fbi-proxy 1.15.0 → 1.17.0

package/rs/tls.rs

@@ -0,0 +1,243 @@
+//! Self-signed TLS support for `--tls` mode (Phase 1: no system trust
+//! install). Generates a self-signed certificate for the configured
+//! domain (with `*.<domain>` SAN) and persists it under
+//! `~/.config/fbi-proxy/certs/` so the same fingerprint survives
+//! restarts — browsers can "remember the exception" once.
+//!
+//! The browser warning is expected in this phase. Use Phase 2
+//! (`fbi-proxy trust`) to install a local CA into the system trust
+//! store for a clean lock-icon experience.
+
+use std::path::{Path, PathBuf};
+use std::sync::Arc;
+
+use rcgen::{CertificateParams, DnType, DistinguishedName, KeyPair, SanType};
+use tokio_rustls::TlsAcceptor;
+use tokio_rustls::rustls::ServerConfig;
+use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject};
+
+pub type BoxError = Box<dyn std::error::Error + Send + Sync>;
+
+/// Where on-disk certs live. Layout: `{base}/certs/{domain}.{pem,key}`.
+pub fn default_cert_dir() -> PathBuf {
+    let base = std::env::var_os("XDG_CONFIG_HOME")
+        .map(PathBuf::from)
+        .or_else(|| std::env::var_os("HOME").map(|h| PathBuf::from(h).join(".config")))
+        .unwrap_or_else(|| PathBuf::from("."));
+    base.join("fbi-proxy").join("certs")
+}
+
+/// Path to the cert file for a given domain (sibling `.key` lives at
+/// the same stem). Use this when you need to install the cert into a
+/// system trust store after `build_acceptor` has materialized it.
+pub fn cert_pem_path(domain: &str, cert_dir: &Path) -> PathBuf {
+    let slug = if domain.is_empty() { "localhost" } else { domain };
+    cert_dir.join(format!("{slug}.pem"))
+}
+
+/// Whether the given cert is currently a trusted anchor on this
+/// system. Returns `false` if the check itself can't be performed
+/// (unsupported platform, missing tool) — callers should treat that
+/// as "no, attempt install."
+pub fn is_trusted(cert_path: &Path) -> bool {
+    #[cfg(target_os = "macos")]
+    {
+        std::process::Command::new("security")
+            .args(["verify-cert", "-c"])
+            .arg(cert_path)
+            .stdout(std::process::Stdio::null())
+            .stderr(std::process::Stdio::null())
+            .status()
+            .map(|s| s.success())
+            .unwrap_or(false)
+    }
+    #[cfg(not(target_os = "macos"))]
+    {
+        let _ = cert_path;
+        false
+    }
+}
+
+/// Install `cert_path` as a trusted root anchor in the system trust
+/// store. Idempotent — checks `is_trusted` first and returns `Ok(false)`
+/// if no install was performed.
+///
+/// Requires root on macOS (writes to `/Library/Keychains/System.keychain`).
+/// On other platforms this is a no-op for now (Linux / Windows is a
+/// follow-up — see TODO.md).
+pub fn install_to_system_trust(cert_path: &Path) -> Result<bool, BoxError> {
+    if is_trusted(cert_path) {
+        return Ok(false);
+    }
+
+    #[cfg(target_os = "macos")]
+    {
+        log::info!("installing {} to System.keychain", cert_path.display());
+        let status = std::process::Command::new("security")
+            .args([
+                "add-trusted-cert",
+                "-d",
+                "-r",
+                "trustRoot",
+                "-k",
+                "/Library/Keychains/System.keychain",
+            ])
+            .arg(cert_path)
+            .status()?;
+        if !status.success() {
+            return Err(format!(
+                "security add-trusted-cert failed (exit {:?}); needs root (sudo)",
+                status.code(),
+            )
+            .into());
+        }
+        Ok(true)
+    }
+    #[cfg(not(target_os = "macos"))]
+    {
+        let _ = cert_path;
+        log::warn!("auto-trust-install: only macOS supported in this build");
+        Ok(false)
+    }
+}
+
+/// Build a `TlsAcceptor` for the given domain, reusing a persisted
+/// cert if one exists or generating + writing a fresh one if not.
+///
+/// `domain` is the apex (e.g. `"fbi.com"`); the cert SAN includes both
+/// the apex and `*.{domain}` so any subdomain validates. If `domain`
+/// is empty or `"localhost"`, only `localhost` + `127.0.0.1` are
+/// covered.
+pub fn build_acceptor(domain: &str, cert_dir: &Path) -> Result<TlsAcceptor, BoxError> {
+    let (cert_pem, key_pem) = load_or_generate(domain, cert_dir)?;
+
+    let cert_chain: Vec<CertificateDer<'static>> = CertificateDer::pem_slice_iter(cert_pem.as_bytes())
+        .collect::<Result<Vec<_>, _>>()?;
