AUTH-1557: Short Lived Certs

2025-07-27 19:19:57 +00:00 · 2019-01-23 15:42:10 -06:00
parent 14f50d0922
commit fa17b0200f
36 changed files with 10286 additions and 71 deletions
--- a/cmd/cloudflared/access/carrier.go
+++ b/cmd/cloudflared/access/carrier.go
@@ -17,19 +17,32 @@ import (
 // useful for proxying other protocols (like ssh) over websockets
 // (which you can put Access in front of)
 func ssh(c *cli.Context) error {
-	hostname, err := validation.ValidateHostname(c.String("hostname"))
-	if err != nil || c.String("hostname") == "" {
+	// get the hostname from the cmdline and error out if its not provided
+	rawHostName := c.String(sshHostnameFlag)
+	hostname, err := validation.ValidateHostname(rawHostName)
+	if err != nil || rawHostName == "" {
 		return cli.ShowCommandHelp(c, "ssh")
 	}
-	headers := buildRequestHeaders(c.StringSlice("header"))
-	if c.IsSet("service-token-id") {
-		headers.Add("CF-Access-Client-Id", c.String("service-token-id"))
+	originURL := "https://" + hostname
+
+	// get the headers from the cmdline and add them
+	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
+	if c.IsSet(sshTokenIDFlag) {
+		headers.Add("CF-Access-Client-Id", c.String(sshTokenIDFlag))
 	}
-	if c.IsSet("service-token-secret") {
-		headers.Add("CF-Access-Client-Secret", c.String("service-token-secret"))
+	if c.IsSet(sshTokenSecretFlag) {
+		headers.Add("CF-Access-Client-Secret", c.String(sshTokenSecretFlag))
 	}

-	if c.NArg() > 0 || c.IsSet("url") {
+	genCertBool := c.Bool(sshGenCertFlag)
+
+	options := &carrier.StartOptions{
+		OriginURL:     originURL,
+		Headers:       headers,
+		ShouldGenCert: genCertBool,
+	}
+
+	if c.NArg() > 0 || c.IsSet(sshURLFlag) {
 		localForwarder, err := config.ValidateUrl(c)
 		if err != nil {
 			logger.WithError(err).Error("Error validating origin URL")
@@ -40,10 +53,10 @@ func ssh(c *cli.Context) error {
 			logger.WithError(err).Error("Error validating origin URL")
 			return errors.Wrap(err, "error validating origin URL")
 		}
-		return carrier.StartServer(logger, forwarder.Host, "https://"+hostname, shutdownC, headers)
+		return carrier.StartServer(logger, forwarder.Host, shutdownC, options)
 	}

-	return carrier.StartClient(logger, "https://"+hostname, &carrier.StdinoutStream{}, headers)
+	return carrier.StartClient(logger, &carrier.StdinoutStream{}, options)
 }

 func buildRequestHeaders(values []string) http.Header {
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@@ -16,6 +16,15 @@ import (
 	cli "gopkg.in/urfave/cli.v2"
 )

+const (
+	sshHostnameFlag    = "hostname"
+	sshURLFlag         = "url"
+	sshHeaderFlag      = "header"
+	sshTokenIDFlag     = "service-token-id"
+	sshTokenSecretFlag = "service-token-secret"
+	sshGenCertFlag     = "gen-cert"
+)
+
 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"

