support the use of teh Authentcation header instead of a cookie to find the right port

418f2449 · Chris Hines · 939c4198 · 418f2449 · 418f2449 · 418f2449
Commit 418f2449 authored 4 years ago by Chris Hines
--- a/tes/__init__.py
+++ b/tes/__init__.py
@@ -37,6 +37,8 @@ from . import apiendpoints
 def after_cleanup_sessions(response):
    import logging
    logger=logging.getLogger()
+    slist = []
+    klist = []
    try:
        sshsessid = session.get('sshsessid', None)

@@ -49,8 +51,13 @@ def after_cleanup_sessions(response):
        for k, sshsess in list(sshsessions.items()):
            if datetime.datetime.now() > sshsess.last + ttl:
                logger.debug("session last seen at {} now {}".format(sshsess.last,datetime.datetime.now()))
-                sshsess.kill()
-                del sshsessions[k]
+                slist.append(sshsess)
+                klist.append(k)
+        # Two keys may point at the same session. In particular an authentication token and our twsproxyauth cookie can both identify a session
+        for k in klist:
+            del sshsessions[k]
+        for s in slist:
+            s.kill()
    except:
        logger.error('failed to cleanup old sessions')


--- a/tes/apiendpoints.py
+++ b/tes/apiendpoints.py
@@ -448,7 +448,10 @@ class AppUrl(Resource):
 class SetTWSProxyAuth(Resource):
    def get(self, authtok):
        import urllib.parse
+        import logging
+        logger = logging.getLogger()
        url = urllib.parse.unquote(request.args.get('redirect'))
+        logger.debug('SetTWSProxyAuth will redirect to {}'.format(url))
        response = make_response(redirect(url))
        response.set_cookie('twsproxyauth', authtok, secure=True)
        return response
@@ -552,7 +555,10 @@ class CreateTunnel(Resource):
            else:
                localbind = True
            sshsess = SSHSession.get_sshsession()
-            authtok = gen_authtok()
+            if 'authtok' in data:
+                authtok = data['authtok']
+            else:
+                authtok = gen_authtok()
            port,pids = Ssh.tunnel(sshsess, port=port, batchhost=batchhost,
                       user=username, host=loginhost,
                       internalfirewall=firewall,

--- a/twsproxy/__init__.py
+++ b/twsproxy/__init__.py
@@ -97,9 +97,24 @@ class TWSProxy(threading.Thread):

    @staticmethod
    def verifyauth(header):
+        # We are looking for either 
+        # 1. An Authentication header that we can map to an ssh session
+        # 2. A cookie called twsproxyauth that we can make to an ssh sesssion
        import re
        import requests
        logger = logging.getLogger()
+        token = b'Authentication: (?P<authtok>\w+)[\W|$]'
+        m = re.search(token,header)
+        if m:
+            authtok = m.groupdict()['authtok']
+            s = requests.Session()
+            url = TES+'tunnelstat/'+authtok.decode()
+            try:
+                r = s.get(url)
+                port = r.json()
+            except:
+                raise Exception('unable to get a port number for the authtok {}'.format(r.text))
+            return port
        token = b'twsproxyauth=(?P<authtok>\w+)[\W|$]'
        m = re.search(token,header)
        if m: