hackerrun 0.1.0 → 0.1.2

package/src/lib/vpn.ts

@@ -0,0 +1,487 @@
+// WireGuard VPN management for IPv6 connectivity through gateway
+import { execSync, spawnSync } from 'child_process';
+import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync } from 'fs';
+import { homedir, platform } from 'os';
+import { join } from 'path';
+import chalk from 'chalk';
+
+/**
+ * Detect the current operating system and distribution
+ */
+function detectOS(): { type: 'linux' | 'macos' | 'windows' | 'unknown'; distro?: string } {
+  const os = platform();
+
+  if (os === 'darwin') {
+    return { type: 'macos' };
+  }
+
+  if (os === 'win32') {
+    return { type: 'windows' };
+  }
+
+  if (os === 'linux') {
+    // Try to detect Linux distribution from /etc/os-release
+    try {
+      if (existsSync('/etc/os-release')) {
+        const osRelease = readFileSync('/etc/os-release', 'utf-8');
+        const idMatch = osRelease.match(/^ID=(.*)$/m);
+        if (idMatch) {
+          const distro = idMatch[1].replace(/"/g, '').toLowerCase();
+          return { type: 'linux', distro };
+        }
+      }
+    } catch {
+      // Ignore errors, fall through to generic linux
+    }
+    return { type: 'linux' };
+  }
+
+  return { type: 'unknown' };
+}
+
+/**
+ * Get WireGuard installation instructions for the current OS
+ */
+export function getWireGuardInstallInstructions(): string {
+  const os = detectOS();
+
+  switch (os.type) {
+    case 'macos':
+      return `  ${chalk.cyan('macOS:')} brew install wireguard-tools`;
+
+    case 'windows':
+      return `  ${chalk.cyan('Windows:')} Download from https://www.wireguard.com/install/\n` +
+             `            Or using winget: winget install WireGuard.WireGuard`;
+
+    case 'linux':
+      // Provide specific instructions based on distro
+      switch (os.distro) {
+        case 'arch':
+        case 'manjaro':
+        case 'endeavouros':
+        case 'artix':
+          return `  ${chalk.cyan('Arch Linux:')} sudo pacman -S wireguard-tools`;
+
+        case 'ubuntu':
+        case 'debian':
+        case 'linuxmint':
+        case 'pop':
+        case 'elementary':
+        case 'zorin':
+          return `  ${chalk.cyan('Ubuntu/Debian:')} sudo apt install wireguard`;
+
+        case 'fedora':
+          return `  ${chalk.cyan('Fedora:')} sudo dnf install wireguard-tools`;
+
+        case 'rhel':
+        case 'centos':
+        case 'rocky':
+        case 'almalinux':
+          return `  ${chalk.cyan('RHEL/CentOS:')} sudo dnf install wireguard-tools\n` +
+                 `               (may need EPEL: sudo dnf install epel-release)`;
+
+        case 'opensuse':
+        case 'opensuse-leap':
+        case 'opensuse-tumbleweed':
+          return `  ${chalk.cyan('openSUSE:')} sudo zypper install wireguard-tools`;
+
+        case 'gentoo':
+          return `  ${chalk.cyan('Gentoo:')} sudo emerge net-vpn/wireguard-tools`;
+
+        case 'void':
+          return `  ${chalk.cyan('Void Linux:')} sudo xbps-install wireguard-tools`;
+
+        case 'alpine':
+          return `  ${chalk.cyan('Alpine:')} sudo apk add wireguard-tools`;
+
+        case 'nixos':
+          return `  ${chalk.cyan('NixOS:')} Add wireguard-tools to environment.systemPackages`;
+
+        default:
+          // Generic Linux instructions
+          return `  ${chalk.cyan('Linux:')} Install wireguard-tools using your package manager:\n` +
+                 `    Arch:          sudo pacman -S wireguard-tools\n` +
+                 `    Ubuntu/Debian: sudo apt install wireguard\n` +
+                 `    Fedora:        sudo dnf install wireguard-tools\n` +
+                 `    openSUSE:      sudo zypper install wireguard-tools`;
+      }
+
+    default:
+      return `  Visit https://www.wireguard.com/install/ for installation instructions`;
+  }
+}
+
+const CONFIG_DIR = join(homedir(), '.config', 'hackerrun');
+const PRIVATE_KEY_FILE = join(CONFIG_DIR, 'wg-private-key');
+const WG_INTERFACE = 'hackerrun';
+const WG_CONFIG_PATH = `/etc/wireguard/${WG_INTERFACE}.conf`;
+
+export interface VPNConfig {
+  privateKey: string;
+  publicKey: string;
+  address: string;           // User's assigned IPv6 address (e.g., fd00:hackerrun:user:1::1/64)
+  gatewayEndpoint: string;   // Gateway WireGuard endpoint (e.g., 46.4.244.246:51820)
+  gatewayPublicKey: string;  // Gateway's WireGuard public key
+  allowedIPs: string;        // IPs to route through VPN (app VM IPv6 ranges)
+}
+
+/**
+ * Check if WireGuard tools are installed
+ */
+export function isWireGuardInstalled(): boolean {
+  try {
+    execSync('which wg', { stdio: 'ignore' });
