sliftutils 1.0.2 → 1.1.0

package/misc/https/httpsCerts.d.ts

@@ -0,0 +1,18 @@
+/** NOTE: We also generate the domain *.domain */
+export declare const getHTTPSCert: {
+    (key: string): Promise<{
+        key: string;
+        cert: string;
+    }>;
+    clear(key: string): void;
+    clearAll(): void;
+    forceSet(key: string, value: Promise<{
+        key: string;
+        cert: string;
+    }>): void;
+    getAllKeys(): string[];
+    get(key: string): Promise<{
+        key: string;
+        cert: string;
+    }> | undefined;
+};

package/misc/https/httpsCerts.ts

@@ -0,0 +1,184 @@
+
+import { addRecord, deleteRecord, getRecords, setRecord } from "./dns";
+import { cache, lazy } from "socket-function/src/caching";
+import * as forge from "node-forge";
+import acme from "acme-client";
+import { magenta, red } from "socket-function/src/formatting/logColors";
+import { formatDateTime, formatTime } from "socket-function/src/formatting/format";
+import { timeInMinute } from "socket-function/src/misc";
+import { delay } from "socket-function/src/batching";
+import fs from "fs";
+import { getKeyStore } from "./persistentLocalStorage";
+
+
+// Expire EXPIRATION_THRESHOLD% of the way through the certificate's lifetime
+const EXPIRATION_THRESHOLD = 0.4;
+
+/** NOTE: We also generate the domain *.domain */
+export const getHTTPSCert = cache(async (domain: string): Promise<{ key: string; cert: string }> => {
+    if (!domain.endsWith(".")) {
+        domain = domain + ".";
+    }
+    let keyCert: { key: string; cert: string } | undefined;
+    let path = domain + ".cert";
+
+    try {
+        keyCert = JSON.parse(fs.readFileSync(path, "utf8")) as { key: string; cert: string };
+    } catch { }
+    if (keyCert) {
+        // If 40% of the lifetime has passed, renew it (has to be < the threshold
+        //  in EdgeCertController).
+        let certObj = parseCert(keyCert.cert);
+        let expirationTime = +new Date(certObj.validity.notAfter);
+        let createTime = +new Date(certObj.validity.notBefore);
+        let renewDate = createTime + (expirationTime - createTime) * EXPIRATION_THRESHOLD;
+        if (renewDate < Date.now()) {
+            console.log(magenta(`Renewing domain ${domain} (renew target is ${formatDateTime(renewDate)}).`));
+            keyCert = undefined;
+        }
+    } else {
+        console.log(magenta(`No cert found for domain ${domain}, generating shortly.`));
+    }
+    if (keyCert) {
+        return keyCert;
+    }
+
+    const accountKey = await getAccountKey(domain);
+    let altDomains: string[] = [];
+
+    // altDomains.push("noproxy." + domain);
+    // // NOTE: Allowing local access is just an optimization, not to avoid having to forward ports
+    // //  (unless you type 127-0-0-1.domain into the browser... then I guess you don't have to forward ports?)
+    // altDomains.push("127-0-0-1." + domain);
+
+    // NOTE: I forget why we were not allowing wildcard domains. I think it was to prevent
+    //  any HTTPS domains from impersonating servers. But... servers have two levels, so that isn't
+    //  an issue. And even if they didn't they store their public key in their domain, so you
+    //  can't really impersonate them anyways...
+    //  - AND, we need this for IP type A records, which... we need to pick the server we want
+    //      to connect to.
+    altDomains.push("*." + domain);
+
+    try {
+        keyCert = await generateCert({ accountKey, domain, altDomains });
+    } catch (e) {
+        if (String(e).includes("authorization must be pending")) {
+            console.log(`Authorization appears to be pending, waiting 2 minutes for other process to create certificate`);
+            await delay(timeInMinute * 2);
+            return await getHTTPSCert(domain);
+        }
