implement caching for Express client

Author: GyulyVGC

client_common/src/appguard.ts

@@ -7,11 +7,13 @@ import {AppGuardResponse__Output} from './proto/appguard/AppGuardResponse'
 import {AppGuardTcpConnection} from './proto/appguard/AppGuardTcpConnection'
 import {AppGuardHttpResponse} from './proto/appguard/AppGuardHttpResponse'
 import {AppGuardTcpResponse__Output} from "./proto/appguard/AppGuardTcpResponse";
-import {APP_ID_FILE, APP_SECRET_FILE, FIREWALL_DEFAULTS_FILE, TOKEN_FILE} from "./auth";
+import {APP_ID_FILE, APP_SECRET_FILE, CACHE_FILE, FIREWALL_DEFAULTS_FILE, TOKEN_FILE} from "./auth";
 import {AuthorizationRequest} from "./proto/appguard_commands/AuthorizationRequest";
 import {ClientMessage} from "./proto/appguard_commands/ClientMessage";
 import {ServerMessage__Output} from "./proto/appguard_commands/ServerMessage";
 import {FirewallDefaults, FirewallDefaults__Output} from "./proto/appguard_commands/FirewallDefaults";
+import {Cache, CacheKey} from "./cache";
+import {FirewallPolicy} from "./proto/appguard_commands/FirewallPolicy";
 
 const opts = {includeDirs: [
     'node_modules/@nullnet/appguard-express/node_modules/appguard-client-common/proto/',
@@ -186,6 +188,9 @@ export class AppGuardService {
                 let firewallDefaults: FirewallDefaults = server_msg.setFirewallDefaults;
                 console.log("Received firewall defaults from server:", firewallDefaults);
                 fs.writeFileSync(FIREWALL_DEFAULTS_FILE, JSON.stringify(firewallDefaults), {flag: 'w'});
+                // empty and update cache
+                let cache = new Cache(firewallDefaults.cache);
+                fs.writeFileSync(CACHE_FILE, JSON.stringify(cache), {flag: 'w'});
             }
             if (server_msg.deviceDeauthorized) {
                 // delete saved app secret and app id
@@ -206,9 +211,30 @@ export class AppGuardService {
             }, 10000);
         });
     }
+
+    getFromCache(key: CacheKey) : FirewallPolicy | undefined {
+        let cache = readCache();
+        return cache.get(key);
+    }
+
+    insertToCache(key: CacheKey, policy: FirewallPolicy) {
+        let cache = readCache();
+        cache.insert(key, policy);
+        fs.writeFileSync(CACHE_FILE, JSON.stringify(cache), {flag: 'w'});
+    }
 }
 
 function readFirewallDefaults(): FirewallDefaults {
     let text = fs.readFileSync(FIREWALL_DEFAULTS_FILE, 'utf8');
     return JSON.parse(text);
 }
+
+function readCache(): Cache {
+    let text = fs.readFileSync(CACHE_FILE, 'utf8');
+    if (text.trim() === '') {
+        let firewallDefaults = readFirewallDefaults();
+        return new Cache(firewallDefaults.cache);
+    } else {
+        return JSON.parse(text);
+    }
+}

client_common/src/auth.ts

@@ -8,6 +8,7 @@ export const APP_ID_FILE = process.cwd() + '/../app_id.txt'
 export const APP_SECRET_FILE = process.cwd() + '/../app_secret.txt'
 export const FIREWALL_DEFAULTS_FILE = process.cwd() + '/../firewall_defaults.json'
 export const UUID_FILE = process.cwd() + '/../uuid.txt'
+export const CACHE_FILE = process.cwd() + '/../cache.txt'
 
 const fs = require('fs');
 

client_common/src/cache.ts

@@ -0,0 +1,34 @@
+import {FirewallPolicy} from "./proto/appguard_commands/FirewallPolicy";
+
+export class CacheKey {
+    originalUrl: string;
+    method: string;
+    body: string;
+    sourceIp: string;
+    headers: Record<string, string>;
+    query: Record<string, string>;
+}
+
+export class Cache {
+    private active: boolean;
+    private cache: Map<CacheKey, FirewallPolicy>;
+
+    constructor(active: boolean) {
+        this.active = active;
+        this.cache = new Map<CacheKey, FirewallPolicy>();
+    }
+
+    get(key: CacheKey): FirewallPolicy | undefined {
+        if (this.active) {
+            return this.cache.get(key);
+        } else {
+            return undefined;
+        }
+    }
+
+    insert(key: CacheKey, policy: FirewallPolicy) {
+        if (this.active) {
+            this.cache.set(key, policy);
+        }
+    }
+}

