#! /usr/bin/perl -T # vim: set filetype=perl ts=4 sw=4 sts=4 et: # FILEMODE 0755 # FILEOWN root root use common::sense; use File::Basename; use lib dirname(__FILE__) . '/../../lib/perl'; use OVH::Result; use OVH::Bastion; use Fcntl qw(:flock SEEK_END); use Getopt::Long; use HTTP::Message; use IO::Pipe; use IO::Select; use IO::Socket::SSL; use IO::Socket::SSL; use LWP::UserAgent; use MIME::Base64; use POSIX (); use Storable qw{ freeze thaw }; use Sys::Hostname; use Time::HiRes (); $ENV{'FORCE_STDERR'} = 1; $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/pkg/bin'; my $uniqid; my $fnret; my %log_params = ( 'cmdtype' => 'proxyhttp_worker', 'uniq_id' => $uniqid, 'bastionip' => $ENV{'SERVER_ADDR'}, 'bastionport' => $ENV{'SERVER_PORT'}, 'ipfrom' => $ENV{'REMOTE_ADDR'}, 'portfrom' => $ENV{'REMOTE_PORT'}, 'custom' => [[user_agent => $ENV{'HTTP_USER_AGENT'}]], ); # to handle child timeout my $child_finished = 0; $SIG{'CHLD'} = sub { wait; $child_finished = 1 }; my @headers; sub log_and_exit { my ($code, $msg, $body, $params) = @_; my %merged = (%log_params, %$params); $merged{'allowed'} //= 0; # custom data will only be logged to logfile and syslog, not sql (it's not in the generic schema) push @{$merged{'custom'}}, ['code' => $code], ['msg' => $msg]; OVH::Bastion::log_access_insert(%merged); push @headers, ["X-Bastion-Local-Status" => $code]; OVH::Bastion::json_output( R( 'OK', value => {code => $code, msg => $msg, body => $body . "\n", headers => \@headers, allowed => $merged{'allowed'}} ), no_delimiters => 1 ); exit 0; } my $pass = delete $ENV{'PROXY_ACCOUNT_PASSWORD'}; my $content; GetOptions( "account=s" => \my $account, "user=s" => \my $user, "group=s" => \my $group, "context=s" => \my $context, "host=s" => \my $remotemachine, "port=i" => \my $remoteport, "method=s" => \my $method, "path=s" => \my $path, "header=s" => \my @client_headers, "timeout=i" => \my $timeout, "insecure" => \my $insecure, "uniqid=s" => \$uniqid, "post-data-stdin" => \my $postDataStdin, "allow-downgrade" => \my $allow_downgrade, "monitoring" => \my $monitoring, "log-request-response" => \my $log_request_response, "log-request-response-max-size=i" => \my $log_request_response_max_size, ); push @headers, ["X-Bastion-Remote-IP" => $remotemachine]; if (!$postDataStdin) { $content = delete $ENV{'PROXY_POST_DATA'}; $content = decode_base64($content) if $content; } else { local $/ = undef; $content = ; } push @headers, ["X-Bastion-Request-Length" => "" . length($content)]; # if we're being called by the monitoring, just exit happily if ($monitoring) { OVH::Bastion::json_output(R('OK', value => {code => 200, msg => 'OK', body => $OVH::Bastion::VERSION, allowed => 1}), no_delimiters => 1); exit 0; } $fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account); # time: 20ms $fnret or log_and_exit(400, "Bad Request (bad account)", "Account name is invalid", {comment => "invalid_account"}); $account = $fnret->value->{'account'}; # untaint $log_params{'account'} = $account; $log_params{'user'} = $user; $log_params{'hostto'} = $remotemachine; $log_params{'params'} = $path; $log_params{'plugin'} = uc($method); push @{$log_params{'custom'}}, ['post_length' => length($content)]; my $shortGroup; if ($group) { $fnret = OVH::Bastion::is_valid_group_and_existing(group => $group, groupType => 'key'); $fnret or log_and_exit(400, "Bad Request (bad group)", "Group name is invalid", {comment => "invalid_group"}); $shortGroup = $fnret->value->{'shortGroup'}; $group = $fnret->value->{'group'}; } if (!OVH::Bastion::is_valid_port(port => $remoteport)) { log_and_exit( 400, "Bad Request (bad port number)", "Port number is out of range", {comment => "invalid_port_number"} ); } $log_params{'portto'} = $remoteport; if (!$timeout || $timeout !