fix(routing): unify route based architecture

2025-05-13 12:48:41 +00:00
parent fe632bde67
commit fcc8cf9caa
46 changed files with 7943 additions and 1332 deletions
--- a/test/core/utils/test.event-system.ts
+++ b/test/core/utils/test.event-system.ts
@ -0,0 +1,202 @@
+import { expect } from '@push.rocks/tapbundle';
+import {
+  EventSystem,
+  ProxyEvents,
+  ComponentType
+} from '../../../ts/core/utils/event-system.js';
+
+// Test event system
+expect.describe('Event System', async () => {
+  let eventSystem: EventSystem;
+  let receivedEvents: any[] = [];
+  
+  // Set up a new event system before each test
+  expect.beforeEach(() => {
+    eventSystem = new EventSystem(ComponentType.SMART_PROXY, 'test-id');
+    receivedEvents = [];
+  });
+  
+  expect.it('should emit certificate events with correct structure', async () => {
+    // Set up listeners
+    eventSystem.on(ProxyEvents.CERTIFICATE_ISSUED, (data) => {
+      receivedEvents.push({
+        type: 'issued',
+        data
+      });
+    });
+    
+    eventSystem.on(ProxyEvents.CERTIFICATE_RENEWED, (data) => {
+      receivedEvents.push({
+        type: 'renewed',
+        data
+      });
+    });
+    
+    // Emit events
+    eventSystem.emitCertificateIssued({
+      domain: 'example.com',
+      certificate: 'cert-content',
+      privateKey: 'key-content',
+      expiryDate: new Date('2025-01-01')
+    });
+    
+    eventSystem.emitCertificateRenewed({
+      domain: 'example.com',
+      certificate: 'new-cert-content',
+      privateKey: 'new-key-content',
+      expiryDate: new Date('2026-01-01'),
+      isRenewal: true
+    });
+    
+    // Verify events
+    expect(receivedEvents.length).to.equal(2);
+    
+    // Check issuance event
+    expect(receivedEvents[0].type).to.equal('issued');
+    expect(receivedEvents[0].data.domain).to.equal('example.com');
+    expect(receivedEvents[0].data.certificate).to.equal('cert-content');
+    expect(receivedEvents[0].data.componentType).to.equal(ComponentType.SMART_PROXY);
+    expect(receivedEvents[0].data.componentId).to.equal('test-id');
+    expect(receivedEvents[0].data.timestamp).to.be.a('number');
+    
+    // Check renewal event
+    expect(receivedEvents[1].type).to.equal('renewed');
+    expect(receivedEvents[1].data.domain).to.equal('example.com');
+    expect(receivedEvents[1].data.isRenewal).to.be.true;
+    expect(receivedEvents[1].data.expiryDate).to.deep.equal(new Date('2026-01-01'));
+  });
+  
+  expect.it('should emit component lifecycle events', async () => {
+    // Set up listeners
+    eventSystem.on(ProxyEvents.COMPONENT_STARTED, (data) => {
+      receivedEvents.push({
+        type: 'started',
+        data
+      });
+    });
+    
+    eventSystem.on(ProxyEvents.COMPONENT_STOPPED, (data) => {
+      receivedEvents.push({
+        type: 'stopped',
+        data
+      });
+    });
+    
+    // Emit events
+    eventSystem.emitComponentStarted('TestComponent', '1.0.0');
+    eventSystem.emitComponentStopped('TestComponent');
+    
+    // Verify events
+    expect(receivedEvents.length).to.equal(2);
+    
+    // Check started event
+    expect(receivedEvents[0].type).to.equal('started');
+    expect(receivedEvents[0].data.name).to.equal('TestComponent');
+    expect(receivedEvents[0].data.version).to.equal('1.0.0');
+    
+    // Check stopped event
+    expect(receivedEvents[1].type).to.equal('stopped');
+    expect(receivedEvents[1].data.name).to.equal('TestComponent');
