chainlesschain 0.47.9 → 0.49.0

package/src/lib/hardening-manager.js

@@ -4,11 +4,33 @@
  */
 
 import crypto from "crypto";
+import fs from "fs";
+import path from "path";
+
+/* ── Dependency injection (for tests) ─────────────────────── */
+const _deps = { fs, path };
+export { _deps };
 
 /* ── In-memory stores ──────────────────────────────────────── */
 const _baselines = new Map();
 const _audits = new Map();
 
+/* ── Config audit constants ────────────────────────────────── */
+
+const DEFAULT_FORBIDDEN_PLACEHOLDERS = [
+  "changeme",
+  "change-me",
+  "your-api-key",
+  "your-secret",
+  "xxx",
+  "todo",
+  "replace-me",
+];
+
+const DEFAULT_REQUIRED_KEYS = []; // caller-supplied; empty default keeps helper generic
+
+const CONFIG_CHECK_PREFIX = "config:";
+
 const BASELINE_STATUS = {
   COLLECTING: "collecting",
   COMPLETE: "complete",
@@ -267,6 +289,393 @@ export function getAuditReport(auditId) {
   return audit;
 }
 
+/* ── Config Audit (real, deterministic) ───────────────────── */
+
+/**
+ * Load a JSON config file from disk. Returns `null` if missing or unreadable.
+ * Throws `SyntaxError` on malformed JSON so callers can distinguish
+ * "file not present" (checklist: absent) from "file invalid" (checklist: fail).
+ */
+export function loadConfig(configPath) {
+  if (!configPath) return null;
+  if (!_deps.fs.existsSync(configPath)) return null;
+  const raw = _deps.fs.readFileSync(configPath, "utf-8");
+  return JSON.parse(raw);
+}
+
+function _getByPath(obj, keyPath) {
+  if (obj == null) return undefined;
+  const parts = keyPath.split(".");
+  let cur = obj;
+  for (const p of parts) {
+    if (cur == null || typeof cur !== "object") return undefined;
+    cur = cur[p];
+  }
+  return cur;
+}
+
+function _containsPlaceholder(value, placeholders) {
+  if (typeof value !== "string") return null;
+  const lower = value.toLowerCase();
+  for (const ph of placeholders) {
+    if (lower.includes(ph.toLowerCase())) return ph;
+  }
+  return null;
+}
+
+/**
+ * Pure config inspection. Accepts a parsed config object (or null when the
+ * file is absent) and returns a check list.
+ *
+ * opts.configPath — reporting only (used in detail messages)
+ * opts.requiredKeys — dot-paths that MUST be present and non-empty
+ * opts.forbiddenPlaceholders — substrings that disqualify a string value
+ *   (defaults to common "changeme" style)
+ * opts.dangerousDefaults — [{path, badValue}] — path MUST NOT equal badValue
+ */
+export function checkConfig(config, opts = {}) {
+  const {
+    configPath = "(inline)",
+    requiredKeys = DEFAULT_REQUIRED_KEYS,
+    forbiddenPlaceholders = DEFAULT_FORBIDDEN_PLACEHOLDERS,
+    dangerousDefaults = [],
+  } = opts;
+
+  const checks = [];
+
+  // File presence
+  checks.push(
+    config == null
+      ? {
+          name: "config.file_present",
+          status: "fail",
+          severity: "high",
+          detail: `Config file not found: ${configPath}`,
+        }
+      : {
+          name: "config.file_present",
+          status: "pass",
+          severity: "info",
+          detail: `Loaded ${configPath}`,
+        },
+  );
+
+  if (config != null) {
+    // Required keys
+    for (const key of requiredKeys) {
+      const val = _getByPath(config, key);
+      const missing = val === undefined || val === null || val === "";
+      checks.push({
+        name: `config.required.${key}`,
+        status: missing ? "fail" : "pass",
+        severity: missing ? "high" : "info",
+        detail: missing
+          ? `Required key missing or empty: ${key}`
+          : `Present: ${key}`,
+      });
+    }
+
+    // Placeholder scan — recurse through string values
+    const offenders = [];
+    const scan = (val, trail) => {
+      if (val == null) return;
+      if (typeof val === "string") {
+        const hit = _containsPlaceholder(val, forbiddenPlaceholders);
+        if (hit) offenders.push({ path: trail, placeholder: hit });
+        return;
+      }
+      if (typeof val !== "object") return;
+      for (const [k, v] of Object.entries(val)) {
+        scan(v, trail ? `${trail}.${k}` : k);
+      }
+    };
+    scan(config, "");
