@opensecurity/zonzon-control-plane 0.1.3 → 0.1.5

package/dist/domain/config/config.handler.d.ts

@@ -4,6 +4,8 @@ export declare class ConfigHandler {
     private service;
     private blindIndexSalt;
     private expectedApiKeyHash;
+    private seenNonces;
+    private currentPoWWindow;
     constructor(service: ConfigService, rawApiKey: string, blindIndexSalt: string);
     private readBodyStrict;
     private verifyProofOfWork;

package/dist/domain/config/config.handler.js

@@ -1,40 +1,54 @@
-import { createHash, createHmac, timingSafeEqual } from "crypto";
+import { createHash, createHmac, timingSafeEqual, hkdfSync } from "crypto";
 import { audit } from "@opensecurity/zonzon-core";
 import { ApiAuthHeaderSchema } from "./config.schema.js";
+import { contextStorage } from "./context.js";
 export class ConfigHandler {
     service;
     blindIndexSalt;
     expectedApiKeyHash;
+    seenNonces = new Set();
+    currentPoWWindow = 0;
     constructor(service, rawApiKey, blindIndexSalt) {
         this.service = service;
         this.blindIndexSalt = blindIndexSalt;
-        this.expectedApiKeyHash = createHmac("sha256", this.blindIndexSalt).update(rawApiKey).digest("hex");
+        const apiKeySecret = hkdfSync("sha256", this.blindIndexSalt, Buffer.alloc(0), "api_key_derivation", 32);
+        this.expectedApiKeyHash = createHmac("sha256", Buffer.from(apiKeySecret)).update(rawApiKey).digest("hex");
     }
     readBodyStrict(req) {
         return new Promise((resolve, reject) => {
-            let body = "";
+            const chunks = [];
             let length = 0;
             req.on("data", (chunk) => {
                 length += chunk.length;
                 if (length > 1048576) {
+                    req.destroy();
                     reject(new Error("Payload size limit exceeded"));
                     return;
                 }
-                body += chunk.toString("utf8");
+                chunks.push(chunk);
             });
-            req.on("end", () => resolve(body));
+            req.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
             req.on("error", reject);
         });
     }
     verifyProofOfWork(nonce) {
-        const hash = createHash("sha256").update(this.blindIndexSalt + nonce).digest("hex");
+        const timeWindow = Math.floor(Date.now() / 300000);
+        if (this.currentPoWWindow !== timeWindow) {
+            this.currentPoWWindow = timeWindow;
+            this.seenNonces.clear();
+        }
+        if (this.seenNonces.has(nonce)) {
+            throw new Error("Proof of Work challenge nonce already used");
+        }
+        const challenge = `${this.blindIndexSalt}:${timeWindow}`;
+        const hash = createHash("sha256").update(challenge + nonce).digest("hex");
         if (!hash.startsWith("0000")) {
             throw new Error("Invalid Proof of Work Challenge");
         }
+        this.seenNonces.add(nonce);
     }
     extractContext(req, isMutation) {
         const rawHeaders = {
-            authorization: req.headers.authorization,
             "x-api-key": req.headers["x-api-key"],
             "x-device-id": req.headers["x-device-id"],
             "x-pow-nonce": req.headers["x-pow-nonce"],
@@ -49,7 +63,8 @@ export class ConfigHandler {
         if (!providedKey) {
             throw new Error("Missing API Key");
         }
-        const providedHash = createHmac("sha256", this.blindIndexSalt).update(providedKey).digest("hex");
+        const apiKeySecret = hkdfSync("sha256", this.blindIndexSalt, Buffer.alloc(0), "api_key_derivation", 32);
+        const providedHash = createHmac("sha256", Buffer.from(apiKeySecret)).update(providedKey).digest("hex");
         const expectedBuffer = Buffer.from(this.expectedApiKeyHash, "utf8");
         const providedBuffer = Buffer.from(providedHash, "utf8");
         if (expectedBuffer.length !== providedBuffer.length || !timingSafeEqual(expectedBuffer, providedBuffer)) {
@@ -61,7 +76,8 @@ export class ConfigHandler {
             }
             this.verifyProofOfWork(validatedHeaders["x-pow-nonce"]);
         }
-        const deviceHash = createHmac("sha256", this.blindIndexSalt).update(validatedHeaders["x-device-id"]).digest("hex");
+        const deviceSecret = hkdfSync("sha256", this.blindIndexSalt, Buffer.alloc(0), "device_id_derivation", 32);
+        const deviceHash = createHmac("sha256", Buffer.from(deviceSecret)).update(validatedHeaders["x-device-id"]).digest("hex");
         return {
             tenantId: "system-tenant-001",
             deviceHash: deviceHash,
@@ -71,6 +87,16 @@ export class ConfigHandler {
         const clientIp = req.socket.remoteAddress || "unknown";
         const method = req.method || "GET";
         const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
+        if (url.pathname === "/metrics") {
+            if (method !== "GET") {
+                res.writeHead(405);
+                res.end();
+                return;
+            }
+            res.writeHead(200, { "Content-Type": "text/plain; version=0.0.4" });
+            res.end(audit.getMetricsPrometheus());
+            return;
+        }
         if (url.pathname !== "/api/v1/config") {
             res.writeHead(404, { "Content-Type": "application/json" });
             res.end(JSON.stringify({ error: "Endpoint Not Found" }));
@@ -79,24 +105,26 @@ export class ConfigHandler {
         try {
             const isMutation = method === "PUT" || method === "POST";
             const context = this.extractContext(req, isMutation);
-            if (method === "GET") {
-                const config = await this.service.getConfig(context);
-                res.writeHead(200, { "Content-Type": "application/json" });
-                res.end(JSON.stringify(config));
-                audit.http(clientIp, "GET", "control-plane", url.pathname, 200, "Config retrieved");
-                return;
-            }
-            if (method === "PUT") {
-                const bodyStr = await this.readBodyStrict(req);
-                const rawConfig = JSON.parse(bodyStr);
-                await this.service.updateConfig(context, rawConfig);
-                res.writeHead(200, { "Content-Type": "application/json" });
-                res.end(JSON.stringify({ success: true, timestamp: Date.now() }));
-                audit.http(clientIp, "PUT", "control-plane", url.pathname, 200, "Config updated");
-                return;
-            }
-            res.writeHead(405, { "Content-Type": "application/json" });
-            res.end(JSON.stringify({ error: "Method Not Allowed" }));
+            await contextStorage.run(context, async () => {
+                if (method === "GET") {
+                    const config = await this.service.getConfig();
+                    res.writeHead(200, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify(config));
+                    audit.http(clientIp, "GET", "control-plane", url.pathname, 200, "Config retrieved");
+                    return;
+                }
+                if (method === "PUT") {
+                    const bodyStr = await this.readBodyStrict(req);
+                    const rawConfig = JSON.parse(bodyStr);
+                    await this.service.updateConfig(rawConfig);
+                    res.writeHead(200, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ success: true, timestamp: Date.now() }));
+                    audit.http(clientIp, "PUT", "control-plane", url.pathname, 200, "Config updated");
+                    return;
+                }
+                res.writeHead(405, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "Method Not Allowed" }));
+            });
         }
         catch (error) {
             const message = error.message || "Internal Server Error";
@@ -107,7 +135,7 @@ export class ConfigHandler {
             else if (message.includes("Authentication Validation Failed") || message.includes("Unauthorized") || message.includes("API Key") || message.includes("x-pow-nonce")) {
                 statusCode = 401;
             }
-            else if (message.includes("Invalid Proof of Work")) {
+            else if (message.includes("Invalid Proof of Work") || message.includes("already used")) {
                 statusCode = 403;
             }
             audit.error(`Control Plane API Fault: HTTP ${statusCode} | ${message} | Client: ${clientIp}`);

