cloudflared-mirror/credentials/origin_cert.go

package credentials

import (
	"bytes"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
	"strings"

	"github.com/mitchellh/go-homedir"
	"github.com/rs/zerolog"

	"github.com/cloudflare/cloudflared/config"
)

const (
	DefaultCredentialFile = "cert.pem"
)

type OriginCert struct {
	ZoneID    string `json:"zoneID"`
	AccountID string `json:"accountID"`
	APIToken  string `json:"apiToken"`
	Endpoint  string `json:"endpoint,omitempty"`
}

func (oc *OriginCert) UnmarshalJSON(data []byte) error {
	var aux struct {
		ZoneID    string `json:"zoneID"`
		AccountID string `json:"accountID"`
		APIToken  string `json:"apiToken"`
		Endpoint  string `json:"endpoint,omitempty"`
	}
	if err := json.Unmarshal(data, &aux); err != nil {
		return fmt.Errorf("error parsing OriginCert: %v", err)
	}
	oc.ZoneID = aux.ZoneID
	oc.AccountID = aux.AccountID
	oc.APIToken = aux.APIToken
	oc.Endpoint = strings.ToLower(aux.Endpoint)
	return nil
}

// FindDefaultOriginCertPath returns the first path that contains a cert.pem file. If none of the
// DefaultConfigSearchDirectories contains a cert.pem file, return empty string
func FindDefaultOriginCertPath() string {
	for _, defaultConfigDir := range config.DefaultConfigSearchDirectories() {
		originCertPath, _ := homedir.Expand(filepath.Join(defaultConfigDir, DefaultCredentialFile))
		if ok := fileExists(originCertPath); ok {
			return originCertPath
		}
	}
	return ""
}

func DecodeOriginCert(blocks []byte) (*OriginCert, error) {
	return decodeOriginCert(blocks)
}

func (cert *OriginCert) EncodeOriginCert() ([]byte, error) {
	if cert == nil {
		return nil, fmt.Errorf("originCert cannot be nil")
	}
	buffer, err := json.Marshal(cert)
	if err != nil {
		return nil, fmt.Errorf("originCert marshal failed: %v", err)
	}
	block := pem.Block{
		Type:    "ARGO TUNNEL TOKEN",
		Headers: map[string]string{},
		Bytes:   buffer,
	}
	var out bytes.Buffer
	err = pem.Encode(&out, &block)
	if err != nil {
		return nil, fmt.Errorf("pem encoding failed: %v", err)
	}
	return out.Bytes(), nil
}

func decodeOriginCert(blocks []byte) (*OriginCert, error) {
	if len(blocks) == 0 {
		return nil, fmt.Errorf("cannot decode empty certificate")
	}
	originCert := OriginCert{}
	block, rest := pem.Decode(blocks)
	for block != nil {
		switch block.Type {
		case "PRIVATE KEY", "CERTIFICATE":
			// this is for legacy purposes.
		case "ARGO TUNNEL TOKEN":
			if originCert.ZoneID != "" || originCert.APIToken != "" {
				return nil, fmt.Errorf("found multiple tokens in the certificate")
			}
			// The token is a string,
			// Try the newer JSON format
			_ = json.Unmarshal(block.Bytes, &originCert)
		default:
			return nil, fmt.Errorf("unknown block %s in the certificate", block.Type)
		}
		block, rest = pem.Decode(rest)
	}

	if originCert.ZoneID == "" || originCert.APIToken == "" {
		return nil, fmt.Errorf("missing token in the certificate")
	}

	return &originCert, nil
}

func readOriginCert(originCertPath string) ([]byte, error) {
	originCert, err := os.ReadFile(originCertPath)
	if err != nil {
		return nil, fmt.Errorf("cannot read %s to load origin certificate", originCertPath)
	}

