aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'malnick-err-cli-update'
${ noResults }
boundary/internal/cmd/commands/proxy/proxy.go

895 lines
24 KiB
Raw Permalink Blame History

package proxy
import (
"context"
"crypto/ed25519"
"crypto/tls"
"crypto/x509"
"encoding/json"
"errors"
"fmt"
"io"
"io/ioutil"
"net"
"net/http"
"os"
"os/exec"
"strconv"
"strings"
"sync"
"syscall"
"time"
"github.com/hashicorp/boundary/api"
"github.com/hashicorp/boundary/api/targets"
"github.com/hashicorp/boundary/globals"
"github.com/hashicorp/boundary/internal/cmd/base"
targetspb "github.com/hashicorp/boundary/internal/gen/controller/api/resources/targets"
"github.com/hashicorp/boundary/internal/proxy"
"github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/vault/sdk/helper/base62"
"github.com/mitchellh/cli"
"github.com/mr-tron/base58"
"github.com/posener/complete"
"go.uber.org/atomic"
"google.golang.org/protobuf/proto"
"nhooyr.io/websocket"
"nhooyr.io/websocket/wspb"
)
type SessionInfo struct {
Address string `json:"address"`
Port int `json:"port"`
Protocol string `json:"protocol"`
Expiration time.Time `json:"expiration"`
ConnectionLimit int32 `json:"connection_limit"`
SessionId string `json:"session_id"`
}
type ConnectionInfo struct {
ConnectionsLeft int32 `json:"connections_left"`
}
type TerminationInfo struct {
Reason string `json:"termination_reason"`
}
var _ cli.Command = (*Command)(nil)
var _ cli.CommandAutocomplete = (*Command)(nil)
type Command struct {
*base.Command
flagAuthz string
flagListenAddr string
flagListenPort int
flagTargetId string
flagHostId string
flagExec string
flagUsername string
// HTTP
flagHttpStyle string
flagHttpHost string
flagHttpPath string
flagHttpMethod string
flagHttpScheme string
// SSH
flagSshStyle string
// Postgres
flagPostgresStyle string
// RDP
flagRdpStyle string
Func string
sessionAuthz *targets.SessionAuthorization
connWg *sync.WaitGroup
listenerCloseOnce sync.Once
listener *net.TCPListener
listenerAddr *net.TCPAddr
connsLeftCh chan int32
connectionsLeft atomic.Int32
expiration time.Time
execCmdReturnValue *atomic.Int32
proxyCtx context.Context
proxyCancel context.CancelFunc
}
func (c *Command) Synopsis() string {
switch c.Func {
case "proxy":
return "Launch the Boundary CLI in proxy mode"
case "connect":
return "Authorize a session against a target and launch a proxied connection"
case "http":
return "Authorize a session against a target and invoke an HTTP client to connect"
case "ssh":
return "Authorize a session against a target and invoke an SSH client to connect"
case "postgres":
return "Authorize a session against a target and invoke a Postgres client to connect"
case "rdp":
return "Authorize a session against a target and invoke an RDP client to connect"
}
return ""
}
func (c *Command) Help() string {
switch c.Func {
case "proxy":
return base.WrapForHelpText([]string{
"Usage: boundary proxy [options] [args]",
"",
" This command allows launching the Boundary CLI in proxy mode. In this mode, the CLI expects to take in an authorization string returned from a Boundary controller. The CLI will then create a connection to a Boundary worker and ready a listening port for a local connection.",
"",
" Example:",
"",
` $ boundary proxy -auth "UgxzX29mVEpwNUt6QlGiAQ..."`,
}) + c.Flags().Help()
case "connect":
return base.WrapForHelpText([]string{
"Usage: boundary connect [options] [args]",
"",
` This command performs a target authorization and proxy launch in one command; it is equivalent to sending the output of "boundary targets authorize-session" into "boundary proxy". See the help output for those commands for more information.`,
"",
" Example:",
"",
` $ boundary connect -target-id ttcp_1234567890"`,
}) + c.Flags().Help()
}
return ""
}
func (c *Command) Flags() *base.FlagSets {
bits := base.FlagSetOutputFormat
if c.Func == "connect" {
bits = base.FlagSetHTTP | base.FlagSetClient | bits
}
set := c.FlagSet(bits)
switch c.Func {
case "proxy":
f := set.NewFlagSet("Proxy Options")
f.StringVar(&base.StringVar{
Name: "authz",
Target: &c.flagAuthz,
EnvVar: "BOUNDARY_PROXY_AUTHZ",
Completion: complete.PredictAnything,
Usage: `The authorization string returned from the Boundary controller. If set to "-", the command will attempt to read in the authorization string from standard input.`,
})
f.StringVar(&base.StringVar{
Name: "listen-addr",
Target: &c.flagListenAddr,
EnvVar: "BOUNDARY_PROXY_LISTEN_ADDR",
Completion: complete.PredictAnything,
Usage: `If set, the CLI will attempt to bind its listening address to the given value, which must be an IP address. If it cannot, the command will error. If not set, defaults to the IPv4 loopback address (127.0.0.1).`,
})
f.IntVar(&base.IntVar{
Name: "listen-port",
Target: &c.flagListenPort,
EnvVar: "BOUNDARY_PROXY_LISTEN_PORT",
Completion: complete.PredictAnything,
Usage: `If set, the CLI will attempt to bind its listening port to the given value. If it cannot, the command will error.`,
})
case "connect", "http", "ssh", "rdp", "postgres":
f := set.NewFlagSet("Connect Options")
f.StringVar(&base.StringVar{
Name: "target-id",
Target: &c.flagTargetId,
Usage: "The ID of the target to authorize against.",
})
f.StringVar(&base.StringVar{
Name: "host-id",
Target: &c.flagHostId,
Usage: "The ID of a specific host to connect to out of the hosts from the target's host sets. If not specified, one is chosen at random.",
})
f.StringVar(&base.StringVar{
Name: "listen-addr",
Target: &c.flagListenAddr,
EnvVar: "BOUNDARY_CONNECT_LISTEN_ADDR",
Completion: complete.PredictAnything,
Usage: `If set, the CLI will attempt to bind its listening address to the given value, which must be an IP address. If it cannot, the command will error. If not set, defaults to the most common IPv4 loopback address (127.0.0.1).`,
})
f.IntVar(&base.IntVar{
Name: "listen-port",
Target: &c.flagListenPort,
EnvVar: "BOUNDARY_CONNECT_LISTEN_PORT",
Completion: complete.PredictAnything,
Usage: `If set, the CLI will attempt to bind its listening port to the given value. If it cannot, the command will error.`,
})
f.StringVar(&base.StringVar{
Name: "exec",
Target: &c.flagExec,
EnvVar: "BOUNDARY_CONNECT_EXEC",
Completion: complete.PredictAnything,
Usage: `If set, after connecting to the worker, the given binary will be executed. This should be a binary on your path, or an absolute path. If all command flags are followed by " -- " (space, two hyphens, space), then any arguments after that will be sent directly to the binary.`,
})
}
switch c.Func {
case "http":
f := set.NewFlagSet("HTTP Options")
f.StringVar(&base.StringVar{
Name: "style",
Target: &c.flagHttpStyle,
