Compare commits
928 Commits
Author | SHA1 | Date |
---|---|---|
Devin Carr | 1f3e3045ad | |
Devin Carr | 952622a965 | |
lneto | 70393b6de4 | |
Luis Neto | e8e824a730 | |
Gonçalo Garcia | 3d33f559b1 | |
Devin Carr | 589c198d2d | |
Devin Carr | 5891c0d955 | |
lneto | d29017fac9 | |
Devin Carr | 6a6c890700 | |
Devin Carr | 599ba52750 | |
Luis Neto | 0eddb8a615 | |
Devin Carr | 16ecf60800 | |
Luis Neto | eabc0aaaa8 | |
GoncaloGarcia | 374a920b61 | |
lneto | 6ba0c25a92 | |
GoncaloGarcia | 48f703f990 | |
GoncaloGarcia | f407dbb712 | |
Devin Carr | 92e0f5fcf9 | |
Devin Carr | d608a64cc5 | |
Devin Carr | abb3466c31 | |
Devin Carr | a3ee49d8a9 | |
Luis Neto | bade488bdf | |
GoncaloGarcia | b426c62423 | |
GoncaloGarcia | fe7ff6cbfe | |
chungthuang | e2064c820f | |
GoncaloGarcia | 318488e229 | |
GoncaloGarcia | e251a21810 | |
Devin Carr | 05249c7b51 | |
Devin Carr | d7d81384c2 | |
Hrushikesh Deshpande | ea1c4a327d | |
Dean Sundquist | 5c5d1dc161 | |
Devin Carr | cd8cb47866 | |
Devin Carr | 2484df1f81 | |
GoncaloGarcia | a57fc25b54 | |
GoncaloGarcia | 2437675c04 | |
GoncaloGarcia | ec07269122 | |
GoncaloGarcia | 3ac69f2d06 | |
Devin Carr | a29184a171 | |
GoncaloGarcia | e05939f1c9 | |
GoncaloGarcia | ab0bce58f8 | |
chungthuang | d6b0833209 | |
chungthuang | 9f0f22c036 | |
Kornel | 394d3546bf | |
Kornel | a9365296ae | |
sellskin | 30c435fee6 | |
chungthuang | c7d63beba2 | |
lneto | 9f0002db40 | |
lneto | 86f33005b9 | |
lneto | bd9e020df9 | |
lneto | b03ea055b0 | |
lneto | ae7f7fa7e8 | |
lneto | c7f0f90bed | |
lneto | c7cd4e02b8 | |
lneto | 3bb3d71093 | |
lneto | c2183bd814 | |
lneto | db239e7319 | |
lneto | 26ae1ca3c8 | |
lneto | 13b2e423ed | |
lneto | 47733ba25e | |
lneto | c95959e845 | |
João Oliveirinha | 75752b681b | |
Devin Carr | 6174c4588b | |
Devin Carr | d875839e5e | |
GoncaloGarcia | 1f38deca1e | |
chungthuang | 628176a2d6 | |
chungthuang | 0b62d45738 | |
chungthuang | cb6e5999e1 | |
chungthuang | a16532dbbb | |
chungthuang | 354a5bb8af | |
chungthuang | e0b1899e97 | |
Devin Carr | d37ad42426 | |
Devin Carr | 44e6d1a313 | |
Devin Carr | 30197e7dfa | |
Devin Carr | 654a326098 | |
Devin Carr | 43446bc692 | |
Devin Carr | e9f010111d | |
Devin Carr | 8184bc457d | |
Devin Carr | 2db00211f5 | |
Devin Carr | eb2e4349e8 | |
João "Pisco" Fernandes | 7d76ce2d24 | |
João "Pisco" Fernandes | 66efd3f2bb | |
chungthuang | f27418044b | |
Devin Carr | 1b02d169ad | |
João "Pisco" Fernandes | 84833011ec | |
chungthuang | 5e5f2f4d8c | |
Devin Carr | b9898a9fbe | |
Devin Carr | 687682120c | |
Devin Carr | a1a9f3813e | |
GoncaloGarcia | 7deb4340b4 | |
Steven Kreitzer | b5be8a6fa4 | |
Alexandru Tocar | a665d3245a | |
chungthuang | a48691fe78 | |
chungthuang | b723a1a426 | |
sellskin | 619c12cc64 | |
GoncaloGarcia | bb29a0e194 | |
GoncaloGarcia | 86476e6248 | |
João "Pisco" Fernandes | da6fac4133 | |
João "Pisco" Fernandes | 47ad3238dd | |
João "Pisco" Fernandes | 4f7165530c | |
Nikita Sivukhin | a36fa07aba | |
Nanashi | e846943e66 | |
YueYue | 652c82daa9 | |
K.B.Dharun Krishna | a6760a6cbf | |
K.B.Dharun Krishna | 204d55ecec | |
K.B.Dharun Krishna | 1f4511ca6e | |
chungthuang | 110b2b4c80 | |
João Oliveirinha | dc2c76738a | |
João Oliveirinha | 5344a0bc6a | |
chungthuang | 3299a9bc15 | |
chungthuang | 34a876e4e7 | |
Devin Carr | 971360d5e0 | |
João "Pisco" Fernandes | 76badfa01b | |
Igor Postelnik | 56aeb6be65 | |
chungthuang | a9aa48d7a1 | |
chungthuang | 638203f9f1 | |
chungthuang | 98e043d17d | |
João Oliveirinha | 3ad4b732d4 | |
chungthuang | 9c1f5c33a8 | |
chungthuang | f75503bf3c | |
chungthuang | 2c38487a54 | |
chungthuang | ae0b261e56 | |
chungthuang | e653741885 | |
João Oliveirinha | e5ae80ab86 | |
chungthuang | ba2edca352 | |
Chung-Ting | c8ffdae859 | |
Chung-Ting | 8fc8c17522 | |
João "Pisco" Fernandes | 8d9aab5217 | |
João Oliveirinha | 25f91fec10 | |
chungthuang | c7b2cce131 | |
chungthuang | 3e5c2959db | |
chungthuang | 37ec2d4830 | |
chungthuang | ecd101d485 | |
chungthuang | cf5be91d2d | |
chungthuang | 28685a5055 | |
chungthuang | e23d928829 | |
chungthuang | 159fcb44ce | |
chungthuang | 8e69f41833 | |
Cristian Rodríguez | fbe357b1e6 | |
chungthuang | 00cd7c333c | |
chungthuang | 86b50eda15 | |
James Royal | 652df22831 | |
Shak Saleemi | 1776d3d335 | |
Chung-Ting | 33baad35b8 | |
Chung-Ting | 12dd91ada1 | |
Honahuku | b901d73d9b | |
Kyle Carberry | 61a16538a1 | |
TMKnight | 9e1f4c2bca | |
Alex Vanderpot | f51be82729 | |
Lars Lehtonen | fd5d8260bb | |
Sam Cook | f2c4fdb0ae | |
Lars Lehtonen | a4a84bb27e | |
Chung-Ting | 4ddc8d758b | |
Chung-Ting | 8068cdebb6 | |
James Royal | 45236a1f7d | |
Devin Carr | e0a55f9c0e | |
Sudarsan Reddy | c1d8c5e960 | |
Devin Carr | 7ae1d4668e | |
João Oliveirinha | adb7d40084 | |
João "Pisco" Fernandes | 541c63d737 | |
João Oliveirinha | f1d6f0c0be | |
João "Pisco" Fernandes | 958b6f1d24 | |
João Oliveirinha | 6d1d91d9f9 | |
João Oliveirinha | fc0ecf4185 | |
João Oliveirinha | 349586007c | |
Chung-Ting Huang | 569a7c3c9e | |
Chung-Ting Huang | bec683b67d | |
Chung-Ting Huang | 38d3c3cae5 | |
Chung-Ting Huang | f2d765351d | |
Sudarsan Reddy | 5d8f60873d | |
Chung-Ting Huang | b474778cf1 | |
Devin Carr | 65247b6f0f | |
Devin Carr | 5f3cfe044f | |
Devin Carr | 81fe0bd12b | |
João Oliveirinha | bfeaa3418d | |
Devin Carr | 9584adc38a | |
Devin Carr | 0096f2613c | |
João Oliveirinha | ac82c8b08b | |
João "Pisco" Fernandes | af3a66d60e | |
Devin Carr | 42e0540395 | |
Devin Carr | 2ee90483bf | |
Devin Carr | 2084a123c2 | |
Devin Carr | b500e556bf | |
Devin Carr | 1b0b6bf7a8 | |
Devin Carr | 85eee4849f | |
Devin Carr | 9b8a533435 | |
Devin Carr | 5abb90b539 | |
João Oliveirinha | 0c8bc56930 | |
Devin Carr | fdab68aa08 | |
Devin Carr | 5aaab967a3 | |
Devin Carr | ccad59dfab | |
Devin Carr | 8a3eade6d3 | |
Sudarsan Reddy | 39847a70f2 | |
João Oliveirinha | d1e338ee48 | |
Devin Carr | b243602d1c | |
Devin Carr | 960c5a7baf | |
Devin Carr | aca3575b6d | |
Devin Carr | 2b4815a9f5 | |
João "Pisco" Fernandes | 729890d847 | |
EduardoGomes | 31f424d589 | |
Sudarsan Reddy | cb4bd8d065 | |
Sudarsan Reddy | 1abd22ef0a | |
Devin Carr | a3bcf25fae | |
João Oliveirinha | 20e36c5bf3 | |
João "Pisco" Fernandes | 5693ba524b | |
João Oliveirinha | 9c6fbfca18 | |
João "Pisco" Fernandes | 925ec100d6 | |
Sudarsan Reddy | 58b27a1ccf | |
Devin Carr | 867360c8dd | |
Devin Carr | cb97257815 | |
Devin Carr | c43e07d6b7 | |
Devin Carr | 9426b60308 | |
Devin Carr | ff9621bbd5 | |
Devin Carr | 7a0a618c0d | |
João Oliveirinha | 0be1ed5284 | |
Devin Carr | 50a0c44cee | |
Devin Carr | 76391434c2 | |
Sudarsan Reddy | e8841c0fb3 | |
Devin Carr | aec1d8f653 | |
Devin Carr | c7f343a3b4 | |
Devin Carr | 7ecb6d3e88 | |
Devin Carr | 88c25d2c67 | |
Devin Carr | 38cd455e4d | |
Devin Carr | ee5e447d44 | |
Sudarsan Reddy | 4d30a71434 | |
Jesse Li | 39b7aed24e | |
Devin Carr | 4de1bc4bba | |
Sudarsan Reddy | e426693330 | |
Devin Carr | 0b5b9b8297 | |
Devin Carr | 7a014b06ec | |
James Royal | 171d4ac77c | |
Sudarsan Reddy | 5e212a6bf3 | |
Devin Carr | 3996b1adca | |
Devin Carr | 71997be90e | |
Devin Carr | 991f01fe34 | |
Devin Carr | b89c092c1b | |
Devin Carr | 8dc0697a8f | |
Sudarsan Reddy | 5dbf76a7aa | |
Devin Carr | 8d87d4facd | |
Devin Carr | 3fd571063e | |
Devin Carr | 5d0bb25572 | |
Devin Carr | c51b651afb | |
Devin Carr | 04367b0f63 | |
Devin Carr | 69eb9698b5 | |
Devin Carr | 55ed995bf0 | |
Devin Carr | 820a201603 | |
Devin Carr | 93acdaface | |
João Oliveirinha | 5972540efa | |
Han Li | 5e37a65dac | |
pufferfish | bfbe426905 | |
Devin Carr | 39ed5dc182 | |
Devin Carr | bbc8d9431b | |
Sudarsan Reddy | b5e03dd66c | |
Devin Carr | 87f81cc57c | |
Devin Carr | be64362fdb | |
João Oliveirinha | f686da832f | |
Sudarsan Reddy | be341fa055 | |
Sudarsan Reddy | ec2d18ea4f | |
Sudarsan Reddy | 1742379ba4 | |
Sudarsan Reddy | 9c15f31d00 | |
João Oliveirinha | 53fb50960d | |
Devin Carr | 7b8b3f73e7 | |
Robert Dinh | ede3c8e056 | |
Devin Carr | 93f8f6b55c | |
Devin Carr | bf3136debb | |
Devin Carr | 27f88ae209 | |
Sudarsan Reddy | 7080b8b2e6 | |
Sudarsan Reddy | 4c3417fedd | |
Bas Westerbaan | 354281fc6a | |
Spencer Comfort | b6d1daaf20 | |
Jake Edwards | 844b4938ca | |
iBug | fed60ae4c3 | |
Sudarsan Reddy | b97979487e | |
Sudarsan Reddy | 2221325f3d | |
Sudarsan Reddy | 2bb054c4bf | |
João Oliveirinha | 68ef4ab2a8 | |
Devin Carr | ea6fe121f8 | |
João Oliveirinha | 079631ccea | |
Devin Carr | 8cf2d319ca | |
Devin Carr | 0f95f8bae5 | |
Devin Carr | ae46af9236 | |
Devin Carr | bd046677e5 | |
João Oliveirinha | 8a9f076a26 | |
João Oliveirinha | 62dcb8a1d1 | |
João Oliveirinha | 90d710e3ec | |
Sudarsan Reddy | b8e610a067 | |
Devin Carr | c24f275981 | |
João Oliveirinha | d8f2b768f8 | |
Nuno Diegues | 93e569fa23 | |
Devin Carr | 207f4e2c8d | |
João Oliveirinha | 513855df5c | |
João Oliveirinha | bd917d294c | |
Nuno Diegues | 4616e9fcc2 | |
Sudarsan Reddy | de7ca4be30 | |
Sudarsan Reddy | 4d993488df | |
Devin Carr | 794e8e622f | |
Sudarsan Reddy | 87bd36c924 | |
Bas Westerbaan | de4fd472f3 | |
Devin Carr | 887e486a63 | |
Sudarsan Reddy | 645e22744c | |
Sudarsan Reddy | d19da6767a | |
Sudarsan Reddy | 045439f0ab | |
Sudarsan Reddy | 2519aec733 | |
Sudarsan Reddy | 99b3736cc7 | |
João Oliveirinha | e517242194 | |
Sudarsan Reddy | 7dee179652 | |
Sudarsan Reddy | 78ca8002d2 | |
Sudarsan Reddy | c13b6df0a7 | |
Sudarsan Reddy | b8b35d99fa | |
João Oliveirinha | 61ccc0b303 | |
João Oliveirinha | 7ef9bb89d3 | |
Sudarsan Reddy | 45e8eb7275 | |
Sudarsan Reddy | 72503eeaaa | |
Sudarsan Reddy | 09e33a0b17 | |
Sudarsan Reddy | 4c10f68e2d | |
João Oliveirinha | cf87ec7969 | |
João Oliveirinha | 64f15d9992 | |
João Oliveirinha | e3d35570e6 | |
João Oliveirinha | b0663dce33 | |
João Oliveirinha | af59851f33 | |
João Oliveirinha | c49621c723 | |
Sudarsan Reddy | 9339bb9485 | |
João Oliveirinha | 19106cd609 | |
João Oliveirinha | b50f172bdb | |
João Oliveirinha | 1c6316c1c9 | |
Devin Carr | 1fe4878264 | |
João Oliveirinha | 85b44695f0 | |
Joel May | 6a1dad0ce2 | |
Joel May | 2baea15387 | |
João Oliveirinha | a1d88a6cdd | |
Devin Carr | 515ad7cbee | |
n0k0m3 | 1b5313cc28 | |
João Oliveirinha | dde83d5a7c | |
João Oliveirinha | e14238224d | |
João Oliveirinha | 66d1f27507 | |
João Oliveirinha | e6c9ec0b39 | |
cthuang | c3c050aa79 | |
Chung-Ting | b1de2a74fa | |
Sudarsan Reddy | 4d32a64f98 | |
cthuang | 11f4d10174 | |
cthuang | 60a12fcb27 | |
Sudarsan Reddy | 442af9ee38 | |
Sudarsan Reddy | 2e895c3a4f | |
cthuang | e9d07e35c7 | |
cthuang | 2d5234e021 | |
cthuang | b6bd8c1f5e | |
cthuang | 495f9fb8bd | |
cthuang | 225c344ceb | |
João Oliveirinha | 61007dd2dd | |
João Oliveirinha | b01006fe46 | |
Robin Brämer | 872cb003a4 | |
Sven Höxter | 2aca844570 | |
Samuel Rhea | 90e5255a0d | |
Samuel Rhea | 4aead129ed | |
Jamie Nguyen | 9904929b83 | |
Nigel Armstrong | c280d62fe5 | |
cthuang | 40ea6a5080 | |
Devin Carr | 4642316167 | |
Bas Westerbaan | d0c10b34dd | |
Bas Westerbaan | f4ae8d1446 | |
Sudarsan Reddy | e89bceca5e | |
João Oliveirinha | 6be36fa2c5 | |
João Oliveirinha | f81d35447e | |
cthuang | 49438f30f5 | |
cthuang | eacc8c648d | |
Sudarsan Reddy | 5b30925773 | |
Devin Carr | d7fb18be22 | |
cthuang | cbf8c71fab | |
cthuang | 870193c064 | |
cthuang | fdddd86380 | |
Devin Carr | b3e26420c0 | |
cthuang | be0305ec58 | |
cthuang | 3449ea35f2 | |
Sudarsan Reddy | 7f487c2651 | |
Sudarsan Reddy | 9bb7628fbc | |
Sudarsan Reddy | eb36716ba4 | |
Sudarsan Reddy | 5d6b0642db | |
Sudarsan Reddy | 462d2f87df | |
Nuno Diegues | 0aa21f302e | |
Sudarsan Reddy | de07da02cd | |
Devin Carr | e9a2c85671 | |
Devin Carr | b0f0741a9b | |
Sudarsan Reddy | db4564e5b9 | |
cthuang | 3d345d3748 | |
cthuang | b1995b4dd1 | |
João Oliveirinha | b457cca1e5 | |
João Oliveirinha | a0b6ba9b8d | |
cthuang | de00396669 | |
Devin Carr | 013bdbd10c | |
cthuang | b639b6627a | |
cthuang | e454994e3e | |
cthuang | 8a53c1aa1d | |
Devin Carr | f5f3e6a453 | |
cthuang | 30c529e730 | |
cthuang | bf3d70d1d2 | |
cthuang | a65f8bce7f | |
cthuang | 2ffff0687b | |
Devin Carr | e380333520 | |
Bas Westerbaan | 11cbff4ff7 | |
Chung-Ting Huang | 3e0ff3a771 | |
Nuno Diegues | 7a19798682 | |
Nuno Diegues | 4b75943d59 | |
cthuang | fc20a22685 | |
cthuang | faa86ffeca | |
Devin Carr | f7a14d9200 | |
Nuno Diegues | 902e5beb4f | |
Nuno Diegues | 7ca5f7569a | |
Nuno Diegues | 4ac68711cd | |
Devin Carr | 075ac1acf1 | |
Devin Carr | cfef0e737f | |
Devin Carr | 8ec0f7746b | |
cthuang | 2b3707e2b9 | |
cthuang | 7e760f9fcc | |
cthuang | efb99d90d7 | |
João Oliveirinha | e131125558 | |
Devin Carr | af6bf5c4e5 | |
Sudarsan Reddy | e3390fcb15 | |
Devin Carr | fc5749328d | |
cthuang | 59f5b0df83 | |
João Oliveirinha | f6bd4aa039 | |
cthuang | d2bc15e224 | |
cthuang | bad2e8e812 | |
João Oliveirinha | 20ed7557f9 | |
Sudarsan Reddy | 8e9e1d973e | |
Devin Carr | a97673e8b9 | |
Sudarsan Reddy | e123bbe1c5 | |
Sudarsan Reddy | 906eb2d840 | |
Sudarsan Reddy | e09c62a796 | |
Sudarsan Reddy | bd88093de0 | |
Sudarsan Reddy | 0538953a39 | |
Opeyemi Onikute | 88235356d5 | |
Sudarsan Reddy | 99f39225f1 | |
cthuang | 278df5478a | |
Sudarsan Reddy | d3fd581b7b | |
Sudarsan Reddy | 68d370af19 | |
Sudarsan Reddy | 679a89c7df | |
João Oliveirinha | a768132d37 | |
João Oliveirinha | 9de4e88ca6 | |
Sudarsan Reddy | 91eba53035 | |
Sudarsan Reddy | 065d8355c5 | |
João Oliveirinha | 4016334efc | |
Sudarsan Reddy | d4d9a43dd7 | |
Sudarsan Reddy | 046a30e3c7 | |
Opeyemi Onikute | 7a9207a6e1 | |
Devin Carr | b9cba7f2ae | |
João Oliveirinha | 7f1c890a82 | |
Devin Carr | f48a7cd3dd | |
Sudarsan Reddy | d96c39196d | |
Sudarsan Reddy | 032ba7b5e4 | |
Anton Kozlov | e63ec34503 | |
Devin Carr | 2a177e0fc4 | |
Igor Postelnik | 1733fe8c65 | |
Nuno Diegues | 06f7ba4523 | |
Nuno Diegues | 7607ead143 | |
Devin Carr | ac7fdd5572 | |
cthuang | f3ba506880 | |
Silver | d2cb803336 | |
Stephen Heckler | efd4556546 | |
Devin Carr | 2e2718b7e3 | |
Devin Carr | b849def673 | |
Devin Carr | dd540af695 | |
Devin Carr | e921ab35d5 | |
Devin Carr | ae7fbc14f3 | |
Devin Carr | 2fa50acc2d | |
Devin Carr | c7a6304d32 | |
Devin Carr | f4667c6345 | |
Sudarsan Reddy | 6a6ba704f1 | |
Sudarsan Reddy | 135c8e6d13 | |
Sudarsan Reddy | 420e80ea50 | |
Sudarsan Reddy | 337591b2bb | |
Silver | fa6bcdad04 | |
Silver | ee87c43eb9 | |
Silver | bccc58b54d | |
Igor Postelnik | 3da1c25471 | |
Sudarsan Reddy | 7d0a271000 | |
Igor Postelnik | 102631d98d | |
Igor Postelnik | 6c3d2fc339 | |
Devin Carr | 1d79831651 | |
Devin Carr | 0458ad41dd | |
Devin Carr | b9453b84bb | |
Devin Carr | ab81ff8bfb | |
Igor Postelnik | f2339a7244 | |
Devin Carr | 978e01f77e | |
Areg Harutyunyan | 1275930f99 | |
Devin Carr | 8e9091cc48 | |
Devin Carr | 76add5ca77 | |
Igor Postelnik | e8407848ec | |
abe | 29d809535e | |
abe | cc1c6d9abc | |
Sudarsan Reddy | 69b28e358c | |
Niklas Rehfeld | 5ed3d4e29a | |
Devin Carr | 4f468b8a5d | |
Devin Carr | e3aad7799e | |
Sudarsan Reddy | cc8aa0efb5 | |
Nuno Diegues | 475939a77f | |
Nuno Diegues | 4ccef23dbc | |
Devin Carr | 2b0d704777 | |
Devin Carr | ee80e55833 | |
Niklas Rehfeld | 2345720b2b | |
Sudarsan Reddy | d714a62bd3 | |
Niklas Rehfeld | 7d4afd4ae0 | |
Nigel Armstrong | 056693c814 | |
Sudarsan Reddy | 73d948bc32 | |
Nuno Diegues | 5e6f606f4e | |
Sudarsan Reddy | 919227fc91 | |
Nuno Diegues | b8ba5b444c | |
cthuang | baed5f4eea | |
Sudarsan Reddy | 08a8101308 | |
Sudarsan Reddy | a2a4b06eb4 | |
Devin Carr | ec509e114a | |
Igor Postelnik | 7bc2462e36 | |
Sudarsan Reddy | 92f647d45c | |
Sudarsan Reddy | b2ac885370 | |
Igor Postelnik | 2c480a72db | |
Sudarsan Reddy | 32739e9f98 | |
Sudarsan Reddy | 7ce2bb8b2f | |
João Oliveirinha | 6f78ccde04 | |
João Oliveirinha | 26a7b59f6f | |
Sudarsan Reddy | 4b6437cc60 | |
Nuno Diegues | f7fd4ea71c | |
João Oliveirinha | 7bcab138c5 | |
Albony Cal | f758361730 | |
João Oliveirinha | fa2234d639 | |
João Oliveirinha | 99d4e48656 | |
Sudarsan Reddy | 0180b6d733 | |
Sudarsan Reddy | 9ef6191515 | |
Sudarsan Reddy | 2cf43abe8c | |
Nuno Diegues | 46c147a1b2 | |
Sudarsan Reddy | 1e71202c89 | |
Nuno Diegues | 8250708b37 | |
Sudarsan Reddy | 7499e5fa00 | |
Nuno Diegues | e8fe34773c | |
João Oliveirinha | 3254d08173 | |
João Oliveirinha | d68ad89159 | |
João Oliveirinha | f3244db861 | |
João Oliveirinha | d22cb4a6ca | |
cthuang | 8f0498f66a | |
Devin Carr | a97233bb3e | |
Jasmit Tarang | 775c2bc93e | |
cthuang | e4278bab97 | |
Devin Carr | f81b0ee9e8 | |
Nuno Diegues | 8a07a900fd | |
Nuno Diegues | d727d3ade6 | |
Nuno Diegues | 7a6ab54fcb | |
Devin Carr | def8f57dbc | |
João Oliveirinha | 9cde11f8e0 | |
João Oliveirinha | d1a4710aa2 | |
Piper McCorkle | 0dc3428424 | |
Sudarsan Reddy | b07b8b4d4b | |
Sudarsan Reddy | d433a0fa54 | |
Nuno Diegues | 2f05f969e2 | |
Silver | 14002e44e1 | |
Nuno Diegues | b12272529f | |
Misaka No | 377a9a8d27 | |
Nuno Diegues | a0f6eb9d5e | |
Sudarsan Reddy | 12302ba1bf | |
Silver | 317a7ea7e5 | |
Lars Lehtonen | 636ec75010 | |
cthuang | 98deb95eae | |
cthuang | c0f85ab85b | |
Nuno Diegues | c5d1662244 | |
Nuno Diegues | 8fd6074d67 | |
Devin Carr | 7e6fc49979 | |
Nuno Diegues | eb6697ae98 | |
Nuno Diegues | 092e76eb55 | |
Nuno Diegues | 62e1330e45 | |
Nuno Diegues | 98736a03e1 | |
Piper McCorkle | 4836216a9b | |
Nuno Diegues | 470e6c35c5 | |
Devin Carr | e2a8302bbc | |
Nuno Diegues | 6eeaf4be4b | |
Nuno Diegues | 5e2e757403 | |
João Oliveirinha | 9422ea8ed8 | |
Nuno Diegues | 1b511b2d25 | |
João Oliveirinha | 05b903a32e | |
Igor Postelnik | 398cc8b134 | |
Nuno Diegues | e1a9e98cca | |
Nuno Diegues | 057a0cc758 | |
cthuang | ca43b0357f | |
Devin Carr | 8cbd222e10 | |
João Oliveirinha | a50c0ca9ad | |
João Oliveirinha | 5352b3cf04 | |
Piper McCorkle | 9552bb7bc7 | |
Nuno Diegues | c54e8cd8e6 | |
Nuno Diegues | aeda35699e | |
cthuang | eee0d57ed0 | |
emmanuel | 0899d6a136 | |
Nuno Diegues | f44e496dd9 | |
Nuno Diegues | 3aebaaad01 | |
Nuno Diegues | 9d9627f645 | |
Sudarsan Reddy | 5c6207debc | |
Nuno Diegues | 7220c2c214 | |
João Oliveirinha | d17a61c15b | |
João Oliveirinha | 5431e0ca12 | |
João Oliveirinha | 706523389c | |
Devin Carr | c2a32de35f | |
Nuno Diegues | a1d485eca5 | |
Devin Carr | 8a1ba1f8ca | |
João Oliveirinha | b6d7076400 | |
João Oliveirinha | 22cd8ceb8c | |
Sudarsan Reddy | 9cd2780079 | |
Sudarsan Reddy | 9909e9d63c | |
João Oliveirinha | 051b2cf352 | |
Nuno Diegues | 4cf462e322 | |
cthuang | e56c4532ce | |
João Oliveirinha | d78a5ba5da | |
Areg Harutyunyan | 1c50618f97 | |
João Oliveirinha | 630650b90e | |
cthuang | d68ff390ca | |
abelinkinbio | 0571210374 | |
abe | a16dee1d2a | |
abe | 2f6f865f92 | |
cthuang | e22422aafb | |
Nuno Diegues | ff4cfeda0c | |
cthuang | db01127191 | |
cthuang | 1ff5fd3fdc | |
Nuno Diegues | 5b12e74099 | |
cthuang | b1edf5b96d | |
cthuang | d07d24e5a2 | |
Nuno Diegues | 0ab6867ae5 | |
Nuno Diegues | ed2bac026d | |
João Oliveirinha | e09dcf6d60 | |
João Oliveirinha | 76fb329a65 | |
Nuno Diegues | 7bac4b15b0 | |
cthuang | 8a5343d0a5 | |
Sudarsan Reddy | a84cbcde7e | |
Sudarsan Reddy | 1a92f1acfe | |
cthuang | c196679bc7 | |
Silver | 10fc450ae5 | |
João Oliveirinha | 74556bcd7d | |
cthuang | 97309d81ab | |
cthuang | 0292727a95 | |
cthuang | f33897615d | |
cthuang | 6fa58aadba | |
cthuang | ef3152f334 | |
Nuno Diegues | d6036d96f0 | |
Nuno Diegues | a6faa0c376 | |
Nuno Diegues | 1086d5ede5 | |
Nuno Diegues | c314d58b69 | |
Nuno Diegues | 628545d229 | |
Nuno Diegues | ead93e9f26 | |
João Oliveirinha | 5f380f3a54 | |
João Oliveirinha | 7814e870a7 | |
Nuno Diegues | 7c7cf688e6 | |
Nuno Diegues | a39d95d5f7 | |
Nuno Diegues | 01ad2785ee | |
Nuno Diegues | 6822e4f8ab | |
cthuang | 834c0eaeed | |
cthuang | 74a3026963 | |
Igor Postelnik | 8445b88d3c | |
cthuang | 7a55208c61 | |
Nuno Diegues | 581cfb8480 | |
Nuno Diegues | 201c462902 | |
cthuang | ebae7a7024 | |
Nuno Diegues | 70e675f42c | |
cthuang | 8f46065ab5 | |
cthuang | 41b9c22216 | |
Nuno Diegues | 88ce63e785 | |
Nuno Diegues | 2dc5f6ec8c | |
Nuno Diegues | 8d41f99f2f | |
Nuno Diegues | 173190aa79 | |
cthuang | 9251b3aa1f | |
Nuno Diegues | b0e27d1eac | |
cthuang | 73a265f2fc | |
Nuno Diegues | 9bc59bc78c | |
cthuang | b73c588254 | |
João Oliveirinha | 7e47667b08 | |
cthuang | eea3d11e40 | |
cthuang | dd32dc1364 | |
cthuang | fc2333c934 | |
Nuno Diegues | 571380b3f5 | |
Nuno Diegues | eec6b87eea | |
Nuno Diegues | 6cc7d99e32 | |
Nuno Diegues | 59bbd51065 | |
Nuno Diegues | e35f744b36 | |
Silver | a96d4243ba | |
Silver | d4733efb25 | |
Yuwei B | d1be558ca7 | |
Benoit Plessis | b88e0bc8f8 | |
Dimitris Apostolou | 197a70c9c4 | |
cthuang | e71b88fcaa | |
Nuno Diegues | 157f5d1412 | |
cthuang | 7024d193c9 | |
Nuno Diegues | 794635fb54 | |
Nuno Diegues | 1ee540a166 | |
Sudarsan Reddy | 6bcc9a76e9 | |
Sudarsan Reddy | 43f1c6ba82 | |
Sudarsan Reddy | 0146a8d8ed | |
Silver | 36479ef11f | |
Nuno Diegues | 58538619ea | |
Nuno Diegues | 573d410606 | |
cthuang | f6f10305a6 | |
cthuang | 588f1a03c4 | |
cthuang | f8fbbcd806 | |
cthuang | 2ca4633f89 | |
cthuang | 2ce11a20c4 | |
cthuang | ff7c48568c | |
Nuno Diegues | 958650be1f | |
Nuno Diegues | eb51ff0a6d | |
Nuno Diegues | 3f4407ce27 | |
Nuno Diegues | d9636c73b4 | |
Nuno Diegues | 6cbf90883d | |
Nuno Diegues | 76ade67f95 | |
Nuno Diegues | 997f2cf612 | |
Sudarsan Reddy | ceb509ee98 | |
Sudarsan Reddy | 5a3c0fdffa | |
Sudarsan Reddy | 2822fbe3db | |
Sudarsan Reddy | 5148d00516 | |
Sudarsan Reddy | bb10e1dee5 | |
Sudarsan Reddy | e445fd92f7 | |
Sudarsan Reddy | bccf4a63dc | |
Sudarsan Reddy | 7059ef8e13 | |
Jeremy Teale | 1239006e96 | |
Nuno Diegues | cbdf88ea28 | |
Sudarsan Reddy | 79ebfa8304 | |
Sudarsan Reddy | 5a5e49179a | |
Sudarsan Reddy | 470a85e65d | |
Sudarsan Reddy | d7da74cb9e | |
Sudarsan Reddy | 27e1277a3b | |
cthuang | 6238fd9022 | |
Nuno Diegues | f985ed567f | |
cthuang | d54c8cc745 | |
Sudarsan Reddy | 548e85829a | |
Sudarsan Reddy | fd14bf440b | |
Silver | e2b18364f4 | |
Nirantak Raghav | 52c4f875fa | |
Areg Harutyunyan | dac077fef1 | |
Silver | 0e68b1d24e | |
Riley Flynn | 6968b714d0 | |
Silver | 9310241e1a | |
Silver | 1cb22817db | |
Silver | fe4b9b1535 | |
Areg Harutyunyan | d04f48d872 | |
Joseph Voss | b5f6559179 | |
Silver | 89d408e3bd | |
Areg Harutyunyan | 533d005159 | |
cthuang | 98c3957d30 | |
Sudarsan Reddy | 671754fd19 | |
Sudarsan Reddy | d1801776b0 | |
cthuang | 11c06b5a1f | |
cthuang | 27cd83c2d3 | |
Nuno Diegues | 75bdc96763 | |
Nuno Diegues | c51879b17f | |
Nuno Diegues | 738b4f8d25 | |
Nuno Diegues | c7a44009d3 | |
Nuno Diegues | 754ad59512 | |
Sudarsan Reddy | 414cb12f02 | |
Areg Harutyunyan | d0a1daac3b | |
Nuno Diegues | 2afa307765 | |
Rishabh Bector | a4a9f45b0a | |
Sudarsan Reddy | 1da4fbbe0b | |
Nuno Diegues | 836149a5b0 | |
Sudarsan Reddy | 4ff215ee8c | |
Sudarsan Reddy | 17e3073a17 | |
Sudarsan Reddy | 071d595371 | |
Sudarsan Reddy | b6c85401a5 | |
Areg Harutyunyan | 3ef3e7a99a | |
Sudarsan Reddy | 12ad264eb3 | |
Sudarsan Reddy | 1082ac1c36 | |
Conor Mongey | a233f975c1 | |
Sudarsan Reddy | 5f6e867685 | |
Sudarsan Reddy | 78a9454023 | |
Sudarsan Reddy | ca85df10ff | |
Sudarsan Reddy | b8333b44a2 | |
Sudarsan Reddy | e49a7a4389 | |
Sudarsan Reddy | 5749425671 | |
Sudarsan Reddy | fac9dfb6e5 | |
Sudarsan Reddy | d9ec18314d | |
Sudarsan Reddy | ed024d0741 | |
Sudarsan Reddy | fd4000184c | |
Sudarsan Reddy | bcc847963e | |
Nuno Diegues | 1e8dea9112 | |
Sudarsan Reddy | cd4af5696d | |
Nuno Diegues | 8527d03a29 | |
Nuno Diegues | fa8aa02270 | |
Nuno Diegues | aa24338225 | |
Nuno Diegues | 0924549efd | |
Sudarsan Reddy | 67a3be5b7a | |
Sudarsan Reddy | c33a516663 | |
Sudarsan Reddy | ed1389ef08 | |
Sudarsan Reddy | 8fb6508ae6 | |
Sudarsan Reddy | ee8c8bd4c6 | |
Sudarsan Reddy | 0269062b24 | |
Sudarsan Reddy | bccf650165 | |
Sudarsan Reddy | cecc74d3fb | |
Rishabh Bector | 18992efa0c | |
Sudarsan Reddy | bd8af7d80d | |
Sudarsan Reddy | dff694b218 | |
Sudarsan Reddy | 38af26e232 | |
Sudarsan Reddy | 8f3526289a | |
Sudarsan Reddy | 81dff44bb9 | |
cthuang | 6e45e0d53b | |
Sudarsan Reddy | a7d2de1e12 | |
Rishabh Bector | 59cae0f622 | |
Sudarsan Reddy | d678584d89 | |
Sudarsan Reddy | f1b57526b3 | |
Rishabh Bector | 3eb9efd9f0 | |
Michael Borkenstein | 8d99e92852 | |
Nuno Diegues | 31ff7caeeb | |
Nuno Diegues | 5d84874d53 | |
Nuno Diegues | b06fe0fc5f | |
abe | bf38e5aa12 | |
Nuno Diegues | bf068e728f | |
Nuno Diegues | f88732277a | |
Martin Cuesta | a11c64b091 | |
Martin Cuesta | e404c29edb | |
Nuno Diegues | 98a0844f56 | |
Sudarsan Reddy | d6d65d183b | |
Sudarsan Reddy | 951d13d76c | |
Michael Borkenstein | f99ae90ca1 | |
Michael Borkenstein | e99d0b5bc4 | |
Michael Borkenstein | 48c5721bc6 | |
Michael Borkenstein | 235897ba21 | |
Adam Chalmers | bf737a0efc | |
Adam Chalmers | 4c5ebccacc | |
Adam Chalmers | a3153c6add | |
cthuang | a2bbe1bdc2 | |
cthuang | 6526211a69 | |
Silver | 103b2eca00 | |
Jonathon Belotti | 14ea6298bc | |
Adam Chalmers | b297e8bb90 | |
Igor Postelnik | 6cc8c39fa8 | |
Adam Chalmers | 4d4eedd1c0 | |
Adam Chalmers | a00eda9538 | |
Adam Chalmers | 9ff65c1e90 | |
Adam Chalmers | 2dcf3bd011 | |
Nuno Diegues | ae460b340b | |
Michael Borkenstein | bc54a7f87b | |
Adam Chalmers | 75c3ca2f4a | |
Adam Chalmers | 4bd17766a9 | |
Adam Chalmers | b87cb9aee8 | |
Adam Chalmers | 07af2a33b7 | |
abelinkinbio | 209091da39 | |
Areg Harutyunyan | 4d43a70a38 | |
Adam Chalmers | 5b35e968f3 | |
Daniel Hwang | f3b0b33dc5 | |
Michael Borkenstein | aca0c93461 | |
Adam Chalmers | eed7d7bbc9 | |
Areg Harutyunyan | 1073f8db40 | |
Igor Postelnik | e45695d4a3 | |
Igor Postelnik | 7ce0aefea4 | |
Igor Postelnik | 3ad99b241c | |
Nuno Diegues | b25d38dd72 | |
Nuno Diegues | 1720ac0fc6 | |
Nuno Diegues | 0929e5f0ff | |
Nuno Diegues | 36787d9cf7 | |
Adam Chalmers | 5afa3251dd | |
Igor Postelnik | 8ca0d86c85 | |
Adam Chalmers | ebf5292bf9 | |
Adam Chalmers | f9062ab473 | |
Nuno Diegues | d14f3b39a7 | |
Nuno Diegues | fd0529748a | |
Nuno Diegues | 9d3a7bd08e | |
Sudarsan Reddy | 1cf6ae37eb | |
Michael Borkenstein | 66da530ba3 | |
Michael Borkenstein | e9167f7f58 | |
Michael Borkenstein | 4494a27fab | |
Michael Borkenstein | 63833b07dd | |
Igor Postelnik | da4d0b2bae | |
cthuang | 027168c23a | |
Igor Postelnik | 50435546c5 | |
Igor Postelnik | 9018ee5d5e | |
cthuang | 12447677cf | |
Nuno Diegues | 6106737281 | |
Nuno Diegues | 8250b67a9f | |
Michael Borkenstein | db5c6f2556 | |
Michael Borkenstein | 9dd7898792 | |
cthuang | 92b3e8311f | |
Nuno Diegues | 4a7763e497 | |
cthuang | 9767ba1853 | |
Michael Borkenstein | 2c75326021 | |
Igor Postelnik | 9023daba24 | |
Nuno Diegues | 89d0e45d62 | |
Igor Postelnik | a34099724e | |
Igor Postelnik | 8c5498fad1 | |
Adam Chalmers | 2c746b3361 | |
cthuang | 954cd6adca | |
Nuno Diegues | 8432735867 | |
cthuang | d67fbbf94f | |
Nuno Diegues | 39901e1d60 | |
cthuang | 9df60276a9 | |
cthuang | 6a9ba61242 | |
Nuno Diegues | 848c44bd0b | |
Nuno Diegues | 9f84706eae | |
Michael Borkenstein | 841344f1e7 | |
cthuang | 25cfbec072 | |
cthuang | f23e33c082 | |
Nuno Diegues | d22b374208 | |
Nuno Diegues | d6e867d4d1 | |
cthuang | a7344435a5 | |
Lee Valentine | 206523344f | |
Adam Chalmers | b0e69c4b8a | |
Adam Chalmers | aa5ebb817a | |
Michael Borkenstein | 8e340d9598 | |
Nuno Diegues | 4296b23087 | |
Benjamin Buzbee | 452f8cef79 | |
Igor Postelnik | 39065377b5 | |
Areg Harutyunyan | d83d6d54ed | |
Nuno Diegues | a2b41ea3e6 | |
cthuang | 4481b9e46c | |
cthuang | e5d6f969be | |
Adam Chalmers | ded9dec4f0 | |
Nuno Diegues | 89b738f8fa | |
Adam Chalmers | 4f88982584 | |
Nuno Diegues | bcd71b56e9 | |
Adam Chalmers | 5c7b451e17 | |
cthuang | b73c039070 | |
PaulC | 53a69a228a | |
Areg Harutyunyan | eda3a7a305 | |
Nuno Diegues | f1ca2de515 | |
Adam Chalmers | 27507ab192 | |
Igor Postelnik | 6db934853d | |
Nuno Diegues | 792520d313 | |
Nuno Diegues | 8b9cfcde78 | |
Nuno Diegues | 5ba3b3b309 | |
cthuang | 63a29f421a | |
Sudarsan Reddy | e20c4f8752 | |
cthuang | ab4dda5427 | |
cthuang | 5943808746 | |
Sudarsan Reddy | ed57ee64e8 | |
Igor Postelnik | 9c298e4851 | |
Sudarsan Reddy | 8b794390e5 | |
Sudarsan Reddy | a6c2348127 | |
Nuno Diegues | 6681d179dc | |
cthuang | 2146f71b45 | |
cthuang | 3b93914612 | |
Sudarsan Reddy | b4700a52e3 | |
Sudarsan Reddy | 368066a966 | |
cthuang | e2262085e5 |
|
@ -1,8 +1,12 @@
|
||||||
images:
|
images:
|
||||||
- name: cloudflared
|
- name: cloudflared
|
||||||
dockerfile: Dockerfile
|
dockerfile: Dockerfile.$ARCH
|
||||||
context: .
|
context: .
|
||||||
|
version_file: versions
|
||||||
registries:
|
registries:
|
||||||
- name: docker.io/cloudflare
|
- name: docker.io/cloudflare
|
||||||
user: env:DOCKER_USER
|
user: env:DOCKER_USER
|
||||||
password: env:DOCKER_PASSWORD
|
password: env:DOCKER_PASSWORD
|
||||||
|
architectures:
|
||||||
|
- amd64
|
||||||
|
- arm64
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
.git
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
---
|
||||||
|
name: "\U0001F41B Bug report"
|
||||||
|
about: Create a report to help us improve cloudflared
|
||||||
|
title: "\U0001F41B"
|
||||||
|
labels: 'Priority: Normal, Type: Bug'
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
**Describe the bug**
|
||||||
|
A clear and concise description of what the bug is.
|
||||||
|
|
||||||
|
**To Reproduce**
|
||||||
|
Steps to reproduce the behavior:
|
||||||
|
1. Configure '...'
|
||||||
|
2. Run '....'
|
||||||
|
3. See error
|
||||||
|
|
||||||
|
If it's an issue with Cloudflare Tunnel:
|
||||||
|
4. Tunnel ID :
|
||||||
|
5. cloudflared config:
|
||||||
|
|
||||||
|
**Expected behavior**
|
||||||
|
A clear and concise description of what you expected to happen.
|
||||||
|
|
||||||
|
**Environment and versions**
|
||||||
|
- OS: [e.g. MacOS]
|
||||||
|
- Architecture: [e.g. AMD, ARM]
|
||||||
|
- Version: [e.g. 2022.02.0]
|
||||||
|
|
||||||
|
**Logs and errors**
|
||||||
|
If applicable, add logs or errors to help explain your problem.
|
||||||
|
|
||||||
|
**Additional context**
|
||||||
|
Add any other context about the problem here.
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
name: "\U0001F4DD Documentation"
|
||||||
|
about: Request new or updated documentation for cloudflared
|
||||||
|
title: "\U0001F4DD"
|
||||||
|
labels: 'Priority: Normal, Type: Documentation'
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
**Available Documentation**
|
||||||
|
A link to the documentation that is available today and the areas which could be improved.
|
||||||
|
|
||||||
|
**Suggested Documentation**
|
||||||
|
A clear and concise description of the documentation, tutorial, or guide that should be added.
|
||||||
|
|
||||||
|
**Additional context**
|
||||||
|
Add any other context or screenshots about the documentation request here.
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
name: "\U0001F4A1 Feature request"
|
||||||
|
about: Suggest a feature or enhancement for cloudflared
|
||||||
|
title: "\U0001F4A1"
|
||||||
|
labels: 'Priority: Normal, Type: Feature Request'
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
**Describe the feature you'd like**
|
||||||
|
A clear and concise description of the feature. What problem does it solve for you?
|
||||||
|
|
||||||
|
**Describe alternatives you've considered**
|
||||||
|
Are there any alternatives to solving this problem? If so, what was your experience with them?
|
||||||
|
|
||||||
|
**Additional context**
|
||||||
|
Add any other context or screenshots about the feature request here.
|
|
@ -0,0 +1,18 @@
|
||||||
|
on: [push, pull_request]
|
||||||
|
name: Check
|
||||||
|
jobs:
|
||||||
|
check:
|
||||||
|
strategy:
|
||||||
|
matrix:
|
||||||
|
go-version: [1.22.x]
|
||||||
|
os: [ubuntu-latest, macos-latest, windows-latest]
|
||||||
|
runs-on: ${{ matrix.os }}
|
||||||
|
steps:
|
||||||
|
- name: Install Go
|
||||||
|
uses: actions/setup-go@v5
|
||||||
|
with:
|
||||||
|
go-version: ${{ matrix.go-version }}
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
- name: Test
|
||||||
|
run: make test
|
|
@ -0,0 +1,25 @@
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request: {}
|
||||||
|
workflow_dispatch: {}
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- master
|
||||||
|
schedule:
|
||||||
|
- cron: '0 0 * * *'
|
||||||
|
name: Semgrep config
|
||||||
|
jobs:
|
||||||
|
semgrep:
|
||||||
|
name: semgrep/ci
|
||||||
|
runs-on: ubuntu-20.04
|
||||||
|
env:
|
||||||
|
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
|
||||||
|
SEMGREP_URL: https://cloudflare.semgrep.dev
|
||||||
|
SEMGREP_APP_URL: https://cloudflare.semgrep.dev
|
||||||
|
SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
|
||||||
|
container:
|
||||||
|
image: returntocorp/semgrep
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- run: semgrep ci
|
|
@ -1,21 +1,20 @@
|
||||||
.GOPATH/
|
/tmp
|
||||||
bin/
|
|
||||||
tmp/
|
|
||||||
guide/public
|
|
||||||
/.GOPATH
|
|
||||||
/bin
|
/bin
|
||||||
.idea
|
.idea
|
||||||
.build
|
.build
|
||||||
.vscode
|
.vscode
|
||||||
\#*\#
|
\#*\#
|
||||||
cscope.*
|
cscope.*
|
||||||
cloudflared
|
/cloudflared
|
||||||
cloudflared.pkg
|
/cloudflared.pkg
|
||||||
cloudflared.exe
|
/cloudflared.exe
|
||||||
cloudflared.msi
|
/cloudflared.msi
|
||||||
cloudflared-x86-64*
|
/cloudflared-x86-64*
|
||||||
!cmd/cloudflared/
|
/cloudflared.1
|
||||||
|
/packaging
|
||||||
.DS_Store
|
.DS_Store
|
||||||
*-session.log
|
*-session.log
|
||||||
ssh_server_tests/.env
|
ssh_server_tests/.env
|
||||||
.cover
|
/.cover
|
||||||
|
built_artifacts/
|
||||||
|
component-tests/.venv
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
# !/usr/bin/env bash
|
||||||
|
|
||||||
|
cd /tmp
|
||||||
|
git clone -q https://github.com/cloudflare/go
|
||||||
|
cd go/src
|
||||||
|
# https://github.com/cloudflare/go/tree/f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38 is version go1.22.5-devel-cf
|
||||||
|
git checkout -q f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38
|
||||||
|
./make.bash
|
|
@ -1,17 +1,23 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -exo pipefail
|
||||||
|
|
||||||
if [[ "$(uname)" != "Darwin" ]] ; then
|
if [[ "$(uname)" != "Darwin" ]] ; then
|
||||||
echo "This should be run on macOS"
|
echo "This should be run on macOS"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ "amd64" != "${TARGET_ARCH}" && "arm64" != "${TARGET_ARCH}" ]]
|
||||||
|
then
|
||||||
|
echo "TARGET_ARCH must be amd64 or arm64"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
go version
|
go version
|
||||||
export GO111MODULE=on
|
export GO111MODULE=on
|
||||||
|
|
||||||
# build 'cloudflared-darwin-amd64.tgz'
|
# build 'cloudflared-darwin-amd64.tgz'
|
||||||
mkdir -p artifacts
|
mkdir -p artifacts
|
||||||
FILENAME="$(pwd)/artifacts/cloudflared-darwin-amd64.tgz"
|
|
||||||
PKGNAME="$(pwd)/artifacts/cloudflared-amd64.pkg"
|
|
||||||
TARGET_DIRECTORY=".build"
|
TARGET_DIRECTORY=".build"
|
||||||
BINARY_NAME="cloudflared"
|
BINARY_NAME="cloudflared"
|
||||||
VERSION=$(git describe --tags --always --dirty="-dev")
|
VERSION=$(git describe --tags --always --dirty="-dev")
|
||||||
|
@ -23,17 +29,20 @@ INSTALLER_CERT="installer.cer"
|
||||||
BUNDLE_ID="com.cloudflare.cloudflared"
|
BUNDLE_ID="com.cloudflare.cloudflared"
|
||||||
SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
|
SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
|
||||||
export PATH="$PATH:/usr/local/bin"
|
export PATH="$PATH:/usr/local/bin"
|
||||||
|
FILENAME="$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz"
|
||||||
|
PKGNAME="$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg"
|
||||||
mkdir -p ../src/github.com/cloudflare/
|
mkdir -p ../src/github.com/cloudflare/
|
||||||
cp -r . ../src/github.com/cloudflare/cloudflared
|
cp -r . ../src/github.com/cloudflare/cloudflared
|
||||||
cd ../src/github.com/cloudflare/cloudflared
|
cd ../src/github.com/cloudflare/cloudflared
|
||||||
GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
|
|
||||||
|
|
||||||
# Add code signing private key to the key chain
|
# Add code signing private key to the key chain
|
||||||
if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
|
if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
|
||||||
if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
|
if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
|
||||||
# write private key to disk and then import it keychain
|
# write private key to disk and then import it keychain
|
||||||
echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
|
echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
|
||||||
out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1)
|
# we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error
|
||||||
|
# will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
|
||||||
|
out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1) || true
|
||||||
exitcode=$?
|
exitcode=$?
|
||||||
if [ -n "$out" ]; then
|
if [ -n "$out" ]; then
|
||||||
if [ $exitcode -eq 0 ]; then
|
if [ $exitcode -eq 0 ]; then
|
||||||
|
@ -53,7 +62,7 @@ fi
|
||||||
if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
|
if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
|
||||||
# write certificate to disk and then import it keychain
|
# write certificate to disk and then import it keychain
|
||||||
echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
|
echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
|
||||||
out1=$(security import ${CODE_SIGN_CERT} -A 2>&1)
|
out1=$(security import ${CODE_SIGN_CERT} -A 2>&1) || true
|
||||||
exitcode1=$?
|
exitcode1=$?
|
||||||
if [ -n "$out1" ]; then
|
if [ -n "$out1" ]; then
|
||||||
if [ $exitcode1 -eq 0 ]; then
|
if [ $exitcode1 -eq 0 ]; then
|
||||||
|
@ -75,7 +84,7 @@ if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
|
||||||
if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
|
if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
|
||||||
# write private key to disk and then import it into the keychain
|
# write private key to disk and then import it into the keychain
|
||||||
echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
|
echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
|
||||||
out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1)
|
out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1) || true
|
||||||
exitcode2=$?
|
exitcode2=$?
|
||||||
if [ -n "$out2" ]; then
|
if [ -n "$out2" ]; then
|
||||||
if [ $exitcode2 -eq 0 ]; then
|
if [ $exitcode2 -eq 0 ]; then
|
||||||
|
@ -95,7 +104,7 @@ fi
|
||||||
if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
|
if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
|
||||||
# write certificate to disk and then import it keychain
|
# write certificate to disk and then import it keychain
|
||||||
echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
|
echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
|
||||||
out3=$(security import ${INSTALLER_CERT} -A 2>&1)
|
out3=$(security import ${INSTALLER_CERT} -A 2>&1) || true
|
||||||
exitcode3=$?
|
exitcode3=$?
|
||||||
if [ -n "$out3" ]; then
|
if [ -n "$out3" ]; then
|
||||||
if [ $exitcode3 -eq 0 ]; then
|
if [ $exitcode3 -eq 0 ]; then
|
||||||
|
@ -134,26 +143,28 @@ else
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# cleanup the build directory because the previous execution might have failed without cleaning up.
|
||||||
|
rm -rf "${TARGET_DIRECTORY}"
|
||||||
|
export TARGET_OS="darwin"
|
||||||
|
GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
|
||||||
|
|
||||||
# sign the cloudflared binary
|
# sign the cloudflared binary
|
||||||
if [[ ! -z "$CODE_SIGN_NAME" ]]; then
|
if [[ ! -z "$CODE_SIGN_NAME" ]]; then
|
||||||
codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
|
codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
|
||||||
|
|
||||||
# notarize the binary
|
# notarize the binary
|
||||||
if [[ ! -z "$CFD_NOTE_PASSWORD" ]]; then
|
# TODO: TUN-5789
|
||||||
zip "${BINARY_NAME}.zip" ${BINARY_NAME}
|
|
||||||
xcrun altool --notarize-app -f "${BINARY_NAME}.zip" -t osx -u ${CFD_NOTE_USERNAME} -p ${CFD_NOTE_PASSWORD} --primary-bundle-id ${BUNDLE_ID}
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
|
||||||
# creating build directory
|
# creating build directory
|
||||||
rm -rf $TARGET_DIRECTORY
|
rm -rf $ARCH_TARGET_DIRECTORY
|
||||||
mkdir "${TARGET_DIRECTORY}"
|
mkdir -p "${ARCH_TARGET_DIRECTORY}"
|
||||||
mkdir "${TARGET_DIRECTORY}/contents"
|
mkdir -p "${ARCH_TARGET_DIRECTORY}/contents"
|
||||||
cp -r ".mac_resources/scripts" "${TARGET_DIRECTORY}/scripts"
|
cp -r ".mac_resources/scripts" "${ARCH_TARGET_DIRECTORY}/scripts"
|
||||||
|
|
||||||
# copy cloudflared into the build directory
|
# copy cloudflared into the build directory
|
||||||
cp ${BINARY_NAME} "${TARGET_DIRECTORY}/contents/${PRODUCT}"
|
cp ${BINARY_NAME} "${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}"
|
||||||
|
|
||||||
# compress cloudflared into a tar and gzipped file
|
# compress cloudflared into a tar and gzipped file
|
||||||
tar czf "$FILENAME" "${BINARY_NAME}"
|
tar czf "$FILENAME" "${BINARY_NAME}"
|
||||||
|
@ -162,26 +173,23 @@ tar czf "$FILENAME" "${BINARY_NAME}"
|
||||||
if [[ ! -z "$PKG_SIGN_NAME" ]]; then
|
if [[ ! -z "$PKG_SIGN_NAME" ]]; then
|
||||||
pkgbuild --identifier com.cloudflare.${PRODUCT} \
|
pkgbuild --identifier com.cloudflare.${PRODUCT} \
|
||||||
--version ${VERSION} \
|
--version ${VERSION} \
|
||||||
--scripts ${TARGET_DIRECTORY}/scripts \
|
--scripts ${ARCH_TARGET_DIRECTORY}/scripts \
|
||||||
--root ${TARGET_DIRECTORY}/contents \
|
--root ${ARCH_TARGET_DIRECTORY}/contents \
|
||||||
--install-location /usr/local/bin \
|
--install-location /usr/local/bin \
|
||||||
--sign "${PKG_SIGN_NAME}" \
|
--sign "${PKG_SIGN_NAME}" \
|
||||||
${PKGNAME}
|
${PKGNAME}
|
||||||
|
|
||||||
# notarize the package
|
# notarize the package
|
||||||
if [[ ! -z "$CFD_NOTE_PASSWORD" ]]; then
|
# TODO: TUN-5789
|
||||||
xcrun altool --notarize-app -f ${PKGNAME} -t osx -u ${CFD_NOTE_USERNAME} -p ${CFD_NOTE_PASSWORD} --primary-bundle-id ${BUNDLE_ID}
|
|
||||||
xcrun stapler staple ${PKGNAME}
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
pkgbuild --identifier com.cloudflare.${PRODUCT} \
|
pkgbuild --identifier com.cloudflare.${PRODUCT} \
|
||||||
--version ${VERSION} \
|
--version ${VERSION} \
|
||||||
--scripts ${TARGET_DIRECTORY}/scripts \
|
--scripts ${ARCH_TARGET_DIRECTORY}/scripts \
|
||||||
--root ${TARGET_DIRECTORY}/contents \
|
--root ${ARCH_TARGET_DIRECTORY}/contents \
|
||||||
--install-location /usr/local/bin \
|
--install-location /usr/local/bin \
|
||||||
${PKGNAME}
|
${PKGNAME}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# cleanup build directory because this script is not ran within containers,
|
||||||
# cleaning up the build directory
|
# which might lead to future issues in subsequent runs.
|
||||||
rm -rf $TARGET_DIRECTORY
|
rm -rf "${TARGET_DIRECTORY}"
|
|
@ -0,0 +1,10 @@
|
||||||
|
rm -rf /tmp/go
|
||||||
|
export GOCACHE=/tmp/gocache
|
||||||
|
rm -rf $GOCACHE
|
||||||
|
|
||||||
|
./.teamcity/install-cloudflare-go.sh
|
||||||
|
|
||||||
|
export PATH="/tmp/go/bin:$PATH"
|
||||||
|
go version
|
||||||
|
which go
|
||||||
|
go env
|
|
@ -0,0 +1,19 @@
|
||||||
|
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
|
||||||
|
echo $VERSION
|
||||||
|
|
||||||
|
export TARGET_OS=windows
|
||||||
|
# This controls the directory the built artifacts go into
|
||||||
|
export BUILT_ARTIFACT_DIR=built_artifacts/
|
||||||
|
export FINAL_ARTIFACT_DIR=artifacts/
|
||||||
|
mkdir -p $BUILT_ARTIFACT_DIR
|
||||||
|
mkdir -p $FINAL_ARTIFACT_DIR
|
||||||
|
windowsArchs=("amd64" "386")
|
||||||
|
for arch in ${windowsArchs[@]}; do
|
||||||
|
export TARGET_ARCH=$arch
|
||||||
|
# Copy exe into final directory
|
||||||
|
cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
|
||||||
|
make cloudflared-msi
|
||||||
|
# Copy msi into final directory
|
||||||
|
mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
|
||||||
|
cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.exe
|
||||||
|
done
|
|
@ -1,67 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
FILENAME="${PWD}/artifacts/cloudflared-darwin-amd64.tgz"
|
|
||||||
|
|
||||||
if ! VERSION="$(git describe --tags --exact-match 2>/dev/null)" ; then
|
|
||||||
echo "Skipping public release for an untagged commit."
|
|
||||||
echo "##teamcity[buildStatus status='SUCCESS' text='Skipped due to lack of tag']"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ ! -f "$FILENAME" ]] ; then
|
|
||||||
echo "Missing $FILENAME"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ "${GITHUB_PRIVATE_KEY:-}" == "" ]] ; then
|
|
||||||
echo "Missing GITHUB_PRIVATE_KEY"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# upload to s3 bucket for use by Homebrew formula
|
|
||||||
s3cmd \
|
|
||||||
--acl-public --signature-v2 --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
|
|
||||||
put "$FILENAME" "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz"
|
|
||||||
s3cmd \
|
|
||||||
--acl-public --signature-v2 --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
|
|
||||||
cp "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz" "s3://cftunnel-docs/dl/cloudflared-stable-darwin-amd64.tgz"
|
|
||||||
SHA256=$(sha256sum "$FILENAME" | cut -b1-64)
|
|
||||||
|
|
||||||
# set up git (note that UserKnownHostsFile is an absolute path so we can cd wherever)
|
|
||||||
mkdir -p tmp
|
|
||||||
ssh-keyscan -t rsa github.com > tmp/github.txt
|
|
||||||
echo "$GITHUB_PRIVATE_KEY" > tmp/private.key
|
|
||||||
chmod 0400 tmp/private.key
|
|
||||||
export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PWD/tmp/github.txt -i $PWD/tmp/private.key -o IdentitiesOnly=yes"
|
|
||||||
|
|
||||||
# clone Homebrew repo into tmp/homebrew-cloudflare
|
|
||||||
git clone git@github.com:cloudflare/homebrew-cloudflare.git tmp/homebrew-cloudflare
|
|
||||||
cd tmp/homebrew-cloudflare
|
|
||||||
git checkout -f master
|
|
||||||
git reset --hard origin/master
|
|
||||||
|
|
||||||
# modify cloudflared.rb
|
|
||||||
URL="https://packages.argotunnel.com/dl/cloudflared-$VERSION-darwin-amd64.tgz"
|
|
||||||
tee cloudflared.rb <<EOF
|
|
||||||
class Cloudflared < Formula
|
|
||||||
desc 'Argo Tunnel'
|
|
||||||
homepage 'https://developers.cloudflare.com/argo-tunnel/'
|
|
||||||
url '$URL'
|
|
||||||
sha256 '$SHA256'
|
|
||||||
version '$VERSION'
|
|
||||||
def install
|
|
||||||
bin.install 'cloudflared'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# push cloudflared.rb
|
|
||||||
git add cloudflared.rb
|
|
||||||
git diff
|
|
||||||
git config user.name "cloudflare-warp-bot"
|
|
||||||
git config user.email "warp-bot@cloudflare.com"
|
|
||||||
git commit -m "Release Argo Tunnel $VERSION"
|
|
||||||
|
|
||||||
git push -v origin master
|
|
|
@ -0,0 +1,28 @@
|
||||||
|
Set-StrictMode -Version Latest
|
||||||
|
$ErrorActionPreference = "Stop"
|
||||||
|
$ProgressPreference = "SilentlyContinue"
|
||||||
|
|
||||||
|
# Relative path to working directory
|
||||||
|
$CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
|
||||||
|
|
||||||
|
cd $CloudflaredDirectory
|
||||||
|
|
||||||
|
Write-Output "Building for amd64"
|
||||||
|
$env:TARGET_OS = "windows"
|
||||||
|
$env:CGO_ENABLED = 1
|
||||||
|
$env:TARGET_ARCH = "amd64"
|
||||||
|
$env:Path = "$Env:Temp\go\bin;$($env:Path)"
|
||||||
|
|
||||||
|
go env
|
||||||
|
go version
|
||||||
|
|
||||||
|
& make cloudflared
|
||||||
|
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
|
||||||
|
copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
|
||||||
|
|
||||||
|
Write-Output "Building for 386"
|
||||||
|
$env:CGO_ENABLED = 0
|
||||||
|
$env:TARGET_ARCH = "386"
|
||||||
|
make cloudflared
|
||||||
|
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
|
||||||
|
copy .\cloudflared.exe .\cloudflared-windows-386.exe
|
|
@ -0,0 +1,47 @@
|
||||||
|
Set-StrictMode -Version Latest
|
||||||
|
$ErrorActionPreference = "Stop"
|
||||||
|
$ProgressPreference = "SilentlyContinue"
|
||||||
|
|
||||||
|
$WorkingDirectory = Get-Location
|
||||||
|
$CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
|
||||||
|
|
||||||
|
go env
|
||||||
|
go version
|
||||||
|
|
||||||
|
$env:TARGET_OS = "windows"
|
||||||
|
$env:CGO_ENABLED = 1
|
||||||
|
$env:TARGET_ARCH = "amd64"
|
||||||
|
$env:Path = "$Env:Temp\go\bin;$($env:Path)"
|
||||||
|
|
||||||
|
python --version
|
||||||
|
python -m pip --version
|
||||||
|
|
||||||
|
cd $CloudflaredDirectory
|
||||||
|
|
||||||
|
go env
|
||||||
|
go version
|
||||||
|
|
||||||
|
Write-Output "Building cloudflared"
|
||||||
|
|
||||||
|
& make cloudflared
|
||||||
|
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
|
||||||
|
|
||||||
|
echo $LASTEXITCODE
|
||||||
|
|
||||||
|
Write-Output "Running unit tests"
|
||||||
|
|
||||||
|
# Not testing with race detector because of https://github.com/golang/go/issues/61058
|
||||||
|
# We already test it on other platforms
|
||||||
|
& go test -failfast -mod=vendor ./...
|
||||||
|
if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
|
||||||
|
|
||||||
|
Write-Output "Running component tests"
|
||||||
|
|
||||||
|
python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
|
||||||
|
python component-tests/setup.py --type create
|
||||||
|
python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
|
||||||
|
if ($LASTEXITCODE -ne 0) {
|
||||||
|
python component-tests/setup.py --type cleanup
|
||||||
|
throw "Failed component tests"
|
||||||
|
}
|
||||||
|
python component-tests/setup.py --type cleanup
|
|
@ -0,0 +1,16 @@
|
||||||
|
Set-StrictMode -Version Latest
|
||||||
|
$ErrorActionPreference = "Stop"
|
||||||
|
$ProgressPreference = "SilentlyContinue"
|
||||||
|
|
||||||
|
Write-Output "Downloading cloudflare go..."
|
||||||
|
|
||||||
|
Set-Location "$Env:Temp"
|
||||||
|
|
||||||
|
git clone -q https://github.com/cloudflare/go
|
||||||
|
Write-Output "Building go..."
|
||||||
|
cd go/src
|
||||||
|
# https://github.com/cloudflare/go/tree/f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38 is version go1.22.5-devel-cf
|
||||||
|
git checkout -q f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38
|
||||||
|
& ./make.bat
|
||||||
|
|
||||||
|
Write-Output "Installed"
|
|
@ -0,0 +1,20 @@
|
||||||
|
$ErrorActionPreference = "Stop"
|
||||||
|
$ProgressPreference = "SilentlyContinue"
|
||||||
|
$GoMsiVersion = "go1.22.5.windows-amd64.msi"
|
||||||
|
|
||||||
|
Write-Output "Downloading go installer..."
|
||||||
|
|
||||||
|
Set-Location "$Env:Temp"
|
||||||
|
|
||||||
|
(New-Object System.Net.WebClient).DownloadFile(
|
||||||
|
"https://go.dev/dl/$GoMsiVersion",
|
||||||
|
"$Env:Temp\$GoMsiVersion"
|
||||||
|
)
|
||||||
|
|
||||||
|
Write-Output "Installing go..."
|
||||||
|
Install-Package "$Env:Temp\$GoMsiVersion" -Force
|
||||||
|
|
||||||
|
# Go installer updates global $PATH
|
||||||
|
go env
|
||||||
|
|
||||||
|
Write-Output "Installed"
|
352
CHANGES.md
352
CHANGES.md
|
@ -1,22 +1,360 @@
|
||||||
# Experimental: This is a new format for release notes. The format and availability is subject to change.
|
## 2024.10.0
|
||||||
|
### Bug Fixes
|
||||||
|
- We fixed a bug related to `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force `cloudflared` to shutdown as soon as either SIGTERM or SIGINT is received.
|
||||||
|
|
||||||
|
## 2024.2.1
|
||||||
|
### Notices
|
||||||
|
- Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).
|
||||||
|
|
||||||
|
## 2023.9.0
|
||||||
|
### Notices
|
||||||
|
- The `warp-routing` `enabled: boolean` flag is no longer supported in the configuration file. Warp Routing traffic (eg TCP, UDP, ICMP) traffic is proxied to cloudflared if routes to the target tunnel are configured. This change does not affect remotely managed tunnels, but for locally managed tunnels, users that might be relying on this feature flag to block traffic should instead guarantee that tunnel has no Private Routes configured for the tunnel.
|
||||||
|
## 2023.7.0
|
||||||
|
### New Features
|
||||||
|
- You can now enable additional diagnostics over the management.argotunnel.com service for your active cloudflared connectors via a new runtime flag `--management-diagnostics` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`). This feature is provided as opt-in and requires the flag to enable. Endpoints such as /metrics provides your prometheus metrics endpoint another mechanism to be reached. Additionally /debug/pprof/(goroutine|heap) are also introduced to allow for remotely retrieving active pprof information from a running cloudflared connector.
|
||||||
|
|
||||||
|
## 2023.4.1
|
||||||
|
### New Features
|
||||||
|
- You can now stream your logs from your remote cloudflared to your local terminal with `cloudflared tail <TUNNEL-ID>`. This new feature requires the remote cloudflared to be version 2023.4.1 or higher.
|
||||||
|
|
||||||
|
## 2023.3.2
|
||||||
|
### Notices
|
||||||
|
- Due to the nature of QuickTunnels (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/trycloudflare/) and its intended usage for testing and experiment of Cloudflare Tunnels, starting from 2023.3.2, QuickTunnels only make a single connection to the edge. If users want to use Tunnels in a production environment, they should move to Named Tunnels instead. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/remote/#set-up-a-tunnel-remotely-dashboard-setup)
|
||||||
|
|
||||||
|
## 2023.3.1
|
||||||
|
### Breaking Change
|
||||||
|
- Running a tunnel without ingress rules defined in configuration file nor from the CLI flags will no longer provide a default ingress rule to localhost:8080 and instead will return HTTP response code 503 for all incoming HTTP requests.
|
||||||
|
|
||||||
|
### Security Fixes
|
||||||
|
- Windows 32 bit machines MSI now defaults to Program Files to install cloudflared. (See CVE-2023-1314). The cloudflared client itself is unaffected. This just changes how the installer works on 32 bit windows machines.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
- Fixed a bug that would cause running tunnel on Bastion mode and without ingress rules to crash.
|
||||||
|
|
||||||
|
## 2023.2.2
|
||||||
|
### Notices
|
||||||
|
- Legacy tunnels were officially deprecated on December 1, 2022. Starting with this version, cloudflared no longer supports connecting legacy tunnels.
|
||||||
|
- h2mux tunnel connection protocol is no longer supported. Any tunnels still configured to use this protocol will alert and use http2 tunnel protocol instead. We recommend using quic protocol for all tunnels going forward.
|
||||||
|
|
||||||
|
## 2023.2.1
|
||||||
|
### Bug fixes
|
||||||
|
- Fixed a bug in TCP connection proxy that could result in the connection being closed before all data was written.
|
||||||
|
- cloudflared now correctly aborts body write if connection to origin service fails after response headers were sent already.
|
||||||
|
- Fixed a bug introduced in the previous release where debug endpoints were removed.
|
||||||
|
|
||||||
|
## 2022.12.0
|
||||||
|
### Improvements
|
||||||
|
- cloudflared now attempts to try other edge addresses before falling back to a lower protocol.
|
||||||
|
- cloudflared tunnel no longer spins up a quick tunnel. The call has to be explicit and provide a --url flag.
|
||||||
|
- cloudflared will now randomly pick the first or second region to connect to instead of always connecting to region2 first.
|
||||||
|
|
||||||
|
## 2022.9.0
|
||||||
|
### New Features
|
||||||
|
- cloudflared now rejects ingress rules with invalid http status codes for http_status.
|
||||||
|
|
||||||
|
## 2022.8.1
|
||||||
|
### New Features
|
||||||
|
- cloudflared now remembers if it connected to a certain protocol successfully. If it did, it does not fall back to a lower
|
||||||
|
protocol on connection failures.
|
||||||
|
|
||||||
|
## 2022.7.1
|
||||||
|
### New Features
|
||||||
|
- It is now possible to connect cloudflared tunnel to Cloudflare Global Network with IPv6. See `cloudflared tunnel --help` and look for `edge-ip-version` for more information. For now, the default behavior is to still connect with IPv4 only.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
- Several bug fixes related with QUIC transport (used between cloudflared tunnel and Cloudflare Global Network). Updating to this version is highly recommended.
