mirror of
https://github.com/fosrl/newt.git
synced 2026-07-12 07:00:31 -05:00
Compare commits
404 Commits
1.7.0-rc.0
...
1.13.0
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
80e5f664b7 | ||
|
|
df93f01e74 | ||
|
|
5e0eef3b27 | ||
|
|
ea3d9869c5 | ||
|
|
9f895ac7ec | ||
|
|
364073d28c | ||
|
|
8eb9661827 | ||
|
|
25960e4354 | ||
|
|
060fcb18d5 | ||
|
|
12af1f77fd | ||
|
|
8c698ffaee | ||
|
|
d360392214 | ||
|
|
1dbd1936ba | ||
|
|
40223eac90 | ||
|
|
17c4fe9b2b | ||
|
|
c515c4cd5f | ||
|
|
17a5689cf2 | ||
|
|
3d8a269819 | ||
|
|
86180c0ee8 | ||
|
|
8eddb908e0 | ||
|
|
74ce376c28 | ||
|
|
2d369176a1 | ||
|
|
a5828af214 | ||
|
|
62dc2d3e96 | ||
|
|
7d84393dd0 | ||
|
|
ac0079b7e2 | ||
|
|
02fc8b0684 | ||
|
|
5fb1ba5b35 | ||
|
|
9f014b19f8 | ||
|
|
da794460e5 | ||
|
|
acb21b1203 | ||
|
|
1f80280384 | ||
|
|
66714adb0a | ||
|
|
a868719459 | ||
|
|
b2c73a40df | ||
|
|
a82942381b | ||
|
|
fde46cb587 | ||
|
|
a8d91756ca | ||
|
|
e5bf31d118 | ||
|
|
e77b1d9363 | ||
|
|
8191f30e77 | ||
|
|
b35dd025bd | ||
|
|
763ef3726e | ||
|
|
e3fe89b431 | ||
|
|
3c47124894 | ||
|
|
1c591d8f1b | ||
|
|
7ff97eda51 | ||
|
|
e223a35a62 | ||
|
|
71eb811829 | ||
|
|
34d2cad512 | ||
|
|
7c22fe274a | ||
|
|
d2bd8cb97d | ||
|
|
24c4fbc0b0 | ||
|
|
e1b6fa9008 | ||
|
|
c058500932 | ||
|
|
3264aa0975 | ||
|
|
71ab4da7f5 | ||
|
|
2a3ec1953f | ||
|
|
865697204b | ||
|
|
6bf6b47d18 | ||
|
|
b9536597d2 | ||
|
|
647a6d2635 | ||
|
|
677146e20e | ||
|
|
097450ae15 | ||
|
|
cc7b2a5ade | ||
|
|
7636549e9a | ||
|
|
cb5d87587c | ||
|
|
2cd9ffc582 | ||
|
|
8d30a584b5 | ||
|
|
936642cef9 | ||
|
|
9d060c2ac5 | ||
|
|
fba7943cd3 | ||
|
|
f41e15fcb3 | ||
|
|
0d528abab8 | ||
|
|
16cb83fd28 | ||
|
|
e438a249dd | ||
|
|
40710e5197 | ||
|
|
385e9c0a83 | ||
|
|
d5c3dedca6 | ||
|
|
1de3076808 | ||
|
|
b0f8589443 | ||
|
|
a855047139 | ||
|
|
79e21b7917 | ||
|
|
c55071c60a | ||
|
|
b72c8e643d | ||
|
|
7ace4978a4 | ||
|
|
832b06d8d5 | ||
|
|
c9ac8fc28f | ||
|
|
74acbad133 | ||
|
|
7ff795b6bb | ||
|
|
8246eb1e36 | ||
|
|
9342546075 | ||
|
|
0d26fb6de4 | ||
|
|
9de90429d3 | ||
|
|
e167c35293 | ||
|
|
81a4f3fd27 | ||
|
|
5541f92d07 | ||
|
|
74b4b7d76d | ||
|
|
328b1aced3 | ||
|
|
655cfa45fb | ||
|
|
b3e4964e52 | ||
|
|
f871b5e324 | ||
|
|
85d51a300e | ||
|
|
cd9fb3d013 | ||
|
|
6b42cac02d | ||
|
|
d5f48f782f | ||
|
|
cd5f5c079c | ||
|
|
1f2d40c793 | ||
|
|
5e7cd9c0b9 | ||
|
|
a84bae3bc1 | ||
|
|
34c5260e49 | ||
|
|
d16b856719 | ||
|
|
f1bb6c663d | ||
|
|
b09f67c377 | ||
|
|
46d4d6539a | ||
|
|
367e4b03fe | ||
|
|
07613ebe05 | ||
|
|
81b6daceba | ||
|
|
72a209c7ae | ||
|
|
72c58c721b | ||
|
|
dd735555c4 | ||
|
|
51d7558ec5 | ||
|
|
ad8013ff77 | ||
|
|
7315f381d7 | ||
|
|
2038383393 | ||
|
|
1ecf6efdf5 | ||
|
|
3a5ce705b8 | ||
|
|
809e6cff30 | ||
|
|
96327034af | ||
|
|
5564eaa02f | ||
|
|
9545854cb5 | ||
|
|
d28b9bbca3 | ||
|
|
232b3936de | ||
|
|
5914b3107a | ||
|
|
015fe4b8db | ||
|
|
25eb79823f | ||
|
|
6b669db101 | ||
|
|
c0b00f7faa | ||
|
|
a223f4e6aa | ||
|
|
64b0bd2c70 | ||
|
|
7c3e0de5c9 | ||
|
|
b1db040bb9 | ||
|
|
3aae8264a8 | ||
|
|
8a63f5cd12 | ||
|
|
9725c266be | ||
|
|
b81c252586 | ||
|
|
b22f6f19bc | ||
|
|
6ef16b8c3a | ||
|
|
e9d2aed39a | ||
|
|
1043ee4758 | ||
|
|
be17fc554f | ||
|
|
53588baa61 | ||
|
|
0a043f2205 | ||
|
|
e9ac43d12b | ||
|
|
54a8390007 | ||
|
|
4e12ef169d | ||
|
|
a7b512833b | ||
|
|
b3a23a719f | ||
|
|
139de4a029 | ||
|
|
f8d8eaab2c | ||
|
|
90d486ca7f | ||
|
|
aa50a339d2 | ||
|
|
236e213b7b | ||
|
|
51c3f720fa | ||
|
|
93c7cafc33 | ||
|
|
57831f9473 | ||
|
|
9442142c32 | ||
|
|
5fb2fecc87 | ||
|
|
fdb85e7c25 | ||
|
|
004c599c19 | ||
|
|
2ab9fb901a | ||
|
|
3a0dd20bd3 | ||
|
|
0dc50321c6 | ||
|
|
753be0f74b | ||
|
|
363b37e241 | ||
|
|
a33508429c | ||
|
|
d748f64f79 | ||
|
|
5f8a984733 | ||
|
|
42fb9a675c | ||
|
|
df79474869 | ||
|
|
ec96bdbf1d | ||
|
|
cc4f34b48e | ||
|
|
9f68e9e2cf | ||
|
|
e62d5c463f | ||
|
|
deb2328f85 | ||
|
|
5f0fec22ad | ||
|
|
e0177f7a4d | ||
|
|
5e18816dcc | ||
|
|
1749d7c044 | ||
|
|
c4711203f4 | ||
|
|
31c0a4fee1 | ||
|
|
8d1a1f8d4a | ||
|
|
6f027542a2 | ||
|
|
f5905f1402 | ||
|
|
e89e5cd2d5 | ||
|
|
a8f7551750 | ||
|
|
a0867d5537 | ||
|
|
ea66070ad2 | ||
|
|
89fa24e7a5 | ||
|
|
3479cd0647 | ||
|
|
92c73cf019 | ||
|
|
86d2e51386 | ||
|
|
736fb19d3b | ||
|
|
d6ac75fd50 | ||
|
|
e3105ad4ce | ||
|
|
05be670f1c | ||
|
|
4ac3dea71b | ||
|
|
c969f44071 | ||
|
|
9293c71fb5 | ||
|
|
c191ff6cad | ||
|
|
74b7caf7ec | ||
|
|
ee1911709f | ||
|
|
2cf60d0fdb | ||
|
|
7f67714707 | ||
|
|
1a4cdf7fc3 | ||
|
|
195fb57f03 | ||
|
|
d3fef27949 | ||
|
|
32a689151e | ||
|
|
3cdad1f371 | ||
|
|
c5db50c948 | ||
|
|
0e690089f5 | ||
|
|
129ca0ad87 | ||
|
|
439685ec2a | ||
|
|
acdb460eba | ||
|
|
824606e8fb | ||
|
|
87d03bd589 | ||
|
|
3ccf13354c | ||
|
|
acbbce787c | ||
|
|
17a4db6810 | ||
|
|
7ddcfe968d | ||
|
|
19f1f38dcf | ||
|
|
ca22eb9a96 | ||
|
|
b6ed0c7b57 | ||
|
|
72ea572acb | ||
|
|
82074919d1 | ||
|
|
8bc4e414e7 | ||
|
|
1ba0d23a16 | ||
|
|
a5a0f42890 | ||
|
|
cc7a19bace | ||
|
|
59afb7da69 | ||
|
|
12a3e987b2 | ||
|
|
30ee82af2a | ||
|
|
4774ad9054 | ||
|
|
9377df6526 | ||
|
|
199f936046 | ||
|
|
4ce7b433ff | ||
|
|
bc5eaa9a35 | ||
|
|
a99c57b5e1 | ||
|
|
e03963003d | ||
|
|
5b44966809 | ||
|
|
a8063cdffe | ||
|
|
6d4f51078d | ||
|
|
838f99686b | ||
|
|
1d57344168 | ||
|
|
ddc98070bb | ||
|
|
72e2ebc0b2 | ||
|
|
362659ef28 | ||
|
|
cc7e6a8b25 | ||
|
|
d4edcf39f1 | ||
|
|
372aa726c1 | ||
|
|
d4a515cd76 | ||
|
|
0040d66fd9 | ||
|
|
e6b0cd3807 | ||
|
|
4fbeca9ab1 | ||
|
|
74cf94639e | ||
|
|
7815fe4074 | ||
|
|
301bba3b08 | ||
|
|
4daf103b5b | ||
|
|
99a429dc1b | ||
|
|
9a5dfd1bdb | ||
|
|
9f39f77554 | ||
|
|
6d6717952c | ||
|
|
3120d10f7e | ||
|
|
157d48bb13 | ||
|
|
6776e4c706 | ||
|
|
4ac0add080 | ||
|
|
d00eab0651 | ||
|
|
add13d7379 | ||
|
|
a2f3341e81 | ||
|
|
ac8791dab1 | ||
|
|
3abe585227 | ||
|
|
71749a4ade | ||
|
|
3fcf1f7427 | ||
|
|
9353186b60 | ||
|
|
41b90d8f30 | ||
|
|
5ba9e6702c | ||
|
|
d1df2c2830 | ||
|
|
e4abce97c1 | ||
|
|
0a6fd9b7c8 | ||
|
|
b2c102cdec | ||
|
|
4d478ba276 | ||
|
|
8f22937c1b | ||
|
|
ce290a1ba2 | ||
|
|
cadd64091a | ||
|
|
f0618cf3ab | ||
|
|
d6a29673ab | ||
|
|
78219f1302 | ||
|
|
889e0439a8 | ||
|
|
2f7843859b | ||
|
|
01c3c6de7e | ||
|
|
2649a125cd | ||
|
|
95542c7cb7 | ||
|
|
a1b1e495d2 | ||
|
|
dcf953b495 | ||
|
|
b705d52660 | ||
|
|
51faf1637e | ||
|
|
1246725e02 | ||
|
|
7cd12be043 | ||
|
|
8ad2deea92 | ||
|
|
95bb165e10 | ||
|
|
4dcafc9abd | ||
|
|
262f939f78 | ||
|
|
1a6a9699e1 | ||
|
|
6e0c1dc383 | ||
|
|
e0bb4808b9 | ||
|
|
31c36dffb9 | ||
|
|
a28e28cc5d | ||
|
|
a217da8c13 | ||
|
|
641d5a74ac | ||
|
|
6bb6c52e26 | ||
|
|
b8a6e492f9 | ||
|
|
634a62693a | ||
|
|
acc8f7a409 | ||
|
|
432f2ff7b2 | ||
|
|
fa4217a31d | ||
|
|
dcab3a46d0 | ||
|
|
2712bcda8c | ||
|
|
7609599129 | ||
|
|
ddccf9b200 | ||
|
|
8ca03eadcd | ||
|
|
1616fd9d68 | ||
|
|
0954f213dc | ||
|
|
2a2bb19ea3 | ||
|
|
95453cec15 | ||
|
|
7ed9e258ba | ||
|
|
1f9e84d4aa | ||
|
|
586ccae211 | ||
|
|
1e243a0cdc | ||
|
|
00538f0c7c | ||
|
|
dfb71f20ff | ||
|
|
2c6c1dc1fe | ||
|
|
fd623ca47d | ||
|
|
8deb6b226a | ||
|
|
45153dd7b8 | ||
|
|
b87b8c3168 | ||
|
|
dfad7d852a | ||
|
|
d0b1876ac4 | ||
|
|
51dc2ca875 | ||
|
|
c50a2ea93b | ||
|
|
2fbed8b879 | ||
|
|
14757e575b | ||
|
|
03c9e957a4 | ||
|
|
0f8ac38b66 | ||
|
|
5d4ec7a52c | ||
|
|
7d331c5c61 | ||
|
|
902063d207 | ||
|
|
f15f86364d | ||
|
|
9fc6cccb30 | ||
|
|
8a2df2cc3c | ||
|
|
78d4337748 | ||
|
|
aff9c1ee49 | ||
|
|
7c112def58 | ||
|
|
94c5e72b8b | ||
|
|
fbdfd16633 | ||
|
|
2de9b9e3e0 | ||
|
|
3c7d491133 | ||
|
|
fd1f2fac40 | ||
|
|
dd04fdd1df | ||
|
|
7e00e1ad26 | ||
|
|
0c482bf0ce | ||
|
|
5f2d9115c9 | ||
|
|
9762db4853 | ||
|
|
e9a526814e | ||
|
|
e9e9f8fc20 | ||
|
|
a832405e5f | ||
|
|
fc493abbbb | ||
|
|
59cae0d9b0 | ||
|
|
7ecd70aa1c | ||
|
|
f3e59a822c | ||
|
|
9b8aacd1a8 | ||
|
|
bb93fee614 | ||
|
|
ec4619583f | ||
|
|
f78c900d54 | ||
|
|
9c5aab638b | ||
|
|
e0fdb1bf33 | ||
|
|
da9ad06a44 | ||
|
|
ba51b4b5ea | ||
|
|
a001b372c5 | ||
|
|
9fcfc6b236 | ||
|
|
7610ee6550 | ||
|
|
21f34d4acc | ||
|
|
073fa30d66 | ||
|
|
61e0e6e5e4 | ||
|
|
0b904d0ba8 | ||
|
|
2b66535db2 | ||
|
|
cb745081aa | ||
|
|
5070264599 | ||
|
|
7689682a5a | ||
|
|
c5b357c0f6 | ||
|
|
8b0831823e | ||
|
|
7f89eba525 | ||
|
|
400318bbf1 | ||
|
|
3476e8ebe1 | ||
|
|
30ee22b774 |
@@ -1,5 +1,5 @@
|
||||
# Copy this file to .env and fill in your values
|
||||
# Required for connecting to Pangolin service
|
||||
PANGOLIN_ENDPOINT=https://example.com
|
||||
PANGOLIN_ENDPOINT=https://app.pangolin.net
|
||||
NEWT_ID=changeme-id
|
||||
NEWT_SECRET=changeme-secret
|
||||
1
.github/CODEOWNERS
vendored
Normal file
1
.github/CODEOWNERS
vendored
Normal file
@@ -0,0 +1 @@
|
||||
* @oschwartz10612 @miloschwartz
|
||||
5
.github/ISSUE_TEMPLATE/1.bug_report.yml
vendored
5
.github/ISSUE_TEMPLATE/1.bug_report.yml
vendored
@@ -14,12 +14,13 @@ body:
|
||||
label: Environment
|
||||
description: Please fill out the relevant details below for your environment.
|
||||
value: |
|
||||
- OS Type & Version: (e.g., Ubuntu 22.04)
|
||||
- OS Type & Version:
|
||||
- Pangolin Version:
|
||||
- Edition (Community or Enterprise):
|
||||
- Gerbil Version:
|
||||
- Traefik Version:
|
||||
- Newt Version:
|
||||
- Olm Version: (if applicable)
|
||||
- Client Version:
|
||||
validations:
|
||||
required: true
|
||||
|
||||
|
||||
1041
.github/workflows/cicd.yml
vendored
1041
.github/workflows/cicd.yml
vendored
File diff suppressed because it is too large
Load Diff
2
.github/workflows/mirror.yaml
vendored
2
.github/workflows/mirror.yaml
vendored
@@ -23,7 +23,7 @@ jobs:
|
||||
skopeo --version
|
||||
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
|
||||
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
|
||||
|
||||
- name: Input check
|
||||
run: |
|
||||
|
||||
23
.github/workflows/nix-build.yml
vendored
Normal file
23
.github/workflows/nix-build.yml
vendored
Normal file
@@ -0,0 +1,23 @@
|
||||
name: Build Nix package
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
pull_request:
|
||||
paths:
|
||||
- go.mod
|
||||
- go.sum
|
||||
|
||||
jobs:
|
||||
nix-build:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Install Nix
|
||||
uses: DeterminateSystems/nix-installer-action@main
|
||||
|
||||
- name: Build flake package
|
||||
run: |
|
||||
nix build .#pangolin-newt -L
|
||||
48
.github/workflows/nix-dependabot-update-hash.yml
vendored
Normal file
48
.github/workflows/nix-dependabot-update-hash.yml
vendored
Normal file
@@ -0,0 +1,48 @@
|
||||
name: Update Nix Package Hash On Dependabot PRs
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types: [opened, synchronize]
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
nix-update:
|
||||
if: github.actor == 'dependabot[bot]'
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Install Nix
|
||||
uses: DeterminateSystems/nix-installer-action@main
|
||||
|
||||
- name: Run nix-update
|
||||
run: |
|
||||
nix run nixpkgs#nix-update -- --flake pangolin-newt --no-src --version skip
|
||||
|
||||
- name: Check for changes
|
||||
id: changes
|
||||
run: |
|
||||
if git diff --quiet; then
|
||||
echo "changed=false" >> "$GITHUB_OUTPUT"
|
||||
else
|
||||
echo "changed=true" >> "$GITHUB_OUTPUT"
|
||||
fi
|
||||
|
||||
- name: Commit and push changes
|
||||
if: steps.changes.outputs.changed == 'true'
|
||||
run: |
|
||||
git config user.name "dependabot[bot]"
|
||||
git config user.email "dependabot[bot]@users.noreply.github.com"
|
||||
|
||||
git add .
|
||||
git commit -m "chore(nix): fix hash for updated go dependencies"
|
||||
git push
|
||||
37
.github/workflows/stale-bot.yml
vendored
Normal file
37
.github/workflows/stale-bot.yml
vendored
Normal file
@@ -0,0 +1,37 @@
|
||||
name: Mark and Close Stale Issues
|
||||
|
||||
on:
|
||||
schedule:
|
||||
- cron: '0 0 * * *'
|
||||
workflow_dispatch: # Allow manual trigger
|
||||
|
||||
permissions:
|
||||
contents: write # only for delete-branch option
|
||||
issues: write
|
||||
pull-requests: write
|
||||
|
||||
jobs:
|
||||
stale:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
|
||||
with:
|
||||
days-before-stale: 14
|
||||
days-before-close: 14
|
||||
stale-issue-message: 'This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.'
|
||||
close-issue-message: 'This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.'
|
||||
stale-issue-label: 'stale'
|
||||
|
||||
exempt-issue-labels: 'needs investigating, networking, new feature, reverse proxy, bug, api, authentication, documentation, enhancement, help wanted, good first issue, question'
|
||||
|
||||
exempt-all-issue-assignees: true
|
||||
|
||||
only-labels: ''
|
||||
exempt-pr-labels: ''
|
||||
days-before-pr-stale: -1
|
||||
days-before-pr-close: -1
|
||||
|
||||
operations-per-run: 100
|
||||
remove-stale-when-updated: true
|
||||
delete-branch: false
|
||||
enable-statistics: true
|
||||
44
.github/workflows/test.yml
vendored
44
.github/workflows/test.yml
vendored
@@ -11,21 +11,43 @@ on:
|
||||
|
||||
jobs:
|
||||
test:
|
||||
runs-on: amd64-runner
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
|
||||
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
|
||||
with:
|
||||
go-version: 1.25
|
||||
go-version-file: go.mod
|
||||
|
||||
- name: Build go
|
||||
run: go build
|
||||
- name: Run Go tests
|
||||
run: make test
|
||||
|
||||
- name: Build Docker image
|
||||
run: make build
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
target:
|
||||
- local
|
||||
- docker-build
|
||||
- go-build-release-darwin-amd64
|
||||
- go-build-release-darwin-arm64
|
||||
- go-build-release-freebsd-amd64
|
||||
- go-build-release-freebsd-arm64
|
||||
- go-build-release-linux-amd64
|
||||
- go-build-release-linux-arm32-v6
|
||||
- go-build-release-linux-arm32-v7
|
||||
- go-build-release-linux-riscv64
|
||||
- go-build-release-windows-amd64
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
|
||||
- name: Build binaries
|
||||
run: make go-build-release
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
|
||||
with:
|
||||
go-version-file: go.mod
|
||||
|
||||
- name: Build targets via `make`
|
||||
run: make ${{ matrix.target }}
|
||||
|
||||
5
.gitignore
vendored
5
.gitignore
vendored
@@ -1,4 +1,3 @@
|
||||
newt
|
||||
.DS_Store
|
||||
bin/
|
||||
nohup.out
|
||||
@@ -6,4 +5,6 @@ nohup.out
|
||||
*.iml
|
||||
certs/
|
||||
newt_arm64
|
||||
key
|
||||
key
|
||||
/.direnv/
|
||||
/result*
|
||||
|
||||
14
Dockerfile
14
Dockerfile
@@ -1,4 +1,5 @@
|
||||
FROM golang:1.25-alpine AS builder
|
||||
# FROM golang:1.25-alpine AS builder
|
||||
FROM public.ecr.aws/docker/library/golang:1.25-alpine AS builder
|
||||
|
||||
# Install git and ca-certificates
|
||||
RUN apk --no-cache add ca-certificates git tzdata
|
||||
@@ -16,15 +17,20 @@ RUN go mod download
|
||||
COPY . .
|
||||
|
||||
# Build the application
|
||||
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /newt
|
||||
ARG VERSION=dev
|
||||
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X main.newtVersion=${VERSION}" -o /newt
|
||||
|
||||
FROM alpine:3.23 AS runner
|
||||
FROM public.ecr.aws/docker/library/alpine:3.23 AS runner
|
||||
|
||||
RUN apk --no-cache add ca-certificates tzdata
|
||||
RUN apk --no-cache add ca-certificates tzdata iputils
|
||||
|
||||
COPY --from=builder /newt /usr/local/bin/
|
||||
COPY entrypoint.sh /
|
||||
|
||||
# Marks this as an official Fossorial container image.
|
||||
# Auto-update is disabled in official images — update by pulling a new image tag.
|
||||
ENV NEWT_SYSTEM_SUBSTRATE="CONTAINER"
|
||||
|
||||
# Admin/metrics endpoint (Prometheus scrape)
|
||||
EXPOSE 2112
|
||||
|
||||
|
||||
87
Makefile
87
Makefile
@@ -1,37 +1,76 @@
|
||||
.PHONY: all local test docker-build docker-build-release
|
||||
|
||||
all: build push
|
||||
all: local
|
||||
|
||||
VERSION ?= dev
|
||||
LDFLAGS = -X main.newtVersion=$(VERSION)
|
||||
|
||||
local:
|
||||
CGO_ENABLED=0 go build -ldflags "$(LDFLAGS) -X main.newtPlatform=$(shell go env GOOS)_$(shell go env GOARCH)" -o ./bin/newt
|
||||
|
||||
test:
|
||||
go test ./...
|
||||
|
||||
docker-build:
|
||||
docker build -t fosrl/newt:latest .
|
||||
|
||||
docker-build-release:
|
||||
@if [ -z "$(tag)" ]; then \
|
||||
echo "Error: tag is required. Usage: make docker-build-release tag=<tag>"; \
|
||||
exit 1; \
|
||||
fi
|
||||
docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/newt:latest -f Dockerfile --push .
|
||||
docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/newt:$(tag) -f Dockerfile --push .
|
||||
docker buildx build . \
|
||||
--platform linux/arm/v7,linux/arm64,linux/amd64 \
|
||||
-t fosrl/newt:latest \
|
||||
-t fosrl/newt:$(tag) \
|
||||
-f Dockerfile \
|
||||
--push
|
||||
|
||||
build:
|
||||
docker build -t fosrl/newt:latest .
|
||||
.PHONY: go-build-release \
|
||||
go-build-release-linux-arm64 go-build-release-linux-arm32-v7 \
|
||||
go-build-release-linux-arm32-v6 go-build-release-linux-amd64 \
|
||||
go-build-release-linux-riscv64 go-build-release-darwin-arm64 \
|
||||
go-build-release-darwin-amd64 go-build-release-windows-amd64 \
|
||||
go-build-release-freebsd-amd64 go-build-release-freebsd-arm64
|
||||
|
||||
push:
|
||||
docker push fosrl/newt:latest
|
||||
go-build-release: \
|
||||
go-build-release-linux-arm64 \
|
||||
go-build-release-linux-arm32-v7 \
|
||||
go-build-release-linux-arm32-v6 \
|
||||
go-build-release-linux-amd64 \
|
||||
go-build-release-linux-riscv64 \
|
||||
go-build-release-darwin-arm64 \
|
||||
go-build-release-darwin-amd64 \
|
||||
go-build-release-windows-amd64 \
|
||||
go-build-release-freebsd-amd64 \
|
||||
go-build-release-freebsd-arm64
|
||||
|
||||
test:
|
||||
docker run fosrl/newt:latest
|
||||
go-build-release-linux-arm64:
|
||||
CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS) -X main.newtPlatform=linux_arm64" -o bin/newt_linux_arm64
|
||||
|
||||
local:
|
||||
CGO_ENABLED=0 go build -o newt
|
||||
go-build-release-linux-arm32-v7:
|
||||
CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -ldflags "$(LDFLAGS) -X main.newtPlatform=linux_arm32" -o bin/newt_linux_arm32
|
||||
|
||||
go-build-release:
|
||||
CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/newt_linux_arm64
|
||||
CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -o bin/newt_linux_arm32
|
||||
CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -o bin/newt_linux_arm32v6
|
||||
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/newt_linux_amd64
|
||||
CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -o bin/newt_linux_riscv64
|
||||
CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o bin/newt_darwin_arm64
|
||||
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o bin/newt_darwin_amd64
|
||||
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o bin/newt_windows_amd64.exe
|
||||
CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -o bin/newt_freebsd_amd64
|
||||
CGO_ENABLED=0 GOOS=freebsd GOARCH=arm64 go build -o bin/newt_freebsd_arm64
|
||||
go-build-release-linux-arm32-v6:
|
||||
CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -ldflags "$(LDFLAGS) -X main.newtPlatform=linux_arm32v6" -o bin/newt_linux_arm32v6
|
||||
|
||||
clean:
|
||||
rm newt
|
||||
go-build-release-linux-amd64:
|
||||
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS) -X main.newtPlatform=linux_amd64" -o bin/newt_linux_amd64
|
||||
|
||||
go-build-release-linux-riscv64:
|
||||
CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -ldflags "$(LDFLAGS) -X main.newtPlatform=linux_riscv64" -o bin/newt_linux_riscv64
|
||||
|
||||
go-build-release-darwin-arm64:
|
||||
CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags "$(LDFLAGS) -X main.newtPlatform=darwin_arm64" -o bin/newt_darwin_arm64
|
||||
|
||||
go-build-release-darwin-amd64:
|
||||
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "$(LDFLAGS) -X main.newtPlatform=darwin_amd64" -o bin/newt_darwin_amd64
|
||||
|
||||
go-build-release-windows-amd64:
|
||||
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "$(LDFLAGS) -X main.newtPlatform=windows_amd64" -o bin/newt_windows_amd64.exe
|
||||
|
||||
go-build-release-freebsd-amd64:
|
||||
CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -ldflags "$(LDFLAGS) -X main.newtPlatform=freebsd_amd64" -o bin/newt_freebsd_amd64
|
||||
|
||||
go-build-release-freebsd-arm64:
|
||||
CGO_ENABLED=0 GOOS=freebsd GOARCH=arm64 go build -ldflags "$(LDFLAGS) -X main.newtPlatform=freebsd_arm64" -o bin/newt_freebsd_arm64
|
||||
|
||||
410
README.md
410
README.md
@@ -9,13 +9,7 @@ Newt is a fully user space [WireGuard](https://www.wireguard.com/) tunnel client
|
||||
|
||||
Newt is used with Pangolin and Gerbil as part of the larger system. See documentation below:
|
||||
|
||||
- [Full Documentation](https://docs.pangolin.net)
|
||||
|
||||
## Preview
|
||||
|
||||
<img src="public/screenshots/preview.png" alt="Preview"/>
|
||||
|
||||
_Sample output of a Newt connected to Pangolin and hosting various resource target proxies._
|
||||
- [Full Documentation](https://docs.pangolin.net/manage/sites/understanding-sites)
|
||||
|
||||
## Key Functions
|
||||
|
||||
@@ -31,412 +25,14 @@ When Newt receives WireGuard control messages, it will use the information encod
|
||||
|
||||
When Newt receives WireGuard control messages, it will use the information encoded to create a local low level TCP and UDP proxies attached to the virtual tunnel in order to relay traffic to programmed targets.
|
||||
|
||||
## CLI Args
|
||||
|
||||
### Core Configuration
|
||||
|
||||
- `id`: Newt ID generated by Pangolin to identify the client.
|
||||
- `secret`: A unique secret (not shared and kept private) used to authenticate the client ID with the websocket in order to receive commands.
|
||||
- `endpoint`: The endpoint where both Gerbil and Pangolin reside in order to connect to the websocket.
|
||||
- `blueprint-file` (optional): Path to blueprint file to define Pangolin resources and configurations.
|
||||
- `no-cloud` (optional): Don't fail over to the cloud when using managed nodes in Pangolin Cloud. Default: false
|
||||
- `log-level` (optional): The log level to use (DEBUG, INFO, WARN, ERROR, FATAL). Default: INFO
|
||||
|
||||
### Docker Integration
|
||||
|
||||
- `docker-socket` (optional): Set the Docker socket to use the container discovery integration
|
||||
- `docker-enforce-network-validation` (optional): Validate the container target is on the same network as the newt process. Default: false
|
||||
|
||||
### Client Connections
|
||||
|
||||
- `disable-clients` (optional): Disable clients on the WireGuard interface. Default: false (clients enabled)
|
||||
- `native` (optional): Use native WireGuard interface (requires WireGuard kernel module and Linux, must run as root). Default: false (uses userspace netstack)
|
||||
- `interface` (optional): Name of the WireGuard interface. Default: newt
|
||||
|
||||
### Metrics & Observability
|
||||
|
||||
- `metrics` (optional): Enable Prometheus /metrics exporter. Default: true
|
||||
- `otlp` (optional): Enable OTLP exporters (metrics/traces) to OTEL_EXPORTER_OTLP_ENDPOINT. Default: false
|
||||
- `metrics-admin-addr` (optional): Admin/metrics bind address. Default: 127.0.0.1:2112
|
||||
- `metrics-async-bytes` (optional): Enable async bytes counting (background flush; lower hot path overhead). Default: false
|
||||
- `region` (optional): Optional region resource attribute for telemetry and metrics.
|
||||
|
||||
### Network Configuration
|
||||
|
||||
- `mtu` (optional): MTU for the internal WG interface. Default: 1280
|
||||
- `dns` (optional): DNS server to use to resolve the endpoint. Default: 9.9.9.9
|
||||
- `ping-interval` (optional): Interval for pinging the server. Default: 3s
|
||||
- `ping-timeout` (optional): Timeout for each ping. Default: 5s
|
||||
|
||||
### Security & TLS
|
||||
|
||||
- `enforce-hc-cert` (optional): Enforce certificate validation for health checks. Default: false (accepts any cert)
|
||||
- `tls-client-cert-file` (optional): Path to client certificate file (PEM/DER format) for mTLS. See [mTLS](#mtls)
|
||||
- `tls-client-key` (optional): Path to client private key file (PEM/DER format) for mTLS
|
||||
- `tls-client-ca` (optional): Path to CA certificate file for validating remote certificates (can be specified multiple times)
|
||||
- `tls-client-cert` (optional): Path to client certificate (PKCS12 format) - DEPRECATED: use `--tls-client-cert-file` and `--tls-client-key` instead
|
||||
- `prefer-endpoint` (optional): Prefer this endpoint for the connection (if set, will override the endpoint from the server)
|
||||
|
||||
### Monitoring & Health
|
||||
|
||||
- `health-file` (optional): Check if connection to WG server (pangolin) is ok. creates a file if ok, removes it if not ok. Can be used with docker healtcheck to restart newt
|
||||
- `updown` (optional): A script to be called when targets are added or removed.
|
||||
|
||||
## Environment Variables
|
||||
|
||||
All CLI arguments can be set using environment variables as an alternative to command line flags. Environment variables are particularly useful when running Newt in containerized environments.
|
||||
|
||||
### Core Configuration
|
||||
|
||||
- `PANGOLIN_ENDPOINT`: Endpoint of your pangolin server (equivalent to `--endpoint`)
|
||||
- `NEWT_ID`: Newt ID generated by Pangolin (equivalent to `--id`)
|
||||
- `NEWT_SECRET`: Newt secret for authentication (equivalent to `--secret`)
|
||||
- `CONFIG_FILE`: Load the config json from this file instead of in the home folder.
|
||||
- `BLUEPRINT_FILE`: Path to blueprint file to define Pangolin resources and configurations. (equivalent to `--blueprint-file`)
|
||||
- `NO_CLOUD`: Don't fail over to the cloud when using managed nodes in Pangolin Cloud. Default: false (equivalent to `--no-cloud`)
|
||||
- `LOG_LEVEL`: Log level (DEBUG, INFO, WARN, ERROR, FATAL). Default: INFO (equivalent to `--log-level`)
|
||||
|
||||
### Docker Integration
|
||||
|
||||
- `DOCKER_SOCKET`: Path to Docker socket for container discovery (equivalent to `--docker-socket`)
|
||||
- `DOCKER_ENFORCE_NETWORK_VALIDATION`: Validate container targets are on same network. Default: false (equivalent to `--docker-enforce-network-validation`)
|
||||
|
||||
### Client Connections
|
||||
|
||||
- `DISABLE_CLIENTS`: Disable clients on the WireGuard interface. Default: false (equivalent to `--disable-clients`)
|
||||
- `USE_NATIVE_INTERFACE`: Use native WireGuard interface (Linux only). Default: false (equivalent to `--native`)
|
||||
- `INTERFACE`: Name of the WireGuard interface. Default: newt (equivalent to `--interface`)
|
||||
|
||||
### Monitoring & Health
|
||||
|
||||
- `HEALTH_FILE`: Path to health file for connection monitoring (equivalent to `--health-file`)
|
||||
- `UPDOWN_SCRIPT`: Path to updown script for target add/remove events (equivalent to `--updown`)
|
||||
|
||||
### Metrics & Observability
|
||||
|
||||
- `NEWT_METRICS_PROMETHEUS_ENABLED`: Enable Prometheus /metrics exporter. Default: true (equivalent to `--metrics`)
|
||||
- `NEWT_METRICS_OTLP_ENABLED`: Enable OTLP exporters (metrics/traces) to OTEL_EXPORTER_OTLP_ENDPOINT. Default: false (equivalent to `--otlp`)
|
||||
- `NEWT_ADMIN_ADDR`: Admin/metrics bind address. Default: 127.0.0.1:2112 (equivalent to `--metrics-admin-addr`)
|
||||
- `NEWT_METRICS_ASYNC_BYTES`: Enable async bytes counting (background flush; lower hot path overhead). Default: false (equivalent to `--metrics-async-bytes`)
|
||||
- `NEWT_REGION`: Optional region resource attribute for telemetry and metrics (equivalent to `--region`)
|
||||
|
||||
### Network Configuration
|
||||
|
||||
- `MTU`: MTU for the internal WG interface. Default: 1280 (equivalent to `--mtu`)
|
||||
- `DNS`: DNS server to use to resolve the endpoint. Default: 9.9.9.9 (equivalent to `--dns`)
|
||||
- `PING_INTERVAL`: Interval for pinging the server. Default: 3s (equivalent to `--ping-interval`)
|
||||
- `PING_TIMEOUT`: Timeout for each ping. Default: 5s (equivalent to `--ping-timeout`)
|
||||
|
||||
### Security & TLS
|
||||
|
||||
- `ENFORCE_HC_CERT`: Enforce certificate validation for health checks. Default: false (equivalent to `--enforce-hc-cert`)
|
||||
- `TLS_CLIENT_CERT`: Path to client certificate file (PEM/DER format) for mTLS (equivalent to `--tls-client-cert-file`)
|
||||
- `TLS_CLIENT_KEY`: Path to client private key file (PEM/DER format) for mTLS (equivalent to `--tls-client-key`)
|
||||
- `TLS_CLIENT_CAS`: Comma-separated list of CA certificate file paths for validating remote certificates (equivalent to multiple `--tls-client-ca` flags)
|
||||
- `TLS_CLIENT_CERT_PKCS12`: Path to client certificate (PKCS12 format) - DEPRECATED: use `TLS_CLIENT_CERT` and `TLS_CLIENT_KEY` instead
|
||||
|
||||
## Loading secrets from files
|
||||
|
||||
You can use `CONFIG_FILE` to define a location of a config file to store the credentials between runs.
|
||||
|
||||
```
|
||||
$ cat ~/.config/newt-client/config.json
|
||||
{
|
||||
"id": "spmzu8rbpzj1qq6",
|
||||
"secret": "f6v61mjutwme2kkydbw3fjo227zl60a2tsf5psw9r25hgae3",
|
||||
"endpoint": "https://app.pangolin.net",
|
||||
"tlsClientCert": ""
|
||||
}
|
||||
```
|
||||
|
||||
This file is also written to when newt first starts up. So you do not need to run every time with --id and secret if you have run it once!
|
||||
|
||||
Default locations:
|
||||
|
||||
- **macOS**: `~/Library/Application Support/newt-client/config.json`
|
||||
- **Windows**: `%PROGRAMDATA%\newt\newt-client\config.json`
|
||||
- **Linux/Others**: `~/.config/newt-client/config.json`
|
||||
|
||||
## Examples
|
||||
|
||||
**Note**: When both environment variables and CLI arguments are provided, CLI arguments take precedence.
|
||||
|
||||
- Example:
|
||||
|
||||
```bash
|
||||
newt \
|
||||
--id 31frd0uzbjvp721 \
|
||||
--secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
|
||||
--endpoint https://example.com
|
||||
```
|
||||
|
||||
You can also run it with Docker compose. For example, a service in your `docker-compose.yml` might look like this using environment vars (recommended):
|
||||
|
||||
```yaml
|
||||
services:
|
||||
newt:
|
||||
image: fosrl/newt
|
||||
container_name: newt
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- PANGOLIN_ENDPOINT=https://example.com
|
||||
- NEWT_ID=2ix2t8xk22ubpfy
|
||||
- NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2
|
||||
- HEALTH_FILE=/tmp/healthy
|
||||
```
|
||||
|
||||
You can also pass the CLI args to the container:
|
||||
|
||||
```yaml
|
||||
services:
|
||||
newt:
|
||||
image: fosrl/newt
|
||||
container_name: newt
|
||||
restart: unless-stopped
|
||||
command:
|
||||
- --id 31frd0uzbjvp721
|
||||
- --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
|
||||
- --endpoint https://example.com
|
||||
- --health-file /tmp/healthy
|
||||
```
|
||||
|
||||
## Client Connections
|
||||
|
||||
By default, Newt can accept incoming client connections from other devices, enabling peer-to-peer connectivity through the Newt instance. This behavior can be disabled with the `--disable-clients` flag (or `DISABLE_CLIENTS=true` environment variable).
|
||||
|
||||
### How It Works
|
||||
|
||||
In client acceptance mode, Newt:
|
||||
|
||||
- **Creates a WireGuard service** that can accept incoming connections from other WireGuard clients
|
||||
- **Starts a connection testing server** (WGTester) that responds to connectivity checks from remote clients
|
||||
- **Manages peer configurations** dynamically based on Pangolin's instructions
|
||||
- **Enables bidirectional communication** between the Newt instance and connected clients
|
||||
|
||||
### Use Cases
|
||||
|
||||
- **Site-to-site connectivity**: Connect multiple locations through a central Newt instance
|
||||
- **Client access to private networks**: Allow remote clients to access resources behind the Newt instance
|
||||
- **Development environments**: Provide developers secure access to internal services
|
||||
|
||||
### Client Tunneling Modes
|
||||
|
||||
Newt supports two WireGuard tunneling modes:
|
||||
|
||||
#### Userspace Mode (Default)
|
||||
|
||||
By default, Newt uses a fully userspace WireGuard implementation using [netstack](https://github.com/WireGuard/wireguard-go/blob/master/tun/netstack/examples/http_server.go). This mode:
|
||||
|
||||
- **Does not require root privileges**
|
||||
- **Works on all supported platforms** (Linux, Windows, macOS)
|
||||
- **Does not require WireGuard kernel module** to be installed
|
||||
- **Runs entirely in userspace** - no system network interface is created
|
||||
- **Is containerization-friendly** - works seamlessly in Docker containers
|
||||
|
||||
This is the recommended mode for most deployments, especially containerized environments.
|
||||
|
||||
In this mode, TCP and UDP is proxied out of newt from the remote client using TCP/UDP resources in Pangolin.
|
||||
|
||||
#### Native Mode (Linux only)
|
||||
|
||||
When using the `--native` flag or setting `USE_NATIVE_INTERFACE=true`, Newt uses the native WireGuard kernel module. This mode:
|
||||
|
||||
- **Requires root privileges** to create and manage network interfaces
|
||||
- **Only works on Linux** with the WireGuard kernel module installed
|
||||
- **Creates a real network interface** (e.g., `newt0`) on the system
|
||||
- **May offer better performance** for high-throughput scenarios
|
||||
- **Requires proper network permissions** and may conflict with existing network configurations
|
||||
|
||||
In this mode it functions like a traditional VPN interface - all data arrives on the interface and you must get it to the destination (or access things locally).
|
||||
|
||||
#### Native Mode Requirements
|
||||
|
||||
To use native mode:
|
||||
|
||||
1. Run on a Linux system
|
||||
2. Install the WireGuard kernel module
|
||||
3. Run Newt as root (`sudo`)
|
||||
4. Ensure the system allows creation of network interfaces
|
||||
|
||||
Docker Compose example (with clients enabled by default):
|
||||
|
||||
```yaml
|
||||
services:
|
||||
newt:
|
||||
image: fosrl/newt
|
||||
container_name: newt
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- PANGOLIN_ENDPOINT=https://example.com
|
||||
- NEWT_ID=2ix2t8xk22ubpfy
|
||||
- NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2
|
||||
```
|
||||
|
||||
### Technical Details
|
||||
|
||||
When client acceptance is enabled:
|
||||
|
||||
- **WGTester Server**: Runs on `port + 1` (e.g., if WireGuard uses port 51820, WGTester uses 51821)
|
||||
- **Connection Testing**: Responds to UDP packets with magic header `0xDEADBEEF` for connectivity verification
|
||||
- **Dynamic Configuration**: Peer configurations are managed remotely through Pangolin
|
||||
- **Proxy Integration**: Can work with both userspace (netstack) and native WireGuard modes
|
||||
|
||||
**Note**: Client acceptance mode requires coordination with Pangolin for peer management and configuration distribution.
|
||||
|
||||
### Docker Socket Integration
|
||||
|
||||
Newt can integrate with the Docker socket to provide remote inspection of Docker containers. This allows Pangolin to query and retrieve detailed information about containers running on the Newt client, including metadata, network configuration, port mappings, and more.
|
||||
|
||||
**Configuration:**
|
||||
|
||||
You can specify the Docker socket path using the `--docker-socket` CLI argument or by setting the `DOCKER_SOCKET` environment variable. If the Docker socket is not available or accessible, Newt will gracefully disable Docker integration and continue normal operation.
|
||||
|
||||
Supported values include:
|
||||
|
||||
- Local UNIX socket (default):
|
||||
>You must mount the socket file into the container using a volume, so Newt can access it.
|
||||
|
||||
`unix:///var/run/docker.sock`
|
||||
|
||||
- TCP socket (e.g., via Docker Socket Proxy):
|
||||
|
||||
`tcp://localhost:2375`
|
||||
|
||||
- HTTP/HTTPS endpoints (e.g., remote Docker APIs):
|
||||
|
||||
`http://your-host:2375`
|
||||
|
||||
- SSH connections (experimental, requires SSH setup):
|
||||
|
||||
`ssh://user@host`
|
||||
|
||||
|
||||
```yaml
|
||||
services:
|
||||
newt:
|
||||
image: fosrl/newt
|
||||
container_name: newt
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- PANGOLIN_ENDPOINT=https://example.com
|
||||
- NEWT_ID=2ix2t8xk22ubpfy
|
||||
- NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2
|
||||
- DOCKER_SOCKET=unix:///var/run/docker.sock
|
||||
```
|
||||
>If you previously used just a path like `/var/run/docker.sock`, it still works — Newt assumes it is a UNIX socket by default.
|
||||
|
||||
#### Hostnames vs IPs
|
||||
|
||||
When the Docker Socket Integration is used, depending on the network which Newt is run with, either the hostname (generally considered the container name) or the IP address of the container will be sent to Pangolin. Here are some of the scenarios where IPs or hostname of the container will be utilised:
|
||||
|
||||
- **Running in Network Mode 'host'**: IP addresses will be used
|
||||
- **Running in Network Mode 'bridge'**: IP addresses will be used
|
||||
- **Running in docker-compose without a network specification**: Docker compose creates a network for the compose by default, hostnames will be used
|
||||
- **Running on docker-compose with defined network**: Hostnames will be used
|
||||
|
||||
### Docker Enforce Network Validation
|
||||
|
||||
When run as a Docker container, Newt can validate that the target being provided is on the same network as the Newt container and only return containers directly accessible by Newt. Validation will be carried out against either the hostname/IP Address and the Port number to ensure the running container is exposing the ports to Newt.
|
||||
|
||||
It is important to note that if the Newt container is run with a network mode of `host` that this feature will not work. Running in `host` mode causes the container to share its resources with the host machine, therefore making it so the specific host container information for Newt cannot be retrieved to be able to carry out network validation.
|
||||
|
||||
**Configuration:**
|
||||
|
||||
Validation is `false` by default. It can be enabled via setting the `--docker-enforce-network-validation` CLI argument or by setting the `DOCKER_ENFORCE_NETWORK_VALIDATION` environment variable.
|
||||
|
||||
If validation is enforced and the Docker socket is available, Newt will **not** add the target as it cannot be verified. A warning will be presented in the Newt logs.
|
||||
|
||||
### Updown
|
||||
|
||||
You can pass in a updown script for Newt to call when it is adding or removing a target:
|
||||
|
||||
`--updown "python3 test.py"`
|
||||
|
||||
It will get called with args when a target is added:
|
||||
`python3 test.py add tcp localhost:8556`
|
||||
`python3 test.py remove tcp localhost:8556`
|
||||
|
||||
Returning a string from the script in the format of a target (`ip:dst` so `10.0.0.1:8080`) it will override the target and use this value instead to proxy.
|
||||
|
||||
You can look at updown.py as a reference script to get started!
|
||||
|
||||
### mTLS
|
||||
|
||||
Newt supports mutual TLS (mTLS) authentication if the server is configured to request a client certificate. You can use either a PKCS12 (.p12/.pfx) file or split PEM files for the client cert, private key, and CA.
|
||||
|
||||
#### Option 1: PKCS12 (Legacy)
|
||||
|
||||
> This is the original method and still supported.
|
||||
|
||||
* File must contain:
|
||||
|
||||
* Client private key
|
||||
* Public certificate
|
||||
* CA certificate
|
||||
* Encrypted `.p12` files are **not supported**
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
newt \
|
||||
--id 31frd0uzbjvp721 \
|
||||
--secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
|
||||
--endpoint https://example.com \
|
||||
--tls-client-cert ./client.p12
|
||||
```
|
||||
|
||||
#### Option 2: Split PEM Files (Preferred)
|
||||
|
||||
You can now provide separate files for:
|
||||
|
||||
* `--tls-client-cert-file`: client certificate (`.crt` or `.pem`)
|
||||
* `--tls-client-key`: client private key (`.key` or `.pem`)
|
||||
* `--tls-client-ca`: CA cert to verify the server (can be specified multiple times)
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
newt \
|
||||
--id 31frd0uzbjvp721 \
|
||||
--secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
|
||||
--endpoint https://example.com \
|
||||
--tls-client-cert-file ./client.crt \
|
||||
--tls-client-key ./client.key \
|
||||
--tls-client-ca ./ca.crt
|
||||
```
|
||||
|
||||
|
||||
```yaml
|
||||
services:
|
||||
newt:
|
||||
image: fosrl/newt
|
||||
container_name: newt
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- PANGOLIN_ENDPOINT=https://example.com
|
||||
- NEWT_ID=2ix2t8xk22ubpfy
|
||||
- NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2
|
||||
- TLS_CLIENT_CERT=./client.p12
|
||||
```
|
||||
|
||||
## Build
|
||||
|
||||
### Container
|
||||
|
||||
Ensure Docker is installed.
|
||||
|
||||
```bash
|
||||
make
|
||||
```
|
||||
|
||||
### Binary
|
||||
|
||||
Make sure to have Go 1.23.1 installed.
|
||||
Make sure to have Go 1.25 installed.
|
||||
|
||||
```bash
|
||||
make local
|
||||
make
|
||||
```
|
||||
|
||||
### Nix Flake
|
||||
|
||||
150
authdaemon.go
Normal file
150
authdaemon.go
Normal file
@@ -0,0 +1,150 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"runtime"
|
||||
|
||||
"github.com/fosrl/newt/authdaemon"
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
const (
|
||||
defaultPrincipalsPath = "/var/run/auth-daemon/principals"
|
||||
defaultCACertPath = "/etc/ssh/ca.pem"
|
||||
)
|
||||
|
||||
var (
|
||||
errPresharedKeyRequired = errors.New("auth-daemon-key is required when --auth-daemon is enabled")
|
||||
errRootRequired = errors.New("auth-daemon must be run as root (use sudo)")
|
||||
authDaemonServer *authdaemon.Server // Global auth daemon server instance
|
||||
)
|
||||
|
||||
// startAuthDaemon initializes and starts the auth daemon in the background.
|
||||
// It validates requirements (Linux, root, preshared key) and starts the server
|
||||
// in a goroutine so it runs alongside normal newt operation.
|
||||
func startAuthDaemon(ctx context.Context) error {
|
||||
// Validation
|
||||
if runtime.GOOS != "linux" {
|
||||
return fmt.Errorf("auth-daemon is only supported on Linux, not %s", runtime.GOOS)
|
||||
}
|
||||
if os.Geteuid() != 0 {
|
||||
return errRootRequired
|
||||
}
|
||||
|
||||
// Use defaults if not set
|
||||
principalsFile := authDaemonPrincipalsFile
|
||||
if principalsFile == "" {
|
||||
principalsFile = defaultPrincipalsPath
|
||||
}
|
||||
caCertPath := authDaemonCACertPath
|
||||
if caCertPath == "" {
|
||||
caCertPath = defaultCACertPath
|
||||
}
|
||||
|
||||
// Create auth daemon server
|
||||
cfg := authdaemon.Config{
|
||||
DisableHTTPS: true, // We run without HTTP server in newt
|
||||
PresharedKey: "this-key-is-not-used", // Not used in embedded mode, but set to non-empty to satisfy validation
|
||||
PrincipalsFilePath: principalsFile,
|
||||
CACertPath: caCertPath,
|
||||
Force: true,
|
||||
GenerateRandomPassword: authDaemonGenerateRandomPassword,
|
||||
}
|
||||
|
||||
srv, err := authdaemon.NewServer(cfg)
|
||||
if err != nil {
|
||||
return fmt.Errorf("create auth daemon server: %w", err)
|
||||
}
|
||||
|
||||
authDaemonServer = srv
|
||||
|
||||
// Start the auth daemon in a goroutine so it runs alongside newt
|
||||
go func() {
|
||||
logger.Debug("Auth daemon starting (native mode, no HTTP server)")
|
||||
if err := srv.Run(ctx); err != nil {
|
||||
logger.Error("Auth daemon error: %v", err)
|
||||
}
|
||||
logger.Info("Auth daemon stopped")
|
||||
}()
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// runPrincipalsCmd executes the principals subcommand logic
|
||||
func runPrincipalsCmd(args []string) {
|
||||
opts := struct {
|
||||
PrincipalsFile string
|
||||
Username string
|
||||
}{
|
||||
PrincipalsFile: defaultPrincipalsPath,
|
||||
}
|
||||
|
||||
// Parse flags manually
|
||||
for i := 0; i < len(args); i++ {
|
||||
switch args[i] {
|
||||
case "--principals-file":
|
||||
if i+1 >= len(args) {
|
||||
fmt.Fprintf(os.Stderr, "Error: --principals-file requires a value\n")
|
||||
os.Exit(1)
|
||||
}
|
||||
opts.PrincipalsFile = args[i+1]
|
||||
i++
|
||||
case "--username":
|
||||
if i+1 >= len(args) {
|
||||
fmt.Fprintf(os.Stderr, "Error: --username requires a value\n")
|
||||
os.Exit(1)
|
||||
}
|
||||
opts.Username = args[i+1]
|
||||
i++
|
||||
case "--help", "-h":
|
||||
printPrincipalsHelp()
|
||||
os.Exit(0)
|
||||
default:
|
||||
fmt.Fprintf(os.Stderr, "Error: unknown flag: %s\n", args[i])
|
||||
printPrincipalsHelp()
|
||||
os.Exit(1)
|
||||
}
|
||||
}
|
||||
|
||||
// Validation
|
||||
if opts.Username == "" {
|
||||
fmt.Fprintf(os.Stderr, "Error: username is required\n")
|
||||
printPrincipalsHelp()
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
// Get principals
|
||||
list, err := authdaemon.GetPrincipals(opts.PrincipalsFile, opts.Username)
|
||||
if err != nil {
|
||||
fmt.Fprintf(os.Stderr, "Error: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
if len(list) == 0 {
|
||||
fmt.Println("")
|
||||
return
|
||||
}
|
||||
for _, principal := range list {
|
||||
fmt.Println(principal)
|
||||
}
|
||||
}
|
||||
|
||||
func printPrincipalsHelp() {
|
||||
fmt.Fprintf(os.Stderr, `Usage: newt principals [flags]
|
||||
|
||||
Output principals for a username (for AuthorizedPrincipalsCommand in sshd_config).
|
||||
Read the principals file and print principals that match the given username, one per line.
|
||||
Configure in sshd_config with AuthorizedPrincipalsCommand and %%u for the username.
|
||||
|
||||
Flags:
|
||||
--principals-file string Path to the principals file (default "%s")
|
||||
--username string Username to look up (required)
|
||||
--help, -h Show this help message
|
||||
|
||||
Example:
|
||||
newt principals --username alice
|
||||
|
||||
`, defaultPrincipalsPath)
|
||||
}
|
||||
27
authdaemon/connection.go
Normal file
27
authdaemon/connection.go
Normal file
@@ -0,0 +1,27 @@
|
||||
package authdaemon
|
||||
|
||||
import (
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
// ProcessConnection runs the same logic as POST /connection: CA cert, user create/reconcile, principals.
|
||||
// Use this when DisableHTTPS is true (e.g. embedded in Newt) instead of calling the API.
|
||||
func (s *Server) ProcessConnection(req ConnectionRequest) {
|
||||
logger.Info("connection: niceId=%q username=%q metadata.sudoMode=%q metadata.sudoCommands=%v metadata.homedir=%v metadata.groups=%v",
|
||||
req.NiceId, req.Username, req.Metadata.SudoMode, req.Metadata.SudoCommands, req.Metadata.Homedir, req.Metadata.Groups)
|
||||
|
||||
cfg := &s.cfg
|
||||
if cfg.CACertPath != "" {
|
||||
if err := writeCACertIfNotExists(cfg.CACertPath, req.CaCert, cfg.Force); err != nil {
|
||||
logger.Warn("auth-daemon: write CA cert: %v", err)
|
||||
}
|
||||
}
|
||||
if err := ensureUser(req.Username, req.Metadata, s.cfg.GenerateRandomPassword); err != nil {
|
||||
logger.Warn("auth-daemon: ensure user: %v", err)
|
||||
}
|
||||
if cfg.PrincipalsFilePath != "" && req.NiceId != "" {
|
||||
if err := writePrincipals(cfg.PrincipalsFilePath, req.Username, req.NiceId); err != nil {
|
||||
logger.Warn("auth-daemon: write principals: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
396
authdaemon/host_linux.go
Normal file
396
authdaemon/host_linux.go
Normal file
@@ -0,0 +1,396 @@
|
||||
//go:build linux
|
||||
|
||||
package authdaemon
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"crypto/rand"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
// writeCACertIfNotExists writes contents to path. If the file already exists: when force is false, skip; when force is true, overwrite only if content differs.
|
||||
func writeCACertIfNotExists(path, contents string, force bool) error {
|
||||
contents = strings.TrimSpace(contents)
|
||||
if contents != "" && !strings.HasSuffix(contents, "\n") {
|
||||
contents += "\n"
|
||||
}
|
||||
existing, err := os.ReadFile(path)
|
||||
if err == nil {
|
||||
existingStr := strings.TrimSpace(string(existing))
|
||||
if existingStr != "" && !strings.HasSuffix(existingStr, "\n") {
|
||||
existingStr += "\n"
|
||||
}
|
||||
if existingStr == contents {
|
||||
logger.Debug("auth-daemon: CA cert unchanged at %s, skipping write", path)
|
||||
return nil
|
||||
}
|
||||
if !force {
|
||||
logger.Debug("auth-daemon: CA cert already exists at %s, skipping write (Force disabled)", path)
|
||||
return nil
|
||||
}
|
||||
} else if !os.IsNotExist(err) {
|
||||
return fmt.Errorf("read %s: %w", path, err)
|
||||
}
|
||||
dir := filepath.Dir(path)
|
||||
if err := os.MkdirAll(dir, 0755); err != nil {
|
||||
return fmt.Errorf("mkdir %s: %w", dir, err)
|
||||
}
|
||||
if err := os.WriteFile(path, []byte(contents), 0644); err != nil {
|
||||
return fmt.Errorf("write CA cert: %w", err)
|
||||
}
|
||||
logger.Info("auth-daemon: wrote CA cert to %s", path)
|
||||
return nil
|
||||
}
|
||||
|
||||
// writePrincipals updates the principals file at path: JSON object keyed by username, value is array of principals. Adds username and niceId to that user's list (deduped).
|
||||
func writePrincipals(path, username, niceId string) error {
|
||||
if path == "" {
|
||||
return nil
|
||||
}
|
||||
username = strings.TrimSpace(username)
|
||||
niceId = strings.TrimSpace(niceId)
|
||||
if username == "" {
|
||||
return nil
|
||||
}
|
||||
data := make(map[string][]string)
|
||||
if raw, err := os.ReadFile(path); err == nil {
|
||||
_ = json.Unmarshal(raw, &data)
|
||||
}
|
||||
list := data[username]
|
||||
seen := make(map[string]struct{}, len(list)+2)
|
||||
for _, p := range list {
|
||||
seen[p] = struct{}{}
|
||||
}
|
||||
for _, p := range []string{username, niceId} {
|
||||
if p == "" {
|
||||
continue
|
||||
}
|
||||
if _, ok := seen[p]; !ok {
|
||||
seen[p] = struct{}{}
|
||||
list = append(list, p)
|
||||
}
|
||||
}
|
||||
data[username] = list
|
||||
body, err := json.Marshal(data)
|
||||
if err != nil {
|
||||
return fmt.Errorf("marshal principals: %w", err)
|
||||
}
|
||||
dir := filepath.Dir(path)
|
||||
if err := os.MkdirAll(dir, 0755); err != nil {
|
||||
return fmt.Errorf("mkdir %s: %w", dir, err)
|
||||
}
|
||||
if err := os.WriteFile(path, body, 0644); err != nil {
|
||||
return fmt.Errorf("write principals: %w", err)
|
||||
}
|
||||
logger.Debug("auth-daemon: wrote principals to %s", path)
|
||||
return nil
|
||||
}
|
||||
|
||||
// sudoGroup returns the name of the sudo group (wheel or sudo) that exists on the system. Prefers wheel.
|
||||
func sudoGroup() string {
|
||||
f, err := os.Open("/etc/group")
|
||||
if err != nil {
|
||||
return "sudo"
|
||||
}
|
||||
defer f.Close()
|
||||
sc := bufio.NewScanner(f)
|
||||
hasWheel := false
|
||||
hasSudo := false
|
||||
for sc.Scan() {
|
||||
line := sc.Text()
|
||||
if strings.HasPrefix(line, "wheel:") {
|
||||
hasWheel = true
|
||||
}
|
||||
if strings.HasPrefix(line, "sudo:") {
|
||||
hasSudo = true
|
||||
}
|
||||
}
|
||||
if hasWheel {
|
||||
return "wheel"
|
||||
}
|
||||
if hasSudo {
|
||||
return "sudo"
|
||||
}
|
||||
return "sudo"
|
||||
}
|
||||
|
||||
// setRandomPassword generates a random password and sets it for username via chpasswd.
|
||||
// Used when GenerateRandomPassword is true so SSH with PermitEmptyPasswords no can accept the user.
|
||||
func setRandomPassword(username string) error {
|
||||
b := make([]byte, 16)
|
||||
if _, err := rand.Read(b); err != nil {
|
||||
return fmt.Errorf("generate password: %w", err)
|
||||
}
|
||||
password := hex.EncodeToString(b)
|
||||
cmd := exec.Command("chpasswd")
|
||||
cmd.Stdin = strings.NewReader(username + ":" + password)
|
||||
if out, err := cmd.CombinedOutput(); err != nil {
|
||||
return fmt.Errorf("chpasswd: %w (output: %s)", err, string(out))
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
const skelDir = "/etc/skel"
|
||||
|
||||
// copySkelInto copies files from srcDir (e.g. /etc/skel) into dstDir (e.g. user's home).
|
||||
// Only creates files that don't already exist. All created paths are chowned to uid:gid.
|
||||
func copySkelInto(srcDir, dstDir string, uid, gid int) {
|
||||
entries, err := os.ReadDir(srcDir)
|
||||
if err != nil {
|
||||
if !os.IsNotExist(err) {
|
||||
logger.Warn("auth-daemon: read %s: %v", srcDir, err)
|
||||
}
|
||||
return
|
||||
}
|
||||
for _, e := range entries {
|
||||
name := e.Name()
|
||||
src := filepath.Join(srcDir, name)
|
||||
dst := filepath.Join(dstDir, name)
|
||||
if e.IsDir() {
|
||||
if st, err := os.Stat(dst); err == nil && st.IsDir() {
|
||||
copySkelInto(src, dst, uid, gid)
|
||||
continue
|
||||
}
|
||||
if err := os.MkdirAll(dst, 0755); err != nil {
|
||||
logger.Warn("auth-daemon: mkdir %s: %v", dst, err)
|
||||
continue
|
||||
}
|
||||
if err := os.Chown(dst, uid, gid); err != nil {
|
||||
logger.Warn("auth-daemon: chown %s: %v", dst, err)
|
||||
}
|
||||
copySkelInto(src, dst, uid, gid)
|
||||
continue
|
||||
}
|
||||
if _, err := os.Stat(dst); err == nil {
|
||||
continue
|
||||
}
|
||||
data, err := os.ReadFile(src)
|
||||
if err != nil {
|
||||
logger.Warn("auth-daemon: read %s: %v", src, err)
|
||||
continue
|
||||
}
|
||||
if err := os.WriteFile(dst, data, 0644); err != nil {
|
||||
logger.Warn("auth-daemon: write %s: %v", dst, err)
|
||||
continue
|
||||
}
|
||||
if err := os.Chown(dst, uid, gid); err != nil {
|
||||
logger.Warn("auth-daemon: chown %s: %v", dst, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// ensureUser creates the system user if missing, or reconciles sudo and homedir to match meta.
|
||||
func ensureUser(username string, meta ConnectionMetadata, generateRandomPassword bool) error {
|
||||
if username == "" {
|
||||
return nil
|
||||
}
|
||||
u, err := user.Lookup(username)
|
||||
if err != nil {
|
||||
if _, ok := err.(user.UnknownUserError); !ok {
|
||||
return fmt.Errorf("lookup user %s: %w", username, err)
|
||||
}
|
||||
return createUser(username, meta, generateRandomPassword)
|
||||
}
|
||||
return reconcileUser(u, meta)
|
||||
}
|
||||
|
||||
// desiredGroups returns the exact list of supplementary groups the user should have:
|
||||
// meta.Groups plus the sudo group when meta.SudoMode is "full" (deduped).
|
||||
func desiredGroups(meta ConnectionMetadata) []string {
|
||||
seen := make(map[string]struct{})
|
||||
var out []string
|
||||
for _, g := range meta.Groups {
|
||||
g = strings.TrimSpace(g)
|
||||
if g == "" {
|
||||
continue
|
||||
}
|
||||
if _, ok := seen[g]; ok {
|
||||
continue
|
||||
}
|
||||
seen[g] = struct{}{}
|
||||
out = append(out, g)
|
||||
}
|
||||
if meta.SudoMode == "full" {
|
||||
sg := sudoGroup()
|
||||
if _, ok := seen[sg]; !ok {
|
||||
out = append(out, sg)
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// setUserGroups sets the user's supplementary groups to exactly groups (local mirrors metadata).
|
||||
// When groups is empty, clears all supplementary groups (usermod -G "").
|
||||
func setUserGroups(username string, groups []string) {
|
||||
list := strings.Join(groups, ",")
|
||||
cmd := exec.Command("usermod", "-G", list, username)
|
||||
if out, err := cmd.CombinedOutput(); err != nil {
|
||||
logger.Warn("auth-daemon: usermod -G %s: %v (output: %s)", list, err, string(out))
|
||||
} else {
|
||||
logger.Info("auth-daemon: set %s supplementary groups to %s", username, list)
|
||||
}
|
||||
}
|
||||
|
||||
func createUser(username string, meta ConnectionMetadata, generateRandomPassword bool) error {
|
||||
args := []string{"-s", "/bin/bash"}
|
||||
if meta.Homedir {
|
||||
args = append(args, "-m")
|
||||
} else {
|
||||
args = append(args, "-M")
|
||||
}
|
||||
args = append(args, username)
|
||||
cmd := exec.Command("useradd", args...)
|
||||
if out, err := cmd.CombinedOutput(); err != nil {
|
||||
return fmt.Errorf("useradd %s: %w (output: %s)", username, err, string(out))
|
||||
}
|
||||
logger.Info("auth-daemon: created user %s (homedir=%v)", username, meta.Homedir)
|
||||
if generateRandomPassword {
|
||||
if err := setRandomPassword(username); err != nil {
|
||||
logger.Warn("auth-daemon: set random password for %s: %v", username, err)
|
||||
} else {
|
||||
logger.Info("auth-daemon: set random password for %s (PermitEmptyPasswords no)", username)
|
||||
}
|
||||
}
|
||||
if meta.Homedir {
|
||||
if u, err := user.Lookup(username); err == nil && u.HomeDir != "" {
|
||||
uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
|
||||
copySkelInto(skelDir, u.HomeDir, uid, gid)
|
||||
}
|
||||
}
|
||||
setUserGroups(username, desiredGroups(meta))
|
||||
switch meta.SudoMode {
|
||||
case "full":
|
||||
if err := configurePasswordlessSudo(username); err != nil {
|
||||
logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", username, err)
|
||||
}
|
||||
case "commands":
|
||||
if len(meta.SudoCommands) > 0 {
|
||||
if err := configureSudoCommands(username, meta.SudoCommands); err != nil {
|
||||
logger.Warn("auth-daemon: configure sudo commands for %s: %v", username, err)
|
||||
}
|
||||
}
|
||||
default:
|
||||
removeSudoers(username)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
const sudoersFilePrefix = "90-pangolin-"
|
||||
|
||||
func sudoersPath(username string) string {
|
||||
return filepath.Join("/etc/sudoers.d", sudoersFilePrefix+username)
|
||||
}
|
||||
|
||||
// writeSudoersFile writes content to the user's sudoers.d file and validates with visudo.
|
||||
func writeSudoersFile(username, content string) error {
|
||||
sudoersFile := sudoersPath(username)
|
||||
tmpFile := sudoersFile + ".tmp"
|
||||
if err := os.WriteFile(tmpFile, []byte(content), 0440); err != nil {
|
||||
return fmt.Errorf("write temp sudoers file: %w", err)
|
||||
}
|
||||
cmd := exec.Command("visudo", "-c", "-f", tmpFile)
|
||||
if out, err := cmd.CombinedOutput(); err != nil {
|
||||
os.Remove(tmpFile)
|
||||
return fmt.Errorf("visudo validation failed: %w (output: %s)", err, string(out))
|
||||
}
|
||||
if err := os.Rename(tmpFile, sudoersFile); err != nil {
|
||||
os.Remove(tmpFile)
|
||||
return fmt.Errorf("move sudoers file: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// configurePasswordlessSudo creates a sudoers.d file to allow passwordless sudo for the user.
|
||||
func configurePasswordlessSudo(username string) error {
|
||||
content := fmt.Sprintf("# Created by Pangolin auth-daemon\n%s ALL=(ALL) NOPASSWD:ALL\n", username)
|
||||
if err := writeSudoersFile(username, content); err != nil {
|
||||
return err
|
||||
}
|
||||
logger.Info("auth-daemon: configured passwordless sudo for %s", username)
|
||||
return nil
|
||||
}
|
||||
|
||||
// configureSudoCommands creates a sudoers.d file allowing only the listed commands (NOPASSWD).
|
||||
// Each command should be a full path (e.g. /usr/bin/systemctl).
|
||||
func configureSudoCommands(username string, commands []string) error {
|
||||
var b strings.Builder
|
||||
b.WriteString("# Created by Pangolin auth-daemon (restricted commands)\n")
|
||||
n := 0
|
||||
for _, c := range commands {
|
||||
c = strings.TrimSpace(c)
|
||||
if c == "" {
|
||||
continue
|
||||
}
|
||||
fmt.Fprintf(&b, "%s ALL=(ALL) NOPASSWD: %s\n", username, c)
|
||||
n++
|
||||
}
|
||||
if n == 0 {
|
||||
return fmt.Errorf("no valid sudo commands")
|
||||
}
|
||||
if err := writeSudoersFile(username, b.String()); err != nil {
|
||||
return err
|
||||
}
|
||||
logger.Info("auth-daemon: configured restricted sudo for %s (%d commands)", username, len(commands))
|
||||
return nil
|
||||
}
|
||||
|
||||
// removeSudoers removes the sudoers.d file for the user.
|
||||
func removeSudoers(username string) {
|
||||
sudoersFile := sudoersPath(username)
|
||||
if err := os.Remove(sudoersFile); err != nil && !os.IsNotExist(err) {
|
||||
logger.Warn("auth-daemon: remove sudoers for %s: %v", username, err)
|
||||
} else if err == nil {
|
||||
logger.Info("auth-daemon: removed sudoers for %s", username)
|
||||
}
|
||||
}
|
||||
|
||||
func mustAtoi(s string) int {
|
||||
n, _ := strconv.Atoi(s)
|
||||
return n
|
||||
}
|
||||
|
||||
func reconcileUser(u *user.User, meta ConnectionMetadata) error {
|
||||
setUserGroups(u.Username, desiredGroups(meta))
|
||||
switch meta.SudoMode {
|
||||
case "full":
|
||||
if err := configurePasswordlessSudo(u.Username); err != nil {
|
||||
logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", u.Username, err)
|
||||
}
|
||||
case "commands":
|
||||
if len(meta.SudoCommands) > 0 {
|
||||
if err := configureSudoCommands(u.Username, meta.SudoCommands); err != nil {
|
||||
logger.Warn("auth-daemon: configure sudo commands for %s: %v", u.Username, err)
|
||||
}
|
||||
} else {
|
||||
removeSudoers(u.Username)
|
||||
}
|
||||
default:
|
||||
removeSudoers(u.Username)
|
||||
}
|
||||
if meta.Homedir && u.HomeDir != "" {
|
||||
uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
|
||||
if st, err := os.Stat(u.HomeDir); err != nil || !st.IsDir() {
|
||||
if err := os.MkdirAll(u.HomeDir, 0755); err != nil {
|
||||
logger.Warn("auth-daemon: mkdir %s: %v", u.HomeDir, err)
|
||||
} else {
|
||||
_ = os.Chown(u.HomeDir, uid, gid)
|
||||
copySkelInto(skelDir, u.HomeDir, uid, gid)
|
||||
logger.Info("auth-daemon: created home %s for %s", u.HomeDir, u.Username)
|
||||
}
|
||||
} else {
|
||||
// Ensure .bashrc etc. exist (e.g. home existed but was empty or skel was minimal)
|
||||
copySkelInto(skelDir, u.HomeDir, uid, gid)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
22
authdaemon/host_stub.go
Normal file
22
authdaemon/host_stub.go
Normal file
@@ -0,0 +1,22 @@
|
||||
//go:build !linux
|
||||
|
||||
package authdaemon
|
||||
|
||||
import "fmt"
|
||||
|
||||
var errLinuxOnly = fmt.Errorf("auth-daemon PAM agent is only supported on Linux")
|
||||
|
||||
// writeCACertIfNotExists returns an error on non-Linux.
|
||||
func writeCACertIfNotExists(path, contents string, force bool) error {
|
||||
return errLinuxOnly
|
||||
}
|
||||
|
||||
// ensureUser returns an error on non-Linux.
|
||||
func ensureUser(username string, meta ConnectionMetadata, generateRandomPassword bool) error {
|
||||
return errLinuxOnly
|
||||
}
|
||||
|
||||
// writePrincipals returns an error on non-Linux.
|
||||
func writePrincipals(path, username, niceId string) error {
|
||||
return errLinuxOnly
|
||||
}
|
||||
28
authdaemon/principals.go
Normal file
28
authdaemon/principals.go
Normal file
@@ -0,0 +1,28 @@
|
||||
package authdaemon
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"os"
|
||||
)
|
||||
|
||||
// GetPrincipals reads the principals data file at path, looks up the given user, and returns that user's principals as a string slice.
|
||||
// The file format is JSON: object with username keys and array-of-principals values, e.g. {"alice":["alice","usr-123"],"bob":["bob","usr-456"]}.
|
||||
// If the user is not found or the file is missing, returns nil and nil.
|
||||
func GetPrincipals(path, user string) ([]string, error) {
|
||||
if path == "" {
|
||||
return nil, fmt.Errorf("principals file path is required")
|
||||
}
|
||||
data, err := os.ReadFile(path)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return nil, nil
|
||||
}
|
||||
return nil, fmt.Errorf("read principals file: %w", err)
|
||||
}
|
||||
var m map[string][]string
|
||||
if err := json.Unmarshal(data, &m); err != nil {
|
||||
return nil, fmt.Errorf("parse principals file: %w", err)
|
||||
}
|
||||
return m[user], nil
|
||||
}
|
||||
58
authdaemon/routes.go
Normal file
58
authdaemon/routes.go
Normal file
@@ -0,0 +1,58 @@
|
||||
package authdaemon
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
// registerRoutes registers all API routes. Add new endpoints here.
|
||||
func (s *Server) registerRoutes() {
|
||||
s.mux.HandleFunc("/health", s.handleHealth)
|
||||
s.mux.HandleFunc("/connection", s.handleConnection)
|
||||
}
|
||||
|
||||
// ConnectionMetadata is the metadata object in POST /connection.
|
||||
type ConnectionMetadata struct {
|
||||
SudoMode string `json:"sudoMode"` // "none" | "full" | "commands"
|
||||
SudoCommands []string `json:"sudoCommands"` // used when sudoMode is "commands"
|
||||
Homedir bool `json:"homedir"`
|
||||
Groups []string `json:"groups"` // system groups to add the user to
|
||||
}
|
||||
|
||||
// ConnectionRequest is the JSON body for POST /connection.
|
||||
type ConnectionRequest struct {
|
||||
CaCert string `json:"caCert"`
|
||||
NiceId string `json:"niceId"`
|
||||
Username string `json:"username"`
|
||||
Metadata ConnectionMetadata `json:"metadata"`
|
||||
}
|
||||
|
||||
// healthResponse is the JSON body for GET /health.
|
||||
type healthResponse struct {
|
||||
Status string `json:"status"`
|
||||
}
|
||||
|
||||
// handleHealth responds with 200 and {"status":"ok"}.
|
||||
func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method != http.MethodGet {
|
||||
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
|
||||
return
|
||||
}
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_ = json.NewEncoder(w).Encode(healthResponse{Status: "ok"})
|
||||
}
|
||||
|
||||
// handleConnection accepts POST with connection payload and delegates to ProcessConnection.
|
||||
func (s *Server) handleConnection(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method != http.MethodPost {
|
||||
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
|
||||
return
|
||||
}
|
||||
var req ConnectionRequest
|
||||
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
||||
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
s.ProcessConnection(req)
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}
|
||||
180
authdaemon/server.go
Normal file
180
authdaemon/server.go
Normal file
@@ -0,0 +1,180 @@
|
||||
package authdaemon
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"crypto/subtle"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"net/http"
|
||||
"os"
|
||||
"runtime"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
type Config struct {
|
||||
// DisableHTTPS: when true, Run() does not start the HTTPS server (for embedded use inside Newt). Call ProcessConnection directly for connection events.
|
||||
DisableHTTPS bool
|
||||
Port int // Required when DisableHTTPS is false. Listen port for the HTTPS server. No default.
|
||||
PresharedKey string // Required when DisableHTTPS is false. HTTP auth (Authorization: Bearer <key> or X-Preshared-Key: <key>). No default.
|
||||
CACertPath string // Required. Where to write the CA cert (e.g. /etc/ssh/ca.pem). No default.
|
||||
Force bool // If true, overwrite existing CA cert (and other items) when content differs. Default false.
|
||||
PrincipalsFilePath string // Required. Path to the principals data file (JSON: username -> array of principals). No default.
|
||||
GenerateRandomPassword bool // If true, set a random password on users when they are provisioned (for SSH PermitEmptyPasswords no).
|
||||
}
|
||||
|
||||
type Server struct {
|
||||
cfg Config
|
||||
addr string
|
||||
presharedKey string
|
||||
mux *http.ServeMux
|
||||
tlsCert tls.Certificate
|
||||
}
|
||||
|
||||
// generateTLSCert creates a self-signed certificate and key in memory (no disk).
|
||||
func generateTLSCert() (tls.Certificate, error) {
|
||||
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, fmt.Errorf("generate key: %w", err)
|
||||
}
|
||||
serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
|
||||
if err != nil {
|
||||
return tls.Certificate{}, fmt.Errorf("serial: %w", err)
|
||||
}
|
||||
tmpl := &x509.Certificate{
|
||||
SerialNumber: serial,
|
||||
Subject: pkix.Name{
|
||||
CommonName: "localhost",
|
||||
},
|
||||
NotBefore: time.Now(),
|
||||
NotAfter: time.Now().Add(365 * 24 * time.Hour),
|
||||
KeyUsage: x509.KeyUsageDigitalSignature,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
||||
BasicConstraintsValid: true,
|
||||
DNSNames: []string{"localhost", "127.0.0.1"},
|
||||
}
|
||||
certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, fmt.Errorf("create certificate: %w", err)
|
||||
}
|
||||
keyDER, err := x509.MarshalECPrivateKey(key)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, fmt.Errorf("marshal key: %w", err)
|
||||
}
|
||||
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
|
||||
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
|
||||
cert, err := tls.X509KeyPair(certPEM, keyPEM)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, fmt.Errorf("x509 key pair: %w", err)
|
||||
}
|
||||
return cert, nil
|
||||
}
|
||||
|
||||
// authMiddleware wraps next and requires a valid preshared key on every request.
|
||||
// Accepts Authorization: Bearer <key> or X-Preshared-Key: <key>.
|
||||
func (s *Server) authMiddleware(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
key := ""
|
||||
if v := r.Header.Get("Authorization"); strings.HasPrefix(v, "Bearer ") {
|
||||
key = strings.TrimSpace(strings.TrimPrefix(v, "Bearer "))
|
||||
}
|
||||
if key == "" {
|
||||
key = strings.TrimSpace(r.Header.Get("X-Preshared-Key"))
|
||||
}
|
||||
if key == "" || subtle.ConstantTimeCompare([]byte(key), []byte(s.presharedKey)) != 1 {
|
||||
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
// NewServer builds a new auth-daemon server from cfg. Port, PresharedKey, CACertPath, and PrincipalsFilePath are required (no defaults).
|
||||
func NewServer(cfg Config) (*Server, error) {
|
||||
if runtime.GOOS != "linux" {
|
||||
return nil, fmt.Errorf("auth-daemon is only supported on Linux, not %s", runtime.GOOS)
|
||||
}
|
||||
if !cfg.DisableHTTPS {
|
||||
if cfg.Port <= 0 {
|
||||
return nil, fmt.Errorf("port is required and must be positive")
|
||||
}
|
||||
if cfg.PresharedKey == "" {
|
||||
return nil, fmt.Errorf("preshared key is required")
|
||||
}
|
||||
}
|
||||
if cfg.CACertPath == "" {
|
||||
return nil, fmt.Errorf("CACertPath is required")
|
||||
}
|
||||
if cfg.PrincipalsFilePath == "" {
|
||||
return nil, fmt.Errorf("PrincipalsFilePath is required")
|
||||
}
|
||||
s := &Server{cfg: cfg}
|
||||
if !cfg.DisableHTTPS {
|
||||
cert, err := generateTLSCert()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
s.addr = fmt.Sprintf(":%d", cfg.Port)
|
||||
s.presharedKey = cfg.PresharedKey
|
||||
s.mux = http.NewServeMux()
|
||||
s.tlsCert = cert
|
||||
s.registerRoutes()
|
||||
}
|
||||
return s, nil
|
||||
}
|
||||
|
||||
// Run starts the HTTPS server (unless DisableHTTPS) and blocks until ctx is cancelled or the server errors.
|
||||
// When DisableHTTPS is true, Run() blocks on ctx only and does not listen; use ProcessConnection for connection events.
|
||||
func (s *Server) Run(ctx context.Context) error {
|
||||
if s.cfg.DisableHTTPS {
|
||||
logger.Debug("auth-daemon running (HTTPS disabled)")
|
||||
<-ctx.Done()
|
||||
s.cleanupPrincipalsFile()
|
||||
return nil
|
||||
}
|
||||
tcfg := &tls.Config{
|
||||
Certificates: []tls.Certificate{s.tlsCert},
|
||||
MinVersion: tls.VersionTLS12,
|
||||
}
|
||||
handler := s.authMiddleware(s.mux)
|
||||
srv := &http.Server{
|
||||
Addr: s.addr,
|
||||
Handler: handler,
|
||||
TLSConfig: tcfg,
|
||||
ReadTimeout: 10 * time.Second,
|
||||
WriteTimeout: 10 * time.Second,
|
||||
ReadHeaderTimeout: 5 * time.Second,
|
||||
IdleTimeout: 60 * time.Second,
|
||||
}
|
||||
go func() {
|
||||
<-ctx.Done()
|
||||
shutdownCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
||||
defer cancel()
|
||||
if err := srv.Shutdown(shutdownCtx); err != nil {
|
||||
logger.Warn("auth-daemon shutdown: %v", err)
|
||||
}
|
||||
}()
|
||||
logger.Info("auth-daemon listening on https://127.0.0.1%s", s.addr)
|
||||
if err := srv.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
|
||||
return err
|
||||
}
|
||||
s.cleanupPrincipalsFile()
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *Server) cleanupPrincipalsFile() {
|
||||
if s.cfg.PrincipalsFilePath != "" {
|
||||
if err := os.Remove(s.cfg.PrincipalsFilePath); err != nil && !os.IsNotExist(err) {
|
||||
logger.Warn("auth-daemon: remove principals file: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -144,6 +144,10 @@ type SharedBind struct {
|
||||
|
||||
// Callback for magic test responses (used for holepunch testing)
|
||||
magicResponseCallback atomic.Pointer[func(addr netip.AddrPort, echoData []byte)]
|
||||
|
||||
// Rebinding state - used to keep receive goroutines alive during socket transition
|
||||
rebinding bool // true when socket is being replaced
|
||||
rebindingCond *sync.Cond // signaled when rebind completes
|
||||
}
|
||||
|
||||
// MagicResponseCallback is the function signature for magic packet response callbacks
|
||||
@@ -163,6 +167,9 @@ func New(udpConn *net.UDPConn) (*SharedBind, error) {
|
||||
closeChan: make(chan struct{}),
|
||||
}
|
||||
|
||||
// Initialize the rebinding condition variable
|
||||
bind.rebindingCond = sync.NewCond(&bind.mu)
|
||||
|
||||
// Initialize reference count to 1 (the creator holds the first reference)
|
||||
bind.refCount.Store(1)
|
||||
|
||||
@@ -310,6 +317,109 @@ func (b *SharedBind) IsClosed() bool {
|
||||
return b.closed.Load()
|
||||
}
|
||||
|
||||
// GetPort returns the current UDP port the bind is using.
|
||||
// This is useful when rebinding to try to reuse the same port.
|
||||
func (b *SharedBind) GetPort() uint16 {
|
||||
b.mu.RLock()
|
||||
defer b.mu.RUnlock()
|
||||
return b.port
|
||||
}
|
||||
|
||||
// CloseSocket closes the underlying UDP connection to release the port,
|
||||
// but keeps the SharedBind in a state where it can accept a new connection via Rebind.
|
||||
// This allows the caller to close the old socket first, then bind a new socket
|
||||
// to the same port before calling Rebind.
|
||||
//
|
||||
// Returns the port that was being used, so the caller can attempt to rebind to it.
|
||||
// Sets the rebinding flag so receive goroutines will wait for the new socket
|
||||
// instead of exiting.
|
||||
func (b *SharedBind) CloseSocket() (uint16, error) {
|
||||
b.mu.Lock()
|
||||
defer b.mu.Unlock()
|
||||
|
||||
if b.closed.Load() {
|
||||
return 0, fmt.Errorf("bind is closed")
|
||||
}
|
||||
|
||||
port := b.port
|
||||
|
||||
// Set rebinding flag BEFORE closing the socket so receive goroutines
|
||||
// know to wait instead of exit
|
||||
b.rebinding = true
|
||||
|
||||
// Close the old connection to release the port
|
||||
if b.udpConn != nil {
|
||||
logger.Debug("Closing UDP connection to release port %d (rebinding)", port)
|
||||
b.udpConn.Close()
|
||||
b.udpConn = nil
|
||||
}
|
||||
|
||||
return port, nil
|
||||
}
|
||||
|
||||
// Rebind replaces the underlying UDP connection with a new one.
|
||||
// This is necessary when network connectivity changes (e.g., WiFi to cellular
|
||||
// transition on macOS/iOS) and the old socket becomes stale.
|
||||
//
|
||||
// The caller is responsible for creating the new UDP connection and passing it here.
|
||||
// After rebind, the caller should trigger a hole punch to re-establish NAT mappings.
|
||||
//
|
||||
// Note: Call CloseSocket() first if you need to rebind to the same port, as the
|
||||
// old socket must be closed before a new socket can bind to the same port.
|
||||
func (b *SharedBind) Rebind(newConn *net.UDPConn) error {
|
||||
if newConn == nil {
|
||||
return fmt.Errorf("newConn cannot be nil")
|
||||
}
|
||||
|
||||
b.mu.Lock()
|
||||
defer b.mu.Unlock()
|
||||
|
||||
if b.closed.Load() {
|
||||
return fmt.Errorf("bind is closed")
|
||||
}
|
||||
|
||||
// Close the old connection if it's still open
|
||||
// (it may have already been closed via CloseSocket)
|
||||
if b.udpConn != nil {
|
||||
logger.Debug("Closing old UDP connection during rebind")
|
||||
b.udpConn.Close()
|
||||
}
|
||||
|
||||
// Set up the new connection
|
||||
b.udpConn = newConn
|
||||
|
||||
// Update packet connections for the new socket
|
||||
if runtime.GOOS == "linux" || runtime.GOOS == "android" {
|
||||
b.ipv4PC = ipv4.NewPacketConn(newConn)
|
||||
b.ipv6PC = ipv6.NewPacketConn(newConn)
|
||||
|
||||
// Re-initialize message buffers for batch operations
|
||||
batchSize := wgConn.IdealBatchSize
|
||||
b.ipv4Msgs = make([]ipv4.Message, batchSize)
|
||||
for i := range b.ipv4Msgs {
|
||||
b.ipv4Msgs[i].OOB = make([]byte, 0)
|
||||
}
|
||||
} else {
|
||||
// For non-Linux platforms, still set up ipv4PC for consistency
|
||||
b.ipv4PC = ipv4.NewPacketConn(newConn)
|
||||
b.ipv6PC = ipv6.NewPacketConn(newConn)
|
||||
}
|
||||
|
||||
// Update the port
|
||||
if addr, ok := newConn.LocalAddr().(*net.UDPAddr); ok {
|
||||
b.port = uint16(addr.Port)
|
||||
logger.Info("Rebound UDP socket to port %d", b.port)
|
||||
}
|
||||
|
||||
// Clear the rebinding flag and wake up any waiting receive goroutines
|
||||
b.rebinding = false
|
||||
b.rebindingCond.Broadcast()
|
||||
|
||||
logger.Debug("Rebind complete, signaled waiting receive goroutines")
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// SetMagicResponseCallback sets a callback function that will be called when
|
||||
// a magic test response packet is received. This is used for holepunch testing.
|
||||
// Pass nil to clear the callback.
|
||||
@@ -392,24 +502,77 @@ func (b *SharedBind) Open(uport uint16) ([]wgConn.ReceiveFunc, uint16, error) {
|
||||
// makeReceiveSocket creates a receive function for physical UDP socket packets
|
||||
func (b *SharedBind) makeReceiveSocket() wgConn.ReceiveFunc {
|
||||
return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
|
||||
if b.closed.Load() {
|
||||
return 0, net.ErrClosed
|
||||
}
|
||||
for {
|
||||
if b.closed.Load() {
|
||||
return 0, net.ErrClosed
|
||||
}
|
||||
|
||||
b.mu.RLock()
|
||||
conn := b.udpConn
|
||||
pc := b.ipv4PC
|
||||
b.mu.RUnlock()
|
||||
b.mu.RLock()
|
||||
conn := b.udpConn
|
||||
pc := b.ipv4PC
|
||||
b.mu.RUnlock()
|
||||
|
||||
if conn == nil {
|
||||
return 0, net.ErrClosed
|
||||
}
|
||||
if conn == nil {
|
||||
// Socket is nil - check if we're rebinding or truly closed
|
||||
if b.closed.Load() {
|
||||
return 0, net.ErrClosed
|
||||
}
|
||||
|
||||
// Use batch reading on Linux for performance
|
||||
if pc != nil && (runtime.GOOS == "linux" || runtime.GOOS == "android") {
|
||||
return b.receiveIPv4Batch(pc, bufs, sizes, eps)
|
||||
// Wait for rebind to complete
|
||||
b.mu.Lock()
|
||||
for b.rebinding && !b.closed.Load() {
|
||||
logger.Debug("Receive goroutine waiting for socket rebind to complete")
|
||||
b.rebindingCond.Wait()
|
||||
}
|
||||
b.mu.Unlock()
|
||||
|
||||
// Check again after waking up
|
||||
if b.closed.Load() {
|
||||
return 0, net.ErrClosed
|
||||
}
|
||||
|
||||
// Loop back to retry with new socket
|
||||
continue
|
||||
}
|
||||
|
||||
// Use batch reading on Linux for performance
|
||||
var n int
|
||||
var err error
|
||||
if pc != nil && (runtime.GOOS == "linux" || runtime.GOOS == "android") {
|
||||
n, err = b.receiveIPv4Batch(pc, bufs, sizes, eps)
|
||||
} else {
|
||||
n, err = b.receiveIPv4Simple(conn, bufs, sizes, eps)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
// Check if this error is due to rebinding
|
||||
b.mu.RLock()
|
||||
rebinding := b.rebinding
|
||||
b.mu.RUnlock()
|
||||
|
||||
if rebinding {
|
||||
logger.Debug("Receive got error during rebind, waiting for new socket: %v", err)
|
||||
// Wait for rebind to complete and retry
|
||||
b.mu.Lock()
|
||||
for b.rebinding && !b.closed.Load() {
|
||||
b.rebindingCond.Wait()
|
||||
}
|
||||
b.mu.Unlock()
|
||||
|
||||
if b.closed.Load() {
|
||||
return 0, net.ErrClosed
|
||||
}
|
||||
|
||||
// Retry with new socket
|
||||
continue
|
||||
}
|
||||
|
||||
// Not rebinding, return the error
|
||||
return 0, err
|
||||
}
|
||||
|
||||
return n, nil
|
||||
}
|
||||
return b.receiveIPv4Simple(conn, bufs, sizes, eps)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -492,6 +655,8 @@ func (b *SharedBind) receiveIPv4Batch(pc *ipv4.PacketConn, bufs [][]byte, sizes
|
||||
|
||||
// receiveIPv4Simple uses simple ReadFromUDP for non-Linux platforms
|
||||
func (b *SharedBind) receiveIPv4Simple(conn *net.UDPConn, bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (int, error) {
|
||||
// No read deadline - we rely on socket close to unblock during rebind.
|
||||
// The caller (makeReceiveSocket) handles rebind state when errors occur.
|
||||
for {
|
||||
n, addr, err := conn.ReadFromUDP(bufs[0])
|
||||
if err != nil {
|
||||
@@ -523,7 +688,7 @@ func (b *SharedBind) receiveIPv4Simple(conn *net.UDPConn, bufs [][]byte, sizes [
|
||||
func (b *SharedBind) handleMagicPacket(data []byte, addr *net.UDPAddr) bool {
|
||||
// Check if this is a test request packet
|
||||
if len(data) >= MagicTestRequestLen && bytes.HasPrefix(data, MagicTestRequest) {
|
||||
logger.Debug("Received magic test REQUEST from %s, sending response", addr.String())
|
||||
// logger.Debug("Received magic test REQUEST from %s, sending response", addr.String())
|
||||
// Extract the random data portion to echo back
|
||||
echoData := data[len(MagicTestRequest) : len(MagicTestRequest)+MagicPacketDataLen]
|
||||
|
||||
@@ -546,7 +711,7 @@ func (b *SharedBind) handleMagicPacket(data []byte, addr *net.UDPAddr) bool {
|
||||
|
||||
// Check if this is a test response packet
|
||||
if len(data) >= MagicTestResponseLen && bytes.HasPrefix(data, MagicTestResponse) {
|
||||
logger.Debug("Received magic test RESPONSE from %s", addr.String())
|
||||
// logger.Debug("Received magic test RESPONSE from %s", addr.String())
|
||||
// Extract the echoed data
|
||||
echoData := data[len(MagicTestResponse) : len(MagicTestResponse)+MagicPacketDataLen]
|
||||
|
||||
|
||||
@@ -1,37 +0,0 @@
|
||||
resources:
|
||||
resource-nice-id:
|
||||
name: this is my resource
|
||||
protocol: http
|
||||
full-domain: level1.test3.example.com
|
||||
host-header: example.com
|
||||
tls-server-name: example.com
|
||||
auth:
|
||||
pincode: 123456
|
||||
password: sadfasdfadsf
|
||||
sso-enabled: true
|
||||
sso-roles:
|
||||
- Member
|
||||
sso-users:
|
||||
- owen@pangolin.net
|
||||
whitelist-users:
|
||||
- owen@pangolin.net
|
||||
targets:
|
||||
# - site: glossy-plains-viscacha-rat
|
||||
- hostname: localhost
|
||||
method: http
|
||||
port: 8000
|
||||
healthcheck:
|
||||
port: 8000
|
||||
hostname: localhost
|
||||
# - site: glossy-plains-viscacha-rat
|
||||
- hostname: localhost
|
||||
method: http
|
||||
port: 8001
|
||||
resource-nice-id2:
|
||||
name: this is other resource
|
||||
protocol: tcp
|
||||
proxy-port: 3000
|
||||
targets:
|
||||
# - site: glossy-plains-viscacha-rat
|
||||
- hostname: localhost
|
||||
port: 3000
|
||||
144
browsergateway/browsergateway.go
Normal file
144
browsergateway/browsergateway.go
Normal file
@@ -0,0 +1,144 @@
|
||||
package browsergateway
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
"errors"
|
||||
"net"
|
||||
"net/http"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/fosrl/newt/nativessh"
|
||||
)
|
||||
|
||||
// Forwarding buffer size. RDP graphics traffic is bursty and TLS records cap
|
||||
// at ~16 KiB, so 64 KiB lets a couple of records pile up per syscall/frame
|
||||
// without wasting memory per session.
|
||||
const forwardBufSize = 64 * 1024
|
||||
|
||||
// ListenPort is the port the browser gateway HTTP server listens on inside the
|
||||
// WireGuard netstack. This is a fixed value shared between newt and pangolin.
|
||||
// Targets do not overlap with this port because they start at 40000.
|
||||
const ListenPort = 39999
|
||||
|
||||
// Target represents an allowed proxy destination for the browser gateway.
|
||||
// Only connections whose (Type, Destination, DestinationPort, AuthToken) match a
|
||||
// registered Target will be forwarded; all others are rejected.
|
||||
type Target struct {
|
||||
ID int
|
||||
Type string // "rdp" | "ssh" | "vnc"
|
||||
Destination string
|
||||
DestinationPort int
|
||||
AuthToken string // per-target secret; must match the token supplied by the client
|
||||
}
|
||||
|
||||
// Config holds the configuration for a Gateway.
|
||||
type Config struct {
|
||||
// AuthToken is used only for NativeSSH mode (which has no external target
|
||||
// to match against). For all proxy targets (RDP/SSH/VNC), auth tokens are
|
||||
// stored per-Target and validated by isAllowed.
|
||||
AuthToken string
|
||||
// SSHCredentials are used by native SSH browser sessions for certificate
|
||||
// validation against the in-memory CA/principal store.
|
||||
SSHCredentials *nativessh.CredentialStore
|
||||
}
|
||||
|
||||
// Gateway is a browser-based RDP/SSH/VNC WebSocket proxy.
|
||||
// Create one with New and mount it via RegisterHandlers or the individual
|
||||
// HandleRDP / HandleSSH / HandleVNC http.HandlerFunc methods.
|
||||
type Gateway struct {
|
||||
authToken string
|
||||
sshCreds *nativessh.CredentialStore
|
||||
|
||||
mu sync.RWMutex
|
||||
targets map[int]Target // keyed by Target.ID
|
||||
|
||||
server *http.Server
|
||||
}
|
||||
|
||||
// New creates a new Gateway from the provided Config.
|
||||
func New(cfg Config) *Gateway {
|
||||
return &Gateway{
|
||||
authToken: cfg.AuthToken,
|
||||
sshCreds: cfg.SSHCredentials,
|
||||
targets: make(map[int]Target),
|
||||
}
|
||||
}
|
||||
|
||||
// SetTargets replaces the entire allowed-destination list atomically.
|
||||
func (g *Gateway) SetTargets(targets []Target) {
|
||||
g.mu.Lock()
|
||||
defer g.mu.Unlock()
|
||||
g.targets = make(map[int]Target, len(targets))
|
||||
for _, t := range targets {
|
||||
g.targets[t.ID] = t
|
||||
}
|
||||
}
|
||||
|
||||
// AddTarget adds or updates a single allowed destination.
|
||||
func (g *Gateway) AddTarget(t Target) {
|
||||
g.mu.Lock()
|
||||
defer g.mu.Unlock()
|
||||
g.targets[t.ID] = t
|
||||
}
|
||||
|
||||
// RemoveTarget removes an allowed destination by its ID.
|
||||
func (g *Gateway) RemoveTarget(id int) {
|
||||
g.mu.Lock()
|
||||
defer g.mu.Unlock()
|
||||
delete(g.targets, id)
|
||||
}
|
||||
|
||||
// isAllowed reports whether a connection to (targetType, host, port) with the
|
||||
// given authToken is permitted. The token is compared against the per-target
|
||||
// AuthToken using constant-time comparison to prevent timing attacks.
|
||||
func (g *Gateway) isAllowed(targetType, host string, port int, authToken string) bool {
|
||||
g.mu.RLock()
|
||||
defer g.mu.RUnlock()
|
||||
for _, t := range g.targets {
|
||||
if t.Type == targetType && t.Destination == host && t.DestinationPort == port {
|
||||
return subtle.ConstantTimeCompare([]byte(authToken), []byte(t.AuthToken)) == 1
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// isTokenValid reports whether the given authToken matches any registered
|
||||
// target of the specified type. Used for native SSH mode where there is no
|
||||
// external destination to match against.
|
||||
func (g *Gateway) isTokenValid(targetType, authToken string) bool {
|
||||
g.mu.RLock()
|
||||
defer g.mu.RUnlock()
|
||||
for _, t := range g.targets {
|
||||
if t.Type == targetType {
|
||||
if subtle.ConstantTimeCompare([]byte(authToken), []byte(t.AuthToken)) == 1 {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// Start serves the browser gateway HTTP server on the provided listener.
|
||||
// It returns nil when the listener is closed (normal shutdown).
|
||||
func (g *Gateway) Start(ln net.Listener) error {
|
||||
mux := http.NewServeMux()
|
||||
g.RegisterHandlers(mux)
|
||||
g.server = &http.Server{Handler: mux}
|
||||
err := g.server.Serve(ln)
|
||||
if err == nil ||
|
||||
errors.Is(err, net.ErrClosed) ||
|
||||
errors.Is(err, http.ErrServerClosed) ||
|
||||
strings.Contains(err.Error(), "use of closed") ||
|
||||
strings.Contains(err.Error(), "invalid state") {
|
||||
return nil
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
// RegisterHandlers registers the /rdp, /ssh, and /vnc routes on mux.
|
||||
func (g *Gateway) RegisterHandlers(mux *http.ServeMux) {
|
||||
mux.HandleFunc("/gateway/rdp", g.HandleRDP)
|
||||
mux.HandleFunc("/gateway/ssh", g.HandleSSH)
|
||||
mux.HandleFunc("/gateway/vnc", g.handleVNC)
|
||||
}
|
||||
88
browsergateway/rdcleanpath.go
Normal file
88
browsergateway/rdcleanpath.go
Normal file
@@ -0,0 +1,88 @@
|
||||
package browsergateway
|
||||
|
||||
import (
|
||||
"encoding/asn1"
|
||||
"fmt"
|
||||
)
|
||||
|
||||
// RDCleanPath PDU version (BASE_VERSION + 1 = 3389 + 1).
|
||||
const rdCleanPathVersion = int64(3390)
|
||||
|
||||
// rdCleanPathPdu is a Go translation of the ASN.1 SEQUENCE defined in the
|
||||
// ironrdp-rdcleanpath crate. All optional fields use EXPLICIT context-specific
|
||||
// tagging, matching the Rust `der::Sequence` derivation with
|
||||
// `tag_mode = "EXPLICIT"`.
|
||||
//
|
||||
// We only need a subset of fields for the basic proxy flow, but the struct
|
||||
// declares every tag we may encounter so that decoding does not fail on an
|
||||
// unexpected element.
|
||||
type rdCleanPathPdu struct {
|
||||
Version int64 `asn1:"explicit,tag:0"`
|
||||
Destination string `asn1:"explicit,tag:2,optional,utf8"`
|
||||
ProxyAuth string `asn1:"explicit,tag:3,optional,utf8"`
|
||||
ServerAuth string `asn1:"explicit,tag:4,optional,utf8"`
|
||||
PreconnectionBlob string `asn1:"explicit,tag:5,optional,utf8"`
|
||||
X224 []byte `asn1:"explicit,tag:6,optional"`
|
||||
ServerCertChain [][]byte `asn1:"explicit,tag:7,optional"`
|
||||
ServerAddr string `asn1:"explicit,tag:9,optional,utf8"`
|
||||
}
|
||||
|
||||
// decodeRDCleanPathRequest parses a client-to-proxy RDCleanPath PDU.
|
||||
func decodeRDCleanPathRequest(buf []byte) (*rdCleanPathPdu, error) {
|
||||
var pdu rdCleanPathPdu
|
||||
rest, err := asn1.Unmarshal(buf, &pdu)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("asn1 unmarshal: %w", err)
|
||||
}
|
||||
if len(rest) != 0 {
|
||||
return nil, fmt.Errorf("trailing data after RDCleanPath PDU: %d bytes", len(rest))
|
||||
}
|
||||
if pdu.Version != rdCleanPathVersion {
|
||||
return nil, fmt.Errorf("unexpected RDCleanPath version: %d", pdu.Version)
|
||||
}
|
||||
return &pdu, nil
|
||||
}
|
||||
|
||||
// encodeRDCleanPathResponse builds a proxy-to-client RDCleanPath response PDU
|
||||
// containing the server address, X.224 connection confirm and server TLS chain.
|
||||
func encodeRDCleanPathResponse(serverAddr string, x224Rsp []byte, certChain [][]byte) ([]byte, error) {
|
||||
pdu := rdCleanPathPdu{
|
||||
Version: rdCleanPathVersion,
|
||||
X224: x224Rsp,
|
||||
ServerCertChain: certChain,
|
||||
ServerAddr: serverAddr,
|
||||
}
|
||||
return asn1.Marshal(pdu)
|
||||
}
|
||||
|
||||
// detectRDCleanPathLength returns the total DER length of an RDCleanPath PDU
|
||||
// if enough bytes are available, otherwise -1.
|
||||
//
|
||||
// The PDU is a DER SEQUENCE, which begins with the universal SEQUENCE tag
|
||||
// (0x30) followed by a length octet/octets. We parse just enough to know the
|
||||
// total length so we can buffer accordingly.
|
||||
func detectRDCleanPathLength(buf []byte) int {
|
||||
if len(buf) < 2 {
|
||||
return -1
|
||||
}
|
||||
if buf[0] != 0x30 {
|
||||
// Not a SEQUENCE: cannot be RDCleanPath.
|
||||
return -2
|
||||
}
|
||||
l := buf[1]
|
||||
if l < 0x80 {
|
||||
return 2 + int(l)
|
||||
}
|
||||
n := int(l & 0x7f)
|
||||
if n == 0 || n > 4 {
|
||||
return -2
|
||||
}
|
||||
if len(buf) < 2+n {
|
||||
return -1
|
||||
}
|
||||
total := 0
|
||||
for i := 0; i < n; i++ {
|
||||
total = (total << 8) | int(buf[2+i])
|
||||
}
|
||||
return 2 + n + total
|
||||
}
|
||||
271
browsergateway/rdp.go
Normal file
271
browsergateway/rdp.go
Normal file
@@ -0,0 +1,271 @@
|
||||
package browsergateway
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"encoding/binary"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/coder/websocket"
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
// HandleRDP is an http.HandlerFunc for RDP-over-WebSocket connections.
|
||||
func (g *Gateway) HandleRDP(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := r.Context()
|
||||
ws, err := websocket.Accept(w, r, &websocket.AcceptOptions{
|
||||
InsecureSkipVerify: true, // any-origin: minimal dev proxy with no auth
|
||||
Subprotocols: []string{"binary"},
|
||||
})
|
||||
if err != nil {
|
||||
logger.Debug("websocket upgrade failed: %v", err)
|
||||
return
|
||||
}
|
||||
// Disable per-message read size cap (default is 32 KiB which would break
|
||||
// large RDP graphics messages).
|
||||
ws.SetReadLimit(-1)
|
||||
defer ws.CloseNow() //nolint:errcheck
|
||||
|
||||
if err := g.serveSession(ctx, ws); err != nil {
|
||||
logger.Debug("session error: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func (g *Gateway) serveSession(ctx context.Context, ws *websocket.Conn) error {
|
||||
// Expose the WebSocket as a streaming net.Conn. Binary messages are
|
||||
// concatenated into a byte stream and writes become single binary frames.
|
||||
// This is a thin wrapper with no per-message goroutine, unlike Gorilla.
|
||||
stream := websocket.NetConn(ctx, ws, websocket.MessageBinary)
|
||||
defer stream.Close() //nolint:errcheck
|
||||
|
||||
// -- Read the initial RDCleanPath request from the client --
|
||||
pdu, err := readCleanPath(stream)
|
||||
if err != nil {
|
||||
return fmt.Errorf("read RDCleanPath: %w", err)
|
||||
}
|
||||
|
||||
if pdu.Destination == "" {
|
||||
return errors.New("RDCleanPath missing destination")
|
||||
}
|
||||
if len(pdu.X224) == 0 {
|
||||
return errors.New("RDCleanPath missing X224 connection PDU")
|
||||
}
|
||||
|
||||
target := pdu.Destination
|
||||
// Default port for RDP if not specified.
|
||||
if _, _, splitErr := net.SplitHostPort(target); splitErr != nil {
|
||||
target = net.JoinHostPort(target, "3389")
|
||||
}
|
||||
|
||||
// Validate destination against the registered target allowlist,
|
||||
// including per-target auth token.
|
||||
rdpHost, rdpPortStr, _ := net.SplitHostPort(target)
|
||||
rdpPort, _ := strconv.Atoi(rdpPortStr)
|
||||
if !g.isAllowed("rdp", rdpHost, rdpPort, pdu.ProxyAuth) {
|
||||
return fmt.Errorf("RDP destination %s is not in the allowed target list or auth token mismatch", target)
|
||||
}
|
||||
|
||||
logger.Debug("Connecting to RDP server %s", target)
|
||||
|
||||
// -- Open TCP connection to the destination RDP server --
|
||||
serverTCP, err := net.DialTimeout("tcp", target, 15*time.Second)
|
||||
if err != nil {
|
||||
return fmt.Errorf("dial %s: %w", target, err)
|
||||
}
|
||||
defer serverTCP.Close()
|
||||
if tcp, ok := serverTCP.(*net.TCPConn); ok {
|
||||
// NoDelay is Go's default; set explicitly. RDP wants low latency for
|
||||
// input echo, and the bulk path is naturally chunked by TLS records.
|
||||
_ = tcp.SetNoDelay(true)
|
||||
_ = tcp.SetKeepAlive(true)
|
||||
_ = tcp.SetKeepAlivePeriod(30 * time.Second)
|
||||
_ = tcp.SetReadBuffer(forwardBufSize)
|
||||
_ = tcp.SetWriteBuffer(forwardBufSize)
|
||||
}
|
||||
serverAddr := serverTCP.RemoteAddr().String()
|
||||
|
||||
// Forward the optional pre-connection blob, then the X.224 connection request.
|
||||
if pdu.PreconnectionBlob != "" {
|
||||
if _, err := serverTCP.Write([]byte(pdu.PreconnectionBlob)); err != nil {
|
||||
return fmt.Errorf("send PCB: %w", err)
|
||||
}
|
||||
}
|
||||
if _, err := serverTCP.Write(pdu.X224); err != nil {
|
||||
return fmt.Errorf("send X224: %w", err)
|
||||
}
|
||||
|
||||
// -- Read the X.224 connection confirm from the server --
|
||||
x224Rsp, err := readX224(serverTCP)
|
||||
if err != nil {
|
||||
return fmt.Errorf("read X224 response: %w", err)
|
||||
}
|
||||
logX224Negotiation(x224Rsp)
|
||||
|
||||
// -- Upgrade the server connection to TLS (skip verification) --
|
||||
//
|
||||
// Windows RDP hosts are picky: only set SNI when the target is a hostname
|
||||
// (Go would skip SNI for IP literals anyway, but be explicit), and accept
|
||||
// the full range of TLS versions / ciphers since some servers only
|
||||
// negotiate TLS 1.0 or legacy suites.
|
||||
host, _, _ := net.SplitHostPort(target)
|
||||
tlsCfg := &tls.Config{
|
||||
InsecureSkipVerify: true, //nolint:gosec // proxy intentionally skips verification
|
||||
MinVersion: tls.VersionTLS10,
|
||||
// Cap at TLS 1.2: Windows RDP servers commonly send a TLS "internal_error"
|
||||
// alert when CredSSP/NLA is layered on top of a TLS 1.3 session.
|
||||
MaxVersion: tls.VersionTLS12,
|
||||
}
|
||||
if net.ParseIP(host) == nil {
|
||||
tlsCfg.ServerName = host
|
||||
}
|
||||
tlsConn := tls.Client(serverTCP, tlsCfg)
|
||||
if err := tlsConn.Handshake(); err != nil {
|
||||
return fmt.Errorf("TLS handshake with server: %w", err)
|
||||
}
|
||||
logger.Debug("Server TLS handshake OK (version=0x%04x cipher=0x%04x)",
|
||||
tlsConn.ConnectionState().Version, tlsConn.ConnectionState().CipherSuite)
|
||||
|
||||
// Collect the raw DER server certificate chain to return to the client.
|
||||
state := tlsConn.ConnectionState()
|
||||
if len(state.PeerCertificates) == 0 {
|
||||
return errors.New("server did not present any certificates")
|
||||
}
|
||||
chain := make([][]byte, 0, len(state.PeerCertificates))
|
||||
for _, c := range state.PeerCertificates {
|
||||
chain = append(chain, c.Raw)
|
||||
}
|
||||
|
||||
// -- Send the RDCleanPath response back to the client --
|
||||
rsp, err := encodeRDCleanPathResponse(serverAddr, x224Rsp, chain)
|
||||
if err != nil {
|
||||
return fmt.Errorf("encode RDCleanPath response: %w", err)
|
||||
}
|
||||
if _, err := stream.Write(rsp); err != nil {
|
||||
return fmt.Errorf("write RDCleanPath response: %w", err)
|
||||
}
|
||||
|
||||
logger.Debug("RDCleanPath handshake complete, forwarding traffic to %s", serverAddr)
|
||||
|
||||
// -- Two-way blind forwarding of the (now TLS-encrypted) RDP stream --
|
||||
return forward(stream, tlsConn)
|
||||
}
|
||||
|
||||
// readCleanPath buffers bytes from the stream until a full RDCleanPath PDU has
|
||||
// been received, then decodes it.
|
||||
func readCleanPath(r io.Reader) (*rdCleanPathPdu, error) {
|
||||
buf := make([]byte, 0, 1024)
|
||||
tmp := make([]byte, 1024)
|
||||
for {
|
||||
total := detectRDCleanPathLength(buf)
|
||||
switch {
|
||||
case total == -2:
|
||||
return nil, errors.New("invalid RDCleanPath PDU")
|
||||
case total > 0 && len(buf) >= total:
|
||||
return decodeRDCleanPathRequest(buf[:total])
|
||||
}
|
||||
n, err := r.Read(tmp)
|
||||
if n > 0 {
|
||||
buf = append(buf, tmp[:n]...)
|
||||
}
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// readX224 reads exactly one TPKT-framed X.224 PDU from the server.
|
||||
//
|
||||
// The TPKT header is 4 bytes: version (0x03), reserved (0x00), and a u16
|
||||
// big-endian total length that includes the header itself.
|
||||
func readX224(r io.Reader) ([]byte, error) {
|
||||
hdr := make([]byte, 4)
|
||||
if _, err := io.ReadFull(r, hdr); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if hdr[0] != 0x03 {
|
||||
return nil, fmt.Errorf("unexpected TPKT version 0x%02x", hdr[0])
|
||||
}
|
||||
total := int(binary.BigEndian.Uint16(hdr[2:4]))
|
||||
if total < 4 || total > 4096 {
|
||||
return nil, fmt.Errorf("unreasonable TPKT length %d", total)
|
||||
}
|
||||
out := make([]byte, total)
|
||||
copy(out, hdr)
|
||||
if _, err := io.ReadFull(r, out[4:]); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
|
||||
// logX224Negotiation prints which RDP security protocol the server selected
|
||||
// (or the failure code), to help diagnose handshake issues such as the server
|
||||
// requiring NLA/CredSSP.
|
||||
//
|
||||
// X.224 Connection Confirm layout (RFC 1006 / [MS-RDPBCGR]):
|
||||
//
|
||||
// bytes 0..3 TPKT header (03 00 LL LL)
|
||||
// byte 4 X.224 length indicator
|
||||
// byte 5 X.224 code (0xD0 = CC)
|
||||
// bytes 6..10 DST-REF, SRC-REF, class
|
||||
// byte 11 optional RDP Negotiation type (0x02 = response, 0x03 = failure)
|
||||
// byte 12 flags
|
||||
// bytes 13..14 length (little-endian, =8)
|
||||
// bytes 15..18 selected protocol / failure code (u32 little-endian)
|
||||
func logX224Negotiation(pdu []byte) {
|
||||
if len(pdu) < 19 {
|
||||
logger.Debug("X.224 response too short (%d bytes) to contain RDP negotiation", len(pdu))
|
||||
return
|
||||
}
|
||||
switch pdu[11] {
|
||||
case 0x02:
|
||||
proto := uint32(pdu[15]) | uint32(pdu[16])<<8 | uint32(pdu[17])<<16 | uint32(pdu[18])<<24
|
||||
name := "unknown"
|
||||
switch proto {
|
||||
case 0:
|
||||
name = "RDP (standard)"
|
||||
case 1:
|
||||
name = "SSL/TLS"
|
||||
case 2:
|
||||
name = "HYBRID (CredSSP/NLA)"
|
||||
case 8:
|
||||
name = "HYBRID_EX"
|
||||
}
|
||||
logger.Debug("Server selected RDP protocol 0x%x (%s)", proto, name)
|
||||
case 0x03:
|
||||
code := uint32(pdu[15]) | uint32(pdu[16])<<8 | uint32(pdu[17])<<16 | uint32(pdu[18])<<24
|
||||
logger.Debug("Server returned RDP negotiation failure code 0x%x", code)
|
||||
default:
|
||||
logger.Debug("X.224 response has no RDP negotiation block (type=0x%02x)", pdu[11])
|
||||
}
|
||||
}
|
||||
|
||||
// forward shuttles bytes between the two streams until either side closes.
|
||||
func forward(a, b io.ReadWriteCloser) error {
|
||||
errc := make(chan error, 2)
|
||||
go func() {
|
||||
buf := make([]byte, forwardBufSize)
|
||||
_, err := io.CopyBuffer(a, b, buf)
|
||||
_ = a.Close()
|
||||
_ = b.Close()
|
||||
errc <- err
|
||||
}()
|
||||
go func() {
|
||||
buf := make([]byte, forwardBufSize)
|
||||
_, err := io.CopyBuffer(b, a, buf)
|
||||
_ = a.Close()
|
||||
_ = b.Close()
|
||||
errc <- err
|
||||
}()
|
||||
// Wait for one side to finish, then return.
|
||||
err := <-errc
|
||||
if errors.Is(err, io.EOF) || err == nil {
|
||||
return nil
|
||||
}
|
||||
return err
|
||||
}
|
||||
282
browsergateway/ssh.go
Normal file
282
browsergateway/ssh.go
Normal file
@@ -0,0 +1,282 @@
|
||||
package browsergateway
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/coder/websocket"
|
||||
"github.com/fosrl/newt/logger"
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
||||
// sshClientMsg is a JSON message sent from the browser to the proxy.
|
||||
type sshClientMsg struct {
|
||||
// type: "auth" | "data" | "resize"
|
||||
Type string `json:"type"`
|
||||
Password string `json:"password,omitempty"` // used when type="auth"
|
||||
PrivateKey string `json:"privateKey,omitempty"` // used when type="auth"
|
||||
Certificate string `json:"certificate,omitempty"` // used when type="auth"
|
||||
Data string `json:"data,omitempty"` // used when type="data"
|
||||
Cols uint32 `json:"cols,omitempty"` // used when type="resize"
|
||||
Rows uint32 `json:"rows,omitempty"` // used when type="resize"
|
||||
}
|
||||
|
||||
// sshServerMsg is a JSON message sent from the proxy back to the browser.
|
||||
type sshServerMsg struct {
|
||||
// type: "data" | "error"
|
||||
Type string `json:"type"`
|
||||
Data string `json:"data,omitempty"`
|
||||
Error string `json:"error,omitempty"`
|
||||
}
|
||||
|
||||
// HandleSSH is an http.HandlerFunc for SSH-over-WebSocket connections.
|
||||
func (g *Gateway) HandleSSH(w http.ResponseWriter, r *http.Request) {
|
||||
logger.Debug("SSH connection request from %s", r.RemoteAddr)
|
||||
ctx := r.Context()
|
||||
|
||||
token := r.URL.Query().Get("authToken")
|
||||
|
||||
// "mode=native" (default) connects to the local SSH daemon on this host.
|
||||
// "mode=proxy" connects to an arbitrary host+port supplied in query params.
|
||||
nativeSSH := r.URL.Query().Get("mode") != "proxy"
|
||||
|
||||
// In proxy mode we also need host + username from query params.
|
||||
var target, username string
|
||||
if !nativeSSH {
|
||||
host := r.URL.Query().Get("host")
|
||||
port := r.URL.Query().Get("port")
|
||||
username = r.URL.Query().Get("username")
|
||||
if host == "" || username == "" {
|
||||
http.Error(w, "missing host or username", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if port == "" {
|
||||
port = "22"
|
||||
}
|
||||
sshPort, _ := strconv.Atoi(port)
|
||||
if !g.isAllowed("ssh", host, sshPort, token) {
|
||||
http.Error(w, "destination not allowed or auth token mismatch", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
target = net.JoinHostPort(host, port)
|
||||
} else {
|
||||
// Native SSH mode: validate the token against any registered ssh target.
|
||||
if !g.isTokenValid("ssh", token) {
|
||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
username = r.URL.Query().Get("username")
|
||||
if username == "" {
|
||||
http.Error(w, "missing username", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
ws, err := websocket.Accept(w, r, &websocket.AcceptOptions{
|
||||
InsecureSkipVerify: true,
|
||||
Subprotocols: []string{"ssh"},
|
||||
})
|
||||
if err != nil {
|
||||
logger.Debug("SSH websocket upgrade failed: %v", err)
|
||||
return
|
||||
}
|
||||
ws.SetReadLimit(-1)
|
||||
defer ws.CloseNow() //nolint:errcheck
|
||||
|
||||
if nativeSSH {
|
||||
if err := serveNativeSSHSession(ctx, ws, username, g.sshCreds); err != nil {
|
||||
logger.Debug("SSH native session error: %v", err)
|
||||
}
|
||||
} else {
|
||||
if err := serveSSHSession(ctx, ws, target, username, g.authToken); err != nil {
|
||||
logger.Debug("SSH session error: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func serveSSHSession(ctx context.Context, ws *websocket.Conn, target, username, _ string) error {
|
||||
// -- Wait for the auth message from the client to get the password --
|
||||
_, authBytes, err := ws.Read(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("read auth message: %w", err)
|
||||
}
|
||||
var authMsg sshClientMsg
|
||||
if err := json.Unmarshal(authBytes, &authMsg); err != nil || authMsg.Type != "auth" {
|
||||
return fmt.Errorf("expected auth message, got: %s", authBytes)
|
||||
}
|
||||
password := authMsg.Password
|
||||
privateKey := authMsg.PrivateKey
|
||||
certificate := authMsg.Certificate
|
||||
|
||||
// Build the list of auth methods. Certificate+private key takes priority
|
||||
// when both are provided, then private key, then password.
|
||||
var authMethods []ssh.AuthMethod
|
||||
if privateKey != "" {
|
||||
signer, err := ssh.ParsePrivateKey([]byte(privateKey))
|
||||
if err != nil {
|
||||
sendSSHError(ctx, ws, fmt.Sprintf("Failed to parse private key: %v", err))
|
||||
return fmt.Errorf("parse private key: %w", err)
|
||||
}
|
||||
|
||||
if certificate != "" {
|
||||
certPubKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(certificate))
|
||||
if err != nil {
|
||||
sendSSHError(ctx, ws, fmt.Sprintf("Failed to parse certificate: %v", err))
|
||||
return fmt.Errorf("parse certificate: %w", err)
|
||||
}
|
||||
|
||||
cert, ok := certPubKey.(*ssh.Certificate)
|
||||
if !ok {
|
||||
sendSSHError(ctx, ws, "Provided certificate is not a valid SSH certificate")
|
||||
return fmt.Errorf("provided certificate is not ssh certificate")
|
||||
}
|
||||
|
||||
certSigner, err := ssh.NewCertSigner(cert, signer)
|
||||
if err != nil {
|
||||
sendSSHError(ctx, ws, fmt.Sprintf("Failed to combine private key and certificate: %v", err))
|
||||
return fmt.Errorf("new cert signer: %w", err)
|
||||
}
|
||||
authMethods = append(authMethods, ssh.PublicKeys(certSigner))
|
||||
} else {
|
||||
authMethods = append(authMethods, ssh.PublicKeys(signer))
|
||||
}
|
||||
}
|
||||
if password != "" {
|
||||
authMethods = append(authMethods, ssh.Password(password))
|
||||
}
|
||||
if len(authMethods) == 0 {
|
||||
sendSSHError(ctx, ws, "No authentication credentials provided")
|
||||
return fmt.Errorf("no auth credentials")
|
||||
}
|
||||
logger.Debug("SSH: connecting to %s as %s", target, username)
|
||||
sshCfg := &ssh.ClientConfig{
|
||||
User: username,
|
||||
Auth: authMethods,
|
||||
// HostKeyCallback is intentionally InsecureIgnoreHostKey for this dev
|
||||
// proxy. In production, verify against a known-hosts store.
|
||||
HostKeyCallback: ssh.InsecureIgnoreHostKey(), //nolint:gosec
|
||||
Timeout: 15 * time.Second,
|
||||
}
|
||||
|
||||
sshClient, err := ssh.Dial("tcp", target, sshCfg)
|
||||
if err != nil {
|
||||
sendSSHError(ctx, ws, fmt.Sprintf("SSH dial failed: %v", err))
|
||||
return fmt.Errorf("ssh dial %s: %w", target, err)
|
||||
}
|
||||
defer sshClient.Close()
|
||||
|
||||
// -- Open an interactive session --
|
||||
sess, err := sshClient.NewSession()
|
||||
if err != nil {
|
||||
sendSSHError(ctx, ws, fmt.Sprintf("Failed to open SSH session: %v", err))
|
||||
return fmt.Errorf("ssh new session: %w", err)
|
||||
}
|
||||
defer sess.Close()
|
||||
|
||||
// Request a PTY.
|
||||
if err := sess.RequestPty("xterm-256color", 24, 80, ssh.TerminalModes{
|
||||
ssh.ECHO: 1,
|
||||
ssh.TTY_OP_ISPEED: 38400,
|
||||
ssh.TTY_OP_OSPEED: 38400,
|
||||
}); err != nil {
|
||||
sendSSHError(ctx, ws, fmt.Sprintf("Failed to request PTY: %v", err))
|
||||
return fmt.Errorf("ssh request pty: %w", err)
|
||||
}
|
||||
|
||||
stdinPipe, err := sess.StdinPipe()
|
||||
if err != nil {
|
||||
return fmt.Errorf("ssh stdin pipe: %w", err)
|
||||
}
|
||||
stdoutPipe, err := sess.StdoutPipe()
|
||||
if err != nil {
|
||||
return fmt.Errorf("ssh stdout pipe: %w", err)
|
||||
}
|
||||
stderrPipe, err := sess.StderrPipe()
|
||||
if err != nil {
|
||||
return fmt.Errorf("ssh stderr pipe: %w", err)
|
||||
}
|
||||
|
||||
if err := sess.Shell(); err != nil {
|
||||
sendSSHError(ctx, ws, fmt.Sprintf("Failed to start shell: %v", err))
|
||||
return fmt.Errorf("ssh shell: %w", err)
|
||||
}
|
||||
|
||||
logger.Debug("SSH: session established with %s", target)
|
||||
|
||||
// -- Pump SSH stdout/stderr → WebSocket --
|
||||
sessCtx, cancelSess := context.WithCancel(ctx)
|
||||
defer cancelSess()
|
||||
|
||||
go func() {
|
||||
buf := make([]byte, 4096)
|
||||
for {
|
||||
n, readErr := stdoutPipe.Read(buf)
|
||||
if n > 0 {
|
||||
msg := sshServerMsg{Type: "data", Data: string(buf[:n])}
|
||||
b, _ := json.Marshal(msg)
|
||||
if writeErr := ws.Write(sessCtx, websocket.MessageText, b); writeErr != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
if readErr != nil {
|
||||
cancelSess()
|
||||
return
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
go func() {
|
||||
buf := make([]byte, 4096)
|
||||
for {
|
||||
n, readErr := stderrPipe.Read(buf)
|
||||
if n > 0 {
|
||||
msg := sshServerMsg{Type: "data", Data: string(buf[:n])}
|
||||
b, _ := json.Marshal(msg)
|
||||
if writeErr := ws.Write(sessCtx, websocket.MessageText, b); writeErr != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
if readErr != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
// -- Pump WebSocket input → SSH stdin / resize --
|
||||
for {
|
||||
_, msgBytes, readErr := ws.Read(sessCtx)
|
||||
if readErr != nil {
|
||||
break
|
||||
}
|
||||
|
||||
var msg sshClientMsg
|
||||
if err := json.Unmarshal(msgBytes, &msg); err != nil {
|
||||
continue
|
||||
}
|
||||
|
||||
switch msg.Type {
|
||||
case "data":
|
||||
if _, err := stdinPipe.Write([]byte(msg.Data)); err != nil {
|
||||
return fmt.Errorf("write ssh stdin: %w", err)
|
||||
}
|
||||
case "resize":
|
||||
if msg.Cols > 0 && msg.Rows > 0 {
|
||||
_ = sess.WindowChange(int(msg.Rows), int(msg.Cols))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// sendSSHError sends an error message to the browser and logs it.
|
||||
func sendSSHError(ctx context.Context, ws *websocket.Conn, msg string) {
|
||||
logger.Debug("SSH error: %s", msg)
|
||||
b, _ := json.Marshal(sshServerMsg{Type: "error", Error: msg})
|
||||
_ = ws.Write(ctx, websocket.MessageText, b)
|
||||
}
|
||||
94
browsergateway/ssh_native.go
Normal file
94
browsergateway/ssh_native.go
Normal file
@@ -0,0 +1,94 @@
|
||||
//go:build !windows
|
||||
|
||||
package browsergateway
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
|
||||
"github.com/coder/websocket"
|
||||
"github.com/fosrl/newt/logger"
|
||||
"github.com/fosrl/newt/nativessh"
|
||||
)
|
||||
|
||||
// serveNativeSSHSession handles a WebSocket SSH session by authenticating the
|
||||
// user against the host OS (authorized_keys then PAM password) and then
|
||||
// spawning a PTY+shell running as that user.
|
||||
//
|
||||
// The auth frame from the browser must be a JSON sshClientMsg with type="auth"
|
||||
// carrying the same password/privateKey fields used by the proxy SSH path.
|
||||
// The target username is passed in from the HTTP layer (query param).
|
||||
func serveNativeSSHSession(ctx context.Context, ws *websocket.Conn, username string, creds *nativessh.CredentialStore) error {
|
||||
// Read the auth frame.
|
||||
_, authBytes, err := ws.Read(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("read auth message: %w", err)
|
||||
}
|
||||
var authMsg sshClientMsg
|
||||
if err := json.Unmarshal(authBytes, &authMsg); err != nil || authMsg.Type != "auth" {
|
||||
return fmt.Errorf("expected auth message, got: %s", authBytes)
|
||||
}
|
||||
|
||||
// Authenticate using host authorized_keys or PAM password.
|
||||
if err := nativessh.AuthenticateWithCertificate(creds, username, authMsg.Password, authMsg.PrivateKey, authMsg.Certificate); err != nil {
|
||||
sendSSHError(ctx, ws, "Authentication failed")
|
||||
return fmt.Errorf("auth for user %q: %w", username, err)
|
||||
}
|
||||
|
||||
logger.Debug("SSH native: spawning shell as user %q", username)
|
||||
|
||||
sess, err := nativessh.NewPTYSessionAs(username)
|
||||
if err != nil {
|
||||
sendSSHError(ctx, ws, fmt.Sprintf("Failed to spawn shell: %v", err))
|
||||
return fmt.Errorf("pty session as %q: %w", username, err)
|
||||
}
|
||||
defer sess.Close()
|
||||
|
||||
// Cancel context to unblock the WebSocket read loop when the shell exits.
|
||||
sessCtx, cancelSess := context.WithCancel(ctx)
|
||||
defer cancelSess()
|
||||
|
||||
// Pump PTY output → WebSocket.
|
||||
go func() {
|
||||
defer cancelSess()
|
||||
buf := make([]byte, 4096)
|
||||
for {
|
||||
n, readErr := sess.Read(buf)
|
||||
if n > 0 {
|
||||
msg := sshServerMsg{Type: "data", Data: string(buf[:n])}
|
||||
b, _ := json.Marshal(msg)
|
||||
if writeErr := ws.Write(sessCtx, websocket.MessageText, b); writeErr != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
if readErr != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
// Pump WebSocket input → PTY stdin / resize.
|
||||
for {
|
||||
_, msgBytes, readErr := ws.Read(sessCtx)
|
||||
if readErr != nil {
|
||||
break
|
||||
}
|
||||
var msg sshClientMsg
|
||||
if err := json.Unmarshal(msgBytes, &msg); err != nil {
|
||||
continue
|
||||
}
|
||||
switch msg.Type {
|
||||
case "data":
|
||||
if _, writeErr := sess.Write([]byte(msg.Data)); writeErr != nil {
|
||||
return fmt.Errorf("write pty: %w", writeErr)
|
||||
}
|
||||
case "resize":
|
||||
if msg.Cols > 0 && msg.Rows > 0 {
|
||||
_ = sess.Resize(uint16(msg.Cols), uint16(msg.Rows))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
16
browsergateway/ssh_native_windows.go
Normal file
16
browsergateway/ssh_native_windows.go
Normal file
@@ -0,0 +1,16 @@
|
||||
//go:build windows
|
||||
|
||||
package browsergateway
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
|
||||
"github.com/coder/websocket"
|
||||
"github.com/fosrl/newt/nativessh"
|
||||
)
|
||||
|
||||
// serveNativeSSHSession is not supported on Windows.
|
||||
func serveNativeSSHSession(_ context.Context, _ *websocket.Conn, _ string, _ *nativessh.CredentialStore) error {
|
||||
return errors.New("native SSH is not supported on Windows")
|
||||
}
|
||||
125
browsergateway/vnc.go
Normal file
125
browsergateway/vnc.go
Normal file
@@ -0,0 +1,125 @@
|
||||
package browsergateway
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/coder/websocket"
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
const (
|
||||
vncDialTimeout = 10 * time.Second
|
||||
vncKeepAlive = 30 * time.Second
|
||||
vncForwardBufSize = 32 * 1024
|
||||
)
|
||||
|
||||
// handleVNC proxies a noVNC WebSocket connection to a raw TCP VNC backend.
|
||||
// It follows the same auth-token-in-query-param pattern as handleSSH.
|
||||
//
|
||||
// Query parameters:
|
||||
//
|
||||
// authToken – shared secret matching the -auth-token flag
|
||||
// host – VNC backend hostname or IP
|
||||
// port – VNC backend port (default: 5900)
|
||||
func (g *Gateway) handleVNC(w http.ResponseWriter, r *http.Request) {
|
||||
host := r.URL.Query().Get("host")
|
||||
port := r.URL.Query().Get("port")
|
||||
if host == "" {
|
||||
http.Error(w, "missing host", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if port == "" {
|
||||
port = "5900"
|
||||
}
|
||||
vncPort, _ := strconv.Atoi(port)
|
||||
authToken := r.URL.Query().Get("authToken")
|
||||
if !g.isAllowed("vnc", host, vncPort, authToken) {
|
||||
http.Error(w, "destination not allowed or auth token mismatch", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
target := net.JoinHostPort(host, port)
|
||||
|
||||
// Optional HTTP probe used by the web UI to surface backend reachability
|
||||
// failures before attempting a WebSocket session.
|
||||
if r.URL.Query().Get("checkOnly") == "1" {
|
||||
if err := dialVNCBackend(r.Context(), target); err != nil {
|
||||
logger.Debug("vnc: preflight failed (%s): %v", target, err)
|
||||
http.Error(w, fmt.Sprintf("failed to connect to VNC backend: %v", err), http.StatusBadGateway)
|
||||
return
|
||||
}
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
return
|
||||
}
|
||||
|
||||
// Accept the WebSocket. noVNC negotiates the "binary" subprotocol;
|
||||
// fall back gracefully when the client sends "base64" as well.
|
||||
ws, err := websocket.Accept(w, r, &websocket.AcceptOptions{
|
||||
InsecureSkipVerify: true,
|
||||
Subprotocols: []string{"binary", "base64"},
|
||||
})
|
||||
if err != nil {
|
||||
logger.Debug("vnc: websocket upgrade failed: %v", err)
|
||||
return
|
||||
}
|
||||
ws.SetReadLimit(-1)
|
||||
defer ws.CloseNow() //nolint:errcheck
|
||||
|
||||
ctx := r.Context()
|
||||
if err := serveVNC(ctx, ws, target); err != nil {
|
||||
logger.Debug("vnc: session error (%s): %v", target, err)
|
||||
}
|
||||
}
|
||||
|
||||
func dialVNCBackend(ctx context.Context, target string) error {
|
||||
dialer := &net.Dialer{
|
||||
Timeout: vncDialTimeout,
|
||||
KeepAlive: vncKeepAlive,
|
||||
}
|
||||
conn, err := dialer.DialContext(ctx, "tcp", target)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer conn.Close() //nolint:errcheck
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func serveVNC(ctx context.Context, ws *websocket.Conn, target string) error {
|
||||
// Dial the VNC backend TCP server.
|
||||
dialer := &net.Dialer{
|
||||
Timeout: vncDialTimeout,
|
||||
KeepAlive: vncKeepAlive,
|
||||
}
|
||||
conn, err := dialer.DialContext(ctx, "tcp", target)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer conn.Close() //nolint:errcheck
|
||||
|
||||
// Expose the WebSocket as a plain net.Conn byte stream (binary frames).
|
||||
stream := websocket.NetConn(ctx, ws, websocket.MessageBinary)
|
||||
defer stream.Close() //nolint:errcheck
|
||||
|
||||
// Proxy bidirectionally: VNC backend <-> browser.
|
||||
errc := make(chan error, 2)
|
||||
go func() {
|
||||
buf := make([]byte, vncForwardBufSize)
|
||||
_, err := io.CopyBuffer(conn, stream, buf)
|
||||
errc <- err
|
||||
}()
|
||||
go func() {
|
||||
buf := make([]byte, vncForwardBufSize)
|
||||
_, err := io.CopyBuffer(stream, conn, buf)
|
||||
errc <- err
|
||||
}()
|
||||
|
||||
// Return when either direction closes.
|
||||
err = <-errc
|
||||
return err
|
||||
}
|
||||
20
clients.go
20
clients.go
@@ -7,6 +7,7 @@ import (
|
||||
wgnetstack "github.com/fosrl/newt/clients"
|
||||
"github.com/fosrl/newt/clients/permissions"
|
||||
"github.com/fosrl/newt/logger"
|
||||
"github.com/fosrl/newt/nativessh"
|
||||
"github.com/fosrl/newt/websocket"
|
||||
"golang.zx2c4.com/wireguard/tun/netstack"
|
||||
)
|
||||
@@ -14,7 +15,7 @@ import (
|
||||
var wgService *clients.WireGuardService
|
||||
var ready bool
|
||||
|
||||
func setupClients(client *websocket.Client) {
|
||||
func setupClients(client *websocket.Client, credStore *nativessh.CredentialStore) {
|
||||
var host = endpoint
|
||||
if strings.HasPrefix(host, "http://") {
|
||||
host = strings.TrimPrefix(host, "http://")
|
||||
@@ -24,7 +25,7 @@ func setupClients(client *websocket.Client) {
|
||||
|
||||
host = strings.TrimSuffix(host, "/")
|
||||
|
||||
logger.Info("Setting up clients with netstack2...")
|
||||
logger.Debug("Setting up clients with netstack2...")
|
||||
|
||||
// if useNativeInterface is true make sure we have permission to use native interface
|
||||
if useNativeInterface {
|
||||
@@ -37,11 +38,13 @@ func setupClients(client *websocket.Client) {
|
||||
}
|
||||
|
||||
// Create WireGuard service
|
||||
wgService, err = wgnetstack.NewWireGuardService(interfaceName, mtuInt, host, id, client, dns, useNativeInterface)
|
||||
wgService, err = wgnetstack.NewWireGuardService(interfaceName, port, mtuInt, host, id, client, dns, useNativeInterface)
|
||||
if err != nil {
|
||||
logger.Fatal("Failed to create WireGuard service: %v", err)
|
||||
}
|
||||
|
||||
wgService.SetCredentialStore(credStore)
|
||||
|
||||
client.OnTokenUpdate(func(token string) {
|
||||
wgService.SetToken(token)
|
||||
})
|
||||
@@ -63,7 +66,14 @@ func closeClients() {
|
||||
}
|
||||
}
|
||||
|
||||
func clientsHandleNewtConnection(publicKey string, endpoint string) {
|
||||
// setClientsBlocked enables or disables connection blocking on the WireGuard service.
|
||||
func setClientsBlocked(v bool) {
|
||||
if wgService != nil {
|
||||
wgService.SetBlocked(v)
|
||||
}
|
||||
}
|
||||
|
||||
func clientsHandleNewtConnection(publicKey string, endpoint string, relayPort uint16) {
|
||||
if !ready {
|
||||
return
|
||||
}
|
||||
@@ -77,7 +87,7 @@ func clientsHandleNewtConnection(publicKey string, endpoint string) {
|
||||
endpoint = strings.Join(parts[:len(parts)-1], ":")
|
||||
|
||||
if wgService != nil {
|
||||
wgService.StartHolepunch(publicKey, endpoint)
|
||||
wgService.StartHolepunch(publicKey, endpoint, relayPort)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -2,6 +2,8 @@ package clients
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net"
|
||||
@@ -11,12 +13,14 @@ import (
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"sync/atomic"
|
||||
"time"
|
||||
|
||||
"github.com/fosrl/newt/bind"
|
||||
newtDevice "github.com/fosrl/newt/device"
|
||||
"github.com/fosrl/newt/holepunch"
|
||||
"github.com/fosrl/newt/logger"
|
||||
"github.com/fosrl/newt/nativessh"
|
||||
"github.com/fosrl/newt/netstack2"
|
||||
"github.com/fosrl/newt/network"
|
||||
"github.com/fosrl/newt/util"
|
||||
@@ -34,18 +38,27 @@ type WgConfig struct {
|
||||
IpAddress string `json:"ipAddress"`
|
||||
Peers []Peer `json:"peers"`
|
||||
Targets []Target `json:"targets"`
|
||||
ChainId string `json:"chainId"`
|
||||
}
|
||||
|
||||
type Target struct {
|
||||
SourcePrefix string `json:"sourcePrefix"`
|
||||
DestPrefix string `json:"destPrefix"`
|
||||
RewriteTo string `json:"rewriteTo,omitempty"`
|
||||
PortRange []PortRange `json:"portRange,omitempty"`
|
||||
SourcePrefix string `json:"sourcePrefix"`
|
||||
SourcePrefixes []string `json:"sourcePrefixes"`
|
||||
DestPrefix string `json:"destPrefix"`
|
||||
RewriteTo string `json:"rewriteTo,omitempty"`
|
||||
DisableIcmp bool `json:"disableIcmp,omitempty"`
|
||||
PortRange []PortRange `json:"portRange,omitempty"`
|
||||
ResourceId int `json:"resourceId,omitempty"`
|
||||
Protocol string `json:"protocol,omitempty"` // for now practicably either http or https
|
||||
HTTPTargets []netstack2.HTTPTarget `json:"httpTargets,omitempty"` // for http protocol, list of downstream services to load balance across
|
||||
TLSCert string `json:"tlsCert,omitempty"` // PEM-encoded certificate for incoming HTTPS termination
|
||||
TLSKey string `json:"tlsKey,omitempty"` // PEM-encoded private key for incoming HTTPS termination
|
||||
}
|
||||
|
||||
type PortRange struct {
|
||||
Min uint16 `json:"min"`
|
||||
Max uint16 `json:"max"`
|
||||
Min uint16 `json:"min"`
|
||||
Max uint16 `json:"max"`
|
||||
Protocol string `json:"protocol"` // "tcp" or "udp"
|
||||
}
|
||||
|
||||
type Peer struct {
|
||||
@@ -67,19 +80,20 @@ type PeerReading struct {
|
||||
}
|
||||
|
||||
type WireGuardService struct {
|
||||
interfaceName string
|
||||
mtu int
|
||||
client *websocket.Client
|
||||
config WgConfig
|
||||
key wgtypes.Key
|
||||
newtId string
|
||||
lastReadings map[string]PeerReading
|
||||
mu sync.Mutex
|
||||
Port uint16
|
||||
host string
|
||||
serverPubKey string
|
||||
token string
|
||||
stopGetConfig func()
|
||||
interfaceName string
|
||||
mtu int
|
||||
client *websocket.Client
|
||||
config WgConfig
|
||||
key wgtypes.Key
|
||||
newtId string
|
||||
lastReadings map[string]PeerReading
|
||||
mu sync.Mutex
|
||||
Port uint16
|
||||
host string
|
||||
serverPubKey string
|
||||
token string
|
||||
stopGetConfig func()
|
||||
pendingConfigChainId string
|
||||
// Netstack fields
|
||||
tun tun.Device
|
||||
tnet *netstack2.Net
|
||||
@@ -96,25 +110,40 @@ type WireGuardService struct {
|
||||
sharedBind *bind.SharedBind
|
||||
holePunchManager *holepunch.Manager
|
||||
useNativeInterface bool
|
||||
// SSH server running on the clients' netstack
|
||||
sshServer *sshServerHandle
|
||||
credStore *nativessh.CredentialStore
|
||||
// Direct UDP relay from main tunnel to clients' WireGuard
|
||||
directRelayStop chan struct{}
|
||||
directRelayWg sync.WaitGroup
|
||||
netstackListener net.PacketConn
|
||||
netstackListenerMu sync.Mutex
|
||||
wgTesterServer *wgtester.Server
|
||||
|
||||
// connection blocking: when true, all new incoming connections are dropped
|
||||
blocked atomic.Bool
|
||||
}
|
||||
|
||||
func NewWireGuardService(interfaceName string, mtu int, host string, newtId string, wsClient *websocket.Client, dns string, useNativeInterface bool) (*WireGuardService, error) {
|
||||
// generateChainId generates a random chain ID for deduplicating round-trip messages.
|
||||
func generateChainId() string {
|
||||
b := make([]byte, 8)
|
||||
_, _ = rand.Read(b)
|
||||
return hex.EncodeToString(b)
|
||||
}
|
||||
|
||||
func NewWireGuardService(interfaceName string, port uint16, mtu int, host string, newtId string, wsClient *websocket.Client, dns string, useNativeInterface bool) (*WireGuardService, error) {
|
||||
key, err := wgtypes.GeneratePrivateKey()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to generate private key: %v", err)
|
||||
}
|
||||
|
||||
// Find an available port
|
||||
port, err := util.FindAvailableUDPPort(49152, 65535)
|
||||
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error finding available port: %v", err)
|
||||
if port == 0 {
|
||||
// Find an available port
|
||||
portRandom, err := util.FindAvailableUDPPort(49152, 65535)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error finding available port: %v", err)
|
||||
}
|
||||
port = uint16(portRandom)
|
||||
}
|
||||
|
||||
// Create shared UDP socket for both holepunch and WireGuard
|
||||
@@ -137,7 +166,7 @@ func NewWireGuardService(interfaceName string, mtu int, host string, newtId stri
|
||||
// Add a reference for the hole punch manager (creator already has one reference for WireGuard)
|
||||
sharedBind.AddRef()
|
||||
|
||||
logger.Info("Created shared UDP socket on port %d (refcount: %d)", port, sharedBind.GetRefCount())
|
||||
logger.Debug("Created shared UDP socket on port %d (refcount: %d)", port, sharedBind.GetRefCount())
|
||||
|
||||
// Parse DNS addresses
|
||||
dnsAddrs := []netip.Addr{netip.MustParseAddr(dns)}
|
||||
@@ -156,9 +185,8 @@ func NewWireGuardService(interfaceName string, mtu int, host string, newtId stri
|
||||
useNativeInterface: useNativeInterface,
|
||||
}
|
||||
|
||||
// Create the holepunch manager with ResolveDomain function
|
||||
// We'll need to pass a domain resolver function
|
||||
service.holePunchManager = holepunch.NewManager(sharedBind, newtId, "newt", key.PublicKey().String())
|
||||
// Create the holepunch manager
|
||||
service.holePunchManager = holepunch.NewManager(sharedBind, newtId, "newt", key.PublicKey().String(), nil)
|
||||
|
||||
// Register websocket handlers
|
||||
wsClient.RegisterHandler("newt/wg/receive-config", service.handleConfig)
|
||||
@@ -168,10 +196,18 @@ func NewWireGuardService(interfaceName string, mtu int, host string, newtId stri
|
||||
wsClient.RegisterHandler("newt/wg/targets/add", service.handleAddTarget)
|
||||
wsClient.RegisterHandler("newt/wg/targets/remove", service.handleRemoveTarget)
|
||||
wsClient.RegisterHandler("newt/wg/targets/update", service.handleUpdateTarget)
|
||||
wsClient.RegisterHandler("newt/wg/sync", service.handleSyncConfig)
|
||||
|
||||
return service, nil
|
||||
}
|
||||
|
||||
// SetCredentialStore sets the in-memory SSH credential store used by the
|
||||
// native SSH server. It must be called before the netstack is configured
|
||||
// (i.e. before the first newt/wg/receive-config message is processed).
|
||||
func (s *WireGuardService) SetCredentialStore(store *nativessh.CredentialStore) {
|
||||
s.credStore = store
|
||||
}
|
||||
|
||||
// ReportRTT allows reporting native RTTs to telemetry, rate-limited externally.
|
||||
func (s *WireGuardService) ReportRTT(seconds float64) {
|
||||
if s.serverPubKey == "" {
|
||||
@@ -190,6 +226,21 @@ func (s *WireGuardService) Close() {
|
||||
s.stopGetConfig = nil
|
||||
}
|
||||
|
||||
// Stop SSH server before tearing down the netstack
|
||||
if s.sshServer != nil {
|
||||
s.sshServer.stop()
|
||||
s.sshServer = nil
|
||||
}
|
||||
|
||||
// Flush access logs before tearing down the tunnel
|
||||
if s.tnet != nil {
|
||||
if ph := s.tnet.GetProxyHandler(); ph != nil {
|
||||
if al := ph.GetAccessLogger(); al != nil {
|
||||
al.Close()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Stop the direct UDP relay first
|
||||
s.StopDirectUDPRelay()
|
||||
|
||||
@@ -256,6 +307,21 @@ func (s *WireGuardService) GetPublicKey() wgtypes.Key {
|
||||
return s.key.PublicKey()
|
||||
}
|
||||
|
||||
// SetBlocked enables or disables connection blocking for this WireGuard service.
|
||||
// The state is persisted and applied immediately to any active proxy handler.
|
||||
func (s *WireGuardService) SetBlocked(v bool) {
|
||||
s.blocked.Store(v)
|
||||
s.mu.Lock()
|
||||
tnet := s.tnet
|
||||
s.mu.Unlock()
|
||||
if tnet == nil {
|
||||
return
|
||||
}
|
||||
if ph := tnet.GetProxyHandler(); ph != nil {
|
||||
ph.SetBlocked(v)
|
||||
}
|
||||
}
|
||||
|
||||
// SetOnNetstackReady sets a callback function to be called when the netstack interface is ready
|
||||
func (s *WireGuardService) SetOnNetstackReady(callback func(*netstack2.Net)) {
|
||||
s.onNetstackReady = callback
|
||||
@@ -266,16 +332,21 @@ func (s *WireGuardService) SetOnNetstackClose(callback func()) {
|
||||
}
|
||||
|
||||
// StartHolepunch starts hole punching to a specific endpoint
|
||||
func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string) {
|
||||
func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string, relayPort uint16) {
|
||||
if s.holePunchManager == nil {
|
||||
logger.Warn("Hole punch manager not initialized")
|
||||
return
|
||||
}
|
||||
|
||||
if relayPort == 0 {
|
||||
relayPort = 21820
|
||||
}
|
||||
|
||||
// Convert websocket.ExitNode to holepunch.ExitNode
|
||||
hpExitNodes := []holepunch.ExitNode{
|
||||
{
|
||||
Endpoint: endpoint,
|
||||
RelayPort: relayPort,
|
||||
PublicKey: publicKey,
|
||||
},
|
||||
}
|
||||
@@ -285,7 +356,7 @@ func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string) {
|
||||
logger.Warn("Failed to start hole punch: %v", err)
|
||||
}
|
||||
|
||||
logger.Info("Starting hole punch to %s with public key: %s", endpoint, publicKey)
|
||||
logger.Debug("Starting hole punch to %s with public key: %s", endpoint, publicKey)
|
||||
}
|
||||
|
||||
// StartDirectUDPRelay starts a direct UDP relay from the main tunnel netstack to the clients' WireGuard.
