@serve.zone/dcrouter 15.0.1 → 15.0.3

package/ts/security/classes.route-policy-augmenter.ts

@@ -0,0 +1,140 @@
+import * as plugins from '../plugins.js';
+import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
+import type { ISecurityCompiledPolicy } from '../../ts_interfaces/data/security-policy.js';
+import type { DcRouter } from '../classes.dcrouter.js';
+
+type TInboundProxyProtocolPolicy = NonNullable<plugins.smartproxy.IRouteMatch['inboundProxyProtocol']>;
+
+/**
+ * Pure route-policy transformations applied before routes reach SmartProxy:
+ * per-listener inbound PROXY protocol policies (driven by RemoteIngress and
+ * VPN) and merging of compiled security policies.
+ */
+export class RoutePolicyAugmenter {
+  constructor(private dcRouterRef: DcRouter) {}
+
+  /**
+   * Ensure every route on a shared listener carries a compatible
+   * inboundProxyProtocol policy, deriving defaults from RemoteIngress/VPN.
+   */
+  public applyInboundProxyProtocolPolicies(
+    routes: plugins.smartproxy.IRouteConfig[],
+  ): plugins.smartproxy.IRouteConfig[] {
+    const policiesByListener = new Map<string, TInboundProxyProtocolPolicy>();
+
+    for (const route of routes) {
+      const policy = route.match?.inboundProxyProtocol || this.getDesiredInboundProxyProtocolPolicy(route);
+      if (!policy) {
+        continue;
+      }
+      for (const listenerKey of this.getInboundProxyListenerKeys(route)) {
+        const mergedPolicy = this.mergeInboundProxyProtocolPolicies(
+          policiesByListener.get(listenerKey),
+          policy,
+        );
+        if (mergedPolicy) {
+          policiesByListener.set(listenerKey, mergedPolicy);
+        }
+      }
+    }
+
+    if (policiesByListener.size === 0) {
+      return routes;
+    }
+
+    return routes.map((route) => {
+      if (route.match?.inboundProxyProtocol) {
+        return route;
+      }
+      let listenerPolicy: TInboundProxyProtocolPolicy | undefined;
+      for (const listenerKey of this.getInboundProxyListenerKeys(route)) {
+        listenerPolicy = this.mergeInboundProxyProtocolPolicies(
+          listenerPolicy,
+          policiesByListener.get(listenerKey),
+        );
+      }
+      if (!listenerPolicy) {
+        return route;
+      }
+      return {
+        ...route,
+        match: {
+          ...route.match,
+          inboundProxyProtocol: listenerPolicy,
+        },
+      };
+    });
+  }
+
+  /** Union blocked IPs/CIDRs across configured and compiled security policies. */
+  public mergeSecurityPolicies(
+    ...policies: Array<Partial<ISecurityCompiledPolicy> | undefined>
+  ): ISecurityCompiledPolicy | undefined {
+    const blockedIps = new Set<string>();
+    const blockedCidrs = new Set<string>();
+
+    for (const policy of policies) {
+      for (const ip of policy?.blockedIps || []) {
+        if (ip) blockedIps.add(ip);
+      }
+      for (const cidr of policy?.blockedCidrs || []) {
+        if (cidr) blockedCidrs.add(cidr);
+      }
+    }
+
+    if (blockedIps.size === 0 && blockedCidrs.size === 0) {
+      return undefined;
+    }
+
+    return {
+      blockedIps: [...blockedIps].sort(),
+      blockedCidrs: [...blockedCidrs].sort(),
+    };
+  }
+
+  private getDesiredInboundProxyProtocolPolicy(
+    route: plugins.smartproxy.IRouteConfig,
+  ): TInboundProxyProtocolPolicy | undefined {
+    const dcRoute = route as IDcRouterRouteConfig;
+    if (this.dcRouterRef.isRemoteIngressHubEnabled() && dcRoute.remoteIngress?.enabled) {
+      const ports = plugins.smartproxy.expandPortRange(route.match.ports as any) as number[];
+      if (ports.some((port) => port === 25 || port === 587)) {
+        return { mode: 'required' };
+      }
+      return { mode: 'optional' };
+    }
+    if (this.dcRouterRef.options.vpnConfig?.enabled) {
+      return { mode: 'optional' };
+    }
+    return undefined;
+  }
+
+  private getInboundProxyListenerKeys(route: plugins.smartproxy.IRouteConfig): string[] {
+    const ports = plugins.smartproxy.expandPortRange(route.match.ports as any) as number[];
+    const transports = route.match.transport === 'udp'
+      ? ['udp']
+      : route.match.transport === 'all'
+        ? ['tcp', 'udp']
+        : ['tcp'];
+    const keys: string[] = [];
+    for (const port of ports) {
+      for (const transport of transports) {
+        keys.push(`${transport}:${port}`);
+      }
+    }
+    return keys;
+  }
+
+  private mergeInboundProxyProtocolPolicies(
+    current?: TInboundProxyProtocolPolicy,
+    next?: TInboundProxyProtocolPolicy,
+  ): TInboundProxyProtocolPolicy | undefined {
+    if (!current) return next;
+    if (!next) return current;
+    if (current.mode === 'required') return current;
+    if (next.mode === 'required') return next;
+    if (current.mode === 'optional') return current;
+    if (next.mode === 'optional') return next;
+    return current;
+  }
+}

