npm - @push.rocks/smartproxy - Versions diffs - 21.1.6 → 22.4.2 - Mend

@push.rocks/smartproxy 21.1.6 → 22.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/ts/proxies/http-proxy/security-manager.ts CHANGED Viewed

@@ -1,28 +1,40 @@
-import * as plugins from '../../plugins.js';
 import type { ILogger } from './models/types.js';
 import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
 import type { IRouteContext } from '../../core/models/route-context.js';
+import {
+  isIPAuthorized,
+  normalizeIP,
+  parseBasicAuthHeader,
+  cleanupExpiredRateLimits,
+  type IRateLimitInfo
+} from '../../core/utils/security-utils.js';
 /**
- * Manages security features for the NetworkProxy
- * Implements Phase 5.4: Security features like IP filtering and rate limiting
+ * Manages security features for the HttpProxy
+ * Implements IP filtering, rate limiting, and authentication.
+ * Uses shared utilities from security-utils.ts.
  */
 export class SecurityManager {
   // Cache IP filtering results to avoid constant regex matching
   private ipFilterCache: Map<string, Map<string, boolean>> = new Map();
   // Store rate limits per route and key
-  private rateLimits: Map<string, Map<string, { count: number, expiry: number }>> = new Map();
+  private rateLimits: Map<string, Map<string, IRateLimitInfo>> = new Map();
   // Connection tracking by IP
   private connectionsByIP: Map<string, Set<string>> = new Map();
   private connectionRateByIP: Map<string, number[]> = new Map();
-  constructor(private logger: ILogger, private routes: IRouteConfig[] = [], private maxConnectionsPerIP: number = 100, private connectionRateLimitPerMinute: number = 300) {
+  constructor(
+    private logger: ILogger,
+    private routes: IRouteConfig[] = [],
+    private maxConnectionsPerIP: number = 100,
+    private connectionRateLimitPerMinute: number = 300
+  ) {
     // Start periodic cleanup for connection tracking
     this.startPeriodicIpCleanup();
   }
   /**
    * Update the routes configuration
    */
@@ -31,10 +43,10 @@ export class SecurityManager {
     // Reset caches when routes change
     this.ipFilterCache.clear();
   }
   /**
    * Check if a client is allowed to access a specific route
-   *
+   *
    * @param route The route to check access for
    * @param context The route context with client information
    * @returns True if access is allowed, false otherwise
@@ -43,26 +55,26 @@ export class SecurityManager {
     if (!route.security) {
       return true; // No security restrictions
     }
     // --- IP filtering ---
     if (!this.isIpAllowed(route, context.clientIp)) {
-      this.logger.debug(`IP ${context.clientIp} is blocked for route ${route.name || route.id || 'unnamed'}`);
+      this.logger.debug(`IP ${context.clientIp} is blocked for route ${route.name || 'unnamed'}`);
       return false;
     }
     // --- Rate limiting ---
     if (route.security.rateLimit?.enabled && !this.isWithinRateLimit(route, context)) {
-      this.logger.debug(`Rate limit exceeded for route ${route.name || route.id || 'unnamed'}`);
+      this.logger.debug(`Rate limit exceeded for route ${route.name || 'unnamed'}`);
       return false;
     }
     // --- Basic Auth (handled at HTTP level) ---
     // Basic auth is not checked here as it requires HTTP headers
     // and is handled in the RequestHandler
     return true;
   }
   /**
    * Check if an IP is allowed based on route security settings
    */
@@ -70,94 +82,32 @@ export class SecurityManager {
     if (!route.security) {
       return true; // No security restrictions
     }
-    const routeId = route.id || route.name || 'unnamed';
+    const routeId = route.name || 'unnamed';
     // Check cache first
     if (!this.ipFilterCache.has(routeId)) {
       this.ipFilterCache.set(routeId, new Map());
     }
     const routeCache = this.ipFilterCache.get(routeId)!;
     if (routeCache.has(clientIp)) {
       return routeCache.get(clientIp)!;
     }
-    let allowed = true;
-    // Check block list first (deny has priority over allow)
