AUTH-1188: UX Review and Changes for CLI SSH Access

cmd/cloudflared/access/carrier.go

@@ -0,0 +1,38 @@
+package access
+
+import (
+	"net/url"
+
+	"github.com/cloudflare/cloudflared/carrier"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
+	"github.com/cloudflare/cloudflared/validation"
+	"github.com/pkg/errors"
+	cli "gopkg.in/urfave/cli.v2"
+)
+
+// ssh will start a WS proxy server for server mode
+// or copy from stdin/stdout for client mode
+// useful for proxying other protocols (like ssh) over websockets
+// (which you can put Access in front of)
+func ssh(c *cli.Context) error {
+	hostname, err := validation.ValidateHostname(c.String("hostname"))
+	if err != nil || c.String("hostname") == "" {
+		return cli.ShowCommandHelp(c, "ssh")
+	}
+
+	if c.NArg() > 0 || c.IsSet("url") {
+		localForwarder, err := config.ValidateUrl(c)
+		if err != nil {
+			logger.WithError(err).Error("Error validating origin URL")
+			return errors.Wrap(err, "error validating origin URL")
+		}
+		forwarder, err := url.Parse(localForwarder)
+		if err != nil {
+			logger.WithError(err).Error("Error validating origin URL")
+			return errors.Wrap(err, "error validating origin URL")
+		}
+		return carrier.StartServer(logger, forwarder.Host, "https://"+hostname, shutdownC)
+	}
+
+	return carrier.StartClient(logger, "https://"+hostname, &carrier.StdinoutStream{})
+}

cmd/cloudflared/access/cmd.go

@@ -7,6 +7,7 @@ import (
 	"os"
 
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/shell"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
 	"golang.org/x/net/idna"
 
 	"github.com/cloudflare/cloudflared/log"
@@ -16,6 +17,17 @@ import (
 
 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
 
+var (
+	logger         = log.CreateLogger()
+	shutdownC      chan struct{}
+	graceShutdownC chan struct{}
+)
+
+// Init will initialize and store vars from the main program
+func Init(s, g chan struct{}) {
+	shutdownC, graceShutdownC = s, g
+}
+
 // Flags return the global flags for Access related commands (hopefully none)
 func Flags() []cli.Flag {
 	return []cli.Flag{} // no flags yet.
@@ -61,7 +73,7 @@ func Commands() []*cli.Command {
 				},
 				{
 					Name:        "token",
-					Action:      token,
+					Action:      generateToken,
 					Usage:       "token -app=<url of access application>",
 					ArgsUsage:   "url of Access application",
 					Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
@@ -71,6 +83,30 @@ func Commands() []*cli.Command {
 						},
 					},
 				},
+				{
+					Name:        "ssh",
+					Action:      ssh,
+					Usage:       "",
+					ArgsUsage:   "",
+					Description: `The ssh subcommand sends data over a proxy to the Cloudflare edge.`,
+					Hidden:      true,
+					Flags: []cli.Flag{
+						&cli.StringFlag{
+							Name: "hostname",
+						},
+						&cli.StringFlag{
+							Name:   "url",
+							Hidden: true,
+						},
+					},
+				},
+				{
+					Name:        "ssh-config",
+					Action:      sshConfig,
+					Usage:       "ssh-config",
+					Description: `Prints an example configuration ~/.ssh/config`,
+					Hidden:      true,
+				},
 			},
 		},
 	}
@@ -86,7 +122,7 @@ func login(c *cli.Context) error {
 		logger.Errorf("Please provide the url of the Access application\n")
 		return err
 	}
-	token, err := FetchToken(appURL)
+	token, err := token.FetchToken(appURL)
 	if err != nil {
 		logger.Errorf("Failed to fetch token: %s\n", err)
 		return err
@@ -111,13 +147,13 @@ func curl(c *cli.Context) error {
 		return err
 	}
 
-	token, err := getTokenIfExists(appURL)
-	if err != nil || token == "" {
+	tok, err := token.GetTokenIfExists(appURL)
+	if err != nil || tok == "" {
 		if allowRequest {
 			logger.Warn("You don't have an Access token set. Please run access token <access application> to fetch one.")
 			return shell.Run("curl", cmdArgs...)
 		}
-		token, err = FetchToken(appURL)
+		tok, err = token.FetchToken(appURL)
 		if err != nil {
 			logger.Error("Failed to refresh token: ", err)
 			return err
@@ -125,31 +161,39 @@ func curl(c *cli.Context) error {
 	}
 
 	cmdArgs = append(cmdArgs, "-H")
-	cmdArgs = append(cmdArgs, fmt.Sprintf("cf-access-token: %s", token))
+	cmdArgs = append(cmdArgs, fmt.Sprintf("cf-access-token: %s", tok))
 	return shell.Run("curl", cmdArgs...)
 }
 
