update structure

2025-05-09 17:00:27 +00:00
parent 4a72d9f3bf
commit f1c0b8bfb7
60 changed files with 4919 additions and 1400 deletions
--- a/ts/core/events/index.ts
+++ b/ts/core/events/index.ts
@ -0,0 +1,3 @@
+/**
+ * Common event definitions
+ */
--- a/ts/core/index.ts
+++ b/ts/core/index.ts
@ -0,0 +1,8 @@
+/**
+ * Core functionality module
+ */
+
+// Export submodules
+export * from './models/index.js';
+export * from './utils/index.js';
+export * from './events/index.js';
--- a/ts/core/models/common-types.ts
+++ b/ts/core/models/common-types.ts
@ -0,0 +1,91 @@
+import * as plugins from '../../plugins.js';
+
+/**
+ * Shared types for certificate management and domain options
+ */
+
+/**
+ * Domain forwarding configuration
+ */
+export interface IForwardConfig {
+  ip: string;
+  port: number;
+}
+
+/**
+ * Domain configuration options
+ */
+export interface IDomainOptions {
+  domainName: string;
+  sslRedirect: boolean;   // if true redirects the request to port 443
+  acmeMaintenance: boolean; // tries to always have a valid cert for this domain
+  forward?: IForwardConfig; // forwards all http requests to that target
+  acmeForward?: IForwardConfig; // forwards letsencrypt requests to this config
+}
+
+/**
+ * Certificate data that can be emitted via events or set from outside
+ */
+export interface ICertificateData {
+  domain: string;
+  certificate: string;
+  privateKey: string;
+  expiryDate: Date;
+}
+
+/**
+ * Events emitted by the Port80Handler
+ */
+export enum Port80HandlerEvents {
+  CERTIFICATE_ISSUED = 'certificate-issued',
+  CERTIFICATE_RENEWED = 'certificate-renewed',
+  CERTIFICATE_FAILED = 'certificate-failed',
+  CERTIFICATE_EXPIRING = 'certificate-expiring',
+  MANAGER_STARTED = 'manager-started',
+  MANAGER_STOPPED = 'manager-stopped',
+  REQUEST_FORWARDED = 'request-forwarded',
+}
+
+/**
+ * Certificate failure payload type
+ */
+export interface ICertificateFailure {
+  domain: string;
+  error: string;
+  isRenewal: boolean;
+}
+
+/**
+ * Certificate expiry payload type
+ */
+export interface ICertificateExpiring {
+  domain: string;
+  expiryDate: Date;
+  daysRemaining: number;
+}
+/**
+ * Forwarding configuration for specific domains in ACME setup
+ */
+export interface IDomainForwardConfig {
+  domain: string;
+  forwardConfig?: IForwardConfig;
+  acmeForwardConfig?: IForwardConfig;
+  sslRedirect?: boolean;
+}
+
+/**
+ * Unified ACME configuration options used across proxies and handlers
+ */
+export interface IAcmeOptions {
+  accountEmail?: string;          // Email for Let's Encrypt account
+  enabled?: boolean;              // Whether ACME is enabled
+  port?: number;                  // Port to listen on for ACME challenges (default: 80)
+  useProduction?: boolean;        // Use production environment (default: staging)
+  httpsRedirectPort?: number;     // Port to redirect HTTP requests to HTTPS (default: 443)
+  renewThresholdDays?: number;    // Days before expiry to renew certificates
+  renewCheckIntervalHours?: number; // How often to check for renewals (in hours)
+  autoRenew?: boolean;            // Whether to automatically renew certificates
+  certificateStore?: string;      // Directory to store certificates
+  skipConfiguredCerts?: boolean;  // Skip domains with existing certificates
+  domainForwards?: IDomainForwardConfig[]; // Domain-specific forwarding configs
+}
--- a/ts/core/models/index.ts
+++ b/ts/core/models/index.ts
@ -0,0 +1,5 @@
+/**
+ * Core data models and interfaces
+ */
+
+export * from './common-types.js';
--- a/ts/core/utils/event-utils.ts
+++ b/ts/core/utils/event-utils.ts
@ -0,0 +1,34 @@
+import type { Port80Handler } from '../../port80handler/classes.port80handler.js';
+import { Port80HandlerEvents } from '../models/common-types.js';
+import type { ICertificateData, ICertificateFailure, ICertificateExpiring } from '../models/common-types.js';
+
+/**
+ * Subscribers callback definitions for Port80Handler events
+ */
+export interface Port80HandlerSubscribers {
+  onCertificateIssued?: (data: ICertificateData) => void;
+  onCertificateRenewed?: (data: ICertificateData) => void;
+  onCertificateFailed?: (data: ICertificateFailure) => void;
+  onCertificateExpiring?: (data: ICertificateExpiring) => void;
+}
+
+/**
+ * Subscribes to Port80Handler events based on provided callbacks
