AUTH-1557: Short Lived Certs

cmd/cloudflared/access/carrier.go

@@ -17,19 +17,32 @@ import (
 // useful for proxying other protocols (like ssh) over websockets
 // (which you can put Access in front of)
 func ssh(c *cli.Context) error {
-	hostname, err := validation.ValidateHostname(c.String("hostname"))
-	if err != nil || c.String("hostname") == "" {
+	// get the hostname from the cmdline and error out if its not provided
+	rawHostName := c.String(sshHostnameFlag)
+	hostname, err := validation.ValidateHostname(rawHostName)
+	if err != nil || rawHostName == "" {
 		return cli.ShowCommandHelp(c, "ssh")
 	}
-	headers := buildRequestHeaders(c.StringSlice("header"))
-	if c.IsSet("service-token-id") {
-		headers.Add("CF-Access-Client-Id", c.String("service-token-id"))
+	originURL := "https://" + hostname
+
+	// get the headers from the cmdline and add them
+	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
+	if c.IsSet(sshTokenIDFlag) {
+		headers.Add("CF-Access-Client-Id", c.String(sshTokenIDFlag))
 	}
-	if c.IsSet("service-token-secret") {
-		headers.Add("CF-Access-Client-Secret", c.String("service-token-secret"))
+	if c.IsSet(sshTokenSecretFlag) {
+		headers.Add("CF-Access-Client-Secret", c.String(sshTokenSecretFlag))
 	}
 
-	if c.NArg() > 0 || c.IsSet("url") {
+	genCertBool := c.Bool(sshGenCertFlag)
+
+	options := &carrier.StartOptions{
+		OriginURL:     originURL,
+		Headers:       headers,
+		ShouldGenCert: genCertBool,
+	}
+
+	if c.NArg() > 0 || c.IsSet(sshURLFlag) {
 		localForwarder, err := config.ValidateUrl(c)
 		if err != nil {
 			logger.WithError(err).Error("Error validating origin URL")
@@ -40,10 +53,10 @@ func ssh(c *cli.Context) error {
 			logger.WithError(err).Error("Error validating origin URL")
 			return errors.Wrap(err, "error validating origin URL")
 		}
-		return carrier.StartServer(logger, forwarder.Host, "https://"+hostname, shutdownC, headers)
+		return carrier.StartServer(logger, forwarder.Host, shutdownC, options)
 	}
 
-	return carrier.StartClient(logger, "https://"+hostname, &carrier.StdinoutStream{}, headers)
+	return carrier.StartClient(logger, &carrier.StdinoutStream{}, options)
 }
 
 func buildRequestHeaders(values []string) http.Header {

cmd/cloudflared/access/cmd.go

@@ -16,6 +16,15 @@ import (
 	cli "gopkg.in/urfave/cli.v2"
 )
 
+const (
+	sshHostnameFlag    = "hostname"
+	sshURLFlag         = "url"
+	sshHeaderFlag      = "header"
+	sshTokenIDFlag     = "service-token-id"
+	sshTokenSecretFlag = "service-token-secret"
+	sshGenCertFlag     = "gen-cert"
+)
+
 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
 
 var (
@@ -93,27 +102,31 @@ func Commands() []*cli.Command {
 					Description: `The ssh subcommand sends data over a proxy to the Cloudflare edge.`,
 					Flags: []cli.Flag{
 						&cli.StringFlag{
-							Name:  "hostname",
-							Usage: "specifics the hostname of your application.",
+							Name:  sshHostnameFlag,
+							Usage: "specify the hostname of your application.",
 						},
 						&cli.StringFlag{
-							Name:  "url",
-							Usage: "specifics the host:port to forward data to Cloudflare edge.",
+							Name:  sshURLFlag,
+							Usage: "specify the host:port to forward data to Cloudflare edge.",
 						},
 						&cli.StringSliceFlag{
-							Name:    "header",
+							Name:    sshHeaderFlag,
 							Aliases: []string{"H"},
-							Usage:   "specific additional headers you wish to send.",
+							Usage:   "specify additional headers you wish to send.",
 						},
 						&cli.StringSliceFlag{
-							Name:    "service-token-id",
+							Name:    sshTokenIDFlag,
 							Aliases: []string{"id"},
-							Usage:   "specific an Access service token ID you wish to use.",
+							Usage:   "specify an Access service token ID you wish to use.",
 						},
 						&cli.StringSliceFlag{
-							Name:    "service-token-secret",
+							Name:    sshTokenSecretFlag,
 							Aliases: []string{"secret"},
-							Usage:   "specific an Access service token secret you wish to use.",
+							Usage:   "specify an Access service token secret you wish to use.",
+						},
+						&cli.BoolFlag{
+							Name:  sshGenCertFlag,
+							Usage: "specify if you wish to generate short lived certs.",
 						},
 					},
 				},