+    execSync('which wg-quick', { stdio: 'ignore' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Ensure config directory exists
+ */
+function ensureConfigDir(): void {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+/**
+ * Generate a new WireGuard keypair
+ */
+export function generateKeyPair(): { privateKey: string; publicKey: string } {
+  // Generate private key
+  const privateKey = execSync('wg genkey', { encoding: 'utf-8' }).trim();
+
+  // Derive public key from private key
+  const publicKey = execSync('wg pubkey', {
+    input: privateKey,
+    encoding: 'utf-8',
+  }).trim();
+
+  return { privateKey, publicKey };
+}
+
+/**
+ * Get or create WireGuard keypair
+ * Returns existing keypair if available, otherwise generates new one
+ */
+export function getOrCreateKeyPair(): { privateKey: string; publicKey: string; isNew: boolean } {
+  ensureConfigDir();
+
+  if (existsSync(PRIVATE_KEY_FILE)) {
+    // Load existing private key
+    const privateKey = readFileSync(PRIVATE_KEY_FILE, 'utf-8').trim();
+
+    // Derive public key
+    const publicKey = execSync('wg pubkey', {
+      input: privateKey,
+      encoding: 'utf-8',
+    }).trim();
+
+    return { privateKey, publicKey, isNew: false };
+  }
+
+  // Generate new keypair
+  const { privateKey, publicKey } = generateKeyPair();
+
+  // Save private key with restricted permissions
+  writeFileSync(PRIVATE_KEY_FILE, privateKey + '\n', { mode: 0o600 });
+
+  return { privateKey, publicKey, isNew: true };
+}
+
+/**
+ * Get public key without exposing private key
+ */
+export function getPublicKey(): string | null {
+  if (!existsSync(PRIVATE_KEY_FILE)) {
+    return null;
+  }
+
+  const privateKey = readFileSync(PRIVATE_KEY_FILE, 'utf-8').trim();
+  return execSync('wg pubkey', {
+    input: privateKey,
+    encoding: 'utf-8',
+  }).trim();
+}
+
+/**
+ * Check if VPN interface is currently up
+ */
+export function isVPNUp(): boolean {
+  try {
+    // Check if interface exists and is configured
+    const result = execSync(`ip link show ${WG_INTERFACE}`, {
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    return result.includes(WG_INTERFACE);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if traffic to a given IPv6 address would go through the VPN interface
+ */
+export function isRoutedViaVPN(ipv6Address: string): boolean {
+  if (!isVPNUp()) {
+    return false;
+  }
+
+  try {
+    // Use ip route get to check which interface would be used
+    const result = execSync(`ip -6 route get ${ipv6Address}`, {
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    return result.includes(`dev ${WG_INTERFACE}`);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Get VPN connection status
+ */
+export function getVPNStatus(): {
+  connected: boolean;
+  interface?: string;
+  endpoint?: string;
+  latestHandshake?: string;
+  transferRx?: string;
+  transferTx?: string;
+} {
+  if (!isVPNUp()) {
+    return { connected: false };
+  }
+
+  try {
+    const output = execSync(`sudo wg show ${WG_INTERFACE}`, {
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+
+    const lines = output.split('\n');
+    let endpoint: string | undefined;
+    let latestHandshake: string | undefined;
+    let transferRx: string | undefined;
+    let transferTx: string | undefined;
+
+    for (const line of lines) {
+      if (line.includes('endpoint:')) {
+        endpoint = line.split('endpoint:')[1]?.trim();
+      }
+      if (line.includes('latest handshake:')) {
+        latestHandshake = line.split('latest handshake:')[1]?.trim();
+      }
+      if (line.includes('transfer:')) {
+        const transfer = line.split('transfer:')[1]?.trim();
+        const parts = transfer?.split(',');
+        transferRx = parts?.[0]?.trim();
+        transferTx = parts?.[1]?.trim();
+      }
+    }
+
+    return {
+      connected: true,
+      interface: WG_INTERFACE,
+      endpoint,
+      latestHandshake,
+      transferRx,
+      transferTx,
+    };
+  } catch {
+    return { connected: isVPNUp(), interface: WG_INTERFACE };
+  }
+}
+
+/**
+ * Generate WireGuard config file content
+ */
+export function generateWireGuardConfig(config: VPNConfig): string {
+  return `# HackerRun VPN - Auto-generated
+# Do not edit manually
+
+[Interface]
+PrivateKey = ${config.privateKey}
+Address = ${config.address}
+
+[Peer]
+PublicKey = ${config.gatewayPublicKey}
+Endpoint = ${config.gatewayEndpoint}
+AllowedIPs = ${config.allowedIPs}
+PersistentKeepalive = 25
+`;
+}
+
+/**
+ * Write WireGuard config file (requires sudo)
+ */
+export function writeWireGuardConfig(config: VPNConfig): void {
+  const configContent = generateWireGuardConfig(config);
