Browse Source

AUTH-3455: Generate short-lived ssh cert per hostname

pull/341/head
Michael Borkenstein 10 months ago
parent
commit
63833b07dd
  1. 2
      cmd/cloudflared/access/cmd.go
  2. 5
      sshgen/sshgen.go
  3. 9
      sshgen/sshgen_test.go
  4. 11
      token/path.go

2
cmd/cloudflared/access/cmd.go

@ -387,7 +387,7 @@ func sshGen(c *cli.Context) error {
return err
}
if err := sshgen.GenerateShortLivedCertificate(appInfo, cfdToken); err != nil {
if err := sshgen.GenerateShortLivedCertificate(originURL, cfdToken); err != nil {
return err
}

5
sshgen/sshgen.go

@ -12,6 +12,7 @@ import (
"io"
"io/ioutil"
"net/http"
"net/url"
"time"
"github.com/coreos/go-oidc/jose"
@ -51,8 +52,8 @@ type errorResponse struct {
var mockRequest func(url, contentType string, body io.Reader) (*http.Response, error) = nil
// GenerateShortLivedCertificate generates and stores a keypair for short lived certs
func GenerateShortLivedCertificate(appInfo *cfpath.AppInfo, token string) error {
fullName, err := cfpath.GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)
func GenerateShortLivedCertificate(appURL *url.URL, token string) error {
fullName, err := cfpath.GenerateSSHCertFilePathFromURL(appURL, keyName)
if err != nil {
return err
}

9
sshgen/sshgen_test.go

@ -9,7 +9,9 @@ import (
"io/ioutil"
"net/http"
"net/http/httptest"
"net/url"
"os"
"strings"
"testing"
"time"
@ -32,11 +34,12 @@ type signingArguments struct {
}
func TestCertGenSuccess(t *testing.T) {
appInfo := &cfpath.AppInfo{AppAUD: "abcd1234", AppDomain: "mySite.com"}
url, _ := url.Parse("https://cf-test-access.com/testpath")
token := tokenGenerator()
fullName, err := cfpath.GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)
fullName, err := cfpath.GenerateSSHCertFilePathFromURL(url, keyName)
assert.NoError(t, err)
assert.True(t, strings.HasSuffix(fullName, "/cf-test-access.com-testpath-cf_key"))
pubKeyName := fullName + ".pub"
certKeyName := fullName + "-cert.pub"
@ -65,7 +68,7 @@ func TestCertGenSuccess(t *testing.T) {
return w.Result(), nil
}
err = GenerateShortLivedCertificate(appInfo, token)
err = GenerateShortLivedCertificate(url, token)
assert.NoError(t, err)
exist, err := config.FileExists(fullName)

11
token/path.go

@ -2,6 +2,7 @@ package token
import (
"fmt"
"net/url"
"os"
"path/filepath"
"strings"
@ -11,6 +12,16 @@ import (
"github.com/cloudflare/cloudflared/config"
)
// GenerateSSHCertFilePathFromURL will return a file path for creating short lived certificates
func GenerateSSHCertFilePathFromURL(url *url.URL, suffix string) (string, error) {
configPath, err := getConfigPath()
if err != nil {
return "", err
}
name := strings.Replace(fmt.Sprintf("%s%s-%s", url.Hostname(), url.EscapedPath(), suffix), "/", "-", -1)
return filepath.Join(configPath, name), nil
}
// GenerateAppTokenFilePathFromURL will return a filepath for given Access org token
func GenerateAppTokenFilePathFromURL(appDomain, aud string, suffix string) (string, error) {
configPath, err := getConfigPath()

Loading…
Cancel
Save