cloudflared-mirror/supervisor/reconnect_test.go

package supervisor

import (
	"context"
	"errors"
	"fmt"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/cloudflare/cloudflared/retry"
	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
)

func TestRefreshAuthBackoff(t *testing.T) {
	rcm := newReconnectCredentialManager(t.Name(), t.Name(), 4)

	var wait time.Duration
	retry.Clock.After = func(d time.Duration) <-chan time.Time {
		wait = d
		return time.After(d)
	}
	backoff := &retry.BackoffHandler{MaxRetries: 3}
	auth := func(ctx context.Context, n int) (tunnelpogs.AuthOutcome, error) {
		return nil, fmt.Errorf("authentication failure")
	}

	// authentication failures should consume the backoff
	for i := uint(0); i < backoff.MaxRetries; i++ {
		retryChan, err := rcm.RefreshAuth(context.Background(), backoff, auth)
		require.NoError(t, err)
		require.NotNil(t, retryChan)
		require.Greater(t, wait.Seconds(), 0.0)
		require.Less(t, wait.Seconds(), float64((1<<(i+1))*time.Second))
	}
	retryChan, err := rcm.RefreshAuth(context.Background(), backoff, auth)
	require.Error(t, err)
	require.Nil(t, retryChan)

	// now we actually make contact with the remote server
	_, _ = rcm.RefreshAuth(context.Background(), backoff, func(ctx context.Context, n int) (tunnelpogs.AuthOutcome, error) {
		return tunnelpogs.NewAuthUnknown(errors.New("auth unknown"), 19), nil
	})

	// The backoff timer should have been reset. To confirm this, make timeNow
	// return a value after the backoff timer's grace period
	retry.Clock.Now = func() time.Time {
		expectedGracePeriod := time.Duration(time.Second * 2 << backoff.MaxRetries)
		return time.Now().Add(expectedGracePeriod * 2)
	}
	_, ok := backoff.GetMaxBackoffDuration(context.Background())
	require.True(t, ok)
}

func TestRefreshAuthSuccess(t *testing.T) {
	rcm := newReconnectCredentialManager(t.Name(), t.Name(), 4)

	var wait time.Duration
	retry.Clock.After = func(d time.Duration) <-chan time.Time {
		wait = d
		return time.After(d)
	}

	backoff := &retry.BackoffHandler{MaxRetries: 3}
	auth := func(ctx context.Context, n int) (tunnelpogs.AuthOutcome, error) {
		return tunnelpogs.NewAuthSuccess([]byte("jwt"), 19), nil
	}

	retryChan, err := rcm.RefreshAuth(context.Background(), backoff, auth)
	assert.NoError(t, err)
	assert.NotNil(t, retryChan)
	assert.Equal(t, 19*time.Hour, wait)

	token, err := rcm.ReconnectToken()
	assert.NoError(t, err)
	assert.Equal(t, []byte("jwt"), token)
}

func TestRefreshAuthUnknown(t *testing.T) {
	rcm := newReconnectCredentialManager(t.Name(), t.Name(), 4)

	var wait time.Duration
	retry.Clock.After = func(d time.Duration) <-chan time.Time {
		wait = d
		return time.After(d)
	}

	backoff := &retry.BackoffHandler{MaxRetries: 3}
	auth := func(ctx context.Context, n int) (tunnelpogs.AuthOutcome, error) {
		return tunnelpogs.NewAuthUnknown(errors.New("auth unknown"), 19), nil
	}

	retryChan, err := rcm.RefreshAuth(context.Background(), backoff, auth)
	assert.NoError(t, err)
	assert.NotNil(t, retryChan)
	assert.Equal(t, 19*time.Hour, wait)

	token, err := rcm.ReconnectToken()
	assert.Equal(t, errJWTUnset, err)
	assert.Nil(t, token)
}

func TestRefreshAuthFail(t *testing.T) {
	rcm := newReconnectCredentialManager(t.Name(), t.Name(), 4)

