cipher-shield 1.0.0

package/src/smartLogger.js

@@ -0,0 +1,268 @@
+/**
+ * SmartLogger - Advanced Logging with Automatic Data Masking
+ *
+ * A secure logging utility that automatically masks sensitive data in logs.
+ * Recursively scans objects, arrays, and strings to protect sensitive information
+ * like passwords, tokens, and API keys.
+ *
+ * @module SmartLogger
+ * @version 1.0.0
+ * @author Omindu Dissanayaka
+ * @license MIT
+ */
+
+class SmartLogger {
+  /**
+   * Creates a SmartLogger instance
+   *
+   * @param {Object} [options] - Configuration options
+   * @param {string[]} [options.maskKeys] - Additional keys to mask (case-insensitive)
+   * @param {string} [options.maskValue='********'] - Value to replace sensitive data with
+   * @param {boolean} [options.enableTimestamp=true] - Include timestamp in logs
+   * @param {boolean} [options.enableColors=true] - Enable colored output
+   */
+  constructor(options = {}) {
+    this.options = {
+      maskKeys: [
+        'password', 'token', 'secret', 'apikey', 'api_key', 'apiKey',
+        'creditcard', 'credit_card', 'cvv', 'auth', 'authorization',
+        'bearer', 'session', 'cookie', 'private_key', 'privateKey'
+      ].concat(options.maskKeys || []),
+      maskValue: options.maskValue || '********',
+      enableTimestamp: options.enableTimestamp !== false,
+      enableColors: options.enableColors !== false,
+      ...options
+    };
+
+    this.colors = {
+      reset: '\x1b[0m',
+      bright: '\x1b[1m',
+      dim: '\x1b[2m',
+      red: '\x1b[31m',
+      green: '\x1b[32m',
+      yellow: '\x1b[33m',
+      blue: '\x1b[34m',
+      magenta: '\x1b[35m',
+      cyan: '\x1b[36m',
+      white: '\x1b[37m'
+    };
+  }
+
+  /**
+   * Add additional keys to mask in logs
+   *
+   * @param {string|string[]} keys - Key(s) to add to the masking list
+   */
+  addMaskKey(keys) {
+    if (Array.isArray(keys)) {
+      this.options.maskKeys = this.options.maskKeys.concat(keys);
+    } else if (typeof keys === 'string') {
+      this.options.maskKeys.push(keys);
+    } else {
+      throw new Error('Keys must be a string or array of strings');
+    }
+  }
+
+  /**
+   * Log information with data masking
+   *
+   * @param {*} message - Message or data to log
+   * @param {...*} args - Additional arguments
+   */
+  info(message, ...args) {
+    this._log('INFO', message, args, this.colors.green);
+  }
+
+  /**
+   * Log warnings with data masking
+   *
+   * @param {*} message - Message or data to log
+   * @param {...*} args - Additional arguments
+   */
+  warn(message, ...args) {
+    this._log('WARN', message, args, this.colors.yellow);
+  }
+
+  /**
+   * Log errors with data masking
+   *
+   * @param {*} message - Message or data to log
+   * @param {...*} args - Additional arguments
+   */
+  error(message, ...args) {
+    this._log('ERROR', message, args, this.colors.red);
+  }
+
+  /**
+   * Log debug information with data masking
+   *
+   * @param {*} message - Message or data to log
+   * @param {...*} args - Additional arguments
+   */
+  debug(message, ...args) {
+    this._log('DEBUG', message, args, this.colors.blue);
+  }
+
+  /**
+   * Log with custom level
+   *
+   * @param {string} level - Log level
+   * @param {*} message - Message or data to log
+   * @param {...*} args - Additional arguments
+   */
+  log(level, message, ...args) {
+    this._log(level.toUpperCase(), message, args, this.colors.white);
+  }
+
+  /**
+   * Internal logging method
+   *
+   * @private
+   * @param {string} level - Log level
+   * @param {*} message - Message or data to log
+   * @param {Array} args - Additional arguments
+   * @param {string} color - Color code for output
+   */
+  _log(level, message, args, color) {
+    const timestamp = this.options.enableTimestamp ?
+      `[${new Date().toISOString()}] ` : '';
+
+    const levelStr = this.options.enableColors ?
