cipher-shield 1.0.0

package/src/shield.js

@@ -0,0 +1,694 @@
+/**
+ * cipher-shield v2.1 - Production Security Middleware
+ *
+ * A comprehensive, multi-layered security middleware for Node.js/Express applications
+ * providing AES encryption, ghost route protection, shadow banning, and AI-powered
+ * threat detection with adaptive DEFCON escalation.
+ *
+ * @author Omindu Dissanayaka
+ * @version 1.0.0
+ * @license MIT
+ */
+
+const ghostHandler = require('./modules/ghostHandler');
+const shadowHandler = require('./modules/shadowHandler');
+const aiScanner = require('./modules/aiScanner');
+const aesEngine = require('./core/aesEngine');
+const defconSystem = require('./core/defconSystem');
+const blacklistMem = require('./core/blacklistMem');
+const SSLManager = require('./sslManager');
+const helmet = require('helmet');
+const rateLimit = require('express-rate-limit');
+const onHeaders = require('on-headers');
+const fs = require('fs');
+const path = require('path');
+
+const packageJsonPath = path.join(__dirname, '..', 'package.json');
+const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+const CIPHER_SHIELD_VERSION = packageJson.version;
+
+/**
+ * Generates a random security signature for header obfuscation
+ *
+ * @private
+ * @returns {string} Random security signature
+ */
+function generateRandomSignature() {
+  const signatures = [
+    'Cipher Shield',
+    'Security Shield',
+    'Defense Matrix',
+    'Protection Core',
+    'Security Engine',
+    'Defense System',
+    'Shield Protocol',
+    'Security Framework',
+    'Defense Network',
+    'Protection Layer',
+    'Security Vault',
+    'Defense Core',
+    'Shield Matrix',
+    'Security Grid',
+    'Defense Protocol'
+  ];
+
+  return signatures[Math.floor(Math.random() * signatures.length)];
+}
+
+/**
+ * Default strict helmet configuration for maximum security
+ * Military-grade HTTP security headers
+ */
+const defaultStrictConfig = {
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+      fontSrc: ["'self'", "https:", "data:"],
+      connectSrc: ["'self'"],
+      mediaSrc: ["'self'"],
+      objectSrc: ["'none'"],
+      frameSrc: ["'none'"],
+      baseUri: ["'self'"],
+      formAction: ["'self'"],
+      upgradeInsecureRequests: []
+    }
+  },
+  hsts: {
+    maxAge: 31536000,
+    includeSubDomains: true,
+    preload: true
+  },
+  noSniff: true,
+  xssFilter: true,
+  frameguard: {
+    action: 'deny'
+  },
+  referrerPolicy: {
+    policy: 'strict-origin-when-cross-origin'
+  },
+  permissionsPolicy: {
+    features: {
+      camera: ["'none'"],
+      microphone: ["'none'"],
+      geolocation: ["'none'"],
+      payment: ["'self'"]
+    }
+  }
+};
+
+/**
+ * Creates helmet middleware based on configuration
+ * @param {Object} config - Headers configuration
+ * @returns {Function} Helmet middleware function
+ */
+function createHelmetMiddleware(config) {
+  if (!config.enabled) {
+    return (req, res, next) => next();
+  }
+
+  let helmetConfig = {};
+
+  if (config.simple) {
+    helmetConfig = {};
+  } else if (config.security === 'max' || config.strict) {
+    helmetConfig = { ...defaultStrictConfig };
+  } else {
+    helmetConfig = {
+      contentSecurityPolicy: {
+        directives: {
+          defaultSrc: ["'self'"],
+          scriptSrc: ["'self'", "'unsafe-inline'"],