|
||||||
|
|
||||||
|
## 2022.4.0
|
||||||
|
### Bug Fixes
|
||||||
|
- `cloudflared tunnel run` no longer logs the Tunnel token or JSON credentials in clear text as those are the secret
|
||||||
|
that allows to run the Tunnel.
|
||||||
|
|
||||||
|
## 2022.3.4
|
||||||
|
### New Features
|
||||||
|
- It is now possible to retrieve the credentials that allow to run a Tunnel in case you forgot/lost them. This is
|
||||||
|
achievable with: `cloudflared tunnel token --cred-file /path/to/file.json TUNNEL`. This new feature only works for
|
||||||
|
Tunnels created with cloudflared version 2022.3.0 or more recent.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
- `cloudflared service install` now starts the underlying agent service on Linux operating system (similarly to the
|
||||||
|
behaviour in Windows and MacOS).
|
||||||
|
|
||||||
|
## 2022.3.3
|
||||||
|
### Bug Fixes
|
||||||
|
- `cloudflared service install` now starts the underlying agent service on Windows operating system (similarly to the
|
||||||
|
behaviour in MacOS).
|
||||||
|
|
||||||
|
## 2022.3.1
|
||||||
|
### Bug Fixes
|
||||||
|
- Various fixes to the reliability of `quic` protocol, including an edge case that could lead to cloudflared crashing.
|
||||||
|
|
||||||
|
## 2022.3.0
|
||||||
|
### New Features
|
||||||
|
- It is now possible to configure Ingress Rules to point to an origin served by unix socket with either HTTP or HTTPS.
|
||||||
|
If the origin starts with `unix:/` then we assume HTTP (existing behavior). Otherwise, the origin can start with
|
||||||
|
`unix+tls:/` for HTTPS.
|
||||||
|
|
||||||
|
## 2022.2.1
|
||||||
|
### New Features
|
||||||
|
- This project now has a new LICENSE that is more compliant with open source purposes.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
- Various fixes to the reliability of `quic` protocol.
|
||||||
|
|
||||||
|
## 2022.1.3
|
||||||
|
### New Features
|
||||||
|
- New `cloudflared tunnel vnet` commands to allow for private routing to be virtualized. This means that the same CIDR
|
||||||
|
can now be used to point to two different Tunnels with `cloudflared tunnel route ip` command. More information will be
|
||||||
|
made available on blog.cloudflare.com and developers.cloudflare.com/cloudflare-one once the feature is globally available.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
- Correctly handle proxying UDP datagrams with no payload.
|
||||||
|
- Bug fix for origins that use Server-Sent Events (SSE).
|
||||||
|
|
||||||
|
## 2022.1.0
|
||||||
|
### Improvements
|
||||||
|
- If a specific `protocol` property is defined (e.g. for `quic`), cloudflared no longer falls back to an older protocol
|
||||||
|
(such as `http2`) in face of connectivity errors. This is important because some features are only supported in a specific
|
||||||
|
protocol (e.g. UDP proxying only works for `quic`). Hence, if a user chooses a protocol, cloudflared now adheres to it
|
||||||
|
no matter what.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
- Stopping cloudflared running with `quic` protocol now respects graceful shutdown.
|
||||||
|
|
||||||
|
## 2021.12.2
|
||||||
|
### Bug Fixes
|
||||||
|
- Fix logging when `quic` transport is used and UDP traffic is proxied.
|
||||||
|
- FIPS compliant cloudflared binaries will now be released as separate artifacts. Recall that these are only for linux
|
||||||
|
and amd64.
|
||||||
|
|
||||||
|
## 2021.12.1
|
||||||
|
### Bug Fixes
|
||||||
|
- Fixes Github issue #530 where cloudflared 2021.12.0 could not reach origins that were HTTPS and using certain encryption
|
||||||
|
methods forbidden by FIPS compliance (such as Let's Encrypt certificates). To address this fix we have temporarily reverted
|
||||||
|
FIPS compliance from amd64 linux binaries that was recently introduced (or fixed actually as it was never working before).
|
||||||
|
|
||||||
|
## 2021.12.0
|
||||||
|
### New Features
|
||||||
|
- Cloudflared binary released for amd64 linux is now FIPS compliant.
|
||||||
|
|
||||||
|
### Improvements
|
||||||
|
- Logging about connectivity to Cloudflare edge now only yields `ERR` level logging if there are no connections to
|
||||||
|
Cloudflare edge that are active. Otherwise it logs `WARN` level.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
- Fixes Github issue #501.
|
||||||
|
|
||||||
|
## 2021.11.0
|
||||||
|
### Improvements
|
||||||
|
- Fallback from `protocol:quic` to `protocol:http2` immediately if UDP connectivity isn't available. This could be because of a firewall or
|
||||||
|
egress rule.
|
||||||
|
|
||||||
|
## 2021.10.4
|
||||||
|
### Improvements
|
||||||
|
- Collect quic transport metrics on RTT, packets and bytes transferred.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
- Fix race condition that was writing to the connection after the http2 handler returns.
|
||||||
|
|
||||||
|
## 2021.9.2
|
||||||
|
|
||||||
|
### New features
|
||||||
|
- `cloudflared` can now run with `quic` as the underlying tunnel transport protocol. To try it, change or add "protocol: quic" to your config.yml file or
|
||||||
|
run cloudflared with the `--protocol quic` flag. e.g:
|
||||||
|
`cloudflared tunnel --protocol quic run <tunnel-name>`
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
- Fixed some generic transport bugs in `quic` mode. It's advised to upgrade to at least this version (2021.9.2) when running `cloudflared`
|
||||||
|
with `quic` protocol.
|
||||||
|
- `cloudflared` docker images will now show version.
|
||||||
|
|
||||||
|
|
||||||
|
## 2021.8.4
|
||||||
|
### Improvements
|
||||||
|
- Temporary tunnels (those hosted on trycloudflare.com that do not require a Cloudflare login) now run as Named Tunnels
|
||||||
|
underneath. We recall that these tunnels should not be relied upon for production usage as they come with no guarantee
|
||||||
|
of uptime. Previous cloudflared versions will soon be unable to run legacy temporary tunnels and will require an update
|
||||||
|
(to this version or more recent).
|
||||||
|
|
||||||
|
## 2021.8.2
|
||||||
|
### Improvements
|
||||||
|
- Because Equinox os shutting down, all cloudflared releases are now present [here](https://github.com/cloudflare/cloudflared/releases).
|
||||||
|
[Equinox](https://dl.equinox.io/cloudflare/cloudflared/stable) will no longer receive updates.
|
||||||
|
|
||||||
|
## 2021.8.0
|
||||||
|
### Bug fixes
|
||||||
|
- Prevents tunnel from accidentally running when only proxy-dns should run.
|
||||||
|
|
||||||
|
### Improvements
|
||||||
|
- If auto protocol transport lookup fails, we now default to a transport instead of not connecting.
|
||||||
|
|
||||||
|
## 2021.6.0
|
||||||
|
### Bug Fixes
|
||||||
|
- Fixes a http2 transport (the new default for Named Tunnels) to work with unix socket origins.
|
||||||
|
|
||||||
|
|
||||||
|
## 2021.5.10
|
||||||
|
### Bug Fixes
|
||||||
|
- Fixes a memory leak in h2mux transport that connects cloudflared to Cloudflare edge.
|
||||||
|
|
||||||
|
|
||||||
|
## 2021.5.9
|
||||||
|
### New Features
|
||||||
|
- Uses new Worker based login helper service to facilitate token exchange in cloudflared flows.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
- Fixes Centos-7 builds.
|
||||||
|
|
||||||
|
## 2021.5.8
|
||||||
|
### New Features
|
||||||
|
- When creating a DNS record to point a hostname at a tunnel, you can now use --overwrite-dns to overwrite any existing
|
||||||
|
DNS records with that hostname. This works both when using the CLI to provision DNS, as well as when starting an adhoc
|
||||||
|
named tunnel, e.g.:
|
||||||
|
- `cloudflared tunnel route dns --overwrite-dns foo-tunnel foo.example.com`
|
||||||
|
- `cloudflared tunnel --overwrite-dns --name foo-tunnel --hostname foo.example.com`
|
||||||
|
|
||||||
|
## 2021.5.7
|
||||||
|
### New Features
|
||||||
|
- Named Tunnels will automatically select the protocol to connect to Cloudflare's edge network.
|
||||||
|
|
||||||
|
## 2021.5.0
|
||||||
|
|
||||||
|
### New Features
|
||||||
|
- It is now possible to run the same tunnel using more than one `cloudflared` instance. This is a server-side change and
|
||||||
|
is compatible with any client version that uses Named Tunnels.
|
||||||
|
|
||||||
|
To get started, visit our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas).
|
||||||
|
- `cloudflared tunnel ingress validate` will now warn about unused keys in your config file. This is helpful for
|
||||||
|
detecting typos in your config.
|
||||||
|
- If `cloudflared` detects it is running inside a Linux container, it will limit itself to use only the number of CPUs
|
||||||
|
the pod has been granted, instead of trying to use every CPU available.
|
||||||
|
|
||||||
|
## 2021.4.0
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
- Fixed proxying of websocket requests to avoid possibility of losing initial frames that were sent in the same TCP
|
||||||
|
packet as response headers [#345](https://github.com/cloudflare/cloudflared/issues/345).
|
||||||
|
- `proxy-dns` option now works in conjunction with running a named tunnel [#346](https://github.com/cloudflare/cloudflared/issues/346).
|
||||||
|
|
||||||
|
## 2021.3.6
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
- Reverted 2021.3.5 improvement to use HTTP/2 in a best-effort manner between cloudflared and origin services because
|
||||||
|
it was found to break in some cases.
|
||||||
|
|
||||||
|
## 2021.3.5
|
||||||
|
|
||||||
|
### Improvements
|
||||||
|
|
||||||
|
- HTTP/2 transport is now always chosen if origin server supports it and the service url scheme is HTTPS.
|
||||||
|
This was previously done in a best attempt manner.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
- The MacOS binaries were not successfully released in 2021.3.3 and 2021.3.4. This release is aimed at addressing that.
|
||||||
|
|
||||||
|
## 2021.3.3
|
||||||
|
|
||||||
|
### Improvements
|
||||||
|
|
||||||
|
- Tunnel create command, as well as, running ad-hoc tunnels using `cloudflared tunnel -name NAME`, will not overwrite
|
||||||
|
existing files when writing tunnel credentials.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
- Tunnel create and delete commands no longer use path to credentials from the configuration file.
|
||||||
|
If you need ot place tunnel credentials file at a specific location, you must use `--credentials-file` flag.
|
||||||
|
- Access ssh-gen creates properly named keys for SSH short lived certs.
|
||||||
|
|
||||||
|
|
||||||
|
## 2021.3.2
|
||||||
|
|
||||||
|
### New Features
|
||||||
|
|
||||||
|
- It is now possible to obtain more detailed information about the cloudflared connectors to Cloudflare Edge via
|
||||||
|
`cloudflared tunnel info <name/uuid>`. It is possible to sort the output as well as output in different formats,
|
||||||
|
such as: `cloudflared tunnel info --sort-by version --invert-sort --output json <name/uuid>`.
|
||||||
|
You can obtain more information via `cloudflared tunnel info --help`.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
- Don't look for configuration file in default paths when `--config FILE` flag is present after `tunnel` subcommand.
|
||||||
|
- cloudflared access token command now functions correctly with the new token-per-app change from 2021.3.0.
|
||||||
|
|
||||||
|
|
||||||
|
## 2021.3.0
|
||||||
|
|
||||||
|
### New Features
|
||||||
|
|
||||||
|
- [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) specific commands
|
||||||
|
now show up in the `cloudflared tunnel route --help` output.
|
||||||
|
- There is a new ingress type that allows cloudflared to proxy SOCKS5 as a bastion. You can use it with an ingress
|
||||||
|
rule by adding `service: socks-proxy`. Traffic is routed to any destination specified by the SOCKS5 packet but only
|
||||||
|
if allowed by a rule. In the following example we allow proxying to a certain CIDR but explicitly forbid one address
|
||||||
|
within it:
|
||||||
|
```
|
||||||
|
ingress:
|
||||||
|
- hostname: socks.example.com
|
||||||
|
service: socks-proxy
|
||||||
|
originRequest:
|
||||||
|
ipRules:
|
||||||
|
- prefix: 192.168.1.8/32
|
||||||
|
allow: false
|
||||||
|
- prefix: 192.168.1.0/24
|
||||||
|
ports: [80, 443]
|
||||||
|
allow: true
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Improvements
|
||||||
|
|
||||||
|
- Nested commands, such as `cloudflared tunnel run`, now consider CLI arguments even if they appear earlier on the
|
||||||
|
command. For instance, `cloudflared --config config.yaml tunnel run` will now behave the same as
|
||||||
|
`cloudflared tunnel --config config.yaml run`
|
||||||
|
- Warnings are now shown in the output logs whenever cloudflared is running without the most recent version and
|
||||||
|
`no-autoupdate` is `true`.
|
||||||
|
- Access tokens are now stored per Access App instead of per request path. This decreases the number of times that the
|
||||||
|
user is required to authenticate with an Access policy redundantly.
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
- GitHub [PR #317](https://github.com/cloudflare/cloudflared/issues/317) was broken in 2021.2.5 and is now fixed again.
|
||||||
|
|
||||||
|
## 2021.2.5
|
||||||
|
|
||||||
|
### New Features
|
||||||
|
|
||||||
|
- We introduce [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) in
|
||||||
|
beta mode. Cloudflare customer can now connect users and private networks with RFC 1918 IP addresses via the
|
||||||
|
Cloudflare edge network. Users running Cloudflare WARP client in the same organization can connect to the services
|
||||||
|
made available by Argo Tunnel IP routes. Please share your feedback in the GitHub issue tracker.
|
||||||
|
|
||||||
## 2021.2.4
|
## 2021.2.4
|
||||||
|
|
||||||
### Bug Fixes
|
### Bug Fixes
|
||||||
- [configuration] fixes a case where `cloudflared` failed to read URLs in configuration files
|
|
||||||
- [logging] cloudflared now logs reason for failed connections if the error is recoverable
|
- Reverts the Improvement released in 2021.2.3 for CLI arguments as it introduced a regression where cloudflared failed
|
||||||
|
to read URLs in configuration files.
|
||||||
|
- cloudflared now logs the reason for failed connections if the error is recoverable.
|
||||||
|
|
||||||
## 2021.2.3
|
## 2021.2.3
|
||||||
|
|
||||||
### Backward Incompatible Changes
|
### Backward Incompatible Changes
|
||||||
- [db-connect] Removes db-connect from `cloudflared`. The Cloudflare Workers product will continue to support db-connect implementations with versions of `cloudflared` that predate this release and include support for db-connect.
|
|
||||||
|
- Removes db-connect. The Cloudflare Workers product will continue to support db-connect implementations with versions
|
||||||
|
of cloudflared that predate this release and include support for db-connect.
|
||||||
|
|
||||||
### New Features
|
### New Features
|
||||||
- [TCP connects] Introduces support for proxy configurations with websockets in arbitrary TCP connections (#318)
|
|
||||||
|
- Introduces support for proxy configurations with websockets in arbitrary TCP connections (#318).
|
||||||
|
|
||||||
### Improvements
|
### Improvements
|
||||||
- [command line interface] Nested commands (such as cloudflared tunnel run) now consider CLI arguments even if they appear earlier in the command. E.g. `cloudflared --config config.yaml tunnel run` will now behave similarly to `cloudflared tunnel --config config.yaml run`
|
|
||||||
|
- (reverted) Nested command line argument handling.
|
||||||
|
|
||||||
### Bug Fixes
|
### Bug Fixes
|
||||||
- [dns-proxy] The maximum number of upstream connections is now limited by default which should fix reported issues of cloudflared exhausting CPU usage when faced with connectivity issues.
|
|
||||||
|
|
||||||
|
- The maximum number of upstream connections is now limited by default which should fix reported issues of cloudflared
|
||||||
|
exhausting CPU usage when faced with connectivity issues.
|
||||||
|
|
10
Dockerfile
10
Dockerfile
|
@ -1,7 +1,7 @@
|
||||||
# use a builder image for building cloudflare
|
# use a builder image for building cloudflare
|
||||||
ARG TARGET_GOOS
|
ARG TARGET_GOOS
|
||||||
ARG TARGET_GOARCH
|
ARG TARGET_GOARCH
|
||||||
FROM golang:1.15.7 as builder
|
FROM golang:1.22.5 as builder
|
||||||
ENV GO111MODULE=on \
|
ENV GO111MODULE=on \
|
||||||
CGO_ENABLED=0 \
|
CGO_ENABLED=0 \
|
||||||
TARGET_GOOS=${TARGET_GOOS} \
|
TARGET_GOOS=${TARGET_GOOS} \
|
||||||
|
@ -12,11 +12,15 @@ WORKDIR /go/src/github.com/cloudflare/cloudflared/
|
||||||
# copy our sources into the builder image
|
# copy our sources into the builder image
|
||||||
COPY . .
|
COPY . .
|
||||||
|
|
||||||
|
RUN .teamcity/install-cloudflare-go.sh
|
||||||
|
|
||||||
# compile cloudflared
|
# compile cloudflared
|
||||||
RUN make cloudflared
|
RUN PATH="/tmp/go/bin:$PATH" make cloudflared
|
||||||
|
|
||||||
# use a distroless base image with glibc
|
# use a distroless base image with glibc
|
||||||
FROM gcr.io/distroless/base-debian10:nonroot
|
FROM gcr.io/distroless/base-debian11:nonroot
|
||||||
|
|
||||||
|
LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
|
||||||
|
|
||||||
# copy our compiled binary
|
# copy our compiled binary
|
||||||
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
|
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
|
||||||
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
# use a builder image for building cloudflare
|
||||||
|
FROM golang:1.22.5 as builder
|
||||||
|
ENV GO111MODULE=on \
|
||||||
|
CGO_ENABLED=0
|
||||||
|
|
||||||
|
WORKDIR /go/src/github.com/cloudflare/cloudflared/
|
||||||
|
|
||||||
|
# copy our sources into the builder image
|
||||||
|
COPY . .
|
||||||
|
|
||||||
|
RUN .teamcity/install-cloudflare-go.sh
|
||||||
|
|
||||||
|
# compile cloudflared
|
||||||
|
RUN GOOS=linux GOARCH=amd64 PATH="/tmp/go/bin:$PATH" make cloudflared
|
||||||
|
|
||||||
|
# use a distroless base image with glibc
|
||||||
|
FROM gcr.io/distroless/base-debian11:nonroot
|
||||||
|
|
||||||
|
LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
|
||||||
|
|
||||||
|
# copy our compiled binary
|
||||||
|
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
|
||||||
|
|
||||||
|
# run as non-privileged user
|
||||||
|
USER nonroot
|
||||||
|
|
||||||
|
# command / entrypoint of container
|
||||||
|
ENTRYPOINT ["cloudflared", "--no-autoupdate"]
|
||||||
|
CMD ["version"]
|
|
@ -0,0 +1,29 @@
|
||||||
|
# use a builder image for building cloudflare
|
||||||
|
FROM golang:1.22.5 as builder
|
||||||
|
ENV GO111MODULE=on \
|
||||||
|
CGO_ENABLED=0
|
||||||
|
|
||||||
|
WORKDIR /go/src/github.com/cloudflare/cloudflared/
|
||||||
|
|
||||||
|
# copy our sources into the builder image
|
||||||
|
COPY . .
|
||||||
|
|
||||||
|
RUN .teamcity/install-cloudflare-go.sh
|
||||||
|
|
||||||
|
# compile cloudflared
|
||||||
|
RUN GOOS=linux GOARCH=arm64 PATH="/tmp/go/bin:$PATH" make cloudflared
|
||||||
|
|
||||||
|
# use a distroless base image with glibc
|
||||||
|
FROM gcr.io/distroless/base-debian11:nonroot-arm64
|
||||||
|
|
||||||
|
LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
|
||||||
|
|
||||||
|
# copy our compiled binary
|
||||||
|
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
|
||||||
|
|
||||||
|
# run as non-privileged user
|
||||||
|
USER nonroot
|
||||||
|
|
||||||
|
# command / entrypoint of container
|
||||||
|
ENTRYPOINT ["cloudflared", "--no-autoupdate"]
|
||||||
|
CMD ["version"]
|
313
LICENSE
313
LICENSE
|
@ -1,155 +1,202 @@
|
||||||
SERVICES AGREEMENT
|
|
||||||
|
|
||||||
Your installation of this software is symbol of your signature indicating that
|
Apache License
|
||||||
you accept the terms of this Services Agreement (this "Agreement"). This
|
Version 2.0, January 2004
|
||||||
Agreement is a legal agreement between you (either an individual or a single
|
http://www.apache.org/licenses/
|
||||||
entity) and CloudFlare, Inc. for the services being provided to you by
|
|
||||||
CloudFlare or its authorized representative (the "Services"), including any
|
|
||||||
computer software and any associated media, printed materials, and "online" or
|
|
||||||
electronic documentation provided in connection with the Services (the
|
|
||||||
"Software" and together with the Services are hereinafter collectively referred
|
|
||||||
to as the "Solution"). If the user is not an individual, then "you" means your
|
|
||||||
company, its officers, members, employees, agents, representatives, successors
|
|
||||||
and assigns. BY USING THE SOLUTION, YOU ARE INDICATING THAT YOU HAVE READ, AND
|
|
||||||
AGREE TO BE BOUND BY, THE POLICIES, TERMS, AND CONDITIONS SET FORTH BELOW IN
|
|
||||||
THEIR ENTIRETY WITHOUT LIMITATION OR QUALIFICATION, AS WELL AS BY ALL APPLICABLE
|
|
||||||
LAWS AND REGULATIONS, AS IF YOU HAD HANDWRITTEN YOUR NAME ON A CONTRACT. IF YOU
|
|
||||||
DO NOT AGREE TO THESE TERMS AND CONDITIONS, YOU MAY NOT USE THE SOLUTION.
|
|
||||||
|
|
||||||
1. GRANT OF RIGHTS
|
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||||
|
|
||||||
1.1 Grant of License. The Solution is licensed by CloudFlare and its
|
1. Definitions.
|
||||||
licensors, not sold. Subject to the terms and conditions of this Agreement,
|
|
||||||
CloudFlare hereby grants you a nonexclusive, nonsublicensable, nontransferable
|
|
||||||
license to use the Solution. You may examine source code, if provided to you,
|
|
||||||
solely for the limited purpose of evaluating the Software for security flaws.
|
|
||||||
You may also use the Service to create derivative works which are exclusively
|
|
||||||
compatible with any CloudFlare product serviceand no other product or service.
|
|
||||||
This license applies to the parts of the Solution developed by CloudFlare. The
|
|
||||||
Solution may also incorporate externally maintained libraries and other open software.
|
|
||||||
These resources may be governed by other licenses.
|
|
||||||
|
|
||||||
1.2 Restrictions. The license granted herein is granted solely to you and
|
"License" shall mean the terms and conditions for use, reproduction,
|
||||||
not, by implication or otherwise, to any of your parents, subsidiaries or
|
and distribution as defined by Sections 1 through 9 of this document.
|
||||||
affiliates. No right is granted hereunder to use the Solution to perform
|
|
||||||
services for third parties. All rights not expressly granted hereunder are
|
|
||||||
reserved to CloudFlare. You may not use the Solution except as explicitly
|
|
||||||
permitted under this Agreement. You are expressly prohibited from modifying,
|
|
||||||
adapting, translating, preparing derivative works from, decompiling, reverse
|
|
||||||
engineering, disassembling or otherwise attempting to derive source code from
|
|
||||||
the Software used to provide the Services or any internal data files generated
|
|
||||||
by the Solution. You are also prohibited from removing, obscuring or altering
|
|
||||||
any copyright notice, trademarks, or other proprietary rights notices affixed to
|
|
||||||
or associated with the Solution.
|
|
||||||
|
|
||||||
1.3 Ownership. As between the parties, CloudFlare and/or its licensors own
|
"Licensor" shall mean the copyright owner or entity authorized by
|
||||||
and shall retain all right, title, and interest in and to the Solution,
|
the copyright owner that is granting the License.
|
||||||
including any and all technology embodied therein, including all copyrights,
|
|
||||||
patents, trade secrets, trade dress and other proprietary rights associated
|
|
||||||
therewith, and any derivative works created there from.
|
|
||||||
|
|
||||||
2. LIMITATION OF LIABILITY
|
"Legal Entity" shall mean the union of the acting entity and all
|
||||||
|
other entities that control, are controlled by, or are under common
|
||||||
|
control with that entity. For the purposes of this definition,
|
||||||
|
"control" means (i) the power, direct or indirect, to cause the
|
||||||
|
direction or management of such entity, whether by contract or
|
||||||
|
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||||
|
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||||
|
|
||||||
YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT DOWNLOADING THE SOFTWARE IS AT YOUR
|
"You" (or "Your") shall mean an individual or Legal Entity
|
||||||
SOLE RISK. THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTY OF ANY KIND
|
exercising permissions granted by this License.
|
||||||
AND CLOUDFLARE, ITS LICENSORS AND ITS AUTHORIZED REPRESENTATIVES (TOGETHER FOR
|
|
||||||
PURPOSES HEREOF, "CLOUDFLARE") EXPRESSLY DISCLAIM ALL WARRANTIES, EXPRESS OR
|
|
||||||
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
||||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CLOUDFLARE DOES NOT
|
|
||||||
WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR
|
|
||||||
REQUIREMENTS, OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR
|
|
||||||
ERROR-FREE, OR THAT DEFECTS IN THE SOFTWARE WILL BE CORRECTED. FURTHERMORE,
|
|
||||||
CLOUDFLARE DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE SOFTWARE
|
|
||||||
OR RELATED DOCUMENTATION IN TERMS OF THEIR CORRECTNESS, ACCURACY, RELIABILITY,
|
|
||||||
OR OTHERWISE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY CLOUDFLARE SHALL
|
|
||||||
CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF THIS WARRANTY.
|
|
||||||
|
|
||||||
3. CONFIDENTIALITY
|
"Source" form shall mean the preferred form for making modifications,
|
||||||
|
including but not limited to software source code, documentation
|
||||||
|
source, and configuration files.
|
||||||
|
|
||||||
It may be necessary during the set up and performance of the Solution for the
|
"Object" form shall mean any form resulting from mechanical
|
||||||
parties to exchange Confidential Information. "Confidential Information" means
|
transformation or translation of a Source form, including but
|
||||||
any information whether oral, or written, of a private, secret, proprietary or
|
not limited to compiled object code, generated documentation,
|
||||||
confidential nature, concerning either party or its business operations,
|
and conversions to other media types.
|
||||||
including without limitation: (a) your data and (b) CloudFlare's access control
|
|
||||||
systems, specialized network equipment and techniques related to the Solution,
|
|
||||||
use policies, which include trade secrets of CloudFlare and its licensors. Each
|
|
||||||
party agrees to use the same degree of care to protect the confidentiality of
|
|
||||||
the Confidential Information of the other party and to prevent its unauthorized
|
|
||||||
use or dissemination as it uses to protect its own Confidential Information of a
|
|
||||||
similar nature, but in no event shall exercise less than due diligence and
|
|
||||||
reasonable care. Each party agrees to use the Confidential Information of the
|
|
||||||
other party only for purposes related to the performance of this Agreement. All
|
|
||||||
Confidential Information remains the property of the party disclosing the
|
|
||||||
information and no license or other rights to Confidential Information is
|
|
||||||
granted or implied hereby.
|
|
||||||
|
|
||||||
4. TERM AND TERMINATION
|
"Work" shall mean the work of authorship, whether in Source or
|
||||||
|
Object form, made available under the License, as indicated by a
|
||||||
|
copyright notice that is included in or attached to the work
|
||||||
|
(an example is provided in the Appendix below).
|
||||||
|
|
||||||
4.1 Term. This Agreement shall be effective upon download or install of the
|
"Derivative Works" shall mean any work, whether in Source or Object
|
||||||
Software.
|
form, that is based on (or derived from) the Work and for which the
|
||||||
|
editorial revisions, annotations, elaborations, or other modifications
|
||||||
|
represent, as a whole, an original work of authorship. For the purposes
|
||||||
|
of this License, Derivative Works shall not include works that remain
|
||||||
|
separable from, or merely link (or bind by name) to the interfaces of,
|
||||||
|
the Work and Derivative Works thereof.
|
||||||
|
|
||||||
4.2 Termination. This Agreement may be terminated by CloudFlare or its
|
"Contribution" shall mean any work of authorship, including
|
||||||
authorized representative by written notice to you if any of the following
|
the original version of the Work and any modifications or additions
|
||||||
events occur: (i) you fail to pay any amounts due for the Services and the
|
to that Work or Derivative Works thereof, that is intentionally
|
||||||
Solution when due and after written notice of such nonpayment has been given to
|
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||||
you; (ii) you are in material breach of any term, condition, or provision of
|
or by an individual or Legal Entity authorized to submit on behalf of
|
||||||
this Agreement or any other agreement executed by you with CloudFlare or its
|
the copyright owner. For the purposes of this definition, "submitted"
|
||||||
authorized representative in connection with the provision of the Solution and
|
means any form of electronic, verbal, or written communication sent
|
||||||
Services (a "Related Agreement"); or (iii) you terminate or suspend your
|
to the Licensor or its representatives, including but not limited to
|
||||||
business, becomes subject to any bankruptcy or insolvency proceeding under
|
communication on electronic mailing lists, source code control systems,
|
||||||
federal or state statutes, or become insolvent or subject to direct control by a
|
and issue tracking systems that are managed by, or on behalf of, the
|
||||||
trustee, receiver or similar authority.
|
Licensor for the purpose of discussing and improving the Work, but
|
||||||
|
excluding communication that is conspicuously marked or otherwise
|
||||||
|
designated in writing by the copyright owner as "Not a Contribution."
|
||||||
|
|
||||||
4.3 Effect of Termination. Upon the termination of this Agreement for any
|
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||||
reason: (1) all license rights granted hereunder shall terminate and (2) all
|
on behalf of whom a Contribution has been received by Licensor and
|
||||||
Confidential Information shall be returned to the disclosing party or destroyed.
|
subsequently incorporated within the Work.
|
||||||
|
|
||||||
5. MISCELLANEOUS
|
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
copyright license to reproduce, prepare Derivative Works of,
|
||||||
|
publicly display, publicly perform, sublicense, and distribute the
|
||||||
|
Work and such Derivative Works in Source or Object form.
|
||||||
|
|
||||||
5.1 Assignment. You may not assign any of your rights or delegate any of
|
3. Grant of Patent License. Subject to the terms and conditions of
|
||||||
your obligations under this Agreement, whether by operation of law or otherwise,
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
without the prior express written consent of CloudFlare or its authorized
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
representative. Any such assignment without the prior express written consent
|
(except as stated in this section) patent license to make, have made,
|
||||||
of CloudFlare or its authorized representative shall be void. Subject to the
|
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||||
foregoing, this Agreement will bind and inure to the benefit of the parties,
|
where such license applies only to those patent claims licensable
|
||||||
their respective successors and permitted assigns.
|
by such Contributor that are necessarily infringed by their
|
||||||
|
Contribution(s) alone or by combination of their Contribution(s)
|
||||||
|
with the Work to which such Contribution(s) was submitted. If You
|
||||||
|
institute patent litigation against any entity (including a
|
||||||
|
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||||
|
or a Contribution incorporated within the Work constitutes direct
|
||||||
|
or contributory patent infringement, then any patent licenses
|
||||||
|
granted to You under this License for that Work shall terminate
|
||||||
|
as of the date such litigation is filed.
|
||||||
|
|
||||||
5.2 Waiver and Amendment. No modification, amendment or waiver of any
|
4. Redistribution. You may reproduce and distribute copies of the
|
||||||
provision of this Agreement shall be effective unless in writing and signed by
|
Work or Derivative Works thereof in any medium, with or without
|
||||||
the party to be charged. No failure or delay by either party in exercising any
|
modifications, and in Source or Object form, provided that You
|
||||||
right, power, or remedy under this Agreement, except as specifically provided
|
meet the following conditions:
|
||||||
herein, shall operate as a waiver of any such right, power or remedy. Without
|
|
||||||
limiting the foregoing, terms and conditions on any purchase orders or similar
|
|
||||||
materials submitted by you to CloudFlare or its authorized representative shall
|
|
||||||
be of no force or effect.
|
|
||||||
|
|
||||||
5.3 Governing Law. This Agreement shall be governed by the laws of the State
|
(a) You must give any other recipients of the Work or
|
||||||
of California, USA, excluding conflict of laws and provisions, and excluding the
|
Derivative Works a copy of this License; and
|
||||||
United Nations Convention on Contracts for the International Sale of Goods.
|
|
||||||
|
|
||||||
5.4 Notices. All notices, demands or consents required or permitted under
|
(b) You must cause any modified files to carry prominent notices
|
||||||
this Agreement shall be in writing. Notice shall be sent to you at the e-mail
|
stating that You changed the files; and
|
||||||
address provided by you to CloudFlare or its authorized representative in
|
|
||||||
connection with the Solution.
|
|
||||||
|
|
||||||
5.5 Independent Contractors. The parties are independent contractors.
|
(c) You must retain, in the Source form of any Derivative Works
|
||||||
Neither party shall be deemed to be an employee, agent, partner or legal
|
that You distribute, all copyright, patent, trademark, and
|
||||||
representative of the other for any purpose and neither shall have any right,
|
attribution notices from the Source form of the Work,
|
||||||
power or authority to create any obligation or responsibility on behalf of the
|
excluding those notices that do not pertain to any part of
|
||||||
other.
|
the Derivative Works; and
|
||||||
|
|
||||||
5.6 Severability. If any provision of this Agreement is held by a court of
|
(d) If the Work includes a "NOTICE" text file as part of its
|
||||||
competent jurisdiction to be contrary to law, such provision shall be changed
|
distribution, then any Derivative Works that You distribute must
|
||||||
and interpreted so as to best accomplish the objectives of the original
|
include a readable copy of the attribution notices contained
|
||||||
provision to the fullest extent allowed by law and the remaining provisions of
|
within such NOTICE file, excluding those notices that do not
|
||||||
this Agreement shall remain in full force and effect.
|
pertain to any part of the Derivative Works, in at least one
|
||||||
|
of the following places: within a NOTICE text file distributed
|
||||||
|
as part of the Derivative Works; within the Source form or
|
||||||
|
documentation, if provided along with the Derivative Works; or,
|
||||||
|
within a display generated by the Derivative Works, if and
|
||||||
|
wherever such third-party notices normally appear. The contents
|
||||||
|
of the NOTICE file are for informational purposes only and
|
||||||
|
do not modify the License. You may add Your own attribution
|
||||||
|
notices within Derivative Works that You distribute, alongside
|
||||||
|
or as an addendum to the NOTICE text from the Work, provided
|
||||||
|
that such additional attribution notices cannot be construed
|
||||||
|
as modifying the License.
|
||||||
|
|
||||||
5.7 Force Majeure. CloudFlare shall not be liable to the other party for any
|
You may add Your own copyright statement to Your modifications and
|
||||||
failure or delay in performance caused by reasons beyond its reasonable control.
|
may provide additional or different license terms and conditions
|
||||||
|
for use, reproduction, or distribution of Your modifications, or
|
||||||
|
for any such Derivative Works as a whole, provided Your use,
|
||||||
|
reproduction, and distribution of the Work otherwise complies with
|
||||||
|
the conditions stated in this License.
|
||||||
|
|
||||||
5.8 Complete Understanding. This Agreement and the Related Agreement
|
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||||
constitute the final, complete and exclusive agreement between the parties with
|
any Contribution intentionally submitted for inclusion in the Work
|
||||||
respect to the subject matter hereof, and supersedes all previous written and
|
by You to the Licensor shall be under the terms and conditions of
|
||||||
oral agreements and communications related to the subject matter of this
|
this License, without any additional terms or conditions.
|
||||||
Agreement. To the extent this Agreement and the Related Agreement conflict,
|
Notwithstanding the above, nothing herein shall supersede or modify
|
||||||
this Agreement shall control.
|
the terms of any separate license agreement you may have executed
|
||||||
|
with Licensor regarding such Contributions.
|
||||||
|
|
||||||
|
6. Trademarks. This License does not grant permission to use the trade
|
||||||
|
names, trademarks, service marks, or product names of the Licensor,
|
||||||
|
except as required for reasonable and customary use in describing the
|
||||||
|
origin of the Work and reproducing the content of the NOTICE file.
|
||||||
|
|
||||||
|
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||||
|
agreed to in writing, Licensor provides the Work (and each
|
||||||
|
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||||
|
implied, including, without limitation, any warranties or conditions
|
||||||
|
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||||
|
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||||
|
appropriateness of using or redistributing the Work and assume any
|
||||||
|
risks associated with Your exercise of permissions under this License.
|
||||||
|
|
||||||
|
8. Limitation of Liability. In no event and under no legal theory,
|
||||||
|
whether in tort (including negligence), contract, or otherwise,
|
||||||
|
unless required by applicable law (such as deliberate and grossly
|
||||||
|
negligent acts) or agreed to in writing, shall any Contributor be
|
||||||
|
liable to You for damages, including any direct, indirect, special,
|
||||||
|
incidental, or consequential damages of any character arising as a
|
||||||
|
result of this License or out of the use or inability to use the
|
||||||
|
Work (including but not limited to damages for loss of goodwill,
|
||||||
|
work stoppage, computer failure or malfunction, or any and all
|
||||||
|
other commercial damages or losses), even if such Contributor
|
||||||
|
has been advised of the possibility of such damages.
|
||||||
|
|
||||||
|
9. Accepting Warranty or Additional Liability. While redistributing
|
||||||
|
the Work or Derivative Works thereof, You may choose to offer,
|
||||||
|
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||||
|
or other liability obligations and/or rights consistent with this
|
||||||
|
License. However, in accepting such obligations, You may act only
|
||||||
|
on Your own behalf and on Your sole responsibility, not on behalf
|
||||||
|
of any other Contributor, and only if You agree to indemnify,
|
||||||
|
defend, and hold each Contributor harmless for any liability
|
||||||
|
incurred by, or claims asserted against, such Contributor by reason
|
||||||
|
of your accepting any such warranty or additional liability.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
APPENDIX: How to apply the Apache License to your work.
|
||||||
|
|
||||||
|
To apply the Apache License to your work, attach the following
|
||||||
|
boilerplate notice, with the fields enclosed by brackets "[]"
|
||||||
|
replaced with your own identifying information. (Don't include
|
||||||
|
the brackets!) The text should be enclosed in the appropriate
|
||||||
|
comment syntax for the file format. We also recommend that a
|
||||||
|
file or class name and description of purpose be included on the
|
||||||
|
same "printed page" as the copyright notice for easier
|
||||||
|
identification within third-party archives.
|
||||||
|
|
||||||
|
Copyright [yyyy] [name of copyright owner]
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
284
Makefile
284
Makefile
|
@ -1,47 +1,79 @@
|
||||||
VERSION := $(shell git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*")
|
# The targets cannot be run in parallel
|
||||||
|
.NOTPARALLEL:
|
||||||
|
|
||||||
|
VERSION := $(shell git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
|
||||||
MSI_VERSION := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut -c2-)
|
MSI_VERSION := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut -c2-)
|
||||||
#MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
|
#MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
|
||||||
#e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
|
#e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
|
||||||
|
|
||||||
ifeq ($(FIPS), true)
|
ifeq ($(ORIGINAL_NAME), true)
|
||||||
GO_BUILD_TAGS := $(GO_BUILD_TAGS) fips
|
# Used for builds that want FIPS compilation but want the artifacts generated to still have the original name.
|
||||||
|
BINARY_NAME := cloudflared
|
||||||
|
else ifeq ($(FIPS), true)
|
||||||
|
# Used for FIPS compliant builds that do not match the case above.
|
||||||
|
BINARY_NAME := cloudflared-fips
|
||||||
|
else
|
||||||
|
# Used for all other (non-FIPS) builds.
|
||||||
|
BINARY_NAME := cloudflared
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifneq ($(GO_BUILD_TAGS),)
|
ifeq ($(NIGHTLY), true)
|
||||||
GO_BUILD_TAGS := -tags $(GO_BUILD_TAGS)
|
DEB_PACKAGE_NAME := $(BINARY_NAME)-nightly
|
||||||
|
NIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared
|
||||||
|
else
|
||||||
|
DEB_PACKAGE_NAME := $(BINARY_NAME)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
DATE := $(shell date -u '+%Y-%m-%d-%H%M UTC')
|
DATE := $(shell date -u '+%Y-%m-%d-%H%M UTC')
|
||||||
VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
|
VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
|
||||||
|
ifdef PACKAGE_MANAGER
|
||||||
IMPORT_PATH := github.com/cloudflare/cloudflared
|
VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
|
||||||
PACKAGE_DIR := $(CURDIR)/packaging
|
|
||||||
INSTALL_BINDIR := /usr/bin/
|
|
||||||
MAN_DIR := /usr/share/man/man1/
|
|
||||||
|
|
||||||
EQUINOX_FLAGS = --version="$(VERSION)" \
|
|
||||||
--platforms="$(EQUINOX_BUILD_PLATFORMS)" \
|
|
||||||
--app="$(EQUINOX_APP_ID)" \
|
|
||||||
--token="$(EQUINOX_TOKEN)" \
|
|
||||||
--channel="$(EQUINOX_CHANNEL)"
|
|
||||||
|
|
||||||
ifeq ($(EQUINOX_IS_DRAFT), true)
|
|
||||||
EQUINOX_FLAGS := --draft $(EQUINOX_FLAGS)
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
LINK_FLAGS :=
|
||||||
|
ifeq ($(FIPS), true)
|
||||||
|
LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
|
||||||
|
# Prevent linking with libc regardless of CGO enabled or not.
|
||||||
|
GO_BUILD_TAGS := $(GO_BUILD_TAGS) osusergo netgo fips
|
||||||
|
VERSION_FLAGS := $(VERSION_FLAGS) -X "main.BuildType=FIPS"
|
||||||
|
endif
|
||||||
|
|
||||||
|
LDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS)'
|
||||||
|
ifneq ($(GO_BUILD_TAGS),)
|
||||||
|
GO_BUILD_TAGS := -tags "$(GO_BUILD_TAGS)"
|
||||||
|
endif
|
||||||
|
|
||||||
|
ifeq ($(debug), 1)
|
||||||
|
GO_BUILD_TAGS += -gcflags="all=-N -l"
|
||||||
|
endif
|
||||||
|
|
||||||
|
IMPORT_PATH := github.com/cloudflare/cloudflared
|
||||||
|
PACKAGE_DIR := $(CURDIR)/packaging
|
||||||
|
PREFIX := /usr
|
||||||
|
INSTALL_BINDIR := $(PREFIX)/bin/
|
||||||
|
INSTALL_MANDIR := $(PREFIX)/share/man/man1/
|
||||||
|
CF_GO_PATH := /tmp/go
|
||||||
|
PATH := $(CF_GO_PATH)/bin:$(PATH)
|
||||||
|
|
||||||
LOCAL_ARCH ?= $(shell uname -m)
|
LOCAL_ARCH ?= $(shell uname -m)
|
||||||
ifneq ($(GOARCH),)
|
ifneq ($(GOARCH),)
|
||||||
TARGET_ARCH ?= $(GOARCH)
|
TARGET_ARCH ?= $(GOARCH)
|
||||||
else ifeq ($(LOCAL_ARCH),x86_64)
|
else ifeq ($(LOCAL_ARCH),x86_64)
|
||||||
TARGET_ARCH ?= amd64
|
TARGET_ARCH ?= amd64
|
||||||
|
else ifeq ($(LOCAL_ARCH),amd64)
|
||||||
|
TARGET_ARCH ?= amd64
|
||||||
else ifeq ($(LOCAL_ARCH),i686)
|
else ifeq ($(LOCAL_ARCH),i686)
|
||||||
TARGET_ARCH ?= amd64
|
TARGET_ARCH ?= amd64
|
||||||
else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
|
else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
|
||||||
TARGET_ARCH ?= arm64
|
TARGET_ARCH ?= arm64
|
||||||
else ifeq ($(LOCAL_ARCH),aarch64)
|
else ifeq ($(LOCAL_ARCH),aarch64)
|
||||||
TARGET_ARCH ?= arm64
|
TARGET_ARCH ?= arm64
|
||||||
|
else ifeq ($(LOCAL_ARCH),arm64)
|
||||||
|
TARGET_ARCH ?= arm64
|
||||||
else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 4),armv)
|
else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 4),armv)
|
||||||
TARGET_ARCH ?= arm
|
TARGET_ARCH ?= arm
|
||||||
|
else ifeq ($(LOCAL_ARCH),s390x)
|
||||||
|
TARGET_ARCH ?= s390x
|
||||||
else
|
else
|
||||||
$(error This system's architecture $(LOCAL_ARCH) isn't supported)
|
$(error This system's architecture $(LOCAL_ARCH) isn't supported)
|
||||||
endif
|
endif
|
||||||
|
@ -55,14 +87,16 @@ else ifeq ($(LOCAL_OS),windows)
|
||||||
TARGET_OS ?= windows
|
TARGET_OS ?= windows
|
||||||
else ifeq ($(LOCAL_OS),freebsd)
|
else ifeq ($(LOCAL_OS),freebsd)
|
||||||
TARGET_OS ?= freebsd
|
TARGET_OS ?= freebsd
|
||||||
|
else ifeq ($(LOCAL_OS),openbsd)
|
||||||
|
TARGET_OS ?= openbsd
|
||||||
else
|
else
|
||||||
$(error This system's OS $(LOCAL_OS) isn't supported)
|
$(error This system's OS $(LOCAL_OS) isn't supported)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifeq ($(TARGET_OS), windows)
|
ifeq ($(TARGET_OS), windows)
|
||||||
EXECUTABLE_PATH=./cloudflared.exe
|
EXECUTABLE_PATH=./$(BINARY_NAME).exe
|
||||||
else
|
else
|
||||||
EXECUTABLE_PATH=./cloudflared
|
EXECUTABLE_PATH=./$(BINARY_NAME)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifeq ($(FLAVOR), centos-7)
|
ifeq ($(FLAVOR), centos-7)
|
||||||
|
@ -71,6 +105,19 @@ else
|
||||||
TARGET_PUBLIC_REPO ?= $(FLAVOR)
|
TARGET_PUBLIC_REPO ?= $(FLAVOR)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
ifneq ($(TARGET_ARM), )
|
||||||
|
ARM_COMMAND := GOARM=$(TARGET_ARM)
|
||||||
|
endif
|
||||||
|
|
||||||
|
ifeq ($(TARGET_ARM), 7)
|
||||||
|
PACKAGE_ARCH := armhf
|
||||||
|
else
|
||||||
|
PACKAGE_ARCH := $(TARGET_ARCH)
|
||||||
|
endif
|
||||||
|
|
||||||
|
#for FIPS compliance, FPM defaults to MD5.
|
||||||
|
RPM_DIGEST := --rpm-digest sha256
|
||||||
|
|
||||||
.PHONY: all
|
.PHONY: all
|
||||||
all: cloudflared test
|
all: cloudflared test
|
||||||
|
|
||||||
|
@ -79,166 +126,117 @@ clean:
|
||||||
go clean
|
go clean
|
||||||
|
|
||||||
.PHONY: cloudflared
|
.PHONY: cloudflared
|
||||||
cloudflared: tunnel-deps
|
cloudflared:
|
||||||
GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(GO_BUILD_TAGS) $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
|
ifeq ($(FIPS), true)
|
||||||
|
$(info Building cloudflared with go-fips)
|
||||||
|
cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
|
||||||
|
endif
|
||||||
|
GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
|
||||||
|
ifeq ($(FIPS), true)
|
||||||
|
rm -f cmd/cloudflared/fips.go
|
||||||
|
./check-fips.sh cloudflared
|
||||||
|
endif
|
||||||
|
|
||||||
.PHONY: container
|
.PHONY: container
|
||||||
container:
|
container:
|
||||||
docker build --build-arg=TARGET_ARCH=$(TARGET_ARCH) --build-arg=TARGET_OS=$(TARGET_OS) -t cloudflare/cloudflared-$(TARGET_OS)-$(TARGET_ARCH):"$(VERSION)" .
|
docker build --build-arg=TARGET_ARCH=$(TARGET_ARCH) --build-arg=TARGET_OS=$(TARGET_OS) -t cloudflare/cloudflared-$(TARGET_OS)-$(TARGET_ARCH):"$(VERSION)" .
|
||||||
|
|
||||||
|
.PHONY: generate-docker-version
|
||||||
|
generate-docker-version:
|
||||||
|
echo latest $(VERSION) > versions
|
||||||
|
|
||||||
|
|
||||||
.PHONY: test
|
.PHONY: test
|
||||||
test: vet
|
test: vet
|
||||||
ifndef CI
|
ifndef CI
|
||||||
go test -v -mod=vendor -race $(VERSION_FLAGS) ./...
|
go test -v -mod=vendor -race $(LDFLAGS) ./...
|
||||||
else
|
else
|
||||||
@mkdir -p .cover
|
@mkdir -p .cover
|
||||||
go test -v -mod=vendor -race $(VERSION_FLAGS) -coverprofile=".cover/c.out" ./...
|
go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
|
||||||
go tool cover -html ".cover/c.out" -o .cover/all.html
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
.PHONY: test-ssh-server
|
.PHONY: cover
|
||||||
test-ssh-server:
|
cover:
|
||||||
docker-compose -f ssh_server_tests/docker-compose.yml up
|
@echo ""
|
||||||
|
@echo "=====> Total test coverage: <====="
|
||||||
|
@echo ""
|
||||||
|
# Print the overall coverage here for quick access.
|
||||||
|
$Q go tool cover -func ".cover/c.out" | grep "total:" | awk '{print $$3}'
|
||||||
|
# Generate the HTML report that can be viewed from the browser in CI.
|
||||||
|
$Q go tool cover -html ".cover/c.out" -o .cover/all.html
|
||||||
|
|
||||||
define publish_package
|
.PHONY: install-go
|
||||||
for HOST in $(CF_PKG_HOSTS); do \
|
install-go:
|
||||||
ssh-keyscan -t rsa $$HOST >> ~/.ssh/known_hosts; \
|
rm -rf ${CF_GO_PATH}
|
||||||
scp -4 cloudflared*.$(1) cfsync@$$HOST:/state/cf-pkg/staging/$(2)/$(TARGET_PUBLIC_REPO)/cloudflared/; \
|
./.teamcity/install-cloudflare-go.sh
|
||||||
ssh cfsync@$$HOST 'chmod g+w /state/cf-pkg/staging/$(2)/$(TARGET_PUBLIC_REPO)/cloudflared/*.$(1)'; \
|
|
||||||
done
|
|
||||||
endef
|
|
||||||
|
|
||||||
.PHONY: publish-deb
|
.PHONY: cleanup-go
|
||||||
publish-deb: cloudflared-deb
|
cleanup-go:
|
||||||
$(call publish_package,deb,apt)
|
rm -rf ${CF_GO_PATH}
|
||||||
|
|
||||||
.PHONY: publish-rpm
|
cloudflared.1: cloudflared_man_template
|
||||||
publish-rpm: cloudflared-rpm
|
sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1
|
||||||
$(call publish_package,rpm,yum)
|
|
||||||
|
|
||||||
|
install: install-go cloudflared cloudflared.1 cleanup-go
|
||||||
|
mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)
|
||||||
|
install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared
|
||||||
|
install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1
|
||||||
|
|
||||||
|
# When we build packages, the package name will be FIPS-aware.
|
||||||
|
# But we keep the binary installed by it to be named "cloudflared" regardless.
|
||||||
define build_package
|
define build_package
|
||||||
mkdir -p $(PACKAGE_DIR)
|
mkdir -p $(PACKAGE_DIR)
|
||||||
cp cloudflared $(PACKAGE_DIR)/cloudflared
|
cp cloudflared $(PACKAGE_DIR)/cloudflared
|
||||||
cat cloudflared_man_template | sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' > $(PACKAGE_DIR)/cloudflared.1
|
cp cloudflared.1 $(PACKAGE_DIR)/cloudflared.1
|
||||||
fakeroot fpm -C $(PACKAGE_DIR) -s dir -t $(1) \
|
fpm -C $(PACKAGE_DIR) -s dir -t $(1) \
|
||||||
--description 'Cloudflare Argo tunnel daemon' \
|
--description 'Cloudflare Tunnel daemon' \
|
||||||
--vendor 'Cloudflare' \
|
--vendor 'Cloudflare' \
|
||||||
--license 'Cloudflare Service Agreement' \
|
--license 'Apache License Version 2.0' \
|
||||||
--url 'https://github.com/cloudflare/cloudflared' \
|
--url 'https://github.com/cloudflare/cloudflared' \
|
||||||
-m 'Cloudflare <support@cloudflare.com>' \
|
-m 'Cloudflare <support@cloudflare.com>' \
|
||||||
-a $(TARGET_ARCH) -v $(VERSION) -n cloudflared --after-install postinst.sh --after-remove postrm.sh \
|
-a $(PACKAGE_ARCH) -v $(VERSION) -n $(DEB_PACKAGE_NAME) $(RPM_DIGEST) $(NIGHTLY_FLAGS) --after-install postinst.sh --after-remove postrm.sh \
|
||||||
cloudflared=$(INSTALL_BINDIR) cloudflared.1=$(MAN_DIR)
|
cloudflared=$(INSTALL_BINDIR) cloudflared.1=$(INSTALL_MANDIR)
|
||||||
endef
|
endef
|
||||||
|
|
||||||
.PHONY: cloudflared-deb
|
.PHONY: cloudflared-deb
|
||||||
cloudflared-deb: cloudflared
|
cloudflared-deb: cloudflared cloudflared.1
|
||||||
$(call build_package,deb)
|
$(call build_package,deb)
|
||||||
|
|
||||||
.PHONY: cloudflared-rpm
|
.PHONY: cloudflared-rpm
|
||||||
cloudflared-rpm: cloudflared
|
cloudflared-rpm: cloudflared cloudflared.1
|
||||||
$(call build_package,rpm)
|
$(call build_package,rpm)
|
||||||
|
|
||||||
.PHONY: cloudflared-darwin-amd64.tgz
|
.PHONY: cloudflared-pkg
|
||||||
cloudflared-darwin-amd64.tgz: cloudflared
|
cloudflared-pkg: cloudflared cloudflared.1
|
||||||
tar czf cloudflared-darwin-amd64.tgz cloudflared
|
$(call build_package,osxpkg)
|
||||||
rm cloudflared
|
|
||||||
|
|
||||||
.PHONY: cloudflared-junos
|
.PHONY: cloudflared-msi
|
||||||
cloudflared-junos: cloudflared jetez-certificate.pem jetez-key.pem
|
cloudflared-msi:
|
||||||
jetez --source . \
|
wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
|
||||||
-j jet.yaml \
|
|
||||||
--key jetez-key.pem \
|
|
||||||
--cert jetez-certificate.pem \
|
|
||||||
--version $(VERSION)
|
|
||||||
rm jetez-*.pem
|
|
||||||
|
|
||||||
jetez-certificate.pem:
|
.PHONY: github-release-dryrun
|
||||||
ifndef JETEZ_CERT
|
github-release-dryrun:
|
||||||
$(error JETEZ_CERT not defined)
|
python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION) --dry-run
|
||||||
endif
|
|
||||||
@echo "Writing JetEZ certificate"
|
|
||||||
@echo "$$JETEZ_CERT" > jetez-certificate.pem
|
|
||||||
|
|
||||||
jetez-key.pem:
|
|
||||||
ifndef JETEZ_KEY
|
|
||||||
$(error JETEZ_KEY not defined)
|
|
||||||
endif
|
|
||||||
@echo "Writing JetEZ key"
|
|
||||||
@echo "$$JETEZ_KEY" > jetez-key.pem
|
|
||||||
|
|
||||||
.PHONY: publish-cloudflared-junos
|
|
||||||
publish-cloudflared-junos: cloudflared-junos cloudflared-x86-64.latest.s3
|
|
||||||
ifndef S3_ENDPOINT
|
|
||||||
$(error S3_HOST not defined)
|
|
||||||
endif
|
|
||||||
ifndef S3_URI
|
|
||||||
$(error S3_URI not defined)
|
|
||||||
endif
|
|
||||||
ifndef S3_ACCESS_KEY
|
|
||||||
$(error S3_ACCESS_KEY not defined)
|
|
||||||
endif
|
|
||||||
ifndef S3_SECRET_KEY
|
|
||||||
$(error S3_SECRET_KEY not defined)
|
|
||||||
endif
|
|
||||||
sha256sum cloudflared-x86-64-$(VERSION).tgz | awk '{printf $$1}' > cloudflared-x86-64-$(VERSION).tgz.shasum
|
|
||||||
s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
|
|
||||||
put cloudflared-x86-64-$(VERSION).tgz $(S3_URI)/cloudflared-x86-64-$(VERSION).tgz
|
|
||||||
s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
|
|
||||||
put cloudflared-x86-64-$(VERSION).tgz.shasum $(S3_URI)/cloudflared-x86-64-$(VERSION).tgz.shasum
|
|
||||||
dpkg --compare-versions "$(VERSION)" gt "$(shell cat cloudflared-x86-64.latest.s3)" && \
|
|
||||||
echo -n "$(VERSION)" > cloudflared-x86-64.latest && \
|
|
||||||
s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
|
|
||||||
put cloudflared-x86-64.latest $(S3_URI)/cloudflared-x86-64.latest || \
|
|
||||||
echo "Latest version not updated"
|
|
||||||
|
|
||||||
cloudflared-x86-64.latest.s3:
|
|
||||||
s4cmd --endpoint-url $(S3_ENDPOINT) --force \
|
|
||||||
get $(S3_URI)/cloudflared-x86-64.latest cloudflared-x86-64.latest.s3
|
|
||||||
|
|
||||||
.PHONY: homebrew-upload
|
|
||||||
homebrew-upload: cloudflared-darwin-amd64.tgz
|
|
||||||
aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $$^ $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz
|
|
||||||
aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz $(S3_URI)/cloudflared-stable-$1.tgz
|
|
||||||
|
|
||||||
.PHONY: homebrew-release
|
|
||||||
homebrew-release: homebrew-upload
|
|
||||||
./publish-homebrew-formula.sh cloudflared-darwin-amd64.tgz $(VERSION) homebrew-cloudflare
|
|
||||||
|
|
||||||
.PHONY: release
|
|
||||||
release: bin/equinox
|
|
||||||
bin/equinox release $(EQUINOX_FLAGS) -- $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
|
|
||||||
|
|
||||||
.PHONY: github-release
|
.PHONY: github-release
|
||||||
github-release: cloudflared
|
github-release:
|
||||||
python3 github_release.py --path $(EXECUTABLE_PATH) --release-version $(VERSION)
|
python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
|
||||||
|
|
||||||
.PHONY: github-message
|
|
||||||
github-message:
|
|
||||||
python3 github_message.py --release-version $(VERSION)
|
python3 github_message.py --release-version $(VERSION)
|
||||||
|
|
||||||
.PHONY: github-mac-upload
|
.PHONY: r2-linux-release
|
||||||
github-mac-upload:
|
r2-linux-release:
|
||||||
python3 github_release.py --path artifacts/cloudflared-darwin-amd64.tgz --release-version $(VERSION) --name cloudflared-darwin-amd64.tgz
|
python3 ./release_pkgs.py
|
||||||
python3 github_release.py --path artifacts/cloudflared-amd64.pkg --release-version $(VERSION) --name cloudflared-amd64.pkg
|
|
||||||
|
|
||||||
bin/equinox:
|
.PHONY: capnp
|
||||||
mkdir -p bin
|
capnp:
|
||||||
curl -s https://bin.equinox.io/c/75JtLRTsJ3n/release-tool-beta-$(EQUINOX_PLATFORM).tgz | tar xz -C bin/
|
|
||||||
|
|
||||||
.PHONY: tunnel-deps
|
|
||||||
tunnel-deps: tunnelrpc/tunnelrpc.capnp.go
|
|
||||||
|
|
||||||
tunnelrpc/tunnelrpc.capnp.go: tunnelrpc/tunnelrpc.capnp
|
|
||||||
which capnp # https://capnproto.org/install.html
|
which capnp # https://capnproto.org/install.html
|
||||||
which capnpc-go # go get zombiezen.com/go/capnproto2/capnpc-go
|
which capnpc-go # go install zombiezen.com/go/capnproto2/capnpc-go@latest
|
||||||
capnp compile -ogo tunnelrpc/tunnelrpc.capnp
|
capnp compile -ogo tunnelrpc/proto/tunnelrpc.capnp tunnelrpc/proto/quic_metadata_protocol.capnp
|
||||||
|
|
||||||
.PHONY: vet
|
.PHONY: vet
|
||||||
vet:
|
vet:
|
||||||
go vet -mod=vendor ./...
|
go vet -mod=vendor github.com/cloudflare/cloudflared/...
|
||||||
which go-sumtype # go get github.com/BurntSushi/go-sumtype
|
|
||||||
go-sumtype $$(go list -mod=vendor ./...)
|
|
||||||
|
|
||||||
.PHONY: msi
|
.PHONY: fmt
|
||||||
msi: cloudflared
|
fmt:
|
||||||
go-msi make --msi cloudflared.msi --version $(MSI_VERSION)
|
goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
|
||||||
|
|
47
README.md
47
README.md
|
@ -1,43 +1,58 @@
|
||||||
# Argo Tunnel client
|
# Cloudflare Tunnel client
|
||||||
|
|
||||||
|
Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
|
||||||
|
This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
|
||||||
|
via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
|
||||||
|
Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
|
||||||
|
All usages related with proxying to your origins are available under `cloudflared tunnel help`.
|
||||||
|
|
||||||
|
You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
|
||||||
|
at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
|
||||||
|
Such usages are available under `cloudflared access help`.
|
||||||
|
|
||||||
|
You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
|
||||||
|
to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
|
||||||
|
|
||||||
Contains the command-line client for Argo Tunnel, a tunneling daemon that proxies any local webserver through the Cloudflare network. Extensive documentation can be found in the [Argo Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
|
|
||||||
|
|
||||||
## Before you get started
|
## Before you get started
|
||||||
|
|
||||||
Before you use Argo Tunnel, you'll need to complete a few steps in the Cloudflare dashboard. The website you add to Cloudflare will be used to route traffic to your Tunnel.
|
Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
|
||||||
|
website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
|
||||||
|
routing), but for legacy reasons this requirement is still necessary:
|
||||||
1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
|
1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
|
||||||
2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
|
2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
|
||||||
|
|
||||||
|
|
||||||
## Installing `cloudflared`
|
## Installing `cloudflared`
|
||||||
|
|
||||||
Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases here on the `cloudflared` GitHub repository.
|
Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
|
||||||
|
|
||||||
* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
|
* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
|
||||||
* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
|
* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
|
||||||
* A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
|
* A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
|
||||||
* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
|
* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
|
||||||
|
* To build from source, first you need to download the go toolchain by running `./.teamcity/install-cloudflare-go.sh` and follow the output. Then you can run `make cloudflared`
|
||||||
|
|
||||||
|
User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
|
||||||
|
|
||||||
User documentation for Argo Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
|
|
||||||
|
|
||||||
## Creating Tunnels and routing traffic
|
## Creating Tunnels and routing traffic
|
||||||
|
|
||||||
Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels that serve traffic for hostnames in your account.
|
Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
|
||||||
|
|
||||||
* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
|
* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
|
||||||
* Route traffic to that Tunnel with [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns) or with a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
|
* Route traffic to that Tunnel:
|
||||||
|
* Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
|
||||||
|
* Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
|
||||||
|
* Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
|
||||||
|
|
||||||
|
|
||||||
## TryCloudflare
|
## TryCloudflare
|
||||||
|
|
||||||
Want to test Argo Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/trycloudflare).
|
Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare).
|
||||||
|
|
||||||
## Deprecated versions
|
## Deprecated versions
|
||||||
|
|
||||||
Cloudflare currently supports all versions of `cloudflared`. Starting on March 20, 2021, Cloudflare will no longer support versions released prior to 2020.5.1.
|
Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
|
||||||
|
|
||||||
All features available in versions released prior to 2020.5.1 are available in current versions. Breaking changes unrelated to feature availability may be introduced that will impact versions released prior to 2020.5.1. You can read more about upgrading `cloudflared` in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#updating-cloudflared).
|
For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
|
||||||
|
|
||||||
| Version(s) | Deprecation status |
|
|
||||||
|---|---|
|
|
||||||
| 2020.5.1 and later | Supported |
|
|
||||||
| Versions prior to 2020.5.1 | Will no longer be supported starting March 20, 2021 |
|
|
||||||
|
|
1019
RELEASE_NOTES
1019
RELEASE_NOTES
File diff suppressed because it is too large
Load Diff
|
@ -1,29 +0,0 @@
|
||||||
package buffer
|
|
||||||
|
|
||||||
import (
|
|
||||||
"sync"
|
|
||||||
)
|
|
||||||
|
|
||||||
type Pool struct {
|
|
||||||
// A Pool must not be copied after first use.
|
|
||||||
// https://golang.org/pkg/sync/#Pool
|
|
||||||
buffers sync.Pool
|
|
||||||
}
|
|
||||||
|
|
||||||
func NewPool(bufferSize int) *Pool {
|
|
||||||
return &Pool{
|
|
||||||
buffers: sync.Pool{
|
|
||||||
New: func() interface{} {
|
|
||||||
return make([]byte, bufferSize)
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *Pool) Get() []byte {
|
|
||||||
return p.buffers.Get().([]byte)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *Pool) Put(buf []byte) {
|
|
||||||
p.buffers.Put(buf)
|
|
||||||
}
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
#!/bin/bash
|
||||||
|
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
|
||||||
|
echo $VERSION
|
||||||
|
|
||||||
|
# This controls the directory the built artifacts go into
|
||||||
|
export ARTIFACT_DIR=artifacts/
|
||||||
|
mkdir -p $ARTIFACT_DIR
|
||||||
|
|
||||||
|
arch=("amd64")
|
||||||
|
export TARGET_ARCH=$arch
|
||||||
|
export TARGET_OS=linux
|
||||||
|
export FIPS=true
|
||||||
|
# For BoringCrypto to link, we need CGO enabled. Otherwise compilation fails.
|
||||||
|
export CGO_ENABLED=1
|
||||||
|
|
||||||
|
make cloudflared-deb
|
||||||
|
mv cloudflared-fips\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb
|
||||||
|
|
||||||
|
# rpm packages invert the - and _ and use x86_64 instead of amd64.
|
||||||
|
RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
|
||||||
|
RPMARCH="x86_64"
|
||||||
|
make cloudflared-rpm
|
||||||
|
mv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm
|
||||||
|
|
||||||
|
# finally move the linux binary as well.
|
||||||
|
mv ./cloudflared $ARTIFACT_DIR/cloudflared-fips-linux-$arch
|
|
@ -0,0 +1,48 @@
|
||||||
|
#!/bin/bash
|
||||||
|
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
|
||||||
|
echo $VERSION
|
||||||
|
|
||||||
|
# Disable FIPS module in go-boring
|
||||||
|
export GOEXPERIMENT=noboringcrypto
|
||||||
|
export CGO_ENABLED=0
|
||||||
|
|
||||||
|
# This controls the directory the built artifacts go into
|
||||||
|
export ARTIFACT_DIR=artifacts/
|
||||||
|
mkdir -p $ARTIFACT_DIR
|
||||||
|
|
||||||
|
linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
|
||||||
|
export TARGET_OS=linux
|
||||||
|
for arch in ${linuxArchs[@]}; do
|
||||||
|
unset TARGET_ARM
|
||||||
|
export TARGET_ARCH=$arch
|
||||||
|
|
||||||
|
## Support for arm platforms without hardware FPU enabled
|
||||||
|
if [[ $arch == arm ]] ; then
|
||||||
|
export TARGET_ARCH=arm
|
||||||
|
export TARGET_ARM=5
|
||||||
|
fi
|
||||||
|
|
||||||
|
## Support for armhf builds
|
||||||
|
if [[ $arch == armhf ]] ; then
|
||||||
|
export TARGET_ARCH=arm
|
||||||
|
export TARGET_ARM=7
|
||||||
|
fi
|
||||||
|
|
||||||
|
make cloudflared-deb
|
||||||
|
mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
|
||||||
|
|
||||||
|
# rpm packages invert the - and _ and use x86_64 instead of amd64.
|
||||||
|
RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
|
||||||
|
RPMARCH=$arch
|
||||||
|
if [ $arch == "amd64" ];then
|
||||||
|
RPMARCH="x86_64"
|
||||||
|
fi
|
||||||
|
if [ $arch == "arm64" ]; then
|
||||||
|
RPMARCH="aarch64"
|
||||||
|
fi
|
||||||
|
make cloudflared-rpm
|
||||||
|
mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
|
||||||
|
|
||||||
|
# finally move the linux binary as well.
|
||||||
|
mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
|
||||||
|
done
|
|
@ -1,42 +1,47 @@
|
||||||
//Package carrier provides a WebSocket proxy to carry or proxy a connection
|
// Package carrier provides a WebSocket proxy to carry or proxy a connection
|
||||||
//from the local client to the edge. See it as a wrapper around any protocol
|
// from the local client to the edge. See it as a wrapper around any protocol
|
||||||
//that it packages up in a WebSocket connection to the edge.
|
// that it packages up in a WebSocket connection to the edge.
|
||||||
package carrier
|
package carrier
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
|
|
||||||
"github.com/cloudflare/cloudflared/h2mux"
|
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/token"
|
||||||
)
|
)
|
||||||
|
|
||||||
const LogFieldOriginURL = "originURL"
|
const (
|
||||||
|
LogFieldOriginURL = "originURL"
|
||||||
|
CFAccessTokenHeader = "Cf-Access-Token"
|
||||||
|
cfJumpDestinationHeader = "Cf-Access-Jump-Destination"
|
||||||
|
)
|
||||||
|
|
||||||
type StartOptions struct {
|
type StartOptions struct {
|
||||||
OriginURL string
|
AppInfo *token.AppInfo
|
||||||
Headers http.Header
|
OriginURL string
|
||||||
|
Headers http.Header
|
||||||
|
Host string
|
||||||
|
TLSClientConfig *tls.Config
|
||||||
}
|
}
|
||||||
|
|
||||||
// Connection wraps up all the needed functions to forward over the tunnel
|
// Connection wraps up all the needed functions to forward over the tunnel
|
||||||
type Connection interface {
|
type Connection interface {
|
||||||
// ServeStream is used to forward data from the client to the edge
|
// ServeStream is used to forward data from the client to the edge
|
||||||
ServeStream(*StartOptions, io.ReadWriter) error
|
ServeStream(*StartOptions, io.ReadWriter) error
|
||||||
|
|
||||||
// StartServer is used to listen for incoming connections from the edge to the origin
|
|
||||||
StartServer(net.Listener, string, <-chan struct{}) error
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// StdinoutStream is empty struct for wrapping stdin/stdout
|
// StdinoutStream is empty struct for wrapping stdin/stdout
|
||||||
// into a single ReadWriter
|
// into a single ReadWriter
|
||||||
type StdinoutStream struct {
|
type StdinoutStream struct{}
|
||||||
}
|
|
||||||
|
|
||||||
// Read will read from Stdin
|
// Read will read from Stdin
|
||||||
func (c *StdinoutStream) Read(p []byte) (int, error) {
|
func (c *StdinoutStream) Read(p []byte) (int, error) {
|
||||||
|
@ -49,7 +54,7 @@ func (c *StdinoutStream) Write(p []byte) (int, error) {
|
||||||
return os.Stdout.Write(p)
|
return os.Stdout.Write(p)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Helper to allow defering the response close with a check that the resp is not nil
|
// Helper to allow deferring the response close with a check that the resp is not nil
|
||||||
func closeRespBody(resp *http.Response) {
|
func closeRespBody(resp *http.Response) {
|
||||||
if resp != nil {
|
if resp != nil {
|
||||||
_ = resp.Body.Close()
|
_ = resp.Body.Close()
|
||||||
|
@ -120,7 +125,7 @@ func IsAccessResponse(resp *http.Response) bool {
|
||||||
if err != nil || location == nil {
|
if err != nil || location == nil {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
if strings.HasPrefix(location.Path, "/cdn-cgi/access/login") {
|
if strings.HasPrefix(location.Path, token.AccessLoginWorkerPath) {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -134,7 +139,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
token, err := token.FetchTokenWithRedirect(req.URL, log)
|
token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, log)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -145,7 +150,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
originRequest.Header.Set(h2mux.CFAccessTokenHeader, token)
|
originRequest.Header.Set(CFAccessTokenHeader, token)
|
||||||
|
|
||||||
for k, v := range options.Headers {
|
for k, v := range options.Headers {
|
||||||
if len(v) >= 1 {
|
if len(v) >= 1 {
|
||||||
|
@ -155,3 +160,26 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
|
||||||
|
|
||||||
return originRequest, nil
|
return originRequest, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func SetBastionDest(header http.Header, destination string) {
|
||||||
|
if destination != "" {
|
||||||
|
header.Set(cfJumpDestinationHeader, destination)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func ResolveBastionDest(r *http.Request) (string, error) {
|
||||||
|
jumpDestination := r.Header.Get(cfJumpDestinationHeader)
|
||||||
|
if jumpDestination == "" {
|
||||||
|
return "", fmt.Errorf("Did not receive final destination from client. The --destination flag is likely not set on the client side")
|
||||||
|
}
|
||||||
|
// Strip scheme and path set by client. Without a scheme
|
||||||
|
// Parsing a hostname and path without scheme might not return an error due to parsing ambiguities
|
||||||
|
if jumpURL, err := url.Parse(jumpDestination); err == nil && jumpURL.Host != "" {
|
||||||
|
return removePath(jumpURL.Host), nil
|
||||||
|
}
|
||||||
|
return removePath(jumpDestination), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func removePath(dest string) string {
|
||||||
|
return strings.SplitN(dest, "/", 2)[0]
|
||||||
|
}
|
||||||
|
|
|
@ -44,7 +44,7 @@ func (s *testStreamer) Write(p []byte) (int, error) {
|
||||||
func TestStartClient(t *testing.T) {
|
func TestStartClient(t *testing.T) {
|
||||||
message := "Good morning Austin! Time for another sunny day in the great state of Texas."
