[ { "path": ".ci/apt-internal.gitlab-ci.yml", "content": ".register_inputs: ®ister_inputs\n stage: release-internal\n runOnBranches: \"^master$\"\n COMPONENT: \"common\"\n\n.register_inputs_stable_bookworm: ®ister_inputs_stable_bookworm\n <<: *register_inputs\n runOnChangesTo: ['RELEASE_NOTES']\n FLAVOR: \"bookworm\"\n SERIES: \"stable\"\n\n.register_inputs_stable_trixie: ®ister_inputs_stable_trixie\n <<: *register_inputs\n runOnChangesTo: ['RELEASE_NOTES']\n FLAVOR: \"trixie\"\n SERIES: \"stable\"\n\n.register_inputs_next_bookworm: ®ister_inputs_next_bookworm\n <<: *register_inputs\n FLAVOR: \"bookworm\"\n SERIES: next\n\n.register_inputs_next_trixie: ®ister_inputs_next_trixie\n <<: *register_inputs\n FLAVOR: \"trixie\"\n SERIES: next\n\n################################################\n### Generate Debian Package for Internal APT ###\n################################################\n.cloudflared-apt-build: &cloudflared_apt_build\n stage: package\n needs:\n - ci-image-get-image-ref\n - linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery\n image: $BUILD_IMAGE\n cache: {}\n script:\n - make cloudflared-deb\n artifacts:\n paths:\n - cloudflared*.deb\n\n##############\n### Stable ###\n##############\ncloudflared-amd64-stable:\n <<: *cloudflared_apt_build\n rules:\n - !reference [.default-rules, run-on-release]\n variables: &amd64-stable-vars\n GOOS: linux\n GOARCH: amd64\n FIPS: true\n ORIGINAL_NAME: true\n CGO_ENABLED: 1\n\ncloudflared-arm64-stable:\n <<: *cloudflared_apt_build\n rules:\n - !reference [.default-rules, run-on-release]\n variables: &arm64-stable-vars\n GOOS: linux\n GOARCH: arm64\n FIPS: false # TUN-7595\n ORIGINAL_NAME: true\n CGO_ENABLED: 1\n\n############\n### Next ###\n############\ncloudflared-amd64-next:\n <<: *cloudflared_apt_build\n rules:\n - !reference [.default-rules, run-on-master]\n variables:\n <<: *amd64-stable-vars\n NIGHTLY: true\n\ncloudflared-arm64-next:\n <<: *cloudflared_apt_build\n rules:\n - !reference [.default-rules, run-on-master]\n variables:\n <<: *arm64-stable-vars\n NIGHTLY: true\n\ninclude:\n - local: .ci/commons.gitlab-ci.yml\n\n ##########################################\n ### Publish Packages to Internal Repos ###\n ##########################################\n # Bookworm AMD64\n - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest\n inputs:\n <<: *register_inputs_stable_bookworm\n jobPrefix: cloudflared-bookworm-amd64\n needs: &amd64-stable [\"cloudflared-amd64-stable\"]\n\n # Bookworm ARM64\n - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest\n inputs:\n <<: *register_inputs_stable_bookworm\n jobPrefix: cloudflared-bookworm-arm64\n needs: &arm64-stable [\"cloudflared-arm64-stable\"]\n\n # Trixie AMD64\n - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest\n inputs:\n <<: *register_inputs_stable_trixie\n jobPrefix: cloudflared-trixie-amd64\n needs: *amd64-stable\n\n # Trixie ARM64\n - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest\n inputs:\n <<: *register_inputs_stable_trixie\n jobPrefix: cloudflared-trixie-arm64\n needs: *arm64-stable\n\n ##################################################\n ### Publish Nightly Packages to Internal Repos ###\n ##################################################\n # Bookworm AMD64\n - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest\n inputs:\n <<: *register_inputs_next_bookworm\n jobPrefix: cloudflared-nightly-bookworm-amd64\n needs: &amd64-next ['cloudflared-amd64-next']\n\n # Bookworm ARM64\n - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest\n inputs:\n <<: *register_inputs_next_bookworm\n jobPrefix: cloudflared-nightly-bookworm-arm64\n needs: &arm64-next ['cloudflared-arm64-next']\n\n # Trixie AMD64\n - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest\n inputs:\n <<: *register_inputs_next_trixie\n jobPrefix: cloudflared-nightly-trixie-amd64\n needs: *amd64-next\n\n # Trixie ARM64\n - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest\n inputs:\n <<: *register_inputs_next_trixie\n jobPrefix: cloudflared-nightly-trixie-arm64\n needs: *arm64-next\n" }, { "path": ".ci/ci-image.gitlab-ci.yml", "content": "# Builds a custom CI Image when necessary\n\ninclude:\n #####################################################\n ############## Build and Push CI Image ##############\n #####################################################\n - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest\n inputs:\n stage: pre-build\n jobPrefix: ci-image\n runOnChangesTo: [\".ci/image/**\"]\n runOnMR: true\n runOnBranches: '^master$'\n commentImageRefs: false\n runner: vm-linux-x86-4cpu-8gb\n EXTRA_DIB_ARGS: \"--manifest=.ci/image/.docker-images\"\n\n #####################################################\n ## Resolve the image reference for downstream jobs ##\n #####################################################\n - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/get-image-ref@~latest\n inputs:\n stage: pre-build\n jobPrefix: ci-image\n runOnMR: true\n runOnBranches: '^master$'\n IMAGE_PATH: \"$REGISTRY_HOST/stash/tun/cloudflared/ci-image/master\"\n VARIABLE_NAME: BUILD_IMAGE\n needs:\n - job: ci-image-build-push-image\n optional: true\n" }, { "path": ".ci/commons.gitlab-ci.yml", "content": "## A set of predefined rules to use on the different jobs\n.default-rules:\n # Rules to run the job only on the master branch\n run-on-master:\n - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH\n when: on_success\n - when: never\n # Rules to run the job only on merge requests\n run-on-mr:\n - if: $CI_COMMIT_TAG\n when: never\n - if: $CI_PIPELINE_SOURCE == \"merge_request_event\"\n when: on_success\n - when: never\n # Rules to run the job on merge_requests and master branch\n run-always:\n - if: $CI_COMMIT_TAG\n when: never\n - if: $CI_PIPELINE_SOURCE == \"merge_request_event\"\n - if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH\n when: on_success\n - when: never\n # Rules to run the job only when a release happens\n run-on-release:\n - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH\n changes:\n - 'RELEASE_NOTES'\n when: on_success\n - when: never\n\n.component-tests:\n image: $BUILD_IMAGE\n rules:\n - !reference [.default-rules, run-always]\n variables:\n COMPONENT_TESTS_CONFIG: component-test-config.yaml\n COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1\n secrets:\n DNS_API_TOKEN:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/component_tests_token/data@kv\n file: false\n COMPONENT_TESTS_ORIGINCERT:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/component_tests_cert_pem/data@kv\n file: false\n cache: {}\n" }, { "path": ".ci/github.gitlab-ci.yml", "content": "include:\n - local: .ci/commons.gitlab-ci.yml\n\n######################################\n### Sync master branch with Github ###\n######################################\npush-github:\n stage: sync\n rules:\n - !reference [.default-rules, run-on-master]\n script:\n - ./.ci/scripts/github-push.sh\n secrets:\n CLOUDFLARED_DEPLOY_SSH_KEY:\n vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv\n file: false\n cache: {}\n" }, { "path": ".ci/image/.docker-images", "content": "images:\n - name: ci-image\n" }, { "path": ".ci/image/Dockerfile", "content": "ARG CLOUDFLARE_DOCKER_REGISTRY_HOST\n\nFROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/trixie/main:2026.1.0@sha256:e32092fd01520f5ae7de1fa6bb5a721720900ebeaa48e98f36f6f86168833cd7\nRUN apt-get update && \\\n apt-get upgrade -y && \\\n apt-get install --no-install-recommends --allow-downgrades -y \\\n build-essential \\\n git \\\n go-boring=1.24.13-1 \\\n libffi-dev \\\n procps \\\n python3-dev \\\n python3-pip \\\n python3-setuptools \\\n python3-venv \\\n # tool to create msi packages\n wixl \\\n # install ruby and rpm which are required to install fpm package builder\n rpm \\\n ruby \\\n ruby-dev \\\n rubygems \\\n # create deb and rpm repository files\n reprepro \\\n createrepo-c \\\n # gcc for cross architecture compilation in arm\n gcc-aarch64-linux-gnu \\\n libc6-dev-arm64-cross && \\\n rm -rf /var/lib/apt/lists/* && \\\n # Install fpm gem\n gem install fpm --no-document && \\\n # Initialize rpm repository, SQL Lite DB\n mkdir -p /var/lib/rpm && \\\n rpm --initdb && \\\n chmod -R 777 /var/lib/rpm && \\\n # Create work directory\n mkdir -p opt\n\nWORKDIR /opt\n" }, { "path": ".ci/linux.gitlab-ci.yml", "content": ".golang-inputs: &golang_inputs\n runOnMR: true\n runOnBranches: \"^master$\"\n outputDir: artifacts\n runner: linux-x86-8cpu-16gb\n stage: build\n golangVersion: \"boring-1.24\"\n imageVersion: \"3462-0b23466e0715@sha256:42e8533370666a2463041572293a79e1449001ef803a993e6a860be00858c806\"\n CGO_ENABLED: 1\n\n.default-packaging-job: &packaging-job-defaults\n stage: package\n needs:\n - ci-image-get-image-ref\n rules:\n - !reference [.default-rules, run-on-master]\n image: $BUILD_IMAGE\n cache: {}\n artifacts:\n paths:\n - artifacts/*\n\ninclude:\n ###################\n ### Linux Build ###\n ###################\n - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest\n inputs:\n <<: *golang_inputs\n jobPrefix: linux-build\n GOLANG_MAKE_TARGET: ci-build\n\n ########################\n ### Linux FIPS Build ###\n ########################\n - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest\n inputs:\n <<: *golang_inputs\n jobPrefix: linux-fips-build\n GOLANG_MAKE_TARGET: ci-fips-build\n\n #################\n ### Unit Tests ##\n #################\n - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest\n inputs:\n <<: *golang_inputs\n stage: test\n jobPrefix: test\n GOLANG_MAKE_TARGET: ci-test\n\n ######################\n ### Unit Tests FIPS ##\n ######################\n - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest\n inputs:\n <<: *golang_inputs\n stage: test\n jobPrefix: test-fips\n GOLANG_MAKE_TARGET: ci-fips-test\n\n #################\n ### Vuln Check ##\n #################\n - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest\n inputs:\n <<: *golang_inputs\n runOnBranches: \"^$\"\n stage: validate\n jobPrefix: vulncheck\n GOLANG_MAKE_TARGET: vulncheck\n\n#################################\n### Run Linux Component Tests ###\n#################################\nlinux-component-tests: &linux-component-tests\n stage: test\n extends: .component-tests\n needs:\n - ci-image-get-image-ref\n - linux-build-boring-make\n script:\n - ./.ci/scripts/component-tests.sh\n variables: &component-tests-variables\n CI: 1\n COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==\n tags:\n - linux-x86-8cpu-16gb\n artifacts:\n reports:\n junit: report.xml\n\n######################################\n### Run Linux FIPS Component Tests ###\n######################################\nlinux-component-tests-fips:\n <<: *linux-component-tests\n needs:\n - ci-image-get-image-ref\n - linux-fips-build-boring-make\n variables:\n <<: *component-tests-variables\n COMPONENT_TESTS_FIPS: 1\n\n################################\n####### Linux Packaging ########\n################################\nlinux-packaging:\n <<: *packaging-job-defaults\n parallel:\n matrix:\n - ARCH: [\"386\", \"amd64\", \"arm\", \"armhf\", \"arm64\"]\n script:\n - ./.ci/scripts/linux/build-packages.sh ${ARCH}\n\n################################\n##### Linux FIPS Packaging #####\n################################\nlinux-packaging-fips:\n <<: *packaging-job-defaults\n script:\n - ./.ci/scripts/linux/build-packages-fips.sh\n" }, { "path": ".ci/mac.gitlab-ci.yml", "content": "include:\n - local: .ci/commons.gitlab-ci.yml\n\n###############################\n### Defaults for Mac Builds ###\n###############################\n.mac-build-defaults: &mac-build-defaults\n rules:\n - !reference [.default-rules, run-on-mr]\n tags:\n - \"macstadium-${RUNNER_ARCH}\"\n parallel:\n matrix:\n - RUNNER_ARCH: [arm, intel]\n cache: {}\n\n######################################\n### Build Cloudflared Mac Binaries ###\n######################################\nmacos-build-cloudflared: &mac-build\n <<: *mac-build-defaults\n stage: build\n artifacts:\n paths:\n - artifacts/*\n script:\n - '[ \"${RUNNER_ARCH}\" = \"arm\" ] && export TARGET_ARCH=arm64'\n - '[ \"${RUNNER_ARCH}\" = \"intel\" ] && export TARGET_ARCH=amd64'\n - ARCH=$(uname -m)\n - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH\n - ./.ci/scripts/mac/install-go.sh \"$MAC_GO_VERSION\"\n - BUILD_SCRIPT=.ci/scripts/mac/build.sh\n - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi\n - set -euo pipefail\n - echo \"Executing ${BUILD_SCRIPT}\"\n - exec ${BUILD_SCRIPT}\n\n###############################################\n### Build and Sign Cloudflared Mac Binaries ###\n###############################################\nmacos-build-and-sign-cloudflared:\n <<: *mac-build\n rules:\n - !reference [.default-rules, run-on-master]\n secrets:\n APPLE_DEV_CA_CERT:\n vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv\n file: false\n CFD_CODE_SIGN_CERT:\n vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv\n file: false\n CFD_CODE_SIGN_KEY:\n vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv\n file: false\n CFD_CODE_SIGN_PASS:\n vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv\n file: false\n CFD_INSTALLER_CERT:\n vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv\n file: false\n CFD_INSTALLER_KEY:\n vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv\n file: false\n CFD_INSTALLER_PASS:\n vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv\n file: false\n" }, { "path": ".ci/release.gitlab-ci.yml", "content": "include:\n - local: .ci/commons.gitlab-ci.yml\n\n ######################################\n ### Build and Push DockerHub Image ###\n ######################################\n - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest\n inputs:\n stage: release\n jobPrefix: docker-hub\n runOnMR: false\n runOnBranches: '^master$'\n runOnChangesTo: ['RELEASE_NOTES']\n needs:\n - generate-version-file\n - release-cloudflared-to-r2\n commentImageRefs: false\n runner: vm-linux-x86-4cpu-8gb\n # Based on if the CI reference is protected or not the CI component will\n # either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing\n # we simply set both to the same value.\n DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045\n DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data\n DOCKER_USER_PROD: *docker-hub-user\n DOCKER_PASSWORD_PROD: *docker-hub-password\n EXTRA_DIB_ARGS: --overwrite\n\n.default-release-job: &release-job-defaults\n stage: release\n image: $BUILD_IMAGE\n cache:\n paths:\n - .cache/pip\n variables: &release-job-variables\n PIP_CACHE_DIR: \"$CI_PROJECT_DIR/.cache/pip\"\n # KV Vars\n KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe\n KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963\n # R2 Vars\n R2_BUCKET: cloudflared-pkgs\n R2_ACCOUNT_ID: *cf-account\n # APT and RPM Repository Vars\n GPG_PUBLIC_KEY_URL: \"https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg\"\n PKG_URL: \"https://pkg.cloudflare.com/cloudflared\"\n BINARY_NAME: cloudflared\n secrets:\n KV_API_TOKEN:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv\n file: false\n API_KEY:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv\n file: false\n R2_CLIENT_ID:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv\n file: false\n R2_CLIENT_SECRET:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv\n file: false\n LINUX_SIGNING_PUBLIC_KEY:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv\n file: false\n LINUX_SIGNING_PRIVATE_KEY:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv\n file: false\n LINUX_SIGNING_PUBLIC_KEY_2:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv\n file: false\n LINUX_SIGNING_PRIVATE_KEY_2:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv\n file: false\n\n###########################################\n### Push Cloudflared Binaries to Github ###\n###########################################\nrelease-cloudflared-to-github:\n <<: *release-job-defaults\n rules:\n - !reference [.default-rules, run-on-release]\n needs:\n - ci-image-get-image-ref\n - linux-packaging\n - linux-packaging-fips\n - macos-build-and-sign-cloudflared\n - windows-package-sign\n script:\n - ./.ci/scripts/release-target.sh github-release\n\n#########################################\n### Upload Cloudflared Binaries to R2 ###\n#########################################\nrelease-cloudflared-to-r2:\n <<: *release-job-defaults\n rules:\n - !reference [.default-rules, run-on-release]\n needs:\n - ci-image-get-image-ref\n - linux-packaging # We only release non-FIPS binaries to R2\n - release-cloudflared-to-github\n script:\n - ./.ci/scripts/release-target.sh r2-linux-release\n\n#################################################\n### Upload Cloudflared Nightly Binaries to R2 ###\n#################################################\nrelease-cloudflared-nightly-to-r2:\n <<: *release-job-defaults\n rules:\n - !reference [.default-rules, run-on-master]\n variables:\n <<: *release-job-variables\n R2_BUCKET: cloudflared-pkgs-next\n GPG_PUBLIC_KEY_URL: \"https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg\"\n PKG_URL: \"https://next.pkg.cloudflare.com/cloudflared\"\n needs:\n - ci-image-get-image-ref\n - linux-packaging # We only release non-FIPS binaries to R2\n script:\n - ./.ci/scripts/release-target.sh r2-linux-release\n\n#############################\n### Generate Version File ###\n#############################\ngenerate-version-file:\n <<: *release-job-defaults\n rules:\n - !reference [.default-rules, run-on-release]\n needs:\n - ci-image-get-image-ref\n script:\n - make generate-docker-version\n artifacts:\n paths:\n - versions\n" }, { "path": ".ci/scripts/component-tests.sh", "content": "#!/bin/bash\nset -e -u -o pipefail\n\n# Fetch cloudflared from the artifacts folder\nmv ./artifacts/cloudflared ./cloudflared\n\npython3 -m venv env\n. env/bin/activate\n\npip install --upgrade -r component-tests/requirements.txt\n\n# Creates and routes a Named Tunnel for this build. Also constructs\n# config file from env vars.\npython3 component-tests/setup.py --type create\n\n# Define the cleanup function\ncleanup() {\n # The Named Tunnel is deleted and its route unprovisioned here.\n python3 component-tests/setup.py --type cleanup\n}\n\n# The trap will call the cleanup function on script exit\ntrap cleanup EXIT\n\npytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml\n" }, { "path": ".ci/scripts/fmt-check.sh", "content": "#!/bin/bash\nset -e -u -o pipefail\n\nOUTPUT=$(go run -mod=readonly golang.org/x/tools/cmd/goimports@v0.30.0 -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))\n\nif [ -n \"$OUTPUT\" ] ; then\n PAGER=$(which colordiff || echo cat)\n echo\n echo \"Code formatting issues found, use 'make fmt' to correct them\"\n echo\n echo \"$OUTPUT\" | $PAGER\n exit 1\nfi\n" }, { "path": ".ci/scripts/github-push.sh", "content": "#!/bin/bash\nset -e -u -o pipefail\n\nBRANCH=\"master\"\nTMP_PATH=\"$PWD/tmp\"\nPRIVATE_KEY_PATH=\"$TMP_PATH/github-deploy-key\"\nPUBLIC_KEY_GITHUB_PATH=\"$TMP_PATH/github.pub\"\n\nmkdir -p $TMP_PATH\n\n# Setup Private Key\necho \"$CLOUDFLARED_DEPLOY_SSH_KEY\" > $PRIVATE_KEY_PATH\nchmod 400 $PRIVATE_KEY_PATH\n\n# Download GitHub Public Key for KnownHostsFile\nssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH\n\n# Setup git ssh command with the right configurations\nexport GIT_SSH_COMMAND=\"ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH\"\n\n# Add GitHub as a new remote\ngit remote add github git@github.com:cloudflare/cloudflared.git || true\n\n# GitLab doesn't pull branch references, instead it creates a new one on each pipeline.\n# Therefore, we need to manually fetch the reference to then push it to GitHub.\ngit fetch origin $BRANCH:$BRANCH\ngit push -u github $BRANCH\n\nif TAG=\"$(git describe --tags --exact-match 2>/dev/null)\"; then\n git push -u github \"$TAG\"\nfi\n" }, { "path": ".ci/scripts/linux/build-packages-fips.sh", "content": "#!/bin/bash\nset -e -u -o pipefail\nVERSION=$(git describe --tags --always --match \"[0-9][0-9][0-9][0-9].*.*\")\necho $VERSION\n\n# This controls the directory the built artifacts go into\nexport ARTIFACT_DIR=artifacts/\nmkdir -p $ARTIFACT_DIR\n\narch=(\"amd64\")\nexport TARGET_ARCH=$arch\nexport TARGET_OS=linux\nexport FIPS=true\n# For BoringCrypto to link, we need CGO enabled. Otherwise compilation fails.\nexport CGO_ENABLED=1\n\nmake cloudflared-deb\nmv cloudflared-fips\\_$VERSION\\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb\n\n# rpm packages invert the - and _ and use x86_64 instead of amd64.\nRPMVERSION=$(echo $VERSION | sed -r 's/-/_/g')\nRPMARCH=\"x86_64\"\nmake cloudflared-rpm\nmv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm\n\n# finally move the linux binary as well.\nmv ./cloudflared $ARTIFACT_DIR/cloudflared-fips-linux-$arch\n" }, { "path": ".ci/scripts/linux/build-packages.sh", "content": "#!/bin/bash\nset -e -u -o pipefail\n\n# Check if architecture argument is provided\nif [ $# -eq 0 ]; then\n echo \"Error: Architecture argument is required\"\n echo \"Usage: $0 \"\n exit 1\nfi\n\n# Parameters\narch=$1\n\n# Get Version\nVERSION=$(git describe --tags --always --match \"[0-9][0-9][0-9][0-9].*.*\")\necho $VERSION\n\n# Disable FIPS module in go-boring\nexport GOEXPERIMENT=noboringcrypto\nexport CGO_ENABLED=0\n\n# This controls the directory the built artifacts go into\nexport ARTIFACT_DIR=artifacts/\nmkdir -p $ARTIFACT_DIR\n\nexport TARGET_OS=linux\n\nunset TARGET_ARM\nexport TARGET_ARCH=$arch\n\n## Support for arm platforms without hardware FPU enabled\nif [[ $arch == arm ]] ; then\n export TARGET_ARCH=arm\n export TARGET_ARM=5\nfi\n\n## Support for armhf builds\nif [[ $arch == armhf ]] ; then\n export TARGET_ARCH=arm\n export TARGET_ARM=7\nfi\n\nmake cloudflared-deb\nmv cloudflared\\_$VERSION\\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb\n\n# rpm packages invert the - and _ and use x86_64 instead of amd64.\nRPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')\nRPMARCH=$arch\nif [ $arch == \"amd64\" ];then\n RPMARCH=\"x86_64\"\nfi\nif [ $arch == \"arm64\" ]; then\n RPMARCH=\"aarch64\"\nfi\nmake cloudflared-rpm\nmv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm\n\n# finally move the linux binary as well.\nmv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch\n\n" }, { "path": ".ci/scripts/mac/build.sh", "content": "#!/bin/bash\n\nset -exo pipefail\n\nif [[ \"$(uname)\" != \"Darwin\" ]] ; then\n echo \"This should be run on macOS\"\n exit 1\nfi\n\nif [[ \"amd64\" != \"${TARGET_ARCH}\" && \"arm64\" != \"${TARGET_ARCH}\" ]]\nthen\n echo \"TARGET_ARCH must be amd64 or arm64\"\n exit 1\nfi\n\ngo version\nexport GO111MODULE=on\n\n# build 'cloudflared-darwin-amd64.tgz'\nmkdir -p artifacts\nTARGET_DIRECTORY=\".build\"\nBINARY_NAME=\"cloudflared\"\nVERSION=$(git describe --tags --always --dirty=\"-dev\")\nPRODUCT=\"cloudflared\"\nAPPLE_CA_CERT=\"apple_dev_ca.cert\"\nCODE_SIGN_PRIV=\"code_sign.p12\"\nCODE_SIGN_CERT=\"code_sign.cer\"\nINSTALLER_PRIV=\"installer.p12\"\nINSTALLER_CERT=\"installer.cer\"\nBUNDLE_ID=\"com.cloudflare.cloudflared\"\nSEC_DUP_MSG=\"security: SecKeychainItemImport: The specified item already exists in the keychain.\"\nexport PATH=\"$PATH:/usr/local/bin\"\nFILENAME=\"$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz\"\nPKGNAME=\"$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg\"\nmkdir -p ../src/github.com/cloudflare/ \ncp -r . ../src/github.com/cloudflare/cloudflared\ncd ../src/github.com/cloudflare/cloudflared \n\n# Imports certificates to the Apple KeyChain\nimport_certificate() {\n local CERTIFICATE_NAME=$1\n local CERTIFICATE_ENV_VAR=$2\n local CERTIFICATE_FILE_NAME=$3\n\n echo \"Importing $CERTIFICATE_NAME\"\n\n if [[ ! -z \"$CERTIFICATE_ENV_VAR\" ]]; then\n # write certificate to disk and then import it keychain\n echo -n -e ${CERTIFICATE_ENV_VAR} | base64 -D > ${CERTIFICATE_FILE_NAME}\n # we set || true here and for every `security import invoke` because the \"duplicate SecKeychainItemImport\" error\n # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.\n local out=$(security import ${CERTIFICATE_FILE_NAME} -T /usr/bin/pkgbuild -A 2>&1) || true\n local exitcode=$?\n # delete the certificate from disk\n rm -rf ${CERTIFICATE_FILE_NAME}\n if [ -n \"$out\" ]; then\n if [ $exitcode -eq 0 ]; then\n echo \"$out\"\n else\n if [ \"$out\" != \"${SEC_DUP_MSG}\" ]; then\n echo \"$out\" >&2\n exit $exitcode\n else\n echo \"already imported code signing certificate\"\n fi\n fi\n fi\n fi\n}\n\ncreate_cloudflared_build_keychain() {\n # Reusing the private key password as the keychain key\n local PRIVATE_KEY_PASS=$1\n\n # Create keychain only if it doesn't already exist\n if [ ! -f \"$HOME/Library/Keychains/cloudflared_build_keychain.keychain-db\" ]; then\n security create-keychain -p \"$PRIVATE_KEY_PASS\" cloudflared_build_keychain\n else\n echo \"Keychain already exists: cloudflared_build_keychain\"\n fi\n\n # Append temp keychain to the user domain\n security list-keychains -d user -s cloudflared_build_keychain $(security list-keychains -d user | sed s/\\\"//g)\n\n # Remove relock timeout\n security set-keychain-settings cloudflared_build_keychain\n\n # Unlock keychain so it doesn't require password\n security unlock-keychain -p \"$PRIVATE_KEY_PASS\" cloudflared_build_keychain\n\n}\n\n# Imports private keys to the Apple KeyChain\nimport_private_keys() {\n local PRIVATE_KEY_NAME=$1\n local PRIVATE_KEY_ENV_VAR=$2\n local PRIVATE_KEY_FILE_NAME=$3\n local PRIVATE_KEY_PASS=$4\n\n echo \"Importing $PRIVATE_KEY_NAME\"\n\n if [[ ! -z \"$PRIVATE_KEY_ENV_VAR\" ]]; then\n if [[ ! -z \"$PRIVATE_KEY_PASS\" ]]; then\n # write private key to disk and then import it keychain\n echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}\n # we set || true here and for every `security import invoke` because the \"duplicate SecKeychainItemImport\" error\n # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.\n local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k cloudflared_build_keychain -P \"$PRIVATE_KEY_PASS\" -T /usr/bin/pkgbuild -A -P \"${PRIVATE_KEY_PASS}\" 2>&1) || true\n local exitcode=$?\n rm -rf ${PRIVATE_KEY_FILE_NAME}\n if [ -n \"$out\" ]; then\n if [ $exitcode -eq 0 ]; then\n echo \"$out\"\n else\n if [ \"$out\" != \"${SEC_DUP_MSG}\" ]; then\n echo \"$out\" >&2\n exit $exitcode\n fi\n fi\n fi\n fi\n fi\n}\n\n# Create temp keychain only for this build\ncreate_cloudflared_build_keychain \"${CFD_CODE_SIGN_PASS}\"\n\n# Add Apple Root Developer certificate to the key chain\nimport_certificate \"Apple Developer CA\" \"${APPLE_DEV_CA_CERT}\" \"${APPLE_CA_CERT}\"\n\n# Add code signing private key to the key chain\nimport_private_keys \"Developer ID Application\" \"${CFD_CODE_SIGN_KEY}\" \"${CODE_SIGN_PRIV}\" \"${CFD_CODE_SIGN_PASS}\"\n\n# Add code signing certificate to the key chain\nimport_certificate \"Developer ID Application\" \"${CFD_CODE_SIGN_CERT}\" \"${CODE_SIGN_CERT}\"\n\n# Add package signing private key to the key chain\nimport_private_keys \"Developer ID Installer\" \"${CFD_INSTALLER_KEY}\" \"${INSTALLER_PRIV}\" \"${CFD_INSTALLER_PASS}\"\n\n# Add package signing certificate to the key chain\nimport_certificate \"Developer ID Installer\" \"${CFD_INSTALLER_CERT}\" \"${INSTALLER_CERT}\"\n\n# get the code signing certificate name\nif [[ ! -z \"$CFD_CODE_SIGN_NAME\" ]]; then\n CODE_SIGN_NAME=\"${CFD_CODE_SIGN_NAME}\"\nelse\n if [[ -n \"$(security find-certificate -c \"Developer ID Application\" cloudflared_build_keychain | cut -d'\"' -f 4 -s | grep \"Developer ID Application:\" | head -1)\" ]]; then\n CODE_SIGN_NAME=$(security find-certificate -c \"Developer ID Application\" cloudflared_build_keychain | cut -d'\"' -f 4 -s | grep \"Developer ID Application:\" | head -1)\n else\n CODE_SIGN_NAME=\"\"\n fi\nfi\n\n# get the package signing certificate name\nif [[ ! -z \"$CFD_INSTALLER_NAME\" ]]; then\n PKG_SIGN_NAME=\"${CFD_INSTALLER_NAME}\"\nelse\n if [[ -n \"$(security find-certificate -c \"Developer ID Installer\" cloudflared_build_keychain | cut -d'\"' -f 4 -s | grep \"Developer ID Installer:\" | head -1)\" ]]; then\n PKG_SIGN_NAME=$(security find-certificate -c \"Developer ID Installer\" cloudflared_build_keychain | cut -d'\"' -f 4 -s | grep \"Developer ID Installer:\" | head -1)\n else\n PKG_SIGN_NAME=\"\"\n fi\nfi\n\n# cleanup the build directory because the previous execution might have failed without cleaning up.\nrm -rf \"${TARGET_DIRECTORY}\"\nexport TARGET_OS=\"darwin\"\nGOCACHE=\"$PWD/../../../../\" GOPATH=\"$PWD/../../../../\" CGO_ENABLED=1 make cloudflared\n\n\n# This allows apple tools to use the certificates in the keychain without requiring password input.\n# This command always needs to run after the certificates have been loaded into the keychain\nif [[ ! -z \"$CFD_CODE_SIGN_PASS\" ]]; then\n security set-key-partition-list -S apple-tool:,apple: -s -k \"${CFD_CODE_SIGN_PASS}\" cloudflared_build_keychain\nfi\n\n# sign the cloudflared binary\nif [[ ! -z \"$CODE_SIGN_NAME\" ]]; then\n codesign --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db -s \"${CODE_SIGN_NAME}\" -fv --options runtime --timestamp ${BINARY_NAME}\n\n # notarize the binary\n # TODO: TUN-5789\nfi\n\nARCH_TARGET_DIRECTORY=\"${TARGET_DIRECTORY}/${TARGET_ARCH}-build\"\n# creating build directory\nrm -rf $ARCH_TARGET_DIRECTORY\nmkdir -p \"${ARCH_TARGET_DIRECTORY}\"\nmkdir -p \"${ARCH_TARGET_DIRECTORY}/contents\"\ncp -r \".mac_resources/scripts\" \"${ARCH_TARGET_DIRECTORY}/scripts\"\n\n# copy cloudflared into the build directory\ncp ${BINARY_NAME} \"${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}\"\n\n# compress cloudflared into a tar and gzipped file\ntar czf \"$FILENAME\" \"${BINARY_NAME}\"\n\n# build the installer package\nif [[ ! -z \"$PKG_SIGN_NAME\" ]]; then\n\n pkgbuild --identifier com.cloudflare.${PRODUCT} \\\n --version ${VERSION} \\\n --scripts ${ARCH_TARGET_DIRECTORY}/scripts \\\n --root ${ARCH_TARGET_DIRECTORY}/contents \\\n --install-location /usr/local/bin \\\n --keychain cloudflared_build_keychain \\\n --sign \"${PKG_SIGN_NAME}\" \\\n ${PKGNAME}\n\n # notarize the package\n # TODO: TUN-5789\nelse\n pkgbuild --identifier com.cloudflare.${PRODUCT} \\\n --version ${VERSION} \\\n --scripts ${ARCH_TARGET_DIRECTORY}/scripts \\\n --root ${ARCH_TARGET_DIRECTORY}/contents \\\n --install-location /usr/local/bin \\\n ${PKGNAME}\nfi\n\n# cleanup build directory because this script is not ran within containers,\n# which might lead to future issues in subsequent runs.\nrm -rf \"${TARGET_DIRECTORY}\"\n\n# cleanup the keychain\nsecurity default-keychain -d user -s login.keychain-db\nsecurity list-keychains -d user -s login.keychain-db\nsecurity delete-keychain cloudflared_build_keychain\n" }, { "path": ".ci/scripts/mac/install-go.sh", "content": "rm -rf /tmp/go\nexport GOCACHE=/tmp/gocache\nrm -rf $GOCACHE\n\nif [ -z \"$1\" ]\n then\n echo \"No go version supplied\"\nfi\n\nbrew install \"$1\"\n\ngo version\nwhich go\ngo env\n" }, { "path": ".ci/scripts/package-windows.sh", "content": "#!/bin/bash\nset -e -u -o pipefail\n\npython3 -m venv env\n. env/bin/activate\npip install pynacl==1.4.0 pygithub==1.55\n\nVERSION=$(git describe --tags --always --match \"[0-9][0-9][0-9][0-9].*.*\")\necho $VERSION\n\nexport TARGET_OS=windows\n# This controls the directory the built artifacts go into\nexport BUILT_ARTIFACT_DIR=artifacts/\nexport FINAL_ARTIFACT_DIR=artifacts/\nmkdir -p $BUILT_ARTIFACT_DIR\nmkdir -p $FINAL_ARTIFACT_DIR\nwindowsArchs=(\"amd64\" \"386\")\nfor arch in ${windowsArchs[@]}; do\n export TARGET_ARCH=$arch\n # Copy .exe from artifacts directory\n cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe\n make cloudflared-msi\n # Copy msi into final directory\n mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi\ndone\n" }, { "path": ".ci/scripts/release-target.sh", "content": "#!/bin/bash\nset -e -u -o pipefail\n\n# Check if a make target is provided as an argument\nif [ $# -eq 0 ]; then\n echo \"Error: Make target argument is required\"\n echo \"Usage: $0 \"\n exit 1\nfi\n\nMAKE_TARGET=$1\n\npython3 -m venv venv\nsource venv/bin/activate\n\n# Our release scripts are written in python, so we should install their dependecies here.\npip install pynacl==1.4.0 pygithub==1.55 boto3==1.42.30 python-gnupg==0.4.9\nmake $MAKE_TARGET\n" }, { "path": ".ci/scripts/vuln-check.sh", "content": "#!/bin/bash\nset -e -u\n\n# Define the file to store the list of vulnerabilities to ignore.\nIGNORE_FILE=\".vulnignore\"\n\ngo version\n# Check if the ignored vulnerabilities file exists. If not, create an empty one.\nif [ ! -f \"$IGNORE_FILE\" ]; then\n touch \"$IGNORE_FILE\"\n echo \"Created an empty file to store ignored vulnerabilities: $IGNORE_FILE\"\n echo \"# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.\" >>\"$IGNORE_FILE\"\n echo \"# You can also add comments on the same line after the ID.\" >>\"$IGNORE_FILE\"\n echo \"\" >>\"$IGNORE_FILE\"\nfi\n\n# Run govulncheck and capture its output.\nVULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)\n\n# Print the govuln output\necho \"=====================================\"\necho \"Full Output of govulncheck:\"\necho \"=====================================\"\necho \"$VULN_OUTPUT\"\necho \"=====================================\"\necho \"End of govulncheck Output\"\necho \"=====================================\"\n\n# Process the ignore file to remove comments and empty lines.\n# The 'cut' command gets the vulnerability ID and removes anything after the '#'.\n# The 'grep' command filters out empty lines and lines starting with '#'.\nCLEAN_IGNORES=$(grep -v '^\\s*#' \"$IGNORE_FILE\" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)\n\n# Filter out the ignored vulnerabilities.\nUNIGNORED_VULNS=$(echo \"$VULN_OUTPUT\" | grep 'Vulnerability' || true)\n\n# If the list of ignored vulnerabilities is not empty, filter them out.\nif [ -n \"$CLEAN_IGNORES\" ]; then\n UNIGNORED_VULNS=$(echo \"$UNIGNORED_VULNS\" | grep -vFf <(echo \"$CLEAN_IGNORES\") || true)\nfi\n\n# If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.\nif [ -n \"$UNIGNORED_VULNS\" ]; then\n echo \"🚨 Found new, unignored vulnerabilities:\"\n echo \"-------------------------------------\"\n echo \"$UNIGNORED_VULNS\"\n echo \"-------------------------------------\"\n echo \"Exiting with an error. ❌\"\n exit 1\nelse\n echo \"🎉 No new vulnerabilities found. All clear! ✨\"\n exit 0\nfi\n" }, { "path": ".ci/scripts/windows/builds.ps1", "content": "Set-StrictMode -Version Latest\n$ErrorActionPreference = \"Stop\"\n$ProgressPreference = \"SilentlyContinue\"\n\n$env:TARGET_OS = \"windows\"\n$env:LOCAL_OS = \"windows\"\n$TIMESTAMP_RFC3161 = \"http://timestamp.digicert.com\"\n\nNew-Item -Path \".\\artifacts\" -ItemType Directory\n\nWrite-Output \"Building for amd64\"\n$env:TARGET_ARCH = \"amd64\"\n$env:LOCAL_ARCH = \"amd64\"\n$env:CGO_ENABLED = 1\n& make cloudflared\nif ($LASTEXITCODE -ne 0) { throw \"Failed to build cloudflared for amd64\" }\n# Sign build\nazuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi \"$env:KEY_VAULT_CLIENT_ID\" -kvs \"$env:KEY_VAULT_SECRET\" -kvc \"$env:KEY_VAULT_CERTIFICATE\" -kvt \"$env:KEY_VAULT_TENANT_ID\" -tr \"$TIMESTAMP_RFC3161\" -d \"Cloudflare Tunnel Daemon\" .\\cloudflared.exe\ncopy .\\cloudflared.exe .\\artifacts\\cloudflared-windows-amd64.exe\n\nWrite-Output \"Building for 386\"\n$env:TARGET_ARCH = \"386\"\n$env:LOCAL_ARCH = \"386\"\n$env:CGO_ENABLED = 0\n& make cloudflared\nif ($LASTEXITCODE -ne 0) { throw \"Failed to build cloudflared for 386\" }\n## Sign build\nazuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi \"$env:KEY_VAULT_CLIENT_ID\" -kvs \"$env:KEY_VAULT_SECRET\" -kvc \"$env:KEY_VAULT_CERTIFICATE\" -kvt \"$env:KEY_VAULT_TENANT_ID\" -tr \"$TIMESTAMP_RFC3161\" -d \"Cloudflare Tunnel Daemon\" .\\cloudflared.exe\ncopy .\\cloudflared.exe .\\artifacts\\cloudflared-windows-386.exe\n" }, { "path": ".ci/scripts/windows/component-test.ps1", "content": "Set-StrictMode -Version Latest\n$ErrorActionPreference = \"Stop\"\n$ProgressPreference = \"SilentlyContinue\"\n\n$env:TARGET_OS = \"windows\"\n$env:LOCAL_OS = \"windows\"\n$env:TARGET_ARCH = \"amd64\"\n$env:LOCAL_ARCH = \"amd64\"\n$env:CGO_ENABLED = 1\n\npython --version\npython -m pip --version\n\n\nWrite-Host \"Building cloudflared\"\n& make cloudflared\nif ($LASTEXITCODE -ne 0) { throw \"Failed to build cloudflared\" }\n\n\nWrite-Host \"Running unit tests\"\n# Not testing with race detector because of https://github.com/golang/go/issues/61058\n# We already test it on other platforms\ngo test -failfast -v -mod=vendor ./...\nif ($LASTEXITCODE -ne 0) { throw \"Failed unit tests\" }\n\n\n# On Gitlab runners we need to add all of this addresses to the NO_PROXY list in order for the tests to run.\n$env:NO_PROXY = \"pypi.org,files.pythonhosted.org,api.cloudflare.com,argotunneltest.com,argotunnel.com,trycloudflare.com,${env:NO_PROXY}\"\nWrite-Host \"No Proxy: ${env:NO_PROXY}\"\nWrite-Host \"Running component tests\"\ntry {\n python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517\n python component-tests/setup.py --type create\n python -m pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml\n if ($LASTEXITCODE -ne 0) {\n throw \"Failed component tests\"\n }\n} finally {\n python component-tests/setup.py --type cleanup\n}\n" }, { "path": ".ci/scripts/windows/go-wrapper.ps1", "content": "Param(\n [string]$GoVersion,\n [string]$ScriptToExecute\n)\n\n# The script is a wrapper that downloads a specific version\n# of go, adds it to the PATH and executes a script with that go\n# version in the path.\n\nSet-StrictMode -Version Latest\n$ErrorActionPreference = \"Stop\"\n$ProgressPreference = \"SilentlyContinue\"\n\n# Get the path to the system's temporary directory.\n$tempPath = [System.IO.Path]::GetTempPath()\n\n# Create a unique name for the new temporary folder.\n$folderName = \"go_\" + (Get-Random)\n\n# Join the temp path and the new folder name to create the full path.\n$fullPath = Join-Path -Path $tempPath -ChildPath $folderName\n\n# Store the current value of PATH environment variable.\n$oldPath = $env:Path\n\n# Use a try...finally block to ensure the temporrary folder and PATH are cleaned up.\ntry {\n # Create the temporary folder.\n Write-Host \"Creating temporary folder at: $fullPath\"\n $newTempFolder = New-Item -ItemType Directory -Path $fullPath -Force\n\n # Download go\n $url = \"https://go.dev/dl/$GoVersion.windows-amd64.zip\"\n $destinationFile = Join-Path -Path $newTempFolder.FullName -ChildPath \"go$GoVersion.windows-amd64.zip\"\n Write-Host \"Downloading go from: $url\"\n Invoke-WebRequest -Uri $url -OutFile $destinationFile\n Write-Host \"File downloaded to: $destinationFile\"\n\n # Unzip the downloaded file.\n Write-Host \"Unzipping the file...\"\n Expand-Archive -Path $destinationFile -DestinationPath $newTempFolder.FullName -Force\n Write-Host \"File unzipped successfully.\"\n\n # Define the go/bin path wich is inside the temporary folder\n $goBinPath = Join-Path -Path $fullPath -ChildPath \"go\\bin\"\n\n # Add the go/bin path to the PATH environment variable.\n $env:Path = \"$goBinPath;$($env:Path)\"\n Write-Host \"Added $goBinPath to the environment PATH.\"\n\n go env\n go version\n\n & $ScriptToExecute\n} finally {\n # Cleanup: Remove the path from the environment variable and then the temporary folder.\n Write-Host \"Starting cleanup...\"\n\n $env:Path = $oldPath\n Write-Host \"Reverted changes in the environment PATH.\"\n\n # Remove the temporary folder and its contents.\n if (Test-Path -Path $fullPath) {\n Remove-Item -Path $fullPath -Recurse -Force\n Write-Host \"Temporary folder and its contents have been removed.\"\n } else {\n Write-Host \"Temporary folder does not exist, no cleanup needed.\"\n }\n}\n" }, { "path": ".ci/scripts/windows/sign-msi.ps1", "content": "# Sign Windows artifacts using azuretool\n# This script processes MSI files from the artifacts directory\n\n$ErrorActionPreference = \"Stop\"\n\n# Define paths\n$ARTIFACT_DIR = \"artifacts\"\n$TIMESTAMP_RFC3161 = \"http://timestamp.digicert.com\"\n\nWrite-Host \"Looking for Windows artifacts to sign in $ARTIFACT_DIR...\"\n\n# Find all Windows MSI files\n$msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter \"cloudflared-windows-*.msi\" -ErrorAction SilentlyContinue\n\nif ($msiFiles.Count -eq 0) {\n Write-Host \"No Windows MSI files found in $ARTIFACT_DIR\"\n exit 1\n}\n\nWrite-Host \"Found $($msiFiles.Count) file(s) to sign:\"\nforeach ($file in $msiFiles) {\n Write-Host \"Running azuretool sign for $($file.Name)\"\n azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi \"$env:KEY_VAULT_CLIENT_ID\" -kvs \"$env:KEY_VAULT_SECRET\" -kvc \"$env:KEY_VAULT_CERTIFICATE\" -kvt \"$env:KEY_VAULT_TENANT_ID\" -tr \"$TIMESTAMP_RFC3161\" -d \"Cloudflare Tunnel Daemon\" .\\\\$ARTIFACT_DIR\\\\$($file.Name)\n}\n\nWrite-Host \"Signing process completed\"\n" }, { "path": ".ci/windows.gitlab-ci.yml", "content": "include:\n - local: .ci/commons.gitlab-ci.yml\n\n###################################\n### Defaults for Windows Builds ###\n###################################\n.windows-build-defaults: &windows-build-defaults\n rules:\n - !reference [.default-rules, run-always]\n tags:\n - windows-x86\n cache: {}\n\n##########################################\n### Build Cloudflared Windows Binaries ###\n##########################################\nwindows-build-cloudflared:\n <<: *windows-build-defaults\n stage: build\n script:\n - powershell -ExecutionPolicy Bypass -File \".\\.ci\\scripts\\windows\\go-wrapper.ps1\" \"${WIN_GO_VERSION}\" \".\\.ci\\scripts\\windows\\builds.ps1\"\n artifacts:\n paths:\n - artifacts/*\n\n######################################################\n### Load Environment Variables for Component Tests ###\n######################################################\nwindows-load-env-variables:\n stage: pre-build\n extends: .component-tests\n script:\n - echo \"COMPONENT_TESTS_CONFIG=$COMPONENT_TESTS_CONFIG\" >> windows.env\n - echo \"COMPONENT_TESTS_CONFIG_CONTENT=$COMPONENT_TESTS_CONFIG_CONTENT\" >> windows.env\n - echo \"DNS_API_TOKEN=$DNS_API_TOKEN\" >> windows.env\n # We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab\n - echo \"COMPONENT_TESTS_ORIGINCERT=$(echo \"$COMPONENT_TESTS_ORIGINCERT\" | base64 -w0)\" >> windows.env\n - echo \"KEY_VAULT_URL=$KEY_VAULT_URL\" >> windows.env\n - echo \"KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID\" >> windows.env\n - echo \"KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID\" >> windows.env\n - echo \"KEY_VAULT_SECRET=$KEY_VAULT_SECRET\" >> windows.env\n - echo \"KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE\" >> windows.env\n variables:\n COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=\n secrets:\n KEY_VAULT_URL:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv\n file: false\n KEY_VAULT_CLIENT_ID:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv\n file: false\n KEY_VAULT_TENANT_ID:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv\n file: false\n KEY_VAULT_SECRET:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv\n file: false\n KEY_VAULT_CERTIFICATE:\n vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate/key_vault_certificate@kv\n file: false\n artifacts:\n access: 'none'\n reports:\n dotenv: windows.env\n\n###################################\n### Run Windows Component Tests ###\n###################################\nwindows-component-tests-cloudflared:\n <<: *windows-build-defaults\n stage: test\n needs: [\"windows-load-env-variables\"]\n script:\n # We have to decode the secret we encoded on the `windows-load-env-variables` job\n - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))\n - powershell -ExecutionPolicy Bypass -File \".\\.ci\\scripts\\windows\\go-wrapper.ps1\" \"${WIN_GO_VERSION}\" \".\\.ci\\scripts\\windows\\component-test.ps1\"\n artifacts:\n reports:\n junit: report.xml\n\n################################\n### Package Windows Binaries ###\n################################\nwindows-package:\n rules:\n - !reference [.default-rules, run-on-master]\n stage: package\n needs:\n - ci-image-get-image-ref\n - windows-build-cloudflared\n image: $BUILD_IMAGE\n script:\n - .ci/scripts/package-windows.sh\n cache: {}\n artifacts:\n paths:\n - artifacts/*\n\n#############################\n### Sign Windows Binaries ###\n#############################\nwindows-package-sign:\n <<: *windows-build-defaults\n rules:\n - !reference [.default-rules, run-on-master]\n stage: package\n needs:\n - windows-package\n - windows-load-env-variables\n script:\n - powershell -ExecutionPolicy Bypass -File \".\\.ci\\scripts\\windows\\sign-msi.ps1\"\n artifacts:\n paths:\n - artifacts/*\n" }, { "path": ".docker-images", "content": "images:\n - name: cloudflared\n dockerfile: Dockerfile.$ARCH\n context: .\n version_file: versions\n registries:\n - name: docker.io/cloudflare\n user: env:DOCKER_USER\n password: env:DOCKER_PASSWORD\n architectures:\n - amd64\n - arm64\n" }, { "path": ".dockerignore", "content": "" }, { "path": ".github/ISSUE_TEMPLATE/---bug-report.md", "content": "---\nname: \"\\U0001F41B Bug report\"\nabout: Create a report to help us improve cloudflared\ntitle: \"\\U0001F41B\"\nlabels: 'Priority: Normal, Type: Bug'\n\n---\n\n**Describe the bug**\nA clear and concise description of what the bug is.\n\n**To Reproduce**\nSteps to reproduce the behavior:\n1. Configure '...'\n2. Run '....'\n3. See error\n\nIf it's an issue with Cloudflare Tunnel:\n4. Tunnel ID : \n5. cloudflared config: \n\n**Expected behavior**\nA clear and concise description of what you expected to happen.\n\n**Environment and versions**\n - OS: [e.g. MacOS]\n - Architecture: [e.g. AMD, ARM]\n - Version: [e.g. 2022.02.0]\n\n**Logs and errors**\nIf applicable, add logs or errors to help explain your problem.\n\n**Additional context**\nAdd any other context about the problem here.\n" }, { "path": ".github/ISSUE_TEMPLATE/---documentation.md", "content": "---\nname: \"\\U0001F4DD Documentation\"\nabout: Request new or updated documentation for cloudflared\ntitle: \"\\U0001F4DD\"\nlabels: 'Priority: Normal, Type: Documentation'\n\n---\n\n**Available Documentation**\nA link to the documentation that is available today and the areas which could be improved. \n\n**Suggested Documentation**\nA clear and concise description of the documentation, tutorial, or guide that should be added. \n\n**Additional context**\nAdd any other context or screenshots about the documentation request here.\n" }, { "path": ".github/ISSUE_TEMPLATE/---feature-request.md", "content": "---\nname: \"\\U0001F4A1 Feature request\"\nabout: Suggest a feature or enhancement for cloudflared\ntitle: \"\\U0001F4A1\"\nlabels: 'Priority: Normal, Type: Feature Request'\n\n---\n\n**Describe the feature you'd like**\nA clear and concise description of the feature. What problem does it solve for you?\n\n**Describe alternatives you've considered**\nAre there any alternatives to solving this problem? If so, what was your experience with them?\n\n**Additional context**\nAdd any other context or screenshots about the feature request here.\n" }, { "path": ".github/workflows/check.yaml", "content": "on: [push, pull_request]\nname: Check\njobs:\n check:\n strategy:\n matrix:\n go-version: [1.22.x]\n os: [ubuntu-latest, macos-latest, windows-latest]\n runs-on: ${{ matrix.os }}\n steps:\n - name: Install Go\n uses: actions/setup-go@v5\n with:\n go-version: ${{ matrix.go-version }}\n - name: Checkout code\n uses: actions/checkout@v4\n - name: Test\n run: make test\n" }, { "path": ".github/workflows/semgrep.yml", "content": "on:\n pull_request: {}\n workflow_dispatch: {}\n push: \n branches:\n - main\n - master\n schedule:\n - cron: '0 0 * * *'\nname: Semgrep config\njobs:\n semgrep:\n name: semgrep/ci\n runs-on: ubuntu-latest\n env:\n SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}\n SEMGREP_URL: https://cloudflare.semgrep.dev\n SEMGREP_APP_URL: https://cloudflare.semgrep.dev\n SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version\n container:\n image: semgrep/semgrep\n steps:\n - uses: actions/checkout@v4\n - run: semgrep ci\n" }, { "path": ".gitignore", "content": "/tmp\n/bin\n.idea\n.build\n.vscode\n\\#*\\#\ncscope.*\n/cloudflared\n/cloudflared.pkg\n/cloudflared.exe\n/cloudflared.msi\n/cloudflared-x86-64*\n/cloudflared.1\n/packaging\n.DS_Store\n*-session.log\nssh_server_tests/.env\n/.cover\nbuilt_artifacts/\ncomponent-tests/.venv\n/artifacts\n" }, { "path": ".gitlab-ci.yml", "content": "variables:\n GO_VERSION: \"1.24.13\"\n MAC_GO_VERSION: \"go@$GO_VERSION\"\n WIN_GO_VERSION: \"go$GO_VERSION\"\n GIT_DEPTH: \"0\"\n\ndefault:\n id_tokens:\n VAULT_ID_TOKEN:\n aud: https://vault.cfdata.org\n\nstages:\n [\n sync,\n pre-build,\n build,\n validate,\n test,\n package,\n release,\n release-internal,\n review,\n ]\n\ninclude:\n #####################################################\n ########## Import Commons Configurations ############\n #####################################################\n - local: .ci/commons.gitlab-ci.yml\n\n #####################################################\n ########### Sync Repository with Github #############\n #####################################################\n - local: .ci/github.gitlab-ci.yml\n\n #####################################################\n ############# Build or Fetch CI Image ###############\n #####################################################\n - local: .ci/ci-image.gitlab-ci.yml\n\n #####################################################\n ################## Linux Builds ###################\n #####################################################\n - local: .ci/linux.gitlab-ci.yml\n\n #####################################################\n ################## Windows Builds ###################\n #####################################################\n - local: .ci/windows.gitlab-ci.yml\n\n #####################################################\n ################### macOS Builds ####################\n #####################################################\n - local: .ci/mac.gitlab-ci.yml\n\n #####################################################\n ################# Release Packages ##################\n #####################################################\n - local: .ci/release.gitlab-ci.yml\n\n #####################################################\n ########## Release Packages Internally ##############\n #####################################################\n - local: .ci/apt-internal.gitlab-ci.yml\n\n #####################################################\n ############## Manual Claude Review #################\n #####################################################\n - component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest\n" }, { "path": ".golangci.yaml", "content": "linters:\n enable:\n # Some of the linters below are commented out. We should uncomment and start running them, but they return\n # too many problems to fix in one commit. Something for later.\n - asasalint # Check for pass []any as any in variadic func(...any).\n - asciicheck # Checks that all code identifiers does not have non-ASCII symbols in the name.\n - bidichk # Checks for dangerous unicode character sequences.\n - bodyclose # Checks whether HTTP response body is closed successfully.\n - decorder # Check declaration order and count of types, constants, variables and functions.\n - dogsled # Checks assignments with too many blank identifiers (e.g. x, , , _, := f()).\n - dupl # Tool for code clone detection.\n - dupword # Checks for duplicate words in the source code.\n - durationcheck # Check for two durations multiplied together.\n - errcheck # Errcheck is a program for checking for unchecked errors in Go code. These unchecked errors can be critical bugs in some cases.\n - errname # Checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error.\n - exhaustive # Check exhaustiveness of enum switch statements.\n - gofmt # Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification.\n - goimports # Check import statements are formatted according to the 'goimport' command. Reformat imports in autofix mode.\n - gosec # Inspects source code for security problems.\n - gosimple # Linter for Go source code that specializes in simplifying code.\n - govet # Vet examines Go source code and reports suspicious constructs. It is roughly the same as 'go vet' and uses its passes.\n - ineffassign # Detects when assignments to existing variables are not used.\n - importas # Enforces consistent import aliases.\n - misspell # Finds commonly misspelled English words.\n - prealloc # Finds slice declarations that could potentially be pre-allocated.\n - promlinter # Check Prometheus metrics naming via promlint.\n - sloglint # Ensure consistent code style when using log/slog.\n - sqlclosecheck # Checks that sql.Rows, sql.Stmt, sqlx.NamedStmt, pgx.Query are closed.\n - staticcheck # It's a set of rules from staticcheck. It's not the same thing as the staticcheck binary.\n - usetesting # Reports uses of functions with replacement inside the testing package.\n - testableexamples # Linter checks if examples are testable (have an expected output).\n - testifylint # Checks usage of github.com/stretchr/testify.\n - tparallel # Tparallel detects inappropriate usage of t.Parallel() method in your Go test codes.\n - unconvert # Remove unnecessary type conversions.\n - unused # Checks Go code for unused constants, variables, functions and types.\n - wastedassign # Finds wasted assignment statements.\n - whitespace # Whitespace is a linter that checks for unnecessary newlines at the start and end of functions, if, for, etc.\n - zerologlint # Detects the wrong usage of zerolog that a user forgets to dispatch with Send or Msg.\n # Other linters are disabled, list of all is here: https://golangci-lint.run/usage/linters/\nrun:\n timeout: 5m\n modules-download-mode: vendor\n\n# output configuration options\noutput:\n formats:\n - format: 'colored-line-number'\n print-issued-lines: true\n print-linter-name: true\n\nissues:\n # Maximum issues count per one linter.\n # Set to 0 to disable.\n # Default: 50\n max-issues-per-linter: 50\n # Maximum count of issues with the same text.\n # Set to 0 to disable.\n # Default: 3\n max-same-issues: 15\n # Show only new issues: if there are unstaged changes or untracked files,\n # only those changes are analyzed, else only changes in HEAD~ are analyzed.\n # It's a super-useful option for integration of golangci-lint into existing large codebase.\n # It's not practical to fix all existing issues at the moment of integration:\n # much better don't allow issues in new code.\n #\n # Default: false\n new: true\n # Show only new issues created after git revision `REV`.\n # Default: \"\"\n new-from-rev: ac34f94d423273c8fa8fdbb5f2ac60e55f2c77d5\n # Show issues in any part of update files (requires new-from-rev or new-from-patch).\n # Default: false\n whole-files: true\n # Which dirs to exclude: issues from them won't be reported.\n # Can use regexp here: `generated.*`, regexp is applied on full path,\n # including the path prefix if one is set.\n # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).\n # \"/\" will be replaced by current OS file path separator to properly work on Windows.\n # Default: []\n exclude-dirs:\n - vendor\n\nlinters-settings:\n # Check exhaustiveness of enum switch statements.\n exhaustive:\n # Presence of \"default\" case in switch statements satisfies exhaustiveness,\n # even if all enum members are not listed.\n # Default: false\n default-signifies-exhaustive: true\n" }, { "path": ".mac_resources/scripts/postinstall", "content": "#!/bin/bash\n\n# uninstall first in case this is an upgrade\n/usr/local/bin/cloudflared service uninstall\n\n# install the new service using launchctl\n/usr/local/bin/cloudflared service install" }, { "path": ".mac_resources/uninstall.sh", "content": "#!/bin/bash\n\n/usr/local/bin/cloudflared service uninstall\nrm /usr/local/bin/cloudflared\npkgutil --forget com.cloudflare.cloudflared" }, { "path": ".vulnignore", "content": "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.\n# You can also add comments on the same line after the ID.\n" }, { "path": "AGENTS.md", "content": "# Cloudflared\n\nCloudflare's command-line tool and networking daemon written in Go.\nProduction-grade tunneling and network connectivity services used by millions of\ndevelopers and organizations worldwide.\n\n## Essential Commands\n\n### Build & Test (Always run before commits)\n\n```bash\n# Full development check (run before any commit)\nmake test lint\n\n# Build for current platform\nmake cloudflared\n\n# Run all unit tests with coverage\nmake test\nmake cover\n\n# Run specific test\ngo test -run TestFunctionName ./path/to/package\n\n# Run tests with race detection\ngo test -race ./...\n```\n\n### Platform-Specific Builds\n\n```bash\n# Linux\nTARGET_OS=linux TARGET_ARCH=amd64 make cloudflared\n\n# Windows\nTARGET_OS=windows TARGET_ARCH=amd64 make cloudflared\n\n# macOS ARM64\nTARGET_OS=darwin TARGET_ARCH=arm64 make cloudflared\n\n# FIPS compliant build\nFIPS=true make cloudflared\n```\n\n### Code Quality & Formatting\n\n```bash\n# Run linter (38+ enabled linters)\nmake lint\n\n# Auto-fix formatting\nmake fmt\ngofmt -w .\ngoimports -w .\n\n# Security scanning\nmake vet\n\n# Component tests (Python integration tests)\ncd component-tests && python -m pytest test_file.py::test_function_name\n```\n\n## Project Knowledge\n\n### Package Structure\n\n- Use meaningful package names that reflect functionality\n- Package names should be lowercase, single words when possible\n- Avoid generic names like `util`, `common`, `helper`\n\n### Function and Method Guidelines\n\n```go\n// Good: Clear purpose, proper error handling\nfunc (c *Connection) HandleRequest(ctx context.Context, req *http.Request) error {\n if req == nil {\n return errors.New(\"request cannot be nil\")\n }\n // Implementation...\n return nil\n}\n```\n\n### Error Handling\n\n- Always handle errors explicitly, never ignore them\n- Use `fmt.Errorf` for error wrapping\n- Create meaningful error messages with context\n- Use error variables for common errors\n\n```go\n// Good error handling patterns\nif err != nil {\n return fmt.Errorf(\"failed to process connection: %w\", err)\n}\n```\n\n### Logging Standards\n\n- Use `github.com/rs/zerolog` for structured logging\n- Include relevant context fields\n- Use appropriate log levels (Debug, Info, Warn, Error)\n\n```go\nlogger.Info().\n Str(\"tunnelID\", tunnel.ID).\n Int(\"connIndex\", connIndex).\n Msg(\"Connection established\")\n```\n\n### Testing Patterns\n\n- Use `github.com/stretchr/testify` for assertions\n- Test files end with `_test.go`\n- Use table-driven tests for multiple scenarios\n- Always use `t.Parallel()` for parallel-safe tests\n- Use meaningful test names that describe behavior\n\n```go\nfunc TestMetricsListenerCreation(t *testing.T) {\n t.Parallel()\n // Test implementation\n assert.Equal(t, expected, actual)\n require.NoError(t, err)\n}\n```\n\n### Constants and Variables\n\n```go\nconst (\n MaxGracePeriod = time.Minute * 3\n MaxConcurrentStreams = math.MaxUint32\n LogFieldConnIndex = \"connIndex\"\n)\n\nvar (\n // Group related variables\n switchingProtocolText = fmt.Sprintf(\"%d %s\", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols))\n flushableContentTypes = []string{sseContentType, grpcContentType, sseJsonContentType}\n)\n```\n\n### Type Definitions\n\n- Define interfaces close to their usage\n- Keep interfaces small and focused\n- Use descriptive names for complex types\n\n```go\ntype TunnelConnection interface {\n Serve(ctx context.Context) error\n}\n\ntype TunnelProperties struct {\n Credentials Credentials\n QuickTunnelUrl string\n}\n```\n\n## Key Architectural Patterns\n\n### Context Usage\n\n- Always accept `context.Context` as first parameter for long-running operations\n- Respect context cancellation in loops and blocking operations\n- Pass context through call chains\n\n### Concurrency\n\n- Use channels for goroutine communication\n- Protect shared state with mutexes\n- Prefer `sync.RWMutex` for read-heavy workloads\n\n### Configuration\n\n- Use structured configuration with validation\n- Support both file-based and CLI flag configuration\n- Provide sensible defaults\n\n### Metrics and Observability\n\n- Instrument code with Prometheus metrics\n- Use OpenTelemetry for distributed tracing\n- Include structured logging with relevant context\n\n## Boundaries\n\n### ✅ Always Do\n\n- Run `make test lint` before any commit\n- Handle all errors explicitly with proper context\n- Use `github.com/rs/zerolog` for all logging\n- Add `t.Parallel()` to all parallel-safe tests\n- Follow the import grouping conventions\n- Use meaningful variable and function names\n- Include context.Context for long-running operations\n- Close resources in defer statements\n\n### ⚠️ Ask First Before\n\n- Adding new dependencies to go.mod\n- Modifying CI/CD configuration files\n- Changing build system or Makefile\n- Modifying component test infrastructure\n- Adding new linter rules or changing golangci-lint config\n- Making breaking changes to public APIs\n- Changing logging levels or structured logging fields\n\n### 🚫 Never Do\n\n- Ignore errors without explicit handling (`_ = err`)\n- Use generic package names (`util`, `helper`, `common`)\n- Commit code that fails `make test lint`\n- Use `fmt.Print*` instead of structured logging\n- Modify vendor dependencies directly\n- Commit secrets, credentials, or sensitive data\n- Use deprecated or unsafe Go patterns\n- Skip testing for new functionality\n- Remove existing tests unless they're genuinely invalid\n\n## Dependencies Management\n\n- Use Go modules (`go.mod`) exclusively\n- Vendor dependencies for reproducible builds\n- Keep dependencies up-to-date and secure\n- Prefer standard library when possible\n- Cloudflared uses a fork of quic-go always check release notes before bumping\n this dependency.\n\n## Security Considerations\n\n- FIPS compliance support available\n- Vulnerability scanning integrated in CI\n- Credential handling follows security best practices\n- Network security with TLS/QUIC protocols\n- Regular security audits and updates\n- Post quantum encryption\n\n## Common Patterns to Follow\n\n1. **Graceful shutdown**: Always implement proper cleanup\n2. **Resource management**: Close resources in defer statements\n3. **Error propagation**: Wrap errors with meaningful context\n4. **Configuration validation**: Validate inputs early\n5. **Logging consistency**: Use structured logging throughout\n6. **Testing coverage**: Aim for comprehensive test coverage\n7. **Documentation**: Comment exported functions and types\n\nRemember: This is a mission-critical networking tool used in production by many\norganizations. Code quality, security, and reliability are paramount.\n" }, { "path": "CHANGES.md", "content": "## 2026.2.0\n### Breaking Change\n- Removes the `proxy-dns` feature from cloudflared. This feature allowed running a local DNS over HTTPS (DoH) proxy.\n Users who relied on this functionality should migrate to alternative solutions.\n \n Removed commands and flags:\n - `cloudflared proxy-dns`\n - `cloudflared tunnel proxy-dns` \n - `--proxy-dns`, `--proxy-dns-port`, `--proxy-dns-address`, `--proxy-dns-upstream`, `--proxy-dns-max-upstream-conns`, `--proxy-dns-bootstrap`\n - `resolver` section in configuration file\n\n## 2025.7.1\n### Notices\n- `cloudflared` will no longer officially support Debian and Ubuntu distros that reached end-of-life: `buster`, `bullseye`, `impish`, `trusty`.\n\n## 2025.1.1\n### New Features\n- This release introduces the use of new Post Quantum curves and the ability to use Post Quantum curves when running tunnels with the QUIC protocol this applies to non-FIPS and FIPS builds.\n\n## 2024.12.2\n### New Features\n- This release introduces the ability to collect troubleshooting information from one instance of cloudflared running on the local machine. The command can be executed as `cloudflared tunnel diag`.\n\n## 2024.12.1\n### Notices\n- The use of the `--metrics` is still honoured meaning that if this flag is set the metrics server will try to bind it, however, this version includes a change that makes the metrics server bind to a port with a semi-deterministic approach. If the metrics flag is not present the server will bind to the first available port of the range 20241 to 20245. In case of all ports being unavailable then the fallback is to bind to a random port.\n\n## 2024.10.0\n### Bug Fixes\n- We fixed a bug related to `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force `cloudflared` to shutdown as soon as either SIGTERM or SIGINT is received.\n\n## 2024.2.1\n### Notices\n- Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).\n\n## 2023.9.0\n### Notices\n- The `warp-routing` `enabled: boolean` flag is no longer supported in the configuration file. Warp Routing traffic (eg TCP, UDP, ICMP) traffic is proxied to cloudflared if routes to the target tunnel are configured. This change does not affect remotely managed tunnels, but for locally managed tunnels, users that might be relying on this feature flag to block traffic should instead guarantee that tunnel has no Private Routes configured for the tunnel.\n## 2023.7.0\n### New Features\n- You can now enable additional diagnostics over the management.argotunnel.com service for your active cloudflared connectors via a new runtime flag `--management-diagnostics` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`). This feature is provided as opt-in and requires the flag to enable. Endpoints such as /metrics provides your prometheus metrics endpoint another mechanism to be reached. Additionally /debug/pprof/(goroutine|heap) are also introduced to allow for remotely retrieving active pprof information from a running cloudflared connector.\n\n## 2023.4.1\n### New Features\n- You can now stream your logs from your remote cloudflared to your local terminal with `cloudflared tail `. This new feature requires the remote cloudflared to be version 2023.4.1 or higher.\n\n## 2023.3.2\n### Notices\n- Due to the nature of QuickTunnels (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/trycloudflare/) and its intended usage for testing and experiment of Cloudflare Tunnels, starting from 2023.3.2, QuickTunnels only make a single connection to the edge. If users want to use Tunnels in a production environment, they should move to Named Tunnels instead. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/remote/#set-up-a-tunnel-remotely-dashboard-setup)\n\n## 2023.3.1\n### Breaking Change\n- Running a tunnel without ingress rules defined in configuration file nor from the CLI flags will no longer provide a default ingress rule to localhost:8080 and instead will return HTTP response code 503 for all incoming HTTP requests.\n\n### Security Fixes\n- Windows 32 bit machines MSI now defaults to Program Files to install cloudflared. (See CVE-2023-1314). The cloudflared client itself is unaffected. This just changes how the installer works on 32 bit windows machines.\n\n### Bug Fixes\n- Fixed a bug that would cause running tunnel on Bastion mode and without ingress rules to crash.\n\n## 2023.2.2\n### Notices\n- Legacy tunnels were officially deprecated on December 1, 2022. Starting with this version, cloudflared no longer supports connecting legacy tunnels.\n- h2mux tunnel connection protocol is no longer supported. Any tunnels still configured to use this protocol will alert and use http2 tunnel protocol instead. We recommend using quic protocol for all tunnels going forward.\n\n## 2023.2.1\n### Bug fixes\n- Fixed a bug in TCP connection proxy that could result in the connection being closed before all data was written.\n- cloudflared now correctly aborts body write if connection to origin service fails after response headers were sent already.\n- Fixed a bug introduced in the previous release where debug endpoints were removed.\n\n## 2022.12.0\n### Improvements\n- cloudflared now attempts to try other edge addresses before falling back to a lower protocol.\n- cloudflared tunnel no longer spins up a quick tunnel. The call has to be explicit and provide a --url flag.\n- cloudflared will now randomly pick the first or second region to connect to instead of always connecting to region2 first.\n\n## 2022.9.0\n### New Features\n- cloudflared now rejects ingress rules with invalid http status codes for http_status.\n\n## 2022.8.1\n### New Features\n- cloudflared now remembers if it connected to a certain protocol successfully. If it did, it does not fall back to a lower\n protocol on connection failures.\n\n## 2022.7.1\n### New Features\n- It is now possible to connect cloudflared tunnel to Cloudflare Global Network with IPv6. See `cloudflared tunnel --help` and look for `edge-ip-version` for more information. For now, the default behavior is to still connect with IPv4 only.\n\n### Bug Fixes\n- Several bug fixes related with QUIC transport (used between cloudflared tunnel and Cloudflare Global Network). Updating to this version is highly recommended.\n\n## 2022.4.0\n### Bug Fixes\n- `cloudflared tunnel run` no longer logs the Tunnel token or JSON credentials in clear text as those are the secret\nthat allows to run the Tunnel.\n\n## 2022.3.4\n### New Features\n- It is now possible to retrieve the credentials that allow to run a Tunnel in case you forgot/lost them. This is\nachievable with: `cloudflared tunnel token --cred-file /path/to/file.json TUNNEL`. This new feature only works for\nTunnels created with cloudflared version 2022.3.0 or more recent.\n\n### Bug Fixes\n- `cloudflared service install` now starts the underlying agent service on Linux operating system (similarly to the\nbehaviour in Windows and MacOS).\n\n## 2022.3.3\n### Bug Fixes\n- `cloudflared service install` now starts the underlying agent service on Windows operating system (similarly to the\nbehaviour in MacOS).\n\n## 2022.3.1\n### Bug Fixes\n- Various fixes to the reliability of `quic` protocol, including an edge case that could lead to cloudflared crashing.\n\n## 2022.3.0\n### New Features\n- It is now possible to configure Ingress Rules to point to an origin served by unix socket with either HTTP or HTTPS.\nIf the origin starts with `unix:/` then we assume HTTP (existing behavior). Otherwise, the origin can start with\n`unix+tls:/` for HTTPS.\n\n## 2022.2.1\n### New Features\n- This project now has a new LICENSE that is more compliant with open source purposes.\n\n### Bug Fixes\n- Various fixes to the reliability of `quic` protocol.\n\n## 2022.1.3\n### New Features\n- New `cloudflared tunnel vnet` commands to allow for private routing to be virtualized. This means that the same CIDR\ncan now be used to point to two different Tunnels with `cloudflared tunnel route ip` command. More information will be\nmade available on blog.cloudflare.com and developers.cloudflare.com/cloudflare-one once the feature is globally available.\n\n### Bug Fixes\n- Correctly handle proxying UDP datagrams with no payload.\n- Bug fix for origins that use Server-Sent Events (SSE).\n\n## 2022.1.0\n### Improvements\n- If a specific `protocol` property is defined (e.g. for `quic`), cloudflared no longer falls back to an older protocol\n(such as `http2`) in face of connectivity errors. This is important because some features are only supported in a specific\nprotocol (e.g. UDP proxying only works for `quic`). Hence, if a user chooses a protocol, cloudflared now adheres to it\nno matter what.\n\n### Bug Fixes\n- Stopping cloudflared running with `quic` protocol now respects graceful shutdown.\n\n## 2021.12.2\n### Bug Fixes\n- Fix logging when `quic` transport is used and UDP traffic is proxied.\n- FIPS compliant cloudflared binaries will now be released as separate artifacts. Recall that these are only for linux\nand amd64.\n\n## 2021.12.1\n### Bug Fixes\n - Fixes Github issue #530 where cloudflared 2021.12.0 could not reach origins that were HTTPS and using certain encryption\nmethods forbidden by FIPS compliance (such as Let's Encrypt certificates). To address this fix we have temporarily reverted\nFIPS compliance from amd64 linux binaries that was recently introduced (or fixed actually as it was never working before).\n\n## 2021.12.0\n### New Features\n- Cloudflared binary released for amd64 linux is now FIPS compliant.\n\n### Improvements\n- Logging about connectivity to Cloudflare edge now only yields `ERR` level logging if there are no connections to\nCloudflare edge that are active. Otherwise it logs `WARN` level.\n \n### Bug Fixes\n- Fixes Github issue #501.\n\n## 2021.11.0\n### Improvements\n- Fallback from `protocol:quic` to `protocol:http2` immediately if UDP connectivity isn't available. This could be because of a firewall or \negress rule.\n\n## 2021.10.4\n### Improvements\n- Collect quic transport metrics on RTT, packets and bytes transferred.\n\n### Bug Fixes\n- Fix race condition that was writing to the connection after the http2 handler returns.\n\n## 2021.9.2\n\n### New features\n- `cloudflared` can now run with `quic` as the underlying tunnel transport protocol. To try it, change or add \"protocol: quic\" to your config.yml file or\nrun cloudflared with the `--protocol quic` flag. e.g:\n `cloudflared tunnel --protocol quic run `\n\n### Bug Fixes\n- Fixed some generic transport bugs in `quic` mode. It's advised to upgrade to at least this version (2021.9.2) when running `cloudflared`\nwith `quic` protocol.\n- `cloudflared` docker images will now show version.\n\n\n## 2021.8.4\n### Improvements\n- Temporary tunnels (those hosted on trycloudflare.com that do not require a Cloudflare login) now run as Named Tunnels\nunderneath. We recall that these tunnels should not be relied upon for production usage as they come with no guarantee\nof uptime. Previous cloudflared versions will soon be unable to run legacy temporary tunnels and will require an update\n(to this version or more recent).\n\n## 2021.8.2\n### Improvements\n- Because Equinox os shutting down, all cloudflared releases are now present [here](https://github.com/cloudflare/cloudflared/releases).\n[Equinox](https://dl.equinox.io/cloudflare/cloudflared/stable) will no longer receive updates. \n\n## 2021.8.0\n### Bug fixes\n- Prevents tunnel from accidentally running when only proxy-dns should run. \n\n### Improvements\n- If auto protocol transport lookup fails, we now default to a transport instead of not connecting.\n\n## 2021.6.0\n### Bug Fixes\n- Fixes a http2 transport (the new default for Named Tunnels) to work with unix socket origins.\n\n\n## 2021.5.10\n### Bug Fixes\n- Fixes a memory leak in h2mux transport that connects cloudflared to Cloudflare edge.\n\n\n## 2021.5.9\n### New Features\n- Uses new Worker based login helper service to facilitate token exchange in cloudflared flows.\n\n### Bug Fixes\n- Fixes Centos-7 builds.\n\n## 2021.5.8\n### New Features\n- When creating a DNS record to point a hostname at a tunnel, you can now use --overwrite-dns to overwrite any existing\n DNS records with that hostname. This works both when using the CLI to provision DNS, as well as when starting an adhoc\n named tunnel, e.g.:\n - `cloudflared tunnel route dns --overwrite-dns foo-tunnel foo.example.com`\n - `cloudflared tunnel --overwrite-dns --name foo-tunnel --hostname foo.example.com`\n\n## 2021.5.7\n### New Features\n- Named Tunnels will automatically select the protocol to connect to Cloudflare's edge network.\n\n## 2021.5.0\n\n### New Features\n- It is now possible to run the same tunnel using more than one `cloudflared` instance. This is a server-side change and\n is compatible with any client version that uses Named Tunnels.\n\n To get started, visit our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas).\n- `cloudflared tunnel ingress validate` will now warn about unused keys in your config file. This is helpful for\n detecting typos in your config.\n- If `cloudflared` detects it is running inside a Linux container, it will limit itself to use only the number of CPUs\n the pod has been granted, instead of trying to use every CPU available.\n\n## 2021.4.0\n\n### Bug Fixes\n\n- Fixed proxying of websocket requests to avoid possibility of losing initial frames that were sent in the same TCP\n packet as response headers [#345](https://github.com/cloudflare/cloudflared/issues/345).\n- `proxy-dns` option now works in conjunction with running a named tunnel [#346](https://github.com/cloudflare/cloudflared/issues/346).\n\n## 2021.3.6\n\n### Bug Fixes\n\n- Reverted 2021.3.5 improvement to use HTTP/2 in a best-effort manner between cloudflared and origin services because\n it was found to break in some cases.\n\n## 2021.3.5\n\n### Improvements\n\n - HTTP/2 transport is now always chosen if origin server supports it and the service url scheme is HTTPS.\n This was previously done in a best attempt manner.\n\n### Bug Fixes\n\n - The MacOS binaries were not successfully released in 2021.3.3 and 2021.3.4. This release is aimed at addressing that.\n\n## 2021.3.3\n\n### Improvements\n\n- Tunnel create command, as well as, running ad-hoc tunnels using `cloudflared tunnel -name NAME`, will not overwrite\n existing files when writing tunnel credentials.\n\n### Bug Fixes\n\n- Tunnel create and delete commands no longer use path to credentials from the configuration file.\n If you need to place tunnel credentials file at a specific location, you must use `--credentials-file` flag.\n- Access ssh-gen creates properly named keys for SSH short lived certs.\n\n\n## 2021.3.2\n\n### New Features\n\n- It is now possible to obtain more detailed information about the cloudflared connectors to Cloudflare Edge via\n `cloudflared tunnel info `. It is possible to sort the output as well as output in different formats,\n such as: `cloudflared tunnel info --sort-by version --invert-sort --output json `.\n You can obtain more information via `cloudflared tunnel info --help`.\n\n### Bug Fixes\n\n- Don't look for configuration file in default paths when `--config FILE` flag is present after `tunnel` subcommand.\n- cloudflared access token command now functions correctly with the new token-per-app change from 2021.3.0.\n\n\n## 2021.3.0\n\n### New Features\n\n- [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) specific commands\n now show up in the `cloudflared tunnel route --help` output.\n- There is a new ingress type that allows cloudflared to proxy SOCKS5 as a bastion. You can use it with an ingress\n rule by adding `service: socks-proxy`. Traffic is routed to any destination specified by the SOCKS5 packet but only\n if allowed by a rule. In the following example we allow proxying to a certain CIDR but explicitly forbid one address\n within it:\n```\ningress:\n - hostname: socks.example.com\n service: socks-proxy\n originRequest:\n ipRules:\n - prefix: 192.168.1.8/32\n allow: false\n - prefix: 192.168.1.0/24\n ports: [80, 443]\n allow: true\n```\n\n\n### Improvements\n\n- Nested commands, such as `cloudflared tunnel run`, now consider CLI arguments even if they appear earlier on the\n command. For instance, `cloudflared --config config.yaml tunnel run` will now behave the same as\n `cloudflared tunnel --config config.yaml run`\n- Warnings are now shown in the output logs whenever cloudflared is running without the most recent version and\n `no-autoupdate` is `true`.\n- Access tokens are now stored per Access App instead of per request path. This decreases the number of times that the\n user is required to authenticate with an Access policy redundantly.\n\n### Bug Fixes\n\n- GitHub [PR #317](https://github.com/cloudflare/cloudflared/issues/317) was broken in 2021.2.5 and is now fixed again.\n\n## 2021.2.5\n\n### New Features\n\n- We introduce [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) in\n beta mode. Cloudflare customer can now connect users and private networks with RFC 1918 IP addresses via the\n Cloudflare edge network. Users running Cloudflare WARP client in the same organization can connect to the services\n made available by Argo Tunnel IP routes. Please share your feedback in the GitHub issue tracker.\n\n## 2021.2.4\n\n### Bug Fixes\n\n- Reverts the Improvement released in 2021.2.3 for CLI arguments as it introduced a regression where cloudflared failed\n to read URLs in configuration files.\n- cloudflared now logs the reason for failed connections if the error is recoverable.\n\n## 2021.2.3\n\n### Backward Incompatible Changes\n\n- Removes db-connect. The Cloudflare Workers product will continue to support db-connect implementations with versions\n of cloudflared that predate this release and include support for db-connect.\n\n### New Features\n\n- Introduces support for proxy configurations with websockets in arbitrary TCP connections (#318).\n\n### Improvements\n\n- (reverted) Nested command line argument handling.\n\n### Bug Fixes\n\n- The maximum number of upstream connections is now limited by default which should fix reported issues of cloudflared\n exhausting CPU usage when faced with connectivity issues.\n" }, { "path": "Dockerfile", "content": "# use a builder image for building cloudflare\nARG TARGET_GOOS\nARG TARGET_GOARCH\nFROM golang:1.24.13 AS builder\nENV GO111MODULE=on \\\n CGO_ENABLED=0 \\\n TARGET_GOOS=${TARGET_GOOS} \\\n TARGET_GOARCH=${TARGET_GOARCH} \\\n # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual\n # which changes how cloudflared binds the metrics server\n CONTAINER_BUILD=1\n\n\nWORKDIR /go/src/github.com/cloudflare/cloudflared/\n\n# copy our sources into the builder image\nCOPY . .\n\n# compile cloudflared\nRUN make cloudflared\n\n# use a distroless base image with glibc\nFROM gcr.io/distroless/base-debian13:nonroot\n\nLABEL org.opencontainers.image.source=\"https://github.com/cloudflare/cloudflared\"\n\n# copy our compiled binary\nCOPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/\n\n# run as nonroot user\n# We need to use numeric user id's because Kubernetes doesn't support strings:\n# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49\n# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18\nUSER 65532:65532\n\n# command / entrypoint of container\nENTRYPOINT [\"cloudflared\", \"--no-autoupdate\"]\nCMD [\"version\"]\n" }, { "path": "Dockerfile.amd64", "content": "# use a builder image for building cloudflare\nFROM golang:1.24.13 AS builder\nENV GO111MODULE=on \\\n CGO_ENABLED=0 \\\n # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual\n # which changes how cloudflared binds the metrics server\n CONTAINER_BUILD=1 \n\nWORKDIR /go/src/github.com/cloudflare/cloudflared/\n\n# copy our sources into the builder image\nCOPY . .\n\n# compile cloudflared\nRUN GOOS=linux GOARCH=amd64 make cloudflared\n\n# use a distroless base image with glibc\nFROM gcr.io/distroless/base-debian13:nonroot\n\nLABEL org.opencontainers.image.source=\"https://github.com/cloudflare/cloudflared\"\n\n# copy our compiled binary\nCOPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/\n\n# run as nonroot user\n# We need to use numeric user id's because Kubernetes doesn't support strings:\n# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49\n# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18\nUSER 65532:65532\n\n# command / entrypoint of container\nENTRYPOINT [\"cloudflared\", \"--no-autoupdate\"]\nCMD [\"version\"]\n" }, { "path": "Dockerfile.arm64", "content": "# use a builder image for building cloudflare\nFROM golang:1.24.13 AS builder\nENV GO111MODULE=on \\\n CGO_ENABLED=0 \\\n # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual\n # which changes how cloudflared binds the metrics server\n CONTAINER_BUILD=1\n\nWORKDIR /go/src/github.com/cloudflare/cloudflared/\n\n# copy our sources into the builder image\nCOPY . .\n\n# compile cloudflared\nRUN GOOS=linux GOARCH=arm64 make cloudflared\n\n# use a distroless base image with glibc\nFROM gcr.io/distroless/base-debian13:nonroot-arm64\n\nLABEL org.opencontainers.image.source=\"https://github.com/cloudflare/cloudflared\"\n\n# copy our compiled binary\nCOPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/\n\n# run as nonroot user\n# We need to use numeric user id's because Kubernetes doesn't support strings:\n# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49\n# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18\nUSER 65532:65532\n\n# command / entrypoint of container\nENTRYPOINT [\"cloudflared\", \"--no-autoupdate\"]\nCMD [\"version\"]\n" }, { "path": "LICENSE", "content": "\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"[]\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright [yyyy] [name of copyright owner]\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License." }, { "path": "Makefile", "content": "# The targets cannot be run in parallel\n.NOTPARALLEL:\n\nVERSION := $(shell git describe --tags --always --match \"[0-9][0-9][0-9][0-9].*.*\")\nMSI_VERSION := $(shell git tag -l --sort=v:refname | grep \"w\" | tail -1 | cut -c2-)\n#MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.\n#e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.\n\nifeq ($(ORIGINAL_NAME), true)\n\t# Used for builds that want FIPS compilation but want the artifacts generated to still have the original name.\n\tBINARY_NAME := cloudflared\nelse ifeq ($(FIPS), true)\n\t# Used for FIPS compliant builds that do not match the case above.\n\tBINARY_NAME := cloudflared-fips\nelse\n\t# Used for all other (non-FIPS) builds.\n\tBINARY_NAME := cloudflared\nendif\n\nifeq ($(NIGHTLY), true)\n\tDEB_PACKAGE_NAME := $(BINARY_NAME)-nightly\n\tNIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared\nelse\n\tDEB_PACKAGE_NAME := $(BINARY_NAME)\nendif\n\n# Use git in windows since we don't have access to the `date` tool\nifeq ($(TARGET_OS), windows)\n\tDATE := $(shell git log -1 --format=\"%ad\" --date=format-local:'%Y-%m-%dT%H:%M UTC' -- RELEASE_NOTES)\nelse\n\tDATE := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H:%M UTC')\nendif\n\nVERSION_FLAGS := -X \"main.Version=$(VERSION)\" -X \"main.BuildTime=$(DATE)\"\nifdef PACKAGE_MANAGER\n\tVERSION_FLAGS := $(VERSION_FLAGS) -X \"github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)\"\nendif\n\nifdef CONTAINER_BUILD\n\tVERSION_FLAGS := $(VERSION_FLAGS) -X \"github.com/cloudflare/cloudflared/metrics.Runtime=virtual\"\nendif\n\nLINK_FLAGS :=\nifeq ($(FIPS), true)\n\tLINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)\n\t# Prevent linking with libc regardless of CGO enabled or not.\n\tGO_BUILD_TAGS := $(GO_BUILD_TAGS) osusergo netgo fips\n\tVERSION_FLAGS := $(VERSION_FLAGS) -X \"main.BuildType=FIPS\"\nendif\n\nLDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS)'\nifneq ($(GO_BUILD_TAGS),)\n\tGO_BUILD_TAGS := -tags \"$(GO_BUILD_TAGS)\"\nendif\n\nifeq ($(debug), 1)\n\tGO_BUILD_TAGS += -gcflags=\"all=-N -l\"\nendif\n\nIMPORT_PATH := github.com/cloudflare/cloudflared\nPACKAGE_DIR := $(CURDIR)/packaging\nPREFIX := /usr\nINSTALL_BINDIR := $(PREFIX)/bin/\nINSTALL_MANDIR := $(PREFIX)/share/man/man1/\n\nLOCAL_ARCH ?= $(shell uname -m)\nifneq ($(GOARCH),)\n TARGET_ARCH ?= $(GOARCH)\nelse ifeq ($(LOCAL_ARCH),x86_64)\n TARGET_ARCH ?= amd64\nelse ifeq ($(LOCAL_ARCH),amd64)\n TARGET_ARCH ?= amd64\nelse ifeq ($(LOCAL_ARCH),386)\n TARGET_ARCH ?= 386\nelse ifeq ($(LOCAL_ARCH),i686)\n TARGET_ARCH ?= amd64\nelse ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)\n TARGET_ARCH ?= arm64\nelse ifeq ($(LOCAL_ARCH),aarch64)\n TARGET_ARCH ?= arm64\nelse ifeq ($(LOCAL_ARCH),arm64)\n TARGET_ARCH ?= arm64\nelse ifeq ($(shell echo $(LOCAL_ARCH) | head -c 4),armv)\n TARGET_ARCH ?= arm\nelse ifeq ($(LOCAL_ARCH),s390x)\n TARGET_ARCH ?= s390x\nelse\n $(error This system's architecture $(LOCAL_ARCH) isn't supported)\nendif\n\nLOCAL_OS ?= $(shell go env GOOS)\nifeq ($(LOCAL_OS),linux)\n TARGET_OS ?= linux\nelse ifeq ($(LOCAL_OS),darwin)\n TARGET_OS ?= darwin\nelse ifeq ($(LOCAL_OS),windows)\n TARGET_OS ?= windows\nelse ifeq ($(LOCAL_OS),freebsd)\n TARGET_OS ?= freebsd\nelse ifeq ($(LOCAL_OS),openbsd)\n TARGET_OS ?= openbsd\nelse\n $(error This system's OS $(LOCAL_OS) isn't supported)\nendif\n\nifeq ($(TARGET_OS), windows)\n\tEXECUTABLE_PATH=./$(BINARY_NAME).exe\nelse\n\tEXECUTABLE_PATH=./$(BINARY_NAME)\nendif\n\nifeq ($(FLAVOR), centos-7)\n\tTARGET_PUBLIC_REPO ?= el7\nelse\n\tTARGET_PUBLIC_REPO ?= $(FLAVOR)\nendif\n\nifneq ($(TARGET_ARM), )\n\tARM_COMMAND := GOARM=$(TARGET_ARM)\nendif\n\nifeq ($(TARGET_ARM), 7)\n\tPACKAGE_ARCH := armhf\nelse\n\tPACKAGE_ARCH := $(TARGET_ARCH)\nendif\n\n#for FIPS compliance, FPM defaults to MD5.\nRPM_DIGEST := --rpm-digest sha256\n\nGO_TEST_LOG_OUTPUT = /tmp/gotest.log\n\n.PHONY: all\nall: cloudflared test\n\n.PHONY: clean\nclean:\n\tgo clean\n\n.PHONY: vulncheck\nvulncheck:\n\t@./.ci/scripts/vuln-check.sh\n\n.PHONY: cloudflared\ncloudflared:\nifeq ($(FIPS), true)\n\t$(info Building cloudflared with go-fips)\nendif\n\tGOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared\nifeq ($(FIPS), true)\n\t./check-fips.sh cloudflared\nendif\n\n.PHONY: container\ncontainer:\n\tdocker build --build-arg=TARGET_ARCH=$(TARGET_ARCH) --build-arg=TARGET_OS=$(TARGET_OS) -t cloudflare/cloudflared-$(TARGET_OS)-$(TARGET_ARCH):\"$(VERSION)\" .\n\n.PHONY: generate-docker-version\ngenerate-docker-version:\n\techo latest $(VERSION) > versions\n\n\n.PHONY: test\ntest: vet\n\t$Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT)\nifneq ($(FIPS), true)\n\t@go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT)\nendif\n\n.PHONY: cover\ncover:\n\t@echo \"\"\n\t@echo \"=====> Total test coverage: <=====\"\n\t@echo \"\"\n\t# Print the overall coverage here for quick access.\n\t$Q go tool cover -func \".cover/c.out\" | grep \"total:\" | awk '{print $$3}'\n\t# Generate the HTML report that can be viewed from the browser in CI.\n\t$Q go tool cover -html \".cover/c.out\" -o .cover/all.html\n\n.PHONY: fuzz\nfuzz:\n\t@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet\n\t@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet\n\t@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3\n\t@go test -fuzz=FuzzSessionRead -fuzztime=600s ./quic/v3\n\t@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3\n\t@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3\n\t@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3\n\t@go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing\n\t@go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation\n\ncloudflared.1: cloudflared_man_template\n\tsed -e 's/\\$${VERSION}/$(VERSION)/; s/\\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1\n\ninstall: cloudflared cloudflared.1\n\tmkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)\n\tinstall -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared\n\tinstall -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1\n\n# When we build packages, the package name will be FIPS-aware.\n# But we keep the binary installed by it to be named \"cloudflared\" regardless.\ndefine build_package\n\tmkdir -p $(PACKAGE_DIR)\n\tcp cloudflared $(PACKAGE_DIR)/cloudflared\n\tcp cloudflared.1 $(PACKAGE_DIR)/cloudflared.1\n\tfpm -C $(PACKAGE_DIR) -s dir -t $(1) \\\n\t\t--description 'Cloudflare Tunnel daemon' \\\n\t\t--vendor 'Cloudflare' \\\n\t\t--license 'Apache License Version 2.0' \\\n\t\t--url 'https://github.com/cloudflare/cloudflared' \\\n\t\t-m 'Cloudflare ' \\\n\t -a $(PACKAGE_ARCH) -v $(VERSION) -n $(DEB_PACKAGE_NAME) $(RPM_DIGEST) $(NIGHTLY_FLAGS) --after-install postinst.sh --after-remove postrm.sh \\\n\t\tcloudflared=$(INSTALL_BINDIR) cloudflared.1=$(INSTALL_MANDIR)\nendef\n\n.PHONY: cloudflared-deb\ncloudflared-deb: cloudflared cloudflared.1\n\t$(call build_package,deb)\n\n.PHONY: cloudflared-rpm\ncloudflared-rpm: cloudflared cloudflared.1\n\t$(call build_package,rpm)\n\n.PHONY: cloudflared-msi\ncloudflared-msi:\n\twixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs\n\n.PHONY: github-release-dryrun\ngithub-release-dryrun:\n\tpython3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION) --dry-run\n\n.PHONY: github-release\ngithub-release:\n\tpython3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)\n\tpython3 github_message.py --release-version $(VERSION)\n\n.PHONY: r2-linux-release\nr2-linux-release:\n\tpython3 ./release_pkgs.py\n\n.PHONY: r2-next-linux-release\n# Publishes to a separate R2 repository during GPG key rollover, using dual-key signing.\nr2-next-linux-release:\n\tpython3 ./release_pkgs.py --upload-repo-file\n\n.PHONY: capnp\ncapnp:\n\twhich capnp # https://capnproto.org/install.html\n\twhich capnpc-go # go install zombiezen.com/go/capnproto2/capnpc-go@latest\n\tcapnp compile -ogo tunnelrpc/proto/tunnelrpc.capnp tunnelrpc/proto/quic_metadata_protocol.capnp\n\n.PHONY: vet\nvet:\n\t$Q go vet -mod=vendor github.com/cloudflare/cloudflared/...\n\n.PHONY: fmt\nfmt:\n\t@goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)\n\t@go fmt $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)\n\n.PHONY: fmt-check\nfmt-check:\n\t@./.ci/scripts/fmt-check.sh\n\n.PHONY: lint\nlint:\n\t@golangci-lint run\n\n.PHONY: mocks\nmocks:\n\tgo generate mocks/mockgen.go\n\n.PHONY: ci-build\nci-build:\n\t@GOOS=linux GOARCH=amd64 $(MAKE) cloudflared\n\t@mkdir -p artifacts\n\t@mv cloudflared artifacts/cloudflared\n\n.PHONY: ci-fips-build\nci-fips-build:\n\t@FIPS=true GOOS=linux GOARCH=amd64 $(MAKE) cloudflared\n\t@mkdir -p artifacts\n\t@mv cloudflared artifacts/cloudflared\n\n.PHONY: ci-test\nci-test: fmt-check lint test\n\t@go run -mod=readonly github.com/jstemmer/go-junit-report/v2@latest -in $(GO_TEST_LOG_OUTPUT) -parser gojson -out report.xml -set-exit-code\n\n.PHONY: ci-fips-test\nci-fips-test:\n\t@FIPS=true $(MAKE) ci-test\n" }, { "path": "README.md", "content": "# Cloudflare Tunnel client\n\nContains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.\nThis daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you\nvia this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.\nExtensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs.\nAll usages related with proxying to your origins are available under `cloudflared tunnel help`.\n\nYou can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic\nat Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.\nSuch usages are available under `cloudflared access help`.\n\nYou can instead use [WARP client](https://developers.cloudflare.com/warp-client/)\nto access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.\n\n\n## Before you get started\n\nBefore you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a\nwebsite to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private\nrouting), but for legacy reasons this requirement is still necessary:\n1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)\n2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)\n\n\n## Installing `cloudflared`\n\nDownloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.\n\n* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)\n* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux)\n* A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)\n* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows)\n* To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`.\n\nUser documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/\n\n\n## Creating Tunnels and routing traffic\n\nOnce installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.\n\n* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/)\n* Route traffic to that Tunnel:\n * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/)\n * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)\n * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)\n\n\n## TryCloudflare\n\nWant to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/).\n\n## Deprecated versions\n\nCloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).\n\nFor example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.\n\n## Development\n\n### Requirements\n- [GNU Make](https://www.gnu.org/software/make/)\n- [capnp](https://capnproto.org/install.html)\n- [go >= 1.24](https://go.dev/doc/install)\n- Optional tools:\n - [capnpc-go](https://pkg.go.dev/zombiezen.com/go/capnproto2/capnpc-go)\n - [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports)\n - [golangci-lint](https://github.com/golangci/golangci-lint)\n - [gomocks](https://pkg.go.dev/go.uber.org/mock)\n\n### Build\nTo build cloudflared locally run `make cloudflared`\n\n### Test\nTo locally run the tests run `make test`\n\n### Linting\nTo format the code and keep a good code quality use `make fmt` and `make lint`\n\n### Mocks\nAfter changes on interfaces you might need to regenerate the mocks, so run `make mock`\n" }, { "path": "RELEASE_NOTES", "content": "2026.3.0\n- 2026-03-05 TUN-10292: Add cloudflared management token command\n- 2026-03-03 chore: Addressing small fixes and typos\n- 2026-03-03 fix: Update go-sentry and go-oidc to address CVE's\n- 2026-02-24 TUN-10258: add agents.md\n- 2026-02-23 TUN-10267: Update mods to fix CVE GO-2026-4394\n- 2026-02-20 TUN-10247: Update tail command to use /management/logs endpoint\n- 2026-02-11 TUN-9858: Add more information to proxy-dns removal message\n\n2026.2.0\n- 2026-02-06 TUN-10216: TUN fix cloudflare vulnerabilities GO-2026-4340 and GO-2026-4341\n- 2026-02-02 TUN-9858: Remove proxy-dns feature from cloudflared\n\n2026.1.2\n- 2026-01-23 Revert \"TUN-9863: Update pipelines to use cloudflared EV Certificate\"\n- 2026-01-21 Revert \"TUN-9886 notarize cloudflared\"\n- 2025-12-12 TUN-9886 notarize cloudflared\n\n2026.1.1\n- 2026-01-19 fix: Update boto3 to run on trixie\n- 2026-01-19 fix: Fix wixl bundling tool for windows msi packages\n- 2026-01-19 fix: rpm bundling and rpm key import\n\n2026.1.0\n- 2026-01-13 TUN-10162: Update go to 1.24.11 and Debian distroless to debian13\n- 2025-11-21 Replace jira.cfops.it with jira.cfdata.org in connection/http2_test.go\n- 2025-11-19 TUN-9863: Update pipelines to use cloudflared EV Certificate\n- 2025-11-07 TUN-9800: Migrate apt internal builds to Gitlab\n- 2025-11-04 TUN-9998: Don't need to read origin cert to determine if the endpoint is fedramp\n- 2025-10-13 TUN-9910: Make the metadata key to carry HTTP status over QUIC transport a constant\n\n2025.11.1\n- 2025-11-07 TUN-9800: Fix docker hub push step\n\n2025.11.0\n- 2025-11-06 TUN-9863: Introduce Code Signing for Windows Builds\n- 2025-11-06 TUN-9800: Prefix gitlab steps with operating system\n- 2025-11-04 chore: Update cloudflared signing key name in index.html\n- 2025-10-31 chore: add claude review\n- 2025-10-31 Chore: Update documentation links in README\n- 2025-10-31 TUN-9800: Add pipelines for linux packaging\n\n2025.10.1\n- 2025-10-30 chore: Update ci image to use goboring 1.24.9\n- 2025-10-28 TUN-9849: Add cf-proxy-* to control response headers\n- 2025-10-24 TUN-9961: Add pkg.cloudflared.com index.html to git repo\n- 2025-10-23 TUN-9954: Update from go1.24.6 to go1.24.9\n- 2025-10-23 Fix systemd service installation hanging\n- 2025-10-21 TUN-9941: Use new GPG key for RPM builds\n- 2025-10-21 TUN-9941: Fix typo causing r2-release-next deployment to fail\n- 2025-10-21 TUN-9941: Lookup correct key for RPM signature\n- 2025-10-15 TUN-9919: Make RPM postinstall scriplet idempotent\n- 2025-10-14 TUN-9916: Fix the cloudflared binary path used in the component test\n\n2025.10.0\n- 2025-10-14 chore: Fix upload of RPM repo file during double signing\n- 2025-10-13 TUN-9882: Bump datagram v3 write channel capacity\n- 2025-10-10 chore: Fix import of GPG keys when two keys are provided\n- 2025-10-10 chore: Fix parameter order when uploading RPM .repo file to R2\n- 2025-10-10 TUN-9883: Add new datagram v3 feature flag\n- 2025-10-09 chore: Force usage of go-boring 1.24\n- 2025-10-08 TUN-9882: Improve metrics for datagram v3\n- 2025-10-07 GRC-16749: Add fedramp tags to catalog\n- 2025-10-07 TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3\n- 2025-10-07 TUN-9882: Add write deadline for UDP origin writes\n- 2025-09-29 TUN-9776: Support signing Debian packages with two keys for rollover\n- 2025-09-22 TUN-9800: Add pipeline to sync between gitlab and github repos\n\n2025.9.1\n- 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check\n- 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command\n\n2025.9.0\n- 2025-09-15 TUN-9820: Add support for FedRAMP in originRequest Access config\n- 2025-09-11 TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI\n- 2025-09-04 TUN-9803: Add windows builds to gitlab-ci\n- 2025-08-27 TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token\n\n2025.8.1\n- 2025-08-19 AUTH-7480 update fed callback url for login helper\n- 2025-08-19 CUSTESC-53681: Correct QUIC connection management for datagram handlers\n- 2025-08-12 AUTH-7260: Add support for login interstitial auto closure\n\n2025.8.0\n- 2025-08-07 vuln: Fix GO-2025-3770 vulnerability\n- 2025-07-23 TUN-9583: set proper url and hostname for cloudflared tail command\n- 2025-07-07 TUN-9542: Remove unsupported Debian-based releases\n\n2025.7.0\n- 2025-07-03 TUN-9540: Use numeric user id for Dockerfiles\n- 2025-07-01 TUN-9161: Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences\n- 2025-07-01 TUN-9531: Bump go-boring from 1.24.2 to 1.24.4\n- 2025-07-01 TUN-9511: Add metrics for virtual DNS origin\n- 2025-06-30 TUN-9470: Add OriginDialerService to include TCP\n- 2025-06-30 TUN-9473: Add --dns-resolver-addrs flag\n- 2025-06-27 TUN-9472: Add virtual DNS service\n- 2025-06-23 TUN-9469: Centralize UDP origin proxy dialing as ingress service\n\n2025.6.1\n- 2025-06-16 TUN-9467: add vulncheck to cloudflared\n- 2025-06-16 TUN-9495: Remove references to cloudflare-go\n- 2025-06-16 TUN-9371: Add logging format as JSON\n- 2025-06-12 TUN-9467: bump coredns to solve CVE\n\n2025.6.0\n- 2025-06-06 TUN-9016: update go to 1.24\n- 2025-06-05 TUN-9171: Use `is_default_network` instead of `is_default` to create vnet's\n\n2025.5.0\n- 2025-05-14 TUN-9319: Add dynamic loading of features to connections via ConnectionOptionsSnapshot\n- 2025-05-13 TUN-9322: Add metric for unsupported RPC commands for datagram v3\n- 2025-05-07 TUN-9291: Remove dynamic reloading of features for datagram v3\n\n2025.4.2\n- 2025-04-30 chore: Do not use gitlab merge request pipelines\n- 2025-04-30 DEVTOOLS-16383: Create GitlabCI pipeline to release Mac builds\n- 2025-04-24 TUN-9255: Improve flush on write conditions in http2 tunnel type to match what is done on the edge\n- 2025-04-10 SDLC-3727 - Adding FIPS status to backstage\n\n2025.4.0\n- 2025-04-02 Fix broken links in `cmd/cloudflared/*.go` related to running tunnel as a service\n- 2025-04-02 chore: remove repetitive words\n- 2025-04-01 Fix messages to point to one.dash.cloudflare.com\n- 2025-04-01 feat: emit explicit errors for the `service` command on unsupported OSes\n- 2025-04-01 Use RELEASE_NOTES date instead of build date\n- 2025-04-01 chore: Update tunnel configuration link in the readme\n- 2025-04-01 fix: expand home directory for credentials file\n- 2025-04-01 fix: Use path and filepath operation appropriately\n- 2025-04-01 feat: Adds a new command line for tunnel run for token file\n- 2025-04-01 chore: fix linter rules\n- 2025-03-17 TUN-9101: Don't ignore errors on `cloudflared access ssh`\n- 2025-03-06 TUN-9089: Pin go import to v0.30.0, v0.31.0 requires go 1.23\n\n2025.2.1\n- 2025-02-26 TUN-9016: update base-debian to v12\n- 2025-02-25 TUN-8960: Connect to FED API GW based on the OriginCert's endpoint\n- 2025-02-25 TUN-9007: modify logic to resolve region when the tunnel token has an endpoint field\n- 2025-02-13 SDLC-3762: Remove backstage.io/source-location from catalog-info.yaml\n- 2025-02-06 TUN-8914: Create a flags module to group all cloudflared cli flags\n\n2025.2.0\n- 2025-02-03 TUN-8914: Add a new configuration to locally override the max-active-flows\n- 2025-02-03 Bump x/crypto to 0.31.0\n\n2025.1.1\n- 2025-01-30 TUN-8858: update go to 1.22.10 and include quic-go FIPS changes\n- 2025-01-30 TUN-8855: fix lint issues\n- 2025-01-30 TUN-8855: Update PQ curve preferences\n- 2025-01-30 TUN-8857: remove restriction for using FIPS and PQ\n- 2025-01-30 TUN-8894: report FIPS+PQ error to Sentry when dialling to the edge\n- 2025-01-22 TUN-8904: Rename Connect Response Flow Rate Limited metadata\n- 2025-01-21 AUTH-6633 Fix cloudflared access login + warp as auth\n- 2025-01-20 TUN-8861: Add session limiter to UDP session manager\n- 2025-01-20 TUN-8861: Rename Session Limiter to Flow Limiter\n- 2025-01-17 TUN-8900: Add import of Apple Developer Certificate Authority to macOS Pipeline\n- 2025-01-17 TUN-8871: Accept login flag to authenticate with Fedramp environment\n- 2025-01-16 TUN-8866: Add linter to cloudflared repository\n- 2025-01-14 TUN-8861: Add session limiter to TCP session manager\n- 2025-01-13 TUN-8861: Add configuration for active sessions limiter\n- 2025-01-09 TUN-8848: Don't treat connection shutdown as an error condition when RPC server is done\n\n2025.1.0\n- 2025-01-06 TUN-8842: Add Ubuntu Noble and 'any' debian distributions to release script\n- 2025-01-06 TUN-8807: Add support_datagram_v3 to remote feature rollout\n- 2024-12-20 TUN-8829: add CONTAINER_BUILD to dockerfiles\n\n2024.12.2\n- 2024-12-19 TUN-8822: Prevent concurrent usage of ICMPDecoder\n- 2024-12-18 TUN-8818: update changes document to reflect newly added diag subcommand\n- 2024-12-17 TUN-8817: Increase close session channel by one since there are two writers\n- 2024-12-13 TUN-8797: update CHANGES.md with note about semi-deterministic approach used to bind metrics server\n- 2024-12-13 TUN-8724: Add CLI command for diagnostic procedure\n- 2024-12-11 TUN-8786: calculate cli flags once for the diagnostic procedure\n- 2024-12-11 TUN-8792: Make diag/system endpoint always return a JSON\n- 2024-12-10 TUN-8783: fix log collectors for the diagnostic procedure\n- 2024-12-10 TUN-8785: include the icmp sources in the diag's tunnel state\n- 2024-12-10 TUN-8784: Set JSON encoder options to print formatted JSON when writing diag files\n\n2024.12.1\n- 2024-12-10 TUN-8795: update createrepo to createrepo_c to fix the release_pkgs.py script\n\n2024.12.0\n- 2024-12-09 TUN-8640: Add ICMP support for datagram V3\n- 2024-12-09 TUN-8789: make python package installation consistent\n- 2024-12-06 TUN-8781: Add Trixie, drop Buster. Default to Bookworm\n- 2024-12-05 TUN-8775: Make sure the session Close can only be called once\n- 2024-12-04 TUN-8725: implement diagnostic procedure\n- 2024-12-04 TUN-8767: include raw output from network collector in diagnostic zipfile\n- 2024-12-04 TUN-8770: add cli configuration and tunnel configuration to diagnostic zipfile\n- 2024-12-04 TUN-8768: add job report to diagnostic zipfile\n- 2024-12-03 TUN-8726: implement compression routine to be used in diagnostic procedure\n- 2024-12-03 TUN-8732: implement port selection algorithm\n- 2024-12-03 TUN-8762: fix argument order when invoking tracert and modify network info output parsing.