+          styleSrc: ["'self'", "'unsafe-inline'"],
+          imgSrc: ["'self'", "data:", "https:"],
+          connectSrc: ["'self'"],
+          objectSrc: ["'none'"]
+        }
+      },
+      hsts: {
+        maxAge: 86400,
+        includeSubDomains: false
+      },
+      noSniff: true,
+      xssFilter: true,
+      frameguard: {
+        action: 'sameorigin'
+      }
+    };
+  }
+
+  if (config.options && typeof config.options === 'object') {
+    helmetConfig = { ...helmetConfig, ...config.options };
+  }
+
+  return helmet(helmetConfig);
+}
+
+/**
+ * Creates rate limiter middleware based on configuration
+ * @param {Object} config - Rate limit configuration
+ * @param {Object} smartLogger - SmartLogger instance for logging (optional)
+ * @returns {Function} Rate limiter middleware function
+ */
+function createRateLimitMiddleware(config, smartLogger = null) {
+  if (!config.enabled) {
+    return (req, res, next) => next();
+  }
+
+  let rateLimitConfig = {
+    windowMs: config.windowMs,
+    max: config.max,
+    message: config.message,
+    standardHeaders: config.standardHeaders,
+    legacyHeaders: config.legacyHeaders,
+    skipSuccessfulRequests: config.skipSuccessfulRequests,
+    skipFailedRequests: config.skipFailedRequests
+  };
+
+  if (config.options && typeof config.options === 'object') {
+    rateLimitConfig = { ...rateLimitConfig, ...config.options };
+  }
+
+  return rateLimit(rateLimitConfig);
+}
+
+/**
+ * Utility function to extract client IP address from request
+ * Handles various proxy headers and fallbacks
+ */
+function extractClientIP(req) {
+  const forwarded = req.headers['x-forwarded-for'];
+  if (forwarded) {
+    return forwarded.split(',')[0].trim();
+  }
+
+  const realIP = req.headers['x-real-ip'];
+  if (realIP) {
+    return realIP;
+  }
+
+  const clientIP = req.headers['x-client-ip'];
+  if (clientIP) {
+    return clientIP;
+  }
+
+  const remoteAddress = req.connection?.remoteAddress ||
+                       req.socket?.remoteAddress ||
+                       req.connection?.socket?.remoteAddress;
+
+  if (remoteAddress) {
+    return remoteAddress.replace(/^::ffff:/, '');
+  }
+
+  return req.ip || 'unknown';
+}
+
+/**
+ * Validates IP address format to prevent injection attacks
+ *
+ * @private
+ * @param {string} ip - IP address to validate
+ * @returns {boolean} True if IP is valid format
+ */
+function isValidIP(ip) {
+  if (!ip || typeof ip !== 'string') return false;
+
+  const ipv4Regex = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+  if (ipv4Regex.test(ip)) {
+    return ip.split('.').every(part => {
+      const num = parseInt(part, 10);
+      return num >= 0 && num <= 255;
+    });
+  }
+
+  const ipv6Regex = /^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$/;
+  return ipv6Regex.test(ip);
+}
+
+/**
+ * Adds security branding to blocked response objects
+ *
+ * @private
+ * @param {Object} responseObj - The response object to brand
+ * @param {Object} signatureConfig - Signature configuration
+ * @returns {Object} Branded response object
+ */
+function addSecurityBranding(responseObj, signatureConfig) {
+  if (!signatureConfig.enabled || !signatureConfig.branding) {
+    return responseObj;
+  }
+
+  return {
+    ...responseObj,
+    security_provider: signatureConfig.simple ?
