securenow 6.0.2 → 6.1.0

package/cli/diagnostics.js

@@ -0,0 +1,387 @@
+'use strict';
+
+const crypto = require('crypto');
+const url = require('url');
+const ui = require('./ui');
+const config = require('./config');
+
+// ── Config resolution (mirrors tracing.js priority order) ──
+
+function resolvedConfig() {
+  const serviceName =
+    process.env.OTEL_SERVICE_NAME ||
+    process.env.SECURENOW_APPID ||
+    '(auto-generated)';
+  const instance =
+    process.env.SECURENOW_INSTANCE || 'https://freetrial.securenow.ai:4318';
+  const tracesEndpoint =
+    process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT ||
+    (process.env.OTEL_EXPORTER_OTLP_ENDPOINT
+      ? `${process.env.OTEL_EXPORTER_OTLP_ENDPOINT.replace(/\/$/, '')}/v1/traces`
+      : `${instance.replace(/\/$/, '')}/v1/traces`);
+  const logsEndpoint =
+    process.env.OTEL_EXPORTER_OTLP_LOGS_ENDPOINT ||
+    (process.env.OTEL_EXPORTER_OTLP_ENDPOINT
+      ? `${process.env.OTEL_EXPORTER_OTLP_ENDPOINT.replace(/\/$/, '')}/v1/logs`
+      : `${instance.replace(/\/$/, '')}/v1/logs`);
+  const headers = process.env.OTEL_EXPORTER_OTLP_HEADERS || '';
+  const apiKey = process.env.SECURENOW_API_KEY || '';
+  const apiUrl = config.getApiUrl();
+  const loggingEnabled = process.env.SECURENOW_LOGGING_ENABLED !== '0';
+  const captureBody = process.env.SECURENOW_CAPTURE_BODY === '1';
+  const firewallEnabled =
+    !!apiKey && process.env.SECURENOW_FIREWALL_ENABLED !== '0';
+
+  return {
+    serviceName,
+    instance,
+    tracesEndpoint,
+    logsEndpoint,
+    headers,
+    apiKey,
+    apiUrl,
+    loggingEnabled,
+    captureBody,
+    firewallEnabled,
+    firewallLayers: {
+      http: firewallEnabled,
+      tcp: firewallEnabled && process.env.SECURENOW_FIREWALL_TCP === '1',
+      iptables: firewallEnabled && process.env.SECURENOW_FIREWALL_IPTABLES === '1',
+      cloud: firewallEnabled ? process.env.SECURENOW_FIREWALL_CLOUD || null : null,
+    },
+  };
+}
+
+function parseHeaders(str) {
+  const out = {};
+  if (!str) return out;
+  for (const pair of str.split(',')) {
+    const [k, ...rest] = pair.split('=');
+    if (!k) continue;
+    out[k.trim()] = rest.join('=').trim();
+  }
+  return out;
+}
+
+// ── HTTP helpers ──
+
+function httpRequest({ method = 'POST', endpoint, headers = {}, body, timeoutMs = 5000 }) {
+  return new Promise((resolve, reject) => {
+    const parsed = new url.URL(endpoint);
+    const lib = parsed.protocol === 'https:' ? require('https') : require('http');
+    const payload = body == null ? null : Buffer.from(body);
+    const req = lib.request({
+      method,
+      hostname: parsed.hostname,
+      port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+      path: parsed.pathname + parsed.search,
+      headers: {
+        ...(payload ? { 'Content-Length': payload.length } : {}),
+        ...headers,
+      },
+      timeout: timeoutMs,
+    }, (res) => {
+      const chunks = [];
+      res.on('data', (c) => chunks.push(c));
+      res.on('end', () => {
+        resolve({ status: res.statusCode, body: Buffer.concat(chunks).toString('utf8') });
+      });
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(new Error(`timeout after ${timeoutMs}ms`)); });
+    if (payload) req.write(payload);
+    req.end();
+  });
+}
+
+// ── OTLP/HTTP JSON payloads ──
+
+function attr(key, value) {
+  if (typeof value === 'number') {