+ */
+export function subscribeToPort80Handler(
+  handler: Port80Handler,
+  subscribers: Port80HandlerSubscribers
+): void {
+  if (subscribers.onCertificateIssued) {
+    handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, subscribers.onCertificateIssued);
+  }
+  if (subscribers.onCertificateRenewed) {
+    handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, subscribers.onCertificateRenewed);
+  }
+  if (subscribers.onCertificateFailed) {
+    handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, subscribers.onCertificateFailed);
+  }
+  if (subscribers.onCertificateExpiring) {
+    handler.on(Port80HandlerEvents.CERTIFICATE_EXPIRING, subscribers.onCertificateExpiring);
+  }
+}
--- a/ts/core/utils/index.ts
+++ b/ts/core/utils/index.ts
@ -0,0 +1,7 @@
+/**
+ * Core utility functions
+ */
+
+export * from './event-utils.js';
+export * from './validation-utils.js';
+export * from './ip-utils.js';
--- a/ts/core/utils/ip-utils.ts
+++ b/ts/core/utils/ip-utils.ts
@ -0,0 +1,175 @@
+import * as plugins from '../../plugins.js';
+
+/**
+ * Utility class for IP address operations
+ */
+export class IpUtils {
+  /**
+   * Check if the IP matches any of the glob patterns
+   *
+   * This method checks IP addresses against glob patterns and handles IPv4/IPv6 normalization.
+   * It's used to implement IP filtering based on security configurations.
+   *
+   * @param ip - The IP address to check
+   * @param patterns - Array of glob patterns
+   * @returns true if IP matches any pattern, false otherwise
+   */
+  public static isGlobIPMatch(ip: string, patterns: string[]): boolean {
+    if (!ip || !patterns || patterns.length === 0) return false;
+
+    // Normalize the IP being checked
+    const normalizedIPVariants = this.normalizeIP(ip);
+    if (normalizedIPVariants.length === 0) return false;
+
+    // Normalize the pattern IPs for consistent comparison
+    const expandedPatterns = patterns.flatMap(pattern => this.normalizeIP(pattern));
+
+    // Check for any match between normalized IP variants and patterns
+    return normalizedIPVariants.some((ipVariant) =>
+      expandedPatterns.some((pattern) => plugins.minimatch(ipVariant, pattern))
+    );
+  }
+
+  /**
+   * Normalize IP addresses for consistent comparison
+   * 
+   * @param ip The IP address to normalize
+   * @returns Array of normalized IP forms
+   */
+  public static normalizeIP(ip: string): string[] {
+    if (!ip) return [];
+    
+    // Handle IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)
+    if (ip.startsWith('::ffff:')) {
+      const ipv4 = ip.slice(7);
+      return [ip, ipv4];
+    }
+    
+    // Handle IPv4 addresses by also checking IPv4-mapped form
+    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+      return [ip, `::ffff:${ip}`];
+    }
+    
+    return [ip];
+  }
+
+  /**
+   * Check if an IP is authorized using security rules
+   *
+   * @param ip - The IP address to check
+   * @param allowedIPs - Array of allowed IP patterns
+   * @param blockedIPs - Array of blocked IP patterns
+   * @returns true if IP is authorized, false if blocked
+   */
+  public static isIPAuthorized(ip: string, allowedIPs: string[] = [], blockedIPs: string[] = []): boolean {
+    // Skip IP validation if no rules are defined
+    if (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)) {
+      return true;
+    }
+
+    // First check if IP is blocked - blocked IPs take precedence
+    if (blockedIPs.length > 0 && this.isGlobIPMatch(ip, blockedIPs)) {
+      return false;
+    }
+
+    // Then check if IP is allowed (if no allowed IPs are specified, all non-blocked IPs are allowed)
+    return allowedIPs.length === 0 || this.isGlobIPMatch(ip, allowedIPs);
+  }
+
+  /**
+   * Check if an IP address is a private network address
+   * 
+   * @param ip The IP address to check
+   * @returns true if the IP is a private network address, false otherwise
+   */
+  public static isPrivateIP(ip: string): boolean {
+    if (!ip) return false;
+
+    // Handle IPv4-mapped IPv6 addresses
+    if (ip.startsWith('::ffff:')) {
+      ip = ip.slice(7);
+    }
+
+    // Check IPv4 private ranges
+    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+      const parts = ip.split('.').map(Number);
+      
+      // Check common private ranges
+      // 10.0.0.0/8