EnvVar: "BOUNDARY_CONNECT_HTTP_STYLE",
Completion: complete.PredictSet("curl"),
Default: "curl",
Usage: `Specifies how the CLI will attempt to invoke an HTTP client. This will also set a suitable default for -exec if a value was not specified. Currently-understood values are "curl".`,
})
f.StringVar(&base.StringVar{
Name: "host",
Target: &c.flagHttpHost,
EnvVar: "BOUNDARY_CONNECT_HTTP_HOST",
Completion: complete.PredictNothing,
Usage: `Specifies the host value to use. The specified hostname will be passed through to the client (if supported) for use in the Host header and TLS SNI value.`,
})
f.StringVar(&base.StringVar{
Name: "path",
Target: &c.flagHttpPath,
EnvVar: "BOUNDARY_CONNECT_HTTP_PATH",
Completion: complete.PredictNothing,
Usage: `Specifies a path that will be appended to the generated URL.`,
})
f.StringVar(&base.StringVar{
Name: "method",
Target: &c.flagHttpMethod,
EnvVar: "BOUNDARY_CONNECT_HTTP_METHOD",
Completion: complete.PredictNothing,
Usage: `Specifies the method to use. If not set, will use the client's default.`,
})
f.StringVar(&base.StringVar{
Name: "scheme",
Target: &c.flagHttpScheme,
Default: "https",
EnvVar: "BOUNDARY_CONNECT_HTTP_SCHEME",
Completion: complete.PredictNothing,
Usage: `Specifies the scheme to use.`,
})
case "ssh":
f := set.NewFlagSet("SSH Options")
f.StringVar(&base.StringVar{
Name: "style",
Target: &c.flagSshStyle,
EnvVar: "BOUNDARY_CONNECT_SSH_STYLE",
Completion: complete.PredictSet("ssh", "putty"),
Default: "ssh",
Usage: `Specifies how the CLI will attempt to invoke an SSH client. This will also set a suitable default for -exec if a value was not specified. Currently-understood values are "ssh" and "putty".`,
})
f.StringVar(&base.StringVar{
Name: "username",
Target: &c.flagUsername,
EnvVar: "BOUNDARY_CONNECT_USERNAME",
Completion: complete.PredictNothing,
Usage: `Specifies the username to pass through to the client`,
})
case "postgres":
f := set.NewFlagSet("Postgres Options")
f.StringVar(&base.StringVar{
Name: "style",
Target: &c.flagPostgresStyle,
EnvVar: "BOUNDARY_CONNECT_POSTGRES_STYLE",
Completion: complete.PredictSet("psql"),
Default: "psql",
Usage: `Specifies how the CLI will attempt to invoke a Postgres client. This will also set a suitable default for -exec if a value was not specified. Currently-understood values are "psql".`,
})
f.StringVar(&base.StringVar{
Name: "username",
Target: &c.flagUsername,
EnvVar: "BOUNDARY_CONNECT_USERNAME",
Completion: complete.PredictNothing,
Usage: `Specifies the username to pass through to the client`,
})
case "rdp":
f := set.NewFlagSet("RDP Options")
f.StringVar(&base.StringVar{
Name: "style",
Target: &c.flagRdpStyle,
EnvVar: "BOUNDARY_CONNECT_RDP_STYLE",
Completion: complete.PredictSet("mstsc"),
Default: "mstsc",
Usage: `Specifies how the CLI will attempt to invoke an RDP client. This will also set a suitable default for -exec if a value was not specified. Currently-understood values are "mstsc".`,
})
}
/*
f.BoolVar(&base.BoolVar{
Name: "verbose",
Target: &c.flagVerbose,
Completion: complete.PredictAnything,
Usage: "Turns on some extra verbosity in the command output.",
})
*/
return set
}
func (c *Command) AutocompleteArgs() complete.Predictor {
return complete.PredictAnything
}
func (c *Command) AutocompleteFlags() complete.Flags {
return c.Flags().Completions()