-    if (route.security.ipBlockList && route.security.ipBlockList.length > 0) {
-      if (this.ipMatchesPattern(clientIp, route.security.ipBlockList)) {
-        allowed = false;
-      }
-    }
-    // Then check allow list (overrides block list if specified)
-    if (route.security.ipAllowList && route.security.ipAllowList.length > 0) {
-      // If allow list is specified, IP must match an entry to be allowed
-      allowed = this.ipMatchesPattern(clientIp, route.security.ipAllowList);
-    }
+    // Use shared utility for IP authorization
+    const allowed = isIPAuthorized(
+      clientIp,
+      route.security.ipAllowList,
+      route.security.ipBlockList
+    );
     // Cache the result
     routeCache.set(clientIp, allowed);
     return allowed;
   }
-  /**
-   * Check if IP matches any pattern in the list
-   */
-  private ipMatchesPattern(ip: string, patterns: string[]): boolean {
-    for (const pattern of patterns) {
-      // CIDR notation
-      if (pattern.includes('/')) {
-        if (this.ipMatchesCidr(ip, pattern)) {
-          return true;
-        }
-      }
-      // Wildcard notation
-      else if (pattern.includes('*')) {
-        const regex = new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
-        if (regex.test(ip)) {
-          return true;
-        }
-      }
-      // Exact match
-      else if (pattern === ip) {
-        return true;
-      }
-    }
-    return false;
-  }
-  /**
-   * Check if IP matches CIDR notation
-   * Very basic implementation - for production use, consider a dedicated IP library
-   */
-  private ipMatchesCidr(ip: string, cidr: string): boolean {
-    try {
-      const [subnet, bits] = cidr.split('/');
-      const mask = parseInt(bits, 10);
-      // Convert IP to numeric format
-      const ipParts = ip.split('.').map(part => parseInt(part, 10));
-      const subnetParts = subnet.split('.').map(part => parseInt(part, 10));
-      // Calculate the numeric IP and subnet
-      const ipNum = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3];
-      const subnetNum = (subnetParts[0] << 24) | (subnetParts[1] << 16) | (subnetParts[2] << 8) | subnetParts[3];
-      // Calculate the mask
-      const maskNum = ~((1 << (32 - mask)) - 1);
-      // Check if IP is in subnet
-      return (ipNum & maskNum) === (subnetNum & maskNum);
-    } catch (e) {
-      this.logger.error(`Invalid CIDR notation: ${cidr}`);
-      return false;
-    }
-  }
   /**
    * Check if request is within rate limit
    */
@@ -165,13 +115,13 @@ export class SecurityManager {
     if (!route.security?.rateLimit?.enabled) {
       return true;
     }
     const rateLimit = route.security.rateLimit;
-    const routeId = route.id || route.name || 'unnamed';
+    const routeId = route.name || 'unnamed';
     // Determine rate limit key (by IP, path, or header)
     let key = context.clientIp; // Default to IP
     if (rateLimit.keyBy === 'path' && context.path) {
       key = `${context.clientIp}:${context.path}`;
     } else if (rateLimit.keyBy === 'header' && rateLimit.headerName && context.headers) {
@@ -180,15 +130,15 @@ export class SecurityManager {
         key = `${context.clientIp}:${headerValue}`;
       }
     }
     // Get or create rate limit tracking for this route
     if (!this.rateLimits.has(routeId)) {
       this.rateLimits.set(routeId, new Map());
     }
     const routeLimits = this.rateLimits.get(routeId)!;
     const now = Date.now();
     // Get or create rate limit tracking for this key
     let limit = routeLimits.get(key);
     if (!limit || limit.expiry < now) {
@@ -200,37 +150,30 @@ export class SecurityManager {
       routeLimits.set(key, limit);
       return true;
     }
     // Increment the counter
     limit.count++;
     // Check if rate limit is exceeded
     return limit.count <= rateLimit.maxRequests;
   }
   /**
    * Clean up expired rate limits
    * Should be called periodically to prevent memory leaks
    */
   public cleanupExpiredRateLimits(): void {