+      signatureConfig.protectedBy :
+      signatureConfig.server
+  };
+}
+
+/**
+ * Validates and normalizes cipher-shield configuration
+ * Ensures all required settings are present and valid
+ *
+ * @private
+ * @param {Object} config - Raw configuration object
+ * @returns {Object} Normalized and validated configuration
+ * @throws {Error} If configuration is invalid
+ */
+function validateAndNormalizeConfig(config = {}) {
+  const settings = {
+    encryption: {
+      enabled: Boolean(config.encryption?.enabled),
+      secretKey: config.encryption?.secretKey || null,
+      algorithm: config.encryption?.algorithm || 'aes-256-gcm'
+    },
+    ghostRoutes: Array.isArray(config.ghostRoutes) ? config.ghostRoutes : [],
+    shadowBan: {
+      enabled: Boolean(config.shadowBan?.enabled),
+      delayTime: Math.max(1000, config.shadowBan?.delayTime || 20000)
+    },
+    aiGate: {
+      enabled: Boolean(config.aiGate?.enabled),
+      provider: config.aiGate?.provider || 'gemini',
+      gemini: {
+        apiKey: config.aiGate?.gemini?.apiKey || null,
+        model: config.aiGate?.gemini?.model || 'gemini-2.5-flash'
+      },
+      openai: {
+        apiKey: config.aiGate?.openai?.apiKey || null,
+        model: config.aiGate?.openai?.model || 'gpt-4o-mini',
+        organization: config.aiGate?.openai?.organization || null
+      },
+      scanRoutes: Array.isArray(config.aiGate?.scanRoutes) ? config.aiGate.scanRoutes : [],
+      failSafe: config.aiGate?.failSafe !== false
+    },
+    headers: {
+      enabled: config.headers?.enabled !== false,
+      simple: Boolean(config.headers?.simple),
+      security: config.headers?.security || 'standard',
+      strict: Boolean(config.headers?.strict),
+      options: config.headers?.options || {}
+    },
+    rateLimit: {
+      enabled: config.rateLimit?.enabled !== false,
+      simple: Boolean(config.rateLimit?.simple),
+      windowMs: config.rateLimit?.windowMs || 15 * 60 * 1000,
+      max: config.rateLimit?.max || 100,
+      message: config.rateLimit?.message || 'Too many requests from this IP, please try again later.',
+      standardHeaders: config.rateLimit?.standardHeaders !== false,
+      legacyHeaders: Boolean(config.rateLimit?.legacyHeaders),
+      skipSuccessfulRequests: Boolean(config.rateLimit?.skipSuccessfulRequests),
+      skipFailedRequests: Boolean(config.rateLimit?.skipFailedRequests),
+      options: config.rateLimit?.options || {}
+    },
+    signature: {
+      enabled: config.signature?.enabled !== false,
+      simple: Boolean(config.signature?.simple),
+      headerValue: config.signature?.headerValue || 'Cipher Shield',
+      randomize: Boolean(config.signature?.randomize),
+      customHeaderName: config.signature?.customHeaderName || 'X-Protected-By',
+      server: config.signature?.customServer ?
+        `${config.signature.customServer}/${CIPHER_SHIELD_VERSION}` :
+        `CipherShield/${CIPHER_SHIELD_VERSION}`,
+      removePoweredBy: config.signature?.removePoweredBy !== false,
+      branding: config.signature?.branding !== false
+    },
+    adaptiveDefcon: config.adaptiveDefcon !== false
+  };
+
+  if (settings.encryption.enabled) {
+    try {
+      const algoInfo = aesEngine.getAlgorithmInfo(settings.encryption.algorithm);
+
+      if (!settings.encryption.secretKey || settings.encryption.secretKey.length !== algoInfo.keyLength) {
+        throw new Error(
+          `${settings.encryption.algorithm} requires a ${algoInfo.keyLength}-character hex-encoded secret key`
+        );
+      }
+
+      if (!/^[0-9a-fA-F]+$/.test(settings.encryption.secretKey)) {
+        throw new Error(`Secret key must be valid hexadecimal for ${settings.encryption.algorithm}`);
+      }
+    } catch (error) {
+      throw new Error(`cipher-shield: ${error.message}`);
+    }
+  }
+
+  if (settings.aiGate.enabled) {
+    if (settings.aiGate.provider === 'gemini' && !settings.aiGate.gemini.apiKey) {
+      throw new Error('Gemini API key is required when using Gemini provider');
+    }
+    if (settings.aiGate.provider === 'openai' && !settings.aiGate.openai.apiKey) {
+      throw new Error('OpenAI API key is required when using OpenAI provider');
+    }
+    if (!['gemini', 'openai'].includes(settings.aiGate.provider)) {
+      throw new Error('AI provider must be either "gemini" or "openai"');
+    }
+  }
+
+  if (settings.shadowBan.enabled && settings.shadowBan.delayTime > 45000) {
+    throw new Error('Shadow ban delay time cannot exceed 45 seconds (45000ms)');
+  }
+
+  return settings;
+}
+
+/**
+ * CipherShield - Production Security Middleware Class
+ *
+ * A comprehensive, multi-layered security middleware for Node.js/Express applications
+ * providing AES encryption, ghost route protection, shadow banning, AI-powered
+ * threat detection, adaptive DEFCON escalation, and automated SSL certificate management.
