@opensecurity/zonzon-cli 0.1.0

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,257 @@
+#!/usr/bin/env node
+import { readFileSync, existsSync, watchFile } from "fs";
+import { resolve, dirname } from "path";
+import { fileURLToPath } from "url";
+import { parse as parseYaml } from "yaml";
+import { validateServerConfig, DevDnsServer, DnsHandler, HttpHandler, SniProxyService, audit } from "zonzon-core";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+function parseArgs() {
+    const args = process.argv.slice(2);
+    let config = "";
+    let port;
+    let httpPort;
+    let watch = false;
+    let help = false;
+    for (let i = 0; i < args.length; i++) {
+        switch (args[i]) {
+            case "--config":
+            case "-c":
+                config = args[++i] || "";
+                break;
+            case "--port":
+            case "-p":
+                port = Number(args[++i]);
+                break;
+            case "--http-port":
+                httpPort = Number(args[++i]);
+                break;
+            case "--watch":
+            case "-w":
+                watch = true;
+                break;
+            case "--help":
+            case "-h":
+                help = true;
+                break;
+        }
+    }
+    return { config, port, httpPort, watch, help };
+}
+function findDefaultConfig() {
+    const candidates = [
+        resolve(process.cwd(), "config/hosts.yaml"),
+        resolve(process.cwd(), "config/hosts.json"),
+        resolve(__dirname, "../../../config/hosts.yaml"),
+        resolve(__dirname, "../../../config/hosts.json"),
+    ];
+    for (const candidate of candidates) {
+        if (existsSync(candidate)) {
+            return candidate;
+        }
+    }
+    return null;
+}
+function printUsage() {
+    console.log(`
+zonzon CLI
+
+Options:
+  -c, --config <path>    Path to configuration file
+  -p, --port <number>    DNS port
+      --http-port <num>  HTTP proxy/redirect port
+  -w, --watch            Watch config file
+  -h, --help             Show this help message
+`);
+}
+function mergeEnvConfig(config) {
+    if (process.env.ZONZON_PORT)
+        config.port = parseInt(process.env.ZONZON_PORT, 10);
+    if (process.env.ZONZON_FALLBACK_DNS)
+        config.fallbackDns = process.env.ZONZON_FALLBACK_DNS;
+    if (!config.firewall)
+        config.firewall = { defaultPolicy: "deny" };
+    if (process.env.ZONZON_DEFAULT_POLICY) {
+        const policy = process.env.ZONZON_DEFAULT_POLICY.toLowerCase();
+        if (policy === "allow" || policy === "deny") {
+            config.firewall.defaultPolicy = policy;
+        }
+    }
+    const listMappings = [
+        { env: "ZONZON_FIREWALL_ALLOWLIST_DOMAINS", key: "allowlist_domains" },
+        { env: "ZONZON_FIREWALL_BLOCKLIST_DOMAINS", key: "blocklist_domains" },
+        { env: "ZONZON_FIREWALL_ALLOWLIST_RANGES", key: "allowlist_ranges" },
+        { env: "ZONZON_FIREWALL_BLOCKLIST_RANGES", key: "blocklist_ranges" },
+        { env: "ZONZON_FIREWALL_ALLOWLIST_IPS", key: "allowlist_ips" },
+        { env: "ZONZON_FIREWALL_BLOCKLIST_IPS", key: "blocklist_ips" }
+    ];
+    for (const mapping of listMappings) {
+        const envVal = process.env[mapping.env];
+        if (envVal) {
+            const items = envVal.split(",").map(i => i.trim()).filter(Boolean);
+            config.firewall[mapping.key] = [...(config.firewall[mapping.key] || []), ...items];
+        }
+    }
+    return config;
+}
+function loadConfig(path) {
+    let raw;
+    try {
+        raw = readFileSync(path, "utf-8");
+    }
+    catch (err) {
+        audit.error(`Error loading config file '${path}'`);
+        process.exit(1);
+    }
+    let parsed;
+    try {
+        if (path.endsWith(".yaml") || path.endsWith(".yml")) {
+            parsed = parseYaml(raw);
+        }
+        else {
+            parsed = JSON.parse(raw);
+        }
+    }
+    catch (err) {
+        audit.error(`Error parsing config file`);
+        process.exit(1);
+    }
+    let validated;
+    try {
+        validated = validateServerConfig(parsed);
+        validated = mergeEnvConfig(validated);
+        validated = validateServerConfig(validated);
+    }
+    catch (err) {
+        audit.error(`Configuration validation error`);
+        process.exit(1);
+    }
+    return validated;
+}
+let isShuttingDown = false;
+async function gracefulShutdown(dnsHandler, httpHandler, sniHandler) {
+    if (isShuttingDown)
+        return;
+    isShuttingDown = true;
+    const forceExit = setTimeout(() => {
+        process.exit(1);
