Add db-connect, a SQL over HTTPS server

2025-07-27 00:29:58 +00:00 · 2019-11-12 10:50:41 -08:00
parent 13bf65ce4e
commit 759cd019be
396 changed files with 362808 additions and 649 deletions
--- a/validation/validation.go
+++ b/validation/validation.go
@@ -1,6 +1,7 @@
 package validation

 import (
+	"context"
 	"fmt"
 	"net"
 	"net/url"
@@ -11,13 +12,19 @@ import (

 	"github.com/pkg/errors"
 	"golang.org/x/net/idna"
+	"gopkg.in/coreos/go-oidc.v2"
 )

-const defaultScheme = "http"
+const (
+	defaultScheme   = "http"
+	accessDomain    = "cloudflareaccess.com"
+	accessCertPath  = "/cdn-cgi/access/certs"
+	accessJwtHeader = "Cf-access-jwt-assertion"
+)

 var (
 	supportedProtocols = []string{"http", "https", "rdp"}
-	validationTimeout = time.Duration(30 * time.Second)
+	validationTimeout  = time.Duration(30 * time.Second)
 )

 func ValidateHostname(hostname string) (string, error) {
@@ -197,3 +204,50 @@ func toggleProtocol(httpProtocol string) string {
 		return httpProtocol
 	}
 }
+
+// Access checks if a JWT from Cloudflare Access is valid.
+type Access struct {
+	verifier *oidc.IDTokenVerifier
+}
+
+func NewAccessValidator(ctx context.Context, domain, issuer, applicationAUD string) (*Access, error) {
+	domainURL, err := ValidateUrl(domain)
+	if err != nil {
+		return nil, err
+	}
+
+	issuerURL, err := ValidateUrl(issuer)
+	if err != nil {
+		return nil, err
+	}
+
+	// An issuerURL from Cloudflare Access will always use HTTPS.
+	issuerURL = strings.Replace(issuerURL, "http:", "https:", 1)
+
+	keySet := oidc.NewRemoteKeySet(ctx, domainURL+accessCertPath)
+	return &Access{oidc.NewVerifier(issuerURL, keySet, &oidc.Config{ClientID: applicationAUD})}, nil
+}
+
+func (a *Access) Validate(ctx context.Context, jwt string) error {
+	token, err := a.verifier.Verify(ctx, jwt)
+
+	if err != nil {
+		return errors.Wrapf(err, "token is invalid: %s", jwt)
+	}
+
+	// Perform extra sanity checks, just to be safe.
+
+	if token == nil {
+		return fmt.Errorf("token is nil: %s", jwt)
+	}
+
+	if !strings.HasSuffix(token.Issuer, accessDomain) {
+		return fmt.Errorf("token has non-cloudflare issuer of %s: %s", token.Issuer, jwt)
+	}
+
+	return nil
+}
+
+func (a *Access) ValidateRequest(ctx context.Context, r *http.Request) error {
+	return a.Validate(ctx, r.Header.Get(accessJwtHeader))
+}
--- a/validation/validation_test.go
+++ b/validation/validation_test.go
@@ -320,6 +320,39 @@ func TestValidateHTTPService_NonResponsiveOrigin(t *testing.T) {
 	}
 }

+func TestNewAccessValidatorOk(t *testing.T) {
+	ctx := context.Background()
+	url := "test.cloudflareaccess.com"
+	access, err := NewAccessValidator(ctx, url, url, "")
+
+	assert.NoError(t, err)
+	assert.NotNil(t, access)
+
+	assert.Error(t, access.Validate(ctx, ""))
+	assert.Error(t, access.Validate(ctx, "invalid"))
+
+	req := httptest.NewRequest("GET", "https://test.cloudflareaccess.com", nil)
+	req.Header.Set(accessJwtHeader, "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")
+	assert.Error(t, access.ValidateRequest(ctx, req))
+}
+
+func TestNewAccessValidatorErr(t *testing.T) {
+	ctx := context.Background()
+
+	urls := []string{
+		"",
+		"tcp://test.cloudflareaccess.com",
+		"wss://cloudflarenone.com",
+	}
+
+	for _, url := range urls {
+		access, err := NewAccessValidator(ctx, url, url, "")
+
+		assert.Error(t, err, url)
+		assert.Nil(t, access)
+	}
+}
+
 type testRoundTripper func(req *http.Request) (*http.Response, error)

 func (f testRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {