@serve.zone/dcrouter 13.32.1 → 13.34.0

package/ts/config/classes.target-profile-manager.ts

@@ -5,6 +5,8 @@ import type { ITargetProfile, ITargetProfileTarget } from '../../ts_interfaces/d
 import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
 import type { IRoute } from '../../ts_interfaces/data/route-management.js';
 
+type TIpAllowEntry = string | { ip: string; domains?: string[] };
+
 /**
  * Manages TargetProfiles (target-side: what can be accessed).
  * TargetProfiles define what resources a VPN client can reach:
@@ -35,6 +37,7 @@ export class TargetProfileManager {
     domains?: string[];
     targets?: ITargetProfileTarget[];
     routeRefs?: string[];
+    allowRoutesByClientSourceIp?: boolean;
     createdBy: string;
   }): Promise<string> {
     // Enforce unique profile names
@@ -55,6 +58,7 @@ export class TargetProfileManager {
       domains: data.domains,
       targets: data.targets,
       routeRefs,
+      allowRoutesByClientSourceIp: data.allowRoutesByClientSourceIp === true,
       createdAt: now,
       updatedAt: now,
       createdBy: data.createdBy,
@@ -88,6 +92,9 @@ export class TargetProfileManager {
     if (patch.domains !== undefined) profile.domains = patch.domains;
     if (patch.targets !== undefined) profile.targets = patch.targets;
     if (patch.routeRefs !== undefined) profile.routeRefs = this.normalizeRouteRefs(patch.routeRefs);
+    if (patch.allowRoutesByClientSourceIp !== undefined) {
+      profile.allowRoutesByClientSourceIp = patch.allowRoutesByClientSourceIp === true;
+    }
     profile.updatedAt = Date.now();
 
     await this.persistProfile(profile);
@@ -208,13 +215,15 @@ export class TargetProfileManager {
    *
    * Entries are domain-scoped when a profile matches via specific domains that are
    * a subset of the route's wildcard. Plain IPs are returned for routeRef/target matches
-   * or when profile domains exactly equal the route's domains.
+   * or when profile domains exactly equal the route's domains. Profiles can also opt
+   * into source-IP matching against non-vpnOnly route security.
    */
   public getMatchingClientIps(
     route: IDcRouterRouteConfig,
     routeId: string | undefined,
     clients: VpnClientDoc[],
     allRoutes: Map<string, IRoute> = new Map(),
+    clientSourceIps: Map<string, string> = new Map(),
   ): Array<string | { ip: string; domains: string[] }> {
     const entries: Array<string | { ip: string; domains: string[] }> = [];
     const routeDomains = this.getRouteDomains(route);
@@ -227,6 +236,7 @@ export class TargetProfileManager {
       // Collect scoped domains from all matching profiles for this client
       let fullAccess = false;
       const scopedDomains = new Set<string>();
+      const clientSourceIp = clientSourceIps.get(client.clientId);
 
       for (const profileId of client.targetProfileIds) {
         const profile = this.profiles.get(profileId);
@@ -246,6 +256,16 @@ export class TargetProfileManager {
         if (matchResult !== 'none') {
           for (const d of matchResult.domains) scopedDomains.add(d);
         }
+
+        if (
+          !route.vpnOnly
+          && profile.allowRoutesByClientSourceIp === true
+          && clientSourceIp
+          && this.routeAllowsSourceIp(route, clientSourceIp, routeDomains)
+        ) {
+          fullAccess = true;
+          break;
+        }
       }
 
