Forward unix sockets & implement ssh agent forwarding (#226)

* draft * fixes * fix source/dest bug * works but needs more work * re-work tunnels to be part of the initial payload and get passed to the terminal process before it spawns a shell * chown pipes * fix print in SocketEndpoint * set ownership on unix forward sockets immediately * Fix permissions * allow other users to talk to the terminal router
MisterTea · Sep 6, 2019 · 1b3a488 · 1b3a488
1 parent bacc2ea
commit 1b3a488
Show file tree

Hide file tree

Showing 36 changed files with 515 additions and 330 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -8,7 +8,7 @@ option(CODE_COVERAGE "Enable code coverage" OFF)
 
 SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DET_VERSION='\"${PROJECT_VERSION}\"'")
 # For easylogging, disable default log file, enable crash log, ensure thread safe, and catch c++ exceptions
-SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DELPP_NO_DEFAULT_LOG_FILE -DELPP_FEATURE_CRASH_LOG -DELPP_THREAD_SAFE -DELPP_HANDLE_SIGABRT")
+SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DELPP_NO_DEFAULT_LOG_FILE -DELPP_FEATURE_CRASH_LOG -DELPP_THREAD_SAFE")
 IF(CODE_COVERAGE)
   if(UNIX)
     SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fprofile-arcs -ftest-coverage")
@@ -97,6 +97,7 @@ include_directories(
   external/msgpack-c/include
   src/base
   src/terminal
+  src/terminal/forwarding
   src/htm
   ${PROTOBUF_INCLUDE_DIRS}
   ${CMAKE_CURRENT_BINARY_DIR}
@@ -111,22 +112,52 @@ add_library(
   et-lib
   STATIC
 
+  external/easyloggingpp/src/easylogging++.h
   external/easyloggingpp/src/easylogging++.cc
 
+  src/base/BackedReader.hpp
   src/base/BackedReader.cpp
+
+  src/base/BackedWriter.hpp
   src/base/BackedWriter.cpp
+
+  src/base/ClientConnection.hpp
   src/base/ClientConnection.cpp
+
+  src/base/Connection.hpp
   src/base/Connection.cpp
+
+  src/base/CryptoHandler.hpp
   src/base/CryptoHandler.cpp
+
+  src/base/ServerClientConnection.hpp
   src/base/ServerClientConnection.cpp
+
+  src/base/ServerConnection.hpp
   src/base/ServerConnection.cpp
+
+  src/base/SocketHandler.hpp
   src/base/SocketHandler.cpp
+
+  src/base/PipeSocketHandler.hpp
   src/base/PipeSocketHandler.cpp
+
+  src/base/TcpSocketHandler.hpp
   src/base/TcpSocketHandler.cpp
+
+  src/base/UnixSocketHandler.hpp
   src/base/UnixSocketHandler.cpp
+
+  src/base/LogHandler.hpp
   src/base/LogHandler.cpp
+
+  src/base/DaemonCreator.hpp
   src/base/DaemonCreator.cpp
+
+  src/base/SystemUtils.hpp
   src/base/SystemUtils.cpp
+
+  src/base/RawSocketUtils.hpp
   src/base/RawSocketUtils.cpp
 
   ${ET_SRCS}
@@ -141,14 +172,31 @@ add_library(
   TerminalCommon
   STATIC
 
-  src/terminal/PortForwardHandler.cpp
-  src/terminal/PortForwardSourceHandler.cpp
-  src/terminal/PortForwardDestinationHandler.cpp
+  src/terminal/forwarding/PortForwardHandler.hpp
+  src/terminal/forwarding/PortForwardHandler.cpp
+
+  src/terminal/forwarding/ForwardSourceHandler.hpp
+  src/terminal/forwarding/ForwardSourceHandler.cpp
+
+  src/terminal/forwarding/ForwardDestinationHandler.hpp
+  src/terminal/forwarding/ForwardDestinationHandler.cpp
+
+  src/terminal/TerminalServer.hpp
   src/terminal/TerminalServer.cpp
+
+  src/terminal/UserTerminalRouter.hpp
   src/terminal/UserTerminalRouter.cpp
+
+  src/terminal/TerminalClient.hpp
   src/terminal/TerminalClient.cpp
+
+  src/terminal/SshSetupHandler.hpp
   src/terminal/SshSetupHandler.cpp
+
+  src/terminal/UserTerminalHandler.hpp
   src/terminal/UserTerminalHandler.cpp
+
+  src/terminal/UserJumphostHandler.hpp
   src/terminal/UserJumphostHandler.cpp
 
   ${ETERMINAL_SRCS} ${ETERMINAL_HDRS}

diff --git a/proto/ET.proto b/proto/ET.proto
@@ -6,6 +6,7 @@ enum EtPacketType {
   // Count down from 254 to avoid collisions
   HEARTBEAT = 254;
   INITIAL_PAYLOAD = 253;
+  INITIAL_RESPONSE = 252;
 }
 
 message ConnectRequest {
@@ -25,10 +26,11 @@ message ConnectResponse {
   optional string error = 2;
 }
 
-message SequenceHeader {
-  optional int32 sequenceNumber = 1;
-}
+message SequenceHeader { optional int32 sequenceNumber = 1; }
+
+message CatchupBuffer { repeated bytes buffer = 1; }
 
-message CatchupBuffer {
-  repeated bytes buffer = 1;
+message SocketEndpoint {
+  optional string name = 1;
+  optional int32 port = 2;
 }
diff --git a/proto/ETerminal.proto b/proto/ETerminal.proto
@@ -2,16 +2,17 @@ syntax = "proto2";
 package et;
 option optimize_for = LITE_RUNTIME;
 
+import "ET.proto";
+
 enum TerminalPacketType {
   KEEP_ALIVE = 0;
   TERMINAL_BUFFER = 1;
   TERMINAL_INFO = 2;
-  PORT_FORWARD_SOURCE_REQUEST = 3;
-  PORT_FORWARD_SOURCE_RESPONSE = 4;
   PORT_FORWARD_DESTINATION_REQUEST = 5;
   PORT_FORWARD_DESTINATION_RESPONSE = 6;
   PORT_FORWARD_DATA = 7;
-  IDPASSKEY = 8;
+  TERMINAL_USER_INFO = 8;
+  TERMINAL_INIT = 9;
 }
 
 message TerminalBuffer {
@@ -27,16 +28,17 @@ message TerminalInfo {
 }
 
 message PortForwardSourceRequest {
-  optional int32 sourceport = 1;
-  optional int32 destinationport = 2;
+  optional SocketEndpoint source = 1;
+  optional SocketEndpoint destination = 2;
+  optional string environmentvariable = 3;
 }
 
 message PortForwardSourceResponse {
   optional string error = 1;
 }
 
 message PortForwardDestinationRequest {
-  optional int32 port = 1;
+  optional SocketEndpoint destination = 1;
   optional int32 fd = 2;
 }
 
@@ -56,9 +58,27 @@ message PortForwardData {
 
 message InitialPayload {
   optional bool jumphost = 1 [default = false];
+  repeated PortForwardSourceRequest reversetunnels = 2;
+}
+
+message InitialResponse {
+  optional string error = 1;
 }
 
 message ConfigParams {
   optional int32 vlevel = 1;
   optional int32 minloglevel = 2;
 }
+
+message TermInit {
+  repeated string environmentnames = 1;
+  repeated string environmentvalues = 2;
+}
+
+message TerminalUserInfo {
+  optional string id = 1;
+  optional string passkey = 2;
+  optional int64 uid = 3;
+  optional int64 gid = 4;
+  optional int64 fd = 5;
+}
diff --git a/src/base/ClientConnection.hpp b/src/base/ClientConnection.hpp
@@ -4,7 +4,6 @@
 #include "Headers.hpp"
 
 #include "Connection.hpp"
-#include "SocketEndpoint.hpp"
 
 namespace et {
 extern const int NULL_CLIENT_ID;

diff --git a/src/base/Headers.hpp b/src/base/Headers.hpp
@@ -57,6 +57,18 @@
 
 #include <google/protobuf/message_lite.h>
 #include "ET.pb.h"
+#include "ETerminal.pb.h"
+inline std::ostream& operator<<(std::ostream& os,
+                                const et::SocketEndpoint& se) {
+  if (se.has_name()) {
+    os << se.name();
+  }
+  if (se.has_port()) {
+    os << ":" << se.port();
+  }
+  return os;
+}
+
 #include "easylogging++.h"
 
 #include <cxxopts.hpp>

diff --git a/src/base/PipeSocketHandler.cpp b/src/base/PipeSocketHandler.cpp
@@ -14,7 +14,7 @@ PipeSocketHandler::PipeSocketHandler() {}
 int PipeSocketHandler::connect(const SocketEndpoint& endpoint) {
   lock_guard<std::recursive_mutex> guard(mutex);
 
-  string pipePath = endpoint.getName();
+  string pipePath = endpoint.name();
   sockaddr_un remote;
 
   int sockFd = ::socket(AF_UNIX, SOCK_STREAM, 0);
@@ -81,9 +81,9 @@ int PipeSocketHandler::connect(const SocketEndpoint& endpoint) {
 set<int> PipeSocketHandler::listen(const SocketEndpoint& endpoint) {
   lock_guard<std::recursive_mutex> guard(mutex);
 