+      if (parts[0] === 10) return true;
+      
+      // 172.16.0.0/12
+      if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return true;
+      
+      // 192.168.0.0/16
+      if (parts[0] === 192 && parts[1] === 168) return true;
+      
+      // 127.0.0.0/8 (localhost)
+      if (parts[0] === 127) return true;
+      
+      return false;
+    }
+    
+    // IPv6 local addresses
+    return ip === '::1' || ip.startsWith('fc00:') || ip.startsWith('fd00:') || ip.startsWith('fe80:');
+  }
+
+  /**
+   * Check if an IP address is a public network address
+   * 
+   * @param ip The IP address to check
+   * @returns true if the IP is a public network address, false otherwise
+   */
+  public static isPublicIP(ip: string): boolean {
+    return !this.isPrivateIP(ip);
+  }
+
+  /**
+   * Convert a subnet CIDR to an IP range for filtering
+   * 
+   * @param cidr The CIDR notation (e.g., "192.168.1.0/24")
+   * @returns Array of glob patterns that match the CIDR range
+   */
+  public static cidrToGlobPatterns(cidr: string): string[] {
+    if (!cidr || !cidr.includes('/')) return [];
+    
+    const [ipPart, prefixPart] = cidr.split('/');
+    const prefix = parseInt(prefixPart, 10);
+    
+    if (isNaN(prefix) || prefix < 0 || prefix > 32) return [];
+    
+    // For IPv4 only for now
+    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ipPart)) return [];
+    
+    const ipParts = ipPart.split('.').map(Number);
+    const fullMask = Math.pow(2, 32 - prefix) - 1;
+    
+    // Convert IP to a numeric value
+    const ipNum = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3];
+    
+    // Calculate network address (IP & ~fullMask)
+    const networkNum = ipNum & ~fullMask;
+    
+    // For large ranges, return wildcard patterns
+    if (prefix <= 8) {
+      return [`${(networkNum >>> 24) & 255}.*.*.*`];
+    } else if (prefix <= 16) {
+      return [`${(networkNum >>> 24) & 255}.${(networkNum >>> 16) & 255}.*.*`];
+    } else if (prefix <= 24) {
+      return [`${(networkNum >>> 24) & 255}.${(networkNum >>> 16) & 255}.${(networkNum >>> 8) & 255}.*`];
+    }
+    
+    // For small ranges, create individual IP patterns
+    const patterns = [];
+    const maxAddresses = Math.min(256, Math.pow(2, 32 - prefix));
+    
+    for (let i = 0; i < maxAddresses; i++) {
+      const currentIpNum = networkNum + i;
+      patterns.push(
+        `${(currentIpNum >>> 24) & 255}.${(currentIpNum >>> 16) & 255}.${(currentIpNum >>> 8) & 255}.${currentIpNum & 255}`
+      );
+    }
+    
+    return patterns;
+  }
+}
--- a/ts/core/utils/validation-utils.ts
+++ b/ts/core/utils/validation-utils.ts
@ -0,0 +1,177 @@
+import * as plugins from '../../plugins.js';
+import type { IDomainOptions, IAcmeOptions } from '../models/common-types.js';
+
+/**
+ * Collection of validation utilities for configuration and domain options
+ */
+export class ValidationUtils {
+  /**
+   * Validates domain configuration options
+   * 
+   * @param domainOptions The domain options to validate
+   * @returns An object with validation result and error message if invalid
+   */
+  public static validateDomainOptions(domainOptions: IDomainOptions): { isValid: boolean; error?: string } {
+    if (!domainOptions) {
+      return { isValid: false, error: 'Domain options cannot be null or undefined' };
+    }
+
+    if (!domainOptions.domainName) {
+      return { isValid: false, error: 'Domain name is required' };
+    }
+
+    // Check domain pattern
+    if (!this.isValidDomainName(domainOptions.domainName)) {
+      return { isValid: false, error: `Invalid domain name: ${domainOptions.domainName}` };
+    }
+
+    // Validate forward config if provided
+    if (domainOptions.forward) {
+      if (!domainOptions.forward.ip) {
+        return { isValid: false, error: 'Forward IP is required when forward is specified' };
+      }
+
+      if (!domainOptions.forward.port) {
+        return { isValid: false, error: 'Forward port is required when forward is specified' };
+      }
+
+      if (!this.isValidPort(domainOptions.forward.port)) {
+        return { isValid: false, error: `Invalid forward port: ${domainOptions.forward.port}` };
+      }
+    }
+
+    // Validate ACME forward config if provided
+    if (domainOptions.acmeForward) {
+      if (!domainOptions.acmeForward.ip) {
