maven-proxy 1.0.1

package/scripts/truststore.js

@@ -0,0 +1,96 @@
+import { config } from "../src/config/config.js";
+import {
+  getTrustStoreCommands,
+  initTrustStore,
+  mergeTrustStores,
+} from "../src/cert/truststore-utils.js";
+
+function printUsage() {
+  console.log("Usage:");
+  console.log("  node scripts/truststore.js print");
+  console.log("  node scripts/truststore.js init");
+  console.log(
+    "  node scripts/truststore.js merge --source <path> --target <path> [--source-pass <pwd>] [--target-pass <pwd>] [--source-type <JKS|PKCS12>] [--target-type <JKS|PKCS12>] [--on-conflict <fail|overwrite>] [--dry-run]",
+  );
+}
+
+function parseCliOptions(args) {
+  const options = {};
+
+  for (let i = 0; i < args.length; i += 1) {
+    const token = args[i];
+    if (!token.startsWith("--")) {
+      continue;
+    }
+
+    const key = token.slice(2);
+
+    if (key === "dry-run") {
+      options[key] = true;
+      continue;
+    }
+
+    const value = args[i + 1];
+    if (!value || value.startsWith("--")) {
+      throw new Error(`Missing value for option: --${key}`);
+    }
+
+    options[key] = value;
+    i += 1;
+  }
+
+  return options;
+}
+
+const action = process.argv[2] || "print";
+
+try {
+  if (action === "init") {
+    initTrustStore(config);
+    process.exit(0);
+  }
+
+  if (action === "merge") {
+    if (process.argv.slice(3).includes("--help")) {
+      printUsage();
+      process.exit(0);
+    }
+
+    const opts = parseCliOptions(process.argv.slice(3));
+    if (!opts.source || !opts.target) {
+      throw new Error("merge requires --source and --target");
+    }
+
+    const mergeResult = mergeTrustStores({
+      sourcePath: opts.source,
+      targetPath: opts.target,
+      sourcePassword: opts["source-pass"] || config.trustStorePassword,
+      targetPassword: opts["target-pass"] || config.trustStorePassword,
+      sourceType: (opts["source-type"] || "JKS").toUpperCase(),
+      targetType: (opts["target-type"] || "JKS").toUpperCase(),
+      onConflict: (opts["on-conflict"] || "fail").toLowerCase(),
+      dryRun: Boolean(opts["dry-run"]),
+    });
+
+    if (mergeResult?.dryRun) {
+      console.log("Dry run passed: merge validation completed, no changes were made.");
+    } else {
+      console.log("Trust stores merged successfully.");
+    }
+    process.exit(0);
+  }
+
+  if (action !== "print") {
+    printUsage();
+    throw new Error(`Unknown action: ${action}`);
+  }
+
+  const commands = getTrustStoreCommands(config);
+  console.log("Trust store commands:");
+  console.log(commands.copyCmd);
+  console.log(commands.importCmd);
+  console.log(commands.listCmd);
+} catch (error) {
+  console.error(`[truststore] ${error.message}`);
+  process.exit(1);
+}

package/src/cache/cache-path.js

@@ -0,0 +1,50 @@
+import path from "node:path";
+
+function sanitizeSegment(segment) {
+  return segment.replace(/[<>:\\"|?*]/g, "_");
+}
+
+function safeDecode(pathname) {
+  try {
+    return decodeURIComponent(pathname || "/");
+  } catch {
+    return pathname || "/";
+  }
+}
+
+export function getCacheFilePath(cacheDir, urlObj, options = {}) {
+  const ecosystem = sanitizeSegment(String(options.ecosystem || "generic").toLowerCase());
+  const includeHost = options.includeHost ?? ecosystem !== "maven";
+
+  const rawPathname = safeDecode(urlObj.pathname || "/");
+  const normalized = rawPathname.replace(/\\/g, "/");
+  const lowerNormalized = normalized.toLowerCase();
+  const parts = normalized.split("/").filter(Boolean);
+
+  if (parts.some((part) => part === "..")) {
+    throw new Error(`Invalid path traversal attempt: ${rawPathname}`);
+  }
+
+  if (parts.length === 0) {
+    parts.push("index");
+  }
+
+  const safeParts = parts.map((part) => sanitizeSegment(part));
+
+  if (includeHost) {
+    safeParts.unshift(sanitizeSegment(String(urlObj.hostname || "unknown").toLowerCase()));
+  }
+
+  const npmTarballPath = /\/-\/.+\.tgz$/i.test(lowerNormalized);
+  if (ecosystem === "npm" && !npmTarballPath) {
+    safeParts.push("__meta__.json");
+  }
+
+  if (urlObj.search && urlObj.search.length > 1) {
