society-protocol 1.0.0

package/dist/security.js

@@ -0,0 +1,652 @@
+/**
+ * Society Protocol - Advanced Security Layer v1.0
+ *
+ * Camada de segurança aprimorada:
+ * - End-to-end encryption (E2EE)
+ * - Key rotation automático
+ * - Permission system granular
+ * - Audit logging
+ * - Rate limiting avançado
+ * - Content sanitization
+ * - DDoS protection
+ * - Threat detection
+ */
+import { createHash, randomBytes, createCipheriv, createDecipheriv } from 'crypto';
+import { promisify } from 'util';
+import { sign as identitySign, verify as identityVerify } from './identity.js';
+const randomBytesAsync = promisify(randomBytes);
+// ─── End-to-End Encryption ───────────────────────────────────────
+export class E2EEncryption {
+    keys = new Map();
+    sharedSecrets = new Map();
+    config;
+    constructor(config) {
+        this.config = {
+            algorithm: config?.algorithm || 'aes-256-gcm',
+            keyRotationInterval: config?.keyRotationInterval || 24 * 60 * 60 * 1000, // 24h
+            forwardSecrecy: config?.forwardSecrecy ?? true
+        };
+        // Rotacionar chaves periodicamente
+        setInterval(() => this.rotateKeys(), this.config.keyRotationInterval);
+    }
+    /**
+     * Gerar par de chaves X25519 para Diffie-Hellman
+     */
+    async generateKeyPair(identityId) {
+        // Usar Web Crypto API
+        const keyPair = await crypto.subtle.generateKey({
+            name: 'X25519'
+        }, true, // extractable
+        ['deriveBits']);
+        this.keys.set(identityId, keyPair);
+        return keyPair;
+    }
+    /**
+     * Derivar segredo compartilhado com outro participante
+     */
+    async deriveSharedSecret(myId, theirPublicKey) {
+        const myKeyPair = this.keys.get(myId);
+        if (!myKeyPair) {
+            throw new Error('Key pair not found');
+        }
+        // Importar chave pública do outro
+        const theirKey = await crypto.subtle.importKey('raw', theirPublicKey, { name: 'X25519' }, false, []);
+        // Derivar segredo
+        const sharedSecret = await crypto.subtle.deriveBits({
+            name: 'X25519',
+            public: theirKey
+        }, myKeyPair.privateKey, 256);
+        const secret = new Uint8Array(sharedSecret);
+        // Derivar chave de criptografia
+        const key = await this.deriveEncryptionKey(secret);
+        const cacheKey = `${myId}:${Buffer.from(theirPublicKey).toString('hex')}`;
+        this.sharedSecrets.set(cacheKey, key);
+        return key;
+    }
+    /**
+     * Criptografar mensagem
+     */
+    async encrypt(plaintext, recipientPublicKey, senderId) {
+        const key = await this.deriveSharedSecret(senderId, recipientPublicKey);
+        // Gerar nonce
+        const nonce = await randomBytesAsync(12);
+        // Criptografar
+        const data = new TextEncoder().encode(plaintext);
+        let ciphertext;
+        if (this.config.algorithm === 'aes-256-gcm') {
+            // Usar AES-256-GCM via Node.js crypto
+            const cipher = createCipheriv('aes-256-gcm', key.slice(0, 32), nonce);
+            const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+            const authTag = cipher.getAuthTag();
+            ciphertext = new Uint8Array(Buffer.concat([encrypted, authTag]));
+        }
+        else {
+            throw new Error(`Unsupported encryption algorithm: ${this.config.algorithm}`);
+        }
+        return { ciphertext, nonce };
+    }
+    /**
+     * Descriptografar mensagem
+     */
+    async decrypt(ciphertext, nonce, senderPublicKey, recipientId) {
+        const key = await this.deriveSharedSecret(recipientId, senderPublicKey);
+        let plaintext;
+        if (this.config.algorithm === 'aes-256-gcm') {
+            const decipher = createDecipheriv('aes-256-gcm', key.slice(0, 32), nonce);
+            const authTag = ciphertext.slice(-16);
+            decipher.setAuthTag(authTag);
+            const encrypted = ciphertext.slice(0, -16);
+            plaintext = new Uint8Array(Buffer.concat([
+                decipher.update(encrypted),
+                decipher.final()
+            ]));
+        }
+        else {
+            throw new Error(`Unsupported encryption algorithm: ${this.config.algorithm}`);
+        }
+        return new TextDecoder().decode(plaintext);
+    }
+    async deriveEncryptionKey(sharedSecret) {
+        // HKDF via Web Crypto API (RFC 5869)
+        // Use a deterministic salt derived from the shared secret itself,
+        // so both sides derive the same key from the same DH output.
