Merge branch 'cloudflare:master' into tunnel-health

.github/workflows/semgrep.yml

@@ -0,0 +1,25 @@
+
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push: 
+    branches:
+      - main
+      - master
+  schedule:
+    - cron: '0 0 * * *'
+name: Semgrep config
+jobs:
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-20.04
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+      SEMGREP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - uses: actions/checkout@v3
+      - run: semgrep ci

RELEASE_NOTES

@@ -1,3 +1,18 @@
+2024.9.1
+- 2024-09-10 Revert Release 2024.9.0
+
+2024.9.0
+- 2024-09-10 TUN-8621: Fix cloudflared version in change notes.
+- 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
+- 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
+- 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
+- 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
+
+2024.8.3
+- 2024-08-15 TUN-8591 login command without extra text
+- 2024-03-25 remove code that will not be executed
+- 2024-03-25 remove code that will not be executed
+
 2024.8.2
 - 2024-08-05 TUN-8583: change final directory of artifacts
 - 2024-08-05 TUN-8585: Avoid creating GH client when dry-run is true

cmd/cloudflared/cliutil/build_info.go

@@ -1,7 +1,10 @@
 package cliutil
 
 import (
+	"crypto/sha256"
 	"fmt"
+	"io"
+	"os"
 	"runtime"
 
 	"github.com/rs/zerolog"
@@ -13,6 +16,7 @@ type BuildInfo struct {
 	GoArch             string `json:"go_arch"`
 	BuildType          string `json:"build_type"`
 	CloudflaredVersion string `json:"cloudflared_version"`
+	Checksum           string `json:"checksum"`
 }
 
 func GetBuildInfo(buildType, version string) *BuildInfo {
@@ -22,11 +26,12 @@ func GetBuildInfo(buildType, version string) *BuildInfo {
 		GoArch:             runtime.GOARCH,
 		BuildType:          buildType,
 		CloudflaredVersion: version,
+		Checksum:           currentBinaryChecksum(),
 	}
 }
 
 func (bi *BuildInfo) Log(log *zerolog.Logger) {
-	log.Info().Msgf("Version %s", bi.CloudflaredVersion)
+	log.Info().Msgf("Version %s (Checksum %s)", bi.CloudflaredVersion, bi.Checksum)
 	if bi.BuildType != "" {
 		log.Info().Msgf("Built%s", bi.GetBuildTypeMsg())
 	}
@@ -51,3 +56,28 @@ func (bi *BuildInfo) GetBuildTypeMsg() string {
 func (bi *BuildInfo) UserAgent() string {
 	return fmt.Sprintf("cloudflared/%s", bi.CloudflaredVersion)
 }
+
+// FileChecksum opens a file and returns the SHA256 checksum.
+func FileChecksum(filePath string) (string, error) {
+	f, err := os.Open(filePath)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+
+	h := sha256.New()
+	if _, err := io.Copy(h, f); err != nil {
+		return "", err
+	}
+
+	return fmt.Sprintf("%x", h.Sum(nil)), nil
+}
+
+func currentBinaryChecksum() string {
+	currentPath, err := os.Executable()
+	if err != nil {
+		return ""
+	}
+	sum, _ := FileChecksum(currentPath)
+	return sum
+}

cmd/cloudflared/main.go

@@ -91,7 +91,7 @@ func main() {
 
 	tunnel.Init(bInfo, graceShutdownC) // we need this to support the tunnel sub command...
 	access.Init(graceShutdownC, Version)
-	updater.Init(Version)
+	updater.Init(bInfo)
 	tracing.Init(Version)
 	token.Init(Version)
 	tail.Init(bInfo)

cmd/cloudflared/updater/update.go

@@ -14,6 +14,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"golang.org/x/term"
 
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 )
@@ -31,7 +32,7 @@ const (
 )
 
 var (
-	version                string
+	buildInfo              *cliutil.BuildInfo
 	BuiltForPackageManager = ""
 )
 
@@ -81,8 +82,8 @@ func (uo *UpdateOutcome) noUpdate() bool {
 	return uo.Error == nil && uo.Updated == false
 }
 
-func Init(v string) {
-	version = v
+func Init(info *cliutil.BuildInfo) {
+	buildInfo = info
 }
 
 func CheckForUpdate(options updateOptions) (CheckResult, error) {
@@ -100,11 +101,12 @@ func CheckForUpdate(options updateOptions) (CheckResult, error) {
 		cfdPath = encodeWindowsPath(cfdPath)
 	}
 
-	s := NewWorkersService(version, url, cfdPath, Options{IsBeta: options.isBeta,
+	s := NewWorkersService(buildInfo.CloudflaredVersion, url, cfdPath, Options{IsBeta: options.isBeta,
 		IsForced: options.isForced, RequestedVersion: options.intendedVersion})
 
 	return s.Check()
 }
+
 func encodeWindowsPath(path string) string {
 	// We do this because Windows allows spaces in directories such as
 	// Program Files but does not allow these directories to be spaced in batch files.
@@ -196,10 +198,9 @@ func loggedUpdate(log *zerolog.Logger, options updateOptions) UpdateOutcome {
 
 // AutoUpdater periodically checks for new version of cloudflared.
 type AutoUpdater struct {
-	configurable     *configurable
-	listeners        *gracenet.Net
-	updateConfigChan chan *configurable
-	log              *zerolog.Logger
+	configurable *configurable
+	listeners    *gracenet.Net
+	log          *zerolog.Logger
 }
 
 // AutoUpdaterConfigurable is the attributes of AutoUpdater that can be reconfigured during runtime
@@ -210,10 +211,9 @@ type configurable struct {
 
 func NewAutoUpdater(updateDisabled bool, freq time.Duration, listeners *gracenet.Net, log *zerolog.Logger) *AutoUpdater {
 	return &AutoUpdater{
-		configurable:     createUpdateConfig(updateDisabled, freq, log),
-		listeners:        listeners,
-		updateConfigChan: make(chan *configurable),
-		log:              log,
+		configurable: createUpdateConfig(updateDisabled, freq, log),
+		listeners:    listeners,
+		log:          log,
 	}
 }
 
@@ -232,12 +232,20 @@ func createUpdateConfig(updateDisabled bool, freq time.Duration, log *zerolog.Lo
 	}
 }
 
+// Run will perodically check for cloudflared updates, download them, and then restart the current cloudflared process
+// to use the new version. It delays the first update check by the configured frequency as to not attempt a
+// download immediately and restart after starting (in the case that there is an upgrade available).
 func (a *AutoUpdater) Run(ctx context.Context) error {
 	ticker := time.NewTicker(a.configurable.freq)
 	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+		}
 		updateOutcome := loggedUpdate(a.log, updateOptions{updateDisabled: !a.configurable.enabled})
 		if updateOutcome.Updated {
-			Init(updateOutcome.Version)
+			buildInfo.CloudflaredVersion = updateOutcome.Version
 			if IsSysV() {
 				// SysV doesn't have a mechanism to keep service alive, we have to restart the process
 				a.log.Info().Msg("Restarting service managed by SysV...")
@@ -254,25 +262,9 @@ func (a *AutoUpdater) Run(ctx context.Context) error {
 		} else if updateOutcome.UserMessage != "" {
 			a.log.Warn().Msg(updateOutcome.UserMessage)
 		}
-
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		case newConfigurable := <-a.updateConfigChan:
-			ticker.Stop()
-			a.configurable = newConfigurable
-			ticker = time.NewTicker(a.configurable.freq)
-			// Check if there is new version of cloudflared after receiving new AutoUpdaterConfigurable
-		case <-ticker.C:
-		}
 	}
 }
 