       if (fullAccess) {
@@ -265,6 +285,7 @@ export class TargetProfileManager {
   public getClientAccessSpec(
     targetProfileIds: string[],
     allRoutes: Map<string, IRoute>,
+    clientSourceIp?: string,
   ): { domains: string[]; targetIps: string[] } {
     const domains = new Set<string>();
     const targetIps = new Set<string>();
@@ -292,13 +313,20 @@ export class TargetProfileManager {
       // Route references: scan all routes
       for (const [routeId, route] of allRoutes) {
         if (!route.enabled) continue;
-        if (this.routeMatchesProfile(
-          route.route as IDcRouterRouteConfig,
+        const dcRoute = route.route as IDcRouterRouteConfig;
+        const routeDomains = this.getRouteDomains(dcRoute);
+        const profileMatchesRoute = this.routeMatchesProfile(
+          dcRoute,
           routeId,
           profile,
           routeNameIndex,
-        )) {
-          for (const d of this.getRouteDomains(route.route as IDcRouterRouteConfig)) {
+        );
+        const sourceIpMatchesRoute = profile.allowRoutesByClientSourceIp === true
+          && clientSourceIp
+          && !dcRoute.vpnOnly
+          && this.routeAllowsSourceIp(dcRoute, clientSourceIp, routeDomains);
+        if (profileMatchesRoute || sourceIpMatchesRoute) {
+          for (const d of routeDomains) {
             domains.add(d);
           }
         }
@@ -422,6 +450,199 @@ export class TargetProfileManager {
     return false;
   }
 