\n- 2024-12-03 TUN-8769: fix k8s log collector arguments\n- 2024-12-03 TUN-8727: extend client to include function to get cli configuration and tunnel configuration\n- 2024-11-29 TUN-8729: implement network collection for diagnostic procedure\n- 2024-11-29 TUN-8727: implement metrics, runtime, system, and tunnelstate in diagnostic http client\n- 2024-11-27 TUN-8733: add log collection for docker\n- 2024-11-27 TUN-8734: add log collection for kubernetes\n- 2024-11-27 TUN-8640: Refactor ICMPRouter to support new ICMPResponders\n- 2024-11-26 TUN-8735: add managed/local log collection\n- 2024-11-25 TUN-8728: implement diag/tunnel endpoint\n- 2024-11-25 TUN-8730: implement diag/configuration\n- 2024-11-22 TUN-8737: update metrics server port selection\n- 2024-11-22 TUN-8731: Implement diag/system endpoint\n- 2024-11-21 TUN-8748: Migrated datagram V3 flows to use migrated context\n\n2024.11.1\n- 2024-11-18 Add cloudflared tunnel ready command\n- 2024-11-14 Make metrics a requirement for tunnel ready command\n- 2024-11-12 TUN-8701: Simplify flow registration logs for datagram v3\n- 2024-11-11 add: new go-fuzz targets\n- 2024-11-07 TUN-8701: Add metrics and adjust logs for datagram v3\n- 2024-11-06 TUN-8709: Add session migration for datagram v3\n- 2024-11-04 Fixed 404 in README.md to TryCloudflare\n- 2024-09-24 Update semgrep.yml\n\n2024.11.0\n- 2024-11-05 VULN-66059: remove ssh server tests\n- 2024-11-04 TUN-8700: Add datagram v3 muxer\n- 2024-11-04 TUN-8646: Allow experimental feature support for datagram v3\n- 2024-11-04 TUN-8641: Expose methods to simplify V3 Datagram parsing on the edge\n- 2024-10-31 TUN-8708: Bump python min version to 3.10\n- 2024-10-31 TUN-8667: Add datagram v3 session manager\n- 2024-10-25 TUN-8692: remove dashes from session id\n- 2024-10-24 TUN-8694: Rework release script\n- 2024-10-24 TUN-8661: Refactor connection methods to support future different datagram muxing methods\n- 2024-07-22 TUN-8553: Bump go to 1.22.5 and go-boring 1.22.5-1\n\n2024.10.1\n- 2024-10-23 TUN-8694: Fix github release script\n- 2024-10-21 Revert \"TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport\"\n- 2024-10-18 TUN-8688: Correct UDP bind for IPv6 edge connectivity on macOS\n- 2024-10-17 TUN-8685: Bump coredns dependency\n- 2024-10-16 TUN-8638: Add datagram v3 serializers and deserializers\n- 2024-10-15 chore: Remove h2mux code\n- 2024-10-11 TUN-8631: Abort release on version mismatch\n\n2024.10.0\n- 2024-10-01 TUN-8646: Add datagram v3 support feature flag\n- 2024-09-30 TUN-8621: Fix cloudflared version in change notes to account for release date\n- 2024-09-19 Adding semgrep yaml file\n- 2024-09-12 TUN-8632: Delay checking auto-update by the provided frequency\n- 2024-09-11 TUN-8630: Check checksum of downloaded binary to compare to current for auto-updating\n- 2024-09-09 TUN-8629: Cloudflared update on Windows requires running it twice to update\n- 2024-09-06 PPIP-2310: Update quick tunnel disclaimer\n- 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering\n- 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport\n- 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled\n\n2024.9.1\n- 2024-09-10 Revert Release 2024.9.0\n\n2024.9.0\n- 2024-09-10 TUN-8621: Fix cloudflared version in change notes.\n- 2024-09-06 PPIP-2310: Update quick tunnel disclaimer\n- 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering\n- 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport\n- 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled\n\n2024.8.3\n- 2024-08-15 TUN-8591 login command without extra text\n- 2024-03-25 remove code that will not be executed\n- 2024-03-25 remove code that will not be executed\n\n2024.8.2\n- 2024-08-05 TUN-8583: change final directory of artifacts\n- 2024-08-05 TUN-8585: Avoid creating GH client when dry-run is true\n\n2024.7.3\n- 2024-07-31 TUN-8546: Fix final artifacts paths\n\n2024.7.2\n- 2024-07-17 TUN-8546: rework MacOS build script\n\n2024.7.1\n- 2024-07-16 TUN-8543: use -p flag to create intermediate directories\n\n2024.7.0\n- 2024-07-05 TUN-8520: add macos arm64 build\n- 2024-07-05 TUN-8523: refactor makefile and cfsetup\n- 2024-07-02 TUN-8504: Use pre-installed python version instead of downloading it on Windows builds\n- 2024-06-26 TUN-8489: Add default noop logger for capnprpc\n- 2024-06-25 TUN-8487: Add user-agent for quick-tunnel requests\n- 2023-12-12 TUN-8057: cloudflared uses new PQ curve ID\n\n2024.6.1\n- 2024-06-12 TUN-8461: Don't log Failed to send session payload if the error is EOF\n- 2024-06-07 TUN-8456: Update quic-go to 0.45 and collect mtu and congestion control metrics\n- 2024-06-06 TUN-8452: Add flag to control QUIC stream-level flow control limit\n- 2024-06-06 TUN-8451: Log QUIC flow control frames and transport parameters received\n- 2024-06-05 TUN-8449: Add flag to control QUIC connection-level flow control limit and increase default to 30MB\n\n2024.6.0\n- 2024-05-30 TUN-8441: Correct UDP total sessions metric to a counter and add new ICMP metrics\n- 2024-05-28 TUN-8422: Add metrics for capnp method calls\n- 2024-05-24 TUN-8424: Refactor capnp registration server\n- 2024-05-23 TUN-8427: Fix BackoffHandler's internally shared clock structure\n- 2024-05-21 TUN-8425: Remove ICMP binding for quick tunnels\n- 2024-05-20 TUN-8423: Deprecate older legacy tunnel capnp interfaces\n- 2024-05-15 TUN-8419: Add capnp safe transport\n- 2024-05-13 TUN-8415: Refactor capnp rpc into a single module\n\n2024.5.0\n- 2024-05-07 TUN-8407: Upgrade go to version 1.22.2\n\n2024.4.1\n- 2024-04-22 TUN-8380: Add sleep before requesting quick tunnel as temporary fix for component tests\n- 2024-04-19 TUN-8374: Close UDP socket if registration fails\n- 2024-04-18 TUN-8371: Bump quic-go to v0.42.0\n- 2024-04-03 TUN-8333: Bump go-jose dependency to v4\n- 2024-04-02 TUN-8331: Add unit testing for AccessJWTValidator middleware\n\n2024.4.0\n- 2024-04-02 feat: provide short version (#1206)\n- 2024-04-02 Format code\n- 2024-01-18 feat: auto tls sni\n- 2023-12-24 fix checkInPingGroup bugs\n- 2023-12-15 Add environment variables for TCP tunnel hostname / destination / URL.\n\n2024.3.0\n- 2024-03-14 TUN-8281: Run cloudflared query list tunnels/routes endpoint in a paginated way\n- 2024-03-13 TUN-8297: Improve write timeout logging on safe_stream.go\n- 2024-03-07 TUN-8290: Remove `|| true` from postrm.sh\n- 2024-03-05 TUN-8275: Skip write timeout log on \"no network activity\"\n- 2024-01-23 Update postrm.sh to fix incomplete uninstall\n- 2024-01-05 fix typo in errcheck for response parsing logic in CreateTunnel routine\n- 2023-12-23 Update linux_service.go\n- 2023-12-07 ci: bump actions/checkout to v4\n- 2023-12-07 ci/check: bump actions/setup-go to v5\n- 2023-04-28 check.yaml: bump actions/setup-go to v4\n\n2024.2.1\n- 2024-02-20 TUN-8242: Update Changes.md file with new remote diagnostics behaviour\n- 2024-02-19 TUN-8238: Fix type mismatch introduced by fast-forward\n- 2024-02-16 TUN-8243: Collect metrics on the number of QUIC frames sent/received\n- 2024-02-15 TUN-8238: Refactor proxy logging\n- 2024-02-14 TUN-8242: Enable remote diagnostics by default\n- 2024-02-12 TUN-8236: Add write timeout to quic and tcp connections\n- 2024-02-09 TUN-8224: Fix safety of TCP stream logging, separate connect and ack log messages\n\n2024.2.0\n- 2024-02-07 TUN-8224: Count and collect metrics on stream connect successes/errors\n\n2024.1.5\n- 2024-01-22 TUN-8176: Support ARM platforms that don't have an FPU or have it enabled in kernel\n- 2024-01-15 TUN-8158: Bring back commit e6537418859afcac29e56a39daa08bcabc09e048 and fixes infinite loop on linux when the socket is closed\n\n2024.1.4\n- 2024-01-19 Revert \"TUN-8158: Add logging to confirm when ICMP reply is returned to the edge\"\n\n2024.1.3\n- 2024-01-15 TUN-8161: Fix broken ARM build for armv6\n- 2024-01-15 TUN-8158: Add logging to confirm when ICMP reply is returned to the edge\n\n2024.1.2\n- 2024-01-11 TUN-8147: Disable ECN usage due to bugs in detecting if supported\n- 2024-01-11 TUN-8146: Fix export path for install-go command\n- 2024-01-11 TUN-8146: Fix Makefile targets should not be run in parallel and install-go script was missing shebang\n- 2024-01-10 TUN-8140: Remove homebrew scripts\n\n2024.1.1\n- 2024-01-10 TUN-8134: Revert installed prefix to /usr\n- 2024-01-09 TUN-8130: Fix path to install go for mac build\n- 2024-01-09 TUN-8129: Use the same build command between branch and release builds\n- 2024-01-09 TUN-8130: Install go tool chain in /tmp on build agents\n- 2024-01-09 TUN-8134: Install cloudflare go as part of make install\n- 2024-01-08 TUN-8118: Disable FIPS module to build with go-boring without CGO_ENABLED\n\n2024.1.0\n- 2024-01-01 TUN-7934: Update quic-go to a version that queues datagrams for better throughput and drops large datagram\n- 2023-12-20 TUN-8072: Need to set GOCACHE in mac go installation script\n- 2023-12-17 TUN-8072: Add script to download cloudflare go for Mac build agents\n- 2023-12-15 Fix nil pointer dereference segfault when passing \"null\" config json to cloudflared tunnel ingress validate (#1070)\n- 2023-12-15 configuration.go: fix developerPortal link (#960)\n- 2023-12-14 tunnelrpc/pogs: fix dropped test errors (#1106)\n- 2023-12-14 cmd/cloudflared/updater: fix dropped error (#1055)\n- 2023-12-14 use os.Executable to discover the path to cloudflared (#1040)\n- 2023-12-14 Remove extraneous `period` from Path Environment Variable (#1009)\n- 2023-12-14 Use CLI context when running tunnel (#597)\n- 2023-12-14 TUN-8066: Define scripts to build on Windows agents\n- 2023-12-11 TUN-8052: Update go to 1.21.5\n- 2023-12-07 TUN-7970: Default to enable post quantum encryption for quic transport\n- 2023-12-04 TUN-8006: Update quic-go to latest upstream\n- 2023-11-15 VULN-44842 Add a flag that allows users to not send the Access JWT to stdout\n- 2023-11-13 TUN-7965: Remove legacy incident status page check\n- 2023-11-13 AUTH-5682 Org token flow in Access logins should pass CF_AppSession cookie\n\n2023.10.0\n- 2023-10-06 TUN-7864: Document cloudflared versions support\n- 2023-10-03 CUSTESC-33731: Make rule match test report rule in 0-index base\n- 2023-09-22 TUN-7824: Fix usage of systemctl status to detect which services are installed\n- 2023-09-20 TUN-7813: Improve tunnel delete command to use cascade delete\n- 2023-09-20 TUN-7787: cloudflared only list ip routes targeted for cfd_tunnel\n- 2023-09-15 TUN-7787: Refactor cloudflared to use new route endpoints based on route IDs\n- 2023-09-08 TUN-7776: Remove warp-routing flag from cloudflared\n- 2023-09-05 TUN-7756: Clarify that QUIC is mandatory to support ICMP proxying\n\n2023.8.2\n- 2023-08-25 TUN-7700: Implement feature selector to determine if connections will prefer post quantum cryptography\n- 2023-08-22 TUN-7707: Use X25519Kyber768Draft00 curve when post-quantum feature is enabled\n\n2023.8.1\n- 2023-08-23 TUN-7718: Update R2 Token to no longer encode secret\n\n2023.8.0\n- 2023-07-26 TUN-7584: Bump go 1.20.6\n\n2023.7.3\n- 2023-07-25 TUN-7628: Correct Host parsing for Access\n- 2023-07-24 TUN-7624: Fix flaky TestBackoffGracePeriod test in cloudflared\n\n2023.7.2\n- 2023-07-19 TUN-7599: Onboard cloudflared to Software Dashboard\n- 2023-07-19 TUN-7587: Remove junos builds\n- 2023-07-18 TUN-7597: Add flag to disable auto-update services to be installed\n- 2023-07-17 TUN-7594: Add nightly arm64 cloudflared internal deb publishes\n- 2023-07-14 TUN-7586: Upgrade go-jose/go-jose/v3 and core-os/go-oidc/v3\n- 2023-07-14 TUN-7589: Remove legacy golang.org/x/crypto/ssh/terminal package usage\n- 2023-07-14 TUN-7590: Remove usages of ioutil\n- 2023-07-14 TUN-7585: Remove h2mux compression\n- 2023-07-14 TUN-7588: Update package coreos/go-systemd\n\n2023.7.1\n- 2023-07-13 TUN-7582: Correct changelog wording for --management-diagnostics\n- 2023-07-12 TUN-7575: Add option to disable PTMU discovery over QUIC\n\n2023.7.0\n- 2023-07-06 TUN-7558: Flush on Writes for StreamBasedOriginProxy\n- 2023-07-05 TUN-7553: Add flag to enable management diagnostic services\n- 2023-07-05 TUN-7564: Support cf-trace-id for cloudflared access\n- 2023-07-05 TUN-7477: Decrement UDP sessions on shutdown\n- 2023-07-03 TUN-7545: Add support for full bidirectionally streaming with close signal propagation\n- 2023-06-30 TUN-7549: Add metrics route to management service\n- 2023-06-30 TUN-7551: Complete removal of raven-go to sentry-go\n- 2023-06-30 TUN-7550: Add pprof endpoint to management service\n- 2023-06-29 TUN-7543: Add --debug-stream flag to cloudflared access ssh\n- 2023-06-26 TUN-6011: Remove docker networks from ICMP Proxy test\n- 2023-06-20 AUTH-5328 Pass cloudflared_token_check param when running cloudflared access login\n\n2023.6.1\n- 2023-06-19 TUN-7480: Added a timeout for unregisterUDP.\n- 2023-06-16 TUN-7477: Add UDP/TCP session metrics\n- 2023-06-14 TUN-7468: Increase the limit of incoming streams\n\n2023.6.0\n- 2023-06-15 TUN-7471: Fixes cloudflared not closing the quic stream on unregister UDP session\n- 2023-06-09 TUN-7463: Add default ingress rule if no ingress rules are provided when updating the configuration\n- 2023-05-31 TUN-7447: Add a cover build to report code coverage\n\n2023.5.1\n- 2023-05-16 TUN-7424: Add CORS headers to host_details responses\n- 2023-05-11 TUN-7421: Add *.cloudflare.com to permitted Origins for management WebSocket requests\n- 2023-05-05 TUN-7404: Default configuration version set to -1\n- 2023-05-05 TUN-7227: Migrate to devincarr/quic-go\n\n2023.5.0\n- 2023-04-27 TUN-7398: Add support for quic safe stream to set deadline\n- 2023-04-26 TUN-7394: Retry StartFirstTunnel on quic.ApplicationErrors\n- 2023-04-26 TUN-7392: Ignore release checksum upload if asset already uploaded\n- 2023-04-25 TUN-7392: Ignore duplicate artifact uploads for github release\n- 2023-04-25 TUN-7393: Add json output for cloudflared tail\n- 2023-04-24 TUN-7390: Remove Debian stretch builds\n\n2023.4.2\n- 2023-04-24 TUN-7133: Add sampling support for streaming logs\n- 2023-04-21 TUN-7141: Add component tests for streaming logs\n- 2023-04-21 TUN-7373: Streaming logs override for same actor\n- 2023-04-20 TUN-7383: Bump requirements.txt\n- 2023-04-19 TUN-7361: Add a label to override hostname\n- 2023-04-19 TUN-7378: Remove RPC debug logs\n- 2023-04-18 TUN-7360: Add Get Host Details handler in management service\n- 2023-04-17 AUTH-3122 Verify that Access tokens are still valid in curl command\n- 2023-04-17 TUN-7129: Categorize TCP logs for streaming logs\n- 2023-04-17 TUN-7130: Categorize UDP logs for streaming logs\n- 2023-04-10 AUTH-4887 Add aud parameter to token transfer url\n\n2023.4.1\n- 2023-04-13 TUN-7368: Report destination address for TCP requests in logs\n- 2023-04-12 TUN-7134: Acquire token for cloudflared tail\n- 2023-04-12 TUN-7131: Add cloudflared log event to connection messages and enable streaming logs\n- 2023-04-11 TUN-7132 TUN-7136: Add filter support for streaming logs\n- 2023-04-06 TUN-7354: Don't warn for empty ingress rules when using --token\n- 2023-04-06 TUN-7128: Categorize logs from public hostname locations\n- 2023-04-06 TUN-7351: Add streaming logs session ping and timeout\n- 2023-04-06 TUN-7335: Fix cloudflared update not working in windows\n\n2023.4.0\n- 2023-04-07 TUN-7356: Bump golang.org/x/net package to 0.7.0\n- 2023-04-07 TUN-7357: Bump to go 1.19.6\n- 2023-04-06 TUN-7127: Disconnect logger level requirement for management\n- 2023-04-05 TUN-7332: Remove legacy tunnel force flag\n- 2023-04-05 TUN-7135: Add cloudflared tail\n- 2023-04-04 Add suport for OpenBSD (#916)\n- 2023-04-04 Fix typo (#918)\n- 2023-04-04 TUN-7125: Add management streaming logs WebSocket protocol\n- 2023-03-30 TUN-9999: Remove classic tunnel component tests\n- 2023-03-30 TUN-7126: Add Management logger io.Writer\n- 2023-03-29 TUN-7324: Add http.Hijacker to connection.ResponseWriter\n- 2023-03-29 TUN-7333: Default features checkable at runtime across all packages\n- 2023-03-21 TUN-7124: Add intercept ingress rule for management requests\n\n2023.3.1\n- 2023-03-13 TUN-7271: Return 503 status code when no ingress rules configured\n- 2023-03-10 TUN-7272: Fix cloudflared returning non supported status service which breaks configuration migration\n- 2023-03-09 TUN-7259: Add warning for missing ingress rules\n- 2023-03-09 TUN-7268: Default to Program Files as location for win32\n- 2023-03-07 TUN-7252: Remove h2mux connection\n- 2023-03-07 TUN-7253: Adopt http.ResponseWriter for connection.ResponseWriter\n- 2023-03-06 TUN-7245: Add bastion flag to origin service check\n- 2023-03-06 EDGESTORE-108: Remove deprecated s3v2 signature\n- 2023-03-02 TUN-7226: Fixed a missed rename\n\n2023.3.0\n- 2023-03-01 GH-352: Add Tunnel CLI option \"edge-bind-address\" (#870)\n- 2023-03-01 Fixed WIX template to allow MSI upgrades (#838)\n- 2023-02-28 TUN-7213: Decode Base64 encoded key before writing it\n- 2023-02-28 check.yaml: update actions to v3 (#876)\n- 2023-02-27 TUN-7213: Debug homebrew-cloudflare build\n- 2023-02-15 RTG-2476 Add qtls override for Go 1.20\n\n2023.2.2\n- 2023-02-22 TUN-7197: Add connIndex tag to debug messages of incoming requests\n- 2023-02-08 TUN-7167: Respect protocol overrides with --token\n- 2023-02-06 TUN-7065: Remove classic tunnel creation\n- 2023-02-06 TUN-6938: Force h2mux protocol to http2 for named tunnels\n- 2023-02-06 TUN-6938: Provide QUIC as first in protocol list\n- 2023-02-03 TUN-7158: Correct TCP tracing propagation\n- 2023-02-01 TUN-7151: Update changes file with latest release notices\n\n2023.2.1\n- 2023-02-01 TUN-7065: Revert Ingress Rule check for named tunnel configurations\n- 2023-02-01 Revert \"TUN-7065: Revert Ingress Rule check for named tunnel configurations\"\n- 2023-02-01 Revert \"TUN-7065: Remove classic tunnel creation\"\n2023.1.0\n- 2023-01-10 TUN-7064: RPM digests are now sha256 instead of md5sum\n- 2023-01-04 RTG-2418 Update qtls\n- 2022-12-24 TUN-7057: Remove dependency github.com/gorilla/mux\n- 2022-12-24 TUN-6724: Migrate to sentry-go from raven-go\n\n2022.12.1\n- 2022-12-20 TUN-7021: Fix proxy-dns not starting when cloudflared tunnel is run\n- 2022-12-15 TUN-7010: Changelog for release 2022.12.0\n\n2022.12.0\n- 2022-12-14 TUN-6999: cloudflared should attempt other edge addresses before falling back on protocol\n- 2022-12-13 TUN-7004: Dont show local config dirs for remotely configured tuns\n- 2022-12-12 TUN-7003: Tempoarily disable erroneous notarize-app\n- 2022-12-12 TUN-7003: Add back a missing fi\n- 2022-12-07 TUN-7000: Reduce metric cardinality of closedConnections metric by removing error as tag\n- 2022-12-07 TUN-6994: Improve logging config file not found\n- 2022-12-07 TUN-7002: Randomise first region selection\n- 2022-12-07 TUN-6995: Disable quick-tunnels spin up by default\n- 2022-12-05 TUN-6984: Add bash set x to improve visibility during builds\n- 2022-12-05 TUN-6984: [CI] Ignore security import errors for code_sigining\n- 2022-12-05 TUN-6984: [CI] Don't fail on unset.\n- 2022-11-30 TUN-6984: Set euo pipefile for homebrew builds\n\n2022.11.1\n- 2022-11-29 TUN-6981: We should close UDP socket if failed to connecto to edge\n- 2022-11-25 CUSTESC-23757: Fix a bug where a wildcard ingress rule would match an host without starting with a dot\n- 2022-11-24 TUN-6970: Print newline when printing tunnel token\n- 2022-11-22 TUN-6963: Refactor Metrics service setup\n2022.11.0\n- 2022-11-16 Revert \"TUN-6935: Cloudflared should use APIToken instead of serviceKey\"\n- 2022-11-16 TUN-6929: Use same protocol for other connections as first one\n- 2022-11-14 TUN-6941: Reduce log level to debug when failing to proxy ICMP reply\n- 2022-11-14 TUN-6935: Cloudflared should use APIToken instead of serviceKey\n- 2022-11-14 TUN-6935: Cloudflared should use APIToken instead of serviceKey\n- 2022-11-11 TUN-6937: Bump golang.org/x/* packages to new release tags\n- 2022-11-10 ZTC-234: macOS tests\n- 2022-11-09 TUN-6927: Refactor validate access configuration to allow empty audTags only\n- 2022-11-08 ZTC-234: Replace ICMP funnels when ingress connection changes\n- 2022-11-04 TUN-6917: Bump go to 1.19.3\n- 2022-11-02 Issue #574: Better ssh config for short-lived cert (#763)\n- 2022-10-28 TUN-6898: Fix bug handling IPv6 based ingresses with missing port\n- 2022-10-28 TUN-6898: Refactor addPortIfMissing\n2022.10.3\n- 2022-10-24 TUN-6871: Add default feature to cloudflared to support EOF on QUIC connections\n- 2022-10-19 TUN-6876: Fix flaky TestTraceICMPRouterEcho by taking account request span can return before reply\n- 2022-10-18 TUN-6867: Clear spans right after they are serialized to avoid returning duplicate spans\n2022.10.2\n- 2022-10-18 TUN-6869: Fix Makefile complaining about missing GO packages\n- 2022-10-18 TUN-6864: Don't reuse port in quic unit tests\n- 2022-10-18 TUN-6868: Return left padded tracing ID when tracing identity is converted to string\n\n2022.10.1\n- 2022-10-16 TUN-6861: Trace ICMP on Windows\n- 2022-10-15 TUN-6860: Send access configuration keys to the edge\n- 2022-10-14 TUN-6858: Trace ICMP reply\n- 2022-10-13 TUN-6855: Add DatagramV2Type for IP packet with trace and tracing spans\n- 2022-10-13 TUN-6856: Refactor to lay foundation for tracing ICMP\n- 2022-10-13 TUN-6604: Trace icmp echo request on Linux and Darwin\n- 2022-10-12 Fix log message (#591)\n- 2022-10-12 TUN-6853: Reuse source port when connecting to the edge for quic connections\n- 2022-10-11 TUN-6829: Allow user of datagramsession to control logging level of errors\n- 2022-10-10 RTG-2276 Update qtls and go mod tidy\n- 2022-10-05 Add post-quantum flag to quick tunnel\n- 2022-10-05 TUN-6823: Update github release message to pull from KV\n- 2022-10-04 TUN-6825: Fix cloudflared:version images require arch hyphens\n- 2022-10-03 TUN-6806: Add ingress rule number to log when filtering due to middlware handler\n- 2022-08-17 Label correct container\n- 2022-08-16 Fix typo in help text for `cloudflared tunnel route lb`\n- 2022-07-18 drop usage of cat when sed is invoked to generate the manpage\n- 2021-03-15 update-build-readme\n- 2021-03-15 fix link\n\n2022.10.0\n- 2022-09-30 TUN-6755: Remove unused publish functions\n- 2022-09-30 TUN-6813: Only proxy ICMP packets when warp-routing is enabled\n- 2022-09-29 TUN-6811: Ping group range should be parsed as int32\n- 2022-09-29 TUN-6812: Drop IP packets if ICMP proxy is not initialized\n- 2022-09-28 TUN-6716: Document limitation of Windows ICMP proxy\n- 2022-09-28 TUN-6810: Add component test for post-quantum\n- 2022-09-27 TUN-6715: Provide suggestion to add cloudflared to ping_group_range if it failed to open ICMP socket\n- 2022-09-22 TUN-6792: Fix brew core release by not auditing the formula\n- 2022-09-22 TUN-6774: Validate OriginRequest.Access to add Ingress.Middleware\n- 2022-09-22 TUN-6775: Add middleware.Handler verification to ProxyHTTP\n- 2022-09-22 TUN-6791: Calculate ICMPv6 checksum\n- 2022-09-22 TUN-6801: Add punycode alternatives for ingress rules\n- 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier\n- 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier\n- 2022-09-21 TUN-6774: Validate OriginRequest.Access to add Ingress.Middleware\n- 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier\n- 2022-09-20 TUN-6741: ICMP proxy tries to listen on specific IPv4 & IPv6 when possible\n2022.9.1\n- 2022-09-20 TUN-6777: Fix race condition in TestFunnelIdleTimeout\n- 2022-09-20 TUN-6595: Enable datagramv2 and icmp proxy by default\n- 2022-09-20 TUN-6773: Add access based configuration to ingress.OriginRequestConfig\n- 2022-09-19 TUN-6778: Cleanup logs about ICMP\n- 2022-09-19 TUN-6779: cloudflared should also use the root CAs from system pool to validate edge certificate\n- 2022-09-19 TUN-6780: Add support for certReload to also include support for client certificates\n- 2022-09-16 TUN-6767: Build ICMP proxy for Windows only when CGO is enabled\n- 2022-09-15 TUN-6590: Use Windows Teamcity agent to build binary\n- 2022-09-13 TUN-6592: Decrement TTL and return ICMP time exceed if it's 0\n- 2022-09-09 TUN-6749: Fix icmp_generic build\n- 2022-09-09 TUN-6744: On posix platforms, assign unique echo ID per (src, dst, echo ID)\n- 2022-09-08 TUN-6743: Support ICMPv6 echo on Windows\n- 2022-09-08 TUN-6689: Utilize new RegisterUDPSession to begin tracing\n- 2022-09-07 TUN-6688: Update RegisterUdpSession capnproto to include trace context\n- 2022-09-06 TUN-6740: Detect no UDP packets allowed and fallback from QUIC in that case\n- 2022-09-06 TUN-6654: Support ICMPv6 on Linux and Darwin\n- 2022-09-02 TUN-6696: Refactor flow into funnel and close idle funnels\n- 2022-09-02 TUN-6718: Bump go and go-boring 1.18.6\n- 2022-08-29 TUN-6531: Implement ICMP proxy for Windows using IcmpSendEcho\n- 2022-08-24 RTG-1339 Support post-quantum hybrid key exchange\n\n2022.9.0\n- 2022-09-05 TUN-6737: Fix datagramV2Type should be declared in its own block so it starts at 0\n- 2022-09-01 TUN-6725: Fix testProxySSEAllData\n- 2022-09-01 TUN-6726: Fix maxDatagramPayloadSize for Windows QUIC datagrams\n- 2022-09-01 TUN-6729: Fix flaky TestClosePreviousProxies\n- 2022-09-01 TUN-6728: Verify http status code ingress rule\n- 2022-08-25 TUN-6695: Implement ICMP proxy for linux\n\n2022.8.4\n- 2022-08-31 TUN-6717: Update Github action to run with Go 1.19\n- 2022-08-31 TUN-6720: Remove forcibly closing connection during reconnect signal\n- 2022-08-29 Release 2022.8.3\n\n2022.8.3\n- 2022-08-26 TUN-6708: Fix replace flow logic\n- 2022-08-25 TUN-6705: Tunnel should retry connections forever\n- 2022-08-25 TUN-6704: Honor protocol flag when edge discovery is unreachable\n- 2022-08-25 TUN-6699: Add metric for packet too big dropped\n- 2022-08-24 TUN-6691: Properly error check for net.ErrClosed\n- 2022-08-22 TUN-6679: Allow client side of quic request to close body\n- 2022-08-22 TUN-6586: Change ICMP proxy to only build for Darwin and use echo ID to track flows\n- 2022-08-18 TUN-6530: Implement ICMPv4 proxy\n- 2022-08-17 TUN-6666: Define packet package\n- 2022-08-17 TUN-6667: DatagramMuxerV2 provides a method to receive RawPacket\n- 2022-08-16 TUN-6657: Ask for Tunnel ID and Configuration on Bug Report\n- 2022-08-16 TUN-6676: Add suport for trailers in http2 connections\n- 2022-08-11 TUN-6575: Consume cf-trace-id from incoming http2 TCP requests\n\n2022.8.2\n- 2022-08-16 TUN-6656: Docker for arm64 should not be deployed in an amd64 container\n\n2022.8.1\n- 2022-08-15 TUN-6617: Updated CHANGES.md for protocol stickiness\n- 2022-08-12 EDGEPLAT-3918: bump go and go-boring to 1.18.5\n- 2022-08-12 TUN-6652: Publish dockerfile for both amd64 and arm64\n- 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.\n- 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.\n- 2022-08-11 Revert \"TUN-6617: Dont fallback to http2 if QUIC conn was successful.\"\n- 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.\n- 2022-08-01 TUN-6584: Define QUIC datagram v2 format to support proxying IP packets\n\n2022.8.0\n- 2022-08-10 TUN-6637: Upgrade quic-go\n- 2022-08-10 TUN-6646: Add support to SafeStreamCloser to close only write side of stream\n- 2022-08-09 TUN-6642: Fix unexpected close of quic stream triggered by upstream origin close\n- 2022-08-09 TUN-6639: Validate cyclic ingress configuration\n- 2022-08-08 TUN-6637: Upgrade go version and quic-go\n- 2022-08-08 TUN-6639: Validate cyclic ingress configuration\n- 2022-08-04 EDGEPLAT-3918: build cloudflared for Bookworm\n- 2022-08-02 Revert \"TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span\"\n- 2022-07-27 TUN-6601: Update gopkg.in/yaml.v3 references in modules\n- 2022-07-26 TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span\n- 2022-07-26 TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span\n- 2022-07-25 TUN-6598: Remove auto assignees on github issues\n- 2022-07-20 TUN-6583: Remove legacy --ui flag\n- 2022-07-20 cURL supports stdin and uses os pipes directly without copying\n- 2022-07-07 TUN-6517: Use QUIC stream context while proxying HTTP requests and TCP connections\n2022.7.1\n- 2022-07-06 TUN-6503: Fix transport fallback from QUIC in face of dial error \"no network activity\"\n\n2022.7.0\n- 2022-07-05 TUN-6499: Remove log that is per datagram\n- 2022-06-24 TUN-6460: Rename metric label location to edge_location\n- 2022-06-24 TUN-6459: Add cloudflared user-agent to access calls\n- 2022-06-17 TUN-6427: Differentiate between upstream request closed/canceled and failed origin requests\n- 2022-06-17 TUN-6388: Fix first tunnel connection not retrying\n- 2022-06-13 TUN-6384: Correct duplicate connection error to fetch new IP first\n- 2022-06-13 TUN-6373: Add edge-ip-version to remotely pushed configuration\n- 2022-06-07 TUN-6010: Add component tests for --edge-ip-version\n- 2022-05-20 TUN-6007: Implement new edge discovery algorithm\n- 2022-02-18 Ensure service install directories are created before writing file\n\n2022.6.3\n- 2022-06-20 TUN-6362: Add armhf support to cloudflare packaging\n\n2022.6.2\n- 2022-06-13 TUN-6381: Write error data on QUIC stream when we fail to talk to the origin; separate logging for protocol errors vs. origin errors.\n- 2022-06-17 TUN-6414: Remove go-sumtype from cloudflared build process\n- 2022-06-01 Add Http2Origin option to force HTTP/2 origin connections\n- 2022-06-02 fix ingress rules unit test\n- 2022-06-09 Update remaining OriginRequestConfig functions for Http2Origins\n- 2022-05-31 Add image source label to docker container.\n- 2022-05-10 Warp Private Network link updated\n\n2022.6.1\n- 2022-06-14 TUN-6395: Fix writing RPM repo data\n\n2022.6.0\n- 2022-06-14 Revert \"TUN-6010: Add component tests for --edge-ip-version\"\n- 2022-06-14 Revert \"TUN-6373: Add edge-ip-version to remotely pushed configuration\"\n- 2022-06-14 Revert \"TUN-6384: Correct duplicate connection error to fetch new IP first\"\n- 2022-06-14 Revert \"TUN-6007: Implement new edge discovery algorithm\"\n- 2022-06-13 TUN-6385: Don't share err between acceptStream loop and per-stream goroutines\n- 2022-06-13 TUN-6384: Correct duplicate connection error to fetch new IP first\n- 2022-06-13 TUN-6373: Add edge-ip-version to remotely pushed configuration\n- 2022-06-13 TUN-6380: Enforce connect and keep-alive timeouts for TCP connections in both WARP routing and websocket based TCP proxy.\n- 2022-06-11 Update issue templates\n- 2022-06-11 Amendment to previous PR\n- 2022-06-09 TUN-6347: Add TCP stream logs with FlowID\n- 2022-06-08 TUN-6361: Add cloudflared arm builds to pkging as well\n- 2022-06-07 TUN-6357: Add connector id to ready check endpoint\n- 2022-06-07 TUN-6010: Add component tests for --edge-ip-version\n- 2022-06-06 TUN-6191: Update quic-go to v0.27.1 and with custom patch to allow keep alive period to be configurable\n- 2022-06-03 TUN-6343: Fix QUIC->HTTP2 fallback\n- 2022-06-02 TUN-6339: Add config for IPv6 support\n- 2022-06-02 TUN-6341: Fix default config value for edge-ip-version\n- 2022-06-01 TUN-6323: Add Xenial and Trusty for Ubuntu pkging\n- 2022-05-31 TUN-6210: Add cloudflared.repo to make it easy for yum installs\n- 2022-05-30 TUN-6293: Update yaml v3 to latest hotfix\n- 2022-05-20 TUN-6007: Implement new edge discovery algorithm\n2022.5.3\n- 2022-05-30 TUN-6308: Add debug logs to see if packets are sent/received from edge\n- 2022-05-30 TUN-6301: Allow to update logger used by UDP session manager\n\n2022.5.2\n- 2022-05-23 TUN-6270: Import gpg keys from environment variables\n- 2022-05-24 TUN-6209: Improve feedback process if release_pkgs to deb and rpm fail\n- 2022-05-24 TUN-6280: Don't wrap qlog connection tracer for gatethering QUIC metrics since we're not writing qlog files.\n- 2022-05-25 TUN-6209: Sign RPM packages\n- 2022-05-25 TUN-6285: Upload pkg assets to repos when cloudflared is released.\n- 2022-05-24 TUN-6282: Upgrade golang to 1.17.10, go-boring to 1.17.9\n- 2022-05-26 TUN-6292: Debug builds for cloudflared\n- 2022-05-28 TUN-6304: Fixed some file permission issues\n- 2022-05-11 TUN-6197: Publish to brew core should not try to open the browser\n- 2022-05-12 TUN-5943: Add RPM support\n- 2022-05-18 TUN-6248: Fix panic in cloudflared during tracing when origin doesn't provide header map\n- 2022-05-18 TUN-6250: Add upstream response status code to tracing span attributes\n\n2022.5.1\n- 2022-05-06 TUN-6146: Release_pkgs is now a generic command line script\n- 2022-05-06 TUN-6185: Fix tcpOverWSOriginService not using original scheme for String representation\n- 2022-05-05 TUN-6175: Simply debian packaging by structural upload\n- 2022-05-05 TUN-5945: Added support for Ubuntu releases\n- 2022-05-04 TUN-6054: Create and upload deb packages to R2\n- 2022-05-03 TUN-6161: Set git user/email for brew core release\n- 2022-05-03 TUN-6166: Fix mocked QUIC transport for UDP proxy manager to return expected error\n- 2022-04-27 TUN-6016: Push local managed tunnels configuration to the edge\n2022.5.0\n- 2022-05-02 TUN-6158: Update golang.org/x/crypto\n- 2022-04-20 VULN-8383 Bump yaml.v2 to yaml.v3\n- 2022-04-21 TUN-6123: For a given connection with edge, close all datagram sessions through this connection when it's closed\n- 2022-04-20 TUN-6015: Add RPC method for pushing local config\n- 2022-04-21 TUN-6130: Fix vendoring due to case sensitive typo in package\n- 2022-04-27 TUN-6142: Add tunnel details support to RPC\n- 2022-04-28 TUN-6014: Add remote config flag as default feature\n- 2022-04-12 TUN-6000: Another fix for publishing to brew core\n- 2022-04-11 TUN-5990: Add otlp span export to response header\n- 2022-04-19 TUN-6070: First connection retries other edge IPs if the error is quic timeout(likely due to firewall blocking UDP)\n- 2022-04-11 TUN-6030: Add ttfb span for origin http request\n\n2022.4.1\n- 2022-04-11 TUN-6035: Reduce buffer size when proxying data\n- 2022-04-11 TUN-6038: Reduce buffer size used for proxying data\n- 2022-04-11 TUN-6043: Allow UI-managed Tunnels to fallback from QUIC but warn about that\n- 2022-04-07 TUN-6000 add version argument to bump-formula-pr\n- 2022-04-06 TUN-5989: Add in-memory otlp exporter\n\n2022.4.0\n- 2022-04-01 TUN-5973: Add backoff for non-recoverable errors as well\n- 2022-04-05 TUN-5992: Use QUIC protocol for remotely managed tunnels when protocol is unspecified\n- 2022-04-06 Update Makefile\n- 2022-04-06 TUN-5995: Update prometheus to 1.12.1 to avoid vulnerabilities\n- 2022-04-07 TUN-5995: Force prometheus v1.12.1 usage\n- 2022-04-07 TUN-4130: cloudflared docker images now have a latest tag\n- 2022-03-30 TUN-5842: Fix flaky TestConcurrentUpdateAndRead by making sure resources are released\n- 2022-03-30 carrier: fix dropped errors\n- 2022-03-25 TUN-5959: tidy go.mod\n- 2022-03-25 TUN-5958: Fix release to homebrew core\n- 2022-03-28 TUN-5960: Do not log the tunnel token or json credentials\n- 2022-03-28 TUN-5956: Add timeout to session manager APIs\n\n2022.3.4\n- 2022-03-22 TUN-5918: Clean up text in cloudflared tunnel --help\n- 2022-03-22 TUN-5895 run brew bump-formula-pr on release\n- 2022-03-22 TUN-5915: New cloudflared command to allow to retrieve the token credentials for a Tunnel\n- 2022-03-24 TUN-5933: Better messaging to help user when installing service if it is already installed\n- 2022-03-25 TUN-5954: Start cloudflared service in Linux too similarly to other OSs\n- 2022-03-14 TUN-5869: Add configuration endpoint in metrics server\n\n2022.3.3\n- 2022-03-17 TUN-5893: Start windows service on install, stop on uninstall. Previously user had to manually start the service after running 'cloudflared tunnel install' and stop the service before running uninstall command.\n- 2022-03-17 Revert \"CC-796: Remove dependency on unsupported version of go-oidc\"\n- 2022-03-18 TUN-5881: Clarify success (or lack thereof) of (un)installing cloudflared service\n- 2022-03-18 CC-796: Remove dependency on unsupported version of go-oidc\n- 2022-03-18 TUN-5907: Change notes for 2022.3.3\n\n2022.3.2\n- 2022-03-10 TUN-5833: Create constant for allow-remote-config\n- 2022-03-15 TUN-5867: Return error if service was already installed\n- 2022-03-16 TUN-5833: Send feature `allow_remote_config` if Tunnel is run with --token\n- 2022-03-08 TUN-5849: Remove configuration debug log\n- 2022-03-08 TUN-5850: Update CHANGES.md with latest releases\n- 2022-03-08 TUN-5851: Update all references to point to Apache License 2.0\n- 2022-03-07 TUN-5853 Add \"install\" make target and build package manager info into executable\n- 2022-03-08 TUN-5801: Add custom wrapper for OriginConfig for JSON serde\n- 2022-03-09 TUN-5703: Add prometheus metric for current configuration version\n- 2022-02-05 CC-796: Remove dependency on unsupported version of go-oidc\n\n2022.3.1\n- 2022-03-04 TUN-5837: Log panic recovery in http2 logic with debug level log\n- 2022-03-04 TUN-5696: HTTP/2 Configuration Update\n- 2022-03-04 TUN-5836: Avoid websocket#Stream function from crashing cloudflared with unexpected memory access\n- 2022-03-05 TUN-5836: QUIC transport no longer sets body to nil in any condition\n\n2022.3.0\n- 2022-03-02 TUN-5680: Adapt component tests for new service install based on token\n- 2022-02-21 TUN-5682: Remove name field from credentials\n- 2022-02-21 TUN-5681: Add support for running tunnel using Token\n- 2022-02-28 TUN-5824: Update updater no-update-in-shell link\n- 2022-02-28 TUN-5823: Warn about legacy flags that are ignored when ingress rules are used\n- 2022-02-28 TUN-5737: Support https protocol over unix socket origin\n- 2022-02-23 TUN-5679: Add support for service install using Tunnel Token\n\n2022.2.2\n- 2022-02-22 TUN-5754: Allow ingress validate to take plaintext option\n- 2022-02-17 TUN-5678: Cloudflared uses typed tunnel API\n\n2022.2.1\n- 2022-02-10 TUN-5184: Handle errors in bidrectional streaming (websocket#Stream) gracefully when 1 side has ended\n- 2022-02-14 Update issue templates\n- 2022-02-14 Update issue templates\n- 2022-02-11 TUN-5768: Update cloudflared license file\n- 2022-02-11 TUN-5698: Make ingress rules and warp routing dynamically configurable\n- 2022-02-14 TUN-5678: Adapt cloudflared to use new typed APIs\n- 2022-02-17 Revert \"TUN-5678: Adapt cloudflared to use new typed APIs\"\n- 2022-02-11 TUN-5697: Listen for UpdateConfiguration RPC in quic transport\n- 2022-02-04 TUN-5744: Add a test to make sure cloudflared uses scheme defined in ingress rule, not X-Forwarded-Proto header\n- 2022-02-07 TUN-5749: Refactor cloudflared to pave way for reconfigurable ingress - Split origin into supervisor and proxy packages - Create configManager to handle dynamic config\n- 2021-10-19 TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown\n\n2022.2.0\n- 2022-02-02 TUN-4947: Use http when talking to Unix sockets origins\n- 2022-02-02 TUN-5695: Define RPC method to update configuration\n- 2022-01-27 TUN-5621: Correctly manage QUIC stream closing\n- 2022-01-28 TUN-5702: Allow to deserialize config from JSON\n\n2022.1.3\n- 2022-01-21 TUN-5477: Unhide vnet commands\n- 2022-01-24 TUN-5669: Change network command to vnet\n- 2022-01-25 TUN-5675: Remove github.com/dgrijalva/jwt-go dependency by upgrading coredns version\n- 2022-01-27 TUN-5719: Re-attempt connection to edge with QUIC despite network error when there is no fallback\n- 2022-01-28 TUN-5724: Fix SSE streaming by guaranteeing we write everything we read\n- 2022-01-17 TUN-5547: Bump golang x/net package to fix http2 transport bugs\n- 2022-01-19 TUN-5659: Proxy UDP with zero-byte payload\n- 2021-10-22 Add X-Forwarded-Host for http proxy\n\n2022.1.2\n- 2022-01-13 TUN-5650: Fix pynacl version to 1.4.0 and pygithub version to 1.55 so release doesn't break unexpectedly\n\n2022.1.1\n- 2022-01-10 TUN-5631: Build everything with go 1.17.5\n- 2022-01-06 TUN-5623: Configure quic max datagram frame size to 1350 bytes for none Windows platforms\n\n2022.1.0\n- 2022-01-03 TUN-5612: Add support for specifying TLS min/max version\n- 2022-01-03 TUN-5612: Make tls min/max version public visible\n- 2022-01-03 TUN-5551: Internally published debian artifacts are now named just cloudflared even though they are FIPS compliant\n- 2022-01-04 TUN-5600: Close QUIC transports as soon as possible while respecting graceful shutdown\n- 2022-01-05 TUN-5616: Never fallback transport if user chooses it on purpose\n- 2022-01-05 TUN-5204: Unregister QUIC transports on disconnect\n- 2022-01-04 TUN-5600: Add coverage to component tests for various transports\n\n2021.12.4\n- 2021-12-27 TUN-5482: Refactor tunnelstore client related packages for more coherent package\n- 2021-12-27 TUN-5551: Change internally published debian package to be FIPS compliant\n- 2021-12-27 TUN-5551: Show whether the binary was built for FIPS compliance\n\n2021.12.3\n- 2021-12-22 TUN-5584: Changes for release 2021.12.2\n- 2021-12-22 TUN-5590: QUIC datagram max user payload is 1217 bytes\n- 2021-12-22 TUN-5593: Read full packet from UDP connection, even if it exceeds MTU of the transport. When packet length is greater than the MTU of the transport, we will silently drop packets (for now).\n- 2021-12-23 TUN-5597: Log session ID when session is terminated by edge\n\n2021.12.2\n- 2021-12-20 TUN-5571: Remove redundant session manager log, it's already logged in origin/tunnel.ServeQUIC\n- 2021-12-20 TUN-5570: Only log RPC server events at error level to reduce noise\n- 2021-12-14 TUN-5494: Send a RPC with terminate reason to edge if the session is closed locally\n- 2021-11-09 TUN-5551: Reintroduce FIPS compliance for linux amd64 now as separate binaries\n\n2021.12.1\n- 2021-12-16 TUN-5549: Revert \"TUN-5277: Ensure cloudflared binary is FIPS compliant on linux amd64\"\n\n2021.12.0\n- 2021-12-13 TUN-5530: Get current time from ticker\n- 2021-12-15 TUN-5544: Update CHANGES.md for next release\n- 2021-12-07 TUN-5519: Adjust URL for virtual_networks endpoint to match what we will publish\n- 2021-12-02 TUN-5488: Close session after it's idle for a period defined by registerUdpSession RPC\n- 2021-12-09 TUN-5504: Fix upload of packages to public repo\n- 2021-11-30 TUN-5481: Create abstraction for Origin UDP Connection\n- 2021-11-30 TUN-5422: Define RPC to unregister session\n- 2021-11-26 TUN-5361: Commands for managing virtual networks\n- 2021-11-29 TUN-5362: Adjust route ip commands to be aware of virtual networks\n- 2021-11-23 TUN-5301: Separate datagram multiplex and session management logic from quic connection logic\n- 2021-11-10 TUN-5405: Update net package to v0.0.0-20211109214657-ef0fda0de508\n- 2021-11-10 TUN-5408: Update quic package to v0.24.0\n- 2021-11-12 Fix typos\n- 2021-11-13 Fix for Issue #501: Unexpected User-agent insertion when tunneling http request\n- 2021-11-16 TUN-5129: Remove `-dev` suffix when computing version and Git has uncommitted changes\n- 2021-11-18 TUN-5441: Fix message about available protocols\n- 2021-11-12 TUN-5300: Define RPC to register UDP sessions\n- 2021-11-14 TUN-5299: Send/receive QUIC datagram from edge and proxy to origin as UDP\n- 2021-11-04 TUN-5387: Updated CHANGES.md for 2021.11.0\n- 2021-11-08 TUN-5368: Log connection issues with LogLevel that depends on tunnel state\n- 2021-11-09 TUN-5397: Log cloudflared output when it fails to connect tunnel\n- 2021-11-09 TUN-5277: Ensure cloudflared binary is FIPS compliant on linux amd64\n- 2021-11-08 TUN-5393: Content-length is no longer a control header for non-h2mux transports\n\n2021.11.0\n- 2021-11-03 TUN-5285: Fallback to HTTP2 immediately if connection times out with no network activity\n- 2021-09-29 Add flag to 'tunnel create' subcommand to specify a base64-encoded secret\n\n2021.10.5\n- 2021-10-25 Update change log for release 2021.10.4\n- 2021-10-25 Revert \"TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown\"\n\n2021.10.4\n- 2021-10-21 TUN-5287: Fix misuse of wait group in TestQUICServer that caused the test to exit immediately\n- 2021-10-21 TUN-5286: Upgrade crypto/ssh package to fix CVE-2020-29652\n- 2021-10-18 TUN-5262: Allow to configure max fetch size for listing queries\n- 2021-10-19 TUN-5262: Improvements to `max-fetch-size` that allow to deal with large number of tunnels in account\n- 2021-10-15 TUN-5261: Collect QUIC metrics about RTT, packets and bytes transfered and log events at tracing level\n- 2021-10-19 TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown\n\n2021.10.3\n- 2021-10-14 TUN-5255: Fix potential panic if Cloudflare API fails to respond to GetTunnel(id) during delete command\n- 2021-10-14 TUN-5257: Fix more cfsetup targets that were broken by recent package changes\n\n2021.10.2\n- 2021-10-11 TUN-5138: Switch to QUIC on auto protocol based on threshold\n- 2021-10-14 TUN-5250: Add missing packages for cfsetup to succeed in github release pkgs target\n\n2021.10.1\n- 2021-10-12 TUN-5246: Use protocol: quic for Quick tunnels if one is not already set\n- 2021-10-13 TUN-5249: Revert \"TUN-5138: Switch to QUIC on auto protocol based on threshold\"\n\n2021.10.0\n- 2021-10-11 TUN-5138: Switch to QUIC on auto protocol based on threshold\n- 2021-10-07 TUN-5195: Do not set empty body if not applicable\n- 2021-10-08 UN-5213: Increase MaxStreams value for QUIC transport\n- 2021-09-28 TUN-5169: Release 2021.9.2 CHANGES.md\n- 2021-09-28 TUN-5164: Update README and clean up references to Argo Tunnel (using Cloudflare Tunnel instead)\n\n2021.9.2\n- 2021-09-21 TUN-5129: Use go 1.17 and copy .git folder to docker build to compute version\n- 2021-09-21 TUN-5128: Enforce maximum grace period\n- 2021-09-22 TUN-5141: Make sure websocket pinger returns before streaming returns\n- 2021-09-24 TUN-5142: Add asynchronous servecontrolstream for QUIC\n- 2021-09-24 TUN-5142: defer close rpcconn inside unregister instead of ServeControlStream\n- 2021-09-27 TUN-5160: Set request.ContentLength when this value is in request header\n\n2021.9.1\n- 2021-09-21 TUN-5118: Quic connection now detects duplicate connections similar to http2\n- 2021-09-15 Fix TryCloudflare link\n\n2021.9.0\n- 2021-09-02 Fix broken TryCloudflare link\n- 2021-09-03 Add support for taking named tunnel credentials from an environment variable\n- 2021-08-30 TUN-5012: Use patched go-sumtype\n- 2021-08-31 TUN-5011: Use the region parameter in fallback SRV lookup\n- 2021-08-31 TUN-5029: Do not strip cf- prefixed headers\n- 2021-08-29 TUN-5009: Updated github action to use go 1.17.x for checks\n- 2021-08-28 TUN-5010: --region should be a string flag\n- 2021-08-10 Allow building on arm64 platforms\n- 2021-06-09 Update README.md\n- 2021-05-31 🖌️ Allow providing TokenID and TokenSecret as env vars when calling cloudflared access\n- 2021-05-31 🎨 Prefix env var parameters with TUNNEL\n\n2021.8.7\n- 2021-08-28 Revert \"TUN-4926: Implement --region configuration option\"\n\n2021.8.6\n- 2021-08-27 TUN-5000: De-flake logging to dir component test in Windows by increasing to buffer to cope with more logging\n- 2021-08-27 TUN-5003: Fix cfsetup for non-FIPS golang version\n\n2021.8.5\n- 2021-08-27 TUN-4961: Update quic-go to latest\n- 2021-08-27 Release 2021.8.4\n\n2021.8.4\n- 2021-08-26 TUN-4974: Fix regression where we were debug logging by accident\n- 2021-08-26 TUN-4970: Only default to http2 for warp-routing if protocol is h2mux\n- 2021-08-26 TUN-4981: Improve readability of prepareTunnelConfig method\n- 2021-08-26 TUN-4926: Implement --region configuration option\n- 2021-07-09 TUN-4821: Make quick tunnels the default in cloudflared\n\n2021.8.3\n- 2021-08-23 TUN-4889: Add back appendtagheaders function\n- 2021-08-21 TUN-4940: Fix cloudflared not picking up correct NextProtos for quic\n- 2021-08-21 TUN-4613: Add a no-op protocol version slot\n- 2021-08-13 TUN-4922: Downgrade quic-go library to 0.20.0\n- 2021-08-17 TUN-4866: Add Control Stream for QUIC\n- 2021-08-17 TUN-4927: Parameterize region in edge discovery code\n- 2021-08-06 TUN-4602: Added UDP resolves to Edge discovery\n\n2021.8.2\n- 2021-08-03 TUN-4597: Added HTTPProxy for QUIC\n- 2021-08-04 TUN-4795: Remove Equinox releases\n- 2021-08-09 TUN-4911: Append Environment variable to Path instead of overwriting it\n\n2021.8.1\n- 2021-08-02 TUN-4855: Added CHANGES.md for release 2021.8.0\n- 2021-08-03 TUN-4597: Add a QUIC server skeleton\n- 2021-08-03 TUN-4873: Disable unix domain socket test for windows unit tests\n- 2021-08-04 TUN-4875: Added amd64-linux builds back to releases\n\n2021.8.0\n- 2021-07-30 TUN-4847: Allow to list tunnels by prefix name or exclusion prefix name\n- 2021-07-30 TUN-4772: Release built executables with packages\n- 2021-07-30 TUN-4851: Component tests to smoke test that Proxy DNS and Tunnel are only run when expected\n- 2021-07-28 TUN-4811: Publish quick tunnels' hostname in /metrics under `userHostname` for backwards-compatibility\n- 2021-07-29 TUN-4832: Prevent tunnel from running accidentally when only proxy-dns should run\n- 2021-07-28 TUN-4819: Tolerate protocol TXT record lookup failing\n\n2021.7.4\n- 2021-07-28 TUN-4814: Revert \"TUN-4699: Make quick tunnels the default in cloudflared\"\n- 2021-07-28 TUN-4812: Disable CGO for cloudflared builds\n\n2021.7.3\n- 2021-07-27 TUN-4799: Build deb, msi and rpm packages with fips\n\n2021.7.2\n- 2021-07-27 Fixed a syntax error with python logging.\n\n2021.7.1\n- 2021-07-21 TUN-4755: Add a windows msi release option to Make\n- 2021-07-22 TUN-4761: Added a build-all-packages target to cfsetup\n- 2021-07-26 TUN-4771: Upload deb, rpm and msi packages to github\n- 2021-07-14 TUN-4714: Name nightly package cloudflared-nightly to avoid apt conflict\n- 2021-07-16 TUN-4701: Split Proxy into ProxyHTTP and ProxyTCP\n- 2021-07-08 TUN-4596: Add QUIC application protocol for QUIC stream handshake\n- 2021-07-09 TUN-4699: Make quick tunnels the default in cloudflared\n\n2021.7.0\n- 2021-07-01 TUN-4626: Proxy non-stream based origin websockets with http Roundtrip.\n- 2021-07-01 TUN-4655: ingress.StreamBasedProxy.EstablishConnection takes dest input\n- 2021-07-09 TUN-4698: Add cloudflared metrics endpoint to serve quick tunnel hostname\n- 2021-06-21 TUN-4521: Modify cloudflared to use zoneless-tunnels-worker for free tunnels\n- 2021-04-05 AUTH-3475: Updated GetAppInfo error message\n\n2021.6.0\n- 2021-06-21 TUN-4571: Changelog for 2021.6.0\n- 2021-06-18 TUN-4571: Fix proxying to unix sockets when using HTTP2 transport to Cloudflare Edge\n- 2021-06-07 TUN-4502: Make `cloudflared tunnel route` subcommands described consistently\n- 2021-06-08 TUN-4504: Fix component tests in windows\n- 2021-05-27 TUN-4461: Log resulting DNS hostname if one is received from Cloudflare API\n\n2021.5.10\n- 2021-05-25 TUN-4456: Replaced instances of Tick() with Ticker() in h2mux paths\n\n2021.5.9\n- 2021-05-20 TUN-4426: Fix centos builds\n- 2021-05-20 Update changelog\n- 2021-04-30 AUTH-3426: Point to new transfer service URL and eliminate PUT /ok\n\n2021.5.8\n- 2021-05-14 TUN-4419: Improve error message when cloudflared cannot reach origin\n- 2021-05-19 TUN-4425: --overwrite-dns flag for in adhoc and route dns cmds\n\n2021.5.7\n- 2021-05-17 Fix typo in Changes.md\n- 2021-05-17 TUN-4421: Named Tunnels will automatically select the protocol to connect to Cloudflare's edge network\n\n2021.5.6\n- 2021-05-14 TUN-4418: Downgrade to Go 1.16.3\n\n2021.5.5\n\n\n2021.5.4\n- Fix release pipeline\n\n2021.5.1\n- 2021-05-10 TUN-4342: Fix false positive warning about unused hostname property\n- 2021-05-10 Release 2021.5.0\n\n2021.5.0\n- 2021-05-10 TUN-4384: Silence log from automaxprocs\n- 2021-05-10 AUTH-3537: AUDs in JWTs are now always arrays\n- 2021-05-10 Update changelog for 2021.5.0\n- 2021-05-03 TUN-4343: Fix broken build by setting debug field correctly\n- 2021-05-06 TUN-4356: Set AUTOMAXPROCS to the CPU limit when running in a Linux container\n- 2021-05-06 TUN-4357: Bump Go to 1.16\n- 2021-05-06 TUN-4359: Warn about unused keys in 'tunnel ingress validate'\n- 2021-04-30 debug: log host / path\n- 2021-04-20 AUTH-3513: Checks header for app info in case response is a 403/401 from the edge\n- 2021-04-29 TUN-4000: Release notes for cloudflared replica model\n- 2021-04-09 TUN-2853: rename STDIN-CONTROL env var to STDIN_CONTROL\n- 2021-04-09 TUN-4206: Better error message when user is only using one ingress rule\n\n2021.4.0\n- 2021-04-05 TUN-4178: Fix component test for running as a service in MacOS to not assume a named tunnel\n- 2021-04-05 TUN-4177: Running with proxy-dns should not prevent running Named Tunnels\n- 2021-04-02 TUN-4168: Transparently proxy websocket connections using stdlib HTTP client instead of gorilla/websocket; move websocket client code into carrier package since it's only used by access subcommands now (#345).\n- 2021-04-07 Publish change log for 2021.4.0\n\n2021.3.6\n- 2021-03-30 TUN-4150: Only show the connector table in 'tunnel info' if there are connectors. Don't show rows with zero connections.\n- 2021-03-31 TUN-4153: Revert best-effort HTTP2 usage when talking to origins\n- 2021-03-26 TUN-4141: Better error messages for tunnel info subcommand.\n- 2021-03-29 TUN-4146: Unhide and document grace-period\n- 2021-03-25 TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions\n\n2021.3.5\n- 2021-03-26 TUN-3896: http-service and tunnelstore client use http2 transport.\n- 2021-03-25 TUN-4125: Change component tests to run in CI with its own dedicated resources\n- 2021-03-26 Publish change log for 2021.3.5\n\n2021.3.4\n\n\n2021.3.3\n- 2021-03-23 TUN-4111: Warn the user if both properties \"tunnel\" and \"hostname\" are used\n- 2021-03-23 TUN-4082: Test logging when running as a service\n- 2021-03-23 TUN-4112: Skip testing graceful shutdown with SIGINT on Windows\n- 2021-03-23 TUN-4116: Ingore credentials-file setting in configuration file during tunnel create and delete opeations.\n- 2021-03-23 TUN-4118: Don't overwrite existing file with tunnel credentials. For ad-hoc tunnels, this means tunnel won't start if there's a file in the way.\n- 2021-03-24 TUN-4123: Don't capture output in reconnect componet test\n- 2021-03-23 TUN-4067: Reformat code for consistent import order, grouping, and fix formatting. Added goimports target to the Makefile to make this easier in the future.\n- 2021-03-24 AUTH-3455: Generate short-lived ssh cert per hostname\n- 2021-03-25 Update changelog 2021.3.3\n\n2021.3.2\n- 2021-03-23 TUN-4042: Capture cloudflared output to debug component tests\n- 2021-03-23 Publish changelog for 2021.3.2\n- 2021-03-16 TUN-4089: Address flakiness in component tests for termination\n- 2021-03-16 TUN-4060: Fix Go Vet warnings (new with go 1.16) where t.Fatalf is called from a test goroutine\n- 2021-03-16 TUN-4091: Use flaky decorator to rerun reconnect component tests when they fail\n- 2021-03-12 TUN-4081: Update log severities to use Zerolog's levels\n- 2021-03-16 TUN-4094: Don't read configuration file for access commands\n- 2021-03-15 TUN-3993: New `cloudflared tunnel info` to obtain details about the active connectors for a tunnel\n- 2021-03-17 TUN-3715: Apply input source to the correct context\n- 2021-03-17 AUTH-3394: Ensure scheme on token command\n- 2021-03-18 TUN-4096: Reduce tunnel not connected assertion backoff to address flaky termination tests\n- 2021-03-19 TUN-3998: Allow to cleanup the connections of a tunnel limited to a single client\n- 2021-02-04 TUN-3715: Only read config file once, right before invoking the command\n\n2021.3.1\n- 2021-03-11 TUN-4051: Add component-tests to test graceful shutdown\n- 2021-03-12 TUN-4052: Add component tests to assert service mode behavior\n\n2021.3.0\n- 2021-03-10 TUN-4075: Dedup test should not compare order of list\n- 2021-03-10 Revert \"AUTH-3394: Creates a token per app instead of per path\"\n- 2021-03-11 TUN-4066: Remove unnecessary chmod during package publish to CF_PKG_HOSTS\n- 2021-03-11 TUN-4066: Set permissions in build agent before 'scp'-ing to machine hosting package repo\n- 2021-03-11 TUN-4050: Add component tests to assert reconnect behavior\n- 2021-03-10 AUTH-3394: Creates a token per app instead of per path - with fix for free tunnels\n- 2021-03-15 Publish change log for 2021.3.0\n- 2021-03-01 Issue #285 - Makefile does not detect TARGET_ARCH correctly on FreeBSD (#325)\n- 2021-03-01 TUN-3988: Log why it cannot check if origin cert exists\n- 2021-03-02 TUN-3995: Optional --features flag for tunnel run.\n- 2021-03-02 TUN-3994: Log client_id when running a named tunnel\n- 2021-03-04 TUN-4026: Fix regression where HTTP2 edge transport was no longer propagating control plane errors\n- 2021-03-05 TUN-4055: Skeleton for component tests\n- 2021-03-08 TUN-4047: Add cfsetup target to run component test\n- 2021-03-08 TUN-4016: Delegate decision to update for Worker service\n- 2021-03-02 TUN-3905: Cannot run go mod vendor in cloudflared due to fips\n- 2021-03-08 TUN-4063: Cleanup dependencies between packages.\n- 2021-03-09 Allow partial reads from a GorillaConn; add SetDeadline (from net.Conn) (#330)\n- 2021-03-09 TUN-4069: Fix regression on support for websocket over proxy\n- 2021-03-02 AUTH-3394: Creates a token per app instead of per path\n- 2021-03-01 TUN-4017: Add support for using cloudflared as a full socks proxy.\n- 2021-03-08 TUN-4062: Read component tests config from yaml file\n- 2021-03-08 TUN-4049: Add component tests to assert logging behavior when running from terminal\n- 2021-02-23 TUN-3963: Repoint urfave/cli/v2 library at patched branch at github.com/ipostelnik/cli/v2@fixed which correctly handles reading flags declared at multiple levels of subcommands.\n- 2021-02-25 TUN-3970: Route ip show has alias route ip list\n- 2021-02-26 TUN-3978: Unhide teamnet commands and improve their help\n- 2021-02-26 TUN-3983: Renew CA certs in cloudflared\n- 2021-02-28 TUN-3989: Check in with Updater service in more situations and convey messages to user\n- 2021-02-11 TUN-3819: Remove client-side check that deleted tunnels have no connections\n\n2021.2.5\n- 2021-02-23 Publish change notes for 2021.2.5\n- 2021-02-11 TUN-3838: ResponseWriter no longer reads and origin error tests\n- 2021-02-10 TUN-3895: Tests for socks stream handler\n- 2021-02-19 TUN-3939: Add logging that shows that Warp-routing is enabled\n- 2021-02-02 TUN-3817: Adds tests for websocket based streaming regression\n- 2021-02-04 TUN-3799: extended the Stream interface to take a logger and added debug logs for io.Copy errors\n- 2021-02-03 TUN-3855: Add ability to override target of 'access ssh' command to a different host for testing\n- 2021-02-04 TUN-3853: Respond with ws headers from the origin service rather than generating our own\n- 2021-02-08 TUN-3889: Move host header override logic to httpService\n- 2021-02-05 TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService\n- 2021-01-21 TUN-3753: Select http2 protocol when warp routing is enabled\n- 2021-01-26 TUN-3809: Allow routes ip show to output as JSON or YAML\n- 2021-01-11 TUN-3615: added support to proxy tcp streams\n- 2021-01-17 TUN-3725: Warp-routing is independent of ingress\n- 2021-01-15 TUN-3764: Actively flush data for TCP streams\n- 2020-12-09 TUN-3617: Separate service from client, and implement different client for http vs. tcp origins\n\n2021.2.4\n- 2021-02-22 TUN-3948: Log error when retrying connection\n- 2021-02-23 TUN-3964: Revert \"TUN-3922: Repoint urfave/cli/v2 library at patched branch at github.com/ipostelnik/cli/v2@fixed which correctly handles reading flags declared at multiple levels of subcommands.\"\n- 2021-02-23 Publish release notes for 2021.2.4\n\n2021.2.3\n- 2021-02-23 Publish release notes for 2021.2.3\n- 2021-02-10 TUN-3902: Add jitter to backoffhandler\n- 2021-02-11 TUN-3913: Help gives wrong exit code for autoupdate\n- 2021-02-12 Add max upstream connections dns-proxy option (#290)\n- 2021-02-16 TUN-3924: Removed db-connect command. Added a placeholder handler for this command that informs users that command is no longer supported.\n- 2021-02-12 TUN-3922: Repoint urfave/cli/v2 library at patched branch at github.com/ipostelnik/cli/v2@fixed which correctly handles reading flags declared at multiple levels of subcommands.\n- 2021-02-19 Added support for proxy (#318)\n- 2021-02-19 TUN-3945: Fix runApp signature for generic service\n- 2021-02-09 Update README.md\n- 2021-02-09 Update the TryCloudflare link\n\n2021.2.2\n- 2021-02-04 TUN-3864: Users can choose where credentials file is written after creating a tunnel\n- 2021-02-04 TUN-3869: Improve reliability of graceful shutdown.\n- 2021-02-07 TUN-3878: Do not supply -tags when none are specified\n- 2021-02-04 TUN-3635: Send event when unregistering tunnel for gracful shutdown so /ready endpoint reports down status befoe connections finish handling pending requests.\n- 2021-02-08 TUN-3890: Code coverage for cloudflared in CI\n- 2021-02-09 AUTH-3375 exchangeOrgToken deleted cookie fix\n- 2020-11-18 Update error message to use login command\n\n2021.2.1\n- 2021-02-04 TUN-3858: Do not suffix cloudflared version with -fips\n\n2021.2.0\n- 2021-02-01 TUN-3837: Remove automation_email from cloudflared status page test\n- 2021-02-03 TUN-3848: Use transport logger for h2mux\n- 2021-02-03 TUN-3854: cloudflared tunnel list flags to sort output\n- 2021-01-21 TUN-3195: Don't colorize console logs when stderr is not a terminal\n- 2021-01-20 Fixed connection error handling by removing duplicated errors, standardizing on non-pointer error types\n- 2021-01-20 TUN-3118: Changed graceful shutdown to immediately unregister tunnel from the edge, keep the connection open until the edge drops it or grace period expires\n- 2021-01-25 TUN-3165: Add reference to Argo Tunnel documentation in the help output\n- 2021-01-25 TUN-3806: Use a .dockerignore\n- 2021-01-21 TUN-3795: Use RFC-3339 style date format for logs, produce timestamp in UTC\n- 2021-01-26 TUN-3795: Removed errant test\n- 2021-01-25 TUN-3792: Handle graceful shutdown correctly when running as a windows service. Only expose one shutdown channel globally, which now triggers the graceful shutdown sequence across all modes. Removed separate handling of zero-duration grace period, instead it's checked only when we need to wait for exit.\n- 2021-01-27 TUN-3811: Better error reporting on http2 connection termination. Registration errors from control loop are now propagated out of the connection server code. Unified error handling between h2mux and http2 connections so we log and retry errors the same way, regardless of underlying transport.\n- 2021-01-28 TUN-3830: Use Go 1.15.7\n- 2021-01-28 TUN-3826: Use go-fips when building cloudflared for linux/amd64\n- 2021-01-19 TUN-3777: Fix /ready endpoint for classic tunnels\n- 2021-01-19 TUN-3773: Add back pprof endpoints\n\n2021.1.5\n- 2021-01-15 TUN-3594: Log ingress response at debug level\n- 2021-01-15 TUN-3765: Fix doubly nested log output by `logfile` option\n- 2021-01-16 TUN-3767: Tolerate logging errors\n- 2021-01-17 TUN-3768: Reuse file loggers\n- 2021-01-14 TUN-3738: Refactor observer to avoid potential of blocking on tunnel notifications\n- 2021-01-15 TUN-3766: Print flags defined at all levels of command hierarchy, not just locally defined flags for a command. This fixes output of overriden settings for subcommand.\n\n2021.1.4\n- 2021-01-14 TUN-3759: Single file logging output should always append\n\n2021.1.3\n- 2021-01-14 TUN-3756: File logging output must consider the directory\n- 2021-01-14 TUN-3757: Fix legacy Uint flags that are incorrectly handled by ufarve library\n\n2021.1.2\n- 2021-01-13 TUN-3747: Fix logging in Windows\n\n2021.1.1\n- 2021-01-13 TUN-3744: Fix compilation error in windows service\n\n2021.1.0\n- 2021-01-11 TUN-3670: Update Teamnet API gateway prefixes\n- 2021-01-13 TUN-3738: Consume UI events even when UI is disabled\n- 2021-01-06 TUN-3722: Teamnet API paths include /network\n- 2021-01-05 TUN-3688: Subcommand for users to check which route an IP proxies through\n- 2021-01-08 TUN-3691: Edit Teamnet help text\n- 2020-12-30 TUN-3706: Quit if any origin service fails to start\n- 2020-12-31 TUN-3708: Better info message about system root certpool on Windows\n- 2020-12-21 TUN-3669: Teamnet commands to add/show Teamnet routes.\n- 2020-12-29 TUN-3689: Delete routes via cloudflared CLI\n- 2020-12-28 TUN-3471: Add structured log context to logs\n- 2020-12-15 TUN-3650: Remove unused awsuploader package\n- 2020-12-03 Update to add deprecated version note (#271)\n- 2020-12-02 TUN-3472: Set up rolling logger with zerolog and lumberjack\n- 2020-12-08 TUN-3607: Set up single-file logger with zerolog\n- 2020-12-03 Update to add deprecated version note (#271)\n- 2020-11-25 TUN-3470: Replace in-house logger calls with zerolog\n\n2020.12.0\n- 2020-12-04 TUN-3599: improved delete if credentials isnt found.\n- 2020-12-04 TUN-3612: Upgrade to Go 1.15.6\n- 2020-11-30 TUN-3593: /ready endpoint for k8s readiness. Move tunnel events out of UI package, into connection package.\n- 2020-11-27 TUN-3594: Log response status at debug level\n\n2020.11.11\n- 2020-11-20 TUN-3578: cloudflared tunnel route dns should allow wildcard subdomains\n- 2020-11-21 EDGEPLAT-2958 remove deb-compression, defaulting to gzip\n- 2020-11-23 TUN-3581: Tunnels can be run by name using only --credentials-file, no origin cert necessary.\n- 2020-11-15 TUN-3561: Unified logger configuration\n- 2020-11-08 AUTH-3221: Saves org token to disk and uses it to refresh the app token\n\n2020.11.10\n- 2020-11-20 TUN-3562: Fix panic when using bastion mode ingress rule\n- 2020-11-20 EDGEPLAT-2958 build cloudflared for Bullseye\n\n2020.11.9\n- 2020-11-18 TUN-3557: Detect SSE if content-type starts with text/event-stream\n- 2020-11-18 TUN-3559: Share response meta header with other packages\n- 2020-11-18 DEVTOOLS-7936: Remove redundant chgrp from publish\n- 2020-11-18 TUN-3558: cloudflared allows empty config files\n- 2020-11-18 TUN-3544: Upgrade to Go 1.15.5\n\n2020.11.8\n- 2020-11-17 TUN-3555: Single origin service should default to localhost:8080\n\n2020.11.7\n- 2020-11-13 TUN-3514: Stop setting --is-autoupdated flag after autoupdate because it can break named tunnel running in k8s\n- 2020-11-15 TUN-3548, TUN-3547: Bastion mode can be specified as a service, doesn't require URL.\n- 2020-11-16 TUN-3549: Use a separate handler for each websocket proxy\n\n2020.11.6\n- 2020-11-14 TUN-3546: Fix panic in tlsconfig.LoadOriginCA\n\n2020.11.5\n- 2020-11-12 TUN-3540: Better copy in ingress rules error messages\n- 2020-11-12 DEVTOOLS-7936: Set permissions on public packages\n- 2020-11-13 TUN-3543: ProxyAddress not using default in single-origin mode\n\n2020.11.4\n- 2020-11-11 TUN-3534: Specific error message when credentials file is a .pem not .json\n- 2020-11-02 TUN-3500: Integrate replace h2mux by http2 work with multiple origin support\n- 2020-11-09 TUN-3514: Transport logger write to UI when UI is enabled\n- 2020-10-30 TUN-3490: Make sure OriginClient implementation doesn't write after Proxy return\n- 2020-10-20 TUN-3403: Unit test for origin/proxy to test serving HTTP and Websocket\n- 2020-10-23 TUN-3480: Support SSE with http2 connection, and add SSE handler to hello-world server\n- 2020-10-27 TUN-3489: Add unit tests to cover proxy logic in connection package of cloudflared\n- 2020-10-16 TUN-3467: Serialize cf-cloudflared-response-meta during package initialization using jsoniter\n- 2020-10-14 TUN-3456: New protocol option auto to automatically select between http2 and h2mux\n- 2020-10-14 TUN-3458: Upgrade to http2 when available, fallback to h2mux when we reach max retries\n- 2020-10-08 TUN-3449: Use flag to select transport protocol implementation\n- 2020-10-08 TUN-3462: Refactor cloudflared to separate origin from connection\n- 2020-09-21 TUN-3406: Proxy websocket requests over Go http2\n- 2020-09-25 TUN-3420: Establish control plane and send RPC over control plane\n- 2020-09-11 TUN-3400: Use Go HTTP2 library as transport to connect with the edge\n\n2020.11.3\n- 2020-11-11 TUN-3533: Set config for single origin ingress\n\n2020.11.2\n\n\n2020.11.1\n- 2020-11-10 TUN-3527: More specific error for invalid YAML/JSON\n- 2020-11-06 Update README.md (#256)\n\n2020.11.0\n- 2020-11-04 TUN-3484: OriginService that responds with configured HTTP status\n- 2020-11-05 TUN-3505: Response body for status code origin returns EOF on Read\n- 2020-11-04 TUN-3503: Matching ingress rule should not take port into account\n- 2020-11-05 TUN-3506: OriginService needs to set request host and scheme for websocket requests\n- 2020-11-09 TUN-3516: Better error message when parsing invalid YAML config\n- 2020-11-09 TUN-3522: ingress validate checks that the config file exists\n- 2020-11-09 TUN-3524: Don't ignore errors from app-level action handler (#248)\n- 2020-11-09 TUN-3461: Show all origin services in the UI\n- 2020-10-30 TUN-3494: Proceed to create tunnel if at least one edge address can be resolved\n- 2020-10-30 TUN-3492: Refactor OriginService, shrink its interface\n- 2020-10-22 TUN-3478: Increase download timeout to 60s\n- 2020-10-15 TUN-2640: Users can configure per-origin config. Unify single-rule CLI flow with multi-rule config file code.\n\n2020.10.2\n- 2020-10-21 Release 2020.10.1\n- 2020-10-21 AUTH-3185 fixed indention error\n- 2020-10-19 TUN-3459: Make service install on linux use named tunnels\n\n2020.10.1\n- 2020-10-20 Split out typed config from legacy command-line switches; refactor ingress commands and fix tests\n- 2020-10-20 Move raw ingress rules to config package\n- 2020-10-21 TUN-3476: Fix conversion to string and int slice\n- 2020-10-12 TUN-3441: Multiple-origin routing via ingress rules\n- 2020-10-15 TUN-3464: Newtype to wrap []ingress.Rule\n- 2020-10-15 TUN-3465: Use Go 1.15.3\n- 2020-10-15 TUN-3463: Let users run a named tunnel via config file setting\n- 2020-10-19 TUN-3475: Unify config file handling with typed config for new fields\n- 2020-10-19 TUN-3459: Make service install on linux use named tunnels\n- 2020-10-06 AUTH-3148 fixed cloudflared copy and match all the files in the checksum upload\n- 2020-10-06 TUN-3436, TUN-3437: Parse ingress from YAML, ensure last rule catches everything\n- 2020-10-06 TUN-3446: Use go 1.15.2 and add a step to build cloudflared in the dev Dockerfile\n- 2020-10-07 TUN-3439: 'tunnel validate' command to check ingress rules\n- 2020-10-07 TUN-3440: 'tunnel rule' command to test ingress rules\n- 2020-10-08 TUN-3451: Cloudflared tunnel ingress command\n- 2020-10-09 TUN-3452: Fix loading of flags from config file for tunnel run subcommand. This change also cleans up building of tunnel subcommand list, hides deprecated subcommands and improves help.\n- 2020-10-08 TUN-3438: move ingress into own package, read into TunnelConfig\n\n2020.10.0\n- 2020-10-02 AUTH-2993 cleaned up worker service tests\n- 2020-10-02 TUN-3443: Decode as v4api response on non-200 status\n- 2020-09-24 TRAFFIC-448: allow the user to specify the proxy address and port to bind to, falling back to 127.0.0.1 and random port if not specified\n- 2020-09-28 TUN-3427: Define a struct that only implements RegistrationServer in tunnelpogs\n- 2020-09-29 TUN-3430: Copy flags to configure proxy to run subcommand, print relevant tunnel flags in help\n- 2020-08-12 AUTH-2993 added workers updater logic\n\n2020.9.3\n- 2020-09-22 TRAFFIC-448: build cloudflare for junos and publish to s3\n- 2020-09-22 TUN-3410: Request the v1 Tunnelstore API\n- 2020-09-23 Release 2020.9.2\n- 2020-09-17 updater service exit code should be 11\n- 2020-09-18 AUTH-3109 upload the checksum to workers kv on github releases\n\n2020.9.2\n- 2020-09-22 TRAFFIC-448: build cloudflare for junos and publish to s3\n- 2020-09-22 TUN-3410: Request the v1 Tunnelstore API\n- 2020-09-17 AUTH-3103 CI build fixes\n- 2020-09-18 AUTH-3110-use-cfsetup-precache\n- 2020-09-17 TUN-3295: Show route command results\n- 2020-09-16 TUN-3291: cloudflared tunnel run -h explains how to use flags from parent command\n- 2020-09-18 AUTH-3109 upload the checksum to workers kv on github releases\n- 2020-09-17 updater service exit code should be 11\n- 2020-09-01 TUN-3216: UI improvements\n- 2020-08-25 Rebased and passed TunnelEventChan to LogServerInfo in new ReconnectTunnel function\n- 2020-08-25 TUN-3321: Add box around logs on UI\n- 2020-08-26 TUN-3328: Filter out free tunnel has started log from UI\n- 2020-08-27 TUN-3333: Add text to UI explaining how to exit\n- 2020-08-27 TUN-3335: Dynamically set connection table size for UI\n- 2020-08-10 TUN-3238: Update UI when connection re-connects\n- 2020-08-17 TUN-3261: Display connections on UI for free classic tunnels\n- 2020-07-24 TUN-3201: Create base cloudflared UI structure\n- 2020-07-29 TUN-3200: Add connection information to UI\n- 2020-07-24 TUN-3255: Update UI to display URL instead of hostname\n- 2020-07-29 TUN-3198: Handle errors while running tunnel UI\n\n2020.9.1\n- 2020-09-14 TUN-3395: Unhide named tunnel subcommands, tweak help\n- 2020-09-15 TUN-3395: Improve help for list command\n- 2020-09-14 TUN-3294: Perform basic validation on arguments of route command; remove default pool name which wasn't valid\n- 2020-09-15 TUN-3395: Improve help for list command\n- 2020-09-16 Use Go 1.15.2\n\n2020.9.0\n- 2020-09-11 TUN-3293: Try to use error information from the body of a failed tunnelstore reresponse if available\n- 2020-09-04 AUTH-2653 renabled signing\n- 2020-09-04 TUN-3377: Tunnel route should check dns/lb before checking tunnel ID\n- 2020-09-04 AUTH-2653 changed to proper file extension\n- 2020-09-04 AUTH-2653 handle duplicate key import errors\n- 2020-09-04 TUN-3345: tunnel run accepts name of tunnel as argument\n- 2020-09-08 AUTH-2653 disble error pipe to see what is failing\n- 2020-09-08 AUTH-2653 search for the certificate and not the identity\n- 2020-09-09 TUN-3284: Use cloudflared/ as user agent of tunnelstore client\n- 2020-09-09 TUN-3375: Upgrade x/text and gorilla websocket deps\n- 2020-09-09 TUN-3375: Upgrade coredns and prometheus dependencies\n- 2020-09-09 AUTH-2653 add notarization to mac build\n- 2020-09-08 TUN-3292: Mention cleanup in tunnel run help.\n- 2020-08-20 AUTH-2016 fixed variable fail\n- 2020-08-12 TUN-3352 extra debug logging for websockets\n\n2020.8.2\n- 2020-08-20 AUTH-3021 fixed the git version call by using the older flag\n- 2020-08-18 TUN-3268: Each connection has its own event digest to reconnect\n\n2020.8.1\n- 2020-08-14 AUTH-2975 don't check /etc on windows\n- 2020-08-14 AUTH-2977 log file protection\n- 2020-08-18 TUN-3286: Use either ID or name in Named Tunnel subcommands.\n- 2020-08-18 AUTH-2712 fixed the mac build script\n- 2020-08-19 AUTH-2653 disabling signing until we can get the keys\n- 2020-08-05 TUN-3233: List tunnels support filtering by deleted, name, existed at and id\n- 2020-08-05 TUN-3237: By default, don't show connections that are pending reconnect\n- 2020-08-06 TUN-3242: Build with go 1.14\n- 2020-08-07 TUN-3243: Refactor tunnel subcommands to allow commands to compose better\n- 2020-08-07 AUTH-2864 - add macos build to github release\n- 2020-07-31 AUTH-2857 update homebrew script to use new url\n- 2020-07-30 TUN-3213: Create, route and run named tunnels in one command\n- 2020-07-07 AUTH-2712 added MSI build for a windows agent\n\n2020.8.0\n- 2020-07-30 TUN-3220: tunnel route reports created route\n- 2020-07-31 TUN-3221: ConnectionOptions tracks numPreviousAttempts.\n- 2020-07-20 TUN-3190: Initialize logger using command line flags in tunnels subcommands\n- 2020-07-21 TUN-3192: Use zone ID in tunnelstore request path; improve debug logging\n- 2020-07-23 TUN-3194: Don't render log output when level is not enabled\n- 2020-07-22 AUTH-2016 adds sha256 hashes to releases\n- 2020-07-27 Removes centos 6 build\n- 2020-07-27 TUN-3209: Add benchmark for header serialization\n- 2020-07-24 TUN-3209: improve performance and reduce allocations during user header serialization from h1 to h2\n- 2020-07-26 TUN-3208: Add benchmark for large response write\n- 2020-07-27 TUN-3208: Reduce copies and allocations on h2mux write path. Pre-allocate 16KB write buffer on the first write if possible. Use explicit byte array for chunks on write thread to avoid copying through intermediate buffer due to io.CopyN.\n- 2020-07-28 AUTH-2714: Adds arm64 cloudflared build\n- 2020-07-29 AUTH-2927 run message update after all github builds are done\n- 2020-07-17 AUTH-2902 redirect with just the root host on curl commands\n\n2020.7.4\n- 2020-07-20 Build cloudflared for arm64 on native agents\n- 2020-07-10 TUN-3048: Handle error when user tries to delete active tunnel\n- 2020-07-14 AUTH-2890: adds error handler to cli actions\n- 2020-07-06 TUN-3156: Add route subcommand under tunnel\n\n2020.7.3\n- 2020-07-13 Change scp command to use file glob that matches both cloudflared rpms and debs\n\n2020.7.2\n- 2020-07-02 AUTH-2644: Change install location and add man page\n- 2020-07-02 TUN-3131: Allow user to specify tunnel credentials path, and remove it in tunnel delete command\n- 2020-07-03 TUN-3008: Implement cloudflared tunnel cleanup command\n- 2020-07-02 TUN-3150: cloudflared tunnel list's table should use intelligent column width\n- 2020-07-07 TUN-3169: Move on to the next address when edge returns duplicate connection. There's no point in trying to connect to the same address since it will be hashed to the same metal. Improve logging of errors from serve tunnel loop, hide useless context cancelled error.\n- 2020-07-08 beautify package meta information generated by fpm (#218)\n- 2020-07-06 AUTH-2871: fix rpm builds\n- 2020-07-08 AUTH-2858: Set file to disable autoupdate\n- 2020-07-09 AUTH-2872: Adds centos-6 build\n\n2020.7.1\n- 2020-07-02 DEVTOOLS-7321: Push GitHub homebrew updates to master\n- 2020-07-06 TUN-3161: Upgrade golang.org/x/ deps\n- 2020-06-30 AUTH-2854: Create cloudflared RPMs\n- 2020-06-26 AUTH-2850 log config file path\n\n2020.7.0\n- 2020-06-30 TUN-3140: Add timestamps to terminal log entries\n- 2020-06-30 AUTH-2860: Fix builds\n- 2020-06-25 TUN-3007: Implement named tunnel connection registration and unregistration.\n\n2020.6.6\n- 2020-06-23 AUTH-2685: Adds script to create release\n- 2020-06-25 AUTH-2652: Update cloudflare repo\n- 2020-06-26 AUTH-2718: Add target for publishing deb to pkg.cloudflare repo\n- 2020-06-26 AUTH-2849 all log output to stderr\n- 2020-06-17 TUN-3106: Pass NamedTunnel config to StartServer\n- 2020-06-18 TUN-3107: UnregisterConnection shouldn't wrap nil error as RPC error\n- 2020-06-17 AUTH-2652: Adds .docker-images to push images to docker hub\n- 2020-06-18 AUTH-2712 mac package build script and better config file handling when started as a service\n\n2020.6.5\n- 2020-06-16 DEVTOOLS-7321: Don't skip macOS builds based on tag\n- 2020-06-16 fix for a flaky test\n- 2020-06-16 AUTH-2815 flag check was wrong. stupid oversight\n- 2020-06-16 TUN-3101: Tunnel list command should only show non-deleted, by default\n- 2020-06-16 TUN-3066: Command line action for tunnel run\n- 2020-06-16 TUN-3100 make updater report the right text\n\n2020.6.4\n- 2020-06-11 TUN-3085: Pass connection authentication information using TunnelAuth struct\n- 2020-06-15 TUN-3084: Generate and store tunnel_secret value during tunnel creation\n- 2020-06-16 AUTH-2815 add the log file to support the config.yaml file\n- 2020-06-02 TUN-3015: Add a new cap'n'proto RPC interface for connection registration as well as matching client and server implementations. The old interface extends the new one for backward compatibility.\n\n2020.6.3\n- 2020-06-15 DEVTOOLS-7321: Add openssh-client pkg for missing ssh-keyscan\n- 2020-06-15 AUTH-2813 adds back a single file support a cloudflared log file\n\n2020.6.2\n- 2020-06-11 AUTH-2648 updated usage text\n- 2020-06-11 AUTH-2763 don't redirect from curl command\n- 2020-06-12 TUN-3090: Upgrade crypto dep\n- 2020-06-11 TUN-3038: Add connections to tunnel list table\n- 2020-06-12 AUTH-2810 added warn for backwards compatibility sake\n\n2020.6.1\n- 2020-06-09 AUTH-2796 fixed windows build\n\n2020.6.0\n- 2020-06-05 AUTH-2645 protect against user mistaken flag input\n- 2020-06-05 AUTH-2687 don't copy config unnecessarily\n- 2020-06-05 AUTH-2169 make access login page more generic\n- 2020-06-05 AUTH-2729 added log file and level to cmd flags to match config file settings\n- 2020-06-08 AUTH-2785 service token flag fix and logger fix\n- 2020-05-20 AUTH-2682: Create buster build\n- 2020-05-21 TUN-2928, TUN-2929, TUN-2930: Add tunnel subcommands to interact with tunnel store service\n- 2020-05-29 Adding support for multi-architecture images and binaries (#184)\n- 2020-05-29 TUN-3019: Remove declarative tunnel entry code\n- 2020-05-29 TUN-3020: Remove declarative tunnel related RPC code\n- 2020-05-13 AUTH-2505 added aliases\n- 2020-05-14 AUTH-2529 added deprecation text to db-connect command\n- 2020-05-18 AUTH-2686: Added error handling to tunnel subcommand\n- 2020-05-04 AUTH-2369: RDP Bastion prototype\n- 2020-04-29 AUTH-2596 added new logger package and replaced logrus\n- 2020-04-25 DEVTOOLS-7321: Use SSH key from env for pushing to GitHub\n- 2020-04-25 DEVTOOLS-7321: Push to a test branch instead of to master\n- 2020-03-30 DEVTOOLS-7321: Add scripts for macOS builds and homebrew uploads\n\n2020.5.1\n- 2020-05-07 TUN-2860: Enable quick reconnect feature by default\n- 2020-05-07 AUTH-2564: error handling and minor fixes\n- 2020-05-01 AUTH-2588 add DoH to service mode\n\n2020.5.0\n- 2020-05-01 TUN-2943: Copy certutil from edge into cloudflared\n- 2020-05-05 TUN-2955: Fix connection and goroutine leaks when tunnel conection is terminated on error. Only unregister tunnels that had connected successfully. Close edge connection used to unregister the tunnel. Use buffered channels for error channels where receiver may quit early on context cancellation.\n- 2020-04-30 TUN-2940: Added delay parameter to stdin reconnect command.\n- 2020-04-27 TUN-2921: Rework address selection logic to avoid corner cases\n- 2020-04-28 TUN-2872: Exit with non-0 status code when the binary is updated so launchd will restart the service\n- 2020-04-13 AUTH-2587 add config watcher and reload logic for access client forwarder\n\n2020.4.0\n- 2020-04-10 TUN-2881: Parameterize response meta information header name in the generating function\n- 2020-04-11 TUN-2894: ResponseMetaHeader should be public\n- 2020-04-09 TUN-2880: Return metadata about source of the response from cloudflared\n- 2020-04-04 ARES-899: Fixes DoH client as system resolver. Fixes #91\n- 2020-03-31 AUTH-2394 added socks5 proxy\n- 2020-02-24 AUTH-2235 GetTokenIfExists now parses JWT payload for json expiry field to detect if the cached access token is expired\n\n2020.3.2\n- 2020-03-31 TUN-2854: Quick Reconnects should be an optional supported feature\n- 2020-03-30 TUN-2850: Tunnel stripping Cloudflare headers\n\n2020.3.1\n- 2020-03-27 TUN-2846: Trigger debug reconnects from stdin commands, not SIGUSR1\n\n2020.3.0\n- 2020-03-23 AUTH-2394 fixed header for websockets. Added TCP alias\n- 2020-03-10 TUN-2797: Fix panic in SetConnDigest by making mutexes values.\n- 2020-03-13 TUN-2807: cloudflared hello-world shouldn't assume it's my first tunnel\n- 2020-03-13 TUN-2756: Set connection digest after reconnect.\n- 2020-03-16 TUN-2812: Tunnel proxies and RPCs can share an edge address\n- 2020-03-18 TUN-2816: cloudflared metrics server should be more discoverable\n- 2020-03-19 TUN-2820: Serialized headers for Websockets\n- 2020-03-19 TUN-2819: cloudflared should close its connections when a signal is sent\n- 2020-03-19 TUN-2823: Bugfix. cloudflared would hang forever if error occurred.\n- 2020-03-10 TUN-2796: Implement HTTP2 CONTINUATION headers correctly\n- 2020-03-02 TUN-2779: update sample HTML pages\n- 2020-03-04 TUN-2785: Use reconnect token by default\n- 2020-03-05 TUN-2754: Add ConnDigest to cloudflared and its RPCs\n- 2020-03-06 TUN-2755: ReconnectTunnel RPC now transmits ConnectionDigest\n- 2020-03-06 TUN-2761: Use the new header management functions in cloudflared\n- 2020-03-06 TUN-2788: cloudflared should store one ConnDigest per HA connection\n- 2020-02-26 TUN-2767: Test for large headers\n- 2020-02-28 do not terminate tunnel if origin is not reachable on start-up (#177)\n- 2020-02-28 TUN-2776: Add header serialization feature in cloudflared\n- 2020-02-21 TUN-2748: Insecure randomness vulnerability in github.com/miekg/dns\n\n2020.2.1\n- 2020-02-20 TUN-2745: Rename existing header management functions\n- 2020-02-21 TUN-2746: Add the new header management functions\n- 2020-02-25 perf(cloudflared): reuse memory from buffer pool to get better throughput (#161)\n- 2020-02-25 Tweak HTTP host header. Fixes #107 (#168)\n- 2020-02-25 TUN-2765: Add list of features to tunnelrpc\n- 2020-02-19 TUN-2725: Specify in code that --edge is for internal testing only\n- 2020-02-19 TUN-2703: Muxer.Serve terminates when its context is Done\n- 2020-02-09 TUN-2717: Function to serialize/deserialize HTTP headers\n- 2020-02-05 TUN-2714: New edge discovery. Connections try to reconnect to the same edge IP.\n\n2020.2.0\n- 2020-01-30 TUN-2651: Fix panic in h2mux reader when a stream error is encountered\n- 2020-01-27 TUN-2645: Revert \"TUN-2645: Turn on reconnect tokens\"\n- 2020-01-28 TUN-2693: Metrics for ReconnectTunnel\n- 2020-01-28 TUN-2696: Add unknown registerRPCName\n- 2020-01-28 TUN-2699: Metrics for Authenticate RPCs\n- 2020-01-28 TUN-2690: cloudflared reconnect uses wrong context\n- 2020-01-29 TUN-2707: Inconsistent cardinality in tunnel error metrics\n- 2020-01-13 TUN-2645: Turn on reconnect tokens\n- 2019-12-23 TUN-2646: Make --edge flag work again for local development\n\n2019.12.0\n- 2019-12-11 TUN-2631: only notify that activeStreamMap is closed if ignoreNewStreams=true\n- 2019-12-17 bug(cloudflared): Set the MaxIdleConnsPerHost of http.Transport to proxy-keepalive-connections (#155)\n- 2019-12-17 refactor(docker): optimize Dockerfile (#126)\n- 2019-12-19 Fix timer scheduling for systemd update service (#159)\n- 2019-12-13 TUN-2637: Manage edge IPs in a region-aware manner\n- 2019-12-03 bug(cloudflared): nil pointer deference on h2DictWriter Close() (#154)\n- 2019-12-03 TUN-2608: h2mux.Muxer.Shutdown always returns a non-nil channel\n- 2019-12-04 TUN-2555: origin/supervisor.go calls Authenticate\n- 2019-12-06 TUN-2554: cloudflared calls ReconnectTunnel\n- 2019-11-20 TUN-2575: Constructors + simpler conversions for AuthOutcome\n- 2019-11-22 Fix Docker build failure (#149)\n- 2019-11-21 TUN-2573: Refactor TunnelRegistration into PermanentRegistrationError, RetryableRegistrationError and SuccessfulTunnelRegistration\n- 2019-11-22 TUN-2582: EventDigest field in tunnelrpc\n- 2019-11-22 Fix \"happy eyeballs\" not being disabled since Golang 1.12 upgrade * The Dialer.DualStack setting is now ignored and deprecated; RFC 6555 Fast Fallback (\"Happy Eyeballs\") is now enabled by default. To disable, set Dialer.FallbackDelay to a negative value.\n- 2019-11-25 TUN-2591: ReconnectTunnel now sends EventDigest\n- 2019-11-21 TUN-2606: add DialEdge helpers\n- 2019-11-21 TUN-2607: add RPC stream helpers\n\n2019.11.3\n- 2019-11-20 TUN-2562: Update Cloudflare Origin CA RSA root\n\n2019.11.2\n- 2019-11-18 TUN-2567: AuthOutcome can be turned back into AuthResponse\n- 2019-11-18 TUN-2563: Exposes config_version metrics\n\n2019.11.1\n- 2019-11-12 Add db-connect, a SQL over HTTPS server\n- 2019-11-12 TUN-2053: Add a /healthcheck endpoint to the metrics server\n- 2019-11-13 TUN-2178: public API to create new h2mux.MuxedStreamRequest\n- 2019-11-13 TUN-2490: respect original representation of HTTP request path\n- 2019-11-18 TUN-2547: TunnelRPC definitions for Authenticate flow\n- 2019-11-18 TUN-2551: TunnelRPC definitions for ReconnectTunnel flow\n- 2019-11-05 TUN-2506: Expose active streams metrics\n\n2019.11.0\n- 2019-11-04 TUN-2502: Switch to go modules\n- 2019-11-04 TUN-2500: Don't send client registration errors to Sentry\n- 2019-11-04 TUN-2489: Delete stream from activestreammap when read and write are both closed\n- 2019-11-05 TUN-2505: Terminate stream on receipt of RST_STREAM; MuxedStream.CloseWrite() should terminate the MuxedStream.Write() loop\n- 2019-10-30 TUN-2451: Log inavlid path\n- 2019-10-22 TUN-2425: Enable cloudflared to serve multiple Hello World servers by having each of them create its own ServeMux\n- 2019-10-22 AUTH-2173: Prepends access login url with scheme if one doesnt exist\n- 2019-10-23 TUN-2460: Configure according to the ClientConfig recevied from a successful Connect\n- 2019-10-23 AUTH-2177: Reads and writes error streams\n\n2019.10.4\n- 2019-10-21 TUN-2450: Remove Brew publishing formula\n\n2019.10.3\n- 2019-10-18 Fix #129: Excessive memory usage streaming large files (#142)\n\n2019.10.2\n- 2019-10-17 AUTH-2167: Adds CLI option for host key directory\n\n2019.10.1\n- 2019-10-17 Adds variable to fix windows build\n\n2019.10.0\n- 2019-10-11 AUTH-2105: Dont require --destination arg\n- 2019-10-14 TUN-2344: log more details: http2.Framer.ErrorDetail() if available, connectionID\n- 2019-10-16 AUTH-2159: Moves shutdownC close into error handling AUTH-2161: Lowers size of preamble length AUTH-2160: Fixes url parsing logic\n- 2019-10-16 AUTH-2135: Adds support for IPv6 and tests\n- 2019-10-02 AUTH-2105: Adds support for local forwarding. Refactor auditlogger creation. AUTH-2088: Adds dynamic destination routing\n- 2019-10-09 AUTH-2114: Uses short lived cert auth for outgoing client connection\n- 2019-09-30 AUTH-2089: Revise ssh server to function as a proxy\n\n2019.9.2\n- 2019-09-26 TUN-2355: Roll back TUN-2276\n\n2019.9.1\n- 2019-09-23 TUN-2334: remove tlsConfig.ServerName special case\n- 2019-09-23 AUTH-2077: Quotes open browser command in windows\n- 2019-09-11 AUTH-2050: Adds time.sleep to temporarily avoid hitting tunnel muxer dealock issue\n- 2019-09-10 AUTH-2056: Writes stderr to its own stream for non-pty connections\n- 2019-09-16 TUN-2307: Capnp is the only serialization format used in tunnelpogs\n- 2019-09-18 TUN-2315: Replace Scope with IntentLabel\n- 2019-09-17 TUN-2309: Split ConnectResult into ConnectError and ConnectSuccess, each implementing its own capnp serialization logic\n- 2019-09-18 AUTH-2052: Adds tests for SSH server\n- 2019-09-18 AUTH-2067: Log commands correctly\n- 2019-09-19 AUTH-2055: Verifies token at edge on access login\n- 2019-09-04 TUN-2201: change SRV records used by cloudflared\n- 2019-09-06 TUN-2280: Revert \"TUN-2260: add name/group to CapnpConnectParameters, remove Scope\"\n- 2019-09-03 AUTH-1943 hooked up uploader to logger, added timestamp to session logs, add tests\n- 2019-09-04 AUTH-2036: Refactor user retrieval, shutdown after ssh server stops, add custom version string\n- 2019-09-06 AUTH-1942 added event log to ssh server\n- 2019-09-04 AUTH-2037: Adds support for ssh port forwarding\n- 2019-09-05 TUN-2276: Path encoding broken\n\n2019.9.0\n- 2019-09-05 TUN-2279: Revert path encoding fix\n- 2019-08-30 AUTH-2021 - check error for failing tests\n- 2019-08-29 AUTH-2030: Support both authorized_key and short lived cert authentication simultaniously without specifiying at start time\n- 2019-08-29 AUTH-2026: Adds support for non-pty sessions and inline command exec\n- 2019-08-26 AUTH-1943: Adds session logging\n- 2019-08-26 TUN-2162: Decomplect OpenStream to allow finer-grained timeouts\n- 2019-08-29 TUN-2260: add name/group to CapnpConnectParameters, remove Scope\n\n2019.8.4\n- 2019-08-30 Fix #111: Add support for specifying a specific HTTP Host: header on the origin. (#114)\n- 2019-08-22 TUN-2165: Add ClientConfig to tunnelrpc.ConnectResult\n- 2019-08-20 AUTH-2014: Checks users login shell\n- 2019-08-26 TUN-2243: Revert \"STOR-519: Add db-connect, a SQL over HTTPS server\"\n- 2019-08-27 TUN-2244: Add NO_AUTOUPDATE env var\n- 2019-08-22 AUTH-2018: Adds support for authorized keys and short lived certs\n- 2019-08-28 AUTH-2022: Adds ssh timeout configuration\n- 2019-08-28 TUN-1968: Gracefully diff StreamHandler.UpdateConfig\n- 2019-08-26 AUTH-2021 - s3 bucket uploading for SSH logs\n- 2019-08-19 AUTH-2004: Adds static host key support\n- 2019-07-18 AUTH-1941: Adds initial SSH server implementation\n\n2019.8.3\n- 2019-08-20 STOR-519: Add db-connect, a SQL over HTTPS server\n- 2019-08-20 Release 2019.8.2\n- 2019-08-20 Revert \"AUTH-1941: Adds initial SSH server implementation\"\n- 2019-08-11 TUN-2163: Add GrapQLType method to Scope interface\n- 2019-08-06 TUN-2152: Requests with a query in the URL are erroneously escaped\n- 2019-07-18 AUTH-1941: Adds initial SSH server implementation\n\n2019.8.1\n- 2019-08-05 TUN-2111: Implement custom serialization logic for FallibleConfig and OriginConfig\n- 2019-08-06 Revert \"TUN-1736: Missing headers when passing an invalid path\"\n\n2019.8.0\n- 2019-07-11 TUN-1956: Go 1.12 update\n- 2019-07-24 TUN-1736: Missing headers when passing an invalid path\n- 2019-07-30 TUN-2117: read group/system-name from CLI, send it to edge\n- 2019-08-02 TUN-2125: Add PostgresType() to Scope\n- 2019-08-05 TUN-2147: Implemented ScopeUnmarshaler\n- 2019-07-31 TUN-2110: Implement custom deserialization logic for OriginConfig\n- 2019-07-31 AUTH-1972: Deletes token lock file if backoff retry attempts exceeded and intercepts signals until lock is released\n\n2019.7.0\n- 2019-05-28 TUN-1913: Define OriginService for each type of origin\n- 2019-04-29 Build a docker container\n- 2019-06-12 TUN-1952: Group ClientConfig fields by the component that uses the config, and return the part of the config that failed to be applied\n- 2019-06-05 TUN-1893: Proxy requests to the origin based on tunnel hostname\n- 2019-06-17 TUN-1961: Create EdgeConnectionManager to maintain outbound connections to the edge\n- 2019-06-18 TUN-1885: Reconfigure cloudflared on receiving new ClientConfig\n- 2019-06-19 TUN-1976: Pass tunnel hostname through header\n- 2019-06-20 TUN-1982: Load custom origin CA when OriginCAPool is specified\n- 2019-06-26 TUN-2005: Upgrade logrus\n- 2019-06-20 TUN-1981: Write response header & body on proxy error to notify eyeballs of failure category\n- 2019-06-20 TUN-1977: Validate OriginConfig has valid URL, and use scheme to determine if a HTTPOriginService is expecting HTTP or Unix\n- 2019-06-13 DoH: change the media type to application/dns-message\n- 2019-06-26 AUTH-1736: Better handling of token revocation\n\n2019.6.0\n- 2019-05-17 TUN-1828: Update declarative tunnel config struct\n- 2019-05-29 Handle exit code on err\n- 2019-05-29 AUTH-1802: Fixed ssh-config templating\n- 2019-05-30 TUN-1914: Conflate HTTP and Unix OriginConfig, and add TLS config to WebSocketOriginConfig\n- 2019-06-03 AUTH-1811: ssh-gen config fixes\n\n2019.5.0\n- 2019-04-25 TUN-1781: ServeStream should return early on error\n- 2019-04-30 TUN-1786: Remove low-level Windows service logging\n- 2019-05-03 TUN-1807: Send cloudflared version in Connect RPC\n- 2019-01-23 AUTH-1557: Short Lived Certs\n- 2019-05-13 TUN-1847: Log a distinct message when OpenStream fails while waiting for response headers\n- 2019-05-13 AUTH-1706: fixes and testing\n- 2019-05-22 TUN-1880: Save debug and warn level log to logfile\n- 2019-05-22 AUTH-1781: fixed race condition for short lived certs, doc required config\n\n2019.4.1\n- 2019-03-18 TUN-1626: Create new supervisor to establish connection with origintunneld\n- 2019-04-04 TUN-1619: Add flag to test declarative tunnels.\n- 2019-04-05 TUN-1577: decompose carrier.StartServer to make TestStartServer less flappy\n- 2019-03-29 TUN-1606: Define CloudflaredConfig RPC structure, interface for cloudflared's RPC server\n- 2019-04-02 TUN-1682: Add context to OpenStream to prevent it from blocking indefinitely.\n- 2019-04-16 TUN-1732: cloudflared metrics should track userHostnames\n- 2019-04-17 TUN-1734: Pin packages at exact versions\n- 2019-04-18 TUN-1669: Update license message in help text. Also fix test\n\n2019.4.0\n- 2019-03-28 TUN-1648: ConnectionID is now a UUID\n- 2019-04-01 TUN-1673: Conflate Hello and Connect RPCs\n\n2019.3.2\n- 2019-03-22 TUN-1637: Free tunnels shouldn't require cert.pem\n- 2019-03-18 TUN-1604: Define Connect RPC call\n\n2019.3.1\n- 2019-03-09 Add rdp as a supported protocol in URL validation (#76)\n- 2019-03-15 TUN-1613: improved cloudflared RegisterTunnel fail metrics\n- 2019-03-17 TUN-1615: revert miekg/dns to last known working revision\n\n2019.3.0\n- 2018-12-28 make http transport aware of proxy from envvar\n- 2019-02-28 TUN-1559: fix nil dereference in TunnelConfig.CloseConnOnce\n- 2019-03-04 TUN-1451: Make non-interactive, non-service execution possible on Windows\n- 2019-03-04 TUN-1562: Refactor connectedSignal to be safe to close multiple times\n- 2019-02-27 TUN-1550: Add validation timeout for non-responsive origins\n- 2019-03-06 AUTH-1531: Named flags for ssh service tokens\n- 2019-02-14 Support unix sockets.\n- 2019-03-08 TUN-1389: Non-scalar flags in a cloudflared config.yml don't get logged\n- 2019-03-07 TUN-1522: If we can't get SRV from default resolver, get them from 1.1.1.1 DoT\n\n2019.2.1\n- 2019-02-14 TUN-1381: should tell you if you're on the latest version rather than just exiting silently\n- 2019-02-15 TUN-1467: build with Go 1.11\n- 2019-02-15 AUTH-1519: Added logging\n- 2019-02-19 TUN-1525: cloudflared metrics for registration success/fail\n- 2019-02-19 TUN-1510: Wrap the close() in sync.Once.Do\n\n2019.2.0\n- 2019-01-24 AUTH-1462: better curl arg parsing\n- 2019-02-01 TUN-1456: Only make one UUID\n- 2019-01-30 cloudflared/linux_service: Add missing /etc/init.d shebang\n- 2019-02-07 AUTH-1511: Add custom headers for ssh command\n- 2019-02-01 AUTH-1503: Added RDP support\n- 2019-02-01 AUTH-1403: Print the paths in the ssh-config instructions\n\n2019.1.0\n- 2018-12-10 TUN-1231: Horizontal overflow wrapping on the Hello page\n- 2018-12-17 TUN-1140: Show usage if invoked with no args or config\n- 2018-11-06 TUN-632 Filter out common network exceptions from going to Sentry on StartServer\n- 2019-01-07 TUN-1138: Install cloudflared service directory with 755 permissions\n- 2019-01-07 TUN-1265: Silent exit when failing to parse config\n- 2019-01-10 TUN-1350: Enhance error messages with cloudflarestatus.com link, if relevant\n- 2019-01-16 TUN-1358: Close readyList after Muxer.Serve() has stopped running\n- 2019-01-24 AUTH-1423: move from stdout to stderr\n- 2019-01-24 AUTH-1404: reauth if the token is about to expire within 15 minutes\n- 2019-01-24 AUTH-1459: improved ssh streaming error message\n- 2019-01-24 AUTH-1211: print all the versions\n- 2019-01-24 AUTH-1337: fix url path\n- 2019-01-28 TUN-1418: Rename ProtocolLogger to TransportLogger, and use TransportLogger to log RPC events.\n- 2019-01-28 TUN-1419: Identify request/response headers/content length with ray ID\n\n2018.12.1\n- 2018-12-11 TUN-1270: cloudflared panic (HA metrics missing label)\n\n2018.12.0\n- 2018-11-15 TUN-1196: Allow TLS config client CA and root CA to be constructed from multiple certificates\n- 2018-11-20 TUN-1209: TLS Config Certificates and GetCertificate can both be set\n- 2018-11-26 TUN-1212: Expose tunnel_id in metrics\n- 2018-11-30 TUN-1204: remove 'cloudflared hello' command\n- 2018-12-04 Fix license URL typo\n- 2018-12-07 TUN-1250: ValidateHTTPService shouldn't follow 302s\n\n2018.11.0\n- 2018-10-31 AUTH-1282: Fixed an issue where we were receiving as opposed sending on the channel.\n- 2018-11-06 TUN-1179: Fix log message in cmd/cloudflared/transfer.Run\n- 2018-11-13 AUTH-1308: get jwt even when you are already logged in\n- 2018-11-12 TUN-1190: check URL parse error when starting SSH proxy server\n- 2018-11-15 AUTH-1320: Fixed request issue and unhide the ssh command\n\n2018.10.5\n- 2018-10-18 TUN-968: Flow control for large requests/responses\n- 2018-10-26 TUN-1158: Windows: use process arguments rather than trivial service arguments\n- 2018-10-20 #30: Fix the Content-Length header for HTTP2->HTTP1\n- 2018-10-29 TUN-1160: pass Host header during origin url validation\n\n2018.10.4\n- 2018-09-21 AUTH-1070: added SSH/protocol forwarding\n- 2018-10-19 AUTH-1235: fixed packaging of deb dev file\n- 2018-10-19 TUN-1097: Host missing from WebSocket request\n- 2018-10-19 AUTH-1188: UX Review and Changes for CLI SSH Access\n\n2018.10.3\n- 2018-10-08 TUN-1099: Bring back changes in 2018.10.1\n- 2018-10-08 TUN-1098: removed deprecation error\n- 2018-10-08 TUN-1101: False negatives in Cloudflared error reporting\n\n2018.10.2\n- 2018-10-06 TUN-1093: Revert cloudflared to 2018.8.0\n\n2018.10.1\n- 2018-10-03 TUN-1012: Normalize config filename for Linux services\n- 2018-10-05 TUN-1081: cloudflared now generates UUIDs\n- 2018-10-05 TUN-1083: fixed incorrect help menu\n- 2018-10-05 TUN-1086: fixed config option\n\n2018.10.0\n- 2018-08-15 AUTH-910, AUTH-1049, AUTH-1068, AUTH-1056: Generate and store Access tokens with E2EE option, curl/cmd wrapper\n- 2018-09-11 TUN-890: To support free tunnels, hostname can now be \"\"\n- 2018-09-12 TUN-810: Cloudflared should open dash/argotunnel not dash/warp\n- 2018-09-12 TUN-985: Don't display tunnel ID if it's empty string\n- 2018-09-11 TUN-881: Display trial zone URL upon successful registration\n- 2018-09-11 TUN-868: HTTP/HTTPS mismatch should have a better error message\n- 2018-09-19 TUN-1028: Unhide cloudflared compression flag\n- 2018-09-20 AUTH-1139: refactored cloudflared help menu\n- 2018-09-20 TUN-1035: New text for cloudflared tunnel --help\n- 2018-09-18 AUTH-1136: addressing beta feedback\n- 2018-09-26 AUTH-1165: hide access command\n- 2018-09-26 TUN-1046: Document that delta compression is a beta feature\n- 2018-09-28 TUN-1056: Lint error broke build\n- 2018-09-27 TUN-1052: Origintunneld can send back an Origincert to Cloudflared\n- 2018-09-28 TUN-1052: Changing type of OriginCert to :Data\n- 2018-10-01 TUN-1062: Makefile target for regenerating Capn Proto definitions\n- 2018-10-02 TUN-1064: Revert OriginCert capnp changes in Cloudflared. Reverts commits a1ee2342e97 and 8c756c45785.