cloudflared-mirror/carrier/carrier.go

//Package carrier provides a WebSocket proxy to carry or proxy a connection
//from the local client to the edge. See it as a wrapper around any protocol
//that it packages up in a WebSocket connection to the edge.
package carrier

import (
	"io"
	"net"
	"net/http"
	"os"
	"strings"

	"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
	"github.com/cloudflare/cloudflared/h2mux"
	"github.com/cloudflare/cloudflared/logger"
	"github.com/pkg/errors"
)

type StartOptions struct {
	OriginURL string
	Headers   http.Header
}

// Connection wraps up all the needed functions to forward over the tunnel
type Connection interface {
	// ServeStream is used to forward data from the client to the edge
	ServeStream(*StartOptions, io.ReadWriter) error

	// StartServer is used to listen for incoming connections from the edge to the origin
	StartServer(net.Listener, string, <-chan struct{}) error
}

// StdinoutStream is empty struct for wrapping stdin/stdout
// into a single ReadWriter
type StdinoutStream struct {
}

// Read will read from Stdin
func (c *StdinoutStream) Read(p []byte) (int, error) {
	return os.Stdin.Read(p)

}

// Write will write to Stdout
func (c *StdinoutStream) Write(p []byte) (int, error) {
	return os.Stdout.Write(p)
}

// Helper to allow defering the response close with a check that the resp is not nil
func closeRespBody(resp *http.Response) {
	if resp != nil {
		resp.Body.Close()
	}
}

// StartForwarder will setup a listener on a specified address/port and then
// forward connections to the origin by calling `Serve()`.
func StartForwarder(conn Connection, address string, shutdownC <-chan struct{}, options *StartOptions) error {
	listener, err := net.Listen("tcp", address)
	if err != nil {
		return errors.Wrap(err, "failed to start forwarding server")
	}
	return Serve(conn, listener, shutdownC, options)
}

// StartClient will copy the data from stdin/stdout over a WebSocket connection
// to the edge (originURL)
func StartClient(conn Connection, stream io.ReadWriter, options *StartOptions) error {
	return conn.ServeStream(options, stream)
}

// Serve accepts incoming connections on the specified net.Listener.
// Each connection is handled in a new goroutine: its data is copied over a
// WebSocket connection to the edge (originURL).
// `Serve` always closes `listener`.
func Serve(remoteConn Connection, listener net.Listener, shutdownC <-chan struct{}, options *StartOptions) error {
	defer listener.Close()
	errChan := make(chan error)

	go func() {
		for {
			conn, err := listener.Accept()
			if err != nil {
				// don't block if parent goroutine quit early
				select {
				case errChan <- err:
				default:
				}
				return
			}
			go serveConnection(remoteConn, conn, options)
		}
	}()

	select {
	case <-shutdownC:
		return nil
	case err := <-errChan:
		return err
	}
}

// serveConnection handles connections for the Serve() call
func serveConnection(remoteConn Connection, c net.Conn, options *StartOptions) {
	defer c.Close()
	remoteConn.ServeStream(options, c)
}

// IsAccessResponse checks the http Response to see if the url location
// contains the Access structure.
func IsAccessResponse(resp *http.Response) bool {
	if resp == nil || resp.StatusCode != http.StatusFound {
		return false
	}

	location, err := resp.Location()
	if err != nil || location == nil {
		return false
	}
	if strings.HasPrefix(location.Path, "/cdn-cgi/access/login") {
		return true
	}

	return false
}

// BuildAccessRequest builds an HTTP request with the Access token set
func BuildAccessRequest(options *StartOptions, logger logger.Service) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
	if err != nil {
		return nil, err
	}

	token, err := token.FetchTokenWithRedirect(req.URL, logger)
	if err != nil {
		return nil, err
	}