+  private routeAllowsSourceIp(
+    route: IDcRouterRouteConfig,
+    sourceIp: string,
+    routeDomains: string[],
+  ): boolean {
+    const security = (route as any).security;
+    const ipAllowList = this.normalizeIpEntries(security?.ipAllowList);
+    const ipBlockList = this.normalizeIpEntries(security?.ipBlockList);
+
+    if (this.ipEntriesMatchSource(ipBlockList, sourceIp, routeDomains)) {
+      return false;
+    }
+
+    if (!ipAllowList.length) {
+      return true;
+    }
+
+    return this.ipEntriesMatchSource(ipAllowList, sourceIp, routeDomains);
+  }
+
+  private normalizeIpEntries(entries: unknown): TIpAllowEntry[] {
+    if (!entries) return [];
+    if (Array.isArray(entries)) return entries as TIpAllowEntry[];
+    return [entries as TIpAllowEntry];
+  }
+
+  private ipEntriesMatchSource(
+    entries: TIpAllowEntry[],
+    sourceIp: string,
+    routeDomains: string[],
+  ): boolean {
+    return entries.some((entry) => this.ipEntryMatchesSource(entry, sourceIp, routeDomains));
+  }
+
+  private ipEntryMatchesSource(
+    entry: TIpAllowEntry,
+    sourceIp: string,
+    routeDomains: string[],
+  ): boolean {
+    const ipPattern = typeof entry === 'string' ? entry : entry.ip;
+    if (typeof ipPattern !== 'string') return false;
+    if (!this.ipPatternMatchesSource(ipPattern, sourceIp)) {
+      return false;
+    }
+
+    if (typeof entry === 'string' || !entry.domains?.length) {
+      return true;
+    }
+
+    if (!routeDomains.length) {
+      return false;
+    }
+
+    return routeDomains.some((routeDomain) =>
+      entry.domains!.some((entryDomain) =>
+        this.domainMatchesPattern(routeDomain, entryDomain)
+        || this.domainMatchesPattern(entryDomain, routeDomain),
+      ),
+    );
+  }
+
+  private ipPatternMatchesSource(pattern: string, sourceIp: string): boolean {
+    const trimmedPattern = pattern.trim();
+    const trimmedSourceIp = sourceIp.trim();
+    if (!trimmedPattern || !trimmedSourceIp) return false;
+    if (trimmedPattern === '*') return true;
+    if (trimmedPattern === trimmedSourceIp) return true;
+
+    if (trimmedPattern.includes('/')) {
+      return this.ipMatchesCidr(trimmedSourceIp, trimmedPattern);
+    }
+
+    if (trimmedPattern.includes('-')) {
+      return this.ipMatchesRange(trimmedSourceIp, trimmedPattern);
+    }
+
+    if (trimmedPattern.includes('*')) {
+      return this.ipMatchesWildcard(trimmedSourceIp, trimmedPattern);
+    }
+
+    return false;
+  }
+
+  private ipMatchesCidr(sourceIp: string, cidr: string): boolean {
+    const [networkIp, prefixString] = cidr.split('/');
+    if (!networkIp || !prefixString) return false;
+    const source = this.ipToComparable(sourceIp);
+    const network = this.ipToComparable(networkIp);
+    const prefix = Number(prefixString);
+    if (!source || !network || source.version !== network.version) return false;
+
+    const bitCount = source.version === 4 ? 32 : 128;
+    if (!Number.isInteger(prefix) || prefix < 0 || prefix > bitCount) return false;
+    if (prefix === 0) return true;
+
+    const shift = BigInt(bitCount - prefix);
+    return (source.value >> shift) === (network.value >> shift);
+  }
+
+  private ipMatchesRange(sourceIp: string, range: string): boolean {
+    const [startIp, endIp] = range.split('-').map((part) => part.trim());
+    if (!startIp || !endIp) return false;
+    const source = this.ipToComparable(sourceIp);
+    const start = this.ipToComparable(startIp);
+    const end = this.ipToComparable(endIp);
+    if (!source || !start || !end) return false;
+    if (source.version !== start.version || source.version !== end.version) return false;
+    return source.value >= start.value && source.value <= end.value;
+  }
+
+  private ipMatchesWildcard(sourceIp: string, pattern: string): boolean {
+    const sourceParts = sourceIp.split('.');
+    const patternParts = pattern.split('.');
+    if (sourceParts.length !== 4 || patternParts.length !== 4) return false;
+
+    return patternParts.every((patternPart, index) => {
+      if (patternPart === '*') return true;
+      return patternPart === sourceParts[index];
+    });
+  }
+
+  private ipToComparable(ip: string): { version: 4 | 6; value: bigint } | undefined {
+    const normalizedIp = this.normalizeIpLiteral(ip);
+    const ipVersion = plugins.net.isIP(normalizedIp);
+    if (ipVersion === 4) {
+      const parts = normalizedIp.split('.').map((part) => Number(part));
+      if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
+        return undefined;
+      }
+      return {
+        version: 4,
+        value: parts.reduce((value, part) => (value << 8n) + BigInt(part), 0n),
+      };
+    }
+
+    if (ipVersion === 6) {
+      const parts = this.expandIpv6(normalizedIp);
+      if (!parts) return undefined;
+      return {
+        version: 6,
+        value: parts.reduce((value, part) => (value << 16n) + BigInt(part), 0n),
+      };
+    }
+
+    return undefined;
+  }
+
+  private normalizeIpLiteral(ip: string): string {
+    const trimmed = ip.trim().replace(/^\[|\]$/g, '');
+    const zoneIndex = trimmed.indexOf('%');
+    const withoutZone = zoneIndex === -1 ? trimmed : trimmed.slice(0, zoneIndex);
+    const ipv4MappedPrefix = '::ffff:';
+    if (withoutZone.toLowerCase().startsWith(ipv4MappedPrefix)) {
+      const mappedIpv4 = withoutZone.slice(ipv4MappedPrefix.length);
+      if (plugins.net.isIP(mappedIpv4) === 4) return mappedIpv4;
+    }
+    return withoutZone;
+  }
+
+  private expandIpv6(ip: string): number[] | undefined {
+    let normalizedIp = ip.toLowerCase();
+    if (normalizedIp.includes('.')) {
+      const lastColonIndex = normalizedIp.lastIndexOf(':');
+      const ipv4Part = normalizedIp.slice(lastColonIndex + 1);
+      const ipv4Comparable = this.ipToComparable(ipv4Part);
+      if (!ipv4Comparable || ipv4Comparable.version !== 4) return undefined;
+      const high = Number((ipv4Comparable.value >> 16n) & 0xffffn).toString(16);
+      const low = Number(ipv4Comparable.value & 0xffffn).toString(16);
+      normalizedIp = `${normalizedIp.slice(0, lastColonIndex)}:${high}:${low}`;
+    }
+
+    const doubleColonParts = normalizedIp.split('::');
+    if (doubleColonParts.length > 2) return undefined;
+
+    const head = doubleColonParts[0] ? doubleColonParts[0].split(':') : [];
+    const tail = doubleColonParts[1] ? doubleColonParts[1].split(':') : [];
+    const missingCount = 8 - head.length - tail.length;
+    if (missingCount < 0 || (doubleColonParts.length === 1 && missingCount !== 0)) return undefined;
+
+    const parts = [
+      ...head,
+      ...Array(missingCount).fill('0'),
+      ...tail,
+    ];
+    if (parts.length !== 8) return undefined;
+
+    const numbers = parts.map((part) => Number.parseInt(part || '0', 16));
+    if (numbers.some((part) => !Number.isInteger(part) || part < 0 || part > 0xffff)) {
+      return undefined;
+    }
+    return numbers;
+  }
+
   private getRouteDomains(route: IDcRouterRouteConfig): string[] {
     const domains = (route.match as any)?.domains;
     if (!domains) return [];
@@ -503,6 +724,7 @@ export class TargetProfileManager {
           domains: doc.domains,
           targets: doc.targets,
           routeRefs: doc.routeRefs,
+          allowRoutesByClientSourceIp: doc.allowRoutesByClientSourceIp === true,
           createdAt: doc.createdAt,
           updatedAt: doc.updatedAt,
           createdBy: doc.createdBy,
@@ -522,6 +744,7 @@ export class TargetProfileManager {
       existingDoc.domains = profile.domains;
       existingDoc.targets = profile.targets;
       existingDoc.routeRefs = profile.routeRefs;
+      existingDoc.allowRoutesByClientSourceIp = profile.allowRoutesByClientSourceIp === true;
       existingDoc.updatedAt = profile.updatedAt;
       await existingDoc.save();
     } else {
@@ -532,6 +755,7 @@ export class TargetProfileManager {
       doc.domains = profile.domains;
       doc.targets = profile.targets;
       doc.routeRefs = profile.routeRefs;
+      doc.allowRoutesByClientSourceIp = profile.allowRoutesByClientSourceIp === true;
       doc.createdAt = profile.createdAt;
       doc.updatedAt = profile.updatedAt;
       doc.createdBy = profile.createdBy;