+    if (offenders.length === 0) {
+      checks.push({
+        name: "config.no_placeholders",
+        status: "pass",
+        severity: "info",
+        detail: "No placeholder values detected",
+      });
+    } else {
+      for (const o of offenders) {
+        checks.push({
+          name: `config.placeholder.${o.path}`,
+          status: "fail",
+          severity: "critical",
+          detail: `Placeholder "${o.placeholder}" at ${o.path}`,
+        });
+      }
+    }
+
+    // Dangerous default detection
+    for (const { path: p, badValue } of dangerousDefaults) {
+      const val = _getByPath(config, p);
+      const dangerous = val === badValue;
+      checks.push({
+        name: `config.dangerous_default.${p}`,
+        status: dangerous ? "fail" : "pass",
+        severity: dangerous ? "high" : "info",
+        detail: dangerous
+          ? `${p} still at dangerous default (${JSON.stringify(badValue)})`
+          : `${p} overridden`,
+      });
+    }
+  }
+
+  const passed = checks.filter((c) => c.status === "pass").length;
+  const failed = checks.length - passed;
+  const score = checks.length ? Math.round((passed / checks.length) * 100) : 0;
+
+  return { checks, passed, failed, score, configPath };
+}
+
+/**
+ * Run a config audit and persist it to `hardening_audits`. Audit name is
+ * prefixed with `CONFIG_CHECK_PREFIX` so `deployCheck` can locate it.
+ */
+export function runConfigAudit(db, opts = {}) {
+  const {
+    name = "default",
+    configPath,
+    requiredKeys,
+    forbiddenPlaceholders,
+    dangerousDefaults,
+  } = opts;
+  if (!configPath) throw new Error("configPath is required");
+
+  let config = null;
+  let loadError = null;
+  try {
+    config = loadConfig(configPath);
+  } catch (err) {
+    loadError = err;
+  }
+
+  const result =
+    loadError != null
+      ? {
+          checks: [
+            {
+              name: "config.file_parseable",
+              status: "fail",
+              severity: "critical",
+              detail: `Failed to parse ${configPath}: ${loadError.message}`,
+            },
+          ],
+          passed: 0,
+          failed: 1,
+          score: 0,
+          configPath,
+        }
+      : checkConfig(config, {
+          configPath,
+          requiredKeys,
+          forbiddenPlaceholders,
+          dangerousDefaults,
+        });
+
+  const id = crypto.randomUUID();
+  const now = new Date().toISOString();
+  const recommendations = result.checks
+    .filter((c) => c.status === "fail")
+    .map((c) => `Fix [${c.severity || "medium"}]: ${c.name} — ${c.detail}`);
+
+  const audit = {
+    id,
+    name: `${CONFIG_CHECK_PREFIX}${name}`,
+    checks: result.checks,
+    passed: result.passed,
+    failed: result.failed,
+    score: result.score,
+    recommendations,
+    configPath,
+    createdAt: now,
+  };
+
+  _audits.set(id, audit);
+
+  db.prepare(
+    `INSERT INTO hardening_audits (id, name, checks, passed, failed, score, recommendations, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+  ).run(
+    id,
+    audit.name,
+    JSON.stringify(result.checks),
+    result.passed,
+    result.failed,
+    result.score,
+    JSON.stringify(recommendations),
+    now,
+  );
+
+  return audit;
+}
+
+/* ── Deployment Readiness Check ───────────────────────────── */
+
+function _severityCounts(checks) {
+  const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  for (const c of checks || []) {
+    if (c.status !== "fail") continue;
+    const sev = c.severity || "medium";
+    if (counts[sev] != null) counts[sev]++;
+  }
+  return counts;
+}
+
+/**
+ * Evaluate the six "§八 部署检查清单" items against the current
+ * `_baselines` / `_audits` stores.
+ *
+ * Returns `{ ready, items[], summary }` where each item is
+ * `{ id, label, status: "pass"|"fail"|"skipped", detail }`.
+ *
+ * CLI-evaluable items:
+ *   - baseline_established      — any baseline in store
+ *   - security_audit_score_80   — latest non-config audit score >= 80
+ *   - no_critical_high_vulns    — latest non-config audit: 0 critical + 0 high fails
+ *   - config_items_checked      — latest config:* audit has score >= 80
+ *