+    }, 5000);
+    try {
+        await Promise.all([
+            dnsHandler.stop(),
+            httpHandler.stop(),
+            sniHandler.stop()
+        ]);
+        clearTimeout(forceExit);
+        process.exit(0);
+    }
+    catch (err) {
+        clearTimeout(forceExit);
+        process.exit(1);
+    }
+}
+async function startServer(configPath, args) {
+    let config = loadConfig(configPath);
+    const effectivePort = args.port ?? config.port;
+    config = { ...config, port: effectivePort };
+    const httpPort = args.httpPort || 80;
+    const httpsPort = 443;
+    let dnsHandler;
+    let httpHandler;
+    let sniHandler;
+    const portsToTry = effectivePort === 53 ? [53, 10053] : [effectivePort];
+    let started = false;
+    for (const attemptPort of portsToTry) {
+        try {
+            const portConfig = { ...config, port: attemptPort };
+            const dnsServer = new DevDnsServer(portConfig);
+            dnsHandler = new DnsHandler(dnsServer, portConfig);
+            const actualHttpPort = (attemptPort !== effectivePort && !args.httpPort) ? 8080 : httpPort;
+            const actualHttpsPort = (attemptPort !== effectivePort && !args.httpPort) ? 8443 : httpsPort;
+            httpHandler = new HttpHandler(dnsServer, config, actualHttpPort);
+            sniHandler = new SniProxyService(config, actualHttpsPort);
+            await dnsHandler.start();
+            await httpHandler.start();
+            await sniHandler.start();
+            started = true;
+            audit.system(`System active: DNS=${attemptPort} | HTTP=${actualHttpPort} | HTTPS=${actualHttpsPort}`);
+            const filePath = resolve(configPath);
+            let prevContent = "";
+            try {
+                prevContent = readFileSync(filePath, { encoding: "utf-8" });
+            }
+            catch { }
+            watchFile(filePath, async () => {
+                if (isShuttingDown)
+                    return;
+                try {
+                    const content = readFileSync(filePath, { encoding: "utf-8" });
+                    if (content !== prevContent) {
+                        prevContent = content;
+                        if (dnsHandler && httpHandler && sniHandler) {
+                            await Promise.all([dnsHandler.stop(), httpHandler.stop(), sniHandler.stop()]);
+                            startServer(filePath, args);
+                        }
+                    }
+                }
+                catch {
+                }
+            });
+            const handleExit = () => {
+                if (dnsHandler && httpHandler && sniHandler)
+                    gracefulShutdown(dnsHandler, httpHandler, sniHandler);
+            };
+            process.on("SIGINT", handleExit);
+            process.on("SIGTERM", handleExit);
+            break;
+        }
+        catch (err) {
+            if (dnsHandler)
+                await dnsHandler.stop().catch(() => { });
+            if (httpHandler)
+                await httpHandler.stop().catch(() => { });
+            if (sniHandler)
+                await sniHandler.stop().catch(() => { });
+            const message = err instanceof Error ? err.message : String(err);
+            if (message.includes("EACCES") || message.includes("EADDRINUSE")) {
+                if (attemptPort === effectivePort && effectivePort === 53) {
+                    continue;
+                }
+                else if (attemptPort === 10053) {
+                    process.exit(1);
+                }
+            }
+            throw err;
+        }
+    }
+    if (!started) {
+        process.exit(1);
+    }
+}
+async function main() {
+    const args = parseArgs();
+    if (args.help) {
+        printUsage();
+        return;
+    }
+    let configPath;
+    if (args.config) {
+        configPath = resolve(args.config);
+        if (!existsSync(configPath)) {
+            audit.error(`Config file not found at '${configPath}'`);
+            process.exit(1);
+        }
+    }
+    else {
+        const autoPath = findDefaultConfig();
+        if (!autoPath) {
+            audit.error("No configuration file found");
+            process.exit(1);
+        }
+        configPath = autoPath;
+    }
+    await startServer(configPath, args);
+}
+main().catch((err) => {
+    audit.error(`Uncaught Exception: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(1);
+});

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "@opensecurity/zonzon-cli",
+  "version": "0.1.0",
+  "description": "Command line interface and entrypoint for zonzon",