+  });
+  
+  expect.it('should emit connection events', async () => {
+    // Set up listeners
+    eventSystem.on(ProxyEvents.CONNECTION_ESTABLISHED, (data) => {
+      receivedEvents.push({
+        type: 'established',
+        data
+      });
+    });
+    
+    eventSystem.on(ProxyEvents.CONNECTION_CLOSED, (data) => {
+      receivedEvents.push({
+        type: 'closed',
+        data
+      });
+    });
+    
+    // Emit events
+    eventSystem.emitConnectionEstablished({
+      connectionId: 'conn-123',
+      clientIp: '192.168.1.1',
+      port: 443,
+      isTls: true,
+      domain: 'example.com'
+    });
+    
+    eventSystem.emitConnectionClosed({
+      connectionId: 'conn-123',
+      clientIp: '192.168.1.1',
+      port: 443
+    });
+    
+    // Verify events
+    expect(receivedEvents.length).to.equal(2);
+    
+    // Check established event
+    expect(receivedEvents[0].type).to.equal('established');
+    expect(receivedEvents[0].data.connectionId).to.equal('conn-123');
+    expect(receivedEvents[0].data.clientIp).to.equal('192.168.1.1');
+    expect(receivedEvents[0].data.port).to.equal(443);
+    expect(receivedEvents[0].data.isTls).to.be.true;
+    
+    // Check closed event
+    expect(receivedEvents[1].type).to.equal('closed');
+    expect(receivedEvents[1].data.connectionId).to.equal('conn-123');
+  });
+  
+  expect.it('should support once and off subscription methods', async () => {
+    // Set up a listener that should fire only once
+    eventSystem.once(ProxyEvents.CONNECTION_ESTABLISHED, (data) => {
+      receivedEvents.push({
+        type: 'once',
+        data
+      });
+    });
+    
+    // Set up a persistent listener
+    const persistentHandler = (data: any) => {
+      receivedEvents.push({
+        type: 'persistent',
+        data
+      });
+    };
+    
+    eventSystem.on(ProxyEvents.CONNECTION_ESTABLISHED, persistentHandler);
+    
+    // First event should trigger both listeners
+    eventSystem.emitConnectionEstablished({
+      connectionId: 'conn-1',
+      clientIp: '192.168.1.1',
+      port: 443
+    });
+    
+    // Second event should only trigger the persistent listener
+    eventSystem.emitConnectionEstablished({
+      connectionId: 'conn-2',
+      clientIp: '192.168.1.1',
+      port: 443
+    });
+    
+    // Unsubscribe the persistent listener
+    eventSystem.off(ProxyEvents.CONNECTION_ESTABLISHED, persistentHandler);
+    
+    // Third event should not trigger any listeners
+    eventSystem.emitConnectionEstablished({
+      connectionId: 'conn-3',
+      clientIp: '192.168.1.1',
+      port: 443
+    });
+    
+    // Verify events
+    expect(receivedEvents.length).to.equal(3);
+    expect(receivedEvents[0].type).to.equal('once');
+    expect(receivedEvents[0].data.connectionId).to.equal('conn-1');
+    
+    expect(receivedEvents[1].type).to.equal('persistent');
+    expect(receivedEvents[1].data.connectionId).to.equal('conn-1');
+    
+    expect(receivedEvents[2].type).to.equal('persistent');
+    expect(receivedEvents[2].data.connectionId).to.equal('conn-2');
+  });
+});
--- a/test/core/utils/test.route-utils.ts
+++ b/test/core/utils/test.route-utils.ts
@ -0,0 +1,116 @@
+import { expect } from '@push.rocks/tapbundle';
+import * as routeUtils from '../../../ts/core/utils/route-utils.js';
+
+// Test domain matching
+expect.describe('Route Utils - Domain Matching', async () => {
+  expect.it('should match exact domains', async () => {
+    expect(routeUtils.matchDomain('example.com', 'example.com')).to.be.true;
+  });
+
+  expect.it('should match wildcard domains', async () => {
+    expect(routeUtils.matchDomain('*.example.com', 'sub.example.com')).to.be.true;
+    expect(routeUtils.matchDomain('*.example.com', 'another.sub.example.com')).to.be.true;
+    expect(routeUtils.matchDomain('*.example.com', 'example.com')).to.be.false;
+  });
+
+  expect.it('should match domains case-insensitively', async () => {
+    expect(routeUtils.matchDomain('example.com', 'EXAMPLE.com')).to.be.true;
+  });
+
+  expect.it('should match routes with multiple domain patterns', async () => {
+    expect(routeUtils.matchRouteDomain(['example.com', '*.test.com'], 'example.com')).to.be.true;
+    expect(routeUtils.matchRouteDomain(['example.com', '*.test.com'], 'sub.test.com')).to.be.true;
+    expect(routeUtils.matchRouteDomain(['example.com', '*.test.com'], 'something.else')).to.be.false;
+  });
+});
+
+// Test path matching
+expect.describe('Route Utils - Path Matching', async () => {
+  expect.it('should match exact paths', async () => {
+    expect(routeUtils.matchPath('/api/users', '/api/users')).to.be.true;
+  });
+
+  expect.it('should match wildcard paths', async () => {
+    expect(routeUtils.matchPath('/api/*', '/api/users')).to.be.true;
+    expect(routeUtils.matchPath('/api/*', '/api/products')).to.be.true;
+    expect(routeUtils.matchPath('/api/*', '/something/else')).to.be.false;
+  });
+
+  expect.it('should match complex wildcard patterns', async () => {
+    expect(routeUtils.matchPath('/api/*/details', '/api/users/details')).to.be.true;
+    expect(routeUtils.matchPath('/api/*/details', '/api/products/details')).to.be.true;
+    expect(routeUtils.matchPath('/api/*/details', '/api/users/other')).to.be.false;
+  });
+});
+
+// Test IP matching
+expect.describe('Route Utils - IP Matching', async () => {
+  expect.it('should match exact IPs', async () => {
+    expect(routeUtils.matchIpPattern('192.168.1.1', '192.168.1.1')).to.be.true;
+  });
+
+  expect.it('should match wildcard IPs', async () => {
+    expect(routeUtils.matchIpPattern('192.168.1.*', '192.168.1.100')).to.be.true;
+    expect(routeUtils.matchIpPattern('192.168.1.*', '192.168.2.1')).to.be.false;
+  });
+
+  expect.it('should match CIDR notation', async () => {
+    expect(routeUtils.matchIpPattern('192.168.1.0/24', '192.168.1.100')).to.be.true;
+    expect(routeUtils.matchIpPattern('192.168.1.0/24', '192.168.2.1')).to.be.false;
+  });
+
+  expect.it('should handle IPv6-mapped IPv4 addresses', async () => {
+    expect(routeUtils.matchIpPattern('192.168.1.1', '::ffff:192.168.1.1')).to.be.true;
+  });
+
+  expect.it('should correctly authorize IPs based on allow/block lists', async () => {
+    // With allow and block lists
+    expect(routeUtils.isIpAuthorized('192.168.1.1', ['192.168.1.*'], ['192.168.1.5'])).to.be.true;
+    expect(routeUtils.isIpAuthorized('192.168.1.5', ['192.168.1.*'], ['192.168.1.5'])).to.be.false;
+    
+    // With only allow list
+    expect(routeUtils.isIpAuthorized('192.168.1.1', ['192.168.1.*'])).to.be.true;
+    expect(routeUtils.isIpAuthorized('192.168.2.1', ['192.168.1.*'])).to.be.false;
+    
+    // With only block list
+    expect(routeUtils.isIpAuthorized('192.168.1.5', undefined, ['192.168.1.5'])).to.be.false;
+    expect(routeUtils.isIpAuthorized('192.168.1.1', undefined, ['192.168.1.5'])).to.be.true;
