hoelee/cloudflared
1
0
Fork 0
mirror of https://github.com/cloudflare/cloudflared.git synced 2025-07-27 00:59:58 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

AUTH-1781: fixed race condition for short lived certs, doc required config

Browse Source
This commit is contained in:
Austin Cherry
2019-05-22 15:41:21 -05:00
parent 4662e40068
commit 25cfffd0d1
4 changed files with 99 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
carrier/carrier.go
View File

@@ -12,15 +12,13 @@ import (
"strings"
"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
"github.com/cloudflare/cloudflared/sshgen"
"github.com/cloudflare/cloudflared/websocket"
"github.com/sirupsen/logrus"
)
type StartOptions struct {
OriginURL string
Headers http.Header
ShouldGenCert bool
OriginURL string
Headers http.Header
}
// StdinoutStream is empty struct for wrapping stdin/stdout
@@ -116,17 +114,11 @@ func createWebsocketStream(options *StartOptions) (*websocket.Conn, error) {
if !strings.Contains(location.String(), "cdn-cgi/access/login") {
return nil, errors.New("not an Access redirect")
}
req, token, err := buildAccessRequest(options.OriginURL)
req, err := buildAccessRequest(options.OriginURL)
if err != nil {
return nil, err
}
if options.ShouldGenCert {
if err := sshgen.GenerateShortLivedCertificate(req.URL, token); err != nil {
return nil, err
}
}
wsConn, _, err = websocket.ClientConnect(req, nil)
if err != nil {
return nil, err
@@ -139,24 +131,24 @@ func createWebsocketStream(options *StartOptions) (*websocket.Conn, error) {
}
// buildAccessRequest builds an HTTP request with the Access token set
func buildAccessRequest(originURL string) (*http.Request, string, error) {
func buildAccessRequest(originURL string) (*http.Request, error) {
req, err := http.NewRequest(http.MethodGet, originURL, nil)
if err != nil {
return nil, "", err
return nil, err
}
token, err := token.FetchToken(req.URL)
if err != nil {
return nil, "", err
return nil, err
}
// We need to create a new request as FetchToken will modify req (boo mutable)
// as it has to follow redirect on the API and such, so here we init a new one
originRequest, err := http.NewRequest(http.MethodGet, originURL, nil)
if err != nil {
return nil, "", err
return nil, err
}
originRequest.Header.Set("cf-access-token", token)
return originRequest, token, nil
return originRequest, nil
}

10
carrier/carrier_test.go
View File

@@ -49,9 +49,8 @@ func TestStartClient(t *testing.T) {
buf := newTestStream()
options := &StartOptions{
OriginURL: "http://" + ts.Listener.Addr().String(),
Headers: nil,
ShouldGenCert: false,
OriginURL: "http://" + ts.Listener.Addr().String(),
Headers: nil,
}
err := StartClient(logger, buf, options)
assert.NoError(t, err)
@@ -73,9 +72,8 @@ func TestStartServer(t *testing.T) {
ts := newTestWebSocketServer()
defer ts.Close()
options := &StartOptions{
OriginURL: "http://" + ts.Listener.Addr().String(),
Headers: nil,
ShouldGenCert: false,
OriginURL: "http://" + ts.Listener.Addr().String(),
Headers: nil,
}
go func() {