+ *
+ * @class CipherShield
+ * @version 1.0.0
+ * @author Omindu Dissanayaka
+ * @license MIT
+ */
+class CipherShield {
+  /**
+   * Creates a CipherShield instance
+   *
+   * @param {Object} config - Configuration object
+   */
+  constructor(config = {}) {
+    this.config = validateAndNormalizeConfig(config);
+    this.sslManager = null;
+
+    this.helmetMiddleware = createHelmetMiddleware(this.config.headers);
+
+    this.rateLimitMiddleware = createRateLimitMiddleware(this.config.rateLimit);
+
+    this.algoInfo = this.config.encryption.enabled ?
+      aesEngine.getAlgorithmInfo(this.config.encryption.algorithm) : null;
+
+    if (this.config.adaptiveDefcon) {
+      defconSystem.initialize();
+    }
+  }
+
+  /**
+   * Get the Express middleware function
+   *
+   * @returns {Function} Express middleware function
+   */
+  middleware() {
+    return this.createMiddleware();
+  }
+
+  /**
+   * Enable automated SSL certificate management
+   *
+   * @param {Object} sslConfig - SSL configuration
+   * @param {string} sslConfig.email - Email for Let's Encrypt account
+   * @param {string|string[]} sslConfig.domains - Domain(s) to obtain certificates for
+   * @param {boolean} [sslConfig.staging=true] - Use staging environment
+   * @param {string} [sslConfig.certDir] - Certificate storage directory
+   * @param {Object} [sslConfig.expressApp] - Express app for HTTP-01 challenges
+   * @returns {SSLManager} SSL Manager instance
+   */
+  async enableSSL(sslConfig) {
+    if (!sslConfig.email) {
+      throw new Error('SSL configuration requires an email address');
+    }
+    if (!sslConfig.domains || (Array.isArray(sslConfig.domains) && sslConfig.domains.length === 0)) {
+      throw new Error('SSL configuration requires at least one domain');
+    }
+
+    const fullSSLConfig = {
+      ...sslConfig,
+      expressApp: sslConfig.expressApp || this.config.expressApp
+    };
+
+    this.sslManager = new SSLManager(fullSSLConfig);
+    await this.sslManager.initialize();
+
+    return this.sslManager;
+  }
+
+  /**
+   * Get SSL certificates
+   *
+   * @param {string} [domain] - Specific domain, or all if not provided
+   * @returns {Object|Object[]|null} Certificate data
+   */
+  getSSLCertificates(domain) {
+    if (!this.sslManager) {
+      return null;
+    }
+
+    if (domain) {
+      return this.sslManager.getCertificate(domain);
+    }
+
+    return this.sslManager.getAllCertificates();
+  }
+
+  /**
+   * Shutdown all services
+   */
+  async shutdown() {
+    if (this.sslManager) {
+      await this.sslManager.shutdown();
+    }
+  }
+
+  /**
+   * Create the middleware function
+   *
+   * @private
+   * @returns {Function} Express middleware function
+   */
+  createMiddleware() {
+    return async (req, res, next) => {
+      const startTime = process.hrtime.bigint();
+
+      if (this.config.signature.enabled) {
+        onHeaders(res, () => {
+          if (this.config.signature.removePoweredBy) {
+            res.removeHeader('X-Powered-By');
+          }
+
+          let headerValue = this.config.signature.headerValue;
+          if (this.config.signature.randomize) {
+            headerValue = generateRandomSignature();
+          }
+
+          if (this.config.signature.simple) {
+            res.setHeader(this.config.signature.customHeaderName, headerValue);
+          } else {
+            res.setHeader('Server', this.config.signature.server);
+            res.setHeader(this.config.signature.customHeaderName, headerValue);
+          }
+        });
+      }
+    };
+  }
+
+  /**
+   * Execute active defense logic (Layers 1-4)
+   * @private
+   */
+  async executeActiveDefense(req, res, next, startTime) {
+    const clientIP = extractClientIP(req);
+