package/dist/domain/config/config.schema.d.ts

@@ -1,27 +1,14 @@
 import { z } from "zod";
-export declare const ApiAuthHeaderSchema: z.ZodEffects<z.ZodObject<{
-    authorization: z.ZodOptional<z.ZodString>;
-    "x-api-key": z.ZodOptional<z.ZodString>;
+export declare const ApiAuthHeaderSchema: z.ZodObject<{
+    "x-api-key": z.ZodString;
     "x-device-id": z.ZodString;
     "x-pow-nonce": z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
+    "x-api-key": string;
     "x-device-id": string;
-    authorization?: string | undefined;
-    "x-api-key"?: string | undefined;
     "x-pow-nonce"?: string | undefined;
 }, {
+    "x-api-key": string;
     "x-device-id": string;
-    authorization?: string | undefined;
-    "x-api-key"?: string | undefined;
-    "x-pow-nonce"?: string | undefined;
-}>, {
-    "x-device-id": string;
-    authorization?: string | undefined;
-    "x-api-key"?: string | undefined;
-    "x-pow-nonce"?: string | undefined;
-}, {
-    "x-device-id": string;
-    authorization?: string | undefined;
-    "x-api-key"?: string | undefined;
     "x-pow-nonce"?: string | undefined;
 }>;