\n- 2018-10-03 TUN-1076: Pin capnproto2 to version 2.17.1\n- 2018-10-03 AUTH-1199: unhide access command, added beta label\n\n2018.8.0\n- 2018-05-01 Initial commit\n- 2018-05-03 TUN-595: Add License/Readme files to cloudflared\n- 2018-05-01 TUN-528: Move cloudflared into a separate repo\n- 2018-07-24 TUN-813: Clean up cloudflared dependencies\n- 2018-07-25 TUN-814: Handle error in CreateTLSListener before closing listener\n- 2018-07-24 TUN-804: create Makefile recipe to build cloudflared and run tests\n- 2018-07-26 TUN-817: Increase the log time precision\n- 2018-07-30 TUN-828: Added Connection: keep-alive header\n- 2018-07-30 TUN-829: prefer p256 curve\n- 2018-07-31 TUN-834: Enable tracing on cloudflared\n- 2018-08-07 TUN-820: Fix caddyfile gitignore\n- 2018-07-25 TUN-804: create make recipe for building deb package\n- 2018-08-07 TUN-861: Disable cloudflared tracing by default; preserve the latest tracefile\n- 2018-08-07 TUN-857: Pull the brotli-go dependency from Github\n- 2018-08-14 TUN-897: Bring back missing Brotli files\n- 2018-07-26 TUN-804: create makefile recipe to release cloudflared using equinox\n- 2018-08-15 TUN-901: makefile target for homebrew release\n- 2018-07-30 TUN-801: Rapid SQL Proxy\n- 2018-08-27 TUN-833: Don't log system root certificate loading failure on Windows\n\n" }, { "path": "carrier/carrier.go", "content": "// Package carrier provides a WebSocket proxy to carry or proxy a connection\n// from the local client to the edge. See it as a wrapper around any protocol\n// that it packages up in a WebSocket connection to the edge.\npackage carrier\n\nimport (\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"strings\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/token\"\n)\n\nconst (\n\tLogFieldOriginURL = \"originURL\"\n\tCFAccessTokenHeader = \"Cf-Access-Token\"\n\tcfJumpDestinationHeader = \"Cf-Access-Jump-Destination\"\n)\n\ntype StartOptions struct {\n\tAppInfo *token.AppInfo\n\tOriginURL string\n\tHeaders http.Header\n\tHost string\n\tTLSClientConfig *tls.Config\n\tAutoCloseInterstitial bool\n\tIsFedramp bool\n}\n\n// Connection wraps up all the needed functions to forward over the tunnel\ntype Connection interface {\n\t// ServeStream is used to forward data from the client to the edge\n\tServeStream(*StartOptions, io.ReadWriter) error\n}\n\n// StdinoutStream is empty struct for wrapping stdin/stdout\n// into a single ReadWriter\ntype StdinoutStream struct{}\n\n// Read will read from Stdin\nfunc (c *StdinoutStream) Read(p []byte) (int, error) {\n\treturn os.Stdin.Read(p)\n}\n\n// Write will write to Stdout\nfunc (c *StdinoutStream) Write(p []byte) (int, error) {\n\treturn os.Stdout.Write(p)\n}\n\n// Helper to allow deferring the response close with a check that the resp is not nil\nfunc closeRespBody(resp *http.Response) {\n\tif resp != nil {\n\t\t_ = resp.Body.Close()\n\t}\n}\n\n// StartForwarder will setup a listener on a specified address/port and then\n// forward connections to the origin by calling `Serve()`.\nfunc StartForwarder(conn Connection, address string, shutdownC <-chan struct{}, options *StartOptions) error {\n\tlistener, err := net.Listen(\"tcp\", address)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"failed to start forwarding server\")\n\t}\n\treturn Serve(conn, listener, shutdownC, options)\n}\n\n// StartClient will copy the data from stdin/stdout over a WebSocket connection\n// to the edge (originURL)\nfunc StartClient(conn Connection, stream io.ReadWriter, options *StartOptions) error {\n\treturn conn.ServeStream(options, stream)\n}\n\n// Serve accepts incoming connections on the specified net.Listener.\n// Each connection is handled in a new goroutine: its data is copied over a\n// WebSocket connection to the edge (originURL).\n// `Serve` always closes `listener`.\nfunc Serve(remoteConn Connection, listener net.Listener, shutdownC <-chan struct{}, options *StartOptions) error {\n\tdefer listener.Close()\n\terrChan := make(chan error)\n\n\tgo func() {\n\t\tfor {\n\t\t\tconn, err := listener.Accept()\n\t\t\tif err != nil {\n\t\t\t\t// don't block if parent goroutine quit early\n\t\t\t\tselect {\n\t\t\t\tcase errChan <- err:\n\t\t\t\tdefault:\n\t\t\t\t}\n\t\t\t\treturn\n\t\t\t}\n\t\t\tgo serveConnection(remoteConn, conn, options)\n\t\t}\n\t}()\n\n\tselect {\n\tcase <-shutdownC:\n\t\treturn nil\n\tcase err := <-errChan:\n\t\treturn err\n\t}\n}\n\n// serveConnection handles connections for the Serve() call\nfunc serveConnection(remoteConn Connection, c net.Conn, options *StartOptions) {\n\tdefer c.Close()\n\t_ = remoteConn.ServeStream(options, c)\n}\n\n// IsAccessResponse checks the http Response to see if the url location\n// contains the Access structure.\nfunc IsAccessResponse(resp *http.Response) bool {\n\tif resp == nil || resp.StatusCode != http.StatusFound {\n\t\treturn false\n\t}\n\n\tlocation, err := resp.Location()\n\tif err != nil || location == nil {\n\t\treturn false\n\t}\n\tif strings.HasPrefix(location.Path, token.AccessLoginWorkerPath) {\n\t\treturn true\n\t}\n\n\treturn false\n}\n\n// BuildAccessRequest builds an HTTP request with the Access token set\nfunc BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Request, error) {\n\treq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\ttoken, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, options.AutoCloseInterstitial, options.IsFedramp, log)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// We need to create a new request as FetchToken will modify req (boo mutable)\n\t// as it has to follow redirect on the API and such, so here we init a new one\n\toriginRequest, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\toriginRequest.Header.Set(CFAccessTokenHeader, token)\n\n\tfor k, v := range options.Headers {\n\t\tif len(v) >= 1 {\n\t\t\toriginRequest.Header.Set(k, v[0])\n\t\t}\n\t}\n\n\treturn originRequest, nil\n}\n\nfunc SetBastionDest(header http.Header, destination string) {\n\tif destination != \"\" {\n\t\theader.Set(cfJumpDestinationHeader, destination)\n\t}\n}\n\nfunc ResolveBastionDest(r *http.Request) (string, error) {\n\tjumpDestination := r.Header.Get(cfJumpDestinationHeader)\n\tif jumpDestination == \"\" {\n\t\treturn \"\", fmt.Errorf(\"Did not receive final destination from client. The --destination flag is likely not set on the client side\")\n\t}\n\t// Strip scheme and path set by client. Without a scheme\n\t// Parsing a hostname and path without scheme might not return an error due to parsing ambiguities\n\tif jumpURL, err := url.Parse(jumpDestination); err == nil && jumpURL.Host != \"\" {\n\t\treturn removePath(jumpURL.Host), nil\n\t}\n\treturn removePath(jumpDestination), nil\n}\n\nfunc removePath(dest string) string {\n\treturn strings.SplitN(dest, \"/\", 2)[0]\n}\n" }, { "path": "carrier/carrier_test.go", "content": "package carrier\n\nimport (\n\t\"bytes\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"sync\"\n\t\"testing\"\n\n\tws \"github.com/gorilla/websocket\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\nconst (\n\t// example in Sec-Websocket-Key in rfc6455\n\ttestSecWebsocketKey = \"dGhlIHNhbXBsZSBub25jZQ==\"\n)\n\ntype testStreamer struct {\n\tbuf *bytes.Buffer\n\tl sync.RWMutex\n}\n\nfunc newTestStream() *testStreamer {\n\treturn &testStreamer{buf: new(bytes.Buffer)}\n}\n\nfunc (s *testStreamer) Read(p []byte) (int, error) {\n\ts.l.RLock()\n\tdefer s.l.RUnlock()\n\treturn s.buf.Read(p)\n\n}\n\nfunc (s *testStreamer) Write(p []byte) (int, error) {\n\ts.l.Lock()\n\tdefer s.l.Unlock()\n\treturn s.buf.Write(p)\n}\n\nfunc TestStartClient(t *testing.T) {\n\tmessage := \"Good morning Austin! Time for another sunny day in the great state of Texas.\"\n\tlog := zerolog.Nop()\n\twsConn := NewWSConnection(&log)\n\tts := newTestWebSocketServer()\n\tdefer ts.Close()\n\n\tbuf := newTestStream()\n\toptions := &StartOptions{\n\t\tOriginURL: \"http://\" + ts.Listener.Addr().String(),\n\t\tHeaders: nil,\n\t}\n\terr := StartClient(wsConn, buf, options)\n\tassert.NoError(t, err)\n\t_, _ = buf.Write([]byte(message))\n\n\treadBuffer := make([]byte, len(message))\n\t_, _ = buf.Read(readBuffer)\n\tassert.Equal(t, message, string(readBuffer))\n}\n\nfunc TestStartServer(t *testing.T) {\n\tlistener, err := net.Listen(\"tcp\", \"localhost:\")\n\tif err != nil {\n\t\tt.Fatalf(\"Error starting listener: %v\", err)\n\t}\n\tmessage := \"Good morning Austin! Time for another sunny day in the great state of Texas.\"\n\tlog := zerolog.Nop()\n\tshutdownC := make(chan struct{})\n\twsConn := NewWSConnection(&log)\n\tts := newTestWebSocketServer()\n\tdefer ts.Close()\n\toptions := &StartOptions{\n\t\tOriginURL: \"http://\" + ts.Listener.Addr().String(),\n\t\tHeaders: nil,\n\t}\n\n\tgo func() {\n\t\terr := Serve(wsConn, listener, shutdownC, options)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Error running server: %v\", err)\n\t\t\treturn\n\t\t}\n\t}()\n\n\tconn, err := net.Dial(\"tcp\", listener.Addr().String())\n\t_, _ = conn.Write([]byte(message))\n\n\treadBuffer := make([]byte, len(message))\n\t_, _ = conn.Read(readBuffer)\n\tassert.Equal(t, string(readBuffer), message)\n}\n\nfunc TestIsAccessResponse(t *testing.T) {\n\tvalidLocationHeader := http.Header{}\n\tvalidLocationHeader.Add(\"location\", \"https://test.cloudflareaccess.com/cdn-cgi/access/login/blahblah\")\n\tinvalidLocationHeader := http.Header{}\n\tinvalidLocationHeader.Add(\"location\", \"https://google.com\")\n\ttestCases := []struct {\n\t\tDescription string\n\t\tIn *http.Response\n\t\tExpectedOut bool\n\t}{\n\t\t{\"nil response\", nil, false},\n\t\t{\"redirect with no location\", &http.Response{StatusCode: http.StatusFound}, false},\n\t\t{\"200 ok\", &http.Response{StatusCode: http.StatusOK}, false},\n\t\t{\"redirect with location\", &http.Response{StatusCode: http.StatusFound, Header: validLocationHeader}, true},\n\t\t{\"redirect with invalid location\", &http.Response{StatusCode: http.StatusFound, Header: invalidLocationHeader}, false},\n\t}\n\n\tfor i, tc := range testCases {\n\t\tif IsAccessResponse(tc.In) != tc.ExpectedOut {\n\t\t\tt.Fatalf(\"Failed case %d -- %s\", i, tc.Description)\n\t\t}\n\t}\n\n}\n\nfunc newTestWebSocketServer() *httptest.Server {\n\tupgrader := ws.Upgrader{\n\t\tReadBufferSize: 1024,\n\t\tWriteBufferSize: 1024,\n\t}\n\n\treturn httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tconn, _ := upgrader.Upgrade(w, r, nil)\n\t\tdefer conn.Close()\n\t\tfor {\n\t\t\tmt, message, err := conn.ReadMessage()\n\t\t\tif err != nil {\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t\tif err := conn.WriteMessage(mt, []byte(message)); err != nil {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}))\n}\n\nfunc testRequest(t *testing.T, url string, stream io.ReadWriter) *http.Request {\n\treq, err := http.NewRequest(\"GET\", url, stream)\n\tif err != nil {\n\t\tt.Fatalf(\"testRequestHeader error\")\n\t}\n\n\treq.Header.Add(\"Connection\", \"Upgrade\")\n\treq.Header.Add(\"Upgrade\", \"WebSocket\")\n\treq.Header.Add(\"Sec-Websocket-Key\", testSecWebsocketKey)\n\treq.Header.Add(\"Sec-Websocket-Protocol\", \"tunnel-protocol\")\n\treq.Header.Add(\"Sec-Websocket-Version\", \"13\")\n\treq.Header.Add(\"User-Agent\", \"curl/7.59.0\")\n\n\treturn req\n}\n\nfunc TestBastionDestination(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\theader http.Header\n\t\texpectedDest string\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\tname: \"hostname destination\",\n\t\t\theader: http.Header{\n\t\t\t\tcfJumpDestinationHeader: []string{\"localhost\"},\n\t\t\t},\n\t\t\texpectedDest: \"localhost\",\n\t\t},\n\t\t{\n\t\t\tname: \"hostname destination with port\",\n\t\t\theader: http.Header{\n\t\t\t\tcfJumpDestinationHeader: []string{\"localhost:9000\"},\n\t\t\t},\n\t\t\texpectedDest: \"localhost:9000\",\n\t\t},\n\t\t{\n\t\t\tname: \"hostname destination with scheme and port\",\n\t\t\theader: http.Header{\n\t\t\t\tcfJumpDestinationHeader: []string{\"ssh://localhost:9000\"},\n\t\t\t},\n\t\t\texpectedDest: \"localhost:9000\",\n\t\t},\n\t\t{\n\t\t\tname: \"full hostname url\",\n\t\t\theader: http.Header{\n\t\t\t\tcfJumpDestinationHeader: []string{\"ssh://localhost:9000/metrics\"},\n\t\t\t},\n\t\t\texpectedDest: \"localhost:9000\",\n\t\t},\n\t\t{\n\t\t\tname: \"hostname destination with port and path\",\n\t\t\theader: http.Header{\n\t\t\t\tcfJumpDestinationHeader: []string{\"localhost:9000/metrics\"},\n\t\t\t},\n\t\t\texpectedDest: \"localhost:9000\",\n\t\t},\n\t\t{\n\t\t\tname: \"ip destination\",\n\t\t\theader: http.Header{\n\t\t\t\tcfJumpDestinationHeader: []string{\"127.0.0.1\"},\n\t\t\t},\n\t\t\texpectedDest: \"127.0.0.1\",\n\t\t},\n\t\t{\n\t\t\tname: \"ip destination with port\",\n\t\t\theader: http.Header{\n\t\t\t\tcfJumpDestinationHeader: []string{\"127.0.0.1:9000\"},\n\t\t\t},\n\t\t\texpectedDest: \"127.0.0.1:9000\",\n\t\t},\n\t\t{\n\t\t\tname: \"ip destination with port and path\",\n\t\t\theader: http.Header{\n\t\t\t\tcfJumpDestinationHeader: []string{\"127.0.0.1:9000/metrics\"},\n\t\t\t},\n\t\t\texpectedDest: \"127.0.0.1:9000\",\n\t\t},\n\t\t{\n\t\t\tname: \"ip destination with schem and port\",\n\t\t\theader: http.Header{\n\t\t\t\tcfJumpDestinationHeader: []string{\"tcp://127.0.0.1:9000\"},\n\t\t\t},\n\t\t\texpectedDest: \"127.0.0.1:9000\",\n\t\t},\n\t\t{\n\t\t\tname: \"full ip url\",\n\t\t\theader: http.Header{\n\t\t\t\tcfJumpDestinationHeader: []string{\"ssh://127.0.0.1:9000/metrics\"},\n\t\t\t},\n\t\t\texpectedDest: \"127.0.0.1:9000\",\n\t\t},\n\t\t{\n\t\t\tname: \"no destination\",\n\t\t\twantErr: true,\n\t\t},\n\t}\n\tfor _, test := range tests {\n\t\tr := &http.Request{\n\t\t\tHeader: test.header,\n\t\t}\n\t\tdest, err := ResolveBastionDest(r)\n\t\tif test.wantErr {\n\t\t\tassert.Error(t, err, \"Test %s expects error\", test.name)\n\t\t} else {\n\t\t\tassert.NoError(t, err, \"Test %s expects no error, got error %v\", test.name, err)\n\t\t\tassert.Equal(t, test.expectedDest, dest, \"Test %s expect dest %s, got %s\", test.name, test.expectedDest, dest)\n\t\t}\n\t}\n}\n" }, { "path": "carrier/websocket.go", "content": "package carrier\n\nimport (\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httputil\"\n\t\"net/url\"\n\n\t\"github.com/gorilla/websocket\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/stream\"\n\t\"github.com/cloudflare/cloudflared/token\"\n\tcfwebsocket \"github.com/cloudflare/cloudflared/websocket\"\n)\n\n// Websocket is used to carry data via WS binary frames over the tunnel from client to the origin\n// This implements the functions for glider proxy (sock5) and the carrier interface\ntype Websocket struct {\n\tlog *zerolog.Logger\n\tisSocks bool\n}\n\n// NewWSConnection returns a new connection object\nfunc NewWSConnection(log *zerolog.Logger) Connection {\n\treturn &Websocket{\n\t\tlog: log,\n\t}\n}\n\n// ServeStream will create a Websocket client stream connection to the edge\n// it blocks and writes the raw data from conn over the tunnel\nfunc (ws *Websocket) ServeStream(options *StartOptions, conn io.ReadWriter) error {\n\twsConn, err := createWebsocketStream(options, ws.log)\n\tif err != nil {\n\t\tws.log.Err(err).Str(LogFieldOriginURL, options.OriginURL).Msg(\"failed to connect to origin\")\n\t\treturn err\n\t}\n\tdefer wsConn.Close()\n\n\tstream.Pipe(wsConn, conn, ws.log)\n\treturn nil\n}\n\n// createWebsocketStream will create a WebSocket connection to stream data over\n// It also handles redirects from Access and will present that flow if\n// the token is not present on the request\nfunc createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebsocket.GorillaConn, error) {\n\treq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treq.Header = options.Headers\n\tif options.Host != \"\" {\n\t\treq.Host = options.Host\n\t}\n\n\tdump, err := httputil.DumpRequest(req, false)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tlog.Debug().Msgf(\"Websocket request: %s\", string(dump))\n\n\tdialer := &websocket.Dialer{\n\t\tTLSClientConfig: options.TLSClientConfig,\n\t\tProxy: http.ProxyFromEnvironment,\n\t}\n\twsConn, resp, err := clientConnect(req, dialer)\n\tdefer closeRespBody(resp)\n\n\tif err != nil && IsAccessResponse(resp) {\n\t\t// Only get Access app info if we know the origin is protected by Access\n\t\toriginReq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tappInfo, err := token.GetAppInfo(originReq.URL)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\toptions.AppInfo = appInfo\n\n\t\twsConn, err = createAccessAuthenticatedStream(options, log)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t} else if err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &cfwebsocket.GorillaConn{Conn: wsConn}, nil\n}\n\nvar stripWebsocketHeaders = []string{\n\t\"Upgrade\",\n\t\"Connection\",\n\t\"Sec-Websocket-Key\",\n\t\"Sec-Websocket-Version\",\n\t\"Sec-Websocket-Extensions\",\n}\n\n// the gorilla websocket library sets its own Upgrade, Connection, Sec-WebSocket-Key,\n// Sec-WebSocket-Version and Sec-Websocket-Extensions headers.\n// https://github.com/gorilla/websocket/blob/master/client.go#L189-L194.\nfunc websocketHeaders(req *http.Request) http.Header {\n\twsHeaders := make(http.Header)\n\tfor key, val := range req.Header {\n\t\twsHeaders[key] = val\n\t}\n\t// Assume the header keys are in canonical format.\n\tfor _, header := range stripWebsocketHeaders {\n\t\twsHeaders.Del(header)\n\t}\n\twsHeaders.Set(\"Host\", req.Host) // See TUN-1097\n\treturn wsHeaders\n}\n\n// clientConnect creates a WebSocket client connection for provided request. Caller is responsible for closing\n// the connection. The response body may not contain the entire response and does\n// not need to be closed by the application.\nfunc clientConnect(req *http.Request, dialler *websocket.Dialer) (*websocket.Conn, *http.Response, error) {\n\treq.URL.Scheme = changeRequestScheme(req.URL)\n\twsHeaders := websocketHeaders(req)\n\tif dialler == nil {\n\t\tdialler = &websocket.Dialer{\n\t\t\tProxy: http.ProxyFromEnvironment,\n\t\t}\n\t}\n\tconn, response, err := dialler.Dial(req.URL.String(), wsHeaders)\n\tif err != nil {\n\t\treturn nil, response, err\n\t}\n\treturn conn, response, nil\n}\n\n// changeRequestScheme is needed as the gorilla websocket library requires the ws scheme.\n// (even though it changes it back to http/https, but ¯\\_(ツ)_/¯.)\nfunc changeRequestScheme(reqURL *url.URL) string {\n\tswitch reqURL.Scheme {\n\tcase \"https\":\n\t\treturn \"wss\"\n\tcase \"http\":\n\t\treturn \"ws\"\n\tcase \"\":\n\t\treturn \"ws\"\n\tdefault:\n\t\treturn reqURL.Scheme\n\t}\n}\n\n// createAccessAuthenticatedStream will try load a token from storage and make\n// a connection with the token set on the request. If it still get redirect,\n// this probably means the token in storage is invalid (expired/revoked). If that\n// happens it deletes the token and runs the connection again, so the user can\n// login again and generate a new one.\nfunc createAccessAuthenticatedStream(options *StartOptions, log *zerolog.Logger) (*websocket.Conn, error) {\n\twsConn, resp, err := createAccessWebSocketStream(options, log)\n\tdefer closeRespBody(resp)\n\tif err == nil {\n\t\treturn wsConn, nil\n\t}\n\n\tif !IsAccessResponse(resp) {\n\t\treturn nil, err\n\t}\n\n\t// Access Token is invalid for some reason. Go through regen flow\n\tif err := token.RemoveTokenIfExists(options.AppInfo); err != nil {\n\t\treturn nil, err\n\t}\n\twsConn, resp, err = createAccessWebSocketStream(options, log)\n\tdefer closeRespBody(resp)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn wsConn, nil\n}\n\n// createAccessWebSocketStream builds an Access request and makes a connection\nfunc createAccessWebSocketStream(options *StartOptions, log *zerolog.Logger) (*websocket.Conn, *http.Response, error) {\n\treq, err := BuildAccessRequest(options, log)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\tdump, err := httputil.DumpRequest(req, false)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\tlog.Debug().Msgf(\"Access Websocket request: %s\", string(dump))\n\n\tconn, resp, err := clientConnect(req, nil)\n\n\tif resp != nil {\n\t\tr, err := httputil.DumpResponse(resp, true)\n\t\tif r != nil {\n\t\t\tlog.Debug().Msgf(\"Websocket response: %q\", r)\n\t\t} else if err != nil {\n\t\t\tlog.Debug().Msgf(\"Websocket response error: %v\", err)\n\t\t}\n\t}\n\n\treturn conn, resp, err\n}\n" }, { "path": "carrier/websocket_test.go", "content": "package carrier\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"math/rand\"\n\t\"testing\"\n\t\"time\"\n\n\tgws \"github.com/gorilla/websocket\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/websocket\"\n\n\t\"github.com/cloudflare/cloudflared/hello\"\n\t\"github.com/cloudflare/cloudflared/tlsconfig\"\n\tcfwebsocket \"github.com/cloudflare/cloudflared/websocket\"\n)\n\nfunc websocketClientTLSConfig(t *testing.T) *tls.Config {\n\tcertPool := x509.NewCertPool()\n\thelloCert, err := tlsconfig.GetHelloCertificateX509()\n\tassert.NoError(t, err)\n\tcertPool.AddCert(helloCert)\n\tassert.NotNil(t, certPool)\n\treturn &tls.Config{RootCAs: certPool}\n}\n\nfunc TestWebsocketHeaders(t *testing.T) {\n\treq := testRequest(t, \"http://example.com\", nil)\n\twsHeaders := websocketHeaders(req)\n\tfor _, header := range stripWebsocketHeaders {\n\t\tassert.Empty(t, wsHeaders[header])\n\t}\n\tassert.Equal(t, \"curl/7.59.0\", wsHeaders.Get(\"User-Agent\"))\n}\n\nfunc TestServe(t *testing.T) {\n\tlog := zerolog.Nop()\n\tshutdownC := make(chan struct{})\n\terrC := make(chan error)\n\tlistener, err := hello.CreateTLSListener(\"localhost:1111\")\n\tassert.NoError(t, err)\n\tdefer listener.Close()\n\n\tgo func() {\n\t\terrC <- hello.StartHelloWorldServer(&log, listener, shutdownC)\n\t}()\n\n\treq := testRequest(t, \"https://localhost:1111/ws\", nil)\n\n\ttlsConfig := websocketClientTLSConfig(t)\n\tassert.NotNil(t, tlsConfig)\n\td := gws.Dialer{TLSClientConfig: tlsConfig}\n\tconn, resp, err := clientConnect(req, &d)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"websocket\", resp.Header.Get(\"Upgrade\"))\n\n\tfor i := 0; i < 1000; i++ {\n\t\tmessageSize := rand.Int()%2048 + 1\n\t\tclientMessage := make([]byte, messageSize)\n\t\t// rand.Read always returns len(clientMessage) and a nil error\n\t\trand.Read(clientMessage)\n\t\terr = conn.WriteMessage(websocket.BinaryFrame, clientMessage)\n\t\tassert.NoError(t, err)\n\n\t\tmessageType, message, err := conn.ReadMessage()\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, websocket.BinaryFrame, messageType)\n\t\tassert.Equal(t, clientMessage, message)\n\t}\n\n\t_ = conn.Close()\n\tclose(shutdownC)\n\t<-errC\n}\n\nfunc TestWebsocketWrapper(t *testing.T) {\n\tlistener, err := hello.CreateTLSListener(\"localhost:0\")\n\trequire.NoError(t, err)\n\n\tserverErrorChan := make(chan error)\n\thelloSvrCtx, cancelHelloSvr := context.WithCancel(context.Background())\n\tdefer func() { <-serverErrorChan }()\n\tdefer cancelHelloSvr()\n\tgo func() {\n\t\tlog := zerolog.Nop()\n\t\tserverErrorChan <- hello.StartHelloWorldServer(&log, listener, helloSvrCtx.Done())\n\t}()\n\n\ttlsConfig := websocketClientTLSConfig(t)\n\td := gws.Dialer{TLSClientConfig: tlsConfig, HandshakeTimeout: time.Minute}\n\ttestAddr := fmt.Sprintf(\"https://%s/ws\", listener.Addr().String())\n\treq := testRequest(t, testAddr, nil)\n\tconn, resp, err := clientConnect(req, &d)\n\trequire.NoError(t, err)\n\tassert.Equal(t, \"websocket\", resp.Header.Get(\"Upgrade\"))\n\n\t// Websocket now connected to test server so lets check our wrapper\n\twrapper := cfwebsocket.GorillaConn{Conn: conn}\n\tbuf := make([]byte, 100)\n\twrapper.Write([]byte(\"abc\"))\n\tn, err := wrapper.Read(buf)\n\trequire.NoError(t, err)\n\trequire.Equal(t, n, 3)\n\trequire.Equal(t, \"abc\", string(buf[:n]))\n\n\t// Test partial read, read 1 of 3 bytes in one read and the other 2 in another read\n\twrapper.Write([]byte(\"abc\"))\n\tbuf = buf[:1]\n\tn, err = wrapper.Read(buf)\n\trequire.NoError(t, err)\n\trequire.Equal(t, n, 1)\n\trequire.Equal(t, \"a\", string(buf[:n]))\n\tbuf = buf[:cap(buf)]\n\tn, err = wrapper.Read(buf)\n\trequire.NoError(t, err)\n\trequire.Equal(t, n, 2)\n\trequire.Equal(t, \"bc\", string(buf[:n]))\n}\n" }, { "path": "catalog-info.yaml", "content": "apiVersion: backstage.io/v1alpha1\nkind: Component\nmetadata:\n name: cloudflared\n description: Client for Cloudflare Tunnels\n annotations:\n cloudflare.com/software-excellence-opt-in: \"true\"\n cloudflare.com/jira-project-key: \"TUN\"\n cloudflare.com/jira-project-component: \"Cloudflare Tunnel\"\n tags:\n - internal\nspec:\n type: \"service\"\n lifecycle: \"Active\"\n owner: \"teams/tunnel-teams-routing\"\n cf:\n compliance:\n fedramp-high: \"pending\"\n fedramp-moderate: \"yes\"\n FIPS: \"required\"\n" }, { "path": "cfapi/base_client.go", "content": "package cfapi\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"golang.org/x/net/http2\"\n)\n\nconst (\n\tdefaultTimeout = 15 * time.Second\n\tjsonContentType = \"application/json\"\n)\n\nvar (\n\tErrUnauthorized = errors.New(\"unauthorized\")\n\tErrBadRequest = errors.New(\"incorrect request parameters\")\n\tErrNotFound = errors.New(\"not found\")\n\tErrAPINoSuccess = errors.New(\"API call failed\")\n)\n\ntype RESTClient struct {\n\tbaseEndpoints *baseEndpoints\n\tauthToken string\n\tuserAgent string\n\tclient http.Client\n\tlog *zerolog.Logger\n}\n\ntype baseEndpoints struct {\n\taccountLevel url.URL\n\tzoneLevel url.URL\n\taccountRoutes url.URL\n\taccountVnets url.URL\n}\n\nvar _ Client = (*RESTClient)(nil)\n\nfunc NewRESTClient(baseURL, accountTag, zoneTag, authToken, userAgent string, log *zerolog.Logger) (*RESTClient, error) {\n\tbaseURL = strings.TrimSuffix(baseURL, \"/\")\n\taccountLevelEndpoint, err := url.Parse(fmt.Sprintf(\"%s/accounts/%s/cfd_tunnel\", baseURL, accountTag))\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"failed to create account level endpoint\")\n\t}\n\taccountRoutesEndpoint, err := url.Parse(fmt.Sprintf(\"%s/accounts/%s/teamnet/routes\", baseURL, accountTag))\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"failed to create route account-level endpoint\")\n\t}\n\taccountVnetsEndpoint, err := url.Parse(fmt.Sprintf(\"%s/accounts/%s/teamnet/virtual_networks\", baseURL, accountTag))\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"failed to create virtual network account-level endpoint\")\n\t}\n\tzoneLevelEndpoint, err := url.Parse(fmt.Sprintf(\"%s/zones/%s/tunnels\", baseURL, zoneTag))\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"failed to create account level endpoint\")\n\t}\n\thttpTransport := http.Transport{\n\t\tTLSHandshakeTimeout: defaultTimeout,\n\t\tResponseHeaderTimeout: defaultTimeout,\n\t}\n\t_ = http2.ConfigureTransport(&httpTransport)\n\treturn &RESTClient{\n\t\tbaseEndpoints: &baseEndpoints{\n\t\t\taccountLevel: *accountLevelEndpoint,\n\t\t\tzoneLevel: *zoneLevelEndpoint,\n\t\t\taccountRoutes: *accountRoutesEndpoint,\n\t\t\taccountVnets: *accountVnetsEndpoint,\n\t\t},\n\t\tauthToken: authToken,\n\t\tuserAgent: userAgent,\n\t\tclient: http.Client{\n\t\t\tTransport: &httpTransport,\n\t\t\tTimeout: defaultTimeout,\n\t\t},\n\t\tlog: log,\n\t}, nil\n}\n\nfunc (r *RESTClient) sendRequest(method string, url url.URL, body interface{}) (*http.Response, error) {\n\tvar bodyReader io.Reader\n\tif body != nil {\n\t\tif bodyBytes, err := json.Marshal(body); err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"failed to serialize json body\")\n\t\t} else {\n\t\t\tbodyReader = bytes.NewBuffer(bodyBytes)\n\t\t}\n\t}\n\n\treq, err := http.NewRequest(method, url.String(), bodyReader)\n\tif err != nil {\n\t\treturn nil, errors.Wrapf(err, \"can't create %s request\", method)\n\t}\n\treq.Header.Set(\"User-Agent\", r.userAgent)\n\tif bodyReader != nil {\n\t\treq.Header.Set(\"Content-Type\", jsonContentType)\n\t}\n\treq.Header.Add(\"Authorization\", fmt.Sprintf(\"Bearer %s\", r.authToken))\n\treq.Header.Add(\"Accept\", \"application/json;version=1\")\n\treturn r.client.Do(req)\n}\n\nfunc parseResponseEnvelope(reader io.Reader) (*response, error) {\n\t// Schema for Tunnelstore responses in the v1 API.\n\t// Roughly, it's a wrapper around a particular result that adds failures/errors/etc\n\tvar result response\n\t// First, parse the wrapper and check the API call succeeded\n\tif err := json.NewDecoder(reader).Decode(&result); err != nil {\n\t\treturn nil, errors.Wrap(err, \"failed to decode response\")\n\t}\n\tif err := result.checkErrors(); err != nil {\n\t\treturn nil, err\n\t}\n\tif !result.Success {\n\t\treturn nil, ErrAPINoSuccess\n\t}\n\n\treturn &result, nil\n}\n\nfunc parseResponse(reader io.Reader, data interface{}) error {\n\tresult, err := parseResponseEnvelope(reader)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn parseResponseBody(result, data)\n}\n\nfunc parseResponseBody(result *response, data interface{}) error {\n\t// At this point we know the API call succeeded, so, parse out the inner\n\t// result into the datatype provided as a parameter.\n\tif err := json.Unmarshal(result.Result, &data); err != nil {\n\t\treturn errors.Wrap(err, \"the Cloudflare API response was an unexpected type\")\n\t}\n\treturn nil\n}\n\nfunc fetchExhaustively[T any](requestFn func(int) (*http.Response, error)) ([]*T, error) {\n\tpage := 0\n\tvar fullResponse []*T\n\n\tfor {\n\t\tpage += 1\n\t\tenvelope, parsedBody, err := fetchPage[T](requestFn, page)\n\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, fmt.Sprintf(\"Error Parsing page %d\", page))\n\t\t}\n\n\t\tfullResponse = append(fullResponse, parsedBody...)\n\t\tif envelope.Pagination.Count < envelope.Pagination.PerPage || len(fullResponse) >= envelope.Pagination.TotalCount {\n\t\t\tbreak\n\t\t}\n\t}\n\treturn fullResponse, nil\n}\n\nfunc fetchPage[T any](requestFn func(int) (*http.Response, error), page int) (*response, []*T, error) {\n\tpageResp, err := requestFn(page)\n\tif err != nil {\n\t\treturn nil, nil, errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer pageResp.Body.Close()\n\tif pageResp.StatusCode == http.StatusOK {\n\t\tenvelope, err := parseResponseEnvelope(pageResp.Body)\n\t\tif err != nil {\n\t\t\treturn nil, nil, err\n\t\t}\n\t\tvar parsedRspBody []*T\n\t\treturn envelope, parsedRspBody, parseResponseBody(envelope, &parsedRspBody)\n\t}\n\treturn nil, nil, errors.New(fmt.Sprintf(\"Failed to fetch page. Server returned: %d\", pageResp.StatusCode))\n}\n\ntype response struct {\n\tSuccess bool `json:\"success,omitempty\"`\n\tErrors []apiError `json:\"errors,omitempty\"`\n\tMessages []string `json:\"messages,omitempty\"`\n\tResult json.RawMessage `json:\"result,omitempty\"`\n\tPagination Pagination `json:\"result_info,omitempty\"`\n}\n\ntype Pagination struct {\n\tCount int `json:\"count,omitempty\"`\n\tPage int `json:\"page,omitempty\"`\n\tPerPage int `json:\"per_page,omitempty\"`\n\tTotalCount int `json:\"total_count,omitempty\"`\n}\n\nfunc (r *response) checkErrors() error {\n\tif len(r.Errors) == 0 {\n\t\treturn nil\n\t}\n\tif len(r.Errors) == 1 {\n\t\treturn r.Errors[0]\n\t}\n\tvar messagesBuilder strings.Builder\n\tfor _, e := range r.Errors {\n\t\tmessagesBuilder.WriteString(fmt.Sprintf(\"%s; \", e))\n\t}\n\treturn fmt.Errorf(\"API errors: %s\", messagesBuilder.String())\n}\n\ntype apiError struct {\n\tCode json.Number `json:\"code,omitempty\"`\n\tMessage string `json:\"message,omitempty\"`\n}\n\nfunc (e apiError) Error() string {\n\treturn fmt.Sprintf(\"code: %v, reason: %s\", e.Code, e.Message)\n}\n\nfunc (r *RESTClient) statusCodeToError(op string, resp *http.Response) error {\n\tif resp.Header.Get(\"Content-Type\") == \"application/json\" {\n\t\tvar errorsResp response\n\t\tif json.NewDecoder(resp.Body).Decode(&errorsResp) == nil {\n\t\t\tif err := errorsResp.checkErrors(); err != nil {\n\t\t\t\treturn errors.Errorf(\"Failed to %s: %s\", op, err)\n\t\t\t}\n\t\t}\n\t}\n\n\tswitch resp.StatusCode {\n\tcase http.StatusOK:\n\t\treturn nil\n\tcase http.StatusBadRequest:\n\t\treturn ErrBadRequest\n\tcase http.StatusUnauthorized, http.StatusForbidden:\n\t\treturn ErrUnauthorized\n\tcase http.StatusNotFound:\n\t\treturn ErrNotFound\n\t}\n\treturn errors.Errorf(\"API call to %s failed with status %d: %s\", op,\n\t\tresp.StatusCode, http.StatusText(resp.StatusCode))\n}\n" }, { "path": "cfapi/client.go", "content": "package cfapi\n\nimport (\n\t\"github.com/google/uuid\"\n)\n\ntype TunnelClient interface {\n\tCreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error)\n\tGetTunnel(tunnelID uuid.UUID) (*Tunnel, error)\n\tGetTunnelToken(tunnelID uuid.UUID) (string, error)\n\tGetManagementToken(tunnelID uuid.UUID, resource ManagementResource) (string, error)\n\tDeleteTunnel(tunnelID uuid.UUID, cascade bool) error\n\tListTunnels(filter *TunnelFilter) ([]*Tunnel, error)\n\tListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error)\n\tCleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error\n}\n\ntype HostnameClient interface {\n\tRouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error)\n}\n\ntype IPRouteClient interface {\n\tListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error)\n\tAddRoute(newRoute NewRoute) (Route, error)\n\tDeleteRoute(id uuid.UUID) error\n\tGetByIP(params GetRouteByIpParams) (DetailedRoute, error)\n}\n\ntype VnetClient interface {\n\tCreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error)\n\tListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error)\n\tDeleteVirtualNetwork(id uuid.UUID, force bool) error\n\tUpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error\n}\n\ntype Client interface {\n\tTunnelClient\n\tHostnameClient\n\tIPRouteClient\n\tVnetClient\n}\n" }, { "path": "cfapi/hostname.go", "content": "package cfapi\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"path\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n)\n\ntype Change = string\n\nconst (\n\tChangeNew = \"new\"\n\tChangeUpdated = \"updated\"\n\tChangeUnchanged = \"unchanged\"\n)\n\n// HostnameRoute represents a record type that can route to a tunnel\ntype HostnameRoute interface {\n\tjson.Marshaler\n\tRecordType() string\n\tUnmarshalResult(body io.Reader) (HostnameRouteResult, error)\n\tString() string\n}\n\ntype HostnameRouteResult interface {\n\t// SuccessSummary explains what will route to this tunnel when it's provisioned successfully\n\tSuccessSummary() string\n}\n\ntype DNSRoute struct {\n\tuserHostname string\n\toverwriteExisting bool\n}\n\ntype DNSRouteResult struct {\n\troute *DNSRoute\n\tCName Change `json:\"cname\"`\n\tName string `json:\"name\"`\n}\n\nfunc NewDNSRoute(userHostname string, overwriteExisting bool) HostnameRoute {\n\treturn &DNSRoute{\n\t\tuserHostname: userHostname,\n\t\toverwriteExisting: overwriteExisting,\n\t}\n}\n\nfunc (dr *DNSRoute) MarshalJSON() ([]byte, error) {\n\ts := struct {\n\t\tType string `json:\"type\"`\n\t\tUserHostname string `json:\"user_hostname\"`\n\t\tOverwriteExisting bool `json:\"overwrite_existing\"`\n\t}{\n\t\tType: dr.RecordType(),\n\t\tUserHostname: dr.userHostname,\n\t\tOverwriteExisting: dr.overwriteExisting,\n\t}\n\treturn json.Marshal(&s)\n}\n\nfunc (dr *DNSRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {\n\tvar result DNSRouteResult\n\terr := parseResponse(body, &result)\n\tresult.route = dr\n\treturn &result, err\n}\n\nfunc (dr *DNSRoute) RecordType() string {\n\treturn \"dns\"\n}\n\nfunc (dr *DNSRoute) String() string {\n\treturn fmt.Sprintf(\"%s %s\", dr.RecordType(), dr.userHostname)\n}\n\nfunc (res *DNSRouteResult) SuccessSummary() string {\n\tvar msgFmt string\n\tswitch res.CName {\n\tcase ChangeNew:\n\t\tmsgFmt = \"Added CNAME %s which will route to this tunnel\"\n\tcase ChangeUpdated: // this is not currently returned by tunnelsore\n\t\tmsgFmt = \"%s updated to route to your tunnel\"\n\tcase ChangeUnchanged:\n\t\tmsgFmt = \"%s is already configured to route to your tunnel\"\n\t}\n\treturn fmt.Sprintf(msgFmt, res.hostname())\n}\n\n// hostname yields the resulting name for the DNS route; if that is not available from Cloudflare API, then the\n// requested name is returned instead (should not be the common path, it is just a fall-back).\nfunc (res *DNSRouteResult) hostname() string {\n\tif res.Name != \"\" {\n\t\treturn res.Name\n\t}\n\treturn res.route.userHostname\n}\n\ntype LBRoute struct {\n\tlbName string\n\tlbPool string\n}\n\ntype LBRouteResult struct {\n\troute *LBRoute\n\tLoadBalancer Change `json:\"load_balancer\"`\n\tPool Change `json:\"pool\"`\n}\n\nfunc NewLBRoute(lbName, lbPool string) HostnameRoute {\n\treturn &LBRoute{\n\t\tlbName: lbName,\n\t\tlbPool: lbPool,\n\t}\n}\n\nfunc (lr *LBRoute) MarshalJSON() ([]byte, error) {\n\ts := struct {\n\t\tType string `json:\"type\"`\n\t\tLBName string `json:\"lb_name\"`\n\t\tLBPool string `json:\"lb_pool\"`\n\t}{\n\t\tType: lr.RecordType(),\n\t\tLBName: lr.lbName,\n\t\tLBPool: lr.lbPool,\n\t}\n\treturn json.Marshal(&s)\n}\n\nfunc (lr *LBRoute) RecordType() string {\n\treturn \"lb\"\n}\n\nfunc (lb *LBRoute) String() string {\n\treturn fmt.Sprintf(\"%s %s %s\", lb.RecordType(), lb.lbName, lb.lbPool)\n}\n\nfunc (lr *LBRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {\n\tvar result LBRouteResult\n\terr := parseResponse(body, &result)\n\tresult.route = lr\n\treturn &result, err\n}\n\nfunc (res *LBRouteResult) SuccessSummary() string {\n\tvar msg string\n\tswitch res.LoadBalancer + \",\" + res.Pool {\n\tcase \"new,new\":\n\t\tmsg = \"Created load balancer %s and added a new pool %s with this tunnel as an origin\"\n\tcase \"new,updated\":\n\t\tmsg = \"Created load balancer %s with an existing pool %s which was updated to use this tunnel as an origin\"\n\tcase \"new,unchanged\":\n\t\tmsg = \"Created load balancer %s with an existing pool %s which already has this tunnel as an origin\"\n\tcase \"updated,new\":\n\t\tmsg = \"Added new pool %[2]s with this tunnel as an origin to load balancer %[1]s\"\n\tcase \"updated,updated\":\n\t\tmsg = \"Updated pool %[2]s to use this tunnel as an origin and added it to load balancer %[1]s\"\n\tcase \"updated,unchanged\":\n\t\tmsg = \"Added pool %[2]s, which already has this tunnel as an origin, to load balancer %[1]s\"\n\tcase \"unchanged,updated\":\n\t\tmsg = \"Added this tunnel as an origin in pool %[2]s which is already used by load balancer %[1]s\"\n\tcase \"unchanged,unchanged\":\n\t\tmsg = \"Load balancer %s already uses pool %s which has this tunnel as an origin\"\n\tcase \"unchanged,new\":\n\t\t// this state is not possible\n\t\tfallthrough\n\tdefault:\n\t\tmsg = \"Something went wrong: failed to modify load balancer %s with pool %s; please check traffic manager configuration in the dashboard\"\n\t}\n\n\treturn fmt.Sprintf(msg, res.route.lbName, res.route.lbPool)\n}\n\nfunc (r *RESTClient) RouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error) {\n\tendpoint := r.baseEndpoints.zoneLevel\n\tendpoint.Path = path.Join(endpoint.Path, fmt.Sprintf(\"%v/routes\", tunnelID))\n\tresp, err := r.sendRequest(\"PUT\", endpoint, route)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\treturn route.UnmarshalResult(resp.Body)\n\t}\n\n\treturn nil, r.statusCodeToError(\"add route\", resp)\n}\n" }, { "path": "cfapi/hostname_test.go", "content": "package cfapi\n\nimport (\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestDNSRouteUnmarshalResult(t *testing.T) {\n\troute := &DNSRoute{\n\t\tuserHostname: \"example.com\",\n\t}\n\n\tresult, err := route.UnmarshalResult(strings.NewReader(`{\"success\": true, \"result\": {\"cname\": \"new\"}}`))\n\n\tassert.NoError(t, err)\n\tassert.Equal(t, &DNSRouteResult{\n\t\troute: route,\n\t\tCName: ChangeNew,\n\t}, result)\n\n\tbadJSON := []string{\n\t\t`abc`,\n\t\t`{\"success\": false, \"result\": {\"cname\": \"new\"}}`,\n\t\t`{\"errors\": [{\"code\": 1003, \"message\":\"An A, AAAA or CNAME record already exists with that host\"}], \"result\": {\"cname\": \"new\"}}`,\n\t\t`{\"errors\": [{\"code\": 1003, \"message\":\"An A, AAAA or CNAME record already exists with that host\"}, {\"code\": 1004, \"message\":\"Cannot use tunnel as origin for non-proxied load balancer\"}], \"result\": {\"cname\": \"new\"}}`,\n\t\t`{\"result\": {\"cname\": \"new\"}}`,\n\t\t`{\"result\": {\"cname\": \"new\"}}`,\n\t}\n\n\tfor _, j := range badJSON {\n\t\t_, err = route.UnmarshalResult(strings.NewReader(j))\n\t\tassert.NotNil(t, err)\n\t}\n}\n\nfunc TestLBRouteUnmarshalResult(t *testing.T) {\n\troute := &LBRoute{\n\t\tlbName: \"lb.example.com\",\n\t\tlbPool: \"pool\",\n\t}\n\n\tresult, err := route.UnmarshalResult(strings.NewReader(`{\"success\": true, \"result\": {\"pool\": \"unchanged\", \"load_balancer\": \"updated\"}}`))\n\n\tassert.NoError(t, err)\n\tassert.Equal(t, &LBRouteResult{\n\t\troute: route,\n\t\tLoadBalancer: ChangeUpdated,\n\t\tPool: ChangeUnchanged,\n\t}, result)\n\n\tbadJSON := []string{\n\t\t`abc`,\n\t\t`{\"success\": false, \"result\": {\"pool\": \"unchanged\", \"load_balancer\": \"updated\"}}`,\n\t\t`{\"errors\": [{\"code\": 1003, \"message\":\"An A, AAAA or CNAME record already exists with that host\"}], \"result\": {\"pool\": \"unchanged\", \"load_balancer\": \"updated\"}}`,\n\t\t`{\"errors\": [{\"code\": 1003, \"message\":\"An A, AAAA or CNAME record already exists with that host\"}, {\"code\": 1004, \"message\":\"Cannot use tunnel as origin for non-proxied load balancer\"}], \"result\": {\"pool\": \"unchanged\", \"load_balancer\": \"updated\"}}`,\n\t\t`{\"result\": {\"pool\": \"unchanged\", \"load_balancer\": \"updated\"}}`,\n\t}\n\n\tfor _, j := range badJSON {\n\t\t_, err = route.UnmarshalResult(strings.NewReader(j))\n\t\tassert.NotNil(t, err)\n\t}\n}\n\nfunc TestLBRouteResultSuccessSummary(t *testing.T) {\n\troute := &LBRoute{\n\t\tlbName: \"lb.example.com\",\n\t\tlbPool: \"POOL\",\n\t}\n\n\ttests := []struct {\n\t\tlb Change\n\t\tpool Change\n\t\texpected string\n\t}{\n\t\t{ChangeNew, ChangeNew, \"Created load balancer lb.example.com and added a new pool POOL with this tunnel as an origin\"},\n\t\t{ChangeNew, ChangeUpdated, \"Created load balancer lb.example.com with an existing pool POOL which was updated to use this tunnel as an origin\"},\n\t\t{ChangeNew, ChangeUnchanged, \"Created load balancer lb.example.com with an existing pool POOL which already has this tunnel as an origin\"},\n\t\t{ChangeUpdated, ChangeNew, \"Added new pool POOL with this tunnel as an origin to load balancer lb.example.com\"},\n\t\t{ChangeUpdated, ChangeUpdated, \"Updated pool POOL to use this tunnel as an origin and added it to load balancer lb.example.com\"},\n\t\t{ChangeUpdated, ChangeUnchanged, \"Added pool POOL, which already has this tunnel as an origin, to load balancer lb.example.com\"},\n\t\t{ChangeUnchanged, ChangeNew, \"Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard\"},\n\t\t{ChangeUnchanged, ChangeUpdated, \"Added this tunnel as an origin in pool POOL which is already used by load balancer lb.example.com\"},\n\t\t{ChangeUnchanged, ChangeUnchanged, \"Load balancer lb.example.com already uses pool POOL which has this tunnel as an origin\"},\n\t\t{\"\", \"\", \"Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard\"},\n\t\t{\"a\", \"b\", \"Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard\"},\n\t}\n\tfor i, tt := range tests {\n\t\tres := &LBRouteResult{\n\t\t\troute: route,\n\t\t\tLoadBalancer: tt.lb,\n\t\t\tPool: tt.pool,\n\t\t}\n\t\tactual := res.SuccessSummary()\n\t\tassert.Equal(t, tt.expected, actual, \"case %d\", i+1)\n\t}\n}\n" }, { "path": "cfapi/ip_route.go", "content": "package cfapi\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"path\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n)\n\n// Route is a mapping from customer's IP space to a tunnel.\n// Each route allows the customer to route eyeballs in their corporate network\n// to certain private IP ranges. Each Route represents an IP range in their\n// network, and says that eyeballs can reach that route using the corresponding\n// tunnel.\ntype Route struct {\n\tNetwork CIDR `json:\"network\"`\n\tTunnelID uuid.UUID `json:\"tunnel_id\"`\n\t// Optional field. When unset, it means the Route belongs to the default virtual network.\n\tVNetID *uuid.UUID `json:\"virtual_network_id,omitempty\"`\n\tComment string `json:\"comment\"`\n\tCreatedAt time.Time `json:\"created_at\"`\n\tDeletedAt time.Time `json:\"deleted_at\"`\n}\n\n// CIDR is just a newtype wrapper around net.IPNet. It adds JSON unmarshalling.\ntype CIDR net.IPNet\n\nfunc (c CIDR) String() string {\n\tn := net.IPNet(c)\n\treturn n.String()\n}\n\nfunc (c CIDR) MarshalJSON() ([]byte, error) {\n\tstr := c.String()\n\tjson, err := json.Marshal(str)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"error serializing CIDR into JSON\")\n\t}\n\treturn json, nil\n}\n\n// UnmarshalJSON parses a JSON string into net.IPNet\nfunc (c *CIDR) UnmarshalJSON(data []byte) error {\n\tvar s string\n\tif err := json.Unmarshal(data, &s); err != nil {\n\t\treturn errors.Wrap(err, \"error parsing cidr string\")\n\t}\n\t_, network, err := net.ParseCIDR(s)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"error parsing invalid network from backend\")\n\t}\n\tif network == nil {\n\t\treturn fmt.Errorf(\"backend returned invalid network %s\", s)\n\t}\n\t*c = CIDR(*network)\n\treturn nil\n}\n\n// NewRoute has all the parameters necessary to add a new route to the table.\ntype NewRoute struct {\n\tNetwork net.IPNet\n\tTunnelID uuid.UUID\n\tComment string\n\t// Optional field. If unset, backend will assume the default vnet for the account.\n\tVNetID *uuid.UUID\n}\n\n// MarshalJSON handles fields with non-JSON types (e.g. net.IPNet).\nfunc (r NewRoute) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(&struct {\n\t\tNetwork string `json:\"network\"`\n\t\tTunnelID uuid.UUID `json:\"tunnel_id\"`\n\t\tComment string `json:\"comment\"`\n\t\tVNetID *uuid.UUID `json:\"virtual_network_id,omitempty\"`\n\t}{\n\t\tNetwork: r.Network.String(),\n\t\tTunnelID: r.TunnelID,\n\t\tComment: r.Comment,\n\t\tVNetID: r.VNetID,\n\t})\n}\n\n// DetailedRoute is just a Route with some extra fields, e.g. TunnelName.\ntype DetailedRoute struct {\n\tID uuid.UUID `json:\"id\"`\n\tNetwork CIDR `json:\"network\"`\n\tTunnelID uuid.UUID `json:\"tunnel_id\"`\n\t// Optional field. When unset, it means the DetailedRoute belongs to the default virtual network.\n\tVNetID *uuid.UUID `json:\"virtual_network_id,omitempty\"`\n\tComment string `json:\"comment\"`\n\tCreatedAt time.Time `json:\"created_at\"`\n\tDeletedAt time.Time `json:\"deleted_at\"`\n\tTunnelName string `json:\"tunnel_name\"`\n}\n\n// IsZero checks if DetailedRoute is the zero value.\nfunc (r *DetailedRoute) IsZero() bool {\n\treturn r.TunnelID == uuid.Nil\n}\n\n// TableString outputs a table row summarizing the route, to be used\n// when showing the user their routing table.\nfunc (r DetailedRoute) TableString() string {\n\tdeletedColumn := \"-\"\n\tif !r.DeletedAt.IsZero() {\n\t\tdeletedColumn = r.DeletedAt.Format(time.RFC3339)\n\t}\n\tvnetColumn := \"default\"\n\tif r.VNetID != nil {\n\t\tvnetColumn = r.VNetID.String()\n\t}\n\n\treturn fmt.Sprintf(\n\t\t\"%s\\t%s\\t%s\\t%s\\t%s\\t%s\\t%s\\t%s\\t\",\n\t\tr.ID,\n\t\tr.Network.String(),\n\t\tvnetColumn,\n\t\tr.Comment,\n\t\tr.TunnelID,\n\t\tr.TunnelName,\n\t\tr.CreatedAt.Format(time.RFC3339),\n\t\tdeletedColumn,\n\t)\n}\n\ntype GetRouteByIpParams struct {\n\tIp net.IP\n\t// Optional field. If unset, backend will assume the default vnet for the account.\n\tVNetID *uuid.UUID\n}\n\n// ListRoutes calls the Tunnelstore GET endpoint for all routes under an account.\n// Due to pagination on the server side it will call the endpoint multiple times if needed.\nfunc (r *RESTClient) ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error) {\n\tfetchFn := func(page int) (*http.Response, error) {\n\t\tendpoint := r.baseEndpoints.accountRoutes\n\t\tfilter.Page(page)\n\t\tendpoint.RawQuery = filter.Encode()\n\t\trsp, err := r.sendRequest(\"GET\", endpoint, nil)\n\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"REST request failed\")\n\t\t}\n\t\tif rsp.StatusCode != http.StatusOK {\n\t\t\trsp.Body.Close()\n\t\t\treturn nil, r.statusCodeToError(\"list routes\", rsp)\n\t\t}\n\t\treturn rsp, nil\n\t}\n\treturn fetchExhaustively[DetailedRoute](fetchFn)\n}\n\n// AddRoute calls the Tunnelstore POST endpoint for a given route.\nfunc (r *RESTClient) AddRoute(newRoute NewRoute) (Route, error) {\n\tendpoint := r.baseEndpoints.accountRoutes\n\tendpoint.Path = path.Join(endpoint.Path)\n\tresp, err := r.sendRequest(\"POST\", endpoint, newRoute)\n\tif err != nil {\n\t\treturn Route{}, errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\treturn parseRoute(resp.Body)\n\t}\n\n\treturn Route{}, r.statusCodeToError(\"add route\", resp)\n}\n\n// DeleteRoute calls the Tunnelstore DELETE endpoint for a given route.\nfunc (r *RESTClient) DeleteRoute(id uuid.UUID) error {\n\tendpoint := r.baseEndpoints.accountRoutes\n\tendpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))\n\n\tresp, err := r.sendRequest(\"DELETE\", endpoint, nil)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\t_, err := parseRoute(resp.Body)\n\t\treturn err\n\t}\n\n\treturn r.statusCodeToError(\"delete route\", resp)\n}\n\n// GetByIP checks which route will proxy a given IP.\nfunc (r *RESTClient) GetByIP(params GetRouteByIpParams) (DetailedRoute, error) {\n\tendpoint := r.baseEndpoints.accountRoutes\n\tendpoint.Path = path.Join(endpoint.Path, \"ip\", url.PathEscape(params.Ip.String()))\n\tsetVnetParam(&endpoint, params.VNetID)\n\n\tresp, err := r.sendRequest(\"GET\", endpoint, nil)\n\tif err != nil {\n\t\treturn DetailedRoute{}, errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\treturn parseDetailedRoute(resp.Body)\n\t}\n\n\treturn DetailedRoute{}, r.statusCodeToError(\"get route by IP\", resp)\n}\n\nfunc parseRoute(body io.ReadCloser) (Route, error) {\n\tvar route Route\n\terr := parseResponse(body, &route)\n\treturn route, err\n}\n\nfunc parseDetailedRoute(body io.ReadCloser) (DetailedRoute, error) {\n\tvar route DetailedRoute\n\terr := parseResponse(body, &route)\n\treturn route, err\n}\n\n// setVnetParam overwrites the URL's query parameters with a query param to scope the HostnameRoute action to a certain\n// virtual network (if one is provided).\nfunc setVnetParam(endpoint *url.URL, vnetID *uuid.UUID) {\n\tqueryParams := url.Values{}\n\tif vnetID != nil {\n\t\tqueryParams.Set(\"virtual_network_id\", vnetID.String())\n\t}\n\tendpoint.RawQuery = queryParams.Encode()\n}\n" }, { "path": "cfapi/ip_route_filter.go", "content": "package cfapi\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"net/url\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/urfave/cli/v2\"\n)\n\nvar (\n\tfilterIpRouteDeleted = cli.BoolFlag{\n\t\tName: \"filter-is-deleted\",\n\t\tUsage: \"If false (default), only show non-deleted routes. If true, only show deleted routes.\",\n\t}\n\tfilterIpRouteTunnelID = cli.StringFlag{\n\t\tName: \"filter-tunnel-id\",\n\t\tUsage: \"Show only routes with the given tunnel ID.\",\n\t}\n\tfilterSubsetIpRoute = cli.StringFlag{\n\t\tName: \"filter-network-is-subset-of\",\n\t\tAliases: []string{\"nsub\"},\n\t\tUsage: \"Show only routes whose network is a subset of the given network.\",\n\t}\n\tfilterSupersetIpRoute = cli.StringFlag{\n\t\tName: \"filter-network-is-superset-of\",\n\t\tAliases: []string{\"nsup\"},\n\t\tUsage: \"Show only routes whose network is a superset of the given network.\",\n\t}\n\tfilterIpRouteComment = cli.StringFlag{\n\t\tName: \"filter-comment-is\",\n\t\tUsage: \"Show only routes with this comment.\",\n\t}\n\tfilterIpRouteByVnet = cli.StringFlag{\n\t\tName: \"filter-vnet-id\",\n\t\tUsage: \"Show only routes that are attached to the given virtual network ID.\",\n\t}\n\n\t// Flags contains all filter flags.\n\tIpRouteFilterFlags = []cli.Flag{\n\t\t&filterIpRouteDeleted,\n\t\t&filterIpRouteTunnelID,\n\t\t&filterSubsetIpRoute,\n\t\t&filterSupersetIpRoute,\n\t\t&filterIpRouteComment,\n\t\t&filterIpRouteByVnet,\n\t}\n)\n\n// IpRouteFilter which routes get queried.\ntype IpRouteFilter struct {\n\tqueryParams url.Values\n}\n\n// NewIpRouteFilterFromCLI parses CLI flags to discover which filters should get applied.\nfunc NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {\n\tf := NewIPRouteFilter()\n\n\t// Set deletion filter\n\tif flag := filterIpRouteDeleted.Name; c.IsSet(flag) && c.Bool(flag) {\n\t\tf.Deleted()\n\t} else {\n\t\tf.NotDeleted()\n\t}\n\n\tif subset, err := cidrFromFlag(c, filterSubsetIpRoute); err != nil {\n\t\treturn nil, err\n\t} else if subset != nil {\n\t\tf.NetworkIsSupersetOf(*subset)\n\t}\n\n\tif superset, err := cidrFromFlag(c, filterSupersetIpRoute); err != nil {\n\t\treturn nil, err\n\t} else if superset != nil {\n\t\tf.NetworkIsSupersetOf(*superset)\n\t}\n\n\tif comment := c.String(filterIpRouteComment.Name); comment != \"\" {\n\t\tf.CommentIs(comment)\n\t}\n\n\tif tunnelID := c.String(filterIpRouteTunnelID.Name); tunnelID != \"\" {\n\t\tu, err := uuid.Parse(tunnelID)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrapf(err, \"Couldn't parse UUID from %s\", filterIpRouteTunnelID.Name)\n\t\t}\n\t\tf.TunnelID(u)\n\t}\n\n\tif vnetId := c.String(filterIpRouteByVnet.Name); vnetId != \"\" {\n\t\tu, err := uuid.Parse(vnetId)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrapf(err, \"Couldn't parse UUID from %s\", filterIpRouteByVnet.Name)\n\t\t}\n\t\tf.VNetID(u)\n\t}\n\n\tif maxFetch := c.Int(\"max-fetch-size\"); maxFetch > 0 {\n\t\tf.MaxFetchSize(uint(maxFetch))\n\t}\n\n\treturn f, nil\n}\n\n// Parses a CIDR from the flag. If the flag was unset, returns (nil, nil).\nfunc cidrFromFlag(c *cli.Context, flag cli.StringFlag) (*net.IPNet, error) {\n\tif !c.IsSet(flag.Name) {\n\t\treturn nil, nil\n\t}\n\n\t_, subset, err := net.ParseCIDR(c.String(flag.Name))\n\tif err != nil {\n\t\treturn nil, err\n\t} else if subset == nil {\n\t\treturn nil, fmt.Errorf(\"Invalid CIDR supplied for %s\", flag.Name)\n\t}\n\n\treturn subset, nil\n}\n\nfunc NewIPRouteFilter() *IpRouteFilter {\n\tvalues := &IpRouteFilter{queryParams: url.Values{}}\n\n\t// always list cfd_tunnel routes only\n\tvalues.queryParams.Set(\"tun_types\", \"cfd_tunnel\")\n\n\treturn values\n}\n\nfunc (f *IpRouteFilter) CommentIs(comment string) {\n\tf.queryParams.Set(\"comment\", comment)\n}\n\nfunc (f *IpRouteFilter) NotDeleted() {\n\tf.queryParams.Set(\"is_deleted\", \"false\")\n}\n\nfunc (f *IpRouteFilter) Deleted() {\n\tf.queryParams.Set(\"is_deleted\", \"true\")\n}\n\nfunc (f *IpRouteFilter) NetworkIsSubsetOf(superset net.IPNet) {\n\tf.queryParams.Set(\"network_subset\", superset.String())\n}\n\nfunc (f *IpRouteFilter) NetworkIsSupersetOf(subset net.IPNet) {\n\tf.queryParams.Set(\"network_superset\", subset.String())\n}\n\nfunc (f *IpRouteFilter) ExistedAt(existedAt time.Time) {\n\tf.queryParams.Set(\"existed_at\", existedAt.Format(time.RFC3339))\n}\n\nfunc (f *IpRouteFilter) TunnelID(id uuid.UUID) {\n\tf.queryParams.Set(\"tunnel_id\", id.String())\n}\n\nfunc (f *IpRouteFilter) VNetID(id uuid.UUID) {\n\tf.queryParams.Set(\"virtual_network_id\", id.String())\n}\n\nfunc (f *IpRouteFilter) MaxFetchSize(max uint) {\n\tf.queryParams.Set(\"per_page\", strconv.Itoa(int(max)))\n}\n\nfunc (f *IpRouteFilter) Page(page int) {\n\tf.queryParams.Set(\"page\", strconv.Itoa(page))\n}\n\nfunc (f IpRouteFilter) Encode() string {\n\treturn f.queryParams.Encode()\n}\n" }, { "path": "cfapi/ip_route_test.go", "content": "package cfapi\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestUnmarshalRoute(t *testing.T) {\n\ttestCases := []struct {\n\t\tJson string\n\t\tHasVnet bool\n\t}{\n\t\t{\n\t\t\t`{\n\t\t\t\t\"network\":\"10.1.2.40/29\",\n\t\t\t\t\"tunnel_id\":\"fba6ffea-807f-4e7a-a740-4184ee1b82c8\",\n\t\t\t\t\"comment\":\"test\",\n\t\t\t\t\"created_at\":\"2020-12-22T02:00:15.587008Z\",\n\t\t\t\t\"deleted_at\":null\n\t\t\t}`,\n\t\t\tfalse,\n\t\t},\n\t\t{\n\t\t\t`{\n\t\t\t\t\"network\":\"10.1.2.40/29\",\n\t\t\t\t\"tunnel_id\":\"fba6ffea-807f-4e7a-a740-4184ee1b82c8\",\n\t\t\t\t\"comment\":\"test\",\n\t\t\t\t\"created_at\":\"2020-12-22T02:00:15.587008Z\",\n\t\t\t\t\"deleted_at\":null,\n\t\t\t\t\"virtual_network_id\":\"38c95083-8191-4110-8339-3f438d44fdb9\"\n\t\t\t}`,\n\t\t\ttrue,\n\t\t},\n\t}\n\n\tfor _, testCase := range testCases {\n\t\tdata := testCase.Json\n\n\t\tvar r Route\n\t\terr := json.Unmarshal([]byte(data), &r)\n\n\t\t// Check everything worked\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, uuid.MustParse(\"fba6ffea-807f-4e7a-a740-4184ee1b82c8\"), r.TunnelID)\n\t\trequire.Equal(t, \"test\", r.Comment)\n\t\t_, cidr, err := net.ParseCIDR(\"10.1.2.40/29\")\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, CIDR(*cidr), r.Network)\n\t\trequire.Equal(t, \"test\", r.Comment)\n\n\t\tif testCase.HasVnet {\n\t\t\trequire.Equal(t, uuid.MustParse(\"38c95083-8191-4110-8339-3f438d44fdb9\"), *r.VNetID)\n\t\t} else {\n\t\t\trequire.Nil(t, r.VNetID)\n\t\t}\n\t}\n}\n\nfunc TestDetailedRouteJsonRoundtrip(t *testing.T) {\n\ttestCases := []struct {\n\t\tJson string\n\t\tHasVnet bool\n\t}{\n\t\t{\n\t\t\t`{\n\t\t\t\t\"id\":\"91ebc578-cc99-4641-9937-0fb630505fa0\",\n\t\t\t\t\"network\":\"10.1.2.40/29\",\n\t\t\t\t\"tunnel_id\":\"fba6ffea-807f-4e7a-a740-4184ee1b82c8\",\n\t\t\t\t\"comment\":\"test\",\n\t\t\t\t\"created_at\":\"2020-12-22T02:00:15.587008Z\",\n\t\t\t\t\"deleted_at\":\"2021-01-14T05:01:42.183002Z\",\n\t\t\t\t\"tunnel_name\":\"Mr. Tun\"\n\t\t\t}`,\n\t\t\tfalse,\n\t\t},\n\t\t{\n\t\t\t`{\n\t\t\t\t\"id\":\"91ebc578-cc99-4641-9937-0fb630505fa0\",\n\t\t\t\t\"network\":\"10.1.2.40/29\",\n\t\t\t\t\"tunnel_id\":\"fba6ffea-807f-4e7a-a740-4184ee1b82c8\",\n\t\t\t\t\"virtual_network_id\":\"38c95083-8191-4110-8339-3f438d44fdb9\",\n\t\t\t\t\"comment\":\"test\",\n\t\t\t\t\"created_at\":\"2020-12-22T02:00:15.587008Z\",\n\t\t\t\t\"deleted_at\":\"2021-01-14T05:01:42.183002Z\",\n\t\t\t\t\"tunnel_name\":\"Mr. Tun\"\n\t\t\t}`,\n\t\t\ttrue,\n\t\t},\n\t}\n\n\tfor _, testCase := range testCases {\n\t\tdata := testCase.Json\n\n\t\tvar r DetailedRoute\n\t\terr := json.Unmarshal([]byte(data), &r)\n\n\t\t// Check everything worked\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, uuid.MustParse(\"fba6ffea-807f-4e7a-a740-4184ee1b82c8\"), r.TunnelID)\n\t\trequire.Equal(t, \"test\", r.Comment)\n\t\t_, cidr, err := net.ParseCIDR(\"10.1.2.40/29\")\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, CIDR(*cidr), r.Network)\n\t\trequire.Equal(t, \"test\", r.Comment)\n\t\trequire.Equal(t, \"Mr. Tun\", r.TunnelName)\n\n\t\tif testCase.HasVnet {\n\t\t\trequire.Equal(t, uuid.MustParse(\"38c95083-8191-4110-8339-3f438d44fdb9\"), *r.VNetID)\n\t\t} else {\n\t\t\trequire.Nil(t, r.VNetID)\n\t\t}\n\n\t\tbytes, err := json.Marshal(r)\n\t\trequire.NoError(t, err)\n\t\tobtainedJson := string(bytes)\n\t\tdata = strings.Replace(data, \"\\t\", \"\", -1)\n\t\tdata = strings.Replace(data, \"\\n\", \"\", -1)\n\t\trequire.Equal(t, data, obtainedJson)\n\t}\n}\n\nfunc TestMarshalNewRoute(t *testing.T) {\n\t_, network, err := net.ParseCIDR(\"1.2.3.4/32\")\n\trequire.NoError(t, err)\n\trequire.NotNil(t, network)\n\tvnetId := uuid.New()\n\n\tnewRoutes := []NewRoute{\n\t\t{\n\t\t\tNetwork: *network,\n\t\t\tTunnelID: uuid.New(),\n\t\t\tComment: \"hi\",\n\t\t},\n\t\t{\n\t\t\tNetwork: *network,\n\t\t\tTunnelID: uuid.New(),\n\t\t\tComment: \"hi\",\n\t\t\tVNetID: &vnetId,\n\t\t},\n\t}\n\n\tfor _, newRoute := range newRoutes {\n\t\t// Test where receiver is struct\n\t\tserialized, err := json.Marshal(newRoute)\n\t\trequire.NoError(t, err)\n\t\trequire.True(t, strings.Contains(string(serialized), \"tunnel_id\"))\n\n\t\t// Test where receiver is pointer to struct\n\t\tserialized, err = json.Marshal(&newRoute)\n\t\trequire.NoError(t, err)\n\t\trequire.True(t, strings.Contains(string(serialized), \"tunnel_id\"))\n\n\t\tif newRoute.VNetID == nil {\n\t\t\trequire.False(t, strings.Contains(string(serialized), \"virtual_network_id\"))\n\t\t} else {\n\t\t\trequire.True(t, strings.Contains(string(serialized), \"virtual_network_id\"))\n\t\t}\n\t}\n}\n\nfunc TestRouteTableString(t *testing.T) {\n\t_, network, err := net.ParseCIDR(\"1.2.3.4/32\")\n\trequire.NoError(t, err)\n\trequire.NotNil(t, network)\n\tr := DetailedRoute{\n\t\tID: uuid.Nil,\n\t\tNetwork: CIDR(*network),\n\t}\n\trow := r.TableString()\n\tfmt.Println(row)\n\trequire.True(t, strings.HasPrefix(row, \"00000000-0000-0000-0000-000000000000\\t1.2.3.4/32\"))\n}\n" }, { "path": "cfapi/tunnel.go", "content": "package cfapi\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"path\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n)\n\nvar ErrTunnelNameConflict = errors.New(\"tunnel with name already exists\")\n\ntype ManagementResource int\n\nconst (\n\tLogs ManagementResource = iota\n\tAdmin\n\tHostDetails\n)\n\nfunc (r ManagementResource) String() string {\n\tswitch r {\n\tcase Logs:\n\t\treturn \"logs\"\n\tcase Admin:\n\t\treturn \"admin\"\n\tcase HostDetails:\n\t\treturn \"host_details\"\n\tdefault:\n\t\treturn \"\"\n\t}\n}\n\ntype Tunnel struct {\n\tID uuid.UUID `json:\"id\"`\n\tName string `json:\"name\"`\n\tCreatedAt time.Time `json:\"created_at\"`\n\tDeletedAt time.Time `json:\"deleted_at\"`\n\tConnections []Connection `json:\"connections\"`\n}\n\ntype TunnelWithToken struct {\n\tTunnel\n\tToken string `json:\"token\"`\n}\n\ntype Connection struct {\n\tColoName string `json:\"colo_name\"`\n\tID uuid.UUID `json:\"id\"`\n\tIsPendingReconnect bool `json:\"is_pending_reconnect\"`\n\tOriginIP net.IP `json:\"origin_ip\"`\n\tOpenedAt time.Time `json:\"opened_at\"`\n}\n\ntype ActiveClient struct {\n\tID uuid.UUID `json:\"id\"`\n\tFeatures []string `json:\"features\"`\n\tVersion string `json:\"version\"`\n\tArch string `json:\"arch\"`\n\tRunAt time.Time `json:\"run_at\"`\n\tConnections []Connection `json:\"conns\"`\n}\n\ntype newTunnel struct {\n\tName string `json:\"name\"`\n\tTunnelSecret []byte `json:\"tunnel_secret\"`\n}\n\ntype CleanupParams struct {\n\tqueryParams url.Values\n}\n\nfunc NewCleanupParams() *CleanupParams {\n\treturn &CleanupParams{\n\t\tqueryParams: url.Values{},\n\t}\n}\n\nfunc (cp *CleanupParams) ForClient(clientID uuid.UUID) {\n\tcp.queryParams.Set(\"client_id\", clientID.String())\n}\n\nfunc (cp CleanupParams) encode() string {\n\treturn cp.queryParams.Encode()\n}\n\nfunc (r *RESTClient) CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error) {\n\tif name == \"\" {\n\t\treturn nil, errors.New(\"tunnel name required\")\n\t}\n\tif _, err := uuid.Parse(name); err == nil {\n\t\treturn nil, errors.New(\"you cannot use UUIDs as tunnel names\")\n\t}\n\tbody := &newTunnel{\n\t\tName: name,\n\t\tTunnelSecret: tunnelSecret,\n\t}\n\n\tresp, err := r.sendRequest(\"POST\", r.baseEndpoints.accountLevel, body)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tswitch resp.StatusCode {\n\tcase http.StatusOK:\n\t\tvar tunnel TunnelWithToken\n\t\tif serdeErr := parseResponse(resp.Body, &tunnel); serdeErr != nil {\n\t\t\treturn nil, serdeErr\n\t\t}\n\t\treturn &tunnel, nil\n\tcase http.StatusConflict:\n\t\treturn nil, ErrTunnelNameConflict\n\t}\n\n\treturn nil, r.statusCodeToError(\"create tunnel\", resp)\n}\n\nfunc (r *RESTClient) GetTunnel(tunnelID uuid.UUID) (*Tunnel, error) {\n\tendpoint := r.baseEndpoints.accountLevel\n\tendpoint.Path = path.Join(endpoint.Path, fmt.Sprintf(\"%v\", tunnelID))\n\tresp, err := r.sendRequest(\"GET\", endpoint, nil)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\treturn unmarshalTunnel(resp.Body)\n\t}\n\n\treturn nil, r.statusCodeToError(\"get tunnel\", resp)\n}\n\nfunc (r *RESTClient) GetTunnelToken(tunnelID uuid.UUID) (token string, err error) {\n\tendpoint := r.baseEndpoints.accountLevel\n\tendpoint.Path = path.Join(endpoint.Path, fmt.Sprintf(\"%v/token\", tunnelID))\n\tresp, err := r.sendRequest(\"GET\", endpoint, nil)\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\terr = parseResponse(resp.Body, &token)\n\t\treturn token, err\n\t}\n\n\treturn \"\", r.statusCodeToError(\"get tunnel token\", resp)\n}\n\n// managementEndpointPath returns the path segment for a management resource endpoint\nfunc managementEndpointPath(tunnelID uuid.UUID, res ManagementResource) string {\n\treturn fmt.Sprintf(\"%v/management/%s\", tunnelID, res.String())\n}\n\nfunc (r *RESTClient) GetManagementToken(tunnelID uuid.UUID, res ManagementResource) (token string, err error) {\n\tendpoint := r.baseEndpoints.accountLevel\n\tendpoint.Path = path.Join(endpoint.Path, managementEndpointPath(tunnelID, res))\n\n\tresp, err := r.sendRequest(\"POST\", endpoint, nil)\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\terr = parseResponse(resp.Body, &token)\n\t\treturn token, err\n\t}\n\n\treturn \"\", r.statusCodeToError(\"get tunnel token\", resp)\n}\n\nfunc (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {\n\tendpoint := r.baseEndpoints.accountLevel\n\tendpoint.Path = path.Join(endpoint.Path, fmt.Sprintf(\"%v\", tunnelID))\n\t// Cascade will delete all tunnel dependencies (connections, routes, etc.) that\n\t// are linked to the deleted tunnel.\n\tif cascade {\n\t\tendpoint.RawQuery = \"cascade=true\"\n\t}\n\tresp, err := r.sendRequest(\"DELETE\", endpoint, nil)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\treturn r.statusCodeToError(\"delete tunnel\", resp)\n}\n\nfunc (r *RESTClient) ListTunnels(filter *TunnelFilter) ([]*Tunnel, error) {\n\tfetchFn := func(page int) (*http.Response, error) {\n\t\tendpoint := r.baseEndpoints.accountLevel\n\t\tfilter.Page(page)\n\t\tendpoint.RawQuery = filter.encode()\n\t\trsp, err := r.sendRequest(\"GET\", endpoint, nil)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"REST request failed\")\n\t\t}\n\t\tif rsp.StatusCode != http.StatusOK {\n\t\t\trsp.Body.Close()\n\t\t\treturn nil, r.statusCodeToError(\"list tunnels\", rsp)\n\t\t}\n\t\treturn rsp, nil\n\t}\n\n\treturn fetchExhaustively[Tunnel](fetchFn)\n}\n\nfunc (r *RESTClient) ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error) {\n\tendpoint := r.baseEndpoints.accountLevel\n\tendpoint.Path = path.Join(endpoint.Path, fmt.Sprintf(\"%v/connections\", tunnelID))\n\tresp, err := r.sendRequest(\"GET\", endpoint, nil)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\treturn parseConnectionsDetails(resp.Body)\n\t}\n\n\treturn nil, r.statusCodeToError(\"list connection details\", resp)\n}\n\nfunc parseConnectionsDetails(reader io.Reader) ([]*ActiveClient, error) {\n\tvar clients []*ActiveClient\n\terr := parseResponse(reader, &clients)\n\treturn clients, err\n}\n\nfunc (r *RESTClient) CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error {\n\tendpoint := r.baseEndpoints.accountLevel\n\tendpoint.RawQuery = params.encode()\n\tendpoint.Path = path.Join(endpoint.Path, fmt.Sprintf(\"%v/connections\", tunnelID))\n\tresp, err := r.sendRequest(\"DELETE\", endpoint, nil)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\treturn r.statusCodeToError(\"cleanup connections\", resp)\n}\n\nfunc unmarshalTunnel(reader io.Reader) (*Tunnel, error) {\n\tvar tunnel Tunnel\n\terr := parseResponse(reader, &tunnel)\n\treturn &tunnel, err\n}\n" }, { "path": "cfapi/tunnel_filter.go", "content": "package cfapi\n\nimport (\n\t\"net/url\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n)\n\nconst (\n\tTimeLayout = time.RFC3339\n)\n\ntype TunnelFilter struct {\n\tqueryParams url.Values\n}\n\nfunc NewTunnelFilter() *TunnelFilter {\n\treturn &TunnelFilter{\n\t\tqueryParams: url.Values{},\n\t}\n}\n\nfunc (f *TunnelFilter) ByName(name string) {\n\tf.queryParams.Set(\"name\", name)\n}\n\nfunc (f *TunnelFilter) ByNamePrefix(namePrefix string) {\n\tf.queryParams.Set(\"name_prefix\", namePrefix)\n}\n\nfunc (f *TunnelFilter) ExcludeNameWithPrefix(excludePrefix string) {\n\tf.queryParams.Set(\"exclude_prefix\", excludePrefix)\n}\n\nfunc (f *TunnelFilter) NoDeleted() {\n\tf.queryParams.Set(\"is_deleted\", \"false\")\n}\n\nfunc (f *TunnelFilter) ByExistedAt(existedAt time.Time) {\n\tf.queryParams.Set(\"existed_at\", existedAt.Format(TimeLayout))\n}\n\nfunc (f *TunnelFilter) ByTunnelID(tunnelID uuid.UUID) {\n\tf.queryParams.Set(\"uuid\", tunnelID.String())\n}\n\nfunc (f *TunnelFilter) MaxFetchSize(max uint) {\n\tf.queryParams.Set(\"per_page\", strconv.Itoa(int(max)))\n}\n\nfunc (f *TunnelFilter) Page(page int) {\n\tf.queryParams.Set(\"page\", strconv.Itoa(page))\n}\n\nfunc (f TunnelFilter) encode() string {\n\treturn f.queryParams.Encode()\n}\n" }, { "path": "cfapi/tunnel_test.go", "content": "package cfapi\n\nimport (\n\t\"bytes\"\n\t\"net\"\n\t\"reflect\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nvar loc, _ = time.LoadLocation(\"UTC\")\n\nfunc Test_unmarshalTunnel(t *testing.T) {\n\ttype args struct {\n\t\tbody string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant *Tunnel\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\tname: \"empty list\",\n\t\t\targs: args{body: `{\"success\": true, \"result\": {\"id\":\"b34cc7ce-925b-46ee-bc23-4cb5c18d8292\",\"created_at\":\"2021-07-29T13:46:14.090955Z\",\"deleted_at\":\"2021-07-29T14:07:27.559047Z\",\"name\":\"qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV\",\"account_id\":6946212,\"account_tag\":\"5ab4e9dfbd435d24068829fda0077963\",\"conns_active_at\":null,\"conns_inactive_at\":\"2021-07-29T13:47:22.548482Z\",\"tun_type\":\"cfd_tunnel\",\"metadata\":{\"qtid\":\"a6fJROgkXutNruBGaJjD\"}}}`},\n\t\t\twant: &Tunnel{\n\t\t\t\tID: uuid.MustParse(\"b34cc7ce-925b-46ee-bc23-4cb5c18d8292\"),\n\t\t\t\tName: \"qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV\",\n\t\t\t\tCreatedAt: time.Date(2021, 07, 29, 13, 46, 14, 90955000, loc),\n\t\t\t\tDeletedAt: time.Date(2021, 07, 29, 14, 7, 27, 559047000, loc),\n\t\t\t\tConnections: nil,\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tgot, err := unmarshalTunnel(strings.NewReader(tt.args.body))\n\t\t\tif (err != nil) != tt.wantErr {\n\t\t\t\tt.Errorf(\"unmarshalTunnel() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif !reflect.DeepEqual(got, tt.want) {\n\t\t\t\tt.Errorf(\"unmarshalTunnel() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestUnmarshalTunnelOk(t *testing.T) {\n\tjsonBody := `{\"success\": true, \"result\": {\"id\": \"00000000-0000-0000-0000-000000000000\",\"name\":\"test\",\"created_at\":\"0001-01-01T00:00:00Z\",\"connections\":[]}}`\n\texpected := Tunnel{\n\t\tID: uuid.Nil,\n\t\tName: \"test\",\n\t\tCreatedAt: time.Time{},\n\t\tConnections: []Connection{},\n\t}\n\tactual, err := unmarshalTunnel(bytes.NewReader([]byte(jsonBody)))\n\trequire.NoError(t, err)\n\trequire.Equal(t, &expected, actual)\n}\n\nfunc TestUnmarshalTunnelErr(t *testing.T) {\n\ttests := []string{\n\t\t`abc`,\n\t\t`{\"success\": true, \"result\": abc}`,\n\t\t`{\"success\": false, \"result\": {\"id\": \"00000000-0000-0000-0000-000000000000\",\"name\":\"test\",\"created_at\":\"0001-01-01T00:00:00Z\",\"connections\":[]}}}`,\n\t\t`{\"errors\": [{\"code\": 1003, \"message\":\"An A, AAAA or CNAME record already exists with that host\"}], \"result\": {\"id\": \"00000000-0000-0000-0000-000000000000\",\"name\":\"test\",\"created_at\":\"0001-01-01T00:00:00Z\",\"connections\":[]}}}`,\n\t}\n\n\tfor i, test := range tests {\n\t\t_, err := unmarshalTunnel(bytes.NewReader([]byte(test)))\n\t\tassert.Error(t, err, \"Test #%v failed\", i)\n\t}\n}\n\nfunc TestManagementResource_String(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tresource ManagementResource\n\t\twant string\n\t}{\n\t\t{\n\t\t\tname: \"Logs\",\n\t\t\tresource: Logs,\n\t\t\twant: \"logs\",\n\t\t},\n\t\t{\n\t\t\tname: \"Admin\",\n\t\t\tresource: Admin,\n\t\t\twant: \"admin\",\n\t\t},\n\t\t{\n\t\t\tname: \"HostDetails\",\n\t\t\tresource: HostDetails,\n\t\t\twant: \"host_details\",\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tassert.Equal(t, tt.want, tt.resource.String())\n\t\t})\n\t}\n}\n\nfunc TestManagementResource_String_Unknown(t *testing.T) {\n\tunknown := ManagementResource(999)\n\tassert.Equal(t, \"\", unknown.String())\n}\n\nfunc TestManagementEndpointPath(t *testing.T) {\n\ttunnelID := uuid.MustParse(\"b34cc7ce-925b-46ee-bc23-4cb5c18d8292\")\n\n\ttests := []struct {\n\t\tname string\n\t\tresource ManagementResource\n\t\twant string\n\t}{\n\t\t{\n\t\t\tname: \"Logs resource\",\n\t\t\tresource: Logs,\n\t\t\twant: \"b34cc7ce-925b-46ee-bc23-4cb5c18d8292/management/logs\",\n\t\t},\n\t\t{\n\t\t\tname: \"Admin resource\",\n\t\t\tresource: Admin,\n\t\t\twant: \"b34cc7ce-925b-46ee-bc23-4cb5c18d8292/management/admin\",\n\t\t},\n\t\t{\n\t\t\tname: \"HostDetails resource\",\n\t\t\tresource: HostDetails,\n\t\t\twant: \"b34cc7ce-925b-46ee-bc23-4cb5c18d8292/management/host_details\",\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tgot := managementEndpointPath(tunnelID, tt.resource)\n\t\t\tassert.Equal(t, tt.want, got)\n\t\t})\n\t}\n}\n\nfunc TestUnmarshalConnections(t *testing.T) {\n\tjsonBody := `{\"success\":true,\"messages\":[],\"errors\":[],\"result\":[{\"id\":\"d4041254-91e3-4deb-bd94-b46e11680b1e\",\"features\":[\"ha-origin\"],\"version\":\"2021.2.5\",\"arch\":\"darwin_amd64\",\"conns\":[{\"colo_name\":\"LIS\",\"id\":\"ac2286e5-c708-4588-a6a0-ba6b51940019\",\"is_pending_reconnect\":false,\"origin_ip\":\"148.38.28.2\",\"opened_at\":\"0001-01-01T00:00:00Z\"}],\"run_at\":\"0001-01-01T00:00:00Z\"}]}`\n\texpected := ActiveClient{\n\t\tID: uuid.MustParse(\"d4041254-91e3-4deb-bd94-b46e11680b1e\"),\n\t\tFeatures: []string{\"ha-origin\"},\n\t\tVersion: \"2021.2.5\",\n\t\tArch: \"darwin_amd64\",\n\t\tRunAt: time.Time{},\n\t\tConnections: []Connection{{\n\t\t\tID: uuid.MustParse(\"ac2286e5-c708-4588-a6a0-ba6b51940019\"),\n\t\t\tColoName: \"LIS\",\n\t\t\tIsPendingReconnect: false,\n\t\t\tOriginIP: net.ParseIP(\"148.38.28.2\"),\n\t\t\tOpenedAt: time.Time{},\n\t\t}},\n\t}\n\tactual, err := parseConnectionsDetails(bytes.NewReader([]byte(jsonBody)))\n\trequire.NoError(t, err)\n\tassert.Equal(t, []*ActiveClient{&expected}, actual)\n}\n" }, { "path": "cfapi/virtual_network.go", "content": "package cfapi\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"path\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n)\n\ntype NewVirtualNetwork struct {\n\tName string `json:\"name\"`\n\tComment string `json:\"comment\"`\n\tIsDefault bool `json:\"is_default_network\"`\n}\n\ntype VirtualNetwork struct {\n\tID uuid.UUID `json:\"id\"`\n\tComment string `json:\"comment\"`\n\tName string `json:\"name\"`\n\tIsDefault bool `json:\"is_default_network\"`\n\tCreatedAt time.Time `json:\"created_at\"`\n\tDeletedAt time.Time `json:\"deleted_at\"`\n}\n\ntype UpdateVirtualNetwork struct {\n\tName *string `json:\"name,omitempty\"`\n\tComment *string `json:\"comment,omitempty\"`\n\tIsDefault *bool `json:\"is_default_network,omitempty\"`\n}\n\nfunc (virtualNetwork VirtualNetwork) TableString() string {\n\tdeletedColumn := \"-\"\n\tif !virtualNetwork.DeletedAt.IsZero() {\n\t\tdeletedColumn = virtualNetwork.DeletedAt.Format(time.RFC3339)\n\t}\n\treturn fmt.Sprintf(\n\t\t\"%s\\t%s\\t%s\\t%s\\t%s\\t%s\\t\",\n\t\tvirtualNetwork.ID,\n\t\tvirtualNetwork.Name,\n\t\tstrconv.FormatBool(virtualNetwork.IsDefault),\n\t\tvirtualNetwork.Comment,\n\t\tvirtualNetwork.CreatedAt.Format(time.RFC3339),\n\t\tdeletedColumn,\n\t)\n}\n\nfunc (r *RESTClient) CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error) {\n\tresp, err := r.sendRequest(\"POST\", r.baseEndpoints.accountVnets, newVnet)\n\tif err != nil {\n\t\treturn VirtualNetwork{}, errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\treturn parseVnet(resp.Body)\n\t}\n\n\treturn VirtualNetwork{}, r.statusCodeToError(\"add virtual network\", resp)\n}\n\nfunc (r *RESTClient) ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error) {\n\tendpoint := r.baseEndpoints.accountVnets\n\tendpoint.RawQuery = filter.Encode()\n\tresp, err := r.sendRequest(\"GET\", endpoint, nil)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\treturn parseListVnets(resp.Body)\n\t}\n\n\treturn nil, r.statusCodeToError(\"list virtual networks\", resp)\n}\n\nfunc (r *RESTClient) DeleteVirtualNetwork(id uuid.UUID, force bool) error {\n\tendpoint := r.baseEndpoints.accountVnets\n\tendpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))\n\n\tqueryParams := url.Values{}\n\tif force {\n\t\tqueryParams.Set(\"force\", strconv.FormatBool(force))\n\t}\n\tendpoint.RawQuery = queryParams.Encode()\n\n\tresp, err := r.sendRequest(\"DELETE\", endpoint, nil)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\t_, err := parseVnet(resp.Body)\n\t\treturn err\n\t}\n\n\treturn r.statusCodeToError(\"delete virtual network\", resp)\n}\n\nfunc (r *RESTClient) UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error {\n\tendpoint := r.baseEndpoints.accountVnets\n\tendpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))\n\tresp, err := r.sendRequest(\"PATCH\", endpoint, updates)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"REST request failed\")\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode == http.StatusOK {\n\t\t_, err := parseVnet(resp.Body)\n\t\treturn err\n\t}\n\n\treturn r.statusCodeToError(\"update virtual network\", resp)\n}\n\nfunc parseListVnets(body io.ReadCloser) ([]*VirtualNetwork, error) {\n\tvar vnets []*VirtualNetwork\n\terr := parseResponse(body, &vnets)\n\treturn vnets, err\n}\n\nfunc parseVnet(body io.ReadCloser) (VirtualNetwork, error) {\n\tvar vnet VirtualNetwork\n\terr := parseResponse(body, &vnet)\n\treturn vnet, err\n}\n" }, { "path": "cfapi/virtual_network_filter.go", "content": "package cfapi\n\nimport (\n\t\"net/url\"\n\t\"strconv\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/urfave/cli/v2\"\n)\n\nvar (\n\tfilterVnetId = cli.StringFlag{\n\t\tName: \"id\",\n\t\tUsage: \"List virtual networks with the given `ID`\",\n\t}\n\tfilterVnetByName = cli.StringFlag{\n\t\tName: \"name\",\n\t\tUsage: \"List virtual networks with the given `NAME`\",\n\t}\n\tfilterDefaultVnet = cli.BoolFlag{\n\t\tName: \"is-default\",\n\t\tUsage: \"If true, lists the virtual network that is the default one. If false, lists all non-default virtual networks for the account. If absent, all are included in the results regardless of their default status.\",\n\t}\n\tfilterDeletedVnet = cli.BoolFlag{\n\t\tName: \"show-deleted\",\n\t\tUsage: \"If false (default), only show non-deleted virtual networks. If true, only show deleted virtual networks.\",\n\t}\n\tVnetFilterFlags = []cli.Flag{\n\t\t&filterVnetId,\n\t\t&filterVnetByName,\n\t\t&filterDefaultVnet,\n\t\t&filterDeletedVnet,\n\t}\n)\n\n// VnetFilter which virtual networks get queried.\ntype VnetFilter struct {\n\tqueryParams url.Values\n}\n\nfunc NewVnetFilter() *VnetFilter {\n\treturn &VnetFilter{\n\t\tqueryParams: url.Values{},\n\t}\n}\n\nfunc (f *VnetFilter) ById(vnetId uuid.UUID) {\n\tf.queryParams.Set(\"id\", vnetId.String())\n}\n\nfunc (f *VnetFilter) ByName(name string) {\n\tf.queryParams.Set(\"name\", name)\n}\n\nfunc (f *VnetFilter) ByDefaultStatus(isDefault bool) {\n\tf.queryParams.Set(\"is_default\", strconv.FormatBool(isDefault))\n}\n\nfunc (f *VnetFilter) WithDeleted(isDeleted bool) {\n\tf.queryParams.Set(\"is_deleted\", strconv.FormatBool(isDeleted))\n}\n\nfunc (f *VnetFilter) MaxFetchSize(max uint) {\n\tf.queryParams.Set(\"per_page\", strconv.Itoa(int(max)))\n}\n\nfunc (f VnetFilter) Encode() string {\n\treturn f.queryParams.Encode()\n}\n\n// NewFromCLI parses CLI flags to discover which filters should get applied to list virtual networks.\nfunc NewFromCLI(c *cli.Context) (*VnetFilter, error) {\n\tf := NewVnetFilter()\n\n\tif id := c.String(\"id\"); id != \"\" {\n\t\tvnetId, err := uuid.Parse(id)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrapf(err, \"%s is not a valid virtual network ID\", id)\n\t\t}\n\t\tf.ById(vnetId)\n\t}\n\n\tif name := c.String(\"name\"); name != \"\" {\n\t\tf.ByName(name)\n\t}\n\n\tif c.IsSet(\"is-default\") {\n\t\tf.ByDefaultStatus(c.Bool(\"is-default\"))\n\t}\n\n\tf.WithDeleted(c.Bool(\"show-deleted\"))\n\n\tif maxFetch := c.Int(\"max-fetch-size\"); maxFetch > 0 {\n\t\tf.MaxFetchSize(uint(maxFetch))\n\t}\n\n\treturn f, nil\n}\n" }, { "path": "cfapi/virtual_network_test.go", "content": "package cfapi\n\nimport (\n\t\"encoding/json\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestVirtualNetworkJsonRoundtrip(t *testing.T) {\n\tdata := `{\n\t\t\"id\":\"74fce949-351b-4752-b261-81a56cfd3130\",\n\t\t\"comment\":\"New York DC1\",\n\t\t\"name\":\"us-east-1\",\n\t\t\"is_default_network\":true,\n\t\t\"created_at\":\"2021-11-26T14:40:02.600673Z\",\n\t\t\"deleted_at\":\"2021-12-01T10:23:13.102645Z\"\n\t}`\n\tvar v VirtualNetwork\n\terr := json.Unmarshal([]byte(data), &v)\n\n\trequire.NoError(t, err)\n\trequire.Equal(t, uuid.MustParse(\"74fce949-351b-4752-b261-81a56cfd3130\"), v.ID)\n\trequire.Equal(t, \"us-east-1\", v.Name)\n\trequire.Equal(t, \"New York DC1\", v.Comment)\n\trequire.Equal(t, true, v.IsDefault)\n\n\tbytes, err := json.Marshal(v)\n\trequire.NoError(t, err)\n\tobtainedJson := string(bytes)\n\tdata = strings.Replace(data, \"\\t\", \"\", -1)\n\tdata = strings.Replace(data, \"\\n\", \"\", -1)\n\trequire.Equal(t, data, obtainedJson)\n}\n\nfunc TestMarshalNewVnet(t *testing.T) {\n\tnewVnet := NewVirtualNetwork{\n\t\tName: \"eu-west-1\",\n\t\tComment: \"London office\",\n\t\tIsDefault: true,\n\t}\n\n\tserialized, err := json.Marshal(newVnet)\n\trequire.NoError(t, err)\n\trequire.True(t, strings.Contains(string(serialized), newVnet.Name))\n}\n\nfunc TestMarshalUpdateVnet(t *testing.T) {\n\tnewName := \"bulgaria-1\"\n\tupdates := UpdateVirtualNetwork{\n\t\tName: &newName,\n\t}\n\n\t// Test where receiver is struct\n\tserialized, err := json.Marshal(updates)\n\trequire.NoError(t, err)\n\trequire.True(t, strings.Contains(string(serialized), newName))\n}\n\nfunc TestVnetTableString(t *testing.T) {\n\tvirtualNet := VirtualNetwork{\n\t\tID: uuid.New(),\n\t\tName: \"us-east-1\",\n\t\tComment: \"New York DC1\",\n\t\tIsDefault: true,\n\t\tCreatedAt: time.Now(),\n\t\tDeletedAt: time.Time{},\n\t}\n\n\trow := virtualNet.TableString()\n\trequire.True(t, strings.HasPrefix(row, virtualNet.ID.String()))\n\trequire.True(t, strings.Contains(row, virtualNet.Name))\n\trequire.True(t, strings.Contains(row, virtualNet.Comment))\n\trequire.True(t, strings.Contains(row, \"true\"))\n\trequire.True(t, strings.HasSuffix(row, \"-\\t\"))\n}\n" }, { "path": "cfio/copy.go", "content": "package cfio\n\nimport (\n\t\"io\"\n\t\"sync\"\n)\n\nconst defaultBufferSize = 16 * 1024\n\nvar bufferPool = sync.Pool{\n\tNew: func() interface{} {\n\t\treturn make([]byte, defaultBufferSize)\n\t},\n}\n\nfunc Copy(dst io.Writer, src io.Reader) (written int64, err error) {\n\t_, okWriteTo := src.(io.WriterTo)\n\t_, okReadFrom := dst.(io.ReaderFrom)\n\tvar buffer []byte = nil\n\n\tif !(okWriteTo || okReadFrom) {\n\t\tbuffer = bufferPool.Get().([]byte)\n\t\tdefer bufferPool.Put(buffer)\n\t}\n\n\treturn io.CopyBuffer(dst, src, buffer)\n}\n" }, { "path": "cfsetup.yaml", "content": "# A valid cfsetup.yaml is required but we dont have any real config to specify\ndummy_key: true\n" }, { "path": "check-fips.sh", "content": "# Pass the path to the executable to check for FIPS compliance\nexe=$1\n\nif [ \"$(go tool nm \"${exe}\" | grep -c '_Cfunc__goboringcrypto_')\" -eq 0 ]; then\n # Asserts that executable is using FIPS-compliant boringcrypto\n echo \"${exe}: missing goboring symbols\" >&2\n exit 1\nfi\nif [ \"$(go tool nm \"${exe}\" | grep -c 'crypto/internal/boring/sig.FIPSOnly')\" -eq 0 ]; then\n # Asserts that executable is using FIPS-only schemes\n echo \"${exe}: missing fipsonly symbols\" >&2\n exit 1\nfi\n\necho \"${exe} is FIPS-compliant\"\n" }, { "path": "client/config.go", "content": "package client\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/features\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\n// Config captures the local client runtime configuration.\ntype Config struct {\n\tConnectorID uuid.UUID\n\tVersion string\n\tArch string\n\n\tfeatureSelector features.FeatureSelector\n}\n\nfunc NewConfig(version string, arch string, featureSelector features.FeatureSelector) (*Config, error) {\n\tconnectorID, err := uuid.NewRandom()\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to generate a connector UUID: %w\", err)\n\t}\n\treturn &Config{\n\t\tConnectorID: connectorID,\n\t\tVersion: version,\n\t\tArch: arch,\n\t\tfeatureSelector: featureSelector,\n\t}, nil\n}\n\n// ConnectionOptionsSnapshot is a snapshot of the current client information used to initialize a connection.\n//\n// The FeatureSnapshot is the features that are available for this connection. At the client level they may\n// change, but they will not change within the scope of this struct.\ntype ConnectionOptionsSnapshot struct {\n\tclient pogs.ClientInfo\n\toriginLocalIP net.IP\n\tnumPreviousAttempts uint8\n\tFeatureSnapshot features.FeatureSnapshot\n}\n\nfunc (c *Config) ConnectionOptionsSnapshot(originIP net.IP, previousAttempts uint8) *ConnectionOptionsSnapshot {\n\tsnapshot := c.featureSelector.Snapshot()\n\treturn &ConnectionOptionsSnapshot{\n\t\tclient: pogs.ClientInfo{\n\t\t\tClientID: c.ConnectorID[:],\n\t\t\tVersion: c.Version,\n\t\t\tArch: c.Arch,\n\t\t\tFeatures: snapshot.FeaturesList,\n\t\t},\n\t\toriginLocalIP: originIP,\n\t\tnumPreviousAttempts: previousAttempts,\n\t\tFeatureSnapshot: snapshot,\n\t}\n}\n\nfunc (c ConnectionOptionsSnapshot) ConnectionOptions() *pogs.ConnectionOptions {\n\treturn &pogs.ConnectionOptions{\n\t\tClient: c.client,\n\t\tOriginLocalIP: c.originLocalIP,\n\t\tReplaceExisting: false,\n\t\tCompressionQuality: 0,\n\t\tNumPreviousAttempts: c.numPreviousAttempts,\n\t}\n}\n\nfunc (c ConnectionOptionsSnapshot) LogFields(event *zerolog.Event) *zerolog.Event {\n\treturn event.Strs(\"features\", c.client.Features)\n}\n" }, { "path": "client/config_test.go", "content": "package client\n\nimport (\n\t\"net\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/features\"\n)\n\nfunc TestGenerateConnectionOptions(t *testing.T) {\n\tversion := \"1234\"\n\tarch := \"linux_amd64\"\n\toriginIP := net.ParseIP(\"192.168.1.1\")\n\tvar previousAttempts uint8 = 4\n\n\tconfig, err := NewConfig(version, arch, &mockFeatureSelector{})\n\trequire.NoError(t, err)\n\trequire.Equal(t, version, config.Version)\n\trequire.Equal(t, arch, config.Arch)\n\n\t// Validate ConnectionOptionsSnapshot fields\n\tconnOptions := config.ConnectionOptionsSnapshot(originIP, previousAttempts)\n\trequire.Equal(t, version, connOptions.client.Version)\n\trequire.Equal(t, arch, connOptions.client.Arch)\n\trequire.Equal(t, config.ConnectorID[:], connOptions.client.ClientID)\n\n\t// Vaidate snapshot feature fields against the connOptions generated\n\tsnapshot := config.featureSelector.Snapshot()\n\trequire.Equal(t, features.DatagramV3, snapshot.DatagramVersion)\n\trequire.Equal(t, features.DatagramV3, connOptions.FeatureSnapshot.DatagramVersion)\n\n\tpogsConnOptions := connOptions.ConnectionOptions()\n\trequire.Equal(t, connOptions.client, pogsConnOptions.Client)\n\trequire.Equal(t, originIP, pogsConnOptions.OriginLocalIP)\n\trequire.False(t, pogsConnOptions.ReplaceExisting)\n\trequire.Equal(t, uint8(0), pogsConnOptions.CompressionQuality)\n\trequire.Equal(t, previousAttempts, pogsConnOptions.NumPreviousAttempts)\n}\n\ntype mockFeatureSelector struct{}\n\nfunc (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot {\n\treturn features.FeatureSnapshot{\n\t\tPostQuantum: features.PostQuantumPrefer,\n\t\tDatagramVersion: features.DatagramV3,\n\t\tFeaturesList: []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2},\n\t}\n}\n" }, { "path": "cloudflared.wxs", "content": "\n\n\n \n\n \n\n\n \n\n\n \n\n\n\n \n\n \n\n \n\n \n\n \n \n \n \n NOT NEWERVERSIONDETECTED\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n\n \n \n \n \n\n \n\n" }, { "path": "cloudflared_man_template", "content": ".\\\" Manpage for cloudflared.\n.TH man 1 ${DATE} \"${VERSION}\" \"cloudflared man page\"\n.SH NAME\ncloudflared \\- creates a connection to the cloudflare edge network\n.SH DESCRIPTION\ncloudflared creates a persistent connection between a local service and the Cloudflare network. Once the daemon is running and the Tunnel has been configured, the local service can be locked down to only allow connections from Cloudflare.\n" }, { "path": "cmd/cloudflared/access/carrier.go", "content": "package access\n\nimport (\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"strings\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/carrier\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n\t\"github.com/cloudflare/cloudflared/stream\"\n\t\"github.com/cloudflare/cloudflared/validation\"\n)\n\nconst (\n\tLogFieldHost = \"host\"\n\tcfAccessClientIDHeader = \"Cf-Access-Client-Id\"\n\tcfAccessClientSecretHeader = \"Cf-Access-Client-Secret\"\n)\n\n// StartForwarder starts a client side websocket forward\nfunc StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *zerolog.Logger) error {\n\tvalidURL, err := validation.ValidateUrl(forwarder.Listener)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"error validating origin URL\")\n\t}\n\n\t// get the headers from the config file and add to the request\n\theaders := make(http.Header)\n\tif forwarder.TokenClientID != \"\" {\n\t\theaders.Set(cfAccessClientIDHeader, forwarder.TokenClientID)\n\t}\n\n\tif forwarder.TokenSecret != \"\" {\n\t\theaders.Set(cfAccessClientSecretHeader, forwarder.TokenSecret)\n\t}\n\theaders.Set(\"User-Agent\", userAgent)\n\n\tcarrier.SetBastionDest(headers, forwarder.Destination)\n\n\toptions := &carrier.StartOptions{\n\t\tOriginURL: forwarder.URL,\n\t\tHeaders: headers, //TODO: TUN-2688 support custom headers from config file\n\t\tIsFedramp: forwarder.IsFedramp,\n\t}\n\n\t// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side\n\twsConn := carrier.NewWSConnection(log)\n\n\tlog.Info().Str(LogFieldHost, validURL.Host).Msg(\"Start Websocket listener\")\n\treturn carrier.StartForwarder(wsConn, validURL.Host, shutdown, options)\n}\n\n// ssh will start a WS proxy server for server mode\n// or copy from stdin/stdout for client mode\n// useful for proxying other protocols (like ssh) over websockets\n// (which you can put Access in front of)\nfunc ssh(c *cli.Context) error {\n\t// If not running as a forwarder, disable terminal logs as it collides with the stdin/stdout of the parent process\n\toutputTerminal := logger.DisableTerminalLog\n\tif c.IsSet(sshURLFlag) {\n\t\toutputTerminal = logger.EnableTerminalLog\n\t}\n\tlog := logger.CreateSSHLoggerFromContext(c, outputTerminal)\n\n\t// get the hostname from the cmdline and error out if its not provided\n\trawHostName := c.String(sshHostnameFlag)\n\turl, err := parseURL(rawHostName)\n\tif err != nil {\n\t\tlog.Err(err).Send()\n\t\treturn cli.ShowCommandHelp(c, \"ssh\")\n\t}\n\n\t// get the headers from the cmdline and add them\n\theaders := parseRequestHeaders(c.StringSlice(sshHeaderFlag))\n\tif c.IsSet(sshTokenIDFlag) {\n\t\theaders.Set(cfAccessClientIDHeader, c.String(sshTokenIDFlag))\n\t}\n\tif c.IsSet(sshTokenSecretFlag) {\n\t\theaders.Set(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))\n\t}\n\theaders.Set(\"User-Agent\", userAgent)\n\n\tcarrier.SetBastionDest(headers, c.String(sshDestinationFlag))\n\n\toptions := &carrier.StartOptions{\n\t\tOriginURL: url.String(),\n\t\tHeaders: headers,\n\t\tHost: url.Host,\n\t\tIsFedramp: c.Bool(fedrampFlag),\n\t}\n\n\tif connectTo := c.String(sshConnectTo); connectTo != \"\" {\n\t\tparts := strings.Split(connectTo, \":\")\n\t\tswitch len(parts) {\n\t\tcase 1:\n\t\t\toptions.OriginURL = fmt.Sprintf(\"https://%s\", parts[0])\n\t\tcase 2:\n\t\t\toptions.OriginURL = fmt.Sprintf(\"https://%s:%s\", parts[0], parts[1])\n\t\tcase 3:\n\t\t\toptions.OriginURL = fmt.Sprintf(\"https://%s:%s\", parts[2], parts[1])\n\t\t\toptions.TLSClientConfig = &tls.Config{\n\t\t\t\tInsecureSkipVerify: true, // #nosec G402\n\t\t\t\tServerName: parts[0],\n\t\t\t}\n\t\t\tlog.Warn().Msgf(\"Using insecure SSL connection because SNI overridden to %s\", parts[0])\n\t\tdefault:\n\t\t\treturn fmt.Errorf(\"invalid connection override: %s\", connectTo)\n\t\t}\n\t}\n\n\t// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side\n\twsConn := carrier.NewWSConnection(log)\n\n\tif c.NArg() > 0 || c.IsSet(sshURLFlag) {\n\t\tforwarder, err := config.ValidateUrl(c, true)\n\t\tif err != nil {\n\t\t\tlog.Err(err).Msg(\"Error validating origin URL\")\n\t\t\treturn errors.Wrap(err, \"error validating origin URL\")\n\t\t}\n\t\tlog.Info().Str(LogFieldHost, forwarder.Host).Msg(\"Start Websocket listener\")\n\t\terr = carrier.StartForwarder(wsConn, forwarder.Host, shutdownC, options)\n\t\tif err != nil {\n\t\t\tlog.Err(err).Msg(\"Error on Websocket listener\")\n\t\t}\n\t\treturn err\n\t}\n\n\tvar s io.ReadWriter\n\ts = &carrier.StdinoutStream{}\n\tif c.IsSet(sshDebugStream) {\n\t\tmaxMessages := c.Uint64(sshDebugStream)\n\t\tif maxMessages == 0 {\n\t\t\t// default to 10 if provided but unset\n\t\t\tmaxMessages = 10\n\t\t}\n\t\tlogger := log.With().Str(\"host\", url.Host).Logger()\n\t\ts = stream.NewDebugStream(s, &logger, maxMessages)\n\t}\n\treturn carrier.StartClient(wsConn, s, options)\n}\n" }, { "path": "cmd/cloudflared/access/cmd.go", "content": "package access\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"os/exec\"\n\t\"strings\"\n\t\"text/template\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\t\"golang.org/x/net/idna\"\n\n\t\"github.com/cloudflare/cloudflared/carrier\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n\t\"github.com/cloudflare/cloudflared/sshgen\"\n\t\"github.com/cloudflare/cloudflared/token\"\n\t\"github.com/cloudflare/cloudflared/validation\"\n)\n\nconst (\n\tappURLFlag = \"app\"\n\tloginQuietFlag = \"quiet\"\n\tsshHostnameFlag = \"hostname\"\n\tsshDestinationFlag = \"destination\"\n\tsshURLFlag = \"url\"\n\tsshHeaderFlag = \"header\"\n\tsshTokenIDFlag = \"service-token-id\"\n\tsshTokenSecretFlag = \"service-token-secret\"\n\tsshGenCertFlag = \"short-lived-cert\"\n\tsshConnectTo = \"connect-to\"\n\tsshDebugStream = \"debug-stream\"\n\tsshConfigTemplate = `\nAdd to your {{.Home}}/.ssh/config:\n\n{{- if .ShortLivedCerts}}\nMatch host {{.Hostname}} exec \"{{.Cloudflared}} access ssh-gen --hostname %h\"\n ProxyCommand {{.Cloudflared}} access ssh --hostname %h\n IdentityFile ~/.cloudflared/%h-cf_key\n CertificateFile ~/.cloudflared/%h-cf_key-cert.pub\n{{- else}}\nHost {{.Hostname}}\n ProxyCommand {{.Cloudflared}} access ssh --hostname %h\n{{end}}\n`\n\tfedrampFlag = \"fedramp\"\n)\n\nconst sentryDSN = \"https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878\"\n\nvar (\n\tshutdownC chan struct{}\n\tuserAgent = \"DEV\"\n)\n\n// Init will initialize and store vars from the main program\nfunc Init(shutdown chan struct{}, version string) {\n\tshutdownC = shutdown\n\tuserAgent = fmt.Sprintf(\"cloudflared/%s\", version)\n}\n\n// Flags return the global flags for Access related commands (hopefully none)\nfunc Flags() []cli.Flag {\n\treturn []cli.Flag{} // no flags yet.\n}\n\n// Commands returns all the Access related subcommands\nfunc Commands() []*cli.Command {\n\treturn []*cli.Command{\n\t\t{\n\t\t\tName: \"access\",\n\t\t\tAliases: []string{\"forward\"},\n\t\t\tCategory: \"Access\",\n\t\t\tUsage: \"access \",\n\t\t\tFlags: []cli.Flag{&cli.BoolFlag{\n\t\t\t\tName: fedrampFlag,\n\t\t\t\tUsage: \"use when performing operations in fedramp account\",\n\t\t\t}},\n\t\t\tDescription: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access\n\t\t\tper-user and by application. With Cloudflare Access, only authenticated users with the required permissions are\n\t\t\table to reach sensitive resources. The commands provided here allow you to interact with Access protected\n\t\t\tapplications from the command line.`,\n\t\t\tSubcommands: []*cli.Command{\n\t\t\t\t{\n\t\t\t\t\tName: \"login\",\n\t\t\t\t\tAction: cliutil.Action(login),\n\t\t\t\t\tUsage: \"login \",\n\t\t\t\t\tArgsUsage: \"url of Access application\",\n\t\t\t\t\tDescription: `The login subcommand initiates an authentication flow with your identity provider.\n\t\t\t\t\tThe subcommand will launch a browser. For headless systems, a url is provided.\n\t\t\t\t\tOnce authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)\n\t\t\t\t\tscoped to your identity, the application you intend to reach, and valid for a session duration set by your\n\t\t\t\t\tadministrator. cloudflared stores the token in local storage.`,\n\t\t\t\t\tFlags: []cli.Flag{\n\t\t\t\t\t\t&cli.BoolFlag{\n\t\t\t\t\t\t\tName: loginQuietFlag,\n\t\t\t\t\t\t\tAliases: []string{\"q\"},\n\t\t\t\t\t\t\tUsage: \"do not print the jwt to the command line\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.BoolFlag{\n\t\t\t\t\t\t\tName: \"no-verbose\",\n\t\t\t\t\t\t\tUsage: \"print only the jwt to stdout\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.BoolFlag{\n\t\t\t\t\t\t\tName: \"auto-close\",\n\t\t\t\t\t\t\tUsage: \"automatically close the auth interstitial after action\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: appURLFlag,\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"curl\",\n\t\t\t\t\tAction: cliutil.Action(curl),\n\t\t\t\t\tUsage: \"curl [--allow-request, -ar] [...]\",\n\t\t\t\t\tDescription: `The curl subcommand wraps curl and automatically injects the JWT into a cf-access-token\n\t\t\t\t\theader when using curl to reach an application behind Access.`,\n\t\t\t\t\tArgsUsage: \"allow-request will allow the curl request to continue even if the jwt is not present.\",\n\t\t\t\t\tSkipFlagParsing: true,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"token\",\n\t\t\t\t\tAction: cliutil.Action(generateToken),\n\t\t\t\t\tUsage: \"token \",\n\t\t\t\t\tArgsUsage: \"url of Access application\",\n\t\t\t\t\tDescription: `The token subcommand produces a JWT which can be used to authenticate requests.`,\n\t\t\t\t\tFlags: []cli.Flag{\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: appURLFlag,\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"tcp\",\n\t\t\t\t\tAction: cliutil.Action(ssh),\n\t\t\t\t\tAliases: []string{\"rdp\", \"ssh\", \"smb\"},\n\t\t\t\t\tUsage: \"\",\n\t\t\t\t\tArgsUsage: \"\",\n\t\t\t\t\tDescription: `The tcp subcommand sends data over a proxy to the Cloudflare edge.`,\n\t\t\t\t\tFlags: []cli.Flag{\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: sshHostnameFlag,\n\t\t\t\t\t\t\tAliases: []string{\"tunnel-host\", \"T\"},\n\t\t\t\t\t\t\tUsage: \"specify the hostname of your application.\",\n\t\t\t\t\t\t\tEnvVars: []string{\"TUNNEL_SERVICE_HOSTNAME\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: sshDestinationFlag,\n\t\t\t\t\t\t\tUsage: \"specify the destination address of your SSH server.\",\n\t\t\t\t\t\t\tEnvVars: []string{\"TUNNEL_SERVICE_DESTINATION\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: sshURLFlag,\n\t\t\t\t\t\t\tAliases: []string{\"listener\", \"L\"},\n\t\t\t\t\t\t\tUsage: \"specify the host:port to forward data to Cloudflare edge.\",\n\t\t\t\t\t\t\tEnvVars: []string{\"TUNNEL_SERVICE_URL\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.StringSliceFlag{\n\t\t\t\t\t\t\tName: sshHeaderFlag,\n\t\t\t\t\t\t\tAliases: []string{\"H\"},\n\t\t\t\t\t\t\tUsage: \"specify additional headers you wish to send.\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: sshTokenIDFlag,\n\t\t\t\t\t\t\tAliases: []string{\"id\"},\n\t\t\t\t\t\t\tUsage: \"specify an Access service token ID you wish to use.\",\n\t\t\t\t\t\t\tEnvVars: []string{\"TUNNEL_SERVICE_TOKEN_ID\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: sshTokenSecretFlag,\n\t\t\t\t\t\t\tAliases: []string{\"secret\"},\n\t\t\t\t\t\t\tUsage: \"specify an Access service token secret you wish to use.\",\n\t\t\t\t\t\t\tEnvVars: []string{\"TUNNEL_SERVICE_TOKEN_SECRET\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: cfdflags.LogFile,\n\t\t\t\t\t\t\tUsage: \"Save application log to this file for reporting issues.\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: cfdflags.LogDirectory,\n\t\t\t\t\t\t\tUsage: \"Save application log to this directory for reporting issues.\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: cfdflags.LogLevelSSH,\n\t\t\t\t\t\t\tAliases: []string{\"loglevel\"}, //added to match the tunnel side\n\t\t\t\t\t\t\tUsage: \"Application logging level {debug, info, warn, error, fatal}. \",\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: sshConnectTo,\n\t\t\t\t\t\t\tHidden: true,\n\t\t\t\t\t\t\tUsage: \"Connect to alternate location for testing, value is host, host:port, or sni:port:host\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.Uint64Flag{\n\t\t\t\t\t\t\tName: sshDebugStream,\n\t\t\t\t\t\t\tHidden: true,\n\t\t\t\t\t\t\tUsage: \"Writes up-to the max provided stream payloads to the logger as debug statements.\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"ssh-config\",\n\t\t\t\t\tAction: cliutil.Action(sshConfig),\n\t\t\t\t\tUsage: \"\",\n\t\t\t\t\tDescription: `Prints an example configuration ~/.ssh/config`,\n\t\t\t\t\tFlags: []cli.Flag{\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: sshHostnameFlag,\n\t\t\t\t\t\t\tUsage: \"specify the hostname of your application.\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\t&cli.BoolFlag{\n\t\t\t\t\t\t\tName: sshGenCertFlag,\n\t\t\t\t\t\t\tUsage: \"specify if you wish to generate short lived certs.\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"ssh-gen\",\n\t\t\t\t\tAction: cliutil.Action(sshGen),\n\t\t\t\t\tUsage: \"\",\n\t\t\t\t\tDescription: `Generates a short lived certificate for given hostname`,\n\t\t\t\t\tFlags: []cli.Flag{\n\t\t\t\t\t\t&cli.StringFlag{\n\t\t\t\t\t\t\tName: sshHostnameFlag,\n\t\t\t\t\t\t\tUsage: \"specify the hostname of your application.\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n}\n\n// login pops up the browser window to do the actual login and JWT generation\nfunc login(c *cli.Context) error {\n\terr := sentry.Init(sentry.ClientOptions{\n\t\tDsn: sentryDSN,\n\t\tRelease: c.App.Version,\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\n\tappURL, err := getAppURLFromArgs(c)\n\tif err != nil {\n\t\tlog.Error().Msg(\"Please provide the url of the Access application\")\n\t\treturn err\n\t}\n\n\tappInfo, err := token.GetAppInfo(appURL)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {\n\t\tlog.Err(err).Msg(\"Could not verify token\")\n\t\treturn err\n\t}\n\n\tcfdToken, err := token.GetAppTokenIfExists(appInfo)\n\tif err != nil {\n\t\tfmt.Fprintln(os.Stderr, \"Unable to find token for provided application.\")\n\t\treturn err\n\t} else if cfdToken == \"\" {\n\t\tfmt.Fprintln(os.Stderr, \"token for provided application was empty.\")\n\t\treturn errors.New(\"empty application token\")\n\t}\n\n\tif c.Bool(loginQuietFlag) {\n\t\treturn nil\n\t}\n\n\t// Chatty by default for backward compat. The new --app flag\n\t// is an implicit opt-out of the backwards-compatible chatty output.\n\tif c.Bool(\"no-verbose\") || c.IsSet(appURLFlag) {\n\t\tfmt.Fprint(os.Stdout, cfdToken)\n\t} else {\n\t\tfmt.Fprintf(os.Stdout, \"Successfully fetched your token:\\n\\n%s\\n\\n\", cfdToken)\n\t}\n\n\treturn nil\n}\n\n// curl provides a wrapper around curl, passing Access JWT along in request\nfunc curl(c *cli.Context) error {\n\terr := sentry.Init(sentry.ClientOptions{\n\t\tDsn: sentryDSN,\n\t\tRelease: c.App.Version,\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\n\targs := c.Args()\n\tif args.Len() < 1 {\n\t\tlog.Error().Msg(\"Please provide the access app and command you wish to run.