+ * Desktop-only items (reported as skipped):
+ *   - alerting_tested, monitoring_dashboard
+ */
+export function deployCheck() {
+  const baselines = [..._baselines.values()];
+  const audits = [..._audits.values()];
+  const configAudits = audits.filter((a) =>
+    (a.name || "").startsWith(CONFIG_CHECK_PREFIX),
+  );
+  const nonConfigAudits = audits.filter(
+    (a) => !(a.name || "").startsWith(CONFIG_CHECK_PREFIX),
+  );
+
+  const latestBy = (arr) =>
+    arr.length === 0
+      ? null
+      : arr.reduce((a, b) => (a.createdAt > b.createdAt ? a : b));
+
+  const latestAudit = latestBy(nonConfigAudits);
+  const latestConfigAudit = latestBy(configAudits);
+
+  const items = [];
+
+  items.push(
+    baselines.length > 0
+      ? {
+          id: "baseline_established",
+          label: "性能基线已建立",
+          status: "pass",
+          detail: `${baselines.length} baseline(s) recorded`,
+        }
+      : {
+          id: "baseline_established",
+          label: "性能基线已建立",
+          status: "fail",
+          detail:
+            "No baseline collected — run `cc hardening baseline collect <name>`",
+        },
+  );
+
+  items.push(
+    latestAudit == null
+      ? {
+          id: "security_audit_score_80",
+          label: "安全审计已完成且评分 >= 80",
+          status: "fail",
+          detail: "No security audit has been run",
+        }
+      : latestAudit.score >= 80
+        ? {
+            id: "security_audit_score_80",
+            label: "安全审计已完成且评分 >= 80",
+            status: "pass",
+            detail: `Latest audit "${latestAudit.name}" score=${latestAudit.score}%`,
+          }
+        : {
+            id: "security_audit_score_80",
+            label: "安全审计已完成且评分 >= 80",
+            status: "fail",
+            detail: `Latest audit score ${latestAudit.score}% < 80`,
+          },
+  );
+
+  if (latestAudit == null) {
+    items.push({
+      id: "no_critical_high_vulns",
+      label: "无 CRITICAL 和 HIGH 级别漏洞",
+      status: "fail",
+      detail: "No audit to evaluate severities",
+    });
+  } else {
+    const sev = _severityCounts(latestAudit.checks);
+    const bad = sev.critical + sev.high;
+    items.push(
+      bad === 0
+        ? {
+            id: "no_critical_high_vulns",
+            label: "无 CRITICAL 和 HIGH 级别漏洞",
+            status: "pass",
+            detail: `critical=0 high=0 (medium=${sev.medium} low=${sev.low})`,
+          }
+        : {
+            id: "no_critical_high_vulns",
+            label: "无 CRITICAL 和 HIGH 级别漏洞",
+            status: "fail",
+            detail: `critical=${sev.critical} high=${sev.high}`,
+          },
+    );
+  }
+
+  items.push(
+    latestConfigAudit == null
+      ? {
+          id: "config_items_checked",
+          label: "所有配置项已检查",
+          status: "fail",
+          detail:
+            "No config audit has been run — use `cc hardening config-check`",
+        }
+      : latestConfigAudit.score >= 80
+        ? {
+            id: "config_items_checked",
+            label: "所有配置项已检查",
+            status: "pass",
+            detail: `Config audit "${latestConfigAudit.name}" score=${latestConfigAudit.score}%`,
+          }
+        : {
+            id: "config_items_checked",
+            label: "所有配置项已检查",
+            status: "fail",
+            detail: `Config audit score ${latestConfigAudit.score}% < 80`,
+          },
+  );
+
+  items.push({
+    id: "alerting_tested",
+    label: "告警机制已测试",
+    status: "skipped",
+    detail: "Desktop-only (alert UI + notification subsystem)",
+  });
+
+  items.push({
+    id: "monitoring_dashboard",
+    label: "监控仪表板已配置",
+    status: "skipped",
+    detail: "Desktop-only (Ant Design chart dashboard)",
+  });
+
+  const blocking = items.filter((i) => i.status === "fail");
+  const skipped = items.filter((i) => i.status === "skipped");
+  const passed = items.filter((i) => i.status === "pass");
+
+  return {
+    ready: blocking.length === 0,
+    items,
+    summary: `${passed.length} pass, ${blocking.length} fail, ${skipped.length} skipped (desktop-only)`,
+  };
+}
+
 /* ── Reset (for testing) ───────────────────────────────────── */
 
 export function _resetState() {