smartproxy/ts/http/port80/port80-handler.ts

import * as plugins from '../../plugins.js';
import { IncomingMessage, ServerResponse } from 'http';
import { CertificateEvents } from '../../certificate/events/certificate-events.js';
import type {
  ForwardConfig,
  DomainOptions,
  CertificateData,
  CertificateFailure,
  CertificateExpiring,
  AcmeOptions
} from '../../certificate/models/certificate-types.js';
import {
  HttpEvents,
  HttpStatus,
  HttpError,
  CertificateError,
  ServerError,
} from '../models/http-types.js';
import type { DomainCertificate } from '../models/http-types.js';
import { ChallengeResponder } from './challenge-responder.js';

// Re-export for backward compatibility
export {
  HttpError as Port80HandlerError,
  CertificateError,
  ServerError
}

// Port80Handler events enum for backward compatibility
export const Port80HandlerEvents = CertificateEvents;

/**
 * Configuration options for the Port80Handler
 */
// Port80Handler options moved to common types


/**
 * Port80Handler with ACME certificate management and request forwarding capabilities
 * Now with glob pattern support for domain matching
 */
export class Port80Handler extends plugins.EventEmitter {
  private domainCertificates: Map<string, DomainCertificate>;
  private challengeResponder: ChallengeResponder | null = null;
  private server: plugins.http.Server | null = null;

  // Renewal scheduling is handled externally by SmartProxy
  private isShuttingDown: boolean = false;
  private options: Required<AcmeOptions>;

  /**
   * Creates a new Port80Handler
   * @param options Configuration options
   */
  constructor(options: AcmeOptions = {}) {
    super();
    this.domainCertificates = new Map<string, DomainCertificate>();

    // Default options
    this.options = {
      port: options.port ?? 80,
      accountEmail: options.accountEmail ?? 'admin@example.com',
      useProduction: options.useProduction ?? false, // Safer default: staging
      httpsRedirectPort: options.httpsRedirectPort ?? 443,
      enabled: options.enabled ?? true, // Enable by default
      certificateStore: options.certificateStore ?? './certs',
      skipConfiguredCerts: options.skipConfiguredCerts ?? false,
      renewThresholdDays: options.renewThresholdDays ?? 30,
      renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24,
      autoRenew: options.autoRenew ?? true,
      domainForwards: options.domainForwards ?? []
    };

    // Initialize challenge responder
    if (this.options.enabled) {
      this.challengeResponder = new ChallengeResponder(
        this.options.useProduction,
        this.options.accountEmail,
        this.options.certificateStore
      );

      // Forward certificate events from the challenge responder
      this.challengeResponder.on(CertificateEvents.CERTIFICATE_ISSUED, (data: CertificateData) => {
        this.emit(CertificateEvents.CERTIFICATE_ISSUED, data);
      });

      this.challengeResponder.on(CertificateEvents.CERTIFICATE_RENEWED, (data: CertificateData) => {
        this.emit(CertificateEvents.CERTIFICATE_RENEWED, data);
      });

      this.challengeResponder.on(CertificateEvents.CERTIFICATE_FAILED, (error: CertificateFailure) => {
        this.emit(CertificateEvents.CERTIFICATE_FAILED, error);
      });

      this.challengeResponder.on(CertificateEvents.CERTIFICATE_EXPIRING, (expiry: CertificateExpiring) => {
        this.emit(CertificateEvents.CERTIFICATE_EXPIRING, expiry);
      });
    }
  }

  /**
   * Starts the HTTP server for ACME challenges
   */
  public async start(): Promise<void> {
    if (this.server) {
      throw new ServerError('Server is already running');
    }

    if (this.isShuttingDown) {
      throw new ServerError('Server is shutting down');
    }

    // Skip if disabled
    if (this.options.enabled === false) {
      console.log('Port80Handler is disabled, skipping start');
      return;
    }

    // Initialize the challenge responder if enabled
    if (this.options.enabled && this.challengeResponder) {
      try {
        await this.challengeResponder.initialize();
      } catch (error) {
        throw new ServerError(`Failed to initialize challenge responder: ${
          error instanceof Error ? error.message : String(error)
        }`);
      }
    }

    return new Promise((resolve, reject) => {
      try {
        this.server = plugins.http.createServer((req, res) => this.handleRequest(req, res));

        this.server.on('error', (error: NodeJS.ErrnoException) => {
          if (error.code === 'EACCES') {
            reject(new ServerError(`Permission denied to bind to port ${this.options.port}. Try running with elevated privileges or use a port > 1024.`, error.code));
          } else if (error.code === 'EADDRINUSE') {
            reject(new ServerError(`Port ${this.options.port} is already in use.`, error.code));
          } else {
            reject(new ServerError(error.message, error.code));
          }
        });

        this.server.listen(this.options.port, () => {
          console.log(`Port80Handler is listening on port ${this.options.port}`);
          this.emit(CertificateEvents.MANAGER_STARTED, this.options.port);

          // Start certificate process for domains with acmeMaintenance enabled
          for (const [domain, domainInfo] of this.domainCertificates.entries()) {
            // Skip glob patterns for certificate issuance
            if (this.isGlobPattern(domain)) {
              console.log(`Skipping initial certificate for glob pattern: ${domain}`);
              continue;
            }

            if (domainInfo.options.acmeMaintenance && !domainInfo.certObtained && !domainInfo.obtainingInProgress) {
              this.obtainCertificate(domain).catch(err => {
                console.error(`Error obtaining initial certificate for ${domain}:`, err);
              });
            }
          }

          resolve();
        });
      } catch (error) {
        const message = error instanceof Error ? error.message : 'Unknown error starting server';
        reject(new ServerError(message));
      }
    });
  }

  /**
   * Stops the HTTP server and cleanup resources
   */
  public async stop(): Promise<void> {
    if (!this.server) {
      return;
    }

    this.isShuttingDown = true;

    return new Promise<void>((resolve) => {
      if (this.server) {
        this.server.close(() => {
          this.server = null;
          this.isShuttingDown = false;
          this.emit(CertificateEvents.MANAGER_STOPPED);
          resolve();
        });
      } else {
        this.isShuttingDown = false;
        resolve();
      }
    });
  }

  /**
   * Adds a domain with configuration options
   * @param options Domain configuration options
   */
  public addDomain(options: DomainOptions): void {
    if (!options.domainName || typeof options.domainName !== 'string') {
      throw new HttpError('Invalid domain name');
    }

    const domainName = options.domainName;

    if (!this.domainCertificates.has(domainName)) {
      this.domainCertificates.set(domainName, {
        options,
        certObtained: false,
        obtainingInProgress: false
      });

      console.log(`Domain added: ${domainName} with configuration:`, {
        sslRedirect: options.sslRedirect,
        acmeMaintenance: options.acmeMaintenance,
        hasForward: !!options.forward,
        hasAcmeForward: !!options.acmeForward
      });

      // If acmeMaintenance is enabled and not a glob pattern, start certificate process immediately
      if (options.acmeMaintenance && this.server && !this.isGlobPattern(domainName)) {
        this.obtainCertificate(domainName).catch(err => {
          console.error(`Error obtaining initial certificate for ${domainName}:`, err);
        });
      }
    } else {
      // Update existing domain with new options
      const existing = this.domainCertificates.get(domainName)!;
      existing.options = options;
      console.log(`Domain ${domainName} configuration updated`);
    }
  }

  /**
   * Removes a domain from management
   * @param domain The domain to remove
   */
  public removeDomain(domain: string): void {
    if (this.domainCertificates.delete(domain)) {
      console.log(`Domain removed: ${domain}`);
    }
  }
  
  /**
   * Gets the certificate for a domain if it exists
   * @param domain The domain to get the certificate for
   */
  public getCertificate(domain: string): CertificateData | null {
    // Can't get certificates for glob patterns
    if (this.isGlobPattern(domain)) {
      return null;
    }

    const domainInfo = this.domainCertificates.get(domain);

    if (!domainInfo || !domainInfo.certObtained || !domainInfo.certificate || !domainInfo.privateKey) {
      return null;
    }

    return {
      domain,
      certificate: domainInfo.certificate,
      privateKey: domainInfo.privateKey,
      expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate()
    };
  }



  /**
   * Check if a domain is a glob pattern
   * @param domain Domain to check
   * @returns True if the domain is a glob pattern
   */
  private isGlobPattern(domain: string): boolean {
    return domain.includes('*');
  }
  