+    if (Number.isInteger(value)) return { key, value: { intValue: String(value) } };
+    return { key, value: { doubleValue: value } };
+  }
+  if (typeof value === 'boolean') return { key, value: { boolValue: value } };
+  return { key, value: { stringValue: String(value) } };
+}
+
+function resourceAttrs(cfg, extra = {}) {
+  const base = {
+    'service.name': cfg.serviceName,
+    'deployment.environment': process.env.NODE_ENV || 'development',
+    'telemetry.sdk.name': 'securenow-cli',
+    'telemetry.sdk.language': 'nodejs',
+    ...extra,
+  };
+  return Object.entries(base).map(([k, v]) => attr(k, v));
+}
+
+function randomHex(bytes) {
+  return crypto.randomBytes(bytes).toString('hex');
+}
+
+function buildTracePayload(cfg, { name, attributes = {} }) {
+  const now = BigInt(Date.now()) * 1000000n;
+  const end = now + 1000000n;
+  return {
+    resourceSpans: [{
+      resource: { attributes: resourceAttrs(cfg) },
+      scopeSpans: [{
+        scope: { name: 'securenow-cli', version: '1.0.0' },
+        spans: [{
+          traceId: randomHex(16),
+          spanId: randomHex(8),
+          name,
+          kind: 1,
+          startTimeUnixNano: now.toString(),
+          endTimeUnixNano: end.toString(),
+          attributes: Object.entries(attributes).map(([k, v]) => attr(k, v)),
+          status: { code: 1 },
+        }],
+      }],
+    }],
+  };
+}
+
+const SEVERITY_MAP = {
+  trace: { number: 1, text: 'TRACE' },
+  debug: { number: 5, text: 'DEBUG' },
+  info: { number: 9, text: 'INFO' },
+  warn: { number: 13, text: 'WARN' },
+  warning: { number: 13, text: 'WARN' },
+  error: { number: 17, text: 'ERROR' },
+  fatal: { number: 21, text: 'FATAL' },
+};
+
+function buildLogPayload(cfg, { message, level = 'info', attributes = {} }) {
+  const now = BigInt(Date.now()) * 1000000n;
+  const sev = SEVERITY_MAP[level.toLowerCase()] || SEVERITY_MAP.info;
+  return {
+    resourceLogs: [{
+      resource: { attributes: resourceAttrs(cfg) },
+      scopeLogs: [{
+        scope: { name: 'securenow-cli', version: '1.0.0' },
+        logRecords: [{
+          timeUnixNano: now.toString(),
+          observedTimeUnixNano: now.toString(),
+          severityNumber: sev.number,
+          severityText: sev.text,
+          body: { stringValue: message },
+          attributes: Object.entries(attributes).map(([k, v]) => attr(k, v)),
+        }],
+      }],
+    }],
+  };
+}
+
+// ── Commands ──
+
+async function testSpan(args, flags) {
+  const cfg = resolvedConfig();
+  const spanName = args[0] || 'securenow.cli.test-span';
+  const headers = {
+    'Content-Type': 'application/json',
+    ...parseHeaders(cfg.headers),
+  };
+  const payload = buildTracePayload(cfg, {
+    name: spanName,
+    attributes: { 'test.source': 'securenow-cli' },
+  });
+
+  const spin = ui.spinner(`Sending test span to ${cfg.tracesEndpoint}`);
+  try {
+    const res = await httpRequest({
+      endpoint: cfg.tracesEndpoint,
+      headers,
+      body: JSON.stringify(payload),
+    });
+    if (res.status >= 200 && res.status < 300) {
+      spin.stop(`Span accepted (HTTP ${res.status})`);
+      if (flags.json) ui.json({ ok: true, status: res.status, endpoint: cfg.tracesEndpoint });
+      return;
+    }
+    spin.fail(`Collector returned HTTP ${res.status}`);
+    if (res.body) console.log(ui.c.dim(res.body.slice(0, 500)));