	backoff := &retry.BackoffHandler{MaxRetries: 3}
	auth := func(ctx context.Context, n int) (tunnelpogs.AuthOutcome, error) {
		return tunnelpogs.NewAuthFail(errors.New("auth fail")), nil
	}

	retryChan, err := rcm.RefreshAuth(context.Background(), backoff, auth)
	assert.Error(t, err)
	assert.Nil(t, retryChan)

	token, err := rcm.ReconnectToken()
	assert.Equal(t, errJWTUnset, err)
	assert.Nil(t, token)
}
TUN-5749: Refactor cloudflared to pave way for reconfigurable ingress - Split origin into supervisor and proxy packages - Create configManager to handle dynamic config 2022-02-07 09:42:07 +00:00			`package supervisor`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00
			`import (`
			`"context"`
			`"errors"`
			`"fmt"`
			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/assert"`
TUN-3902: Add jitter to backoffhandler Jitter is important to avoid every cloudflared in the world trying to reconnect at t=1, 2, 4, etc. That could overwhelm the backend. But if each cloudflared randomly waits for up to 2, then up to 4, then up to 8 etc, then the retries get spread out evenly across time. On average, wait times should be the same (e.g. instead of waiting for exactly 1 second, cloudflared will wait betweeen 0 and 2 seconds). This is the "Full Jitter" algorithm from https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/ 2021-02-10 16:42:09 +00:00			`"github.com/stretchr/testify/require"`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00
TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`"github.com/cloudflare/cloudflared/retry"`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"`
			`)`

			`func TestRefreshAuthBackoff(t *testing.T) {`
TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`rcm := newReconnectCredentialManager(t.Name(), t.Name(), 4)`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00
			`var wait time.Duration`
TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`retry.Clock.After = func(d time.Duration) <-chan time.Time {`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`wait = d`
			`return time.After(d)`
			`}`
TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`backoff := &retry.BackoffHandler{MaxRetries: 3}`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`auth := func(ctx context.Context, n int) (tunnelpogs.AuthOutcome, error) {`
			`return nil, fmt.Errorf("authentication failure")`
			`}`

			`// authentication failures should consume the backoff`
			`for i := uint(0); i < backoff.MaxRetries; i++ {`
TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`retryChan, err := rcm.RefreshAuth(context.Background(), backoff, auth)`
TUN-3902: Add jitter to backoffhandler Jitter is important to avoid every cloudflared in the world trying to reconnect at t=1, 2, 4, etc. That could overwhelm the backend. But if each cloudflared randomly waits for up to 2, then up to 4, then up to 8 etc, then the retries get spread out evenly across time. On average, wait times should be the same (e.g. instead of waiting for exactly 1 second, cloudflared will wait betweeen 0 and 2 seconds). This is the "Full Jitter" algorithm from https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/ 2021-02-10 16:42:09 +00:00			`require.NoError(t, err)`
			`require.NotNil(t, retryChan)`
			`require.Greater(t, wait.Seconds(), 0.0)`
			`require.Less(t, wait.Seconds(), float64((1<<(i+1))*time.Second))`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`}`
TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`retryChan, err := rcm.RefreshAuth(context.Background(), backoff, auth)`
TUN-3902: Add jitter to backoffhandler Jitter is important to avoid every cloudflared in the world trying to reconnect at t=1, 2, 4, etc. That could overwhelm the backend. But if each cloudflared randomly waits for up to 2, then up to 4, then up to 8 etc, then the retries get spread out evenly across time. On average, wait times should be the same (e.g. instead of waiting for exactly 1 second, cloudflared will wait betweeen 0 and 2 seconds). This is the "Full Jitter" algorithm from https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/ 2021-02-10 16:42:09 +00:00			`require.Error(t, err)`
			`require.Nil(t, retryChan)`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00
			`// now we actually make contact with the remote server`
TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`_, _ = rcm.RefreshAuth(context.Background(), backoff, func(ctx context.Context, n int) (tunnelpogs.AuthOutcome, error) {`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`return tunnelpogs.NewAuthUnknown(errors.New("auth unknown"), 19), nil`
			`})`

