TUN-3855: Add ability to override target of 'access ssh' command to a different host for testing

This commit is contained in:
Igor Postelnik 2021-02-03 13:00:55 -06:00 committed by Nuno Diegues
parent 8b794390e5
commit 9c298e4851
4 changed files with 41 additions and 4 deletions


@ -4,6 +4,7 @@
package carrier package carrier
import ( import (
"crypto/tls"
"io" "io"
"net" "net"
"net/http" "net/http"
@ -20,8 +21,10 @@ import (
const LogFieldOriginURL = "originURL" const LogFieldOriginURL = "originURL"
type StartOptions struct { type StartOptions struct {
OriginURL string OriginURL string
Headers http.Header Headers http.Header
Host string
TLSClientConfig *tls.Config
} }
// Connection wraps up all the needed functions to forward over the tunnel // Connection wraps up all the needed functions to forward over the tunnel
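Review bot: The two new StartOptions fields have no doc comments, and TLSClientConfig in particular deserves one because the carrier hands it to the websocket dialer unchanged, so a config carrying InsecureSkipVerify disables certificate checking for the whole tunnel connection. I would add `// Host, if non-empty, replaces the Host header of the websocket request to the origin.` above Host and `// TLSClientConfig, if non-nil, is used as-is by the websocket dialer; a config with InsecureSkipVerify turns off certificate verification.` above TLSClientConfig. That Host only affects the request's Host header is inferred from the carrier change in this commit, not from this file, so adjust the wording if it does more.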


@ -82,11 +82,17 @@ func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebso
return nil, err return nil, err
} }
req.Header = options.Headers req.Header = options.Headers
if options.Host != "" {
req.Host = options.Host
}
dump, err := httputil.DumpRequest(req, false) dump, err := httputil.DumpRequest(req, false)
log.Debug().Msgf("Websocket request: %s", string(dump)) log.Debug().Msgf("Websocket request: %s", string(dump))
wsConn, resp, err := cfwebsocket.ClientConnect(req, nil) dialer := &websocket.Dialer{
TLSClientConfig: options.TLSClientConfig,
}
wsConn, resp, err := cfwebsocket.ClientConnect(req, dialer)
defer closeRespBody(resp) defer closeRespBody(resp)
if err != nil && IsAccessResponse(resp) { if err != nil && IsAccessResponse(resp) {
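Review bot: The dialer built at `dialer := &websocket.Dialer{` sets only TLSClientConfig, so if passing nil to cfwebsocket.ClientConnect previously selected the package default dialer, this change silently drops that dialer's other settings (typically the environment proxy and the handshake timeout) for every connection, not just overridden ones; ClientConnect is not visible here, so that needs confirming. If it does, start from the default and override only the TLS field, `dialer := *websocket.DefaultDialer` then `dialer.TLSClientConfig = options.TLSClientConfig` and `cfwebsocket.ClientConnect(req, &dialer)`, or keep passing nil whenever options.TLSClientConfig is nil so the non-override path is unchanged. A short comment above the `if options.Host != ""` block saying the override is deliberately applied before the DumpRequest debug line, so the dump shows what is actually sent, would also help. createWebsocketStream begins and ends outside this hunk.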


@ -1,6 +1,8 @@
package access package access
import ( import (
"crypto/tls"
"fmt"
"net/http" "net/http"
"strings" "strings"
@ -84,6 +86,26 @@ func ssh(c *cli.Context) error {
options := &carrier.StartOptions{ options := &carrier.StartOptions{
OriginURL: originURL, OriginURL: originURL,
Headers: headers, Headers: headers,
Host: hostname,
}
if connectTo := c.String(sshConnectTo); connectTo != "" {
parts := strings.Split(connectTo, ":")
switch len(parts) {
case 1:
options.OriginURL = fmt.Sprintf("https://%s", parts[0])
case 2:
options.OriginURL = fmt.Sprintf("https://%s:%s", parts[0], parts[1])
case 3:
options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
options.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true,
ServerName: parts[0],
}
log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
default:
return fmt.Errorf("invalid connection override: %s", connectTo)
}
} }
// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side // we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
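Review bot: `InsecureSkipVerify: true` in the three-part case is broader than the stated reason: once `ServerName: parts[0]` is set, crypto/tls verifies the origin's certificate against that SNI name even though the connection is dialed to parts[2], so certificate checking can stay on and `options.TLSClientConfig = &tls.Config{ServerName: parts[0]}` with the warning reworded to say only that SNI is overridden covers the redirect-to-another-host use. If the flag must also work against test hosts with self-signed certificates, keep the skip but say so in a comment or gate it behind its own explicit flag, since a hidden option that disables verification is easy to forget. The `strings.Split(connectTo, ":")` parsing also misreads bracketed IPv6 literals; `net.SplitHostPort` would handle those if they matter. ssh's body begins and ends outside this hunk.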


@ -33,6 +33,7 @@ const (
sshTokenIDFlag = "service-token-id" sshTokenIDFlag = "service-token-id"
sshTokenSecretFlag = "service-token-secret" sshTokenSecretFlag = "service-token-secret"
sshGenCertFlag = "short-lived-cert" sshGenCertFlag = "short-lived-cert"
sshConnectTo = "connect-to"
sshConfigTemplate = ` sshConfigTemplate = `
Add to your {{.Home}}/.ssh/config: Add to your {{.Home}}/.ssh/config:
@ -54,7 +55,7 @@ Host cfpipe-{{.Hostname}}
const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878" const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
var ( var (
shutdownC chan struct{} shutdownC chan struct{}
) )
// Init will initialize and store vars from the main program // Init will initialize and store vars from the main program
@ -164,6 +165,11 @@ func Commands() []*cli.Command {
Aliases: []string{"loglevel"}, //added to match the tunnel side Aliases: []string{"loglevel"}, //added to match the tunnel side
Usage: "Application logging level {fatal, error, info, debug}. ", Usage: "Application logging level {fatal, error, info, debug}. ",
}, },
&cli.StringFlag{
Name: sshConnectTo,
Hidden: true,
Usage: "Connect to alternate location for testing, value is host, host:port, or sni:port:host",
},
}, },
}, },
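Review bot: The usage string for the hidden connect-to flag does not say that the `sni:port:host` form turns off TLS certificate verification (the ssh command in this commit sets InsecureSkipVerify for it), which is the one thing a tester reaching for the flag should know. I would extend it to `Usage: "Connect to alternate location for testing, value is host, host:port, or sni:port:host (the sni form disables TLS certificate verification)",`. Since the flag is Hidden, a one-line comment above `sshConnectTo = "connect-to"` marking it test-only would also help the next reader.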
{ {