+    
+    // With wildcard in allow list
+    expect(routeUtils.isIpAuthorized('192.168.1.1', ['*'], ['192.168.1.5'])).to.be.true;
+  });
+});
+
+// Test route specificity calculation
+expect.describe('Route Utils - Route Specificity', async () => {
+  expect.it('should calculate route specificity correctly', async () => {
+    const basicRoute = { domains: 'example.com' };
+    const pathRoute = { domains: 'example.com', path: '/api' };
+    const wildcardPathRoute = { domains: 'example.com', path: '/api/*' };
+    const headerRoute = { domains: 'example.com', headers: { 'content-type': 'application/json' } };
+    const complexRoute = { 
+      domains: 'example.com', 
+      path: '/api', 
+      headers: { 'content-type': 'application/json' },
+      clientIp: ['192.168.1.1'] 
+    };
+    
+    // Path routes should have higher specificity than domain-only routes
+    expect(routeUtils.calculateRouteSpecificity(pathRoute))
+      .to.be.greaterThan(routeUtils.calculateRouteSpecificity(basicRoute));
+    
+    // Exact path routes should have higher specificity than wildcard path routes
+    expect(routeUtils.calculateRouteSpecificity(pathRoute))
+      .to.be.greaterThan(routeUtils.calculateRouteSpecificity(wildcardPathRoute));
+    
+    // Routes with headers should have higher specificity than routes without
+    expect(routeUtils.calculateRouteSpecificity(headerRoute))
+      .to.be.greaterThan(routeUtils.calculateRouteSpecificity(basicRoute));
+    
+    // Complex routes should have the highest specificity
+    expect(routeUtils.calculateRouteSpecificity(complexRoute))
+      .to.be.greaterThan(routeUtils.calculateRouteSpecificity(pathRoute));
+    expect(routeUtils.calculateRouteSpecificity(complexRoute))
+      .to.be.greaterThan(routeUtils.calculateRouteSpecificity(headerRoute));
+  });
+});
--- a/test/core/utils/test.shared-security-manager.ts
+++ b/test/core/utils/test.shared-security-manager.ts
@ -0,0 +1,137 @@
+import { expect } from '@push.rocks/tapbundle';
+import { SharedSecurityManager } from '../../../ts/core/utils/shared-security-manager.js';
+import type { IRouteConfig, IRouteContext } from '../../../ts/proxies/smart-proxy/models/route-types.js';
+
+// Test security manager
+expect.describe('Shared Security Manager', async () => {
+  let securityManager: SharedSecurityManager;
+
+  // Set up a new security manager before each test
+  expect.beforeEach(() => {
+    securityManager = new SharedSecurityManager({
+      maxConnectionsPerIP: 5,
+      connectionRateLimitPerMinute: 10
+    });
+  });
+
+  expect.it('should validate IPs correctly', async () => {
+    // Should allow IPs under connection limit
+    expect(securityManager.validateIP('192.168.1.1').allowed).to.be.true;
+    
+    // Track multiple connections
+    for (let i = 0; i < 4; i++) {
+      securityManager.trackConnectionByIP('192.168.1.1', `conn_${i}`);
+    }
+    
+    // Should still allow IPs under connection limit
+    expect(securityManager.validateIP('192.168.1.1').allowed).to.be.true;
+    
+    // Add one more to reach the limit
+    securityManager.trackConnectionByIP('192.168.1.1', 'conn_4');
+    
+    // Should now block IPs over connection limit
+    expect(securityManager.validateIP('192.168.1.1').allowed).to.be.false;
+    
+    // Remove a connection
+    securityManager.removeConnectionByIP('192.168.1.1', 'conn_0');
+    
+    // Should allow again after connection is removed