+    try {
+      if (this.config.ghostRoutes.length > 0) {
+        const isGhostRoute = ghostHandler.detect(req.path, this.config.ghostRoutes);
+
+        if (isGhostRoute) {
+          blacklistMem.add(clientIP, 'ghost_route_access');
+
+          if (this.config.adaptiveDefcon) {
+            defconSystem.escalate('GHOST_ROUTE_HIT');
+          }
+
+        }
+      }
+
+      if (this.config.shadowBan.enabled && blacklistMem.isBlacklisted(clientIP)) {
+        const currentDefcon = this.config.adaptiveDefcon ? defconSystem.getState() : 'GREEN';
+        const shouldBlock = await shadowHandler.delay(
+          clientIP,
+          this.config.shadowBan.delayTime,
+          currentDefcon
+        );
+
+        if (shouldBlock) {
+          const processingTime = Number(process.hrtime.bigint() - startTime) / 1000000;
+          console.log(`[cipher-shield] Blocked ${clientIP} after ${processingTime.toFixed(2)}ms`);
+
+          return res.status(408).json(addSecurityBranding({
+            error: 'Request Timeout',
+            message: 'The server timed out waiting for the request'
+          }, this.config.signature));
+        }
+      }
+
+      if (this.config.encryption.enabled && (req.method === 'POST' || req.method === 'PUT')) {
+        if (!req.body || typeof req.body !== 'object') {
+          blacklistMem.add(clientIP, 'invalid_request_body');
+          if (this.config.adaptiveDefcon) {
+            defconSystem.escalate('INVALID_REQUEST_BODY');
+          }
+          return res.status(400).json(addSecurityBranding({
+            error: 'Bad Request',
+            message: 'Invalid request body'
+          }, this.config.signature));
+        }
+
+        if (req.body.payload) {
+          if (typeof req.body.payload !== 'string' || req.body.payload.length > 10000) {
+            blacklistMem.add(clientIP, 'invalid_payload_format');
+            if (this.config.adaptiveDefcon) {
+              defconSystem.escalate('INVALID_PAYLOAD_FORMAT');
+            }
+            return res.status(400).json(addSecurityBranding({
+              error: 'Bad Request',
+              message: 'Invalid payload format'
+            }, this.config.signature));
+          }
+
+          try {
+            const decryptedData = aesEngine.decrypt(
+              req.body.payload,
+              this.config.encryption.secretKey
+            );
+
+            let parsedData;
+            try {
+              const tempObj = {};
+              parsedData = JSON.parse(decryptedData);
+
+              if (parsedData === null || typeof parsedData !== 'object') {
+                throw new Error('Invalid decrypted data structure');
+              }
+
+              if ('__proto__' in parsedData || 'constructor' in parsedData || 'prototype' in parsedData) {
+                throw new Error('Potential prototype pollution detected');
+              }
+
+              function checkPrototypePollution(obj, depth = 0) {
+                if (depth > 10) throw new Error('Maximum object depth exceeded');
+                if (obj === null || typeof obj !== 'object') return;
+
+                if ('__proto__' in obj || 'constructor' in obj || 'prototype' in obj) {
+                  throw new Error('Prototype pollution detected in nested object');
+                }
+
+                for (const key in obj) {
+                  if (obj.hasOwnProperty(key)) {
+                    checkPrototypePollution(obj[key], depth + 1);
+                  }
+                }
+              }
+
+              checkPrototypePollution(parsedData);
+
+            } catch (parseError) {
+              throw new Error(`JSON parsing failed: ${parseError.message}`);
+            }
+
+            req.body = parsedData;
+
