cyberia 2.8.885

package/src/server/crypto.js

@@ -0,0 +1,210 @@
+/**
+ * Module for managing crypto operations
+ * @module src/server/crypto.js
+ * @namespace Crypto
+ */
+
+import crypto from 'crypto';
+
+/* ----------------------------- SymmetricCrypto ----------------------------- */
+
+class SymmetricCrypto {
+  #encryptionKey;
+
+  /**
+   * @param {object} [options]
+   * @param {Buffer | string} [options.encryptionKey] - 32-byte key as Buffer or hex string. If not provided, a new random key is generated.
+   */
+  /** @memberof Crypto */
+  constructor(options = {}) {
+    const { encryptionKey } = options;
+
+    if (encryptionKey) {
+      this.#encryptionKey = typeof encryptionKey === 'string' ? Buffer.from(encryptionKey, 'hex') : encryptionKey;
+    } else {
+      this.#encryptionKey = crypto.randomBytes(32);
+    }
+
+    if (!Buffer.isBuffer(this.#encryptionKey) || this.#encryptionKey.length !== 32) {
+      throw new Error('Encryption key must be a 32-byte Buffer or 64-length hex string.');
+    }
+
+    // Provide a compatibility IV property expected by some test suites / legacy code.
+    // This IV is not reused for each encryption operation (encryptData will generate its own IV).
+    // It exists so tests that expect an ivHex on the instance (16 bytes) continue to work.
+    this.ivHex = crypto.randomBytes(16).toString('hex'); // 16 bytes -> 32 hex chars
+  }
+
+  /** Returns encryption key as hex. */
+  /** @memberof Crypto */
+  get encryptionKeyHex() {
+    return this.#encryptionKey.toString('hex');
+  }
+
+  /**
+   * Encrypts plaintext using AES-256-GCM and returns `iv_hex:ciphertext_hex:authTag_hex`.
+   *
+   * @param {string} [plaintext='']
+   * @returns {string}
+   * @memberof Crypto
+   */
+  encryptData(plaintext = '') {
+    // GCM recommended IV size is 12 bytes
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', this.#encryptionKey, iv);
+
+    const encryptedPart = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+
+    return `${iv.toString('hex')}:${encryptedPart.toString('hex')}:${authTag.toString('hex')}`;
+  }
+
+  /**
+   * Decrypts data. Supports two formats:
+   *  - AES-256-GCM: `iv_hex:ciphertext_hex:authTag_hex` (preferred)
+   *  - Legacy AES-256-CBC: `iv_hex:ciphertext_hex` (fallback for backward compatibility)
+   *
+   * @param {string} [ciphertext='']
+   * @returns {string} plaintext
+   * @throws {Error} Generic error on failure (to avoid leaking details).
+   * @memberof Crypto
+   */
+  decryptData(ciphertext = '') {
+    try {
+      const parts = ciphertext.split(':');
+
+      if (parts.length === 3) {
+        // AES-256-GCM
+        const [ivHex, encryptedHex, tagHex] = parts;
+        const iv = Buffer.from(ivHex, 'hex');
+        const encrypted = Buffer.from(encryptedHex, 'hex');
+        const authTag = Buffer.from(tagHex, 'hex');
+
+        const decipher = crypto.createDecipheriv('aes-256-gcm', this.#encryptionKey, iv);
+        decipher.setAuthTag(authTag);
+
+        const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+        return decrypted.toString('utf8');
+      }
+
+      if (parts.length === 2) {
+        // Legacy: AES-256-CBC (no authentication). Provided for compatibility only.
+        const [ivHex, encryptedHex] = parts;
+        const iv = Buffer.from(ivHex, 'hex');
+        const encrypted = encryptedHex;
+
+        const decipher = crypto.createDecipheriv('aes-256-cbc', this.#encryptionKey, iv);
+        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+      }
+
+      throw new Error('Invalid ciphertext format.');
+    } catch (err) {
+      // Do not leak internal error details (stack, key material, etc.).
+      // Optional: instrument monitoring/logging but avoid logging sensitive inputs.