+      `${color}[${level}]${this.colors.reset}` : `[${level}]`;
+
+    const sanitizedMessage = this._sanitize(message);
+    const sanitizedArgs = args.map(arg => this._sanitize(arg));
+
+    let output = `${timestamp}${levelStr} ${sanitizedMessage}`;
+
+    if (sanitizedArgs.length > 0) {
+      output += ' ' + sanitizedArgs.map(arg =>
+        typeof arg === 'object' ? JSON.stringify(arg, null, 2) : String(arg)
+      ).join(' ');
+    }
+
+    console.log(output);
+  }
+
+  /**
+   * Sanitize data by masking sensitive information
+   *
+   * @private
+   * @param {*} data - Data to sanitize
+   * @returns {*} Sanitized data
+   */
+  _sanitize(data) {
+    if (data === null || data === undefined) {
+      return data;
+    }
+
+    if (typeof data === 'string') {
+      return this._sanitizeString(data);
+    }
+
+    if (typeof data === 'object') {
+      if (Array.isArray(data)) {
+        return data.map(item => this._sanitize(item));
+      }
+
+      return this._sanitizeObject(data);
+    }
+
+    return data;
+  }
+
+  /**
+   * Sanitize string data
+   *
+   * @private
+   * @param {string} str - String to sanitize
+   * @returns {string} Sanitized string
+   */
+  _sanitizeString(str) {
+    if (str.trim().startsWith('{') || str.trim().startsWith('[')) {
+      try {
+        const parsed = JSON.parse(str);
+        const sanitized = this._sanitize(parsed);
+        return JSON.stringify(sanitized);
+      } catch {
+      }
+    }
+
+    const sensitivePatterns = [
+      /password[\s]*[:=][\s]*[^\s]+/gi,
+      /token[\s]*[:=][\s]*[^\s]+/gi,
+      /secret[\s]*[:=][\s]*[^\s]+/gi,
+      /apikey[\s]*[:=][\s]*[^\s]+/gi,
+      /api_key[\s]*[:=][\s]*[^\s]+/gi,
+      /bearer[\s]+[^\s]+/gi,
+      /authorization[\s]*[:=][\s]*[^\s]+/gi
+    ];
+
+    let sanitized = str;
+    for (const pattern of sensitivePatterns) {
+      sanitized = sanitized.replace(pattern, (match) => {
+        const parts = match.split(/[:=\s]+/);
+        return parts[0] + ': ' + this.options.maskValue;
+      });
+    }
+
+    return sanitized;
+  }
+
+  /**
+   * Sanitize object data recursively
+   *
+   * @private
+   * @param {Object} obj - Object to sanitize
+   * @returns {Object} Sanitized object
+   */
+  _sanitizeObject(obj) {
+    if (obj === null || typeof obj !== 'object') {
+      return obj;
+    }
+
+    const sanitized = Array.isArray(obj) ? [] : {};
+
+    for (const [key, value] of Object.entries(obj)) {
+      const lowerKey = key.toLowerCase();
+
+      const shouldMask = this.options.maskKeys.some(maskKey =>
+        lowerKey.includes(maskKey.toLowerCase())
+      );
+
+      if (shouldMask) {
+        sanitized[key] = this.options.maskValue;
+      } else {
+        sanitized[key] = this._sanitize(value);
+      }
+    }
+
+    return sanitized;
+  }
+
+  /**
+   * Add custom keys to mask
+   *
+   * @param {string|string[]} keys - Keys to add to masking list
+   */
+  addMaskKeys(keys) {
+    const newKeys = Array.isArray(keys) ? keys : [keys];
+    this.options.maskKeys.push(...newKeys);
+  }
+
+  /**
+   * Remove keys from masking list
+   *
+   * @param {string|string[]} keys - Keys to remove from masking list
+   */
+  removeMaskKeys(keys) {
+    const keysToRemove = Array.isArray(keys) ? keys : [keys];
+    this.options.maskKeys = this.options.maskKeys.filter(maskKey =>
+      !keysToRemove.some(removeKey =>
+        maskKey.toLowerCase() === removeKey.toLowerCase()
+      )
+    );
+  }
+}
+
+module.exports = SmartLogger;

package/src/sslManager.js

@@ -0,0 +1,345 @@
+/**
+ * SSLManager - Automated SSL Certificate Management for Cipher Shield
+ *
+ * Handles automated SSL certificate generation and renewal using Let's Encrypt ACME protocol.
+ * Supports HTTP-01 challenge automation, secure certificate storage, and auto-renewal.
