@push.rocks/smartproxy 7.2.0 → 10.0.0

package/ts/port80handler/classes.port80handler.ts

@@ -1,7 +1,15 @@
 import * as plugins from '../plugins.js';
 import { IncomingMessage, ServerResponse } from 'http';
-import * as fs from 'fs';
-import * as path from 'path';
+import { Port80HandlerEvents } from '../common/types.js';
+import type {
+  IForwardConfig,
+  IDomainOptions,
+  ICertificateData,
+  ICertificateFailure,
+  ICertificateExpiring,
+  IAcmeOptions
+} from '../common/types.js';
+// (fs and path I/O moved to CertProvisioner)
 // ACME HTTP-01 challenge handler storing tokens in memory (diskless)
 class DisklessHttp01Handler {
   private storage: Map<string, string>;
@@ -46,24 +54,6 @@ export class ServerError extends Port80HandlerError {
   }
 }
 
-/**
- * Domain forwarding configuration
- */
-export interface IForwardConfig {
-  ip: string;
-  port: number;
-}
-
-/**
- * Domain configuration options
- */
-export interface IDomainOptions {
-  domainName: string;
-  sslRedirect: boolean;   // if true redirects the request to port 443
-  acmeMaintenance: boolean; // tries to always have a valid cert for this domain
-  forward?: IForwardConfig; // forwards all http requests to that target
-  acmeForward?: IForwardConfig; // forwards letsencrypt requests to this config
-}
 
 /**
  * Represents a domain configuration with certificate status information
@@ -81,59 +71,8 @@ interface IDomainCertificate {
 /**
  * Configuration options for the Port80Handler
  */
-interface IPort80HandlerOptions {
-  port?: number;
-  contactEmail?: string;
-  useProduction?: boolean;
-  renewThresholdDays?: number;
-  httpsRedirectPort?: number;
-  renewCheckIntervalHours?: number;
-  enabled?: boolean; // Whether ACME is enabled at all
-  autoRenew?: boolean; // Whether to automatically renew certificates
-  certificateStore?: string; // Directory to store certificates
-  skipConfiguredCerts?: boolean; // Skip domains that already have certificates
-}
-
-/**
- * Certificate data that can be emitted via events or set from outside
- */
-export interface ICertificateData {
-  domain: string;
-  certificate: string;
-  privateKey: string;
-  expiryDate: Date;
-}
+// Port80Handler options moved to common types
 
-/**
- * Events emitted by the Port80Handler
- */
-export enum Port80HandlerEvents {
-  CERTIFICATE_ISSUED = 'certificate-issued',
-  CERTIFICATE_RENEWED = 'certificate-renewed',
-  CERTIFICATE_FAILED = 'certificate-failed',
-  CERTIFICATE_EXPIRING = 'certificate-expiring',
-  MANAGER_STARTED = 'manager-started',
-  MANAGER_STOPPED = 'manager-stopped',
-  REQUEST_FORWARDED = 'request-forwarded',
-}
-
-/**
- * Certificate failure payload type
- */
-export interface ICertificateFailure {
-  domain: string;
-  error: string;
-  isRenewal: boolean;
-}
-
-/**
- * Certificate expiry payload type
- */
-export interface ICertificateExpiring {
-  domain: string;
-  expiryDate: Date;
-  daysRemaining: number;
-}
 
 /**
  * Port80Handler with ACME certificate management and request forwarding capabilities
@@ -146,15 +85,16 @@ export class Port80Handler extends plugins.EventEmitter {
   // SmartAcme instance for certificate management
   private smartAcme: plugins.smartacme.SmartAcme | null = null;
   private server: plugins.http.Server | null = null;
-  private renewalTimer: NodeJS.Timeout | null = null;
+  // Renewal scheduling is handled externally by SmartProxy
+  // (Removed internal renewal timer)
   private isShuttingDown: boolean = false;
-  private options: Required<IPort80HandlerOptions>;
+  private options: Required<IAcmeOptions>;
 
   /**
    * Creates a new Port80Handler
    * @param options Configuration options
    */
-  constructor(options: IPort80HandlerOptions = {}) {
+  constructor(options: IAcmeOptions = {}) {
     super();
     this.domainCertificates = new Map<string, IDomainCertificate>();
     
