pal-explorer-cli 0.4.12 → 0.4.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +149 -149
- package/bin/pal.js +63 -2
- package/extensions/@palexplorer/analytics/extension.json +20 -1
- package/extensions/@palexplorer/analytics/index.js +19 -9
- package/extensions/@palexplorer/audit/extension.json +14 -0
- package/extensions/@palexplorer/auth-email/extension.json +15 -0
- package/extensions/@palexplorer/auth-oauth/extension.json +15 -0
- package/extensions/@palexplorer/chat/extension.json +14 -0
- package/extensions/@palexplorer/discovery/extension.json +17 -0
- package/extensions/@palexplorer/discovery/index.js +1 -1
- package/extensions/@palexplorer/email-notifications/extension.json +23 -0
- package/extensions/@palexplorer/groups/extension.json +15 -0
- package/extensions/@palexplorer/share-links/extension.json +15 -0
- package/extensions/@palexplorer/sync/extension.json +16 -0
- package/extensions/@palexplorer/user-mgmt/extension.json +15 -0
- package/lib/capabilities.js +24 -24
- package/lib/commands/analytics.js +175 -175
- package/lib/commands/api-keys.js +131 -131
- package/lib/commands/audit.js +235 -235
- package/lib/commands/auth.js +137 -137
- package/lib/commands/backup.js +76 -76
- package/lib/commands/billing.js +148 -148
- package/lib/commands/chat.js +217 -217
- package/lib/commands/cloud-backup.js +231 -231
- package/lib/commands/comment.js +99 -99
- package/lib/commands/completion.js +203 -203
- package/lib/commands/compliance.js +218 -218
- package/lib/commands/config.js +136 -136
- package/lib/commands/connect.js +44 -44
- package/lib/commands/dept.js +294 -294
- package/lib/commands/device.js +146 -146
- package/lib/commands/download.js +240 -226
- package/lib/commands/explorer.js +178 -178
- package/lib/commands/extension.js +1060 -970
- package/lib/commands/favorite.js +90 -90
- package/lib/commands/federation.js +270 -270
- package/lib/commands/file.js +533 -533
- package/lib/commands/group.js +271 -271
- package/lib/commands/gui-share.js +29 -29
- package/lib/commands/init.js +61 -61
- package/lib/commands/invite.js +59 -59
- package/lib/commands/list.js +58 -58
- package/lib/commands/log.js +116 -116
- package/lib/commands/nearby.js +108 -108
- package/lib/commands/network.js +251 -251
- package/lib/commands/notify.js +198 -198
- package/lib/commands/org.js +273 -273
- package/lib/commands/pal.js +403 -180
- package/lib/commands/permissions.js +216 -216
- package/lib/commands/pin.js +97 -97
- package/lib/commands/protocol.js +357 -357
- package/lib/commands/rbac.js +147 -147
- package/lib/commands/recover.js +36 -36
- package/lib/commands/register.js +171 -171
- package/lib/commands/relay.js +131 -131
- package/lib/commands/remote.js +368 -368
- package/lib/commands/revoke.js +50 -50
- package/lib/commands/scanner.js +280 -280
- package/lib/commands/schedule.js +344 -344
- package/lib/commands/scim.js +203 -203
- package/lib/commands/search.js +181 -181
- package/lib/commands/serve.js +438 -438
- package/lib/commands/server.js +350 -350
- package/lib/commands/share-link.js +199 -199
- package/lib/commands/share.js +336 -323
- package/lib/commands/sso.js +200 -200
- package/lib/commands/status.js +145 -145
- package/lib/commands/stream.js +562 -562
- package/lib/commands/su.js +187 -187
- package/lib/commands/sync.js +979 -979
- package/lib/commands/transfers.js +152 -152
- package/lib/commands/uninstall.js +188 -188
- package/lib/commands/update.js +204 -204
- package/lib/commands/user.js +276 -276
- package/lib/commands/vfs.js +84 -84
- package/lib/commands/web-login.js +79 -79
- package/lib/commands/web.js +52 -52
- package/lib/commands/webhook.js +180 -180
- package/lib/commands/whoami.js +59 -59
- package/lib/commands/workspace.js +121 -121
- package/lib/core/billing.js +16 -5
- package/lib/core/dhtDiscovery.js +9 -2
- package/lib/core/discoveryClient.js +13 -7
- package/lib/core/extensions.js +142 -1
- package/lib/core/identity.js +33 -2
- package/lib/core/imageProcessor.js +109 -0
- package/lib/core/imageTorrent.js +167 -0
- package/lib/core/permissions.js +1 -1
- package/lib/core/pro.js +11 -4
- package/lib/core/serverList.js +4 -1
- package/lib/core/shares.js +12 -1
- package/lib/core/signalingServer.js +14 -2
- package/lib/core/su.js +1 -1
- package/lib/core/users.js +1 -1
- package/lib/protocol/messages.js +12 -3
- package/lib/utils/explorer.js +1 -1
- package/lib/utils/help.js +357 -357
- package/lib/utils/torrent.js +1 -0
- package/package.json +4 -3
package/lib/commands/audit.js
CHANGED
|
@@ -1,235 +1,235 @@
|
|
|
1
|
-
import chalk from 'chalk';
|
|
2
|
-
import { createHash } from 'crypto';
|
|
3
|
-
import path from 'path';
|
|
4
|
-
import os from 'os';
|
|
5
|
-
|
|
6
|
-
function isPrivateIP(hostname) {
|
|
7
|
-
if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1') return true;
|
|
8
|
-
const parts = hostname.split('.').map(Number);
|
|
9
|
-
if (parts.length === 4) {
|
|
10
|
-
if (parts[0] === 10) return true;
|
|
11
|
-
if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return true;
|
|
12
|
-
if (parts[0] === 192 && parts[1] === 168) return true;
|
|
13
|
-
if (parts[0] === 169 && parts[1] === 254) return true;
|
|
14
|
-
if (parts[0] === 0) return true;
|
|
15
|
-
}
|
|
16
|
-
return false;
|
|
17
|
-
}
|
|
18
|
-
|
|
19
|
-
function validateWebhookUrl(url) {
|
|
20
|
-
let parsed;
|
|
21
|
-
try { parsed = new URL(url); } catch { throw new Error('Invalid URL'); }
|
|
22
|
-
if (parsed.protocol !== 'https:') throw new Error('Webhook URL must use HTTPS');
|
|
23
|
-
if (isPrivateIP(parsed.hostname)) throw new Error('Webhook URL must not point to private/internal addresses');
|
|
24
|
-
return url;
|
|
25
|
-
}
|
|
26
|
-
|
|
27
|
-
function validateOutputPath(filePath) {
|
|
28
|
-
const resolved = path.resolve(filePath);
|
|
29
|
-
const home = os.homedir();
|
|
30
|
-
const cwd = process.cwd();
|
|
31
|
-
if (!resolved.startsWith(home) && !resolved.startsWith(cwd)) {
|
|
32
|
-
