mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-09 09:33:42 +00:00
ba517ab388
cmd/k8s-operator,ssh/tailssh,tsnet: optionally record kubectl exec sessions The Kubernetes operator's API server proxy, when it receives a request for 'kubectl exec' session now reads 'RecorderAddrs', 'EnforceRecorder' fields from tailcfg.KubernetesCapRule. If 'RecorderAddrs' is set to one or more addresses (of a tsrecorder instance(s)), it attempts to connect to those and sends the session contents to the recorder before forwarding the request to the kube API server. If connection cannot be established or fails midway, it is only allowed if 'EnforceRecorder' is not true (fail open). Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>
286 lines
9.2 KiB
Go
286 lines
9.2 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
//go:build !plan9
|
|
|
|
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/binary"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"sync"
|
|
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
const (
|
|
SYN_STREAM ControlFrameType = 1 // https://www.ietf.org/archive/id/draft-mbelshe-httpbis-spdy-00.txt section 2.6.1
|
|
SYN_REPLY ControlFrameType = 2 // https://www.ietf.org/archive/id/draft-mbelshe-httpbis-spdy-00.txt section 2.6.2
|
|
SYN_PING ControlFrameType = 6 // https://www.ietf.org/archive/id/draft-mbelshe-httpbis-spdy-00.txt section 2.6.5
|
|
)
|
|
|
|
// spdyFrame is a parsed SPDY frame as defined in
|
|
// https://www.ietf.org/archive/id/draft-mbelshe-httpbis-spdy-00.txt
|
|
// A SPDY frame can be either a control frame or a data frame.
|
|
type spdyFrame struct {
|
|
Raw []byte // full frame as raw bytes
|
|
|
|
// Common frame fields:
|
|
Ctrl bool // true if this is a SPDY control frame
|
|
Payload []byte // payload as raw bytes
|
|
|
|
// Control frame fields:
|
|
Version uint16 // SPDY protocol version
|
|
Type ControlFrameType
|
|
|
|
// Data frame fields:
|
|
// StreamID is the id of the steam to which this data frame belongs.
|
|
// SPDY allows transmitting multiple data streams concurrently.
|
|
StreamID uint32
|
|
}
|
|
|
|
// Type of an SPDY control frame.
|
|
type ControlFrameType uint16
|
|
|
|
// Parse parses bytes into spdyFrame.
|
|
// If the bytes don't contain a full frame, return false.
|
|
//
|
|
// Control frame structure:
|
|
//
|
|
// +----------------------------------+
|
|
// |C| Version(15bits) | Type(16bits) |
|
|
// +----------------------------------+
|
|
// | Flags (8) | Length (24 bits) |
|
|
// +----------------------------------+
|
|
// | Data |
|
|
// +----------------------------------+
|
|
//
|
|
// Data frame structure:
|
|
//
|
|
// +----------------------------------+
|
|
// |C| Stream-ID (31bits) |
|
|
// +----------------------------------+
|
|
// | Flags (8) | Length (24 bits) |
|
|
// +----------------------------------+
|
|
// | Data |
|
|
// +----------------------------------+
|
|
//
|
|
// https://www.ietf.org/archive/id/draft-mbelshe-httpbis-spdy-00.txt
|
|
func (sf *spdyFrame) Parse(b []byte, log *zap.SugaredLogger) (ok bool, _ error) {
|
|
const (
|
|
spdyHeaderLength = 8
|
|
)
|
|
have := len(b)
|
|
if have < spdyHeaderLength { // input does not contain full frame
|
|
return false, nil
|
|
}
|
|
|
|
if !isSPDYFrameHeader(b) {
|
|
return false, fmt.Errorf("bytes %v do not seem to contain SPDY frames. Ensure that you are using a SPDY based client to 'kubectl exec'.", b)
|
|
}
|
|
|
|
payloadLength := readInt24(b[5:8])
|
|
frameLength := payloadLength + spdyHeaderLength
|
|
if have < frameLength { // input does not contain full frame
|
|
return false, nil
|
|
}
|
|
|
|
frame := b[:frameLength:frameLength] // enforce frameLength capacity
|
|
|
|
sf.Raw = frame
|
|
sf.Payload = frame[spdyHeaderLength:frameLength]
|
|
|
|
sf.Ctrl = hasControlBitSet(frame)
|
|
|
|
if !sf.Ctrl { // data frame
|
|
sf.StreamID = dataFrameStreamID(frame)
|
|
return true, nil
|
|
}
|
|
|
|
sf.Version = controlFrameVersion(frame)
|
|
sf.Type = controlFrameType(frame)
|
|
return true, nil
|
|
}
|
|
|
|
// parseHeaders retrieves any headers from this spdyFrame.
