cloudflared-mirror/cmd/cloudflared/access/carrier.go

package access

import (
	"net/http"
	"net/url"
	"strings"

	"github.com/cloudflare/cloudflared/carrier"
	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
	"github.com/cloudflare/cloudflared/h2mux"
	"github.com/cloudflare/cloudflared/logger"
	"github.com/cloudflare/cloudflared/validation"
	"github.com/pkg/errors"
	cli "gopkg.in/urfave/cli.v2"
)

// StartForwarder starts a client side websocket forward
func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, logger logger.Service) error {
	validURLString, err := validation.ValidateUrl(forwarder.Listener)
	if err != nil {
		return errors.Wrap(err, "error validating origin URL")
	}

	validURL, err := url.Parse(validURLString)
	if err != nil {
		return errors.Wrap(err, "error parsing origin URL")
	}

	// get the headers from the config file and add to the request
	headers := make(http.Header)
	if forwarder.TokenClientID != "" {
		headers.Set(h2mux.CFAccessClientIDHeader, forwarder.TokenClientID)
	}

	if forwarder.TokenSecret != "" {
		headers.Set(h2mux.CFAccessClientSecretHeader, forwarder.TokenSecret)
	}

	if forwarder.Destination != "" {
		headers.Add(h2mux.CFJumpDestinationHeader, forwarder.Destination)
	}

	options := &carrier.StartOptions{
		OriginURL: forwarder.URL,
		Headers:   headers, //TODO: TUN-2688 support custom headers from config file
	}

	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
	wsConn := carrier.NewWSConnection(logger, false)

	logger.Infof("Start Websocket listener on: %s", validURL.Host)
	return carrier.StartForwarder(wsConn, validURL.Host, shutdown, options)
}

// ssh will start a WS proxy server for server mode
// or copy from stdin/stdout for client mode
// useful for proxying other protocols (like ssh) over websockets
// (which you can put Access in front of)
func ssh(c *cli.Context) error {
	logDirectory, logLevel := config.FindLogSettings()

	flagLogDirectory := c.String(sshLogDirectoryFlag)
	if flagLogDirectory != "" {
		logDirectory = flagLogDirectory
	}

	flagLogLevel := c.String(sshLogLevelFlag)
	if flagLogLevel != "" {
		logLevel = flagLogLevel
	}

	logger, err := logger.New(logger.DefaultFile(logDirectory), logger.LogLevelString(logLevel))
	if err != nil {
		return cliutil.PrintLoggerSetupError("error setting up logger", err)
	}

	// get the hostname from the cmdline and error out if its not provided
	rawHostName := c.String(sshHostnameFlag)
	hostname, err := validation.ValidateHostname(rawHostName)
	if err != nil || rawHostName == "" {
		return cli.ShowCommandHelp(c, "ssh")
	}
	originURL := ensureURLScheme(hostname)

	// get the headers from the cmdline and add them
	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
	if c.IsSet(sshTokenIDFlag) {
		headers.Set(h2mux.CFAccessClientIDHeader, c.String(sshTokenIDFlag))
	}
	if c.IsSet(sshTokenSecretFlag) {
		headers.Set(h2mux.CFAccessClientSecretHeader, c.String(sshTokenSecretFlag))
	}

	destination := c.String(sshDestinationFlag)
	if destination != "" {
		headers.Add(h2mux.CFJumpDestinationHeader, destination)
	}

	options := &carrier.StartOptions{
		OriginURL: originURL,
		Headers:   headers,
	}

	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
	wsConn := carrier.NewWSConnection(logger, false)

	if c.NArg() > 0 || c.IsSet(sshURLFlag) {
		localForwarder, err := config.ValidateUrl(c)
		if err != nil {
			logger.Errorf("Error validating origin URL: %s", err)
			return errors.Wrap(err, "error validating origin URL")
		}
		forwarder, err := url.Parse(localForwarder)
		if err != nil {
			logger.Errorf("Error validating origin URL: %s", err)
			return errors.Wrap(err, "error validating origin URL")
		}

		logger.Infof("Start Websocket listener on: %s", forwarder.Host)
		err = carrier.StartForwarder(wsConn, forwarder.Host, shutdownC, options)
		if err != nil {
			logger.Errorf("Error on Websocket listener: %s", err)
		}
		return err
	}

