feat: "proxy" subcommand providing an mTLS authenticating proxy

This implements a feature a few customers have already implemented
internally. They rely on mTLS to avoid the need of distributing access
tokens per user / oauth. This proxy uses the email field of a request
and then sets the appropriate headers on the request for sourcegraph to
authenticate it. In particular we rely on the site-admin:sudo scope
which allows user impersonation.

This feature is still experimental so is not shown in the -help output.

Author: keegancsmith

cmd/src/proxy.go

@@ -0,0 +1,90 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"os"
+
+	"github.com/sourcegraph/src-cli/internal/cmderrors"
+	"github.com/sourcegraph/src-cli/internal/srcproxy"
+)
+
+func init() {
+	// NOTE: this is an experimental command. It isn't advertised in -help
+
+	flagSet := flag.NewFlagSet("proxy", flag.ExitOnError)
+	usageFunc := func() {
+		fmt.Fprintf(flag.CommandLine.Output(), `'src proxy' starts a local reverse proxy to your Sourcegraph instance.
+
+USAGE
+  src [-v] proxy [-addr :7777] [-insecure-skip-verify] [-server-cert cert.pem -server-key key.pem] [client-ca.pem]
+
+By default, proxied requests use SRC_ACCESS_TOKEN via:
+  Authorization: token SRC_ACCESS_TOKEN
+
+If a client CA certificate path is provided, proxy runs in mTLS sudo mode:
+  1. Serves HTTPS and requires a client certificate signed by the provided CA.
+  2. Reads the first email SAN from the presented client certificate.
+  3. Looks up the Sourcegraph user by that email.
+  4. Proxies requests with:
+     Authorization: token-sudo token="TOKEN",user="USERNAME"
+
+Server certificate options:
+  -server-cert and -server-key can be used to provide the TLS certificate
+  and key used by the local proxy server. If omitted in cert mode, an
+  ephemeral self-signed server certificate is generated.
+`)
+	}
+
+	var (
+		addrFlag               = flagSet.String("addr", ":7777", "Address on which to serve")
+		insecureSkipVerifyFlag = flagSet.Bool("insecure-skip-verify", false, "Skip validation of TLS certificates against trusted chains")
+		serverCertFlag         = flagSet.String("server-cert", "", "Path to TLS server certificate for local proxy listener")
+		serverKeyFlag          = flagSet.String("server-key", "", "Path to TLS server private key for local proxy listener")
+	)
+
+	handler := func(args []string) error {
+		if err := flagSet.Parse(args); err != nil {
+			return err
+		}
+
+		var clientCAPath string
+		switch flagSet.NArg() {
+		case 0:
+		case 1:
+			clientCAPath = flagSet.Arg(0)
+		default:
+			return cmderrors.Usage("requires zero or one positional argument: path to client CA certificate")
+		}
+		if (*serverCertFlag == "") != (*serverKeyFlag == "") {
+			return cmderrors.Usage("both -server-cert and -server-key must be provided together")
+		}
+
+		dbug := log.New(io.Discard, "", log.LstdFlags)
+		if *verbose {
+			dbug = log.New(os.Stderr, "DBUG proxy: ", log.LstdFlags)
+		}
+
+		s := &srcproxy.Serve{
+			Addr:               *addrFlag,
+			Endpoint:           cfg.Endpoint,
+			AccessToken:        cfg.AccessToken,
+			ClientCAPath:       clientCAPath,
+			ServerCertPath:     *serverCertFlag,
+			ServerKeyPath:      *serverKeyFlag,
+			InsecureSkipVerify: *insecureSkipVerifyFlag,
+			AdditionalHeaders:  cfg.AdditionalHeaders,
+			Info:               log.New(os.Stderr, "proxy: ", log.LstdFlags),
+			Debug:              dbug,
+		}
+		return s.Start()
+	}
+
+	commands = append(commands, &command{
+		flagSet:   flagSet,
+		handler:   handler,
+		usageFunc: usageFunc,
+	})
+}

