AUTH-3455: Generate short-lived ssh cert per hostname

This commit is contained in:
Michael Borkenstein 2021-03-24 16:31:02 -05:00
parent da4d0b2bae
commit 63833b07dd
4 changed files with 21 additions and 6 deletions


@ -387,7 +387,7 @@ func sshGen(c *cli.Context) error {
return err return err
} }
if err := sshgen.GenerateShortLivedCertificate(appInfo, cfdToken); err != nil { if err := sshgen.GenerateShortLivedCertificate(originURL, cfdToken); err != nil {
return err return err
} }


@ -12,6 +12,7 @@ import (
"io" "io"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"net/url"
"time" "time"
"github.com/coreos/go-oidc/jose" "github.com/coreos/go-oidc/jose"
@ -51,8 +52,8 @@ type errorResponse struct {
var mockRequest func(url, contentType string, body io.Reader) (*http.Response, error) = nil var mockRequest func(url, contentType string, body io.Reader) (*http.Response, error) = nil
// GenerateShortLivedCertificate generates and stores a keypair for short lived certs // GenerateShortLivedCertificate generates and stores a keypair for short lived certs
func GenerateShortLivedCertificate(appInfo *cfpath.AppInfo, token string) error { func GenerateShortLivedCertificate(appURL *url.URL, token string) error {
fullName, err := cfpath.GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName) fullName, err := cfpath.GenerateSSHCertFilePathFromURL(appURL, keyName)
if err != nil { if err != nil {
return err return err
} }
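Review bot: The new `appURL *url.URL` parameter is passed straight into cfpath.GenerateSSHCertFilePathFromURL on the line after the signature, which calls `Hostname()` on it, so a nil URL panics here instead of returning an error, and the doc comment on the function does not say what the URL denotes or that it is required. Suggest `// GenerateShortLivedCertificate generates and stores a keypair for short lived certs for the Access application at appURL; appURL must be non-nil.` plus an explicit guard before the path lookup that returns an error through whichever error constructor this file already imports. The function body continues outside the hunk.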


@ -9,7 +9,9 @@ import (
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"net/url"
"os" "os"
"strings"
"testing" "testing"
"time" "time"
@ -32,11 +34,12 @@ type signingArguments struct {
} }
func TestCertGenSuccess(t *testing.T) { func TestCertGenSuccess(t *testing.T) {
appInfo := &cfpath.AppInfo{AppAUD: "abcd1234", AppDomain: "mySite.com"} url, _ := url.Parse("https://cf-test-access.com/testpath")
token := tokenGenerator() token := tokenGenerator()
fullName, err := cfpath.GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName) fullName, err := cfpath.GenerateSSHCertFilePathFromURL(url, keyName)
assert.NoError(t, err) assert.NoError(t, err)
assert.True(t, strings.HasSuffix(fullName, "/cf-test-access.com-testpath-cf_key"))
pubKeyName := fullName + ".pub" pubKeyName := fullName + ".pub"
certKeyName := fullName + "-cert.pub" certKeyName := fullName + "-cert.pub"
@ -65,7 +68,7 @@ func TestCertGenSuccess(t *testing.T) {
return w.Result(), nil return w.Result(), nil
} }
err = GenerateShortLivedCertificate(appInfo, token) err = GenerateShortLivedCertificate(url, token)
assert.NoError(t, err) assert.NoError(t, err)
exist, err := config.FileExists(fullName) exist, err := config.FileExists(fullName)
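Review bot: `url, _ := url.Parse(...)` in TestCertGenSuccess shadows the `net/url` package with a local and discards the parse error, so a typo in the literal would show up as a nil-pointer panic inside GenerateSSHCertFilePathFromURL rather than as a test failure. Suggest `appURL, err := url.Parse("https://cf-test-access.com/testpath")` followed by `assert.NoError(t, err)`, and passing `appURL` to both the path helper and GenerateShortLivedCertificate. The HasSuffix assertion pins the host-plus-path-with-dashes naming scheme, which is useful; a second input whose path contains `..` or a percent-encoded segment would document the containment behaviour the helper relies on. The test function continues outside the hunks shown.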


@ -2,6 +2,7 @@ package token
import ( import (
"fmt" "fmt"
"net/url"
"os" "os"
"path/filepath" "path/filepath"
"strings" "strings"
@ -11,6 +12,16 @@ import (
"github.com/cloudflare/cloudflared/config" "github.com/cloudflare/cloudflared/config"
) )
// GenerateSSHCertFilePathFromURL will return a file path for creating short lived certificates
func GenerateSSHCertFilePathFromURL(url *url.URL, suffix string) (string, error) {
configPath, err := getConfigPath()
if err != nil {
return "", err
}
name := strings.Replace(fmt.Sprintf("%s%s-%s", url.Hostname(), url.EscapedPath(), suffix), "/", "-", -1)
return filepath.Join(configPath, name), nil
}
// GenerateAppTokenFilePathFromURL will return a filepath for given Access org token // GenerateAppTokenFilePathFromURL will return a filepath for given Access org token
func GenerateAppTokenFilePathFromURL(appDomain, aud string, suffix string) (string, error) { func GenerateAppTokenFilePathFromURL(appDomain, aud string, suffix string) (string, error) {
configPath, err := getConfigPath() configPath, err := getConfigPath()
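Review bot: GenerateSSHCertFilePathFromURL derives a file name under configPath from caller-supplied URL components, and the only thing keeping the result inside configPath is the `/`→`-` replacement on the `name :=` line; that invariant should be stated, and a nil `url` panics at `url.Hostname()` instead of returning an error. Suggest expanding the doc comment to say the name is `<hostname><escaped path>-<suffix>` with every `/` replaced by `-`, so `..` segments cannot traverse out of configPath (EscapedPath percent-encodes a backslash as far as I can tell, so this presumably holds on Windows too — worth confirming). The escaped path is not length-bounded, so a long URL yields a name over the usual 255-byte component limit that fails only at file creation; a check on `len(name)` with a clear error would surface that earlier. Separately, the parameter named `url` shadows the `net/url` package inside the function and `strings.Replace(..., -1)` is `strings.ReplaceAll` in current Go: `name := strings.ReplaceAll(fmt.Sprintf("%s%s-%s", appURL.Hostname(), appURL.EscapedPath(), suffix), "/", "-")`. GenerateAppTokenFilePathFromURL continues past the end of the hunk.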