|
||||
@@ -332,7 +403,7 @@ func (s *WireGuardService) StartDirectUDPRelay(tunnelIP string) error {
|
||||
// Set the netstack connection on the SharedBind so responses go back through the tunnel
|
||||
s.sharedBind.SetNetstackConn(listener)
|
||||
|
||||
logger.Info("Started direct UDP relay on %s:%d (bidirectional via SharedBind)", tunnelIP, s.Port)
|
||||
logger.Debug("Started direct UDP relay on %s:%d (bidirectional via SharedBind)", tunnelIP, s.Port)
|
||||
|
||||
// Start the relay goroutine to read from netstack and inject into SharedBind
|
||||
s.directRelayWg.Add(1)
|
||||
@@ -350,7 +421,7 @@ func (s *WireGuardService) runDirectUDPRelay(listener net.PacketConn) {
|
||||
// Note: Don't close listener here - it's also used by SharedBind for sending responses
|
||||
// It will be closed when the relay is stopped
|
||||
|
||||
logger.Info("Direct UDP relay started (bidirectional through SharedBind)")
|
||||
logger.Debug("Direct UDP relay started (bidirectional through SharedBind)")
|
||||
|
||||
buf := make([]byte, 65535) // Max UDP packet size
|
||||
|
||||
@@ -431,12 +502,15 @@ func (s *WireGuardService) LoadRemoteConfig() error {
|
||||
s.stopGetConfig()
|
||||
s.stopGetConfig = nil
|
||||
}
|
||||
chainId := generateChainId()
|
||||
s.pendingConfigChainId = chainId
|
||||
s.stopGetConfig = s.client.SendMessageInterval("newt/wg/get-config", map[string]interface{}{
|
||||
"publicKey": s.key.PublicKey().String(),
|
||||
"port": s.Port,
|
||||
"chainId": chainId,
|
||||
}, 2*time.Second)
|
||||
|
||||
logger.Info("Requesting WireGuard configuration from remote server")
|
||||
logger.Debug("Requesting WireGuard configuration from remote server")
|
||||
go s.periodicBandwidthCheck()
|
||||
|
||||
return nil
|
||||
@@ -446,7 +520,7 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
|
||||
var config WgConfig
|
||||
|
||||
logger.Debug("Received message: %v", msg)
|
||||
logger.Info("Received WireGuard clients configuration from remote server")
|
||||
logger.Debug("Received WireGuard clients configuration from remote server")
|
||||
|
||||
jsonData, err := json.Marshal(msg.Data)
|
||||
if err != nil {
|
||||
@@ -458,6 +532,17 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
|
||||
logger.Info("Error unmarshaling target data: %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
// Deduplicate using chainId: discard responses that don't match the
|
||||
// pending request, or that we have already processed.
|
||||
if config.ChainId != "" {
|
||||
if config.ChainId != s.pendingConfigChainId {
|
||||
logger.Debug("Discarding duplicate/stale newt/wg/get-config response (chainId=%s, expected=%s)", config.ChainId, s.pendingConfigChainId)
|
||||
return
|
||||
}
|
||||
s.pendingConfigChainId = "" // consume – further duplicates are rejected
|
||||
}
|
||||
|
||||
s.config = config
|
||||
|
||||
if s.stopGetConfig != nil {
|
||||
@@ -468,6 +553,8 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
|
||||
// Ensure the WireGuard interface and peers are configured
|
||||
if err := s.ensureWireguardInterface(config); err != nil {
|
||||
logger.Error("Failed to ensure WireGuard interface: %v", err)
|
||||
logger.Error("Clients functionality will be disabled until the interface can be created")
|
||||
return
|
||||
}
|
||||
|
||||
if err := s.ensureWireguardPeers(config.Peers); err != nil {
|
||||
@@ -477,6 +564,196 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
|
||||
if err := s.ensureTargets(config.Targets); err != nil {
|
||||
logger.Error("Failed to ensure WireGuard targets: %v", err)
|
||||
}
|
||||
|
||||
logger.Info("Client connectivity setup. Ready to accept connections from clients!")
|
||||
}
|
||||
|
||||
// SyncConfig represents the configuration sent from server for syncing
|
||||
type SyncConfig struct {
|
||||
Targets []Target `json:"targets"`
|
||||
Peers []Peer `json:"peers"`
|
||||
}
|
||||
|
||||
func (s *WireGuardService) handleSyncConfig(msg websocket.WSMessage) {
|
||||
var syncConfig SyncConfig
|
||||
|
||||
logger.Debug("Received sync message: %v", msg)
|
||||
logger.Info("Received sync configuration from remote server")
|
||||
|
||||
jsonData, err := json.Marshal(msg.Data)
|
||||
if err != nil {
|
||||
logger.Error("Error marshaling sync data: %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
if err := json.Unmarshal(jsonData, &syncConfig); err != nil {
|
||||
logger.Error("Error unmarshaling sync data: %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
// Sync peers
|
||||
if err := s.syncPeers(syncConfig.Peers); err != nil {
|
||||
logger.Error("Failed to sync peers: %v", err)
|
||||
}
|
||||
|
||||
// Sync targets
|
||||
if err := s.syncTargets(syncConfig.Targets); err != nil {
|
||||
logger.Error("Failed to sync targets: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// syncPeers synchronizes the current peers with the desired state
|
||||
// It removes peers not in the desired list and adds missing ones
|
||||
func (s *WireGuardService) syncPeers(desiredPeers []Peer) error {
|
||||
if s.device == nil {
|
||||
return fmt.Errorf("WireGuard device is not initialized")
|
||||
}
|
||||
|
||||
// Get current peers from the device
|
||||
currentConfig, err := s.device.IpcGet()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get current device config: %v", err)
|
||||
}
|
||||
|
||||
// Parse current peer public keys
|
||||
lines := strings.Split(currentConfig, "\n")
|
||||
currentPeerKeys := make(map[string]bool)
|
||||
for _, line := range lines {
|
||||
if strings.HasPrefix(line, "public_key=") {
|
||||
pubKey := strings.TrimPrefix(line, "public_key=")
|
||||
currentPeerKeys[pubKey] = true
|
||||
}
|
||||
}
|
||||
|
||||
// Build a map of desired peers by their public key (normalized)
|
||||
desiredPeerMap := make(map[string]Peer)
|
||||
for _, peer := range desiredPeers {
|
||||
// Normalize the public key for comparison
|
||||
pubKey, err := wgtypes.ParseKey(peer.PublicKey)
|
||||
if err != nil {
|
||||
logger.Warn("Invalid public key in desired peers: %s", peer.PublicKey)
|
||||
continue
|
||||
}
|
||||
normalizedKey := util.FixKey(pubKey.String())
|
||||
desiredPeerMap[normalizedKey] = peer
|
||||
}
|
||||
|
||||
// Remove peers that are not in the desired list
|
||||
for currentKey := range currentPeerKeys {
|
||||
if _, exists := desiredPeerMap[currentKey]; !exists {
|
||||
// Parse the key back to get the original format for removal
|
||||
removeConfig := fmt.Sprintf("public_key=%s\nremove=true", currentKey)
|
||||
if err := s.device.IpcSet(removeConfig); err != nil {
|
||||
logger.Warn("Failed to remove peer %s during sync: %v", currentKey, err)
|
||||
} else {
|
||||
logger.Info("Removed peer %s during sync", currentKey)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Add peers that are missing
|
||||
for normalizedKey, peer := range desiredPeerMap {
|
||||
if _, exists := currentPeerKeys[normalizedKey]; !exists {
|
||||
if err := s.addPeerToDevice(peer); err != nil {
|
||||
logger.Warn("Failed to add peer %s during sync: %v", peer.PublicKey, err)
|
||||
} else {
|
||||
logger.Info("Added peer %s during sync", peer.PublicKey)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// syncTargets synchronizes the current targets with the desired state
|
||||
// It removes targets not in the desired list and adds missing ones
|
||||
func (s *WireGuardService) syncTargets(desiredTargets []Target) error {
|
||||
if s.tnet == nil {
|
||||
// Native interface mode - proxy features not available, skip silently
|
||||
logger.Debug("Skipping target sync - using native interface (no proxy support)")
|
||||
return nil
|
||||
}
|
||||
|
||||
// Get current rules from the proxy handler
|
||||
currentRules := s.tnet.GetProxySubnetRules()
|
||||
|
||||
// Build a map of current rules by source+dest prefix
|
||||
type ruleKey struct {
|
||||
sourcePrefix string
|
||||
destPrefix string
|
||||
}
|
||||
currentRuleMap := make(map[ruleKey]bool)
|
||||
for _, rule := range currentRules {
|
||||
key := ruleKey{
|
||||
sourcePrefix: rule.SourcePrefix.String(),
|
||||
destPrefix: rule.DestPrefix.String(),
|
||||
}
|
||||
currentRuleMap[key] = true
|
||||
}
|
||||
|
||||
// Build a map of desired targets
|
||||
desiredTargetMap := make(map[ruleKey]Target)
|
||||
for _, target := range desiredTargets {
|
||||
key := ruleKey{
|
||||
sourcePrefix: target.SourcePrefix,
|
||||
destPrefix: target.DestPrefix,
|
||||
}
|
||||
desiredTargetMap[key] = target
|
||||
}
|
||||
|
||||
// Remove targets that are not in the desired list
|
||||
for _, rule := range currentRules {
|
||||
key := ruleKey{
|
||||
sourcePrefix: rule.SourcePrefix.String(),
|
||||
destPrefix: rule.DestPrefix.String(),
|
||||
}
|
||||
if _, exists := desiredTargetMap[key]; !exists {
|
||||
s.tnet.RemoveProxySubnetRule(rule.SourcePrefix, rule.DestPrefix)
|
||||
logger.Info("Removed target %s -> %s during sync", rule.SourcePrefix.String(), rule.DestPrefix.String())
|
||||
}
|
||||
}
|
||||
|
||||
// Add targets that are missing
|
||||
for key, target := range desiredTargetMap {
|
||||
if _, exists := currentRuleMap[key]; !exists {
|
||||
sourcePrefix, err := netip.ParsePrefix(target.SourcePrefix)
|
||||
if err != nil {
|
||||
logger.Warn("Invalid source prefix %s during sync: %v", target.SourcePrefix, err)
|
||||
continue
|
||||
}
|
||||
|
||||
destPrefix, err := netip.ParsePrefix(target.DestPrefix)
|
||||
if err != nil {
|
||||
logger.Warn("Invalid dest prefix %s during sync: %v", target.DestPrefix, err)
|
||||
continue
|
||||
}
|
||||
|
||||
var portRanges []netstack2.PortRange
|
||||
for _, pr := range target.PortRange {
|
||||
portRanges = append(portRanges, netstack2.PortRange{
|
||||
Min: pr.Min,
|
||||
Max: pr.Max,
|
||||
Protocol: pr.Protocol,
|
||||
})
|
||||
}
|
||||
|
||||
s.tnet.AddProxySubnetRule(netstack2.SubnetRule{
|
||||
SourcePrefix: sourcePrefix,
|
||||
DestPrefix: destPrefix,
|
||||
RewriteTo: target.RewriteTo,
|
||||
PortRanges: portRanges,
|
||||
DisableIcmp: target.DisableIcmp,
|
||||
ResourceId: target.ResourceId,
|
||||
Protocol: target.Protocol,
|
||||
HTTPTargets: target.HTTPTargets,
|
||||
TLSCert: target.TLSCert,
|
||||
TLSKey: target.TLSKey,
|
||||
})
|
||||
logger.Info("Added target %s -> %s during sync", target.SourcePrefix, target.DestPrefix)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
|
||||
@@ -522,7 +799,7 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
|
||||
// Create WireGuard device using the shared bind
|
||||
s.device = device.NewDevice(s.tun, s.sharedBind, device.NewLogger(
|
||||
device.LogLevelSilent,
|
||||
"wireguard: ",
|
||||
"client-wireguard: ",
|
||||
))
|
||||
|
||||
fileUAPI, err := func() (*os.File, error) {
|
||||
@@ -590,8 +867,9 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
|
||||
s.dns,
|
||||
s.mtu,
|
||||
netstack2.NetTunOptions{
|
||||
EnableTCPProxy: true,
|
||||
EnableUDPProxy: true,
|
||||
EnableTCPProxy: true,
|
||||
EnableUDPProxy: true,
|
||||
EnableICMPProxy: true,
|
||||
},
|
||||
)
|
||||
if err != nil {
|
||||
@@ -601,6 +879,20 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
|
||||
|
||||
s.TunnelIP = tunnelIP.String()
|
||||
|
||||
// Configure the access log sender to ship compressed session logs via websocket
|
||||
s.tnet.SetAccessLogSender(func(data string) error {
|
||||
return s.client.SendMessageNoLog("newt/access-log", map[string]interface{}{
|
||||
"compressed": data,
|
||||
})
|
||||
})
|
||||
|
||||
// Configure the HTTP request log sender to ship compressed request logs via websocket
|
||||
s.tnet.SetHTTPRequestLogSender(func(data string) error {
|
||||
return s.client.SendMessageNoLog("newt/request-log", map[string]interface{}{
|
||||
"compressed": data,
|
||||
})
|
||||
})
|
||||
|
||||
// Create WireGuard device using the shared bind
|
||||
s.device = device.NewDevice(s.tun, s.sharedBind, device.NewLogger(
|
||||
device.LogLevelSilent, // Use silent logging by default - could be made configurable
|
||||
@@ -623,7 +915,7 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
|
||||
return fmt.Errorf("failed to bring up WireGuard device: %v", err)
|
||||
}
|
||||
|
||||
logger.Info("WireGuard netstack device created and configured")
|
||||
logger.Debug("WireGuard netstack device created and configured")
|
||||
|
||||
// Release the mutex before calling the callback
|
||||
s.mu.Unlock()
|
||||
@@ -634,7 +926,25 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
|
||||
logger.Error("Failed to start WireGuard tester server: %v", err)
|
||||
}
|
||||
|
||||
// Start the SSH server on the clients' netstack (port 22).
|
||||
// A nil credStore means SSH is disabled (--disable-ssh), so skip starting the server.
|
||||
if s.credStore != nil {
|
||||
if h, sshErr := startSSHOnNetstack(s.tnet, s.credStore); sshErr != nil {
|
||||
logger.Warn("nativessh: not starting SSH server on clients netstack: %v", sshErr)
|
||||
} else {
|
||||
s.sshServer = h
|
||||
}
|
||||
}
|
||||
|
||||
// Note: we already unlocked above, so don't use defer unlock
|
||||
|
||||
// Apply any pending blocked state to the newly created proxy handler
|
||||
if s.blocked.Load() {
|
||||
if ph := s.tnet.GetProxyHandler(); ph != nil {
|
||||
ph.SetBlocked(true)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -642,6 +952,11 @@ func (s *WireGuardService) ensureWireguardPeers(peers []Peer) error {
|
||||
// For netstack, we need to manage peers differently
|
||||
// We'll configure peers directly on the device using IPC
|
||||
|
||||
// Check if device is initialized
|
||||
if s.device == nil {
|
||||
return fmt.Errorf("WireGuard device is not initialized")
|
||||
}
|
||||
|
||||
// First, clear all existing peers by getting current config and removing them
|
||||
currentConfig, err := s.device.IpcGet()
|
||||
if err != nil {
|
||||
@@ -676,6 +991,19 @@ func (s *WireGuardService) ensureWireguardPeers(peers []Peer) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// resolveSourcePrefixes returns the effective list of source prefixes for a target,
|
||||
// supporting both the legacy single SourcePrefix field and the new SourcePrefixes array.
|
||||
// If SourcePrefixes is non-empty it takes precedence; otherwise SourcePrefix is used.
|
||||
func resolveSourcePrefixes(target Target) []string {
|
||||
if len(target.SourcePrefixes) > 0 {
|
||||
return target.SourcePrefixes
|
||||
}
|
||||
if target.SourcePrefix != "" {
|
||||
return []string{target.SourcePrefix}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *WireGuardService) ensureTargets(targets []Target) error {
|
||||
if s.tnet == nil {
|
||||
// Native interface mode - proxy features not available, skip silently
|
||||
@@ -684,11 +1012,6 @@ func (s *WireGuardService) ensureTargets(targets []Target) error {
|
||||
}
|
||||
|
||||
for _, target := range targets {
|
||||
sourcePrefix, err := netip.ParsePrefix(target.SourcePrefix)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid CIDR %s: %v", target.SourcePrefix, err)
|
||||
}
|
||||
|
||||
destPrefix, err := netip.ParsePrefix(target.DestPrefix)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid CIDR %s: %v", target.DestPrefix, err)
|
||||
@@ -697,14 +1020,31 @@ func (s *WireGuardService) ensureTargets(targets []Target) error {
|
||||
var portRanges []netstack2.PortRange
|
||||
for _, pr := range target.PortRange {
|
||||
portRanges = append(portRanges, netstack2.PortRange{
|
||||
Min: pr.Min,
|
||||
Max: pr.Max,
|
||||
Min: pr.Min,
|
||||
Max: pr.Max,
|
||||
Protocol: pr.Protocol,
|
||||
})
|
||||
}
|
||||
|
||||
s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges)
|
||||
|
||||
logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
|
||||
for _, sp := range resolveSourcePrefixes(target) {
|
||||
sourcePrefix, err := netip.ParsePrefix(sp)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid CIDR %s: %v", sp, err)
|
||||
}
|
||||
s.tnet.AddProxySubnetRule(netstack2.SubnetRule{
|
||||
SourcePrefix: sourcePrefix,
|
||||
DestPrefix: destPrefix,
|
||||
RewriteTo: target.RewriteTo,
|
||||
PortRanges: portRanges,
|
||||
DisableIcmp: target.DisableIcmp,
|
||||
ResourceId: target.ResourceId,
|
||||
Protocol: target.Protocol,
|
||||
HTTPTargets: target.HTTPTargets,
|
||||
TLSCert: target.TLSCert,
|
||||
TLSKey: target.TLSKey,
|
||||
})
|
||||
logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", sp, target.DestPrefix, target.RewriteTo, target.PortRange)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
@@ -1015,21 +1355,22 @@ func (s *WireGuardService) processPeerBandwidth(publicKey string, rxBytes, txByt
|
||||
// Update the last reading
|
||||
s.lastReadings[publicKey] = currentReading
|
||||
|
||||
return &PeerBandwidth{
|
||||
PublicKey: publicKey,
|
||||
BytesIn: bytesInMB,
|
||||
BytesOut: bytesOutMB,
|
||||
// Only return bandwidth data if there was an increase
|
||||
if bytesInDiff > 0 || bytesOutDiff > 0 {
|
||||
return &PeerBandwidth{
|
||||
PublicKey: publicKey,
|
||||
BytesIn: bytesInMB,
|
||||
BytesOut: bytesOutMB,
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
// For first reading or if readings are too close together, report 0
|
||||
// For first reading or if readings are too close together, don't report
|
||||
s.lastReadings[publicKey] = currentReading
|
||||
return &PeerBandwidth{
|
||||
PublicKey: publicKey,
|
||||
BytesIn: 0,
|
||||
BytesOut: 0,
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *WireGuardService) reportPeerBandwidth() error {
|
||||
@@ -1073,12 +1414,6 @@ func (s *WireGuardService) handleAddTarget(msg websocket.WSMessage) {
|
||||
|
||||
// Process all targets
|
||||
for _, target := range targets {
|
||||
sourcePrefix, err := netip.ParsePrefix(target.SourcePrefix)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", target.SourcePrefix, err)
|
||||
continue
|
||||
}
|
||||
|
||||
destPrefix, err := netip.ParsePrefix(target.DestPrefix)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", target.DestPrefix, err)
|
||||
@@ -1088,14 +1423,32 @@ func (s *WireGuardService) handleAddTarget(msg websocket.WSMessage) {
|
||||
var portRanges []netstack2.PortRange
|
||||
for _, pr := range target.PortRange {
|
||||
portRanges = append(portRanges, netstack2.PortRange{
|
||||
Min: pr.Min,
|
||||
Max: pr.Max,
|
||||
Min: pr.Min,
|
||||
Max: pr.Max,
|
||||
Protocol: pr.Protocol,
|
||||
})
|
||||
}
|
||||
|
||||
s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges)
|
||||
|
||||
logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
|
||||
for _, sp := range resolveSourcePrefixes(target) {
|
||||
sourcePrefix, err := netip.ParsePrefix(sp)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", sp, err)
|
||||
continue
|
||||
}
|
||||
s.tnet.AddProxySubnetRule(netstack2.SubnetRule{
|
||||
SourcePrefix: sourcePrefix,
|
||||
DestPrefix: destPrefix,
|
||||
RewriteTo: target.RewriteTo,
|
||||
PortRanges: portRanges,
|
||||
DisableIcmp: target.DisableIcmp,
|
||||
ResourceId: target.ResourceId,
|
||||
Protocol: target.Protocol,
|
||||
HTTPTargets: target.HTTPTargets,
|
||||
TLSCert: target.TLSCert,
|
||||
TLSKey: target.TLSKey,
|
||||
})
|
||||
logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", sp, target.DestPrefix, target.RewriteTo, target.PortRange)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1124,21 +1477,21 @@ func (s *WireGuardService) handleRemoveTarget(msg websocket.WSMessage) {
|
||||
|
||||
// Process all targets
|
||||
for _, target := range targets {
|
||||
sourcePrefix, err := netip.ParsePrefix(target.SourcePrefix)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", target.SourcePrefix, err)
|
||||
continue
|
||||
}
|
||||
|
||||
destPrefix, err := netip.ParsePrefix(target.DestPrefix)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", target.DestPrefix, err)
|
||||
continue
|
||||
}
|
||||
|
||||
s.tnet.RemoveProxySubnetRule(sourcePrefix, destPrefix)
|
||||
|
||||
logger.Info("Removed target subnet %s with destination %s", target.SourcePrefix, target.DestPrefix)
|
||||
for _, sp := range resolveSourcePrefixes(target) {
|
||||
sourcePrefix, err := netip.ParsePrefix(sp)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", sp, err)
|
||||
continue
|
||||
}
|
||||
s.tnet.RemoveProxySubnetRule(sourcePrefix, destPrefix)
|
||||
logger.Info("Removed target subnet %s with destination %s", sp, target.DestPrefix)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1172,30 +1525,24 @@ func (s *WireGuardService) handleUpdateTarget(msg websocket.WSMessage) {
|
||||
|
||||
// Process all update requests
|
||||
for _, target := range requests.OldTargets {
|
||||
sourcePrefix, err := netip.ParsePrefix(target.SourcePrefix)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", target.SourcePrefix, err)
|
||||
continue
|
||||
}
|
||||
|
||||
destPrefix, err := netip.ParsePrefix(target.DestPrefix)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", target.DestPrefix, err)
|
||||
continue
|
||||
}
|
||||
|
||||
s.tnet.RemoveProxySubnetRule(sourcePrefix, destPrefix)
|
||||
logger.Info("Removed target subnet %s with destination %s", target.SourcePrefix, target.DestPrefix)
|
||||
for _, sp := range resolveSourcePrefixes(target) {
|
||||
sourcePrefix, err := netip.ParsePrefix(sp)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", sp, err)
|
||||
continue
|
||||
}
|
||||
s.tnet.RemoveProxySubnetRule(sourcePrefix, destPrefix)
|
||||
logger.Info("Removed target subnet %s with destination %s", sp, target.DestPrefix)
|
||||
}
|
||||
}
|
||||
|
||||
for _, target := range requests.NewTargets {
|
||||
// Now add the new target
|
||||
sourcePrefix, err := netip.ParsePrefix(target.SourcePrefix)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", target.SourcePrefix, err)
|
||||
continue
|
||||
}
|
||||
|
||||
destPrefix, err := netip.ParsePrefix(target.DestPrefix)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", target.DestPrefix, err)
|
||||
@@ -1205,13 +1552,32 @@ func (s *WireGuardService) handleUpdateTarget(msg websocket.WSMessage) {
|
||||
var portRanges []netstack2.PortRange
|
||||
for _, pr := range target.PortRange {
|
||||
portRanges = append(portRanges, netstack2.PortRange{
|
||||
Min: pr.Min,
|
||||
Max: pr.Max,
|
||||
Min: pr.Min,
|
||||
Max: pr.Max,
|
||||
Protocol: pr.Protocol,
|
||||
})
|
||||
}
|
||||
|
||||
s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges)
|
||||
logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
|
||||
for _, sp := range resolveSourcePrefixes(target) {
|
||||
sourcePrefix, err := netip.ParsePrefix(sp)
|
||||
if err != nil {
|
||||
logger.Info("Invalid CIDR %s: %v", sp, err)
|
||||
continue
|
||||
}
|
||||
s.tnet.AddProxySubnetRule(netstack2.SubnetRule{
|
||||
SourcePrefix: sourcePrefix,
|
||||
DestPrefix: destPrefix,
|
||||
RewriteTo: target.RewriteTo,
|
||||
PortRanges: portRanges,
|
||||
DisableIcmp: target.DisableIcmp,
|
||||
ResourceId: target.ResourceId,
|
||||
Protocol: target.Protocol,
|
||||
HTTPTargets: target.HTTPTargets,
|
||||
TLSCert: target.TLSCert,
|
||||
TLSKey: target.TLSKey,
|
||||
})
|
||||
logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", sp, target.DestPrefix, target.RewriteTo, target.PortRange)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1251,3 +1617,33 @@ func (s *WireGuardService) filterReadOnlyFields(config string) string {
|
||||
|
||||
return strings.Join(filteredLines, "\n")
|
||||
}
|
||||
|
||||
// sshServerHandle holds the listener so the SSH server can be stopped by
|
||||
// closing it.
|
||||
type sshServerHandle struct {
|
||||
ln net.Listener
|
||||
}
|
||||
|
||||
func (h *sshServerHandle) stop() {
|
||||
_ = h.ln.Close()
|
||||
}
|
||||
|
||||
// startSSHOnNetstack creates a TCP listener on port 22 of the clients' netstack
|
||||
// and starts serving SSH connections on it in the background. The returned
|
||||
// handle can be used to stop the server by closing the listener.
|
||||
func startSSHOnNetstack(tnet *netstack2.Net, creds *nativessh.CredentialStore) (*sshServerHandle, error) {
|
||||
srv := nativessh.NewServer(nativessh.ServerConfig{
|
||||
Credentials: creds,
|
||||
})
|
||||
ln, err := tnet.ListenTCP(&net.TCPAddr{Port: 22})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("listen on netstack port 22: %w", err)
|
||||
}
|
||||
h := &sshServerHandle{ln: ln}
|
||||
go func() {
|
||||
if err := srv.Serve(ln); err != nil {
|
||||
logger.Debug("nativessh: clients netstack server stopped: %v", err)
|
||||
}
|
||||
}()
|
||||
return h, nil
|
||||
}
|
||||
|
||||
8
clients/permissions/permissions_android.go
Normal file
8
clients/permissions/permissions_android.go
Normal file
@@ -0,0 +1,8 @@
|
||||
//go:build android
|
||||
|
||||
package permissions
|
||||
|
||||
// CheckNativeInterfacePermissions always allows permission on Android.
|
||||
func CheckNativeInterfacePermissions() error {
|
||||
return nil
|
||||
}
|
||||
@@ -1,4 +1,4 @@
|
||||
//go:build darwin
|
||||
//go:build darwin && !ios
|
||||
|
||||
package permissions
|
||||
|
||||
|
||||
8
clients/permissions/permissions_ios.go
Normal file
8
clients/permissions/permissions_ios.go
Normal file
@@ -0,0 +1,8 @@
|
||||
//go:build ios
|
||||
|
||||
package permissions
|
||||
|
||||
// CheckNativeInterfacePermissions always allows permission on iOS.
|
||||
func CheckNativeInterfacePermissions() error {
|
||||
return nil
|
||||
}
|
||||
@@ -1,4 +1,4 @@
|
||||
//go:build linux
|
||||
//go:build linux && !android
|
||||
|
||||
package permissions
|
||||
|
||||
|
||||
@@ -6,14 +6,24 @@ import (
|
||||
"fmt"
|
||||
|
||||
"golang.org/x/sys/windows"
|
||||
"golang.org/x/sys/windows/svc"
|
||||
)
|
||||
|
||||
// CheckNativeInterfacePermissions checks if the process has sufficient
|
||||
// permissions to create a native TUN interface on Windows.
|
||||
// This requires Administrator privileges.
|
||||
// This requires Administrator privileges and must be running as a Windows service.
|
||||
func CheckNativeInterfacePermissions() error {
|
||||
// Check if running as a Windows service
|
||||
isService, err := svc.IsWindowsService()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to check if running as Windows service: %v", err)
|
||||
}
|
||||
if !isService {
|
||||
return fmt.Errorf("native TUN interface requires running as a Windows service")
|
||||
}
|
||||
|
||||
var sid *windows.SID
|
||||
err := windows.AllocateAndInitializeSid(
|
||||
err = windows.AllocateAndInitializeSid(
|
||||
&windows.SECURITY_NT_AUTHORITY,
|
||||
2,
|
||||
windows.SECURITY_BUILTIN_DOMAIN_RID,
|
||||
|
||||
247
common.go
247
common.go
@@ -5,8 +5,10 @@ import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
"regexp"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@@ -16,6 +18,7 @@ import (
|
||||
"github.com/fosrl/newt/logger"
|
||||
"github.com/fosrl/newt/proxy"
|
||||
"github.com/fosrl/newt/websocket"
|
||||
"github.com/fsnotify/fsnotify"
|
||||
"golang.org/x/net/icmp"
|
||||
"golang.org/x/net/ipv4"
|
||||
"golang.zx2c4.com/wireguard/tun/netstack"
|
||||
@@ -119,19 +122,11 @@ func reliablePing(tnet *netstack.Net, dst string, baseTimeout time.Duration, max
|
||||
totalLatency += latency
|
||||
successCount++
|
||||
|
||||
// If we get at least one success, we can return early for health checks
|
||||
if successCount > 0 {
|
||||
avgLatency := totalLatency / time.Duration(successCount)
|
||||
// logger.Debug("Reliable ping succeeded after %d attempts, avg latency: %v", attempt, avgLatency)
|
||||
return avgLatency, nil
|
||||
}
|
||||
// Return on first success
|
||||
return totalLatency / time.Duration(successCount), nil
|
||||
}
|
||||
|
||||
if successCount == 0 {
|
||||
return 0, fmt.Errorf("all %d ping attempts failed, last error: %v", maxAttempts, lastErr)
|
||||
}
|
||||
|
||||
return totalLatency / time.Duration(successCount), nil
|
||||
return 0, fmt.Errorf("all %d ping attempts failed, last error: %v", maxAttempts, lastErr)
|
||||
}
|
||||
|
||||
func pingWithRetry(tnet *netstack.Net, dst string, timeout time.Duration) (stopChan chan struct{}, err error) {
|
||||
@@ -206,6 +201,7 @@ func pingWithRetry(tnet *netstack.Net, dst string, timeout time.Duration) (stopC
|
||||
logger.Warn(msgHealthFileWriteFailed, err)
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
case <-pingStopChan:
|
||||
// Stop the goroutine when signaled
|
||||
@@ -218,6 +214,25 @@ func pingWithRetry(tnet *netstack.Net, dst string, timeout time.Duration) (stopC
|
||||
return stopChan, fmt.Errorf("initial ping attempts failed, continuing in background")
|
||||
}
|
||||
|
||||
// shouldFireRecovery decides whether the data-plane recovery flow in
|
||||
// startPingCheck should run on this tick. Recovery fires once when the
|
||||
// consecutive-failure counter first crosses the threshold; the connectionLost
|
||||
// flag prevents re-firing until a successful ping resets the state.
|
||||
//
|
||||
// This condition was previously inlined into startPingCheck and AND-ed with
|
||||
// `currentInterval < maxInterval`, which silently broke recovery once
|
||||
// pingInterval's default was bumped to 15s while maxInterval stayed at 6s
|
||||
// (commit 8161fa6, March 2026): the gate became permanently false on default
|
||||
// settings, so the recovery code never executed and ping failures climbed
|
||||
// forever — the proximate cause of fosrl/newt#284, #310 and pangolin#1004.
|
||||
//
|
||||
// Recovery and backoff are independent concerns; the backoff ramp is now
|
||||
// computed separately in the caller. Do not re-introduce currentInterval
|
||||
// here.
|
||||
func shouldFireRecovery(consecutiveFailures, failureThreshold int, connectionLost bool) bool {
|
||||
return consecutiveFailures >= failureThreshold && !connectionLost
|
||||
}
|
||||
|
||||
func startPingCheck(tnet *netstack.Net, serverIP string, client *websocket.Client, tunnelID string) chan struct{} {
|
||||
maxInterval := 6 * time.Second
|
||||
currentInterval := pingInterval
|
||||
@@ -277,35 +292,44 @@ func startPingCheck(tnet *netstack.Net, serverIP string, client *websocket.Clien
|
||||
|
||||
// More lenient threshold for declaring connection lost under load
|
||||
failureThreshold := 4
|
||||
if consecutiveFailures >= failureThreshold && currentInterval < maxInterval {
|
||||
if !connectionLost {
|
||||
connectionLost = true
|
||||
logger.Warn("Connection to server lost after %d failures. Continuous reconnection attempts will be made.", consecutiveFailures)
|
||||
if tunnelID != "" {
|
||||
telemetry.IncReconnect(context.Background(), tunnelID, "client", telemetry.ReasonTimeout)
|
||||
}
|
||||
stopFunc = client.SendMessageInterval("newt/ping/request", map[string]interface{}{}, 3*time.Second)
|
||||
// Send registration message to the server for backward compatibility
|
||||
err := client.SendMessage("newt/wg/register", map[string]interface{}{
|
||||
"publicKey": publicKey.String(),
|
||||
"backwardsCompatible": true,
|
||||
})
|
||||
if shouldFireRecovery(consecutiveFailures, failureThreshold, connectionLost) {
|
||||
connectionLost = true
|
||||
logger.Warn("Connection to server lost after %d failures. Continuous reconnection attempts will be made.", consecutiveFailures)
|
||||
if tunnelID != "" {
|
||||
telemetry.IncReconnect(context.Background(), tunnelID, "client", telemetry.ReasonTimeout)
|
||||
}
|
||||
pingChainId := generateChainId()
|
||||
pendingPingChainId = pingChainId
|
||||
stopFunc = client.SendMessageInterval("newt/ping/request", map[string]interface{}{
|
||||
"chainId": pingChainId,
|
||||
}, 3*time.Second)
|
||||
// Send registration message to the server for backward compatibility
|
||||
bcChainId := generateChainId()
|
||||
pendingRegisterChainId = bcChainId
|
||||
err := client.SendMessage("newt/wg/register", map[string]interface{}{
|
||||
"publicKey": publicKey.String(),
|
||||
"backwardsCompatible": true,
|
||||
"chainId": bcChainId,
|
||||
})
|
||||
if err != nil {
|
||||
logger.Error("Failed to send registration message: %v", err)
|
||||
}
|
||||
if healthFile != "" {
|
||||
err = os.Remove(healthFile)
|
||||
if err != nil {
|
||||
logger.Error("Failed to send registration message: %v", err)
|
||||
}
|
||||
if healthFile != "" {
|
||||
err = os.Remove(healthFile)
|
||||
if err != nil {
|
||||
logger.Error("Failed to remove health file: %v", err)
|
||||
}
|
||||
logger.Error("Failed to remove health file: %v", err)
|
||||
}
|
||||
}
|
||||
currentInterval = time.Duration(float64(currentInterval) * 1.3) // Slower increase
|
||||
}
|
||||
// Backoff: ramp the periodic-ping interval up while we are
|
||||
// past the failure threshold, capped at maxInterval. Kept
|
||||
// independent of the recovery trigger above so the trigger
|
||||
// fires on every outage regardless of pingInterval.
|
||||
if consecutiveFailures >= failureThreshold && currentInterval < maxInterval {
|
||||
currentInterval = time.Duration(float64(currentInterval) * 1.3)
|
||||
if currentInterval > maxInterval {
|
||||
currentInterval = maxInterval
|
||||
}
|
||||
ticker.Reset(currentInterval)
|
||||
logger.Debug("Increased ping check interval to %v due to consecutive failures", currentInterval)
|
||||
}
|
||||
} else {
|
||||
// Track recent latencies
|
||||
@@ -363,27 +387,62 @@ func parseTargetData(data interface{}) (TargetData, error) {
|
||||
return targetData, nil
|
||||
}
|
||||
|
||||
// parseTargetString parses a target string in the format "listenPort:host:targetPort"
|
||||
// It properly handles IPv6 addresses which must be in brackets: "listenPort:[ipv6]:targetPort"
|
||||
// Examples:
|
||||
// - IPv4: "3001:192.168.1.1:80"
|
||||
// - IPv6: "3001:[::1]:8080" or "3001:[fd70:1452:b736:4dd5:caca:7db9:c588:f5b3]:80"
|
||||
//
|
||||
// Returns listenPort, targetAddress (in host:port format suitable for net.Dial), and error
|
||||
func parseTargetString(target string) (int, string, error) {
|
||||
// Find the first colon to extract the listen port
|
||||
firstColon := strings.Index(target, ":")
|
||||
if firstColon == -1 {
|
||||
return 0, "", fmt.Errorf("invalid target format, no colon found: %s", target)
|
||||
}
|
||||
|
||||
listenPortStr := target[:firstColon]
|
||||
var listenPort int
|
||||
_, err := fmt.Sscanf(listenPortStr, "%d", &listenPort)
|
||||
if err != nil {
|
||||
return 0, "", fmt.Errorf("invalid listen port: %s", listenPortStr)
|
||||
}
|
||||
if listenPort <= 0 || listenPort > 65535 {
|
||||
return 0, "", fmt.Errorf("listen port out of range: %d", listenPort)
|
||||
}
|
||||
|
||||
// The remainder is host:targetPort - use net.SplitHostPort which handles IPv6 brackets
|
||||
remainder := target[firstColon+1:]
|
||||
host, targetPort, err := net.SplitHostPort(remainder)
|
||||
if err != nil {
|
||||
return 0, "", fmt.Errorf("invalid host:port format '%s': %w", remainder, err)
|
||||
}
|
||||
|
||||
// Reject empty host or target port
|
||||
if host == "" {
|
||||
return 0, "", fmt.Errorf("empty host in target: %s", target)
|
||||
}
|
||||
if targetPort == "" {
|
||||
return 0, "", fmt.Errorf("empty target port in target: %s", target)
|
||||
}
|
||||
|
||||
// Reconstruct the target address using JoinHostPort (handles IPv6 properly)
|
||||
targetAddr := net.JoinHostPort(host, targetPort)
|
||||
|
||||
return listenPort, targetAddr, nil
|
||||
}
|
||||
|
||||
func updateTargets(pm *proxy.ProxyManager, action string, tunnelIP string, proto string, targetData TargetData) error {
|
||||
for _, t := range targetData.Targets {
|
||||
// Split the first number off of the target with : separator and use as the port
|
||||
parts := strings.Split(t, ":")
|
||||
if len(parts) != 3 {
|
||||
logger.Info("Invalid target format: %s", t)
|
||||
continue
|
||||
}
|
||||
|
||||
// Get the port as an int
|
||||
port := 0
|
||||
_, err := fmt.Sscanf(parts[0], "%d", &port)
|
||||
// Parse the target string, handling both IPv4 and IPv6 addresses
|
||||
port, target, err := parseTargetString(t)
|
||||
if err != nil {
|
||||
logger.Info("Invalid port: %s", parts[0])
|
||||
logger.Info("Invalid target format: %s (%v)", t, err)
|
||||
continue
|
||||
}
|
||||
|
||||
switch action {
|
||||
case "add":
|
||||
target := parts[1] + ":" + parts[2]
|
||||
|
||||
// Call updown script if provided
|
||||
processedTarget := target
|
||||
if updownScript != "" {
|
||||
@@ -410,8 +469,6 @@ func updateTargets(pm *proxy.ProxyManager, action string, tunnelIP string, proto
|
||||
case "remove":
|
||||
logger.Info("Removing target with port %d", port)
|
||||
|
||||
target := parts[1] + ":" + parts[2]
|
||||
|
||||
// Call updown script if provided
|
||||
if updownScript != "" {
|
||||
_, err := executeUpdownScript(action, proto, target)
|
||||
@@ -420,7 +477,7 @@ func updateTargets(pm *proxy.ProxyManager, action string, tunnelIP string, proto
|
||||
}
|
||||
}
|
||||
|
||||
err := pm.RemoveTarget(proto, tunnelIP, port)
|
||||
err = pm.RemoveTarget(proto, tunnelIP, port)
|
||||
if err != nil {
|
||||
logger.Error("Failed to remove target: %v", err)
|
||||
return err
|
||||
@@ -475,15 +532,41 @@ func executeUpdownScript(action, proto, target string) (string, error) {
|
||||
return target, nil
|
||||
}
|
||||
|
||||
func sendBlueprint(client *websocket.Client) error {
|
||||
if blueprintFile == "" {
|
||||
// interpolateBlueprint finds all {{...}} tokens in the raw blueprint bytes and
|
||||
// replaces recognised schemes with their resolved values. Currently supported:
|
||||
//
|
||||
// - env.<VAR> – replaced with the value of the named environment variable
|
||||
//
|
||||
// Any token that does not match a supported scheme is left as-is so that
|
||||
// future schemes (e.g. tag., api.) are preserved rather than silently dropped.
|
||||
func interpolateBlueprint(data []byte) []byte {
|
||||
re := regexp.MustCompile(`\{\{([^}]+)\}\}`)
|
||||
return re.ReplaceAllFunc(data, func(match []byte) []byte {
|
||||
// strip the surrounding {{ }}
|
||||
inner := strings.TrimSpace(string(match[2 : len(match)-2]))
|
||||
|
||||
if strings.HasPrefix(inner, "env.") {
|
||||
varName := strings.TrimPrefix(inner, "env.")
|
||||
return []byte(os.Getenv(varName))
|
||||
}
|
||||
|
||||
// unrecognised scheme – leave the token untouched
|
||||
return match
|
||||
})
|
||||
}
|
||||
|
||||
func sendBlueprint(client *websocket.Client, file string) error {
|
||||
if file == "" {
|
||||
return nil
|
||||
}
|
||||
// try to read the blueprint file
|
||||
blueprintData, err := os.ReadFile(blueprintFile)
|
||||
blueprintData, err := os.ReadFile(file)
|
||||
if err != nil {
|
||||
logger.Error("Failed to read blueprint file: %v", err)
|
||||
} else {
|
||||
// interpolate {{env.VAR}} (and any future schemes) before parsing
|
||||
blueprintData = interpolateBlueprint(blueprintData)
|
||||
|
||||
// first we should convert the yaml to json and error if the yaml is bad
|
||||
var yamlObj interface{}
|
||||
var blueprintJsonData string
|
||||
@@ -518,3 +601,61 @@ func sendBlueprint(client *websocket.Client) error {
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func watchBlueprintFile(ctx context.Context, filePath string, send func() error) {
|
||||
watcher, err := fsnotify.NewWatcher()
|
||||
if err != nil {
|
||||
logger.Error("blueprint watcher: failed to create: %v", err)
|
||||
return
|
||||
}
|
||||
defer watcher.Close()
|
||||
|
||||
if err := watcher.Add(filePath); err != nil {
|
||||
logger.Error("blueprint watcher: failed to watch %s: %v", filePath, err)
|
||||
return
|
||||
}
|
||||
|
||||
logger.Info("Watching blueprint file for changes: %s", filePath)
|
||||
|
||||
var debounce *time.Timer
|
||||
scheduleSend := func() {
|
||||
if debounce != nil {
|
||||
debounce.Stop()
|
||||
}
|
||||
debounce = time.AfterFunc(500*time.Millisecond, func() {
|
||||
logger.Info("Blueprint file changed, resending...")
|
||||
if err := send(); err != nil {
|
||||
logger.Error("blueprint watcher: resend failed: %v", err)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
for {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
if debounce != nil {
|
||||
debounce.Stop()
|
||||
}
|
||||
return
|
||||
case event, ok := <-watcher.Events:
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
switch {
|
||||
case event.Has(fsnotify.Write) || event.Has(fsnotify.Create):
|
||||
if event.Has(fsnotify.Create) {
|
||||
_ = watcher.Add(filePath)
|
||||
}
|
||||
scheduleSend()
|
||||
case event.Has(fsnotify.Remove) || event.Has(fsnotify.Rename):
|
||||
_ = watcher.Add(filePath)
|
||||
scheduleSend()
|
||||
}
|
||||
case err, ok := <-watcher.Errors:
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
logger.Error("blueprint watcher: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
383
common_test.go
Normal file
383
common_test.go
Normal file
@@ -0,0 +1,383 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"sync/atomic"
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
func TestWatchBlueprintFile_WriteTriggersSend(t *testing.T) {
|
||||
f, err := os.CreateTemp(t.TempDir(), "blueprint-*.yaml")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
f.Close()
|
||||
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
|
||||
var calls atomic.Int32
|
||||
go watchBlueprintFile(ctx, f.Name(), func() error {
|
||||
calls.Add(1)
|
||||
return nil
|
||||
})
|
||||
|
||||
time.Sleep(50 * time.Millisecond)
|
||||
|
||||
if err := os.WriteFile(f.Name(), []byte("content"), 0644); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
time.Sleep(700 * time.Millisecond)
|
||||
|
||||
if calls.Load() != 1 {
|
||||
t.Errorf("expected 1 send call, got %d", calls.Load())
|
||||
}
|
||||
}
|
||||
|
||||
func TestWatchBlueprintFile_DebounceCoalescesEvents(t *testing.T) {
|
||||
f, err := os.CreateTemp(t.TempDir(), "blueprint-*.yaml")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
f.Close()
|
||||
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
|
||||
var calls atomic.Int32
|
||||
go watchBlueprintFile(ctx, f.Name(), func() error {
|
||||
calls.Add(1)
|
||||
return nil
|
||||
})
|
||||
|
||||
time.Sleep(50 * time.Millisecond)
|
||||
|
||||
for i := 0; i < 5; i++ {
|
||||
if err := os.WriteFile(f.Name(), []byte("change"), 0644); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
time.Sleep(50 * time.Millisecond)
|
||||
}
|
||||
|
||||
time.Sleep(700 * time.Millisecond)
|
||||
|
||||
if calls.Load() != 1 {
|
||||
t.Errorf("expected 1 send call after debounce, got %d", calls.Load())
|
||||
}
|
||||
}
|
||||
|
||||
func TestWatchBlueprintFile_ContextCancellationStops(t *testing.T) {
|
||||
f, err := os.CreateTemp(t.TempDir(), "blueprint-*.yaml")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
f.Close()
|
||||
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
|
||||
done := make(chan struct{})
|
||||
go func() {
|
||||
watchBlueprintFile(ctx, f.Name(), func() error { return nil })
|
||||
close(done)
|
||||
}()
|
||||
|
||||
time.Sleep(50 * time.Millisecond)
|
||||
cancel()
|
||||
|
||||
select {
|
||||
case <-done:
|
||||
case <-time.After(2 * time.Second):
|
||||
t.Error("watchBlueprintFile did not exit after context cancellation")
|
||||
}
|
||||
}
|
||||
|
||||
func TestWatchBlueprintFile_AtomicWriteTriggersSend(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
target := filepath.Join(dir, "blueprint.yaml")
|
||||
if err := os.WriteFile(target, []byte("initial"), 0644); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
|
||||
var calls atomic.Int32
|
||||
go watchBlueprintFile(ctx, target, func() error {
|
||||
calls.Add(1)
|
||||
return nil
|
||||
})
|
||||
|
||||
time.Sleep(50 * time.Millisecond)
|
||||
|
||||
tmp := filepath.Join(dir, "blueprint.yaml.tmp")
|
||||
if err := os.WriteFile(tmp, []byte("updated"), 0644); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if err := os.Rename(tmp, target); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
time.Sleep(700 * time.Millisecond)
|
||||
|
||||
if calls.Load() < 1 {
|
||||
t.Errorf("expected at least 1 send call after atomic write, got %d", calls.Load())
|
||||
}
|
||||
}
|
||||
|
||||
func TestWatchBlueprintFile_MissingFileReturnsGracefully(t *testing.T) {
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
|
||||
done := make(chan struct{})
|
||||
go func() {
|
||||
watchBlueprintFile(ctx, "/nonexistent/path/blueprint.yaml", func() error { return nil })
|
||||
close(done)
|
||||
}()
|
||||
|
||||
select {
|
||||
case <-done:
|
||||
case <-time.After(2 * time.Second):
|
||||
t.Error("watchBlueprintFile did not return for missing file")
|
||||
}
|
||||
}
|
||||
|
||||
func TestParseTargetString(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
input string
|
||||
wantListenPort int
|
||||
wantTargetAddr string
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "valid IPv4 basic",
|
||||
input: "3001:192.168.1.1:80",
|
||||
wantListenPort: 3001,
|
||||
wantTargetAddr: "192.168.1.1:80",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "valid IPv4 localhost",
|
||||
input: "8080:127.0.0.1:3000",
|
||||
wantListenPort: 8080,
|
||||
wantTargetAddr: "127.0.0.1:3000",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "valid IPv4 same ports",
|
||||
input: "443:10.0.0.1:443",
|
||||
wantListenPort: 443,
|
||||
wantTargetAddr: "10.0.0.1:443",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "valid IPv6 loopback",
|
||||
input: "3001:[::1]:8080",
|
||||
wantListenPort: 3001,
|
||||
wantTargetAddr: "[::1]:8080",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "valid IPv6 full address",
|
||||
input: "80:[fd70:1452:b736:4dd5:caca:7db9:c588:f5b3]:8080",
|
||||
wantListenPort: 80,
|
||||
wantTargetAddr: "[fd70:1452:b736:4dd5:caca:7db9:c588:f5b3]:8080",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "valid IPv6 link-local",
|
||||
input: "443:[fe80::1]:443",
|
||||
wantListenPort: 443,
|
||||
wantTargetAddr: "[fe80::1]:443",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "valid IPv6 all zeros compressed",
|
||||
input: "8000:[::]:9000",
|
||||
wantListenPort: 8000,
|
||||
wantTargetAddr: "[::]:9000",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "valid IPv6 mixed notation",
|
||||
input: "5000:[::ffff:192.168.1.1]:6000",
|
||||
wantListenPort: 5000,
|
||||
wantTargetAddr: "[::ffff:192.168.1.1]:6000",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "valid hostname",
|
||||
input: "8080:example.com:80",
|
||||
wantListenPort: 8080,
|
||||
wantTargetAddr: "example.com:80",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "valid hostname with subdomain",
|
||||
input: "443:api.example.com:8443",
|
||||
wantListenPort: 443,
|
||||
wantTargetAddr: "api.example.com:8443",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "valid localhost hostname",
|
||||
input: "3000:localhost:3000",
|
||||
wantListenPort: 3000,
|
||||
wantTargetAddr: "localhost:3000",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "invalid - no colons",
|
||||
input: "invalid",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid - empty string",
|
||||
input: "",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid - non-numeric listen port",
|
||||
input: "abc:192.168.1.1:80",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid - missing target port",
|
||||
input: "3001:192.168.1.1",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid - IPv6 without brackets",
|
||||
input: "3001:fd70:1452:b736:4dd5:caca:7db9:c588:f5b3:80",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid - only listen port",
|
||||
input: "3001:",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid - missing host",
|
||||
input: "3001::80",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid - IPv6 unclosed bracket",
|
||||
input: "3001:[::1:80",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid - listen port zero",
|
||||
input: "0:192.168.1.1:80",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid - listen port negative",
|
||||
input: "-1:192.168.1.1:80",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid - listen port out of range",
|
||||
input: "70000:192.168.1.1:80",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid - empty target port",
|
||||
input: "3001:192.168.1.1:",
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
listenPort, targetAddr, err := parseTargetString(tt.input)
|
||||
|
||||
if (err != nil) != tt.wantErr {
|
||||
t.Errorf("parseTargetString(%q) error = %v, wantErr %v", tt.input, err, tt.wantErr)
|
||||
return
|
||||
}
|
||||
|
||||
if tt.wantErr {
|
||||
return
|
||||
}
|
||||
|
||||
if listenPort != tt.wantListenPort {
|
||||
t.Errorf("parseTargetString(%q) listenPort = %d, want %d", tt.input, listenPort, tt.wantListenPort)
|
||||
}
|
||||
|
||||
if targetAddr != tt.wantTargetAddr {
|
||||
t.Errorf("parseTargetString(%q) targetAddr = %q, want %q", tt.input, targetAddr, tt.wantTargetAddr)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestParseTargetStringNetDialCompatibility verifies that the output is compatible with net.Dial.
|
||||
func TestParseTargetStringNetDialCompatibility(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
input string
|
||||
}{
|
||||
{"IPv4", "8080:127.0.0.1:80"},
|
||||
{"IPv6 loopback", "8080:[::1]:80"},
|
||||
{"IPv6 full", "8080:[2001:db8::1]:80"},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
_, targetAddr, err := parseTargetString(tt.input)
|
||||
if err != nil {
|
||||
t.Fatalf("parseTargetString(%q) unexpected error: %v", tt.input, err)
|
||||
}
|
||||
|
||||
_, _, err = net.SplitHostPort(targetAddr)
|
||||
if err != nil {
|
||||
t.Errorf("parseTargetString(%q) produced invalid net.Dial format %q: %v", tt.input, targetAddr, err)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestShouldFireRecovery is the regression guard for the broken trigger gate
|
||||
// that prevented data-plane recovery from ever firing under default settings
|
||||
// (fosrl/newt#284, #310, pangolin#1004). The pre-fix condition was
|
||||
//
|
||||
// consecutiveFailures >= failureThreshold && currentInterval < maxInterval
|
||||
//
|
||||
// which became permanently false once pingInterval's default was bumped from
|
||||
// 3s to 15s in commit 8161fa6 — currentInterval starts at pingInterval=15s,
|
||||
// maxInterval stayed at 6s, so 15<6 is false and the recovery branch never
|
||||
// executed.
|
||||
//
|
||||
// The fix is to drop currentInterval from the trigger condition entirely;
|
||||
// backoff is a separate concern computed in the caller. The cases below
|
||||
// exercise the documented contract.
|
||||
func TestShouldFireRecovery(t *testing.T) {
|
||||
const threshold = 4
|
||||
cases := []struct {
|
||||
name string
|
||||
failures int
|
||||
connectionLost bool
|
||||
want bool
|
||||
}{
|
||||
{"below threshold, fresh", 3, false, false},
|
||||
{"below threshold, already lost", 3, true, false},
|
||||
{"at threshold, fresh — recovery must fire", threshold, false, true},
|
||||
{"at threshold, already lost — gate prevents re-fire", threshold, true, false},
|
||||
{"far above threshold, fresh", 100, false, true},
|
||||
{"far above threshold, already lost", 100, true, false},
|
||||
}
|
||||
for _, c := range cases {
|
||||
t.Run(c.name, func(t *testing.T) {
|
||||
if got := shouldFireRecovery(c.failures, threshold, c.connectionLost); got != c.want {
|
||||
t.Errorf("shouldFireRecovery(failures=%d, threshold=%d, lost=%v) = %v, want %v",
|
||||
c.failures, threshold, c.connectionLost, got, c.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
@@ -4,7 +4,7 @@ services:
|
||||
container_name: newt
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- PANGOLIN_ENDPOINT=https://example.com
|
||||
- PANGOLIN_ENDPOINT=https://app.pangolin.net
|
||||
- NEWT_ID=2ix2t8xk22ubpfy
|
||||
- NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2
|
||||
- LOG_LEVEL=DEBUG
|
||||
@@ -9,10 +9,9 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/docker/docker/api/types/container"
|
||||
"github.com/docker/docker/api/types/events"
|
||||
"github.com/docker/docker/api/types/filters"
|
||||
"github.com/docker/docker/client"
|
||||
"github.com/moby/moby/api/types/container"
|
||||
"github.com/moby/moby/api/types/events"
|
||||
"github.com/moby/moby/client"
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
@@ -170,7 +169,7 @@ func ListContainers(socketPath string, enforceNetworkValidation bool) ([]Contain
|
||||
}
|
||||
|
||||
// Used to filter down containers returned to Pangolin
|
||||
containerFilters := filters.NewArgs()
|
||||
containerFilters := make(client.Filters)
|
||||
|
||||
// Used to determine if we will send IP addresses or hostnames to Pangolin
|
||||
useContainerIpAddresses := true
|
||||
@@ -215,21 +214,28 @@ func ListContainers(socketPath string, enforceNetworkValidation bool) ([]Contain
|
||||
}
|
||||
|
||||
// List containers
|
||||
containers, err := cli.ContainerList(ctx, container.ListOptions{All: true, Filters: containerFilters})
|
||||
containerListResult, err := cli.ContainerList(ctx, client.ContainerListOptions{All: true, Filters: containerFilters})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to list containers: %v", err)
|
||||
}
|
||||
|
||||
addrToString := func(addr interface{ IsValid() bool; String() string }) string {
|
||||
if addr.IsValid() {
|
||||
return addr.String()
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
var dockerContainers []Container
|
||||
for _, c := range containers {
|
||||
for _, c := range containerListResult.Items {
|
||||
// Short ID like docker ps
|
||||
shortId := c.ID[:12]
|
||||
|
||||
// Inspect container to get hostname
|
||||
hostname := ""
|
||||
containerInfo, err := cli.ContainerInspect(ctx, c.ID)
|
||||
if err == nil && containerInfo.Config != nil {
|
||||
hostname = containerInfo.Config.Hostname
|
||||
containerInfo, err := cli.ContainerInspect(ctx, c.ID, client.ContainerInspectOptions{})
|
||||
if err == nil && containerInfo.Container.Config != nil {
|
||||
hostname = containerInfo.Container.Config.Hostname
|
||||
}
|
||||
|
||||
// Skip host container if set
|
||||
@@ -253,8 +259,8 @@ func ListContainers(socketPath string, enforceNetworkValidation bool) ([]Contain
|
||||
if port.PublicPort != 0 {
|
||||
dockerPort.PublicPort = int(port.PublicPort)
|
||||
}
|
||||
if port.IP != "" {
|
||||
dockerPort.IP = port.IP
|
||||
if port.IP.IsValid() {
|
||||
dockerPort.IP = port.IP.String()
|
||||
}
|
||||
ports = append(ports, dockerPort)
|
||||
}
|
||||
@@ -268,19 +274,19 @@ func ListContainers(socketPath string, enforceNetworkValidation bool) ([]Contain
|
||||
dockerNetwork := Network{
|
||||
NetworkID: endpoint.NetworkID,
|
||||
EndpointID: endpoint.EndpointID,
|
||||
Gateway: endpoint.Gateway,
|
||||
Gateway: addrToString(endpoint.Gateway),
|
||||
IPPrefixLen: endpoint.IPPrefixLen,
|
||||
IPv6Gateway: endpoint.IPv6Gateway,
|
||||
GlobalIPv6Address: endpoint.GlobalIPv6Address,
|
||||
IPv6Gateway: addrToString(endpoint.IPv6Gateway),
|
||||
GlobalIPv6Address: addrToString(endpoint.GlobalIPv6Address),
|
||||
GlobalIPv6PrefixLen: endpoint.GlobalIPv6PrefixLen,
|
||||
MacAddress: endpoint.MacAddress,
|
||||
MacAddress: endpoint.MacAddress.String(),
|
||||
Aliases: endpoint.Aliases,
|
||||
DNSNames: endpoint.DNSNames,
|
||||
}
|
||||
|
||||
// Use IPs over hostnames/containers as we're on the bridge network
|
||||
if useContainerIpAddresses {
|
||||
dockerNetwork.IPAddress = endpoint.IPAddress
|
||||
dockerNetwork.IPAddress = addrToString(endpoint.IPAddress)
|
||||
}
|
||||
|
||||
networks[networkName] = dockerNetwork
|
||||
@@ -291,7 +297,7 @@ func ListContainers(socketPath string, enforceNetworkValidation bool) ([]Contain
|
||||
ID: shortId,
|
||||
Name: name,
|
||||
Image: c.Image,
|
||||
State: c.State,
|
||||
State: string(c.State),
|
||||
Status: c.Status,
|
||||
Ports: ports,
|
||||
Labels: c.Labels,
|
||||
@@ -315,12 +321,12 @@ func getHostContainer(dockerContext context.Context, dockerClient *client.Client
|
||||
}
|
||||
|
||||
// Get host container from the docker socket
|
||||
hostContainer, err := dockerClient.ContainerInspect(dockerContext, hostContainerName)
|
||||
hostContainer, err := dockerClient.ContainerInspect(dockerContext, hostContainerName, client.ContainerInspectOptions{})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to find host container")
|
||||
}
|
||||
|
||||
return &hostContainer, nil
|
||||
return &hostContainer.Container, nil
|
||||
}
|
||||
|
||||
// EventCallback defines the function signature for handling Docker events
|
||||
@@ -371,7 +377,7 @@ func (em *EventMonitor) Start() error {
|
||||
logger.Debug("Starting Docker event monitoring")
|
||||
|
||||
// Filter for container events we care about
|
||||
eventFilters := filters.NewArgs()
|
||||
eventFilters := make(client.Filters)
|
||||
eventFilters.Add("type", "container")
|
||||
// eventFilters.Add("event", "create")
|
||||
eventFilters.Add("event", "start")
|
||||
@@ -382,9 +388,10 @@ func (em *EventMonitor) Start() error {
|
||||
// eventFilters.Add("event", "unpause")
|
||||
|
||||
// Start listening for events
|
||||
eventCh, errCh := em.client.Events(em.ctx, events.ListOptions{
|
||||
eventsResult := em.client.Events(em.ctx, client.EventsListOptions{
|
||||
Filters: eventFilters,
|
||||
})
|
||||
eventCh, errCh := eventsResult.Messages, eventsResult.Err
|
||||
|
||||
go func() {
|
||||
defer func() {
|
||||
@@ -408,9 +415,10 @@ func (em *EventMonitor) Start() error {
|
||||
time.Sleep(5 * time.Second)
|
||||
if em.ctx.Err() == nil {
|
||||
logger.Info("Attempting to reconnect to Docker event stream")
|
||||
eventCh, errCh = em.client.Events(em.ctx, events.ListOptions{
|
||||
eventsResult = em.client.Events(em.ctx, client.EventsListOptions{
|
||||
Filters: eventFilters,
|
||||
})
|
||||
eventCh, errCh = eventsResult.Messages, eventsResult.Err
|
||||
}
|
||||
}
|
||||
return
|
||||
|
||||
17
flake.nix
17
flake.nix
@@ -25,7 +25,7 @@
|
||||
inherit (pkgs) lib;
|
||||
|
||||
# Update version when releasing
|
||||
version = "1.6.0";
|
||||
version = "1.12.5";
|
||||
in
|
||||
{
|
||||
default = self.packages.${system}.pangolin-newt;
|
||||
@@ -35,16 +35,28 @@
|
||||
inherit version;
|
||||
src = pkgs.nix-gitignore.gitignoreSource [ ] ./.;
|
||||
|
||||
vendorHash = "sha256-Jbu0pz+okV4N9MHUXLcTqSr3s/k5OVZ09hNuS/+4LFY=";
|
||||
vendorHash = "sha256-X70emc3uPN2YpsbudtoeEZDHilaTvFMqfRaDmIgRVZE=";
|
||||
|
||||
nativeInstallCheckInputs = [ pkgs.versionCheckHook ];
|
||||
|
||||
env = {
|
||||
CGO_ENABLED = 0;
|
||||
};
|
||||
|
||||
ldflags = [
|
||||
"-s"
|
||||
"-w"
|
||||
"-X main.newtVersion=${version}"
|
||||
];
|
||||
|
||||
# Tests are broken due to a lack of Internet.
|
||||
# Disable running `go test`, and instead do
|
||||
# a simple version check instead.
|
||||
doCheck = false;
|
||||
doInstallCheck = true;
|
||||
|
||||
versionCheckProgramArg = [ "-version" ];
|
||||
|
||||
meta = {
|
||||
description = "A tunneling client for Pangolin";
|
||||
homepage = "https://github.com/fosrl/newt";
|
||||
@@ -52,6 +64,7 @@
|
||||
maintainers = [
|
||||
lib.maintainers.water-sucks
|
||||
];
|
||||
mainProgram = "newt";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
311
get-newt.sh
311
get-newt.sh
@@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
#!/bin/sh
|
||||
|
||||
# Get Newt - Cross-platform installation script
|
||||
# Usage: curl -fsSL https://raw.githubusercontent.com/fosrl/newt/refs/heads/main/get-newt.sh | bash
|
||||
# Usage: curl -fsSL https://raw.githubusercontent.com/fosrl/newt/refs/heads/main/get-newt.sh | sh
|
||||
|
||||
set -e
|
||||
|
||||
@@ -17,54 +17,51 @@ GITHUB_API_URL="https://api.github.com/repos/${REPO}/releases/latest"
|
||||
|
||||
# Function to print colored output
|
||||
print_status() {
|
||||
echo -e "${GREEN}[INFO]${NC} $1"
|
||||
printf '%b[INFO]%b %s\n' "${GREEN}" "${NC}" "$1"
|
||||
}
|
||||
|
||||
print_warning() {
|
||||
echo -e "${YELLOW}[WARN]${NC} $1"
|
||||
printf '%b[WARN]%b %s\n' "${YELLOW}" "${NC}" "$1"
|
||||
}
|
||||
|
||||
print_error() {
|
||||
echo -e "${RED}[ERROR]${NC} $1"
|
||||
printf '%b[ERROR]%b %s\n' "${RED}" "${NC}" "$1"
|
||||
}
|
||||
|
||||
# Function to get latest version from GitHub API
|
||||
get_latest_version() {
|
||||
local latest_info
|
||||
|
||||
latest_info=""
|
||||
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
latest_info=$(curl -fsSL "$GITHUB_API_URL" 2>/dev/null)
|
||||
elif command -v wget >/dev/null 2>&1; then
|
||||
latest_info=$(wget -qO- "$GITHUB_API_URL" 2>/dev/null)
|
||||
else
|
||||
print_error "Neither curl nor wget is available. Please install one of them." >&2
|
||||
print_error "Neither curl nor wget is available."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
if [ -z "$latest_info" ]; then
|
||||
print_error "Failed to fetch latest version information" >&2
|
||||
print_error "Failed to fetch latest version info"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Extract version from JSON response (works without jq)
|
||||
local version=$(echo "$latest_info" | grep '"tag_name"' | head -1 | sed 's/.*"tag_name": *"\([^"]*\)".*/\1/')
|
||||
|
||||
|
||||
version=$(printf '%s' "$latest_info" | grep '"tag_name"' | head -1 | sed 's/.*"tag_name": *"\([^"]*\)".*/\1/')
|
||||
|
||||
if [ -z "$version" ]; then
|
||||
print_error "Could not parse version from GitHub API response" >&2
|
||||
print_error "Could not parse version from GitHub API response"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Remove 'v' prefix if present
|
||||
version=$(echo "$version" | sed 's/^v//')
|
||||
|
||||
echo "$version"
|
||||
|
||||
version=$(printf '%s' "$version" | sed 's/^v//')
|
||||
printf '%s' "$version"
|
||||
}
|
||||
|
||||
# Detect OS and architecture
|
||||
detect_platform() {
|
||||
local os arch
|
||||
|
||||
# Detect OS
|
||||
os=""
|
||||
arch=""
|
||||
|
||||
case "$(uname -s)" in
|
||||
Linux*) os="linux" ;;
|
||||
Darwin*) os="darwin" ;;
|
||||
@@ -75,12 +72,11 @@ detect_platform() {
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# Detect architecture
|
||||
|
||||
case "$(uname -m)" in
|
||||
x86_64|amd64) arch="amd64" ;;
|
||||
arm64|aarch64) arch="arm64" ;;
|
||||
armv7l|armv6l)
|
||||
armv7l|armv6l)
|
||||
if [ "$os" = "linux" ]; then
|
||||
if [ "$(uname -m)" = "armv6l" ]; then
|
||||
arch="arm32v6"
|
||||
@@ -88,10 +84,10 @@ detect_platform() {
|
||||
arch="arm32"
|
||||
fi
|
||||
else
|
||||
arch="arm64" # Default for non-Linux ARM
|
||||
arch="arm64"
|
||||
fi
|
||||
;;
|
||||
riscv64)
|
||||
riscv64)
|
||||
if [ "$os" = "linux" ]; then
|
||||
arch="riscv64"
|
||||
else
|
||||
@@ -104,90 +100,166 @@ detect_platform() {
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "${os}_${arch}"
|
||||
|
||||
printf '%s_%s' "$os" "$arch"
|
||||
}
|
||||
|
||||
# Get installation directory
|
||||
# Determine installation directory (default fallback)
|
||||
get_install_dir() {
|
||||
if [ "$OS" = "windows" ]; then
|
||||
echo "$HOME/bin"
|
||||
else
|
||||
# Try to use a directory in PATH, fallback to ~/.local/bin
|
||||
if echo "$PATH" | grep -q "/usr/local/bin"; then
|
||||
if [ -w "/usr/local/bin" ] 2>/dev/null; then
|
||||
echo "/usr/local/bin"
|
||||
else
|
||||
echo "$HOME/.local/bin"
|
||||
fi
|
||||
else
|
||||
echo "$HOME/.local/bin"
|
||||
case "$PLATFORM" in
|
||||
*windows*)
|
||||
echo "$HOME/bin"
|
||||
;;
|
||||
*)
|
||||
echo "/usr/local/bin"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
# Parse --path argument from args
|
||||
# Returns the value after --path, or empty string if not provided
|
||||
parse_path_arg() {
|
||||
while [ $# -gt 0 ]; do
|
||||
case "$1" in
|
||||
--path)
|
||||
if [ -n "$2" ]; then
|
||||
printf '%s' "$2"
|
||||
return
|
||||
fi
|
||||
;;
|
||||
--path=*)
|
||||
printf '%s' "${1#--path=}"
|
||||
return
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
}
|
||||
|
||||
# Detect an existing newt binary location.
|
||||
# Tries unprivileged which first, then sudo which (for binaries only visible to root).
|
||||
# Returns the full path of the binary, or empty string if not found.
|
||||
detect_existing_binary() {
|
||||
existing=""
|
||||
|
||||
# Try unprivileged which first
|
||||
existing=$(command -v newt 2>/dev/null || true)
|
||||
if [ -n "$existing" ]; then
|
||||
printf '%s' "$existing"
|
||||
return
|
||||
fi
|
||||
|
||||
# Try sudo which — some installations land in paths only root can see in $PATH
|
||||
if command -v sudo >/dev/null 2>&1; then
|
||||
existing=$(sudo which newt 2>/dev/null || true)
|
||||
if [ -n "$existing" ]; then
|
||||
printf '%s' "$existing"
|
||||
return
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# Check if we need sudo for installation
|
||||
needs_sudo() {
|
||||
install_dir="$1"
|
||||
if [ -w "$install_dir" ] 2>/dev/null; then
|
||||
return 1 # No sudo needed
|
||||
else
|
||||
return 0 # Sudo needed
|
||||
fi
|
||||
}
|
||||
|
||||
# Get the appropriate command prefix (sudo or empty)
|
||||
get_sudo_cmd() {
|
||||
install_dir="$1"
|
||||
if needs_sudo "$install_dir"; then
|
||||
if command -v sudo >/dev/null 2>&1; then
|
||||
echo "sudo"
|
||||
else
|
||||
print_error "Cannot write to ${install_dir} and sudo is not available."
|
||||
print_error "Please run this script as root or install sudo."
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo ""
|
||||
fi
|
||||
}
|
||||
|
||||
# Download and install newt
|
||||
install_newt() {
|
||||
local platform="$1"
|
||||
local install_dir="$2"
|
||||
local binary_name="newt_${platform}"
|
||||
local exe_suffix=""
|
||||
|
||||
# Add .exe suffix for Windows
|
||||
if [[ "$platform" == *"windows"* ]]; then
|
||||
binary_name="${binary_name}.exe"
|
||||
exe_suffix=".exe"
|
||||
platform="$1"
|
||||
install_dir="$2"
|
||||
sudo_cmd="$3"
|
||||
custom_path="$4"
|
||||
binary_name="newt_${platform}"
|
||||
final_name="newt"
|
||||
|
||||
case "$platform" in
|
||||
*windows*)
|
||||
binary_name="${binary_name}.exe"
|
||||
final_name="newt.exe"
|
||||
;;
|
||||
esac
|
||||
|
||||
download_url="${BASE_URL}/${binary_name}"
|
||||
temp_file="/tmp/${final_name}"
|
||||
|
||||
# If a custom path is provided, use it directly; otherwise use install_dir/final_name
|
||||
if [ -n "$custom_path" ]; then
|
||||
final_path="$custom_path"
|
||||
install_dir=$(dirname "$final_path")
|
||||
else
|
||||
final_path="${install_dir}/${final_name}"
|
||||
fi
|
||||
|
||||
local download_url="${BASE_URL}/${binary_name}"
|
||||
local temp_file="/tmp/newt${exe_suffix}"
|
||||
local final_path="${install_dir}/newt${exe_suffix}"
|
||||
|
||||
|
||||
print_status "Downloading newt from ${download_url}"
|
||||
|
||||
# Download the binary
|
||||
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
curl -fsSL "$download_url" -o "$temp_file"
|
||||
elif command -v wget >/dev/null 2>&1; then
|
||||
wget -q "$download_url" -O "$temp_file"
|
||||
else
|
||||
print_error "Neither curl nor wget is available. Please install one of them."
|
||||
print_error "Neither curl nor wget is available."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create install directory if it doesn't exist
|
||||
mkdir -p "$install_dir"
|
||||
|
||||
# Move binary to install directory
|
||||
mv "$temp_file" "$final_path"
|
||||
|
||||
# Make executable (not needed on Windows, but doesn't hurt)
|
||||
chmod +x "$final_path"
|
||||
|
||||
|
||||
# Make executable before moving
|
||||
chmod +x "$temp_file"
|
||||
|
||||
# Create install directory if it doesn't exist and move binary
|
||||
if [ -n "$sudo_cmd" ]; then
|
||||
$sudo_cmd mkdir -p "$install_dir"
|
||||
print_status "Using sudo to install to ${install_dir}"
|
||||
$sudo_cmd mv "$temp_file" "$final_path"
|
||||
else
|
||||
mkdir -p "$install_dir"
|
||||
mv "$temp_file" "$final_path"
|
||||
fi
|
||||
|
||||
print_status "newt installed to ${final_path}"
|
||||
|
||||
|
||||
# Check if install directory is in PATH
|
||||
if ! echo "$PATH" | grep -q "$install_dir"; then
|
||||
print_warning "Install directory ${install_dir} is not in your PATH."
|
||||
print_warning "Add it to your PATH by adding this line to your shell profile:"
|
||||
print_warning "Add it with:"
|
||||
print_warning " export PATH=\"${install_dir}:\$PATH\""
|
||||
fi
|
||||
}
|
||||
|
||||
# Verify installation
|
||||
verify_installation() {
|
||||
local install_dir="$1"
|
||||
local exe_suffix=""
|
||||
|
||||
if [[ "$PLATFORM" == *"windows"* ]]; then
|
||||
exe_suffix=".exe"
|
||||
fi
|
||||
|
||||
local newt_path="${install_dir}/newt${exe_suffix}"
|
||||
|
||||
if [ -f "$newt_path" ] && [ -x "$newt_path" ]; then
|
||||
install_dir="$1"
|
||||
exe_suffix=""
|
||||
|
||||
case "$PLATFORM" in
|
||||
*windows*) exe_suffix=".exe" ;;
|
||||
esac
|
||||
|
||||
newt_path="${install_dir}/newt${exe_suffix}"
|
||||
|
||||
if [ -x "$newt_path" ]; then
|
||||
print_status "Installation successful!"
|
||||
print_status "newt version: $("$newt_path" --version 2>/dev/null || echo "unknown")"
|
||||
print_status "newt version: $("$newt_path" --version 2>/dev/null || printf 'unknown')"
|
||||
return 0
|
||||
else
|
||||
print_error "Installation failed. Binary not found or not executable."
|
||||
@@ -197,39 +269,66 @@ verify_installation() {
|
||||
|
||||
# Main installation process
|
||||
main() {
|
||||
print_status "Installing latest version of newt..."
|
||||
|
||||
# Get latest version
|
||||
print_status "Fetching latest version from GitHub..."
|
||||
# --path explicitly overrides everything
|
||||
CUSTOM_PATH=$(parse_path_arg "$@")
|
||||
|
||||
if [ -n "$CUSTOM_PATH" ]; then
|
||||
print_status "Installing latest version of newt to ${CUSTOM_PATH}..."
|
||||
else
|
||||
print_status "Installing latest version of newt..."
|
||||
fi
|
||||
|
||||
print_status "Fetching latest version..."
|
||||
VERSION=$(get_latest_version)
|
||||
print_status "Latest version: v${VERSION}"
|
||||
|
||||
# Set base URL with the fetched version
|
||||
|
||||
BASE_URL="https://github.com/${REPO}/releases/download/${VERSION}"
|
||||
|
||||
# Detect platform
|
||||
|
||||
PLATFORM=$(detect_platform)
|
||||
print_status "Detected platform: ${PLATFORM}"
|
||||
|
||||
# Get install directory
|
||||
INSTALL_DIR=$(get_install_dir)
|
||||
print_status "Install directory: ${INSTALL_DIR}"
|
||||
|
||||
# Install newt
|
||||
install_newt "$PLATFORM" "$INSTALL_DIR"
|
||||
|
||||
# Verify installation
|
||||
if verify_installation "$INSTALL_DIR"; then
|
||||
print_status "newt is ready to use!"
|
||||
if [[ "$PLATFORM" == *"windows"* ]]; then
|
||||
print_status "Run 'newt --help' to get started"
|
||||
|
||||
if [ -n "$CUSTOM_PATH" ]; then
|
||||
# --path wins; derive INSTALL_DIR from it
|
||||
INSTALL_DIR=$(dirname "$CUSTOM_PATH")
|
||||
else
|
||||
# Try to find an existing installation so we update the right place
|
||||
EXISTING_BINARY=$(detect_existing_binary)
|
||||
if [ -n "$EXISTING_BINARY" ]; then
|
||||
print_status "Found existing newt binary at ${EXISTING_BINARY}"
|
||||
CUSTOM_PATH="$EXISTING_BINARY"
|
||||
INSTALL_DIR=$(dirname "$EXISTING_BINARY")
|
||||
print_status "Will update existing installation at ${INSTALL_DIR}"
|
||||
else
|
||||
print_status "Run 'newt --help' to get started"
|
||||
INSTALL_DIR=$(get_install_dir)
|
||||
fi
|
||||
fi
|
||||
|
||||
print_status "Install directory: ${INSTALL_DIR}"
|
||||
|
||||
# Check if we need sudo
|
||||
SUDO_CMD=$(get_sudo_cmd "$INSTALL_DIR")
|
||||
if [ -n "$SUDO_CMD" ]; then
|
||||
print_status "Root privileges required for installation to ${INSTALL_DIR}"
|
||||
fi
|
||||
|
||||
install_newt "$PLATFORM" "$INSTALL_DIR" "$SUDO_CMD" "$CUSTOM_PATH"
|
||||
|
||||
if [ -n "$CUSTOM_PATH" ]; then
|
||||
if [ -x "$CUSTOM_PATH" ]; then
|
||||
print_status "Installation successful!"
|
||||
print_status "newt version: $("$CUSTOM_PATH" --version 2>/dev/null || printf 'unknown')"
|
||||
print_status "newt is ready to use!"
|
||||
else
|
||||
print_error "Installation failed. Binary not found or not executable at ${CUSTOM_PATH}."
|
||||
exit 1
|
||||
fi
|
||||
elif verify_installation "$INSTALL_DIR"; then
|
||||
print_status "newt is ready to use!"
|
||||
print_status "Run 'newt --help' to get started."
