maven-proxy 1.0.1

package/src/proxy/proxy-connect-handler.js

@@ -0,0 +1,173 @@
+import net from "node:net";
+import tls from "node:tls";
+
+function parseConnectTarget(rawUrl) {
+  const [host, portText] = String(rawUrl || "").split(":");
+  const port = Number.parseInt(portText || "443", 10);
+  return {
+    host,
+    port: Number.isFinite(port) ? port : 443,
+  };
+}
+
+function writeTunnelResponse(socket, statusLine, callback) {
+  socket.write(`${statusLine}\r\n\r\n`, callback);
+}
+
+async function openConnectUpstreamSocket(targetHost, targetPort, timeoutMs, upstreamProxyManager = null) {
+  const useUpstreamProxy =
+    upstreamProxyManager &&
+    upstreamProxyManager.hasProxyFor("https:", targetHost);
+
+  if (useUpstreamProxy) {
+    console.log(`[proxy] CONNECT via upstream target=${targetHost}:${targetPort}`);
+    const tunnel = await upstreamProxyManager.createConnectTunnel(targetHost, targetPort, timeoutMs);
+    return {
+      upstreamSocket: tunnel.socket,
+      bufferedData: tunnel.bufferedData || Buffer.alloc(0),
+    };
+  }
+
+  const upstreamSocket = await new Promise((resolve, reject) => {
+    const socket = net.connect(targetPort, targetHost, () => resolve(socket));
+    socket.once("error", reject);
+  });
+
+  return {
+    upstreamSocket,
+    bufferedData: Buffer.alloc(0),
+  };
+}
+
+async function handlePassThroughConnect(clientSocket, head, targetHost, targetPort, timeoutMs, upstreamProxyManager = null) {
+  const { upstreamSocket, bufferedData } = await openConnectUpstreamSocket(
+    targetHost,
+    targetPort,
+    timeoutMs,
+    upstreamProxyManager,
+  );
+
+  await new Promise((resolve, reject) => {
+    writeTunnelResponse(clientSocket, "HTTP/1.1 200 Connection Established", (error) => {
+      if (error) {
+        reject(error);
+        return;
+      }
+      resolve();
+    });
+  });
+
+  if (head && head.length > 0) {
+    upstreamSocket.write(head);
+  }
+
+  if (bufferedData.length > 0) {
+    clientSocket.write(bufferedData);
+  }
+
+  upstreamSocket.pipe(clientSocket);
+  clientSocket.pipe(upstreamSocket);
+
+  upstreamSocket.on("error", (error) => {
+    if (!clientSocket.destroyed) {
+      writeTunnelResponse(clientSocket, "HTTP/1.1 502 Bad Gateway");
+      clientSocket.destroy(error);
+    }
+  });
+
+  clientSocket.on("error", () => {
+    upstreamSocket.destroy();
+  });
+}
+
+async function handleMitmConnect(clientSocket, head, targetHost, certManager, mitmHttpServer) {
+  console.log(`[proxy] MITM prepare ${targetHost}`);
+  const leaf = await certManager.getOrCreateLeaf(targetHost);
+  console.log(`[proxy] MITM cert ready ${targetHost}`);
+
+  await new Promise((resolve, reject) => {
+    writeTunnelResponse(clientSocket, "HTTP/1.1 200 Connection Established", (error) => {
+      if (error) {
+        reject(error);
+        return;
+      }
+      resolve();
+    });
+  });
+  console.log(`[proxy] MITM tunnel established ${targetHost}`);
+
+  const tlsSocket = new tls.TLSSocket(clientSocket, {
+    isServer: true,
+    secureContext: tls.createSecureContext({
+      key: leaf.keyPem,
+      cert: leaf.certPem,
+    }),
+    ALPNProtocols: ["http/1.1"],
+  });
+
+  tlsSocket.__mitmHost = targetHost;
+
+  if (head && head.length > 0) {
+    tlsSocket.unshift(head);
+  }
+
+  tlsSocket.on("error", () => {
+    tlsSocket.destroy();
+  });
+
+  mitmHttpServer.emit("connection", tlsSocket);
+}
+
+export function attachConnectHandler(server, {
+  config,
+  certManager,
