AUTH-2394 added socks5 proxy

carrier/websocket.go

@@ -0,0 +1,137 @@
+package carrier
+
+import (
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
+	"github.com/cloudflare/cloudflared/socks"
+	cfwebsocket "github.com/cloudflare/cloudflared/websocket"
+	"github.com/gorilla/websocket"
+	"github.com/sirupsen/logrus"
+)
+
+// Websocket is used to carry data via WS binary frames over the tunnel from client to the origin
+// This implements the functions for glider proxy (sock5) and the carrier interface
+type Websocket struct {
+	logger  *logrus.Logger
+	isSocks bool
+}
+
+type wsdialer struct {
+	conn *cfwebsocket.Conn
+}
+
+func (d *wsdialer) Dial(address string) (io.ReadWriteCloser, *socks.AddrSpec, error) {
+	local, ok := d.conn.LocalAddr().(*net.TCPAddr)
+	if !ok {
+		return nil, nil, fmt.Errorf("not a tcp connection")
+	}
+
+	addr := socks.AddrSpec{IP: local.IP, Port: local.Port}
+	return d.conn, &addr, nil
+}
+
+// NewWSConnection returns a new connection object
+func NewWSConnection(logger *logrus.Logger, isSocks bool) Connection {
+	return &Websocket{
+		logger:  logger,
+		isSocks: isSocks,
+	}
+}
+
+// ServeStream will create a Websocket client stream connection to the edge
+// it blocks and writes the raw data from conn over the tunnel
+func (ws *Websocket) ServeStream(options *StartOptions, conn io.ReadWriter) error {
+	wsConn, err := createWebsocketStream(options)
+	if err != nil {
+		ws.logger.WithError(err).Errorf("failed to connect to %s", options.OriginURL)
+		return err
+	}
+	defer wsConn.Close()
+
+	if ws.isSocks {
+		dialer := &wsdialer{conn: wsConn}
+		requestHandler := socks.NewRequestHandler(dialer)
+		socksServer := socks.NewConnectionHandler(requestHandler)
+
+		socksServer.Serve(conn)
+	} else {
+		cfwebsocket.Stream(wsConn, conn)
+	}
+	return nil
+}
+
+// StartServer creates a Websocket server to listen for connections.
+// This is used on the origin (tunnel) side to take data from the muxer and send it to the origin
+func (ws *Websocket) StartServer(listener net.Listener, remote string, shutdownC <-chan struct{}) error {
+	return cfwebsocket.StartProxyServer(ws.logger, listener, remote, shutdownC, cfwebsocket.DefaultStreamHandler)
+}
+
+// createWebsocketStream will create a WebSocket connection to stream data over
+// It also handles redirects from Access and will present that flow if
+// the token is not present on the request
+func createWebsocketStream(options *StartOptions) (*cfwebsocket.Conn, error) {
+	req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header = options.Headers
+
+	wsConn, resp, err := cfwebsocket.ClientConnect(req, nil)
+	defer closeRespBody(resp)
+	if err != nil && IsAccessResponse(resp) {
+		wsConn, err = createAccessAuthenticatedStream(options)
+		if err != nil {
+			return nil, err
+		}
+	} else if err != nil {
+		return nil, err
+	}
+
+	return &cfwebsocket.Conn{Conn: wsConn}, nil
+}
+
+// createAccessAuthenticatedStream will try load a token from storage and make
+// a connection with the token set on the request. If it still get redirect,
+// this probably means the token in storage is invalid (expired/revoked). If that
+// happens it deletes the token and runs the connection again, so the user can
+// login again and generate a new one.
+func createAccessAuthenticatedStream(options *StartOptions) (*websocket.Conn, error) {
+	wsConn, resp, err := createAccessWebSocketStream(options)
+	defer closeRespBody(resp)
+	if err == nil {
+		return wsConn, nil
+	}
+
+	if !IsAccessResponse(resp) {
+		return nil, err
+	}
+
+	// Access Token is invalid for some reason. Go through regen flow
+	originReq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	if err := token.RemoveTokenIfExists(originReq.URL); err != nil {
+		return nil, err
+	}
+	wsConn, resp, err = createAccessWebSocketStream(options)
+	defer closeRespBody(resp)
+	if err != nil {
+		return nil, err
+	}
+
+	return wsConn, nil
+}
+
+// createAccessWebSocketStream builds an Access request and makes a connection
+func createAccessWebSocketStream(options *StartOptions) (*websocket.Conn, *http.Response, error) {
+	req, err := BuildAccessRequest(options)
+	if err != nil {
+		return nil, nil, err
+	}
+	return cfwebsocket.ClientConnect(req, nil)
+}