+    const lastIndex = safeParts.length - 1;
+    const encodedQuery = encodeURIComponent(urlObj.search.slice(1));
+    safeParts[lastIndex] = `${safeParts[lastIndex]}__q__${encodedQuery}`;
+  }
+
+  return path.join(cacheDir, ecosystem, ...safeParts);
+}

package/src/cache/downloader.js

@@ -0,0 +1,350 @@
+import fs from "node:fs";
+import http from "node:http";
+import https from "node:https";
+import path from "node:path";
+import { pipeline } from "node:stream/promises";
+import { DownloadLogWriter } from "../common/download-log-writer.js";
+
+const REDIRECT_STATUS = new Set([301, 302, 303, 307, 308]);
+const MAX_REDIRECTS = 5;
+
+function pickClient(protocol) {
+  return protocol === "https:" ? https : http;
+}
+
+function stripHopByHopHeaders(headers = {}) {
+  const result = { ...headers };
+  const blocked = [
+    "connection",
+    "proxy-connection",
+    "keep-alive",
+    "transfer-encoding",
+    "upgrade",
+    "te",
+    "trailer",
+    "proxy-authenticate",
+    "proxy-authorization",
+  ];
+
+  for (const header of blocked) {
+    delete result[header];
+    delete result[header.toLowerCase()];
+  }
+
+  return result;
+}
+
+function requestRaw(urlObj, { method, headers, timeoutMs, getAgent }) {
+  const client = pickClient(urlObj.protocol);
+  const agent = getAgent ? getAgent(urlObj) : undefined;
+
+  return new Promise((resolve, reject) => {
+    const req = client.request(
+      {
+        protocol: urlObj.protocol,
+        hostname: urlObj.hostname,
+        port: urlObj.port || (urlObj.protocol === "https:" ? 443 : 80),
+        path: `${urlObj.pathname}${urlObj.search}`,
+        method,
+        headers,
+        agent,
+      },
+      (res) => resolve({ req, res }),
+    );
+
+    req.setTimeout(timeoutMs, () => {
+      req.destroy(new Error(`Request timeout after ${timeoutMs}ms: ${urlObj.href}`));
+    });
+
+    req.on("error", reject);
+    req.end();
+  });
+}
+
+async function requestWithRedirect(urlObj, options, redirectCount = 0) {
+  if (redirectCount > MAX_REDIRECTS) {
+    throw new Error(`Too many redirects while requesting ${urlObj.href}`);
+  }
+
+  const { res } = await requestRaw(urlObj, options);
+
+  if (REDIRECT_STATUS.has(res.statusCode) && res.headers.location) {
+    res.resume();
+    const nextUrl = new URL(res.headers.location, urlObj);
+    return requestWithRedirect(nextUrl, options, redirectCount + 1);
+  }
+
+  return { urlObj, res };
+}
+
+async function probe(urlObj, headers, timeoutMs, getAgent) {
+  try {
+    const { urlObj: finalUrl, res } = await requestWithRedirect(urlObj, {
+      method: "HEAD",
+      headers,
+      timeoutMs,
+      getAgent,
+    });
+
+    const contentLength = Number.parseInt(res.headers["content-length"], 10);
+    const acceptRanges = String(res.headers["accept-ranges"] || "").toLowerCase().includes("bytes");
+    const statusCode = res.statusCode || 0;
+    res.resume();
+
+    if (statusCode >= 400) {
+      return { finalUrl, contentLength: null, acceptRanges: false };
+    }
+
+    return {
+      finalUrl,
+      contentLength: Number.isFinite(contentLength) ? contentLength : null,
+      acceptRanges,
+    };
+  } catch {
+    return { finalUrl: urlObj, contentLength: null, acceptRanges: false };
+  }
+}
+
+async function downloadSingle(urlObj, tempPath, headers, timeoutMs, getAgent) {
+  const requestHeaders = {
+    ...stripHopByHopHeaders(headers),
+    "accept-encoding": "identity",
+  };
+
+  const { urlObj: finalUrl, res } = await requestWithRedirect(
+    urlObj,
+    {
+      method: "GET",
+      headers: requestHeaders,
+      timeoutMs,
+      getAgent,
+    },
+    0,
+  );
+
+  const statusCode = res.statusCode || 0;
+  if (statusCode >= 400) {
+    const chunks = [];
+    for await (const chunk of res) {
+      chunks.push(chunk);
+      if (Buffer.concat(chunks).length > 2048) {
+        break;
+      }
+    }
+    const body = Buffer.concat(chunks).toString("utf8");
+    throw Object.assign(new Error(`Upstream GET failed (${statusCode}) ${finalUrl.href}`), {
+      statusCode,
+      upstreamBody: body,
+    });
+  }
+