+  "type": "module",
+  "author": "Lucian BLETAN <neuraluc@gmail.com>",
+  "license": "Apache-2.0",
+  "bin": {
+    "zonzon": "./dist/cli.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/opensecurity/zonzon.git",
+    "directory": "packages/cli"
+  },
+  "homepage": "https://github.com/opensecurity/zonzon/tree/main/packages/cli#readme",
+  "keywords": [
+    "cli",
+    "server",
+    "daemon"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc -b",
+    "start": "node ./dist/cli.js start"
+  },
+  "dependencies": {
+    "@opensecurity/zonzon-core": "*",
+    "@opensecurity/zonzon-control-plane": "*"
+  }
+}

package/src/cli.ts

@@ -0,0 +1,284 @@
+#!/usr/bin/env node
+
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { parseArgs } from "util";
+import { randomBytes } from "crypto";
+import {
+  DevDnsServer,
+  DnsHandler,
+  HttpHandler,
+  SniProxyService,
+  ServerConfig,
+  validateServerConfig,
+  audit
+} from "@opensecurity/zonzon-core";
+import { ControlPlane } from "@opensecurity/zonzon-control-plane";
+
+const CONFIG_DIR = path.join(os.homedir(), ".zonzon");
+const DEFAULT_CONFIG_PATH = path.join(CONFIG_DIR, "config.json");
+
+function ensureConfigDir() {
+  if (!fs.existsSync(CONFIG_DIR)) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+function loadConfig(configPath: string): any {
+  if (!fs.existsSync(configPath)) {
+    return {};
+  }
+  try {
+    const fileContents = fs.readFileSync(configPath, "utf8");
+    return JSON.parse(fileContents) || {};
+  } catch (err: any) {
+    audit.error(`Failed to parse configuration file at ${configPath}: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+function saveConfig(configPath: string, data: any): void {
+  ensureConfigDir();
+  try {
+    const jsonStr = JSON.stringify(data, null, 2);
+    fs.writeFileSync(configPath, jsonStr, { encoding: "utf8", mode: 0o600 });
+  } catch (err: any) {
+    audit.error(`Failed to write configuration file at ${configPath}: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+function setDeepValue(obj: any, pathStr: string, value: any): void {
+  const parts = pathStr.split(".");
+  const last = parts.pop()!;
+  let current = obj;
+  for (const part of parts) {
+    if (!current[part] || typeof current[part] !== "object") {
+      current[part] = {};
+    }
+    current = current[part];
+  }
+  
+  if (value === "true") current[last] = true;
+  else if (value === "false") current[last] = false;
+  else if (!isNaN(Number(value))) current[last] = Number(value);
+  else current[last] = value;
+}
+
+function printUsage() {
+  console.log(`
+zonzon core engine (v0.1.0)
+Usage: zonzon <command> [options]
+
+Commands:
+  init        Initialize the default configuration file at ~/.zonzon/config.json
+  start       Boot the routing engine and control plane
+  config      Manage configuration state
+
+Config Commands:
+  zonzon config view                   Print the current configuration
+  zonzon config set <key> <value>      Set a configuration value using dot notation
+                                       Example: zonzon config set port 53
+                                       Example: zonzon config set controlPlane.port 8081
+
+Global Options:
+  --config, -c   Override path to configuration file (default: ~/.zonzon/config.json)
+  `);
+  process.exit(0);
+}
+
+async function handleInit(configPath: string) {
+  if (fs.existsSync(configPath)) {
+    audit.error(`Configuration already exists at ${configPath}`);
+    process.exit(1);
+  }
+  
+  const defaultConf = {
+    port: 53,
+    fallbackDns: "1.1.1.1",
+    maxTcpConnections: 100,
+    tcpIdleTimeoutMs: 30000,
+    controlPlane: {
+      enabled: true,
+      port: 8080
+    },
+    firewall: {
+      defaultPolicy: "deny",
+      allowlist_ips: ["127.0.0.1"]
+    },
+    hosts: {}
+  };
+
+  saveConfig(configPath, defaultConf);
+  audit.system(`Initialized secure default configuration at ${configPath}`);
+  process.exit(0);
+}
+
+async function handleConfig(configPath: string, args: string[]) {
+  const subCmd = args[0];
+  if (subCmd === "view") {
+    if (!fs.existsSync(configPath)) {
+      audit.error(`No configuration found at ${configPath}. Run 'zonzon init' first.`);
+      process.exit(1);
+    }
+    const fileContents = fs.readFileSync(configPath, "utf8");
+    console.log(fileContents);
+    process.exit(0);
+  }
+
+  if (subCmd === "set") {
+    const key = args[1];
+    const value = args[2];
+    if (!key || value === undefined) {
+      audit.error("Usage: zonzon config set <key> <value>");
+      process.exit(1);
