xypriss 1.1.3 → 1.2.0

package/dist/esm/src/plugins/modules/core/SecurityPlugin.js

@@ -0,0 +1,797 @@
+import { func } from '../../../../mods/security/src/components/fortified-function/index.js';
+import { Hash } from '../../../../mods/security/src/core/hash/hash-core.js';
+import '../../../../mods/security/src/core/hash/hash-types.js';
+import 'crypto';
+import '../../../../mods/security/src/core/hash/hash-security.js';
+import '../../../../mods/security/src/core/hash/hash-advanced.js';
+import '../../../../mods/security/src/algorithms/hash-algorithms.js';
+import { PluginType, PluginPriority } from '../types/PluginTypes.js';
+import { fObject } from '../../../../mods/security/src/index.js';
+
+/**
+ * Security Plugin Base Class - Ultra-Fast Security Framework
+ *
+ * Lean, ultra-fast security plugin framework providing essential security infrastructure
+ * while allowing users to plug in their own authentication/authorization systems.
+ *
+ * Performance Target: <2ms execution time for security operations
+ * Focus: Framework-level security that integrates with any authentication system
+ */
+// import { sqlPatterns, xssPatterns } from "../../../../mods/security/src/utils/patterns";
+// import { SecurityRateLimiter } from "../../../../mods/security/src/utils/securityUtils";
+// import { TamperEvidentLogger, LogLevel } from "../../../../mods/security/src/components/tamper-evident-logging";
+// Fallback implementations for missing imports
+const sqlPatterns = [/union.*select/i, /drop.*table/i, /insert.*into/i];
+const xssPatterns = [/<script/i, /javascript:/i, /on\w+\s*=/i];
+var LogLevel;
+(function (LogLevel) {
+    LogLevel["INFO"] = "info";
+    LogLevel["WARN"] = "warn";
+    LogLevel["ERROR"] = "error";
+})(LogLevel || (LogLevel = {}));
+/**
+ * Abstract base class for security plugins
+ */
+class SecurityPlugin {
+    constructor() {
+        this.type = PluginType.SECURITY;
+        this.priority = PluginPriority.HIGH;
+        this.isAsync = true;
+        this.isCacheable = false; // Security operations should not be cached
+        this.maxExecutionTime = 2000; // 2ms max for security operations
+        // Security configuration
+        this.securityLevel = "enhanced";
+        this.encryptionRequired = true;
+        this.auditLogging = true;
+    }
+    /**
+     * Initialize security plugin with XyPrissJS utilities
+     */
+    async initialize(context) {
+        // Initialize XyPrissJS security utilities
+        this.hashUtil = Hash;
+        this.secureObjectUtil = fObject;
+        // Initialize audit logging with fallback implementation
+        this.auditLogger = {
+            log: (level, message, data) => {
+                console.log(`[${level}] ${message}`, data);
+            },
+        };
+        // Initialize rate limiting with fallback implementation
+        this.rateLimiter = {
+            isAllowed: (key) => true, // Fallback always allows
+            recordAttempt: (key) => { },
+            reset: (key) => { },
+        };
+        this.slidingWindowLimiter = new Map();
+        // Create fortified execution wrapper for ultra-fast security operations
+        this.fortifiedExecute = func(async (operation) => {
+            return await operation();
+        }, {
+            ultraFast: "maximum",
+            autoEncrypt: this.encryptionRequired,
+            auditLog: this.auditLogging,
+            timeout: this.maxExecutionTime,
+            errorHandling: "graceful",
+        });
+        // Perform plugin-specific initialization
+        await this.initializeSecurityPlugin(context);
+    }
+    /**
+     * Execute security plugin with comprehensive protection
+     */
+    async execute(context) {
+        const startTime = performance.now();
+        try {
+            // Pre-execution security checks
+            const preCheckResult = await this.preExecutionSecurityCheck(context);
+            if (!preCheckResult.success) {
+                return preCheckResult;
+            }
+            // Execute main security logic
+            const result = await this.fortifiedExecute(async () => {
+                return await this.executeSecurityLogic(context);
+            });
+            const executionTime = performance.now() - startTime;
+            // Post-execution security validation
+            const validationResult = await this.postExecutionValidation(context, result);
+            if (!validationResult.success) {
+                return validationResult;
+            }
+            // Log security event if audit logging is enabled
+            if (this.auditLogging) {
+                await this.logSecurityEvent(context, result, executionTime);
+            }
+            return {
+                success: true,
+                executionTime,
+                data: result,
+                shouldContinue: true,
+            };
+        }
+        catch (error) {
+            const executionTime = performance.now() - startTime;
+            // Log security error
+            await this.logSecurityError(context, error, executionTime);