+    let key = PrivateKeyDer::from_pem_slice(key_pem.as_bytes())?;
+
+    let config = ServerConfig::builder()
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, key)?;
+
+    Ok(TlsAcceptor::from(Arc::new(config)))
+}
+
+fn load_or_generate(domain: &str, cert_dir: &Path) -> Result<(String, String), BoxError> {
+    let slug = if domain.is_empty() { "localhost" } else { domain };
+    let cert_path = cert_dir.join(format!("{slug}.pem"));
+    let key_path = cert_dir.join(format!("{slug}.key"));
+
+    if cert_path.exists() && key_path.exists() {
+        let cert = std::fs::read_to_string(&cert_path)?;
+        let key = std::fs::read_to_string(&key_path)?;
+        return Ok((cert, key));
+    }
+
+    let (cert_pem, key_pem) = generate_self_signed(domain)?;
+    std::fs::create_dir_all(cert_dir)?;
+    std::fs::write(&cert_path, &cert_pem)?;
+    // 0600 on the key — std::fs::write opens 0644 by default
+    write_private(&key_path, key_pem.as_bytes())?;
+
+    Ok((cert_pem, key_pem))
+}
+
+#[cfg(unix)]
+fn write_private(path: &Path, bytes: &[u8]) -> std::io::Result<()> {
+    use std::io::Write;
+    use std::os::unix::fs::OpenOptionsExt;
+    let mut f = std::fs::OpenOptions::new()
+        .write(true)
+        .create(true)
+        .truncate(true)
+        .mode(0o600)
+        .open(path)?;
+    f.write_all(bytes)?;
+    Ok(())
+}
+
+#[cfg(not(unix))]
+fn write_private(path: &Path, bytes: &[u8]) -> std::io::Result<()> {
+    std::fs::write(path, bytes)
+}
+
+/// Generate a SAN-only self-signed cert valid for ~1 year. Returns
+/// `(cert_pem, key_pem)`. The Common Name is intentionally left blank
+/// — modern browsers ignore CN and only honor SAN entries.
+pub fn generate_self_signed(domain: &str) -> Result<(String, String), BoxError> {
+    let mut sans: Vec<SanType> = Vec::new();
+    if domain.is_empty() || domain == "localhost" {
+        sans.push(SanType::DnsName("localhost".try_into()?));
+        sans.push(SanType::IpAddress("127.0.0.1".parse()?));
+    } else {
+        sans.push(SanType::DnsName(domain.try_into()?));
+        sans.push(SanType::DnsName(format!("*.{domain}").try_into()?));
+    }
+
+    let mut params = CertificateParams::default();
+    params.subject_alt_names = sans;
+
+    // Browsers ignore CN, but a non-empty DN avoids some tooling
+    // warnings. Use OrganizationName so the CN stays empty.
+    let mut dn = DistinguishedName::new();
+    dn.push(DnType::OrganizationName, "fbi-proxy (self-signed)");
+    params.distinguished_name = dn;
+
+    let now = time::OffsetDateTime::now_utc();
+    params.not_before = now - time::Duration::days(1);
+    params.not_after = now + time::Duration::days(365);
+
+    let key_pair = KeyPair::generate()?;
+    let cert = params.self_signed(&key_pair)?;
+
+    Ok((cert.pem(), key_pair.serialize_pem()))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn generates_pem_with_domain_san() {
+        let (cert, key) = generate_self_signed("fbi.com").unwrap();
+        assert!(cert.contains("BEGIN CERTIFICATE"));
+        assert!(key.contains("BEGIN PRIVATE KEY"));
+
+        // Parse the cert and check SAN entries
+        let der = CertificateDer::pem_slice_iter(cert.as_bytes())
+            .next()
+            .unwrap()
+            .unwrap();
+        // We don't fully x509-parse here — but the cert+key should be
+        // accepted by rustls' single-cert builder, which is what the
+        // real server uses. That's the real-world contract.
+        let key_der = PrivateKeyDer::from_pem_slice(key.as_bytes()).unwrap();
+        let config = ServerConfig::builder()
+            .with_no_client_auth()
+            .with_single_cert(vec![der], key_der);
+        assert!(config.is_ok(), "rustls should accept generated cert+key");
+    }
+
+    #[test]
+    fn generates_for_localhost_fallback() {
+        let (cert, _key) = generate_self_signed("").unwrap();
+        assert!(cert.contains("BEGIN CERTIFICATE"));
+    }
+
+    #[test]
+    fn load_or_generate_round_trips_persisted_certs() {
+        let tmp = std::env::temp_dir().join(format!(
+            "fbi-tls-test-{}",
+            std::process::id()
+        ));
+        let _ = std::fs::remove_dir_all(&tmp);
+
+        let (cert1, key1) = load_or_generate("test.dev", &tmp).unwrap();
+        // Second call should return the same content (loaded from disk)
+        let (cert2, key2) = load_or_generate("test.dev", &tmp).unwrap();
+        assert_eq!(cert1, cert2);
+        assert_eq!(key1, key2);
+
+        let _ = std::fs::remove_dir_all(&tmp);
+    }
+}