 // token dumps provided token to stdout
-func token(c *cli.Context) error {
+func generateToken(c *cli.Context) error {
 	raven.SetDSN(sentryDSN)
 	appURL, err := url.Parse(c.String("app"))
 	if err != nil || c.NumFlags() < 1 {
 		fmt.Fprintln(os.Stderr, "Please provide a url.")
 		return err
 	}
-	token, err := getTokenIfExists(appURL)
-	if err != nil || token == "" {
+	tok, err := token.GetTokenIfExists(appURL)
+	if err != nil || tok == "" {
 		fmt.Fprintln(os.Stderr, "Unable to find token for provided application. Please run token command to generate token.")
 		return err
 	}
 
-	if _, err := fmt.Fprint(os.Stdout, token); err != nil {
+	if _, err := fmt.Fprint(os.Stdout, tok); err != nil {
 		fmt.Fprintln(os.Stderr, "Failed to write token to stdout.")
 		return err
 	}
 	return nil
 }
 
+// sshConfig prints an example SSH config to stdout
+func sshConfig(c *cli.Context) error {
+	_, err := os.Stdout.Write([]byte(`Add this configuration block to your $HOME/.ssh/config
+		Host <your hostname>
+		    ProxyCommand cloudflared access ssh --hostname %h` + "\n"))
+	return err
+}
+
 // processURL will preprocess the string (parse to a url, convert to punycode, etc).
 func processURL(s string) (*url.URL, error) {
 	u, err := url.ParseRequestURI(s)

cmd/cloudflared/access/token.go

@@ -1,87 +0,0 @@
-package access
-
-import (
-	"fmt"
-	"io/ioutil"
-	"net/url"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/transfer"
-	"github.com/cloudflare/cloudflared/log"
-	"github.com/coreos/go-oidc/jose"
-	"github.com/coreos/go-oidc/oidc"
-	homedir "github.com/mitchellh/go-homedir"
-)
-
-var logger = log.CreateLogger()
-
-// FetchToken will either load a stored token or generate a new one
-func FetchToken(appURL *url.URL) (string, error) {
-	if token, err := getTokenIfExists(appURL); token != "" && err == nil {
-		return token, nil
-	}
-
-	path, err := generateFilePathForTokenURL(appURL)
-	if err != nil {
-		return "", err
-	}
-
-	// this weird parameter is the resource name (token) and the key/value
-	// we want to send to the transfer service. the key is token and the value
-	// is blank (basically just the id generated in the transfer service)
-	const resourceName, key, value = "token", "token", ""
-	token, err := transfer.Run(appURL, resourceName, key, value, path, true)
-	if err != nil {
-		return "", err
-	}
-
-	return string(token), nil
-}
-
-// getTokenIfExists will return the token from local storage if it exists
-func getTokenIfExists(url *url.URL) (string, error) {
-	path, err := generateFilePathForTokenURL(url)
-	if err != nil {
-		return "", err
-	}
-	content, err := ioutil.ReadFile(path)
-	if err != nil {
-		return "", err
-	}
-	token, err := jose.ParseJWT(string(content))
-	if err != nil {
-		return "", err
-	}
-
-	claims, err := token.Claims()
-	if err != nil {
-		return "", err
-	}
-	ident, err := oidc.IdentityFromClaims(claims)
-	if err == nil && ident.ExpiresAt.After(time.Now()) {
-		return token.Encode(), nil
-	}
-	return "", err
-}
-
-// generateFilePathForTokenURL will return a filepath for given access application url
-func generateFilePathForTokenURL(url *url.URL) (string, error) {
-	configPath, err := homedir.Expand(config.DefaultConfigDirs[0])
-	if err != nil {
-		return "", err
-	}
-	ok, err := config.FileExists(configPath)
-	if !ok && err == nil {
-		// create config directory if doesn't already exist
-		err = os.Mkdir(configPath, 0700)
-	}
-	if err != nil {
-		return "", err
-	}
-	name := strings.Replace(fmt.Sprintf("%s%s-token", url.Hostname(), url.EscapedPath()), "/", "-", -1)
-	return filepath.Join(configPath, name), nil
-}