package/ts/security/index.ts

@@ -25,3 +25,4 @@ export {
   type ISecurityPolicyManagerOptions,
   type IRemoteIngressFirewallSnapshot,
 } from './classes.security-policy-manager.js';
+export * from './classes.route-policy-augmenter.js';

package/ts/vpn/classes.vpn-access-resolver.ts

@@ -0,0 +1,126 @@
+import { logger } from '../logger.js';
+import type { TVpnClientAllowEntry } from '../config/classes.route-config-manager.js';
+import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
+import type { DcRouter } from '../classes.dcrouter.js';
+
+/**
+ * Resolves which VPN clients may access which routes and which IPs belong in
+ * a client's WireGuard AllowedIPs, including cached DNS resolution of
+ * VPN-gated route domains.
+ */
+export class VpnAccessResolver {
+  /** Cache for DNS-resolved IPs of VPN-gated domains. TTL: 5 minutes. */
+  private domainIpCache = new Map<string, { ips: string[]; expiresAt: number }>();
+  /** Deduplicate wildcard-resolution warnings for WireGuard AllowedIPs generation. */
+  private warnedWildcardDomains = new Set<string>();
+
+  constructor(private dcRouterRef: DcRouter) {}
+
+  /** Clear DNS and warning caches, e.g. after a VPN config change. */
+  public reset(): void {
+    this.domainIpCache.clear();
+    this.warnedWildcardDomains.clear();
+  }
+
+  /**
+   * Build the per-route VPN client allow resolver handed to RouteConfigManager,
+   * or undefined when VPN is disabled.
+   */
+  public createRouteAllowResolver(): ((
+    route: IDcRouterRouteConfig,
+    routeId?: string,
+  ) => TVpnClientAllowEntry[]) | undefined {
+    if (!this.dcRouterRef.options.vpnConfig?.enabled) {
+      return undefined;
+    }
+
+    return (route: IDcRouterRouteConfig, routeId?: string) => {
+      if (!this.dcRouterRef.vpnManager || !this.dcRouterRef.targetProfileManager) {
+        // VPN not ready yet — deny all until re-apply after VPN starts.
+        return [];
+      }
+
+      return this.dcRouterRef.targetProfileManager.getMatchingVpnClients(
+        route,
+        routeId,
+        this.dcRouterRef.vpnManager.listClients(),
+        this.dcRouterRef.routeConfigManager?.getRoutes() || new Map(),
+      );
+    };
+  }
+
+  /**
+   * Compute the WireGuard AllowedIPs for a client from its target profiles:
+   * the VPN subnet, direct target IPs, and DNS-resolved route domains.
+   */
+  public async getClientAllowedIPs(targetProfileIds: string[]): Promise<string[]> {
+    const subnet = this.dcRouterRef.options.vpnConfig?.subnet || '10.8.0.0/24';
+    const ips = new Set<string>([subnet]);
+
+    const targetProfileManager = this.dcRouterRef.targetProfileManager;
+    if (!targetProfileManager) return [...ips];
+
+    const allRoutes = this.dcRouterRef.routeConfigManager?.getRoutes() || new Map();
+
+    const { domains, targetIps } = targetProfileManager.getClientAccessSpec(
+      targetProfileIds,
+      allRoutes,
+    );
+
+    // Add target IPs directly
+    for (const ip of targetIps) {
+      ips.add(`${ip}/32`);
+    }
+
+    // Resolve DNS A records for matched domains (with caching)
+    for (const domain of domains) {
+      if (this.isWildcardDomain(domain)) {
+        this.logSkippedWildcardAllowedIp(domain);
+        continue;
+      }
+      const resolvedIps = await this.resolveDomainIPs(domain);
+      for (const ip of resolvedIps) {
+        ips.add(`${ip}/32`);
+      }
+    }
+
+    return [...ips];
+  }
+
+  /**
+   * Resolve a domain's A record(s) for VPN AllowedIPs, with a 5-minute cache.
+   */
+  private async resolveDomainIPs(domain: string): Promise<string[]> {
+    const cached = this.domainIpCache.get(domain);
+    if (cached && cached.expiresAt > Date.now()) {
+      return cached.ips;
+    }
+    try {
+      const { promises: dnsPromises } = await import('dns');
+      const ips = await dnsPromises.resolve4(domain);
+      this.domainIpCache.set(domain, { ips, expiresAt: Date.now() + 5 * 60 * 1000 });
+      // Evict oldest entries if cache exceeds 1000 entries
+      if (this.domainIpCache.size > 1000) {
+        const firstKey = this.domainIpCache.keys().next().value;
+        if (firstKey) this.domainIpCache.delete(firstKey);
+      }
+      return ips;
+    } catch (err) {
+      logger.log('warn', `VPN: Failed to resolve ${domain} for AllowedIPs: ${(err as Error).message}`);
+      return cached?.ips || []; // Return stale cache on failure, or empty
+    }
+  }
+
+  private isWildcardDomain(domain: string): boolean {
+    return domain.includes('*');
+  }
+
+  private logSkippedWildcardAllowedIp(domain: string): void {
+    if (this.warnedWildcardDomains.has(domain)) return;
+    this.warnedWildcardDomains.add(domain);
+    logger.log(
+      'warn',
+      `VPN: Skipping wildcard domain '${domain}' for WireGuard AllowedIPs; wildcard patterns must be resolved to concrete hostnames by matching routes.`,
+    );
+  }
+}

