From 60de05bfc11dcde62518f37d608778166ee9d3ba Mon Sep 17 00:00:00 2001
From: Dalton Cherry <dalton@cloudflare.com>
Date: Tue, 7 Jul 2020 15:44:07 +0000
Subject: [PATCH] AUTH-2712 added MSI build for a windows agent

---
 .gitignore                         |  1 +
 .teamcity/build-macos.sh           | 90 +++++++++++++++++++++++++++++-
 Makefile                           | 11 +++-
 cmd/cloudflared/windows_service.go |  7 +--
 make-mac-pkg.sh                    | 31 ----------
 5 files changed, 103 insertions(+), 37 deletions(-)
 delete mode 100755 make-mac-pkg.sh

diff --git a/.gitignore b/.gitignore
index 65164567..d513f7ab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,7 @@ cscope.*
 cloudflared
 cloudflared.pkg
 cloudflared.exe
+cloudflared.msi
 !cmd/cloudflared/
 .DS_Store
 *-session.log
diff --git a/.teamcity/build-macos.sh b/.teamcity/build-macos.sh
index 9ea3e1f4..97324eef 100755
--- a/.teamcity/build-macos.sh
+++ b/.teamcity/build-macos.sh
@@ -13,9 +13,97 @@ export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-amd64.tgz"
+PKGNAME="$(pwd)/artifacts/cloudflared-amd64.pkg"
+TARGET_DIRECTORY=".build"
+BINARY_NAME="cloudflared"
+VERSION=$(git describe --tags --always --dirty="-dev")
+PRODUCT="cloudflared"
+CODE_SIGN_PRIV="code_sign.pk12"
+CODE_SIGN_CERT="code_sign.cer"
+INSTALLER_PRIV="installer.pk12"
+INSTALLER_CERT="installer.cer"
 export PATH="$PATH:/usr/local/bin"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
-tar czf "$FILENAME" cloudflared
+
+# Add code signing private key to the key chain
+if [[ -z "${CFD_CODE_SIGN_KEY}" ]]; then
+  # write private key to disk and then import it keychain
+  echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
+  security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}"
+  rm ${CODE_SIGN_PRIV}
+else
+  exit 1
+fi
+
+# Add code signing certificate to the key chain
+if [[ -z "${CFD_CODE_SIGN_CERT}" ]]; then
+  # write certificate to disk and then import it keychain
+  echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
+  security import ${CODE_SIGN_CERT}
+  rm ${CODE_SIGN_CERT}
+else
+  exit 1
+fi
+
+# Add package signing private key to the key chain
+if [[ -z "${CFD_INSTALLER_KEY}" ]]; then
+  # write private key to disk and then import it into the keychain
+  echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
+  security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}"
+  rm ${INSTALLER_PRIV}
+else
+  exit 1
+fi
+
+# Add package signing certificate to the key chain
+if [[ -z "${CFD_INSTALLER_CERT}" ]]; then
+  # write certificate to disk and then import it keychain
+  echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
+  security import ${INSTALLER_CERT}
+  rm ${INSTALLER_CERT}
+else
+  exit 1
+fi
+
+# get the code signing certificate name
+if [[ -z "${CFD_CODE_SIGN_NAME}" ]]; then
+  CODE_SIGN_NAME=$(security find-identity -v | cut -d'"' -f 2 -s | grep "Developer ID Application:")
+else
+  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
+fi
+
+# get the package signing certificate name
+if [[ -z "${CFD_INSTALLER_NAME}" ]]; then
+  PKG_SIGN_NAME=$(security find-identity -v | cut -d'"' -f 2 -s | grep "Developer ID Installer:")
+else
+  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
+fi
+
+# sign the cloudflared binary
+codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
+
+# creating build directory
+mkdir ${TARGET_DIRECTORY}
+mkdir ${TARGET_DIRECTORY}/contents
+cp -r .mac_resources/scripts ${TARGET_DIRECTORY}/scripts
+
+# copy cloudflared into the build directory
+cp ${BINARY_NAME} {$TARGET_DIRECTORY}/contents/${PRODUCT}
+
+# compress cloudflared into a tar and gzipped file
+tar czf "$FILENAME" ${BINARY_NAME}
+
+# build the installer package
+pkgbuild --identifier com.cloudflare.${PRODUCT} \
+    --version ${VERSION} \
+    --scripts ${TARGET_DIRECTORY}/scripts \
+    --root ${TARGET_DIRECTORY}/contents \
+    --install-location /usr/local/bin \
+    --sign "${PKG_SIGN_NAME}" \
+    ${PKGNAME}
+
+# cleaning up the build directory
+rm -rf $TARGET_DIRECTORY
diff --git a/Makefile b/Makefile
index 71a58144..2195f991 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,9 @@
-VERSION       := $(shell git describe --tags --always --dirty="-dev")
+VERSION       := $(shell git describe --tags --always --dirty="-dev" --exclude "w*")
 DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
 VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
+MSI_VERSION   := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut -c2-)
+#MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup. 
+#e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
 
