// Copyright 2020 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "system-proxy/proxy_connect_job.h"
#include <algorithm>
#include <utility>
#include <vector>
#include <curl/curl.h>
#include <curl/easy.h>
#include <base/base64.h>
#include <base/bind.h>
#include <base/bind_helpers.h>
#include <base/callback_helpers.h>
#include <base/files/file_util.h>
#include <base/strings/stringprintf.h>
#include <base/strings/string_split.h>
#include <base/strings/string_util.h>
#include <base/time/time.h>
#include <brillo/http/http_transport.h>
#include <chromeos/patchpanel/net_util.h>
#include <chromeos/patchpanel/socket.h>
#include <chromeos/patchpanel/socket_forwarder.h>
#include "system-proxy/curl_socket.h"
// The libarcnetwork-util library overloads << for socket data structures.
// Those overloads live in the patchpanel namespace, so unqualified lookup from
// this file's namespaces does not find them on its own. The using-declaration
// below makes the overloads available in this namespace.
using patchpanel::operator<<;
namespace {
// There is no RFC recommendation for the maximum size of HTTP request headers,
// but popular HTTP server implementations (Apache, IIS, Tomcat) set the lower
// limit to 8000. TryReadHttpHeader() sizes its buffer with this value and stops
// reading once this many bytes have arrived without an end-of-headers marker,
// which bounds the memory one client connection can make the proxy allocate.
constexpr int kMaxHttpRequestHeadersSize = 8000;
// The only request method accepted by GetUriAuthorityFromHttpHeader().
constexpr char kConnectMethod[] = "CONNECT";
// Passed to libcurl as CURLOPT_CONNECTTIMEOUT_MS.
constexpr base::TimeDelta kCurlConnectTimeout = base::TimeDelta::FromMinutes(2);
// When a read from the client socket fails, at most this many of the bytes
// received so far are kept so that they can be written to the error log.
constexpr size_t kMaxBadRequestPrintSize = 120;
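// Marks the end of an HTTP header block: the CRLF that terminates the last
// header line, followed by an empty line (a second CRLF). All HTTP header
// lines end with CRLF, and HTTP CONNECT requests have no body, so the end of
// the headers is also the end of the request.
// Declared constexpr (not just const) so that the views are guaranteed to be
// constant-initialized and can be used in constant expressions.
constexpr std::string_view kCrlfCrlf = "\r\n\r\n";
// HTTP error replies produced by this proxy itself (status codes: RFC 7231,
// section 6.1). The reason phrase carries "Origin: local proxy" as debugging
// information about where the error was generated.
constexpr std::string_view kHttpBadRequest =
    "HTTP/1.1 400 Bad Request - Origin: local proxy\r\n\r\n";
constexpr std::string_view kHttpInternalServerError =
    "HTTP/1.1 500 Internal Server Error - Origin: local proxy\r\n\r\n";
constexpr std::string_view kHttpBadGateway =
    "HTTP/1.1 502 Bad Gateway - Origin: local proxy\r\n\r\n";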
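// Returns true when the |headers_size| bytes at |headers| end with an HTTP
// empty line, i.e. a line that contains only CRLF and directly follows a line
// ending with CRLF (the buffer ends in CRLF CRLF). At least one byte has to
// precede that terminator; a buffer holding nothing but the terminator does
// not match. A null |headers| or a non-positive |headers_size| yields false.
bool IsEndingWithHttpEmptyLine(const char* headers, int headers_size) {
  // Reject non-positive sizes before doing any unsigned arithmetic. A negative
  // int compared against a size_t is converted to a very large unsigned value,
  // which would pass the length check and let memcmp read outside the buffer.
  if (headers == nullptr || headers_size <= 0)
    return false;
  const size_t size = static_cast<size_t>(headers_size);
  if (size <= kCrlfCrlf.size())
    return false;
  const char* tail = headers + (size - kCrlfCrlf.size());
  return std::memcmp(kCrlfCrlf.data(), tail, kCrlfCrlf.size()) == 0;
}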
// CURLOPT_HEADERFUNCTION callback that keeps only the headers of the last
// response sent by the server. |userdata| is the std::vector<char> registered
// on the libcurl handle through CURLOPT_HEADERDATA.
//
// From the libcurl documentation: the callback is invoked for every response
// received from the proxy server after the connection request was initiated,
// once per header, and only complete header lines are passed in. Several
// responses can arrive during an authentication sequence. Only the headers of
// the last one may be forwarded to the System-proxy client, so that the client
// gets a valid HTTP reply and authentication data from the intermediate
// messages is not leaked to it.
//
// Returns the number of bytes consumed, which is always the full chunk.
//
// NOTE(review): the discarded intermediate headers are still written to the
// verbose log (VLOG(1)); if they can carry authentication material, that log
// level exposes it - confirm this is acceptable.
// NOTE(review): the accumulated size is passed to a helper taking an int;
// this presumably relies on libcurl keeping response headers small - confirm.
static size_t WriteHeadersCallback(char* contents,
                                   size_t size,
                                   size_t nmemb,
                                   void* userdata) {
  auto* headers = static_cast<std::vector<char>*>(userdata);
  const size_t chunk_size = size * nmemb;

  // A buffer that already ends with an empty line holds a complete earlier
  // response, so the incoming line starts a new HTTP message: drop the old
  // one before storing anything.
  const bool previous_message_complete =
      IsEndingWithHttpEmptyLine(headers->data(), headers->size());
  if (previous_message_complete) {
    VLOG(1) << "Removing the http reply headers from the server "
            << base::StringPiece(headers->data(), headers->size());
    headers->clear();
  }

  headers->insert(headers->end(), contents, contents + chunk_size);
  return chunk_size;
}
// CONNECT requests may have a reply body. This method will capture the reply
// and save it in |userdata|. |userdata| is set on the libcurl CURL handle
// used to configure the request, using the the CURLOPT_WRITEDATA option.
static size_t WriteCallback(char* contents,
size_t size,
size_t nmemb,
void* userdata) {
std::vector<char>* vec = (std::vector<char>*)userdata;
vec->insert(vec->end(), contents, contents + (nmemb * size));
return size * nmemb;
}
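// Parses the first line of the HTTP CONNECT request and extracts the URI
// authority, defined in RFC3986, section 3.2, as the host name and port number
// separated by a colon. The destination is specified in the request line
// (RFC2817, section 5.2):
//   CONNECT server.example.com:80 HTTP/1.1
// Returns the destination as host:port when the first line of |raw_request|
// (the Request-Line) is a correctly formed CONNECT request, and an empty
// string otherwise. A line is rejected when
//  - no CR or LF terminates it,
//  - it does not consist of exactly three space-separated elements,
//  - the method is not CONNECT, or
//  - the target contains a path, query, fragment or userinfo delimiter.
// |raw_request| comes straight from the client socket and the returned value
// is later handed to libcurl as the URL to connect to, so anything that is not
// plainly of the host:port form is refused here.
std::string GetUriAuthorityFromHttpHeader(
    const std::vector<char>& raw_request) {
  base::StringPiece request(raw_request.data(), raw_request.size());
  // Request-Line ends with CRLF (RFC2616, section 5.1).
  const size_t line_end = request.find_first_of("\r\n");
  if (line_end == base::StringPiece::npos)
    return std::string();
  // Elements are delimited by a space (SP); runs of spaces are collapsed.
  const auto pieces =
      base::SplitString(request.substr(0, line_end), " ",
                        base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
  // Request-Line has the format: Method SP Request-URI SP HTTP-Version CRLF.
  // Extra elements make the line malformed just like missing ones do.
  if (pieces.size() != 3)
    return std::string();
  if (pieces[0] != kConnectMethod)
    return std::string();
  const std::string& authority = pieces[1];
  // A host:port target has no path ('/'), query ('?'), fragment ('#') or
  // userinfo ('@') part.
  if (authority.find_first_of("/?#@") != std::string::npos)
    return std::string();
  return authority;
}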
} // namespace
namespace system_proxy {
// Creates a job for one client connection.
// |socket| is the accepted client socket; the job takes ownership of it.
// |credentials| is copied and later passed to libcurl as CURLOPT_PROXYUSERPWD.
// |resolve_proxy_callback| is run once with the requested target to obtain the
// list of proxy servers.
// |setup_finished_callback| is run once when the connection setup ends, with
// the socket forwarder on success or nullptr on failure.
ProxyConnectJob::ProxyConnectJob(
std::unique_ptr<patchpanel::Socket> socket,
const std::string& credentials,
ResolveProxyCallback resolve_proxy_callback,
OnConnectionSetupFinishedCallback setup_finished_callback)
: credentials_(credentials),
resolve_proxy_callback_(std::move(resolve_proxy_callback)),
setup_finished_callback_(std::move(setup_finished_callback)) {
// Assigned in the body rather than in the initializer list.
client_socket_ = std::move(socket);
}
// Members release their resources themselves; nothing extra to do here.
ProxyConnectJob::~ProxyConnectJob() = default;
// Switches the client socket to non-blocking mode and starts waiting for the
// client's request. Returns true when the read watcher was installed. On
// failure a "500 Internal Server Error" reply is sent to the client
// (best effort, the send result is not checked) and false is returned.
bool ProxyConnectJob::Start() {
  const bool is_non_blocking = base::SetNonBlocking(client_socket_->fd());
  if (is_non_blocking) {
    // base::Unretained: the watcher is stored in |read_watcher_|, a member of
    // this object, so the callback is presumably never run after the job is
    // destroyed - confirm if the watcher's ownership ever changes.
    read_watcher_ = base::FileDescriptorWatcher::WatchReadable(
        client_socket_->fd(),
        base::Bind(&ProxyConnectJob::OnClientReadReady,
                   base::Unretained(this)));
    return true;
  }

  // PLOG goes first so that it reports the errno of the failed call.
  PLOG(ERROR) << *this << " Failed to mark the socket as non-blocking.";
  client_socket_->SendTo(kHttpInternalServerError.data(),
                         kHttpInternalServerError.size());
  return false;
}
// Runs when the client socket becomes readable. Reads the HTTP CONNECT
// request, extracts the requested target and asks for the proxy servers to
// use. A request that cannot be read or parsed is answered with
// "400 Bad Request" through OnError().
void ProxyConnectJob::OnClientReadReady() {
  // One notification is enough: stop watching the socket.
  read_watcher_.reset();

  // The first message should be a HTTP CONNECT request.
  std::vector<char> connect_request;
  const bool header_read = TryReadHttpHeader(&connect_request);
  if (!header_read) {
    // The bytes come from the client and are not trusted. They are logged
    // Base64-encoded, so whatever TryReadHttpHeader() left in the buffer
    // cannot inject line breaks or control characters into the log.
    const base::StringPiece received(connect_request.data(),
                                     connect_request.size());
    std::string encoded_request;
    base::Base64Encode(received, &encoded_request);
    LOG(ERROR) << *this
               << " Failure to read proxy CONNECT request. Base 64 encoded "
                  "request message from client: "
               << encoded_request;
    OnError(kHttpBadRequest);
    return;
  }

  target_url_ = GetUriAuthorityFromHttpHeader(connect_request);
  if (target_url_.empty()) {
    LOG(ERROR)
        << *this
        << " Failed to extract target url from the HTTP CONNECT request.";
    OnError(kHttpBadRequest);
    return;
  }

  // base::Unretained: the resolver must not run the reply after this job was
  // destroyed - NOTE(review): nothing in this file enforces that; confirm it
  // with the owner of the job.
  auto on_resolved = base::Bind(&ProxyConnectJob::OnProxyResolution,
                                base::Unretained(this));
  std::move(resolve_proxy_callback_).Run(target_url_, std::move(on_resolved));
}
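// Reads the client's HTTP request headers into |raw_request|.
// Returns true when an HTTP empty line (end of headers) was read; in that case
// |raw_request| holds exactly the bytes received, terminator included.
// Returns false when a read fails or when kMaxHttpRequestHeadersSize bytes
// arrived without an end of headers. On every failure |raw_request| is cut
// down to at most kMaxBadRequestPrintSize bytes, so a caller that logs the
// rejected request writes a small, bounded amount of client-controlled data.
bool ProxyConnectJob::TryReadHttpHeader(std::vector<char>* raw_request) {
  const size_t max_size = static_cast<size_t>(kMaxHttpRequestHeadersSize);
  size_t read_byte_count = 0;
  raw_request->resize(max_size);
  // Read byte-by-byte and stop when reading an empty line (only CRLF) or when
  // exceeding the max buffer size.
  // TODO(acostinas, chromium:1064536) This may have some measurable performance
  // impact. We should read larger blocks of data, consume the HTTP headers,
  // cache the tunneled payload that may have already been included (e.g. TLS
  // ClientHello) and send it to server after the connection is established.
  // NOTE(review): Start() made the socket non-blocking. If RecvFrom() reports
  // "no data available yet" as a value <= 0, a request that arrives in several
  // segments is rejected here - confirm against RecvFrom()'s contract.
  while (read_byte_count < max_size) {
    if (client_socket_->RecvFrom(raw_request->data() + read_byte_count, 1) <=
        0) {
      break;
    }
    ++read_byte_count;
    if (IsEndingWithHttpEmptyLine(raw_request->data(), read_byte_count)) {
      raw_request->resize(read_byte_count);
      return true;
    }
  }
  // Failed read or oversized request. Without this truncation the oversized
  // case would hand the whole kMaxHttpRequestHeadersSize buffer to the caller.
  raw_request->resize(std::min(read_byte_count, kMaxBadRequestPrintSize));
  return false;
}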
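// Receives the result of the proxy resolution for |target_url_|, stores it in
// |proxy_servers_| and starts the connection through the first entry of the
// list. Only that first entry is tried here.
// An empty list is reported to the client as "500 Internal Server Error"
// instead of being dereferenced: front() on an empty std::list is undefined
// behaviour.
void ProxyConnectJob::OnProxyResolution(
    const std::list<std::string>& proxy_servers) {
  if (proxy_servers.empty()) {
    LOG(ERROR) << *this << " Proxy resolution returned no proxy servers.";
    OnError(kHttpInternalServerError);
    return;
  }
  proxy_servers_ = proxy_servers;
  DoCurlServerConnection(proxy_servers.front());
}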
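// Connects to |target_url_| with libcurl, through |proxy_url| unless that is
// brillo::http::kDirectProxy. On success the server's reply headers (and body,
// if any) are sent to the client, a socket forwarder between client and server
// is started and handed to |setup_finished_callback_|. On failure the client
// gets an HTTP error through OnError(): the server's own reply headers when
// libcurl received some, a locally generated error otherwise.
void ProxyConnectJob::DoCurlServerConnection(const std::string& proxy_url) {
  CURL* easyhandle = curl_easy_init();
  CURLcode res;
  curl_socket_t newSocket = CURL_SOCKET_BAD;
  std::vector<char> server_header_reply, server_body_reply;

  if (!easyhandle) {
    // Unfortunately it's not possible to get the failure reason. There is no
    // handle, so there is nothing to clean up either.
    LOG(ERROR) << *this << " Failure to create curl handle.";
    OnError(kHttpInternalServerError);
    return;
  }

  // |target_url_| was taken from the client's request line.
  curl_easy_setopt(easyhandle, CURLOPT_URL, target_url_.c_str());
  if (proxy_url != brillo::http::kDirectProxy) {
    curl_easy_setopt(easyhandle, CURLOPT_PROXY, proxy_url.c_str());
    curl_easy_setopt(easyhandle, CURLOPT_HTTPPROXYTUNNEL, 1L);
    // curl_easy_setopt() is variadic and reads this option as a long.
    curl_easy_setopt(easyhandle, CURLOPT_CONNECT_ONLY, 1L);
    // Allow libcurl to pick authentication method. Curl will use the most
    // secure one the remote site claims to support. CURLAUTH_ANY includes
    // Basic, so a proxy that offers nothing stronger receives the credentials
    // merely Base64-encoded.
    curl_easy_setopt(easyhandle, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
    curl_easy_setopt(easyhandle, CURLOPT_PROXYUSERPWD, credentials_.c_str());
  }
  // NOTE(review): CURLOPT_CONNECT_ONLY is set on the proxied path only. On the
  // direct path curl_easy_perform() runs a complete transfer for the
  // client-supplied URL instead of just opening the connection. Consider
  // setting the option on both paths and defining what is then sent to the
  // client as the reply - to be confirmed with the owners.
  curl_easy_setopt(easyhandle, CURLOPT_CONNECTTIMEOUT_MS,
                   static_cast<long>(kCurlConnectTimeout.InMilliseconds()));
  curl_easy_setopt(easyhandle, CURLOPT_HEADERFUNCTION, WriteHeadersCallback);
  curl_easy_setopt(easyhandle, CURLOPT_HEADERDATA, &server_header_reply);
  curl_easy_setopt(easyhandle, CURLOPT_WRITEFUNCTION, WriteCallback);
  curl_easy_setopt(easyhandle, CURLOPT_WRITEDATA, &server_body_reply);

  res = curl_easy_perform(easyhandle);
  if (res != CURLE_OK) {
    // The error text is streamed with <<. A comma here would make the
    // description a discarded expression and leave it out of the log.
    LOG(ERROR) << *this << " curl_easy_perform() failed with error: "
               << curl_easy_strerror(res);
    curl_easy_cleanup(easyhandle);
    if (server_header_reply.size() > 0) {
      // Send the error message from the remote server back to the client.
      OnError(std::string_view(server_header_reply.data(),
                               server_header_reply.size()));
    } else {
      OnError(kHttpInternalServerError);
    }
    return;
  }

  // Extract the socket from the curl handle. libcurl can report success and
  // still have no active socket, so the value is checked as well.
  res = curl_easy_getinfo(easyhandle, CURLINFO_ACTIVESOCKET, &newSocket);
  if (res != CURLE_OK || newSocket == CURL_SOCKET_BAD) {
    LOG(ERROR) << *this << " Failed to get socket from curl with error: "
               << curl_easy_strerror(res);
    curl_easy_cleanup(easyhandle);
    OnError(kHttpBadGateway);
    return;
  }

  // From here on the handle is released by |scoped_handle|, which is passed
  // to the CurlSocket together with the descriptor.
  ScopedCurlEasyhandle scoped_handle(easyhandle, FreeCurlEasyhandle());
  auto server_conn = std::make_unique<CurlSocket>(base::ScopedFD(newSocket),
                                                  std::move(scoped_handle));

  // Send the server reply to the client. If the connection is successful, the
  // reply headers should be "HTTP/1.1 200 Connection Established".
  if (client_socket_->SendTo(server_header_reply.data(),
                             server_header_reply.size()) !=
      server_header_reply.size()) {
    PLOG(ERROR) << *this << " Failed to send HTTP reply headers to client: "
                << base::StringPiece(server_header_reply.data(),
                                     server_header_reply.size());
    OnError(kHttpInternalServerError);
    return;
  }

  // HTTP CONNECT responses can have a payload body which should be forwarded to
  // the client.
  if (server_body_reply.size() > 0) {
    // TODO(acostinas, chromium:1064536) Resend the reply body in case of EAGAIN
    // or EWOULDBLOCK errors.
    // A failed or partial send is only logged; the setup continues.
    if (client_socket_->SendTo(server_body_reply.data(),
                               server_body_reply.size()) !=
        server_body_reply.size()) {
      PLOG(ERROR) << *this
                  << " Failed to send HTTP CONNECT reply body to client: "
                  << base::StringPiece(server_body_reply.data(),
                                       server_body_reply.size());
    }
  }

  // |client_socket_| is moved into the forwarder and is null afterwards.
  auto fwd = std::make_unique<patchpanel::SocketForwarder>(
      base::StringPrintf("%d-%d", client_socket_->fd(), server_conn->fd()),
      std::move(client_socket_), std::move(server_conn));
  // Start forwarding data between sockets.
  fwd->Start();
  std::move(setup_finished_callback_).Run(std::move(fwd), this);
}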
// Ends the connection setup with a failure: sends |http_error_message| to the
// client and reports the failure by running |setup_finished_callback_| with a
// null forwarder and this job. The send is best effort; its result is not
// checked. |client_socket_| must still be owned by the job when this is
// called.
void ProxyConnectJob::OnError(const std::string_view& http_error_message) {
  const char* const reply = http_error_message.data();
  const size_t reply_size = http_error_message.size();
  client_socket_->SendTo(reply, reply_size);
  // The callback is consumed by this call.
  std::move(setup_finished_callback_).Run(nullptr, this);
}
// Writes a short description of |job| for log messages: the client socket's
// descriptor and, once it is known, the requested target, as
// "{fd: N, url: host:port}".
// |job.client_socket_| is dereferenced without a check, so a job must not be
// streamed after its client socket was moved into the forwarder.
// NOTE(review): |target_url_| originates from the client's request line and
// is written as received.
std::ostream& operator<<(std::ostream& stream, const ProxyConnectJob& job) {
  stream << "{fd: " << job.client_socket_->fd();
  const bool has_target = !job.target_url_.empty();
  if (has_target)
    stream << ", url: " << job.target_url_;
  return stream << "}";
}
} // namespace system_proxy