feat: add configuration options to support mtls

coryb · coryb · commit 8a270101acb8 · 2023-10-22T16:47:29.000-07:00
adding options to support mtls with the coder server.  This supports
adding PEM certs and keys to the tls requests, and also supports
adding a CA cert to the trust store.  Also allowing for an alternate
hostname that may appear in the certs which is useful for testing or
for non-standard cert usage.
diff --git a/src/main/kotlin/com/coder/gateway/CoderSettingsConfigurable.kt b/src/main/kotlin/com/coder/gateway/CoderSettingsConfigurable.kt
@@ -73,6 +73,34 @@ class CoderSettingsConfigurable : BoundConfigurable("Coder") {
                         CoderGatewayBundle.message("gateway.connector.settings.header-command.comment")
                     )
             }.layout(RowLayout.PARENT_GRID)
+            row(CoderGatewayBundle.message("gateway.connector.settings.tls-cert-path.title")) {
+                textField().resizableColumn().align(AlignX.FILL)
+                    .bindText(state::tlsCertPath)
+                    .comment(
+                        CoderGatewayBundle.message("gateway.connector.settings.tls-cert-path.comment")
+                    )
+            }.layout(RowLayout.PARENT_GRID)
+            row(CoderGatewayBundle.message("gateway.connector.settings.tls-key-path.title")) {
+                textField().resizableColumn().align(AlignX.FILL)
+                    .bindText(state::tlsKeyPath)
+                    .comment(
+                        CoderGatewayBundle.message("gateway.connector.settings.tls-key-path.comment")
+                    )
+            }.layout(RowLayout.PARENT_GRID)
+            row(CoderGatewayBundle.message("gateway.connector.settings.tls-ca-path.title")) {
+                textField().resizableColumn().align(AlignX.FILL)
+                    .bindText(state::tlsCAPath)
+                    .comment(
+                        CoderGatewayBundle.message("gateway.connector.settings.tls-ca-path.comment")
+                    )
+            }.layout(RowLayout.PARENT_GRID)
+            row(CoderGatewayBundle.message("gateway.connector.settings.tls-alt-name.title")) {
+                textField().resizableColumn().align(AlignX.FILL)
+                    .bindText(state::tlsAlternateHostname)
+                    .comment(
+                        CoderGatewayBundle.message("gateway.connector.settings.tls-alt-name.comment")
+                    )
+            }.layout(RowLayout.PARENT_GRID)
         }
     }
 
diff --git a/src/main/kotlin/com/coder/gateway/sdk/CoderCLIManager.kt b/src/main/kotlin/com/coder/gateway/sdk/CoderCLIManager.kt
@@ -22,6 +22,7 @@ import java.nio.file.StandardCopyOption
 import java.security.DigestInputStream
 import java.security.MessageDigest
 import java.util.zip.GZIPInputStream
+import javax.net.ssl.HttpsURLConnection
 import javax.xml.bind.annotation.adapters.HexBinaryAdapter
 
 
@@ -104,6 +105,10 @@ class CoderCLIManager @JvmOverloads constructor(
             conn.setRequestProperty("If-None-Match", "\"$etag\"")
         }
         conn.setRequestProperty("Accept-Encoding", "gzip")
+        if (conn is HttpsURLConnection) {
+            conn.sslSocketFactory = coderSocketFactory()
+            conn.hostnameVerifier = CoderHostnameVerifier()
+        }
 
         try {
             conn.connect()
diff --git a/src/main/kotlin/com/coder/gateway/sdk/CoderRestClientService.kt b/src/main/kotlin/com/coder/gateway/sdk/CoderRestClientService.kt
@@ -14,21 +14,47 @@ import com.coder.gateway.sdk.v2.models.Workspace
 import com.coder.gateway.sdk.v2.models.WorkspaceBuild
 import com.coder.gateway.sdk.v2.models.WorkspaceTransition
 import com.coder.gateway.sdk.v2.models.toAgentModels
+import com.coder.gateway.services.CoderSettingsState
 import com.google.gson.Gson
 import com.google.gson.GsonBuilder
 import com.intellij.ide.plugins.PluginManagerCore
 import com.intellij.openapi.components.Service
+import com.intellij.openapi.components.service
 import com.intellij.openapi.extensions.PluginId
 import com.intellij.openapi.util.SystemInfo
 import okhttp3.OkHttpClient
+import okhttp3.internal.tls.OkHostnameVerifier
 import okhttp3.logging.HttpLoggingInterceptor
 import org.zeroturnaround.exec.ProcessExecutor
 import retrofit2.Retrofit
 import retrofit2.converter.gson.GsonConverterFactory
+import java.io.File
+import java.io.FileInputStream
 import java.net.HttpURLConnection.HTTP_CREATED
+import java.net.InetAddress
+import java.net.Socket
 import java.net.URL
+import java.security.KeyFactory
+import java.security.KeyStore
+import java.security.PrivateKey
+import java.security.cert.CertificateFactory
+import java.security.cert.X509Certificate
+import java.security.spec.InvalidKeySpecException
+import java.security.spec.PKCS8EncodedKeySpec
 import java.time.Instant
+import java.util.Base64
+import java.util.Locale
 import java.util.UUID
+import javax.net.ssl.HostnameVerifier
+import javax.net.ssl.KeyManagerFactory
+import javax.net.ssl.SNIHostName
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLSession
+import javax.net.ssl.SSLSocket
+import javax.net.ssl.SSLSocketFactory
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.TrustManager
+import javax.net.ssl.X509TrustManager
 