-  string pipePath = endpoint.getName();
+  string pipePath = endpoint.name();
   if (pipeServerSockets.find(pipePath) != pipeServerSockets.end()) {
-    LOG(FATAL) << "Tried to listen twice on the same path";
+    throw runtime_error("Tried to listen twice on the same path");
   }
 
   sockaddr_un local;
@@ -97,7 +97,7 @@ set<int> PipeSocketHandler::listen(const SocketEndpoint& endpoint) {
 
   FATAL_FAIL(::bind(fd, (struct sockaddr*)&local, sizeof(sockaddr_un)));
   ::listen(fd, 5);
-  chmod(local.sun_path, 0777);
+  FATAL_FAIL(::chmod(local.sun_path, S_IRUSR | S_IWUSR | S_IXUSR));
 
   pipeServerSockets[pipePath] = set<int>({fd});
   return pipeServerSockets[pipePath];
@@ -106,7 +106,7 @@ set<int> PipeSocketHandler::listen(const SocketEndpoint& endpoint) {
 set<int> PipeSocketHandler::getEndpointFds(const SocketEndpoint& endpoint) {
   lock_guard<std::recursive_mutex> guard(mutex);
 
-  string pipePath = endpoint.getName();
+  string pipePath = endpoint.name();
   if (pipeServerSockets.find(pipePath) == pipeServerSockets.end()) {
     LOG(FATAL)
         << "Tried to getPipeFd on a pipe without calling listen() first: "
@@ -118,7 +118,7 @@ set<int> PipeSocketHandler::getEndpointFds(const SocketEndpoint& endpoint) {
 void PipeSocketHandler::stopListening(const SocketEndpoint& endpoint) {
   lock_guard<std::recursive_mutex> guard(mutex);
 
-  string pipePath = endpoint.getName();
+  string pipePath = endpoint.name();
   auto it = pipeServerSockets.find(pipePath);
   if (it == pipeServerSockets.end()) {
     LOG(FATAL)

diff --git a/src/base/ServerConnection.hpp b/src/base/ServerConnection.hpp
@@ -4,7 +4,6 @@
 #include "Headers.hpp"
 
 #include "ServerClientConnection.hpp"
-#include "SocketEndpoint.hpp"
 #include "SocketHandler.hpp"
 
 namespace et {

diff --git a/src/base/SocketEndpoint.hpp b/src/base/SocketEndpoint.hpp
diff --git a/src/base/SocketHandler.hpp b/src/base/SocketHandler.hpp
@@ -4,7 +4,6 @@
 #include "Headers.hpp"
 
 #include "Packet.hpp"
-#include "SocketEndpoint.hpp"
 
 namespace et {
 class SocketHandler {

diff --git a/src/base/TcpSocketHandler.cpp b/src/base/TcpSocketHandler.cpp
@@ -25,8 +25,8 @@ int TcpSocketHandler::connect(const SocketEndpoint &endpoint) {
 #else
   hints.ai_flags = (AI_CANONNAME | AI_V4MAPPED | AI_ADDRCONFIG | AI_ALL);
 #endif
-  std::string portname = std::to_string(endpoint.getPort());
-  std::string hostname = endpoint.getName();
+  std::string portname = std::to_string(endpoint.port());
+  std::string hostname = endpoint.name();
 
   // (re)initialize the DNS system
   ::res_init();
@@ -140,7 +140,7 @@ int TcpSocketHandler::connect(const SocketEndpoint &endpoint) {
 set<int> TcpSocketHandler::listen(const SocketEndpoint &endpoint) {
   lock_guard<std::recursive_mutex> guard(mutex);
 
-  int port = endpoint.getPort();
+  int port = endpoint.port();
   if (portServerSockets.find(port) != portServerSockets.end()) {
     LOG(FATAL) << "Tried to listen twice on the same port";
   }
@@ -219,7 +219,7 @@ set<int> TcpSocketHandler::listen(const SocketEndpoint &endpoint) {
 set<int> TcpSocketHandler::getEndpointFds(const SocketEndpoint &endpoint) {
   lock_guard<std::recursive_mutex> guard(mutex);
 
-  int port = endpoint.getPort();
+  int port = endpoint.port();
   if (portServerSockets.find(port) == portServerSockets.end()) {
     LOG(FATAL)
         << "Tried to getEndpointFds on a port without calling listen() first";
@@ -230,7 +230,7 @@ set<int> TcpSocketHandler::getEndpointFds(const SocketEndpoint &endpoint) {
 void TcpSocketHandler::stopListening(const SocketEndpoint &endpoint) {
   lock_guard<std::recursive_mutex> guard(mutex);
 
-  int port = endpoint.getPort();
+  int port = endpoint.port();
   auto it = portServerSockets.find(port);
   if (it == portServerSockets.end()) {
     LOG(FATAL)