+    if (flags.json) ui.json({ ok: false, status: res.status, body: res.body });
+    process.exit(1);
+  } catch (err) {
+    spin.fail(`Failed: ${err.message}`);
+    if (flags.json) ui.json({ ok: false, error: err.message });
+    process.exit(1);
+  }
+}
+
+async function logSend(args, flags) {
+  const message = args.join(' ').trim();
+  if (!message) {
+    ui.error('Missing log message.');
+    console.log(`  ${ui.c.bold('Usage:')} securenow log send "<message>" [--level info|warn|error] [--attrs k=v,k=v]`);
+    process.exit(1);
+  }
+
+  const cfg = resolvedConfig();
+  if (!cfg.loggingEnabled) {
+    ui.warn('Logging is disabled (SECURENOW_LOGGING_ENABLED=0). Sending anyway.');
+  }
+
+  const level = (flags.level || 'info').toString();
+  const attributes = {};
+  if (flags.attrs) {
+    for (const pair of String(flags.attrs).split(',')) {
+      const [k, ...rest] = pair.split('=');
+      if (k && rest.length) attributes[k.trim()] = rest.join('=').trim();
+    }
+  }
+
+  const headers = {
+    'Content-Type': 'application/json',
+    ...parseHeaders(cfg.headers),
+  };
+  const payload = buildLogPayload(cfg, { message, level, attributes });
+
+  const spin = ui.spinner(`Sending log to ${cfg.logsEndpoint}`);
+  try {
+    const res = await httpRequest({
+      endpoint: cfg.logsEndpoint,
+      headers,
+      body: JSON.stringify(payload),
+    });
+    if (res.status >= 200 && res.status < 300) {
+      spin.stop(`Log accepted (HTTP ${res.status})`);
+      if (flags.json) ui.json({ ok: true, status: res.status, endpoint: cfg.logsEndpoint });
+      return;
+    }
+    spin.fail(`Collector returned HTTP ${res.status}`);
+    if (res.body) console.log(ui.c.dim(res.body.slice(0, 500)));
+    if (flags.json) ui.json({ ok: false, status: res.status, body: res.body });
+    process.exit(1);
+  } catch (err) {
+    spin.fail(`Failed: ${err.message}`);
+    if (flags.json) ui.json({ ok: false, error: err.message });
+    process.exit(1);
+  }
+}
+
+// ── doctor / env ──
+
+async function probe(endpoint, timeoutMs = 3000) {
+  try {
+    // A HEAD or empty POST is safer than sending real OTLP. Most collectors
+    // return 400/405 for a malformed request — that still proves reachability.
+    const res = await httpRequest({
+      method: 'POST',
+      endpoint,
+      headers: { 'Content-Type': 'application/json' },
+      body: '{}',
+      timeoutMs,
+    });
+    return { ok: true, status: res.status };
+  } catch (err) {
+    return { ok: false, error: err.message };
+  }
+}
+
+function env(_args, flags) {
+  const cfg = resolvedConfig();
+  const vars = {
+    SECURENOW_APPID: process.env.SECURENOW_APPID || null,
+    OTEL_SERVICE_NAME: process.env.OTEL_SERVICE_NAME || null,
+    SECURENOW_INSTANCE: process.env.SECURENOW_INSTANCE || null,
+    OTEL_EXPORTER_OTLP_ENDPOINT: process.env.OTEL_EXPORTER_OTLP_ENDPOINT || null,
+    OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT || null,
+    OTEL_EXPORTER_OTLP_LOGS_ENDPOINT: process.env.OTEL_EXPORTER_OTLP_LOGS_ENDPOINT || null,
+    OTEL_EXPORTER_OTLP_HEADERS: process.env.OTEL_EXPORTER_OTLP_HEADERS ? '***' : null,
+    SECURENOW_API_KEY: cfg.apiKey ? `${cfg.apiKey.slice(0, 12)}...` : null,
+    SECURENOW_API_URL: cfg.apiUrl,
+    SECURENOW_LOGGING_ENABLED: cfg.loggingEnabled ? '1' : '0',
+    SECURENOW_CAPTURE_BODY: cfg.captureBody ? '1' : '0',