@@ -163,13 +103,14 @@ export class Port80Handler extends plugins.EventEmitter {
       port: options.port ?? 80,
       contactEmail: options.contactEmail ?? 'admin@example.com',
       useProduction: options.useProduction ?? false, // Safer default: staging
-      renewThresholdDays: options.renewThresholdDays ?? 10, // Changed to 10 days as per requirements
       httpsRedirectPort: options.httpsRedirectPort ?? 443,
-      renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24,
       enabled: options.enabled ?? true, // Enable by default
-      autoRenew: options.autoRenew ?? true, // Auto-renew by default
-      certificateStore: options.certificateStore ?? './certs', // Default store location
-      skipConfiguredCerts: options.skipConfiguredCerts ?? false
+      certificateStore: options.certificateStore ?? './certs',
+      skipConfiguredCerts: options.skipConfiguredCerts ?? false,
+      renewThresholdDays: options.renewThresholdDays ?? 30,
+      renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24,
+      autoRenew: options.autoRenew ?? true,
+      domainForwards: options.domainForwards ?? []
     };
   }
 
@@ -204,10 +145,6 @@ export class Port80Handler extends plugins.EventEmitter {
 
     return new Promise((resolve, reject) => {
       try {
-        // Load certificates from store if enabled
-        if (this.options.certificateStore) {
-          this.loadCertificatesFromStore();
-        }
         
         this.server = plugins.http.createServer((req, res) => this.handleRequest(req, res));
         
@@ -223,7 +160,6 @@ export class Port80Handler extends plugins.EventEmitter {
         
         this.server.listen(this.options.port, () => {
           console.log(`Port80Handler is listening on port ${this.options.port}`);
-          this.startRenewalTimer();
           this.emit(Port80HandlerEvents.MANAGER_STARTED, this.options.port);
           
           // Start certificate process for domains with acmeMaintenance enabled
@@ -260,11 +196,6 @@ export class Port80Handler extends plugins.EventEmitter {
     
     this.isShuttingDown = true;
     
-    // Stop the renewal timer
-    if (this.renewalTimer) {
-      clearInterval(this.renewalTimer);
-      this.renewalTimer = null;
-    }
 
     return new Promise<void>((resolve) => {
       if (this.server) {
@@ -379,10 +310,7 @@ export class Port80Handler extends plugins.EventEmitter {
     
     console.log(`Certificate set for ${domain}`);
     
-    // Save certificate to store if enabled
-    if (this.options.certificateStore) {
-      this.saveCertificateToStore(domain, certificate, privateKey);
-    }
+    // (Persistence of certificates moved to CertProvisioner)
     
     // Emit certificate event
     this.emitCertificateEvent(Port80HandlerEvents.CERTIFICATE_ISSUED, {
@@ -417,134 +345,7 @@ export class Port80Handler extends plugins.EventEmitter {
     };
   }
 
-  /**
-   * Saves a certificate to the filesystem store
-   * @param domain The domain for the certificate
-   * @param certificate The certificate (PEM format)
-   * @param privateKey The private key (PEM format)
-   * @private
-   */
-  private saveCertificateToStore(domain: string, certificate: string, privateKey: string): void {
-    // Skip if certificate store is not enabled
-    if (!this.options.certificateStore) return;
-    
-    try {
-      const storePath = this.options.certificateStore;
-      
-      // Ensure the directory exists
-      if (!fs.existsSync(storePath)) {
-        fs.mkdirSync(storePath, { recursive: true });
-        console.log(`Created certificate store directory: ${storePath}`);
-      }
-      
-      const certPath = path.join(storePath, `${domain}.cert.pem`);
-      const keyPath = path.join(storePath, `${domain}.key.pem`);
-      
-      // Write certificate and private key files
-      fs.writeFileSync(certPath, certificate);
-      fs.writeFileSync(keyPath, privateKey);
-      
-      // Set secure permissions for private key
-      try {
-        fs.chmodSync(keyPath, 0o600);
-      } catch (err) {
-        console.log(`Warning: Could not set secure permissions on ${keyPath}`);
-      }
-      
-      console.log(`Saved certificate for ${domain} to ${certPath}`);
-    } catch (err) {
-      console.error(`Error saving certificate for ${domain}:`, err);
-    }
-  }
 
