mirror of
https://github.com/lensapp/lens.git
synced 2025-05-20 05:10:56 +00:00
Add IPC based authentication tokens
Signed-off-by: Sebastian Malton <sebastian@malton.name>
This commit is contained in:
parent
4e264d3c40
commit
7d430b57ad
@ -63,7 +63,7 @@ import { ensureDir } from "fs-extra";
|
|||||||
import { Router } from "./router";
|
import { Router } from "./router";
|
||||||
import { initMenu } from "./menu";
|
import { initMenu } from "./menu";
|
||||||
import { initTray } from "./tray";
|
import { initTray } from "./tray";
|
||||||
import { kubeApiRequest, shellApiRequest } from "./proxy-functions";
|
import { kubeApiRequest, shellApiRequest, ShellRequestAuthenticator } from "./proxy-functions";
|
||||||
import { AppPaths } from "../common/app-paths";
|
import { AppPaths } from "../common/app-paths";
|
||||||
|
|
||||||
injectSystemCAs();
|
injectSystemCAs();
|
||||||
@ -122,7 +122,7 @@ app.on("second-instance", (event, argv) => {
|
|||||||
WindowManager.getInstance(false)?.ensureMainWindow();
|
WindowManager.getInstance(false)?.ensureMainWindow();
|
||||||
});
|
});
|
||||||
|
|
||||||
app.on("ready", async () => {
|
app.on("ready", async () => {
|
||||||
logger.info(`🚀 Starting ${productName} from "${AppPaths.get("exe")}"`);
|
logger.info(`🚀 Starting ${productName} from "${AppPaths.get("exe")}"`);
|
||||||
logger.info("🐚 Syncing shell environment");
|
logger.info("🐚 Syncing shell environment");
|
||||||
await shellSync();
|
await shellSync();
|
||||||
@ -134,6 +134,7 @@ app.on("ready", async () => {
|
|||||||
registerFileProtocol("static", __static);
|
registerFileProtocol("static", __static);
|
||||||
|
|
||||||
PrometheusProviderRegistry.createInstance();
|
PrometheusProviderRegistry.createInstance();
|
||||||
|
ShellRequestAuthenticator.createInstance().init();
|
||||||
initializers.initPrometheusProviderRegistry();
|
initializers.initPrometheusProviderRegistry();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@ -19,24 +19,65 @@
|
|||||||
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import url from "url";
|
|
||||||
import logger from "../logger";
|
import logger from "../logger";
|
||||||
import { Server as WebSocketServer } from "ws";
|
import { Server as WebSocketServer } from "ws";
|
||||||
import { NodeShellSession, LocalShellSession } from "../shell-session";
|
import { NodeShellSession, LocalShellSession } from "../shell-session";
|
||||||
import type { ProxyApiRequestArgs } from "./types";
|
import type { ProxyApiRequestArgs } from "./types";
|
||||||
import { ClusterManager } from "../cluster-manager";
|
import { ClusterManager } from "../cluster-manager";
|
||||||
import { appName, appSemVer } from "../../common/vars";
|
import URLParse from "url-parse";
|
||||||
import { LensProxy } from "../lens-proxy";
|
import { ExtendedMap, Singleton } from "../../common/utils";
|
||||||
|
import type { ClusterId } from "../../common/cluster-types";
|
||||||
|
import { ipcMainHandle } from "../../common/ipc";
|
||||||
|
import * as uuid from "uuid";
|
||||||
|
|
||||||
|
export class ShellRequestAuthenticator extends Singleton {
|
||||||
|
private tokens = new ExtendedMap<ClusterId, Map<string, string>>();
|
||||||
|
|
||||||
|
init() {
|
||||||
|
ipcMainHandle("cluster:shell-api", (event, clusterId, tabId) => {
|
||||||
|
const authToken = uuid.v4();
|
||||||
|
|
||||||
|
this.tokens
|
||||||
|
.getOrInsert(clusterId, () => new Map())
|
||||||
|
.set(tabId, authToken);
|
||||||
|
|
||||||
|
return authToken;
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Authenticates a single use token for creating a new shell
|
||||||
|
* @param clusterId The `ClusterId` for the shell
|
||||||
|
* @param tabId The ID for the shell
|
||||||
|
* @param token The value that is being presented as a one time authentication token
|
||||||
|
* @returns `true` if `token` was valid, false otherwise
|
||||||
|
*/
|
||||||
|
authenticate(clusterId: ClusterId, tabId: string, token: string): boolean {
|
||||||
|
const clusterTokens = this.tokens.get(clusterId);
|
||||||
|
|
||||||
|
if (!clusterTokens) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
const authToken = clusterTokens.get(tabId);
|
||||||
|
|
||||||
|
// need both conditions to prevent `undefined === undefined` being true here
|
||||||
|
if (typeof authToken === "string" && authToken === token) {
|
||||||
|
// remove the token because it is a single use token
|
||||||
|
clusterTokens.delete(tabId);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
export function shellApiRequest({ req, socket, head }: ProxyApiRequestArgs): void {
|
export function shellApiRequest({ req, socket, head }: ProxyApiRequestArgs): void {
|
||||||
const cluster = ClusterManager.getInstance().getClusterForRequest(req);
|
const cluster = ClusterManager.getInstance().getClusterForRequest(req);
|
||||||
|
const { query: { node, shellToken, id: tabId }} = new URLParse(req.url, true);
|
||||||
|
|
||||||
if (
|
