@serve.zone/dcrouter 13.43.1 → 13.43.3

package/ts/config/classes.source-policy-compiler.ts

@@ -8,8 +8,7 @@ import type {
   IRoutePathPolicyBinding,
   IRouteMetadata,
   IRouteSecurity,
-  IRouteSourcePolicy,
-  IRouteSourcePolicyBinding,
+  IRouteSourceBinding,
 } from '../../ts_interfaces/data/route-management.js';
 import type { ReferenceResolver } from './classes.reference-resolver.js';
 
@@ -37,22 +36,23 @@ export class SourcePolicyCompiler {
     referenceResolver: ReferenceResolver | undefined,
     routeId?: string,
   ): plugins.smartproxy.IRouteConfig[] {
-    const bindings = metadata?.sourcePolicy?.bindings || [];
+    const bindings = metadata?.sourceBindings || [];
     if (bindings.length === 0) {
       return [route];
     }
-    if (this.validateSourcePolicyShape(metadata?.sourcePolicy, route)) {
+    if (this.validateSourceBindingsShape(bindings, route)) {
       return [];
     }
     if (!referenceResolver) {
       return [];
     }
-    if (this.validateResolvedSourcePolicy(metadata?.sourcePolicy, referenceResolver)) {
+    if (this.validateResolvedSourceBindings(bindings, referenceResolver)) {
       return [];
     }
 
     const compiledRoutes: plugins.smartproxy.IRouteConfig[] = [];
     const basePriority = route.priority ?? 0;
+    let hasAllSourcesBinding = false;
 
     bindings.forEach((binding, index) => {
       const profile = referenceResolver.getProfile(binding.sourceProfileRef);
@@ -65,6 +65,9 @@ export class SourcePolicyCompiler {
       if (sourceMatches.length === 0) {
         return;
       }
+      if (this.matchesAllSources(sourceMatches)) {
+        hasAllSourcesBinding = true;
+      }
       const sourcePriority = this.calculateSourcePriority(basePriority, index, bindings.length);
       const sourceMatch = this.matchesAllSources(sourceMatches)
         ? { ...route.match }
@@ -140,39 +143,43 @@ export class SourcePolicyCompiler {
       }
     });
 
+    if (compiledRoutes.length > 0 && !hasAllSourcesBinding) {
+      compiledRoutes.push(this.buildDenyFallbackRoute(route, basePriority, routeId));
+    }
+
     return this.applyIntegerPriorities(compiledRoutes, basePriority);
   }
 
-  public static validateSourcePolicyPayload(sourcePolicy?: Partial<IRouteSourcePolicy>): string | undefined {
-    if (!sourcePolicy) {
+  public static validateSourceBindingsPayload(sourceBindings?: Partial<IRouteSourceBinding>[]): string | undefined {
+    if (sourceBindings === undefined) {
       return undefined;
     }
-    if (!Array.isArray(sourcePolicy.bindings)) {
-      return 'Source policy bindings must be an array';
+    if (!Array.isArray(sourceBindings)) {
+      return 'Source bindings must be an array';
     }
-    if (sourcePolicy.bindings.length === 0) {
+    if (sourceBindings.length === 0) {
       return undefined;
     }
-    if (sourcePolicy.bindings.length > sourcePolicyLimits.maxBindings) {
+    if (sourceBindings.length > sourcePolicyLimits.maxBindings) {
       return `Source policy exceeds ${sourcePolicyLimits.maxBindings} bindings`;
     }
 
     const validClasses = new Set<string>(routePathClasses);
-    for (const binding of sourcePolicy.bindings) {
+    for (const binding of sourceBindings) {
       if (!binding || typeof binding !== 'object') {
-        return 'Source policy binding must be an object';
+        return 'Source binding must be an object';
       }
       if (typeof binding.sourceProfileRef !== 'string') {
-        return 'Source policy binding requires a source profile';
+        return 'Source binding requires a source profile';
       }
       if (binding.sourceProfileRef.length > sourcePolicyLimits.maxSourceProfileRefLength) {
-        return `Source policy source profile ref exceeds ${sourcePolicyLimits.maxSourceProfileRefLength} characters`;
+        return `Source binding source profile ref exceeds ${sourcePolicyLimits.maxSourceProfileRefLength} characters`;
       }
       if (binding.sourceProfileRef.trim().length === 0) {
-        return 'Source policy binding requires a source profile';
+        return 'Source binding requires a source profile';
       }
       if (typeof binding.id === 'string' && binding.id.length > sourcePolicyLimits.maxIdLength) {
-        return `Source policy binding id exceeds ${sourcePolicyLimits.maxIdLength} characters`;
+        return `Source binding id exceeds ${sourcePolicyLimits.maxIdLength} characters`;
       }
       if (typeof binding.maxConnections === 'number' && binding.maxConnections < 0) {
         return 'Source policy maxConnections must be non-negative';
@@ -268,14 +275,21 @@ export class SourcePolicyCompiler {
   }
 
