Merge pull request #69 from uovobw:add-tls-client-certificate-authentication

Iwasaki Yudai
Commit 7715f935 authored Oct 05, 2015 by Iwasaki Yudai
Showing with 64 additions and 40 deletions
.gotty
README.md
app/app.go
main.go
--- a/.gotty
+++ b/.gotty
@@ -30,6 +30,12 @@
 // [string] Default TLS key file path
 // tls_key_file = "~/.gotty.key"

+// [bool] Enable client certificate authentication
+// enable_tls_client_auth = false
+
+// [string] Certificate file of CA for client certificates
+// tls_ca_crt_file = "~/.gotty.ca.crt"
+
 // [string] Custom index.html file
 // index_file = ""


--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ By default, GoTTY starts a web server at port 8080. Open the URL on your web bro
 --tls, -t                                                    Enable TLS/SSL [$GOTTY_TLS]
 --tls-crt "~/.gotty.key"                                     TLS/SSL crt file path [$GOTTY_TLS_CRT]
 --tls-key "~/.gotty.crt"                                     TLS/SSL key file path [$GOTTY_TLS_KEY]
+--tls-ca-crt "~/.gotty.ca.crt"                               TLS/SSL CA certificate file for client certifications [$GOTTY_TLS_CA_CRT]
 --index                                                      Custom index file [$GOTTY_INDEX]
 --title-format "GoTTY - {{ .Command }} ({{ .Hostname }})"    Title format of browser window [$GOTTY_TITLE_FORMAT]
 --reconnect                                                  Enable reconnection [$GOTTY_RECONNECT]
@@ -93,7 +94,9 @@ See the [`.gotty`](https://github.com/yudai/gotty/blob/master/.gotty) file in th

 By default, GoTTY doesn't allow clients to send any keystrokes or commands except terminal window resizing. When you want to permit clients to write input to the TTY, add the `-w` option. However, accepting input from remote clients is dangerous for most commands. When you need interaction with the TTY for some reasons, consider starting GoTTY with tmux or GNU Screen and run your command on it (see "Sharing with Multiple Clients" section for detail).

-To restrict client access, you can use the `-c` option to enable the basic authentication. With this option, clients need to input the specified username and password to connect to the GoTTY server. The `-r` option is a little bit casualer way to restrict access. With this option, GoTTY generates a random URL so that only people who know the URL can get access to the server. Note that the credentical will be transmitted between the server and clients in plain text.
+To restrict client access, you can use the `-c` option to enable the basic authentication. With this option, clients need to input the specified username and password to connect to the GoTTY server. Note that the credentical will be transmitted between the server and clients in plain text. For more strict authentication, consider the SSL/TLS client certificate authentication described below.
+
+The `-r` option is a little bit casualer way to restrict access. With this option, GoTTY generates a random URL so that only people who know the URL can get access to the server.  

 All traffic between the server and clients are NOT encrypted by default. When you send secret information through GoTTY, we strongly recommend you use the `-t` option which enables TLS/SSL on the session. By default, GoTTY loads the crt and key files placed at `~/.gotty.crt` and `~/.gotty.key`. You can overwrite these file paths with the `--tls-crt` and `--tls-key` options. When you need to generate a self-signed certification file, you can use the `openssl` command.

@@ -103,6 +106,8 @@ openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout ~/.gotty.key -out ~

 (NOTE: For Safari uses, see [how to enable self-signed certificates for WebSockets](http://blog.marcon.me/post/24874118286/secure-websockets-safari) when use self-signed certificates)

+For additional security, you can use the SSL/TLS client certificate authentication by providing a CA certificate file to the `--tls-ca-crt` option (this option requires the `-t` or `--tls` to be set). This option requires all clients to send valid client certificates that are signed by the specified certification authority.
+
 ## Sharing with Multiple Clients

 GoTTY starts a new process with the given command when a new client connects to the server. This means users cannot share a single terminal with others by default. However, you can use terminal multiplexers for sharing a single process with multiple clients.

--- a/app/app.go
+++ b/app/app.go
@@ -48,8 +48,8 @@ type Options struct {
 	EnableTLS           bool                   `hcl:"enable_tls"`
 	TLSCrtFile          string                 `hcl:"tls_crt_file"`
 	TLSKeyFile          string                 `hcl:"tls_key_file"`
-	VerifyClientCert bool                   `hcl:"verify_client_cert"`
-	ClientCAs        []string               `hcl:"client_cas"`
+	EnableTLSClientAuth bool                   `hcl:"enable_tls_client_auth"`
+	TLSCACrtFile        string                 `hcl:"tls_ca_crt_file"`
 	TitleFormat         string                 `hcl:"title_format"`
 	EnableReconnect     bool                   `hcl:"enable_reconnect"`
 	ReconnectTime       int                    `hcl:"reconnect_time"`
@@ -71,8 +71,8 @@ var DefaultOptions = Options{
 	EnableTLS:           false,
 	TLSCrtFile:          "~/.gotty.crt",
 	TLSKeyFile:          "~/.gotty.key",
-	VerifyClientCert: false,
-	ClientCAs:        []string{},
+	EnableTLSClientAuth: false,
+	TLSCACrtFile:        "~/.gotty.ca.crt",
 	TitleFormat:         "GoTTY - {{ .Command }} ({{ .Hostname }})",
 	EnableReconnect:     false,
 	ReconnectTime:       10,
@@ -120,6 +120,13 @@ func ApplyConfigFile(options *Options, filePath string) error {
 	return nil
 }

