Improve messages logging

This commit is contained in:
Pierre HUBERT 2022-09-02 15:40:00 +02:00
parent 391d0facd2
commit 1321cf79c6
7 changed files with 58 additions and 35 deletions

View File

@ -8,7 +8,7 @@ use tcp_over_http::tcp_relay_server::server_config::ServerConfig;
author, author,
version, version,
about, about,
long_about = "Encapsulate TCP sockets inside HTTP WebSockets" long_about = "Encapsulate TCP sockets inside HTTP WebSockets\nSource code: https://gitea.communiquons.org/pierre/tcp-over-http"
)] )]
struct CliArgs { struct CliArgs {
#[clap(subcommand)] #[clap(subcommand)]

View File

@ -94,7 +94,7 @@ pub async fn run_app(mut args: ClientConfig) -> std::io::Result<()> {
port.id, port.id,
urlencoding::encode(args.get_auth_token()) urlencoding::encode(args.get_auth_token())
) )
.replace("http", "ws"), .replace("http", "ws"),
listen_address, listen_address,
args.clone(), args.clone(),
)); ));

View File

@ -196,11 +196,16 @@ pub async fn relay_ws(
tcp_write, tcp_write,
hb: Instant::now(), hb: Instant::now(),
}; };
let resp = ws::start(relay, &req, stream); let resp = ws::start(relay, &req, stream);
log::info!( log::info!(
"Opening new WS connection for {:?} to {}", "Opening new WS connection:\
* for {:?}\
* to {}\
* token {:?}",
req.peer_addr(), req.peer_addr(),
upstream_addr upstream_addr,
query.token
); );
resp resp
} }

View File

@ -1,9 +1,9 @@
use std::sync::Arc; use std::sync::Arc;
use std::time::SystemTime; use std::time::SystemTime;
use rustls::{Certificate, DistinguishedNames, Error, RootCertStore};
use rustls::internal::msgs::enums::AlertDescription; use rustls::internal::msgs::enums::AlertDescription;
use rustls::server::{AllowAnyAuthenticatedClient, ClientCertVerified, ClientCertVerifier}; use rustls::server::{AllowAnyAuthenticatedClient, ClientCertVerified, ClientCertVerifier};
use rustls::{Certificate, DistinguishedNames, Error, RootCertStore};
use x509_parser::prelude::{CertificateRevocationList, FromDer, X509Certificate}; use x509_parser::prelude::{CertificateRevocationList, FromDer, X509Certificate};
use crate::base::cert_utils::parse_pem_certificates; use crate::base::cert_utils::parse_pem_certificates;
@ -86,14 +86,14 @@ impl ClientCertVerifier for CustomCertClientVerifier {
intermediates: &[Certificate], intermediates: &[Certificate],
now: SystemTime, now: SystemTime,
) -> Result<ClientCertVerified, Error> { ) -> Result<ClientCertVerified, Error> {
let (_rem, cert) =
X509Certificate::from_der(&end_entity.0).expect("Failed to read certificate!");
// Check the certificates sent by the client has been revoked // Check the certificates sent by the client has been revoked
if let Some(crl) = &self.crl { if let Some(crl) = &self.crl {
let (_rem, crl) = let (_rem, crl) =
CertificateRevocationList::from_der(crl).expect("Failed to read CRL!"); CertificateRevocationList::from_der(crl).expect("Failed to read CRL!");
let (_rem, cert) =
X509Certificate::from_der(&end_entity.0).expect("Failed to read certificate!");
for revoked in crl.iter_revoked_certificates() { for revoked in crl.iter_revoked_certificates() {
if revoked.user_certificate == cert.serial { if revoked.user_certificate == cert.serial {
log::error!( log::error!(
@ -106,7 +106,24 @@ impl ClientCertVerifier for CustomCertClientVerifier {
} }
} }
self.upstream_cert_verifier let result = self
.verify_client_cert(end_entity, intermediates, now) .upstream_cert_verifier
.verify_client_cert(end_entity, intermediates, now);
match result.as_ref() {
Err(e) => log::error!(
"FAILED authentication attempt from Serial={} / Subject={} : {}",
cert.serial,
cert.subject,
e
),
Ok(_) => log::info!(
"SUCCESSFUL authentication attempt from Serial={} / Subject={}",
cert.serial,
cert.subject
),
}
result
} }
} }