-  /**
-   * Loads certificates from the certificate store
-   * @private
-   */
-  private loadCertificatesFromStore(): void {
-    if (!this.options.certificateStore) return;
-    
-    try {
-      const storePath = this.options.certificateStore;
-      
-      // Ensure the directory exists
-      if (!fs.existsSync(storePath)) {
-        fs.mkdirSync(storePath, { recursive: true });
-        console.log(`Created certificate store directory: ${storePath}`);
-        return;
-      }
-      
-      // Get list of certificate files
-      const files = fs.readdirSync(storePath);
-      const certFiles = files.filter(file => file.endsWith('.cert.pem'));
-      
-      // Load each certificate
-      for (const certFile of certFiles) {
-        const domain = certFile.replace('.cert.pem', '');
-        const keyFile = `${domain}.key.pem`;
-        
-        // Skip if key file doesn't exist
-        if (!files.includes(keyFile)) {
-          console.log(`Warning: Found certificate for ${domain} but no key file`);
-          continue;
-        }
-        
-        // Skip if we should skip configured certs
-        if (this.options.skipConfiguredCerts) {
-          const domainInfo = this.domainCertificates.get(domain);
-          if (domainInfo && domainInfo.certObtained) {
-            console.log(`Skipping already configured certificate for ${domain}`);
-            continue;
-          }
-        }
-        
-        // Load certificate and key
-        try {
-          const certificate = fs.readFileSync(path.join(storePath, certFile), 'utf8');
-          const privateKey = fs.readFileSync(path.join(storePath, keyFile), 'utf8');
-          
-          // Extract expiry date
-          let expiryDate: Date | undefined;
-          try {
-            const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
-            if (matches && matches[1]) {
-              expiryDate = new Date(matches[1]);
-            }
-          } catch (err) {
-            console.log(`Warning: Could not extract expiry date from certificate for ${domain}`);
-          }
-          
-          // Check if domain is already registered
-          let domainInfo = this.domainCertificates.get(domain);
-          if (!domainInfo) {
-            // Register domain if not already registered
-            domainInfo = {
-              options: {
-                domainName: domain,
-                sslRedirect: true,
-                acmeMaintenance: true
-              },
-              certObtained: false,
-              obtainingInProgress: false
-            };
-            this.domainCertificates.set(domain, domainInfo);
-          }
-          
-          // Set certificate
-          domainInfo.certificate = certificate;
-          domainInfo.privateKey = privateKey;
-          domainInfo.certObtained = true;
-          domainInfo.expiryDate = expiryDate;
-          
-          console.log(`Loaded certificate for ${domain} from store, valid until ${expiryDate?.toISOString() || 'unknown'}`);
-        } catch (err) {
-          console.error(`Error loading certificate for ${domain}:`, err);
-        }
-      }
-    } catch (err) {
-      console.error('Error loading certificates from store:', err);
-    }
-  }
 
   /**
    * Check if a domain is a glob pattern
@@ -634,13 +435,19 @@ export class Port80Handler extends plugins.EventEmitter {
     const { domainInfo, pattern } = domainMatch;
     const options = domainInfo.options;
 
-    // Serve or forward ACME HTTP-01 challenge requests
-    if (req.url && req.url.startsWith('/.well-known/acme-challenge/') && options.acmeMaintenance) {
+    // Handle ACME HTTP-01 challenge requests or forwarding
+    if (req.url && req.url.startsWith('/.well-known/acme-challenge/')) {
       // Forward ACME requests if configured
       if (options.acmeForward) {
         this.forwardRequest(req, res, options.acmeForward, 'ACME challenge');
         return;
       }
+      // If not managing ACME for this domain, return 404
+      if (!options.acmeMaintenance) {
+        res.statusCode = 404;
+        res.end('Not found');
+        return;
+      }
       // Serve challenge response from in-memory storage
       const token = req.url.split('/').pop() || '';
       const keyAuth = this.acmeHttp01Storage.get(token);
@@ -804,9 +611,7 @@ export class Port80Handler extends plugins.EventEmitter {
       domainInfo.expiryDate = expiryDate;
 