+        const ikm = await crypto.subtle.importKey('raw', sharedSecret, 'HKDF', false, ['deriveBits']);
+        const salt = createHash('sha256').update('society-hkdf-salt-v1').digest();
+        const info = new TextEncoder().encode('society-protocol-e2e-v1');
+        const derived = await crypto.subtle.deriveBits({
+            name: 'HKDF',
+            hash: 'SHA-256',
+            salt,
+            info,
+        }, ikm, 256 // 32 bytes
+        );
+        return new Uint8Array(derived);
+    }
+    async xorWithKey(data, key) {
+        const result = new Uint8Array(data.length);
+        for (let i = 0; i < data.length; i++) {
+            result[i] = data[i] ^ key[i % key.length];
+        }
+        return result;
+    }
+    rotateKeys() {
+        // Implementar rotação de chaves
+        console.log('[security] Rotating encryption keys...');
+        if (this.config.forwardSecrecy) {
+            // Limpar segredos antigos
+            this.sharedSecrets.clear();
+        }
+    }
+}
+// ─── Permission System ───────────────────────────────────────────
+export class PermissionManager {
+    roles = new Map();
+    userPermissions = new Map();
+    acl = new Map(); // resource -> Set<did>
+    constructor() {
+        this.setupDefaultRoles();
+    }
+    setupDefaultRoles() {
+        this.roles.set('guest', [
+            { resource: 'room:*', action: 'read' },
+            { resource: 'message:*', action: 'read' }
+        ]);
+        this.roles.set('member', [
+            { resource: 'room:*', action: 'read' },
+            { resource: 'room:*', action: 'write' },
+            { resource: 'message:*', action: 'read' },
+            { resource: 'message:*', action: 'write' },
+            { resource: 'coc:*', action: 'execute' }
+        ]);
+        this.roles.set('moderator', [
+            { resource: '*', action: 'read' },
+            { resource: 'room:*', action: 'admin' },
+            { resource: 'member:*', action: 'admin' },
+            { resource: 'message:*', action: 'admin' }
+        ]);
+        this.roles.set('admin', [
+            { resource: '*', action: 'admin' }
+        ]);
+    }
+    /**
+     * Verificar se usuário tem permissão
+     */
+    checkPermission(context, resource, action) {
+        // Verificar permissões diretas
+        const userPerms = this.userPermissions.get(context.identity.did) || [];
+        if (this.hasMatchingPermission(userPerms, resource, action)) {
+            return this.checkConditions(context, userPerms, resource, action);
+        }
+        // Verificar via roles
+        // TODO: Implementar sistema de roles vinculado ao context
+        return false;
+    }
+    /**
+     * Conceder permissão a usuário
+     */
+    grantPermission(did, permission) {
+        if (!this.userPermissions.has(did)) {
+            this.userPermissions.set(did, []);
+        }
+        this.userPermissions.get(did).push(permission);
+    }
+    /**
+     * Revogar permissão
+     */
+    revokePermission(did, resource, action) {
+        const perms = this.userPermissions.get(did);
+        if (!perms)
+            return;
+        const filtered = perms.filter(p => !(p.resource === resource && p.action === action));
+        this.userPermissions.set(did, filtered);
+    }
+    /**
+     * Verificar ACL de recurso
+     */
+    checkACL(resource, did) {
+        const allowed = this.acl.get(resource);
+        if (!allowed)
+            return true; // Sem ACL = aberto
+        return allowed.has(did) || allowed.has('*');
+    }
+    /**
+     * Adicionar entrada ACL
+     */
+    addToACL(resource, did) {
+        if (!this.acl.has(resource)) {
+            this.acl.set(resource, new Set());
+        }
+        this.acl.get(resource).add(did);
+    }
+    hasMatchingPermission(permissions, resource, action) {
+        return permissions.some(p => {
+            const resourceMatch = this.matchResource(p.resource, resource);
