mirror of
https://github.com/cloudflare/cloudflared.git
synced 2025-06-18 02:16:35 +00:00
906452a9c9
## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960
88 lines
1.9 KiB
Go
88 lines
1.9 KiB
Go
package credentials
|
|
|
|
import (
|
|
"github.com/pkg/errors"
|
|
"github.com/rs/zerolog"
|
|
|
|
"github.com/cloudflare/cloudflared/cfapi"
|
|
)
|
|
|
|
const (
|
|
logFieldOriginCertPath = "originCertPath"
|
|
FedEndpoint = "fed"
|
|
)
|
|
|
|
type User struct {
|
|
cert *OriginCert
|
|
certPath string
|
|
}
|
|
|
|
func (c User) AccountID() string {
|
|
return c.cert.AccountID
|
|
}
|
|
|
|
func (c User) ZoneID() string {
|
|
return c.cert.ZoneID
|
|
}
|
|
|
|
func (c User) APIToken() string {
|
|
return c.cert.APIToken
|
|
}
|
|
|
|
func (c User) CertPath() string {
|
|
return c.certPath
|
|
}
|
|
|
|
func (c User) IsFEDEndpoint() bool {
|
|
return c.cert.Endpoint == FedEndpoint
|
|
}
|
|
|
|
// Client uses the user credentials to create a Cloudflare API client
|
|
func (c *User) Client(apiURL string, userAgent string, log *zerolog.Logger) (cfapi.Client, error) {
|
|
if apiURL == "" {
|
|
return nil, errors.New("An api-url was not provided for the Cloudflare API client")
|
|
}
|
|
client, err := cfapi.NewRESTClient(
|
|
apiURL,
|
|
c.cert.AccountID,
|
|
c.cert.ZoneID,
|
|
c.cert.APIToken,
|
|
userAgent,
|
|
log,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return client, nil
|
|
}
|
|
|
|
// Read will load and read the origin cert.pem to load the user credentials
|
|
func Read(originCertPath string, log *zerolog.Logger) (*User, error) {
|
|
originCertLog := log.With().
|
|
Str(logFieldOriginCertPath, originCertPath).
|
|
Logger()
|
|
|
|
originCertPath, err := FindOriginCert(originCertPath, &originCertLog)
|
|
if err != nil {
|
|
return nil, errors.Wrap(err, "Error locating origin cert")
|
|
}
|
|
blocks, err := readOriginCert(originCertPath)
|
|
if err != nil {
|
|
return nil, errors.Wrapf(err, "Can't read origin cert from %s", originCertPath)
|
|
}
|
|
|
|
cert, err := decodeOriginCert(blocks)
|
|
if err != nil {
|
|
return nil, errors.Wrap(err, "Error decoding origin cert")
|
|
}
|
|
|
|
if cert.AccountID == "" {
|
|
return nil, errors.Errorf(`Origin certificate needs to be refreshed before creating new tunnels.\nDelete %s and run "cloudflared login" to obtain a new cert.`, originCertPath)
|
|
}
|
|
|
|
return &User{
|
|
cert: cert,
|
|
certPath: originCertPath,
|
|
}, nil
|
|
}
|