|
message := "Good morning Austin! Time for another sunny day in the great state of Texas."
|
||||||
log := zerolog.Nop()
|
log := zerolog.Nop()
|
||||||
wsConn := NewWSConnection(&log, false)
|
wsConn := NewWSConnection(&log)
|
||||||
ts := newTestWebSocketServer()
|
ts := newTestWebSocketServer()
|
||||||
defer ts.Close()
|
defer ts.Close()
|
||||||
|
|
||||||
|
@ -70,7 +70,7 @@ func TestStartServer(t *testing.T) {
|
||||||
message := "Good morning Austin! Time for another sunny day in the great state of Texas."
|
message := "Good morning Austin! Time for another sunny day in the great state of Texas."
|
||||||
log := zerolog.Nop()
|
log := zerolog.Nop()
|
||||||
shutdownC := make(chan struct{})
|
shutdownC := make(chan struct{})
|
||||||
wsConn := NewWSConnection(&log, false)
|
wsConn := NewWSConnection(&log)
|
||||||
ts := newTestWebSocketServer()
|
ts := newTestWebSocketServer()
|
||||||
defer ts.Close()
|
defer ts.Close()
|
||||||
options := &StartOptions{
|
options := &StartOptions{
|
||||||
|
@ -81,7 +81,8 @@ func TestStartServer(t *testing.T) {
|
||||||
go func() {
|
go func() {
|
||||||
err := Serve(wsConn, listener, shutdownC, options)
|
err := Serve(wsConn, listener, shutdownC, options)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Error running server: %v", err)
|
t.Errorf("Error running server: %v", err)
|
||||||
|
return
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
@ -155,3 +156,99 @@ func testRequest(t *testing.T, url string, stream io.ReadWriter) *http.Request {
|
||||||
|
|
||||||
return req
|
return req
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestBastionDestination(t *testing.T) {
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
header http.Header
|
||||||
|
expectedDest string
|
||||||
|
wantErr bool
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "hostname destination",
|
||||||
|
header: http.Header{
|
||||||
|
cfJumpDestinationHeader: []string{"localhost"},
|
||||||
|
},
|
||||||
|
expectedDest: "localhost",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "hostname destination with port",
|
||||||
|
header: http.Header{
|
||||||
|
cfJumpDestinationHeader: []string{"localhost:9000"},
|
||||||
|
},
|
||||||
|
expectedDest: "localhost:9000",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "hostname destination with scheme and port",
|
||||||
|
header: http.Header{
|
||||||
|
cfJumpDestinationHeader: []string{"ssh://localhost:9000"},
|
||||||
|
},
|
||||||
|
expectedDest: "localhost:9000",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "full hostname url",
|
||||||
|
header: http.Header{
|
||||||
|
cfJumpDestinationHeader: []string{"ssh://localhost:9000/metrics"},
|
||||||
|
},
|
||||||
|
expectedDest: "localhost:9000",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "hostname destination with port and path",
|
||||||
|
header: http.Header{
|
||||||
|
cfJumpDestinationHeader: []string{"localhost:9000/metrics"},
|
||||||
|
},
|
||||||
|
expectedDest: "localhost:9000",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "ip destination",
|
||||||
|
header: http.Header{
|
||||||
|
cfJumpDestinationHeader: []string{"127.0.0.1"},
|
||||||
|
},
|
||||||
|
expectedDest: "127.0.0.1",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "ip destination with port",
|
||||||
|
header: http.Header{
|
||||||
|
cfJumpDestinationHeader: []string{"127.0.0.1:9000"},
|
||||||
|
},
|
||||||
|
expectedDest: "127.0.0.1:9000",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "ip destination with port and path",
|
||||||
|
header: http.Header{
|
||||||
|
cfJumpDestinationHeader: []string{"127.0.0.1:9000/metrics"},
|
||||||
|
},
|
||||||
|
expectedDest: "127.0.0.1:9000",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "ip destination with schem and port",
|
||||||
|
header: http.Header{
|
||||||
|
cfJumpDestinationHeader: []string{"tcp://127.0.0.1:9000"},
|
||||||
|
},
|
||||||
|
expectedDest: "127.0.0.1:9000",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "full ip url",
|
||||||
|
header: http.Header{
|
||||||
|
cfJumpDestinationHeader: []string{"ssh://127.0.0.1:9000/metrics"},
|
||||||
|
},
|
||||||
|
expectedDest: "127.0.0.1:9000",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "no destination",
|
||||||
|
wantErr: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for _, test := range tests {
|
||||||
|
r := &http.Request{
|
||||||
|
Header: test.header,
|
||||||
|
}
|
||||||
|
dest, err := ResolveBastionDest(r)
|
||||||
|
if test.wantErr {
|
||||||
|
assert.Error(t, err, "Test %s expects error", test.name)
|
||||||
|
} else {
|
||||||
|
assert.NoError(t, err, "Test %s expects no error, got error %v", test.name, err)
|
||||||
|
assert.Equal(t, test.expectedDest, dest, "Test %s expect dest %s, got %s", test.name, test.expectedDest, dest)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -1,18 +1,17 @@
|
||||||
package carrier
|
package carrier
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
|
||||||
"io"
|
"io"
|
||||||
"net"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httputil"
|
"net/http/httputil"
|
||||||
|
"net/url"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
|
|
||||||
"github.com/cloudflare/cloudflared/socks"
|
|
||||||
cfwebsocket "github.com/cloudflare/cloudflared/websocket"
|
|
||||||
|
|
||||||
"github.com/gorilla/websocket"
|
"github.com/gorilla/websocket"
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/stream"
|
||||||
|
"github.com/cloudflare/cloudflared/token"
|
||||||
|
cfwebsocket "github.com/cloudflare/cloudflared/websocket"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Websocket is used to carry data via WS binary frames over the tunnel from client to the origin
|
// Websocket is used to carry data via WS binary frames over the tunnel from client to the origin
|
||||||
|
@ -22,25 +21,10 @@ type Websocket struct {
|
||||||
isSocks bool
|
isSocks bool
|
||||||
}
|
}
|
||||||
|
|
||||||
type wsdialer struct {
|
|
||||||
conn *cfwebsocket.Conn
|
|
||||||
}
|
|
||||||
|
|
||||||
func (d *wsdialer) Dial(address string) (io.ReadWriteCloser, *socks.AddrSpec, error) {
|
|
||||||
local, ok := d.conn.LocalAddr().(*net.TCPAddr)
|
|
||||||
if !ok {
|
|
||||||
return nil, nil, fmt.Errorf("not a tcp connection")
|
|
||||||
}
|
|
||||||
|
|
||||||
addr := socks.AddrSpec{IP: local.IP, Port: local.Port}
|
|
||||||
return d.conn, &addr, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// NewWSConnection returns a new connection object
|
// NewWSConnection returns a new connection object
|
||||||
func NewWSConnection(log *zerolog.Logger, isSocks bool) Connection {
|
func NewWSConnection(log *zerolog.Logger) Connection {
|
||||||
return &Websocket{
|
return &Websocket{
|
||||||
log: log,
|
log: log,
|
||||||
isSocks: isSocks,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -54,41 +38,49 @@ func (ws *Websocket) ServeStream(options *StartOptions, conn io.ReadWriter) erro
|
||||||
}
|
}
|
||||||
defer wsConn.Close()
|
defer wsConn.Close()
|
||||||
|
|
||||||
if ws.isSocks {
|
stream.Pipe(wsConn, conn, ws.log)
|
||||||
dialer := &wsdialer{conn: wsConn}
|
|
||||||
requestHandler := socks.NewRequestHandler(dialer)
|
|
||||||
socksServer := socks.NewConnectionHandler(requestHandler)
|
|
||||||
|
|
||||||
_ = socksServer.Serve(conn)
|
|
||||||
} else {
|
|
||||||
cfwebsocket.Stream(wsConn, conn)
|
|
||||||
}
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// StartServer creates a Websocket server to listen for connections.
|
|
||||||
// This is used on the origin (tunnel) side to take data from the muxer and send it to the origin
|
|
||||||
func (ws *Websocket) StartServer(listener net.Listener, remote string, shutdownC <-chan struct{}) error {
|
|
||||||
return cfwebsocket.StartProxyServer(ws.log, listener, remote, shutdownC, cfwebsocket.DefaultStreamHandler)
|
|
||||||
}
|
|
||||||
|
|
||||||
// createWebsocketStream will create a WebSocket connection to stream data over
|
// createWebsocketStream will create a WebSocket connection to stream data over
|
||||||
// It also handles redirects from Access and will present that flow if
|
// It also handles redirects from Access and will present that flow if
|
||||||
// the token is not present on the request
|
// the token is not present on the request
|
||||||
func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebsocket.Conn, error) {
|
func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebsocket.GorillaConn, error) {
|
||||||
req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
|
req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
req.Header = options.Headers
|
req.Header = options.Headers
|
||||||
|
if options.Host != "" {
|
||||||
|
req.Host = options.Host
|
||||||
|
}
|
||||||
|
|
||||||
dump, err := httputil.DumpRequest(req, false)
|
dump, err := httputil.DumpRequest(req, false)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
log.Debug().Msgf("Websocket request: %s", string(dump))
|
log.Debug().Msgf("Websocket request: %s", string(dump))
|
||||||
|
|
||||||
wsConn, resp, err := cfwebsocket.ClientConnect(req, nil)
|
dialer := &websocket.Dialer{
|
||||||
|
TLSClientConfig: options.TLSClientConfig,
|
||||||
|
Proxy: http.ProxyFromEnvironment,
|
||||||
|
}
|
||||||
|
wsConn, resp, err := clientConnect(req, dialer)
|
||||||
defer closeRespBody(resp)
|
defer closeRespBody(resp)
|
||||||
|
|
||||||
if err != nil && IsAccessResponse(resp) {
|
if err != nil && IsAccessResponse(resp) {
|
||||||
|
// Only get Access app info if we know the origin is protected by Access
|
||||||
|
originReq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
appInfo, err := token.GetAppInfo(originReq.URL)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
options.AppInfo = appInfo
|
||||||
|
|
||||||
wsConn, err = createAccessAuthenticatedStream(options, log)
|
wsConn, err = createAccessAuthenticatedStream(options, log)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -97,7 +89,64 @@ func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebso
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return &cfwebsocket.Conn{Conn: wsConn}, nil
|
return &cfwebsocket.GorillaConn{Conn: wsConn}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
var stripWebsocketHeaders = []string{
|
||||||
|
"Upgrade",
|
||||||
|
"Connection",
|
||||||
|
"Sec-Websocket-Key",
|
||||||
|
"Sec-Websocket-Version",
|
||||||
|
"Sec-Websocket-Extensions",
|
||||||
|
}
|
||||||
|
|
||||||
|
// the gorilla websocket library sets its own Upgrade, Connection, Sec-WebSocket-Key,
|
||||||
|
// Sec-WebSocket-Version and Sec-Websocket-Extensions headers.
|
||||||
|
// https://github.com/gorilla/websocket/blob/master/client.go#L189-L194.
|
||||||
|
func websocketHeaders(req *http.Request) http.Header {
|
||||||
|
wsHeaders := make(http.Header)
|
||||||
|
for key, val := range req.Header {
|
||||||
|
wsHeaders[key] = val
|
||||||
|
}
|
||||||
|
// Assume the header keys are in canonical format.
|
||||||
|
for _, header := range stripWebsocketHeaders {
|
||||||
|
wsHeaders.Del(header)
|
||||||
|
}
|
||||||
|
wsHeaders.Set("Host", req.Host) // See TUN-1097
|
||||||
|
return wsHeaders
|
||||||
|
}
|
||||||
|
|
||||||
|
// clientConnect creates a WebSocket client connection for provided request. Caller is responsible for closing
|
||||||
|
// the connection. The response body may not contain the entire response and does
|
||||||
|
// not need to be closed by the application.
|
||||||
|
func clientConnect(req *http.Request, dialler *websocket.Dialer) (*websocket.Conn, *http.Response, error) {
|
||||||
|
req.URL.Scheme = changeRequestScheme(req.URL)
|
||||||
|
wsHeaders := websocketHeaders(req)
|
||||||
|
if dialler == nil {
|
||||||
|
dialler = &websocket.Dialer{
|
||||||
|
Proxy: http.ProxyFromEnvironment,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
conn, response, err := dialler.Dial(req.URL.String(), wsHeaders)
|
||||||
|
if err != nil {
|
||||||
|
return nil, response, err
|
||||||
|
}
|
||||||
|
return conn, response, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// changeRequestScheme is needed as the gorilla websocket library requires the ws scheme.
|
||||||
|
// (even though it changes it back to http/https, but ¯\_(ツ)_/¯.)
|
||||||
|
func changeRequestScheme(reqURL *url.URL) string {
|
||||||
|
switch reqURL.Scheme {
|
||||||
|
case "https":
|
||||||
|
return "wss"
|
||||||
|
case "http":
|
||||||
|
return "ws"
|
||||||
|
case "":
|
||||||
|
return "ws"
|
||||||
|
default:
|
||||||
|
return reqURL.Scheme
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// createAccessAuthenticatedStream will try load a token from storage and make
|
// createAccessAuthenticatedStream will try load a token from storage and make
|
||||||
|
@ -117,11 +166,7 @@ func createAccessAuthenticatedStream(options *StartOptions, log *zerolog.Logger)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Access Token is invalid for some reason. Go through regen flow
|
// Access Token is invalid for some reason. Go through regen flow
|
||||||
originReq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
|
if err := token.RemoveTokenIfExists(options.AppInfo); err != nil {
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if err := token.RemoveTokenIfExists(originReq.URL); err != nil {
|
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
wsConn, resp, err = createAccessWebSocketStream(options, log)
|
wsConn, resp, err = createAccessWebSocketStream(options, log)
|
||||||
|
@ -141,9 +186,12 @@ func createAccessWebSocketStream(options *StartOptions, log *zerolog.Logger) (*w
|
||||||
}
|
}
|
||||||
|
|
||||||
dump, err := httputil.DumpRequest(req, false)
|
dump, err := httputil.DumpRequest(req, false)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
log.Debug().Msgf("Access Websocket request: %s", string(dump))
|
log.Debug().Msgf("Access Websocket request: %s", string(dump))
|
||||||
|
|
||||||
conn, resp, err := cfwebsocket.ClientConnect(req, nil)
|
conn, resp, err := clientConnect(req, nil)
|
||||||
|
|
||||||
if resp != nil {
|
if resp != nil {
|
||||||
r, err := httputil.DumpResponse(resp, true)
|
r, err := httputil.DumpResponse(resp, true)
|
||||||
|
|
|
@ -0,0 +1,123 @@
|
||||||
|
package carrier
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"crypto/tls"
|
||||||
|
"crypto/x509"
|
||||||
|
"fmt"
|
||||||
|
"math/rand"
|
||||||
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
gws "github.com/gorilla/websocket"
|
||||||
|
"github.com/rs/zerolog"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
"golang.org/x/net/websocket"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/hello"
|
||||||
|
"github.com/cloudflare/cloudflared/tlsconfig"
|
||||||
|
cfwebsocket "github.com/cloudflare/cloudflared/websocket"
|
||||||
|
)
|
||||||
|
|
||||||
|
func websocketClientTLSConfig(t *testing.T) *tls.Config {
|
||||||
|
certPool := x509.NewCertPool()
|
||||||
|
helloCert, err := tlsconfig.GetHelloCertificateX509()
|
||||||
|
assert.NoError(t, err)
|
||||||
|
certPool.AddCert(helloCert)
|
||||||
|
assert.NotNil(t, certPool)
|
||||||
|
return &tls.Config{RootCAs: certPool}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestWebsocketHeaders(t *testing.T) {
|
||||||
|
req := testRequest(t, "http://example.com", nil)
|
||||||
|
wsHeaders := websocketHeaders(req)
|
||||||
|
for _, header := range stripWebsocketHeaders {
|
||||||
|
assert.Empty(t, wsHeaders[header])
|
||||||
|
}
|
||||||
|
assert.Equal(t, "curl/7.59.0", wsHeaders.Get("User-Agent"))
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestServe(t *testing.T) {
|
||||||
|
log := zerolog.Nop()
|
||||||
|
shutdownC := make(chan struct{})
|
||||||
|
errC := make(chan error)
|
||||||
|
listener, err := hello.CreateTLSListener("localhost:1111")
|
||||||
|
assert.NoError(t, err)
|
||||||
|
defer listener.Close()
|
||||||
|
|
||||||
|
go func() {
|
||||||
|
errC <- hello.StartHelloWorldServer(&log, listener, shutdownC)
|
||||||
|
}()
|
||||||
|
|
||||||
|
req := testRequest(t, "https://localhost:1111/ws", nil)
|
||||||
|
|
||||||
|
tlsConfig := websocketClientTLSConfig(t)
|
||||||
|
assert.NotNil(t, tlsConfig)
|
||||||
|
d := gws.Dialer{TLSClientConfig: tlsConfig}
|
||||||
|
conn, resp, err := clientConnect(req, &d)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.Equal(t, "websocket", resp.Header.Get("Upgrade"))
|
||||||
|
|
||||||
|
for i := 0; i < 1000; i++ {
|
||||||
|
messageSize := rand.Int()%2048 + 1
|
||||||
|
clientMessage := make([]byte, messageSize)
|
||||||
|
// rand.Read always returns len(clientMessage) and a nil error
|
||||||
|
rand.Read(clientMessage)
|
||||||
|
err = conn.WriteMessage(websocket.BinaryFrame, clientMessage)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
messageType, message, err := conn.ReadMessage()
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.Equal(t, websocket.BinaryFrame, messageType)
|
||||||
|
assert.Equal(t, clientMessage, message)
|
||||||
|
}
|
||||||
|
|
||||||
|
_ = conn.Close()
|
||||||
|
close(shutdownC)
|
||||||
|
<-errC
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestWebsocketWrapper(t *testing.T) {
|
||||||
|
listener, err := hello.CreateTLSListener("localhost:0")
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
serverErrorChan := make(chan error)
|
||||||
|
helloSvrCtx, cancelHelloSvr := context.WithCancel(context.Background())
|
||||||
|
defer func() { <-serverErrorChan }()
|
||||||
|
defer cancelHelloSvr()
|
||||||
|
go func() {
|
||||||
|
log := zerolog.Nop()
|
||||||
|
serverErrorChan <- hello.StartHelloWorldServer(&log, listener, helloSvrCtx.Done())
|
||||||
|
}()
|
||||||
|
|
||||||
|
tlsConfig := websocketClientTLSConfig(t)
|
||||||
|
d := gws.Dialer{TLSClientConfig: tlsConfig, HandshakeTimeout: time.Minute}
|
||||||
|
testAddr := fmt.Sprintf("https://%s/ws", listener.Addr().String())
|
||||||
|
req := testRequest(t, testAddr, nil)
|
||||||
|
conn, resp, err := clientConnect(req, &d)
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.Equal(t, "websocket", resp.Header.Get("Upgrade"))
|
||||||
|
|
||||||
|
// Websocket now connected to test server so lets check our wrapper
|
||||||
|
wrapper := cfwebsocket.GorillaConn{Conn: conn}
|
||||||
|
buf := make([]byte, 100)
|
||||||
|
wrapper.Write([]byte("abc"))
|
||||||
|
n, err := wrapper.Read(buf)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, n, 3)
|
||||||
|
require.Equal(t, "abc", string(buf[:n]))
|
||||||
|
|
||||||
|
// Test partial read, read 1 of 3 bytes in one read and the other 2 in another read
|
||||||
|
wrapper.Write([]byte("abc"))
|
||||||
|
buf = buf[:1]
|
||||||
|
n, err = wrapper.Read(buf)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, n, 1)
|
||||||
|
require.Equal(t, "a", string(buf[:n]))
|
||||||
|
buf = buf[:cap(buf)]
|
||||||
|
n, err = wrapper.Read(buf)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, n, 2)
|
||||||
|
require.Equal(t, "bc", string(buf[:n]))
|
||||||
|
}
|
|
@ -0,0 +1,16 @@
|
||||||
|
apiVersion: backstage.io/v1alpha1
|
||||||
|
kind: Component
|
||||||
|
metadata:
|
||||||
|
name: cloudflared
|
||||||
|
description: Client for Cloudflare Tunnels
|
||||||
|
annotations:
|
||||||
|
backstage.io/source-location: url:https://bitbucket.cfdata.org/projects/TUN/repos/cloudflared/browse
|
||||||
|
cloudflare.com/software-excellence-opt-in: "true"
|
||||||
|
cloudflare.com/jira-project-key: "TUN"
|
||||||
|
cloudflare.com/jira-project-component: "Cloudflare Tunnel"
|
||||||
|
tags:
|
||||||
|
- internal
|
||||||
|
spec:
|
||||||
|
type: "service"
|
||||||
|
lifecycle: "Active"
|
||||||
|
owner: "teams/tunnel-teams-routing"
|
|
@ -1,94 +0,0 @@
|
||||||
package certutil
|
|
||||||
|
|
||||||
import (
|
|
||||||
"crypto/x509"
|
|
||||||
"encoding/json"
|
|
||||||
"encoding/pem"
|
|
||||||
"fmt"
|
|
||||||
"strings"
|
|
||||||
)
|
|
||||||
|
|
||||||
type namedTunnelToken struct {
|
|
||||||
ZoneID string `json:"zoneID"`
|
|
||||||
AccountID string `json:"accountID"`
|
|
||||||
ServiceKey string `json:"serviceKey"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type OriginCert struct {
|
|
||||||
PrivateKey interface{}
|
|
||||||
Cert *x509.Certificate
|
|
||||||
ZoneID string
|
|
||||||
ServiceKey string
|
|
||||||
AccountID string
|
|
||||||
}
|
|
||||||
|
|
||||||
func DecodeOriginCert(blocks []byte) (*OriginCert, error) {
|
|
||||||
if len(blocks) == 0 {
|
|
||||||
return nil, fmt.Errorf("Cannot decode empty certificate")
|
|
||||||
}
|
|
||||||
originCert := OriginCert{}
|
|
||||||
block, rest := pem.Decode(blocks)
|
|
||||||
for {
|
|
||||||
if block == nil {
|
|
||||||
break
|
|
||||||
}
|
|
||||||
switch block.Type {
|
|
||||||
case "PRIVATE KEY":
|
|
||||||
if originCert.PrivateKey != nil {
|
|
||||||
return nil, fmt.Errorf("Found multiple private key in the certificate")
|
|
||||||
}
|
|
||||||
// RSA private key
|
|
||||||
privateKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("Cannot parse private key")
|
|
||||||
}
|
|
||||||
originCert.PrivateKey = privateKey
|
|
||||||
case "CERTIFICATE":
|
|
||||||
if originCert.Cert != nil {
|
|
||||||
return nil, fmt.Errorf("Found multiple certificates in the certificate")
|
|
||||||
}
|
|
||||||
cert, err := x509.ParseCertificates(block.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("Cannot parse certificate")
|
|
||||||
} else if len(cert) > 1 {
|
|
||||||
return nil, fmt.Errorf("Found multiple certificates in the certificate")
|
|
||||||
}
|
|
||||||
originCert.Cert = cert[0]
|
|
||||||
case "WARP TOKEN", "ARGO TUNNEL TOKEN":
|
|
||||||
if originCert.ZoneID != "" || originCert.ServiceKey != "" {
|
|
||||||
return nil, fmt.Errorf("Found multiple tokens in the certificate")
|
|
||||||
}
|
|
||||||
// The token is a string,
|
|
||||||
// Try the newer JSON format
|
|
||||||
ntt := namedTunnelToken{}
|
|
||||||
if err := json.Unmarshal(block.Bytes, &ntt); err == nil {
|
|
||||||
originCert.ZoneID = ntt.ZoneID
|
|
||||||
originCert.ServiceKey = ntt.ServiceKey
|
|
||||||
originCert.AccountID = ntt.AccountID
|
|
||||||
} else {
|
|
||||||
// Try the older format, where the zoneID and service key are seperated by
|
|
||||||
// a new line character
|
|
||||||
token := string(block.Bytes)
|
|
||||||
s := strings.Split(token, "\n")
|
|
||||||
if len(s) != 2 {
|
|
||||||
return nil, fmt.Errorf("Cannot parse token")
|
|
||||||
}
|
|
||||||
originCert.ZoneID = s[0]
|
|
||||||
originCert.ServiceKey = s[1]
|
|
||||||
}
|
|
||||||
default:
|
|
||||||
return nil, fmt.Errorf("Unknown block %s in the certificate", block.Type)
|
|
||||||
}
|
|
||||||
block, rest = pem.Decode(rest)
|
|
||||||
}
|
|
||||||
|
|
||||||
if originCert.PrivateKey == nil {
|
|
||||||
return nil, fmt.Errorf("Missing private key in the certificate")
|
|
||||||
} else if originCert.Cert == nil {
|
|
||||||
return nil, fmt.Errorf("Missing certificate in the certificate")
|
|
||||||
} else if originCert.ZoneID == "" || originCert.ServiceKey == "" {
|
|
||||||
return nil, fmt.Errorf("Missing token in the certificate")
|
|
||||||
}
|
|
||||||
|
|
||||||
return &originCert, nil
|
|
||||||
}
|
|
|
@ -1,67 +0,0 @@
|
||||||
package certutil
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"io/ioutil"
|
|
||||||
"testing"
|
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestLoadOriginCert(t *testing.T) {
|
|
||||||
cert, err := DecodeOriginCert([]byte{})
|
|
||||||
assert.Equal(t, fmt.Errorf("Cannot decode empty certificate"), err)
|
|
||||||
assert.Nil(t, cert)
|
|
||||||
|
|
||||||
blocks, err := ioutil.ReadFile("test-cert-no-key.pem")
|
|
||||||
assert.Nil(t, err)
|
|
||||||
cert, err = DecodeOriginCert(blocks)
|
|
||||||
assert.Equal(t, fmt.Errorf("Missing private key in the certificate"), err)
|
|
||||||
assert.Nil(t, cert)
|
|
||||||
|
|
||||||
blocks, err = ioutil.ReadFile("test-cert-two-certificates.pem")
|
|
||||||
assert.Nil(t, err)
|
|
||||||
cert, err = DecodeOriginCert(blocks)
|
|
||||||
assert.Equal(t, fmt.Errorf("Found multiple certificates in the certificate"), err)
|
|
||||||
assert.Nil(t, cert)
|
|
||||||
|
|
||||||
blocks, err = ioutil.ReadFile("test-cert-unknown-block.pem")
|
|
||||||
assert.Nil(t, err)
|
|
||||||
cert, err = DecodeOriginCert(blocks)
|
|
||||||
assert.Equal(t, fmt.Errorf("Unknown block RSA PRIVATE KEY in the certificate"), err)
|
|
||||||
assert.Nil(t, cert)
|
|
||||||
|
|
||||||
blocks, err = ioutil.ReadFile("test-cert.pem")
|
|
||||||
assert.Nil(t, err)
|
|
||||||
cert, err = DecodeOriginCert(blocks)
|
|
||||||
assert.Nil(t, err)
|
|
||||||
assert.NotNil(t, cert)
|
|
||||||
assert.Equal(t, "7b0a4d77dfb881c1a3b7d61ea9443e19", cert.ZoneID)
|
|
||||||
key := "v1.0-58bd4f9e28f7b3c28e05a35ff3e80ab4fd9644ef3fece537eb0d12e2e9258217-183442fbb0bbdb3e571558fec9b5589ebd77aafc87498ee3f09f64a4ad79ffe8791edbae08b36c1d8f1d70a8670de56922dff92b15d214a524f4ebfa1958859e-7ce80f79921312a6022c5d25e2d380f82ceaefe3fbdc43dd13b080e3ef1e26f7"
|
|
||||||
assert.Equal(t, key, cert.ServiceKey)
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestNewlineArgoTunnelToken(t *testing.T) {
|
|
||||||
ArgoTunnelTokenTest(t, "test-argo-tunnel-cert.pem")
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestJSONArgoTunnelToken(t *testing.T) {
|
|
||||||
// The given cert's Argo Tunnel Token was generated by base64 encoding this JSON:
|
|
||||||
// {
|
|
||||||
// "zoneID": "7b0a4d77dfb881c1a3b7d61ea9443e19",
|
|
||||||
// "serviceKey": "test-service-key",
|
|
||||||
// "accountID": "abcdabcdabcdabcd1234567890abcdef"
|
|
||||||
// }
|
|
||||||
ArgoTunnelTokenTest(t, "test-argo-tunnel-cert-json.pem")
|
|
||||||
}
|
|
||||||
|
|
||||||
func ArgoTunnelTokenTest(t *testing.T, path string) {
|
|
||||||
blocks, err := ioutil.ReadFile(path)
|
|
||||||
assert.Nil(t, err)
|
|
||||||
cert, err := DecodeOriginCert(blocks)
|
|
||||||
assert.Nil(t, err)
|
|
||||||
assert.NotNil(t, cert)
|
|
||||||
assert.Equal(t, "7b0a4d77dfb881c1a3b7d61ea9443e19", cert.ZoneID)
|
|
||||||
key := "test-service-key"
|
|
||||||
assert.Equal(t, key, cert.ServiceKey)
|
|
||||||
}
|
|
|
@ -1,33 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
|
|
||||||
gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
|
|
||||||
VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
|
|
||||||
cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
|
|
||||||
YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
|
|
||||||
MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
|
|
||||||
ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
|
|
||||||
aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
|
|
||||||
GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
|
|
||||||
6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
|
|
||||||
tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
|
|
||||||
PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
|
|
||||||
AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
|
|
||||||
HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
|
|
||||||
VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
|
|
||||||
zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
|
|
||||||
RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
|
|
||||||
YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
|
|
||||||
YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
|
|
||||||
cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
|
|
||||||
K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
|
|
||||||
x+Yo/cL8fGfVpPt4UM8=
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
-----BEGIN WARP TOKEN-----
|
|
||||||
N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
|
|
||||||
ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
|
|
||||||
MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
|
|
||||||
NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
|
|
||||||
NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
|
|
||||||
OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
|
|
||||||
ZWYxZTI2Zjc=
|
|
||||||
-----END WARP TOKEN-----
|
|
|
@ -1,85 +0,0 @@
|
||||||
-----BEGIN PRIVATE KEY-----
|
|
||||||
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
|
|
||||||
sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
|
|
||||||
1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
|
|
||||||
z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
|
|
||||||
6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
|
|
||||||
x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
|
|
||||||
1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
|
|
||||||
IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
|
|
||||||
xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
|
|
||||||
sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
|
|
||||||
2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
|
|
||||||
sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
|
|
||||||
Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
|
|
||||||
AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
|
|
||||||
m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
|
|
||||||
QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
|
|
||||||
P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
|
|
||||||
pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
|
|
||||||
G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
|
|
||||||
6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
|
|
||||||
LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
|
|
||||||
OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
|
|
||||||
W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
|
|
||||||
M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
|
|
||||||
y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
|
|
||||||
uQicoQq3yzeQh20wtrtaXzTNmA==
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
|
|
||||||
gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
|
|
||||||
VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
|
|
||||||
cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
|
|
||||||
YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
|
|
||||||
MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
|
|
||||||
ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
|
|
||||||
aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
|
|
||||||
GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
|
|
||||||
6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
|
|
||||||
tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
|
|
||||||
PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
|
|
||||||
AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
|
|
||||||
HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
|
|
||||||
VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
|
|
||||||
zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
|
|
||||||
RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
|
|
||||||
YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
|
|
||||||
YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
|
|
||||||
cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
|
|
||||||
K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
|
|
||||||
x+Yo/cL8fGfVpPt4UM8=
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
|
|
||||||
gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
|
|
||||||
VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
|
|
||||||
cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
|
|
||||||
YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
|
|
||||||
MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
|
|
||||||
ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
|
|
||||||
aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
|
|
||||||
GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
|
|
||||||
6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
|
|
||||||
tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
|
|
||||||
PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
|
|
||||||
AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
|
|
||||||
HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
|
|
||||||
VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
|
|
||||||
zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
|
|
||||||
RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
|
|
||||||
YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
|
|
||||||
YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
|
|
||||||
cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
|
|
||||||
K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
|
|
||||||
x+Yo/cL8fGfVpPt4UM8=
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
-----BEGIN WARP TOKEN-----
|
|
||||||
N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
|
|
||||||
ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
|
|
||||||
MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
|
|
||||||
NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
|
|
||||||
NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
|
|
||||||
OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
|
|
||||||
ZWYxZTI2Zjc=
|
|
||||||
-----END WARP TOKEN-----
|
|
|
@ -1,61 +0,0 @@
|
||||||
-----BEGIN PRIVATE KEY-----
|
|
||||||
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
|
|
||||||
sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
|
|
||||||
1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
|
|
||||||
z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
|
|
||||||
6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
|
|
||||||
x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
|
|
||||||
1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
|
|
||||||
IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
|
|
||||||
xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
|
|
||||||
sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
|
|
||||||
2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
|
|
||||||
sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
|
|
||||||
Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
|
|
||||||
AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
|
|
||||||
m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
|
|
||||||
QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
|
|
||||||
P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
|
|
||||||
pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
|
|
||||||
G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
|
|
||||||
6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
|
|
||||||
LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
|
|
||||||
OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
|
|
||||||
W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
|
|
||||||
M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
|
|
||||||
y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
|
|
||||||
uQicoQq3yzeQh20wtrtaXzTNmA==
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
|
|
||||||
gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
|
|
||||||
VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
|
|
||||||
cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
|
|
||||||
YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
|
|
||||||
MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
|
|
||||||
ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
|
|
||||||
aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
|
|
||||||
GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
|
|
||||||
6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
|
|
||||||
tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
|
|
||||||
PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
|
|
||||||
AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
|
|
||||||
HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
|
|
||||||
VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
|
|
||||||
zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
|
|
||||||
RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
|
|
||||||
YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
|
|
||||||
YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
|
|
||||||
cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
|
|
||||||
K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
|
|
||||||
x+Yo/cL8fGfVpPt4UM8=
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
-----BEGIN WARP TOKEN-----
|
|
||||||
N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
|
|
||||||
ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
|
|
||||||
MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
|
|
||||||
NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
|
|
||||||
NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
|
|
||||||
OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
|
|
||||||
ZWYxZTI2Zjc=
|
|
||||||
-----END WARP TOKEN-----
|
|
|
@ -0,0 +1,247 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
"github.com/rs/zerolog"
|
||||||
|
"golang.org/x/net/http2"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
defaultTimeout = 15 * time.Second
|
||||||
|
jsonContentType = "application/json"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
ErrUnauthorized = errors.New("unauthorized")
|
||||||
|
ErrBadRequest = errors.New("incorrect request parameters")
|
||||||
|
ErrNotFound = errors.New("not found")
|
||||||
|
ErrAPINoSuccess = errors.New("API call failed")
|
||||||
|
)
|
||||||
|
|
||||||
|
type RESTClient struct {
|
||||||
|
baseEndpoints *baseEndpoints
|
||||||
|
authToken string
|
||||||
|
userAgent string
|
||||||
|
client http.Client
|
||||||
|
log *zerolog.Logger
|
||||||
|
}
|
||||||
|
|
||||||
|
type baseEndpoints struct {
|
||||||
|
accountLevel url.URL
|
||||||
|
zoneLevel url.URL
|
||||||
|
accountRoutes url.URL
|
||||||
|
accountVnets url.URL
|
||||||
|
}
|
||||||
|
|
||||||
|
var _ Client = (*RESTClient)(nil)
|
||||||
|
|
||||||
|
func NewRESTClient(baseURL, accountTag, zoneTag, authToken, userAgent string, log *zerolog.Logger) (*RESTClient, error) {
|
||||||
|
if strings.HasSuffix(baseURL, "/") {
|
||||||
|
baseURL = baseURL[:len(baseURL)-1]
|
||||||
|
}
|
||||||
|
accountLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/cfd_tunnel", baseURL, accountTag))
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "failed to create account level endpoint")
|
||||||
|
}
|
||||||
|
accountRoutesEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/teamnet/routes", baseURL, accountTag))
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "failed to create route account-level endpoint")
|
||||||
|
}
|
||||||
|
accountVnetsEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/teamnet/virtual_networks", baseURL, accountTag))
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "failed to create virtual network account-level endpoint")
|
||||||
|
}
|
||||||
|
zoneLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/zones/%s/tunnels", baseURL, zoneTag))
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "failed to create account level endpoint")
|
||||||
|
}
|
||||||
|
httpTransport := http.Transport{
|
||||||
|
TLSHandshakeTimeout: defaultTimeout,
|
||||||
|
ResponseHeaderTimeout: defaultTimeout,
|
||||||
|
}
|
||||||
|
http2.ConfigureTransport(&httpTransport)
|
||||||
|
return &RESTClient{
|
||||||
|
baseEndpoints: &baseEndpoints{
|
||||||
|
accountLevel: *accountLevelEndpoint,
|
||||||
|
zoneLevel: *zoneLevelEndpoint,
|
||||||
|
accountRoutes: *accountRoutesEndpoint,
|
||||||
|
accountVnets: *accountVnetsEndpoint,
|
||||||
|
},
|
||||||
|
authToken: authToken,
|
||||||
|
userAgent: userAgent,
|
||||||
|
client: http.Client{
|
||||||
|
Transport: &httpTransport,
|
||||||
|
Timeout: defaultTimeout,
|
||||||
|
},
|
||||||
|
log: log,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) sendRequest(method string, url url.URL, body interface{}) (*http.Response, error) {
|
||||||
|
var bodyReader io.Reader
|
||||||
|
if body != nil {
|
||||||
|
if bodyBytes, err := json.Marshal(body); err != nil {
|
||||||
|
return nil, errors.Wrap(err, "failed to serialize json body")
|
||||||
|
} else {
|
||||||
|
bodyReader = bytes.NewBuffer(bodyBytes)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
req, err := http.NewRequest(method, url.String(), bodyReader)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrapf(err, "can't create %s request", method)
|
||||||
|
}
|
||||||
|
req.Header.Set("User-Agent", r.userAgent)
|
||||||
|
if bodyReader != nil {
|
||||||
|
req.Header.Set("Content-Type", jsonContentType)
|
||||||
|
}
|
||||||
|
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", r.authToken))
|
||||||
|
req.Header.Add("Accept", "application/json;version=1")
|
||||||
|
return r.client.Do(req)
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseResponseEnvelope(reader io.Reader) (*response, error) {
|
||||||
|
// Schema for Tunnelstore responses in the v1 API.
|
||||||
|
// Roughly, it's a wrapper around a particular result that adds failures/errors/etc
|
||||||
|
var result response
|
||||||
|
// First, parse the wrapper and check the API call succeeded
|
||||||
|
if err := json.NewDecoder(reader).Decode(&result); err != nil {
|
||||||
|
return nil, errors.Wrap(err, "failed to decode response")
|
||||||
|
}
|
||||||
|
if err := result.checkErrors(); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if !result.Success {
|
||||||
|
return nil, ErrAPINoSuccess
|
||||||
|
}
|
||||||
|
|
||||||
|
return &result, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseResponse(reader io.Reader, data interface{}) error {
|
||||||
|
result, err := parseResponseEnvelope(reader)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return parseResponseBody(result, data)
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseResponseBody(result *response, data interface{}) error {
|
||||||
|
// At this point we know the API call succeeded, so, parse out the inner
|
||||||
|
// result into the datatype provided as a parameter.
|
||||||
|
if err := json.Unmarshal(result.Result, &data); err != nil {
|
||||||
|
return errors.Wrap(err, "the Cloudflare API response was an unexpected type")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func fetchExhaustively[T any](requestFn func(int) (*http.Response, error)) ([]*T, error) {
|
||||||
|
page := 0
|
||||||
|
var fullResponse []*T
|
||||||
|
|
||||||
|
for {
|
||||||
|
page += 1
|
||||||
|
envelope, parsedBody, err := fetchPage[T](requestFn, page)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, fmt.Sprintf("Error Parsing page %d", page))
|
||||||
|
}
|
||||||
|
|
||||||
|
fullResponse = append(fullResponse, parsedBody...)
|
||||||
|
if envelope.Pagination.Count < envelope.Pagination.PerPage || len(fullResponse) >= envelope.Pagination.TotalCount {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
return fullResponse, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func fetchPage[T any](requestFn func(int) (*http.Response, error), page int) (*response, []*T, error) {
|
||||||
|
pageResp, err := requestFn(page)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer pageResp.Body.Close()
|
||||||
|
if pageResp.StatusCode == http.StatusOK {
|
||||||
|
envelope, err := parseResponseEnvelope(pageResp.Body)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
var parsedRspBody []*T
|
||||||
|
return envelope, parsedRspBody, parseResponseBody(envelope, &parsedRspBody)
|
||||||
|
|
||||||
|
}
|
||||||
|
return nil, nil, errors.New(fmt.Sprintf("Failed to fetch page. Server returned: %d", pageResp.StatusCode))
|
||||||
|
}
|
||||||
|
|
||||||
|
type response struct {
|
||||||
|
Success bool `json:"success,omitempty"`
|
||||||
|
Errors []apiErr `json:"errors,omitempty"`
|
||||||
|
Messages []string `json:"messages,omitempty"`
|
||||||
|
Result json.RawMessage `json:"result,omitempty"`
|
||||||
|
Pagination Pagination `json:"result_info,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type Pagination struct {
|
||||||
|
Count int `json:"count,omitempty"`
|
||||||
|
Page int `json:"page,omitempty"`
|
||||||
|
PerPage int `json:"per_page,omitempty"`
|
||||||
|
TotalCount int `json:"total_count,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *response) checkErrors() error {
|
||||||
|
if len(r.Errors) == 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
if len(r.Errors) == 1 {
|
||||||
|
return r.Errors[0]
|
||||||
|
}
|
||||||
|
var messages string
|
||||||
|
for _, e := range r.Errors {
|
||||||
|
messages += fmt.Sprintf("%s; ", e)
|
||||||
|
}
|
||||||
|
return fmt.Errorf("API errors: %s", messages)
|
||||||
|
}
|
||||||
|
|
||||||
|
type apiErr struct {
|
||||||
|
Code json.Number `json:"code,omitempty"`
|
||||||
|
Message string `json:"message,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e apiErr) Error() string {
|
||||||
|
return fmt.Sprintf("code: %v, reason: %s", e.Code, e.Message)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) statusCodeToError(op string, resp *http.Response) error {
|
||||||
|
if resp.Header.Get("Content-Type") == "application/json" {
|
||||||
|
var errorsResp response
|
||||||
|
if json.NewDecoder(resp.Body).Decode(&errorsResp) == nil {
|
||||||
|
if err := errorsResp.checkErrors(); err != nil {
|
||||||
|
return errors.Errorf("Failed to %s: %s", op, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
switch resp.StatusCode {
|
||||||
|
case http.StatusOK:
|
||||||
|
return nil
|
||||||
|
case http.StatusBadRequest:
|
||||||
|
return ErrBadRequest
|
||||||
|
case http.StatusUnauthorized, http.StatusForbidden:
|
||||||
|
return ErrUnauthorized
|
||||||
|
case http.StatusNotFound:
|
||||||
|
return ErrNotFound
|
||||||
|
}
|
||||||
|
return errors.Errorf("API call to %s failed with status %d: %s", op,
|
||||||
|
resp.StatusCode, http.StatusText(resp.StatusCode))
|
||||||
|
}
|
|
@ -0,0 +1,41 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/google/uuid"
|
||||||
|
)
|
||||||
|
|
||||||
|
type TunnelClient interface {
|
||||||
|
CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error)
|
||||||
|
GetTunnel(tunnelID uuid.UUID) (*Tunnel, error)
|
||||||
|
GetTunnelToken(tunnelID uuid.UUID) (string, error)
|
||||||
|
GetManagementToken(tunnelID uuid.UUID) (string, error)
|
||||||
|
DeleteTunnel(tunnelID uuid.UUID, cascade bool) error
|
||||||
|
ListTunnels(filter *TunnelFilter) ([]*Tunnel, error)
|
||||||
|
ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error)
|
||||||
|
CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error
|
||||||
|
}
|
||||||
|
|
||||||
|
type HostnameClient interface {
|
||||||
|
RouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
type IPRouteClient interface {
|
||||||
|
ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error)
|
||||||
|
AddRoute(newRoute NewRoute) (Route, error)
|
||||||
|
DeleteRoute(id uuid.UUID) error
|
||||||
|
GetByIP(params GetRouteByIpParams) (DetailedRoute, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
type VnetClient interface {
|
||||||
|
CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error)
|
||||||
|
ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error)
|
||||||
|
DeleteVirtualNetwork(id uuid.UUID, force bool) error
|
||||||
|
UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error
|
||||||
|
}
|
||||||
|
|
||||||
|
type Client interface {
|
||||||
|
TunnelClient
|
||||||
|
HostnameClient
|
||||||
|
IPRouteClient
|
||||||
|
VnetClient
|
||||||
|
}
|
|
@ -0,0 +1,192 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net/http"
|
||||||
|
"path"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
type Change = string
|
||||||
|
|
||||||
|
const (
|
||||||
|
ChangeNew = "new"
|
||||||
|
ChangeUpdated = "updated"
|
||||||
|
ChangeUnchanged = "unchanged"
|
||||||
|
)
|
||||||
|
|
||||||
|
// HostnameRoute represents a record type that can route to a tunnel
|
||||||
|
type HostnameRoute interface {
|
||||||
|
json.Marshaler
|
||||||
|
RecordType() string
|
||||||
|
UnmarshalResult(body io.Reader) (HostnameRouteResult, error)
|
||||||
|
String() string
|
||||||
|
}
|
||||||
|
|
||||||
|
type HostnameRouteResult interface {
|
||||||
|
// SuccessSummary explains what will route to this tunnel when it's provisioned successfully
|
||||||
|
SuccessSummary() string
|
||||||
|
}
|
||||||
|
|
||||||
|
type DNSRoute struct {
|
||||||
|
userHostname string
|
||||||
|
overwriteExisting bool
|
||||||
|
}
|
||||||
|
|
||||||
|
type DNSRouteResult struct {
|
||||||
|
route *DNSRoute
|
||||||
|
CName Change `json:"cname"`
|
||||||
|
Name string `json:"name"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewDNSRoute(userHostname string, overwriteExisting bool) HostnameRoute {
|
||||||
|
return &DNSRoute{
|
||||||
|
userHostname: userHostname,
|
||||||
|
overwriteExisting: overwriteExisting,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (dr *DNSRoute) MarshalJSON() ([]byte, error) {
|
||||||
|
s := struct {
|
||||||
|
Type string `json:"type"`
|
||||||
|
UserHostname string `json:"user_hostname"`
|
||||||
|
OverwriteExisting bool `json:"overwrite_existing"`
|
||||||
|
}{
|
||||||
|
Type: dr.RecordType(),
|
||||||
|
UserHostname: dr.userHostname,
|
||||||
|
OverwriteExisting: dr.overwriteExisting,
|
||||||
|
}
|
||||||
|
return json.Marshal(&s)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (dr *DNSRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {
|
||||||
|
var result DNSRouteResult
|
||||||
|
err := parseResponse(body, &result)
|
||||||
|
result.route = dr
|
||||||
|
return &result, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (dr *DNSRoute) RecordType() string {
|
||||||
|
return "dns"
|
||||||
|
}
|
||||||
|
|
||||||
|
func (dr *DNSRoute) String() string {
|
||||||
|
return fmt.Sprintf("%s %s", dr.RecordType(), dr.userHostname)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (res *DNSRouteResult) SuccessSummary() string {
|
||||||
|
var msgFmt string
|
||||||
|
switch res.CName {
|
||||||
|
case ChangeNew:
|
||||||
|
msgFmt = "Added CNAME %s which will route to this tunnel"
|
||||||
|
case ChangeUpdated: // this is not currently returned by tunnelsore
|
||||||
|
msgFmt = "%s updated to route to your tunnel"
|
||||||
|
case ChangeUnchanged:
|
||||||
|
msgFmt = "%s is already configured to route to your tunnel"
|
||||||
|
}
|
||||||
|
return fmt.Sprintf(msgFmt, res.hostname())
|
||||||
|
}
|
||||||
|
|
||||||
|
// hostname yields the resulting name for the DNS route; if that is not available from Cloudflare API, then the
|
||||||
|
// requested name is returned instead (should not be the common path, it is just a fall-back).
|
||||||
|
func (res *DNSRouteResult) hostname() string {
|
||||||
|
if res.Name != "" {
|
||||||
|
return res.Name
|
||||||
|
}
|
||||||
|
return res.route.userHostname
|
||||||
|
}
|
||||||
|
|
||||||
|
type LBRoute struct {
|
||||||
|
lbName string
|
||||||
|
lbPool string
|
||||||
|
}
|
||||||
|
|
||||||
|
type LBRouteResult struct {
|
||||||
|
route *LBRoute
|
||||||
|
LoadBalancer Change `json:"load_balancer"`
|
||||||
|
Pool Change `json:"pool"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewLBRoute(lbName, lbPool string) HostnameRoute {
|
||||||
|
return &LBRoute{
|
||||||
|
lbName: lbName,
|
||||||
|
lbPool: lbPool,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (lr *LBRoute) MarshalJSON() ([]byte, error) {
|
||||||
|
s := struct {
|
||||||
|
Type string `json:"type"`
|
||||||
|
LBName string `json:"lb_name"`
|
||||||
|
LBPool string `json:"lb_pool"`
|
||||||
|
}{
|
||||||
|
Type: lr.RecordType(),
|
||||||
|
LBName: lr.lbName,
|
||||||
|
LBPool: lr.lbPool,
|
||||||
|
}
|
||||||
|
return json.Marshal(&s)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (lr *LBRoute) RecordType() string {
|
||||||
|
return "lb"
|
||||||
|
}
|
||||||
|
|
||||||
|
func (lb *LBRoute) String() string {
|
||||||
|
return fmt.Sprintf("%s %s %s", lb.RecordType(), lb.lbName, lb.lbPool)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (lr *LBRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {
|
||||||
|
var result LBRouteResult
|
||||||
|
err := parseResponse(body, &result)
|
||||||
|
result.route = lr
|
||||||
|
return &result, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (res *LBRouteResult) SuccessSummary() string {
|
||||||
|
var msg string
|
||||||
|
switch res.LoadBalancer + "," + res.Pool {
|
||||||
|
case "new,new":
|
||||||
|
msg = "Created load balancer %s and added a new pool %s with this tunnel as an origin"
|
||||||
|
case "new,updated":
|
||||||
|
msg = "Created load balancer %s with an existing pool %s which was updated to use this tunnel as an origin"
|
||||||
|
case "new,unchanged":
|
||||||
|
msg = "Created load balancer %s with an existing pool %s which already has this tunnel as an origin"
|
||||||
|
case "updated,new":
|
||||||
|
msg = "Added new pool %[2]s with this tunnel as an origin to load balancer %[1]s"
|
||||||
|
case "updated,updated":
|
||||||
|
msg = "Updated pool %[2]s to use this tunnel as an origin and added it to load balancer %[1]s"
|
||||||
|
case "updated,unchanged":
|
||||||
|
msg = "Added pool %[2]s, which already has this tunnel as an origin, to load balancer %[1]s"
|
||||||
|
case "unchanged,updated":
|
||||||
|
msg = "Added this tunnel as an origin in pool %[2]s which is already used by load balancer %[1]s"
|
||||||
|
case "unchanged,unchanged":
|
||||||
|
msg = "Load balancer %s already uses pool %s which has this tunnel as an origin"
|
||||||
|
case "unchanged,new":
|
||||||
|
// this state is not possible
|
||||||
|
fallthrough
|
||||||
|
default:
|
||||||
|
msg = "Something went wrong: failed to modify load balancer %s with pool %s; please check traffic manager configuration in the dashboard"
|
||||||
|
}
|
||||||
|
|
||||||
|
return fmt.Sprintf(msg, res.route.lbName, res.route.lbPool)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) RouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error) {
|
||||||
|
endpoint := r.baseEndpoints.zoneLevel
|
||||||
|
endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/routes", tunnelID))
|
||||||
|
resp, err := r.sendRequest("PUT", endpoint, route)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
return route.UnmarshalResult(resp.Body)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, r.statusCodeToError("add route", resp)
|
||||||
|
}
|
|
@ -1,16 +1,9 @@
|
||||||
package tunnelstore
|
package cfapi
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
|
||||||
"fmt"
|
|
||||||
"io"
|
|
||||||
"io/ioutil"
|
|
||||||
"reflect"
|
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/google/uuid"
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -104,104 +97,3 @@ func TestLBRouteResultSuccessSummary(t *testing.T) {
|
||||||
assert.Equal(t, tt.expected, actual, "case %d", i+1)
|
assert.Equal(t, tt.expected, actual, "case %d", i+1)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func Test_parseListTunnels(t *testing.T) {
|
|
||||||
type args struct {
|
|
||||||
body string
|
|
||||||
}
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args args
|
|
||||||
want []*Tunnel
|
|
||||||
wantErr bool
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "empty list",
|
|
||||||
args: args{body: `{"success": true, "result": []}`},
|
|
||||||
want: []*Tunnel{},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "success is false",
|
|
||||||
args: args{body: `{"success": false, "result": []}`},
|
|
||||||
wantErr: true,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "errors are present",
|
|
||||||
args: args{body: `{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": []}`},
|
|
||||||
wantErr: true,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "invalid response",
|
|
||||||
args: args{body: `abc`},
|
|
||||||
wantErr: true,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
body := ioutil.NopCloser(bytes.NewReader([]byte(tt.args.body)))
|
|
||||||
got, err := parseListTunnels(body)
|
|
||||||
if (err != nil) != tt.wantErr {
|
|
||||||
t.Errorf("parseListTunnels() error = %v, wantErr %v", err, tt.wantErr)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if !reflect.DeepEqual(got, tt.want) {
|
|
||||||
t.Errorf("parseListTunnels() = %v, want %v", got, tt.want)
|
|
||||||
}
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func Test_unmarshalTunnel(t *testing.T) {
|
|
||||||
type args struct {
|
|
||||||
reader io.Reader
|
|
||||||
}
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args args
|
|
||||||
want *Tunnel
|
|
||||||
wantErr bool
|
|
||||||
}{
|
|
||||||
// TODO: Add test cases.
|
|
||||||
}
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
got, err := unmarshalTunnel(tt.args.reader)
|
|
||||||
if (err != nil) != tt.wantErr {
|
|
||||||
t.Errorf("unmarshalTunnel() error = %v, wantErr %v", err, tt.wantErr)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if !reflect.DeepEqual(got, tt.want) {
|
|
||||||
t.Errorf("unmarshalTunnel() = %v, want %v", got, tt.want)
|
|
||||||
}
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestUnmarshalTunnelOk(t *testing.T) {
|
|
||||||
|
|
||||||
jsonBody := `{"success": true, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}`
|
|
||||||
expected := Tunnel{
|
|
||||||
ID: uuid.Nil,
|
|
||||||
Name: "test",
|
|
||||||
CreatedAt: time.Time{},
|
|
||||||
Connections: []Connection{},
|
|
||||||
}
|
|
||||||
actual, err := unmarshalTunnel(bytes.NewReader([]byte(jsonBody)))
|
|
||||||
assert.NoError(t, err)
|
|
||||||
assert.Equal(t, &expected, actual)
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestUnmarshalTunnelErr(t *testing.T) {
|
|
||||||
|
|
||||||
tests := []string{
|
|
||||||
`abc`,
|
|
||||||
`{"success": true, "result": abc}`,
|
|
||||||
`{"success": false, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
|
|
||||||
`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
|
|
||||||
}
|
|
||||||
|
|
||||||
for i, test := range tests {
|
|
||||||
_, err := unmarshalTunnel(bytes.NewReader([]byte(test)))
|
|
||||||
assert.Error(t, err, fmt.Sprintf("Test #%v failed", i))
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -0,0 +1,235 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net"
|
||||||
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"path"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Route is a mapping from customer's IP space to a tunnel.
|
||||||
|
// Each route allows the customer to route eyeballs in their corporate network
|
||||||
|
// to certain private IP ranges. Each Route represents an IP range in their
|
||||||
|
// network, and says that eyeballs can reach that route using the corresponding
|
||||||
|
// tunnel.
|
||||||
|
type Route struct {
|
||||||
|
Network CIDR `json:"network"`
|
||||||
|
TunnelID uuid.UUID `json:"tunnel_id"`
|
||||||
|
// Optional field. When unset, it means the Route belongs to the default virtual network.
|
||||||
|
VNetID *uuid.UUID `json:"virtual_network_id,omitempty"`
|
||||||
|
Comment string `json:"comment"`
|
||||||
|
CreatedAt time.Time `json:"created_at"`
|
||||||
|
DeletedAt time.Time `json:"deleted_at"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// CIDR is just a newtype wrapper around net.IPNet. It adds JSON unmarshalling.
|
||||||
|
type CIDR net.IPNet
|
||||||
|
|
||||||
|
func (c CIDR) String() string {
|
||||||
|
n := net.IPNet(c)
|
||||||
|
return n.String()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c CIDR) MarshalJSON() ([]byte, error) {
|
||||||
|
str := c.String()
|
||||||
|
json, err := json.Marshal(str)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "error serializing CIDR into JSON")
|
||||||
|
}
|
||||||
|
return json, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// UnmarshalJSON parses a JSON string into net.IPNet
|
||||||
|
func (c *CIDR) UnmarshalJSON(data []byte) error {
|
||||||
|
var s string
|
||||||
|
if err := json.Unmarshal(data, &s); err != nil {
|
||||||
|
return errors.Wrap(err, "error parsing cidr string")
|
||||||
|
}
|
||||||
|
_, network, err := net.ParseCIDR(s)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "error parsing invalid network from backend")
|
||||||
|
}
|
||||||
|
if network == nil {
|
||||||
|
return fmt.Errorf("backend returned invalid network %s", s)
|
||||||
|
}
|
||||||
|
*c = CIDR(*network)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewRoute has all the parameters necessary to add a new route to the table.
|
||||||
|
type NewRoute struct {
|
||||||
|
Network net.IPNet
|
||||||
|
TunnelID uuid.UUID
|
||||||
|
Comment string
|
||||||
|
// Optional field. If unset, backend will assume the default vnet for the account.
|
||||||
|
VNetID *uuid.UUID
|
||||||
|
}
|
||||||
|
|
||||||
|
// MarshalJSON handles fields with non-JSON types (e.g. net.IPNet).
|
||||||
|
func (r NewRoute) MarshalJSON() ([]byte, error) {
|
||||||
|
return json.Marshal(&struct {
|
||||||
|
Network string `json:"network"`
|
||||||
|
TunnelID uuid.UUID `json:"tunnel_id"`
|
||||||
|
Comment string `json:"comment"`
|
||||||
|
VNetID *uuid.UUID `json:"virtual_network_id,omitempty"`
|
||||||
|
}{
|
||||||
|
Network: r.Network.String(),
|
||||||
|
TunnelID: r.TunnelID,
|
||||||
|
Comment: r.Comment,
|
||||||
|
VNetID: r.VNetID,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// DetailedRoute is just a Route with some extra fields, e.g. TunnelName.
|
||||||
|
type DetailedRoute struct {
|
||||||
|
ID uuid.UUID `json:"id"`
|
||||||
|
Network CIDR `json:"network"`
|
||||||
|
TunnelID uuid.UUID `json:"tunnel_id"`
|
||||||
|
// Optional field. When unset, it means the DetailedRoute belongs to the default virtual network.
|
||||||
|
VNetID *uuid.UUID `json:"virtual_network_id,omitempty"`
|
||||||
|
Comment string `json:"comment"`
|
||||||
|
CreatedAt time.Time `json:"created_at"`
|
||||||
|
DeletedAt time.Time `json:"deleted_at"`
|
||||||
|
TunnelName string `json:"tunnel_name"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// IsZero checks if DetailedRoute is the zero value.
|
||||||
|
func (r *DetailedRoute) IsZero() bool {
|
||||||
|
return r.TunnelID == uuid.Nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// TableString outputs a table row summarizing the route, to be used
|
||||||
|
// when showing the user their routing table.
|
||||||
|
func (r DetailedRoute) TableString() string {
|
||||||
|
deletedColumn := "-"
|
||||||
|
if !r.DeletedAt.IsZero() {
|
||||||
|
deletedColumn = r.DeletedAt.Format(time.RFC3339)
|
||||||
|
}
|
||||||
|
vnetColumn := "default"
|
||||||
|
if r.VNetID != nil {
|
||||||
|
vnetColumn = r.VNetID.String()
|
||||||
|
}
|
||||||
|
|
||||||
|
return fmt.Sprintf(
|
||||||
|
"%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t",
|
||||||
|
r.ID,
|
||||||
|
r.Network.String(),
|
||||||
|
vnetColumn,
|
||||||
|
r.Comment,
|
||||||
|
r.TunnelID,
|
||||||
|
r.TunnelName,
|
||||||
|
r.CreatedAt.Format(time.RFC3339),
|
||||||
|
deletedColumn,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
type GetRouteByIpParams struct {
|
||||||
|
Ip net.IP
|
||||||
|
// Optional field. If unset, backend will assume the default vnet for the account.
|
||||||
|
VNetID *uuid.UUID
|
||||||
|
}
|
||||||
|
|
||||||
|
// ListRoutes calls the Tunnelstore GET endpoint for all routes under an account.
|
||||||
|
// Due to pagination on the server side it will call the endpoint multiple times if needed.
|
||||||
|
func (r *RESTClient) ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error) {
|
||||||
|
fetchFn := func(page int) (*http.Response, error) {
|
||||||
|
endpoint := r.baseEndpoints.accountRoutes
|
||||||
|
filter.Page(page)
|
||||||
|
endpoint.RawQuery = filter.Encode()
|
||||||
|
rsp, err := r.sendRequest("GET", endpoint, nil)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
if rsp.StatusCode != http.StatusOK {
|
||||||
|
rsp.Body.Close()
|
||||||
|
return nil, r.statusCodeToError("list routes", rsp)
|
||||||
|
}
|
||||||
|
return rsp, nil
|
||||||
|
}
|
||||||
|
return fetchExhaustively[DetailedRoute](fetchFn)
|
||||||
|
}
|
||||||
|
|
||||||
|
// AddRoute calls the Tunnelstore POST endpoint for a given route.
|
||||||
|
func (r *RESTClient) AddRoute(newRoute NewRoute) (Route, error) {
|
||||||
|
endpoint := r.baseEndpoints.accountRoutes
|
||||||
|
endpoint.Path = path.Join(endpoint.Path)
|
||||||
|
resp, err := r.sendRequest("POST", endpoint, newRoute)
|
||||||
|
if err != nil {
|
||||||
|
return Route{}, errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
return parseRoute(resp.Body)
|
||||||
|
}
|
||||||
|
|
||||||
|
return Route{}, r.statusCodeToError("add route", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeleteRoute calls the Tunnelstore DELETE endpoint for a given route.
|
||||||
|
func (r *RESTClient) DeleteRoute(id uuid.UUID) error {
|
||||||
|
endpoint := r.baseEndpoints.accountRoutes
|
||||||
|
endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
|
||||||
|
|
||||||
|
resp, err := r.sendRequest("DELETE", endpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
_, err := parseRoute(resp.Body)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return r.statusCodeToError("delete route", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetByIP checks which route will proxy a given IP.
|
||||||
|
func (r *RESTClient) GetByIP(params GetRouteByIpParams) (DetailedRoute, error) {
|
||||||
|
endpoint := r.baseEndpoints.accountRoutes
|
||||||
|
endpoint.Path = path.Join(endpoint.Path, "ip", url.PathEscape(params.Ip.String()))
|
||||||
|
setVnetParam(&endpoint, params.VNetID)
|
||||||
|
|
||||||
|
resp, err := r.sendRequest("GET", endpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return DetailedRoute{}, errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
return parseDetailedRoute(resp.Body)
|
||||||
|
}
|
||||||
|
|
||||||
|
return DetailedRoute{}, r.statusCodeToError("get route by IP", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseRoute(body io.ReadCloser) (Route, error) {
|
||||||
|
var route Route
|
||||||
|
err := parseResponse(body, &route)
|
||||||
|
return route, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseDetailedRoute(body io.ReadCloser) (DetailedRoute, error) {
|
||||||
|
var route DetailedRoute
|
||||||
|
err := parseResponse(body, &route)
|
||||||
|
return route, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// setVnetParam overwrites the URL's query parameters with a query param to scope the HostnameRoute action to a certain
|
||||||
|
// virtual network (if one is provided).
|
||||||
|
func setVnetParam(endpoint *url.URL, vnetID *uuid.UUID) {
|
||||||
|
queryParams := url.Values{}
|
||||||
|
if vnetID != nil {
|
||||||
|
queryParams.Set("virtual_network_id", vnetID.String())
|
||||||
|
}
|
||||||
|
endpoint.RawQuery = queryParams.Encode()
|
||||||
|
}
|
|
@ -0,0 +1,176 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net"
|
||||||
|
"net/url"
|
||||||
|
"strconv"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
"github.com/urfave/cli/v2"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
filterIpRouteDeleted = cli.BoolFlag{
|
||||||
|
Name: "filter-is-deleted",
|
||||||
|
Usage: "If false (default), only show non-deleted routes. If true, only show deleted routes.",
|
||||||
|
}
|
||||||
|
filterIpRouteTunnelID = cli.StringFlag{
|
||||||
|
Name: "filter-tunnel-id",
|
||||||
|
Usage: "Show only routes with the given tunnel ID.",
|
||||||
|
}
|
||||||
|
filterSubsetIpRoute = cli.StringFlag{
|
||||||
|
Name: "filter-network-is-subset-of",
|
||||||
|
Aliases: []string{"nsub"},
|
||||||
|
Usage: "Show only routes whose network is a subset of the given network.",
|
||||||
|
}
|
||||||
|
filterSupersetIpRoute = cli.StringFlag{
|
||||||
|
Name: "filter-network-is-superset-of",
|
||||||
|
Aliases: []string{"nsup"},
|
||||||
|
Usage: "Show only routes whose network is a superset of the given network.",
|
||||||
|
}
|
||||||
|
filterIpRouteComment = cli.StringFlag{
|
||||||
|
Name: "filter-comment-is",
|
||||||
|
Usage: "Show only routes with this comment.",
|
||||||
|
}
|
||||||
|
filterIpRouteByVnet = cli.StringFlag{
|
||||||
|
Name: "filter-vnet-id",
|
||||||
|
Usage: "Show only routes that are attached to the given virtual network ID.",
|
||||||
|
}
|
||||||
|
|
||||||
|
// Flags contains all filter flags.
|
||||||
|
IpRouteFilterFlags = []cli.Flag{
|
||||||
|
&filterIpRouteDeleted,
|
||||||
|
&filterIpRouteTunnelID,
|
||||||
|
&filterSubsetIpRoute,
|
||||||
|
&filterSupersetIpRoute,
|
||||||
|
&filterIpRouteComment,
|
||||||
|
&filterIpRouteByVnet,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
// IpRouteFilter which routes get queried.
|
||||||
|
type IpRouteFilter struct {
|
||||||
|
queryParams url.Values
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewIpRouteFilterFromCLI parses CLI flags to discover which filters should get applied.
|
||||||
|
func NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {
|
||||||
|
f := NewIPRouteFilter()
|
||||||
|
|
||||||
|
// Set deletion filter
|
||||||
|
if flag := filterIpRouteDeleted.Name; c.IsSet(flag) && c.Bool(flag) {
|
||||||
|
f.Deleted()
|
||||||
|
} else {
|
||||||
|
f.NotDeleted()
|
||||||
|
}
|
||||||
|
|
||||||
|
if subset, err := cidrFromFlag(c, filterSubsetIpRoute); err != nil {
|
||||||
|
return nil, err
|
||||||
|
} else if subset != nil {
|
||||||
|
f.NetworkIsSupersetOf(*subset)
|
||||||
|
}
|
||||||
|
|
||||||
|
if superset, err := cidrFromFlag(c, filterSupersetIpRoute); err != nil {
|
||||||
|
return nil, err
|
||||||
|
} else if superset != nil {
|
||||||
|
f.NetworkIsSupersetOf(*superset)
|
||||||
|
}
|
||||||
|
|
||||||
|
if comment := c.String(filterIpRouteComment.Name); comment != "" {
|
||||||
|
f.CommentIs(comment)
|
||||||
|
}
|
||||||
|
|
||||||
|
if tunnelID := c.String(filterIpRouteTunnelID.Name); tunnelID != "" {
|
||||||
|
u, err := uuid.Parse(tunnelID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteTunnelID.Name)
|
||||||
|
}
|
||||||
|
f.TunnelID(u)
|
||||||
|
}
|
||||||
|
|
||||||
|
if vnetId := c.String(filterIpRouteByVnet.Name); vnetId != "" {
|
||||||
|
u, err := uuid.Parse(vnetId)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteByVnet.Name)
|
||||||
|
}
|
||||||
|
f.VNetID(u)
|
||||||
|
}
|
||||||
|
|
||||||
|
if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
|
||||||
|
f.MaxFetchSize(uint(maxFetch))
|
||||||
|
}
|
||||||
|
|
||||||
|
return f, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parses a CIDR from the flag. If the flag was unset, returns (nil, nil).