if (!cluster || !ShellRequestAuthenticator.getInstance().authenticate(cluster.id, tabId, shellToken)) {
|
||||||
socket.remoteAddress !== "127.0.0.1"
|
|
||||||
|| !req.headers["user-agent"]?.includes(` ${appName}/${appSemVer} `)
|
|
||||||
|| !req.headers.origin?.endsWith(`.localhost:${LensProxy.getInstance().port}`)
|
|
||||||
|| !cluster
|
|
||||||
) {
|
|
||||||
socket.write("Invalid shell request");
|
socket.write("Invalid shell request");
|
||||||
|
|
||||||
return void socket.end();
|
return void socket.end();
|
||||||
@ -45,12 +86,11 @@ export function shellApiRequest({ req, socket, head }: ProxyApiRequestArgs): voi
|
|||||||
const ws = new WebSocketServer({ noServer: true });
|
const ws = new WebSocketServer({ noServer: true });
|
||||||
|
|
||||||
ws.handleUpgrade(req, socket, head, (webSocket) => {
|
ws.handleUpgrade(req, socket, head, (webSocket) => {
|
||||||
const nodeParam = url.parse(req.url, true).query["node"]?.toString();
|
const shell = node
|
||||||
const shell = nodeParam
|
? new NodeShellSession(webSocket, cluster, node)
|
||||||
? new NodeShellSession(webSocket, cluster, nodeParam)
|
|
||||||
: new LocalShellSession(webSocket, cluster);
|
: new LocalShellSession(webSocket, cluster);
|
||||||
|
|
||||||
shell.open()
|
shell.open()
|
||||||
.catch(error => logger.error(`[SHELL-SESSION]: failed to open a ${nodeParam ? "node" : "local"} shell`, error));
|
.catch(error => logger.error(`[SHELL-SESSION]: failed to open a ${node ? "node" : "local"} shell`, error));
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|||||||
@ -19,13 +19,13 @@
|
|||||||
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import { boundMethod, base64, EventEmitter } from "../utils";
|
import { boundMethod, base64, EventEmitter, getHostedClusterId } from "../utils";
|
||||||
import { WebSocketApi } from "./websocket-api";
|
import { WebSocketApi } from "./websocket-api";
|
||||||
import isEqual from "lodash/isEqual";
|
import isEqual from "lodash/isEqual";
|
||||||
import { isDevelopment } from "../../common/vars";
|
import { isDevelopment } from "../../common/vars";
|
||||||
import url from "url";
|
import url from "url";
|
||||||
import { makeObservable, observable } from "mobx";
|
import { makeObservable, observable } from "mobx";
|
||||||
import type { ParsedUrlQueryInput } from "querystring";
|
import { ipcRenderer } from "electron";
|
||||||
|
|
||||||
export enum TerminalChannels {
|
export enum TerminalChannels {
|
||||||
STDIN = 0,
|
STDIN = 0,
|
||||||
@ -50,7 +50,7 @@ enum TerminalColor {
|
|||||||
export type TerminalApiQuery = Record<string, string> & {
|
export type TerminalApiQuery = Record<string, string> & {
|
||||||
id: string;
|
id: string;
|
||||||
node?: string;
|
node?: string;
|
||||||
type?: string | "node";
|
type?: string;
|
||||||
};
|
};
|
||||||
|
|
||||||
export class TerminalApi extends WebSocketApi {
|
export class TerminalApi extends WebSocketApi {
|
||||||
@ -60,7 +60,13 @@ export class TerminalApi extends WebSocketApi {
|
|||||||
@observable public isReady = false;
|
@observable public isReady = false;
|
||||||
public readonly url: string;
|
public readonly url: string;
|
||||||
|
|
||||||
constructor(protected options: TerminalApiQuery) {
|
public static async new(options: TerminalApiQuery): Promise<TerminalApi> {
|
||||||
|
const shellToken = await ipcRenderer.invoke("cluster:shell-api", getHostedClusterId(), options.id);
|
||||||
|
|
||||||
|
return new TerminalApi({ ...options, shellToken });
|
||||||
|
}
|
||||||
|
|
||||||
|
private constructor(query: TerminalApiQuery) {
|
||||||
super({
|
super({
|
||||||
logging: isDevelopment,
|
logging: isDevelopment,
|
||||||
flushOnOpen: false,
|
flushOnOpen: false,
|
||||||
@ -69,13 +75,9 @@ export class TerminalApi extends WebSocketApi {
|
|||||||
makeObservable(this);
|
makeObservable(this);
|
||||||
|
|
||||||
const { hostname, protocol, port } = location;
|
const { hostname, protocol, port } = location;
|
||||||
const query: ParsedUrlQueryInput = {
|
|
||||||
id: options.id,
|
|
||||||
};
|
|
||||||
|
|
||||||
if (options.node) {
|
if (query.node) {
|
||||||
query.node = options.node;
|
query.type ||= "node";
|
||||||
query.type = options.type || "node";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
this.url = url.format({
|
this.url = url.format({
|
||||||
|
|||||||
@ -65,12 +65,12 @@ export class TerminalStore extends Singleton {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
connect(tabId: TabId) {
|
async connect(tabId: TabId) {
|
||||||
if (this.isConnected(tabId)) {
|
if (this.isConnected(tabId)) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
const tab: ITerminalTab = dockStore.getTabById(tabId);
|
const tab: ITerminalTab = dockStore.getTabById(tabId);
|
||||||
const api = new TerminalApi({
|
const api = await TerminalApi.new({
|
||||||
id: tabId,
|
id: tabId,
|
||||||
node: tab.node,
|
node: tab.node,
|
||||||
});
|
});
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user