~ /^\d+$/ || $timeout < 1) { $timeout = 10; } elsif ($timeout > 3600) { $timeout = 3600; } if (not $pass) { log_and_exit(400, "Bad Request (no password)", "No password", {comment => "missing_password"}); } # convert the remotemachine into an IP if needed # if: avoid loading Net::IP and BigInt if there's no host specified if ($remotemachine !~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/) { $fnret = OVH::Bastion::get_ip(host => $remotemachine); if ($fnret && $fnret->value->{'ip'} =~ /^([0-9.:]+)$/) { $remotemachine = $1; # untaint } else { log_and_exit( 400, "Bad Request (host not resolved)", "Specified remote host couldn't be resolved through the DNS", {comment => "host_not_found"} ); } } else { # it's already an IP, get $1 for untaint $remotemachine = $1; } delete $log_params{'hostto'}; $log_params{'ipto'} = $remotemachine; # now check that the password we were given for account matches the hash we have stored for it # first get our stored hash $fnret = OVH::Bastion::account_config(account => $account, key => "proxyhttphash"); if (not $fnret or not $fnret->value) { # bad login because we couldn't open the proper file log_and_exit(403, "Access Denied", "No password configured for you, $account", {comment => "no_password_for_login"}); } my $storedhash = $fnret->value; chomp $storedhash; # extract the salt from the stored hash we have if ($storedhash !~ /^\$(?[a-zA-Z0-9]{1,2})\$(?[^\$]+)\$[^\$]+$/) { # the hash we have stored in the bastion is fucked :( log_and_exit( 500, "Internal Error (malformed hash)", "Please contact a bastion admin\n", {comment => "malformed_hash"} ); } if ($storedhash ne crypt($account . ':' . $pass, '$' . $+{'cipher'} . '$' . $+{'salt'})) { log_and_exit( 403, "Access Denied", "Incorrect username ($account) or password (#REDACTED#, length=" . length($pass) . ")", {comment => "bad_login_password"} ); } undef $pass; undef $storedhash; # read the password we must use # pseudoalgo: # if mode was explicitly specified to group, we look for a group password # elif mode was explicitly specified to self, we look for a self account password # elif the legacy file with the same name as $user exists in /home/passkeeper, use it # elif the specified $user happens to be a group name, look for this group password # else look for a self account password my $authmode; my $hint; if ($context eq 'group') { $hint = $shortGroup; $authmode = 'group/explicit'; } elsif ($context eq 'self') { $hint = $account; $authmode = 'self/explicit'; } elsif (-f "/home/passkeeper/$user") { $hint = $user; $context = 'legacy'; $authmode = 'legacy'; } elsif (OVH::Bastion::is_valid_group_and_existing(group => $user, groupType => "key")) { $hint = $user; $context = 'group'; $authmode = 'group/guessed'; } else { $hint = $account; $context = 'self'; $authmode = 'self/default'; } push @headers, ["X-Bastion-Auth-Mode" => $authmode]; push @{$log_params{'custom'}}, ['auth_mode' => $authmode]; # check if account or group has the right to access $user@$remotemachine, time: 50ms (to re-compute) $fnret = OVH::Bastion::is_access_granted( account => $account, user => $user, ipfrom => $ENV{'REMOTE_ADDR'}, ip => $remotemachine, port => $remoteport, listOnly => 1, sudo => 1 ); if (not $fnret) { log_and_exit( 403, "Access Denied (access denied to remote)", "This account doesn't have access to this user\@host tuple ($fnret)\n", {comment => "access_denied"} ); } else { # check that the way we were asked to use (personal access, group access) is actually allowed for this account my $isOk = 0; if ($context ne 'legacy') { foreach my $access (@{$fnret->value}) { if ($access->{'type'} =~ /^group/ && $context eq 'group') { $isOk = 1 if $access->{'group'} eq $hint; } elsif ($access->{'type'} =~ /^personal/ && $context eq 'self') { $isOk = 1; } } } else { # for legacy, we don't check: we didn't know how to differentiate back then $isOk = 1; } if (!