securenow 7.7.16 → 8.0.0

package/firewall.js

@@ -17,6 +17,7 @@ let _initialized = false;
 let _consecutiveErrors = 0;
 let _layers = [];
 let _rawIps = [];
+let _blocklistRules = [];
 let _stats = { syncs: 0, blocked: 0, rateLimited: 0, allowed: 0, versionChecks: 0, errors: 0, suppressedDisabled: 0 };
 let _localhostFallbackTried = false;
 let _eventQueue = [];
@@ -37,8 +38,8 @@ let _lastAllowlistModified = null;
 let _lastAllowlistVersion = null;
 let _lastAllowlistSyncEtag = null;
 
-// Rate-limit policy state is synced in Phase 1 for forward compatibility.
-// Enforcement is intentionally added in the next SDK phase.
+// Route/method-scoped policy state. Global IP/CIDR blocks stay in _matcher so
+// TCP, OS firewall, and Cloud WAF layers never over-enforce an HTTP-only rule.
 let _rateLimitRules = [];
 let _lastRateLimitVersion = null;
 let _rateLimitBuckets = new Map();
@@ -322,9 +323,44 @@ function reportFirewallEvent(event) {
   if (_eventQueue.length >= EVENT_BATCH_SIZE) flushFirewallEvents();
   else scheduleEventFlush();
 }
-
+
+function normalizePrefixPattern(pattern) {
+  const value = String(pattern || '');
+  return value.endsWith('*') ? value.slice(0, -1) : value;
+}
+
+function normalizeBlocklistRules(rules) {
+  if (!Array.isArray(rules)) return [];
+  return rules
+    .map((rule) => {
+      if (!rule || !rule.ip) return null;
+      const pathMatchMode = ['exact', 'prefix', 'regex'].includes(String(rule.pathMatchMode || '').toLowerCase())
+        ? String(rule.pathMatchMode).toLowerCase()
+        : 'prefix';
+      return {
+        ...rule,
+        ip: String(rule.ip || '').trim(),
+        method: String(rule.method || 'ALL').toUpperCase(),
+        pathPattern: pathMatchMode === 'prefix'
+          ? normalizePrefixPattern(rule.pathPattern)
+          : String(rule.pathPattern || '').trim(),
+        pathMatchMode,
+      };
+    })
+    .filter(Boolean);
+}
+
+function setBlocklistData(ips, rules) {
+  const normalizedIps = Array.isArray(ips) ? ips : [];
+  _rawIps = normalizedIps;
+  _blocklistRules = normalizeBlocklistRules(rules);
+  _matcher = createMatcher(normalizedIps);
+  _stats.syncs++;
+  notifyLayers(normalizedIps);
+}
+
 // Unified Sync (v2 - single request for everything)
-
+
 function doUnifiedSync(callback) {
   const query = new URLSearchParams();
   if (_options.appKey) query.set('app', _options.appKey);
@@ -389,13 +425,10 @@ function doUnifiedSync(callback) {
         }
       }
 
-      if (body.blocklistIps) {
-        _rawIps = body.blocklistIps;
-        _matcher = createMatcher(body.blocklistIps);
-        _stats.syncs++;
-        notifyLayers(body.blocklistIps);
-        blChanged = true;
-      }
+      if (body.blocklistIps || body.blocklistRules) {
+        setBlocklistData(body.blocklistIps || [], body.blocklistRules || []);
+        blChanged = true;
+      }
 
       // Update allowlist version + data
       if (body.allowlist) {
@@ -445,16 +478,13 @@ function legacyBlocklistSync(callback) {
     if (res.statusCode === 429) { handleRetryAfter(res); }
     if (res.statusCode !== 200) return callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
 
-    try {
-      const body = JSON.parse(data);
-      const ips = body.ips || [];
-      _rawIps = ips;
-      _matcher = createMatcher(ips);
-      _lastModified = res.headers['last-modified'] || null;
-      if (res.headers['etag']) _lastSyncEtag = res.headers['etag'];
-      _stats.syncs++;
-      notifyLayers(ips);
-      callback(null, true, _matcher.stats());
+    try {
+      const body = JSON.parse(data);
+      const ips = body.ips || [];
+      setBlocklistData(ips, body.rules || body.blocklistRules || []);
+      _lastModified = res.headers['last-modified'] || null;
+      if (res.headers['etag']) _lastSyncEtag = res.headers['etag'];
+      callback(null, true, _matcher.stats());
     } catch (e) {
       callback(new Error(`Failed to parse blocklist: ${e.message}`));
     }
@@ -612,16 +642,17 @@ function pollOnce(callback) {
     _consecutiveErrors = 0;
     resetCircuit();
     if (result) {
-      if (result.blChanged && _options.log && _matcher) {
-        const s = _matcher.stats();
-        fwLog('[securenow] Firewall: re-synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
-      }
+      if (result.blChanged && _options.log && _matcher) {
+        const s = _matcher.stats();
+        fwLog('[securenow] Firewall: re-synced %d global blocked IPs (%d exact + %d CIDR ranges) and %d scoped block rules',
+          s.total, s.exact, s.cidr, _blocklistRules.length);
+      }
       if (result.alChanged && _options.log && _allowlistMatcher) {
         const s = _allowlistMatcher.stats();
         fwLog('[securenow] Firewall: re-synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
       }
       if (result.rlChanged && _options.log) {
-        fwLog('[securenow] Firewall: re-synced %d rate-limit rules (enforcement pending SDK phase 2)', _rateLimitRules.length);
+        fwLog('[securenow] Firewall: re-synced %d rate-limit rules', _rateLimitRules.length);
       }
     }
     callback(null);
@@ -701,17 +732,18 @@ function startSyncLoop() {
         return;
       }
 