 @Service(Service.Level.APP)
 class CoderRestClientService {
@@ -66,7 +92,11 @@ class CoderRestClient(var url: URL, var token: String,
             pluginVersion = PluginManagerCore.getPlugin(PluginId.getId("com.coder.gateway"))!!.version // this is the id from the plugin.xml
         }
 
+        val socketFactory = coderSocketFactory()
+        val trustManagers = coderTrustManagers()
         httpClient = OkHttpClient.Builder()
+            .sslSocketFactory(socketFactory, trustManagers[0] as X509TrustManager)
+            .hostnameVerifier(CoderHostnameVerifier())
             .addInterceptor { it.proceed(it.request().newBuilder().addHeader("Coder-Session-Token", token).build()) }
             .addInterceptor { it.proceed(it.request().newBuilder().addHeader("User-Agent", "Coder Gateway/${pluginVersion} (${SystemInfo.getOsNameAndVersion()}; ${SystemInfo.OS_ARCH})").build()) }
             .addInterceptor {
@@ -218,3 +248,168 @@ class CoderRestClient(var url: URL, var token: String,
         }
     }
 }
+
+fun coderSocketFactory() : SSLSocketFactory {
+    val state: CoderSettingsState = service()
+
+    if (state.tlsCertPath.isBlank() || state.tlsKeyPath.isBlank()) {
+        return SSLSocketFactory.getDefault() as SSLSocketFactory
+    }
+
+    val certificateFactory = CertificateFactory.getInstance("X.509")
+    val certInputStream = FileInputStream(state.tlsCertPath)
+    val certChain = certificateFactory.generateCertificates(certInputStream)
+    certInputStream.close()
+
+    // ideally we would use something like PemReader from BouncyCastle, but
+    // BC is used by the IDE.  This makes using BC very impractical since
+    // type casting will mismatch due to the different class loaders.
+    val privateKeyPem = File(state.tlsKeyPath).readText()
+    val start: Int = privateKeyPem.indexOf("-----BEGIN PRIVATE KEY-----")
+    val end: Int = privateKeyPem.indexOf("-----END PRIVATE KEY-----", start)
+    val pemBytes: ByteArray = Base64.getDecoder().decode(
+        privateKeyPem.substring(start + "-----BEGIN PRIVATE KEY-----".length, end)
+            .replace("\\s+".toRegex(), "")
+    )
+
+    var privateKey : PrivateKey
+    try {
+        val kf = KeyFactory.getInstance("RSA")
+        val keySpec = PKCS8EncodedKeySpec(pemBytes)
+        privateKey = kf.generatePrivate(keySpec)
+    } catch (e: InvalidKeySpecException) {
+        val kf = KeyFactory.getInstance("EC")
+        val keySpec = PKCS8EncodedKeySpec(pemBytes)
+        privateKey = kf.generatePrivate(keySpec)
+    }
+
+    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType())
+    keyStore.load(null)
+    certChain.withIndex().forEach {
+        keyStore.setCertificateEntry("cert${it.index}", it.value as X509Certificate)
+    }
+    keyStore.setKeyEntry("key", privateKey, null, certChain.toTypedArray())
+
+    val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
+    keyManagerFactory.init(keyStore, null)
+
+    val sslContext = SSLContext.getInstance("TLS")
+
+    val trustManagers = coderTrustManagers()
+    sslContext.init(keyManagerFactory.keyManagers, trustManagers, null)
+
+    if (state.tlsAlternateHostname.isBlank()) {
+        return sslContext.socketFactory
+    }
+
+    return AlternateNameSSLSocketFactory(sslContext.socketFactory, state.tlsAlternateHostname)
+}
+
+fun coderTrustManagers() : Array<TrustManager> {
+    val state: CoderSettingsState = service()
+
+    val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+    if (state.tlsCAPath.isBlank()) {
+        // return default trust managers
+        trustManagerFactory.init(null as KeyStore?)
+        return trustManagerFactory.trustManagers
+    }
+
+
+    val certificateFactory = CertificateFactory.getInstance("X.509")
+    val caInputStream = FileInputStream(state.tlsCAPath)
+    val certChain = certificateFactory.generateCertificates(caInputStream)
+
+    val truststore = KeyStore.getInstance(KeyStore.getDefaultType())
+    truststore.load(null)
+    certChain.withIndex().forEach {
+        truststore.setCertificateEntry("cert${it.index}", it.value as X509Certificate)
+    }
+    trustManagerFactory.init(truststore)
+    return trustManagerFactory.trustManagers
+}
+
+class AlternateNameSSLSocketFactory(private val delegate: SSLSocketFactory, private val alternateName: String) : SSLSocketFactory() {
+    override fun getDefaultCipherSuites(): Array<String> {
+        return delegate.defaultCipherSuites
+    }
+
+    override fun getSupportedCipherSuites(): Array<String> {
+        return delegate.supportedCipherSuites
+    }
+
+    override fun createSocket(): Socket {
+        val socket = delegate.createSocket() as SSLSocket
+        customizeSocket(socket)
+        return socket