|
||||||
|
func cidrFromFlag(c *cli.Context, flag cli.StringFlag) (*net.IPNet, error) {
|
||||||
|
if !c.IsSet(flag.Name) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
_, subset, err := net.ParseCIDR(c.String(flag.Name))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
} else if subset == nil {
|
||||||
|
return nil, fmt.Errorf("Invalid CIDR supplied for %s", flag.Name)
|
||||||
|
}
|
||||||
|
|
||||||
|
return subset, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewIPRouteFilter() *IpRouteFilter {
|
||||||
|
values := &IpRouteFilter{queryParams: url.Values{}}
|
||||||
|
|
||||||
|
// always list cfd_tunnel routes only
|
||||||
|
values.queryParams.Set("tun_types", "cfd_tunnel")
|
||||||
|
|
||||||
|
return values
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *IpRouteFilter) CommentIs(comment string) {
|
||||||
|
f.queryParams.Set("comment", comment)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *IpRouteFilter) NotDeleted() {
|
||||||
|
f.queryParams.Set("is_deleted", "false")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *IpRouteFilter) Deleted() {
|
||||||
|
f.queryParams.Set("is_deleted", "true")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *IpRouteFilter) NetworkIsSubsetOf(superset net.IPNet) {
|
||||||
|
f.queryParams.Set("network_subset", superset.String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *IpRouteFilter) NetworkIsSupersetOf(subset net.IPNet) {
|
||||||
|
f.queryParams.Set("network_superset", subset.String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *IpRouteFilter) ExistedAt(existedAt time.Time) {
|
||||||
|
f.queryParams.Set("existed_at", existedAt.Format(time.RFC3339))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *IpRouteFilter) TunnelID(id uuid.UUID) {
|
||||||
|
f.queryParams.Set("tunnel_id", id.String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *IpRouteFilter) VNetID(id uuid.UUID) {
|
||||||
|
f.queryParams.Set("virtual_network_id", id.String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *IpRouteFilter) MaxFetchSize(max uint) {
|
||||||
|
f.queryParams.Set("per_page", strconv.Itoa(int(max)))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *IpRouteFilter) Page(page int) {
|
||||||
|
f.queryParams.Set("page", strconv.Itoa(page))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f IpRouteFilter) Encode() string {
|
||||||
|
return f.queryParams.Encode()
|
||||||
|
}
|
|
@ -0,0 +1,178 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"net"
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestUnmarshalRoute(t *testing.T) {
|
||||||
|
testCases := []struct {
|
||||||
|
Json string
|
||||||
|
HasVnet bool
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
`{
|
||||||
|
"network":"10.1.2.40/29",
|
||||||
|
"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
|
||||||
|
"comment":"test",
|
||||||
|
"created_at":"2020-12-22T02:00:15.587008Z",
|
||||||
|
"deleted_at":null
|
||||||
|
}`,
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
`{
|
||||||
|
"network":"10.1.2.40/29",
|
||||||
|
"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
|
||||||
|
"comment":"test",
|
||||||
|
"created_at":"2020-12-22T02:00:15.587008Z",
|
||||||
|
"deleted_at":null,
|
||||||
|
"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9"
|
||||||
|
}`,
|
||||||
|
true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, testCase := range testCases {
|
||||||
|
data := testCase.Json
|
||||||
|
|
||||||
|
var r Route
|
||||||
|
err := json.Unmarshal([]byte(data), &r)
|
||||||
|
|
||||||
|
// Check everything worked
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, uuid.MustParse("fba6ffea-807f-4e7a-a740-4184ee1b82c8"), r.TunnelID)
|
||||||
|
require.Equal(t, "test", r.Comment)
|
||||||
|
_, cidr, err := net.ParseCIDR("10.1.2.40/29")
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, CIDR(*cidr), r.Network)
|
||||||
|
require.Equal(t, "test", r.Comment)
|
||||||
|
|
||||||
|
if testCase.HasVnet {
|
||||||
|
require.Equal(t, uuid.MustParse("38c95083-8191-4110-8339-3f438d44fdb9"), *r.VNetID)
|
||||||
|
} else {
|
||||||
|
require.Nil(t, r.VNetID)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestDetailedRouteJsonRoundtrip(t *testing.T) {
|
||||||
|
testCases := []struct {
|
||||||
|
Json string
|
||||||
|
HasVnet bool
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
`{
|
||||||
|
"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
|
||||||
|
"network":"10.1.2.40/29",
|
||||||
|
"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
|
||||||
|
"comment":"test",
|
||||||
|
"created_at":"2020-12-22T02:00:15.587008Z",
|
||||||
|
"deleted_at":"2021-01-14T05:01:42.183002Z",
|
||||||
|
"tunnel_name":"Mr. Tun"
|
||||||
|
}`,
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
`{
|
||||||
|
"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
|
||||||
|
"network":"10.1.2.40/29",
|
||||||
|
"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
|
||||||
|
"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9",
|
||||||
|
"comment":"test",
|
||||||
|
"created_at":"2020-12-22T02:00:15.587008Z",
|
||||||
|
"deleted_at":"2021-01-14T05:01:42.183002Z",
|
||||||
|
"tunnel_name":"Mr. Tun"
|
||||||
|
}`,
|
||||||
|
true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, testCase := range testCases {
|
||||||
|
data := testCase.Json
|
||||||
|
|
||||||
|
var r DetailedRoute
|
||||||
|
err := json.Unmarshal([]byte(data), &r)
|
||||||
|
|
||||||
|
// Check everything worked
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, uuid.MustParse("fba6ffea-807f-4e7a-a740-4184ee1b82c8"), r.TunnelID)
|
||||||
|
require.Equal(t, "test", r.Comment)
|
||||||
|
_, cidr, err := net.ParseCIDR("10.1.2.40/29")
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, CIDR(*cidr), r.Network)
|
||||||
|
require.Equal(t, "test", r.Comment)
|
||||||
|
require.Equal(t, "Mr. Tun", r.TunnelName)
|
||||||
|
|
||||||
|
if testCase.HasVnet {
|
||||||
|
require.Equal(t, uuid.MustParse("38c95083-8191-4110-8339-3f438d44fdb9"), *r.VNetID)
|
||||||
|
} else {
|
||||||
|
require.Nil(t, r.VNetID)
|
||||||
|
}
|
||||||
|
|
||||||
|
bytes, err := json.Marshal(r)
|
||||||
|
require.NoError(t, err)
|
||||||
|
obtainedJson := string(bytes)
|
||||||
|
data = strings.Replace(data, "\t", "", -1)
|
||||||
|
data = strings.Replace(data, "\n", "", -1)
|
||||||
|
require.Equal(t, data, obtainedJson)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestMarshalNewRoute(t *testing.T) {
|
||||||
|
_, network, err := net.ParseCIDR("1.2.3.4/32")
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.NotNil(t, network)
|
||||||
|
vnetId := uuid.New()
|
||||||
|
|
||||||
|
newRoutes := []NewRoute{
|
||||||
|
{
|
||||||
|
Network: *network,
|
||||||
|
TunnelID: uuid.New(),
|
||||||
|
Comment: "hi",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Network: *network,
|
||||||
|
TunnelID: uuid.New(),
|
||||||
|
Comment: "hi",
|
||||||
|
VNetID: &vnetId,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, newRoute := range newRoutes {
|
||||||
|
// Test where receiver is struct
|
||||||
|
serialized, err := json.Marshal(newRoute)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.True(t, strings.Contains(string(serialized), "tunnel_id"))
|
||||||
|
|
||||||
|
// Test where receiver is pointer to struct
|
||||||
|
serialized, err = json.Marshal(&newRoute)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.True(t, strings.Contains(string(serialized), "tunnel_id"))
|
||||||
|
|
||||||
|
if newRoute.VNetID == nil {
|
||||||
|
require.False(t, strings.Contains(string(serialized), "virtual_network_id"))
|
||||||
|
} else {
|
||||||
|
require.True(t, strings.Contains(string(serialized), "virtual_network_id"))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestRouteTableString(t *testing.T) {
|
||||||
|
_, network, err := net.ParseCIDR("1.2.3.4/32")
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.NotNil(t, network)
|
||||||
|
r := DetailedRoute{
|
||||||
|
ID: uuid.Nil,
|
||||||
|
Network: CIDR(*network),
|
||||||
|
}
|
||||||
|
row := r.TableString()
|
||||||
|
fmt.Println(row)
|
||||||
|
require.True(t, strings.HasPrefix(row, "00000000-0000-0000-0000-000000000000\t1.2.3.4/32"))
|
||||||
|
}
|
|
@ -0,0 +1,237 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net"
|
||||||
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"path"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
var ErrTunnelNameConflict = errors.New("tunnel with name already exists")
|
||||||
|
|
||||||
|
type Tunnel struct {
|
||||||
|
ID uuid.UUID `json:"id"`
|
||||||
|
Name string `json:"name"`
|
||||||
|
CreatedAt time.Time `json:"created_at"`
|
||||||
|
DeletedAt time.Time `json:"deleted_at"`
|
||||||
|
Connections []Connection `json:"connections"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type TunnelWithToken struct {
|
||||||
|
Tunnel
|
||||||
|
Token string `json:"token"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type Connection struct {
|
||||||
|
ColoName string `json:"colo_name"`
|
||||||
|
ID uuid.UUID `json:"id"`
|
||||||
|
IsPendingReconnect bool `json:"is_pending_reconnect"`
|
||||||
|
OriginIP net.IP `json:"origin_ip"`
|
||||||
|
OpenedAt time.Time `json:"opened_at"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type ActiveClient struct {
|
||||||
|
ID uuid.UUID `json:"id"`
|
||||||
|
Features []string `json:"features"`
|
||||||
|
Version string `json:"version"`
|
||||||
|
Arch string `json:"arch"`
|
||||||
|
RunAt time.Time `json:"run_at"`
|
||||||
|
Connections []Connection `json:"conns"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type newTunnel struct {
|
||||||
|
Name string `json:"name"`
|
||||||
|
TunnelSecret []byte `json:"tunnel_secret"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type managementRequest struct {
|
||||||
|
Resources []string `json:"resources"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type CleanupParams struct {
|
||||||
|
queryParams url.Values
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewCleanupParams() *CleanupParams {
|
||||||
|
return &CleanupParams{
|
||||||
|
queryParams: url.Values{},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cp *CleanupParams) ForClient(clientID uuid.UUID) {
|
||||||
|
cp.queryParams.Set("client_id", clientID.String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cp CleanupParams) encode() string {
|
||||||
|
return cp.queryParams.Encode()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error) {
|
||||||
|
if name == "" {
|
||||||
|
return nil, errors.New("tunnel name required")
|
||||||
|
}
|
||||||
|
if _, err := uuid.Parse(name); err == nil {
|
||||||
|
return nil, errors.New("you cannot use UUIDs as tunnel names")
|
||||||
|
}
|
||||||
|
body := &newTunnel{
|
||||||
|
Name: name,
|
||||||
|
TunnelSecret: tunnelSecret,
|
||||||
|
}
|
||||||
|
|
||||||
|
resp, err := r.sendRequest("POST", r.baseEndpoints.accountLevel, body)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
switch resp.StatusCode {
|
||||||
|
case http.StatusOK:
|
||||||
|
var tunnel TunnelWithToken
|
||||||
|
if serdeErr := parseResponse(resp.Body, &tunnel); serdeErr != nil {
|
||||||
|
return nil, serdeErr
|
||||||
|
}
|
||||||
|
return &tunnel, nil
|
||||||
|
case http.StatusConflict:
|
||||||
|
return nil, ErrTunnelNameConflict
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, r.statusCodeToError("create tunnel", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) GetTunnel(tunnelID uuid.UUID) (*Tunnel, error) {
|
||||||
|
endpoint := r.baseEndpoints.accountLevel
|
||||||
|
endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
|
||||||
|
resp, err := r.sendRequest("GET", endpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
return unmarshalTunnel(resp.Body)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, r.statusCodeToError("get tunnel", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) GetTunnelToken(tunnelID uuid.UUID) (token string, err error) {
|
||||||
|
endpoint := r.baseEndpoints.accountLevel
|
||||||
|
endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/token", tunnelID))
|
||||||
|
resp, err := r.sendRequest("GET", endpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return "", errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
err = parseResponse(resp.Body, &token)
|
||||||
|
return token, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return "", r.statusCodeToError("get tunnel token", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID) (token string, err error) {
|
||||||
|
endpoint := r.baseEndpoints.accountLevel
|
||||||
|
endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/management", tunnelID))
|
||||||
|
|
||||||
|
body := &managementRequest{
|
||||||
|
Resources: []string{"logs"},
|
||||||
|
}
|
||||||
|
|
||||||
|
resp, err := r.sendRequest("POST", endpoint, body)
|
||||||
|
if err != nil {
|
||||||
|
return "", errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
err = parseResponse(resp.Body, &token)
|
||||||
|
return token, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return "", r.statusCodeToError("get tunnel token", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
|
||||||
|
endpoint := r.baseEndpoints.accountLevel
|
||||||
|
endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
|
||||||
|
// Cascade will delete all tunnel dependencies (connections, routes, etc.) that
|
||||||
|
// are linked to the deleted tunnel.
|
||||||
|
if cascade {
|
||||||
|
endpoint.RawQuery = "cascade=true"
|
||||||
|
}
|
||||||
|
resp, err := r.sendRequest("DELETE", endpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
return r.statusCodeToError("delete tunnel", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) ListTunnels(filter *TunnelFilter) ([]*Tunnel, error) {
|
||||||
|
fetchFn := func(page int) (*http.Response, error) {
|
||||||
|
endpoint := r.baseEndpoints.accountLevel
|
||||||
|
filter.Page(page)
|
||||||
|
endpoint.RawQuery = filter.encode()
|
||||||
|
rsp, err := r.sendRequest("GET", endpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
if rsp.StatusCode != http.StatusOK {
|
||||||
|
rsp.Body.Close()
|
||||||
|
return nil, r.statusCodeToError("list tunnels", rsp)
|
||||||
|
}
|
||||||
|
return rsp, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return fetchExhaustively[Tunnel](fetchFn)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error) {
|
||||||
|
endpoint := r.baseEndpoints.accountLevel
|
||||||
|
endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/connections", tunnelID))
|
||||||
|
resp, err := r.sendRequest("GET", endpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
return parseConnectionsDetails(resp.Body)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, r.statusCodeToError("list connection details", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseConnectionsDetails(reader io.Reader) ([]*ActiveClient, error) {
|
||||||
|
var clients []*ActiveClient
|
||||||
|
err := parseResponse(reader, &clients)
|
||||||
|
return clients, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error {
|
||||||
|
endpoint := r.baseEndpoints.accountLevel
|
||||||
|
endpoint.RawQuery = params.encode()
|
||||||
|
endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/connections", tunnelID))
|
||||||
|
resp, err := r.sendRequest("DELETE", endpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
return r.statusCodeToError("cleanup connections", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func unmarshalTunnel(reader io.Reader) (*Tunnel, error) {
|
||||||
|
var tunnel Tunnel
|
||||||
|
err := parseResponse(reader, &tunnel)
|
||||||
|
return &tunnel, err
|
||||||
|
}
|
|
@ -0,0 +1,59 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/url"
|
||||||
|
"strconv"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
TimeLayout = time.RFC3339
|
||||||
|
)
|
||||||
|
|
||||||
|
type TunnelFilter struct {
|
||||||
|
queryParams url.Values
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewTunnelFilter() *TunnelFilter {
|
||||||
|
return &TunnelFilter{
|
||||||
|
queryParams: url.Values{},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *TunnelFilter) ByName(name string) {
|
||||||
|
f.queryParams.Set("name", name)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *TunnelFilter) ByNamePrefix(namePrefix string) {
|
||||||
|
f.queryParams.Set("name_prefix", namePrefix)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *TunnelFilter) ExcludeNameWithPrefix(excludePrefix string) {
|
||||||
|
f.queryParams.Set("exclude_prefix", excludePrefix)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *TunnelFilter) NoDeleted() {
|
||||||
|
f.queryParams.Set("is_deleted", "false")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *TunnelFilter) ByExistedAt(existedAt time.Time) {
|
||||||
|
f.queryParams.Set("existed_at", existedAt.Format(TimeLayout))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *TunnelFilter) ByTunnelID(tunnelID uuid.UUID) {
|
||||||
|
f.queryParams.Set("uuid", tunnelID.String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *TunnelFilter) MaxFetchSize(max uint) {
|
||||||
|
f.queryParams.Set("per_page", strconv.Itoa(int(max)))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *TunnelFilter) Page(page int) {
|
||||||
|
f.queryParams.Set("page", strconv.Itoa(page))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f TunnelFilter) encode() string {
|
||||||
|
return f.queryParams.Encode()
|
||||||
|
}
|
|
@ -0,0 +1,102 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"fmt"
|
||||||
|
"net"
|
||||||
|
"reflect"
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
var loc, _ = time.LoadLocation("UTC")
|
||||||
|
|
||||||
|
func Test_unmarshalTunnel(t *testing.T) {
|
||||||
|
type args struct {
|
||||||
|
body string
|
||||||
|
}
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
args args
|
||||||
|
want *Tunnel
|
||||||
|
wantErr bool
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "empty list",
|
||||||
|
args: args{body: `{"success": true, "result": {"id":"b34cc7ce-925b-46ee-bc23-4cb5c18d8292","created_at":"2021-07-29T13:46:14.090955Z","deleted_at":"2021-07-29T14:07:27.559047Z","name":"qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV","account_id":6946212,"account_tag":"5ab4e9dfbd435d24068829fda0077963","conns_active_at":null,"conns_inactive_at":"2021-07-29T13:47:22.548482Z","tun_type":"cfd_tunnel","metadata":{"qtid":"a6fJROgkXutNruBGaJjD"}}}`},
|
||||||
|
want: &Tunnel{
|
||||||
|
ID: uuid.MustParse("b34cc7ce-925b-46ee-bc23-4cb5c18d8292"),
|
||||||
|
Name: "qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV",
|
||||||
|
CreatedAt: time.Date(2021, 07, 29, 13, 46, 14, 90955000, loc),
|
||||||
|
DeletedAt: time.Date(2021, 07, 29, 14, 7, 27, 559047000, loc),
|
||||||
|
Connections: nil,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
got, err := unmarshalTunnel(strings.NewReader(tt.args.body))
|
||||||
|
if (err != nil) != tt.wantErr {
|
||||||
|
t.Errorf("unmarshalTunnel() error = %v, wantErr %v", err, tt.wantErr)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !reflect.DeepEqual(got, tt.want) {
|
||||||
|
t.Errorf("unmarshalTunnel() = %v, want %v", got, tt.want)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestUnmarshalTunnelOk(t *testing.T) {
|
||||||
|
|
||||||
|
jsonBody := `{"success": true, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}`
|
||||||
|
expected := Tunnel{
|
||||||
|
ID: uuid.Nil,
|
||||||
|
Name: "test",
|
||||||
|
CreatedAt: time.Time{},
|
||||||
|
Connections: []Connection{},
|
||||||
|
}
|
||||||
|
actual, err := unmarshalTunnel(bytes.NewReader([]byte(jsonBody)))
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.Equal(t, &expected, actual)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestUnmarshalTunnelErr(t *testing.T) {
|
||||||
|
|
||||||
|
tests := []string{
|
||||||
|
`abc`,
|
||||||
|
`{"success": true, "result": abc}`,
|
||||||
|
`{"success": false, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
|
||||||
|
`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
|
||||||
|
}
|
||||||
|
|
||||||
|
for i, test := range tests {
|
||||||
|
_, err := unmarshalTunnel(bytes.NewReader([]byte(test)))
|
||||||
|
assert.Error(t, err, fmt.Sprintf("Test #%v failed", i))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestUnmarshalConnections(t *testing.T) {
|
||||||
|
jsonBody := `{"success":true,"messages":[],"errors":[],"result":[{"id":"d4041254-91e3-4deb-bd94-b46e11680b1e","features":["ha-origin"],"version":"2021.2.5","arch":"darwin_amd64","conns":[{"colo_name":"LIS","id":"ac2286e5-c708-4588-a6a0-ba6b51940019","is_pending_reconnect":false,"origin_ip":"148.38.28.2","opened_at":"0001-01-01T00:00:00Z"}],"run_at":"0001-01-01T00:00:00Z"}]}`
|
||||||
|
expected := ActiveClient{
|
||||||
|
ID: uuid.MustParse("d4041254-91e3-4deb-bd94-b46e11680b1e"),
|
||||||
|
Features: []string{"ha-origin"},
|
||||||
|
Version: "2021.2.5",
|
||||||
|
Arch: "darwin_amd64",
|
||||||
|
RunAt: time.Time{},
|
||||||
|
Connections: []Connection{{
|
||||||
|
ID: uuid.MustParse("ac2286e5-c708-4588-a6a0-ba6b51940019"),
|
||||||
|
ColoName: "LIS",
|
||||||
|
IsPendingReconnect: false,
|
||||||
|
OriginIP: net.ParseIP("148.38.28.2"),
|
||||||
|
OpenedAt: time.Time{},
|
||||||
|
}},
|
||||||
|
}
|
||||||
|
actual, err := parseConnectionsDetails(bytes.NewReader([]byte(jsonBody)))
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.Equal(t, []*ActiveClient{&expected}, actual)
|
||||||
|
}
|
|
@ -0,0 +1,134 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"path"
|
||||||
|
"strconv"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
type NewVirtualNetwork struct {
|
||||||
|
Name string `json:"name"`
|
||||||
|
Comment string `json:"comment"`
|
||||||
|
IsDefault bool `json:"is_default"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type VirtualNetwork struct {
|
||||||
|
ID uuid.UUID `json:"id"`
|
||||||
|
Comment string `json:"comment"`
|
||||||
|
Name string `json:"name"`
|
||||||
|
IsDefault bool `json:"is_default_network"`
|
||||||
|
CreatedAt time.Time `json:"created_at"`
|
||||||
|
DeletedAt time.Time `json:"deleted_at"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type UpdateVirtualNetwork struct {
|
||||||
|
Name *string `json:"name,omitempty"`
|
||||||
|
Comment *string `json:"comment,omitempty"`
|
||||||
|
IsDefault *bool `json:"is_default_network,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (virtualNetwork VirtualNetwork) TableString() string {
|
||||||
|
deletedColumn := "-"
|
||||||
|
if !virtualNetwork.DeletedAt.IsZero() {
|
||||||
|
deletedColumn = virtualNetwork.DeletedAt.Format(time.RFC3339)
|
||||||
|
}
|
||||||
|
return fmt.Sprintf(
|
||||||
|
"%s\t%s\t%s\t%s\t%s\t%s\t",
|
||||||
|
virtualNetwork.ID,
|
||||||
|
virtualNetwork.Name,
|
||||||
|
strconv.FormatBool(virtualNetwork.IsDefault),
|
||||||
|
virtualNetwork.Comment,
|
||||||
|
virtualNetwork.CreatedAt.Format(time.RFC3339),
|
||||||
|
deletedColumn,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error) {
|
||||||
|
resp, err := r.sendRequest("POST", r.baseEndpoints.accountVnets, newVnet)
|
||||||
|
if err != nil {
|
||||||
|
return VirtualNetwork{}, errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
return parseVnet(resp.Body)
|
||||||
|
}
|
||||||
|
|
||||||
|
return VirtualNetwork{}, r.statusCodeToError("add virtual network", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error) {
|
||||||
|
endpoint := r.baseEndpoints.accountVnets
|
||||||
|
endpoint.RawQuery = filter.Encode()
|
||||||
|
resp, err := r.sendRequest("GET", endpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
return parseListVnets(resp.Body)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, r.statusCodeToError("list virtual networks", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) DeleteVirtualNetwork(id uuid.UUID, force bool) error {
|
||||||
|
endpoint := r.baseEndpoints.accountVnets
|
||||||
|
endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
|
||||||
|
|
||||||
|
queryParams := url.Values{}
|
||||||
|
if force {
|
||||||
|
queryParams.Set("force", strconv.FormatBool(force))
|
||||||
|
}
|
||||||
|
endpoint.RawQuery = queryParams.Encode()
|
||||||
|
|
||||||
|
resp, err := r.sendRequest("DELETE", endpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
_, err := parseVnet(resp.Body)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return r.statusCodeToError("delete virtual network", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RESTClient) UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error {
|
||||||
|
endpoint := r.baseEndpoints.accountVnets
|
||||||
|
endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
|
||||||
|
resp, err := r.sendRequest("PATCH", endpoint, updates)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "REST request failed")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
_, err := parseVnet(resp.Body)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return r.statusCodeToError("update virtual network", resp)
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseListVnets(body io.ReadCloser) ([]*VirtualNetwork, error) {
|
||||||
|
var vnets []*VirtualNetwork
|
||||||
|
err := parseResponse(body, &vnets)
|
||||||
|
return vnets, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseVnet(body io.ReadCloser) (VirtualNetwork, error) {
|
||||||
|
var vnet VirtualNetwork
|
||||||
|
err := parseResponse(body, &vnet)
|
||||||
|
return vnet, err
|
||||||
|
}
|
|
@ -0,0 +1,99 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/url"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
"github.com/urfave/cli/v2"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
filterVnetId = cli.StringFlag{
|
||||||
|
Name: "id",
|
||||||
|
Usage: "List virtual networks with the given `ID`",
|
||||||
|
}
|
||||||
|
filterVnetByName = cli.StringFlag{
|
||||||
|
Name: "name",
|
||||||
|
Usage: "List virtual networks with the given `NAME`",
|
||||||
|
}
|
||||||
|
filterDefaultVnet = cli.BoolFlag{
|
||||||
|
Name: "is-default",
|
||||||
|
Usage: "If true, lists the virtual network that is the default one. If false, lists all non-default virtual networks for the account. If absent, all are included in the results regardless of their default status.",
|
||||||
|
}
|
||||||
|
filterDeletedVnet = cli.BoolFlag{
|
||||||
|
Name: "show-deleted",
|
||||||
|
Usage: "If false (default), only show non-deleted virtual networks. If true, only show deleted virtual networks.",
|
||||||
|
}
|
||||||
|
VnetFilterFlags = []cli.Flag{
|
||||||
|
&filterVnetId,
|
||||||
|
&filterVnetByName,
|
||||||
|
&filterDefaultVnet,
|
||||||
|
&filterDeletedVnet,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
// VnetFilter which virtual networks get queried.
|
||||||
|
type VnetFilter struct {
|
||||||
|
queryParams url.Values
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewVnetFilter() *VnetFilter {
|
||||||
|
return &VnetFilter{
|
||||||
|
queryParams: url.Values{},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *VnetFilter) ById(vnetId uuid.UUID) {
|
||||||
|
f.queryParams.Set("id", vnetId.String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *VnetFilter) ByName(name string) {
|
||||||
|
f.queryParams.Set("name", name)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *VnetFilter) ByDefaultStatus(isDefault bool) {
|
||||||
|
f.queryParams.Set("is_default", strconv.FormatBool(isDefault))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *VnetFilter) WithDeleted(isDeleted bool) {
|
||||||
|
f.queryParams.Set("is_deleted", strconv.FormatBool(isDeleted))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *VnetFilter) MaxFetchSize(max uint) {
|
||||||
|
f.queryParams.Set("per_page", strconv.Itoa(int(max)))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f VnetFilter) Encode() string {
|
||||||
|
return f.queryParams.Encode()
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewFromCLI parses CLI flags to discover which filters should get applied to list virtual networks.
|
||||||
|
func NewFromCLI(c *cli.Context) (*VnetFilter, error) {
|
||||||
|
f := NewVnetFilter()
|
||||||
|
|
||||||
|
if id := c.String("id"); id != "" {
|
||||||
|
vnetId, err := uuid.Parse(id)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrapf(err, "%s is not a valid virtual network ID", id)
|
||||||
|
}
|
||||||
|
f.ById(vnetId)
|
||||||
|
}
|
||||||
|
|
||||||
|
if name := c.String("name"); name != "" {
|
||||||
|
f.ByName(name)
|
||||||
|
}
|
||||||
|
|
||||||
|
if c.IsSet("is-default") {
|
||||||
|
f.ByDefaultStatus(c.Bool("is-default"))
|
||||||
|
}
|
||||||
|
|
||||||
|
f.WithDeleted(c.Bool("show-deleted"))
|
||||||
|
|
||||||
|
if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
|
||||||
|
f.MaxFetchSize(uint(maxFetch))
|
||||||
|
}
|
||||||
|
|
||||||
|
return f, nil
|
||||||
|
}
|
|
@ -0,0 +1,79 @@
|
||||||
|
package cfapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestVirtualNetworkJsonRoundtrip(t *testing.T) {
|
||||||
|
data := `{
|
||||||
|
"id":"74fce949-351b-4752-b261-81a56cfd3130",
|
||||||
|
"comment":"New York DC1",
|
||||||
|
"name":"us-east-1",
|
||||||
|
"is_default_network":true,
|
||||||
|
"created_at":"2021-11-26T14:40:02.600673Z",
|
||||||
|
"deleted_at":"2021-12-01T10:23:13.102645Z"
|
||||||
|
}`
|
||||||
|
var v VirtualNetwork
|
||||||
|
err := json.Unmarshal([]byte(data), &v)
|
||||||
|
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, uuid.MustParse("74fce949-351b-4752-b261-81a56cfd3130"), v.ID)
|
||||||
|
require.Equal(t, "us-east-1", v.Name)
|
||||||
|
require.Equal(t, "New York DC1", v.Comment)
|
||||||
|
require.Equal(t, true, v.IsDefault)
|
||||||
|
|
||||||
|
bytes, err := json.Marshal(v)
|
||||||
|
require.NoError(t, err)
|
||||||
|
obtainedJson := string(bytes)
|
||||||
|
data = strings.Replace(data, "\t", "", -1)
|
||||||
|
data = strings.Replace(data, "\n", "", -1)
|
||||||
|
require.Equal(t, data, obtainedJson)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestMarshalNewVnet(t *testing.T) {
|
||||||
|
newVnet := NewVirtualNetwork{
|
||||||
|
Name: "eu-west-1",
|
||||||
|
Comment: "London office",
|
||||||
|
IsDefault: true,
|
||||||
|
}
|
||||||
|
|
||||||
|
serialized, err := json.Marshal(newVnet)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.True(t, strings.Contains(string(serialized), newVnet.Name))
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestMarshalUpdateVnet(t *testing.T) {
|
||||||
|
newName := "bulgaria-1"
|
||||||
|
updates := UpdateVirtualNetwork{
|
||||||
|
Name: &newName,
|
||||||
|
}
|
||||||
|
|
||||||
|
// Test where receiver is struct
|
||||||
|
serialized, err := json.Marshal(updates)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.True(t, strings.Contains(string(serialized), newName))
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestVnetTableString(t *testing.T) {
|
||||||
|
virtualNet := VirtualNetwork{
|
||||||
|
ID: uuid.New(),
|
||||||
|
Name: "us-east-1",
|
||||||
|
Comment: "New York DC1",
|
||||||
|
IsDefault: true,
|
||||||
|
CreatedAt: time.Now(),
|
||||||
|
DeletedAt: time.Time{},
|
||||||
|
}
|
||||||
|
|
||||||
|
row := virtualNet.TableString()
|
||||||
|
require.True(t, strings.HasPrefix(row, virtualNet.ID.String()))
|
||||||
|
require.True(t, strings.Contains(row, virtualNet.Name))
|
||||||
|
require.True(t, strings.Contains(row, virtualNet.Comment))
|
||||||
|
require.True(t, strings.Contains(row, "true"))
|
||||||
|
require.True(t, strings.HasSuffix(row, "-\t"))
|
||||||
|
}
|
|
@ -0,0 +1,27 @@
|
||||||
|
package cfio
|
||||||
|
|
||||||
|
import (
|
||||||
|
"io"
|
||||||
|
"sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
const defaultBufferSize = 16 * 1024
|
||||||
|
|
||||||
|
var bufferPool = sync.Pool{
|
||||||
|
New: func() interface{} {
|
||||||
|
return make([]byte, defaultBufferSize)
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
func Copy(dst io.Writer, src io.Reader) (written int64, err error) {
|
||||||
|
_, okWriteTo := src.(io.WriterTo)
|
||||||
|
_, okReadFrom := dst.(io.ReaderFrom)
|
||||||
|
var buffer []byte = nil
|
||||||
|
|
||||||
|
if !(okWriteTo || okReadFrom) {
|
||||||
|
buffer = bufferPool.Get().([]byte)
|
||||||
|
defer bufferPool.Put(buffer)
|
||||||
|
}
|
||||||
|
|
||||||
|
return io.CopyBuffer(dst, src, buffer)
|
||||||
|
}
|
420
cfsetup.yaml
420
cfsetup.yaml
|
@ -1,23 +1,89 @@
|
||||||
pinned_go: &pinned_go go=1.15.7-1
|
pinned_go: &pinned_go go-boring=1.22.5-1
|
||||||
pinned_go_fips: &pinned_go_fips go-fips=1.15.5-3
|
|
||||||
|
|
||||||
build_dir: &build_dir /cfsetup_build
|
build_dir: &build_dir /cfsetup_build
|
||||||
default-flavor: buster
|
default-flavor: bullseye
|
||||||
stretch: &stretch
|
buster: &buster
|
||||||
build:
|
build-linux:
|
||||||
|
build_dir: *build_dir
|
||||||
|
builddeps: &build_deps
|
||||||
|
- *pinned_go
|
||||||
|
- build-essential
|
||||||
|
- fakeroot
|
||||||
|
- rubygem-fpm
|
||||||
|
- rpm
|
||||||
|
- libffi-dev
|
||||||
|
pre-cache: &build_pre_cache
|
||||||
|
- export GOCACHE=/cfsetup_build/.cache/go-build
|
||||||
|
- go install golang.org/x/tools/cmd/goimports@latest
|
||||||
|
post-cache:
|
||||||
|
# Build binary for component test
|
||||||
|
- GOOS=linux GOARCH=amd64 make cloudflared
|
||||||
|
build-linux-fips:
|
||||||
|
build_dir: *build_dir
|
||||||
|
builddeps: *build_deps
|
||||||
|
pre-cache: *build_pre_cache
|
||||||
|
post-cache:
|
||||||
|
- export FIPS=true
|
||||||
|
# Build binary for component test
|
||||||
|
- GOOS=linux GOARCH=amd64 make cloudflared
|
||||||
|
cover:
|
||||||
|
build_dir: *build_dir
|
||||||
|
builddeps: *build_deps
|
||||||
|
pre-cache: *build_pre_cache
|
||||||
|
post-cache:
|
||||||
|
- make cover
|
||||||
|
# except FIPS and macos
|
||||||
|
build-linux-release:
|
||||||
|
build_dir: *build_dir
|
||||||
|
builddeps: &build_deps_release
|
||||||
|
- *pinned_go
|
||||||
|
- build-essential
|
||||||
|
- fakeroot
|
||||||
|
- rubygem-fpm
|
||||||
|
- rpm
|
||||||
|
- libffi-dev
|
||||||
|
- python3-dev
|
||||||
|
- python3-pip
|
||||||
|
- python3-setuptools
|
||||||
|
- wget
|
||||||
|
pre-cache: &build_release_pre_cache
|
||||||
|
- pip3 install pynacl==1.4.0
|
||||||
|
- pip3 install pygithub==1.55
|
||||||
|
- pip3 install boto3==1.22.9
|
||||||
|
- pip3 install python-gnupg==0.4.9
|
||||||
|
post-cache:
|
||||||
|
# build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
|
||||||
|
- ./build-packages.sh
|
||||||
|
# handle FIPS separately so that we built with gofips compiler
|
||||||
|
build-linux-fips-release:
|
||||||
|
build_dir: *build_dir
|
||||||
|
builddeps: *build_deps_release
|
||||||
|
pre-cache: *build_release_pre_cache
|
||||||
|
post-cache:
|
||||||
|
# same logic as above, but for FIPS packages only
|
||||||
|
- ./build-packages-fips.sh
|
||||||
|
generate-versions-file:
|
||||||
build_dir: *build_dir
|
build_dir: *build_dir
|
||||||
builddeps:
|
builddeps:
|
||||||
- *pinned_go_fips
|
- *pinned_go
|
||||||
- build-essential
|
- build-essential
|
||||||
|
post-cache:
|
||||||
|
- make generate-docker-version
|
||||||
|
build-deb:
|
||||||
|
build_dir: *build_dir
|
||||||
|
builddeps: &build_deb_deps
|
||||||
|
- *pinned_go
|
||||||
|
- build-essential
|
||||||
|
- fakeroot
|
||||||
|
- rubygem-fpm
|
||||||
post-cache:
|
post-cache:
|
||||||
- export GOOS=linux
|
- export GOOS=linux
|
||||||
- export GOARCH=amd64
|
- export GOARCH=amd64
|
||||||
- export FIPS=true
|
- make cloudflared-deb
|
||||||
- make cloudflared
|
build-fips-internal-deb:
|
||||||
build-deb:
|
|
||||||
build_dir: *build_dir
|
build_dir: *build_dir
|
||||||
builddeps:
|
builddeps: &build_fips_deb_deps
|
||||||
- *pinned_go_fips
|
- *pinned_go
|
||||||
- build-essential
|
- build-essential
|
||||||
- fakeroot
|
- fakeroot
|
||||||
- rubygem-fpm
|
- rubygem-fpm
|
||||||
|
@ -25,254 +91,160 @@ stretch: &stretch
|
||||||
- export GOOS=linux
|
- export GOOS=linux
|
||||||
- export GOARCH=amd64
|
- export GOARCH=amd64
|
||||||
- export FIPS=true
|
- export FIPS=true
|
||||||
|
- export ORIGINAL_NAME=true
|
||||||
|
- make cloudflared-deb
|
||||||
|
build-internal-deb-nightly-amd64:
|
||||||
|
build_dir: *build_dir
|
||||||
|
builddeps: *build_fips_deb_deps
|
||||||
|
post-cache:
|
||||||
|
- export GOOS=linux
|
||||||
|
- export GOARCH=amd64
|
||||||
|
- export NIGHTLY=true
|
||||||
|
- export FIPS=true
|
||||||
|
- export ORIGINAL_NAME=true
|
||||||
|
- make cloudflared-deb
|
||||||
|
build-internal-deb-nightly-arm64:
|
||||||
|
build_dir: *build_dir
|
||||||
|
builddeps: *build_fips_deb_deps
|
||||||
|
post-cache:
|
||||||
|
- export GOOS=linux
|
||||||
|
- export GOARCH=arm64
|
||||||
|
- export NIGHTLY=true
|
||||||
|
#- export FIPS=true # TUN-7595
|
||||||
|
- export ORIGINAL_NAME=true
|
||||||
- make cloudflared-deb
|
- make cloudflared-deb
|
||||||
build-deb-arm64:
|
build-deb-arm64:
|
||||||
build_dir: *build_dir
|
build_dir: *build_dir
|
||||||
builddeps:
|
builddeps: *build_deb_deps
|
||||||
- *pinned_go
|
|
||||||
- build-essential
|
|
||||||
- fakeroot
|
|
||||||
- rubygem-fpm
|
|
||||||
post-cache:
|
post-cache:
|
||||||
- export GOOS=linux
|
- export GOOS=linux
|
||||||
- export GOARCH=arm64
|
- export GOARCH=arm64
|
||||||
- make cloudflared-deb
|
- make cloudflared-deb
|
||||||
publish-deb:
|
package-windows:
|
||||||
build_dir: *build_dir
|
build_dir: *build_dir
|
||||||
builddeps:
|
builddeps:
|
||||||
- *pinned_go_fips
|
- *pinned_go
|
||||||
|
- build-essential
|
||||||
|
- python3-dev
|
||||||
|
- libffi-dev
|
||||||
|
- python3-setuptools
|
||||||
|
- python3-pip
|
||||||
|
- wget
|
||||||
|
# libmsi and libgcab are libraries the wixl binary depends on.
|
||||||
|
- libmsi-dev
|
||||||
|
- libgcab-dev
|
||||||
|
pre-cache:
|
||||||
|
- wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
|
||||||
|
- chmod a+x /usr/local/bin/wixl
|
||||||
|
- pip3 install pynacl==1.4.0
|
||||||
|
- pip3 install pygithub==1.55
|
||||||
|
post-cache:
|
||||||
|
- .teamcity/package-windows.sh
|
||||||
|
test:
|
||||||
|
build_dir: *build_dir
|
||||||
|
builddeps: &build_deps_tests
|
||||||
|
- *pinned_go
|
||||||
- build-essential
|
- build-essential
|
||||||
- fakeroot
|
- fakeroot
|
||||||
- rubygem-fpm
|
- rubygem-fpm
|
||||||
- openssh-client
|
- rpm
|
||||||
post-cache:
|
- libffi-dev
|
||||||
- export GOOS=linux
|
|
||||||
- export GOARCH=amd64
|
|
||||||
- export FIPS=true
|
|
||||||
- make publish-deb
|
|
||||||
release-linux-amd64:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go_fips
|
|
||||||
- build-essential
|
|
||||||
post-cache:
|
|
||||||
- export GOOS=linux
|
|
||||||
- export GOARCH=amd64
|
|
||||||
- export FIPS=true
|
|
||||||
- make release
|
|
||||||
github-release-linux-amd64:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go_fips
|
|
||||||
- build-essential
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-pip
|
|
||||||
pre-cache: &install_pygithub
|
|
||||||
- pip3 install pygithub
|
|
||||||
post-cache:
|
|
||||||
- export GOOS=linux
|
|
||||||
- export GOARCH=amd64
|
|
||||||
- export FIPS=true
|
|
||||||
- make github-release
|
|
||||||
release-linux-armv6:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go
|
|
||||||
- crossbuild-essential-armhf
|
|
||||||
- gcc-arm-linux-gnueabihf
|
|
||||||
post-cache:
|
|
||||||
- export GOOS=linux
|
|
||||||
- export GOARCH=arm
|
|
||||||
- export CC=arm-linux-gnueabihf-gcc
|
|
||||||
- make release
|
|
||||||
github-release-linux-armv6:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go
|
|
||||||
- crossbuild-essential-armhf
|
|
||||||
- gcc-arm-linux-gnueabihf
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-pip
|
|
||||||
pre-cache: *install_pygithub
|
|
||||||
post-cache:
|
|
||||||
- export GOOS=linux
|
|
||||||
- export GOARCH=arm
|
|
||||||
- export CC=arm-linux-gnueabihf-gcc
|
|
||||||
- make github-release
|
|
||||||
release-linux-386:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go
|
|
||||||
- gcc-multilib
|
|
||||||
post-cache:
|
|
||||||
- export GOOS=linux
|
|
||||||
- export GOARCH=386
|
|
||||||
- make release
|
|
||||||
github-release-linux-386:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go
|
|
||||||
- gcc-multilib
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-pip
|
|
||||||
pre-cache: *install_pygithub
|
|
||||||
post-cache:
|
|
||||||
- export GOOS=linux
|
|
||||||
- export GOARCH=386
|
|
||||||
- make github-release
|
|
||||||
release-windows-amd64:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go
|
|
||||||
- gcc-mingw-w64
|
|
||||||
post-cache:
|
|
||||||
- export GOOS=windows
|
|
||||||
- export GOARCH=amd64
|
|
||||||
- export CC=x86_64-w64-mingw32-gcc
|
|
||||||
- make release
|
|
||||||
github-release-windows-amd64:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go
|
|
||||||
- gcc-mingw-w64
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-pip
|
|
||||||
pre-cache: *install_pygithub
|
|
||||||
post-cache:
|
|
||||||
- export GOOS=windows
|
|
||||||
- export GOARCH=amd64
|
|
||||||
- export CC=x86_64-w64-mingw32-gcc
|
|
||||||
- make github-release
|
|
||||||
release-windows-386:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go
|
|
||||||
- gcc-mingw-w64
|
|
||||||
post-cache:
|
|
||||||
- export GOOS=windows
|
|
||||||
- export GOARCH=386
|
|
||||||
- export CC=i686-w64-mingw32-gcc-win32
|
|
||||||
- make release
|
|
||||||
github-release-windows-386:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go
|
|
||||||
- gcc-mingw-w64
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-pip
|
|
||||||
pre-cache: *install_pygithub
|
|
||||||
post-cache:
|
|
||||||
- export GOOS=windows
|
|
||||||
- export GOARCH=386
|
|
||||||
- export CC=i686-w64-mingw32-gcc-win32
|
|
||||||
- make github-release
|
|
||||||
github-release-linux-arm64:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go
|
|
||||||
- crossbuild-essential-armhf
|
|
||||||
- g++-aarch64-linux-gnu
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-pip
|
|
||||||
pre-cache: *install_pygithub
|
|
||||||
post-cache:
|
|
||||||
- export GOOS=linux
|
|
||||||
- export GOARCH=arm64
|
|
||||||
- export CC=aarch64-linux-gnu-gcc
|
|
||||||
- make github-release
|
|
||||||
github-release-macos-amd64:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-pip
|
|
||||||
pre-cache: *install_pygithub
|
|
||||||
post-cache:
|
|
||||||
- make github-mac-upload
|
|
||||||
test:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps:
|
|
||||||
- *pinned_go_fips
|
|
||||||
- build-essential
|
|
||||||
- gotest-to-teamcity
|
- gotest-to-teamcity
|
||||||
|
pre-cache: *build_pre_cache
|
||||||
|
post-cache:
|
||||||
|
- export GOOS=linux
|
||||||
|
- export GOARCH=amd64
|
||||||
|
- export PATH="$HOME/go/bin:$PATH"
|
||||||
|
- ./fmt-check.sh
|
||||||
|
- make test | gotest-to-teamcity
|
||||||
|
test-fips:
|
||||||
|
build_dir: *build_dir
|
||||||
|
builddeps: *build_deps_tests
|
||||||
|
pre-cache: *build_pre_cache
|
||||||
post-cache:
|
post-cache:
|
||||||
- export GOOS=linux
|
- export GOOS=linux
|
||||||
- export GOARCH=amd64
|
- export GOARCH=amd64
|
||||||
- export FIPS=true
|
- export FIPS=true
|
||||||
# cd to a non-module directory: https://github.com/golang/go/issues/24250
|
|
||||||
- (cd / && go get github.com/BurntSushi/go-sumtype)
|
|
||||||
- export PATH="$HOME/go/bin:$PATH"
|
- export PATH="$HOME/go/bin:$PATH"
|
||||||
|
- ./fmt-check.sh
|
||||||
- make test | gotest-to-teamcity
|
- make test | gotest-to-teamcity
|
||||||
update-homebrew:
|
component-test:
|
||||||
builddeps:
|
build_dir: *build_dir
|
||||||
- openssh-client
|
builddeps: &build_deps_component_test
|
||||||
- s3cmd
|
- *pinned_go
|
||||||
post-cache:
|
- python3.7
|
||||||
- .teamcity/update-homebrew.sh
|
- python3-pip
|
||||||
github-message-release:
|
- python3-setuptools
|
||||||
|
# procps installs the ps command which is needed in test_sysv_service because the init script
|
||||||
|
# uses ps pid to determine if the agent is running
|
||||||
|
- procps
|
||||||
|
pre-cache-copy-paths:
|
||||||
|
- component-tests/requirements.txt
|
||||||
|
pre-cache: &component_test_pre_cache
|
||||||
|
- sudo pip3 install --upgrade -r component-tests/requirements.txt
|
||||||
|
post-cache: &component_test_post_cache
|
||||||
|
# Creates and routes a Named Tunnel for this build. Also constructs config file from env vars.
|
||||||
|
- python3 component-tests/setup.py --type create
|
||||||
|
- pytest component-tests -o log_cli=true --log-cli-level=INFO
|
||||||
|
# The Named Tunnel is deleted and its route unprovisioned here.
|
||||||
|
- python3 component-tests/setup.py --type cleanup
|
||||||
|
component-test-fips:
|
||||||
|
build_dir: *build_dir
|
||||||
|
builddeps: *build_deps_component_test
|
||||||
|
pre-cache-copy-paths:
|
||||||
|
- component-tests/requirements.txt
|
||||||
|
pre-cache: *component_test_pre_cache
|
||||||
|
post-cache: *component_test_post_cache
|
||||||
|
github-release-dryrun:
|
||||||
build_dir: *build_dir
|
build_dir: *build_dir
|
||||||
builddeps:
|
builddeps:
|
||||||
- *pinned_go
|
- *pinned_go
|
||||||
|
- build-essential
|
||||||
|
- python3-dev
|
||||||
|
- libffi-dev
|
||||||
- python3-setuptools
|
- python3-setuptools
|
||||||
- python3-pip
|
- python3-pip
|
||||||
pre-cache: *install_pygithub
|
pre-cache:
|
||||||
|
- pip3 install pynacl==1.4.0
|
||||||
|
- pip3 install pygithub==1.55
|
||||||
post-cache:
|
post-cache:
|
||||||
- make github-message
|
- make github-release-dryrun
|
||||||
build-junos:
|
github-release:
|
||||||
build_dir: *build_dir
|
build_dir: *build_dir
|
||||||
builddeps:
|
builddeps:
|
||||||
- *pinned_go
|
- *pinned_go
|
||||||
- build-essential
|
- build-essential
|
||||||
- python3
|
- python3-dev
|
||||||
- genisoimage
|
- libffi-dev
|
||||||
- jetez
|
- python3-setuptools
|
||||||
|
- python3-pip
|
||||||
pre-cache:
|
pre-cache:
|
||||||
- ln -s /usr/bin/genisoimage /usr/bin/mkisofs
|
- pip3 install pynacl==1.4.0
|
||||||
|
- pip3 install pygithub==1.55
|
||||||
post-cache:
|
post-cache:
|
||||||
- export GOOS=freebsd
|
- make github-release
|
||||||
- export GOARCH=amd64
|
r2-linux-release:
|
||||||
- make cloudflared-junos
|
|
||||||
publish-junos:
|
|
||||||
build_dir: *build_dir
|
build_dir: *build_dir
|
||||||
builddeps:
|
builddeps:
|
||||||
- *pinned_go
|
- *pinned_go
|
||||||
- build-essential
|
- build-essential
|
||||||
- python3
|
- fakeroot
|
||||||
- genisoimage
|
- rubygem-fpm
|
||||||
- jetez
|
- rpm
|
||||||
- s4cmd
|
- wget
|
||||||
|
- python3-dev
|
||||||
|
- libffi-dev
|
||||||
|
- python3-setuptools
|
||||||
|
- python3-pip
|
||||||
|
- reprepro
|
||||||
|
- createrepo
|
||||||
pre-cache:
|
pre-cache:
|
||||||
- ln -s /usr/bin/genisoimage /usr/bin/mkisofs
|
- pip3 install pynacl==1.4.0
|
||||||
|
- pip3 install pygithub==1.55
|
||||||
|
- pip3 install boto3==1.22.9
|
||||||
|
- pip3 install python-gnupg==0.4.9
|
||||||
post-cache:
|
post-cache:
|
||||||
- export GOOS=freebsd
|
- make r2-linux-release
|
||||||
- export GOARCH=amd64
|
|
||||||
- make publish-cloudflared-junos
|
|
||||||
|
|
||||||
buster: *stretch
|
bullseye: *buster
|
||||||
bullseye: *stretch
|
bookworm: *buster
|
||||||
centos-7:
|
|
||||||
publish-rpm:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps: &el7_builddeps
|
|
||||||
- https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
|
|
||||||
pre-cache:
|
|
||||||
- yum install -y fakeroot
|
|
||||||
- wget https://golang.org/dl/go1.15.7.linux-amd64.tar.gz -P /tmp/
|
|
||||||
- tar -C /usr/local -xzf /tmp/go1.15.7.linux-amd64.tar.gz
|
|
||||||
post-cache:
|
|
||||||
- export PATH=$PATH:/usr/local/go/bin
|
|
||||||
- export GOOS=linux
|
|
||||||
- export GOARCH=amd64
|
|
||||||
- make publish-rpm
|
|
||||||
build-rpm:
|
|
||||||
build_dir: *build_dir
|
|
||||||
builddeps: *el7_builddeps
|
|
||||||
pre-cache:
|
|
||||||
- yum install -y fakeroot
|
|
||||||
- wget https://golang.org/dl/go1.15.7.linux-amd64.tar.gz -P /tmp/
|
|
||||||
- tar -C /usr/local -xzf /tmp/go1.15.7.linux-amd64.tar.gz
|
|
||||||
post-cache:
|
|
||||||
- export PATH=$PATH:/usr/local/go/bin
|
|
||||||
- export GOOS=linux
|
|
||||||
- export GOARCH=amd64
|
|
||||||
- make cloudflared-rpm
|
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
# Pass the path to the executable to check for FIPS compliance
|
||||||
|
exe=$1
|
||||||
|
|
||||||
|
if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
|
||||||
|
# Asserts that executable is using FIPS-compliant boringcrypto
|
||||||
|
echo "${exe}: missing goboring symbols" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
|
||||||
|
# Asserts that executable is using FIPS-only schemes
|
||||||
|
echo "${exe}: missing fipsonly symbols" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "${exe} is FIPS-compliant"
|
|
@ -0,0 +1,64 @@
|
||||||
|
<?xml version="1.0"?>
|
||||||
|
|
||||||
|
<?if $(var.Platform)="x64" ?>
|
||||||
|
<?define Program_Files="ProgramFiles64Folder"?>
|
||||||
|
<?else ?>
|
||||||
|
<?define Program_Files="ProgramFilesFolder"?>
|
||||||
|
<?endif ?>
|
||||||
|
<?ifndef var.Version?>
|
||||||
|
<?error Undefined Version variable?>
|
||||||
|
<?endif ?>
|
||||||
|
<?ifndef var.Path?>
|
||||||
|
<?error Undefined Path variable?>
|
||||||
|
<?endif ?>
|
||||||
|
|
||||||
|
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
|
||||||
|
<Product Id="*"
|
||||||
|
UpgradeCode="23f90fdd-9328-47ea-ab52-5380855a4b12"
|
||||||
|
Name="cloudflared"
|
||||||
|
Version="$(var.Version)"
|
||||||
|
Manufacturer="cloudflare"
|
||||||
|
Language="1033">
|
||||||
|
|
||||||
|
<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package" InstallScope="perMachine" />
|
||||||
|
|
||||||
|
<Media Id="1" Cabinet="product.cab" EmbedCab="yes" />
|
||||||
|
|
||||||
|
<MajorUpgrade DowngradeErrorMessage="A later version of [ProductName] is already installed. Setup will now exit." />
|
||||||
|
|
||||||
|
<Upgrade Id="23f90fdd-9328-47ea-ab52-5380855a4b12">
|
||||||
|
<UpgradeVersion Minimum="$(var.Version)" OnlyDetect="yes" Property="NEWERVERSIONDETECTED" />
|
||||||
|
<UpgradeVersion Minimum="2020.8.0" Maximum="$(var.Version)" IncludeMinimum="yes" IncludeMaximum="no"
|
||||||
|
Property="OLDERVERSIONBEINGUPGRADED" />
|
||||||
|
</Upgrade>
|
||||||
|
<Condition Message="A newer version of this software is already installed.">NOT NEWERVERSIONDETECTED</Condition>
|
||||||
|
|
||||||
|
<Directory Id="TARGETDIR" Name="SourceDir">
|
||||||
|
<!--This specifies where the cloudflared.exe is moved to in the windows Operation System-->
|
||||||
|
<Directory Id="$(var.Program_Files)">
|
||||||
|
<Directory Id="INSTALLDIR" Name="cloudflared">
|
||||||
|
<Component Id="ApplicationFiles" Guid="35e5e858-9372-4449-bf73-1cd6f7267128">
|
||||||
|
<File Id="ApplicationFile0" Source="$(var.Path)" />
|
||||||
|
</Component>
|
||||||
|
</Directory>
|
||||||
|
</Directory>
|
||||||
|
<Component Id="ENVS" Guid="6bb74449-d10d-4f4a-933e-6fc9fa006eae">
|
||||||
|
<!--Set the cloudflared bin location to the Path Environment Variable-->
|
||||||
|
<Environment Id="ENV0"
|
||||||
|
Name="PATH"
|
||||||
|
Value="[INSTALLDIR]"
|
||||||
|
Permanent="no"
|
||||||
|
Part="last"
|
||||||
|
Action="create"
|
||||||
|
System="yes" />
|
||||||
|
</Component>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
|
||||||
|
<Feature Id='Complete' Level='1'>
|
||||||
|
<ComponentRef Id="ENVS" />
|
||||||
|
<ComponentRef Id='ApplicationFiles' />
|
||||||
|
</Feature>
|
||||||
|
|
||||||
|
</Product>
|
||||||
|
</Wix>
|
|
@ -1,22 +1,27 @@
|
||||||
package access
|
package access
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/carrier"
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
|
||||||
"github.com/cloudflare/cloudflared/h2mux"
|
|
||||||
"github.com/cloudflare/cloudflared/logger"
|
|
||||||
"github.com/cloudflare/cloudflared/validation"
|
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/carrier"
|
||||||
|
"github.com/cloudflare/cloudflared/config"
|
||||||
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
|
"github.com/cloudflare/cloudflared/stream"
|
||||||
|
"github.com/cloudflare/cloudflared/validation"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
LogFieldHost = "host"
|
LogFieldHost = "host"
|
||||||
|
cfAccessClientIDHeader = "Cf-Access-Client-Id"
|
||||||
|
cfAccessClientSecretHeader = "Cf-Access-Client-Secret"
|
||||||
)
|
)
|
||||||
|
|
||||||
// StartForwarder starts a client side websocket forward
|
// StartForwarder starts a client side websocket forward
|
||||||
|
@ -29,16 +34,15 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
|
||||||
// get the headers from the config file and add to the request
|
// get the headers from the config file and add to the request
|
||||||
headers := make(http.Header)
|
headers := make(http.Header)
|
||||||
if forwarder.TokenClientID != "" {
|
if forwarder.TokenClientID != "" {
|
||||||
headers.Set(h2mux.CFAccessClientIDHeader, forwarder.TokenClientID)
|
headers.Set(cfAccessClientIDHeader, forwarder.TokenClientID)
|
||||||
}
|
}
|
||||||
|
|
||||||
if forwarder.TokenSecret != "" {
|
if forwarder.TokenSecret != "" {
|
||||||
headers.Set(h2mux.CFAccessClientSecretHeader, forwarder.TokenSecret)
|
headers.Set(cfAccessClientSecretHeader, forwarder.TokenSecret)
|
||||||
}
|
}
|
||||||
|
headers.Set("User-Agent", userAgent)
|
||||||
|
|
||||||
if forwarder.Destination != "" {
|
carrier.SetBastionDest(headers, forwarder.Destination)
|
||||||
headers.Add(h2mux.CFJumpDestinationHeader, forwarder.Destination)
|
|
||||||
}
|
|
||||||
|
|
||||||
options := &carrier.StartOptions{
|
options := &carrier.StartOptions{
|
||||||
OriginURL: forwarder.URL,
|
OriginURL: forwarder.URL,
|
||||||
|
@ -46,7 +50,7 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
|
||||||
}
|
}
|
||||||
|
|
||||||
// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
|
// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
|
||||||
wsConn := carrier.NewWSConnection(log, false)
|
wsConn := carrier.NewWSConnection(log)
|
||||||
|
|
||||||
log.Info().Str(LogFieldHost, validURL.Host).Msg("Start Websocket listener")
|
log.Info().Str(LogFieldHost, validURL.Host).Msg("Start Websocket listener")
|
||||||
return carrier.StartForwarder(wsConn, validURL.Host, shutdown, options)
|
return carrier.StartForwarder(wsConn, validURL.Host, shutdown, options)
|
||||||
|
@ -57,37 +61,60 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
|
||||||
// useful for proxying other protocols (like ssh) over websockets
|
// useful for proxying other protocols (like ssh) over websockets
|
||||||
// (which you can put Access in front of)
|
// (which you can put Access in front of)
|
||||||
func ssh(c *cli.Context) error {
|
func ssh(c *cli.Context) error {
|
||||||
log := logger.CreateSSHLoggerFromContext(c, logger.EnableTerminalLog)
|
// If not running as a forwarder, disable terminal logs as it collides with the stdin/stdout of the parent process
|
||||||
|
outputTerminal := logger.DisableTerminalLog
|
||||||
|
if c.IsSet(sshURLFlag) {
|
||||||
|
outputTerminal = logger.EnableTerminalLog
|
||||||
|
}
|
||||||
|
log := logger.CreateSSHLoggerFromContext(c, outputTerminal)
|
||||||
|
|
||||||
// get the hostname from the cmdline and error out if its not provided
|
// get the hostname from the cmdline and error out if its not provided
|
||||||
rawHostName := c.String(sshHostnameFlag)
|
rawHostName := c.String(sshHostnameFlag)
|
||||||
hostname, err := validation.ValidateHostname(rawHostName)
|
url, err := parseURL(rawHostName)
|
||||||
if err != nil || rawHostName == "" {
|
if err != nil {
|
||||||
|
log.Err(err).Send()
|
||||||
return cli.ShowCommandHelp(c, "ssh")
|
return cli.ShowCommandHelp(c, "ssh")
|
||||||
}
|
}
|
||||||
originURL := ensureURLScheme(hostname)
|
|
||||||
|
|
||||||
// get the headers from the cmdline and add them
|
// get the headers from the cmdline and add them
|
||||||
headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
|
headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
|
||||||
if c.IsSet(sshTokenIDFlag) {
|
if c.IsSet(sshTokenIDFlag) {
|
||||||
headers.Set(h2mux.CFAccessClientIDHeader, c.String(sshTokenIDFlag))
|
headers.Set(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
|
||||||
}
|
}
|
||||||
if c.IsSet(sshTokenSecretFlag) {
|
if c.IsSet(sshTokenSecretFlag) {
|
||||||
headers.Set(h2mux.CFAccessClientSecretHeader, c.String(sshTokenSecretFlag))
|
headers.Set(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
|
||||||
}
|
}
|
||||||
|
headers.Set("User-Agent", userAgent)
|
||||||
|
|
||||||
destination := c.String(sshDestinationFlag)
|
carrier.SetBastionDest(headers, c.String(sshDestinationFlag))
|
||||||
if destination != "" {
|
|
||||||
headers.Add(h2mux.CFJumpDestinationHeader, destination)
|
|
||||||
}
|
|
||||||
|
|
||||||
options := &carrier.StartOptions{
|
options := &carrier.StartOptions{
|
||||||
OriginURL: originURL,
|
OriginURL: url.String(),
|
||||||
Headers: headers,
|
Headers: headers,
|
||||||
|
Host: url.Host,
|
||||||
|
}
|
||||||
|
|
||||||
|
if connectTo := c.String(sshConnectTo); connectTo != "" {
|
||||||
|
parts := strings.Split(connectTo, ":")
|
||||||
|
switch len(parts) {
|
||||||
|
case 1:
|
||||||
|
options.OriginURL = fmt.Sprintf("https://%s", parts[0])
|
||||||
|
case 2:
|
||||||
|
options.OriginURL = fmt.Sprintf("https://%s:%s", parts[0], parts[1])
|
||||||
|
case 3:
|
||||||
|
options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
|
||||||
|
options.TLSClientConfig = &tls.Config{
|
||||||
|
InsecureSkipVerify: true,
|
||||||
|
ServerName: parts[0],
|
||||||
|
}
|
||||||
|
log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
|
||||||
|
default:
|
||||||
|
return fmt.Errorf("invalid connection override: %s", connectTo)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
|
// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
|
||||||
wsConn := carrier.NewWSConnection(log, false)
|
wsConn := carrier.NewWSConnection(log)
|
||||||
|
|
||||||
if c.NArg() > 0 || c.IsSet(sshURLFlag) {
|
if c.NArg() > 0 || c.IsSet(sshURLFlag) {
|
||||||
forwarder, err := config.ValidateUrl(c, true)
|
forwarder, err := config.ValidateUrl(c, true)
|
||||||
|
@ -95,7 +122,6 @@ func ssh(c *cli.Context) error {
|
||||||
log.Err(err).Msg("Error validating origin URL")
|
log.Err(err).Msg("Error validating origin URL")
|
||||||
return errors.Wrap(err, "error validating origin URL")
|
return errors.Wrap(err, "error validating origin URL")
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Info().Str(LogFieldHost, forwarder.Host).Msg("Start Websocket listener")
|
log.Info().Str(LogFieldHost, forwarder.Host).Msg("Start Websocket listener")
|
||||||
err = carrier.StartForwarder(wsConn, forwarder.Host, shutdownC, options)
|
err = carrier.StartForwarder(wsConn, forwarder.Host, shutdownC, options)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -104,16 +130,17 @@ func ssh(c *cli.Context) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
return carrier.StartClient(wsConn, &carrier.StdinoutStream{}, options)
|
var s io.ReadWriter
|
||||||
}
|
s = &carrier.StdinoutStream{}
|
||||||
|
if c.IsSet(sshDebugStream) {
|
||||||
func buildRequestHeaders(values []string) http.Header {
|
maxMessages := c.Uint64(sshDebugStream)
|
||||||
headers := make(http.Header)
|
if maxMessages == 0 {
|
||||||
for _, valuePair := range values {
|
// default to 10 if provided but unset
|
||||||
split := strings.Split(valuePair, ":")
|
maxMessages = 10
|
||||||
if len(split) > 1 {
|
|
||||||
headers.Add(strings.TrimSpace(split[0]), strings.TrimSpace(split[1]))
|
|
||||||
}
|
}
|
||||||
|
logger := log.With().Str("host", url.Host).Logger()
|
||||||
|
s = stream.NewDebugStream(s, &logger, maxMessages)
|
||||||
}
|
}
|
||||||
return headers
|
carrier.StartClient(wsConn, s, options)
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,18 +0,0 @@
|
||||||
package access
|
|
||||||
|
|
||||||
import (
|
|
||||||
"net/http"
|
|
||||||
"testing"
|
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestBuildRequestHeaders(t *testing.T) {
|
|
||||||
headers := make(http.Header)
|
|
||||||
headers.Add("client", "value")
|
|
||||||
headers.Add("secret", "safe-value")
|
|
||||||
|
|
||||||
values := buildRequestHeaders([]string{"client: value", "secret: safe-value", "trash"})
|
|
||||||
assert.Equal(t, headers.Get("client"), values.Get("client"))
|
|
||||||
assert.Equal(t, headers.Get("secret"), values.Get("secret"))
|
|
||||||
}
|
|
|
@ -2,30 +2,32 @@ package access
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
|
"os/exec"
|
||||||
"strings"
|
"strings"
|
||||||
"text/template"
|
"text/template"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/carrier"
|
"github.com/getsentry/sentry-go"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/shell"
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
|
|
||||||
"github.com/cloudflare/cloudflared/h2mux"
|
|
||||||
"github.com/cloudflare/cloudflared/logger"
|
|
||||||
"github.com/cloudflare/cloudflared/sshgen"
|
|
||||||
"github.com/cloudflare/cloudflared/validation"
|
|
||||||
|
|
||||||
"github.com/getsentry/raven-go"
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
"golang.org/x/net/idna"
|
"golang.org/x/net/idna"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/carrier"
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
|
"github.com/cloudflare/cloudflared/sshgen"
|
||||||
|
"github.com/cloudflare/cloudflared/token"
|
||||||
|
"github.com/cloudflare/cloudflared/validation"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
appURLFlag = "app"
|
||||||
|
loginQuietFlag = "quiet"
|
||||||
sshHostnameFlag = "hostname"
|
sshHostnameFlag = "hostname"
|
||||||
sshDestinationFlag = "destination"
|
sshDestinationFlag = "destination"
|
||||||
sshURLFlag = "url"
|
sshURLFlag = "url"
|
||||||
|
@ -33,19 +35,18 @@ const (
|
||||||
sshTokenIDFlag = "service-token-id"
|
sshTokenIDFlag = "service-token-id"
|
||||||
sshTokenSecretFlag = "service-token-secret"
|
sshTokenSecretFlag = "service-token-secret"
|
||||||
sshGenCertFlag = "short-lived-cert"
|
sshGenCertFlag = "short-lived-cert"
|
||||||
|
sshConnectTo = "connect-to"
|
||||||
|
sshDebugStream = "debug-stream"
|
||||||
sshConfigTemplate = `
|
sshConfigTemplate = `
|
||||||
Add to your {{.Home}}/.ssh/config:
|
Add to your {{.Home}}/.ssh/config:
|
||||||
|
|
||||||
Host {{.Hostname}}
|
|
||||||
{{- if .ShortLivedCerts}}
|
{{- if .ShortLivedCerts}}
|
||||||
ProxyCommand bash -c '{{.Cloudflared}} access ssh-gen --hostname %h; ssh -tt %r@cfpipe-{{.Hostname}} >&2 <&1'
|
Match host {{.Hostname}} exec "{{.Cloudflared}} access ssh-gen --hostname %h"
|
||||||
|
|
||||||
Host cfpipe-{{.Hostname}}
|
|
||||||
HostName {{.Hostname}}
|
|
||||||
ProxyCommand {{.Cloudflared}} access ssh --hostname %h
|
ProxyCommand {{.Cloudflared}} access ssh --hostname %h
|
||||||
IdentityFile ~/.cloudflared/{{.Hostname}}-cf_key
|
IdentityFile ~/.cloudflared/%h-cf_key
|
||||||
CertificateFile ~/.cloudflared/{{.Hostname}}-cf_key-cert.pub
|
CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
|
||||||
{{- else}}
|
{{- else}}
|
||||||
|
Host {{.Hostname}}
|
||||||
ProxyCommand {{.Cloudflared}} access ssh --hostname %h
|
ProxyCommand {{.Cloudflared}} access ssh --hostname %h
|
||||||
{{end}}
|
{{end}}
|
||||||
`
|
`
|
||||||
|
@ -54,12 +55,14 @@ Host cfpipe-{{.Hostname}}
|
||||||
const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
|
const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
|
||||||
|
|
||||||
var (
|
var (
|
||||||
shutdownC chan struct{}
|
shutdownC chan struct{}
|
||||||
|
userAgent = "DEV"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Init will initialize and store vars from the main program
|
// Init will initialize and store vars from the main program
|
||||||
func Init(shutdown chan struct{}) {
|
func Init(shutdown chan struct{}, version string) {
|
||||||
shutdownC = shutdown
|
shutdownC = shutdown
|
||||||
|
userAgent = fmt.Sprintf("cloudflared/%s", version)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Flags return the global flags for Access related commands (hopefully none)
|
// Flags return the global flags for Access related commands (hopefully none)
|
||||||
|
@ -81,24 +84,33 @@ func Commands() []*cli.Command {
|
||||||
applications from the command line.`,
|
applications from the command line.`,
|
||||||
Subcommands: []*cli.Command{
|
Subcommands: []*cli.Command{
|
||||||
{
|
{
|
||||||
Name: "login",
|
Name: "login",
|
||||||
Action: cliutil.ErrorHandler(login),
|
Action: cliutil.Action(login),
|
||||||
Usage: "login <url of access application>",
|
Usage: "login <url of access application>",
|
||||||
|
ArgsUsage: "url of Access application",
|
||||||
Description: `The login subcommand initiates an authentication flow with your identity provider.
|
Description: `The login subcommand initiates an authentication flow with your identity provider.
|
||||||
The subcommand will launch a browser. For headless systems, a url is provided.
|
The subcommand will launch a browser. For headless systems, a url is provided.
|
||||||
Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
|
Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
|
||||||
scoped to your identity, the application you intend to reach, and valid for a session duration set by your
|
scoped to your identity, the application you intend to reach, and valid for a session duration set by your
|
||||||
administrator. cloudflared stores the token in local storage.`,
|
administrator. cloudflared stores the token in local storage.`,
|
||||||
Flags: []cli.Flag{
|
Flags: []cli.Flag{
|
||||||
|
&cli.BoolFlag{
|
||||||
|
Name: loginQuietFlag,
|
||||||
|
Aliases: []string{"q"},
|
||||||
|
Usage: "do not print the jwt to the command line",
|
||||||
|
},
|
||||||
|
&cli.BoolFlag{
|
||||||
|
Name: "no-verbose",
|
||||||
|
Usage: "print only the jwt to stdout",
|
||||||
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: "url",
|
Name: appURLFlag,
|
||||||
Hidden: true,
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "curl",
|
Name: "curl",
|
||||||
Action: cliutil.ErrorHandler(curl),
|
Action: cliutil.Action(curl),
|
||||||
Usage: "curl [--allow-request, -ar] <url> [<curl args>...]",
|
Usage: "curl [--allow-request, -ar] <url> [<curl args>...]",
|
||||||
Description: `The curl subcommand wraps curl and automatically injects the JWT into a cf-access-token
|
Description: `The curl subcommand wraps curl and automatically injects the JWT into a cf-access-token
|
||||||
header when using curl to reach an application behind Access.`,
|
header when using curl to reach an application behind Access.`,
|
||||||
|
@ -107,19 +119,19 @@ func Commands() []*cli.Command {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "token",
|
Name: "token",
|
||||||
Action: cliutil.ErrorHandler(generateToken),
|
Action: cliutil.Action(generateToken),
|
||||||
Usage: "token -app=<url of access application>",
|
Usage: "token <url of access application>",
|
||||||
ArgsUsage: "url of Access application",
|
ArgsUsage: "url of Access application",
|
||||||
Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
|
Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
|
||||||
Flags: []cli.Flag{
|
Flags: []cli.Flag{
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: "app",
|
Name: appURLFlag,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "tcp",
|
Name: "tcp",
|
||||||
Action: cliutil.ErrorHandler(ssh),
|
Action: cliutil.Action(ssh),
|
||||||
Aliases: []string{"rdp", "ssh", "smb"},
|
Aliases: []string{"rdp", "ssh", "smb"},
|
||||||
Usage: "",
|
Usage: "",
|
||||||
ArgsUsage: "",
|
ArgsUsage: "",
|
||||||
|
@ -129,15 +141,18 @@ func Commands() []*cli.Command {
|
||||||
Name: sshHostnameFlag,
|
Name: sshHostnameFlag,
|
||||||
Aliases: []string{"tunnel-host", "T"},
|
Aliases: []string{"tunnel-host", "T"},
|
||||||
Usage: "specify the hostname of your application.",
|
Usage: "specify the hostname of your application.",
|
||||||
|
EnvVars: []string{"TUNNEL_SERVICE_HOSTNAME"},
|
||||||
},
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: sshDestinationFlag,
|
Name: sshDestinationFlag,
|
||||||
Usage: "specify the destination address of your SSH server.",
|
Usage: "specify the destination address of your SSH server.",
|
||||||
|
EnvVars: []string{"TUNNEL_SERVICE_DESTINATION"},
|
||||||
},
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: sshURLFlag,
|
Name: sshURLFlag,
|
||||||
Aliases: []string{"listener", "L"},
|
Aliases: []string{"listener", "L"},
|
||||||
Usage: "specify the host:port to forward data to Cloudflare edge.",
|
Usage: "specify the host:port to forward data to Cloudflare edge.",
|
||||||
|
EnvVars: []string{"TUNNEL_SERVICE_URL"},
|
||||||
},
|
},
|
||||||
&cli.StringSliceFlag{
|
&cli.StringSliceFlag{
|
||||||
Name: sshHeaderFlag,
|
Name: sshHeaderFlag,
|
||||||
|
@ -148,27 +163,42 @@ func Commands() []*cli.Command {
|
||||||
Name: sshTokenIDFlag,
|
Name: sshTokenIDFlag,
|
||||||
Aliases: []string{"id"},
|
Aliases: []string{"id"},
|
||||||
Usage: "specify an Access service token ID you wish to use.",
|
Usage: "specify an Access service token ID you wish to use.",
|
||||||
|
EnvVars: []string{"TUNNEL_SERVICE_TOKEN_ID"},
|
||||||
},
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: sshTokenSecretFlag,
|
Name: sshTokenSecretFlag,
|
||||||
Aliases: []string{"secret"},
|
Aliases: []string{"secret"},
|
||||||
Usage: "specify an Access service token secret you wish to use.",
|
Usage: "specify an Access service token secret you wish to use.",
|
||||||
|
EnvVars: []string{"TUNNEL_SERVICE_TOKEN_SECRET"},
|
||||||
},
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: logger.LogSSHDirectoryFlag,
|
Name: logger.LogFileFlag,
|
||||||
Aliases: []string{"logfile"}, //added to match the tunnel side
|
Usage: "Save application log to this file for reporting issues.",
|
||||||
Usage: "Save application log to this directory for reporting issues.",
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: logger.LogSSHDirectoryFlag,
|
||||||
|
Usage: "Save application log to this directory for reporting issues.",
|
||||||
},
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: logger.LogSSHLevelFlag,
|
Name: logger.LogSSHLevelFlag,
|
||||||
Aliases: []string{"loglevel"}, //added to match the tunnel side
|
Aliases: []string{"loglevel"}, //added to match the tunnel side
|
||||||
Usage: "Application logging level {fatal, error, info, debug}. ",
|
Usage: "Application logging level {debug, info, warn, error, fatal}. ",
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: sshConnectTo,
|
||||||
|
Hidden: true,
|
||||||
|
Usage: "Connect to alternate location for testing, value is host, host:port, or sni:port:host",
|
||||||
|
},
|
||||||
|
&cli.Uint64Flag{
|
||||||
|
Name: sshDebugStream,
|
||||||
|
Hidden: true,
|
||||||
|
Usage: "Writes up-to the max provided stream payloads to the logger as debug statements.",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "ssh-config",
|
Name: "ssh-config",
|
||||||
Action: cliutil.ErrorHandler(sshConfig),
|
Action: cliutil.Action(sshConfig),
|
||||||
Usage: "",
|
Usage: "",
|
||||||
Description: `Prints an example configuration ~/.ssh/config`,
|
Description: `Prints an example configuration ~/.ssh/config`,
|
||||||
Flags: []cli.Flag{
|
Flags: []cli.Flag{
|
||||||
|
@ -184,7 +214,7 @@ func Commands() []*cli.Command {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "ssh-gen",
|
Name: "ssh-gen",
|
||||||
Action: cliutil.ErrorHandler(sshGen),
|
Action: cliutil.Action(sshGen),
|
||||||
Usage: "",
|
Usage: "",
|
||||||
Description: `Generates a short lived certificate for given hostname`,
|
Description: `Generates a short lived certificate for given hostname`,
|
||||||
Flags: []cli.Flag{
|
Flags: []cli.Flag{
|
||||||
|
@ -201,25 +231,33 @@ func Commands() []*cli.Command {
|
||||||
|
|
||||||
// login pops up the browser window to do the actual login and JWT generation
|
// login pops up the browser window to do the actual login and JWT generation
|
||||||
func login(c *cli.Context) error {
|
func login(c *cli.Context) error {
|
||||||
if err := raven.SetDSN(sentryDSN); err != nil {
|
err := sentry.Init(sentry.ClientOptions{
|
||||||
|
Dsn: sentryDSN,
|
||||||
|
Release: c.App.Version,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
||||||
|
|
||||||
args := c.Args()
|
appURL, err := getAppURLFromArgs(c)
|
||||||
rawURL := ensureURLScheme(args.First())
|
if err != nil {
|
||||||
appURL, err := url.Parse(rawURL)
|
|
||||||
if args.Len() < 1 || err != nil {
|
|
||||||
log.Error().Msg("Please provide the url of the Access application")
|
log.Error().Msg("Please provide the url of the Access application")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := verifyTokenAtEdge(appURL, c, log); err != nil {
|
|
||||||
|
appInfo, err := token.GetAppInfo(appURL)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {
|
||||||
log.Err(err).Msg("Could not verify token")
|
log.Err(err).Msg("Could not verify token")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
cfdToken, err := token.GetAppTokenIfExists(appURL)
|
cfdToken, err := token.GetAppTokenIfExists(appInfo)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Fprintln(os.Stderr, "Unable to find token for provided application.")