+        throw e;
+    }
+    await fs.promises.writeFile(path, JSON.stringify(keyCert));
+    return keyCert;
+});
+
+
+const getAccountKey = async function getAccountKey(domain: string) {
+    let accountKey = getKeyStore<string>(domain, "letsEncryptAccountKey");
+    let secret = await accountKey.get();
+    if (!secret) {
+        // Should only HAPPEN ONCE, EVER!
+        console.error(red(`Generating new letsencrypt account key`));
+        const keyPair = forge.pki.rsa.generateKeyPair();
+        secret = forge.pki.privateKeyToPem(keyPair.privateKey);
+        await accountKey.set(secret);
+    }
+    return secret;
+};
+
+
+function parseCert(PEMorDER: string | Buffer) {
+    return forge.pki.certificateFromPem(normalizeCertToPEM(PEMorDER));
+}
+
+function normalizeCertToPEM(PEMorDER: string | Buffer): string {
+    if (PEMorDER.toString().startsWith("-----BEGIN CERTIFICATE-----")) {
+        return PEMorDER.toString();
+    }
+    PEMorDER = PEMorDER.toString("base64");
+    return "-----BEGIN CERTIFICATE-----\n" + PEMorDER + "\n-----END CERTIFICATE-----";
+}
+
+
+async function generateCert(config: {
+    accountKey: string;
+    domain: string;
+    altDomains?: string[];
+}): Promise<{
+    domains: string[];
+    key: string;
+    cert: string;
+}> {
+    let { accountKey, domain } = config;
+
+    console.log(magenta(`Generating new cert for ${domain}`));
+
+    let domainList = [domain, ...config.altDomains || []];
+    // Strip trailing "."
+    domainList = domainList.map(x => x.endsWith(".") ? x.slice(0, -1) : x);
+
+    const [certificateKey, certificateCsr] = await acme.forge.createCsr({
+        commonName: domainList[0],
+        altNames: domainList.slice(1),
+    });
+
+    // So... acme-client is fine. Just re-implement the "auto" mode ourselves, to have more control over it.
+    const client = new acme.Client({
+        directoryUrl: acme.directory.letsencrypt.production,
+        accountKey: accountKey,
+    });
+
+    const accountPayload = {
+        termsOfServiceAgreed: true,
+        contact: [`mailto:devops@perspectanalytics.com`],
+    };
+
+    try {
+        await client.getAccountUrl();
+    } catch {
+        await client.createAccount(accountPayload);
+    }
+
+    const orderPayload = {
+        identifiers: domainList.map(domain => ({ type: "dns", value: domain })),
+    };
+    const order = await client.createOrder(orderPayload);
+    const authorizations = await client.getAuthorizations(order);
+    console.log(`Starting authorizations: ${JSON.stringify(authorizations)}`);
+
+    for (let auth of authorizations) {
+        if (auth.status === "valid") {
+            console.log(`Authorization already valid for ${auth.identifier.value}`);
+            continue;
+        }
+        console.log(`Starting authorization for ${JSON.stringify(auth)}`);
+
+        // Only use DNS authorization
+        let challenge = auth.challenges.find(x => x.type === "dns-01");
+        if (!challenge) {
+            throw new Error("No DNS challenge found");
+        }
+        const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
+
+        let hostname = auth.identifier.value;
+        let challengeRecordName = "_acme-challenge." + hostname + ".";
+        await setRecord("TXT", challengeRecordName, keyAuthorization);
+
+        await client.completeChallenge(challenge);
+        console.log(`Challenge completed`);
+
+        await client.waitForValidStatus(challenge);
+        console.log(`Status of order is valid`);
+    }
+
+    const finalized = await client.finalizeOrder(order, certificateCsr);
+    console.log(`Order finalized`);
+
+    let cert = await client.getCertificate(finalized);
+    return {
+        domains: domainList,
+        key: certificateKey.toString(),
+        cert: cert,
+    };
+}