+  matchesDomain,
+  upstreamProxyManager = null,
+  mitmHttpServer,
+}) {
+  server.on("connect", (req, clientSocket, head) => {
+    const { host, port } = parseConnectTarget(req.url);
+
+    if (!host) {
+      writeTunnelResponse(clientSocket, "HTTP/1.1 400 Bad Request");
+      clientSocket.destroy();
+      return;
+    }
+
+    const mitmEnabled =
+      config.enableHttpsProxy &&
+      matchesDomain(host, config.httpsMitmDomains);
+
+    console.log(`[proxy] CONNECT ${host}:${port} mitm=${mitmEnabled}`);
+
+    if (!mitmEnabled) {
+      if (!config.httpsPassthroughForUnmatched) {
+        writeTunnelResponse(clientSocket, "HTTP/1.1 403 Forbidden");
+        clientSocket.destroy();
+        return;
+      }
+
+      handlePassThroughConnect(
+        clientSocket,
+        head,
+        host,
+        port,
+        config.downloadTimeoutMs,
+        upstreamProxyManager,
+      ).catch((error) => {
+        if (!clientSocket.destroyed) {
+          writeTunnelResponse(clientSocket, "HTTP/1.1 502 Bad Gateway");
+          clientSocket.destroy(error);
+        }
+      });
+      return;
+    }
+
+    handleMitmConnect(clientSocket, head, host, certManager, mitmHttpServer).catch((error) => {
+      if (!clientSocket.destroyed) {
+        writeTunnelResponse(clientSocket, "HTTP/1.1 502 Bad Gateway");
+      }
+      clientSocket.destroy(error);
+    });
+  });
+}

package/src/proxy/proxy-http-handler.js

@@ -0,0 +1,187 @@
+import fs from "node:fs";
+import http from "node:http";
+import https from "node:https";
+import path from "node:path";
+import { getCacheFilePath } from "../cache/cache-path.js";
+import { detectPackageEcosystem } from "../common/ecosystem.js";
+
+function pickClient(protocol) {
+  return protocol === "https:" ? https : http;
+}
+
+function sanitizeHeaders(headers = {}) {
+  const result = { ...headers };
+  const blocked = [
+    "proxy-connection",
+    "proxy-authorization",
+    "proxy-authenticate",
+    "connection",
+    "keep-alive",
+    "transfer-encoding",
+    "upgrade",
+    "te",
+    "trailer",
+  ];
+
+  for (const key of blocked) {
+    delete result[key];
+    delete result[key.toLowerCase()];
+  }
+
+  return result;
+}
+
+async function statIfFile(filePath) {
+  try {
+    const stats = await fs.promises.stat(filePath);
+    return stats.isFile() ? stats : null;
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+
+function sendText(res, statusCode, message) {
+  res.writeHead(statusCode, { "content-type": "text/plain; charset=utf-8" });
+  res.end(message);
+}
+
+function buildUrl(req, forcedProtocol = null) {
+  const raw = req.url || "/";
+  if (/^https?:\/\//i.test(raw)) {
+    return new URL(raw);
+  }
+
+  const host = req.headers.host || req.socket.__mitmHost;
+  if (!host) {
+    throw new Error("Missing host header");
+  }
+
+  const protocol = forcedProtocol || "http:";
+  return new URL(`${protocol}//${host}${raw}`);
+}
+
+async function serveFile(res, req, filePath) {
+  const stats = await statIfFile(filePath);
+  if (!stats) {
+    sendText(res, 404, "Not Found");
+    return;
+  }
+
+  res.setHeader("content-length", String(stats.size));
+  if (!res.hasHeader("x-cache")) {
+    res.setHeader("x-cache", "HIT");
+  }
+
+  if (req.method === "HEAD") {
+    res.writeHead(200);
+    res.end();
+    return;
+  }
+
+  res.writeHead(200);
+  fs.createReadStream(filePath).pipe(res);
+}
+
+function forwardDirectRequest(req, res, urlObj, timeoutMs, upstreamProxyManager = null) {