|
fmt.Fprintln(os.Stderr, "Unable to find token for provided application.")
|
||||||
return err
|
return err
|
||||||
|
@ -227,24 +265,29 @@ func login(c *cli.Context) error {
|
||||||
fmt.Fprintln(os.Stderr, "token for provided application was empty.")
|
fmt.Fprintln(os.Stderr, "token for provided application was empty.")
|
||||||
return errors.New("empty application token")
|
return errors.New("empty application token")
|
||||||
}
|
}
|
||||||
fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
|
|
||||||
|
if c.Bool(loginQuietFlag) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Chatty by default for backward compat. The new --app flag
|
||||||
|
// is an implicit opt-out of the backwards-compatible chatty output.
|
||||||
|
if c.Bool("no-verbose") || c.IsSet(appURLFlag) {
|
||||||
|
fmt.Fprint(os.Stdout, cfdToken)
|
||||||
|
} else {
|
||||||
|
fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// ensureURLScheme prepends a URL with https:// if it doesnt have a scheme. http:// URLs will not be converted.
|
|
||||||
func ensureURLScheme(url string) string {
|
|
||||||
url = strings.Replace(strings.ToLower(url), "http://", "https://", 1)
|
|
||||||
if !strings.HasPrefix(url, "https://") {
|
|
||||||
url = fmt.Sprintf("https://%s", url)
|
|
||||||
|
|
||||||
}
|
|
||||||
return url
|
|
||||||
}
|
|
||||||
|
|
||||||
// curl provides a wrapper around curl, passing Access JWT along in request
|
// curl provides a wrapper around curl, passing Access JWT along in request
|
||||||
func curl(c *cli.Context) error {
|
func curl(c *cli.Context) error {
|
||||||
if err := raven.SetDSN(sentryDSN); err != nil {
|
err := sentry.Init(sentry.ClientOptions{
|
||||||
|
Dsn: sentryDSN,
|
||||||
|
Release: c.App.Version,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
||||||
|
@ -261,13 +304,24 @@ func curl(c *cli.Context) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
tok, err := token.GetAppTokenIfExists(appURL)
|
appInfo, err := token.GetAppInfo(appURL)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify that the existing token is still good; if not fetch a new one
|
||||||
|
if err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {
|
||||||
|
log.Err(err).Msg("Could not verify token")
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
tok, err := token.GetAppTokenIfExists(appInfo)
|
||||||
if err != nil || tok == "" {
|
if err != nil || tok == "" {
|
||||||
if allowRequest {
|
if allowRequest {
|
||||||
log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
|
log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
|
||||||
return shell.Run("curl", cmdArgs...)
|
return run("curl", cmdArgs...)
|
||||||
}
|
}
|
||||||
tok, err = token.FetchToken(appURL, log)
|
tok, err = token.FetchToken(appURL, appInfo, log)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Err(err).Msg("Failed to refresh token")
|
log.Err(err).Msg("Failed to refresh token")
|
||||||
return err
|
return err
|
||||||
|
@ -275,21 +329,63 @@ func curl(c *cli.Context) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
cmdArgs = append(cmdArgs, "-H")
|
cmdArgs = append(cmdArgs, "-H")
|
||||||
cmdArgs = append(cmdArgs, fmt.Sprintf("%s: %s", h2mux.CFAccessTokenHeader, tok))
|
cmdArgs = append(cmdArgs, fmt.Sprintf("%s: %s", carrier.CFAccessTokenHeader, tok))
|
||||||
return shell.Run("curl", cmdArgs...)
|
return run("curl", cmdArgs...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// run kicks off a shell task and pipe the results to the respective std pipes
|
||||||
|
func run(cmd string, args ...string) error {
|
||||||
|
c := exec.Command(cmd, args...)
|
||||||
|
c.Stdin = os.Stdin
|
||||||
|
stderr, err := c.StderrPipe()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
go func() {
|
||||||
|
io.Copy(os.Stderr, stderr)
|
||||||
|
}()
|
||||||
|
|
||||||
|
stdout, err := c.StdoutPipe()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
go func() {
|
||||||
|
io.Copy(os.Stdout, stdout)
|
||||||
|
}()
|
||||||
|
return c.Run()
|
||||||
|
}
|
||||||
|
|
||||||
|
func getAppURLFromArgs(c *cli.Context) (*url.URL, error) {
|
||||||
|
var appURLStr string
|
||||||
|
args := c.Args()
|
||||||
|
if args.Len() < 1 {
|
||||||
|
appURLStr = c.String(appURLFlag)
|
||||||
|
} else {
|
||||||
|
appURLStr = args.First()
|
||||||
|
}
|
||||||
|
return parseURL(appURLStr)
|
||||||
}
|
}
|
||||||
|
|
||||||
// token dumps provided token to stdout
|
// token dumps provided token to stdout
|
||||||
func generateToken(c *cli.Context) error {
|
func generateToken(c *cli.Context) error {
|
||||||
if err := raven.SetDSN(sentryDSN); err != nil {
|
err := sentry.Init(sentry.ClientOptions{
|
||||||
|
Dsn: sentryDSN,
|
||||||
|
Release: c.App.Version,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
appURL, err := url.Parse(c.String("app"))
|
appURL, err := getAppURLFromArgs(c)
|
||||||
if err != nil || c.NumFlags() < 1 {
|
if err != nil {
|
||||||
fmt.Fprintln(os.Stderr, "Please provide a url.")
|
fmt.Fprintln(os.Stderr, "Please provide a url.")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
tok, err := token.GetAppTokenIfExists(appURL)
|
|
||||||
|
appInfo, err := token.GetAppInfo(appURL)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
tok, err := token.GetAppTokenIfExists(appInfo)
|
||||||
if err != nil || tok == "" {
|
if err != nil || tok == "" {
|
||||||
fmt.Fprintln(os.Stderr, "Unable to find token for provided application. Please run login command to generate token.")
|
fmt.Fprintln(os.Stderr, "Unable to find token for provided application. Please run login command to generate token.")
|
||||||
return err
|
return err
|
||||||
|
@ -332,7 +428,7 @@ func sshGen(c *cli.Context) error {
|
||||||
return cli.ShowCommandHelp(c, "ssh-gen")
|
return cli.ShowCommandHelp(c, "ssh-gen")
|
||||||
}
|
}
|
||||||
|
|
||||||
originURL, err := url.Parse(ensureURLScheme(hostname))
|
originURL, err := parseURL(hostname)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -340,7 +436,12 @@ func sshGen(c *cli.Context) error {
|
||||||
// this fetchToken function mutates the appURL param. We should refactor that
|
// this fetchToken function mutates the appURL param. We should refactor that
|
||||||
fetchTokenURL := &url.URL{}
|
fetchTokenURL := &url.URL{}
|
||||||
*fetchTokenURL = *originURL
|
*fetchTokenURL = *originURL
|
||||||
cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, log)
|
|
||||||
|
appInfo, err := token.GetAppInfo(fetchTokenURL)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, log)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -352,7 +453,7 @@ func sshGen(c *cli.Context) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// getAppURL will pull the appURL needed for fetching a user's Access token
|
// getAppURL will pull the request URL needed for fetching a user's Access token
|
||||||
func getAppURL(cmdArgs []string, log *zerolog.Logger) (*url.URL, error) {
|
func getAppURL(cmdArgs []string, log *zerolog.Logger) (*url.URL, error) {
|
||||||
if len(cmdArgs) < 1 {
|
if len(cmdArgs) < 1 {
|
||||||
log.Error().Msg("Please provide a valid URL as the first argument to curl.")
|
log.Error().Msg("Please provide a valid URL as the first argument to curl.")
|
||||||
|
@ -406,6 +507,11 @@ func processURL(s string) (*url.URL, error) {
|
||||||
|
|
||||||
// cloudflaredPath pulls the full path of cloudflared on disk
|
// cloudflaredPath pulls the full path of cloudflared on disk
|
||||||
func cloudflaredPath() string {
|
func cloudflaredPath() string {
|
||||||
|
path, err := os.Executable()
|
||||||
|
if err == nil && isFileThere(path) {
|
||||||
|
return path
|
||||||
|
}
|
||||||
|
|
||||||
for _, p := range strings.Split(os.Getenv("PATH"), ":") {
|
for _, p := range strings.Split(os.Getenv("PATH"), ":") {
|
||||||
path := fmt.Sprintf("%s/%s", p, "cloudflared")
|
path := fmt.Sprintf("%s/%s", p, "cloudflared")
|
||||||
if isFileThere(path) {
|
if isFileThere(path) {
|
||||||
|
@ -427,15 +533,15 @@ func isFileThere(candidate string) bool {
|
||||||
// verifyTokenAtEdge checks for a token on disk, or generates a new one.
|
// verifyTokenAtEdge checks for a token on disk, or generates a new one.
|
||||||
// Then makes a request to to the origin with the token to ensure it is valid.
|
// Then makes a request to to the origin with the token to ensure it is valid.
|
||||||
// Returns nil if token is valid.
|
// Returns nil if token is valid.
|
||||||
func verifyTokenAtEdge(appUrl *url.URL, c *cli.Context, log *zerolog.Logger) error {
|
func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {
|
||||||
headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
|
headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
|
||||||
if c.IsSet(sshTokenIDFlag) {
|
if c.IsSet(sshTokenIDFlag) {
|
||||||
headers.Add(h2mux.CFAccessClientIDHeader, c.String(sshTokenIDFlag))
|
headers.Add(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
|
||||||
}
|
}
|
||||||
if c.IsSet(sshTokenSecretFlag) {
|
if c.IsSet(sshTokenSecretFlag) {
|
||||||
headers.Add(h2mux.CFAccessClientSecretHeader, c.String(sshTokenSecretFlag))
|
headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
|
||||||
}
|
}
|
||||||
options := &carrier.StartOptions{OriginURL: appUrl.String(), Headers: headers}
|
options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers}
|
||||||
|
|
||||||
if valid, err := isTokenValid(options, log); err != nil {
|
if valid, err := isTokenValid(options, log); err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -443,7 +549,7 @@ func verifyTokenAtEdge(appUrl *url.URL, c *cli.Context, log *zerolog.Logger) err
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := token.RemoveTokenIfExists(appUrl); err != nil {
|
if err := token.RemoveTokenIfExists(appInfo); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -462,6 +568,11 @@ func isTokenValid(options *carrier.StartOptions, log *zerolog.Logger) (bool, err
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false, errors.Wrap(err, "Could not create access request")
|
return false, errors.Wrap(err, "Could not create access request")
|
||||||
}
|
}
|
||||||
|
req.Header.Set("User-Agent", userAgent)
|
||||||
|
|
||||||
|
query := req.URL.Query()
|
||||||
|
query.Set("cloudflared_token_check", "true")
|
||||||
|
req.URL.RawQuery = query.Encode()
|
||||||
|
|
||||||
// Do not follow redirects
|
// Do not follow redirects
|
||||||
client := &http.Client{
|
client := &http.Client{
|
||||||
|
|
|
@ -1,25 +0,0 @@
|
||||||
package access
|
|
||||||
|
|
||||||
import "testing"
|
|
||||||
|
|
||||||
func Test_ensureURLScheme(t *testing.T) {
|
|
||||||
type args struct {
|
|
||||||
url string
|
|
||||||
}
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args args
|
|
||||||
want string
|
|
||||||
}{
|
|
||||||
{"no scheme", args{"localhost:123"}, "https://localhost:123"},
|
|
||||||
{"http scheme", args{"http://test"}, "https://test"},
|
|
||||||
{"https scheme", args{"https://test"}, "https://test"},
|
|
||||||
}
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
if got := ensureURLScheme(tt.args.url); got != tt.want {
|
|
||||||
t.Errorf("ensureURLScheme() = %v, want %v", got, tt.want)
|
|
||||||
}
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -0,0 +1,55 @@
|
||||||
|
package access
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"golang.org/x/net/http/httpguts"
|
||||||
|
)
|
||||||
|
|
||||||
|
// parseRequestHeaders will take user-provided header values as strings "Content-Type: application/json" and create
|
||||||
|
// a http.Header object.
|
||||||
|
func parseRequestHeaders(values []string) http.Header {
|
||||||
|
headers := make(http.Header)
|
||||||
|
for _, valuePair := range values {
|
||||||
|
header, value, found := strings.Cut(valuePair, ":")
|
||||||
|
if found {
|
||||||
|
headers.Add(strings.TrimSpace(header), strings.TrimSpace(value))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return headers
|
||||||
|
}
|
||||||
|
|
||||||
|
// parseHostname will attempt to convert a user provided URL string into a string with some light error checking on
|
||||||
|
// certain expectations from the URL.
|
||||||
|
// Will convert all HTTP URLs to HTTPS
|
||||||
|
func parseURL(input string) (*url.URL, error) {
|
||||||
|
if input == "" {
|
||||||
|
return nil, errors.New("no input provided")
|
||||||
|
}
|
||||||
|
if !strings.HasPrefix(input, "https://") && !strings.HasPrefix(input, "http://") {
|
||||||
|
input = fmt.Sprintf("https://%s", input)
|
||||||
|
}
|
||||||
|
url, err := url.ParseRequestURI(input)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to parse as URL: %w", err)
|
||||||
|
}
|
||||||
|
if url.Scheme != "https" {
|
||||||
|
url.Scheme = "https"
|
||||||
|
}
|
||||||
|
if url.Host == "" {
|
||||||
|
return nil, errors.New("failed to parse Host")
|
||||||
|
}
|
||||||
|
host, err := httpguts.PunycodeHostPort(url.Host)
|
||||||
|
if err != nil || host == "" {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if !httpguts.ValidHostHeader(host) {
|
||||||
|
return nil, errors.New("invalid Host provided")
|
||||||
|
}
|
||||||
|
url.Host = host
|
||||||
|
return url, nil
|
||||||
|
}
|
|
@ -0,0 +1,80 @@
|
||||||
|
package access
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestParseRequestHeaders(t *testing.T) {
|
||||||
|
values := parseRequestHeaders([]string{"client: value", "secret: safe-value", "trash", "cf-trace-id: 000:000:0:1:asd"})
|
||||||
|
assert.Len(t, values, 3)
|
||||||
|
assert.Equal(t, "value", values.Get("client"))
|
||||||
|
assert.Equal(t, "safe-value", values.Get("secret"))
|
||||||
|
assert.Equal(t, "000:000:0:1:asd", values.Get("cf-trace-id"))
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestParseURL(t *testing.T) {
|
||||||
|
schemes := []string{
|
||||||
|
"http://",
|
||||||
|
"https://",
|
||||||
|
"",
|
||||||
|
}
|
||||||
|
hosts := []struct {
|
||||||
|
input string
|
||||||
|
expected string
|
||||||
|
}{
|
||||||
|
{"localhost", "localhost"},
|
||||||
|
{"127.0.0.1", "127.0.0.1"},
|
||||||
|
{"127.0.0.1:9090", "127.0.0.1:9090"},
|
||||||
|
{"::1", "::1"},
|
||||||
|
{"::1:8080", "::1:8080"},
|
||||||
|
{"[::1]", "[::1]"},
|
||||||
|
{"[::1]:8080", "[::1]:8080"},
|
||||||
|
{":8080", ":8080"},
|
||||||
|
{"example.com", "example.com"},
|
||||||
|
{"hello.example.com", "hello.example.com"},
|
||||||
|
{"bücher.example.com", "xn--bcher-kva.example.com"},
|
||||||
|
}
|
||||||
|
paths := []string{
|
||||||
|
"",
|
||||||
|
"/test",
|
||||||
|
"/example.com?qwe=123",
|
||||||
|
}
|
||||||
|
for i, scheme := range schemes {
|
||||||
|
for j, host := range hosts {
|
||||||
|
for k, path := range paths {
|
||||||
|
t.Run(fmt.Sprintf("%d_%d_%d", i, j, k), func(t *testing.T) {
|
||||||
|
input := fmt.Sprintf("%s%s%s", scheme, host.input, path)
|
||||||
|
expected := fmt.Sprintf("%s%s%s", "https://", host.expected, path)
|
||||||
|
url, err := parseURL(input)
|
||||||
|
assert.NoError(t, err, "input: %s\texpected: %s", input, expected)
|
||||||
|
assert.Equal(t, expected, url.String())
|
||||||
|
assert.Equal(t, host.expected, url.Host)
|
||||||
|
assert.Equal(t, "https", url.Scheme)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
t.Run("no input", func(t *testing.T) {
|
||||||
|
_, err := parseURL("")
|
||||||
|
assert.ErrorContains(t, err, "no input provided")
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("missing host", func(t *testing.T) {
|
||||||
|
_, err := parseURL("https:///host")
|
||||||
|
assert.ErrorContains(t, err, "failed to parse Host")
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("invalid path only", func(t *testing.T) {
|
||||||
|
_, err := parseURL("/host")
|
||||||
|
assert.ErrorContains(t, err, "failed to parse Host")
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("invalid parse URL", func(t *testing.T) {
|
||||||
|
_, err := parseURL("https://host\\host")
|
||||||
|
assert.ErrorContains(t, err, "failed to parse as URL")
|
||||||
|
})
|
||||||
|
}
|
|
@ -1,10 +1,10 @@
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
|
||||||
|
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
|
||||||
|
"github.com/cloudflare/cloudflared/config"
|
||||||
)
|
)
|
||||||
|
|
||||||
// ForwardServiceType is used to identify what kind of overwatch service this is
|
// ForwardServiceType is used to identify what kind of overwatch service this is
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
|
||||||
"github.com/cloudflare/cloudflared/tunneldns"
|
|
||||||
|
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/config"
|
||||||
|
"github.com/cloudflare/cloudflared/tunneldns"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
|
||||||
"github.com/cloudflare/cloudflared/overwatch"
|
|
||||||
|
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/config"
|
||||||
|
"github.com/cloudflare/cloudflared/overwatch"
|
||||||
)
|
)
|
||||||
|
|
||||||
// AppService is the main service that runs when no command lines flags are passed to cloudflared
|
// AppService is the main service that runs when no command lines flags are passed to cloudflared
|
||||||
|
|
|
@ -1,27 +0,0 @@
|
||||||
package buildinfo
|
|
||||||
|
|
||||||
import (
|
|
||||||
"github.com/rs/zerolog"
|
|
||||||
"runtime"
|
|
||||||
)
|
|
||||||
|
|
||||||
type BuildInfo struct {
|
|
||||||
GoOS string `json:"go_os"`
|
|
||||||
GoVersion string `json:"go_version"`
|
|
||||||
GoArch string `json:"go_arch"`
|
|
||||||
CloudflaredVersion string `json:"cloudflared_version"`
|
|
||||||
}
|
|
||||||
|
|
||||||
func GetBuildInfo(cloudflaredVersion string) *BuildInfo {
|
|
||||||
return &BuildInfo{
|
|
||||||
GoOS: runtime.GOOS,
|
|
||||||
GoVersion: runtime.Version(),
|
|
||||||
GoArch: runtime.GOARCH,
|
|
||||||
CloudflaredVersion: cloudflaredVersion,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (bi *BuildInfo) Log(log *zerolog.Logger) {
|
|
||||||
log.Info().Msgf("Version %s", bi.CloudflaredVersion)
|
|
||||||
log.Info().Msgf("GOOS: %s, GOVersion: %s, GoArch: %s", bi.GoOS, bi.GoVersion, bi.GoArch)
|
|
||||||
}
|
|
|
@ -0,0 +1,83 @@
|
||||||
|
package cliutil
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/sha256"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"os"
|
||||||
|
"runtime"
|
||||||
|
|
||||||
|
"github.com/rs/zerolog"
|
||||||
|
)
|
||||||
|
|
||||||
|
type BuildInfo struct {
|
||||||
|
GoOS string `json:"go_os"`
|
||||||
|
GoVersion string `json:"go_version"`
|
||||||
|
GoArch string `json:"go_arch"`
|
||||||
|
BuildType string `json:"build_type"`
|
||||||
|
CloudflaredVersion string `json:"cloudflared_version"`
|
||||||
|
Checksum string `json:"checksum"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func GetBuildInfo(buildType, version string) *BuildInfo {
|
||||||
|
return &BuildInfo{
|
||||||
|
GoOS: runtime.GOOS,
|
||||||
|
GoVersion: runtime.Version(),
|
||||||
|
GoArch: runtime.GOARCH,
|
||||||
|
BuildType: buildType,
|
||||||
|
CloudflaredVersion: version,
|
||||||
|
Checksum: currentBinaryChecksum(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (bi *BuildInfo) Log(log *zerolog.Logger) {
|
||||||
|
log.Info().Msgf("Version %s (Checksum %s)", bi.CloudflaredVersion, bi.Checksum)
|
||||||
|
if bi.BuildType != "" {
|
||||||
|
log.Info().Msgf("Built%s", bi.GetBuildTypeMsg())
|
||||||
|
}
|
||||||
|
log.Info().Msgf("GOOS: %s, GOVersion: %s, GoArch: %s", bi.GoOS, bi.GoVersion, bi.GoArch)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (bi *BuildInfo) OSArch() string {
|
||||||
|
return fmt.Sprintf("%s_%s", bi.GoOS, bi.GoArch)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (bi *BuildInfo) Version() string {
|
||||||
|
return bi.CloudflaredVersion
|
||||||
|
}
|
||||||
|
|
||||||
|
func (bi *BuildInfo) GetBuildTypeMsg() string {
|
||||||
|
if bi.BuildType == "" {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
return fmt.Sprintf(" with %s", bi.BuildType)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (bi *BuildInfo) UserAgent() string {
|
||||||
|
return fmt.Sprintf("cloudflared/%s", bi.CloudflaredVersion)
|
||||||
|
}
|
||||||
|
|
||||||
|
// FileChecksum opens a file and returns the SHA256 checksum.
|
||||||
|
func FileChecksum(filePath string) (string, error) {
|
||||||
|
f, err := os.Open(filePath)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
defer f.Close()
|
||||||
|
|
||||||
|
h := sha256.New()
|
||||||
|
if _, err := io.Copy(h, f); err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
return fmt.Sprintf("%x", h.Sum(nil)), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func currentBinaryChecksum() string {
|
||||||
|
currentPath, err := os.Executable()
|
||||||
|
if err != nil {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
sum, _ := FileChecksum(currentPath)
|
||||||
|
return sum
|
||||||
|
}
|
|
@ -9,13 +9,13 @@ import (
|
||||||
func RemovedCommand(name string) *cli.Command {
|
func RemovedCommand(name string) *cli.Command {
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: name,
|
Name: name,
|
||||||
Action: ErrorHandler(func(context *cli.Context) error {
|
Action: func(context *cli.Context) error {
|
||||||
return cli.Exit(
|
return cli.Exit(
|
||||||
fmt.Sprintf("%s command is no longer supported by cloudflared. Consult Argo Tunnel documentation for possible alternative solutions.", name),
|
fmt.Sprintf("%s command is no longer supported by cloudflared. Consult Cloudflare Tunnel documentation for possible alternative solutions.", name),
|
||||||
-1,
|
-1,
|
||||||
)
|
)
|
||||||
}),
|
},
|
||||||
Description: fmt.Sprintf("%s is deprecated", name),
|
Description: fmt.Sprintf("%s is deprecated", name),
|
||||||
Hidden: true,
|
Hidden: true,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,6 +2,7 @@ package cliutil
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -21,7 +22,7 @@ func UsageError(format string, args ...interface{}) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Ensures exit with error code if actionFunc returns an error
|
// Ensures exit with error code if actionFunc returns an error
|
||||||
func ErrorHandler(actionFunc cli.ActionFunc) cli.ActionFunc {
|
func WithErrorHandler(actionFunc cli.ActionFunc) cli.ActionFunc {
|
||||||
return func(ctx *cli.Context) error {
|
return func(ctx *cli.Context) error {
|
||||||
err := actionFunc(ctx)
|
err := actionFunc(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -0,0 +1,50 @@
|
||||||
|
package cliutil
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/urfave/cli/v2"
|
||||||
|
"github.com/urfave/cli/v2/altsrc"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/config"
|
||||||
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
|
)
|
||||||
|
|
||||||
|
func Action(actionFunc cli.ActionFunc) cli.ActionFunc {
|
||||||
|
return WithErrorHandler(actionFunc)
|
||||||
|
}
|
||||||
|
|
||||||
|
func ConfiguredAction(actionFunc cli.ActionFunc) cli.ActionFunc {
|
||||||
|
// Adapt actionFunc to the type signature required by ConfiguredActionWithWarnings
|
||||||
|
f := func(context *cli.Context, _ string) error {
|
||||||
|
return actionFunc(context)
|
||||||
|
}
|
||||||
|
|
||||||
|
return ConfiguredActionWithWarnings(f)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Just like ConfiguredAction, but accepts a second parameter with configuration warnings.
|
||||||
|
func ConfiguredActionWithWarnings(actionFunc func(*cli.Context, string) error) cli.ActionFunc {
|
||||||
|
return WithErrorHandler(func(c *cli.Context) error {
|
||||||
|
warnings, err := setFlagsFromConfigFile(c)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return actionFunc(c, warnings)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func setFlagsFromConfigFile(c *cli.Context) (configWarnings string, err error) {
|
||||||
|
const errorExitCode = 1
|
||||||
|
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
||||||
|
inputSource, warnings, err := config.ReadConfigFile(c, log)
|
||||||
|
if err != nil {
|
||||||
|
if err == config.ErrNoConfigFile {
|
||||||
|
return "", nil
|
||||||
|
}
|
||||||
|
return "", cli.Exit(err, errorExitCode)
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := altsrc.ApplyInputSource(c, inputSource); err != nil {
|
||||||
|
return "", cli.Exit(err, errorExitCode)
|
||||||
|
}
|
||||||
|
return warnings, nil
|
||||||
|
}
|
|
@ -0,0 +1,51 @@
|
||||||
|
package cliutil
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/urfave/cli/v2"
|
||||||
|
"github.com/urfave/cli/v2/altsrc"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
|
||||||
|
"This can expose sensitive information in your logs."
|
||||||
|
)
|
||||||
|
|
||||||
|
func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
|
||||||
|
return []cli.Flag{
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: logger.LogLevelFlag,
|
||||||
|
Value: "info",
|
||||||
|
Usage: "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
|
||||||
|
EnvVars: []string{"TUNNEL_LOGLEVEL"},
|
||||||
|
Hidden: shouldHide,
|
||||||
|
}),
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: logger.LogTransportLevelFlag,
|
||||||
|
Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
|
||||||
|
Value: "info",
|
||||||
|
Usage: "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
|
||||||
|
EnvVars: []string{"TUNNEL_PROTO_LOGLEVEL", "TUNNEL_TRANSPORT_LOGLEVEL"},
|
||||||
|
Hidden: shouldHide,
|
||||||
|
}),
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: logger.LogFileFlag,
|
||||||
|
Usage: "Save application log to this file for reporting issues.",
|
||||||
|
EnvVars: []string{"TUNNEL_LOGFILE"},
|
||||||
|
Hidden: shouldHide,
|
||||||
|
}),
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: logger.LogDirectoryFlag,
|
||||||
|
Usage: "Save application log to this directory for reporting issues.",
|
||||||
|
EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
|
||||||
|
Hidden: shouldHide,
|
||||||
|
}),
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: "trace-output",
|
||||||
|
Usage: "Name of trace output file, generated when cloudflared stops.",
|
||||||
|
EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
|
||||||
|
Hidden: shouldHide,
|
||||||
|
}),
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,30 @@
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/rs/zerolog"
|
||||||
|
"github.com/urfave/cli/v2"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
|
||||||
|
)
|
||||||
|
|
||||||
|
func buildArgsForToken(c *cli.Context, log *zerolog.Logger) ([]string, error) {
|
||||||
|
token := c.Args().First()
|
||||||
|
if _, err := tunnel.ParseToken(token); err != nil {
|
||||||
|
return nil, cliutil.UsageError("Provided tunnel token is not valid (%s).", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return []string{
|
||||||
|
"tunnel", "run", "--token", token,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func getServiceExtraArgsFromCliArgs(c *cli.Context, log *zerolog.Logger) ([]string, error) {
|
||||||
|
if c.NArg() > 0 {
|
||||||
|
// currently, we only support extra args for token
|
||||||
|
return buildArgsForToken(c, log)
|
||||||
|
} else {
|
||||||
|
// empty extra args
|
||||||
|
return make([]string, 0), nil
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,76 +0,0 @@
|
||||||
package config
|
|
||||||
|
|
||||||
import (
|
|
||||||
"testing"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
|
||||||
"gopkg.in/yaml.v2"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestConfigFileSettings(t *testing.T) {
|
|
||||||
var (
|
|
||||||
firstIngress = UnvalidatedIngressRule{
|
|
||||||
Hostname: "tunnel1.example.com",
|
|
||||||
Path: "/id",
|
|
||||||
Service: "https://localhost:8000",
|
|
||||||
}
|
|
||||||
secondIngress = UnvalidatedIngressRule{
|
|
||||||
Hostname: "*",
|
|
||||||
Path: "",
|
|
||||||
Service: "https://localhost:8001",
|
|
||||||
}
|
|
||||||
)
|
|
||||||
rawYAML := `
|
|
||||||
tunnel: config-file-test
|
|
||||||
ingress:
|
|
||||||
- hostname: tunnel1.example.com
|
|
||||||
path: /id
|
|
||||||
service: https://localhost:8000
|
|
||||||
- hostname: "*"
|
|
||||||
service: https://localhost:8001
|
|
||||||
retries: 5
|
|
||||||
grace-period: 30s
|
|
||||||
percentage: 3.14
|
|
||||||
hostname: example.com
|
|
||||||
tag:
|
|
||||||
- test
|
|
||||||
- central-1
|
|
||||||
counters:
|
|
||||||
- 123
|
|
||||||
- 456
|
|
||||||
`
|
|
||||||
var config configFileSettings
|
|
||||||
err := yaml.Unmarshal([]byte(rawYAML), &config)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
|
|
||||||
assert.Equal(t, "config-file-test", config.TunnelID)
|
|
||||||
assert.Equal(t, firstIngress, config.Ingress[0])
|
|
||||||
assert.Equal(t, secondIngress, config.Ingress[1])
|
|
||||||
|
|
||||||
retries, err := config.Int("retries")
|
|
||||||
assert.NoError(t, err)
|
|
||||||
assert.Equal(t, 5, retries)
|
|
||||||
|
|
||||||
gracePeriod, err := config.Duration("grace-period")
|
|
||||||
assert.NoError(t, err)
|
|
||||||
assert.Equal(t, time.Second*30, gracePeriod)
|
|
||||||
|
|
||||||
percentage, err := config.Float64("percentage")
|
|
||||||
assert.NoError(t, err)
|
|
||||||
assert.Equal(t, 3.14, percentage)
|
|
||||||
|
|
||||||
hostname, err := config.String("hostname")
|
|
||||||
assert.NoError(t, err)
|
|
||||||
assert.Equal(t, "example.com", hostname)
|
|
||||||
|
|
||||||
tags, err := config.StringSlice("tag")
|
|
||||||
assert.NoError(t, err)
|
|
||||||
assert.Equal(t, "test", tags[0])
|
|
||||||
assert.Equal(t, "central-1", tags[1])
|
|
||||||
|
|
||||||
counters, err := config.IntSlice("counters")
|
|
||||||
assert.NoError(t, err)
|
|
||||||
assert.Equal(t, 123, counters[0])
|
|
||||||
assert.Equal(t, 456, counters[1])
|
|
||||||
}
|
|
|
@ -1,5 +0,0 @@
|
||||||
// +build fips
|
|
||||||
|
|
||||||
package main
|
|
||||||
|
|
||||||
import _ "crypto/tls/fipsonly"
|
|
|
@ -1,4 +1,4 @@
|
||||||
// +build !windows,!darwin,!linux
|
//go:build !windows && !darwin && !linux
|
||||||
|
|
||||||
package main
|
package main
|
||||||
|
|
||||||
|
|
|
@ -1,41 +1,37 @@
|
||||||
// +build linux
|
//go:build linux
|
||||||
|
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
|
|
||||||
"github.com/cloudflare/cloudflared/logger"
|
|
||||||
|
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
|
||||||
|
"github.com/cloudflare/cloudflared/config"
|
||||||
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
)
|
)
|
||||||
|
|
||||||
func runApp(app *cli.App, graceShutdownC chan struct{}) {
|
func runApp(app *cli.App, graceShutdownC chan struct{}) {
|
||||||
app.Commands = append(app.Commands, &cli.Command{
|
app.Commands = append(app.Commands, &cli.Command{
|
||||||
Name: "service",
|
Name: "service",
|
||||||
Usage: "Manages the Argo Tunnel system service",
|
Usage: "Manages the cloudflared system service",
|
||||||
Subcommands: []*cli.Command{
|
Subcommands: []*cli.Command{
|
||||||
{
|
{
|
||||||
Name: "install",
|
Name: "install",
|
||||||
Usage: "Install Argo Tunnel as a system service",
|
Usage: "Install cloudflared as a system service",
|
||||||
Action: cliutil.ErrorHandler(installLinuxService),
|
Action: cliutil.ConfiguredAction(installLinuxService),
|
||||||
Flags: []cli.Flag{
|
Flags: []cli.Flag{
|
||||||
&cli.BoolFlag{
|
noUpdateServiceFlag,
|
||||||
Name: "legacy",
|
|
||||||
Usage: "Generate service file for non-named tunnels",
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "uninstall",
|
Name: "uninstall",
|
||||||
Usage: "Uninstall the Argo Tunnel service",
|
Usage: "Uninstall the cloudflared service",
|
||||||
Action: cliutil.ErrorHandler(uninstallLinuxService),
|
Action: cliutil.ConfiguredAction(uninstallLinuxService),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
|
@ -45,23 +41,27 @@ func runApp(app *cli.App, graceShutdownC chan struct{}) {
|
||||||
// The directory and files that are used by the service.
|
// The directory and files that are used by the service.
|
||||||
// These are hard-coded in the templates below.
|
// These are hard-coded in the templates below.
|
||||||
const (
|
const (
|
||||||
serviceConfigDir = "/etc/cloudflared"
|
serviceConfigDir = "/etc/cloudflared"
|
||||||
serviceConfigFile = "config.yml"
|
serviceConfigFile = "config.yml"
|
||||||
serviceCredentialFile = "cert.pem"
|
serviceCredentialFile = "cert.pem"
|
||||||
serviceConfigPath = serviceConfigDir + "/" + serviceConfigFile
|
serviceConfigPath = serviceConfigDir + "/" + serviceConfigFile
|
||||||
|
cloudflaredService = "cloudflared.service"
|
||||||
|
cloudflaredUpdateService = "cloudflared-update.service"
|
||||||
|
cloudflaredUpdateTimer = "cloudflared-update.timer"
|
||||||
)
|
)
|
||||||
|
|
||||||
var systemdTemplates = []ServiceTemplate{
|
var systemdAllTemplates = map[string]ServiceTemplate{
|
||||||
{
|
cloudflaredService: {
|
||||||
Path: "/etc/systemd/system/cloudflared.service",
|
Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredService),
|
||||||
Content: `[Unit]
|
Content: `[Unit]
|
||||||
Description=Argo Tunnel
|
Description=cloudflared
|
||||||
After=network.target
|
After=network-online.target
|
||||||
|
Wants=network-online.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
TimeoutStartSec=0
|
TimeoutStartSec=0
|
||||||
Type=notify
|
Type=notify
|
||||||
ExecStart={{ .Path }} --config /etc/cloudflared/config.yml --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
|
ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
RestartSec=5s
|
RestartSec=5s
|
||||||
|
|
||||||
|
@ -69,20 +69,21 @@ RestartSec=5s
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
`,
|
`,
|
||||||
},
|
},
|
||||||
{
|
cloudflaredUpdateService: {
|
||||||
Path: "/etc/systemd/system/cloudflared-update.service",
|
Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredUpdateService),
|
||||||
Content: `[Unit]
|
Content: `[Unit]
|
||||||
Description=Update Argo Tunnel
|
Description=Update cloudflared
|
||||||
After=network.target
|
After=network-online.target
|
||||||
|
Wants=network-online.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=/bin/bash -c '{{ .Path }} update; code=$?; if [ $code -eq 11 ]; then systemctl restart cloudflared; exit 0; fi; exit $code'
|
ExecStart=/bin/bash -c '{{ .Path }} update; code=$?; if [ $code -eq 11 ]; then systemctl restart cloudflared; exit 0; fi; exit $code'
|
||||||
`,
|
`,
|
||||||
},
|
},
|
||||||
{
|
cloudflaredUpdateTimer: {
|
||||||
Path: "/etc/systemd/system/cloudflared-update.timer",
|
Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredUpdateTimer),
|
||||||
Content: `[Unit]
|
Content: `[Unit]
|
||||||
Description=Update Argo Tunnel
|
Description=Update cloudflared
|
||||||
|
|
||||||
[Timer]
|
[Timer]
|
||||||
OnCalendar=daily
|
OnCalendar=daily
|
||||||
|
@ -99,7 +100,7 @@ var sysvTemplate = ServiceTemplate{
|
||||||
Content: `#!/bin/sh
|
Content: `#!/bin/sh
|
||||||
# For RedHat and cousins:
|
# For RedHat and cousins:
|
||||||
# chkconfig: 2345 99 01
|
# chkconfig: 2345 99 01
|
||||||
# description: Argo Tunnel agent
|
# description: cloudflared
|
||||||
# processname: {{.Path}}
|
# processname: {{.Path}}
|
||||||
### BEGIN INIT INFO
|
### BEGIN INIT INFO
|
||||||
# Provides: {{.Path}}
|
# Provides: {{.Path}}
|
||||||
|
@ -107,11 +108,11 @@ var sysvTemplate = ServiceTemplate{
|
||||||
# Required-Stop:
|
# Required-Stop:
|
||||||
# Default-Start: 2 3 4 5
|
# Default-Start: 2 3 4 5
|
||||||
# Default-Stop: 0 1 6
|
# Default-Stop: 0 1 6
|
||||||
# Short-Description: Argo Tunnel
|
# Short-Description: cloudflared
|
||||||
# Description: Argo Tunnel agent
|
# Description: cloudflared agent
|
||||||
### END INIT INFO
|
### END INIT INFO
|
||||||
name=$(basename $(readlink -f $0))
|
name=$(basename $(readlink -f $0))
|
||||||
cmd="{{.Path}} --config /etc/cloudflared/config.yml --pidfile /var/run/$name.pid --autoupdate-freq 24h0m0s{{ range .ExtraArgs }} {{ . }}{{ end }}"
|
cmd="{{.Path}} --pidfile /var/run/$name.pid {{ range .ExtraArgs }} {{ . }}{{ end }}"
|
||||||
pid_file="/var/run/$name.pid"
|
pid_file="/var/run/$name.pid"
|
||||||
stdout_log="/var/log/$name.log"
|
stdout_log="/var/log/$name.log"
|
||||||
stderr_log="/var/log/$name.err"
|
stderr_log="/var/log/$name.err"
|
||||||
|
@ -183,6 +184,14 @@ exit 0
|
||||||
`,
|
`,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
noUpdateServiceFlag = &cli.BoolFlag{
|
||||||
|
Name: "no-update-service",
|
||||||
|
Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
|
||||||
|
Value: false,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
func isSystemd() bool {
|
func isSystemd() bool {
|
||||||
if _, err := os.Stat("/run/systemd/system"); err == nil {
|
if _, err := os.Stat("/run/systemd/system"); err == nil {
|
||||||
return true
|
return true
|
||||||
|
@ -190,27 +199,6 @@ func isSystemd() bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
func copyUserConfiguration(userConfigDir, userConfigFile, userCredentialFile string, log *zerolog.Logger) error {
|
|
||||||
srcCredentialPath := filepath.Join(userConfigDir, userCredentialFile)
|
|
||||||
destCredentialPath := filepath.Join(serviceConfigDir, serviceCredentialFile)
|
|
||||||
if srcCredentialPath != destCredentialPath {
|
|
||||||
if err := copyCredential(srcCredentialPath, destCredentialPath); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
srcConfigPath := filepath.Join(userConfigDir, userConfigFile)
|
|
||||||
destConfigPath := filepath.Join(serviceConfigDir, serviceConfigFile)
|
|
||||||
if srcConfigPath != destConfigPath {
|
|
||||||
if err := copyConfig(srcConfigPath, destConfigPath); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
log.Info().Msgf("Copied %s to %s", srcConfigPath, destConfigPath)
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func installLinuxService(c *cli.Context) error {
|
func installLinuxService(c *cli.Context) error {
|
||||||
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
||||||
|
|
||||||
|
@ -222,64 +210,88 @@ func installLinuxService(c *cli.Context) error {
|
||||||
Path: etPath,
|
Path: etPath,
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := ensureConfigDirExists(serviceConfigDir); err != nil {
|
// Check if the "no update flag" is set
|
||||||
|
autoUpdate := !c.IsSet(noUpdateServiceFlag.Name)
|
||||||
|
|
||||||
|
var extraArgsFunc func(c *cli.Context, log *zerolog.Logger) ([]string, error)
|
||||||
|
if c.NArg() == 0 {
|
||||||
|
extraArgsFunc = buildArgsForConfig
|
||||||
|
} else {
|
||||||
|
extraArgsFunc = buildArgsForToken
|
||||||
|
}
|
||||||
|
|
||||||
|
extraArgs, err := extraArgsFunc(c, log)
|
||||||
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if c.Bool("legacy") {
|
|
||||||
userConfigDir := filepath.Dir(c.String("config"))
|
|
||||||
userConfigFile := filepath.Base(c.String("config"))
|
|
||||||
userCredentialFile := config.DefaultCredentialFile
|
|
||||||
if err = copyUserConfiguration(userConfigDir, userConfigFile, userCredentialFile, log); err != nil {
|
|
||||||
log.Err(err).Msgf("Failed to copy user configuration. Before running the service, ensure that %s contains two files, %s and %s",
|
|
||||||
serviceConfigDir, serviceCredentialFile, serviceConfigFile)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
templateArgs.ExtraArgs = []string{
|
|
||||||
"--origincert", serviceConfigDir + "/" + serviceCredentialFile,
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
src, err := config.ReadConfigFile(c, log)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// can't use context because this command doesn't define "credentials-file" flag
|
templateArgs.ExtraArgs = extraArgs
|
||||||
configPresent := func(s string) bool {
|
|
||||||
val, err := src.String(s)
|
|
||||||
return err == nil && val != ""
|
|
||||||
}
|
|
||||||
if src.TunnelID == "" || !configPresent(tunnel.CredFileFlag) {
|
|
||||||
return fmt.Errorf(`Configuration file %s must contain entries for the tunnel to run and its associated credentials:
|
|
||||||
tunnel: TUNNEL-UUID
|
|
||||||
credentials-file: CREDENTIALS-FILE
|
|
||||||
`, src.Source())
|
|
||||||
}
|
|
||||||
if src.Source() != serviceConfigPath {
|
|
||||||
if exists, err := config.FileExists(serviceConfigPath); err != nil || exists {
|
|
||||||
return fmt.Errorf("Possible conflicting configuration in %[1]s and %[2]s. Either remove %[2]s or run `cloudflared --config %[2]s service install`", src.Source(), serviceConfigPath)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := copyFile(src.Source(), serviceConfigPath); err != nil {
|
|
||||||
return fmt.Errorf("failed to copy %s to %s: %w", src.Source(), serviceConfigPath, err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
templateArgs.ExtraArgs = []string{
|
|
||||||
"tunnel", "run",
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
switch {
|
switch {
|
||||||
case isSystemd():
|
case isSystemd():
|
||||||
log.Info().Msgf("Using Systemd")
|
log.Info().Msgf("Using Systemd")
|
||||||
return installSystemd(&templateArgs, log)
|
err = installSystemd(&templateArgs, autoUpdate, log)
|
||||||
default:
|
default:
|
||||||
log.Info().Msgf("Using SysV")
|
log.Info().Msgf("Using SysV")
|
||||||
return installSysv(&templateArgs, log)
|
err = installSysv(&templateArgs, autoUpdate, log)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err == nil {
|
||||||
|
log.Info().Msg("Linux service for cloudflared installed successfully")
|
||||||
|
}
|
||||||
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func installSystemd(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) error {
|
func buildArgsForConfig(c *cli.Context, log *zerolog.Logger) ([]string, error) {
|
||||||
|
if err := ensureConfigDirExists(serviceConfigDir); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
src, _, err := config.ReadConfigFile(c, log)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// can't use context because this command doesn't define "credentials-file" flag
|
||||||
|
configPresent := func(s string) bool {
|
||||||
|
val, err := src.String(s)
|
||||||
|
return err == nil && val != ""
|
||||||
|
}
|
||||||
|
if src.TunnelID == "" || !configPresent(tunnel.CredFileFlag) {
|
||||||
|
return nil, fmt.Errorf(`Configuration file %s must contain entries for the tunnel to run and its associated credentials:
|
||||||
|
tunnel: TUNNEL-UUID
|
||||||
|
credentials-file: CREDENTIALS-FILE
|
||||||
|
`, src.Source())
|
||||||
|
}
|
||||||
|
if src.Source() != serviceConfigPath {
|
||||||
|
if exists, err := config.FileExists(serviceConfigPath); err != nil || exists {
|
||||||
|
return nil, fmt.Errorf("Possible conflicting configuration in %[1]s and %[2]s. Either remove %[2]s or run `cloudflared --config %[2]s service install`", src.Source(), serviceConfigPath)
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := copyFile(src.Source(), serviceConfigPath); err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to copy %s to %s: %w", src.Source(), serviceConfigPath, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return []string{
|
||||||
|
"--config", "/etc/cloudflared/config.yml", "tunnel", "run",
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func installSystemd(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {
|
||||||
|
var systemdTemplates []ServiceTemplate
|
||||||
|
if autoUpdate {
|
||||||
|
systemdTemplates = []ServiceTemplate{
|
||||||
|
systemdAllTemplates[cloudflaredService],
|
||||||
|
systemdAllTemplates[cloudflaredUpdateService],
|
||||||
|
systemdAllTemplates[cloudflaredUpdateTimer],
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
systemdTemplates = []ServiceTemplate{
|
||||||
|
systemdAllTemplates[cloudflaredService],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
for _, serviceTemplate := range systemdTemplates {
|
for _, serviceTemplate := range systemdTemplates {
|
||||||
err := serviceTemplate.Generate(templateArgs)
|
err := serviceTemplate.Generate(templateArgs)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -287,24 +299,38 @@ func installSystemd(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) erro
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if err := runCommand("systemctl", "enable", "cloudflared.service"); err != nil {
|
if err := runCommand("systemctl", "enable", cloudflaredService); err != nil {
|
||||||
log.Err(err).Msg("systemctl enable cloudflared.service error")
|
log.Err(err).Msgf("systemctl enable %s error", cloudflaredService)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := runCommand("systemctl", "start", "cloudflared-update.timer"); err != nil {
|
|
||||||
log.Err(err).Msg("systemctl start cloudflared-update.timer error")
|
if autoUpdate {
|
||||||
|
if err := runCommand("systemctl", "start", cloudflaredUpdateTimer); err != nil {
|
||||||
|
log.Err(err).Msgf("systemctl start %s error", cloudflaredUpdateTimer)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := runCommand("systemctl", "daemon-reload"); err != nil {
|
||||||
|
log.Err(err).Msg("systemctl daemon-reload error")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
log.Info().Msg("systemctl daemon-reload")
|
return runCommand("systemctl", "start", cloudflaredService)
|
||||||
return runCommand("systemctl", "daemon-reload")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func installSysv(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) error {
|
func installSysv(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {
|
||||||
confPath, err := sysvTemplate.ResolvePath()
|
confPath, err := sysvTemplate.ResolvePath()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Err(err).Msg("error resolving system path")
|
log.Err(err).Msg("error resolving system path")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if autoUpdate {
|
||||||
|
templateArgs.ExtraArgs = append([]string{"--autoupdate-freq 24h0m0s"}, templateArgs.ExtraArgs...)
|
||||||
|
} else {
|
||||||
|
templateArgs.ExtraArgs = append([]string{"--no-autoupdate"}, templateArgs.ExtraArgs...)
|
||||||
|
}
|
||||||
|
|
||||||
if err := sysvTemplate.Generate(templateArgs); err != nil {
|
if err := sysvTemplate.Generate(templateArgs); err != nil {
|
||||||
log.Err(err).Msg("error generating system template")
|
log.Err(err).Msg("error generating system template")
|
||||||
return err
|
return err
|
||||||
|
@ -319,42 +345,75 @@ func installSysv(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) error {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return runCommand("service", "cloudflared", "start")
|
||||||
}
|
}
|
||||||
|
|
||||||
func uninstallLinuxService(c *cli.Context) error {
|
func uninstallLinuxService(c *cli.Context) error {
|
||||||
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
||||||
|
|
||||||
|
var err error
|
||||||
switch {
|
switch {
|
||||||
case isSystemd():
|
case isSystemd():
|
||||||
log.Info().Msg("Using Systemd")
|
log.Info().Msg("Using Systemd")
|
||||||
return uninstallSystemd(log)
|
err = uninstallSystemd(log)
|
||||||
default:
|
default:
|
||||||
log.Info().Msg("Using SysV")
|
log.Info().Msg("Using SysV")
|
||||||
return uninstallSysv(log)
|
err = uninstallSysv(log)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err == nil {
|
||||||
|
log.Info().Msg("Linux service for cloudflared uninstalled successfully")
|
||||||
|
}
|
||||||
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func uninstallSystemd(log *zerolog.Logger) error {
|
func uninstallSystemd(log *zerolog.Logger) error {
|
||||||
if err := runCommand("systemctl", "disable", "cloudflared.service"); err != nil {
|
// Get only the installed services
|
||||||
log.Err(err).Msg("systemctl disable cloudflared.service error")
|
installedServices := make(map[string]ServiceTemplate)
|
||||||
return err
|
for serviceName, serviceTemplate := range systemdAllTemplates {
|
||||||
|
if err := runCommand("systemctl", "list-units", "--all", "|", "grep", serviceName); err == nil {
|
||||||
|
installedServices[serviceName] = serviceTemplate
|
||||||
|
} else {
|
||||||
|
log.Info().Msgf("Service '%s' not installed, skipping its uninstall", serviceName)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if err := runCommand("systemctl", "stop", "cloudflared-update.timer"); err != nil {
|
|
||||||
log.Err(err).Msg("systemctl stop cloudflared-update.timer error")
|
if _, exists := installedServices[cloudflaredService]; exists {
|
||||||
return err
|
if err := runCommand("systemctl", "disable", cloudflaredService); err != nil {
|
||||||
|
log.Err(err).Msgf("systemctl disable %s error", cloudflaredService)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err := runCommand("systemctl", "stop", cloudflaredService); err != nil {
|
||||||
|
log.Err(err).Msgf("systemctl stop %s error", cloudflaredService)
|
||||||
|
return err
|
||||||
|
}
|
||||||
}
|
}
|
||||||
for _, serviceTemplate := range systemdTemplates {
|
|
||||||
|
if _, exists := installedServices[cloudflaredUpdateTimer]; exists {
|
||||||
|
if err := runCommand("systemctl", "stop", cloudflaredUpdateTimer); err != nil {
|
||||||
|
log.Err(err).Msgf("systemctl stop %s error", cloudflaredUpdateTimer)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, serviceTemplate := range installedServices {
|
||||||
if err := serviceTemplate.Remove(); err != nil {
|
if err := serviceTemplate.Remove(); err != nil {
|
||||||
log.Err(err).Msg("error removing service template")
|
log.Err(err).Msg("error removing service template")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
log.Info().Msgf("Successfully uninstalled cloudflared service from systemd")
|
if err := runCommand("systemctl", "daemon-reload"); err != nil {
|
||||||
|
log.Err(err).Msg("systemctl daemon-reload error")
|
||||||
|
return err
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func uninstallSysv(log *zerolog.Logger) error {
|
func uninstallSysv(log *zerolog.Logger) error {
|
||||||
|
if err := runCommand("service", "cloudflared", "stop"); err != nil {
|
||||||
|
log.Err(err).Msg("service cloudflared stop error")
|
||||||
|
return err
|
||||||
|
}
|
||||||
if err := sysvTemplate.Remove(); err != nil {
|
if err := sysvTemplate.Remove(); err != nil {
|
||||||
log.Err(err).Msg("error removing service template")
|
log.Err(err).Msg("error removing service template")
|
||||||
return err
|
return err
|
||||||
|
@ -369,6 +428,5 @@ func uninstallSysv(log *zerolog.Logger) error {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
log.Info().Msgf("Successfully uninstalled cloudflared service from sysv")
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
// +build darwin
|
//go:build darwin
|
||||||
|
|
||||||
package main
|
package main
|
||||||
|
|
||||||
|
@ -6,11 +6,11 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
|
||||||
"github.com/cloudflare/cloudflared/logger"
|
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -20,17 +20,17 @@ const (
|
||||||
func runApp(app *cli.App, graceShutdownC chan struct{}) {
|
func runApp(app *cli.App, graceShutdownC chan struct{}) {
|
||||||
app.Commands = append(app.Commands, &cli.Command{
|
app.Commands = append(app.Commands, &cli.Command{
|
||||||
Name: "service",
|
Name: "service",
|
||||||
Usage: "Manages the Argo Tunnel launch agent",
|
Usage: "Manages the cloudflared launch agent",
|
||||||
Subcommands: []*cli.Command{
|
Subcommands: []*cli.Command{
|
||||||
{
|
{
|
||||||
Name: "install",
|
Name: "install",
|
||||||
Usage: "Install Argo Tunnel as an user launch agent",
|
Usage: "Install cloudflared as an user launch agent",
|
||||||
Action: cliutil.ErrorHandler(installLaunchd),
|
Action: cliutil.ConfiguredAction(installLaunchd),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "uninstall",
|
Name: "uninstall",
|
||||||
Usage: "Uninstall the Argo Tunnel launch agent",
|
Usage: "Uninstall the cloudflared launch agent",
|
||||||
Action: cliutil.ErrorHandler(uninstallLaunchd),
|
Action: cliutil.ConfiguredAction(uninstallLaunchd),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
|
@ -49,6 +49,9 @@ func newLaunchdTemplate(installPath, stdoutPath, stderrPath string) *ServiceTemp
|
||||||
<key>ProgramArguments</key>
|
<key>ProgramArguments</key>
|
||||||
<array>
|
<array>
|
||||||
<string>{{ .Path }}</string>
|
<string>{{ .Path }}</string>
|
||||||
|
{{- range $i, $item := .ExtraArgs}}
|
||||||
|
<string>{{ $item }}</string>
|
||||||
|
{{- end}}
|
||||||
</array>
|
</array>
|
||||||
<key>RunAtLoad</key>
|
<key>RunAtLoad</key>
|
||||||
<true/>
|
<true/>
|
||||||
|
@ -110,13 +113,13 @@ func installLaunchd(c *cli.Context) error {
|
||||||
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
||||||
|
|
||||||
if isRootUser() {
|
if isRootUser() {
|
||||||
log.Info().Msg("Installing Argo Tunnel client as a system launch daemon. " +
|
log.Info().Msg("Installing cloudflared client as a system launch daemon. " +
|
||||||
"Argo Tunnel client will run at boot")
|
"cloudflared client will run at boot")
|
||||||
} else {
|
} else {
|
||||||
log.Info().Msg("Installing Argo Tunnel client as an user launch agent. " +
|
log.Info().Msg("Installing cloudflared client as an user launch agent. " +
|
||||||
"Note that Argo Tunnel client will only run when the user is logged in. " +
|
"Note that cloudflared client will only run when the user is logged in. " +
|
||||||
"If you want to run Argo Tunnel client at boot, install with root permission. " +
|
"If you want to run cloudflared client at boot, install with root permission. " +
|
||||||
"For more information, visit https://developers.cloudflare.com/argo-tunnel/reference/service/")
|
"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service")
|
||||||
}
|
}
|
||||||
etPath, err := os.Executable()
|
etPath, err := os.Executable()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -128,6 +131,13 @@ func installLaunchd(c *cli.Context) error {
|
||||||
log.Err(err).Msg("Error determining install path")
|
log.Err(err).Msg("Error determining install path")
|
||||||
return errors.Wrap(err, "Error determining install path")
|
return errors.Wrap(err, "Error determining install path")
|
||||||
}
|
}
|
||||||
|
extraArgs, err := getServiceExtraArgsFromCliArgs(c, log)
|
||||||
|
if err != nil {
|
||||||
|
errMsg := "Unable to determine extra arguments for launch daemon"
|
||||||
|
log.Err(err).Msg(errMsg)
|
||||||
|
return errors.Wrap(err, errMsg)
|
||||||
|
}
|
||||||
|
|
||||||
stdoutPath, err := stdoutPath()
|
stdoutPath, err := stdoutPath()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Err(err).Msg("error determining stdout path")
|
log.Err(err).Msg("error determining stdout path")
|
||||||
|
@ -139,7 +149,7 @@ func installLaunchd(c *cli.Context) error {
|
||||||
return errors.Wrap(err, "error determining stderr path")
|
return errors.Wrap(err, "error determining stderr path")
|
||||||
}
|
}
|
||||||
launchdTemplate := newLaunchdTemplate(installPath, stdoutPath, stderrPath)
|
launchdTemplate := newLaunchdTemplate(installPath, stdoutPath, stderrPath)
|
||||||
templateArgs := ServiceTemplateArgs{Path: etPath}
|
templateArgs := ServiceTemplateArgs{Path: etPath, ExtraArgs: extraArgs}
|
||||||
err = launchdTemplate.Generate(&templateArgs)
|
err = launchdTemplate.Generate(&templateArgs)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Err(err).Msg("error generating launchd template")
|
log.Err(err).Msg("error generating launchd template")
|
||||||
|
@ -152,16 +162,20 @@ func installLaunchd(c *cli.Context) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Info().Msgf("Outputs are logged to %s and %s", stderrPath, stdoutPath)
|
log.Info().Msgf("Outputs are logged to %s and %s", stderrPath, stdoutPath)
|
||||||
return runCommand("launchctl", "load", plistPath)
|
err = runCommand("launchctl", "load", plistPath)
|
||||||
|
if err == nil {
|
||||||
|
log.Info().Msg("MacOS service for cloudflared installed successfully")
|
||||||
|
}
|
||||||
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func uninstallLaunchd(c *cli.Context) error {
|
func uninstallLaunchd(c *cli.Context) error {
|
||||||
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
||||||
|
|
||||||
if isRootUser() {
|
if isRootUser() {
|
||||||
log.Info().Msg("Uninstalling Argo Tunnel as a system launch daemon")
|
log.Info().Msg("Uninstalling cloudflared as a system launch daemon")
|
||||||
} else {
|
} else {
|
||||||
log.Info().Msg("Uninstalling Argo Tunnel as an user launch agent")
|
log.Info().Msg("Uninstalling cloudflared as a user launch agent")
|
||||||
}
|
}
|
||||||
installPath, err := installPath()
|
installPath, err := installPath()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -183,10 +197,13 @@ func uninstallLaunchd(c *cli.Context) error {
|
||||||
}
|
}
|
||||||
err = runCommand("launchctl", "unload", plistPath)
|
err = runCommand("launchctl", "unload", plistPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Err(err).Msg("error unloading")
|
log.Err(err).Msg("error unloading launchd")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Info().Msgf("Outputs are logged to %s and %s", stderrPath, stdoutPath)
|
err = launchdTemplate.Remove()
|
||||||
return launchdTemplate.Remove()
|
if err == nil {
|
||||||
|
log.Info().Msg("Launchd for cloudflared was uninstalled successfully")
|
||||||
|
}
|
||||||
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,24 +3,29 @@ package main
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/getsentry/sentry-go"
|
||||||
|
homedir "github.com/mitchellh/go-homedir"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
"github.com/urfave/cli/v2"
|
||||||
|
"go.uber.org/automaxprocs/maxprocs"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/tail"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
|
||||||
|
"github.com/cloudflare/cloudflared/config"
|
||||||
"github.com/cloudflare/cloudflared/logger"
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
"github.com/cloudflare/cloudflared/metrics"
|
"github.com/cloudflare/cloudflared/metrics"
|
||||||
"github.com/cloudflare/cloudflared/overwatch"
|
"github.com/cloudflare/cloudflared/overwatch"
|
||||||
"github.com/cloudflare/cloudflared/tunneldns"
|
"github.com/cloudflare/cloudflared/token"
|
||||||
|
"github.com/cloudflare/cloudflared/tracing"
|
||||||
"github.com/cloudflare/cloudflared/watcher"
|
"github.com/cloudflare/cloudflared/watcher"
|
||||||
|
|
||||||
"github.com/getsentry/raven-go"
|
|
||||||
"github.com/mitchellh/go-homedir"
|
|
||||||
"github.com/pkg/errors"
|
|
||||||
"github.com/urfave/cli/v2"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -30,6 +35,7 @@ const (
|
||||||
var (
|
var (
|
||||||
Version = "DEV"
|
Version = "DEV"
|
||||||
BuildTime = "unknown"
|
BuildTime = "unknown"
|
||||||
|
BuildType = ""
|
||||||
// Mostly network errors that we don't want reported back to Sentry, this is done by substring match.
|
// Mostly network errors that we don't want reported back to Sentry, this is done by substring match.
|
||||||
ignoredErrors = []string{
|
ignoredErrors = []string{
|
||||||
"connection reset by peer",
|
"connection reset by peer",
|
||||||
|
@ -44,9 +50,13 @@ var (
|
||||||
)
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
// FIXME: TUN-8148: Disable QUIC_GO ECN due to bugs in proper detection if supported
|
||||||
|
os.Setenv("QUIC_GO_DISABLE_ECN", "1")
|
||||||
|
|
||||||
rand.Seed(time.Now().UnixNano())
|
rand.Seed(time.Now().UnixNano())
|
||||||
metrics.RegisterBuildInfo(BuildTime, Version)
|
metrics.RegisterBuildInfo(BuildType, BuildTime, Version)
|
||||||
raven.SetRelease(Version)
|
maxprocs.Set()
|
||||||
|
bInfo := cliutil.GetBuildInfo(BuildType, Version)
|
||||||
|
|
||||||
// Graceful shutdown channel used by the app. When closed, app must terminate gracefully.
|
// Graceful shutdown channel used by the app. When closed, app must terminate gracefully.
|
||||||
// Windows service manager closes this channel when it receives stop command.
|
// Windows service manager closes this channel when it receives stop command.
|
||||||
|
@ -65,24 +75,26 @@ func main() {
|
||||||
app.Copyright = fmt.Sprintf(
|
app.Copyright = fmt.Sprintf(
|
||||||
`(c) %d Cloudflare Inc.
|
`(c) %d Cloudflare Inc.
|
||||||
Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept
|
Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept
|
||||||
the terms of the Cloudflare License (https://developers.cloudflare.com/argo-tunnel/license/),
|
the terms of the Apache License Version 2.0 (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/license),
|
||||||
Terms (https://www.cloudflare.com/terms/) and Privacy Policy (https://www.cloudflare.com/privacypolicy/).`,
|
Terms (https://www.cloudflare.com/terms/) and Privacy Policy (https://www.cloudflare.com/privacypolicy/).`,
|
||||||
time.Now().Year(),
|
time.Now().Year(),
|
||||||
)
|
)
|
||||||
app.Version = fmt.Sprintf("%s (built %s)", Version, BuildTime)
|
app.Version = fmt.Sprintf("%s (built %s%s)", Version, BuildTime, bInfo.GetBuildTypeMsg())
|
||||||
app.Description = `cloudflared connects your machine or user identity to Cloudflare's global network.
|
app.Description = `cloudflared connects your machine or user identity to Cloudflare's global network.
|
||||||
You can use it to authenticate a session to reach an API behind Access, route web traffic to this machine,
|
You can use it to authenticate a session to reach an API behind Access, route web traffic to this machine,
|
||||||
and configure access control.
|
and configure access control.
|
||||||
|
|
||||||
See https://developers.cloudflare.com/argo-tunnel/ for more in-depth documentation.`
|
See https://developers.cloudflare.com/cloudflare-one/connections/connect-apps for more in-depth documentation.`
|
||||||
app.Flags = flags()
|
app.Flags = flags()
|
||||||
app.Action = action(graceShutdownC)
|
app.Action = action(graceShutdownC)
|
||||||
app.Before = tunnel.SetFlagsFromConfigFile
|
|
||||||
app.Commands = commands(cli.ShowVersion)
|
app.Commands = commands(cli.ShowVersion)
|
||||||
|
|
||||||
tunnel.Init(Version, graceShutdownC) // we need this to support the tunnel sub command...
|
tunnel.Init(bInfo, graceShutdownC) // we need this to support the tunnel sub command...
|
||||||
access.Init(graceShutdownC)
|
access.Init(graceShutdownC, Version)
|
||||||
updater.Init(Version)
|
updater.Init(bInfo)
|
||||||
|
tracing.Init(Version)
|
||||||
|
token.Init(Version)
|
||||||
|
tail.Init(bInfo)
|
||||||
runApp(app, graceShutdownC)
|
runApp(app, graceShutdownC)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -90,7 +102,7 @@ func commands(version func(c *cli.Context)) []*cli.Command {
|
||||||
cmds := []*cli.Command{
|
cmds := []*cli.Command{
|
||||||
{
|
{
|
||||||
Name: "update",
|
Name: "update",
|
||||||
Action: cliutil.ErrorHandler(updater.Update),
|
Action: cliutil.ConfiguredAction(updater.Update),
|
||||||
Usage: "Update the agent if a new version exists",
|
Usage: "Update the agent if a new version exists",
|
||||||
Flags: []cli.Flag{
|
Flags: []cli.Flag{
|
||||||
&cli.BoolFlag{
|
&cli.BoolFlag{
|
||||||
|
@ -122,16 +134,28 @@ To determine if an update happened in a script, check for error code 11.`,
|
||||||
{
|
{
|
||||||
Name: "version",
|
Name: "version",
|
||||||
Action: func(c *cli.Context) (err error) {
|
Action: func(c *cli.Context) (err error) {
|
||||||
|
if c.Bool("short") {
|
||||||
|
fmt.Println(strings.Split(c.App.Version, " ")[0])
|
||||||
|
return nil
|
||||||
|
}
|
||||||
version(c)
|
version(c)
|
||||||
return nil
|
return nil
|
||||||
},
|
},
|
||||||
Usage: versionText,
|
Usage: versionText,
|
||||||
Description: versionText,
|
Description: versionText,
|
||||||
|
Flags: []cli.Flag{
|
||||||
|
&cli.BoolFlag{
|
||||||
|
Name: "short",
|
||||||
|
Aliases: []string{"s"},
|
||||||
|
Usage: "print just the version number",
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
cmds = append(cmds, tunnel.Commands()...)
|
cmds = append(cmds, tunnel.Commands()...)
|
||||||
cmds = append(cmds, tunneldns.Command(false))
|
cmds = append(cmds, proxydns.Command(false))
|
||||||
cmds = append(cmds, access.Commands()...)
|
cmds = append(cmds, access.Commands()...)
|
||||||
|
cmds = append(cmds, tail.Command())
|
||||||
return cmds
|
return cmds
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -145,14 +169,14 @@ func isEmptyInvocation(c *cli.Context) bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
func action(graceShutdownC chan struct{}) cli.ActionFunc {
|
func action(graceShutdownC chan struct{}) cli.ActionFunc {
|
||||||
return cliutil.ErrorHandler(func(c *cli.Context) (err error) {
|
return cliutil.ConfiguredAction(func(c *cli.Context) (err error) {
|
||||||
if isEmptyInvocation(c) {
|
if isEmptyInvocation(c) {
|
||||||
return handleServiceMode(c, graceShutdownC)
|
return handleServiceMode(c, graceShutdownC)
|
||||||
}
|
}
|
||||||
tags := make(map[string]string)
|
func() {
|
||||||
tags["hostname"] = c.String("hostname")
|
defer sentry.Recover()
|
||||||
raven.SetTagsContext(tags)
|
err = tunnel.TunnelCommand(c)
|
||||||
raven.CapturePanic(func() { err = tunnel.TunnelCommand(c) }, nil)
|
}()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
captureError(err)
|
captureError(err)
|
||||||
}
|
}
|
||||||
|
@ -180,7 +204,7 @@ func captureError(err error) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
raven.CaptureError(err, nil)
|
sentry.CaptureException(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// cloudflared was started without any flags
|
// cloudflared was started without any flags
|
||||||
|
|
|
@ -0,0 +1,115 @@
|
||||||
|
package proxydns
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"net"
|
||||||
|
"os"
|
||||||
|
"os/signal"
|
||||||
|
"syscall"
|
||||||
|
|
||||||
|
"github.com/urfave/cli/v2"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
|
"github.com/cloudflare/cloudflared/metrics"
|
||||||
|
"github.com/cloudflare/cloudflared/tunneldns"
|
||||||
|
)
|
||||||
|
|
||||||
|
func Command(hidden bool) *cli.Command {
|
||||||
|
return &cli.Command{
|
||||||
|
Name: "proxy-dns",
|
||||||
|
Action: cliutil.ConfiguredAction(Run),
|
||||||
|
|
||||||
|
Usage: "Run a DNS over HTTPS proxy server.",
|
||||||
|
Flags: []cli.Flag{
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "metrics",
|
||||||
|
Value: "localhost:",
|
||||||
|
Usage: "Listen address for metrics reporting.",
|
||||||
|
EnvVars: []string{"TUNNEL_METRICS"},
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "address",
|
||||||
|
Usage: "Listen address for the DNS over HTTPS proxy server.",
|
||||||
|
Value: "localhost",
|
||||||
|
EnvVars: []string{"TUNNEL_DNS_ADDRESS"},
|
||||||
|
},
|
||||||
|
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
|
||||||
|
&cli.IntFlag{
|
||||||
|
Name: "port",
|
||||||
|
Usage: "Listen on given port for the DNS over HTTPS proxy server.",
|
||||||
|
Value: 53,
|
||||||
|
EnvVars: []string{"TUNNEL_DNS_PORT"},
|
||||||
|
},
|
||||||
|
&cli.StringSliceFlag{
|
||||||
|
Name: "upstream",
|
||||||
|
Usage: "Upstream endpoint URL, you can specify multiple endpoints for redundancy.",
|
||||||
|
Value: cli.NewStringSlice("https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query"),
|
||||||
|
EnvVars: []string{"TUNNEL_DNS_UPSTREAM"},
|
||||||
|
},
|
||||||
|
&cli.StringSliceFlag{
|
||||||
|
Name: "bootstrap",
|
||||||
|
Usage: "bootstrap endpoint URL, you can specify multiple endpoints for redundancy.",
|
||||||
|
Value: cli.NewStringSlice("https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query", "https://[2606:4700:4700::1111]/dns-query", "https://[2606:4700:4700::1001]/dns-query"),
|
||||||
|
EnvVars: []string{"TUNNEL_DNS_BOOTSTRAP"},
|
||||||
|
},
|
||||||
|
&cli.IntFlag{
|
||||||
|
Name: "max-upstream-conns",
|
||||||
|
Usage: "Maximum concurrent connections to upstream. Setting to 0 means unlimited.",
|
||||||
|
Value: tunneldns.MaxUpstreamConnsDefault,
|
||||||
|
EnvVars: []string{"TUNNEL_DNS_MAX_UPSTREAM_CONNS"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
ArgsUsage: " ", // can't be the empty string or we get the default output
|
||||||
|
Hidden: hidden,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Run implements a foreground runner
|
||||||
|
func Run(c *cli.Context) error {
|
||||||
|
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
||||||
|
|
||||||
|
metricsListener, err := net.Listen("tcp", c.String("metrics"))
|
||||||
|
if err != nil {
|
||||||
|
log.Fatal().Err(err).Msg("Failed to open the metrics listener")
|
||||||
|
}
|
||||||
|
|
||||||
|
go metrics.ServeMetrics(metricsListener, context.Background(), metrics.Config{}, log)
|
||||||
|
|
||||||
|
listener, err := tunneldns.CreateListener(
|
||||||
|
c.String("address"),
|
||||||
|
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
|
||||||
|
uint16(c.Int("port")),
|
||||||
|
c.StringSlice("upstream"),
|
||||||
|
c.StringSlice("bootstrap"),
|
||||||
|
c.Int("max-upstream-conns"),
|
||||||
|
log,
|
||||||
|
)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
log.Err(err).Msg("Failed to create the listeners")
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try to start the server
|
||||||
|
readySignal := make(chan struct{})
|
||||||
|
err = listener.Start(readySignal)
|
||||||
|
if err != nil {
|
||||||
|
log.Err(err).Msg("Failed to start the listeners")
|
||||||
|
return listener.Stop()
|
||||||
|
}
|
||||||
|
<-readySignal
|
||||||
|
|
||||||
|
// Wait for signal
|
||||||
|
signals := make(chan os.Signal, 10)
|
||||||
|
signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
|
||||||
|
defer signal.Stop(signals)
|
||||||
|
<-signals
|
||||||
|
|
||||||
|
// Shut down server
|
||||||
|
err = listener.Stop()
|
||||||
|
if err != nil {
|
||||||
|
log.Err(err).Msg("failed to stop")
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
|
@ -5,14 +5,14 @@ import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
|
"path"
|
||||||
"text/template"
|
"text/template"
|
||||||
|
|
||||||
"github.com/mitchellh/go-homedir"
|
homedir "github.com/mitchellh/go-homedir"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
"github.com/cloudflare/cloudflared/config"
|
||||||
)
|
)
|
||||||
|
|
||||||
type ServiceTemplate struct {
|
type ServiceTemplate struct {
|
||||||
|
@ -43,16 +43,27 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
if _, err = os.Stat(resolvedPath); err == nil {
|
||||||
|
return fmt.Errorf(serviceAlreadyExistsWarn(resolvedPath))
|
||||||
|
}
|
||||||
|
|
||||||
var buffer bytes.Buffer
|
var buffer bytes.Buffer
|
||||||
err = tmpl.Execute(&buffer, args)
|
err = tmpl.Execute(&buffer, args)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error generating %s: %v", st.Path, err)
|
return fmt.Errorf("error generating %s: %v", st.Path, err)
|
||||||
}
|
}
|
||||||
fileMode := os.FileMode(0644)
|
fileMode := os.FileMode(0o644)
|
||||||
if st.FileMode != 0 {
|
if st.FileMode != 0 {
|
||||||
fileMode = st.FileMode
|
fileMode = st.FileMode
|
||||||
}
|
}
|
||||||
err = ioutil.WriteFile(resolvedPath, buffer.Bytes(), fileMode)
|
|
||||||
|
plistFolder := path.Dir(resolvedPath)
|
||||||
|
err = os.MkdirAll(plistFolder, 0o755)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("error creating %s: %v", plistFolder, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
err = os.WriteFile(resolvedPath, buffer.Bytes(), fileMode)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error writing %s: %v", resolvedPath, err)
|
return fmt.Errorf("error writing %s: %v", resolvedPath, err)
|
||||||
}
|
}
|
||||||
|
@ -71,6 +82,15 @@ func (st *ServiceTemplate) Remove() error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func serviceAlreadyExistsWarn(service string) string {
|
||||||
|
return fmt.Sprintf("cloudflared service is already installed at %s; if you are running a cloudflared tunnel, you "+
|
||||||
|
"can point it to multiple origins, avoiding the need to run more than one cloudflared service in the "+
|
||||||
|
"same machine; otherwise if you are really sure, you can do `cloudflared service uninstall` to clean "+
|
||||||
|
"up the existing service and then try again this command",
|
||||||
|
service,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
func runCommand(command string, args ...string) error {
|
func runCommand(command string, args ...string) error {
|
||||||
cmd := exec.Command(command, args...)
