@zeroexcore/tuna 0.1.0

package/src/lib/access.ts

@@ -0,0 +1,191 @@
+/**
+ * Zero Trust Access management - handles Access applications and policies
+ * Uses snapshot-based diffing to sync config with Cloudflare
+ */
+
+import { CloudflareAPI } from './api.ts';
+import type {
+  Credentials,
+  AccessConfig,
+  ParsedAccessConfig,
+  AccessRule,
+  AccessPolicyCreate,
+} from '../types/index.ts';
+
+const TUNA_POLICY_NAME = 'tuna-access-policy';
+
+/**
+ * Parse access config array into emails and domains
+ * - Strings starting with @ are email domains
+ * - Other strings are specific emails
+ */
+export function parseAccessConfig(access: AccessConfig): ParsedAccessConfig {
+  const emails: string[] = [];
+  const emailDomains: string[] = [];
+
+  for (const entry of access) {
+    if (entry.startsWith('@')) {
+      // Email domain - remove the @ prefix
+      emailDomains.push(entry.slice(1));
+    } else {
+      // Specific email
+      emails.push(entry);
+    }
+  }
+
+  return { emails, emailDomains };
+}
+
+/**
+ * Build Access rules from parsed config
+ */
+function buildAccessRules(parsed: ParsedAccessConfig): AccessRule[] {
+  const rules: AccessRule[] = [];
+
+  // Add email rules
+  for (const email of parsed.emails) {
+    rules.push({ email: { email } });
+  }
+
+  // Add email domain rules
+  for (const domain of parsed.emailDomains) {
+    rules.push({ email_domain: { domain } });
+  }
+
+  return rules;
+}
+
+/**
+ * Compare two access rule sets to check if they're equivalent
+ */
+function accessRulesEqual(a: AccessRule[], b: AccessRule[]): boolean {
+  if (a.length !== b.length) return false;
+
+  // Normalize and sort for comparison
+  const normalize = (rules: AccessRule[]): string[] => {
+    return rules.map((rule) => {
+      if ('email' in rule) return `email:${rule.email.email}`;
+      if ('email_domain' in rule) return `domain:${rule.email_domain.domain}`;
+      return JSON.stringify(rule);
+    }).sort();
+  };
+
+  const aNorm = normalize(a);
+  const bNorm = normalize(b);
+
+  return aNorm.every((val, i) => val === bNorm[i]);
+}
+
+/**
+ * Ensure Access application and policy exist and are in sync with config
+ * Returns the app ID if access is configured, null otherwise
+ */
+export async function ensureAccess(
+  credentials: Credentials,
+  hostname: string,
+  access: AccessConfig | undefined
+): Promise<string | null> {
+  const api = new CloudflareAPI(credentials);
+
+  // Check if there's an existing Access app for this hostname
+  const existingApp = await api.getAccessApplicationByDomain(hostname);
+
+  // No access config - remove any existing Access app
+  if (!access || access.length === 0) {
+    if (existingApp) {
+      await api.deleteAccessApplication(existingApp.id);
+    }
+    return null;
+  }
+
+  // Parse the access config
+  const parsed = parseAccessConfig(access);
+  const desiredRules = buildAccessRules(parsed);
+
+  if (desiredRules.length === 0) {
+    // No valid rules - remove existing if any
+    if (existingApp) {
+      await api.deleteAccessApplication(existingApp.id);
+    }
+    return null;
+  }
+
+  // Create or get the Access application
+  let appId: string;
+
+  if (existingApp) {
+    appId = existingApp.id;
+  } else {
+    // Create new Access application
+    const app = await api.createAccessApplication({
+      name: `tuna-${hostname}`,
+      domain: hostname,
+      type: 'self_hosted',
+      session_duration: '24h',
+    });
+    appId = app.id;
+  }
+
+  // Now sync the policy
+  const existingPolicies = await api.listAccessPolicies(appId);
+  const tunaPolicy = existingPolicies.find((p) => p.name === TUNA_POLICY_NAME);
+
+  const desiredPolicy: AccessPolicyCreate = {
+    name: TUNA_POLICY_NAME,
+    decision: 'allow',
+    include: desiredRules,
+  };
+
+  if (tunaPolicy) {
