feat(dgw): proxy-based credential injection for RDP

Issue: ARC-277

Author: CBenoit

Cargo.lock

@@ -26,9 +26,12 @@ devolutions-gateway-task = { path = "../crates/devolutions-gateway-task" }
 devolutions-log = { path = "../crates/devolutions-log" }
 job-queue = { path = "../crates/job-queue" }
 job-queue-libsql = { path = "../crates/job-queue-libsql" }
-ironrdp-pdu = { version = "0.1", git = "https://github.com/Devolutions/IronRDP", rev = "7c268d863048d0a9182b3f7bf778668de8db4ccf", features = ["std"] }
-ironrdp-core = { version = "0.1", git = "https://github.com/Devolutions/IronRDP", rev = "7c268d863048d0a9182b3f7bf778668de8db4ccf", features = ["std"] }
-ironrdp-rdcleanpath = { version = "0.1", git = "https://github.com/Devolutions/IronRDP", rev = "7c268d863048d0a9182b3f7bf778668de8db4ccf" }
+ironrdp-pdu = { version = "0.5", features = ["std"] }
+ironrdp-core = { version = "0.1", features = ["std"] }
+ironrdp-rdcleanpath = "0.1"
+ironrdp-tokio = { version = "0.4", default-features = false }
+ironrdp-connector = { version = "0.5" }
+ironrdp-acceptor = { version = "0.5" }
 ceviche = "0.6.1"
 picky-krb = "0.9"
 network-scanner = { version = "0.0.0", path = "../crates/network-scanner" }
@@ -65,6 +68,7 @@ picky = { version = "7.0.0-rc.10", default-features = false, features = ["jose",
 zeroize = { version = "1.8", features = ["derive"] }
 multibase = "0.9"
 argon2 = { version = "0.5", features = ["std"] }
+x509-cert = { version = "0.2", default-features = false, features = ["std"] }
 
 # Logging
 tracing = "0.1"

devolutions-gateway/Cargo.toml

@@ -152,63 +152,59 @@ impl Conf {
             .any(|l| matches!(l.internal_url.scheme(), "https" | "wss"));
 
         let tls = match conf_file.tls_certificate_source.unwrap_or_default() {
-            _ if !requires_tls => {
-                trace!("Not configured to use HTTPS, ignoring TLS configuration");
-                None
-            }
-            dto::CertSource::External => {
-                let certificate_path = conf_file
-                    .tls_certificate_file
-                    .as_ref()
-                    .context("TLS usage implied, but TLS certificate file is missing")?;
-
-                let (certificates, private_key) = match certificate_path.extension() {
-                    Some("pfx" | "p12") => read_pfx_file(certificate_path, conf_file.tls_private_key_password.as_ref())
-                        .context("read PFX/PKCS12 file")?,
-                    None | Some(_) => {
-                        let certificates =
-                            read_rustls_certificate_file(certificate_path).context("read TLS certificate")?;
-
-                        let private_key = conf_file
-                            .tls_private_key_file
-                            .as_ref()
-                            .context("TLS private key file is missing")?
-                            .pipe_deref(read_rustls_priv_key_file)
-                            .context("read TLS private key")?;
-
-                        (certificates, private_key)
-                    }
-                };
-
-                let cert_source = crate::tls::CertificateSource::External {
-                    certificates,
-                    private_key,
-                };
-
-                Tls::init(cert_source).context("failed to init TLS config")?.pipe(Some)
-            }
-            dto::CertSource::System => {
-                let cert_subject_name = conf_file
-                    .tls_certificate_subject_name
-                    .clone()
-                    .context("TLS usage implied, but TLS certificate subject name is missing")?;
-
-                let store_location = conf_file.tls_certificate_store_location.unwrap_or_default();
-
-                let store_name = conf_file
-                    .tls_certificate_store_name
-                    .clone()
-                    .unwrap_or_else(|| String::from("My"));
+            dto::CertSource::External => match conf_file.tls_certificate_file.as_ref() {
+                None if requires_tls => anyhow::bail!("TLS usage implied, but TLS certificate file is missing"),
+                None => None,
+                Some(certificate_path) => {
+                    let (certificates, private_key) = match certificate_path.extension() {
+                        Some("pfx" | "p12") => {
+                            read_pfx_file(certificate_path, conf_file.tls_private_key_password.as_ref())
+                                .context("read PFX/PKCS12 file")?
+                        }
+                        None | Some(_) => {
+                            let certificates =
+                                read_rustls_certificate_file(certificate_path).context("read TLS certificate")?;
+
+                            let private_key = conf_file
+                                .tls_private_key_file
+                                .as_ref()
+                                .context("TLS private key file is missing")?
+                                .pipe_deref(read_rustls_priv_key_file)
+                                .context("read TLS private key")?;
+
+                            (certificates, private_key)
+                        }
+                    };
 