       console.log(`Certificate ${isRenewal ? 'renewed' : 'obtained'} for ${domain}`);
-      if (this.options.certificateStore) {
-        this.saveCertificateToStore(domain, certificate, privateKey);
-      }
+      // Persistence moved to CertProvisioner
       const eventType = isRenewal
         ? Port80HandlerEvents.CERTIFICATE_RENEWED
         : Port80HandlerEvents.CERTIFICATE_ISSUED;
@@ -830,89 +635,6 @@ export class Port80Handler extends plugins.EventEmitter {
     }
   }
 
-  /**
-   * Starts the certificate renewal timer
-   */
-  private startRenewalTimer(): void {
-    if (this.renewalTimer) {
-      clearInterval(this.renewalTimer);
-    }
-    
-    // Convert hours to milliseconds
-    const checkInterval = this.options.renewCheckIntervalHours * 60 * 60 * 1000;
-    
-    this.renewalTimer = setInterval(() => this.checkForRenewals(), checkInterval);
-    
-    // Prevent the timer from keeping the process alive
-    if (this.renewalTimer.unref) {
-      this.renewalTimer.unref();
-    }
-    
-    console.log(`Certificate renewal check scheduled every ${this.options.renewCheckIntervalHours} hours`);
-  }
-
-  /**
-   * Checks for certificates that need renewal
-   */
-  private checkForRenewals(): void {
-    if (this.isShuttingDown) {
-      return;
-    }
-    
-    // Skip renewal if auto-renewal is disabled
-    if (this.options.autoRenew === false) {
-      console.log('Auto-renewal is disabled, skipping certificate renewal check');
-      return;
-    }
-    
-    console.log('Checking for certificates that need renewal...');
-    
-    const now = new Date();
-    const renewThresholdMs = this.options.renewThresholdDays * 24 * 60 * 60 * 1000;
-    
-    for (const [domain, domainInfo] of this.domainCertificates.entries()) {
-      // Skip glob patterns
-      if (this.isGlobPattern(domain)) {
-        continue;
-      }
-      
-      // Skip domains with acmeMaintenance disabled
-      if (!domainInfo.options.acmeMaintenance) {
-        continue;
-      }
-      
-      // Skip domains without certificates or already in renewal
-      if (!domainInfo.certObtained || domainInfo.obtainingInProgress) {
-        continue;
-      }
-      
-      // Skip domains without expiry dates
-      if (!domainInfo.expiryDate) {
-        continue;
-      }
-      
-      const timeUntilExpiry = domainInfo.expiryDate.getTime() - now.getTime();
-      
-      // Check if certificate is near expiry
-      if (timeUntilExpiry <= renewThresholdMs) {
-        console.log(`Certificate for ${domain} expires soon, renewing...`);
-        
-        const daysRemaining = Math.ceil(timeUntilExpiry / (24 * 60 * 60 * 1000));
-        
-        this.emit(Port80HandlerEvents.CERTIFICATE_EXPIRING, {
-          domain,
-          expiryDate: domainInfo.expiryDate,
-          daysRemaining
-        } as ICertificateExpiring);
-        
-        // Start renewal process
-        this.obtainCertificate(domain, true).catch(err => {
-          const errorMessage = err instanceof Error ? err.message : 'Unknown error';
-          console.error(`Error renewing certificate for ${domain}:`, errorMessage);
-        });
-      }
-    }
-  }
   
   /**
    * Extract expiry date from certificate using a more robust approach
@@ -1038,7 +760,19 @@ export class Port80Handler extends plugins.EventEmitter {
    * Gets configuration details
    * @returns Current configuration
    */
-  public getConfig(): Required<IPort80HandlerOptions> {
+  public getConfig(): Required<IAcmeOptions> {
     return { ...this.options };
   }
+  
+  /**
+   * Request a certificate renewal for a specific domain.
+   * @param domain The domain to renew.
+   */
+  public async renewCertificate(domain: string): Promise<void> {
+    if (!this.domainCertificates.has(domain)) {
+      throw new Port80HandlerError(`Domain not managed: ${domain}`);
+    }
+    // Trigger renewal via ACME
+    await this.obtainCertificate(domain, true);
+  }
 }

