Commit Graph

1737 Commits

Author SHA1 Message Date
kjake a450c52f82
Merge 95bd76ced6 into e7586153be 2025-03-21 12:53:52 +01:00
João "Pisco" Fernandes e7586153be TUN-9101: Don't ignore errors on `cloudflared access ssh`
## Summary

This change ensures that errors resulting from the `cloudflared access ssh` call are no longer ignored. By returning the error from `carrier.StartClient` to the upstream, we ensure that these errors are properly logged on stdout, providing better visibility and debugging capabilities.

Relates to TUN-9101
2025-03-17 18:42:19 +00:00
Chung-Ting Huang 11777db304 TUN-9089: Pin go import to v0.30.0, v0.31.0 requires go 1.23
Closes TUN-9089
2025-03-06 12:05:24 +00:00
lneto 3f6b1f24d0 Release 2025.2.1 2025-02-26 16:44:32 +00:00
Luis Neto a4105e8708 TUN-9016: update base-debian to v12
## Summary

Fixes vulnerability ([CVE -2024-4741](https://github.com/advisories/GHSA-6vgq-8qjq-h578))

 Closes TUN-9016
2025-02-26 15:54:10 +00:00
Luis Neto 6496322bee TUN-9007: modify logic to resolve region when the tunnel token has an endpoint field
## Summary

Within the work of FEDRamp it is necessary to change the HA SD lookup to use as srv `fed-v2-origintunneld`

This work assumes that the tunnel token has an optional endpoint field which will be used to modify the behaviour of the HA SD lookup.

Finally, the presence of the endpoint will override region to _fed_ and fail if any value is passed for the flag region.

Closes TUN-9007
2025-02-25 19:03:41 +00:00
Luis Neto 906452a9c9 TUN-8960: Connect to FED API GW based on the OriginCert's endpoint
## Summary

Within the scope of the FEDRamp High RM, it is necessary to detect if an user should connect to a FEDRamp colo.

At first, it was considered to add the --fedramp as global flag however this could be a footgun for the user or even an hindrance, thus, the proposal is to save in the token (during login) if the user authenticated using the FEDRamp Dashboard. This solution makes it easier to the user as they will only be required to pass the flag in login and nothing else.

* Introduces the new field, endpoint, in OriginCert
* Refactors login to remove the private key and certificate which are no longer used
* Login will only store the Argo Tunnel Token
* Remove namedTunnelToken as it was only used to for serialization

Closes TUN-8960
2025-02-25 17:13:33 +00:00
Jingqi Huang d969fdec3e SDLC-3762: Remove backstage.io/source-location from catalog-info.yaml 2025-02-13 13:02:50 -08:00
João "Pisco" Fernandes 7336a1a4d6 TUN-8914: Create a flags module to group all cloudflared cli flags
## Summary

This commit refactors some of the flags of cloudflared to their own module, so that they can be used across the code without requiring to literal strings which are much more error prone.

 Closes TUN-8914
2025-02-06 03:30:27 -08:00
João "Pisco" Fernandes df5dafa6d7 Release 2025.2.0 2025-02-03 18:39:00 +00:00
Bas Westerbaan c19f919428 Bump x/crypto to 0.31.0 2025-02-03 16:08:02 +01:00
João "Pisco" Fernandes b187879e69 TUN-8914: Add a new configuration to locally override the max-active-flows
## Summary

This commit introduces a new command line flag, `--max-active-flows`, which allows overriding the remote configuration for the maximum number of active flows.

The flag can be used with the `run` command, like `cloudflared tunnel --no-autoupdate run --token <TUNNEL_TOKEN> --max-active-flows 50000`, or set via an environment variable `TUNNEL_MAX_ACTIVE_FLOWS`.

Note that locally-set values always take precedence over remote settings, even if the tunnel is remotely managed.

Closes TUN-8914
2025-02-03 03:42:50 -08:00
lneto 2feccd772c Release 2025.1.1 2025-01-30 14:48:47 +00:00
Luis Neto 90176a79b4 TUN-8894: report FIPS+PQ error to Sentry when dialling to the edge
## Summary

Since we will enable PQ + FIPS it is necessary to add observability so that we can understand if issues are happening.

