mirror of
https://github.com/bolkedebruin/rdpgw.git
synced 2025-08-17 22:13:50 +02:00
Switch to jwt tokens and allow some extra rdp settings
This commit is contained in:
parent
3ace4610fc
commit
46e1e9b9f4
7 changed files with 163 additions and 71 deletions
12
README.md
12
README.md
|
@ -43,6 +43,7 @@ server:
|
||||||
# if true the server randomly selects a host to connect to
|
# if true the server randomly selects a host to connect to
|
||||||
roundRobin: false
|
roundRobin: false
|
||||||
# a random string of at least 32 characters to secure cookies on the client
|
# a random string of at least 32 characters to secure cookies on the client
|
||||||
|
# make sure to share this across the different pods
|
||||||
sessionKey: thisisasessionkeyreplacethisjetzt
|
sessionKey: thisisasessionkeyreplacethisjetzt
|
||||||
# Open ID Connect specific settings
|
# Open ID Connect specific settings
|
||||||
openId:
|
openId:
|
||||||
|
@ -60,6 +61,17 @@ caps:
|
||||||
enablePnp: true
|
enablePnp: true
|
||||||
enableDrive: true
|
enableDrive: true
|
||||||
enableClipboard: true
|
enableClipboard: true
|
||||||
|
client:
|
||||||
|
usernameTemplate: "{{ username }}@bla.com"
|
||||||
|
# rdp file settings see:
|
||||||
|
# https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files
|
||||||
|
networkAutoDetect: 0
|
||||||
|
bandwidthAutoDetect: 1
|
||||||
|
ConnectionType: 6
|
||||||
|
security:
|
||||||
|
# a random string of at least 32 characters to secure cookies on the client
|
||||||
|
# make sure to share this amongst different pods
|
||||||
|
tokenSigningKey: thisisasessionkeyreplacethisjetzt
|
||||||
```
|
```
|
||||||
|
|
||||||
## Use
|
## Use
|
||||||
|
|
77
api/web.go
77
api/web.go
|
@ -12,24 +12,30 @@ import (
|
||||||
"log"
|
"log"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
RdpGwSession = "RDPGWSESSION"
|
RdpGwSession = "RDPGWSESSION"
|
||||||
PAAToken = "PAAToken"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type TokenGeneratorFunc func(string, string) (string, error)
|
||||||
|
|
||||||
type Config struct {
|
type Config struct {
|
||||||
SessionKey []byte
|
SessionKey []byte
|
||||||
TokenCache *cache.Cache
|
TokenGenerator TokenGeneratorFunc
|
||||||
OAuth2Config *oauth2.Config
|
OAuth2Config *oauth2.Config
|
||||||
store *sessions.CookieStore
|
store *sessions.CookieStore
|
||||||
TokenVerifier *oidc.IDTokenVerifier
|
TokenVerifier *oidc.IDTokenVerifier
|
||||||
stateStore *cache.Cache
|
stateStore *cache.Cache
|
||||||
Hosts []string
|
Hosts []string
|
||||||
GatewayAddress string
|
GatewayAddress string
|
||||||
|
UsernameTemplate string
|
||||||
|
NetworkAutoDetect int
|
||||||
|
BandwidthAutoDetect int
|
||||||
|
ConnectionType int
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Config) NewApi() {
|
func (c *Config) NewApi() {
|
||||||
|
@ -86,22 +92,18 @@ func (c *Config) HandleCallback(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
seed := make([]byte, 16)
|
|
||||||
rand.Read(seed)
|
|
||||||
token := hex.EncodeToString(seed)
|
|
||||||
|
|
||||||
session, err := c.store.Get(r, RdpGwSession)
|
session, err := c.store.Get(r, RdpGwSession)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
session.Values[PAAToken] = token
|
session.Values["preferred_username"] = data["preferred_username"]
|
||||||
|
session.Values["authenticated"] = true
|
||||||
|
|
||||||
if err = session.Save(r, w); err != nil {
|
if err = session.Save(r, w); err != nil {
|
||||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||||
}
|
}
|
||||||
c.TokenCache.Set(token, data, cache.DefaultExpiration)
|
|
||||||
|
|
||||||
http.Redirect(w, r, url, http.StatusFound)
|
http.Redirect(w, r, url, http.StatusFound)
|
||||||
}
|
}
|
||||||
|
@ -114,13 +116,8 @@ func (c *Config) Authenticated(next http.Handler) http.Handler {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
found := false
|
found := session.Values["authenticated"]
|
||||||
token := session.Values[PAAToken]
|
if found == nil || !found.(bool) {
|
||||||
if token != nil {
|
|
||||||
_, found = c.TokenCache.Get(token.(string))
|
|
||||||
}
|
|
||||||
|
|
||||||
if !found {
|
|
||||||
seed := make([]byte, 16)
|
seed := make([]byte, 16)
|
||||||
rand.Read(seed)
|
rand.Read(seed)
|
||||||
state := hex.EncodeToString(seed)
|
state := hex.EncodeToString(seed)
|
||||||
|
@ -140,24 +137,35 @@ func (c *Config) HandleDownload(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
token := session.Values[PAAToken].(string)
|
userName := session.Values["preferred_username"]
|
||||||
data, found := c.TokenCache.Get(token)
|
if userName == nil || userName.(string) == "" {
|
||||||
if found == false {
|
|
||||||
// This shouldnt happen if the Authenticated handler is used to wrap this func
|
// This shouldnt happen if the Authenticated handler is used to wrap this func
|
||||||
log.Printf("Found expired or non existent session: %s", token)
|
log.Printf("Found expired or non existent session")
|
||||||
http.Error(w, errors.New("cannot find token").Error(), http.StatusInternalServerError)
|
http.Error(w, errors.New("cannot find session").Error(), http.StatusInternalServerError)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// do a round robin selection for now
|
// do a round robin selection for now
|
||||||
rand.Seed(time.Now().Unix())
|
rand.Seed(time.Now().Unix())
|
||||||
var host = c.Hosts[rand.Intn(len(c.Hosts))]
|
host := c.Hosts[rand.Intn(len(c.Hosts))]
|
||||||
for k, v := range data.(map[string]interface{}) {
|
host = strings.Replace(host, "{{ preferred_username }}", userName.(string), 1)
|
||||||
if val, ok := v.(string); ok == true {
|
|
||||||
host = strings.Replace(host, "{{ "+k+" }}", val, 1)
|
user := userName.(string)
|
||||||
|
if c.UsernameTemplate != "" {
|
||||||
|
user = strings.Replace(c.UsernameTemplate, "{{ username }}", user, 1)
|
||||||
|
if c.UsernameTemplate == user {
|
||||||
|
log.Printf("Invalid username template. %s == %s", c.UsernameTemplate, user)
|
||||||
|
http.Error(w, errors.New("invalid server configuration").Error(), http.StatusInternalServerError)
|
||||||
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
token, err := c.TokenGenerator(user, host)
|
||||||
|
if err != nil {
|
||||||
|
log.Printf("Cannot generate token for user %s due to %s", user, err)
|
||||||
|
http.Error(w, errors.New("unable to generate gateway credentials").Error(), http.StatusInternalServerError)
|
||||||
|
}
|
||||||
|
|
||||||
// authenticated
|
// authenticated
|
||||||
seed := make([]byte, 16)
|
seed := make([]byte, 16)
|
||||||
rand.Read(seed)
|
rand.Read(seed)
|
||||||
|
@ -172,7 +180,8 @@ func (c *Config) HandleDownload(w http.ResponseWriter, r *http.Request) {
|
||||||
"gatewayusagemethod:i:1\r\n"+
|
"gatewayusagemethod:i:1\r\n"+
|
||||||
"gatewayprofileusagemethod:i:1\r\n"+
|
"gatewayprofileusagemethod:i:1\r\n"+
|
||||||
"gatewayaccesstoken:s:"+token+"\r\n"+
|
"gatewayaccesstoken:s:"+token+"\r\n"+
|
||||||
"networkautodetect:i:0\r\n"+
|
"networkautodetect:i:"+strconv.Itoa(c.NetworkAutoDetect)+"\r\n"+
|
||||||
"bandwidthautodetect:i:1\r\n"+
|
"bandwidthautodetect:i:"+strconv.Itoa(c.BandwidthAutoDetect)+"\r\n"+
|
||||||
"connection type:i:6\r\n"))
|
"connection type:i:"+strconv.Itoa(c.ConnectionType)+"\r\n"+
|
||||||
|
"username:s:"+user+"\r\n"))
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,9 +6,11 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
type Configuration struct {
|
type Configuration struct {
|
||||||
Server ServerConfig
|
Server ServerConfig
|
||||||
OpenId OpenIDConfig
|
OpenId OpenIDConfig
|
||||||
Caps RDGCapsConfig
|
Caps RDGCapsConfig
|
||||||
|
Security SecurityConfig
|
||||||
|
Client ClientConfig
|
||||||
}
|
}
|
||||||
|
|
||||||
type ServerConfig struct {
|
type ServerConfig struct {
|
||||||
|
@ -17,8 +19,8 @@ type ServerConfig struct {
|
||||||
CertFile string
|
CertFile string
|
||||||
KeyFile string
|
KeyFile string
|
||||||
Hosts []string
|
Hosts []string
|
||||||
RoundRobin bool
|
RoundRobin bool
|
||||||
SessionKey string
|
SessionKey string
|
||||||
}
|
}
|
||||||
|
|
||||||
type OpenIDConfig struct {
|
type OpenIDConfig struct {
|
||||||
|
@ -40,10 +42,26 @@ type RDGCapsConfig struct {
|
||||||
EnableDrive bool
|
EnableDrive bool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type SecurityConfig struct {
|
||||||
|
EnableOpenId bool
|
||||||
|
TokenSigningKey string
|
||||||
|
PassTokenAsPassword bool
|
||||||
|
}
|
||||||
|
|
||||||
|
type ClientConfig struct {
|
||||||
|
NetworkAutoDetect int
|
||||||
|
BandwidthAutoDetect int
|
||||||
|
ConnectionType int
|
||||||
|
UsernameTemplate string
|
||||||
|
}
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
viper.SetDefault("server.certFile", "server.pem")
|
viper.SetDefault("server.certFile", "server.pem")
|
||||||
viper.SetDefault("server.keyFile", "key.pem")
|
viper.SetDefault("server.keyFile", "key.pem")
|
||||||
viper.SetDefault("server.port", 443)
|
viper.SetDefault("server.port", 443)
|
||||||
|
viper.SetDefault("security.enableOpenId", true)
|
||||||
|
viper.SetDefault("client.networkAutoDetect", 1)
|
||||||
|
viper.SetDefault("client.bandwidthAutoDetect", 1)
|
||||||
}
|
}
|
||||||
|
|
||||||
func Load(configFile string) Configuration {
|
func Load(configFile string) Configuration {
|
||||||
|
@ -56,12 +74,16 @@ func Load(configFile string) Configuration {
|
||||||
viper.AutomaticEnv()
|
viper.AutomaticEnv()
|
||||||
|
|
||||||
if err := viper.ReadInConfig(); err != nil {
|
if err := viper.ReadInConfig(); err != nil {
|
||||||
log.Printf("No config file found (%s). Using defaults", err)
|
log.Fatalf("No config file found (%s)", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := viper.Unmarshal(&conf); err != nil {
|
if err := viper.Unmarshal(&conf); err != nil {
|
||||||
log.Fatalf("Cannot unmarshal the config file; %s", err)
|
log.Fatalf("Cannot unmarshal the config file; %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(conf.Security.TokenSigningKey) < 32 {
|
||||||
|
log.Fatalf("Token signing key not long enough")
|
||||||
|
}
|
||||||
|
|
||||||
return conf
|
return conf
|
||||||
}
|
}
|
||||||
|
|
1
go.mod
1
go.mod
|
@ -4,6 +4,7 @@ go 1.14
|
||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/coreos/go-oidc/v3 v3.0.0-alpha.1
|
github.com/coreos/go-oidc/v3 v3.0.0-alpha.1
|
||||||
|
github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
|
||||||
github.com/gorilla/sessions v1.2.0
|
github.com/gorilla/sessions v1.2.0
|
||||||
github.com/gorilla/websocket v1.4.2
|
github.com/gorilla/websocket v1.4.2
|
||||||
github.com/patrickmn/go-cache v2.1.0+incompatible
|
github.com/patrickmn/go-cache v2.1.0+incompatible
|
||||||
|
|
19
main.go
19
main.go
|
@ -8,7 +8,6 @@ import (
|
||||||
"github.com/bolkedebruin/rdpgw/protocol"
|
"github.com/bolkedebruin/rdpgw/protocol"
|
||||||
"github.com/bolkedebruin/rdpgw/security"
|
"github.com/bolkedebruin/rdpgw/security"
|
||||||
"github.com/coreos/go-oidc/v3/oidc"
|
"github.com/coreos/go-oidc/v3/oidc"
|
||||||
"github.com/patrickmn/go-cache"
|
|
||||||
"github.com/prometheus/client_golang/prometheus/promhttp"
|
"github.com/prometheus/client_golang/prometheus/promhttp"
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
|
@ -16,7 +15,6 @@ import (
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
"strconv"
|
"strconv"
|
||||||
"time"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var cmd = &cobra.Command{
|
var cmd = &cobra.Command{
|
||||||
|
@ -28,7 +26,6 @@ var (
|
||||||
configFile string
|
configFile string
|
||||||
)
|
)
|
||||||
|
|
||||||
var tokens = cache.New(time.Minute *5, 10*time.Minute)
|
|
||||||
var conf config.Configuration
|
var conf config.Configuration
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
@ -36,6 +33,9 @@ func main() {
|
||||||
cmd.PersistentFlags().StringVarP(&configFile, "conf", "c", "rdpgw.yaml", "config file (json, yaml, ini)")
|
cmd.PersistentFlags().StringVarP(&configFile, "conf", "c", "rdpgw.yaml", "config file (json, yaml, ini)")
|
||||||
conf = config.Load(configFile)
|
conf = config.Load(configFile)
|
||||||
|
|
||||||
|
// set security keys
|
||||||
|
security.SigningKey = []byte(conf.Security.TokenSigningKey)
|
||||||
|
|
||||||
// set oidc config
|
// set oidc config
|
||||||
ctx := context.Background()
|
ctx := context.Background()
|
||||||
provider, err := oidc.NewProvider(ctx, conf.OpenId.ProviderUrl)
|
provider, err := oidc.NewProvider(ctx, conf.OpenId.ProviderUrl)
|
||||||
|
@ -59,9 +59,13 @@ func main() {
|
||||||
GatewayAddress: conf.Server.GatewayAddress,
|
GatewayAddress: conf.Server.GatewayAddress,
|
||||||
OAuth2Config: &oauthConfig,
|
OAuth2Config: &oauthConfig,
|
||||||
TokenVerifier: verifier,
|
TokenVerifier: verifier,
|
||||||
TokenCache: tokens,
|
TokenGenerator: security.GeneratePAAToken,
|
||||||
SessionKey: []byte(conf.Server.SessionKey),
|
SessionKey: []byte(conf.Server.SessionKey),
|
||||||
Hosts: conf.Server.Hosts,
|
Hosts: conf.Server.Hosts,
|
||||||
|
NetworkAutoDetect: conf.Client.NetworkAutoDetect,
|
||||||
|
UsernameTemplate: conf.Client.UsernameTemplate,
|
||||||
|
BandwidthAutoDetect: conf.Client.BandwidthAutoDetect,
|
||||||
|
ConnectionType: conf.Client.ConnectionType,
|
||||||
}
|
}
|
||||||
api.NewApi()
|
api.NewApi()
|
||||||
|
|
||||||
|
@ -96,11 +100,6 @@ func main() {
|
||||||
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // disable http2
|
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // disable http2
|
||||||
}
|
}
|
||||||
|
|
||||||
// setup security
|
|
||||||
securityConfig := &security.Config{
|
|
||||||
Store: tokens,
|
|
||||||
}
|
|
||||||
|
|
||||||
// create the gateway
|
// create the gateway
|
||||||
handlerConfig := protocol.HandlerConf{
|
handlerConfig := protocol.HandlerConf{
|
||||||
IdleTimeout: conf.Caps.IdleTimeout,
|
IdleTimeout: conf.Caps.IdleTimeout,
|
||||||
|
@ -115,7 +114,7 @@ func main() {
|
||||||
DisableAll: conf.Caps.DisableRedirect,
|
DisableAll: conf.Caps.DisableRedirect,
|
||||||
EnableAll: conf.Caps.RedirectAll,
|
EnableAll: conf.Caps.RedirectAll,
|
||||||
},
|
},
|
||||||
VerifyTunnelCreate: securityConfig.VerifyPAAToken,
|
VerifyTunnelCreate: security.VerifyPAAToken,
|
||||||
}
|
}
|
||||||
gw := protocol.Gateway{
|
gw := protocol.Gateway{
|
||||||
HandlerConf: &handlerConfig,
|
HandlerConf: &handlerConfig,
|
||||||
|
|
70
security/jwt.go
Normal file
70
security/jwt.go
Normal file
|
@ -0,0 +1,70 @@
|
||||||
|
package security
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"github.com/bolkedebruin/rdpgw/protocol"
|
||||||
|
"github.com/dgrijalva/jwt-go/v4"
|
||||||
|
"log"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
var SigningKey []byte
|
||||||
|
var ExpiryTime time.Duration = 5
|
||||||
|
|
||||||
|
type customClaims struct {
|
||||||
|
RemoteServer string `json:"remoteServer"`
|
||||||
|
jwt.StandardClaims
|
||||||
|
}
|
||||||
|
|
||||||
|
func VerifyPAAToken(s *protocol.SessionInfo, tokenString string) (bool, error) {
|
||||||
|
token, err := jwt.ParseWithClaims(tokenString, &customClaims{}, func(token *jwt.Token) (interface{}, error) {
|
||||||
|
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||||
|
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
||||||
|
}
|
||||||
|
|
||||||
|
return SigningKey, nil
|
||||||
|
})
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, ok := token.Claims.(*customClaims); ok && token.Valid {
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("token validation failed: %s", err)
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func GeneratePAAToken(username string, server string) (string, error) {
|
||||||
|
if len(SigningKey) < 32 {
|
||||||
|
return "", errors.New("token signing key not long enough or not specified")
|
||||||
|
}
|
||||||
|
|
||||||
|
exp := &jwt.Time{
|
||||||
|
Time: time.Now().Add(time.Minute * 5),
|
||||||
|
}
|
||||||
|
now := &jwt.Time{
|
||||||
|
Time: time.Now(),
|
||||||
|
}
|
||||||
|
|
||||||
|
c := customClaims{
|
||||||
|
RemoteServer: server,
|
||||||
|
StandardClaims: jwt.StandardClaims{
|
||||||
|
ExpiresAt: exp,
|
||||||
|
IssuedAt: now,
|
||||||
|
Issuer: "rdpgw",
|
||||||
|
Subject: username,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
token := jwt.NewWithClaims(jwt.SigningMethodHS512, c)
|
||||||
|
if ss, err := token.SignedString(SigningKey); err != nil {
|
||||||
|
log.Printf("Cannot sign PAA token %s", err)
|
||||||
|
return "", err
|
||||||
|
} else {
|
||||||
|
return ss, nil
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,21 +0,0 @@
|
||||||
package security
|
|
||||||
|
|
||||||
import (
|
|
||||||
"github.com/bolkedebruin/rdpgw/protocol"
|
|
||||||
"github.com/patrickmn/go-cache"
|
|
||||||
"log"
|
|
||||||
)
|
|
||||||
|
|
||||||
type Config struct {
|
|
||||||
Store *cache.Cache
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *Config) VerifyPAAToken(s *protocol.SessionInfo, token string) (bool, error) {
|
|
||||||
_, found := c.Store.Get(token)
|
|
||||||
if !found {
|
|
||||||
log.Printf("PAA Token %s not found", token)
|
|
||||||
return false, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return true, nil
|
|
||||||
}
|
|
Loading…
Add table
Add a link
Reference in a new issue