@push.rocks/smartproxy 18.0.2 → 18.2.0

package/ts/proxies/smart-proxy/smart-proxy.ts

@@ -11,12 +11,8 @@ import { RouteManager } from './route-manager.js';
 import { RouteConnectionHandler } from './route-connection-handler.js';
 import { NFTablesManager } from './nftables-manager.js';
 
-// External dependencies
-import { Port80Handler } from '../../http/port80/port80-handler.js';
-import { CertProvisioner } from '../../certificate/providers/cert-provisioner.js';
-import type { ICertificateData } from '../../certificate/models/certificate-types.js';
-import { buildPort80Handler } from '../../certificate/acme/acme-factory.js';
-import { createPort80HandlerOptions } from '../../common/port80-adapter.js';
+// Certificate manager
+import { SmartCertManager, type ICertStatus } from './certificate-manager.js';
 
 // Import types and utilities
 import type {
@@ -53,10 +49,8 @@ export class SmartProxy extends plugins.EventEmitter {
   private routeConnectionHandler: RouteConnectionHandler;
   private nftablesManager: NFTablesManager;
   
-  // Port80Handler for ACME certificate management
-  private port80Handler: Port80Handler | null = null;
-  // CertProvisioner for unified certificate workflows
-  private certProvisioner?: CertProvisioner;
+  // Certificate manager for ACME and static certificates
+  private certManager: SmartCertManager | null = null;
   
   /**
    * Constructor for SmartProxy
@@ -180,29 +174,53 @@ export class SmartProxy extends plugins.EventEmitter {
   public settings: ISmartProxyOptions;
   
   /**
-   * Initialize the Port80Handler for ACME certificate management
+   * Initialize certificate manager
    */
-  private async initializePort80Handler(): Promise<void> {
-    const config = this.settings.acme!;
-    if (!config.enabled) {
-      console.log('ACME is disabled in configuration');
+  private async initializeCertificateManager(): Promise<void> {
+    // Extract global ACME options if any routes use auto certificates
+    const autoRoutes = this.settings.routes.filter(r => 
+      r.action.tls?.certificate === 'auto'
+    );
+    
+    if (autoRoutes.length === 0 && !this.hasStaticCertRoutes()) {
+      console.log('No routes require certificate management');
       return;
     }
     
-    try {
-      // Build and start the Port80Handler
-      this.port80Handler = buildPort80Handler({
-        ...config,
-        httpsRedirectPort: config.httpsRedirectPort || 443
-      });
-      
-      // Share Port80Handler with NetworkProxyBridge before start
-      this.networkProxyBridge.setPort80Handler(this.port80Handler);
-      await this.port80Handler.start();
-      console.log(`Port80Handler started on port ${config.port}`);
-    } catch (err) {
-      console.log(`Error initializing Port80Handler: ${err}`);
+    // Use the first auto route's ACME config as defaults
+    const defaultAcme = autoRoutes[0]?.action.tls?.acme;
+    
+    this.certManager = new SmartCertManager(
+      this.settings.routes,
+      './certs', // Certificate directory
+      defaultAcme ? {
+        email: defaultAcme.email,
+        useProduction: defaultAcme.useProduction,
+        port: defaultAcme.challengePort || 80
+      } : undefined
+    );
+    
+    // Connect with NetworkProxy
+    if (this.networkProxyBridge.getNetworkProxy()) {
+      this.certManager.setNetworkProxy(this.networkProxyBridge.getNetworkProxy());
     }
+    
+    // Set route update callback for ACME challenges
+    this.certManager.setUpdateRoutesCallback(async (routes) => {
+      await this.updateRoutes(routes);
+    });
+    
+    await this.certManager.initialize();
+  }
+  
+  /**
+   * Check if we have routes with static certificates
+   */
+  private hasStaticCertRoutes(): boolean {
+    return this.settings.routes.some(r => 
+      r.action.tls?.certificate && 
+      r.action.tls.certificate !== 'auto'
+    );
   }
   
   /**
@@ -215,51 +233,18 @@ export class SmartProxy extends plugins.EventEmitter {
       return;
     }
 
-    // Pure route-based configuration - no domain configs needed
-
-    // Initialize Port80Handler if enabled
-    await this.initializePort80Handler();
-
-    // Initialize CertProvisioner for unified certificate workflows
-    if (this.port80Handler) {
-      const acme = this.settings.acme!;
-
-      // Setup route forwards
-      const routeForwards = acme.routeForwards?.map(f => f) || [];
-
-      // Create CertProvisioner with appropriate parameters
-      // No longer need to support multiple configuration types
-      // Just pass the routes directly
-      this.certProvisioner = new CertProvisioner(
-        this.settings.routes,
-        this.port80Handler,
-        this.networkProxyBridge,
-        this.settings.certProvisionFunction,
-        acme.renewThresholdDays!,
-        acme.renewCheckIntervalHours!,
-        acme.autoRenew!,
-        routeForwards
-      );
-
-      // Register certificate event handler
-      this.certProvisioner.on('certificate', (certData) => {
-        this.emit('certificate', {
-          domain: certData.domain,
-          publicKey: certData.certificate,
-          privateKey: certData.privateKey,
-          expiryDate: certData.expiryDate,
-          source: certData.source,
-          isRenewal: certData.isRenewal
-        });
-      });
-
-      await this.certProvisioner.start();
-      console.log('CertProvisioner started');
-    }
+    // Initialize certificate manager before starting servers
+    await this.initializeCertificateManager();
 
     // Initialize and start NetworkProxy if needed
     if (this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0) {
       await this.networkProxyBridge.initialize();
+      
+      // Connect NetworkProxy with certificate manager
+      if (this.certManager) {
+        this.certManager.setNetworkProxy(this.networkProxyBridge.getNetworkProxy());
+      }
+      
       await this.networkProxyBridge.start();
     }
 
@@ -371,27 +356,16 @@ export class SmartProxy extends plugins.EventEmitter {
     this.isShuttingDown = true;
     this.portManager.setShuttingDown(true);
     
-    // Stop CertProvisioner if active
-    if (this.certProvisioner) {
-      await this.certProvisioner.stop();
-      console.log('CertProvisioner stopped');
+    // Stop certificate manager
+    if (this.certManager) {
+      await this.certManager.stop();
+      console.log('Certificate manager stopped');
     }
     
     // Stop NFTablesManager
     await this.nftablesManager.stop();
     console.log('NFTablesManager stopped');
 
-    // Stop the Port80Handler if running
-    if (this.port80Handler) {
-      try {
-        await this.port80Handler.stop();
-        console.log('Port80Handler stopped');
-        this.port80Handler = null;
-      } catch (err) {
-        console.log(`Error stopping Port80Handler: ${err}`);
-      }
-    }
-
     // Stop the connection logger
     if (this.connectionLogger) {
       clearInterval(this.connectionLogger);
@@ -498,104 +472,60 @@ export class SmartProxy extends plugins.EventEmitter {
       await this.networkProxyBridge.syncRoutesToNetworkProxy(newRoutes);
     }
 
-    // If Port80Handler is running, provision certificates based on routes
-    if (this.port80Handler && this.settings.acme?.enabled) {
-      // Register all eligible domains from routes
-      this.port80Handler.addDomainsFromRoutes(newRoutes);
-
-      // Handle static certificates from certProvisionFunction if available
-      if (this.settings.certProvisionFunction) {
-        for (const route of newRoutes) {
-          // Skip routes without domains
-          if (!route.match.domains) continue;
-
-          // Skip non-forward routes
-          if (route.action.type !== 'forward') continue;
-
-          // Skip routes without TLS termination
-          if (!route.action.tls ||
-              route.action.tls.mode === 'passthrough' ||
-              !route.action.target) continue;
-
-          // Skip certificate provisioning if certificate is not auto
-          if (route.action.tls.certificate !== 'auto') continue;
-
-          const domains = Array.isArray(route.match.domains)
-            ? route.match.domains
-            : [route.match.domains];
-
-          for (const domain of domains) {
-            try {
-              const provision = await this.settings.certProvisionFunction(domain);
-
-              // Skip http01 as those are handled by Port80Handler
-              if (provision !== 'http01') {
-                // Handle static certificate (e.g., DNS-01 provisioned)
-                const certObj = provision as plugins.tsclass.network.ICert;
-                const certData: ICertificateData = {
-                  domain: certObj.domainName,
-                  certificate: certObj.publicKey,
-                  privateKey: certObj.privateKey,
-                  expiryDate: new Date(certObj.validUntil),
-                  routeReference: {
-                    routeName: route.name
-                  }
-                };
-                this.networkProxyBridge.applyExternalCertificate(certData);
-                console.log(`Applied static certificate for ${domain} from certProvider`);
-              }
-            } catch (err) {
-              console.log(`certProvider error for ${domain}: ${err}`);
-            }
-          }
-        }
+    // Update certificate manager with new routes
+    if (this.certManager) {
+      await this.certManager.stop();
+      
+      this.certManager = new SmartCertManager(
+        newRoutes,
+        './certs',
+        this.certManager.getAcmeOptions()
+      );
+      
+      if (this.networkProxyBridge.getNetworkProxy()) {
+        this.certManager.setNetworkProxy(this.networkProxyBridge.getNetworkProxy());
       }
-
-      console.log('Provisioned certificates for new routes');
+      
+      await this.certManager.initialize();
     }
   }
   