-                let cert_source = crate::tls::CertificateSource::SystemStore {
-                    machine_hostname: hostname.clone(),
-                    cert_subject_name,
-                    store_location,
-                    store_name,
-                };
+                    let cert_source = crate::tls::CertificateSource::External {
+                        certificates,
+                        private_key,
+                    };
 
-                Tls::init(cert_source).context("failed to init TLS config")?.pipe(Some)
-            }
+                    Tls::init(cert_source).context("failed to init TLS config")?.pipe(Some)
+                }
+            },
+            dto::CertSource::System => match conf_file.tls_certificate_subject_name.clone() {
+                None if requires_tls => anyhow::bail!("TLS usage implied, but TLS certificate subject name is missing"),
+                None => None,
+                Some(cert_subject_name) => {
+                    let store_location = conf_file.tls_certificate_store_location.unwrap_or_default();
+
+                    let store_name = conf_file
+                        .tls_certificate_store_name
+                        .clone()
+                        .unwrap_or_else(|| String::from("My"));
+
+                    let cert_source = crate::tls::CertificateSource::SystemStore {
+                        machine_hostname: hostname.clone(),
+                        cert_subject_name,
+                        store_location,
+                        store_name,
+                    };
+
+                    Tls::init(cert_source).context("failed to init TLS config")?.pipe(Some)
+                }
+            },
         };
 
         // Sanity check
@@ -1089,7 +1085,7 @@ pub mod dto {
             match self {
                 VerbosityProfile::Default => "info",
                 VerbosityProfile::Debug => {
-                    "info,devolutions_gateway=debug,devolutions_gateway::api=trace,jmux_proxy=debug,tower_http=trace,job_queue=trace,job_queue_libsql=trace"
+                    "info,devolutions_gateway=debug,devolutions_gateway::api=trace,jmux_proxy=debug,tower_http=trace,job_queue=trace,job_queue_libsql=trace,devolutions_gateway::rdp_proxy=trace"
                 }
                 VerbosityProfile::Tls => {
                     "info,devolutions_gateway=debug,devolutions_gateway::tls=trace,rustls=trace,tokio_rustls=debug"

devolutions-gateway/src/config.rs

@@ -1,6 +1,5 @@
 use core::fmt;
 use std::collections::HashMap;
-use std::str::FromStr;
 use std::sync::Arc;
 
 use anyhow::Context;
@@ -47,10 +46,6 @@ impl CredentialStoreHandle {
     pub fn get(&self, token_id: Uuid) -> Option<ArcCredentialEntry> {
         self.0.lock().get(token_id)
     }
-
-    pub fn remove(&self, token_id: Uuid) -> Option<ArcCredentialEntry> {
-        self.0.lock().remove(token_id)
-    }
 }
 