throw new Error('Output path must be within home directory or current working directory');
|
|
33
|
-
}
|
|
34
|
-
if (resolved.includes('..')) {
|
|
35
|
-
throw new Error('Path traversal not allowed');
|
|
36
|
-
}
|
|
37
|
-
return resolved;
|
|
38
|
-
}
|
|
39
|
-
|
|
40
|
-
export default function auditCommand(program) {
|
|
41
|
-
const cmd = program
|
|
42
|
-
.command('audit')
|
|
43
|
-
.description('tamper-proof audit logging (Enterprise)')
|
|
44
|
-
.addHelpText('after', `
|
|
45
|
-
Examples:
|
|
46
|
-
$
|
|
47
|
-
$
|
|
48
|
-
$
|
|
49
|
-
$
|
|
50
|
-
$
|
|
51
|
-
`)
|
|
52
|
-
.action(() => { cmd.outputHelp(); });
|
|
53
|
-
|
|
54
|
-
cmd
|
|
55
|
-
.command('export')
|
|
56
|
-
.description('export audit log')
|
|
57
|
-
.option('--format <json|csv>', 'output format', 'json')
|
|
58
|
-
.option('--from <date>', 'start date (ISO format)')
|
|
59
|
-
.option('--to <date>', 'end date (ISO format)')
|
|
60
|
-
.option('-o, --output <path>', 'output file path')
|
|
61
|
-
.action(async (opts) => {
|
|
62
|
-
try {
|
|
63
|
-
const extConfig = (await import('../utils/config.js')).default;
|
|
64
|
-
const store = extConfig.get('ext_store.advanced-audit') || {};
|
|
65
|
-
let entries = store.auditLog || [];
|
|
66
|
-
|
|
67
|
-
if (opts.from) {
|
|
68
|
-
const fromDate = new Date(opts.from).getTime();
|
|
69
|
-
entries = entries.filter(e => new Date(e.timestamp).getTime() >= fromDate);
|
|
70
|
-
}
|
|
71
|
-
if (opts.to) {
|
|
72
|
-
const toDate = new Date(opts.to).getTime();
|
|
73
|
-
entries = entries.filter(e => new Date(e.timestamp).getTime() <= toDate);
|
|
74
|
-
}
|
|
75
|
-
|
|
76
|
-
if (!entries.length) {
|
|
77
|
-
console.log(chalk.gray('No audit log entries found.'));
|
|
78
|
-
return;
|
|
79
|
-
}
|
|
80
|
-
|
|
81
|
-
let output;
|
|
82
|
-
if (opts.format === 'csv') {
|
|
83
|
-
const header = 'id,timestamp,action,user,details,hash';
|
|
84
|
-
const rows = entries.map(e =>
|
|
85
|
-
`${e.id},${e.timestamp},${e.action},${e.user},"${JSON.stringify(e.details).replace(/"/g, '""')}",${e.hash}`
|
|
86
|
-
);
|
|
87
|
-
output = [header, ...rows].join('\n');
|
|
88
|
-
} else {
|
|
89
|
-
output = JSON.stringify(entries, null, 2);
|
|
90
|
-
}
|
|
91
|
-
|
|
92
|
-
if (opts.output) {
|
|
93
|
-
const validatedPath = validateOutputPath(opts.output);
|
|
94
|
-
const fs = await import('fs');
|
|
95
|
-
fs.writeFileSync(validatedPath, output, 'utf8');
|
|
96
|
-
console.log(chalk.green(`✔ Exported ${entries.length} entries to ${validatedPath}`));
|
|
97
|
-
} else {
|
|
98
|
-
console.log(output);
|
|
99
|
-
}
|
|
100
|
-
} catch (err) {
|
|
101
|
-
console.error(chalk.red(`Export failed: ${err.message}`));
|
|
102
|
-
process.exitCode = 1;
|
|
103
|
-
}
|
|
104
|
-
});
|
|
105
|
-
|
|
106
|
-
cmd
|
|
107
|
-
.command('verify')
|
|
108
|
-
.description('verify hash chain integrity of audit log')
|
|
109
|
-
.action(async () => {
|
|
110
|
-
try {
|
|
111
|
-
const extConfig = (await import('../utils/config.js')).default;
|
|
112
|
-