   /**
-   * Request a certificate for a specific domain
-   *
-   * @param domain The domain to request a certificate for
-   * @param routeName Optional route name to associate with the certificate
+   * Manually provision a certificate for a route
    */
-  public async requestCertificate(domain: string, routeName?: string): Promise<boolean> {
-    // Validate domain format
-    if (!this.isValidDomain(domain)) {
-      console.log(`Invalid domain format: ${domain}`);
-      return false;
+  public async provisionCertificate(routeName: string): Promise<void> {
+    if (!this.certManager) {
+      throw new Error('Certificate manager not initialized');
     }
-
-    // Use Port80Handler if available
-    if (this.port80Handler) {
-      try {
-        // Check if we already have a certificate
-        const cert = this.port80Handler.getCertificate(domain);
-        if (cert) {
-          console.log(`Certificate already exists for ${domain}, valid until ${cert.expiryDate.toISOString()}`);
-          return true;
-        }
-
-        // Register domain for certificate issuance
-        this.port80Handler.addDomain({
-          domain,
-          sslRedirect: true,
-          acmeMaintenance: true,
-          routeReference: routeName ? { routeName } : undefined
-        });
-
-        console.log(`Domain ${domain} registered for certificate issuance` + (routeName ? ` for route '${routeName}'` : ''));
-        return true;
-      } catch (err) {
-        console.log(`Error registering domain with Port80Handler: ${err}`);
-        return false;
-      }
+    
+    const route = this.settings.routes.find(r => r.name === routeName);
+    if (!route) {
+      throw new Error(`Route ${routeName} not found`);
+    }
+    
+    await this.certManager.provisionCertificate(route);
+  }
+  
+  /**
+   * Force renewal of a certificate
+   */
+  public async renewCertificate(routeName: string): Promise<void> {
+    if (!this.certManager) {
+      throw new Error('Certificate manager not initialized');
+    }
+    
+    await this.certManager.renewCertificate(routeName);
+  }
+  
+  /**
+   * Get certificate status for a route
+   */
+  public getCertificateStatus(routeName: string): ICertStatus | undefined {
+    if (!this.certManager) {
+      return undefined;
     }
     
-    // Fall back to NetworkProxyBridge
-    return this.networkProxyBridge.requestCertificate(domain);
+    return this.certManager.getCertificateStatus(routeName);
   }
   
   /**
@@ -685,8 +615,8 @@ export class SmartProxy extends plugins.EventEmitter {
       keepAliveConnections,
       networkProxyConnections,
       terminationStats,
-      acmeEnabled: !!this.port80Handler,
-      port80HandlerPort: this.port80Handler ? this.settings.acme?.port : null,
+      acmeEnabled: !!this.certManager,
+      port80HandlerPort: this.certManager ? 80 : null,
       routes: this.routeManager.getListeningPorts().length,
       listeningPorts: this.portManager.getListeningPorts(),
       activePorts: this.portManager.getListeningPorts().length
@@ -735,51 +665,4 @@ export class SmartProxy extends plugins.EventEmitter {
     return this.nftablesManager.getStatus();
   }
 
-  /**
-   * Get status of certificates managed by Port80Handler
-   */
-  public getCertificateStatus(): any {
-    if (!this.port80Handler) {
-      return {
-        enabled: false,
-        message: 'Port80Handler is not enabled'
-      };
-    }
-    
-    // Get eligible domains
-    const eligibleDomains = this.getEligibleDomainsForCertificates();
-    const certificateStatus: Record<string, any> = {};
-    
-    // Check each domain
-    for (const domain of eligibleDomains) {
-      const cert = this.port80Handler.getCertificate(domain);
-      
-      if (cert) {
-        const now = new Date();
-        const expiryDate = cert.expiryDate;
-        const daysRemaining = Math.floor((expiryDate.getTime() - now.getTime()) / (24 * 60 * 60 * 1000));
-        
-        certificateStatus[domain] = {
-          status: 'valid',
-          expiryDate: expiryDate.toISOString(),
-          daysRemaining,
-          renewalNeeded: daysRemaining <= (this.settings.acme?.renewThresholdDays ?? 0)
-        };
-      } else {
-        certificateStatus[domain] = {
-          status: 'missing',
-          message: 'No certificate found'
-        };
-      }
-    }
-    
-    const acme = this.settings.acme!;
-    return {
-      enabled: true,
-      port: acme.port!,
-      useProduction: acme.useProduction!,
-      autoRenew: acme.autoRenew!,
-      certificates: certificateStatus
-    };
-  }
 }