@serve.zone/dcrouter 13.23.0 → 13.25.0

package/ts/security/classes.security-policy-manager.ts

@@ -5,6 +5,7 @@ import type {
   IIpIntelligenceRecord,
   ISecurityBlockRule,
   ISecurityCompiledPolicy,
+  ISecurityPolicyAuditEvent,
   TSecurityBlockRuleMatchMode,
   TSecurityBlockRuleType,
 } from '../../ts_interfaces/data/security-policy.js';
@@ -15,7 +16,7 @@ export interface ISecurityPolicyManagerOptions {
 }
 
 export interface IRemoteIngressFirewallSnapshot {
-  blockedIps?: string[];
+  blockedIps: string[];
 }
 
 export class SecurityPolicyManager {
@@ -44,7 +45,7 @@ export class SecurityPolicyManager {
     await Promise.allSettled(uniqueIps.map((ip) => this.observeIp(ip)));
   }
 
-  public async observeIp(ipAddress: string): Promise<void> {
+  public async observeIp(ipAddress: string, options: { force?: boolean } = {}): Promise<void> {
     const ip = this.normalizeIp(ipAddress);
     if (!ip || !this.isPublicIp(ip) || this.inFlightObservations.has(ip)) {
       return;
@@ -54,7 +55,7 @@ export class SecurityPolicyManager {
     try {
       const now = Date.now();
       let doc = await IpIntelligenceDoc.findByIp(ip);
-      if (doc && now - doc.updatedAt < this.intelligenceRefreshMs) {
+      if (doc && !options.force && now - doc.updatedAt < this.intelligenceRefreshMs) {
         if (now - doc.lastSeenAt > 60_000) {
           doc.lastSeenAt = now;
           doc.seenCount = (doc.seenCount || 0) + 1;
@@ -90,13 +91,38 @@ export class SecurityPolicyManager {
   }
 
   public async listIpIntelligence(): Promise<IIpIntelligenceRecord[]> {
-    return (await IpIntelligenceDoc.findAll()).map((doc) => ({
+    return (await IpIntelligenceDoc.findAll()).map((doc) => this.intelligenceFromDoc(doc));
+  }
+
+  public async refreshIpIntelligence(ipAddress: string): Promise<IIpIntelligenceRecord | null> {
+    const ip = this.normalizeIp(ipAddress);
+    if (!ip || !this.isPublicIp(ip)) {
+      return null;
+    }
+    await this.observeIp(ip, { force: true });
+    const doc = await IpIntelligenceDoc.findByIp(ip);
+    return doc ? this.intelligenceFromDoc(doc) : null;
+  }
+
+  public async listAuditEvents(limit = 100): Promise<ISecurityPolicyAuditEvent[]> {
+    return (await SecurityPolicyAuditDoc.findRecent(limit)).map((doc) => ({
+      id: doc.id,
+      action: doc.action,
+      actor: doc.actor,
+      details: doc.details,
+      createdAt: doc.createdAt,
+    }));
+  }
+
+  private intelligenceFromDoc(doc: IpIntelligenceDoc): IIpIntelligenceRecord {
+    return {
       ipAddress: doc.ipAddress,
       asn: doc.asn,
       asnOrg: doc.asnOrg,
       registrantOrg: doc.registrantOrg,
       registrantCountry: doc.registrantCountry,
       networkRange: doc.networkRange,
+      networkCidrs: doc.networkCidrs,
       abuseContact: doc.abuseContact,
       country: doc.country,
       countryCode: doc.countryCode,
@@ -109,7 +135,7 @@ export class SecurityPolicyManager {
       lastSeenAt: doc.lastSeenAt,
       updatedAt: doc.updatedAt,
       seenCount: doc.seenCount,
-    }));
+    };
   }
 
   public async createBlockRule(input: {
@@ -180,16 +206,22 @@ export class SecurityPolicyManager {
       }
 
       if (rule.type === 'cidr') {
-        const cidr = this.normalizeCidr(normalizedValue);
-        if (cidr) blockedCidrs.add(cidr);
+        for (const cidr of this.normalizeNetworkEntries(normalizedValue)) {
+          blockedCidrs.add(cidr);
+        }
         continue;
       }
 
       for (const doc of intelligenceDocs) {
         if (!this.ruleMatchesIntelligence(rule, doc)) continue;
-        const cidr = this.normalizeCidr(doc.networkRange || '');
-        if (cidr) {
-          blockedCidrs.add(cidr);
+        const networkEntries = this.normalizeNetworkEntryList([
+          ...(doc.networkCidrs || []),
+          doc.networkRange,
+        ]);
+        if (networkEntries.length > 0) {
+          for (const cidr of networkEntries) {
+            blockedCidrs.add(cidr);
+          }
         } else if (this.normalizeIp(doc.ipAddress)) {
           blockedIps.add(this.normalizeIp(doc.ipAddress)!);
         }
@@ -206,13 +238,13 @@ export class SecurityPolicyManager {
     return await this.compilePolicy();
   }
 
-  public async compileRemoteIngressFirewall(): Promise<IRemoteIngressFirewallSnapshot | undefined> {
+  public async compileRemoteIngressFirewall(): Promise<IRemoteIngressFirewallSnapshot> {
     const policy = await this.compilePolicy();
     const blockedIps = [
       ...policy.blockedIps.filter((ip) => plugins.net.isIP(ip) === 4),
       ...policy.blockedCidrs.filter((cidr) => plugins.net.isIP(cidr.split('/')[0]) === 4),
     ];
-    return blockedIps.length > 0 ? { blockedIps } : undefined;
+    return { blockedIps };
   }
 
   private async matchesAnyReactiveRule(doc: IpIntelligenceDoc): Promise<boolean> {
@@ -262,6 +294,81 @@ export class SecurityPolicyManager {
     return `${ip}/${prefix}`;
   }
 
+  private normalizeNetworkEntries(value: string): string[] {
+    const trimmed = value.trim();
+    if (!trimmed) return [];
+
+    const cidr = this.normalizeCidr(trimmed);
+    if (cidr) return [cidr];
+
+    const rangeParts = trimmed.split(/\s+-\s+/);
+    if (rangeParts.length === 2) {
+      return this.ipv4RangeToCidrs(rangeParts[0], rangeParts[1]);
+    }
+
+    return [];
+  }
+
+  private normalizeNetworkEntryList(values: Array<string | null | undefined>): string[] {
+    const cidrs = new Set<string>();
+    for (const value of values) {
+      if (!value) continue;
+      for (const entry of value.split(',').map((part) => part.trim()).filter(Boolean)) {
+        for (const cidr of this.normalizeNetworkEntries(entry)) {
+          cidrs.add(cidr);
+        }
+      }
+    }
+    return [...cidrs];
+  }
+
+  private ipv4RangeToCidrs(startIp: string, endIp: string): string[] {
+    const start = this.ipv4ToBigInt(startIp);
+    const end = this.ipv4ToBigInt(endIp);
+    if (start === undefined || end === undefined || start > end) return [];
+
+    const cidrs: string[] = [];
+    let current = start;
+    while (current <= end) {
+      let maxBlockSize = current === 0n ? 1n << 32n : current & -current;
+      const remaining = end - current + 1n;
+      while (maxBlockSize > remaining) {
+        maxBlockSize = maxBlockSize / 2n;
+      }
+      const prefixLength = 32 - this.powerOfTwoExponent(maxBlockSize);
+      cidrs.push(`${this.numberToIpv4(current)}/${prefixLength}`);
+      current += maxBlockSize;
+    }
+    return cidrs;
+  }
+
+  private ipv4ToBigInt(ip: string): bigint | undefined {
+    const normalized = this.normalizeIp(ip);
+    if (!normalized || plugins.net.isIP(normalized) !== 4) return undefined;
+    return normalized
+      .split('.')
+      .reduce((sum, part) => (sum * 256n) + BigInt(Number(part)), 0n);
+  }
+
+  private numberToIpv4(value: bigint): string {
+    return [
+      Number((value >> 24n) & 255n),
+      Number((value >> 16n) & 255n),
+      Number((value >> 8n) & 255n),
+      Number(value & 255n),
+    ].join('.');
+  }
+
+  private powerOfTwoExponent(value: bigint): number {
+    let exponent = 0;
+    let remaining = value;
+    while (remaining > 1n) {
+      remaining >>= 1n;
+      exponent++;
+    }
+    return exponent;
+  }
+
   private isPublicIp(ip: string): boolean {
     const family = plugins.net.isIP(ip);
     if (family === 4) {

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.23.0',
+  version: '13.25.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts_web/appstate.ts

@@ -54,6 +54,7 @@ export interface INetworkState {
   topIPs: Array<{ ip: string; count: number }>;
   topIPsByBandwidth: Array<{ ip: string; count: number; bwIn: number; bwOut: number }>;
   throughputByIP: Array<{ ip: string; in: number; out: number }>;
+  ipIntelligence: interfaces.data.IIpIntelligenceRecord[];
   domainActivity: interfaces.data.IDomainActivity[];
   throughputHistory: Array<{ timestamp: number; in: number; out: number }>;
   requestsPerSecond: number;
@@ -66,6 +67,16 @@ export interface INetworkState {
   error: string | null;
 }
 
