TUN-7134: Acquire token for cloudflared tail

cloudflared tail will now fetch the management token from by making
a request to the Cloudflare API using the cert.pem (acquired from
cloudflared login).

Refactored some of the credentials code into it's own package as
to allow for easier use between subcommands outside of
`cloudflared tunnel`.

Author: DevinCarr

certutil/certutil.go

@@ -8,6 +8,7 @@ type TunnelClient interface {
 	CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error)
 	GetTunnel(tunnelID uuid.UUID) (*Tunnel, error)
 	GetTunnelToken(tunnelID uuid.UUID) (string, error)
+	GetManagementToken(tunnelID uuid.UUID) (string, error)
 	DeleteTunnel(tunnelID uuid.UUID) error
 	ListTunnels(filter *TunnelFilter) ([]*Tunnel, error)
 	ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error)

certutil/certutil_test.go

@@ -50,6 +50,10 @@ type newTunnel struct {
 	TunnelSecret []byte `json:"tunnel_secret"`
 }
 
+type managementRequest struct {
+	Resources []string `json:"resources"`
+}
+
 type CleanupParams struct {
 	queryParams url.Values
 }
@@ -133,6 +137,28 @@ func (r *RESTClient) GetTunnelToken(tunnelID uuid.UUID) (token string, err error
 	return "", r.statusCodeToError("get tunnel token", resp)
 }
 
+func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID) (token string, err error) {
+	endpoint := r.baseEndpoints.accountLevel
+	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/management", tunnelID))
+
+	body := &managementRequest{
+		Resources: []string{"logs"},
+	}
+
+	resp, err := r.sendRequest("POST", endpoint, body)
+	if err != nil {
+		return "", errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		err = parseResponse(resp.Body, &token)
+		return token, err
+	}
+
+	return "", r.statusCodeToError("get tunnel token", resp)
+}
+
 func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID) error {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))

cfapi/client.go

@@ -47,3 +47,7 @@ func (bi *BuildInfo) GetBuildTypeMsg() string {
 	}
 	return fmt.Sprintf(" with %s", bi.BuildType)
 }
+
+func (bi *BuildInfo) UserAgent() string {
+	return fmt.Sprintf("cloudflared/%s", bi.CloudflaredVersion)
+}

cfapi/tunnel.go

@@ -90,7 +90,7 @@ func main() {
 	updater.Init(Version)
 	tracing.Init(Version)
 	token.Init(Version)
-	tail.Init(Version)
+	tail.Init(bInfo)
 	runApp(app, graceShutdownC)
 }
 

cmd/cloudflared/cliutil/build_info.go

@@ -2,6 +2,7 @@ package tail
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -10,28 +11,32 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/google/uuid"
 	"github.com/mattn/go-colorable"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"nhooyr.io/websocket"
 
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/management"
 )
 
 var (
-	version string
+	buildInfo *cliutil.BuildInfo
 )
 
-func Init(v string) {
-	version = v
+func Init(bi *cliutil.BuildInfo) {
+	buildInfo = bi
 }
 
 func Command() *cli.Command {
 	return &cli.Command{
-		Name:   "tail",
-		Action: Run,
-		Usage:  "Stream logs from a remote cloudflared",
+		Name:      "tail",
+		Action:    Run,
+		Usage:     "Stream logs from a remote cloudflared",
+		UsageText: "cloudflared tail [tail command options] [TUNNEL-ID]",
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:    "connector-id",
@@ -75,6 +80,12 @@ func Command() *cli.Command {
 				Usage:   "Application logging level {debug, info, warn, error, fatal}",
 				EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			},
+			&cli.StringFlag{
+				Name:    credentials.OriginCertFlag,
+				Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
+				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
+				Value:   credentials.FindDefaultOriginCertPath(),
+			},
 		},
 	}
 }
@@ -159,6 +170,59 @@ func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 	}, nil
 }
 
+// getManagementToken will make a call to the Cloudflare API to acquire a management token for the requested tunnel.
+func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
+	userCreds, err := credentials.Read(c.String(credentials.OriginCertFlag), log)
+	if err != nil {
+		return "", err
+	}
+
+	client, err := userCreds.Client(c.String("api-url"), buildInfo.UserAgent(), log)
+	if err != nil {
+		return "", err
+	}
+
+	tunnelIDString := c.Args().First()
+	if tunnelIDString == "" {
+		return "", errors.New("no tunnel ID provided")
+	}
+	tunnelID, err := uuid.Parse(tunnelIDString)
+	if err != nil {
+		return "", errors.New("unable to parse provided tunnel id as a valid UUID")
+	}
+
+	token, err := client.GetManagementToken(tunnelID)
+	if err != nil {
+		return "", err
+	}
+
+	return token, nil
+}
+
+// buildURL will build the management url to contain the required query parameters to authenticate the request.
+func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
+	var err error
+	managementHostname := c.String("management-hostname")
+	token := c.String("token")
+	if token == "" {
+		token, err = getManagementToken(c, log)
+		if err != nil {
+			return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
+		}
+	}
+	query := url.Values{}
+	query.Add("access_token", token)
+	connector := c.String("connector-id")
+	if connector != "" {
+		connectorID, err := uuid.Parse(connector)
+		if err != nil {
+			return url.URL{}, fmt.Errorf("unabled to parse 'connector-id' flag into a valid UUID: %w", err)
+		}
+		query.Add("connector_id", connectorID.String())
+	}
+	return url.URL{Scheme: "wss", Host: managementHostname, Path: "/logs", RawQuery: query.Encode()}, nil
+}
+
 // Run implements a foreground runner
 func Run(c *cli.Context) error {
 	log := createLogger(c)
@@ -173,12 +237,14 @@ func Run(c *cli.Context) error {
 		return nil
 	}
 
-	managementHostname := c.String("management-hostname")
-	token := c.String("token")
-	u := url.URL{Scheme: "wss", Host: managementHostname, Path: "/logs", RawQuery: "access_token=" + token}
+	u, err := buildURL(c, log)
+	if err != nil {
+		log.Err(err).Msg("unable to construct management request URL")
+		return nil
+	}
 
 	header := make(http.Header)
-	header.Add("User-Agent", "cloudflared/"+version)
+	header.Add("User-Agent", buildInfo.UserAgent())
 	trace := c.String("trace")
 	if trace != "" {
 		header["cf-trace-id"] = []string{trace}
@@ -206,6 +272,11 @@ func Run(c *cli.Context) error {
 		log.Error().Err(err).Msg("unable to request logs from management tunnel")
 		return nil
 	}
+	log.Debug().
+		Str("tunnel-id", c.Args().First()).
+		Str("connector-id", c.String("connector-id")).
+		Interface("filters", filters).
+		Msg("connected")
 
 	readerDone := make(chan struct{})
 

cmd/cloudflared/main.go

@@ -28,6 +28,7 @@ import (
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
+	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/logger"
@@ -751,10 +752,10 @@ func configureCloudflaredFlags(shouldHide bool) []cli.Flag {
 			Hidden: shouldHide,
 		},
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "origincert",
+			Name:    credentials.OriginCertFlag,
 			Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 			EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
-			Value:   findDefaultOriginCertPath(),
+			Value:   credentials.FindDefaultOriginCertPath(),
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{