+  const client = pickClient(urlObj.protocol);
+  const headers = sanitizeHeaders(req.headers);
+  headers.host = urlObj.host;
+  const agent = upstreamProxyManager ? upstreamProxyManager.getAgentForUrl(urlObj) : undefined;
+
+  if (agent) {
+    console.log(`[proxy] direct forward via upstream host=${urlObj.hostname} protocol=${urlObj.protocol}`);
+  }
+
+  const upstreamReq = client.request(
+    {
+      protocol: urlObj.protocol,
+      hostname: urlObj.hostname,
+      port: urlObj.port || (urlObj.protocol === "https:" ? 443 : 80),
+      method: req.method,
+      path: `${urlObj.pathname}${urlObj.search}`,
+      headers,
+      agent,
+    },
+    (upstreamRes) => {
+      res.writeHead(upstreamRes.statusCode || 502, upstreamRes.headers);
+      upstreamRes.pipe(res);
+    },
+  );
+
+  upstreamReq.setTimeout(timeoutMs, () => {
+    upstreamReq.destroy(new Error(`Upstream timeout after ${timeoutMs}ms`));
+  });
+
+  upstreamReq.on("error", (error) => {
+    if (!res.headersSent) {
+      sendText(res, 502, `Proxy forward failed: ${error.message}`);
+    } else {
+      res.destroy(error);
+    }
+  });
+
+  req.pipe(upstreamReq);
+}
+
+export function createHttpRequestHandler({ config, downloader, upstreamProxyManager = null, matchesDomain }) {
+  return async function handleHttpRequestPath(req, res, forcedProtocol = null) {
+    let urlObj;
+    try {
+      urlObj = buildUrl(req, forcedProtocol);
+    } catch (error) {
+      sendText(res, 400, `Bad request: ${error.message}`);
+      return;
+    }
+
+    const method = (req.method || "GET").toUpperCase();
+    if (method !== "GET" && method !== "HEAD") {
+      forwardDirectRequest(req, res, urlObj, config.downloadTimeoutMs, upstreamProxyManager);
+      return;
+    }
+
+    let cachePath;
+    try {
+      const ecosystem = detectPackageEcosystem(urlObj, config, matchesDomain);
+      cachePath = getCacheFilePath(config.cacheDir, urlObj, {
+        ecosystem,
+        includeHost: ecosystem !== "maven",
+      });
+    } catch (error) {
+      sendText(res, 400, `Invalid cache path: ${error.message}`);
+      return;
+    }
+
+    const existing = await statIfFile(cachePath);
+    if (existing) {
+      await serveFile(res, req, cachePath);
+      return;
+    }
+
+    try {
+      await fs.promises.mkdir(path.dirname(cachePath), { recursive: true });
+      await downloader.ensureCached(urlObj, cachePath, req.headers);
+      res.setHeader("x-cache", "MISS");
+      await serveFile(res, req, cachePath);
+    } catch (error) {
+      const statusCode = error.statusCode || 502;
+      sendText(res, statusCode, `Download failed: ${error.message}`);
+    }
+  };
+}
+
+export function createMitmHttpServer(handleHttpRequestPath) {
+  const server = http.createServer((req, res) => {
+    handleHttpRequestPath(req, res, "https:").catch((error) => {
+      sendText(res, 500, `MITM request failed: ${error.message}`);
+    });
+  });
+
+  server.on("clientError", (error, socket) => {
+    socket.destroy(error);
+  });
+
+  return server;
+}

package/src/proxy/proxy-server.js

@@ -0,0 +1,35 @@
+import http from "node:http";
+import { createHttpRequestHandler, createMitmHttpServer } from "./proxy-http-handler.js";
+import { attachConnectHandler } from "./proxy-connect-handler.js";
+
+function sendText(res, statusCode, message) {
+  res.writeHead(statusCode, { "content-type": "text/plain; charset=utf-8" });
+  res.end(message);
+}
+