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Run main function
|
||||
main "$@"
|
||||
main "$@"
|
||||
|
||||
86
go.mod
86
go.mod
@@ -1,77 +1,75 @@
|
||||
module github.com/fosrl/newt
|
||||
|
||||
go 1.25
|
||||
go 1.25.0
|
||||
|
||||
require (
|
||||
github.com/docker/docker v28.5.2+incompatible
|
||||
github.com/coder/websocket v1.8.14
|
||||
github.com/creack/pty v1.1.24
|
||||
github.com/gaissmai/bart v0.26.1
|
||||
github.com/go-crypt/crypt v0.14.15
|
||||
github.com/go-crypt/x v0.4.16
|
||||
github.com/gorilla/websocket v1.5.3
|
||||
github.com/moby/moby/api v1.54.2
|
||||
github.com/moby/moby/client v0.4.1
|
||||
github.com/prometheus/client_golang v1.23.2
|
||||
github.com/vishvananda/netlink v1.3.1
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0
|
||||
go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0
|
||||
go.opentelemetry.io/otel v1.38.0
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0
|
||||
go.opentelemetry.io/otel/exporters/prometheus v0.60.0
|
||||
go.opentelemetry.io/otel/metric v1.38.0
|
||||
go.opentelemetry.io/otel/sdk v1.38.0
|
||||
go.opentelemetry.io/otel/sdk/metric v1.38.0
|
||||
golang.org/x/crypto v0.45.0
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0
|
||||
go.opentelemetry.io/contrib/instrumentation/runtime v0.68.0
|
||||
go.opentelemetry.io/otel v1.43.0
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0
|
||||
go.opentelemetry.io/otel/exporters/prometheus v0.65.0
|
||||
go.opentelemetry.io/otel/metric v1.43.0
|
||||
go.opentelemetry.io/otel/sdk v1.43.0
|
||||
go.opentelemetry.io/otel/sdk/metric v1.43.0
|
||||
golang.org/x/crypto v0.52.0
|
||||
golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6
|
||||
golang.org/x/net v0.47.0
|
||||
golang.org/x/sys v0.38.0
|
||||
golang.org/x/net v0.55.0
|
||||
golang.org/x/sys v0.45.0
|
||||
golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
|
||||
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
|
||||
golang.zx2c4.com/wireguard/windows v0.5.3
|
||||
google.golang.org/grpc v1.76.0
|
||||
golang.zx2c4.com/wireguard/windows v1.0.1
|
||||
google.golang.org/grpc v1.81.1
|
||||
gopkg.in/yaml.v3 v3.0.1
|
||||
gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c
|
||||
software.sslmate.com/src/go-pkcs12 v0.6.0
|
||||
software.sslmate.com/src/go-pkcs12 v0.7.1
|
||||
)
|
||||
|
||||
require (
|
||||
github.com/Microsoft/go-winio v0.6.0 // indirect
|
||||
github.com/Microsoft/go-winio v0.6.2 // indirect
|
||||
github.com/beorn7/perks v1.0.1 // indirect
|
||||
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
|
||||
github.com/cespare/xxhash/v2 v2.3.0 // indirect
|
||||
github.com/containerd/errdefs v0.3.0 // indirect
|
||||
github.com/containerd/errdefs v1.0.0 // indirect
|
||||
github.com/containerd/errdefs/pkg v0.3.0 // indirect
|
||||
github.com/distribution/reference v0.6.0 // indirect
|
||||
github.com/docker/go-connections v0.6.0 // indirect
|
||||
github.com/docker/go-units v0.4.0 // indirect
|
||||
github.com/docker/go-connections v0.7.0 // indirect
|
||||
github.com/docker/go-units v0.5.0 // indirect
|
||||
github.com/felixge/httpsnoop v1.0.4 // indirect
|
||||
github.com/fsnotify/fsnotify v1.9.0 // indirect
|
||||
github.com/go-logr/logr v1.4.3 // indirect
|
||||
github.com/go-logr/stdr v1.2.2 // indirect
|
||||
github.com/google/btree v1.1.3 // indirect
|
||||
github.com/google/uuid v1.6.0 // indirect
|
||||
github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
|
||||
github.com/moby/docker-image-spec v1.3.1 // indirect
|
||||
github.com/moby/sys/atomicwriter v0.1.0 // indirect
|
||||
github.com/moby/term v0.5.2 // indirect
|
||||
github.com/morikuni/aec v1.0.0 // indirect
|
||||
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
|
||||
github.com/opencontainers/go-digest v1.0.0 // indirect
|
||||
github.com/opencontainers/image-spec v1.1.0 // indirect
|
||||
github.com/pkg/errors v0.9.1 // indirect
|
||||
github.com/opencontainers/image-spec v1.1.1 // indirect
|
||||
github.com/prometheus/client_model v0.6.2 // indirect
|
||||
github.com/prometheus/common v0.66.1 // indirect
|
||||
github.com/prometheus/otlptranslator v0.0.2 // indirect
|
||||
github.com/prometheus/procfs v0.17.0 // indirect
|
||||
github.com/prometheus/common v0.67.5 // indirect
|
||||
github.com/prometheus/otlptranslator v1.0.0 // indirect
|
||||
github.com/prometheus/procfs v0.20.1 // indirect
|
||||
github.com/vishvananda/netns v0.0.5 // indirect
|
||||
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect
|
||||
go.opentelemetry.io/otel/trace v1.38.0 // indirect
|
||||
go.opentelemetry.io/proto/otlp v1.7.1 // indirect
|
||||
go.yaml.in/yaml/v2 v2.4.2 // indirect
|
||||
golang.org/x/mod v0.30.0 // indirect
|
||||
golang.org/x/sync v0.18.0 // indirect
|
||||
golang.org/x/text v0.31.0 // indirect
|
||||
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
|
||||
go.opentelemetry.io/otel/trace v1.43.0 // indirect
|
||||
go.opentelemetry.io/proto/otlp v1.10.0 // indirect
|
||||
go.yaml.in/yaml/v2 v2.4.4 // indirect
|
||||
golang.org/x/text v0.37.0 // indirect
|
||||
golang.org/x/time v0.12.0 // indirect
|
||||
golang.org/x/tools v0.39.0 // indirect
|
||||
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
|
||||
google.golang.org/protobuf v1.36.8 // indirect
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
|
||||
google.golang.org/protobuf v1.36.11 // indirect
|
||||
)
|
||||
|
||||
192
go.sum
192
go.sum
@@ -1,31 +1,37 @@
|
||||
github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
|
||||
github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
|
||||
github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
|
||||
github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
|
||||
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
|
||||
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
|
||||
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
|
||||
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
|
||||
github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
|
||||
github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
|
||||
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
|
||||
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
|
||||
github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4=
|
||||
github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
|
||||
github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
|
||||
github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
|
||||
github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
|
||||
github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
|
||||
github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
|
||||
github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
|
||||
github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
|
||||
github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
|
||||
github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
|
||||
github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
|
||||
github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
|
||||
github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
|
||||
github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
|
||||
github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
|
||||
github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
|
||||
github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
|
||||
github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
|
||||
github.com/docker/go-connections v0.7.0 h1:6SsRfJddP22WMrCkj19x9WKjEDTB+ahsdiGYf0mN39c=
|
||||
github.com/docker/go-connections v0.7.0/go.mod h1:no1qkHdjq7kLMGUXYAduOhYPSJxxvgWBh7ogVvptn3Q=
|
||||
github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
|
||||
github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
|
||||
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
|
||||
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
|
||||
github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
|
||||
github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
|
||||
github.com/gaissmai/bart v0.26.1 h1:+w4rnLGNlA2GDVn382Tfe3jOsK5vOr5n4KmigJ9lbTo=
|
||||
github.com/gaissmai/bart v0.26.1/go.mod h1:GREWQfTLRWz/c5FTOsIw+KkscuFkIV5t8Rp7Nd1Td5c=
|
||||
github.com/go-crypt/crypt v0.14.15 h1:q1i5OMpL05r935IxWmXgpDAVF0nvi4SMoHhGXLBQUEQ=
|
||||
github.com/go-crypt/crypt v0.14.15/go.mod h1:0n/to1VqIZPENj2yEUa/sLLYYnmupma6cp+QMX4zfF0=
|
||||
github.com/go-crypt/x v0.4.16 h1:WXdY28H/0MsXnH+gwerxuCcvBTJPkBG90u6oS4gIPZI=
|
||||
github.com/go-crypt/x v0.4.16/go.mod h1:vmVFA/d/oLrEaCbqsLcjBMlTqF8u8pvH/c4+EJ/ped8=
|
||||
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
|
||||
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
|
||||
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
|
||||
@@ -41,10 +47,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
|
||||
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
|
||||
github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
|
||||
github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
|
||||
github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
|
||||
github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
|
||||
github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
|
||||
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
|
||||
@@ -55,122 +59,110 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
|
||||
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
|
||||
github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
|
||||
github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
|
||||
github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
|
||||
github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
|
||||
github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
|
||||
github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
|
||||
github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
|
||||
github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
|
||||
github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
|
||||
github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
|
||||
github.com/moby/moby/api v1.54.2 h1:wiat9QAhnDQjA7wk1kh/TqHz2I1uUA7M7t9SAl/JNXg=
|
||||
github.com/moby/moby/api v1.54.2/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
|
||||
github.com/moby/moby/client v0.4.1 h1:DMQgisVoMkmMs7fp3ROSdiBnoAu8+vo3GggFl06M/wY=
|
||||
github.com/moby/moby/client v0.4.1/go.mod h1:z52C9O2POPOsnxZAy//WtKcQ32P+jT/NGeXu/7nfjGQ=
|
||||
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
|
||||
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
|
||||
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
|
||||
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
|
||||
github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
|
||||
github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
|
||||
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
|
||||
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
|
||||
github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
|
||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
|
||||
github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
|
||||
github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
|
||||
github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
|
||||
github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
|
||||
github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
|
||||
github.com/prometheus/otlptranslator v0.0.2 h1:+1CdeLVrRQ6Psmhnobldo0kTp96Rj80DRXRd5OSnMEQ=
|
||||
github.com/prometheus/otlptranslator v0.0.2/go.mod h1:P8AwMgdD7XEr6QRUJ2QWLpiAZTgTE2UYgjlu3svompI=
|
||||
github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
|
||||
github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
|
||||
github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
|
||||
github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
|
||||
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
|
||||
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
|
||||
github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
|
||||
github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
|
||||
github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos=
|
||||
github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=
|
||||
github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc=
|
||||
github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo=
|
||||
github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
|
||||
github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
|
||||
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
|
||||
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
|
||||
github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
|
||||
github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
|
||||
github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
|
||||
github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
|
||||
go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
|
||||
go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
|
||||
go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0 h1:PeBoRj6af6xMI7qCupwFvTbbnd49V7n5YpG6pg8iDYQ=
|
||||
go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0/go.mod h1:ingqBCtMCe8I4vpz/UVzCW6sxoqgZB37nao91mLQ3Bw=
|
||||
go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
|
||||
go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 h1:vl9obrcoWVKp/lwl8tRE33853I8Xru9HFbw/skNeLs8=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0/go.mod h1:GAXRxmLJcVM3u22IjTg74zWBrRCKq8BnOqUVLodpcpw=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
|
||||
go.opentelemetry.io/otel/exporters/prometheus v0.60.0 h1:cGtQxGvZbnrWdC2GyjZi0PDKVSLWP/Jocix3QWfXtbo=
|
||||
go.opentelemetry.io/otel/exporters/prometheus v0.60.0/go.mod h1:hkd1EekxNo69PTV4OWFGZcKQiIqg0RfuWExcPKFvepk=
|
||||
go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
|
||||
go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
|
||||
go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
|
||||
go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
|
||||
go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
|
||||
go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
|
||||
go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
|
||||
go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
|
||||
go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
|
||||
go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
|
||||
go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
|
||||
go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
|
||||
go.opentelemetry.io/contrib/instrumentation/runtime v0.68.0 h1:jhVIQEprwUTV+KfzzliLidclhoTOoHTgdz96kAyR8mU=
|
||||
go.opentelemetry.io/contrib/instrumentation/runtime v0.68.0/go.mod h1:4HsdbLUbernaTnA8CNaNE+1g026SciXb3juRYe3l8EY=
|
||||
go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
|
||||
go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0 h1:8UQVDcZxOJLtX6gxtDt3vY2WTgvZqMQRzjsqiIHQdkc=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0/go.mod h1:2lmweYCiHYpEjQ/lSJBYhj9jP1zvCvQW4BqL9dnT7FQ=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 h1:RAE+JPfvEmvy+0LzyUA25/SGawPwIUbZ6u0Wug54sLc=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0/go.mod h1:AGmbycVGEsRx9mXMZ75CsOyhSP6MFIcj/6dnG+vhVjk=
|
||||
go.opentelemetry.io/otel/exporters/prometheus v0.65.0 h1:jOveH/b4lU9HT7y+Gfamf18BqlOuz2PWEvs8yM7Q6XE=
|
||||
go.opentelemetry.io/otel/exporters/prometheus v0.65.0/go.mod h1:i1P8pcumauPtUI4YNopea1dhzEMuEqWP1xoUZDylLHo=
|
||||
go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
|
||||
go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
|
||||
go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
|
||||
go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
|
||||
go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
|
||||
go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
|
||||
go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
|
||||
go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
|
||||
go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
|
||||
go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
|
||||
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
|
||||
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
|
||||
go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
|
||||
go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
|
||||
golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
|
||||
golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
|
||||
go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=
|
||||
go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ=
|
||||
golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
|
||||
golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
|
||||
golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0=
|
||||
golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
|
||||
golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
|
||||
golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
|
||||
golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
|
||||
golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
|
||||
golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
|
||||
golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
|
||||
golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
|
||||
golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
|
||||
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
|
||||
golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
|
||||
golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
|
||||
golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
|
||||
golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
|
||||
golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
|
||||
golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
|
||||
golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
|
||||
golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
|
||||
golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
|
||||
golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
|
||||
golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
|
||||
golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
|
||||
golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
|
||||
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
|
||||
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
|
||||
golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
|
||||
golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
|
||||
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdIg1ozBNLgPy4SLT84nfcBjr6rhGtXYtrkWLU=
|
||||
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
|
||||
golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
|
||||
golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
|
||||
gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
|
||||
gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5/go.mod h1:M4/wBTSeyLxupu3W3tJtOgB14jILAS/XWPSSa3TAlJc=
|
||||
google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
|
||||
google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
|
||||
google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
|
||||
google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
|
||||
golang.zx2c4.com/wireguard/windows v1.0.1 h1:eOxiDVbywPC+ZQqvdCK7x+ZwWXKbYv50TtH8ysFIbw8=
|
||||
golang.zx2c4.com/wireguard/windows v1.0.1/go.mod h1:+fbT3FFdX4zzYDLwJh5+HPEcNN/3HyNdzhNSVsQM+zs=
|
||||
gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
|
||||
gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
|
||||
google.golang.org/grpc v1.81.1 h1:VnnIIZ88UzOOKLukQi+ImGz8O1Wdp8nAGGnvOfEIWQQ=
|
||||
google.golang.org/grpc v1.81.1/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
|
||||
google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
|
||||
google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
|
||||
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
|
||||
gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
|
||||
gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
|
||||
gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
|
||||
gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c h1:m/r7OM+Y2Ty1sgBQ7Qb27VgIMBW8ZZhT4gLnUyDIhzI=
|
||||
gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g=
|
||||
software.sslmate.com/src/go-pkcs12 v0.6.0 h1:f3sQittAeF+pao32Vb+mkli+ZyT+VwKaD014qFGq6oU=
|
||||
software.sslmate.com/src/go-pkcs12 v0.6.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
|
||||
pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
|
||||
pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
|
||||
software.sslmate.com/src/go-pkcs12 v0.7.1 h1:bxkUPRsvTPNRBZa4M/aSX4PyMOEbq3V8I6hbkG4F4Q8=
|
||||
software.sslmate.com/src/go-pkcs12 v0.7.1/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
|
||||
|
||||
@@ -5,7 +5,9 @@ import (
|
||||
"crypto/tls"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
@@ -35,32 +37,38 @@ func (s Health) String() string {
|
||||
|
||||
// Config holds the health check configuration for a target
|
||||
type Config struct {
|
||||
ID int `json:"id"`
|
||||
Enabled bool `json:"hcEnabled"`
|
||||
Path string `json:"hcPath"`
|
||||
Scheme string `json:"hcScheme"`
|
||||
Mode string `json:"hcMode"`
|
||||
Hostname string `json:"hcHostname"`
|
||||
Port int `json:"hcPort"`
|
||||
Interval int `json:"hcInterval"` // in seconds
|
||||
UnhealthyInterval int `json:"hcUnhealthyInterval"` // in seconds
|
||||
Timeout int `json:"hcTimeout"` // in seconds
|
||||
Headers map[string]string `json:"hcHeaders"`
|
||||
Method string `json:"hcMethod"`
|
||||
Status int `json:"hcStatus"` // HTTP status code
|
||||
TLSServerName string `json:"hcTlsServerName"`
|
||||
ID int `json:"id"`
|
||||
Enabled bool `json:"hcEnabled"`
|
||||
Path string `json:"hcPath"`
|
||||
Scheme string `json:"hcScheme"`
|
||||
Mode string `json:"hcMode"`
|
||||
Hostname string `json:"hcHostname"`
|
||||
Port int `json:"hcPort"`
|
||||
Interval int `json:"hcInterval"` // in seconds
|
||||
UnhealthyInterval int `json:"hcUnhealthyInterval"` // in seconds
|
||||
Timeout int `json:"hcTimeout"` // in seconds
|
||||
FollowRedirects *bool `json:"hcFollowRedirects"`
|
||||
Headers map[string]string `json:"hcHeaders"`
|
||||
Method string `json:"hcMethod"`
|
||||
Status int `json:"hcStatus"` // HTTP status code
|
||||
TLSServerName string `json:"hcTlsServerName"`
|
||||
HealthyThreshold int `json:"hcHealthyThreshold"` // consecutive successes required to become healthy
|
||||
UnhealthyThreshold int `json:"hcUnhealthyThreshold"` // consecutive failures required to become unhealthy
|
||||
}
|
||||
|
||||
// Target represents a health check target with its current status
|
||||
type Target struct {
|
||||
Config Config `json:"config"`
|
||||
Status Health `json:"status"`
|
||||
LastCheck time.Time `json:"lastCheck"`
|
||||
LastError string `json:"lastError,omitempty"`
|
||||
CheckCount int `json:"checkCount"`
|
||||
ticker *time.Ticker
|
||||
ctx context.Context
|
||||
cancel context.CancelFunc
|
||||
Config Config `json:"config"`
|
||||
Status Health `json:"status"`
|
||||
LastCheck time.Time `json:"lastCheck"`
|
||||
LastError string `json:"lastError,omitempty"`
|
||||
CheckCount int `json:"checkCount"`
|
||||
timer *time.Timer
|
||||
ctx context.Context
|
||||
cancel context.CancelFunc
|
||||
client *http.Client
|
||||
consecutiveSuccesses int
|
||||
consecutiveFailures int
|
||||
}
|
||||
|
||||
// StatusChangeCallback is called when any target's status changes
|
||||
@@ -162,9 +170,16 @@ func (m *Monitor) addTargetUnsafe(config Config) error {
|
||||
if config.Timeout == 0 {
|
||||
config.Timeout = 5
|
||||
}
|
||||
if config.HealthyThreshold == 0 {
|
||||
config.HealthyThreshold = 1
|
||||
}
|
||||
if config.UnhealthyThreshold == 0 {
|
||||
config.UnhealthyThreshold = 1
|
||||
}
|
||||
|
||||
logger.Debug("Target %d configuration: scheme=%s, method=%s, interval=%ds, timeout=%ds",
|
||||
config.ID, config.Scheme, config.Method, config.Interval, config.Timeout)
|
||||
logger.Debug("Target %d configuration: mode=%s, scheme=%s, method=%s, interval=%ds, timeout=%ds, healthyThreshold=%d, unhealthyThreshold=%d",
|
||||
config.ID, config.Mode, config.Scheme, config.Method, config.Interval, config.Timeout,
|
||||
config.HealthyThreshold, config.UnhealthyThreshold)
|
||||
|
||||
// Parse headers if provided as string
|
||||
if len(config.Headers) == 0 && config.Path != "" {
|
||||
@@ -185,6 +200,30 @@ func (m *Monitor) addTargetUnsafe(config Config) error {
|
||||
Status: StatusUnknown,
|
||||
ctx: ctx,
|
||||
cancel: cancel,
|
||||
client: &http.Client{
|
||||
CheckRedirect: func() func(*http.Request, []*http.Request) error {
|
||||
// Default to following redirects if not explicitly configured
|
||||
followRedirects := config.FollowRedirects == nil || *config.FollowRedirects
|
||||
if !followRedirects {
|
||||
return func(req *http.Request, via []*http.Request) error {
|
||||
return http.ErrUseLastResponse
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}(),
|
||||
Transport: &http.Transport{
|
||||
// Disable keep-alives so each health check uses a fresh connection.
|
||||
// Reusing idle connections causes spurious timeouts when the remote
|
||||
// server closes the connection between long check intervals.
|
||||
DisableKeepAlives: true,
|
||||
TLSClientConfig: &tls.Config{
|
||||
// Configure TLS settings based on certificate enforcement
|
||||
InsecureSkipVerify: !m.enforceCert,
|
||||
// Use SNI TLS header if present
|
||||
ServerName: config.TLSServerName,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
m.targets[config.ID] = target
|
||||
@@ -217,7 +256,7 @@ func (m *Monitor) RemoveTarget(id int) error {
|
||||
|
||||
// Notify callback of status change
|
||||
if m.callback != nil {
|
||||
go m.callback(m.GetTargets())
|
||||
go m.callback(m.getAllTargetsUnsafe())
|
||||
}
|
||||
|
||||
logger.Info("Successfully removed target %d", id)
|
||||
@@ -250,7 +289,7 @@ func (m *Monitor) RemoveTargets(ids []int) error {
|
||||
|
||||
// Notify callback of status change if any targets were removed
|
||||
if len(notFound) != len(ids) && m.callback != nil {
|
||||
go m.callback(m.GetTargets())
|
||||
go m.callback(m.getAllTargetsUnsafe())
|
||||
}
|
||||
|
||||
if len(notFound) > 0 {
|
||||
@@ -304,26 +343,26 @@ func (m *Monitor) monitorTarget(target *Target) {
|
||||
go m.callback(m.GetTargets())
|
||||
}
|
||||
|
||||
// Set up ticker based on current status
|
||||
// Set up timer based on current status
|
||||
interval := time.Duration(target.Config.Interval) * time.Second
|
||||
if target.Status == StatusUnhealthy {
|
||||
interval = time.Duration(target.Config.UnhealthyInterval) * time.Second
|
||||
}
|
||||
|
||||
logger.Debug("Target %d: initial check interval set to %v", target.Config.ID, interval)
|
||||
target.ticker = time.NewTicker(interval)
|
||||
defer target.ticker.Stop()
|
||||
target.timer = time.NewTimer(interval)
|
||||
defer target.timer.Stop()
|
||||
|
||||
for {
|
||||
select {
|
||||
case <-target.ctx.Done():
|
||||
logger.Info("Stopping health check monitoring for target %d", target.Config.ID)
|
||||
return
|
||||
case <-target.ticker.C:
|
||||
case <-target.timer.C:
|
||||
oldStatus := target.Status
|
||||
m.performHealthCheck(target)
|
||||
|
||||
// Update ticker interval if status changed
|
||||
// Update timer interval if status changed
|
||||
newInterval := time.Duration(target.Config.Interval) * time.Second
|
||||
if target.Status == StatusUnhealthy {
|
||||
newInterval = time.Duration(target.Config.UnhealthyInterval) * time.Second
|
||||
@@ -332,11 +371,12 @@ func (m *Monitor) monitorTarget(target *Target) {
|
||||
if newInterval != interval {
|
||||
logger.Debug("Target %d: updating check interval from %v to %v due to status change",
|
||||
target.Config.ID, interval, newInterval)
|
||||
target.ticker.Stop()
|
||||
target.ticker = time.NewTicker(newInterval)
|
||||
interval = newInterval
|
||||
}
|
||||
|
||||
// Reset timer for next check with current interval
|
||||
target.timer.Reset(interval)
|
||||
|
||||
// Notify callback if status changed
|
||||
if oldStatus != target.Status && m.callback != nil {
|
||||
logger.Info("Target %d status changed: %s -> %s",
|
||||
@@ -347,17 +387,77 @@ func (m *Monitor) monitorTarget(target *Target) {
|
||||
}
|
||||
}
|
||||
|
||||
// performHealthCheck performs a health check on a target
|
||||
// performHealthCheck performs a health check on a target and applies threshold logic
|
||||
func (m *Monitor) performHealthCheck(target *Target) {
|
||||
target.CheckCount++
|
||||
target.LastCheck = time.Now()
|
||||
target.LastError = ""
|
||||
|
||||
// Build URL
|
||||
url := fmt.Sprintf("%s://%s", target.Config.Scheme, target.Config.Hostname)
|
||||
if target.Config.Port > 0 {
|
||||
url = fmt.Sprintf("%s:%d", url, target.Config.Port)
|
||||
var passed bool
|
||||
var checkErr string
|
||||
|
||||
switch strings.ToLower(target.Config.Mode) {
|
||||
case "tcp":
|
||||
passed, checkErr = m.performTCPCheck(target)
|
||||
default:
|
||||
// "http", "https", or anything else falls through to HTTP
|
||||
passed, checkErr = m.performHTTPCheck(target)
|
||||
}
|
||||
|
||||
if passed {
|
||||
target.consecutiveFailures = 0
|
||||
target.consecutiveSuccesses++
|
||||
|
||||
logger.Debug("Target %d: check passed (consecutive successes: %d / threshold: %d)",
|
||||
target.Config.ID, target.consecutiveSuccesses, target.Config.HealthyThreshold)
|
||||
|
||||
if target.consecutiveSuccesses >= target.Config.HealthyThreshold {
|
||||
target.Status = StatusHealthy
|
||||
target.LastError = ""
|
||||
}
|
||||
} else {
|
||||
target.consecutiveSuccesses = 0
|
||||
target.consecutiveFailures++
|
||||
target.LastError = checkErr
|
||||
|
||||
logger.Debug("Target %d: check failed (consecutive failures: %d / threshold: %d): %s",
|
||||
target.Config.ID, target.consecutiveFailures, target.Config.UnhealthyThreshold, checkErr)
|
||||
|
||||
if target.consecutiveFailures >= target.Config.UnhealthyThreshold {
|
||||
target.Status = StatusUnhealthy
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// performTCPCheck dials the target's host:port over TCP and returns whether it succeeded
|
||||
func (m *Monitor) performTCPCheck(target *Target) (bool, string) {
|
||||
address := net.JoinHostPort(target.Config.Hostname, strconv.Itoa(target.Config.Port))
|
||||
timeout := time.Duration(target.Config.Timeout) * time.Second
|
||||
|
||||
logger.Debug("Target %d: performing TCP health check to %s (timeout: %v)",
|
||||
target.Config.ID, address, timeout)
|
||||
|
||||
ctx, cancel := context.WithTimeout(target.ctx, timeout)
|
||||
defer cancel()
|
||||
conn, err := (&net.Dialer{}).DialContext(ctx, "tcp", address)
|
||||
if err != nil {
|
||||
msg := fmt.Sprintf("TCP dial failed: %v", err)
|
||||
logger.Warn("Target %d: %s", target.Config.ID, msg)
|
||||
return false, msg
|
||||
}
|
||||
conn.Close()
|
||||
|
||||
logger.Debug("Target %d: TCP health check passed", target.Config.ID)
|
||||
return true, ""
|
||||
}
|
||||
|
||||
// performHTTPCheck performs an HTTP/HTTPS health check and returns whether it succeeded
|
||||
func (m *Monitor) performHTTPCheck(target *Target) (bool, string) {
|
||||
// Build URL (use net.JoinHostPort to properly handle IPv6 addresses with ports)
|
||||
host := target.Config.Hostname
|
||||
if target.Config.Port > 0 {
|
||||
host = net.JoinHostPort(target.Config.Hostname, strconv.Itoa(target.Config.Port))
|
||||
}
|
||||
url := fmt.Sprintf("%s://%s", target.Config.Scheme, host)
|
||||
if target.Config.Path != "" {
|
||||
if !strings.HasPrefix(target.Config.Path, "/") {
|
||||
url += "/"
|
||||
@@ -365,7 +465,7 @@ func (m *Monitor) performHealthCheck(target *Target) {
|
||||
url += target.Config.Path
|
||||
}
|
||||
|
||||
logger.Debug("Target %d: performing health check %d to %s",
|
||||
logger.Debug("Target %d: performing HTTP health check %d to %s",
|
||||
target.Config.ID, target.CheckCount, url)
|
||||
|
||||
if target.Config.Scheme == "https" {
|
||||
@@ -373,74 +473,59 @@ func (m *Monitor) performHealthCheck(target *Target) {
|
||||
target.Config.ID, m.enforceCert)
|
||||
}
|
||||
|
||||
// Create request
|
||||
ctx, cancel := context.WithTimeout(context.Background(), time.Duration(target.Config.Timeout)*time.Second)
|
||||
// Create request with timeout context, derived from the target's context so
|
||||
// that in-flight requests are cancelled immediately when the target is replaced.
|
||||
ctx, cancel := context.WithTimeout(target.ctx, time.Duration(target.Config.Timeout)*time.Second)
|
||||
defer cancel()
|
||||
|
||||
client := &http.Client{
|
||||
Transport: &http.Transport{
|
||||
TLSClientConfig: &tls.Config{
|
||||
// Configure TLS settings based on certificate enforcement
|
||||
InsecureSkipVerify: !m.enforceCert,
|
||||
// Use SNI TLS header if present
|
||||
ServerName: target.Config.TLSServerName,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, target.Config.Method, url, nil)
|
||||
if err != nil {
|
||||
target.Status = StatusUnhealthy
|
||||
target.LastError = fmt.Sprintf("failed to create request: %v", err)
|
||||
logger.Warn("Target %d: failed to create request: %v", target.Config.ID, err)
|
||||
return
|
||||
msg := fmt.Sprintf("failed to create request: %v", err)
|
||||
logger.Warn("Target %d: %s", target.Config.ID, msg)
|
||||
return false, msg
|
||||
}
|
||||
|
||||
// Add headers
|
||||
for key, value := range target.Config.Headers {
|
||||
req.Header.Set(key, value)
|
||||
// Handle Host header specially - it must be set on req.Host, not in headers
|
||||
if strings.EqualFold(key, "Host") {
|
||||
req.Host = value
|
||||
} else {
|
||||
req.Header.Set(key, value)
|
||||
}
|
||||
}
|
||||
|
||||
// Perform request
|
||||
resp, err := client.Do(req)
|
||||
resp, err := target.client.Do(req)
|
||||
if err != nil {
|
||||
target.Status = StatusUnhealthy
|
||||
target.LastError = fmt.Sprintf("request failed: %v", err)
|
||||
msg := fmt.Sprintf("request failed: %v", err)
|
||||
logger.Warn("Target %d: health check failed: %v", target.Config.ID, err)
|
||||
return
|
||||
return false, msg
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
// Check response status
|
||||
var expectedStatus int
|
||||
if target.Config.Status > 0 {
|
||||
expectedStatus = target.Config.Status
|
||||
} else {
|
||||
expectedStatus = 0 // Use range check for 200-299
|
||||
// Check for specific status code
|
||||
logger.Debug("Target %d: checking status against expected code %d", target.Config.ID, target.Config.Status)
|
||||
if resp.StatusCode == target.Config.Status {
|
||||
logger.Debug("Target %d: health check passed (status: %d)", target.Config.ID, resp.StatusCode)
|
||||
return true, ""
|
||||
}
|
||||
msg := fmt.Sprintf("unexpected status code: %d (expected: %d)", resp.StatusCode, target.Config.Status)
|
||||
logger.Warn("Target %d: %s", target.Config.ID, msg)
|
||||
return false, msg
|
||||
}
|
||||
|
||||
if expectedStatus > 0 {
|
||||
logger.Debug("Target %d: checking health status against expected code %d", target.Config.ID, expectedStatus)
|
||||
// Check for specific status code
|
||||
if resp.StatusCode == expectedStatus {
|
||||
target.Status = StatusHealthy
|
||||
logger.Debug("Target %d: health check passed (status: %d, expected: %d)", target.Config.ID, resp.StatusCode, expectedStatus)
|
||||
} else {
|
||||
target.Status = StatusUnhealthy
|
||||
target.LastError = fmt.Sprintf("unexpected status code: %d (expected: %d)", resp.StatusCode, expectedStatus)
|
||||
logger.Warn("Target %d: health check failed with status code %d (expected: %d)", target.Config.ID, resp.StatusCode, expectedStatus)
|
||||
}
|
||||
} else {
|
||||
// Check for 2xx range
|
||||
if resp.StatusCode >= 200 && resp.StatusCode < 300 {
|
||||
target.Status = StatusHealthy
|
||||
logger.Debug("Target %d: health check passed (status: %d)", target.Config.ID, resp.StatusCode)
|
||||
} else {
|
||||
target.Status = StatusUnhealthy
|
||||
target.LastError = fmt.Sprintf("unhealthy status code: %d", resp.StatusCode)
|
||||
logger.Warn("Target %d: health check failed with status code %d", target.Config.ID, resp.StatusCode)
|
||||
}
|
||||
// Default: check for 2xx range
|
||||
if resp.StatusCode >= 200 && resp.StatusCode < 300 {
|
||||
logger.Debug("Target %d: health check passed (status: %d)", target.Config.ID, resp.StatusCode)
|
||||
return true, ""
|
||||
}
|
||||
|
||||
msg := fmt.Sprintf("unhealthy status code: %d", resp.StatusCode)
|
||||
logger.Warn("Target %d: health check failed with status code %d", target.Config.ID, resp.StatusCode)
|
||||
return false, msg
|
||||
}
|
||||
|
||||
// Stop stops monitoring all targets
|
||||
@@ -507,7 +592,7 @@ func (m *Monitor) DisableTarget(id int) error {
|
||||
|
||||
// Notify callback of status change
|
||||
if m.callback != nil {
|
||||
go m.callback(m.GetTargets())
|
||||
go m.callback(m.getAllTargetsUnsafe())
|
||||
}
|
||||
} else {
|
||||
logger.Debug("Target %d is already disabled", id)
|
||||
@@ -515,3 +600,82 @@ func (m *Monitor) DisableTarget(id int) error {
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetTargetIDs returns a slice of all current target IDs
|
||||
func (m *Monitor) GetTargetIDs() []int {
|
||||
m.mutex.RLock()
|
||||
defer m.mutex.RUnlock()
|
||||
|
||||
ids := make([]int, 0, len(m.targets))
|
||||
for id := range m.targets {
|
||||
ids = append(ids, id)
|
||||
}
|
||||
return ids
|
||||
}
|
||||
|
||||
// SyncTargets synchronizes the current targets to match the desired set.
|
||||
// It removes targets not in the desired set and adds targets that are missing.
|
||||
func (m *Monitor) SyncTargets(desiredConfigs []Config) error {
|
||||
m.mutex.Lock()
|
||||
defer m.mutex.Unlock()
|
||||
|
||||
logger.Info("Syncing health check targets: %d desired targets", len(desiredConfigs))
|
||||
|
||||
// Build a set of desired target IDs
|
||||
desiredIDs := make(map[int]Config)
|
||||
for _, config := range desiredConfigs {
|
||||
desiredIDs[config.ID] = config
|
||||
}
|
||||
|
||||
// Find targets to remove (exist but not in desired set)
|
||||
var toRemove []int
|
||||
for id := range m.targets {
|
||||
if _, exists := desiredIDs[id]; !exists {
|
||||
toRemove = append(toRemove, id)
|
||||
}
|
||||
}
|
||||
|
||||
// Remove targets that are not in the desired set
|
||||
for _, id := range toRemove {
|
||||
logger.Info("Sync: removing health check target %d", id)
|
||||
if target, exists := m.targets[id]; exists {
|
||||
target.cancel()
|
||||
delete(m.targets, id)
|
||||
}
|
||||
}
|
||||
|
||||
// Add or update targets from the desired set
|
||||
var addedCount, updatedCount int
|
||||
for id, config := range desiredIDs {
|
||||
if existing, exists := m.targets[id]; exists {
|
||||
// Target exists - check if config changed and update if needed
|
||||
// For now, we'll replace it to ensure config is up to date
|
||||
logger.Debug("Sync: updating health check target %d", id)
|
||||
existing.cancel()
|
||||
delete(m.targets, id)
|
||||
if err := m.addTargetUnsafe(config); err != nil {
|
||||
logger.Error("Sync: failed to update target %d: %v", id, err)
|
||||
return fmt.Errorf("failed to update target %d: %v", id, err)
|
||||
}
|
||||
updatedCount++
|
||||
} else {
|
||||
// Target doesn't exist - add it
|
||||
logger.Debug("Sync: adding health check target %d", id)
|
||||
if err := m.addTargetUnsafe(config); err != nil {
|
||||
logger.Error("Sync: failed to add target %d: %v", id, err)
|
||||
return fmt.Errorf("failed to add target %d: %v", id, err)
|
||||
}
|
||||
addedCount++
|
||||
}
|
||||
}
|
||||
|
||||
logger.Info("Sync complete: removed %d, added %d, updated %d targets",
|
||||
len(toRemove), addedCount, updatedCount)
|
||||
|
||||
// Notify callback if any changes were made
|
||||
if (len(toRemove) > 0 || addedCount > 0 || updatedCount > 0) && m.callback != nil {
|
||||
go m.callback(m.getAllTargetsUnsafe())
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -4,6 +4,7 @@ import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net"
|
||||
"strconv"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
@@ -19,37 +20,49 @@ import (
|
||||
// ExitNode represents a WireGuard exit node for hole punching
|
||||
type ExitNode struct {
|
||||
Endpoint string `json:"endpoint"`
|
||||
RelayPort uint16 `json:"relayPort"`
|
||||
PublicKey string `json:"publicKey"`
|
||||
SiteIds []int `json:"siteIds,omitempty"`
|
||||
}
|
||||
|
||||
// Manager handles UDP hole punching operations
|
||||
type Manager struct {
|
||||
mu sync.Mutex
|
||||
running bool
|
||||
stopChan chan struct{}
|
||||
sharedBind *bind.SharedBind
|
||||
ID string
|
||||
token string
|
||||
publicKey string
|
||||
clientType string
|
||||
exitNodes map[string]ExitNode // key is endpoint
|
||||
updateChan chan struct{} // signals the goroutine to refresh exit nodes
|
||||
mu sync.Mutex
|
||||
running bool
|
||||
stopChan chan struct{}
|
||||
sharedBind *bind.SharedBind
|
||||
ID string
|
||||
token string
|
||||
publicKey string
|
||||
clientType string
|
||||
exitNodes map[string]ExitNode // key is endpoint
|
||||
updateChan chan struct{} // signals the goroutine to refresh exit nodes
|
||||
publicDNS []string
|
||||
|
||||
sendHolepunchInterval time.Duration
|
||||
sendHolepunchInterval time.Duration
|
||||
sendHolepunchIntervalMin time.Duration
|
||||
sendHolepunchIntervalMax time.Duration
|
||||
defaultIntervalMin time.Duration
|
||||
defaultIntervalMax time.Duration
|
||||
}
|
||||
|
||||
const sendHolepunchIntervalMax = 60 * time.Second
|
||||
const sendHolepunchIntervalMin = 1 * time.Second
|
||||
const defaultSendHolepunchIntervalMax = 60 * time.Second
|
||||
const defaultSendHolepunchIntervalMin = 1 * time.Second
|
||||
|
||||
// NewManager creates a new hole punch manager
|
||||
func NewManager(sharedBind *bind.SharedBind, ID string, clientType string, publicKey string) *Manager {
|
||||
func NewManager(sharedBind *bind.SharedBind, ID string, clientType string, publicKey string, publicDNS []string) *Manager {
|
||||
return &Manager{
|
||||
sharedBind: sharedBind,
|
||||
ID: ID,
|
||||
clientType: clientType,
|
||||
publicKey: publicKey,
|
||||
exitNodes: make(map[string]ExitNode),
|
||||
sendHolepunchInterval: sendHolepunchIntervalMin,
|
||||
sharedBind: sharedBind,
|
||||
ID: ID,
|
||||
clientType: clientType,
|
||||
publicKey: publicKey,
|
||||
publicDNS: publicDNS,
|
||||
exitNodes: make(map[string]ExitNode),
|
||||
sendHolepunchInterval: defaultSendHolepunchIntervalMin,
|
||||
sendHolepunchIntervalMin: defaultSendHolepunchIntervalMin,
|
||||
sendHolepunchIntervalMax: defaultSendHolepunchIntervalMax,
|
||||
defaultIntervalMin: defaultSendHolepunchIntervalMin,
|
||||
defaultIntervalMax: defaultSendHolepunchIntervalMax,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -140,6 +153,51 @@ func (m *Manager) RemoveExitNode(endpoint string) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
/*
|
||||
RemoveExitNodesByPeer removes the peer ID from the SiteIds list in each exit node.
|
||||
If the SiteIds list becomes empty after removal, the exit node is removed entirely.
|
||||
Returns the number of exit nodes removed.
|
||||
*/
|
||||
func (m *Manager) RemoveExitNodesByPeer(peerID int) int {
|
||||
m.mu.Lock()
|
||||
defer m.mu.Unlock()
|
||||
|
||||
removed := 0
|
||||
for endpoint, node := range m.exitNodes {
|
||||
// Remove peerID from SiteIds if present
|
||||
newSiteIds := make([]int, 0, len(node.SiteIds))
|
||||
for _, id := range node.SiteIds {
|
||||
if id != peerID {
|
||||
newSiteIds = append(newSiteIds, id)
|
||||
}
|
||||
}
|
||||
if len(newSiteIds) != len(node.SiteIds) {
|
||||
node.SiteIds = newSiteIds
|
||||
if len(node.SiteIds) == 0 {
|
||||
delete(m.exitNodes, endpoint)
|
||||
logger.Info("Removed exit node %s as no more site IDs remain after removing peer %d", endpoint, peerID)
|
||||
removed++
|
||||
} else {
|
||||
m.exitNodes[endpoint] = node
|
||||
logger.Info("Removed peer %d from exit node %s site IDs", peerID, endpoint)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if removed > 0 {
|
||||
// Signal the goroutine to refresh if running
|
||||
if m.running && m.updateChan != nil {
|
||||
select {
|
||||
case m.updateChan <- struct{}{}:
|
||||
default:
|
||||
// Channel full or closed, skip
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return removed
|
||||
}
|
||||
|
||||
// GetExitNodes returns a copy of the current exit nodes
|
||||
func (m *Manager) GetExitNodes() []ExitNode {
|
||||
m.mu.Lock()
|
||||
@@ -152,17 +210,46 @@ func (m *Manager) GetExitNodes() []ExitNode {
|
||||
return nodes
|
||||
}
|
||||
|
||||
// ResetInterval resets the hole punch interval back to the minimum value,
|
||||
// allowing it to climb back up through exponential backoff.
|
||||
// This is useful when network conditions change or connectivity is restored.
|
||||
func (m *Manager) ResetInterval() {
|
||||
// SetServerHolepunchInterval sets custom min and max intervals for hole punching.
|
||||
// This is useful for low power mode where longer intervals are desired.
|
||||
func (m *Manager) SetServerHolepunchInterval(min, max time.Duration) {
|
||||
m.mu.Lock()
|
||||
defer m.mu.Unlock()
|
||||
|
||||
if m.sendHolepunchInterval != sendHolepunchIntervalMin {
|
||||
m.sendHolepunchInterval = sendHolepunchIntervalMin
|
||||
logger.Info("Reset hole punch interval to minimum (%v)", sendHolepunchIntervalMin)
|
||||
m.sendHolepunchIntervalMin = min
|
||||
m.sendHolepunchIntervalMax = max
|
||||
m.sendHolepunchInterval = min
|
||||
|
||||
logger.Info("Set hole punch intervals: min=%v, max=%v", min, max)
|
||||
|
||||
// Signal the goroutine to apply the new interval if running
|
||||
if m.running && m.updateChan != nil {
|
||||
select {
|
||||
case m.updateChan <- struct{}{}:
|
||||
default:
|
||||
// Channel full or closed, skip
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// GetInterval returns the current min and max intervals
|
||||
func (m *Manager) GetServerHolepunchInterval() (min, max time.Duration) {
|
||||
m.mu.Lock()
|
||||
defer m.mu.Unlock()
|
||||
return m.sendHolepunchIntervalMin, m.sendHolepunchIntervalMax
|
||||
}
|
||||
|
||||
// ResetServerHolepunchInterval resets the hole punch interval back to the default values.
|
||||
// This restores normal operation after low power mode or other custom settings.
|
||||
func (m *Manager) ResetServerHolepunchInterval() {
|
||||
m.mu.Lock()
|
||||
defer m.mu.Unlock()
|
||||
|
||||
m.sendHolepunchIntervalMin = m.defaultIntervalMin
|
||||
m.sendHolepunchIntervalMax = m.defaultIntervalMax
|
||||
m.sendHolepunchInterval = m.defaultIntervalMin
|
||||
|
||||
logger.Info("Reset hole punch intervals to defaults: min=%v, max=%v", m.defaultIntervalMin, m.defaultIntervalMax)
|
||||
|
||||
// Signal the goroutine to apply the new interval if running
|
||||
if m.running && m.updateChan != nil {
|
||||
@@ -196,13 +283,19 @@ func (m *Manager) TriggerHolePunch() error {
|
||||
// Send hole punch to all exit nodes
|
||||
successCount := 0
|
||||
for _, exitNode := range currentExitNodes {
|
||||
host, err := util.ResolveDomain(exitNode.Endpoint)
|
||||
var host string
|
||||
var err error
|
||||
if len(m.publicDNS) > 0 {
|
||||
host, err = util.ResolveDomainUpstream(exitNode.Endpoint, m.publicDNS)
|
||||
} else {
|
||||
host, err = util.ResolveDomain(exitNode.Endpoint)
|
||||
}
|
||||
if err != nil {
|
||||
logger.Warn("Failed to resolve endpoint %s: %v", exitNode.Endpoint, err)
|
||||
continue
|
||||
}
|
||||
|
||||
serverAddr := net.JoinHostPort(host, "21820")
|
||||
serverAddr := net.JoinHostPort(host, strconv.Itoa(int(exitNode.RelayPort)))
|
||||
remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr)
|
||||
if err != nil {
|
||||
logger.Error("Failed to resolve UDP address %s: %v", serverAddr, err)
|
||||
@@ -247,7 +340,7 @@ func (m *Manager) StartMultipleExitNodes(exitNodes []ExitNode) error {
|
||||
m.updateChan = make(chan struct{}, 1)
|
||||
m.mu.Unlock()
|
||||
|
||||
logger.Info("Starting UDP hole punch to %d exit nodes with shared bind", len(exitNodes))
|
||||
logger.Debug("Starting UDP hole punch to %d exit nodes with shared bind", len(exitNodes))
|
||||
|
||||
go m.runMultipleExitNodes()
|
||||
|
||||
@@ -307,13 +400,19 @@ func (m *Manager) runMultipleExitNodes() {
|
||||
|
||||
var resolvedNodes []resolvedExitNode
|
||||
for _, exitNode := range currentExitNodes {
|
||||
host, err := util.ResolveDomain(exitNode.Endpoint)
|
||||
var host string
|
||||
var err error
|
||||
if len(m.publicDNS) > 0 {
|
||||
host, err = util.ResolveDomainUpstream(exitNode.Endpoint, m.publicDNS)
|
||||
} else {
|
||||
host, err = util.ResolveDomain(exitNode.Endpoint)
|
||||
}
|
||||
if err != nil {
|
||||
logger.Warn("Failed to resolve endpoint %s: %v", exitNode.Endpoint, err)
|
||||
continue
|
||||
}
|
||||
|
||||
serverAddr := net.JoinHostPort(host, "21820")
|
||||
serverAddr := net.JoinHostPort(host, strconv.Itoa(int(exitNode.RelayPort)))
|
||||
remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr)
|
||||
if err != nil {
|
||||
logger.Error("Failed to resolve UDP address %s: %v", serverAddr, err)
|
||||
@@ -325,7 +424,7 @@ func (m *Manager) runMultipleExitNodes() {
|
||||
publicKey: exitNode.PublicKey,
|
||||
endpointName: exitNode.Endpoint,
|
||||
})
|
||||
logger.Info("Resolved exit node: %s -> %s", exitNode.Endpoint, remoteAddr.String())
|
||||
logger.Debug("Resolved exit node: %s -> %s", exitNode.Endpoint, remoteAddr.String())
|
||||
}
|
||||
return resolvedNodes
|
||||
}
|
||||
@@ -345,7 +444,7 @@ func (m *Manager) runMultipleExitNodes() {
|
||||
|
||||
// Start with minimum interval
|
||||
m.mu.Lock()
|
||||
m.sendHolepunchInterval = sendHolepunchIntervalMin
|
||||
m.sendHolepunchInterval = m.sendHolepunchIntervalMin
|
||||
m.mu.Unlock()
|
||||
|
||||
ticker := time.NewTicker(m.sendHolepunchInterval)
|
||||
@@ -367,7 +466,7 @@ func (m *Manager) runMultipleExitNodes() {
|
||||
}
|
||||
// Reset interval to minimum on update
|
||||
m.mu.Lock()
|
||||
m.sendHolepunchInterval = sendHolepunchIntervalMin
|
||||
m.sendHolepunchInterval = m.sendHolepunchIntervalMin
|
||||
m.mu.Unlock()
|
||||
ticker.Reset(m.sendHolepunchInterval)
|
||||
// Send immediate hole punch to newly resolved nodes
|
||||
@@ -387,8 +486,8 @@ func (m *Manager) runMultipleExitNodes() {
|
||||
// Exponential backoff: double the interval up to max
|
||||
m.mu.Lock()
|
||||
newInterval := m.sendHolepunchInterval * 2
|
||||
if newInterval > sendHolepunchIntervalMax {
|
||||
newInterval = sendHolepunchIntervalMax
|
||||
if newInterval > m.sendHolepunchIntervalMax {
|
||||
newInterval = m.sendHolepunchIntervalMax
|
||||
}
|
||||
if newInterval != m.sendHolepunchInterval {
|
||||
m.sendHolepunchInterval = newInterval
|
||||
|
||||
@@ -41,18 +41,30 @@ func DefaultTestOptions() TestConnectionOptions {
|
||||
}
|
||||
}
|
||||
|
||||
// cachedAddr holds a cached resolved UDP address
|
||||
type cachedAddr struct {
|
||||
addr *net.UDPAddr
|
||||
resolvedAt time.Time
|
||||
}
|
||||
|
||||
// HolepunchTester monitors holepunch connectivity using magic packets
|
||||
type HolepunchTester struct {
|
||||
sharedBind *bind.SharedBind
|
||||
mu sync.RWMutex
|
||||
running bool
|
||||
stopChan chan struct{}
|
||||
sharedBind *bind.SharedBind
|
||||
publicDNS []string
|
||||
mu sync.RWMutex
|
||||
running bool
|
||||
stopChan chan struct{}
|
||||
|
||||
// Pending requests waiting for responses (key: echo data as string)
|
||||
pendingRequests sync.Map // map[string]*pendingRequest
|
||||
|
||||
// Callback when connection status changes
|
||||
callback HolepunchStatusCallback
|
||||
|
||||
// Address cache to avoid repeated DNS/UDP resolution
|
||||
addrCache map[string]*cachedAddr
|
||||
addrCacheMu sync.RWMutex
|
||||
addrCacheTTL time.Duration // How long cached addresses are valid
|
||||
}
|
||||
|
||||
// HolepunchStatus represents the status of a holepunch connection
|
||||
@@ -73,9 +85,12 @@ type pendingRequest struct {
|
||||
}
|
||||
|
||||
// NewHolepunchTester creates a new holepunch tester using the given SharedBind
|
||||
func NewHolepunchTester(sharedBind *bind.SharedBind) *HolepunchTester {
|
||||
func NewHolepunchTester(sharedBind *bind.SharedBind, publicDNS []string) *HolepunchTester {
|
||||
return &HolepunchTester{
|
||||
sharedBind: sharedBind,
|
||||
sharedBind: sharedBind,
|
||||
publicDNS: publicDNS,
|
||||
addrCache: make(map[string]*cachedAddr),
|
||||
addrCacheTTL: 5 * time.Minute, // Cache addresses for 5 minutes
|
||||
}
|
||||
}
|
||||
|
||||
@@ -135,12 +150,76 @@ func (t *HolepunchTester) Stop() {
|
||||
return true
|
||||
})
|
||||
|
||||
// Clear address cache
|
||||
t.addrCacheMu.Lock()
|
||||
t.addrCache = make(map[string]*cachedAddr)
|
||||
t.addrCacheMu.Unlock()
|
||||
|
||||
logger.Debug("HolepunchTester stopped")
|
||||
}
|
||||
|
||||
// resolveEndpoint resolves an endpoint to a UDP address, using cache when possible
|
||||
func (t *HolepunchTester) resolveEndpoint(endpoint string) (*net.UDPAddr, error) {
|
||||
// Check cache first
|
||||
t.addrCacheMu.RLock()
|
||||
cached, ok := t.addrCache[endpoint]
|
||||
ttl := t.addrCacheTTL
|
||||
t.addrCacheMu.RUnlock()
|
||||
|
||||
if ok && time.Since(cached.resolvedAt) < ttl {
|
||||
return cached.addr, nil
|
||||
}
|
||||
|
||||
// Resolve the endpoint
|
||||
var host string
|
||||
var err error
|
||||
if len(t.publicDNS) > 0 {
|
||||
host, err = util.ResolveDomainUpstream(endpoint, t.publicDNS)
|
||||
} else {
|
||||
host, err = util.ResolveDomain(endpoint)
|
||||
}
|
||||
if err != nil {
|
||||
host = endpoint
|
||||
}
|
||||
|
||||
_, _, err = net.SplitHostPort(host)
|
||||
if err != nil {
|
||||
host = net.JoinHostPort(host, "21820")
|
||||
}
|
||||
|
||||
remoteAddr, err := net.ResolveUDPAddr("udp", host)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to resolve UDP address %s: %w", host, err)
|
||||
}
|
||||
|
||||
// Cache the result
|
||||
t.addrCacheMu.Lock()
|
||||
t.addrCache[endpoint] = &cachedAddr{
|
||||
addr: remoteAddr,
|
||||
resolvedAt: time.Now(),
|
||||
}
|
||||
t.addrCacheMu.Unlock()
|
||||
|
||||
return remoteAddr, nil
|
||||
}
|
||||
|
||||
// InvalidateCache removes a specific endpoint from the address cache
|
||||
func (t *HolepunchTester) InvalidateCache(endpoint string) {
|
||||
t.addrCacheMu.Lock()
|
||||
delete(t.addrCache, endpoint)
|
||||
t.addrCacheMu.Unlock()
|
||||
}
|
||||
|
||||
// ClearCache clears all cached addresses
|
||||
func (t *HolepunchTester) ClearCache() {
|
||||
t.addrCacheMu.Lock()
|
||||
t.addrCache = make(map[string]*cachedAddr)
|
||||
t.addrCacheMu.Unlock()
|
||||
}
|
||||
|
||||
// handleResponse is called by SharedBind when a magic response is received
|
||||
func (t *HolepunchTester) handleResponse(addr netip.AddrPort, echoData []byte) {
|
||||
logger.Debug("Received magic response from %s", addr.String())
|
||||
// logger.Debug("Received magic response from %s", addr.String())
|
||||
key := string(echoData)
|
||||
|
||||
value, ok := t.pendingRequests.LoadAndDelete(key)
|
||||
@@ -152,7 +231,7 @@ func (t *HolepunchTester) handleResponse(addr netip.AddrPort, echoData []byte) {
|
||||
|
||||
req := value.(*pendingRequest)
|
||||
rtt := time.Since(req.sentAt)
|
||||
logger.Debug("Magic response matched pending request for %s (RTT: %v)", req.endpoint, rtt)
|
||||
// logger.Debug("Magic response matched pending request for %s (RTT: %v)", req.endpoint, rtt)
|
||||
|
||||
// Send RTT to the waiting goroutine (non-blocking)
|
||||
select {
|
||||
@@ -183,20 +262,10 @@ func (t *HolepunchTester) TestEndpoint(endpoint string, timeout time.Duration) T
|
||||
return result
|
||||
}
|
||||
|
||||
// Resolve the endpoint
|
||||
host, err := util.ResolveDomain(endpoint)
|
||||
// Resolve the endpoint (using cache)
|
||||
remoteAddr, err := t.resolveEndpoint(endpoint)
|
||||
if err != nil {
|
||||
host = endpoint
|
||||
}
|
||||
|
||||
_, _, err = net.SplitHostPort(host)
|
||||
if err != nil {
|
||||
host = net.JoinHostPort(host, "21820")
|
||||
}
|
||||
|
||||
remoteAddr, err := net.ResolveUDPAddr("udp", host)
|
||||
if err != nil {
|
||||
result.Error = fmt.Errorf("failed to resolve UDP address %s: %w", host, err)
|
||||
result.Error = err
|
||||
return result
|
||||
}
|
||||
|
||||
|
||||
158
nativessh/auth.go
Normal file
158
nativessh/auth.go
Normal file
@@ -0,0 +1,158 @@
|
||||
package nativessh
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"fmt"
|
||||
"net"
|
||||
"os"
|
||||
"os/user"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
||||
type staticConnMeta struct {
|
||||
user string
|
||||
}
|
||||
|
||||
func (m staticConnMeta) User() string { return m.user }
|
||||
func (m staticConnMeta) SessionID() []byte { return nil }
|
||||
func (m staticConnMeta) ClientVersion() []byte { return nil }
|
||||
func (m staticConnMeta) ServerVersion() []byte { return nil }
|
||||
func (m staticConnMeta) RemoteAddr() net.Addr { return nil }
|
||||
func (m staticConnMeta) LocalAddr() net.Addr { return nil }
|
||||
|
||||
// CheckAuthorizedKeys reports whether key matches any entry in the system
|
||||
// user's ~/.ssh/authorized_keys file. Returns false (not an error) when the
|
||||
// user or file does not exist.
|
||||
func CheckAuthorizedKeys(username string, key ssh.PublicKey) bool {
|
||||
u, err := user.Lookup(username)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
f, err := os.Open(filepath.Join(u.HomeDir, ".ssh", "authorized_keys"))
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
want := ssh.FingerprintSHA256(key)
|
||||
scanner := bufio.NewScanner(f)
|
||||
for scanner.Scan() {
|
||||
line := strings.TrimSpace(scanner.Text())
|
||||
if line == "" || strings.HasPrefix(line, "#") {
|
||||
continue
|
||||
}
|
||||
parsed, _, _, _, err := ssh.ParseAuthorizedKey([]byte(line))
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
if ssh.FingerprintSHA256(parsed) == want {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// SystemUserExists reports whether a user account with the given name exists
|
||||
// on the host OS.
|
||||
func SystemUserExists(username string) bool {
|
||||
_, err := user.Lookup(username)
|
||||
return err == nil
|
||||
}
|
||||
|
||||
// Authenticate authenticates a user for a browser-based native SSH session.
|
||||
// It tries, in order:
|
||||
// 1. Private key — parses privateKeyPEM and checks it against the user's
|
||||
// ~/.ssh/authorized_keys.
|
||||
// 2. Password — verifies password via the host OS PAM stack (Linux only).
|
||||
//
|
||||
// Returns nil on the first method that succeeds, or an error if all fail.
|
||||
func Authenticate(username, password, privateKeyPEM string) error {
|
||||
return AuthenticateWithCertificate(nil, username, password, privateKeyPEM, "")
|
||||
}
|
||||
|
||||
// AuthenticateWithCertificate authenticates a user for a browser-based native
|
||||
// SSH session using the same method ordering as the native SSH server:
|
||||
// 1. Private key in host ~/.ssh/authorized_keys.
|
||||
// 2. SSH certificate signed by the configured CA (when provided).
|
||||
// 3. Password via host PAM stack.
|
||||
func AuthenticateWithCertificate(store *CredentialStore, username, password, privateKeyPEM, certificate string) error {
|
||||
logger.Debug("nativessh: authenticating user %q (hasPassword=%v, hasPrivateKey=%v)", username, password != "", privateKeyPEM != "")
|
||||
if !SystemUserExists(username) {
|
||||
logger.Debug("nativessh: user %q not found on system", username)
|
||||
return fmt.Errorf("user %q does not exist", username)
|
||||
}
|
||||
|
||||
var signer ssh.Signer
|
||||
if privateKeyPEM != "" {
|
||||
parsedSigner, err := ssh.ParsePrivateKey([]byte(privateKeyPEM))
|
||||
if err != nil {
|
||||
logger.Debug("nativessh: failed to parse private key for %q: %v", username, err)
|
||||
} else if CheckAuthorizedKeys(username, parsedSigner.PublicKey()) {
|
||||
logger.Debug("nativessh: private key auth succeeded for %q", username)
|
||||
return nil
|
||||
} else {
|
||||
signer = parsedSigner
|
||||
logger.Debug("nativessh: private key not in authorized_keys for %q", username)
|
||||
}
|
||||
}
|
||||
|
||||
if store != nil && certificate != "" {
|
||||
if signer == nil {
|
||||
logger.Debug("nativessh: certificate provided for %q but no matching private key was provided", username)
|
||||
} else {
|
||||
pub, _, _, _, err := ssh.ParseAuthorizedKey([]byte(certificate))
|
||||
if err != nil {
|
||||
logger.Debug("nativessh: failed to parse certificate for %q: %v", username, err)
|
||||
} else {
|
||||
cert, ok := pub.(*ssh.Certificate)
|
||||
if !ok {
|
||||
logger.Debug("nativessh: provided cert data for %q is not an SSH certificate", username)
|
||||
} else if ssh.FingerprintSHA256(cert.Key) != ssh.FingerprintSHA256(signer.PublicKey()) {
|
||||
logger.Debug("nativessh: certificate key mismatch for %q", username)
|
||||
} else {
|
||||
caKey, userPrincipals := store.get(username)
|
||||
if caKey == nil {
|
||||
logger.Debug("nativessh: CA key is not set for certificate auth user %q", username)
|
||||
} else if len(userPrincipals) == 0 {
|
||||
logger.Debug("nativessh: no allowed principals found for certificate auth user %q", username)
|
||||
} else {
|
||||
checker := &ssh.CertChecker{
|
||||
IsUserAuthority: func(auth ssh.PublicKey) bool {
|
||||
return ssh.FingerprintSHA256(auth) == ssh.FingerprintSHA256(caKey)
|
||||
},
|
||||
}
|
||||
|
||||
var lastErr error
|
||||
for principal := range userPrincipals {
|
||||
_, authErr := checker.Authenticate(staticConnMeta{user: principal}, cert)
|
||||
if authErr == nil {
|
||||
logger.Debug("nativessh: certificate auth succeeded for %q (principal=%q)", username, principal)
|
||||
return nil
|
||||
}
|
||||
lastErr = authErr
|
||||
}
|
||||
if lastErr != nil {
|
||||
logger.Debug("nativessh: certificate auth failed for %q: %v", username, lastErr)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if password != "" {
|
||||
if err := VerifySystemPassword(username, password); err != nil {
|
||||
logger.Debug("nativessh: password auth failed for %q: %v", username, err)
|
||||
} else {
|
||||
logger.Debug("nativessh: password auth succeeded for %q", username)
|
||||
return nil
|
||||
}
|
||||
} else {
|
||||
logger.Debug("nativessh: no password provided for %q", username)
|
||||
}
|
||||
return fmt.Errorf("authentication failed for user %q", username)
|
||||
}
|
||||
99
nativessh/pam_linux.go
Normal file
99
nativessh/pam_linux.go
Normal file
@@ -0,0 +1,99 @@
|
||||
//go:build linux
|
||||
|
||||
package nativessh
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
"github.com/go-crypt/crypt"
|
||||
"github.com/go-crypt/x/yescrypt"
|
||||
)
|
||||
|
||||
// VerifySystemPassword authenticates username/password by reading /etc/shadow.
|
||||
// Supports yescrypt ($y$), bcrypt ($2b$/$2a$/$2y$), SHA-512 ($6$), SHA-256
|
||||
// ($5$), argon2, scrypt, and other schemes handled by go-crypt/crypt.
|
||||
func VerifySystemPassword(username, password string) error {
|
||||
hash, err := readShadowHash(username)
|
||||
if err != nil {
|
||||
logger.Debug("nativessh/pam: readShadowHash for %q failed: %v", username, err)
|
||||
return fmt.Errorf("shadow: %w", err)
|
||||
}
|
||||
|
||||
// Log the scheme prefix only (never the full hash).
|
||||
scheme := "unknown"
|
||||
for _, prefix := range []string{"$y$", "$2a$", "$2b$", "$2y$", "$6$", "$5$", "$1$"} {
|
||||
if strings.HasPrefix(hash, prefix) {
|
||||
scheme = prefix
|
||||
break
|
||||
}
|
||||
}
|
||||
logger.Debug("nativessh/pam: verifying password for %q using scheme %s", username, scheme)
|
||||
|
||||
// Yescrypt ($y$) is not in go-crypt/crypt's default decoder; handle it directly.
|
||||
if strings.HasPrefix(hash, "$y$") {
|
||||
computed, err := yescrypt.Hash([]byte(password), []byte(hash))
|
||||
if err != nil {
|
||||
logger.Debug("nativessh/pam: yescrypt.Hash for %q failed: %v", username, err)
|
||||
return fmt.Errorf("yescrypt: %w", err)
|
||||
}
|
||||
if !bytes.Equal(computed, []byte(hash)) {
|
||||
logger.Debug("nativessh/pam: yescrypt mismatch for %q", username)
|
||||
return errors.New("authentication failed")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
decoder, err := crypt.NewDefaultDecoder()
|
||||
if err != nil {
|
||||
return fmt.Errorf("crypt decoder: %w", err)
|
||||
}
|
||||
|
||||
digest, err := decoder.Decode(hash)
|
||||
if err != nil {
|
||||
logger.Debug("nativessh/pam: failed to decode hash for %q: %v", username, err)
|
||||
return fmt.Errorf("unsupported password hash scheme %q: %w", scheme, err)
|
||||
}
|
||||
|
||||
match, err := digest.MatchAdvanced(password)
|
||||
if err != nil {
|
||||
logger.Debug("nativessh/pam: MatchAdvanced for %q failed: %v", username, err)
|
||||
return err
|
||||
}
|
||||
if !match {
|
||||
logger.Debug("nativessh/pam: password mismatch for %q", username)
|
||||
return errors.New("authentication failed")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// readShadowHash reads /etc/shadow and returns the password hash for username.
|
||||
func readShadowHash(username string) (string, error) {
|
||||
f, err := os.Open("/etc/shadow")
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
scanner := bufio.NewScanner(f)
|
||||
for scanner.Scan() {
|
||||
fields := strings.SplitN(scanner.Text(), ":", 3)
|
||||
if len(fields) < 2 || fields[0] != username {
|
||||
continue
|
||||
}
|
||||
h := fields[1]
|
||||
if h == "" || h == "*" || strings.HasPrefix(h, "!") || h == "x" {
|
||||
return "", errors.New("account locked or has no password")
|
||||
}
|
||||
return h, nil
|
||||
}
|
||||
if err := scanner.Err(); err != nil {
|
||||
return "", err
|
||||
}
|
||||
return "", errors.New("user not found in shadow database")
|
||||
}
|
||||
11
nativessh/pam_other.go
Normal file
11
nativessh/pam_other.go
Normal file
@@ -0,0 +1,11 @@
|
||||
//go:build !linux
|
||||
|
||||
package nativessh
|
||||
|
||||
import "errors"
|
||||
|
||||
// VerifySystemPassword is not supported on non-Linux platforms; it always
|
||||
// returns an error so that password authentication is never accepted.
|
||||
func VerifySystemPassword(username, password string) error {
|
||||
return errors.New("password authentication not supported on this platform")
|
||||
}
|
||||
130
nativessh/pty.go
Normal file
130
nativessh/pty.go
Normal file
@@ -0,0 +1,130 @@
|
||||
//go:build !windows
|
||||
|
||||
package nativessh
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/creack/pty"
|
||||
)
|
||||
|
||||
// PTYSession is a running shell process attached to a PTY.
|
||||
// It implements io.ReadWriteCloser so it can be bridged to any transport.
|
||||
type PTYSession struct {
|
||||
ptmx *os.File
|
||||
cmd *exec.Cmd
|
||||
waitOnce sync.Once
|
||||
exitCode int
|
||||
}
|
||||
|
||||
// findShell returns the path to the best available interactive shell by
|
||||
// checking preferred shells in order, falling back to /bin/sh.
|
||||
func findShell() string {
|
||||
preferred := []string{"zsh", "bash", "fish", "ksh", "sh"}
|
||||
for _, name := range preferred {
|
||||
if path, err := exec.LookPath(name); err == nil {
|
||||
return path
|
||||
}
|
||||
}
|
||||
return "/bin/sh"
|
||||
}
|
||||
|
||||
// userShell returns the login shell configured for u in /etc/passwd.
|
||||
// If the field is empty or the binary does not exist, it falls back to
|
||||
// findShell so there is always a usable shell.
|
||||
func userShell(u *user.User) string {
|
||||
if shell := passwdShell(u.Username); shell != "" {
|
||||
if _, err := exec.LookPath(shell); err == nil {
|
||||
return shell
|
||||
}
|
||||
}
|
||||
return findShell()
|
||||
}
|
||||
|
||||
// passwdShell reads /etc/passwd and returns the login shell for the named user.
|
||||
// Returns "" if the user is not found or the file cannot be read.
|
||||
func passwdShell(username string) string {
|
||||
f, err := os.Open("/etc/passwd")
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
defer f.Close()
|
||||
scanner := bufio.NewScanner(f)
|
||||
for scanner.Scan() {
|
||||
line := scanner.Text()
|
||||
if line == "" || line[0] == '#' {
|
||||
continue
|
||||
}
|
||||
// Fields: username:password:uid:gid:gecos:home:shell
|
||||
fields := strings.SplitN(line, ":", 7)
|
||||
if len(fields) == 7 && fields[0] == username {
|
||||
return fields[6]
|
||||
}
|
||||
}
|
||||
_ = scanner.Err()
|
||||
return ""
|
||||
}
|
||||
|
||||
// NewPTYSession spawns the best available shell in a PTY.
|
||||
func NewPTYSession() (*PTYSession, error) {
|
||||
shell := findShell()
|
||||
cmd := exec.Command(shell)
|
||||
cmd.Env = append(os.Environ(), "TERM=xterm-256color")
|
||||
ptmx, err := pty.Start(cmd)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("pty start: %w", err)
|
||||
}
|
||||
return &PTYSession{ptmx: ptmx, cmd: cmd}, nil
|
||||
}
|
||||
|
||||
// Read reads output from the PTY.
|
||||
func (p *PTYSession) Read(b []byte) (int, error) {
|
||||
return p.ptmx.Read(b)
|
||||
}
|
||||
|
||||
// Write writes input to the PTY.
|
||||
func (p *PTYSession) Write(b []byte) (int, error) {
|
||||
return p.ptmx.Write(b)
|
||||
}
|
||||
|
||||
// Resize changes the PTY window size.
|
||||
func (p *PTYSession) Resize(cols, rows uint16) error {
|
||||
return pty.Setsize(p.ptmx, &pty.Winsize{Cols: cols, Rows: rows})
|
||||
}
|
||||
|
||||
// wait waits for the child process to exit exactly once and records its exit
|
||||
// code. Safe to call concurrently or multiple times.
|
||||
func (p *PTYSession) wait() {
|
||||
p.waitOnce.Do(func() {
|
||||
err := p.cmd.Wait()
|
||||
if err != nil {
|
||||
var exitErr *exec.ExitError
|
||||
if errors.As(err, &exitErr) {
|
||||
p.exitCode = exitErr.ExitCode()
|
||||
return
|
||||
}
|
||||
p.exitCode = 1
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
// ExitCode waits for the shell process to exit and returns its exit code.
|
||||
// It is safe to call before or after Close.
|
||||
func (p *PTYSession) ExitCode() int {
|
||||
p.wait()
|
||||
return p.exitCode
|
||||
}
|
||||
|
||||
// Close closes the PTY and waits for the child process to exit.
|
||||
func (p *PTYSession) Close() error {
|
||||
err := p.ptmx.Close()
|
||||
p.wait()
|
||||
return err
|
||||
}
|
||||
78
nativessh/pty_unix.go
Normal file
78
nativessh/pty_unix.go
Normal file
@@ -0,0 +1,78 @@
|
||||
//go:build !windows
|
||||
|
||||
package nativessh
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"strconv"
|
||||
"syscall"
|
||||
|
||||
"github.com/creack/pty"
|
||||
)
|
||||
|
||||
// NewPTYSessionAs spawns an interactive shell in a PTY running as the given
|
||||
// system user. The calling process must have sufficient privileges (typically
|
||||
// root / CAP_SETUID) to switch to a different UID/GID.
|
||||
func NewPTYSessionAs(username string) (*PTYSession, error) {
|
||||
u, err := user.Lookup(username)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("user lookup %q: %w", username, err)
|
||||
}
|
||||
uid, err := strconv.ParseUint(u.Uid, 10, 32)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("parse uid: %w", err)
|
||||
}
|
||||
gid, err := strconv.ParseUint(u.Gid, 10, 32)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("parse gid: %w", err)
|
||||
}
|
||||
|
||||
// Collect supplementary group IDs.