}
func (c *Command) Run(args []string) (retCode int) {
var passthroughArgs []string
for i, v := range args {
if v == "--" {
passthroughArgs = args[i+1:]
args = args[:i]
}
}
f := c.Flags()
if err := f.Parse(args); err != nil {
c.UI.Error(err.Error())
return 1
}
switch c.Func {
case "http":
if c.flagExec == "" {
c.flagExec = strings.ToLower(c.flagHttpStyle)
}
case "ssh":
if c.flagExec == "" {
c.flagExec = strings.ToLower(c.flagSshStyle)
}
case "postgres":
if c.flagExec == "" {
c.flagExec = strings.ToLower(c.flagPostgresStyle)
}
case "rdp":
if c.flagExec == "" {
c.flagExec = strings.ToLower(c.flagRdpStyle)
}
}
tofuToken, err := base62.Random(20)
if err != nil {
c.UI.Error(fmt.Errorf("Could not derive random bytes for tofu token: %w", err).Error())
return 1
}
c.connsLeftCh = make(chan int32)
if c.flagListenAddr == "" {
c.flagListenAddr = "127.0.0.1"
}
listenAddr := net.ParseIP(c.flagListenAddr)
if listenAddr == nil {
c.UI.Error(fmt.Sprintf("Could not successfully parse listen address of %s", c.flagListenAddr))
return 1
}
authzString := c.flagAuthz
switch c.Func {
case "proxy":
if authzString == "-" {
authBytes, err := ioutil.ReadAll(os.Stdin)
if err != nil {
c.UI.Error(fmt.Errorf("No authorization string was provided and encountered the following error attempting to read it from stdin: %w", err).Error())
return 1
}
if len(authBytes) == 0 {
c.UI.Error("No authorization data read from stdin")
return 1
}
authzString = string(authBytes)
}
if authzString == "" {
c.UI.Error("Authorization data was empty")
return 1
}
if authzString[0] == '{' {
// Attempt to decode the JSON output of an authorize-session call
// and pull the token out of there
c.sessionAuthz = new(targets.SessionAuthorization)
if err := json.Unmarshal([]byte(authzString), c.sessionAuthz); err == nil {
authzString = c.sessionAuthz.AuthorizationToken
}
}
case "connect", "http", "ssh", "postgres", "rdp":
if c.flagTargetId == "" {
c.UI.Error("Target ID must be provided")
return 1
}
client, err := c.Client()
if err != nil {
c.UI.Error(fmt.Sprintf("Error creating API client: %s", err.Error()))
return 2
}
targetClient := targets.NewClient(client)
var opts []targets.Option
if len(c.flagHostId) != 0 {
opts = append(opts, targets.WithHostId(c.flagHostId))
}
sar, err := targetClient.AuthorizeSession(c.Context, c.flagTargetId, opts...)
if err != nil {
if api.AsServerError(err) != nil {
c.UI.Error(fmt.Sprintf("Error from controller when performing authorize-session against target: %s", err.Error()))
return 1
}
c.UI.Error(fmt.Sprintf("Error trying to authorize a session against target: %s", err.Error()))
return 2
}
c.sessionAuthz = sar.GetItem().(*targets.SessionAuthorization)
authzString = c.sessionAuthz.AuthorizationToken
}
marshaled, err := base58.FastBase58Decoding(authzString)
if err != nil {
c.UI.Error(fmt.Errorf("Unable to base58-decode authorization data: %w", err).Error())
return 1
}
if len(marshaled) == 0 {
c.UI.Error("Zero length authorization information after decoding")
return 1
}
data := new(targetspb.SessionAuthorizationData)
if err := proto.Unmarshal(marshaled, data); err != nil {
c.UI.Error(fmt.Errorf("Unable to proto-decode authorization data: %w", err).Error())
return 1
}
if len(data.GetWorkerInfo()) == 0 {
c.UI.Error("No workers found in authorization string")
return 1