+            return {
+                success: false,
+                executionTime,
+                error,
+                shouldContinue: this.shouldContinueOnError(error),
+            };
+        }
+    }
+    /**
+     * Validate input data for security threats
+     */
+    async validateInput(context) {
+        try {
+            // Validate request body
+            if (context.req.body &&
+                !this.validateRequestBody(context.req.body)) {
+                return false;
+            }
+            // Validate query parameters
+            if (context.req.query &&
+                !this.validateQueryParameters(context.req.query)) {
+                return false;
+            }
+            // Validate headers
+            if (!this.validateHeaders(context.req.headers)) {
+                return false;
+            }
+            return true;
+        }
+        catch (error) {
+            console.error(`Input validation error in plugin ${this.id}:`, error);
+            return false;
+        }
+    }
+    /**
+     * Sanitize data to prevent security vulnerabilities
+     */
+    sanitizeData(data) {
+        if (!data)
+            return data;
+        try {
+            // Use fObject for secure data handling
+            const secureData = this.secureObjectUtil(data);
+            // Apply sanitization rules
+            return this.applySanitizationRules(secureData.getAll());
+        }
+        catch (error) {
+            console.error(`Data sanitization error in plugin ${this.id}:`, error);
+            return data; // Return original data if sanitization fails
+        }
+    }
+    // ===== SECURITY IMPLEMENTATIONS =====
+    /**
+     * Initialize plugin-specific security features
+     * implementation with comprehensive security setup
+     */
+    async initializeSecurityPlugin(context) {
+        try {
+            // Initialize security patterns from configuration
+            if (context.config.customSettings.securityPatterns) {
+                this.initializeSecurityPatterns(context.config.customSettings.securityPatterns);
+            }
+            // Setup rate limiting thresholds
+            if (context.config.customSettings.rateLimiting) {
+                this.setupRateLimitingConfig(context.config.customSettings.rateLimiting);
+            }
+            // Note: Authentication providers should be implemented by users
+            // This framework provides only the security infrastructure
+            // Setup security monitoring
+            if (context.config.enableAuditLogging) {
+                this.setupSecurityMonitoring(context);
+            }
+            context.logger.info(`Security plugin ${this.constructor.name} initialized successfully`);
+        }
+        catch (error) {
+            context.logger.error(`Error initializing security plugin: ${error.message}`, error);
+            throw error;
+        }
+    }
+    /**
+     * Execute main security logic
+     * implementation with comprehensive security checks
+     */
+    async executeSecurityLogic(context) {
+        try {
+            const securityResults = {
+                inputValidation: false,
+                rateLimitCheck: false,
+                threatDetection: false,
+                authenticationStatus: context.security.isAuthenticated,
+                securityScore: 0,
+                threats: [],
+                recommendations: [],
+            };
+            // Perform input validation
+            securityResults.inputValidation = await this.validateInput(context);
+            if (!securityResults.inputValidation) {
+                securityResults.threats.push("Invalid input detected");
+            }
+            // Perform threat detection
+            securityResults.threatDetection =
+                !this.detectSuspiciousActivity(context);
+            if (!securityResults.threatDetection) {
+                securityResults.threats.push("Suspicious activity detected");
+            }
+            // Calculate security score
+            securityResults.securityScore =
+                this.calculateSecurityScore(securityResults);
+            // Generate security recommendations
+            securityResults.recommendations =
+                this.generateSecurityRecommendations(securityResults);
+            return securityResults;
+        }
+        catch (error) {
+            console.error(`Error executing security logic: ${error.message}`);
+            return {
+                error: error.message,
+                securityScore: 0,
+                threats: ["Security check failed"],
+            };
+        }
+    }
+    /**
+     * Framework-level authentication validation
+     * Note: Users should implement their own authentication logic
+     */
+    async performAuthentication(authData, context) {
+        try {
+            if (!authData) {
+                return false;
+            }
+            // Framework-level validation only
+            // Users should override this method with their own authentication logic