\")\n\t\treturn errors.New(\"incorrect args\")\n\t}\n\n\tcmdArgs, allowRequest := parseAllowRequest(args.Slice())\n\tappURL, err := getAppURL(cmdArgs, log)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tappInfo, err := token.GetAppInfo(appURL)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Verify that the existing token is still good; if not fetch a new one\n\tif err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {\n\t\tlog.Err(err).Msg(\"Could not verify token\")\n\t\treturn err\n\t}\n\n\ttok, err := token.GetAppTokenIfExists(appInfo)\n\tif err != nil || tok == \"\" {\n\t\tif allowRequest {\n\t\t\tlog.Info().Msg(\"You don't have an Access token set. Please run access token to fetch one.\")\n\t\t\treturn run(\"curl\", cmdArgs...)\n\t\t}\n\t\ttok, err = token.FetchToken(appURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)\n\t\tif err != nil {\n\t\t\tlog.Err(err).Msg(\"Failed to refresh token\")\n\t\t\treturn err\n\t\t}\n\t}\n\n\tcmdArgs = append(cmdArgs, \"-H\")\n\tcmdArgs = append(cmdArgs, fmt.Sprintf(\"%s: %s\", carrier.CFAccessTokenHeader, tok))\n\treturn run(\"curl\", cmdArgs...)\n}\n\n// run kicks off a shell task and pipe the results to the respective std pipes\nfunc run(cmd string, args ...string) error {\n\tc := exec.Command(cmd, args...)\n\tc.Stdin = os.Stdin\n\tstderr, err := c.StderrPipe()\n\tif err != nil {\n\t\treturn err\n\t}\n\tgo func() {\n\t\t_, _ = io.Copy(os.Stderr, stderr)\n\t}()\n\n\tstdout, err := c.StdoutPipe()\n\tif err != nil {\n\t\treturn err\n\t}\n\tgo func() {\n\t\t_, _ = io.Copy(os.Stdout, stdout)\n\t}()\n\treturn c.Run()\n}\n\nfunc getAppURLFromArgs(c *cli.Context) (*url.URL, error) {\n\tvar appURLStr string\n\targs := c.Args()\n\tif args.Len() < 1 {\n\t\tappURLStr = c.String(appURLFlag)\n\t} else {\n\t\tappURLStr = args.First()\n\t}\n\treturn parseURL(appURLStr)\n}\n\n// token dumps provided token to stdout\nfunc generateToken(c *cli.Context) error {\n\terr := sentry.Init(sentry.ClientOptions{\n\t\tDsn: sentryDSN,\n\t\tRelease: c.App.Version,\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\tappURL, err := getAppURLFromArgs(c)\n\tif err != nil {\n\t\tfmt.Fprintln(os.Stderr, \"Please provide a url.\")\n\t\treturn err\n\t}\n\n\tappInfo, err := token.GetAppInfo(appURL)\n\tif err != nil {\n\t\treturn err\n\t}\n\ttok, err := token.GetAppTokenIfExists(appInfo)\n\tif err != nil || tok == \"\" {\n\t\tfmt.Fprintln(os.Stderr, \"Unable to find token for provided application. Please run login command to generate token.\")\n\t\treturn err\n\t}\n\n\tif _, err := fmt.Fprint(os.Stdout, tok); err != nil {\n\t\tfmt.Fprintln(os.Stderr, \"Failed to write token to stdout.\")\n\t\treturn err\n\t}\n\treturn nil\n}\n\n// sshConfig prints an example SSH config to stdout\nfunc sshConfig(c *cli.Context) error {\n\tgenCertBool := c.Bool(sshGenCertFlag)\n\thostname := c.String(sshHostnameFlag)\n\tif hostname == \"\" {\n\t\thostname = \"[your hostname]\"\n\t}\n\n\ttype config struct {\n\t\tHome string\n\t\tShortLivedCerts bool\n\t\tHostname string\n\t\tCloudflared string\n\t}\n\n\tt := template.Must(template.New(\"sshConfig\").Parse(sshConfigTemplate))\n\treturn t.Execute(os.Stdout, config{Home: os.Getenv(\"HOME\"), ShortLivedCerts: genCertBool, Hostname: hostname, Cloudflared: cloudflaredPath()})\n}\n\n// sshGen generates a short lived certificate for provided hostname\nfunc sshGen(c *cli.Context) error {\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\n\t// get the hostname from the cmdline and error out if its not provided\n\trawHostName := c.String(sshHostnameFlag)\n\thostname, err := validation.ValidateHostname(rawHostName)\n\tif err != nil || rawHostName == \"\" {\n\t\treturn cli.ShowCommandHelp(c, \"ssh-gen\")\n\t}\n\n\toriginURL, err := parseURL(hostname)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// this fetchToken function mutates the appURL param. We should refactor that\n\tfetchTokenURL := &url.URL{}\n\t*fetchTokenURL = *originURL\n\n\tappInfo, err := token.GetAppInfo(fetchTokenURL)\n\tif err != nil {\n\t\treturn err\n\t}\n\tcfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif err := sshgen.GenerateShortLivedCertificate(originURL, cfdToken); err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\n// getAppURL will pull the request URL needed for fetching a user's Access token\nfunc getAppURL(cmdArgs []string, log *zerolog.Logger) (*url.URL, error) {\n\tif len(cmdArgs) < 1 {\n\t\tlog.Error().Msg(\"Please provide a valid URL as the first argument to curl.\")\n\t\treturn nil, errors.New(\"not a valid url\")\n\t}\n\n\tu, err := processURL(cmdArgs[0])\n\tif err != nil {\n\t\tlog.Error().Msg(\"Please provide a valid URL as the first argument to curl.\")\n\t\treturn nil, err\n\t}\n\n\treturn u, err\n}\n\n// parseAllowRequest will parse cmdArgs and return a copy of the args and result\n// of the allow request was present\nfunc parseAllowRequest(cmdArgs []string) ([]string, bool) {\n\tif len(cmdArgs) > 1 {\n\t\tif cmdArgs[0] == \"--allow-request\" || cmdArgs[0] == \"-ar\" {\n\t\t\treturn cmdArgs[1:], true\n\t\t}\n\t}\n\n\treturn cmdArgs, false\n}\n\n// processURL will preprocess the string (parse to a url, convert to punycode, etc).\nfunc processURL(s string) (*url.URL, error) {\n\tu, err := url.ParseRequestURI(s)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif u.Host == \"\" {\n\t\treturn nil, errors.New(\"not a valid host\")\n\t}\n\n\thost, err := idna.ToASCII(u.Hostname())\n\tif err != nil { // we fail to convert to punycode, just return the url we parsed.\n\t\treturn u, nil\n\t}\n\tif u.Port() != \"\" {\n\t\tu.Host = fmt.Sprintf(\"%s:%s\", host, u.Port())\n\t} else {\n\t\tu.Host = host\n\t}\n\n\treturn u, nil\n}\n\n// cloudflaredPath pulls the full path of cloudflared on disk\nfunc cloudflaredPath() string {\n\tpath, err := os.Executable()\n\tif err == nil && isFileThere(path) {\n\t\treturn path\n\t}\n\n\tfor _, p := range strings.Split(os.Getenv(\"PATH\"), \":\") {\n\t\tpath := fmt.Sprintf(\"%s/%s\", p, \"cloudflared\")\n\t\tif isFileThere(path) {\n\t\t\treturn path\n\t\t}\n\t}\n\treturn \"cloudflared\"\n}\n\n// isFileThere will check for the presence of candidate path\nfunc isFileThere(candidate string) bool {\n\tfi, err := os.Stat(candidate)\n\tif err != nil || fi.IsDir() || !fi.Mode().IsRegular() {\n\t\treturn false\n\t}\n\treturn true\n}\n\n// verifyTokenAtEdge checks for a token on disk, or generates a new one.\n// Then makes a request to the origin with the token to ensure it is valid.\n// Returns nil if token is valid.\nfunc verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {\n\theaders := parseRequestHeaders(c.StringSlice(sshHeaderFlag))\n\tif c.IsSet(sshTokenIDFlag) {\n\t\theaders.Add(cfAccessClientIDHeader, c.String(sshTokenIDFlag))\n\t}\n\tif c.IsSet(sshTokenSecretFlag) {\n\t\theaders.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))\n\t}\n\toptions := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers, AutoCloseInterstitial: c.Bool(cfdflags.AutoCloseInterstitial), IsFedramp: c.Bool(fedrampFlag)}\n\n\tif valid, err := isTokenValid(options, log); err != nil {\n\t\treturn err\n\t} else if valid {\n\t\treturn nil\n\t}\n\n\tif err := token.RemoveTokenIfExists(appInfo); err != nil {\n\t\treturn err\n\t}\n\n\tif valid, err := isTokenValid(options, log); err != nil {\n\t\treturn err\n\t} else if !valid {\n\t\treturn errors.New(\"failed to verify token\")\n\t}\n\n\treturn nil\n}\n\n// isTokenValid makes a request to the origin and returns true if the response was not a 302.\nfunc isTokenValid(options *carrier.StartOptions, log *zerolog.Logger) (bool, error) {\n\treq, err := carrier.BuildAccessRequest(options, log)\n\tif err != nil {\n\t\treturn false, errors.Wrap(err, \"Could not create access request\")\n\t}\n\treq.Header.Set(\"User-Agent\", userAgent)\n\n\tquery := req.URL.Query()\n\tquery.Set(\"cloudflared_token_check\", \"true\")\n\treq.URL.RawQuery = query.Encode()\n\n\t// Do not follow redirects\n\tclient := &http.Client{\n\t\tCheckRedirect: func(req *http.Request, via []*http.Request) error {\n\t\t\treturn http.ErrUseLastResponse\n\t\t},\n\t\tTimeout: time.Second * 5,\n\t}\n\tresp, err := client.Do(req)\n\tif err != nil {\n\t\treturn false, err\n\t}\n\tdefer resp.Body.Close()\n\n\t// A redirect to login means the token was invalid.\n\treturn !carrier.IsAccessResponse(resp), nil\n}\n" }, { "path": "cmd/cloudflared/access/validation.go", "content": "package access\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strings\"\n\n\t\"golang.org/x/net/http/httpguts\"\n)\n\n// parseRequestHeaders will take user-provided header values as strings \"Content-Type: application/json\" and create\n// a http.Header object.\nfunc parseRequestHeaders(values []string) http.Header {\n\theaders := make(http.Header)\n\tfor _, valuePair := range values {\n\t\theader, value, found := strings.Cut(valuePair, \":\")\n\t\tif found {\n\t\t\theaders.Add(strings.TrimSpace(header), strings.TrimSpace(value))\n\t\t}\n\t}\n\treturn headers\n}\n\n// parseHostname will attempt to convert a user provided URL string into a string with some light error checking on\n// certain expectations from the URL.\n// Will convert all HTTP URLs to HTTPS\nfunc parseURL(input string) (*url.URL, error) {\n\tif input == \"\" {\n\t\treturn nil, errors.New(\"no input provided\")\n\t}\n\tif !strings.HasPrefix(input, \"https://\") && !strings.HasPrefix(input, \"http://\") {\n\t\tinput = fmt.Sprintf(\"https://%s\", input)\n\t}\n\turl, err := url.ParseRequestURI(input)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to parse as URL: %w\", err)\n\t}\n\tif url.Scheme != \"https\" {\n\t\turl.Scheme = \"https\"\n\t}\n\tif url.Host == \"\" {\n\t\treturn nil, errors.New(\"failed to parse Host\")\n\t}\n\thost, err := httpguts.PunycodeHostPort(url.Host)\n\tif err != nil || host == \"\" {\n\t\treturn nil, err\n\t}\n\tif !httpguts.ValidHostHeader(host) {\n\t\treturn nil, errors.New(\"invalid Host provided\")\n\t}\n\turl.Host = host\n\treturn url, nil\n}\n" }, { "path": "cmd/cloudflared/access/validation_test.go", "content": "package access\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestParseRequestHeaders(t *testing.T) {\n\tvalues := parseRequestHeaders([]string{\"client: value\", \"secret: safe-value\", \"trash\", \"cf-trace-id: 000:000:0:1:asd\"})\n\tassert.Len(t, values, 3)\n\tassert.Equal(t, \"value\", values.Get(\"client\"))\n\tassert.Equal(t, \"safe-value\", values.Get(\"secret\"))\n\tassert.Equal(t, \"000:000:0:1:asd\", values.Get(\"cf-trace-id\"))\n}\n\nfunc TestParseURL(t *testing.T) {\n\tschemes := []string{\n\t\t\"http://\",\n\t\t\"https://\",\n\t\t\"\",\n\t}\n\thosts := []struct {\n\t\tinput string\n\t\texpected string\n\t}{\n\t\t{\"localhost\", \"localhost\"},\n\t\t{\"127.0.0.1\", \"127.0.0.1\"},\n\t\t{\"127.0.0.1:9090\", \"127.0.0.1:9090\"},\n\t\t{\"::1\", \"::1\"},\n\t\t{\"::1:8080\", \"::1:8080\"},\n\t\t{\"[::1]\", \"[::1]\"},\n\t\t{\"[::1]:8080\", \"[::1]:8080\"},\n\t\t{\":8080\", \":8080\"},\n\t\t{\"example.com\", \"example.com\"},\n\t\t{\"hello.example.com\", \"hello.example.com\"},\n\t\t{\"bücher.example.com\", \"xn--bcher-kva.example.com\"},\n\t}\n\tpaths := []string{\n\t\t\"\",\n\t\t\"/test\",\n\t\t\"/example.com?qwe=123\",\n\t}\n\tfor i, scheme := range schemes {\n\t\tfor j, host := range hosts {\n\t\t\tfor k, path := range paths {\n\t\t\t\tt.Run(fmt.Sprintf(\"%d_%d_%d\", i, j, k), func(t *testing.T) {\n\t\t\t\t\tinput := fmt.Sprintf(\"%s%s%s\", scheme, host.input, path)\n\t\t\t\t\texpected := fmt.Sprintf(\"%s%s%s\", \"https://\", host.expected, path)\n\t\t\t\t\turl, err := parseURL(input)\n\t\t\t\t\tassert.NoError(t, err, \"input: %s\\texpected: %s\", input, expected)\n\t\t\t\t\tassert.Equal(t, expected, url.String())\n\t\t\t\t\tassert.Equal(t, host.expected, url.Host)\n\t\t\t\t\tassert.Equal(t, \"https\", url.Scheme)\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\t}\n\n\tt.Run(\"no input\", func(t *testing.T) {\n\t\t_, err := parseURL(\"\")\n\t\tassert.ErrorContains(t, err, \"no input provided\")\n\t})\n\n\tt.Run(\"missing host\", func(t *testing.T) {\n\t\t_, err := parseURL(\"https:///host\")\n\t\tassert.ErrorContains(t, err, \"failed to parse Host\")\n\t})\n\n\tt.Run(\"invalid path only\", func(t *testing.T) {\n\t\t_, err := parseURL(\"/host\")\n\t\tassert.ErrorContains(t, err, \"failed to parse Host\")\n\t})\n\n\tt.Run(\"invalid parse URL\", func(t *testing.T) {\n\t\t_, err := parseURL(\"https://host\\\\host\")\n\t\tassert.ErrorContains(t, err, \"failed to parse as URL\")\n\t})\n}\n" }, { "path": "cmd/cloudflared/app_forward_service.go", "content": "package main\n\nimport (\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/access\"\n\t\"github.com/cloudflare/cloudflared/config\"\n)\n\n// ForwardServiceType is used to identify what kind of overwatch service this is\nconst ForwardServiceType = \"forward\"\n\n// ForwarderService is used to wrap the access package websocket forwarders\n// into a service model for the overwatch package.\n// it also holds a reference to the config object that represents its state\ntype ForwarderService struct {\n\tforwarder config.Forwarder\n\tshutdown chan struct{}\n\tlog *zerolog.Logger\n}\n\n// NewForwardService creates a new forwarder service\nfunc NewForwardService(f config.Forwarder, log *zerolog.Logger) *ForwarderService {\n\treturn &ForwarderService{forwarder: f, shutdown: make(chan struct{}, 1), log: log}\n}\n\n// Name is used to figure out this service is related to the others (normally the addr it binds to)\n// e.g. localhost:78641 or 127.0.0.1:2222 since this is a websocket forwarder\nfunc (s *ForwarderService) Name() string {\n\treturn s.forwarder.Listener\n}\n\n// Type is used to identify what kind of overwatch service this is\nfunc (s *ForwarderService) Type() string {\n\treturn ForwardServiceType\n}\n\n// Hash is used to figure out if this forwarder is the unchanged or not from the config file updates\nfunc (s *ForwarderService) Hash() string {\n\treturn s.forwarder.Hash()\n}\n\n// Shutdown stops the websocket listener\nfunc (s *ForwarderService) Shutdown() {\n\ts.shutdown <- struct{}{}\n}\n\n// Run is the run loop that is started by the overwatch service\nfunc (s *ForwarderService) Run() error {\n\treturn access.StartForwarder(s.forwarder, s.shutdown, s.log)\n}\n" }, { "path": "cmd/cloudflared/app_service.go", "content": "package main\n\nimport (\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/overwatch\"\n)\n\n// AppService is the main service that runs when no command lines flags are passed to cloudflared\n// it manages all the running services such as tunnels, forwarders, etc\ntype AppService struct {\n\tconfigManager config.Manager\n\tserviceManager overwatch.Manager\n\tshutdownC chan struct{}\n\tconfigUpdateChan chan config.Root\n\tlog *zerolog.Logger\n}\n\n// NewAppService creates a new AppService with needed supporting services\nfunc NewAppService(configManager config.Manager, serviceManager overwatch.Manager, shutdownC chan struct{}, log *zerolog.Logger) *AppService {\n\treturn &AppService{\n\t\tconfigManager: configManager,\n\t\tserviceManager: serviceManager,\n\t\tshutdownC: shutdownC,\n\t\tconfigUpdateChan: make(chan config.Root),\n\t\tlog: log,\n\t}\n}\n\n// Run starts the run loop to handle config updates and run forwarders, tunnels, etc\nfunc (s *AppService) Run() error {\n\tgo s.actionLoop()\n\treturn s.configManager.Start(s)\n}\n\n// Shutdown kills all the running services\nfunc (s *AppService) Shutdown() error {\n\ts.configManager.Shutdown()\n\ts.shutdownC <- struct{}{}\n\n\treturn nil\n}\n\n// ConfigDidUpdate is a delegate notification from the config manager\n// it is trigger when the config file has been updated and now the service needs\n// to update its services accordingly\nfunc (s *AppService) ConfigDidUpdate(c config.Root) {\n\ts.configUpdateChan <- c\n}\n\n// actionLoop handles the actions from running processes\nfunc (s *AppService) actionLoop() {\n\tfor {\n\t\tselect {\n\t\tcase c := <-s.configUpdateChan:\n\t\t\ts.handleConfigUpdate(c)\n\t\tcase <-s.shutdownC:\n\t\t\tfor _, service := range s.serviceManager.Services() {\n\t\t\t\tservice.Shutdown()\n\t\t\t}\n\t\t\treturn\n\t\t}\n\t}\n}\n\nfunc (s *AppService) handleConfigUpdate(c config.Root) {\n\t// handle the client forward listeners\n\tactiveServices := map[string]struct{}{}\n\tfor _, f := range c.Forwarders {\n\t\tservice := NewForwardService(f, s.log)\n\t\ts.serviceManager.Add(service)\n\t\tactiveServices[service.Name()] = struct{}{}\n\t}\n\n\t// TODO: TUN-1451 - tunnels\n\n\t// remove any services that are no longer active\n\tfor _, service := range s.serviceManager.Services() {\n\t\tif _, ok := activeServices[service.Name()]; !ok {\n\t\t\ts.serviceManager.Remove(service.Name())\n\t\t}\n\t}\n}\n" }, { "path": "cmd/cloudflared/cliutil/build_info.go", "content": "package cliutil\n\nimport (\n\t\"crypto/sha256\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"runtime\"\n\n\t\"github.com/rs/zerolog\"\n)\n\ntype BuildInfo struct {\n\tGoOS string `json:\"go_os\"`\n\tGoVersion string `json:\"go_version\"`\n\tGoArch string `json:\"go_arch\"`\n\tBuildType string `json:\"build_type\"`\n\tCloudflaredVersion string `json:\"cloudflared_version\"`\n\tChecksum string `json:\"checksum\"`\n}\n\nfunc GetBuildInfo(buildType, version string) *BuildInfo {\n\treturn &BuildInfo{\n\t\tGoOS: runtime.GOOS,\n\t\tGoVersion: runtime.Version(),\n\t\tGoArch: runtime.GOARCH,\n\t\tBuildType: buildType,\n\t\tCloudflaredVersion: version,\n\t\tChecksum: currentBinaryChecksum(),\n\t}\n}\n\nfunc (bi *BuildInfo) Log(log *zerolog.Logger) {\n\tlog.Info().Msgf(\"Version %s (Checksum %s)\", bi.CloudflaredVersion, bi.Checksum)\n\tif bi.BuildType != \"\" {\n\t\tlog.Info().Msgf(\"Built%s\", bi.GetBuildTypeMsg())\n\t}\n\tlog.Info().Msgf(\"GOOS: %s, GOVersion: %s, GoArch: %s\", bi.GoOS, bi.GoVersion, bi.GoArch)\n}\n\nfunc (bi *BuildInfo) OSArch() string {\n\treturn fmt.Sprintf(\"%s_%s\", bi.GoOS, bi.GoArch)\n}\n\nfunc (bi *BuildInfo) Version() string {\n\treturn bi.CloudflaredVersion\n}\n\nfunc (bi *BuildInfo) GetBuildTypeMsg() string {\n\tif bi.BuildType == \"\" {\n\t\treturn \"\"\n\t}\n\treturn fmt.Sprintf(\" with %s\", bi.BuildType)\n}\n\nfunc (bi *BuildInfo) UserAgent() string {\n\treturn fmt.Sprintf(\"cloudflared/%s\", bi.CloudflaredVersion)\n}\n\n// FileChecksum opens a file and returns the SHA256 checksum.\nfunc FileChecksum(filePath string) (string, error) {\n\tf, err := os.Open(filePath)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tdefer f.Close()\n\n\th := sha256.New()\n\tif _, err := io.Copy(h, f); err != nil {\n\t\treturn \"\", err\n\t}\n\n\treturn fmt.Sprintf(\"%x\", h.Sum(nil)), nil\n}\n\nfunc currentBinaryChecksum() string {\n\tcurrentPath, err := os.Executable()\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\tsum, _ := FileChecksum(currentPath)\n\treturn sum\n}\n" }, { "path": "cmd/cloudflared/cliutil/deprecated.go", "content": "package cliutil\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/urfave/cli/v2\"\n)\n\nfunc RemovedCommand(name string) *cli.Command {\n\treturn &cli.Command{\n\t\tName: name,\n\t\tAction: func(context *cli.Context) error {\n\t\t\treturn cli.Exit(\n\t\t\t\tfmt.Sprintf(\"%s command is no longer supported by cloudflared. Consult Cloudflare Tunnel documentation for possible alternative solutions.\", name),\n\t\t\t\t-1,\n\t\t\t)\n\t\t},\n\t\tDescription: fmt.Sprintf(\"%s is deprecated\", name),\n\t\tHidden: true,\n\t}\n}\n" }, { "path": "cmd/cloudflared/cliutil/errors.go", "content": "package cliutil\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/urfave/cli/v2\"\n)\n\ntype usageError string\n\nfunc (ue usageError) Error() string {\n\treturn string(ue)\n}\n\nfunc UsageError(format string, args ...interface{}) error {\n\tif len(args) == 0 {\n\t\treturn usageError(format)\n\t} else {\n\t\tmsg := fmt.Sprintf(format, args...)\n\t\treturn usageError(msg)\n\t}\n}\n\n// Ensures exit with error code if actionFunc returns an error\nfunc WithErrorHandler(actionFunc cli.ActionFunc) cli.ActionFunc {\n\treturn func(ctx *cli.Context) error {\n\t\terr := actionFunc(ctx)\n\t\tif err != nil {\n\t\t\tif _, ok := err.(usageError); ok {\n\t\t\t\tmsg := fmt.Sprintf(\"%s\\nSee 'cloudflared %s --help'.\", err.Error(), ctx.Command.FullName())\n\t\t\t\terr = cli.Exit(msg, -1)\n\t\t\t} else if _, ok := err.(cli.ExitCoder); !ok {\n\t\t\t\terr = cli.Exit(err.Error(), 1)\n\t\t\t}\n\t\t}\n\t\treturn err\n\t}\n}\n" }, { "path": "cmd/cloudflared/cliutil/handler.go", "content": "package cliutil\n\nimport (\n\t\"github.com/urfave/cli/v2\"\n\t\"github.com/urfave/cli/v2/altsrc\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n)\n\nfunc Action(actionFunc cli.ActionFunc) cli.ActionFunc {\n\treturn WithErrorHandler(actionFunc)\n}\n\nfunc ConfiguredAction(actionFunc cli.ActionFunc) cli.ActionFunc {\n\t// Adapt actionFunc to the type signature required by ConfiguredActionWithWarnings\n\tf := func(context *cli.Context, _ string) error {\n\t\treturn actionFunc(context)\n\t}\n\n\treturn ConfiguredActionWithWarnings(f)\n}\n\n// Just like ConfiguredAction, but accepts a second parameter with configuration warnings.\nfunc ConfiguredActionWithWarnings(actionFunc func(*cli.Context, string) error) cli.ActionFunc {\n\treturn WithErrorHandler(func(c *cli.Context) error {\n\t\twarnings, err := setFlagsFromConfigFile(c)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn actionFunc(c, warnings)\n\t})\n}\n\nfunc setFlagsFromConfigFile(c *cli.Context) (configWarnings string, err error) {\n\tconst errorExitCode = 1\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\tinputSource, warnings, err := config.ReadConfigFile(c, log)\n\tif err != nil {\n\t\tif err == config.ErrNoConfigFile {\n\t\t\treturn \"\", nil\n\t\t}\n\t\treturn \"\", cli.Exit(err, errorExitCode)\n\t}\n\n\tif err := altsrc.ApplyInputSource(c, inputSource); err != nil {\n\t\treturn \"\", cli.Exit(err, errorExitCode)\n\t}\n\treturn warnings, nil\n}\n" }, { "path": "cmd/cloudflared/cliutil/logger.go", "content": "package cliutil\n\nimport (\n\t\"github.com/urfave/cli/v2\"\n\t\"github.com/urfave/cli/v2/altsrc\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n)\n\nvar (\n\tdebugLevelWarning = \"At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. \" +\n\t\t\"This can expose sensitive information in your logs.\"\n\n\tFlagLogOutput = &cli.StringFlag{\n\t\tName: flags.LogFormatOutput,\n\t\tUsage: \"Output format for the logs (default, json)\",\n\t\tValue: flags.LogFormatOutputValueDefault,\n\t\tEnvVars: []string{\"TUNNEL_MANAGEMENT_OUTPUT\", \"TUNNEL_LOG_OUTPUT\"},\n\t}\n)\n\nfunc ConfigureLoggingFlags(shouldHide bool) []cli.Flag {\n\treturn []cli.Flag{\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: flags.LogLevel,\n\t\t\tValue: \"info\",\n\t\t\tUsage: \"Application logging level {debug, info, warn, error, fatal}. \" + debugLevelWarning,\n\t\t\tEnvVars: []string{\"TUNNEL_LOGLEVEL\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: flags.TransportLogLevel,\n\t\t\tAliases: []string{\"proto-loglevel\"}, // This flag used to be called proto-loglevel\n\t\t\tValue: \"info\",\n\t\t\tUsage: \"Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}\",\n\t\t\tEnvVars: []string{\"TUNNEL_PROTO_LOGLEVEL\", \"TUNNEL_TRANSPORT_LOGLEVEL\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: flags.LogFile,\n\t\t\tUsage: \"Save application log to this file for reporting issues.\",\n\t\t\tEnvVars: []string{\"TUNNEL_LOGFILE\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: flags.LogDirectory,\n\t\t\tUsage: \"Save application log to this directory for reporting issues.\",\n\t\t\tEnvVars: []string{\"TUNNEL_LOGDIRECTORY\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: flags.TraceOutput,\n\t\t\tUsage: \"Name of trace output file, generated when cloudflared stops.\",\n\t\t\tEnvVars: []string{\"TUNNEL_TRACE_OUTPUT\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\tFlagLogOutput,\n\t}\n}\n" }, { "path": "cmd/cloudflared/cliutil/management.go", "content": "package cliutil\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/mattn/go-colorable\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/credentials\"\n)\n\n// Error definitions for management token operations\nvar (\n\tErrNoTunnelID = errors.New(\"no tunnel ID provided\")\n\tErrInvalidTunnelID = errors.New(\"unable to parse provided tunnel id as a valid UUID\")\n)\n\n// GetManagementToken acquires a management token from Cloudflare API for the specified resource\nfunc GetManagementToken(c *cli.Context, log *zerolog.Logger, res cfapi.ManagementResource, buildInfo *BuildInfo) (string, error) {\n\tuserCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tvar apiURL string\n\tif userCreds.IsFEDEndpoint() {\n\t\tapiURL = credentials.FedRampBaseApiURL\n\t} else {\n\t\tapiURL = c.String(cfdflags.ApiURL)\n\t}\n\n\tclient, err := userCreds.Client(apiURL, buildInfo.UserAgent(), log)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\ttunnelIDString := c.Args().First()\n\tif tunnelIDString == \"\" {\n\t\treturn \"\", ErrNoTunnelID\n\t}\n\ttunnelID, err := uuid.Parse(tunnelIDString)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"%w: %v\", ErrInvalidTunnelID, err)\n\t}\n\n\ttoken, err := client.GetManagementToken(tunnelID, res)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\treturn token, nil\n}\n\n// CreateStderrLogger creates a logger that outputs to stderr to avoid interfering with stdout\nfunc CreateStderrLogger(c *cli.Context) *zerolog.Logger {\n\tlevel, levelErr := zerolog.ParseLevel(c.String(cfdflags.LogLevel))\n\tif levelErr != nil {\n\t\tlevel = zerolog.InfoLevel\n\t}\n\tvar writer io.Writer\n\tswitch c.String(cfdflags.LogFormatOutput) {\n\tcase cfdflags.LogFormatOutputValueJSON:\n\t\t// zerolog by default outputs as JSON\n\t\twriter = os.Stderr\n\tcase cfdflags.LogFormatOutputValueDefault:\n\t\t// \"default\" and unset use the same logger output format\n\t\tfallthrough\n\tdefault:\n\t\twriter = zerolog.ConsoleWriter{\n\t\t\tOut: colorable.NewColorable(os.Stderr),\n\t\t\tTimeFormat: time.RFC3339,\n\t\t}\n\t}\n\tlog := zerolog.New(writer).With().Timestamp().Logger().Level(level)\n\treturn &log\n}\n" }, { "path": "cmd/cloudflared/common_service.go", "content": "package main\n\nimport (\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel\"\n)\n\nfunc buildArgsForToken(c *cli.Context, log *zerolog.Logger) ([]string, error) {\n\ttoken := c.Args().First()\n\tif _, err := tunnel.ParseToken(token); err != nil {\n\t\treturn nil, cliutil.UsageError(\"Provided tunnel token is not valid (%s).\", err)\n\t}\n\n\treturn []string{\n\t\t\"tunnel\", \"run\", \"--token\", token,\n\t}, nil\n}\n\nfunc getServiceExtraArgsFromCliArgs(c *cli.Context, log *zerolog.Logger) ([]string, error) {\n\tif c.NArg() > 0 {\n\t\t// currently, we only support extra args for token\n\t\treturn buildArgsForToken(c, log)\n\t} else {\n\t\t// empty extra args\n\t\treturn make([]string, 0), nil\n\t}\n}\n" }, { "path": "cmd/cloudflared/flags/flags.go", "content": "package flags\n\nconst (\n\t// HaConnections specifies how many connections to make to the edge\n\tHaConnections = \"ha-connections\"\n\n\t// SshPort is the port on localhost the cloudflared ssh server will run on\n\tSshPort = \"local-ssh-port\"\n\n\t// SshIdleTimeout defines the duration a SSH session can remain idle before being closed\n\tSshIdleTimeout = \"ssh-idle-timeout\"\n\n\t// SshMaxTimeout defines the max duration a SSH session can remain open for\n\tSshMaxTimeout = \"ssh-max-timeout\"\n\n\t// SshLogUploaderBucketName is the bucket name to use for the SSH log uploader\n\tSshLogUploaderBucketName = \"bucket-name\"\n\n\t// SshLogUploaderRegionName is the AWS region name to use for the SSH log uploader\n\tSshLogUploaderRegionName = \"region-name\"\n\n\t// SshLogUploaderSecretID is the Secret id of SSH log uploader\n\tSshLogUploaderSecretID = \"secret-id\"\n\n\t// SshLogUploaderAccessKeyID is the Access key id of SSH log uploader\n\tSshLogUploaderAccessKeyID = \"access-key-id\"\n\n\t// SshLogUploaderSessionTokenID is the Session token of SSH log uploader\n\tSshLogUploaderSessionTokenID = \"session-token\"\n\n\t// SshLogUploaderS3URL is the S3 URL of SSH log uploader (e.g. don't use AWS s3 and use google storage bucket instead)\n\tSshLogUploaderS3URL = \"s3-url-host\"\n\n\t// HostKeyPath is the path of the dir to save SSH host keys too\n\tHostKeyPath = \"host-key-path\"\n\n\t// RpcTimeout is how long to wait for a Capnp RPC request to the edge\n\tRpcTimeout = \"rpc-timeout\"\n\n\t// WriteStreamTimeout sets if we should have a timeout when writing data to a stream towards the destination (edge/origin).\n\tWriteStreamTimeout = \"write-stream-timeout\"\n\n\t// QuicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.\n\t// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.\n\t// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.\n\tQuicDisablePathMTUDiscovery = \"quic-disable-pmtu-discovery\"\n\n\t// QuicConnLevelFlowControlLimit controls the max flow control limit allocated for a QUIC connection. This controls how much data is the\n\t// receiver willing to buffer. Once the limit is reached, the sender will send a DATA_BLOCKED frame to indicate it has more data to write,\n\t// but it's blocked by flow control\n\tQuicConnLevelFlowControlLimit = \"quic-connection-level-flow-control-limit\"\n\n\t// QuicStreamLevelFlowControlLimit is similar to quicConnLevelFlowControlLimit but for each QUIC stream. When the sender is blocked,\n\t// it will send a STREAM_DATA_BLOCKED frame\n\tQuicStreamLevelFlowControlLimit = \"quic-stream-level-flow-control-limit\"\n\n\t// Ui is to enable launching cloudflared in interactive UI mode\n\tUi = \"ui\"\n\n\t// ConnectorLabel is the command line flag to give a meaningful label to a specific connector\n\tConnectorLabel = \"label\"\n\n\t// MaxActiveFlows is the command line flag to set the maximum number of flows that cloudflared can be processing at the same time\n\tMaxActiveFlows = \"max-active-flows\"\n\n\t// Tag is the command line flag to set custom tags used to identify this tunnel via added HTTP request headers to the origin\n\tTag = \"tag\"\n\n\t// Protocol is the command line flag to set the protocol to use to connect to the Cloudflare Edge\n\tProtocol = \"protocol\"\n\n\t// PostQuantum is the command line flag to force the connection to Cloudflare Edge to use Post Quantum cryptography\n\tPostQuantum = \"post-quantum\"\n\n\t// Features is the command line flag to opt into various features that are still being developed or tested\n\tFeatures = \"features\"\n\n\t// EdgeIpVersion is the command line flag to set the Cloudflare Edge IP address version to connect with\n\tEdgeIpVersion = \"edge-ip-version\"\n\n\t// EdgeBindAddress is the command line flag to bind to IP address for outgoing connections to Cloudflare Edge\n\tEdgeBindAddress = \"edge-bind-address\"\n\n\t// Force is the command line flag to specify if you wish to force an action\n\tForce = \"force\"\n\n\t// Edge is the command line flag to set the address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment\n\tEdge = \"edge\"\n\n\t// Region is the command line flag to set the Cloudflare Edge region to connect to\n\tRegion = \"region\"\n\n\t// IsAutoUpdated is the command line flag to signal the new process that cloudflared has been autoupdated\n\tIsAutoUpdated = \"is-autoupdated\"\n\n\t// LBPool is the command line flag to set the name of the load balancing pool to add this origin to\n\tLBPool = \"lb-pool\"\n\n\t// Retries is the command line flag to set the maximum number of retries for connection/protocol errors\n\tRetries = \"retries\"\n\n\t// MaxEdgeAddrRetries is the command line flag to set the maximum number of times to retry on edge addrs before falling back to a lower protocol\n\tMaxEdgeAddrRetries = \"max-edge-addr-retries\"\n\n\t// GracePeriod is the command line flag to set the maximum amount of time that cloudflared waits to shut down if it is still serving requests\n\tGracePeriod = \"grace-period\"\n\n\t// ICMPV4Src is the command line flag to set the source address and the interface name to send/receive ICMPv4 messages\n\tICMPV4Src = \"icmpv4-src\"\n\n\t// ICMPV6Src is the command line flag to set the source address and the interface name to send/receive ICMPv6 messages\n\tICMPV6Src = \"icmpv6-src\"\n\n\t// Name is the command line to set the name of the tunnel\n\tName = \"name\"\n\n\t// AutoUpdateFreq is the command line for setting the frequency that cloudflared checks for updates\n\tAutoUpdateFreq = \"autoupdate-freq\"\n\n\t// NoAutoUpdate is the command line flag to disable cloudflared from checking for updates\n\tNoAutoUpdate = \"no-autoupdate\"\n\n\t// LogLevel is the command line flag for the cloudflared logging level\n\tLogLevel = \"loglevel\"\n\n\t// LogLevelSSH is the command line flag for the cloudflared ssh logging level\n\tLogLevelSSH = \"log-level\"\n\n\t// TransportLogLevel is the command line flag for the transport logging level\n\tTransportLogLevel = \"transport-loglevel\"\n\n\t// LogFile is the command line flag to define the file where application logs will be stored\n\tLogFile = \"logfile\"\n\n\t// LogDirectory is the command line flag to define the directory where application logs will be stored.\n\tLogDirectory = \"log-directory\"\n\n\t// LogFormatOutput allows the command line logs to be output as JSON.\n\tLogFormatOutput = \"output\"\n\tLogFormatOutputValueDefault = \"default\"\n\tLogFormatOutputValueJSON = \"json\"\n\n\t// TraceOutput is the command line flag to set the name of trace output file\n\tTraceOutput = \"trace-output\"\n\n\t// OriginCert is the command line flag to define the path for the origin certificate used by cloudflared\n\tOriginCert = \"origincert\"\n\n\t// Metrics is the command line flag to define the address of the metrics server\n\tMetrics = \"metrics\"\n\n\t// MetricsUpdateFreq is the command line flag to define how frequently tunnel metrics are updated\n\tMetricsUpdateFreq = \"metrics-update-freq\"\n\n\t// ApiURL is the command line flag used to define the base URL of the API\n\tApiURL = \"api-url\"\n\n\t// Virtual DNS resolver service resolver addresses to use instead of dynamically fetching them from the OS.\n\tVirtualDNSServiceResolverAddresses = \"dns-resolver-addrs\"\n\n\t// Management hostname to signify incoming management requests\n\tManagementHostname = \"management-hostname\"\n\n\t// Automatically close the login interstitial browser window after the user makes a decision.\n\tAutoCloseInterstitial = \"auto-close\"\n)\n" }, { "path": "cmd/cloudflared/generic_service.go", "content": "//go:build !windows && !darwin && !linux\n\npackage main\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\tcli \"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n)\n\nfunc runApp(app *cli.App, graceShutdownC chan struct{}) {\n\tapp.Commands = append(app.Commands, &cli.Command{\n\t\tName: \"service\",\n\t\tUsage: \"Manages the cloudflared system service (not supported on this operating system)\",\n\t\tSubcommands: []*cli.Command{\n\t\t\t{\n\t\t\t\tName: \"install\",\n\t\t\t\tUsage: \"Install cloudflared as a system service (not supported on this operating system)\",\n\t\t\t\tAction: cliutil.ConfiguredAction(installGenericService),\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"uninstall\",\n\t\t\t\tUsage: \"Uninstall the cloudflared service (not supported on this operating system)\",\n\t\t\t\tAction: cliutil.ConfiguredAction(uninstallGenericService),\n\t\t\t},\n\t\t},\n\t})\n\tapp.Run(os.Args)\n}\n\nfunc installGenericService(c *cli.Context) error {\n\treturn fmt.Errorf(\"service installation is not supported on this operating system\")\n}\n\nfunc uninstallGenericService(c *cli.Context) error {\n\treturn fmt.Errorf(\"service uninstallation is not supported on this operating system\")\n}\n" }, { "path": "cmd/cloudflared/linux_service.go", "content": "//go:build linux\n\npackage main\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n)\n\nfunc runApp(app *cli.App, _ chan struct{}) {\n\tapp.Commands = append(app.Commands, &cli.Command{\n\t\tName: \"service\",\n\t\tUsage: \"Manages the cloudflared system service\",\n\t\tSubcommands: []*cli.Command{\n\t\t\t{\n\t\t\t\tName: \"install\",\n\t\t\t\tUsage: \"Install cloudflared as a system service\",\n\t\t\t\tAction: cliutil.ConfiguredAction(installLinuxService),\n\t\t\t\tFlags: []cli.Flag{\n\t\t\t\t\tnoUpdateServiceFlag,\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"uninstall\",\n\t\t\t\tUsage: \"Uninstall the cloudflared service\",\n\t\t\t\tAction: cliutil.ConfiguredAction(uninstallLinuxService),\n\t\t\t},\n\t\t},\n\t})\n\t_ = app.Run(os.Args)\n}\n\n// The directory and files that are used by the service.\n// These are hard-coded in the templates below.\nconst (\n\tserviceConfigDir = \"/etc/cloudflared\"\n\tserviceConfigFile = \"config.yml\"\n\tserviceCredentialFile = \"cert.pem\"\n\tserviceConfigPath = serviceConfigDir + \"/\" + serviceConfigFile\n\tcloudflaredService = \"cloudflared.service\"\n\tcloudflaredUpdateService = \"cloudflared-update.service\"\n\tcloudflaredUpdateTimer = \"cloudflared-update.timer\"\n)\n\nvar systemdAllTemplates = map[string]ServiceTemplate{\n\tcloudflaredService: {\n\t\tPath: fmt.Sprintf(\"/etc/systemd/system/%s\", cloudflaredService),\n\t\tContent: `[Unit]\nDescription=cloudflared\nAfter=network-online.target\nWants=network-online.target\n\n[Service]\nTimeoutStartSec=15\nType=notify\nExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}\nRestart=on-failure\nRestartSec=5s\n\n[Install]\nWantedBy=multi-user.target\n`,\n\t},\n\tcloudflaredUpdateService: {\n\t\tPath: fmt.Sprintf(\"/etc/systemd/system/%s\", cloudflaredUpdateService),\n\t\tContent: `[Unit]\nDescription=Update cloudflared\nAfter=network-online.target\nWants=network-online.target\n\n[Service]\nExecStart=/bin/bash -c '{{ .Path }} update; code=$?; if [ $code -eq 11 ]; then systemctl restart cloudflared; exit 0; fi; exit $code'\n`,\n\t},\n\tcloudflaredUpdateTimer: {\n\t\tPath: fmt.Sprintf(\"/etc/systemd/system/%s\", cloudflaredUpdateTimer),\n\t\tContent: `[Unit]\nDescription=Update cloudflared\n\n[Timer]\nOnCalendar=daily\n\n[Install]\nWantedBy=timers.target\n`,\n\t},\n}\n\nvar sysvTemplate = ServiceTemplate{\n\tPath: \"/etc/init.d/cloudflared\",\n\tFileMode: 0755,\n\t// nolint: dupword\n\tContent: `#!/bin/sh\n# For RedHat and cousins:\n# chkconfig: 2345 99 01\n# description: cloudflared\n# processname: {{.Path}}\n### BEGIN INIT INFO\n# Provides: {{.Path}}\n# Required-Start:\n# Required-Stop:\n# Default-Start: 2 3 4 5\n# Default-Stop: 0 1 6\n# Short-Description: cloudflared\n# Description: cloudflared agent\n### END INIT INFO\nname=$(basename $(readlink -f $0))\ncmd=\"{{.Path}} --pidfile /var/run/$name.pid {{ range .ExtraArgs }} {{ . }}{{ end }}\"\npid_file=\"/var/run/$name.pid\"\nstdout_log=\"/var/log/$name.log\"\nstderr_log=\"/var/log/$name.err\"\n[ -e /etc/sysconfig/$name ] && . /etc/sysconfig/$name\nget_pid() {\n cat \"$pid_file\"\n}\nis_running() {\n [ -f \"$pid_file\" ] && ps $(get_pid) > /dev/null 2>&1\n}\ncase \"$1\" in\n start)\n if is_running; then\n echo \"Already started\"\n else\n echo \"Starting $name\"\n $cmd >> \"$stdout_log\" 2>> \"$stderr_log\" &\n echo $! > \"$pid_file\"\n fi\n ;;\n stop)\n if is_running; then\n echo -n \"Stopping $name..\"\n kill $(get_pid)\n for i in {1..10}\n do\n if ! is_running; then\n break\n fi\n echo -n \".\"\n sleep 1\n done\n echo\n if is_running; then\n echo \"Not stopped; may still be shutting down or shutdown may have failed\"\n exit 1\n else\n echo \"Stopped\"\n if [ -f \"$pid_file\" ]; then\n rm \"$pid_file\"\n fi\n fi\n else\n echo \"Not running\"\n fi\n ;;\n restart)\n $0 stop\n if is_running; then\n echo \"Unable to stop, will not attempt to start\"\n exit 1\n fi\n $0 start\n ;;\n status)\n if is_running; then\n echo \"Running\"\n else\n echo \"Stopped\"\n exit 1\n fi\n ;;\n *)\n echo \"Usage: $0 {start|stop|restart|status}\"\n exit 1\n ;;\nesac\nexit 0\n`,\n}\n\nvar noUpdateServiceFlag = &cli.BoolFlag{\n\tName: \"no-update-service\",\n\tUsage: \"Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.\",\n\tValue: false,\n}\n\nfunc isSystemd() bool {\n\tif _, err := os.Stat(\"/run/systemd/system\"); err == nil {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc installLinuxService(c *cli.Context) error {\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\n\tetPath, err := os.Executable()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error determining executable path: %v\", err)\n\t}\n\ttemplateArgs := ServiceTemplateArgs{\n\t\tPath: etPath,\n\t}\n\n\t// Check if the \"no update flag\" is set\n\tautoUpdate := !c.IsSet(noUpdateServiceFlag.Name)\n\n\tvar extraArgsFunc func(c *cli.Context, log *zerolog.Logger) ([]string, error)\n\tif c.NArg() == 0 {\n\t\textraArgsFunc = buildArgsForConfig\n\t} else {\n\t\textraArgsFunc = buildArgsForToken\n\t}\n\n\textraArgs, err := extraArgsFunc(c, log)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\ttemplateArgs.ExtraArgs = extraArgs\n\n\tswitch {\n\tcase isSystemd():\n\t\tlog.Info().Msgf(\"Using Systemd\")\n\t\terr = installSystemd(&templateArgs, autoUpdate, log)\n\tdefault:\n\t\tlog.Info().Msgf(\"Using SysV\")\n\t\terr = installSysv(&templateArgs, autoUpdate, log)\n\t}\n\n\tif err == nil {\n\t\tlog.Info().Msg(\"Linux service for cloudflared installed successfully\")\n\t}\n\treturn err\n}\n\nfunc buildArgsForConfig(c *cli.Context, log *zerolog.Logger) ([]string, error) {\n\tif err := ensureConfigDirExists(serviceConfigDir); err != nil {\n\t\treturn nil, err\n\t}\n\n\tsrc, _, err := config.ReadConfigFile(c, log)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// can't use context because this command doesn't define \"credentials-file\" flag\n\tconfigPresent := func(s string) bool {\n\t\tval, err := src.String(s)\n\t\treturn err == nil && val != \"\"\n\t}\n\tif src.TunnelID == \"\" || !configPresent(tunnel.CredFileFlag) {\n\t\treturn nil, fmt.Errorf(`Configuration file %s must contain entries for the tunnel to run and its associated credentials:\ntunnel: TUNNEL-UUID\ncredentials-file: CREDENTIALS-FILE\n`, src.Source())\n\t}\n\tif src.Source() != serviceConfigPath {\n\t\tif exists, err := config.FileExists(serviceConfigPath); err != nil || exists {\n\t\t\treturn nil, fmt.Errorf(\"Possible conflicting configuration in %[1]s and %[2]s. Either remove %[2]s or run `cloudflared --config %[2]s service install`\", src.Source(), serviceConfigPath)\n\t\t}\n\n\t\tif err := copyFile(src.Source(), serviceConfigPath); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to copy %s to %s: %w\", src.Source(), serviceConfigPath, err)\n\t\t}\n\t}\n\n\treturn []string{\n\t\t\"--config\", \"/etc/cloudflared/config.yml\", \"tunnel\", \"run\",\n\t}, nil\n}\n\nfunc installSystemd(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {\n\tvar systemdTemplates []ServiceTemplate\n\tif autoUpdate {\n\t\tsystemdTemplates = []ServiceTemplate{\n\t\t\tsystemdAllTemplates[cloudflaredService],\n\t\t\tsystemdAllTemplates[cloudflaredUpdateService],\n\t\t\tsystemdAllTemplates[cloudflaredUpdateTimer],\n\t\t}\n\t} else {\n\t\tsystemdTemplates = []ServiceTemplate{\n\t\t\tsystemdAllTemplates[cloudflaredService],\n\t\t}\n\t}\n\n\tfor _, serviceTemplate := range systemdTemplates {\n\t\terr := serviceTemplate.Generate(templateArgs)\n\t\tif err != nil {\n\t\t\tlog.Err(err).Msg(\"error generating service template\")\n\t\t\treturn err\n\t\t}\n\t}\n\tif err := runCommand(\"systemctl\", \"enable\", cloudflaredService); err != nil {\n\t\tlog.Err(err).Msgf(\"systemctl enable %s error\", cloudflaredService)\n\t\treturn err\n\t}\n\n\tif autoUpdate {\n\t\tif err := runCommand(\"systemctl\", \"start\", cloudflaredUpdateTimer); err != nil {\n\t\t\tlog.Err(err).Msgf(\"systemctl start %s error\", cloudflaredUpdateTimer)\n\t\t\treturn err\n\t\t}\n\t}\n\n\tif err := runCommand(\"systemctl\", \"daemon-reload\"); err != nil {\n\t\tlog.Err(err).Msg(\"systemctl daemon-reload error\")\n\t\treturn err\n\t}\n\treturn runCommand(\"systemctl\", \"start\", cloudflaredService)\n}\n\nfunc installSysv(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {\n\tconfPath, err := sysvTemplate.ResolvePath()\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"error resolving system path\")\n\t\treturn err\n\t}\n\n\tif autoUpdate {\n\t\ttemplateArgs.ExtraArgs = append([]string{\"--autoupdate-freq 24h0m0s\"}, templateArgs.ExtraArgs...)\n\t} else {\n\t\ttemplateArgs.ExtraArgs = append([]string{\"--no-autoupdate\"}, templateArgs.ExtraArgs...)\n\t}\n\n\tif err := sysvTemplate.Generate(templateArgs); err != nil {\n\t\tlog.Err(err).Msg(\"error generating system template\")\n\t\treturn err\n\t}\n\tfor _, i := range [...]string{\"2\", \"3\", \"4\", \"5\"} {\n\t\tif err := os.Symlink(confPath, \"/etc/rc\"+i+\".d/S50et\"); err != nil {\n\t\t\tcontinue\n\t\t}\n\t}\n\tfor _, i := range [...]string{\"0\", \"1\", \"6\"} {\n\t\tif err := os.Symlink(confPath, \"/etc/rc\"+i+\".d/K02et\"); err != nil {\n\t\t\tcontinue\n\t\t}\n\t}\n\treturn runCommand(\"service\", \"cloudflared\", \"start\")\n}\n\nfunc uninstallLinuxService(c *cli.Context) error {\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\n\tvar err error\n\tswitch {\n\tcase isSystemd():\n\t\tlog.Info().Msg(\"Using Systemd\")\n\t\terr = uninstallSystemd(log)\n\tdefault:\n\t\tlog.Info().Msg(\"Using SysV\")\n\t\terr = uninstallSysv(log)\n\t}\n\n\tif err == nil {\n\t\tlog.Info().Msg(\"Linux service for cloudflared uninstalled successfully\")\n\t}\n\treturn err\n}\n\nfunc uninstallSystemd(log *zerolog.Logger) error {\n\t// Get only the installed services\n\tinstalledServices := make(map[string]ServiceTemplate)\n\tfor serviceName, serviceTemplate := range systemdAllTemplates {\n\t\tif err := runCommand(\"systemctl\", \"list-units\", \"--all\", \"|\", \"grep\", serviceName); err == nil {\n\t\t\tinstalledServices[serviceName] = serviceTemplate\n\t\t} else {\n\t\t\tlog.Info().Msgf(\"Service '%s' not installed, skipping its uninstall\", serviceName)\n\t\t}\n\t}\n\n\tif _, exists := installedServices[cloudflaredService]; exists {\n\t\tif err := runCommand(\"systemctl\", \"disable\", cloudflaredService); err != nil {\n\t\t\tlog.Err(err).Msgf(\"systemctl disable %s error\", cloudflaredService)\n\t\t\treturn err\n\t\t}\n\t\tif err := runCommand(\"systemctl\", \"stop\", cloudflaredService); err != nil {\n\t\t\tlog.Err(err).Msgf(\"systemctl stop %s error\", cloudflaredService)\n\t\t\treturn err\n\t\t}\n\t}\n\n\tif _, exists := installedServices[cloudflaredUpdateTimer]; exists {\n\t\tif err := runCommand(\"systemctl\", \"stop\", cloudflaredUpdateTimer); err != nil {\n\t\t\tlog.Err(err).Msgf(\"systemctl stop %s error\", cloudflaredUpdateTimer)\n\t\t\treturn err\n\t\t}\n\t}\n\n\tfor _, serviceTemplate := range installedServices {\n\t\tif err := serviceTemplate.Remove(); err != nil {\n\t\t\tlog.Err(err).Msg(\"error removing service template\")\n\t\t\treturn err\n\t\t}\n\t}\n\tif err := runCommand(\"systemctl\", \"daemon-reload\"); err != nil {\n\t\tlog.Err(err).Msg(\"systemctl daemon-reload error\")\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc uninstallSysv(log *zerolog.Logger) error {\n\tif err := runCommand(\"service\", \"cloudflared\", \"stop\"); err != nil {\n\t\tlog.Err(err).Msg(\"service cloudflared stop error\")\n\t\treturn err\n\t}\n\tif err := sysvTemplate.Remove(); err != nil {\n\t\tlog.Err(err).Msg(\"error removing service template\")\n\t\treturn err\n\t}\n\tfor _, i := range [...]string{\"2\", \"3\", \"4\", \"5\"} {\n\t\tif err := os.Remove(\"/etc/rc\" + i + \".d/S50et\"); err != nil {\n\t\t\tcontinue\n\t\t}\n\t}\n\tfor _, i := range [...]string{\"0\", \"1\", \"6\"} {\n\t\tif err := os.Remove(\"/etc/rc\" + i + \".d/K02et\"); err != nil {\n\t\t\tcontinue\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc ensureConfigDirExists(configDir string) error {\n\tok, err := config.FileExists(configDir)\n\tif !ok && err == nil {\n\t\terr = os.Mkdir(configDir, 0755)\n\t}\n\treturn err\n}\n\nfunc copyFile(src, dest string) error {\n\tsrcFile, err := os.Open(src)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer srcFile.Close()\n\n\tdestFile, err := os.Create(dest)\n\tif err != nil {\n\t\treturn err\n\t}\n\tok := false\n\tdefer func() {\n\t\tdestFile.Close()\n\t\tif !ok {\n\t\t\t_ = os.Remove(dest)\n\t\t}\n\t}()\n\n\tif _, err := io.Copy(destFile, srcFile); err != nil {\n\t\treturn err\n\t}\n\n\tok = true\n\treturn nil\n}\n" }, { "path": "cmd/cloudflared/macos_service.go", "content": "//go:build darwin\n\npackage main\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\thomedir \"github.com/mitchellh/go-homedir\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n)\n\nconst (\n\tlaunchdIdentifier = \"com.cloudflare.cloudflared\"\n)\n\nfunc runApp(app *cli.App, _ chan struct{}) {\n\tapp.Commands = append(app.Commands, &cli.Command{\n\t\tName: \"service\",\n\t\tUsage: \"Manages the cloudflared launch agent\",\n\t\tSubcommands: []*cli.Command{\n\t\t\t{\n\t\t\t\tName: \"install\",\n\t\t\t\tUsage: \"Install cloudflared as an user launch agent\",\n\t\t\t\tAction: cliutil.ConfiguredAction(installLaunchd),\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"uninstall\",\n\t\t\t\tUsage: \"Uninstall the cloudflared launch agent\",\n\t\t\t\tAction: cliutil.ConfiguredAction(uninstallLaunchd),\n\t\t\t},\n\t\t},\n\t})\n\t_ = app.Run(os.Args)\n}\n\nfunc newLaunchdTemplate(installPath, stdoutPath, stderrPath string) *ServiceTemplate {\n\treturn &ServiceTemplate{\n\t\tPath: installPath,\n\t\tContent: fmt.Sprintf(`\n\n\n\t\n\t\tLabel\n\t\t%s\n\t\tProgramArguments\n\t\t\n\t\t\t{{ .Path }}\n\t\t\t{{- range $i, $item := .ExtraArgs}}\n\t\t\t{{ $item }}\n\t\t\t{{- end}}\n\t\t\n\t\tRunAtLoad\n\t\t\n\t\tStandardOutPath\n\t\t%s\n\t\tStandardErrorPath\n\t\t%s\n\t\tKeepAlive\n\t\t\n\t\t\tSuccessfulExit\n\t\t\t\n\t\t\n\t\tThrottleInterval\n\t\t5\n\t\n`, launchdIdentifier, stdoutPath, stderrPath),\n\t}\n}\n\nfunc isRootUser() bool {\n\treturn os.Geteuid() == 0\n}\n\nfunc installPath() (string, error) {\n\t// User is root, use /Library/LaunchDaemons instead of home directory\n\tif isRootUser() {\n\t\treturn fmt.Sprintf(\"/Library/LaunchDaemons/%s.plist\", launchdIdentifier), nil\n\t}\n\tuserHomeDir, err := userHomeDir()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn fmt.Sprintf(\"%s/Library/LaunchAgents/%s.plist\", userHomeDir, launchdIdentifier), nil\n}\n\nfunc stdoutPath() (string, error) {\n\tif isRootUser() {\n\t\treturn fmt.Sprintf(\"/Library/Logs/%s.out.log\", launchdIdentifier), nil\n\t}\n\tuserHomeDir, err := userHomeDir()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn fmt.Sprintf(\"%s/Library/Logs/%s.out.log\", userHomeDir, launchdIdentifier), nil\n}\n\nfunc stderrPath() (string, error) {\n\tif isRootUser() {\n\t\treturn fmt.Sprintf(\"/Library/Logs/%s.err.log\", launchdIdentifier), nil\n\t}\n\tuserHomeDir, err := userHomeDir()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn fmt.Sprintf(\"%s/Library/Logs/%s.err.log\", userHomeDir, launchdIdentifier), nil\n}\n\nfunc installLaunchd(c *cli.Context) error {\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\n\tif isRootUser() {\n\t\tlog.Info().Msg(\"Installing cloudflared client as a system launch daemon. \" +\n\t\t\t\"cloudflared client will run at boot\")\n\t} else {\n\t\tlog.Info().Msg(\"Installing cloudflared client as an user launch agent. \" +\n\t\t\t\"Note that cloudflared client will only run when the user is logged in. \" +\n\t\t\t\"If you want to run cloudflared client at boot, install with root permission. \" +\n\t\t\t\"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/macos/\")\n\t}\n\tetPath, err := os.Executable()\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"Error determining executable path\")\n\t\treturn fmt.Errorf(\"Error determining executable path: %v\", err)\n\t}\n\tinstallPath, err := installPath()\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"Error determining install path\")\n\t\treturn errors.Wrap(err, \"Error determining install path\")\n\t}\n\textraArgs, err := getServiceExtraArgsFromCliArgs(c, log)\n\tif err != nil {\n\t\terrMsg := \"Unable to determine extra arguments for launch daemon\"\n\t\tlog.Err(err).Msg(errMsg)\n\t\treturn errors.Wrap(err, errMsg)\n\t}\n\n\tstdoutPath, err := stdoutPath()\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"error determining stdout path\")\n\t\treturn errors.Wrap(err, \"error determining stdout path\")\n\t}\n\tstderrPath, err := stderrPath()\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"error determining stderr path\")\n\t\treturn errors.Wrap(err, \"error determining stderr path\")\n\t}\n\tlaunchdTemplate := newLaunchdTemplate(installPath, stdoutPath, stderrPath)\n\ttemplateArgs := ServiceTemplateArgs{Path: etPath, ExtraArgs: extraArgs}\n\terr = launchdTemplate.Generate(&templateArgs)\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"error generating launchd template\")\n\t\treturn err\n\t}\n\tplistPath, err := launchdTemplate.ResolvePath()\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"error resolving launchd template path\")\n\t\treturn err\n\t}\n\n\tlog.Info().Msgf(\"Outputs are logged to %s and %s\", stderrPath, stdoutPath)\n\terr = runCommand(\"launchctl\", \"load\", plistPath)\n\tif err == nil {\n\t\tlog.Info().Msg(\"MacOS service for cloudflared installed successfully\")\n\t}\n\treturn err\n}\n\nfunc uninstallLaunchd(c *cli.Context) error {\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\n\tif isRootUser() {\n\t\tlog.Info().Msg(\"Uninstalling cloudflared as a system launch daemon\")\n\t} else {\n\t\tlog.Info().Msg(\"Uninstalling cloudflared as a user launch agent\")\n\t}\n\tinstallPath, err := installPath()\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"error determining install path\")\n\t}\n\tstdoutPath, err := stdoutPath()\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"error determining stdout path\")\n\t}\n\tstderrPath, err := stderrPath()\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"error determining stderr path\")\n\t}\n\tlaunchdTemplate := newLaunchdTemplate(installPath, stdoutPath, stderrPath)\n\tplistPath, err := launchdTemplate.ResolvePath()\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"error resolving launchd template path\")\n\t\treturn err\n\t}\n\terr = runCommand(\"launchctl\", \"unload\", plistPath)\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"error unloading launchd\")\n\t\treturn err\n\t}\n\n\terr = launchdTemplate.Remove()\n\tif err == nil {\n\t\tlog.Info().Msg(\"Launchd for cloudflared was uninstalled successfully\")\n\t}\n\treturn err\n}\n\nfunc userHomeDir() (string, error) {\n\t// This returns the home dir of the executing user using OS-specific method\n\t// for discovering the home dir. It's not recommended to call this function\n\t// when the user has root permission as $HOME depends on what options the user\n\t// use with sudo.\n\thomeDir, err := homedir.Dir()\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"Cannot determine home directory for the user\")\n\t}\n\treturn homeDir, nil\n}\n" }, { "path": "cmd/cloudflared/main.go", "content": "package main\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go\"\n\t\"github.com/urfave/cli/v2\"\n\t\"go.uber.org/automaxprocs/maxprocs\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/access\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/management\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/tail\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/updater\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n\t\"github.com/cloudflare/cloudflared/metrics\"\n\t\"github.com/cloudflare/cloudflared/overwatch\"\n\t\"github.com/cloudflare/cloudflared/token\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n\t\"github.com/cloudflare/cloudflared/watcher\"\n)\n\nconst (\n\tversionText = \"Print the version\"\n)\n\nvar (\n\tVersion = \"DEV\"\n\tBuildTime = \"unknown\"\n\tBuildType = \"\"\n\t// Mostly network errors that we don't want reported back to Sentry, this is done by substring match.\n\tignoredErrors = []string{\n\t\t\"connection reset by peer\",\n\t\t\"An existing connection was forcibly closed by the remote host.\",\n\t\t\"use of closed connection\",\n\t\t\"You need to enable Argo Smart Routing\",\n\t\t\"3001 connection closed\",\n\t\t\"3002 connection dropped\",\n\t\t\"rpc exception: dial tcp\",\n\t\t\"rpc exception: EOF\",\n\t}\n)\n\nfunc main() {\n\t// FIXME: TUN-8148: Disable QUIC_GO ECN due to bugs in proper detection if supported\n\tos.Setenv(\"QUIC_GO_DISABLE_ECN\", \"1\")\n\tmetrics.RegisterBuildInfo(BuildType, BuildTime, Version)\n\t_, _ = maxprocs.Set()\n\tbInfo := cliutil.GetBuildInfo(BuildType, Version)\n\n\t// Graceful shutdown channel used by the app. When closed, app must terminate gracefully.\n\t// Windows service manager closes this channel when it receives stop command.\n\tgraceShutdownC := make(chan struct{})\n\n\tcli.VersionFlag = &cli.BoolFlag{\n\t\tName: \"version\",\n\t\tAliases: []string{\"v\", \"V\"},\n\t\tUsage: versionText,\n\t}\n\n\tapp := &cli.App{}\n\tapp.Name = \"cloudflared\"\n\tapp.Usage = \"Cloudflare's command-line tool and agent\"\n\tapp.UsageText = \"cloudflared [global options] [command] [command options]\"\n\tapp.Copyright = fmt.Sprintf(\n\t\t`(c) %d Cloudflare Inc.\n Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept\n the terms of the Apache License Version 2.0 (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/license),\n Terms (https://www.cloudflare.com/terms/) and Privacy Policy (https://www.cloudflare.com/privacypolicy/).`,\n\t\ttime.Now().Year(),\n\t)\n\tapp.Version = fmt.Sprintf(\"%s (built %s%s)\", Version, BuildTime, bInfo.GetBuildTypeMsg())\n\tapp.Description = `cloudflared connects your machine or user identity to Cloudflare's global network.\n\tYou can use it to authenticate a session to reach an API behind Access, route web traffic to this machine,\n\tand configure access control.\n\n\tSee https://developers.cloudflare.com/cloudflare-one/connections/connect-apps for more in-depth documentation.`\n\tapp.Flags = flags()\n\tapp.Action = action(graceShutdownC)\n\tapp.Commands = commands(cli.ShowVersion)\n\n\ttunnel.Init(bInfo, graceShutdownC) // we need this to support the tunnel sub command...\n\taccess.Init(graceShutdownC, Version)\n\tupdater.Init(bInfo)\n\ttracing.Init(Version)\n\ttoken.Init(Version)\n\ttail.Init(bInfo)\n\tmanagement.Init(bInfo)\n\trunApp(app, graceShutdownC)\n}\n\nfunc commands(version func(c *cli.Context)) []*cli.Command {\n\tcmds := []*cli.Command{\n\t\t{\n\t\t\tName: \"update\",\n\t\t\tAction: cliutil.ConfiguredAction(updater.Update),\n\t\t\tUsage: \"Update the agent if a new version exists\",\n\t\t\tFlags: []cli.Flag{\n\t\t\t\t&cli.BoolFlag{\n\t\t\t\t\tName: \"beta\",\n\t\t\t\t\tUsage: \"specify if you wish to update to the latest beta version\",\n\t\t\t\t},\n\t\t\t\t&cli.BoolFlag{\n\t\t\t\t\tName: cfdflags.Force,\n\t\t\t\t\tUsage: \"specify if you wish to force an upgrade to the latest version regardless of the current version\",\n\t\t\t\t\tHidden: true,\n\t\t\t\t},\n\t\t\t\t&cli.BoolFlag{\n\t\t\t\t\tName: \"staging\",\n\t\t\t\t\tUsage: \"specify if you wish to use the staging url for updating\",\n\t\t\t\t\tHidden: true,\n\t\t\t\t},\n\t\t\t\t&cli.StringFlag{\n\t\t\t\t\tName: \"version\",\n\t\t\t\t\tUsage: \"specify a version you wish to upgrade or downgrade to\",\n\t\t\t\t\tHidden: false,\n\t\t\t\t},\n\t\t\t},\n\t\t\tDescription: `Looks for a new version on the official download server.\nIf a new version exists, updates the agent binary and quits.\nOtherwise, does nothing.\n\nTo determine if an update happened in a script, check for error code 11.`,\n\t\t},\n\t\t{\n\t\t\tName: \"version\",\n\t\t\tAction: func(c *cli.Context) (err error) {\n\t\t\t\tif c.Bool(\"short\") {\n\t\t\t\t\tfmt.Println(strings.Split(c.App.Version, \" \")[0])\n\t\t\t\t\treturn nil\n\t\t\t\t}\n\t\t\t\tversion(c)\n\t\t\t\treturn nil\n\t\t\t},\n\t\t\tUsage: versionText,\n\t\t\tDescription: versionText,\n\t\t\tFlags: []cli.Flag{\n\t\t\t\t&cli.BoolFlag{\n\t\t\t\t\tName: \"short\",\n\t\t\t\t\tAliases: []string{\"s\"},\n\t\t\t\t\tUsage: \"print just the version number\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tcmds = append(cmds, tunnel.Commands()...)\n\tcmds = append(cmds, proxydns.Command()) // removed feature, only here for error message\n\tcmds = append(cmds, access.Commands()...)\n\tcmds = append(cmds, tail.Command())\n\tcmds = append(cmds, management.Command())\n\treturn cmds\n}\n\nfunc flags() []cli.Flag {\n\tflags := tunnel.Flags()\n\treturn append(flags, access.Flags()...)\n}\n\nfunc isEmptyInvocation(c *cli.Context) bool {\n\treturn c.NArg() == 0 && c.NumFlags() == 0\n}\n\nfunc action(graceShutdownC chan struct{}) cli.ActionFunc {\n\treturn cliutil.ConfiguredAction(func(c *cli.Context) (err error) {\n\t\tif isEmptyInvocation(c) {\n\t\t\treturn handleServiceMode(c, graceShutdownC)\n\t\t}\n\t\tfunc() {\n\t\t\tdefer sentry.Recover()\n\t\t\terr = tunnel.TunnelCommand(c)\n\t\t}()\n\t\tif err != nil {\n\t\t\tcaptureError(err)\n\t\t}\n\t\treturn err\n\t})\n}\n\n// In order to keep the amount of noise sent to Sentry low, typical network errors can be filtered out here by a substring match.\nfunc captureError(err error) {\n\terrorMessage := err.Error()\n\tfor _, ignoredErrorMessage := range ignoredErrors {\n\t\tif strings.Contains(errorMessage, ignoredErrorMessage) {\n\t\t\treturn\n\t\t}\n\t}\n\tsentry.CaptureException(err)\n}\n\n// cloudflared was started without any flags\nfunc handleServiceMode(c *cli.Context, shutdownC chan struct{}) error {\n\tlog := logger.CreateLoggerFromContext(c, logger.DisableTerminalLog)\n\n\t// start the main run loop that reads from the config file\n\tf, err := watcher.NewFile()\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"Cannot load config file\")\n\t\treturn err\n\t}\n\n\tconfigPath := config.FindOrCreateConfigPath()\n\tconfigManager, err := config.NewFileManager(f, configPath, log)\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"Cannot setup config file for monitoring\")\n\t\treturn err\n\t}\n\tlog.Info().Msgf(\"monitoring config file at: %s\", configPath)\n\n\tserviceCallback := func(t string, name string, err error) {\n\t\tif err != nil {\n\t\t\tlog.Err(err).Msgf(\"%s service: %s encountered an error\", t, name)\n\t\t}\n\t}\n\tserviceManager := overwatch.NewAppManager(serviceCallback)\n\n\tappService := NewAppService(configManager, serviceManager, shutdownC, log)\n\tif err := appService.Run(); err != nil {\n\t\tlog.Err(err).Msg(\"Failed to start app service\")\n\t\treturn err\n\t}\n\treturn nil\n}\n" }, { "path": "cmd/cloudflared/management/cmd.go", "content": "package management\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/credentials\"\n)\n\nvar buildInfo *cliutil.BuildInfo\n\n// Init initializes the management package with build info\nfunc Init(bi *cliutil.BuildInfo) {\n\tbuildInfo = bi\n}\n\n// Command returns the management command with its subcommands\nfunc Command() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"management\",\n\t\tUsage: \"Monitor cloudflared tunnels via management API\",\n\t\tCategory: \"Management\",\n\t\tHidden: true,\n\t\tSubcommands: []*cli.Command{\n\t\t\tbuildTokenSubcommand(),\n\t\t},\n\t}\n}\n\n// buildTokenSubcommand creates the token subcommand\nfunc buildTokenSubcommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"token\",\n\t\tAction: cliutil.ConfiguredAction(tokenCommand),\n\t\tUsage: \"Get management access jwt for a specific resource\",\n\t\tUsageText: \"cloudflared management token --resource TUNNEL_ID\",\n\t\tDescription: \"Get management access jwt for a tunnel with specified resource permissions (logs, admin, host_details)\",\n\t\tHidden: true,\n\t\tFlags: []cli.Flag{\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"resource\",\n\t\t\t\tUsage: \"Resource type for token permissions: logs, admin, or host_details\",\n\t\t\t\tRequired: true,\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: cfdflags.OriginCert,\n\t\t\t\tUsage: \"Path to the certificate generated for your origin when you run cloudflared login.\",\n\t\t\t\tEnvVars: []string{\"TUNNEL_ORIGIN_CERT\"},\n\t\t\t\tValue: credentials.FindDefaultOriginCertPath(),\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: cfdflags.LogLevel,\n\t\t\t\tValue: \"info\",\n\t\t\t\tUsage: \"Application logging level {debug, info, warn, error, fatal}\",\n\t\t\t\tEnvVars: []string{\"TUNNEL_LOGLEVEL\"},\n\t\t\t},\n\t\t\tcliutil.FlagLogOutput,\n\t\t},\n\t}\n}\n\n// tokenCommand handles the token subcommand execution\nfunc tokenCommand(c *cli.Context) error {\n\tlog := cliutil.CreateStderrLogger(c)\n\n\t// Parse and validate resource flag\n\tresourceStr := c.String(\"resource\")\n\tresource, err := parseResource(resourceStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid resource '%s': %w\", resourceStr, err)\n\t}\n\n\t// Get management token\n\ttoken, err := cliutil.GetManagementToken(c, log, resource, buildInfo)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Output JSON to stdout\n\ttokenResponse := struct {\n\t\tToken string `json:\"token\"`\n\t}{Token: token}\n\n\treturn json.NewEncoder(os.Stdout).Encode(tokenResponse)\n}\n\n// parseResource converts resource string to ManagementResource enum\nfunc parseResource(resource string) (cfapi.ManagementResource, error) {\n\tswitch resource {\n\tcase \"logs\":\n\t\treturn cfapi.Logs, nil\n\tcase \"admin\":\n\t\treturn cfapi.Admin, nil\n\tcase \"host_details\":\n\t\treturn cfapi.HostDetails, nil\n\tdefault:\n\t\treturn 0, fmt.Errorf(\"must be one of: logs, admin, host_details\")\n\t}\n}\n" }, { "path": "cmd/cloudflared/management/cmd_test.go", "content": "package management\n\nimport (\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n)\n\nfunc TestParseResource_ValidResources(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tinput string\n\t\texpected cfapi.ManagementResource\n\t}{\n\t\t{\"logs\", cfapi.Logs},\n\t\t{\"admin\", cfapi.Admin},\n\t\t{\"host_details\", cfapi.HostDetails},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.input, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tresult, err := parseResource(tt.input)\n\t\t\trequire.NoError(t, err)\n\t\t\tassert.Equal(t, tt.expected, result)\n\t\t})\n\t}\n}\n\nfunc TestParseResource_InvalidResource(t *testing.T) {\n\tt.Parallel()\n\n\tinvalid := []string{\"invalid\", \"LOGS\", \"Admin\", \"\", \"metrics\", \"host-details\"}\n\n\tfor _, input := range invalid {\n\t\tt.Run(input, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\t_, err := parseResource(input)\n\t\t\trequire.Error(t, err)\n\t\t\tassert.Contains(t, err.Error(), \"must be one of\")\n\t\t})\n\t}\n}\n\nfunc TestCommandStructure(t *testing.T) {\n\tt.Parallel()\n\n\tcmd := Command()\n\n\tassert.Equal(t, \"management\", cmd.Name)\n\tassert.True(t, cmd.Hidden)\n\tassert.Len(t, cmd.Subcommands, 1)\n\n\ttokenCmd := cmd.Subcommands[0]\n\tassert.Equal(t, \"token\", tokenCmd.Name)\n\tassert.True(t, tokenCmd.Hidden)\n\n\t// Verify required flags exist\n\tvar hasResourceFlag bool\n\tfor _, flag := range tokenCmd.Flags {\n\t\tif flag.Names()[0] == \"resource\" {\n\t\t\thasResourceFlag = true\n\t\t\tbreak\n\t\t}\n\t}\n\tassert.True(t, hasResourceFlag, \"token command should have --resource flag\")\n}\n" }, { "path": "cmd/cloudflared/proxydns/cmd.go", "content": "package proxydns\n\nimport (\n\t\"errors\"\n\n\t\"github.com/urfave/cli/v2\"\n\t\"github.com/urfave/cli/v2/altsrc\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n)\n\nconst removedMessage = \"dns-proxy feature is no longer supported\"\n\nfunc Command() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"proxy-dns\",\n\t\tAction: cliutil.ConfiguredAction(Run),\n\t\tUsage: removedMessage,\n\t\tSkipFlagParsing: true,\n\t}\n}\n\nfunc Run(c *cli.Context) error {\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\terr := errors.New(removedMessage)\n\tlog.Error().Msg(\"DNS Proxy is no longer supported since version 2026.2.0 (https://developers.cloudflare.com/changelog/2025-11-11-cloudflared-proxy-dns/). As an alternative consider using https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/dns-over-https-client/\")\n\n\treturn err\n}\n\n// Old flags used by the proxy-dns command, only kept to not break any script that might be setting these flags\nfunc ConfigureProxyDNSFlags(shouldHide bool) []cli.Flag {\n\treturn []cli.Flag{\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: \"proxy-dns\",\n\t\t}),\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: \"proxy-dns-port\",\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: \"proxy-dns-address\",\n\t\t}),\n\t\taltsrc.NewStringSliceFlag(&cli.StringSliceFlag{\n\t\t\tName: \"proxy-dns-upstream\",\n\t\t}),\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: \"proxy-dns-max-upstream-conns\",\n\t\t}),\n\t\taltsrc.NewStringSliceFlag(&cli.StringSliceFlag{\n\t\t\tName: \"proxy-dns-bootstrap\",\n\t\t}),\n\t}\n}\n" }, { "path": "cmd/cloudflared/service_template.go", "content": "package main\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"text/template\"\n\n\thomedir \"github.com/mitchellh/go-homedir\"\n)\n\ntype ServiceTemplate struct {\n\tPath string\n\tContent string\n\tFileMode os.FileMode\n}\n\ntype ServiceTemplateArgs struct {\n\tPath string\n\tExtraArgs []string\n}\n\nfunc (st *ServiceTemplate) ResolvePath() (string, error) {\n\tresolvedPath, err := homedir.Expand(st.Path)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"error resolving path %s: %v\", st.Path, err)\n\t}\n\treturn resolvedPath, nil\n}\n\nfunc (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {\n\ttmpl, err := template.New(st.Path).Parse(st.Content)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error generating %s template: %v\", st.Path, err)\n\t}\n\tresolvedPath, err := st.ResolvePath()\n\tif err != nil {\n\t\treturn err\n\t}\n\tif _, err = os.Stat(resolvedPath); err == nil {\n\t\treturn errors.New(serviceAlreadyExistsWarn(resolvedPath))\n\t}\n\n\tvar buffer bytes.Buffer\n\terr = tmpl.Execute(&buffer, args)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error generating %s: %v\", st.Path, err)\n\t}\n\tfileMode := os.FileMode(0o644)\n\tif st.FileMode != 0 {\n\t\tfileMode = st.FileMode\n\t}\n\n\tplistFolder := filepath.Dir(resolvedPath)\n\terr = os.MkdirAll(plistFolder, 0o755)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error creating %s: %v\", plistFolder, err)\n\t}\n\n\terr = os.WriteFile(resolvedPath, buffer.Bytes(), fileMode)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error writing %s: %v\", resolvedPath, err)\n\t}\n\treturn nil\n}\n\nfunc (st *ServiceTemplate) Remove() error {\n\tresolvedPath, err := st.ResolvePath()\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = os.Remove(resolvedPath)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error deleting %s: %v\", resolvedPath, err)\n\t}\n\treturn nil\n}\n\nfunc serviceAlreadyExistsWarn(service string) string {\n\treturn fmt.Sprintf(\"cloudflared service is already installed at %s; if you are running a cloudflared tunnel, you \"+\n\t\t\"can point it to multiple origins, avoiding the need to run more than one cloudflared service in the \"+\n\t\t\"same machine; otherwise if you are really sure, you can do `cloudflared service uninstall` to clean \"+\n\t\t\"up the existing service and then try again this command\",\n\t\tservice,\n\t)\n}\n\nfunc runCommand(command string, args ...string) error {\n\tcmd := exec.Command(command, args...)\n\tstderr, err := cmd.StderrPipe()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error getting stderr pipe: %v\", err)\n\t}\n\terr = cmd.Start()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error starting %s: %v\", command, err)\n\t}\n\n\toutput, _ := io.ReadAll(stderr)\n\terr = cmd.Wait()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"%s %v returned with error code %v due to: %v\", command, args, err, string(output))\n\t}\n\treturn nil\n}\n" }, { "path": "cmd/cloudflared/tail/cmd.go", "content": "package tail\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"os/signal\"\n\t\"syscall\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\t\"nhooyr.io/websocket\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/credentials\"\n\t\"github.com/cloudflare/cloudflared/management\"\n)\n\nvar buildInfo *cliutil.BuildInfo\n\nfunc Init(bi *cliutil.BuildInfo) {\n\tbuildInfo = bi\n}\n\nfunc Command() *cli.Command {\n\tsubcommands := []*cli.Command{\n\t\tbuildTailManagementTokenSubcommand(),\n\t}\n\n\treturn buildTailCommand(subcommands)\n}\n\nfunc buildTailManagementTokenSubcommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"token\",\n\t\tAction: cliutil.ConfiguredAction(managementTokenCommand),\n\t\tUsage: \"Get management access jwt\",\n\t\tUsageText: \"cloudflared tail token TUNNEL_ID\",\n\t\tDescription: `Get management access jwt for a tunnel`,\n\t\tHidden: true,\n\t}\n}\n\nfunc managementTokenCommand(c *cli.Context) error {\n\tlog := cliutil.CreateStderrLogger(c)\n\n\ttoken, err := cliutil.GetManagementToken(c, log, cfapi.Logs, buildInfo)\n\tif err != nil {\n\t\treturn err\n\t}\n\ttokenResponse := struct {\n\t\tToken string `json:\"token\"`\n\t}{Token: token}\n\n\treturn json.NewEncoder(os.Stdout).Encode(tokenResponse)\n}\n\nfunc buildTailCommand(subcommands []*cli.Command) *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"tail\",\n\t\tAction: Run,\n\t\tUsage: \"Stream logs from a remote cloudflared\",\n\t\tUsageText: \"cloudflared tail [tail command options] [TUNNEL-ID]\",\n\t\tFlags: []cli.Flag{\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"connector-id\",\n\t\t\t\tUsage: \"Access a specific cloudflared instance by connector id (for when a tunnel has multiple cloudflared's)\",\n\t\t\t\tValue: \"\",\n\t\t\t\tEnvVars: []string{\"TUNNEL_MANAGEMENT_CONNECTOR\"},\n\t\t\t},\n\t\t\t&cli.StringSliceFlag{\n\t\t\t\tName: \"event\",\n\t\t\t\tUsage: \"Filter by specific Events (cloudflared, http, tcp, udp) otherwise, defaults to send all events\",\n\t\t\t\tEnvVars: []string{\"TUNNEL_MANAGEMENT_FILTER_EVENTS\"},\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"level\",\n\t\t\t\tUsage: \"Filter by specific log levels (debug, info, warn, error). Filters by debug log level by default.\",\n\t\t\t\tEnvVars: []string{\"TUNNEL_MANAGEMENT_FILTER_LEVEL\"},\n\t\t\t\tValue: \"debug\",\n\t\t\t},\n\t\t\t&cli.Float64Flag{\n\t\t\t\tName: \"sample\",\n\t\t\t\tUsage: \"Sample log events by percentage (0.0 .. 1.0). No sampling by default.\",\n\t\t\t\tEnvVars: []string{\"TUNNEL_MANAGEMENT_FILTER_SAMPLE\"},\n\t\t\t\tValue: 1.0,\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"token\",\n\t\t\t\tUsage: \"Access token for a specific tunnel\",\n\t\t\t\tValue: \"\",\n\t\t\t\tEnvVars: []string{\"TUNNEL_MANAGEMENT_TOKEN\"},\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: cfdflags.ManagementHostname,\n\t\t\t\tUsage: \"Management hostname to signify incoming management requests\",\n\t\t\t\tEnvVars: []string{\"TUNNEL_MANAGEMENT_HOSTNAME\"},\n\t\t\t\tHidden: true,\n\t\t\t\tValue: \"management.argotunnel.com\",\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"trace\",\n\t\t\t\tUsage: \"Set a cf-trace-id for the request\",\n\t\t\t\tHidden: true,\n\t\t\t\tValue: \"\",\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: cfdflags.LogLevel,\n\t\t\t\tValue: \"info\",\n\t\t\t\tUsage: \"Application logging level {debug, info, warn, error, fatal}\",\n\t\t\t\tEnvVars: []string{\"TUNNEL_LOGLEVEL\"},\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: cfdflags.OriginCert,\n\t\t\t\tUsage: \"Path to the certificate generated for your origin when you run cloudflared login.\",\n\t\t\t\tEnvVars: []string{\"TUNNEL_ORIGIN_CERT\"},\n\t\t\t\tValue: credentials.FindDefaultOriginCertPath(),\n\t\t\t},\n\t\t\tcliutil.FlagLogOutput,\n\t\t},\n\t\tSubcommands: subcommands,\n\t}\n}\n\n// Middleware validation error struct for returning to the eyeball\ntype managementError struct {\n\tCode int `json:\"code,omitempty\"`\n\tMessage string `json:\"message,omitempty\"`\n}\n\n// Middleware validation error HTTP response JSON for returning to the eyeball\ntype managementErrorResponse struct {\n\tSuccess bool `json:\"success,omitempty\"`\n\tErrors []managementError `json:\"errors,omitempty\"`\n}\n\nfunc handleValidationError(resp *http.Response, log *zerolog.Logger) {\n\tif resp.StatusCode == 530 {\n\t\tlog.Error().Msgf(\"no cloudflared connector available or reachable via management request (a recent version of cloudflared is required to use streaming logs)\")\n\t}\n\tvar managementErr managementErrorResponse\n\terr := json.NewDecoder(resp.Body).Decode(&managementErr)\n\tif err != nil {\n\t\tlog.Error().Msgf(\"unable to start management log streaming session: http response code returned %d\", resp.StatusCode)\n\t\treturn\n\t}\n\tif managementErr.Success || len(managementErr.Errors) == 0 {\n\t\tlog.Error().Msgf(\"management tunnel validation returned success with invalid HTTP response code to convert to a WebSocket request\")\n\t\treturn\n\t}\n\tfor _, e := range managementErr.Errors {\n\t\tlog.Error().Msgf(\"management request failed validation: (%d) %s\", e.Code, e.Message)\n\t}\n}\n\n// parseFilters will attempt to parse provided filters to send to with the EventStartStreaming\nfunc parseFilters(c *cli.Context) (*management.StreamingFilters, error) {\n\tvar level *management.LogLevel\n\tvar sample float64\n\n\tevents := make([]management.LogEventType, 0)\n\n\targLevel := c.String(\"level\")\n\targEvents := c.StringSlice(\"event\")\n\targSample := c.Float64(\"sample\")\n\n\tif argLevel != \"\" {\n\t\tl, ok := management.ParseLogLevel(argLevel)\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"invalid --level filter provided, please use one of the following Log Levels: debug, info, warn, error\")\n\t\t}\n\t\tlevel = &l\n\t}\n\n\tfor _, v := range argEvents {\n\t\tt, ok := management.ParseLogEventType(v)\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"invalid --event filter provided, please use one of the following EventTypes: cloudflared, http, tcp, udp\")\n\t\t}\n\t\tevents = append(events, t)\n\t}\n\n\tif argSample <= 0.0 || argSample > 1.0 {\n\t\treturn nil, fmt.Errorf(\"invalid --sample value provided, please make sure it is in the range (0.0 .. 1.0)\")\n\t}\n\tsample = argSample\n\n\tif level == nil && len(events) == 0 && argSample != 1.0 {\n\t\t// When no filters are provided, do not return a StreamingFilters struct\n\t\treturn nil, nil\n\t}\n\n\treturn &management.StreamingFilters{\n\t\tLevel: level,\n\t\tEvents: events,\n\t\tSampling: sample,\n\t}, nil\n}\n\n// buildURL will build the management url to contain the required query parameters to authenticate the request.\nfunc buildURL(c *cli.Context, log *zerolog.Logger, res cfapi.ManagementResource) (url.URL, error) {\n\tvar err error\n\n\ttoken := c.String(\"token\")\n\tif token == \"\" {\n\t\ttoken, err = cliutil.GetManagementToken(c, log, res, buildInfo)\n\t\tif err != nil {\n\t\t\treturn url.URL{}, fmt.Errorf(\"unable to acquire management token for requested tunnel id: %w\", err)\n\t\t}\n\t}\n\n\tclaims, err := management.ParseToken(token)\n\tif err != nil {\n\t\treturn url.URL{}, fmt.Errorf(\"failed to determine if token is FED: %w\", err)\n\t}\n\n\tvar managementHostname string\n\tif claims.IsFed() {\n\t\tmanagementHostname = credentials.FedRampHostname\n\t} else {\n\t\tmanagementHostname = c.String(cfdflags.ManagementHostname)\n\t}\n\n\tquery := url.Values{}\n\tquery.Add(\"access_token\", token)\n\tconnector := c.String(\"connector-id\")\n\tif connector != \"\" {\n\t\tconnectorID, err := uuid.Parse(connector)\n\t\tif err != nil {\n\t\t\treturn url.URL{}, fmt.Errorf(\"unabled to parse 'connector-id' flag into a valid UUID: %w\", err)\n\t\t}\n\t\tquery.Add(\"connector_id\", connectorID.String())\n\t}\n\treturn url.URL{Scheme: \"wss\", Host: managementHostname, Path: \"/logs\", RawQuery: query.Encode()}, nil\n}\n\nfunc printLine(log *management.Log, logger *zerolog.Logger) {\n\tfields, err := json.Marshal(log.Fields)\n\tif err != nil {\n\t\tfields = []byte(\"unable to parse fields\")\n\t\tlogger.Debug().Msgf(\"unable to parse fields from event %+v\", log)\n\t}\n\tfmt.Printf(\"%s %s %s %s %s\\n\", log.Time, log.Level, log.Event, log.Message, fields)\n}\n\nfunc printJSON(log *management.Log, logger *zerolog.Logger) {\n\toutput, err := json.Marshal(log)\n\tif err != nil {\n\t\tlogger.Debug().Msgf(\"unable to parse event to json %+v\", log)\n\t} else {\n\t\tfmt.Println(string(output))\n\t}\n}\n\n// Run implements a foreground runner\nfunc Run(c *cli.Context) error {\n\tlog := cliutil.CreateStderrLogger(c)\n\n\tsignals := make(chan os.Signal, 10)\n\tsignal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)\n\tdefer signal.Stop(signals)\n\n\toutput := \"default\"\n\tswitch c.String(\"output\") {\n\tcase \"default\", \"\":\n\t\toutput = \"default\"\n\tcase \"json\":\n\t\toutput = \"json\"\n\tdefault:\n\t\tlog.Err(errors.New(\"invalid --output value provided, please make sure it is one of: default, json\")).Send()\n\t}\n\n\tfilters, err := parseFilters(c)\n\tif err != nil {\n\t\tlog.Error().Err(err).Msgf(\"invalid filters provided\")\n\t\treturn nil\n\t}\n\n\tu, err := buildURL(c, log, cfapi.Logs)\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"unable to construct management request URL\")\n\t\treturn nil\n\t}\n\n\theader := make(http.Header)\n\theader.Add(\"User-Agent\", buildInfo.UserAgent())\n\ttrace := c.String(\"trace\")\n\tif trace != \"\" {\n\t\theader[\"cf-trace-id\"] = []string{trace}\n\t}\n\tctx := c.Context\n\t// nolint: bodyclose\n\tconn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{\n\t\tHTTPHeader: header,\n\t})\n\tif err != nil {\n\t\tif resp != nil && resp.StatusCode != http.StatusSwitchingProtocols {\n\t\t\thandleValidationError(resp, log)\n\t\t\treturn nil\n\t\t}\n\t\tlog.Error().Err(err).Msgf(\"unable to start management log streaming session\")\n\t\treturn nil\n\t}\n\tdefer conn.Close(websocket.StatusInternalError, \"management connection was closed abruptly\")\n\n\t// Once connection is established, send start_streaming event to begin receiving logs\n\terr = management.WriteEvent(conn, ctx, &management.EventStartStreaming{\n\t\tClientEvent: management.ClientEvent{Type: management.StartStreaming},\n\t\tFilters: filters,\n\t})\n\tif err != nil {\n\t\tlog.Error().Err(err).Msg(\"unable to request logs from management tunnel\")\n\t\treturn nil\n\t}\n\tlog.Debug().\n\t\tStr(\"tunnel-id\", c.Args().First()).\n\t\tStr(\"connector-id\", c.String(\"connector-id\")).\n\t\tInterface(\"filters\", filters).\n\t\tMsg(\"connected\")\n\n\treaderDone := make(chan struct{})\n\n\tgo func() {\n\t\tdefer close(readerDone)\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-ctx.Done():\n\t\t\t\treturn\n\t\t\tdefault:\n\t\t\t\tevent, err := management.ReadServerEvent(conn, ctx)\n\t\t\t\tif err != nil {\n\t\t\t\t\tif closeErr := management.AsClosed(err); closeErr != nil {\n\t\t\t\t\t\t// If the client (or the server) already closed the connection, don't continue to\n\t\t\t\t\t\t// attempt to read from the client.\n\t\t\t\t\t\tif closeErr.Code == websocket.StatusNormalClosure {\n\t\t\t\t\t\t\treturn\n\t\t\t\t\t\t}\n\t\t\t\t\t\t// Only log abnormal closures\n\t\t\t\t\t\tlog.Error().Msgf(\"received remote closure: (%d) %s\", closeErr.Code, closeErr.Reason)\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\t\t\t\t\tlog.Err(err).Msg(\"unable to read event from server\")\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tswitch event.Type {\n\t\t\t\tcase management.Logs:\n\t\t\t\t\tlogs, ok := management.IntoServerEvent(event, management.Logs)\n\t\t\t\t\tif !ok {\n\t\t\t\t\t\tlog.Error().Msgf(\"invalid logs event\")\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\t// Output all the logs received to stdout\n\t\t\t\t\tfor _, l := range logs.Logs {\n\t\t\t\t\t\tif output == \"json\" {\n\t\t\t\t\t\t\tprintJSON(l, log)\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tprintLine(l, log)\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\tcase management.UnknownServerEventType:\n\t\t\t\t\tfallthrough\n\t\t\t\tdefault:\n\t\t\t\t\tlog.Debug().Msgf(\"unexpected log event type: %s\", event.Type)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}()\n\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\treturn nil\n\t\tcase <-readerDone:\n\t\t\treturn nil\n\t\tcase <-signals:\n\t\t\tlog.Debug().Msg(\"closing management connection\")\n\t\t\t// Cleanly close the connection by sending a close message and then\n\t\t\t// waiting (with timeout) for the server to close the connection.\n\t\t\tconn.Close(websocket.StatusNormalClosure, \"\")\n\t\t\tselect {\n\t\t\tcase <-readerDone:\n\t\t\tcase <-time.After(time.Second):\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t}\n}\n" }, { "path": "cmd/cloudflared/tunnel/cmd.go", "content": "package tunnel\n\nimport (\n\t\"bufio\"\n\t\"context\"\n\t\"fmt\"\n\t\"net/url\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime/trace\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/coreos/go-systemd/v22/daemon\"\n\t\"github.com/facebookgo/grace/gracenet\"\n\t\"github.com/getsentry/sentry-go\"\n\t\"github.com/mitchellh/go-homedir\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\t\"github.com/urfave/cli/v2/altsrc\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/updater\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/credentials\"\n\t\"github.com/cloudflare/cloudflared/diagnostic\"\n\t\"github.com/cloudflare/cloudflared/edgediscovery\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n\t\"github.com/cloudflare/cloudflared/management\"\n\t\"github.com/cloudflare/cloudflared/metrics\"\n\t\"github.com/cloudflare/cloudflared/orchestration\"\n\t\"github.com/cloudflare/cloudflared/signal\"\n\t\"github.com/cloudflare/cloudflared/supervisor\"\n\t\"github.com/cloudflare/cloudflared/tlsconfig\"\n\t\"github.com/cloudflare/cloudflared/tunnelstate\"\n\t\"github.com/cloudflare/cloudflared/validation\"\n)\n\nconst (\n\tsentryDSN = \"https://56a9c9fa5c364ab28f34b14f35ea0f1b:3e8827f6f9f740738eb11138f7bebb68@sentry.io/189878\"\n\n\tLogFieldCommand = \"command\"\n\tLogFieldExpandedPath = \"expandedPath\"\n\tLogFieldPIDPathname = \"pidPathname\"\n\tLogFieldTmpTraceFilename = \"tmpTraceFilename\"\n\tLogFieldTraceOutputFilepath = \"traceOutputFilepath\"\n\n\ttunnelCmdErrorMessage = `You did not specify any valid additional argument to the cloudflared tunnel command.\n\nIf you are trying to run a Quick Tunnel then you need to explicitly pass the --url flag.\nEg. cloudflared tunnel --url localhost:8080/.\n\nPlease note that Quick Tunnels are meant to be ephemeral and should only be used for testing purposes.\nFor production usage, we recommend creating Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)\n`\n)\n\nvar (\n\tgraceShutdownC chan struct{}\n\tbuildInfo *cliutil.BuildInfo\n\n\trouteFailMsg = fmt.Sprintf(\"failed to provision routing, please create it manually via Cloudflare dashboard or UI; \"+\n\t\t\"most likely you already have a conflicting record there. You can also rerun this command with --%s to overwrite \"+\n\t\t\"any existing DNS records for this hostname.\", overwriteDNSFlag)\n\terrDeprecatedClassicTunnel = errors.New(\"Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)\")\n\t// TODO: TUN-8756 the list below denotes the flags that do not possess any kind of sensitive information\n\t// however this approach is not maintainble in the long-term.\n\tnonSecretFlagsList = []string{\n\t\t\"config\",\n\t\tcfdflags.AutoUpdateFreq,\n\t\tcfdflags.NoAutoUpdate,\n\t\tcfdflags.Metrics,\n\t\t\"pidfile\",\n\t\t\"url\",\n\t\t\"hello-world\",\n\t\t\"socks5\",\n\t\t\"proxy-connect-timeout\",\n\t\t\"proxy-tls-timeout\",\n\t\t\"proxy-tcp-keepalive\",\n\t\t\"proxy-no-happy-eyeballs\",\n\t\t\"proxy-keepalive-connections\",\n\t\t\"proxy-keepalive-timeout\",\n\t\t\"proxy-connection-timeout\",\n\t\t\"proxy-expect-continue-timeout\",\n\t\t\"http-host-header\",\n\t\t\"origin-server-name\",\n\t\t\"unix-socket\",\n\t\t\"origin-ca-pool\",\n\t\t\"no-tls-verify\",\n\t\t\"no-chunked-encoding\",\n\t\t\"http2-origin\",\n\t\tcfdflags.ManagementHostname,\n\t\t\"service-op-ip\",\n\t\t\"local-ssh-port\",\n\t\t\"ssh-idle-timeout\",\n\t\t\"ssh-max-timeout\",\n\t\t\"bucket-name\",\n\t\t\"region-name\",\n\t\t\"s3-url-host\",\n\t\t\"host-key-path\",\n\t\t\"ssh-server\",\n\t\t\"bastion\",\n\t\t\"proxy-address\",\n\t\t\"proxy-port\",\n\t\tcfdflags.LogLevel,\n\t\tcfdflags.TransportLogLevel,\n\t\tcfdflags.LogFile,\n\t\tcfdflags.LogDirectory,\n\t\tcfdflags.TraceOutput,\n\t\tcfdflags.IsAutoUpdated,\n\t\tcfdflags.Edge,\n\t\tcfdflags.Region,\n\t\tcfdflags.EdgeIpVersion,\n\t\tcfdflags.EdgeBindAddress,\n\t\t\"cacert\",\n\t\t\"hostname\",\n\t\t\"id\",\n\t\tcfdflags.LBPool,\n\t\tcfdflags.ApiURL,\n\t\tcfdflags.MetricsUpdateFreq,\n\t\tcfdflags.Tag,\n\t\t\"heartbeat-interval\",\n\t\t\"heartbeat-count\",\n\t\tcfdflags.MaxEdgeAddrRetries,\n\t\tcfdflags.Retries,\n\t\t\"ha-connections\",\n\t\t\"rpc-timeout\",\n\t\t\"write-stream-timeout\",\n\t\t\"quic-disable-pmtu-discovery\",\n\t\t\"quic-connection-level-flow-control-limit\",\n\t\t\"quic-stream-level-flow-control-limit\",\n\t\tcfdflags.ConnectorLabel,\n\t\tcfdflags.GracePeriod,\n\t\t\"compression-quality\",\n\t\t\"use-reconnect-token\",\n\t\t\"dial-edge-timeout\",\n\t\t\"stdin-control\",\n\t\tcfdflags.Name,\n\t\tcfdflags.Ui,\n\t\t\"quick-service\",\n\t\t\"max-fetch-size\",\n\t\tcfdflags.PostQuantum,\n\t\t\"management-diagnostics\",\n\t\tcfdflags.Protocol,\n\t\t\"overwrite-dns\",\n\t\t\"help\",\n\t\tcfdflags.MaxActiveFlows,\n\t}\n)\n\nfunc Flags() []cli.Flag {\n\treturn tunnelFlags(true)\n}\n\nfunc Commands() []*cli.Command {\n\tsubcommands := []*cli.Command{\n\t\tbuildLoginSubcommand(false),\n\t\tbuildCreateCommand(),\n\t\tbuildRouteCommand(),\n\t\tbuildVirtualNetworkSubcommand(false),\n\t\tbuildRunCommand(),\n\t\tbuildListCommand(),\n\t\tbuildReadyCommand(),\n\t\tbuildInfoCommand(),\n\t\tbuildIngressSubcommand(),\n\t\tbuildDeleteCommand(),\n\t\tbuildCleanupCommand(),\n\t\tbuildTokenCommand(),\n\t\tbuildDiagCommand(),\n\t\tproxydns.Command(), // removed feature, only here for error message\n\t\tcliutil.RemovedCommand(\"db-connect\"),\n\t}\n\n\treturn []*cli.Command{\n\t\tbuildTunnelCommand(subcommands),\n\t\t// for compatibility, allow following as top-level subcommands\n\t\tbuildLoginSubcommand(true),\n\t\tcliutil.RemovedCommand(\"db-connect\"),\n\t}\n}\n\nfunc buildTunnelCommand(subcommands []*cli.Command) *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"tunnel\",\n\t\tAction: cliutil.ConfiguredAction(TunnelCommand),\n\t\tCategory: \"Tunnel\",\n\t\tUsage: \"Use Cloudflare Tunnel to expose private services to the Internet or to Cloudflare connected private users.\",\n\t\tArgsUsage: \" \",\n\t\tDescription: ` Cloudflare Tunnel allows to expose private services without opening any ingress port on this machine. It can expose:\n A) Locally reachable HTTP-based private services to the Internet on DNS with Cloudflare as authority (which you can\nthen protect with Cloudflare Access).\n B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g.,\nthose enrolled to a Zero Trust WARP Client.\n\nYou can manage your Tunnels via one.dash.cloudflare.com. This approach will only require you to run a single command\nlater in each machine where you wish to run a Tunnel.\n\nAlternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so:\n\n\t$ cloudflared tunnel login\n\nWith your certificate installed you can then get started with Tunnels:\n\n\t$ cloudflared tunnel create my-first-tunnel\n\t$ cloudflared tunnel route dns my-first-tunnel my-first-tunnel.mydomain.com\n\t$ cloudflared tunnel run --hello-world my-first-tunnel\n\nYou can now access my-first-tunnel.mydomain.com and be served an example page by your local cloudflared process.\n\nFor exposing local TCP/UDP services by IP to your privately connected users, check out:\n\n\t$ cloudflared tunnel route ip --help\n\nSee https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/ for more info.`,\n\t\tSubcommands: subcommands,\n\t\tFlags: tunnelFlags(false),\n\t}\n}\n\nfunc TunnelCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Run a adhoc named tunnel\n\t// Allows for the creation, routing (optional), and startup of a tunnel in one command\n\t// --name required\n\t// --url or --hello-world required\n\t// --hostname optional\n\tif name := c.String(cfdflags.Name); name != \"\" {\n\t\thostname, err := validation.ValidateHostname(c.String(\"hostname\"))\n\t\tif err != nil {\n\t\t\treturn errors.Wrap(err, \"Invalid hostname provided\")\n\t\t}\n\t\turl := c.String(\"url\")\n\t\tif url == hostname && url != \"\" && hostname != \"\" {\n\t\t\treturn fmt.Errorf(\"hostname and url shouldn't match. See --help for more information\")\n\t\t}\n\n\t\treturn runAdhocNamedTunnel(sc, name, c.String(CredFileFlag))\n\t}\n\n\t// Run a quick tunnel\n\t// A unauthenticated named tunnel hosted on ..com\n\tshouldRunQuickTunnel := c.IsSet(\"url\") || c.IsSet(ingress.HelloWorldFlag)\n\tif c.String(\"quick-service\") != \"\" && shouldRunQuickTunnel {\n\t\treturn RunQuickTunnel(sc)\n\t}\n\n\t// If user provides a config, check to see if they meant to use `tunnel run` instead\n\tif ref := config.GetConfiguration().TunnelID; ref != \"\" {\n\t\treturn fmt.Errorf(\"Use `cloudflared tunnel run` to start tunnel %s\", ref)\n\t}\n\n\t// Classic tunnel usage is no longer supported\n\tif c.String(\"hostname\") != \"\" {\n\t\treturn errDeprecatedClassicTunnel\n\t}\n\n\treturn errors.New(tunnelCmdErrorMessage)\n}\n\nfunc Init(info *cliutil.BuildInfo, gracefulShutdown chan struct{}) {\n\tbuildInfo, graceShutdownC = info, gracefulShutdown\n}\n\n// runAdhocNamedTunnel create, route and run a named tunnel in one command\nfunc runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath string) error {\n\ttunnel, ok, err := sc.tunnelActive(name)\n\tif err != nil || !ok {\n\t\t// pass empty string as secret to generate one\n\t\ttunnel, err = sc.create(name, credentialsOutputPath, \"\")\n\t\tif err != nil {\n\t\t\treturn errors.Wrap(err, \"failed to create tunnel\")\n\t\t}\n\t} else {\n\t\tsc.log.Info().Str(LogFieldTunnelID, tunnel.ID.String()).Msg(\"Reusing existing tunnel with this name\")\n\t}\n\n\tif r, ok := routeFromFlag(sc.c); ok {\n\t\tif res, err := sc.route(tunnel.ID, r); err != nil {\n\t\t\tsc.log.Err(err).Str(\"route\", r.String()).Msg(routeFailMsg)\n\t\t} else {\n\t\t\tsc.log.Info().Msg(res.SuccessSummary())\n\t\t}\n\t}\n\n\tif err := sc.run(tunnel.ID); err != nil {\n\t\treturn errors.Wrap(err, \"error running tunnel\")\n\t}\n\n\treturn nil\n}\n\nfunc routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {\n\tif hostname := c.String(\"hostname\"); hostname != \"\" {\n\t\tif lbPool := c.String(cfdflags.LBPool); lbPool != \"\" {\n\t\t\treturn cfapi.NewLBRoute(hostname, lbPool), true\n\t\t}\n\t\treturn cfapi.NewDNSRoute(hostname, c.Bool(overwriteDNSFlagName)), true\n\t}\n\treturn nil, false\n}\n\nfunc StartServer(\n\tc *cli.Context,\n\tinfo *cliutil.BuildInfo,\n\tnamedTunnel *connection.TunnelProperties,\n\tlog *zerolog.Logger,\n) error {\n\terr := sentry.Init(sentry.ClientOptions{\n\t\tDsn: sentryDSN,\n\t\tRelease: c.App.Version,\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar wg sync.WaitGroup\n\tlisteners := gracenet.Net{}\n\terrC := make(chan error)\n\n\t// Only log for locally configured tunnels (Token is blank).\n\tif config.GetConfiguration().Source() == \"\" && c.String(TunnelTokenFlag) == \"\" {\n\t\tlog.Info().Msg(config.ErrNoConfigFile.Error())\n\t}\n\n\tif c.IsSet(cfdflags.TraceOutput) {\n\t\ttmpTraceFile, err := os.CreateTemp(\"\", \"trace\")\n\t\tif err != nil {\n\t\t\tlog.Err(err).Msg(\"Failed to create new temporary file to save trace output\")\n\t\t}\n\n\t\ttraceLog := log.With().Str(LogFieldTmpTraceFilename, tmpTraceFile.Name()).Logger()\n\n\t\tdefer func() {\n\t\t\tif err := tmpTraceFile.Close(); err != nil {\n\t\t\t\ttraceLog.Err(err).Msg(\"Failed to close temporary trace output file\")\n\t\t\t}\n\t\t\ttraceOutputFilepath := c.String(cfdflags.TraceOutput)\n\t\t\tif err := os.Rename(tmpTraceFile.Name(), traceOutputFilepath); err != nil {\n\t\t\t\ttraceLog.\n\t\t\t\t\tErr(err).\n\t\t\t\t\tStr(LogFieldTraceOutputFilepath, traceOutputFilepath).\n\t\t\t\t\tMsg(\"Failed to rename temporary trace output file\")\n\t\t\t} else {\n\t\t\t\terr := os.Remove(tmpTraceFile.Name())\n\t\t\t\tif err != nil {\n\t\t\t\t\ttraceLog.Err(err).Msg(\"Failed to remove the temporary trace file\")\n\t\t\t\t}\n\t\t\t}\n\t\t}()\n\n\t\tif err := trace.Start(tmpTraceFile); err != nil {\n\t\t\ttraceLog.Err(err).Msg(\"Failed to start trace\")\n\t\t\treturn errors.Wrap(err, \"Error starting tracing\")\n\t\t}\n\t\tdefer trace.Stop()\n\t}\n\n\tinfo.Log(log)\n\tlogClientOptions(c, log)\n\n\t// this context drives the server, when it's cancelled tunnel and all other components (origins, dns, etc...) should stop\n\tctx, cancel := context.WithCancel(c.Context)\n\tdefer cancel()\n\n\tgo waitForSignal(graceShutdownC, log)\n\n\tconnectedSignal := signal.New(make(chan struct{}))\n\tgo notifySystemd(connectedSignal)\n\tif c.IsSet(\"pidfile\") {\n\t\tgo writePidFile(connectedSignal, c.String(\"pidfile\"), log)\n\t}\n\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\tautoupdater := updater.NewAutoUpdater(\n\t\t\tc.Bool(cfdflags.NoAutoUpdate), c.Duration(cfdflags.AutoUpdateFreq), &listeners, log,\n\t\t)\n\t\terrC <- autoupdater.Run(ctx)\n\t}()\n\n\tif namedTunnel == nil {\n\t\treturn fmt.Errorf(\"namedTunnel is nil\")\n\t}\n\n\tlogTransport := logger.CreateTransportLoggerFromContext(c, logger.EnableTerminalLog)\n\n\tobserver := connection.NewObserver(log, logTransport)\n\n\t// Send Quick Tunnel URL to UI if applicable\n\tquickTunnelURL := namedTunnel.QuickTunnelUrl\n\tif quickTunnelURL != \"\" {\n\t\tobserver.SendURL(quickTunnelURL)\n\t}\n\n\ttunnelConfig, orchestratorConfig, err := prepareTunnelConfig(ctx, c, info, log, logTransport, observer, namedTunnel)\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"Couldn't start tunnel\")\n\t\treturn err\n\t}\n\tconnectorID := tunnelConfig.ClientConfig.ConnectorID\n\n\t// Disable ICMP packet routing for quick tunnels\n\tif quickTunnelURL != \"\" {\n\t\ttunnelConfig.ICMPRouterServer = nil\n\t}\n\n\tserviceIP := c.String(\"service-op-ip\")\n\tif edgeAddrs, err := edgediscovery.ResolveEdge(log, tunnelConfig.Region, tunnelConfig.EdgeIPVersion); err == nil {\n\t\tif serviceAddr, err := edgeAddrs.GetAddrForRPC(); err == nil {\n\t\t\tserviceIP = serviceAddr.TCP.String()\n\t\t}\n\t}\n\n\tisFEDEndpoint := namedTunnel.Credentials.Endpoint == credentials.FedEndpoint\n\tvar managementHostname string\n\tif isFEDEndpoint {\n\t\tmanagementHostname = credentials.FedRampHostname\n\t} else {\n\t\tmanagementHostname = c.String(cfdflags.ManagementHostname)\n\t}\n\n\tmgmt := management.New(\n\t\tmanagementHostname,\n\t\tc.Bool(\"management-diagnostics\"),\n\t\tserviceIP,\n\t\tconnectorID,\n\t\tc.String(cfdflags.ConnectorLabel),\n\t\tlogger.ManagementLogger.Log,\n\t\tlogger.ManagementLogger,\n\t)\n\tinternalRules := []ingress.Rule{ingress.NewManagementRule(mgmt)}\n\torchestrator, err := orchestration.NewOrchestrator(ctx, orchestratorConfig, tunnelConfig.Tags, internalRules, tunnelConfig.Log)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tmetricsListener, err := metrics.CreateMetricsListener(&listeners, c.String(\"metrics\"))\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"Error opening metrics server listener\")\n\t\treturn errors.Wrap(err, \"Error opening metrics server listener\")\n\t}\n\n\tdefer metricsListener.Close()\n\twg.Add(1)\n\n\tgo func() {\n\t\tdefer wg.Done()\n\t\ttracker := tunnelstate.NewConnTracker(log)\n\t\tobserver.RegisterSink(tracker)\n\n\t\tipv4, ipv6, err := determineICMPSources(c, log)\n\t\tsources := make([]string, 0)\n\t\tif err == nil {\n\t\t\tsources = append(sources, ipv4.String())\n\t\t\tsources = append(sources, ipv6.String())\n\t\t}\n\n\t\treadinessServer := metrics.NewReadyServer(connectorID, tracker)\n\t\tcliFlags := nonSecretCliFlags(log, c, nonSecretFlagsList)\n\t\tdiagnosticHandler := diagnostic.NewDiagnosticHandler(\n\t\t\tlog,\n\t\t\t0,\n\t\t\tdiagnostic.NewSystemCollectorImpl(buildInfo.CloudflaredVersion),\n\t\t\ttunnelConfig.NamedTunnel.Credentials.TunnelID,\n\t\t\tconnectorID,\n\t\t\ttracker,\n\t\t\tcliFlags,\n\t\t\tsources,\n\t\t)\n\t\tmetricsConfig := metrics.Config{\n\t\t\tReadyServer: readinessServer,\n\t\t\tDiagnosticHandler: diagnosticHandler,\n\t\t\tQuickTunnelHostname: quickTunnelURL,\n\t\t\tOrchestrator: orchestrator,\n\t\t}\n\t\terrC <- metrics.ServeMetrics(metricsListener, ctx, metricsConfig, log)\n\t}()\n\n\treconnectCh := make(chan supervisor.ReconnectSignal, c.Int(cfdflags.HaConnections))\n\tif c.IsSet(\"stdin-control\") {\n\t\tlog.Info().Msg(\"Enabling control through stdin\")\n\t\tgo stdinControl(reconnectCh, log)\n\t}\n\n\twg.Add(1)\n\tgo func() {\n\t\tdefer func() {\n\t\t\twg.Done()\n\t\t\tlog.Info().Msg(\"Tunnel server stopped\")\n\t\t}()\n\t\terrC <- supervisor.StartTunnelDaemon(ctx, tunnelConfig, orchestrator, connectedSignal, reconnectCh, graceShutdownC)\n\t}()\n\n\tgracePeriod, err := gracePeriod(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn waitToShutdown(&wg, cancel, errC, graceShutdownC, gracePeriod, log)\n}\n\nfunc waitToShutdown(wg *sync.WaitGroup,\n\tcancelServerContext func(),\n\terrC <-chan error,\n\tgraceShutdownC <-chan struct{},\n\tgracePeriod time.Duration,\n\tlog *zerolog.Logger,\n) error {\n\tvar err error\n\tselect {\n\tcase err = <-errC:\n\t\tlog.Error().Err(err).Msg(\"Initiating shutdown\")\n\tcase <-graceShutdownC:\n\t\tlog.Debug().Msg(\"Graceful shutdown signalled\")\n\t\tif gracePeriod > 0 {\n\t\t\t// wait for either grace period or service termination\n\t\t\tticker := time.NewTicker(gracePeriod)\n\t\t\tdefer ticker.Stop()\n\t\t\tselect {\n\t\t\tcase <-ticker.C:\n\t\t\tcase <-errC:\n\t\t\t}\n\t\t}\n\t}\n\n\t// stop server context\n\tcancelServerContext()\n\n\t// Wait for clean exit, discarding all errors while we wait\n\tstopDiscarding := make(chan struct{})\n\tgo func() {\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-errC: // ignore\n\t\t\tcase <-stopDiscarding:\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}()\n\twg.Wait()\n\tclose(stopDiscarding)\n\n\treturn err\n}\n\nfunc notifySystemd(waitForSignal *signal.Signal) {\n\t<-waitForSignal.Wait()\n\t_, _ = daemon.SdNotify(false, \"READY=1\")\n}\n\nfunc writePidFile(waitForSignal *signal.Signal, pidPathname string, log *zerolog.Logger) {\n\t<-waitForSignal.Wait()\n\texpandedPath, err := homedir.Expand(pidPathname)\n\tif err != nil {\n\t\tlog.Err(err).Str(LogFieldPIDPathname, pidPathname).Msg(\"Unable to expand the path, try to use absolute path in --pidfile\")\n\t\treturn\n\t}\n\tfile, err := os.Create(expandedPath)\n\tif err != nil {\n\t\tlog.Err(err).Str(LogFieldExpandedPath, expandedPath).Msg(\"Unable to write pid\")\n\t\treturn\n\t}\n\tdefer file.Close()\n\tfmt.Fprintf(file, \"%d\", os.Getpid())\n}\n\nfunc hostnameFromURI(uri string) string {\n\tu, err := url.Parse(uri)\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\tswitch u.Scheme {\n\tcase \"ssh\":\n\t\treturn addPortIfMissing(u, 22)\n\tcase \"rdp\":\n\t\treturn addPortIfMissing(u, 3389)\n\tcase \"smb\":\n\t\treturn addPortIfMissing(u, 445)\n\tcase \"tcp\":\n\t\treturn addPortIfMissing(u, 7864) // just a random port since there isn't a default in this case\n\t}\n\treturn \"\"\n}\n\nfunc addPortIfMissing(uri *url.URL, port int) string {\n\tif uri.Port() != \"\" {\n\t\treturn uri.Host\n\t}\n\treturn fmt.Sprintf(\"%s:%d\", uri.Hostname(), port)\n}\n\nfunc tunnelFlags(shouldHide bool) []cli.Flag {\n\tflags := configureCloudflaredFlags(shouldHide)\n\tflags = append(flags, configureProxyFlags(shouldHide)...)