 var (
@@ -93,27 +102,31 @@ func Commands() []*cli.Command {
 					Description: `The ssh subcommand sends data over a proxy to the Cloudflare edge.`,
 					Flags: []cli.Flag{
 						&cli.StringFlag{
-							Name:  "hostname",
-							Usage: "specifics the hostname of your application.",
+							Name:  sshHostnameFlag,
+							Usage: "specify the hostname of your application.",
 						},
 						&cli.StringFlag{
-							Name:  "url",
-							Usage: "specifics the host:port to forward data to Cloudflare edge.",
+							Name:  sshURLFlag,
+							Usage: "specify the host:port to forward data to Cloudflare edge.",
 						},
 						&cli.StringSliceFlag{
-							Name:    "header",
+							Name:    sshHeaderFlag,
 							Aliases: []string{"H"},
-							Usage:   "specific additional headers you wish to send.",
+							Usage:   "specify additional headers you wish to send.",
 						},
 						&cli.StringSliceFlag{
-							Name:    "service-token-id",
+							Name:    sshTokenIDFlag,
 							Aliases: []string{"id"},
-							Usage:   "specific an Access service token ID you wish to use.",
+							Usage:   "specify an Access service token ID you wish to use.",
 						},
 						&cli.StringSliceFlag{
-							Name:    "service-token-secret",
+							Name:    sshTokenSecretFlag,
 							Aliases: []string{"secret"},
-							Usage:   "specific an Access service token secret you wish to use.",
+							Usage:   "specify an Access service token secret you wish to use.",
+						},
+						&cli.BoolFlag{
+							Name:  sshGenCertFlag,
+							Usage: "specify if you wish to generate short lived certs.",
 						},
 					},
 				},
--- a/cmd/cloudflared/path/path.go
+++ b/cmd/cloudflared/path/path.go
@@ -0,0 +1,30 @@
+package path
+
+import (
+	"fmt"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
+	"github.com/mitchellh/go-homedir"
+)
+
+// GenerateFilePathFromURL will return a filepath for given access application url
+func GenerateFilePathFromURL(url *url.URL, suffix string) (string, error) {
+	configPath, err := homedir.Expand(config.DefaultConfigDirs[0])
+	if err != nil {
+		return "", err
+	}
+	ok, err := config.FileExists(configPath)
+	if !ok && err == nil {
+		// create config directory if doesn't already exist
+		err = os.Mkdir(configPath, 0700)
+	}
+	if err != nil {
+		return "", err
+	}
+	name := strings.Replace(fmt.Sprintf("%s%s-%s", url.Hostname(), url.EscapedPath(), suffix), "/", "-", -1)
+	return filepath.Join(configPath, name), nil
+}
--- a/cmd/cloudflared/token/token.go
+++ b/cmd/cloudflared/token/token.go
@@ -1,20 +1,19 @@
 package token

 import (
-	"fmt"
 	"io/ioutil"
 	"net/url"
-	"os"
-	"path/filepath"
-	"strings"
 	"time"

-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/path"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/transfer"
 	"github.com/cloudflare/cloudflared/log"
 	"github.com/coreos/go-oidc/jose"
 	"github.com/coreos/go-oidc/oidc"
-	homedir "github.com/mitchellh/go-homedir"
+)
+
+const (
+	keyName = "token"
 )

 var logger = log.CreateLogger()
@@ -25,7 +24,7 @@ func FetchToken(appURL *url.URL) (string, error) {
 		return token, nil
 	}

-	path, err := generateFilePathForTokenURL(appURL)
+	path, err := path.GenerateFilePathFromURL(appURL, keyName)
 	if err != nil {
 		return "", err
 	}
@@ -33,8 +32,7 @@ func FetchToken(appURL *url.URL) (string, error) {
 	// this weird parameter is the resource name (token) and the key/value
 	// we want to send to the transfer service. the key is token and the value
 	// is blank (basically just the id generated in the transfer service)
-	const resourceName, key, value = "token", "token", ""
-	token, err := transfer.Run(appURL, resourceName, key, value, path, true)
+	token, err := transfer.Run(appURL, keyName, keyName, "", path, true)
 	if err != nil {
 		return "", err
 	}
@@ -44,7 +42,7 @@ func FetchToken(appURL *url.URL) (string, error) {

 // GetTokenIfExists will return the token from local storage if it exists
 func GetTokenIfExists(url *url.URL) (string, error) {
-	path, err := generateFilePathForTokenURL(url)
+	path, err := path.GenerateFilePathFromURL(url, keyName)
 	if err != nil {
 		return "", err
 	}
@@ -68,21 +66,3 @@ func GetTokenIfExists(url *url.URL) (string, error) {
 	}
 	return "", err
 }
-
-// generateFilePathForTokenURL will return a filepath for given access application url
-func generateFilePathForTokenURL(url *url.URL) (string, error) {
-	configPath, err := homedir.Expand(config.DefaultConfigDirs[0])
-	if err != nil {
-		return "", err
-	}
-	ok, err := config.FileExists(configPath)
-	if !ok && err == nil {
-		// create config directory if doesn't already exist
-		err = os.Mkdir(configPath, 0700)
-	}
-	if err != nil {
-		return "", err
-	}
-	name := strings.Replace(fmt.Sprintf("%s%s-token", url.Hostname(), url.EscapedPath()), "/", "-", -1)
-	return filepath.Join(configPath, name), nil
-}