+        return { isValid: false, error: 'ACME forward IP is required when acmeForward is specified' };
+      }
+
+      if (!domainOptions.acmeForward.port) {
+        return { isValid: false, error: 'ACME forward port is required when acmeForward is specified' };
+      }
+
+      if (!this.isValidPort(domainOptions.acmeForward.port)) {
+        return { isValid: false, error: `Invalid ACME forward port: ${domainOptions.acmeForward.port}` };
+      }
+    }
+
+    return { isValid: true };
+  }
+
+  /**
+   * Validates ACME configuration options
+   * 
+   * @param acmeOptions The ACME options to validate
+   * @returns An object with validation result and error message if invalid
+   */
+  public static validateAcmeOptions(acmeOptions: IAcmeOptions): { isValid: boolean; error?: string } {
+    if (!acmeOptions) {
+      return { isValid: false, error: 'ACME options cannot be null or undefined' };
+    }
+
+    if (acmeOptions.enabled) {
+      if (!acmeOptions.accountEmail) {
+        return { isValid: false, error: 'Account email is required when ACME is enabled' };
+      }
+
+      if (!this.isValidEmail(acmeOptions.accountEmail)) {
+        return { isValid: false, error: `Invalid email: ${acmeOptions.accountEmail}` };
+      }
+
+      if (acmeOptions.port && !this.isValidPort(acmeOptions.port)) {
+        return { isValid: false, error: `Invalid ACME port: ${acmeOptions.port}` };
+      }
+
+      if (acmeOptions.httpsRedirectPort && !this.isValidPort(acmeOptions.httpsRedirectPort)) {
+        return { isValid: false, error: `Invalid HTTPS redirect port: ${acmeOptions.httpsRedirectPort}` };
+      }
+
+      if (acmeOptions.renewThresholdDays && acmeOptions.renewThresholdDays < 1) {
+        return { isValid: false, error: 'Renew threshold days must be greater than 0' };
+      }
+
+      if (acmeOptions.renewCheckIntervalHours && acmeOptions.renewCheckIntervalHours < 1) {
+        return { isValid: false, error: 'Renew check interval hours must be greater than 0' };
+      }
+    }
+
+    return { isValid: true };
+  }
+
+  /**
+   * Validates a port number
+   * 
+   * @param port The port to validate
+   * @returns true if the port is valid, false otherwise
+   */
+  public static isValidPort(port: number): boolean {
+    return typeof port === 'number' && port > 0 && port <= 65535 && Number.isInteger(port);
+  }
+
+  /**
+   * Validates a domain name
+   * 
+   * @param domain The domain name to validate
+   * @returns true if the domain name is valid, false otherwise
+   */
+  public static isValidDomainName(domain: string): boolean {
+    if (!domain || typeof domain !== 'string') {
+      return false;
+    }
+
+    // Wildcard domain check (*.example.com)
+    if (domain.startsWith('*.')) {
+      domain = domain.substring(2);
+    }
+
+    // Simple domain validation pattern
+    const domainPattern = /^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$/;
+    return domainPattern.test(domain);
+  }
+
+  /**
+   * Validates an email address
+   * 
+   * @param email The email to validate
+   * @returns true if the email is valid, false otherwise
+   */
+  public static isValidEmail(email: string): boolean {
+    if (!email || typeof email !== 'string') {
+      return false;
+    }
+    
+    // Basic email validation pattern
+    const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    return emailPattern.test(email);
+  }
+
+  /**
+   * Validates a certificate format (PEM)
+   * 
+   * @param cert The certificate content to validate
+   * @returns true if the certificate appears to be in PEM format, false otherwise
+   */
+  public static isValidCertificate(cert: string): boolean {
+    if (!cert || typeof cert !== 'string') {
+      return false;
+    }
+    
+    return cert.includes('-----BEGIN CERTIFICATE-----') && 
+           cert.includes('-----END CERTIFICATE-----');
+  }
+
+  /**
+   * Validates a private key format (PEM)
+   * 
+   * @param key The private key content to validate
+   * @returns true if the key appears to be in PEM format, false otherwise
+   */
+  public static isValidPrivateKey(key: string): boolean {
+    if (!key || typeof key !== 'string') {
+      return false;
+    }
+    
+    return key.includes('-----BEGIN PRIVATE KEY-----') && 
+           key.includes('-----END PRIVATE KEY-----');
+  }
+}