   public static validateSourcePolicyShape(
-    sourcePolicy?: IRouteSourcePolicy,
+    sourceBindings?: IRouteSourceBinding[],
     route?: plugins.smartproxy.IRouteConfig,
   ): string | undefined {
-    const payloadError = this.validateSourcePolicyPayload(sourcePolicy);
+    return this.validateSourceBindingsShape(sourceBindings, route);
+  }
+
+  public static validateSourceBindingsShape(
+    sourceBindings?: IRouteSourceBinding[],
+    route?: plugins.smartproxy.IRouteConfig,
+  ): string | undefined {
+    const payloadError = this.validateSourceBindingsPayload(sourceBindings);
     if (payloadError) {
       return payloadError;
     }
-    const bindings = sourcePolicy?.bindings || [];
+    const bindings = sourceBindings || [];
     if (bindings.length === 0) {
       return undefined;
     }
@@ -310,19 +324,36 @@ export class SourcePolicyCompiler {
       }
     }
 
+    // Private-only source bindings add one terminal deny route to prevent fall-through
+    // to broader routes with the same host/path/port scope.
+    estimatedCompiledRoutes++;
+
     const expandedPortCount = route ? this.getExpandedPortCount(route.match?.ports) : 1;
     if (estimatedCompiledRoutes * expandedPortCount > sourcePolicyLimits.maxCompiledVariantsPerRoute) {
       return `Source policy exceeds ${sourcePolicyLimits.maxCompiledVariantsPerRoute} compiled route-port variants`;
     }
+    if (route && typeof route.priority === 'number' && Number.isFinite(route.priority)) {
+      const integerBasePriority = Math.trunc(this.clampPriority(route.priority));
+      if (integerBasePriority + estimatedCompiledRoutes > MAX_ROUTE_PRIORITY) {
+        return `Source policy route priority leaves no priority headroom for ${estimatedCompiledRoutes} compiled variants`;
+      }
+    }
 
     return undefined;
   }
 
   public static validateResolvedSourcePolicy(
-    sourcePolicy: IRouteSourcePolicy | undefined,
+    sourceBindings: IRouteSourceBinding[] | undefined,
+    referenceResolver: ReferenceResolver | undefined,
+  ): string | undefined {
+    return this.validateResolvedSourceBindings(sourceBindings, referenceResolver);
+  }
+
+  public static validateResolvedSourceBindings(
+    sourceBindings: IRouteSourceBinding[] | undefined,
     referenceResolver: ReferenceResolver | undefined,
   ): string | undefined {
-    const bindings = sourcePolicy?.bindings || [];
+    const bindings = sourceBindings || [];
     if (bindings.length === 0) {
       return undefined;
     }
@@ -346,10 +377,7 @@ export class SourcePolicyCompiler {
       }
       const matchesAllSources = this.matchesAllSources(sourceMatches);
       if (matchesAllSources && index < bindings.length - 1) {
-        return 'Wildcard source profile bindings must be last in a source policy';
-      }
-      if (index === bindings.length - 1 && !matchesAllSources) {
-        return 'Source policy must end with an all-source fallback profile';
+        return 'Wildcard source profile bindings must be last in source bindings';
       }
     }
 
@@ -361,7 +389,7 @@ export class SourcePolicyCompiler {
     sourceMatch: plugins.smartproxy.IRouteConfig['match'];
     profileName: string;
     profileSecurity: IRouteSecurity;
-    binding: IRouteSourcePolicyBinding;
+    binding: IRouteSourceBinding;
     pathPolicy?: IRoutePathPolicyBinding;
     pathPattern?: string;
     sourcePriority: number;
@@ -414,6 +442,63 @@ export class SourcePolicyCompiler {
     };
   }
 