package/ts/adminClient.ts

@@ -0,0 +1,124 @@
+/**
+ * Tiny client for the fbi-proxy loopback admin/control API.
+ *
+ * The running proxy publishes its (ephemeral) admin port to
+ * `~/.config/fbi-proxy/runtime.json`. The `up` / `down` / `ps` CLI
+ * subcommands read that file to find the port, then drive the `/rules`
+ * endpoints over loopback HTTP.
+ */
+
+import { existsSync, readFileSync } from "node:fs";
+import path from "node:path";
+import os from "node:os";
+
+export type RuntimeInfo = {
+  adminPort: number;
+  proxyPort: number;
+  pid: number;
+  confDir: string;
+};
+
+/** A rule as reported by `GET /rules`. */
+export type RuleInfo = {
+  namespace: string;
+  name: string;
+  match: string;
+  path: string | null;
+  target: string;
+  headers: Record<string, string>;
+};
+
+/** Default config dir, matching the Rust side + setup.ts. */
+export function defaultConfigDir(): string {
+  const fromEnv = process.env.FBI_PROXY_CONF_DIR;
+  if (fromEnv && fromEnv.length > 0) {
+    // FBI_PROXY_CONF_DIR points at conf.d; runtime.json sits beside it.
+    return path.dirname(fromEnv);
+  }
+  return path.join(os.homedir(), ".config/fbi-proxy");
+}
+
+function runtimeJsonPath(): string {
+  return path.join(defaultConfigDir(), "runtime.json");
+}
+
+/**
+ * Locate the running proxy's admin endpoint. Throws a helpful error if
+ * the proxy doesn't appear to be running.
+ */
+export function readRuntime(): RuntimeInfo {
+  const p = runtimeJsonPath();
+  if (!existsSync(p)) {
+    throw new Error(
+      `[fbi-proxy] no running proxy found (missing ${p}).\n` +
+        `  Start it first: \`fbi-proxy setup\` (daemon) or \`fbi-proxy --tls --domain <d>\`.`,
+    );
+  }
+  let info: RuntimeInfo;
+  try {
+    info = JSON.parse(readFileSync(p, "utf8"));
+  } catch (e) {
+    throw new Error(`[fbi-proxy] could not parse ${p}: ${e}`);
+  }
+  if (!info.adminPort) {
+    throw new Error(
+      `[fbi-proxy] ${p} has no adminPort — is the proxy up to date?`,
+    );
+  }
+  return info;
+}
+
+function baseUrl(info: RuntimeInfo): string {
+  return `http://127.0.0.1:${info.adminPort}`;
+}
+
+async function asError(res: Response): Promise<never> {
+  let msg = `${res.status} ${res.statusText}`;
+  try {
+    const body = await res.json();
+    if (body?.error) msg = body.error;
+  } catch {
+    // non-JSON body; keep the status line
+  }
+  throw new Error(`[fbi-proxy] admin API: ${msg}`);
+}
+
+/** GET /rules — the full merged rule table. */
+export async function listRules(info = readRuntime()): Promise<RuleInfo[]> {
+  const res = await fetch(`${baseUrl(info)}/rules`);
+  if (!res.ok) await asError(res);
+  return (await res.json()) as RuleInfo[];
+}
+
+/** PUT /rules/{namespace} — reconcile a namespace to `yamlBody`. */
+export async function applyRules(
+  namespace: string,
+  yamlBody: string,
+  info = readRuntime(),
+): Promise<RuleInfo[]> {
+  const res = await fetch(
+    `${baseUrl(info)}/rules/${encodeURIComponent(namespace)}`,
+    {
+      method: "PUT",
+      headers: { "Content-Type": "application/yaml" },
+      body: yamlBody,
+    },
+  );
+  if (!res.ok) await asError(res);
+  return (await res.json()) as RuleInfo[];
+}
+
+/** DELETE /rules/{namespace} — remove a namespace's fragment. */
+export async function deleteRules(
+  namespace: string,
+  info = readRuntime(),
+): Promise<{ ok: boolean; removed: boolean }> {
+  const res = await fetch(
+    `${baseUrl(info)}/rules/${encodeURIComponent(namespace)}`,
+    {
+      method: "DELETE",
+    },
+  );
+  if (!res.ok) await asError(res);
+  return (await res.json()) as { ok: boolean; removed: boolean };
+}