package/ts/vpn/index.ts

@@ -1 +1,2 @@
 export * from './classes.vpn-manager.js';
+export * from './classes.vpn-access-resolver.js';

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '15.0.1',
+  version: '15.0.3',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts_web/appstate/acme.ts

@@ -0,0 +1,93 @@
+import * as plugins from '../plugins.js';
+import * as interfaces from '../../ts_interfaces/index.js';
+import { appState } from './shared.js';
+import { getActionContext } from './login.js';
+
+// ============================================================================
+// ACME Config State (DB-backed singleton, managed via Domains > Certificates)
+// ============================================================================
+
+export interface IAcmeConfigState {
+  config: interfaces.data.IAcmeConfig | null;
+  isLoading: boolean;
+  error: string | null;
+  lastUpdated: number;
+}
+
+export const acmeConfigStatePart = await appState.getStatePart<IAcmeConfigState>(
+  'acmeConfig',
+  {
+    config: null,
+    isLoading: false,
+    error: null,
+    lastUpdated: 0,
+  },
+  'soft',
+);
+
+// ACME Config Actions
+// ============================================================================
+
+export const fetchAcmeConfigAction = acmeConfigStatePart.createAction(
+  async (statePartArg): Promise<IAcmeConfigState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    if (!context.identity) return currentState;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_GetAcmeConfig
+      >('/typedrequest', 'getAcmeConfig');
+      const response = await request.fire({ identity: context.identity });
+      return {
+        config: response.config,
+        isLoading: false,
+        error: null,
+        lastUpdated: Date.now(),
+      };
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        isLoading: false,
+        error: error instanceof Error ? error.message : 'Failed to fetch ACME config',
+      };
+    }
+  },
+);
+
+export const updateAcmeConfigAction = acmeConfigStatePart.createAction<{
+  accountEmail?: string;
+  enabled?: boolean;
+  useProduction?: boolean;
+  autoRenew?: boolean;
+  renewThresholdDays?: number;
+}>(async (statePartArg, dataArg, actionContext): Promise<IAcmeConfigState> => {
+  const context = getActionContext();
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_UpdateAcmeConfig
+    >('/typedrequest', 'updateAcmeConfig');
+    const response = await request.fire({
+      identity: context.identity!,
+      accountEmail: dataArg.accountEmail,
+      enabled: dataArg.enabled,
+      useProduction: dataArg.useProduction,
+      autoRenew: dataArg.autoRenew,
+      renewThresholdDays: dataArg.renewThresholdDays,
+    });
+    if (!response.success) {
+      return {
+        ...statePartArg.getState()!,
+        error: response.message || 'Failed to update ACME config',
+      };
+    }
+    return await actionContext!.dispatch(fetchAcmeConfigAction, null);
+  } catch (error: unknown) {
+    return {
+      ...statePartArg.getState()!,
+      error: error instanceof Error ? error.message : 'Failed to update ACME config',
+    };
+  }
+});
+
+// ============================================================================

