Add AF_UNIX support for destination (-d) mode (#211)

* Add AF_UNIX support for destination (-d) mode

This implementation adds AF_UNIX support to the destination mode so
that the connectivity can be isolated to the host running the aws iot
agent. Particularly useful in containers.

Tests performed
1) Implemented an echo server with below:
socat UNIX-LISTEN:/tmp/echo.sock,fork EXEC:/bin/cat
Connected the local proxy with -d /tmp/echo.sock
Mapped this with another instance -s 3131.
Connected to it with telnet localhost 3131.
2) Mapped localproxy with -d /run/ssh-unix-local/socket
to the running container's systemd generated ssh socket
Started another instance of localproxy with -s 2222
Connected to it with ssh -p 2222 root@localhost

* Exclude AF_UNIX destination support from windows OS

* nit: format files

* Update function name to better reflect the synchronicity

---------

Co-authored-by: Anubhav Rawal <anubhavrawal00@gmail.com>

Author: utezduyar

README.md

@@ -748,18 +748,26 @@ sets the mappings between port and service identifier. For example: SSH1=5555
 or 5555.
 
 - It follows format serviceId1=endpoint1, serviceId2=endpoint2, ...
-- Endpoint can be IP address:port , port or hostname:port.
+- Endpoint can be IP address:port, port, hostname:port, or a Unix domain socket
+  path.
+- Unix domain socket paths are detected when the endpoint contains a '/'
+  character (e.g., /run/ssh-unix-local/socket, /tmp/app.sock, ./local.sock).
+  Note: Unix domain sockets are only supported on Unix/Linux/macOS platforms.
 - If only one port is needed to start local proxy, service ID is not needed. You
   can simply pass the port used, for example, 5555.
 - An item of the mapping SSH1=5555 means that local proxy will forward data
   received from the tunnel to TCP port 5555 for service ID SSH1.
+- An item of the mapping SSH1=/run/app.sock means that local proxy will forward
+  data received from the tunnel to the Unix domain socket at /run/app.sock for
+  service ID SSH1.
 - The value of service ID and how many service IDs are used needs to match with
   **services** in open tunnel call. For example:
   ```shell script
   aws iotsecuretunneling open-tunnel --destination-config thingName=foo,services=SSH1,SSH2
   ```
   Then to start local proxy in destination mode, need to use:
-  `-d SSH1=$port1,SSH2=$port2`
+  `-d SSH1=$port1,SSH2=$port2` or
+  `-d SSH1=/path/to/socket1,SSH2=/path/to/socket2`
 
 **-b/--local-bind-address [argvalue]** Specifies the local bind address (network
 interface) to use for listening for new connections when running the local proxy

src/InputValidation.cpp

@@ -223,6 +223,13 @@ namespace iot {
                     return;
                 }
 
+                // Check if it's a Unix socket path (contains '/')
+                // Unix socket paths: /run/socket, ./socket, /tmp/sock
+                if (endpoint.find('/') != std::string::npos) {
+                    validate_path(endpoint);
+                    return;
+                }
+
                 // It's host:port or just host - validate the address part
                 validate_bind_address(endpoint);
 

src/TcpAdapterProxy.cpp

@@ -1,11 +1,16 @@
 // Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 #include "TcpAdapterProxy.h"
+#include "InputValidation.h"
 #include "ProxySettings.h"
 #include "WebProxyAdapter.h"
 #include "config/ConfigFile.h"
 #include <boost/algorithm/string.hpp>
 #include <boost/asio.hpp>
+#ifndef _WIN32
+#include <boost/asio/local/stream_protocol.hpp>
+#include <unistd.h> // for close() and unlink()
+#endif
 #include <boost/asio/ssl/host_name_verification.hpp>
 #include <boost/beast/core/flat_buffer.hpp>
 #include <boost/beast/websocket.hpp>
@@ -3147,6 +3152,92 @@ namespace iot {
             );
         }
 
+#ifndef _WIN32
+        void tcp_adapter_proxy::connect_and_setup_unix_socket(
+            tcp_adapter_context &tac,
+            std::shared_ptr<basic_retry_config> retry_config,
+            const string &service_id,
+            const uint32_t &connection_id,
+            const std::string &socket_path
+        ) {
+            BOOST_LOG_SEV(log, trace)
+                << "Connecting to Unix domain socket: " << socket_path
+                << " for service id: " << service_id
+                << " connection id: " << connection_id;
+
+            tcp_client::pointer client
+                = tac.serviceId_to_tcp_client_map[service_id];
+
+            // Create a Unix domain socket and connect
+            boost::asio::local::stream_protocol::socket unix_socket(tac.io_ctx);
+            boost::system::error_code connect_ec;
+
+            try {
+                unix_socket.connect(
+                    boost::asio::local::stream_protocol::endpoint(socket_path),
+                    connect_ec
+                );
+
+                if (connect_ec) {
+                    BOOST_LOG_SEV(log, error)
+                        << (boost::format(
+                                "Could not connect to Unix socket %1% -- %2%"
+                            )
+                            % socket_path % connect_ec.message())
+                               .str();
+                    basic_retry_execute(
+                        log, retry_config, [this, &tac, service_id]() {
+                            BOOST_LOG_SEV(log, trace)
+                                << "resetting stream for service id:"
+                                << service_id
+                                << ", then listen for stream start";
+                            async_send_stream_reset(tac, service_id);
+                            setup_tcp_socket(std::ref(tac), service_id);
+                        }
+                    );
+                } else {
+                    BOOST_LOG_SEV(log, info)
+                        << "Connected to Unix socket: " << socket_path;
+
+                    // Transfer the Unix socket to the TCP connection
+                    // Get the native file descriptor and assign it to the TCP
+                    // socket
+                    int fd = unix_socket.release();
+                    boost::system::error_code assign_ec;
+                    client->connectionId_to_tcp_connection_map[connection_id]
+                        ->socket()
+                        .assign(boost::asio::ip::tcp::v4(), fd, assign_ec);
+
+                    if (assign_ec) {
+                        BOOST_LOG_SEV(log, error)
+                            << "Failed to assign Unix socket to TCP socket: "
+                            << assign_ec.message();
+                        ::close(fd);
+                        basic_retry_execute(
+                            log, retry_config, [this, &tac, service_id]() {
+                                async_send_stream_reset(tac, service_id);
+                                setup_tcp_socket(std::ref(tac), service_id);
+                            }
+                        );
+                    } else {
+                        async_setup_bidirectional_data_transfers(
+                            tac, service_id, connection_id
+                        );
+                    }
+                }
+            } catch (const std::exception &e) {
+                BOOST_LOG_SEV(log, error)
+                    << "Exception connecting to Unix socket: " << e.what();
+                basic_retry_execute(
+                    log, retry_config, [this, &tac, service_id]() {
+                        async_send_stream_reset(tac, service_id);
+                        setup_tcp_socket(std::ref(tac), service_id);
+                    }
+                );
+            }
+        }
+#endif
+
         void tcp_adapter_proxy::async_resolve_destination_for_connect(
             tcp_adapter_context &tac,
             std::shared_ptr<basic_retry_config> retry_config,
@@ -3291,6 +3382,28 @@ namespace iot {
                     );
             }
 
+            // Check if endpoint is a Unix domain socket path (contains '/')
+#ifndef _WIN32
+            if (endpoint.find('/') != std::string::npos) {
+                BOOST_LOG_SEV(log, debug)
+                    << "Detected Unix domain socket path: " << endpoint;
+                connect_and_setup_unix_socket(
+                    tac, retry_config, service_id, connection_id, endpoint
+                );
+                return;
+            }
+#else
+            // On Windows, reject Unix socket paths with a clear error
+            if (endpoint.find('/') != std::string::npos) {
+                BOOST_LOG_SEV(log, error)
+                    << "Unix domain sockets are not supported on Windows. "
+                    << "Path provided: " << endpoint;
+                throw std::runtime_error(
+                    "Unix domain sockets are not supported on Windows"
+                );
+            }
+#endif
+
             if (tac.adapter_config.bind_address.has_value()) {
                 BOOST_LOG_SEV(log, debug)
                     << "Resolving local address host: "

src/TcpAdapterProxy.h

@@ -13,6 +13,9 @@
 #include "WebSocketStream.h"
 #include <boost/asio.hpp>
 #include <boost/asio/ip/tcp.hpp>
+#ifndef _WIN32
+#include <boost/asio/local/stream_protocol.hpp>
+#endif
 #include <boost/asio/ssl/host_name_verification.hpp>
 #include <boost/beast/core/flat_buffer.hpp>
 #include <boost/beast/websocket.hpp>
@@ -449,6 +452,16 @@ namespace iot {
                 tcp::resolver::results_type results
             );
 
+#ifndef _WIN32
+            void connect_and_setup_unix_socket(
+                tcp_adapter_context &tac,
+                std::shared_ptr<basic_retry_config> retry_config,
+                const std::string &service_id,
+                const uint32_t &connection_id,
+                const std::string &socket_path
+            );
+#endif
+
             bool process_incoming_websocket_buffer(
                 tcp_adapter_context &tac,
                 boost::beast::multi_buffer &message_buffer