\n\tflags = append(flags, cliutil.ConfigureLoggingFlags(shouldHide)...)\n\tflags = append(flags, proxydns.ConfigureProxyDNSFlags(shouldHide)...) // removed feature, only kept to not break any script that might be setting these flags\n\tflags = append(flags, []cli.Flag{\n\t\tcredentialsFileFlag,\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: cfdflags.IsAutoUpdated,\n\t\t\tUsage: \"Signal the new process that Cloudflare Tunnel connector has been autoupdated\",\n\t\t\tValue: false,\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringSliceFlag(&cli.StringSliceFlag{\n\t\t\tName: cfdflags.Edge,\n\t\t\tUsage: \"Address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment.\",\n\t\t\tEnvVars: []string{\"TUNNEL_EDGE\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.Region,\n\t\t\tUsage: \"Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region.\",\n\t\t\tEnvVars: []string{\"TUNNEL_REGION\"},\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.EdgeIpVersion,\n\t\t\tUsage: \"Cloudflare Edge IP address version to connect with. {4, 6, auto}\",\n\t\t\tEnvVars: []string{\"TUNNEL_EDGE_IP_VERSION\"},\n\t\t\tValue: \"4\",\n\t\t\tHidden: false,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.EdgeBindAddress,\n\t\t\tUsage: \"Bind to IP address for outgoing connections to Cloudflare Edge.\",\n\t\t\tEnvVars: []string{\"TUNNEL_EDGE_BIND_ADDRESS\"},\n\t\t\tHidden: false,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: tlsconfig.CaCertFlag,\n\t\t\tUsage: \"Certificate Authority authenticating connections with Cloudflare's edge network.\",\n\t\t\tEnvVars: []string{\"TUNNEL_CACERT\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: \"hostname\",\n\t\t\tUsage: \"Set a hostname on a Cloudflare zone to route traffic through this tunnel.\",\n\t\t\tEnvVars: []string{\"TUNNEL_HOSTNAME\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: \"id\",\n\t\t\tUsage: \"A unique identifier used to tie connections to this tunnel instance.\",\n\t\t\tEnvVars: []string{\"TUNNEL_ID\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.LBPool,\n\t\t\tUsage: \"The name of a (new/existing) load balancing pool to add this origin to.\",\n\t\t\tEnvVars: []string{\"TUNNEL_LB_POOL\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: \"api-key\",\n\t\t\tUsage: \"This parameter has been deprecated since version 2017.10.1.\",\n\t\t\tEnvVars: []string{\"TUNNEL_API_KEY\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: \"api-email\",\n\t\t\tUsage: \"This parameter has been deprecated since version 2017.10.1.\",\n\t\t\tEnvVars: []string{\"TUNNEL_API_EMAIL\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: \"api-ca-key\",\n\t\t\tUsage: \"This parameter has been deprecated since version 2017.10.1.\",\n\t\t\tEnvVars: []string{\"TUNNEL_API_CA_KEY\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.ApiURL,\n\t\t\tUsage: \"Base URL for Cloudflare API v4\",\n\t\t\tEnvVars: []string{\"TUNNEL_API_URL\"},\n\t\t\tValue: \"https://api.cloudflare.com/client/v4\",\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: cfdflags.MetricsUpdateFreq,\n\t\t\tUsage: \"Frequency to update tunnel metrics\",\n\t\t\tValue: time.Second * 5,\n\t\t\tEnvVars: []string{\"TUNNEL_METRICS_UPDATE_FREQ\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringSliceFlag(&cli.StringSliceFlag{\n\t\t\tName: cfdflags.Tag,\n\t\t\tUsage: \"Custom tags used to identify this tunnel via added HTTP request headers to the origin, in format `KEY=VALUE`. Multiple tags may be specified.\",\n\t\t\tEnvVars: []string{\"TUNNEL_TAG\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: \"heartbeat-interval\",\n\t\t\tUsage: \"Minimum idle time before sending a heartbeat.\",\n\t\t\tValue: time.Second * 5,\n\t\t\tHidden: true,\n\t\t}),\n\t\t// Note TUN-3758 , we use Int because UInt is not supported with altsrc\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: \"heartbeat-count\",\n\t\t\tUsage: \"Minimum number of unacked heartbeats to send before closing the connection.\",\n\t\t\tValue: 5,\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: cfdflags.MaxEdgeAddrRetries,\n\t\t\tUsage: \"Maximum number of times to retry on edge addrs before falling back to a lower protocol\",\n\t\t\tValue: 8,\n\t\t\tHidden: true,\n\t\t}),\n\t\t// Note TUN-3758 , we use Int because UInt is not supported with altsrc\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: cfdflags.Retries,\n\t\t\tValue: 5,\n\t\t\tUsage: \"Maximum number of retries for connection/protocol errors.\",\n\t\t\tEnvVars: []string{\"TUNNEL_RETRIES\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: cfdflags.HaConnections,\n\t\t\tValue: 4,\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: cfdflags.RpcTimeout,\n\t\t\tValue: 5 * time.Second,\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: cfdflags.WriteStreamTimeout,\n\t\t\tEnvVars: []string{\"TUNNEL_STREAM_WRITE_TIMEOUT\"},\n\t\t\tUsage: \"Use this option to add a stream write timeout for connections when writing towards the origin or edge. Default is 0 which disables the write timeout.\",\n\t\t\tValue: 0 * time.Second,\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: cfdflags.QuicDisablePathMTUDiscovery,\n\t\t\tEnvVars: []string{\"TUNNEL_DISABLE_QUIC_PMTU\"},\n\t\t\tUsage: \"Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.\",\n\t\t\tValue: false,\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: cfdflags.QuicConnLevelFlowControlLimit,\n\t\t\tEnvVars: []string{\"TUNNEL_QUIC_CONN_LEVEL_FLOW_CONTROL_LIMIT\"},\n\t\t\tUsage: \"Use this option to change the connection-level flow control limit for QUIC transport.\",\n\t\t\tValue: 30 * (1 << 20), // 30 MB\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: cfdflags.QuicStreamLevelFlowControlLimit,\n\t\t\tEnvVars: []string{\"TUNNEL_QUIC_STREAM_LEVEL_FLOW_CONTROL_LIMIT\"},\n\t\t\tUsage: \"Use this option to change the connection-level flow control limit for QUIC transport.\",\n\t\t\tValue: 6 * (1 << 20), // 6 MB\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.ConnectorLabel,\n\t\t\tUsage: \"Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.\",\n\t\t\tValue: \"\",\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: cfdflags.GracePeriod,\n\t\t\tUsage: \"When cloudflared receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shutdown. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received.\",\n\t\t\tValue: time.Second * 30,\n\t\t\tEnvVars: []string{\"TUNNEL_GRACE_PERIOD\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\t// Note TUN-3758 , we use Int because UInt is not supported with altsrc\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: \"compression-quality\",\n\t\t\tValue: 0,\n\t\t\tUsage: \"(beta) Use cross-stream compression instead HTTP compression. 0-off, 1-low, 2-medium, >=3-high.\",\n\t\t\tEnvVars: []string{\"TUNNEL_COMPRESSION_LEVEL\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: \"use-reconnect-token\",\n\t\t\tUsage: \"Test reestablishing connections with the new 'reconnect token' flow.\",\n\t\t\tValue: true,\n\t\t\tEnvVars: []string{\"TUNNEL_USE_RECONNECT_TOKEN\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: \"dial-edge-timeout\",\n\t\t\tUsage: \"Maximum wait time to set up a connection with the edge\",\n\t\t\tValue: time.Second * 15,\n\t\t\tEnvVars: []string{\"DIAL_EDGE_TIMEOUT\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: \"stdin-control\",\n\t\t\tUsage: \"Control the process using commands sent through stdin\",\n\t\t\tEnvVars: []string{\"STDIN_CONTROL\"},\n\t\t\tHidden: true,\n\t\t\tValue: false,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.Name,\n\t\t\tAliases: []string{\"n\"},\n\t\t\tEnvVars: []string{\"TUNNEL_NAME\"},\n\t\t\tUsage: \"Stable name to identify the tunnel. Using this flag will create, route and run a tunnel. For production usage, execute each command separately\",\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: cfdflags.Ui,\n\t\t\tUsage: \"(depreciated) Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.\",\n\t\t\tValue: false,\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: \"quick-service\",\n\t\t\tUsage: \"URL for a service which manages unauthenticated 'quick' tunnels.\",\n\t\t\tValue: \"https://api.trycloudflare.com\",\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: \"max-fetch-size\",\n\t\t\tUsage: `The maximum number of results that cloudflared can fetch from Cloudflare API for any listing operations needed`,\n\t\t\tEnvVars: []string{\"TUNNEL_MAX_FETCH_SIZE\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: cfdflags.PostQuantum,\n\t\t\tUsage: \"When given creates an experimental post-quantum secure tunnel\",\n\t\t\tAliases: []string{\"pq\"},\n\t\t\tEnvVars: []string{\"TUNNEL_POST_QUANTUM\"},\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: \"management-diagnostics\",\n\t\t\tUsage: \"Enables the in-depth diagnostic routes to be made available over the management service (/debug/pprof, /metrics, etc.)\",\n\t\t\tEnvVars: []string{\"TUNNEL_MANAGEMENT_DIAGNOSTICS\"},\n\t\t\tValue: true,\n\t\t}),\n\t\tselectProtocolFlag,\n\t\toverwriteDNSFlag,\n\t}...)\n\n\treturn flags\n}\n\n// Flags in tunnel command that is relevant to run subcommand\nfunc configureCloudflaredFlags(shouldHide bool) []cli.Flag {\n\treturn []cli.Flag{\n\t\t&cli.StringFlag{\n\t\t\tName: \"config\",\n\t\t\tUsage: \"Specifies a config file in YAML format.\",\n\t\t\tValue: config.FindDefaultConfigPath(),\n\t\t\tHidden: shouldHide,\n\t\t},\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.OriginCert,\n\t\t\tUsage: \"Path to the certificate generated for your origin when you run cloudflared login.\",\n\t\t\tEnvVars: []string{\"TUNNEL_ORIGIN_CERT\"},\n\t\t\tValue: credentials.FindDefaultOriginCertPath(),\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: cfdflags.AutoUpdateFreq,\n\t\t\tUsage: fmt.Sprintf(\"Autoupdate frequency. Default is %v.\", updater.DefaultCheckUpdateFreq),\n\t\t\tValue: updater.DefaultCheckUpdateFreq,\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: cfdflags.NoAutoUpdate,\n\t\t\tUsage: \"Disable periodic check for updates, restarting the server with the new version.\",\n\t\t\tEnvVars: []string{\"NO_AUTOUPDATE\"},\n\t\t\tValue: false,\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.Metrics,\n\t\t\tValue: metrics.GetMetricsDefaultAddress(metrics.Runtime),\n\t\t\tUsage: fmt.Sprintf(\n\t\t\t\t`Listen address for metrics reporting. If no address is passed cloudflared will try to bind to %v.\nIf all are unavailable, a random port will be used. Note that when running cloudflared from an virtual\nenvironment the default address binds to all interfaces, hence, it is important to isolate the host\nand virtualized host network stacks from each other`,\n\t\t\t\tmetrics.GetMetricsKnownAddresses(metrics.Runtime),\n\t\t\t),\n\t\t\tEnvVars: []string{\"TUNNEL_METRICS\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: \"pidfile\",\n\t\t\tUsage: \"Write the application's PID to this file after first successful connection.\",\n\t\t\tEnvVars: []string{\"TUNNEL_PIDFILE\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t}\n}\n\nfunc configureProxyFlags(shouldHide bool) []cli.Flag {\n\tflags := []cli.Flag{\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: \"url\",\n\t\t\tValue: \"http://localhost:8080\",\n\t\t\tUsage: \"Connect to the local webserver at `URL`.\",\n\t\t\tEnvVars: []string{\"TUNNEL_URL\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: ingress.HelloWorldFlag,\n\t\t\tValue: false,\n\t\t\tUsage: \"Run Hello World Server\",\n\t\t\tEnvVars: []string{\"TUNNEL_HELLO_WORLD\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: ingress.Socks5Flag,\n\t\t\tUsage: legacyTunnelFlag(\"specify if this tunnel is running as a SOCK5 Server\"),\n\t\t\tEnvVars: []string{\"TUNNEL_SOCKS\"},\n\t\t\tValue: false,\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: ingress.ProxyConnectTimeoutFlag,\n\t\t\tUsage: legacyTunnelFlag(\"HTTP proxy timeout for establishing a new connection\"),\n\t\t\tValue: time.Second * 30,\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: ingress.ProxyTLSTimeoutFlag,\n\t\t\tUsage: legacyTunnelFlag(\"HTTP proxy timeout for completing a TLS handshake\"),\n\t\t\tValue: time.Second * 10,\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: ingress.ProxyTCPKeepAliveFlag,\n\t\t\tUsage: legacyTunnelFlag(\"HTTP proxy TCP keepalive duration\"),\n\t\t\tValue: time.Second * 30,\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: ingress.ProxyNoHappyEyeballsFlag,\n\t\t\tUsage: legacyTunnelFlag(\"HTTP proxy should disable \\\"happy eyeballs\\\" for IPv4/v6 fallback\"),\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: ingress.ProxyKeepAliveConnectionsFlag,\n\t\t\tUsage: legacyTunnelFlag(\"HTTP proxy maximum keepalive connection pool size\"),\n\t\t\tValue: 100,\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: ingress.ProxyKeepAliveTimeoutFlag,\n\t\t\tUsage: legacyTunnelFlag(\"HTTP proxy timeout for closing an idle connection\"),\n\t\t\tValue: time.Second * 90,\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: \"proxy-connection-timeout\",\n\t\t\tUsage: \"DEPRECATED. No longer has any effect.\",\n\t\t\tValue: time.Second * 90,\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: \"proxy-expect-continue-timeout\",\n\t\t\tUsage: \"DEPRECATED. No longer has any effect.\",\n\t\t\tValue: time.Second * 90,\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: ingress.HTTPHostHeaderFlag,\n\t\t\tUsage: legacyTunnelFlag(\"Sets the HTTP Host header for the local webserver.\"),\n\t\t\tEnvVars: []string{\"TUNNEL_HTTP_HOST_HEADER\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: ingress.OriginServerNameFlag,\n\t\t\tUsage: legacyTunnelFlag(\"Hostname on the origin server certificate.\"),\n\t\t\tEnvVars: []string{\"TUNNEL_ORIGIN_SERVER_NAME\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: \"unix-socket\",\n\t\t\tUsage: \"Path to unix socket to use instead of --url\",\n\t\t\tEnvVars: []string{\"TUNNEL_UNIX_SOCKET\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: tlsconfig.OriginCAPoolFlag,\n\t\t\tUsage: legacyTunnelFlag(\"Path to the CA for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.\"),\n\t\t\tEnvVars: []string{\"TUNNEL_ORIGIN_CA_POOL\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: ingress.NoTLSVerifyFlag,\n\t\t\tUsage: legacyTunnelFlag(\"Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. Note: The connection from your machine to Cloudflare's Edge is still encrypted.\"),\n\t\t\tEnvVars: []string{\"NO_TLS_VERIFY\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: ingress.NoChunkedEncodingFlag,\n\t\t\tUsage: legacyTunnelFlag(\"Disables chunked transfer encoding; useful if you are running a WSGI server.\"),\n\t\t\tEnvVars: []string{\"TUNNEL_NO_CHUNKED_ENCODING\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: ingress.Http2OriginFlag,\n\t\t\tUsage: \"Enables HTTP/2 origin servers.\",\n\t\t\tEnvVars: []string{\"TUNNEL_ORIGIN_ENABLE_HTTP2\"},\n\t\t\tHidden: shouldHide,\n\t\t\tValue: false,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.ManagementHostname,\n\t\t\tUsage: \"Management hostname to signify incoming management requests\",\n\t\t\tEnvVars: []string{\"TUNNEL_MANAGEMENT_HOSTNAME\"},\n\t\t\tHidden: true,\n\t\t\tValue: \"management.argotunnel.com\",\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: \"service-op-ip\",\n\t\t\tUsage: \"Fallback IP for service operations run by the management service.\",\n\t\t\tEnvVars: []string{\"TUNNEL_SERVICE_OP_IP\"},\n\t\t\tHidden: true,\n\t\t\tValue: \"198.41.200.113:80\",\n\t\t}),\n\t}\n\treturn append(flags, sshFlags(shouldHide)...)\n}\n\nfunc legacyTunnelFlag(msg string) string {\n\treturn fmt.Sprintf(\n\t\t\"%s This flag only takes effect if you define your origin with `--url` and if you do not use ingress rules.\"+\n\t\t\t\" The recommended way is to rely on ingress rules and define this property under `originRequest` as per\"+\n\t\t\t\" https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress\",\n\t\tmsg,\n\t)\n}\n\nfunc sshFlags(shouldHide bool) []cli.Flag {\n\treturn []cli.Flag{\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.SshPort,\n\t\t\tUsage: \"Localhost port that cloudflared SSH server will run on\",\n\t\t\tValue: \"2222\",\n\t\t\tEnvVars: []string{\"LOCAL_SSH_PORT\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: cfdflags.SshIdleTimeout,\n\t\t\tUsage: \"Connection timeout after no activity\",\n\t\t\tEnvVars: []string{\"SSH_IDLE_TIMEOUT\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewDurationFlag(&cli.DurationFlag{\n\t\t\tName: cfdflags.SshMaxTimeout,\n\t\t\tUsage: \"Absolute connection timeout\",\n\t\t\tEnvVars: []string{\"SSH_MAX_TIMEOUT\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.SshLogUploaderBucketName,\n\t\t\tUsage: \"Bucket name of where to upload SSH logs\",\n\t\t\tEnvVars: []string{\"BUCKET_ID\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.SshLogUploaderRegionName,\n\t\t\tUsage: \"Region name of where to upload SSH logs\",\n\t\t\tEnvVars: []string{\"REGION_ID\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.SshLogUploaderSecretID,\n\t\t\tUsage: \"Secret ID of where to upload SSH logs\",\n\t\t\tEnvVars: []string{\"SECRET_ID\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.SshLogUploaderAccessKeyID,\n\t\t\tUsage: \"Access Key ID of where to upload SSH logs\",\n\t\t\tEnvVars: []string{\"ACCESS_CLIENT_ID\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.SshLogUploaderSessionTokenID,\n\t\t\tUsage: \"Session Token to use in the configuration of SSH logs uploading\",\n\t\t\tEnvVars: []string{\"SESSION_TOKEN_ID\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: cfdflags.SshLogUploaderS3URL,\n\t\t\tUsage: \"S3 url of where to upload SSH logs\",\n\t\t\tEnvVars: []string{\"S3_URL\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewPathFlag(&cli.PathFlag{\n\t\t\tName: cfdflags.HostKeyPath,\n\t\t\tUsage: \"Absolute path of directory to save SSH host keys in\",\n\t\t\tEnvVars: []string{\"HOST_KEY_PATH\"},\n\t\t\tHidden: true,\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: ingress.SSHServerFlag,\n\t\t\tValue: false,\n\t\t\tUsage: \"Run an SSH Server\",\n\t\t\tEnvVars: []string{\"TUNNEL_SSH_SERVER\"},\n\t\t\tHidden: true, // TODO: remove when feature is complete\n\t\t}),\n\t\taltsrc.NewBoolFlag(&cli.BoolFlag{\n\t\t\tName: config.BastionFlag,\n\t\t\tValue: false,\n\t\t\tUsage: \"Runs as jump host\",\n\t\t\tEnvVars: []string{\"TUNNEL_BASTION\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\taltsrc.NewStringFlag(&cli.StringFlag{\n\t\t\tName: ingress.ProxyAddressFlag,\n\t\t\tUsage: \"Listen address for the proxy.\",\n\t\t\tValue: \"127.0.0.1\",\n\t\t\tEnvVars: []string{\"TUNNEL_PROXY_ADDRESS\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t\t// Note TUN-3758 , we use Int because UInt is not supported with altsrc\n\t\taltsrc.NewIntFlag(&cli.IntFlag{\n\t\t\tName: ingress.ProxyPortFlag,\n\t\t\tUsage: \"Listen port for the proxy.\",\n\t\t\tValue: 0,\n\t\t\tEnvVars: []string{\"TUNNEL_PROXY_PORT\"},\n\t\t\tHidden: shouldHide,\n\t\t}),\n\t}\n}\n\nfunc stdinControl(reconnectCh chan supervisor.ReconnectSignal, log *zerolog.Logger) {\n\tfor {\n\t\tscanner := bufio.NewScanner(os.Stdin)\n\t\tfor scanner.Scan() {\n\t\t\tcommand := scanner.Text()\n\t\t\tparts := strings.SplitN(command, \" \", 2)\n\n\t\t\tswitch parts[0] {\n\t\t\tcase \"\":\n\t\t\t\tbreak\n\t\t\tcase \"reconnect\":\n\t\t\t\tvar reconnect supervisor.ReconnectSignal\n\t\t\t\tif len(parts) > 1 {\n\t\t\t\t\tvar err error\n\t\t\t\t\tif reconnect.Delay, err = time.ParseDuration(parts[1]); err != nil {\n\t\t\t\t\t\tlog.Error().Msg(err.Error())\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tlog.Info().Msgf(\"Sending %+v\", reconnect)\n\t\t\t\treconnectCh <- reconnect\n\t\t\tdefault:\n\t\t\t\tlog.Info().Str(LogFieldCommand, command).Msg(\"Unknown command\")\n\t\t\t\tfallthrough\n\t\t\tcase \"help\":\n\t\t\t\tlog.Info().Msg(`Supported command:\nreconnect [delay]\n- restarts one randomly chosen connection with optional delay before reconnect`)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc nonSecretCliFlags(log *zerolog.Logger, cli *cli.Context, flagInclusionList []string) map[string]string {\n\tflagsNames := cli.FlagNames()\n\tflags := make(map[string]string, len(flagsNames))\n\n\tfor _, flag := range flagsNames {\n\t\tvalue := cli.String(flag)\n\n\t\tif value == \"\" {\n\t\t\tcontinue\n\t\t}\n\n\t\tisIncluded := isFlagIncluded(flagInclusionList, flag)\n\t\tif !isIncluded {\n\t\t\tcontinue\n\t\t}\n\n\t\tswitch flag {\n\t\tcase cfdflags.LogDirectory, cfdflags.LogFile:\n\t\t\t{\n\t\t\t\tabsolute, err := filepath.Abs(value)\n\t\t\t\tif err != nil {\n\t\t\t\t\tlog.Error().Err(err).Msgf(\"could not convert %s path to absolute\", flag)\n\t\t\t\t} else {\n\t\t\t\t\tflags[flag] = absolute\n\t\t\t\t}\n\t\t\t}\n\t\tdefault:\n\t\t\tflags[flag] = value\n\t\t}\n\t}\n\treturn flags\n}\n\nfunc isFlagIncluded(flagInclusionList []string, flag string) bool {\n\tfor _, include := range flagInclusionList {\n\t\tif include == flag {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n" }, { "path": "cmd/cloudflared/tunnel/cmd_test.go", "content": "package tunnel\n\nimport (\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestHostnameFromURI(t *testing.T) {\n\tassert.Equal(t, \"awesome.warptunnels.horse:22\", hostnameFromURI(\"ssh://awesome.warptunnels.horse:22\"))\n\tassert.Equal(t, \"awesome.warptunnels.horse:22\", hostnameFromURI(\"ssh://awesome.warptunnels.horse\"))\n\tassert.Equal(t, \"awesome.warptunnels.horse:2222\", hostnameFromURI(\"ssh://awesome.warptunnels.horse:2222\"))\n\tassert.Equal(t, \"localhost:3389\", hostnameFromURI(\"rdp://localhost\"))\n\tassert.Equal(t, \"localhost:3390\", hostnameFromURI(\"rdp://localhost:3390\"))\n\tassert.Equal(t, \"\", hostnameFromURI(\"trash\"))\n\tassert.Equal(t, \"\", hostnameFromURI(\"https://awesomesauce.com\"))\n}\n" }, { "path": "cmd/cloudflared/tunnel/configuration.go", "content": "package tunnel\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/netip\"\n\t\"os\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\t\"github.com/urfave/cli/v2/altsrc\"\n\t\"golang.org/x/term\"\n\n\t\"github.com/cloudflare/cloudflared/client\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/edgediscovery\"\n\t\"github.com/cloudflare/cloudflared/edgediscovery/allregions\"\n\t\"github.com/cloudflare/cloudflared/features\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/ingress/origins\"\n\t\"github.com/cloudflare/cloudflared/orchestration\"\n\t\"github.com/cloudflare/cloudflared/supervisor\"\n\t\"github.com/cloudflare/cloudflared/tlsconfig\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\nconst (\n\tsecretValue = \"*****\"\n\ticmpFunnelTimeout = time.Second * 10\n)\n\nvar (\n\tsecretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}\n\n\tconfigFlags = []string{\n\t\tflags.AutoUpdateFreq,\n\t\tflags.NoAutoUpdate,\n\t\tflags.Retries,\n\t\tflags.Protocol,\n\t\tflags.LogLevel,\n\t\tflags.TransportLogLevel,\n\t\tflags.OriginCert,\n\t\tflags.Metrics,\n\t\tflags.MetricsUpdateFreq,\n\t\tflags.EdgeIpVersion,\n\t\tflags.EdgeBindAddress,\n\t\tflags.MaxActiveFlows,\n\t}\n)\n\nfunc logClientOptions(c *cli.Context, log *zerolog.Logger) {\n\tflags := make(map[string]interface{})\n\tfor _, flag := range c.FlagNames() {\n\t\tif isSecretFlag(flag) {\n\t\t\tflags[flag] = secretValue\n\t\t} else {\n\t\t\tflags[flag] = c.Generic(flag)\n\t\t}\n\t}\n\n\tif len(flags) > 0 {\n\t\tlog.Info().Msgf(\"Settings: %v\", flags)\n\t}\n\n\tenvs := make(map[string]string)\n\t// Find env variables for Argo Tunnel\n\tfor _, env := range os.Environ() {\n\t\t// All Argo Tunnel env variables start with TUNNEL_\n\t\tif strings.Contains(env, \"TUNNEL_\") {\n\t\t\tvars := strings.Split(env, \"=\")\n\t\t\tif len(vars) == 2 {\n\t\t\t\tif isSecretEnvVar(vars[0]) {\n\t\t\t\t\tenvs[vars[0]] = secretValue\n\t\t\t\t} else {\n\t\t\t\t\tenvs[vars[0]] = vars[1]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\tif len(envs) > 0 {\n\t\tlog.Info().Msgf(\"Environmental variables %v\", envs)\n\t}\n}\n\nfunc isSecretFlag(key string) bool {\n\tfor _, flag := range secretFlags {\n\t\tif flag.Name == key {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc isSecretEnvVar(key string) bool {\n\tfor _, flag := range secretFlags {\n\t\tfor _, secretEnvVar := range flag.EnvVars {\n\t\t\tif secretEnvVar == key {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\nfunc prepareTunnelConfig(\n\tctx context.Context,\n\tc *cli.Context,\n\tinfo *cliutil.BuildInfo,\n\tlog, logTransport *zerolog.Logger,\n\tobserver *connection.Observer,\n\tnamedTunnel *connection.TunnelProperties,\n) (*supervisor.TunnelConfig, *orchestration.Config, error) {\n\ttransportProtocol := c.String(flags.Protocol)\n\tisPostQuantumEnforced := c.Bool(flags.PostQuantum)\n\tfeatureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, c.StringSlice(flags.Features), isPostQuantumEnforced, log)\n\tif err != nil {\n\t\treturn nil, nil, errors.Wrap(err, \"Failed to create feature selector\")\n\t}\n\n\tclientConfig, err := client.NewConfig(info.Version(), info.OSArch(), featureSelector)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\tlog.Info().Msgf(\"Generated Connector ID: %s\", clientConfig.ConnectorID)\n\n\ttags, err := NewTagSliceFromCLI(c.StringSlice(flags.Tag))\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"Tag parse failure\")\n\t\treturn nil, nil, errors.Wrap(err, \"Tag parse failure\")\n\t}\n\ttags = append(tags, pogs.Tag{Name: \"ID\", Value: clientConfig.ConnectorID.String()})\n\n\tclientFeatures := featureSelector.Snapshot()\n\tpqMode := clientFeatures.PostQuantum\n\tif pqMode == features.PostQuantumStrict {\n\t\t// Error if the user tries to force a non-quic transport protocol\n\t\tif transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() {\n\t\t\treturn nil, nil, fmt.Errorf(\"post-quantum is only supported with the quic transport\")\n\t\t}\n\t\ttransportProtocol = connection.QUIC.String()\n\t}\n\n\tcfg := config.GetConfiguration()\n\tingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\tprotocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), isPostQuantumEnforced, edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\tlog.Info().Msgf(\"Initial protocol %s\", protocolSelector.Current())\n\n\tedgeTLSConfigs := make(map[connection.Protocol]*tls.Config, len(connection.ProtocolList))\n\tfor _, p := range connection.ProtocolList {\n\t\ttlsSettings := p.TLSSettings()\n\t\tif tlsSettings == nil {\n\t\t\treturn nil, nil, fmt.Errorf(\"%s has unknown TLS settings\", p)\n\t\t}\n\t\tedgeTLSConfig, err := tlsconfig.CreateTunnelConfig(c, tlsSettings.ServerName)\n\t\tif err != nil {\n\t\t\treturn nil, nil, errors.Wrap(err, \"unable to create TLS config to connect with edge\")\n\t\t}\n\t\tif len(tlsSettings.NextProtos) > 0 {\n\t\t\tedgeTLSConfig.NextProtos = tlsSettings.NextProtos\n\t\t}\n\t\tedgeTLSConfigs[p] = edgeTLSConfig\n\t}\n\n\tgracePeriod, err := gracePeriod(c)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\tedgeIPVersion, err := parseConfigIPVersion(c.String(flags.EdgeIpVersion))\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\tedgeBindAddr, err := parseConfigBindAddress(c.String(flags.EdgeBindAddress))\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\tif err := testIPBindable(edgeBindAddr); err != nil {\n\t\treturn nil, nil, fmt.Errorf(\"invalid edge-bind-address %s: %v\", edgeBindAddr, err)\n\t}\n\tedgeIPVersion, err = adjustIPVersionByBindAddress(edgeIPVersion, edgeBindAddr)\n\tif err != nil {\n\t\t// This is not a fatal error, we just overrode edgeIPVersion\n\t\tlog.Warn().Str(\"edgeIPVersion\", edgeIPVersion.String()).Err(err).Msg(\"Overriding edge-ip-version\")\n\t}\n\n\tregion := c.String(flags.Region)\n\tendpoint := namedTunnel.Credentials.Endpoint\n\tvar resolvedRegion string\n\t// set resolvedRegion to either the region passed as argument\n\t// or to the endpoint in the credentials.\n\t// Region and endpoint are interchangeable\n\tif region != \"\" && endpoint != \"\" {\n\t\treturn nil, nil, fmt.Errorf(\"region provided with a token that has an endpoint\")\n\t} else if region != \"\" {\n\t\tresolvedRegion = region\n\t} else if endpoint != \"\" {\n\t\tresolvedRegion = endpoint\n\t}\n\n\twarpRoutingConfig := ingress.NewWarpRoutingConfig(&cfg.WarpRouting)\n\n\t// Setup origin dialer service and virtual services\n\toriginDialerService := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: ingress.NewDialer(warpRoutingConfig),\n\t\tTCPWriteTimeout: c.Duration(flags.WriteStreamTimeout),\n\t}, log)\n\n\t// Setup DNS Resolver Service\n\toriginMetrics := origins.NewMetrics(prometheus.DefaultRegisterer)\n\tdnsResolverAddrs := c.StringSlice(flags.VirtualDNSServiceResolverAddresses)\n\tdnsService := origins.NewDNSResolverService(origins.NewDNSDialer(), log, originMetrics)\n\tif len(dnsResolverAddrs) > 0 {\n\t\taddrs, err := parseResolverAddrPorts(dnsResolverAddrs)\n\t\tif err != nil {\n\t\t\treturn nil, nil, fmt.Errorf(\"invalid %s provided: %w\", flags.VirtualDNSServiceResolverAddresses, err)\n\t\t}\n\t\tdnsService = origins.NewStaticDNSResolverService(addrs, origins.NewDNSDialer(), log, originMetrics)\n\t}\n\toriginDialerService.AddReservedService(dnsService, []netip.AddrPort{origins.VirtualDNSServiceAddr})\n\n\ttunnelConfig := &supervisor.TunnelConfig{\n\t\tClientConfig: clientConfig,\n\t\tGracePeriod: gracePeriod,\n\t\tEdgeAddrs: c.StringSlice(flags.Edge),\n\t\tRegion: resolvedRegion,\n\t\tEdgeIPVersion: edgeIPVersion,\n\t\tEdgeBindAddr: edgeBindAddr,\n\t\tHAConnections: c.Int(flags.HaConnections),\n\t\tIsAutoupdated: c.Bool(flags.IsAutoUpdated),\n\t\tLBPool: c.String(flags.LBPool),\n\t\tTags: tags,\n\t\tLog: log,\n\t\tLogTransport: logTransport,\n\t\tObserver: observer,\n\t\tReportedVersion: info.Version(),\n\t\t// Note TUN-3758 , we use Int because UInt is not supported with altsrc\n\t\tRetries: uint(c.Int(flags.Retries)), // nolint: gosec\n\t\tRunFromTerminal: isRunningFromTerminal(),\n\t\tNamedTunnel: namedTunnel,\n\t\tProtocolSelector: protocolSelector,\n\t\tEdgeTLSConfigs: edgeTLSConfigs,\n\t\tMaxEdgeAddrRetries: uint8(c.Int(flags.MaxEdgeAddrRetries)), // nolint: gosec\n\t\tRPCTimeout: c.Duration(flags.RpcTimeout),\n\t\tWriteStreamTimeout: c.Duration(flags.WriteStreamTimeout),\n\t\tDisableQUICPathMTUDiscovery: c.Bool(flags.QuicDisablePathMTUDiscovery),\n\t\tQUICConnectionLevelFlowControlLimit: c.Uint64(flags.QuicConnLevelFlowControlLimit),\n\t\tQUICStreamLevelFlowControlLimit: c.Uint64(flags.QuicStreamLevelFlowControlLimit),\n\t\tOriginDNSService: dnsService,\n\t\tOriginDialerService: originDialerService,\n\t}\n\ticmpRouter, err := newICMPRouter(c, log)\n\tif err != nil {\n\t\tlog.Warn().Err(err).Msg(\"ICMP proxy feature is disabled\")\n\t} else {\n\t\ttunnelConfig.ICMPRouterServer = icmpRouter\n\t}\n\torchestratorConfig := &orchestration.Config{\n\t\tIngress: &ingressRules,\n\t\tWarpRouting: warpRoutingConfig,\n\t\tOriginDialerService: originDialerService,\n\t\tConfigurationFlags: parseConfigFlags(c),\n\t}\n\treturn tunnelConfig, orchestratorConfig, nil\n}\n\nfunc parseConfigFlags(c *cli.Context) map[string]string {\n\tresult := make(map[string]string)\n\n\tfor _, flag := range configFlags {\n\t\tif v := c.String(flag); c.IsSet(flag) && v != \"\" {\n\t\t\tresult[flag] = v\n\t\t}\n\t}\n\n\treturn result\n}\n\nfunc gracePeriod(c *cli.Context) (time.Duration, error) {\n\tperiod := c.Duration(flags.GracePeriod)\n\tif period > connection.MaxGracePeriod {\n\t\treturn time.Duration(0), fmt.Errorf(\"%s must be equal or less than %v\", flags.GracePeriod, connection.MaxGracePeriod)\n\t}\n\treturn period, nil\n}\n\nfunc isRunningFromTerminal() bool {\n\treturn term.IsTerminal(int(os.Stdout.Fd()))\n}\n\n// ParseConfigIPVersion returns the IP version from possible expected values from config\nfunc parseConfigIPVersion(version string) (v allregions.ConfigIPVersion, err error) {\n\tswitch version {\n\tcase \"4\":\n\t\tv = allregions.IPv4Only\n\tcase \"6\":\n\t\tv = allregions.IPv6Only\n\tcase \"auto\":\n\t\tv = allregions.Auto\n\tdefault: // unspecified or invalid\n\t\terr = fmt.Errorf(\"invalid value for edge-ip-version: %s\", version)\n\t}\n\treturn\n}\n\nfunc parseConfigBindAddress(ipstr string) (net.IP, error) {\n\t// Unspecified - it's fine\n\tif ipstr == \"\" {\n\t\treturn nil, nil\n\t}\n\tip := net.ParseIP(ipstr)\n\tif ip == nil {\n\t\treturn nil, fmt.Errorf(\"invalid value for edge-bind-address: %s\", ipstr)\n\t}\n\treturn ip, nil\n}\n\nfunc testIPBindable(ip net.IP) error {\n\t// \"Unspecified\" = let OS choose, so always bindable\n\tif ip == nil {\n\t\treturn nil\n\t}\n\n\taddr := &net.UDPAddr{IP: ip, Port: 0}\n\tlistener, err := net.ListenUDP(\"udp\", addr)\n\tif err != nil {\n\t\treturn err\n\t}\n\tlistener.Close()\n\treturn nil\n}\n\nfunc adjustIPVersionByBindAddress(ipVersion allregions.ConfigIPVersion, ip net.IP) (allregions.ConfigIPVersion, error) {\n\tif ip == nil {\n\t\treturn ipVersion, nil\n\t}\n\t// https://pkg.go.dev/net#IP.To4: \"If ip is not an IPv4 address, To4 returns nil.\"\n\tif ip.To4() != nil {\n\t\tif ipVersion == allregions.IPv6Only {\n\t\t\treturn allregions.IPv4Only, fmt.Errorf(\"IPv4 bind address is specified, but edge-ip-version is IPv6\")\n\t\t}\n\t\treturn allregions.IPv4Only, nil\n\t} else {\n\t\tif ipVersion == allregions.IPv4Only {\n\t\t\treturn allregions.IPv6Only, fmt.Errorf(\"IPv6 bind address is specified, but edge-ip-version is IPv4\")\n\t\t}\n\t\treturn allregions.IPv6Only, nil\n\t}\n}\n\nfunc newICMPRouter(c *cli.Context, logger *zerolog.Logger) (ingress.ICMPRouterServer, error) {\n\tipv4Src, ipv6Src, err := determineICMPSources(c, logger)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\ticmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, logger, icmpFunnelTimeout)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn icmpRouter, nil\n}\n\nfunc determineICMPSources(c *cli.Context, logger *zerolog.Logger) (netip.Addr, netip.Addr, error) {\n\tipv4Src, err := determineICMPv4Src(c.String(flags.ICMPV4Src), logger)\n\tif err != nil {\n\t\treturn netip.Addr{}, netip.Addr{}, errors.Wrap(err, \"failed to determine IPv4 source address for ICMP proxy\")\n\t}\n\n\tlogger.Info().Msgf(\"ICMP proxy will use %s as source for IPv4\", ipv4Src)\n\n\tipv6Src, zone, err := determineICMPv6Src(c.String(flags.ICMPV6Src), logger, ipv4Src)\n\tif err != nil {\n\t\treturn netip.Addr{}, netip.Addr{}, errors.Wrap(err, \"failed to determine IPv6 source address for ICMP proxy\")\n\t}\n\n\tif zone != \"\" {\n\t\tlogger.Info().Msgf(\"ICMP proxy will use %s in zone %s as source for IPv6\", ipv6Src, zone)\n\t} else {\n\t\tlogger.Info().Msgf(\"ICMP proxy will use %s as source for IPv6\", ipv6Src)\n\t}\n\n\treturn ipv4Src, ipv6Src, nil\n}\n\nfunc determineICMPv4Src(userDefinedSrc string, logger *zerolog.Logger) (netip.Addr, error) {\n\tif userDefinedSrc != \"\" {\n\t\taddr, err := netip.ParseAddr(userDefinedSrc)\n\t\tif err != nil {\n\t\t\treturn netip.Addr{}, err\n\t\t}\n\t\tif addr.Is4() {\n\t\t\treturn addr, nil\n\t\t}\n\t\treturn netip.Addr{}, fmt.Errorf(\"expect IPv4, but %s is IPv6\", userDefinedSrc)\n\t}\n\n\taddr, err := findLocalAddr(net.ParseIP(\"192.168.0.1\"), 53)\n\tif err != nil {\n\t\taddr = netip.IPv4Unspecified()\n\t\tlogger.Debug().Err(err).Msgf(\"Failed to determine the IPv4 for this machine. It will use %s to send/listen for ICMPv4 echo\", addr)\n\t}\n\treturn addr, nil\n}\n\ntype interfaceIP struct {\n\tname string\n\tip net.IP\n}\n\nfunc determineICMPv6Src(userDefinedSrc string, logger *zerolog.Logger, ipv4Src netip.Addr) (addr netip.Addr, zone string, err error) {\n\tif userDefinedSrc != \"\" {\n\t\taddr, err := netip.ParseAddr(userDefinedSrc)\n\t\tif err != nil {\n\t\t\treturn netip.Addr{}, \"\", err\n\t\t}\n\t\tif addr.Is6() {\n\t\t\treturn addr, addr.Zone(), nil\n\t\t}\n\t\treturn netip.Addr{}, \"\", fmt.Errorf(\"expect IPv6, but %s is IPv4\", userDefinedSrc)\n\t}\n\n\t// Loop through all the interfaces, the preference is\n\t// 1. The interface where ipv4Src is in\n\t// 2. Interface with IPv6 address\n\t// 3. Unspecified interface\n\n\tinterfaces, err := net.Interfaces()\n\tif err != nil {\n\t\treturn netip.IPv6Unspecified(), \"\", nil\n\t}\n\n\tinterfacesWithIPv6 := make([]interfaceIP, 0)\n\tfor _, interf := range interfaces {\n\t\tinterfaceAddrs, err := interf.Addrs()\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\n\t\tfoundIPv4SrcInterface := false\n\t\tfor _, interfaceAddr := range interfaceAddrs {\n\t\t\tif ipnet, ok := interfaceAddr.(*net.IPNet); ok {\n\t\t\t\tip := ipnet.IP\n\t\t\t\tif ip.Equal(ipv4Src.AsSlice()) {\n\t\t\t\t\tfoundIPv4SrcInterface = true\n\t\t\t\t}\n\t\t\t\tif ip.To4() == nil {\n\t\t\t\t\tinterfacesWithIPv6 = append(interfacesWithIPv6, interfaceIP{\n\t\t\t\t\t\tname: interf.Name,\n\t\t\t\t\t\tip: ip,\n\t\t\t\t\t})\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t// Found the interface of ipv4Src. Loop through the addresses to see if there is an IPv6\n\t\tif foundIPv4SrcInterface {\n\t\t\tfor _, interfaceAddr := range interfaceAddrs {\n\t\t\t\tif ipnet, ok := interfaceAddr.(*net.IPNet); ok {\n\t\t\t\t\tip := ipnet.IP\n\t\t\t\t\tif ip.To4() == nil {\n\t\t\t\t\t\taddr, err := netip.ParseAddr(ip.String())\n\t\t\t\t\t\tif err == nil {\n\t\t\t\t\t\t\treturn addr, interf.Name, nil\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tfor _, interf := range interfacesWithIPv6 {\n\t\taddr, err := netip.ParseAddr(interf.ip.String())\n\t\tif err == nil {\n\t\t\treturn addr, interf.name, nil\n\t\t}\n\t}\n\tlogger.Debug().Err(err).Msgf(\"Failed to determine the IPv6 for this machine. It will use %s to send/listen for ICMPv6 echo\", netip.IPv6Unspecified())\n\n\treturn netip.IPv6Unspecified(), \"\", nil\n}\n\n// FindLocalAddr tries to dial UDP and returns the local address picked by the OS\nfunc findLocalAddr(dst net.IP, port int) (netip.Addr, error) {\n\tudpConn, err := net.DialUDP(\"udp\", nil, &net.UDPAddr{\n\t\tIP: dst,\n\t\tPort: port,\n\t})\n\tif err != nil {\n\t\treturn netip.Addr{}, err\n\t}\n\tdefer udpConn.Close()\n\tlocalAddrPort, err := netip.ParseAddrPort(udpConn.LocalAddr().String())\n\tif err != nil {\n\t\treturn netip.Addr{}, err\n\t}\n\tlocalAddr := localAddrPort.Addr()\n\treturn localAddr, nil\n}\n\nfunc parseResolverAddrPorts(input []string) ([]netip.AddrPort, error) {\n\t// We don't allow more than 10 resolvers to be provided statically for the resolver service.\n\tif len(input) > 10 {\n\t\treturn nil, errors.New(\"too many addresses provided, max: 10\")\n\t}\n\taddrs := make([]netip.AddrPort, 0, len(input))\n\tfor _, val := range input {\n\t\taddr, err := netip.ParseAddrPort(val)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\taddrs = append(addrs, addr)\n\t}\n\treturn addrs, nil\n}\n" }, { "path": "cmd/cloudflared/tunnel/configuration_test.go", "content": "//go:build ignore\n\n// TODO: Remove the above build tag and include this test when we start compiling with Golang 1.10.0+\n\npackage tunnel\n\nimport (\n\t\"crypto/x509\"\n\t\"crypto/x509/pkix\"\n\t\"encoding/asn1\"\n\t\"net\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\n// Generated using `openssl req -newkey rsa:512 -nodes -x509 -days 3650`\nvar samplePEM = []byte(`\n-----BEGIN CERTIFICATE-----\nMIIB4DCCAYoCCQCb/H0EUrdXEjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV\nUzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEZMBcGA1UECgwQQ2xv\ndWRmbGFyZSwgSW5jLjEZMBcGA1UECwwQUHJvZHVjdCBTdHJhdGVneTERMA8GA1UE\nAwwIVGVzdCBPbmUwHhcNMTgwNDI2MTYxMDUxWhcNMjgwNDIzMTYxMDUxWjB3MQsw\nCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEZMBcG\nA1UECgwQQ2xvdWRmbGFyZSwgSW5jLjEZMBcGA1UECwwQUHJvZHVjdCBTdHJhdGVn\neTERMA8GA1UEAwwIVGVzdCBPbmUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAwVQD\nK0SJ25UFLznm2pU3zhzMEvpDEofHVNnCjk4mlDrtVop7PkKZ8pDEmuQANltUrxC8\nyHBE2wXMv+GlH+bDtwIDAQABMA0GCSqGSIb3DQEBCwUAA0EAjVYQzozIFPkt/HRY\nuUoZ8zEHIDICb0syFf5VAjm9AgTwIPzUmD+c5vl6LWDnxq7L45nLCzhhQ6YmiwDz\nX7Wcyg==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIB4DCCAYoCCQDZfCdAJ+mwzDANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV\nUzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEZMBcGA1UECgwQQ2xv\ndWRmbGFyZSwgSW5jLjEZMBcGA1UECwwQUHJvZHVjdCBTdHJhdGVneTERMA8GA1UE\nAwwIVGVzdCBUd28wHhcNMTgwNDI2MTYxMTIwWhcNMjgwNDIzMTYxMTIwWjB3MQsw\nCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEZMBcG\nA1UECgwQQ2xvdWRmbGFyZSwgSW5jLjEZMBcGA1UECwwQUHJvZHVjdCBTdHJhdGVn\neTERMA8GA1UEAwwIVGVzdCBUd28wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoHKp\nROVK3zCSsH7ocYeyRAML4V7SFAbZcb4WIwDnE08oMBVRkQVcW5tqEkvG3RiClfzV\nwZIJ3CfqKIeSNSDU9wIDAQABMA0GCSqGSIb3DQEBCwUAA0EAJw2gUbnPiq4C2p5b\niWzlA9Q7aKo+VQ4H7IZS7tTccr59nVjvH/TG3eWujpnocr4TOqW9M3CK1DF9mUGP\n3pQ3Jg==\n-----END CERTIFICATE-----\n`)\n\nvar systemCertPoolSubjects []*pkix.Name\n\ntype certificateFixture struct {\n\tou string\n\tcn string\n}\n\nfunc TestMain(m *testing.M) {\n\tsystemCertPool, err := x509.SystemCertPool()\n\tif isUnrecoverableError(err) {\n\t\tos.Exit(1)\n\t}\n\n\tif systemCertPool == nil {\n\t\t// On Windows, let's just assume the system cert pool was empty\n\t\tsystemCertPool = x509.NewCertPool()\n\t}\n\n\tsystemCertPoolSubjects, err = getCertPoolSubjects(systemCertPool)\n\tif err != nil {\n\t\tos.Exit(1)\n\t}\n\n\tos.Exit(m.Run())\n}\n\nfunc TestLoadOriginCertPoolJustSystemPool(t *testing.T) {\n\tcertPoolSubjects := loadCertPoolSubjects(t, nil)\n\textraSubjects := subjectSubtract(systemCertPoolSubjects, certPoolSubjects)\n\n\t// Remove extra subjects from the cert pool\n\tvar filteredSystemCertPoolSubjects []*pkix.Name\n\n\tt.Log(extraSubjects)\n\nOUTER:\n\tfor _, subject := range certPoolSubjects {\n\t\tfor _, extraSubject := range extraSubjects {\n\t\t\tif subject == extraSubject {\n\t\t\t\tt.Log(extraSubject)\n\t\t\t\tcontinue OUTER\n\t\t\t}\n\t\t}\n\n\t\tfilteredSystemCertPoolSubjects = append(filteredSystemCertPoolSubjects, subject)\n\t}\n\n\tassert.Equal(t, len(filteredSystemCertPoolSubjects), len(systemCertPoolSubjects))\n\n\tdifference := subjectSubtract(systemCertPoolSubjects, filteredSystemCertPoolSubjects)\n\tassert.Equal(t, 0, len(difference))\n}\n\nfunc TestLoadOriginCertPoolCFCertificates(t *testing.T) {\n\tcertPoolSubjects := loadCertPoolSubjects(t, nil)\n\n\textraSubjects := subjectSubtract(systemCertPoolSubjects, certPoolSubjects)\n\n\texpected := []*certificateFixture{\n\t\t{ou: \"CloudFlare Origin SSL ECC Certificate Authority\"},\n\t\t{ou: \"CloudFlare Origin SSL Certificate Authority\"},\n\t\t{cn: \"origin-pull.cloudflare.net\"},\n\t\t{cn: \"Argo Tunnel Sample Hello Server Certificate\"},\n\t}\n\n\tassertFixturesMatchSubjects(t, expected, extraSubjects)\n}\n\nfunc TestLoadOriginCertPoolWithExtraPEMs(t *testing.T) {\n\tcertPoolWithoutPEMSubjects := loadCertPoolSubjects(t, nil)\n\tcertPoolWithPEMSubjects := loadCertPoolSubjects(t, samplePEM)\n\n\tdifference := subjectSubtract(certPoolWithoutPEMSubjects, certPoolWithPEMSubjects)\n\n\tassert.Equal(t, 2, len(difference))\n\n\texpected := []*certificateFixture{\n\t\t{cn: \"Test One\"},\n\t\t{cn: \"Test Two\"},\n\t}\n\n\tassertFixturesMatchSubjects(t, expected, difference)\n}\n\nfunc loadCertPoolSubjects(t *testing.T, originCAPoolPEM []byte) []*pkix.Name {\n\tcertPool, err := loadOriginCertPool(originCAPoolPEM)\n\tif isUnrecoverableError(err) {\n\t\tt.Fatal(err)\n\t}\n\tassert.NotEmpty(t, certPool.Subjects())\n\tcertPoolSubjects, err := getCertPoolSubjects(certPool)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\treturn certPoolSubjects\n}\n\nfunc assertFixturesMatchSubjects(t *testing.T, fixtures []*certificateFixture, subjects []*pkix.Name) {\n\tassert.Equal(t, len(fixtures), len(subjects))\n\n\tfor _, fixture := range fixtures {\n\t\tfound := false\n\t\tfor _, subject := range subjects {\n\t\t\tfound = found || fixtureMatchesSubjectPredicate(fixture, subject)\n\t\t}\n\n\t\tif !found {\n\t\t\tt.Fail()\n\t\t}\n\t}\n}\n\nfunc fixtureMatchesSubjectPredicate(fixture *certificateFixture, subject *pkix.Name) bool {\n\tcnMatch := true\n\tif fixture.cn != \"\" {\n\t\tcnMatch = fixture.cn == subject.CommonName\n\t}\n\n\touMatch := true\n\tif fixture.ou != \"\" {\n\t\touMatch = len(subject.OrganizationalUnit) > 0 && fixture.ou == subject.OrganizationalUnit[0]\n\t}\n\n\treturn cnMatch && ouMatch\n}\n\nfunc subjectSubtract(left []*pkix.Name, right []*pkix.Name) []*pkix.Name {\n\tvar difference []*pkix.Name\n\n\tvar found bool\n\tfor _, r := range right {\n\t\tfound = false\n\t\tfor _, l := range left {\n\t\t\tif (*l).String() == (*r).String() {\n\t\t\t\tfound = true\n\t\t\t}\n\t\t}\n\n\t\tif !found {\n\t\t\tdifference = append(difference, r)\n\t\t}\n\t}\n\n\treturn difference\n}\n\nfunc getCertPoolSubjects(certPool *x509.CertPool) ([]*pkix.Name, error) {\n\tvar subjects []*pkix.Name\n\n\tfor _, subject := range certPool.Subjects() {\n\t\tvar sequence pkix.RDNSequence\n\t\t_, err := asn1.Unmarshal(subject, &sequence)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tname := pkix.Name{}\n\t\tname.FillFromRDNSequence(&sequence)\n\n\t\tsubjects = append(subjects, &name)\n\t}\n\n\treturn subjects, nil\n}\n\nfunc isUnrecoverableError(err error) bool {\n\treturn err != nil && err.Error() != \"crypto/x509: system root pool is not available on Windows\"\n}\n\nfunc TestTestIPBindable(t *testing.T) {\n\tassert.Nil(t, testIPBindable(nil))\n\n\t// Public services - if one of these IPs is on the machine, the test environment is too weird\n\tassert.NotNil(t, testIPBindable(net.ParseIP(\"8.8.8.8\")))\n\tassert.NotNil(t, testIPBindable(net.ParseIP(\"1.1.1.1\")))\n\n\taddrs, err := net.InterfaceAddrs()\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tfor i, addr := range addrs {\n\t\tif i >= 3 {\n\t\t\tbreak\n\t\t}\n\t\tip := addr.(*net.IPNet).IP\n\t\tassert.Nil(t, testIPBindable(ip))\n\t}\n}\n" }, { "path": "cmd/cloudflared/tunnel/credential_finder.go", "content": "package tunnel\n\nimport (\n\t\"fmt\"\n\t\"path/filepath\"\n\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/credentials\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n)\n\n// CredFinder can find the tunnel credentials file.\ntype CredFinder interface {\n\tPath() (string, error)\n}\n\n// Implements CredFinder and looks for the credentials file at the given\n// filepath.\ntype staticPath struct {\n\tfilePath string\n\tfs fileSystem\n}\n\nfunc newStaticPath(filePath string, fs fileSystem) CredFinder {\n\treturn staticPath{\n\t\tfilePath: filePath,\n\t\tfs: fs,\n\t}\n}\n\nfunc (a staticPath) Path() (string, error) {\n\tif a.filePath != \"\" && a.fs.validFilePath(a.filePath) {\n\t\treturn a.filePath, nil\n\t}\n\treturn \"\", fmt.Errorf(\"Tunnel credentials file '%s' doesn't exist or is not a file\", a.filePath)\n}\n\n// Implements CredFinder and looks for the credentials file in several directories\n// searching for a file named .json\ntype searchByID struct {\n\tid uuid.UUID\n\tc *cli.Context\n\tlog *zerolog.Logger\n\tfs fileSystem\n}\n\nfunc newSearchByID(id uuid.UUID, c *cli.Context, log *zerolog.Logger, fs fileSystem) CredFinder {\n\treturn searchByID{\n\t\tid: id,\n\t\tc: c,\n\t\tlog: log,\n\t\tfs: fs,\n\t}\n}\n\nfunc (s searchByID) Path() (string, error) {\n\toriginCertPath := s.c.String(cfdflags.OriginCert)\n\toriginCertLog := s.log.With().\n\t\tStr(\"originCertPath\", originCertPath).\n\t\tLogger()\n\n\tif originCertPath != \"\" {\n\t\t// Look for tunnel credentials in the origin cert directory if the flag is provided\n\t\tif originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil {\n\t\t\toriginCertDir := filepath.Dir(originCertPath)\n\t\t\tif filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {\n\t\t\t\tif s.fs.validFilePath(filePath) {\n\t\t\t\t\treturn filePath, nil\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// Last resort look under default config directories\n\tfor _, configDir := range config.DefaultConfigSearchDirectories() {\n\t\tif filePath, err := tunnelFilePath(s.id, configDir); err == nil {\n\t\t\tif s.fs.validFilePath(filePath) {\n\t\t\t\treturn filePath, nil\n\t\t\t}\n\t\t}\n\t}\n\treturn \"\", fmt.Errorf(\"tunnel credentials file not found\")\n}\n" }, { "path": "cmd/cloudflared/tunnel/filesystem.go", "content": "package tunnel\n\nimport (\n\t\"os\"\n)\n\n// Abstract away details of reading files, so that SubcommandContext can read\n// from either the real filesystem, or a mock (when running unit tests).\ntype fileSystem interface {\n\treadFile(filePath string) ([]byte, error)\n\tvalidFilePath(path string) bool\n}\n\ntype realFileSystem struct{}\n\nfunc (fs realFileSystem) validFilePath(path string) bool {\n\tfileStat, err := os.Stat(path)\n\tif err != nil {\n\t\treturn false\n\t}\n\treturn !fileStat.IsDir()\n}\n\nfunc (fs realFileSystem) readFile(filePath string) ([]byte, error) {\n\treturn os.ReadFile(filePath)\n}\n" }, { "path": "cmd/cloudflared/tunnel/info.go", "content": "package tunnel\n\nimport (\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n)\n\ntype Info struct {\n\tID uuid.UUID `json:\"id\"`\n\tName string `json:\"name\"`\n\tCreatedAt time.Time `json:\"createdAt\"`\n\tConnectors []*cfapi.ActiveClient `json:\"conns\"`\n}\n" }, { "path": "cmd/cloudflared/tunnel/ingress_subcommands.go", "content": "package tunnel\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/url\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/urfave/cli/v2\"\n)\n\nconst ingressDataJSONFlagName = \"json\"\n\nvar ingressDataJSON = &cli.StringFlag{\n\tName: ingressDataJSONFlagName,\n\tAliases: []string{\"j\"},\n\tUsage: `Accepts data in the form of json as an input rather than read from a file`,\n\tEnvVars: []string{\"TUNNEL_INGRESS_VALIDATE_JSON\"},\n}\n\nfunc buildIngressSubcommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"ingress\",\n\t\tCategory: \"Tunnel\",\n\t\tUsage: \"Validate and test cloudflared tunnel's ingress configuration\",\n\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] ingress COMMAND [arguments...]\",\n\t\tHidden: true,\n\t\tDescription: ` Cloudflared lets you route traffic from the internet to multiple different addresses on your\n\t\torigin. Multiple-origin routing is configured by a set of rules. Each rule matches traffic\n\t\tby its hostname or path, and routes it to an address. These rules are configured under the\n\t\t'ingress' key of your config.yaml, for example:\n\n\t\tingress:\n\t\t - hostname: www.example.com\n\t\t service: https://localhost:8000\n\t\t - hostname: *.example.xyz\n\t\t path: /[a-zA-Z]+.html\n\t\t service: https://localhost:8001\n\t\t - hostname: *\n\t\t service: https://localhost:8002\n\n\t\tTo ensure cloudflared can route all incoming requests, the last rule must be a catch-all\n\t\trule that matches all traffic. You can validate these rules with the 'ingress validate'\n\t\tcommand, and test which rule matches a particular URL with 'ingress rule '.\n\n\t\tMultiple-origin routing is incompatible with the --url flag.`,\n\t\tSubcommands: []*cli.Command{buildValidateIngressCommand(), buildTestURLCommand()},\n\t}\n}\n\nfunc buildValidateIngressCommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"validate\",\n\t\tAction: cliutil.ConfiguredActionWithWarnings(validateIngressCommand),\n\t\tUsage: \"Validate the ingress configuration \",\n\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] ingress validate\",\n\t\tDescription: \"Validates the configuration file, ensuring your ingress rules are OK.\",\n\t\tFlags: []cli.Flag{ingressDataJSON},\n\t}\n}\n\nfunc buildTestURLCommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"rule\",\n\t\tAction: cliutil.ConfiguredAction(testURLCommand),\n\t\tUsage: \"Check which ingress rule matches a given request URL\",\n\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] ingress rule URL\",\n\t\tArgsUsage: \"URL\",\n\t\tDescription: \"Check which ingress rule matches a given request URL. \" +\n\t\t\t\"Ingress rules match a request's hostname and path. Hostname is \" +\n\t\t\t\"optional and is either a full hostname like `www.example.com` or a \" +\n\t\t\t\"hostname with a `*` for its subdomains, e.g. `*.example.com`. Path \" +\n\t\t\t\"is optional and matches a regular expression, like `/[a-zA-Z0-9_]+.html`\",\n\t}\n}\n\n// validateIngressCommand check the syntax of the ingress rules in the cloudflared config file\nfunc validateIngressCommand(c *cli.Context, warnings string) error {\n\tconf, err := getConfiguration(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif _, err := ingress.ParseIngress(conf); err != nil {\n\t\treturn errors.Wrap(err, \"Validation failed\")\n\t}\n\tif c.IsSet(\"url\") {\n\t\treturn ingress.ErrURLIncompatibleWithIngress\n\t}\n\tif warnings != \"\" {\n\t\tfmt.Println(\"Warning: unused keys detected in your config file. Here is a list of unused keys:\")\n\t\tfmt.Println(warnings)\n\t\treturn nil\n\t}\n\tfmt.Println(\"OK\")\n\treturn nil\n}\n\nfunc getConfiguration(c *cli.Context) (*config.Configuration, error) {\n\tvar conf *config.Configuration\n\tif c.IsSet(ingressDataJSONFlagName) {\n\t\tingressJSON := c.String(ingressDataJSONFlagName)\n\t\tfmt.Println(\"Validating rules from cmdline flag --json\")\n\t\terr := json.Unmarshal([]byte(ingressJSON), &conf)\n\t\treturn conf, err\n\t}\n\tconf = config.GetConfiguration()\n\tif conf.Source() == \"\" {\n\t\treturn nil, errors.New(\"No configuration file was found. Please create one, or use the --config flag to specify its filepath. You can use the help command to learn more about configuration files\")\n\t}\n\tfmt.Println(\"Validating rules from\", conf.Source())\n\treturn conf, nil\n}\n\n// testURLCommand checks which ingress rule matches the given URL.\nfunc testURLCommand(c *cli.Context) error {\n\trequestArg := c.Args().First()\n\tif requestArg == \"\" {\n\t\treturn errors.New(\"cloudflared tunnel rule expects a single argument, the URL to test\")\n\t}\n\n\trequestURL, err := url.Parse(requestArg)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"%s is not a valid URL\", requestArg)\n\t}\n\tif requestURL.Hostname() == \"\" && requestURL.Scheme == \"\" {\n\t\treturn fmt.Errorf(\"%s doesn't have a hostname, consider adding a scheme\", requestArg)\n\t}\n\n\tconf := config.GetConfiguration()\n\tfmt.Println(\"Using rules from\", conf.Source())\n\ting, err := ingress.ParseIngress(conf)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Validation failed\")\n\t}\n\n\t_, i := ing.FindMatchingRule(requestURL.Hostname(), requestURL.Path)\n\tfmt.Printf(\"Matched rule #%d\\n\", i)\n\tfmt.Println(ing.Rules[i].MultiLineString())\n\treturn nil\n}\n" }, { "path": "cmd/cloudflared/tunnel/login.go", "content": "package tunnel\n\nimport (\n\t\"fmt\"\n\t\"net/url\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"syscall\"\n\n\thomedir \"github.com/mitchellh/go-homedir\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/credentials\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n\t\"github.com/cloudflare/cloudflared/token\"\n)\n\nconst (\n\tbaseLoginURL = \"https://dash.cloudflare.com/argotunnel\"\n\tcallbackURL = \"https://login.cloudflareaccess.org/\"\n\tfedBaseLoginURL = \"https://dash.fed.cloudflare.com/argotunnel\"\n\tfedCallbackStoreURL = \"https://login.fed.cloudflareaccess.org/\"\n\tfedRAMPParamName = \"fedramp\"\n\tloginURLParamName = \"loginURL\"\n\tcallbackURLParamName = \"callbackURL\"\n)\n\nvar (\n\tloginURL = &cli.StringFlag{\n\t\tName: loginURLParamName,\n\t\tValue: baseLoginURL,\n\t\tUsage: \"The URL used to login (default is https://dash.cloudflare.com/argotunnel)\",\n\t}\n\tcallbackStore = &cli.StringFlag{\n\t\tName: callbackURLParamName,\n\t\tValue: callbackURL,\n\t\tUsage: \"The URL used for the callback (default is https://login.cloudflareaccess.org/)\",\n\t}\n\tfedramp = &cli.BoolFlag{\n\t\tName: fedRAMPParamName,\n\t\tAliases: []string{\"f\"},\n\t\tUsage: \"Login with FedRAMP High environment.\",\n\t}\n)\n\nfunc buildLoginSubcommand(hidden bool) *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"login\",\n\t\tAction: cliutil.ConfiguredAction(login),\n\t\tUsage: \"Generate a configuration file with your login details\",\n\t\tArgsUsage: \" \",\n\t\tHidden: hidden,\n\t\tFlags: []cli.Flag{\n\t\t\tloginURL,\n\t\t\tcallbackStore,\n\t\t\tfedramp,\n\t\t},\n\t}\n}\n\nfunc login(c *cli.Context) error {\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\n\tpath, ok, err := checkForExistingCert()\n\tif ok {\n\t\tlog.Error().Err(err).Msgf(\"You have an existing certificate at %s which login would overwrite.\\nIf this is intentional, please move or delete that file then run this command again.\\n\", path)\n\t\treturn nil\n\t} else if err != nil {\n\t\treturn err\n\t}\n\n\tvar (\n\t\tbaseloginURL = c.String(loginURLParamName)\n\t\tcallbackStoreURL = c.String(callbackURLParamName)\n\t)\n\n\tisFEDRamp := c.Bool(fedRAMPParamName)\n\tif isFEDRamp {\n\t\tbaseloginURL = fedBaseLoginURL\n\t\tcallbackStoreURL = fedCallbackStoreURL\n\t}\n\n\tloginURL, err := url.Parse(baseloginURL)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tresourceData, err := token.RunTransfer(\n\t\tloginURL,\n\t\t\"\",\n\t\t\"cert\",\n\t\t\"callback\",\n\t\tcallbackStoreURL,\n\t\tfalse,\n\t\tfalse,\n\t\tc.Bool(cfdflags.AutoCloseInterstitial),\n\t\tisFEDRamp,\n\t\tlog,\n\t)\n\tif err != nil {\n\t\tlog.Error().Err(err).Msgf(\"Failed to write the certificate.\\n\\nYour browser will download the certificate instead. You will have to manually\\ncopy it to the following path:\\n\\n%s\\n\", path)\n\t\treturn err\n\t}\n\n\tcert, err := credentials.DecodeOriginCert(resourceData)\n\tif err != nil {\n\t\tlog.Error().Err(err).Msg(\"failed to decode origin certificate\")\n\t\treturn err\n\t}\n\n\tif isFEDRamp {\n\t\tcert.Endpoint = credentials.FedEndpoint\n\t}\n\n\tresourceData, err = cert.EncodeOriginCert()\n\tif err != nil {\n\t\tlog.Error().Err(err).Msg(\"failed to encode origin certificate\")\n\t\treturn err\n\t}\n\n\tif err := os.WriteFile(path, resourceData, 0600); err != nil {\n\t\treturn errors.Wrap(err, fmt.Sprintf(\"error writing cert to %s\", path))\n\t}\n\n\tlog.Info().Msgf(\"You have successfully logged in.\\nIf you wish to copy your credentials to a server, they have been saved to:\\n%s\\n\", path)\n\treturn nil\n}\n\nfunc checkForExistingCert() (string, bool, error) {\n\tconfigPath, err := homedir.Expand(config.DefaultConfigSearchDirectories()[0])\n\tif err != nil {\n\t\treturn \"\", false, err\n\t}\n\tok, err := config.FileExists(configPath)\n\tif !ok && err == nil {\n\t\t// create config directory if doesn't already exist\n\t\terr = os.Mkdir(configPath, 0700)\n\t}\n\tif err != nil {\n\t\treturn \"\", false, err\n\t}\n\tpath := filepath.Join(configPath, credentials.DefaultCredentialFile)\n\tfileInfo, err := os.Stat(path)\n\tif err == nil && fileInfo.Size() > 0 {\n\t\treturn path, true, nil\n\t}\n\tif err != nil && err.(*os.PathError).Err != syscall.ENOENT {\n\t\treturn path, false, err\n\t}\n\n\treturn path, false, nil\n}\n" }, { "path": "cmd/cloudflared/tunnel/quick_tunnel.go", "content": "package tunnel\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n)\n\nconst httpTimeout = 15 * time.Second\n\nconst disclaimer = \"Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee, are subject to the Cloudflare Online Services Terms of Use (https://www.cloudflare.com/website-terms/), and Cloudflare reserves the right to investigate your use of Tunnels for violations of such terms. If you intend to use Tunnels in production you should use a pre-created named tunnel by following: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps\"\n\n// RunQuickTunnel requests a tunnel from the specified service.\n// We use this to power quick tunnels on trycloudflare.com, but the\n// service is open-source and could be used by anyone.\nfunc RunQuickTunnel(sc *subcommandContext) error {\n\tsc.log.Info().Msg(disclaimer)\n\tsc.log.Info().Msg(\"Requesting new quick Tunnel on trycloudflare.com...\")\n\n\tclient := http.Client{\n\t\tTransport: &http.Transport{\n\t\t\tTLSHandshakeTimeout: httpTimeout,\n\t\t\tResponseHeaderTimeout: httpTimeout,\n\t\t},\n\t\tTimeout: httpTimeout,\n\t}\n\n\treq, err := http.NewRequest(http.MethodPost, fmt.Sprintf(\"%s/tunnel\", sc.c.String(\"quick-service\")), nil)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"failed to build quick tunnel request\")\n\t}\n\treq.Header.Add(\"Content-Type\", \"application/json\")\n\treq.Header.Add(\"User-Agent\", buildInfo.UserAgent())\n\tresp, err := client.Do(req)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"failed to request quick Tunnel\")\n\t}\n\tdefer resp.Body.Close()\n\n\t// This will read the entire response into memory so we can print it in case of error\n\trsp_body, err := io.ReadAll(resp.Body)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"failed to read quick-tunnel response\")\n\t}\n\n\tvar data QuickTunnelResponse\n\tif err := json.Unmarshal(rsp_body, &data); err != nil {\n\t\trsp_string := string(rsp_body)\n\t\tfields := map[string]interface{}{\"status_code\": resp.Status}\n\t\tsc.log.Err(err).Fields(fields).Msgf(\"Error unmarshaling QuickTunnel response: %s\", rsp_string)\n\t\treturn errors.Wrap(err, \"failed to unmarshal quick Tunnel\")\n\t}\n\n\ttunnelID, err := uuid.Parse(data.Result.ID)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"failed to parse quick Tunnel ID\")\n\t}\n\n\tcredentials := connection.Credentials{\n\t\tAccountTag: data.Result.AccountTag,\n\t\tTunnelSecret: data.Result.Secret,\n\t\tTunnelID: tunnelID,\n\t}\n\n\turl := data.Result.Hostname\n\tif !strings.HasPrefix(url, \"https://\") {\n\t\turl = \"https://\" + url\n\t}\n\n\tfor _, line := range AsciiBox([]string{\n\t\t\"Your quick Tunnel has been created! Visit it at (it may take some time to be reachable):\",\n\t\turl,\n\t}, 2) {\n\t\tsc.log.Info().Msg(line)\n\t}\n\n\tif !sc.c.IsSet(flags.Protocol) {\n\t\t_ = sc.c.Set(flags.Protocol, \"quic\")\n\t}\n\n\t// Override the number of connections used. Quick tunnels shouldn't be used for production usage,\n\t// so, use a single connection instead.\n\t_ = sc.c.Set(flags.HaConnections, \"1\")\n\treturn StartServer(\n\t\tsc.c,\n\t\tbuildInfo,\n\t\t&connection.TunnelProperties{Credentials: credentials, QuickTunnelUrl: data.Result.Hostname},\n\t\tsc.log,\n\t)\n}\n\ntype QuickTunnelResponse struct {\n\tSuccess bool\n\tResult QuickTunnel\n\tErrors []QuickTunnelError\n}\n\ntype QuickTunnelError struct {\n\tCode int\n\tMessage string\n}\n\ntype QuickTunnel struct {\n\tID string `json:\"id\"`\n\tName string `json:\"name\"`\n\tHostname string `json:\"hostname\"`\n\tAccountTag string `json:\"account_tag\"`\n\tSecret []byte `json:\"secret\"`\n}\n\n// Print out the given lines in a nice ASCII box.\nfunc AsciiBox(lines []string, padding int) (box []string) {\n\tmaxLen := maxLen(lines)\n\tspacer := strings.Repeat(\" \", padding)\n\tborder := \"+\" + strings.Repeat(\"-\", maxLen+(padding*2)) + \"+\"\n\tbox = append(box, border)\n\tfor _, line := range lines {\n\t\tbox = append(box, \"|\"+spacer+line+strings.Repeat(\" \", maxLen-len(line))+spacer+\"|\")\n\t}\n\tbox = append(box, border)\n\treturn\n}\n\nfunc maxLen(lines []string) int {\n\tmax := 0\n\tfor _, line := range lines {\n\t\tif len(line) > max {\n\t\t\tmax = len(line)\n\t\t}\n\t}\n\treturn max\n}\n" }, { "path": "cmd/cloudflared/tunnel/signal.go", "content": "package tunnel\n\nimport (\n\t\"os\"\n\t\"os/signal\"\n\t\"syscall\"\n\n\t\"github.com/rs/zerolog\"\n)\n\n// waitForSignal closes graceShutdownC to indicate that we should start graceful shutdown sequence\nfunc waitForSignal(graceShutdownC chan struct{}, logger *zerolog.Logger) {\n\tsignals := make(chan os.Signal, 10)\n\tsignal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)\n\tdefer signal.Stop(signals)\n\n\tselect {\n\tcase s := <-signals:\n\t\tlogger.Info().Msgf(\"Initiating graceful shutdown due to signal %s ...\", s)\n\t\tclose(graceShutdownC)\n\tcase <-graceShutdownC:\n\t}\n}\n" }, { "path": "cmd/cloudflared/tunnel/signal_test.go", "content": "//go:build !windows\n\npackage tunnel\n\nimport (\n\t\"fmt\"\n\t\"sync\"\n\t\"syscall\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\nconst tick = 100 * time.Millisecond\n\nvar (\n\tserverErr = fmt.Errorf(\"server error\")\n\tshutdownErr = fmt.Errorf(\"receive shutdown\")\n\tgraceShutdownErr = fmt.Errorf(\"receive grace shutdown\")\n)\n\nfunc channelClosed(c chan struct{}) bool {\n\tselect {\n\tcase <-c:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc TestSignalShutdown(t *testing.T) {\n\tlog := zerolog.Nop()\n\n\t// Test handling SIGTERM & SIGINT\n\tfor _, sig := range []syscall.Signal{syscall.SIGTERM, syscall.SIGINT} {\n\t\tgraceShutdownC := make(chan struct{})\n\n\t\tgo func(sig syscall.Signal) {\n\t\t\t// sleep for a tick to prevent sending signal before calling waitForSignal\n\t\t\ttime.Sleep(tick)\n\t\t\t_ = syscall.Kill(syscall.Getpid(), sig)\n\t\t}(sig)\n\n\t\ttime.AfterFunc(time.Second, func() {\n\t\t\tselect {\n\t\t\tcase <-graceShutdownC:\n\t\t\tdefault:\n\t\t\t\tclose(graceShutdownC)\n\t\t\t\tt.Fatal(\"waitForSignal timed out\")\n\t\t\t}\n\t\t})\n\n\t\twaitForSignal(graceShutdownC, &log)\n\t\tassert.True(t, channelClosed(graceShutdownC))\n\t}\n}\n\nfunc TestWaitForShutdown(t *testing.T) {\n\tlog := zerolog.Nop()\n\n\terrC := make(chan error)\n\tgraceShutdownC := make(chan struct{})\n\tconst gracePeriod = 5 * time.Second\n\n\tcontextCancelled := false\n\tcancel := func() {\n\t\tcontextCancelled = true\n\t}\n\tvar wg sync.WaitGroup\n\n\t// on, error stop immediately\n\tcontextCancelled = false\n\tstartTime := time.Now()\n\tgo func() {\n\t\terrC <- serverErr\n\t}()\n\terr := waitToShutdown(&wg, cancel, errC, graceShutdownC, gracePeriod, &log)\n\tassert.Equal(t, serverErr, err)\n\tassert.True(t, contextCancelled)\n\tassert.False(t, channelClosed(graceShutdownC))\n\tassert.True(t, time.Now().Sub(startTime) < time.Second) // check that wait ended early\n\n\t// on graceful shutdown, ignore error but stop as soon as an error arrives\n\tcontextCancelled = false\n\tstartTime = time.Now()\n\tgo func() {\n\t\tclose(graceShutdownC)\n\t\ttime.Sleep(tick)\n\t\terrC <- serverErr\n\t}()\n\terr = waitToShutdown(&wg, cancel, errC, graceShutdownC, gracePeriod, &log)\n\tassert.Nil(t, err)\n\tassert.True(t, contextCancelled)\n\tassert.True(t, time.Now().Sub(startTime) < time.Second) // check that wait ended early\n\n\t// with graceShutdownC closed stop right away without grace period\n\tcontextCancelled = false\n\tstartTime = time.Now()\n\terr = waitToShutdown(&wg, cancel, errC, graceShutdownC, 0, &log)\n\tassert.Nil(t, err)\n\tassert.True(t, contextCancelled)\n\tassert.True(t, time.Now().Sub(startTime) < time.Second) // check that wait ended early\n}\n" }, { "path": "cmd/cloudflared/tunnel/subcommand_context.go", "content": "package tunnel\n\nimport (\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/mitchellh/go-homedir\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/credentials\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n)\n\nconst fedRampBaseApiURL = \"https://api.fed.cloudflare.com/client/v4\"\n\ntype invalidJSONCredentialError struct {\n\terr error\n\tpath string\n}\n\nfunc (e invalidJSONCredentialError) Error() string {\n\treturn \"Invalid JSON when parsing tunnel credentials file\"\n}\n\n// subcommandContext carries structs shared between subcommands, to reduce number of arguments needed to\n// pass between subcommands, and make sure they are only initialized once\ntype subcommandContext struct {\n\tc *cli.Context\n\tlog *zerolog.Logger\n\tfs fileSystem\n\n\t// These fields should be accessed using their respective Getter\n\ttunnelstoreClient cfapi.Client\n\tuserCredential *credentials.User\n}\n\nfunc newSubcommandContext(c *cli.Context) (*subcommandContext, error) {\n\treturn &subcommandContext{\n\t\tc: c,\n\t\tlog: logger.CreateLoggerFromContext(c, logger.EnableTerminalLog),\n\t\tfs: realFileSystem{},\n\t}, nil\n}\n\n// Returns something that can find the given tunnel's credentials file.\nfunc (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder {\n\tif path := sc.c.String(CredFileFlag); path != \"\" {\n\t\t// Expand path if CredFileFlag contains `~`\n\t\tabsPath, err := homedir.Expand(path)\n\t\tif err != nil {\n\t\t\treturn newStaticPath(path, sc.fs)\n\t\t}\n\t\treturn newStaticPath(absPath, sc.fs)\n\t}\n\treturn newSearchByID(tunnelID, sc.c, sc.log, sc.fs)\n}\n\nfunc (sc *subcommandContext) client() (cfapi.Client, error) {\n\tif sc.tunnelstoreClient != nil {\n\t\treturn sc.tunnelstoreClient, nil\n\t}\n\tcred, err := sc.credential()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar apiURL string\n\tif cred.IsFEDEndpoint() {\n\t\tsc.log.Info().Str(\"api-url\", fedRampBaseApiURL).Msg(\"using fedramp base api\")\n\t\tapiURL = fedRampBaseApiURL\n\t} else {\n\t\tapiURL = sc.c.String(cfdflags.ApiURL)\n\t}\n\n\tsc.tunnelstoreClient, err = cred.Client(apiURL, buildInfo.UserAgent(), sc.log)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn sc.tunnelstoreClient, nil\n}\n\nfunc (sc *subcommandContext) credential() (*credentials.User, error) {\n\tif sc.userCredential == nil {\n\t\tuc, err := credentials.Read(sc.c.String(cfdflags.OriginCert), sc.log)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tsc.userCredential = uc\n\t}\n\treturn sc.userCredential, nil\n}\n\nfunc (sc *subcommandContext) readTunnelCredentials(credFinder CredFinder) (connection.Credentials, error) {\n\tfilePath, err := credFinder.Path()\n\tif err != nil {\n\t\treturn connection.Credentials{}, err\n\t}\n\tbody, err := sc.fs.readFile(filePath)\n\tif err != nil {\n\t\treturn connection.Credentials{}, errors.Wrapf(err, \"couldn't read tunnel credentials from %v\", filePath)\n\t}\n\n\tvar credentials connection.Credentials\n\tif err = json.Unmarshal(body, &credentials); err != nil {\n\t\tif filepath.Ext(filePath) == \".pem\" {\n\t\t\treturn connection.Credentials{}, fmt.Errorf(\"The tunnel credentials file should be .json but you gave a .pem. \" +\n\t\t\t\t\"The tunnel credentials file was originally created by `cloudflared tunnel create`. \" +\n\t\t\t\t\"You may have accidentally used the filepath to cert.pem, which is generated by `cloudflared tunnel \" +\n\t\t\t\t\"login`.\")\n\t\t}\n\t\treturn connection.Credentials{}, invalidJSONCredentialError{path: filePath, err: err}\n\t}\n\treturn credentials, nil\n}\n\nfunc (sc *subcommandContext) create(name string, credentialsFilePath string, secret string) (*cfapi.Tunnel, error) {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"couldn't create client to talk to Cloudflare Tunnel backend\")\n\t}\n\n\tvar tunnelSecret []byte\n\tif secret == \"\" {\n\t\ttunnelSecret, err = generateTunnelSecret()\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"couldn't generate the secret for your new tunnel\")\n\t\t}\n\t} else {\n\t\tdecodedSecret, err := base64.StdEncoding.DecodeString(secret)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"Couldn't decode tunnel secret from base64\")\n\t\t}\n\t\ttunnelSecret = decodedSecret\n\t\tif len(tunnelSecret) < 32 {\n\t\t\treturn nil, errors.New(\"Decoded tunnel secret must be at least 32 bytes long\")\n\t\t}\n\t}\n\n\ttunnel, err := client.CreateTunnel(name, tunnelSecret)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"Create Tunnel API call failed\")\n\t}\n\n\tcredential, err := sc.credential()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\ttunnelCredentials := connection.Credentials{\n\t\tAccountTag: credential.AccountID(),\n\t\tTunnelSecret: tunnelSecret,\n\t\tTunnelID: tunnel.ID,\n\t\tEndpoint: credential.Endpoint(),\n\t}\n\tusedCertPath := false\n\tif credentialsFilePath == \"\" {\n\t\toriginCertDir := filepath.Dir(credential.CertPath())\n\t\tcredentialsFilePath, err = tunnelFilePath(tunnelCredentials.TunnelID, originCertDir)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tusedCertPath = true\n\t}\n\twriteFileErr := writeTunnelCredentials(credentialsFilePath, &tunnelCredentials)\n\tif writeFileErr != nil {\n\t\tvar errorLines []string\n\t\terrorLines = append(errorLines, fmt.Sprintf(\"Your tunnel '%v' was created with ID %v. However, cloudflared couldn't write tunnel credentials to %s.\", tunnel.Name, tunnel.ID, credentialsFilePath))\n\t\terrorLines = append(errorLines, fmt.Sprintf(\"The file-writing error is: %v\", writeFileErr))\n\t\tif deleteErr := client.DeleteTunnel(tunnel.ID, true); deleteErr != nil {\n\t\t\terrorLines = append(errorLines, fmt.Sprintf(\"Cloudflared tried to delete the tunnel for you, but encountered an error. You should use `cloudflared tunnel delete %v` to delete the tunnel yourself, because the tunnel can't be run without the tunnelfile.\", tunnel.ID))\n\t\t\terrorLines = append(errorLines, fmt.Sprintf(\"The delete tunnel error is: %v\", deleteErr))\n\t\t} else {\n\t\t\terrorLines = append(errorLines, \"The tunnel was deleted, because the tunnel can't be run without the credentials file\")\n\t\t}\n\t\terrorMsg := strings.Join(errorLines, \"\\n\")\n\t\treturn nil, errors.New(errorMsg)\n\t}\n\n\tif outputFormat := sc.c.String(outputFormatFlag.Name); outputFormat != \"\" {\n\t\treturn nil, renderOutput(outputFormat, &tunnel)\n\t}\n\n\tfmt.Printf(\"Tunnel credentials written to %v.\", credentialsFilePath)\n\tif usedCertPath {\n\t\tfmt.Print(\" cloudflared chose this file based on where your origin certificate was found.\")\n\t}\n\tfmt.Println(\" Keep this file secret. To revoke these credentials, delete the tunnel.\")\n\tfmt.Printf(\"\\nCreated tunnel %s with id %s\\n\", tunnel.Name, tunnel.ID)\n\n\treturn &tunnel.Tunnel, nil\n}\n\nfunc (sc *subcommandContext) list(filter *cfapi.TunnelFilter) ([]*cfapi.Tunnel, error) {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn client.ListTunnels(filter)\n}\n\nfunc (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {\n\tforceFlagSet := sc.c.Bool(cfdflags.Force)\n\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tfor _, id := range tunnelIDs {\n\t\ttunnel, err := client.GetTunnel(id)\n\t\tif err != nil {\n\t\t\treturn errors.Wrapf(err, \"Can't get tunnel information. Please check tunnel id: %s\", id)\n\t\t}\n\n\t\t// Check if tunnel DeletedAt field has already been set\n\t\tif !tunnel.DeletedAt.IsZero() {\n\t\t\treturn fmt.Errorf(\"Tunnel %s has already been deleted\", tunnel.ID)\n\t\t}\n\n\t\tif err := client.DeleteTunnel(tunnel.ID, forceFlagSet); err != nil {\n\t\t\treturn errors.Wrapf(err, \"Error deleting tunnel %s\", tunnel.ID)\n\t\t}\n\n\t\tcredFinder := sc.credentialFinder(id)\n\t\tif tunnelCredentialsPath, err := credFinder.Path(); err == nil {\n\t\t\tif err = os.Remove(tunnelCredentialsPath); err != nil {\n\t\t\t\tsc.log.Info().Msgf(\"Tunnel %v was deleted, but we could not remove its credentials file %s: %s. Consider deleting this file manually.\", id, tunnelCredentialsPath, err)\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\n// findCredentials will choose the right way to find the credentials file, find it,\n// and add the TunnelID into any old credentials (generated before TUN-3581 added the `TunnelID`\n// field to credentials files)\nfunc (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Credentials, error) {\n\tvar credentials connection.Credentials\n\tvar err error\n\tif credentialsContents := sc.c.String(CredContentsFlag); credentialsContents != \"\" {\n\t\tif err = json.Unmarshal([]byte(credentialsContents), &credentials); err != nil {\n\t\t\terr = invalidJSONCredentialError{path: \"TUNNEL_CRED_CONTENTS\", err: err}\n\t\t}\n\t} else {\n\t\tcredFinder := sc.credentialFinder(tunnelID)\n\t\tcredentials, err = sc.readTunnelCredentials(credFinder)\n\t}\n\t// This line ensures backwards compatibility with credentials files generated before\n\t// TUN-3581. Those old credentials files don't have a TunnelID field, so we enrich the struct\n\t// with the ID, which we have already resolved from the user input.\n\tcredentials.TunnelID = tunnelID\n\treturn credentials, err\n}\n\nfunc (sc *subcommandContext) run(tunnelID uuid.UUID) error {\n\tcredentials, err := sc.findCredentials(tunnelID)\n\tif err != nil {\n\t\tif e, ok := err.(invalidJSONCredentialError); ok {\n\t\t\tsc.log.Error().Msgf(\"The credentials file at %s contained invalid JSON. This is probably caused by passing the wrong filepath. Reminder: the credentials file is a .json file created via `cloudflared tunnel create`.\", e.path)\n\t\t\tsc.log.Error().Msgf(\"Invalid JSON when parsing credentials file: %s\", e.err.Error())\n\t\t}\n\t\treturn err\n\t}\n\n\treturn sc.runWithCredentials(credentials)\n}\n\nfunc (sc *subcommandContext) runWithCredentials(credentials connection.Credentials) error {\n\tsc.log.Info().Str(LogFieldTunnelID, credentials.TunnelID.String()).Msg(\"Starting tunnel\")\n\n\treturn StartServer(\n\t\tsc.c,\n\t\tbuildInfo,\n\t\t&connection.TunnelProperties{Credentials: credentials},\n\t\tsc.log,\n\t)\n}\n\nfunc (sc *subcommandContext) cleanupConnections(tunnelIDs []uuid.UUID) error {\n\tparams := cfapi.NewCleanupParams()\n\textraLog := \"\"\n\tif connector := sc.c.String(\"connector-id\"); connector != \"\" {\n\t\tconnectorID, err := uuid.Parse(connector)\n\t\tif err != nil {\n\t\t\treturn errors.Wrapf(err, \"%s is not a valid client ID (must be a UUID)\", connector)\n\t\t}\n\t\tparams.ForClient(connectorID)\n\t\textraLog = fmt.Sprintf(\" for connector-id %s\", connectorID.String())\n\t}\n\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor _, tunnelID := range tunnelIDs {\n\t\tsc.log.Info().Msgf(\"Cleanup connection for tunnel %s%s\", tunnelID, extraLog)\n\t\tif err := client.CleanupConnections(tunnelID, params); err != nil {\n\t\t\tsc.log.Error().Msgf(\"Error cleaning up connections for tunnel %v, error :%v\", tunnelID, err)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (sc *subcommandContext) getTunnelTokenCredentials(tunnelID uuid.UUID) (*connection.TunnelToken, error) {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\ttoken, err := client.GetTunnelToken(tunnelID)\n\tif err != nil {\n\t\tsc.log.Err(err).Msgf(\"Could not get the Token for the given Tunnel %v\", tunnelID)\n\t\treturn nil, err\n\t}\n\n\treturn ParseToken(token)\n}\n\nfunc (sc *subcommandContext) route(tunnelID uuid.UUID, r cfapi.HostnameRoute) (cfapi.HostnameRouteResult, error) {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn client.RouteTunnel(tunnelID, r)\n}\n\n// Query Tunnelstore to find the active tunnel with the given name.\nfunc (sc *subcommandContext) tunnelActive(name string) (*cfapi.Tunnel, bool, error) {\n\tfilter := cfapi.NewTunnelFilter()\n\tfilter.NoDeleted()\n\tfilter.ByName(name)\n\ttunnels, err := sc.list(filter)\n\tif err != nil {\n\t\treturn nil, false, err\n\t}\n\tif len(tunnels) == 0 {\n\t\treturn nil, false, nil\n\t}\n\t// There should only be 1 active tunnel for a given name\n\treturn tunnels[0], true, nil\n}\n\n// findID parses the input. If it's a UUID, return the UUID.\n// Otherwise, assume it's a name, and look up the ID of that tunnel.\nfunc (sc *subcommandContext) findID(input string) (uuid.UUID, error) {\n\tif u, err := uuid.Parse(input); err == nil {\n\t\treturn u, nil\n\t}\n\n\t// Look up name in the credentials file.\n\tcredFinder := newStaticPath(sc.c.String(CredFileFlag), sc.fs)\n\tif credentials, err := sc.readTunnelCredentials(credFinder); err == nil {\n\t\tif credentials.TunnelID != uuid.Nil {\n\t\t\treturn credentials.TunnelID, nil\n\t\t}\n\t}\n\n\t// Fall back to querying Tunnelstore.\n\tif tunnel, found, err := sc.tunnelActive(input); err != nil {\n\t\treturn uuid.Nil, err\n\t} else if found {\n\t\treturn tunnel.ID, nil\n\t}\n\n\treturn uuid.Nil, fmt.Errorf(\"%s is neither the ID nor the name of any of your tunnels\", input)\n}\n\n// findIDs is just like mapping `findID` over a slice, but it only uses\n// one Tunnelstore API call per non-UUID input provided.\nfunc (sc *subcommandContext) findIDs(inputs []string) ([]uuid.UUID, error) {\n\tuuids, names := splitUuids(inputs)\n\n\tfor _, name := range names {\n\t\tfilter := cfapi.NewTunnelFilter()\n\t\tfilter.NoDeleted()\n\t\tfilter.ByName(name)\n\n\t\ttunnels, err := sc.list(filter)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tif len(tunnels) != 1 {\n\t\t\treturn nil, fmt.Errorf(\"there should only be 1 non-deleted Tunnel named %s\", name)\n\t\t}\n\n\t\tuuids = append(uuids, tunnels[0].ID)\n\t}\n\n\treturn uuids, nil\n}\n\nfunc splitUuids(inputs []string) ([]uuid.UUID, []string) {\n\tuuids := make([]uuid.UUID, 0)\n\tnames := make([]string, 0)\n\n\tfor _, input := range inputs {\n\t\tid, err := uuid.Parse(input)\n\t\tif err != nil {\n\t\t\tnames = append(names, input)\n\t\t} else {\n\t\t\tuuids = append(uuids, id)\n\t\t}\n\t}\n\n\treturn uuids, names\n}\n" }, { "path": "cmd/cloudflared/tunnel/subcommand_context_teamnet.go", "content": "package tunnel\n\nimport (\n\t\"net\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n)\n\nconst noClientMsg = \"error while creating backend client\"\n\nfunc (sc *subcommandContext) listRoutes(filter *cfapi.IpRouteFilter) ([]*cfapi.DetailedRoute, error) {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, noClientMsg)\n\t}\n\treturn client.ListRoutes(filter)\n}\n\nfunc (sc *subcommandContext) addRoute(newRoute cfapi.NewRoute) (cfapi.Route, error) {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn cfapi.Route{}, errors.Wrap(err, noClientMsg)\n\t}\n\treturn client.AddRoute(newRoute)\n}\n\nfunc (sc *subcommandContext) deleteRoute(id uuid.UUID) error {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn errors.Wrap(err, noClientMsg)\n\t}\n\treturn client.DeleteRoute(id)\n}\n\nfunc (sc *subcommandContext) getRouteByIP(params cfapi.GetRouteByIpParams) (cfapi.DetailedRoute, error) {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn cfapi.DetailedRoute{}, errors.Wrap(err, noClientMsg)\n\t}\n\treturn client.GetByIP(params)\n}\n\nfunc (sc *subcommandContext) getRouteId(network net.IPNet, vnetId *uuid.UUID) (uuid.UUID, error) {\n\tfilters := cfapi.NewIPRouteFilter()\n\tfilters.NotDeleted()\n\tfilters.NetworkIsSubsetOf(network)\n\tfilters.NetworkIsSupersetOf(network)\n\n\tif vnetId != nil {\n\t\tfilters.VNetID(*vnetId)\n\t}\n\n\tresult, err := sc.listRoutes(filters)\n\tif err != nil {\n\t\treturn uuid.Nil, err\n\t}\n\n\tif len(result) != 1 {\n\t\treturn uuid.Nil, errors.New(\"unable to find route for provided network and vnet\")\n\t}\n\n\treturn result[0].ID, nil\n}\n" }, { "path": "cmd/cloudflared/tunnel/subcommand_context_test.go", "content": "package tunnel\n\nimport (\n\t\"encoding/base64\"\n\t\"flag\"\n\t\"fmt\"\n\t\"reflect\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/credentials\"\n)\n\ntype mockFileSystem struct {\n\trf func(string) ([]byte, error)\n\tvfp func(string) bool\n}\n\nfunc (fs mockFileSystem) validFilePath(path string) bool {\n\treturn fs.vfp(path)\n}\n\nfunc (fs mockFileSystem) readFile(filePath string) ([]byte, error) {\n\treturn fs.rf(filePath)\n}\n\nfunc Test_subcommandContext_findCredentials(t *testing.T) {\n\ttype fields struct {\n\t\tc *cli.Context\n\t\tlog *zerolog.Logger\n\t\tfs fileSystem\n\t\ttunnelstoreClient cfapi.Client\n\t\tuserCredential *credentials.User\n\t}\n\ttype args struct {\n\t\ttunnelID uuid.UUID\n\t}\n\toldCertPath := \"old_cert.json\"\n\tnewCertPath := \"new_cert.json\"\n\taccountTag := \"0000d4d14e84bd4ae5a6a02e0000ac63\"\n\tsecret := []byte{211, 79, 177, 245, 179, 194, 152, 127, 140, 71, 18, 46, 183, 209, 10, 24, 192, 150, 55, 249, 211, 16, 167, 30, 113, 51, 152, 168, 72, 100, 205, 144}\n\tsecretB64 := base64.StdEncoding.EncodeToString(secret)\n\ttunnelID := uuid.MustParse(\"df5ed608-b8b4-4109-89f3-9f2cf199df64\")\n\tname := \"mytunnel\"\n\n\tfs := mockFileSystem{\n\t\trf: func(filePath string) ([]byte, error) {\n\t\t\tif filePath == oldCertPath {\n\t\t\t\t// An old credentials file created before TUN-3581 added the new fields\n\t\t\t\treturn []byte(fmt.Sprintf(`{\"AccountTag\":\"%s\",\"TunnelSecret\":\"%s\"}`, accountTag, secretB64)), nil\n\t\t\t}\n\t\t\tif filePath == newCertPath {\n\t\t\t\t// A new credentials file created after TUN-3581 with its new fields.\n\t\t\t\treturn []byte(fmt.Sprintf(`{\"AccountTag\":\"%s\",\"TunnelSecret\":\"%s\",\"TunnelID\":\"%s\",\"TunnelName\":\"%s\"}`, accountTag, secretB64, tunnelID, name)), nil\n\t\t\t}\n\t\t\treturn nil, errors.New(\"file not found\")\n\t\t},\n\t\tvfp: func(string) bool { return true },\n\t}\n\tlog := zerolog.Nop()\n\n\ttests := []struct {\n\t\tname string\n\t\tfields fields\n\t\targs args\n\t\twant connection.Credentials\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\tname: \"Filepath given leads to old credentials file\",\n\t\t\tfields: fields{\n\t\t\t\tlog: &log,\n\t\t\t\tfs: fs,\n\t\t\t\tc: func() *cli.Context {\n\t\t\t\t\tflagSet := flag.NewFlagSet(\"test0\", flag.PanicOnError)\n\t\t\t\t\tflagSet.String(CredFileFlag, oldCertPath, \"\")\n\t\t\t\t\tc := cli.NewContext(cli.NewApp(), flagSet, nil)\n\t\t\t\t\t_ = c.Set(CredFileFlag, oldCertPath)\n\t\t\t\t\treturn c\n\t\t\t\t}(),\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\ttunnelID: tunnelID,\n\t\t\t},\n\t\t\twant: connection.Credentials{\n\t\t\t\tAccountTag: accountTag,\n\t\t\t\tTunnelID: tunnelID,\n\t\t\t\tTunnelSecret: secret,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Filepath given leads to new credentials file\",\n\t\t\tfields: fields{\n\t\t\t\tlog: &log,\n\t\t\t\tfs: fs,\n\t\t\t\tc: func() *cli.Context {\n\t\t\t\t\tflagSet := flag.NewFlagSet(\"test0\", flag.PanicOnError)\n\t\t\t\t\tflagSet.String(CredFileFlag, newCertPath, \"\")\n\t\t\t\t\tc := cli.NewContext(cli.NewApp(), flagSet, nil)\n\t\t\t\t\t_ = c.Set(CredFileFlag, newCertPath)\n\t\t\t\t\treturn c\n\t\t\t\t}(),\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\ttunnelID: tunnelID,\n\t\t\t},\n\t\t\twant: connection.Credentials{\n\t\t\t\tAccountTag: accountTag,\n\t\t\t\tTunnelID: tunnelID,\n\t\t\t\tTunnelSecret: secret,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"TUNNEL_CRED_CONTENTS given contains old credentials contents\",\n\t\t\tfields: fields{\n\t\t\t\tlog: &log,\n\t\t\t\tfs: fs,\n\t\t\t\tc: func() *cli.Context {\n\t\t\t\t\tflagSet := flag.NewFlagSet(\"test0\", flag.PanicOnError)\n\t\t\t\t\tflagSet.String(CredContentsFlag, \"\", \"\")\n\t\t\t\t\tc := cli.NewContext(cli.NewApp(), flagSet, nil)\n\t\t\t\t\t_ = c.Set(CredContentsFlag, fmt.Sprintf(`{\"AccountTag\":\"%s\",\"TunnelSecret\":\"%s\"}`, accountTag, secretB64))\n\t\t\t\t\treturn c\n\t\t\t\t}(),\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\ttunnelID: tunnelID,\n\t\t\t},\n\t\t\twant: connection.Credentials{\n\t\t\t\tAccountTag: accountTag,\n\t\t\t\tTunnelID: tunnelID,\n\t\t\t\tTunnelSecret: secret,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"TUNNEL_CRED_CONTENTS given contains new credentials contents\",\n\t\t\tfields: fields{\n\t\t\t\tlog: &log,\n\t\t\t\tfs: fs,\n\t\t\t\tc: func() *cli.Context {\n\t\t\t\t\tflagSet := flag.NewFlagSet(\"test0\", flag.PanicOnError)\n\t\t\t\t\tflagSet.String(CredContentsFlag, \"\", \"\")\n\t\t\t\t\tc := cli.NewContext(cli.NewApp(), flagSet, nil)\n\t\t\t\t\t_ = c.Set(CredContentsFlag, fmt.Sprintf(`{\"AccountTag\":\"%s\",\"TunnelSecret\":\"%s\",\"TunnelID\":\"%s\",\"TunnelName\":\"%s\"}`, accountTag, secretB64, tunnelID, name))\n\t\t\t\t\treturn c\n\t\t\t\t}(),\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\ttunnelID: tunnelID,\n\t\t\t},\n\t\t\twant: connection.Credentials{\n\t\t\t\tAccountTag: accountTag,\n\t\t\t\tTunnelID: tunnelID,\n\t\t\t\tTunnelSecret: secret,\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tsc := &subcommandContext{\n\t\t\t\tc: tt.fields.c,\n\t\t\t\tlog: tt.fields.log,\n\t\t\t\tfs: tt.fields.fs,\n\t\t\t\ttunnelstoreClient: tt.fields.tunnelstoreClient,\n\t\t\t\tuserCredential: tt.fields.userCredential,\n\t\t\t}\n\t\t\tgot, err := sc.findCredentials(tt.args.tunnelID)\n\t\t\tif (err != nil) != tt.wantErr {\n\t\t\t\tt.Errorf(\"subcommandContext.findCredentials() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif !reflect.DeepEqual(got, tt.want) {\n\t\t\t\tt.Errorf(\"subcommandContext.findCredentials() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n\ntype deleteMockTunnelStore struct {\n\tcfapi.Client\n\tmockTunnels map[uuid.UUID]mockTunnelBehaviour\n\tdeletedTunnelIDs []uuid.UUID\n}\n\ntype mockTunnelBehaviour struct {\n\ttunnel cfapi.Tunnel\n\tdeleteErr error\n\tcleanupErr error\n}\n\nfunc newDeleteMockTunnelStore(tunnels ...mockTunnelBehaviour) *deleteMockTunnelStore {\n\tmockTunnels := make(map[uuid.UUID]mockTunnelBehaviour)\n\tfor _, tunnel := range tunnels {\n\t\tmockTunnels[tunnel.tunnel.ID] = tunnel\n\t}\n\treturn &deleteMockTunnelStore{\n\t\tmockTunnels: mockTunnels,\n\t\tdeletedTunnelIDs: make([]uuid.UUID, 0),\n\t}\n}\n\nfunc (d *deleteMockTunnelStore) GetTunnel(tunnelID uuid.UUID) (*cfapi.Tunnel, error) {\n\ttunnel, ok := d.mockTunnels[tunnelID]\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"Couldn't find tunnel: %v\", tunnelID)\n\t}\n\treturn &tunnel.tunnel, nil\n}\n\nfunc (d *deleteMockTunnelStore) GetTunnelToken(tunnelID uuid.UUID) (string, error) {\n\treturn \"token\", nil\n}\n\nfunc (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {\n\ttunnel, ok := d.mockTunnels[tunnelID]\n\tif !ok {\n\t\treturn fmt.Errorf(\"Couldn't find tunnel: %v\", tunnelID)\n\t}\n\n\tif tunnel.deleteErr != nil {\n\t\treturn tunnel.deleteErr\n\t}\n\n\td.deletedTunnelIDs = append(d.deletedTunnelIDs, tunnelID)\n\ttunnel.tunnel.DeletedAt = time.Now()\n\tdelete(d.mockTunnels, tunnelID)\n\treturn nil\n}\n\nfunc (d *deleteMockTunnelStore) CleanupConnections(tunnelID uuid.UUID, _ *cfapi.CleanupParams) error {\n\ttunnel, ok := d.mockTunnels[tunnelID]\n\tif !ok {\n\t\treturn fmt.Errorf(\"Couldn't find tunnel: %v\", tunnelID)\n\t}\n\treturn tunnel.cleanupErr\n}\n\nfunc Test_subcommandContext_Delete(t *testing.T) {\n\ttype fields struct {\n\t\tc *cli.Context\n\t\tlog *zerolog.Logger\n\t\tisUIEnabled bool\n\t\tfs fileSystem\n\t\ttunnelstoreClient *deleteMockTunnelStore\n\t\tuserCredential *credentials.User\n\t}\n\ttype args struct {\n\t\ttunnelIDs []uuid.UUID\n\t}\n\tnewCertPath := \"new_cert.json\"\n\ttunnelID1 := uuid.MustParse(\"df5ed608-b8b4-4109-89f3-9f2cf199df64\")\n\ttunnelID2 := uuid.MustParse(\"af5ed608-b8b4-4109-89f3-9f2cf199df64\")\n\tlog := zerolog.Nop()\n\n\tvar tests = []struct {\n\t\tname string\n\t\tfields fields\n\t\targs args\n\t\twant []uuid.UUID\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\tname: \"clean up continues if credentials are not found\",\n\t\t\tfields: fields{\n\t\t\t\tlog: &log,\n\t\t\t\tfs: mockFileSystem{\n\t\t\t\t\trf: func(filePath string) ([]byte, error) {\n\t\t\t\t\t\treturn nil, errors.New(\"file not found\")\n\t\t\t\t\t},\n\t\t\t\t\tvfp: func(string) bool { return true },\n\t\t\t\t},\n\t\t\t\tc: func() *cli.Context {\n\t\t\t\t\tflagSet := flag.NewFlagSet(\"test0\", flag.PanicOnError)\n\t\t\t\t\tflagSet.String(CredFileFlag, newCertPath, \"\")\n\t\t\t\t\tc := cli.NewContext(cli.NewApp(), flagSet, nil)\n\t\t\t\t\t_ = c.Set(CredFileFlag, newCertPath)\n\t\t\t\t\treturn c\n\t\t\t\t}(),\n\t\t\t\ttunnelstoreClient: newDeleteMockTunnelStore(\n\t\t\t\t\tmockTunnelBehaviour{\n\t\t\t\t\t\ttunnel: cfapi.Tunnel{ID: tunnelID1},\n\t\t\t\t\t},\n\t\t\t\t\tmockTunnelBehaviour{\n\t\t\t\t\t\ttunnel: cfapi.Tunnel{ID: tunnelID2},\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t},\n\n\t\t\targs: args{\n\t\t\t\ttunnelIDs: []uuid.UUID{tunnelID1, tunnelID2},\n\t\t\t},\n\t\t\twant: []uuid.UUID{tunnelID1, tunnelID2},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tsc := &subcommandContext{\n\t\t\t\tc: tt.fields.c,\n\t\t\t\tlog: tt.fields.log,\n\t\t\t\tfs: tt.fields.fs,\n\t\t\t\ttunnelstoreClient: tt.fields.tunnelstoreClient,\n\t\t\t\tuserCredential: tt.fields.userCredential,\n\t\t\t}\n\t\t\terr := sc.delete(tt.args.tunnelIDs)\n\t\t\tif (err != nil) != tt.wantErr {\n\t\t\t\tt.Errorf(\"subcommandContext.findCredentials() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tgot := tt.fields.tunnelstoreClient.deletedTunnelIDs\n\t\t\tif !reflect.DeepEqual(got, tt.want) {\n\t\t\t\tt.Errorf(\"subcommandContext.findCredentials() = %v, want %v\", got, tt.want)\n\t\t\t\treturn\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc Test_subcommandContext_ValidateIngressCommand(t *testing.T) {\n\tvar tests = []struct {\n\t\tname string\n\t\tc *cli.Context\n\t\twantErr bool\n\t\texpectedErr error\n\t}{\n\t\t{\n\t\t\tname: \"read a valid configuration from data\",\n\t\t\tc: func() *cli.Context {\n\t\t\t\tdata := `{ \"warp-routing\": {\"enabled\": true}, \"originRequest\" : {\"connectTimeout\": 10}, \"ingress\" : [ {\"hostname\": \"test\", \"service\": \"https://localhost:8000\" } , {\"service\": \"http_status:404\"} ]}`\n\t\t\t\tflagSet := flag.NewFlagSet(\"json\", flag.PanicOnError)\n\t\t\t\tflagSet.String(ingressDataJSONFlagName, data, \"\")\n\t\t\t\tc := cli.NewContext(cli.NewApp(), flagSet, nil)\n\t\t\t\t_ = c.Set(ingressDataJSONFlagName, data)\n\t\t\t\treturn c\n\t\t\t}(),\n\t\t},\n\t\t{\n\t\t\tname: \"read an invalid configuration with multiple mistakes\",\n\t\t\tc: func() *cli.Context {\n\t\t\t\tdata := `{ \"ingress\" : [ {\"hostname\": \"test\", \"service\": \"localhost:8000\" } , {\"service\": \"http_status:invalid_status\"} ]}`\n\t\t\t\tflagSet := flag.NewFlagSet(\"json\", flag.PanicOnError)\n\t\t\t\tflagSet.String(ingressDataJSONFlagName, data, \"\")\n\t\t\t\tc := cli.NewContext(cli.NewApp(), flagSet, nil)\n\t\t\t\t_ = c.Set(ingressDataJSONFlagName, data)\n\t\t\t\treturn c\n\t\t\t}(),\n\t\t\twantErr: true,\n\t\t\texpectedErr: errors.New(\"Validation failed: localhost:8000 is an invalid address, please make sure it has a scheme and a hostname\"),\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\terr := validateIngressCommand(tt.c, \"\")\n\t\t\tif tt.wantErr {\n\t\t\t\tassert.Equal(t, tt.expectedErr.Error(), err.Error())\n\t\t\t} else {\n\t\t\t\tassert.Nil(t, err)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "cmd/cloudflared/tunnel/subcommand_context_vnets.go", "content": "package tunnel\n\nimport (\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n)\n\nfunc (sc *subcommandContext) addVirtualNetwork(newVnet cfapi.NewVirtualNetwork) (cfapi.VirtualNetwork, error) {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn cfapi.VirtualNetwork{}, errors.Wrap(err, noClientMsg)\n\t}\n\treturn client.CreateVirtualNetwork(newVnet)\n}\n\nfunc (sc *subcommandContext) listVirtualNetworks(filter *cfapi.VnetFilter) ([]*cfapi.VirtualNetwork, error) {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, noClientMsg)\n\t}\n\treturn client.ListVirtualNetworks(filter)\n}\n\nfunc (sc *subcommandContext) deleteVirtualNetwork(vnetId uuid.UUID, force bool) error {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn errors.Wrap(err, noClientMsg)\n\t}\n\treturn client.DeleteVirtualNetwork(vnetId, force)\n}\n\nfunc (sc *subcommandContext) updateVirtualNetwork(vnetId uuid.UUID, updates cfapi.UpdateVirtualNetwork) error {\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn errors.Wrap(err, noClientMsg)\n\t}\n\treturn client.UpdateVirtualNetwork(vnetId, updates)\n}\n" }, { "path": "cmd/cloudflared/tunnel/subcommands.go", "content": "package tunnel\n\nimport (\n\t\"crypto/rand\"\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"sort\"\n\t\"strings\"\n\t\"text/tabwriter\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/mitchellh/go-homedir\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/urfave/cli/v2\"\n\t\"github.com/urfave/cli/v2/altsrc\"\n\t\"golang.org/x/net/idna\"\n\t\"gopkg.in/yaml.v3\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/updater\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/diagnostic\"\n\t\"github.com/cloudflare/cloudflared/fips\"\n\t\"github.com/cloudflare/cloudflared/metrics\"\n)\n\nconst (\n\tallSortByOptions = \"name, id, createdAt, deletedAt, numConnections\"\n\tconnsSortByOptions = \"id, startedAt, numConnections, version\"\n\tCredFileFlagAlias = \"cred-file\"\n\tCredFileFlag = \"credentials-file\"\n\tCredContentsFlag = \"credentials-contents\"\n\tTunnelTokenFlag = \"token\"\n\tTunnelTokenFileFlag = \"token-file\"\n\toverwriteDNSFlagName = \"overwrite-dns\"\n\tnoDiagLogsFlagName = \"no-diag-logs\"\n\tnoDiagMetricsFlagName = \"no-diag-metrics\"\n\tnoDiagSystemFlagName = \"no-diag-system\"\n\tnoDiagRuntimeFlagName = \"no-diag-runtime\"\n\tnoDiagNetworkFlagName = \"no-diag-network\"\n\tdiagContainerIDFlagName = \"diag-container-id\"\n\tdiagPodFlagName = \"diag-pod-id\"\n\n\tLogFieldTunnelID = \"tunnelID\"\n)\n\nvar (\n\tshowDeletedFlag = &cli.BoolFlag{\n\t\tName: \"show-deleted\",\n\t\tAliases: []string{\"d\"},\n\t\tUsage: \"Include deleted tunnels in the list\",\n\t}\n\tlistNameFlag = &cli.StringFlag{\n\t\tName: flags.Name,\n\t\tAliases: []string{\"n\"},\n\t\tUsage: \"List tunnels with the given `NAME`\",\n\t}\n\tlistNamePrefixFlag = &cli.StringFlag{\n\t\tName: \"name-prefix\",\n\t\tAliases: []string{\"np\"},\n\t\tUsage: \"List tunnels that start with the give `NAME` prefix\",\n\t}\n\tlistExcludeNamePrefixFlag = &cli.StringFlag{\n\t\tName: \"exclude-name-prefix\",\n\t\tAliases: []string{\"enp\"},\n\t\tUsage: \"List tunnels whose `NAME` does not start with the given prefix\",\n\t}\n\tlistExistedAtFlag = &cli.TimestampFlag{\n\t\tName: \"when\",\n\t\tAliases: []string{\"w\"},\n\t\tUsage: \"List tunnels that are active at the given `TIME` in RFC3339 format\",\n\t\tLayout: cfapi.TimeLayout,\n\t\tDefaultText: fmt.Sprintf(\"current time, %s\", time.Now().Format(cfapi.TimeLayout)),\n\t}\n\tlistIDFlag = &cli.StringFlag{\n\t\tName: \"id\",\n\t\tAliases: []string{\"i\"},\n\t\tUsage: \"List tunnel by `ID`\",\n\t}\n\tshowRecentlyDisconnected = &cli.BoolFlag{\n\t\tName: \"show-recently-disconnected\",\n\t\tAliases: []string{\"rd\"},\n\t\tUsage: \"Include connections that have recently disconnected in the list\",\n\t}\n\toutputFormatFlag = &cli.StringFlag{\n\t\tName: \"output\",\n\t\tAliases: []string{\"o\"},\n\t\tUsage: \"Render output using given `FORMAT`. Valid options are 'json' or 'yaml'\",\n\t}\n\tsortByFlag = &cli.StringFlag{\n\t\tName: \"sort-by\",\n\t\tValue: \"name\",\n\t\tUsage: fmt.Sprintf(\"Sorts the list of tunnels by the given field. Valid options are {%s}\", allSortByOptions),\n\t\tEnvVars: []string{\"TUNNEL_LIST_SORT_BY\"},\n\t}\n\tinvertSortFlag = &cli.BoolFlag{\n\t\tName: \"invert-sort\",\n\t\tUsage: \"Inverts the sort order of the tunnel list.\",\n\t\tEnvVars: []string{\"TUNNEL_LIST_INVERT_SORT\"},\n\t}\n\tfeaturesFlag = altsrc.NewStringSliceFlag(&cli.StringSliceFlag{\n\t\tName: flags.Features,\n\t\tAliases: []string{\"F\"},\n\t\tUsage: \"Opt into various features that are still being developed or tested.\",\n\t})\n\tcredentialsFileFlagCLIOnly = &cli.StringFlag{\n\t\tName: CredFileFlag,\n\t\tAliases: []string{CredFileFlagAlias},\n\t\tUsage: \"Filepath at which to read/write the tunnel credentials\",\n\t\tEnvVars: []string{\"TUNNEL_CRED_FILE\"},\n\t}\n\tcredentialsFileFlag = altsrc.NewStringFlag(credentialsFileFlagCLIOnly)\n\tcredentialsContentsFlag = altsrc.NewStringFlag(&cli.StringFlag{\n\t\tName: CredContentsFlag,\n\t\tUsage: \"Contents of the tunnel credentials JSON file to use. When provided along with credentials-file, this will take precedence.\",\n\t\tEnvVars: []string{\"TUNNEL_CRED_CONTENTS\"},\n\t})\n\ttunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{\n\t\tName: TunnelTokenFlag,\n\t\tUsage: \"The Tunnel token. When provided along with credentials, this will take precedence. Also takes precedence over token-file\",\n\t\tEnvVars: []string{\"TUNNEL_TOKEN\"},\n\t})\n\ttunnelTokenFileFlag = altsrc.NewStringFlag(&cli.StringFlag{\n\t\tName: TunnelTokenFileFlag,\n\t\tUsage: \"Filepath at which to read the tunnel token. When provided along with credentials, this will take precedence.\",\n\t\tEnvVars: []string{\"TUNNEL_TOKEN_FILE\"},\n\t})\n\tforceDeleteFlag = &cli.BoolFlag{\n\t\tName: flags.Force,\n\t\tAliases: []string{\"f\"},\n\t\tUsage: \"Deletes a tunnel even if tunnel is connected and it has dependencies associated to it. (eg. IP routes).\" +\n\t\t\t\" It is not possible to delete tunnels that have connections or non-deleted dependencies, without this flag.\",\n\t\tEnvVars: []string{\"TUNNEL_RUN_FORCE_OVERWRITE\"},\n\t}\n\tselectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{\n\t\tName: flags.Protocol,\n\t\tValue: connection.AutoSelectFlag,\n\t\tAliases: []string{\"p\"},\n\t\tUsage: fmt.Sprintf(\"Protocol implementation to connect with Cloudflare's edge network. %s\", connection.AvailableProtocolFlagMessage),\n\t\tEnvVars: []string{\"TUNNEL_TRANSPORT_PROTOCOL\"},\n\t\tHidden: true,\n\t})\n\tpostQuantumFlag = altsrc.NewBoolFlag(&cli.BoolFlag{\n\t\tName: flags.PostQuantum,\n\t\tUsage: \"When given creates an experimental post-quantum secure tunnel\",\n\t\tAliases: []string{\"pq\"},\n\t\tEnvVars: []string{\"TUNNEL_POST_QUANTUM\"},\n\t\tHidden: fips.IsFipsEnabled(),\n\t})\n\tsortInfoByFlag = &cli.StringFlag{\n\t\tName: \"sort-by\",\n\t\tValue: \"createdAt\",\n\t\tUsage: fmt.Sprintf(\"Sorts the list of connections of a tunnel by the given field. Valid options are {%s}\", connsSortByOptions),\n\t\tEnvVars: []string{\"TUNNEL_INFO_SORT_BY\"},\n\t}\n\tinvertInfoSortFlag = &cli.BoolFlag{\n\t\tName: \"invert-sort\",\n\t\tUsage: \"Inverts the sort order of the tunnel info.\",\n\t\tEnvVars: []string{\"TUNNEL_INFO_INVERT_SORT\"},\n\t}\n\tcleanupClientFlag = &cli.StringFlag{\n\t\tName: \"connector-id\",\n\t\tAliases: []string{\"c\"},\n\t\tUsage: `Constraints the cleanup to stop the connections of a single Connector (by its ID). You can find the various Connectors (and their IDs) currently connected to your tunnel via 'cloudflared tunnel info '.`,\n\t\tEnvVars: []string{\"TUNNEL_CLEANUP_CONNECTOR\"},\n\t}\n\toverwriteDNSFlag = &cli.BoolFlag{\n\t\tName: overwriteDNSFlagName,\n\t\tAliases: []string{\"f\"},\n\t\tUsage: `Overwrites existing DNS records with this hostname`,\n\t\tEnvVars: []string{\"TUNNEL_FORCE_PROVISIONING_DNS\"},\n\t}\n\tcreateSecretFlag = &cli.StringFlag{\n\t\tName: \"secret\",\n\t\tAliases: []string{\"s\"},\n\t\tUsage: \"Base64 encoded secret to set for the tunnel. The decoded secret must be at least 32 bytes long. If not specified, a random 32-byte secret will be generated.\",\n\t\tEnvVars: []string{\"TUNNEL_CREATE_SECRET\"},\n\t}\n\ticmpv4SrcFlag = &cli.StringFlag{\n\t\tName: flags.ICMPV4Src,\n\t\tUsage: \"Source address to send/receive ICMPv4 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to 0.0.0.0.\",\n\t\tEnvVars: []string{\"TUNNEL_ICMPV4_SRC\"},\n\t}\n\ticmpv6SrcFlag = &cli.StringFlag{\n\t\tName: flags.ICMPV6Src,\n\t\tUsage: \"Source address and the interface name to send/receive ICMPv6 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to ::.\",\n\t\tEnvVars: []string{\"TUNNEL_ICMPV6_SRC\"},\n\t}\n\tmetricsFlag = &cli.StringFlag{\n\t\tName: flags.Metrics,\n\t\tUsage: \"The metrics server address i.e.: 127.0.0.1:12345. If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.\",\n\t\tValue: \"\",\n\t}\n\tdiagContainerFlag = &cli.StringFlag{\n\t\tName: diagContainerIDFlagName,\n\t\tUsage: \"Container ID or Name to collect logs from\",\n\t\tValue: \"\",\n\t}\n\tdiagPodFlag = &cli.StringFlag{\n\t\tName: diagPodFlagName,\n\t\tUsage: \"Kubernetes POD to collect logs from\",\n\t\tValue: \"\",\n\t}\n\tnoDiagLogsFlag = &cli.BoolFlag{\n\t\tName: noDiagLogsFlagName,\n\t\tUsage: \"Log collection will not be performed\",\n\t\tValue: false,\n\t}\n\tnoDiagMetricsFlag = &cli.BoolFlag{\n\t\tName: noDiagMetricsFlagName,\n\t\tUsage: \"Metric collection will not be performed\",\n\t\tValue: false,\n\t}\n\tnoDiagSystemFlag = &cli.BoolFlag{\n\t\tName: noDiagSystemFlagName,\n\t\tUsage: \"System information collection will not be performed\",\n\t\tValue: false,\n\t}\n\tnoDiagRuntimeFlag = &cli.BoolFlag{\n\t\tName: noDiagRuntimeFlagName,\n\t\tUsage: \"Runtime information collection will not be performed\",\n\t\tValue: false,\n\t}\n\tnoDiagNetworkFlag = &cli.BoolFlag{\n\t\tName: noDiagNetworkFlagName,\n\t\tUsage: \"Network diagnostics won't be performed\",\n\t\tValue: false,\n\t}\n\tmaxActiveFlowsFlag = &cli.Uint64Flag{\n\t\tName: flags.MaxActiveFlows,\n\t\tUsage: \"Overrides the remote configuration for max active private network flows (TCP/UDP) that this cloudflared instance supports\",\n\t\tEnvVars: []string{\"TUNNEL_MAX_ACTIVE_FLOWS\"},\n\t}\n\tdnsResolverAddrsFlag = &cli.StringSliceFlag{\n\t\tName: flags.VirtualDNSServiceResolverAddresses,\n\t\tUsage: \"Overrides the dynamic DNS resolver resolution to use these address:port's instead.