			`// The backoff timer should have been reset. To confirm this, make timeNow`
			`// return a value after the backoff timer's grace period`
TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`retry.Clock.Now = func() time.Time {`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`expectedGracePeriod := time.Duration(time.Second * 2 << backoff.MaxRetries)`
			`return time.Now().Add(expectedGracePeriod * 2)`
			`}`
TUN-3902: Add jitter to backoffhandler Jitter is important to avoid every cloudflared in the world trying to reconnect at t=1, 2, 4, etc. That could overwhelm the backend. But if each cloudflared randomly waits for up to 2, then up to 4, then up to 8 etc, then the retries get spread out evenly across time. On average, wait times should be the same (e.g. instead of waiting for exactly 1 second, cloudflared will wait betweeen 0 and 2 seconds). This is the "Full Jitter" algorithm from https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/ 2021-02-10 16:42:09 +00:00			`_, ok := backoff.GetMaxBackoffDuration(context.Background())`
			`require.True(t, ok)`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`}`

			`func TestRefreshAuthSuccess(t *testing.T) {`
TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`rcm := newReconnectCredentialManager(t.Name(), t.Name(), 4)`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00
			`var wait time.Duration`
TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`retry.Clock.After = func(d time.Duration) <-chan time.Time {`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`wait = d`
			`return time.After(d)`
			`}`

TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`backoff := &retry.BackoffHandler{MaxRetries: 3}`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`auth := func(ctx context.Context, n int) (tunnelpogs.AuthOutcome, error) {`
			`return tunnelpogs.NewAuthSuccess([]byte("jwt"), 19), nil`
			`}`

TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`retryChan, err := rcm.RefreshAuth(context.Background(), backoff, auth)`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`assert.NoError(t, err)`
			`assert.NotNil(t, retryChan)`
			`assert.Equal(t, 19*time.Hour, wait)`

TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`token, err := rcm.ReconnectToken()`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`assert.NoError(t, err)`
			`assert.Equal(t, []byte("jwt"), token)`
			`}`

			`func TestRefreshAuthUnknown(t *testing.T) {`
TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`rcm := newReconnectCredentialManager(t.Name(), t.Name(), 4)`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00
			`var wait time.Duration`
TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`retry.Clock.After = func(d time.Duration) <-chan time.Time {`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`wait = d`
			`return time.After(d)`
			`}`

TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`backoff := &retry.BackoffHandler{MaxRetries: 3}`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`auth := func(ctx context.Context, n int) (tunnelpogs.AuthOutcome, error) {`
			`return tunnelpogs.NewAuthUnknown(errors.New("auth unknown"), 19), nil`
			`}`

TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`retryChan, err := rcm.RefreshAuth(context.Background(), backoff, auth)`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`assert.NoError(t, err)`
			`assert.NotNil(t, retryChan)`
			`assert.Equal(t, 19*time.Hour, wait)`

TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`token, err := rcm.ReconnectToken()`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`assert.Equal(t, errJWTUnset, err)`
			`assert.Nil(t, token)`
			`}`

			`func TestRefreshAuthFail(t *testing.T) {`
TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`rcm := newReconnectCredentialManager(t.Name(), t.Name(), 4)`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00
TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`backoff := &retry.BackoffHandler{MaxRetries: 3}`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`auth := func(ctx context.Context, n int) (tunnelpogs.AuthOutcome, error) {`
			`return tunnelpogs.NewAuthFail(errors.New("auth fail")), nil`
			`}`

TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`retryChan, err := rcm.RefreshAuth(context.Background(), backoff, auth)`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`assert.Error(t, err)`
			`assert.Nil(t, retryChan)`

TUN-3268: Each connection has its own event digest to reconnect 2020-08-18 10:14:14 +00:00			`token, err := rcm.ReconnectToken()`
TUN-2555: origin/supervisor.go calls Authenticate 2019-12-04 17:22:08 +00:00			`assert.Equal(t, errJWTUnset, err)`
			`assert.Nil(t, token)`
			`}`