+    // Check if policy needs updating
+    if (!accessRulesEqual(tunaPolicy.include, desiredRules)) {
+      await api.updateAccessPolicy(appId, tunaPolicy.id, desiredPolicy);
+    }
+    // else: policy is already in sync, no action needed
+  } else {
+    // Create new policy
+    await api.createAccessPolicy(appId, desiredPolicy);
+  }
+
+  return appId;
+}
+
+/**
+ * Remove Access application for a hostname
+ */
+export async function removeAccess(
+  credentials: Credentials,
+  hostname: string
+): Promise<boolean> {
+  const api = new CloudflareAPI(credentials);
+
+  const existingApp = await api.getAccessApplicationByDomain(hostname);
+  if (existingApp) {
+    await api.deleteAccessApplication(existingApp.id);
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * Get access rules description for display
+ */
+export function getAccessDescription(access: AccessConfig): string {
+  const parsed = parseAccessConfig(access);
+  const parts: string[] = [];
+
+  if (parsed.emailDomains.length > 0) {
+    parts.push(...parsed.emailDomains.map((d) => `@${d}`));
+  }
+
+  if (parsed.emails.length > 0) {
+    if (parsed.emails.length <= 3) {
+      parts.push(...parsed.emails);
+    } else {
+      parts.push(`${parsed.emails.length} emails`);
+    }
+  }
+
+  return parts.join(', ');
+}

package/src/lib/api.ts

@@ -0,0 +1,383 @@
+/**
+ * Cloudflare API client for tunnel and DNS management
+ */
+
+import type {
+  Credentials,
+  Tunnel,
+  DnsRecord,
+  Zone,
+  CloudflareApiResponse,
+  AccessApplication,
+  AccessPolicy,
+  AccessApplicationCreate,
+  AccessPolicyCreate,
+} from '../types/index.ts';
+
+const BASE_URL = 'https://api.cloudflare.com/client/v4';
+
+export class CloudflareAPI {
+  private apiToken: string;
+  private accountId: string;
+
+  constructor(credentials: Credentials) {
+    this.accountId = credentials.accountId;
+    this.apiToken = credentials.apiToken;
+  }
+
+  /**
+   * Make an authenticated request to the Cloudflare API
+   */
+  private async request<T>(
+    path: string,
+    options: RequestInit = {}
+  ): Promise<CloudflareApiResponse<T>> {
+    const url = `${BASE_URL}${path}`;
+
+    const response = await fetch(url, {
+      ...options,
+      headers: {
+        Authorization: `Bearer ${this.apiToken}`,
+        'Content-Type': 'application/json',
+        ...options.headers,
+      },
+    });
+
+    // Handle rate limiting with retry
+    if (response.status === 429) {
+      const retryAfter = parseInt(response.headers.get('retry-after') || '5');
+      await new Promise((resolve) => setTimeout(resolve, retryAfter * 1000));
+      return this.request<T>(path, options);
+    }
+
+    const data = (await response.json()) as CloudflareApiResponse<T>;
+
+    if (!response.ok) {
+      this.handleApiError(response.status, data);
+    }
+
+    return data;
+  }
+
+  /**
+   * Validate API token and get account ID
+   */
+  async validateToken(): Promise<string> {
+    const verifyResponse = await this.request<{ status: string }>('/user/tokens/verify');
+
+    if (!verifyResponse.success) {
+      throw new Error('Invalid API token');
+    }
+
+    // Get account ID
+    const accountsResponse = await this.request<Array<{ id: string }>>('/accounts');
+    const accounts = accountsResponse.result;
+
+    if (!accounts || accounts.length === 0) {
+      throw new Error('No accounts found for this token');
+    }
+
+    return accounts[0].id;
+  }
+
+  /**
+   * Create a new tunnel
+   */
+  async createTunnel(name: string, secret: string): Promise<Tunnel> {
+    const response = await this.request<Tunnel>(`/accounts/${this.accountId}/cfd_tunnel`, {
+      method: 'POST',
+      body: JSON.stringify({
+        name,
+        tunnel_secret: secret,
+        config_src: 'local',
+      }),
+    });
+
+    if (!response.success) {