+      throw new Error('Decryption failed. Check key, IV, or ciphertext integrity.');
+    }
+  }
+}
+
+/* ---------------------------- AsymmetricCrypto ---------------------------- */
+
+class AsymmetricCrypto {
+  #publicKey;
+  #privateKey;
+  #modulusLength;
+
+  /**
+   * @param {object} [options]
+   * @param {string|Buffer} [options.publicKey] - PEM-formatted public key
+   * @param {string|Buffer} [options.privateKey] - PEM-formatted private key
+   * @param {number} [options.modulusLength=2048] - If keys are not provided, generates a new key pair of this size (bits). Consider 3072 for long-lived keys.
+   */
+  /** @memberof Crypto */
+  constructor(options = {}) {
+    const { publicKey, privateKey } = options;
+    this.#modulusLength = options.modulusLength || 2048;
+
+    if (!publicKey || !privateKey) {
+      // Generate an in-memory key pair. No file I/O; keys remain in process memory only.
+      const { publicKey: pub, privateKey: priv } = crypto.generateKeyPairSync('rsa', {
+        modulusLength: this.#modulusLength,
+        publicKeyEncoding: { type: 'spki', format: 'pem' },
+        privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+      });
+      this.#publicKey = pub;
+      this.#privateKey = priv;
+    } else {
+      // Accept provided keys (string or Buffer)
+      this.#publicKey = typeof publicKey === 'string' || Buffer.isBuffer(publicKey) ? publicKey : String(publicKey);
+      this.#privateKey =
+        typeof privateKey === 'string' || Buffer.isBuffer(privateKey) ? privateKey : String(privateKey);
+
+      // Basic validation: ensure PEM headers exist. This is intentionally lightweight.
+      const pubStr = String(this.#publicKey);
+      const privStr = String(this.#privateKey);
+      if (!pubStr.includes('BEGIN PUBLIC KEY') || !privStr.includes('BEGIN')) {
+        throw new Error('Provided keys do not appear to be valid PEM-formatted keys.');
+      }
+    }
+  }
+
+  /** @memberof Crypto */
+  get publicKey() {
+    return this.#publicKey;
+  }
+
+  /** @memberof Crypto */
+  get privateKey() {
+    return this.#privateKey;
+  }
+
+  /**
+   * Encrypts plaintext using RSA-OAEP with SHA-256. Returns hex-encoded ciphertext.
+   * Note: RSA encryption is intended for small payloads. For larger data use hybrid encryption (encrypt a symmetric key and then use AES-GCM).
+   * @param {string} plaintext
+   * @returns {string} hex ciphertext
+   * @memberof Crypto
+   */
+  encryptData(plaintext) {
+    const buffer = Buffer.from(plaintext, 'utf8');
+    const encrypted = crypto.publicEncrypt(
+      {
+        key: this.#publicKey,
+        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+        oaepHash: 'sha256',
+      },
+      buffer,
+    );
+
+    return encrypted.toString('hex');
+  }
+
+  /**
+   * Decrypts RSA-OAEP hex ciphertext and returns utf8 plaintext.
+   * @param {string} ciphertextHex
+   * @returns {string}
+   * @memberof Crypto
+   */
+  decryptData(ciphertextHex) {
+    try {
+      const buffer = Buffer.from(ciphertextHex, 'hex');
+      const decrypted = crypto.privateDecrypt(
+        {
+          key: this.#privateKey,
+          padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+          oaepHash: 'sha256',
+        },
+        buffer,
+      );
+
+      return decrypted.toString('utf8');
+    } catch (err) {
+      // Avoid leaking details about keys or ciphertext
+      throw new Error('Decryption failed. Check private key or ciphertext integrity.');
+    }
+  }
+}
+
+export { SymmetricCrypto, AsymmetricCrypto };

package/src/server/dns.js

@@ -0,0 +1,276 @@
+/**
+ * Provides a comprehensive set of DNS and IP management utilities,
+ * primarily focused on dynamic DNS (DDNS) updates and network checks.
+ * @module src/server/dns.js
+ * @namespace DnsManager
+ */
+import axios from 'axios';
+import dotenv from 'dotenv';
+import fs from 'fs';
+import validator from 'validator';
+import { publicIp, publicIpv4, publicIpv6 } from 'public-ip';
+import { loggerFactory } from './logger.js';
+import UnderpostRootEnv from '../cli/env.js';
+import dns from 'node:dns';
+import os from 'node:os';
+import { shellExec } from './process.js';
+
+dotenv.config();
+
+const logger = loggerFactory(import.meta);
+
+/**
+ * Main class for handling DNS and IP related operations.