const store = extConfig.get('ext_store.advanced-audit') || {};
|
|
113
|
-
const entries = store.auditLog || [];
|
|
114
|
-
|
|
115
|
-
if (!entries.length) {
|
|
116
|
-
console.log(chalk.gray('No audit log entries to verify.'));
|
|
117
|
-
return;
|
|
118
|
-
}
|
|
119
|
-
|
|
120
|
-
let valid = true;
|
|
121
|
-
let checked = 0;
|
|
122
|
-
|
|
123
|
-
for (let i = 0; i < entries.length; i++) {
|
|
124
|
-
const entry = entries[i];
|
|
125
|
-
const previousHash = entry.previousHash || '';
|
|
126
|
-
const data = `${entry.timestamp}${entry.action}${entry.user}${JSON.stringify(entry.details)}${previousHash}`;
|
|
127
|
-
const expectedHash = createHash('sha256').update(data).digest('hex');
|
|
128
|
-
|
|
129
|
-
if (entry.hash !== expectedHash) {
|
|
130
|
-
console.log(chalk.red(`✘ Entry ${i} (${entry.id}) hash mismatch`));
|
|
131
|
-
console.log(chalk.red(` Expected: ${expectedHash}`));
|
|
132
|
-
console.log(chalk.red(` Got: ${entry.hash}`));
|
|
133
|
-
valid = false;
|
|
134
|
-
}
|
|
135
|
-
|
|
136
|
-
if (i > 0 && entry.previousHash !== entries[i - 1].hash) {
|
|
137
|
-
console.log(chalk.red(`✘ Entry ${i} (${entry.id}) chain broken — previousHash does not match`));
|
|
138
|
-
valid = false;
|
|
139
|
-
}
|
|
140
|
-
|
|
141
|
-
checked++;
|
|
142
|
-
}
|
|
143
|
-
|
|
144
|
-
if (valid) {
|
|
145
|
-
console.log(chalk.green(`✔ Audit log integrity verified (${checked} entries)`));
|
|
146
|
-
} else {
|
|
147
|
-
console.log(chalk.red(`✘ Audit log integrity check FAILED`));
|
|
148
|
-
process.exitCode = 1;
|
|
149
|
-
}
|
|
150
|
-
} catch (err) {
|
|
151
|
-
console.error(chalk.red(`Verify failed: ${err.message}`));
|
|
152
|
-
process.exitCode = 1;
|
|
153
|
-
}
|
|
154
|
-
});
|
|
155
|
-
|
|
156
|
-
cmd
|
|
157
|
-
.command('alerts')
|
|
158
|
-
.description('configure real-time alerts')
|
|
159
|
-
.option('--webhook <url>', 'set alert webhook URL')
|
|
160
|
-
.option('--disable', 'disable alerts')
|
|
161
|
-
.action(async (opts) => {
|
|
162
|
-
try {
|
|
163
|
-
const extConfig = (await import('../utils/config.js')).default;
|
|
164
|
-
const config = extConfig.get('ext.advanced-audit') || {};
|
|
165
|
-
|
|
166
|
-
if (opts.disable) {
|
|
167
|
-
config.realTimeAlerts = false;
|
|
168
|
-
config.alertWebhook = null;
|
|
169
|
-
extConfig.set('ext.advanced-audit', config);
|
|
170
|
-
console.log(chalk.green('✔ Real-time alerts disabled'));
|
|
171
|
-
return;
|
|
172
|
-
}
|
|
173
|
-
|
|
174
|
-
if (opts.webhook) {
|
|
175
|
-
validateWebhookUrl(opts.webhook);
|
|
176
|
-
config.realTimeAlerts = true;
|
|
177
|
-
config.alertWebhook = opts.webhook;
|
|
178
|
-
extConfig.set('ext.advanced-audit', config);
|
|
179
|
-
console.log(chalk.green('✔ Real-time alerts enabled'));
|
|
180
|
-
console.log(` Webhook: ${chalk.white(opts.webhook)}`);
|
|
181
|
-
return;
|
|
182
|
-
}
|
|
183
|
-
|
|
184
|
-
console.log('');
|
|
185
|
-
console.log(chalk.cyan.bold('Alert Configuration'));
|
|
186
|
-
console.log(chalk.gray('─'.repeat(40)));