View File

@ -2,10 +2,10 @@ use tokio::task;
use crate::tcp_relay_client::client_config::ClientConfig; use crate::tcp_relay_client::client_config::ClientConfig;
use crate::tcp_relay_server::server_config::ServerConfig; use crate::tcp_relay_server::server_config::ServerConfig;
use crate::test::{BAD_PATH, get_port_number, LOCALHOST_IP, PortsAllocation};
use crate::test::dummy_tcp_sockets::wait_for_port; use crate::test::dummy_tcp_sockets::wait_for_port;
use crate::test::pki::Pki; use crate::test::pki::Pki;
use crate::test::test_files_utils::create_temp_file_with_random_content; use crate::test::test_files_utils::create_temp_file_with_random_content;
use crate::test::{get_port_number, PortsAllocation, BAD_PATH, LOCALHOST_IP};
fn port(index: u16) -> u16 { fn port(index: u16) -> u16 {
get_port_number(PortsAllocation::ClientInvalidTlsConfiguration, index) get_port_number(PortsAllocation::ClientInvalidTlsConfiguration, index)
@ -26,8 +26,8 @@ async fn random_file_for_cert() {
tls_key: Some(pki.valid_client_key.file_path()), tls_key: Some(pki.valid_client_key.file_path()),
..Default::default() ..Default::default()
}) })
.await .await
.unwrap_err(); .unwrap_err();
} }
#[tokio::test()] #[tokio::test()]
@ -45,8 +45,8 @@ async fn random_file_for_key() {
tls_key: Some(random_file.to_string_lossy().to_string()), tls_key: Some(random_file.to_string_lossy().to_string()),
..Default::default() ..Default::default()
}) })
.await .await
.unwrap_err(); .unwrap_err();
} }
#[tokio::test()] #[tokio::test()]
@ -63,8 +63,8 @@ async fn bad_pem_file_for_cert() {
tls_key: Some(pki.valid_client_key.file_path()), tls_key: Some(pki.valid_client_key.file_path()),
..Default::default() ..Default::default()
}) })
.await .await
.unwrap_err(); .unwrap_err();
} }
#[tokio::test()] #[tokio::test()]
@ -81,8 +81,8 @@ async fn bad_pem_file_for_key() {
tls_key: Some(pki.root_ca_crl.file_path()), tls_key: Some(pki.root_ca_crl.file_path()),
..Default::default() ..Default::default()
}) })
.await .await
.unwrap_err(); .unwrap_err();
} }
#[tokio::test()] #[tokio::test()]
@ -99,8 +99,8 @@ async fn non_existing_cert() {
tls_key: Some(pki.valid_client_key.file_path()), tls_key: Some(pki.valid_client_key.file_path()),
..Default::default() ..Default::default()
}) })
.await .await
.unwrap_err(); .unwrap_err();
} }
#[tokio::test()] #[tokio::test()]
@ -117,8 +117,8 @@ async fn non_existing_key() {
tls_key: Some(BAD_PATH.to_string()), tls_key: Some(BAD_PATH.to_string()),
..Default::default() ..Default::default()
}) })
.await .await
.unwrap_err(); .unwrap_err();
} }
#[tokio::test()] #[tokio::test()]
@ -153,7 +153,8 @@ async fn unmatched_key_cert_pair() {
root_certificate: Some(pki.root_ca_crt.file_path()), root_certificate: Some(pki.root_ca_crt.file_path()),
..Default::default() ..Default::default()
}) })
.await .await
.unwrap_err(); .unwrap_err();
}).await; })
} .await;
}

View File

@ -1,7 +1,7 @@
use crate::tcp_relay_client::client_config::ClientConfig; use crate::tcp_relay_client::client_config::ClientConfig;
use crate::test::{BAD_PATH, get_port_number, LOCALHOST_IP, PortsAllocation};
use crate::test::pki::Pki; use crate::test::pki::Pki;
use crate::test::test_files_utils::create_temp_file_with_random_content; use crate::test::test_files_utils::create_temp_file_with_random_content;
use crate::test::{get_port_number, PortsAllocation, BAD_PATH, LOCALHOST_IP};
const VALID_TOKEN: &str = "AvalidTOKEN"; const VALID_TOKEN: &str = "AvalidTOKEN";
@ -22,8 +22,8 @@ async fn invalid_file_type() {
root_certificate: Some(pki.expired_client_key.file_path()), root_certificate: Some(pki.expired_client_key.file_path()),
..Default::default() ..Default::default()
}) })
.await .await
.unwrap_err(); .unwrap_err();
} }
#[tokio::test()] #[tokio::test()]
@ -37,8 +37,8 @@ async fn non_existing_file() {
root_certificate: Some(BAD_PATH.to_string()), root_certificate: Some(BAD_PATH.to_string()),
..Default::default() ..Default::default()
}) })
.await .await
.unwrap_err(); .unwrap_err();
} }
#[tokio::test()] #[tokio::test()]
@ -54,6 +54,6 @@ async fn random_file() {
root_certificate: Some(random_file.to_string_lossy().to_string()), root_certificate: Some(random_file.to_string_lossy().to_string()),
..Default::default() ..Default::default()
}) })
.await .await
.unwrap_err(); .unwrap_err();
} }

View File

@ -30,9 +30,9 @@ mod dummy_tcp_sockets;
mod pki; mod pki;
mod test_files_utils; mod test_files_utils;
mod client_invalid_tls_configuration;
mod client_invalid_tls_root_certificate_file; mod client_invalid_tls_root_certificate_file;
mod client_try_tls_while_there_is_no_tls; mod client_try_tls_while_there_is_no_tls;
mod client_invalid_tls_configuration;
mod invalid_with_token_auth; mod invalid_with_token_auth;
mod server_invalid_tls_config_invalid_cert; mod server_invalid_tls_config_invalid_cert;
mod server_invalid_tls_config_invalid_client_crl; mod server_invalid_tls_config_invalid_client_crl;