+ * All utility methods are implemented as static to serve as a namespace container.
+ * @class Dns
+ * @augments Dns
+ * @memberof DnsManager
+ */
+class Dns {
+  /**
+   * Retrieves the current public IP address (IPv4 or IPv6).
+   * @async
+   * @static
+   * @memberof DnsManager
+   * @returns {Promise<string>} The public IP address.
+   */
+  static async getPublicIp() {
+    return await publicIp();
+  }
+
+  /**
+   * Retrieves the current public IPv4 address.
+   * @async
+   * @static
+   * @memberof DnsManager
+   * @returns {Promise<string>} The public IPv4 address.
+   */
+  static async getPublicIpv4() {
+    return await publicIpv4();
+  }
+
+  /**
+   * Retrieves the current public IPv6 address.
+   * @async
+   * @static
+   * @memberof DnsManager
+   * @returns {Promise<string>} The public IPv6 address.
+   */
+  static async getPublicIpv6() {
+    return await publicIpv6();
+  }
+
+  /**
+   * Checks for active internet connection by performing a DNS lookup on a specified domain.
+   * @static
+   * @memberof DnsManager
+   * @param {string} [domain='google.com'] The domain to check the connection against.
+   * @returns {Promise<boolean>} True if connected, false otherwise.
+   */
+  static isInternetConnection(domain = 'google.com') {
+    return new Promise((resolve) => dns.lookup(domain, {}, (err) => resolve(err ? false : true)));
+  }
+
+  /**
+   * Gets the local device's IPv4 address by determining the active network interface.
+   * This relies on shell execution (`ip route`) and is primarily intended for Linux environments.
+   * @static
+   * @memberof DnsManager
+   * @returns {string} The local IPv4 address.
+   */
+  static getLocalIPv4Address() {
+    // Determine the default network interface name using shell command
+    const interfaceName = shellExec(`ip route | grep default | cut -d ' ' -f 5`, {
+      stdout: true,
+      silent: true,
+      disableLog: true,
+    }).trim();
+
+    // Find the IPv4 address associated with the determined interface
+    const networkInfo = os.networkInterfaces()[interfaceName];
+
+    if (!networkInfo) {
+      logger.error(`Could not find network interface: ${interfaceName}`);
+      return null;
+    }
+
+    const ipv4 = networkInfo.find((i) => i.family === 'IPv4');
+
+    if (!ipv4) {
+      logger.error(`Could not find IPv4 address for interface: ${interfaceName}`);
+      return null;
+    }
+
+    return ipv4.address;
+  }
+
+  /**
+   * Performs the dynamic DNS update logic.
+   * It checks if the public IP has changed and, if so, updates the configured DNS records.
+   * @async
+   * @static
+   * @memberof DnsManager
+   * @param {string} deployList Comma-separated string of deployment IDs to process.
+   * @returns {Promise<void>}
+   */
+  static async callback(deployList) {
+    const isOnline = await Dns.isInternetConnection();
+
+    if (!isOnline) return;
+
+    let testIp;
+
+    try {
+      testIp = await Dns.getPublicIpv4();
+    } catch (error) {
+      logger.error(error, { testIp, stack: error.stack });
+    }
+
+    const currentIp = UnderpostRootEnv.API.get('ip');
+
+    if (validator.isIP(testIp) && currentIp !== testIp) {
+      logger.info(`New IP detected`, testIp);
+      UnderpostRootEnv.API.set('monitor-input', 'pause');
+
+      for (const _deployId of deployList.split(',')) {
+        const deployId = _deployId.trim();
+        const privateCronConfPath = `./engine-private/conf/${deployId}/conf.cron.json`;
+        const confCronPath = fs.existsSync(privateCronConfPath) ? privateCronConfPath : './conf/conf.cron.json';
+
+        if (!fs.existsSync(confCronPath)) {
+          logger.warn(`Cron config file not found for deployId: ${deployId} at ${confCronPath}`);
+          continue;
+        }
+
+        const confCronData = JSON.parse(fs.readFileSync(confCronPath, 'utf8'));
+
+        if (!confCronData.records) {
+          logger.warn(`'records' field missing in cron config for deployId: ${deployId}`);
+          continue;
+        }
+
+        // Iterate through DNS record types (A, AAAA, etc.)
+        for (const recordType of Object.keys(confCronData.records)) {
+          switch (recordType) {
+            case 'A':
+              // Process A records for IPv4 update
+              for (const dnsProvider of confCronData.records[recordType]) {
+                if (typeof Dns.services.updateIp[dnsProvider.dns] === 'function')
+                  await Dns.services.updateIp[dnsProvider.dns]({ ...dnsProvider, ip: testIp });
+              }
+              break;
+
+            // Add other record types (e.g., AAAA) here if needed
+            default:
+              break;
+          }
+        }
+
+        // Verify the IP update externally
+        try {
+          const ipUrlTest = `https://${process.env.DEFAULT_DEPLOY_HOST}`;
+          const response = await axios.get(ipUrlTest);
+          const verifyIp = response.request.socket.remoteAddress;
+          logger.info(ipUrlTest + ' verify ip', verifyIp);
+          if (verifyIp === testIp) {
+            logger.info('IP updated successfully and verified', testIp);
+            UnderpostRootEnv.API.set('ip', testIp);
+            UnderpostRootEnv.API.delete('monitor-input');
+          } else {
+            logger.error('IP not updated or verification failed', { expected: testIp, received: verifyIp });
+          }
+        } catch (error) {
+          logger.error('Error during IP update verification step', {
+            error: error.message,
+            stack: error.stack,
+            testIp,
+          });
+        }
+      }
+    }
+  }
+
+  /**
+   * Internal collection of external DNS service update functions.
+   * @static
+   * @memberof DnsManager
+   * @property {object} updateIp - Functions keyed by DNS provider name to update A/AAAA records.
+   */
+  static services = {
+    updateIp: {
+      /**
+       * Updates the IP address for a dondominio.com DNS record.
+       * @memberof DnsManager
+       * @param {object} options
+       * @param {string} options.user - The dondominio DDNS username.
+       * @param {string} options.api_key - The dondominio DDNS password/API key.
+       * @param {string} options.host - The hostname to update.
+       * @param {string} options.dns - The name of the DNS provider ('dondominio').
+       * @param {string} options.ip - The new IPv4 address to set.
+       * @returns {Promise<boolean>} True on success, false on failure.
+       */
+      dondominio: (options) => {
+        const { user, api_key, host, dns, ip } = options;
+        const url = `https://dondns.dondominio.com/json/?user=${user}&password=${api_key}&host=${host}&ip=${ip}`;
+        logger.info(`${dns} update ip url`, url);
+
+        // Prevent live IP update in non-production environments
+        if (process.env.NODE_ENV !== 'production') {
+          logger.warn('Skipping dondominio update in non-production environment.');
+          return Promise.resolve(false);
+        }
+
+        return new Promise((resolve) => {
+          axios
+            .get(url)
+            .then((response) => {
+              logger.info(`${dns} update ip success`, response.data);
+              return resolve(true);
+            })
+            .catch((error) => {
+              logger.error(error, `${dns} update ip error: ${error.message}`);
+              return resolve(false);
+            });
+        });
+      },
+      // Add other DNS provider update functions here
+    },
+  };
+}
+
+/**
+ * @namespace Dns
+ * @description Exported IP object for backward compatibility, mapping to Dns static methods.
+ */
+const ip = {
+  public: {
+    /** @type {function(): Promise<string>} */
+    get: Dns.getPublicIp,
+    /** @type {function(): Promise<string>} */
+    ipv4: Dns.getPublicIpv4,
+    /** @type {function(): Promise<string>} */
+    ipv6: Dns.getPublicIpv6,
+  },
+};
+
+/**
+ * @function isInternetConnection
+ * @memberof DnsManager
+ * @description Exported function for backward compatibility.
+ * @param {string} [domain='google.com']
+ * @returns {Promise<boolean>}
+ */
+const isInternetConnection = Dns.isInternetConnection;
+
+/**
+ * @function getLocalIPv4Address
+ * @memberof DnsManager
+ * @description Exported function for backward compatibility.
+ * @returns {string}
+ */
+const getLocalIPv4Address = Dns.getLocalIPv4Address;
+
+// Export the class as default and all original identifiers for backward compatibility.
+export default Dns;
+
+export { Dns, ip, isInternetConnection, getLocalIPv4Address };

package/src/server/downloader.js

@@ -0,0 +1,74 @@
+/**
+ * Provides a utility class for downloading files from a URL and saving them to the local filesystem.
+ * @module src/server/downloader.js
+ * @namespace Downloader
+ */
+
+import axios from 'axios';
+import fs from 'fs';
+import { loggerFactory } from './logger.js';
+import dotenv from 'dotenv';
+dotenv.config();
+
+const logger = loggerFactory(import.meta);
+
+/**
+ * Main class for handling file downloading operations.
+ * All utility methods are implemented as static to serve as a namespace container.
+ * @class Downloader
+ * @augments Downloader
+ * @memberof Downloader
+ */
+class Downloader {
+  /**
+   * Downloads a file from a given URL and pipes the stream to a local file path.
+   * @static
+   * @memberof Downloader
+   * @param {string} url The URL of the file to download.
+   * @param {string} fullPath The full local path where the file should be saved.
+   * @param {object} [options] Axios request configuration options.
+   * @param {string} [options.method='get'] HTTP method.
+   * @param {string} [options.responseType='stream'] Expected response type.
+   * @returns {Promise<string>} Resolves with the full path of the saved file on success.
+   * @memberof Downloader
+   */
+  static downloadFile(url, fullPath, options = { method: 'get', responseType: 'stream' }) {
+    return new Promise((resolve, reject) =>
+      axios({
+        url,
+        ...options,
+      })
+        .then((response) => {
+          // Create a write stream to save the file to the specified path
+          const writer = fs.createWriteStream(fullPath);
+          response.data.pipe(writer);
+          writer.on('finish', () => {
+            logger.info('Download complete. File saved at', fullPath);
+            return resolve(fullPath);
+          });
+          writer.on('error', (error) => {
+            logger.error(error, 'Error downloading the file');
+            // Cleanup incomplete file if possible
+            if (fs.existsSync(fullPath)) fs.unlinkSync(fullPath);
+            return reject(error);
+          });
+        })
+        .catch((error) => {
+          logger.error(error, 'Error in the request');
+          return reject(error);
+        }),
+    );
+  }
+}
+
+/**
+ * Backward compatibility export
+ * @type {function(string, string, object): Promise<string>}
+ * @memberof Downloader
+ */
+
+const downloadFile = Downloader.downloadFile;
+
+export default Downloader;
+
+export { Downloader, downloadFile };

package/src/server/json-schema.js

@@ -0,0 +1,77 @@
+function isPlainObject(obj) {
+  return obj ? typeof obj === 'object' && Object.getPrototypeOf(obj) === Object.prototype : false;
+}
+
+const supportType = ['string', 'number', 'array', 'object', 'boolean', 'integer'];
+
+function getType(type) {
+  if (!type) type = 'string';
+  if (supportType.indexOf(type) !== -1) {
+    return type;
+  }
+  return typeof type;
+}
+
+function isSchema(object) {
+  if (supportType.indexOf(object.type) !== -1) {
+    return true;
+  }
+  return false;
+}
+
+function handleSchema(json, schema) {
+  Object.assign(schema, json);
+  if (schema.type === 'object') {
+    delete schema.properties;
+    parse(json.properties, schema);
+  }
+  if (schema.type === 'array') {
+    delete schema.items;
+    schema.items = {};
+    parse(json.items, schema.items);
+  }
+}
+
+function handleArray(arr, schema) {
+  schema.type = 'array';
+  let props = (schema.items = {});
+  parse(arr[0], props);
+}
+
+function handleObject(json, schema) {
+  if (isSchema(json)) {
+    return handleSchema(json, schema);
+  }
+  schema.type = 'object';
+  schema.required = [];
+  let props = (schema.properties = {});
+  for (let key in json) {
+    let item = json[key];
+    let curSchema = (props[key] = {});
+    if (key[0] === '*') {
+      delete props[key];
+      key = key.substr(1);
+      schema.required.push(key);
+      curSchema = props[key] = {};
+    }
+    parse(item, curSchema);
+  }
+}
+
+function parse(json, schema) {
+  if (Array.isArray(json)) {
+    handleArray(json, schema);
+  } else if (isPlainObject(json)) {
+    handleObject(json, schema);
+  } else {
+    schema.type = getType(json);
+  }
+}
+
+function ejs(data) {
+  let JsonSchema = {};
+  parse(data, JsonSchema);
+  return JsonSchema;
+}
+
+export { ejs };