|
cmd := exec.Command(command, args...)
|
||||||
stderr, err := cmd.StderrPipe()
|
stderr, err := cmd.StderrPipe()
|
||||||
|
@ -82,10 +102,10 @@ func runCommand(command string, args ...string) error {
|
||||||
return fmt.Errorf("error starting %s: %v", command, err)
|
return fmt.Errorf("error starting %s: %v", command, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
_, _ = ioutil.ReadAll(stderr)
|
output, _ := io.ReadAll(stderr)
|
||||||
err = cmd.Wait()
|
err = cmd.Wait()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("%s returned with error: %v", command, err)
|
return fmt.Errorf("%s %v returned with error code %v due to: %v", command, args, err, string(output))
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
//+build !windows,!darwin,!linux,!netbsd,!freebsd,!openbsd
|
|
||||||
|
|
||||||
package shell
|
|
||||||
|
|
||||||
import (
|
|
||||||
"os/exec"
|
|
||||||
)
|
|
||||||
|
|
||||||
func getBrowserCmd(url string) *exec.Cmd {
|
|
||||||
return nil
|
|
||||||
}
|
|
|
@ -1,33 +0,0 @@
|
||||||
package shell
|
|
||||||
|
|
||||||
import (
|
|
||||||
"io"
|
|
||||||
"os"
|
|
||||||
"os/exec"
|
|
||||||
)
|
|
||||||
|
|
||||||
// OpenBrowser opens the specified URL in the default browser of the user
|
|
||||||
func OpenBrowser(url string) error {
|
|
||||||
return getBrowserCmd(url).Start()
|
|
||||||
}
|
|
||||||
|
|
||||||
// Run will kick off a shell task and pipe the results to the respective std pipes
|
|
||||||
func Run(cmd string, args ...string) error {
|
|
||||||
c := exec.Command(cmd, args...)
|
|
||||||
stderr, err := c.StderrPipe()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
go func() {
|
|
||||||
io.Copy(os.Stderr, stderr)
|
|
||||||
}()
|
|
||||||
|
|
||||||
stdout, err := c.StdoutPipe()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
go func() {
|
|
||||||
io.Copy(os.Stdout, stdout)
|
|
||||||
}()
|
|
||||||
return c.Run()
|
|
||||||
}
|
|
|
@ -0,0 +1,428 @@
|
||||||
|
package tail
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"os"
|
||||||
|
"os/signal"
|
||||||
|
"syscall"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/mattn/go-colorable"
|
||||||
|
"github.com/rs/zerolog"
|
||||||
|
"github.com/urfave/cli/v2"
|
||||||
|
"nhooyr.io/websocket"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
|
"github.com/cloudflare/cloudflared/credentials"
|
||||||
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
|
"github.com/cloudflare/cloudflared/management"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
buildInfo *cliutil.BuildInfo
|
||||||
|
)
|
||||||
|
|
||||||
|
func Init(bi *cliutil.BuildInfo) {
|
||||||
|
buildInfo = bi
|
||||||
|
}
|
||||||
|
|
||||||
|
func Command() *cli.Command {
|
||||||
|
subcommands := []*cli.Command{
|
||||||
|
buildTailManagementTokenSubcommand(),
|
||||||
|
}
|
||||||
|
|
||||||
|
return buildTailCommand(subcommands)
|
||||||
|
}
|
||||||
|
|
||||||
|
func buildTailManagementTokenSubcommand() *cli.Command {
|
||||||
|
return &cli.Command{
|
||||||
|
Name: "token",
|
||||||
|
Action: cliutil.ConfiguredAction(managementTokenCommand),
|
||||||
|
Usage: "Get management access jwt",
|
||||||
|
UsageText: "cloudflared tail token TUNNEL_ID",
|
||||||
|
Description: `Get management access jwt for a tunnel`,
|
||||||
|
Hidden: true,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func managementTokenCommand(c *cli.Context) error {
|
||||||
|
log := createLogger(c)
|
||||||
|
token, err := getManagementToken(c, log)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
var tokenResponse = struct {
|
||||||
|
Token string `json:"token"`
|
||||||
|
}{Token: token}
|
||||||
|
|
||||||
|
return json.NewEncoder(os.Stdout).Encode(tokenResponse)
|
||||||
|
}
|
||||||
|
|
||||||
|
func buildTailCommand(subcommands []*cli.Command) *cli.Command {
|
||||||
|
return &cli.Command{
|
||||||
|
Name: "tail",
|
||||||
|
Action: Run,
|
||||||
|
Usage: "Stream logs from a remote cloudflared",
|
||||||
|
UsageText: "cloudflared tail [tail command options] [TUNNEL-ID]",
|
||||||
|
Flags: []cli.Flag{
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "connector-id",
|
||||||
|
Usage: "Access a specific cloudflared instance by connector id (for when a tunnel has multiple cloudflared's)",
|
||||||
|
Value: "",
|
||||||
|
EnvVars: []string{"TUNNEL_MANAGEMENT_CONNECTOR"},
|
||||||
|
},
|
||||||
|
&cli.StringSliceFlag{
|
||||||
|
Name: "event",
|
||||||
|
Usage: "Filter by specific Events (cloudflared, http, tcp, udp) otherwise, defaults to send all events",
|
||||||
|
EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_EVENTS"},
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "level",
|
||||||
|
Usage: "Filter by specific log levels (debug, info, warn, error). Filters by debug log level by default.",
|
||||||
|
EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_LEVEL"},
|
||||||
|
Value: "debug",
|
||||||
|
},
|
||||||
|
&cli.Float64Flag{
|
||||||
|
Name: "sample",
|
||||||
|
Usage: "Sample log events by percentage (0.0 .. 1.0). No sampling by default.",
|
||||||
|
EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_SAMPLE"},
|
||||||
|
Value: 1.0,
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "token",
|
||||||
|
Usage: "Access token for a specific tunnel",
|
||||||
|
Value: "",
|
||||||
|
EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "output",
|
||||||
|
Usage: "Output format for the logs (default, json)",
|
||||||
|
Value: "default",
|
||||||
|
EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT"},
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "management-hostname",
|
||||||
|
Usage: "Management hostname to signify incoming management requests",
|
||||||
|
EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
|
||||||
|
Hidden: true,
|
||||||
|
Value: "management.argotunnel.com",
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "trace",
|
||||||
|
Usage: "Set a cf-trace-id for the request",
|
||||||
|
Hidden: true,
|
||||||
|
Value: "",
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: logger.LogLevelFlag,
|
||||||
|
Value: "info",
|
||||||
|
Usage: "Application logging level {debug, info, warn, error, fatal}",
|
||||||
|
EnvVars: []string{"TUNNEL_LOGLEVEL"},
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: credentials.OriginCertFlag,
|
||||||
|
Usage: "Path to the certificate generated for your origin when you run cloudflared login.",
|
||||||
|
EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
|
||||||
|
Value: credentials.FindDefaultOriginCertPath(),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Subcommands: subcommands,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Middleware validation error struct for returning to the eyeball
|
||||||
|
type managementError struct {
|
||||||
|
Code int `json:"code,omitempty"`
|
||||||
|
Message string `json:"message,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// Middleware validation error HTTP response JSON for returning to the eyeball
|
||||||
|
type managementErrorResponse struct {
|
||||||
|
Success bool `json:"success,omitempty"`
|
||||||
|
Errors []managementError `json:"errors,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func handleValidationError(resp *http.Response, log *zerolog.Logger) {
|
||||||
|
if resp.StatusCode == 530 {
|
||||||
|
log.Error().Msgf("no cloudflared connector available or reachable via management request (a recent version of cloudflared is required to use streaming logs)")
|
||||||
|
}
|
||||||
|
var managementErr managementErrorResponse
|
||||||
|
err := json.NewDecoder(resp.Body).Decode(&managementErr)
|
||||||
|
if err != nil {
|
||||||
|
log.Error().Msgf("unable to start management log streaming session: http response code returned %d", resp.StatusCode)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if managementErr.Success || len(managementErr.Errors) == 0 {
|
||||||
|
log.Error().Msgf("management tunnel validation returned success with invalid HTTP response code to convert to a WebSocket request")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
for _, e := range managementErr.Errors {
|
||||||
|
log.Error().Msgf("management request failed validation: (%d) %s", e.Code, e.Message)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// logger will be created to emit only against the os.Stderr as to not obstruct with normal output from
|
||||||
|
// management requests
|
||||||
|
func createLogger(c *cli.Context) *zerolog.Logger {
|
||||||
|
level, levelErr := zerolog.ParseLevel(c.String(logger.LogLevelFlag))
|
||||||
|
if levelErr != nil {
|
||||||
|
level = zerolog.InfoLevel
|
||||||
|
}
|
||||||
|
log := zerolog.New(zerolog.ConsoleWriter{
|
||||||
|
Out: colorable.NewColorable(os.Stderr),
|
||||||
|
TimeFormat: time.RFC3339,
|
||||||
|
}).With().Timestamp().Logger().Level(level)
|
||||||
|
return &log
|
||||||
|
}
|
||||||
|
|
||||||
|
// parseFilters will attempt to parse provided filters to send to with the EventStartStreaming
|
||||||
|
func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
|
||||||
|
var level *management.LogLevel
|
||||||
|
var events []management.LogEventType
|
||||||
|
var sample float64
|
||||||
|
|
||||||
|
argLevel := c.String("level")
|
||||||
|
argEvents := c.StringSlice("event")
|
||||||
|
argSample := c.Float64("sample")
|
||||||
|
|
||||||
|
if argLevel != "" {
|
||||||
|
l, ok := management.ParseLogLevel(argLevel)
|
||||||
|
if !ok {
|
||||||
|
return nil, fmt.Errorf("invalid --level filter provided, please use one of the following Log Levels: debug, info, warn, error")
|
||||||
|
}
|
||||||
|
level = &l
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, v := range argEvents {
|
||||||
|
t, ok := management.ParseLogEventType(v)
|
||||||
|
if !ok {
|
||||||
|
return nil, fmt.Errorf("invalid --event filter provided, please use one of the following EventTypes: cloudflared, http, tcp, udp")
|
||||||
|
}
|
||||||
|
events = append(events, t)
|
||||||
|
}
|
||||||
|
|
||||||
|
if argSample <= 0.0 || argSample > 1.0 {
|
||||||
|
return nil, fmt.Errorf("invalid --sample value provided, please make sure it is in the range (0.0 .. 1.0)")
|
||||||
|
}
|
||||||
|
sample = argSample
|
||||||
|
|
||||||
|
if level == nil && len(events) == 0 && argSample != 1.0 {
|
||||||
|
// When no filters are provided, do not return a StreamingFilters struct
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return &management.StreamingFilters{
|
||||||
|
Level: level,
|
||||||
|
Events: events,
|
||||||
|
Sampling: sample,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// getManagementToken will make a call to the Cloudflare API to acquire a management token for the requested tunnel.
|
||||||
|
func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
|
||||||
|
userCreds, err := credentials.Read(c.String(credentials.OriginCertFlag), log)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
client, err := userCreds.Client(c.String("api-url"), buildInfo.UserAgent(), log)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
tunnelIDString := c.Args().First()
|
||||||
|
if tunnelIDString == "" {
|
||||||
|
return "", errors.New("no tunnel ID provided")
|
||||||
|
}
|
||||||
|
tunnelID, err := uuid.Parse(tunnelIDString)
|
||||||
|
if err != nil {
|
||||||
|
return "", errors.New("unable to parse provided tunnel id as a valid UUID")
|
||||||
|
}
|
||||||
|
|
||||||
|
token, err := client.GetManagementToken(tunnelID)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
return token, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// buildURL will build the management url to contain the required query parameters to authenticate the request.
|
||||||
|
func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
|
||||||
|
var err error
|
||||||
|
managementHostname := c.String("management-hostname")
|
||||||
|
token := c.String("token")
|
||||||
|
if token == "" {
|
||||||
|
token, err = getManagementToken(c, log)
|
||||||
|
if err != nil {
|
||||||
|
return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
query := url.Values{}
|
||||||
|
query.Add("access_token", token)
|
||||||
|
connector := c.String("connector-id")
|
||||||
|
if connector != "" {
|
||||||
|
connectorID, err := uuid.Parse(connector)
|
||||||
|
if err != nil {
|
||||||
|
return url.URL{}, fmt.Errorf("unabled to parse 'connector-id' flag into a valid UUID: %w", err)
|
||||||
|
}
|
||||||
|
query.Add("connector_id", connectorID.String())
|
||||||
|
}
|
||||||
|
return url.URL{Scheme: "wss", Host: managementHostname, Path: "/logs", RawQuery: query.Encode()}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func printLine(log *management.Log, logger *zerolog.Logger) {
|
||||||
|
fields, err := json.Marshal(log.Fields)
|
||||||
|
if err != nil {
|
||||||
|
fields = []byte("unable to parse fields")
|
||||||
|
logger.Debug().Msgf("unable to parse fields from event %+v", log)
|
||||||
|
}
|
||||||
|
fmt.Printf("%s %s %s %s %s\n", log.Time, log.Level, log.Event, log.Message, fields)
|
||||||
|
}
|
||||||
|
|
||||||
|
func printJSON(log *management.Log, logger *zerolog.Logger) {
|
||||||
|
output, err := json.Marshal(log)
|
||||||
|
if err != nil {
|
||||||
|
logger.Debug().Msgf("unable to parse event to json %+v", log)
|
||||||
|
} else {
|
||||||
|
fmt.Println(string(output))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Run implements a foreground runner
|
||||||
|
func Run(c *cli.Context) error {
|
||||||
|
log := createLogger(c)
|
||||||
|
|
||||||
|
signals := make(chan os.Signal, 10)
|
||||||
|
signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
|
||||||
|
defer signal.Stop(signals)
|
||||||
|
|
||||||
|
output := "default"
|
||||||
|
switch c.String("output") {
|
||||||
|
case "default", "":
|
||||||
|
output = "default"
|
||||||
|
case "json":
|
||||||
|
output = "json"
|
||||||
|
default:
|
||||||
|
log.Err(errors.New("invalid --output value provided, please make sure it is one of: default, json")).Send()
|
||||||
|
}
|
||||||
|
|
||||||
|
filters, err := parseFilters(c)
|
||||||
|
if err != nil {
|
||||||
|
log.Error().Err(err).Msgf("invalid filters provided")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
u, err := buildURL(c, log)
|
||||||
|
if err != nil {
|
||||||
|
log.Err(err).Msg("unable to construct management request URL")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
header := make(http.Header)
|
||||||
|
header.Add("User-Agent", buildInfo.UserAgent())
|
||||||
|
trace := c.String("trace")
|
||||||
|
if trace != "" {
|
||||||
|
header["cf-trace-id"] = []string{trace}
|
||||||
|
}
|
||||||
|
ctx := c.Context
|
||||||
|
conn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
|
||||||
|
HTTPHeader: header,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
if resp != nil && resp.StatusCode != http.StatusSwitchingProtocols {
|
||||||
|
handleValidationError(resp, log)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
log.Error().Err(err).Msgf("unable to start management log streaming session")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
defer conn.Close(websocket.StatusInternalError, "management connection was closed abruptly")
|
||||||
|
|
||||||
|
// Once connection is established, send start_streaming event to begin receiving logs
|
||||||
|
err = management.WriteEvent(conn, ctx, &management.EventStartStreaming{
|
||||||
|
ClientEvent: management.ClientEvent{Type: management.StartStreaming},
|
||||||
|
Filters: filters,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
log.Error().Err(err).Msg("unable to request logs from management tunnel")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
log.Debug().
|
||||||
|
Str("tunnel-id", c.Args().First()).
|
||||||
|
Str("connector-id", c.String("connector-id")).
|
||||||
|
Interface("filters", filters).
|
||||||
|
Msg("connected")
|
||||||
|
|
||||||
|
readerDone := make(chan struct{})
|
||||||
|
|
||||||
|
go func() {
|
||||||
|
defer close(readerDone)
|
||||||
|
for {
|
||||||
|
select {
|
||||||
|
case <-ctx.Done():
|
||||||
|
return
|
||||||
|
default:
|
||||||
|
event, err := management.ReadServerEvent(conn, ctx)
|
||||||
|
if err != nil {
|
||||||
|
if closeErr := management.AsClosed(err); closeErr != nil {
|
||||||
|
// If the client (or the server) already closed the connection, don't continue to
|
||||||
|
// attempt to read from the client.
|
||||||
|
if closeErr.Code == websocket.StatusNormalClosure {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// Only log abnormal closures
|
||||||
|
log.Error().Msgf("received remote closure: (%d) %s", closeErr.Code, closeErr.Reason)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
log.Err(err).Msg("unable to read event from server")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
switch event.Type {
|
||||||
|
case management.Logs:
|
||||||
|
logs, ok := management.IntoServerEvent(event, management.Logs)
|
||||||
|
if !ok {
|
||||||
|
log.Error().Msgf("invalid logs event")
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
// Output all the logs received to stdout
|
||||||
|
for _, l := range logs.Logs {
|
||||||
|
if output == "json" {
|
||||||
|
printJSON(l, log)
|
||||||
|
} else {
|
||||||
|
printLine(l, log)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
case management.UnknownServerEventType:
|
||||||
|
fallthrough
|
||||||
|
default:
|
||||||
|
log.Debug().Msgf("unexpected log event type: %s", event.Type)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
|
||||||
|
for {
|
||||||
|
select {
|
||||||
|
case <-ctx.Done():
|
||||||
|
return nil
|
||||||
|
case <-readerDone:
|
||||||
|
return nil
|
||||||
|
case <-signals:
|
||||||
|
log.Debug().Msg("closing management connection")
|
||||||
|
// Cleanly close the connection by sending a close message and then
|
||||||
|
// waiting (with timeout) for the server to close the connection.
|
||||||
|
conn.Close(websocket.StatusNormalClosure, "")
|
||||||
|
select {
|
||||||
|
case <-readerDone:
|
||||||
|
case <-time.After(time.Second):
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -4,43 +4,50 @@ import (
|
||||||
"bufio"
|
"bufio"
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
|
||||||
"net/url"
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
"reflect"
|
|
||||||
"runtime/trace"
|
"runtime/trace"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/buildinfo"
|
"github.com/coreos/go-systemd/v22/daemon"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/ui"
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
|
|
||||||
"github.com/cloudflare/cloudflared/connection"
|
|
||||||
"github.com/cloudflare/cloudflared/ingress"
|
|
||||||
"github.com/cloudflare/cloudflared/logger"
|
|
||||||
"github.com/cloudflare/cloudflared/metrics"
|
|
||||||
"github.com/cloudflare/cloudflared/origin"
|
|
||||||
"github.com/cloudflare/cloudflared/signal"
|
|
||||||
"github.com/cloudflare/cloudflared/tlsconfig"
|
|
||||||
"github.com/cloudflare/cloudflared/tunneldns"
|
|
||||||
"github.com/cloudflare/cloudflared/tunnelstore"
|
|
||||||
|
|
||||||
"github.com/coreos/go-systemd/daemon"
|
|
||||||
"github.com/facebookgo/grace/gracenet"
|
"github.com/facebookgo/grace/gracenet"
|
||||||
"github.com/getsentry/raven-go"
|
"github.com/getsentry/sentry-go"
|
||||||
"github.com/mitchellh/go-homedir"
|
"github.com/google/uuid"
|
||||||
|
homedir "github.com/mitchellh/go-homedir"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
"github.com/urfave/cli/v2/altsrc"
|
"github.com/urfave/cli/v2/altsrc"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cfapi"
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
|
||||||
|
"github.com/cloudflare/cloudflared/config"
|
||||||
|
"github.com/cloudflare/cloudflared/connection"
|
||||||
|
"github.com/cloudflare/cloudflared/credentials"
|
||||||
|
"github.com/cloudflare/cloudflared/edgediscovery"
|
||||||
|
"github.com/cloudflare/cloudflared/features"
|
||||||
|
"github.com/cloudflare/cloudflared/ingress"
|
||||||
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
|
"github.com/cloudflare/cloudflared/management"
|
||||||
|
"github.com/cloudflare/cloudflared/metrics"
|
||||||
|
"github.com/cloudflare/cloudflared/orchestration"
|
||||||
|
"github.com/cloudflare/cloudflared/signal"
|
||||||
|
"github.com/cloudflare/cloudflared/supervisor"
|
||||||
|
"github.com/cloudflare/cloudflared/tlsconfig"
|
||||||
|
"github.com/cloudflare/cloudflared/tunneldns"
|
||||||
|
"github.com/cloudflare/cloudflared/validation"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b:3e8827f6f9f740738eb11138f7bebb68@sentry.io/189878"
|
sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b:3e8827f6f9f740738eb11138f7bebb68@sentry.io/189878"
|
||||||
|
|
||||||
|
// ha-Connections specifies how many connections to make to the edge
|
||||||
|
haConnectionsFlag = "ha-connections"
|
||||||
|
|
||||||
// sshPortFlag is the port on localhost the cloudflared ssh server will run on
|
// sshPortFlag is the port on localhost the cloudflared ssh server will run on
|
||||||
sshPortFlag = "local-ssh-port"
|
sshPortFlag = "local-ssh-port"
|
||||||
|
|
||||||
|
@ -71,22 +78,53 @@ const (
|
||||||
// hostKeyPath is the path of the dir to save SSH host keys too
|
// hostKeyPath is the path of the dir to save SSH host keys too
|
||||||
hostKeyPath = "host-key-path"
|
hostKeyPath = "host-key-path"
|
||||||
|
|
||||||
|
// rpcTimeout is how long to wait for a Capnp RPC request to the edge
|
||||||
|
rpcTimeout = "rpc-timeout"
|
||||||
|
|
||||||
|
// writeStreamTimeout sets if we should have a timeout when writing data to a stream towards the destination (edge/origin).
|
||||||
|
writeStreamTimeout = "write-stream-timeout"
|
||||||
|
|
||||||
|
// quicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
|
||||||
|
// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
|
||||||
|
// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
|
||||||
|
quicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
|
||||||
|
|
||||||
|
// quicConnLevelFlowControlLimit controls the max flow control limit allocated for a QUIC connection. This controls how much data is the
|
||||||
|
// receiver willing to buffer. Once the limit is reached, the sender will send a DATA_BLOCKED frame to indicate it has more data to write,
|
||||||
|
// but it's blocked by flow control
|
||||||
|
quicConnLevelFlowControlLimit = "quic-connection-level-flow-control-limit"
|
||||||
|
// quicStreamLevelFlowControlLimit is similar to quicConnLevelFlowControlLimit but for each QUIC stream. When the sender is blocked,
|
||||||
|
// it will send a STREAM_DATA_BLOCKED frame
|
||||||
|
quicStreamLevelFlowControlLimit = "quic-stream-level-flow-control-limit"
|
||||||
|
|
||||||
// uiFlag is to enable launching cloudflared in interactive UI mode
|
// uiFlag is to enable launching cloudflared in interactive UI mode
|
||||||
uiFlag = "ui"
|
uiFlag = "ui"
|
||||||
|
|
||||||
debugLevelWarning = "At debug level, request URL, method, protocol, content legnth and header will be logged. " +
|
|
||||||
"Response status, content length and header will also be logged in debug level."
|
|
||||||
|
|
||||||
LogFieldCommand = "command"
|
LogFieldCommand = "command"
|
||||||
LogFieldExpandedPath = "expandedPath"
|
LogFieldExpandedPath = "expandedPath"
|
||||||
LogFieldPIDPathname = "pidPathname"
|
LogFieldPIDPathname = "pidPathname"
|
||||||
LogFieldTmpTraceFilename = "tmpTraceFilename"
|
LogFieldTmpTraceFilename = "tmpTraceFilename"
|
||||||
LogFieldTraceOutputFilepath = "traceOutputFilepath"
|
LogFieldTraceOutputFilepath = "traceOutputFilepath"
|
||||||
|
|
||||||
|
tunnelCmdErrorMessage = `You did not specify any valid additional argument to the cloudflared tunnel command.
|
||||||
|
|
||||||
|
If you are trying to run a Quick Tunnel then you need to explicitly pass the --url flag.
|
||||||
|
Eg. cloudflared tunnel --url localhost:8080/.
|
||||||
|
|
||||||
|
Please note that Quick Tunnels are meant to be ephemeral and should only be used for testing purposes.
|
||||||
|
For production usage, we recommend creating Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)
|
||||||
|
`
|
||||||
|
connectorLabelFlag = "label"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
graceShutdownC chan struct{}
|
graceShutdownC chan struct{}
|
||||||
version string
|
buildInfo *cliutil.BuildInfo
|
||||||
|
|
||||||
|
routeFailMsg = fmt.Sprintf("failed to provision routing, please create it manually via Cloudflare dashboard or UI; "+
|
||||||
|
"most likely you already have a conflicting record there. You can also rerun this command with --%s to overwrite "+
|
||||||
|
"any existing DNS records for this hostname.", overwriteDNSFlag)
|
||||||
|
deprecatedClassicTunnelErr = fmt.Errorf("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)")
|
||||||
)
|
)
|
||||||
|
|
||||||
func Flags() []cli.Flag {
|
func Flags() []cli.Flag {
|
||||||
|
@ -98,13 +136,16 @@ func Commands() []*cli.Command {
|
||||||
buildLoginSubcommand(false),
|
buildLoginSubcommand(false),
|
||||||
buildCreateCommand(),
|
buildCreateCommand(),
|
||||||
buildRouteCommand(),
|
buildRouteCommand(),
|
||||||
|
buildVirtualNetworkSubcommand(false),
|
||||||
buildRunCommand(),
|
buildRunCommand(),
|
||||||
buildListCommand(),
|
buildListCommand(),
|
||||||
|
buildInfoCommand(),
|
||||||
buildIngressSubcommand(),
|
buildIngressSubcommand(),
|
||||||
buildDeleteCommand(),
|
buildDeleteCommand(),
|
||||||
buildCleanupCommand(),
|
buildCleanupCommand(),
|
||||||
|
buildTokenCommand(),
|
||||||
// for compatibility, allow following as tunnel subcommands
|
// for compatibility, allow following as tunnel subcommands
|
||||||
tunneldns.Command(true),
|
proxydns.Command(true),
|
||||||
cliutil.RemovedCommand("db-connect"),
|
cliutil.RemovedCommand("db-connect"),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -119,29 +160,36 @@ func Commands() []*cli.Command {
|
||||||
func buildTunnelCommand(subcommands []*cli.Command) *cli.Command {
|
func buildTunnelCommand(subcommands []*cli.Command) *cli.Command {
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: "tunnel",
|
Name: "tunnel",
|
||||||
Action: cliutil.ErrorHandler(TunnelCommand),
|
Action: cliutil.ConfiguredAction(TunnelCommand),
|
||||||
Before: SetFlagsFromConfigFile,
|
|
||||||
Category: "Tunnel",
|
Category: "Tunnel",
|
||||||
Usage: "Make a locally-running web service accessible over the internet using Argo Tunnel.",
|
Usage: "Use Cloudflare Tunnel to expose private services to the Internet or to Cloudflare connected private users.",
|
||||||
ArgsUsage: " ",
|
ArgsUsage: " ",
|
||||||
Description: `Argo Tunnel asks you to specify a hostname on a Cloudflare-powered
|
Description: ` Cloudflare Tunnel allows to expose private services without opening any ingress port on this machine. It can expose:
|
||||||
domain you control and a local address. Traffic from that hostname is routed
|
A) Locally reachable HTTP-based private services to the Internet on DNS with Cloudflare as authority (which you can
|
||||||
(optionally via a Cloudflare Load Balancer) to this machine and appears on the
|
then protect with Cloudflare Access).
|
||||||
specified port where it can be served.
|
B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g.,
|
||||||
|
those enrolled to a Zero Trust WARP Client.
|
||||||
|
|
||||||
This feature requires your Cloudflare account be subscribed to the Argo Smart Routing feature.
|
You can manage your Tunnels via dash.teams.cloudflare.com. This approach will only require you to run a single command
|
||||||
|
later in each machine where you wish to run a Tunnel.
|
||||||
|
|
||||||
To use, begin by calling login to download a certificate:
|
Alternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so:
|
||||||
|
|
||||||
$ cloudflared tunnel login
|
$ cloudflared tunnel login
|
||||||
|
|
||||||
With your certificate installed you can then launch your first tunnel,
|
With your certificate installed you can then get started with Tunnels:
|
||||||
replacing my.site.com with a subdomain of your site:
|
|
||||||
|
|
||||||
$ cloudflared tunnel --hostname my.site.com --url http://localhost:8080
|
$ cloudflared tunnel create my-first-tunnel
|
||||||
|
$ cloudflared tunnel route dns my-first-tunnel my-first-tunnel.mydomain.com
|
||||||
|
$ cloudflared tunnel run --hello-world my-first-tunnel
|
||||||
|
|
||||||
If you have a web server running on port 8080 (in this example), it will be available on
|
You can now access my-first-tunnel.mydomain.com and be served an example page by your local cloudflared process.
|
||||||
the internet!`,
|
|
||||||
|
For exposing local TCP/UDP services by IP to your privately connected users, check out:
|
||||||
|
|
||||||
|
$ cloudflared tunnel route ip --help
|
||||||
|
|
||||||
|
See https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/ for more info.`,
|
||||||
Subcommands: subcommands,
|
Subcommands: subcommands,
|
||||||
Flags: tunnelFlags(false),
|
Flags: tunnelFlags(false),
|
||||||
}
|
}
|
||||||
|
@ -152,26 +200,66 @@ func TunnelCommand(c *cli.Context) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if name := c.String("name"); name != "" { // Start a named tunnel
|
|
||||||
|
// Run a adhoc named tunnel
|
||||||
|
// Allows for the creation, routing (optional), and startup of a tunnel in one command
|
||||||
|
// --name required
|
||||||
|
// --url or --hello-world required
|
||||||
|
// --hostname optional
|
||||||
|
if name := c.String("name"); name != "" {
|
||||||
|
hostname, err := validation.ValidateHostname(c.String("hostname"))
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "Invalid hostname provided")
|
||||||
|
}
|
||||||
|
url := c.String("url")
|
||||||
|
if url == hostname && url != "" && hostname != "" {
|
||||||
|
return fmt.Errorf("hostname and url shouldn't match. See --help for more information")
|
||||||
|
}
|
||||||
|
|
||||||
return runAdhocNamedTunnel(sc, name, c.String(CredFileFlag))
|
return runAdhocNamedTunnel(sc, name, c.String(CredFileFlag))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Run a quick tunnel
|
||||||
|
// A unauthenticated named tunnel hosted on <random>.<quick-tunnels-service>.com
|
||||||
|
// We don't support running proxy-dns and a quick tunnel at the same time as the same process
|
||||||
|
shouldRunQuickTunnel := c.IsSet("url") || c.IsSet(ingress.HelloWorldFlag)
|
||||||
|
if !c.IsSet("proxy-dns") && c.String("quick-service") != "" && shouldRunQuickTunnel {
|
||||||
|
return RunQuickTunnel(sc)
|
||||||
|
}
|
||||||
|
|
||||||
|
// If user provides a config, check to see if they meant to use `tunnel run` instead
|
||||||
if ref := config.GetConfiguration().TunnelID; ref != "" {
|
if ref := config.GetConfiguration().TunnelID; ref != "" {
|
||||||
return fmt.Errorf("Use `cloudflared tunnel run` to start tunnel %s", ref)
|
return fmt.Errorf("Use `cloudflared tunnel run` to start tunnel %s", ref)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Start a classic tunnel
|
// Classic tunnel usage is no longer supported
|
||||||
return runClassicTunnel(sc)
|
if c.String("hostname") != "" {
|
||||||
|
return deprecatedClassicTunnelErr
|
||||||
|
}
|
||||||
|
|
||||||
|
if c.IsSet("proxy-dns") {
|
||||||
|
if shouldRunQuickTunnel {
|
||||||
|
return fmt.Errorf("running a quick tunnel with `proxy-dns` is not supported")
|
||||||
|
}
|
||||||
|
// NamedTunnelProperties are nil since proxy dns server does not need it.
|
||||||
|
// This is supported for legacy reasons: dns proxy server is not a tunnel and ideally should
|
||||||
|
// not run as part of cloudflared tunnel.
|
||||||
|
return StartServer(sc.c, buildInfo, nil, sc.log)
|
||||||
|
}
|
||||||
|
|
||||||
|
return errors.New(tunnelCmdErrorMessage)
|
||||||
}
|
}
|
||||||
|
|
||||||
func Init(ver string, gracefulShutdown chan struct{}) {
|
func Init(info *cliutil.BuildInfo, gracefulShutdown chan struct{}) {
|
||||||
version, graceShutdownC = ver, gracefulShutdown
|
buildInfo, graceShutdownC = info, gracefulShutdown
|
||||||
}
|
}
|
||||||
|
|
||||||
// runAdhocNamedTunnel create, route and run a named tunnel in one command
|
// runAdhocNamedTunnel create, route and run a named tunnel in one command
|
||||||
func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath string) error {
|
func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath string) error {
|
||||||
tunnel, ok, err := sc.tunnelActive(name)
|
tunnel, ok, err := sc.tunnelActive(name)
|
||||||
if err != nil || !ok {
|
if err != nil || !ok {
|
||||||
tunnel, err = sc.create(name, credentialsOutputPath)
|
// pass empty string as secret to generate one
|
||||||
|
tunnel, err = sc.create(name, credentialsOutputPath, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "failed to create tunnel")
|
return errors.Wrap(err, "failed to create tunnel")
|
||||||
}
|
}
|
||||||
|
@ -181,7 +269,7 @@ func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath stri
|
||||||
|
|
||||||
if r, ok := routeFromFlag(sc.c); ok {
|
if r, ok := routeFromFlag(sc.c); ok {
|
||||||
if res, err := sc.route(tunnel.ID, r); err != nil {
|
if res, err := sc.route(tunnel.ID, r); err != nil {
|
||||||
sc.log.Err(err).Msg("failed to create route, please create it manually")
|
sc.log.Err(err).Str("route", r.String()).Msg(routeFailMsg)
|
||||||
} else {
|
} else {
|
||||||
sc.log.Info().Msg(res.SuccessSummary())
|
sc.log.Info().Msg(res.SuccessSummary())
|
||||||
}
|
}
|
||||||
|
@ -194,39 +282,40 @@ func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath stri
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// runClassicTunnel creates a "classic" non-named tunnel
|
func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {
|
||||||
func runClassicTunnel(sc *subcommandContext) error {
|
|
||||||
return StartServer(sc.c, version, nil, sc.log, sc.isUIEnabled)
|
|
||||||
}
|
|
||||||
|
|
||||||
func routeFromFlag(c *cli.Context) (tunnelstore.Route, bool) {
|
|
||||||
if hostname := c.String("hostname"); hostname != "" {
|
if hostname := c.String("hostname"); hostname != "" {
|
||||||
if lbPool := c.String("lb-pool"); lbPool != "" {
|
if lbPool := c.String("lb-pool"); lbPool != "" {
|
||||||
return tunnelstore.NewLBRoute(hostname, lbPool), true
|
return cfapi.NewLBRoute(hostname, lbPool), true
|
||||||
}
|
}
|
||||||
return tunnelstore.NewDNSRoute(hostname), true
|
return cfapi.NewDNSRoute(hostname, c.Bool(overwriteDNSFlagName)), true
|
||||||
}
|
}
|
||||||
return nil, false
|
return nil, false
|
||||||
}
|
}
|
||||||
|
|
||||||
func StartServer(
|
func StartServer(
|
||||||
c *cli.Context,
|
c *cli.Context,
|
||||||
version string,
|
info *cliutil.BuildInfo,
|
||||||
namedTunnel *connection.NamedTunnelConfig,
|
namedTunnel *connection.TunnelProperties,
|
||||||
log *zerolog.Logger,
|
log *zerolog.Logger,
|
||||||
isUIEnabled bool,
|
|
||||||
) error {
|
) error {
|
||||||
_ = raven.SetDSN(sentryDSN)
|
err := sentry.Init(sentry.ClientOptions{
|
||||||
|
Dsn: sentryDSN,
|
||||||
|
Release: c.App.Version,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
var wg sync.WaitGroup
|
var wg sync.WaitGroup
|
||||||
listeners := gracenet.Net{}
|
listeners := gracenet.Net{}
|
||||||
errC := make(chan error)
|
errC := make(chan error)
|
||||||
|
|
||||||
if config.GetConfiguration().Source() == "" {
|
// Only log for locally configured tunnels (Token is blank).
|
||||||
|
if config.GetConfiguration().Source() == "" && c.String(TunnelTokenFlag) == "" {
|
||||||
log.Info().Msg(config.ErrNoConfigFile.Error())
|
log.Info().Msg(config.ErrNoConfigFile.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
if c.IsSet("trace-output") {
|
if c.IsSet("trace-output") {
|
||||||
tmpTraceFile, err := ioutil.TempFile("", "trace")
|
tmpTraceFile, err := os.CreateTemp("", "trace")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Err(err).Msg("Failed to create new temporary file to save trace output")
|
log.Err(err).Msg("Failed to create new temporary file to save trace output")
|
||||||
}
|
}
|
||||||
|
@ -258,12 +347,11 @@ func StartServer(
|
||||||
defer trace.Stop()
|
defer trace.Stop()
|
||||||
}
|
}
|
||||||
|
|
||||||
buildInfo := buildinfo.GetBuildInfo(version)
|
info.Log(log)
|
||||||
buildInfo.Log(log)
|
|
||||||
logClientOptions(c, log)
|
logClientOptions(c, log)
|
||||||
|
|
||||||
// this context drives the server, when it's cancelled tunnel and all other components (origins, dns, etc...) should stop
|
// this context drives the server, when it's cancelled tunnel and all other components (origins, dns, etc...) should stop
|
||||||
ctx, cancel := context.WithCancel(context.Background())
|
ctx, cancel := context.WithCancel(c.Context)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
go waitForSignal(graceShutdownC, log)
|
go waitForSignal(graceShutdownC, log)
|
||||||
|
@ -286,41 +374,78 @@ func StartServer(
|
||||||
}
|
}
|
||||||
|
|
||||||
// update needs to be after DNS proxy is up to resolve equinox server address
|
// update needs to be after DNS proxy is up to resolve equinox server address
|
||||||
if updater.IsAutoupdateEnabled(c, log) {
|
wg.Add(1)
|
||||||
autoupdateFreq := c.Duration("autoupdate-freq")
|
go func() {
|
||||||
log.Info().Dur("autoupdateFreq", autoupdateFreq).Msg("Autoupdate frequency is set")
|
defer wg.Done()
|
||||||
wg.Add(1)
|
autoupdater := updater.NewAutoUpdater(
|
||||||
go func() {
|
c.Bool("no-autoupdate"), c.Duration("autoupdate-freq"), &listeners, log,
|
||||||
defer wg.Done()
|
)
|
||||||
autoupdater := updater.NewAutoUpdater(c.Duration("autoupdate-freq"), &listeners, log)
|
errC <- autoupdater.Run(ctx)
|
||||||
errC <- autoupdater.Run(ctx)
|
}()
|
||||||
}()
|
|
||||||
}
|
|
||||||
|
|
||||||
// Serve DNS proxy stand-alone if no hostname or tag or app is going to run
|
// Serve DNS proxy stand-alone if no tunnel type (quick, adhoc, named) is going to run
|
||||||
if dnsProxyStandAlone(c) {
|
if dnsProxyStandAlone(c, namedTunnel) {
|
||||||
connectedSignal.Notify()
|
connectedSignal.Notify()
|
||||||
// no grace period, handle SIGINT/SIGTERM immediately
|
// no grace period, handle SIGINT/SIGTERM immediately
|
||||||
return waitToShutdown(&wg, cancel, errC, graceShutdownC, 0, log)
|
return waitToShutdown(&wg, cancel, errC, graceShutdownC, 0, log)
|
||||||
}
|
}
|
||||||
|
|
||||||
url := c.String("url")
|
logTransport := logger.CreateTransportLoggerFromContext(c, logger.EnableTerminalLog)
|
||||||
hostname := c.String("hostname")
|
|
||||||
if url == hostname && url != "" && hostname != "" {
|
observer := connection.NewObserver(log, logTransport)
|
||||||
errText := "hostname and url shouldn't match. See --help for more information"
|
|
||||||
log.Error().Msg(errText)
|
// Send Quick Tunnel URL to UI if applicable
|
||||||
return fmt.Errorf(errText)
|
var quickTunnelURL string
|
||||||
|
if namedTunnel != nil {
|
||||||
|
quickTunnelURL = namedTunnel.QuickTunnelUrl
|
||||||
|
}
|
||||||
|
if quickTunnelURL != "" {
|
||||||
|
observer.SendURL(quickTunnelURL)
|
||||||
}
|
}
|
||||||
|
|
||||||
logTransport := logger.CreateTransportLoggerFromContext(c, isUIEnabled)
|
tunnelConfig, orchestratorConfig, err := prepareTunnelConfig(ctx, c, info, log, logTransport, observer, namedTunnel)
|
||||||
|
|
||||||
observer := connection.NewObserver(log, logTransport, isUIEnabled)
|
|
||||||
|
|
||||||
tunnelConfig, ingressRules, err := prepareTunnelConfig(c, buildInfo, version, log, logTransport, observer, namedTunnel)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Err(err).Msg("Couldn't start tunnel")
|
log.Err(err).Msg("Couldn't start tunnel")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
var clientID uuid.UUID
|
||||||
|
if tunnelConfig.NamedTunnel != nil {
|
||||||
|
clientID, err = uuid.FromBytes(tunnelConfig.NamedTunnel.Client.ClientID)
|
||||||
|
if err != nil {
|
||||||
|
// set to nil for classic tunnels
|
||||||
|
clientID = uuid.Nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Disable ICMP packet routing for quick tunnels
|
||||||
|
if quickTunnelURL != "" {
|
||||||
|
tunnelConfig.PacketConfig = nil
|
||||||
|
}
|
||||||
|
|
||||||
|
internalRules := []ingress.Rule{}
|
||||||
|
if features.Contains(features.FeatureManagementLogs) {
|
||||||
|
serviceIP := c.String("service-op-ip")
|
||||||
|
if edgeAddrs, err := edgediscovery.ResolveEdge(log, tunnelConfig.Region, tunnelConfig.EdgeIPVersion); err == nil {
|
||||||
|
if serviceAddr, err := edgeAddrs.GetAddrForRPC(); err == nil {
|
||||||
|
serviceIP = serviceAddr.TCP.String()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
mgmt := management.New(
|
||||||
|
c.String("management-hostname"),
|
||||||
|
c.Bool("management-diagnostics"),
|
||||||
|
serviceIP,
|
||||||
|
clientID,
|
||||||
|
c.String(connectorLabelFlag),
|
||||||
|
logger.ManagementLogger.Log,
|
||||||
|
logger.ManagementLogger,
|
||||||
|
)
|
||||||
|
internalRules = []ingress.Rule{ingress.NewManagementRule(mgmt)}
|
||||||
|
}
|
||||||
|
orchestrator, err := orchestration.NewOrchestrator(ctx, orchestratorConfig, tunnelConfig.Tags, internalRules, tunnelConfig.Log)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
metricsListener, err := listeners.Listen("tcp", c.String("metrics"))
|
metricsListener, err := listeners.Listen("tcp", c.String("metrics"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -331,16 +456,17 @@ func StartServer(
|
||||||
wg.Add(1)
|
wg.Add(1)
|
||||||
go func() {
|
go func() {
|
||||||
defer wg.Done()
|
defer wg.Done()
|
||||||
readinessServer := metrics.NewReadyServer(log)
|
readinessServer := metrics.NewReadyServer(log, clientID)
|
||||||
observer.RegisterSink(readinessServer)
|
observer.RegisterSink(readinessServer)
|
||||||
errC <- metrics.ServeMetrics(metricsListener, ctx.Done(), readinessServer, log)
|
metricsConfig := metrics.Config{
|
||||||
|
ReadyServer: readinessServer,
|
||||||
|
QuickTunnelHostname: quickTunnelURL,
|
||||||
|
Orchestrator: orchestrator,
|
||||||
|
}
|
||||||
|
errC <- metrics.ServeMetrics(metricsListener, ctx, metricsConfig, log)
|
||||||
}()
|
}()
|
||||||
|
|
||||||
if err := ingressRules.StartOrigins(&wg, log, ctx.Done(), errC); err != nil {
|
reconnectCh := make(chan supervisor.ReconnectSignal, c.Int(haConnectionsFlag))
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
reconnectCh := make(chan origin.ReconnectSignal, 1)
|
|
||||||
if c.IsSet("stdin-control") {
|
if c.IsSet("stdin-control") {
|
||||||
log.Info().Msg("Enabling control through stdin")
|
log.Info().Msg("Enabling control through stdin")
|
||||||
go stdinControl(reconnectCh, log)
|
go stdinControl(reconnectCh, log)
|
||||||
|
@ -352,42 +478,14 @@ func StartServer(
|
||||||
wg.Done()
|
wg.Done()
|
||||||
log.Info().Msg("Tunnel server stopped")
|
log.Info().Msg("Tunnel server stopped")
|
||||||
}()
|
}()
|
||||||
errC <- origin.StartTunnelDaemon(ctx, tunnelConfig, connectedSignal, reconnectCh, graceShutdownC)
|
errC <- supervisor.StartTunnelDaemon(ctx, tunnelConfig, orchestrator, connectedSignal, reconnectCh, graceShutdownC)
|
||||||
}()
|
}()
|
||||||
|
|
||||||
if isUIEnabled {
|
gracePeriod, err := gracePeriod(c)
|
||||||
tunnelUI := ui.NewUIModel(
|
|
||||||
version,
|
|
||||||
hostname,
|
|
||||||
metricsListener.Addr().String(),
|
|
||||||
&ingressRules,
|
|
||||||
tunnelConfig.HAConnections,
|
|
||||||
)
|
|
||||||
app := tunnelUI.Launch(ctx, log, logTransport)
|
|
||||||
observer.RegisterSink(app)
|
|
||||||
}
|
|
||||||
|
|
||||||
return waitToShutdown(&wg, cancel, errC, graceShutdownC, c.Duration("grace-period"), log)
|
|
||||||
}
|
|
||||||
|
|
||||||
func SetFlagsFromConfigFile(c *cli.Context) error {
|
|
||||||
const exitCode = 1
|
|
||||||
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
|
|
||||||
inputSource, err := config.ReadConfigFile(c, log)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == config.ErrNoConfigFile {
|
return err
|
||||||
return nil
|
|
||||||
}
|
|
||||||
return cli.Exit(err, exitCode)
|
|
||||||
}
|
}
|
||||||
targetFlags := c.Command.Flags
|
return waitToShutdown(&wg, cancel, errC, graceShutdownC, gracePeriod, log)
|
||||||
if c.Command.Name == "" {
|
|
||||||
targetFlags = c.App.Flags
|
|
||||||
}
|
|
||||||
if err := altsrc.ApplyInputSourceValues(c, inputSource, targetFlags); err != nil {
|
|
||||||
return cli.Exit(err, exitCode)
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func waitToShutdown(wg *sync.WaitGroup,
|
func waitToShutdown(wg *sync.WaitGroup,
|
||||||
|
@ -478,43 +576,16 @@ func addPortIfMissing(uri *url.URL, port int) string {
|
||||||
return fmt.Sprintf("%s:%d", uri.Hostname(), port)
|
return fmt.Sprintf("%s:%d", uri.Hostname(), port)
|
||||||
}
|
}
|
||||||
|
|
||||||
// appendFlags will append extra flags to a slice of flags.
|
|
||||||
//
|
|
||||||
// The cli package will panic if two flags exist with the same name,
|
|
||||||
// so if extraFlags contains a flag that was already defined, modify the
|
|
||||||
// original flags to use the extra version.
|
|
||||||
func appendFlags(flags []cli.Flag, extraFlags ...cli.Flag) []cli.Flag {
|
|
||||||
for _, extra := range extraFlags {
|
|
||||||
var found bool
|
|
||||||
|
|
||||||
// Check if an extra flag overrides an existing flag.
|
|
||||||
for i, flag := range flags {
|
|
||||||
if reflect.DeepEqual(extra.Names(), flag.Names()) {
|
|
||||||
flags[i] = extra
|
|
||||||
found = true
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Append the extra flag if it has nothing to override.
|
|
||||||
if !found {
|
|
||||||
flags = append(flags, extra)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return flags
|
|
||||||
}
|
|
||||||
|
|
||||||
func tunnelFlags(shouldHide bool) []cli.Flag {
|
func tunnelFlags(shouldHide bool) []cli.Flag {
|
||||||
flags := configureCloudflaredFlags(shouldHide)
|
flags := configureCloudflaredFlags(shouldHide)
|
||||||
flags = append(flags, configureProxyFlags(shouldHide)...)
|
flags = append(flags, configureProxyFlags(shouldHide)...)
|
||||||
flags = append(flags, configureLoggingFlags(shouldHide)...)
|
flags = append(flags, cliutil.ConfigureLoggingFlags(shouldHide)...)
|
||||||
flags = append(flags, configureProxyDNSFlags(shouldHide)...)
|
flags = append(flags, configureProxyDNSFlags(shouldHide)...)
|
||||||
flags = append(flags, []cli.Flag{
|
flags = append(flags, []cli.Flag{
|
||||||
credentialsFileFlag,
|
credentialsFileFlag,
|
||||||
altsrc.NewBoolFlag(&cli.BoolFlag{
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
Name: "is-autoupdated",
|
Name: "is-autoupdated",
|
||||||
Usage: "Signal the new process that Argo Tunnel client has been autoupdated",
|
Usage: "Signal the new process that Cloudflare Tunnel connector has been autoupdated",
|
||||||
Value: false,
|
Value: false,
|
||||||
Hidden: true,
|
Hidden: true,
|
||||||
}),
|
}),
|
||||||
|
@ -524,6 +595,24 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
|
||||||
EnvVars: []string{"TUNNEL_EDGE"},
|
EnvVars: []string{"TUNNEL_EDGE"},
|
||||||
Hidden: true,
|
Hidden: true,
|
||||||
}),
|
}),
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: "region",
|
||||||
|
Usage: "Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region.",
|
||||||
|
EnvVars: []string{"TUNNEL_REGION"},
|
||||||
|
}),
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: "edge-ip-version",
|
||||||
|
Usage: "Cloudflare Edge IP address version to connect with. {4, 6, auto}",
|
||||||
|
EnvVars: []string{"TUNNEL_EDGE_IP_VERSION"},
|
||||||
|
Value: "4",
|
||||||
|
Hidden: false,
|
||||||
|
}),
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: "edge-bind-address",
|
||||||
|
Usage: "Bind to IP address for outgoing connections to Cloudflare Edge.",
|
||||||
|
EnvVars: []string{"TUNNEL_EDGE_BIND_ADDRESS"},
|
||||||
|
Hidden: false,
|
||||||
|
}),
|
||||||
altsrc.NewStringFlag(&cli.StringFlag{
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
Name: tlsconfig.CaCertFlag,
|
Name: tlsconfig.CaCertFlag,
|
||||||
Usage: "Certificate Authority authenticating connections with Cloudflare's edge network.",
|
Usage: "Certificate Authority authenticating connections with Cloudflare's edge network.",
|
||||||
|
@ -582,9 +671,9 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
|
||||||
}),
|
}),
|
||||||
altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
|
altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
|
||||||
Name: "tag",
|
Name: "tag",
|
||||||
Usage: "Custom tags used to identify this tunnel, in format `KEY=VALUE`. Multiple tags may be specified",
|
Usage: "Custom tags used to identify this tunnel via added HTTP request headers to the origin, in format `KEY=VALUE`. Multiple tags may be specified.",
|
||||||
EnvVars: []string{"TUNNEL_TAG"},
|
EnvVars: []string{"TUNNEL_TAG"},
|
||||||
Hidden: shouldHide,
|
Hidden: true,
|
||||||
}),
|
}),
|
||||||
altsrc.NewDurationFlag(&cli.DurationFlag{
|
altsrc.NewDurationFlag(&cli.DurationFlag{
|
||||||
Name: "heartbeat-interval",
|
Name: "heartbeat-interval",
|
||||||
|
@ -599,6 +688,12 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
|
||||||
Value: 5,
|
Value: 5,
|
||||||
Hidden: true,
|
Hidden: true,
|
||||||
}),
|
}),
|
||||||
|
altsrc.NewIntFlag(&cli.IntFlag{
|
||||||
|
Name: "max-edge-addr-retries",
|
||||||
|
Usage: "Maximum number of times to retry on edge addrs before falling back to a lower protocol",
|
||||||
|
Value: 8,
|
||||||
|
Hidden: true,
|
||||||
|
}),
|
||||||
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
|
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
|
||||||
altsrc.NewIntFlag(&cli.IntFlag{
|
altsrc.NewIntFlag(&cli.IntFlag{
|
||||||
Name: "retries",
|
Name: "retries",
|
||||||
|
@ -608,16 +703,54 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewIntFlag(&cli.IntFlag{
|
altsrc.NewIntFlag(&cli.IntFlag{
|
||||||
Name: "ha-connections",
|
Name: haConnectionsFlag,
|
||||||
Value: 4,
|
Value: 4,
|
||||||
Hidden: true,
|
Hidden: true,
|
||||||
}),
|
}),
|
||||||
|
altsrc.NewDurationFlag(&cli.DurationFlag{
|
||||||
|
Name: rpcTimeout,
|
||||||
|
Value: 5 * time.Second,
|
||||||
|
Hidden: true,
|
||||||
|
}),
|
||||||
|
altsrc.NewDurationFlag(&cli.DurationFlag{
|
||||||
|
Name: writeStreamTimeout,
|
||||||
|
EnvVars: []string{"TUNNEL_STREAM_WRITE_TIMEOUT"},
|
||||||
|
Usage: "Use this option to add a stream write timeout for connections when writing towards the origin or edge. Default is 0 which disables the write timeout.",
|
||||||
|
Value: 0 * time.Second,
|
||||||
|
Hidden: true,
|
||||||
|
}),
|
||||||
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
|
Name: quicDisablePathMTUDiscovery,
|
||||||
|
EnvVars: []string{"TUNNEL_DISABLE_QUIC_PMTU"},
|
||||||
|
Usage: "Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.",
|
||||||
|
Value: false,
|
||||||
|
Hidden: true,
|
||||||
|
}),
|
||||||
|
altsrc.NewIntFlag(&cli.IntFlag{
|
||||||
|
Name: quicConnLevelFlowControlLimit,
|
||||||
|
EnvVars: []string{"TUNNEL_QUIC_CONN_LEVEL_FLOW_CONTROL_LIMIT"},
|
||||||
|
Usage: "Use this option to change the connection-level flow control limit for QUIC transport.",
|
||||||
|
Value: 30 * (1 << 20), // 30 MB
|
||||||
|
Hidden: true,
|
||||||
|
}),
|
||||||
|
altsrc.NewIntFlag(&cli.IntFlag{
|
||||||
|
Name: quicStreamLevelFlowControlLimit,
|
||||||
|
EnvVars: []string{"TUNNEL_QUIC_STREAM_LEVEL_FLOW_CONTROL_LIMIT"},
|
||||||
|
Usage: "Use this option to change the connection-level flow control limit for QUIC transport.",
|
||||||
|
Value: 6 * (1 << 20), // 6 MB
|
||||||
|
Hidden: true,
|
||||||
|
}),
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: connectorLabelFlag,
|
||||||
|
Usage: "Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.",
|
||||||
|
Value: "",
|
||||||
|
}),
|
||||||
altsrc.NewDurationFlag(&cli.DurationFlag{
|
altsrc.NewDurationFlag(&cli.DurationFlag{
|
||||||
Name: "grace-period",
|
Name: "grace-period",
|
||||||
Usage: "Duration to accept new requests after cloudflared receives first SIGINT/SIGTERM. A second SIGINT/SIGTERM will force cloudflared to shutdown immediately.",
|
Usage: "When cloudflared receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shutdown. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received.",
|
||||||
Value: time.Second * 30,
|
Value: time.Second * 30,
|
||||||
EnvVars: []string{"TUNNEL_GRACE_PERIOD"},
|
EnvVars: []string{"TUNNEL_GRACE_PERIOD"},
|
||||||
Hidden: true,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
|
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
|
||||||
altsrc.NewIntFlag(&cli.IntFlag{
|
altsrc.NewIntFlag(&cli.IntFlag{
|
||||||
|
@ -644,7 +777,7 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
|
||||||
altsrc.NewBoolFlag(&cli.BoolFlag{
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
Name: "stdin-control",
|
Name: "stdin-control",
|
||||||
Usage: "Control the process using commands sent through stdin",
|
Usage: "Control the process using commands sent through stdin",
|
||||||
EnvVars: []string{"STDIN-CONTROL"},
|
EnvVars: []string{"STDIN_CONTROL"},
|
||||||
Hidden: true,
|
Hidden: true,
|
||||||
Value: false,
|
Value: false,
|
||||||
}),
|
}),
|
||||||
|
@ -653,14 +786,41 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
|
||||||
Aliases: []string{"n"},
|
Aliases: []string{"n"},
|
||||||
EnvVars: []string{"TUNNEL_NAME"},
|
EnvVars: []string{"TUNNEL_NAME"},
|
||||||
Usage: "Stable name to identify the tunnel. Using this flag will create, route and run a tunnel. For production usage, execute each command separately",
|
Usage: "Stable name to identify the tunnel. Using this flag will create, route and run a tunnel. For production usage, execute each command separately",
|
||||||
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewBoolFlag(&cli.BoolFlag{
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
Name: uiFlag,
|
Name: uiFlag,
|
||||||
Usage: "Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.",
|
Usage: "(depreciated) Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.",
|
||||||
Value: false,
|
Value: false,
|
||||||
Hidden: shouldHide,
|
Hidden: true,
|
||||||
|
}),
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: "quick-service",
|
||||||
|
Usage: "URL for a service which manages unauthenticated 'quick' tunnels.",
|
||||||
|
Value: "https://api.trycloudflare.com",
|
||||||
|
Hidden: true,
|
||||||
|
}),
|
||||||
|
altsrc.NewIntFlag(&cli.IntFlag{
|
||||||
|
Name: "max-fetch-size",
|
||||||
|
Usage: `The maximum number of results that cloudflared can fetch from Cloudflare API for any listing operations needed`,
|
||||||
|
EnvVars: []string{"TUNNEL_MAX_FETCH_SIZE"},
|
||||||
|
Hidden: true,
|
||||||
|
}),
|
||||||
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
|
Name: "post-quantum",
|
||||||
|
Usage: "When given creates an experimental post-quantum secure tunnel",
|
||||||
|
Aliases: []string{"pq"},
|
||||||
|
EnvVars: []string{"TUNNEL_POST_QUANTUM"},
|
||||||
|
Hidden: FipsEnabled,
|
||||||
|
}),
|
||||||
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
|
Name: "management-diagnostics",
|
||||||
|
Usage: "Enables the in-depth diagnostic routes to be made available over the management service (/debug/pprof, /metrics, etc.)",
|
||||||
|
EnvVars: []string{"TUNNEL_MANAGEMENT_DIAGNOSTICS"},
|
||||||
|
Value: true,
|
||||||
}),
|
}),
|
||||||
selectProtocolFlag,
|
selectProtocolFlag,
|
||||||
|
overwriteDNSFlag,
|
||||||
}...)
|
}...)
|
||||||
|
|
||||||
return flags
|
return flags
|
||||||
|
@ -676,10 +836,10 @@ func configureCloudflaredFlags(shouldHide bool) []cli.Flag {
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
},
|
},
|
||||||
altsrc.NewStringFlag(&cli.StringFlag{
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
Name: "origincert",
|
Name: credentials.OriginCertFlag,
|
||||||
Usage: "Path to the certificate generated for your origin when you run cloudflared login.",
|
Usage: "Path to the certificate generated for your origin when you run cloudflared login.",
|
||||||
EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
|
EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
|
||||||
Value: findDefaultOriginCertPath(),
|
Value: credentials.FindDefaultOriginCertPath(),
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewDurationFlag(&cli.DurationFlag{
|
altsrc.NewDurationFlag(&cli.DurationFlag{
|
||||||
|
@ -721,7 +881,7 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewBoolFlag(&cli.BoolFlag{
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
Name: "hello-world",
|
Name: ingress.HelloWorldFlag,
|
||||||
Value: false,
|
Value: false,
|
||||||
Usage: "Run Hello World Server",
|
Usage: "Run Hello World Server",
|
||||||
EnvVars: []string{"TUNNEL_HELLO_WORLD"},
|
EnvVars: []string{"TUNNEL_HELLO_WORLD"},
|
||||||
|
@ -729,43 +889,43 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
|
||||||
}),
|
}),
|
||||||
altsrc.NewBoolFlag(&cli.BoolFlag{
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
Name: ingress.Socks5Flag,
|
Name: ingress.Socks5Flag,
|
||||||
Usage: "specify if this tunnel is running as a SOCK5 Server",
|
Usage: legacyTunnelFlag("specify if this tunnel is running as a SOCK5 Server"),
|
||||||
EnvVars: []string{"TUNNEL_SOCKS"},
|
EnvVars: []string{"TUNNEL_SOCKS"},
|
||||||
Value: false,
|
Value: false,
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewDurationFlag(&cli.DurationFlag{
|
altsrc.NewDurationFlag(&cli.DurationFlag{
|
||||||
Name: ingress.ProxyConnectTimeoutFlag,
|
Name: ingress.ProxyConnectTimeoutFlag,
|
||||||
Usage: "HTTP proxy timeout for establishing a new connection",
|
Usage: legacyTunnelFlag("HTTP proxy timeout for establishing a new connection"),
|
||||||
Value: time.Second * 30,
|
Value: time.Second * 30,
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewDurationFlag(&cli.DurationFlag{
|
altsrc.NewDurationFlag(&cli.DurationFlag{
|
||||||
Name: ingress.ProxyTLSTimeoutFlag,
|
Name: ingress.ProxyTLSTimeoutFlag,
|
||||||
Usage: "HTTP proxy timeout for completing a TLS handshake",
|
Usage: legacyTunnelFlag("HTTP proxy timeout for completing a TLS handshake"),
|
||||||
Value: time.Second * 10,
|
Value: time.Second * 10,
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewDurationFlag(&cli.DurationFlag{
|
altsrc.NewDurationFlag(&cli.DurationFlag{
|
||||||
Name: ingress.ProxyTCPKeepAlive,
|
Name: ingress.ProxyTCPKeepAliveFlag,
|
||||||
Usage: "HTTP proxy TCP keepalive duration",
|
Usage: legacyTunnelFlag("HTTP proxy TCP keepalive duration"),
|
||||||
Value: time.Second * 30,
|
Value: time.Second * 30,
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewBoolFlag(&cli.BoolFlag{
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
Name: ingress.ProxyNoHappyEyeballsFlag,
|
Name: ingress.ProxyNoHappyEyeballsFlag,
|
||||||
Usage: "HTTP proxy should disable \"happy eyeballs\" for IPv4/v6 fallback",
|
Usage: legacyTunnelFlag("HTTP proxy should disable \"happy eyeballs\" for IPv4/v6 fallback"),
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewIntFlag(&cli.IntFlag{
|
altsrc.NewIntFlag(&cli.IntFlag{
|
||||||
Name: ingress.ProxyKeepAliveConnectionsFlag,
|
Name: ingress.ProxyKeepAliveConnectionsFlag,
|
||||||
Usage: "HTTP proxy maximum keepalive connection pool size",
|
Usage: legacyTunnelFlag("HTTP proxy maximum keepalive connection pool size"),
|
||||||
Value: 100,
|
Value: 100,
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewDurationFlag(&cli.DurationFlag{
|
altsrc.NewDurationFlag(&cli.DurationFlag{
|
||||||
Name: ingress.ProxyKeepAliveTimeoutFlag,
|
Name: ingress.ProxyKeepAliveTimeoutFlag,
|
||||||
Usage: "HTTP proxy timeout for closing an idle connection",
|
Usage: legacyTunnelFlag("HTTP proxy timeout for closing an idle connection"),
|
||||||
Value: time.Second * 90,
|
Value: time.Second * 90,
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
|
@ -783,13 +943,13 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
|
||||||
}),
|
}),
|
||||||
altsrc.NewStringFlag(&cli.StringFlag{
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
Name: ingress.HTTPHostHeaderFlag,
|
Name: ingress.HTTPHostHeaderFlag,
|
||||||
Usage: "Sets the HTTP Host header for the local webserver.",
|
Usage: legacyTunnelFlag("Sets the HTTP Host header for the local webserver."),
|
||||||
EnvVars: []string{"TUNNEL_HTTP_HOST_HEADER"},
|
EnvVars: []string{"TUNNEL_HTTP_HOST_HEADER"},
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewStringFlag(&cli.StringFlag{
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
Name: ingress.OriginServerNameFlag,
|
Name: ingress.OriginServerNameFlag,
|
||||||
Usage: "Hostname on the origin server certificate.",
|
Usage: legacyTunnelFlag("Hostname on the origin server certificate."),
|
||||||
EnvVars: []string{"TUNNEL_ORIGIN_SERVER_NAME"},
|
EnvVars: []string{"TUNNEL_ORIGIN_SERVER_NAME"},
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
|
@ -801,26 +961,56 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
|
||||||
}),
|
}),
|
||||||
altsrc.NewStringFlag(&cli.StringFlag{
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
Name: tlsconfig.OriginCAPoolFlag,
|
Name: tlsconfig.OriginCAPoolFlag,
|
||||||
Usage: "Path to the CA for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.",
|
Usage: legacyTunnelFlag("Path to the CA for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare."),
|
||||||
EnvVars: []string{"TUNNEL_ORIGIN_CA_POOL"},
|
EnvVars: []string{"TUNNEL_ORIGIN_CA_POOL"},
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewBoolFlag(&cli.BoolFlag{
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
Name: ingress.NoTLSVerifyFlag,
|
Name: ingress.NoTLSVerifyFlag,
|
||||||
Usage: "Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. Note: The connection from your machine to Cloudflare's Edge is still encrypted.",
|
Usage: legacyTunnelFlag("Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. Note: The connection from your machine to Cloudflare's Edge is still encrypted."),
|
||||||
EnvVars: []string{"NO_TLS_VERIFY"},
|
EnvVars: []string{"NO_TLS_VERIFY"},
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
altsrc.NewBoolFlag(&cli.BoolFlag{
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
Name: ingress.NoChunkedEncodingFlag,
|
Name: ingress.NoChunkedEncodingFlag,
|
||||||
Usage: "Disables chunked transfer encoding; useful if you are running a WSGI server.",
|
Usage: legacyTunnelFlag("Disables chunked transfer encoding; useful if you are running a WSGI server."),
|
||||||
EnvVars: []string{"TUNNEL_NO_CHUNKED_ENCODING"},
|
EnvVars: []string{"TUNNEL_NO_CHUNKED_ENCODING"},
|
||||||
Hidden: shouldHide,
|
Hidden: shouldHide,
|
||||||
}),
|
}),
|
||||||
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
|
Name: ingress.Http2OriginFlag,
|
||||||
|
Usage: "Enables HTTP/2 origin servers.",
|
||||||
|
EnvVars: []string{"TUNNEL_ORIGIN_ENABLE_HTTP2"},
|
||||||
|
Hidden: shouldHide,
|
||||||
|
Value: false,
|
||||||
|
}),
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: "management-hostname",
|
||||||
|
Usage: "Management hostname to signify incoming management requests",
|
||||||
|
EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
|
||||||
|
Hidden: true,
|
||||||
|
Value: "management.argotunnel.com",
|
||||||
|
}),
|
||||||
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: "service-op-ip",
|
||||||
|
Usage: "Fallback IP for service operations run by the management service.",
|
||||||
|
EnvVars: []string{"TUNNEL_SERVICE_OP_IP"},
|
||||||
|
Hidden: true,
|
||||||
|
Value: "198.41.200.113:80",
|
||||||
|
}),
|
||||||
}
|
}
|
||||||
return append(flags, sshFlags(shouldHide)...)