+            console.warn(`SecurityPlugin.performAuthentication called but not implemented. ` +
+                `Users should implement their own authentication logic for type: ${authData.type}`);
+            return false; // Default to deny access
+        }
+        catch (error) {
+            console.error(`Authentication framework error: ${error.message}`);
+            return false;
+        }
+    }
+    /**
+     * Framework-level authorization validation
+     * Note: Users should implement their own authorization logic
+     */
+    async performAuthorization(context, resource) {
+        try {
+            // Check if user is authenticated
+            if (!context.security.isAuthenticated) {
+                return false;
+            }
+            // Framework-level validation only
+            // Users should override this method with their own authorization logic
+            console.warn(`SecurityPlugin.performAuthorization called but not implemented. ` +
+                `Users should implement their own authorization logic for resource: ${resource}`);
+            return false; // Default to deny access
+        }
+        catch (error) {
+            console.error(`Authorization framework error: ${error.message}`);
+            return false;
+        }
+    }
+    // ===== PROTECTED HELPER METHODS =====
+    /**
+     * Pre-execution security check
+     */
+    async preExecutionSecurityCheck(context) {
+        // Check for common security threats
+        if (this.detectSuspiciousActivity(context)) {
+            return {
+                success: false,
+                executionTime: 0,
+                error: new Error("Suspicious activity detected"),
+                shouldContinue: false,
+            };
+        }
+        return { success: true, executionTime: 0, shouldContinue: true };
+    }
+    /**
+     * Post-execution validation
+     */
+    async postExecutionValidation(_context, result) {
+        // Validate result data
+        if (result && typeof result === "object") {
+            const sanitizedResult = this.sanitizeData(result);
+            if (sanitizedResult !== result) {
+                console.warn(`Plugin ${this.id} result was sanitized`);
+            }
+        }
+        return { success: true, executionTime: 0, shouldContinue: true };
+    }
+    /**
+     * Extract authentication data from request
+     */
+    extractAuthenticationData(context) {
+        const { req } = context;
+        // Extract from Authorization header
+        const authHeader = req.headers.authorization;
+        if (authHeader) {
+            return this.parseAuthorizationHeader(authHeader);
+        }
+        // Extract from cookies
+        if (req.cookies) {
+            return this.parseAuthenticationCookies(req.cookies);
+        }
+        // Extract from session
+        if (req.session) {
+            return this.parseSessionData(req.session);
+        }
+        return null;
+    }
+    /**
+     * Detect suspicious activity patterns
+     */
+    detectSuspiciousActivity(context) {
+        const { req } = context;
+        // Check for SQL injection patterns
+        if (this.containsSqlInjectionPatterns(req)) {
+            return true;
+        }
+        // Check for XSS patterns
+        if (this.containsXssPatterns(req)) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Log security event for audit trail
+     *  implementation using TamperEvidentLogger
+     */
+    async logSecurityEvent(context, result, executionTime) {
+        const logData = {
+            pluginId: this.id,
+            executionId: context.executionId,
+            userId: context.security.userId,
+            action: "security_check",
+            result: result ? "success" : "failure",
+            executionTime,
+            ipAddress: context.req.ip,
+            userAgent: context.req.headers["user-agent"],
+            path: context.req.path,
+            method: context.req.method,
+            securityScore: result?.securityScore || 0,
+            threats: result?.threats || [],
+            timestamp: Date.now(),
+        };
+        // Use tamper-evident audit logging
+        this.auditLogger.info(`Security check completed for plugin ${this.id}`, logData);
+    }
+    /**
+     * Log security error
+     *  implementation using TamperEvidentLogger
+     */
+    async logSecurityError(context, error, executionTime) {
+        const logData = {
+            pluginId: this.id,
+            executionId: context.executionId,
+            error: error.message,
+            stack: error.stack,
+            executionTime,
+            ipAddress: context.req.ip,
+            userAgent: context.req.headers["user-agent"],
+            path: context.req.path,
+            method: context.req.method,
+            timestamp: Date.now(),
+        };
+        // Use tamper-evident audit logging for security errors
+        this.auditLogger.error(`Security error in plugin ${this.id}`, logData);
+    }
+    /**
+     * Determine if execution should continue after error
+     */