+      throw new Error(`Failed to create tunnel: ${response.errors[0]?.message}`);
+    }
+
+    return response.result;
+  }
+
+  /**
+   * List all tunnels
+   */
+  async listTunnels(): Promise<Tunnel[]> {
+    const response = await this.request<Tunnel[]>(`/accounts/${this.accountId}/cfd_tunnel`);
+
+    if (!response.success) {
+      throw new Error('Failed to list tunnels');
+    }
+
+    return response.result;
+  }
+
+  /**
+   * Get tunnel details
+   */
+  async getTunnel(tunnelId: string): Promise<Tunnel> {
+    const response = await this.request<Tunnel>(
+      `/accounts/${this.accountId}/cfd_tunnel/${tunnelId}`
+    );
+
+    if (!response.success) {
+      throw new Error('Tunnel not found');
+    }
+
+    return response.result;
+  }
+
+  /**
+   * Delete a tunnel
+   */
+  async deleteTunnel(tunnelId: string): Promise<void> {
+    const response = await this.request<{ id: string }>(
+      `/accounts/${this.accountId}/cfd_tunnel/${tunnelId}`,
+      { method: 'DELETE' }
+    );
+
+    if (!response.success) {
+      throw new Error('Failed to delete tunnel');
+    }
+  }
+
+  /**
+   * Get zone by domain name
+   */
+  async getZoneByName(domain: string): Promise<Zone> {
+    const response = await this.request<Zone[]>(`/zones?name=${encodeURIComponent(domain)}`);
+
+    if (!response.success || response.result.length === 0) {
+      throw new Error(
+        `Zone not found: ${domain}. Make sure the domain is added to your Cloudflare account.`
+      );
+    }
+
+    return response.result[0];
+  }
+
+  /**
+   * Create DNS record
+   */
+  async createDnsRecord(zoneId: string, record: DnsRecord): Promise<DnsRecord> {
+    const response = await this.request<DnsRecord>(`/zones/${zoneId}/dns_records`, {
+      method: 'POST',
+      body: JSON.stringify(record),
+    });
+
+    if (!response.success) {
+      throw new Error('Failed to create DNS record');
+    }
+
+    return response.result;
+  }
+
+  /**
+   * List DNS records
+   */
+  async listDnsRecords(zoneId: string, name?: string): Promise<DnsRecord[]> {
+    const params = name ? `?name=${encodeURIComponent(name)}` : '';
+    const response = await this.request<DnsRecord[]>(`/zones/${zoneId}/dns_records${params}`);
+
+    if (!response.success) {
+      throw new Error('Failed to list DNS records');
+    }
+
+    return response.result;
+  }
+
+  /**
+   * Update DNS record
+   */
+  async updateDnsRecord(zoneId: string, recordId: string, record: DnsRecord): Promise<DnsRecord> {
+    const response = await this.request<DnsRecord>(`/zones/${zoneId}/dns_records/${recordId}`, {
+      method: 'PUT',
+      body: JSON.stringify(record),
+    });
+
+    if (!response.success) {
+      throw new Error('Failed to update DNS record');
+    }
+
+    return response.result;
+  }
+
+  /**
+   * Delete DNS record
+   */
+  async deleteDnsRecord(zoneId: string, recordId: string): Promise<void> {
+    const response = await this.request<{ id: string }>(
+      `/zones/${zoneId}/dns_records/${recordId}`,
+      { method: 'DELETE' }
+    );
+
+    if (!response.success) {
+      throw new Error('Failed to delete DNS record');
+    }
+  }
+
+  // ============================================
+  // Zero Trust Access API Methods
+  // ============================================
+
+  /**
+   * List Access applications
+   */
+  async listAccessApplications(): Promise<AccessApplication[]> {
+    const response = await this.request<AccessApplication[]>(
+      `/accounts/${this.accountId}/access/apps`
+    );
+
+    if (!response.success) {
+      throw new Error('Failed to list Access applications');
+    }
+
+    return response.result;
+  }
+
+  /**
+   * Get Access application by domain
+   */
+  async getAccessApplicationByDomain(domain: string): Promise<AccessApplication | null> {
+    const apps = await this.listAccessApplications();