+    }
+
+    const currentConfig = loadConfig(configPath);
+    setDeepValue(currentConfig, key, value);
+    saveConfig(configPath, currentConfig);
+    audit.system(`Updated configuration: ${key} = ${value}`);
+    process.exit(0);
+  }
+
+  printUsage();
+}
+
+async function startEngine(configPath: string, portOverride?: string, cpPortOverride?: string) {
+  const rawConfig = loadConfig(configPath);
+
+  if (portOverride) {
+    rawConfig.port = parseInt(portOverride, 10);
+  }
+
+  if (cpPortOverride) {
+    if (!rawConfig.controlPlane) rawConfig.controlPlane = {};
+    rawConfig.controlPlane.port = parseInt(cpPortOverride, 10);
+  }
+
+  let config: ServerConfig;
+  try {
+    config = validateServerConfig(rawConfig);
+  } catch (err: any) {
+    audit.error(`Configuration Schema Violation: ${err.message}`);
+    process.exit(1);
+  }
+
+  const dnsServer = new DevDnsServer(config);
+  const dnsHandler = new DnsHandler(dnsServer, config);
+  const httpHandler = new HttpHandler(dnsServer, config, 80);
+  const sniProxy = new SniProxyService(config, 443);
+
+  const isCpEnabled = config.controlPlane?.enabled !== false;
+  let controlPlane: ControlPlane | null = null;
+  let isEphemeralKey = false;
+  let activeApiKey = "";
+
+  if (isCpEnabled) {
+    activeApiKey = config.controlPlane?.apiKey || "";
+    if (!activeApiKey) {
+      activeApiKey = randomBytes(32).toString("hex");
+      isEphemeralKey = true;
+    }
+
+    const blindIndexSalt = randomBytes(16).toString("hex");
+    const cpPort = config.controlPlane?.port || 8080;
+
+    controlPlane = new ControlPlane({
+      port: cpPort,
+      apiKey: activeApiKey,
+      blindIndexSalt: blindIndexSalt,
+      initialConfig: config,
+    });
+
+    controlPlane.subscribe((newConfig) => {
+      audit.system("Applying dynamic configuration update from Control Plane...");
+    });
+  }
+
+  const shutdown = async () => {
+    audit.system("Initiating graceful shutdown sequence...");
+    await dnsHandler.stop();
+    await httpHandler.stop();
+    await sniProxy.stop();
+    if (controlPlane) {
+      await controlPlane.stop();
+    }
+    process.exit(0);
+  };
+
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+
+  try {
+    await dnsHandler.start();
+    audit.system(`DNS Listener actively enforcing Zero-Trust boundaries on port ${config.port}`);
+
+    await httpHandler.start();
+    audit.system(`HTTP L7 Sandbox Router active on port 80`);
+
+    await sniProxy.start();
+    audit.system(`SNI Proxy active on port 443`);
+
+    if (controlPlane) {
+      await controlPlane.start();
+      if (isEphemeralKey) {
+        audit.system(`[SECURITY] Generated Ephemeral API Key for this session: ${activeApiKey}`);
+        audit.system(`[SECURITY] Do not lose this key. It will not be shown again.`);
+      } else {
+        audit.system(`[SECURITY] Control Plane using static API Key from configuration.`);
+      }
+    }
+
+    audit.system("Initialization complete. Awaiting connections...");
+  } catch (err: any) {
+    audit.error(`Fatal bind error during initialization: ${err.message}`);
+    await shutdown();
+  }
+}
+
+async function main() {
+  const { values, positionals } = parseArgs({
+    options: {
+      config: {
+        type: "string",
+        short: "c",
+      },
+      port: {
+        type: "string",
+        short: "p",
+      },
+      "cp-port": {
+        type: "string",
+      },
+    },
+    strict: false,
+    allowPositionals: true
+  });
+
+  const command = positionals[0];
+  const configPath = values.config 
+    ? path.resolve(process.cwd(), values.config as string)
+    : DEFAULT_CONFIG_PATH;
+
+  switch (command) {
+    case "init":
+      await handleInit(configPath);
+      break;
+    case "config":
+      await handleConfig(configPath, positionals.slice(1));
+      break;
+    case "start":
+      await startEngine(configPath, values.port as string, values["cp-port"] as string);
+      break;
+    default:
+      printUsage();
+      break;
+  }
+}
+
+main().catch((err) => {
+  audit.error(`Unhandled execution fault: ${err.message}`);
+  process.exit(1);
+});

package/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "baseUrl": ".",
+    "ignoreDeprecations": "6.0",
+    "paths": {
+      "@opensecurity/zonzon-core": ["../core/src/index.ts"],
+      "@opensecurity/zonzon-control-plane": ["../control-plane/src/index.ts"]
+    }
+  },
+  "references": [
+    { "path": "../core" },
+    { "path": "../control-plane" }
+  ],
+  "include": ["src/**/*.ts"],
+  "exclude": ["node_modules", "dist"]
+}