  /**
   * Get domain info for a specific domain, using glob pattern matching if needed
   * @param requestDomain The actual domain from the request
   * @returns The domain info or null if not found
   */
  private getDomainInfoForRequest(requestDomain: string): { domainInfo: DomainCertificate, pattern: string } | null {
    // Try direct match first
    if (this.domainCertificates.has(requestDomain)) {
      return {
        domainInfo: this.domainCertificates.get(requestDomain)!,
        pattern: requestDomain
      };
    }

    // Then try glob patterns
    for (const [pattern, domainInfo] of this.domainCertificates.entries()) {
      if (this.isGlobPattern(pattern) && this.domainMatchesPattern(requestDomain, pattern)) {
        return { domainInfo, pattern };
      }
    }

    return null;
  }
  
  /**
   * Check if a domain matches a glob pattern
   * @param domain The domain to check
   * @param pattern The pattern to match against
   * @returns True if the domain matches the pattern
   */
  private domainMatchesPattern(domain: string, pattern: string): boolean {
    // Handle different glob pattern styles
    if (pattern.startsWith('*.')) {
      // *.example.com matches any subdomain
      const suffix = pattern.substring(2);
      return domain.endsWith(suffix) && domain.includes('.') && domain !== suffix;
    } else if (pattern.endsWith('.*')) {
      // example.* matches any TLD
      const prefix = pattern.substring(0, pattern.length - 2);
      const domainParts = domain.split('.');
      return domain.startsWith(prefix + '.') && domainParts.length >= 2;
    } else if (pattern === '*') {
      // Wildcard matches everything
      return true;
    } else {
      // Exact match (shouldn't reach here as we check exact matches first)
      return domain === pattern;
    }
  }


  /**
   * Handles incoming HTTP requests
   * @param req The HTTP request
   * @param res The HTTP response
   */
  private handleRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
    // Emit request received event with basic info
    this.emit(HttpEvents.REQUEST_RECEIVED, {
      url: req.url,
      method: req.method,
      headers: req.headers
    });

    const hostHeader = req.headers.host;
    if (!hostHeader) {
      res.statusCode = HttpStatus.BAD_REQUEST;
      res.end('Bad Request: Host header is missing');
      return;
    }

    // Extract domain (ignoring any port in the Host header)
    const domain = hostHeader.split(':')[0];

    // Check if this is an ACME challenge request that our ChallengeResponder can handle
    if (this.challengeResponder && req.url?.startsWith('/.well-known/acme-challenge/')) {
      // Handle ACME HTTP-01 challenge with the challenge responder
      const domainMatch = this.getDomainInfoForRequest(domain);

      // If there's a specific ACME forwarding config for this domain, use that instead
      if (domainMatch?.domainInfo.options.acmeForward) {
        this.forwardRequest(req, res, domainMatch.domainInfo.options.acmeForward, 'ACME challenge');
        return;
      }

      // If domain exists and has acmeMaintenance enabled, or we don't have the domain yet
      // (for auto-provisioning), try to handle the ACME challenge
      if (!domainMatch || domainMatch.domainInfo.options.acmeMaintenance) {
        // Let the challenge responder try to handle this request
        if (this.challengeResponder.handleRequest(req, res)) {
          // Challenge was handled
          return;
        }
      }
    }

    // Dynamic provisioning: if domain not yet managed, register for ACME and return 503
    if (!this.domainCertificates.has(domain)) {
      try {
        this.addDomain({ domainName: domain, sslRedirect: false, acmeMaintenance: true });
      } catch (err) {
        console.error(`Error registering domain for on-demand provisioning: ${err}`);
      }
      res.statusCode = HttpStatus.SERVICE_UNAVAILABLE;
      res.end('Certificate issuance in progress');
      return;
    }

    // Get domain config, using glob pattern matching if needed
    const domainMatch = this.getDomainInfoForRequest(domain);
    if (!domainMatch) {
      res.statusCode = HttpStatus.NOT_FOUND;
      res.end('Domain not configured');
      return;
    }

    const { domainInfo, pattern } = domainMatch;
    const options = domainInfo.options;

    // Check if we should forward non-ACME requests
    if (options.forward) {
      this.forwardRequest(req, res, options.forward, 'HTTP');
      return;
    }

    // If certificate exists and sslRedirect is enabled, redirect to HTTPS
    // (Skip for glob patterns as they won't have certificates)
    if (!this.isGlobPattern(pattern) && domainInfo.certObtained && options.sslRedirect) {
      const httpsPort = this.options.httpsRedirectPort;
      const portSuffix = httpsPort === 443 ? '' : `:${httpsPort}`;
      const redirectUrl = `https://${domain}${portSuffix}${req.url || '/'}`;

      res.statusCode = HttpStatus.MOVED_PERMANENTLY;
      res.setHeader('Location', redirectUrl);
      res.end(`Redirecting to ${redirectUrl}`);
      return;
    }