+func CheckConfig(options *Options) error {
+	if options.EnableTLSClientAuth && !options.EnableTLS {
+		return errors.New("TLS client authentication is enabled, but TLS is not enabled")
+	}
+	return nil
+}
+
 func (app *App) Run() error {
 	if app.options.PermitWrite {
 		log.Printf("Permitting clients to write input to the PTY.")
@@ -197,50 +204,20 @@ func (app *App) Run() error {
 		}
 	}

-	serverMaker := func() *http.Server {
-		return &http.Server{
-			Addr:    endpoint,
-			Handler: siteHandler}
-	}
-	if app.options.VerifyClientCert && app.options.EnableTLS {
-		serverMaker = func() *http.Server {
-			clientCaPool := x509.NewCertPool()
-			for _, path := range app.options.ClientCAs {
-				pem, err := ioutil.ReadFile(path)
+	server, err := app.makeServer(endpoint, &siteHandler)
 	if err != nil {
-					log.Printf("Could not read pem file at: " + path)
-					return nil
-				}
-				if clientCaPool.AppendCertsFromPEM(pem) {
-					log.Printf("Could not parse pem file at: " + path)
-					return nil
-				}
-			}
-			return &http.Server{
-				Addr:    endpoint,
-				Handler: siteHandler,
-				TLSConfig: &tls.Config{
-					ClientAuth:               tls.RequireAndVerifyClientCert,
-					ClientCAs:                clientCaPool,
-					PreferServerCipherSuites: true}}
-		}
-	}
-
-	server := serverMaker()
-	if server == nil {
-		log.Printf("Failed to build server.")
-		return errors.New("Failed to build server.")
+		return errors.New("Failed to build server: " + err.Error())
 	}
-
-	var err error
 	app.server = manners.NewWithServer(
 		server,
 	)
+
 	if app.options.EnableTLS {
 		crtFile := ExpandHomeDir(app.options.TLSCrtFile)
 		keyFile := ExpandHomeDir(app.options.TLSKeyFile)
 		log.Printf("TLS crt file: " + crtFile)
 		log.Printf("TLS key file: " + keyFile)
+
 		err = app.server.ListenAndServeTLS(crtFile, keyFile)
 	} else {
 		err = app.server.ListenAndServe()
@@ -254,6 +231,33 @@ func (app *App) Run() error {
 	return nil
 }

+func (app *App) makeServer(addr string, handler *http.Handler) (*http.Server, error) {
+	server := &http.Server{
+		Addr:    addr,
+		Handler: *handler,
+	}
+
+	if app.options.EnableTLSClientAuth {
+		caFile := ExpandHomeDir(app.options.TLSCACrtFile)
+		log.Printf("CA file: " + caFile)
+		caCert, err := ioutil.ReadFile(caFile)
+		if err != nil {
+			return nil, errors.New("Could not open CA crt file " + caFile)
+		}
+		caCertPool := x509.NewCertPool()
+		if !caCertPool.AppendCertsFromPEM(caCert) {
+			return nil, errors.New("Could not parse CA crt file data in " + caFile)
+		}
+		tlsConfig := &tls.Config{
+			ClientCAs:  caCertPool,
+			ClientAuth: tls.RequireAndVerifyClientCert,
+		}
+		server.TLSConfig = tlsConfig
+	}
+
+	return server, nil
+}
+
 func (app *App) handleWS(w http.ResponseWriter, r *http.Request) {
 	log.Printf("New client connected: %s", r.RemoteAddr)


--- a/main.go
+++ b/main.go
@@ -26,8 +26,9 @@ func main() {
 		flag{"random-url", "r", "Add a random string to the URL"},
 		flag{"random-url-length", "", "Random URL length"},
 		flag{"tls", "t", "Enable TLS/SSL"},
-		flag{"tls-crt", "", "TLS/SSL crt file path"},
+		flag{"tls-crt", "", "TLS/SSL certificate file path"},
 		flag{"tls-key", "", "TLS/SSL key file path"},
+		flag{"tls-ca-crt", "", "TLS/SSL CA certificate file for client certifications"},
 		flag{"index", "", "Custom index.html file"},
 		flag{"title-format", "", "Title format of browser window"},
 		flag{"reconnect", "", "Enable reconnection"},
@@ -40,6 +41,7 @@ func main() {
 		"tls":        "EnableTLS",
 		"tls-crt":    "TLSCrtFile",
 		"tls-key":    "TLSKeyFile",
+		"tls-ca-crt": "TLSCACrtFile",
 		"random-url": "EnableRandomUrl",
 		"reconnect":  "EnableReconnect",
 	}
@@ -81,6 +83,13 @@ func main() {
 		if c.IsSet("credential") {
 			options.EnableBasicAuth = true
 		}
+		if c.IsSet("tls-ca-crt") {
+			options.EnableTLSClientAuth = true
+		}
+
+		if err := app.CheckConfig(&options); err != nil {
+			exit(err, 6)
+		}

 		app, err := app.New(c.Args(), &options)
 		if err != nil {