From ae8d784e36e5d6dee0dafe8f4ca6e66915d8397b Mon Sep 17 00:00:00 2001
From: Dalton
Date: Thu, 11 Jun 2020 12:02:34 -0500
Subject: [PATCH] AUTH-2763 don't redirect from curl command

---
 carrier/carrier.go | 2 +-
 cmd/cloudflared/access/cmd.go | 2 +-
 cmd/cloudflared/token/token.go | 14 +++++++++++++-
 cmd/cloudflared/transfer/transfer.go | 12 +++++++-----
 cmd/cloudflared/tunnel/login.go | 2 +-
 5 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/carrier/carrier.go b/carrier/carrier.go
index 6240b8e4..b289729d 100644
--- a/carrier/carrier.go
+++ b/carrier/carrier.go
@@ -131,7 +131,7 @@ func BuildAccessRequest(options *StartOptions, logger logger.Service) (*http.Req
 return nil, err
 }
 
- token, err := token.FetchToken(req.URL, logger)
+ token, err := token.FetchTokenWithRedirect(req.URL, logger)
 if err != nil {
 return nil, err
 }
diff --git a/cmd/cloudflared/access/cmd.go b/cmd/cloudflared/access/cmd.go
index 2b12b5d3..02c8e820 100644
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@@ -351,7 +351,7 @@ func sshGen(c *cli.Context) error {
 // this fetchToken function mutates the appURL param. We should refactor that
 fetchTokenURL := &url.URL{}
 *fetchTokenURL = *originURL
- cfdToken, err := token.FetchToken(fetchTokenURL, logger)
+ cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, logger)
 if err != nil {
 return err
 }
diff --git a/cmd/cloudflared/token/token.go b/cmd/cloudflared/token/token.go
index 433187b2..56c51776 100644
--- a/cmd/cloudflared/token/token.go
+++ b/cmd/cloudflared/token/token.go
@@ -127,8 +127,20 @@ func isTokenLocked(lockFilePath string) bool {
 return exists && err == nil
 }
 
+// FetchTokenWithRedirect will either load a stored token or generate a new one
+// it appends a redirect URL to the access cli request if opening the browser
+func FetchTokenWithRedirect(appURL *url.URL, logger logger.Service) (string, error) {
+ return getToken(appURL, true, logger)
+}
+
 // FetchToken will either load a stored token or generate a new one
+// it doesn't append a redirect URL to the access cli request if opening the browser
 func FetchToken(appURL *url.URL, logger logger.Service) (string, error) {
+ return getToken(appURL, false, logger)
+}
+
+// getToken will either load a stored token or generate a new one
+func getToken(appURL *url.URL, shouldRedirect bool, logger logger.Service) (string, error) {
 if token, err := GetTokenIfExists(appURL); token != "" && err == nil {
 return token, nil
 }
@@ -154,7 +166,7 @@ func FetchToken(appURL *url.URL, logger logger.Service) (string, error) {
 // this weird parameter is the resource name (token) and the key/value
 // we want to send to the transfer service. the key is token and the value
 // is blank (basically just the id generated in the transfer service)
- token, err := transfer.Run(appURL, keyName, keyName, "", path, true, logger)
+ token, err := transfer.Run(appURL, keyName, keyName, "", path, true, shouldRedirect, logger)
 if err != nil {
 return "", err
 }
diff --git a/cmd/cloudflared/transfer/transfer.go b/cmd/cloudflared/transfer/transfer.go
index 24cfa745..52829b8c 100644
--- a/cmd/cloudflared/transfer/transfer.go
+++ b/cmd/cloudflared/transfer/transfer.go
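Review bot: `FetchToken` keeps its name but now means "no redirect", so any caller this patch does not touch silently switches to the no-redirect flow, and the doc comments only say what is appended rather than when to use each variant. I would spell that out, for example `// FetchToken loads a stored token or generates a new one. The browser login request carries no redirect_url; use FetchTokenWithRedirect to add one.` The `getToken` comment repeats the same first line and should describe its new parameter, e.g. `// shouldRedirect is passed to transfer.Run and controls whether redirect_url is added.` getToken's body continues outside this hunk.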
@@ -28,12 +28,12 @@ const (
 // The "dance" we refer to is building a HTTP request, opening that in a browser waiting for
 // the user to complete an action, while it long polls in the background waiting for an
 // action to be completed to download the resource.
-func Run(transferURL *url.URL, resourceName, key, value, path string, shouldEncrypt bool, logger logger.Service) ([]byte, error) {
+func Run(transferURL *url.URL, resourceName, key, value, path string, shouldEncrypt bool, shouldRedirect bool, logger logger.Service) ([]byte, error) {
 encrypterClient, err := encrypter.New("cloudflared_priv.pem", "cloudflared_pub.pem")
 if err != nil {
 return nil, err
 }
- requestURL, err := buildRequestURL(transferURL, key, value+encrypterClient.PublicKey(), shouldEncrypt)
+ requestURL, err := buildRequestURL(transferURL, key, value+encrypterClient.PublicKey(), shouldEncrypt, shouldRedirect)
 if err != nil {
 return nil, err
 }
@@ -82,7 +82,7 @@ func Run(transferURL *url.URL, resourceName, key, value, path string, shouldEncr
 // BuildRequestURL creates a request suitable for a resource transfer.
 // it will return a constructed url based off the base url and query key/value provided.
 // cli will build a url for cli transfer request.
-func buildRequestURL(baseURL *url.URL, key, value string, cli bool) (string, error) {
+func buildRequestURL(baseURL *url.URL, key, value string, cli, shouldRedirect bool) (string, error) {
 q := baseURL.Query()
 q.Set(key, value)
 baseURL.RawQuery = q.Encode()
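Review bot: `Run` now takes two adjacent positional booleans, `shouldEncrypt bool, shouldRedirect bool`, so a call like `transfer.Run(loginURL, "cert", "callback", callbackStoreURL, path, false, true, logger)` in tunnel/login.go compiles just as well with the two flags swapped. Because `shouldEncrypt` is also what this hunk passes as the `cli` argument of `buildRequestURL`, a swap would change both the request path taken and, presumably, whether the transferred resource is encrypted, with no compiler signal. Consider a small options struct or named constants at the call sites, and write the signature as `shouldEncrypt, shouldRedirect bool` to match `buildRequestURL`. The same positional pair appears in the `transfer.Run(appURL, keyName, keyName, "", path, true, shouldRedirect, logger)` call in token.go. Run's body continues outside the hunk.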
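Review bot: The comment above `buildRequestURL` documents `cli` but not the new `shouldRedirect` parameter, and it still opens with `BuildRequestURL` although the function is unexported. I would add a line such as `// shouldRedirect adds a redirect_url query parameter holding baseURL to the cli request.` and fix the leading name. The visible lines also assign `baseURL.RawQuery` on the caller's `*url.URL`, which is worth stating in the comment, since access/cmd.go copies its URL before calling for that reason. The function body continues past the end of this hunk.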
@@ -90,8 +90,10 @@ func buildRequestURL(baseURL *url.URL, key, value string, cli bool) (string, err
 return baseURL.String(), nil
 }
 
- q.Set("redirect_url", baseURL.String()) // we add the token as a query param on both the redirect_url
- baseURL.RawQuery = q.Encode() // and this actual baseURL.
+ if shouldRedirect {
+ q.Set("redirect_url", baseURL.String()) // we add the token as a query param on both the redirect_url and the main url
+ }
+ baseURL.RawQuery = q.Encode() // and this actual baseURL.
 baseURL.Path = "cdn-cgi/access/cli"
 return baseURL.String(), nil
 }
diff --git a/cmd/cloudflared/tunnel/login.go b/cmd/cloudflared/tunnel/login.go
index 3a9fbdb3..3a927259 100644
--- a/cmd/cloudflared/tunnel/login.go
+++ b/cmd/cloudflared/tunnel/login.go
@@ -40,7 +40,7 @@ func login(c *cli.Context) error {
 return err
 }
 
- _, err = transfer.Run(loginURL, "cert", "callback", callbackStoreURL, path, false, logger)
+ _, err = transfer.Run(loginURL, "cert", "callback", callbackStoreURL, path, false, true, logger)
 if err != nil {
 fmt.Fprintf(os.Stderr, "Failed to write the certificate due to the following error:\n%v\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", err, path)
 return err
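Review bot: In the `buildRequestURL` hunk the two-line trailing comment no longer reads correctly, because its first half now sits inside `if shouldRedirect {` and already ends with "and the main url", while the fragment `// and this actual baseURL.` is left dangling on the unconditional `baseURL.RawQuery = q.Encode()` line. I would replace both with one comment above the `if`, e.g. `// redirect_url carries the full baseURL, including the key/value query parameter set above`, and drop the trailing fragment. That wording also makes explicit that whatever is passed as `value` is repeated inside the redirect target, which a reader checking what reaches the application URL will want to know. The start of the function is outside this hunk.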