|
||||
groupIDs, err := u.GroupIds()
|
||||
if err != nil {
|
||||
groupIDs = []string{}
|
||||
}
|
||||
var groups []uint32
|
||||
for _, g := range groupIDs {
|
||||
gval, err := strconv.ParseUint(g, 10, 32)
|
||||
if err == nil {
|
||||
groups = append(groups, uint32(gval))
|
||||
}
|
||||
}
|
||||
|
||||
shell := userShell(u)
|
||||
|
||||
// Prefer the user's home directory as the working directory, but fall back
|
||||
// to / if it does not exist (e.g. useradd was run without -m).
|
||||
homeDir := u.HomeDir
|
||||
if _, err := os.Stat(homeDir); err != nil {
|
||||
homeDir = "/"
|
||||
}
|
||||
|
||||
cmd := exec.Command(shell, "--login")
|
||||
cmd.Env = []string{
|
||||
"TERM=xterm-256color",
|
||||
"HOME=" + u.HomeDir,
|
||||
"USER=" + username,
|
||||
"LOGNAME=" + username,
|
||||
"SHELL=" + shell,
|
||||
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
||||
}
|
||||
cmd.Dir = homeDir
|
||||
cmd.SysProcAttr = &syscall.SysProcAttr{
|
||||
Credential: &syscall.Credential{
|
||||
Uid: uint32(uid),
|
||||
Gid: uint32(gid),
|
||||
Groups: groups,
|
||||
},
|
||||
}
|
||||
|
||||
ptmx, err := pty.Start(cmd)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("pty start: %w", err)
|
||||
}
|
||||
return &PTYSession{ptmx: ptmx, cmd: cmd}, nil
|
||||
}
|
||||
467
nativessh/server.go
Normal file
467
nativessh/server.go
Normal file
@@ -0,0 +1,467 @@
|
||||
//go:build !windows
|
||||
|
||||
package nativessh
|
||||
|
||||
import (
|
||||
"crypto/ed25519"
|
||||
"crypto/rand"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"syscall"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
||||
// CredentialStore holds in-memory SSH credentials that can be updated at runtime.
|
||||
// It is safe for concurrent use.
|
||||
type CredentialStore struct {
|
||||
mu sync.RWMutex
|
||||
caKey ssh.PublicKey
|
||||
principals map[string]map[string]struct{} // username -> set of allowed principals
|
||||
}
|
||||
|
||||
// connMetaWithUser wraps ConnMetadata while overriding User() for cert checks.
|
||||
type connMetaWithUser struct {
|
||||
ssh.ConnMetadata
|
||||
user string
|
||||
}
|
||||
|
||||
func (m connMetaWithUser) User() string { return m.user }
|
||||
|
||||
// NewCredentialStore returns an empty, ready-to-use CredentialStore.
|
||||
func NewCredentialStore() *CredentialStore {
|
||||
return &CredentialStore{
|
||||
principals: make(map[string]map[string]struct{}),
|
||||
}
|
||||
}
|
||||
|
||||
// SetCAKey parses and stores the CA public key from authorized_keys-format data.
|
||||
func (s *CredentialStore) SetCAKey(authorizedKeyData string) error {
|
||||
key, _, _, _, err := ssh.ParseAuthorizedKey([]byte(authorizedKeyData))
|
||||
if err != nil {
|
||||
return fmt.Errorf("parse CA key: %w", err)
|
||||
}
|
||||
s.mu.Lock()
|
||||
s.caKey = key
|
||||
s.mu.Unlock()
|
||||
return nil
|
||||
}
|
||||
|
||||
// AddPrincipals records username and niceId as allowed principals for username.
|
||||
// Both values are stored; either can appear in the certificate's ValidPrincipals
|
||||
// field to satisfy the standard cert-auth principal check.
|
||||
func (s *CredentialStore) AddPrincipals(username, niceId string) {
|
||||
username = strings.TrimSpace(username)
|
||||
niceId = strings.TrimSpace(niceId)
|
||||
if username == "" {
|
||||
return
|
||||
}
|
||||
s.mu.Lock()
|
||||
defer s.mu.Unlock()
|
||||
if s.principals[username] == nil {
|
||||
s.principals[username] = make(map[string]struct{})
|
||||
}
|
||||
s.principals[username][username] = struct{}{}
|
||||
if niceId != "" {
|
||||
s.principals[username][niceId] = struct{}{}
|
||||
}
|
||||
}
|
||||
|
||||
// get returns the CA key and the principal set for username under a read lock.
|
||||
func (s *CredentialStore) get(username string) (ssh.PublicKey, map[string]struct{}) {
|
||||
s.mu.RLock()
|
||||
defer s.mu.RUnlock()
|
||||
return s.caKey, s.principals[username]
|
||||
}
|
||||
|
||||
// ServerConfig holds configuration for the native SSH server.
|
||||
type ServerConfig struct {
|
||||
// ListenAddr is the TCP address to listen on. Defaults to ":2222".
|
||||
ListenAddr string
|
||||
// Credentials provides in-memory CA key and per-user principals.
|
||||
// Updates to the store are reflected immediately for new connections.
|
||||
// If nil or the store has no CA key set, all connections are rejected.
|
||||
Credentials *CredentialStore
|
||||
}
|
||||
|
||||
// Server is a simple SSH server that authenticates clients via SSH certificate
|
||||
// auth only. Certificates must be signed by the configured CA and the
|
||||
// connecting username must appear in both the certificate's principal list and
|
||||
// the local principals file.
|
||||
type Server struct {
|
||||
cfg ServerConfig
|
||||
}
|
||||
|
||||
// NewServer creates a new Server. The ListenAddr defaults to ":2222" when empty.
|
||||
func NewServer(cfg ServerConfig) *Server {
|
||||
if cfg.ListenAddr == "" {
|
||||
cfg.ListenAddr = ":2222"
|
||||
}
|
||||
return &Server{cfg: cfg}
|
||||
}
|
||||
|
||||
// buildSSHConfig builds the ssh.ServerConfig with multi-method authentication:
|
||||
// 1. Public key: host ~/.ssh/authorized_keys, then CA certificate.
|
||||
// 2. Password: system PAM stack (Linux only).
|
||||
func (s *Server) buildSSHConfig() (*ssh.ServerConfig, error) {
|
||||
hostSigner, err := generateHostKey()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("host key: %w", err)
|
||||
}
|
||||
cfg := &ssh.ServerConfig{
|
||||
PublicKeyCallback: makePublicKeyCallback(s.cfg.Credentials),
|
||||
PasswordCallback: makePasswordCallback(),
|
||||
}
|
||||
cfg.AddHostKey(hostSigner)
|
||||
return cfg, nil
|
||||
}
|
||||
|
||||
// Serve accepts connections on ln and handles them. It returns when ln is
|
||||
// closed or a non-temporary Accept error occurs.
|
||||
func (s *Server) Serve(ln net.Listener) error {
|
||||
sshCfg, err := s.buildSSHConfig()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
logger.Debug("nativessh: server listening on %s", ln.Addr())
|
||||
for {
|
||||
conn, err := ln.Accept()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
go s.handleConn(conn, sshCfg)
|
||||
}
|
||||
}
|
||||
|
||||
// ListenAndServe starts the SSH server on the host network and blocks until
|
||||
// the listener is closed.
|
||||
func (s *Server) ListenAndServe() error {
|
||||
ln, err := net.Listen("tcp", s.cfg.ListenAddr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("listen %s: %w", s.cfg.ListenAddr, err)
|
||||
}
|
||||
defer ln.Close()
|
||||
return s.Serve(ln)
|
||||
}
|
||||
|
||||
func (s *Server) handleConn(conn net.Conn, cfg *ssh.ServerConfig) {
|
||||
defer conn.Close()
|
||||
sshConn, chans, reqs, err := ssh.NewServerConn(conn, cfg)
|
||||
if err != nil {
|
||||
logger.Debug("nativessh: handshake failed from %s: %v", conn.RemoteAddr(), err)
|
||||
return
|
||||
}
|
||||
defer sshConn.Close()
|
||||
logger.Debug("nativessh: connection from %s user=%s", conn.RemoteAddr(), sshConn.User())
|
||||
|
||||
go ssh.DiscardRequests(reqs)
|
||||
|
||||
for newChan := range chans {
|
||||
if newChan.ChannelType() != "session" {
|
||||
_ = newChan.Reject(ssh.UnknownChannelType, "unknown channel type")
|
||||
continue
|
||||
}
|
||||
ch, requests, err := newChan.Accept()
|
||||
if err != nil {
|
||||
logger.Debug("nativessh: channel accept error: %v", err)
|
||||
return
|
||||
}
|
||||
go s.handleSession(ch, requests, sshConn.User())
|
||||
}
|
||||
}
|
||||
|
||||
// handleSession drives a single SSH session channel. It waits for a pty-req
|
||||
// followed by a shell request and then bridges the PTY to the channel.
|
||||
func (s *Server) handleSession(ch ssh.Channel, requests <-chan *ssh.Request, username string) {
|
||||
defer ch.Close()
|
||||
|
||||
var (
|
||||
sess *PTYSession
|
||||
started bool
|
||||
)
|
||||
|
||||
for req := range requests {
|
||||
switch req.Type {
|
||||
case "pty-req":
|
||||
var err error
|
||||
if sess == nil {
|
||||
sess, err = NewPTYSessionAs(username)
|
||||
if err != nil {
|
||||
logger.Debug("nativessh: PTY start error: %v", err)
|
||||
if req.WantReply {
|
||||
_ = req.Reply(false, nil)
|
||||
}
|
||||
return
|
||||
}
|
||||
}
|
||||
cols, rows := parsePTYReq(req.Payload)
|
||||
_ = sess.Resize(cols, rows)
|
||||
if req.WantReply {
|
||||
_ = req.Reply(true, nil)
|
||||
}
|
||||
|
||||
case "shell":
|
||||
if req.WantReply {
|
||||
_ = req.Reply(true, nil)
|
||||
}
|
||||
if started || sess == nil {
|
||||
continue
|
||||
}
|
||||
started = true
|
||||
// PTY output → SSH channel.
|
||||
go func() {
|
||||
_, _ = io.Copy(ch, sess)
|
||||
// Notify the client of the shell's exit status so it can
|
||||
// disconnect cleanly instead of requiring a manual disconnect.
|
||||
exitCode := sess.ExitCode()
|
||||
exitStatusPayload := ssh.Marshal(struct{ Status uint32 }{uint32(exitCode)})
|
||||
_, _ = ch.SendRequest("exit-status", false, exitStatusPayload)
|
||||
_ = ch.CloseWrite()
|
||||
sess.Close() //nolint:errcheck
|
||||
// Close the channel so the ssh library closes the requests
|
||||
// channel, which unblocks the for-range loop in handleSession
|
||||
// and allows the deferred ch.Close() to run. Without this,
|
||||
// handleSession blocks forever waiting for requests to drain.
|
||||
_ = ch.Close()
|
||||
}()
|
||||
// SSH channel input → PTY stdin.
|
||||
go func() {
|
||||
_, _ = io.Copy(sess, ch)
|
||||
}()
|
||||
|
||||
case "exec":
|
||||
if req.WantReply {
|
||||
_ = req.Reply(true, nil)
|
||||
}
|
||||
cmd := parseExecPayload(req.Payload)
|
||||
go s.runExecAs(ch, username, cmd)
|
||||
// Drain remaining requests; the goroutine owns the channel now.
|
||||
go ssh.DiscardRequests(requests)
|
||||
return
|
||||
|
||||
case "window-change":
|
||||
if sess != nil {
|
||||
cols, rows := parseWindowChange(req.Payload)
|
||||
_ = sess.Resize(cols, rows)
|
||||
}
|
||||
if req.WantReply {
|
||||
_ = req.Reply(true, nil)
|
||||
}
|
||||
|
||||
default:
|
||||
if req.WantReply {
|
||||
_ = req.Reply(false, nil)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if sess != nil && !started {
|
||||
sess.Close() //nolint:errcheck
|
||||
}
|
||||
}
|
||||
|
||||
// runExecAs runs command as username, wiring stdin/stdout/stderr directly to
|
||||
// the SSH channel (no PTY). This supports scp, rsync, and plain exec requests.
|
||||
func (s *Server) runExecAs(ch ssh.Channel, username, command string) {
|
||||
defer ch.Close()
|
||||
|
||||
u, err := user.Lookup(username)
|
||||
if err != nil {
|
||||
logger.Debug("nativessh: exec user lookup %q: %v", username, err)
|
||||
sendExitStatus(ch, 1)
|
||||
return
|
||||
}
|
||||
|
||||
uid, err := strconv.ParseUint(u.Uid, 10, 32)
|
||||
if err != nil {
|
||||
logger.Debug("nativessh: exec parse uid for %q: %v", username, err)
|
||||
sendExitStatus(ch, 1)
|
||||
return
|
||||
}
|
||||
gid, err := strconv.ParseUint(u.Gid, 10, 32)
|
||||
if err != nil {
|
||||
logger.Debug("nativessh: exec parse gid for %q: %v", username, err)
|
||||
sendExitStatus(ch, 1)
|
||||
return
|
||||
}
|
||||
|
||||
groupIDs, _ := u.GroupIds()
|
||||
var groups []uint32
|
||||
for _, g := range groupIDs {
|
||||
gval, err := strconv.ParseUint(g, 10, 32)
|
||||
if err == nil {
|
||||
groups = append(groups, uint32(gval))
|
||||
}
|
||||
}
|
||||
|
||||
homeDir := u.HomeDir
|
||||
if _, err := os.Stat(homeDir); err != nil {
|
||||
homeDir = "/"
|
||||
}
|
||||
|
||||
cmd := exec.Command("/bin/sh", "-c", command)
|
||||
cmd.Env = []string{
|
||||
"HOME=" + u.HomeDir,
|
||||
"USER=" + username,
|
||||
"LOGNAME=" + username,
|
||||
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
||||
}
|
||||
cmd.Dir = homeDir
|
||||
cmd.SysProcAttr = &syscall.SysProcAttr{
|
||||
Credential: &syscall.Credential{
|
||||
Uid: uint32(uid),
|
||||
Gid: uint32(gid),
|
||||
Groups: groups,
|
||||
},
|
||||
}
|
||||
cmd.Stdin = ch
|
||||
cmd.Stdout = ch
|
||||
cmd.Stderr = ch.Stderr()
|
||||
|
||||
exitCode := 0
|
||||
if err := cmd.Run(); err != nil {
|
||||
var exitErr *exec.ExitError
|
||||
if errors.As(err, &exitErr) {
|
||||
exitCode = exitErr.ExitCode()
|
||||
} else {
|
||||
exitCode = 1
|
||||
}
|
||||
logger.Debug("nativessh: exec %q as %q exited: %v", command, username, err)
|
||||
}
|
||||
|
||||
sendExitStatus(ch, exitCode)
|
||||
_ = ch.CloseWrite()
|
||||
}
|
||||
|
||||
// sendExitStatus sends an SSH exit-status request on ch.
|
||||
func sendExitStatus(ch ssh.Channel, code int) {
|
||||
payload := ssh.Marshal(struct{ Status uint32 }{uint32(code)})
|
||||
_, _ = ch.SendRequest("exit-status", false, payload)
|
||||
}
|
||||
|
||||
// parseExecPayload decodes the command string from an SSH exec request payload.
|
||||
func parseExecPayload(payload []byte) string {
|
||||
var msg struct{ Command string }
|
||||
if err := ssh.Unmarshal(payload, &msg); err != nil {
|
||||
return ""
|
||||
}
|
||||
return msg.Command
|
||||
}
|
||||
|
||||
// makePublicKeyCallback returns a PublicKeyCallback that tries, in order:
|
||||
// 1. Host authorized_keys – matches any key in the OS user's
|
||||
// ~/.ssh/authorized_keys file.
|
||||
// 2. CA certificate – validates an SSH certificate signed by the
|
||||
// configured CA and checks that the user appears in the principals map.
|
||||
//
|
||||
// store may be nil or empty; those paths are simply skipped.
|
||||
func makePublicKeyCallback(store *CredentialStore) func(ssh.ConnMetadata, ssh.PublicKey) (*ssh.Permissions, error) {
|
||||
return func(meta ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
|
||||
// 1. Host authorized_keys.
|
||||
if CheckAuthorizedKeys(meta.User(), key) {
|
||||
logger.Debug("nativessh: authorized_keys auth for user %q", meta.User())
|
||||
return &ssh.Permissions{}, nil
|
||||
}
|
||||
|
||||
// 2. CA certificate.
|
||||
if store != nil {
|
||||
caKey, userPrincipals := store.get(meta.User())
|
||||
if caKey != nil {
|
||||
checker := &ssh.CertChecker{
|
||||
IsUserAuthority: func(auth ssh.PublicKey) bool {
|
||||
return ssh.FingerprintSHA256(auth) == ssh.FingerprintSHA256(caKey)
|
||||
},
|
||||
}
|
||||
|
||||
if len(userPrincipals) == 0 {
|
||||
return nil, fmt.Errorf("user %q not in allowed principals list", meta.User())
|
||||
}
|
||||
|
||||
var lastErr error
|
||||
for principal := range userPrincipals {
|
||||
perms, err := checker.Authenticate(connMetaWithUser{ConnMetadata: meta, user: principal}, key)
|
||||
if err == nil {
|
||||
logger.Debug("nativessh: CA cert auth for user %q principal=%q", meta.User(), principal)
|
||||
return perms, nil
|
||||
}
|
||||
lastErr = err
|
||||
}
|
||||
|
||||
if lastErr != nil {
|
||||
logger.Debug("nativessh: CA cert rejected for user %q: %v", meta.User(), lastErr)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("public key not authorized for user %q", meta.User())
|
||||
}
|
||||
}
|
||||
|
||||
// makePasswordCallback returns a PasswordCallback that validates the supplied
|
||||
// password via the host OS PAM stack. On non-Linux platforms this always
|
||||
// fails (see pam_other.go).
|
||||
func makePasswordCallback() func(ssh.ConnMetadata, []byte) (*ssh.Permissions, error) {
|
||||
return func(meta ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) {
|
||||
if err := VerifySystemPassword(meta.User(), string(password)); err != nil {
|
||||
// Return a generic message to the client; log the real reason.
|
||||
logger.Debug("nativessh: password auth failed for user %q: %v", meta.User(), err)
|
||||
return nil, fmt.Errorf("permission denied")
|
||||
}
|
||||
logger.Debug("nativessh: password auth for user %q", meta.User())
|
||||
return &ssh.Permissions{}, nil
|
||||
}
|
||||
}
|
||||
|
||||
// generateHostKey generates a fresh ephemeral Ed25519 host key in memory.
|
||||
// A new key is created on every server start; nothing is written to disk.
|
||||
func generateHostKey() (ssh.Signer, error) {
|
||||
_, priv, err := ed25519.GenerateKey(rand.Reader)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("generate host key: %w", err)
|
||||
}
|
||||
logger.Debug("nativessh: generated ephemeral Ed25519 host key")
|
||||
return ssh.NewSignerFromKey(priv)
|
||||
}
|
||||
|
||||
// ptyRequestMsg mirrors the SSH wire format for pty-req (RFC 4254 §6.2).
|
||||
type ptyRequestMsg struct {
|
||||
Term string
|
||||
Columns uint32
|
||||
Rows uint32
|
||||
Width uint32
|
||||
Height uint32
|
||||
Modelist string
|
||||
}
|
||||
|
||||
func parsePTYReq(payload []byte) (cols, rows uint16) {
|
||||
var req ptyRequestMsg
|
||||
if err := ssh.Unmarshal(payload, &req); err != nil {
|
||||
return 80, 24
|
||||
}
|
||||
return uint16(req.Columns), uint16(req.Rows)
|
||||
}
|
||||
|
||||
// windowChangeMsg mirrors the SSH wire format for window-change (RFC 4254 §6.7).
|
||||
type windowChangeMsg struct {
|
||||
Columns uint32
|
||||
Rows uint32
|
||||
Width uint32
|
||||
Height uint32
|
||||
}
|
||||
|
||||
func parseWindowChange(payload []byte) (cols, rows uint16) {
|
||||
var msg windowChangeMsg
|
||||
if err := ssh.Unmarshal(payload, &msg); err != nil {
|
||||
return 80, 24
|
||||
}
|
||||
return uint16(msg.Columns), uint16(msg.Rows)
|
||||
}
|
||||
64
nativessh/server_windows.go
Normal file
64
nativessh/server_windows.go
Normal file
@@ -0,0 +1,64 @@
|
||||
//go:build windows
|
||||
|
||||
package nativessh
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"log"
|
||||
"net"
|
||||
"sync"
|
||||
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
||||
// CredentialStore is a stub on Windows. Native SSH is not supported on Windows.
|
||||
type CredentialStore struct {
|
||||
mu sync.RWMutex
|
||||
principals map[string]map[string]struct{}
|
||||
}
|
||||
|
||||
// NewCredentialStore returns an empty CredentialStore stub.
|
||||
// Native SSH is not supported on Windows; a warning is logged.
|
||||
func NewCredentialStore() *CredentialStore {
|
||||
log.Println("WARNING: native SSH is not supported on Windows and will be disabled")
|
||||
return &CredentialStore{
|
||||
principals: make(map[string]map[string]struct{}),
|
||||
}
|
||||
}
|
||||
|
||||
// SetCAKey is a no-op stub on Windows.
|
||||
func (s *CredentialStore) SetCAKey(_ string) error {
|
||||
return errors.New("native SSH not supported on Windows")
|
||||
}
|
||||
|
||||
// AddPrincipals is a no-op stub on Windows.
|
||||
func (s *CredentialStore) AddPrincipals(_, _ string) {}
|
||||
|
||||
// get returns nil CA key and empty principals on Windows.
|
||||
func (s *CredentialStore) get(_ string) (ssh.PublicKey, map[string]struct{}) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// ServerConfig holds configuration for the native SSH server (stub on Windows).
|
||||
type ServerConfig struct {
|
||||
ListenAddr string
|
||||
Credentials *CredentialStore
|
||||
}
|
||||
|
||||
// Server is a stub on Windows.
|
||||
type Server struct{}
|
||||
|
||||
// NewServer returns a stub Server and logs a warning.
|
||||
func NewServer(cfg ServerConfig) *Server {
|
||||
return &Server{}
|
||||
}
|
||||
|
||||
// ListenAndServe always returns an error on Windows.
|
||||
func (s *Server) ListenAndServe() error {
|
||||
return errors.New("native SSH not supported on Windows")
|
||||
}
|
||||
|
||||
// Serve always returns an error on Windows.
|
||||
func (s *Server) Serve(_ net.Listener) error {
|
||||
return errors.New("native SSH not supported on Windows")
|
||||
}
|
||||
514
netstack2/access_log.go
Normal file
514
netstack2/access_log.go
Normal file
@@ -0,0 +1,514 @@
|
||||
package netstack2
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"compress/zlib"
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"net"
|
||||
"sort"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
const (
|
||||
// flushInterval is how often the access logger flushes completed sessions to the server
|
||||
flushInterval = 60 * time.Second
|
||||
|
||||
// maxBufferedSessions is the max number of completed sessions to buffer before forcing a flush
|
||||
maxBufferedSessions = 100
|
||||
|
||||
// sessionGapThreshold is the maximum gap between the end of one connection
|
||||
// and the start of the next for them to be considered part of the same session.
|
||||
// If the gap exceeds this, a new consolidated session is created.
|
||||
sessionGapThreshold = 5 * time.Second
|
||||
|
||||
// minConnectionsToConsolidate is the minimum number of connections in a group
|
||||
// before we bother consolidating. Groups smaller than this are sent as-is.
|
||||
minConnectionsToConsolidate = 2
|
||||
)
|
||||
|
||||
// SendFunc is a callback that sends compressed access log data to the server.
|
||||
// The data is a base64-encoded zlib-compressed JSON array of AccessSession objects.
|
||||
type SendFunc func(data string) error
|
||||
|
||||
// AccessSession represents a tracked access session through the proxy
|
||||
type AccessSession struct {
|
||||
SessionID string `json:"sessionId"`
|
||||
ResourceID int `json:"resourceId"`
|
||||
SourceAddr string `json:"sourceAddr"`
|
||||
DestAddr string `json:"destAddr"`
|
||||
Protocol string `json:"protocol"`
|
||||
StartedAt time.Time `json:"startedAt"`
|
||||
EndedAt time.Time `json:"endedAt,omitempty"`
|
||||
BytesTx int64 `json:"bytesTx"`
|
||||
BytesRx int64 `json:"bytesRx"`
|
||||
ConnectionCount int `json:"connectionCount,omitempty"` // number of raw connections merged into this session (0 or 1 = single)
|
||||
}
|
||||
|
||||
// udpSessionKey identifies a unique UDP "session" by src -> dst
|
||||
type udpSessionKey struct {
|
||||
srcAddr string
|
||||
dstAddr string
|
||||
protocol string
|
||||
}
|
||||
|
||||
// consolidationKey groups connections that may be part of the same logical session.
|
||||
// Source port is intentionally excluded so that many ephemeral-port connections
|
||||
// from the same source IP to the same destination are grouped together.
|
||||
type consolidationKey struct {
|
||||
sourceIP string // IP only, no port
|
||||
destAddr string // full host:port of the destination
|
||||
protocol string
|
||||
resourceID int
|
||||
}
|
||||
|
||||
// AccessLogger tracks access sessions for resources and periodically
|
||||
// flushes completed sessions to the server via a configurable SendFunc.
|
||||
type AccessLogger struct {
|
||||
mu sync.Mutex
|
||||
sessions map[string]*AccessSession // active sessions: sessionID -> session
|
||||
udpSessions map[udpSessionKey]*AccessSession // active UDP sessions for dedup
|
||||
completedSessions []*AccessSession // completed sessions waiting to be flushed
|
||||
udpTimeout time.Duration
|
||||
sendFn SendFunc
|
||||
stopCh chan struct{}
|
||||
flushDone chan struct{} // closed after the flush goroutine exits
|
||||
}
|
||||
|
||||
// NewAccessLogger creates a new access logger.
|
||||
// udpTimeout controls how long a UDP session is kept alive without traffic before being ended.
|
||||
func NewAccessLogger(udpTimeout time.Duration) *AccessLogger {
|
||||
al := &AccessLogger{
|
||||
sessions: make(map[string]*AccessSession),
|
||||
udpSessions: make(map[udpSessionKey]*AccessSession),
|
||||
completedSessions: make([]*AccessSession, 0),
|
||||
udpTimeout: udpTimeout,
|
||||
stopCh: make(chan struct{}),
|
||||
flushDone: make(chan struct{}),
|
||||
}
|
||||
go al.backgroundLoop()
|
||||
return al
|
||||
}
|
||||
|
||||
// SetSendFunc sets the callback used to send compressed access log batches
|
||||
// to the server. This can be called after construction once the websocket
|
||||
// client is available.
|
||||
func (al *AccessLogger) SetSendFunc(fn SendFunc) {
|
||||
al.mu.Lock()
|
||||
defer al.mu.Unlock()
|
||||
al.sendFn = fn
|
||||
}
|
||||
|
||||
// generateSessionID creates a random session identifier
|
||||
func generateSessionID() string {
|
||||
b := make([]byte, 8)
|
||||
rand.Read(b)
|
||||
return hex.EncodeToString(b)
|
||||
}
|
||||
|
||||
// StartTCPSession logs the start of a TCP session and returns a session ID.
|
||||
func (al *AccessLogger) StartTCPSession(resourceID int, srcAddr, dstAddr string) string {
|
||||
sessionID := generateSessionID()
|
||||
now := time.Now()
|
||||
|
||||
session := &AccessSession{
|
||||
SessionID: sessionID,
|
||||
ResourceID: resourceID,
|
||||
SourceAddr: srcAddr,
|
||||
DestAddr: dstAddr,
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
}
|
||||
|
||||
al.mu.Lock()
|
||||
al.sessions[sessionID] = session
|
||||
al.mu.Unlock()
|
||||
|
||||
logger.Info("ACCESS START session=%s resource=%d proto=tcp src=%s dst=%s time=%s",
|
||||
sessionID, resourceID, srcAddr, dstAddr, now.Format(time.RFC3339))
|
||||
|
||||
return sessionID
|
||||
}
|
||||
|
||||
// EndTCPSession logs the end of a TCP session and queues it for sending.
|
||||
func (al *AccessLogger) EndTCPSession(sessionID string) {
|
||||
now := time.Now()
|
||||
|
||||
al.mu.Lock()
|
||||
session, ok := al.sessions[sessionID]
|
||||
if ok {
|
||||
session.EndedAt = now
|
||||
delete(al.sessions, sessionID)
|
||||
al.completedSessions = append(al.completedSessions, session)
|
||||
}
|
||||
shouldFlush := len(al.completedSessions) >= maxBufferedSessions
|
||||
al.mu.Unlock()
|
||||
|
||||
if ok {
|
||||
duration := now.Sub(session.StartedAt)
|
||||
logger.Info("ACCESS END session=%s resource=%d proto=tcp src=%s dst=%s started=%s ended=%s duration=%s",
|
||||
sessionID, session.ResourceID, session.SourceAddr, session.DestAddr,
|
||||
session.StartedAt.Format(time.RFC3339), now.Format(time.RFC3339), duration)
|
||||
}
|
||||
|
||||
if shouldFlush {
|
||||
al.flush()
|
||||
}
|
||||
}
|
||||
|
||||
// TrackUDPSession starts or returns an existing UDP session. Returns the session ID.
|
||||
func (al *AccessLogger) TrackUDPSession(resourceID int, srcAddr, dstAddr string) string {
|
||||
key := udpSessionKey{
|
||||
srcAddr: srcAddr,
|
||||
dstAddr: dstAddr,
|
||||
protocol: "udp",
|
||||
}
|
||||
|
||||
al.mu.Lock()
|
||||
defer al.mu.Unlock()
|
||||
|
||||
if existing, ok := al.udpSessions[key]; ok {
|
||||
return existing.SessionID
|
||||
}
|
||||
|
||||
sessionID := generateSessionID()
|
||||
now := time.Now()
|
||||
|
||||
session := &AccessSession{
|
||||
SessionID: sessionID,
|
||||
ResourceID: resourceID,
|
||||
SourceAddr: srcAddr,
|
||||
DestAddr: dstAddr,
|
||||
Protocol: "udp",
|
||||
StartedAt: now,
|
||||
}
|
||||
|
||||
al.sessions[sessionID] = session
|
||||
al.udpSessions[key] = session
|
||||
|
||||
logger.Info("ACCESS START session=%s resource=%d proto=udp src=%s dst=%s time=%s",
|
||||
sessionID, resourceID, srcAddr, dstAddr, now.Format(time.RFC3339))
|
||||
|
||||
return sessionID
|
||||
}
|
||||
|
||||
// EndUDPSession ends a UDP session and queues it for sending.
|
||||
func (al *AccessLogger) EndUDPSession(sessionID string) {
|
||||
now := time.Now()
|
||||
|
||||
al.mu.Lock()
|
||||
session, ok := al.sessions[sessionID]
|
||||
if ok {
|
||||
session.EndedAt = now
|
||||
delete(al.sessions, sessionID)
|
||||
key := udpSessionKey{
|
||||
srcAddr: session.SourceAddr,
|
||||
dstAddr: session.DestAddr,
|
||||
protocol: "udp",
|
||||
}
|
||||
delete(al.udpSessions, key)
|
||||
al.completedSessions = append(al.completedSessions, session)
|
||||
}
|
||||
shouldFlush := len(al.completedSessions) >= maxBufferedSessions
|
||||
al.mu.Unlock()
|
||||
|
||||
if ok {
|
||||
duration := now.Sub(session.StartedAt)
|
||||
logger.Info("ACCESS END session=%s resource=%d proto=udp src=%s dst=%s started=%s ended=%s duration=%s",
|
||||
sessionID, session.ResourceID, session.SourceAddr, session.DestAddr,
|
||||
session.StartedAt.Format(time.RFC3339), now.Format(time.RFC3339), duration)
|
||||
}
|
||||
|
||||
if shouldFlush {
|
||||
al.flush()
|
||||
}
|
||||
}
|
||||
|
||||
// backgroundLoop handles periodic flushing and stale session reaping.
|
||||
func (al *AccessLogger) backgroundLoop() {
|
||||
defer close(al.flushDone)
|
||||
|
||||
flushTicker := time.NewTicker(flushInterval)
|
||||
defer flushTicker.Stop()
|
||||
|
||||
reapTicker := time.NewTicker(30 * time.Second)
|
||||
defer reapTicker.Stop()
|
||||
|
||||
for {
|
||||
select {
|
||||
case <-al.stopCh:
|
||||
return
|
||||
case <-flushTicker.C:
|
||||
al.flush()
|
||||
case <-reapTicker.C:
|
||||
al.reapStaleSessions()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// reapStaleSessions cleans up UDP sessions that were not properly ended.
|
||||
func (al *AccessLogger) reapStaleSessions() {
|
||||
al.mu.Lock()
|
||||
defer al.mu.Unlock()
|
||||
|
||||
staleThreshold := time.Now().Add(-5 * time.Minute)
|
||||
|
||||
for key, session := range al.udpSessions {
|
||||
if session.StartedAt.Before(staleThreshold) && session.EndedAt.IsZero() {
|
||||
now := time.Now()
|
||||
session.EndedAt = now
|
||||
duration := now.Sub(session.StartedAt)
|
||||
logger.Info("ACCESS END (reaped) session=%s resource=%d proto=udp src=%s dst=%s started=%s ended=%s duration=%s",
|
||||
session.SessionID, session.ResourceID, session.SourceAddr, session.DestAddr,
|
||||
session.StartedAt.Format(time.RFC3339), now.Format(time.RFC3339), duration)
|
||||
al.completedSessions = append(al.completedSessions, session)
|
||||
delete(al.sessions, session.SessionID)
|
||||
delete(al.udpSessions, key)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// extractIP strips the port from an address string and returns just the IP.
|
||||
// If the address has no port component it is returned as-is.
|
||||
func extractIP(addr string) string {
|
||||
host, _, err := net.SplitHostPort(addr)
|
||||
if err != nil {
|
||||
// Might already be a bare IP
|
||||
return addr
|
||||
}
|
||||
return host
|
||||
}
|
||||
|
||||
// consolidateSessions takes a slice of completed sessions and merges bursts of
|
||||
// short-lived connections from the same source IP to the same destination into
|
||||
// single higher-level session entries.
|
||||
//
|
||||
// The algorithm:
|
||||
// 1. Group sessions by (sourceIP, destAddr, protocol, resourceID).
|
||||
// 2. Within each group, sort by StartedAt.
|
||||
// 3. Walk through the sorted list and merge consecutive sessions whose gap
|
||||
// (previous EndedAt → next StartedAt) is ≤ sessionGapThreshold.
|
||||
// 4. For merged sessions the earliest StartedAt and latest EndedAt are kept,
|
||||
// bytes are summed, and ConnectionCount records how many raw connections
|
||||
// were folded in. If the merged connections used more than one source port,
|
||||
// SourceAddr is set to just the IP (port omitted).
|
||||
// 5. Groups with fewer than minConnectionsToConsolidate members are passed
|
||||
// through unmodified.
|
||||
func consolidateSessions(sessions []*AccessSession) []*AccessSession {
|
||||
if len(sessions) <= 1 {
|
||||
return sessions
|
||||
}
|
||||
|
||||
// Group sessions by consolidation key
|
||||
groups := make(map[consolidationKey][]*AccessSession)
|
||||
for _, s := range sessions {
|
||||
key := consolidationKey{
|
||||
sourceIP: extractIP(s.SourceAddr),
|
||||
destAddr: s.DestAddr,
|
||||
protocol: s.Protocol,
|
||||
resourceID: s.ResourceID,
|
||||
}
|
||||
groups[key] = append(groups[key], s)
|
||||
}
|
||||
|
||||
result := make([]*AccessSession, 0, len(sessions))
|
||||
|
||||
for key, group := range groups {
|
||||
// Small groups don't need consolidation
|
||||
if len(group) < minConnectionsToConsolidate {
|
||||
result = append(result, group...)
|
||||
continue
|
||||
}
|
||||
|
||||
// Sort the group by start time so we can detect gaps
|
||||
sort.Slice(group, func(i, j int) bool {
|
||||
return group[i].StartedAt.Before(group[j].StartedAt)
|
||||
})
|
||||
|
||||
// Walk through and merge runs that are within the gap threshold
|
||||
var merged []*AccessSession
|
||||
cur := cloneSession(group[0])
|
||||
cur.ConnectionCount = 1
|
||||
sourcePorts := make(map[string]struct{})
|
||||
sourcePorts[cur.SourceAddr] = struct{}{}
|
||||
|
||||
for i := 1; i < len(group); i++ {
|
||||
s := group[i]
|
||||
|
||||
// Determine the gap: from the latest end time we've seen so far to the
|
||||
// start of the next connection.
|
||||
gapRef := cur.EndedAt
|
||||
if gapRef.IsZero() {
|
||||
gapRef = cur.StartedAt
|
||||
}
|
||||
gap := s.StartedAt.Sub(gapRef)
|
||||
|
||||
if gap <= sessionGapThreshold {
|
||||
// Merge into the current consolidated session
|
||||
cur.ConnectionCount++
|
||||
cur.BytesTx += s.BytesTx
|
||||
cur.BytesRx += s.BytesRx
|
||||
sourcePorts[s.SourceAddr] = struct{}{}
|
||||
|
||||
// Extend EndedAt to the latest time
|
||||
endTime := s.EndedAt
|
||||
if endTime.IsZero() {
|
||||
endTime = s.StartedAt
|
||||
}
|
||||
if endTime.After(cur.EndedAt) {
|
||||
cur.EndedAt = endTime
|
||||
}
|
||||
} else {
|
||||
// Gap exceeded — finalize the current session and start a new one
|
||||
finalizeMergedSourceAddr(cur, key.sourceIP, sourcePorts)
|
||||
merged = append(merged, cur)
|
||||
|
||||
cur = cloneSession(s)
|
||||
cur.ConnectionCount = 1
|
||||
sourcePorts = make(map[string]struct{})
|
||||
sourcePorts[s.SourceAddr] = struct{}{}
|
||||
}
|
||||
}
|
||||
|
||||
// Finalize the last accumulated session
|
||||
finalizeMergedSourceAddr(cur, key.sourceIP, sourcePorts)
|
||||
merged = append(merged, cur)
|
||||
|
||||
result = append(result, merged...)
|
||||
}
|
||||
|
||||
return result
|
||||
}
|
||||
|
||||
// cloneSession creates a shallow copy of an AccessSession.
|
||||
func cloneSession(s *AccessSession) *AccessSession {
|
||||
cp := *s
|
||||
return &cp
|
||||
}
|
||||
|
||||
// finalizeMergedSourceAddr sets the SourceAddr on a consolidated session.
|
||||
// If multiple distinct source addresses (ports) were seen, the port is
|
||||
// stripped and only the IP is kept so the log isn't misleading.
|
||||
func finalizeMergedSourceAddr(s *AccessSession, sourceIP string, ports map[string]struct{}) {
|
||||
if len(ports) > 1 {
|
||||
// Multiple source ports — just report the IP
|
||||
s.SourceAddr = sourceIP
|
||||
}
|
||||
// Otherwise keep the original SourceAddr which already has ip:port
|
||||
}
|
||||
|
||||
// flush drains the completed sessions buffer, consolidates bursts of
|
||||
// short-lived connections, compresses with zlib, and sends via the SendFunc.
|
||||
func (al *AccessLogger) flush() {
|
||||
al.mu.Lock()
|
||||
if len(al.completedSessions) == 0 {
|
||||
al.mu.Unlock()
|
||||
return
|
||||
}
|
||||
batch := al.completedSessions
|
||||
al.completedSessions = make([]*AccessSession, 0)
|
||||
sendFn := al.sendFn
|
||||
al.mu.Unlock()
|
||||
|
||||
if sendFn == nil {
|
||||
logger.Debug("Access logger: no send function configured, discarding %d sessions", len(batch))
|
||||
return
|
||||
}
|
||||
|
||||
// Consolidate bursts of short-lived connections into higher-level sessions
|
||||
originalCount := len(batch)
|
||||
batch = consolidateSessions(batch)
|
||||
if len(batch) != originalCount {
|
||||
logger.Info("Access logger: consolidated %d raw connections into %d sessions", originalCount, len(batch))
|
||||
}
|
||||
|
||||
compressed, err := compressSessions(batch)
|
||||
if err != nil {
|
||||
logger.Error("Access logger: failed to compress %d sessions: %v", len(batch), err)
|
||||
return
|
||||
}
|
||||
|
||||
if err := sendFn(compressed); err != nil {
|
||||
logger.Error("Access logger: failed to send %d sessions: %v", len(batch), err)
|
||||
// Re-queue the batch so we don't lose data
|
||||
al.mu.Lock()
|
||||
al.completedSessions = append(batch, al.completedSessions...)
|
||||
// Cap re-queued data to prevent unbounded growth if server is unreachable
|
||||
if len(al.completedSessions) > maxBufferedSessions*5 {
|
||||
dropped := len(al.completedSessions) - maxBufferedSessions*5
|
||||
al.completedSessions = al.completedSessions[:maxBufferedSessions*5]
|
||||
logger.Warn("Access logger: buffer overflow, dropped %d oldest sessions", dropped)
|
||||
}
|
||||
al.mu.Unlock()
|
||||
return
|
||||
}
|
||||
|
||||
logger.Info("Access logger: sent %d sessions to server", len(batch))
|
||||
}
|
||||
|
||||
// compressSessions JSON-encodes the sessions, compresses with zlib, and returns
|
||||
// a base64-encoded string suitable for embedding in a JSON message.
|
||||
func compressSessions(sessions []*AccessSession) (string, error) {
|
||||
jsonData, err := json.Marshal(sessions)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
var buf bytes.Buffer
|
||||
w, err := zlib.NewWriterLevel(&buf, zlib.BestCompression)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if _, err := w.Write(jsonData); err != nil {
|
||||
w.Close()
|
||||
return "", err
|
||||
}
|
||||
if err := w.Close(); err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
|
||||
}
|
||||
|
||||
// Close shuts down the background loop, ends all active sessions,
|
||||
// and performs one final flush to send everything to the server.
|
||||
func (al *AccessLogger) Close() {
|
||||
// Signal the background loop to stop
|
||||
select {
|
||||
case <-al.stopCh:
|
||||
// Already closed
|
||||
return
|
||||
default:
|
||||
close(al.stopCh)
|
||||
}
|
||||
|
||||
// Wait for the background loop to exit so we don't race on flush
|
||||
<-al.flushDone
|
||||
|
||||
al.mu.Lock()
|
||||
now := time.Now()
|
||||
|
||||
// End all active sessions and move them to the completed buffer
|
||||
for _, session := range al.sessions {
|
||||
if session.EndedAt.IsZero() {
|
||||
session.EndedAt = now
|
||||
duration := now.Sub(session.StartedAt)
|
||||
logger.Info("ACCESS END (shutdown) session=%s resource=%d proto=%s src=%s dst=%s started=%s ended=%s duration=%s",
|
||||
session.SessionID, session.ResourceID, session.Protocol, session.SourceAddr, session.DestAddr,
|
||||
session.StartedAt.Format(time.RFC3339), now.Format(time.RFC3339), duration)
|
||||
al.completedSessions = append(al.completedSessions, session)
|
||||
}
|
||||
}
|
||||
|
||||
al.sessions = make(map[string]*AccessSession)
|
||||
al.udpSessions = make(map[udpSessionKey]*AccessSession)
|
||||
al.mu.Unlock()
|
||||
|
||||
// Final flush to send all remaining sessions to the server
|
||||
al.flush()
|
||||
}
|
||||
811
netstack2/access_log_test.go
Normal file
811
netstack2/access_log_test.go
Normal file
@@ -0,0 +1,811 @@
|
||||
package netstack2
|
||||
|
||||
import (
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
func TestExtractIP(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
addr string
|
||||
expected string
|
||||
}{
|
||||
{"ipv4 with port", "192.168.1.1:12345", "192.168.1.1"},
|
||||
{"ipv4 without port", "192.168.1.1", "192.168.1.1"},
|
||||
{"ipv6 with port", "[::1]:12345", "::1"},
|
||||
{"ipv6 without port", "::1", "::1"},
|
||||
{"empty string", "", ""},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
result := extractIP(tt.addr)
|
||||
if result != tt.expected {
|
||||
t.Errorf("extractIP(%q) = %q, want %q", tt.addr, result, tt.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_Empty(t *testing.T) {
|
||||
result := consolidateSessions(nil)
|
||||
if result != nil {
|
||||
t.Errorf("expected nil, got %v", result)
|
||||
}
|
||||
|
||||
result = consolidateSessions([]*AccessSession{})
|
||||
if len(result) != 0 {
|
||||
t.Errorf("expected empty slice, got %d items", len(result))
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_SingleSession(t *testing.T) {
|
||||
now := time.Now()
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "abc123",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(1 * time.Second),
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 1 {
|
||||
t.Fatalf("expected 1 session, got %d", len(result))
|
||||
}
|
||||
if result[0].SourceAddr != "10.0.0.1:5000" {
|
||||
t.Errorf("expected source addr preserved, got %q", result[0].SourceAddr)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_MergesBurstFromSameSourceIP(t *testing.T) {
|
||||
now := time.Now()
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
BytesTx: 100,
|
||||
BytesRx: 200,
|
||||
},
|
||||
{
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5001",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(200 * time.Millisecond),
|
||||
EndedAt: now.Add(300 * time.Millisecond),
|
||||
BytesTx: 150,
|
||||
BytesRx: 250,
|
||||
},
|
||||
{
|
||||
SessionID: "s3",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5002",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(400 * time.Millisecond),
|
||||
EndedAt: now.Add(500 * time.Millisecond),
|
||||
BytesTx: 50,
|
||||
BytesRx: 75,
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 1 {
|
||||
t.Fatalf("expected 1 consolidated session, got %d", len(result))
|
||||
}
|
||||
|
||||
s := result[0]
|
||||
if s.ConnectionCount != 3 {
|
||||
t.Errorf("expected ConnectionCount=3, got %d", s.ConnectionCount)
|
||||
}
|
||||
if s.SourceAddr != "10.0.0.1" {
|
||||
t.Errorf("expected source addr to be IP only (multiple ports), got %q", s.SourceAddr)
|
||||
}
|
||||
if s.DestAddr != "192.168.1.100:443" {
|
||||
t.Errorf("expected dest addr preserved, got %q", s.DestAddr)
|
||||
}
|
||||
if s.StartedAt != now {
|
||||
t.Errorf("expected StartedAt to be earliest time")
|
||||
}
|
||||
if s.EndedAt != now.Add(500*time.Millisecond) {
|
||||
t.Errorf("expected EndedAt to be latest time")
|
||||
}
|
||||
expectedTx := int64(300)
|
||||
expectedRx := int64(525)
|
||||
if s.BytesTx != expectedTx {
|
||||
t.Errorf("expected BytesTx=%d, got %d", expectedTx, s.BytesTx)
|
||||
}
|
||||
if s.BytesRx != expectedRx {
|
||||
t.Errorf("expected BytesRx=%d, got %d", expectedRx, s.BytesRx)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_SameSourcePortPreserved(t *testing.T) {
|
||||
now := time.Now()
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
},
|
||||
{
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(200 * time.Millisecond),
|
||||
EndedAt: now.Add(300 * time.Millisecond),
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 1 {
|
||||
t.Fatalf("expected 1 session, got %d", len(result))
|
||||
}
|
||||
if result[0].SourceAddr != "10.0.0.1:5000" {
|
||||
t.Errorf("expected source addr with port preserved when all ports are the same, got %q", result[0].SourceAddr)
|
||||
}
|
||||
if result[0].ConnectionCount != 2 {
|
||||
t.Errorf("expected ConnectionCount=2, got %d", result[0].ConnectionCount)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_GapSplitsSessions(t *testing.T) {
|
||||
now := time.Now()
|
||||
|
||||
// First burst
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
},
|
||||
{
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5001",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(200 * time.Millisecond),
|
||||
EndedAt: now.Add(300 * time.Millisecond),
|
||||
},
|
||||
// Big gap here (10 seconds)
|
||||
{
|
||||
SessionID: "s3",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5002",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(10 * time.Second),
|
||||
EndedAt: now.Add(10*time.Second + 100*time.Millisecond),
|
||||
},
|
||||
{
|
||||
SessionID: "s4",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5003",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(10*time.Second + 200*time.Millisecond),
|
||||
EndedAt: now.Add(10*time.Second + 300*time.Millisecond),
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 2 {
|
||||
t.Fatalf("expected 2 consolidated sessions (gap split), got %d", len(result))
|
||||
}
|
||||
|
||||
// Find the sessions by their start time
|
||||
var first, second *AccessSession
|
||||
for _, s := range result {
|
||||
if s.StartedAt.Equal(now) {
|
||||
first = s
|
||||
} else {
|
||||
second = s
|
||||
}
|
||||
}
|
||||
|
||||
if first == nil || second == nil {
|
||||
t.Fatal("could not find both consolidated sessions")
|
||||
}
|
||||
|
||||
if first.ConnectionCount != 2 {
|
||||
t.Errorf("first burst: expected ConnectionCount=2, got %d", first.ConnectionCount)
|
||||
}
|
||||
if second.ConnectionCount != 2 {
|
||||
t.Errorf("second burst: expected ConnectionCount=2, got %d", second.ConnectionCount)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_DifferentDestinationsNotMerged(t *testing.T) {
|
||||
now := time.Now()
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
},
|
||||
{
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5001",
|
||||
DestAddr: "192.168.1.100:8080",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(200 * time.Millisecond),
|
||||
EndedAt: now.Add(300 * time.Millisecond),
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
// Each goes to a different dest port so they should not be merged
|
||||
if len(result) != 2 {
|
||||
t.Fatalf("expected 2 sessions (different destinations), got %d", len(result))
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_DifferentProtocolsNotMerged(t *testing.T) {
|
||||
now := time.Now()
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
},
|
||||
{
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5001",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "udp",
|
||||
StartedAt: now.Add(200 * time.Millisecond),
|
||||
EndedAt: now.Add(300 * time.Millisecond),
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 2 {
|
||||
t.Fatalf("expected 2 sessions (different protocols), got %d", len(result))
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_DifferentResourceIDsNotMerged(t *testing.T) {
|
||||
now := time.Now()
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
},
|
||||
{
|
||||
SessionID: "s2",
|
||||
ResourceID: 2,
|
||||
SourceAddr: "10.0.0.1:5001",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(200 * time.Millisecond),
|
||||
EndedAt: now.Add(300 * time.Millisecond),
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 2 {
|
||||
t.Fatalf("expected 2 sessions (different resource IDs), got %d", len(result))
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_DifferentSourceIPsNotMerged(t *testing.T) {
|
||||
now := time.Now()
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
},
|
||||
{
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.2:5001",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(200 * time.Millisecond),
|
||||
EndedAt: now.Add(300 * time.Millisecond),
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 2 {
|
||||
t.Fatalf("expected 2 sessions (different source IPs), got %d", len(result))
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_OutOfOrderInput(t *testing.T) {
|
||||
now := time.Now()
|
||||
// Provide sessions out of chronological order to verify sorting
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "s3",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5002",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(400 * time.Millisecond),
|
||||
EndedAt: now.Add(500 * time.Millisecond),
|
||||
BytesTx: 30,
|
||||
},
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
BytesTx: 10,
|
||||
},
|
||||
{
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5001",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(200 * time.Millisecond),
|
||||
EndedAt: now.Add(300 * time.Millisecond),
|
||||
BytesTx: 20,
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 1 {
|
||||
t.Fatalf("expected 1 consolidated session, got %d", len(result))
|
||||
}
|
||||
|
||||
s := result[0]
|
||||
if s.ConnectionCount != 3 {
|
||||
t.Errorf("expected ConnectionCount=3, got %d", s.ConnectionCount)
|
||||
}
|
||||
if s.StartedAt != now {
|
||||
t.Errorf("expected StartedAt to be earliest time")
|
||||
}
|
||||
if s.EndedAt != now.Add(500*time.Millisecond) {
|
||||
t.Errorf("expected EndedAt to be latest time")
|
||||
}
|
||||
if s.BytesTx != 60 {
|
||||
t.Errorf("expected BytesTx=60, got %d", s.BytesTx)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_ExactlyAtGapThreshold(t *testing.T) {
|
||||
now := time.Now()
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
},
|
||||
{
|
||||
// Starts exactly sessionGapThreshold after s1 ends — should still merge
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5001",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(100*time.Millisecond + sessionGapThreshold),
|
||||
EndedAt: now.Add(100*time.Millisecond + sessionGapThreshold + 50*time.Millisecond),
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 1 {
|
||||
t.Fatalf("expected 1 session (gap exactly at threshold merges), got %d", len(result))
|
||||
}
|
||||
if result[0].ConnectionCount != 2 {
|
||||
t.Errorf("expected ConnectionCount=2, got %d", result[0].ConnectionCount)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_JustOverGapThreshold(t *testing.T) {
|
||||
now := time.Now()
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
},
|
||||
{
|
||||
// Starts 1ms over the gap threshold after s1 ends — should split
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5001",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(100*time.Millisecond + sessionGapThreshold + 1*time.Millisecond),
|
||||
EndedAt: now.Add(100*time.Millisecond + sessionGapThreshold + 50*time.Millisecond),
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 2 {
|
||||
t.Fatalf("expected 2 sessions (gap just over threshold splits), got %d", len(result))
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_UDPSessions(t *testing.T) {
|
||||
now := time.Now()
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "u1",
|
||||
ResourceID: 5,
|
||||
SourceAddr: "10.0.0.1:6000",
|
||||
DestAddr: "192.168.1.100:53",
|
||||
Protocol: "udp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(50 * time.Millisecond),
|
||||
BytesTx: 64,
|
||||
BytesRx: 512,
|
||||
},
|
||||
{
|
||||
SessionID: "u2",
|
||||
ResourceID: 5,
|
||||
SourceAddr: "10.0.0.1:6001",
|
||||
DestAddr: "192.168.1.100:53",
|
||||
Protocol: "udp",
|
||||
StartedAt: now.Add(100 * time.Millisecond),
|
||||
EndedAt: now.Add(150 * time.Millisecond),
|
||||
BytesTx: 64,
|
||||
BytesRx: 256,
|
||||
},
|
||||
{
|
||||
SessionID: "u3",
|
||||
ResourceID: 5,
|
||||
SourceAddr: "10.0.0.1:6002",
|
||||
DestAddr: "192.168.1.100:53",
|
||||
Protocol: "udp",
|
||||
StartedAt: now.Add(200 * time.Millisecond),
|
||||
EndedAt: now.Add(250 * time.Millisecond),
|
||||
BytesTx: 64,
|
||||
BytesRx: 128,
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 1 {
|
||||
t.Fatalf("expected 1 consolidated UDP session, got %d", len(result))
|
||||
}
|
||||
|
||||
s := result[0]
|
||||
if s.Protocol != "udp" {
|
||||
t.Errorf("expected protocol=udp, got %q", s.Protocol)
|
||||
}
|
||||
if s.ConnectionCount != 3 {
|
||||
t.Errorf("expected ConnectionCount=3, got %d", s.ConnectionCount)
|
||||
}
|
||||
if s.SourceAddr != "10.0.0.1" {
|
||||
t.Errorf("expected source addr to be IP only, got %q", s.SourceAddr)
|
||||
}
|
||||
if s.BytesTx != 192 {
|
||||
t.Errorf("expected BytesTx=192, got %d", s.BytesTx)
|
||||
}
|
||||
if s.BytesRx != 896 {
|
||||
t.Errorf("expected BytesRx=896, got %d", s.BytesRx)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_MixedGroupsSomeConsolidatedSomeNot(t *testing.T) {
|
||||
now := time.Now()
|
||||
sessions := []*AccessSession{
|
||||
// Group 1: 3 connections to :443 from same IP — should consolidate
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
},
|
||||
{
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5001",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(200 * time.Millisecond),
|
||||
EndedAt: now.Add(300 * time.Millisecond),
|
||||
},
|
||||
{
|
||||
SessionID: "s3",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5002",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(400 * time.Millisecond),
|
||||
EndedAt: now.Add(500 * time.Millisecond),
|
||||
},
|
||||
// Group 2: 1 connection to :8080 from different IP — should pass through
|
||||
{
|
||||
SessionID: "s4",
|
||||
ResourceID: 2,
|
||||
SourceAddr: "10.0.0.2:6000",
|
||||
DestAddr: "192.168.1.200:8080",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(1 * time.Second),
|
||||
EndedAt: now.Add(2 * time.Second),
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 2 {
|
||||
t.Fatalf("expected 2 sessions total, got %d", len(result))
|
||||
}
|
||||
|
||||
var consolidated, passthrough *AccessSession
|
||||
for _, s := range result {
|
||||
if s.ConnectionCount > 1 {
|
||||
consolidated = s
|
||||
} else {
|
||||
passthrough = s
|
||||
}
|
||||
}
|
||||
|
||||
if consolidated == nil {
|
||||
t.Fatal("expected a consolidated session")
|
||||
}
|
||||
if consolidated.ConnectionCount != 3 {
|
||||
t.Errorf("consolidated: expected ConnectionCount=3, got %d", consolidated.ConnectionCount)
|
||||
}
|
||||
|
||||
if passthrough == nil {
|
||||
t.Fatal("expected a passthrough session")
|
||||
}
|
||||
if passthrough.SessionID != "s4" {
|
||||
t.Errorf("passthrough: expected session s4, got %s", passthrough.SessionID)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_OverlappingConnections(t *testing.T) {
|
||||
now := time.Now()
|
||||
// Connections that overlap in time (not sequential)
|
||||
sessions := []*AccessSession{
|
||||
{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(5 * time.Second),
|
||||
BytesTx: 100,
|
||||
},
|
||||
{
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5001",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(1 * time.Second),
|
||||
EndedAt: now.Add(3 * time.Second),
|
||||
BytesTx: 200,
|
||||
},
|
||||
{
|
||||
SessionID: "s3",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5002",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(2 * time.Second),
|
||||
EndedAt: now.Add(6 * time.Second),
|
||||
BytesTx: 300,
|
||||
},
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 1 {
|
||||
t.Fatalf("expected 1 consolidated session, got %d", len(result))
|
||||
}
|
||||
|
||||
s := result[0]
|
||||
if s.ConnectionCount != 3 {
|
||||
t.Errorf("expected ConnectionCount=3, got %d", s.ConnectionCount)
|
||||
}
|
||||
if s.StartedAt != now {
|
||||
t.Error("expected StartedAt to be earliest")
|
||||
}
|
||||
if s.EndedAt != now.Add(6*time.Second) {
|
||||
t.Error("expected EndedAt to be the latest end time")
|
||||
}
|
||||
if s.BytesTx != 600 {
|
||||
t.Errorf("expected BytesTx=600, got %d", s.BytesTx)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_DoesNotMutateOriginals(t *testing.T) {
|
||||
now := time.Now()
|
||||
s1 := &AccessSession{
|
||||
SessionID: "s1",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5000",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now,
|
||||
EndedAt: now.Add(100 * time.Millisecond),
|
||||
BytesTx: 100,
|
||||
}
|
||||
s2 := &AccessSession{
|
||||
SessionID: "s2",
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:5001",
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(200 * time.Millisecond),
|
||||
EndedAt: now.Add(300 * time.Millisecond),
|
||||
BytesTx: 200,
|
||||
}
|
||||
|
||||
// Save original values
|
||||
origS1Addr := s1.SourceAddr
|
||||
origS1Bytes := s1.BytesTx
|
||||
origS2Addr := s2.SourceAddr
|
||||
origS2Bytes := s2.BytesTx
|
||||
|
||||
_ = consolidateSessions([]*AccessSession{s1, s2})
|
||||
|
||||
if s1.SourceAddr != origS1Addr {
|
||||
t.Errorf("s1.SourceAddr was mutated: %q -> %q", origS1Addr, s1.SourceAddr)
|
||||
}
|
||||
if s1.BytesTx != origS1Bytes {
|
||||
t.Errorf("s1.BytesTx was mutated: %d -> %d", origS1Bytes, s1.BytesTx)
|
||||
}
|
||||
if s2.SourceAddr != origS2Addr {
|
||||
t.Errorf("s2.SourceAddr was mutated: %q -> %q", origS2Addr, s2.SourceAddr)
|
||||
}
|
||||
if s2.BytesTx != origS2Bytes {
|
||||
t.Errorf("s2.BytesTx was mutated: %d -> %d", origS2Bytes, s2.BytesTx)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConsolidateSessions_ThreeBurstsWithGaps(t *testing.T) {
|
||||
now := time.Now()
|
||||
|
||||
sessions := make([]*AccessSession, 0, 9)
|
||||
|
||||
// Burst 1: 3 connections at t=0
|
||||
for i := 0; i < 3; i++ {
|
||||
sessions = append(sessions, &AccessSession{
|
||||
SessionID: generateSessionID(),
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:" + string(rune('A'+i)),
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(time.Duration(i*100) * time.Millisecond),
|
||||
EndedAt: now.Add(time.Duration(i*100+50) * time.Millisecond),
|
||||
})
|
||||
}
|
||||
|
||||
// Burst 2: 3 connections at t=20s (well past the 5s gap)
|
||||
for i := 0; i < 3; i++ {
|
||||
sessions = append(sessions, &AccessSession{
|
||||
SessionID: generateSessionID(),
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:" + string(rune('D'+i)),
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(20*time.Second + time.Duration(i*100)*time.Millisecond),
|
||||
EndedAt: now.Add(20*time.Second + time.Duration(i*100+50)*time.Millisecond),
|
||||
})
|
||||
}
|
||||
|
||||
// Burst 3: 3 connections at t=40s
|
||||
for i := 0; i < 3; i++ {
|
||||
sessions = append(sessions, &AccessSession{
|
||||
SessionID: generateSessionID(),
|
||||
ResourceID: 1,
|
||||
SourceAddr: "10.0.0.1:" + string(rune('G'+i)),
|
||||
DestAddr: "192.168.1.100:443",
|
||||
Protocol: "tcp",
|
||||
StartedAt: now.Add(40*time.Second + time.Duration(i*100)*time.Millisecond),
|
||||
EndedAt: now.Add(40*time.Second + time.Duration(i*100+50)*time.Millisecond),
|
||||
})
|
||||
}
|
||||
|
||||
result := consolidateSessions(sessions)
|
||||
if len(result) != 3 {
|
||||
t.Fatalf("expected 3 consolidated sessions (3 bursts), got %d", len(result))
|
||||
}
|
||||
|
||||
for _, s := range result {
|
||||
if s.ConnectionCount != 3 {
|
||||
t.Errorf("expected each burst to have ConnectionCount=3, got %d (started=%v)", s.ConnectionCount, s.StartedAt)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestFinalizeMergedSourceAddr(t *testing.T) {
|
||||
s := &AccessSession{SourceAddr: "10.0.0.1:5000"}
|
||||
ports := map[string]struct{}{"10.0.0.1:5000": {}}
|
||||
finalizeMergedSourceAddr(s, "10.0.0.1", ports)
|
||||
if s.SourceAddr != "10.0.0.1:5000" {
|
||||
t.Errorf("single port: expected addr preserved, got %q", s.SourceAddr)
|
||||
}
|
||||
|
||||
s2 := &AccessSession{SourceAddr: "10.0.0.1:5000"}
|
||||
ports2 := map[string]struct{}{"10.0.0.1:5000": {}, "10.0.0.1:5001": {}}
|
||||
finalizeMergedSourceAddr(s2, "10.0.0.1", ports2)
|
||||
if s2.SourceAddr != "10.0.0.1" {
|
||||
t.Errorf("multiple ports: expected IP only, got %q", s2.SourceAddr)
|
||||
}
|
||||
}
|
||||
|
||||
func TestCloneSession(t *testing.T) {
|
||||
original := &AccessSession{
|
||||
SessionID: "test",
|
||||
ResourceID: 42,
|
||||
SourceAddr: "1.2.3.4:100",
|
||||
DestAddr: "5.6.7.8:443",
|
||||
Protocol: "tcp",
|
||||
BytesTx: 999,
|
||||
}
|
||||
|
||||
clone := cloneSession(original)
|
||||
|
||||
if clone == original {
|
||||
t.Error("clone should be a different pointer")
|
||||
}
|
||||
if clone.SessionID != original.SessionID {
|
||||
t.Error("clone should have same SessionID")
|
||||
}
|
||||
|
||||
// Mutating clone should not affect original
|
||||
clone.BytesTx = 0
|
||||
clone.SourceAddr = "changed"
|
||||
if original.BytesTx != 999 {
|
||||
t.Error("mutating clone affected original BytesTx")
|
||||
}
|
||||
if original.SourceAddr != "1.2.3.4:100" {
|
||||
t.Error("mutating clone affected original SourceAddr")
|
||||
}
|
||||
}
|
||||
@@ -1,8 +1,3 @@
|
||||
/* SPDX-License-Identifier: MIT
|
||||
*
|
||||
* Copyright (C) 2017-2025 WireGuard LLC. All Rights Reserved.
|
||||
*/
|
||||
|
||||
package netstack2
|
||||
|
||||
import (
|
||||
@@ -10,12 +5,18 @@ import (
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"net/netip"
|
||||
"os/exec"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
"golang.org/x/net/icmp"
|
||||
"golang.org/x/net/ipv4"
|
||||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/checksum"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/header"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/stack"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
|
||||
@@ -58,6 +59,9 @@ const (
|
||||
|
||||
// Buffer size for copying data
|
||||
bufferSize = 32 * 1024
|
||||
|
||||
// icmpTimeout is the default timeout for ICMP ping requests.
|
||||
icmpTimeout = 5 * time.Second
|
||||
)
|
||||
|
||||
// TCPHandler handles TCP connections from netstack
|
||||
@@ -72,6 +76,12 @@ type UDPHandler struct {
|
||||
proxyHandler *ProxyHandler
|
||||
}
|
||||
|
||||
// ICMPHandler handles ICMP packets from netstack
|
||||
type ICMPHandler struct {
|
||||
stack *stack.Stack
|
||||
proxyHandler *ProxyHandler
|
||||
}
|
||||
|
||||
// NewTCPHandler creates a new TCP handler
|
||||
func NewTCPHandler(s *stack.Stack, ph *ProxyHandler) *TCPHandler {
|
||||
return &TCPHandler{stack: s, proxyHandler: ph}
|
||||
@@ -82,6 +92,11 @@ func NewUDPHandler(s *stack.Stack, ph *ProxyHandler) *UDPHandler {
|
||||
return &UDPHandler{stack: s, proxyHandler: ph}
|
||||
}
|
||||
|
||||
// NewICMPHandler creates a new ICMP handler
|
||||
func NewICMPHandler(s *stack.Stack, ph *ProxyHandler) *ICMPHandler {
|
||||
return &ICMPHandler{stack: s, proxyHandler: ph}
|
||||
}
|
||||
|
||||
// InstallTCPHandler installs the TCP forwarder on the stack
|
||||
func (h *TCPHandler) InstallTCPHandler() error {
|
||||
tcpForwarder := tcp.NewForwarder(h.stack, defaultWndSize, maxConnAttempts, func(r *tcp.ForwarderRequest) {
|
||||
@@ -117,14 +132,40 @@ func (h *TCPHandler) InstallTCPHandler() error {
|
||||
|
||||
// handleTCPConn handles a TCP connection by proxying it to the actual target
|
||||
func (h *TCPHandler) handleTCPConn(netstackConn *gonet.TCPConn, id stack.TransportEndpointID) {
|
||||
defer netstackConn.Close()
|
||||
|
||||
// Extract source and target address from the connection ID
|
||||
// Extract source and target address from the connection ID first so they
|
||||
// are available for HTTP routing before any defer is set up.
|
||||
srcIP := id.RemoteAddress.String()
|
||||
srcPort := id.RemotePort
|
||||
dstIP := id.LocalAddress.String()
|
||||
dstPort := id.LocalPort
|
||||
|
||||
// Drop connection if blocking is enabled
|
||||
if h.proxyHandler != nil && h.proxyHandler.IsBlocked() {
|
||||
logger.Debug("TCP Forwarder: connection blocked: %s:%d -> %s:%d", srcIP, srcPort, dstIP, dstPort)
|
||||
netstackConn.Close()
|
||||
return
|
||||
}
|
||||
|
||||
// For HTTP/HTTPS ports, look up the matching subnet rule. If the rule has
|
||||
// Protocol configured, hand the connection off to the HTTP handler which
|
||||
// takes full ownership of the lifecycle (the defer close must not be
|
||||
// installed before this point).
|
||||
if (dstPort == 80 || dstPort == 443) && h.proxyHandler != nil && h.proxyHandler.httpHandler != nil {
|
||||
srcAddr, _ := netip.ParseAddr(srcIP)
|
||||
dstAddr, _ := netip.ParseAddr(dstIP)
|
||||
rule := h.proxyHandler.subnetLookup.Match(srcAddr, dstAddr, dstPort, tcp.ProtocolNumber)
|
||||
if rule != nil && rule.Protocol != "" && len(rule.HTTPTargets) > 0 {
|
||||
logger.Info("TCP Forwarder: Routing %s:%d -> %s:%d to HTTP handler (%s)",
|
||||
srcIP, srcPort, dstIP, dstPort, rule.Protocol)
|
||||
h.proxyHandler.httpHandler.HandleConn(netstackConn, rule)
|
||||
return
|
||||
}
|
||||
// Otherwise fall through to raw TCP forwarding (e.g. CIDR resources
|
||||
// that happen to use port 80/443 without HTTP configuration).