package/ts/smartproxy/classes.pp.certprovisioner.ts

@@ -0,0 +1,188 @@
+import * as plugins from '../plugins.js';
+import type { IDomainConfig, ISmartProxyCertProvisionObject } from './classes.pp.interfaces.js';
+import { Port80Handler } from '../port80handler/classes.port80handler.js';
+import { Port80HandlerEvents } from '../common/types.js';
+import { subscribeToPort80Handler } from '../common/eventUtils.js';
+import type { ICertificateData } from '../common/types.js';
+import type { NetworkProxyBridge } from './classes.pp.networkproxybridge.js';
+
+/**
+ * CertProvisioner manages certificate provisioning and renewal workflows,
+ * unifying static certificates and HTTP-01 challenges via Port80Handler.
+ */
+export class CertProvisioner extends plugins.EventEmitter {
+  private domainConfigs: IDomainConfig[];
+  private port80Handler: Port80Handler;
+  private networkProxyBridge: NetworkProxyBridge;
+  private certProvider?: (domain: string) => Promise<ISmartProxyCertProvisionObject>;
+  private forwardConfigs: Array<{ domain: string; forwardConfig?: { ip: string; port: number }; acmeForwardConfig?: { ip: string; port: number }; sslRedirect: boolean }>;
+  private renewThresholdDays: number;
+  private renewCheckIntervalHours: number;
+  private autoRenew: boolean;
+  private renewManager?: plugins.taskbuffer.TaskManager;
+  // Track provisioning type per domain: 'http01' or 'static'
+  private provisionMap: Map<string, 'http01' | 'static'>;
+
+  /**
+   * @param domainConfigs Array of domain configuration objects
+   * @param port80Handler HTTP-01 challenge handler instance
+   * @param networkProxyBridge Bridge for applying external certificates
+   * @param certProvider Optional callback returning a static cert or 'http01'
+   * @param renewThresholdDays Days before expiry to trigger renewals
+   * @param renewCheckIntervalHours Interval in hours to check for renewals
+   * @param autoRenew Whether to automatically schedule renewals
+   */
+  constructor(
+    domainConfigs: IDomainConfig[],
+    port80Handler: Port80Handler,
+    networkProxyBridge: NetworkProxyBridge,
+    certProvider?: (domain: string) => Promise<ISmartProxyCertProvisionObject>,
+    renewThresholdDays: number = 30,
+    renewCheckIntervalHours: number = 24,
+    autoRenew: boolean = true,
+    forwardConfigs: Array<{ domain: string; forwardConfig?: { ip: string; port: number }; acmeForwardConfig?: { ip: string; port: number }; sslRedirect: boolean }> = []
+  ) {
+    super();
+    this.domainConfigs = domainConfigs;
+    this.port80Handler = port80Handler;
+    this.networkProxyBridge = networkProxyBridge;
+    this.certProvider = certProvider;
+    this.renewThresholdDays = renewThresholdDays;
+    this.renewCheckIntervalHours = renewCheckIntervalHours;
+    this.autoRenew = autoRenew;
+    this.provisionMap = new Map();
+    this.forwardConfigs = forwardConfigs;
+  }
+
+  /**
+   * Start initial provisioning and schedule renewals.
+   */
+  public async start(): Promise<void> {
+    // Subscribe to Port80Handler certificate events
+    subscribeToPort80Handler(this.port80Handler, {
+      onCertificateIssued: (data: ICertificateData) => {
+        this.emit('certificate', { ...data, source: 'http01', isRenewal: false });
+      },
+      onCertificateRenewed: (data: ICertificateData) => {
+        this.emit('certificate', { ...data, source: 'http01', isRenewal: true });
+      }
+    });
+
+    // Apply external forwarding for ACME challenges (e.g. Synology)
+    for (const f of this.forwardConfigs) {
+      this.port80Handler.addDomain({
+        domainName: f.domain,
+        sslRedirect: f.sslRedirect,
+        acmeMaintenance: false,
+        forward: f.forwardConfig,
+        acmeForward: f.acmeForwardConfig
+      });
+    }
+    // Initial provisioning for all domains
+    const domains = this.domainConfigs.flatMap(cfg => cfg.domains);
+    for (const domain of domains) {
+      // Skip wildcard domains
+      if (domain.includes('*')) continue;