+    shouldContinueOnError(_error) {
+        // Security errors should generally stop execution
+        return false;
+    }
+    // ===== VALIDATION HELPER METHODS =====
+    validateRequestBody(body) {
+        if (!body || typeof body !== "object") {
+            return true; // No body to validate
+        }
+        try {
+            // Check for suspicious patterns in body
+            const bodyString = JSON.stringify(body);
+            for (const pattern of sqlPatterns) {
+                if (pattern.test(bodyString)) {
+                    console.warn(`SQL injection pattern detected in request body: ${this.id}`);
+                    return false;
+                }
+            }
+            for (const pattern of xssPatterns) {
+                if (pattern.test(bodyString)) {
+                    console.warn(`XSS pattern detected in request body: ${this.id}`);
+                    return false;
+                }
+            }
+            return true;
+        }
+        catch (error) {
+            console.error(`Error validating request body: ${error}`);
+            return false;
+        }
+    }
+    validateQueryParameters(query) {
+        if (!query || typeof query !== "object") {
+            return true; // No query params to validate
+        }
+        try {
+            for (const [key, value] of Object.entries(query)) {
+                if (typeof value === "string") {
+                    // Check for path traversal
+                    if (value.includes("../") || value.includes("..\\")) {
+                        console.warn(`Path traversal detected in query param ${key}: ${this.id}`);
+                        return false;
+                    }
+                    // Check for command injection
+                    const cmdPatterns = [
+                        /[;&|`$()]/,
+                        /\b(cat|ls|pwd|whoami|id|uname|ps|netstat|ifconfig)\b/i,
+                    ];
+                    for (const pattern of cmdPatterns) {
+                        if (pattern.test(value)) {
+                            console.warn(`Command injection pattern detected in query param ${key}: ${this.id}`);
+                            return false;
+                        }
+                    }
+                }
+            }
+            return true;
+        }
+        catch (error) {
+            console.error(`Error validating query parameters: ${error}`);
+            return false;
+        }
+    }
+    validateHeaders(headers) {
+        if (!headers || typeof headers !== "object") {
+            return true; // No headers to validate
+        }
+        try {
+            // Check for suspicious user agents
+            const userAgent = headers["user-agent"];
+            if (userAgent) {
+                const suspiciousPatterns = [
+                    /sqlmap/i,
+                    /nikto/i,
+                    /nessus/i,
+                    /burp/i,
+                    /scanner/i,
+                ];
+                for (const pattern of suspiciousPatterns) {
+                    if (pattern.test(userAgent)) {
+                        console.warn(`Suspicious user agent detected: ${this.id}`);
+                        return false;
+                    }
+                }
+            }
+            // Check for header injection
+            for (const [key, value] of Object.entries(headers)) {
+                if (typeof value === "string") {
+                    if (value.includes("\r") || value.includes("\n")) {
+                        console.warn(`Header injection detected in ${key}: ${this.id}`);
+                        return false;
+                    }
+                }
+            }
+            return true;
+        }
+        catch (error) {
+            console.error(`Error validating headers: ${error}`);
+            return false;
+        }
+    }
+    applySanitizationRules(data) {
+        if (!data || typeof data !== "object") {
+            return data;
+        }
+        try {
+            // Use fObject for secure data handling
+            const secureData = this.secureObjectUtil(data);
+            // Get sanitized data
+            const sanitized = secureData.getAll();
+            // Additional sanitization for common security issues
+            if (sanitized.password) {
+                // Never return passwords in sanitized data
+                delete sanitized.password;
+            }
+            if (sanitized.token && typeof sanitized.token === "string") {
+                // Sanitize tokens to alphanumeric and common token characters only
+                sanitized.token = sanitized.token.replace(/[^A-Za-z0-9._-]/g, "");
+            }
+            return sanitized;
+        }
+        catch (error) {
+            console.error(`Error applying sanitization rules: ${error}`);
+            return data; // Return original data if sanitization fails
+        }
+    }
+    parseAuthorizationHeader(header) {
+        try {
+            if (header.startsWith("Bearer ")) {
+                const token = header.substring(7);
