ssh/tailssh: support placeholders in SSHAction.HoldAndDelegate URL

Updates #3802

Change-Id: I60f9827409d14fd4f4824d102ba11db49bf0d365
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick 2022-03-22 15:37:17 -07:00 committed by Brad Fitzpatrick
parent 257d75beb1
commit 091ea4a4a5
2 changed files with 74 additions and 38 deletions

View File

@ -214,39 +214,6 @@ func (srv *server) handleSSH(s ssh.Session) {
return return
} }
// Loop processing/fetching Actions until one reaches a
// terminal state (Accept, Reject, or invalid Action), or
// until fetchSSHAction times out due to the context being
// done (client disconnect) or its 30 minute timeout passes.
// (Which is a long time for somebody to see login
// instructions and go to a URL to do something.)
ProcessAction:
for {
if action.Message != "" {
io.WriteString(s.Stderr(), strings.Replace(action.Message, "\n", "\r\n", -1))
}
if action.Reject {
logf("ssh: access denied for %q from %v", ci.uprof.LoginName, ci.src.IP())
s.Exit(1)
return
}
if action.Accept {
break ProcessAction
}
url := action.HoldAndDelegate
if url == "" {
logf("ssh: access denied; SSHAction has neither Reject, Accept, or next step URL")
s.Exit(1)
return
}
action, err = srv.fetchSSHAction(s.Context(), url)
if err != nil {
logf("ssh: fetching SSAction from %s: %v", url, err)
s.Exit(1)
return
}
}
lu, err := user.Lookup(localUser) lu, err := user.Lookup(localUser)
if err != nil { if err != nil {
logf("ssh: user Lookup %q: %v", localUser, err) logf("ssh: user Lookup %q: %v", localUser, err)
@ -254,10 +221,71 @@ func (srv *server) handleSSH(s ssh.Session) {
return return
} }
ss := srv.newSSHSession(s, ci, lu, action) ss := srv.newSSHSession(s, ci, lu)
action, err = ss.resolveTerminalAction(action)
if err != nil {
logf("ssh: resolveTerminalAction: %v", err)
io.WriteString(s.Stderr(), "Access denied: failed to resolve SSHAction.\n")
s.Exit(1)
return
}
if action.Reject || !action.Accept {
logf("ssh: access denied for %q from %v", ci.uprof.LoginName, ci.src.IP())
s.Exit(1)
return
}
ss.action = action
ss.run() ss.run()
} }
// resolveTerminalAction either returns action (if it's Accept or Reject) or else
// loops, fetching new SSHActions from the control plane.
//
// Any action with a Message in the chain will be printed to ss.
//
// The returned SSHAction will be either Reject or Accept.
func (ss *sshSession) resolveTerminalAction(action *tailcfg.SSHAction) (*tailcfg.SSHAction, error) {
// Loop processing/fetching Actions until one reaches a
// terminal state (Accept, Reject, or invalid Action), or
// until fetchSSHAction times out due to the context being
// done (client disconnect) or its 30 minute timeout passes.
// (Which is a long time for somebody to see login
// instructions and go to a URL to do something.)
for {
if action.Message != "" {
io.WriteString(ss.Stderr(), strings.Replace(action.Message, "\n", "\r\n", -1))
}
if action.Accept || action.Reject {
return action, nil
}
url := action.HoldAndDelegate
if url == "" {
return nil, errors.New("reached Action that lacked Accept, Reject, and HoldAndDelegate")
}
url = ss.expandDelegateURL(url)
var err error
action, err = ss.srv.fetchSSHAction(ss.Context(), url)
if err != nil {
return nil, fmt.Errorf("fetching SSHAction from %s: %w", url, err)
}
}
}
func (ss *sshSession) expandDelegateURL(url string) string {
nm := ss.srv.lb.NetMap()
var dstNodeID string
if nm != nil {
dstNodeID = fmt.Sprint(int64(nm.SelfNode.ID))
}
return strings.NewReplacer(
"$SRC_NODE_ID", fmt.Sprint(int64(ss.connInfo.node.ID)),
"$DST_NODE_ID", dstNodeID,
"$SSH_USER", ss.connInfo.sshUser,
"$LOCAL_USER", ss.localUser.Username,
).Replace(url)
}
// sshSession is an accepted Tailscale SSH session. // sshSession is an accepted Tailscale SSH session.
type sshSession struct { type sshSession struct {
ssh.Session ssh.Session
@ -284,7 +312,7 @@ type sshSession struct {
exitOnce sync.Once exitOnce sync.Once
} }
func (srv *server) newSSHSession(s ssh.Session, ci *sshConnInfo, lu *user.User, action *tailcfg.SSHAction) *sshSession { func (srv *server) newSSHSession(s ssh.Session, ci *sshConnInfo, lu *user.User) *sshSession {
sharedID := fmt.Sprintf("%s-%02x", ci.now.UTC().Format("20060102T150405"), randBytes(5)) sharedID := fmt.Sprintf("%s-%02x", ci.now.UTC().Format("20060102T150405"), randBytes(5))
return &sshSession{ return &sshSession{
Session: s, Session: s,
@ -292,7 +320,6 @@ func (srv *server) newSSHSession(s ssh.Session, ci *sshConnInfo, lu *user.User,
sharedID: sharedID, sharedID: sharedID,
ctx: newSSHContext(), ctx: newSSHContext(),
srv: srv, srv: srv,
action: action,
localUser: lu, localUser: lu,
connInfo: ci, connInfo: ci,
logf: logger.WithPrefix(srv.logf, "ssh-session("+sharedID+"): "), logf: logger.WithPrefix(srv.logf, "ssh-session("+sharedID+"): "),
@ -317,12 +344,20 @@ func (srv *server) fetchSSHAction(ctx context.Context, url string) (*tailcfg.SSH
continue continue
} }
if res.StatusCode != 200 { if res.StatusCode != 200 {
body, _ := io.ReadAll(res.Body)
res.Body.Close() res.Body.Close()
if len(body) > 1<<10 {
body = body[:1<<10]
}
srv.logf("fetch of %v: %s, %s", url, res.Status, body)
bo.BackOff(ctx, fmt.Errorf("unexpected status: %v", res.Status)) bo.BackOff(ctx, fmt.Errorf("unexpected status: %v", res.Status))
continue continue
} }
a := new(tailcfg.SSHAction) a := new(tailcfg.SSHAction)
if err := json.NewDecoder(res.Body).Decode(a); err != nil { err = json.NewDecoder(res.Body).Decode(a)
res.Body.Close()
if err != nil {
srv.logf("invalid next SSHAction JSON from %v: %v", url, err)
bo.BackOff(ctx, err) bo.BackOff(ctx, err)
continue continue
} }

View File

@ -224,7 +224,8 @@ func TestSSH(t *testing.T) {
} }
ss.Handler = func(s ssh.Session) { ss.Handler = func(s ssh.Session) {
ss := srv.newSSHSession(s, ci, u, &tailcfg.SSHAction{Accept: true}) ss := srv.newSSHSession(s, ci, u)
ss.action = &tailcfg.SSHAction{Accept: true}
ss.run() ss.run()
} }