|
return append(flags, sshFlags(shouldHide)...)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func legacyTunnelFlag(msg string) string {
|
||||||
|
return fmt.Sprintf(
|
||||||
|
"%s This flag only takes effect if you define your origin with `--url` and if you do not use ingress rules."+
|
||||||
|
" The recommended way is to rely on ingress rules and define this property under `originRequest` as per"+
|
||||||
|
" https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress",
|
||||||
|
msg,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
func sshFlags(shouldHide bool) []cli.Flag {
|
func sshFlags(shouldHide bool) []cli.Flag {
|
||||||
return []cli.Flag{
|
return []cli.Flag{
|
||||||
altsrc.NewStringFlag(&cli.StringFlag{
|
altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
@ -916,44 +1106,6 @@ func sshFlags(shouldHide bool) []cli.Flag {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func configureLoggingFlags(shouldHide bool) []cli.Flag {
|
|
||||||
return []cli.Flag{
|
|
||||||
altsrc.NewStringFlag(&cli.StringFlag{
|
|
||||||
Name: logger.LogLevelFlag,
|
|
||||||
Value: "info",
|
|
||||||
Usage: "Application logging level {fatal, error, info, debug}. " + debugLevelWarning,
|
|
||||||
EnvVars: []string{"TUNNEL_LOGLEVEL"},
|
|
||||||
Hidden: shouldHide,
|
|
||||||
}),
|
|
||||||
altsrc.NewStringFlag(&cli.StringFlag{
|
|
||||||
Name: logger.LogTransportLevelFlag,
|
|
||||||
Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
|
|
||||||
Value: "info",
|
|
||||||
Usage: "Transport logging level(previously called protocol logging level) {fatal, error, info, debug}",
|
|
||||||
EnvVars: []string{"TUNNEL_PROTO_LOGLEVEL", "TUNNEL_TRANSPORT_LOGLEVEL"},
|
|
||||||
Hidden: shouldHide,
|
|
||||||
}),
|
|
||||||
altsrc.NewStringFlag(&cli.StringFlag{
|
|
||||||
Name: logger.LogFileFlag,
|
|
||||||
Usage: "Save application log to this file for reporting issues.",
|
|
||||||
EnvVars: []string{"TUNNEL_LOGFILE"},
|
|
||||||
Hidden: shouldHide,
|
|
||||||
}),
|
|
||||||
altsrc.NewStringFlag(&cli.StringFlag{
|
|
||||||
Name: logger.LogDirectoryFlag,
|
|
||||||
Usage: "Save application log to this directory for reporting issues.",
|
|
||||||
EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
|
|
||||||
Hidden: shouldHide,
|
|
||||||
}),
|
|
||||||
altsrc.NewStringFlag(&cli.StringFlag{
|
|
||||||
Name: "trace-output",
|
|
||||||
Usage: "Name of trace output file, generated when cloudflared stops.",
|
|
||||||
EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
|
|
||||||
Hidden: shouldHide,
|
|
||||||
}),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
|
func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
|
||||||
return []cli.Flag{
|
return []cli.Flag{
|
||||||
altsrc.NewBoolFlag(&cli.BoolFlag{
|
altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
|
@ -1005,7 +1157,7 @@ func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func stdinControl(reconnectCh chan origin.ReconnectSignal, log *zerolog.Logger) {
|
func stdinControl(reconnectCh chan supervisor.ReconnectSignal, log *zerolog.Logger) {
|
||||||
for {
|
for {
|
||||||
scanner := bufio.NewScanner(os.Stdin)
|
scanner := bufio.NewScanner(os.Stdin)
|
||||||
for scanner.Scan() {
|
for scanner.Scan() {
|
||||||
|
@ -1016,7 +1168,7 @@ func stdinControl(reconnectCh chan origin.ReconnectSignal, log *zerolog.Logger)
|
||||||
case "":
|
case "":
|
||||||
break
|
break
|
||||||
case "reconnect":
|
case "reconnect":
|
||||||
var reconnect origin.ReconnectSignal
|
var reconnect supervisor.ReconnectSignal
|
||||||
if len(parts) > 1 {
|
if len(parts) > 1 {
|
||||||
var err error
|
var err error
|
||||||
if reconnect.Delay, err = time.ParseDuration(parts[1]); err != nil {
|
if reconnect.Delay, err = time.ParseDuration(parts[1]); err != nil {
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
package tunnel
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/features"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestDedup(t *testing.T) {
|
||||||
|
expected := []string{"a", "b"}
|
||||||
|
actual := features.Dedup([]string{"a", "b", "a"})
|
||||||
|
require.ElementsMatch(t, expected, actual)
|
||||||
|
}
|
|
@ -1,55 +1,50 @@
|
||||||
package tunnel
|
package tunnel
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"net"
|
||||||
|
"net/netip"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
|
||||||
"strings"
|
"strings"
|
||||||
|
"time"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/buildinfo"
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
|
||||||
"github.com/cloudflare/cloudflared/connection"
|
|
||||||
"github.com/cloudflare/cloudflared/edgediscovery"
|
|
||||||
"github.com/cloudflare/cloudflared/h2mux"
|
|
||||||
"github.com/cloudflare/cloudflared/ingress"
|
|
||||||
"github.com/cloudflare/cloudflared/origin"
|
|
||||||
"github.com/cloudflare/cloudflared/tlsconfig"
|
|
||||||
tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
|
|
||||||
"github.com/cloudflare/cloudflared/validation"
|
|
||||||
|
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
"github.com/mitchellh/go-homedir"
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
"golang.org/x/crypto/ssh/terminal"
|
"github.com/urfave/cli/v2/altsrc"
|
||||||
|
"golang.org/x/term"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
|
"github.com/cloudflare/cloudflared/config"
|
||||||
|
"github.com/cloudflare/cloudflared/connection"
|
||||||
|
"github.com/cloudflare/cloudflared/edgediscovery"
|
||||||
|
"github.com/cloudflare/cloudflared/edgediscovery/allregions"
|
||||||
|
"github.com/cloudflare/cloudflared/features"
|
||||||
|
"github.com/cloudflare/cloudflared/ingress"
|
||||||
|
"github.com/cloudflare/cloudflared/orchestration"
|
||||||
|
"github.com/cloudflare/cloudflared/supervisor"
|
||||||
|
"github.com/cloudflare/cloudflared/tlsconfig"
|
||||||
|
"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
|
||||||
)
|
)
|
||||||
|
|
||||||
const LogFieldOriginCertPath = "originCertPath"
|
const (
|
||||||
|
secretValue = "*****"
|
||||||
|
icmpFunnelTimeout = time.Second * 10
|
||||||
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
developerPortal = "https://developers.cloudflare.com/argo-tunnel"
|
developerPortal = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup"
|
||||||
quickStartUrl = developerPortal + "/quickstart/quickstart/"
|
serviceUrl = developerPortal + "/tunnel-guide/local/as-a-service/"
|
||||||
serviceUrl = developerPortal + "/reference/service/"
|
argumentsUrl = developerPortal + "/tunnel-guide/local/local-management/arguments/"
|
||||||
argumentsUrl = developerPortal + "/reference/arguments/"
|
|
||||||
|
|
||||||
LogFieldHostname = "hostname"
|
secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
|
||||||
|
|
||||||
|
configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address"}
|
||||||
)
|
)
|
||||||
|
|
||||||
// returns the first path that contains a cert.pem file. If none of the DefaultConfigSearchDirectories
|
|
||||||
// contains a cert.pem file, return empty string
|
|
||||||
func findDefaultOriginCertPath() string {
|
|
||||||
for _, defaultConfigDir := range config.DefaultConfigSearchDirectories() {
|
|
||||||
originCertPath, _ := homedir.Expand(filepath.Join(defaultConfigDir, config.DefaultCredentialFile))
|
|
||||||
if ok, _ := config.FileExists(originCertPath); ok {
|
|
||||||
return originCertPath
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return ""
|
|
||||||
}
|
|
||||||
|
|
||||||
func generateRandomClientID(log *zerolog.Logger) (string, error) {
|
func generateRandomClientID(log *zerolog.Logger) (string, error) {
|
||||||
u, err := uuid.NewRandom()
|
u, err := uuid.NewRandom()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -62,7 +57,11 @@ func generateRandomClientID(log *zerolog.Logger) (string, error) {
|
||||||
func logClientOptions(c *cli.Context, log *zerolog.Logger) {
|
func logClientOptions(c *cli.Context, log *zerolog.Logger) {
|
||||||
flags := make(map[string]interface{})
|
flags := make(map[string]interface{})
|
||||||
for _, flag := range c.FlagNames() {
|
for _, flag := range c.FlagNames() {
|
||||||
flags[flag] = c.Generic(flag)
|
if isSecretFlag(flag) {
|
||||||
|
flags[flag] = secretValue
|
||||||
|
} else {
|
||||||
|
flags[flag] = c.Generic(flag)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(flags) > 0 {
|
if len(flags) > 0 {
|
||||||
|
@ -76,7 +75,11 @@ func logClientOptions(c *cli.Context, log *zerolog.Logger) {
|
||||||
if strings.Contains(env, "TUNNEL_") {
|
if strings.Contains(env, "TUNNEL_") {
|
||||||
vars := strings.Split(env, "=")
|
vars := strings.Split(env, "=")
|
||||||
if len(vars) == 2 {
|
if len(vars) == 2 {
|
||||||
envs[vars[0]] = vars[1]
|
if isSecretEnvVar(vars[0]) {
|
||||||
|
envs[vars[0]] = secretValue
|
||||||
|
} else {
|
||||||
|
envs[vars[0]] = vars[1]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -85,207 +88,409 @@ func logClientOptions(c *cli.Context, log *zerolog.Logger) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func dnsProxyStandAlone(c *cli.Context) bool {
|
func isSecretFlag(key string) bool {
|
||||||
return c.IsSet("proxy-dns") && (!c.IsSet("hostname") && !c.IsSet("tag") && !c.IsSet("hello-world"))
|
for _, flag := range secretFlags {
|
||||||
}
|
if flag.Name == key {
|
||||||
|
return true
|
||||||
func findOriginCert(originCertPath string, log *zerolog.Logger) (string, error) {
|
|
||||||
if originCertPath == "" {
|
|
||||||
log.Info().Msgf("Cannot determine default origin certificate path. No file %s in %v", config.DefaultCredentialFile, config.DefaultConfigSearchDirectories())
|
|
||||||
if isRunningFromTerminal() {
|
|
||||||
log.Error().Msgf("You need to specify the origin certificate path with --origincert option, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information.", argumentsUrl)
|
|
||||||
return "", fmt.Errorf("client didn't specify origincert path when running from terminal")
|
|
||||||
} else {
|
|
||||||
log.Error().Msgf("You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information.", serviceUrl)
|
|
||||||
return "", fmt.Errorf("client didn't specify origincert path")
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
var err error
|
return false
|
||||||
originCertPath, err = homedir.Expand(originCertPath)
|
|
||||||
if err != nil {
|
|
||||||
log.Err(err).Msgf("Cannot resolve origin certificate path")
|
|
||||||
return "", fmt.Errorf("cannot resolve path %s", originCertPath)
|
|
||||||
}
|
|
||||||
// Check that the user has acquired a certificate using the login command
|
|
||||||
ok, err := config.FileExists(originCertPath)
|
|
||||||
if err != nil {
|
|
||||||
log.Error().Msgf("Cannot check if origin cert exists at path %s", originCertPath)
|
|
||||||
return "", fmt.Errorf("cannot check if origin cert exists at path %s", originCertPath)
|
|
||||||
}
|
|
||||||
if !ok {
|
|
||||||
log.Error().Msgf(`Cannot find a valid certificate for your origin at the path:
|
|
||||||
|
|
||||||
%s
|
|
||||||
|
|
||||||
If the path above is wrong, specify the path with the -origincert option.
|
|
||||||
If you don't have a certificate signed by Cloudflare, run the command:
|
|
||||||
|
|
||||||
%s login
|
|
||||||
`, originCertPath, os.Args[0])
|
|
||||||
return "", fmt.Errorf("cannot find a valid certificate at the path %s", originCertPath)
|
|
||||||
}
|
|
||||||
|
|
||||||
return originCertPath, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func readOriginCert(originCertPath string) ([]byte, error) {
|
func isSecretEnvVar(key string) bool {
|
||||||
// Easier to send the certificate as []byte via RPC than decoding it at this point
|
for _, flag := range secretFlags {
|
||||||
originCert, err := ioutil.ReadFile(originCertPath)
|
for _, secretEnvVar := range flag.EnvVars {
|
||||||
if err != nil {
|
if secretEnvVar == key {
|
||||||
return nil, fmt.Errorf("cannot read %s to load origin certificate", originCertPath)
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return originCert, nil
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
func getOriginCert(originCertPath string, log *zerolog.Logger) ([]byte, error) {
|
func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.TunnelProperties) bool {
|
||||||
if originCertPath, err := findOriginCert(originCertPath, log); err != nil {
|
return c.IsSet("proxy-dns") &&
|
||||||
return nil, err
|
!(c.IsSet("name") || // adhoc-named tunnel
|
||||||
} else {
|
c.IsSet(ingress.HelloWorldFlag) || // quick or named tunnel
|
||||||
return readOriginCert(originCertPath)
|
namedTunnel != nil) // named tunnel
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func prepareTunnelConfig(
|
func prepareTunnelConfig(
|
||||||
|
ctx context.Context,
|
||||||
c *cli.Context,
|
c *cli.Context,
|
||||||
buildInfo *buildinfo.BuildInfo,
|
info *cliutil.BuildInfo,
|
||||||
version string,
|
|
||||||
log, logTransport *zerolog.Logger,
|
log, logTransport *zerolog.Logger,
|
||||||
observer *connection.Observer,
|
observer *connection.Observer,
|
||||||
namedTunnel *connection.NamedTunnelConfig,
|
namedTunnel *connection.TunnelProperties,
|
||||||
) (*origin.TunnelConfig, ingress.Ingress, error) {
|
) (*supervisor.TunnelConfig, *orchestration.Config, error) {
|
||||||
isNamedTunnel := namedTunnel != nil
|
clientID, err := uuid.NewRandom()
|
||||||
|
|
||||||
configHostname := c.String("hostname")
|
|
||||||
hostname, err := validation.ValidateHostname(configHostname)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Err(err).Str(LogFieldHostname, configHostname).Msg("Invalid hostname")
|
return nil, nil, errors.Wrap(err, "can't generate connector UUID")
|
||||||
return nil, ingress.Ingress{}, errors.Wrap(err, "Invalid hostname")
|
|
||||||
}
|
}
|
||||||
isFreeTunnel := hostname == ""
|
log.Info().Msgf("Generated Connector ID: %s", clientID)
|
||||||
clientID := c.String("id")
|
|
||||||
if !c.IsSet("id") {
|
|
||||||
clientID, err = generateRandomClientID(log)
|
|
||||||
if err != nil {
|
|
||||||
return nil, ingress.Ingress{}, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
tags, err := NewTagSliceFromCLI(c.StringSlice("tag"))
|
tags, err := NewTagSliceFromCLI(c.StringSlice("tag"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Err(err).Msg("Tag parse failure")
|
log.Err(err).Msg("Tag parse failure")
|
||||||
return nil, ingress.Ingress{}, errors.Wrap(err, "Tag parse failure")
|
return nil, nil, errors.Wrap(err, "Tag parse failure")
|
||||||
}
|
}
|
||||||
|
tags = append(tags, pogs.Tag{Name: "ID", Value: clientID.String()})
|
||||||
|
|
||||||
tags = append(tags, tunnelpogs.Tag{Name: "ID", Value: clientID})
|
transportProtocol := c.String("protocol")
|
||||||
|
|
||||||
var originCert []byte
|
clientFeatures := features.Dedup(append(c.StringSlice("features"), features.DefaultFeatures...))
|
||||||
if !isFreeTunnel {
|
|
||||||
originCertPath := c.String("origincert")
|
|
||||||
originCertLog := log.With().
|
|
||||||
Str(LogFieldOriginCertPath, originCertPath).
|
|
||||||
Logger()
|
|
||||||
|
|
||||||
originCert, err = getOriginCert(originCertPath, &originCertLog)
|
staticFeatures := features.StaticFeatures{}
|
||||||
if err != nil {
|
if c.Bool("post-quantum") {
|
||||||
return nil, ingress.Ingress{}, errors.Wrap(err, "Error getting origin cert")
|
if FipsEnabled {
|
||||||
|
return nil, nil, fmt.Errorf("post-quantum not supported in FIPS mode")
|
||||||
}
|
}
|
||||||
|
pqMode := features.PostQuantumStrict
|
||||||
|
staticFeatures.PostQuantumMode = &pqMode
|
||||||
}
|
}
|
||||||
|
featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, staticFeatures, log)
|
||||||
var (
|
|
||||||
ingressRules ingress.Ingress
|
|
||||||
classicTunnel *connection.ClassicTunnelConfig
|
|
||||||
)
|
|
||||||
if isNamedTunnel {
|
|
||||||
clientUUID, err := uuid.NewRandom()
|
|
||||||
if err != nil {
|
|
||||||
return nil, ingress.Ingress{}, errors.Wrap(err, "can't generate clientUUID")
|
|
||||||
}
|
|
||||||
namedTunnel.Client = tunnelpogs.ClientInfo{
|
|
||||||
ClientID: clientUUID[:],
|
|
||||||
Features: []string{origin.FeatureSerializedHeaders},
|
|
||||||
Version: version,
|
|
||||||
Arch: fmt.Sprintf("%s_%s", buildInfo.GoOS, buildInfo.GoArch),
|
|
||||||
}
|
|
||||||
ingressRules, err = ingress.ParseIngress(config.GetConfiguration())
|
|
||||||
if err != nil && err != ingress.ErrNoIngressRules {
|
|
||||||
return nil, ingress.Ingress{}, err
|
|
||||||
}
|
|
||||||
if !ingressRules.IsEmpty() && c.IsSet("url") {
|
|
||||||
return nil, ingress.Ingress{}, ingress.ErrURLIncompatibleWithIngress
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
classicTunnel = &connection.ClassicTunnelConfig{
|
|
||||||
Hostname: hostname,
|
|
||||||
OriginCert: originCert,
|
|
||||||
// turn off use of reconnect token and auth refresh when using named tunnels
|
|
||||||
UseReconnectToken: !isNamedTunnel && c.Bool("use-reconnect-token"),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Convert single-origin configuration into multi-origin configuration.
|
|
||||||
if ingressRules.IsEmpty() {
|
|
||||||
ingressRules, err = ingress.NewSingleOrigin(c, !isNamedTunnel)
|
|
||||||
if err != nil {
|
|
||||||
return nil, ingress.Ingress{}, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
protocolSelector, err := connection.NewProtocolSelector(c.String("protocol"), namedTunnel, edgediscovery.HTTP2Percentage, origin.ResolveTTL, log)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, ingress.Ingress{}, err
|
return nil, nil, errors.Wrap(err, "Failed to create feature selector")
|
||||||
|
}
|
||||||
|
pqMode := featureSelector.PostQuantumMode()
|
||||||
|
if pqMode == features.PostQuantumStrict {
|
||||||
|
// Error if the user tries to force a non-quic transport protocol
|
||||||
|
if transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() {
|
||||||
|
return nil, nil, fmt.Errorf("post-quantum is only supported with the quic transport")
|
||||||
|
}
|
||||||
|
transportProtocol = connection.QUIC.String()
|
||||||
|
clientFeatures = append(clientFeatures, features.FeaturePostQuantum)
|
||||||
|
|
||||||
|
log.Info().Msgf(
|
||||||
|
"Using hybrid post-quantum key agreement %s",
|
||||||
|
supervisor.PQKexName,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
namedTunnel.Client = pogs.ClientInfo{
|
||||||
|
ClientID: clientID[:],
|
||||||
|
Features: clientFeatures,
|
||||||
|
Version: info.Version(),
|
||||||
|
Arch: info.OSArch(),
|
||||||
|
}
|
||||||
|
cfg := config.GetConfiguration()
|
||||||
|
ingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), c.Bool("post-quantum"), edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
log.Info().Msgf("Initial protocol %s", protocolSelector.Current())
|
log.Info().Msgf("Initial protocol %s", protocolSelector.Current())
|
||||||
|
|
||||||
edgeTLSConfigs := make(map[connection.Protocol]*tls.Config, len(connection.ProtocolList))
|
edgeTLSConfigs := make(map[connection.Protocol]*tls.Config, len(connection.ProtocolList))
|
||||||
for _, p := range connection.ProtocolList {
|
for _, p := range connection.ProtocolList {
|
||||||
edgeTLSConfig, err := tlsconfig.CreateTunnelConfig(c, p.ServerName())
|
tlsSettings := p.TLSSettings()
|
||||||
|
if tlsSettings == nil {
|
||||||
|
return nil, nil, fmt.Errorf("%s has unknown TLS settings", p)
|
||||||
|
}
|
||||||
|
edgeTLSConfig, err := tlsconfig.CreateTunnelConfig(c, tlsSettings.ServerName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, ingress.Ingress{}, errors.Wrap(err, "unable to create TLS config to connect with edge")
|
return nil, nil, errors.Wrap(err, "unable to create TLS config to connect with edge")
|
||||||
|
}
|
||||||
|
if len(tlsSettings.NextProtos) > 0 {
|
||||||
|
edgeTLSConfig.NextProtos = tlsSettings.NextProtos
|
||||||
}
|
}
|
||||||
edgeTLSConfigs[p] = edgeTLSConfig
|
edgeTLSConfigs[p] = edgeTLSConfig
|
||||||
}
|
}
|
||||||
|
|
||||||
originClient := origin.NewClient(ingressRules, tags, log)
|
gracePeriod, err := gracePeriod(c)
|
||||||
connectionConfig := &connection.Config{
|
if err != nil {
|
||||||
OriginClient: originClient,
|
return nil, nil, err
|
||||||
GracePeriod: c.Duration("grace-period"),
|
|
||||||
ReplaceExisting: c.Bool("force"),
|
|
||||||
}
|
}
|
||||||
muxerConfig := &connection.MuxerConfig{
|
edgeIPVersion, err := parseConfigIPVersion(c.String("edge-ip-version"))
|
||||||
HeartbeatInterval: c.Duration("heartbeat-interval"),
|
if err != nil {
|
||||||
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
|
return nil, nil, err
|
||||||
MaxHeartbeats: uint64(c.Int("heartbeat-count")),
|
}
|
||||||
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
|
edgeBindAddr, err := parseConfigBindAddress(c.String("edge-bind-address"))
|
||||||
CompressionSetting: h2mux.CompressionSetting(uint64(c.Int("compression-quality"))),
|
if err != nil {
|
||||||
MetricsUpdateFreq: c.Duration("metrics-update-freq"),
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
if err := testIPBindable(edgeBindAddr); err != nil {
|
||||||
|
return nil, nil, fmt.Errorf("invalid edge-bind-address %s: %v", edgeBindAddr, err)
|
||||||
|
}
|
||||||
|
edgeIPVersion, err = adjustIPVersionByBindAddress(edgeIPVersion, edgeBindAddr)
|
||||||
|
if err != nil {
|
||||||
|
// This is not a fatal error, we just overrode edgeIPVersion
|
||||||
|
log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
|
||||||
}
|
}
|
||||||
|
|
||||||
return &origin.TunnelConfig{
|
tunnelConfig := &supervisor.TunnelConfig{
|
||||||
ConnectionConfig: connectionConfig,
|
GracePeriod: gracePeriod,
|
||||||
BuildInfo: buildInfo,
|
ReplaceExisting: c.Bool("force"),
|
||||||
ClientID: clientID,
|
OSArch: info.OSArch(),
|
||||||
EdgeAddrs: c.StringSlice("edge"),
|
ClientID: clientID.String(),
|
||||||
HAConnections: c.Int("ha-connections"),
|
EdgeAddrs: c.StringSlice("edge"),
|
||||||
IncidentLookup: origin.NewIncidentLookup(),
|
Region: c.String("region"),
|
||||||
IsAutoupdated: c.Bool("is-autoupdated"),
|
EdgeIPVersion: edgeIPVersion,
|
||||||
IsFreeTunnel: isFreeTunnel,
|
EdgeBindAddr: edgeBindAddr,
|
||||||
LBPool: c.String("lb-pool"),
|
HAConnections: c.Int(haConnectionsFlag),
|
||||||
Tags: tags,
|
IsAutoupdated: c.Bool("is-autoupdated"),
|
||||||
Log: log,
|
LBPool: c.String("lb-pool"),
|
||||||
LogTransport: logTransport,
|
Tags: tags,
|
||||||
Observer: observer,
|
Log: log,
|
||||||
ReportedVersion: version,
|
LogTransport: logTransport,
|
||||||
|
Observer: observer,
|
||||||
|
ReportedVersion: info.Version(),
|
||||||
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
|
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
|
||||||
Retries: uint(c.Int("retries")),
|
Retries: uint(c.Int("retries")),
|
||||||
RunFromTerminal: isRunningFromTerminal(),
|
RunFromTerminal: isRunningFromTerminal(),
|
||||||
NamedTunnel: namedTunnel,
|
NamedTunnel: namedTunnel,
|
||||||
ClassicTunnel: classicTunnel,
|
ProtocolSelector: protocolSelector,
|
||||||
MuxerConfig: muxerConfig,
|
EdgeTLSConfigs: edgeTLSConfigs,
|
||||||
ProtocolSelector: protocolSelector,
|
FeatureSelector: featureSelector,
|
||||||
EdgeTLSConfigs: edgeTLSConfigs,
|
MaxEdgeAddrRetries: uint8(c.Int("max-edge-addr-retries")),
|
||||||
}, ingressRules, nil
|
RPCTimeout: c.Duration(rpcTimeout),
|
||||||
|
WriteStreamTimeout: c.Duration(writeStreamTimeout),
|
||||||
|
DisableQUICPathMTUDiscovery: c.Bool(quicDisablePathMTUDiscovery),
|
||||||
|
QUICConnectionLevelFlowControlLimit: c.Uint64(quicConnLevelFlowControlLimit),
|
||||||
|
QUICStreamLevelFlowControlLimit: c.Uint64(quicStreamLevelFlowControlLimit),
|
||||||
|
}
|
||||||
|
packetConfig, err := newPacketConfig(c, log)
|
||||||
|
if err != nil {
|
||||||
|
log.Warn().Err(err).Msg("ICMP proxy feature is disabled")
|
||||||
|
} else {
|
||||||
|
tunnelConfig.PacketConfig = packetConfig
|
||||||
|
}
|
||||||
|
orchestratorConfig := &orchestration.Config{
|
||||||
|
Ingress: &ingressRules,
|
||||||
|
WarpRouting: ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
|
||||||
|
ConfigurationFlags: parseConfigFlags(c),
|
||||||
|
WriteTimeout: c.Duration(writeStreamTimeout),
|
||||||
|
}
|
||||||
|
return tunnelConfig, orchestratorConfig, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseConfigFlags(c *cli.Context) map[string]string {
|
||||||
|
result := make(map[string]string)
|
||||||
|
|
||||||
|
for _, flag := range configFlags {
|
||||||
|
if v := c.String(flag); c.IsSet(flag) && v != "" {
|
||||||
|
result[flag] = v
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return result
|
||||||
|
}
|
||||||
|
|
||||||
|
func gracePeriod(c *cli.Context) (time.Duration, error) {
|
||||||
|
period := c.Duration("grace-period")
|
||||||
|
if period > connection.MaxGracePeriod {
|
||||||
|
return time.Duration(0), fmt.Errorf("grace-period must be equal or less than %v", connection.MaxGracePeriod)
|
||||||
|
}
|
||||||
|
return period, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func isRunningFromTerminal() bool {
|
func isRunningFromTerminal() bool {
|
||||||
return terminal.IsTerminal(int(os.Stdout.Fd()))
|
return term.IsTerminal(int(os.Stdout.Fd()))
|
||||||
|
}
|
||||||
|
|
||||||
|
// ParseConfigIPVersion returns the IP version from possible expected values from config
|
||||||
|
func parseConfigIPVersion(version string) (v allregions.ConfigIPVersion, err error) {
|
||||||
|
switch version {
|
||||||
|
case "4":
|
||||||
|
v = allregions.IPv4Only
|
||||||
|
case "6":
|
||||||
|
v = allregions.IPv6Only
|
||||||
|
case "auto":
|
||||||
|
v = allregions.Auto
|
||||||
|
default: // unspecified or invalid
|
||||||
|
err = fmt.Errorf("invalid value for edge-ip-version: %s", version)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseConfigBindAddress(ipstr string) (net.IP, error) {
|
||||||
|
// Unspecified - it's fine
|
||||||
|
if ipstr == "" {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
ip := net.ParseIP(ipstr)
|
||||||
|
if ip == nil {
|
||||||
|
return nil, fmt.Errorf("invalid value for edge-bind-address: %s", ipstr)
|
||||||
|
}
|
||||||
|
return ip, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func testIPBindable(ip net.IP) error {
|
||||||
|
// "Unspecified" = let OS choose, so always bindable
|
||||||
|
if ip == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
addr := &net.UDPAddr{IP: ip, Port: 0}
|
||||||
|
listener, err := net.ListenUDP("udp", addr)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
listener.Close()
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func adjustIPVersionByBindAddress(ipVersion allregions.ConfigIPVersion, ip net.IP) (allregions.ConfigIPVersion, error) {
|
||||||
|
if ip == nil {
|
||||||
|
return ipVersion, nil
|
||||||
|
}
|
||||||
|
// https://pkg.go.dev/net#IP.To4: "If ip is not an IPv4 address, To4 returns nil."
|
||||||
|
if ip.To4() != nil {
|
||||||
|
if ipVersion == allregions.IPv6Only {
|
||||||
|
return allregions.IPv4Only, fmt.Errorf("IPv4 bind address is specified, but edge-ip-version is IPv6")
|
||||||
|
}
|
||||||
|
return allregions.IPv4Only, nil
|
||||||
|
} else {
|
||||||
|
if ipVersion == allregions.IPv4Only {
|
||||||
|
return allregions.IPv6Only, fmt.Errorf("IPv6 bind address is specified, but edge-ip-version is IPv4")
|
||||||
|
}
|
||||||
|
return allregions.IPv6Only, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func newPacketConfig(c *cli.Context, logger *zerolog.Logger) (*ingress.GlobalRouterConfig, error) {
|
||||||
|
ipv4Src, err := determineICMPv4Src(c.String("icmpv4-src"), logger)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
|
||||||
|
}
|
||||||
|
logger.Info().Msgf("ICMP proxy will use %s as source for IPv4", ipv4Src)
|
||||||
|
|
||||||
|
ipv6Src, zone, err := determineICMPv6Src(c.String("icmpv6-src"), logger, ipv4Src)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
|
||||||
|
}
|
||||||
|
if zone != "" {
|
||||||
|
logger.Info().Msgf("ICMP proxy will use %s in zone %s as source for IPv6", ipv6Src, zone)
|
||||||
|
} else {
|
||||||
|
logger.Info().Msgf("ICMP proxy will use %s as source for IPv6", ipv6Src)
|
||||||
|
}
|
||||||
|
|
||||||
|
icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, zone, logger, icmpFunnelTimeout)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return &ingress.GlobalRouterConfig{
|
||||||
|
ICMPRouter: icmpRouter,
|
||||||
|
IPv4Src: ipv4Src,
|
||||||
|
IPv6Src: ipv6Src,
|
||||||
|
Zone: zone,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func determineICMPv4Src(userDefinedSrc string, logger *zerolog.Logger) (netip.Addr, error) {
|
||||||
|
if userDefinedSrc != "" {
|
||||||
|
addr, err := netip.ParseAddr(userDefinedSrc)
|
||||||
|
if err != nil {
|
||||||
|
return netip.Addr{}, err
|
||||||
|
}
|
||||||
|
if addr.Is4() {
|
||||||
|
return addr, nil
|
||||||
|
}
|
||||||
|
return netip.Addr{}, fmt.Errorf("expect IPv4, but %s is IPv6", userDefinedSrc)
|
||||||
|
}
|
||||||
|
|
||||||
|
addr, err := findLocalAddr(net.ParseIP("192.168.0.1"), 53)
|
||||||
|
if err != nil {
|
||||||
|
addr = netip.IPv4Unspecified()
|
||||||
|
logger.Debug().Err(err).Msgf("Failed to determine the IPv4 for this machine. It will use %s to send/listen for ICMPv4 echo", addr)
|
||||||
|
}
|
||||||
|
return addr, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
type interfaceIP struct {
|
||||||
|
name string
|
||||||
|
ip net.IP
|
||||||
|
}
|
||||||
|
|
||||||
|
func determineICMPv6Src(userDefinedSrc string, logger *zerolog.Logger, ipv4Src netip.Addr) (addr netip.Addr, zone string, err error) {
|
||||||
|
if userDefinedSrc != "" {
|
||||||
|
userDefinedIP, zone, _ := strings.Cut(userDefinedSrc, "%")
|
||||||
|
addr, err := netip.ParseAddr(userDefinedIP)
|
||||||
|
if err != nil {
|
||||||
|
return netip.Addr{}, "", err
|
||||||
|
}
|
||||||
|
if addr.Is6() {
|
||||||
|
return addr, zone, nil
|
||||||
|
}
|
||||||
|
return netip.Addr{}, "", fmt.Errorf("expect IPv6, but %s is IPv4", userDefinedSrc)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Loop through all the interfaces, the preference is
|
||||||
|
// 1. The interface where ipv4Src is in
|
||||||
|
// 2. Interface with IPv6 address
|
||||||
|
// 3. Unspecified interface
|
||||||
|
|
||||||
|
interfaces, err := net.Interfaces()
|
||||||
|
if err != nil {
|
||||||
|
return netip.IPv6Unspecified(), "", nil
|
||||||
|
}
|
||||||
|
|
||||||
|
interfacesWithIPv6 := make([]interfaceIP, 0)
|
||||||
|
for _, interf := range interfaces {
|
||||||
|
interfaceAddrs, err := interf.Addrs()
|
||||||
|
if err != nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
foundIPv4SrcInterface := false
|
||||||
|
for _, interfaceAddr := range interfaceAddrs {
|
||||||
|
if ipnet, ok := interfaceAddr.(*net.IPNet); ok {
|
||||||
|
ip := ipnet.IP
|
||||||
|
if ip.Equal(ipv4Src.AsSlice()) {
|
||||||
|
foundIPv4SrcInterface = true
|
||||||
|
}
|
||||||
|
if ip.To4() == nil {
|
||||||
|
interfacesWithIPv6 = append(interfacesWithIPv6, interfaceIP{
|
||||||
|
name: interf.Name,
|
||||||
|
ip: ip,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// Found the interface of ipv4Src. Loop through the addresses to see if there is an IPv6
|
||||||
|
if foundIPv4SrcInterface {
|
||||||
|
for _, interfaceAddr := range interfaceAddrs {
|
||||||
|
if ipnet, ok := interfaceAddr.(*net.IPNet); ok {
|
||||||
|
ip := ipnet.IP
|
||||||
|
if ip.To4() == nil {
|
||||||
|
addr, err := netip.ParseAddr(ip.String())
|
||||||
|
if err == nil {
|
||||||
|
return addr, interf.Name, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, interf := range interfacesWithIPv6 {
|
||||||
|
addr, err := netip.ParseAddr(interf.ip.String())
|
||||||
|
if err == nil {
|
||||||
|
return addr, interf.name, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
logger.Debug().Err(err).Msgf("Failed to determine the IPv6 for this machine. It will use %s to send/listen for ICMPv6 echo", netip.IPv6Unspecified())
|
||||||
|
|
||||||
|
return netip.IPv6Unspecified(), "", nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// FindLocalAddr tries to dial UDP and returns the local address picked by the OS
|
||||||
|
func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
|
||||||
|
udpConn, err := net.DialUDP("udp", nil, &net.UDPAddr{
|
||||||
|
IP: dst,
|
||||||
|
Port: port,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return netip.Addr{}, err
|
||||||
|
}
|
||||||
|
defer udpConn.Close()
|
||||||
|
localAddrPort, err := netip.ParseAddrPort(udpConn.LocalAddr().String())
|
||||||
|
if err != nil {
|
||||||
|
return netip.Addr{}, err
|
||||||
|
}
|
||||||
|
localAddr := localAddrPort.Addr()
|
||||||
|
return localAddr, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
// +build ignore
|
//go:build ignore
|
||||||
|
|
||||||
// TODO: Remove the above build tag and include this test when we start compiling with Golang 1.10.0+
|
// TODO: Remove the above build tag and include this test when we start compiling with Golang 1.10.0+
|
||||||
|
|
||||||
package tunnel
|
package tunnel
|
||||||
|
@ -7,6 +8,7 @@ import (
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
"encoding/asn1"
|
"encoding/asn1"
|
||||||
|
"net"
|
||||||
"os"
|
"os"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
@ -212,3 +214,23 @@ func getCertPoolSubjects(certPool *x509.CertPool) ([]*pkix.Name, error) {
|
||||||
func isUnrecoverableError(err error) bool {
|
func isUnrecoverableError(err error) bool {
|
||||||
return err != nil && err.Error() != "crypto/x509: system root pool is not available on Windows"
|
return err != nil && err.Error() != "crypto/x509: system root pool is not available on Windows"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestTestIPBindable(t *testing.T) {
|
||||||
|
assert.Nil(t, testIPBindable(nil))
|
||||||
|
|
||||||
|
// Public services - if one of these IPs is on the machine, the test environment is too weird
|
||||||
|
assert.NotNil(t, testIPBindable(net.ParseIP("8.8.8.8")))
|
||||||
|
assert.NotNil(t, testIPBindable(net.ParseIP("1.1.1.1")))
|
||||||
|
|
||||||
|
addrs, err := net.InterfaceAddrs()
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
for i, addr := range addrs {
|
||||||
|
if i >= 3 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
ip := addr.(*net.IPNet).IP
|
||||||
|
assert.Nil(t, testIPBindable(ip))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -4,7 +4,8 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
"github.com/cloudflare/cloudflared/config"
|
||||||
|
"github.com/cloudflare/cloudflared/credentials"
|
||||||
|
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
|
@ -56,13 +57,13 @@ func newSearchByID(id uuid.UUID, c *cli.Context, log *zerolog.Logger, fs fileSys
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s searchByID) Path() (string, error) {
|
func (s searchByID) Path() (string, error) {
|
||||||
originCertPath := s.c.String("origincert")
|
originCertPath := s.c.String(credentials.OriginCertFlag)
|
||||||
originCertLog := s.log.With().
|
originCertLog := s.log.With().
|
||||||
Str(LogFieldOriginCertPath, originCertPath).
|
Str("originCertPath", originCertPath).
|
||||||
Logger()
|
Logger()
|
||||||
|
|
||||||
// Fallback to look for tunnel credentials in the origin cert directory
|
// Fallback to look for tunnel credentials in the origin cert directory
|
||||||
if originCertPath, err := findOriginCert(originCertPath, &originCertLog); err == nil {
|
if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil {
|
||||||
originCertDir := filepath.Dir(originCertPath)
|
originCertDir := filepath.Dir(originCertPath)
|
||||||
if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {
|
if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {
|
||||||
if s.fs.validFilePath(filePath) {
|
if s.fs.validFilePath(filePath) {
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
package tunnel
|
package tunnel
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"io/ioutil"
|
|
||||||
"os"
|
"os"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -23,5 +22,5 @@ func (fs realFileSystem) validFilePath(path string) bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (fs realFileSystem) readFile(filePath string) ([]byte, error) {
|
func (fs realFileSystem) readFile(filePath string) ([]byte, error) {
|
||||||
return ioutil.ReadFile(filePath)
|
return os.ReadFile(filePath)
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
package tunnel
|
||||||
|
|
||||||
|
var FipsEnabled bool
|
|
@ -0,0 +1,16 @@
|
||||||
|
package tunnel
|
||||||
|
|
||||||
|
import (
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cfapi"
|
||||||
|
)
|
||||||
|
|
||||||
|
type Info struct {
|
||||||
|
ID uuid.UUID `json:"id"`
|
||||||
|
Name string `json:"name"`
|
||||||
|
CreatedAt time.Time `json:"createdAt"`
|
||||||
|
Connectors []*cfapi.ActiveClient `json:"conns"`
|
||||||
|
}
|
|
@ -1,17 +1,27 @@
|
||||||
package tunnel
|
package tunnel
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
"github.com/cloudflare/cloudflared/config"
|
||||||
"github.com/cloudflare/cloudflared/ingress"
|
"github.com/cloudflare/cloudflared/ingress"
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const ingressDataJSONFlagName = "json"
|
||||||
|
|
||||||
|
var ingressDataJSON = &cli.StringFlag{
|
||||||
|
Name: ingressDataJSONFlagName,
|
||||||
|
Aliases: []string{"j"},
|
||||||
|
Usage: `Accepts data in the form of json as an input rather than read from a file`,
|
||||||
|
EnvVars: []string{"TUNNEL_INGRESS_VALIDATE_JSON"},
|
||||||
|
}
|
||||||
|
|
||||||
func buildIngressSubcommand() *cli.Command {
|
func buildIngressSubcommand() *cli.Command {
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: "ingress",
|
Name: "ingress",
|
||||||
|
@ -45,17 +55,18 @@ func buildIngressSubcommand() *cli.Command {
|
||||||
func buildValidateIngressCommand() *cli.Command {
|
func buildValidateIngressCommand() *cli.Command {
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: "validate",
|
Name: "validate",
|
||||||
Action: cliutil.ErrorHandler(validateIngressCommand),
|
Action: cliutil.ConfiguredActionWithWarnings(validateIngressCommand),
|
||||||
Usage: "Validate the ingress configuration ",
|
Usage: "Validate the ingress configuration ",
|
||||||
UsageText: "cloudflared tunnel [--config FILEPATH] ingress validate",
|
UsageText: "cloudflared tunnel [--config FILEPATH] ingress validate",
|
||||||
Description: "Validates the configuration file, ensuring your ingress rules are OK.",
|
Description: "Validates the configuration file, ensuring your ingress rules are OK.",
|
||||||
|
Flags: []cli.Flag{ingressDataJSON},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildTestURLCommand() *cli.Command {
|
func buildTestURLCommand() *cli.Command {
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: "rule",
|
Name: "rule",
|
||||||
Action: cliutil.ErrorHandler(testURLCommand),
|
Action: cliutil.ConfiguredAction(testURLCommand),
|
||||||
Usage: "Check which ingress rule matches a given request URL",
|
Usage: "Check which ingress rule matches a given request URL",
|
||||||
UsageText: "cloudflared tunnel [--config FILEPATH] ingress rule URL",
|
UsageText: "cloudflared tunnel [--config FILEPATH] ingress rule URL",
|
||||||
ArgsUsage: "URL",
|
ArgsUsage: "URL",
|
||||||
|
@ -68,23 +79,43 @@ func buildTestURLCommand() *cli.Command {
|
||||||
}
|
}
|
||||||
|
|
||||||
// validateIngressCommand check the syntax of the ingress rules in the cloudflared config file
|
// validateIngressCommand check the syntax of the ingress rules in the cloudflared config file
|
||||||
func validateIngressCommand(c *cli.Context) error {
|
func validateIngressCommand(c *cli.Context, warnings string) error {
|
||||||
conf := config.GetConfiguration()
|
conf, err := getConfiguration(c)
|
||||||
if conf.Source() == "" {
|
if err != nil {
|
||||||
fmt.Println("No configuration file was found. Please create one, or use the --config flag to specify its filepath. You can use the help command to learn more about configuration files")
|
return err
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
fmt.Println("Validating rules from", conf.Source())
|
|
||||||
if _, err := ingress.ParseIngress(conf); err != nil {
|
if _, err := ingress.ParseIngress(conf); err != nil {
|
||||||
return errors.Wrap(err, "Validation failed")
|
return errors.Wrap(err, "Validation failed")
|
||||||
}
|
}
|
||||||
if c.IsSet("url") {
|
if c.IsSet("url") {
|
||||||
return ingress.ErrURLIncompatibleWithIngress
|
return ingress.ErrURLIncompatibleWithIngress
|
||||||
}
|
}
|
||||||
|
if warnings != "" {
|
||||||
|
fmt.Println("Warning: unused keys detected in your config file. Here is a list of unused keys:")
|
||||||
|
fmt.Println(warnings)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
fmt.Println("OK")
|
fmt.Println("OK")
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getConfiguration(c *cli.Context) (*config.Configuration, error) {
|
||||||
|
var conf *config.Configuration
|
||||||
|
if c.IsSet(ingressDataJSONFlagName) {
|
||||||
|
ingressJSON := c.String(ingressDataJSONFlagName)
|
||||||
|
fmt.Println("Validating rules from cmdline flag --json")
|
||||||
|
err := json.Unmarshal([]byte(ingressJSON), &conf)
|
||||||
|
return conf, err
|
||||||
|
}
|
||||||
|
conf = config.GetConfiguration()
|
||||||
|
if conf.Source() == "" {
|
||||||
|
return nil, errors.New("No configuration file was found. Please create one, or use the --config flag to specify its filepath. You can use the help command to learn more about configuration files")
|
||||||
|
}
|
||||||
|
fmt.Println("Validating rules from", conf.Source())
|
||||||
|
return conf, nil
|
||||||
|
}
|
||||||
|
|
||||||
// testURLCommand checks which ingress rule matches the given URL.
|
// testURLCommand checks which ingress rule matches the given URL.
|
||||||
func testURLCommand(c *cli.Context) error {
|
func testURLCommand(c *cli.Context) error {
|
||||||
requestArg := c.Args().First()
|
requestArg := c.Args().First()
|
||||||
|
@ -108,7 +139,7 @@ func testURLCommand(c *cli.Context) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
_, i := ing.FindMatchingRule(requestURL.Hostname(), requestURL.Path)
|
_, i := ing.FindMatchingRule(requestURL.Hostname(), requestURL.Path)
|
||||||
fmt.Printf("Matched rule #%d\n", i+1)
|
fmt.Printf("Matched rule #%d\n", i)
|
||||||
fmt.Println(ing.Rules[i].MultiLineString())
|
fmt.Println(ing.Rules[i].MultiLineString())
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,40 +2,34 @@ package tunnel
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
|
||||||
"net/url"
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"syscall"
|
"syscall"
|
||||||
|
|
||||||
"github.com/mitchellh/go-homedir"
|
homedir "github.com/mitchellh/go-homedir"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
"github.com/cloudflare/cloudflared/config"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/transfer"
|
"github.com/cloudflare/cloudflared/credentials"
|
||||||
"github.com/cloudflare/cloudflared/logger"
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
|
"github.com/cloudflare/cloudflared/token"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
baseLoginURL = "https://dash.cloudflare.com/argotunnel"
|
baseLoginURL = "https://dash.cloudflare.com/argotunnel"
|
||||||
callbackStoreURL = "https://login.argotunnel.com/"
|
callbackStoreURL = "https://login.cloudflareaccess.org/"
|
||||||
)
|
)
|
||||||
|
|
||||||
func buildLoginSubcommand(hidden bool) *cli.Command {
|
func buildLoginSubcommand(hidden bool) *cli.Command {
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: "login",
|
Name: "login",
|
||||||
Action: cliutil.ErrorHandler(login),
|
Action: cliutil.ConfiguredAction(login),
|
||||||
Usage: "Generate a configuration file with your login details",
|
Usage: "Generate a configuration file with your login details",
|
||||||
ArgsUsage: " ",
|
ArgsUsage: " ",
|
||||||
Flags: []cli.Flag{
|
Hidden: hidden,
|
||||||
&cli.StringFlag{
|
|
||||||
Name: "url",
|
|
||||||
Hidden: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Hidden: hidden,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -56,8 +50,9 @@ func login(c *cli.Context) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
resourceData, err := transfer.Run(
|
resourceData, err := token.RunTransfer(
|
||||||
loginURL,
|
loginURL,
|
||||||
|
"",
|
||||||
"cert",
|
"cert",
|
||||||
"callback",
|
"callback",
|
||||||
callbackStoreURL,
|
callbackStoreURL,
|
||||||
|
@ -70,7 +65,7 @@ func login(c *cli.Context) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := ioutil.WriteFile(path, resourceData, 0600); err != nil {
|
if err := os.WriteFile(path, resourceData, 0600); err != nil {
|
||||||
return errors.Wrap(err, fmt.Sprintf("error writing cert to %s", path))
|
return errors.Wrap(err, fmt.Sprintf("error writing cert to %s", path))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -91,7 +86,7 @@ func checkForExistingCert() (string, bool, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", false, err
|
return "", false, err
|
||||||
}
|
}
|
||||||
path := filepath.Join(configPath, config.DefaultCredentialFile)
|
path := filepath.Join(configPath, credentials.DefaultCredentialFile)
|
||||||
fileInfo, err := os.Stat(path)
|
fileInfo, err := os.Stat(path)
|
||||||
if err == nil && fileInfo.Size() > 0 {
|
if err == nil && fileInfo.Size() > 0 {
|
||||||
return path, true, nil
|
return path, true, nil
|
||||||
|
|
|
@ -0,0 +1,140 @@
|
||||||
|
package tunnel
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net/http"
|
||||||
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/connection"
|
||||||
|
)
|
||||||
|
|
||||||
|
const httpTimeout = 15 * time.Second
|
||||||
|
|
||||||
|
const disclaimer = "Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee, are subject to the Cloudflare Online Services Terms of Use (https://www.cloudflare.com/website-terms/), and Cloudflare reserves the right to investigate your use of Tunnels for violations of such terms. If you intend to use Tunnels in production you should use a pre-created named tunnel by following: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps"
|
||||||
|
|
||||||
|
// RunQuickTunnel requests a tunnel from the specified service.
|
||||||
|
// We use this to power quick tunnels on trycloudflare.com, but the
|
||||||
|
// service is open-source and could be used by anyone.
|
||||||
|
func RunQuickTunnel(sc *subcommandContext) error {
|
||||||
|
sc.log.Info().Msg(disclaimer)
|
||||||
|
sc.log.Info().Msg("Requesting new quick Tunnel on trycloudflare.com...")
|
||||||
|
|
||||||
|
client := http.Client{
|
||||||
|
Transport: &http.Transport{
|
||||||
|
TLSHandshakeTimeout: httpTimeout,
|
||||||
|
ResponseHeaderTimeout: httpTimeout,
|
||||||
|
},
|
||||||
|
Timeout: httpTimeout,
|
||||||
|
}
|
||||||
|
|
||||||
|
req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/tunnel", sc.c.String("quick-service")), nil)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "failed to build quick tunnel request")
|
||||||
|
}
|
||||||
|
req.Header.Add("Content-Type", "application/json")
|
||||||
|
req.Header.Add("User-Agent", buildInfo.UserAgent())
|
||||||
|
resp, err := client.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "failed to request quick Tunnel")
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
// This will read the entire response into memory so we can print it in case of error
|
||||||
|
rsp_body, err := io.ReadAll(resp.Body)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "failed to read quick-tunnel response")
|
||||||
|
}
|
||||||
|
|
||||||
|
var data QuickTunnelResponse
|
||||||
|
if err := json.Unmarshal(rsp_body, &data); err != nil {
|
||||||
|
rsp_string := string(rsp_body)
|
||||||
|
fields := map[string]interface{}{"status_code": resp.Status}
|
||||||
|
sc.log.Err(err).Fields(fields).Msgf("Error unmarshaling QuickTunnel response: %s", rsp_string)
|
||||||
|
return errors.Wrap(err, "failed to unmarshal quick Tunnel")
|
||||||
|
}
|
||||||
|
|
||||||
|
tunnelID, err := uuid.Parse(data.Result.ID)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "failed to parse quick Tunnel ID")
|
||||||
|
}
|
||||||
|
|
||||||
|
credentials := connection.Credentials{
|
||||||
|
AccountTag: data.Result.AccountTag,
|
||||||
|
TunnelSecret: data.Result.Secret,
|
||||||
|
TunnelID: tunnelID,
|
||||||
|
}
|
||||||
|
|
||||||
|
url := data.Result.Hostname
|
||||||
|
if !strings.HasPrefix(url, "https://") {
|
||||||
|
url = "https://" + url
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, line := range AsciiBox([]string{
|
||||||
|
"Your quick Tunnel has been created! Visit it at (it may take some time to be reachable):",
|
||||||
|
url,
|
||||||
|
}, 2) {
|
||||||
|
sc.log.Info().Msg(line)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !sc.c.IsSet("protocol") {
|
||||||
|
sc.c.Set("protocol", "quic")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Override the number of connections used. Quick tunnels shouldn't be used for production usage,
|
||||||
|
// so, use a single connection instead.
|
||||||
|
sc.c.Set(haConnectionsFlag, "1")
|
||||||
|
return StartServer(
|
||||||
|
sc.c,
|
||||||
|
buildInfo,
|
||||||
|
&connection.TunnelProperties{Credentials: credentials, QuickTunnelUrl: data.Result.Hostname},
|
||||||
|
sc.log,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
type QuickTunnelResponse struct {
|
||||||
|
Success bool
|
||||||
|
Result QuickTunnel
|
||||||
|
Errors []QuickTunnelError
|
||||||
|
}
|
||||||
|
|
||||||
|
type QuickTunnelError struct {
|
||||||
|
Code int
|
||||||
|
Message string
|
||||||
|
}
|
||||||
|
|
||||||
|
type QuickTunnel struct {
|
||||||
|
ID string `json:"id"`
|
||||||
|
Name string `json:"name"`
|
||||||
|
Hostname string `json:"hostname"`
|
||||||
|
AccountTag string `json:"account_tag"`
|
||||||
|
Secret []byte `json:"secret"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// Print out the given lines in a nice ASCII box.
|
||||||
|
func AsciiBox(lines []string, padding int) (box []string) {
|
||||||
|
maxLen := maxLen(lines)
|
||||||
|
spacer := strings.Repeat(" ", padding)
|
||||||
|
border := "+" + strings.Repeat("-", maxLen+(padding*2)) + "+"
|
||||||
|
box = append(box, border)
|
||||||
|
for _, line := range lines {
|
||||||
|
box = append(box, "|"+spacer+line+strings.Repeat(" ", maxLen-len(line))+spacer+"|")
|
||||||
|
}
|
||||||
|
box = append(box, border)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func maxLen(lines []string) int {
|
||||||
|
max := 0
|
||||||
|
for _, line := range lines {
|
||||||
|
if len(line) > max {
|
||||||
|
max = len(line)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return max
|
||||||
|
}
|
|
@ -1,3 +1,5 @@
|
||||||
|
//go:build !windows
|
||||||
|
|
||||||
package tunnel
|
package tunnel
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -101,4 +103,3 @@ func TestWaitForShutdown(t *testing.T) {
|
||||||
assert.True(t, contextCancelled)
|
assert.True(t, contextCancelled)
|
||||||
assert.True(t, time.Now().Sub(startTime) < time.Second) // check that wait ended early
|
assert.True(t, time.Now().Sub(startTime) < time.Second) // check that wait ended early
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
package tunnel
|
package tunnel
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/base64"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
|
"path/filepath"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
|
@ -11,10 +13,10 @@ import (
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/certutil"
|
"github.com/cloudflare/cloudflared/cfapi"
|
||||||
"github.com/cloudflare/cloudflared/connection"
|
"github.com/cloudflare/cloudflared/connection"
|
||||||
|
"github.com/cloudflare/cloudflared/credentials"
|
||||||
"github.com/cloudflare/cloudflared/logger"
|
"github.com/cloudflare/cloudflared/logger"
|
||||||
"github.com/cloudflare/cloudflared/tunnelstore"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type errInvalidJSONCredential struct {
|
type errInvalidJSONCredential struct {
|
||||||
|
@ -29,27 +31,20 @@ func (e errInvalidJSONCredential) Error() string {
|
||||||
// subcommandContext carries structs shared between subcommands, to reduce number of arguments needed to
|
// subcommandContext carries structs shared between subcommands, to reduce number of arguments needed to
|
||||||
// pass between subcommands, and make sure they are only initialized once
|
// pass between subcommands, and make sure they are only initialized once
|
||||||
type subcommandContext struct {
|
type subcommandContext struct {
|
||||||
c *cli.Context
|
c *cli.Context
|
||||||
log *zerolog.Logger
|
log *zerolog.Logger
|
||||||
isUIEnabled bool
|
fs fileSystem
|
||||||
fs fileSystem
|
|
||||||
|
|
||||||
// These fields should be accessed using their respective Getter
|
// These fields should be accessed using their respective Getter
|
||||||
tunnelstoreClient tunnelstore.Client
|
tunnelstoreClient cfapi.Client
|
||||||
userCredential *userCredential
|
userCredential *credentials.User
|
||||||
}
|
}
|
||||||
|
|
||||||
func newSubcommandContext(c *cli.Context) (*subcommandContext, error) {
|
func newSubcommandContext(c *cli.Context) (*subcommandContext, error) {
|
||||||
isUIEnabled := c.IsSet(uiFlag) && c.String("name") != ""
|
|
||||||
|
|
||||||
// If UI is enabled, terminal log output should be disabled -- log should be written into a UI log window instead
|
|
||||||
log := logger.CreateLoggerFromContext(c, isUIEnabled)
|
|
||||||
|
|
||||||
return &subcommandContext{
|
return &subcommandContext{
|
||||||
c: c,
|
c: c,
|
||||||
log: log,
|
log: logger.CreateLoggerFromContext(c, logger.EnableTerminalLog),
|
||||||
isUIEnabled: isUIEnabled,
|
fs: realFileSystem{},
|
||||||
fs: realFileSystem{},
|
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -61,65 +56,28 @@ func (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder {
|
||||||
return newSearchByID(tunnelID, sc.c, sc.log, sc.fs)
|
return newSearchByID(tunnelID, sc.c, sc.log, sc.fs)
|
||||||
}
|
}
|
||||||
|
|
||||||
type userCredential struct {
|
func (sc *subcommandContext) client() (cfapi.Client, error) {
|
||||||
cert *certutil.OriginCert
|
|
||||||
certPath string
|
|
||||||
}
|
|
||||||
|
|
||||||
func (sc *subcommandContext) client() (tunnelstore.Client, error) {
|
|
||||||
if sc.tunnelstoreClient != nil {
|
if sc.tunnelstoreClient != nil {
|
||||||
return sc.tunnelstoreClient, nil
|
return sc.tunnelstoreClient, nil
|
||||||
}
|
}
|
||||||
credential, err := sc.credential()
|
cred, err := sc.credential()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
userAgent := fmt.Sprintf("cloudflared/%s", version)
|
sc.tunnelstoreClient, err = cred.Client(sc.c.String("api-url"), buildInfo.UserAgent(), sc.log)
|
||||||
client, err := tunnelstore.NewRESTClient(
|
|
||||||
sc.c.String("api-url"),
|
|
||||||
credential.cert.AccountID,
|
|
||||||
credential.cert.ZoneID,
|
|
||||||
credential.cert.ServiceKey,
|
|
||||||
userAgent,
|
|
||||||
sc.log,
|
|
||||||
)
|
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
sc.tunnelstoreClient = client
|
return sc.tunnelstoreClient, nil
|
||||||
return client, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (sc *subcommandContext) credential() (*userCredential, error) {
|
func (sc *subcommandContext) credential() (*credentials.User, error) {
|
||||||
if sc.userCredential == nil {
|
if sc.userCredential == nil {
|
||||||
originCertPath := sc.c.String("origincert")
|
uc, err := credentials.Read(sc.c.String(credentials.OriginCertFlag), sc.log)
|
||||||
originCertLog := sc.log.With().
|
|
||||||
Str(LogFieldOriginCertPath, originCertPath).
|
|
||||||
Logger()
|
|
||||||
|
|
||||||
originCertPath, err := findOriginCert(originCertPath, &originCertLog)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "Error locating origin cert")
|
return nil, err
|
||||||
}
|
|
||||||
blocks, err := readOriginCert(originCertPath)
|
|
||||||
if err != nil {
|
|
||||||
return nil, errors.Wrapf(err, "Can't read origin cert from %s", originCertPath)
|
|
||||||
}
|
|
||||||
|
|
||||||
cert, err := certutil.DecodeOriginCert(blocks)
|
|
||||||
if err != nil {
|
|
||||||
return nil, errors.Wrap(err, "Error decoding origin cert")
|
|
||||||
}
|
|
||||||
|
|
||||||
if cert.AccountID == "" {
|
|
||||||
return nil, errors.Errorf(`Origin certificate needs to be refreshed before creating new tunnels.\nDelete %s and run "cloudflared login" to obtain a new cert.`, originCertPath)
|
|
||||||
}
|
|
||||||
|
|
||||||
sc.userCredential = &userCredential{
|
|
||||||
cert: cert,
|
|
||||||
certPath: originCertPath,
|
|
||||||
}
|
}
|
||||||
|
sc.userCredential = uc
|
||||||
}
|
}
|
||||||
return sc.userCredential, nil
|
return sc.userCredential, nil
|
||||||
}
|
}
|
||||||
|
@ -147,15 +105,27 @@ func (sc *subcommandContext) readTunnelCredentials(credFinder CredFinder) (conne
|
||||||
return credentials, nil
|
return credentials, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (sc *subcommandContext) create(name string, credentialsOutputPath string) (*tunnelstore.Tunnel, error) {
|
func (sc *subcommandContext) create(name string, credentialsFilePath string, secret string) (*cfapi.Tunnel, error) {
|
||||||
client, err := sc.client()
|
client, err := sc.client()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "couldn't create client to talk to Argo Tunnel backend")
|
return nil, errors.Wrap(err, "couldn't create client to talk to Cloudflare Tunnel backend")
|
||||||
}
|
}
|
||||||
|
|
||||||
tunnelSecret, err := generateTunnelSecret()
|
var tunnelSecret []byte
|
||||||
if err != nil {
|
if secret == "" {
|
||||||
return nil, errors.Wrap(err, "couldn't generate the secret for your new tunnel")
|
tunnelSecret, err = generateTunnelSecret()
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "couldn't generate the secret for your new tunnel")
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
decodedSecret, err := base64.StdEncoding.DecodeString(secret)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "Couldn't decode tunnel secret from base64")
|
||||||
|
}
|
||||||
|
tunnelSecret = []byte(decodedSecret)
|
||||||
|
if len(tunnelSecret) < 32 {
|
||||||
|
return nil, errors.New("Decoded tunnel secret must be at least 32 bytes long")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
tunnel, err := client.CreateTunnel(name, tunnelSecret)
|
tunnel, err := client.CreateTunnel(name, tunnelSecret)
|
||||||
|
@ -168,36 +138,49 @@ func (sc *subcommandContext) create(name string, credentialsOutputPath string) (
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
tunnelCredentials := connection.Credentials{
|
tunnelCredentials := connection.Credentials{
|
||||||
AccountTag: credential.cert.AccountID,
|
AccountTag: credential.AccountID(),
|
||||||
TunnelSecret: tunnelSecret,
|
TunnelSecret: tunnelSecret,
|
||||||
TunnelID: tunnel.ID,
|
TunnelID: tunnel.ID,
|
||||||
TunnelName: name,
|
|
||||||
}
|
}
|
||||||
filePath, writeFileErr := writeTunnelCredentials(credential.certPath, credentialsOutputPath, &tunnelCredentials)
|
usedCertPath := false
|
||||||
|
if credentialsFilePath == "" {
|
||||||
|
originCertDir := filepath.Dir(credential.CertPath())
|
||||||
|
credentialsFilePath, err = tunnelFilePath(tunnelCredentials.TunnelID, originCertDir)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
usedCertPath = true
|
||||||
|
}
|
||||||
|
writeFileErr := writeTunnelCredentials(credentialsFilePath, &tunnelCredentials)
|
||||||
if writeFileErr != nil {
|
if writeFileErr != nil {
|
||||||
var errorLines []string
|
var errorLines []string
|
||||||
errorLines = append(errorLines, fmt.Sprintf("Your tunnel '%v' was created with ID %v. However, cloudflared couldn't write to the tunnel credentials file at %v.json.", tunnel.Name, tunnel.ID, tunnel.ID))
|
errorLines = append(errorLines, fmt.Sprintf("Your tunnel '%v' was created with ID %v. However, cloudflared couldn't write tunnel credentials to %s.", tunnel.Name, tunnel.ID, credentialsFilePath))
|
||||||
errorLines = append(errorLines, fmt.Sprintf("The file-writing error is: %v", writeFileErr))
|
errorLines = append(errorLines, fmt.Sprintf("The file-writing error is: %v", writeFileErr))
|
||||||
if deleteErr := client.DeleteTunnel(tunnel.ID); deleteErr != nil {
|
if deleteErr := client.DeleteTunnel(tunnel.ID, true); deleteErr != nil {
|
||||||
errorLines = append(errorLines, fmt.Sprintf("Cloudflared tried to delete the tunnel for you, but encountered an error. You should use `cloudflared tunnel delete %v` to delete the tunnel yourself, because the tunnel can't be run without the tunnelfile.", tunnel.ID))
|
errorLines = append(errorLines, fmt.Sprintf("Cloudflared tried to delete the tunnel for you, but encountered an error. You should use `cloudflared tunnel delete %v` to delete the tunnel yourself, because the tunnel can't be run without the tunnelfile.", tunnel.ID))
|
||||||
errorLines = append(errorLines, fmt.Sprintf("The delete tunnel error is: %v", deleteErr))
|
errorLines = append(errorLines, fmt.Sprintf("The delete tunnel error is: %v", deleteErr))
|
||||||
} else {
|
} else {
|
||||||
errorLines = append(errorLines, fmt.Sprintf("The tunnel was deleted, because the tunnel can't be run without the tunnelfile"))
|
errorLines = append(errorLines, fmt.Sprintf("The tunnel was deleted, because the tunnel can't be run without the credentials file"))
|
||||||
}
|
}
|
||||||
errorMsg := strings.Join(errorLines, "\n")
|
errorMsg := strings.Join(errorLines, "\n")
|
||||||
return nil, errors.New(errorMsg)
|
return nil, errors.New(errorMsg)
|
||||||
}
|
}
|
||||||
sc.log.Info().Msgf("Tunnel credentials written to %v. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.", filePath)
|
|
||||||
|
|
||||||
if outputFormat := sc.c.String(outputFormatFlag.Name); outputFormat != "" {
|
if outputFormat := sc.c.String(outputFormatFlag.Name); outputFormat != "" {
|
||||||
return nil, renderOutput(outputFormat, &tunnel)
|
return nil, renderOutput(outputFormat, &tunnel)
|
||||||
}
|
}
|
||||||
|
|
||||||
sc.log.Info().Msgf("Created tunnel %s with id %s", tunnel.Name, tunnel.ID)
|
fmt.Printf("Tunnel credentials written to %v.", credentialsFilePath)
|
||||||
return tunnel, nil
|
if usedCertPath {
|
||||||
|
fmt.Print(" cloudflared chose this file based on where your origin certificate was found.")
|
||||||
|
}
|
||||||
|
fmt.Println(" Keep this file secret. To revoke these credentials, delete the tunnel.")
|
||||||
|
fmt.Printf("\nCreated tunnel %s with id %s\n", tunnel.Name, tunnel.ID)
|
||||||
|
|
||||||
|
return &tunnel.Tunnel, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (sc *subcommandContext) list(filter *tunnelstore.Filter) ([]*tunnelstore.Tunnel, error) {
|
func (sc *subcommandContext) list(filter *cfapi.TunnelFilter) ([]*cfapi.Tunnel, error) {
|
||||||
client, err := sc.client()
|
client, err := sc.client()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -216,25 +199,15 @@ func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {
|
||||||
for _, id := range tunnelIDs {
|
for _, id := range tunnelIDs {
|
||||||
tunnel, err := client.GetTunnel(id)
|
tunnel, err := client.GetTunnel(id)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrapf(err, "Can't get tunnel information. Please check tunnel id: %s", tunnel.ID)
|
return errors.Wrapf(err, "Can't get tunnel information. Please check tunnel id: %s", id)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if tunnel DeletedAt field has already been set
|
// Check if tunnel DeletedAt field has already been set
|
||||||
if !tunnel.DeletedAt.IsZero() {
|
if !tunnel.DeletedAt.IsZero() {
|
||||||
return fmt.Errorf("Tunnel %s has already been deleted", tunnel.ID)
|
return fmt.Errorf("Tunnel %s has already been deleted", tunnel.ID)
|
||||||
}
|
}
|
||||||
// Check if tunnel has existing connections and if force flag is set, cleanup connections
|
|
||||||
if len(tunnel.Connections) > 0 {
|
|
||||||
if !forceFlagSet {
|
|
||||||
return fmt.Errorf("You can not delete tunnel %s because it has active connections. To see connections run the 'list' command. If you believe the tunnel is not active, you can use a -f / --force flag with this command.", id)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := client.CleanupConnections(tunnel.ID); err != nil {
|
if err := client.DeleteTunnel(tunnel.ID, forceFlagSet); err != nil {
|
||||||
return errors.Wrapf(err, "Error cleaning up connections for tunnel %s", tunnel.ID)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := client.DeleteTunnel(tunnel.ID); err != nil {
|
|
||||||
return errors.Wrapf(err, "Error deleting tunnel %s", tunnel.ID)
|
return errors.Wrapf(err, "Error deleting tunnel %s", tunnel.ID)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -252,8 +225,16 @@ func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {
|
||||||
// and add the TunnelID into any old credentials (generated before TUN-3581 added the `TunnelID`
|
// and add the TunnelID into any old credentials (generated before TUN-3581 added the `TunnelID`
|
||||||
// field to credentials files)
|
// field to credentials files)
|
||||||
func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Credentials, error) {
|
func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Credentials, error) {
|
||||||
credFinder := sc.credentialFinder(tunnelID)
|
var credentials connection.Credentials
|
||||||
credentials, err := sc.readTunnelCredentials(credFinder)
|
var err error
|
||||||
|
if credentialsContents := sc.c.String(CredContentsFlag); credentialsContents != "" {
|
||||||
|
if err = json.Unmarshal([]byte(credentialsContents), &credentials); err != nil {
|
||||||
|
err = errInvalidJSONCredential{path: "TUNNEL_CRED_CONTENTS", err: err}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
credFinder := sc.credentialFinder(tunnelID)
|
||||||
|
credentials, err = sc.readTunnelCredentials(credFinder)
|
||||||
|
}
|
||||||
// This line ensures backwards compatibility with credentials files generated before
|
// This line ensures backwards compatibility with credentials files generated before
|
||||||
// TUN-3581. Those old credentials files don't have a TunnelID field, so we enrich the struct
|
// TUN-3581. Those old credentials files don't have a TunnelID field, so we enrich the struct
|
||||||
// with the ID, which we have already resolved from the user input.
|
// with the ID, which we have already resolved from the user input.
|
||||||
|
@ -271,30 +252,61 @@ func (sc *subcommandContext) run(tunnelID uuid.UUID) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return sc.runWithCredentials(credentials)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sc *subcommandContext) runWithCredentials(credentials connection.Credentials) error {
|
||||||
|
sc.log.Info().Str(LogFieldTunnelID, credentials.TunnelID.String()).Msg("Starting tunnel")
|
||||||
|
|
||||||
return StartServer(
|
return StartServer(
|
||||||
sc.c,
|
sc.c,
|
||||||
version,
|
buildInfo,
|
||||||
&connection.NamedTunnelConfig{Credentials: credentials},
|
&connection.TunnelProperties{Credentials: credentials},
|
||||||
sc.log,
|
sc.log,
|
||||||
sc.isUIEnabled,
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (sc *subcommandContext) cleanupConnections(tunnelIDs []uuid.UUID) error {
|
func (sc *subcommandContext) cleanupConnections(tunnelIDs []uuid.UUID) error {
|
||||||
|
params := cfapi.NewCleanupParams()
|
||||||
|
extraLog := ""
|
||||||
|
if connector := sc.c.String("connector-id"); connector != "" {
|
||||||
|
connectorID, err := uuid.Parse(connector)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrapf(err, "%s is not a valid client ID (must be a UUID)", connector)
|
||||||
|
}
|
||||||
|
params.ForClient(connectorID)
|
||||||
|
extraLog = fmt.Sprintf(" for connector-id %s", connectorID.String())
|
||||||
|
}
|
||||||
|
|
||||||
client, err := sc.client()
|
client, err := sc.client()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
for _, tunnelID := range tunnelIDs {
|
for _, tunnelID := range tunnelIDs {
|
||||||
sc.log.Info().Msgf("Cleanup connection for tunnel %s", tunnelID)
|
sc.log.Info().Msgf("Cleanup connection for tunnel %s%s", tunnelID, extraLog)
|
||||||
if err := client.CleanupConnections(tunnelID); err != nil {
|
if err := client.CleanupConnections(tunnelID, params); err != nil {
|
||||||
sc.log.Error().Msgf("Error cleaning up connections for tunnel %v, error :%v", tunnelID, err)
|
sc.log.Error().Msgf("Error cleaning up connections for tunnel %v, error :%v", tunnelID, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (sc *subcommandContext) route(tunnelID uuid.UUID, r tunnelstore.Route) (tunnelstore.RouteResult, error) {
|
func (sc *subcommandContext) getTunnelTokenCredentials(tunnelID uuid.UUID) (*connection.TunnelToken, error) {
|
||||||
|
client, err := sc.client()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
token, err := client.GetTunnelToken(tunnelID)
|
||||||
|
if err != nil {
|
||||||
|
sc.log.Err(err).Msgf("Could not get the Token for the given Tunnel %v", tunnelID)
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return ParseToken(token)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sc *subcommandContext) route(tunnelID uuid.UUID, r cfapi.HostnameRoute) (cfapi.HostnameRouteResult, error) {
|
||||||
client, err := sc.client()
|
client, err := sc.client()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -304,8 +316,8 @@ func (sc *subcommandContext) route(tunnelID uuid.UUID, r tunnelstore.Route) (tun
|
||||||
}
|
}
|
||||||
|
|
||||||
// Query Tunnelstore to find the active tunnel with the given name.
|
// Query Tunnelstore to find the active tunnel with the given name.
|
||||||
func (sc *subcommandContext) tunnelActive(name string) (*tunnelstore.Tunnel, bool, error) {
|
func (sc *subcommandContext) tunnelActive(name string) (*cfapi.Tunnel, bool, error) {
|
||||||
filter := tunnelstore.NewFilter()
|
filter := cfapi.NewTunnelFilter()
|
||||||
filter.NoDeleted()
|
filter.NoDeleted()
|
||||||
filter.ByName(name)
|
filter.ByName(name)
|
||||||
tunnels, err := sc.list(filter)
|
tunnels, err := sc.list(filter)
|
||||||
|
@ -329,7 +341,7 @@ func (sc *subcommandContext) findID(input string) (uuid.UUID, error) {
|
||||||
// Look up name in the credentials file.
|
// Look up name in the credentials file.
|
||||||
credFinder := newStaticPath(sc.c.String(CredFileFlag), sc.fs)
|
credFinder := newStaticPath(sc.c.String(CredFileFlag), sc.fs)
|
||||||
if credentials, err := sc.readTunnelCredentials(credFinder); err == nil {
|
if credentials, err := sc.readTunnelCredentials(credFinder); err == nil {
|
||||||
if credentials.TunnelID != uuid.Nil && input == credentials.TunnelName {
|
if credentials.TunnelID != uuid.Nil {
|
||||||
return credentials.TunnelID, nil
|
return credentials.TunnelID, nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -345,43 +357,42 @@ func (sc *subcommandContext) findID(input string) (uuid.UUID, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// findIDs is just like mapping `findID` over a slice, but it only uses
|
// findIDs is just like mapping `findID` over a slice, but it only uses
|
||||||
// one Tunnelstore API call.