	// We need to create a new request as FetchToken will modify req (boo mutable)
	// as it has to follow redirect on the API and such, so here we init a new one
	originRequest, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
	if err != nil {
		return nil, err
	}
	originRequest.Header.Set(h2mux.CFAccessTokenHeader, token)

	for k, v := range options.Headers {
		if len(v) >= 1 {
			originRequest.Header.Set(k, v[0])
		}
	}

	return originRequest, nil
}
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`//Package carrier provides a WebSocket proxy to carry or proxy a connection`
			`//from the local client to the edge. See it as a wrapper around any protocol`
			`//that it packages up in a WebSocket connection to the edge.`
			`package carrier`

			`import (`
			`"io"`
			`"net"`
			`"net/http"`
			`"os"`
			`"strings"`

AUTH-1188: UX Review and Changes for CLI SSH Access 2018-10-19 20:44:35 +00:00			`"github.com/cloudflare/cloudflared/cmd/cloudflared/token"`
AUTH-2369: RDP Bastion prototype 2020-05-04 20:15:17 +00:00			`"github.com/cloudflare/cloudflared/h2mux"`
AUTH-2596 added new logger package and replaced logrus 2020-04-29 20:51:32 +00:00			`"github.com/cloudflare/cloudflared/logger"`
AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`"github.com/pkg/errors"`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`)`

AUTH-1557: Short Lived Certs 2019-01-23 21:42:10 +00:00			`type StartOptions struct {`
AUTH-1781: fixed race condition for short lived certs, doc required config 2019-05-22 20:41:21 +00:00			`OriginURL string`
			`Headers http.Header`
AUTH-1557: Short Lived Certs 2019-01-23 21:42:10 +00:00			`}`

AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`// Connection wraps up all the needed functions to forward over the tunnel`
			`type Connection interface {`
			`// ServeStream is used to forward data from the client to the edge`
			`ServeStream(*StartOptions, io.ReadWriter) error`

			`// StartServer is used to listen for incoming connections from the edge to the origin`
			`StartServer(net.Listener, string, <-chan struct{}) error`
			`}`

AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`// StdinoutStream is empty struct for wrapping stdin/stdout`
			`// into a single ReadWriter`
			`type StdinoutStream struct {`
			`}`

			`// Read will read from Stdin`
			`func (c *StdinoutStream) Read(p []byte) (int, error) {`
			`return os.Stdin.Read(p)`

			`}`

			`// Write will write to Stdout`
			`func (c *StdinoutStream) Write(p []byte) (int, error) {`
			`return os.Stdout.Write(p)`
			`}`

AUTH-1736: Better handling of token revocation We removed all token validation from cloudflared and now rely on the edge to do the validation. This is better because the edge is the only thing that fully knows about token revocation. So if a user logs out or the application revokes all it's tokens cloudflared will now handle that process instead of barfing on it. When we go to fetch a token we will check for the existence of a lock file. If the lock file exists, we stop and poll every half second to see if the lock is still there. Once the lock file is removed, it will restart the function to (hopefully) go pick up the valid token that was just created. 2019-06-26 15:48:45 +00:00			`// Helper to allow defering the response close with a check that the resp is not nil`
			`func closeRespBody(resp *http.Response) {`
			`if resp != nil {`
			`resp.Body.Close()`
			`}`
			`}`

AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`// StartForwarder will setup a listener on a specified address/port and then`
TUN-1577: decompose carrier.StartServer to make TestStartServer less flappy 2019-04-05 06:57:00 +00:00			// forward connections to the origin by calling `Serve()`.
AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`func StartForwarder(conn Connection, address string, shutdownC <-chan struct{}, options *StartOptions) error {`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`listener, err := net.Listen("tcp", address)`
			`if err != nil {`
AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`return errors.Wrap(err, "failed to start forwarding server")`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}`
AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`return Serve(conn, listener, shutdownC, options)`
			`}`

			`// StartClient will copy the data from stdin/stdout over a WebSocket connection`
			`// to the edge (originURL)`
			`func StartClient(conn Connection, stream io.ReadWriter, options *StartOptions) error {`
AUTH-2169 make access login page more generic 2020-06-05 14:26:06 +00:00			`return conn.ServeStream(options, stream)`
TUN-1577: decompose carrier.StartServer to make TestStartServer less flappy 2019-04-05 06:57:00 +00:00			`}`