\",\n\t\tEnvVars: []string{\"TUNNEL_DNS_RESOLVER_ADDRS\"},\n\t}\n)\n\nfunc buildCreateCommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"create\",\n\t\tAction: cliutil.ConfiguredAction(createCommand),\n\t\tUsage: \"Create a new tunnel with given name\",\n\t\tUsageText: \"cloudflared tunnel [tunnel command options] create [subcommand options] NAME\",\n\t\tDescription: `Creates a tunnel, registers it with Cloudflare edge and generates credential file used to run this tunnel.\n Use \"cloudflared tunnel route\" subcommand to map a DNS name to this tunnel and \"cloudflared tunnel run\" to start the connection.\n\n For example, to create a tunnel named 'my-tunnel' run:\n\n $ cloudflared tunnel create my-tunnel`,\n\t\tFlags: []cli.Flag{outputFormatFlag, credentialsFileFlagCLIOnly, createSecretFlag},\n\t\tCustomHelpTemplate: commandHelpTemplate(),\n\t}\n}\n\n// generateTunnelSecret as an array of 32 bytes using secure random number generator\nfunc generateTunnelSecret() ([]byte, error) {\n\trandomBytes := make([]byte, 32)\n\t_, err := rand.Read(randomBytes)\n\treturn randomBytes, err\n}\n\nfunc createCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"error setting up logger\")\n\t}\n\n\tif c.NArg() != 1 {\n\t\treturn cliutil.UsageError(`\"cloudflared tunnel create\" requires exactly 1 argument, the name of tunnel to create.`)\n\t}\n\tname := c.Args().First()\n\n\twarningChecker := updater.StartWarningCheck(c)\n\tdefer warningChecker.LogWarningIfAny(sc.log)\n\n\t_, err = sc.create(name, c.String(CredFileFlag), c.String(createSecretFlag.Name))\n\treturn errors.Wrap(err, \"failed to create tunnel\")\n}\n\nfunc tunnelFilePath(tunnelID uuid.UUID, directory string) (string, error) {\n\tfileName := fmt.Sprintf(\"%v.json\", tunnelID)\n\tfilePath := filepath.Clean(fmt.Sprintf(\"%s/%s\", directory, fileName))\n\treturn homedir.Expand(filePath)\n}\n\n// writeTunnelCredentials saves `credentials` as a JSON into `filePath`, only if\n// the file does not exist already\nfunc writeTunnelCredentials(filePath string, credentials *connection.Credentials) error {\n\tif _, err := os.Stat(filePath); !os.IsNotExist(err) {\n\t\tif err == nil {\n\t\t\treturn fmt.Errorf(\"%s already exists\", filePath)\n\t\t}\n\t\treturn err\n\t}\n\tbody, err := json.Marshal(credentials)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Unable to marshal tunnel credentials to JSON\")\n\t}\n\treturn os.WriteFile(filePath, body, 0400)\n}\n\nfunc buildListCommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"list\",\n\t\tAction: cliutil.ConfiguredAction(listCommand),\n\t\tUsage: \"List existing tunnels\",\n\t\tUsageText: \"cloudflared tunnel [tunnel command options] list [subcommand options]\",\n\t\tDescription: \"cloudflared tunnel list will display all active tunnels, their created time and associated connections. Use -d flag to include deleted tunnels. See the list of options to filter the list\",\n\t\tFlags: []cli.Flag{\n\t\t\toutputFormatFlag,\n\t\t\tshowDeletedFlag,\n\t\t\tlistNameFlag,\n\t\t\tlistNamePrefixFlag,\n\t\t\tlistExcludeNamePrefixFlag,\n\t\t\tlistExistedAtFlag,\n\t\t\tlistIDFlag,\n\t\t\tshowRecentlyDisconnected,\n\t\t\tsortByFlag,\n\t\t\tinvertSortFlag,\n\t\t},\n\t\tCustomHelpTemplate: commandHelpTemplate(),\n\t}\n}\n\nfunc listCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\twarningChecker := updater.StartWarningCheck(c)\n\tdefer warningChecker.LogWarningIfAny(sc.log)\n\n\tfilter := cfapi.NewTunnelFilter()\n\tif !c.Bool(\"show-deleted\") {\n\t\tfilter.NoDeleted()\n\t}\n\tif name := c.String(flags.Name); name != \"\" {\n\t\tfilter.ByName(name)\n\t}\n\tif namePrefix := c.String(\"name-prefix\"); namePrefix != \"\" {\n\t\tfilter.ByNamePrefix(namePrefix)\n\t}\n\tif excludePrefix := c.String(\"exclude-name-prefix\"); excludePrefix != \"\" {\n\t\tfilter.ExcludeNameWithPrefix(excludePrefix)\n\t}\n\tif existedAt := c.Timestamp(\"time\"); existedAt != nil {\n\t\tfilter.ByExistedAt(*existedAt)\n\t}\n\tif id := c.String(\"id\"); id != \"\" {\n\t\ttunnelID, err := uuid.Parse(id)\n\t\tif err != nil {\n\t\t\treturn errors.Wrapf(err, \"%s is not a valid tunnel ID\", id)\n\t\t}\n\t\tfilter.ByTunnelID(tunnelID)\n\t}\n\tif maxFetch := c.Int(\"max-fetch-size\"); maxFetch > 0 {\n\t\tfilter.MaxFetchSize(uint(maxFetch))\n\t}\n\n\ttunnels, err := sc.list(filter)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Sort the tunnels\n\tsortBy := c.String(\"sort-by\")\n\tinvalidSortField := false\n\tsort.Slice(tunnels, func(i, j int) bool {\n\t\tcmp := func() bool {\n\t\t\tswitch sortBy {\n\t\t\tcase \"name\":\n\t\t\t\treturn tunnels[i].Name < tunnels[j].Name\n\t\t\tcase \"id\":\n\t\t\t\treturn tunnels[i].ID.String() < tunnels[j].ID.String()\n\t\t\tcase \"createdAt\":\n\t\t\t\treturn tunnels[i].CreatedAt.Unix() < tunnels[j].CreatedAt.Unix()\n\t\t\tcase \"deletedAt\":\n\t\t\t\treturn tunnels[i].DeletedAt.Unix() < tunnels[j].DeletedAt.Unix()\n\t\t\tcase \"numConnections\":\n\t\t\t\treturn len(tunnels[i].Connections) < len(tunnels[j].Connections)\n\t\t\tdefault:\n\t\t\t\tinvalidSortField = true\n\t\t\t\treturn tunnels[i].Name < tunnels[j].Name\n\t\t\t}\n\t\t}()\n\t\tif c.Bool(\"invert-sort\") {\n\t\t\treturn !cmp\n\t\t}\n\t\treturn cmp\n\t})\n\tif invalidSortField {\n\t\tsc.log.Error().Msgf(\"%s is not a valid sort field. Valid sort fields are %s. Defaulting to 'name'.\", sortBy, allSortByOptions)\n\t}\n\n\tif outputFormat := c.String(outputFormatFlag.Name); outputFormat != \"\" {\n\t\treturn renderOutput(outputFormat, tunnels)\n\t}\n\n\tif len(tunnels) > 0 {\n\t\tformatAndPrintTunnelList(tunnels, c.Bool(\"show-recently-disconnected\"))\n\t} else {\n\t\tfmt.Println(\"No tunnels were found for the given filter flags. You can use 'cloudflared tunnel create' to create a tunnel.\")\n\t}\n\n\treturn nil\n}\n\nfunc formatAndPrintTunnelList(tunnels []*cfapi.Tunnel, showRecentlyDisconnected bool) {\n\twriter := tabWriter()\n\tdefer writer.Flush()\n\n\t_, _ = fmt.Fprintln(writer, \"You can obtain more detailed information for each tunnel with `cloudflared tunnel info `\")\n\n\t// Print column headers with tabbed columns\n\t_, _ = fmt.Fprintln(writer, \"ID\\tNAME\\tCREATED\\tCONNECTIONS\\t\")\n\n\t// Loop through tunnels, create formatted string for each, and print using tabwriter\n\tfor _, t := range tunnels {\n\t\tformattedStr := fmt.Sprintf(\n\t\t\t\"%s\\t%s\\t%s\\t%s\\t\",\n\t\t\tt.ID,\n\t\t\tt.Name,\n\t\t\tt.CreatedAt.Format(time.RFC3339),\n\t\t\tfmtConnections(t.Connections, showRecentlyDisconnected),\n\t\t)\n\t\t_, _ = fmt.Fprintln(writer, formattedStr)\n\t}\n}\n\nfunc fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected bool) string {\n\t// Count connections per colo\n\tnumConnsPerColo := make(map[string]uint, len(connections))\n\tfor _, connection := range connections {\n\t\tif !connection.IsPendingReconnect || showRecentlyDisconnected {\n\t\t\tnumConnsPerColo[connection.ColoName]++\n\t\t}\n\t}\n\n\t// Get sorted list of colos\n\tsortedColos := []string{}\n\tfor coloName := range numConnsPerColo {\n\t\tsortedColos = append(sortedColos, coloName)\n\t}\n\tsort.Strings(sortedColos)\n\n\t// Map each colo to its frequency, combine into output string.\n\toutput := make([]string, 0, len(sortedColos))\n\tfor _, coloName := range sortedColos {\n\t\toutput = append(output, fmt.Sprintf(\"%dx%s\", numConnsPerColo[coloName], coloName))\n\t}\n\treturn strings.Join(output, \", \")\n}\n\nfunc buildReadyCommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"ready\",\n\t\tAction: cliutil.ConfiguredAction(readyCommand),\n\t\tUsage: \"Call /ready endpoint and return proper exit code\",\n\t\tUsageText: \"cloudflared tunnel [tunnel command options] ready [subcommand options]\",\n\t\tDescription: \"cloudflared tunnel ready will return proper exit code based on the /ready endpoint\",\n\t\tFlags: []cli.Flag{},\n\t\tCustomHelpTemplate: commandHelpTemplate(),\n\t}\n}\n\nfunc readyCommand(c *cli.Context) error {\n\tmetricsOpts := c.String(flags.Metrics)\n\tif !c.IsSet(flags.Metrics) {\n\t\treturn errors.New(\"--metrics has to be provided\")\n\t}\n\n\trequestURL := fmt.Sprintf(\"http://%s/ready\", metricsOpts)\n\treq, err := http.NewRequest(http.MethodGet, requestURL, nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\tres, err := http.DefaultClient.Do(req)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer res.Body.Close()\n\tif res.StatusCode != 200 {\n\t\tbody, err := io.ReadAll(res.Body)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn fmt.Errorf(\"http://%s/ready endpoint returned status code %d\\n%s\", metricsOpts, res.StatusCode, body)\n\t}\n\treturn nil\n}\n\nfunc buildInfoCommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"info\",\n\t\tAction: cliutil.ConfiguredAction(tunnelInfo),\n\t\tUsage: \"List details about the active connectors for a tunnel\",\n\t\tUsageText: \"cloudflared tunnel [tunnel command options] info [subcommand options] [TUNNEL]\",\n\t\tDescription: \"cloudflared tunnel info displays details about the active connectors for a given tunnel (identified by name or uuid).\",\n\t\tFlags: []cli.Flag{\n\t\t\toutputFormatFlag,\n\t\t\tshowRecentlyDisconnected,\n\t\t\tsortInfoByFlag,\n\t\t\tinvertInfoSortFlag,\n\t\t},\n\t\tCustomHelpTemplate: commandHelpTemplate(),\n\t}\n}\n\nfunc tunnelInfo(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\twarningChecker := updater.StartWarningCheck(c)\n\tdefer warningChecker.LogWarningIfAny(sc.log)\n\n\tif c.NArg() != 1 {\n\t\treturn cliutil.UsageError(`\"cloudflared tunnel info\" accepts exactly one argument, the ID or name of the tunnel to get info about.`)\n\t}\n\ttunnelID, err := sc.findID(c.Args().First())\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"error parsing tunnel ID\")\n\t}\n\n\tclient, err := sc.client()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclients, err := client.ListActiveClients(tunnelID)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tsortBy := c.String(\"sort-by\")\n\tinvalidSortField := false\n\tsort.Slice(clients, func(i, j int) bool {\n\t\tcmp := func() bool {\n\t\t\tswitch sortBy {\n\t\t\tcase \"id\":\n\t\t\t\treturn clients[i].ID.String() < clients[j].ID.String()\n\t\t\tcase \"createdAt\":\n\t\t\t\treturn clients[i].RunAt.Unix() < clients[j].RunAt.Unix()\n\t\t\tcase \"numConnections\":\n\t\t\t\treturn len(clients[i].Connections) < len(clients[j].Connections)\n\t\t\tcase \"version\":\n\t\t\t\treturn clients[i].Version < clients[j].Version\n\t\t\tdefault:\n\t\t\t\tinvalidSortField = true\n\t\t\t\treturn clients[i].RunAt.Unix() < clients[j].RunAt.Unix()\n\t\t\t}\n\t\t}()\n\t\tif c.Bool(\"invert-sort\") {\n\t\t\treturn !cmp\n\t\t}\n\t\treturn cmp\n\t})\n\tif invalidSortField {\n\t\tsc.log.Error().Msgf(\"%s is not a valid sort field. Valid sort fields are %s. Defaulting to 'name'.\", sortBy, connsSortByOptions)\n\t}\n\n\ttunnel, err := getTunnel(sc, tunnelID)\n\tif err != nil {\n\t\treturn err\n\t}\n\tinfo := Info{\n\t\ttunnel.ID,\n\t\ttunnel.Name,\n\t\ttunnel.CreatedAt,\n\t\tclients,\n\t}\n\n\tif outputFormat := c.String(outputFormatFlag.Name); outputFormat != \"\" {\n\t\treturn renderOutput(outputFormat, info)\n\t}\n\n\tif len(clients) > 0 {\n\t\tformatAndPrintConnectionsList(info, c.Bool(\"show-recently-disconnected\"))\n\t} else {\n\t\tfmt.Printf(\"Your tunnel %s does not have any active connection.\\n\", tunnelID)\n\t}\n\n\treturn nil\n}\n\nfunc getTunnel(sc *subcommandContext, tunnelID uuid.UUID) (*cfapi.Tunnel, error) {\n\tfilter := cfapi.NewTunnelFilter()\n\tfilter.ByTunnelID(tunnelID)\n\ttunnels, err := sc.list(filter)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif len(tunnels) != 1 {\n\t\treturn nil, errors.Errorf(\"Expected to find a single tunnel with uuid %v but found %d tunnels.\", tunnelID, len(tunnels))\n\t}\n\treturn tunnels[0], nil\n}\n\nfunc formatAndPrintConnectionsList(tunnelInfo Info, showRecentlyDisconnected bool) {\n\twriter := tabWriter()\n\tdefer writer.Flush()\n\n\t// Print the general tunnel info table\n\t_, _ = fmt.Fprintf(writer, \"NAME: %s\\nID: %s\\nCREATED: %s\\n\\n\", tunnelInfo.Name, tunnelInfo.ID, tunnelInfo.CreatedAt)\n\n\t// Determine whether to print the connector table\n\tshouldDisplayTable := false\n\tfor _, c := range tunnelInfo.Connectors {\n\t\tconns := fmtConnections(c.Connections, showRecentlyDisconnected)\n\t\tif len(conns) > 0 {\n\t\t\tshouldDisplayTable = true\n\t\t}\n\t}\n\tif !shouldDisplayTable {\n\t\tfmt.Println(\"This tunnel has no active connectors.\")\n\t\treturn\n\t}\n\n\t// Print the connector table\n\t_, _ = fmt.Fprintln(writer, \"CONNECTOR ID\\tCREATED\\tARCHITECTURE\\tVERSION\\tORIGIN IP\\tEDGE\\t\")\n\tfor _, c := range tunnelInfo.Connectors {\n\t\tconns := fmtConnections(c.Connections, showRecentlyDisconnected)\n\t\tif len(conns) == 0 {\n\t\t\tcontinue\n\t\t}\n\t\toriginIp := c.Connections[0].OriginIP.String()\n\t\tformattedStr := fmt.Sprintf(\n\t\t\t\"%s\\t%s\\t%s\\t%s\\t%s\\t%s\\t\",\n\t\t\tc.ID,\n\t\t\tc.RunAt.Format(time.RFC3339),\n\t\t\tc.Arch,\n\t\t\tc.Version,\n\t\t\toriginIp,\n\t\t\tconns,\n\t\t)\n\t\t_, _ = fmt.Fprintln(writer, formattedStr)\n\t}\n}\n\nfunc tabWriter() *tabwriter.Writer {\n\tconst (\n\t\tminWidth = 0\n\t\ttabWidth = 8\n\t\tpadding = 1\n\t\tpadChar = ' '\n\t\tflags = 0\n\t)\n\n\twriter := tabwriter.NewWriter(os.Stdout, minWidth, tabWidth, padding, padChar, flags)\n\treturn writer\n}\n\nfunc buildDeleteCommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"delete\",\n\t\tAction: cliutil.ConfiguredAction(deleteCommand),\n\t\tUsage: \"Delete existing tunnel by UUID or name\",\n\t\tUsageText: \"cloudflared tunnel [tunnel command options] delete [subcommand options] TUNNEL\",\n\t\tDescription: \"cloudflared tunnel delete will delete tunnels with the given tunnel UUIDs or names. A tunnel cannot be deleted if it has active connections. To delete the tunnel unconditionally, use -f flag.\",\n\t\tFlags: []cli.Flag{credentialsFileFlagCLIOnly, forceDeleteFlag},\n\t\tCustomHelpTemplate: commandHelpTemplate(),\n\t}\n}\n\nfunc deleteCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif c.NArg() < 1 {\n\t\treturn cliutil.UsageError(`\"cloudflared tunnel delete\" requires at least 1 argument, the ID or name of the tunnel to delete.`)\n\t}\n\n\twarningChecker := updater.StartWarningCheck(c)\n\tdefer warningChecker.LogWarningIfAny(sc.log)\n\n\ttunnelIDs, err := sc.findIDs(c.Args().Slice())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn sc.delete(tunnelIDs)\n}\n\nfunc renderOutput(format string, v interface{}) error {\n\tswitch format {\n\tcase \"json\":\n\t\tencoder := json.NewEncoder(os.Stdout)\n\t\tencoder.SetIndent(\"\", \" \")\n\t\treturn encoder.Encode(v)\n\tcase \"yaml\":\n\t\treturn yaml.NewEncoder(os.Stdout).Encode(v)\n\tdefault:\n\t\treturn errors.Errorf(\"Unknown output format '%s'\", format)\n\t}\n}\n\nfunc buildRunCommand() *cli.Command {\n\tflags := []cli.Flag{\n\t\tcredentialsFileFlag,\n\t\tcredentialsContentsFlag,\n\t\tpostQuantumFlag,\n\t\tselectProtocolFlag,\n\t\tfeaturesFlag,\n\t\ttunnelTokenFlag,\n\t\ttunnelTokenFileFlag,\n\t\ticmpv4SrcFlag,\n\t\ticmpv6SrcFlag,\n\t\tmaxActiveFlowsFlag,\n\t\tdnsResolverAddrsFlag,\n\t}\n\tflags = append(flags, configureProxyFlags(false)...)\n\treturn &cli.Command{\n\t\tName: \"run\",\n\t\tAction: cliutil.ConfiguredAction(runCommand),\n\t\tUsage: \"Proxy a local web server by running the given tunnel\",\n\t\tUsageText: \"cloudflared tunnel [tunnel command options] run [subcommand options] [TUNNEL]\",\n\t\tDescription: `Runs the tunnel identified by name or UUID, creating highly available connections\n between your server and the Cloudflare edge. You can provide name or UUID of tunnel to run either as the\n last command line argument or in the configuration file using \"tunnel: TUNNEL\".\n\n This command requires the tunnel credentials file created when \"cloudflared tunnel create\" was run,\n however it does not need access to cert.pem from \"cloudflared login\" if you identify the tunnel by UUID.\n If you experience other problems running the tunnel, \"cloudflared tunnel cleanup\" may help by removing\n any old connection records.\n`,\n\t\tFlags: flags,\n\t\tCustomHelpTemplate: commandHelpTemplate(),\n\t}\n}\n\nfunc runCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif c.NArg() > 1 {\n\t\treturn cliutil.UsageError(`\"cloudflared tunnel run\" accepts only one argument, the ID or name of the tunnel to run.`)\n\t}\n\n\tif c.String(\"hostname\") != \"\" {\n\t\tsc.log.Warn().Msg(\"The property `hostname` in your configuration is ignored because you configured a Named Tunnel \" +\n\t\t\t\"in the property `tunnel` to run. Make sure to provision the routing (e.g. via `cloudflared tunnel route dns/lb`) or else \" +\n\t\t\t\"your origin will not be reachable. You should remove the `hostname` property to avoid this warning.\")\n\t}\n\n\ttokenStr := c.String(TunnelTokenFlag)\n\t// Check if tokenStr is blank before checking for tokenFile\n\tif tokenStr == \"\" {\n\t\tif tokenFile := c.String(TunnelTokenFileFlag); tokenFile != \"\" {\n\t\t\tdata, err := os.ReadFile(tokenFile)\n\t\t\tif err != nil {\n\t\t\t\treturn cliutil.UsageError(\"Failed to read token file: %s\", err.Error())\n\t\t\t}\n\t\t\ttokenStr = strings.TrimSpace(string(data))\n\t\t}\n\t}\n\t// Check if token is provided and if not use default tunnelID flag method\n\tif tokenStr != \"\" {\n\t\tif token, err := ParseToken(tokenStr); err == nil {\n\t\t\treturn sc.runWithCredentials(token.Credentials())\n\t\t}\n\t\treturn cliutil.UsageError(\"Provided Tunnel token is not valid.\")\n\t} else {\n\t\ttunnelRef := c.Args().First()\n\t\tif tunnelRef == \"\" {\n\t\t\t// see if tunnel id was in the config file\n\t\t\ttunnelRef = config.GetConfiguration().TunnelID\n\t\t\tif tunnelRef == \"\" {\n\t\t\t\treturn cliutil.UsageError(`\"cloudflared tunnel run\" requires the ID or name of the tunnel to run as the last command line argument or in the configuration file.`)\n\t\t\t}\n\t\t}\n\n\t\treturn runNamedTunnel(sc, tunnelRef)\n\t}\n}\n\nfunc ParseToken(tokenStr string) (*connection.TunnelToken, error) {\n\tcontent, err := base64.StdEncoding.DecodeString(tokenStr)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar token connection.TunnelToken\n\tif err := json.Unmarshal(content, &token); err != nil {\n\t\treturn nil, err\n\t}\n\treturn &token, nil\n}\n\nfunc runNamedTunnel(sc *subcommandContext, tunnelRef string) error {\n\ttunnelID, err := sc.findID(tunnelRef)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"error parsing tunnel ID\")\n\t}\n\treturn sc.run(tunnelID)\n}\n\nfunc buildCleanupCommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"cleanup\",\n\t\tAction: cliutil.ConfiguredAction(cleanupCommand),\n\t\tUsage: \"Cleanup tunnel connections\",\n\t\tUsageText: \"cloudflared tunnel [tunnel command options] cleanup [subcommand options] TUNNEL\",\n\t\tDescription: \"Delete connections for tunnels with the given UUIDs or names.\",\n\t\tFlags: []cli.Flag{cleanupClientFlag},\n\t\tCustomHelpTemplate: commandHelpTemplate(),\n\t}\n}\n\nfunc cleanupCommand(c *cli.Context) error {\n\tif c.NArg() < 1 {\n\t\treturn cliutil.UsageError(`\"cloudflared tunnel cleanup\" requires at least 1 argument, the IDs of the tunnels to cleanup connections.`)\n\t}\n\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\ttunnelIDs, err := sc.findIDs(c.Args().Slice())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn sc.cleanupConnections(tunnelIDs)\n}\n\nfunc buildTokenCommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"token\",\n\t\tAction: cliutil.ConfiguredAction(tokenCommand),\n\t\tUsage: \"Fetch the credentials token for an existing tunnel (by name or UUID) that allows to run it\",\n\t\tUsageText: \"cloudflared tunnel [tunnel command options] token [subcommand options] TUNNEL\",\n\t\tDescription: \"cloudflared tunnel token will fetch the credentials token for a given tunnel (by its name or UUID), which is then used to run the tunnel. This command fails if the tunnel does not exist or has been deleted. Use the flag `cloudflared tunnel token --cred-file /my/path/file.json TUNNEL` to output the token to the credentials JSON file. Note: this command only works for Tunnels created since cloudflared version 2022.3.0\",\n\t\tFlags: []cli.Flag{credentialsFileFlagCLIOnly},\n\t\tCustomHelpTemplate: commandHelpTemplate(),\n\t}\n}\n\nfunc tokenCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"error setting up logger\")\n\t}\n\n\twarningChecker := updater.StartWarningCheck(c)\n\tdefer warningChecker.LogWarningIfAny(sc.log)\n\n\tif c.NArg() != 1 {\n\t\treturn cliutil.UsageError(`\"cloudflared tunnel token\" requires exactly 1 argument, the name or UUID of tunnel to fetch the credentials token for.`)\n\t}\n\ttunnelID, err := sc.findID(c.Args().First())\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"error parsing tunnel ID\")\n\t}\n\n\ttoken, err := sc.getTunnelTokenCredentials(tunnelID)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif path := c.String(CredFileFlag); path != \"\" {\n\t\tcredentials := token.Credentials()\n\t\terr := writeTunnelCredentials(path, &credentials)\n\t\tif err != nil {\n\t\t\treturn errors.Wrapf(err, \"error writing token credentials to JSON file in path %s\", path)\n\t\t}\n\n\t\treturn nil\n\t}\n\n\tencodedToken, err := token.Encode()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tfmt.Println(encodedToken)\n\treturn nil\n}\n\nfunc buildRouteCommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"route\",\n\t\tUsage: \"Define which traffic routed from Cloudflare edge to this tunnel: requests to a DNS hostname, to a Cloudflare Load Balancer, or traffic originating from Cloudflare WARP clients\",\n\t\tUsageText: \"cloudflared tunnel [tunnel command options] route [subcommand options] [dns TUNNEL HOSTNAME]|[lb TUNNEL HOSTNAME LB-POOL]|[ip NETWORK TUNNEL]\",\n\t\tDescription: `The route command defines how Cloudflare will proxy requests to this tunnel.\n\nTo route a hostname by creating a DNS CNAME record to a tunnel:\n cloudflared tunnel route dns \nYou can read more at: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns\n\nTo use this tunnel as a load balancer origin, creating pool and load balancer if necessary:\n cloudflared tunnel route lb \nYou can read more at: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb\n\nFor Cloudflare WARP traffic to be routed to your private network, reachable from this tunnel as origins, use:\n cloudflared tunnel route ip \nFurther information about managing Cloudflare WARP traffic to your tunnel is available at:\n cloudflared tunnel route ip --help\n`,\n\t\tCustomHelpTemplate: commandHelpTemplate(),\n\t\tSubcommands: []*cli.Command{\n\t\t\t{\n\t\t\t\tName: \"dns\",\n\t\t\t\tAction: cliutil.ConfiguredAction(routeDnsCommand),\n\t\t\t\tUsage: \"HostnameRoute a hostname by creating a DNS CNAME record to a tunnel\",\n\t\t\t\tUsageText: \"cloudflared tunnel route dns [TUNNEL] [HOSTNAME]\",\n\t\t\t\tDescription: `Creates a DNS CNAME record hostname that points to the tunnel.`,\n\t\t\t\tFlags: []cli.Flag{overwriteDNSFlag},\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"lb\",\n\t\t\t\tAction: cliutil.ConfiguredAction(routeLbCommand),\n\t\t\t\tUsage: \"Use this tunnel as a load balancer origin, creating pool and load balancer if necessary\",\n\t\t\t\tUsageText: \"cloudflared tunnel route lb [TUNNEL] [HOSTNAME] [LB-POOL-NAME]\",\n\t\t\t\tDescription: `Creates Load Balancer with an origin pool that points to the tunnel.`,\n\t\t\t},\n\t\t\tbuildRouteIPSubcommand(),\n\t\t},\n\t}\n}\n\nfunc dnsRouteFromArg(c *cli.Context, overwriteExisting bool) (cfapi.HostnameRoute, error) {\n\tconst (\n\t\tuserHostnameIndex = 1\n\t\texpectedNArgs = 2\n\t)\n\tif c.NArg() != expectedNArgs {\n\t\treturn nil, cliutil.UsageError(\"Expected %d arguments, got %d\", expectedNArgs, c.NArg())\n\t}\n\tuserHostname := c.Args().Get(userHostnameIndex)\n\tif userHostname == \"\" {\n\t\treturn nil, cliutil.UsageError(\"The third argument should be the hostname\")\n\t} else if !validateHostname(userHostname, true) {\n\t\treturn nil, errors.Errorf(\"%s is not a valid hostname\", userHostname)\n\t}\n\treturn cfapi.NewDNSRoute(userHostname, overwriteExisting), nil\n}\n\nfunc lbRouteFromArg(c *cli.Context) (cfapi.HostnameRoute, error) {\n\tconst (\n\t\tlbNameIndex = 1\n\t\tlbPoolIndex = 2\n\t\texpectedNArgs = 3\n\t)\n\tif c.NArg() != expectedNArgs {\n\t\treturn nil, cliutil.UsageError(\"Expected %d arguments, got %d\", expectedNArgs, c.NArg())\n\t}\n\tlbName := c.Args().Get(lbNameIndex)\n\tif lbName == \"\" {\n\t\treturn nil, cliutil.UsageError(\"The third argument should be the load balancer name\")\n\t} else if !validateHostname(lbName, true) {\n\t\treturn nil, errors.Errorf(\"%s is not a valid load balancer name\", lbName)\n\t}\n\n\tlbPool := c.Args().Get(lbPoolIndex)\n\tif lbPool == \"\" {\n\t\treturn nil, cliutil.UsageError(\"The fourth argument should be the pool name\")\n\t} else if !validateName(lbPool, false) {\n\t\treturn nil, errors.Errorf(\"%s is not a valid pool name\", lbPool)\n\t}\n\n\treturn cfapi.NewLBRoute(lbName, lbPool), nil\n}\n\nvar (\n\tnameRegex = regexp.MustCompile(\"^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$\")\n\thostNameRegex = regexp.MustCompile(\"^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$\")\n)\n\nfunc validateName(s string, allowWildcardSubdomain bool) bool {\n\tif allowWildcardSubdomain {\n\t\treturn hostNameRegex.MatchString(s)\n\t}\n\treturn nameRegex.MatchString(s)\n}\n\nfunc validateHostname(s string, allowWildcardSubdomain bool) bool {\n\t// Slightly stricter than PunyCodeProfile\n\tidnaProfile := idna.New(\n\t\tidna.ValidateLabels(true),\n\t\tidna.VerifyDNSLength(true))\n\n\tpuny, err := idnaProfile.ToASCII(s)\n\treturn err == nil && validateName(puny, allowWildcardSubdomain)\n}\n\nfunc routeDnsCommand(c *cli.Context) error {\n\tif c.NArg() != 2 {\n\t\treturn cliutil.UsageError(`This command expects the format \"cloudflared tunnel route dns \"`)\n\t}\n\treturn routeCommand(c, \"dns\")\n}\n\nfunc routeLbCommand(c *cli.Context) error {\n\tif c.NArg() != 3 {\n\t\treturn cliutil.UsageError(`This command expects the format \"cloudflared tunnel route lb \"`)\n\t}\n\treturn routeCommand(c, \"lb\")\n}\n\nfunc routeCommand(c *cli.Context, routeType string) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\ttunnelID, err := sc.findID(c.Args().Get(0))\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar route cfapi.HostnameRoute\n\tswitch routeType {\n\tcase \"dns\":\n\t\troute, err = dnsRouteFromArg(c, c.Bool(overwriteDNSFlagName))\n\tcase \"lb\":\n\t\troute, err = lbRouteFromArg(c)\n\t}\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tres, err := sc.route(tunnelID, route)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tsc.log.Info().Str(LogFieldTunnelID, tunnelID.String()).Msg(res.SuccessSummary())\n\treturn nil\n}\n\nfunc commandHelpTemplate() string {\n\tvar parentFlagsHelp string\n\tfor _, f := range configureCloudflaredFlags(false) {\n\t\tparentFlagsHelp += fmt.Sprintf(\" %s\\n\\t\", f)\n\t}\n\tfor _, f := range cliutil.ConfigureLoggingFlags(false) {\n\t\tparentFlagsHelp += fmt.Sprintf(\" %s\\n\\t\", f)\n\t}\n\tconst template = `NAME:\n\t{{.HelpName}} - {{.Usage}}\n\nUSAGE:\n\t{{.UsageText}}\n\nDESCRIPTION:\n\t{{.Description}}\n\nTUNNEL COMMAND OPTIONS:\n\t%s\nSUBCOMMAND OPTIONS:\n\t{{range .VisibleFlags}}{{.}}\n\t{{end}}\n`\n\treturn fmt.Sprintf(template, parentFlagsHelp)\n}\n\nfunc buildDiagCommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"diag\",\n\t\tAction: cliutil.ConfiguredAction(diagCommand),\n\t\tUsage: \"Creates a diagnostic report from a local cloudflared instance\",\n\t\tUsageText: \"cloudflared tunnel [tunnel command options] diag [subcommand options]\",\n\t\tDescription: \"cloudflared tunnel diag will create a diagnostic report of a local cloudflared instance. The diagnostic procedure collects: logs, metrics, system information, traceroute to Cloudflare Edge, and runtime information. Since there may be multiple instances of cloudflared running the --metrics option may be provided to target a specific instance.\",\n\t\tFlags: []cli.Flag{\n\t\t\tmetricsFlag,\n\t\t\tdiagContainerFlag,\n\t\t\tdiagPodFlag,\n\t\t\tnoDiagLogsFlag,\n\t\t\tnoDiagMetricsFlag,\n\t\t\tnoDiagSystemFlag,\n\t\t\tnoDiagRuntimeFlag,\n\t\t\tnoDiagNetworkFlag,\n\t\t},\n\t\tCustomHelpTemplate: commandHelpTemplate(),\n\t}\n}\n\nfunc diagCommand(ctx *cli.Context) error {\n\tsctx, err := newSubcommandContext(ctx)\n\tif err != nil {\n\t\treturn err\n\t}\n\tlog := sctx.log\n\toptions := diagnostic.Options{\n\t\tKnownAddresses: metrics.GetMetricsKnownAddresses(metrics.Runtime),\n\t\tAddress: sctx.c.String(flags.Metrics),\n\t\tContainerID: sctx.c.String(diagContainerIDFlagName),\n\t\tPodID: sctx.c.String(diagPodFlagName),\n\t\tToggles: diagnostic.Toggles{\n\t\t\tNoDiagLogs: sctx.c.Bool(noDiagLogsFlagName),\n\t\t\tNoDiagMetrics: sctx.c.Bool(noDiagMetricsFlagName),\n\t\t\tNoDiagSystem: sctx.c.Bool(noDiagSystemFlagName),\n\t\t\tNoDiagRuntime: sctx.c.Bool(noDiagRuntimeFlagName),\n\t\t\tNoDiagNetwork: sctx.c.Bool(noDiagNetworkFlagName),\n\t\t},\n\t}\n\n\tif options.Address == \"\" {\n\t\tlog.Info().Msg(\"If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.\")\n\t}\n\n\tstates, err := diagnostic.RunDiagnostic(log, options)\n\n\tif errors.Is(err, diagnostic.ErrMetricsServerNotFound) {\n\t\tlog.Warn().Msg(\"No instances found\")\n\t\treturn nil\n\t}\n\tif errors.Is(err, diagnostic.ErrMultipleMetricsServerFound) {\n\t\tif states != nil {\n\t\t\tlog.Info().Msgf(\"Found multiple instances running:\")\n\t\t\tfor _, state := range states {\n\t\t\t\tlog.Info().Msgf(\"Instance: tunnel-id=%s connector-id=%s metrics-address=%s\", state.TunnelID, state.ConnectorID, state.URL.String())\n\t\t\t}\n\t\t\tlog.Info().Msgf(\"To select one instance use the option --metrics\")\n\t\t}\n\t\treturn nil\n\t}\n\n\tif errors.Is(err, diagnostic.ErrLogConfigurationIsInvalid) {\n\t\tlog.Info().Msg(\"Couldn't extract logs from the instance. If the instance is running in a containerized environment use the option --diag-container-id or --diag-pod-id. If there is no logging configuration use --no-diag-logs.\")\n\t}\n\n\tif err != nil {\n\t\tlog.Warn().Msg(\"Diagnostic completed with one or more errors\")\n\t} else {\n\t\tlog.Info().Msg(\"Diagnostic completed\")\n\t}\n\n\treturn nil\n}\n" }, { "path": "cmd/cloudflared/tunnel/subcommands_test.go", "content": "package tunnel\n\nimport (\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"github.com/google/uuid\"\n\thomedir \"github.com/mitchellh/go-homedir\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n)\n\nfunc Test_fmtConnections(t *testing.T) {\n\ttype args struct {\n\t\tconnections []cfapi.Connection\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant string\n\t}{\n\t\t{\n\t\t\tname: \"empty\",\n\t\t\targs: args{\n\t\t\t\tconnections: []cfapi.Connection{},\n\t\t\t},\n\t\t\twant: \"\",\n\t\t},\n\t\t{\n\t\t\tname: \"trivial\",\n\t\t\targs: args{\n\t\t\t\tconnections: []cfapi.Connection{\n\t\t\t\t\t{\n\t\t\t\t\t\tColoName: \"DFW\",\n\t\t\t\t\t\tID: uuid.MustParse(\"ea550130-57fd-4463-aab1-752822231ddd\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: \"1xDFW\",\n\t\t},\n\t\t{\n\t\t\tname: \"with a pending reconnect\",\n\t\t\targs: args{\n\t\t\t\tconnections: []cfapi.Connection{\n\t\t\t\t\t{\n\t\t\t\t\t\tColoName: \"DFW\",\n\t\t\t\t\t\tID: uuid.MustParse(\"ea550130-57fd-4463-aab1-752822231ddd\"),\n\t\t\t\t\t\tIsPendingReconnect: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: \"\",\n\t\t},\n\t\t{\n\t\t\tname: \"many colos\",\n\t\t\targs: args{\n\t\t\t\tconnections: []cfapi.Connection{\n\t\t\t\t\t{\n\t\t\t\t\t\tColoName: \"YRV\",\n\t\t\t\t\t\tID: uuid.MustParse(\"ea550130-57fd-4463-aab1-752822231ddd\"),\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tColoName: \"DFW\",\n\t\t\t\t\t\tID: uuid.MustParse(\"c13c0b3b-0fbf-453c-8169-a1990fced6d0\"),\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tColoName: \"ATL\",\n\t\t\t\t\t\tID: uuid.MustParse(\"70c90639-e386-4e8d-9a4e-7f046d70e63f\"),\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tColoName: \"DFW\",\n\t\t\t\t\t\tID: uuid.MustParse(\"30ad6251-0305-4635-a670-d3994f474981\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: \"1xATL, 2xDFW, 1xYRV\",\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tif got := fmtConnections(tt.args.connections, false); got != tt.want {\n\t\t\t\tt.Errorf(\"fmtConnections() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestTunnelfilePath(t *testing.T) {\n\ttunnelID, err := uuid.Parse(\"f48d8918-bc23-4647-9d48-082c5b76de65\")\n\tassert.NoError(t, err)\n\toriginCertDir := filepath.Dir(\"~/.cloudflared/cert.pem\")\n\tactual, err := tunnelFilePath(tunnelID, originCertDir)\n\tassert.NoError(t, err)\n\thomeDir, err := homedir.Dir()\n\tassert.NoError(t, err)\n\texpected := filepath.Join(homeDir, \".cloudflared\", tunnelID.String()+\".json\")\n\tassert.Equal(t, expected, actual)\n}\n\nfunc TestValidateName(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\twant bool\n\t}{\n\t\t{name: \"\", want: false},\n\t\t{name: \"-\", want: false},\n\t\t{name: \".\", want: false},\n\t\t{name: \"a b\", want: false},\n\t\t{name: \"a+b\", want: false},\n\t\t{name: \"-ab\", want: false},\n\n\t\t{name: \"ab\", want: true},\n\t\t{name: \"ab-c\", want: true},\n\t\t{name: \"abc.def\", want: true},\n\t\t{name: \"_ab_c.-d-ef\", want: true},\n\t}\n\tfor _, tt := range tests {\n\t\tif got := validateName(tt.name, false); got != tt.want {\n\t\t\tt.Errorf(\"validateName() = %v, want %v\", got, tt.want)\n\t\t}\n\t}\n}\n\nfunc Test_validateHostname(t *testing.T) {\n\ttype args struct {\n\t\ts string\n\t\tallowWildcardSubdomain bool\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant bool\n\t}{\n\t\t{\n\t\t\tname: \"Normal\",\n\t\t\targs: args{\n\t\t\t\ts: \"example.com\",\n\t\t\t\tallowWildcardSubdomain: true,\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"wildcard subdomain for TUN-358\",\n\t\t\targs: args{\n\t\t\t\ts: \"*.ehrig.io\",\n\t\t\t\tallowWildcardSubdomain: true,\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Misplaced wildcard\",\n\t\t\targs: args{\n\t\t\t\ts: \"subdomain.*.ehrig.io\",\n\t\t\t\tallowWildcardSubdomain: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Invalid domain\",\n\t\t\targs: args{\n\t\t\t\ts: \"..\",\n\t\t\t\tallowWildcardSubdomain: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Invalid domain\",\n\t\t\targs: args{\n\t\t\t\ts: \"..\",\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tif got := validateHostname(tt.args.s, tt.args.allowWildcardSubdomain); got != tt.want {\n\t\t\t\tt.Errorf(\"validateHostname() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc Test_TunnelToken(t *testing.T) {\n\ttoken, err := ParseToken(\"aabc\")\n\trequire.Error(t, err)\n\trequire.Nil(t, token)\n\n\texpectedToken := &connection.TunnelToken{\n\t\tAccountTag: \"abc\",\n\t\tTunnelSecret: []byte(\"secret\"),\n\t\tTunnelID: uuid.New(),\n\t}\n\n\ttokenJsonStr, err := json.Marshal(expectedToken)\n\trequire.NoError(t, err)\n\n\ttoken64 := base64.StdEncoding.EncodeToString(tokenJsonStr)\n\n\ttoken, err = ParseToken(token64)\n\trequire.NoError(t, err)\n\trequire.Equal(t, token, expectedToken)\n}\n" }, { "path": "cmd/cloudflared/tunnel/tag.go", "content": "package tunnel\n\nimport (\n\t\"fmt\"\n\t\"regexp\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\n// Restrict key names to characters allowed in an HTTP header name.\n// Restrict key values to printable characters (what is recognised as data in an HTTP header value).\nvar tagRegexp = regexp.MustCompile(\"^([a-zA-Z0-9!#$%&'*+\\\\-.^_`|~]+)=([[:print:]]+)$\")\n\nfunc NewTagFromCLI(compoundTag string) (pogs.Tag, bool) {\n\tmatches := tagRegexp.FindStringSubmatch(compoundTag)\n\tif len(matches) == 0 {\n\t\treturn pogs.Tag{}, false\n\t}\n\treturn pogs.Tag{Name: matches[1], Value: matches[2]}, true\n}\n\nfunc NewTagSliceFromCLI(tags []string) ([]pogs.Tag, error) {\n\tvar tagSlice []pogs.Tag\n\tfor _, compoundTag := range tags {\n\t\tif tag, ok := NewTagFromCLI(compoundTag); ok {\n\t\t\ttagSlice = append(tagSlice, tag)\n\t\t} else {\n\t\t\treturn nil, fmt.Errorf(\"Cannot parse tag value %s\", compoundTag)\n\t\t}\n\t}\n\treturn tagSlice, nil\n}\n" }, { "path": "cmd/cloudflared/tunnel/tag_test.go", "content": "package tunnel\n\nimport (\n\t\"testing\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestSingleTag(t *testing.T) {\n\ttestCases := []struct {\n\t\tInput string\n\t\tOutput pogs.Tag\n\t\tFail bool\n\t}{\n\t\t{Input: \"x=y\", Output: pogs.Tag{Name: \"x\", Value: \"y\"}},\n\t\t{Input: \"More-Complex=Tag Values\", Output: pogs.Tag{Name: \"More-Complex\", Value: \"Tag Values\"}},\n\t\t{Input: \"First=Equals=Wins\", Output: pogs.Tag{Name: \"First\", Value: \"Equals=Wins\"}},\n\t\t{Input: \"x=\", Fail: true},\n\t\t{Input: \"=y\", Fail: true},\n\t\t{Input: \"=\", Fail: true},\n\t\t{Input: \"No spaces allowed=in key names\", Fail: true},\n\t\t{Input: \"omg\\nwtf=bbq\", Fail: true},\n\t}\n\tfor i, testCase := range testCases {\n\t\ttag, ok := NewTagFromCLI(testCase.Input)\n\t\tassert.Equalf(t, !testCase.Fail, ok, \"mismatched success for test case %d\", i)\n\t\tassert.Equalf(t, testCase.Output, tag, \"mismatched output for test case %d\", i)\n\t}\n}\n\nfunc TestTagSlice(t *testing.T) {\n\ttagSlice, err := NewTagSliceFromCLI([]string{\"a=b\", \"c=d\", \"e=f\"})\n\tassert.NoError(t, err)\n\tassert.Len(t, tagSlice, 3)\n\tassert.Equal(t, \"a\", tagSlice[0].Name)\n\tassert.Equal(t, \"b\", tagSlice[0].Value)\n\tassert.Equal(t, \"c\", tagSlice[1].Name)\n\tassert.Equal(t, \"d\", tagSlice[1].Value)\n\tassert.Equal(t, \"e\", tagSlice[2].Name)\n\tassert.Equal(t, \"f\", tagSlice[2].Value)\n\n\ttagSlice, err = NewTagSliceFromCLI([]string{\"a=b\", \"=\", \"e=f\"})\n\tassert.Error(t, err)\n}\n" }, { "path": "cmd/cloudflared/tunnel/teamnet_subcommands.go", "content": "package tunnel\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"text/tabwriter\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/updater\"\n)\n\nvar (\n\tvnetFlag = &cli.StringFlag{\n\t\tName: \"vnet\",\n\t\tAliases: []string{\"vn\"},\n\t\tUsage: \"The ID or name of the virtual network to which the route is associated to.\",\n\t}\n\n\terrAddRoute = errors.New(\"You must supply exactly one argument, the ID or CIDR of the route you want to delete\")\n)\n\nfunc buildRouteIPSubcommand() *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"ip\",\n\t\tUsage: \"Configure and query Cloudflare WARP routing to private IP networks made available through Cloudflare Tunnels.\",\n\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] route COMMAND [arguments...]\",\n\t\tDescription: `cloudflared can provision routes for any IP space in your corporate network. Users enrolled in\nyour Cloudflare for Teams organization can reach those IPs through the Cloudflare WARP\nclient. You can then configure L7/L4 filtering on https://one.dash.cloudflare.com to\ndetermine who can reach certain routes.\nBy default IP routes all exist within a single virtual network. If you use the same IP\nspace(s) in different physical private networks, all meant to be reachable via IP routes,\nthen you have to manage the ambiguous IP routes by associating them to virtual networks.\nSee \"cloudflared tunnel vnet --help\" for more information.`,\n\t\tSubcommands: []*cli.Command{\n\t\t\t{\n\t\t\t\tName: \"add\",\n\t\t\t\tAction: cliutil.ConfiguredAction(addRouteCommand),\n\t\t\t\tUsage: \"Add a new network to the routing table reachable via a Tunnel\",\n\t\t\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] route ip add [flags] [CIDR] [TUNNEL] [COMMENT?]\",\n\t\t\t\tDescription: `Adds a network IP route space (represented as a CIDR) to your routing table.\nThat network IP space becomes reachable for requests egressing from a user's machine\nas long as it is using Cloudflare WARP client and is enrolled in the same account\nthat is running the Tunnel chosen here. Further, those requests will be proxied to\nthe specified Tunnel, and reach an IP in the given CIDR, as long as that IP is\nreachable from cloudflared.\nIf the CIDR exists in more than one private network, to be connected with Cloudflare\nTunnels, then you have to manage those IP routes with virtual networks (see\n\"cloudflared tunnel vnet --help)\". In those cases, you then have to tell\nwhich virtual network's routing table you want to add the route to with:\n\"cloudflared tunnel route ip add --vnet [ID/name] [CIDR] [TUNNEL]\".`,\n\t\t\t\tFlags: []cli.Flag{vnetFlag},\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"show\",\n\t\t\t\tAliases: []string{\"list\"},\n\t\t\t\tAction: cliutil.ConfiguredAction(showRoutesCommand),\n\t\t\t\tUsage: \"Show the routing table\",\n\t\t\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] route ip show [flags]\",\n\t\t\t\tDescription: `Shows your organization private routing table. You can use flags to filter the results.`,\n\t\t\t\tFlags: showRoutesFlags(),\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"delete\",\n\t\t\t\tAction: cliutil.ConfiguredAction(deleteRouteCommand),\n\t\t\t\tUsage: \"Delete a row from your organization's private routing table\",\n\t\t\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] route ip delete [flags] [Route ID or CIDR]\",\n\t\t\t\tDescription: `Deletes the row for the given route ID from your routing table. That portion of your network\nwill no longer be reachable.`,\n\t\t\t\tFlags: []cli.Flag{vnetFlag},\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"get\",\n\t\t\t\tAction: cliutil.ConfiguredAction(getRouteByIPCommand),\n\t\t\t\tUsage: \"Check which row of the routing table matches a given IP.\",\n\t\t\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] route ip get [flags] [IP]\",\n\t\t\t\tDescription: `Checks which row of the routing table will be used to proxy a given IP. This helps check\nand validate your config. Note that if you use virtual networks, then you have\nto tell which virtual network whose routing table you want to use.`,\n\t\t\t\tFlags: []cli.Flag{vnetFlag},\n\t\t\t},\n\t\t},\n\t}\n}\n\nfunc showRoutesFlags() []cli.Flag {\n\tflags := make([]cli.Flag, 0)\n\tflags = append(flags, cfapi.IpRouteFilterFlags...)\n\tflags = append(flags, outputFormatFlag)\n\treturn flags\n}\n\nfunc showRoutesCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tfilter, err := cfapi.NewIpRouteFilterFromCLI(c)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"invalid config for routing filters\")\n\t}\n\n\twarningChecker := updater.StartWarningCheck(c)\n\tdefer warningChecker.LogWarningIfAny(sc.log)\n\n\troutes, err := sc.listRoutes(filter)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif outputFormat := c.String(outputFormatFlag.Name); outputFormat != \"\" {\n\t\treturn renderOutput(outputFormat, routes)\n\t}\n\n\tif len(routes) > 0 {\n\t\tformatAndPrintRouteList(routes)\n\t} else {\n\t\tfmt.Println(\"No routes were found for the given filter flags. You can use 'cloudflared tunnel route ip add' to add a route.\")\n\t}\n\n\treturn nil\n}\n\nfunc addRouteCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif c.NArg() < 2 {\n\t\treturn errors.New(\"You must supply at least 2 arguments, first the network you wish to route (in CIDR form e.g. 1.2.3.4/32) and then the tunnel ID to proxy with\")\n\t}\n\n\targs := c.Args()\n\n\t_, network, err := net.ParseCIDR(args.Get(0))\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Invalid network CIDR\")\n\t}\n\tif network == nil {\n\t\treturn errors.New(\"Invalid network CIDR\")\n\t}\n\n\ttunnelRef := args.Get(1)\n\ttunnelID, err := sc.findID(tunnelRef)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Invalid tunnel\")\n\t}\n\n\tcomment := \"\"\n\tif c.NArg() >= 3 {\n\t\tcomment = args.Get(2)\n\t}\n\n\tvar vnetId *uuid.UUID\n\tif c.IsSet(vnetFlag.Name) {\n\t\tid, err := getVnetId(sc, c.String(vnetFlag.Name))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvnetId = &id\n\t}\n\n\t_, err = sc.addRoute(cfapi.NewRoute{\n\t\tComment: comment,\n\t\tNetwork: *network,\n\t\tTunnelID: tunnelID,\n\t\tVNetID: vnetId,\n\t})\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"API error\")\n\t}\n\tfmt.Printf(\"Successfully added route for %s over tunnel %s\\n\", network, tunnelID)\n\treturn nil\n}\n\nfunc deleteRouteCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif c.NArg() != 1 {\n\t\treturn errAddRoute\n\t}\n\n\tvar routeId uuid.UUID\n\trouteId, err = uuid.Parse(c.Args().First())\n\tif err != nil {\n\t\t_, network, err := net.ParseCIDR(c.Args().First())\n\t\tif err != nil || network == nil {\n\t\t\treturn errAddRoute\n\t\t}\n\n\t\tvar vnetId *uuid.UUID\n\t\tif c.IsSet(vnetFlag.Name) {\n\t\t\tid, err := getVnetId(sc, c.String(vnetFlag.Name))\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tvnetId = &id\n\t\t}\n\n\t\trouteId, err = sc.getRouteId(*network, vnetId)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tif err := sc.deleteRoute(routeId); err != nil {\n\t\treturn errors.Wrap(err, \"API error\")\n\t}\n\tfmt.Printf(\"Successfully deleted route with ID %s\\n\", routeId)\n\treturn nil\n}\n\nfunc getRouteByIPCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif c.NArg() != 1 {\n\t\treturn errors.New(\"You must supply exactly one argument, an IP whose route will be queried (e.g. 1.2.3.4 or 2001:0db8:::7334)\")\n\t}\n\n\tipInput := c.Args().First()\n\tip := net.ParseIP(ipInput)\n\tif ip == nil {\n\t\treturn fmt.Errorf(\"Invalid IP %s\", ipInput)\n\t}\n\n\tparams := cfapi.GetRouteByIpParams{\n\t\tIp: ip,\n\t}\n\n\tif c.IsSet(vnetFlag.Name) {\n\t\tvnetId, err := getVnetId(sc, c.String(vnetFlag.Name))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tparams.VNetID = &vnetId\n\t}\n\n\troute, err := sc.getRouteByIP(params)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"API error\")\n\t}\n\tif route.IsZero() {\n\t\tfmt.Printf(\"No route matches the IP %s\\n\", ip)\n\t} else {\n\t\tformatAndPrintRouteList([]*cfapi.DetailedRoute{&route})\n\t}\n\treturn nil\n}\n\nfunc formatAndPrintRouteList(routes []*cfapi.DetailedRoute) {\n\tconst (\n\t\tminWidth = 0\n\t\ttabWidth = 8\n\t\tpadding = 1\n\t\tpadChar = ' '\n\t\tflags = 0\n\t)\n\n\twriter := tabwriter.NewWriter(os.Stdout, minWidth, tabWidth, padding, padChar, flags)\n\tdefer writer.Flush()\n\n\t// Print column headers with tabbed columns\n\t_, _ = fmt.Fprintln(writer, \"ID\\tNETWORK\\tVIRTUAL NET ID\\tCOMMENT\\tTUNNEL ID\\tTUNNEL NAME\\tCREATED\\tDELETED\\t\")\n\n\t// Loop through routes, create formatted string for each, and print using tabwriter\n\tfor _, route := range routes {\n\t\tformattedStr := route.TableString()\n\t\t_, _ = fmt.Fprintln(writer, formattedStr)\n\t}\n}\n" }, { "path": "cmd/cloudflared/tunnel/vnets_subcommands.go", "content": "package tunnel\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"text/tabwriter\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/updater\"\n)\n\nvar (\n\tmakeDefaultFlag = &cli.BoolFlag{\n\t\tName: \"default\",\n\t\tAliases: []string{\"d\"},\n\t\tUsage: \"The virtual network becomes the default one for the account. This means that all operations that \" +\n\t\t\t\"omit a virtual network will now implicitly be using this virtual network (i.e., the default one) such \" +\n\t\t\t\"as new IP routes that are created. When this flag is not set, the virtual network will not become the \" +\n\t\t\t\"default one in the account.\",\n\t}\n\tnewNameFlag = &cli.StringFlag{\n\t\tName: \"name\",\n\t\tAliases: []string{\"n\"},\n\t\tUsage: \"The new name for the virtual network.\",\n\t}\n\tnewCommentFlag = &cli.StringFlag{\n\t\tName: \"comment\",\n\t\tAliases: []string{\"c\"},\n\t\tUsage: \"A new comment describing the purpose of the virtual network.\",\n\t}\n\tvnetForceDeleteFlag = &cli.BoolFlag{\n\t\tName: \"force\",\n\t\tAliases: []string{\"f\"},\n\t\tUsage: \"Force the deletion of the virtual network even if it is being relied upon by other resources. Those\" +\n\t\t\t\"resources will either be deleted (e.g. IP Routes) or moved to the current default virutal network.\",\n\t}\n)\n\nfunc buildVirtualNetworkSubcommand(hidden bool) *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"vnet\",\n\t\tUsage: \"Configure and query virtual networks to manage private IP routes with overlapping IPs.\",\n\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] network COMMAND [arguments...]\",\n\t\tDescription: `cloudflared allows to manage IP routes that expose origins in your private network space via their IP directly\nto clients outside (e.g. using WARP client) --- those are configurable via \"cloudflared tunnel route ip\" commands.\nBy default, all those IP routes live in the same virtual network. Managing virtual networks (e.g. by creating a\nnew one) becomes relevant when you have different private networks that have overlapping IPs. E.g.: if you have\na private network A running Tunnel 1, and private network B running Tunnel 2, it is possible that both Tunnels\nexpose the same IP space (say 10.0.0.0/8); to handle that, you have to add each IP Route (one that points to\nTunnel 1 and another that points to Tunnel 2) in different Virtual Networks. That way, if your clients are on\nVirtual Network X, they will see Tunnel 1 (via Route A) and not see Tunnel 2 (since its Route B is associated\nto another Virtual Network Y).`,\n\t\tHidden: hidden,\n\t\tSubcommands: []*cli.Command{\n\t\t\t{\n\t\t\t\tName: \"add\",\n\t\t\t\tAction: cliutil.ConfiguredAction(addVirtualNetworkCommand),\n\t\t\t\tUsage: \"Add a new virtual network to which IP routes can be attached\",\n\t\t\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] network add [flags] NAME [\\\"comment\\\"]\",\n\t\t\t\tDescription: `Adds a new virtual network. You can then attach IP routes to this virtual network with \"cloudflared tunnel route ip\"\ncommands. By doing so, such route(s) become segregated from route(s) in another virtual networks. Note that all\nroutes exist within some virtual network. If you do not specify any, then the system pre-creates a default virtual\nnetwork to which all routes belong. That is fine if you do not have overlapping IPs within different physical\nprivate networks in your infrastructure exposed via Cloudflare Tunnel. Note: if a virtual network is added as\nthe new default, then the previous existing default virtual network will be automatically modified to no longer\nbe the current default.`,\n\t\t\t\tFlags: []cli.Flag{makeDefaultFlag},\n\t\t\t\tHidden: hidden,\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"list\",\n\t\t\t\tAction: cliutil.ConfiguredAction(listVirtualNetworksCommand),\n\t\t\t\tUsage: \"Lists the virtual networks\",\n\t\t\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] network list [flags]\",\n\t\t\t\tDescription: \"Lists the virtual networks based on the given filter flags.\",\n\t\t\t\tFlags: listVirtualNetworksFlags(),\n\t\t\t\tHidden: hidden,\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"delete\",\n\t\t\t\tAction: cliutil.ConfiguredAction(deleteVirtualNetworkCommand),\n\t\t\t\tUsage: \"Delete a virtual network\",\n\t\t\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] network delete VIRTUAL_NETWORK\",\n\t\t\t\tDescription: `Deletes the virtual network (given its ID or name). This is only possible if that virtual network is unused. \nA virtual network may be used by IP routes or by WARP devices.`,\n\t\t\t\tFlags: []cli.Flag{vnetForceDeleteFlag},\n\t\t\t\tHidden: hidden,\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"update\",\n\t\t\t\tAction: cliutil.ConfiguredAction(updateVirtualNetworkCommand),\n\t\t\t\tUsage: \"Update a virtual network\",\n\t\t\t\tUsageText: \"cloudflared tunnel [--config FILEPATH] network update [flags] VIRTUAL_NETWORK\",\n\t\t\t\tDescription: `Updates the virtual network (given its ID or name). If this virtual network is updated to become the new\ndefault, then the previously existing default virtual network will also be modified to no longer be the default.\nYou cannot update a virtual network to not be the default anymore directly. Instead, you should create a new\ndefault or update an existing one to become the default.`,\n\t\t\t\tFlags: []cli.Flag{newNameFlag, newCommentFlag, makeDefaultFlag},\n\t\t\t\tHidden: hidden,\n\t\t\t},\n\t\t},\n\t}\n}\n\nfunc listVirtualNetworksFlags() []cli.Flag {\n\tflags := make([]cli.Flag, 0)\n\tflags = append(flags, cfapi.VnetFilterFlags...)\n\tflags = append(flags, outputFormatFlag)\n\treturn flags\n}\n\nfunc addVirtualNetworkCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif c.NArg() < 1 {\n\t\treturn errors.New(\"You must supply at least 1 argument, the name of the virtual network you wish to add.\")\n\t}\n\n\twarningChecker := updater.StartWarningCheck(c)\n\tdefer warningChecker.LogWarningIfAny(sc.log)\n\n\targs := c.Args()\n\n\tname := args.Get(0)\n\n\tcomment := \"\"\n\tif c.NArg() >= 2 {\n\t\tcomment = args.Get(1)\n\t}\n\n\tnewVnet := cfapi.NewVirtualNetwork{\n\t\tName: name,\n\t\tComment: comment,\n\t\tIsDefault: c.Bool(makeDefaultFlag.Name),\n\t}\n\tcreatedVnet, err := sc.addVirtualNetwork(newVnet)\n\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Could not add virtual network\")\n\t}\n\n\textraMsg := \"\"\n\tif createdVnet.IsDefault {\n\t\textraMsg = \" (as the new default for this account) \"\n\t}\n\tfmt.Printf(\n\t\t\"Successfully added virtual 'network' %s with ID: %s%s\\n\"+\n\t\t\t\"You can now add IP routes attached to this virtual network. See `cloudflared tunnel route ip add -help`\\n\",\n\t\tname, createdVnet.ID, extraMsg,\n\t)\n\treturn nil\n}\n\nfunc listVirtualNetworksCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\twarningChecker := updater.StartWarningCheck(c)\n\tdefer warningChecker.LogWarningIfAny(sc.log)\n\n\tfilter, err := cfapi.NewFromCLI(c)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"invalid flags for filtering virtual networks\")\n\t}\n\n\tvnets, err := sc.listVirtualNetworks(filter)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif outputFormat := c.String(outputFormatFlag.Name); outputFormat != \"\" {\n\t\treturn renderOutput(outputFormat, vnets)\n\t}\n\n\tif len(vnets) > 0 {\n\t\tformatAndPrintVnetsList(vnets)\n\t} else {\n\t\tfmt.Println(\"No virtual networks were found for the given filter flags. You can use 'cloudflared tunnel vnet add' to add a virtual network.\")\n\t}\n\n\treturn nil\n}\n\nfunc deleteVirtualNetworkCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif c.NArg() < 1 {\n\t\treturn errors.New(\"You must supply exactly one argument, either the ID or name of the virtual network to delete\")\n\t}\n\n\tinput := c.Args().Get(0)\n\tvnetId, err := getVnetId(sc, input)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tforceDelete := false\n\tif c.IsSet(vnetForceDeleteFlag.Name) {\n\t\tforceDelete = c.Bool(vnetForceDeleteFlag.Name)\n\t}\n\n\tif err := sc.deleteVirtualNetwork(vnetId, forceDelete); err != nil {\n\t\treturn errors.Wrap(err, \"API error\")\n\t}\n\tfmt.Printf(\"Successfully deleted virtual network '%s'\\n\", input)\n\treturn nil\n}\n\nfunc updateVirtualNetworkCommand(c *cli.Context) error {\n\tsc, err := newSubcommandContext(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif c.NArg() != 1 {\n\t\treturn errors.New(\" You must supply exactly one argument, either the ID or (current) name of the virtual network to update\")\n\t}\n\n\tinput := c.Args().Get(0)\n\tvnetId, err := getVnetId(sc, input)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tupdates := cfapi.UpdateVirtualNetwork{}\n\n\tif c.IsSet(newNameFlag.Name) {\n\t\tnewName := c.String(newNameFlag.Name)\n\t\tupdates.Name = &newName\n\t}\n\tif c.IsSet(newCommentFlag.Name) {\n\t\tnewComment := c.String(newCommentFlag.Name)\n\t\tupdates.Comment = &newComment\n\t}\n\tif c.IsSet(makeDefaultFlag.Name) {\n\t\tisDefault := c.Bool(makeDefaultFlag.Name)\n\t\tupdates.IsDefault = &isDefault\n\t}\n\n\tif err := sc.updateVirtualNetwork(vnetId, updates); err != nil {\n\t\treturn errors.Wrap(err, \"API error\")\n\t}\n\tfmt.Printf(\"Successfully updated virtual network '%s'\\n\", input)\n\treturn nil\n}\n\nfunc getVnetId(sc *subcommandContext, input string) (uuid.UUID, error) {\n\tval, err := uuid.Parse(input)\n\tif err == nil {\n\t\treturn val, nil\n\t}\n\n\tfilter := cfapi.NewVnetFilter()\n\tfilter.WithDeleted(false)\n\tfilter.ByName(input)\n\n\tvnets, err := sc.listVirtualNetworks(filter)\n\tif err != nil {\n\t\treturn uuid.Nil, err\n\t}\n\n\tif len(vnets) != 1 {\n\t\treturn uuid.Nil, fmt.Errorf(\"there should only be 1 non-deleted virtual network named %s\", input)\n\t}\n\n\treturn vnets[0].ID, nil\n}\n\nfunc formatAndPrintVnetsList(vnets []*cfapi.VirtualNetwork) {\n\tconst (\n\t\tminWidth = 0\n\t\ttabWidth = 8\n\t\tpadding = 1\n\t\tpadChar = ' '\n\t\tflags = 0\n\t)\n\n\twriter := tabwriter.NewWriter(os.Stdout, minWidth, tabWidth, padding, padChar, flags)\n\tdefer writer.Flush()\n\n\t_, _ = fmt.Fprintln(writer, \"ID\\tNAME\\tIS DEFAULT\\tCOMMENT\\tCREATED\\tDELETED\\t\")\n\n\tfor _, virtualNetwork := range vnets {\n\t\tformattedStr := virtualNetwork.TableString()\n\t\t_, _ = fmt.Fprintln(writer, formattedStr)\n\t}\n}\n" }, { "path": "cmd/cloudflared/updater/check.go", "content": "package updater\n\nimport (\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n)\n\ntype VersionWarningChecker struct {\n\twarningChan chan string\n}\n\nfunc StartWarningCheck(c *cli.Context) VersionWarningChecker {\n\tchecker := VersionWarningChecker{\n\t\twarningChan: make(chan string),\n\t}\n\n\tgo func() {\n\t\toptions := updateOptions{\n\t\t\tupdateDisabled: true,\n\t\t\tisBeta: c.Bool(\"beta\"),\n\t\t\tisStaging: c.Bool(\"staging\"),\n\t\t\tisForced: false,\n\t\t\tintendedVersion: \"\",\n\t\t}\n\t\tcheckResult, err := CheckForUpdate(options)\n\t\tif err == nil {\n\t\t\tchecker.warningChan <- checkResult.UserMessage()\n\t\t}\n\t\tclose(checker.warningChan)\n\t}()\n\n\treturn checker\n}\n\nfunc (checker VersionWarningChecker) getWarning() string {\n\tselect {\n\tcase message := <-checker.warningChan:\n\t\treturn message\n\tdefault:\n\t\t// No feedback on time, we don't wait for it, since this is best-effort.\n\t\treturn \"\"\n\t}\n}\n\nfunc (checker VersionWarningChecker) LogWarningIfAny(log *zerolog.Logger) {\n\tif warning := checker.getWarning(); warning != \"\" {\n\t\tlog.Warn().Msg(warning)\n\t}\n}\n" }, { "path": "cmd/cloudflared/updater/service.go", "content": "package updater\n\n// CheckResult is the behaviour resulting from checking in with the Update Service\ntype CheckResult interface {\n\tApply() error\n\tVersion() string\n\tUserMessage() string\n}\n\n// Service is the functions to get check for new updates\ntype Service interface {\n\tCheck() (CheckResult, error)\n}\n\nconst (\n\t// OSKeyName is the url parameter key to send to the checkin API for the operating system of the local cloudflared (e.g. windows, darwin, linux)\n\tOSKeyName = \"os\"\n\n\t// ArchitectureKeyName is the url parameter key to send to the checkin API for the architecture of the local cloudflared (e.g. amd64, x86)\n\tArchitectureKeyName = \"arch\"\n\n\t// BetaKeyName is the url parameter key to send to the checkin API to signal if the update should be a beta version or not\n\tBetaKeyName = \"beta\"\n\n\t// VersionKeyName is the url parameter key to send to the checkin API to specific what version to upgrade or downgrade to\n\tVersionKeyName = \"version\"\n\n\t// ClientVersionName is the url parameter key to send the version that this cloudflared is currently running with\n\tClientVersionName = \"clientVersion\"\n)\n" }, { "path": "cmd/cloudflared/updater/update.go", "content": "package updater\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/facebookgo/grace/gracenet\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\t\"golang.org/x/term\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n)\n\nconst (\n\tDefaultCheckUpdateFreq = time.Hour * 24\n\tnoUpdateInShellMessage = \"cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/\"\n\tnoUpdateOnWindowsMessage = \"cloudflared will not automatically update on Windows systems.\"\n\tnoUpdateManagedPackageMessage = \"cloudflared will not automatically update if installed by a package manager.\"\n\tisManagedInstallFile = \".installedFromPackageManager\"\n\tUpdateURL = \"https://update.argotunnel.com\"\n\tStagingUpdateURL = \"https://staging-update.argotunnel.com\"\n\n\tLogFieldVersion = \"version\"\n)\n\nvar (\n\tbuildInfo *cliutil.BuildInfo\n\tBuiltForPackageManager = \"\"\n)\n\n// BinaryUpdated implements ExitCoder interface, the app will exit with status code 11\n// https://pkg.go.dev/github.com/urfave/cli/v2?tab=doc#ExitCoder\n// nolint: errname\ntype statusSuccess struct {\n\tnewVersion string\n}\n\nfunc (u *statusSuccess) Error() string {\n\treturn fmt.Sprintf(\"cloudflared has been updated to version %s\", u.newVersion)\n}\n\nfunc (u *statusSuccess) ExitCode() int {\n\treturn 11\n}\n\n// statusError implements ExitCoder interface, the app will exit with status code 10\ntype statusError struct {\n\terr error\n}\n\nfunc (e *statusError) Error() string {\n\treturn fmt.Sprintf(\"failed to update cloudflared: %v\", e.err)\n}\n\nfunc (e *statusError) ExitCode() int {\n\treturn 10\n}\n\ntype updateOptions struct {\n\tupdateDisabled bool\n\tisBeta bool\n\tisStaging bool\n\tisForced bool\n\tintendedVersion string\n}\n\ntype UpdateOutcome struct {\n\tUpdated bool\n\tVersion string\n\tUserMessage string\n\tError error\n}\n\nfunc (uo *UpdateOutcome) noUpdate() bool {\n\treturn uo.Error == nil && !uo.Updated\n}\n\nfunc Init(info *cliutil.BuildInfo) {\n\tbuildInfo = info\n}\n\nfunc CheckForUpdate(options updateOptions) (CheckResult, error) {\n\tcfdPath, err := os.Executable()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\turl := UpdateURL\n\tif options.isStaging {\n\t\turl = StagingUpdateURL\n\t}\n\n\tif runtime.GOOS == \"windows\" {\n\t\tcfdPath = encodeWindowsPath(cfdPath)\n\t}\n\n\ts := NewWorkersService(buildInfo.CloudflaredVersion, url, cfdPath, Options{IsBeta: options.isBeta,\n\t\tIsForced: options.isForced, RequestedVersion: options.intendedVersion})\n\n\treturn s.Check()\n}\n\nfunc encodeWindowsPath(path string) string {\n\t// We do this because Windows allows spaces in directories such as\n\t// Program Files but does not allow these directories to be spaced in batch files.\n\ttargetPath := strings.Replace(path, \"Program Files (x86)\", \"PROGRA~2\", -1)\n\t// This is to do the same in 32 bit systems. We do this second so that the first\n\t// replace is for x86 dirs.\n\ttargetPath = strings.Replace(targetPath, \"Program Files\", \"PROGRA~1\", -1)\n\treturn targetPath\n}\n\nfunc applyUpdate(options updateOptions, update CheckResult) UpdateOutcome {\n\tif update.Version() == \"\" || options.updateDisabled {\n\t\treturn UpdateOutcome{UserMessage: update.UserMessage()}\n\t}\n\n\terr := update.Apply()\n\tif err != nil {\n\t\treturn UpdateOutcome{Error: err}\n\t}\n\n\treturn UpdateOutcome{Updated: true, Version: update.Version(), UserMessage: update.UserMessage()}\n}\n\n// Update is the handler for the update command from the command line\nfunc Update(c *cli.Context) error {\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\n\tif wasInstalledFromPackageManager() {\n\t\tpackageManagerName := \"a package manager\"\n\t\tif BuiltForPackageManager != \"\" {\n\t\t\tpackageManagerName = BuiltForPackageManager\n\t\t}\n\t\tlog.Error().Msg(fmt.Sprintf(\"cloudflared was installed by %s. Please update using the same method.\", packageManagerName))\n\t\treturn nil\n\t}\n\n\tisBeta := c.Bool(\"beta\")\n\tif isBeta {\n\t\tlog.Info().Msg(\"cloudflared is set to update to the latest beta version\")\n\t}\n\n\tisStaging := c.Bool(\"staging\")\n\tif isStaging {\n\t\tlog.Info().Msg(\"cloudflared is set to update from staging\")\n\t}\n\n\tisForced := c.Bool(cfdflags.Force)\n\tif isForced {\n\t\tlog.Info().Msg(\"cloudflared is set to upgrade to the latest publish version regardless of the current version\")\n\t}\n\n\tupdateOutcome := loggedUpdate(log, updateOptions{\n\t\tupdateDisabled: false,\n\t\tisBeta: isBeta,\n\t\tisStaging: isStaging,\n\t\tisForced: isForced,\n\t\tintendedVersion: c.String(\"version\"),\n\t})\n\tif updateOutcome.Error != nil {\n\t\treturn &statusError{updateOutcome.Error}\n\t}\n\n\tif updateOutcome.noUpdate() {\n\t\tlog.Info().Str(LogFieldVersion, updateOutcome.Version).Msg(\"cloudflared is up to date\")\n\t\treturn nil\n\t}\n\n\treturn &statusSuccess{newVersion: updateOutcome.Version}\n}\n\n// Checks for an update and applies it if one is available\nfunc loggedUpdate(log *zerolog.Logger, options updateOptions) UpdateOutcome {\n\tcheckResult, err := CheckForUpdate(options)\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"update check failed\")\n\t\treturn UpdateOutcome{Error: err}\n\t}\n\n\tupdateOutcome := applyUpdate(options, checkResult)\n\tif updateOutcome.Updated {\n\t\tlog.Info().Str(LogFieldVersion, updateOutcome.Version).Msg(\"cloudflared has been updated\")\n\t}\n\tif updateOutcome.Error != nil {\n\t\tlog.Err(updateOutcome.Error).Msg(\"update failed to apply\")\n\t}\n\n\treturn updateOutcome\n}\n\n// AutoUpdater periodically checks for new version of cloudflared.\ntype AutoUpdater struct {\n\tconfigurable *configurable\n\tlisteners *gracenet.Net\n\tlog *zerolog.Logger\n}\n\n// AutoUpdaterConfigurable is the attributes of AutoUpdater that can be reconfigured during runtime\ntype configurable struct {\n\tenabled bool\n\tfreq time.Duration\n}\n\nfunc NewAutoUpdater(updateDisabled bool, freq time.Duration, listeners *gracenet.Net, log *zerolog.Logger) *AutoUpdater {\n\treturn &AutoUpdater{\n\t\tconfigurable: createUpdateConfig(updateDisabled, freq, log),\n\t\tlisteners: listeners,\n\t\tlog: log,\n\t}\n}\n\nfunc createUpdateConfig(updateDisabled bool, freq time.Duration, log *zerolog.Logger) *configurable {\n\tif isAutoupdateEnabled(log, updateDisabled, freq) {\n\t\tlog.Info().Dur(\"autoupdateFreq\", freq).Msg(\"Autoupdate frequency is set\")\n\t\treturn &configurable{\n\t\t\tenabled: true,\n\t\t\tfreq: freq,\n\t\t}\n\t} else {\n\t\treturn &configurable{\n\t\t\tenabled: false,\n\t\t\tfreq: DefaultCheckUpdateFreq,\n\t\t}\n\t}\n}\n\n// Run will perodically check for cloudflared updates, download them, and then restart the current cloudflared process\n// to use the new version. It delays the first update check by the configured frequency as to not attempt a\n// download immediately and restart after starting (in the case that there is an upgrade available).\nfunc (a *AutoUpdater) Run(ctx context.Context) error {\n\tticker := time.NewTicker(a.configurable.freq)\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\treturn ctx.Err()\n\t\tcase <-ticker.C:\n\t\t}\n\t\tupdateOutcome := loggedUpdate(a.log, updateOptions{updateDisabled: !a.configurable.enabled})\n\t\tif updateOutcome.Updated {\n\t\t\tbuildInfo.CloudflaredVersion = updateOutcome.Version\n\t\t\tif IsSysV() {\n\t\t\t\t// SysV doesn't have a mechanism to keep service alive, we have to restart the process\n\t\t\t\ta.log.Info().Msg(\"Restarting service managed by SysV...\")\n\t\t\t\tpid, err := a.listeners.StartProcess()\n\t\t\t\tif err != nil {\n\t\t\t\t\ta.log.Err(err).Msg(\"Unable to restart server automatically\")\n\t\t\t\t\treturn &statusError{err: err}\n\t\t\t\t}\n\t\t\t\t// stop old process after autoupdate. Otherwise we create a new process\n\t\t\t\t// after each update\n\t\t\t\ta.log.Info().Msgf(\"PID of the new process is %d\", pid)\n\t\t\t}\n\t\t\treturn &statusSuccess{newVersion: updateOutcome.Version}\n\t\t} else if updateOutcome.UserMessage != \"\" {\n\t\t\ta.log.Warn().Msg(updateOutcome.UserMessage)\n\t\t}\n\t}\n}\n\nfunc isAutoupdateEnabled(log *zerolog.Logger, updateDisabled bool, updateFreq time.Duration) bool {\n\tif !supportAutoUpdate(log) {\n\t\treturn false\n\t}\n\treturn !updateDisabled && updateFreq != 0\n}\n\nfunc supportAutoUpdate(log *zerolog.Logger) bool {\n\tif runtime.GOOS == \"windows\" {\n\t\tlog.Info().Msg(noUpdateOnWindowsMessage)\n\t\treturn false\n\t}\n\n\tif wasInstalledFromPackageManager() {\n\t\tlog.Info().Msg(noUpdateManagedPackageMessage)\n\t\treturn false\n\t}\n\n\tif isRunningFromTerminal() {\n\t\tlog.Info().Msg(noUpdateInShellMessage)\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc wasInstalledFromPackageManager() bool {\n\tok, _ := config.FileExists(filepath.Join(config.DefaultUnixConfigLocation, isManagedInstallFile))\n\treturn len(BuiltForPackageManager) != 0 || ok\n}\n\nfunc isRunningFromTerminal() bool {\n\treturn term.IsTerminal(int(os.Stdout.Fd()))\n}\n\nfunc IsSysV() bool {\n\tif runtime.GOOS != \"linux\" {\n\t\treturn false\n\t}\n\n\tif _, err := os.Stat(\"/run/systemd/system\"); err == nil {\n\t\treturn false\n\t}\n\treturn true\n}\n" }, { "path": "cmd/cloudflared/updater/update_test.go", "content": "package updater\n\nimport (\n\t\"context\"\n\t\"flag\"\n\t\"testing\"\n\n\t\"github.com/facebookgo/grace/gracenet\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n)\n\nfunc init() {\n\tInit(cliutil.GetBuildInfo(\"TEST\", \"TEST\"))\n}\n\nfunc TestDisabledAutoUpdater(t *testing.T) {\n\tlisteners := &gracenet.Net{}\n\tlog := zerolog.Nop()\n\tautoupdater := NewAutoUpdater(false, 0, listeners, &log)\n\tctx, cancel := context.WithCancel(context.Background())\n\terrC := make(chan error)\n\tgo func() {\n\t\terrC <- autoupdater.Run(ctx)\n\t}()\n\n\tassert.False(t, autoupdater.configurable.enabled)\n\tassert.Equal(t, DefaultCheckUpdateFreq, autoupdater.configurable.freq)\n\n\tcancel()\n\t// Make sure that autoupdater terminates after canceling the context\n\tassert.Equal(t, context.Canceled, <-errC)\n}\n\nfunc TestCheckInWithUpdater(t *testing.T) {\n\tflagSet := flag.NewFlagSet(t.Name(), flag.PanicOnError)\n\tcliCtx := cli.NewContext(cli.NewApp(), flagSet, nil)\n\n\twarningChecker := StartWarningCheck(cliCtx)\n\twarning := warningChecker.getWarning()\n\t// Assuming this runs either on a release or development version, then the Worker will never have anything to tell us.\n\tassert.Empty(t, warning)\n}\n" }, { "path": "cmd/cloudflared/updater/workers_service.go", "content": "package updater\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"runtime\"\n)\n\n// Options are the update options supported by the\ntype Options struct {\n\t// IsBeta is for beta updates to be installed if available\n\tIsBeta bool\n\n\t// IsForced is to forcibly download the latest version regardless of the current version\n\tIsForced bool\n\n\t// RequestedVersion is the specific version to upgrade or downgrade to\n\tRequestedVersion string\n}\n\n// VersionResponse is the JSON response from the Workers API endpoint\ntype VersionResponse struct {\n\tURL string `json:\"url\"`\n\tVersion string `json:\"version\"`\n\tChecksum string `json:\"checksum\"`\n\tIsCompressed bool `json:\"compressed\"`\n\tUserMessage string `json:\"userMessage\"`\n\tShouldUpdate bool `json:\"shouldUpdate\"`\n\tError string `json:\"error\"`\n}\n\n// WorkersService implements Service.\n// It contains everything needed to check in with the WorkersAPI and download and apply the updates\ntype WorkersService struct {\n\tcurrentVersion string\n\turl string\n\ttargetPath string\n\topts Options\n}\n\n// NewWorkersService creates a new updater Service object.\nfunc NewWorkersService(currentVersion, url, targetPath string, opts Options) Service {\n\treturn &WorkersService{\n\t\tcurrentVersion: currentVersion,\n\t\turl: url,\n\t\ttargetPath: targetPath,\n\t\topts: opts,\n\t}\n}\n\n// Check does a check in with the Workers API to get a new version update\nfunc (s *WorkersService) Check() (CheckResult, error) {\n\tclient := &http.Client{\n\t\tTimeout: clientTimeout,\n\t}\n\n\treq, err := http.NewRequest(http.MethodGet, s.url, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tq := req.URL.Query()\n\tq.Add(OSKeyName, runtime.GOOS)\n\tq.Add(ArchitectureKeyName, runtime.GOARCH)\n\tq.Add(ClientVersionName, s.currentVersion)\n\n\tif s.opts.IsBeta {\n\t\tq.Add(BetaKeyName, \"true\")\n\t}\n\n\tif s.opts.RequestedVersion != \"\" {\n\t\tq.Add(VersionKeyName, s.opts.RequestedVersion)\n\t}\n\n\treq.URL.RawQuery = q.Encode()\n\tresp, err := client.Do(req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode != 200 {\n\t\treturn nil, fmt.Errorf(\"unable to check for update: %d\", resp.StatusCode)\n\t}\n\n\tvar v VersionResponse\n\tif err := json.NewDecoder(resp.Body).Decode(&v); err != nil {\n\t\treturn nil, err\n\t}\n\n\tif v.Error != \"\" {\n\t\treturn nil, errors.New(v.Error)\n\t}\n\n\tversionToUpdate := \"\"\n\tif v.ShouldUpdate {\n\t\tversionToUpdate = v.Version\n\t}\n\n\treturn NewWorkersVersion(v.URL, versionToUpdate, v.Checksum, s.targetPath, v.UserMessage, v.IsCompressed), nil\n}\n" }, { "path": "cmd/cloudflared/updater/workers_service_test.go", "content": "//go:build !windows\n\npackage updater\n\nimport (\n\t\"archive/tar\"\n\t\"bytes\"\n\t\"compress/gzip\"\n\t\"crypto/sha256\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"log\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n)\n\nvar testFilePath = filepath.Join(os.TempDir(), \"test\")\n\nfunc respondWithJSON(w http.ResponseWriter, v interface{}, status int) {\n\tdata, _ := json.Marshal(v)\n\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.WriteHeader(status)\n\tw.Write(data)\n}\n\nfunc respondWithData(w http.ResponseWriter, b []byte, status int) {\n\tw.Header().Set(\"Content-Type\", \"application/octet-stream\")\n\tw.WriteHeader(status)\n\tw.Write(b)\n}\n\nconst mostRecentVersion = \"2021.2.5\"\nconst mostRecentBetaVersion = \"2021.3.0\"\nconst knownBuggyVersion = \"2020.12.0\"\nconst expectedUserMsg = \"This message is expected when running a known buggy version\"\n\nfunc updateHandler(w http.ResponseWriter, r *http.Request) {\n\tversion := mostRecentVersion\n\thost := fmt.Sprintf(\"http://%s\", r.Host)\n\turl := host + \"/download\"\n\n\tquery := r.URL.Query()\n\n\tif query.Get(BetaKeyName) == \"true\" {\n\t\tversion = mostRecentBetaVersion\n\t\turl = host + \"/beta\"\n\t}\n\n\trequestedVersion := query.Get(VersionKeyName)\n\tif requestedVersion != \"\" {\n\t\tversion = requestedVersion\n\t\turl = fmt.Sprintf(\"%s?version=%s\", url, requestedVersion)\n\t}\n\n\tif query.Get(ArchitectureKeyName) != runtime.GOARCH || query.Get(OSKeyName) != runtime.GOOS {\n\t\trespondWithJSON(w, VersionResponse{Error: \"unsupported os and architecture\"}, http.StatusBadRequest)\n\t\treturn\n\t}\n\n\th := sha256.New()\n\tfmt.Fprint(h, version)\n\tchecksum := fmt.Sprintf(\"%x\", h.Sum(nil))\n\n\tvar userMessage = \"\"\n\tif query.Get(ClientVersionName) == knownBuggyVersion {\n\t\tuserMessage = expectedUserMsg\n\t}\n\tshouldUpdate := requestedVersion != \"\" || IsNewerVersion(query.Get(ClientVersionName), version)\n\n\tv := VersionResponse{\n\t\tURL: url, Version: version, Checksum: checksum, UserMessage: userMessage, ShouldUpdate: shouldUpdate,\n\t}\n\trespondWithJSON(w, v, http.StatusOK)\n}\n\nfunc gzipUpdateHandler(w http.ResponseWriter, r *http.Request) {\n\tlog.Println(\"got a request!\")\n\tversion := \"2020.09.02\"\n\th := sha256.New()\n\tfmt.Fprint(h, version)\n\tchecksum := fmt.Sprintf(\"%x\", h.Sum(nil))\n\n\turl := fmt.Sprintf(\"http://%s/gzip-download.tgz\", r.Host)\n\tv := VersionResponse{URL: url, Version: version, Checksum: checksum, ShouldUpdate: true}\n\trespondWithJSON(w, v, http.StatusOK)\n}\n\nfunc compressedDownloadHandler(w http.ResponseWriter, r *http.Request) {\n\tversion := \"2020.09.02\"\n\tbuf := new(bytes.Buffer)\n\n\tgw := gzip.NewWriter(buf)\n\ttw := tar.NewWriter(gw)\n\n\theader := &tar.Header{\n\t\tSize: int64(len(version)),\n\t\tName: \"download\",\n\t}\n\ttw.WriteHeader(header)\n\ttw.Write([]byte(version))\n\n\ttw.Close()\n\tgw.Close()\n\n\trespondWithData(w, buf.Bytes(), http.StatusOK)\n}\n\nfunc downloadHandler(w http.ResponseWriter, r *http.Request) {\n\tversion := mostRecentVersion\n\trequestedVersion := r.URL.Query().Get(VersionKeyName)\n\tif requestedVersion != \"\" {\n\t\tversion = requestedVersion\n\t}\n\trespondWithData(w, []byte(version), http.StatusOK)\n}\n\nfunc betaHandler(w http.ResponseWriter, r *http.Request) {\n\trespondWithData(w, []byte(mostRecentBetaVersion), http.StatusOK)\n}\n\nfunc failureHandler(w http.ResponseWriter, r *http.Request) {\n\trespondWithJSON(w, VersionResponse{Error: \"unsupported os and architecture\"}, http.StatusBadRequest)\n}\n\nfunc IsNewerVersion(current string, check string) bool {\n\tif current == \"\" || check == \"\" {\n\t\treturn false\n\t}\n\tif strings.Contains(strings.ToLower(current), \"dev\") {\n\t\treturn false // dev builds shouldn't update\n\t}\n\n\tcMajor, cMinor, cPatch, err := SemanticParts(current)\n\tif err != nil {\n\t\treturn false\n\t}\n\n\tnMajor, nMinor, nPatch, err := SemanticParts(check)\n\tif err != nil {\n\t\treturn false\n\t}\n\n\tif nMajor > cMajor {\n\t\treturn true\n\t}\n\n\tif nMajor == cMajor && nMinor > cMinor {\n\t\treturn true\n\t}\n\n\tif nMajor == cMajor && nMinor == cMinor && nPatch > cPatch {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc SemanticParts(version string) (major int, minor int, patch int, err error) {\n\tmajor = 0\n\tminor = 0\n\tpatch = 0\n\tparts := strings.Split(version, \".\")\n\tif len(parts) != 3 {\n\t\terr = errors.New(\"invalid version\")\n\t\treturn\n\t}\n\tmajor, err = strconv.Atoi(parts[0])\n\tif err != nil {\n\t\treturn\n\t}\n\n\tminor, err = strconv.Atoi(parts[1])\n\tif err != nil {\n\t\treturn\n\t}\n\n\tpatch, err = strconv.Atoi(parts[2])\n\tif err != nil {\n\t\treturn\n\t}\n\treturn\n}\n\nfunc createServer() *httptest.Server {\n\tmux := http.NewServeMux()\n\tmux.HandleFunc(\"/updater\", updateHandler)\n\tmux.HandleFunc(\"/download\", downloadHandler)\n\tmux.HandleFunc(\"/beta\", betaHandler)\n\tmux.HandleFunc(\"/fail\", failureHandler)\n\tmux.HandleFunc(\"/compressed\", gzipUpdateHandler)\n\tmux.HandleFunc(\"/gzip-download.tgz\", compressedDownloadHandler)\n\treturn httptest.NewServer(mux)\n}\n\nfunc createTestFile(t *testing.T, path string) {\n\tf, err := os.Create(path)\n\trequire.NoError(t, err)\n\tfmt.Fprint(f, \"2020.08.04\")\n\tf.Close()\n}\n\nfunc TestUpdateService(t *testing.T) {\n\tts := createServer()\n\tdefer ts.Close()\n\n\tcreateTestFile(t, testFilePath)\n\tdefer os.Remove(testFilePath)\n\tlog.Println(\"server url: \", ts.URL)\n\n\ts := NewWorkersService(\"2020.8.2\", fmt.Sprintf(\"%s/updater\", ts.URL), testFilePath, Options{})\n\tv, err := s.Check()\n\trequire.NoError(t, err)\n\trequire.Equal(t, v.Version(), mostRecentVersion)\n\n\trequire.NoError(t, v.Apply())\n\tdat, err := os.ReadFile(testFilePath)\n\trequire.NoError(t, err)\n\n\trequire.Equal(t, string(dat), mostRecentVersion)\n}\n\nfunc TestBetaUpdateService(t *testing.T) {\n\tts := createServer()\n\tdefer ts.Close()\n\n\tcreateTestFile(t, testFilePath)\n\tdefer os.Remove(testFilePath)\n\n\ts := NewWorkersService(\"2020.8.2\", fmt.Sprintf(\"%s/updater\", ts.URL), testFilePath, Options{IsBeta: true})\n\tv, err := s.Check()\n\trequire.NoError(t, err)\n\trequire.Equal(t, v.Version(), mostRecentBetaVersion)\n\n\trequire.NoError(t, v.Apply())\n\tdat, err := os.ReadFile(testFilePath)\n\trequire.NoError(t, err)\n\n\trequire.Equal(t, string(dat), mostRecentBetaVersion)\n}\n\nfunc TestFailUpdateService(t *testing.T) {\n\tts := createServer()\n\tdefer ts.Close()\n\n\tcreateTestFile(t, testFilePath)\n\tdefer os.Remove(testFilePath)\n\n\ts := NewWorkersService(\"2020.8.2\", fmt.Sprintf(\"%s/fail\", ts.URL), testFilePath, Options{})\n\tv, err := s.Check()\n\trequire.Error(t, err)\n\trequire.Nil(t, v)\n}\n\nfunc TestNoUpdateService(t *testing.T) {\n\tts := createServer()\n\tdefer ts.Close()\n\n\tcreateTestFile(t, testFilePath)\n\tdefer os.Remove(testFilePath)\n\n\ts := NewWorkersService(mostRecentVersion, fmt.Sprintf(\"%s/updater\", ts.URL), testFilePath, Options{})\n\tv, err := s.Check()\n\trequire.NoError(t, err)\n\trequire.NotNil(t, v)\n\trequire.Empty(t, v.Version())\n}\n\nfunc TestForcedUpdateService(t *testing.T) {\n\tts := createServer()\n\tdefer ts.Close()\n\n\tcreateTestFile(t, testFilePath)\n\tdefer os.Remove(testFilePath)\n\n\ts := NewWorkersService(\"2020.8.5\", fmt.Sprintf(\"%s/updater\", ts.URL), testFilePath, Options{IsForced: true})\n\tv, err := s.Check()\n\trequire.NoError(t, err)\n\trequire.Equal(t, v.Version(), mostRecentVersion)\n\n\trequire.NoError(t, v.Apply())\n\tdat, err := os.ReadFile(testFilePath)\n\trequire.NoError(t, err)\n\n\trequire.Equal(t, string(dat), mostRecentVersion)\n}\n\nfunc TestUpdateSpecificVersionService(t *testing.T) {\n\tts := createServer()\n\tdefer ts.Close()\n\n\tcreateTestFile(t, testFilePath)\n\tdefer os.Remove(testFilePath)\n\treqVersion := \"2020.9.1\"\n\n\ts := NewWorkersService(\"2020.8.2\", fmt.Sprintf(\"%s/updater\", ts.URL), testFilePath, Options{RequestedVersion: reqVersion})\n\tv, err := s.Check()\n\trequire.NoError(t, err)\n\trequire.Equal(t, reqVersion, v.Version())\n\n\trequire.NoError(t, v.Apply())\n\tdat, err := os.ReadFile(testFilePath)\n\trequire.NoError(t, err)\n\n\trequire.Equal(t, reqVersion, string(dat))\n}\n\nfunc TestCompressedUpdateService(t *testing.T) {\n\tts := createServer()\n\tdefer ts.Close()\n\n\tcreateTestFile(t, testFilePath)\n\tdefer os.Remove(testFilePath)\n\n\ts := NewWorkersService(\"2020.8.2\", fmt.Sprintf(\"%s/compressed\", ts.URL), testFilePath, Options{})\n\tv, err := s.Check()\n\trequire.NoError(t, err)\n\trequire.Equal(t, \"2020.09.02\", v.Version())\n\n\trequire.NoError(t, v.Apply())\n\tdat, err := os.ReadFile(testFilePath)\n\trequire.NoError(t, err)\n\n\trequire.Equal(t, \"2020.09.02\", string(dat))\n}\n\nfunc TestUpdateWhenRunningKnownBuggyVersion(t *testing.T) {\n\tts := createServer()\n\tdefer ts.Close()\n\n\tcreateTestFile(t, testFilePath)\n\tdefer os.Remove(testFilePath)\n\n\ts := NewWorkersService(knownBuggyVersion, fmt.Sprintf(\"%s/updater\", ts.URL), testFilePath, Options{})\n\tv, err := s.Check()\n\trequire.NoError(t, err)\n\trequire.Equal(t, v.Version(), mostRecentVersion)\n\trequire.Equal(t, v.UserMessage(), expectedUserMsg)\n}\n" }, { "path": "cmd/cloudflared/updater/workers_update.go", "content": "package updater\n\nimport (\n\t\"archive/tar\"\n\t\"compress/gzip\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"text/template\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n)\n\nconst (\n\tclientTimeout = time.Second * 60\n\t// stop the service\n\t// rename cloudflared.exe to cloudflared.exe.old\n\t// rename cloudflared.exe.new to cloudflared.exe\n\t// delete cloudflared.exe.old\n\t// start the service\n\t// exit with code 0 if we've reached this point indicating success.\n\twindowsUpdateCommandTemplate = `sc stop cloudflared >nul 2>&1\ndel \"{{.OldPath}}\"\nrename \"{{.TargetPath}}\" {{.OldName}}\nrename \"{{.NewPath}}\" {{.BinaryName}}\nsc start cloudflared >nul 2>&1\nexit /b 0`\n\tbatchFileName = \"cfd_update.bat\"\n)\n\n// Prepare some data to insert into the template.\ntype batchData struct {\n\tTargetPath string\n\tOldName string\n\tNewPath string\n\tOldPath string\n\tBinaryName string\n\tBatchName string\n}\n\n// WorkersVersion implements the Version interface.\n// It contains everything needed to perform a version upgrade\ntype WorkersVersion struct {\n\tdownloadURL string\n\tchecksum string\n\tversion string\n\ttargetPath string\n\tisCompressed bool\n\tuserMessage string\n}\n\n// NewWorkersVersion creates a new Version object. This is normally created by a WorkersService JSON checkin response\n// url is where to download the file\n// version is the version of this update\n// checksum is the expected checksum of the downloaded file\n// target path is where the file should be replace. Normally this the running cloudflared's path\n// userMessage is a possible message to convey back to the user after having checked in with the Updater Service\n// isCompressed tells whether the asset to update cloudflared is compressed or not\nfunc NewWorkersVersion(url, version, checksum, targetPath, userMessage string, isCompressed bool) CheckResult {\n\treturn &WorkersVersion{\n\t\tdownloadURL: url,\n\t\tversion: version,\n\t\tchecksum: checksum,\n\t\ttargetPath: targetPath,\n\t\tisCompressed: isCompressed,\n\t\tuserMessage: userMessage,\n\t}\n}\n\n// Apply does the actual verification and update logic.\n// This includes signature and checksum validation,\n// replacing the binary, etc\nfunc (v *WorkersVersion) Apply() error {\n\tnewFilePath := fmt.Sprintf(\"%s.new\", v.targetPath)\n\tos.Remove(newFilePath) //remove any failed updates before download\n\n\t// download the file\n\tif err := download(v.downloadURL, newFilePath, v.isCompressed); err != nil {\n\t\treturn err\n\t}\n\n\tdownloadSum, err := cliutil.FileChecksum(newFilePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Check that the file downloaded matches what is expected.\n\tif v.checksum != downloadSum {\n\t\treturn errors.New(\"checksum validation failed\")\n\t}\n\n\t// Check if the currently running version has the same checksum\n\tif downloadSum == buildInfo.Checksum {\n\t\t// Currently running binary matches the downloaded binary so we have no reason to update. This is\n\t\t// typically unexpected, as such we emit a sentry event.\n\t\tlocalHub := sentry.CurrentHub().Clone()\n\t\terr := errors.New(\"checksum validation matches currently running process\")\n\t\tlocalHub.CaptureException(err)\n\t\t// Make sure to cleanup the new downloaded file since we aren't upgrading versions.\n\t\tos.Remove(newFilePath)\n\t\treturn err\n\t}\n\n\toldFilePath := fmt.Sprintf(\"%s.old\", v.targetPath)\n\t// Windows requires more effort to self update, especially when it is running as a service:\n\t// you have to stop the service (if running as one) in order to move/rename the binary\n\t// but now the binary isn't running though, so an external process\n\t// has to move the old binary out and the new one in then start the service\n\t// the easiest way to do this is with a batch file (or with a DLL, but that gets ugly for a cross compiled binary like cloudflared)\n\t// a batch file isn't ideal, but it is the simplest path forward for the constraints Windows creates\n\tif runtime.GOOS == \"windows\" {\n\t\tif err := writeBatchFile(v.targetPath, newFilePath, oldFilePath); err != nil {\n\t\t\treturn err\n\t\t}\n\t\trootDir := filepath.Dir(v.targetPath)\n\t\tbatchPath := filepath.Join(rootDir, batchFileName)\n\t\treturn runWindowsBatch(batchPath)\n\t}\n\n\t// now move the current file out, move the new file in and delete the old file\n\tif err := os.Rename(v.targetPath, oldFilePath); err != nil {\n\t\treturn err\n\t}\n\n\tif err := os.Rename(newFilePath, v.targetPath); err != nil {\n\t\t//attempt rollback\n\t\t_ = os.Rename(oldFilePath, v.targetPath)\n\t\treturn err\n\t}\n\tos.Remove(oldFilePath)\n\n\treturn nil\n}\n\n// String returns the version number of this update/release (e.g. 2020.08.05)\nfunc (v *WorkersVersion) Version() string {\n\treturn v.version\n}\n\n// String returns a possible message to convey back to user after having checked in with the Updater Service. E.g.\n// it can warn about the need to update the version currently running.\nfunc (v *WorkersVersion) UserMessage() string {\n\treturn v.userMessage\n}\n\n// download the file from the link in the json\nfunc download(url, filepath string, isCompressed bool) error {\n\tclient := &http.Client{\n\t\tTimeout: clientTimeout,\n\t}\n\tresp, err := client.Get(url)\n\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\tvar r io.Reader\n\tr = resp.Body\n\n\t// compressed macos binary, need to decompress\n\tif isCompressed || isCompressedFile(url) {\n\t\t// first the gzip reader\n\t\tgr, err := gzip.NewReader(resp.Body)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdefer gr.Close()\n\n\t\t// now the tar\n\t\ttr := tar.NewReader(gr)\n\n\t\t// advance the reader pass the header, which will be the single binary file\n\t\t_, _ = tr.Next()\n\n\t\tr = tr\n\t}\n\n\tout, err := os.OpenFile(filepath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0755)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer out.Close()\n\n\t_, err = io.Copy(out, r)\n\treturn err\n}\n\n// isCompressedFile is a really simple file extension check to see if this is a macos tar and gzipped\nfunc isCompressedFile(urlstring string) bool {\n\tif path.Ext(urlstring) == \".tgz\" {\n\t\treturn true\n\t}\n\n\tu, err := url.Parse(urlstring)\n\tif err != nil {\n\t\treturn false\n\t}\n\treturn path.Ext(u.Path) == \".tgz\"\n}\n\n// writeBatchFile writes a batch file out to disk\n// see the dicussion on why it has to be done this way\nfunc writeBatchFile(targetPath string, newPath string, oldPath string) error {\n\tbatchFilePath := filepath.Join(filepath.Dir(targetPath), batchFileName)\n\tos.Remove(batchFilePath) //remove any failed updates before download\n\tf, err := os.Create(batchFilePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\tcfdName := filepath.Base(targetPath)\n\toldName := filepath.Base(oldPath)\n\n\tdata := batchData{\n\t\tTargetPath: targetPath,\n\t\tOldName: oldName,\n\t\tNewPath: newPath,\n\t\tOldPath: oldPath,\n\t\tBinaryName: cfdName,\n\t\tBatchName: batchFileName,\n\t}\n\n\tt, err := template.New(\"batch\").Parse(windowsUpdateCommandTemplate)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn t.Execute(f, data)\n}\n\n// run each OS command for windows\nfunc runWindowsBatch(batchFile string) error {\n\tdefer os.Remove(batchFile)\n\tcmd := exec.Command(\"cmd\", \"/C\", batchFile)\n\t_, err := cmd.Output()\n\t// Remove the batch file we created. Don't let this interfere with the error\n\t// we report.\n\tif err != nil {\n\t\tif exitError, ok := err.(*exec.ExitError); ok {\n\t\t\treturn fmt.Errorf(\"Error during update : %s;\", string(exitError.Stderr))\n\t\t}\n\t}\n\treturn err\n}\n" }, { "path": "cmd/cloudflared/windows_service.go", "content": "//go:build windows\n\npackage main\n\n// Copypasta from the example files:\n// https://github.com/golang/sys/blob/master/windows/svc/example\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"syscall\"\n\t\"time\"\n\t\"unsafe\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/urfave/cli/v2\"\n\t\"golang.org/x/sys/windows\"\n\t\"golang.org/x/sys/windows/svc\"\n\t\"golang.org/x/sys/windows/svc/eventlog\"\n\t\"golang.org/x/sys/windows/svc/mgr\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil\"\n\t\"github.com/cloudflare/cloudflared/logger\"\n)\n\nconst (\n\twindowsServiceName = \"Cloudflared\"\n\twindowsServiceDescription = \"Cloudflared agent\"\n\twindowsServiceUrl = \"https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/windows/\"\n\n\trecoverActionDelay = time.Second * 20\n\tfailureCountResetPeriod = time.Hour * 24\n\n\t// not defined in golang.org/x/sys/windows package\n\t// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681988(v=vs.85).aspx\n\tserviceConfigFailureActionsFlag = 4\n\n\t// ERROR_FAILED_SERVICE_CONTROLLER_CONNECT\n\t// https://docs.microsoft.com/en-us/windows/desktop/debug/system-error-codes--1000-1299-\n\tserviceControllerConnectionFailure = 1063\n\n\tLogFieldWindowsServiceName = \"windowsServiceName\"\n)\n\nfunc runApp(app *cli.App, graceShutdownC chan struct{}) {\n\tapp.Commands = append(app.Commands, &cli.Command{\n\t\tName: \"service\",\n\t\tUsage: \"Manages the cloudflared Windows service\",\n\t\tSubcommands: []*cli.Command{\n\t\t\t{\n\t\t\t\tName: \"install\",\n\t\t\t\tUsage: \"Install cloudflared as a Windows service\",\n\t\t\t\tAction: cliutil.ConfiguredAction(installWindowsService),\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"uninstall\",\n\t\t\t\tUsage: \"Uninstall the cloudflared service\",\n\t\t\t\tAction: cliutil.ConfiguredAction(uninstallWindowsService),\n\t\t\t},\n\t\t},\n\t})\n\n\t// `IsAnInteractiveSession()` isn't exactly equivalent to \"should the\n\t// process run as a normal EXE?\" There are legitimate non-service cases,\n\t// like running cloudflared in a GCP startup script, for which\n\t// `IsAnInteractiveSession()` returns false. For more context, see:\n\t// https://github.com/judwhite/go-svc/issues/6\n\t// It seems that the \"correct way\" to check \"is this a normal EXE?\" is:\n\t// 1. attempt to connect to the Service Control Manager\n\t// 2. get ERROR_FAILED_SERVICE_CONTROLLER_CONNECT\n\t// This involves actually trying to start the service.\n\n\tlog := logger.Create(nil)\n\n\tisIntSess, err := svc.IsAnInteractiveSession()\n\tif err != nil {\n\t\tlog.Fatal().Err(err).Msg(\"failed to determine if we are running in an interactive session\")\n\t}\n\tif isIntSess {\n\t\tapp.Run(os.Args)\n\t\treturn\n\t}\n\n\t// Run executes service name by calling windowsService which is a Handler\n\t// interface that implements Execute method.\n\t// It will set service status to stop after Execute returns\n\terr = svc.Run(windowsServiceName, &windowsService{app: app, graceShutdownC: graceShutdownC})\n\tif err != nil {\n\t\tif errno, ok := err.(syscall.Errno); ok && int(errno) == serviceControllerConnectionFailure {\n\t\t\t// Hack: assume this is a false negative from the IsAnInteractiveSession() check above.\n\t\t\t// Run the app in \"interactive\" mode anyway.\n\t\t\tapp.Run(os.Args)\n\t\t\treturn\n\t\t}\n\t\tlog.Fatal().Err(err).Msgf(\"%s service failed\", windowsServiceName)\n\t}\n}\n\ntype windowsService struct {\n\tapp *cli.App\n\tgraceShutdownC chan struct{}\n}\n\n// Execute is called by the service manager when service starts, the state\n// of the service will be set to Stopped when this function returns.\nfunc (s *windowsService) Execute(serviceArgs []string, r <-chan svc.ChangeRequest, statusChan chan<- svc.Status) (ssec bool, errno uint32) {\n\tlog := logger.Create(nil)\n\telog, err := eventlog.Open(windowsServiceName)\n\tif err != nil {\n\t\tlog.Err(err).Msgf(\"Cannot open event log for %s\", windowsServiceName)\n\t\treturn\n\t}\n\tdefer elog.Close()\n\n\telog.Info(1, fmt.Sprintf(\"%s service starting\", windowsServiceName))\n\tdefer func() {\n\t\telog.Info(1, fmt.Sprintf(\"%s service stopped\", windowsServiceName))\n\t}()\n\n\t// the arguments passed here are only meaningful if they were manually\n\t// specified by the user, e.g. using the Services console or `sc start`.\n\t// https://docs.microsoft.com/en-us/windows/desktop/services/service-entry-point\n\t// https://stackoverflow.com/a/6235139\n\tvar args []string\n\tif len(serviceArgs) > 1 {\n\t\targs = serviceArgs\n\t} else {\n\t\t// fall back to the arguments from ImagePath (or, as sc calls it, binPath)\n\t\targs = os.Args\n\t}\n\telog.Info(1, fmt.Sprintf(\"%s service arguments: %v\", windowsServiceName, args))\n\n\tstatusChan <- svc.Status{State: svc.StartPending}\n\terrC := make(chan error)\n\tgo func() {\n\t\terrC <- s.app.Run(args)\n\t}()\n\tstatusChan <- svc.Status{State: svc.Running, Accepts: svc.AcceptStop | svc.AcceptShutdown}\n\n\tfor {\n\t\tselect {\n\t\tcase c := <-r:\n\t\t\tswitch c.Cmd {\n\t\t\tcase svc.Interrogate:\n\t\t\t\tstatusChan <- c.CurrentStatus\n\t\t\tcase svc.Stop, svc.Shutdown:\n\t\t\t\tif s.graceShutdownC != nil {\n\t\t\t\t\t// start graceful shutdown\n\t\t\t\t\telog.Info(1, \"cloudflared starting graceful shutdown\")\n\t\t\t\t\tclose(s.graceShutdownC)\n\t\t\t\t\ts.graceShutdownC = nil\n\t\t\t\t\tstatusChan <- svc.Status{State: svc.StopPending}\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\t// repeated attempts at graceful shutdown forces immediate stop\n\t\t\t\telog.Info(1, \"cloudflared terminating immediately\")\n\t\t\t\tstatusChan <- svc.Status{State: svc.StopPending}\n\t\t\t\treturn false, 0\n\t\t\tdefault:\n\t\t\t\telog.Error(1, fmt.Sprintf(\"unexpected control request #%d\", c))\n\t\t\t}\n\t\tcase err := <-errC:\n\t\t\tif err != nil {\n\t\t\t\telog.Error(1, fmt.Sprintf(\"cloudflared terminated with error %v\", err))\n\t\t\t\tssec = true\n\t\t\t\terrno = 1\n\t\t\t} else {\n\t\t\t\telog.Info(1, \"cloudflared terminated without error\")\n\t\t\t\terrno = 0\n\t\t\t}\n\t\t\treturn\n\t\t}\n\t}\n}\n\nfunc installWindowsService(c *cli.Context) error {\n\tzeroLogger := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)\n\n\tzeroLogger.Info().Msg(\"Installing cloudflared Windows service\")\n\texepath, err := os.Executable()\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Cannot find path name that start the process\")\n\t}\n\tm, err := mgr.Connect()\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Cannot establish a connection to the service control manager\")\n\t}\n\tdefer m.Disconnect()\n\ts, err := m.OpenService(windowsServiceName)\n\tlog := zeroLogger.With().Str(LogFieldWindowsServiceName, windowsServiceName).Logger()\n\tif err == nil {\n\t\ts.Close()\n\t\treturn errors.New(serviceAlreadyExistsWarn(windowsServiceName))\n\t}\n\textraArgs, err := getServiceExtraArgsFromCliArgs(c, &log)\n\tif err != nil {\n\t\terrMsg := \"Unable to determine extra arguments for windows service\"\n\t\tlog.Err(err).Msg(errMsg)\n\t\treturn errors.Wrap(err, errMsg)\n\t}\n\n\tconfig := mgr.Config{StartType: mgr.StartAutomatic, DisplayName: windowsServiceDescription}\n\ts, err = m.CreateService(windowsServiceName, exepath, config, extraArgs...)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Cannot install service\")\n\t}\n\tdefer s.Close()\n\tlog.Info().Msg(\"cloudflared agent service is installed\")\n\terr = eventlog.InstallAsEventCreate(windowsServiceName, eventlog.Error|eventlog.Warning|eventlog.Info)\n\tif err != nil {\n\t\ts.Delete()\n\t\treturn errors.Wrap(err, \"Cannot install event logger\")\n\t}\n\n\terr = configRecoveryOption(s.Handle)\n\tif err != nil {\n\t\tlog.Err(err).Msg(\"Cannot set service recovery actions\")\n\t\tlog.Info().Msgf(\"See %s to manually configure service recovery actions\", windowsServiceUrl)\n\t}\n\n\terr = s.Start()\n\tif err == nil {\n\t\tlog.Info().Msg(\"Agent service for cloudflared installed successfully\")\n\t}\n\treturn err\n}\n\nfunc uninstallWindowsService(c *cli.Context) error {\n\tlog := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog).\n\t\tWith().\n\t\tStr(LogFieldWindowsServiceName, windowsServiceName).Logger()\n\n\tlog.Info().Msg(\"Uninstalling cloudflared agent service\")\n\tm, err := mgr.Connect()\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Cannot establish a connection to the service control manager\")\n\t}\n\tdefer m.Disconnect()\n\ts, err := m.OpenService(windowsServiceName)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"agent service %s is not installed, so it could not be uninstalled\", windowsServiceName)\n\t}\n\tdefer s.Close()\n\n\tif status, err := s.Query(); err == nil && status.State == svc.Running {\n\t\tlog.Info().Msg(\"Stopping cloudflared agent service\")\n\t\tif _, err := s.Control(svc.Stop); err != nil {\n\t\t\tlog.Info().Err(err).Msg(\"Failed to stop cloudflared agent service, you may need to stop it manually to complete uninstall.\")\n\t\t}\n\t}\n\n\terr = s.Delete()\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Cannot delete agent service\")\n\t}\n\tlog.Info().Msg(\"Agent service for cloudflared was uninstalled successfully\")\n\terr = eventlog.Remove(windowsServiceName)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Cannot remove event logger\")\n\t}\n\treturn nil\n}\n\n// defined in https://msdn.microsoft.com/en-us/library/windows/desktop/ms685126(v=vs.85).aspx\ntype scAction int\n\n// https://msdn.microsoft.com/en-us/library/windows/desktop/ms685126(v=vs.85).aspx\nconst (\n\tscActionNone scAction = iota\n\tscActionRestart\n\tscActionReboot\n\tscActionRunCommand\n)\n\n// defined in https://msdn.microsoft.com/en-us/library/windows/desktop/ms685939(v=vs.85).aspx\ntype serviceFailureActions struct {\n\t// time to wait to reset the failure count to zero if there are no failures in seconds\n\tresetPeriod uint32\n\trebootMsg *uint16\n\tcommand *uint16\n\t// If failure count is greater than actionCount, the service controller repeats\n\t// the last action in actions\n\tactionCount uint32\n\tactions uintptr\n}\n\n// https://msdn.microsoft.com/en-us/library/windows/desktop/ms685937(v=vs.85).aspx\n// Not supported in Windows Server 2003 and Windows XP\ntype serviceFailureActionsFlag struct {\n\t// enableActionsForStopsWithErr is of type BOOL, which is declared as\n\t// typedef int BOOL in C\n\tenableActionsForStopsWithErr int\n}\n\ntype recoveryAction struct {\n\trecoveryType uint32\n\t// The time to wait before performing the specified action, in milliseconds\n\tdelay uint32\n}\n\n// until https://github.com/golang/go/issues/23239 is release, we will need to\n// configure through ChangeServiceConfig2\nfunc configRecoveryOption(handle windows.Handle) error {\n\tactions := []recoveryAction{\n\t\t{recoveryType: uint32(scActionRestart), delay: uint32(recoverActionDelay / time.Millisecond)},\n\t}\n\tserviceRecoveryActions := serviceFailureActions{\n\t\tresetPeriod: uint32(failureCountResetPeriod / time.Second),\n\t\tactionCount: uint32(len(actions)),\n\t\tactions: uintptr(unsafe.Pointer(&actions[0])),\n\t}\n\tif err := windows.ChangeServiceConfig2(handle, windows.SERVICE_CONFIG_FAILURE_ACTIONS, (*byte)(unsafe.Pointer(&serviceRecoveryActions))); err != nil {\n\t\treturn err\n\t}\n\tserviceFailureActionsFlag := serviceFailureActionsFlag{enableActionsForStopsWithErr: 1}\n\treturn windows.ChangeServiceConfig2(handle, serviceConfigFailureActionsFlag, (*byte)(unsafe.Pointer(&serviceFailureActionsFlag)))\n}\n" }, { "path": "component-tests/.gitignore", "content": "__pycache__\n.pytest_cache\n" }, { "path": "component-tests/README.md", "content": "# Requirements\n1. Python 3.10 or later with packages in the given `requirements.txt`\n - E.g. with venv:\n - `python3 -m venv ./.venv` \n - `source ./.venv/bin/activate`\n - `python3 -m pip install -r requirements.txt`\n\n2. Create a config yaml file, for example:\n```\ncloudflared_binary: \"cloudflared\"\ntunnel: \"3d539f97-cd3a-4d8e-c33b-65e9099c7a8d\"\ncredentials_file: \"/Users/tunnel/.cloudflared/3d539f97-cd3a-4d8e-c33b-65e9099c7a8d.json\"\norigincert: \"/Users/tunnel/.cloudflared/cert.pem\"\ningress:\n- hostname: named-tunnel-component-tests.example.com\n service: hello_world\n- service: http_status:404\n```\n\n3. Route hostname to the tunnel. For the example config above, we can do that via\n```\n cloudflared tunnel route dns 3d539f97-cd3a-4d8e-c33b-65e9099c7a8d named-tunnel-component-tests.example.com\n```\n\n4. Turn on linter\nIf you are using Visual Studio, follow https://code.visualstudio.com/docs/python/linting to turn on linter.\n\n5. Turn on formatter\nIf you are using Visual Studio, follow https://code.visualstudio.com/docs/python/editing#_formatting\nto turn on formatter and https://marketplace.visualstudio.com/items?itemName=cbrevik.toggle-format-on-save\nto turn on format on save.\n\n6. If you have cloudflared running as a service on your machine, you can either stop the service or ignore the service tests\nvia `--ignore test_service.py`\n\n# How to run\nSpecify path to config file via env var `COMPONENT_TESTS_CONFIG`. This is required.\n## All tests\nRun `pytest` inside this(component-tests) folder\n\n## Specific files\nRun `pytest .py .py`\n\n## Specific tests\nRun `pytest file.py -k -k `\n\n## Live Logging\nRunning with `-o log_cli=true` outputs logging to CLI as the tests are. By default the log level is WARN.\n`--log-cli-level` control logging level.\nFor example, to log at info level, run `pytest -o log_cli=true --log-cli-level=INFO`.