    // Handle case where certificate maintenance is enabled but not yet obtained
    // (Skip for glob patterns as they can't have certificates)
    if (!this.isGlobPattern(pattern) && options.acmeMaintenance && !domainInfo.certObtained) {
      // Trigger certificate issuance if not already running
      if (!domainInfo.obtainingInProgress) {
        this.obtainCertificate(domain).catch(err => {
          const errorMessage = err instanceof Error ? err.message : 'Unknown error';
          this.emit(CertificateEvents.CERTIFICATE_FAILED, {
            domain,
            error: errorMessage,
            isRenewal: false
          });
          console.error(`Error obtaining certificate for ${domain}:`, err);
        });
      }

      res.statusCode = HttpStatus.SERVICE_UNAVAILABLE;
      res.end('Certificate issuance in progress, please try again later.');
      return;
    }

    // Default response for unhandled request
    res.statusCode = HttpStatus.NOT_FOUND;
    res.end('No handlers configured for this request');

    // Emit request handled event
    this.emit(HttpEvents.REQUEST_HANDLED, {
      domain,
      url: req.url,
      statusCode: res.statusCode
    });
  }
  
  /**
   * Forwards an HTTP request to the specified target
   * @param req The original request
   * @param res The response object
   * @param target The forwarding target (IP and port)
   * @param requestType Type of request for logging
   */
  private forwardRequest(
    req: plugins.http.IncomingMessage,
    res: plugins.http.ServerResponse,
    target: ForwardConfig,
    requestType: string
  ): void {
    const options = {
      hostname: target.ip,
      port: target.port,
      path: req.url,
      method: req.method,
      headers: { ...req.headers }
    };

    const domain = req.headers.host?.split(':')[0] || 'unknown';
    console.log(`Forwarding ${requestType} request for ${domain} to ${target.ip}:${target.port}`);

    const proxyReq = plugins.http.request(options, (proxyRes) => {
      // Copy status code
      res.statusCode = proxyRes.statusCode || HttpStatus.INTERNAL_SERVER_ERROR;

      // Copy headers
      for (const [key, value] of Object.entries(proxyRes.headers)) {
        if (value) res.setHeader(key, value);
      }

      // Pipe response data
      proxyRes.pipe(res);

      this.emit(HttpEvents.REQUEST_FORWARDED, {
        domain,
        requestType,
        target: `${target.ip}:${target.port}`,
        statusCode: proxyRes.statusCode
      });
    });

    proxyReq.on('error', (error) => {
      console.error(`Error forwarding request to ${target.ip}:${target.port}:`, error);

      this.emit(HttpEvents.REQUEST_ERROR, {
        domain,
        error: error.message,
        target: `${target.ip}:${target.port}`
      });

      if (!res.headersSent) {
        res.statusCode = HttpStatus.INTERNAL_SERVER_ERROR;
        res.end(`Proxy error: ${error.message}`);
      } else {
        res.end();
      }
    });

    // Pipe original request to proxy request
    if (req.readable) {
      req.pipe(proxyReq);
    } else {
      proxyReq.end();
    }
  }


  /**
   * Obtains a certificate for a domain using ACME HTTP-01 challenge
   * @param domain The domain to obtain a certificate for
   * @param isRenewal Whether this is a renewal attempt
   */
  private async obtainCertificate(domain: string, isRenewal: boolean = false): Promise<void> {
    if (this.isGlobPattern(domain)) {
      throw new CertificateError('Cannot obtain certificates for glob pattern domains', domain, isRenewal);
    }

    const domainInfo = this.domainCertificates.get(domain)!;

    if (!domainInfo.options.acmeMaintenance) {
      console.log(`Skipping certificate issuance for ${domain} - acmeMaintenance is disabled`);
      return;
    }

    if (domainInfo.obtainingInProgress) {
      console.log(`Certificate issuance already in progress for ${domain}`);
      return;
    }

    if (!this.challengeResponder) {
      throw new HttpError('Challenge responder is not initialized');
    }

    domainInfo.obtainingInProgress = true;
    domainInfo.lastRenewalAttempt = new Date();

    try {
      // Request certificate via ChallengeResponder
      const certData = await this.challengeResponder.requestCertificate(domain, isRenewal);