internal/srcproxy/gen-test-certs.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+# gen-test-certs.sh — generate certs for testing `src proxy` mTLS mode
+#
+# Usage: ./gen-test-certs.sh [email] [output-dir]
+#   email:      email SAN to embed in client cert (default: alice@example.com)
+#   output-dir: where to write files (default: ./test-certs)
+set -euo pipefail
+
+EMAIL="${1:-alice@example.com}"
+DIR="${2:-./test-certs}"
+mkdir -p "$DIR"
+
+echo "==> Generating certs in $DIR (email: $EMAIL)"
+
+# ── 1. CA ────────────────────────────────────────────────────────────────────
+openssl genrsa -out "$DIR/ca.key" 2048 2>/dev/null
+
+openssl req -new -x509 -days 1 \
+  -key "$DIR/ca.key" \
+  -out "$DIR/ca.pem" \
+  -subj "/CN=Test Client CA" 2>/dev/null
+
+echo "    ca.pem / ca.key"
+
+# ── 2. Server cert (so you can pass it to the proxy and trust it in curl) ────
+openssl genrsa -out "$DIR/server.key" 2048 2>/dev/null
+
+openssl req -new \
+  -key "$DIR/server.key" \
+  -out "$DIR/server.csr" \
+  -subj "/CN=localhost" 2>/dev/null
+
+openssl x509 -req -days 1 \
+  -in "$DIR/server.csr" \
+  -signkey "$DIR/server.key" \
+  -out "$DIR/server.pem" \
+  -extfile <(printf 'subjectAltName=DNS:localhost,IP:127.0.0.1') 2>/dev/null
+
+echo "    server.pem / server.key"
+
+# ── 3. Client cert with email SAN signed by the CA ───────────────────────────
+openssl genrsa -out "$DIR/client.key" 2048 2>/dev/null
+
+openssl req -new \
+  -key "$DIR/client.key" \
+  -out "$DIR/client.csr" \
+  -subj "/CN=test-client" 2>/dev/null
+
+openssl x509 -req -days 1 \
+  -in "$DIR/client.csr" \
+  -CA "$DIR/ca.pem" \
+  -CAkey "$DIR/ca.key" \
+  -CAcreateserial \
+  -out "$DIR/client.pem" \
+  -extfile <(printf "subjectAltName=email:%s" "$EMAIL") 2>/dev/null
+
+echo "    client.pem / client.key  (email SAN: $EMAIL)"
+
+# Confirm the SAN is present
+echo ""
+echo "==> Verifying email SAN in client cert:"
+openssl x509 -in "$DIR/client.pem" -noout -text \
+  | grep -A1 "Subject Alternative Name"
+
+echo ""
+echo "==> Done. Next steps:"
+echo ""
+echo "  # 1. Start the proxy (in another terminal):"
+echo "  export SRC_ENDPOINT=https://sourcegraph.example.com"
+echo "  export SRC_ACCESS_TOKEN=<site-admin-sudo-token>"
+echo "  go run ./cmd/src proxy \\"
+echo "    -server-cert $DIR/server.pem \\"
+echo "    -server-key  $DIR/server.key \\"
+echo "    $DIR/ca.pem"
+echo ""
+echo "  # 2. Send a request via curl using the client cert:"
+echo "  curl --cacert $DIR/server.pem \\"
+echo "       --cert   $DIR/client.pem \\"
+echo "       --key    $DIR/client.key \\"
+echo "       https://localhost:7777/.api/graphql \\"
+echo "       -d '{\"query\":\"{ currentUser { username } }\"}'"
+echo ""
+echo "  # Or skip server cert verification with -k:"
+echo "  curl -k --cert $DIR/client.pem --key $DIR/client.key \\"
+echo "       https://localhost:7777/.api/graphql \\"
+echo "       -d '{\"query\":\"{ currentUser { username } }\"}'"