|
|
187
|
-
console.log(` Enabled: ${config.realTimeAlerts ? chalk.green('yes') : chalk.red('no')}`);
|
|
188
|
-
console.log(` Webhook: ${config.alertWebhook ? chalk.white(config.alertWebhook) : chalk.gray('not set')}`);
|
|
189
|
-
console.log('');
|
|
190
|
-
} catch (err) {
|
|
191
|
-
console.error(chalk.red(`Alerts failed: ${err.message}`));
|
|
192
|
-
process.exitCode = 1;
|
|
193
|
-
}
|
|
194
|
-
});
|
|
195
|
-
|
|
196
|
-
cmd
|
|
197
|
-
.command('siem')
|
|
198
|
-
.description('configure SIEM forwarding')
|
|
199
|
-
.option('--endpoint <url>', 'set SIEM endpoint')
|
|
200
|
-
.option('--disable', 'disable SIEM forwarding')
|
|
201
|
-
.action(async (opts) => {
|
|
202
|
-
try {
|
|
203
|
-
const extConfig = (await import('../utils/config.js')).default;
|
|
204
|
-
const config = extConfig.get('ext.advanced-audit') || {};
|
|
205
|
-
|
|
206
|
-
if (opts.disable) {
|
|
207
|
-
config.siem = false;
|
|
208
|
-
config.siemEndpoint = null;
|
|
209
|
-
extConfig.set('ext.advanced-audit', config);
|
|
210
|
-
console.log(chalk.green('✔ SIEM forwarding disabled'));
|
|
211
|
-
return;
|
|
212
|
-
}
|
|
213
|
-
|
|
214
|
-
if (opts.endpoint) {
|
|
215
|
-
validateWebhookUrl(opts.endpoint);
|
|
216
|
-
config.siem = true;
|
|
217
|
-
config.siemEndpoint = opts.endpoint;
|
|
218
|
-
extConfig.set('ext.advanced-audit', config);
|
|
219
|
-
console.log(chalk.green('✔ SIEM forwarding enabled'));
|
|
220
|
-
console.log(` Endpoint: ${chalk.white(opts.endpoint)}`);
|
|
221
|
-
return;
|
|
222
|
-
}
|
|
223
|
-
|
|
224
|
-
console.log('');
|
|
225
|
-
console.log(chalk.cyan.bold('SIEM Configuration'));
|
|
226
|
-
console.log(chalk.gray('─'.repeat(40)));
|
|
227
|
-
console.log(` Enabled: ${config.siem ? chalk.green('yes') : chalk.red('no')}`);
|
|
228
|
-
console.log(` Endpoint: ${config.siemEndpoint ? chalk.white(config.siemEndpoint) : chalk.gray('not set')}`);
|
|
229
|
-
console.log('');
|
|
230
|
-
} catch (err) {
|
|
231
|
-
console.error(chalk.red(`SIEM failed: ${err.message}`));
|
|
232
|
-
process.exitCode = 1;
|
|
233
|
-
}
|
|
234
|
-
});
|
|
235
|
-
}
|
|
1
|
+
import chalk from 'chalk';
|
|
2
|
+
import { createHash } from 'crypto';
|
|
3
|
+
import path from 'path';
|
|
4
|
+
import os from 'os';
|
|
5
|
+
|
|
6
|
+
function isPrivateIP(hostname) {
|
|
7
|
+
if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1') return true;
|
|
8
|
+
const parts = hostname.split('.').map(Number);
|
|
9
|
+
if (parts.length === 4) {
|
|
10
|
+
if (parts[0] === 10) return true;
|
|
11
|
+
if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return true;
|
|
12
|
+
if (parts[0] === 192 && parts[1] === 168) return true;
|
|
13
|
+
if (parts[0] === 169 && parts[1] === 254) return true;
|
|
14
|
+
if (parts[0] === 0) return true;
|
|
15
|
+
}
|
|
16
|
+
return false;
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
function validateWebhookUrl(url) {
|
|
20
|
+
let parsed;
|
|
21
|
+
try { parsed = new URL(url); } catch { throw new Error('Invalid URL'); }