+export interface ISecurityPolicyState {
+  rules: interfaces.data.ISecurityBlockRule[];
+  ipIntelligence: interfaces.data.IIpIntelligenceRecord[];
+  compiledPolicy: interfaces.data.ISecurityCompiledPolicy | null;
+  auditEvents: interfaces.data.ISecurityPolicyAuditEvent[];
+  isLoading: boolean;
+  error: string | null;
+  lastUpdated: number;
+}
+
 export interface ICertificateState {
   certificates: interfaces.requests.ICertificateInfo[];
   summary: { total: number; valid: number; expiring: number; expired: number; failed: number; unknown: number };
@@ -164,6 +175,7 @@ export const networkStatePart = await appState.getStatePart<INetworkState>(
     topIPs: [],
     topIPsByBandwidth: [],
     throughputByIP: [],
+    ipIntelligence: [],
     domainActivity: [],
     throughputHistory: [],
     requestsPerSecond: 0,
@@ -178,6 +190,20 @@ export const networkStatePart = await appState.getStatePart<INetworkState>(
   'soft'
 );
 
+export const securityPolicyStatePart = await appState.getStatePart<ISecurityPolicyState>(
+  'securityPolicy',
+  {
+    rules: [],
+    ipIntelligence: [],
+    compiledPolicy: null,
+    auditEvents: [],
+    isLoading: false,
+    error: null,
+    lastUpdated: 0,
+  },
+  'soft',
+);
+
 export const emailOpsStatePart = await appState.getStatePart<IEmailOpsState>(
   'emailOps',
   {
@@ -517,9 +543,18 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
       interfaces.requests.IReq_GetNetworkStats
     >('/typedrequest', 'getNetworkStats');
 
-    const networkStatsResponse = await networkStatsRequest.fire({
-      identity: context.identity,
-    });
+    const ipIntelligenceRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_ListIpIntelligence
+    >('/typedrequest', 'listIpIntelligence');
+
+    const [networkStatsResponse, ipIntelligenceResponse] = await Promise.all([
+      networkStatsRequest.fire({
+        identity: context.identity,
+      }),
+      ipIntelligenceRequest.fire({
+        identity: context.identity,
+      }),
+    ]);
 
     // Use the connections data for the connection list
     // and network stats for throughput and IP analytics
@@ -561,6 +596,7 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
       topIPs: networkStatsResponse.topIPs || [],
       topIPsByBandwidth: networkStatsResponse.topIPsByBandwidth || [],
       throughputByIP: networkStatsResponse.throughputByIP || [],
+      ipIntelligence: ipIntelligenceResponse.records || [],
       domainActivity: networkStatsResponse.domainActivity || [],
       throughputHistory: networkStatsResponse.throughputHistory || [],
       requestsPerSecond: networkStatsResponse.requestsPerSecond || 0,
@@ -582,6 +618,182 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
   }
 });
 
