TUN-1099: Bring back changes in 2018.10.1

2025-08-09 19:39:39 +00:00 · 2018-10-08 14:20:28 -05:00
parent 995e773096
commit ca9902a8d1
105 changed files with 13902 additions and 997 deletions
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@@ -0,0 +1,199 @@
+package access
+
+import (
+	"errors"
+	"fmt"
+	"net/url"
+	"os"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/shell"
+	"golang.org/x/net/idna"
+
+	"github.com/cloudflare/cloudflared/log"
+	raven "github.com/getsentry/raven-go"
+	cli "gopkg.in/urfave/cli.v2"
+)
+
+const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
+
+// Flags return the global flags for Access related commands (hopefully none)
+func Flags() []cli.Flag {
+	return []cli.Flag{} // no flags yet.
+}
+
+// Commands returns all the Access related subcommands
+func Commands() []*cli.Command {
+	return []*cli.Command{
+		{
+			Name:     "access",
+			Category: "Access (BETA)",
+			Usage:    "access <subcommand>",
+			Description: `(BETA) Cloudflare Access protects internal resources by securing, authenticating and monitoring access 
+			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are 
+			able to reach sensitive resources. The commands provided here allow you to interact with Access protected 
+			applications from the command line. This feature is considered beta. Your feedback is greatly appreciated!
+			https://cfl.re/CLIAuthBeta`,
+			Subcommands: []*cli.Command{
+				{
+					Name:   "login",
+					Action: login,
+					Usage:  "login <url of access application>",
+					Description: `The login subcommand initiates an authentication flow with your identity provider.
+					The subcommand will launch a browser. For headless systems, a url is provided.
+					Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
+					scoped to your identity, the application you intend to reach, and valid for a session duration set by your 
+					administrator. cloudflared stores the token in local storage.`,
+					Flags: []cli.Flag{
+						&cli.StringFlag{
+							Name:   "url",
+							Hidden: true,
+						},
+					},
+				},
+				{
+					Name:   "curl",
+					Action: curl,
+					Usage:  "curl <args>",
+					Description: `The curl subcommand wraps curl and automatically injects the JWT into a cf-access-token
+					header when using curl to reach an application behind Access.`,
+					ArgsUsage:       "allow-request will allow the curl request to continue even if the jwt is not present.",
+					SkipFlagParsing: true,
+				},
+				{
+					Name:        "token",
+					Action:      token,
+					Usage:       "token -app=<url of access application>",
+					ArgsUsage:   "url of Access application",
+					Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
+					Flags: []cli.Flag{
+						&cli.StringFlag{
+							Name: "app",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+// login pops up the browser window to do the actual login and JWT generation
+func login(c *cli.Context) error {
+	raven.SetDSN(sentryDSN)
+	logger := log.CreateLogger()
+	args := c.Args()
+	appURL, err := url.Parse(args.First())
+	if args.Len() < 1 || err != nil {
+		logger.Errorf("Please provide the url of the Access application\n")
+		return err
+	}
+	if _, err := fetchToken(c, appURL); err != nil {
+		logger.Errorf("Failed to fetch token: %s\n", err)
+		return err
+	}
+
+	return nil
+}
+
+// curl provides a wrapper around curl, passing Access JWT along in request
+func curl(c *cli.Context) error {
+	raven.SetDSN(sentryDSN)
+	logger := log.CreateLogger()
+	args := c.Args()
+	if args.Len() < 1 {
+		logger.Error("Please provide the access app and command you wish to run.")
+		return errors.New("incorrect args")
+	}
+
+	cmdArgs, appURL, allowRequest, err := buildCurlCmdArgs(args.Slice())
+	if err != nil {
+		return err
+	}
+
+	token, err := getTokenIfExists(appURL)
+	if err != nil || token == "" {
+		if allowRequest {
+			logger.Warn("You don't have an Access token set. Please run access token <access application> to fetch one.")
+			return shell.Run("curl", cmdArgs...)
+		}
+		token, err = fetchToken(c, appURL)
+		if err != nil {
+			logger.Error("Failed to refresh token: ", err)
+			return err
+		}
+	}
+
+	cmdArgs = append(cmdArgs, "-H")
+	cmdArgs = append(cmdArgs, fmt.Sprintf("cf-access-token: %s", token))
+	return shell.Run("curl", cmdArgs...)
+}
+
+// token dumps provided token to stdout
+func token(c *cli.Context) error {
+	raven.SetDSN(sentryDSN)
+	appURL, err := url.Parse(c.String("app"))
+	if err != nil || c.NumFlags() < 1 {
+		fmt.Fprintln(os.Stderr, "Please provide a url.")
+		return err
+	}
+	token, err := getTokenIfExists(appURL)
+	if err != nil || token == "" {
+		fmt.Fprintln(os.Stderr, "Unable to find token for provided application. Please run token command to generate token.")