			`// Serve accepts incoming connections on the specified net.Listener.`
			`// Each connection is handled in a new goroutine: its data is copied over a`
			`// WebSocket connection to the edge (originURL).`
			// `Serve` always closes `listener`.
AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`func Serve(remoteConn Connection, listener net.Listener, shutdownC <-chan struct{}, options *StartOptions) error {`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`defer listener.Close()`
AUTH-2587 add config watcher and reload logic for access client forwarder 2020-04-13 17:22:00 +00:00			`errChan := make(chan error)`

			`go func() {`
			`for {`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`conn, err := listener.Accept()`
			`if err != nil {`
TUN-2955: Fix connection and goroutine leaks when tunnel conection is terminated on error. Only unregister tunnels that had connected successfully. Close edge connection used to unregister the tunnel. Use buffered channels for error channels where receiver may quit early on context cancellation. 2020-05-05 22:56:39 +00:00			`// don't block if parent goroutine quit early`
			`select {`
			`case errChan <- err:`
			`default:`
			`}`
AUTH-2587 add config watcher and reload logic for access client forwarder 2020-04-13 17:22:00 +00:00			`return`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}`
AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`go serveConnection(remoteConn, conn, options)`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}`
AUTH-2587 add config watcher and reload logic for access client forwarder 2020-04-13 17:22:00 +00:00			`}()`

			`select {`
			`case <-shutdownC:`
			`return nil`
			`case err := <-errChan:`
			`return err`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}`
			`}`

TUN-1577: decompose carrier.StartServer to make TestStartServer less flappy 2019-04-05 06:57:00 +00:00			`// serveConnection handles connections for the Serve() call`
AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`func serveConnection(remoteConn Connection, c net.Conn, options *StartOptions) {`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`defer c.Close()`
AUTH-2169 make access login page more generic 2020-06-05 14:26:06 +00:00			`remoteConn.ServeStream(options, c)`
AUTH-1736: Better handling of token revocation We removed all token validation from cloudflared and now rely on the edge to do the validation. This is better because the edge is the only thing that fully knows about token revocation. So if a user logs out or the application revokes all it's tokens cloudflared will now handle that process instead of barfing on it. When we go to fetch a token we will check for the existence of a lock file. If the lock file exists, we stop and poll every half second to see if the lock is still there. Once the lock file is removed, it will restart the function to (hopefully) go pick up the valid token that was just created. 2019-06-26 15:48:45 +00:00			`}`

AUTH-2055: Verifies token at edge on access login 2019-09-19 18:47:08 +00:00			`// IsAccessResponse checks the http Response to see if the url location`
AUTH-1736: Better handling of token revocation We removed all token validation from cloudflared and now rely on the edge to do the validation. This is better because the edge is the only thing that fully knows about token revocation. So if a user logs out or the application revokes all it's tokens cloudflared will now handle that process instead of barfing on it. When we go to fetch a token we will check for the existence of a lock file. If the lock file exists, we stop and poll every half second to see if the lock is still there. Once the lock file is removed, it will restart the function to (hopefully) go pick up the valid token that was just created. 2019-06-26 15:48:45 +00:00			`// contains the Access structure.`
AUTH-2055: Verifies token at edge on access login 2019-09-19 18:47:08 +00:00			`func IsAccessResponse(resp *http.Response) bool {`
			`if resp == nil \|\| resp.StatusCode != http.StatusFound {`
AUTH-1736: Better handling of token revocation We removed all token validation from cloudflared and now rely on the edge to do the validation. This is better because the edge is the only thing that fully knows about token revocation. So if a user logs out or the application revokes all it's tokens cloudflared will now handle that process instead of barfing on it. When we go to fetch a token we will check for the existence of a lock file. If the lock file exists, we stop and poll every half second to see if the lock is still there. Once the lock file is removed, it will restart the function to (hopefully) go pick up the valid token that was just created. 2019-06-26 15:48:45 +00:00			`return false`
			`}`