+// ============================================================================
+// Security Policy Actions
+// ============================================================================
+
+export const fetchSecurityPolicyAction = securityPolicyStatePart.createAction(
+  async (statePartArg): Promise<ISecurityPolicyState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    if (!context.identity) return currentState;
+
+    try {
+      const rulesRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_ListSecurityBlockRules
+      >('/typedrequest', 'listSecurityBlockRules');
+      const intelligenceRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_ListIpIntelligence
+      >('/typedrequest', 'listIpIntelligence');
+      const compiledPolicyRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_GetCompiledSecurityPolicy
+      >('/typedrequest', 'getCompiledSecurityPolicy');
+      const auditRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_ListSecurityPolicyAudit
+      >('/typedrequest', 'listSecurityPolicyAudit');
+
+      const [rulesResponse, intelligenceResponse, compiledPolicyResponse, auditResponse] = await Promise.all([
+        rulesRequest.fire({ identity: context.identity }),
+        intelligenceRequest.fire({ identity: context.identity }),
+        compiledPolicyRequest.fire({ identity: context.identity }),
+        auditRequest.fire({ identity: context.identity, limit: 100 }),
+      ]);
+
+      return {
+        rules: rulesResponse.rules || [],
+        ipIntelligence: intelligenceResponse.records || [],
+        compiledPolicy: compiledPolicyResponse.policy,
+        auditEvents: auditResponse.events || [],
+        isLoading: false,
+        error: null,
+        lastUpdated: Date.now(),
+      };
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        isLoading: false,
+        error: error instanceof Error ? error.message : 'Failed to fetch security policy',
+      };
+    }
+  },
+);
+
+export const createSecurityBlockRuleAction = securityPolicyStatePart.createAction<{
+  type: interfaces.data.TSecurityBlockRuleType;
+  value: string;
+  matchMode?: interfaces.data.TSecurityBlockRuleMatchMode;
+  reason?: string;
+  enabled?: boolean;
+}>(async (statePartArg, dataArg, actionContext): Promise<ISecurityPolicyState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  if (!context.identity) return currentState;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_CreateSecurityBlockRule
+    >('/typedrequest', 'createSecurityBlockRule');
+
+    const response = await request.fire({
+      identity: context.identity,
+      type: dataArg.type,
+      value: dataArg.value,
+      matchMode: dataArg.matchMode,
+      reason: dataArg.reason,
+      enabled: dataArg.enabled,
+    });
+
+    if (!response.success) {
+      return { ...currentState, error: response.message || 'Failed to create security block rule' };
+    }
+
+    return await actionContext!.dispatch(fetchSecurityPolicyAction, null);
+  } catch (error: unknown) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to create security block rule',
+    };
+  }
+});
+
+export const updateSecurityBlockRuleAction = securityPolicyStatePart.createAction<{
+  id: string;
+  value?: string;
+  matchMode?: interfaces.data.TSecurityBlockRuleMatchMode;
+  reason?: string;
+  enabled?: boolean;
+}>(async (statePartArg, dataArg, actionContext): Promise<ISecurityPolicyState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  if (!context.identity) return currentState;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_UpdateSecurityBlockRule
+    >('/typedrequest', 'updateSecurityBlockRule');
+
+    const response = await request.fire({
+      identity: context.identity,
+      id: dataArg.id,
+      value: dataArg.value,
+      matchMode: dataArg.matchMode,
+      reason: dataArg.reason,
+      enabled: dataArg.enabled,
+    });
+
+    if (!response.success) {
+      return { ...currentState, error: response.message || 'Failed to update security block rule' };
+    }
+
+    return await actionContext!.dispatch(fetchSecurityPolicyAction, null);
+  } catch (error: unknown) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to update security block rule',
+    };
+  }
+});
+
+export const deleteSecurityBlockRuleAction = securityPolicyStatePart.createAction<string>(
+  async (statePartArg, ruleId, actionContext): Promise<ISecurityPolicyState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    if (!context.identity) return currentState;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_DeleteSecurityBlockRule
+      >('/typedrequest', 'deleteSecurityBlockRule');
+
+      const response = await request.fire({ identity: context.identity, id: ruleId });
+      if (!response.success) {
+        return { ...currentState, error: response.message || 'Failed to delete security block rule' };
+      }
+
+      return await actionContext!.dispatch(fetchSecurityPolicyAction, null);
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to delete security block rule',
+      };
+    }
+  },
+);
+
+export const refreshIpIntelligenceAction = securityPolicyStatePart.createAction<string>(
+  async (statePartArg, ipAddress, actionContext): Promise<ISecurityPolicyState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    if (!context.identity) return currentState;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_RefreshIpIntelligence
+      >('/typedrequest', 'refreshIpIntelligence');
+      const response = await request.fire({ identity: context.identity, ipAddress });
+      if (!response.success) {
+        return { ...currentState, error: response.message || 'Failed to refresh IP intelligence' };
+      }
+      return await actionContext!.dispatch(fetchSecurityPolicyAction, null);
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to refresh IP intelligence',
+      };
+    }
+  },
+);
+
 // ============================================================================
 // Email Operations Actions
 // ============================================================================
@@ -2665,6 +2877,27 @@ async function dispatchCombinedRefreshActionInner() {
         isLoading: false,
         error: null,
       });
+
+      try {
+        const intelligenceRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+          interfaces.requests.IReq_ListIpIntelligence
+        >('/typedrequest', 'listIpIntelligence');
+        const intelligenceResponse = await intelligenceRequest.fire({ identity: context.identity });
+        networkStatePart.setState({
+          ...networkStatePart.getState()!,
+          ipIntelligence: intelligenceResponse.records || [],
+        });
+      } catch (error) {
+        console.error('IP intelligence refresh failed:', error);
+      }
+    }
+
+    if (currentView === 'security') {
+      try {
+        await securityPolicyStatePart.dispatchAction(fetchSecurityPolicyAction, null);
+      } catch (error) {
+        console.error('Security policy refresh failed:', error);
+      }
     }
 
     // Refresh certificate data if on Domains > Certificates subview