}
c.connectionsLeft.Store(data.ConnectionLimit)
workerAddr := data.GetWorkerInfo()[0].GetAddress()
parsedCert, err := x509.ParseCertificate(data.Certificate)
if err != nil {
c.UI.Error(fmt.Errorf("Unable to decode mTLS certificate: %w", err).Error())
return 1
}
if len(parsedCert.DNSNames) != 1 {
c.UI.Error(fmt.Errorf("mTLS certificate has invalid parameters: %w", err).Error())
return 1
}
c.expiration = parsedCert.NotAfter
// We don't _rely_ on client-side timeout verification but this prevents us
// seeming to be ready for a connection that will immediately fail when we
// try to actually make it
c.proxyCtx, c.proxyCancel = context.WithDeadline(c.Context, c.expiration)
defer c.proxyCancel()
certPool := x509.NewCertPool()
certPool.AddCert(parsedCert)
tlsConf := &tls.Config{
Certificates: []tls.Certificate{
{
Certificate: [][]byte{data.Certificate},
PrivateKey: ed25519.PrivateKey(data.PrivateKey),
Leaf: parsedCert,
},
},
RootCAs: certPool,
ServerName: parsedCert.DNSNames[0],
MinVersion: tls.VersionTLS13,
}
transport := cleanhttp.DefaultTransport()
transport.DisableKeepAlives = false
transport.TLSClientConfig = tlsConf
// This isn't/shouldn't used anyways really because the connection is
// hijacked, just setting for completeness
transport.IdleConnTimeout = 0
c.listener, err = net.ListenTCP("tcp", &net.TCPAddr{
IP: listenAddr,
Port: c.flagListenPort,
})
if err != nil {
c.UI.Error(fmt.Errorf("Error starting listening port: %w", err).Error())
return 1
}
listenerCloseFunc := func() {
// Forces the for loop to exist instead of spinning on errors
c.connectionsLeft.Store(0)
if err := c.listener.Close(); err != nil {
c.UI.Error(fmt.Errorf("Error closing listener on shutdown: %w", err).Error())
retCode = 1
}
}
// Ensure it runs on any other return condition
defer func() {
c.listenerCloseOnce.Do(listenerCloseFunc)
}()
c.listenerAddr = c.listener.Addr().(*net.TCPAddr)
if c.flagExec == "" {
sessInfo := SessionInfo{
Protocol: "tcp",
Address: c.listenerAddr.IP.String(),
Port: c.listenerAddr.Port,
Expiration: c.expiration,
ConnectionLimit: data.GetConnectionLimit(),
SessionId: data.GetSessionId(),
}
switch base.Format(c.UI) {
case "table":
c.UI.Output(generateSessionInfoTableOutput(sessInfo))
case "json":
out, err := json.Marshal(&sessInfo)
if err != nil {
c.UI.Error(fmt.Errorf("error marshaling session information: %w", err).Error())
return 1
}
c.UI.Output(string(out))
}
}
c.connWg = new(sync.WaitGroup)
c.connWg.Add(1)
go func() {
defer c.connWg.Done()
for {
listeningConn, err := c.listener.AcceptTCP()
if err != nil {
select {
case <-c.proxyCtx.Done():
return
case <-c.Context.Done():
return
default:
// When this hits zero we tigger listener close so this
// isn't actually an error condition
if c.connectionsLeft.Load() == 0 {
return
}
c.UI.Error(fmt.Errorf("Error accepting connection: %w", err).Error())
continue
}
}
c.connWg.Add(1)
go func() {
defer listeningConn.Close()
if err := c.handleConnection(
listeningConn,
workerAddr,
tofuToken,
transport); err != nil {
c.UI.Error(err.Error())
}
}()
}
}()
timer := time.NewTimer(time.Until(c.expiration))
c.connWg.Add(1)
go func() {
defer c.connWg.Done()
defer c.listenerCloseOnce.Do(listenerCloseFunc)
for {
select {
case <-c.proxyCtx.Done():
timer.Stop()
return
case <-c.Context.Done():
timer.Stop()
return