+		return err
+	}
+
+	if _, err := fmt.Fprint(os.Stdout, token); err != nil {
+		fmt.Fprintln(os.Stderr, "Failed to write token to stdout.")
+		return err
+	}
+	return nil
+}
+
+// processURL will preprocess the string (parse to a url, convert to punycode, etc).
+func processURL(s string) (*url.URL, error) {
+	u, err := url.ParseRequestURI(s)
+	if err != nil {
+		return nil, err
+	}
+	host, err := idna.ToASCII(u.Hostname())
+	if err != nil { // we fail to convert to punycode, just return the url we parsed.
+		return u, nil
+	}
+	if u.Port() != "" {
+		u.Host = fmt.Sprintf("%s:%s", host, u.Port())
+	} else {
+		u.Host = host
+	}
+
+	return u, nil
+}
+
+// buildCurlCmdArgs will build the curl cmd args
+func buildCurlCmdArgs(cmdArgs []string) ([]string, *url.URL, bool, error) {
+	allowRequest, iAllowRequest := false, 0
+	var appURL *url.URL
+	for i, arg := range cmdArgs {
+		if arg == "-allow-request" || arg == "-ar" {
+			iAllowRequest = i
+			allowRequest = true
+		}
+
+		u, err := processURL(arg)
+		if err == nil {
+			appURL = u
+			cmdArgs[i] = appURL.String()
+		}
+	}
+
+	if appURL == nil {
+		logger.Error("Please provide a valid URL.")
+		return cmdArgs, appURL, allowRequest, errors.New("invalid url")
+	}
+
+	if allowRequest {
+		// remove from cmdArgs
+		cmdArgs[iAllowRequest] = cmdArgs[len(cmdArgs)-1]
+		cmdArgs = cmdArgs[:len(cmdArgs)-1]
+	}
+
+	return cmdArgs, appURL, allowRequest, nil
+}
--- a/cmd/cloudflared/access/token.go
+++ b/cmd/cloudflared/access/token.go
@@ -0,0 +1,90 @@
+package access
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/transfer"
+	"github.com/cloudflare/cloudflared/log"
+	"github.com/coreos/go-oidc/jose"
+	"github.com/coreos/go-oidc/oidc"
+	homedir "github.com/mitchellh/go-homedir"
+	cli "gopkg.in/urfave/cli.v2"
+)
+
+var logger = log.CreateLogger()
+
+// fetchToken will either load a stored token or generate a new one
+func fetchToken(c *cli.Context, appURL *url.URL) (string, error) {
+	if token, err := getTokenIfExists(appURL); token != "" && err == nil {
+		fmt.Fprintf(os.Stdout, "You have an existing token:\n\n%s\n\n", token)
+		return token, nil
+	}
+
+	path, err := generateFilePathForTokenURL(appURL)
+	if err != nil {
+		return "", err
+	}
+
+	// this weird parameter is the resource name (token) and the key/value
+	// we want to send to the transfer service. the key is token and the value
+	// is blank (basically just the id generated in the transfer service)
+	const resourceName, key, value = "token", "token", ""
+	token, err := transfer.Run(c, appURL, resourceName, key, value, path, true)
+	if err != nil {
+		return "", err
+	}
+
+	fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", string(token))
+	return string(token), nil
+}
+
+// getTokenIfExists will return the token from local storage if it exists
+func getTokenIfExists(url *url.URL) (string, error) {
+	path, err := generateFilePathForTokenURL(url)
+	if err != nil {
+		return "", err
+	}
+	content, err := ioutil.ReadFile(path)
+	if err != nil {
+		return "", err
+	}
+	token, err := jose.ParseJWT(string(content))
+	if err != nil {
+		return "", err
+	}
+
+	claims, err := token.Claims()
+	if err != nil {
+		return "", err
+	}
+	ident, err := oidc.IdentityFromClaims(claims)
+	if err == nil && ident.ExpiresAt.After(time.Now()) {
+		return token.Encode(), nil
+	}
+	return "", err
+}
+
+// generateFilePathForTokenURL will return a filepath for given access application url
+func generateFilePathForTokenURL(url *url.URL) (string, error) {
+	configPath, err := homedir.Expand(config.DefaultConfigDirs[0])
+	if err != nil {
+		return "", err
+	}
+	ok, err := config.FileExists(configPath)
+	if !ok && err == nil {
+		// create config directory if doesn't already exist
+		err = os.Mkdir(configPath, 0700)
+	}
+	if err != nil {
+		return "", err
+	}
+	name := strings.Replace(fmt.Sprintf("%s%s-token", url.Hostname(), url.EscapedPath()), "/", "-", -1)
+	return filepath.Join(configPath, name), nil
+}