 Closes TUN-8894
2025-01-30 06:26:53 -08:00
Luis Neto 9695829e5b TUN-8857: remove restriction for using FIPS and PQ
## Summary

When the FIPS compliance was achieved with HTTP/2 Transport the technology at the time wasn't available or certified to be used in tandem with Post-Quantum encryption. Nowadays, that is possible, thus, we can also remove this restriction from Cloudflared.

 Closes TUN-8857
2025-01-30 05:47:07 -08:00
Luis Neto 31a870b291 TUN-8855: Update PQ curve preferences
## Summary

Nowadays, Cloudflared only supports X25519Kyber768Draft00 (0x6399,25497) but older versions may use different preferences.

For FIPS compliance we are required to use P256Kyber768Draft00 (0xfe32,65074) which is supported in our internal fork of [Go-Boring-1.22.10](https://bitbucket.cfdata.org/projects/PLAT/repos/goboring/browse?at=refs/heads/go-boring/1.22.10 "Follow link").

In the near future, Go will support by default the X25519MLKEM768 (0x11ec,4588) given this we may drop the usage of our public fork of GO.

To summarise:

* Cloudflared FIPS: QUIC_CURVE_PREFERENCES=65074
* Cloudflared non-FIPS: QUIC_CURVE_PREFERENCES=4588

Closes TUN-8855
2025-01-30 05:02:47 -08:00
Luis Neto bfdb0c76dc TUN-8855: fix lint issues
## Summary

Fix lint issues necessary for a subsequent PR. This is only separate to allow a better code review of the actual changes.

Closes TUN-8855
2025-01-30 03:53:24 -08:00
Luis Neto 45f67c23fd TUN-8858: update go to 1.22.10 and include quic-go FIPS changes
## Summary

To have support for new curves and to achieve FIPS compliance Cloudflared must be released with [Go-Boring-1.22.10](https://bitbucket.cfdata.org/projects/PLAT/repos/goboring/browse?at=refs/heads/go-boring/1.22.10 "Follow link") along with the quic-go patches. 

 Closes TUN-8858
2025-01-30 03:11:54 -08:00
João "Pisco" Fernandes 0f1bfe99ce TUN-8904: Rename Connect Response Flow Rate Limited metadata
## Summary

This commit renames the public variable that identifies the metadata key and value for the ConnectResponse structure when the flow was rate limited.

 Closes TUN-8904
2025-01-22 07:23:46 -08:00
Eduardo Gomes 18eecaf151 AUTH-6633 Fix cloudflared access login + warp as auth
## Summary
cloudflared access login and cloudflared access curl fails when the Access application has warp_as_auth enabled.

This bug originates from a 4 year old inconsistency where tokens signed by the nginx-fl-access module include 'aud' as a string, while tokens signed by the access authentication worker include 'aud' as an array of strings.
When the new(ish) feature warp_as_auth is enabled for the app, the fl module signs the token as opposed to the worker like usually.


I'm going to bring this up to the Access team, and try to figure out a way to consolidate this discrepancy without breaking behaviour.

Meanwhile we have this [CUSTESC ](https://jira.cfdata.org/browse/CUSTESC-47987), so I'm making cloudflared more lenient by accepting both []string and string in the token 'aud' field.