+            const actionMatch = p.action === action || p.action === 'admin';
+            return resourceMatch && actionMatch;
+        });
+    }
+    matchPermission(pattern, resource) {
+        // Suportar wildcards: room:*:message → room:abc123:message
+        const regex = new RegExp('^' + pattern.replace(/\*/g, '[^:]*') + '$');
+        return regex.test(resource);
+    }
+    matchResource(pattern, resource) {
+        if (pattern === '*')
+            return true;
+        if (pattern === resource)
+            return true;
+        // Wildcard: room:*:message
+        const regex = new RegExp('^' + pattern.replace(/\*/g, '[^:]*') + '$');
+        return regex.test(resource);
+    }
+    checkConditions(context, permissions, resource, action) {
+        const perm = permissions.find(p => this.matchResource(p.resource, resource) &&
+            (p.action === action || p.action === 'admin'));
+        if (!perm?.conditions)
+            return true;
+        const cond = perm.conditions;
+        // Verificar time window
+        if (cond.timeWindow) {
+            const now = Date.now();
+            if (now < cond.timeWindow.start || now > cond.timeWindow.end) {
+                return false;
+            }
+        }
+        // Verificar IP whitelist
+        if (cond.ipWhitelist && context.ip) {
+            if (!cond.ipWhitelist.includes(context.ip)) {
+                return false;
+            }
+        }
+        // Verificar reputação mínima
+        if (cond.reputationMin && context.reputation < cond.reputationMin) {
+            return false;
+        }
+        // Verificar MFA
+        if (cond.mfaRequired && !context.mfaVerified) {
+            return false;
+        }
+        return true;
+    }
+}
+// ─── Audit Logger ────────────────────────────────────────────────
+export class AuditLogger {
+    events = [];
+    maxSize;
+    listeners = [];
+    constructor(maxSize = 10000) {
+        this.maxSize = maxSize;
+    }
+    async log(event) {
+        const fullEvent = {
+            id: `audit_${Date.now()}_${randomBytes(4).toString('hex')}`,
+            timestamp: Date.now(),
+            ...event
+        };
+        // Assinar evento para integridade
+        fullEvent.signature = await this.signEvent(fullEvent);
+        this.events.push(fullEvent);
+        // Manter tamanho limitado
+        if (this.events.length > this.maxSize) {
+            this.events = this.events.slice(-this.maxSize);
+        }
+        // Notificar listeners
+        for (const listener of this.listeners) {
+            listener(fullEvent);
+        }
+    }
+    query(filters) {
+        let results = this.events;
+        if (filters.type) {
+            results = results.filter(e => e.type === filters.type);
+        }
+        if (filters.actor) {
+            results = results.filter(e => e.actor === filters.actor);
+        }
+        if (filters.resource) {
+            results = results.filter(e => e.resource === filters.resource);
+        }
+        if (filters.severity) {
+            results = results.filter(e => e.severity === filters.severity);
+        }
+        if (filters.startTime) {
+            results = results.filter(e => e.timestamp >= filters.startTime);
+        }
+        if (filters.endTime) {
+            results = results.filter(e => e.timestamp <= filters.endTime);
+        }
+        // Ordenar por timestamp decrescente
+        results.sort((a, b) => b.timestamp - a.timestamp);
+        return results.slice(0, filters.limit || 100);
+    }
+    onEvent(listener) {
+        this.listeners.push(listener);
+    }
+    async signEvent(event) {
+        const data = JSON.stringify({
+            type: event.type,
+            actor: event.actor,
+            resource: event.resource,
+            action: event.action,
+            timestamp: event.timestamp
+        });
+        return createHash('sha256').update(data).digest('hex');
+    }
+}