-    const now = Date.now();
-    for (const [routeId, routeLimits] of this.rateLimits.entries()) {
-      let removed = 0;
-      for (const [key, limit] of routeLimits.entries()) {
-        if (limit.expiry < now) {
-          routeLimits.delete(key);
-          removed++;
-        }
-      }
-      if (removed > 0) {
-        this.logger.debug(`Cleaned up ${removed} expired rate limits for route ${routeId}`);
-      }
-    }
+    cleanupExpiredRateLimits(this.rateLimits, {
+      info: this.logger.info.bind(this.logger),
+      warn: this.logger.warn.bind(this.logger),
+      error: this.logger.error.bind(this.logger),
+      debug: this.logger.debug?.bind(this.logger)
+    });
   }
   /**
    * Check basic auth credentials
-   *
+   *
    * @param route The route to check auth for
    * @param username The provided username
    * @param password The provided password
@@ -240,22 +183,22 @@ export class SecurityManager {
     if (!route.security?.basicAuth?.enabled) {
       return true;
     }
     const basicAuth = route.security.basicAuth;
     // Check credentials against configured users
     for (const user of basicAuth.users) {
       if (user.username === username && user.password === password) {
         return true;
       }
     }
     return false;
   }
   /**
    * Verify a JWT token
-   *
+   *
    * @param route The route to verify the token for
    * @param token The JWT token to verify
    * @returns True if the token is valid, false otherwise
@@ -264,38 +207,37 @@ export class SecurityManager {
     if (!route.security?.jwtAuth?.enabled) {
       return true;
     }
     try {
-      // This is a simplified version - in production you'd use a proper JWT library
       const jwtAuth = route.security.jwtAuth;
       // Verify structure
       const parts = token.split('.');
       if (parts.length !== 3) {
         return false;
       }
       // Decode payload
       const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
       // Check expiration
       if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
         return false;
       }
       // Check issuer
       if (jwtAuth.issuer && payload.iss !== jwtAuth.issuer) {
         return false;
       }
       // Check audience
       if (jwtAuth.audience && payload.aud !== jwtAuth.audience) {
         return false;
       }
-      // In a real implementation, you'd also verify the signature
+      // Note: In a real implementation, you'd also verify the signature
       // using the secret and algorithm specified in jwtAuth
       return true;
     } catch (err) {
       this.logger.error(`Error verifying JWT: ${err}`);
@@ -304,12 +246,20 @@ export class SecurityManager {
   }
   /**
-   * Get connections count by IP
+   * Get connections count by IP (checks normalized variants)
    */
   public getConnectionCountByIP(ip: string): number {
-    return this.connectionsByIP.get(ip)?.size || 0;
+    // Check all normalized variants of the IP
+    const variants = normalizeIP(ip);
+    for (const variant of variants) {
+      const connections = this.connectionsByIP.get(variant);
+      if (connections) {
+        return connections.size;
+      }
+    }
+    return 0;
   }
   /**
    * Check and update connection rate for an IP
    * @returns true if within rate limit, false if exceeding limit
@@ -318,43 +268,73 @@ export class SecurityManager {
     const now = Date.now();
     const minute = 60 * 1000;
-    if (!this.connectionRateByIP.has(ip)) {
-      this.connectionRateByIP.set(ip, [now]);
+    // Find existing rate tracking (check normalized variants)
+    const variants = normalizeIP(ip);
+    let existingKey: string | null = null;
+    for (const variant of variants) {
+      if (this.connectionRateByIP.has(variant)) {
+        existingKey = variant;
+        break;
+      }
+    }
+    const key = existingKey || ip;
+    if (!this.connectionRateByIP.has(key)) {
+      this.connectionRateByIP.set(key, [now]);
       return true;
     }