case <-timer.C:
return
case connsLeft := <-c.connsLeftCh:
c.updateConnsLeft(connsLeft)
if connsLeft == 0 {
return
}
}
}
}()
if c.flagExec != "" {
c.connWg.Add(1)
c.execCmdReturnValue = new(atomic.Int32)
go c.handleExec(passthroughArgs)
}
c.connWg.Wait()
if c.execCmdReturnValue != nil {
retCode = int(c.execCmdReturnValue.Load())
}
termInfo := TerminationInfo{Reason: "Unknown"}
select {
case <-c.Context.Done():
termInfo.Reason = "Received shutdown signal"
case <-timer.C:
termInfo.Reason = "Session has expired"
default:
if c.execCmdReturnValue != nil {
// Don't print out in this case, so ensure we clear it
termInfo.Reason = ""
} else {
if c.connectionsLeft.Load() == 0 {
termInfo.Reason = "No connections left in session"
}
}
}
if termInfo.Reason != "" {
switch base.Format(c.UI) {
case "table":
c.UI.Output(generateTerminationInfoTableOutput(termInfo))
case "json":
out, err := json.Marshal(&termInfo)
if err != nil {
c.UI.Error(fmt.Errorf("error marshaling termination information: %w", err).Error())
return 1
}
c.UI.Output(string(out))
}
}
return
}
func (c *Command) handleConnection(
listeningConn *net.TCPConn,
workerAddr string,
tofuToken string,
transport *http.Transport) error {
defer c.connWg.Done()
conn, resp, err := websocket.Dial(
c.proxyCtx,
fmt.Sprintf("wss://%s/v1/proxy", workerAddr),
&websocket.DialOptions{
HTTPClient: &http.Client{
Transport: transport,
},
Subprotocols: []string{globals.TcpProxyV1},
},
)
if err != nil {
switch {
case strings.Contains(err.Error(), "tls: internal error"):
return errors.New("Session is unauthorized")
case strings.Contains(err.Error(), "connect: connection refused"):
return fmt.Errorf("Unable to connect to worker at %s", workerAddr)
default:
return fmt.Errorf("Error dialing the worker: %w", err)
}
}
if resp == nil {
return errors.New("Response from worker is nil")
}
if resp.Header == nil {
return errors.New("Response header is nil")
}
negProto := resp.Header.Get("Sec-WebSocket-Protocol")
if negProto != globals.TcpProxyV1 {
return fmt.Errorf("Unexpected negotiated protocol: %s", negProto)
}
handshake := proxy.ClientHandshake{TofuToken: tofuToken}
if err := wspb.Write(c.proxyCtx, conn, &handshake); err != nil {
return fmt.Errorf("error sending handshake to worker: %w", err)
}
var handshakeResult proxy.HandshakeResult
if err := wspb.Read(c.proxyCtx, conn, &handshakeResult); err != nil {
switch {
case strings.Contains(err.Error(), "unable to authorize connection"):
// There's no reason to think we'd be able to authorize any more
// connections after the first has failed
c.connsLeftCh <- 0
return errors.New("Unable to authorize connection")
}
return fmt.Errorf("error reading handshake result: %w", err)
}
if handshakeResult.GetConnectionsLeft() != -1 {
c.connsLeftCh <- handshakeResult.GetConnectionsLeft()
}
// Get a wrapped net.Conn so we can use io.Copy
netConn := websocket.NetConn(c.proxyCtx, conn, websocket.MessageBinary)
localWg := new(sync.WaitGroup)
localWg.Add(2)
go func() {
defer localWg.Done()
io.Copy(netConn, listeningConn)
netConn.Close()
listeningConn.Close()
}()
go func() {
defer localWg.Done()
io.Copy(listeningConn, netConn)
listeningConn.Close()
netConn.Close()
}()
localWg.Wait()
return nil
}
func (c *Command) updateConnsLeft(connsLeft int32) {
c.connectionsLeft.Store(connsLeft)
connInfo := ConnectionInfo{