+// ─── Threat Detection ────────────────────────────────────────────
+export class ThreatDetector {
+    threatIntel = new Map();
+    patterns = new Map();
+    behaviorScores = new Map();
+    constructor() {
+        this.setupPatterns();
+    }
+    setupPatterns() {
+        // Padrões de ameaça
+        this.patterns.set('spam', /\b(viagra|casino|lottery|winner)\b/gi);
+        this.patterns.set('suspicious_links', /https?:\/\/[^\s]{100,}/gi);
+        this.patterns.set('credential_harvest', /\b(password|login|credential)\s*=\s*/gi);
+    }
+    /**
+     * Analisar envelope para ameaças
+     */
+    analyzeEnvelope(envelope) {
+        const checks = [
+            this.checkKnownThreats(envelope.from.did),
+            this.checkContentPatterns(envelope),
+            this.checkBehaviorAnomalies(envelope.from.did),
+            this.checkRateAnomalies(envelope.from.did)
+        ];
+        const highestThreat = checks
+            .filter(c => c.threat)
+            .sort((a, b) => this.severityRank(b.severity) - this.severityRank(a.severity))[0];
+        return highestThreat || { threat: false, severity: 'low' };
+    }
+    /**
+     * Reportar ameaça
+     */
+    reportThreat(threat) {
+        const existing = this.threatIntel.get(threat.value);
+        if (existing) {
+            existing.lastSeen = Date.now();
+            existing.occurrences++;
+            existing.confidence = Math.min(1, existing.confidence + 0.1);
+        }
+        else {
+            const newThreat = {
+                ...threat,
+                firstSeen: Date.now(),
+                lastSeen: Date.now(),
+                occurrences: 1
+            };
+            this.threatIntel.set(threat.value, newThreat);
+        }
+    }
+    /**
+     * Verificar se está na lista de ameaças
+     */
+    isThreat(value) {
+        return this.threatIntel.get(value);
+    }
+    checkKnownThreats(did) {
+        const threat = this.threatIntel.get(did);
+        if (threat) {
+            return {
+                threat: true,
+                severity: threat.severity,
+                category: threat.category,
+                reason: `Known threat: ${threat.category}`
+            };
+        }
+        return { threat: false, severity: 'low' };
+    }
+    checkContentPatterns(envelope) {
+        const bodyStr = JSON.stringify(envelope.body);
+        for (const [category, pattern] of this.patterns) {
+            if (pattern.test(bodyStr)) {
+                return {
+                    threat: true,
+                    severity: 'medium',
+                    category: category,
+                    reason: `Pattern match: ${category}`
+                };
+            }
+        }
+        return { threat: false, severity: 'low' };
+    }
+    checkBehaviorAnomalies(did) {
+        const behavior = this.behaviorScores.get(did);
+        if (!behavior)
+            return { threat: false, severity: 'low' };
+        // Score anormalmente alto = possível Sybil ou ataque
+        if (behavior.score > 100) {
+            return {
+                threat: true,
+                severity: 'high',
+                category: 'sybil',
+                reason: 'Behavioral anomaly detected'
+            };
+        }
+        return { threat: false, severity: 'low' };
+    }
+    checkRateAnomalies(did) {
+        const behavior = this.behaviorScores.get(did);
+        if (!behavior)
+            return { threat: false, severity: 'low' };
+        // Muitos eventos em curto período
+        const recentEvents = behavior.events.filter(t => Date.now() - t < 60000);
+        if (recentEvents.length > 100) {
+            return {
+                threat: true,
+                severity: 'high',
+                category: 'ddos',
+                reason: 'Rate limit exceeded'
+            };
+        }
+        return { threat: false, severity: 'low' };
+    }
+    updateBehaviorScore(did, delta) {
+        if (!this.behaviorScores.has(did)) {