+          } catch (decryptError) {
+            blacklistMem.add(clientIP, `aes_decryption_failure:${this.config.encryption.algorithm}`);
+
+            if (this.config.adaptiveDefcon) {
+              defconSystem.escalate('AES_DECRYPTION_FAIL');
+            }
+
+            const processingTime = Number(process.hrtime.bigint() - startTime) / 1000000;
+            console.log(`[cipher-shield] Decryption failed for ${clientIP} after ${processingTime.toFixed(2)}ms`);
+
+            return res.status(400).json(addSecurityBranding({
+              error: 'Bad Request',
+              message: 'Invalid payload format'
+            }, this.config.signature));
+          }
+        }
+      }
+
+      if (this.config.aiGate.enabled) {
+        const shouldScanRoute = this.config.aiGate.scanRoutes.some(route =>
+          req.path === route || req.path.startsWith(route)
+        );
+
+        if (shouldScanRoute) {
+          const currentDefcon = this.config.adaptiveDefcon ? defconSystem.getState() : 'GREEN';
+
+          if (currentDefcon !== 'RED' || !this.config.adaptiveDefcon) {
+            try {
+              const aiConfig = {
+                provider: this.config.aiGate.provider,
+                gemini: this.config.aiGate.gemini,
+                openai: this.config.aiGate.openai
+              };
+
+              const aiResult = await aiScanner.scan(req.body, aiConfig);
+
+              if (!aiResult.safe) {
+                const threatLevel = aiResult.threatLevel || 0;
+
+                if (threatLevel >= 7) {
+                  blacklistMem.add(clientIP, 'ai_high_threat');
+
+                  if (this.config.adaptiveDefcon) {
+                    defconSystem.escalate('AI_HIGH_THREAT');
+                  }
+
+                  const processingTime = Number(process.hrtime.bigint() - startTime) / 1000000;
+                  console.log(`[cipher-shield] Blocked high threat from ${clientIP} after ${processingTime.toFixed(2)}ms`);
+
+                  return res.status(403).json(addSecurityBranding({
+                    error: 'Forbidden',
+                    message: 'Request blocked by security policy'
+                  }, this.config.signature));
+
+                } else if (threatLevel >= 4) {
+                  blacklistMem.add(clientIP, 'ai_medium_threat');
+                }
+              }
+
+            } catch (aiError) {
+              if (this.config.aiGate.failSafe) {
+                if (this.config.adaptiveDefcon) {
+                  defconSystem.escalate('AI_FAILURE');
+                }
+              } else {
+                const processingTime = Number(process.hrtime.bigint() - startTime) / 1000000;
+                console.log(`[cipher-shield] AI failure for ${clientIP} after ${processingTime.toFixed(2)}ms`);
+
+                return res.status(503).json(addSecurityBranding({
+                  error: 'Service Unavailable',
+                  message: 'Security validation unavailable'
+                }, this.config.signature));
+              }
+            }
+          }
+        }
+      }
+
+      const totalTime = Number(process.hrtime.bigint() - startTime) / 1000000;
+
+      if (process.env.NODE_ENV === 'development') {
+        console.log(`[cipher-shield] ✅ ${clientIP} passed all checks in ${totalTime.toFixed(2)}ms`);
+      }
+
+      next();
+
+    } catch (error) {
+      const processingTime = Number(process.hrtime.bigint() - startTime) / 1000000;
+
+      const sanitizedError = error.message ? error.message.substring(0, 100) : 'Unknown error';
+
+      console.error(`[cipher-shield] Middleware error for ${clientIP} after ${processingTime.toFixed(2)}ms: ${sanitizedError}`);
+
+      next();
+    }
+  }
+}
+
+module.exports = CipherShield;