|
||||
}
|
||||
|
||||
defer netstackConn.Close()
|
||||
|
||||
logger.Info("TCP Forwarder: Handling connection %s:%d -> %s:%d", srcIP, srcPort, dstIP, dstPort)
|
||||
|
||||
// Check if there's a destination rewrite for this connection (e.g., localhost targets)
|
||||
@@ -138,6 +179,18 @@ func (h *TCPHandler) handleTCPConn(netstackConn *gonet.TCPConn, id stack.Transpo
|
||||
|
||||
targetAddr := fmt.Sprintf("%s:%d", actualDstIP, dstPort)
|
||||
|
||||
// Look up resource ID and start access session if applicable
|
||||
var accessSessionID string
|
||||
if h.proxyHandler != nil {
|
||||
resourceId := h.proxyHandler.LookupResourceId(srcIP, dstIP, dstPort, uint8(tcp.ProtocolNumber))
|
||||
if resourceId != 0 {
|
||||
if al := h.proxyHandler.GetAccessLogger(); al != nil {
|
||||
srcAddr := fmt.Sprintf("%s:%d", srcIP, srcPort)
|
||||
accessSessionID = al.StartTCPSession(resourceId, srcAddr, targetAddr)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Create context with timeout for connection establishment
|
||||
ctx, cancel := context.WithTimeout(context.Background(), tcpConnectTimeout)
|
||||
defer cancel()
|
||||
@@ -147,11 +200,26 @@ func (h *TCPHandler) handleTCPConn(netstackConn *gonet.TCPConn, id stack.Transpo
|
||||
targetConn, err := d.DialContext(ctx, "tcp", targetAddr)
|
||||
if err != nil {
|
||||
logger.Info("TCP Forwarder: Failed to connect to %s: %v", targetAddr, err)
|
||||
// End access session on connection failure
|
||||
if accessSessionID != "" {
|
||||
if al := h.proxyHandler.GetAccessLogger(); al != nil {
|
||||
al.EndTCPSession(accessSessionID)
|
||||
}
|
||||
}
|
||||
// Connection failed, netstack will handle RST
|
||||
return
|
||||
}
|
||||
defer targetConn.Close()
|
||||
|
||||
// End access session when connection closes
|
||||
if accessSessionID != "" {
|
||||
defer func() {
|
||||
if al := h.proxyHandler.GetAccessLogger(); al != nil {
|
||||
al.EndTCPSession(accessSessionID)
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
logger.Info("TCP Forwarder: Successfully connected to %s, starting bidirectional copy", targetAddr)
|
||||
|
||||
// Bidirectional copy between netstack and target
|
||||
@@ -249,6 +317,12 @@ func (h *UDPHandler) handleUDPConn(netstackConn *gonet.UDPConn, id stack.Transpo
|
||||
|
||||
logger.Info("UDP Forwarder: Handling connection %s:%d -> %s:%d", srcIP, srcPort, dstIP, dstPort)
|
||||
|
||||
// Drop connection if blocking is enabled
|
||||
if h.proxyHandler != nil && h.proxyHandler.IsBlocked() {
|
||||
logger.Debug("UDP Forwarder: connection blocked: %s:%d -> %s:%d", srcIP, srcPort, dstIP, dstPort)
|
||||
return
|
||||
}
|
||||
|
||||
// Check if there's a destination rewrite for this connection (e.g., localhost targets)
|
||||
actualDstIP := dstIP
|
||||
if h.proxyHandler != nil {
|
||||
@@ -260,6 +334,27 @@ func (h *UDPHandler) handleUDPConn(netstackConn *gonet.UDPConn, id stack.Transpo
|
||||
|
||||
targetAddr := fmt.Sprintf("%s:%d", actualDstIP, dstPort)
|
||||
|
||||
// Look up resource ID and start access session if applicable
|
||||
var accessSessionID string
|
||||
if h.proxyHandler != nil {
|
||||
resourceId := h.proxyHandler.LookupResourceId(srcIP, dstIP, dstPort, uint8(udp.ProtocolNumber))
|
||||
if resourceId != 0 {
|
||||
if al := h.proxyHandler.GetAccessLogger(); al != nil {
|
||||
srcAddr := fmt.Sprintf("%s:%d", srcIP, srcPort)
|
||||
accessSessionID = al.TrackUDPSession(resourceId, srcAddr, targetAddr)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// End access session when UDP handler returns (timeout or error)
|
||||
if accessSessionID != "" {
|
||||
defer func() {
|
||||
if al := h.proxyHandler.GetAccessLogger(); al != nil {
|
||||
al.EndUDPSession(accessSessionID)
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
// Resolve target address
|
||||
remoteUDPAddr, err := net.ResolveUDPAddr("udp", targetAddr)
|
||||
if err != nil {
|
||||
@@ -348,3 +443,334 @@ func copyPacketData(dst, src net.PacketConn, to net.Addr, timeout time.Duration)
|
||||
dst.SetReadDeadline(time.Now().Add(timeout))
|
||||
}
|
||||
}
|
||||
|
||||
// InstallICMPHandler installs the ICMP handler on the stack
|
||||
func (h *ICMPHandler) InstallICMPHandler() error {
|
||||
h.stack.SetTransportProtocolHandler(header.ICMPv4ProtocolNumber, h.handleICMPPacket)
|
||||
logger.Debug("ICMP Handler: Installed ICMP protocol handler")
|
||||
return nil
|
||||
}
|
||||
|
||||
// handleICMPPacket handles incoming ICMP packets
|
||||
func (h *ICMPHandler) handleICMPPacket(id stack.TransportEndpointID, pkt *stack.PacketBuffer) bool {
|
||||
logger.Debug("ICMP Handler: Received ICMP packet from %s to %s", id.RemoteAddress, id.LocalAddress)
|
||||
|
||||
// Get the ICMP header from the packet
|
||||
icmpData := pkt.TransportHeader().Slice()
|
||||
if len(icmpData) < header.ICMPv4MinimumSize {
|
||||
logger.Debug("ICMP Handler: Packet too small for ICMP header: %d bytes", len(icmpData))
|
||||
return false
|
||||
}
|
||||
|
||||
icmpHdr := header.ICMPv4(icmpData)
|
||||
icmpType := icmpHdr.Type()
|
||||
icmpCode := icmpHdr.Code()
|
||||
|
||||
logger.Debug("ICMP Handler: Type=%d, Code=%d, Ident=%d, Seq=%d",
|
||||
icmpType, icmpCode, icmpHdr.Ident(), icmpHdr.Sequence())
|
||||
|
||||
// Only handle Echo Request (ping)
|
||||
if icmpType != header.ICMPv4Echo {
|
||||
logger.Debug("ICMP Handler: Ignoring non-echo ICMP type: %d", icmpType)
|
||||
return false
|
||||
}
|
||||
|
||||
// Extract source and destination addresses
|
||||
srcIP := id.RemoteAddress.String()
|
||||
dstIP := id.LocalAddress.String()
|
||||
|
||||
logger.Info("ICMP Handler: Echo Request from %s to %s (ident=%d, seq=%d)",
|
||||
srcIP, dstIP, icmpHdr.Ident(), icmpHdr.Sequence())
|
||||
|
||||
// Convert to netip.Addr for subnet matching
|
||||
srcAddr, err := netip.ParseAddr(srcIP)
|
||||
if err != nil {
|
||||
logger.Debug("ICMP Handler: Failed to parse source IP %s: %v", srcIP, err)
|
||||
return false
|
||||
}
|
||||
dstAddr, err := netip.ParseAddr(dstIP)
|
||||
if err != nil {
|
||||
logger.Debug("ICMP Handler: Failed to parse dest IP %s: %v", dstIP, err)
|
||||
return false
|
||||
}
|
||||
|
||||
// Check subnet rules (use port 0 for ICMP since it doesn't have ports)
|
||||
if h.proxyHandler == nil {
|
||||
logger.Debug("ICMP Handler: No proxy handler configured")
|
||||
return false
|
||||
}
|
||||
|
||||
matchedRule := h.proxyHandler.subnetLookup.Match(srcAddr, dstAddr, 0, header.ICMPv4ProtocolNumber)
|
||||
if matchedRule == nil {
|
||||
logger.Debug("ICMP Handler: No matching subnet rule for %s -> %s", srcIP, dstIP)
|
||||
return false
|
||||
}
|
||||
|
||||
logger.Info("ICMP Handler: Matched subnet rule for %s -> %s", srcIP, dstIP)
|
||||
|
||||
// Determine actual destination (with possible rewrite)
|
||||
actualDstIP := dstIP
|
||||
if matchedRule.RewriteTo != "" {
|
||||
resolvedAddr, err := h.proxyHandler.resolveRewriteAddress(matchedRule.RewriteTo)
|
||||
if err != nil {
|
||||
logger.Info("ICMP Handler: Failed to resolve rewrite address %s: %v", matchedRule.RewriteTo, err)
|
||||
} else {
|
||||
actualDstIP = resolvedAddr.String()
|
||||
logger.Info("ICMP Handler: Using rewritten destination %s (original: %s)", actualDstIP, dstIP)
|
||||
}
|
||||
}
|
||||
|
||||
// Get the full ICMP payload (including the data after the header)
|
||||
icmpPayload := pkt.Data().AsRange().ToSlice()
|
||||
|
||||
// Handle the ping in a goroutine to avoid blocking
|
||||
go h.proxyPing(srcIP, dstIP, actualDstIP, icmpHdr.Ident(), icmpHdr.Sequence(), icmpPayload)
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
// proxyPing sends a ping to the actual destination and injects the reply back
|
||||
func (h *ICMPHandler) proxyPing(srcIP, originalDstIP, actualDstIP string, ident, seq uint16, payload []byte) {
|
||||
logger.Debug("ICMP Handler: Proxying ping from %s to %s (actual: %s), ident=%d, seq=%d",
|
||||
srcIP, originalDstIP, actualDstIP, ident, seq)
|
||||
|
||||
// Try three methods in order: ip4:icmp -> udp4 -> ping command
|
||||
// Track which method succeeded so we can handle identifier matching correctly
|
||||
method, success := h.tryICMPMethods(actualDstIP, ident, seq, payload)
|
||||
|
||||
if !success {
|
||||
logger.Info("ICMP Handler: All ping methods failed for %s", actualDstIP)
|
||||
return
|
||||
}
|
||||
|
||||
logger.Info("ICMP Handler: Ping successful to %s using %s, injecting reply (ident=%d, seq=%d)",
|
||||
actualDstIP, method, ident, seq)
|
||||
|
||||
// Build the reply packet to inject back into the netstack
|
||||
// The reply should appear to come from the original destination (before rewrite)
|
||||
h.injectICMPReply(srcIP, originalDstIP, ident, seq, payload)
|
||||
}
|
||||
|
||||
// tryICMPMethods tries all available ICMP methods in order
|
||||
func (h *ICMPHandler) tryICMPMethods(actualDstIP string, ident, seq uint16, payload []byte) (string, bool) {
|
||||
if h.tryRawICMP(actualDstIP, ident, seq, payload, false) {
|
||||
return "raw ICMP", true
|
||||
}
|
||||
if h.tryUnprivilegedICMP(actualDstIP, ident, seq, payload) {
|
||||
return "unprivileged ICMP", true
|
||||
}
|
||||
if h.tryPingCommand(actualDstIP, ident, seq, payload) {
|
||||
return "ping command", true
|
||||
}
|
||||
return "", false
|
||||
}
|
||||
|
||||
// tryRawICMP attempts to ping using raw ICMP sockets (requires CAP_NET_RAW or root)
|
||||
func (h *ICMPHandler) tryRawICMP(actualDstIP string, ident, seq uint16, payload []byte, ignoreIdent bool) bool {
|
||||
conn, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0")
|
||||
if err != nil {
|
||||
logger.Debug("ICMP Handler: Raw ICMP socket not available: %v", err)
|
||||
return false
|
||||
}
|
||||
defer conn.Close()
|
||||
|
||||
logger.Debug("ICMP Handler: Using raw ICMP socket")
|
||||
return h.sendAndReceiveICMP(conn, actualDstIP, ident, seq, payload, false, ignoreIdent)
|
||||
}
|
||||
|
||||
// tryUnprivilegedICMP attempts to ping using unprivileged ICMP (requires ping_group_range configured)
|
||||
func (h *ICMPHandler) tryUnprivilegedICMP(actualDstIP string, ident, seq uint16, payload []byte) bool {
|
||||
conn, err := icmp.ListenPacket("udp4", "0.0.0.0")
|
||||
if err != nil {
|
||||
logger.Debug("ICMP Handler: Unprivileged ICMP socket not available: %v", err)
|
||||
return false
|
||||
}
|
||||
defer conn.Close()
|
||||
|
||||
logger.Debug("ICMP Handler: Using unprivileged ICMP socket")
|
||||
// Unprivileged ICMP doesn't let us control the identifier, so we ignore it in matching
|
||||
return h.sendAndReceiveICMP(conn, actualDstIP, ident, seq, payload, true, true)
|
||||
}
|
||||
|
||||
// sendAndReceiveICMP sends an ICMP echo request and waits for the reply
|
||||
func (h *ICMPHandler) sendAndReceiveICMP(conn *icmp.PacketConn, actualDstIP string, ident, seq uint16, payload []byte, isUnprivileged bool, ignoreIdent bool) bool {
|
||||
// Build the ICMP echo request message
|
||||
echoMsg := &icmp.Message{
|
||||
Type: ipv4.ICMPTypeEcho,
|
||||
Code: 0,
|
||||
Body: &icmp.Echo{
|
||||
ID: int(ident),
|
||||
Seq: int(seq),
|
||||
Data: payload,
|
||||
},
|
||||
}
|
||||
|
||||
msgBytes, err := echoMsg.Marshal(nil)
|
||||
if err != nil {
|
||||
logger.Debug("ICMP Handler: Failed to marshal ICMP message: %v", err)
|
||||
return false
|
||||
}
|
||||
|
||||
// Resolve destination address based on socket type
|
||||
var writeErr error
|
||||
if isUnprivileged {
|
||||
// For unprivileged ICMP, use UDP-style addressing
|
||||
udpAddr := &net.UDPAddr{IP: net.ParseIP(actualDstIP)}
|
||||
logger.Debug("ICMP Handler: Sending ping to %s (unprivileged)", udpAddr.String())
|
||||
conn.SetDeadline(time.Now().Add(icmpTimeout))
|
||||
_, writeErr = conn.WriteTo(msgBytes, udpAddr)
|
||||
} else {
|
||||
// For raw ICMP, use IP addressing
|
||||
dst, err := net.ResolveIPAddr("ip4", actualDstIP)
|
||||
if err != nil {
|
||||
logger.Debug("ICMP Handler: Failed to resolve destination %s: %v", actualDstIP, err)
|
||||
return false
|
||||
}
|
||||
logger.Debug("ICMP Handler: Sending ping to %s (raw)", dst.String())
|
||||
conn.SetDeadline(time.Now().Add(icmpTimeout))
|
||||
_, writeErr = conn.WriteTo(msgBytes, dst)
|
||||
}
|
||||
|
||||
if writeErr != nil {
|
||||
logger.Debug("ICMP Handler: Failed to send ping to %s: %v", actualDstIP, writeErr)
|
||||
return false
|
||||
}
|
||||
|
||||
logger.Debug("ICMP Handler: Ping sent to %s, waiting for reply (ident=%d, seq=%d)", actualDstIP, ident, seq)
|
||||
|
||||
// Wait for reply - loop to filter out non-matching packets
|
||||
replyBuf := make([]byte, 1500)
|
||||
|
||||
for {
|
||||
n, peer, err := conn.ReadFrom(replyBuf)
|
||||
if err != nil {
|
||||
logger.Debug("ICMP Handler: Failed to receive ping reply from %s: %v", actualDstIP, err)
|
||||
return false
|
||||
}
|
||||
|
||||
logger.Debug("ICMP Handler: Received %d bytes from %s", n, peer.String())
|
||||
|
||||
// Parse the reply
|
||||
replyMsg, err := icmp.ParseMessage(1, replyBuf[:n])
|
||||
if err != nil {
|
||||
logger.Debug("ICMP Handler: Failed to parse ICMP message: %v", err)
|
||||
continue
|
||||
}
|
||||
|
||||
// Check if it's an echo reply (type 0), not an echo request (type 8)
|
||||
if replyMsg.Type != ipv4.ICMPTypeEchoReply {
|
||||
logger.Debug("ICMP Handler: Received non-echo-reply type: %v, continuing to wait", replyMsg.Type)
|
||||
continue
|
||||
}
|
||||
|
||||
reply, ok := replyMsg.Body.(*icmp.Echo)
|
||||
if !ok {
|
||||
logger.Debug("ICMP Handler: Invalid echo reply body type, continuing to wait")
|
||||
continue
|
||||
}
|
||||
|
||||
// Verify the sequence matches what we sent
|
||||
// For unprivileged ICMP, the kernel controls the identifier, so we only check sequence
|
||||
if reply.Seq != int(seq) {
|
||||
logger.Debug("ICMP Handler: Reply seq mismatch: got seq=%d, want seq=%d", reply.Seq, seq)
|
||||
continue
|
||||
}
|
||||
|
||||
if !ignoreIdent && reply.ID != int(ident) {
|
||||
logger.Debug("ICMP Handler: Reply ident mismatch: got ident=%d, want ident=%d", reply.ID, ident)
|
||||
continue
|
||||
}
|
||||
|
||||
// Found matching reply
|
||||
logger.Debug("ICMP Handler: Received valid echo reply")
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
// tryPingCommand attempts to ping using the system ping command (always works, but less control)
|
||||
func (h *ICMPHandler) tryPingCommand(actualDstIP string, ident, seq uint16, payload []byte) bool {
|
||||
logger.Debug("ICMP Handler: Attempting to use system ping command")
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), icmpTimeout)
|
||||
defer cancel()
|
||||
|
||||
// Send one ping with timeout
|
||||
// -c 1: count = 1 packet
|
||||
// -W 5: timeout = 5 seconds
|
||||
// -q: quiet output (just summary)
|
||||
cmd := exec.CommandContext(ctx, "ping", "-c", "1", "-W", "5", "-q", actualDstIP)
|
||||
output, err := cmd.CombinedOutput()
|
||||
|
||||
if err != nil {
|
||||
logger.Debug("ICMP Handler: System ping command failed: %v, output: %s", err, string(output))
|
||||
return false
|
||||
}
|
||||
|
||||
logger.Debug("ICMP Handler: System ping command succeeded")
|
||||
return true
|
||||
}
|
||||
|
||||
// injectICMPReply creates an ICMP echo reply packet and queues it to be sent back through the tunnel
|
||||
func (h *ICMPHandler) injectICMPReply(dstIP, srcIP string, ident, seq uint16, payload []byte) {
|
||||
logger.Debug("ICMP Handler: Creating reply from %s to %s (ident=%d, seq=%d)",
|
||||
srcIP, dstIP, ident, seq)
|
||||
|
||||
// Parse addresses
|
||||
srcAddr, err := netip.ParseAddr(srcIP)
|
||||
if err != nil {
|
||||
logger.Info("ICMP Handler: Failed to parse source IP for reply: %v", err)
|
||||
return
|
||||
}
|
||||
dstAddr, err := netip.ParseAddr(dstIP)
|
||||
if err != nil {
|
||||
logger.Info("ICMP Handler: Failed to parse dest IP for reply: %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
// Calculate total packet size
|
||||
ipHeaderLen := header.IPv4MinimumSize
|
||||
icmpHeaderLen := header.ICMPv4MinimumSize
|
||||
totalLen := ipHeaderLen + icmpHeaderLen + len(payload)
|
||||
|
||||
// Create the packet buffer
|
||||
pkt := make([]byte, totalLen)
|
||||
|
||||
// Build IPv4 header
|
||||
ipHdr := header.IPv4(pkt[:ipHeaderLen])
|
||||
ipHdr.Encode(&header.IPv4Fields{
|
||||
TotalLength: uint16(totalLen),
|
||||
TTL: 64,
|
||||
Protocol: uint8(header.ICMPv4ProtocolNumber),
|
||||
SrcAddr: tcpip.AddrFrom4(srcAddr.As4()),
|
||||
DstAddr: tcpip.AddrFrom4(dstAddr.As4()),
|
||||
})
|
||||
ipHdr.SetChecksum(^ipHdr.CalculateChecksum())
|
||||
|
||||
// Build ICMP header
|
||||
icmpHdr := header.ICMPv4(pkt[ipHeaderLen : ipHeaderLen+icmpHeaderLen])
|
||||
icmpHdr.SetType(header.ICMPv4EchoReply)
|
||||
icmpHdr.SetCode(0)
|
||||
icmpHdr.SetIdent(ident)
|
||||
icmpHdr.SetSequence(seq)
|
||||
|
||||
// Copy payload
|
||||
copy(pkt[ipHeaderLen+icmpHeaderLen:], payload)
|
||||
|
||||
// Calculate ICMP checksum (covers ICMP header + payload)
|
||||
icmpHdr.SetChecksum(0)
|
||||
icmpData := pkt[ipHeaderLen:]
|
||||
icmpHdr.SetChecksum(^checksum.Checksum(icmpData, 0))
|
||||
|
||||
logger.Debug("ICMP Handler: Built reply packet, total length=%d", totalLen)
|
||||
|
||||
// Queue the packet to be sent back through the tunnel
|
||||
if h.proxyHandler != nil {
|
||||
if h.proxyHandler.QueueICMPReply(pkt) {
|
||||
logger.Info("ICMP Handler: Queued echo reply packet for transmission")
|
||||
} else {
|
||||
logger.Info("ICMP Handler: Failed to queue echo reply packet")
|
||||
}
|
||||
} else {
|
||||
logger.Info("ICMP Handler: Cannot queue reply - proxy handler not available")
|
||||
}
|
||||
}
|
||||
|
||||
420
netstack2/http_handler.go
Normal file
420
netstack2/http_handler.go
Normal file
@@ -0,0 +1,420 @@
|
||||
package netstack2
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/httputil"
|
||||
"net/url"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/stack"
|
||||
)
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// HTTPTarget
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// HTTPTarget describes a single downstream HTTP or HTTPS service that the
|
||||
// proxy should forward requests to.
|
||||
type HTTPTarget struct {
|
||||
DestAddr string `json:"destAddr"` // IP address or hostname of the downstream service
|
||||
DestPort uint16 `json:"destPort"` // TCP port of the downstream service
|
||||
Scheme string `json:"scheme"` // When true the outbound leg uses HTTPS
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// HTTPHandler
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// HTTPHandler intercepts TCP connections from the netstack forwarder on ports
|
||||
// 80 and 443 and services them as HTTP or HTTPS, reverse-proxying each request
|
||||
// to downstream targets specified by the matching SubnetRule.
|
||||
//
|
||||
// HTTP and raw TCP are fully separate: a connection is only routed here when
|
||||
// its SubnetRule has Protocol set ("http" or "https"). All other connections
|
||||
// on those ports fall through to the normal raw-TCP path.
|
||||
//
|
||||
// Incoming TLS termination (Protocol == "https") is performed per-connection
|
||||
// using the certificate and key stored in the rule, so different subnet rules
|
||||
// can present different certificates without sharing any state.
|
||||
//
|
||||
// Outbound connections to downstream targets honour HTTPTarget.UseHTTPS
|
||||
// independently of the incoming protocol.
|
||||
type HTTPHandler struct {
|
||||
stack *stack.Stack
|
||||
proxyHandler *ProxyHandler
|
||||
requestLogger *HTTPRequestLogger
|
||||
|
||||
listener *chanListener
|
||||
server *http.Server
|
||||
|
||||
// proxyCache holds pre-built *httputil.ReverseProxy values keyed by the
|
||||
// canonical target URL string ("scheme://host:port"). Building a proxy is
|
||||
// cheap, but reusing one preserves the underlying http.Transport connection
|
||||
// pool, which matters for throughput.
|
||||
proxyCache sync.Map // map[string]*httputil.ReverseProxy
|
||||
|
||||
// tlsCache holds pre-parsed *tls.Config values keyed by the concatenation
|
||||
// of the PEM certificate and key. Parsing a keypair is relatively expensive
|
||||
// and the same cert is likely reused across many connections.
|
||||
tlsCache sync.Map // map[string]*tls.Config
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// chanListener – net.Listener backed by a channel
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// chanListener implements net.Listener by receiving net.Conn values over a
|
||||
// buffered channel. This lets the netstack TCP forwarder hand off connections
|
||||
// directly to a running http.Server without any real OS socket.
|
||||
type chanListener struct {
|
||||
connCh chan net.Conn
|
||||
closed chan struct{}
|
||||
once sync.Once
|
||||
}
|
||||
|
||||
func newChanListener() *chanListener {
|
||||
return &chanListener{
|
||||
connCh: make(chan net.Conn, 128),
|
||||
closed: make(chan struct{}),
|
||||
}
|
||||
}
|
||||
|
||||
// Accept blocks until a connection is available or the listener is closed.
|
||||
func (l *chanListener) Accept() (net.Conn, error) {
|
||||
select {
|
||||
case conn, ok := <-l.connCh:
|
||||
if !ok {
|
||||
return nil, net.ErrClosed
|
||||
}
|
||||
return conn, nil
|
||||
case <-l.closed:
|
||||
return nil, net.ErrClosed
|
||||
}
|
||||
}
|
||||
|
||||
// Close shuts down the listener; subsequent Accept calls return net.ErrClosed.
|
||||
func (l *chanListener) Close() error {
|
||||
l.once.Do(func() { close(l.closed) })
|
||||
return nil
|
||||
}
|
||||
|
||||
// Addr returns a placeholder address (the listener has no real OS socket).
|
||||
func (l *chanListener) Addr() net.Addr {
|
||||
return &net.TCPAddr{}
|
||||
}
|
||||
|
||||
// send delivers conn to the listener. Returns false if the listener is already
|
||||
// closed, in which case the caller is responsible for closing conn.
|
||||
func (l *chanListener) send(conn net.Conn) bool {
|
||||
select {
|
||||
case l.connCh <- conn:
|
||||
return true
|
||||
case <-l.closed:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// httpConnCtx – conn wrapper that carries a SubnetRule through the listener
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// httpConnCtx wraps a net.Conn so the matching SubnetRule and TLS state can
|
||||
// be passed through the chanListener into the http.Server's ConnContext
|
||||
// callback, making them available to request handlers via the request context.
|
||||
type httpConnCtx struct {
|
||||
net.Conn
|
||||
rule *SubnetRule
|
||||
isTLS bool // true when the conn was wrapped with tls.Server
|
||||
}
|
||||
|
||||
// connCtxKey is the unexported context key used to store a *SubnetRule on the
|
||||
// per-connection context created by http.Server.ConnContext.
|
||||
type connCtxKey struct{}
|
||||
|
||||
// connTLSKey is the unexported context key used to store the isTLS flag on
|
||||
// the per-connection context created by http.Server.ConnContext.
|
||||
type connTLSKey struct{}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Constructor and lifecycle
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// NewHTTPHandler creates an HTTPHandler attached to the given stack and
|
||||
// ProxyHandler. Call Start to begin serving connections.
|
||||
func NewHTTPHandler(s *stack.Stack, ph *ProxyHandler) *HTTPHandler {
|
||||
return &HTTPHandler{
|
||||
stack: s,
|
||||
proxyHandler: ph,
|
||||
}
|
||||
}
|
||||
|
||||
// SetRequestLogger attaches an HTTPRequestLogger so that every proxied request
|
||||
// is recorded and periodically shipped to the server.
|
||||
func (h *HTTPHandler) SetRequestLogger(rl *HTTPRequestLogger) {
|
||||
h.requestLogger = rl
|
||||
}
|
||||
|
||||
// Start launches the internal http.Server that services connections delivered
|
||||
// via HandleConn. The server runs for the lifetime of the HTTPHandler; call
|
||||
// Close to stop it.
|
||||
func (h *HTTPHandler) Start() error {
|
||||
h.listener = newChanListener()
|
||||
|
||||
h.server = &http.Server{
|
||||
Handler: http.HandlerFunc(h.handleRequest),
|
||||
// ConnContext runs once per accepted connection and attaches the
|
||||
// SubnetRule carried by httpConnCtx to the connection's context so
|
||||
// that handleRequest can retrieve it without any global state.
|
||||
ConnContext: func(ctx context.Context, c net.Conn) context.Context {
|
||||
if cc, ok := c.(*httpConnCtx); ok {
|
||||
ctx = context.WithValue(ctx, connCtxKey{}, cc.rule)
|
||||
ctx = context.WithValue(ctx, connTLSKey{}, cc.isTLS)
|
||||
}
|
||||
return ctx
|
||||
},
|
||||
}
|
||||
|
||||
go func() {
|
||||
if err := h.server.Serve(h.listener); err != nil && err != http.ErrServerClosed {
|
||||
logger.Error("HTTP handler: server exited unexpectedly: %v", err)
|
||||
}
|
||||
}()
|
||||
|
||||
logger.Debug("HTTP handler: ready — routing determined per SubnetRule on ports 80/443")
|
||||
return nil
|
||||
}
|
||||
|
||||
// HandleConn accepts a TCP connection from the netstack forwarder together
|
||||
// with the SubnetRule that matched it. The HTTP handler takes full ownership
|
||||
// of the connection's lifecycle; the caller must NOT close conn after this call.
|
||||
//
|
||||
// When rule.Protocol is "https", TLS termination is performed on conn using
|
||||
// the certificate and key stored in rule.TLSCert and rule.TLSKey before the
|
||||
// connection is passed to the HTTP server. The HTTP server itself is always
|
||||
// plain-HTTP; TLS is fully unwrapped at this layer.
|
||||
func (h *HTTPHandler) HandleConn(conn net.Conn, rule *SubnetRule) {
|
||||
var effectiveConn net.Conn = conn
|
||||
|
||||
if rule.Protocol == "https" {
|
||||
// Only perform TLS termination for connections arriving on port 443.
|
||||
// Connections on port 80 are passed through as plain HTTP so that
|
||||
// handleRequest can issue the HTTP→HTTPS redirect.
|
||||
doTLS := false
|
||||
if tcpAddr, ok := conn.LocalAddr().(*net.TCPAddr); ok {
|
||||
doTLS = tcpAddr.Port == 443
|
||||
}
|
||||
if doTLS {
|
||||
tlsCfg, err := h.getTLSConfig(rule)
|
||||
if err != nil {
|
||||
logger.Error("HTTP handler: cannot build TLS config for connection from %s: %v",
|
||||
conn.RemoteAddr(), err)
|
||||
conn.Close()
|
||||
return
|
||||
}
|
||||
// tls.Server wraps the raw conn; the TLS handshake is deferred until
|
||||
// the first Read, which the http.Server will trigger naturally.
|
||||
effectiveConn = tls.Server(conn, tlsCfg)
|
||||
}
|
||||
}
|
||||
|
||||
wrapped := &httpConnCtx{Conn: effectiveConn, rule: rule, isTLS: effectiveConn != conn}
|
||||
if !h.listener.send(wrapped) {
|
||||
// Listener is already closed — clean up the orphaned connection.
|
||||
effectiveConn.Close()
|
||||
}
|
||||
}
|
||||
|
||||
// Close gracefully shuts down the HTTP server and the underlying channel
|
||||
// listener, causing the goroutine started in Start to exit.
|
||||
func (h *HTTPHandler) Close() error {
|
||||
if h.server != nil {
|
||||
if err := h.server.Close(); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
if h.listener != nil {
|
||||
h.listener.Close()
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Internal helpers
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// getTLSConfig returns a *tls.Config for the cert/key pair in rule, using a
|
||||
// cache to avoid re-parsing the same keypair on every connection.
|
||||
// The cache key is the concatenation of the PEM cert and key strings, so
|
||||
// different rules that happen to share the same material hit the same entry.
|
||||
func (h *HTTPHandler) getTLSConfig(rule *SubnetRule) (*tls.Config, error) {
|
||||
cacheKey := rule.TLSCert + "|" + rule.TLSKey
|
||||
if v, ok := h.tlsCache.Load(cacheKey); ok {
|
||||
return v.(*tls.Config), nil
|
||||
}
|
||||
|
||||
cert, err := tls.X509KeyPair([]byte(rule.TLSCert), []byte(rule.TLSKey))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to parse TLS keypair: %w", err)
|
||||
}
|
||||
cfg := &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
}
|
||||
// LoadOrStore is safe under concurrent calls: if two goroutines race here
|
||||
// both will produce a valid config; the loser's work is discarded.
|
||||
actual, _ := h.tlsCache.LoadOrStore(cacheKey, cfg)
|
||||
return actual.(*tls.Config), nil
|
||||
}
|
||||
|
||||
// getProxy returns a cached *httputil.ReverseProxy for the given target,
|
||||
// creating one on first use. Reusing the proxy preserves its http.Transport
|
||||
// connection pool, avoiding repeated TCP/TLS handshakes to the downstream.
|
||||
func (h *HTTPHandler) getProxy(target HTTPTarget) *httputil.ReverseProxy {
|
||||
scheme := target.Scheme
|
||||
cacheKey := fmt.Sprintf("%s://%s:%d", scheme, target.DestAddr, target.DestPort)
|
||||
|
||||
if v, ok := h.proxyCache.Load(cacheKey); ok {
|
||||
return v.(*httputil.ReverseProxy)
|
||||
}
|
||||
|
||||
targetURL := &url.URL{
|
||||
Scheme: scheme,
|
||||
Host: fmt.Sprintf("%s:%d", target.DestAddr, target.DestPort),
|
||||
}
|
||||
var transport http.RoundTripper = http.DefaultTransport
|
||||
if target.Scheme == "https" {
|
||||
// Allow self-signed certificates on downstream HTTPS targets.
|
||||
transport = &http.Transport{
|
||||
TLSClientConfig: &tls.Config{
|
||||
InsecureSkipVerify: true, //nolint:gosec // downstream self-signed certs are a supported configuration
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
proxy := &httputil.ReverseProxy{
|
||||
Rewrite: func(pr *httputil.ProxyRequest) {
|
||||
pr.SetURL(targetURL)
|
||||
if host := pr.In.Host; host != "" {
|
||||
pr.Out.Host = host
|
||||
}
|
||||
// SetXForwarded sets X-Forwarded-For from the inbound request's
|
||||
// RemoteAddr (the WireGuard/netstack client address), along with
|
||||
// X-Forwarded-Host and X-Forwarded-Proto. Using Rewrite instead of
|
||||
// Director means the proxy does not append its own automatic
|
||||
// X-Forwarded-For entry, so the header is set exactly once.
|
||||
pr.SetXForwarded()
|
||||
|
||||
// SetXForwarded derives X-Forwarded-Proto from pr.In.TLS,
|
||||
// which is nil because httpConnCtx wraps *tls.Conn behind
|
||||
// net.Conn. Override using the context flag set by ConnContext.
|
||||
if isTLS, _ := pr.In.Context().Value(connTLSKey{}).(bool); isTLS {
|
||||
pr.Out.Header.Set("X-Forwarded-Proto", "https")
|
||||
}
|
||||
},
|
||||
Transport: transport,
|
||||
}
|
||||
|
||||
proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
|
||||
logger.Error("HTTP handler: upstream error (%s %s -> %s): %v",
|
||||
r.Method, r.URL.RequestURI(), cacheKey, err)
|
||||
http.Error(w, "Bad Gateway", http.StatusBadGateway)
|
||||
}
|
||||
|
||||
actual, _ := h.proxyCache.LoadOrStore(cacheKey, proxy)
|
||||
return actual.(*httputil.ReverseProxy)
|
||||
}
|
||||
|
||||
// statusCapture wraps an http.ResponseWriter and records the HTTP status code
|
||||
// written by the upstream handler. If WriteHeader is never called the status
|
||||
// defaults to 200 (http.StatusOK), matching net/http semantics.
|
||||
type statusCapture struct {
|
||||
http.ResponseWriter
|
||||
status int
|
||||
}
|
||||
|
||||
func (sc *statusCapture) WriteHeader(code int) {
|
||||
sc.status = code
|
||||
sc.ResponseWriter.WriteHeader(code)
|
||||
}
|
||||
|
||||
func (sc *statusCapture) Unwrap() http.ResponseWriter {
|
||||
return sc.ResponseWriter
|
||||
}
|
||||
|
||||
func (sc *statusCapture) Flush() {
|
||||
if flusher, ok := sc.ResponseWriter.(http.Flusher); ok {
|
||||
flusher.Flush()
|
||||
}
|
||||
}
|
||||
|
||||
func (sc *statusCapture) Hijack() (net.Conn, *bufio.ReadWriter, error) {
|
||||
hijacker, ok := sc.ResponseWriter.(http.Hijacker)
|
||||
if !ok {
|
||||
return nil, nil, errors.New("underlying response writer does not support hijacking")
|
||||
}
|
||||
return hijacker.Hijack()
|
||||
}
|
||||
|
||||
// handleRequest is the http.Handler entry point. It retrieves the SubnetRule
|
||||
// attached to the connection by ConnContext, selects the first configured
|
||||
// downstream target, and forwards the request via the cached ReverseProxy.
|
||||
//
|
||||
// TODO: add host/path-based routing across multiple HTTPTargets once the
|
||||
// configuration model evolves beyond a single target per rule.
|
||||
func (h *HTTPHandler) handleRequest(w http.ResponseWriter, r *http.Request) {
|
||||
rule, _ := r.Context().Value(connCtxKey{}).(*SubnetRule)
|
||||
if rule == nil || len(rule.HTTPTargets) == 0 {
|
||||
logger.Error("HTTP handler: no downstream targets for request %s %s", r.Method, r.URL.RequestURI())
|
||||
http.Error(w, "no targets configured", http.StatusBadGateway)
|
||||
return
|
||||
}
|
||||
|
||||
// If the rule is HTTPS but the incoming request arrived over plain HTTP
|
||||
// (port 80), redirect to HTTPS. We use the isTLS flag stored on the
|
||||
// connection context rather than r.TLS, because Go's http.Server calls
|
||||
// ConnectionState() before the TLS handshake completes, so r.TLS.Version
|
||||
// is 0 even for genuine TLS connections at that point.
|
||||
isTLS, _ := r.Context().Value(connTLSKey{}).(bool)
|
||||
if rule.Protocol == "https" && !isTLS {
|
||||
host := r.Host
|
||||
if host == "" {
|
||||
host = r.URL.Host
|
||||
}
|
||||
httpsURL := "https://" + host + r.RequestURI
|
||||
logger.Info("HTTP handler: redirecting %s %s -> %s (TLS cert present)", r.Method, r.URL.RequestURI(), httpsURL)
|
||||
http.Redirect(w, r, httpsURL, http.StatusPermanentRedirect)
|
||||
return
|
||||
}
|
||||
|
||||
target := rule.HTTPTargets[0]
|
||||
scheme := target.Scheme
|
||||
logger.Info("HTTP handler: %s %s -> %s://%s:%d",
|
||||
r.Method, r.URL.RequestURI(), scheme, target.DestAddr, target.DestPort)
|
||||
|
||||
timestamp := time.Now()
|
||||
sc := &statusCapture{ResponseWriter: w, status: http.StatusOK}
|
||||
|
||||
h.getProxy(target).ServeHTTP(sc, r)
|
||||
|
||||
if h.requestLogger != nil && rule.ResourceId != 0 {
|
||||
h.requestLogger.LogRequest(HTTPRequestLog{
|
||||
ResourceID: rule.ResourceId,
|
||||
Timestamp: timestamp,
|
||||
Method: r.Method,
|
||||
Scheme: rule.Protocol,
|
||||
Host: r.Host,
|
||||
Path: r.URL.Path,
|
||||
RawQuery: r.URL.RawQuery,
|
||||
UserAgent: r.UserAgent(),
|
||||
SourceAddr: r.RemoteAddr,
|
||||
TLS: rule.Protocol == "https",
|
||||
})
|
||||
}
|
||||
}
|
||||
97
netstack2/http_handler_test.go
Normal file
97
netstack2/http_handler_test.go
Normal file
@@ -0,0 +1,97 @@
|
||||
package netstack2
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"net/url"
|
||||
"testing"
|
||||
|
||||
"github.com/gorilla/websocket"
|
||||
)
|
||||
|
||||
func TestHTTPHandlerProxiesWebSocketUpgrade(t *testing.T) {
|
||||
upgrader := websocket.Upgrader{}
|
||||
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
conn, err := upgrader.Upgrade(w, r, nil)
|
||||
if err != nil {
|
||||
t.Errorf("upgrade failed: %v", err)
|
||||
return
|
||||
}
|
||||
defer conn.Close()
|
||||
|
||||
messageType, payload, err := conn.ReadMessage()
|
||||
if err != nil {
|
||||
t.Errorf("read failed: %v", err)
|
||||
return
|
||||
}
|
||||
if err := conn.WriteMessage(messageType, append([]byte("echo:"), payload...)); err != nil {
|
||||
t.Errorf("write failed: %v", err)
|
||||
}
|
||||
}))
|
||||
defer backend.Close()
|
||||
|
||||
backendURL, err := url.Parse(backend.URL)
|
||||
if err != nil {
|
||||
t.Fatalf("parse backend URL: %v", err)
|
||||
}
|
||||
backendHost, backendPort, err := net.SplitHostPort(backendURL.Host)
|
||||
if err != nil {
|
||||
t.Fatalf("split backend host: %v", err)
|
||||
}
|
||||
port, err := net.LookupPort("tcp", backendPort)
|
||||
if err != nil {
|
||||
t.Fatalf("parse backend port: %v", err)
|
||||
}
|
||||
|
||||
handler := NewHTTPHandler(nil, nil)
|
||||
rule := &SubnetRule{
|
||||
Protocol: "http",
|
||||
HTTPTargets: []HTTPTarget{
|
||||
{
|
||||
DestAddr: backendHost,
|
||||
DestPort: uint16(port),
|
||||
Scheme: backendURL.Scheme,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := context.WithValue(r.Context(), connCtxKey{}, rule)
|
||||
handler.handleRequest(w, r.WithContext(ctx))
|
||||
}))
|
||||
defer frontend.Close()
|
||||
|
||||
frontendURL, err := url.Parse(frontend.URL)
|
||||
if err != nil {
|
||||
t.Fatalf("parse frontend URL: %v", err)
|
||||
}
|
||||
wsURL := url.URL{
|
||||
Scheme: "ws",
|
||||
Host: frontendURL.Host,
|
||||
Path: "/socket",
|
||||
RawQuery: "token=test",
|
||||
}
|
||||
|
||||
conn, _, err := websocket.DefaultDialer.Dial(wsURL.String(), nil)
|
||||
if err != nil {
|
||||
t.Fatalf("dial websocket through proxy: %v", err)
|
||||
}
|
||||
defer conn.Close()
|
||||
|
||||
if err := conn.WriteMessage(websocket.TextMessage, []byte("hello")); err != nil {
|
||||
t.Fatalf("write websocket message: %v", err)
|
||||
}
|
||||
|
||||
messageType, payload, err := conn.ReadMessage()
|
||||
if err != nil {
|
||||
t.Fatalf("read websocket message: %v", err)
|
||||
}
|
||||
if messageType != websocket.TextMessage {
|
||||
t.Fatalf("message type = %d, want %d", messageType, websocket.TextMessage)
|
||||
}
|
||||
if got, want := string(payload), "echo:hello"; got != want {
|
||||
t.Fatalf("payload = %q, want %q", got, want)
|
||||
}
|
||||
}
|
||||
175
netstack2/http_request_log.go
Normal file
175
netstack2/http_request_log.go
Normal file
@@ -0,0 +1,175 @@
|
||||
package netstack2
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"compress/zlib"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
// HTTPRequestLog represents a single HTTP/HTTPS request proxied through the handler.
|
||||
type HTTPRequestLog struct {
|
||||
RequestID string `json:"requestId"`
|
||||
ResourceID int `json:"resourceId"`
|
||||
Timestamp time.Time `json:"timestamp"`
|
||||
Method string `json:"method"`
|
||||
Scheme string `json:"scheme"`
|
||||
Host string `json:"host"`
|
||||
Path string `json:"path"`
|
||||
RawQuery string `json:"rawQuery,omitempty"`
|
||||
UserAgent string `json:"userAgent,omitempty"`
|
||||
SourceAddr string `json:"sourceAddr"`
|
||||
TLS bool `json:"tls"`
|
||||
}
|
||||
|
||||
// HTTPRequestLogger buffers HTTP request logs and periodically flushes them
|
||||
// to the server via a configurable SendFunc.
|
||||
type HTTPRequestLogger struct {
|
||||
mu sync.Mutex
|
||||
pending []HTTPRequestLog
|
||||
sendFn SendFunc
|
||||
stopCh chan struct{}
|
||||
flushDone chan struct{}
|
||||
}
|
||||
|
||||
// NewHTTPRequestLogger creates a new HTTPRequestLogger and starts its background flush loop.
|
||||
func NewHTTPRequestLogger() *HTTPRequestLogger {
|
||||
rl := &HTTPRequestLogger{
|
||||
pending: make([]HTTPRequestLog, 0),
|
||||
stopCh: make(chan struct{}),
|
||||
flushDone: make(chan struct{}),
|
||||
}
|
||||
go rl.backgroundLoop()
|
||||
return rl
|
||||
}
|
||||
|
||||
// SetSendFunc sets the callback used to send compressed HTTP request log batches
|
||||
// to the server. This can be called after construction once the websocket
|
||||
// client is available.
|
||||
func (rl *HTTPRequestLogger) SetSendFunc(fn SendFunc) {
|
||||
rl.mu.Lock()
|
||||
defer rl.mu.Unlock()
|
||||
rl.sendFn = fn
|
||||
}
|
||||
|
||||
// LogRequest adds an HTTP request log entry to the buffer. If the buffer
|
||||
// reaches maxBufferedSessions entries a flush is triggered immediately.
|
||||
func (rl *HTTPRequestLogger) LogRequest(log HTTPRequestLog) {
|
||||
if log.RequestID == "" {
|
||||
log.RequestID = generateSessionID()
|
||||
}
|
||||
|
||||
rl.mu.Lock()
|
||||
rl.pending = append(rl.pending, log)
|
||||
shouldFlush := len(rl.pending) >= maxBufferedSessions
|
||||
rl.mu.Unlock()
|
||||
|
||||
if shouldFlush {
|
||||
rl.flush()
|
||||
}
|
||||
}
|
||||
|
||||
// backgroundLoop handles periodic flushing of buffered request logs.
|
||||
func (rl *HTTPRequestLogger) backgroundLoop() {
|
||||
defer close(rl.flushDone)
|
||||
|
||||
ticker := time.NewTicker(flushInterval)
|
||||
defer ticker.Stop()
|
||||
|
||||
for {
|
||||
select {
|
||||
case <-rl.stopCh:
|
||||
return
|
||||
case <-ticker.C:
|
||||
rl.flush()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// flush drains the pending buffer, compresses with zlib, and sends via the SendFunc.
|
||||
// On send failure the batch is re-queued, capped at maxBufferedSessions*5 entries
|
||||
// to prevent unbounded memory growth when the server is unreachable.
|
||||
func (rl *HTTPRequestLogger) flush() {
|
||||
rl.mu.Lock()
|
||||
if len(rl.pending) == 0 {
|
||||
rl.mu.Unlock()
|
||||
return
|
||||
}
|
||||
batch := rl.pending
|
||||
rl.pending = make([]HTTPRequestLog, 0)
|
||||
sendFn := rl.sendFn
|
||||
rl.mu.Unlock()
|
||||
|
||||
if sendFn == nil {
|
||||
logger.Debug("HTTP request logger: no send function configured, discarding %d requests", len(batch))
|
||||
return
|
||||
}
|
||||
|
||||
compressed, err := compressRequestLogs(batch)
|
||||
if err != nil {
|
||||
logger.Error("HTTP request logger: failed to compress %d requests: %v", len(batch), err)
|
||||
return
|
||||
}
|
||||
|
||||
if err := sendFn(compressed); err != nil {
|
||||
logger.Error("HTTP request logger: failed to send %d requests: %v", len(batch), err)
|
||||
// Re-queue the batch so we don't lose data
|
||||
rl.mu.Lock()
|
||||
rl.pending = append(batch, rl.pending...)
|
||||
// Cap re-queued data to prevent unbounded growth if server is unreachable
|
||||
if len(rl.pending) > maxBufferedSessions*5 {
|
||||
dropped := len(rl.pending) - maxBufferedSessions*5
|
||||
rl.pending = rl.pending[:maxBufferedSessions*5]
|
||||
logger.Warn("HTTP request logger: buffer overflow, dropped %d oldest requests", dropped)
|
||||
}
|
||||
rl.mu.Unlock()
|
||||
return
|
||||
}
|
||||
|
||||
logger.Info("HTTP request logger: sent %d requests to server", len(batch))
|
||||
}
|
||||
|
||||
// compressRequestLogs JSON-encodes the request logs, compresses with zlib, and
|
||||
// returns a base64-encoded string suitable for embedding in a JSON message.
|
||||
func compressRequestLogs(logs []HTTPRequestLog) (string, error) {
|
||||
jsonData, err := json.Marshal(logs)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
var buf bytes.Buffer
|
||||
w, err := zlib.NewWriterLevel(&buf, zlib.BestCompression)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if _, err := w.Write(jsonData); err != nil {
|
||||
w.Close()
|
||||
return "", err
|
||||
}
|
||||
if err := w.Close(); err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
|
||||
}
|
||||
|
||||
// Close shuts down the background loop and performs one final flush to send
|
||||
// any remaining buffered requests to the server.
|
||||
func (rl *HTTPRequestLogger) Close() {
|
||||
select {
|
||||
case <-rl.stopCh:
|
||||
// Already closed
|
||||
return
|
||||
default:
|
||||
close(rl.stopCh)
|
||||
}
|
||||
|
||||
// Wait for the background loop to exit so we don't race on flush
|
||||
<-rl.flushDone
|
||||
|
||||
rl.flush()
|
||||
}
|
||||
@@ -6,6 +6,7 @@ import (
|
||||
"net"
|
||||
"net/netip"
|
||||
"sync"
|
||||
"sync/atomic"
|
||||
"time"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
@@ -22,10 +23,18 @@ import (
|
||||
"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
|
||||
)
|
||||
|
||||
// PortRange represents an allowed range of ports (inclusive)
|
||||
const (
|
||||
// udpAccessSessionTimeout is how long a UDP access session stays alive without traffic
|
||||
// before being considered ended by the access logger
|
||||
udpAccessSessionTimeout = 120 * time.Second
|
||||
)
|
||||
|
||||
// PortRange represents an allowed range of ports (inclusive) with optional protocol filtering
|
||||
// Protocol can be "tcp", "udp", or "" (empty string means both protocols)
|
||||
type PortRange struct {
|
||||
Min uint16
|
||||
Max uint16
|
||||
Min uint16
|
||||
Max uint16
|
||||
Protocol string // "tcp", "udp", or "" for both
|
||||
}
|
||||
|
||||
// SubnetRule represents a subnet with optional port restrictions and source address
|
||||
@@ -41,99 +50,35 @@ type PortRange struct {
|
||||
type SubnetRule struct {
|
||||
SourcePrefix netip.Prefix // Source IP prefix (who is sending)
|
||||
DestPrefix netip.Prefix // Destination IP prefix (where it's going)
|
||||
DisableIcmp bool // If true, ICMP traffic is blocked for this subnet
|
||||
RewriteTo string // Optional rewrite address for DNAT - can be IP/CIDR or domain name
|
||||
PortRanges []PortRange // empty slice means all ports allowed
|
||||
ResourceId int // Optional resource ID from the server for access logging
|
||||
|
||||
// HTTP proxy configuration (optional).
|
||||
// When Protocol is non-empty the TCP connection is handled by HTTPHandler
|
||||
// instead of the raw TCP forwarder.
|
||||
Protocol string // "", "http", or "https" — controls the incoming (client-facing) protocol
|
||||
HTTPTargets []HTTPTarget // downstream services to proxy requests to
|
||||
TLSCert string // PEM-encoded certificate for incoming HTTPS termination
|
||||
TLSKey string // PEM-encoded private key for incoming HTTPS termination
|
||||
}
|
||||
|
||||
// ruleKey is used as a map key for fast O(1) lookups
|
||||
type ruleKey struct {
|
||||
sourcePrefix string
|
||||
destPrefix string
|
||||
}
|
||||
|
||||
// SubnetLookup provides fast IP subnet and port matching with O(1) lookup performance
|
||||
type SubnetLookup struct {
|
||||
mu sync.RWMutex
|
||||
rules map[ruleKey]*SubnetRule // Map for O(1) lookups by prefix combination
|
||||
}
|
||||
|
||||
// NewSubnetLookup creates a new subnet lookup table
|
||||
func NewSubnetLookup() *SubnetLookup {
|
||||
return &SubnetLookup{
|
||||
rules: make(map[ruleKey]*SubnetRule),
|
||||
}
|
||||
}
|
||||
|
||||
// AddSubnet adds a subnet rule with source and destination prefixes and optional port restrictions
|
||||
// If portRanges is nil or empty, all ports are allowed for this subnet
|
||||
// rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com")
|
||||
func (sl *SubnetLookup) AddSubnet(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange) {
|
||||
sl.mu.Lock()
|
||||
defer sl.mu.Unlock()
|
||||
|
||||
key := ruleKey{
|
||||
sourcePrefix: sourcePrefix.String(),
|
||||
destPrefix: destPrefix.String(),
|
||||
}
|
||||
|
||||
sl.rules[key] = &SubnetRule{
|
||||
SourcePrefix: sourcePrefix,
|
||||
DestPrefix: destPrefix,
|
||||
RewriteTo: rewriteTo,
|
||||
PortRanges: portRanges,
|
||||
}
|
||||
}
|
||||
|
||||
// RemoveSubnet removes a subnet rule from the lookup table
|
||||
func (sl *SubnetLookup) RemoveSubnet(sourcePrefix, destPrefix netip.Prefix) {
|
||||
sl.mu.Lock()
|
||||
defer sl.mu.Unlock()
|
||||
|
||||
key := ruleKey{
|
||||
sourcePrefix: sourcePrefix.String(),
|
||||
destPrefix: destPrefix.String(),
|
||||
}
|
||||
|
||||
delete(sl.rules, key)
|
||||
}
|
||||
|
||||
// Match checks if a source IP, destination IP, and port match any subnet rule
|
||||
// Returns the matched rule if BOTH:
|
||||
// - The source IP is in the rule's source prefix
|
||||
// - The destination IP is in the rule's destination prefix
|
||||
// - The port is in an allowed range (or no port restrictions exist)
|
||||
//
|
||||
// Returns nil if no rule matches
|
||||
func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16) *SubnetRule {
|
||||
// GetAllRules returns a copy of all subnet rules
|
||||
func (sl *SubnetLookup) GetAllRules() []SubnetRule {
|
||||
sl.mu.RLock()
|
||||
defer sl.mu.RUnlock()
|
||||
|
||||
// Iterate through all rules to find matching source and destination prefixes
|
||||
// This is O(n) but necessary since we need to check prefix containment, not exact match
|
||||
for _, rule := range sl.rules {
|
||||
// Check if source and destination IPs match their respective prefixes
|
||||
if !rule.SourcePrefix.Contains(srcIP) {
|
||||
var rules []SubnetRule
|
||||
for _, destTriePtr := range sl.sourceTrie.All() {
|
||||
if destTriePtr == nil {
|
||||
continue
|
||||
}
|
||||
if !rule.DestPrefix.Contains(dstIP) {
|
||||
continue
|
||||
}
|
||||
|
||||
// Both IPs match - now check port restrictions
|
||||
// If no port ranges specified, all ports are allowed
|
||||
if len(rule.PortRanges) == 0 {
|
||||
return rule
|
||||
}
|
||||
|
||||
// Check if port is in any of the allowed ranges
|
||||
for _, pr := range rule.PortRanges {
|
||||
if port >= pr.Min && port <= pr.Max {
|
||||
return rule
|
||||
}
|
||||
for _, rule := range destTriePtr.rules {
|
||||
rules = append(rules, *rule)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
return rules
|
||||
}
|
||||
|
||||
// connKey uniquely identifies a connection for NAT tracking
|
||||
@@ -145,6 +90,17 @@ type connKey struct {
|
||||
proto uint8
|
||||
}
|
||||
|
||||
// reverseConnKey uniquely identifies a connection for reverse NAT lookup (reply direction)
|
||||
// Key structure: (rewrittenTo, originalSrcIP, originalSrcPort, originalDstPort, proto)
|
||||
// This allows O(1) lookup of NAT entries for reply packets
|
||||
type reverseConnKey struct {
|
||||
rewrittenTo string // The address we rewrote to (becomes src in replies)
|
||||
originalSrcIP string // Original source IP (becomes dst in replies)
|
||||
originalSrcPort uint16 // Original source port (becomes dst port in replies)
|
||||
originalDstPort uint16 // Original destination port (becomes src port in replies)
|
||||
proto uint8
|
||||
}
|
||||
|
||||
// destKey identifies a destination for handler lookups (without source port since it may change)
|
||||
type destKey struct {
|
||||
srcIP string
|
||||
@@ -166,23 +122,33 @@ type ProxyHandler struct {
|
||||
proxyNotifyHandle *channel.NotificationHandle
|
||||
tcpHandler *TCPHandler
|
||||
udpHandler *UDPHandler
|
||||
icmpHandler *ICMPHandler
|
||||
httpHandler *HTTPHandler
|
||||
subnetLookup *SubnetLookup
|
||||
natTable map[connKey]*natState
|
||||
destRewriteTable map[destKey]netip.Addr // Maps original dest to rewritten dest for handler lookups
|
||||
reverseNatTable map[reverseConnKey]*natState // Reverse lookup map for O(1) reply packet NAT
|
||||
destRewriteTable map[destKey]netip.Addr // Maps original dest to rewritten dest for handler lookups
|
||||
resourceTable map[destKey]int // Maps connection key to resource ID for access logging
|
||||
natMu sync.RWMutex
|
||||
enabled bool
|
||||
icmpReplies chan []byte // Channel for ICMP reply packets to be sent back through the tunnel
|
||||
notifiable channel.Notification // Notification handler for triggering reads
|
||||
accessLogger *AccessLogger // Access logger for tracking sessions
|
||||
httpRequestLogger *HTTPRequestLogger // HTTP request logger for proxied HTTP/HTTPS requests
|
||||
blocked atomic.Bool // when true, all new connections are dropped
|
||||
}
|
||||
|
||||
// ProxyHandlerOptions configures the proxy handler
|
||||
type ProxyHandlerOptions struct {
|
||||
EnableTCP bool
|
||||
EnableUDP bool
|
||||
MTU int
|
||||
EnableTCP bool
|
||||
EnableUDP bool
|
||||
EnableICMP bool
|
||||
MTU int
|
||||
}
|
||||
|
||||
// NewProxyHandler creates a new proxy handler for promiscuous mode
|
||||
func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
|
||||
if !options.EnableTCP && !options.EnableUDP {
|
||||
if !options.EnableTCP && !options.EnableUDP && !options.EnableICMP {
|
||||
return nil, nil // No proxy needed
|
||||
}
|
||||
|
||||
@@ -190,7 +156,11 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
|
||||
enabled: true,
|
||||
subnetLookup: NewSubnetLookup(),
|
||||
natTable: make(map[connKey]*natState),
|
||||
reverseNatTable: make(map[reverseConnKey]*natState),
|
||||
destRewriteTable: make(map[destKey]netip.Addr),
|
||||
resourceTable: make(map[destKey]int),
|
||||
icmpReplies: make(chan []byte, 256), // Buffer for ICMP reply packets
|
||||
accessLogger: NewAccessLogger(udpAccessSessionTimeout),
|
||||
proxyEp: channel.New(1024, uint32(options.MTU), ""),
|
||||
proxyStack: stack.New(stack.Options{
|
||||
NetworkProtocols: []stack.NetworkProtocolFactory{
|
||||
@@ -206,12 +176,24 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
|
||||
}),
|
||||
}
|
||||
|
||||
// Initialize TCP handler if enabled
|
||||
// Initialize TCP handler if enabled. The HTTP handler piggybacks on the
|
||||
// TCP forwarder — TCPHandler.handleTCPConn checks the subnet rule for
|
||||
// ports 80/443 and routes matching connections to the HTTP handler, so
|
||||
// the HTTP handler is always initialised alongside TCP.
|
||||
if options.EnableTCP {
|
||||
handler.tcpHandler = NewTCPHandler(handler.proxyStack, handler)
|
||||
if err := handler.tcpHandler.InstallTCPHandler(); err != nil {
|
||||
return nil, fmt.Errorf("failed to install TCP handler: %v", err)
|
||||
}
|
||||
|
||||
handler.httpHandler = NewHTTPHandler(handler.proxyStack, handler)
|
||||
if err := handler.httpHandler.Start(); err != nil {
|
||||
return nil, fmt.Errorf("failed to start HTTP handler: %v", err)
|
||||
}
|
||||
|
||||
handler.httpRequestLogger = NewHTTPRequestLogger()
|
||||
handler.httpHandler.SetRequestLogger(handler.httpRequestLogger)
|
||||
logger.Debug("ProxyHandler: HTTP handler enabled")
|
||||
}
|
||||
|
||||
// Initialize UDP handler if enabled
|
||||
@@ -222,6 +204,15 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
|
||||
}
|
||||
}
|
||||
|
||||
// Initialize ICMP handler if enabled
|
||||
if options.EnableICMP {
|
||||
handler.icmpHandler = NewICMPHandler(handler.proxyStack, handler)
|
||||
if err := handler.icmpHandler.InstallICMPHandler(); err != nil {
|
||||
return nil, fmt.Errorf("failed to install ICMP handler: %v", err)
|
||||
}
|
||||
logger.Debug("ProxyHandler: ICMP handler enabled")
|
||||
}
|
||||
|
||||
// // Example 1: Add a rule with no port restrictions (all ports allowed)
|
||||
// // This accepts all traffic FROM 10.0.0.0/24 TO 10.20.20.0/24
|
||||
// sourceSubnet := netip.MustParsePrefix("10.0.0.0/24")
|
||||
@@ -241,16 +232,36 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
|
||||
return handler, nil
|
||||
}
|
||||
|
||||
// AddSubnetRule adds a subnet with optional port restrictions to the proxy handler
|
||||
// sourcePrefix: The IP prefix of the peer sending the data
|
||||
// destPrefix: The IP prefix of the destination
|
||||
// rewriteTo: Optional address to rewrite destination to - can be IP/CIDR or domain name
|
||||
// If portRanges is nil or empty, all ports are allowed for this subnet
|
||||
func (p *ProxyHandler) AddSubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange) {
|
||||
// AddSubnetRule adds a subnet rule to the proxy handler.
|
||||
// HTTP proxy behaviour is configured via rule.Protocol, rule.HTTPTargets,
|
||||
// rule.TLSCert, and rule.TLSKey; leave Protocol empty for raw TCP/UDP.
|
||||
func (p *ProxyHandler) AddSubnetRule(rule SubnetRule) {
|
||||
if p == nil || !p.enabled {
|
||||
return
|
||||
}
|
||||
p.subnetLookup.AddSubnet(sourcePrefix, destPrefix, rewriteTo, portRanges)
|
||||
p.subnetLookup.AddSubnet(rule)
|
||||
}
|
||||
|
||||
// SetBlocked enables or disables connection blocking on this proxy handler.
|
||||
// When enabled, all new TCP/UDP connections from the tunnel are dropped immediately.
|
||||
func (p *ProxyHandler) SetBlocked(v bool) {
|
||||
if p == nil {
|
||||
return
|
||||
}
|
||||
p.blocked.Store(v)
|
||||
if v {
|
||||
logger.Debug("ProxyHandler: connection blocking enabled")
|
||||
} else {
|
||||
logger.Debug("ProxyHandler: connection blocking disabled")
|
||||
}
|
||||
}
|
||||
|
||||
// IsBlocked returns true if connection blocking is currently enabled.
|
||||
func (p *ProxyHandler) IsBlocked() bool {
|
||||
if p == nil {
|
||||
return false
|
||||
}
|
||||
return p.blocked.Load()
|
||||
}
|
||||
|
||||
// RemoveSubnetRule removes a subnet from the proxy handler
|
||||
@@ -261,6 +272,69 @@ func (p *ProxyHandler) RemoveSubnetRule(sourcePrefix, destPrefix netip.Prefix) {
|
||||
p.subnetLookup.RemoveSubnet(sourcePrefix, destPrefix)
|
||||
}
|
||||
|
||||
// GetAllRules returns all subnet rules from the proxy handler
|
||||
func (p *ProxyHandler) GetAllRules() []SubnetRule {
|
||||
if p == nil || !p.enabled {
|
||||
return nil
|
||||
}
|
||||
return p.subnetLookup.GetAllRules()
|
||||
}
|
||||
|
||||
// LookupResourceId looks up the resource ID for a connection
|
||||
// Returns 0 if no resource ID is associated with this connection
|
||||
func (p *ProxyHandler) LookupResourceId(srcIP, dstIP string, dstPort uint16, proto uint8) int {
|
||||
if p == nil || !p.enabled {
|
||||
return 0
|
||||
}
|
||||
|
||||
key := destKey{
|
||||
srcIP: srcIP,
|
||||
dstIP: dstIP,
|
||||
dstPort: dstPort,
|
||||
proto: proto,
|
||||
}
|
||||
|
||||
p.natMu.RLock()
|
||||
defer p.natMu.RUnlock()
|
||||
|
||||
return p.resourceTable[key]
|
||||
}
|
||||
|
||||
// GetAccessLogger returns the access logger for session tracking
|
||||
func (p *ProxyHandler) GetAccessLogger() *AccessLogger {
|
||||
if p == nil {
|
||||
return nil
|
||||
}
|
||||
return p.accessLogger
|
||||
}
|
||||
|
||||
// SetAccessLogSender configures the function used to send compressed access log
|
||||
// batches to the server. This should be called once the websocket client is available.
|
||||
func (p *ProxyHandler) SetAccessLogSender(fn SendFunc) {
|
||||
if p == nil || !p.enabled || p.accessLogger == nil {
|
||||
return
|
||||
}
|
||||
p.accessLogger.SetSendFunc(fn)
|
||||
}
|
||||
|
||||
// GetHTTPRequestLogger returns the HTTP request logger.
|
||||
func (p *ProxyHandler) GetHTTPRequestLogger() *HTTPRequestLogger {
|
||||
if p == nil {
|
||||
return nil
|
||||
}
|
||||
return p.httpRequestLogger
|
||||
}
|
||||
|
||||
// SetHTTPRequestLogSender configures the function used to send compressed HTTP
|
||||
// request log batches to the server. This should be called once the websocket
|
||||
// client is available.
|
||||
func (p *ProxyHandler) SetHTTPRequestLogSender(fn SendFunc) {
|
||||
if p == nil || !p.enabled || p.httpRequestLogger == nil {
|
||||
return
|
||||
}
|
||||
p.httpRequestLogger.SetSendFunc(fn)
|
||||
}
|
||||
|
||||
// LookupDestinationRewrite looks up the rewritten destination for a connection
|
||||
// This is used by TCP/UDP handlers to find the actual target address
|
||||
func (p *ProxyHandler) LookupDestinationRewrite(srcIP, dstIP string, dstPort uint16, proto uint8) (netip.Addr, bool) {
|
||||
@@ -329,6 +403,9 @@ func (p *ProxyHandler) Initialize(notifiable channel.Notification) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Store notifiable for triggering notifications on ICMP replies
|
||||
p.notifiable = notifiable
|
||||
|
||||
// Add notification handler
|
||||
p.proxyNotifyHandle = p.proxyEp.AddNotify(notifiable)
|
||||
|
||||
@@ -407,14 +484,35 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool {
|
||||
}
|
||||
udpHeader := header.UDP(packet[headerLen:])
|
||||
dstPort = udpHeader.DestinationPort()
|
||||
default:
|
||||
// For other protocols (ICMP, etc.), use port 0 (must match rules with no port restrictions)
|
||||
case header.ICMPv4ProtocolNumber:
|
||||
// ICMP doesn't have ports, use port 0 (must match rules with no port restrictions)
|
||||
dstPort = 0
|
||||
logger.Debug("HandleIncomingPacket: ICMP packet from %s to %s", srcAddr, dstAddr)
|
||||
default:
|
||||
// For other protocols, use port 0 (must match rules with no port restrictions)
|
||||
dstPort = 0
|
||||
logger.Debug("HandleIncomingPacket: Unknown protocol %d from %s to %s", protocol, srcAddr, dstAddr)
|
||||
}
|
||||
|
||||
// Check if the source IP, destination IP, and port match any subnet rule
|
||||
matchedRule := p.subnetLookup.Match(srcAddr, dstAddr, dstPort)
|
||||
// Check if the source IP, destination IP, port, and protocol match any subnet rule
|
||||
matchedRule := p.subnetLookup.Match(srcAddr, dstAddr, dstPort, protocol)
|
||||
if matchedRule != nil {
|
||||
logger.Debug("HandleIncomingPacket: Matched rule for %s -> %s (proto=%d, port=%d, resourceId=%d)",
|
||||
srcAddr, dstAddr, protocol, dstPort, matchedRule.ResourceId)
|
||||
|
||||
// Store resource ID for connections without DNAT as well
|
||||
if matchedRule.ResourceId != 0 && matchedRule.RewriteTo == "" {
|
||||
dKey := destKey{
|
||||
srcIP: srcAddr.String(),
|
||||
dstIP: dstAddr.String(),
|
||||
dstPort: dstPort,
|
||||
proto: uint8(protocol),
|
||||
}
|
||||
p.natMu.Lock()
|
||||
p.resourceTable[dKey] = matchedRule.ResourceId
|
||||
p.natMu.Unlock()
|
||||
}
|
||||
|
||||
// Check if we need to perform DNAT
|
||||
if matchedRule.RewriteTo != "" {
|
||||
// Create connection tracking key using original destination
|
||||
@@ -446,6 +544,13 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool {
|
||||
proto: uint8(protocol),
|
||||
}
|
||||
|
||||
// Store resource ID for access logging if present
|
||||
if matchedRule.ResourceId != 0 {
|
||||
p.natMu.Lock()
|
||||
p.resourceTable[dKey] = matchedRule.ResourceId
|
||||
p.natMu.Unlock()
|
||||
}
|
||||
|
||||
// Check if we already have a NAT entry for this connection
|
||||
p.natMu.RLock()
|
||||
existingEntry, exists := p.natTable[key]
|
||||
@@ -472,12 +577,37 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool {
|
||||
|
||||
// Store NAT state for this connection
|
||||
p.natMu.Lock()
|
||||
p.natTable[key] = &natState{
|
||||
natEntry := &natState{
|
||||
originalDst: dstAddr,
|
||||
rewrittenTo: newDst,
|
||||
}
|
||||
p.natTable[key] = natEntry
|
||||
|
||||
// Create reverse lookup key for O(1) reply packet lookups
|
||||
// Key: (rewrittenTo, originalSrcIP, originalSrcPort, originalDstPort, proto)
|
||||
reverseKey := reverseConnKey{
|
||||
rewrittenTo: newDst.String(),
|
||||
originalSrcIP: srcAddr.String(),
|
||||
originalSrcPort: srcPort,
|
||||
originalDstPort: dstPort,
|
||||
proto: uint8(protocol),
|
||||
}
|
||||
p.reverseNatTable[reverseKey] = natEntry
|
||||
|
||||
// Store destination rewrite for handler lookups
|
||||
p.destRewriteTable[dKey] = newDst
|
||||
|
||||
// Also store the resource ID under the rewritten destination key so that
|
||||
// TCP/UDP handlers can find it after DNAT (they see the post-NAT dst IP).
|
||||
if matchedRule.ResourceId != 0 {
|
||||
rewrittenKey := destKey{
|
||||
srcIP: srcAddr.String(),
|
||||
dstIP: newDst.String(),
|
||||
dstPort: dstPort,
|
||||
proto: uint8(protocol),
|
||||
}
|
||||
p.resourceTable[rewrittenKey] = matchedRule.ResourceId
|
||||
}
|
||||
p.natMu.Unlock()
|
||||
logger.Debug("New NAT entry for connection: %s -> %s", dstAddr, newDst)
|
||||
}
|
||||
@@ -501,9 +631,12 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool {
|
||||
Payload: buffer.MakeWithData(packet),
|
||||
})
|
||||
p.proxyEp.InjectInbound(header.IPv4ProtocolNumber, pkb)
|
||||
logger.Debug("HandleIncomingPacket: Injected packet into proxy stack (proto=%d)", protocol)
|
||||
return true
|
||||
}
|
||||
|
||||
// logger.Debug("HandleIncomingPacket: No matching rule for %s -> %s (proto=%d, port=%d)",
|
||||
// srcAddr, dstAddr, protocol, dstPort)
|
||||
return false
|
||||
}
|
||||
|
||||
@@ -626,6 +759,15 @@ func (p *ProxyHandler) ReadOutgoingPacket() *buffer.View {
|
||||
return nil
|
||||
}
|
||||
|
||||
// First check for ICMP reply packets (non-blocking)
|
||||
select {
|
||||
case icmpReply := <-p.icmpReplies:
|
||||
logger.Debug("ReadOutgoingPacket: Returning ICMP reply packet (%d bytes)", len(icmpReply))
|
||||
return buffer.NewViewWithData(icmpReply)
|
||||
default:
|
||||
// No ICMP reply available, continue to check proxy endpoint
|
||||
}
|
||||
|
||||
pkt := p.proxyEp.Read()
|
||||
if pkt != nil {
|
||||
view := pkt.ToView()
|
||||
@@ -655,22 +797,29 @@ func (p *ProxyHandler) ReadOutgoingPacket() *buffer.View {
|
||||
srcPort = udpHeader.SourcePort()
|
||||
dstPort = udpHeader.DestinationPort()
|
||||
}
|
||||
case header.ICMPv4ProtocolNumber:
|
||||
// ICMP packets don't need NAT translation in our implementation
|
||||
// since we construct reply packets with the correct addresses
|
||||
logger.Debug("ReadOutgoingPacket: ICMP packet from %s to %s", srcIP, dstIP)
|
||||
return view
|
||||
}
|
||||
|
||||
// Look up NAT state for reverse translation
|
||||
// The key uses the original dst (before rewrite), so for replies we need to
|
||||
// find the entry where the rewritten address matches the current source
|
||||
// Look up NAT state for reverse translation using O(1) reverse lookup map
|
||||
// Key: (rewrittenTo, originalSrcIP, originalSrcPort, originalDstPort, proto)
|
||||
// For reply packets:
|
||||
// - reply's srcIP = rewrittenTo (the address we rewrote to)
|
||||
// - reply's dstIP = originalSrcIP (original source IP)
|
||||
// - reply's srcPort = originalDstPort (original destination port)
|
||||
// - reply's dstPort = originalSrcPort (original source port)
|
||||
p.natMu.RLock()
|
||||
var natEntry *natState
|
||||
for k, entry := range p.natTable {
|
||||
// Match: reply's dst should be original src, reply's src should be rewritten dst
|
||||
if k.srcIP == dstIP.String() && k.srcPort == dstPort &&
|
||||
entry.rewrittenTo.String() == srcIP.String() && k.dstPort == srcPort &&
|
||||
k.proto == uint8(protocol) {
|
||||
natEntry = entry
|
||||
break
|
||||
}
|
||||
reverseKey := reverseConnKey{
|
||||
rewrittenTo: srcIP.String(), // Reply's source is the rewritten address
|
||||
originalSrcIP: dstIP.String(), // Reply's destination is the original source
|
||||
originalSrcPort: dstPort, // Reply's destination port is the original source port
|
||||
originalDstPort: srcPort, // Reply's source port is the original destination port
|
||||
proto: uint8(protocol),
|
||||
}
|
||||
natEntry := p.reverseNatTable[reverseKey]
|
||||
p.natMu.RUnlock()
|
||||
|
||||
if natEntry != nil {
|
||||
@@ -688,12 +837,52 @@ func (p *ProxyHandler) ReadOutgoingPacket() *buffer.View {
|
||||
return nil
|
||||
}
|
||||
|
||||
// QueueICMPReply queues an ICMP reply packet to be sent back through the tunnel
|
||||
func (p *ProxyHandler) QueueICMPReply(packet []byte) bool {
|
||||
if p == nil || !p.enabled {
|
||||
return false
|
||||
}
|
||||
|
||||
select {
|
||||
case p.icmpReplies <- packet:
|
||||
logger.Debug("QueueICMPReply: Queued ICMP reply packet (%d bytes)", len(packet))
|
||||
// Trigger notification so WriteNotify picks up the packet
|
||||
if p.notifiable != nil {
|
||||
p.notifiable.WriteNotify()
|
||||
}
|
||||
return true
|
||||
default:
|
||||
logger.Info("QueueICMPReply: ICMP reply channel full, dropping packet")
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// Close cleans up the proxy handler resources
|
||||
func (p *ProxyHandler) Close() error {
|
||||
if p == nil || !p.enabled {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Shut down access logger
|
||||
if p.accessLogger != nil {
|
||||
p.accessLogger.Close()
|
||||
}
|
||||
|
||||
// Shut down HTTP request logger
|
||||
if p.httpRequestLogger != nil {
|
||||
p.httpRequestLogger.Close()
|
||||
}
|
||||
|
||||
// Shut down HTTP handler
|
||||
if p.httpHandler != nil {
|
||||
p.httpHandler.Close()
|
||||
}
|
||||
|
||||
// Close ICMP replies channel
|
||||
if p.icmpReplies != nil {
|
||||
close(p.icmpReplies)
|
||||
}
|
||||
|
||||
if p.proxyStack != nil {
|
||||
p.proxyStack.RemoveNIC(1)
|
||||
p.proxyStack.Close()
|
||||
|
||||
201
netstack2/subnet_lookup.go
Normal file
201
netstack2/subnet_lookup.go
Normal file
@@ -0,0 +1,201 @@
|
||||
package netstack2
|
||||
|
||||
import (
|
||||
"net/netip"
|
||||
"sync"
|
||||
|
||||
"github.com/gaissmai/bart"
|
||||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/header"
|
||||
)
|
||||
|
||||
// SubnetLookup provides fast IP subnet and port matching using BART (Binary Aggregated Range Tree)
|
||||
// This uses BART Table for O(log n) prefix matching with Supernets() for efficient lookups
|
||||
//
|
||||
// Architecture:
|
||||
// - Two-level BART structure for matching both source AND destination prefixes
|
||||
// - Level 1: Source prefix -> Level 2 (destination prefix -> rules)
|
||||
// - This reduces search space: only check destination prefixes for matching source prefixes
|
||||
type SubnetLookup struct {
|
||||
mu sync.RWMutex
|
||||
// Two-level BART structure:
|
||||
// Level 1: Source prefix -> Level 2 (destination prefix -> rules)
|
||||
// This allows us to first match source prefix, then only check destination prefixes
|
||||
// for matching source prefixes, reducing the search space significantly
|
||||
sourceTrie *bart.Table[*destTrie]
|
||||
}
|
||||
|
||||
// destTrie is a BART for destination prefixes, containing the actual rules
|
||||
type destTrie struct {
|
||||
trie *bart.Table[[]*SubnetRule]
|
||||
rules []*SubnetRule // All rules for this source prefix (for iteration if needed)
|
||||
}
|
||||
|
||||
// NewSubnetLookup creates a new subnet lookup table using BART
|
||||
func NewSubnetLookup() *SubnetLookup {
|
||||
return &SubnetLookup{
|
||||
sourceTrie: &bart.Table[*destTrie]{},
|
||||
}
|
||||
}
|
||||
|
||||
// prefixEqual compares two prefixes after masking to handle host bits correctly.
|
||||
// For example, 10.0.0.5/24 and 10.0.0.0/24 are treated as equal.
|
||||
func prefixEqual(a, b netip.Prefix) bool {
|
||||
return a.Masked() == b.Masked()
|
||||
}
|
||||
|
||||
// AddSubnet adds a subnet rule to the lookup table.
|
||||
// If rule.PortRanges is nil or empty, all ports are allowed.
|
||||
// rule.RewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com").
|
||||
// HTTP proxy behaviour is driven by rule.Protocol, rule.HTTPTargets, rule.TLSCert, and rule.TLSKey.
|
||||
func (sl *SubnetLookup) AddSubnet(rule SubnetRule) {
|
||||
sl.mu.Lock()
|
||||
defer sl.mu.Unlock()
|
||||
|
||||
rulePtr := &rule
|
||||
|
||||
// Canonicalize source prefix to handle host bits correctly
|
||||
canonicalSourcePrefix := rule.SourcePrefix.Masked()
|
||||
|
||||
// Get or create destination trie for this source prefix
|
||||
destTriePtr, exists := sl.sourceTrie.Get(canonicalSourcePrefix)
|
||||
if !exists {
|
||||
// Create new destination trie for this source prefix
|
||||
destTriePtr = &destTrie{
|
||||
trie: &bart.Table[[]*SubnetRule]{},
|
||||
rules: make([]*SubnetRule, 0),
|
||||
}
|
||||
sl.sourceTrie.Insert(canonicalSourcePrefix, destTriePtr)
|
||||
}
|
||||
|
||||
// Canonicalize destination prefix to handle host bits correctly
|
||||
// BART masks prefixes internally, so we need to match that behavior in our bookkeeping
|
||||
canonicalDestPrefix := rule.DestPrefix.Masked()
|
||||
|
||||
// Add rule to destination trie
|
||||
// Original behavior: overwrite if same (sourcePrefix, destPrefix) exists
|
||||
// Store as single-element slice to match original overwrite behavior
|
||||
destTriePtr.trie.Insert(canonicalDestPrefix, []*SubnetRule{rulePtr})
|
||||
|
||||
// Update destTriePtr.rules - remove old rule with same canonical prefix if exists, then add new one
|
||||
// Use canonical comparison to handle cases like 10.0.0.5/24 vs 10.0.0.0/24
|
||||
newRules := make([]*SubnetRule, 0, len(destTriePtr.rules)+1)
|
||||
for _, r := range destTriePtr.rules {
|
||||
if !prefixEqual(r.DestPrefix, canonicalDestPrefix) || !prefixEqual(r.SourcePrefix, canonicalSourcePrefix) {
|
||||
newRules = append(newRules, r)
|
||||
}
|
||||
}
|
||||
newRules = append(newRules, rulePtr)
|
||||
destTriePtr.rules = newRules
|
||||
}
|
||||
|
||||
// RemoveSubnet removes a subnet rule from the lookup table
|
||||
func (sl *SubnetLookup) RemoveSubnet(sourcePrefix, destPrefix netip.Prefix) {
|
||||
sl.mu.Lock()
|
||||
defer sl.mu.Unlock()
|
||||
|
||||
// Canonicalize prefixes to handle host bits correctly
|
||||
canonicalSourcePrefix := sourcePrefix.Masked()
|
||||
canonicalDestPrefix := destPrefix.Masked()
|
||||
|
||||
destTriePtr, exists := sl.sourceTrie.Get(canonicalSourcePrefix)
|
||||
if !exists {
|
||||
return
|
||||
}
|
||||
|
||||
// Remove the rule - original behavior: delete exact (sourcePrefix, destPrefix) combination
|
||||
// BART masks prefixes internally, so Delete works with canonical form
|
||||
destTriePtr.trie.Delete(canonicalDestPrefix)
|
||||
|
||||
// Also remove from destTriePtr.rules using canonical comparison
|
||||
// This ensures we remove rules even if they were added with host bits set
|
||||
newDestRules := make([]*SubnetRule, 0, len(destTriePtr.rules))
|
||||
for _, r := range destTriePtr.rules {
|
||||
if !prefixEqual(r.DestPrefix, canonicalDestPrefix) || !prefixEqual(r.SourcePrefix, canonicalSourcePrefix) {
|
||||
newDestRules = append(newDestRules, r)
|
||||
}
|
||||
}
|
||||
destTriePtr.rules = newDestRules
|
||||
|
||||
// Check if the trie is actually empty using BART's Size() method
|
||||
// This is more efficient than iterating and ensures we clean up empty tries
|
||||
// even if there were stale entries in the rules slice (which shouldn't happen
|
||||
// with proper canonicalization, but this provides a definitive check)
|
||||
if destTriePtr.trie.Size() == 0 {
|
||||
sl.sourceTrie.Delete(canonicalSourcePrefix)
|
||||
}
|
||||
}
|
||||
|
||||
// Match checks if a source IP, destination IP, port, and protocol match any subnet rule
|
||||
// Returns the matched rule if ALL of these conditions are met:
|
||||
// - The source IP is in the rule's source prefix
|
||||
// - The destination IP is in the rule's destination prefix
|
||||
// - The port is in an allowed range (or no port restrictions exist)
|
||||
// - The protocol matches (or the port range allows both protocols)
|
||||
//
|
||||
// proto should be header.TCPProtocolNumber, header.UDPProtocolNumber, or header.ICMPv4ProtocolNumber
|
||||
// Returns nil if no rule matches
|
||||
// This uses BART's Supernets() for O(log n) prefix matching instead of O(n) iteration
|
||||
func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16, proto tcpip.TransportProtocolNumber) *SubnetRule {
|
||||
sl.mu.RLock()
|
||||
defer sl.mu.RUnlock()
|
||||
|
||||
// Convert IP addresses to /32 (IPv4) or /128 (IPv6) prefixes
|
||||
// Supernets() finds all prefixes that contain this IP (i.e., are supernets of /32 or /128)
|
||||
srcPrefix := netip.PrefixFrom(srcIP, srcIP.BitLen())
|
||||
dstPrefix := netip.PrefixFrom(dstIP, dstIP.BitLen())
|
||||
|
||||
// Step 1: Find all source prefixes that contain srcIP using BART's Supernets
|
||||
// This is O(log n) instead of O(n) iteration
|
||||
// Supernets returns all prefixes that are supernets (contain) the given prefix
|
||||
for _, destTriePtr := range sl.sourceTrie.Supernets(srcPrefix) {
|
||||
if destTriePtr == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
// Step 2: Find all destination prefixes that contain dstIP
|
||||
// This is also O(log n) for each matching source prefix
|
||||
for _, rules := range destTriePtr.trie.Supernets(dstPrefix) {
|
||||
if rules == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
// Step 3: Check each rule for ICMP and port restrictions
|
||||
for _, rule := range rules {
|
||||
// Handle ICMP before port range check — ICMP has no ports
|
||||
if proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber {
|
||||
if rule.DisableIcmp {
|
||||
return nil
|
||||
}
|
||||
// ICMP is allowed; port ranges don't apply to ICMP
|
||||
return rule
|
||||
}
|
||||
|
||||
// Check port restrictions
|
||||
if len(rule.PortRanges) == 0 {
|
||||
// No port restrictions, match!
|
||||
return rule
|
||||
}
|
||||
|
||||
// Check if port and protocol are in any of the allowed ranges
|
||||
for _, pr := range rule.PortRanges {
|
||||
if port >= pr.Min && port <= pr.Max {
|
||||
// Check protocol compatibility
|
||||
if pr.Protocol == "" {
|
||||
// Empty protocol means allow both TCP and UDP
|
||||
return rule
|
||||
}
|
||||
// Check if the packet protocol matches the port range protocol
|
||||
if (pr.Protocol == "tcp" && proto == header.TCPProtocolNumber) ||
|
||||
(pr.Protocol == "udp" && proto == header.UDPProtocolNumber) {
|
||||
return rule
|
||||
}
|
||||
// Port matches but protocol doesn't - continue checking other ranges
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
@@ -1,8 +1,3 @@
|
||||
/* SPDX-License-Identifier: MIT
|
||||
*
|
||||
* Copyright (C) 2017-2025 WireGuard LLC. All Rights Reserved.
|
||||
*/
|
||||
|
||||
package netstack2
|
||||
|
||||
import (
|
||||
@@ -56,15 +51,17 @@ type Net netTun
|
||||
|
||||
// NetTunOptions contains options for creating a NetTUN device
|
||||
type NetTunOptions struct {
|
||||
EnableTCPProxy bool
|
||||
EnableUDPProxy bool
|
||||
EnableTCPProxy bool
|
||||
EnableUDPProxy bool
|
||||
EnableICMPProxy bool
|
||||
}
|
||||
|
||||
// CreateNetTUN creates a new TUN device with netstack without proxying
|
||||
func CreateNetTUN(localAddresses, dnsServers []netip.Addr, mtu int) (tun.Device, *Net, error) {
|
||||
return CreateNetTUNWithOptions(localAddresses, dnsServers, mtu, NetTunOptions{
|
||||
EnableTCPProxy: true,
|
||||
EnableUDPProxy: true,
|
||||
EnableTCPProxy: true,
|
||||
EnableUDPProxy: true,
|
||||
EnableICMPProxy: true,
|
||||
})
|
||||
}
|
||||
|
||||
@@ -84,13 +81,14 @@ func CreateNetTUNWithOptions(localAddresses, dnsServers []netip.Addr, mtu int, o
|
||||
mtu: mtu,
|
||||
}
|
||||
|
||||
// Initialize proxy handler if TCP or UDP proxying is enabled
|
||||
if options.EnableTCPProxy || options.EnableUDPProxy {
|
||||
// Initialize proxy handler if TCP, UDP, or ICMP proxying is enabled
|
||||
if options.EnableTCPProxy || options.EnableUDPProxy || options.EnableICMPProxy {
|
||||
var err error
|
||||
dev.proxyHandler, err = NewProxyHandler(ProxyHandlerOptions{
|
||||
EnableTCP: options.EnableTCPProxy,
|
||||
EnableUDP: options.EnableUDPProxy,
|
||||
MTU: mtu,
|
||||
EnableTCP: options.EnableTCPProxy,
|
||||
EnableUDP: options.EnableUDPProxy,
|
||||
EnableICMP: options.EnableICMPProxy,
|
||||
MTU: mtu,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("failed to create proxy handler: %v", err)
|
||||
@@ -348,13 +346,13 @@ func (net *Net) ListenUDP(laddr *net.UDPAddr) (*gonet.UDPConn, error) {
|
||||
return net.DialUDP(laddr, nil)
|
||||
}
|
||||
|
||||
// AddProxySubnetRule adds a subnet rule to the proxy handler
|
||||
// If portRanges is nil or empty, all ports are allowed for this subnet
|
||||
// rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com")
|
||||
func (net *Net) AddProxySubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange) {
|
||||
// AddProxySubnetRule adds a subnet rule to the proxy handler.
|
||||
// HTTP proxy behaviour is configured via rule.Protocol, rule.HTTPTargets,
|
||||
// rule.TLSCert, and rule.TLSKey; leave Protocol empty for raw TCP/UDP.
|
||||
func (net *Net) AddProxySubnetRule(rule SubnetRule) {
|
||||
tun := (*netTun)(net)
|
||||
if tun.proxyHandler != nil {
|
||||
tun.proxyHandler.AddSubnetRule(sourcePrefix, destPrefix, rewriteTo, portRanges)
|
||||
tun.proxyHandler.AddSubnetRule(rule)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -366,6 +364,15 @@ func (net *Net) RemoveProxySubnetRule(sourcePrefix, destPrefix netip.Prefix) {
|
||||
}
|
||||
}
|
||||
|
||||
// GetProxySubnetRules returns all subnet rules from the proxy handler
|
||||
func (net *Net) GetProxySubnetRules() []SubnetRule {
|
||||
tun := (*netTun)(net)
|
||||
if tun.proxyHandler != nil {
|
||||
return tun.proxyHandler.GetAllRules()
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetProxyHandler returns the proxy handler (for advanced use cases)
|
||||
// Returns nil if proxy is not enabled
|
||||
func (net *Net) GetProxyHandler() *ProxyHandler {
|
||||
@@ -373,6 +380,25 @@ func (net *Net) GetProxyHandler() *ProxyHandler {
|
||||
return tun.proxyHandler
|
||||
}
|
||||
|
||||
// SetAccessLogSender configures the function used to send compressed access log
|
||||
// batches to the server. This should be called once the websocket client is available.
|
||||
func (net *Net) SetAccessLogSender(fn SendFunc) {
|
||||
tun := (*netTun)(net)
|
||||
if tun.proxyHandler != nil {
|
||||
tun.proxyHandler.SetAccessLogSender(fn)
|
||||
}
|
||||
}
|
||||
|
||||
// SetHTTPRequestLogSender configures the function used to send compressed HTTP
|
||||
// request log batches to the server. This should be called once the websocket
|
||||
// client is available.
|
||||
func (net *Net) SetHTTPRequestLogSender(fn SendFunc) {
|
||||
tun := (*netTun)(net)
|
||||
if tun.proxyHandler != nil {
|
||||
tun.proxyHandler.SetHTTPRequestLogSender(fn)
|
||||
}
|
||||
}
|
||||
|
||||
type PingConn struct {
|
||||
laddr PingAddr
|
||||
raddr PingAddr
|
||||
|
||||
@@ -44,9 +44,13 @@ func ConfigureInterface(interfaceName string, tunnelIp string, mtu int) error {
|
||||
return configureDarwin(interfaceName, ip, ipNet)
|
||||
case "windows":
|
||||
return configureWindows(interfaceName, ip, ipNet)
|
||||
default:
|
||||
return fmt.Errorf("unsupported operating system: %s", runtime.GOOS)
|
||||
case "android":
|
||||
return nil
|
||||
case "ios":
|
||||
return nil
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// waitForInterfaceUp polls the network interface until it's up or times out
|
||||
@@ -116,7 +120,7 @@ func configureDarwin(interfaceName string, ip net.IP, ipNet *net.IPNet) error {
|
||||
prefix, _ := ipNet.Mask.Size()
|
||||
ipStr := fmt.Sprintf("%s/%d", ip.String(), prefix)
|
||||
|
||||
cmd := exec.Command("ifconfig", interfaceName, "inet", ipStr, ip.String(), "alias")
|
||||
cmd := exec.Command("/sbin/ifconfig", interfaceName, "inet", ipStr, ip.String(), "alias")
|
||||
logger.Info("Running command: %v", cmd)
|
||||
|
||||
out, err := cmd.CombinedOutput()
|
||||
@@ -125,7 +129,7 @@ func configureDarwin(interfaceName string, ip net.IP, ipNet *net.IPNet) error {
|
||||
}
|
||||
|
||||
// Bring up the interface
|
||||
cmd = exec.Command("ifconfig", interfaceName, "up")
|
||||
cmd = exec.Command("/sbin/ifconfig", interfaceName, "up")
|
||||
logger.Info("Running command: %v", cmd)
|
||||
|
||||
out, err = cmd.CombinedOutput()
|
||||
|
||||
@@ -126,13 +126,14 @@ func LinuxRemoveRoute(destination string) error {
|
||||
|
||||
// addRouteForServerIP adds an OS-specific route for the server IP
|
||||
func AddRouteForServerIP(serverIP, interfaceName string) error {
|
||||
if err := AddRouteForNetworkConfig(serverIP); err != nil {
|
||||
return err
|
||||
}
|
||||
if interfaceName == "" {
|
||||
return nil
|
||||
}
|
||||
if runtime.GOOS == "darwin" {
|
||||
// TODO: does this also need to be ios?
|
||||
if runtime.GOOS == "darwin" { // macos requires routes for each peer to be added but this messes with other platforms
|
||||
if err := AddRouteForNetworkConfig(serverIP); err != nil {
|
||||
return err
|
||||
}
|
||||
return DarwinAddRoute(serverIP, "", interfaceName)
|
||||
}
|
||||
// else if runtime.GOOS == "windows" {
|
||||
@@ -145,13 +146,14 @@ func AddRouteForServerIP(serverIP, interfaceName string) error {
|
||||
|
||||
// removeRouteForServerIP removes an OS-specific route for the server IP
|
||||
func RemoveRouteForServerIP(serverIP string, interfaceName string) error {
|
||||
if err := RemoveRouteForNetworkConfig(serverIP); err != nil {
|
||||
return err
|
||||
}
|
||||
if interfaceName == "" {
|
||||
return nil
|
||||
}
|
||||
if runtime.GOOS == "darwin" {
|
||||
// TODO: does this also need to be ios?
|
||||
if runtime.GOOS == "darwin" { // macos requires routes for each peer to be added but this messes with other platforms
|
||||
if err := RemoveRouteForNetworkConfig(serverIP); err != nil {
|
||||
return err
|
||||
}
|
||||
return DarwinRemoveRoute(serverIP)
|
||||
}
|
||||
// else if runtime.GOOS == "windows" {
|
||||
@@ -217,21 +219,22 @@ func AddRoutes(remoteSubnets []string, interfaceName string) error {
|
||||
continue
|
||||
}
|
||||
|
||||
if runtime.GOOS == "darwin" {
|
||||
switch runtime.GOOS {
|
||||
case "darwin":
|
||||
if err := DarwinAddRoute(subnet, "", interfaceName); err != nil {
|
||||
logger.Error("Failed to add Darwin route for subnet %s: %v", subnet, err)
|
||||
return err
|
||||
}
|
||||
} else if runtime.GOOS == "windows" {
|
||||
case "windows":
|
||||
if err := WindowsAddRoute(subnet, "", interfaceName); err != nil {
|
||||
logger.Error("Failed to add Windows route for subnet %s: %v", subnet, err)
|
||||
return err
|
||||
}
|
||||
} else if runtime.GOOS == "linux" {
|
||||
case "linux":
|
||||
if err := LinuxAddRoute(subnet, "", interfaceName); err != nil {
|
||||
logger.Error("Failed to add Linux route for subnet %s: %v", subnet, err)
|
||||
return err
|
||||
}
|
||||
case "android", "ios":
|
||||
// Routes handled by the OS/VPN service
|
||||
continue
|
||||
}
|
||||
|
||||
logger.Info("Added route for remote subnet: %s", subnet)
|
||||
@@ -258,21 +261,22 @@ func RemoveRoutes(remoteSubnets []string) error {
|
||||
}
|
||||
|
||||
// Remove route based on operating system
|
||||
if runtime.GOOS == "darwin" {
|
||||
switch runtime.GOOS {
|
||||
case "darwin":
|
||||
if err := DarwinRemoveRoute(subnet); err != nil {
|
||||
logger.Error("Failed to remove Darwin route for subnet %s: %v", subnet, err)
|
||||
return err
|
||||
}
|
||||
} else if runtime.GOOS == "windows" {
|
||||
case "windows":
|
||||
if err := WindowsRemoveRoute(subnet); err != nil {
|
||||
logger.Error("Failed to remove Windows route for subnet %s: %v", subnet, err)
|
||||
return err
|
||||
}
|
||||
} else if runtime.GOOS == "linux" {
|
||||
case "linux":
|
||||
if err := LinuxRemoveRoute(subnet); err != nil {
|
||||
logger.Error("Failed to remove Linux route for subnet %s: %v", subnet, err)
|
||||
return err
|
||||
}
|
||||
case "android", "ios":
|
||||
// Routes handled by the OS/VPN service
|
||||
continue
|
||||
}
|
||||
|
||||
logger.Info("Removed route for remote subnet: %s", subnet)
|
||||
|
||||
@@ -115,7 +115,7 @@ func RemoveIPv4IncludedRoute(route IPv4Route) {
|
||||
if r == route {
|
||||
networkSettings.IPv4IncludedRoutes = append(routes[:i], routes[i+1:]...)
|
||||
logger.Info("Removed IPv4 included route: %+v", route)
|
||||
return
|
||||
break
|
||||
}
|
||||
}
|
||||
incrementor++
|
||||
|
||||
152
newt.iss
Normal file
152
newt.iss
Normal file
@@ -0,0 +1,152 @@
|
||||
; Script generated by the Inno Setup Script Wizard.
|
||||
; SEE THE DOCUMENTATION FOR DETAILS ON CREATING INNO SETUP SCRIPT FILES!
|
||||
|
||||
#define MyAppName "newt"
|
||||
#define MyAppVersion "1.0.0"
|
||||
#define MyAppPublisher "Fossorial Inc."
|
||||
#define MyAppURL "https://pangolin.net"
|
||||
#define MyAppExeName "newt.exe"
|
||||
|
||||
[Setup]
|
||||
; NOTE: The value of AppId uniquely identifies this application. Do not use the same AppId value in installers for other applications.
|
||||
; (To generate a new GUID, click Tools | Generate GUID inside the IDE.)
|
||||
AppId={{25A1E3C4-F273-4334-8DF3-47408E83012D}
|
||||
AppName={#MyAppName}
|
||||
AppVersion={#MyAppVersion}
|
||||
;AppVerName={#MyAppName} {#MyAppVersion}
|
||||
AppPublisher={#MyAppPublisher}
|
||||
AppPublisherURL={#MyAppURL}
|
||||
AppSupportURL={#MyAppURL}
|
||||
AppUpdatesURL={#MyAppURL}
|
||||
DefaultDirName={autopf}\{#MyAppName}
|
||||
UninstallDisplayIcon={app}\{#MyAppExeName}
|
||||
; "ArchitecturesAllowed=x64compatible" specifies that Setup cannot run
|
||||
; on anything but x64 and Windows 11 on Arm.
|
||||
ArchitecturesAllowed=x64compatible
|
||||
; "ArchitecturesInstallIn64BitMode=x64compatible" requests that the
|
||||
; install be done in "64-bit mode" on x64 or Windows 11 on Arm,
|
||||
; meaning it should use the native 64-bit Program Files directory and
|
||||
; the 64-bit view of the registry.
|
||||
ArchitecturesInstallIn64BitMode=x64compatible
|
||||
DefaultGroupName={#MyAppName}
|
||||
DisableProgramGroupPage=yes
|
||||
; Uncomment the following line to run in non administrative install mode (install for current user only).
|
||||
;PrivilegesRequired=lowest
|
||||
OutputBaseFilename=newt_windows_installer
|
||||
SolidCompression=yes
|
||||
WizardStyle=modern
|
||||
; Add this to ensure PATH changes are applied and the system is prompted for a restart if needed
|
||||
RestartIfNeededByRun=no
|
||||
ChangesEnvironment=true
|
||||
|
||||
[Languages]
|
||||
Name: "english"; MessagesFile: "compiler:Default.isl"
|
||||
|
||||
[Files]
|
||||
; The 'DestName' flag ensures that 'newt_windows_amd64.exe' is installed as 'newt.exe'
|
||||
Source: "Z:\newt_windows_amd64.exe"; DestDir: "{app}"; DestName: "{#MyAppExeName}"; Flags: ignoreversion
|
||||
Source: "Z:\wintun.dll"; DestDir: "{app}"; Flags: ignoreversion
|
||||
; NOTE: Don't use "Flags: ignoreversion" on any shared system files
|
||||
|
||||
[Icons]
|
||||
Name: "{group}\{#MyAppName}"; Filename: "{app}\{#MyAppExeName}"
|
||||
|
||||
[Registry]
|
||||
; Add the application's installation directory to the system PATH environment variable.
|
||||
; HKLM (HKEY_LOCAL_MACHINE) is used for system-wide changes.
|
||||
; The 'Path' variable is located under 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'.
|
||||
; ValueType: expandsz allows for environment variables (like %ProgramFiles%) in the path.
|
||||
; ValueData: "{olddata};{app}" appends the current application directory to the existing PATH.
|
||||
; Note: Removal during uninstallation is handled by CurUninstallStepChanged procedure in [Code] section.
|
||||
; Check: NeedsAddPath ensures this is applied only if the path is not already present.
|
||||
[Registry]
|
||||
; Add the application's installation directory to the system PATH.
|
||||
Root: HKLM; Subkey: "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"; \
|
||||
ValueType: expandsz; ValueName: "Path"; ValueData: "{olddata};{app}"; \
|
||||
Check: NeedsAddPath(ExpandConstant('{app}'))
|
||||
|
||||
[Code]
|
||||
function NeedsAddPath(Path: string): boolean;
|
||||
var
|
||||
OrigPath: string;
|
||||
begin
|
||||
if not RegQueryStringValue(HKEY_LOCAL_MACHINE,
|
||||
'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
|
||||
'Path', OrigPath)
|
||||
then begin
|
||||
// Path variable doesn't exist at all, so we definitely need to add it.
|
||||
Result := True;
|
||||
exit;
|
||||
end;
|
||||
|
||||
// Perform a case-insensitive check to see if the path is already present.
|
||||
// We add semicolons to prevent partial matches (e.g., matching C:\App in C:\App2).
|
||||
if Pos(';' + UpperCase(Path) + ';', ';' + UpperCase(OrigPath) + ';') > 0 then
|
||||
Result := False
|
||||
else
|
||||
Result := True;
|
||||
end;
|
||||
|
||||
procedure RemovePathEntry(PathToRemove: string);
|
||||
var
|
||||
OrigPath: string;
|
||||
NewPath: string;
|
||||
PathList: TStringList;
|
||||
I: Integer;
|
||||
begin
|
||||
if not RegQueryStringValue(HKEY_LOCAL_MACHINE,
|
||||
'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
|
||||
'Path', OrigPath)
|
||||
then begin
|
||||
// Path variable doesn't exist, nothing to remove
|
||||
exit;
|
||||
end;
|
||||
|
||||
// Create a string list to parse the PATH entries
|
||||
PathList := TStringList.Create;
|
||||
try
|
||||
// Split the PATH by semicolons
|
||||
PathList.Delimiter := ';';
|
||||
PathList.StrictDelimiter := True;
|
||||
PathList.DelimitedText := OrigPath;
|
||||
|
||||
// Find and remove the matching entry (case-insensitive)
|
||||
for I := PathList.Count - 1 downto 0 do
|
||||
begin
|
||||
if CompareText(Trim(PathList[I]), Trim(PathToRemove)) = 0 then
|
||||
begin
|
||||
Log('Found and removing PATH entry: ' + PathList[I]);
|
||||
PathList.Delete(I);
|
||||
end;
|
||||
end;
|
||||
|
||||
// Reconstruct the PATH
|
||||
NewPath := PathList.DelimitedText;
|
||||
|
||||
// Write the new PATH back to the registry
|
||||
if RegWriteExpandStringValue(HKEY_LOCAL_MACHINE,
|
||||
'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
|
||||
'Path', NewPath)
|
||||
then
|
||||
Log('Successfully removed path entry: ' + PathToRemove)
|
||||
else
|
||||
Log('Failed to write modified PATH to registry');
|
||||
finally
|
||||
PathList.Free;
|
||||
end;
|
||||
end;
|
||||
|
||||
procedure CurUninstallStepChanged(CurUninstallStep: TUninstallStep);
|
||||
var
|
||||
AppPath: string;
|
||||
begin
|
||||
if CurUninstallStep = usUninstall then
|
||||
begin
|
||||
// Get the application installation path
|
||||
AppPath := ExpandConstant('{app}');
|
||||
Log('Removing PATH entry for: ' + AppPath);
|
||||
|
||||
// Remove only our path entry from the system PATH
|
||||
RemovePathEntry(AppPath);
|
||||
end;
|
||||
end;
|
||||
3
packages/advantech/.gitignore
vendored
Normal file
3
packages/advantech/.gitignore
vendored
Normal file
@@ -0,0 +1,3 @@
|
||||
.build
|
||||
*.tgz
|
||||
bin
|
||||
54
packages/advantech/Makefile
Normal file
54
packages/advantech/Makefile
Normal file
@@ -0,0 +1,54 @@
|
||||
MODNAME := newt
|
||||
VERSION := 1.12.5
|
||||
RELEASE_URL := https://github.com/fosrl/newt/releases/download/$(VERSION)
|
||||
PLATFORM ?= v4
|
||||
|
||||
# Map Advantech platform to newt release binary name
|
||||
arch_v4 := arm64
|
||||
arch_v4i := arm64
|
||||
arch_v3 := arm32
|
||||
arch_v2 := arm32
|
||||
arch_v2i := arm32
|
||||
|
||||
NEWT_ARCH := $(arch_$(PLATFORM))
|
||||
ifeq ($(NEWT_ARCH),)
|
||||
$(error Unknown platform '$(PLATFORM)'. Supported: v4, v4i, v3, v2, v2i)
|
||||
endif
|
||||
|
||||
BINARY := newt_linux_$(NEWT_ARCH)
|
||||
BINDIR := bin
|
||||
OUTFILE := $(MODNAME).$(PLATFORM).tgz
|
||||
STAGEDIR := .build/$(MODNAME)
|
||||
|
||||
.PHONY: all clean
|
||||
|
||||
all: $(OUTFILE)
|
||||
|
||||
# Cache the downloaded binary in bin/ (re-download only if missing)
|
||||
$(BINDIR)/$(BINARY):
|
||||
mkdir -p $(BINDIR)
|
||||
@echo "Downloading $(BINARY) $(VERSION) for platform $(PLATFORM)..."
|
||||
wget -q -O $@ "$(RELEASE_URL)/$(BINARY)" 2>/dev/null || \
|
||||
curl -fsSL -o $@ "$(RELEASE_URL)/$(BINARY)"
|
||||
chmod +x $@
|
||||
@echo "Binary ready: $@"
|
||||
|
||||
# Build the package
|
||||
$(OUTFILE): $(BINDIR)/$(BINARY) $(shell find merge -type f 2>/dev/null)
|
||||
@rm -rf $(STAGEDIR)
|
||||
@mkdir -p $(STAGEDIR)/bin
|
||||
@cp $(BINDIR)/$(BINARY) $(STAGEDIR)/bin/newt
|
||||
@chmod +x $(STAGEDIR)/bin/newt
|
||||
@cp -r merge/. $(STAGEDIR)/
|
||||
@chmod +x \
|
||||
$(STAGEDIR)/etc/init \
|
||||
$(STAGEDIR)/etc/install \
|
||||
$(STAGEDIR)/etc/uninstall \
|
||||
$(STAGEDIR)/www/index.cgi
|
||||
tar -c --owner=0 --group=0 --mtime="2001-01-01 UTC" \
|
||||
-C .build $(MODNAME) | gzip -n > $@
|
||||
@echo "Created: $@"
|
||||
|
||||
clean:
|
||||
rm -rf .build $(MODNAME).*.tgz
|
||||
@echo "Cleaned."
|
||||
61
packages/advantech/merge/etc/defaults
Normal file
61
packages/advantech/merge/etc/defaults
Normal file
@@ -0,0 +1,61 @@
|
||||
MOD_PANGOLIN_SITE_ENABLED=0
|
||||
MOD_PANGOLIN_SITE_ENDPOINT=
|
||||
MOD_PANGOLIN_SITE_ID=
|
||||
MOD_PANGOLIN_SITE_SECRET=
|
||||
|
||||
# Core networking
|
||||
MOD_PANGOLIN_SITE_MTU=
|
||||
MOD_PANGOLIN_SITE_DNS=
|
||||
MOD_PANGOLIN_SITE_INTERFACE=
|
||||
MOD_PANGOLIN_SITE_PORT=
|
||||
MOD_PANGOLIN_SITE_UPDOWN_SCRIPT=
|
||||
MOD_PANGOLIN_SITE_PREFER_ENDPOINT=
|
||||
|
||||
# Logging
|
||||
MOD_PANGOLIN_SITE_LOG_LEVEL=
|
||||
|
||||
# Behavior toggles (true/false)
|
||||
MOD_PANGOLIN_SITE_DISABLE_CLIENTS=
|
||||
MOD_PANGOLIN_SITE_USE_NATIVE_INTERFACE=
|
||||
MOD_PANGOLIN_SITE_ENFORCE_HC_CERT=
|
||||
MOD_PANGOLIN_SITE_NO_CLOUD=
|
||||
|
||||
# Timers
|
||||
MOD_PANGOLIN_SITE_PING_INTERVAL=
|
||||
MOD_PANGOLIN_SITE_PING_TIMEOUT=
|
||||
MOD_PANGOLIN_SITE_UDP_PROXY_IDLE_TIMEOUT=
|
||||
|
||||
# Docker integration
|
||||
MOD_PANGOLIN_SITE_DOCKER_SOCKET=
|
||||
MOD_PANGOLIN_SITE_DOCKER_ENFORCE_NETWORK_VALIDATION=
|
||||
|
||||
# Health / files
|
||||
MOD_PANGOLIN_SITE_HEALTH_FILE=
|
||||
MOD_PANGOLIN_SITE_BLUEPRINT_FILE=
|
||||
MOD_PANGOLIN_SITE_PROVISIONING_BLUEPRINT_FILE=
|
||||
MOD_PANGOLIN_SITE_CONFIG_FILE=
|
||||
|
||||
# Provisioning
|
||||
MOD_PANGOLIN_SITE_PROVISIONING_KEY=
|
||||
MOD_PANGOLIN_SITE_NAME=
|
||||
|
||||
# Auth daemon
|
||||
MOD_PANGOLIN_SITE_AUTH_DAEMON_ENABLED=
|
||||
MOD_PANGOLIN_SITE_AD_GENERATE_RANDOM_PASSWORD=
|
||||
MOD_PANGOLIN_SITE_AD_KEY=
|
||||
MOD_PANGOLIN_SITE_AD_PRINCIPALS_FILE=
|
||||
MOD_PANGOLIN_SITE_AD_CA_CERT_PATH=
|
||||
|
||||
# Metrics / observability
|
||||
MOD_PANGOLIN_SITE_METRICS_PROMETHEUS_ENABLED=
|
||||
MOD_PANGOLIN_SITE_METRICS_OTLP_ENABLED=
|
||||
MOD_PANGOLIN_SITE_ADMIN_ADDR=
|
||||
MOD_PANGOLIN_SITE_REGION=
|
||||
MOD_PANGOLIN_SITE_METRICS_ASYNC_BYTES=
|
||||
MOD_PANGOLIN_SITE_PPROF_ENABLED=
|
||||
|
||||
# mTLS
|
||||
MOD_PANGOLIN_SITE_TLS_CLIENT_CERT=
|
||||
MOD_PANGOLIN_SITE_TLS_CLIENT_KEY=
|
||||
MOD_PANGOLIN_SITE_TLS_CLIENT_CAS=
|
||||
MOD_PANGOLIN_SITE_TLS_CLIENT_CERT_PKCS12=
|
||||
4
packages/advantech/merge/etc/description
Normal file
4
packages/advantech/merge/etc/description
Normal file
@@ -0,0 +1,4 @@
|
||||
Pangolin Site (newt) is a WireGuard-based tunnel client that connects this router to a
|
||||
Pangolin server, enabling secure remote access to local resources without opening
|
||||
firewall ports. Configure the server endpoint, ID, and secret via the web
|
||||
interface to establish the tunnel automatically on startup.
|
||||
124
packages/advantech/merge/etc/init
Normal file
124
packages/advantech/merge/etc/init
Normal file
@@ -0,0 +1,124 @@
|
||||
#!/bin/sh
|
||||
|
||||
MODNAME=newt
|
||||
PIDFILE=/tmp/newt.pid
|
||||
LOGFILE=/tmp/newt.log
|
||||
|
||||
set_setting_raw() {
|
||||
key="$1"
|
||||
value="$2"
|
||||
[ -f "/opt/$MODNAME/etc/settings" ] || cp "/opt/$MODNAME/etc/defaults" "/opt/$MODNAME/etc/settings" 2>/dev/null
|
||||
awk -v k="$key" -v v="$value" '
|
||||
BEGIN { done=0 }
|
||||
index($0, k "=") == 1 { print k "=" v; done=1; next }
|
||||
{ print }
|
||||
END { if (!done) print k "=" v }
|
||||
' "/opt/$MODNAME/etc/settings" > "/tmp/${MODNAME}.settings.tmp" && mv "/tmp/${MODNAME}.settings.tmp" "/opt/$MODNAME/etc/settings"
|
||||
}
|
||||
|
||||
/usr/bin/logger -t $MODNAME "DEBUG: $0 $@"
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
. /opt/$MODNAME/etc/settings
|
||||
if [ "$MOD_PANGOLIN_SITE_ENABLED" != "1" ]; then
|
||||
echo "$MODNAME is disabled in settings, skipping start"
|
||||
exit 0
|
||||
fi
|
||||
if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE" 2>/dev/null)" 2>/dev/null; then
|
||||
echo "$MODNAME is already running (PID: $(cat "$PIDFILE"))"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Starting newt implies enable at boot.
|
||||
set_setting_raw "MOD_PANGOLIN_SITE_ENABLED" "1"
|
||||
|
||||
# Map module settings to Newt environment variables.
|
||||
[ -n "$MOD_PANGOLIN_SITE_ENDPOINT" ] && export PANGOLIN_ENDPOINT="$MOD_PANGOLIN_SITE_ENDPOINT"
|
||||
[ -n "$MOD_PANGOLIN_SITE_ID" ] && export NEWT_ID="$MOD_PANGOLIN_SITE_ID"
|
||||
[ -n "$MOD_PANGOLIN_SITE_SECRET" ] && export NEWT_SECRET="$MOD_PANGOLIN_SITE_SECRET"
|
||||
[ -n "$MOD_PANGOLIN_SITE_MTU" ] && export MTU="$MOD_PANGOLIN_SITE_MTU"
|
||||
[ -n "$MOD_PANGOLIN_SITE_DNS" ] && export DNS="$MOD_PANGOLIN_SITE_DNS"
|
||||
[ -n "$MOD_PANGOLIN_SITE_LOG_LEVEL" ] && export LOG_LEVEL="$MOD_PANGOLIN_SITE_LOG_LEVEL"
|
||||
[ -n "$MOD_PANGOLIN_SITE_UPDOWN_SCRIPT" ] && export UPDOWN_SCRIPT="$MOD_PANGOLIN_SITE_UPDOWN_SCRIPT"
|
||||
[ -n "$MOD_PANGOLIN_SITE_INTERFACE" ] && export INTERFACE="$MOD_PANGOLIN_SITE_INTERFACE"
|
||||
[ -n "$MOD_PANGOLIN_SITE_PORT" ] && export PORT="$MOD_PANGOLIN_SITE_PORT"
|
||||
[ -n "$MOD_PANGOLIN_SITE_DISABLE_CLIENTS" ] && export DISABLE_CLIENTS="$MOD_PANGOLIN_SITE_DISABLE_CLIENTS"
|
||||
[ -n "$MOD_PANGOLIN_SITE_USE_NATIVE_INTERFACE" ] && export USE_NATIVE_INTERFACE="$MOD_PANGOLIN_SITE_USE_NATIVE_INTERFACE"
|
||||
[ -n "$MOD_PANGOLIN_SITE_ENFORCE_HC_CERT" ] && export ENFORCE_HC_CERT="$MOD_PANGOLIN_SITE_ENFORCE_HC_CERT"
|
||||
[ -n "$MOD_PANGOLIN_SITE_DOCKER_SOCKET" ] && export DOCKER_SOCKET="$MOD_PANGOLIN_SITE_DOCKER_SOCKET"
|
||||
[ -n "$MOD_PANGOLIN_SITE_PING_INTERVAL" ] && export PING_INTERVAL="$MOD_PANGOLIN_SITE_PING_INTERVAL"
|
||||
[ -n "$MOD_PANGOLIN_SITE_PING_TIMEOUT" ] && export PING_TIMEOUT="$MOD_PANGOLIN_SITE_PING_TIMEOUT"
|
||||
[ -n "$MOD_PANGOLIN_SITE_UDP_PROXY_IDLE_TIMEOUT" ] && export NEWT_UDP_PROXY_IDLE_TIMEOUT="$MOD_PANGOLIN_SITE_UDP_PROXY_IDLE_TIMEOUT"
|
||||
[ -n "$MOD_PANGOLIN_SITE_DOCKER_ENFORCE_NETWORK_VALIDATION" ] && export DOCKER_ENFORCE_NETWORK_VALIDATION="$MOD_PANGOLIN_SITE_DOCKER_ENFORCE_NETWORK_VALIDATION"
|
||||
[ -n "$MOD_PANGOLIN_SITE_HEALTH_FILE" ] && export HEALTH_FILE="$MOD_PANGOLIN_SITE_HEALTH_FILE"
|
||||
[ -n "$MOD_PANGOLIN_SITE_AUTH_DAEMON_ENABLED" ] && export AUTH_DAEMON_ENABLED="$MOD_PANGOLIN_SITE_AUTH_DAEMON_ENABLED"
|
||||
[ -n "$MOD_PANGOLIN_SITE_AD_GENERATE_RANDOM_PASSWORD" ] && export AD_GENERATE_RANDOM_PASSWORD="$MOD_PANGOLIN_SITE_AD_GENERATE_RANDOM_PASSWORD"
|
||||
[ -n "$MOD_PANGOLIN_SITE_AD_KEY" ] && export AD_KEY="$MOD_PANGOLIN_SITE_AD_KEY"
|
||||
[ -n "$MOD_PANGOLIN_SITE_AD_PRINCIPALS_FILE" ] && export AD_PRINCIPALS_FILE="$MOD_PANGOLIN_SITE_AD_PRINCIPALS_FILE"
|
||||
[ -n "$MOD_PANGOLIN_SITE_AD_CA_CERT_PATH" ] && export AD_CA_CERT_PATH="$MOD_PANGOLIN_SITE_AD_CA_CERT_PATH"
|
||||
[ -n "$MOD_PANGOLIN_SITE_METRICS_PROMETHEUS_ENABLED" ] && export NEWT_METRICS_PROMETHEUS_ENABLED="$MOD_PANGOLIN_SITE_METRICS_PROMETHEUS_ENABLED"
|
||||
[ -n "$MOD_PANGOLIN_SITE_METRICS_OTLP_ENABLED" ] && export NEWT_METRICS_OTLP_ENABLED="$MOD_PANGOLIN_SITE_METRICS_OTLP_ENABLED"
|
||||
[ -n "$MOD_PANGOLIN_SITE_ADMIN_ADDR" ] && export NEWT_ADMIN_ADDR="$MOD_PANGOLIN_SITE_ADMIN_ADDR"
|
||||
[ -n "$MOD_PANGOLIN_SITE_REGION" ] && export NEWT_REGION="$MOD_PANGOLIN_SITE_REGION"
|
||||
[ -n "$MOD_PANGOLIN_SITE_METRICS_ASYNC_BYTES" ] && export NEWT_METRICS_ASYNC_BYTES="$MOD_PANGOLIN_SITE_METRICS_ASYNC_BYTES"
|
||||
[ -n "$MOD_PANGOLIN_SITE_PPROF_ENABLED" ] && export NEWT_PPROF_ENABLED="$MOD_PANGOLIN_SITE_PPROF_ENABLED"
|
||||
[ -n "$MOD_PANGOLIN_SITE_TLS_CLIENT_CERT" ] && export TLS_CLIENT_CERT="$MOD_PANGOLIN_SITE_TLS_CLIENT_CERT"
|
||||
[ -n "$MOD_PANGOLIN_SITE_TLS_CLIENT_KEY" ] && export TLS_CLIENT_KEY="$MOD_PANGOLIN_SITE_TLS_CLIENT_KEY"
|
||||
[ -n "$MOD_PANGOLIN_SITE_TLS_CLIENT_CAS" ] && export TLS_CLIENT_CAS="$MOD_PANGOLIN_SITE_TLS_CLIENT_CAS"
|
||||
[ -n "$MOD_PANGOLIN_SITE_TLS_CLIENT_CERT_PKCS12" ] && export TLS_CLIENT_CERT_PKCS12="$MOD_PANGOLIN_SITE_TLS_CLIENT_CERT_PKCS12"
|
||||
[ -n "$MOD_PANGOLIN_SITE_BLUEPRINT_FILE" ] && export BLUEPRINT_FILE="$MOD_PANGOLIN_SITE_BLUEPRINT_FILE"
|
||||
[ -n "$MOD_PANGOLIN_SITE_PROVISIONING_BLUEPRINT_FILE" ] && export PROVISIONING_BLUEPRINT_FILE="$MOD_PANGOLIN_SITE_PROVISIONING_BLUEPRINT_FILE"
|
||||
[ -n "$MOD_PANGOLIN_SITE_NO_CLOUD" ] && export NO_CLOUD="$MOD_PANGOLIN_SITE_NO_CLOUD"
|
||||
[ -n "$MOD_PANGOLIN_SITE_PROVISIONING_KEY" ] && export NEWT_PROVISIONING_KEY="$MOD_PANGOLIN_SITE_PROVISIONING_KEY"
|
||||
[ -n "$MOD_PANGOLIN_SITE_NAME" ] && export NEWT_NAME="$MOD_PANGOLIN_SITE_NAME"
|
||||
[ -n "$MOD_PANGOLIN_SITE_CONFIG_FILE" ] && export CONFIG_FILE="$MOD_PANGOLIN_SITE_CONFIG_FILE"
|
||||
|
||||
export NEWT_SYSTEM_SUBSTRATE="ADVANTECH_ROUTER_APP"
|
||||
export NEWT_PID_FILE="$PIDFILE"
|
||||
|
||||
echo "Starting $MODNAME..."
|
||||
if [ -n "$MOD_PANGOLIN_SITE_PREFER_ENDPOINT" ]; then
|
||||
/opt/$MODNAME/bin/newt --prefer-endpoint "$MOD_PANGOLIN_SITE_PREFER_ENDPOINT" >> "$LOGFILE" 2>&1 &
|
||||
else
|
||||
/opt/$MODNAME/bin/newt >> "$LOGFILE" 2>&1 &
|
||||
fi
|
||||
echo $! > "$PIDFILE"
|
||||
echo "Started $MODNAME (PID: $(cat "$PIDFILE"))"
|
||||
exit 0
|
||||
;;
|
||||
stop)
|
||||
echo "Stopping $MODNAME..."
|
||||
if [ -f "$PIDFILE" ]; then
|
||||
kill "$(cat "$PIDFILE" 2>/dev/null)" 2>/dev/null
|
||||
rm -f "$PIDFILE"
|
||||
fi
|
||||
killall newt 2>/dev/null
|
||||
# Stopping newt implies disable at boot.
|
||||
set_setting_raw "MOD_PANGOLIN_SITE_ENABLED" "0"
|
||||
echo "Stopped $MODNAME"
|
||||
exit 0
|
||||
;;
|
||||
restart)
|
||||
$0 stop
|
||||
sleep 1
|
||||
# Restart should remain enabled after reboot.
|
||||
set_setting_raw "MOD_PANGOLIN_SITE_ENABLED" "1"
|
||||
$0 start
|
||||
;;
|
||||
status)
|
||||
if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE" 2>/dev/null)" 2>/dev/null; then
|
||||
echo "$MODNAME is running (PID: $(cat "$PIDFILE"))"
|
||||
exit 0
|
||||
else
|
||||
echo "$MODNAME is not running"
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
defaults)
|
||||
cp /opt/$MODNAME/etc/defaults /opt/$MODNAME/etc/settings 2>/dev/null
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart|status|defaults}"
|
||||
exit 1
|
||||
esac
|
||||
15
packages/advantech/merge/etc/install
Normal file
15
packages/advantech/merge/etc/install
Normal file
@@ -0,0 +1,15 @@
|
||||
#!/bin/sh
|
||||
|
||||
MODNAME=newt
|
||||
|
||||
# Ensure scripts are executable
|
||||
chmod +x /opt/$MODNAME/etc/init
|
||||
chmod +x /opt/$MODNAME/etc/install
|
||||
chmod +x /opt/$MODNAME/etc/uninstall
|
||||
chmod +x /opt/$MODNAME/bin/newt
|
||||
chmod +x /opt/$MODNAME/www/index.cgi
|
||||
|
||||
# Secure the web interface with router authentication
|
||||
ln -sf /etc/htpasswd /opt/$MODNAME/www/.htpasswd
|
||||
|
||||
exit 0
|
||||
1
packages/advantech/merge/etc/name
Normal file
1
packages/advantech/merge/etc/name
Normal file
@@ -0,0 +1 @@
|
||||
Pangolin Site
|
||||
1
packages/advantech/merge/etc/summary
Normal file
1
packages/advantech/merge/etc/summary
Normal file
@@ -0,0 +1 @@
|
||||
Tunnel client for Pangolin secure remote access.
|
||||
9
packages/advantech/merge/etc/uninstall
Normal file
9
packages/advantech/merge/etc/uninstall
Normal file
@@ -0,0 +1,9 @@
|
||||
#!/bin/sh
|
||||
|
||||
MODNAME=newt
|
||||
|
||||
rm -f /opt/$MODNAME/www/.htpasswd
|
||||
rm -f /tmp/newt.pid
|
||||
rm -f /tmp/newt.log
|
||||
|
||||
exit 0
|
||||
1
packages/advantech/merge/etc/version
Normal file
1
packages/advantech/merge/etc/version
Normal file
@@ -0,0 +1 @@
|
||||
1.12.5
|
||||
282
packages/advantech/merge/www/index.cgi
Normal file
282
packages/advantech/merge/www/index.cgi
Normal file
@@ -0,0 +1,282 @@
|
||||
#!/bin/sh
|
||||
|
||||
MODNAME=newt
|
||||
SETTINGS=/opt/$MODNAME/etc/settings
|
||||
LOGFILE=/tmp/newt.log
|
||||
PIDFILE=/tmp/newt.pid
|
||||
|
||||
# Escape special HTML characters
|
||||
htmlesc() {
|
||||
printf '%s' "$1" | sed \
|
||||
-e 's/&/\&/g' \
|
||||
-e 's/</\</g' \
|
||||
-e 's/>/\>/g' \
|
||||
-e 's/"/\"/g'
|
||||
}
|
||||
|
||||
# Decode URL-encoded form values (handles common chars in endpoints/ids/secrets)
|
||||
urldecode() {
|
||||
printf '%s' "$1" | sed \
|
||||
-e 's/+/ /g' \
|
||||
-e 's/%3[Aa]/:/g' -e 's/%3[aa]/:/g' \
|
||||
-e 's/%2[Ff]/\//g' -e 's/%2[ff]/\//g' \
|
||||
-e 's/%40/@/g' \
|
||||
-e 's/%2[Ee]/./g' \
|
||||
-e 's/%2[Dd]/-/g' \
|
||||
-e 's/%5[Ff]/_/g' \
|
||||
-e 's/%3[Dd]/=/g' \
|
||||
-e 's/%3[Ff]/?/g' \
|
||||
-e 's/%23/#/g' \
|
||||
-e 's/%25/%/g'
|
||||
}
|
||||
|
||||
# Extract a named field from URL-encoded POST data (awk splits on & without tr)
|
||||
get_field() {
|
||||
printf '%s' "$2" | awk -v f="${1}=" 'BEGIN{RS="&"} index($0,f)==1 {print substr($0,length(f)+1); exit}'
|
||||
}
|
||||
|
||||
# Check whether newt process is alive
|
||||
is_running() {
|
||||
[ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE" 2>/dev/null)" 2>/dev/null
|
||||
}
|
||||
|
||||
ensure_settings_file() {
|
||||
[ -f "$SETTINGS" ] && return
|
||||
if [ -f "/opt/$MODNAME/etc/defaults" ]; then
|
||||
cp "/opt/$MODNAME/etc/defaults" "$SETTINGS" 2>/dev/null
|
||||
else
|
||||
printf 'MOD_PANGOLIN_SITE_ENABLED=0\n' > "$SETTINGS"
|
||||
fi
|
||||
}
|
||||
|
||||
set_setting_raw() {
|
||||
key="$1"
|
||||
value="$2"
|
||||
ensure_settings_file
|
||||
awk -v k="$key" -v v="$value" '
|
||||
BEGIN { done=0 }
|
||||
index($0, k "=") == 1 { print k "=" v; done=1; next }
|
||||
{ print }
|
||||
END { if (!done) print k "=" v }
|
||||
' "$SETTINGS" > "$SETTINGS.tmp" && mv "$SETTINGS.tmp" "$SETTINGS"
|
||||
}
|
||||
|
||||
quote_sh_value() {
|
||||
printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
|
||||
}
|
||||
|
||||
# ── Read POST body ──────────────────────────────────────────────────────────
|
||||
POST_DATA=""
|
||||
if [ "$REQUEST_METHOD" = "POST" ] && [ -n "$CONTENT_LENGTH" ] && [ "$CONTENT_LENGTH" -gt 0 ] 2>/dev/null; then
|
||||
POST_DATA=$(dd bs="$CONTENT_LENGTH" count=1 2>/dev/null)
|
||||
fi
|
||||
|
||||
# ── Load current settings ───────────────────────────────────────────────────
|
||||
MOD_PANGOLIN_SITE_ENABLED=0
|
||||
MOD_PANGOLIN_SITE_ENDPOINT=""
|
||||
MOD_PANGOLIN_SITE_ID=""
|
||||
MOD_PANGOLIN_SITE_SECRET=""
|
||||
[ -f "$SETTINGS" ] && . "$SETTINGS"
|
||||
|
||||
# ── Handle actions ──────────────────────────────────────────────────────────
|
||||
if [ -n "$POST_DATA" ]; then
|
||||
ACTION=$(get_field "action" "$POST_DATA")
|
||||
case "$ACTION" in
|
||||
save)
|
||||
EP=$(urldecode "$(get_field "endpoint" "$POST_DATA")")
|
||||
ID=$(urldecode "$(get_field "id" "$POST_DATA")")
|
||||
SEC=$(urldecode "$(get_field "secret" "$POST_DATA")")
|
||||
set_setting_raw "MOD_PANGOLIN_SITE_ENDPOINT" "\"$(quote_sh_value "$EP")\""
|
||||
set_setting_raw "MOD_PANGOLIN_SITE_ID" "\"$(quote_sh_value "$ID")\""
|
||||
set_setting_raw "MOD_PANGOLIN_SITE_SECRET" "\"$(quote_sh_value "$SEC")\""
|
||||
;;
|
||||
start)
|
||||
set_setting_raw "MOD_PANGOLIN_SITE_ENABLED" "1"
|
||||
/opt/$MODNAME/etc/init start >/dev/null 2>&1
|
||||
;;
|
||||
stop)
|
||||
/opt/$MODNAME/etc/init stop >/dev/null 2>&1
|
||||
set_setting_raw "MOD_PANGOLIN_SITE_ENABLED" "0"
|
||||
;;
|
||||
restart)
|
||||
set_setting_raw "MOD_PANGOLIN_SITE_ENABLED" "1"
|
||||
/opt/$MODNAME/etc/init restart >/dev/null 2>&1
|
||||
;;
|
||||
clearlog)
|
||||
printf '' > "$LOGFILE"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
# Reload settings after actions.
|
||||
MOD_PANGOLIN_SITE_ENABLED=0
|
||||
MOD_PANGOLIN_SITE_ENDPOINT=""
|
||||
MOD_PANGOLIN_SITE_ID=""
|
||||
MOD_PANGOLIN_SITE_SECRET=""
|
||||
[ -f "$SETTINGS" ] && . "$SETTINGS"
|
||||
|
||||
# ── Status ──────────────────────────────────────────────────────────────────
|
||||
if is_running; then
|
||||
STATUS_TEXT="Running"
|
||||
STATUS_CLASS="running"
|
||||
DISABLED="disabled"
|
||||
SETTINGS_HINT='<div class="notice">Stop Newt first to edit settings.</div>'
|
||||
else
|
||||
STATUS_TEXT="Stopped"
|
||||
STATUS_CLASS="stopped"
|
||||
DISABLED=""
|
||||
SETTINGS_HINT=""
|
||||
fi
|
||||
|
||||
EP_ESC=$(htmlesc "$MOD_PANGOLIN_SITE_ENDPOINT")
|
||||
ID_ESC=$(htmlesc "$MOD_PANGOLIN_SITE_ID")
|
||||
SEC_ESC=$(htmlesc "$MOD_PANGOLIN_SITE_SECRET")
|
||||
EP_INPUT_ESC="$EP_ESC"
|
||||
[ -z "$MOD_PANGOLIN_SITE_ENDPOINT" ] && EP_INPUT_ESC="https://app.pangolin.net"
|
||||
|
||||
# ── Log (escape HTML and dollar signs to prevent shell expansion in heredoc) ─
|
||||
LOG_HTML=""
|
||||
if [ -f "$LOGFILE" ]; then
|
||||
LOG_HTML=$(tail -100 "$LOGFILE" 2>/dev/null | sed \
|
||||
-e 's/&/\&/g' \
|
||||
-e 's/</\</g' \
|
||||
-e 's/>/\>/g' \
|
||||
-e 's/\$/\$/g')
|
||||
fi
|
||||
|
||||
# ── Output ──────────────────────────────────────────────────────────────────
|
||||
printf 'Content-type: text/html\r\n\r\n'
|
||||
|
||||
# Static head — split around the conditional refresh meta tag
|
||||
cat << 'HEAD_START'
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
HEAD_START
|
||||
|
||||
# Only auto-refresh while newt is running (avoids wiping settings form mid-edit)
|
||||
[ "$STATUS_CLASS" = "running" ] && printf '<meta http-equiv="refresh" content="10">\n'
|
||||
|
||||
cat << 'STATIC_HEAD'
|
||||
<title>Pangolin Site</title>
|
||||
<style>
|
||||
*{box-sizing:border-box}
|
||||
body{margin:0;padding:8px;border-top:3px solid #79BD28;background:#fff;color:#000}
|
||||
body,table,tr,td,a,input,select,textarea,button{font-family:Verdana,Arial,Helvetica,sans-serif;font-size:12px}
|
||||
a{color:#004280;text-decoration:none}
|
||||
a:hover{text-decoration:underline}
|
||||
.topline{display:flex;align-items:center;justify-content:space-between;gap:8px;flex-wrap:wrap;margin-bottom:6px}
|
||||
.app-title{background:#004280;color:#fff;font-weight:bold;padding:6px 8px;border:1px solid #00315f;border-bottom:none}
|
||||
.window{background:#f4f4f4;border:2px solid #004280;padding:0}
|
||||
.section{border-top:1px solid #9fb7d5}
|
||||
.section:first-child{border-top:none}
|
||||
.section-head{background:#c0e0ff;color:#000;font-weight:bold;padding:5px 8px;border-bottom:1px solid #9fb7d5;display:flex;align-items:center;justify-content:space-between;gap:8px;flex-wrap:wrap}
|
||||
.section-body{padding:10px 8px}
|
||||
.badge{display:inline-block;padding:2px 10px;border-radius:2px;color:#fff;font-weight:bold;line-height:1.4}
|
||||
.running{background:#008000}
|
||||
.stopped{background:#800000}
|
||||
.row{display:flex;align-items:center;gap:8px;margin:6px 0}
|
||||
.row label{width:90px;font-weight:bold}
|
||||
.row input{width:360px;max-width:100%;padding:2px 4px;border:1px solid #7f9db9;background:#fff;height:23px}
|
||||
.btn{height:24px;padding:0 10px;border:1px solid #7f9db9;background:#efefef;color:#000;cursor:pointer}
|
||||
.btn:disabled{color:#777;background:#e5e5e5}
|
||||
.btn + .btn{margin-left:6px}
|
||||
.btn-start{border-color:#2d7a2d;background:#dff0df}
|
||||
.btn-stop{border-color:#8a2c2c;background:#f7dddd}
|
||||
.btn-restart{border-color:#9a6a1f;background:#f7ecd8}
|
||||
.btn-save{border-color:#2e5f92;background:#dce9f8}
|
||||
.hint{color:#808080;font-weight:normal}
|
||||
.notice{margin:0 0 10px 0;color:#ff0000;font-style:italic}
|
||||
.log{background:#fff;border:1px solid #7f9db9;color:#000;font-family:monospace;font-size:12px;line-height:1.35;padding:6px;height:300px;overflow-y:auto;white-space:pre-wrap;word-break:break-word}
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="topline">
|
||||
<a href="/">« Back to Router</a>
|
||||
</div>
|
||||
<div class="app-title">Router Apps - Pangolin Site</div>
|
||||
<div class="window">
|
||||
STATIC_HEAD
|
||||
|
||||
# Status card (double-quoted heredoc — variables expand)
|
||||
cat << STATUS_CARD
|
||||
<div class="section">
|
||||
<div class="section-head">Status</div>
|
||||
<div class="section-body">
|
||||
<div><span class="badge ${STATUS_CLASS}">${STATUS_TEXT}</span></div>
|
||||
<div style="margin-top:8px">
|
||||
<form method="post" style="display:inline">
|
||||
<input type="hidden" name="action" value="start">
|
||||
<button class="btn btn-start" type="submit">Start</button>
|
||||
</form>
|
||||
<form method="post" style="display:inline">
|
||||
<input type="hidden" name="action" value="stop">
|
||||
<button class="btn btn-stop" type="submit">Stop</button>
|
||||
</form>
|
||||
<form method="post" style="display:inline">
|
||||
<input type="hidden" name="action" value="restart">
|
||||
<button class="btn btn-restart" type="submit">Restart</button>
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
STATUS_CARD
|
||||
|
||||
# Settings card
|
||||
cat << SETTINGS_CARD
|
||||
<div class="section">
|
||||
<div class="section-head">Settings</div>
|
||||
<div class="section-body">
|
||||
${SETTINGS_HINT}<form method="post">
|
||||
<input type="hidden" name="action" value="save">
|
||||
<div class="row">
|
||||
<label>Endpoint</label>
|
||||
<input type="text" name="endpoint" value="${EP_INPUT_ESC}" ${DISABLED}>
|
||||
</div>
|
||||
<div class="row">
|
||||
<label>ID</label>
|
||||
<input type="text" name="id" value="${ID_ESC}" ${DISABLED}>
|
||||
</div>
|
||||
<div class="row">
|
||||
<label>Secret</label>
|
||||
<input type="password" name="secret" value="${SEC_ESC}" ${DISABLED}>
|
||||
</div>
|
||||
<div style="margin-top:12px">
|
||||
<button class="btn btn-save" type="submit" ${DISABLED}>Save</button>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
SETTINGS_CARD
|
||||
|
||||
# Log card header
|
||||
cat << 'LOG_HEADER'
|
||||
<div class="section">
|
||||
<div class="section-head">
|
||||
<span>Log <span class="hint">(last 100 lines, auto-refreshes every 10s while running)</span></span>
|
||||
<span style="display:inline-flex;gap:6px">
|
||||
<form method="post" style="margin:0">
|
||||
<input type="hidden" name="action" value="clearlog">
|
||||
<button class="btn" type="submit">Clear Log</button>
|
||||
</form>
|
||||
<form method="get" style="margin:0">
|
||||
<button class="btn" type="submit">Refresh</button>
|
||||
</form>
|
||||
</span>
|
||||
</div>
|
||||
<div class="section-body">
|
||||
<div class="log">
|
||||
LOG_HEADER
|
||||
|
||||
# Log content — printed with printf to prevent any shell expansion
|
||||
printf '%s' "$LOG_HTML"
|
||||
|
||||
# Close tags (static)
|
||||
cat << 'STATIC_FOOTER'
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
STATIC_FOOTER
|
||||
0
packages/openwrt/.gitkeep
Normal file
0
packages/openwrt/.gitkeep
Normal file
0
packages/teltonika/.gitkeep
Normal file
0
packages/teltonika/.gitkeep
Normal file
156
proxy/manager.go
156
proxy/manager.go
@@ -21,7 +21,32 @@ import (
|
||||
"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
|
||||
)
|
||||
|
||||
const errUnsupportedProtoFmt = "unsupported protocol: %s"
|
||||
const (
|
||||
errUnsupportedProtoFmt = "unsupported protocol: %s"
|
||||
maxUDPPacketSize = 65507 // Maximum UDP packet size
|
||||
defaultUDPIdleTimeout = 90 * time.Second
|
||||
)
|
||||
|
||||
// udpBufferPool provides reusable buffers for UDP packet handling.
|
||||
// This reduces GC pressure from frequent large allocations.
|
||||
var udpBufferPool = sync.Pool{
|
||||
New: func() any {
|
||||
buf := make([]byte, maxUDPPacketSize)
|
||||
return &buf
|
||||
},
|
||||
}
|
||||
|
||||
// getUDPBuffer retrieves a buffer from the pool.
|
||||
func getUDPBuffer() *[]byte {
|
||||
return udpBufferPool.Get().(*[]byte)
|
||||
}
|
||||
|
||||
// putUDPBuffer clears and returns a buffer to the pool.
|
||||
func putUDPBuffer(buf *[]byte) {
|
||||
// Clear the buffer to prevent data leakage
|
||||
clear(*buf)
|
||||
udpBufferPool.Put(buf)
|
||||
}
|
||||
|
||||
// Target represents a proxy target with its address and port
|
||||
type Target struct {
|
||||
@@ -44,6 +69,10 @@ type ProxyManager struct {
|
||||
tunnels map[string]*tunnelEntry
|
||||
asyncBytes bool
|
||||
flushStop chan struct{}
|
||||
udpIdleTimeout time.Duration
|
||||
|
||||
// connection blocking
|
||||
blocked atomic.Bool
|
||||
}
|
||||
|
||||
// tunnelEntry holds per-tunnel attributes and (optional) async counters.
|
||||
@@ -105,13 +134,9 @@ func classifyProxyError(err error) string {
|
||||
if errors.Is(err, net.ErrClosed) {
|
||||
return "closed"
|
||||
}
|
||||
if ne, ok := err.(net.Error); ok {
|
||||
if ne.Timeout() {
|
||||
return "timeout"
|
||||
}
|
||||
if ne.Temporary() {
|
||||
return "temporary"
|
||||
}
|
||||
var ne net.Error
|
||||
if errors.As(err, &ne) && ne.Timeout() {
|
||||
return "timeout"
|
||||
}
|
||||
msg := strings.ToLower(err.Error())
|
||||
switch {
|
||||
@@ -127,12 +152,13 @@ func classifyProxyError(err error) string {
|
||||
// NewProxyManager creates a new proxy manager instance
|
||||
func NewProxyManager(tnet *netstack.Net) *ProxyManager {
|
||||
return &ProxyManager{
|
||||
tnet: tnet,
|
||||
tcpTargets: make(map[string]map[int]string),
|
||||
udpTargets: make(map[string]map[int]string),
|
||||
listeners: make([]*gonet.TCPListener, 0),
|
||||
udpConns: make([]*gonet.UDPConn, 0),
|
||||
tunnels: make(map[string]*tunnelEntry),
|
||||
tnet: tnet,
|
||||
tcpTargets: make(map[string]map[int]string),
|
||||
udpTargets: make(map[string]map[int]string),
|
||||
listeners: make([]*gonet.TCPListener, 0),
|
||||
udpConns: make([]*gonet.UDPConn, 0),
|
||||
tunnels: make(map[string]*tunnelEntry),
|
||||
udpIdleTimeout: defaultUDPIdleTimeout,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -206,10 +232,11 @@ func (pm *ProxyManager) ClearTunnelID() {
|
||||
// init function without tnet
|
||||
func NewProxyManagerWithoutTNet() *ProxyManager {
|
||||
return &ProxyManager{
|
||||
tcpTargets: make(map[string]map[int]string),
|
||||
udpTargets: make(map[string]map[int]string),
|
||||
listeners: make([]*gonet.TCPListener, 0),
|
||||
udpConns: make([]*gonet.UDPConn, 0),
|
||||
tcpTargets: make(map[string]map[int]string),
|
||||
udpTargets: make(map[string]map[int]string),
|
||||
listeners: make([]*gonet.TCPListener, 0),
|
||||
udpConns: make([]*gonet.UDPConn, 0),
|
||||
udpIdleTimeout: defaultUDPIdleTimeout,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -220,6 +247,18 @@ func (pm *ProxyManager) SetTNet(tnet *netstack.Net) {
|
||||
pm.tnet = tnet
|
||||
}
|
||||
|
||||
// SetBlocked enables or disables connection blocking.
|
||||
// When enabled, all new incoming TCP connections are immediately closed
|
||||
// and all incoming UDP packets are silently dropped.
|
||||
func (pm *ProxyManager) SetBlocked(v bool) {
|
||||
pm.blocked.Store(v)
|
||||
if v {
|
||||
logger.Debug("ProxyManager: connection blocking enabled, new connections will be dropped")
|
||||
} else {
|
||||
logger.Debug("ProxyManager: connection blocking disabled, accepting connections")
|
||||
}
|
||||
}
|
||||
|
||||
// AddTarget adds as new target for proxying
|
||||
func (pm *ProxyManager) AddTarget(proto, listenIP string, port int, targetAddr string) error {
|
||||
pm.mutex.Lock()
|
||||
@@ -346,6 +385,17 @@ func (pm *ProxyManager) SetAsyncBytes(b bool) {
|
||||
go pm.flushLoop()
|
||||
}
|
||||
}
|
||||
|
||||
// SetUDPIdleTimeout configures when idle UDP client flows are reclaimed.
|
||||
func (pm *ProxyManager) SetUDPIdleTimeout(d time.Duration) {
|
||||
pm.mutex.Lock()
|
||||
defer pm.mutex.Unlock()
|
||||
if d <= 0 {
|
||||
pm.udpIdleTimeout = defaultUDPIdleTimeout
|
||||
return
|
||||
}
|
||||
pm.udpIdleTimeout = d
|
||||
}
|
||||
func (pm *ProxyManager) flushLoop() {
|
||||
flushInterval := 2 * time.Second
|
||||
if v := os.Getenv("OTEL_METRIC_EXPORT_INTERVAL"); v != "" {
|
||||
@@ -437,14 +487,6 @@ func (pm *ProxyManager) Stop() error {
|
||||
pm.udpConns = append(pm.udpConns[:i], pm.udpConns[i+1:]...)
|
||||
}
|
||||
|
||||
// // Clear the target maps
|
||||
// for k := range pm.tcpTargets {
|
||||
// delete(pm.tcpTargets, k)
|
||||
// }
|
||||
// for k := range pm.udpTargets {
|
||||
// delete(pm.udpTargets, k)
|
||||
// }
|
||||
|
||||
// Give active connections a chance to close gracefully
|
||||
time.Sleep(100 * time.Millisecond)
|
||||
|
||||
@@ -498,7 +540,7 @@ func (pm *ProxyManager) handleTCPProxy(listener net.Listener, targetAddr string)
|
||||
if !pm.running {
|
||||
return
|
||||
}
|
||||
if ne, ok := err.(net.Error); ok && !ne.Temporary() {
|
||||
if errors.Is(err, net.ErrClosed) {
|
||||
logger.Info("TCP listener closed, stopping proxy handler for %v", listener.Addr())
|
||||
return
|
||||
}
|
||||
@@ -508,6 +550,12 @@ func (pm *ProxyManager) handleTCPProxy(listener net.Listener, targetAddr string)
|
||||
}
|
||||
|
||||
tunnelID := pm.currentTunnelID
|
||||
// Drop connection if blocking is enabled
|
||||
if pm.blocked.Load() {
|
||||
conn.Close()
|
||||
logger.Debug("TCP proxy: connection dropped (blocking enabled)")
|
||||
continue
|
||||
}
|
||||
telemetry.IncProxyAccept(context.Background(), tunnelID, "tcp", "success", "")
|
||||
telemetry.IncProxyConnectionEvent(context.Background(), tunnelID, "tcp", telemetry.ProxyConnectionOpened)
|
||||
if tunnelID != "" {
|
||||
@@ -564,7 +612,9 @@ func (pm *ProxyManager) handleTCPProxy(listener net.Listener, targetAddr string)
|
||||
}
|
||||
|
||||
func (pm *ProxyManager) handleUDPProxy(conn *gonet.UDPConn, targetAddr string) {
|
||||
buffer := make([]byte, 65507) // Max UDP packet size
|
||||
bufPtr := getUDPBuffer()
|
||||
defer putUDPBuffer(bufPtr)
|
||||
buffer := *bufPtr
|
||||
clientConns := make(map[string]*net.UDPConn)
|
||||
var clientsMutex sync.RWMutex
|
||||
|
||||
@@ -583,7 +633,7 @@ func (pm *ProxyManager) handleUDPProxy(conn *gonet.UDPConn, targetAddr string) {
|
||||
}
|
||||
|
||||
// Check for connection closed conditions
|
||||
if err == io.EOF || strings.Contains(err.Error(), "use of closed network connection") {
|
||||
if errors.Is(err, io.EOF) || errors.Is(err, net.ErrClosed) {
|
||||
logger.Info("UDP connection closed, stopping proxy handler")
|
||||
|
||||
// Clean up existing client connections
|
||||
@@ -602,6 +652,11 @@ func (pm *ProxyManager) handleUDPProxy(conn *gonet.UDPConn, targetAddr string) {
|
||||
}
|
||||
|
||||
clientKey := remoteAddr.String()
|
||||
// Drop packet if blocking is enabled
|
||||
if pm.blocked.Load() {
|
||||
logger.Debug("UDP proxy: packet dropped (blocking enabled)")
|
||||
continue
|
||||
}
|
||||
// bytes from client -> target (direction=in)
|
||||
if pm.currentTunnelID != "" && n > 0 {
|
||||
if pm.asyncBytes {
|
||||
@@ -632,6 +687,9 @@ func (pm *ProxyManager) handleUDPProxy(conn *gonet.UDPConn, targetAddr string) {
|
||||
telemetry.IncProxyAccept(context.Background(), pm.currentTunnelID, "udp", "failure", classifyProxyError(err))
|
||||
continue
|
||||
}
|
||||
// Prevent idle UDP client goroutines from living forever and
|
||||
// retaining large per-connection buffers.
|
||||
_ = targetConn.SetReadDeadline(time.Now().Add(pm.udpIdleTimeout))
|
||||
tunnelID := pm.currentTunnelID
|
||||
telemetry.IncProxyAccept(context.Background(), tunnelID, "udp", "success", "")
|
||||
telemetry.IncProxyConnectionEvent(context.Background(), tunnelID, "udp", telemetry.ProxyConnectionOpened)
|
||||
@@ -647,7 +705,10 @@ func (pm *ProxyManager) handleUDPProxy(conn *gonet.UDPConn, targetAddr string) {
|
||||
go func(clientKey string, targetConn *net.UDPConn, remoteAddr net.Addr, tunnelID string) {
|
||||
start := time.Now()
|
||||
result := "success"
|
||||
bufPtr := getUDPBuffer()
|
||||
defer func() {
|
||||
// Return buffer to pool first
|
||||
putUDPBuffer(bufPtr)
|
||||
// Always clean up when this goroutine exits
|
||||
clientsMutex.Lock()
|
||||
if storedConn, exists := clientConns[clientKey]; exists && storedConn == targetConn {
|
||||
@@ -662,10 +723,18 @@ func (pm *ProxyManager) handleUDPProxy(conn *gonet.UDPConn, targetAddr string) {
|
||||
telemetry.IncProxyConnectionEvent(context.Background(), tunnelID, "udp", telemetry.ProxyConnectionClosed)
|
||||
}()
|
||||
|
||||
buffer := make([]byte, 65507)
|
||||
buffer := *bufPtr
|
||||
for {
|
||||
n, _, err := targetConn.ReadFromUDP(buffer)
|
||||
if err != nil {
|
||||
var netErr net.Error
|
||||
if errors.As(err, &netErr) && netErr.Timeout() {
|
||||
return
|
||||
}
|
||||
// Connection closed is normal during cleanup
|
||||
if errors.Is(err, net.ErrClosed) || errors.Is(err, io.EOF) {
|
||||
return // defer will handle cleanup, result stays "success"
|
||||
}
|
||||
logger.Error("Error reading from target: %v", err)
|
||||
result = "failure"
|
||||
return // defer will handle cleanup
|
||||
@@ -704,6 +773,8 @@ func (pm *ProxyManager) handleUDPProxy(conn *gonet.UDPConn, targetAddr string) {
|
||||
delete(clientConns, clientKey)
|
||||
clientsMutex.Unlock()
|
||||
} else if pm.currentTunnelID != "" && written > 0 {
|
||||
// Extend idle timeout whenever client traffic is observed.
|
||||
_ = targetConn.SetReadDeadline(time.Now().Add(pm.udpIdleTimeout))
|
||||
if pm.asyncBytes {
|
||||
if e := pm.getEntry(pm.currentTunnelID); e != nil {
|
||||
e.bytesInUDP.Add(uint64(written))
|
||||
@@ -736,3 +807,28 @@ func (pm *ProxyManager) PrintTargets() {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// GetTargets returns a copy of the current TCP and UDP targets
|
||||
// Returns map[listenIP]map[port]targetAddress for both TCP and UDP
|
||||
func (pm *ProxyManager) GetTargets() (tcpTargets map[string]map[int]string, udpTargets map[string]map[int]string) {
|
||||
pm.mutex.RLock()
|
||||
defer pm.mutex.RUnlock()
|
||||
|
||||
tcpTargets = make(map[string]map[int]string)
|
||||
for listenIP, targets := range pm.tcpTargets {
|
||||
tcpTargets[listenIP] = make(map[int]string)
|
||||
for port, targetAddr := range targets {
|
||||
tcpTargets[listenIP][port] = targetAddr
|
||||
}
|
||||
}
|
||||
|
||||
udpTargets = make(map[string]map[int]string)
|
||||
for listenIP, targets := range pm.udpTargets {
|
||||
udpTargets[listenIP] = make(map[int]string)
|
||||
for port, targetAddr := range targets {
|
||||
udpTargets[listenIP][port] = targetAddr
|
||||
}
|
||||
}
|
||||
|
||||
return tcpTargets, udpTargets
|
||||
}
|
||||
|
||||
21
reexec_unix.go
Normal file
21
reexec_unix.go
Normal file
@@ -0,0 +1,21 @@
|
||||
//go:build !windows
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
// reexec replaces the current process image with a fresh copy of itself,
|
||||
// preserving all arguments and environment variables. On success it never
|
||||
// returns (execve replaces the process in-place). On failure it returns an
|
||||
// error describing why the exec could not be performed.
|
||||
func reexec() error {
|
||||
exe, err := os.Executable()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get executable path: %w", err)
|
||||
}
|
||||
return syscall.Exec(exe, os.Args, os.Environ())
|
||||
}
|
||||
30
reexec_windows.go
Normal file
30
reexec_windows.go
Normal file
@@ -0,0 +1,30 @@
|
||||
//go:build windows
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
)
|
||||
|
||||
// reexec spawns a new copy of the current process with the same arguments and
|
||||
// environment, then exits the current process. On Windows, execve is not
|
||||
// available, so we start a child process and exit. On success it never returns
|
||||
// (os.Exit terminates the current process). On failure it returns an error.
|
||||
func reexec() error {
|
||||
exe, err := os.Executable()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get executable path: %w", err)
|
||||
}
|
||||
cmd := exec.Command(exe, os.Args[1:]...)
|
||||
cmd.Stdout = os.Stdout
|
||||
cmd.Stderr = os.Stderr
|
||||
cmd.Stdin = os.Stdin
|
||||
cmd.Env = os.Environ()
|
||||
if err := cmd.Start(); err != nil {
|
||||
return fmt.Errorf("failed to start new process: %w", err)
|
||||
}
|
||||
os.Exit(0)
|
||||
return nil // unreachable
|
||||
}
|
||||
59
service_unix.go
Normal file
59
service_unix.go
Normal file
@@ -0,0 +1,59 @@
|
||||
//go:build !windows
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
// Service management functions are not available on non-Windows platforms
|
||||
func installService() error {
|
||||
return fmt.Errorf("service management is only available on Windows")
|
||||
}
|
||||
|
||||
func removeService() error {
|
||||
return fmt.Errorf("service management is only available on Windows")
|
||||
}
|
||||
|
||||
func startService(args []string) error {
|
||||
_ = args // unused on Unix platforms
|
||||
return fmt.Errorf("service management is only available on Windows")
|
||||
}
|
||||
|
||||
func stopService() error {
|
||||
return fmt.Errorf("service management is only available on Windows")
|
||||
}
|
||||
|
||||
func getServiceStatus() (string, error) {
|
||||
return "", fmt.Errorf("service management is only available on Windows")
|
||||
}
|
||||
|
||||
func debugService(args []string) error {
|
||||
_ = args // unused on Unix platforms
|
||||
return fmt.Errorf("debug service is only available on Windows")
|
||||
}
|
||||
|
||||
func isWindowsService() bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func runService(name string, isDebug bool, args []string) {
|
||||
// No-op on non-Windows platforms
|
||||
}
|
||||
|
||||
func setupWindowsEventLog() {
|
||||
// No-op on non-Windows platforms
|
||||
}
|
||||
|
||||
func watchLogFile(end bool) error {
|
||||
return fmt.Errorf("watching log file is only available on Windows")
|
||||
}
|
||||
|
||||
func showServiceConfig() {
|
||||
fmt.Println("Service configuration is only available on Windows")
|
||||
}
|
||||
|
||||
// handleServiceCommand returns false on non-Windows platforms
|
||||
func handleServiceCommand() bool {
|
||||
return false
|
||||
}
|
||||
759
service_windows.go
Normal file
759
service_windows.go
Normal file
@@ -0,0 +1,759 @@
|
||||
//go:build windows
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"os/signal"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
"golang.org/x/sys/windows/svc"
|
||||
"golang.org/x/sys/windows/svc/debug"
|
||||
"golang.org/x/sys/windows/svc/eventlog"
|
||||
"golang.org/x/sys/windows/svc/mgr"
|
||||
)
|
||||
|
||||
const (
|
||||
serviceName = "NewtWireguardService"
|
||||
serviceDisplayName = "Newt WireGuard Tunnel Service"
|
||||
serviceDescription = "Newt WireGuard tunnel service for secure network connectivity"
|
||||
)
|
||||
|
||||
// Global variable to store service arguments
|
||||
var serviceArgs []string
|
||||
|
||||
// getServiceArgsPath returns the path where service arguments are stored
|
||||
func getServiceArgsPath() string {
|
||||
logDir := filepath.Join(os.Getenv("PROGRAMDATA"), "newt")
|
||||
return filepath.Join(logDir, "service_args.json")
|
||||
}
|
||||
|
||||
// saveServiceArgs saves the service arguments to a file
|
||||
func saveServiceArgs(args []string) error {
|
||||
logDir := filepath.Join(os.Getenv("PROGRAMDATA"), "newt")
|
||||
err := os.MkdirAll(logDir, 0755)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create config directory: %v", err)
|
||||
}
|
||||
|
||||
argsPath := getServiceArgsPath()
|
||||
data, err := json.Marshal(args)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to marshal service args: %v", err)
|
||||
}
|
||||
|
||||
err = os.WriteFile(argsPath, data, 0644)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to write service args: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// loadServiceArgs loads the service arguments from a file
|
||||
func loadServiceArgs() ([]string, error) {
|
||||
argsPath := getServiceArgsPath()
|
||||
data, err := os.ReadFile(argsPath)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return []string{}, nil // Return empty args if file doesn't exist
|
||||
}
|
||||
return nil, fmt.Errorf("failed to read service args: %v", err)
|
||||
}
|
||||
|
||||
var args []string
|
||||
err = json.Unmarshal(data, &args)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal service args: %v", err)
|
||||
}
|
||||
|
||||
return args, nil
|
||||
}
|
||||
|
||||
type newtService struct {
|
||||
elog debug.Log
|
||||
ctx context.Context
|
||||
stop context.CancelFunc
|
||||
args []string
|
||||
}
|
||||
|
||||
func (s *newtService) Execute(args []string, r <-chan svc.ChangeRequest, changes chan<- svc.Status) (bool, uint32) {
|
||||
const cmdsAccepted = svc.AcceptStop | svc.AcceptShutdown
|
||||
changes <- svc.Status{State: svc.StartPending}
|
||||
|
||||
s.elog.Info(1, fmt.Sprintf("Service Execute called with args: %v", args))
|
||||
|
||||
// Load saved service arguments
|
||||
savedArgs, err := loadServiceArgs()
|
||||
if err != nil {
|
||||
s.elog.Error(1, fmt.Sprintf("Failed to load service args: %v", err))
|
||||
// Continue with empty args if loading fails
|
||||
savedArgs = []string{}
|
||||
}
|
||||
s.elog.Info(1, fmt.Sprintf("Loaded saved service args: %v", savedArgs))
|
||||
|
||||
// Combine service start args with saved args, giving priority to service start args
|
||||
// Note: When the service is started via SCM, args[0] is the service name
|
||||
// When started via s.Start(args...), the args passed are exactly what we provide
|
||||
finalArgs := []string{}
|
||||
|
||||
// Check if we have args passed directly to Execute (from s.Start())
|
||||
if len(args) > 0 {
|
||||
// The first arg from SCM is the service name, but when we call s.Start(args...),
|
||||
// the args we pass become args[1:] in Execute. However, if started by SCM without
|
||||
// args, args[0] will be the service name.