+            this.behaviorScores.set(did, { score: 0, events: [] });
+        }
+        const behavior = this.behaviorScores.get(did);
+        behavior.score += delta;
+        behavior.events.push(Date.now());
+        // Limpar eventos antigos
+        behavior.events = behavior.events.filter(t => Date.now() - t < 3600000);
+    }
+    severityRank(severity) {
+        const ranks = { low: 1, medium: 2, high: 3, critical: 4 };
+        return ranks[severity];
+    }
+}
+// ─── Content Sanitizer ───────────────────────────────────────────
+export class ContentSanitizer {
+    allowedTags = new Set(['b', 'i', 'u', 'code', 'pre', 'a']);
+    allowedSchemes = new Set(['http', 'https', 'mailto']);
+    /**
+     * Sanitizar conteúdo HTML/Markdown
+     */
+    sanitize(input) {
+        let sanitized = input;
+        // Remover scripts e eventos
+        sanitized = sanitized.replace(/<script[^>]*>.*?<\/script>/gi, '');
+        sanitized = sanitized.replace(/on\w+\s*=\s*["'][^"']*["']/gi, '');
+        sanitized = sanitized.replace(/javascript:/gi, '');
+        // Validar links
+        sanitized = sanitized.replace(/href=["']([^"']*)["']/gi, (match, url) => {
+            try {
+                const parsed = new URL(url);
+                if (this.allowedSchemes.has(parsed.protocol.slice(0, -1))) {
+                    return match;
+                }
+            }
+            catch {
+                // URL relativa - permitir
+                return match;
+            }
+            return 'href="#"';
+        });
+        // Limitar tamanho
+        if (sanitized.length > 10000) {
+            sanitized = sanitized.slice(0, 10000) + '... [truncated]';
+        }
+        return sanitized;
+    }
+    /**
+     * Validar e normalizar input
+     */
+    normalize(input) {
+        // Normalizar Unicode
+        let normalized = input.normalize('NFC');
+        // Remover caracteres de controle (exceto whitespace)
+        normalized = normalized.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '');
+        // Normalizar whitespace
+        normalized = normalized.replace(/\s+/g, ' ').trim();
+        return normalized;
+    }
+}
+// ─── Security Manager ────────────────────────────────────────────
+export class SecurityManager {
+    encryption;
+    permissions;
+    audit;
+    threats;
+    sanitizer;
+    identity;
+    localEncryptionId;
+    localEncryptionPublicKey;
+    localKeyGenerated = false;
+    constructor(identityOrConfig) {
+        const hasIdentity = this.isIdentity(identityOrConfig);
+        this.identity = hasIdentity ? identityOrConfig : undefined;
+        const config = hasIdentity ? undefined : identityOrConfig;
+        this.encryption = new E2EEncryption(config?.encryption);
+        this.permissions = new PermissionManager();
+        this.audit = new AuditLogger();
+        this.threats = new ThreatDetector();
+        this.sanitizer = new ContentSanitizer();
+        if (this.identity) {
+            this.localEncryptionId = this.identity.did;
+        }
+    }
+    /**
+     * Pipeline completo de segurança para mensagem
+     */
+    async processIncoming(envelope) {
+        // 1. Verificar ameaças
+        const threatCheck = this.threats.analyzeEnvelope(envelope);
+        if (threatCheck.threat && threatCheck.severity === 'critical') {
+            await this.audit.log({
+                type: 'violation',
+                severity: 'critical',
+                actor: envelope.from.did,
+                resource: 'network',
+                action: 'receive',
+                result: 'blocked',
+                details: { threat: threatCheck }
+            });
+            return { allowed: false, reason: threatCheck.reason };
+        }
+        // 2. Sanitizar conteúdo
+        const sanitizedBody = this.sanitizer.sanitize(JSON.stringify(envelope.body));
+        const sanitized = {
+            ...envelope,