+    SECURENOW_NO_UUID: process.env.SECURENOW_NO_UUID || '0',
+    SECURENOW_FIREWALL_TCP: process.env.SECURENOW_FIREWALL_TCP || '0',
+    SECURENOW_FIREWALL_IPTABLES: process.env.SECURENOW_FIREWALL_IPTABLES || '0',
+    SECURENOW_FIREWALL_CLOUD: process.env.SECURENOW_FIREWALL_CLOUD || null,
+    NODE_ENV: process.env.NODE_ENV || 'development',
+  };
+
+  if (flags.json) {
+    ui.json({ resolved: cfg, env: vars });
+    return;
+  }
+
+  ui.heading('Resolved configuration');
+  ui.keyValue([
+    ['Service name', cfg.serviceName],
+    ['Traces endpoint', cfg.tracesEndpoint],
+    ['Logs endpoint', cfg.logsEndpoint],
+    ['Logging', cfg.loggingEnabled ? ui.c.green('enabled') : ui.c.dim('disabled')],
+    ['Body capture', cfg.captureBody ? ui.c.green('enabled') : ui.c.dim('disabled')],
+    ['Firewall', cfg.firewallEnabled ? ui.c.green('enabled') : ui.c.dim('disabled (no API key)')],
+  ]);
+
+  ui.heading('Environment variables');
+  ui.keyValue(
+    Object.entries(vars).map(([k, v]) => [k, v == null ? ui.c.dim('(not set)') : String(v)])
+  );
+  console.log('');
+}
+
+async function doctor(_args, flags) {
+  const cfg = resolvedConfig();
+  const checks = [];
+
+  // Collector traces
+  const spin1 = ui.spinner(`Probing traces endpoint ${cfg.tracesEndpoint}`);
+  const traces = await probe(cfg.tracesEndpoint);
+  if (traces.ok) spin1.stop(`Traces endpoint reachable (HTTP ${traces.status})`);
+  else spin1.fail(`Traces endpoint unreachable: ${traces.error}`);
+  checks.push({ name: 'traces', ...traces });
+
+  // Collector logs
+  const spin2 = ui.spinner(`Probing logs endpoint ${cfg.logsEndpoint}`);
+  const logs = await probe(cfg.logsEndpoint);
+  if (logs.ok) spin2.stop(`Logs endpoint reachable (HTTP ${logs.status})`);
+  else spin2.fail(`Logs endpoint unreachable: ${logs.error}`);
+  checks.push({ name: 'logs', ...logs });
+
+  // SecureNow API (only if API key or logged-in token)
+  const token = config.getToken();
+  if (cfg.apiKey || token) {
+    const spin3 = ui.spinner(`Probing SecureNow API ${cfg.apiUrl}`);
+    const api = await probe(`${cfg.apiUrl.replace(/\/$/, '')}/health`);
+    if (api.ok) spin3.stop(`API reachable (HTTP ${api.status})`);
+    else spin3.fail(`API unreachable: ${api.error}`);
+    checks.push({ name: 'api', ...api });
+  }
+
+  // Config sanity
+  const warnings = [];
+  if (!process.env.SECURENOW_APPID && !process.env.OTEL_SERVICE_NAME) {
+    warnings.push('No SECURENOW_APPID or OTEL_SERVICE_NAME set — a UUID-suffixed name will be generated.');
+  }
+  if (cfg.instance === 'https://freetrial.securenow.ai:4318') {
+    warnings.push('Using the free-trial collector — set SECURENOW_INSTANCE for production.');
+  }
+  if (!cfg.apiKey && cfg.firewallEnabled) {
+    warnings.push('Firewall enabled but SECURENOW_API_KEY missing — blocklist will not sync.');
+  }
+
+  const ok = checks.every((c) => c.ok);
+
+  if (flags.json) {
+    ui.json({ ok, resolved: cfg, checks, warnings });
+    process.exit(ok ? 0 : 1);
+  }
+
+  if (warnings.length) {
+    ui.heading('Warnings');
+    for (const w of warnings) ui.warn(w);
+  }
+
+  console.log('');
+  if (ok) ui.success('All checks passed.');
+  else ui.error('One or more checks failed. Run with --json for details.');
+  console.log('');
+
+  process.exit(ok ? 0 : 1);
+}
+
+module.exports = { testSpan, logSend, doctor, env };