package/dist/domain/config/config.schema.js

@@ -1,10 +1,6 @@
 import { z } from "zod";
 export const ApiAuthHeaderSchema = z.object({
-    authorization: z.string().regex(/^Bearer [a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+$/).optional(),
-    "x-api-key": z.string().min(32).max(128).optional(),
+    "x-api-key": z.string().min(32).max(128),
     "x-device-id": z.string().min(16).max(64),
     "x-pow-nonce": z.string().min(1).max(64).optional()
-}).refine(data => data.authorization || data["x-api-key"], {
-    message: "Missing authentication credentials",
-    path: ["x-api-key"]
 });

package/dist/domain/config/config.service.d.ts

@@ -1,11 +1,11 @@
 import { ServerConfig } from "@opensecurity/zonzon-core";
-import { ConfigContext } from "./config.types.js";
 export declare class ConfigService {
     private config;
+    private configFilePath;
     private lock;
     private subscribers;
-    constructor(initialConfig: ServerConfig);
+    constructor(initialConfig: ServerConfig, configFilePath: string);
     subscribe(callback: (config: ServerConfig) => void): void;
-    getConfig(ctx: ConfigContext): Promise<ServerConfig>;
-    updateConfig(ctx: ConfigContext, rawConfig: unknown): Promise<void>;
+    getConfig(): Promise<ServerConfig>;
+    updateConfig(rawConfig: unknown): Promise<void>;
 }

package/dist/domain/config/config.service.js

@@ -1,4 +1,7 @@
+import { promises as fs } from "node:fs";
+import * as path from "node:path";
 import { validateServerConfig, audit } from "@opensecurity/zonzon-core";
+import { getContext } from "./context.js";
 class PessimisticLock {
     locked = false;
     queue = [];
@@ -22,27 +25,34 @@ class PessimisticLock {
 }
 export class ConfigService {
     config;
+    configFilePath;
     lock = new PessimisticLock();
     subscribers = [];
-    constructor(initialConfig) {
+    constructor(initialConfig, configFilePath) {
         this.config = validateServerConfig(initialConfig);
+        this.configFilePath = path.resolve(configFilePath);
     }
     subscribe(callback) {
         this.subscribers.push(callback);
     }
-    async getConfig(ctx) {
+    async getConfig() {
+        const ctx = getContext();
         if (!ctx.tenantId) {
             throw new Error("Security Exception: Missing Tenant Context");
         }
         return this.config;
     }
-    async updateConfig(ctx, rawConfig) {
+    async updateConfig(rawConfig) {
+        const ctx = getContext();
         if (!ctx.tenantId) {
             throw new Error("Security Exception: Missing Tenant Context");
         }
         await this.lock.acquire();
         try {
             const validatedConfig = validateServerConfig(rawConfig);
+            const tempPath = `${this.configFilePath}.tmp.${Date.now()}`;
+            await fs.writeFile(tempPath, JSON.stringify(validatedConfig, null, 2), { mode: 0o600, encoding: "utf8" });
+            await fs.rename(tempPath, this.configFilePath);
             this.config = validatedConfig;
             for (const callback of this.subscribers) {
                 try {