package/ts_web/appstate/certificates.ts

@@ -0,0 +1,159 @@
+import * as plugins from '../plugins.js';
+import type * as servezoneInterfaces from '@serve.zone/interfaces';
+import * as interfaces from '../../ts_interfaces/index.js';
+import { appState } from './shared.js';
+import { getActionContext } from './login.js';
+
+export interface ICertificateState {
+  certificates: interfaces.requests.ICertificateInfo[];
+  summary: { total: number; valid: number; expiring: number; expired: number; failed: number; unknown: number };
+  isLoading: boolean;
+  error: string | null;
+  lastUpdated: number;
+}
+
+export const certificateStatePart = await appState.getStatePart<ICertificateState>(
+  'certificates',
+  {
+    certificates: [],
+    summary: { total: 0, valid: 0, expiring: 0, expired: 0, failed: 0, unknown: 0 },
+    isLoading: false,
+    error: null,
+    lastUpdated: 0,
+  },
+  'soft'
+);
+
+// Certificate Actions
+// ============================================================================
+
+export const fetchCertificateOverviewAction = certificateStatePart.createAction(async (statePartArg): Promise<ICertificateState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  if (!context.identity) return currentState;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_GetCertificateOverview
+    >('/typedrequest', 'getCertificateOverview');
+
+    const response = await request.fire({
+      identity: context.identity,
+    });
+
+    return {
+      certificates: response.certificates,
+      summary: response.summary,
+      isLoading: false,
+      error: null,
+      lastUpdated: Date.now(),
+    };
+  } catch (error) {
+    return {
+      ...currentState,
+      isLoading: false,
+      error: error instanceof Error ? error.message : 'Failed to fetch certificate overview',
+    };
+  }
+});
+
+export const reprovisionCertificateAction = certificateStatePart.createAction<{ domain: string; forceRenew?: boolean }>(
+  async (statePartArg, dataArg, actionContext): Promise<ICertificateState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_ReprovisionCertificateDomain
+      >('/typedrequest', 'reprovisionCertificateDomain');
+
+      await request.fire({
+        identity: context.identity!,
+        domain: dataArg.domain,
+        forceRenew: dataArg.forceRenew,
+      });
+
+      // Re-fetch overview after reprovisioning
+      return await actionContext!.dispatch(fetchCertificateOverviewAction, null);
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to reprovision certificate',
+      };
+    }
+  }
+);
+
+export const deleteCertificateAction = certificateStatePart.createAction<string>(
+  async (statePartArg, domain, actionContext): Promise<ICertificateState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_DeleteCertificate
+      >('/typedrequest', 'deleteCertificate');
+
+      await request.fire({
+        identity: context.identity!,
+        domain,
+      });
+
+      // Re-fetch overview after deletion
+      return await actionContext!.dispatch(fetchCertificateOverviewAction, null);
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to delete certificate',
+      };
+    }
+  }
+);
+
+export const importCertificateAction = certificateStatePart.createAction<{
+  id: string;
+  domainName: string;
+  created: number;
+  validUntil: number;
+  privateKey: string;
+  publicKey: string;
+  csr: string;
+}>(
+  async (statePartArg, cert, actionContext): Promise<ICertificateState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        servezoneInterfaces.requests.gateway.IReq_ImportCertificate
+      >('/typedrequest', 'importCertificate');
+
+      await request.fire({
+        identity: context.identity!,
+        cert,
+      });
+
+      // Re-fetch overview after import
+      return await actionContext!.dispatch(fetchCertificateOverviewAction, null);
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to import certificate',
+      };
+    }
+  }
+);
+
+export async function fetchCertificateExport(domain: string) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    servezoneInterfaces.requests.gateway.IReq_ExportCertificate
+  >('/typedrequest', 'exportCertificate');
+
+  return request.fire({
+    identity: context.identity!,
+    domain,
+  });
+}
+
+// ============================================================================

package/ts_web/appstate/config.ts

@@ -0,0 +1,49 @@
+import * as plugins from '../plugins.js';
+import * as interfaces from '../../ts_interfaces/index.js';
+import { appState } from './shared.js';
+import { getActionContext } from './login.js';
+
+export interface IConfigState {
+  config: interfaces.requests.IConfigData | null;
+  isLoading: boolean;
+  error: string | null;
+}
+
+export const configStatePart = await appState.getStatePart<IConfigState>(
+  'config',
+  {
+    config: null,
+    isLoading: false,
+    error: null,
+  }
+);
+
+// Fetch Configuration Action (read-only)
+export const fetchConfigurationAction = configStatePart.createAction(async (statePartArg): Promise<IConfigState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  if (!context.identity) return currentState;
+
+  try {
+    const configRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_GetConfiguration
+    >('/typedrequest', 'getConfiguration');
+
+    const response = await configRequest.fire({
+      identity: context.identity,
+    });
+
+    return {
+      config: response.config,
+      isLoading: false,
+      error: null,
+    };
+  } catch (error: unknown) {
+    return {
+      ...currentState,
+      isLoading: false,
+      error: (error as Error).message || 'Failed to fetch configuration',
+    };
+  }
+});
+