+  if (statusCode < 200 || statusCode >= 300) {
+    throw new Error(`Unexpected status code ${statusCode} for ${finalUrl.href}`);
+  }
+
+  const contentLength = Number.parseInt(res.headers["content-length"], 10);
+
+  const stream = fs.createWriteStream(tempPath, { flags: "w" });
+  await pipeline(res, stream);
+
+  return {
+    finalUrl,
+    contentLength: Number.isFinite(contentLength) ? contentLength : null,
+  };
+}
+
+async function downloadRange(urlObj, tempPath, start, end, headers, timeoutMs, getAgent) {
+  const requestHeaders = {
+    ...stripHopByHopHeaders(headers),
+    "accept-encoding": "identity",
+    range: `bytes=${start}-${end}`,
+  };
+
+  const { res } = await requestRaw(urlObj, {
+    method: "GET",
+    headers: requestHeaders,
+    timeoutMs,
+    getAgent,
+  });
+
+  const statusCode = res.statusCode || 0;
+  if (statusCode !== 206) {
+    res.resume();
+    throw new Error(`Range request failed with status ${statusCode} (${start}-${end})`);
+  }
+
+  const writeStream = fs.createWriteStream(tempPath, {
+    flags: "r+",
+    start,
+  });
+
+  await pipeline(res, writeStream);
+}
+
+async function downloadMultiThread(urlObj, tempPath, headers, timeoutMs, contentLength, threadCount, getAgent) {
+  const handle = await fs.promises.open(tempPath, "w");
+  await handle.truncate(contentLength);
+  await handle.close();
+
+  const partSize = Math.ceil(contentLength / threadCount);
+  const tasks = [];
+
+  for (let index = 0; index < threadCount; index += 1) {
+    const start = index * partSize;
+    const end = Math.min(contentLength - 1, start + partSize - 1);
+
+    if (start > end) {
+      continue;
+    }
+
+    tasks.push(downloadRange(urlObj, tempPath, start, end, headers, timeoutMs, getAgent));
+  }
+
+  await Promise.all(tasks);
+}
+
+async function fileExists(filePath) {
+  try {
+    const stats = await fs.promises.stat(filePath);
+    return stats.isFile();
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return false;
+    }
+    throw error;
+  }
+}
+
+async function verifyFileSize(filePath, expectedSize) {
+  if (!Number.isFinite(expectedSize)) {
+    return;
+  }
+
+  const stats = await fs.promises.stat(filePath);
+  if (stats.size !== expectedSize) {
+    throw new Error(`Integrity check failed: expected ${expectedSize} bytes, got ${stats.size}`);
+  }
+}
+
+async function removeIfExists(filePath) {
+  try {
+    await fs.promises.unlink(filePath);
+  } catch (error) {
+    if (error.code !== "ENOENT") {
+      throw error;
+    }
+  }
+}
+
+export class Downloader {
+  constructor(config, domainMatcher, upstreamProxyManager = null) {
+    this.config = config;
+    this.domainMatcher = domainMatcher;
+    this.upstreamProxyManager = upstreamProxyManager;
+    this.inflight = new Map();
+    this.downloadLogWriter = new DownloadLogWriter(config.downloadLogDir, config.logRetentionDays);
+  }
+
+  logDownload(event, urlObj, details = {}) {
+    const url = typeof urlObj === "string" ? urlObj : urlObj?.href;
+    const detailText = Object.entries(details)
+      .filter(([, value]) => value !== undefined && value !== null && value !== "")
+      .map(([key, value]) => `${key}=${value}`)
+      .join(" ");
+
+    console.log(`[downloader] ${event} url=${url}${detailText ? ` ${detailText}` : ""}`);
+    this.downloadLogWriter.write(event, url, details);
+  }
+
+  async ensureCached(urlObj, finalPath, requestHeaders = {}) {
+    if (await fileExists(finalPath)) {
+      return { cacheHit: true, finalPath };
+    }
+
+    const existing = this.inflight.get(finalPath);
+    if (existing) {
+      await existing;
+      return { cacheHit: true, finalPath };
+    }
+
+    const downloadPromise = this.#downloadAtomic(urlObj, finalPath, requestHeaders);
+    this.inflight.set(finalPath, downloadPromise);
+
+    try {
+      await downloadPromise;
+    } finally {
+      this.inflight.delete(finalPath);
+    }
+
+    return { cacheHit: false, finalPath };
+  }
+
+  async #downloadAtomic(urlObj, finalPath, requestHeaders) {
+    await fs.promises.mkdir(path.dirname(finalPath), { recursive: true });