+export function startProxyServer(config, certManager, downloader, matchesDomain, upstreamProxyManager = null) {
+  const handleHttpRequestPath = createHttpRequestHandler({
+    config,
+    downloader,
+    upstreamProxyManager,
+    matchesDomain,
+  });
+  const mitmHttpServer = createMitmHttpServer(handleHttpRequestPath);
+
+  const server = http.createServer((req, res) => {
+    handleHttpRequestPath(req, res, null).catch((error) => {
+      sendText(res, 500, `Proxy request failed: ${error.message}`);
+    });
+  });
+
+  attachConnectHandler(server, {
+    config,
+    certManager,
+    matchesDomain,
+    upstreamProxyManager,
+    mitmHttpServer,
+  });
+
+  server.listen(config.proxyPort);
+  return { proxyServer: server, mitmHttpServer };
+}

package/src/proxy/upstream-proxy.js

@@ -0,0 +1,236 @@
+import net from "node:net";
+import tls from "node:tls";
+import { ProxyAgent } from "proxy-agent";
+
+function normalizeHostname(hostname) {
+  return String(hostname || "")
+    .trim()
+    .replace(/^\[/, "")
+    .replace(/\]$/, "")
+    .toLowerCase();
+}
+
+function safeDecode(value) {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+}
+
+function buildProxyAuthHeader(proxyUrl) {
+  if (!proxyUrl.username && !proxyUrl.password) {
+    return "";
+  }
+
+  const username = safeDecode(proxyUrl.username || "");
+  const password = safeDecode(proxyUrl.password || "");
+  const token = Buffer.from(`${username}:${password}`).toString("base64");
+  return `Basic ${token}`;
+}
+
+function parseStatusCode(responseHeader) {
+  const statusLine = responseHeader.split("\r\n")[0] || "";
+  const match = statusLine.match(/^HTTP\/\d\.\d\s+(\d{3})/i);
+  const code = match ? Number.parseInt(match[1], 10) : 0;
+  return { code, statusLine };
+}
+
+function createSocketToProxy(proxyUrl, timeoutMs) {
+  const port = proxyUrl.port
+    ? Number.parseInt(proxyUrl.port, 10)
+    : proxyUrl.protocol === "https:"
+      ? 443
+      : 80;
+
+  if (proxyUrl.protocol === "https:") {
+    return tls.connect({
+      host: proxyUrl.hostname,
+      port,
+      servername: proxyUrl.hostname,
+      timeout: timeoutMs,
+    });
+  }
+
+  return net.connect({
+    host: proxyUrl.hostname,
+    port,
+    timeout: timeoutMs,
+  });
+}
+
+export class UpstreamProxyManager {
+  constructor(config, matchesDomain) {
+    this.config = config;
+    this.matchesDomain = matchesDomain;
+    this.agentCache = new Map();
+  }
+
+  shouldBypass(hostname) {
+    const host = normalizeHostname(hostname);
+    if (!host) {
+      return true;
+    }
+
+    const patterns = [
+      ...(this.config.upstreamNoProxyDomains || []),
+      ...(this.config.upstreamIgnoreDomains || []),
+    ];
+
+    const uniquePatterns = [...new Set(patterns.map((item) => String(item).trim()).filter(Boolean))];
+    if (uniquePatterns.length === 0) {
+      return false;
+    }
+
+    if (uniquePatterns.includes("*")) {
+      return true;
+    }
+
+    return this.matchesDomain(host, uniquePatterns);
+  }
+
+  getProxyUrlFor(protocol, hostname) {
+    if (this.shouldBypass(hostname)) {
+      return "";
+    }
+
+    if (protocol === "https:") {
+      return (
+        this.config.upstreamHttpsProxyUrl ||
+        this.config.upstreamProxyUrl ||
+        this.config.upstreamHttpProxyUrl ||
+        ""
+      );
+    }
+
+    return (
+      this.config.upstreamHttpProxyUrl ||
+      this.config.upstreamProxyUrl ||
+      ""
+    );
+  }
+
+  getAgentForUrl(urlObj) {