			`location, err := resp.Location()`
			`if err != nil \|\| location == nil {`
			`return false`
			`}`
			`if strings.HasPrefix(location.Path, "/cdn-cgi/access/login") {`
			`return true`
			`}`

			`return false`
			`}`

AUTH-2394 added socks5 proxy 2020-03-31 14:56:22 +00:00			`// BuildAccessRequest builds an HTTP request with the Access token set`
AUTH-2596 added new logger package and replaced logrus 2020-04-29 20:51:32 +00:00			`func BuildAccessRequest(options StartOptions, logger logger.Service) (http.Request, error) {`
AUTH-1736: Better handling of token revocation We removed all token validation from cloudflared and now rely on the edge to do the validation. This is better because the edge is the only thing that fully knows about token revocation. So if a user logs out or the application revokes all it's tokens cloudflared will now handle that process instead of barfing on it. When we go to fetch a token we will check for the existence of a lock file. If the lock file exists, we stop and poll every half second to see if the lock is still there. Once the lock file is removed, it will restart the function to (hopefully) go pick up the valid token that was just created. 2019-06-26 15:48:45 +00:00			`req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`if err != nil {`
AUTH-1781: fixed race condition for short lived certs, doc required config 2019-05-22 20:41:21 +00:00			`return nil, err`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}`

AUTH-2763 don't redirect from curl command 2020-06-11 17:02:34 +00:00			`token, err := token.FetchTokenWithRedirect(req.URL, logger)`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`if err != nil {`
AUTH-1781: fixed race condition for short lived certs, doc required config 2019-05-22 20:41:21 +00:00			`return nil, err`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}`

AUTH-1320: Fixed request issue and unhide the ssh command 2018-11-15 19:08:56 +00:00			`// We need to create a new request as FetchToken will modify req (boo mutable)`
			`// as it has to follow redirect on the API and such, so here we init a new one`
AUTH-1736: Better handling of token revocation We removed all token validation from cloudflared and now rely on the edge to do the validation. This is better because the edge is the only thing that fully knows about token revocation. So if a user logs out or the application revokes all it's tokens cloudflared will now handle that process instead of barfing on it. When we go to fetch a token we will check for the existence of a lock file. If the lock file exists, we stop and poll every half second to see if the lock is still there. Once the lock file is removed, it will restart the function to (hopefully) go pick up the valid token that was just created. 2019-06-26 15:48:45 +00:00			`originRequest, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)`
AUTH-1320: Fixed request issue and unhide the ssh command 2018-11-15 19:08:56 +00:00			`if err != nil {`
AUTH-1781: fixed race condition for short lived certs, doc required config 2019-05-22 20:41:21 +00:00			`return nil, err`
AUTH-1320: Fixed request issue and unhide the ssh command 2018-11-15 19:08:56 +00:00			`}`
AUTH-2369: RDP Bastion prototype 2020-05-04 20:15:17 +00:00			`originRequest.Header.Set(h2mux.CFAccessTokenHeader, token)`
AUTH-1320: Fixed request issue and unhide the ssh command 2018-11-15 19:08:56 +00:00
AUTH-1736: Better handling of token revocation We removed all token validation from cloudflared and now rely on the edge to do the validation. This is better because the edge is the only thing that fully knows about token revocation. So if a user logs out or the application revokes all it's tokens cloudflared will now handle that process instead of barfing on it. When we go to fetch a token we will check for the existence of a lock file. If the lock file exists, we stop and poll every half second to see if the lock is still there. Once the lock file is removed, it will restart the function to (hopefully) go pick up the valid token that was just created. 2019-06-26 15:48:45 +00:00			`for k, v := range options.Headers {`
			`if len(v) >= 1 {`
			`originRequest.Header.Set(k, v[0])`
			`}`
			`}`

AUTH-1781: fixed race condition for short lived certs, doc required config 2019-05-22 20:41:21 +00:00			`return originRequest, nil`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}`