AUTH-3455: Generate short-lived ssh cert per hostname

1 year ago · 63833b07dd
4 changed files with 21 additions and 6 deletions
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@ -387,7 +387,7 @@ func sshGen(c *cli.Context) error {
 		return err
 	}

-	if err := sshgen.GenerateShortLivedCertificate(appInfo, cfdToken); err != nil {
+	if err := sshgen.GenerateShortLivedCertificate(originURL, cfdToken); err != nil {
 		return err
 	}

--- a/sshgen/sshgen.go
+++ b/sshgen/sshgen.go
@ -12,6 +12,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"time"

 	"github.com/coreos/go-oidc/jose"
@ -51,8 +52,8 @@ type errorResponse struct {
 var mockRequest func(url, contentType string, body io.Reader) (*http.Response, error) = nil

 // GenerateShortLivedCertificate generates and stores a keypair for short lived certs
-func GenerateShortLivedCertificate(appInfo *cfpath.AppInfo, token string) error {
-	fullName, err := cfpath.GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)
+func GenerateShortLivedCertificate(appURL *url.URL, token string) error {
+	fullName, err := cfpath.GenerateSSHCertFilePathFromURL(appURL, keyName)
 	if err != nil {
 		return err
 	}
--- a/sshgen/sshgen_test.go
+++ b/sshgen/sshgen_test.go
@ -9,7 +9,9 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"os"
+	"strings"
 	"testing"
 	"time"

@ -32,11 +34,12 @@ type signingArguments struct {
 }

 func TestCertGenSuccess(t *testing.T) {
-	appInfo := &cfpath.AppInfo{AppAUD: "abcd1234", AppDomain: "mySite.com"}
+	url, _ := url.Parse("https://cf-test-access.com/testpath")
 	token := tokenGenerator()

-	fullName, err := cfpath.GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)
+	fullName, err := cfpath.GenerateSSHCertFilePathFromURL(url, keyName)
 	assert.NoError(t, err)
+	assert.True(t, strings.HasSuffix(fullName, "/cf-test-access.com-testpath-cf_key"))

 	pubKeyName := fullName + ".pub"
 	certKeyName := fullName + "-cert.pub"
@ -65,7 +68,7 @@ func TestCertGenSuccess(t *testing.T) {
 		return w.Result(), nil
 	}

-	err = GenerateShortLivedCertificate(appInfo, token)
+	err = GenerateShortLivedCertificate(url, token)
 	assert.NoError(t, err)

 	exist, err := config.FileExists(fullName)
--- a/token/path.go
+++ b/token/path.go
@ -2,6 +2,7 @@ package token

 import (
 	"fmt"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@ -11,6 +12,16 @@ import (
 	"github.com/cloudflare/cloudflared/config"
 )

+// GenerateSSHCertFilePathFromURL will return a file path for creating short lived certificates
+func GenerateSSHCertFilePathFromURL(url *url.URL, suffix string) (string, error) {
+	configPath, err := getConfigPath()
+	if err != nil {
+		return "", err
+	}
+	name := strings.Replace(fmt.Sprintf("%s%s-%s", url.Hostname(), url.EscapedPath(), suffix), "/", "-", -1)
+	return filepath.Join(configPath, name), nil
+}
+
 // GenerateAppTokenFilePathFromURL will return a filepath for given Access org token
 func GenerateAppTokenFilePathFromURL(appDomain, aud string, suffix string) (string, error) {
 	configPath, err := getConfigPath()