+      let provision: ISmartProxyCertProvisionObject | 'http01' = 'http01';
+      if (this.certProvider) {
+        try {
+          provision = await this.certProvider(domain);
+        } catch (err) {
+          console.error(`certProvider error for ${domain}:`, err);
+        }
+      }
+      if (provision === 'http01') {
+        this.provisionMap.set(domain, 'http01');
+        this.port80Handler.addDomain({ domainName: domain, sslRedirect: true, acmeMaintenance: true });
+      } else {
+        this.provisionMap.set(domain, 'static');
+        const certObj = provision as plugins.tsclass.network.ICert;
+        const certData: ICertificateData = {
+          domain: certObj.domainName,
+          certificate: certObj.publicKey,
+          privateKey: certObj.privateKey,
+          expiryDate: new Date(certObj.validUntil)
+        };
+        this.networkProxyBridge.applyExternalCertificate(certData);
+        this.emit('certificate', { ...certData, source: 'static', isRenewal: false });
+      }
+    }
+
+    // Schedule renewals if enabled
+    if (this.autoRenew) {
+      this.renewManager = new plugins.taskbuffer.TaskManager();
+      const renewTask = new plugins.taskbuffer.Task({
+        name: 'CertificateRenewals',
+        taskFunction: async () => {
+          for (const [domain, type] of this.provisionMap.entries()) {
+            // Skip wildcard domains
+            if (domain.includes('*')) continue;
+            try {
+              if (type === 'http01') {
+                await this.port80Handler.renewCertificate(domain);
+              } else if (type === 'static' && this.certProvider) {
+                const provision2 = await this.certProvider(domain);
+                if (provision2 !== 'http01') {
+                  const certObj = provision2 as plugins.tsclass.network.ICert;
+                  const certData: ICertificateData = {
+                    domain: certObj.domainName,
+                    certificate: certObj.publicKey,
+                    privateKey: certObj.privateKey,
+                    expiryDate: new Date(certObj.validUntil)
+                  };
+                  this.networkProxyBridge.applyExternalCertificate(certData);
+                  this.emit('certificate', { ...certData, source: 'static', isRenewal: true });
+                }
+              }
+            } catch (err) {
+              console.error(`Renewal error for ${domain}:`, err);
+            }
+          }
+        }
+      });
+      const hours = this.renewCheckIntervalHours;
+      const cronExpr = `0 0 */${hours} * * *`;
+      this.renewManager.addAndScheduleTask(renewTask, cronExpr);
+      this.renewManager.start();
+    }
+  }
+
+  /**
+   * Stop all scheduled renewal tasks.
+   */
+  public async stop(): Promise<void> {
+    // Stop scheduled renewals
+    if (this.renewManager) {
+      this.renewManager.stop();
+    }
+  }
+
+  /**
+   * Request a certificate on-demand for the given domain.
+   * @param domain Domain name to provision
+   */
+  public async requestCertificate(domain: string): Promise<void> {
+    // Skip wildcard domains
+    if (domain.includes('*')) {
+      throw new Error(`Cannot request certificate for wildcard domain: ${domain}`);
+    }
+    // Determine provisioning method
+    let provision: ISmartProxyCertProvisionObject | 'http01' = 'http01';
+    if (this.certProvider) {
+      provision = await this.certProvider(domain);
+    }
+    if (provision === 'http01') {
+      await this.port80Handler.renewCertificate(domain);
+    } else {
+      const certObj = provision as plugins.tsclass.network.ICert;
+      const certData: ICertificateData = {
+        domain: certObj.domainName,
+        certificate: certObj.publicKey,
+        privateKey: certObj.privateKey,
+        expiryDate: new Date(certObj.validUntil)
+      };
+      this.networkProxyBridge.applyExternalCertificate(certData);
+      this.emit('certificate', { ...certData, source: 'static', isRenewal: false });
+    }
+  }
+}