package/misc/https/node-forge-ed25519.d.ts

@@ -0,0 +1,17 @@
+
+
+declare module "node-forge" {
+    declare type Ed25519PublicKey = {
+        publicKeyBytes: Buffer;
+    } & Buffer;
+    declare type Ed25519PrivateKey = {
+        privateKeyBytes: Buffer;
+    } & Buffer;
+    class ed25519 {
+        static generateKeyPair(): { publicKey: Ed25519PublicKey, privateKey: Ed25519PrivateKey };
+        static privateKeyToPem(key: Ed25519PrivateKey): string;
+        static privateKeyFromPem(pem: string): Ed25519PrivateKey;
+        static publicKeyToPem(key: Ed25519PublicKey): string;
+        static publicKeyFromPem(pem: string): Ed25519PublicKey;
+    }
+}

package/misc/https/persistentLocalStorage.d.ts

@@ -0,0 +1,5 @@
+import { MaybePromise } from "socket-function/src/types";
+export declare function getKeyStore<T>(appName: string, key: string): {
+    get(): MaybePromise<T | undefined>;
+    set(value: T | null): MaybePromise<void>;
+};

package/misc/https/persistentLocalStorage.ts

@@ -0,0 +1,36 @@
+import { isNode } from "socket-function/src/misc";
+import fs from "fs";
+import os from "os";
+import { MaybePromise } from "socket-function/src/types";
+import { cache } from "socket-function/src/caching";
+
+export function getKeyStore<T>(appName: string, key: string): {
+    get(): MaybePromise<T | undefined>;
+    set(value: T | null): MaybePromise<void>;
+} {
+    if (isNode()) {
+        let path = os.homedir() + `/keystore_${appName}_` + key + ".json";
+        return {
+            get() {
+                let contents: string | undefined = undefined;
+                try { contents = fs.readFileSync(path, "utf8"); } catch { }
+                if (!contents) return undefined;
+                return JSON.parse(contents) as T;
+            },
+            set(value: T | null) {
+                fs.writeFileSync(path, JSON.stringify(value));
+            }
+        };
+    } else {
+        return {
+            get() {
+                let json = localStorage.getItem(key);
+                if (!json) return undefined;
+                return JSON.parse(json) as T;
+            },
+            set(value: T | null) {
+                localStorage.setItem(key, JSON.stringify(value));
+            }
+        };
+    }
+}

package/misc/openrouter.d.ts

@@ -29,7 +29,7 @@ export declare function yamlOpenRouterCall<T>(config: {
     validate?: (response: T) => void;
 }): Promise<T>;
 export declare function simpleAICall(model: string, message: string): Promise<string>;
-/** The message must request the result to be returned in YAML. */
+/** The message must request the result to be returned in YAML (we automatically parse this and return an object). */
 export declare function simpleAICallTyped<T>(model: string, message: string): Promise<T>;
 export declare function openRouterCall(config: {
     model: string;

package/misc/openrouter.ts

@@ -58,7 +58,7 @@ export async function simpleAICall(model: string, message: string): Promise<stri
         messages: [{ role: "user", content: message }],
     });
 }
-/** The message must request the result to be returned in YAML. */
+/** The message must request the result to be returned in YAML (we automatically parse this and return an object). */
 export async function simpleAICallTyped<T>(model: string, message: string): Promise<T> {
     return await yamlOpenRouterCall({
         model,

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "sliftutils",
-    "version": "1.0.2",
+    "version": "1.1.0",
     "main": "index.js",
     "license": "MIT",
     "files": [
@@ -43,7 +43,9 @@
     },
     "dependencies": {
         "@types/chrome": "^0.0.237",
+        "@types/node-forge": "^1.3.11",
         "@types/shell-quote": "^1.7.5",
+        "acme-client": "^5.0.0",
         "js-sha256": "^0.11.1",
         "mobx": "^6.13.3",
         "preact-old-types": "^10.28.1",

package/render-utils/Anchor.tsx

@@ -25,7 +25,8 @@ export class Anchor extends preact.Component<{
             <a
                 {...remaining}
                 className={
-                    css.textDecoration("none")
+                    "Anchor "
+                    + css.textDecoration("none")
                         .opacity(0.8, "hover")
                     + (selected && css.color("hsl(110, 75%, 65%)", "soft"))
                     + (!selected && css.color("hsl(210, 75%, 65%)", "soft"))

package/web/Page.tsx

@@ -48,7 +48,7 @@ export class Page extends preact.Component {
 
         return (
             <div className={css.size("100vw", "100vh").vbox(0)}>
-                <div className={css.hbox(12).pad2(20, 0)}>
+                <div className={css.hbox(12).pad2(20, 10).paddingBottom(5, "important")}>
                     {pages.map(p => (
                         <Anchor key={p.key} params={[[pageURL, p.key]]}>
                             {p.key}

package/web/browser.tsx

@@ -6,7 +6,7 @@ import { list } from "socket-function/src/misc";
 import { enableHotReloading } from "../builders/hotReload";
 import { URLParam } from "../render-utils/URLParam";
 import { Page } from "./Page";
-import { configureMobxNextFrameScheduler } from "sliftutils/render-utils/mobxTyped";
+import { configureMobxNextFrameScheduler } from "../render-utils/mobxTyped";
 
 
 async function main() {

package/web/index.html

@@ -23,6 +23,9 @@
             margin: 0px;
             padding: 0px;
         }
+        a:not(.Anchor), a:visited:not(.Anchor) {
+            color: hsl(210, 75%, 65%);
+        }
     </style>
 </head>
 <body>