|
|
22
|
+
if (parsed.protocol !== 'https:') throw new Error('Webhook URL must use HTTPS');
|
|
23
|
+
if (isPrivateIP(parsed.hostname)) throw new Error('Webhook URL must not point to private/internal addresses');
|
|
24
|
+
return url;
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
function validateOutputPath(filePath) {
|
|
28
|
+
const resolved = path.resolve(filePath);
|
|
29
|
+
const home = os.homedir();
|
|
30
|
+
const cwd = process.cwd();
|
|
31
|
+
if (!resolved.startsWith(home) && !resolved.startsWith(cwd)) {
|
|
32
|
+
throw new Error('Output path must be within home directory or current working directory');
|
|
33
|
+
}
|
|
34
|
+
if (resolved.includes('..')) {
|
|
35
|
+
throw new Error('Path traversal not allowed');
|
|
36
|
+
}
|
|
37
|
+
return resolved;
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
export default function auditCommand(program) {
|
|
41
|
+
const cmd = program
|
|
42
|
+
.command('audit')
|
|
43
|
+
.description('tamper-proof audit logging (Enterprise)')
|
|
44
|
+
.addHelpText('after', `
|
|
45
|
+
Examples:
|
|
46
|
+
$ pal audit export --format json -o audit.json
|
|
47
|
+
$ pal audit export --from 2026-01-01 --to 2026-03-20 --format csv
|
|
48
|
+
$ pal audit verify Verify hash chain integrity
|
|
49
|
+
$ pal audit alerts --webhook https://hooks.example.com/audit
|
|
50
|
+
$ pal audit siem --endpoint https://siem.example.com/ingest
|
|
51
|
+
`)
|
|
52
|
+
.action(() => { cmd.outputHelp(); });
|
|
53
|
+
|
|
54
|
+
cmd
|
|
55
|
+
.command('export')
|
|
56
|
+
.description('export audit log')
|
|
57
|
+
.option('--format <json|csv>', 'output format', 'json')
|
|
58
|
+
.option('--from <date>', 'start date (ISO format)')
|
|
59
|
+
.option('--to <date>', 'end date (ISO format)')
|
|
60
|
+
.option('-o, --output <path>', 'output file path')
|
|
61
|
+
.action(async (opts) => {
|
|
62
|
+
try {
|
|
63
|
+
const extConfig = (await import('../utils/config.js')).default;
|
|
64
|
+
const store = extConfig.get('ext_store.advanced-audit') || {};
|
|
65
|
+
let entries = store.auditLog || [];
|
|
66
|
+
|
|
67
|
+
if (opts.from) {
|
|
68
|
+
const fromDate = new Date(opts.from).getTime();
|
|
69
|
+
entries = entries.filter(e => new Date(e.timestamp).getTime() >= fromDate);
|
|
70
|
+
}
|
|
71
|
+
if (opts.to) {
|
|
72
|
+
const toDate = new Date(opts.to).getTime();
|
|
73
|
+
entries = entries.filter(e => new Date(e.timestamp).getTime() <= toDate);
|
|
74
|
+
}
|
|
75
|
+
|
|
76
|
+
if (!entries.length) {
|
|
77
|
+
console.log(chalk.gray('No audit log entries found.'));
|
|
78
|
+
return;
|
|
79
|
+
}
|
|
80
|
+
|
|
81
|
+
let output;
|
|
82
|
+
if (opts.format === 'csv') {
|
|
83
|
+
const header = 'id,timestamp,action,user,details,hash';
|
|
84
|
+
const rows = entries.map(e =>
|
|
85
|
+
`${e.id},${e.timestamp},${e.action},${e.user},"${JSON.stringify(e.details).replace(/"/g, '""')}",${e.hash}`
|
|
86
|
+
);
|
|
87
|
+
output = [header, ...rows].join('\n');
|
|
88
|
+
