From 63833b07dd6a100d4a18a7017e3d3cab233458f7 Mon Sep 17 00:00:00 2001
From: Michael Borkenstein
Date: Wed, 24 Mar 2021 16:31:02 -0500
Subject: [PATCH] AUTH-3455: Generate short-lived ssh cert per hostname
---
 cmd/cloudflared/access/cmd.go | 2 +-
 sshgen/sshgen.go | 5 +++--
 sshgen/sshgen_test.go | 9 ++++++---
 token/path.go | 11 +++++++++++
 4 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/cmd/cloudflared/access/cmd.go b/cmd/cloudflared/access/cmd.go
index 81ee4a6d..1cebbede 100644
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@@ -387,7 +387,7 @@ func sshGen(c *cli.Context) error {
 return err
 }
- if err := sshgen.GenerateShortLivedCertificate(appInfo, cfdToken); err != nil {
+ if err := sshgen.GenerateShortLivedCertificate(originURL, cfdToken); err != nil {
 return err
 }
diff --git a/sshgen/sshgen.go b/sshgen/sshgen.go
index 47cc7297..9fba2053 100644
--- a/sshgen/sshgen.go
+++ b/sshgen/sshgen.go
@@ -12,6 +12,7 @@ import (
 "io"
 "io/ioutil"
 "net/http"
+ "net/url"
 "time"
 "github.com/coreos/go-oidc/jose"
@@ -51,8 +52,8 @@ type errorResponse struct {
 var mockRequest func(url, contentType string, body io.Reader) (*http.Response, error) = nil
 // GenerateShortLivedCertificate generates and stores a keypair for short lived certs
-func GenerateShortLivedCertificate(appInfo *cfpath.AppInfo, token string) error {
- fullName, err := cfpath.GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)
+func GenerateShortLivedCertificate(appURL *url.URL, token string) error {
+ fullName, err := cfpath.GenerateSSHCertFilePathFromURL(appURL, keyName)
 if err != nil {
 return err
 }
diff --git a/sshgen/sshgen_test.go b/sshgen/sshgen_test.go
index eae9ba4f..cb8af2ff 100644
--- a/sshgen/sshgen_test.go
+++ b/sshgen/sshgen_test.go
@@ -9,7 +9,9 @@ import (
 "io/ioutil"
 "net/http"
 "net/http/httptest"
+ "net/url"
 "os"
+ "strings"
 "testing"
 "time"
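Review bot: The doc comment kept above the changed GenerateShortLivedCertificate signature still says only that it "generates and stores a keypair for short lived certs", while the new first statement names the key file from appURL, so the per-URL storage is now part of the contract and should be written down, e.g. `// GenerateShortLivedCertificate generates a keypair and short-lived certificate for appURL and stores them under a file name derived from appURL's hostname and path (see cfpath.GenerateSSHCertFilePathFromURL); appURL must be non-nil.` The body continues outside the hunk, so whether a nil appURL is rejected earlier is not visible here; cfpath.GenerateSSHCertFilePathFromURL as added in this commit dereferences it without a check, so a nil value would panic on this line rather than return an error. Note also that the commit title says "per hostname" while the derived name includes the URL path as well.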
@@ -32,11 +34,12 @@ type signingArguments struct {
 }
 func TestCertGenSuccess(t *testing.T) {
- appInfo := &cfpath.AppInfo{AppAUD: "abcd1234", AppDomain: "mySite.com"}
+ url, _ := url.Parse("https://cf-test-access.com/testpath")
 token := tokenGenerator()
- fullName, err := cfpath.GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)
+ fullName, err := cfpath.GenerateSSHCertFilePathFromURL(url, keyName)
 assert.NoError(t, err)
+ assert.True(t, strings.HasSuffix(fullName, "/cf-test-access.com-testpath-cf_key"))
 pubKeyName := fullName + ".pub"
 certKeyName := fullName + "-cert.pub"
@@ -65,7 +68,7 @@ func TestCertGenSuccess(t *testing.T) {
 return w.Result(), nil
 }
- err = GenerateShortLivedCertificate(appInfo, token)
+ err = GenerateShortLivedCertificate(url, token)
 assert.NoError(t, err)
 exist, err := config.FileExists(fullName)
diff --git a/token/path.go b/token/path.go
index e0806d64..332117c3 100644
--- a/token/path.go
+++ b/token/path.go
@@ -2,6 +2,7 @@ package token
 import (
 "fmt"
+ "net/url"
 "os"
 "path/filepath"
 "strings"
@@ -11,6 +12,16 @@ import (
 "github.com/cloudflare/cloudflared/config"
 )
+// GenerateSSHCertFilePathFromURL will return a file path for creating short lived certificates
+func GenerateSSHCertFilePathFromURL(url *url.URL, suffix string) (string, error) {
+ configPath, err := getConfigPath()
+ if err != nil {
+ return "", err
+ }
+ name := strings.Replace(fmt.Sprintf("%s%s-%s", url.Hostname(), url.EscapedPath(), suffix), "/", "-", -1)
+ return filepath.Join(configPath, name), nil
+}
+
 // GenerateAppTokenFilePathFromURL will return a filepath for given Access org token
 func GenerateAppTokenFilePathFromURL(appDomain, aud string, suffix string) (string, error) {
 configPath, err := getConfigPath()
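Review bot: `url, _ := url.Parse("https://cf-test-access.com/testpath")` in TestCertGenSuccess discards the parse error and shadows the net/url package for the rest of the function (the second hunk's `GenerateShortLivedCertificate(url, token)` already depends on the variable, not the package); prefer `appURL, err := url.Parse("https://cf-test-access.com/testpath")` followed by `assert.NoError(t, err)` and pass `appURL` at both call sites. The new `strings.HasSuffix(fullName, "/cf-test-access.com-testpath-cf_key")` assertion hard-codes the forward slash, so it fails wherever filepath.Join uses another separator; `assert.Equal(t, "cf-test-access.com-testpath-cf_key", filepath.Base(fullName))` checks the same file name portably (path/filepath would need to be imported here if the part of the import block above the hunk does not already have it).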
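Review bot: GenerateSSHCertFilePathFromURL dereferences `url` without a nil check, so a nil *url.URL panics inside the new function instead of returning an error; add `if url == nil { return "", fmt.Errorf("nil url for ssh cert file path") }` ahead of the getConfigPath() call (fmt is already imported in this file). The parameter name `url` shadows the net/url package for the whole body — `appURL`, as the sshgen.go hunk names it, avoids that — and `strings.ReplaceAll` is the idiomatic form of `strings.Replace(..., -1)`. Because every `/` in the escaped path is folded to `-`, the same character that separates hostname, path and suffix, distinct URLs can map to the same private-key file (host `a.com` with path `/b` and host `a.com-b` with an empty path both yield `a.com-b-<suffix>`), which deserves either a separator that cannot appear in a hostname or a comment saying the collision is accepted. The doc comment should also state that the name is built from the URL's hostname and path, not the hostname alone as the commit title suggests, e.g. `// GenerateSSHCertFilePathFromURL returns the config-directory path of the short-lived SSH cert key for url, named from its hostname and escaped path (slashes replaced by '-') followed by suffix.`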