$isOk) { log_and_exit( 403, "Access Denied (access denied to remote this way)", "This account doesn't have access to $user\@$remotemachine:$remoteport using this auth mode ($authmode)\n", {comment => "access_denied_this_way"} ); } } $log_params{'allowed'} = 1; $fnret = OVH::Bastion::get_passfile(hint => $hint, context => $context); if (!$fnret) { log_and_exit(412, "Precondition Failed (egress password missing)", $fnret->msg, {comment => "no_password_found"}); } my $device_password; if (open(my $pwdfile, '<', $fnret->value)) { $device_password = <$pwdfile>; close($pwdfile); chomp $device_password; } else { log_and_exit( 500, "Internal Error (egress password unreadable)", "Couldn't read the $context '$user' egress password\n", {comment => "cannot_read_password"} ); } # Now build the UA for the request between bastion and remote device my $ua = LWP::UserAgent->new(); $ua->agent("The Bastion " . $OVH::Bastion::VERSION); $ua->timeout($timeout); $ua->protocols_allowed(['https']); if ($insecure) { $ua->ssl_opts('verify_hostname' => 0); $ua->ssl_opts('SSL_verify_mode' => IO::Socket::SSL::SSL_VERIFY_NONE); } # set the remote URL my $req = HTTP::Request->new($method => "https://" . $remotemachine . ':' . $remoteport . $path); # add the content we get (passthru) $req->content($content); # passthru some tolerated headers from client->bastion to bastion->device req my %passthrough_headers; foreach my $pattern (qw{ accept content-type content-length content-encoding x-test-[a-z-]+ }) { foreach my $header (grep { /^$pattern:/i } @client_headers) { my ($key, $value) = $header =~ /^([^:]+):\s*(.+)$/; $passthrough_headers{lc $key} = $value; } } foreach my $key (keys %passthrough_headers) { $req->header($key, $passthrough_headers{$key}); } $req->header('Accept-Encoding' => scalar HTTP::Message::decodable()); # set the header to auth ourselves to the remote device $req->header('Authorization', 'Basic ' . encode_base64($user . ':' . $device_password, '')); undef $device_password; # no longer needed $req->header('X-Bastion-Auth-Mode', $authmode); $req->header('X-Bastion-Ingress-Client-IP', $ENV{'REMOTE_ADDR'}); $req->header('X-Bastion-Ingress-Client-Port', $ENV{'REMOTE_PORT'}); $req->header('X-Bastion-Ingress-Client-User-Agent', $ENV{'HTTP_USER_AGENT'}); $req->header('X-Bastion-Ingress-Account', $account); $req->header('X-Bastion-UniqID', $uniqid); $req->header('X-Bastion-Instance', Sys::Hostname::hostname()); my $start_time = [Time::HiRes::gettimeofday()]; # to handle timeout properly, we fork a child, he'll do the req, and we'll wait for it, # potentially killing it if the timeout fires my $pipe = IO::Pipe->new; my $childpid = fork(); if ($childpid == 0) { # we are the child: make the req and return the result to our parent $pipe->writer; my $res; my $downgraded = 0; # do the req a first time with defaults $res = $ua->request($req); # if we get a HTTP/1.0 500 Can't connect to A.B.C.D:443 (SSL connect attempt failed error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol) # ... then the device might be old and support TLS v1.0 maximum only. let's retry that silently if our caller allows if ( $allow_downgrade && $res && $res->code == 500 && $res->message =~ /ssl_choose_client_version:unsupported protocol/) { $downgraded = 1; $ua->ssl_opts('SSL_version' => 'TLSv1'); $res = $ua->request($req); } $pipe->print(freeze({res => $res, downgraded => $downgraded})); exit; } # we are the parent: wait for our child but also consume the pipe to avoid blocking our child $pipe->reader; my $waiting_since = time(); my $remaining_wait = $timeout; my $child_data; my $timed_out = 0; while (1) { $remaining_wait = $timeout - (time() - $waiting_since); # we've waited long enough, bail out if ($remaining_wait <= 0) { $timed_out = 1; last; } my $select = IO::Select->new($pipe->fileno); my @ready = $select->can_read($remaining_wait); # we either have something to read or timed out if (@ready) { # we have something to read my $newdata; my $nbread = $pipe->read($newdata, 4096); if (defined $nbread && $nbread > 0) { $child_data .