+    const proxyUrl = this.getProxyUrlFor(urlObj.protocol, urlObj.hostname);
+    if (!proxyUrl) {
+      return undefined;
+    }
+
+    const cacheKey = `${proxyUrl}`;
+    if (!this.agentCache.has(cacheKey)) {
+      this.agentCache.set(cacheKey, new ProxyAgent(proxyUrl));
+    }
+
+    return this.agentCache.get(cacheKey);
+  }
+
+  hasProxyFor(protocol, hostname) {
+    return Boolean(this.getProxyUrlFor(protocol, hostname));
+  }
+
+  async createConnectTunnel(targetHost, targetPort, timeoutMs) {
+    const proxyUrlText = this.getProxyUrlFor("https:", targetHost);
+    if (!proxyUrlText) {
+      throw new Error("Upstream proxy is not configured for CONNECT");
+    }
+
+    const proxyUrl = new URL(proxyUrlText);
+    if (proxyUrl.protocol !== "http:" && proxyUrl.protocol !== "https:") {
+      throw new Error(`Unsupported upstream proxy protocol for CONNECT: ${proxyUrl.protocol}`);
+    }
+
+    const authHeader = buildProxyAuthHeader(proxyUrl);
+
+    const socket = createSocketToProxy(proxyUrl, timeoutMs);
+    const connectEvent = proxyUrl.protocol === "https:" ? "secureConnect" : "connect";
+
+    return new Promise((resolve, reject) => {
+      let settled = false;
+      let bytes = 0;
+      const chunks = [];
+
+      const cleanup = () => {
+        socket.removeListener(connectEvent, onConnectReady);
+        socket.removeListener("data", onData);
+        socket.removeListener("timeout", onTimeout);
+        socket.removeListener("error", onError);
+      };
+
+      const fail = (error) => {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        cleanup();
+        socket.destroy();
+        reject(error);
+      };
+
+      const succeed = (bufferedData) => {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        cleanup();
+        socket.setTimeout(0);
+        resolve({ socket, bufferedData });
+      };
+
+      const onConnectReady = () => {
+        const headers = [
+          `CONNECT ${targetHost}:${targetPort} HTTP/1.1`,
+          `Host: ${targetHost}:${targetPort}`,
+          "Proxy-Connection: Keep-Alive",
+        ];
+
+        if (authHeader) {
+          headers.push(`Proxy-Authorization: ${authHeader}`);
+        }
+
+        const payload = `${headers.join("\r\n")}\r\n\r\n`;
+        socket.write(payload);
+      };
+
+      const onData = (chunk) => {
+        chunks.push(chunk);
+        bytes += chunk.length;
+
+        if (bytes > 128 * 1024) {
+          fail(new Error("Upstream proxy CONNECT response is too large"));
+          return;
+        }
+
+        const merged = Buffer.concat(chunks, bytes);
+        const boundary = merged.indexOf("\r\n\r\n");
+        if (boundary === -1) {
+          return;
+        }
+
+        const headerBuffer = merged.slice(0, boundary + 4);
+        const headerText = headerBuffer.toString("latin1");
+        const { code, statusLine } = parseStatusCode(headerText);
+
+        if (code !== 200) {
+          fail(new Error(`Upstream proxy CONNECT failed: ${statusLine || "unknown response"}`));
+          return;
+        }
+
+        const rest = merged.slice(boundary + 4);
+        succeed(rest);
+      };
+
+      const onTimeout = () => {
+        fail(new Error(`Upstream proxy CONNECT timeout after ${timeoutMs}ms`));
+      };
+
+      const onError = (error) => {
+        fail(error);
+      };
+
+      socket.on(connectEvent, onConnectReady);
+      socket.on("data", onData);
+      socket.on("timeout", onTimeout);
+      socket.on("error", onError);
+    });
+  }
+}