From 1321cf79c64a135039a504ff1a7e0a39dca27265 Mon Sep 17 00:00:00 2001 From: Pierre Hubert Date: Fri, 2 Sep 2022 15:40:00 +0200 Subject: [PATCH] Improve messages logging --- src/main.rs | 2 +- src/tcp_relay_client/mod.rs | 2 +- src/tcp_relay_server/relay_ws.rs | 9 +++-- .../tls_cert_client_verifier.rs | 29 +++++++++++---- src/test/client_invalid_tls_configuration.rs | 35 ++++++++++--------- ...lient_invalid_tls_root_certificate_file.rs | 14 ++++---- src/test/mod.rs | 2 +- 7 files changed, 58 insertions(+), 35 deletions(-) diff --git a/src/main.rs b/src/main.rs index 9872322..a9a35e2 100644 --- a/src/main.rs +++ b/src/main.rs @@ -8,7 +8,7 @@ use tcp_over_http::tcp_relay_server::server_config::ServerConfig; author, version, about, - long_about = "Encapsulate TCP sockets inside HTTP WebSockets" + long_about = "Encapsulate TCP sockets inside HTTP WebSockets\nSource code: https://gitea.communiquons.org/pierre/tcp-over-http" )] struct CliArgs { #[clap(subcommand)] diff --git a/src/tcp_relay_client/mod.rs b/src/tcp_relay_client/mod.rs index 3c688b0..d40c9d5 100644 --- a/src/tcp_relay_client/mod.rs +++ b/src/tcp_relay_client/mod.rs @@ -94,7 +94,7 @@ pub async fn run_app(mut args: ClientConfig) -> std::io::Result<()> { port.id, urlencoding::encode(args.get_auth_token()) ) - .replace("http", "ws"), + .replace("http", "ws"), listen_address, args.clone(), )); diff --git a/src/tcp_relay_server/relay_ws.rs b/src/tcp_relay_server/relay_ws.rs index 32f58f3..6b0ac19 100644 --- a/src/tcp_relay_server/relay_ws.rs +++ b/src/tcp_relay_server/relay_ws.rs @@ -196,11 +196,16 @@ pub async fn relay_ws( tcp_write, hb: Instant::now(), }; + let resp = ws::start(relay, &req, stream); log::info!( - "Opening new WS connection for {:?} to {}", + "Opening new WS connection:\ + * for {:?}\ + * to {}\ + * token {:?}", req.peer_addr(), - upstream_addr + upstream_addr, + query.token ); resp } 
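Review bot: The new log line in `relay_ws` prints `query.token` — the auth token the client passes in the query string (the client side url-encodes `args.get_auth_token()` into the same URL) — in clear text at `info` level, so anyone with log access or a log-shipping pipeline receives a reusable credential. Log only whether a token was supplied, or a short fingerprint of it, e.g. replace `* token {:?}` / `query.token` with `* token supplied: {}` / `query.token.is_some()` (if `token` is not an `Option`, log its length or a hash instead). Note also that a backslash continuation inside a Rust string literal drops the newline and the following indentation, so the message will be emitted as `Opening new WS connection:* for …* to …* token …` with no separators; use `\n` before each bullet or keep it on one line. `relay_ws` begins outside this hunk.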
diff --git a/src/tcp_relay_server/tls_cert_client_verifier.rs b/src/tcp_relay_server/tls_cert_client_verifier.rs index 07996fe..36c0bfa 100644 --- a/src/tcp_relay_server/tls_cert_client_verifier.rs +++ b/src/tcp_relay_server/tls_cert_client_verifier.rs @@ -1,9 +1,9 @@ use std::sync::Arc; use std::time::SystemTime; +use rustls::{Certificate, DistinguishedNames, Error, RootCertStore}; use rustls::internal::msgs::enums::AlertDescription; use rustls::server::{AllowAnyAuthenticatedClient, ClientCertVerified, ClientCertVerifier}; -use rustls::{Certificate, DistinguishedNames, Error, RootCertStore}; use x509_parser::prelude::{CertificateRevocationList, FromDer, X509Certificate}; use crate::base::cert_utils::parse_pem_certificates; @@ -86,14 +86,14 @@ impl ClientCertVerifier for CustomCertClientVerifier { intermediates: &[Certificate], now: SystemTime, ) -> Result { + let (_rem, cert) = + X509Certificate::from_der(&end_entity.0).expect("Failed to read certificate!"); + // Check the certificates sent by the client has been revoked if let Some(crl) = &self.crl { let (_rem, crl) = CertificateRevocationList::from_der(crl).expect("Failed to read CRL!"); - let (_rem, cert) = - X509Certificate::from_der(&end_entity.0).expect("Failed to read certificate!"); - for revoked in crl.iter_revoked_certificates() { if revoked.user_certificate == cert.serial { log::error!( @@ -106,7 +106,24 @@ impl ClientCertVerifier for CustomCertClientVerifier { } } - self.upstream_cert_verifier - .verify_client_cert(end_entity, intermediates, now) + let result = self + .upstream_cert_verifier + .verify_client_cert(end_entity, intermediates, now); + + match result.as_ref() { + Err(e) => log::error!( + "FAILED authentication attempt from Serial={} / Subject={} : {}", + cert.serial, + cert.subject, + e + ), + Ok(_) => log::info!( + "SUCCESSFUL authentication attempt from Serial={} / Subject={}", + cert.serial, + cert.subject + ), + } + + result } } 
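Review bot: Hoisting `X509Certificate::from_der(&end_entity.0).expect("Failed to read certificate!")` out of the `if let Some(crl)` block means it now runs for every client certificate, before the upstream verifier has checked anything, so a malformed DER blob from an unauthenticated peer panics inside the TLS handshake instead of being rejected — previously that path was only reachable when a CRL was configured. Return a TLS error instead, e.g. `let (_rem, cert) = X509Certificate::from_der(&end_entity.0)` / `    .map_err(|e| Error::General(format!("unparseable client certificate: {e}")))?;`. The remaining `expect` on the CRL bytes is operator-controlled config, but parsing and validating the CRL once when the verifier is constructed would avoid both the panic path and re-parsing it on every handshake. `verify_client_cert` begins outside this hunk and continues past it.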
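Review bot: The `cert.subject` and `cert.serial` values in the new FAILED/SUCCESSFUL log lines come from a certificate parsed before any chain validation, so on the `Err` branch they are attacker-chosen, and a subject whose components contain newlines or control characters could forge extra records in a line-oriented log sink. Format the subject with `{:?}` (or sanitize it) on at least the failure line, e.g. `"FAILED authentication attempt from Serial={} / Subject={:?} : {}"`. Whether x509_parser's `Display` for the subject escapes such characters is not visible here, so confirm before relying on it. `verify_client_cert` begins outside this hunk.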
diff --git a/src/test/client_invalid_tls_configuration.rs b/src/test/client_invalid_tls_configuration.rs index 30ebeb0..79e8cf9 100644 --- a/src/test/client_invalid_tls_configuration.rs +++ b/src/test/client_invalid_tls_configuration.rs @@ -2,10 +2,10 @@ use tokio::task; use crate::tcp_relay_client::client_config::ClientConfig; use crate::tcp_relay_server::server_config::ServerConfig; -use crate::test::{BAD_PATH, get_port_number, LOCALHOST_IP, PortsAllocation}; use crate::test::dummy_tcp_sockets::wait_for_port; use crate::test::pki::Pki; use crate::test::test_files_utils::create_temp_file_with_random_content; +use crate::test::{get_port_number, PortsAllocation, BAD_PATH, LOCALHOST_IP}; fn port(index: u16) -> u16 { get_port_number(PortsAllocation::ClientInvalidTlsConfiguration, index) @@ -26,8 +26,8 @@ async fn random_file_for_cert() { tls_key: Some(pki.valid_client_key.file_path()), ..Default::default() }) - .await - .unwrap_err(); + .await + .unwrap_err(); } #[tokio::test()] @@ -45,8 +45,8 @@ async fn random_file_for_key() { tls_key: Some(random_file.to_string_lossy().to_string()), ..Default::default() }) - .await - .unwrap_err(); + .await + .unwrap_err(); } #[tokio::test()] @@ -63,8 +63,8 @@ async fn bad_pem_file_for_cert() { tls_key: Some(pki.valid_client_key.file_path()), ..Default::default() }) - .await - .unwrap_err(); + .await + .unwrap_err(); } #[tokio::test()] @@ -81,8 +81,8 @@ async fn bad_pem_file_for_key() { tls_key: Some(pki.root_ca_crl.file_path()), ..Default::default() }) - .await - .unwrap_err(); + .await + .unwrap_err(); } #[tokio::test()] @@ -99,8 +99,8 @@ async fn non_existing_cert() { tls_key: Some(pki.valid_client_key.file_path()), ..Default::default() }) - .await - .unwrap_err(); + .await + .unwrap_err(); } #[tokio::test()] @@ -117,8 +117,8 @@ async fn non_existing_key() { tls_key: Some(BAD_PATH.to_string()), ..Default::default() }) - .await - .unwrap_err(); + .await + .unwrap_err(); } #[tokio::test()] 
@@ -153,7 +153,8 @@ async fn unmatched_key_cert_pair() { root_certificate: Some(pki.root_ca_crt.file_path()), ..Default::default() }) - .await - .unwrap_err(); - }).await; -} \ No newline at end of file + .await + .unwrap_err(); + }) + .await; +} diff --git a/src/test/client_invalid_tls_root_certificate_file.rs b/src/test/client_invalid_tls_root_certificate_file.rs index bcd080f..4cfdc28 100644 --- a/src/test/client_invalid_tls_root_certificate_file.rs +++ b/src/test/client_invalid_tls_root_certificate_file.rs @@ -1,7 +1,7 @@ use crate::tcp_relay_client::client_config::ClientConfig; -use crate::test::{BAD_PATH, get_port_number, LOCALHOST_IP, PortsAllocation}; use crate::test::pki::Pki; use crate::test::test_files_utils::create_temp_file_with_random_content; +use crate::test::{get_port_number, PortsAllocation, BAD_PATH, LOCALHOST_IP}; const VALID_TOKEN: &str = "AvalidTOKEN"; @@ -22,8 +22,8 @@ async fn invalid_file_type() { root_certificate: Some(pki.expired_client_key.file_path()), ..Default::default() }) - .await - .unwrap_err(); + .await + .unwrap_err(); } #[tokio::test()] @@ -37,8 +37,8 @@ async fn non_existing_file() { root_certificate: Some(BAD_PATH.to_string()), ..Default::default() }) - .await - .unwrap_err(); + .await + .unwrap_err(); } #[tokio::test()] @@ -54,6 +54,6 @@ async fn random_file() { root_certificate: Some(random_file.to_string_lossy().to_string()), ..Default::default() }) - .await - .unwrap_err(); + .await + .unwrap_err(); } diff --git a/src/test/mod.rs b/src/test/mod.rs index 1c44edc..4ac9d17 100644 --- a/src/test/mod.rs +++ b/src/test/mod.rs @@ -30,9 +30,9 @@ mod dummy_tcp_sockets; mod pki; mod test_files_utils; +mod client_invalid_tls_configuration; mod client_invalid_tls_root_certificate_file; mod client_try_tls_while_there_is_no_tls; -mod client_invalid_tls_configuration; mod invalid_with_token_auth; mod server_invalid_tls_config_invalid_cert; mod server_invalid_tls_config_invalid_client_crl;