|
// one Tunnelstore API call per non-UUID input provided.
|
||||||
func (sc *subcommandContext) findIDs(inputs []string) ([]uuid.UUID, error) {
|
func (sc *subcommandContext) findIDs(inputs []string) ([]uuid.UUID, error) {
|
||||||
|
uuids, names := splitUuids(inputs)
|
||||||
|
|
||||||
// First, look up all tunnels the user has
|
for _, name := range names {
|
||||||
filter := tunnelstore.NewFilter()
|
filter := cfapi.NewTunnelFilter()
|
||||||
filter.NoDeleted()
|
filter.NoDeleted()
|
||||||
tunnels, err := sc.list(filter)
|
filter.ByName(name)
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
tunnels, err := sc.list(filter)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(tunnels) != 1 {
|
||||||
|
return nil, fmt.Errorf("there should only be 1 non-deleted Tunnel named %s", name)
|
||||||
|
}
|
||||||
|
|
||||||
|
uuids = append(uuids, tunnels[0].ID)
|
||||||
}
|
}
|
||||||
// Do the pure list-processing in its own function, so that it can be
|
|
||||||
// unit tested easily.
|
return uuids, nil
|
||||||
return findIDs(tunnels, inputs)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func findIDs(tunnels []*tunnelstore.Tunnel, inputs []string) ([]uuid.UUID, error) {
|
func splitUuids(inputs []string) ([]uuid.UUID, []string) {
|
||||||
// Put them into a dictionary for faster lookups
|
uuids := make([]uuid.UUID, 0)
|
||||||
nameToID := make(map[string]uuid.UUID, len(tunnels))
|
names := make([]string, 0)
|
||||||
for _, tunnel := range tunnels {
|
|
||||||
nameToID[tunnel.Name] = tunnel.ID
|
|
||||||
}
|
|
||||||
|
|
||||||
// For each input, try to find the tunnel ID.
|
for _, input := range inputs {
|
||||||
tunnelIDs := make([]uuid.UUID, len(inputs))
|
id, err := uuid.Parse(input)
|
||||||
var badInputs []string
|
if err != nil {
|
||||||
for i, input := range inputs {
|
names = append(names, input)
|
||||||
if id, err := uuid.Parse(input); err == nil {
|
|
||||||
tunnelIDs[i] = id
|
|
||||||
} else if id, ok := nameToID[input]; ok {
|
|
||||||
tunnelIDs[i] = id
|
|
||||||
} else {
|
} else {
|
||||||
badInputs = append(badInputs, input)
|
uuids = append(uuids, id)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if len(badInputs) > 0 {
|
|
||||||
msg := "Please specify either the ID or name of a tunnel. The following inputs were neither: %s"
|
return uuids, names
|
||||||
return nil, fmt.Errorf(msg, strings.Join(badInputs, ", "))
|
|
||||||
}
|
|
||||||
return tunnelIDs, nil
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,13 +3,15 @@ package tunnel
|
||||||
import (
|
import (
|
||||||
"net"
|
"net"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/teamnet"
|
"github.com/google/uuid"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cfapi"
|
||||||
)
|
)
|
||||||
|
|
||||||
const noClientMsg = "error while creating backend client"
|
const noClientMsg = "error while creating backend client"
|
||||||
|
|
||||||
func (sc *subcommandContext) listRoutes(filter *teamnet.Filter) ([]*teamnet.DetailedRoute, error) {
|
func (sc *subcommandContext) listRoutes(filter *cfapi.IpRouteFilter) ([]*cfapi.DetailedRoute, error) {
|
||||||
client, err := sc.client()
|
client, err := sc.client()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, noClientMsg)
|
return nil, errors.Wrap(err, noClientMsg)
|
||||||
|
@ -17,26 +19,48 @@ func (sc *subcommandContext) listRoutes(filter *teamnet.Filter) ([]*teamnet.Deta
|
||||||
return client.ListRoutes(filter)
|
return client.ListRoutes(filter)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (sc *subcommandContext) addRoute(newRoute teamnet.NewRoute) (teamnet.Route, error) {
|
func (sc *subcommandContext) addRoute(newRoute cfapi.NewRoute) (cfapi.Route, error) {
|
||||||
client, err := sc.client()
|
client, err := sc.client()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return teamnet.Route{}, errors.Wrap(err, noClientMsg)
|
return cfapi.Route{}, errors.Wrap(err, noClientMsg)
|
||||||
}
|
}
|
||||||
return client.AddRoute(newRoute)
|
return client.AddRoute(newRoute)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (sc *subcommandContext) deleteRoute(network net.IPNet) error {
|
func (sc *subcommandContext) deleteRoute(id uuid.UUID) error {
|
||||||
client, err := sc.client()
|
client, err := sc.client()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, noClientMsg)
|
return errors.Wrap(err, noClientMsg)
|
||||||
}
|
}
|
||||||
return client.DeleteRoute(network)
|
return client.DeleteRoute(id)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (sc *subcommandContext) getRouteByIP(ip net.IP) (teamnet.DetailedRoute, error) {
|
func (sc *subcommandContext) getRouteByIP(params cfapi.GetRouteByIpParams) (cfapi.DetailedRoute, error) {
|
||||||
client, err := sc.client()
|
client, err := sc.client()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return teamnet.DetailedRoute{}, errors.Wrap(err, noClientMsg)
|
return cfapi.DetailedRoute{}, errors.Wrap(err, noClientMsg)
|
||||||
}
|
}
|
||||||
return client.GetByIP(ip)
|
return client.GetByIP(params)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sc *subcommandContext) getRouteId(network net.IPNet, vnetId *uuid.UUID) (uuid.UUID, error) {
|
||||||
|
filters := cfapi.NewIPRouteFilter()
|
||||||
|
filters.NotDeleted()
|
||||||
|
filters.NetworkIsSubsetOf(network)
|
||||||
|
filters.NetworkIsSupersetOf(network)
|
||||||
|
|
||||||
|
if vnetId != nil {
|
||||||
|
filters.VNetID(*vnetId)
|
||||||
|
}
|
||||||
|
|
||||||
|
result, err := sc.listRoutes(filters)
|
||||||
|
if err != nil {
|
||||||
|
return uuid.Nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(result) != 1 {
|
||||||
|
return uuid.Nil, errors.New("unable to find route for provided network and vnet")
|
||||||
|
}
|
||||||
|
|
||||||
|
return result[0].ID, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,90 +4,20 @@ import (
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"flag"
|
"flag"
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/rs/zerolog"
|
|
||||||
"reflect"
|
"reflect"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/connection"
|
|
||||||
"github.com/cloudflare/cloudflared/tunnelstore"
|
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
"github.com/rs/zerolog"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
)
|
|
||||||
|
|
||||||
func Test_findIDs(t *testing.T) {
|
"github.com/cloudflare/cloudflared/cfapi"
|
||||||
type args struct {
|
"github.com/cloudflare/cloudflared/connection"
|
||||||
tunnels []*tunnelstore.Tunnel
|
"github.com/cloudflare/cloudflared/credentials"
|
||||||
inputs []string
|
)
|
||||||
}
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
args args
|
|
||||||
want []uuid.UUID
|
|
||||||
wantErr bool
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "input not found",
|
|
||||||
args: args{
|
|
||||||
inputs: []string{"asdf"},
|
|
||||||
},
|
|
||||||
wantErr: true,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "only UUID",
|
|
||||||
args: args{
|
|
||||||
inputs: []string{"a8398a0b-876d-48ed-b609-3fcfd67a4950"},
|
|
||||||
},
|
|
||||||
want: []uuid.UUID{uuid.MustParse("a8398a0b-876d-48ed-b609-3fcfd67a4950")},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "only name",
|
|
||||||
args: args{
|
|
||||||
tunnels: []*tunnelstore.Tunnel{
|
|
||||||
{
|
|
||||||
ID: uuid.MustParse("a8398a0b-876d-48ed-b609-3fcfd67a4950"),
|
|
||||||
Name: "tunnel1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
inputs: []string{"tunnel1"},
|
|
||||||
},
|
|
||||||
want: []uuid.UUID{uuid.MustParse("a8398a0b-876d-48ed-b609-3fcfd67a4950")},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "both UUID and name",
|
|
||||||
args: args{
|
|
||||||
tunnels: []*tunnelstore.Tunnel{
|
|
||||||
{
|
|
||||||
ID: uuid.MustParse("a8398a0b-876d-48ed-b609-3fcfd67a4950"),
|
|
||||||
Name: "tunnel1",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
ID: uuid.MustParse("bf028b68-744f-466e-97f8-c46161d80aa5"),
|
|
||||||
Name: "tunnel2",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
inputs: []string{"tunnel1", "bf028b68-744f-466e-97f8-c46161d80aa5"},
|
|
||||||
},
|
|
||||||
want: []uuid.UUID{
|
|
||||||
uuid.MustParse("a8398a0b-876d-48ed-b609-3fcfd67a4950"),
|
|
||||||
uuid.MustParse("bf028b68-744f-466e-97f8-c46161d80aa5"),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
got, err := findIDs(tt.args.tunnels, tt.args.inputs)
|
|
||||||
if (err != nil) != tt.wantErr {
|
|
||||||
t.Errorf("findIDs() error = %v, wantErr %v", err, tt.wantErr)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if !reflect.DeepEqual(got, tt.want) {
|
|
||||||
t.Errorf("findIDs() = %v, want %v", got, tt.want)
|
|
||||||
}
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type mockFileSystem struct {
|
type mockFileSystem struct {
|
||||||
rf func(string) ([]byte, error)
|
rf func(string) ([]byte, error)
|
||||||
|
@ -106,10 +36,9 @@ func Test_subcommandContext_findCredentials(t *testing.T) {
|
||||||
type fields struct {
|
type fields struct {
|
||||||
c *cli.Context
|
c *cli.Context
|
||||||
log *zerolog.Logger
|
log *zerolog.Logger
|
||||||
isUIEnabled bool
|
|
||||||
fs fileSystem
|
fs fileSystem
|
||||||
tunnelstoreClient tunnelstore.Client
|
tunnelstoreClient cfapi.Client
|
||||||
userCredential *userCredential
|
userCredential *credentials.User
|
||||||
}
|
}
|
||||||
type args struct {
|
type args struct {
|
||||||
tunnelID uuid.UUID
|
tunnelID uuid.UUID
|
||||||
|
@ -187,7 +116,50 @@ func Test_subcommandContext_findCredentials(t *testing.T) {
|
||||||
AccountTag: accountTag,
|
AccountTag: accountTag,
|
||||||
TunnelID: tunnelID,
|
TunnelID: tunnelID,
|
||||||
TunnelSecret: secret,
|
TunnelSecret: secret,
|
||||||
TunnelName: name,
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "TUNNEL_CRED_CONTENTS given contains old credentials contents",
|
||||||
|
fields: fields{
|
||||||
|
log: &log,
|
||||||
|
fs: fs,
|
||||||
|
c: func() *cli.Context {
|
||||||
|
flagSet := flag.NewFlagSet("test0", flag.PanicOnError)
|
||||||
|
flagSet.String(CredContentsFlag, "", "")
|
||||||
|
c := cli.NewContext(cli.NewApp(), flagSet, nil)
|
||||||
|
_ = c.Set(CredContentsFlag, fmt.Sprintf(`{"AccountTag":"%s","TunnelSecret":"%s"}`, accountTag, secretB64))
|
||||||
|
return c
|
||||||
|
}(),
|
||||||
|
},
|
||||||
|
args: args{
|
||||||
|
tunnelID: tunnelID,
|
||||||
|
},
|
||||||
|
want: connection.Credentials{
|
||||||
|
AccountTag: accountTag,
|
||||||
|
TunnelID: tunnelID,
|
||||||
|
TunnelSecret: secret,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "TUNNEL_CRED_CONTENTS given contains new credentials contents",
|
||||||
|
fields: fields{
|
||||||
|
log: &log,
|
||||||
|
fs: fs,
|
||||||
|
c: func() *cli.Context {
|
||||||
|
flagSet := flag.NewFlagSet("test0", flag.PanicOnError)
|
||||||
|
flagSet.String(CredContentsFlag, "", "")
|
||||||
|
c := cli.NewContext(cli.NewApp(), flagSet, nil)
|
||||||
|
_ = c.Set(CredContentsFlag, fmt.Sprintf(`{"AccountTag":"%s","TunnelSecret":"%s","TunnelID":"%s","TunnelName":"%s"}`, accountTag, secretB64, tunnelID, name))
|
||||||
|
return c
|
||||||
|
}(),
|
||||||
|
},
|
||||||
|
args: args{
|
||||||
|
tunnelID: tunnelID,
|
||||||
|
},
|
||||||
|
want: connection.Credentials{
|
||||||
|
AccountTag: accountTag,
|
||||||
|
TunnelID: tunnelID,
|
||||||
|
TunnelSecret: secret,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -196,7 +168,6 @@ func Test_subcommandContext_findCredentials(t *testing.T) {
|
||||||
sc := &subcommandContext{
|
sc := &subcommandContext{
|
||||||
c: tt.fields.c,
|
c: tt.fields.c,
|
||||||
log: tt.fields.log,
|
log: tt.fields.log,
|
||||||
isUIEnabled: tt.fields.isUIEnabled,
|
|
||||||
fs: tt.fields.fs,
|
fs: tt.fields.fs,
|
||||||
tunnelstoreClient: tt.fields.tunnelstoreClient,
|
tunnelstoreClient: tt.fields.tunnelstoreClient,
|
||||||
userCredential: tt.fields.userCredential,
|
userCredential: tt.fields.userCredential,
|
||||||
|
@ -214,13 +185,13 @@ func Test_subcommandContext_findCredentials(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
type deleteMockTunnelStore struct {
|
type deleteMockTunnelStore struct {
|
||||||
tunnelstore.Client
|
cfapi.Client
|
||||||
mockTunnels map[uuid.UUID]mockTunnelBehaviour
|
mockTunnels map[uuid.UUID]mockTunnelBehaviour
|
||||||
deletedTunnelIDs []uuid.UUID
|
deletedTunnelIDs []uuid.UUID
|
||||||
}
|
}
|
||||||
|
|
||||||
type mockTunnelBehaviour struct {
|
type mockTunnelBehaviour struct {
|
||||||
tunnel tunnelstore.Tunnel
|
tunnel cfapi.Tunnel
|
||||||
deleteErr error
|
deleteErr error
|
||||||
cleanupErr error
|
cleanupErr error
|
||||||
}
|
}
|
||||||
|
@ -236,7 +207,7 @@ func newDeleteMockTunnelStore(tunnels ...mockTunnelBehaviour) *deleteMockTunnelS
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (d *deleteMockTunnelStore) GetTunnel(tunnelID uuid.UUID) (*tunnelstore.Tunnel, error) {
|
func (d *deleteMockTunnelStore) GetTunnel(tunnelID uuid.UUID) (*cfapi.Tunnel, error) {
|
||||||
tunnel, ok := d.mockTunnels[tunnelID]
|
tunnel, ok := d.mockTunnels[tunnelID]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
|
return nil, fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
|
||||||
|
@ -244,7 +215,11 @@ func (d *deleteMockTunnelStore) GetTunnel(tunnelID uuid.UUID) (*tunnelstore.Tunn
|
||||||
return &tunnel.tunnel, nil
|
return &tunnel.tunnel, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID) error {
|
func (d *deleteMockTunnelStore) GetTunnelToken(tunnelID uuid.UUID) (string, error) {
|
||||||
|
return "token", nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
|
||||||
tunnel, ok := d.mockTunnels[tunnelID]
|
tunnel, ok := d.mockTunnels[tunnelID]
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
|
return fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
|
||||||
|
@ -260,7 +235,7 @@ func (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (d *deleteMockTunnelStore) CleanupConnections(tunnelID uuid.UUID) error {
|
func (d *deleteMockTunnelStore) CleanupConnections(tunnelID uuid.UUID, _ *cfapi.CleanupParams) error {
|
||||||
tunnel, ok := d.mockTunnels[tunnelID]
|
tunnel, ok := d.mockTunnels[tunnelID]
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
|
return fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
|
||||||
|
@ -275,7 +250,7 @@ func Test_subcommandContext_Delete(t *testing.T) {
|
||||||
isUIEnabled bool
|
isUIEnabled bool
|
||||||
fs fileSystem
|
fs fileSystem
|
||||||
tunnelstoreClient *deleteMockTunnelStore
|
tunnelstoreClient *deleteMockTunnelStore
|
||||||
userCredential *userCredential
|
userCredential *credentials.User
|
||||||
}
|
}
|
||||||
type args struct {
|
type args struct {
|
||||||
tunnelIDs []uuid.UUID
|
tunnelIDs []uuid.UUID
|
||||||
|
@ -311,10 +286,10 @@ func Test_subcommandContext_Delete(t *testing.T) {
|
||||||
}(),
|
}(),
|
||||||
tunnelstoreClient: newDeleteMockTunnelStore(
|
tunnelstoreClient: newDeleteMockTunnelStore(
|
||||||
mockTunnelBehaviour{
|
mockTunnelBehaviour{
|
||||||
tunnel: tunnelstore.Tunnel{ID: tunnelID1},
|
tunnel: cfapi.Tunnel{ID: tunnelID1},
|
||||||
},
|
},
|
||||||
mockTunnelBehaviour{
|
mockTunnelBehaviour{
|
||||||
tunnel: tunnelstore.Tunnel{ID: tunnelID2},
|
tunnel: cfapi.Tunnel{ID: tunnelID2},
|
||||||
},
|
},
|
||||||
),
|
),
|
||||||
},
|
},
|
||||||
|
@ -331,7 +306,6 @@ func Test_subcommandContext_Delete(t *testing.T) {
|
||||||
sc := &subcommandContext{
|
sc := &subcommandContext{
|
||||||
c: tt.fields.c,
|
c: tt.fields.c,
|
||||||
log: tt.fields.log,
|
log: tt.fields.log,
|
||||||
isUIEnabled: tt.fields.isUIEnabled,
|
|
||||||
fs: tt.fields.fs,
|
fs: tt.fields.fs,
|
||||||
tunnelstoreClient: tt.fields.tunnelstoreClient,
|
tunnelstoreClient: tt.fields.tunnelstoreClient,
|
||||||
userCredential: tt.fields.userCredential,
|
userCredential: tt.fields.userCredential,
|
||||||
|
@ -349,3 +323,48 @@ func Test_subcommandContext_Delete(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func Test_subcommandContext_ValidateIngressCommand(t *testing.T) {
|
||||||
|
var tests = []struct {
|
||||||
|
name string
|
||||||
|
c *cli.Context
|
||||||
|
wantErr bool
|
||||||
|
expectedErr error
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "read a valid configuration from data",
|
||||||
|
c: func() *cli.Context {
|
||||||
|
data := `{ "warp-routing": {"enabled": true}, "originRequest" : {"connectTimeout": 10}, "ingress" : [ {"hostname": "test", "service": "https://localhost:8000" } , {"service": "http_status:404"} ]}`
|
||||||
|
flagSet := flag.NewFlagSet("json", flag.PanicOnError)
|
||||||
|
flagSet.String(ingressDataJSONFlagName, data, "")
|
||||||
|
c := cli.NewContext(cli.NewApp(), flagSet, nil)
|
||||||
|
_ = c.Set(ingressDataJSONFlagName, data)
|
||||||
|
return c
|
||||||
|
}(),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "read an invalid configuration with multiple mistakes",
|
||||||
|
c: func() *cli.Context {
|
||||||
|
data := `{ "ingress" : [ {"hostname": "test", "service": "localhost:8000" } , {"service": "http_status:invalid_status"} ]}`
|
||||||
|
flagSet := flag.NewFlagSet("json", flag.PanicOnError)
|
||||||
|
flagSet.String(ingressDataJSONFlagName, data, "")
|
||||||
|
c := cli.NewContext(cli.NewApp(), flagSet, nil)
|
||||||
|
_ = c.Set(ingressDataJSONFlagName, data)
|
||||||
|
return c
|
||||||
|
}(),
|
||||||
|
wantErr: true,
|
||||||
|
expectedErr: errors.New("Validation failed: localhost:8000 is an invalid address, please make sure it has a scheme and a hostname"),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
err := validateIngressCommand(tt.c, "")
|
||||||
|
if tt.wantErr {
|
||||||
|
assert.Equal(t, tt.expectedErr.Error(), err.Error())
|
||||||
|
} else {
|
||||||
|
assert.Nil(t, err)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,40 @@
|
||||||
|
package tunnel
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cfapi"
|
||||||
|
)
|
||||||
|
|
||||||
|
func (sc *subcommandContext) addVirtualNetwork(newVnet cfapi.NewVirtualNetwork) (cfapi.VirtualNetwork, error) {
|
||||||
|
client, err := sc.client()
|
||||||
|
if err != nil {
|
||||||
|
return cfapi.VirtualNetwork{}, errors.Wrap(err, noClientMsg)
|
||||||
|
}
|
||||||
|
return client.CreateVirtualNetwork(newVnet)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sc *subcommandContext) listVirtualNetworks(filter *cfapi.VnetFilter) ([]*cfapi.VirtualNetwork, error) {
|
||||||
|
client, err := sc.client()
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, noClientMsg)
|
||||||
|
}
|
||||||
|
return client.ListVirtualNetworks(filter)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sc *subcommandContext) deleteVirtualNetwork(vnetId uuid.UUID, force bool) error {
|
||||||
|
client, err := sc.client()
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, noClientMsg)
|
||||||
|
}
|
||||||
|
return client.DeleteVirtualNetwork(vnetId, force)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sc *subcommandContext) updateVirtualNetwork(vnetId uuid.UUID, updates cfapi.UpdateVirtualNetwork) error {
|
||||||
|
client, err := sc.client()
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, noClientMsg)
|
||||||
|
}
|
||||||
|
return client.UpdateVirtualNetwork(vnetId, updates)
|
||||||
|
}
|
|
@ -2,9 +2,9 @@ package tunnel
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
|
"encoding/base64"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"regexp"
|
"regexp"
|
||||||
|
@ -14,23 +14,28 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
"github.com/mitchellh/go-homedir"
|
homedir "github.com/mitchellh/go-homedir"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/urfave/cli/v2"
|
"github.com/urfave/cli/v2"
|
||||||
"github.com/urfave/cli/v2/altsrc"
|
"github.com/urfave/cli/v2/altsrc"
|
||||||
"golang.org/x/net/idna"
|
"golang.org/x/net/idna"
|
||||||
"gopkg.in/yaml.v2"
|
yaml "gopkg.in/yaml.v3"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cfapi"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
|
||||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
|
||||||
|
"github.com/cloudflare/cloudflared/config"
|
||||||
"github.com/cloudflare/cloudflared/connection"
|
"github.com/cloudflare/cloudflared/connection"
|
||||||
"github.com/cloudflare/cloudflared/tunnelstore"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
allSortByOptions = "name, id, createdAt, deletedAt, numConnections"
|
allSortByOptions = "name, id, createdAt, deletedAt, numConnections"
|
||||||
CredFileFlagAlias = "cred-file"
|
connsSortByOptions = "id, startedAt, numConnections, version"
|
||||||
CredFileFlag = "credentials-file"
|
CredFileFlagAlias = "cred-file"
|
||||||
|
CredFileFlag = "credentials-file"
|
||||||
|
CredContentsFlag = "credentials-contents"
|
||||||
|
TunnelTokenFlag = "token"
|
||||||
|
overwriteDNSFlagName = "overwrite-dns"
|
||||||
|
|
||||||
LogFieldTunnelID = "tunnelID"
|
LogFieldTunnelID = "tunnelID"
|
||||||
)
|
)
|
||||||
|
@ -46,12 +51,22 @@ var (
|
||||||
Aliases: []string{"n"},
|
Aliases: []string{"n"},
|
||||||
Usage: "List tunnels with the given `NAME`",
|
Usage: "List tunnels with the given `NAME`",
|
||||||
}
|
}
|
||||||
|
listNamePrefixFlag = &cli.StringFlag{
|
||||||
|
Name: "name-prefix",
|
||||||
|
Aliases: []string{"np"},
|
||||||
|
Usage: "List tunnels that start with the give `NAME` prefix",
|
||||||
|
}
|
||||||
|
listExcludeNamePrefixFlag = &cli.StringFlag{
|
||||||
|
Name: "exclude-name-prefix",
|
||||||
|
Aliases: []string{"enp"},
|
||||||
|
Usage: "List tunnels whose `NAME` does not start with the given prefix",
|
||||||
|
}
|
||||||
listExistedAtFlag = &cli.TimestampFlag{
|
listExistedAtFlag = &cli.TimestampFlag{
|
||||||
Name: "when",
|
Name: "when",
|
||||||
Aliases: []string{"w"},
|
Aliases: []string{"w"},
|
||||||
Usage: "List tunnels that are active at the given `TIME` in RFC3339 format",
|
Usage: "List tunnels that are active at the given `TIME` in RFC3339 format",
|
||||||
Layout: tunnelstore.TimeLayout,
|
Layout: cfapi.TimeLayout,
|
||||||
DefaultText: fmt.Sprintf("current time, %s", time.Now().Format(tunnelstore.TimeLayout)),
|
DefaultText: fmt.Sprintf("current time, %s", time.Now().Format(cfapi.TimeLayout)),
|
||||||
}
|
}
|
||||||
listIDFlag = &cli.StringFlag{
|
listIDFlag = &cli.StringFlag{
|
||||||
Name: "id",
|
Name: "id",
|
||||||
|
@ -63,11 +78,11 @@ var (
|
||||||
Aliases: []string{"rd"},
|
Aliases: []string{"rd"},
|
||||||
Usage: "Include connections that have recently disconnected in the list",
|
Usage: "Include connections that have recently disconnected in the list",
|
||||||
}
|
}
|
||||||
outputFormatFlag = altsrc.NewStringFlag(&cli.StringFlag{
|
outputFormatFlag = &cli.StringFlag{
|
||||||
Name: "output",
|
Name: "output",
|
||||||
Aliases: []string{"o"},
|
Aliases: []string{"o"},
|
||||||
Usage: "Render output using given `FORMAT`. Valid options are 'json' or 'yaml'",
|
Usage: "Render output using given `FORMAT`. Valid options are 'json' or 'yaml'",
|
||||||
})
|
}
|
||||||
sortByFlag = &cli.StringFlag{
|
sortByFlag = &cli.StringFlag{
|
||||||
Name: "sort-by",
|
Name: "sort-by",
|
||||||
Value: "name",
|
Value: "name",
|
||||||
|
@ -79,40 +94,95 @@ var (
|
||||||
Usage: "Inverts the sort order of the tunnel list.",
|
Usage: "Inverts the sort order of the tunnel list.",
|
||||||
EnvVars: []string{"TUNNEL_LIST_INVERT_SORT"},
|
EnvVars: []string{"TUNNEL_LIST_INVERT_SORT"},
|
||||||
}
|
}
|
||||||
forceFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
|
featuresFlag = altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
|
||||||
Name: "force",
|
Name: "features",
|
||||||
Aliases: []string{"f"},
|
Aliases: []string{"F"},
|
||||||
Usage: "By default, if a tunnel is currently being run from a cloudflared, you can't " +
|
Usage: "Opt into various features that are still being developed or tested.",
|
||||||
"simultaneously rerun it again from a second cloudflared. The --force flag lets you " +
|
|
||||||
"overwrite the previous tunnel. If you want to use a single hostname with multiple " +
|
|
||||||
"tunnels, you can do so with Cloudflare's Load Balancer product.",
|
|
||||||
})
|
})
|
||||||
credentialsFileFlag = altsrc.NewStringFlag(&cli.StringFlag{
|
credentialsFileFlagCLIOnly = &cli.StringFlag{
|
||||||
Name: CredFileFlag,
|
Name: CredFileFlag,
|
||||||
Aliases: []string{CredFileFlagAlias},
|
Aliases: []string{CredFileFlagAlias},
|
||||||
Usage: "Filepath at which to read/write the tunnel credentials",
|
Usage: "Filepath at which to read/write the tunnel credentials",
|
||||||
EnvVars: []string{"TUNNEL_CRED_FILE"},
|
EnvVars: []string{"TUNNEL_CRED_FILE"},
|
||||||
|
}
|
||||||
|
credentialsFileFlag = altsrc.NewStringFlag(credentialsFileFlagCLIOnly)
|
||||||
|
credentialsContentsFlag = altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: CredContentsFlag,
|
||||||
|
Usage: "Contents of the tunnel credentials JSON file to use. When provided along with credentials-file, this will take precedence.",
|
||||||
|
EnvVars: []string{"TUNNEL_CRED_CONTENTS"},
|
||||||
|
})
|
||||||
|
tunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
|
Name: TunnelTokenFlag,
|
||||||
|
Usage: "The Tunnel token. When provided along with credentials, this will take precedence.",
|
||||||
|
EnvVars: []string{"TUNNEL_TOKEN"},
|
||||||
})
|
})
|
||||||
forceDeleteFlag = &cli.BoolFlag{
|
forceDeleteFlag = &cli.BoolFlag{
|
||||||
Name: "force",
|
Name: "force",
|
||||||
Aliases: []string{"f"},
|
Aliases: []string{"f"},
|
||||||
Usage: "Allows you to delete a tunnel, even if it has active connections.",
|
Usage: "Deletes a tunnel even if tunnel is connected and it has dependencies associated to it. (eg. IP routes)." +
|
||||||
|
" It is not possible to delete tunnels that have connections or non-deleted dependencies, without this flag.",
|
||||||
EnvVars: []string{"TUNNEL_RUN_FORCE_OVERWRITE"},
|
EnvVars: []string{"TUNNEL_RUN_FORCE_OVERWRITE"},
|
||||||
}
|
}
|
||||||
selectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{
|
selectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{
|
||||||
Name: "protocol",
|
Name: "protocol",
|
||||||
Value: "h2mux",
|
Value: connection.AutoSelectFlag,
|
||||||
Aliases: []string{"p"},
|
Aliases: []string{"p"},
|
||||||
Usage: fmt.Sprintf("Protocol implementation to connect with Cloudflare's edge network. %s", connection.AvailableProtocolFlagMessage),
|
Usage: fmt.Sprintf("Protocol implementation to connect with Cloudflare's edge network. %s", connection.AvailableProtocolFlagMessage),
|
||||||
EnvVars: []string{"TUNNEL_TRANSPORT_PROTOCOL"},
|
EnvVars: []string{"TUNNEL_TRANSPORT_PROTOCOL"},
|
||||||
Hidden: true,
|
Hidden: true,
|
||||||
})
|
})
|
||||||
|
postQuantumFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
|
||||||
|
Name: "post-quantum",
|
||||||
|
Usage: "When given creates an experimental post-quantum secure tunnel",
|
||||||
|
Aliases: []string{"pq"},
|
||||||
|
EnvVars: []string{"TUNNEL_POST_QUANTUM"},
|
||||||
|
Hidden: FipsEnabled,
|
||||||
|
})
|
||||||
|
sortInfoByFlag = &cli.StringFlag{
|
||||||
|
Name: "sort-by",
|
||||||
|
Value: "createdAt",
|
||||||
|
Usage: fmt.Sprintf("Sorts the list of connections of a tunnel by the given field. Valid options are {%s}", connsSortByOptions),
|
||||||
|
EnvVars: []string{"TUNNEL_INFO_SORT_BY"},
|
||||||
|
}
|
||||||
|
invertInfoSortFlag = &cli.BoolFlag{
|
||||||
|
Name: "invert-sort",
|
||||||
|
Usage: "Inverts the sort order of the tunnel info.",
|
||||||
|
EnvVars: []string{"TUNNEL_INFO_INVERT_SORT"},
|
||||||
|
}
|
||||||
|
cleanupClientFlag = &cli.StringFlag{
|
||||||
|
Name: "connector-id",
|
||||||
|
Aliases: []string{"c"},
|
||||||
|
Usage: `Constraints the cleanup to stop the connections of a single Connector (by its ID). You can find the various Connectors (and their IDs) currently connected to your tunnel via 'cloudflared tunnel info <name>'.`,
|
||||||
|
EnvVars: []string{"TUNNEL_CLEANUP_CONNECTOR"},
|
||||||
|
}
|
||||||
|
overwriteDNSFlag = &cli.BoolFlag{
|
||||||
|
Name: overwriteDNSFlagName,
|
||||||
|
Aliases: []string{"f"},
|
||||||
|
Usage: `Overwrites existing DNS records with this hostname`,
|
||||||
|
EnvVars: []string{"TUNNEL_FORCE_PROVISIONING_DNS"},
|
||||||
|
}
|
||||||
|
createSecretFlag = &cli.StringFlag{
|
||||||
|
Name: "secret",
|
||||||
|
Aliases: []string{"s"},
|
||||||
|
Usage: "Base64 encoded secret to set for the tunnel. The decoded secret must be at least 32 bytes long. If not specified, a random 32-byte secret will be generated.",
|
||||||
|
EnvVars: []string{"TUNNEL_CREATE_SECRET"},
|
||||||
|
}
|
||||||
|
icmpv4SrcFlag = &cli.StringFlag{
|
||||||
|
Name: "icmpv4-src",
|
||||||
|
Usage: "Source address to send/receive ICMPv4 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to 0.0.0.0.",
|
||||||
|
EnvVars: []string{"TUNNEL_ICMPV4_SRC"},
|
||||||
|
}
|
||||||
|
icmpv6SrcFlag = &cli.StringFlag{
|
||||||
|
Name: "icmpv6-src",
|
||||||
|
Usage: "Source address and the interface name to send/receive ICMPv6 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to ::.",
|
||||||
|
EnvVars: []string{"TUNNEL_ICMPV6_SRC"},
|
||||||
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
func buildCreateCommand() *cli.Command {
|
func buildCreateCommand() *cli.Command {
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: "create",
|
Name: "create",
|
||||||
Action: cliutil.ErrorHandler(createCommand),
|
Action: cliutil.ConfiguredAction(createCommand),
|
||||||
Usage: "Create a new tunnel with given name",
|
Usage: "Create a new tunnel with given name",
|
||||||
UsageText: "cloudflared tunnel [tunnel command options] create [subcommand options] NAME",
|
UsageText: "cloudflared tunnel [tunnel command options] create [subcommand options] NAME",
|
||||||
Description: `Creates a tunnel, registers it with Cloudflare edge and generates credential file used to run this tunnel.
|
Description: `Creates a tunnel, registers it with Cloudflare edge and generates credential file used to run this tunnel.
|
||||||
|
@ -121,7 +191,7 @@ func buildCreateCommand() *cli.Command {
|
||||||
For example, to create a tunnel named 'my-tunnel' run:
|
For example, to create a tunnel named 'my-tunnel' run:
|
||||||
|
|
||||||
$ cloudflared tunnel create my-tunnel`,
|
$ cloudflared tunnel create my-tunnel`,
|
||||||
Flags: []cli.Flag{outputFormatFlag, credentialsFileFlag},
|
Flags: []cli.Flag{outputFormatFlag, credentialsFileFlagCLIOnly, createSecretFlag},
|
||||||
CustomHelpTemplate: commandHelpTemplate(),
|
CustomHelpTemplate: commandHelpTemplate(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -144,7 +214,10 @@ func createCommand(c *cli.Context) error {
|
||||||
}
|
}
|
||||||
name := c.Args().First()
|
name := c.Args().First()
|
||||||
|
|
||||||
_, err = sc.create(name, c.String(CredFileFlag))
|
warningChecker := updater.StartWarningCheck(c)
|
||||||
|
defer warningChecker.LogWarningIfAny(sc.log)
|
||||||
|
|
||||||
|
_, err = sc.create(name, c.String(CredFileFlag), c.String(createSecretFlag.Name))
|
||||||
return errors.Wrap(err, "failed to create tunnel")
|
return errors.Wrap(err, "failed to create tunnel")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -154,33 +227,26 @@ func tunnelFilePath(tunnelID uuid.UUID, directory string) (string, error) {
|
||||||
return homedir.Expand(filePath)
|
return homedir.Expand(filePath)
|
||||||
}
|
}
|
||||||
|
|
||||||
// If an `outputFile` is given, write the credentials there.
|
// writeTunnelCredentials saves `credentials` as a JSON into `filePath`, only if
|
||||||
// Otherwise, write it to the same directory as the originCert,
|
// the file does not exist already
|
||||||
// with the filename `<tunnel id>.json`.
|
func writeTunnelCredentials(filePath string, credentials *connection.Credentials) error {
|
||||||
func writeTunnelCredentials(
|
if _, err := os.Stat(filePath); !os.IsNotExist(err) {
|
||||||
originCertPath, outputFile string,
|
if err == nil {
|
||||||
credentials *connection.Credentials,
|
return fmt.Errorf("%s already exists", filePath)
|
||||||
) (filePath string, err error) {
|
}
|
||||||
filePath = outputFile
|
return err
|
||||||
if outputFile == "" {
|
|
||||||
originCertDir := filepath.Dir(originCertPath)
|
|
||||||
filePath, err = tunnelFilePath(credentials.TunnelID, originCertDir)
|
|
||||||
}
|
}
|
||||||
if err != nil {
|
|
||||||
return "", err
|
|
||||||
}
|
|
||||||
// Write the name and ID to the file too
|
|
||||||
body, err := json.Marshal(credentials)
|
body, err := json.Marshal(credentials)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", errors.Wrap(err, "Unable to marshal tunnel credentials to JSON")
|
return errors.Wrap(err, "Unable to marshal tunnel credentials to JSON")
|
||||||
}
|
}
|
||||||
return filePath, ioutil.WriteFile(filePath, body, 400)
|
return os.WriteFile(filePath, body, 0400)
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildListCommand() *cli.Command {
|
func buildListCommand() *cli.Command {
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: "list",
|
Name: "list",
|
||||||
Action: cliutil.ErrorHandler(listCommand),
|
Action: cliutil.ConfiguredAction(listCommand),
|
||||||
Usage: "List existing tunnels",
|
Usage: "List existing tunnels",
|
||||||
UsageText: "cloudflared tunnel [tunnel command options] list [subcommand options]",
|
UsageText: "cloudflared tunnel [tunnel command options] list [subcommand options]",
|
||||||
Description: "cloudflared tunnel list will display all active tunnels, their created time and associated connections. Use -d flag to include deleted tunnels. See the list of options to filter the list",
|
Description: "cloudflared tunnel list will display all active tunnels, their created time and associated connections. Use -d flag to include deleted tunnels. See the list of options to filter the list",
|
||||||
|
@ -188,6 +254,8 @@ func buildListCommand() *cli.Command {
|
||||||
outputFormatFlag,
|
outputFormatFlag,
|
||||||
showDeletedFlag,
|
showDeletedFlag,
|
||||||
listNameFlag,
|
listNameFlag,
|
||||||
|
listNamePrefixFlag,
|
||||||
|
listExcludeNamePrefixFlag,
|
||||||
listExistedAtFlag,
|
listExistedAtFlag,
|
||||||
listIDFlag,
|
listIDFlag,
|
||||||
showRecentlyDisconnected,
|
showRecentlyDisconnected,
|
||||||
|
@ -204,13 +272,22 @@ func listCommand(c *cli.Context) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
filter := tunnelstore.NewFilter()
|
warningChecker := updater.StartWarningCheck(c)
|
||||||
|
defer warningChecker.LogWarningIfAny(sc.log)
|
||||||
|
|
||||||
|
filter := cfapi.NewTunnelFilter()
|
||||||
if !c.Bool("show-deleted") {
|
if !c.Bool("show-deleted") {
|
||||||
filter.NoDeleted()
|
filter.NoDeleted()
|
||||||
}
|
}
|
||||||
if name := c.String("name"); name != "" {
|
if name := c.String("name"); name != "" {
|
||||||
filter.ByName(name)
|
filter.ByName(name)
|
||||||
}
|
}
|
||||||
|
if namePrefix := c.String("name-prefix"); namePrefix != "" {
|
||||||
|
filter.ByNamePrefix(namePrefix)
|
||||||
|
}
|
||||||
|
if excludePrefix := c.String("exclude-name-prefix"); excludePrefix != "" {
|
||||||
|
filter.ExcludeNameWithPrefix(excludePrefix)
|
||||||
|
}
|
||||||
if existedAt := c.Timestamp("time"); existedAt != nil {
|
if existedAt := c.Timestamp("time"); existedAt != nil {
|
||||||
filter.ByExistedAt(*existedAt)
|
filter.ByExistedAt(*existedAt)
|
||||||
}
|
}
|
||||||
|
@ -221,6 +298,9 @@ func listCommand(c *cli.Context) error {
|
||||||
}
|
}
|
||||||
filter.ByTunnelID(tunnelID)
|
filter.ByTunnelID(tunnelID)
|
||||||
}
|
}
|
||||||
|
if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
|
||||||
|
filter.MaxFetchSize(uint(maxFetch))
|
||||||
|
}
|
||||||
|
|
||||||
tunnels, err := sc.list(filter)
|
tunnels, err := sc.list(filter)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -264,23 +344,18 @@ func listCommand(c *cli.Context) error {
|
||||||
if len(tunnels) > 0 {
|
if len(tunnels) > 0 {
|
||||||
formatAndPrintTunnelList(tunnels, c.Bool("show-recently-disconnected"))
|
formatAndPrintTunnelList(tunnels, c.Bool("show-recently-disconnected"))
|
||||||
} else {
|
} else {
|
||||||
fmt.Println("You have no tunnels, use 'cloudflared tunnel create' to define a new tunnel")
|
fmt.Println("No tunnels were found for the given filter flags. You can use 'cloudflared tunnel create' to create a tunnel.")
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func formatAndPrintTunnelList(tunnels []*tunnelstore.Tunnel, showRecentlyDisconnected bool) {
|
func formatAndPrintTunnelList(tunnels []*cfapi.Tunnel, showRecentlyDisconnected bool) {
|
||||||
const (
|
writer := tabWriter()
|
||||||
minWidth = 0
|
|
||||||
tabWidth = 8
|
|
||||||
padding = 1
|
|
||||||
padChar = ' '
|
|
||||||
flags = 0
|
|
||||||
)
|
|
||||||
|
|
||||||
writer := tabwriter.NewWriter(os.Stdout, minWidth, tabWidth, padding, padChar, flags)
|
|
||||||
defer writer.Flush()
|
defer writer.Flush()
|
||||||
|
|
||||||
|
_, _ = fmt.Fprintln(writer, "You can obtain more detailed information for each tunnel with `cloudflared tunnel info <name/uuid>`")
|
||||||
|
|
||||||
// Print column headers with tabbed columns
|
// Print column headers with tabbed columns
|
||||||
_, _ = fmt.Fprintln(writer, "ID\tNAME\tCREATED\tCONNECTIONS\t")
|
_, _ = fmt.Fprintln(writer, "ID\tNAME\tCREATED\tCONNECTIONS\t")
|
||||||
|
|
||||||
|
@ -297,7 +372,7 @@ func formatAndPrintTunnelList(tunnels []*tunnelstore.Tunnel, showRecentlyDisconn
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func fmtConnections(connections []tunnelstore.Connection, showRecentlyDisconnected bool) string {
|
func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected bool) string {
|
||||||
|
|
||||||
// Count connections per colo
|
// Count connections per colo
|
||||||
numConnsPerColo := make(map[string]uint, len(connections))
|
numConnsPerColo := make(map[string]uint, len(connections))
|
||||||
|
@ -322,14 +397,176 @@ func fmtConnections(connections []tunnelstore.Connection, showRecentlyDisconnect
|
||||||
return strings.Join(output, ", ")
|
return strings.Join(output, ", ")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func buildInfoCommand() *cli.Command {
|
||||||
|
return &cli.Command{
|
||||||
|
Name: "info",
|
||||||
|
Action: cliutil.ConfiguredAction(tunnelInfo),
|
||||||
|
Usage: "List details about the active connectors for a tunnel",
|
||||||
|
UsageText: "cloudflared tunnel [tunnel command options] info [subcommand options] [TUNNEL]",
|
||||||
|
Description: "cloudflared tunnel info displays details about the active connectors for a given tunnel (identified by name or uuid).",
|
||||||
|
Flags: []cli.Flag{
|
||||||
|
outputFormatFlag,
|
||||||
|
showRecentlyDisconnected,
|
||||||
|
sortInfoByFlag,
|
||||||
|
invertInfoSortFlag,
|
||||||
|
},
|
||||||
|
CustomHelpTemplate: commandHelpTemplate(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func tunnelInfo(c *cli.Context) error {
|
||||||
|
sc, err := newSubcommandContext(c)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
warningChecker := updater.StartWarningCheck(c)
|
||||||
|
defer warningChecker.LogWarningIfAny(sc.log)
|
||||||
|
|
||||||
|
if c.NArg() != 1 {
|
||||||
|
return cliutil.UsageError(`"cloudflared tunnel info" accepts exactly one argument, the ID or name of the tunnel to get info about.`)
|
||||||
|
}
|
||||||
|
tunnelID, err := sc.findID(c.Args().First())
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "error parsing tunnel ID")
|
||||||
|
}
|
||||||
|
|
||||||
|
client, err := sc.client()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
clients, err := client.ListActiveClients(tunnelID)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
sortBy := c.String("sort-by")
|
||||||
|
invalidSortField := false
|
||||||
|
sort.Slice(clients, func(i, j int) bool {
|
||||||
|
cmp := func() bool {
|
||||||
|
switch sortBy {
|
||||||
|
case "id":
|
||||||
|
return clients[i].ID.String() < clients[j].ID.String()
|
||||||
|
case "createdAt":
|
||||||
|
return clients[i].RunAt.Unix() < clients[j].RunAt.Unix()
|
||||||
|
case "numConnections":
|
||||||
|
return len(clients[i].Connections) < len(clients[j].Connections)
|
||||||
|
case "version":
|
||||||
|
return clients[i].Version < clients[j].Version
|
||||||
|
default:
|
||||||
|
invalidSortField = true
|
||||||
|
return clients[i].RunAt.Unix() < clients[j].RunAt.Unix()
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
if c.Bool("invert-sort") {
|
||||||
|
return !cmp
|
||||||
|
}
|
||||||
|
return cmp
|
||||||
|
})
|
||||||
|
if invalidSortField {
|
||||||
|
sc.log.Error().Msgf("%s is not a valid sort field. Valid sort fields are %s. Defaulting to 'name'.", sortBy, connsSortByOptions)
|
||||||
|
}
|
||||||
|
|
||||||
|
tunnel, err := getTunnel(sc, tunnelID)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
info := Info{
|
||||||
|
tunnel.ID,
|
||||||
|
tunnel.Name,
|
||||||
|
tunnel.CreatedAt,
|
||||||
|
clients,
|
||||||
|
}
|
||||||
|
|
||||||
|
if outputFormat := c.String(outputFormatFlag.Name); outputFormat != "" {
|
||||||
|
return renderOutput(outputFormat, info)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(clients) > 0 {
|
||||||
|
formatAndPrintConnectionsList(info, c.Bool("show-recently-disconnected"))
|
||||||
|
} else {
|
||||||
|
fmt.Printf("Your tunnel %s does not have any active connection.\n", tunnelID)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func getTunnel(sc *subcommandContext, tunnelID uuid.UUID) (*cfapi.Tunnel, error) {
|
||||||
|
filter := cfapi.NewTunnelFilter()
|
||||||
|
filter.ByTunnelID(tunnelID)
|
||||||
|
tunnels, err := sc.list(filter)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if len(tunnels) != 1 {
|
||||||
|
return nil, errors.Errorf("Expected to find a single tunnel with uuid %v but found %d tunnels.", tunnelID, len(tunnels))
|
||||||
|
}
|
||||||
|
return tunnels[0], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func formatAndPrintConnectionsList(tunnelInfo Info, showRecentlyDisconnected bool) {
|
||||||
|
writer := tabWriter()
|
||||||
|
defer writer.Flush()
|
||||||
|
|
||||||
|
// Print the general tunnel info table
|
||||||
|
_, _ = fmt.Fprintf(writer, "NAME: %s\nID: %s\nCREATED: %s\n\n", tunnelInfo.Name, tunnelInfo.ID, tunnelInfo.CreatedAt)
|
||||||
|
|
||||||
|
// Determine whether to print the connector table
|
||||||
|
shouldDisplayTable := false
|
||||||
|
for _, c := range tunnelInfo.Connectors {
|
||||||
|
conns := fmtConnections(c.Connections, showRecentlyDisconnected)
|
||||||
|
if len(conns) > 0 {
|
||||||
|
shouldDisplayTable = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !shouldDisplayTable {
|
||||||
|
fmt.Println("This tunnel has no active connectors.")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Print the connector table
|
||||||
|
_, _ = fmt.Fprintln(writer, "CONNECTOR ID\tCREATED\tARCHITECTURE\tVERSION\tORIGIN IP\tEDGE\t")
|
||||||
|
for _, c := range tunnelInfo.Connectors {
|
||||||
|
conns := fmtConnections(c.Connections, showRecentlyDisconnected)
|
||||||
|
if len(conns) == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
originIp := c.Connections[0].OriginIP.String()
|
||||||
|
formattedStr := fmt.Sprintf(
|
||||||
|
"%s\t%s\t%s\t%s\t%s\t%s\t",
|
||||||
|
c.ID,
|
||||||
|
c.RunAt.Format(time.RFC3339),
|
||||||
|
c.Arch,
|
||||||
|
c.Version,
|
||||||
|
originIp,
|
||||||
|
conns,
|
||||||
|
)
|
||||||
|
_, _ = fmt.Fprintln(writer, formattedStr)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func tabWriter() *tabwriter.Writer {
|
||||||
|
const (
|
||||||
|
minWidth = 0
|
||||||
|
tabWidth = 8
|
||||||
|
padding = 1
|
||||||
|
padChar = ' '
|
||||||
|
flags = 0
|
||||||
|
)
|
||||||
|
|
||||||
|
writer := tabwriter.NewWriter(os.Stdout, minWidth, tabWidth, padding, padChar, flags)
|
||||||
|
return writer
|
||||||
|
}
|
||||||
|
|
||||||
func buildDeleteCommand() *cli.Command {
|
func buildDeleteCommand() *cli.Command {
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: "delete",
|
Name: "delete",
|
||||||
Action: cliutil.ErrorHandler(deleteCommand),
|
Action: cliutil.ConfiguredAction(deleteCommand),
|
||||||
Usage: "Delete existing tunnel by UUID or name",
|
Usage: "Delete existing tunnel by UUID or name",
|
||||||
UsageText: "cloudflared tunnel [tunnel command options] delete [subcommand options] TUNNEL",
|
UsageText: "cloudflared tunnel [tunnel command options] delete [subcommand options] TUNNEL",
|
||||||
Description: "cloudflared tunnel delete will delete tunnels with the given tunnel UUIDs or names. A tunnel cannot be deleted if it has active connections. To delete the tunnel unconditionally, use -f flag.",
|
Description: "cloudflared tunnel delete will delete tunnels with the given tunnel UUIDs or names. A tunnel cannot be deleted if it has active connections. To delete the tunnel unconditionally, use -f flag.",
|
||||||
Flags: []cli.Flag{credentialsFileFlag, forceDeleteFlag},
|
Flags: []cli.Flag{credentialsFileFlagCLIOnly, forceDeleteFlag},
|
||||||
CustomHelpTemplate: commandHelpTemplate(),
|
CustomHelpTemplate: commandHelpTemplate(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -344,6 +581,9 @@ func deleteCommand(c *cli.Context) error {
|
||||||
return cliutil.UsageError(`"cloudflared tunnel delete" requires at least 1 argument, the ID or name of the tunnel to delete.`)
|
return cliutil.UsageError(`"cloudflared tunnel delete" requires at least 1 argument, the ID or name of the tunnel to delete.`)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
warningChecker := updater.StartWarningCheck(c)
|
||||||
|
defer warningChecker.LogWarningIfAny(sc.log)
|
||||||
|
|
||||||
tunnelIDs, err := sc.findIDs(c.Args().Slice())
|
tunnelIDs, err := sc.findIDs(c.Args().Slice())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -367,18 +607,22 @@ func renderOutput(format string, v interface{}) error {
|
||||||
|
|
||||||
func buildRunCommand() *cli.Command {
|
func buildRunCommand() *cli.Command {
|
||||||
flags := []cli.Flag{
|
flags := []cli.Flag{
|
||||||
forceFlag,
|
|
||||||
credentialsFileFlag,
|
credentialsFileFlag,
|
||||||
|
credentialsContentsFlag,
|
||||||
|
postQuantumFlag,
|
||||||
selectProtocolFlag,
|
selectProtocolFlag,
|
||||||
|
featuresFlag,
|
||||||
|
tunnelTokenFlag,
|
||||||
|
icmpv4SrcFlag,
|
||||||
|
icmpv6SrcFlag,
|
||||||
}
|
}
|
||||||
flags = append(flags, configureProxyFlags(false)...)
|
flags = append(flags, configureProxyFlags(false)...)
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: "run",
|
Name: "run",
|
||||||
Action: cliutil.ErrorHandler(runCommand),
|
Action: cliutil.ConfiguredAction(runCommand),
|
||||||
Before: SetFlagsFromConfigFile,
|
|
||||||
Usage: "Proxy a local web server by running the given tunnel",
|
Usage: "Proxy a local web server by running the given tunnel",
|
||||||
UsageText: "cloudflared tunnel [tunnel command options] run [subcommand options] [TUNNEL]",
|
UsageText: "cloudflared tunnel [tunnel command options] run [subcommand options] [TUNNEL]",
|
||||||
Description: `Runs the tunnel identified by name or UUUD, creating highly available connections
|
Description: `Runs the tunnel identified by name or UUID, creating highly available connections
|
||||||
between your server and the Cloudflare edge. You can provide name or UUID of tunnel to run either as the
|
between your server and the Cloudflare edge. You can provide name or UUID of tunnel to run either as the
|
||||||
last command line argument or in the configuration file using "tunnel: TUNNEL".
|
last command line argument or in the configuration file using "tunnel: TUNNEL".
|
||||||
|
|
||||||
|
@ -401,16 +645,45 @@ func runCommand(c *cli.Context) error {
|
||||||
if c.NArg() > 1 {
|
if c.NArg() > 1 {
|
||||||
return cliutil.UsageError(`"cloudflared tunnel run" accepts only one argument, the ID or name of the tunnel to run.`)
|
return cliutil.UsageError(`"cloudflared tunnel run" accepts only one argument, the ID or name of the tunnel to run.`)
|
||||||
}
|
}
|
||||||
tunnelRef := c.Args().First()
|
|
||||||
if tunnelRef == "" {
|
if c.String("hostname") != "" {
|
||||||
// see if tunnel id was in the config file
|
sc.log.Warn().Msg("The property `hostname` in your configuration is ignored because you configured a Named Tunnel " +
|
||||||
tunnelRef = config.GetConfiguration().TunnelID
|
"in the property `tunnel` to run. Make sure to provision the routing (e.g. via `cloudflared tunnel route dns/lb`) or else " +
|
||||||
if tunnelRef == "" {
|
"your origin will not be reachable. You should remove the `hostname` property to avoid this warning.")
|
||||||
return cliutil.UsageError(`"cloudflared tunnel run" requires the ID or name of the tunnel to run as the last command line argument or in the configuration file.`)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return runNamedTunnel(sc, tunnelRef)
|
// Check if token is provided and if not use default tunnelID flag method
|
||||||
|
if tokenStr := c.String(TunnelTokenFlag); tokenStr != "" {
|
||||||
|
if token, err := ParseToken(tokenStr); err == nil {
|
||||||
|
return sc.runWithCredentials(token.Credentials())
|
||||||
|
}
|
||||||
|
|
||||||
|
return cliutil.UsageError("Provided Tunnel token is not valid.")
|
||||||
|
} else {
|
||||||
|
tunnelRef := c.Args().First()
|
||||||
|
if tunnelRef == "" {
|
||||||
|
// see if tunnel id was in the config file
|
||||||
|
tunnelRef = config.GetConfiguration().TunnelID
|
||||||
|
if tunnelRef == "" {
|
||||||
|
return cliutil.UsageError(`"cloudflared tunnel run" requires the ID or name of the tunnel to run as the last command line argument or in the configuration file.`)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return runNamedTunnel(sc, tunnelRef)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func ParseToken(tokenStr string) (*connection.TunnelToken, error) {
|
||||||
|
content, err := base64.StdEncoding.DecodeString(tokenStr)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var token connection.TunnelToken
|
||||||
|
if err := json.Unmarshal(content, &token); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return &token, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func runNamedTunnel(sc *subcommandContext, tunnelRef string) error {
|
func runNamedTunnel(sc *subcommandContext, tunnelRef string) error {
|
||||||
|
@ -418,19 +691,17 @@ func runNamedTunnel(sc *subcommandContext, tunnelRef string) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "error parsing tunnel ID")
|
return errors.Wrap(err, "error parsing tunnel ID")
|
||||||
}
|
}
|
||||||
|
|
||||||
sc.log.Info().Str(LogFieldTunnelID, tunnelID.String()).Msg("Starting tunnel")
|
|
||||||
|
|
||||||
return sc.run(tunnelID)
|
return sc.run(tunnelID)
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildCleanupCommand() *cli.Command {
|
func buildCleanupCommand() *cli.Command {
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: "cleanup",
|
Name: "cleanup",
|
||||||
Action: cliutil.ErrorHandler(cleanupCommand),
|
Action: cliutil.ConfiguredAction(cleanupCommand),
|
||||||
Usage: "Cleanup tunnel connections",
|
Usage: "Cleanup tunnel connections",
|
||||||
UsageText: "cloudflared tunnel [tunnel command options] cleanup [subcommand options] TUNNEL",
|
UsageText: "cloudflared tunnel [tunnel command options] cleanup [subcommand options] TUNNEL",
|
||||||
Description: "Delete connections for tunnels with the given UUIDs or names.",
|
Description: "Delete connections for tunnels with the given UUIDs or names.",
|
||||||
|
Flags: []cli.Flag{cleanupClientFlag},
|
||||||
CustomHelpTemplate: commandHelpTemplate(),
|
CustomHelpTemplate: commandHelpTemplate(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -453,29 +724,105 @@ func cleanupCommand(c *cli.Context) error {
|
||||||
return sc.cleanupConnections(tunnelIDs)
|
return sc.cleanupConnections(tunnelIDs)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func buildTokenCommand() *cli.Command {
|
||||||
|
return &cli.Command{
|
||||||
|
Name: "token",
|
||||||
|
Action: cliutil.ConfiguredAction(tokenCommand),
|
||||||
|
Usage: "Fetch the credentials token for an existing tunnel (by name or UUID) that allows to run it",
|
||||||
|
UsageText: "cloudflared tunnel [tunnel command options] token [subcommand options] TUNNEL",
|
||||||
|
Description: "cloudflared tunnel token will fetch the credentials token for a given tunnel (by its name or UUID), which is then used to run the tunnel. This command fails if the tunnel does not exist or has been deleted. Use the flag `cloudflared tunnel token --cred-file /my/path/file.json TUNNEL` to output the token to the credentials JSON file. Note: this command only works for Tunnels created since cloudflared version 2022.3.0",
|
||||||
|
Flags: []cli.Flag{credentialsFileFlagCLIOnly},
|
||||||
|
CustomHelpTemplate: commandHelpTemplate(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func tokenCommand(c *cli.Context) error {
|
||||||
|
sc, err := newSubcommandContext(c)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "error setting up logger")
|
||||||
|
}
|
||||||
|
|
||||||
|
warningChecker := updater.StartWarningCheck(c)
|
||||||
|
defer warningChecker.LogWarningIfAny(sc.log)
|
||||||
|
|
||||||
|
if c.NArg() != 1 {
|
||||||
|
return cliutil.UsageError(`"cloudflared tunnel token" requires exactly 1 argument, the name or UUID of tunnel to fetch the credentials token for.`)
|
||||||
|
}
|
||||||
|
tunnelID, err := sc.findID(c.Args().First())
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "error parsing tunnel ID")
|
||||||
|
}
|
||||||
|
|
||||||
|
token, err := sc.getTunnelTokenCredentials(tunnelID)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if path := c.String(CredFileFlag); path != "" {
|
||||||
|
credentials := token.Credentials()
|
||||||
|
err := writeTunnelCredentials(path, &credentials)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrapf(err, "error writing token credentials to JSON file in path %s", path)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
encodedToken, err := token.Encode()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
fmt.Println(encodedToken)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func buildRouteCommand() *cli.Command {
|
func buildRouteCommand() *cli.Command {
|
||||||
return &cli.Command{
|
return &cli.Command{
|
||||||
Name: "route",
|
Name: "route",
|
||||||
Action: cliutil.ErrorHandler(routeCommand),
|
Usage: "Define which traffic routed from Cloudflare edge to this tunnel: requests to a DNS hostname, to a Cloudflare Load Balancer, or traffic originating from Cloudflare WARP clients",
|
||||||
Usage: "Define what hostname or load balancer can route to this tunnel",
|
UsageText: "cloudflared tunnel [tunnel command options] route [subcommand options] [dns TUNNEL HOSTNAME]|[lb TUNNEL HOSTNAME LB-POOL]|[ip NETWORK TUNNEL]",
|
||||||
UsageText: "cloudflared tunnel [tunnel command options] route [subcommand options] dns|lb TUNNEL HOSTNAME [LB-POOL]",
|
Description: `The route command defines how Cloudflare will proxy requests to this tunnel.
|
||||||
Description: `The route defines what hostname or load balancer will proxy requests to this tunnel.
|
|
||||||
|
|
||||||
To route a hostname by creating a CNAME to tunnel's address:
|
To route a hostname by creating a DNS CNAME record to a tunnel:
|
||||||
cloudflared tunnel route dns <tunnel ID> <hostname>
|
cloudflared tunnel route dns <tunnel ID or name> <hostname>
|
||||||
To use this tunnel as a load balancer origin, creating pool and load balancer if necessary:
|
You can read more at: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns
|
||||||
cloudflared tunnel route lb <tunnel ID> <load balancer name> <load balancer pool>`,
|
|
||||||
|
To use this tunnel as a load balancer origin, creating pool and load balancer if necessary:
|
||||||
|
cloudflared tunnel route lb <tunnel ID or name> <hostname> <load balancer pool>
|
||||||
|
You can read more at: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb
|
||||||
|
|
||||||
|
For Cloudflare WARP traffic to be routed to your private network, reachable from this tunnel as origins, use:
|
||||||
|
cloudflared tunnel route ip <network CIDR> <tunnel ID or name>
|
||||||
|
Further information about managing Cloudflare WARP traffic to your tunnel is available at:
|
||||||
|
cloudflared tunnel route ip --help
|
||||||
|
`,
|
||||||
CustomHelpTemplate: commandHelpTemplate(),
|
CustomHelpTemplate: commandHelpTemplate(),
|
||||||
Subcommands: []*cli.Command{
|
Subcommands: []*cli.Command{
|
||||||
|
{
|
||||||
|
Name: "dns",
|
||||||
|
Action: cliutil.ConfiguredAction(routeDnsCommand),
|
||||||
|
Usage: "HostnameRoute a hostname by creating a DNS CNAME record to a tunnel",
|
||||||
|
UsageText: "cloudflared tunnel route dns [TUNNEL] [HOSTNAME]",
|
||||||
|
Description: `Creates a DNS CNAME record hostname that points to the tunnel.`,
|
||||||
|
Flags: []cli.Flag{overwriteDNSFlag},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Name: "lb",
|
||||||
|
Action: cliutil.ConfiguredAction(routeLbCommand),
|
||||||
|
Usage: "Use this tunnel as a load balancer origin, creating pool and load balancer if necessary",
|
||||||
|
UsageText: "cloudflared tunnel route lb [TUNNEL] [HOSTNAME] [LB-POOL-NAME]",
|
||||||
|
Description: `Creates Load Balancer with an origin pool that points to the tunnel.`,
|
||||||
|
},
|
||||||
buildRouteIPSubcommand(),
|
buildRouteIPSubcommand(),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func dnsRouteFromArg(c *cli.Context) (tunnelstore.Route, error) {
|
func dnsRouteFromArg(c *cli.Context, overwriteExisting bool) (cfapi.HostnameRoute, error) {
|
||||||
const (
|
const (
|
||||||
userHostnameIndex = 2
|
userHostnameIndex = 1
|
||||||
expectedNArgs = 3
|
expectedNArgs = 2
|
||||||
)
|
)
|
||||||
if c.NArg() != expectedNArgs {
|
if c.NArg() != expectedNArgs {
|
||||||
return nil, cliutil.UsageError("Expected %d arguments, got %d", expectedNArgs, c.NArg())
|
return nil, cliutil.UsageError("Expected %d arguments, got %d", expectedNArgs, c.NArg())
|
||||||
|
@ -486,14 +833,14 @@ func dnsRouteFromArg(c *cli.Context) (tunnelstore.Route, error) {
|
||||||
} else if !validateHostname(userHostname, true) {
|
} else if !validateHostname(userHostname, true) {
|
||||||
return nil, errors.Errorf("%s is not a valid hostname", userHostname)
|
return nil, errors.Errorf("%s is not a valid hostname", userHostname)
|
||||||
}
|
}
|
||||||
return tunnelstore.NewDNSRoute(userHostname), nil
|
return cfapi.NewDNSRoute(userHostname, overwriteExisting), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func lbRouteFromArg(c *cli.Context) (tunnelstore.Route, error) {
|
func lbRouteFromArg(c *cli.Context) (cfapi.HostnameRoute, error) {
|
||||||
const (
|
const (
|
||||||
lbNameIndex = 2
|
lbNameIndex = 1
|
||||||
lbPoolIndex = 3
|
lbPoolIndex = 2
|
||||||
expectedNArgs = 4
|
expectedNArgs = 3
|
||||||
)
|
)
|
||||||
if c.NArg() != expectedNArgs {
|
if c.NArg() != expectedNArgs {
|
||||||
return nil, cliutil.UsageError("Expected %d arguments, got %d", expectedNArgs, c.NArg())
|
return nil, cliutil.UsageError("Expected %d arguments, got %d", expectedNArgs, c.NArg())
|
||||||
|
@ -512,7 +859,7 @@ func lbRouteFromArg(c *cli.Context) (tunnelstore.Route, error) {
|
||||||
return nil, errors.Errorf("%s is not a valid pool name", lbPool)
|
return nil, errors.Errorf("%s is not a valid pool name", lbPool)
|
||||||
}
|
}
|
||||||
|
|
||||||
return tunnelstore.NewLBRoute(lbName, lbPool), nil
|
return cfapi.NewLBRoute(lbName, lbPool), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
var nameRegex = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
|
var nameRegex = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
|
||||||
|
@ -535,41 +882,39 @@ func validateHostname(s string, allowWildcardSubdomain bool) bool {
|
||||||
return err == nil && validateName(puny, allowWildcardSubdomain)
|
return err == nil && validateName(puny, allowWildcardSubdomain)
|
||||||
}
|
}
|
||||||
|
|
||||||
func routeCommand(c *cli.Context) error {
|
func routeDnsCommand(c *cli.Context) error {
|
||||||
if c.NArg() < 2 {
|
if c.NArg() != 2 {
|
||||||
return cliutil.UsageError(`"cloudflared tunnel route" requires the first argument to be the route type(dns or lb), followed by the ID or name of the tunnel`)
|
return cliutil.UsageError(`This command expects the format "cloudflared tunnel route dns <tunnel name/id> <hostname>"`)
|
||||||
}
|
}
|
||||||
|
return routeCommand(c, "dns")
|
||||||
|
}
|
||||||
|
|
||||||
|
func routeLbCommand(c *cli.Context) error {
|
||||||
|
if c.NArg() != 3 {
|
||||||
|
return cliutil.UsageError(`This command expects the format "cloudflared tunnel route lb <tunnel name/id> <hostname> <load balancer pool>"`)
|
||||||
|
}
|
||||||
|
return routeCommand(c, "lb")
|
||||||
|
}
|
||||||
|
|
||||||
|
func routeCommand(c *cli.Context, routeType string) error {
|
||||||
sc, err := newSubcommandContext(c)
|
sc, err := newSubcommandContext(c)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
const tunnelIDIndex = 1
|
tunnelID, err := sc.findID(c.Args().Get(0))
|
||||||
|
if err != nil {
|
||||||
routeType := c.Args().First()
|
return err
|
||||||
var route tunnelstore.Route
|
}
|
||||||
var tunnelID uuid.UUID
|
var route cfapi.HostnameRoute
|
||||||
switch routeType {
|
switch routeType {
|
||||||
case "dns":
|
case "dns":
|
||||||
tunnelID, err = sc.findID(c.Args().Get(tunnelIDIndex))
|
route, err = dnsRouteFromArg(c, c.Bool(overwriteDNSFlagName))
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
route, err = dnsRouteFromArg(c)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
case "lb":
|
case "lb":
|
||||||
tunnelID, err = sc.findID(c.Args().Get(tunnelIDIndex))
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
route, err = lbRouteFromArg(c)
|
route, err = lbRouteFromArg(c)
|
||||||
if err != nil {
|
}
|
||||||
return err
|
if err != nil {
|
||||||
}
|
return err
|
||||||
default:
|
|
||||||
return cliutil.UsageError("%s is not a recognized route type. Supported route types are dns and lb", routeType)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
res, err := sc.route(tunnelID, route)
|
res, err := sc.route(tunnelID, route)
|
||||||
|
@ -586,7 +931,7 @@ func commandHelpTemplate() string {
|
||||||
for _, f := range configureCloudflaredFlags(false) {
|
for _, f := range configureCloudflaredFlags(false) {
|
||||||
parentFlagsHelp += fmt.Sprintf(" %s\n\t", f)
|
parentFlagsHelp += fmt.Sprintf(" %s\n\t", f)
|
||||||
}
|
}
|
||||||
for _, f := range configureLoggingFlags(false) {
|
for _, f := range cliutil.ConfigureLoggingFlags(false) {
|
||||||
parentFlagsHelp += fmt.Sprintf(" %s\n\t", f)
|
parentFlagsHelp += fmt.Sprintf(" %s\n\t", f)
|
||||||
}
|
}
|
||||||
const template = `NAME:
|
const template = `NAME:
|
||||||
|
|
|
@ -1,19 +1,23 @@
|
||||||
package tunnel
|
package tunnel
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"encoding/base64"
|
||||||
|
"encoding/json"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/cloudflare/cloudflared/tunnelstore"
|
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
"github.com/mitchellh/go-homedir"
|
homedir "github.com/mitchellh/go-homedir"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cloudflared/cfapi"
|
||||||
|
"github.com/cloudflare/cloudflared/connection"
|
||||||
)
|
)
|
||||||
|
|
||||||
func Test_fmtConnections(t *testing.T) {
|
func Test_fmtConnections(t *testing.T) {
|
||||||
type args struct {
|
type args struct {
|
||||||
connections []tunnelstore.Connection
|
connections []cfapi.Connection
|
||||||
}
|
}
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
|
@ -23,14 +27,14 @@ func Test_fmtConnections(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "empty",
|
name: "empty",
|
||||||
args: args{
|
args: args{
|
||||||
connections: []tunnelstore.Connection{},
|
connections: []cfapi.Connection{},
|
||||||
},
|
},
|
||||||
want: "",
|
want: "",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "trivial",
|
name: "trivial",
|
||||||
args: args{
|
args: args{
|
||||||
connections: []tunnelstore.Connection{
|
connections: []cfapi.Connection{
|
||||||
{
|
{
|
||||||
ColoName: "DFW",
|
ColoName: "DFW",
|
||||||
ID: uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
|
ID: uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
|
||||||
|
@ -42,7 +46,7 @@ func Test_fmtConnections(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "with a pending reconnect",
|
name: "with a pending reconnect",
|
||||||
args: args{
|
args: args{
|
||||||
connections: []tunnelstore.Connection{
|
connections: []cfapi.Connection{
|
||||||
{
|
{
|
||||||
ColoName: "DFW",
|
ColoName: "DFW",
|
||||||
ID: uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
|
ID: uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
|
||||||
|
@ -55,7 +59,7 @@ func Test_fmtConnections(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "many colos",
|
name: "many colos",
|
||||||
args: args{
|
args: args{
|
||||||
connections: []tunnelstore.Connection{
|
connections: []cfapi.Connection{
|
||||||
{
|
{
|
||||||
ColoName: "YRV",
|
ColoName: "YRV",
|
||||||
ID: uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
|
ID: uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
|
||||||
|
@ -94,7 +98,7 @@ func TestTunnelfilePath(t *testing.T) {
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
homeDir, err := homedir.Dir()
|
homeDir, err := homedir.Dir()
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
expected := fmt.Sprintf("%s/.cloudflared/%v.json", homeDir, tunnelID)
|
expected := filepath.Join(homeDir, ".cloudflared", tunnelID.String()+".json")
|
||||||
assert.Equal(t, expected, actual)
|
assert.Equal(t, expected, actual)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -177,3 +181,24 @@ func Test_validateHostname(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func Test_TunnelToken(t *testing.T) {
|
||||||
|
token, err := ParseToken("aabc")
|
||||||
|
require.Error(t, err)
|
||||||
|
require.Nil(t, token)
|
||||||
|
|
||||||
|
expectedToken := &connection.TunnelToken{
|
||||||
|
AccountTag: "abc",
|
||||||
|
TunnelSecret: []byte("secret"),
|
||||||
|
TunnelID: uuid.New(),
|
||||||
|
}
|
||||||
|
|
||||||
|
tokenJsonStr, err := json.Marshal(expectedToken)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
token64 := base64.StdEncoding.EncodeToString(tokenJsonStr)
|
||||||
|
|
||||||
|
token, err = ParseToken(token64)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, token, expectedToken)
|
||||||
|
}
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue