Enable simple security
This commit is contained in:
parent
3839058eb8
commit
afe33a9204
3 changed files with 36 additions and 11 deletions
7
main.go
7
main.go
|
@ -5,6 +5,7 @@ import (
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"github.com/bolkedebruin/rdpgw/config"
|
"github.com/bolkedebruin/rdpgw/config"
|
||||||
"github.com/bolkedebruin/rdpgw/protocol"
|
"github.com/bolkedebruin/rdpgw/protocol"
|
||||||
|
"github.com/bolkedebruin/rdpgw/security"
|
||||||
"github.com/coreos/go-oidc/v3/oidc"
|
"github.com/coreos/go-oidc/v3/oidc"
|
||||||
"github.com/patrickmn/go-cache"
|
"github.com/patrickmn/go-cache"
|
||||||
"github.com/prometheus/client_golang/prometheus/promhttp"
|
"github.com/prometheus/client_golang/prometheus/promhttp"
|
||||||
|
@ -89,6 +90,11 @@ func main() {
|
||||||
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // disable http2
|
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // disable http2
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// setup security
|
||||||
|
securityConfig := &security.Config{
|
||||||
|
Store: tokens,
|
||||||
|
}
|
||||||
|
|
||||||
// create the gateway
|
// create the gateway
|
||||||
handlerConfig := protocol.HandlerConf{
|
handlerConfig := protocol.HandlerConf{
|
||||||
IdleTimeout: conf.Caps.IdleTimeout,
|
IdleTimeout: conf.Caps.IdleTimeout,
|
||||||
|
@ -103,6 +109,7 @@ func main() {
|
||||||
DisableAll: conf.Caps.DisableRedirect,
|
DisableAll: conf.Caps.DisableRedirect,
|
||||||
EnableAll: conf.Caps.RedirectAll,
|
EnableAll: conf.Caps.RedirectAll,
|
||||||
},
|
},
|
||||||
|
VerifyTunnelCreate: securityConfig.VerifyPAAToken,
|
||||||
}
|
}
|
||||||
gw := protocol.Gateway{
|
gw := protocol.Gateway{
|
||||||
HandlerConf: &handlerConfig,
|
HandlerConf: &handlerConfig,
|
||||||
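Review bot: The new HandlerConf wires only `VerifyTunnelCreate`; `VerifyTunnelAuthFunc` and `VerifyServerFunc` are left nil, and in the protocol hunks each of those checks is skipped when nil, so after this commit any client name and any target host:port are accepted once a token is presented. If that is an intended interim step, say so next to the new block: `// TODO(security): only PAA token verification is wired; client-name and target-host policy (VerifyTunnelAuthFunc/VerifyServerFunc) are still unset and therefore skipped.` What the `tokens` cache holds is not visible here, so whether it contains only gateway-issued tokens cannot be confirmed from this hunk. main() starts and ends outside the hunk.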
|
|
|
@ -12,9 +12,9 @@ import (
|
||||||
"time"
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
type VerifyPAACookieFunc func(string) (bool, error)
|
type VerifyTunnelCreate func(*SessionInfo, string) (bool, error)
|
||||||
type VerifyTunnelAuthFunc func(string) (bool, error)
|
type VerifyTunnelAuthFunc func(*SessionInfo, string) (bool, error)
|
||||||
type VerifyServerFunc func(string) (bool, error)
|
type VerifyServerFunc func(*SessionInfo, string) (bool, error)
|
||||||
|
|
||||||
type RedirectFlags struct {
|
type RedirectFlags struct {
|
||||||
Clipboard bool
|
Clipboard bool
|
||||||
|
@ -27,9 +27,10 @@ type RedirectFlags struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type Handler struct {
|
type Handler struct {
|
||||||
|
Session *SessionInfo
|
||||||
TransportIn transport.Transport
|
TransportIn transport.Transport
|
||||||
TransportOut transport.Transport
|
TransportOut transport.Transport
|
||||||
VerifyPAACookieFunc VerifyPAACookieFunc
|
VerifyTunnelCreate VerifyTunnelCreate
|
||||||
VerifyTunnelAuthFunc VerifyTunnelAuthFunc
|
VerifyTunnelAuthFunc VerifyTunnelAuthFunc
|
||||||
VerifyServerFunc VerifyServerFunc
|
VerifyServerFunc VerifyServerFunc
|
||||||
RedirectFlags int
|
RedirectFlags int
|
||||||
|
@ -42,7 +43,7 @@ type Handler struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type HandlerConf struct {
|
type HandlerConf struct {
|
||||||
VerifyPAACookieFunc VerifyPAACookieFunc
|
VerifyTunnelCreate VerifyTunnelCreate
|
||||||
VerifyTunnelAuthFunc VerifyTunnelAuthFunc
|
VerifyTunnelAuthFunc VerifyTunnelAuthFunc
|
||||||
VerifyServerFunc VerifyServerFunc
|
VerifyServerFunc VerifyServerFunc
|
||||||
RedirectFlags RedirectFlags
|
RedirectFlags RedirectFlags
|
||||||
|
@ -53,6 +54,7 @@ type HandlerConf struct {
|
||||||
|
|
||||||
func NewHandler(s *SessionInfo, conf *HandlerConf) *Handler {
|
func NewHandler(s *SessionInfo, conf *HandlerConf) *Handler {
|
||||||
h := &Handler{
|
h := &Handler{
|
||||||
|
Session: s,
|
||||||
TransportIn: s.TransportIn,
|
TransportIn: s.TransportIn,
|
||||||
TransportOut: s.TransportOut,
|
TransportOut: s.TransportOut,
|
||||||
State: SERVER_STATE_INITIAL,
|
State: SERVER_STATE_INITIAL,
|
||||||
|
@ -60,7 +62,7 @@ func NewHandler(s *SessionInfo, conf *HandlerConf) *Handler {
|
||||||
IdleTimeout: conf.IdleTimeout,
|
IdleTimeout: conf.IdleTimeout,
|
||||||
SmartCardAuth: conf.SmartCardAuth,
|
SmartCardAuth: conf.SmartCardAuth,
|
||||||
TokenAuth: conf.TokenAuth,
|
TokenAuth: conf.TokenAuth,
|
||||||
VerifyPAACookieFunc: conf.VerifyPAACookieFunc,
|
VerifyTunnelCreate: conf.VerifyTunnelCreate,
|
||||||
VerifyServerFunc: conf.VerifyServerFunc,
|
VerifyServerFunc: conf.VerifyServerFunc,
|
||||||
VerifyTunnelAuthFunc: conf.VerifyTunnelAuthFunc,
|
VerifyTunnelAuthFunc: conf.VerifyTunnelAuthFunc,
|
||||||
}
|
}
|
||||||
|
@ -92,8 +94,8 @@ func (h *Handler) Process() error {
|
||||||
return errors.New("wrong state")
|
return errors.New("wrong state")
|
||||||
}
|
}
|
||||||
_, cookie := readCreateTunnelRequest(pkt)
|
_, cookie := readCreateTunnelRequest(pkt)
|
||||||
if h.VerifyPAACookieFunc != nil {
|
if h.VerifyTunnelCreate != nil {
|
||||||
if ok, _ := h.VerifyPAACookieFunc(cookie); !ok {
|
if ok, _ := h.VerifyTunnelCreate(h.Session, cookie); !ok {
|
||||||
log.Printf("Invalid PAA cookie: %s", cookie)
|
log.Printf("Invalid PAA cookie: %s", cookie)
|
||||||
return errors.New("invalid PAA cookie")
|
return errors.New("invalid PAA cookie")
|
||||||
}
|
}
|
||||||
|
@ -109,7 +111,7 @@ func (h *Handler) Process() error {
|
||||||
}
|
}
|
||||||
client := h.readTunnelAuthRequest(pkt)
|
client := h.readTunnelAuthRequest(pkt)
|
||||||
if h.VerifyTunnelAuthFunc != nil {
|
if h.VerifyTunnelAuthFunc != nil {
|
||||||
if ok, _ := h.VerifyTunnelAuthFunc(client); !ok {
|
if ok, _ := h.VerifyTunnelAuthFunc(h.Session, client); !ok {
|
||||||
log.Printf("Invalid client name: %s", client)
|
log.Printf("Invalid client name: %s", client)
|
||||||
return errors.New("invalid client name")
|
return errors.New("invalid client name")
|
||||||
}
|
}
|
||||||
|
@ -126,7 +128,7 @@ func (h *Handler) Process() error {
|
||||||
server, port := readChannelCreateRequest(pkt)
|
server, port := readChannelCreateRequest(pkt)
|
||||||
host := net.JoinHostPort(server, strconv.Itoa(int(port)))
|
host := net.JoinHostPort(server, strconv.Itoa(int(port)))
|
||||||
if h.VerifyServerFunc != nil {
|
if h.VerifyServerFunc != nil {
|
||||||
if ok, _ := h.VerifyServerFunc(host); !ok {
|
if ok, _ := h.VerifyServerFunc(h.Session, host); !ok {
|
||||||
log.Printf("Not allowed to connect to %s by policy handler", host)
|
log.Printf("Not allowed to connect to %s by policy handler", host)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
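Review bot: On the changed `VerifyServerFunc` call the failure branch only logs "Not allowed to connect to %s by policy handler" and falls through, so a target rejected by policy is still connected to; the check is advisory. Add a return after the log, `return errors.New("connection not allowed by policy")`, mirroring the tunnel-create and tunnel-auth branches earlier in the same function. The error from all three verify funcs is discarded (`ok, _`), so a failing token store is indistinguishable from a bad token in the logs; consider logging it before returning. Process() continues outside the hunk.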
|
|
|
@ -1,5 +1,21 @@
|
||||||
package security
|
package security
|
||||||
|
|
||||||
func VerifyServerTemplate(server string) (bool, err) {
|
import (
|
||||||
|
"github.com/bolkedebruin/rdpgw/protocol"
|
||||||
|
"github.com/patrickmn/go-cache"
|
||||||
|
"log"
|
||||||
|
)
|
||||||
|
|
||||||
|
type Config struct {
|
||||||
|
Store *cache.Cache
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Config) VerifyPAAToken(s *protocol.SessionInfo, token string) (bool, error) {
|
||||||
|
_, found := c.Store.Get(token)
|
||||||
|
if !found {
|
||||||
|
log.Printf("PAA Token %s not found", token)
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return true, nil
|
||||||
}
|
}
|
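Review bot: `VerifyPAAToken` logs the presented token verbatim (`log.Printf("PAA Token %s not found", token)`), so a mistyped or just-expired valid token lands in plaintext logs; log only that a lookup failed, `log.Printf("PAA token not found")`, or at most a short prefix. The cached value is discarded (`_, found := c.Store.Get(token)`) and the `s *protocol.SessionInfo` parameter is unused, so nothing binds the token to the session or to whoever it was issued for — any token present in the store opens a tunnel; if the store maps token to an identity, compare it against the session here (what it holds is not visible in this hunk). The token is also not removed or marked used after a successful check, so it stays valid for the cache's lifetime — confirm that reuse across connections is intended. The exported type and method have no doc comments; add `// VerifyPAAToken reports whether token is present in the store; it is wired as the gateway's VerifyTunnelCreate hook.` and a one-line comment on `Config`.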