+    }
+
+    override fun createSocket(host: String?, port: Int): Socket {
+        val socket = delegate.createSocket(host,  port) as SSLSocket
+        customizeSocket(socket)
+        return socket
+    }
+
+    override fun createSocket(host: String?, port: Int, localHost: InetAddress?, localPort: Int): Socket {
+        val socket = delegate.createSocket(host, port, localHost, localPort) as SSLSocket
+        customizeSocket(socket)
+        return socket
+    }
+
+    override fun createSocket(host: InetAddress?, port: Int): Socket {
+        val socket = delegate.createSocket(host, port) as SSLSocket
+        customizeSocket(socket)
+        return socket
+    }
+
+    override fun createSocket(address: InetAddress?, port: Int, localAddress: InetAddress?, localPort: Int): Socket {
+        val socket = delegate.createSocket(address, port, localAddress, localPort) as SSLSocket
+        customizeSocket(socket)
+        return socket
+    }
+
+    override fun createSocket(s: Socket?, host: String?, port: Int, autoClose: Boolean): Socket {
+        val socket = delegate.createSocket(s, host, port, autoClose) as SSLSocket
+        customizeSocket(socket)
+        return socket
+    }
+
+    private fun customizeSocket(socket: SSLSocket) {
+        val params = socket.sslParameters
+        params.serverNames = listOf(SNIHostName(alternateName))
+        socket.sslParameters = params
+    }
+}
+
+class CoderHostnameVerifier() : HostnameVerifier {
+    private val alternateName: String
+
+    init {
+        val state: CoderSettingsState = service()
+        this.alternateName = state.tlsAlternateHostname.lowercase(Locale.getDefault())
+    }
+
+    override fun verify(host: String, session: SSLSession): Boolean {
+        if (alternateName.isEmpty()) {
+            return OkHostnameVerifier.verify(host, session)
+        }
+        val certs = session.peerCertificates ?: return false
+        for (cert in certs) {
+            if (cert !is X509Certificate) {
+                continue
+            }
+            val entries = cert.subjectAlternativeNames ?: continue
+            for (entry in entries) {
+                val kind = entry[0] as Int
+                if (kind != 2) { // DNS Name
+                    continue
+                }
+                val hostname = entry[1] as String
+                if (hostname.lowercase(Locale.getDefault()) == alternateName) {
+                    return true
+                }
+            }
+        }
+        return false
+    }
+}
diff --git a/src/main/kotlin/com/coder/gateway/services/CoderSettingsState.kt b/src/main/kotlin/com/coder/gateway/services/CoderSettingsState.kt
@@ -19,6 +19,10 @@ class CoderSettingsState : PersistentStateComponent<CoderSettingsState> {
     var enableDownloads: Boolean = true
     var enableBinaryDirectoryFallback: Boolean = false
     var headerCommand: String = ""
+    var tlsCertPath: String = ""
+    var tlsKeyPath: String = ""
+    var tlsCAPath: String = ""
+    var tlsAlternateHostname: String = ""
     override fun getState(): CoderSettingsState {
         return this
     }
diff --git a/src/main/resources/messages/CoderGatewayBundle.properties b/src/main/resources/messages/CoderGatewayBundle.properties
@@ -93,3 +93,21 @@ gateway.connector.settings.header-command.comment=An external command that \
   outputs additional HTTP headers added to all requests. The command must \
   output each header as `key=value` on its own line. The following \
   environment variables will be available to the process: CODER_URL.
+gateway.connector.settings.tls-cert-path.title=Cert Path:
+gateway.connector.settings.tls-cert-path.comment=Optionally set this to \
+  the path of a certificate to use for TLS connections. The certificate \
+  should be in X.509 PEM format.
+gateway.connector.settings.tls-key-path.title=Key Path:
+gateway.connector.settings.tls-key-path.comment=Optionally set this to \
+  the path of the private key that corresponds to the above cert path to use \
+  for TLS connections. The key should be in X.509 PEM format.
+gateway.connector.settings.tls-ca-path.title=CA Path:
+gateway.connector.settings.tls-ca-path.comment=Optionally set this to \
+  the path of a file containing certificates for an alternate certificate \
+  authority used to verify TLS certs returned by the Coder service. \
+  The file should be in X.509 PEM format.
+gateway.connector.settings.tls-alt-name.title=Alt Hostname:
+gateway.connector.settings.tls-alt-name.comment=Optionally set this to \
+  an alternate hostname used for verifying TLS connections. This is useful \
+  when the hostname used to connect to the Coder service does not match the \
+  hostname in the TLS certificate.