|
|
func (sf *spdyFrame) parseHeaders(z *zlibReader, log *zap.SugaredLogger) (http.Header, error) {
|
|
if !sf.Ctrl {
|
|
return nil, fmt.Errorf("[unexpected] parseHeaders called for a frame that is not a control frame")
|
|
}
|
|
const (
|
|
// +------------------------------------+
|
|
// |X| Stream-ID (31bits) |
|
|
// +------------------------------------+
|
|
// |X| Associated-To-Stream-ID (31bits) |
|
|
// +------------------------------------+
|
|
// | Pri|Unused | Slot | |
|
|
// +-------------------+ |
|
|
synStreamPayloadLengthBeforeHeaders = 10
|
|
|
|
// +------------------------------------+
|
|
// |X| Stream-ID (31bits) |
|
|
//+------------------------------------+
|
|
synReplyPayloadLengthBeforeHeaders = 4
|
|
|
|
// +----------------------------------|
|
|
// | 32-bit ID |
|
|
// +----------------------------------+
|
|
pingPayloadLength = 4
|
|
)
|
|
|
|
switch sf.Type {
|
|
case SYN_STREAM:
|
|
if len(sf.Payload) < synStreamPayloadLengthBeforeHeaders {
|
|
return nil, fmt.Errorf("SYN_STREAM frame too short: %v", len(sf.Payload))
|
|
}
|
|
z.Set(sf.Payload[synStreamPayloadLengthBeforeHeaders:])
|
|
return parseHeaders(z, log)
|
|
case SYN_REPLY:
|
|
if len(sf.Payload) < synReplyPayloadLengthBeforeHeaders {
|
|
return nil, fmt.Errorf("SYN_REPLY frame too short: %v", len(sf.Payload))
|
|
}
|
|
if len(sf.Payload) == synReplyPayloadLengthBeforeHeaders {
|
|
return nil, nil // no headers
|
|
}
|
|
z.Set(sf.Payload[synReplyPayloadLengthBeforeHeaders:])
|
|
return parseHeaders(z, log)
|
|
case SYN_PING:
|
|
if len(sf.Payload) != pingPayloadLength {
|
|
return nil, fmt.Errorf("PING frame with unexpected length %v", len(sf.Payload))
|
|
}
|
|
return nil, nil // ping frame has no headers
|
|
|
|
default:
|
|
log.Infof("[unexpected] unknown control frame type %v", sf.Type)
|
|
}
|
|
return nil, nil
|
|
}
|
|
|
|
// parseHeaders expects to be passed a reader that contains a compressed SPDY control
|
|
// frame Name/Value Header Block with 0 or more headers:
|
|
//
|
|
// | Number of Name/Value pairs (int32) | <+
|
|
// +------------------------------------+ |
|
|
// | Length of name (int32) | | This section is the "Name/Value
|
|
// +------------------------------------+ | Header Block", and is compressed.
|
|
// | Name (string) | |
|
|
// +------------------------------------+ |
|
|
// | Length of value (int32) | |
|
|
// +------------------------------------+ |
|
|
// | Value (string) | |
|
|
// +------------------------------------+ |
|
|
// | (repeats) | <+
|
|
//
|
|
// It extracts the headers and returns them as http.Header. By doing that it
|
|
// also advances the provided reader past the headers block.
|
|
// See also https://www.ietf.org/archive/id/draft-mbelshe-httpbis-spdy-00.txt section 2.6.10
|
|
func parseHeaders(decompressor io.Reader, log *zap.SugaredLogger) (http.Header, error) {
|
|
buf := bufPool.Get().(*bytes.Buffer)
|
|
defer bufPool.Put(buf)
|
|
buf.Reset()
|
|
|
|
// readUint32 reads the next 4 decompressed bytes from the decompressor
|
|
// as a uint32.
|
|
readUint32 := func() (uint32, error) {
|
|
const uint32Length = 4
|
|
if _, err := io.CopyN(buf, decompressor, uint32Length); err != nil { // decompress
|
|
return 0, fmt.Errorf("error decompressing bytes: %w", err)
|
|
}
|
|
return binary.BigEndian.Uint32(buf.Next(uint32Length)), nil // return as uint32
|
|
}
|
|
|
|
// readLenBytes decompresses and returns as bytes the next 'Name' or 'Value'
|
|
// field from SPDY Name/Value header block. decompressor must be at
|
|
// 'Length of name'/'Length of value' field.
|
|
readLenBytes := func() ([]byte, error) {
|
|
xLen, err := readUint32() // length of field to read
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if _, err := io.CopyN(buf, decompressor, int64(xLen)); err != nil { // decompress
|
|
return nil, err
|
|
}
|
|
return buf.Next(int(xLen)), nil
|
|
}
|
|
|
|
numHeaders, err := readUint32()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error determining num headers: %v", err)
|
|
}
|
|
h := make(http.Header, numHeaders)
|
|
for i := uint32(0); i < numHeaders; i++ {
|
|
name, err := readLenBytes()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
ns := string(name)
|
|
if _, ok := h[ns]; ok {
|
|
return nil, fmt.Errorf("invalid data: duplicate header %q", ns)
|
|
}
|
|
val, err := readLenBytes()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error reading header data: %w", err)
|
|
}
|
|
for _, v := range bytes.Split(val, headerSep) {
|
|
h.Add(ns, string(v))
|
|
}
|
|
}
|
|
return h, nil
|
|
}
|
|
|
|
// isSPDYFrame validates that the input bytes start with a valid SPDY frame
|
|
// header.
|
|
func isSPDYFrameHeader(f []byte) bool {
|
|
if hasControlBitSet(f) {
|
|
// If this is a control frame, version and type must be set.
|
|
return controlFrameVersion(f) != uint16(0) && uint16(controlFrameType(f)) != uint16(0)
|
|
}
|
|
// If this is a data frame, stream ID must be set.
|
|
return dataFrameStreamID(f) != uint32(0)
|
|
}
|
|
|
|
// spdyDataFrameStreamID returns stream ID for an SPDY data frame passed as the
|
|
// input data slice. StreaID is contained within bits [0-31) of a data frame
|
|
// header.
|
|
func dataFrameStreamID(frame []byte) uint32 {
|
|
return binary.BigEndian.Uint32(frame[0:4]) & 0x7f
|
|
}
|
|
|
|
// controlFrameType returns the type of a SPDY control frame.
|
|
// See https://www.ietf.org/archive/id/draft-mbelshe-httpbis-spdy-00.txt section 2.6
|
|
func controlFrameType(f []byte) ControlFrameType {
|
|
return ControlFrameType(binary.BigEndian.Uint16(f[2:4]))
|
|
}
|
|
|
|
// spdyControlFrameVersion returns SPDY version extracted from input bytes that
|
|
// must be a SPDY control frame.
|
|
func controlFrameVersion(frame []byte) uint16 {
|
|
bs := binary.BigEndian.Uint16(frame[0:2]) // first 16 bits
|
|
return bs & 0x7f // discard control bit
|
|
}
|
|
|
|
// hasControlBitSet returns true if the passsed bytes have SPDY control bit set.
|
|
// SPDY frames can be either control frames or data frames. A control frame has
|
|
// control bit set to 1 and a data frame has it set to 0.
|
|
func hasControlBitSet(frame []byte) bool {
|
|
return frame[0]&0x80 == 128 // 0x80
|
|
}
|
|
|
|
var bufPool = sync.Pool{
|
|
New: func() any {
|
|
return new(bytes.Buffer)
|
|
},
|
|
}
|
|
|
|
// Headers in SPDY header name/value block are separated by a 0 byte.
|
|
// https://www.ietf.org/archive/id/draft-mbelshe-httpbis-spdy-00.txt section 2.6.10
|
|
var headerSep = []byte{0}
|
|
|
|
func readInt24(b []byte) int {
|
|
_ = b[2] // bounds check hint to compiler; see golang.org/issue/14808
|
|
return int(b[0])<<16 | int(b[1])<<8 | int(b[2])
|
|
}
|