-      _initialized = true;
-      if (_options.log && _matcher) {
-        const s = _matcher.stats();
-        fwLog('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
-      }
+      _initialized = true;
+      if (_options.log && _matcher) {
+        const s = _matcher.stats();
+        fwLog('[securenow] Firewall: synced %d global blocked IPs (%d exact + %d CIDR ranges) and %d scoped block rules',
+          s.total, s.exact, s.cidr, _blocklistRules.length);
+      }
       if (_options.log && _allowlistMatcher) {
         const s = _allowlistMatcher.stats();
         if (s.total > 0) fwLog('[securenow] Firewall: synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
       }
       if (_options.log && _rateLimitRules.length > 0) {
-        fwLog('[securenow] Firewall: synced %d rate-limit rules (enforcement pending SDK phase 2)', _rateLimitRules.length);
+        fwLog('[securenow] Firewall: synced %d rate-limit rules', _rateLimitRules.length);
       }
     });
   }
@@ -859,7 +891,7 @@ function rulePathMatches(rule, path) {
   if (mode === 'regex') {
     try { return new RegExp(pattern).test(path); } catch (_) { return false; }
   }
-  return path.startsWith(pattern);
+  return path.startsWith(normalizePrefixPattern(pattern));
 }
 
 function rateLimitKey(rule, ip) {
@@ -868,6 +900,28 @@ function rateLimitKey(rule, ip) {
   return `${id}|${subject}`;
 }
 
+function checkBlocklistRules(req, ip) {
+  if (!_blocklistRules || _blocklistRules.length === 0) return null;
+  const method = String(req.method || 'GET').toUpperCase();
+  const path = requestPath(req);
+
+  for (const rule of _blocklistRules) {
+    if (!rule) continue;
+    const ruleMethod = String(rule.method || 'ALL').toUpperCase();
+    if (ruleMethod !== 'ALL' && ruleMethod !== method) continue;
+    if (!ruleIpMatches(rule, ip)) continue;
+    if (!rulePathMatches(rule, path)) continue;
+    return {
+      rule,
+      ruleId: rule.id || rule._id || '',
+      matchedEntry: rule.ip || ip,
+      path,
+    };
+  }
+
+  return null;
+}
+
 function checkRateLimitRules(req, ip) {
   if (!_rateLimitRules || _rateLimitRules.length === 0) return null;
   const method = String(req.method || 'GET').toUpperCase();
@@ -963,6 +1017,24 @@ function firewallRequestHandler(req, res) {
     return true;
   }
 
+  const blockRuleDecision = checkBlocklistRules(req, ip);
+  if (blockRuleDecision) {
+    _stats.blocked++;
+    if (_options && _options.log) {
+      fwLog('[securenow] Firewall: blocked %s via HTTP (rule=%s)', ip, blockRuleDecision.ruleId || 'scoped');
+    }
+    reportFirewallEvent({
+      source: 'blocklist',
+      ip,
+      matchedEntry: blockRuleDecision.matchedEntry || ip,
+      method: req.method || '',
+      path: blockRuleDecision.path || req.url || '',
+      userAgent: req.headers['user-agent'] || '',
+    });
+    sendBlockResponse(req, res, ip);
+    return true;
+  }
+
   const rateLimitDecision = checkRateLimitRules(req, ip);
   if (rateLimitDecision) {
     _stats.rateLimited++;
@@ -1094,6 +1166,7 @@ function shutdown() {
   _pollInflight = false;
   _retryAfterUntil = 0;
   _localhostFallbackTried = false;
+  _blocklistRules = [];
   _rateLimitRules = [];
   _rateLimitBuckets = new Map();
   _remainingApiUrlFallbacks = [];
@@ -1119,8 +1192,9 @@ function shutdown() {
 
 function getStats() {
   return {
-    ..._stats,
+    ..._stats,
     matcher: _matcher ? _matcher.stats() : null,
+    blocklistRules: _blocklistRules.length,
     allowlistMatcher: _allowlistMatcher ? _allowlistMatcher.stats() : null,
     rateLimitRules: _rateLimitRules.length,
     rateLimitBuckets: _rateLimitBuckets.size,
@@ -1139,7 +1213,8 @@ function getStats() {
 // as "no IPs to block" without us mutating the cached matcher.
 function getMatcher() { return _remoteEnabled === false ? null : _matcher; }
 function getAllowlistMatcher() { return _remoteEnabled === false ? null : _allowlistMatcher; }
+function getBlocklistRules() { return _remoteEnabled === false ? [] : _blocklistRules.slice(); }
 function getRateLimitRules() { return _remoteEnabled === false ? [] : _rateLimitRules.slice(); }
 function isRemoteEnabled() { return _remoteEnabled !== false; }
 
-module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher, getRateLimitRules, isRemoteEnabled };
+module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher, getBlocklistRules, getRateLimitRules, isRemoteEnabled };