package/ts/auth/authConfig.ts

@@ -10,15 +10,21 @@ export type FirebaseSubConfig = {
   authDomain?: string;
 };
 
+export type LocalSubConfig = {
+  email: string;
+  name?: string;
+};
+
 export type AuthConfigShape = {
   version: 1;
   domain: string;
   cookieDomain: string;
   ssoHost: string;
-  provider: "google" | "firebase" | "snolab";
+  provider: "google" | "firebase" | "snolab" | "local";
   clientId?: string;
   clientSecret?: string;
   firebase?: FirebaseSubConfig;
+  local?: LocalSubConfig;
   sessionSecret: string;
   allowlist: {
     emails?: string[];
@@ -63,10 +69,16 @@ export function configFromEnv(domain: string): AuthConfigShape | null {
     (process.env.FBI_AUTH_PROVIDER as AuthConfigShape["provider"]) ?? "google";
   const clientId = process.env.FBI_AUTH_CLIENT_ID;
   const firebaseProjectId = process.env.FBI_AUTH_FIREBASE_PROJECT_ID;
+  const localUser = process.env.FBI_AUTH_LOCAL_USER;
 
   if (provider === "firebase") {
     if (!firebaseProjectId) return null;
+  } else if (provider === "snolab") {
+    // snolab uses baked-in defaults; nothing required beyond the provider name
+  } else if (provider === "local") {
+    if (!localUser) return null;
   } else {
+    // google (default)
     if (!clientId) return null;
   }
 