} else {
|
|
89
|
+
output = JSON.stringify(entries, null, 2);
|
|
90
|
+
}
|
|
91
|
+
|
|
92
|
+
if (opts.output) {
|
|
93
|
+
const validatedPath = validateOutputPath(opts.output);
|
|
94
|
+
const fs = await import('fs');
|
|
95
|
+
fs.writeFileSync(validatedPath, output, 'utf8');
|
|
96
|
+
console.log(chalk.green(`✔ Exported ${entries.length} entries to ${validatedPath}`));
|
|
97
|
+
} else {
|
|
98
|
+
console.log(output);
|
|
99
|
+
}
|
|
100
|
+
} catch (err) {
|
|
101
|
+
console.error(chalk.red(`Export failed: ${err.message}`));
|
|
102
|
+
process.exitCode = 1;
|
|
103
|
+
}
|
|
104
|
+
});
|
|
105
|
+
|
|
106
|
+
cmd
|
|
107
|
+
.command('verify')
|
|
108
|
+
.description('verify hash chain integrity of audit log')
|
|
109
|
+
.action(async () => {
|
|
110
|
+
try {
|
|
111
|
+
const extConfig = (await import('../utils/config.js')).default;
|
|
112
|
+
const store = extConfig.get('ext_store.advanced-audit') || {};
|
|
113
|
+
const entries = store.auditLog || [];
|
|
114
|
+
|
|
115
|
+
if (!entries.length) {
|
|
116
|
+
console.log(chalk.gray('No audit log entries to verify.'));
|
|
117
|
+
return;
|
|
118
|
+
}
|
|
119
|
+
|
|
120
|
+
let valid = true;
|
|
121
|
+
let checked = 0;
|
|
122
|
+
|
|
123
|
+
for (let i = 0; i < entries.length; i++) {
|
|
124
|
+
const entry = entries[i];
|
|
125
|
+
const previousHash = entry.previousHash || '';
|
|
126
|
+
const data = `${entry.timestamp}${entry.action}${entry.user}${JSON.stringify(entry.details)}${previousHash}`;
|
|
127
|
+
const expectedHash = createHash('sha256').update(data).digest('hex');
|
|
128
|
+
|
|
129
|
+
if (entry.hash !== expectedHash) {
|
|
130
|
+
console.log(chalk.red(`✘ Entry ${i} (${entry.id}) hash mismatch`));
|
|
131
|
+
console.log(chalk.red(` Expected: ${expectedHash}`));
|
|
132
|
+
console.log(chalk.red(` Got: ${entry.hash}`));
|
|
133
|
+
valid = false;
|
|
134
|
+
}
|
|
135
|
+
|
|
136
|
+
if (i > 0 && entry.previousHash !== entries[i - 1].hash) {
|
|
137
|
+
console.log(chalk.red(`✘ Entry ${i} (${entry.id}) chain broken — previousHash does not match`));
|
|
138
|
+
valid = false;
|
|
139
|
+
}
|
|
140
|
+
|
|
141
|
+
checked++;
|
|
142
|
+
}
|
|
143
|
+
|
|
144
|
+
if (valid) {
|
|
145
|
+
console.log(chalk.green(`✔ Audit log integrity verified (${checked} entries)`));
|
|
146
|
+
} else {
|
|
147
|
+
console.log(chalk.red(`✘ Audit log integrity check FAILED`));
|
|
148
|
+
process.exitCode = 1;
|
|
149
|
+
}
|
|
150
|
+
} catch (err) {
|
|
151
|
+
console.error(chalk.red(`Verify failed: ${err.message}`));
|
|
152
|
+
process.exitCode = 1;
|
|
153
|
+
}
|
|
154
|
+
});
|
|
155
|
+
|
|
156
|
+
cmd
|
|
157
|
+
.command('alerts')
|
|
158
|
+
.description('configure real-time alerts')
|
|
159
|
+
.option('--webhook <url>', 'set alert webhook URL')
|
|
160
|
+
.option('--disable', 'disable alerts')
|
|
161
|
+
.action(async (opts) => {
|
|
162
|
+
try {
|
|
163
|
+
const extConfig = (await import('../utils/config.js')).default;
|
|
164
|
+