 #[derive(Debug)]
@@ -80,15 +75,7 @@ impl CredentialStore {
         mapping: Option<AppCredentialMapping>,
         time_to_live: time::Duration,
     ) -> anyhow::Result<Option<ArcCredentialEntry>> {
-        use picky::jose::jws::RawJws;
-
-        let jws = RawJws::decode(&token)
-            .context("failed to parse the provided JWS")?
-            .discard_signature();
-        let payload = serde_json::from_slice::<serde_json::Value>(&jws.payload).context("parse JWS payload")?;
-        let jti = payload.get("jti").context("jti is missing from the token")?;
-        let jti = jti.as_str().context("jti value is malformed")?;
-        let jti = Uuid::from_str(jti).context("jti is not a valid UUID string")?;
+        let jti = crate::token::extract_jti(&token).context("failed to extract token ID")?;
 
         let entry = CredentialEntry {
             token,
@@ -104,10 +91,6 @@ impl CredentialStore {
     fn get(&self, token_id: Uuid) -> Option<ArcCredentialEntry> {
         self.entries.get(&token_id).map(Arc::clone)
     }
-
-    fn remove(&mut self, token_id: Uuid) -> Option<ArcCredentialEntry> {
-        self.entries.remove(&token_id)
-    }
 }
 
 #[derive(PartialEq, Eq, Clone, zeroize::Zeroize)]

devolutions-gateway/src/credential.rs

@@ -7,12 +7,13 @@ use tracing::field;
 use typed_builder::TypedBuilder;
 
 use crate::config::Conf;
+use crate::credential::CredentialStoreHandle;
 use crate::proxy::Proxy;
 use crate::rdp_pcb::{extract_association_claims, read_pcb};
 use crate::recording::ActiveRecordings;
 use crate::session::{ConnectionModeDetails, SessionInfo, SessionMessageSender};
 use crate::subscriber::SubscriberSender;
-use crate::token::{ConnectionMode, CurrentJrl, RecordingPolicy, TokenCache};
+use crate::token::{self, ConnectionMode, CurrentJrl, RecordingPolicy, TokenCache};
 use crate::utils;
 
 #[derive(TypedBuilder)]
@@ -25,11 +26,12 @@ pub struct GenericClient<S> {
     sessions: SessionMessageSender,
     subscriber_tx: SubscriberSender,
     active_recordings: Arc<ActiveRecordings>,
+    credential_store: CredentialStoreHandle,
 }
 
 impl<S> GenericClient<S>
 where
-    S: AsyncWrite + AsyncRead + Unpin,
+    S: AsyncWrite + AsyncRead + Unpin + Send + Sync,
 {
     #[instrument(
         "generic_client",
@@ -46,14 +48,15 @@ where
             sessions,
             subscriber_tx,
             active_recordings,
+            credential_store,
         } = self;
 
         let span = tracing::Span::current();
 
         let timeout = tokio::time::sleep(tokio::time::Duration::from_secs(10));
         let read_pcb_fut = read_pcb(&mut client_stream);
 
-        let (pdu, mut leftover_bytes) = tokio::select! {
+        let (pcb, mut leftover_bytes) = tokio::select! {
             () = timeout => {
                 info!("Timed out at preconnection blob reception");
                 return Ok(())
@@ -69,8 +72,14 @@ where
             }
         };
 
+        let token = pcb.v2_payload.as_deref().context("V2 payload missing from RDP PCB")?;
+
+        if conf.debug.dump_tokens {
+            debug!(token, "**DEBUG OPTION**");
+        }
+
         let source_ip = client_addr.ip();
-        let claims = extract_association_claims(&pdu, source_ip, &conf, &token_cache, &jrl, &active_recordings)?;
+        let claims = extract_association_claims(token, source_ip, &conf, &token_cache, &jrl, &active_recordings)?;
 
         span.record("session_id", claims.jet_aid.to_string())
             .record("protocol", claims.jet_ap.to_string());
@@ -93,12 +102,7 @@ where
                 trace!(%selected_target, "Connected");
                 span.record("target", selected_target.to_string());
 
-                info!("TCP forwarding");
-
-                server_stream
-                    .write_buf(&mut leftover_bytes)
-                    .await
-                    .context("failed to write leftover bytes")?;
+                let is_rdp = claims.jet_ap == token::ApplicationProtocol::Known(token::Protocol::Rdp);
 
                 let info = SessionInfo::builder()
                     .association_id(claims.jet_aid)
@@ -111,6 +115,44 @@ where
                     .filtering_policy(claims.jet_flt)
                     .build();
 
+                // We support proxy-based credential injection for RDP.
+                // If a credential mapping has been pushed, we automatically switch to this mode.
+                // Otherwise, we continue the generic procedure.
+                if is_rdp {
+                    let token_id = token::extract_jti(token).context("failed to extract jti claim from token")?;
+
+                    if let Some(entry) = credential_store.get(token_id) {
+                        anyhow::ensure!(token == entry.token, "token mismatch");
+
+                        // NOTE: In the future, we could imagine performing proxy-based recording as well using RdpProxy.
+                        if entry.mapping.is_some() {
+                            return crate::rdp_proxy::RdpProxy::builder()
+                                .conf(conf)
+                                .session_info(info)
+                                .client_addr(client_addr)
+                                .client_stream(client_stream)
+                                .server_addr(server_addr)
+                                .server_stream(server_stream)
+                                .sessions(sessions)
+                                .subscriber_tx(subscriber_tx)
+                                .credential_entry(entry)
+                                .client_stream_leftover_bytes(leftover_bytes)
+                                .server_dns_name(selected_target.host().to_owned())
+                                .build()
+                                .run()
+                                .await
+                                .context("encountered a failure during RDP proxying (credential injection)");
+                        }
+                    }
+                }
+
+                info!("TCP forwarding");
+
+                server_stream
+                    .write_buf(&mut leftover_bytes)
+                    .await
+                    .context("failed to write leftover bytes")?;
+
                 Proxy::builder()
                     .conf(conf)
                     .session_info(info)

devolutions-gateway/src/generic_client.rs

@@ -30,6 +30,7 @@ pub mod plugin_manager;
 pub mod proxy;
 pub mod rd_clean_path;
 pub mod rdp_pcb;
+pub mod rdp_proxy;
 pub mod recording;
 pub mod session;
 pub mod streaming;

devolutions-gateway/src/lib.rs

@@ -155,6 +155,7 @@ async fn handle_tcp_peer(stream: TcpStream, state: DgwState, peer_addr: SocketAd
                 .sessions(state.sessions)
                 .subscriber_tx(state.subscriber_tx)
                 .active_recordings(state.recordings.active_recordings)
+                .credential_store(state.credential_store)
                 .build()
                 .serve()
                 .await?;

devolutions-gateway/src/listener.rs

@@ -233,6 +233,7 @@ async fn run_tcp_tunnel(mut tunnel: ngrok::tunnel::TcpTunnel, state: DgwState) {
                         .sessions(state.sessions)
                         .subscriber_tx(state.subscriber_tx)
                         .active_recordings(state.recordings.active_recordings)
+                        .credential_store(state.credential_store)
                         .build()
                         .serve()
                         .await

devolutions-gateway/src/ngrok.rs

@@ -11,19 +11,13 @@ use crate::recording::ActiveRecordings;
 use crate::token::{AccessTokenClaims, AssociationTokenClaims, CurrentJrl, TokenCache, TokenValidator};
 
 pub fn extract_association_claims(
-    pcb: &PreconnectionBlob,
+    token: &str,
     source_ip: IpAddr,
     conf: &Conf,
     token_cache: &TokenCache,
     jrl: &CurrentJrl,
     active_recordings: &ActiveRecordings,
 ) -> anyhow::Result<AssociationTokenClaims> {
-    let token = pcb.v2_payload.as_deref().context("V2 payload missing from RDP PCB")?;
-
-    if conf.debug.dump_tokens {
-        debug!(token, "**DEBUG OPTION**");
-    }
-
     let delegation_key = conf.delegation_private_key.as_ref();
 
     let claims = if conf.debug.disable_token_validation {