+            body: JSON.parse(sanitizedBody)
+        };
+        // 3. Auditar
+        await this.audit.log({
+            type: 'access',
+            severity: 'info',
+            actor: envelope.from.did,
+            resource: `room:${envelope.room}`,
+            action: 'receive',
+            result: 'success',
+            details: { messageType: envelope.t }
+        });
+        return { allowed: true, sanitized };
+    }
+    /**
+     * Verificar permissão completa
+     */
+    async checkAccess(context, resource, action) {
+        // Verificar permissão
+        const hasPermission = this.permissions.checkPermission(context, resource, action);
+        if (!hasPermission) {
+            await this.audit.log({
+                type: 'access',
+                severity: 'warning',
+                actor: context.identity.did,
+                resource,
+                action,
+                result: 'blocked',
+                details: { reason: 'permission_denied' }
+            });
+            return false;
+        }
+        return true;
+    }
+    // ─── Compatibility Wrappers ───────────────────────────────────
+    async generateKeyPair(identityId) {
+        const id = identityId || this.localEncryptionId || this.identity?.did || `sec_${Date.now()}`;
+        const keyPair = await this.encryption.generateKeyPair(id);
+        if (!this.localEncryptionId) {
+            this.localEncryptionId = id;
+        }
+        if (id === this.localEncryptionId) {
+            this.localEncryptionId = id;
+            const exported = await crypto.subtle.exportKey('raw', keyPair.publicKey);
+            this.localEncryptionPublicKey = new Uint8Array(exported);
+            this.localKeyGenerated = true;
+        }
+        return keyPair;
+    }
+    async sign(message) {
+        if (!this.identity) {
+            throw new Error('Identity is required for signing');
+        }
+        const msgBase64 = Buffer.from(message).toString('base64');
+        const signatureBase64 = identitySign(this.identity, msgBase64);
+        return new Uint8Array(Buffer.from(signatureBase64, 'base64'));
+    }
+    async verify(message, signature, publicKey) {
+        const msgBase64 = Buffer.from(message).toString('base64');
+        const signatureBase64 = Buffer.from(signature).toString('base64');
+        return identityVerify(publicKey, msgBase64, signatureBase64);
+    }
+    async encrypt(plaintext, recipientPublicKey) {
+        const senderId = await this.ensureEncryptionIdentity();
+        const encodedPlaintext = Buffer.from(plaintext).toString('base64');
+        const encrypted = await this.encryption.encrypt(encodedPlaintext, recipientPublicKey, senderId);
+        if (!this.localEncryptionPublicKey) {
+            throw new Error('Missing sender public key');
+        }
+        return {
+            ...encrypted,
+            senderPublicKey: this.localEncryptionPublicKey
+        };
+    }
+    async decrypt(message) {
+        const recipientId = await this.ensureEncryptionIdentity();
+        const decoded = await this.encryption.decrypt(message.ciphertext, message.nonce, message.senderPublicKey, recipientId);
+        return new Uint8Array(Buffer.from(decoded, 'base64'));
+    }
+    isIdentity(value) {
+        if (!value || typeof value !== 'object')
+            return false;
+        const candidate = value;
+        return (typeof candidate.did === 'string' &&
+            candidate.privateKey instanceof Uint8Array &&
+            candidate.publicKey instanceof Uint8Array);
+    }
+    async ensureEncryptionIdentity() {
+        const senderId = this.localEncryptionId || this.identity?.did || `sec_${Date.now()}`;
+        this.localEncryptionId = senderId;
+        if (!this.localKeyGenerated) {
+            await this.generateKeyPair(senderId);
+        }
+        return senderId;
+    }
+}
+// Classes already exported via 'export class'
+//# sourceMappingURL=security.js.map