package/cli/firewall.js

@@ -0,0 +1,100 @@
+'use strict';
+
+const { api, requireAuth } = require('./client');
+const ui = require('./ui');
+
+async function status(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Checking firewall status');
+
+  try {
+    const data = await api.get('/firewall/status');
+
+    s.stop('Firewall status retrieved');
+
+    if (flags.json) {
+      ui.json(data);
+      return;
+    }
+
+    console.log('');
+    console.log(`  ${ui.c.bold(ui.c.green('Firewall: ENABLED'))}`);
+    console.log('');
+    ui.keyValue([
+      ['Blocked IPs', `${data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
+      ['Last updated', data.updatedAt || 'unknown'],
+      ['Allowed IPs', data.allowlistCount != null ? `${data.allowlistCount} total (${data.allowlistExactCount} exact + ${data.allowlistCidrCount} CIDR ranges)` : '0'],
+      ['Allowlist updated', data.allowlistUpdatedAt || 'never'],
+      ['Sync TTL', `${data.ttl || 60}s`],
+    ]);
+    if (data.allowlistCount > 0) {
+      console.log('');
+      console.log(`  ${ui.c.yellow('!')} Allowlist is active — only ${data.allowlistCount} IP(s) can reach your app`);
+    }
+    console.log('');
+    console.log(`  ${ui.c.dim('Manage your blocklist:')} securenow blocklist`);
+    console.log(`  ${ui.c.dim('Manage your allowlist:')} securenow allowlist`);
+    console.log(`  ${ui.c.dim('Test an IP:')} securenow firewall test-ip <ip>`);
+    console.log('');
+  } catch (err) {
+    if (err.statusCode === 401 || err.status === 401) {
+      s.fail('Authentication failed');
+      ui.error('API key is invalid or missing the firewall:read scope.');
+      ui.info('Create an API key with firewall:read scope in the dashboard.');
+    } else {
+      s.fail('Failed to check firewall status');
+      throw err;
+    }
+  }
+}
+
+async function testIp(args, flags) {
+  requireAuth();
+  const ip = args[0];
+  if (!ip) {
+    ui.error('Usage: securenow firewall test-ip <ip-address>');
+    process.exit(1);
+  }
+
+  const s = ui.spinner(`Testing IP ${ip}`);
+
+  try {
+    const data = await api.get(`/firewall/check/${encodeURIComponent(ip)}`);
+
+    s.stop(`IP ${ip} checked`);
+
+    if (flags.json) {
+      ui.json(data);
+      return;
+    }
+
+    console.log('');
+    if (data.blocked) {
+      if (data.allowlistActive && !data.allowlisted) {
+        console.log(`  ${ui.c.bold(ui.c.red('BLOCKED'))} — ${ip} is not on the allowlist`);
+        console.log(`  ${ui.c.dim('Allowlist is active — only listed IPs are permitted')}`);
+      } else {
+        console.log(`  ${ui.c.bold(ui.c.red('BLOCKED'))} — ${ip} is in the blocklist`);
+        if (data.matchedEntry && data.matchedEntry !== ip) {
+          console.log(`  ${ui.c.dim(`Matched by: ${data.matchedEntry}`)}`);
+        }
+      }
+    } else {
+      if (data.allowlisted) {
+        console.log(`  ${ui.c.bold(ui.c.green('ALLOWED'))} — ${ip} is on the allowlist`);
+      } else {
+        console.log(`  ${ui.c.bold(ui.c.green('ALLOWED'))} — ${ip} is not in the blocklist`);
+      }
+    }
+    console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries`)}`);
+    if (data.allowlistActive) {
+      console.log(`  ${ui.c.dim('Allowlist is active')}`);
+    }
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to test IP');
+    throw err;
+  }
+}
+
+module.exports = { status, testIp };