Merge remote-tracking branch 'origin/mr/264'

2025-10-13 11:11:30 -04:00 · 2024-03-12 08:26:04 -03:00 · 2024-03-12 08:26:04 -03:00 · d657098340
commit d657098340
parent 52fcd3d58a 91b8da423b
8 changed files with 91 additions and 21 deletions
--- a/client/lib/rendezvous.go
+++ b/client/lib/rendezvous.go
@ -94,11 +94,11 @@ func newBrokerChannelFromConfig(config ClientConfig) (*BrokerChannel, error) {
 		if config.AmpCacheURL != "" || config.BrokerURL != "" {
 			log.Fatalln("Multiple rendezvous methods specified. " + rendezvousErrorMsg)
 		}
-		if config.SQSAccessKeyID == "" || config.SQSSecretKey == "" {
-			log.Fatalln("sqsakid and sqsskey must be specified to use SQS rendezvous method.")
+		if config.SQSCredsStr == "" {
+			log.Fatalln("sqscreds must be specified to use SQS rendezvous method.")
 		}
 		log.Println("Through SQS queue at:", config.SQSQueueURL)
-		rendezvous, err = newSQSRendezvous(config.SQSQueueURL, config.SQSAccessKeyID, config.SQSSecretKey, brokerTransport)
+		rendezvous, err = newSQSRendezvous(config.SQSQueueURL, config.SQSCredsStr, brokerTransport)
 	} else if config.AmpCacheURL != "" && config.BrokerURL != "" {
 		log.Println("Through AMP cache at:", config.AmpCacheURL)
 		rendezvous, err = newAMPCacheRendezvous(
--- a/client/lib/rendezvous_sqs.go
+++ b/client/lib/rendezvous_sqs.go
@ -16,6 +16,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/sqs"
 	"github.com/aws/aws-sdk-go-v2/service/sqs/types"
 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/sqsclient"
+	sqscreds "gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/sqscreds/lib"
 )

 type sqsRendezvous struct {
@ -26,12 +27,17 @@ type sqsRendezvous struct {
 	numRetries int
 }

-func newSQSRendezvous(sqsQueue string, sqsAccessKeyId string, sqsSecretKey string, transport http.RoundTripper) (*sqsRendezvous, error) {
+func newSQSRendezvous(sqsQueue string, sqsCredsStr string, transport http.RoundTripper) (*sqsRendezvous, error) {
 	sqsURL, err := url.Parse(sqsQueue)
 	if err != nil {
 		return nil, err
 	}

+	sqsCreds, err := sqscreds.AwsCredsFromBase64(sqsCredsStr)
+	if err != nil {
+		return nil, err
+	}
+
 	queueURL := sqsURL.String()
 	hostName := sqsURL.Hostname()

@ -43,7 +49,7 @@ func newSQSRendezvous(sqsQueue string, sqsAccessKeyId string, sqsSecretKey strin
 	region := res[1]
 	cfg, err := config.LoadDefaultConfig(context.TODO(),
 		config.WithCredentialsProvider(
-			credentials.NewStaticCredentialsProvider(sqsAccessKeyId, sqsSecretKey, ""),
+			credentials.NewStaticCredentialsProvider(sqsCreds.AwsAccessKeyId, sqsCreds.AwsSecretKey, ""),
 		),
 		config.WithRegion(region),
 	)
--- a/client/lib/rendezvous_test.go
+++ b/client/lib/rendezvous_test.go
@ -284,7 +284,7 @@ func TestSQSRendezvous(t *testing.T) {

 		Convey("Construct SQS queue rendezvous", func() {
 			transport := &mockTransport{http.StatusOK, []byte{}}
-			rend, err := newSQSRendezvous("https://sqs.us-east-1.amazonaws.com", "some-access-key-id", "some-secret-key", transport)
+			rend, err := newSQSRendezvous("https://sqs.us-east-1.amazonaws.com", "eyJhd3MtYWNjZXNzLWtleS1pZCI6InRlc3QtYWNjZXNzLWtleSIsImF3cy1zZWNyZXQta2V5IjoidGVzdC1zZWNyZXQta2V5In0=", transport)