      // Update domain info with certificate data
      domainInfo.certificate = certData.certificate;
      domainInfo.privateKey = certData.privateKey;
      domainInfo.certObtained = true;
      domainInfo.expiryDate = certData.expiryDate;

      console.log(`Certificate ${isRenewal ? 'renewed' : 'obtained'} for ${domain}`);

      // The event will be emitted by the ChallengeResponder, we just store the certificate
    } catch (error: any) {
      const errorMsg = error instanceof Error ? error.message : String(error);
      console.error(`Error during certificate issuance for ${domain}:`, error);

      // The failure event will be emitted by the ChallengeResponder
      throw new CertificateError(errorMsg, domain, isRenewal);
    } finally {
      domainInfo.obtainingInProgress = false;
    }
  }

  
  /**
   * Extract expiry date from certificate using a more robust approach
   * @param certificate Certificate PEM string
   * @param domain Domain for logging
   * @returns Extracted expiry date or default
   */
  private extractExpiryDateFromCertificate(certificate: string, domain: string): Date {
    try {
      // This is still using regex, but in a real implementation you would use
      // a library like node-forge or x509 to properly parse the certificate
      const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
      if (matches && matches[1]) {
        const expiryDate = new Date(matches[1]);
        
        // Validate that we got a valid date
        if (!isNaN(expiryDate.getTime())) {
          console.log(`Certificate for ${domain} will expire on ${expiryDate.toISOString()}`);
          return expiryDate;
        }
      }
      
      console.warn(`Could not extract valid expiry date from certificate for ${domain}, using default`);
      return this.getDefaultExpiryDate();
    } catch (error) {
      console.warn(`Failed to extract expiry date from certificate for ${domain}, using default`);
      return this.getDefaultExpiryDate();
    }
  }
  
  /**
   * Get a default expiry date (90 days from now)
   * @returns Default expiry date
   */
  private getDefaultExpiryDate(): Date {
    return new Date(Date.now() + 90 * 24 * 60 * 60 * 1000); // 90 days default
  }
  
  /**
   * Emits a certificate event with the certificate data
   * @param eventType The event type to emit
   * @param data The certificate data
   */
  private emitCertificateEvent(eventType: CertificateEvents, data: CertificateData): void {
    this.emit(eventType, data);
  }
  
  /**
   * Gets all domains and their certificate status
   * @returns Map of domains to certificate status
   */
  public getDomainCertificateStatus(): Map<string, {
    certObtained: boolean;
    expiryDate?: Date;
    daysRemaining?: number;
    obtainingInProgress: boolean;
    lastRenewalAttempt?: Date;
  }> {
    const result = new Map<string, {
      certObtained: boolean;
      expiryDate?: Date;
      daysRemaining?: number;
      obtainingInProgress: boolean;
      lastRenewalAttempt?: Date;
    }>();
    
    const now = new Date();
    
    for (const [domain, domainInfo] of this.domainCertificates.entries()) {
      // Skip glob patterns
      if (this.isGlobPattern(domain)) continue;
      
      const status: {
        certObtained: boolean;
        expiryDate?: Date;
        daysRemaining?: number;
        obtainingInProgress: boolean;
        lastRenewalAttempt?: Date;
      } = {
        certObtained: domainInfo.certObtained,
        expiryDate: domainInfo.expiryDate,
        obtainingInProgress: domainInfo.obtainingInProgress,
        lastRenewalAttempt: domainInfo.lastRenewalAttempt
      };
      
      // Calculate days remaining if expiry date is available
      if (domainInfo.expiryDate) {
        const daysRemaining = Math.ceil(
          (domainInfo.expiryDate.getTime() - now.getTime()) / (24 * 60 * 60 * 1000)
        );
        status.daysRemaining = daysRemaining;
      }
      
      result.set(domain, status);
    }
    
    return result;
  }
  
  /**
   * Request a certificate renewal for a specific domain.
   * @param domain The domain to renew.
   */
  public async renewCertificate(domain: string): Promise<void> {
    if (!this.domainCertificates.has(domain)) {
      throw new HttpError(`Domain not managed: ${domain}`);
    }
    // Trigger renewal via ACME
    await this.obtainCertificate(domain, true);
  }
}