ConnectionsLeft: connsLeft,
}
if c.flagExec == "" {
switch base.Format(c.UI) {
case "table":
c.UI.Output(generateConnectionInfoTableOutput(connInfo))
case "json":
out, err := json.Marshal(&connInfo)
if err != nil {
c.UI.Error(fmt.Errorf("error marshaling connection information: %w", err).Error())
}
c.UI.Output(string(out))
}
}
}
func (c *Command) handleExec(passthroughArgs []string) {
defer c.connWg.Done()
defer c.proxyCancel()
port := strconv.Itoa(c.listenerAddr.Port)
ip := c.listenerAddr.IP.String()
addr := c.listenerAddr.String()
var args []string
switch c.Func {
case "http":
switch c.flagHttpStyle {
case "curl":
if c.flagHttpMethod != "" {
args = append(args, "-X", c.flagHttpMethod)
}
var uri string
if c.flagHttpHost != "" {
c.flagHttpHost = strings.TrimSuffix(c.flagHttpHost, "/")
args = append(args, "-H", fmt.Sprintf("Host: %s", c.flagHttpHost))
args = append(args, "--resolve", fmt.Sprintf("%s:%s:%s", c.flagHttpHost, port, ip))
uri = fmt.Sprintf("%s://%s:%s", c.flagHttpScheme, c.flagHttpHost, port)
} else {
uri = fmt.Sprintf("%s://%s", c.flagHttpScheme, addr)
}
if c.flagHttpPath != "" {
uri = fmt.Sprintf("%s/%s", uri, strings.TrimPrefix(c.flagHttpPath, "/"))
}
args = append(args, uri)
}
case "ssh":
switch c.flagSshStyle {
case "ssh":
args = append(args, "-p", port, ip)
args = append(args, "-o", fmt.Sprintf("HostKeyAlias=%s", c.sessionAuthz.HostId))
case "putty":
args = append(args, "-P", port, ip)
}
if c.flagUsername != "" {
args = append(args, "-l", c.flagUsername)
}
case "postgres":
switch c.flagPostgresStyle {
case "psql":
args = append(args, "-p", port, "-h", ip)
if c.flagUsername != "" {
args = append(args, "-U", c.flagUsername)
}
}
case "rdp":
switch c.flagRdpStyle {
case "mstsc":
args = append(args, "/v", addr)
}
}
args = append(passthroughArgs, args...)
// Might want -t for ssh or -tt but seems fine without it for now...
stringReplacer := func(in, typ, replacer string) string {
for _, style := range []string{
fmt.Sprintf("{{boundary.%s}}", typ),
fmt.Sprintf("{{ boundary.%s}}", typ),
fmt.Sprintf("{{boundary.%s }}", typ),
fmt.Sprintf("{{ boundary.%s }}", typ),
} {
in = strings.Replace(in, style, replacer, -1)
}
return in
}
for i := range args {
args[i] = stringReplacer(args[i], "port", port)
args[i] = stringReplacer(args[i], "ip", ip)
args[i] = stringReplacer(args[i], "addr", addr)
}
// NOTE: exec.CommandContext is a hard kill, so if used it leaves the
// terminal in a weird state. It suffices to simply close the connection,
// which already happens, so we don't need/want CommandContext here.
cmd := exec.Command(c.flagExec, args...)
cmd.Env = append(os.Environ(),
fmt.Sprintf("BOUNDARY_PROXIED_PORT=%s", port),
fmt.Sprintf("BOUNDARY_PROXIED_IP=%s", ip),
fmt.Sprintf("BOUNDARY_PROXIED_ADDR=%s", addr),
)
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
if err := cmd.Run(); err != nil {
exitCode := 2
if exitError, ok := err.(*exec.ExitError); ok {
if exitError.Success() {
c.execCmdReturnValue.Store(0)
return
}
if ws, ok := exitError.Sys().(syscall.WaitStatus); ok {
c.execCmdReturnValue.Store(int32(ws.ExitStatus()))
return
}
}
c.UI.Error(fmt.Sprintf("Failed to run command: %s", err))
c.execCmdReturnValue.Store(int32(exitCode))
return
}
c.execCmdReturnValue.Store(0)
}
Reference in new issue View Git Blame Copy Permalink