+    const tempPath = `${finalPath}.temp`;
+    await removeIfExists(tempPath);
+
+    try {
+      const headers = stripHopByHopHeaders(requestHeaders);
+      const getAgent = this.upstreamProxyManager
+        ? (currentUrl) => this.upstreamProxyManager.getAgentForUrl(currentUrl)
+        : null;
+      const metadata = await probe(urlObj, headers, this.config.downloadTimeoutMs, getAgent);
+      const downloadUrl = metadata.finalUrl;
+      const hostname = downloadUrl.hostname;
+
+      this.logDownload("download start", downloadUrl, { host: hostname, targetPath: finalPath });
+
+      if (getAgent && this.upstreamProxyManager.hasProxyFor(downloadUrl.protocol, hostname)) {
+        this.logDownload("outbound via upstream proxy", downloadUrl, {
+          host: hostname,
+          protocol: downloadUrl.protocol,
+        });
+      }
+
+      const shouldUseMulti =
+        this.domainMatcher(hostname, this.config.multiThreadDomains) &&
+        Number.isFinite(metadata.contentLength) &&
+        metadata.contentLength >= this.config.multiThreadMinSizeBytes &&
+        metadata.acceptRanges;
+
+      if (shouldUseMulti) {
+        this.logDownload("multi-thread download enabled", downloadUrl, {
+          host: hostname,
+          size: metadata.contentLength,
+          threads: this.config.multiThreadCount,
+        });
+        try {
+          await downloadMultiThread(
+            downloadUrl,
+            tempPath,
+            headers,
+            this.config.downloadTimeoutMs,
+            metadata.contentLength,
+            this.config.multiThreadCount,
+            getAgent,
+          );
+        } catch (error) {
+          await removeIfExists(tempPath);
+          this.logDownload("multi-thread fallback to single-thread", downloadUrl, {
+            host: hostname,
+            reason: error.message,
+          });
+          await downloadSingle(downloadUrl, tempPath, headers, this.config.downloadTimeoutMs, getAgent);
+        }
+      } else {
+        this.logDownload("single-thread download", downloadUrl, { host: hostname });
+        const single = await downloadSingle(downloadUrl, tempPath, headers, this.config.downloadTimeoutMs, getAgent);
+        if (single.contentLength != null) {
+          metadata.contentLength = single.contentLength;
+        }
+      }
+
+      await verifyFileSize(tempPath, metadata.contentLength);
+      await fs.promises.rename(tempPath, finalPath);
+    } catch (error) {
+      await removeIfExists(tempPath);
+      throw error;
+    }
+  }
+}

package/src/cert/cert-manager.js

@@ -0,0 +1,194 @@
+import fs from "node:fs";
+import path from "node:path";
+import forge from "node-forge";
+
+const CERT_VALID_YEARS = 30;
+
+function randomSerial() {
+  return forge.util.bytesToHex(forge.random.getBytesSync(9));
+}
+
+function sanitizeHost(hostname) {
+  return hostname.replace(/[^a-zA-Z0-9.-]/g, "_");
+}
+
+async function ensureDir(dirPath) {
+  await fs.promises.mkdir(dirPath, { recursive: true });
+}
+
+async function readIfExists(filePath) {
+  try {
+    return await fs.promises.readFile(filePath, "utf8");
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+
+function createRootCertificate() {
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+  const cert = forge.pki.createCertificate();
+
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = randomSerial();
+
+  const now = new Date();
+  const rootNotAfter = new Date(now);
+  rootNotAfter.setFullYear(rootNotAfter.getFullYear() + CERT_VALID_YEARS);
+  cert.validity.notBefore = new Date(now.getTime() - 24 * 60 * 60 * 1000);
+  cert.validity.notAfter = rootNotAfter;
+
+  const attrs = [
+    { name: "commonName", value: "Maven Proxy Root CA" },
+    { name: "organizationName", value: "maven-proxy" },
+    { shortName: "OU", value: "Development" },
+  ];
+
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+  cert.setExtensions([
+    { name: "basicConstraints", cA: true, critical: true },
+    {
+      name: "keyUsage",
+      keyCertSign: true,
+      cRLSign: true,
+      digitalSignature: true,
+      critical: true,