Tested this by compiling and running cloudflared access curls to my domains


Closes AUTH-6633
2025-01-21 04:00:28 -08:00
kjake 95bd76ced6 Final clean for PR 2025-01-20 17:25:23 -05:00
kjake b22006b0fe Undo change 2025-01-20 17:15:36 -05:00
kjake e75a43eec4 Align to original 2025-01-20 17:13:45 -05:00
kjake fee93f8cce
Merge branch 'cloudflare:master' into freebsd 2025-01-20 17:10:45 -05:00
kjake 4e9b54e610 Unwind Most Changes
Paring down to what should be necessary, but likely won't build in this state
2025-01-20 17:10:15 -05:00
kjake 3da39ea5bb Correct artifact path 2025-01-20 15:43:46 -05:00
kjake 4197b4267f Attach successful build file 2025-01-20 15:30:47 -05:00
kjake 49c3be3188 Fix missing cliutil
Aligns slightly more with the linux flavor
2025-01-20 15:11:19 -05:00
kjake 822fbc379d Implement NewSystemCollectorImpl for BSD 2025-01-20 14:48:07 -05:00
kjake 4c2e515fb3 Test fix for network diag package 2025-01-20 14:26:03 -05:00
kjake 8e668f511b Improve BSD coverage 2025-01-20 13:59:15 -05:00
kjake 32a5ba9418 More complete freebsd change 2025-01-20 13:36:21 -05:00
kjake 7c6405b158 Build for unix
Test build against our fork before opening a PR against the origin
2025-01-20 13:21:13 -05:00
João "Pisco" Fernandes 4eb0f8ce5f TUN-8861: Rename Session Limiter to Flow Limiter
## Summary
Session is the concept used for UDP flows. Therefore, to make
the session limiter ambiguous for both TCP and UDP, this commit
renames it to flow limiter.

Closes TUN-8861
2025-01-20 06:33:40 -08:00
João "Pisco" Fernandes 8c2eda16c1 TUN-8861: Add configuration for active sessions limiter
## Summary
This commit adds a new configuration in the warp routing
config to allow users to define the active sessions limit
value.
2025-01-20 11:39:42 +00:00
João "Pisco" Fernandes 8bfe111cab TUN-8861: Add session limiter to TCP session manager
## Summary
In order to make cloudflared behavior more predictable and
prevent an exhaustion of resources, we have decided to add
session limits that can be configured by the user. This commit
adds the session limiter to the HTTP/TCP handling path.
For now the limiter is set to run only in unlimited mode.
2025-01-20 10:53:53 +00:00
João "Pisco" Fernandes bf4954e96a TUN-8861: Add session limiter to UDP session manager
## Summary
In order to make cloudflared behavior more predictable and
prevent an exhaustion of resources, we have decided to add
session limits that can be configured by the user. This first
commit introduces the session limiter and adds it to the UDP
handling path. For now the limiter is set to run only in
unlimited mode.
2025-01-20 02:52:32 -08:00
kjake a546d623df Another vendor fix 2025-01-19 17:38:43 -05:00
kjake 018cba60e5 Fix vendors 2025-01-19 17:23:59 -05:00
kjake abce3d76f8 Update build.yml
Get go deps in the correct context
2025-01-19 17:12:54 -05:00
kjake bf160b011b Update go vendor modules
Making sure that go modules are current
2025-01-19 17:06:11 -05:00
kjake 45e3aef1ea Update build.yml
trying to solve `go build` issues
2025-01-19 16:29:47 -05:00
kjake 0cff12b1b6 Update build.yml
Enable CGO builds
2025-01-19 15:54:30 -05:00
kjake 8e4438c1b5 Update build.yml
Re-target FreeBSD 14.1
Debug environment vars
2025-01-19 15:07:44 -05:00
kjake cae50fffc0 Update build.yml
ensure dependancies are met
2025-01-19 14:44:20 -05:00
kjake 8aa84e46e3 Update build.yml
Fix for VCS stamping
2025-01-19 14:00:09 -05:00
kjake 6cca71a05c Create build.yml
Attempting automated FreeBSD builds
2025-01-19 13:47:49 -05:00
kjake 06fdbd4343 Update generic_service.go
Include changes from micah-yeager:master
2025-01-19 13:05:12 -05:00
Gonçalo Garcia 8918b6729e TUN-8871: Accept login flag to authenticate with Fedramp environment
## Summary
Some description...

Closes TUN-8871
2025-01-17 08:16:36 -08:00
João "Pisco" Fernandes 25c3f676f4 TUN-8900: Add import of Apple Developer Certificate Authority to macOS Pipeline
## Summary
During the renewal of the certificates used to sign the macOS binaries and package,
we faced an issue with the new certificates requiring a specific certification authority
that wasn't available in the keychain of the mac agents. Therefore, this commit adds
an import step that will ensure that the Certificate Authority, usually fetched from
https://www.apple.com/certificateauthority/ is imported into the keychain to validate
the Developer Certificates.

Closes TUN-8900
2025-01-17 07:10:16 -08:00