 			So(err, ShouldBeNil)
 			So(rend.sqsClient, ShouldNotBeNil)
--- a/client/lib/snowflake.go
+++ b/client/lib/snowflake.go
@ -89,9 +89,8 @@ type ClientConfig struct {
 	// SQSQueueURL is the full URL of an AWS SQS Queue. A nonzero value indicates
 	// that SQS queue will be used as the rendezvous method with the broker.
 	SQSQueueURL string
-	// Access Key ID and Secret Key of the credentials used to access the AWS SQS Qeueue
-	SQSAccessKeyID string
-	SQSSecretKey   string
+	// Base64 encoded string of the credentials containing access Key ID and secret key used to access the AWS SQS Qeueue
+	SQSCredsStr string
 	// FrontDomain is the full URL of an optional front domain that can be used with either
 	// the AMP cache or HTTP domain fronting rendezvous method.
 	FrontDomain string
--- a/client/snowflake.go
+++ b/client/snowflake.go
@ -84,11 +84,8 @@ func socksAcceptLoop(ln *pt.SocksListener, config sf.ClientConfig, shutdown chan
 			if arg, ok := conn.Req.Args.Get("sqsqueue"); ok {
 				config.SQSQueueURL = arg
 			}
-			if arg, ok := conn.Req.Args.Get("sqsakid"); ok {
-				config.SQSAccessKeyID = arg
-			}
-			if arg, ok := conn.Req.Args.Get("sqsskey"); ok {
-				config.SQSSecretKey = arg
+			if arg, ok := conn.Req.Args.Get("sqscreds"); ok {
+				config.SQSCredsStr = arg
 			}
 			if arg, ok := conn.Req.Args.Get("fronts"); ok {
 				if arg != "" {
@ -169,8 +166,7 @@ func main() {
 	frontDomainsCommas := flag.String("fronts", "", "comma-separated list of front domains")
 	ampCacheURL := flag.String("ampcache", "", "URL of AMP cache to use as a proxy for signaling")
 	sqsQueueURL := flag.String("sqsqueue", "", "URL of SQS Queue to use as a proxy for signaling")
-	sqsAccessKeyId := flag.String("sqsakid", "", "Access Key ID for credentials to access SQS Queue ")
-	sqsSecretKey := flag.String("sqsskey", "", "Secret Key for credentials to access SQS Queue")
+	sqsCredsStr := flag.String("sqscreds", "", "credentials to access SQS Queue")
 	logFilename := flag.String("log", "", "name of log file")
 	logToStateDir := flag.Bool("log-to-state-dir", false, "resolve the log file relative to tor's pt state dir")
 	keepLocalAddresses := flag.Bool("keep-local-addresses", false, "keep local LAN address ICE candidates")
@ -239,8 +235,7 @@ func main() {
 		BrokerURL:          *brokerURL,
 		AmpCacheURL:        *ampCacheURL,
 		SQSQueueURL:        *sqsQueueURL,
-		SQSAccessKeyID:     *sqsAccessKeyId,
-		SQSSecretKey:       *sqsSecretKey,
+		SQSCredsStr:        *sqsCredsStr,
 		FrontDomains:       frontDomains,
 		ICEAddresses:       iceAddresses,
 		KeepLocalAddresses: *keepLocalAddresses || *oldKeepLocalAddresses,
--- a/common/sqscreds/generate_creds.go
+++ b/common/sqscreds/generate_creds.go
@ -0,0 +1,36 @@
+package main
+
+import (
+	"fmt"
+
+	sqscreds "gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/sqscreds/lib"
+)
+
+// This script can be run to generate the encoded SQS credentials to pass as a CLI param or SOCKS option to the client
+func main() {
+	var accessKey, secretKey string
+
+	fmt.Print("Enter Access Key: ")
+	_, err := fmt.Scanln(&accessKey)
+	if err != nil {
+		fmt.Println("Error reading access key:", err)
+		return
+	}
+
+	fmt.Print("Enter Secret Key: ")
+	_, err = fmt.Scanln(&secretKey)
+	if err != nil {
+		fmt.Println("Error reading access key:", err)
+		return
+	}
+
+	awsCreds := sqscreds.AwsCreds{AwsAccessKeyId: accessKey, AwsSecretKey: secretKey}
+	println()
+	println("Encoded Credentials:")
+	res, err := awsCreds.Base64()
+	if err != nil {
+		fmt.Println("Error encoding credentials:", err)
+		return
+	}
+	println(res)
+}
--- a/common/sqscreds/lib/sqs_creds.go
+++ b/common/sqscreds/lib/sqs_creds.go
@ -0,0 +1,35 @@
+package sqscreds
+
+import (
+	"encoding/base64"
+	"encoding/json"
+)
+
+type AwsCreds struct {
+	AwsAccessKeyId string `json:"aws-access-key-id"`
+	AwsSecretKey   string `json:"aws-secret-key"`
+}
+
+func (awsCreds AwsCreds) Base64() (string, error) {
+	jsonData, err := json.Marshal(awsCreds)
+	if err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(jsonData), nil
+}
+
+func AwsCredsFromBase64(base64Str string) (AwsCreds, error) {
+	var awsCreds AwsCreds
+
+	jsonData, err := base64.StdEncoding.DecodeString(base64Str)
+	if err != nil {
+		return awsCreds, err
+	}
+
+	err = json.Unmarshal(jsonData, &awsCreds)
+	if err != nil {
+		return awsCreds, err
+	}
+
+	return awsCreds, nil
+}
--- a/doc/rendezvous-with-sqs.md
+++ b/doc/rendezvous-with-sqs.md
@ -16,13 +16,12 @@ The machine on which the broker is being run must be equiped with the correct AW
 ## Client
 To run the client with this rendezvous method, use the following CLI flags (they are all required):
 - `sqsqueue` - URL of the SQS queue to use as a proxy for signalling
- `sqsakid` - AWS Access Key ID of credentials for accessing the SQS queue
- `sqsskey` - AWS Secrety Key of credentials for accessing the SQS queue
+- `sqscreds` - Encoded credentials for accessing the SQS queue

 `sqsqueue` should correspond to the URL of the SQS queue that the broker is listening on. 
 For the example above, the following value can be used:

-`-sqsqueue https://sqs.us-east-1.amazonaws.com/893902434899/snowflake-broker -sqsakid some-aws-access-key-id -sqsskey some-aws-secret-key`
+`-sqsqueue https://sqs.us-east-1.amazonaws.com/893902434899/snowflake-broker -sqscreds some-encoded-sqs-creds`

 *Public access to SQS queues is not allowed, so there needs to be some form of authentication to be able to access the queue. Limited permission credentials will be provided by the Snowflake team to access the corresponding SQS queue.*