	return carrier.StartClient(wsConn, &carrier.StdinoutStream{}, options)
}

func buildRequestHeaders(values []string) http.Header {
	headers := make(http.Header)
	for _, valuePair := range values {
		split := strings.Split(valuePair, ":")
		if len(split) > 1 {
			headers.Add(strings.TrimSpace(split[0]), strings.TrimSpace(split[1]))
		}
	}
	return headers
}
AUTH-1188: UX Review and Changes for CLI SSH Access 2018-10-19 20:44:35 +00:00			`package access`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00
			`import (`
AUTH-1511: Add custom headers for ssh command 2019-02-07 16:56:33 +00:00			`"net/http"`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`"net/url"`
AUTH-1511: Add custom headers for ssh command 2019-02-07 16:56:33 +00:00			`"strings"`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00
			`"github.com/cloudflare/cloudflared/carrier"`
AUTH-2810 added warn for backwards compatibility sake 2020-06-12 16:20:36 +00:00			`"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"`
AUTH-1188: UX Review and Changes for CLI SSH Access 2018-10-19 20:44:35 +00:00			`"github.com/cloudflare/cloudflared/cmd/cloudflared/config"`
AUTH-2369: RDP Bastion prototype 2020-05-04 20:15:17 +00:00			`"github.com/cloudflare/cloudflared/h2mux"`
AUTH-2596 added new logger package and replaced logrus 2020-04-29 20:51:32 +00:00			`"github.com/cloudflare/cloudflared/logger"`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`"github.com/cloudflare/cloudflared/validation"`
			`"github.com/pkg/errors"`
			`cli "gopkg.in/urfave/cli.v2"`
			`)`

AUTH-2587 add config watcher and reload logic for access client forwarder 2020-04-13 17:22:00 +00:00			`// StartForwarder starts a client side websocket forward`
AUTH-2596 added new logger package and replaced logrus 2020-04-29 20:51:32 +00:00			`func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, logger logger.Service) error {`
AUTH-2587 add config watcher and reload logic for access client forwarder 2020-04-13 17:22:00 +00:00			`validURLString, err := validation.ValidateUrl(forwarder.Listener)`
			`if err != nil {`
			`return errors.Wrap(err, "error validating origin URL")`
			`}`

			`validURL, err := url.Parse(validURLString)`
			`if err != nil {`
			`return errors.Wrap(err, "error parsing origin URL")`
			`}`

AUTH-2785 service token flag fix and logger fix 2020-06-08 22:01:48 +00:00			`// get the headers from the config file and add to the request`
			`headers := make(http.Header)`
			`if forwarder.TokenClientID != "" {`
			`headers.Set(h2mux.CFAccessClientIDHeader, forwarder.TokenClientID)`
			`}`

			`if forwarder.TokenSecret != "" {`
			`headers.Set(h2mux.CFAccessClientSecretHeader, forwarder.TokenSecret)`
			`}`

AUTH-2694 added destination header support to config file 2020-06-12 16:57:21 +00:00			`if forwarder.Destination != "" {`
			`headers.Add(h2mux.CFJumpDestinationHeader, forwarder.Destination)`
			`}`

AUTH-2587 add config watcher and reload logic for access client forwarder 2020-04-13 17:22:00 +00:00			`options := &carrier.StartOptions{`
			`OriginURL: forwarder.URL,`
AUTH-2785 service token flag fix and logger fix 2020-06-08 22:01:48 +00:00			`Headers: headers, //TODO: TUN-2688 support custom headers from config file`
AUTH-2587 add config watcher and reload logic for access client forwarder 2020-04-13 17:22:00 +00:00			`}`

			`// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side`
			`wsConn := carrier.NewWSConnection(logger, false)`

			`logger.Infof("Start Websocket listener on: %s", validURL.Host)`
			`return carrier.StartForwarder(wsConn, validURL.Host, shutdown, options)`
			`}`

AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`// ssh will start a WS proxy server for server mode`
			`// or copy from stdin/stdout for client mode`
			`// useful for proxying other protocols (like ssh) over websockets`
			`// (which you can put Access in front of)`
			`func ssh(c *cli.Context) error {`
AUTH-2596 added new logger package and replaced logrus 2020-04-29 20:51:32 +00:00			`logDirectory, logLevel := config.FindLogSettings()`
AUTH-2729 added log file and level to cmd flags to match config file settings 2020-06-05 15:18:40 +00:00
			`flagLogDirectory := c.String(sshLogDirectoryFlag)`
			`if flagLogDirectory != "" {`
			`logDirectory = flagLogDirectory`
			`}`

			`flagLogLevel := c.String(sshLogLevelFlag)`
			`if flagLogLevel != "" {`
			`logLevel = flagLogLevel`
			`}`

AUTH-2596 added new logger package and replaced logrus 2020-04-29 20:51:32 +00:00			`logger, err := logger.New(logger.DefaultFile(logDirectory), logger.LogLevelString(logLevel))`
			`if err != nil {`
AUTH-2810 added warn for backwards compatibility sake 2020-06-12 16:20:36 +00:00			`return cliutil.PrintLoggerSetupError("error setting up logger", err)`
AUTH-2596 added new logger package and replaced logrus 2020-04-29 20:51:32 +00:00			`}`

AUTH-1557: Short Lived Certs 2019-01-23 21:42:10 +00:00			`// get the hostname from the cmdline and error out if its not provided`
			`rawHostName := c.String(sshHostnameFlag)`
			`hostname, err := validation.ValidateHostname(rawHostName)`
			`if err != nil \|\| rawHostName == "" {`
AUTH-1188: UX Review and Changes for CLI SSH Access 2018-10-19 20:44:35 +00:00			`return cli.ShowCommandHelp(c, "ssh")`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}`
AUTH-2173: Prepends access login url with scheme if one doesnt exist 2019-10-22 15:41:44 +00:00			`originURL := ensureURLScheme(hostname)`
AUTH-1557: Short Lived Certs 2019-01-23 21:42:10 +00:00
			`// get the headers from the cmdline and add them`
			`headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))`
			`if c.IsSet(sshTokenIDFlag) {`
AUTH-2785 service token flag fix and logger fix 2020-06-08 22:01:48 +00:00			`headers.Set(h2mux.CFAccessClientIDHeader, c.String(sshTokenIDFlag))`
AUTH-1557: Short Lived Certs 2019-01-23 21:42:10 +00:00			`}`
			`if c.IsSet(sshTokenSecretFlag) {`
AUTH-2785 service token flag fix and logger fix 2020-06-08 22:01:48 +00:00			`headers.Set(h2mux.CFAccessClientSecretHeader, c.String(sshTokenSecretFlag))`
AUTH-1531: Named flags for ssh service tokens 2019-03-06 19:09:13 +00:00			`}`
AUTH-1557: Short Lived Certs 2019-01-23 21:42:10 +00:00
AUTH-2105: Adds support for local forwarding. Refactor auditlogger creation. AUTH-2088: Adds dynamic destination routing 2019-10-02 20:56:28 +00:00			`destination := c.String(sshDestinationFlag)`
AUTH-2105: Dont require --destination arg 2019-10-11 17:26:23 +00:00			`if destination != "" {`
AUTH-2369: RDP Bastion prototype 2020-05-04 20:15:17 +00:00			`headers.Add(h2mux.CFJumpDestinationHeader, destination)`
AUTH-2105: Adds support for local forwarding. Refactor auditlogger creation. AUTH-2088: Adds dynamic destination routing 2019-10-02 20:56:28 +00:00			`}`

AUTH-1557: Short Lived Certs 2019-01-23 21:42:10 +00:00			`options := &carrier.StartOptions{`
AUTH-1781: fixed race condition for short lived certs, doc required config 2019-05-22 20:41:21 +00:00			`OriginURL: originURL,`
			`Headers: headers,`
AUTH-1531: Named flags for ssh service tokens 2019-03-06 19:09:13 +00:00			`}`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00
AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side`
			`wsConn := carrier.NewWSConnection(logger, false)`

AUTH-1557: Short Lived Certs 2019-01-23 21:42:10 +00:00			`if c.NArg() > 0 \|\| c.IsSet(sshURLFlag) {`
AUTH-1188: UX Review and Changes for CLI SSH Access 2018-10-19 20:44:35 +00:00			`localForwarder, err := config.ValidateUrl(c)`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`if err != nil {`
AUTH-2596 added new logger package and replaced logrus 2020-04-29 20:51:32 +00:00			`logger.Errorf("Error validating origin URL: %s", err)`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`return errors.Wrap(err, "error validating origin URL")`
			`}`
			`forwarder, err := url.Parse(localForwarder)`
			`if err != nil {`
AUTH-2596 added new logger package and replaced logrus 2020-04-29 20:51:32 +00:00			`logger.Errorf("Error validating origin URL: %s", err)`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`return errors.Wrap(err, "error validating origin URL")`
			`}`
AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00
			`logger.Infof("Start Websocket listener on: %s", forwarder.Host)`
AUTH-2596 added new logger package and replaced logrus 2020-04-29 20:51:32 +00:00			`err = carrier.StartForwarder(wsConn, forwarder.Host, shutdownC, options)`
			`if err != nil {`
			`logger.Errorf("Error on Websocket listener: %s", err)`
			`}`
			`return err`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}`

AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`return carrier.StartClient(wsConn, &carrier.StdinoutStream{}, options)`
AUTH-1511: Add custom headers for ssh command 2019-02-07 16:56:33 +00:00			`}`

			`func buildRequestHeaders(values []string) http.Header {`
			`headers := make(http.Header)`
			`for _, valuePair := range values {`
			`split := strings.Split(valuePair, ":")`
			`if len(split) > 1 {`
			`headers.Add(strings.TrimSpace(split[0]), strings.TrimSpace(split[1]))`
			`}`
			`}`
			`return headers`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}`