package/dist/domain/config/config.test.js

@@ -1,26 +1,34 @@
 import { describe, it, before, after } from "node:test";
 import assert from "node:assert";
 import * as http from "http";
+import * as os from "node:os";
+import * as path from "node:path";
+import { promises as fs } from "node:fs";
 import { createHash } from "crypto";
 import { ConfigService } from "./config.service.js";
 import { ConfigHandler } from "./config.handler.js";
 const MOCK_SALT = "test-salt-1234567890";
 const MOCK_API_KEY = "test-api-key-very-long-and-secure-32-chars";
 const MOCK_DEVICE_ID = "test-device-id-1234";
+let globalNonceCounter = 0;
 function generateValidPoW(salt) {
-    let nonce = 0;
+    const timeWindow = Math.floor(Date.now() / 300000);
+    const challenge = `${salt}:${timeWindow}`;
     while (true) {
-        const hash = createHash("sha256").update(salt + nonce.toString()).digest("hex");
+        const hash = createHash("sha256").update(challenge + globalNonceCounter.toString()).digest("hex");
         if (hash.startsWith("0000")) {
-            return nonce.toString();
+            const validNonce = globalNonceCounter.toString();
+            globalNonceCounter++;
+            return validNonce;
         }
-        nonce++;
+        globalNonceCounter++;
     }
 }
 describe("Control Plane API Tests", () => {
     let server;
     let port;
     let validNonce;
+    let tempConfigPath;
     const initialConfig = {
         port: 53,
         hosts: {
@@ -28,8 +36,10 @@ describe("Control Plane API Tests", () => {
         }
     };
     before(async () => {
+        tempConfigPath = path.join(os.tmpdir(), `hosts-test-${Date.now()}.json`);
+        await fs.writeFile(tempConfigPath, JSON.stringify(initialConfig), { mode: 0o600 });
         validNonce = generateValidPoW(MOCK_SALT);
-        const service = new ConfigService(initialConfig);
+        const service = new ConfigService(initialConfig, tempConfigPath);
         const handler = new ConfigHandler(service, MOCK_API_KEY, MOCK_SALT);
         server = http.createServer((req, res) => handler.handleRequest(req, res));
         await new Promise((resolve) => {
@@ -39,8 +49,12 @@ describe("Control Plane API Tests", () => {
             });
         });
     });
-    after(() => {
+    after(async () => {
         server.close();
+        try {
+            await fs.unlink(tempConfigPath);
+        }
+        catch { }
     });
     function makeRequest(method, path, headers, body) {
         return new Promise((resolve, reject) => {
@@ -63,7 +77,14 @@ describe("Control Plane API Tests", () => {
                     }
                 });
             });
-            req.on("error", reject);
+            req.on("error", (err) => {
+                if (err.code === 'ECONNRESET') {
+                    resolve({ status: 413, data: { error: "Payload too large (Socket Destroyed)" } });
+                }
+                else {
+                    reject(err);
+                }
+            });
             if (body)
                 req.write(body);
             req.end();
@@ -103,17 +124,18 @@ describe("Control Plane API Tests", () => {
         assert.strictEqual(res.status, 403);
         assert.ok(res.data.error.includes("Invalid Proof of Work"));
     });
-    it("accepts PUT requests with valid configuration and PoW", async () => {
+    it("accepts PUT requests with valid configuration and PoW, and writes to disk", async () => {
         const newConfig = {
             port: 5353,
             hosts: {
                 "updated.loop": { records: [{ type: "A", address: "8.8.8.8" }] }
             }
         };
+        const freshNonce = generateValidPoW(MOCK_SALT);
         const res = await makeRequest("PUT", "/api/v1/config", {
             "x-api-key": MOCK_API_KEY,
             "x-device-id": MOCK_DEVICE_ID,
-            "x-pow-nonce": validNonce,
+            "x-pow-nonce": freshNonce,
             "Content-Type": "application/json"
         }, JSON.stringify(newConfig));
         assert.strictEqual(res.status, 200);
@@ -125,13 +147,18 @@ describe("Control Plane API Tests", () => {
         assert.strictEqual(checkRes.status, 200);
         assert.strictEqual(checkRes.data.port, 5353);
         assert.ok("updated.loop" in checkRes.data.hosts);
+        const diskContent = await fs.readFile(tempConfigPath, "utf8");
+        const parsedDisk = JSON.parse(diskContent);
+        assert.strictEqual(parsedDisk.port, 5353);
+        assert.ok("updated.loop" in parsedDisk.hosts);
     });
     it("rejects payloads exceeding the memory boundary", async () => {
         const hugePayload = JSON.stringify({ port: 53, hosts: {} }) + " ".repeat(1.5 * 1024 * 1024);
+        const boundaryNonce = generateValidPoW(MOCK_SALT);
         const res = await makeRequest("PUT", "/api/v1/config", {
             "x-api-key": MOCK_API_KEY,
             "x-device-id": MOCK_DEVICE_ID,
-            "x-pow-nonce": validNonce,
+            "x-pow-nonce": boundaryNonce,
             "Content-Type": "application/json"
         }, hugePayload);
         assert.strictEqual(res.status, 413);

package/dist/domain/config/context.d.ts

@@ -0,0 +1,4 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+import { ConfigContext } from "./config.types.js";
+export declare const contextStorage: AsyncLocalStorage<ConfigContext>;
+export declare function getContext(): ConfigContext;

package/dist/domain/config/context.js

@@ -0,0 +1,9 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+export const contextStorage = new AsyncLocalStorage();
+export function getContext() {
+    const store = contextStorage.getStore();
+    if (!store) {
+        throw new Error("Security Exception: Context missing. Ensure request is wrapped in middleware.");
+    }
+    return store;
+}

package/dist/domain/config/context.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/domain/config/context.test.js

@@ -0,0 +1,34 @@
+import { describe, it } from "node:test";
+import assert from "node:assert";
+import { getContext, contextStorage } from "./context.js";
+describe("AsyncLocalStorage Context Boundary", () => {
+    it("throws error when accessing context outside of storage run", () => {
+        assert.throws(() => getContext(), /Security Exception: Context missing/);
+    });
+    it("successfully retrieves injected context payload", () => {
+        const mockContext = {
+            tenantId: "test-tenant-001",
+            deviceHash: "deadbeef"
+        };
+        contextStorage.run(mockContext, () => {
+            const ctx = getContext();
+            assert.strictEqual(ctx.tenantId, "test-tenant-001");
+            assert.strictEqual(ctx.deviceHash, "deadbeef");
+        });
+    });
+    it("maintains isolation across asynchronous boundaries", async () => {
+        const contextA = { tenantId: "tenant-A", deviceHash: "hash-A" };
+        const contextB = { tenantId: "tenant-B", deviceHash: "hash-B" };
+        const promiseA = contextStorage.run(contextA, async () => {
+            await new Promise(resolve => setTimeout(resolve, 10));
+            const ctx = getContext();
+            assert.strictEqual(ctx.tenantId, "tenant-A");
+        });
+        const promiseB = contextStorage.run(contextB, async () => {
+            await new Promise(resolve => setTimeout(resolve, 5));
+            const ctx = getContext();
+            assert.strictEqual(ctx.tenantId, "tenant-B");
+        });
+        await Promise.all([promiseA, promiseB]);
+    });
+});

package/dist/index.d.ts

@@ -1,9 +1,11 @@
 import { ServerConfig } from "@opensecurity/zonzon-core";
 export interface ControlPlaneOptions {
-    port: number;
+    port?: number;
+    socketPath?: string;
     apiKey: string;
     blindIndexSalt: string;
     initialConfig: ServerConfig;
+    configFilePath: string;
 }
 export declare class ControlPlane {
     private service;

package/dist/index.js

@@ -1,4 +1,5 @@
 import * as http from "http";
+import * as fs from "node:fs";
 import { audit } from "@opensecurity/zonzon-core";
 import { ConfigService } from "./domain/config/config.service.js";
 import { ConfigHandler } from "./domain/config/config.handler.js";
@@ -8,7 +9,7 @@ export class ControlPlane {
     options;
     constructor(options) {
         this.options = options;
-        this.service = new ConfigService(options.initialConfig);
+        this.service = new ConfigService(options.initialConfig, options.configFilePath);
     }
     subscribe(callback) {
         this.service.subscribe(callback);
@@ -26,10 +27,22 @@ export class ControlPlane {
                 });
             });
             this.server.on("error", reject);
-            this.server.listen(this.options.port, "127.0.0.1", () => {
-                audit.system(`Control Plane locked strictly to loopback interface on port ${this.options.port}`);
-                resolve();
-            });
+            if (this.options.socketPath) {
+                if (fs.existsSync(this.options.socketPath)) {
+                    fs.unlinkSync(this.options.socketPath);
+                }
+                this.server.listen(this.options.socketPath, () => {
+                    fs.chmodSync(this.options.socketPath, 0o600);
+                    audit.system(`Control Plane locked strictly to Unix Domain Socket at ${this.options.socketPath}`);
+                    resolve();
+                });
+            }
+            else {
+                this.server.listen(this.options.port || 8080, "127.0.0.1", () => {
+                    audit.system(`Control Plane locked strictly to loopback interface on port ${this.options.port || 8080}`);
+                    resolve();
+                });
+            }
         });
     }
     async stop() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opensecurity/zonzon-control-plane",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "dynamic configuration api for the core engine",
   "type": "module",
   "author": "Lucian BLETAN <neuraluc@gmail.com>",
@@ -28,7 +28,7 @@
     "build": "tsc -b"
   },
   "dependencies": {
-    "@opensecurity/zonzon-core": "^0.1.3",
+    "@opensecurity/zonzon-core": "^0.1.5",
     "zod": "^3.24.2"
   }
-}
+}