+ *
+ * @module SSLManager
+ * @version 1.0.0
+ * @author Omindu Dissanayaka
+ * @license MIT
+ */
+
+const acme = require('acme-client');
+const forge = require('node-forge');
+const fs = require('fs').promises;
+const path = require('path');
+const crypto = require('crypto');
+
+class SSLManager {
+  /**
+   * Creates an SSL Manager instance
+   *
+   * @param {Object} config - SSL configuration
+   * @param {string} config.email - Email for Let's Encrypt account registration
+   * @param {string[]} config.domains - Array of domains to obtain certificates for
+   * @param {boolean} [config.staging=true] - Use Let's Encrypt staging environment
+   * @param {string} [config.certDir='./ssl-certs'] - Directory to store certificates
+   * @param {Object} [config.expressApp] - Express app instance for HTTP-01 challenge
+   */
+  constructor(config) {
+    this.config = {
+      email: config.email,
+      domains: Array.isArray(config.domains) ? config.domains : [config.domains],
+      staging: config.staging !== false,
+      certDir: config.certDir || path.join(process.cwd(), 'ssl-certs'),
+      expressApp: config.expressApp,
+      ...config
+    };
+
+    this.client = null;
+    this.accountKey = null;
+    this.certificates = new Map();
+    this.renewalInterval = null;
+
+    this.directoryUrl = this.config.staging
+      ? acme.directory.letsencrypt.staging
+      : acme.directory.letsencrypt.production;
+
+    this.logger = {
+      info: (msg) => console.log(`[SSLManager] ${msg}`),
+      error: (msg) => console.error(`[SSLManager] ${msg}`),
+      warn: (msg) => console.warn(`[SSLManager] ${msg}`)
+    };
+  }
+
+  /**
+   * Initialize SSL Manager and start certificate management
+   */
+  async initialize() {
+    try {
+      this.logger.info('Initializing SSL Manager...');
+
+      await this.ensureCertDirectory();
+      await this.initializeACMEClient();
+      await this.loadExistingCertificates();
+      this.startAutoRenewal();
+      await this.obtainCertificates();
+
+      this.logger.info('SSL Manager initialized successfully');
+    } catch (error) {
+      this.logger.error(`SSL Manager initialization failed: ${error.message}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Ensure certificate directory exists
+   */
+  async ensureCertDirectory() {
+    try {
+      await fs.access(this.config.certDir);
+    } catch {
+      await fs.mkdir(this.config.certDir, { recursive: true });
+      this.logger.info(`Created certificate directory: ${this.config.certDir}`);
+    }
+  }
+
+  /**
+   * Initialize ACME client with account registration
+   */
+  async initializeACMEClient() {
+    try {
+      this.accountKey = await this.getOrCreateAccountKey();
+
+      this.client = new acme.Client({
+        directoryUrl: this.directoryUrl,
+        accountKey: this.accountKey
+      });
+
+      this.logger.info('ACME client initialized');
+    } catch (error) {
+      this.logger.error(`ACME client initialization failed: ${error.message}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Get or create account private key
+   */
+  async getOrCreateAccountKey() {
+    const accountKeyPath = path.join(this.config.certDir, 'account-key.pem');
+
+    try {
+      const keyData = await fs.readFile(accountKeyPath, 'utf8');
+      this.logger.info('Loaded existing account key');
+      return keyData;
+    } catch {
+      this.logger.info('Generating new account key...');
+      const { privateKey } = crypto.generateKeyPairSync('ec', {
+        namedCurve: 'P-256',
+        publicKeyEncoding: { type: 'spki', format: 'pem' },
+        privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+      });
+
+      await fs.writeFile(accountKeyPath, privateKey, { mode: 0o600 });
+      this.logger.info('Account key saved');
+      return privateKey;
+    }
+  }
+
+  /**
+   * Load existing certificates from disk
+   */
+  async loadExistingCertificates() {
+    for (const domain of this.config.domains) {
+      try {
+        const certData = await this.loadCertificate(domain);
+        if (certData) {
+          this.certificates.set(domain, certData);
+          this.logger.info(`Loaded existing certificate for ${domain}`);
+        }
+      } catch (error) {
+        this.logger.warn(`Could not load certificate for ${domain}: ${error.message}`);
+      }
+    }
+  }
+
+  /**
+   * Load certificate data for a domain
+   */
+  async loadCertificate(domain) {
+    const certPath = path.join(this.config.certDir, `${domain}.pem`);
+    const keyPath = path.join(this.config.certDir, `${domain}-key.pem`);
+
+    try {
+      const [cert, key] = await Promise.all([
+        fs.readFile(certPath, 'utf8'),
+        fs.readFile(keyPath, 'utf8')
+      ]);
+
+      return { cert, key, domain };
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Obtain certificates for all configured domains
+   */
+  async obtainCertificates() {
+    for (const domain of this.config.domains) {
+      try {
+        const existingCert = this.certificates.get(domain);
+        if (existingCert && !this.isCertificateExpiringSoon(existingCert.cert)) {
+          this.logger.info(`Certificate for ${domain} is still valid`);
+          continue;
+        }
+
+        this.logger.info(`Obtaining certificate for ${domain}...`);
+        const certData = await this.obtainCertificate(domain);
+        this.certificates.set(domain, certData);
+        await this.saveCertificate(certData);
+
+        this.logger.info(`Certificate obtained and saved for ${domain}`);
+      } catch (error) {
+        this.logger.error(`Failed to obtain certificate for ${domain}: ${error.message}`);
+        throw error;
+      }
+    }
+  }
+
+  /**
+   * Obtain certificate for a specific domain
+   */
+  async obtainCertificate(domain) {
+    try {
+      const domainKey = crypto.generateKeyPairSync('rsa', {
+        modulusLength: 2048,
+        publicKeyEncoding: { type: 'spki', format: 'pem' },
+        privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+      });
+
+      const [key, csr] = await acme.crypto.createCsr({
+        commonName: domain,
+        altNames: [domain]
+      });
+
+      const challengeHandler = this.createChallengeHandler(domain);
+
+      const certificate = await this.client.auto({
+        csr,
+        email: this.config.email,
+        termsOfServiceAgreed: true,
+        challengeCreateFn: challengeHandler.create,
+        challengeRemoveFn: challengeHandler.remove
+      });
+
+      return {
+        cert: certificate,
+        key: key,
+        domain
+      };
+    } catch (error) {
+      this.logger.error(`Certificate obtain failed for ${domain}: ${error.message}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Create HTTP-01 challenge handler
+   */
+  createChallengeHandler(domain) {
+    const challenges = new Map();
+
+    return {
+      create: async (authz, challenge, keyAuthorization) => {
+        if (challenge.type === 'http-01') {
+          const challengePath = `/.well-known/acme-challenge/${challenge.token}`;
+
+          challenges.set(challenge.token, keyAuthorization);
+
+          if (this.config.expressApp) {
+            this.config.expressApp.get(challengePath, (req, res) => {
+              const token = req.path.split('/').pop();
+              const auth = challenges.get(token);
+              if (auth) {
+                res.set('Content-Type', 'text/plain');
+                res.send(auth);
+              } else {
+                res.status(404).send('Challenge not found');
+              }
+            });
+
+            this.logger.info(`HTTP-01 challenge route setup for ${domain}: ${challengePath}`);
+          } else {
+            this.logger.warn('No Express app provided - HTTP-01 challenge will not be served automatically');
+          }
+        }
+      },
+
+      remove: async (authz, challenge) => {
+        if (challenge.type === 'http-01') {
+          challenges.delete(challenge.token);
+          this.logger.info(`HTTP-01 challenge removed for ${domain}`);
+        }
+      }
+    };
+  }
+
+  isCertificateExpiringSoon(certPem) {
+    try {
+      const cert = forge.pki.certificateFromPem(certPem);
+      const now = new Date();
+      const expiry = cert.validity.notAfter;
+      const daysUntilExpiry = (expiry - now) / (1000 * 60 * 60 * 24);
+
+      return daysUntilExpiry < 30;
+    } catch {
+      return true;
+    }
+  }
+
+  /**
+   * Save certificate to disk
+   */
+  async saveCertificate(certData) {
+    const certPath = path.join(this.config.certDir, `${certData.domain}.pem`);
+    const keyPath = path.join(this.config.certDir, `${certData.domain}-key.pem`);
+
+    await Promise.all([
+      fs.writeFile(certPath, certData.cert, { mode: 0o644 }),
+      fs.writeFile(keyPath, certData.key, { mode: 0o600 })
+    ]);
+
+    this.logger.info(`Certificate saved for ${certData.domain}`);
+  }
+
+  /**
+   * Start auto-renewal process
+   */
+  startAutoRenewal() {
+    this.renewalInterval = setInterval(async () => {
+      try {
+        this.logger.info('Checking certificates for renewal...');
+        await this.obtainCertificates();
+      } catch (error) {
+        this.logger.error(`Auto-renewal check failed: ${error.message}`);
+      }
+    }, 24 * 60 * 60 * 1000);
+
+    this.logger.info('Auto-renewal process started (checks every 24 hours)');
+  }
+
+  stopAutoRenewal() {
+    if (this.renewalInterval) {
+      clearInterval(this.renewalInterval);
+      this.renewalInterval = null;
+      this.logger.info('Auto-renewal process stopped');
+    }
+  }
+
+  /**
+   * Get certificate for domain
+   */
+  getCertificate(domain) {
+    return this.certificates.get(domain) || null;
+  }
+
+  /**
+   * Get all certificates
+   */
+  getAllCertificates() {
+    return Array.from(this.certificates.values());
+  }
+
+  /**
+   * Shutdown SSL Manager
+   */
+  async shutdown() {
+    this.stopAutoRenewal();
+    this.logger.info('SSL Manager shutdown complete');
+  }
+}
+
+module.exports = SSLManager;