+    expect(securityManager.validateIP('192.168.1.1').allowed).to.be.true;
+  });
+  
+  expect.it('should authorize IPs based on allow/block lists', async () => {
+    // Test with allow list only
+    expect(securityManager.isIPAuthorized('192.168.1.1', ['192.168.1.*'])).to.be.true;
+    expect(securityManager.isIPAuthorized('192.168.2.1', ['192.168.1.*'])).to.be.false;
+    
+    // Test with block list
+    expect(securityManager.isIPAuthorized('192.168.1.5', ['*'], ['192.168.1.5'])).to.be.false;
+    expect(securityManager.isIPAuthorized('192.168.1.1', ['*'], ['192.168.1.5'])).to.be.true;
+    
+    // Test with both allow and block lists
+    expect(securityManager.isIPAuthorized('192.168.1.1', ['192.168.1.*'], ['192.168.1.5'])).to.be.true;
+    expect(securityManager.isIPAuthorized('192.168.1.5', ['192.168.1.*'], ['192.168.1.5'])).to.be.false;
+  });
+  
+  expect.it('should validate route access', async () => {
+    // Create test route with IP restrictions
+    const route: IRouteConfig = {
+      match: { ports: 443 },
+      action: { type: 'forward', target: { host: 'localhost', port: 8080 } },
+      security: {
+        ipAllowList: ['192.168.1.*'],
+        ipBlockList: ['192.168.1.5']
+      }
+    };
+    
+    // Create test contexts
+    const allowedContext: IRouteContext = {
+      port: 443,
+      clientIp: '192.168.1.1',
+      serverIp: 'localhost',
+      isTls: true,
+      timestamp: Date.now(),
+      connectionId: 'test_conn_1'
+    };
+    
+    const blockedContext: IRouteContext = {
+      port: 443,
+      clientIp: '192.168.1.5',
+      serverIp: 'localhost',
+      isTls: true,
+      timestamp: Date.now(),
+      connectionId: 'test_conn_2'
+    };
+    
+    const outsideContext: IRouteContext = {
+      port: 443,
+      clientIp: '192.168.2.1',
+      serverIp: 'localhost',
+      isTls: true,
+      timestamp: Date.now(),
+      connectionId: 'test_conn_3'
+    };
+    
+    // Test route access
+    expect(securityManager.isAllowed(route, allowedContext)).to.be.true;
+    expect(securityManager.isAllowed(route, blockedContext)).to.be.false;
+    expect(securityManager.isAllowed(route, outsideContext)).to.be.false;
+  });
+  
+  expect.it('should validate basic auth', async () => {
+    // Create test route with basic auth
+    const route: IRouteConfig = {
+      match: { ports: 443 },
+      action: { type: 'forward', target: { host: 'localhost', port: 8080 } },
+      security: {
+        basicAuth: {
+          enabled: true,
+          users: [
+            { username: 'user1', password: 'pass1' },
+            { username: 'user2', password: 'pass2' }
+          ],
+          realm: 'Test Realm'
+        }
+      }
+    };
+    
+    // Test valid credentials
+    const validAuth = 'Basic ' + Buffer.from('user1:pass1').toString('base64');
+    expect(securityManager.validateBasicAuth(route, validAuth)).to.be.true;
+    
+    // Test invalid credentials
+    const invalidAuth = 'Basic ' + Buffer.from('user1:wrongpass').toString('base64');
+    expect(securityManager.validateBasicAuth(route, invalidAuth)).to.be.false;
+    
+    // Test missing auth header
+    expect(securityManager.validateBasicAuth(route)).to.be.false;
+    
+    // Test malformed auth header
+    expect(securityManager.validateBasicAuth(route, 'malformed')).to.be.false;
+  });
+  
+  // Clean up resources after tests
+  expect.afterEach(() => {
+    securityManager.clearIPTracking();
+  });
+});