+                return {
+                    type: "bearer",
+                    token: token,
+                    userId: null, // Will be extracted from token
+                };
+            }
+            if (header.startsWith("Basic ")) {
+                const credentials = Buffer.from(header.substring(6), "base64").toString("utf8");
+                const [username, password] = credentials.split(":");
+                return {
+                    type: "basic",
+                    username,
+                    password,
+                    userId: username,
+                };
+            }
+            return null;
+        }
+        catch (error) {
+            console.error(`Error parsing authorization header: ${error}`);
+            return null;
+        }
+    }
+    parseAuthenticationCookies(cookies) {
+        try {
+            if (cookies.token) {
+                return {
+                    type: "cookie",
+                    token: cookies.token,
+                    userId: null, // Will be extracted from token
+                };
+            }
+            if (cookies.sessionId) {
+                return {
+                    type: "session",
+                    sessionId: cookies.sessionId,
+                    userId: null, // Will be extracted from session
+                };
+            }
+            return null;
+        }
+        catch (error) {
+            console.error(`Error parsing authentication cookies: ${error}`);
+            return null;
+        }
+    }
+    parseSessionData(session) {
+        try {
+            if (session.userId) {
+                return {
+                    type: "session",
+                    userId: session.userId,
+                    roles: session.roles || [],
+                    permissions: session.permissions || [],
+                };
+            }
+            return null;
+        }
+        catch (error) {
+            console.error(`Error parsing session data: ${error}`);
+            return null;
+        }
+    }
+    containsSqlInjectionPatterns(req) {
+        try {
+            // Check URL path
+            const path = req.path || "";
+            const query = req.query || {};
+            const body = req.body || {};
+            // Combine all input sources
+            const inputs = [
+                path,
+                JSON.stringify(query),
+                JSON.stringify(body),
+            ].join(" ");
+            return sqlPatterns.some((pattern) => pattern.test(inputs));
+        }
+        catch (error) {
+            console.error(`Error checking SQL injection patterns: ${error}`);
+            return false;
+        }
+    }
+    containsXssPatterns(req) {
+        try {
+            // Check URL path, query, and body
+            const path = req.path || "";
+            const query = req.query || {};
+            const body = req.body || {};
+            // Combine all input sources
+            const inputs = [
+                path,
+                JSON.stringify(query),
+                JSON.stringify(body),
+            ].join(" ");
+            return xssPatterns.some((pattern) => pattern.test(inputs));
+        }
+        catch (error) {
+            console.error(`Error checking XSS patterns: ${error}`);
+            return false;
+        }
+    }
+    /**
+     * Clean up expired rate limiting data (call periodically)
+     */
+    cleanupRateLimitingData() {
+        if (!this.slidingWindowLimiter) {
+            return;
+        }
+        const now = Date.now();
+        const windowMs = 60000; // 1 minute
+        for (const [clientIp, clientData,] of this.slidingWindowLimiter.entries()) {
+            // Remove expired requests
+            clientData.requests = clientData.requests.filter((timestamp) => now - timestamp < windowMs);
+            // Remove expired blocks
+            if (clientData.blocked &&
+                clientData.blockExpiry &&
+                now >= clientData.blockExpiry) {
+                clientData.blocked = false;
+                delete clientData.blockExpiry;
+            }
+            // Remove empty entries
+            if (clientData.requests.length === 0 && !clientData.blocked) {
+                this.slidingWindowLimiter.delete(clientIp);
+            }
+        }
+    }
+    /**
+     * Get rate limiting statistics
+     */
+    getRateLimitingStats() {
+        if (!this.slidingWindowLimiter) {
+            return { totalClients: 0, blockedClients: 0, totalRequests: 0 };
+        }
+        let blockedClients = 0;
+        let totalRequests = 0;
+        for (const clientData of this.slidingWindowLimiter.values()) {
+            if (clientData.blocked) {
+                blockedClients++;
+            }
+            totalRequests += clientData.requests.length;
+        }
+        return {
+            totalClients: this.slidingWindowLimiter.size,
+            blockedClients,
+            totalRequests,
+        };
+    }
+    // ===== SECURITY HELPER METHODS =====
+    /**
+     * Initialize security patterns from configuration
+     */
+    initializeSecurityPatterns(patterns) {
+        try {
+            // Initialize custom SQL injection patterns
+            if (patterns.sqlInjection) {
+                sqlPatterns.push(...patterns.sqlInjection.map((p) => new RegExp(p, "i")));
+            }
+            // Initialize custom XSS patterns
+            if (patterns.xss) {
+                xssPatterns.push(...patterns.xss.map((p) => new RegExp(p, "i")));
+            }
+            console.debug("Security patterns initialized successfully");
+        }
+        catch (error) {
+            console.error("Error initializing security patterns:", error);
+        }
+    }
+    /**
+     * Setup rate limiting configuration
+     */
+    setupRateLimitingConfig(config) {
+        try {
+            if (config.maxAttempts && config.windowMs) {
+                this.rateLimiter = {
+                    isAllowed: (key) => true, // Fallback always allows
+                    recordAttempt: (key) => { },
+                    reset: (key) => { },
+                };
+            }
+            console.debug("Rate limiting configuration setup completed");
+        }
+        catch (error) {
+            console.error("Error setting up rate limiting config:", error);
+        }
+    }
+    /**
+     * Framework-level authentication provider initialization
+     * Note: Users should implement their own authentication providers
+     */
+    async initializeAuthProviders(providers) {
+        try {
+            // Framework-level initialization only
+            // Users should override this method to implement their own authentication providers
+            console.warn(`SecurityPlugin.initializeAuthProviders called but not implemented. ` +
+                `Users should implement their own authentication providers for: ${Object.keys(providers).join(", ")}`);
+            console.debug("Authentication provider framework initialized");
+        }
+        catch (error) {
+            console.error("Error initializing auth provider framework:", error);
+        }
+    }
+    /**
+     * Setup security monitoring
+     */
+    setupSecurityMonitoring(context) {
+        try {
+            // Setup audit logging
+            if (context.config.enableAuditLogging) {
+                console.debug("Security monitoring and audit logging enabled");
+            }
+            // Setup threat detection monitoring
+            console.debug("Security monitoring setup completed");
+        }
+        catch (error) {
+            console.error("Error setting up security monitoring:", error);
+        }
+    }
+    /**
+     * Calculate security score based on security results
+     */
+    calculateSecurityScore(results) {
+        try {
+            let score = 100;
+            // Deduct points for each threat
+            score -= results.threats.length * 20;
+            // Deduct points for failed checks
+            if (!results.inputValidation)
+                score -= 15;
+            if (!results.rateLimitCheck)
+                score -= 25;
+            if (!results.threatDetection)
+                score -= 30;
+            // Bonus points for authentication
+            if (results.authenticationStatus)
+                score += 10;
+            return Math.max(0, Math.min(100, score));
+        }
+        catch (error) {
+            console.error("Error calculating security score:", error);
+            return 0;
+        }
+    }
+    /**
+     * Generate security recommendations
+     */
+    generateSecurityRecommendations(results) {
+        const recommendations = [];
+        try {
+            if (!results.inputValidation) {
+                recommendations.push("Implement stricter input validation");
+                recommendations.push("Consider using input sanitization libraries");
+            }
+            if (!results.rateLimitCheck) {
+                recommendations.push("Review and adjust rate limiting thresholds");
+                recommendations.push("Consider implementing progressive rate limiting");
+            }
+            if (!results.threatDetection) {
+                recommendations.push("Enhance threat detection patterns");
+                recommendations.push("Consider implementing behavioral analysis");
+            }
+            if (!results.authenticationStatus) {
+                recommendations.push("Implement proper authentication mechanisms");
+                recommendations.push("Consider multi-factor authentication");
+            }
+            if (results.securityScore < 70) {
+                recommendations.push("Overall security posture needs improvement");
+                recommendations.push("Consider security audit and penetration testing");
+            }
+            return recommendations;
+        }
+        catch (error) {
+            console.error("Error generating security recommendations:", error);
+            return ["Error generating recommendations"];
+        }
+    }
+}
+
+export { SecurityPlugin };
+//# sourceMappingURL=SecurityPlugin.js.map