+    return apps.find((app) => app.domain === domain) || null;
+  }
+
+  /**
+   * Create Access application
+   */
+  async createAccessApplication(app: AccessApplicationCreate): Promise<AccessApplication> {
+    const response = await this.request<AccessApplication>(
+      `/accounts/${this.accountId}/access/apps`,
+      {
+        method: 'POST',
+        body: JSON.stringify(app),
+      }
+    );
+
+    if (!response.success) {
+      throw new Error(`Failed to create Access application: ${response.errors[0]?.message}`);
+    }
+
+    return response.result;
+  }
+
+  /**
+   * Delete Access application
+   */
+  async deleteAccessApplication(appId: string): Promise<void> {
+    const response = await this.request<{ id: string }>(
+      `/accounts/${this.accountId}/access/apps/${appId}`,
+      { method: 'DELETE' }
+    );
+
+    if (!response.success) {
+      throw new Error('Failed to delete Access application');
+    }
+  }
+
+  /**
+   * List policies for an Access application
+   */
+  async listAccessPolicies(appId: string): Promise<AccessPolicy[]> {
+    const response = await this.request<AccessPolicy[]>(
+      `/accounts/${this.accountId}/access/apps/${appId}/policies`
+    );
+
+    if (!response.success) {
+      throw new Error('Failed to list Access policies');
+    }
+
+    return response.result;
+  }
+
+  /**
+   * Create Access policy for an application
+   */
+  async createAccessPolicy(appId: string, policy: AccessPolicyCreate): Promise<AccessPolicy> {
+    const response = await this.request<AccessPolicy>(
+      `/accounts/${this.accountId}/access/apps/${appId}/policies`,
+      {
+        method: 'POST',
+        body: JSON.stringify(policy),
+      }
+    );
+
+    if (!response.success) {
+      throw new Error(`Failed to create Access policy: ${response.errors[0]?.message}`);
+    }
+
+    return response.result;
+  }
+
+  /**
+   * Update Access policy
+   */
+  async updateAccessPolicy(
+    appId: string,
+    policyId: string,
+    policy: AccessPolicyCreate
+  ): Promise<AccessPolicy> {
+    const response = await this.request<AccessPolicy>(
+      `/accounts/${this.accountId}/access/apps/${appId}/policies/${policyId}`,
+      {
+        method: 'PUT',
+        body: JSON.stringify(policy),
+      }
+    );
+
+    if (!response.success) {
+      throw new Error(`Failed to update Access policy: ${response.errors[0]?.message}`);
+    }
+
+    return response.result;
+  }
+
+  /**
+   * Delete Access policy
+   */
+  async deleteAccessPolicy(appId: string, policyId: string): Promise<void> {
+    const response = await this.request<{ id: string }>(
+      `/accounts/${this.accountId}/access/apps/${appId}/policies/${policyId}`,
+      { method: 'DELETE' }
+    );
+
+    if (!response.success) {
+      throw new Error('Failed to delete Access policy');
+    }
+  }
+
+  /**
+   * Handle API errors with user-friendly messages
+   */
+  private handleApiError(status: number, data: CloudflareApiResponse<unknown>): never {
+    if (status === 401) {
+      throw new Error('Invalid API token. Run: tuna --login');
+    }
+
+    if (status === 403) {
+      throw new Error(
+        'Insufficient permissions. Your API token needs:\n' +
+          '  - Account → Cloudflare Tunnel → Edit\n' +
+          '  - Account → Access: Apps and Policies → Edit\n' +
+          '  - Zone → DNS → Edit\n' +
+          '  - Account → Account Settings → Read'
+      );
+    }
+
+    if (status === 404) {
+      throw new Error('Resource not found. Check tunnel ID or domain.');
+    }
+
+    if (status === 429) {
+      throw new Error('Rate limited. Please wait a moment and try again.');
+    }
+
+    if (data?.errors?.[0]) {
+      throw new Error(`Cloudflare API error: ${data.errors[0].message}`);
+    }
+
+    throw new Error(`API request failed with status ${status}`);
+  }
+}