@@ -86,6 +98,12 @@ export function configFromEnv(domain: string): AuthConfigShape | null {
           authDomain: process.env.FBI_AUTH_FIREBASE_AUTH_DOMAIN,
         }
       : undefined,
+    local: localUser
+      ? {
+          email: localUser,
+          name: process.env.FBI_AUTH_LOCAL_NAME,
+        }
+      : undefined,
     sessionSecret:
       process.env.FBI_AUTH_SESSION_SECRET ??
       randomBytes(32).toString("base64url"),

package/ts/cli.ts

@@ -1,4 +1,6 @@
 #!/usr/bin/env bun
+import { existsSync } from "node:fs";
+import { spawnSync } from "node:child_process";
 import getPort from "get-port";
 import hotMemo from "hot-memo";
 import path from "path";
@@ -29,6 +31,50 @@ import {
 } from "./auth/spawnCaddy";
 
 const originalCwd = process.cwd();
+
+// Subcommand routing & default behavior
+//
+// `fbi-proxy setup` (or `fbi-proxy` with no escape-hatch flags) runs the
+// one-shot setup orchestrator: registers an oxmgr daemon, generates+trusts
+// a TLS cert, installs a pf :443→:8443 forward, and verifies https://<domain>.
+//
+// Old foreground modes (Caddy, dev, raw TLS, auth wizard) are preserved by
+// flags below — explicit opt-in keeps the existing surface intact for users
+// who rely on it.
+{
+  const rawArgs = hideBin(process.argv);
+  const firstPositional = rawArgs.find((a) => !a.startsWith("-"));
+
+  // Rule-management subcommands (compose-style) talk to a running proxy's
+  // admin API; they never start a proxy themselves.
+  const { RULES_SUBCOMMANDS, runRulesCli } = await import("./rulesCli");
+  if (firstPositional && RULES_SUBCOMMANDS.has(firstPositional)) {
+    const code = await runRulesCli(rawArgs);
+    process.exit(code);
+  }
+
+  const FOREGROUND_FLAGS = [
+    "--dev",
+    "--with-caddy",
+    "--with-auth",
+    "--tls",
+    "--reconfigure",
+  ];
+  const wantsForeground = rawArgs.some((a) =>
+    FOREGROUND_FLAGS.some((f) => a === f || a.startsWith(`${f}=`)),
+  );
+  const hasExplicitPortEnv = !!process.env.FBI_PROXY_PORT;
+  const isSetupCmd = firstPositional === "setup";
+  const isDefault = !firstPositional && !wantsForeground && !hasExplicitPortEnv;
+
+  if (isSetupCmd || isDefault) {
+    const { runSetup } = await import("./setup");
+    const passArgs = rawArgs.filter((a) => a !== "setup");
+    await runSetup(passArgs, { originalCwd });
+    process.exit(0);
+  }
+}
+
 process.chdir(path.resolve(import.meta.dir, ".."));
 
 const argv = await yargs(hideBin(process.argv))
@@ -71,12 +117,33 @@ const argv = await yargs(hideBin(process.argv))
     description:
       "TLS strategy for --with-caddy. 'auto' uses ACME (Let's Encrypt); 'internal' uses Caddy's local CA. Defaults to 'internal' for fbi.com, 'auto' otherwise.",
   })
+  .option("tls", {
+    type: "boolean",
+    default: false,
+    description:
+      "Terminate TLS in the Rust proxy using a self-signed cert (no Caddy). Browser warning expected (Phase 1 — no system trust install). Use with --port 443 + sudo to serve standard HTTPS.",
+  })
   .help().argv;
 
-console.log("Preparing Binaries");
+if (argv.tls && argv["with-caddy"]) {
+  console.error(
+    "[fbi-proxy] --tls and --with-caddy are mutually exclusive (Caddy already terminates TLS).",
+  );
+  process.exit(2);
+}
 
 const FBI_PROXY_PORT =
-  process.env.FBI_PROXY_PORT || String(await getPort({ port: 2432 }));
+  process.env.FBI_PROXY_PORT ||
+  (argv.tls ? "443" : String(await getPort({ port: 2432 })));
+
+if (argv.tls) {
+  await ensureRootIfTlsNeedsIt({
+    domain: argv.domain,
+    port: Number(FBI_PROXY_PORT),
+  });
+}
+
+console.log("Preparing Binaries");
 