\nSee https://docs.pytest.org/en/latest/logging.html#live-logs for more documentation on logging." }, { "path": "component-tests/cli.py", "content": "import json\nimport subprocess\nfrom time import sleep\n\nfrom constants import MANAGEMENT_HOST_NAME\nfrom setup import get_config_from_file\nfrom util import get_tunnel_connector_id\n\nSINGLE_CASE_TIMEOUT = 600\n\nclass CloudflaredCli:\n def __init__(self, config, config_path, logger):\n self.basecmd = [config.cloudflared_binary, \"tunnel\"]\n if config_path is not None:\n self.basecmd += [\"--config\", str(config_path)]\n origincert = get_config_from_file()[\"origincert\"]\n if origincert:\n self.basecmd += [\"--origincert\", origincert]\n self.logger = logger\n\n def _run_command(self, subcmd, subcmd_name, needs_to_pass=True):\n cmd = self.basecmd + subcmd\n # timeout limits the time a subprocess can run. This is useful to guard against running a tunnel when\n # command/args are in wrong order.\n result = run_subprocess(cmd, subcmd_name, self.logger, check=needs_to_pass, capture_output=True, timeout=15)\n return result\n\n def list_tunnels(self):\n cmd_args = [\"list\", \"--output\", \"json\"]\n listed = self._run_command(cmd_args, \"list\")\n return json.loads(listed.stdout)\n\n def get_management_token(self, config, config_path, resource):\n basecmd = [config.cloudflared_binary]\n if config_path is not None:\n basecmd += [\"--config\", str(config_path)]\n origincert = get_config_from_file()[\"origincert\"]\n if origincert:\n basecmd += [\"--origincert\", origincert]\n\n cmd_args = [\"management\", \"token\", \"--resource\", resource, config.get_tunnel_id()]\n cmd = basecmd + cmd_args\n result = run_subprocess(cmd, \"token\", self.logger, check=True, capture_output=True, timeout=15)\n return json.loads(result.stdout.decode(\"utf-8\").strip())[\"token\"]\n \n def get_tail_token(self, config, config_path):\n \"\"\"\n Get management token using the 'tail token' command.\n Returns a token scoped for 'logs' resource.\n \"\"\"\n basecmd = [config.cloudflared_binary]\n if config_path is not None:\n basecmd += [\"--config\", str(config_path)]\n origincert = get_config_from_file()[\"origincert\"]\n if origincert:\n basecmd += [\"--origincert\", origincert]\n \n cmd_args = [\"tail\", \"token\", config.get_tunnel_id()]\n cmd = basecmd + cmd_args\n result = run_subprocess(cmd, \"tail-token\", self.logger, check=True, capture_output=True, timeout=15)\n return json.loads(result.stdout.decode(\"utf-8\").strip())[\"token\"]\n \n def get_management_url(self, path, config, config_path, resource):\n access_jwt = self.get_management_token(config, config_path, resource)\n connector_id = get_tunnel_connector_id()\n return f\"https://{MANAGEMENT_HOST_NAME}/{path}?connector_id={connector_id}&access_token={access_jwt}\"\n \n def get_management_wsurl(self, path, config, config_path, resource):\n access_jwt = self.get_management_token(config, config_path, resource)\n connector_id = get_tunnel_connector_id()\n return f\"wss://{MANAGEMENT_HOST_NAME}/{path}?connector_id={connector_id}&access_token={access_jwt}\"\n\n def get_connector_id(self, config): \n op = self.get_tunnel_info(config.get_tunnel_id())\n connectors = []\n for conn in op[\"conns\"]:\n connectors.append(conn[\"id\"])\n return connectors\n\n def get_tunnel_info(self, tunnel_id):\n info = self._run_command([\"info\", \"--output\", \"json\", tunnel_id], \"info\")\n return json.loads(info.stdout)\n\n def __enter__(self):\n self.basecmd += [\"run\"]\n self.process = subprocess.Popen(self.basecmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n self.logger.info(f\"Run cmd {self.basecmd}\")\n return self.process\n\n def __exit__(self, exc_type, exc_value, exc_traceback):\n terminate_gracefully(self.process, self.logger, self.basecmd)\n self.logger.debug(f\"{self.basecmd} logs: {self.process.stderr.read()}\")\n\n\ndef terminate_gracefully(process, logger, cmd):\n process.terminate()\n process_terminated = wait_for_terminate(process)\n if not process_terminated:\n process.kill()\n logger.warning(f\"{cmd}: cloudflared did not terminate within wait period. Killing process. logs: \\\n stdout: {process.stdout.read()}, stderr: {process.stderr.read()}\")\n\n\ndef wait_for_terminate(opened_subprocess, attempts=10, poll_interval=1):\n \"\"\"\n wait_for_terminate polls the opened_subprocess every x seconds for a given number of attempts.\n It returns true if the subprocess was terminated and false if it didn't.\n \"\"\"\n for _ in range(attempts):\n if _is_process_stopped(opened_subprocess):\n return True\n sleep(poll_interval)\n return False\n\n\ndef _is_process_stopped(process):\n return process.poll() is not None\n\n\ndef cert_path():\n return get_config_from_file()[\"origincert\"]\n\n\nclass SubprocessError(Exception):\n def __init__(self, program, exit_code, cause):\n self.program = program\n self.exit_code = exit_code\n self.cause = cause\n\n\ndef run_subprocess(cmd, cmd_name, logger, timeout=SINGLE_CASE_TIMEOUT, **kargs):\n kargs[\"timeout\"] = timeout\n try:\n result = subprocess.run(cmd, **kargs)\n logger.debug(f\"{cmd} log: {result.stdout}\", extra={\"cmd\": cmd_name})\n return result\n except subprocess.CalledProcessError as e:\n err = f\"{cmd} return exit code {e.returncode}, stderr\" + e.stderr.decode(\"utf-8\")\n logger.error(err, extra={\"cmd\": cmd_name, \"return_code\": e.returncode})\n raise SubprocessError(cmd[0], e.returncode, e)\n except subprocess.TimeoutExpired as e:\n err = f\"{cmd} timeout after {e.timeout} seconds, stdout: {e.stdout}, stderr: {e.stderr}\"\n logger.error(err, extra={\"cmd\": cmd_name, \"return_code\": \"timeout\"})\n raise e" }, { "path": "component-tests/config.py", "content": "#!/usr/bin/env python\nimport copy\nimport json\nimport base64\n\nfrom dataclasses import dataclass, InitVar\n\nfrom constants import METRICS_PORT\n\n# frozen=True raises exception when assigning to fields. This emulates immutability\n\n\n@dataclass(frozen=True)\nclass BaseConfig:\n cloudflared_binary: str\n no_autoupdate: bool = True\n metrics: str = f'localhost:{METRICS_PORT}'\n\n def merge_config(self, additional):\n config = copy.copy(additional)\n config['no-autoupdate'] = self.no_autoupdate\n config['metrics'] = self.metrics\n return config\n\n\n@dataclass(frozen=True)\nclass NamedTunnelBaseConfig(BaseConfig):\n # The attributes of the parent class are ordered before attributes in this class,\n # so we have to use default values here and check if they are set in __post_init__\n tunnel: str = None\n credentials_file: str = None\n ingress: list = None\n hostname: str = None\n\n def __post_init__(self):\n if self.tunnel is None:\n raise TypeError(\"Field tunnel is not set\")\n if self.credentials_file is None:\n raise TypeError(\"Field credentials_file is not set\")\n if self.ingress is None:\n raise TypeError(\"Field ingress is not set\")\n\n def merge_config(self, additional):\n config = super(NamedTunnelBaseConfig, self).merge_config(additional)\n if 'tunnel' not in config:\n config['tunnel'] = self.tunnel\n if 'credentials-file' not in config:\n config['credentials-file'] = self.credentials_file\n # In some cases we want to override default ingress, such as in config tests\n if 'ingress' not in config:\n config['ingress'] = self.ingress\n return config\n\n\n@dataclass(frozen=True)\nclass NamedTunnelConfig(NamedTunnelBaseConfig):\n full_config: dict = None\n additional_config: InitVar[dict] = {}\n\n def __post_init__(self, additional_config):\n # Cannot call set self.full_config because the class is frozen, instead, we can use __setattr__\n # https://docs.python.org/3/library/dataclasses.html#frozen-instances\n object.__setattr__(self, 'full_config',\n self.merge_config(additional_config))\n\n def get_url(self):\n return \"https://\" + self.hostname\n\n def base_config(self):\n config = self.full_config.copy()\n\n # removes the tunnel reference\n del(config[\"tunnel\"])\n del(config[\"credentials-file\"])\n\n return config\n\n def get_tunnel_id(self):\n return self.full_config[\"tunnel\"]\n\n def get_token(self):\n creds = self.get_credentials_json()\n token_dict = {\"a\": creds[\"AccountTag\"], \"t\": creds[\"TunnelID\"], \"s\": creds[\"TunnelSecret\"]}\n token_json_str = json.dumps(token_dict)\n return base64.b64encode(token_json_str.encode('utf-8'))\n\n def get_credentials_json(self):\n with open(self.credentials_file) as json_file:\n return json.load(json_file)\n \n@dataclass(frozen=True)\nclass QuickTunnelConfig(BaseConfig):\n full_config: dict = None\n additional_config: InitVar[dict] = {}\n\n def __post_init__(self, additional_config):\n # Cannot call set self.full_config because the class is frozen, instead, we can use __setattr__\n # https://docs.python.org/3/library/dataclasses.html#frozen-instances\n object.__setattr__(self, 'full_config',\n self.merge_config(additional_config))\n\n" }, { "path": "component-tests/config.yaml", "content": "cloudflared_binary: \"cloudflared\"\ntunnel: \"ae21a96c-24d1-4ce8-a6ba-962cba5976d3\"\ncredentials_file: \"/Users/sudarsan/.cloudflared/ae21a96c-24d1-4ce8-a6ba-962cba5976d3.json\"\norigincert: \"/Users/sudarsan/.cloudflared/cert.pem\"\ningress:\n- hostname: named-tunnel-component-tests.example.com\n service: hello_world\n- service: http_status:404\n" }, { "path": "component-tests/conftest.py", "content": "import os\nfrom enum import Enum, auto\nfrom time import sleep\n\nimport pytest\nimport yaml\n\nfrom config import NamedTunnelConfig, QuickTunnelConfig\nfrom constants import BACKOFF_SECS\nfrom util import LOGGER\n\n\nclass CfdModes(Enum):\n NAMED = auto()\n QUICK = auto()\n\n\n@pytest.fixture(scope=\"session\")\ndef component_tests_config():\n config_file = os.getenv(\"COMPONENT_TESTS_CONFIG\")\n if config_file is None:\n raise Exception(\n \"Need to provide path to config file in COMPONENT_TESTS_CONFIG\")\n with open(config_file, 'r') as stream:\n config = yaml.safe_load(stream)\n LOGGER.info(f\"component tests base config {config}\")\n\n def _component_tests_config(additional_config={}, cfd_mode=CfdModes.NAMED, provide_ingress=True):\n # Allows the ingress rules to be omitted from the provided config\n ingress = []\n if provide_ingress:\n ingress = config['ingress']\n\n # Provide the hostname to allow routing to the tunnel even if the ingress rule isn't defined in the config\n hostname = config['ingress'][0]['hostname']\n\n if cfd_mode is CfdModes.NAMED:\n return NamedTunnelConfig(additional_config=additional_config,\n cloudflared_binary=config['cloudflared_binary'],\n tunnel=config['tunnel'],\n credentials_file=config['credentials_file'],\n ingress=ingress,\n hostname=hostname)\n elif cfd_mode is CfdModes.QUICK:\n return QuickTunnelConfig(additional_config=additional_config, cloudflared_binary=config['cloudflared_binary'])\n else:\n raise Exception(f\"Unknown cloudflared mode {cfd_mode}\")\n\n return _component_tests_config\n\n\n# This fixture is automatically called before each tests to make sure the previous cloudflared has been shutdown\n@pytest.fixture(autouse=True)\ndef wait_previous_cloudflared():\n sleep(BACKOFF_SECS)\n" }, { "path": "component-tests/constants.py", "content": "METRICS_PORT = 51000\nMAX_RETRIES = 5\nBACKOFF_SECS = 7\nMAX_LOG_LINES = 50\n\nMANAGEMENT_HOST_NAME = \"management.argotunnel.com\"\n\n\ndef protocols():\n return [\"http2\", \"quic\"]\n" }, { "path": "component-tests/requirements.txt", "content": "cloudflare==2.14.3\nflaky==3.7.0\npytest==7.3.1\npytest-asyncio==0.21.0\npyyaml==6.0.1\nrequests==2.28.2\nretrying==1.3.4\nwebsockets==11.0.1\n" }, { "path": "component-tests/setup.py", "content": "#!/usr/bin/env python\nimport argparse\nimport base64\nimport json\nimport os\nimport subprocess\nimport uuid\n\nimport CloudFlare\nimport yaml\nfrom retrying import retry\n\nfrom constants import MAX_RETRIES, BACKOFF_SECS\nfrom util import LOGGER\n\n\ndef get_config_from_env():\n config_content = base64.b64decode(get_env(\"COMPONENT_TESTS_CONFIG_CONTENT\")).decode('utf-8')\n return yaml.safe_load(config_content)\n\n\ndef get_config_from_file():\n config_path = get_env(\"COMPONENT_TESTS_CONFIG\")\n with open(config_path, 'r') as infile:\n return yaml.safe_load(infile)\n\n\ndef persist_config(config):\n config_path = get_env(\"COMPONENT_TESTS_CONFIG\")\n with open(config_path, 'w') as outfile:\n yaml.safe_dump(config, outfile)\n\n\ndef persist_origin_cert(config):\n origincert = get_env(\"COMPONENT_TESTS_ORIGINCERT\")\n path = config[\"origincert\"]\n with open(path, 'w') as outfile:\n outfile.write(origincert)\n return path\n\n\n@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)\ndef create_tunnel(config, origincert_path, random_uuid):\n # Delete any previous existing credentials file. If the agent keeps files around (that's the case in Windows) then\n # cloudflared tunnel create will refuse to create the tunnel because it does not want to overwrite credentials\n # files.\n credentials_path = config[\"credentials_file\"]\n try:\n os.remove(credentials_path)\n except OSError:\n pass\n\n tunnel_name = \"cfd_component_test-\" + random_uuid\n create_cmd = [config[\"cloudflared_binary\"], \"tunnel\", \"--origincert\", origincert_path, \"create\",\n \"--credentials-file\", credentials_path, tunnel_name]\n LOGGER.info(f\"Creating tunnel with {create_cmd}\")\n subprocess.run(create_cmd, check=True)\n\n list_cmd = [config[\"cloudflared_binary\"], \"tunnel\", \"--origincert\", origincert_path, \"list\", \"--name\",\n tunnel_name, \"--output\", \"json\"]\n LOGGER.info(f\"Listing tunnel with {list_cmd}\")\n cloudflared = subprocess.run(list_cmd, check=True, capture_output=True)\n return json.loads(cloudflared.stdout)[0][\"id\"]\n\n\n@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)\ndef delete_tunnel(config):\n credentials_path = config[\"credentials_file\"]\n delete_cmd = [config[\"cloudflared_binary\"], \"tunnel\", \"--origincert\", config[\"origincert\"], \"delete\",\n \"--credentials-file\", credentials_path, \"-f\", config[\"tunnel\"]]\n LOGGER.info(f\"Deleting tunnel with {delete_cmd}\")\n subprocess.run(delete_cmd, check=True)\n\n\n@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)\ndef create_dns(config, hostname, type, content):\n cf = CloudFlare.CloudFlare(debug=False, token=get_env(\"DNS_API_TOKEN\"))\n cf.zones.dns_records.post(\n config[\"zone_tag\"],\n data={'name': hostname, 'type': type, 'content': content, 'proxied': True}\n )\n\n\ndef create_named_dns(config, random_uuid):\n hostname = \"named-\" + random_uuid + \".\" + config[\"zone_domain\"]\n create_dns(config, hostname, \"CNAME\", config[\"tunnel\"] + \".cfargotunnel.com\")\n return hostname\n\n\n@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)\ndef delete_dns(config, hostname):\n cf = CloudFlare.CloudFlare(debug=False, token=get_env(\"DNS_API_TOKEN\"))\n zone_tag = config[\"zone_tag\"]\n dns_records = cf.zones.dns_records.get(zone_tag, params={'name': hostname})\n if len(dns_records) > 0:\n cf.zones.dns_records.delete(zone_tag, dns_records[0]['id'])\n\n\ndef write_file(content, path):\n with open(path, 'w') as outfile:\n outfile.write(content)\n\n\ndef get_env(env_name):\n val = os.getenv(env_name)\n if val is None:\n raise Exception(f\"{env_name} is not set\")\n return val\n\n\ndef create():\n \"\"\"\n Creates the necessary resources for the components test to run.\n - Creates a named tunnel with a random name.\n - Creates a random CNAME DNS entry for that tunnel.\n\n Those created resources are added to the config (obtained from an environment variable).\n The resulting configuration is persisted for the tests to use.\n \"\"\"\n config = get_config_from_env()\n origincert_path = persist_origin_cert(config)\n\n random_uuid = str(uuid.uuid4())\n config[\"tunnel\"] = create_tunnel(config, origincert_path, random_uuid)\n config[\"ingress\"] = [\n {\n \"hostname\": create_named_dns(config, random_uuid),\n \"service\": \"hello_world\"\n },\n {\n \"service\": \"http_status:404\"\n }\n ]\n\n persist_config(config)\n\n\ndef cleanup():\n \"\"\"\n Reads the persisted configuration that was created previously.\n Deletes the resources that were created there.\n \"\"\"\n config = get_config_from_file()\n delete_tunnel(config)\n delete_dns(config, config[\"ingress\"][0][\"hostname\"])\n\n\nif __name__ == '__main__':\n parser = argparse.ArgumentParser(description='setup component tests')\n parser.add_argument('--type', choices=['create', 'cleanup'], default='create')\n args = parser.parse_args()\n\n if args.type == 'create':\n create()\n else:\n cleanup()\n" }, { "path": "component-tests/test_config.py", "content": "#!/usr/bin/env python\nfrom util import start_cloudflared\n\n\nclass TestConfig:\n # tmp_path is a fixture provides a temporary directory unique to the test invocation\n def test_validate_ingress_rules(self, tmp_path, component_tests_config):\n extra_config = {\n 'ingress': [\n {\n \"hostname\": \"example.com\",\n \"service\": \"https://localhost:8000\",\n \"originRequest\": {\n \"originServerName\": \"test.example.com\",\n \"caPool\": \"/etc/certs/ca.pem\"\n },\n },\n {\n \"hostname\": \"api.example.com\",\n \"path\": \"login\",\n \"service\": \"https://localhost:9000\",\n },\n {\n \"hostname\": \"wss.example.com\",\n \"service\": \"wss://localhost:8000\",\n },\n {\n \"hostname\": \"ssh.example.com\",\n \"service\": \"ssh://localhost:8000\",\n },\n {\"service\": \"http_status:404\"}\n ],\n }\n config = component_tests_config(extra_config)\n validate_args = [\"ingress\", \"validate\"]\n _ = start_cloudflared(tmp_path, config, validate_args)\n\n self.match_rule(tmp_path, config,\n \"http://example.com/index.html\", 0)\n self.match_rule(tmp_path, config,\n \"https://example.com/index.html\", 0)\n self.match_rule(tmp_path, config,\n \"https://api.example.com/login\", 1)\n self.match_rule(tmp_path, config,\n \"https://wss.example.com\", 2)\n self.match_rule(tmp_path, config,\n \"https://ssh.example.com\", 3)\n self.match_rule(tmp_path, config,\n \"https://api.example.com\", 4)\n\n # This is used to check that the command tunnel ingress url matches rule number . Note that rule number uses 1-based indexing\n\n def match_rule(self, tmp_path, config, url, rule_num):\n args = [\"ingress\", \"rule\", url]\n match_rule = start_cloudflared(tmp_path, config, args)\n\n assert f\"Matched rule #{rule_num}\" .encode() in match_rule.stdout\n" }, { "path": "component-tests/test_edge_discovery.py", "content": "import ipaddress\nimport socket\n\nimport pytest\n\nfrom constants import protocols\nfrom cli import CloudflaredCli\nfrom util import get_tunnel_connector_id, LOGGER, wait_tunnel_ready, write_config\n\n\nclass TestEdgeDiscovery:\n def _extra_config(self, protocol, edge_ip_version):\n config = {\n \"protocol\": protocol,\n }\n if edge_ip_version:\n config[\"edge-ip-version\"] = edge_ip_version\n return config\n\n @pytest.mark.parametrize(\"protocol\", protocols())\n def test_default_only(self, tmp_path, component_tests_config, protocol):\n \"\"\"\n This test runs a tunnel to connect via IPv4-only edge addresses (default is unset \"--edge-ip-version 4\")\n \"\"\"\n if self.has_ipv6_only():\n pytest.skip(\"Host has IPv6 only support and current default is IPv4 only\")\n self.expect_address_connections(\n tmp_path, component_tests_config, protocol, None, self.expect_ipv4_address)\n\n @pytest.mark.parametrize(\"protocol\", protocols())\n def test_ipv4_only(self, tmp_path, component_tests_config, protocol):\n \"\"\"\n This test runs a tunnel to connect via IPv4-only edge addresses\n \"\"\"\n if self.has_ipv6_only():\n pytest.skip(\"Host has IPv6 only support\")\n self.expect_address_connections(\n tmp_path, component_tests_config, protocol, \"4\", self.expect_ipv4_address)\n\n @pytest.mark.parametrize(\"protocol\", protocols())\n def test_ipv6_only(self, tmp_path, component_tests_config, protocol):\n \"\"\"\n This test runs a tunnel to connect via IPv6-only edge addresses\n \"\"\"\n if self.has_ipv4_only():\n pytest.skip(\"Host has IPv4 only support\")\n self.expect_address_connections(\n tmp_path, component_tests_config, protocol, \"6\", self.expect_ipv6_address)\n\n @pytest.mark.parametrize(\"protocol\", protocols())\n def test_auto_ip64(self, tmp_path, component_tests_config, protocol):\n \"\"\"\n This test runs a tunnel to connect via auto with a preference of IPv6 then IPv4 addresses for a dual stack host\n\n This test also assumes that the host has IPv6 preference.\n \"\"\"\n if not self.has_dual_stack(address_family_preference=socket.AddressFamily.AF_INET6):\n pytest.skip(\"Host does not support dual stack with IPv6 preference\")\n self.expect_address_connections(\n tmp_path, component_tests_config, protocol, \"auto\", self.expect_ipv6_address)\n\n @pytest.mark.parametrize(\"protocol\", protocols())\n def test_auto_ip46(self, tmp_path, component_tests_config, protocol):\n \"\"\"\n This test runs a tunnel to connect via auto with a preference of IPv4 then IPv6 addresses for a dual stack host\n\n This test also assumes that the host has IPv4 preference.\n \"\"\"\n if not self.has_dual_stack(address_family_preference=socket.AddressFamily.AF_INET):\n pytest.skip(\"Host does not support dual stack with IPv4 preference\")\n self.expect_address_connections(\n tmp_path, component_tests_config, protocol, \"auto\", self.expect_ipv4_address)\n\n def expect_address_connections(self, tmp_path, component_tests_config, protocol, edge_ip_version, assert_address_type):\n config = component_tests_config(\n self._extra_config(protocol, edge_ip_version))\n config_path = write_config(tmp_path, config.full_config)\n LOGGER.debug(config)\n with CloudflaredCli(config, config_path, LOGGER):\n wait_tunnel_ready(tunnel_url=config.get_url(),\n require_min_connections=4)\n cfd_cli = CloudflaredCli(config, config_path, LOGGER)\n tunnel_id = config.get_tunnel_id()\n info = cfd_cli.get_tunnel_info(tunnel_id)\n connector_id = get_tunnel_connector_id()\n connector = next(\n (c for c in info[\"conns\"] if c[\"id\"] == connector_id), None)\n assert connector, f\"Expected connection info from get tunnel info for the connected instance: {info}\"\n conns = connector[\"conns\"]\n assert conns == None or len(\n conns) == 4, f\"There should be 4 connections registered: {conns}\"\n for conn in conns:\n origin_ip = conn[\"origin_ip\"]\n assert origin_ip, f\"No available origin_ip for this connection: {conn}\"\n assert_address_type(origin_ip)\n\n def expect_ipv4_address(self, address):\n assert type(ipaddress.ip_address(\n address)) is ipaddress.IPv4Address, f\"Expected connection from origin to be a valid IPv4 address: {address}\"\n\n def expect_ipv6_address(self, address):\n assert type(ipaddress.ip_address(\n address)) is ipaddress.IPv6Address, f\"Expected connection from origin to be a valid IPv6 address: {address}\"\n\n def get_addresses(self):\n \"\"\"\n Returns a list of addresses for the host.\n \"\"\"\n host_addresses = socket.getaddrinfo(\n \"region1.v2.argotunnel.com\", 7844, socket.AF_UNSPEC, socket.SOCK_STREAM)\n assert len(\n host_addresses) > 0, \"No addresses returned from getaddrinfo\"\n return host_addresses\n\n def has_dual_stack(self, address_family_preference=None):\n \"\"\"\n Returns true if the host has dual stack support and can optionally check \n the provided IP family preference.\n \"\"\"\n dual_stack = not self.has_ipv6_only() and not self.has_ipv4_only()\n if address_family_preference:\n address = self.get_addresses()[0]\n return dual_stack and address[0] == address_family_preference\n\n return dual_stack\n\n def has_ipv6_only(self):\n \"\"\"\n Returns True if the host has only IPv6 address support.\n \"\"\"\n return self.attempt_connection(socket.AddressFamily.AF_INET6) and not self.attempt_connection(socket.AddressFamily.AF_INET)\n\n def has_ipv4_only(self):\n \"\"\"\n Returns True if the host has only IPv4 address support.\n \"\"\"\n return self.attempt_connection(socket.AddressFamily.AF_INET) and not self.attempt_connection(socket.AddressFamily.AF_INET6)\n\n def attempt_connection(self, address_family):\n \"\"\"\n Returns True if a successful socket connection can be made to the \n remote host with the provided address family to validate host support \n for the provided address family.\n \"\"\"\n address = None\n for a in self.get_addresses():\n if a[0] == address_family:\n address = a\n break\n if address is None:\n # Couldn't even lookup the address family so we can't connect\n return False\n af, socktype, proto, canonname, sockaddr = address\n s = None\n try:\n s = socket.socket(af, socktype, proto)\n except OSError:\n return False\n try:\n s.connect(sockaddr)\n except OSError:\n s.close()\n return False\n s.close()\n return True\n" }, { "path": "component-tests/test_logging.py", "content": "#!/usr/bin/env python\nimport json\nimport os\n\nfrom constants import MAX_LOG_LINES\nfrom util import start_cloudflared, wait_tunnel_ready, send_requests\n\n# Rolling logger rotate log files after 1 MB\nrotate_after_size = 1000 * 1000\ndefault_log_file = \"cloudflared.log\"\nexpect_message = \"Starting Hello\"\n\n\ndef assert_log_to_terminal(cloudflared):\n for _ in range(0, MAX_LOG_LINES):\n line = cloudflared.stderr.readline()\n if not line:\n break\n if expect_message.encode() in line:\n return\n raise Exception(f\"terminal log doesn't contain {expect_message}\")\n\n\ndef assert_log_in_file(file):\n with open(file, \"r\") as f:\n for _ in range(0, MAX_LOG_LINES):\n line = f.readline()\n if not line:\n break\n if expect_message in line:\n return\n raise Exception(f\"log file doesn't contain {expect_message}\")\n\n\ndef assert_json_log(file):\n def assert_in_json(j, key):\n assert key in j, f\"{key} is not in j\"\n\n with open(file, \"r\") as f:\n line = f.readline()\n json_log = json.loads(line)\n assert_in_json(json_log, \"level\")\n assert_in_json(json_log, \"time\")\n assert_in_json(json_log, \"message\")\n\n\ndef assert_log_to_dir(config, log_dir):\n max_batches = 3\n batch_requests = 1000\n for _ in range(max_batches):\n send_requests(config.get_url(),\n batch_requests, require_ok=False)\n files = os.listdir(log_dir)\n if len(files) == 2:\n current_log_file_index = files.index(default_log_file)\n current_file = log_dir / files[current_log_file_index]\n stats = os.stat(current_file)\n assert stats.st_size > 0\n assert_json_log(current_file)\n\n # One file is the current log file, the other is the rotated log file\n rotated_log_file_index = 0 if current_log_file_index == 1 else 1\n rotated_file = log_dir / files[rotated_log_file_index]\n stats = os.stat(rotated_file)\n assert stats.st_size > rotate_after_size\n assert_log_in_file(rotated_file)\n assert_json_log(current_file)\n return\n\n raise Exception(\n f\"Log file isn't rotated after sending {max_batches * batch_requests} requests\")\n\n\nclass TestLogging:\n def test_logging_to_terminal(self, tmp_path, component_tests_config):\n config = component_tests_config()\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], new_process=True) as cloudflared:\n wait_tunnel_ready(tunnel_url=config.get_url())\n assert_log_to_terminal(cloudflared)\n\n def test_logging_to_file(self, tmp_path, component_tests_config):\n log_file = tmp_path / default_log_file\n extra_config = {\n # Convert from pathlib.Path to str\n \"logfile\": str(log_file),\n }\n config = component_tests_config(extra_config)\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], new_process=True, capture_output=False):\n wait_tunnel_ready(tunnel_url=config.get_url(), cfd_logs=str(log_file))\n assert_log_in_file(log_file)\n assert_json_log(log_file)\n\n def test_logging_to_dir(self, tmp_path, component_tests_config):\n log_dir = tmp_path / \"logs\"\n extra_config = {\n \"loglevel\": \"debug\",\n # Convert from pathlib.Path to str\n \"log-directory\": str(log_dir),\n }\n config = component_tests_config(extra_config)\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], new_process=True, capture_output=False):\n wait_tunnel_ready(tunnel_url=config.get_url(), cfd_logs=str(log_dir))\n assert_log_to_dir(config, log_dir)\n" }, { "path": "component-tests/test_management.py", "content": "#!/usr/bin/env python\nimport json\nimport requests\nfrom conftest import CfdModes\nfrom constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS\nfrom retrying import retry\nfrom cli import CloudflaredCli\nfrom util import LOGGER, write_config, start_cloudflared, wait_tunnel_ready, send_requests, decode_jwt_payload\nimport platform\n\n\"\"\"\nEach test in TestManagement will:\n1. Acquire a management token from Cloudflare public API\n2. Make a request against the management service for the running tunnel\n\"\"\"\nclass TestManagement:\n \"\"\"\n test_get_host_details does the following:\n 1. It gets a management token from Tunnelstore using cloudflared tail token \n 2. It gets the connector_id after starting a cloudflare tunnel\n 3. It sends a request to the management host with the connector_id and management token\n 4. Asserts that the response has a hostname and ip.\n \"\"\"\n def test_get_host_details(self, tmp_path, component_tests_config):\n # TUN-7377 : wait_tunnel_ready does not work properly in windows.\n # Skipping this test for windows for now and will address it as part of tun-7377\n if platform.system() == \"Windows\":\n return\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n headers = {}\n headers[\"Content-Type\"] = \"application/json\"\n config_path = write_config(tmp_path, config.full_config)\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\", \"--label\" , \"test\"], cfd_args=[\"run\", \"--hello-world\"], new_process=True):\n wait_tunnel_ready(tunnel_url=config.get_url(),\n require_min_connections=1)\n cfd_cli = CloudflaredCli(config, config_path, LOGGER)\n connector_id = cfd_cli.get_connector_id(config)[0]\n url = cfd_cli.get_management_url(\"host_details\", config, config_path, resource=\"host_details\")\n resp = send_request(url, headers=headers)\n \n # Assert response json.\n assert resp.status_code == 200, \"Expected cloudflared to return 200 for host details\"\n assert resp.json()[\"hostname\"] == \"custom:test\", \"Expected cloudflared to return hostname\"\n assert resp.json()[\"ip\"] != \"\", \"Expected cloudflared to return ip\"\n assert resp.json()[\"connector_id\"] == connector_id, \"Expected cloudflared to return connector_id\"\n \n \"\"\"\n test_get_metrics will verify that the /metrics endpoint returns the prometheus metrics dump\n \"\"\"\n def test_get_metrics(self, tmp_path, component_tests_config):\n # TUN-7377 : wait_tunnel_ready does not work properly in windows.\n # Skipping this test for windows for now and will address it as part of tun-7377\n if platform.system() == \"Windows\":\n return\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n config_path = write_config(tmp_path, config.full_config)\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], new_process=True):\n wait_tunnel_ready(require_min_connections=1)\n cfd_cli = CloudflaredCli(config, config_path, LOGGER)\n url = cfd_cli.get_management_url(\"metrics\", config, config_path, resource=\"admin\")\n resp = send_request(url)\n \n # Assert response.\n assert resp.status_code == 200, \"Expected cloudflared to return 200 for /metrics\"\n assert \"# HELP build_info Build and version information\" in resp.text, \"Expected /metrics to have with the build_info details\"\n\n \"\"\"\n test_get_pprof_heap will verify that the /debug/pprof/heap endpoint returns a pprof/heap dump response\n \"\"\"\n def test_get_pprof_heap(self, tmp_path, component_tests_config):\n # TUN-7377 : wait_tunnel_ready does not work properly in windows.\n # Skipping this test for windows for now and will address it as part of tun-7377\n if platform.system() == \"Windows\":\n return\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n config_path = write_config(tmp_path, config.full_config)\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], new_process=True):\n wait_tunnel_ready(require_min_connections=1)\n cfd_cli = CloudflaredCli(config, config_path, LOGGER)\n url = cfd_cli.get_management_url(\"debug/pprof/heap\", config, config_path, resource=\"admin\")\n resp = send_request(url)\n \n # Assert response.\n assert resp.status_code == 200, \"Expected cloudflared to return 200 for /debug/pprof/heap\"\n assert resp.headers[\"Content-Type\"] == \"application/octet-stream\", \"Expected /debug/pprof/heap to have return a binary response\"\n \n \"\"\"\n test_get_metrics_when_disabled will verify that diagnostic endpoints (such as /metrics) return 404 and are unmounted. \n \"\"\"\n def test_get_metrics_when_disabled(self, tmp_path, component_tests_config):\n # TUN-7377 : wait_tunnel_ready does not work properly in windows.\n # Skipping this test for windows for now and will address it as part of tun-7377\n if platform.system() == \"Windows\":\n return\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n config_path = write_config(tmp_path, config.full_config)\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\", \"--management-diagnostics=false\"], new_process=True):\n wait_tunnel_ready(require_min_connections=1)\n cfd_cli = CloudflaredCli(config, config_path, LOGGER)\n url = cfd_cli.get_management_url(\"metrics\", config, config_path, resource=\"admin\")\n resp = send_request(url)\n \n # Assert response.\n assert resp.status_code == 404, \"Expected cloudflared to return 404 for /metrics\"\n\n def test_tail_token_command(self, tmp_path, component_tests_config):\n \"\"\"\n Validates that 'cloudflared tail token' command returns a token \n scoped for 'logs' and 'ping' resources.\n \"\"\"\n # TUN-7377: wait_tunnel_ready does not work properly in windows\n if platform.system() == \"Windows\":\n return\n \n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n config_path = write_config(tmp_path, config.full_config)\n \n cfd_cli = CloudflaredCli(config, config_path, LOGGER)\n token = cfd_cli.get_tail_token(config, config_path)\n \n # Verify token was returned\n assert token, \"Expected non-empty token to be returned\"\n \n # Decode JWT payload to verify resource claims\n claims = decode_jwt_payload(token)\n\n resource_tag = 'res'\n # Verify the token has 'logs' and 'ping' in resource array\n assert resource_tag in claims, f\"Expected {resource_tag} claim in token\"\n assert isinstance(claims['res'], list), f\"Expected {resource_tag} to be an array\"\n assert 'logs' in claims[resource_tag], \\\n f\"Expected 'logs' in resource array, got: {claims[resource_tag]}\"\n assert 'ping' in claims[resource_tag], \\\n f\"Expected 'ping' in resource array, got: {claims[resource_tag]}\"\n \n LOGGER.info(f\"Tail token successfully verified with resources: {claims[resource_tag]}\")\n\n\n\n\n@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)\ndef send_request(url, headers={}):\n with requests.Session() as s:\n resp = s.get(url, timeout=BACKOFF_SECS, headers=headers)\n if resp.status_code == 530:\n LOGGER.debug(f\"Received 530 status, retrying request to {url}\")\n raise Exception(f\"Received 530 status code from {url}\")\n return resp\n" }, { "path": "component-tests/test_pq.py", "content": "from util import LOGGER, start_cloudflared, wait_tunnel_ready\n\n\nclass TestPostQuantum:\n def _extra_config(self):\n config = {\n \"protocol\": \"quic\",\n }\n return config\n\n def test_post_quantum(self, tmp_path, component_tests_config):\n config = component_tests_config(self._extra_config())\n LOGGER.debug(config)\n with start_cloudflared(\n tmp_path,\n config,\n cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"],\n cfd_args=[\"run\", \"--post-quantum\"],\n new_process=True,\n ):\n wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)\n" }, { "path": "component-tests/test_quicktunnels.py", "content": "#!/usr/bin/env python\nfrom conftest import CfdModes\nfrom constants import METRICS_PORT\nimport time\nfrom util import LOGGER, start_cloudflared, wait_tunnel_ready, get_quicktunnel_url, send_requests\n\nclass TestQuickTunnels:\n def test_quick_tunnel(self, tmp_path, component_tests_config):\n config = component_tests_config(cfd_mode=CfdModes.QUICK)\n LOGGER.debug(config)\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], cfd_args=[\"--hello-world\"], new_process=True):\n wait_tunnel_ready(require_min_connections=1)\n time.sleep(10)\n url = get_quicktunnel_url()\n send_requests(url, 3, True)\n \n def test_quick_tunnel_url(self, tmp_path, component_tests_config):\n config = component_tests_config(cfd_mode=CfdModes.QUICK)\n LOGGER.debug(config)\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], cfd_args=[\"--url\", f\"http://localhost:{METRICS_PORT}/\"], new_process=True):\n wait_tunnel_ready(require_min_connections=1)\n time.sleep(10)\n url = get_quicktunnel_url()\n send_requests(url+\"/ready\", 3, True)\n" }, { "path": "component-tests/test_reconnect.py", "content": "#!/usr/bin/env python\nimport copy\nimport platform\nfrom time import sleep\n\nimport pytest\nfrom flaky import flaky\n\nfrom conftest import CfdModes\nfrom constants import protocols\nfrom util import start_cloudflared, wait_tunnel_ready, check_tunnel_not_connected\n\n\n@flaky(max_runs=3, min_passes=1)\nclass TestReconnect:\n default_ha_conns = 1\n default_reconnect_secs = 15\n extra_config = {\n \"stdin-control\": True,\n }\n\n def _extra_config(self, protocol):\n return {\n \"stdin-control\": True,\n \"protocol\": protocol,\n }\n\n @pytest.mark.skipif(platform.system() == \"Windows\", reason=f\"Currently buggy on Windows TUN-4584\")\n @pytest.mark.parametrize(\"protocol\", protocols())\n def test_named_reconnect(self, tmp_path, component_tests_config, protocol):\n config = component_tests_config(self._extra_config(protocol))\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], new_process=True, allow_input=True, capture_output=False) as cloudflared:\n # Repeat the test multiple times because some issues only occur after multiple reconnects\n self.assert_reconnect(config, cloudflared, 5)\n\n def send_reconnect(self, cloudflared, secs):\n # Although it is recommended to use the Popen.communicate method, we cannot\n # use it because it blocks on reading stdout and stderr until EOF is reached\n cloudflared.stdin.write(f\"reconnect {secs}s\\n\".encode())\n cloudflared.stdin.flush()\n\n def assert_reconnect(self, config, cloudflared, repeat):\n wait_tunnel_ready(tunnel_url=config.get_url(),\n require_min_connections=self.default_ha_conns)\n for _ in range(repeat):\n for _ in range(self.default_ha_conns):\n self.send_reconnect(cloudflared, self.default_reconnect_secs)\n check_tunnel_not_connected()\n sleep(self.default_reconnect_secs * 2)\n wait_tunnel_ready(tunnel_url=config.get_url(),\n require_min_connections=self.default_ha_conns)\n" }, { "path": "component-tests/test_service.py", "content": "#!/usr/bin/env python\nimport os\nimport pathlib\nimport subprocess\nfrom contextlib import contextmanager\nfrom pathlib import Path\n\nimport pytest\n\nimport test_logging\nfrom conftest import CfdModes\nfrom util import select_platform, skip_on_ci, start_cloudflared, wait_tunnel_ready, write_config\n\n\ndef default_config_dir():\n return os.path.join(Path.home(), \".cloudflared\")\n\n\ndef default_config_file():\n return os.path.join(default_config_dir(), \"config.yml\")\n\n\nclass TestServiceMode:\n @select_platform(\"Darwin\")\n @pytest.mark.skipif(os.path.exists(default_config_file()), reason=f\"There is already a config file in default path\")\n def test_launchd_service_log_to_file(self, tmp_path, component_tests_config):\n log_file = tmp_path / test_logging.default_log_file\n additional_config = {\n # On Darwin cloudflared service defaults to run classic tunnel command\n \"hello-world\": True,\n \"logfile\": str(log_file),\n }\n config = component_tests_config(additional_config=additional_config, cfd_mode=CfdModes.CLASSIC)\n\n def assert_log_file():\n test_logging.assert_log_in_file(log_file)\n test_logging.assert_json_log(log_file)\n\n self.launchd_service_scenario(config, assert_log_file)\n\n @select_platform(\"Darwin\")\n @pytest.mark.skipif(os.path.exists(default_config_file()), reason=f\"There is already a config file in default path\")\n def test_launchd_service_with_token(self, tmp_path, component_tests_config):\n log_file = tmp_path / test_logging.default_log_file\n additional_config = {\n \"logfile\": str(log_file),\n }\n config = component_tests_config(additional_config=additional_config)\n\n # service install doesn't install the config file but in this case we want to use some default settings\n # so we write the base config without the tunnel credentials and ID\n write_config(pathlib.Path(default_config_dir()), config.base_config())\n\n self.launchd_service_scenario(config, use_token=True)\n\n @select_platform(\"Darwin\")\n @pytest.mark.skipif(os.path.exists(default_config_file()), reason=f\"There is already a config file in default path\")\n def test_launchd_service_rotating_log(self, tmp_path, component_tests_config):\n log_dir = tmp_path / \"logs\"\n additional_config = {\n # On Darwin cloudflared service defaults to run classic tunnel command\n \"hello-world\": True,\n \"loglevel\": \"debug\",\n \"log-directory\": str(log_dir),\n }\n config = component_tests_config(additional_config=additional_config, cfd_mode=CfdModes.CLASSIC)\n\n def assert_rotating_log():\n test_logging.assert_log_to_dir(config, log_dir)\n\n self.launchd_service_scenario(config, assert_rotating_log)\n\n def launchd_service_scenario(self, config, extra_assertions=None, use_token=False):\n with self.run_service(Path(default_config_dir()), config, use_token=use_token):\n self.launchctl_cmd(\"list\")\n self.launchctl_cmd(\"start\")\n wait_tunnel_ready(tunnel_url=config.get_url())\n if extra_assertions is not None:\n extra_assertions()\n self.launchctl_cmd(\"stop\")\n\n os.remove(default_config_file())\n self.launchctl_cmd(\"list\", success=False)\n\n @skip_on_ci(\"we can't run sudo command on CI\")\n @select_platform(\"Linux\")\n @pytest.mark.skipif(os.path.exists(\"/etc/cloudflared/config.yml\"),\n reason=f\"There is already a config file in default path\")\n def test_sysv_service_log_to_file(self, tmp_path, component_tests_config):\n log_file = tmp_path / test_logging.default_log_file\n additional_config = {\n \"logfile\": str(log_file),\n }\n config = component_tests_config(additional_config=additional_config)\n\n def assert_log_file():\n test_logging.assert_log_in_file(log_file)\n test_logging.assert_json_log(log_file)\n\n self.sysv_service_scenario(config, tmp_path, assert_log_file)\n\n @skip_on_ci(\"we can't run sudo command on CI\")\n @select_platform(\"Linux\")\n @pytest.mark.skipif(os.path.exists(\"/etc/cloudflared/config.yml\"),\n reason=f\"There is already a config file in default path\")\n def test_sysv_service_rotating_log(self, tmp_path, component_tests_config):\n log_dir = tmp_path / \"logs\"\n additional_config = {\n \"loglevel\": \"debug\",\n \"log-directory\": str(log_dir),\n }\n config = component_tests_config(additional_config=additional_config)\n\n def assert_rotating_log():\n # We need the folder to have executable permissions for the \"stat\" command in the assertions to work.\n subprocess.check_call(['sudo', 'chmod', 'o+x', log_dir])\n test_logging.assert_log_to_dir(config, log_dir)\n\n self.sysv_service_scenario(config, tmp_path, assert_rotating_log)\n\n @skip_on_ci(\"we can't run sudo command on CI\")\n @select_platform(\"Linux\")\n @pytest.mark.skipif(os.path.exists(\"/etc/cloudflared/config.yml\"),\n reason=f\"There is already a config file in default path\")\n def test_sysv_service_with_token(self, tmp_path, component_tests_config):\n additional_config = {\n \"loglevel\": \"debug\",\n }\n\n config = component_tests_config(additional_config=additional_config)\n\n # service install doesn't install the config file but in this case we want to use some default settings\n # so we write the base config without the tunnel credentials and ID\n config_path = write_config(tmp_path, config.base_config())\n subprocess.run([\"sudo\", \"cp\", config_path, \"/etc/cloudflared/config.yml\"], check=True)\n\n self.sysv_service_scenario(config, tmp_path, use_token=True)\n\n def sysv_service_scenario(self, config, tmp_path, extra_assertions=None, use_token=False):\n with self.run_service(tmp_path, config, root=True, use_token=use_token):\n self.sysv_cmd(\"status\")\n wait_tunnel_ready(tunnel_url=config.get_url())\n if extra_assertions is not None:\n extra_assertions()\n\n # Service install copies config file to /etc/cloudflared/config.yml\n subprocess.run([\"sudo\", \"rm\", \"/etc/cloudflared/config.yml\"])\n self.sysv_cmd(\"status\", success=False)\n\n @contextmanager\n def run_service(self, tmp_path, config, root=False, use_token=False):\n args = [\"service\", \"install\"]\n\n if use_token:\n args.append(config.get_token())\n\n try:\n service = start_cloudflared(\n tmp_path, config, cfd_args=args, cfd_pre_args=[], capture_output=False, root=root, skip_config_flag=use_token)\n yield service\n finally:\n start_cloudflared(\n tmp_path, config, cfd_args=[\"service\", \"uninstall\"], cfd_pre_args=[], capture_output=False, root=root, skip_config_flag=use_token)\n\n def launchctl_cmd(self, action, success=True):\n cmd = subprocess.run(\n [\"launchctl\", action, \"com.cloudflare.cloudflared\"], check=success)\n if not success:\n assert cmd.returncode != 0, f\"Expect {cmd.args} to fail, but it succeed\"\n\n def sysv_cmd(self, action, success=True):\n cmd = subprocess.run(\n [\"sudo\", \"service\", \"cloudflared\", action], check=success)\n if not success:\n assert cmd.returncode != 0, f\"Expect {cmd.args} to fail, but it succeed\"\n" }, { "path": "component-tests/test_tail.py", "content": "#!/usr/bin/env python\nimport asyncio\nimport json\nimport pytest\nimport requests\nimport websockets\nfrom websockets.client import connect, WebSocketClientProtocol\nfrom conftest import CfdModes\nfrom constants import MAX_RETRIES, BACKOFF_SECS\nfrom retrying import retry\nfrom cli import CloudflaredCli\nfrom util import LOGGER, start_cloudflared, write_config, wait_tunnel_ready\n\nclass TestTail:\n @pytest.mark.asyncio\n async def test_start_stop_streaming(self, tmp_path, component_tests_config):\n \"\"\"\n Validates that a websocket connection to management.argotunnel.com/logs can be opened\n with the access token and start and stop streaming on-demand.\n \"\"\"\n print(\"test_start_stop_streaming\")\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n config_path = write_config(tmp_path, config.full_config)\n with start_cloudflared(tmp_path, config, cfd_args=[\"run\", \"--hello-world\"], new_process=True):\n wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)\n cfd_cli = CloudflaredCli(config, config_path, LOGGER)\n url = cfd_cli.get_management_wsurl(\"logs\", config, config_path, resource=\"logs\")\n async with connect(url, open_timeout=5, close_timeout=3) as websocket:\n await websocket.send('{\"type\": \"start_streaming\"}')\n await websocket.send('{\"type\": \"stop_streaming\"}')\n await websocket.send('{\"type\": \"start_streaming\"}')\n await websocket.send('{\"type\": \"stop_streaming\"}')\n\n @pytest.mark.asyncio\n async def test_streaming_logs(self, tmp_path, component_tests_config):\n \"\"\"\n Validates that a streaming logs connection will stream logs\n \"\"\"\n print(\"test_streaming_logs\")\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n config_path = write_config(tmp_path, config.full_config)\n with start_cloudflared(tmp_path, config, cfd_args=[\"run\", \"--hello-world\"], new_process=True):\n wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)\n cfd_cli = CloudflaredCli(config, config_path, LOGGER)\n url = cfd_cli.get_management_wsurl(\"logs\", config, config_path, resource=\"logs\")\n async with connect(url, open_timeout=5, close_timeout=5) as websocket:\n # send start_streaming\n await websocket.send(json.dumps({\n \"type\": \"start_streaming\",\n \"filters\": {\n \"events\": [\"http\"]\n }\n }))\n # send some http requests to the tunnel to trigger some logs\n await generate_and_validate_http_events(websocket, config.get_url(), 10)\n # send stop_streaming\n await websocket.send('{\"type\": \"stop_streaming\"}')\n\n @pytest.mark.asyncio\n async def test_streaming_logs_filters(self, tmp_path, component_tests_config):\n \"\"\"\n Validates that a streaming logs connection will stream logs \n but not http when filters applied.\n \"\"\"\n print(\"test_streaming_logs_filters\")\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n config_path = write_config(tmp_path, config.full_config)\n with start_cloudflared(tmp_path, config, cfd_args=[\"run\", \"--hello-world\"], new_process=True):\n wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)\n cfd_cli = CloudflaredCli(config, config_path, LOGGER)\n url = cfd_cli.get_management_wsurl(\"logs\", config, config_path, resource=\"logs\")\n async with connect(url, open_timeout=5, close_timeout=5) as websocket:\n # send start_streaming with tcp logs only\n await websocket.send(json.dumps({\n \"type\": \"start_streaming\",\n \"filters\": {\n \"events\": [\"tcp\"],\n \"level\": \"debug\"\n }\n }))\n # don't expect any http logs\n await generate_and_validate_no_log_event(websocket, config.get_url())\n # send stop_streaming\n await websocket.send('{\"type\": \"stop_streaming\"}')\n \n @pytest.mark.asyncio\n async def test_streaming_logs_sampling(self, tmp_path, component_tests_config):\n \"\"\"\n Validates that a streaming logs connection will stream logs with sampling.\n \"\"\"\n print(\"test_streaming_logs_sampling\")\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n config_path = write_config(tmp_path, config.full_config)\n with start_cloudflared(tmp_path, config, cfd_args=[\"run\", \"--hello-world\"], new_process=True):\n wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)\n cfd_cli = CloudflaredCli(config, config_path, LOGGER)\n url = cfd_cli.get_management_wsurl(\"logs\", config, config_path, resource=\"logs\")\n async with connect(url, open_timeout=5, close_timeout=5) as websocket:\n # send start_streaming with info logs only\n await websocket.send(json.dumps({\n \"type\": \"start_streaming\",\n \"filters\": {\n \"sampling\": 0.5,\n \"events\": [\"http\"]\n }\n }))\n # don't expect any http logs\n count = await generate_and_validate_http_events(websocket, config.get_url(), 10)\n assert count < (10 * 2) # There are typically always two log lines for http requests (request and response)\n # send stop_streaming\n await websocket.send('{\"type\": \"stop_streaming\"}')\n\n @pytest.mark.asyncio\n async def test_streaming_logs_actor_override(self, tmp_path, component_tests_config):\n \"\"\"\n Validates that a streaming logs session can be overriden by the same actor \n \"\"\"\n print(\"test_streaming_logs_actor_override\")\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n config_path = write_config(tmp_path, config.full_config)\n with start_cloudflared(tmp_path, config, cfd_args=[\"run\", \"--hello-world\"], new_process=True):\n wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)\n cfd_cli = CloudflaredCli(config, config_path, LOGGER)\n url = cfd_cli.get_management_wsurl(\"logs\", config, config_path, resource=\"logs\")\n task = asyncio.ensure_future(start_streaming_to_be_remotely_closed(url))\n override_task = asyncio.ensure_future(start_streaming_override(url))\n await asyncio.wait([task, override_task])\n assert task.exception() == None, task.exception()\n assert override_task.exception() == None, override_task.exception()\n\nasync def start_streaming_to_be_remotely_closed(url):\n async with connect(url, open_timeout=5, close_timeout=5) as websocket:\n try:\n await websocket.send(json.dumps({\"type\": \"start_streaming\"}))\n await asyncio.sleep(10)\n assert websocket.closed, \"expected this request to be forcibly closed by the override\"\n except websockets.ConnectionClosed:\n # we expect the request to be closed\n pass\n\nasync def start_streaming_override(url):\n # wait for the first connection to be established\n await asyncio.sleep(1)\n async with connect(url, open_timeout=5, close_timeout=5) as websocket:\n await websocket.send(json.dumps({\"type\": \"start_streaming\"}))\n await asyncio.sleep(1)\n await websocket.send(json.dumps({\"type\": \"stop_streaming\"}))\n await asyncio.sleep(1)\n\n# Every http request has two log lines sent\nasync def generate_and_validate_http_events(websocket: WebSocketClientProtocol, url: str, count_send: int):\n for i in range(count_send):\n send_request(url)\n # There are typically always two log lines for http requests (request and response)\n count = 0\n while True:\n try:\n req_line = await asyncio.wait_for(websocket.recv(), 2)\n log_line = json.loads(req_line)\n assert log_line[\"type\"] == \"logs\"\n assert log_line[\"logs\"][0][\"event\"] == \"http\"\n count += 1\n except asyncio.TimeoutError:\n # ignore timeout from waiting for recv\n break\n return count\n\n# Every http request has two log lines sent\nasync def generate_and_validate_no_log_event(websocket: WebSocketClientProtocol, url: str):\n send_request(url)\n try:\n # wait for 5 seconds and make sure we hit the timeout and not recv any events\n req_line = await asyncio.wait_for(websocket.recv(), 5)\n assert req_line == None, \"expected no logs for the specified filters\"\n except asyncio.TimeoutError:\n pass\n\n@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)\ndef send_request(url, headers={}):\n with requests.Session() as s:\n resp = s.get(url, timeout=BACKOFF_SECS, headers=headers)\n assert resp.status_code == 200, f\"{url} returned {resp}\"\n return resp.status_code == 200" }, { "path": "component-tests/test_termination.py", "content": "#!/usr/bin/env python\nfrom contextlib import contextmanager\nimport platform\nimport signal\nimport threading\nimport time\n\nimport pytest\nimport requests\n\nfrom constants import protocols\nfrom util import start_cloudflared, wait_tunnel_ready, check_tunnel_not_connected\n\n\ndef supported_signals():\n if platform.system() == \"Windows\":\n return [signal.SIGTERM]\n return [signal.SIGTERM, signal.SIGINT]\n\n\nclass TestTermination:\n grace_period = 5\n timeout = 10\n sse_endpoint = \"/sse?freq=1s\"\n\n def _extra_config(self, protocol):\n return {\n \"grace-period\": f\"{self.grace_period}s\",\n \"protocol\": protocol,\n }\n\n @pytest.mark.parametrize(\"signal\", supported_signals())\n @pytest.mark.parametrize(\"protocol\", protocols())\n def test_graceful_shutdown(self, tmp_path, component_tests_config, signal, protocol):\n config = component_tests_config(self._extra_config(protocol))\n with start_cloudflared(\n tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], new_process=True, capture_output=False) as cloudflared:\n wait_tunnel_ready(tunnel_url=config.get_url())\n\n connected = threading.Condition()\n in_flight_req = threading.Thread(\n target=self.stream_request, args=(config, connected, False, ))\n in_flight_req.start()\n\n with connected:\n connected.wait(self.timeout)\n # Send signal after the SSE connection is established\n with self.within_grace_period():\n self.terminate_by_signal(cloudflared, signal)\n self.wait_eyeball_thread(\n in_flight_req, self.grace_period + self.timeout)\n\n # test cloudflared terminates before grace period expires when all eyeball\n # connections are drained\n @pytest.mark.parametrize(\"signal\", supported_signals())\n @pytest.mark.parametrize(\"protocol\", protocols())\n def test_shutdown_once_no_connection(self, tmp_path, component_tests_config, signal, protocol):\n config = component_tests_config(self._extra_config(protocol))\n with start_cloudflared(\n tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], new_process=True, capture_output=False) as cloudflared:\n wait_tunnel_ready(tunnel_url=config.get_url())\n\n connected = threading.Condition()\n in_flight_req = threading.Thread(\n target=self.stream_request, args=(config, connected, True, ))\n in_flight_req.start()\n\n with connected:\n connected.wait(self.timeout)\n with self.within_grace_period(has_connection=False):\n # Send signal after the SSE connection is established\n self.terminate_by_signal(cloudflared, signal)\n self.wait_eyeball_thread(in_flight_req, self.grace_period)\n\n @pytest.mark.parametrize(\"signal\", supported_signals())\n @pytest.mark.parametrize(\"protocol\", protocols())\n def test_no_connection_shutdown(self, tmp_path, component_tests_config, signal, protocol):\n config = component_tests_config(self._extra_config(protocol))\n with start_cloudflared(\n tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], new_process=True, capture_output=False) as cloudflared:\n wait_tunnel_ready(tunnel_url=config.get_url())\n with self.within_grace_period(has_connection=False):\n self.terminate_by_signal(cloudflared, signal)\n\n def terminate_by_signal(self, cloudflared, sig):\n cloudflared.send_signal(sig)\n check_tunnel_not_connected()\n cloudflared.wait()\n\n def wait_eyeball_thread(self, thread, timeout):\n thread.join(timeout)\n assert thread.is_alive() == False, \"eyeball thread is still alive\"\n\n # Using this context asserts logic within the context is executed within grace period\n @contextmanager\n def within_grace_period(self, has_connection=True):\n try:\n start = time.time()\n yield\n finally:\n\n # If the request takes longer than the grace period then we need to wait at most the grace period.\n # If the request fell within the grace period cloudflared can close earlier, but to ensure that it doesn't\n # close immediately we add a minimum boundary. If cloudflared shutdown in less than 1s it's likely that\n # it shutdown as soon as it received SIGINT. The only way cloudflared can close immediately is if it has no\n # in-flight requests\n minimum = 1 if has_connection else 0\n duration = time.time() - start\n # Here we truncate to ensure that we don't fail on minute differences like 10.1 instead of 10\n assert minimum <= int(duration) <= self.grace_period\n\n def stream_request(self, config, connected, early_terminate):\n expected_terminate_message = \"502 Bad Gateway\"\n url = config.get_url() + self.sse_endpoint\n\n with requests.get(url, timeout=5, stream=True) as resp:\n with connected:\n connected.notifyAll()\n lines = 0\n for line in resp.iter_lines():\n if expected_terminate_message.encode() == line:\n break\n lines += 1\n if early_terminate and lines == 2:\n return\n # /sse returns count followed by 2 new lines\n assert lines >= (self.grace_period * 2)\n" }, { "path": "component-tests/test_token.py", "content": "import base64\nimport json\n\nfrom setup import get_config_from_file\nfrom util import start_cloudflared\n\n\nclass TestToken:\n def test_get_token(self, tmp_path, component_tests_config):\n config = component_tests_config()\n tunnel_id = config.get_tunnel_id()\n\n token_args = [\"--origincert\", cert_path(), \"token\", tunnel_id]\n output = start_cloudflared(tmp_path, config, token_args)\n\n assert parse_token(config.get_token()) == parse_token(output.stdout)\n\n def test_get_credentials_file(self, tmp_path, component_tests_config):\n config = component_tests_config()\n tunnel_id = config.get_tunnel_id()\n\n cred_file = tmp_path / \"test_get_credentials_file.json\"\n token_args = [\"--origincert\", cert_path(), \"token\", \"--cred-file\", cred_file, tunnel_id]\n start_cloudflared(tmp_path, config, token_args)\n\n with open(cred_file) as json_file:\n assert config.get_credentials_json() == json.load(json_file)\n\n\ndef cert_path():\n return get_config_from_file()[\"origincert\"]\n\n\ndef parse_token(token):\n return json.loads(base64.b64decode(token))\n" }, { "path": "component-tests/test_tunnel.py", "content": "#!/usr/bin/env python\nimport requests\nfrom conftest import CfdModes\nfrom constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS\nfrom retrying import retry\nfrom cli import CloudflaredCli\nfrom util import LOGGER, write_config, start_cloudflared, wait_tunnel_ready, send_requests\nimport platform\n\nclass TestTunnel:\n '''Test tunnels with no ingress rules from config.yaml but ingress rules from CLI only'''\n\n def test_tunnel_hello_world(self, tmp_path, component_tests_config):\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], cfd_args=[\"run\", \"--hello-world\"], new_process=True):\n wait_tunnel_ready(tunnel_url=config.get_url(),\n require_min_connections=1)\n \n def test_tunnel_url(self, tmp_path, component_tests_config):\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], cfd_args=[\"run\", \"--url\", f\"http://localhost:{METRICS_PORT}/\"], new_process=True):\n wait_tunnel_ready(require_min_connections=1)\n send_requests(config.get_url()+\"/ready\", 3, True)\n\n def test_tunnel_no_ingress(self, tmp_path, component_tests_config):\n '''\n Running a tunnel with no ingress rules provided from either config.yaml or CLI will still work but return 503\n for all incoming requests.\n '''\n config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)\n LOGGER.debug(config)\n with start_cloudflared(tmp_path, config, cfd_pre_args=[\"tunnel\", \"--ha-connections\", \"1\"], cfd_args=[\"run\"], new_process=True):\n wait_tunnel_ready(require_min_connections=1)\n expected_status_code = 503\n resp = send_request(config.get_url()+\"/\", expected_status_code)\n assert resp.status_code == expected_status_code, \"Expected cloudflared to return 503 for all requests with no ingress defined\"\n resp = send_request(config.get_url()+\"/test\", expected_status_code)\n assert resp.status_code == expected_status_code, \"Expected cloudflared to return 503 for all requests with no ingress defined\"\n\ndef retry_if_result_none(result):\n '''\n Returns True if the result is None, indicating that the function should be retried.\n '''\n return result is None\n\n@retry(retry_on_result=retry_if_result_none, stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)\ndef send_request(url, expected_status_code=200):\n with requests.Session() as s:\n resp = s.get(url, timeout=BACKOFF_SECS)\n return resp if resp.status_code == expected_status_code else None\n" }, { "path": "component-tests/util.py", "content": "import logging\nimport os\nimport platform\nimport subprocess\nfrom contextlib import contextmanager\nfrom time import sleep\nimport sys\n\nimport pytest\n\nimport requests\nimport yaml\nfrom retrying import retry\n\nfrom constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS\n\ndef configure_logger():\n logger = logging.getLogger(__name__)\n logger.setLevel(logging.DEBUG)\n handler = logging.StreamHandler(sys.stdout)\n logger.addHandler(handler)\n return logger\n\nLOGGER = configure_logger()\n\ndef select_platform(plat):\n return pytest.mark.skipif(\n platform.system() != plat, reason=f\"Only runs on {plat}\")\n\ndef fips_enabled():\n env_fips = os.getenv(\"COMPONENT_TESTS_FIPS\")\n return env_fips is not None and env_fips != \"0\"\n\nnofips = pytest.mark.skipif(\n fips_enabled(), reason=f\"Only runs without FIPS (COMPONENT_TESTS_FIPS=0)\")\n\ndef skip_on_ci(reason):\n env_ci = os.getenv(\"CI\")\n running_in_ci = env_ci is not None and env_ci != \"0\"\n return pytest.mark.skipif(\n running_in_ci, reason=f\"This test can't run on CI due to: {reason}\")\n\ndef write_config(directory, config):\n config_path = directory / \"config.yml\"\n with open(config_path, 'w') as outfile:\n yaml.dump(config, outfile)\n return config_path\n\n\ndef start_cloudflared(directory, config, cfd_args=[\"run\"], cfd_pre_args=[\"tunnel\"], new_process=False,\n allow_input=False, capture_output=True, root=False, skip_config_flag=False, expect_success=True):\n\n config_path = None\n if not skip_config_flag:\n config_path = write_config(directory, config.full_config)\n\n cmd = cloudflared_cmd(config, config_path, cfd_args, cfd_pre_args, root)\n\n if new_process:\n return run_cloudflared_background(cmd, allow_input, capture_output)\n # By setting check=True, it will raise an exception if the process exits with non-zero exit code\n return subprocess.run(cmd, check=expect_success, capture_output=capture_output)\n\ndef cloudflared_cmd(config, config_path, cfd_args, cfd_pre_args, root):\n cmd = []\n if root:\n cmd += [\"sudo\"]\n cmd += [config.cloudflared_binary]\n cmd += cfd_pre_args\n\n if config_path is not None:\n cmd += [\"--config\", str(config_path)]\n\n cmd += cfd_args\n LOGGER.info(f\"Run cmd {cmd} with config {config}\")\n return cmd\n\n\n@contextmanager\ndef run_cloudflared_background(cmd, allow_input, capture_output):\n output = subprocess.PIPE if capture_output else subprocess.DEVNULL\n stdin = subprocess.PIPE if allow_input else None\n cfd = None\n try:\n cfd = subprocess.Popen(cmd, stdin=stdin, stdout=output, stderr=output)\n yield cfd\n finally:\n if cfd:\n cfd.terminate()\n if capture_output:\n LOGGER.info(f\"cloudflared log: {cfd.stderr.read()}\")\n \n\ndef get_quicktunnel_url():\n quicktunnel_url = f'http://localhost:{METRICS_PORT}/quicktunnel'\n with requests.Session() as s:\n resp = send_request(s, quicktunnel_url, True)\n\n hostname = resp.json()[\"hostname\"]\n assert hostname, \\\n f\"Quicktunnel endpoint returned {hostname} but we expected a url\"\n\n return f\"https://{hostname}\"\n\ndef wait_tunnel_ready(tunnel_url=None, require_min_connections=1, cfd_logs=None):\n try:\n inner_wait_tunnel_ready(tunnel_url, require_min_connections)\n except Exception as e:\n if cfd_logs is not None:\n _log_cloudflared_logs(cfd_logs)\n raise e\n\n\n@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)\ndef inner_wait_tunnel_ready(tunnel_url=None, require_min_connections=1):\n metrics_url = f'http://localhost:{METRICS_PORT}/ready'\n\n with requests.Session() as s:\n LOGGER.debug(\"Waiting for tunnel to be ready...\")\n resp = send_request(s, metrics_url, True)\n\n ready_connections = resp.json()[\"readyConnections\"]\n\n assert ready_connections >= require_min_connections, \\\n f\"Ready endpoint returned {resp.json()} but we expect at least {require_min_connections} connections\"\n\n if tunnel_url is not None:\n send_request(s, tunnel_url, True)\n\ndef _log_cloudflared_logs(cfd_logs):\n log_file = cfd_logs\n if os.path.isdir(cfd_logs):\n files = os.listdir(cfd_logs)\n if len(files) == 0:\n return\n log_file = os.path.join(cfd_logs, files[0])\n with open(log_file, \"r\") as f:\n LOGGER.warning(\"Cloudflared Tunnel was not ready:\")\n for line in f.readlines():\n LOGGER.warning(line)\n\n\n@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)\ndef check_tunnel_not_connected():\n url = f'http://localhost:{METRICS_PORT}/ready'\n\n try:\n resp = requests.get(url, timeout=BACKOFF_SECS)\n assert resp.status_code == 503, f\"Expect {url} returns 503, got {resp.status_code}\"\n assert resp.json()[\n \"readyConnections\"] == 0, \"Expected all connections to be terminated (pending reconnect)\"\n # cloudflared might already terminate\n except requests.exceptions.ConnectionError as e:\n LOGGER.warning(f\"Failed to connect to {url}, error: {e}\")\n\n\ndef get_tunnel_connector_id():\n url = f'http://localhost:{METRICS_PORT}/ready'\n\n try:\n resp = requests.get(url, timeout=1)\n return resp.json()[\"connectorId\"]\n # cloudflared might already terminated\n except requests.exceptions.ConnectionError as e:\n LOGGER.warning(f\"Failed to connect to {url}, error: {e}\")\n\n\n# In some cases we don't need to check response status, such as when sending batch requests to generate logs\ndef send_requests(url, count, require_ok=True):\n errors = 0\n with requests.Session() as s:\n for _ in range(count):\n resp = send_request(s, url, require_ok)\n if resp is None:\n errors += 1\n sleep(0.01)\n if errors > 0:\n LOGGER.warning(\n f\"{errors} out of {count} requests to {url} return non-200 status\")\n\n\n@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)\ndef send_request(session, url, require_ok):\n resp = session.get(url, timeout=BACKOFF_SECS)\n if require_ok:\n assert resp.status_code == 200, f\"{url} returned {resp}\"\n return resp if resp.status_code == 200 else None\n\n\ndef decode_jwt_payload(token):\n \"\"\"\n Decode the payload section of a JWT token without signature verification.\n \n JWT Structure:\n ==============\n A JWT consists of three Base64URL-encoded parts separated by dots:\n HEADER.PAYLOAD.SIGNATURE\n \n The payload contains the JWT claims (the actual data/permissions).\n \n Args:\n token (str): The complete JWT token string\n \n Returns:\n dict: The decoded payload as a dictionary containing JWT claims\n \n Raises:\n ValueError: If the token doesn't have exactly 3 parts\n \n Note:\n This function does NOT verify the signature - it only decodes the payload.\n Use this only when you trust the token source (e.g., tokens you just generated).\n \"\"\"\n import base64\n import json\n \n # Split JWT into its three components\n parts = token.split('.')\n if len(parts) != 3:\n raise ValueError(f\"Invalid JWT format: expected 3 parts, got {len(parts)}\")\n \n # Extract and decode the payload (middle section)\n # Base64 requires padding to be a multiple of 4 characters\n payload_encoded = parts[1]\n remainder = len(payload_encoded) % 4\n if remainder != 0:\n payload_padded = payload_encoded + '=' * (4 - remainder)\n else:\n payload_padded = payload_encoded\n \n # Decode from Base64URL format and parse JSON\n decoded_payload = base64.urlsafe_b64decode(payload_padded)\n return json.loads(decoded_payload)\n" }, { "path": "config/configuration.go", "content": "package config\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/url\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"time\"\n\n\thomedir \"github.com/mitchellh/go-homedir\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\tyaml \"gopkg.in/yaml.v3\"\n\n\t\"github.com/cloudflare/cloudflared/validation\"\n)\n\nvar (\n\t// DefaultConfigFiles is the file names from which we attempt to read configuration.\n\tDefaultConfigFiles = []string{\"config.yml\", \"config.yaml\"}\n\n\t// DefaultUnixConfigLocation is the primary location to find a config file\n\tDefaultUnixConfigLocation = \"/usr/local/etc/cloudflared\"\n\n\t// DefaultUnixLogLocation is the primary location to find log files\n\tDefaultUnixLogLocation = \"/var/log/cloudflared\"\n\n\t// Launchd doesn't set root env variables, so there is default\n\t// Windows default config dir was ~/cloudflare-warp in documentation; let's keep it compatible\n\tdefaultUserConfigDirs = []string{\"~/.cloudflared\", \"~/.cloudflare-warp\", \"~/cloudflare-warp\"}\n\tdefaultNixConfigDirs = []string{\"/etc/cloudflared\", DefaultUnixConfigLocation}\n\n\tErrNoConfigFile = fmt.Errorf(\"Cannot determine default configuration path. No file %v in %v\", DefaultConfigFiles, DefaultConfigSearchDirectories())\n)\n\nconst (\n\t// BastionFlag is to enable bastion, or jump host, operation\n\tBastionFlag = \"bastion\"\n)\n\n// DefaultConfigDirectory returns the default directory of the config file\nfunc DefaultConfigDirectory() string {\n\tif runtime.GOOS == \"windows\" {\n\t\tpath := os.Getenv(\"CFDPATH\")\n\t\tif path == \"\" {\n\t\t\tpath = filepath.Join(os.Getenv(\"ProgramFiles(x86)\"), \"cloudflared\")\n\t\t\tif _, err := os.Stat(path); os.IsNotExist(err) { // doesn't exist, so return an empty failure string\n\t\t\t\treturn \"\"\n\t\t\t}\n\t\t}\n\t\treturn path\n\t}\n\treturn DefaultUnixConfigLocation\n}\n\n// DefaultLogDirectory returns the default directory for log files\nfunc DefaultLogDirectory() string {\n\tif runtime.GOOS == \"windows\" {\n\t\treturn DefaultConfigDirectory()\n\t}\n\treturn DefaultUnixLogLocation\n}\n\n// DefaultConfigPath returns the default location of a config file\nfunc DefaultConfigPath() string {\n\tdir := DefaultConfigDirectory()\n\tif dir == \"\" {\n\t\treturn DefaultConfigFiles[0]\n\t}\n\treturn filepath.Join(dir, DefaultConfigFiles[0])\n}\n\n// DefaultConfigSearchDirectories returns the default folder locations of the config\nfunc DefaultConfigSearchDirectories() []string {\n\tdirs := make([]string, len(defaultUserConfigDirs))\n\tcopy(dirs, defaultUserConfigDirs)\n\tif runtime.GOOS != \"windows\" {\n\t\tdirs = append(dirs, defaultNixConfigDirs...)\n\t}\n\treturn dirs\n}\n\n// FileExists checks to see if a file exist at the provided path.\nfunc FileExists(path string) (bool, error) {\n\tf, err := os.Open(path)\n\tif err != nil {\n\t\tif os.IsNotExist(err) {\n\t\t\t// ignore missing files\n\t\t\treturn false, nil\n\t\t}\n\t\treturn false, err\n\t}\n\t_ = f.Close()\n\treturn true, nil\n}\n\n// FindDefaultConfigPath returns the first path that contains a config file.\n// If none of the combination of DefaultConfigSearchDirectories() and DefaultConfigFiles\n// contains a config file, return empty string.\nfunc FindDefaultConfigPath() string {\n\tfor _, configDir := range DefaultConfigSearchDirectories() {\n\t\tfor _, configFile := range DefaultConfigFiles {\n\t\t\tdirPath, err := homedir.Expand(configDir)\n\t\t\tif err != nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tpath := filepath.Join(dirPath, configFile)\n\t\t\tif ok, _ := FileExists(path); ok {\n\t\t\t\treturn path\n\t\t\t}\n\t\t}\n\t}\n\treturn \"\"\n}\n\n// FindOrCreateConfigPath returns the first path that contains a config file\n// or creates one in the primary default path if it doesn't exist\nfunc FindOrCreateConfigPath() string {\n\tpath := FindDefaultConfigPath()\n\n\tif path == \"\" {\n\t\t// create the default directory if it doesn't exist\n\t\tpath = DefaultConfigPath()\n\t\tif err := os.MkdirAll(filepath.Dir(path), os.ModePerm); err != nil {\n\t\t\treturn \"\"\n\t\t}\n\n\t\t// write a new config file out\n\t\tfile, err := os.Create(path)\n\t\tif err != nil {\n\t\t\treturn \"\"\n\t\t}\n\t\tdefer file.Close()\n\n\t\tlogDir := DefaultLogDirectory()\n\t\t_ = os.MkdirAll(logDir, os.ModePerm) // try and create it. Doesn't matter if it succeed or not, only byproduct will be no logs\n\n\t\tc := Root{\n\t\t\tLogDirectory: logDir,\n\t\t}\n\t\tif err := yaml.NewEncoder(file).Encode(&c); err != nil {\n\t\t\treturn \"\"\n\t\t}\n\t}\n\n\treturn path\n}\n\n// ValidateUnixSocket ensures --unix-socket param is used exclusively\n// i.e. it fails if a user specifies both --url and --unix-socket\nfunc ValidateUnixSocket(c *cli.Context) (string, error) {\n\tif c.IsSet(\"unix-socket\") && (c.IsSet(\"url\") || c.NArg() > 0) {\n\t\treturn \"\", errors.New(\"--unix-socket must be used exclusively.\")\n\t}\n\treturn c.String(\"unix-socket\"), nil\n}\n\n// ValidateUrl will validate url flag correctness. It can be either from --url or argument\n// Notice ValidateUnixSocket, it will enforce --unix-socket is not used with --url or argument\nfunc ValidateUrl(c *cli.Context, allowURLFromArgs bool) (*url.URL, error) {\n\tvar url = c.String(\"url\")\n\tif allowURLFromArgs && c.NArg() > 0 {\n\t\tif c.IsSet(\"url\") {\n\t\t\treturn nil, errors.New(\"Specified origin urls using both --url and argument. Decide which one you want, I can only support one.\")\n\t\t}\n\t\turl = c.Args().Get(0)\n\t}\n\tvalidUrl, err := validation.ValidateUrl(url)\n\treturn validUrl, err\n}\n\ntype UnvalidatedIngressRule struct {\n\tHostname string `json:\"hostname,omitempty\"`\n\tPath string `json:\"path,omitempty\"`\n\tService string `json:\"service,omitempty\"`\n\tOriginRequest OriginRequestConfig `yaml:\"originRequest\" json:\"originRequest\"`\n}\n\n// OriginRequestConfig is a set of optional fields that users may set to\n// customize how cloudflared sends requests to origin services. It is used to set\n// up general config that apply to all rules, and also, specific per-rule\n// config.\n// Note:\n// - To specify a time.Duration in go-yaml, use e.g. \"3s\" or \"24h\".\n// - To specify a time.Duration in json, use int64 of the nanoseconds\ntype OriginRequestConfig struct {\n\t// HTTP proxy timeout for establishing a new connection\n\tConnectTimeout *CustomDuration `yaml:\"connectTimeout\" json:\"connectTimeout,omitempty\"`\n\t// HTTP proxy timeout for completing a TLS handshake\n\tTLSTimeout *CustomDuration `yaml:\"tlsTimeout\" json:\"tlsTimeout,omitempty\"`\n\t// HTTP proxy TCP keepalive duration\n\tTCPKeepAlive *CustomDuration `yaml:\"tcpKeepAlive\" json:\"tcpKeepAlive,omitempty\"`\n\t// HTTP proxy should disable \"happy eyeballs\" for IPv4/v6 fallback\n\tNoHappyEyeballs *bool `yaml:\"noHappyEyeballs\" json:\"noHappyEyeballs,omitempty\"`\n\t// HTTP proxy maximum keepalive connection pool size\n\tKeepAliveConnections *int `yaml:\"keepAliveConnections\" json:\"keepAliveConnections,omitempty\"`\n\t// HTTP proxy timeout for closing an idle connection\n\tKeepAliveTimeout *CustomDuration `yaml:\"keepAliveTimeout\" json:\"keepAliveTimeout,omitempty\"`\n\t// Sets the HTTP Host header for the local webserver.\n\tHTTPHostHeader *string `yaml:\"httpHostHeader\" json:\"httpHostHeader,omitempty\"`\n\t// Hostname on the origin server certificate.\n\tOriginServerName *string `yaml:\"originServerName\" json:\"originServerName,omitempty\"`\n\t// Auto configure the Hostname on the origin server certificate.\n\tMatchSNIToHost *bool `yaml:\"matchSNItoHost\" json:\"matchSNItoHost,omitempty\"`\n\t// Path to the CA for the certificate of your origin.\n\t// This option should be used only if your certificate is not signed by Cloudflare.\n\tCAPool *string `yaml:\"caPool\" json:\"caPool,omitempty\"`\n\t// Disables TLS verification of the certificate presented by your origin.\n\t// Will allow any certificate from the origin to be accepted.\n\t// Note: The connection from your machine to Cloudflare's Edge is still encrypted.\n\tNoTLSVerify *bool `yaml:\"noTLSVerify\" json:\"noTLSVerify,omitempty\"`\n\t// Disables chunked transfer encoding.\n\t// Useful if you are running a WSGI server.\n\tDisableChunkedEncoding *bool `yaml:\"disableChunkedEncoding\" json:\"disableChunkedEncoding,omitempty\"`\n\t// Runs as jump host\n\tBastionMode *bool `yaml:\"bastionMode\" json:\"bastionMode,omitempty\"`\n\t// Listen address for the proxy.\n\tProxyAddress *string `yaml:\"proxyAddress\" json:\"proxyAddress,omitempty\"`\n\t// Listen port for the proxy.\n\tProxyPort *uint `yaml:\"proxyPort\" json:\"proxyPort,omitempty\"`\n\t// Valid options are 'socks' or empty.\n\tProxyType *string `yaml:\"proxyType\" json:\"proxyType,omitempty\"`\n\t// IP rules for the proxy service\n\tIPRules []IngressIPRule `yaml:\"ipRules\" json:\"ipRules,omitempty\"`\n\t// Attempt to connect to origin with HTTP/2\n\tHttp2Origin *bool `yaml:\"http2Origin\" json:\"http2Origin,omitempty\"`\n\t// Access holds all access related configs\n\tAccess *AccessConfig `yaml:\"access\" json:\"access,omitempty\"`\n}\n\ntype AccessConfig struct {\n\t// Required when set to true will fail every request that does not arrive through an access authenticated endpoint.\n\tRequired bool `yaml:\"required\" json:\"required,omitempty\"`\n\n\t// TeamName is the organization team name to get the public key certificates for.\n\tTeamName string `yaml:\"teamName\" json:\"teamName\"`\n\n\t// AudTag is the AudTag to verify access JWT against.\n\tAudTag []string `yaml:\"audTag\" json:\"audTag\"`\n\n\tEnvironment string `yaml:\"environment\" json:\"environment,omitempty\"`\n}\n\ntype IngressIPRule struct {\n\tPrefix *string `yaml:\"prefix\" json:\"prefix\"`\n\tPorts []int `yaml:\"ports\" json:\"ports\"`\n\tAllow bool `yaml:\"allow\" json:\"allow\"`\n}\n\ntype Configuration struct {\n\tTunnelID string `yaml:\"tunnel\"`\n\tIngress []UnvalidatedIngressRule\n\tWarpRouting WarpRoutingConfig `yaml:\"warp-routing\"`\n\tOriginRequest OriginRequestConfig `yaml:\"originRequest\"`\n\tsourceFile string\n}\n\ntype WarpRoutingConfig struct {\n\tConnectTimeout *CustomDuration `yaml:\"connectTimeout\" json:\"connectTimeout,omitempty\"`\n\tMaxActiveFlows *uint64 `yaml:\"maxActiveFlows\" json:\"maxActiveFlows,omitempty\"`\n\tTCPKeepAlive *CustomDuration `yaml:\"tcpKeepAlive\" json:\"tcpKeepAlive,omitempty\"`\n}\n\ntype configFileSettings struct {\n\tConfiguration `yaml:\",inline\"`\n\t// older settings will be aggregated into the generic map, should be read via cli.Context\n\tSettings map[string]interface{} `yaml:\",inline\"`\n}\n\nfunc (c *Configuration) Source() string {\n\treturn c.sourceFile\n}\n\nfunc (c *configFileSettings) Int(name string) (int, error) {\n\tif raw, ok := c.Settings[name]; ok {\n\t\tif v, ok := raw.(int); ok {\n\t\t\treturn v, nil\n\t\t}\n\t\treturn 0, fmt.Errorf(\"expected int found %T for %s\", raw, name)\n\t}\n\treturn 0, nil\n}\n\nfunc (c *configFileSettings) Duration(name string) (time.Duration, error) {\n\tif raw, ok := c.Settings[name]; ok {\n\t\tswitch v := raw.(type) {\n\t\tcase time.Duration:\n\t\t\treturn v, nil\n\t\tcase string:\n\t\t\treturn time.ParseDuration(v)\n\t\t}\n\t\treturn 0, fmt.Errorf(\"expected duration found %T for %s\", raw, name)\n\t}\n\treturn 0, nil\n}\n\nfunc (c *configFileSettings) Float64(name string) (float64, error) {\n\tif raw, ok := c.Settings[name]; ok {\n\t\tif v, ok := raw.(float64); ok {\n\t\t\treturn v, nil\n\t\t}\n\t\treturn 0, fmt.Errorf(\"expected float found %T for %s\", raw, name)\n\t}\n\treturn 0, nil\n}\n\nfunc (c *configFileSettings) String(name string) (string, error) {\n\tif raw, ok := c.Settings[name]; ok {\n\t\tif v, ok := raw.(string); ok {\n\t\t\treturn v, nil\n\t\t}\n\t\treturn \"\", fmt.Errorf(\"expected string found %T for %s\", raw, name)\n\t}\n\treturn \"\", nil\n}\n\nfunc (c *configFileSettings) StringSlice(name string) ([]string, error) {\n\tif raw, ok := c.Settings[name]; ok {\n\t\tif slice, ok := raw.([]interface{}); ok {\n\t\t\tstrSlice := make([]string, len(slice))\n\t\t\tfor i, v := range slice {\n\t\t\t\tstr, ok := v.(string)\n\t\t\t\tif !ok {\n\t\t\t\t\treturn nil, fmt.Errorf(\"expected string, found %T for %v\", i, v)\n\t\t\t\t}\n\t\t\t\tstrSlice[i] = str\n\t\t\t}\n\t\t\treturn strSlice, nil\n\t\t}\n\t\treturn nil, fmt.Errorf(\"expected string slice found %T for %s\", raw, name)\n\t}\n\treturn nil, nil\n}\n\nfunc (c *configFileSettings) IntSlice(name string) ([]int, error) {\n\tif raw, ok := c.Settings[name]; ok {\n\t\tif slice, ok := raw.([]interface{}); ok {\n\t\t\tintSlice := make([]int, len(slice))\n\t\t\tfor i, v := range slice {\n\t\t\t\tstr, ok := v.(int)\n\t\t\t\tif !ok {\n\t\t\t\t\treturn nil, fmt.Errorf(\"expected int, found %T for %v \", v, v)\n\t\t\t\t}\n\t\t\t\tintSlice[i] = str\n\t\t\t}\n\t\t\treturn intSlice, nil\n\t\t}\n\t\tif v, ok := raw.([]int); ok {\n\t\t\treturn v, nil\n\t\t}\n\t\treturn nil, fmt.Errorf(\"expected int slice found %T for %s\", raw, name)\n\t}\n\treturn nil, nil\n}\n\nfunc (c *configFileSettings) Generic(name string) (cli.Generic, error) {\n\treturn nil, errors.New(\"option type Generic not supported\")\n}\n\nfunc (c *configFileSettings) Bool(name string) (bool, error) {\n\tif raw, ok := c.Settings[name]; ok {\n\t\tif v, ok := raw.(bool); ok {\n\t\t\treturn v, nil\n\t\t}\n\t\treturn false, fmt.Errorf(\"expected boolean found %T for %s\", raw, name)\n\t}\n\treturn false, nil\n}\n\nvar configuration configFileSettings\n\nfunc GetConfiguration() *Configuration {\n\treturn &configuration.Configuration\n}\n\n// ReadConfigFile returns InputSourceContext initialized from the configuration file.\n// On repeat calls returns with the same file, returns without reading the file again; however,\n// if value of \"config\" flag changes, will read the new config file\nfunc ReadConfigFile(c *cli.Context, log *zerolog.Logger) (settings *configFileSettings, warnings string, err error) {\n\tconfigFile := c.String(\"config\")\n\tif configuration.Source() == configFile || configFile == \"\" {\n\t\tif configuration.Source() == \"\" {\n\t\t\treturn nil, \"\", ErrNoConfigFile\n\t\t}\n\t\treturn &configuration, \"\", nil\n\t}\n\n\tlog.Debug().Msgf(\"Loading configuration from %s\", configFile)\n\tfile, err := os.Open(configFile)\n\tif err != nil {\n\t\t// If does not exist and config file was not specificly specified then return ErrNoConfigFile found.\n\t\tif os.IsNotExist(err) && !c.IsSet(\"config\") {\n\t\t\terr = ErrNoConfigFile\n\t\t}\n\t\treturn nil, \"\", err\n\t}\n\tdefer file.Close()\n\tif err := yaml.NewDecoder(file).Decode(&configuration); err != nil {\n\t\tif err == io.EOF {\n\t\t\tlog.Error().Msgf(\"Configuration file %s was empty\", configFile)\n\t\t\treturn &configuration, \"\", nil\n\t\t}\n\t\treturn nil, \"\", errors.Wrap(err, \"error parsing YAML in config file at \"+configFile)\n\t}\n\tconfiguration.sourceFile = configFile\n\n\t// Parse it again, with strict mode, to find warnings.\n\tif file, err := os.Open(configFile); err == nil {\n\t\tdecoder := yaml.NewDecoder(file)\n\t\tdecoder.KnownFields(true)\n\t\tvar unusedConfig configFileSettings\n\t\tif err := decoder.Decode(&unusedConfig); err != nil {\n\t\t\twarnings = err.Error()\n\t\t}\n\t}\n\n\treturn &configuration, warnings, nil\n}\n\n// A CustomDuration is a Duration that has custom serialization for JSON.\n// JSON in Javascript assumes that int fields are 32 bits and Duration fields are deserialized assuming that numbers\n// are in nanoseconds, which in 32bit integers limits to just 2 seconds.\n// This type assumes that when serializing/deserializing from JSON, that the number is in seconds, while it maintains\n// the YAML serde assumptions.\ntype CustomDuration struct {\n\ttime.Duration\n}\n\nfunc (s CustomDuration) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(s.Duration.Seconds())\n}\n\nfunc (s *CustomDuration) UnmarshalJSON(data []byte) error {\n\tseconds, err := strconv.ParseInt(string(data), 10, 64)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\ts.Duration = time.Duration(seconds * int64(time.Second))\n\treturn nil\n}\n\nfunc (s *CustomDuration) MarshalYAML() (interface{}, error) {\n\treturn s.Duration.String(), nil\n}\n\nfunc (s *CustomDuration) UnmarshalYAML(unmarshal func(interface{}) error) error {\n\treturn unmarshal(&s.Duration)\n}\n" }, { "path": "config/configuration_test.go", "content": "package config\n\nimport (\n\t\"encoding/json\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\tyaml \"gopkg.in/yaml.v3\"\n)\n\nfunc TestConfigFileSettings(t *testing.T) {\n\tvar (\n\t\tfirstIngress = UnvalidatedIngressRule{\n\t\t\tHostname: \"tunnel1.example.com\",\n\t\t\tPath: \"/id\",\n\t\t\tService: \"https://localhost:8000\",\n\t\t}\n\t\tsecondIngress = UnvalidatedIngressRule{\n\t\t\tHostname: \"*\",\n\t\t\tPath: \"\",\n\t\t\tService: \"https://localhost:8001\",\n\t\t}\n\t\twarpRouting = WarpRoutingConfig{\n\t\t\tConnectTimeout: &CustomDuration{Duration: 2 * time.Second},\n\t\t\tTCPKeepAlive: &CustomDuration{Duration: 10 * time.Second},\n\t\t}\n\t)\n\trawYAML := `\ntunnel: config-file-test\noriginRequest:\n ipRules:\n - prefix: \"10.0.0.0/8\"\n ports:\n - 80\n - 8080\n allow: false\n - prefix: \"fc00::/7\"\n ports:\n - 443\n - 4443\n allow: true\ningress:\n - hostname: tunnel1.example.com\n path: /id\n service: https://localhost:8000\n - hostname: \"*\"\n service: https://localhost:8001\nwarp-routing: \n enabled: true\n connectTimeout: 2s\n tcpKeepAlive: 10s\n\nretries: 5\ngrace-period: 30s\npercentage: 3.14\nhostname: example.com\ntag:\n - test\n - central-1\ncounters:\n - 123\n - 456\n`\n\tvar config configFileSettings\n\terr := yaml.Unmarshal([]byte(rawYAML), &config)\n\tassert.NoError(t, err)\n\n\tassert.Equal(t, \"config-file-test\", config.TunnelID)\n\tassert.Equal(t, firstIngress, config.Ingress[0])\n\tassert.Equal(t, secondIngress, config.Ingress[1])\n\tassert.Equal(t, warpRouting, config.WarpRouting)\n\tprivateV4 := \"10.0.0.0/8\"\n\tprivateV6 := \"fc00::/7\"\n\tipRules := []IngressIPRule{\n\t\t{\n\t\t\tPrefix: &privateV4,\n\t\t\tPorts: []int{80, 8080},\n\t\t\tAllow: false,\n\t\t},\n\t\t{\n\t\t\tPrefix: &privateV6,\n\t\t\tPorts: []int{443, 4443},\n\t\t\tAllow: true,\n\t\t},\n\t}\n\tassert.Equal(t, ipRules, config.OriginRequest.IPRules)\n\n\tretries, err := config.Int(\"retries\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 5, retries)\n\n\tgracePeriod, err := config.Duration(\"grace-period\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, time.Second*30, gracePeriod)\n\n\tpercentage, err := config.Float64(\"percentage\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 3.14, percentage)\n\n\thostname, err := config.String(\"hostname\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"example.com\", hostname)\n\n\ttags, err := config.StringSlice(\"tag\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"test\", tags[0])\n\tassert.Equal(t, \"central-1\", tags[1])\n\n\tcounters, err := config.IntSlice(\"counters\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 123, counters[0])\n\tassert.Equal(t, 456, counters[1])\n\n}\n\nvar rawJsonConfig = []byte(`\n{\n\t\"connectTimeout\": 10,\n\t\"tlsTimeout\": 30,\n\t\"tcpKeepAlive\": 30,\n\t\"noHappyEyeballs\": true,\n\t\"keepAliveTimeout\": 60,\n\t\"keepAliveConnections\": 10,\n\t\"httpHostHeader\": \"app.tunnel.com\",\n\t\"originServerName\": \"app.tunnel.com\",\n\t\"caPool\": \"/etc/capool\",\n\t\"noTLSVerify\": true,\n\t\"disableChunkedEncoding\": true,\n\t\"bastionMode\": true,\n\t\"proxyAddress\": \"127.0.0.3\",\n\t\"proxyPort\": 9000,\n\t\"proxyType\": \"socks\",\n\t\"ipRules\": [\n\t\t{\n\t\t\t\"prefix\": \"10.0.0.0/8\",\n\t\t\t\"ports\": [80, 8080],\n\t\t\t\"allow\": false\n\t\t},\n\t\t{\n\t\t\t\"prefix\": \"fc00::/7\",\n\t\t\t\"ports\": [443, 4443],\n\t\t\t\"allow\": true\n\t\t}\n\t],\n\t\"http2Origin\": true\n}\n`)\n\nfunc TestMarshalUnmarshalOriginRequest(t *testing.T) {\n\ttestCases := []struct {\n\t\tname string\n\t\tmarshalFunc func(in interface{}) (out []byte, err error)\n\t\tunMarshalFunc func(in []byte, out interface{}) (err error)\n\t}{\n\t\t{\"json\", json.Marshal, json.Unmarshal},\n\t\t{\"yaml\", yaml.Marshal, yaml.Unmarshal},\n\t}\n\n\tfor _, tc := range testCases {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\tassertConfig(t, tc.marshalFunc, tc.unMarshalFunc)\n\t\t})\n\t}\n}\n\nfunc assertConfig(\n\tt *testing.T,\n\tmarshalFunc func(in interface{}) (out []byte, err error),\n\tunMarshalFunc func(in []byte, out interface{}) (err error),\n) {\n\tvar config OriginRequestConfig\n\tvar config2 OriginRequestConfig\n\n\tassert.NoError(t, json.Unmarshal(rawJsonConfig, &config))\n\n\tassert.Equal(t, time.Second*10, config.ConnectTimeout.Duration)\n\tassert.Equal(t, time.Second*30, config.TLSTimeout.Duration)\n\tassert.Equal(t, time.Second*30, config.TCPKeepAlive.Duration)\n\tassert.Equal(t, true, *config.NoHappyEyeballs)\n\tassert.Equal(t, time.Second*60, config.KeepAliveTimeout.Duration)\n\tassert.Equal(t, 10, *config.KeepAliveConnections)\n\tassert.Equal(t, \"app.tunnel.com\", *config.HTTPHostHeader)\n\tassert.Equal(t, \"app.tunnel.com\", *config.OriginServerName)\n\tassert.Equal(t, \"/etc/capool\", *config.CAPool)\n\tassert.Equal(t, true, *config.NoTLSVerify)\n\tassert.Equal(t, true, *config.DisableChunkedEncoding)\n\tassert.Equal(t, true, *config.BastionMode)\n\tassert.Equal(t, \"127.0.0.3\", *config.ProxyAddress)\n\tassert.Equal(t, true, *config.NoTLSVerify)\n\tassert.Equal(t, uint(9000), *config.ProxyPort)\n\tassert.Equal(t, \"socks\", *config.ProxyType)\n\tassert.Equal(t, true, *config.Http2Origin)\n\n\tprivateV4 := \"10.0.0.0/8\"\n\tprivateV6 := \"fc00::/7\"\n\tipRules := []IngressIPRule{\n\t\t{\n\t\t\tPrefix: &privateV4,\n\t\t\tPorts: []int{80, 8080},\n\t\t\tAllow: false,\n\t\t},\n\t\t{\n\t\t\tPrefix: &privateV6,\n\t\t\tPorts: []int{443, 4443},\n\t\t\tAllow: true,\n\t\t},\n\t}\n\tassert.Equal(t, ipRules, config.IPRules)\n\n\t// validate that serializing and deserializing again matches the deserialization from raw string\n\tresult, err := marshalFunc(config)\n\trequire.NoError(t, err)\n\terr = unMarshalFunc(result, &config2)\n\trequire.NoError(t, err)\n\n\trequire.Equal(t, config2, config)\n}\n" }, { "path": "config/manager.go", "content": "package config\n\nimport (\n\t\"io\"\n\t\"os\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\tyaml \"gopkg.in/yaml.v3\"\n\n\t\"github.com/cloudflare/cloudflared/watcher\"\n)\n\n// Notifier sends out config updates\ntype Notifier interface {\n\tConfigDidUpdate(Root)\n}\n\n// Manager is the base functions of the config manager\ntype Manager interface {\n\tStart(Notifier) error\n\tShutdown()\n}\n\n// FileManager watches the yaml config for changes\n// sends updates to the service to reconfigure to match the updated config\ntype FileManager struct {\n\twatcher watcher.Notifier\n\tnotifier Notifier\n\tconfigPath string\n\tlog *zerolog.Logger\n\tReadConfig func(string, *zerolog.Logger) (Root, error)\n}\n\n// NewFileManager creates a config manager\nfunc NewFileManager(watcher watcher.Notifier, configPath string, log *zerolog.Logger) (*FileManager, error) {\n\tm := &FileManager{\n\t\twatcher: watcher,\n\t\tconfigPath: configPath,\n\t\tlog: log,\n\t\tReadConfig: readConfigFromPath,\n\t}\n\terr := watcher.Add(configPath)\n\treturn m, err\n}\n\n// Start starts the runloop to watch for config changes\nfunc (m *FileManager) Start(notifier Notifier) error {\n\tm.notifier = notifier\n\n\t// update the notifier with a fresh config on start\n\tconfig, err := m.GetConfig()\n\tif err != nil {\n\t\treturn err\n\t}\n\tnotifier.ConfigDidUpdate(config)\n\n\tm.watcher.Start(m)\n\treturn nil\n}\n\n// GetConfig reads the yaml file from the disk\nfunc (m *FileManager) GetConfig() (Root, error) {\n\treturn m.ReadConfig(m.configPath, m.log)\n}\n\n// Shutdown stops the watcher\nfunc (m *FileManager) Shutdown() {\n\tm.watcher.Shutdown()\n}\n\nfunc readConfigFromPath(configPath string, log *zerolog.Logger) (Root, error) {\n\tif configPath == \"\" {\n\t\treturn Root{}, errors.New(\"unable to find config file\")\n\t}\n\n\tfile, err := os.Open(configPath)\n\tif err != nil {\n\t\treturn Root{}, err\n\t}\n\tdefer file.Close()\n\n\tvar config Root\n\tif err := yaml.NewDecoder(file).Decode(&config); err != nil {\n\t\tif err == io.EOF {\n\t\t\tlog.Error().Msgf(\"Configuration file %s was empty\", configPath)\n\t\t\treturn Root{}, nil\n\t\t}\n\t\treturn Root{}, errors.Wrap(err, \"error parsing YAML in config file at \"+configPath)\n\t}\n\n\treturn config, nil\n}\n\n// File change notifications from the watcher\n\n// WatcherItemDidChange triggers when the yaml config is updated\n// sends the updated config to the service to reload its state\nfunc (m *FileManager) WatcherItemDidChange(filepath string) {\n\tconfig, err := m.GetConfig()\n\tif err != nil {\n\t\tm.log.Err(err).Msg(\"Failed to read new config\")\n\t\treturn\n\t}\n\tm.log.Info().Msg(\"Config file has been updated\")\n\tm.notifier.ConfigDidUpdate(config)\n}\n\n// WatcherDidError notifies of errors with the file watcher\nfunc (m *FileManager) WatcherDidError(err error) {\n\tm.log.Err(err).Msg(\"Config watcher encountered an error\")\n}\n" }, { "path": "config/manager_test.go", "content": "package config\n\nimport (\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\n\t\"github.com/cloudflare/cloudflared/watcher\"\n)\n\ntype mockNotifier struct {\n\tconfigs []Root\n}\n\nfunc (n *mockNotifier) ConfigDidUpdate(c Root) {\n\tn.configs = append(n.configs, c)\n}\n\ntype mockFileWatcher struct {\n\tpath string\n\tnotifier watcher.Notification\n\tready chan struct{}\n}\n\nfunc (w *mockFileWatcher) Start(n watcher.Notification) {\n\tw.notifier = n\n\tw.ready <- struct{}{}\n}\n\nfunc (w *mockFileWatcher) Add(string) error {\n\treturn nil\n}\n\nfunc (w *mockFileWatcher) Shutdown() {\n\n}\n\nfunc (w *mockFileWatcher) TriggerChange() {\n\tw.notifier.WatcherItemDidChange(w.path)\n}\n\nfunc TestConfigChanged(t *testing.T) {\n\tfilePath := \"config.yaml\"\n\tf, err := os.Create(filePath)\n\tassert.NoError(t, err)\n\tdefer func() {\n\t\t_ = f.Close()\n\t\t_ = os.Remove(filePath)\n\t}()\n\tc := &Root{\n\t\tForwarders: []Forwarder{\n\t\t\t{\n\t\t\t\tURL: \"test.daltoniam.com\",\n\t\t\t\tListener: \"127.0.0.1:8080\",\n\t\t\t},\n\t\t},\n\t}\n\tconfigRead := func(configPath string, log *zerolog.Logger) (Root, error) {\n\t\treturn *c, nil\n\t}\n\twait := make(chan struct{})\n\tw := &mockFileWatcher{path: filePath, ready: wait}\n\n\tlog := zerolog.Nop()\n\n\tservice, err := NewFileManager(w, filePath, &log)\n\tservice.ReadConfig = configRead\n\tassert.NoError(t, err)\n\n\tn := &mockNotifier{}\n\tgo service.Start(n)\n\n\t<-wait\n\tc.Forwarders = append(c.Forwarders, Forwarder{URL: \"add.daltoniam.com\", Listener: \"127.0.0.1:8081\"})\n\tw.TriggerChange()\n\n\tservice.Shutdown()\n\n\tassert.Len(t, n.configs, 2, \"did not get 2 config updates as expected\")\n\tassert.Len(t, n.configs[0].Forwarders, 1, \"not the amount of forwarders expected\")\n\tassert.Len(t, n.configs[1].Forwarders, 2, \"not the amount of forwarders expected\")\n\n\tassert.Equal(t, n.configs[0].Forwarders[0].Hash(), c.Forwarders[0].Hash(), \"forwarder hashes don't match\")\n\tassert.Equal(t, n.configs[1].Forwarders[0].Hash(), c.Forwarders[0].Hash(), \"forwarder hashes don't match\")\n\tassert.Equal(t, n.configs[1].Forwarders[1].Hash(), c.Forwarders[1].Hash(), \"forwarder hashes don't match\")\n}\n" }, { "path": "config/model.go", "content": "package config\n\nimport (\n\t\"crypto/sha256\"\n\t\"fmt\"\n\t\"io\"\n)\n\n// Forwarder represents a client side listener to forward traffic to the edge\ntype Forwarder struct {\n\tURL string `json:\"url\"`\n\tListener string `json:\"listener\"`\n\tTokenClientID string `json:\"service_token_id\" yaml:\"serviceTokenID\"`\n\tTokenSecret string `json:\"secret_token_id\" yaml:\"serviceTokenSecret\"`\n\tDestination string `json:\"destination\"`\n\tIsFedramp bool `json:\"is_fedramp\" yaml:\"isFedramp\"`\n}\n\n// Tunnel represents a tunnel that should be started\ntype Tunnel struct {\n\tURL string `json:\"url\"`\n\tOrigin string `json:\"origin\"`\n\tProtocolType string `json:\"type\"`\n}\n\n// Root is the base options to configure the service.\ntype Root struct {\n\tLogDirectory string `json:\"log_directory\" yaml:\"logDirectory,omitempty\"`\n\tLogLevel string `json:\"log_level\" yaml:\"logLevel,omitempty\"`\n\tForwarders []Forwarder `json:\"forwarders,omitempty\" yaml:\"forwarders,omitempty\"`\n\tTunnels []Tunnel `json:\"tunnels,omitempty\" yaml:\"tunnels,omitempty\"`\n\t// `resolver` key is reserved for a removed feature (proxy-dns) and should not be used.\n}\n\n// Hash returns the computed values to see if the forwarder values change\nfunc (f *Forwarder) Hash() string {\n\th := sha256.New()\n\t_, _ = io.WriteString(h, f.URL)\n\t_, _ = io.WriteString(h, f.Listener)\n\t_, _ = io.WriteString(h, f.TokenClientID)\n\t_, _ = io.WriteString(h, f.TokenSecret)\n\t_, _ = io.WriteString(h, f.Destination)\n\treturn fmt.Sprintf(\"%x\", h.Sum(nil))\n}\n" }, { "path": "connection/connection.go", "content": "package connection\n\nimport (\n\t\"context\"\n\t\"encoding/base64\"\n\t\"fmt\"\n\t\"io\"\n\t\"math\"\n\t\"net\"\n\t\"net/http\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\n\t\"github.com/cloudflare/cloudflared/tracing\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n\t\"github.com/cloudflare/cloudflared/websocket\"\n)\n\nconst (\n\tlbProbeUserAgentPrefix = \"Mozilla/5.0 (compatible; Cloudflare-Traffic-Manager/1.0; +https://www.cloudflare.com/traffic-manager/;\"\n\tLogFieldConnIndex = \"connIndex\"\n\tMaxGracePeriod = time.Minute * 3\n\tMaxConcurrentStreams = math.MaxUint32\n\n\tcontentTypeHeader = \"content-type\"\n\tcontentLengthHeader = \"content-length\"\n\ttransferEncodingHeader = \"transfer-encoding\"\n\n\tsseContentType = \"text/event-stream\"\n\tgrpcContentType = \"application/grpc\"\n\tsseJsonContentType = \"application/x-ndjson\"\n\n\tchunkTransferEncoding = \"chunked\"\n)\n\nvar (\n\tswitchingProtocolText = fmt.Sprintf(\"%d %s\", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols))\n\tflushableContentTypes = []string{sseContentType, grpcContentType, sseJsonContentType}\n)\n\n// TunnelConnection represents the connection to the edge.\n// The Serve method is provided to allow clients to handle any errors from the connection encountered during\n// processing of the connection. Cancelling of the context provided to Serve will close the connection.\ntype TunnelConnection interface {\n\tServe(ctx context.Context) error\n}\n\ntype Orchestrator interface {\n\tUpdateConfig(version int32, config []byte) *pogs.UpdateConfigurationResponse\n\tGetConfigJSON() ([]byte, error)\n\tGetOriginProxy() (OriginProxy, error)\n}\n\ntype TunnelProperties struct {\n\tCredentials Credentials\n\tQuickTunnelUrl string\n}\n\n// Credentials are stored in the credentials file and contain all info needed to run a tunnel.\ntype Credentials struct {\n\tAccountTag string\n\tTunnelSecret []byte\n\tTunnelID uuid.UUID\n\tEndpoint string\n}\n\nfunc (c *Credentials) Auth() pogs.TunnelAuth {\n\treturn pogs.TunnelAuth{\n\t\tAccountTag: c.AccountTag,\n\t\tTunnelSecret: c.TunnelSecret,\n\t}\n}\n\n// TunnelToken are Credentials but encoded with custom fields namings.\ntype TunnelToken struct {\n\tAccountTag string `json:\"a\"`\n\tTunnelSecret []byte `json:\"s\"`\n\tTunnelID uuid.UUID `json:\"t\"`\n\tEndpoint string `json:\"e,omitempty\"`\n}\n\nfunc (t TunnelToken) Credentials() Credentials {\n\t// nolint: gosimple\n\treturn Credentials{\n\t\tAccountTag: t.AccountTag,\n\t\tTunnelSecret: t.TunnelSecret,\n\t\tTunnelID: t.TunnelID,\n\t\tEndpoint: t.Endpoint,\n\t}\n}\n\nfunc (t TunnelToken) Encode() (string, error) {\n\tval, err := json.Marshal(t)\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"could not JSON encode token\")\n\t}\n\n\treturn base64.StdEncoding.EncodeToString(val), nil\n}\n\ntype ClassicTunnelProperties struct {\n\tHostname string\n\tOriginCert []byte\n\t// feature-flag to use new edge reconnect tokens\n\tUseReconnectToken bool\n}\n\n// Type indicates the connection type of the connection.\ntype Type int\n\nconst (\n\tTypeWebsocket Type = iota\n\tTypeTCP\n\tTypeControlStream\n\tTypeHTTP\n\tTypeConfiguration\n)\n\n// ShouldFlush returns whether this kind of connection should actively flush data\nfunc (t Type) shouldFlush() bool {\n\tswitch t {\n\tcase TypeWebsocket, TypeTCP, TypeControlStream:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc (t Type) String() string {\n\tswitch t {\n\tcase TypeWebsocket:\n\t\treturn \"websocket\"\n\tcase TypeTCP:\n\t\treturn \"tcp\"\n\tcase TypeControlStream:\n\t\treturn \"control stream\"\n\tcase TypeHTTP:\n\t\treturn \"http\"\n\tdefault:\n\t\treturn fmt.Sprintf(\"Unknown Type %d\", t)\n\t}\n}\n\n// OriginProxy is how data flows from cloudflared to the origin services running behind it.\ntype OriginProxy interface {\n\tProxyHTTP(w ResponseWriter, tr *tracing.TracedHTTPRequest, isWebsocket bool) error\n\tProxyTCP(ctx context.Context, rwa ReadWriteAcker, req *TCPRequest) error\n}\n\n// TCPRequest defines the input format needed to perform a TCP proxy.\ntype TCPRequest struct {\n\tDest string\n\tCFRay string\n\tLBProbe bool\n\tFlowID string\n\tCfTraceID string\n\tConnIndex uint8\n}\n\n// ReadWriteAcker is a readwriter with the ability to Acknowledge to the downstream (edge) that the origin has\n// accepted the connection.\ntype ReadWriteAcker interface {\n\tio.ReadWriter\n\tAckConnection(tracePropagation string) error\n}\n\n// HTTPResponseReadWriteAcker is an HTTP implementation of ReadWriteAcker.\ntype HTTPResponseReadWriteAcker struct {\n\tr io.Reader\n\tw ResponseWriter\n\tf http.Flusher\n\treq *http.Request\n}\n\n// NewHTTPResponseReadWriterAcker returns a new instance of HTTPResponseReadWriteAcker.\nfunc NewHTTPResponseReadWriterAcker(w ResponseWriter, flusher http.Flusher, req *http.Request) *HTTPResponseReadWriteAcker {\n\treturn &HTTPResponseReadWriteAcker{\n\t\tr: req.Body,\n\t\tw: w,\n\t\tf: flusher,\n\t\treq: req,\n\t}\n}\n\nfunc (h *HTTPResponseReadWriteAcker) Read(p []byte) (int, error) {\n\treturn h.r.Read(p)\n}\n\nfunc (h *HTTPResponseReadWriteAcker) Write(p []byte) (int, error) {\n\tn, err := h.w.Write(p)\n\tif n > 0 {\n\t\th.f.Flush()\n\t}\n\treturn n, err\n}\n\n// AckConnection acks an HTTP connection by sending a switch protocols status code that enables the caller to\n// upgrade to streams.