|
||||
// We need to check if args[0] looks like the service name or a flag
|
||||
if len(args) == 1 && args[0] == serviceName {
|
||||
// Only service name, no actual args
|
||||
s.elog.Info(1, "Only service name in args, checking saved args")
|
||||
} else if len(args) > 1 && args[0] == serviceName {
|
||||
// Service name followed by actual args
|
||||
finalArgs = append(finalArgs, args[1:]...)
|
||||
s.elog.Info(1, fmt.Sprintf("Using service start parameters (after service name): %v", finalArgs))
|
||||
} else {
|
||||
// Args don't start with service name, use them all
|
||||
// This happens when args are passed via s.Start(args...)
|
||||
finalArgs = append(finalArgs, args...)
|
||||
s.elog.Info(1, fmt.Sprintf("Using service start parameters (direct): %v", finalArgs))
|
||||
}
|
||||
}
|
||||
|
||||
// If no service start parameters, use saved args
|
||||
if len(finalArgs) == 0 && len(savedArgs) > 0 {
|
||||
finalArgs = savedArgs
|
||||
s.elog.Info(1, fmt.Sprintf("Using saved service args: %v", finalArgs))
|
||||
}
|
||||
|
||||
s.elog.Info(1, fmt.Sprintf("Final args to use: %v", finalArgs))
|
||||
s.args = finalArgs
|
||||
|
||||
// Start the main newt functionality
|
||||
newtDone := make(chan struct{})
|
||||
go func() {
|
||||
s.runNewt()
|
||||
close(newtDone)
|
||||
}()
|
||||
|
||||
changes <- svc.Status{State: svc.Running, Accepts: cmdsAccepted}
|
||||
s.elog.Info(1, "Service status set to Running")
|
||||
|
||||
for {
|
||||
select {
|
||||
case c := <-r:
|
||||
switch c.Cmd {
|
||||
case svc.Interrogate:
|
||||
changes <- c.CurrentStatus
|
||||
case svc.Stop, svc.Shutdown:
|
||||
s.elog.Info(1, "Service stopping")
|
||||
changes <- svc.Status{State: svc.StopPending}
|
||||
if s.stop != nil {
|
||||
s.stop()
|
||||
}
|
||||
// Wait for main logic to finish or timeout
|
||||
select {
|
||||
case <-newtDone:
|
||||
s.elog.Info(1, "Main logic finished gracefully")
|
||||
case <-time.After(10 * time.Second):
|
||||
s.elog.Info(1, "Timeout waiting for main logic to finish")
|
||||
}
|
||||
return false, 0
|
||||
default:
|
||||
s.elog.Error(1, fmt.Sprintf("Unexpected control request #%d", c))
|
||||
}
|
||||
case <-newtDone:
|
||||
s.elog.Info(1, "Main newt logic completed, stopping service")
|
||||
changes <- svc.Status{State: svc.StopPending}
|
||||
return false, 0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (s *newtService) runNewt() {
|
||||
// Create a context that can be cancelled when the service stops
|
||||
s.ctx, s.stop = context.WithCancel(context.Background())
|
||||
|
||||
// Setup logging for service mode
|
||||
s.elog.Info(1, "Starting Newt main logic")
|
||||
|
||||
// Run the main newt logic and wait for it to complete
|
||||
done := make(chan struct{})
|
||||
go func() {
|
||||
defer func() {
|
||||
if r := recover(); r != nil {
|
||||
s.elog.Error(1, fmt.Sprintf("Panic in newt main: %v", r))
|
||||
}
|
||||
close(done)
|
||||
}()
|
||||
|
||||
// Call the main newt function with stored arguments
|
||||
// Use s.ctx as the signal context since the service manages shutdown
|
||||
runNewtMainWithArgs(s.ctx, s.args)
|
||||
}()
|
||||
|
||||
// Wait for either context cancellation or main logic completion
|
||||
select {
|
||||
case <-s.ctx.Done():
|
||||
s.elog.Info(1, "Newt service context cancelled")
|
||||
case <-done:
|
||||
s.elog.Info(1, "Newt main logic completed")
|
||||
}
|
||||
}
|
||||
|
||||
func runService(name string, isDebug bool, args []string) {
|
||||
var err error
|
||||
var elog debug.Log
|
||||
|
||||
if isDebug {
|
||||
elog = debug.New(name)
|
||||
fmt.Printf("Starting %s service in debug mode\n", name)
|
||||
} else {
|
||||
elog, err = eventlog.Open(name)
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to open event log: %v\n", err)
|
||||
return
|
||||
}
|
||||
}
|
||||
defer elog.Close()
|
||||
|
||||
elog.Info(1, fmt.Sprintf("Starting %s service", name))
|
||||
run := svc.Run
|
||||
if isDebug {
|
||||
run = debug.Run
|
||||
}
|
||||
|
||||
service := &newtService{elog: elog, args: args}
|
||||
err = run(name, service)
|
||||
if err != nil {
|
||||
elog.Error(1, fmt.Sprintf("%s service failed: %v", name, err))
|
||||
if isDebug {
|
||||
fmt.Printf("Service failed: %v\n", err)
|
||||
}
|
||||
return
|
||||
}
|
||||
elog.Info(1, fmt.Sprintf("%s service stopped", name))
|
||||
if isDebug {
|
||||
fmt.Printf("%s service stopped\n", name)
|
||||
}
|
||||
}
|
||||
|
||||
func installService() error {
|
||||
exepath, err := os.Executable()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get executable path: %v", err)
|
||||
}
|
||||
|
||||
m, err := mgr.Connect()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to connect to service manager: %v", err)
|
||||
}
|
||||
defer m.Disconnect()
|
||||
|
||||
s, err := m.OpenService(serviceName)
|
||||
if err == nil {
|
||||
s.Close()
|
||||
return fmt.Errorf("service %s already exists", serviceName)
|
||||
}
|
||||
|
||||
config := mgr.Config{
|
||||
ServiceType: 0x10, // SERVICE_WIN32_OWN_PROCESS
|
||||
StartType: mgr.StartManual,
|
||||
ErrorControl: mgr.ErrorNormal,
|
||||
DisplayName: serviceDisplayName,
|
||||
Description: serviceDescription,
|
||||
BinaryPathName: exepath,
|
||||
}
|
||||
|
||||
s, err = m.CreateService(serviceName, exepath, config)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create service: %v", err)
|
||||
}
|
||||
defer s.Close()
|
||||
|
||||
err = eventlog.InstallAsEventCreate(serviceName, eventlog.Error|eventlog.Warning|eventlog.Info)
|
||||
if err != nil {
|
||||
s.Delete()
|
||||
return fmt.Errorf("failed to install event log: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func removeService() error {
|
||||
m, err := mgr.Connect()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to connect to service manager: %v", err)
|
||||
}
|
||||
defer m.Disconnect()
|
||||
|
||||
s, err := m.OpenService(serviceName)
|
||||
if err != nil {
|
||||
return fmt.Errorf("service %s is not installed", serviceName)
|
||||
}
|
||||
defer s.Close()
|
||||
|
||||
// Stop the service if it's running
|
||||
status, err := s.Query()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to query service status: %v", err)
|
||||
}
|
||||
|
||||
if status.State != svc.Stopped {
|
||||
_, err = s.Control(svc.Stop)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to stop service: %v", err)
|
||||
}
|
||||
|
||||
// Wait for service to stop
|
||||
timeout := time.Now().Add(30 * time.Second)
|
||||
for status.State != svc.Stopped {
|
||||
if timeout.Before(time.Now()) {
|
||||
return fmt.Errorf("timeout waiting for service to stop")
|
||||
}
|
||||
time.Sleep(300 * time.Millisecond)
|
||||
status, err = s.Query()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to query service status: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
err = s.Delete()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to delete service: %v", err)
|
||||
}
|
||||
|
||||
err = eventlog.Remove(serviceName)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to remove event log: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func startService(args []string) error {
|
||||
fmt.Printf("Starting service with args: %v\n", args)
|
||||
|
||||
// Always save the service arguments so they can be loaded on service restart
|
||||
err := saveServiceArgs(args)
|
||||
if err != nil {
|
||||
fmt.Printf("Warning: failed to save service args: %v\n", err)
|
||||
// Continue anyway, args will still be passed directly
|
||||
} else {
|
||||
fmt.Printf("Saved service args to: %s\n", getServiceArgsPath())
|
||||
}
|
||||
|
||||
m, err := mgr.Connect()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to connect to service manager: %v", err)
|
||||
}
|
||||
defer m.Disconnect()
|
||||
|
||||
s, err := m.OpenService(serviceName)
|
||||
if err != nil {
|
||||
return fmt.Errorf("service %s is not installed", serviceName)
|
||||
}
|
||||
defer s.Close()
|
||||
|
||||
// Pass arguments directly to the service start call
|
||||
// Note: These args will appear in Execute() after the service name
|
||||
err = s.Start(args...)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to start service: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func stopService() error {
|
||||
m, err := mgr.Connect()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to connect to service manager: %v", err)
|
||||
}
|
||||
defer m.Disconnect()
|
||||
|
||||
s, err := m.OpenService(serviceName)
|
||||
if err != nil {
|
||||
return fmt.Errorf("service %s is not installed", serviceName)
|
||||
}
|
||||
defer s.Close()
|
||||
|
||||
status, err := s.Control(svc.Stop)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to stop service: %v", err)
|
||||
}
|
||||
|
||||
timeout := time.Now().Add(30 * time.Second)
|
||||
for status.State != svc.Stopped {
|
||||
if timeout.Before(time.Now()) {
|
||||
return fmt.Errorf("timeout waiting for service to stop")
|
||||
}
|
||||
time.Sleep(300 * time.Millisecond)
|
||||
status, err = s.Query()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to query service status: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func debugService(args []string) error {
|
||||
// Save the service arguments before starting
|
||||
if len(args) > 0 {
|
||||
err := saveServiceArgs(args)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to save service args: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// Start the service with the provided arguments
|
||||
err := startService(args)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to start service: %v", err)
|
||||
}
|
||||
|
||||
// Watch the log file
|
||||
return watchLogFile(true)
|
||||
}
|
||||
|
||||
func watchLogFile(end bool) error {
|
||||
logDir := filepath.Join(os.Getenv("PROGRAMDATA"), "newt", "logs")
|
||||
logPath := filepath.Join(logDir, "newt.log")
|
||||
|
||||
// Ensure the log directory exists
|
||||
err := os.MkdirAll(logDir, 0755)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create log directory: %v", err)
|
||||
}
|
||||
|
||||
// Wait for the log file to be created if it doesn't exist
|
||||
var file *os.File
|
||||
for i := 0; i < 30; i++ { // Wait up to 15 seconds
|
||||
file, err = os.Open(logPath)
|
||||
if err == nil {
|
||||
break
|
||||
}
|
||||
if i == 0 {
|
||||
fmt.Printf("Waiting for log file to be created...\n")
|
||||
}
|
||||
time.Sleep(500 * time.Millisecond)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to open log file after waiting: %v", err)
|
||||
}
|
||||
defer file.Close()
|
||||
|
||||
// Seek to the end of the file to only show new logs
|
||||
_, err = file.Seek(0, 2)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to seek to end of file: %v", err)
|
||||
}
|
||||
|
||||
// Set up signal handling for graceful exit
|
||||
sigCh := make(chan os.Signal, 1)
|
||||
signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM)
|
||||
|
||||
// Create a ticker to check for new content
|
||||
ticker := time.NewTicker(500 * time.Millisecond)
|
||||
defer ticker.Stop()
|
||||
|
||||
buffer := make([]byte, 4096)
|
||||
|
||||
for {
|
||||
select {
|
||||
case <-sigCh:
|
||||
fmt.Printf("\n\nStopping log watch...\n")
|
||||
// stop the service if needed
|
||||
if end {
|
||||
fmt.Printf("Stopping service...\n")
|
||||
stopService()
|
||||
}
|
||||
fmt.Printf("Log watch stopped.\n")
|
||||
return nil
|
||||
case <-ticker.C:
|
||||
// Read new content
|
||||
n, err := file.Read(buffer)
|
||||
if err != nil && err != io.EOF {
|
||||
// Try to reopen the file in case it was recreated
|
||||
file.Close()
|
||||
file, err = os.Open(logPath)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
continue
|
||||
}
|
||||
|
||||
if n > 0 {
|
||||
// Print the new content
|
||||
fmt.Print(string(buffer[:n]))
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func getServiceStatus() (string, error) {
|
||||
m, err := mgr.Connect()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to connect to service manager: %v", err)
|
||||
}
|
||||
defer m.Disconnect()
|
||||
|
||||
s, err := m.OpenService(serviceName)
|
||||
if err != nil {
|
||||
return "Not Installed", nil
|
||||
}
|
||||
defer s.Close()
|
||||
|
||||
status, err := s.Query()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to query service status: %v", err)
|
||||
}
|
||||
|
||||
switch status.State {
|
||||
case svc.Stopped:
|
||||
return "Stopped", nil
|
||||
case svc.StartPending:
|
||||
return "Starting", nil
|
||||
case svc.StopPending:
|
||||
return "Stopping", nil
|
||||
case svc.Running:
|
||||
return "Running", nil
|
||||
case svc.ContinuePending:
|
||||
return "Continue Pending", nil
|
||||
case svc.PausePending:
|
||||
return "Pause Pending", nil
|
||||
case svc.Paused:
|
||||
return "Paused", nil
|
||||
default:
|
||||
return "Unknown", nil
|
||||
}
|
||||
}
|
||||
|
||||
// showServiceConfig displays current saved service configuration
|
||||
func showServiceConfig() {
|
||||
configPath := getServiceArgsPath()
|
||||
fmt.Printf("Service configuration file: %s\n", configPath)
|
||||
|
||||
args, err := loadServiceArgs()
|
||||
if err != nil {
|
||||
fmt.Printf("No saved configuration found or error loading: %v\n", err)
|
||||
return
|
||||
}
|
||||
|
||||
if len(args) == 0 {
|
||||
fmt.Println("No saved service arguments found")
|
||||
} else {
|
||||
fmt.Printf("Saved service arguments: %v\n", args)
|
||||
}
|
||||
}
|
||||
|
||||
func isWindowsService() bool {
|
||||
isWindowsService, err := svc.IsWindowsService()
|
||||
return err == nil && isWindowsService
|
||||
}
|
||||
|
||||
// rotateLogFile handles daily log rotation
|
||||
func rotateLogFile(logDir string, logFile string) error {
|
||||
// Get current log file info
|
||||
info, err := os.Stat(logFile)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return nil // No current log file to rotate
|
||||
}
|
||||
return fmt.Errorf("failed to stat log file: %v", err)
|
||||
}
|
||||
|
||||
// Check if log file is from today
|
||||
now := time.Now()
|
||||
fileTime := info.ModTime()
|
||||
|
||||
// If the log file is from today, no rotation needed
|
||||
if now.Year() == fileTime.Year() && now.YearDay() == fileTime.YearDay() {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Create rotated filename with date
|
||||
rotatedName := fmt.Sprintf("newt-%s.log", fileTime.Format("2006-01-02"))
|
||||
rotatedPath := filepath.Join(logDir, rotatedName)
|
||||
|
||||
// Rename current log file to dated filename
|
||||
err = os.Rename(logFile, rotatedPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to rotate log file: %v", err)
|
||||
}
|
||||
|
||||
// Clean up old log files (keep last 30 days)
|
||||
cleanupOldLogFiles(logDir, 30)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// cleanupOldLogFiles removes log files older than specified days
|
||||
func cleanupOldLogFiles(logDir string, daysToKeep int) {
|
||||
cutoff := time.Now().AddDate(0, 0, -daysToKeep)
|
||||
|
||||
files, err := os.ReadDir(logDir)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
for _, file := range files {
|
||||
if !file.IsDir() && strings.HasPrefix(file.Name(), "newt-") && strings.HasSuffix(file.Name(), ".log") {
|
||||
filePath := filepath.Join(logDir, file.Name())
|
||||
info, err := file.Info()
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
|
||||
if info.ModTime().Before(cutoff) {
|
||||
os.Remove(filePath)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func setupWindowsEventLog() {
|
||||
// Create log directory if it doesn't exist
|
||||
logDir := filepath.Join(os.Getenv("PROGRAMDATA"), "newt", "logs")
|
||||
err := os.MkdirAll(logDir, 0755)
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to create log directory: %v\n", err)
|
||||
return
|
||||
}
|
||||
|
||||
logFile := filepath.Join(logDir, "newt.log")
|
||||
|
||||
// Rotate log file if needed
|
||||
err = rotateLogFile(logDir, logFile)
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to rotate log file: %v\n", err)
|
||||
// Continue anyway to create new log file
|
||||
}
|
||||
|
||||
file, err := os.OpenFile(logFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to open log file: %v\n", err)
|
||||
return
|
||||
}
|
||||
|
||||
// Set the custom logger output
|
||||
logger.GetLogger().SetOutput(file)
|
||||
|
||||
logger.Debug("Newt service logging initialized - log file: %s", logFile)
|
||||
}
|
||||
|
||||
// handleServiceCommand checks for service management commands and returns true if handled
|
||||
func handleServiceCommand() bool {
|
||||
if len(os.Args) < 2 {
|
||||
return false
|
||||
}
|
||||
|
||||
command := os.Args[1]
|
||||
|
||||
switch command {
|
||||
case "install":
|
||||
err := installService()
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to install service: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
fmt.Println("Service installed successfully")
|
||||
return true
|
||||
case "remove", "uninstall":
|
||||
err := removeService()
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to remove service: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
fmt.Println("Service removed successfully")
|
||||
return true
|
||||
case "start":
|
||||
// Pass the remaining arguments (after "start") to the service
|
||||
serviceArgs := os.Args[2:]
|
||||
err := startService(serviceArgs)
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to start service: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
fmt.Println("Service started successfully")
|
||||
return true
|
||||
case "stop":
|
||||
err := stopService()
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to stop service: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
fmt.Println("Service stopped successfully")
|
||||
return true
|
||||
case "status":
|
||||
status, err := getServiceStatus()
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to get service status: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
fmt.Printf("Service status: %s\n", status)
|
||||
return true
|
||||
case "debug":
|
||||
// get the status and if it is Not Installed then install it first
|
||||
status, err := getServiceStatus()
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to get service status: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
if status == "Not Installed" {
|
||||
err := installService()
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to install service: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
fmt.Println("Service installed successfully, now running in debug mode")
|
||||
}
|
||||
|
||||
// Pass the remaining arguments (after "debug") to the service
|
||||
serviceArgs := os.Args[2:]
|
||||
err = debugService(serviceArgs)
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to debug service: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
return true
|
||||
case "logs":
|
||||
err := watchLogFile(false)
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to watch log file: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
return true
|
||||
case "config":
|
||||
showServiceConfig()
|
||||
return true
|
||||
case "service-help":
|
||||
fmt.Println("Newt WireGuard Tunnel")
|
||||
fmt.Println("\nWindows Service Management:")
|
||||
fmt.Println(" install Install the service")
|
||||
fmt.Println(" remove Remove the service")
|
||||
fmt.Println(" start [args] Start the service with optional arguments")
|
||||
fmt.Println(" stop Stop the service")
|
||||
fmt.Println(" status Show service status")
|
||||
fmt.Println(" debug [args] Run service in debug mode with optional arguments")
|
||||
fmt.Println(" logs Tail the service log file")
|
||||
fmt.Println(" config Show current service configuration")
|
||||
fmt.Println(" service-help Show this service help")
|
||||
fmt.Println("\nExamples:")
|
||||
fmt.Println(" newt start --endpoint https://example.com --id myid --secret mysecret")
|
||||
fmt.Println(" newt debug --endpoint https://example.com --id myid --secret mysecret")
|
||||
fmt.Println("\nFor normal console mode, run with standard flags (e.g., newt --endpoint ...)")
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
49
testing/udp_client.py
Normal file
49
testing/udp_client.py
Normal file
@@ -0,0 +1,49 @@
|
||||
import socket
|
||||
import sys
|
||||
|
||||
# Argument parsing: Check if IP and Port are provided
|
||||
if len(sys.argv) != 3:
|
||||
print("Usage: python udp_client.py <HOST_IP> <HOST_PORT>")
|
||||
# Example: python udp_client.py 127.0.0.1 12000
|
||||
sys.exit(1)
|
||||
|
||||
HOST = sys.argv[1]
|
||||
try:
|
||||
PORT = int(sys.argv[2])
|
||||
except ValueError:
|
||||
print("Error: HOST_PORT must be an integer.")
|
||||
sys.exit(1)
|
||||
|
||||
# The message to send to the server
|
||||
MESSAGE = "Hello UDP Server! How are you?"
|
||||
|
||||
# Create a UDP socket
|
||||
try:
|
||||
client_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
except socket.error as err:
|
||||
print(f"Failed to create socket: {err}")
|
||||
sys.exit()
|
||||
|
||||
try:
|
||||
print(f"Sending message to {HOST}:{PORT}...")
|
||||
|
||||
# Send the message (data must be encoded to bytes)
|
||||
client_socket.sendto(MESSAGE.encode('utf-8'), (HOST, PORT))
|
||||
|
||||
# Wait for the server's response (buffer size 1024 bytes)
|
||||
data, server_address = client_socket.recvfrom(1024)
|
||||
|
||||
# Decode and print the server's response
|
||||
response = data.decode('utf-8')
|
||||
print("-" * 30)
|
||||
print(f"Received response from server {server_address[0]}:{server_address[1]}:")
|
||||
print(f"-> Data: '{response}'")
|
||||
|
||||
except socket.error as err:
|
||||
print(f"Error during communication: {err}")
|
||||
|
||||
finally:
|
||||
# Close the socket
|
||||
client_socket.close()
|
||||
print("-" * 30)
|
||||
print("Client finished and socket closed.")
|
||||
58
testing/udp_server.py
Normal file
58
testing/udp_server.py
Normal file
@@ -0,0 +1,58 @@
|
||||
import socket
|
||||
import sys
|
||||
|
||||
# optionally take in some positional args for the port
|
||||
if len(sys.argv) > 1:
|
||||
try:
|
||||
PORT = int(sys.argv[1])
|
||||
except ValueError:
|
||||
print("Invalid port number. Using default port 12000.")
|
||||
PORT = 12000
|
||||
else:
|
||||
PORT = 12000
|
||||
|
||||
# Define the server host and port
|
||||
HOST = '0.0.0.0' # Standard loopback interface address (localhost)
|
||||
|
||||
# Create a UDP socket
|
||||
try:
|
||||
server_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
except socket.error as err:
|
||||
print(f"Failed to create socket: {err}")
|
||||
sys.exit()
|
||||
|
||||
# Bind the socket to the address
|
||||
try:
|
||||
server_socket.bind((HOST, PORT))
|
||||
print(f"UDP Server listening on {HOST}:{PORT}")
|
||||
except socket.error as err:
|
||||
print(f"Bind failed: {err}")
|
||||
server_socket.close()
|
||||
sys.exit()
|
||||
|
||||
# Wait for and process incoming data
|
||||
while True:
|
||||
try:
|
||||
# Receive data and the client's address (buffer size 1024 bytes)
|
||||
data, client_address = server_socket.recvfrom(1024)
|
||||
|
||||
# Decode the data and print the message
|
||||
message = data.decode('utf-8')
|
||||
print("-" * 30)
|
||||
print(f"Received message from {client_address[0]}:{client_address[1]}:")
|
||||
print(f"-> Data: '{message}'")
|
||||
|
||||
# Prepare the response message
|
||||
response_message = f"Hello client! Server received: '{message.upper()}'"
|
||||
|
||||
# Send the response back to the client
|
||||
server_socket.sendto(response_message.encode('utf-8'), client_address)
|
||||
print(f"Sent response back to client.")
|
||||
|
||||
except Exception as e:
|
||||
print(f"An error occurred: {e}")
|
||||
break
|
||||
|
||||
# Clean up (though usually unreachable in an infinite server loop)
|
||||
server_socket.close()
|
||||
print("Server stopped.")
|
||||
60
testing/ws_client.py
Normal file
60
testing/ws_client.py
Normal file
@@ -0,0 +1,60 @@
|
||||
import asyncio
|
||||
import sys
|
||||
import websockets
|
||||
|
||||
# Argument parsing: Check if HOST and PORT are provided
|
||||
if len(sys.argv) < 3 or len(sys.argv) > 4:
|
||||
print("Usage: python ws_client.py <HOST_IP> <HOST_PORT> [ws|wss]")
|
||||
# Example: python ws_client.py 127.0.0.1 8765
|
||||
# Example: python ws_client.py 127.0.0.1 8765 wss
|
||||
sys.exit(1)
|
||||
|
||||
HOST = sys.argv[1]
|
||||
try:
|
||||
PORT = int(sys.argv[2])
|
||||
except ValueError:
|
||||
print("Error: HOST_PORT must be an integer.")
|
||||
sys.exit(1)
|
||||
|
||||
if len(sys.argv) == 4:
|
||||
SCHEME = sys.argv[3].lower()
|
||||
if SCHEME not in ("ws", "wss"):
|
||||
print("Error: scheme must be 'ws' or 'wss'.")
|
||||
sys.exit(1)
|
||||
else:
|
||||
SCHEME = "ws"
|
||||
|
||||
URI = f"{SCHEME}://{HOST}:{PORT}"
|
||||
|
||||
# The message to send to the server
|
||||
MESSAGE = "Hello WebSocket Server! How are you?"
|
||||
|
||||
|
||||
async def main():
|
||||
print(f"Connecting to {URI}...")
|
||||
|
||||
try:
|
||||
async with websockets.connect(URI) as websocket:
|
||||
print(f"Connected to server.")
|
||||
print(f"Sending message: '{MESSAGE}'")
|
||||
|
||||
await websocket.send(MESSAGE)
|
||||
|
||||
response = await websocket.recv()
|
||||
|
||||
print("-" * 30)
|
||||
print(f"Received response from server:")
|
||||
print(f"-> Data: '{response}'")
|
||||
|
||||
except ConnectionRefusedError:
|
||||
print(f"Error: Connection to {URI} was refused. Is the server running?")
|
||||
except websockets.exceptions.InvalidMessage as e:
|
||||
print(f"Error: Server did not respond with a valid WebSocket handshake: {e}")
|
||||
except Exception as e:
|
||||
print(f"Error during communication: {e}")
|
||||
|
||||
print("-" * 30)
|
||||
print("Client finished.")
|
||||
|
||||
|
||||
asyncio.run(main())
|
||||
49
testing/ws_server.py
Normal file
49
testing/ws_server.py
Normal file
@@ -0,0 +1,49 @@
|
||||
import asyncio
|
||||
import sys
|
||||
import websockets
|
||||
|
||||
# Optionally take in a positional arg for the port
|
||||
if len(sys.argv) > 1:
|
||||
try:
|
||||
PORT = int(sys.argv[1])
|
||||
except ValueError:
|
||||
print("Invalid port number. Using default port 8765.")
|
||||
PORT = 8765
|
||||
else:
|
||||
PORT = 8765
|
||||
|
||||
# Define the server host
|
||||
HOST = "0.0.0.0"
|
||||
|
||||
|
||||
async def handle_client(websocket):
|
||||
client_address = websocket.remote_address
|
||||
print(f"Client connected: {client_address[0]}:{client_address[1]}")
|
||||
|
||||
try:
|
||||
async for message in websocket:
|
||||
print("-" * 30)
|
||||
print(f"Received message from {client_address[0]}:{client_address[1]}:")
|
||||
print(f"-> Data: '{message}'")
|
||||
|
||||
response = f"Hello client! Server received: '{message.upper()}'"
|
||||
|
||||
await websocket.send(response)
|
||||
print(f"Sent response back to client.")
|
||||
|
||||
except websockets.exceptions.ConnectionClosedOK:
|
||||
print(f"Client {client_address[0]}:{client_address[1]} disconnected cleanly.")
|
||||
except websockets.exceptions.ConnectionClosedError as e:
|
||||
print(f"Client {client_address[0]}:{client_address[1]} disconnected with error: {e}")
|
||||
|
||||
|
||||
async def main():
|
||||
print(f"WebSocket Server listening on {HOST}:{PORT}")
|
||||
async with websockets.serve(handle_client, HOST, PORT):
|
||||
await asyncio.Future() # Run forever
|
||||
|
||||
|
||||
try:
|
||||
asyncio.run(main())
|
||||
except KeyboardInterrupt:
|
||||
print("\nServer stopped.")
|
||||
48
updates/advantech.go
Normal file
48
updates/advantech.go
Normal file
@@ -0,0 +1,48 @@
|
||||
//go:build !windows
|
||||
|
||||
package updates
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
const advantechVersionFile = "/opt/newt/etc/version"
|
||||
|
||||
// postUpdateAdvantech performs Advantech Router App-specific post-update steps:
|
||||
// - Writes the new version string to /opt/newt/etc/version so that the
|
||||
// router firmware's package management reflects the installed version.
|
||||
// - Updates the PID file at pidFile (if non-empty) with the current process
|
||||
// PID, in case the re-exec lands with a new PID on platforms where
|
||||
// syscall.Exec behaviour differs.
|
||||
func postUpdateAdvantech(newVersion, pidFile string) error {
|
||||
// --- Write version file ---
|
||||
versionDir := filepath.Dir(advantechVersionFile)
|
||||
if err := os.MkdirAll(versionDir, 0755); err != nil {
|
||||
return fmt.Errorf("advantech: failed to create version directory %s: %w", versionDir, err)
|
||||
}
|
||||
|
||||
if err := os.WriteFile(advantechVersionFile, []byte(newVersion+"\n"), 0644); err != nil {
|
||||
return fmt.Errorf("advantech: failed to write version file %s: %w", advantechVersionFile, err)
|
||||
}
|
||||
logger.Debug("postUpdateAdvantech: wrote version %s to %s", newVersion, advantechVersionFile)
|
||||
|
||||
// --- Update PID file ---
|
||||
// syscall.Exec replaces the process image in-place so the PID is preserved.
|
||||
// We update the PID file here anyway so that any race between the old and
|
||||
// new binary is covered (e.g. on platforms that fork before exec).
|
||||
if pidFile != "" {
|
||||
pid := fmt.Sprintf("%d\n", os.Getpid())
|
||||
if err := os.WriteFile(pidFile, []byte(pid), 0644); err != nil {
|
||||
// Non-fatal: log and continue so the update still proceeds.
|
||||
logger.Debug("postUpdateAdvantech: warning: failed to update PID file %s: %v", pidFile, err)
|
||||
} else {
|
||||
logger.Debug("postUpdateAdvantech: updated PID file %s with PID %d", pidFile, os.Getpid())
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
8
updates/advantech_windows.go
Normal file
8
updates/advantech_windows.go
Normal file
@@ -0,0 +1,8 @@
|
||||
//go:build windows
|
||||
|
||||
package updates
|
||||
|
||||
// postUpdateAdvantech is not supported on Windows.
|
||||
func postUpdateAdvantech(newVersion, pidFile string) error {
|
||||
return nil
|
||||
}
|
||||
14
updates/reexec_unix.go
Normal file
14
updates/reexec_unix.go
Normal file
@@ -0,0 +1,14 @@
|
||||
//go:build !windows
|
||||
|
||||
package updates
|
||||
|
||||
import (
|
||||
"os"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
// reexec replaces the current process image with the binary at exePath,
|
||||
// forwarding all original arguments and environment variables.
|
||||
func reexec(exePath string) error {
|
||||
return syscall.Exec(exePath, os.Args, os.Environ())
|
||||
}
|
||||
28
updates/reexec_windows.go
Normal file
28
updates/reexec_windows.go
Normal file
@@ -0,0 +1,28 @@
|
||||
//go:build windows
|
||||
|
||||
package updates
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
)
|
||||
|
||||
// reexec on Windows cannot use syscall.Exec (there is no exec syscall that
|
||||
// replaces the process image). Instead we start a new process and exit the
|
||||
// current one.
|
||||
func reexec(exePath string) error {
|
||||
cmd := exec.Command(exePath, os.Args[1:]...)
|
||||
cmd.Stdin = os.Stdin
|
||||
cmd.Stdout = os.Stdout
|
||||
cmd.Stderr = os.Stderr
|
||||
cmd.Env = os.Environ()
|
||||
|
||||
if err := cmd.Start(); err != nil {
|
||||
return fmt.Errorf("failed to start updated binary: %w", err)
|
||||
}
|
||||
|
||||
// Exit the current process so the new binary takes over.
|
||||
os.Exit(0)
|
||||
return nil // unreachable
|
||||
}
|
||||
295
updates/selfupdate.go
Normal file
295
updates/selfupdate.go
Normal file
@@ -0,0 +1,295 @@
|
||||
package updates
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"crypto/tls"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"runtime"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
// SelfUpdateConfig holds the configuration required to perform a self-update.
|
||||
type SelfUpdateConfig struct {
|
||||
// Endpoint is the base URL of the pangolin server (e.g. "https://app.pangolin.net")
|
||||
Endpoint string
|
||||
// NewtID is the newt client identifier used for authentication.
|
||||
NewtID string
|
||||
// Secret is the newt client secret used for authentication.
|
||||
Secret string
|
||||
// CurrentVersion is the version of the currently running binary.
|
||||
CurrentVersion string
|
||||
// Platform is the OS+arch string embedded at build time via ldflags
|
||||
// (e.g. "linux_amd64", "darwin_arm64"). When non-empty it is used
|
||||
// directly; when empty the value is derived from runtime.GOOS/GOARCH.
|
||||
Platform string
|
||||
// TLSConfig is an optional TLS configuration for the HTTP client (may be nil).
|
||||
TLSConfig *tls.Config
|
||||
}
|
||||
|
||||
// versionResponse mirrors the JSON returned by POST /api/v1/auth/newt/version
|
||||
type versionResponse struct {
|
||||
Data struct {
|
||||
LatestVersion string `json:"latestVersion"`
|
||||
CurrentIsLatest bool `json:"currentIsLatest"`
|
||||
DownloadUrl string `json:"downloadUrl"`
|
||||
Sha256 string `json:"sha256"`
|
||||
} `json:"data"`
|
||||
Success bool `json:"success"`
|
||||
Message string `json:"message"`
|
||||
}
|
||||
|
||||
// isOfficialContainer returns true when the process is running inside an
|
||||
// official Fossorial-built container image. The image sets
|
||||
// NEWT_SYSTEM_SUBSTRATE="CONTAINER" at build time; users running newt in their own
|
||||
// containers (or bare-metal) will not have this variable set.
|
||||
func isOfficialContainer() bool {
|
||||
return os.Getenv("NEWT_SYSTEM_SUBSTRATE") == "CONTAINER"
|
||||
}
|
||||
|
||||
// platform returns the OS+arch string used in the newt release binary names,
|
||||
// e.g. "linux_amd64", "darwin_arm64", "windows_amd64".
|
||||
// It is used as a fallback when no platform was embedded at build time.
|
||||
func platform() string {
|
||||
goarch := runtime.GOARCH
|
||||
goos := runtime.GOOS
|
||||
|
||||
// Map Go arch names to the names used by newt releases
|
||||
archMap := map[string]string{
|
||||
"amd64": "amd64",
|
||||
"arm64": "arm64",
|
||||
"arm": "arm32",
|
||||
"riscv64": "riscv64",
|
||||
}
|
||||
|
||||
arch, ok := archMap[goarch]
|
||||
if !ok {
|
||||
arch = goarch
|
||||
}
|
||||
|
||||
return fmt.Sprintf("%s_%s", goos, arch)
|
||||
}
|
||||
|
||||
// verifySHA256 checks that the file at path has the expected SHA-256 hex digest.
|
||||
func verifySHA256(path, expected string) error {
|
||||
f, err := os.Open(path)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to open file for hashing: %w", err)
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
h := sha256.New()
|
||||
if _, err := io.Copy(h, f); err != nil {
|
||||
return fmt.Errorf("failed to hash file: %w", err)
|
||||
}
|
||||
|
||||
got := hex.EncodeToString(h.Sum(nil))
|
||||
if !strings.EqualFold(got, expected) {
|
||||
return fmt.Errorf("sha256 mismatch: expected %s, got %s", expected, got)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// CheckAndSelfUpdate contacts the pangolin server, checks whether a newer
|
||||
// version of newt is available, downloads it if so, replaces the running
|
||||
// binary on disk, and re-executes from the new binary.
|
||||
//
|
||||
// It returns an error when the check or update fails. On a successful update
|
||||
// the function does not return – the process is replaced by the new binary via
|
||||
// syscall.Exec.
|
||||
func CheckAndSelfUpdate(cfg SelfUpdateConfig) error {
|
||||
logger.Debug("checkAndSelfUpdate: starting update check (currentVersion=%s)", cfg.CurrentVersion)
|
||||
|
||||
if isOfficialContainer() {
|
||||
logger.Debug("checkAndSelfUpdate: running inside official container, skipping auto-update")
|
||||
return fmt.Errorf("auto-update is not supported in official Fossorial container images; pull a new image tag instead")
|
||||
}
|
||||
|
||||
if cfg.CurrentVersion == "version_replaceme" {
|
||||
logger.Debug("checkAndSelfUpdate: development build detected, skipping auto-update")
|
||||
return fmt.Errorf("cannot auto-update a development build (version_replaceme)")
|
||||
}
|
||||
|
||||
baseEndpoint := strings.TrimRight(cfg.Endpoint, "/")
|
||||
|
||||
// Build the HTTP client.
|
||||
httpClient := &http.Client{Timeout: 30 * time.Second}
|
||||
if cfg.TLSConfig != nil {
|
||||
httpClient.Transport = &http.Transport{TLSClientConfig: cfg.TLSConfig}
|
||||
}
|
||||
|
||||
// Check the current binary path before we do anything else so we can fail
|
||||
// fast if the executable path cannot be determined.
|
||||
exePath, err := os.Executable()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to determine current executable path: %w", err)
|
||||
}
|
||||
exePath, err = filepath.EvalSymlinks(exePath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to resolve symlinks for executable path: %w", err)
|
||||
}
|
||||
logger.Debug("checkAndSelfUpdate: current executable path: %s", exePath)
|
||||
|
||||
// --- Step 1: Ask the server for the latest version ---
|
||||
plat := cfg.Platform
|
||||
if plat == "" {
|
||||
plat = platform()
|
||||
}
|
||||
logger.Debug("checkAndSelfUpdate: querying server for latest version (platform=%s, endpoint=%s)", plat, baseEndpoint)
|
||||
reqBody, err := json.Marshal(map[string]string{
|
||||
"newtId": cfg.NewtID,
|
||||
"secret": cfg.Secret,
|
||||
"platform": plat,
|
||||
})
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to marshal version request: %w", err)
|
||||
}
|
||||
|
||||
versionURL, err := url.JoinPath(baseEndpoint, "/api/v1/auth/newt/version")
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to build version URL: %w", err)
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||
defer cancel()
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, "POST", versionURL, bytes.NewBuffer(reqBody))
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create version request: %w", err)
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
req.Header.Set("X-CSRF-Token", "x-csrf-protection")
|
||||
|
||||
resp, err := httpClient.Do(req)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to request version info: %w", err)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode == http.StatusNoContent { // updates are disabled
|
||||
logger.Debug("checkAndSelfUpdate: server indicated updates are disabled (204 No Content)")
|
||||
return nil
|
||||
}
|
||||
|
||||
if resp.StatusCode == http.StatusNotFound { // older server without version endpoint
|
||||
logger.Debug("checkAndSelfUpdate: server does not support version endpoint (404 Not Found), skipping")
|
||||
return nil
|
||||
}
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
body, _ := io.ReadAll(resp.Body)
|
||||
return fmt.Errorf("server returned status %d: %s", resp.StatusCode, string(body))
|
||||
}
|
||||
|
||||
var verResp versionResponse
|
||||
if err := json.NewDecoder(resp.Body).Decode(&verResp); err != nil {
|
||||
return fmt.Errorf("failed to parse version response: %w", err)
|
||||
}
|
||||
|
||||
if !verResp.Success {
|
||||
return fmt.Errorf("server error: %s", verResp.Message)
|
||||
}
|
||||
|
||||
if verResp.Data.CurrentIsLatest {
|
||||
logger.Debug("checkAndSelfUpdate: already up to date (%s)", cfg.CurrentVersion)
|
||||
return nil
|
||||
}
|
||||
|
||||
logger.Debug("checkAndSelfUpdate: update available %s → %s", cfg.CurrentVersion, verResp.Data.LatestVersion)
|
||||
|
||||
// --- Pre-download: verify we can write to the binary's directory ---
|
||||
// Do this before downloading so a permission failure doesn't waste bandwidth.
|
||||
exeDir := filepath.Dir(exePath)
|
||||
logger.Debug("checkAndSelfUpdate: verifying write access to %s", exeDir)
|
||||
writeTestFile, err := os.CreateTemp(exeDir, ".newt-write-test-*")
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot write to %s (you may need to run as root or with elevated permissions): %w", exeDir, err)
|
||||
}
|
||||
writeTestFile.Close()
|
||||
_ = os.Remove(writeTestFile.Name())
|
||||
|
||||
// --- Step 2: Download the new binary ---
|
||||
logger.Debug("checkAndSelfUpdate: beginning download of new binary")
|
||||
dlCtx, dlCancel := context.WithTimeout(context.Background(), 5*time.Minute)
|
||||
defer dlCancel()
|
||||
|
||||
dlReq, err := http.NewRequestWithContext(dlCtx, "GET", verResp.Data.DownloadUrl, nil)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create download request: %w", err)
|
||||
}
|
||||
|
||||
dlResp, err := httpClient.Do(dlReq)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to download new binary: %w", err)
|
||||
}
|
||||
defer dlResp.Body.Close()
|
||||
|
||||
if dlResp.StatusCode != http.StatusOK {
|
||||
return fmt.Errorf("download failed with status %d", dlResp.StatusCode)
|
||||
}
|
||||
|
||||
// Write to a temp file in the same directory as the current binary so that
|
||||
// an atomic rename works even across filesystem boundaries.
|
||||
tmpFile, err := os.CreateTemp(exeDir, ".newt-update-*")
|
||||
tmpPath := tmpFile.Name()
|
||||
|
||||
// Ensure the temp file is cleaned up on any error path.
|
||||
defer func() {
|
||||
_ = os.Remove(tmpPath)
|
||||
}()
|
||||
|
||||
if _, err := io.Copy(tmpFile, dlResp.Body); err != nil {
|
||||
_ = tmpFile.Close()
|
||||
return fmt.Errorf("failed to write downloaded binary: %w", err)
|
||||
}
|
||||
if err := tmpFile.Close(); err != nil {
|
||||
return fmt.Errorf("failed to close temp file: %w", err)
|
||||
}
|
||||
|
||||
// --- Verify SHA256 checksum if the server provided one ---
|
||||
if verResp.Data.Sha256 != "" {
|
||||
logger.Debug("checkAndSelfUpdate: verifying SHA256 checksum")
|
||||
if err := verifySHA256(tmpPath, verResp.Data.Sha256); err != nil {
|
||||
return fmt.Errorf("binary integrity check failed: %w", err)
|
||||
}
|
||||
logger.Debug("checkAndSelfUpdate: SHA256 checksum verified")
|
||||
} else {
|
||||
logger.Debug("checkAndSelfUpdate: no SHA256 checksum provided by server, skipping verification")
|
||||
}
|
||||
|
||||
// Make the new binary executable.
|
||||
if err := os.Chmod(tmpPath, 0755); err != nil {
|
||||
return fmt.Errorf("failed to set executable permission: %w", err)
|
||||
}
|
||||
|
||||
// --- Step 3: Replace the running binary ---
|
||||
// On Unix an atomic rename works even while the file is running.
|
||||
logger.Debug("checkAndSelfUpdate: replacing binary at %s", exePath)
|
||||
if err := os.Rename(tmpPath, exePath); err != nil {
|
||||
return fmt.Errorf("failed to replace binary (you may need to run as root): %w", err)
|
||||
}
|
||||
|
||||
systemSubstrate := os.Getenv("NEWT_SYSTEM_SUBSTRATE")
|
||||
logger.Debug("checkAndSelfUpdate: system substrate: %s", systemSubstrate)
|
||||
if systemSubstrate == "ADVANTECH_ROUTER_APP" {
|
||||
pidFile := os.Getenv("NEWT_PID_FILE")
|
||||
if err := postUpdateAdvantech(verResp.Data.LatestVersion, pidFile); err != nil {
|
||||
logger.Debug("checkAndSelfUpdate: advantech post-update steps failed: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// --- Step 4: Re-exec ---
|
||||
logger.Debug("checkAndSelfUpdate: re-executing new binary")
|
||||
return reexec(exePath)
|
||||
}
|
||||
@@ -119,7 +119,7 @@ func CheckForUpdate(owner, repo, currentVersion string) error {
|
||||
|
||||
// Check if update is available
|
||||
if currentVer.isNewer(latestVer) {
|
||||
printUpdateBanner(currentVer.String(), latestVer.String(), release.HTMLURL)
|
||||
printUpdateBanner(currentVer.String(), latestVer.String(), "curl -fsSL https://static.pangolin.net/get-newt.sh | bash")
|
||||
}
|
||||
|
||||
return nil
|
||||
@@ -145,7 +145,7 @@ func printUpdateBanner(currentVersion, latestVersion, releaseURL string) {
|
||||
"║ A newer version is available! Please update to get the" + padRight("", contentWidth-56) + "║",
|
||||
"║ latest features, bug fixes, and security improvements." + padRight("", contentWidth-56) + "║",
|
||||
emptyLine,
|
||||
"║ Release URL: " + padRight(releaseURL, contentWidth-15) + "║",
|
||||
"║ Update: " + padRight(releaseURL, contentWidth-10) + "║",
|
||||
emptyLine,
|
||||
borderBot,
|
||||
}
|
||||
|
||||
107
util/util.go
107
util/util.go
@@ -1,6 +1,7 @@
|
||||
package util
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"encoding/binary"
|
||||
"encoding/hex"
|
||||
@@ -14,6 +15,99 @@ import (
|
||||
"golang.zx2c4.com/wireguard/device"
|
||||
)
|
||||
|
||||
func ResolveDomainUpstream(domain string, publicDNS []string) (string, error) {
|
||||
// trim whitespace
|
||||
domain = strings.TrimSpace(domain)
|
||||
|
||||
// Remove any protocol prefix if present (do this first, before splitting host/port)
|
||||
domain = strings.TrimPrefix(domain, "http://")
|
||||
domain = strings.TrimPrefix(domain, "https://")
|
||||
|
||||
// if there are any trailing slashes, remove them
|
||||
domain = strings.TrimSuffix(domain, "/")
|
||||
|
||||
// Check if there's a port in the domain
|
||||
host, port, err := net.SplitHostPort(domain)
|
||||
if err != nil {
|
||||
// No port found, use the domain as is
|
||||
host = domain
|
||||
port = ""
|
||||
}
|
||||
|
||||
// Check if host is already an IP address (IPv4 or IPv6)
|
||||
// For IPv6, the host from SplitHostPort will already have brackets stripped
|
||||
// but if there was no port, we need to handle bracketed IPv6 addresses
|
||||
cleanHost := strings.TrimPrefix(strings.TrimSuffix(host, "]"), "[")
|
||||
if ip := net.ParseIP(cleanHost); ip != nil {
|
||||
// It's already an IP address, no need to resolve
|
||||
ipAddr := ip.String()
|
||||
if port != "" {
|
||||
return net.JoinHostPort(ipAddr, port), nil
|
||||
}
|
||||
return ipAddr, nil
|
||||
}
|
||||
|
||||
// Lookup IP addresses using the upstream DNS servers if provided
|
||||
var ips []net.IP
|
||||
if len(publicDNS) > 0 {
|
||||
var lastErr error
|
||||
for _, server := range publicDNS {
|
||||
// Ensure the upstream DNS address has a port
|
||||
dnsAddr := server
|
||||
if _, _, err := net.SplitHostPort(dnsAddr); err != nil {
|
||||
// No port specified, default to 53
|
||||
dnsAddr = net.JoinHostPort(server, "53")
|
||||
}
|
||||
|
||||
resolver := &net.Resolver{
|
||||
PreferGo: true,
|
||||
Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
|
||||
d := net.Dialer{}
|
||||
return d.DialContext(ctx, "udp", dnsAddr)
|
||||
},
|
||||
}
|
||||
ips, lastErr = resolver.LookupIP(context.Background(), "ip", host)
|
||||
if lastErr == nil {
|
||||
break
|
||||
}
|
||||
}
|
||||
if lastErr != nil {
|
||||
return "", fmt.Errorf("DNS lookup failed using all upstream servers: %v", lastErr)
|
||||
}
|
||||
} else {
|
||||
ips, err = net.LookupIP(host)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("DNS lookup failed: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
if len(ips) == 0 {
|
||||
return "", fmt.Errorf("no IP addresses found for domain %s", host)
|
||||
}
|
||||
|
||||
// Get the first IPv4 address if available
|
||||
var ipAddr string
|
||||
for _, ip := range ips {
|
||||
if ipv4 := ip.To4(); ipv4 != nil {
|
||||
ipAddr = ipv4.String()
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
// If no IPv4 found, use the first IP (might be IPv6)
|
||||
if ipAddr == "" {
|
||||
ipAddr = ips[0].String()
|
||||
}
|
||||
|
||||
// Add port back if it existed
|
||||
if port != "" {
|
||||
ipAddr = net.JoinHostPort(ipAddr, port)
|
||||
}
|
||||
|
||||
return ipAddr, nil
|
||||
}
|
||||
|
||||
|
||||
func ResolveDomain(domain string) (string, error) {
|
||||
// trim whitespace
|
||||
domain = strings.TrimSpace(domain)
|
||||
@@ -33,6 +127,19 @@ func ResolveDomain(domain string) (string, error) {
|
||||
port = ""
|
||||
}
|
||||
|
||||
// Check if host is already an IP address (IPv4 or IPv6)
|
||||
// For IPv6, the host from SplitHostPort will already have brackets stripped
|
||||
// but if there was no port, we need to handle bracketed IPv6 addresses
|
||||
cleanHost := strings.TrimPrefix(strings.TrimSuffix(host, "]"), "[")
|
||||
if ip := net.ParseIP(cleanHost); ip != nil {
|
||||
// It's already an IP address, no need to resolve
|
||||
ipAddr := ip.String()
|
||||
if port != "" {
|
||||
return net.JoinHostPort(ipAddr, port), nil
|
||||
}
|
||||
return ipAddr, nil
|
||||
}
|
||||
|
||||
// Lookup IP addresses
|
||||
ips, err := net.LookupIP(host)
|
||||
if err != nil {
|
||||
|
||||
@@ -2,6 +2,7 @@ package websocket
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"compress/gzip"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/json"
|
||||
@@ -37,16 +38,22 @@ type Client struct {
|
||||
isConnected bool
|
||||
reconnectMux sync.RWMutex
|
||||
pingInterval time.Duration
|
||||
pingTimeout time.Duration
|
||||
onConnect func() error
|
||||
onTokenUpdate func(token string)
|
||||
writeMux sync.Mutex
|
||||
clientType string // Type of client (e.g., "newt", "olm")
|
||||
configFilePath string // Optional override for the config file path
|
||||
tlsConfig TLSConfig
|
||||
metricsCtxMu sync.RWMutex
|
||||
metricsCtx context.Context
|
||||
configNeedsSave bool // Flag to track if config needs to be saved
|
||||
serverVersion string
|
||||
configVersion int64 // Latest config version received from server
|
||||
configVersionMux sync.RWMutex
|
||||
processingMessage bool // Flag to track if a message is currently being processed
|
||||
processingMux sync.RWMutex // Protects processingMessage
|
||||
processingWg sync.WaitGroup // WaitGroup to wait for message processing to complete
|
||||
justProvisioned bool // Set to true when provisionIfNeeded exchanges a key for permanent credentials
|
||||
}
|
||||
|
||||
type ClientOption func(*Client)
|
||||
@@ -72,6 +79,12 @@ func WithBaseURL(url string) ClientOption {
|
||||
}
|
||||
|
||||
// WithTLSConfig sets the TLS configuration for the client
|
||||
func WithConfigFile(path string) ClientOption {
|
||||
return func(c *Client) {
|
||||
c.configFilePath = path
|
||||
}
|
||||
}
|
||||
|
||||
func WithTLSConfig(config TLSConfig) ClientOption {
|
||||
return func(c *Client) {
|
||||
c.tlsConfig = config
|
||||
@@ -90,6 +103,16 @@ func (c *Client) OnTokenUpdate(callback func(token string)) {
|
||||
c.onTokenUpdate = callback
|
||||
}
|
||||
|
||||
// WasJustProvisioned reports whether the client exchanged a provisioning key
|
||||
// for permanent credentials during the most recent connection attempt. It
|
||||
// consumes the flag – subsequent calls return false until provisioning occurs
|
||||
// again (which, in practice, never happens once credentials are persisted).
|
||||
func (c *Client) WasJustProvisioned() bool {
|
||||
v := c.justProvisioned
|
||||
c.justProvisioned = false
|
||||
return v
|
||||
}
|
||||
|
||||
func (c *Client) metricsContext() context.Context {
|
||||
c.metricsCtxMu.RLock()
|
||||
defer c.metricsCtxMu.RUnlock()
|
||||
@@ -111,7 +134,7 @@ func (c *Client) MetricsContext() context.Context {
|
||||
}
|
||||
|
||||
// NewClient creates a new websocket client
|
||||
func NewClient(clientType string, ID, secret string, endpoint string, pingInterval time.Duration, pingTimeout time.Duration, opts ...ClientOption) (*Client, error) {
|
||||
func NewClient(clientType string, ID, secret string, endpoint string, pingInterval time.Duration, opts ...ClientOption) (*Client, error) {
|
||||
config := &Config{
|
||||
ID: ID,
|
||||
Secret: secret,
|
||||
@@ -126,7 +149,6 @@ func NewClient(clientType string, ID, secret string, endpoint string, pingInterv
|
||||
reconnectInterval: 3 * time.Second,
|
||||
isConnected: false,
|
||||
pingInterval: pingInterval,
|
||||
pingTimeout: pingTimeout,
|
||||
clientType: clientType,
|
||||
}
|
||||
|
||||
@@ -150,10 +172,29 @@ func (c *Client) GetConfig() *Config {
|
||||
return c.config
|
||||
}
|
||||
|
||||
// GetConfigFilePath returns the resolved path to the config file used by this client.
|
||||
func (c *Client) GetConfigFilePath() string {
|
||||
return getConfigPath(c.clientType, c.configFilePath)
|
||||
}
|
||||
|
||||
func (c *Client) GetServerVersion() string {
|
||||
return c.serverVersion
|
||||
}
|
||||
|
||||
// GetConfigVersion returns the latest config version received from server
|
||||
func (c *Client) GetConfigVersion() int64 {
|
||||
c.configVersionMux.RLock()
|
||||
defer c.configVersionMux.RUnlock()
|
||||
return c.configVersion
|
||||
}
|
||||
|
||||
// setConfigVersion updates the config version
|
||||
func (c *Client) setConfigVersion(version int64) {
|
||||
c.configVersionMux.Lock()
|
||||
defer c.configVersionMux.Unlock()
|
||||
c.configVersion = version
|
||||
}
|
||||
|
||||
// Connect establishes the WebSocket connection
|
||||
func (c *Client) Connect() error {
|
||||
go c.connectWithRetry()
|
||||
@@ -235,13 +276,17 @@ func (c *Client) SendMessageInterval(messageType string, data interface{}, inter
|
||||
stopChan := make(chan struct{})
|
||||
go func() {
|
||||
count := 0
|
||||
maxAttempts := 10
|
||||
maxAttempts := 16
|
||||
|
||||
c.reconnectMux.RLock()
|
||||
connected := c.isConnected
|
||||
c.reconnectMux.RUnlock()
|
||||
err := c.SendMessage(messageType, data) // Send immediately
|
||||
if err != nil {
|
||||
logger.Error("Failed to send initial message: %v", err)
|
||||
} else if connected {
|
||||
count++
|
||||
}
|
||||
count++
|
||||
|
||||
ticker := time.NewTicker(interval)
|
||||
defer ticker.Stop()
|
||||
@@ -252,11 +297,15 @@ func (c *Client) SendMessageInterval(messageType string, data interface{}, inter
|
||||
logger.Info("SendMessageInterval timed out after %d attempts for message type: %s", maxAttempts, messageType)
|
||||
return
|
||||
}
|
||||
c.reconnectMux.RLock()
|
||||
connected = c.isConnected
|
||||
c.reconnectMux.RUnlock()
|
||||
err = c.SendMessage(messageType, data)
|
||||
if err != nil {
|
||||
logger.Error("Failed to send message: %v", err)
|
||||
} else if connected {
|
||||
count++
|
||||
}
|
||||
count++
|
||||
case <-stopChan:
|
||||
return
|
||||
}
|
||||
@@ -463,6 +512,11 @@ func (c *Client) connectWithRetry() {
|
||||
func (c *Client) establishConnection() error {
|
||||
ctx := context.Background()
|
||||
|
||||
// Exchange provisioning key for permanent credentials if needed.
|
||||
if err := c.provisionIfNeeded(); err != nil {
|
||||
return fmt.Errorf("failed to provision newt credentials: %w", err)
|
||||
}
|
||||
|
||||
// Get token for authentication
|
||||
token, err := c.getToken()
|
||||
if err != nil {
|
||||
@@ -641,7 +695,61 @@ func (c *Client) setupPKCS12TLS() (*tls.Config, error) {
|
||||
}
|
||||
|
||||
// pingMonitor sends pings at a short interval and triggers reconnect on failure
|
||||
func (c *Client) sendPing() {
|
||||
if c.conn == nil {
|
||||
return
|
||||
}
|
||||
|
||||
// Skip ping if a message is currently being processed
|
||||
c.processingMux.RLock()
|
||||
isProcessing := c.processingMessage
|
||||
c.processingMux.RUnlock()
|
||||
if isProcessing {
|
||||
logger.Debug("Skipping ping, message is being processed")
|
||||
return
|
||||
}
|
||||
|
||||
c.configVersionMux.RLock()
|
||||
configVersion := c.configVersion
|
||||
c.configVersionMux.RUnlock()
|
||||
|
||||
pingMsg := WSMessage{
|
||||
Type: "newt/ping",
|
||||
Data: map[string]interface{}{},
|
||||
ConfigVersion: configVersion,
|
||||
}
|
||||
|
||||
c.writeMux.Lock()
|
||||
if c.conn == nil {
|
||||
c.writeMux.Unlock()
|
||||
return
|
||||
}
|
||||
err := c.conn.WriteJSON(pingMsg)
|
||||
if err == nil {
|
||||
telemetry.IncWSMessage(c.metricsContext(), "out", "ping")
|
||||
}
|
||||
c.writeMux.Unlock()
|
||||
|
||||
if err != nil {
|
||||
// Check if we're shutting down before logging error and reconnecting
|
||||
select {
|
||||
case <-c.done:
|
||||
// Expected during shutdown
|
||||
return
|
||||
default:
|
||||
logger.Error("Ping failed: %v", err)
|
||||
telemetry.IncWSKeepaliveFailure(c.metricsContext(), "ping_write")
|
||||
telemetry.IncWSReconnect(c.metricsContext(), "ping_write")
|
||||
c.reconnect()
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (c *Client) pingMonitor() {
|
||||
// Send an immediate ping as soon as we connect
|
||||
c.sendPing()
|
||||
|
||||
ticker := time.NewTicker(c.pingInterval)
|
||||
defer ticker.Stop()
|
||||
|
||||
@@ -650,29 +758,7 @@ func (c *Client) pingMonitor() {
|
||||
case <-c.done:
|
||||
return
|
||||
case <-ticker.C:
|
||||
if c.conn == nil {
|
||||
return
|
||||
}
|
||||
c.writeMux.Lock()
|
||||
err := c.conn.WriteControl(websocket.PingMessage, []byte{}, time.Now().Add(c.pingTimeout))
|
||||
if err == nil {
|
||||
telemetry.IncWSMessage(c.metricsContext(), "out", "ping")
|
||||
}
|
||||
c.writeMux.Unlock()
|
||||
if err != nil {
|
||||
// Check if we're shutting down before logging error and reconnecting
|
||||
select {
|
||||
case <-c.done:
|
||||
// Expected during shutdown
|
||||
return
|
||||
default:
|
||||
logger.Error("Ping failed: %v", err)
|
||||
telemetry.IncWSKeepaliveFailure(c.metricsContext(), "ping_write")
|
||||
telemetry.IncWSReconnect(c.metricsContext(), "ping_write")
|
||||
c.reconnect()
|
||||
return
|
||||
}
|
||||
}
|
||||
c.sendPing()
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -709,10 +795,13 @@ func (c *Client) readPumpWithDisconnectDetection(started time.Time) {
|
||||
disconnectResult = "success"
|
||||
return
|
||||
default:
|
||||
var msg WSMessage
|
||||
err := c.conn.ReadJSON(&msg)
|
||||
msgType, p, err := c.conn.ReadMessage()
|
||||
if err == nil {
|
||||
telemetry.IncWSMessage(c.metricsContext(), "in", "text")
|
||||
if msgType == websocket.BinaryMessage {
|
||||
telemetry.IncWSMessage(c.metricsContext(), "in", "binary")
|
||||
} else {
|
||||
telemetry.IncWSMessage(c.metricsContext(), "in", "text")
|
||||
}
|
||||
}
|
||||
if err != nil {
|
||||
// Check if we're shutting down before logging error
|
||||
@@ -737,9 +826,47 @@ func (c *Client) readPumpWithDisconnectDetection(started time.Time) {
|
||||
}
|
||||
}
|
||||
|
||||
// Update config version from incoming message
|
||||
var data []byte
|
||||
if msgType == websocket.BinaryMessage {
|
||||
gr, err := gzip.NewReader(bytes.NewReader(p))
|
||||
if err != nil {
|
||||
logger.Error("WebSocket failed to create gzip reader: %v", err)
|
||||
continue
|
||||
}
|
||||
data, err = io.ReadAll(gr)
|
||||
gr.Close()
|
||||
if err != nil {
|
||||
logger.Error("WebSocket failed to decompress message: %v", err)
|
||||
continue
|
||||
}
|
||||
} else {
|
||||
data = p
|
||||
}
|
||||
|
||||
var msg WSMessage
|
||||
if err = json.Unmarshal(data, &msg); err != nil {
|
||||
logger.Error("WebSocket failed to parse message: %v", err)
|
||||
continue
|
||||
}
|
||||
|
||||
c.setConfigVersion(msg.ConfigVersion)
|
||||
|
||||
c.handlersMux.RLock()
|
||||
if handler, ok := c.handlers[msg.Type]; ok {
|
||||
// Mark that we're processing a message
|
||||
c.processingMux.Lock()
|
||||
c.processingMessage = true
|
||||
c.processingMux.Unlock()
|
||||
c.processingWg.Add(1)
|
||||
|
||||
handler(msg)
|
||||
|
||||
// Mark that we're done processing
|
||||
c.processingWg.Done()
|
||||
c.processingMux.Lock()
|
||||
c.processingMessage = false
|
||||
c.processingMux.Unlock()
|
||||
}
|
||||
c.handlersMux.RUnlock()
|
||||
}
|
||||
@@ -749,10 +876,12 @@ func (c *Client) readPumpWithDisconnectDetection(started time.Time) {
|
||||
func (c *Client) reconnect() {
|
||||
c.setConnected(false)
|
||||
telemetry.SetWSConnectionState(false)
|
||||
c.writeMux.Lock()
|
||||
if c.conn != nil {
|
||||
c.conn.Close()
|
||||
c.conn = nil
|
||||
}
|
||||
c.writeMux.Unlock()
|
||||
|
||||
// Only reconnect if we're not shutting down
|
||||
select {
|
||||
@@ -807,3 +936,19 @@ func loadClientCertificate(p12Path string) (*tls.Config, error) {
|
||||
RootCAs: rootCAs,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// BuildTLSConfig creates a *tls.Config from the provided certificate files.
|
||||
// Pass empty strings / nil slice for fields that are not used.
|
||||
// Returns nil, nil when no TLS credentials are provided.
|
||||
func BuildTLSConfig(certFile, keyFile string, caFiles []string, pkcs12File string) (*tls.Config, error) {
|
||||
c := &Client{
|
||||
tlsConfig: TLSConfig{
|
||||
ClientCertFile: certFile,
|
||||
ClientKeyFile: keyFile,
|
||||
CAFiles: caFiles,
|
||||
PKCS12File: pkcs12File,
|
||||
},
|
||||
config: &Config{},
|
||||
}
|
||||
return c.setupTLS()
|
||||
}
|
||||
|
||||
@@ -1,16 +1,28 @@
|
||||
package websocket
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"encoding/json"
|
||||
"log"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"regexp"
|
||||
"runtime"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/fosrl/newt/logger"
|
||||
)
|
||||
|
||||
func getConfigPath(clientType string) string {
|
||||
func getConfigPath(clientType string, overridePath string) string {
|
||||
if overridePath != "" {
|
||||
return overridePath
|
||||
}
|
||||
configFile := os.Getenv("CONFIG_FILE")
|
||||
if configFile == "" {
|
||||
var configDir string
|
||||
@@ -25,7 +37,7 @@ func getConfigPath(clientType string) string {
|
||||
}
|
||||
|
||||
if err := os.MkdirAll(configDir, 0755); err != nil {
|
||||
log.Printf("Failed to create config directory: %v", err)
|
||||
logger.Debug("Failed to create config directory: %v", err)
|
||||
}
|
||||
|
||||
return filepath.Join(configDir, "config.json")
|
||||
@@ -36,7 +48,7 @@ func getConfigPath(clientType string) string {
|
||||
|
||||
func (c *Client) loadConfig() error {
|
||||
originalConfig := *c.config // Store original config to detect changes
|
||||
configPath := getConfigPath(c.clientType)
|
||||
configPath := getConfigPath(c.clientType, c.configFilePath)
|
||||
|
||||
if c.config.ID != "" && c.config.Secret != "" && c.config.Endpoint != "" {
|
||||
logger.Debug("Config already provided, skipping loading from file")
|
||||
@@ -58,6 +70,11 @@ func (c *Client) loadConfig() error {
|
||||
}
|
||||
return err
|
||||
}
|
||||
if len(bytes.TrimSpace(data)) == 0 {
|
||||
logger.Info("Config file at %s is empty, will initialize it with provided values", configPath)
|
||||
c.configNeedsSave = true
|
||||
return nil
|
||||
}
|
||||
|
||||
var config Config
|
||||
if err := json.Unmarshal(data, &config); err != nil {
|
||||
@@ -83,6 +100,14 @@ func (c *Client) loadConfig() error {
|
||||
c.config.Endpoint = config.Endpoint
|
||||
c.baseURL = config.Endpoint
|
||||
}
|
||||
// Always load the provisioning key from the file if not already set
|
||||
if c.config.ProvisioningKey == "" {
|
||||
c.config.ProvisioningKey = config.ProvisioningKey
|
||||
}
|
||||
// Always load the name from the file if not already set
|
||||
if c.config.Name == "" {
|
||||
c.config.Name = config.Name
|
||||
}
|
||||
|
||||
// Check if CLI args provided values that override file values
|
||||
if (!fileHadID && originalConfig.ID != "") ||
|
||||
@@ -105,7 +130,7 @@ func (c *Client) saveConfig() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
configPath := getConfigPath(c.clientType)
|
||||
configPath := getConfigPath(c.clientType, c.configFilePath)
|
||||
data, err := json.MarshalIndent(c.config, "", " ")
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -118,3 +143,139 @@ func (c *Client) saveConfig() error {
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
// interpolateString replaces {{env.VAR}} tokens in s with the corresponding
|
||||
// environment variable values. Tokens that do not match a supported scheme are
|
||||
// left unchanged, mirroring the blueprint interpolation logic.
|
||||
func interpolateString(s string) string {
|
||||
re := regexp.MustCompile(`\{\{([^}]+)\}\}`)
|
||||
return re.ReplaceAllStringFunc(s, func(match string) string {
|
||||
inner := strings.TrimSpace(match[2 : len(match)-2])
|
||||
if strings.HasPrefix(inner, "env.") {
|
||||
varName := strings.TrimPrefix(inner, "env.")
|
||||
return os.Getenv(varName)
|
||||
}
|
||||
return match
|
||||
})
|
||||
}
|
||||
|
||||
// provisionIfNeeded checks whether a provisioning key is present and, if so,
|
||||
// exchanges it for a newt ID and secret by calling the registration endpoint.
|
||||
// On success the config is updated in-place and flagged for saving so that
|
||||
// subsequent runs use the permanent credentials directly.
|
||||
func (c *Client) provisionIfNeeded() error {
|
||||
if c.config.ProvisioningKey == "" {
|
||||
return nil
|
||||
}
|
||||
|
||||
// If we already have both credentials there is nothing to provision.
|
||||
if c.config.ID != "" && c.config.Secret != "" {
|
||||
logger.Debug("Credentials already present, skipping provisioning")
|
||||
return nil
|
||||
}
|
||||
|
||||
logger.Info("Provisioning key found – exchanging for newt credentials...")
|
||||
|
||||
baseURL, err := url.Parse(c.baseURL)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to parse base URL for provisioning: %w", err)
|
||||
}
|
||||
baseEndpoint := strings.TrimRight(baseURL.String(), "/")
|
||||
|
||||
// Interpolate any {{env.VAR}} tokens in the name before sending.
|
||||
name := interpolateString(c.config.Name)
|
||||
|
||||
reqBody := map[string]interface{}{
|
||||
"provisioningKey": c.config.ProvisioningKey,
|
||||
}
|
||||
if name != "" {
|
||||
reqBody["name"] = name
|
||||
}
|
||||
jsonData, err := json.Marshal(reqBody)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to marshal provisioning request: %w", err)
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||
defer cancel()
|
||||
|
||||
req, err := http.NewRequestWithContext(
|
||||
ctx,
|
||||
"POST",
|
||||
baseEndpoint+"/api/v1/auth/newt/register",
|
||||
bytes.NewBuffer(jsonData),
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create provisioning request: %w", err)
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
req.Header.Set("X-CSRF-Token", "x-csrf-protection")
|
||||
|
||||
// Mirror the TLS setup used by getToken so mTLS / self-signed CAs work.
|
||||
var tlsCfg *tls.Config
|
||||
if c.tlsConfig.ClientCertFile != "" || c.tlsConfig.ClientKeyFile != "" ||
|
||||
len(c.tlsConfig.CAFiles) > 0 || c.tlsConfig.PKCS12File != "" {
|
||||
tlsCfg, err = c.setupTLS()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to setup TLS for provisioning: %w", err)
|
||||
}
|
||||
}
|
||||
if os.Getenv("SKIP_TLS_VERIFY") == "true" {
|
||||
if tlsCfg == nil {
|
||||
tlsCfg = &tls.Config{}
|
||||
}
|
||||
tlsCfg.InsecureSkipVerify = true
|
||||
logger.Debug("TLS certificate verification disabled for provisioning via SKIP_TLS_VERIFY")
|
||||
}
|
||||
|
||||
httpClient := &http.Client{}
|
||||
if tlsCfg != nil {
|
||||
httpClient.Transport = &http.Transport{TLSClientConfig: tlsCfg}
|
||||
}
|
||||
|
||||
resp, err := httpClient.Do(req)
|
||||
if err != nil {
|
||||
return fmt.Errorf("provisioning request failed: %w", err)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
body, _ := io.ReadAll(resp.Body)
|
||||
logger.Debug("Provisioning response body: %s", string(body))
|
||||
|
||||
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
|
||||
return fmt.Errorf("provisioning endpoint returned status %d: %s", resp.StatusCode, string(body))
|
||||
}
|
||||
|
||||
var provResp ProvisioningResponse
|
||||
if err := json.Unmarshal(body, &provResp); err != nil {
|
||||
return fmt.Errorf("failed to decode provisioning response: %w", err)
|
||||
}
|
||||
|
||||
if !provResp.Success {
|
||||
return fmt.Errorf("provisioning failed: %s", provResp.Message)
|
||||
}
|
||||
|
||||
if provResp.Data.NewtID == "" || provResp.Data.Secret == "" {
|
||||
return fmt.Errorf("provisioning response is missing newt ID or secret")
|
||||
}
|
||||
|
||||
logger.Info("Successfully provisioned – newt ID: %s", provResp.Data.NewtID)
|
||||
|
||||
// Persist the returned credentials and clear the one-time provisioning key
|
||||
// so subsequent runs authenticate normally.
|
||||
c.config.ID = provResp.Data.NewtID
|
||||
c.config.Secret = provResp.Data.Secret
|
||||
c.config.ProvisioningKey = ""
|
||||
c.config.Name = ""
|
||||
c.configNeedsSave = true
|
||||
c.justProvisioned = true
|
||||
|
||||
// Save immediately so that if the subsequent connection attempt fails the
|
||||
// provisioning key is already gone from disk and the next retry uses the
|
||||
// permanent credentials instead of trying to provision again.
|
||||
if err := c.saveConfig(); err != nil {
|
||||
logger.Error("Failed to save config after provisioning: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
35
websocket/config_test.go
Normal file
35
websocket/config_test.go
Normal file
@@ -0,0 +1,35 @@
|
||||
package websocket
|
||||
|
||||
import (
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestLoadConfig_EmptyFileMarksConfigForSave(t *testing.T) {
|
||||
t.Setenv("CONFIG_FILE", "")
|
||||
|
||||
tmpDir := t.TempDir()
|
||||
configPath := filepath.Join(tmpDir, "config.json")
|
||||
if err := os.WriteFile(configPath, []byte(""), 0o644); err != nil {
|
||||
t.Fatalf("failed to create empty config file: %v", err)
|
||||
}
|
||||
|
||||
client := &Client{
|
||||
config: &Config{
|
||||
Endpoint: "https://example.com",
|
||||
ProvisioningKey: "spk-test",
|
||||
},
|
||||
clientType: "newt",
|
||||
configFilePath: configPath,
|
||||
}
|
||||
|
||||
if err := client.loadConfig(); err != nil {
|
||||
t.Fatalf("loadConfig returned error for empty file: %v", err)
|
||||
}
|
||||
|
||||
if !client.configNeedsSave {
|
||||
t.Fatal("expected empty config file to mark configNeedsSave")
|
||||
}
|
||||
}
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user