client_common/src/index.ts

@@ -1,4 +1,5 @@
 export {FirewallPolicy} from "./proto/appguard_commands/FirewallPolicy";
 export {AppGuardService} from './appguard';
 export {AuthHandler} from './auth';
-export {AppGuardTcpInfo} from './proto/appguard/AppGuardTcpInfo';
+export {AppGuardTcpInfo} from './proto/appguard/AppGuardTcpInfo';
+export {CacheKey} from './cache';

clients/express/src/express-middleware.ts

@@ -1,5 +1,5 @@
 import { NextFunction, Request, Response, Send } from 'express';
-import { FirewallPolicy, AppGuardTcpInfo, AppGuardService, AuthHandler } from 'appguard-client-common';
+import { FirewallPolicy, AppGuardTcpInfo, AppGuardService, AuthHandler, CacheKey } from 'appguard-client-common';
 
 type ExpressMiddleware = (
   req: Request,
@@ -21,7 +21,8 @@ export const createAppGuardMiddleware = () => {
 
   const attachResponseHandlers = (
     res: Response,
-    tcp_info: AppGuardTcpInfo
+    tcp_info: AppGuardTcpInfo,
+    cacheKey: CacheKey,
   ) => {
     // Storing the original send function
     // @ts-ignore
@@ -49,10 +50,12 @@ export const createAppGuardMiddleware = () => {
       ));
 
       if (handleHTTPResponseResponse.policy === FirewallPolicy.DENY) {
+        appGuardService.insertToCache(cacheKey, FirewallPolicy.DENY);
         // Destroying the socket connection instead of sending the response
         // @ts-ignore
         res.socket?.destroy();
       } else {
+        appGuardService.insertToCache(cacheKey, FirewallPolicy.ALLOW);
         // Intercepting the response.send() call
         // Calling the original send function
         //@ts-expect-error: This function is this context
@@ -72,6 +75,7 @@ export const createAppGuardMiddleware = () => {
         // @ts-ignore
         req.socket.remoteAddress;
 
+
       // console.log(
       //   // @ts-ignore
       //   `Appguard Debug XRI:${req.headers['x-real-ip']} - XFF:${req.headers['x-forwarded-for']} TCP/PROXY:${req.socket.remoteAddress} SRC=${sourceIp}`
@@ -82,6 +86,32 @@ export const createAppGuardMiddleware = () => {
       //   `Appguard Debug From - ${sourceIp} - ${req.method} ${req.originalUrl}`
       // );
 
+        let cacheKey: CacheKey = {
+            // @ts-ignore
+            originalUrl: req.originalUrl,
+            // @ts-ignore
+            method: req.method,
+            // @ts-ignore
+            body: req.body,
+            // @ts-ignore
+            sourceIp: sourceIp,
+            // @ts-ignore
+            headers: req.headers as Record<string, string>,
+            // @ts-ignore
+            query: req.query as Record<string, string>,
+        };
+
+        let cached = appGuardService.getFromCache(cacheKey);
+        if (cached !== undefined) {
+            if (cached === FirewallPolicy.DENY) {
+                // @ts-ignore
+                res.socket?.destroy();
+            } else {
+                next();
+            }
+            return;
+        }
+
       const handleTCPConnectionResponse = await appGuardService.connectionPromise(
           {
               // @ts-ignore
@@ -122,6 +152,7 @@ export const createAppGuardMiddleware = () => {
 
       const policy = handleHTTPRequestResponse.policy;
       if (policy === FirewallPolicy.DENY) {
+        appGuardService.insertToCache(cacheKey, FirewallPolicy.DENY);
         // Destroying the socket connection instead of sending the response
         // @ts-ignore
         res.socket?.destroy();
@@ -130,7 +161,8 @@ export const createAppGuardMiddleware = () => {
         // attach response handlers after we get the req.id
         attachResponseHandlers(
           res,
-          handleTCPConnectionResponse.tcpInfo as AppGuardTcpInfo
+          handleTCPConnectionResponse.tcpInfo as AppGuardTcpInfo,
+          cacheKey
         );
         next();
       }