starpod-proxy 0.3.1

Opaque secret proxy for Starpod - intercepts outbound HTTP and swaps tokens for real values
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

//! TLS Man-in-the-Middle handler for HTTPS CONNECT tunnels.
//!
//! When enabled, the proxy intercepts HTTPS CONNECT requests by:
//! 1. Generating an ephemeral TLS certificate for the target hostname
//! 2. Accepting the client's TLS connection using that certificate
//! 3. Opening a real TLS connection to the target server
//! 4. Relaying HTTP requests between them, scanning for opaque tokens

use std::sync::Arc;

use aes_gcm::Aes256Gcm;
use bytes::Bytes;
use http_body_util::{BodyExt, Full};
use hyper::body::Incoming;
use hyper::server::conn::http1;
use hyper::service::service_fn;
use hyper::{Request, Response};
use hyper_util::rt::TokioIo;
use tokio::io::{AsyncRead, AsyncWrite};
use tokio_rustls::TlsAcceptor;
use tracing::{debug, warn};

use crate::ca::CertAuthority;
use crate::scan;

/// Handle a CONNECT tunnel with MITM TLS interception.
///
/// `upgraded` is the raw TCP stream from the client after the HTTP CONNECT
/// handshake. We terminate TLS with an ephemeral cert, relay requests to
/// the real server, and scan all traffic for opaque tokens.
pub async fn handle_mitm(
    upgraded: impl AsyncRead + AsyncWrite + Unpin + Send + 'static,
    hostname: String,
    port: u16,
    cipher: Arc<Aes256Gcm>,
    ca: Arc<CertAuthority>,
) {
    if let Err(e) = run_mitm(upgraded, &hostname, port, cipher, ca).await {
        debug!(host = %hostname, error = %e, "MITM session ended");
    }
}

async fn run_mitm(
    upgraded: impl AsyncRead + AsyncWrite + Unpin + Send + 'static,
    hostname: &str,
    port: u16,
    cipher: Arc<Aes256Gcm>,
    ca: Arc<CertAuthority>,
) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    // 1. Issue ephemeral cert for the target hostname
    let (cert_chain, key) = ca.issue_cert(hostname)?;

    let server_config = rustls::ServerConfig::builder()
        .with_no_client_auth()
        .with_single_cert(cert_chain, key)?;

    // 2. Accept TLS from the client using our ephemeral cert
    let acceptor = TlsAcceptor::from(Arc::new(server_config));
    let client_tls = acceptor.accept(upgraded).await?;
    debug!(host = %hostname, "MITM TLS accepted from client");

    // 3. Serve HTTP/1.1 on the MITM'd connection, forwarding to the real server
    let target_host = hostname.to_string();
    let target_port = port;

    let io = TokioIo::new(client_tls);
    http1::Builder::new()
        .preserve_header_case(true)
        .title_case_headers(true)
        .serve_connection(
            io,
            service_fn(move |req| {
                let cipher = Arc::clone(&cipher);
                let host = target_host.clone();
                let port = target_port;
                async move { forward_request(req, &host, port, &cipher).await }
            }),
        )
        .await?;

    Ok(())
}

/// Forward a single HTTP request to the real target over TLS, scanning for tokens.
async fn forward_request(
    req: Request<Incoming>,
    target_host: &str,
    target_port: u16,
    cipher: &Aes256Gcm,
) -> Result<Response<Full<Bytes>>, hyper::Error> {
    let method = req.method().clone();
    let uri = req.uri().clone();
    let path = uri.path_and_query().map(|p| p.as_str()).unwrap_or("/");

    debug!(
        method = %method,
        host = %target_host,
        path = %path,
        "MITM forwarding request"
    );

    // Read and scan the body
    let body_bytes = match req.into_body().collect().await {
        Ok(collected) => collected.to_bytes(),
        Err(e) => {
            warn!("Failed to read MITM request body: {e}");
            return Ok(error_response(502, "Failed to read request body"));
        }
    };

    let body_result = scan::scan_and_replace(cipher, &body_bytes, target_host);
    if body_result.replaced > 0 || body_result.stripped > 0 {
        debug!(
            replaced = body_result.replaced,
            stripped = body_result.stripped,
            host = %target_host,
            "Tokens processed in HTTPS request"
        );
    }

    // Forward to real server via reqwest (which handles TLS to the target)
    let url = format!("https://{target_host}:{target_port}{path}");
    let client = reqwest::Client::builder()
        .no_proxy()
        .build()
        .unwrap_or_default();

    let resp = match client
        .request(method.clone(), &url)
        .body(body_result.data)
        .send()
        .await
    {
        Ok(r) => r,
        Err(e) => {
            warn!(host = %target_host, error = %e, "MITM upstream request failed");
            return Ok(error_response(502, &format!("Upstream error: {e}")));
        }
    };

    let status = resp.status();
    let resp_body = resp.bytes().await.unwrap_or_default();

    Ok(Response::builder()
        .status(status.as_u16())
        .body(Full::new(resp_body))
        .unwrap_or_else(|_| error_response(500, "Internal proxy error")))
}

fn error_response(status: u16, msg: &str) -> Response<Full<Bytes>> {
    Response::builder()
        .status(status)
        .body(Full::new(Bytes::from(msg.to_string())))
        .unwrap()
}