 IMPORT_PATH   := github.com/cloudflare/cloudflared
 PACKAGE_DIR   := $(CURDIR)/packaging
@@ -22,6 +25,8 @@ ifneq ($(GOARCH),)
     TARGET_ARCH ?= $(GOARCH)
 else ifeq ($(LOCAL_ARCH),x86_64)
     TARGET_ARCH ?= amd64
+else ifeq ($(LOCAL_ARCH),i686)
+    TARGET_ARCH ?= amd64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
     TARGET_ARCH ?= arm64
 else ifeq ($(LOCAL_ARCH),aarch64)
@@ -158,3 +163,7 @@ vet:
 	go vet -mod=vendor ./...
 	which go-sumtype  # go get github.com/BurntSushi/go-sumtype
 	go-sumtype $$(go list -mod=vendor ./...)
+
+.PHONY: msi
+msi: cloudflared
+	go-msi make --msi cloudflared.msi --version $(MSI_VERSION)
\ No newline at end of file
diff --git a/cmd/cloudflared/windows_service.go b/cmd/cloudflared/windows_service.go
index e8d19c12..7b21e7f7 100644
--- a/cmd/cloudflared/windows_service.go
+++ b/cmd/cloudflared/windows_service.go
@@ -150,12 +150,11 @@ func (s *windowsService) Execute(serviceArgs []string, r <-chan svc.ChangeReques
 			switch c.Cmd {
 			case svc.Interrogate:
 				statusChan <- c.CurrentStatus
-			case svc.Stop:
+			case svc.Stop, svc.Shutdown:
 				close(s.graceShutdownC)
+				statusChan <- svc.Status{State: svc.Stopped, Accepts: cmdsAccepted}
 				statusChan <- svc.Status{State: svc.StopPending}
-			case svc.Shutdown:
-				close(s.shutdownC)
-				statusChan <- svc.Status{State: svc.StopPending}
+				return
 			default:
 				elog.Error(1, fmt.Sprintf("unexpected control request #%d", c))
 			}
diff --git a/make-mac-pkg.sh b/make-mac-pkg.sh
deleted file mode 100755
index 95659452..00000000
--- a/make-mac-pkg.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-TARGET_DIRECTORY=".build"
-BINARY_NAME="cloudflared"
-VERSION=$(git describe --tags --always --dirty="-dev")
-PRODUCT="cloudflared"
-
-
-echo "building cloudflared"
-make cloudflared
-
-echo "creating build directory"
-mkdir ${TARGET_DIRECTORY}
-mkdir ${TARGET_DIRECTORY}/contents
-cp -r .mac_resources/scripts ${TARGET_DIRECTORY}/scripts
-
-echo "move cloudflared into the build directory"
-mv $BINARY_NAME {$TARGET_DIRECTORY}/contents/${PRODUCT}
-
-echo "build the installer package"
-pkgbuild --identifier com.cloudflare.${PRODUCT} \
-    --version ${VERSION} \
-    --scripts ${TARGET_DIRECTORY}/scripts \
-    --root ${TARGET_DIRECTORY}/contents \
-    --install-location /usr/local/bin \
-    ${PRODUCT}.pkg
-    # TODO: our iOS/Mac account doesn't have this installer certificate type. 
-    # need to find how we can get it --sign "Developer ID Installer: Cloudflare" \
-    
-echo "cleaning up the build directory"
-rm -rf $TARGET_DIRECTORY