package/ts/db/documents/classes.target-profile.doc.ts

@@ -25,6 +25,9 @@ export class TargetProfileDoc extends plugins.smartdata.SmartDataDbDoc<TargetPro
   @plugins.smartdata.svDb()
   public routeRefs?: string[];
 
+  @plugins.smartdata.svDb()
+  public allowRoutesByClientSourceIp?: boolean;
+
   @plugins.smartdata.svDb()
   public createdAt!: number;
 

package/ts/monitoring/classes.metricsmanager.ts

@@ -725,7 +725,10 @@ export class MetricsManager {
         .slice(0, 10)
         .map(([ip, data]) => ({ ip, count: data.count, bwIn: data.bwIn, bwOut: data.bwOut }));
 
-      void this.dcRouter.securityPolicyManager?.observeIps([...allIPData.keys()]);
+      this.dcRouter.securityPolicyManager?.queueObservedIps([
+        ...topIPs.map((item) => item.ip),
+        ...topIPsByBandwidth.map((item) => item.ip),
+      ]);
 
       // Build domain activity using per-IP domain request counts from Rust engine
       const connectionsByRoute = proxyMetrics.connections.byRoute();

package/ts/opsserver/handlers/security.handler.ts

@@ -180,7 +180,14 @@ export class SecurityHandler {
         async (dataArg) => {
           await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'security:read' });
           const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
-          return { records: manager ? await manager.listIpIntelligence() : [] };
+          return {
+            records: manager
+              ? await manager.listIpIntelligence({
+                  ipAddresses: dataArg.ipAddresses,
+                  limit: dataArg.limit,
+                })
+              : [],
+          };
         },
       ),
     );

package/ts/opsserver/handlers/target-profile.handler.ts

@@ -69,6 +69,7 @@ export class TargetProfileHandler {
             domains: dataArg.domains,
             targets: dataArg.targets,
             routeRefs: dataArg.routeRefs,
+            allowRoutesByClientSourceIp: dataArg.allowRoutesByClientSourceIp,
             createdBy: userId,
           });
           await this.opsServerRef.dcRouterRef.routeConfigManager?.applyRoutes();
@@ -94,6 +95,7 @@ export class TargetProfileHandler {
             domains: dataArg.domains,
             targets: dataArg.targets,
             routeRefs: dataArg.routeRefs,
+            allowRoutesByClientSourceIp: dataArg.allowRoutesByClientSourceIp,
           });
           // Re-apply routes and refresh VPN client security to update access
           await this.opsServerRef.dcRouterRef.routeConfigManager?.applyRoutes();

package/ts/opsserver/handlers/vpn.handler.ts

@@ -102,6 +102,8 @@ export class VpnHandler {
               bytesSent: c.bytesSent,
               bytesReceived: c.bytesReceived,
               transport: c.transportType,
+              remoteAddr: c.remoteAddr,
+              sourceIp: manager.getClientSourceIp(c.registeredClientId || c.clientId),
             })),
           };
         },

package/ts/security/classes.security-policy-manager.ts

@@ -19,12 +19,24 @@ export interface IRemoteIngressFirewallSnapshot {
   blockedIps: string[];
 }
 
+const OBSERVED_IP_QUEUE_LIMIT = 512;
+const OBSERVED_IP_BATCH_LIMIT = 20;
+const OBSERVED_IP_QUEUE_CONCURRENCY = 2;
+const OBSERVED_IP_REQUEUE_THROTTLE_MS = 60_000;
+
 export class SecurityPolicyManager {
   private readonly smartNetwork = new plugins.smartnetwork.SmartNetwork({
     cacheTtl: 24 * 60 * 60 * 1000,
+    ipIntelligenceTimeout: 5_000,
   });
   private readonly intelligenceRefreshMs: number;
-  private readonly inFlightObservations = new Set<string>();
+  private readonly inFlightObservations = new Map<string, Promise<void>>();
+  private readonly queuedObservations = new Set<string>();
+  private readonly observationQueue: string[] = [];
+  private readonly lastQueuedAt = new Map<string, number>();
+  private activeQueuedObservations = 0;
+  private queueDrainScheduled = false;
+  private isStopping = false;
   private readonly onPolicyChanged?: () => void | Promise<void>;
 
   constructor(options: ISecurityPolicyManagerOptions = {}) {
@@ -37,6 +49,9 @@ export class SecurityPolicyManager {
   }
 
   public async stop(): Promise<void> {
+    this.isStopping = true;
+    this.observationQueue.length = 0;
+    this.queuedObservations.clear();
     await this.smartNetwork.stop();
   }
 
@@ -45,13 +60,55 @@ export class SecurityPolicyManager {
     await Promise.allSettled(uniqueIps.map((ip) => this.observeIp(ip)));
   }
 
+  public queueObservedIps(ips: string[]): void {
+    if (this.isStopping) return;
+
+    const now = Date.now();
+    const uniqueIps = [...new Set(ips.map((ip) => this.normalizeIp(ip)).filter(Boolean) as string[])];
+
+    for (const ip of uniqueIps.slice(0, OBSERVED_IP_BATCH_LIMIT)) {
+      if (!this.isPublicIp(ip)) continue;
+      if (this.inFlightObservations.has(ip) || this.queuedObservations.has(ip)) continue;
+
+      const lastQueuedAt = this.lastQueuedAt.get(ip);
+      if (lastQueuedAt && now - lastQueuedAt < OBSERVED_IP_REQUEUE_THROTTLE_MS) continue;
+
+      if (this.observationQueue.length >= OBSERVED_IP_QUEUE_LIMIT) {
+        const droppedIp = this.observationQueue.shift();
+        if (droppedIp) this.queuedObservations.delete(droppedIp);
+      }
+
+      this.observationQueue.push(ip);
+      this.queuedObservations.add(ip);
+      this.lastQueuedAt.set(ip, now);
+    }
+
+    this.pruneQueuedIpMemory(now);
+    this.scheduleQueueDrain();
+  }
+
   public async observeIp(ipAddress: string, options: { force?: boolean } = {}): Promise<void> {
     const ip = this.normalizeIp(ipAddress);
-    if (!ip || !this.isPublicIp(ip) || this.inFlightObservations.has(ip)) {
+    if (!ip || !this.isPublicIp(ip)) {
       return;
     }
 
-    this.inFlightObservations.add(ip);
+    const existingObservation = this.inFlightObservations.get(ip);
+    if (existingObservation) {
+      await existingObservation;
+      if (!options.force) return;
+    }
+
+    const observationPromise = this.performObserveIp(ip, options).finally(() => {
+      if (this.inFlightObservations.get(ip) === observationPromise) {
+        this.inFlightObservations.delete(ip);
+      }
+    });
+    this.inFlightObservations.set(ip, observationPromise);
+    await observationPromise;
+  }
+
+  private async performObserveIp(ip: string, options: { force?: boolean } = {}): Promise<void> {
     try {
       const now = Date.now();
       let doc = await IpIntelligenceDoc.findByIp(ip);
@@ -81,8 +138,6 @@ export class SecurityPolicyManager {
       }
     } catch (err) {
       logger.log('warn', `Failed to enrich IP ${ip}: ${(err as Error).message}`);
-    } finally {
-      this.inFlightObservations.delete(ip);
     }
   }
 
@@ -90,8 +145,22 @@ export class SecurityPolicyManager {
     return (await SecurityBlockRuleDoc.findAll()).map((doc) => this.ruleFromDoc(doc));
   }
 
-  public async listIpIntelligence(): Promise<IIpIntelligenceRecord[]> {
-    return (await IpIntelligenceDoc.findAll()).map((doc) => this.intelligenceFromDoc(doc));
+  public async listIpIntelligence(options: { ipAddresses?: string[]; limit?: number } = {}): Promise<IIpIntelligenceRecord[]> {
+    const limit = Number.isInteger(options.limit) && options.limit! > 0
+      ? Math.min(options.limit!, 500)
+      : undefined;
+
+    let docs: IpIntelligenceDoc[];
+    if (options.ipAddresses?.length) {
+      const ips = [...new Set(options.ipAddresses.map((ip) => this.normalizeIp(ip)).filter(Boolean) as string[])];
+      const results = await Promise.all(ips.map((ip) => IpIntelligenceDoc.findByIp(ip)));
+      docs = results.filter(Boolean) as IpIntelligenceDoc[];
+    } else {
+      docs = await IpIntelligenceDoc.findAll();
+    }
+
+    const sortedDocs = docs.sort((a, b) => (b.lastSeenAt || 0) - (a.lastSeenAt || 0));
+    return (limit ? sortedDocs.slice(0, limit) : sortedDocs).map((doc) => this.intelligenceFromDoc(doc));
   }
 
   public async refreshIpIntelligence(ipAddress: string): Promise<IIpIntelligenceRecord | null> {
@@ -104,6 +173,45 @@ export class SecurityPolicyManager {
     return doc ? this.intelligenceFromDoc(doc) : null;
   }
 
+  private scheduleQueueDrain(): void {
+    if (this.queueDrainScheduled || this.isStopping) return;
+    this.queueDrainScheduled = true;
+    setTimeout(() => {
+      this.queueDrainScheduled = false;
+      this.drainObservationQueue();
+    }, 0);
+  }
+
+  private drainObservationQueue(): void {
+    if (this.isStopping) return;
+
+    while (
+      this.activeQueuedObservations < OBSERVED_IP_QUEUE_CONCURRENCY &&
+      this.observationQueue.length > 0
+    ) {
+      const ip = this.observationQueue.shift()!;
+      this.queuedObservations.delete(ip);
+      this.activeQueuedObservations++;
+      void this.observeIp(ip)
+        .catch(() => undefined)
+        .finally(() => {
+          this.activeQueuedObservations--;
+          if (this.observationQueue.length > 0) {
+            this.scheduleQueueDrain();
+          }
+        });
+    }
+  }
+
+  private pruneQueuedIpMemory(now: number): void {
+    if (this.lastQueuedAt.size <= OBSERVED_IP_QUEUE_LIMIT * 2) return;
+    for (const [ip, lastQueuedAt] of this.lastQueuedAt) {
+      if (now - lastQueuedAt > OBSERVED_IP_REQUEUE_THROTTLE_MS * 2) {
+        this.lastQueuedAt.delete(ip);
+      }
+    }
+  }
+
   public async listAuditEvents(limit = 100): Promise<ISecurityPolicyAuditEvent[]> {
     return (await SecurityPolicyAuditDoc.findRecent(limit)).map((doc) => ({
       id: doc.id,