	return originCert, nil
}

// FindOriginCert will check to make sure that the certificate exists at the specified file path.
func FindOriginCert(originCertPath string, log *zerolog.Logger) (string, error) {
	if originCertPath == "" {
		log.Error().Msgf("Cannot determine default origin certificate path. No file %s in %v. You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable", DefaultCredentialFile, config.DefaultConfigSearchDirectories())
		return "", fmt.Errorf("client didn't specify origincert path")
	}
	var err error
	originCertPath, err = homedir.Expand(originCertPath)
	if err != nil {
		log.Err(err).Msgf("Cannot resolve origin certificate path")
		return "", fmt.Errorf("cannot resolve path %s", originCertPath)
	}
	// Check that the user has acquired a certificate using the login command
	ok := fileExists(originCertPath)
	if !ok {
		log.Error().Msgf(`Cannot find a valid certificate for your origin at the path:

    %s

If the path above is wrong, specify the path with the -origincert option.
If you don't have a certificate signed by Cloudflare, run the command:

	cloudflared login
`, originCertPath)
		return "", fmt.Errorf("cannot find a valid certificate at the path %s", originCertPath)
	}

	return originCertPath, nil
}

// FileExists checks to see if a file exist at the provided path.
func fileExists(path string) bool {
	fileStat, err := os.Stat(path)
	if err != nil {
		return false
	}
	return !fileStat.IsDir()
}
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			`package credentials`

			`import (`
TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			`"bytes"`
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			`"encoding/json"`
			`"encoding/pem"`
			`"fmt"`
			`"os"`
			`"path/filepath"`
TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			`"strings"`
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00
			`"github.com/mitchellh/go-homedir"`
			`"github.com/rs/zerolog"`

			`"github.com/cloudflare/cloudflared/config"`
			`)`

			`const (`
			`DefaultCredentialFile = "cert.pem"`
			`)`

TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			`type OriginCert struct {`
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			ZoneID string `json:"zoneID"`
			AccountID string `json:"accountID"`
			APIToken string `json:"apiToken"`
TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			Endpoint string `json:"endpoint,omitempty"`
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			`}`

TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			`func (oc *OriginCert) UnmarshalJSON(data []byte) error {`
			`var aux struct {`
			ZoneID string `json:"zoneID"`
			AccountID string `json:"accountID"`
			APIToken string `json:"apiToken"`
			Endpoint string `json:"endpoint,omitempty"`
			`}`
			`if err := json.Unmarshal(data, &aux); err != nil {`
			`return fmt.Errorf("error parsing OriginCert: %v", err)`
			`}`
			`oc.ZoneID = aux.ZoneID`
			`oc.AccountID = aux.AccountID`
			`oc.APIToken = aux.APIToken`
			`oc.Endpoint = strings.ToLower(aux.Endpoint)`
			`return nil`
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			`}`

			`// FindDefaultOriginCertPath returns the first path that contains a cert.pem file. If none of the`
			`// DefaultConfigSearchDirectories contains a cert.pem file, return empty string`
			`func FindDefaultOriginCertPath() string {`
			`for _, defaultConfigDir := range config.DefaultConfigSearchDirectories() {`
			`originCertPath, _ := homedir.Expand(filepath.Join(defaultConfigDir, DefaultCredentialFile))`
			`if ok := fileExists(originCertPath); ok {`
			`return originCertPath`
			`}`
			`}`
			`return ""`
			`}`

TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			`func DecodeOriginCert(blocks []byte) (*OriginCert, error) {`
			`return decodeOriginCert(blocks)`
			`}`

			`func (cert *OriginCert) EncodeOriginCert() ([]byte, error) {`
			`if cert == nil {`
			`return nil, fmt.Errorf("originCert cannot be nil")`
			`}`
			`buffer, err := json.Marshal(cert)`
			`if err != nil {`
			`return nil, fmt.Errorf("originCert marshal failed: %v", err)`
			`}`
			`block := pem.Block{`
			`Type: "ARGO TUNNEL TOKEN",`
			`Headers: map[string]string{},`
			`Bytes: buffer,`
			`}`
			`var out bytes.Buffer`
			`err = pem.Encode(&out, &block)`
			`if err != nil {`
			`return nil, fmt.Errorf("pem encoding failed: %v", err)`
			`}`
			`return out.Bytes(), nil`
			`}`

TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			`func decodeOriginCert(blocks []byte) (*OriginCert, error) {`
			`if len(blocks) == 0 {`
TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			`return nil, fmt.Errorf("cannot decode empty certificate")`
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			`}`
			`originCert := OriginCert{}`
			`block, rest := pem.Decode(blocks)`
TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			`for block != nil {`
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			`switch block.Type {`
			`case "PRIVATE KEY", "CERTIFICATE":`
			`// this is for legacy purposes.`
			`case "ARGO TUNNEL TOKEN":`
			`if originCert.ZoneID != "" \|\| originCert.APIToken != "" {`
TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			`return nil, fmt.Errorf("found multiple tokens in the certificate")`
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			`}`
			`// The token is a string,`
			`// Try the newer JSON format`
TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			`_ = json.Unmarshal(block.Bytes, &originCert)`
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			`default:`
TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			`return nil, fmt.Errorf("unknown block %s in the certificate", block.Type)`
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			`}`
			`block, rest = pem.Decode(rest)`
			`}`

			`if originCert.ZoneID == "" \|\| originCert.APIToken == "" {`
TUN-8960: Connect to FED API GW based on the OriginCert's endpoint ## Summary Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo. At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else. * Introduces the new field, endpoint, in OriginCert * Refactors login to remove the private key and certificate which are no longer used * Login will only store the Argo Tunnel Token * Remove namedTunnelToken as it was only used to for serialization Closes TUN-8960 2025-02-25 17:13:33 +00:00			`return nil, fmt.Errorf("missing token in the certificate")`
TUN-7134: Acquire token for cloudflared tail cloudflared tail will now fetch the management token from by making a request to the Cloudflare API using the cert.pem (acquired from cloudflared login). Refactored some of the credentials code into it's own package as to allow for easier use between subcommands outside of `cloudflared tunnel`. 2023-04-12 16:43:38 +00:00			`}`

			`return &originCert, nil`
			`}`

			`func readOriginCert(originCertPath string) ([]byte, error) {`
			`originCert, err := os.ReadFile(originCertPath)`
			`if err != nil {`
			`return nil, fmt.Errorf("cannot read %s to load origin certificate", originCertPath)`
			`}`

			`return originCert, nil`
			`}`

			`// FindOriginCert will check to make sure that the certificate exists at the specified file path.`
			`func FindOriginCert(originCertPath string, log *zerolog.Logger) (string, error) {`
			`if originCertPath == "" {`
			`log.Error().Msgf("Cannot determine default origin certificate path. No file %s in %v. You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable", DefaultCredentialFile, config.DefaultConfigSearchDirectories())`
			`return "", fmt.Errorf("client didn't specify origincert path")`
			`}`
			`var err error`
			`originCertPath, err = homedir.Expand(originCertPath)`
			`if err != nil {`
			`log.Err(err).Msgf("Cannot resolve origin certificate path")`
			`return "", fmt.Errorf("cannot resolve path %s", originCertPath)`
			`}`
			`// Check that the user has acquired a certificate using the login command`
			`ok := fileExists(originCertPath)`
			`if !ok {`
			log.Error().Msgf(`Cannot find a valid certificate for your origin at the path:

			`%s`

			`If the path above is wrong, specify the path with the -origincert option.`
			`If you don't have a certificate signed by Cloudflare, run the command:`

			`cloudflared login`
			`, originCertPath)
			`return "", fmt.Errorf("cannot find a valid certificate at the path %s", originCertPath)`
			`}`

			`return originCertPath, nil`
			`}`

			`// FileExists checks to see if a file exist at the provided path.`
			`func fileExists(path string) bool {`
			`fileStat, err := os.Stat(path)`
			`if err != nil {`
			`return false`
			`}`
			`return !fileStat.IsDir()`
			`}`