npm - @opensecurity/zonzon-cli - Versions diffs - 0.1.1 → 0.1.2 - Mend

@opensecurity/zonzon-cli 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -1,257 +1,250 @@
 #!/usr/bin/env node
-import { readFileSync, existsSync, watchFile } from "fs";
-import { resolve, dirname } from "path";
-import { fileURLToPath } from "url";
-import { parse as parseYaml } from "yaml";
-import { validateServerConfig, DevDnsServer, DnsHandler, HttpHandler, SniProxyService, audit } from "zonzon-core";
-const __dirname = dirname(fileURLToPath(import.meta.url));
-function parseArgs() {
-    const args = process.argv.slice(2);
-    let config = "";
-    let port;
-    let httpPort;
-    let watch = false;
-    let help = false;
-    for (let i = 0; i < args.length; i++) {
-        switch (args[i]) {
-            case "--config":
-            case "-c":
-                config = args[++i] || "";
-                break;
-            case "--port":
-            case "-p":
-                port = Number(args[++i]);
-                break;
-            case "--http-port":
-                httpPort = Number(args[++i]);
-                break;
-            case "--watch":
-            case "-w":
-                watch = true;
-                break;
-            case "--help":
-            case "-h":
-                help = true;
-                break;
-        }
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { parseArgs } from "util";
+import { randomBytes } from "crypto";
+import { DevDnsServer, DnsHandler, HttpHandler, SniProxyService, validateServerConfig, audit } from "@opensecurity/zonzon-core";
+import { ControlPlane } from "@opensecurity/zonzon-control-plane";
+const CONFIG_DIR = path.join(os.homedir(), ".zonzon");
+const DEFAULT_CONFIG_PATH = path.join(CONFIG_DIR, "config.json");
+function ensureConfigDir() {
+    if (!fs.existsSync(CONFIG_DIR)) {
+        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
     }
-    return { config, port, httpPort, watch, help };
 }
-function findDefaultConfig() {
-    const candidates = [
-        resolve(process.cwd(), "config/hosts.yaml"),
-        resolve(process.cwd(), "config/hosts.json"),
-        resolve(__dirname, "../../../config/hosts.yaml"),
-        resolve(__dirname, "../../../config/hosts.json"),
-    ];
-    for (const candidate of candidates) {
-        if (existsSync(candidate)) {
-            return candidate;
-        }
+function loadConfig(configPath) {
+    if (!fs.existsSync(configPath)) {
+        return {};
     }
-    return null;
-}
-function printUsage() {
-    console.log(`
-zonzon CLI
-Options:
-  -c, --config <path>    Path to configuration file
-  -p, --port <number>    DNS port
-      --http-port <num>  HTTP proxy/redirect port
-  -w, --watch            Watch config file
-  -h, --help             Show this help message
-`);
-}
-function mergeEnvConfig(config) {
-    if (process.env.ZONZON_PORT)
-        config.port = parseInt(process.env.ZONZON_PORT, 10);
-    if (process.env.ZONZON_FALLBACK_DNS)
-        config.fallbackDns = process.env.ZONZON_FALLBACK_DNS;
-    if (!config.firewall)
-        config.firewall = { defaultPolicy: "deny" };
-    if (process.env.ZONZON_DEFAULT_POLICY) {
-        const policy = process.env.ZONZON_DEFAULT_POLICY.toLowerCase();
-        if (policy === "allow" || policy === "deny") {
-            config.firewall.defaultPolicy = policy;
-        }
+    try {
+        const fileContents = fs.readFileSync(configPath, "utf8");
+        return JSON.parse(fileContents) || {};
     }
-    const listMappings = [
-        { env: "ZONZON_FIREWALL_ALLOWLIST_DOMAINS", key: "allowlist_domains" },
-        { env: "ZONZON_FIREWALL_BLOCKLIST_DOMAINS", key: "blocklist_domains" },
-        { env: "ZONZON_FIREWALL_ALLOWLIST_RANGES", key: "allowlist_ranges" },
-        { env: "ZONZON_FIREWALL_BLOCKLIST_RANGES", key: "blocklist_ranges" },
-        { env: "ZONZON_FIREWALL_ALLOWLIST_IPS", key: "allowlist_ips" },
-        { env: "ZONZON_FIREWALL_BLOCKLIST_IPS", key: "blocklist_ips" }
-    ];
-    for (const mapping of listMappings) {
-        const envVal = process.env[mapping.env];
-        if (envVal) {
-            const items = envVal.split(",").map(i => i.trim()).filter(Boolean);
-            config.firewall[mapping.key] = [...(config.firewall[mapping.key] || []), ...items];
-        }
+    catch (err) {
+        audit.error(`Failed to parse configuration file at ${configPath}: ${err.message}`);
+        process.exit(1);
     }
-    return config;
 }