= $newdata; } else { # 0 means EOF, undef means error last; } } else { # we timed out, bail out $timed_out = 1; last; } } my $res; my $downgraded; if (!$timed_out) { # get the result of the request of our child my $childresult = thaw($child_data); if (ref $childresult eq 'HASH') { $res = $childresult->{'res'}; $downgraded = $childresult->{'downgraded'}; } } else { # got a timeout, kill our child kill(9, $childpid); } my $delay = Time::HiRes::tv_interval($start_time, [Time::HiRes::gettimeofday()]); # log what we got my $basedir = "/home/$account/ttyrec"; -d $basedir || mkdir $basedir; my $finaldir = "$basedir/$remotemachine"; -d $finaldir || mkdir $finaldir; # depending on whether we must log the body or not, and whether there is a max size specified, # prepare the log line about the body my $body_to_log = "(BODY OMITTED)"; if ($res && $log_request_response) { $log_request_response_max_size //= 65536; if ($log_request_response_max_size && length($res->decoded_content) > $log_request_response_max_size) { $body_to_log = substr($res->decoded_content, 0, $log_request_response_max_size / 2) . '[...snip...]' . substr($res->decoded_content, -$log_request_response_max_size / 2); } else { $body_to_log = $res->decoded_content; } } my @now = Time::HiRes::gettimeofday(); my @t = localtime($now[0]); my @headerlog = ($uniqid, $now[0], $now[1], POSIX::strftime("%Y/%m/%d.%H:%M:%S", @t)); my $headers_as_string = $res ? join("", $res->{'_headers'}->as_string("\n")) : ''; my $logfile = sprintf("%s/%s.txt", $finaldir, POSIX::strftime("%F", @t)); my $logline = sprintf( "" . "--- BASTION_REQUEST UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n" . "--- DEVICE_ANSWER UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n" . "--- END UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n\n", @headerlog, $req->as_string(), @headerlog, $res ? sprintf("%s %s\n%s\n%s", $res->protocol, $res->status_line, $headers_as_string, $body_to_log) : '(DEVICE TIMEOUT)', @headerlog, ); $logline =~ s/^(Authorization:).+/$1 (removed)/mgi; if (open(my $log, '>>', $logfile)) { flock($log, LOCK_EX); print $log $logline; flock($log, LOCK_UN); close($log); } else { warn("Couldn't open $logfile for log write"); } # those are the headers we allow to come back from the remote server to the client # we don't passthrough content-encoding, as we've already decoded the content (for logging purposes) my @passthru_headers = qw{ content-type content-length client-ssl-cert-subject client-ssl-cipher client-ssl-warning }; if ($res) { foreach my $key ($res->headers->header_field_names) { next unless (grep { lc($key) eq $_ } @passthru_headers); push @headers, [$key => $res->header($key)]; } } push @headers, ["X-Bastion-Local-Status" => ($res ? "200 OK" : "504 Device Timeout")]; push @headers, ["X-Bastion-Remote-Status" => $res->code] if $res; push @headers, ["X-Bastion-Remote-Server" => $res->header('server')] if ($res && $res->header('server')); push @headers, ["X-Bastion-Egress-Timing" => sprintf("%d", $delay * 1_000_000)]; push @headers, ["X-Bastion-Downgraded" => 1] if $downgraded; # custom data will only be logged to logfile and syslog, not sql (it's not in the generic schema) if ($res) { push @{$log_params{'custom'}}, ['code' => $res->code], ['msg' => $res->message],; } OVH::Bastion::log_access_insert(%log_params); my %ret = ( headers => \@headers, allowed => 1, ); if ($res) { $ret{'code'} = $res->code + 0; $ret{'msg'} = $res->message; $ret{'body'} = $res->decoded_content; } else { $ret{'code'} = 504; $ret{'msg'} = "Device Timeout"; $ret{'body'} = "Device Timeout\n"; } OVH::Bastion::json_output(R('OK', value => \%ret), no_delimiters => 1); exit 0;