+
+  // Write to temp file first, then sudo mv to /etc/wireguard
+  const tempFile = join(CONFIG_DIR, 'wg-temp.conf');
+  writeFileSync(tempFile, configContent, { mode: 0o600 });
+
+  try {
+    // Ensure /etc/wireguard exists
+    execSync('sudo mkdir -p /etc/wireguard', { stdio: 'inherit' });
+
+    // Move config file with proper permissions
+    execSync(`sudo mv ${tempFile} ${WG_CONFIG_PATH}`, { stdio: 'inherit' });
+    execSync(`sudo chmod 600 ${WG_CONFIG_PATH}`, { stdio: 'inherit' });
+  } catch (error) {
+    // Clean up temp file on failure
+    if (existsSync(tempFile)) {
+      unlinkSync(tempFile);
+    }
+    throw error;
+  }
+}
+
+/**
+ * Bring VPN interface up (requires sudo)
+ */
+export function vpnUp(): void {
+  if (isVPNUp()) {
+    // Already up, nothing to do
+    return;
+  }
+
+  const result = spawnSync('sudo', ['wg-quick', 'up', WG_INTERFACE], {
+    stdio: 'inherit',
+  });
+
+  if (result.status !== 0) {
+    throw new Error(`Failed to bring up VPN interface (exit code ${result.status})`);
+  }
+}
+
+/**
+ * Bring VPN interface down (requires sudo)
+ */
+export function vpnDown(): void {
+  if (!isVPNUp()) {
+    // Already down, nothing to do
+    return;
+  }
+
+  const result = spawnSync('sudo', ['wg-quick', 'down', WG_INTERFACE], {
+    stdio: 'inherit',
+  });
+
+  if (result.status !== 0) {
+    throw new Error(`Failed to bring down VPN interface (exit code ${result.status})`);
+  }
+}
+
+/**
+ * Test IPv6 connectivity to a specific address
+ */
+export function testIPv6Connectivity(ipv6Address: string, timeoutSeconds: number = 3): boolean {
+  try {
+    // Use ping6 to test connectivity
+    execSync(`ping -6 -c 1 -W ${timeoutSeconds} ${ipv6Address}`, {
+      stdio: 'ignore',
+      timeout: (timeoutSeconds + 2) * 1000,
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * VPN Manager class for managing VPN lifecycle during operations
+ */
+export class VPNManager {
+  private wasConnectedByUs: boolean = false;
+
+  /**
+   * Ensure VPN is connected if IPv6 is not available
+   * Returns true if VPN was established (and should be torn down later)
+   */
+  async ensureConnected(
+    targetIPv6: string,
+    getVPNConfig: () => Promise<VPNConfig>
+  ): Promise<boolean> {
+    // First, test direct IPv6 connectivity
+    if (testIPv6Connectivity(targetIPv6)) {
+      console.log(chalk.green('✓ Direct IPv6 connectivity available'));
+      return false;
+    }
+
+    console.log(chalk.yellow('IPv6 not available, checking VPN...'));
+
+    // Check if VPN is already up
+    if (isVPNUp()) {
+      // VPN is up, test connectivity again through VPN
+      if (testIPv6Connectivity(targetIPv6)) {
+        console.log(chalk.green('✓ VPN already connected'));
+        return false; // Don't tear down - we didn't establish it
+      }
+      // VPN is up but can't reach target - might be misconfigured
+      console.log(chalk.yellow('VPN is up but cannot reach target, reconnecting...'));
+      vpnDown();
+    }
+
+    // Check WireGuard is installed
+    if (!isWireGuardInstalled()) {
+      const instructions = getWireGuardInstallInstructions();
+      throw new Error(
+        'WireGuard is not installed.\n\n' +
+        'WireGuard is needed for IPv6 connectivity to your app VMs.\n' +
+        'Please install it and try again:\n\n' +
+        instructions
+      );
+    }
+
+    console.log(chalk.cyan('Establishing VPN tunnel (requires sudo)...'));
+
+    // Get or create keypair
+    const { publicKey, isNew } = getOrCreateKeyPair();
+    if (isNew) {
+      console.log(chalk.dim('Generated new WireGuard keypair'));
+    }
+
+    // Get VPN config from platform (this registers our public key if needed)
+    const vpnConfig = await getVPNConfig();
+
+    // Write WireGuard config
+    writeWireGuardConfig(vpnConfig);
+
+    // Bring up VPN
+    vpnUp();
+
+    // Verify connectivity
+    if (!testIPv6Connectivity(targetIPv6)) {
+      // Clean up on failure
+      vpnDown();
+      throw new Error('VPN established but cannot reach target. Please try again.');
+    }
+
+    console.log(chalk.green('✓ VPN connected'));
+    this.wasConnectedByUs = true;
+    return true;
+  }
+
+  /**
+   * Disconnect VPN if we established it
+   */
+  disconnect(): void {
+    if (this.wasConnectedByUs && isVPNUp()) {
+      console.log(chalk.dim('Disconnecting VPN...'));
+      try {
+        vpnDown();
+        console.log(chalk.green('✓ VPN disconnected'));
+      } catch (error) {
+        console.log(chalk.yellow(`Warning: Failed to disconnect VPN: ${(error as Error).message}`));
+      }
+      this.wasConnectedByUs = false;
+    }
+  }
+}