-// Update is the method to pass new AutoUpdaterConfigurable to a running AutoUpdater. It is safe to be called concurrently
-func (a *AutoUpdater) Update(updateDisabled bool, newFreq time.Duration) {
-	a.updateConfigChan <- createUpdateConfig(updateDisabled, newFreq, a.log)
-}
-
 func isAutoupdateEnabled(log *zerolog.Logger, updateDisabled bool, updateFreq time.Duration) bool {
 	if !supportAutoUpdate(log) {
 		return false

cmd/cloudflared/updater/update_test.go

@@ -9,8 +9,14 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/urfave/cli/v2"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 
+func init() {
+	Init(cliutil.GetBuildInfo("TEST", "TEST"))
+}
+
 func TestDisabledAutoUpdater(t *testing.T) {
 	listeners := &gracenet.Net{}
 	log := zerolog.Nop()

cmd/cloudflared/updater/workers_service.go

@@ -3,6 +3,7 @@ package updater
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"
 	"runtime"
 )
@@ -79,6 +80,10 @@ func (s *WorkersService) Check() (CheckResult, error) {
 	}
 	defer resp.Body.Close()
 
+	if resp.StatusCode != 200 {
+		return nil, fmt.Errorf("unable to check for update: %d", resp.StatusCode)
+	}
+
 	var v VersionResponse
 	if err := json.NewDecoder(resp.Body).Decode(&v); err != nil {
 		return nil, err

cmd/cloudflared/updater/workers_update.go

@@ -3,7 +3,6 @@ package updater
 import (
 	"archive/tar"
 	"compress/gzip"
-	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io"
@@ -16,6 +15,10 @@ import (
 	"strings"
 	"text/template"
 	"time"
+
+	"github.com/getsentry/sentry-go"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 
 const (
@@ -27,9 +30,9 @@ const (
 	// start the service
 	// exit with code 0 if we've reached this point indicating success.
 	windowsUpdateCommandTemplate = `sc stop cloudflared >nul 2>&1
+del "{{.OldPath}}"
 rename "{{.TargetPath}}" {{.OldName}}
 rename "{{.NewPath}}" {{.BinaryName}}
-del "{{.OldPath}}"
 sc start cloudflared >nul 2>&1
 exit /b 0`
 	batchFileName = "cfd_update.bat"
@@ -86,8 +89,25 @@ func (v *WorkersVersion) Apply() error {
 		return err
 	}
 
-	// check that the file is what is expected
-	if err := isValidChecksum(v.checksum, newFilePath); err != nil {
+	downloadSum, err := cliutil.FileChecksum(newFilePath)
+	if err != nil {
+		return err
+	}
+
+	// Check that the file downloaded matches what is expected.
+	if v.checksum != downloadSum {
+		return errors.New("checksum validation failed")
+	}
+
+	// Check if the currently running version has the same checksum
+	if downloadSum == buildInfo.Checksum {
+		// Currently running binary matches the downloaded binary so we have no reason to update. This is
+		// typically unexpected, as such we emit a sentry event.
+		localHub := sentry.CurrentHub().Clone()
+		err := errors.New("checksum validation matches currently running process")
+		localHub.CaptureException(err)
+		// Make sure to cleanup the new downloaded file since we aren't upgrading versions.
+		os.Remove(newFilePath)
 		return err
 	}
 
@@ -189,27 +209,6 @@ func isCompressedFile(urlstring string) bool {
 	return strings.HasSuffix(u.Path, ".tgz")
 }
 
-// checks if the checksum in the json response matches the checksum of the file download
-func isValidChecksum(checksum, filePath string) error {
-	f, err := os.Open(filePath)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-
-	h := sha256.New()
-	if _, err := io.Copy(h, f); err != nil {
-		return err
-	}
-
-	hash := fmt.Sprintf("%x", h.Sum(nil))
-
-	if checksum != hash {
-		return errors.New("checksum validation failed")
-	}
-	return nil
-}
-
 // writeBatchFile writes a batch file out to disk
 // see the dicussion on why it has to be done this way
 func writeBatchFile(targetPath string, newPath string, oldPath string) error {

features/features.go

@@ -8,6 +8,7 @@ const (
 	FeaturePostQuantum       = "postquantum"
 	FeatureQUICSupportEOF    = "support_quic_eof"
 	FeatureManagementLogs    = "management_logs"
+	FeatureDatagramV3        = "support_datagram_v3"
 )
 
 var (