     // Get timestamps and filter out entries older than 1 minute
-    const timestamps = this.connectionRateByIP.get(ip)!.filter((time) => now - time < minute);
+    const timestamps = this.connectionRateByIP.get(key)!.filter((time) => now - time < minute);
     timestamps.push(now);
-    this.connectionRateByIP.set(ip, timestamps);
+    this.connectionRateByIP.set(key, timestamps);
     // Check if rate exceeds limit
     return timestamps.length <= this.connectionRateLimitPerMinute;
   }
   /**
    * Track connection by IP
    */
   public trackConnectionByIP(ip: string, connectionId: string): void {
-    if (!this.connectionsByIP.has(ip)) {
-      this.connectionsByIP.set(ip, new Set());
+    // Check if any variant already exists
+    const variants = normalizeIP(ip);
+    let existingKey: string | null = null;
+    for (const variant of variants) {
+      if (this.connectionsByIP.has(variant)) {
+        existingKey = variant;
+        break;
+      }
+    }
+    const key = existingKey || ip;
+    if (!this.connectionsByIP.has(key)) {
+      this.connectionsByIP.set(key, new Set());
     }
-    this.connectionsByIP.get(ip)!.add(connectionId);
+    this.connectionsByIP.get(key)!.add(connectionId);
   }
   /**
    * Remove connection tracking for an IP
    */
   public removeConnectionByIP(ip: string, connectionId: string): void {
-    if (this.connectionsByIP.has(ip)) {
-      const connections = this.connectionsByIP.get(ip)!;
-      connections.delete(connectionId);
-      if (connections.size === 0) {
-        this.connectionsByIP.delete(ip);
+    // Check all variants to find where the connection is tracked
+    const variants = normalizeIP(ip);
+    for (const variant of variants) {
+      if (this.connectionsByIP.has(variant)) {
+        const connections = this.connectionsByIP.get(variant)!;
+        connections.delete(connectionId);
+        if (connections.size === 0) {
+          this.connectionsByIP.delete(variant);
+        }
+        break;
       }
     }
   }
   /**
    * Check if IP should be allowed considering connection rate and max connections
    * @returns Object with result and reason
@@ -375,10 +355,10 @@ export class SecurityManager {
         reason: `Connection rate limit (${this.connectionRateLimitPerMinute}/min) exceeded`
       };
     }
     return { allowed: true };
   }
   /**
    * Clears all IP tracking data (for shutdown)
    */
@@ -386,7 +366,7 @@ export class SecurityManager {
     this.connectionsByIP.clear();
     this.connectionRateByIP.clear();
   }
   /**
    * Start periodic cleanup of IP tracking data
    */
@@ -396,7 +376,7 @@ export class SecurityManager {
       this.performIpCleanup();
     }, 60000).unref();
   }
   /**
    * Perform cleanup of expired IP data
    */
@@ -405,11 +385,11 @@ export class SecurityManager {
     const minute = 60 * 1000;
     let cleanedRateLimits = 0;
     let cleanedIPs = 0;
     // Clean up expired rate limit timestamps
     for (const [ip, timestamps] of this.connectionRateByIP.entries()) {
-      const validTimestamps = timestamps.filter(time => now - time < minute);
+      const validTimestamps = timestamps.filter((time) => now - time < minute);
       if (validTimestamps.length === 0) {
         this.connectionRateByIP.delete(ip);
         cleanedRateLimits++;
@@ -417,7 +397,7 @@ export class SecurityManager {
         this.connectionRateByIP.set(ip, validTimestamps);
       }
     }
     // Clean up IPs with no active connections
     for (const [ip, connections] of this.connectionsByIP.entries()) {
       if (connections.size === 0) {
@@ -425,7 +405,7 @@ export class SecurityManager {
         cleanedIPs++;
       }
     }
     if (cleanedRateLimits > 0 || cleanedIPs > 0) {
       this.logger.debug(`IP cleanup: removed ${cleanedIPs} IPs and ${cleanedRateLimits} rate limits`);
     }

package/ts/proxies/nftables-proxy/index.ts CHANGED Viewed

@@ -3,3 +3,4 @@
  */
 export * from './nftables-proxy.js';
 export * from './models/index.js';
+export * from './utils/index.js';