+    },
+    { name: "subjectKeyIdentifier" },
+  ]);
+
+  cert.sign(keys.privateKey, forge.md.sha256.create());
+
+  return {
+    keyPem: forge.pki.privateKeyToPem(keys.privateKey),
+    certPem: forge.pki.certificateToPem(cert),
+    privateKey: keys.privateKey,
+    certificate: cert,
+  };
+}
+
+function createLeafCertificate(hostname, rootPrivateKey, rootCertificate) {
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+  const cert = forge.pki.createCertificate();
+
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = randomSerial();
+
+  const now = new Date();
+  const leafNotAfter = new Date(now);
+  leafNotAfter.setFullYear(leafNotAfter.getFullYear() + CERT_VALID_YEARS);
+  cert.validity.notBefore = new Date(now.getTime() - 60 * 60 * 1000);
+  cert.validity.notAfter = leafNotAfter;
+
+  cert.setSubject([
+    { name: "commonName", value: hostname },
+    { name: "organizationName", value: "maven-proxy-leaf" },
+  ]);
+
+  cert.setIssuer(rootCertificate.subject.attributes);
+  cert.setExtensions([
+    { name: "basicConstraints", cA: false, critical: true },
+    {
+      name: "keyUsage",
+      digitalSignature: true,
+      keyEncipherment: true,
+      dataEncipherment: true,
+      critical: true,
+    },
+    { name: "extKeyUsage", serverAuth: true },
+    {
+      name: "subjectAltName",
+      altNames: [{ type: 2, value: hostname }],
+    },
+    { name: "subjectKeyIdentifier" },
+  ]);
+
+  cert.sign(rootPrivateKey, forge.md.sha256.create());
+
+  return {
+    keyPem: forge.pki.privateKeyToPem(keys.privateKey),
+    certPem: forge.pki.certificateToPem(cert),
+  };
+}
+
+export class CertManager {
+  constructor(config) {
+    this.config = config;
+    this.rootPrivateKey = null;
+    this.rootCertificate = null;
+    this.leafCache = new Map();
+    this.leafPromiseCache = new Map();
+  }
+
+  async init() {
+    await ensureDir(path.dirname(this.config.rootCertPath));
+    await ensureDir(path.dirname(this.config.rootKeyPath));
+    await ensureDir(this.config.leafCertDir);
+
+    const certPem = await readIfExists(this.config.rootCertPath);
+    const keyPem = await readIfExists(this.config.rootKeyPath);
+
+    if (certPem && keyPem) {
+      this.rootCertificate = forge.pki.certificateFromPem(certPem);
+      this.rootPrivateKey = forge.pki.privateKeyFromPem(keyPem);
+      return;
+    }
+
+    const root = createRootCertificate();
+    this.rootCertificate = root.certificate;
+    this.rootPrivateKey = root.privateKey;
+
+    await fs.promises.writeFile(this.config.rootCertPath, root.certPem, "utf8");
+    await fs.promises.writeFile(this.config.rootKeyPath, root.keyPem, "utf8");
+  }
+
+  async getRootCertPem() {
+    return fs.promises.readFile(this.config.rootCertPath, "utf8");
+  }
+
+  async getOrCreateLeaf(hostname) {
+    const normalizedHost = String(hostname).toLowerCase();
+
+    if (this.leafCache.has(normalizedHost)) {
+      return this.leafCache.get(normalizedHost);
+    }
+
+    if (this.leafPromiseCache.has(normalizedHost)) {
+      return this.leafPromiseCache.get(normalizedHost);
+    }
+
+    const promise = this.#loadOrCreateLeaf(normalizedHost)
+      .then((leaf) => {
+        this.leafCache.set(normalizedHost, leaf);
+        return leaf;
+      })
+      .finally(() => {
+        this.leafPromiseCache.delete(normalizedHost);
+      });
+
+    this.leafPromiseCache.set(normalizedHost, promise);
+    return promise;
+  }
+
+  async #loadOrCreateLeaf(hostname) {
+    const safeHost = sanitizeHost(hostname);
+    const certPath = path.join(this.config.leafCertDir, `${safeHost}.crt`);
+    const keyPath = path.join(this.config.leafCertDir, `${safeHost}.key.pem`);
+
+    const certPem = await readIfExists(certPath);
+    const keyPem = await readIfExists(keyPath);
+
+    if (certPem && keyPem) {
+      return { certPem, keyPem };
+    }
+
+    const leaf = createLeafCertificate(hostname, this.rootPrivateKey, this.rootCertificate);
+    await fs.promises.writeFile(certPath, leaf.certPem, "utf8");
+    await fs.promises.writeFile(keyPath, leaf.keyPem, "utf8");
+
+    return leaf;
+  }
+}