 const proxyProcess = await hotMemo(async () => {
   const proxy = await getFbiProxyBinary({ originalCwd });
@@ -85,6 +152,17 @@ const proxyProcess = await hotMemo(async () => {
     env: {
       ...process.env,
       FBI_PROXY_PORT,
+      ...(argv.tls
+        ? {
+            FBI_PROXY_TLS: "true",
+            FBI_PROXY_DOMAIN: argv.domain,
+            // Forward CERT_DIR if the sudo wrapper set it (so the elevated
+            // Rust binary writes to the original user's $HOME, not /var/root)
+            ...(process.env.FBI_PROXY_CERT_DIR
+              ? { FBI_PROXY_CERT_DIR: process.env.FBI_PROXY_CERT_DIR }
+              : {}),
+          }
+        : {}),
     },
   })`${proxy}`.process;
 
@@ -136,6 +214,84 @@ process.on("uncaughtException", (err) => {
   exit();
 });
 
+async function ensureRootIfTlsNeedsIt(opts: {
+  domain: string;
+  port: number;
+}): Promise<void> {
+  if (process.platform !== "darwin") {
+    // Linux/Windows trust install is a follow-up. The Rust side prints a
+    // friendly fallback message if untrusted.
+    return;
+  }
+  if (process.getuid?.() === 0) return;
+
+  const home = process.env.HOME ?? "";
+  const certDir =
+    process.env.FBI_PROXY_CERT_DIR ??
+    path.join(home, ".config/fbi-proxy/certs");
+  const slug = opts.domain || "localhost";
+  const certPath = path.join(certDir, `${slug}.pem`);
+
+  const needsPortBind = opts.port < 1024;
+  const certMissing = !existsSync(certPath);
+  const certUntrusted = !certMissing && !isMacosCertTrusted(certPath);
+  const needsTrustInstall = certMissing || certUntrusted;
+
+  if (!needsPortBind && !needsTrustInstall) return;
+
+  const reasons = [
+    needsPortBind && `bind :${opts.port}`,
+    needsTrustInstall && "install cert to system trust",
+  ]
+    .filter(Boolean)
+    .join(" + ");
+  console.log(`[fbi-proxy] --tls needs root to: ${reasons}`);
+
+  // Preserve HOME and CERT_DIR so the elevated process writes cert/auth
+  // files into the original user's directory, not /var/root.
+  const sudoArgs = [
+    `HOME=${home}`,
+    `FBI_PROXY_CERT_DIR=${certDir}`,
+    process.execPath,
+    ...process.argv.slice(1),
+  ];
+
+  // Prefer terminal sudo when a TTY is attached; otherwise fall back to the
+  // macOS GUI authentication dialog via osascript so non-TTY contexts (agent
+  // shells, oxmgr-spawned children) can still escalate with a single password
+  // prompt instead of erroring out with "a terminal is required".
+  const hasTty = !!process.stdin.isTTY;
+  if (hasTty) {
+    console.log(
+      `[fbi-proxy] re-launching via sudo (terminal password prompt)…`,
+    );
+    const result = spawnSync("sudo", sudoArgs, { stdio: "inherit" });
+    process.exit(result.status ?? 1);
+  }
+
+  console.log(`[fbi-proxy] no TTY — opening macOS authentication dialog…`);
+  const shellCmd = sudoArgs.map(shellQuote).join(" ");
+  const prompt = `fbi-proxy needs administrator access to ${reasons} for https://${opts.domain}/.`;
+  const script = `do shell script ${appleScriptQuote(shellCmd)} with prompt ${appleScriptQuote(prompt)} with administrator privileges`;
+  const result = spawnSync("osascript", ["-e", script], { stdio: "inherit" });
+  process.exit(result.status ?? 1);
+}
+
+function shellQuote(s: string): string {
+  return `'${s.replace(/'/g, `'\\''`)}'`;
+}
+
+function appleScriptQuote(s: string): string {
+  return `"${s.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
+}
+
+function isMacosCertTrusted(certPath: string): boolean {
+  const result = spawnSync("security", ["verify-cert", "-c", certPath], {
+    stdio: "ignore",
+  });
+  return result.status === 0;
+}
+
 async function startFbiAuth(opts: {
   domain: string;
   reconfigure: boolean;