-function loadConfig(path) {
-    let raw;
+function saveConfig(configPath, data) {
+    ensureConfigDir();
     try {
-        raw = readFileSync(path, "utf-8");
+        const jsonStr = JSON.stringify(data, null, 2);
+        fs.writeFileSync(configPath, jsonStr, { encoding: "utf8", mode: 0o600 });
     }
     catch (err) {
-        audit.error(`Error loading config file '${path}'`);
+        audit.error(`Failed to write configuration file at ${configPath}: ${err.message}`);
         process.exit(1);
     }
-    let parsed;
-    try {
-        if (path.endsWith(".yaml") || path.endsWith(".yml")) {
-            parsed = parseYaml(raw);
-        }
-        else {
-            parsed = JSON.parse(raw);
+}
+function setDeepValue(obj, pathStr, value) {
+    const parts = pathStr.split(".");
+    const last = parts.pop();
+    let current = obj;
+    for (const part of parts) {
+        if (!current[part] || typeof current[part] !== "object") {
+            current[part] = {};
         }
-    }
-    catch (err) {
-        audit.error(`Error parsing config file`);
+        current = current[part];
+    }
+    if (value === "true")
+        current[last] = true;
+    else if (value === "false")
+        current[last] = false;
+    else if (!isNaN(Number(value)))
+        current[last] = Number(value);
+    else
+        current[last] = value;
+}
+function printUsage() {
+    console.log(`
+zonzon core engine (v0.1.0)
+Usage: zonzon <command> [options]
+Commands:
+  init        Initialize the default configuration file at ~/.zonzon/config.json
+  start       Boot the routing engine and control plane
+  config      Manage configuration state
+Config Commands:
+  zonzon config view                   Print the current configuration
+  zonzon config set <key> <value>      Set a configuration value using dot notation
+                                       Example: zonzon config set port 53
+                                       Example: zonzon config set controlPlane.port 8081
+Global Options:
+  --config, -c   Override path to configuration file (default: ~/.zonzon/config.json)
+  `);
+    process.exit(0);
+}
+async function handleInit(configPath) {
+    if (fs.existsSync(configPath)) {
+        audit.error(`Configuration already exists at ${configPath}`);
         process.exit(1);
     }
-    let validated;
-    try {
-        validated = validateServerConfig(parsed);
-        validated = mergeEnvConfig(validated);
-        validated = validateServerConfig(validated);
+    const defaultConf = {
+        port: 53,
+        fallbackDns: "1.1.1.1",
+        maxTcpConnections: 100,
+        tcpIdleTimeoutMs: 30000,
+        controlPlane: {
+            enabled: true,
+            port: 8080
+        },
+        firewall: {
+            defaultPolicy: "deny",
+            allowlist_ips: ["127.0.0.1"]
+        },
+        hosts: {}
+    };
+    saveConfig(configPath, defaultConf);
+    audit.system(`Initialized secure default configuration at ${configPath}`);
+    process.exit(0);
+}
+async function handleConfig(configPath, args) {
+    const subCmd = args[0];
+    if (subCmd === "view") {
+        if (!fs.existsSync(configPath)) {
+            audit.error(`No configuration found at ${configPath}. Run 'zonzon init' first.`);
+            process.exit(1);
+        }
+        const fileContents = fs.readFileSync(configPath, "utf8");
+        console.log(fileContents);
+        process.exit(0);
     }
-    catch (err) {
-        audit.error(`Configuration validation error`);
-        process.exit(1);
+    if (subCmd === "set") {
+        const key = args[1];
+        const value = args[2];
+        if (!key || value === undefined) {
+            audit.error("Usage: zonzon config set <key> <value>");
+            process.exit(1);
+        }
+        const currentConfig = loadConfig(configPath);
+        setDeepValue(currentConfig, key, value);
+        saveConfig(configPath, currentConfig);
+        audit.system(`Updated configuration: ${key} = ${value}`);
+        process.exit(0);
     }
-    return validated;
+    printUsage();
 }
-let isShuttingDown = false;
-async function gracefulShutdown(dnsHandler, httpHandler, sniHandler) {
-    if (isShuttingDown)
-        return;
-    isShuttingDown = true;
-    const forceExit = setTimeout(() => {
-        process.exit(1);
-    }, 5000);
+async function startEngine(configPath, portOverride, cpPortOverride) {
+    const rawConfig = loadConfig(configPath);
+    if (portOverride) {