+  private static buildDenyFallbackRoute(
+    route: plugins.smartproxy.IRouteConfig,
+    basePriority: number,
+    routeId?: string,
+  ): plugins.smartproxy.IRouteConfig {
+    const routeKey = route.id || routeId || route.name || 'route';
+    return {
+      ...route,
+      id: `${routeKey}:source:deny-fallback`,
+      name: `${route.name || routeKey}:source:deny-fallback`,
+      match: { ...route.match },
+      priority: this.clampPriority(basePriority - SOURCE_PRIORITY_BAND - PATH_PRIORITY_BAND),
+      action: {
+        type: 'socket-handler',
+        socketHandler: (socket) => this.denySocket(socket),
+      },
+      security: undefined,
+    };
+  }
+
+  private static denySocket(socket: plugins.net.Socket): void {
+    let timeout: ReturnType<typeof setTimeout> & { unref?: () => void };
+    const cleanup = () => {
+      clearTimeout(timeout);
+      socket.removeListener('data', handleData);
+      socket.removeListener('error', cleanup);
+      socket.removeListener('close', cleanup);
+    };
+
+    const handleData = (chunk: string | Uint8Array) => {
+      cleanup();
+      if (this.looksLikeHttpRequest(chunk)) {
+        socket.end('HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: 9\r\nConnection: close\r\n\r\nForbidden');
+        return;
+      }
+      socket.destroy();
+    };
+
+    timeout = setTimeout(() => {
+      cleanup();
+      socket.destroy();
+    }, 2000) as ReturnType<typeof setTimeout> & { unref?: () => void };
+    timeout.unref?.();
+
+    socket.once('data', handleData);
+    socket.once('error', cleanup);
+    socket.once('close', cleanup);
+  }
+
+  private static looksLikeHttpRequest(chunk: string | Uint8Array): boolean {
+    const prefix = typeof chunk === 'string'
+      ? chunk.slice(0, 16)
+      : String.fromCharCode(...chunk.subarray(0, 16));
+    return /^(GET|POST|HEAD|PUT|PATCH|DELETE|OPTIONS|TRACE|CONNECT)\s/.test(prefix)
+      || prefix.startsWith('PRI * HTTP/2.0');
+  }
+
   private static getPathPatterns(pathPolicy: IRoutePathPolicyBinding): string[] {
     const patterns: string[] = pathPolicy.pathPatterns?.length
       ? pathPolicy.pathPatterns
@@ -469,8 +554,8 @@ export class SourcePolicyCompiler {
       }))
       .sort((a, b) => (b.priority - a.priority) || (a.originalIndex - b.originalIndex));
     const topPriority = Math.trunc(this.clampPriority(
-      basePriority + routes.length - 1,
-      MIN_ROUTE_PRIORITY + routes.length - 1,
+      basePriority + routes.length,
+      MIN_ROUTE_PRIORITY + routes.length,
       MAX_ROUTE_PRIORITY,
     ));
     const integerPriorities = new Map<number, number>();
@@ -589,7 +674,7 @@ export class SourcePolicyCompiler {
   private static buildBindingSecurity(
     routeSecurity: IRouteSecurity | undefined,
     profileSecurity: IRouteSecurity,
-    binding: IRouteSourcePolicyBinding,
+    binding: IRouteSourceBinding,
     pathPolicy?: IRoutePathPolicyBinding,
   ): IRouteSecurity | undefined {
     const baseSecurity = this.omitSourceMatchFields(routeSecurity || {});

package/ts/opsserver/handlers/workhoster.handler.ts

@@ -587,7 +587,13 @@ export class WorkHosterHandler {
       return { success: false, message: 'route is required unless delete=true' };
     }
 
+    const sourceBindings = this.getManagedRouteSourceBindings();
+    if (!sourceBindings) {
+      return { success: false, message: 'STANDARD source profile not found' };
+    }
+
     const metadata: interfaces.data.IRouteMetadata = {
+      sourceBindings,
       ownerType: 'gatewayClient',
       gatewayClientType: resolvedOwnership.gatewayClientType,
       gatewayClientId: resolvedOwnership.gatewayClientId,
@@ -600,8 +606,10 @@ export class WorkHosterHandler {
     const normalizedRoute = this.normalizeGatewayClientRoute(route, resolvedOwnership, externalKey);
 
     if (existingRoute) {
+      const routePatch: Partial<interfaces.data.IDcRouterRouteConfig> = { ...normalizedRoute };
+      (routePatch as any).security = null;
       const result = await manager.updateRoute(existingRoute.id, {
-        route: normalizedRoute,
+        route: routePatch,
         enabled: enabled ?? true,
         metadata,
       });
@@ -640,10 +648,26 @@ export class WorkHosterHandler {
     ownership: Required<interfaces.data.IGatewayClientOwnership>,
     externalKey: string,
   ): interfaces.data.IDcRouterRouteConfig {
-    const normalizedRoute = { ...route };
+    const normalizedRoute = structuredClone(route);
+    delete normalizedRoute.security;
     if (!normalizedRoute.name) {
       normalizedRoute.name = `gateway-client-${externalKey.replace(/[^a-zA-Z0-9-]+/g, '-').slice(0, 80)}`;
     }
     return normalizedRoute;
   }
+
+  private getManagedRouteSourceBindings(): interfaces.data.IRouteSourceBinding[] | undefined {
+    const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+    const standardProfile = resolver?.listProfiles().find((profile: interfaces.data.ISourceProfile) => {
+      return profile.id.trim().toLowerCase() === 'standard'
+        || profile.name.trim().toLowerCase() === 'standard';
+    });
+    if (!standardProfile) {
+      return undefined;
+    }
+    return [{
+      sourceProfileRef: standardProfile.id,
+      sourceProfileName: standardProfile.name,
+    }];
+  }
 }

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.43.1',
+  version: '13.43.3',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }