zydronium/rdpgw
1
0
Fork 0
mirror of https://github.com/bolkedebruin/rdpgw.git synced 2025-08-17 14:03:50 +02:00
Code Issues Projects Releases Packages Wiki Activity

Add comments and make client ip address verification optional but enabled by default

Browse source
This commit is contained in:
Bolke de Bruin 2020-08-21 09:53:36 +02:00
parent db00ce7be0
commit c9213414c5
4 changed files with 21 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

3
config/configuration.go
View file

@ -48,6 +48,7 @@ type SecurityConfig struct {
PAATokenSigningKey string PAATokenSigningKey string
UserTokenEncryptionKey string UserTokenEncryptionKey string
UserTokenSigningKey string UserTokenSigningKey string
VerifyClientIp bool
} }
type ClientConfig struct { type ClientConfig struct {
@ -61,9 +62,9 @@ func init() {
viper.SetDefault("server.certFile", "server.pem") viper.SetDefault("server.certFile", "server.pem")
viper.SetDefault("server.keyFile", "key.pem") viper.SetDefault("server.keyFile", "key.pem")
viper.SetDefault("server.port", 443) viper.SetDefault("server.port", 443)
viper.SetDefault("security.enableOpenId", true)
viper.SetDefault("client.networkAutoDetect", 1) viper.SetDefault("client.networkAutoDetect", 1)
viper.SetDefault("client.bandwidthAutoDetect", 1) viper.SetDefault("client.bandwidthAutoDetect", 1)
viper.SetDefault("security.verifyClientIp", true)
} }
func Load(configFile string) Configuration { func Load(configFile string) Configuration {

2
main.go
View file

@ -34,6 +34,8 @@ func main() {
cmd.PersistentFlags().StringVarP(&configFile, "conf", "c", "rdpgw.yaml", "config file (json, yaml, ini)") cmd.PersistentFlags().StringVarP(&configFile, "conf", "c", "rdpgw.yaml", "config file (json, yaml, ini)")
conf = config.Load(configFile) conf = config.Load(configFile)
security.VerifyClientIP = conf.Security.VerifyClientIp
// set security keys // set security keys
security.SigningKey = []byte(conf.Security.PAATokenSigningKey) security.SigningKey = []byte(conf.Security.PAATokenSigningKey)
security.EncryptionKey = []byte(conf.Security.PAATokenEncryptionKey) security.EncryptionKey = []byte(conf.Security.PAATokenEncryptionKey)

17
protocol/common.go
View file

@ -21,13 +21,22 @@ type RedirectFlags struct {
} }
type SessionInfo struct { type SessionInfo struct {
// The connection-id (RDG-ConnID) as reported by the client
ConnId string ConnId string
// The underlying incoming transport being either websocket or legacy http
// in case of websocket TransportOut will equal TransportIn
TransportIn transport.Transport TransportIn transport.Transport
// The underlying outgoing transport being either websocket or legacy http
// in case of websocket TransportOut will equal TransportOut
TransportOut transport.Transport TransportOut transport.Transport
// The remote desktop server (rdp, vnc etc) the clients intends to connect to
RemoteServer string RemoteServer string
// The obtained client ip address
ClientIp string ClientIp string
} }
// readMessage parses and defragments a packet from a Transport. It returns
// at most the bytes that have been reported by the packet
func readMessage(in transport.Transport) (pt int, n int, msg []byte, err error) { func readMessage(in transport.Transport) (pt int, n int, msg []byte, err error) {
fragment := false fragment := false
index := 0 index := 0
@ -66,6 +75,7 @@ func readMessage(in transport.Transport) (pt int, n int, msg []byte, err error)
} }
} }
// createPacket wraps the data into the protocol packet
func createPacket(pktType uint16, data []byte) (packet []byte) { func createPacket(pktType uint16, data []byte) (packet []byte) {
size := len(data) + 8 size := len(data) + 8
buf := new(bytes.Buffer) buf := new(bytes.Buffer)
@ -78,6 +88,7 @@ func createPacket(pktType uint16, data []byte) (packet []byte) {
return buf.Bytes() return buf.Bytes()
} }
// readHeader parses a packet and verifies its reported size
func readHeader(data []byte) (packetType uint16, size uint32, packet []byte, err error) { func readHeader(data []byte) (packetType uint16, size uint32, packet []byte, err error) {
// header needs to be 8 min // header needs to be 8 min
if len(data) < 8 { if len(data) < 8 {
@ -90,10 +101,10 @@ func readHeader(data []byte) (packetType uint16, size uint32, packet []byte, err
if len(data) < int(size) { if len(data) < int(size) {
return packetType, size, data[8:], errors.New("data incomplete, fragment received") return packetType, size, data[8:], errors.New("data incomplete, fragment received")
} }
return packetType, size, data[8:], nil return packetType, size, data[8:size-8], nil
} }
// sends data wrapped inside the rdpgw protocol // forwards data from a Connection to Transport and wraps it in the rdpgw protocol
func forward(in net.Conn, out transport.Transport) { func forward(in net.Conn, out transport.Transport) {
defer in.Close() defer in.Close()
@ -113,7 +124,7 @@ func forward(in net.Conn, out transport.Transport) {
} }
} }
// receive data from the wire, unwrap and forward to the client // receive data received from the gateway client, unwrap and forward the remote desktop server
func receive(data []byte, out net.Conn) { func receive(data []byte, out net.Conn) {
buf := bytes.NewReader(data) buf := bytes.NewReader(data)

5
security/jwt.go
View file

@ -24,6 +24,7 @@ var (
) )
var ExpiryTime time.Duration = 5 var ExpiryTime time.Duration = 5
var VerifyClientIP bool = true
type customClaims struct { type customClaims struct {
RemoteServer string `json:"remoteServer"` RemoteServer string `json:"remoteServer"`
@ -89,11 +90,11 @@ func VerifyServerFunc(ctx context.Context, host string) (bool, error) {
return false, nil return false, nil
} }
/*if s.ClientIp != common.GetClientIp(ctx) { if VerifyClientIP && s.ClientIp != common.GetClientIp(ctx) {
log.Printf("Current client ip address %s does not match token client ip %s", log.Printf("Current client ip address %s does not match token client ip %s",
common.GetClientIp(ctx), s.ClientIp) common.GetClientIp(ctx), s.ClientIp)
return false, nil return false, nil
}*/ }
return true, nil return true, nil
} }