+        rawConfig.port = parseInt(portOverride, 10);
+    }
+    if (cpPortOverride) {
+        if (!rawConfig.controlPlane)
+            rawConfig.controlPlane = {};
+        rawConfig.controlPlane.port = parseInt(cpPortOverride, 10);
+    }
+    let config;
     try {
-        await Promise.all([
-            dnsHandler.stop(),
-            httpHandler.stop(),
-            sniHandler.stop()
-        ]);
-        clearTimeout(forceExit);
-        process.exit(0);
+        config = validateServerConfig(rawConfig);
     }
     catch (err) {
-        clearTimeout(forceExit);
+        audit.error(`Configuration Schema Violation: ${err.message}`);
         process.exit(1);
     }
-}
-async function startServer(configPath, args) {
-    let config = loadConfig(configPath);
-    const effectivePort = args.port ?? config.port;
-    config = { ...config, port: effectivePort };
-    const httpPort = args.httpPort || 80;
-    const httpsPort = 443;
-    let dnsHandler;
-    let httpHandler;
-    let sniHandler;
-    const portsToTry = effectivePort === 53 ? [53, 10053] : [effectivePort];
-    let started = false;
-    for (const attemptPort of portsToTry) {
-        try {
-            const portConfig = { ...config, port: attemptPort };
-            const dnsServer = new DevDnsServer(portConfig);
-            dnsHandler = new DnsHandler(dnsServer, portConfig);
-            const actualHttpPort = (attemptPort !== effectivePort && !args.httpPort) ? 8080 : httpPort;
-            const actualHttpsPort = (attemptPort !== effectivePort && !args.httpPort) ? 8443 : httpsPort;
-            httpHandler = new HttpHandler(dnsServer, config, actualHttpPort);
-            sniHandler = new SniProxyService(config, actualHttpsPort);
-            await dnsHandler.start();
-            await httpHandler.start();
-            await sniHandler.start();
-            started = true;
-            audit.system(`System active: DNS=${attemptPort} | HTTP=${actualHttpPort} | HTTPS=${actualHttpsPort}`);
-            const filePath = resolve(configPath);
-            let prevContent = "";
-            try {
-                prevContent = readFileSync(filePath, { encoding: "utf-8" });
-            }
-            catch { }
-            watchFile(filePath, async () => {
-                if (isShuttingDown)
-                    return;
-                try {
-                    const content = readFileSync(filePath, { encoding: "utf-8" });
-                    if (content !== prevContent) {
-                        prevContent = content;
-                        if (dnsHandler && httpHandler && sniHandler) {
-                            await Promise.all([dnsHandler.stop(), httpHandler.stop(), sniHandler.stop()]);
-                            startServer(filePath, args);
-                        }
-                    }
-                }
-                catch {
-                }
-            });
-            const handleExit = () => {
-                if (dnsHandler && httpHandler && sniHandler)
-                    gracefulShutdown(dnsHandler, httpHandler, sniHandler);
-            };
-            process.on("SIGINT", handleExit);
-            process.on("SIGTERM", handleExit);
-            break;
+    const dnsServer = new DevDnsServer(config);
+    const dnsHandler = new DnsHandler(dnsServer, config);
+    const httpHandler = new HttpHandler(dnsServer, config, 80);
+    const sniProxy = new SniProxyService(config, 443);
+    const isCpEnabled = config.controlPlane?.enabled !== false;
+    let controlPlane = null;
+    let isEphemeralKey = false;
+    let activeApiKey = "";
+    if (isCpEnabled) {
+        activeApiKey = config.controlPlane?.apiKey || "";
+        if (!activeApiKey) {
+            activeApiKey = randomBytes(32).toString("hex");
+            isEphemeralKey = true;
+        }
+        const blindIndexSalt = randomBytes(16).toString("hex");
+        const cpPort = config.controlPlane?.port || 8080;
+        controlPlane = new ControlPlane({
+            port: cpPort,
+            apiKey: activeApiKey,
+            blindIndexSalt: blindIndexSalt,
+            initialConfig: config,
+        });
+        controlPlane.subscribe((newConfig) => {
+            audit.system("Applying dynamic configuration update from Control Plane...");
+        });
+    }
+    const shutdown = async () => {
+        audit.system("Initiating graceful shutdown sequence...");
+        await dnsHandler.stop();
+        await httpHandler.stop();
+        await sniProxy.stop();
+        if (controlPlane) {
+            await controlPlane.stop();
         }
-        catch (err) {
-            if (dnsHandler)
-                await dnsHandler.stop().catch(() => { });
-            if (httpHandler)
-                await httpHandler.stop().catch(() => { });
-            if (sniHandler)
-                await sniHandler.stop().catch(() => { });
-            const message = err instanceof Error ? err.message : String(err);
-            if (message.includes("EACCES") || message.includes("EADDRINUSE")) {
-                if (attemptPort === effectivePort && effectivePort === 53) {
-                    continue;
-                }
-                else if (attemptPort === 10053) {
-                    process.exit(1);
-                }
+        process.exit(0);
+    };
+    process.on("SIGINT", shutdown);
+    process.on("SIGTERM", shutdown);
+    try {
+        await dnsHandler.start();
+        audit.system(`DNS Listener actively enforcing Zero-Trust boundaries on port ${config.port}`);
+        await httpHandler.start();
+        audit.system(`HTTP L7 Sandbox Router active on port 80`);
+        await sniProxy.start();
+        audit.system(`SNI Proxy active on port 443`);
+        if (controlPlane) {
+            await controlPlane.start();
+            if (isEphemeralKey) {
+                audit.system(`[SECURITY] Generated Ephemeral API Key for this session: ${activeApiKey}`);
+                audit.system(`[SECURITY] Do not lose this key. It will not be shown again.`);
+            }
+            else {
+                audit.system(`[SECURITY] Control Plane using static API Key from configuration.`);
             }
-            throw err;
         }
+        audit.system("Initialization complete. Awaiting connections...");
     }
-    if (!started) {
-        process.exit(1);
+    catch (err) {
+        audit.error(`Fatal bind error during initialization: ${err.message}`);
+        await shutdown();
     }
 }
 async function main() {
-    const args = parseArgs();
-    if (args.help) {
-        printUsage();
-        return;
-    }
-    let configPath;
-    if (args.config) {
-        configPath = resolve(args.config);
-        if (!existsSync(configPath)) {
-            audit.error(`Config file not found at '${configPath}'`);
-            process.exit(1);
-        }
-    }
-    else {
-        const autoPath = findDefaultConfig();
-        if (!autoPath) {
-            audit.error("No configuration file found");
-            process.exit(1);
-        }
-        configPath = autoPath;
+    const { values, positionals } = parseArgs({
+        options: {
+            config: {
+                type: "string",
+                short: "c",
+            },
+            port: {
+                type: "string",
+                short: "p",
+            },
+            "cp-port": {
+                type: "string",
+            },
+        },
+        strict: false,
+        allowPositionals: true
+    });
+    const command = positionals[0];
+    const configPath = values.config
+        ? path.resolve(process.cwd(), values.config)
+        : DEFAULT_CONFIG_PATH;
+    switch (command) {
+        case "init":
+            await handleInit(configPath);
+            break;
+        case "config":
+            await handleConfig(configPath, positionals.slice(1));
+            break;
+        case "start":
+            await startEngine(configPath, values.port, values["cp-port"]);
+            break;
+        default:
+            printUsage();
+            break;
     }
-    await startServer(configPath, args);
 }
 main().catch((err) => {
-    audit.error(`Uncaught Exception: ${err instanceof Error ? err.message : String(err)}`);
+    audit.error(`Unhandled execution fault: ${err.message}`);
     process.exit(1);
 });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@opensecurity/zonzon-cli",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "Command line interface and entrypoint for zonzon",
   "type": "module",
   "author": "Lucian BLETAN <neuraluc@gmail.com>",

package/tsconfig.json CHANGED Viewed

@@ -2,13 +2,7 @@
   "extends": "../../tsconfig.base.json",
   "compilerOptions": {
     "outDir": "./dist",
-    "rootDir": "./src",
-    "baseUrl": ".",
-    "ignoreDeprecations": "6.0",
-    "paths": {
-      "@opensecurity/zonzon-core": ["../core/src/index.ts"],
-      "@opensecurity/zonzon-control-plane": ["../control-plane/src/index.ts"]
-    }
+    "rootDir": "./src"
   },
   "references": [
     { "path": "../core" },