const config = extConfig.get('ext.advanced-audit') || {};
|
|
165
|
+
|
|
166
|
+
if (opts.disable) {
|
|
167
|
+
config.realTimeAlerts = false;
|
|
168
|
+
config.alertWebhook = null;
|
|
169
|
+
extConfig.set('ext.advanced-audit', config);
|
|
170
|
+
console.log(chalk.green('✔ Real-time alerts disabled'));
|
|
171
|
+
return;
|
|
172
|
+
}
|
|
173
|
+
|
|
174
|
+
if (opts.webhook) {
|
|
175
|
+
validateWebhookUrl(opts.webhook);
|
|
176
|
+
config.realTimeAlerts = true;
|
|
177
|
+
config.alertWebhook = opts.webhook;
|
|
178
|
+
extConfig.set('ext.advanced-audit', config);
|
|
179
|
+
console.log(chalk.green('✔ Real-time alerts enabled'));
|
|
180
|
+
console.log(` Webhook: ${chalk.white(opts.webhook)}`);
|
|
181
|
+
return;
|
|
182
|
+
}
|
|
183
|
+
|
|
184
|
+
console.log('');
|
|
185
|
+
console.log(chalk.cyan.bold('Alert Configuration'));
|
|
186
|
+
console.log(chalk.gray('─'.repeat(40)));
|
|
187
|
+
console.log(` Enabled: ${config.realTimeAlerts ? chalk.green('yes') : chalk.red('no')}`);
|
|
188
|
+
console.log(` Webhook: ${config.alertWebhook ? chalk.white(config.alertWebhook) : chalk.gray('not set')}`);
|
|
189
|
+
console.log('');
|
|
190
|
+
} catch (err) {
|
|
191
|
+
console.error(chalk.red(`Alerts failed: ${err.message}`));
|
|
192
|
+
process.exitCode = 1;
|
|
193
|
+
}
|
|
194
|
+
});
|
|
195
|
+
|
|
196
|
+
cmd
|
|
197
|
+
.command('siem')
|
|
198
|
+
.description('configure SIEM forwarding')
|
|
199
|
+
.option('--endpoint <url>', 'set SIEM endpoint')
|
|
200
|
+
.option('--disable', 'disable SIEM forwarding')
|
|
201
|
+
.action(async (opts) => {
|
|
202
|
+
try {
|
|
203
|
+
const extConfig = (await import('../utils/config.js')).default;
|
|
204
|
+
const config = extConfig.get('ext.advanced-audit') || {};
|
|
205
|
+
|
|
206
|
+
if (opts.disable) {
|
|
207
|
+
config.siem = false;
|
|
208
|
+
config.siemEndpoint = null;
|
|
209
|
+
extConfig.set('ext.advanced-audit', config);
|
|
210
|
+
console.log(chalk.green('✔ SIEM forwarding disabled'));
|
|
211
|
+
return;
|
|
212
|
+
}
|
|
213
|
+
|
|
214
|
+
if (opts.endpoint) {
|
|
215
|
+
validateWebhookUrl(opts.endpoint);
|
|
216
|
+
config.siem = true;
|
|
217
|
+
config.siemEndpoint = opts.endpoint;
|
|
218
|
+
extConfig.set('ext.advanced-audit', config);
|
|
219
|
+
console.log(chalk.green('✔ SIEM forwarding enabled'));
|
|
220
|
+
console.log(` Endpoint: ${chalk.white(opts.endpoint)}`);
|
|
221
|
+
return;
|
|
222
|
+
}
|
|
223
|
+
|
|
224
|
+
console.log('');
|
|
225
|
+
console.log(chalk.cyan.bold('SIEM Configuration'));
|
|
226
|
+
console.log(chalk.gray('─'.repeat(40)));
|
|
227
|
+
console.log(` Enabled: ${config.siem ? chalk.green('yes') : chalk.red('no')}`);
|
|
228
|
+
console.log(` Endpoint: ${config.siemEndpoint ? chalk.white(config.siemEndpoint) : chalk.gray('not set')}`);
|
|
229
|
+
console.log('');
|
|
230
|
+
} catch (err) {
|
|
231
|
+
console.error(chalk.red(`SIEM failed: ${err.message}`));
|
|
232
|
+
process.exitCode = 1;
|
|
233
|
+
}
|
|
234
|
+
});
|
|
235
|
+
}
|