\nfunc (h *HTTPResponseReadWriteAcker) AckConnection(tracePropagation string) error {\n\tresp := &http.Response{\n\t\tStatus: switchingProtocolText,\n\t\tStatusCode: http.StatusSwitchingProtocols,\n\t\tContentLength: -1,\n\t\tHeader: http.Header{},\n\t}\n\n\tif secWebsocketKey := h.req.Header.Get(\"Sec-WebSocket-Key\"); secWebsocketKey != \"\" {\n\t\tresp.Header = websocket.NewResponseHeader(h.req)\n\t}\n\n\tif tracePropagation != \"\" {\n\t\tresp.Header.Add(tracing.CanonicalCloudflaredTracingHeader, tracePropagation)\n\t}\n\n\treturn h.w.WriteRespHeaders(resp.StatusCode, resp.Header)\n}\n\n// localProxyConnection emulates an incoming connection to cloudflared as a net.Conn.\n// Used when handling a \"hijacked\" connection from connection.ResponseWriter\ntype localProxyConnection struct {\n\tio.ReadWriteCloser\n}\n\nfunc (c *localProxyConnection) Read(b []byte) (int, error) {\n\treturn c.ReadWriteCloser.Read(b)\n}\n\nfunc (c *localProxyConnection) Write(b []byte) (int, error) {\n\treturn c.ReadWriteCloser.Write(b)\n}\n\nfunc (c *localProxyConnection) Close() error {\n\treturn c.ReadWriteCloser.Close()\n}\n\nfunc (c *localProxyConnection) LocalAddr() net.Addr {\n\t// Unused LocalAddr\n\treturn &net.TCPAddr{IP: net.IPv6loopback, Port: 0, Zone: \"\"}\n}\n\nfunc (c *localProxyConnection) RemoteAddr() net.Addr {\n\t// Unused RemoteAddr\n\treturn &net.TCPAddr{IP: net.IPv6loopback, Port: 0, Zone: \"\"}\n}\n\nfunc (c *localProxyConnection) SetDeadline(t time.Time) error {\n\t// ignored since we can't set the read/write Deadlines for the tunnel back to origintunneld\n\treturn nil\n}\n\nfunc (c *localProxyConnection) SetReadDeadline(t time.Time) error {\n\t// ignored since we can't set the read/write Deadlines for the tunnel back to origintunneld\n\treturn nil\n}\n\nfunc (c *localProxyConnection) SetWriteDeadline(t time.Time) error {\n\t// ignored since we can't set the read/write Deadlines for the tunnel back to origintunneld\n\treturn nil\n}\n\n// ResponseWriter is the response path for a request back through cloudflared's tunnel.\ntype ResponseWriter interface {\n\tWriteRespHeaders(status int, header http.Header) error\n\tAddTrailer(trailerName, trailerValue string)\n\thttp.ResponseWriter\n\thttp.Hijacker\n\tio.Writer\n}\n\ntype ConnectedFuse interface {\n\tConnected()\n\tIsConnected() bool\n}\n\n// Helper method to let the caller know what content-types should require a flush on every\n// write to a ResponseWriter.\nfunc shouldFlush(headers http.Header) bool {\n\t// When doing Server Side Events (SSE), some frameworks don't respect the `Content-Type` header.\n\t// Therefore, we need to rely on other ways to know whether we should flush on write or not. A good\n\t// approach is to assume that responses without `Content-Length` or with `Transfer-Encoding: chunked`\n\t// are streams, and therefore, should be flushed right away to the eyeball.\n\t// References:\n\t// - https://datatracker.ietf.org/doc/html/rfc7230#section-4.1\n\t// - https://datatracker.ietf.org/doc/html/rfc9112#section-6.1\n\tif contentLength := headers.Get(contentLengthHeader); contentLength == \"\" {\n\t\treturn true\n\t}\n\tif transferEncoding := headers.Get(transferEncodingHeader); transferEncoding != \"\" {\n\t\ttransferEncoding = strings.ToLower(transferEncoding)\n\t\tif strings.Contains(transferEncoding, chunkTransferEncoding) {\n\t\t\treturn true\n\t\t}\n\t}\n\tif contentType := headers.Get(contentTypeHeader); contentType != \"\" {\n\t\tcontentType = strings.ToLower(contentType)\n\t\tfor _, c := range flushableContentTypes {\n\t\t\tif strings.HasPrefix(contentType, c) {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\nfunc uint8ToString(input uint8) string {\n\treturn strconv.FormatUint(uint64(input), 10)\n}\n\nfunc FindCfRayHeader(req *http.Request) string {\n\treturn req.Header.Get(\"Cf-Ray\")\n}\n\nfunc IsLBProbeRequest(req *http.Request) bool {\n\treturn strings.HasPrefix(req.UserAgent(), lbProbeUserAgentPrefix)\n}\n" }, { "path": "connection/connection_test.go", "content": "package connection\n\nimport (\n\t\"context\"\n\t\"crypto/rand\"\n\t\"fmt\"\n\t\"io\"\n\t\"math/big\"\n\t\"net/http\"\n\t\"testing\"\n\t\"time\"\n\n\tpkgerrors \"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/require\"\n\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n\n\t\"github.com/cloudflare/cloudflared/stream\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n\ttunnelpogs \"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n\t\"github.com/cloudflare/cloudflared/websocket\"\n)\n\nconst (\n\tlargeFileSize = 2 * 1024 * 1024\n\ttestGracePeriod = time.Millisecond * 100\n)\n\nvar (\n\ttestOrchestrator = &mockOrchestrator{\n\t\toriginProxy: &mockOriginProxy{},\n\t}\n\tlog = zerolog.Nop()\n\ttestLargeResp = make([]byte, largeFileSize)\n)\n\nvar _ ReadWriteAcker = (*HTTPResponseReadWriteAcker)(nil)\n\ntype testRequest struct {\n\tname string\n\tendpoint string\n\texpectedStatus int\n\texpectedBody []byte\n\tisProxyError bool\n}\n\ntype mockOrchestrator struct {\n\toriginProxy OriginProxy\n}\n\nfunc (mcr *mockOrchestrator) GetConfigJSON() ([]byte, error) {\n\treturn nil, fmt.Errorf(\"not implemented\")\n}\n\nfunc (*mockOrchestrator) UpdateConfig(version int32, config []byte) *tunnelpogs.UpdateConfigurationResponse {\n\treturn &tunnelpogs.UpdateConfigurationResponse{\n\t\tLastAppliedVersion: version,\n\t}\n}\n\nfunc (mcr *mockOrchestrator) GetOriginProxy() (OriginProxy, error) {\n\treturn mcr.originProxy, nil\n}\n\nfunc (mcr *mockOrchestrator) WarpRoutingEnabled() (enabled bool) {\n\treturn true\n}\n\ntype mockOriginProxy struct{}\n\nfunc (moc *mockOriginProxy) ProxyHTTP(\n\tw ResponseWriter,\n\ttr *tracing.TracedHTTPRequest,\n\tisWebsocket bool,\n) error {\n\treq := tr.Request\n\tif isWebsocket {\n\t\tswitch req.URL.Path {\n\t\tcase \"/ws/echo\":\n\t\t\treturn wsEchoEndpoint(w, req)\n\t\tcase \"/ws/flaky\":\n\t\t\treturn wsFlakyEndpoint(w, req)\n\t\tdefault:\n\t\t\toriginRespEndpoint(w, http.StatusNotFound, []byte(\"ws endpoint not found\"))\n\t\t\treturn fmt.Errorf(\"unknown websocket endpoint %s\", req.URL.Path)\n\t\t}\n\t}\n\tswitch req.URL.Path {\n\tcase \"/ok\":\n\t\toriginRespEndpoint(w, http.StatusOK, []byte(http.StatusText(http.StatusOK)))\n\tcase \"/large_file\":\n\t\toriginRespEndpoint(w, http.StatusOK, testLargeResp)\n\tcase \"/400\":\n\t\toriginRespEndpoint(w, http.StatusBadRequest, []byte(http.StatusText(http.StatusBadRequest)))\n\tcase \"/500\":\n\t\toriginRespEndpoint(w, http.StatusInternalServerError, []byte(http.StatusText(http.StatusInternalServerError)))\n\tcase \"/error\":\n\t\treturn fmt.Errorf(\"Failed to proxy to origin\")\n\tdefault:\n\t\toriginRespEndpoint(w, http.StatusNotFound, []byte(\"page not found\"))\n\t}\n\treturn nil\n}\n\nfunc (moc *mockOriginProxy) ProxyTCP(\n\tctx context.Context,\n\trwa ReadWriteAcker,\n\tr *TCPRequest,\n) error {\n\tif r.CfTraceID == \"flow-rate-limited\" {\n\t\treturn pkgerrors.Wrap(cfdflow.ErrTooManyActiveFlows, \"tcp flow rate limited\")\n\t}\n\n\treturn nil\n}\n\ntype echoPipe struct {\n\treader *io.PipeReader\n\twriter *io.PipeWriter\n}\n\nfunc (ep *echoPipe) Read(p []byte) (int, error) {\n\treturn ep.reader.Read(p)\n}\n\nfunc (ep *echoPipe) Write(p []byte) (int, error) {\n\treturn ep.writer.Write(p)\n}\n\n// A mock origin that echos data by streaming like a tcpOverWSConnection\n// https://github.com/cloudflare/cloudflared/blob/master/ingress/origin_connection.go\nfunc wsEchoEndpoint(w ResponseWriter, r *http.Request) error {\n\tresp := &http.Response{\n\t\tStatusCode: http.StatusSwitchingProtocols,\n\t}\n\tif err := w.WriteRespHeaders(resp.StatusCode, resp.Header); err != nil {\n\t\treturn err\n\t}\n\twsCtx, cancel := context.WithCancel(r.Context())\n\treadPipe, writePipe := io.Pipe()\n\n\twsConn := websocket.NewConn(wsCtx, NewHTTPResponseReadWriterAcker(w, w.(http.Flusher), r), &log)\n\tgo func() {\n\t\tselect {\n\t\tcase <-wsCtx.Done():\n\t\tcase <-r.Context().Done():\n\t\t}\n\t\treadPipe.Close()\n\t\twritePipe.Close()\n\t}()\n\n\toriginConn := &echoPipe{reader: readPipe, writer: writePipe}\n\tstream.Pipe(wsConn, originConn, &log)\n\tcancel()\n\twsConn.Close()\n\treturn nil\n}\n\ntype flakyConn struct {\n\tcloseAt time.Time\n}\n\nfunc (fc *flakyConn) Read(p []byte) (int, error) {\n\tif time.Now().After(fc.closeAt) {\n\t\treturn 0, io.EOF\n\t}\n\tn := copy(p, \"Read from flaky connection\")\n\treturn n, nil\n}\n\nfunc (fc *flakyConn) Write(p []byte) (int, error) {\n\tif time.Now().After(fc.closeAt) {\n\t\treturn 0, fmt.Errorf(\"flaky connection closed\")\n\t}\n\treturn len(p), nil\n}\n\nfunc wsFlakyEndpoint(w ResponseWriter, r *http.Request) error {\n\tresp := &http.Response{\n\t\tStatusCode: http.StatusSwitchingProtocols,\n\t}\n\tif err := w.WriteRespHeaders(resp.StatusCode, resp.Header); err != nil {\n\t\treturn err\n\t}\n\twsCtx, cancel := context.WithCancel(r.Context())\n\n\twsConn := websocket.NewConn(wsCtx, NewHTTPResponseReadWriterAcker(w, w.(http.Flusher), r), &log)\n\n\trInt, _ := rand.Int(rand.Reader, big.NewInt(50))\n\tclosedAfter := time.Millisecond * time.Duration(rInt.Int64())\n\toriginConn := &flakyConn{closeAt: time.Now().Add(closedAfter)}\n\tstream.Pipe(wsConn, originConn, &log)\n\tcancel()\n\twsConn.Close()\n\treturn nil\n}\n\nfunc originRespEndpoint(w ResponseWriter, status int, data []byte) {\n\tresp := &http.Response{\n\t\tStatusCode: status,\n\t}\n\t_ = w.WriteRespHeaders(resp.StatusCode, resp.Header)\n\t_, _ = w.Write(data)\n}\n\ntype mockConnectedFuse struct{}\n\nfunc (mcf mockConnectedFuse) Connected() {}\n\nfunc (mcf mockConnectedFuse) IsConnected() bool {\n\treturn true\n}\n\nfunc TestShouldFlushHeaders(t *testing.T) {\n\ttests := []struct {\n\t\theaders map[string]string\n\t\tshouldFlush bool\n\t}{\n\t\t{\n\t\t\theaders: map[string]string{contentTypeHeader: \"application/json\", contentLengthHeader: \"1\"},\n\t\t\tshouldFlush: false,\n\t\t},\n\t\t{\n\t\t\theaders: map[string]string{contentTypeHeader: \"text/html\", contentLengthHeader: \"1\"},\n\t\t\tshouldFlush: false,\n\t\t},\n\t\t{\n\t\t\theaders: map[string]string{contentTypeHeader: \"text/event-stream\", contentLengthHeader: \"1\"},\n\t\t\tshouldFlush: true,\n\t\t},\n\t\t{\n\t\t\theaders: map[string]string{contentTypeHeader: \"application/grpc\", contentLengthHeader: \"1\"},\n\t\t\tshouldFlush: true,\n\t\t},\n\t\t{\n\t\t\theaders: map[string]string{contentTypeHeader: \"application/x-ndjson\", contentLengthHeader: \"1\"},\n\t\t\tshouldFlush: true,\n\t\t},\n\t\t{\n\t\t\theaders: map[string]string{contentTypeHeader: \"application/json\"},\n\t\t\tshouldFlush: true,\n\t\t},\n\t\t{\n\t\t\theaders: map[string]string{contentTypeHeader: \"application/json\", contentLengthHeader: \"-1\", transferEncodingHeader: \"chunked\"},\n\t\t\tshouldFlush: true,\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\theaders := http.Header{}\n\t\tfor k, v := range test.headers {\n\t\t\theaders.Add(k, v)\n\t\t}\n\n\t\trequire.Equal(t, test.shouldFlush, shouldFlush(headers))\n\t}\n}\n" }, { "path": "connection/control.go", "content": "package connection\n\nimport (\n\t\"context\"\n\t\"io\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/pkg/errors\"\n\n\t\"github.com/cloudflare/cloudflared/management\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\n// registerClient derives a named tunnel rpc client that can then be used to register and unregister connections.\ntype registerClientFunc func(context.Context, io.ReadWriteCloser, time.Duration) tunnelrpc.RegistrationClient\n\ntype controlStream struct {\n\tobserver *Observer\n\n\tconnectedFuse ConnectedFuse\n\ttunnelProperties *TunnelProperties\n\tconnIndex uint8\n\tedgeAddress net.IP\n\tprotocol Protocol\n\n\tregisterClientFunc registerClientFunc\n\tregisterTimeout time.Duration\n\n\tgracefulShutdownC <-chan struct{}\n\tgracePeriod time.Duration\n\tstoppedGracefully bool\n}\n\n// ControlStreamHandler registers connections with origintunneld and initiates graceful shutdown.\ntype ControlStreamHandler interface {\n\t// ServeControlStream handles the control plane of the transport in the current goroutine calling this\n\tServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *pogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error\n\t// IsStopped tells whether the method above has finished\n\tIsStopped() bool\n}\n\ntype TunnelConfigJSONGetter interface {\n\tGetConfigJSON() ([]byte, error)\n}\n\n// NewControlStream returns a new instance of ControlStreamHandler\nfunc NewControlStream(\n\tobserver *Observer,\n\tconnectedFuse ConnectedFuse,\n\ttunnelProperties *TunnelProperties,\n\tconnIndex uint8,\n\tedgeAddress net.IP,\n\tregisterClientFunc registerClientFunc,\n\tregisterTimeout time.Duration,\n\tgracefulShutdownC <-chan struct{},\n\tgracePeriod time.Duration,\n\tprotocol Protocol,\n) ControlStreamHandler {\n\tif registerClientFunc == nil {\n\t\tregisterClientFunc = tunnelrpc.NewRegistrationClient\n\t}\n\treturn &controlStream{\n\t\tobserver: observer,\n\t\tconnectedFuse: connectedFuse,\n\t\ttunnelProperties: tunnelProperties,\n\t\tregisterClientFunc: registerClientFunc,\n\t\tregisterTimeout: registerTimeout,\n\t\tconnIndex: connIndex,\n\t\tedgeAddress: edgeAddress,\n\t\tgracefulShutdownC: gracefulShutdownC,\n\t\tgracePeriod: gracePeriod,\n\t\tprotocol: protocol,\n\t}\n}\n\nfunc (c *controlStream) ServeControlStream(\n\tctx context.Context,\n\trw io.ReadWriteCloser,\n\tconnOptions *pogs.ConnectionOptions,\n\ttunnelConfigGetter TunnelConfigJSONGetter,\n) error {\n\tregistrationClient := c.registerClientFunc(ctx, rw, c.registerTimeout)\n\tc.observer.logConnecting(c.connIndex, c.edgeAddress, c.protocol)\n\tregistrationDetails, err := registrationClient.RegisterConnection(\n\t\tctx,\n\t\tc.tunnelProperties.Credentials.Auth(),\n\t\tc.tunnelProperties.Credentials.TunnelID,\n\t\tconnOptions,\n\t\tc.connIndex,\n\t\tc.edgeAddress)\n\tif err != nil {\n\t\tdefer registrationClient.Close()\n\t\tif err.Error() == DuplicateConnectionError {\n\t\t\tc.observer.metrics.regFail.WithLabelValues(\"dup_edge_conn\", \"registerConnection\").Inc()\n\t\t\treturn errDuplicationConnection\n\t\t}\n\t\tc.observer.metrics.regFail.WithLabelValues(\"server_error\", \"registerConnection\").Inc()\n\t\treturn serverRegistrationErrorFromRPC(err)\n\t}\n\tc.observer.metrics.regSuccess.WithLabelValues(\"registerConnection\").Inc()\n\n\tc.observer.logConnected(registrationDetails.UUID, c.connIndex, registrationDetails.Location, c.edgeAddress, c.protocol)\n\tc.observer.sendConnectedEvent(c.connIndex, c.protocol, registrationDetails.Location, c.edgeAddress)\n\tc.connectedFuse.Connected()\n\n\t// if conn index is 0 and tunnel is not remotely managed, then send local ingress rules configuration\n\tif c.connIndex == 0 && !registrationDetails.TunnelIsRemotelyManaged {\n\t\tif tunnelConfig, err := tunnelConfigGetter.GetConfigJSON(); err == nil {\n\t\t\tif err := registrationClient.SendLocalConfiguration(ctx, tunnelConfig); err != nil {\n\t\t\t\tc.observer.metrics.localConfigMetrics.pushesErrors.Inc()\n\t\t\t\tc.observer.log.Err(err).Msg(\"unable to send local configuration\")\n\t\t\t}\n\t\t\tc.observer.metrics.localConfigMetrics.pushes.Inc()\n\t\t} else {\n\t\t\tc.observer.log.Err(err).Msg(\"failed to obtain current configuration\")\n\t\t}\n\t}\n\n\treturn c.waitForUnregister(ctx, registrationClient)\n}\n\nfunc (c *controlStream) waitForUnregister(ctx context.Context, registrationClient tunnelrpc.RegistrationClient) error {\n\t// wait for connection termination or start of graceful shutdown\n\tdefer registrationClient.Close()\n\tvar shutdownError error\n\tselect {\n\tcase <-ctx.Done():\n\t\tshutdownError = ctx.Err()\n\t\tbreak\n\tcase <-c.gracefulShutdownC:\n\t\tc.stoppedGracefully = true\n\t}\n\n\tc.observer.sendUnregisteringEvent(c.connIndex)\n\terr := registrationClient.GracefulShutdown(ctx, c.gracePeriod)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Error shutting down control stream\")\n\t}\n\tc.observer.log.Info().\n\t\tInt(management.EventTypeKey, int(management.Cloudflared)).\n\t\tUint8(LogFieldConnIndex, c.connIndex).\n\t\tIPAddr(LogFieldIPAddress, c.edgeAddress).\n\t\tMsg(\"Unregistered tunnel connection\")\n\treturn shutdownError\n}\n\nfunc (c *controlStream) IsStopped() bool {\n\treturn c.stoppedGracefully\n}\n" }, { "path": "connection/errors.go", "content": "package connection\n\nimport (\n\ttunnelpogs \"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\nconst (\n\tDuplicateConnectionError = \"EDUPCONN\"\n)\n\ntype DupConnRegisterTunnelError struct{}\n\nvar errDuplicationConnection = DupConnRegisterTunnelError{}\n\nfunc (e DupConnRegisterTunnelError) Error() string {\n\treturn \"already connected to this server, trying another address\"\n}\n\n// Dial to edge server with quic failed\ntype EdgeQuicDialError struct {\n\tCause error\n}\n\nfunc (e *EdgeQuicDialError) Error() string {\n\treturn \"failed to dial to edge with quic: \" + e.Cause.Error()\n}\n\nfunc (e *EdgeQuicDialError) Unwrap() error {\n\treturn e.Cause\n}\n\n// RegisterTunnel error from server\ntype ServerRegisterTunnelError struct {\n\tCause error\n\tPermanent bool\n}\n\nfunc (e ServerRegisterTunnelError) Error() string {\n\treturn e.Cause.Error()\n}\n\nfunc serverRegistrationErrorFromRPC(err error) ServerRegisterTunnelError {\n\tif retryable, ok := err.(*tunnelpogs.RetryableError); ok {\n\t\treturn ServerRegisterTunnelError{\n\t\t\tCause: retryable.Unwrap(),\n\t\t\tPermanent: false,\n\t\t}\n\t}\n\treturn ServerRegisterTunnelError{\n\t\tCause: err,\n\t\tPermanent: true,\n\t}\n}\n\ntype ControlStreamError struct{}\n\nvar _ error = &ControlStreamError{}\n\nfunc (e *ControlStreamError) Error() string {\n\treturn \"control stream encountered a failure while serving\"\n}\n\ntype StreamListenerError struct{}\n\nvar _ error = &StreamListenerError{}\n\nfunc (e *StreamListenerError) Error() string {\n\treturn \"accept stream listener encountered a failure while serving\"\n}\n\ntype DatagramManagerError struct{}\n\nvar _ error = &DatagramManagerError{}\n\nfunc (e *DatagramManagerError) Error() string {\n\treturn \"datagram manager encountered a failure while serving\"\n}\n" }, { "path": "connection/event.go", "content": "package connection\n\nimport \"net\"\n\n// Event is something that happened to a connection, e.g. disconnection or registration.\ntype Event struct {\n\tIndex uint8\n\tEventType Status\n\tLocation string\n\tProtocol Protocol\n\tURL string\n\tEdgeAddress net.IP\n}\n\n// Status is the status of a connection.\ntype Status int\n\nconst (\n\t// Disconnected means the connection to the edge was broken.\n\tDisconnected Status = iota\n\t// Connected means the connection to the edge was successfully established.\n\tConnected\n\t// Reconnecting means the connection to the edge is being re-established.\n\tReconnecting\n\t// SetURL means this connection's tunnel was given a URL by the edge. Used for quick tunnels.\n\tSetURL\n\t// RegisteringTunnel means the non-named tunnel is registering its connection.\n\tRegisteringTunnel\n\t// We're unregistering tunnel from the edge in preparation for a disconnect\n\tUnregistering\n)\n" }, { "path": "connection/header.go", "content": "package connection\n\nimport (\n\t\"encoding/base64\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"strings\"\n\n\t\"github.com/pkg/errors\"\n)\n\nvar (\n\t// internal special headers\n\tRequestUserHeaders = \"cf-cloudflared-request-headers\"\n\tResponseUserHeaders = \"cf-cloudflared-response-headers\"\n\tResponseMetaHeader = \"cf-cloudflared-response-meta\"\n\n\t// internal special headers\n\tCanonicalResponseUserHeaders = http.CanonicalHeaderKey(ResponseUserHeaders)\n\tCanonicalResponseMetaHeader = http.CanonicalHeaderKey(ResponseMetaHeader)\n)\n\nvar (\n\t// pre-generate possible values for res\n\tresponseMetaHeaderCfd = mustInitRespMetaHeader(\"cloudflared\", false)\n\tresponseMetaHeaderCfdFlowRateLimited = mustInitRespMetaHeader(\"cloudflared\", true)\n\tresponseMetaHeaderOrigin = mustInitRespMetaHeader(\"origin\", false)\n)\n\n// HTTPHeader is a custom header struct that expects only ever one value for the header.\n// This structure is used to serialize the headers and attach them to the HTTP2 request when proxying.\ntype HTTPHeader struct {\n\tName string\n\tValue string\n}\n\ntype responseMetaHeader struct {\n\tSource string `json:\"src\"`\n\tFlowRateLimited bool `json:\"flow_rate_limited,omitempty\"`\n}\n\nfunc mustInitRespMetaHeader(src string, flowRateLimited bool) string {\n\theader, err := json.Marshal(responseMetaHeader{Source: src, FlowRateLimited: flowRateLimited})\n\tif err != nil {\n\t\tpanic(fmt.Sprintf(\"Failed to serialize response meta header = %s, err: %v\", src, err))\n\t}\n\treturn string(header)\n}\n\nvar headerEncoding = base64.RawStdEncoding\n\n// IsControlResponseHeader is called in the direction of eyeball <- origin.\nfunc IsControlResponseHeader(headerName string) bool {\n\treturn strings.HasPrefix(headerName, \":\") ||\n\t\tstrings.HasPrefix(headerName, \"cf-int-\") ||\n\t\tstrings.HasPrefix(headerName, \"cf-cloudflared-\") ||\n\t\tstrings.HasPrefix(headerName, \"cf-proxy-\")\n}\n\n// isWebsocketClientHeader returns true if the header name is required by the client to upgrade properly\nfunc IsWebsocketClientHeader(headerName string) bool {\n\treturn headerName == \"sec-websocket-accept\" ||\n\t\theaderName == \"connection\" ||\n\t\theaderName == \"upgrade\"\n}\n\n// Serialize HTTP1.x headers by base64-encoding each header name and value,\n// and then joining them in the format of [key:value;]\nfunc SerializeHeaders(h1Headers http.Header) string {\n\t// compute size of the fully serialized value and largest temp buffer we will need\n\tserializedLen := 0\n\tmaxTempLen := 0\n\tfor headerName, headerValues := range h1Headers {\n\t\tfor _, headerValue := range headerValues {\n\t\t\tnameLen := headerEncoding.EncodedLen(len(headerName))\n\t\t\tvalueLen := headerEncoding.EncodedLen(len(headerValue))\n\t\t\tconst delims = 2\n\t\t\tserializedLen += delims + nameLen + valueLen\n\t\t\tif nameLen > maxTempLen {\n\t\t\t\tmaxTempLen = nameLen\n\t\t\t}\n\t\t\tif valueLen > maxTempLen {\n\t\t\t\tmaxTempLen = valueLen\n\t\t\t}\n\t\t}\n\t}\n\tvar buf strings.Builder\n\tbuf.Grow(serializedLen)\n\n\ttemp := make([]byte, maxTempLen)\n\twriteB64 := func(s string) {\n\t\tn := headerEncoding.EncodedLen(len(s))\n\t\tif n > len(temp) {\n\t\t\ttemp = make([]byte, n)\n\t\t}\n\t\theaderEncoding.Encode(temp[:n], []byte(s))\n\t\tbuf.Write(temp[:n])\n\t}\n\n\tfor headerName, headerValues := range h1Headers {\n\t\tfor _, headerValue := range headerValues {\n\t\t\tif buf.Len() > 0 {\n\t\t\t\tbuf.WriteByte(';')\n\t\t\t}\n\t\t\twriteB64(headerName)\n\t\t\tbuf.WriteByte(':')\n\t\t\twriteB64(headerValue)\n\t\t}\n\t}\n\n\treturn buf.String()\n}\n\n// Deserialize headers serialized by `SerializeHeader`\nfunc DeserializeHeaders(serializedHeaders string) ([]HTTPHeader, error) {\n\tconst unableToDeserializeErr = \"Unable to deserialize headers\"\n\n\tdeserialized := make([]HTTPHeader, 0)\n\tfor _, serializedPair := range strings.Split(serializedHeaders, \";\") {\n\t\tif len(serializedPair) == 0 {\n\t\t\tcontinue\n\t\t}\n\n\t\tserializedHeaderParts := strings.Split(serializedPair, \":\")\n\t\tif len(serializedHeaderParts) != 2 {\n\t\t\treturn nil, errors.New(unableToDeserializeErr)\n\t\t}\n\n\t\tserializedName := serializedHeaderParts[0]\n\t\tserializedValue := serializedHeaderParts[1]\n\t\tdeserializedName := make([]byte, headerEncoding.DecodedLen(len(serializedName)))\n\t\tdeserializedValue := make([]byte, headerEncoding.DecodedLen(len(serializedValue)))\n\n\t\tif _, err := headerEncoding.Decode(deserializedName, []byte(serializedName)); err != nil {\n\t\t\treturn nil, errors.Wrap(err, unableToDeserializeErr)\n\t\t}\n\t\tif _, err := headerEncoding.Decode(deserializedValue, []byte(serializedValue)); err != nil {\n\t\t\treturn nil, errors.Wrap(err, unableToDeserializeErr)\n\t\t}\n\n\t\tdeserialized = append(deserialized, HTTPHeader{\n\t\t\tName: string(deserializedName),\n\t\t\tValue: string(deserializedValue),\n\t\t})\n\t}\n\n\treturn deserialized, nil\n}\n" }, { "path": "connection/header_test.go", "content": "package connection\n\nimport (\n\t\"net/http\"\n\t\"reflect\"\n\t\"sort\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestSerializeHeaders(t *testing.T) {\n\trequest, err := http.NewRequest(http.MethodGet, \"http://example.com\", nil)\n\trequire.NoError(t, err)\n\n\tmockHeaders := http.Header{\n\t\t\"Mock-Header-One\": {\"Mock header one value\", \"three\"},\n\t\t\"Mock-Header-Two-Long\": {\"Mock header two value\\nlong\"},\n\t\t\":;\": {\":;\", \";:\"},\n\t\t\":\": {\":\"},\n\t\t\";\": {\";\"},\n\t\t\";;\": {\";;\"},\n\t\t\"Empty values\": {\"\", \"\"},\n\t\t\"\": {\"Empty key\"},\n\t\t\"control\\tcharacter\\b\\n\": {\"value\\n\\b\\t\"},\n\t\t\";\\v:\": {\":\\v;\"},\n\t}\n\n\tfor header, values := range mockHeaders {\n\t\tfor _, value := range values {\n\t\t\t// Note that Golang's http library is opinionated;\n\t\t\t// at this point every header name will be title-cased in order to comply with the HTTP RFC\n\t\t\t// This means our proxy is not completely transparent when it comes to proxying headers\n\t\t\trequest.Header.Add(header, value)\n\t\t}\n\t}\n\n\tserializedHeaders := SerializeHeaders(request.Header)\n\n\t// Sanity check: the headers serialized to something that's not an empty string\n\trequire.NotEqual(t, \"\", serializedHeaders)\n\n\t// Deserialize back, and ensure we get the same set of headers\n\tdeserializedHeaders, err := DeserializeHeaders(serializedHeaders)\n\trequire.NoError(t, err)\n\n\trequire.Len(t, deserializedHeaders, 13)\n\texpectedHeaders := headerToReqHeader(mockHeaders)\n\n\tsort.Sort(ByName(deserializedHeaders))\n\tsort.Sort(ByName(expectedHeaders))\n\n\trequire.True(\n\t\tt,\n\t\treflect.DeepEqual(expectedHeaders, deserializedHeaders),\n\t\t\"got = %#v, want = %#v\\n\", deserializedHeaders, expectedHeaders,\n\t)\n}\n\ntype ByName []HTTPHeader\n\nfunc (a ByName) Len() int { return len(a) }\nfunc (a ByName) Swap(i, j int) { a[i], a[j] = a[j], a[i] }\nfunc (a ByName) Less(i, j int) bool {\n\tif a[i].Name == a[j].Name {\n\t\treturn a[i].Value < a[j].Value\n\t}\n\n\treturn a[i].Name < a[j].Name\n}\n\nfunc headerToReqHeader(headers http.Header) (reqHeaders []HTTPHeader) {\n\tfor name, values := range headers {\n\t\tfor _, value := range values {\n\t\t\treqHeaders = append(reqHeaders, HTTPHeader{Name: name, Value: value})\n\t\t}\n\t}\n\n\treturn reqHeaders\n}\n\nfunc TestSerializeNoHeaders(t *testing.T) {\n\trequest, err := http.NewRequest(http.MethodGet, \"http://example.com\", nil)\n\trequire.NoError(t, err)\n\n\tserializedHeaders := SerializeHeaders(request.Header)\n\tdeserializedHeaders, err := DeserializeHeaders(serializedHeaders)\n\trequire.NoError(t, err)\n\trequire.Empty(t, deserializedHeaders)\n}\n\nfunc TestDeserializeMalformed(t *testing.T) {\n\tvar err error\n\n\tmalformedData := []string{\n\t\t\"malformed data\",\n\t\t\"bW9jawo=\", // \"mock\"\n\t\t\"bW9jawo=:ZGF0YQo=:bW9jawo=\", // \"mock:data:mock\"\n\t\t\"::\",\n\t}\n\n\tfor _, malformedValue := range malformedData {\n\t\t_, err = DeserializeHeaders(malformedValue)\n\t\trequire.Error(t, err)\n\t}\n}\n\nfunc TestIsControlResponseHeader(t *testing.T) {\n\tcontrolResponseHeaders := []string{\n\t\t// Anything that begins with cf-int-, cf-cloudflared- or cf-proxy-\n\t\t\"cf-int-sample-header\",\n\t\t\"cf-cloudflared-sample-header\",\n\t\t\"cf-proxy-sample-header\",\n\t\t// Any http2 pseudoheader\n\t\t\":sample-pseudo-header\",\n\t}\n\n\tfor _, header := range controlResponseHeaders {\n\t\trequire.True(t, IsControlResponseHeader(header))\n\t}\n}\n\nfunc TestIsNotControlResponseHeader(t *testing.T) {\n\tnotControlResponseHeaders := []string{\n\t\t\"mock-header\",\n\t\t\"another-sample-header\",\n\t\t\"upgrade\",\n\t\t\"connection\",\n\t\t\"cf-whatever\", // On the response path, we only want to filter cf-int- and cf-cloudflared-\n\t}\n\n\tfor _, header := range notControlResponseHeaders {\n\t\trequire.False(t, IsControlResponseHeader(header))\n\t}\n}\n" }, { "path": "connection/http2.go", "content": "package connection\n\nimport (\n\t\"bufio\"\n\t\"context\"\n\tgojson \"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"runtime/debug\"\n\t\"strings\"\n\t\"sync\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"golang.org/x/net/http2\"\n\n\t\"github.com/cloudflare/cloudflared/client\"\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n\n\t\"github.com/cloudflare/cloudflared/tracing\"\n)\n\n// note: these constants are exported so we can reuse them in the edge-side code\nconst (\n\tInternalUpgradeHeader = \"Cf-Cloudflared-Proxy-Connection-Upgrade\"\n\tInternalTCPProxySrcHeader = \"Cf-Cloudflared-Proxy-Src\"\n\tWebsocketUpgrade = \"websocket\"\n\tControlStreamUpgrade = \"control-stream\"\n\tConfigurationUpdate = \"update-configuration\"\n)\n\nvar errEdgeConnectionClosed = fmt.Errorf(\"connection with edge closed\")\n\n// HTTP2Connection represents a net.Conn that uses HTTP2 frames to proxy traffic from the edge to cloudflared on the\n// origin.\ntype HTTP2Connection struct {\n\tconn net.Conn\n\tserver *http2.Server\n\torchestrator Orchestrator\n\tconnOptions *client.ConnectionOptionsSnapshot\n\tobserver *Observer\n\tconnIndex uint8\n\n\tlog *zerolog.Logger\n\tactiveRequestsWG sync.WaitGroup\n\tcontrolStreamHandler ControlStreamHandler\n\tstoppedGracefully bool\n\tcontrolStreamErr error // result of running control stream handler\n}\n\n// NewHTTP2Connection returns a new instance of HTTP2Connection.\nfunc NewHTTP2Connection(\n\tconn net.Conn,\n\torchestrator Orchestrator,\n\tconnOptions *client.ConnectionOptionsSnapshot,\n\tobserver *Observer,\n\tconnIndex uint8,\n\tcontrolStreamHandler ControlStreamHandler,\n\tlog *zerolog.Logger,\n) *HTTP2Connection {\n\treturn &HTTP2Connection{\n\t\tconn: conn,\n\t\tserver: &http2.Server{\n\t\t\tMaxConcurrentStreams: MaxConcurrentStreams,\n\t\t},\n\t\torchestrator: orchestrator,\n\t\tconnOptions: connOptions,\n\t\tobserver: observer,\n\t\tconnIndex: connIndex,\n\t\tcontrolStreamHandler: controlStreamHandler,\n\t\tlog: log,\n\t}\n}\n\n// Serve serves an HTTP2 server that the edge can talk to.\nfunc (c *HTTP2Connection) Serve(ctx context.Context) error {\n\tgo func() {\n\t\t<-ctx.Done()\n\t\tc.close()\n\t}()\n\tc.server.ServeConn(c.conn, &http2.ServeConnOpts{\n\t\tContext: ctx,\n\t\tHandler: c,\n\t})\n\n\tswitch {\n\tcase c.controlStreamHandler.IsStopped():\n\t\treturn nil\n\tcase c.controlStreamErr != nil:\n\t\treturn c.controlStreamErr\n\tdefault:\n\t\tc.observer.log.Info().Uint8(LogFieldConnIndex, c.connIndex).Msg(\"Lost connection with the edge\")\n\t\treturn errEdgeConnectionClosed\n\t}\n}\n\nfunc (c *HTTP2Connection) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tc.activeRequestsWG.Add(1)\n\tdefer c.activeRequestsWG.Done()\n\n\tconnType := determineHTTP2Type(r)\n\thandleMissingRequestParts(connType, r)\n\n\trespWriter, err := NewHTTP2RespWriter(r, w, connType, c.log)\n\tif err != nil {\n\t\tc.observer.log.Error().Msg(err.Error())\n\t\treturn\n\t}\n\n\toriginProxy, err := c.orchestrator.GetOriginProxy()\n\tif err != nil {\n\t\tc.observer.log.Error().Msg(err.Error())\n\t\treturn\n\t}\n\n\tvar requestErr error\n\tswitch connType {\n\tcase TypeControlStream:\n\t\trequestErr = c.controlStreamHandler.ServeControlStream(r.Context(), respWriter, c.connOptions.ConnectionOptions(), c.orchestrator)\n\t\tif requestErr != nil {\n\t\t\tc.controlStreamErr = requestErr\n\t\t}\n\n\tcase TypeConfiguration:\n\t\trequestErr = c.handleConfigurationUpdate(respWriter, r)\n\n\tcase TypeWebsocket, TypeHTTP:\n\t\tstripWebsocketUpgradeHeader(r)\n\t\t// Check for tracing on request\n\t\ttr := tracing.NewTracedHTTPRequest(r, c.connIndex, c.log)\n\t\tif err := originProxy.ProxyHTTP(respWriter, tr, connType == TypeWebsocket); err != nil {\n\t\t\trequestErr = fmt.Errorf(\"Failed to proxy HTTP: %w\", err)\n\t\t}\n\n\tcase TypeTCP:\n\t\thost, err := getRequestHost(r)\n\t\tif err != nil {\n\t\t\trequestErr = fmt.Errorf(`cloudflared received a warp-routing request with an empty host value: %w`, err)\n\t\t\tbreak\n\t\t}\n\n\t\trws := NewHTTPResponseReadWriterAcker(respWriter, respWriter, r)\n\t\trequestErr = originProxy.ProxyTCP(r.Context(), rws, &TCPRequest{\n\t\t\tDest: host,\n\t\t\tCFRay: FindCfRayHeader(r),\n\t\t\tLBProbe: IsLBProbeRequest(r),\n\t\t\tCfTraceID: r.Header.Get(tracing.TracerContextName),\n\t\t\tConnIndex: c.connIndex,\n\t\t})\n\n\tdefault:\n\t\trequestErr = fmt.Errorf(\"Received unknown connection type: %s\", connType)\n\t}\n\n\tif requestErr != nil {\n\t\tc.log.Error().Err(requestErr).Msg(\"failed to serve incoming request\")\n\n\t\t// WriteErrorResponse will return false if status was already written. we need to abort handler.\n\t\tif !respWriter.WriteErrorResponse(requestErr) {\n\t\t\tc.log.Debug().Msg(\"Handler aborted due to failure to write error response after status already sent\")\n\t\t\tpanic(http.ErrAbortHandler)\n\t\t}\n\t}\n}\n\n// ConfigurationUpdateBody is the representation followed by the edge to send updates to cloudflared.\ntype ConfigurationUpdateBody struct {\n\tVersion int32 `json:\"version\"`\n\tConfig gojson.RawMessage `json:\"config\"`\n}\n\nfunc (c *HTTP2Connection) handleConfigurationUpdate(respWriter *http2RespWriter, r *http.Request) error {\n\tvar configBody ConfigurationUpdateBody\n\tif err := json.NewDecoder(r.Body).Decode(&configBody); err != nil {\n\t\treturn err\n\t}\n\tresp := c.orchestrator.UpdateConfig(configBody.Version, configBody.Config)\n\tbdy, err := json.Marshal(resp)\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = respWriter.Write(bdy)\n\treturn err\n}\n\nfunc (c *HTTP2Connection) close() {\n\t// Wait for all serve HTTP handlers to return\n\tc.activeRequestsWG.Wait()\n\tc.conn.Close()\n}\n\ntype http2RespWriter struct {\n\tr io.Reader\n\tw http.ResponseWriter\n\tflusher http.Flusher\n\tshouldFlush bool\n\tstatusWritten bool\n\trespHeaders http.Header\n\thijackedMutex sync.Mutex\n\thijackedv bool\n\tlog *zerolog.Logger\n}\n\nfunc NewHTTP2RespWriter(r *http.Request, w http.ResponseWriter, connType Type, log *zerolog.Logger) (*http2RespWriter, error) {\n\tflusher, isFlusher := w.(http.Flusher)\n\tif !isFlusher {\n\t\trespWriter := &http2RespWriter{\n\t\t\tr: r.Body,\n\t\t\tw: w,\n\t\t\tlog: log,\n\t\t}\n\t\terr := fmt.Errorf(\"%T doesn't implement http.Flusher\", w)\n\t\trespWriter.WriteErrorResponse(err)\n\t\treturn nil, err\n\t}\n\n\treturn &http2RespWriter{\n\t\tr: r.Body,\n\t\tw: w,\n\t\tflusher: flusher,\n\t\tshouldFlush: connType.shouldFlush(),\n\t\trespHeaders: make(http.Header),\n\t\tlog: log,\n\t}, nil\n}\n\nfunc (rp *http2RespWriter) AddTrailer(trailerName, trailerValue string) {\n\tif !rp.statusWritten {\n\t\trp.log.Warn().Msg(\"Tried to add Trailer to response before status written. Ignoring...\")\n\t\treturn\n\t}\n\n\trp.w.Header().Add(http2.TrailerPrefix+trailerName, trailerValue)\n}\n\nfunc (rp *http2RespWriter) WriteRespHeaders(status int, header http.Header) error {\n\tif rp.hijacked() {\n\t\trp.log.Warn().Msg(\"WriteRespHeaders after hijack\")\n\t\treturn nil\n\t}\n\tdest := rp.w.Header()\n\tuserHeaders := make(http.Header, len(header))\n\tfor name, values := range header {\n\t\t// lowercase headers for simplicity check\n\t\th2name := strings.ToLower(name)\n\n\t\tif h2name == \"content-length\" {\n\t\t\t// This header has meaning in HTTP/2 and will be used by the edge,\n\t\t\t// so it should be sent *also* as an HTTP/2 response header.\n\t\t\tdest[name] = values\n\t\t}\n\n\t\tif h2name == tracing.IntCloudflaredTracingHeader {\n\t\t\t// Add cf-int-cloudflared-tracing header outside of serialized userHeaders\n\t\t\tdest[tracing.CanonicalCloudflaredTracingHeader] = values\n\t\t\tcontinue\n\t\t}\n\n\t\tif !IsControlResponseHeader(h2name) || IsWebsocketClientHeader(h2name) {\n\t\t\t// User headers, on the other hand, must all be serialized so that\n\t\t\t// HTTP/2 header validation won't be applied to HTTP/1 header values\n\t\t\tuserHeaders[name] = values\n\t\t}\n\t}\n\n\t// Perform user header serialization and set them in the single header\n\tdest.Set(CanonicalResponseUserHeaders, SerializeHeaders(userHeaders))\n\n\trp.setResponseMetaHeader(responseMetaHeaderOrigin)\n\t// HTTP2 removes support for 101 Switching Protocols https://tools.ietf.org/html/rfc7540#section-8.1.1\n\tif status == http.StatusSwitchingProtocols {\n\t\tstatus = http.StatusOK\n\t}\n\trp.w.WriteHeader(status)\n\tif shouldFlush(header) {\n\t\trp.shouldFlush = true\n\t}\n\tif rp.shouldFlush {\n\t\trp.flusher.Flush()\n\t}\n\n\trp.statusWritten = true\n\treturn nil\n}\n\nfunc (rp *http2RespWriter) Header() http.Header {\n\treturn rp.respHeaders\n}\n\nfunc (rp *http2RespWriter) Flush() {\n\trp.flusher.Flush()\n}\n\nfunc (rp *http2RespWriter) WriteHeader(status int) {\n\tif rp.hijacked() {\n\t\trp.log.Warn().Msg(\"WriteHeader after hijack\")\n\t\treturn\n\t}\n\t_ = rp.WriteRespHeaders(status, rp.respHeaders)\n}\n\nfunc (rp *http2RespWriter) hijacked() bool {\n\trp.hijackedMutex.Lock()\n\tdefer rp.hijackedMutex.Unlock()\n\treturn rp.hijackedv\n}\n\nfunc (rp *http2RespWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {\n\tif !rp.statusWritten {\n\t\treturn nil, nil, fmt.Errorf(\"status not yet written before attempting to hijack connection\")\n\t}\n\t// Make sure to flush anything left in the buffer before hijacking\n\tif rp.shouldFlush {\n\t\trp.flusher.Flush()\n\t}\n\trp.hijackedMutex.Lock()\n\tdefer rp.hijackedMutex.Unlock()\n\tif rp.hijackedv {\n\t\treturn nil, nil, http.ErrHijacked\n\t}\n\trp.hijackedv = true\n\tconn := &localProxyConnection{rp}\n\t// We return the http2RespWriter here because we want to make sure that we flush after every write\n\t// otherwise the HTTP2 write buffer waits a few seconds before sending.\n\treadWriter := bufio.NewReadWriter(\n\t\tbufio.NewReader(rp),\n\t\tbufio.NewWriter(rp),\n\t)\n\treturn conn, readWriter, nil\n}\n\nfunc (rp *http2RespWriter) WriteErrorResponse(err error) bool {\n\tif rp.statusWritten {\n\t\treturn false\n\t}\n\n\tif errors.Is(err, cfdflow.ErrTooManyActiveFlows) {\n\t\trp.setResponseMetaHeader(responseMetaHeaderCfdFlowRateLimited)\n\t} else {\n\t\trp.setResponseMetaHeader(responseMetaHeaderCfd)\n\t}\n\trp.w.WriteHeader(http.StatusBadGateway)\n\trp.statusWritten = true\n\n\treturn true\n}\n\nfunc (rp *http2RespWriter) setResponseMetaHeader(value string) {\n\trp.w.Header().Set(CanonicalResponseMetaHeader, value)\n}\n\nfunc (rp *http2RespWriter) Read(p []byte) (n int, err error) {\n\treturn rp.r.Read(p)\n}\n\nfunc (rp *http2RespWriter) Write(p []byte) (n int, err error) {\n\tdefer func() {\n\t\t// Implementer of OriginClient should make sure it doesn't write to the connection after Proxy returns\n\t\t// Register a recover routine just in case.\n\t\tif r := recover(); r != nil {\n\t\t\trp.log.Debug().Msgf(\"Recover from http2 response writer panic, error %s\", debug.Stack())\n\t\t}\n\t}()\n\tn, err = rp.w.Write(p)\n\tif err == nil && rp.shouldFlush {\n\t\trp.flusher.Flush()\n\t}\n\treturn n, err\n}\n\nfunc (rp *http2RespWriter) Close() error {\n\treturn nil\n}\n\nfunc determineHTTP2Type(r *http.Request) Type {\n\tswitch {\n\tcase isConfigurationUpdate(r):\n\t\treturn TypeConfiguration\n\tcase isWebsocketUpgrade(r):\n\t\treturn TypeWebsocket\n\tcase IsTCPStream(r):\n\t\treturn TypeTCP\n\tcase isControlStreamUpgrade(r):\n\t\treturn TypeControlStream\n\tdefault:\n\t\treturn TypeHTTP\n\t}\n}\n\nfunc handleMissingRequestParts(connType Type, r *http.Request) {\n\tif connType == TypeHTTP {\n\t\t// http library has no guarantees that we receive a filled URL. If not, then we fill it, as we reuse the request\n\t\t// for proxying. For proxying they should not matter since we control the dialer on every egress proxied.\n\t\tif len(r.URL.Scheme) == 0 {\n\t\t\tr.URL.Scheme = \"http\"\n\t\t}\n\t\tif len(r.URL.Host) == 0 {\n\t\t\tr.URL.Host = \"localhost:8080\"\n\t\t}\n\t}\n}\n\nfunc isControlStreamUpgrade(r *http.Request) bool {\n\treturn r.Header.Get(InternalUpgradeHeader) == ControlStreamUpgrade\n}\n\nfunc isWebsocketUpgrade(r *http.Request) bool {\n\treturn r.Header.Get(InternalUpgradeHeader) == WebsocketUpgrade\n}\n\nfunc isConfigurationUpdate(r *http.Request) bool {\n\treturn r.Header.Get(InternalUpgradeHeader) == ConfigurationUpdate\n}\n\n// IsTCPStream discerns if the connection request needs a tcp stream proxy.\nfunc IsTCPStream(r *http.Request) bool {\n\treturn r.Header.Get(InternalTCPProxySrcHeader) != \"\"\n}\n\nfunc stripWebsocketUpgradeHeader(r *http.Request) {\n\tr.Header.Del(InternalUpgradeHeader)\n}\n\n// getRequestHost returns the host of the http.Request.\nfunc getRequestHost(r *http.Request) (string, error) {\n\tif r.Host != \"\" {\n\t\treturn r.Host, nil\n\t}\n\tif r.URL != nil {\n\t\treturn r.URL.Host, nil\n\t}\n\treturn \"\", errors.New(\"host not set in incoming request\")\n}\n" }, { "path": "connection/http2_test.go", "content": "package connection\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/gobwas/ws/wsutil\"\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/http2\"\n\n\t\"github.com/cloudflare/cloudflared/client\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\nvar testTransport = http2.Transport{}\n\nfunc newTestHTTP2Connection() (*HTTP2Connection, net.Conn) {\n\tedgeConn, cfdConn := net.Pipe()\n\tconnIndex := uint8(0)\n\tlog := zerolog.Nop()\n\tobs := NewObserver(&log, &log)\n\tcontrolStream := NewControlStream(\n\t\tobs,\n\t\tmockConnectedFuse{},\n\t\t&TunnelProperties{},\n\t\tconnIndex,\n\t\tnil,\n\t\tnil,\n\t\t1*time.Second,\n\t\tnil,\n\t\t1*time.Second,\n\t\tHTTP2,\n\t)\n\treturn NewHTTP2Connection(\n\t\tcfdConn,\n\t\t// OriginProxy is set in testConfigManager\n\t\ttestOrchestrator,\n\t\t&client.ConnectionOptionsSnapshot{},\n\t\tobs,\n\t\tconnIndex,\n\t\tcontrolStream,\n\t\t&log,\n\t), edgeConn\n}\n\nfunc TestHTTP2ConfigurationSet(t *testing.T) {\n\thttp2Conn, edgeConn := newTestHTTP2Connection()\n\n\tctx, cancel := context.WithCancel(t.Context())\n\tvar wg sync.WaitGroup\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\t_ = http2Conn.Serve(ctx)\n\t}()\n\n\tedgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)\n\trequire.NoError(t, err)\n\n\treqBody := []byte(`{\n\"version\": 2,\n\"config\": {\"warp-routing\": {\"enabled\": true}, \"originRequest\" : {\"connectTimeout\": 10}, \"ingress\" : [ {\"hostname\": \"test\", \"service\": \"https://localhost:8000\" } , {\"service\": \"http_status:404\"} ]}}\n`)\n\treader := bytes.NewReader(reqBody)\n\treq, err := http.NewRequestWithContext(ctx, http.MethodPut, \"http://localhost:8080/ok\", reader)\n\trequire.NoError(t, err)\n\treq.Header.Set(InternalUpgradeHeader, ConfigurationUpdate)\n\n\tresp, err := edgeHTTP2Conn.RoundTrip(req)\n\trequire.NoError(t, err)\n\trequire.Equal(t, http.StatusOK, resp.StatusCode)\n\tbdy, err := io.ReadAll(resp.Body)\n\tdefer resp.Body.Close()\n\trequire.NoError(t, err)\n\tassert.Equal(t, `{\"lastAppliedVersion\":2,\"err\":null}`, string(bdy))\n\tcancel()\n\twg.Wait()\n}\n\nfunc TestServeHTTP(t *testing.T) {\n\ttests := []testRequest{\n\t\t{\n\t\t\tname: \"ok\",\n\t\t\tendpoint: \"ok\",\n\t\t\texpectedStatus: http.StatusOK,\n\t\t\texpectedBody: []byte(http.StatusText(http.StatusOK)),\n\t\t},\n\t\t{\n\t\t\tname: \"large_file\",\n\t\t\tendpoint: \"large_file\",\n\t\t\texpectedStatus: http.StatusOK,\n\t\t\texpectedBody: testLargeResp,\n\t\t},\n\t\t{\n\t\t\tname: \"Bad request\",\n\t\t\tendpoint: \"400\",\n\t\t\texpectedStatus: http.StatusBadRequest,\n\t\t\texpectedBody: []byte(http.StatusText(http.StatusBadRequest)),\n\t\t},\n\t\t{\n\t\t\tname: \"Internal server error\",\n\t\t\tendpoint: \"500\",\n\t\t\texpectedStatus: http.StatusInternalServerError,\n\t\t\texpectedBody: []byte(http.StatusText(http.StatusInternalServerError)),\n\t\t},\n\t\t{\n\t\t\tname: \"Proxy error\",\n\t\t\tendpoint: \"error\",\n\t\t\texpectedStatus: http.StatusBadGateway,\n\t\t\texpectedBody: nil,\n\t\t\tisProxyError: true,\n\t\t},\n\t}\n\n\thttp2Conn, edgeConn := newTestHTTP2Connection()\n\n\tctx, cancel := context.WithCancel(t.Context())\n\tvar wg sync.WaitGroup\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\t_ = http2Conn.Serve(ctx)\n\t}()\n\n\tedgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)\n\trequire.NoError(t, err)\n\n\tfor _, test := range tests {\n\t\tendpoint := fmt.Sprintf(\"http://localhost:8080/%s\", test.endpoint)\n\t\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)\n\t\trequire.NoError(t, err)\n\n\t\tresp, err := edgeHTTP2Conn.RoundTrip(req)\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, test.expectedStatus, resp.StatusCode)\n\t\tif test.expectedBody != nil {\n\t\t\trespBody, err := io.ReadAll(resp.Body)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, test.expectedBody, respBody)\n\t\t}\n\t\t_ = resp.Body.Close()\n\t\tif test.isProxyError {\n\t\t\trequire.Equal(t, responseMetaHeaderCfd, resp.Header.Get(ResponseMetaHeader))\n\t\t} else {\n\t\t\trequire.Equal(t, responseMetaHeaderOrigin, resp.Header.Get(ResponseMetaHeader))\n\t\t}\n\t}\n\tcancel()\n\twg.Wait()\n}\n\ntype mockNamedTunnelRPCClient struct {\n\tshouldFail error\n\tregistered chan struct{}\n\tunregistered chan struct{}\n}\n\nfunc (mc mockNamedTunnelRPCClient) SendLocalConfiguration(c context.Context, config []byte) error {\n\treturn nil\n}\n\nfunc (mc mockNamedTunnelRPCClient) RegisterConnection(\n\tctx context.Context,\n\tauth pogs.TunnelAuth,\n\ttunnelID uuid.UUID,\n\toptions *pogs.ConnectionOptions,\n\tconnIndex uint8,\n\tedgeAddress net.IP,\n) (*pogs.ConnectionDetails, error) {\n\tif mc.shouldFail != nil {\n\t\treturn nil, mc.shouldFail\n\t}\n\tclose(mc.registered)\n\treturn &pogs.ConnectionDetails{\n\t\tLocation: \"LIS\",\n\t\tUUID: uuid.New(),\n\t\tTunnelIsRemotelyManaged: false,\n\t}, nil\n}\n\nfunc (mc mockNamedTunnelRPCClient) GracefulShutdown(ctx context.Context, gracePeriod time.Duration) error {\n\tclose(mc.unregistered)\n\treturn nil\n}\n\nfunc (mockNamedTunnelRPCClient) Close() {}\n\ntype mockRPCClientFactory struct {\n\tshouldFail error\n\tregistered chan struct{}\n\tunregistered chan struct{}\n}\n\nfunc (mf *mockRPCClientFactory) newMockRPCClient(context.Context, io.ReadWriteCloser, time.Duration) tunnelrpc.RegistrationClient {\n\treturn &mockNamedTunnelRPCClient{\n\t\tshouldFail: mf.shouldFail,\n\t\tregistered: mf.registered,\n\t\tunregistered: mf.unregistered,\n\t}\n}\n\ntype wsRespWriter struct {\n\t*httptest.ResponseRecorder\n\treadPipe *io.PipeReader\n\twritePipe *io.PipeWriter\n\tclosed bool\n\tpanicked bool\n}\n\nfunc newWSRespWriter() *wsRespWriter {\n\treadPipe, writePipe := io.Pipe()\n\treturn &wsRespWriter{\n\t\thttptest.NewRecorder(),\n\t\treadPipe,\n\t\twritePipe,\n\t\tfalse,\n\t\tfalse,\n\t}\n}\n\ntype nowriter struct {\n\tio.Reader\n}\n\nfunc (nowriter) Write(_ []byte) (int, error) {\n\treturn 0, fmt.Errorf(\"writer not implemented\")\n}\n\nfunc (w *wsRespWriter) RespBody() io.ReadWriter {\n\treturn nowriter{w.readPipe}\n}\n\nfunc (w *wsRespWriter) Write(data []byte) (n int, err error) {\n\tif w.closed {\n\t\tw.panicked = true\n\t\treturn 0, errors.New(\"wsRespWriter panicked\")\n\t}\n\treturn w.writePipe.Write(data)\n}\n\nfunc (w *wsRespWriter) close() {\n\tw.closed = true\n}\n\nfunc TestServeWS(t *testing.T) {\n\thttp2Conn, _ := newTestHTTP2Connection()\n\n\tctx, cancel := context.WithCancel(t.Context())\n\n\trespWriter := newWSRespWriter()\n\treadPipe, writePipe := io.Pipe()\n\n\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, \"http://localhost:8080/ws/echo\", readPipe)\n\trequire.NoError(t, err)\n\treq.Header.Set(InternalUpgradeHeader, WebsocketUpgrade)\n\n\tserveDone := make(chan struct{})\n\tgo func() {\n\t\tdefer close(serveDone)\n\t\thttp2Conn.ServeHTTP(respWriter, req)\n\t\trespWriter.close()\n\t}()\n\n\tdata := []byte(\"test websocket\")\n\terr = wsutil.WriteClientBinary(writePipe, data)\n\trequire.NoError(t, err)\n\n\trespBody, err := wsutil.ReadServerBinary(respWriter.RespBody())\n\trequire.NoError(t, err)\n\trequire.Equal(t, data, respBody, \"expect %s, got %s\", string(data), string(respBody))\n\n\tcancel()\n\tresp := respWriter.Result()\n\tdefer resp.Body.Close()\n\t// http2RespWriter should rewrite status 101 to 200\n\trequire.Equal(t, http.StatusOK, resp.StatusCode)\n\trequire.Equal(t, responseMetaHeaderOrigin, resp.Header.Get(ResponseMetaHeader))\n\n\t<-serveDone\n\trequire.False(t, respWriter.panicked)\n}\n\n// TestNoWriteAfterServeHTTPReturns is a regression test of https://jira.cfdata.org/browse/TUN-5184\n// to make sure we don't write to the ResponseWriter after the ServeHTTP method returns\nfunc TestNoWriteAfterServeHTTPReturns(t *testing.T) {\n\tcfdHTTP2Conn, edgeTCPConn := newTestHTTP2Connection()\n\n\tctx, cancel := context.WithCancel(t.Context())\n\tvar wg sync.WaitGroup\n\n\tserverDone := make(chan struct{})\n\tgo func() {\n\t\tdefer close(serverDone)\n\t\t_ = cfdHTTP2Conn.Serve(ctx)\n\t}()\n\n\tedgeTransport := http2.Transport{}\n\tedgeHTTP2Conn, err := edgeTransport.NewClientConn(edgeTCPConn)\n\trequire.NoError(t, err)\n\tmessage := []byte(t.Name())\n\n\tfor i := 0; i < 100; i++ {\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\tdefer wg.Done()\n\t\t\treadPipe, writePipe := io.Pipe()\n\t\t\treqCtx, reqCancel := context.WithCancel(ctx)\n\t\t\treq, err := http.NewRequestWithContext(reqCtx, http.MethodGet, \"http://localhost:8080/ws/flaky\", readPipe)\n\t\t\tassert.NoError(t, err)\n\n\t\t\treq.Header.Set(InternalUpgradeHeader, WebsocketUpgrade)\n\n\t\t\tresp, err := edgeHTTP2Conn.RoundTrip(req)\n\t\t\tassert.NoError(t, err)\n\t\t\t_ = resp.Body.Close()\n\n\t\t\t// http2RespWriter should rewrite status 101 to 200\n\t\t\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\n\t\t\twg.Add(1)\n\t\t\tgo func() {\n\t\t\t\tdefer wg.Done()\n\t\t\t\tfor {\n\t\t\t\t\tselect {\n\t\t\t\t\tcase <-reqCtx.Done():\n\t\t\t\t\t\treturn\n\t\t\t\t\tdefault:\n\t\t\t\t\t}\n\t\t\t\t\t_ = wsutil.WriteClientBinary(writePipe, message)\n\t\t\t\t}\n\t\t\t}()\n\n\t\t\ttime.Sleep(time.Millisecond * 100)\n\t\t\treqCancel()\n\t\t}()\n\t}\n\n\twg.Wait()\n\tcancel()\n\t<-serverDone\n}\n\nfunc TestServeControlStream(t *testing.T) {\n\thttp2Conn, edgeConn := newTestHTTP2Connection()\n\n\trpcClientFactory := mockRPCClientFactory{\n\t\tregistered: make(chan struct{}),\n\t\tunregistered: make(chan struct{}),\n\t}\n\n\tobs := NewObserver(&log, &log)\n\tcontrolStream := NewControlStream(\n\t\tobs,\n\t\tmockConnectedFuse{},\n\t\t&TunnelProperties{},\n\t\t1,\n\t\tnil,\n\t\trpcClientFactory.newMockRPCClient,\n\t\t1*time.Second,\n\t\tnil,\n\t\t1*time.Second,\n\t\tHTTP2,\n\t)\n\thttp2Conn.controlStreamHandler = controlStream\n\n\tctx, cancel := context.WithCancel(t.Context())\n\tvar wg sync.WaitGroup\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\t_ = http2Conn.Serve(ctx)\n\t}()\n\n\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, \"http://localhost:8080/\", nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(InternalUpgradeHeader, ControlStreamUpgrade)\n\n\tedgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)\n\trequire.NoError(t, err)\n\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\t// nolint: bodyclose\n\t\t_, _ = edgeHTTP2Conn.RoundTrip(req)\n\t}()\n\n\t<-rpcClientFactory.registered\n\tcancel()\n\t<-rpcClientFactory.unregistered\n\tassert.False(t, http2Conn.stoppedGracefully)\n\n\twg.Wait()\n}\n\nfunc TestFailRegistration(t *testing.T) {\n\thttp2Conn, edgeConn := newTestHTTP2Connection()\n\n\trpcClientFactory := mockRPCClientFactory{\n\t\tshouldFail: errDuplicationConnection,\n\t\tregistered: make(chan struct{}),\n\t\tunregistered: make(chan struct{}),\n\t}\n\n\tobs := NewObserver(&log, &log)\n\tcontrolStream := NewControlStream(\n\t\tobs,\n\t\tmockConnectedFuse{},\n\t\t&TunnelProperties{},\n\t\thttp2Conn.connIndex,\n\t\tnil,\n\t\trpcClientFactory.newMockRPCClient,\n\t\t1*time.Second,\n\t\tnil,\n\t\t1*time.Second,\n\t\tHTTP2,\n\t)\n\thttp2Conn.controlStreamHandler = controlStream\n\n\tctx, cancel := context.WithCancel(t.Context())\n\tvar wg sync.WaitGroup\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\t_ = http2Conn.Serve(ctx)\n\t}()\n\n\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, \"http://localhost:8080/\", nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(InternalUpgradeHeader, ControlStreamUpgrade)\n\n\tedgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)\n\trequire.NoError(t, err)\n\tresp, err := edgeHTTP2Conn.RoundTrip(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\trequire.Equal(t, http.StatusBadGateway, resp.StatusCode)\n\n\trequire.Error(t, http2Conn.controlStreamErr)\n\tcancel()\n\twg.Wait()\n}\n\nfunc TestGracefulShutdownHTTP2(t *testing.T) {\n\thttp2Conn, edgeConn := newTestHTTP2Connection()\n\n\trpcClientFactory := mockRPCClientFactory{\n\t\tregistered: make(chan struct{}),\n\t\tunregistered: make(chan struct{}),\n\t}\n\tevents := &eventCollectorSink{}\n\n\tshutdownC := make(chan struct{})\n\tobs := NewObserver(&log, &log)\n\tobs.RegisterSink(events)\n\tcontrolStream := NewControlStream(\n\t\tobs,\n\t\tmockConnectedFuse{},\n\t\t&TunnelProperties{},\n\t\thttp2Conn.connIndex,\n\t\tnil,\n\t\trpcClientFactory.newMockRPCClient,\n\t\t1*time.Second,\n\t\tshutdownC,\n\t\t1*time.Second,\n\t\tHTTP2,\n\t)\n\n\thttp2Conn.controlStreamHandler = controlStream\n\n\tctx, cancel := context.WithCancel(t.Context())\n\tvar wg sync.WaitGroup\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\t_ = http2Conn.Serve(ctx)\n\t}()\n\n\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, \"http://localhost:8080/\", nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(InternalUpgradeHeader, ControlStreamUpgrade)\n\n\tedgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)\n\trequire.NoError(t, err)\n\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\t// nolint: bodyclose\n\t\t_, _ = edgeHTTP2Conn.RoundTrip(req)\n\t}()\n\n\tselect {\n\tcase <-rpcClientFactory.registered:\n\t\tbreak // ok\n\tcase <-time.Tick(time.Second):\n\t\tt.Fatal(\"timeout out waiting for registration\")\n\t}\n\n\t// signal graceful shutdown\n\tclose(shutdownC)\n\n\tselect {\n\tcase <-rpcClientFactory.unregistered:\n\t\tbreak // ok\n\tcase <-time.Tick(time.Second):\n\t\tt.Fatal(\"timeout out waiting for unregistered signal\")\n\t}\n\tassert.True(t, controlStream.IsStopped())\n\n\tcancel()\n\twg.Wait()\n\n\tevents.assertSawEvent(t, Event{\n\t\tIndex: http2Conn.connIndex,\n\t\tEventType: Unregistering,\n\t})\n}\n\nfunc TestServeTCP_RateLimited(t *testing.T) {\n\tctx, cancel := context.WithCancel(t.Context())\n\thttp2Conn, edgeConn := newTestHTTP2Connection()\n\n\tvar wg sync.WaitGroup\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\t_ = http2Conn.Serve(ctx)\n\t}()\n\n\tedgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)\n\trequire.NoError(t, err)\n\n\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, \"http://localhost:8080\", nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(InternalTCPProxySrcHeader, \"tcp\")\n\treq.Header.Set(tracing.TracerContextName, \"flow-rate-limited\")\n\n\tresp, err := edgeHTTP2Conn.RoundTrip(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\n\trequire.Equal(t, http.StatusBadGateway, resp.StatusCode)\n\trequire.Equal(t, responseMetaHeaderCfdFlowRateLimited, resp.Header.Get(ResponseMetaHeader))\n\n\tcancel()\n\twg.Wait()\n}\n\nfunc benchmarkServeHTTP(b *testing.B, test testRequest) {\n\thttp2Conn, edgeConn := newTestHTTP2Connection()\n\n\tctx, cancel := context.WithCancel(b.Context())\n\tvar wg sync.WaitGroup\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\t_ = http2Conn.Serve(ctx)\n\t}()\n\n\tendpoint := fmt.Sprintf(\"http://localhost:8080/%s\", test.endpoint)\n\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)\n\trequire.NoError(b, err)\n\n\tedgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)\n\trequire.NoError(b, err)\n\n\tb.ResetTimer()\n\tfor i := 0; i < b.N; i++ {\n\t\tb.StartTimer()\n\t\tresp, err := edgeHTTP2Conn.RoundTrip(req)\n\t\tb.StopTimer()\n\t\trequire.NoError(b, err)\n\t\trequire.Equal(b, test.expectedStatus, resp.StatusCode)\n\t\tif test.expectedBody != nil {\n\t\t\trespBody, err := io.ReadAll(resp.Body)\n\t\t\trequire.NoError(b, err)\n\t\t\trequire.Equal(b, test.expectedBody, respBody)\n\t\t}\n\t\tresp.Body.Close()\n\t}\n\n\tcancel()\n\twg.Wait()\n}\n\nfunc BenchmarkServeHTTPSimple(b *testing.B) {\n\ttest := testRequest{\n\t\tname: \"ok\",\n\t\tendpoint: \"ok\",\n\t\texpectedStatus: http.StatusOK,\n\t\texpectedBody: []byte(http.StatusText(http.StatusOK)),\n\t}\n\n\tbenchmarkServeHTTP(b, test)\n}\n\nfunc BenchmarkServeHTTPLargeFile(b *testing.B) {\n\ttest := testRequest{\n\t\tname: \"large_file\",\n\t\tendpoint: \"large_file\",\n\t\texpectedStatus: http.StatusOK,\n\t\texpectedBody: testLargeResp,\n\t}\n\n\tbenchmarkServeHTTP(b, test)\n}\n" }, { "path": "connection/json.go", "content": "package connection\n\nimport (\n\tjsoniter \"github.com/json-iterator/go\"\n)\n\nvar json = jsoniter.ConfigFastest\n" }, { "path": "connection/metrics.go", "content": "package connection\n\nimport (\n\t\"sync\"\n\n\t\"github.com/prometheus/client_golang/prometheus\"\n)\n\nconst (\n\tMetricsNamespace = \"cloudflared\"\n\tTunnelSubsystem = \"tunnel\"\n\tmuxerSubsystem = \"muxer\"\n\tconfigSubsystem = \"config\"\n)\n\ntype localConfigMetrics struct {\n\tpushes prometheus.Counter\n\tpushesErrors prometheus.Counter\n}\n\ntype tunnelMetrics struct {\n\tserverLocations *prometheus.GaugeVec\n\t// locationLock is a mutex for oldServerLocations\n\tlocationLock sync.Mutex\n\t// oldServerLocations stores the last server the tunnel was connected to\n\toldServerLocations map[string]string\n\n\tregSuccess *prometheus.CounterVec\n\tregFail *prometheus.CounterVec\n\trpcFail *prometheus.CounterVec\n\n\ttunnelsHA tunnelsForHA\n\tuserHostnamesCounts *prometheus.CounterVec\n\n\tlocalConfigMetrics *localConfigMetrics\n}\n\nfunc newLocalConfigMetrics() *localConfigMetrics {\n\n\tpushesMetric := prometheus.NewCounter(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: MetricsNamespace,\n\t\t\tSubsystem: configSubsystem,\n\t\t\tName: \"local_config_pushes\",\n\t\t\tHelp: \"Number of local configuration pushes to the edge\",\n\t\t},\n\t)\n\n\tpushesErrorsMetric := prometheus.NewCounter(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: MetricsNamespace,\n\t\t\tSubsystem: configSubsystem,\n\t\t\tName: \"local_config_pushes_errors\",\n\t\t\tHelp: \"Number of errors occurred during local configuration pushes\",\n\t\t},\n\t)\n\n\tprometheus.MustRegister(\n\t\tpushesMetric,\n\t\tpushesErrorsMetric,\n\t)\n\n\treturn &localConfigMetrics{\n\t\tpushes: pushesMetric,\n\t\tpushesErrors: pushesErrorsMetric,\n\t}\n}\n\n// Metrics that can be collected without asking the edge\nfunc initTunnelMetrics() *tunnelMetrics {\n\tmaxConcurrentRequestsPerTunnel := prometheus.NewGaugeVec(\n\t\tprometheus.GaugeOpts{\n\t\t\tNamespace: MetricsNamespace,\n\t\t\tSubsystem: TunnelSubsystem,\n\t\t\tName: \"max_concurrent_requests_per_tunnel\",\n\t\t\tHelp: \"Largest number of concurrent requests proxied through each tunnel so far\",\n\t\t},\n\t\t[]string{\"connection_id\"},\n\t)\n\tprometheus.MustRegister(maxConcurrentRequestsPerTunnel)\n\n\tserverLocations := prometheus.NewGaugeVec(\n\t\tprometheus.GaugeOpts{\n\t\t\tNamespace: MetricsNamespace,\n\t\t\tSubsystem: TunnelSubsystem,\n\t\t\tName: \"server_locations\",\n\t\t\tHelp: \"Where each tunnel is connected to. 1 means current location, 0 means previous locations.\",\n\t\t},\n\t\t[]string{\"connection_id\", \"edge_location\"},\n\t)\n\tprometheus.MustRegister(serverLocations)\n\n\trpcFail := prometheus.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: MetricsNamespace,\n\t\t\tSubsystem: TunnelSubsystem,\n\t\t\tName: \"tunnel_rpc_fail\",\n\t\t\tHelp: \"Count of RPC connection errors by type\",\n\t\t},\n\t\t[]string{\"error\", \"rpcName\"},\n\t)\n\tprometheus.MustRegister(rpcFail)\n\n\tregisterFail := prometheus.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: MetricsNamespace,\n\t\t\tSubsystem: TunnelSubsystem,\n\t\t\tName: \"tunnel_register_fail\",\n\t\t\tHelp: \"Count of tunnel registration errors by type\",\n\t\t},\n\t\t[]string{\"error\", \"rpcName\"},\n\t)\n\tprometheus.MustRegister(registerFail)\n\n\tuserHostnamesCounts := prometheus.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: MetricsNamespace,\n\t\t\tSubsystem: TunnelSubsystem,\n\t\t\tName: \"user_hostnames_counts\",\n\t\t\tHelp: \"Which user hostnames cloudflared is serving\",\n\t\t},\n\t\t[]string{\"userHostname\"},\n\t)\n\tprometheus.MustRegister(userHostnamesCounts)\n\n\tregisterSuccess := prometheus.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: MetricsNamespace,\n\t\t\tSubsystem: TunnelSubsystem,\n\t\t\tName: \"tunnel_register_success\",\n\t\t\tHelp: \"Count of successful tunnel registrations\",\n\t\t},\n\t\t[]string{\"rpcName\"},\n\t)\n\tprometheus.MustRegister(registerSuccess)\n\n\treturn &tunnelMetrics{\n\t\tserverLocations: serverLocations,\n\t\toldServerLocations: make(map[string]string),\n\t\ttunnelsHA: newTunnelsForHA(),\n\t\tregSuccess: registerSuccess,\n\t\tregFail: registerFail,\n\t\trpcFail: rpcFail,\n\t\tuserHostnamesCounts: userHostnamesCounts,\n\t\tlocalConfigMetrics: newLocalConfigMetrics(),\n\t}\n}\n\nfunc (t *tunnelMetrics) registerServerLocation(connectionID, loc string) {\n\tt.locationLock.Lock()\n\tdefer t.locationLock.Unlock()\n\tif oldLoc, ok := t.oldServerLocations[connectionID]; ok && oldLoc == loc {\n\t\treturn\n\t} else if ok {\n\t\tt.serverLocations.WithLabelValues(connectionID, oldLoc).Dec()\n\t}\n\tt.serverLocations.WithLabelValues(connectionID, loc).Inc()\n\tt.oldServerLocations[connectionID] = loc\n}\n\nvar tunnelMetricsInternal struct {\n\tsync.Once\n\tmetrics *tunnelMetrics\n}\n\nfunc newTunnelMetrics() *tunnelMetrics {\n\ttunnelMetricsInternal.Do(func() {\n\t\ttunnelMetricsInternal.metrics = initTunnelMetrics()\n\t})\n\treturn tunnelMetricsInternal.metrics\n}\n" }, { "path": "connection/observer.go", "content": "package connection\n\nimport (\n\t\"net\"\n\t\"strings\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/management\"\n)\n\nconst (\n\tLogFieldConnectionID = \"connection\"\n\tLogFieldLocation = \"location\"\n\tLogFieldIPAddress = \"ip\"\n\tLogFieldProtocol = \"protocol\"\n\tobserverChannelBufferSize = 16\n)\n\ntype Observer struct {\n\tlog *zerolog.Logger\n\tlogTransport *zerolog.Logger\n\tmetrics *tunnelMetrics\n\ttunnelEventChan chan Event\n\taddSinkChan chan EventSink\n}\n\ntype EventSink interface {\n\tOnTunnelEvent(event Event)\n}\n\nfunc NewObserver(log, logTransport *zerolog.Logger) *Observer {\n\to := &Observer{\n\t\tlog: log,\n\t\tlogTransport: logTransport,\n\t\tmetrics: newTunnelMetrics(),\n\t\ttunnelEventChan: make(chan Event, observerChannelBufferSize),\n\t\taddSinkChan: make(chan EventSink, observerChannelBufferSize),\n\t}\n\tgo o.dispatchEvents()\n\treturn o\n}\n\nfunc (o *Observer) RegisterSink(sink EventSink) {\n\to.addSinkChan <- sink\n}\n\nfunc (o *Observer) logConnecting(connIndex uint8, address net.IP, protocol Protocol) {\n\to.log.Debug().\n\t\tInt(management.EventTypeKey, int(management.Cloudflared)).\n\t\tUint8(LogFieldConnIndex, connIndex).\n\t\tIPAddr(LogFieldIPAddress, address).\n\t\tStr(LogFieldProtocol, protocol.String()).\n\t\tMsg(\"Registering tunnel connection\")\n}\n\nfunc (o *Observer) logConnected(connectionID uuid.UUID, connIndex uint8, location string, address net.IP, protocol Protocol) {\n\to.log.Info().\n\t\tInt(management.EventTypeKey, int(management.Cloudflared)).\n\t\tStr(LogFieldConnectionID, connectionID.String()).\n\t\tUint8(LogFieldConnIndex, connIndex).\n\t\tStr(LogFieldLocation, location).\n\t\tIPAddr(LogFieldIPAddress, address).\n\t\tStr(LogFieldProtocol, protocol.String()).\n\t\tMsg(\"Registered tunnel connection\")\n\to.metrics.registerServerLocation(uint8ToString(connIndex), location)\n}\n\nfunc (o *Observer) sendRegisteringEvent(connIndex uint8) {\n\to.sendEvent(Event{Index: connIndex, EventType: RegisteringTunnel})\n}\n\nfunc (o *Observer) sendConnectedEvent(connIndex uint8, protocol Protocol, location string, edgeAddress net.IP) {\n\to.sendEvent(Event{Index: connIndex, EventType: Connected, Protocol: protocol, Location: location, EdgeAddress: edgeAddress})\n}\n\nfunc (o *Observer) SendURL(url string) {\n\to.sendEvent(Event{EventType: SetURL, URL: url})\n\n\tif !strings.HasPrefix(url, \"https://\") {\n\t\t// We add https:// in the prefix for backwards compatibility as we used to do that with the old free tunnels\n\t\t// and some tools (like `wrangler tail`) are regexp-ing for that specifically.\n\t\turl = \"https://\" + url\n\t}\n\to.metrics.userHostnamesCounts.WithLabelValues(url).Inc()\n}\n\nfunc (o *Observer) SendReconnect(connIndex uint8) {\n\to.sendEvent(Event{Index: connIndex, EventType: Reconnecting})\n}\n\nfunc (o *Observer) sendUnregisteringEvent(connIndex uint8) {\n\to.sendEvent(Event{Index: connIndex, EventType: Unregistering})\n}\n\nfunc (o *Observer) SendDisconnect(connIndex uint8) {\n\to.sendEvent(Event{Index: connIndex, EventType: Disconnected})\n}\n\nfunc (o *Observer) sendEvent(e Event) {\n\tselect {\n\tcase o.tunnelEventChan <- e:\n\t\tbreak\n\tdefault:\n\t\to.log.Warn().Msg(\"observer channel buffer is full\")\n\t}\n}\n\nfunc (o *Observer) dispatchEvents() {\n\tvar sinks []EventSink\n\tfor {\n\t\tselect {\n\t\tcase sink := <-o.addSinkChan:\n\t\t\tsinks = append(sinks, sink)\n\t\tcase evt := <-o.tunnelEventChan:\n\t\t\tfor _, sink := range sinks {\n\t\t\t\tsink.OnTunnelEvent(evt)\n\t\t\t}\n\t\t}\n\t}\n}\n\ntype EventSinkFunc func(event Event)\n\nfunc (f EventSinkFunc) OnTunnelEvent(event Event) {\n\tf(event)\n}\n" }, { "path": "connection/observer_test.go", "content": "package connection\n\nimport (\n\t\"strconv\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/prometheus/client_golang/prometheus\"\n\tdto \"github.com/prometheus/client_model/go\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestSendUrl(t *testing.T) {\n\tobserver := NewObserver(&log, &log)\n\n\tobserver.SendURL(\"my-url.com\")\n\tassert.Equal(t, 1.0, getCounterValue(t, observer.metrics.userHostnamesCounts, \"https://my-url.com\"))\n\n\tobserver.SendURL(\"https://another-long-one.com\")\n\tassert.Equal(t, 1.0, getCounterValue(t, observer.metrics.userHostnamesCounts, \"https://another-long-one.com\"))\n}\n\nfunc getCounterValue(t *testing.T, metric *prometheus.CounterVec, val string) float64 {\n\tvar m = &dto.Metric{}\n\terr := metric.WithLabelValues(val).Write(m)\n\tassert.NoError(t, err)\n\treturn m.Counter.GetValue()\n}\n\nfunc TestRegisterServerLocation(t *testing.T) {\n\tm := newTunnelMetrics()\n\ttunnels := 20\n\tvar wg sync.WaitGroup\n\twg.Add(tunnels)\n\tfor i := 0; i < tunnels; i++ {\n\t\tgo func(i int) {\n\t\t\tid := strconv.Itoa(i)\n\t\t\tm.registerServerLocation(id, \"LHR\")\n\t\t\twg.Done()\n\t\t}(i)\n\t}\n\twg.Wait()\n\tfor i := 0; i < tunnels; i++ {\n\t\tid := strconv.Itoa(i)\n\t\tassert.Equal(t, \"LHR\", m.oldServerLocations[id])\n\t}\n\n\twg.Add(tunnels)\n\tfor i := 0; i < tunnels; i++ {\n\t\tgo func(i int) {\n\t\t\tid := strconv.Itoa(i)\n\t\t\tm.registerServerLocation(id, \"AUS\")\n\t\t\twg.Done()\n\t\t}(i)\n\t}\n\twg.Wait()\n\tfor i := 0; i < tunnels; i++ {\n\t\tid := strconv.Itoa(i)\n\t\tassert.Equal(t, \"AUS\", m.oldServerLocations[id])\n\t}\n\n}\n\nfunc TestObserverEventsDontBlock(t *testing.T) {\n\tobserver := NewObserver(&log, &log)\n\tvar mu sync.Mutex\n\tobserver.RegisterSink(EventSinkFunc(func(_ Event) {\n\t\t// callback will block if lock is already held\n\t\tmu.Lock()\n\t\tmu.Unlock()\n\t}))\n\n\ttimeout := time.AfterFunc(5*time.Second, func() {\n\t\tmu.Unlock() // release the callback on timer expiration\n\t\tt.Fatal(\"observer is blocked\")\n\t})\n\n\tmu.Lock() // block the callback\n\tfor i := 0; i < 2*observerChannelBufferSize; i++ {\n\t\tobserver.sendRegisteringEvent(0)\n\t}\n\tif pending := timeout.Stop(); pending {\n\t\t// release the callback if timer hasn't expired yet\n\t\tmu.Unlock()\n\t}\n}\n\ntype eventCollectorSink struct {\n\tobservedEvents []Event\n\tmu sync.Mutex\n}\n\nfunc (s *eventCollectorSink) OnTunnelEvent(event Event) {\n\ts.mu.Lock()\n\tdefer s.mu.Unlock()\n\ts.observedEvents = append(s.observedEvents, event)\n}\n\nfunc (s *eventCollectorSink) assertSawEvent(t *testing.T, event Event) {\n\ts.mu.Lock()\n\tdefer s.mu.Unlock()\n\tassert.Contains(t, s.observedEvents, event)\n}\n" }, { "path": "connection/protocol.go", "content": "package connection\n\nimport (\n\t\"fmt\"\n\t\"hash/fnv\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/edgediscovery\"\n)\n\nconst (\n\tAvailableProtocolFlagMessage = \"Available protocols: 'auto' - automatically chooses the best protocol over time (the default; and also the recommended one); 'quic' - based on QUIC, relying on UDP egress to Cloudflare edge; 'http2' - using Go's HTTP2 library, relying on TCP egress to Cloudflare edge\"\n\t// edgeH2muxTLSServerName is the server name to establish h2mux connection with edge (unused, but kept for legacy reference).\n\t_ = \"cftunnel.com\"\n\t// edgeH2TLSServerName is the server name to establish http2 connection with edge\n\tedgeH2TLSServerName = \"h2.cftunnel.com\"\n\t// edgeQUICServerName is the server name to establish quic connection with edge.\n\tedgeQUICServerName = \"quic.cftunnel.com\"\n\tAutoSelectFlag = \"auto\"\n\t// SRV and TXT record resolution TTL\n\tResolveTTL = time.Hour\n)\n\n// ProtocolList represents a list of supported protocols for communication with the edge\n// in order of precedence for remote percentage fetcher.\nvar ProtocolList = []Protocol{QUIC, HTTP2}\n\ntype Protocol int64\n\nconst (\n\t// HTTP2 using golang HTTP2 library for edge connections.\n\tHTTP2 Protocol = iota\n\t// QUIC using quic-go for edge connections.\n\tQUIC\n)\n\n// Fallback returns the fallback protocol and whether the protocol has a fallback\nfunc (p Protocol) fallback() (Protocol, bool) {\n\tswitch p {\n\tcase HTTP2:\n\t\treturn 0, false\n\tcase QUIC:\n\t\treturn HTTP2, true\n\tdefault:\n\t\treturn 0, false\n\t}\n}\n\nfunc (p Protocol) String() string {\n\tswitch p {\n\tcase HTTP2:\n\t\treturn \"http2\"\n\tcase QUIC:\n\t\treturn \"quic\"\n\tdefault:\n\t\treturn \"unknown protocol\"\n\t}\n}\n\nfunc (p Protocol) TLSSettings() *TLSSettings {\n\tswitch p {\n\tcase HTTP2:\n\t\treturn &TLSSettings{\n\t\t\tServerName: edgeH2TLSServerName,\n\t\t}\n\tcase QUIC:\n\t\treturn &TLSSettings{\n\t\t\tServerName: edgeQUICServerName,\n\t\t\tNextProtos: []string{\"argotunnel\"},\n\t\t}\n\tdefault:\n\t\treturn nil\n\t}\n}\n\ntype TLSSettings struct {\n\tServerName string\n\tNextProtos []string\n}\n\ntype ProtocolSelector interface {\n\tCurrent() Protocol\n\tFallback() (Protocol, bool)\n}\n\n// staticProtocolSelector will not provide a different protocol for Fallback\ntype staticProtocolSelector struct {\n\tcurrent Protocol\n}\n\nfunc (s *staticProtocolSelector) Current() Protocol {\n\treturn s.current\n}\n\nfunc (s *staticProtocolSelector) Fallback() (Protocol, bool) {\n\treturn s.current, false\n}\n\n// remoteProtocolSelector will fetch a list of remote protocols to provide for edge discovery\ntype remoteProtocolSelector struct {\n\tlock sync.RWMutex\n\n\tcurrent Protocol\n\n\t// protocolPool is desired protocols in the order of priority they should be picked in.\n\tprotocolPool []Protocol\n\n\tswitchThreshold int32\n\tfetchFunc edgediscovery.PercentageFetcher\n\trefreshAfter time.Time\n\tttl time.Duration\n\tlog *zerolog.Logger\n}\n\nfunc newRemoteProtocolSelector(\n\tcurrent Protocol,\n\tprotocolPool []Protocol,\n\tswitchThreshold int32,\n\tfetchFunc edgediscovery.PercentageFetcher,\n\tttl time.Duration,\n\tlog *zerolog.Logger,\n) *remoteProtocolSelector {\n\treturn &remoteProtocolSelector{\n\t\tcurrent: current,\n\t\tprotocolPool: protocolPool,\n\t\tswitchThreshold: switchThreshold,\n\t\tfetchFunc: fetchFunc,\n\t\trefreshAfter: time.Now().Add(ttl),\n\t\tttl: ttl,\n\t\tlog: log,\n\t}\n}\n\nfunc (s *remoteProtocolSelector) Current() Protocol {\n\ts.lock.Lock()\n\tdefer s.lock.Unlock()\n\tif time.Now().Before(s.refreshAfter) {\n\t\treturn s.current\n\t}\n\n\tprotocol, err := getProtocol(s.protocolPool, s.fetchFunc, s.switchThreshold)\n\tif err != nil {\n\t\ts.log.Err(err).Msg(\"Failed to refresh protocol\")\n\t\treturn s.current\n\t}\n\ts.current = protocol\n\n\ts.refreshAfter = time.Now().Add(s.ttl)\n\treturn s.current\n}\n\nfunc (s *remoteProtocolSelector) Fallback() (Protocol, bool) {\n\ts.lock.RLock()\n\tdefer s.lock.RUnlock()\n\treturn s.current.fallback()\n}\n\nfunc getProtocol(protocolPool []Protocol, fetchFunc edgediscovery.PercentageFetcher, switchThreshold int32) (Protocol, error) {\n\tprotocolPercentages, err := fetchFunc()\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\tfor _, protocol := range protocolPool {\n\t\tprotocolPercentage := protocolPercentages.GetPercentage(protocol.String())\n\t\tif protocolPercentage > switchThreshold {\n\t\t\treturn protocol, nil\n\t\t}\n\t}\n\n\t// Default to first index in protocolPool list\n\treturn protocolPool[0], nil\n}\n\n// defaultProtocolSelector will allow for a protocol to have a fallback\ntype defaultProtocolSelector struct {\n\tlock sync.RWMutex\n\tcurrent Protocol\n}\n\nfunc newDefaultProtocolSelector(\n\tcurrent Protocol,\n) *defaultProtocolSelector {\n\treturn &defaultProtocolSelector{\n\t\tcurrent: current,\n\t}\n}\n\nfunc (s *defaultProtocolSelector) Current() Protocol {\n\ts.lock.Lock()\n\tdefer s.lock.Unlock()\n\treturn s.current\n}\n\nfunc (s *defaultProtocolSelector) Fallback() (Protocol, bool) {\n\ts.lock.RLock()\n\tdefer s.lock.RUnlock()\n\treturn s.current.fallback()\n}\n\nfunc NewProtocolSelector(\n\tprotocolFlag string,\n\taccountTag string,\n\ttunnelTokenProvided bool,\n\tneedPQ bool,\n\tprotocolFetcher edgediscovery.PercentageFetcher,\n\tresolveTTL time.Duration,\n\tlog *zerolog.Logger,\n) (ProtocolSelector, error) {\n\t// With --post-quantum, we force quic\n\tif needPQ {\n\t\treturn &staticProtocolSelector{\n\t\t\tcurrent: QUIC,\n\t\t}, nil\n\t}\n\n\tthreshold := switchThreshold(accountTag)\n\tfetchedProtocol, err := getProtocol(ProtocolList, protocolFetcher, threshold)\n\tlog.Debug().Msgf(\"Fetched protocol: %s\", fetchedProtocol)\n\tif err != nil {\n\t\tlog.Warn().Msg(\"Unable to lookup protocol percentage.\")\n\t\t// Falling through here since 'auto' is handled in the switch and failing\n\t\t// to do the protocol lookup isn't a failure since it can be triggered again\n\t\t// after the TTL.\n\t}\n\n\t// If the user picks a protocol, then we stick to it no matter what.\n\tswitch protocolFlag {\n\tcase \"h2mux\":\n\t\t// Any users still requesting h2mux will be upgraded to http2 instead\n\t\tlog.Warn().Msg(\"h2mux is no longer a supported protocol: upgrading edge connection to http2. Please remove '--protocol h2mux' from runtime arguments to remove this warning.\")\n\t\treturn &staticProtocolSelector{current: HTTP2}, nil\n\tcase QUIC.String():\n\t\treturn &staticProtocolSelector{current: QUIC}, nil\n\tcase HTTP2.String():\n\t\treturn &staticProtocolSelector{current: HTTP2}, nil\n\tcase AutoSelectFlag:\n\t\t// When a --token is provided, we want to start with QUIC but have fallback to HTTP2\n\t\tif tunnelTokenProvided {\n\t\t\treturn newDefaultProtocolSelector(QUIC), nil\n\t\t}\n\t\treturn newRemoteProtocolSelector(fetchedProtocol, ProtocolList, threshold, protocolFetcher, resolveTTL, log), nil\n\t}\n\n\treturn nil, fmt.Errorf(\"unknown protocol %s, %s\", protocolFlag, AvailableProtocolFlagMessage)\n}\n\nfunc switchThreshold(accountTag string) int32 {\n\th := fnv.New32a()\n\t_, _ = h.Write([]byte(accountTag))\n\treturn int32(h.Sum32() % 100) // nolint: gosec\n}\n" }, { "path": "connection/protocol_test.go", "content": "package connection\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n\n\t\"github.com/cloudflare/cloudflared/edgediscovery\"\n)\n\nconst (\n\ttestNoTTL = 0\n\ttestAccountTag = \"testAccountTag\"\n)\n\nfunc mockFetcher(getError bool, protocolPercent ...edgediscovery.ProtocolPercent) edgediscovery.PercentageFetcher {\n\treturn func() (edgediscovery.ProtocolPercents, error) {\n\t\tif getError {\n\t\t\treturn nil, fmt.Errorf(\"failed to fetch percentage\")\n\t\t}\n\t\treturn protocolPercent, nil\n\t}\n}\n\ntype dynamicMockFetcher struct {\n\tprotocolPercents edgediscovery.ProtocolPercents\n\terr error\n}\n\nfunc (dmf *dynamicMockFetcher) fetch() edgediscovery.PercentageFetcher {\n\treturn func() (edgediscovery.ProtocolPercents, error) {\n\t\treturn dmf.protocolPercents, dmf.err\n\t}\n}\n\nfunc TestNewProtocolSelector(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tprotocol string\n\t\ttunnelTokenProvided bool\n\t\tneedPQ bool\n\t\texpectedProtocol Protocol\n\t\thasFallback bool\n\t\texpectedFallback Protocol\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\tname: \"named tunnel with unknown protocol\",\n\t\t\tprotocol: \"unknown\",\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"named tunnel with h2mux: force to http2\",\n\t\t\tprotocol: \"h2mux\",\n\t\t\texpectedProtocol: HTTP2,\n\t\t},\n\t\t{\n\t\t\tname: \"named tunnel with http2: no fallback\",\n\t\t\tprotocol: \"http2\",\n\t\t\texpectedProtocol: HTTP2,\n\t\t},\n\t\t{\n\t\t\tname: \"named tunnel with auto: quic\",\n\t\t\tprotocol: AutoSelectFlag,\n\t\t\texpectedProtocol: QUIC,\n\t\t\thasFallback: true,\n\t\t\texpectedFallback: HTTP2,\n\t\t},\n\t\t{\n\t\t\tname: \"named tunnel (post quantum)\",\n\t\t\tprotocol: AutoSelectFlag,\n\t\t\tneedPQ: true,\n\t\t\texpectedProtocol: QUIC,\n\t\t},\n\t\t{\n\t\t\tname: \"named tunnel (post quantum) w/http2\",\n\t\t\tprotocol: \"http2\",\n\t\t\tneedPQ: true,\n\t\t\texpectedProtocol: QUIC,\n\t\t},\n\t}\n\n\tfetcher := dynamicMockFetcher{\n\t\tprotocolPercents: edgediscovery.ProtocolPercents{},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tselector, err := NewProtocolSelector(test.protocol, testAccountTag, test.tunnelTokenProvided, test.needPQ, fetcher.fetch(), ResolveTTL, &log)\n\t\t\tif test.wantErr {\n\t\t\t\tassert.Error(t, err, fmt.Sprintf(\"test %s failed\", test.name))\n\t\t\t} else {\n\t\t\t\tassert.NoError(t, err, fmt.Sprintf(\"test %s failed\", test.name))\n\t\t\t\tassert.Equal(t, test.expectedProtocol, selector.Current(), fmt.Sprintf(\"test %s failed\", test.name))\n\t\t\t\tfallback, ok := selector.Fallback()\n\t\t\t\tassert.Equal(t, test.hasFallback, ok, fmt.Sprintf(\"test %s failed\", test.name))\n\t\t\t\tif test.hasFallback {\n\t\t\t\t\tassert.Equal(t, test.expectedFallback, fallback, fmt.Sprintf(\"test %s failed\", test.name))\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestAutoProtocolSelectorRefresh(t *testing.T) {\n\tfetcher := dynamicMockFetcher{}\n\tselector, err := NewProtocolSelector(AutoSelectFlag, testAccountTag, false, false, fetcher.fetch(), testNoTTL, &log)\n\tassert.NoError(t, err)\n\tassert.Equal(t, QUIC, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: 100}}\n\tassert.Equal(t, HTTP2, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: 0}}\n\tassert.Equal(t, QUIC, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: 100}}\n\tassert.Equal(t, HTTP2, selector.Current())\n\n\tfetcher.err = fmt.Errorf(\"failed to fetch\")\n\tassert.Equal(t, HTTP2, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: -1}}\n\tfetcher.err = nil\n\tassert.Equal(t, QUIC, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: 0}}\n\tassert.Equal(t, QUIC, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"quic\", Percentage: 100}}\n\tassert.Equal(t, QUIC, selector.Current())\n}\n\nfunc TestHTTP2ProtocolSelectorRefresh(t *testing.T) {\n\tfetcher := dynamicMockFetcher{}\n\t// Since the user chooses http2 on purpose, we always stick to it.\n\tselector, err := NewProtocolSelector(HTTP2.String(), testAccountTag, false, false, fetcher.fetch(), testNoTTL, &log)\n\tassert.NoError(t, err)\n\tassert.Equal(t, HTTP2, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: 100}}\n\tassert.Equal(t, HTTP2, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: 0}}\n\tassert.Equal(t, HTTP2, selector.Current())\n\n\tfetcher.err = fmt.Errorf(\"failed to fetch\")\n\tassert.Equal(t, HTTP2, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: -1}}\n\tfetcher.err = nil\n\tassert.Equal(t, HTTP2, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: 0}}\n\tassert.Equal(t, HTTP2, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: 100}}\n\tassert.Equal(t, HTTP2, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: -1}}\n\tassert.Equal(t, HTTP2, selector.Current())\n}\n\nfunc TestAutoProtocolSelectorNoRefreshWithToken(t *testing.T) {\n\tfetcher := dynamicMockFetcher{}\n\tselector, err := NewProtocolSelector(AutoSelectFlag, testAccountTag, true, false, fetcher.fetch(), testNoTTL, &log)\n\tassert.NoError(t, err)\n\tassert.Equal(t, QUIC, selector.Current())\n\n\tfetcher.protocolPercents = edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"http2\", Percentage: 100}}\n\tassert.Equal(t, QUIC, selector.Current())\n}\n" }, { "path": "connection/quic.go", "content": "package connection\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/netip\"\n\t\"runtime\"\n\t\"sync\"\n\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n)\n\nvar (\n\tportForConnIndex = make(map[uint8]int, 0)\n\tportMapMutex sync.Mutex\n)\n\nfunc DialQuic(\n\tctx context.Context,\n\tquicConfig *quic.Config,\n\ttlsConfig *tls.Config,\n\tedgeAddr netip.AddrPort,\n\tlocalAddr net.IP,\n\tconnIndex uint8,\n\tlogger *zerolog.Logger,\n) (quic.Connection, error) {\n\tudpConn, err := createUDPConnForConnIndex(connIndex, localAddr, edgeAddr, logger)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tconn, err := quic.Dial(ctx, udpConn, net.UDPAddrFromAddrPort(edgeAddr), tlsConfig, quicConfig)\n\tif err != nil {\n\t\t// close the udp server socket in case of error connecting to the edge\n\t\tudpConn.Close()\n\t\treturn nil, &EdgeQuicDialError{Cause: err}\n\t}\n\n\t// wrap the session, so that the UDPConn is closed after session is closed.\n\tconn = &wrapCloseableConnQuicConnection{\n\t\tconn,\n\t\tudpConn,\n\t}\n\treturn conn, nil\n}\n\nfunc createUDPConnForConnIndex(connIndex uint8, localIP net.IP, edgeIP netip.AddrPort, logger *zerolog.Logger) (*net.UDPConn, error) {\n\tportMapMutex.Lock()\n\tdefer portMapMutex.Unlock()\n\n\tlistenNetwork := \"udp\"\n\t// https://github.com/quic-go/quic-go/issues/3793 DF bit cannot be set for dual stack listener (\"udp\") on macOS,\n\t// to set the DF bit properly, the network string needs to be specific to the IP family.\n\tif runtime.GOOS == \"darwin\" {\n\t\tif edgeIP.Addr().Is4() {\n\t\t\tlistenNetwork = \"udp4\"\n\t\t} else {\n\t\t\tlistenNetwork = \"udp6\"\n\t\t}\n\t}\n\n\t// if port was not set yet, it will be zero, so bind will randomly allocate one.\n\tif port, ok := portForConnIndex[connIndex]; ok {\n\t\tudpConn, err := net.ListenUDP(listenNetwork, &net.UDPAddr{IP: localIP, Port: port})\n\t\t// if there wasn't an error, or if port was 0 (independently of error or not, just return)\n\t\tif err == nil {\n\t\t\treturn udpConn, nil\n\t\t} else {\n\t\t\tlogger.Debug().Err(err).Msgf(\"Unable to reuse port %d for connIndex %d. Falling back to random allocation.\", port, connIndex)\n\t\t}\n\t}\n\n\t// if we reached here, then there was an error or port as not been allocated it.\n\tudpConn, err := net.ListenUDP(listenNetwork, &net.UDPAddr{IP: localIP, Port: 0})\n\tif err == nil {\n\t\tudpAddr, ok := (udpConn.LocalAddr()).(*net.UDPAddr)\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"unable to cast to udpConn\")\n\t\t}\n\t\tportForConnIndex[connIndex] = udpAddr.Port\n\t} else {\n\t\tdelete(portForConnIndex, connIndex)\n\t}\n\n\treturn udpConn, err\n}\n\ntype wrapCloseableConnQuicConnection struct {\n\tquic.Connection\n\tudpConn *net.UDPConn\n}\n\nfunc (w *wrapCloseableConnQuicConnection) CloseWithError(errorCode quic.ApplicationErrorCode, reason string) error {\n\terr := w.Connection.CloseWithError(errorCode, reason)\n\tw.udpConn.Close()\n\n\treturn err\n}\n" }, { "path": "connection/quic_connection.go", "content": "package connection\n\nimport (\n\t\"bufio\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\t\"golang.org/x/sync/errgroup\"\n\n\t\"github.com/cloudflare/cloudflared/client\"\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n\n\tcfdquic \"github.com/cloudflare/cloudflared/quic\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n\trpcquic \"github.com/cloudflare/cloudflared/tunnelrpc/quic\"\n)\n\nconst (\n\t// HTTPHeaderKey is used to get or set http headers in QUIC ALPN if the underlying proxy connection type is HTTP.\n\tHTTPHeaderKey = \"HttpHeader\"\n\t// HTTPMethodKey is used to get or set http method in QUIC ALPN if the underlying proxy connection type is HTTP.\n\tHTTPMethodKey = \"HttpMethod\"\n\t// HTTPHostKey is used to get or set http host in QUIC ALPN if the underlying proxy connection type is HTTP.\n\tHTTPHostKey = \"HttpHost\"\n\t// HTTPStatus is used to return http status code in QUIC ALPN if the underlying proxy connection type is HTTP.\n\tHTTPStatus = \"HttpStatus\"\n\n\tQUICMetadataFlowID = \"FlowID\"\n)\n\n// quicConnection represents the type that facilitates Proxying via QUIC streams.\ntype quicConnection struct {\n\tconn quic.Connection\n\tlogger *zerolog.Logger\n\torchestrator Orchestrator\n\tdatagramHandler DatagramSessionHandler\n\tcontrolStreamHandler ControlStreamHandler\n\tconnOptions *client.ConnectionOptionsSnapshot\n\tconnIndex uint8\n\n\trpcTimeout time.Duration\n\tstreamWriteTimeout time.Duration\n\tgracePeriod time.Duration\n}\n\n// NewTunnelConnection takes a [quic.Connection] to wrap it for use with cloudflared application logic.\nfunc NewTunnelConnection(\n\tctx context.Context,\n\tconn quic.Connection,\n\tconnIndex uint8,\n\torchestrator Orchestrator,\n\tdatagramSessionHandler DatagramSessionHandler,\n\tcontrolStreamHandler ControlStreamHandler,\n\tconnOptions *client.ConnectionOptionsSnapshot,\n\trpcTimeout time.Duration,\n\tstreamWriteTimeout time.Duration,\n\tgracePeriod time.Duration,\n\tlogger *zerolog.Logger,\n) TunnelConnection {\n\treturn &quicConnection{\n\t\tconn: conn,\n\t\tlogger: logger,\n\t\torchestrator: orchestrator,\n\t\tdatagramHandler: datagramSessionHandler,\n\t\tcontrolStreamHandler: controlStreamHandler,\n\t\tconnOptions: connOptions,\n\t\tconnIndex: connIndex,\n\t\trpcTimeout: rpcTimeout,\n\t\tstreamWriteTimeout: streamWriteTimeout,\n\t\tgracePeriod: gracePeriod,\n\t}\n}\n\n// Serve starts a QUIC connection that begins accepting streams.\n// Returning a nil error means cloudflared will exit for good and will not attempt to reconnect.\nfunc (q *quicConnection) Serve(ctx context.Context) error {\n\t// The edge assumes the first stream is used for the control plane\n\tcontrolStream, err := q.conn.OpenStream()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to open a registration control stream: %w\", err)\n\t}\n\n\t// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the\n\t// other goroutines. We enforce returning a not-nil error for each function started in the errgroup by logging\n\t// the error returned and returning a custom error type instead.\n\terrGroup, ctx := errgroup.WithContext(ctx)\n\n\t// Close the quic connection if any of the following routines return from the errgroup (regardless of their error)\n\t// because they are no longer processing requests for the connection.\n\tdefer q.Close()\n\n\t// Start the control stream routine\n\terrGroup.Go(func() error {\n\t\t// err is equal to nil if we exit due to unregistration. If that happens we want to wait the full\n\t\t// amount of the grace period, allowing requests to finish before we cancel the context, which will\n\t\t// make cloudflared exit.\n\t\tif err := q.serveControlStream(ctx, controlStream); err == nil {\n\t\t\tif q.gracePeriod > 0 {\n\t\t\t\t// In Go1.23 this can be removed and replaced with time.Ticker\n\t\t\t\t// see https://pkg.go.dev/time#Tick\n\t\t\t\tticker := time.NewTicker(q.gracePeriod)\n\t\t\t\tdefer ticker.Stop()\n\t\t\t\tselect {\n\t\t\t\tcase <-ctx.Done():\n\t\t\t\tcase <-ticker.C:\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif err != nil {\n\t\t\tq.logger.Error().Err(err).Msg(\"failed to serve the control stream\")\n\t\t}\n\t\treturn &ControlStreamError{}\n\t})\n\t// Start the accept stream loop routine\n\terrGroup.Go(func() error {\n\t\terr := q.acceptStream(ctx)\n\t\tif err != nil {\n\t\t\tq.logger.Error().Err(err).Msg(\"failed to accept incoming stream requests\")\n\t\t}\n\t\treturn &StreamListenerError{}\n\t})\n\t// Start the datagram handler routine\n\terrGroup.Go(func() error {\n\t\terr := q.datagramHandler.Serve(ctx)\n\t\tif err != nil {\n\t\t\tq.logger.Error().Err(err).Msg(\"failed to run the datagram handler\")\n\t\t}\n\t\treturn &DatagramManagerError{}\n\t})\n\n\treturn errGroup.Wait()\n}\n\n// serveControlStream will serve the RPC; blocking until the control plane is done.\nfunc (q *quicConnection) serveControlStream(ctx context.Context, controlStream quic.Stream) error {\n\treturn q.controlStreamHandler.ServeControlStream(ctx, controlStream, q.connOptions.ConnectionOptions(), q.orchestrator)\n}\n\n// Close the connection with no errors specified.\nfunc (q *quicConnection) Close() {\n\t_ = q.conn.CloseWithError(0, \"\")\n}\n\nfunc (q *quicConnection) acceptStream(ctx context.Context) error {\n\tfor {\n\t\tquicStream, err := q.conn.AcceptStream(ctx)\n\t\tif err != nil {\n\t\t\t// context.Canceled is usually a user ctrl+c. We don't want to log an error here as it's intentional.\n\t\t\tif errors.Is(err, context.Canceled) || q.controlStreamHandler.IsStopped() {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t\treturn fmt.Errorf(\"failed to accept QUIC stream: %w\", err)\n\t\t}\n\t\tgo q.runStream(quicStream)\n\t}\n}\n\nfunc (q *quicConnection) runStream(quicStream quic.Stream) {\n\tctx := quicStream.Context()\n\tstream := cfdquic.NewSafeStreamCloser(quicStream, q.streamWriteTimeout, q.logger)\n\tdefer stream.Close()\n\n\t// we are going to fuse readers/writers from stream <- cloudflared -> origin, and we want to guarantee that\n\t// code executed in the code path of handleStream don't trigger an earlier close to the downstream write stream.\n\t// So, we wrap the stream with a no-op write closer and only this method can actually close write side of the stream.\n\t// A call to close will simulate a close to the read-side, which will fail subsequent reads.\n\tnoCloseStream := &nopCloserReadWriter{ReadWriteCloser: stream}\n\tss := rpcquic.NewCloudflaredServer(q.handleDataStream, q.datagramHandler, q, q.rpcTimeout)\n\tif err := ss.Serve(ctx, noCloseStream); err != nil {\n\t\tq.logger.Debug().Err(err).Msg(\"Failed to handle QUIC stream\")\n\n\t\t// if we received an error at this level, then close write side of stream with an error, which will result in\n\t\t// RST_STREAM frame.\n\t\tquicStream.CancelWrite(0)\n\t}\n}\n\nfunc (q *quicConnection) handleDataStream(ctx context.Context, stream *rpcquic.RequestServerStream) error {\n\trequest, err := stream.ReadConnectRequestData()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif err, connectResponseSent := q.dispatchRequest(ctx, stream, request); err != nil {\n\t\tq.logger.Err(err).Str(\"type\", request.Type.String()).Str(\"dest\", request.Dest).Msg(\"Request failed\")\n\n\t\t// if the connectResponse was already sent and we had an error, we need to propagate it up, so that the stream is\n\t\t// closed with an RST_STREAM frame\n\t\tif connectResponseSent {\n\t\t\treturn err\n\t\t}\n\n\t\tvar metadata []pogs.Metadata\n\t\t// Check the type of error that was throw and add metadata that will help identify it on OTD.\n\t\tif errors.Is(err, cfdflow.ErrTooManyActiveFlows) {\n\t\t\tmetadata = append(metadata, pogs.ErrorFlowConnectRateLimitedMetadata)\n\t\t}\n\n\t\tif writeRespErr := stream.WriteConnectResponseData(err, metadata...); writeRespErr != nil {\n\t\t\treturn writeRespErr\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// dispatchRequest will dispatch the request to the origin depending on the type and returns an error if it occurs.\n// Also returns if the connect response was sent to the downstream during processing of the origin request.\nfunc (q *quicConnection) dispatchRequest(ctx context.Context, stream *rpcquic.RequestServerStream, request *pogs.ConnectRequest) (err error, connectResponseSent bool) {\n\toriginProxy, err := q.orchestrator.GetOriginProxy()\n\tif err != nil {\n\t\treturn err, false\n\t}\n\n\tswitch request.Type {\n\tcase pogs.ConnectionTypeHTTP, pogs.ConnectionTypeWebsocket:\n\t\ttracedReq, err := buildHTTPRequest(ctx, request, stream, q.connIndex, q.logger)\n\t\tif err != nil {\n\t\t\treturn err, false\n\t\t}\n\t\tw := newHTTPResponseAdapter(stream)\n\t\treturn originProxy.ProxyHTTP(&w, tracedReq, request.Type == pogs.ConnectionTypeWebsocket), w.connectResponseSent\n\n\tcase pogs.ConnectionTypeTCP:\n\t\trwa := &streamReadWriteAcker{RequestServerStream: stream}\n\t\tmetadata := request.MetadataMap()\n\t\treturn originProxy.ProxyTCP(ctx, rwa, &TCPRequest{\n\t\t\tDest: request.Dest,\n\t\t\tFlowID: metadata[QUICMetadataFlowID],\n\t\t\tCfTraceID: metadata[tracing.TracerContextName],\n\t\t\tConnIndex: q.connIndex,\n\t\t}), rwa.connectResponseSent\n\tdefault:\n\t\treturn fmt.Errorf(\"unsupported error type: %s\", request.Type), false\n\t}\n}\n\n// UpdateConfiguration is the RPC method invoked by edge when there is a new configuration\nfunc (q *quicConnection) UpdateConfiguration(ctx context.Context, version int32, config []byte) *pogs.UpdateConfigurationResponse {\n\treturn q.orchestrator.UpdateConfig(version, config)\n}\n\n// streamReadWriteAcker is a light wrapper over QUIC streams with a callback to send response back to\n// the client.\ntype streamReadWriteAcker struct {\n\t*rpcquic.RequestServerStream\n\tconnectResponseSent bool\n}\n\n// AckConnection acks response back to the proxy.\nfunc (s *streamReadWriteAcker) AckConnection(tracePropagation string) error {\n\tmetadata := []pogs.Metadata{}\n\t// Only add tracing if provided by the edge request\n\tif tracePropagation != \"\" {\n\t\tmetadata = append(metadata, pogs.Metadata{\n\t\t\tKey: tracing.CanonicalCloudflaredTracingHeader,\n\t\t\tVal: tracePropagation,\n\t\t})\n\t}\n\ts.connectResponseSent = true\n\treturn s.WriteConnectResponseData(nil, metadata...)\n}\n\n// httpResponseAdapter translates responses written by the HTTP Proxy into ones that can be used in QUIC.\ntype httpResponseAdapter struct {\n\t*rpcquic.RequestServerStream\n\theaders http.Header\n\tconnectResponseSent bool\n}\n\nfunc newHTTPResponseAdapter(s *rpcquic.RequestServerStream) httpResponseAdapter {\n\treturn httpResponseAdapter{RequestServerStream: s, headers: make(http.Header)}\n}\n\nfunc (hrw *httpResponseAdapter) AddTrailer(trailerName, trailerValue string) {\n\t// we do not support trailers over QUIC\n}\n\nfunc (hrw *httpResponseAdapter) WriteRespHeaders(status int, header http.Header) error {\n\tmetadata := make([]pogs.Metadata, 0)\n\tmetadata = append(metadata, pogs.Metadata{Key: HTTPStatus, Val: strconv.Itoa(status)})\n\tfor k, vv := range header {\n\t\tfor _, v := range vv {\n\t\t\thttpHeaderKey := fmt.Sprintf(\"%s:%s\", HTTPHeaderKey, k)\n\t\t\tmetadata = append(metadata, pogs.Metadata{Key: httpHeaderKey, Val: v})\n\t\t}\n\t}\n\n\treturn hrw.WriteConnectResponseData(nil, metadata...)\n}\n\nfunc (hrw *httpResponseAdapter) Write(p []byte) (int, error) {\n\t// Make sure to send WriteHeader response if not called yet\n\tif !hrw.connectResponseSent {\n\t\t_ = hrw.WriteRespHeaders(http.StatusOK, hrw.headers)\n\t}\n\treturn hrw.RequestServerStream.Write(p)\n}\n\nfunc (hrw *httpResponseAdapter) Header() http.Header {\n\treturn hrw.headers\n}\n\n// This is a no-op Flush because this adapter is over a quic.Stream and we don't need Flush here.\nfunc (hrw *httpResponseAdapter) Flush() {}\n\nfunc (hrw *httpResponseAdapter) WriteHeader(status int) {\n\t_ = hrw.WriteRespHeaders(status, hrw.headers)\n}\n\nfunc (hrw *httpResponseAdapter) Hijack() (net.Conn, *bufio.ReadWriter, error) {\n\tconn := &localProxyConnection{hrw.ReadWriteCloser}\n\treadWriter := bufio.NewReadWriter(\n\t\tbufio.NewReader(hrw.ReadWriteCloser),\n\t\tbufio.NewWriter(hrw.ReadWriteCloser),\n\t)\n\treturn conn, readWriter, nil\n}\n\nfunc (hrw *httpResponseAdapter) WriteErrorResponse(err error) {\n\t_ = hrw.WriteConnectResponseData(err, pogs.Metadata{Key: HTTPStatus, Val: strconv.Itoa(http.StatusBadGateway)})\n}\n\nfunc (hrw *httpResponseAdapter) WriteConnectResponseData(respErr error, metadata ...pogs.Metadata) error {\n\thrw.connectResponseSent = true\n\treturn hrw.RequestServerStream.WriteConnectResponseData(respErr, metadata...)\n}\n\nfunc buildHTTPRequest(\n\tctx context.Context,\n\tconnectRequest *pogs.ConnectRequest,\n\tbody io.ReadCloser,\n\tconnIndex uint8,\n\tlog *zerolog.Logger,\n) (*tracing.TracedHTTPRequest, error) {\n\tmetadata := connectRequest.MetadataMap()\n\tdest := connectRequest.Dest\n\tmethod := metadata[HTTPMethodKey]\n\thost := metadata[HTTPHostKey]\n\tisWebsocket := connectRequest.Type == pogs.ConnectionTypeWebsocket\n\n\treq, err := http.NewRequestWithContext(ctx, method, dest, body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treq.Host = host\n\tfor _, metadata := range connectRequest.Metadata {\n\t\tif strings.Contains(metadata.Key, HTTPHeaderKey) {\n\t\t\t// metadata.Key is off the format httpHeaderKey:\n\t\t\thttpHeaderKey := strings.Split(metadata.Key, \":\")\n\t\t\tif len(httpHeaderKey) != 2 {\n\t\t\t\treturn nil, fmt.Errorf(\"header Key: %s malformed\", metadata.Key)\n\t\t\t}\n\t\t\treq.Header.Add(httpHeaderKey[1], metadata.Val)\n\t\t}\n\t}\n\t// Go's http.Client automatically sends chunked request body if this value is not set on the\n\t// *http.Request struct regardless of header:\n\t// https://go.googlesource.com/go/+/go1.8rc2/src/net/http/transfer.go#154.\n\tif err := setContentLength(req); err != nil {\n\t\treturn nil, fmt.Errorf(\"Error setting content-length: %w\", err)\n\t}\n\n\t// Go's client defaults to chunked encoding after a 200ms delay if the following cases are true:\n\t// * the request body blocks\n\t// * the content length is not set (or set to -1)\n\t// * the method doesn't usually have a body (GET, HEAD, DELETE, ...)\n\t// * there is no transfer-encoding=chunked already set.\n\t// So, if transfer cannot be chunked and content length is 0, we dont set a request body.\n\tif !isWebsocket && !isTransferEncodingChunked(req) && req.ContentLength == 0 {\n\t\treq.Body = http.NoBody\n\t}\n\tstripWebsocketUpgradeHeader(req)\n\n\t// Check for tracing on request\n\ttracedReq := tracing.NewTracedHTTPRequest(req, connIndex, log)\n\treturn tracedReq, err\n}\n\nfunc setContentLength(req *http.Request) error {\n\tvar err error\n\tif contentLengthStr := req.Header.Get(\"Content-Length\"); contentLengthStr != \"\" {\n\t\treq.ContentLength, err = strconv.ParseInt(contentLengthStr, 10, 64)\n\t}\n\treturn err\n}\n\nfunc isTransferEncodingChunked(req *http.Request) bool {\n\ttransferEncodingVal := req.Header.Get(\"Transfer-Encoding\")\n\t// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Transfer-Encoding suggests that this can be a comma\n\t// separated value as well.\n\treturn strings.Contains(strings.ToLower(transferEncodingVal), \"chunked\")\n}\n\n// A helper struct that guarantees a call to close only affects read side, but not write side.\ntype nopCloserReadWriter struct {\n\tio.ReadWriteCloser\n\n\t// for use by Read only\n\t// we don't need a memory barrier here because there is an implicit assumption that\n\t// Read calls can't happen concurrently by different go-routines.\n\tsawEOF bool\n\t// should be updated and read using atomic primitives.\n\t// value is read in Read method and written in Close method, which could be done by different\n\t// go-routines.\n\tclosed uint32\n}\n\nfunc (np *nopCloserReadWriter) Read(p []byte) (n int, err error) {\n\tif np.sawEOF {\n\t\treturn 0, io.EOF\n\t}\n\n\tif atomic.LoadUint32(&np.closed) > 0 {\n\t\treturn 0, fmt.Errorf(\"closed by handler\")\n\t}\n\n\tn, err = np.ReadWriteCloser.Read(p)\n\tif err == io.EOF {\n\t\tnp.sawEOF = true\n\t}\n\n\treturn\n}\n\nfunc (np *nopCloserReadWriter) Close() error {\n\tatomic.StoreUint32(&np.closed, 1)\n\n\treturn nil\n}\n" }, { "path": "connection/quic_connection_test.go", "content": "package connection\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"math/big\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/netip\"\n\t\"net/url\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/gobwas/ws/wsutil\"\n\t\"github.com/google/uuid\"\n\tpkgerrors \"github.com/pkg/errors\"\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/nettest\"\n\n\t\"github.com/cloudflare/cloudflared/client\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n\n\t\"github.com/cloudflare/cloudflared/datagramsession\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/packet\"\n\tcfdquic \"github.com/cloudflare/cloudflared/quic\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n\trpcquic \"github.com/cloudflare/cloudflared/tunnelrpc/quic\"\n)\n\nvar (\n\ttestTLSServerConfig = GenerateTLSConfig()\n\ttestQUICConfig = &quic.Config{\n\t\tKeepAlivePeriod: 5 * time.Second,\n\t\tEnableDatagrams: true,\n\t}\n\tdefaultQUICTimeout = 30 * time.Second\n)\n\nvar _ ReadWriteAcker = (*streamReadWriteAcker)(nil)\n\n// TestQUICServer tests if a quic server accepts and responds to a quic client with the acceptance protocol.\n// It also serves as a demonstration for communication with the QUIC connection started by a cloudflared.\nfunc TestQUICServer(t *testing.T) {\n\t// This is simply a sample websocket frame message.\n\twsBuf := &bytes.Buffer{}\n\terr := wsutil.WriteClientBinary(wsBuf, []byte(\"Hello\"))\n\trequire.NoError(t, err)\n\n\ttests := []struct {\n\t\tdesc string\n\t\tdest string\n\t\tconnectionType pogs.ConnectionType\n\t\tmetadata []pogs.Metadata\n\t\tmessage []byte\n\t\texpectedResponse []byte\n\t}{\n\t\t{\n\t\t\tdesc: \"test http proxy\",\n\t\t\tdest: \"/ok\",\n\t\t\tconnectionType: pogs.ConnectionTypeHTTP,\n\t\t\tmetadata: []pogs.Metadata{\n\t\t\t\t{\n\t\t\t\t\tKey: \"HttpHeader:Cf-Ray\",\n\t\t\t\t\tVal: \"123123123\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tKey: \"HttpHost\",\n\t\t\t\t\tVal: \"cf.host\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tKey: \"HttpMethod\",\n\t\t\t\t\tVal: \"GET\",\n\t\t\t\t},\n\t\t\t},\n\t\t\texpectedResponse: []byte(\"OK\"),\n\t\t},\n\t\t{\n\t\t\tdesc: \"test http body request streaming\",\n\t\t\tdest: \"/slow_echo_body\",\n\t\t\tconnectionType: pogs.ConnectionTypeHTTP,\n\t\t\tmetadata: []pogs.Metadata{\n\t\t\t\t{\n\t\t\t\t\tKey: \"HttpHeader:Cf-Ray\",\n\t\t\t\t\tVal: \"123123123\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tKey: \"HttpHost\",\n\t\t\t\t\tVal: \"cf.host\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tKey: \"HttpMethod\",\n\t\t\t\t\tVal: \"POST\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tKey: \"HttpHeader:Content-Length\",\n\t\t\t\t\tVal: \"24\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tmessage: []byte(\"This is the message body\"),\n\t\t\texpectedResponse: []byte(\"This is the message body\"),\n\t\t},\n\t\t{\n\t\t\tdesc: \"test ws proxy\",\n\t\t\tdest: \"/ws/echo\",\n\t\t\tconnectionType: pogs.ConnectionTypeWebsocket,\n\t\t\tmetadata: []pogs.Metadata{\n\t\t\t\t{\n\t\t\t\t\tKey: \"HttpHeader:Cf-Cloudflared-Proxy-Connection-Upgrade\",\n\t\t\t\t\tVal: \"Websocket\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tKey: \"HttpHeader:Another-Header\",\n\t\t\t\t\tVal: \"Misc\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tKey: \"HttpHost\",\n\t\t\t\t\tVal: \"cf.host\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tKey: \"HttpMethod\",\n\t\t\t\t\tVal: \"get\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tmessage: wsBuf.Bytes(),\n\t\t\texpectedResponse: []byte{0x82, 0x5, 0x48, 0x65, 0x6c, 0x6c, 0x6f},\n\t\t},\n\t\t{\n\t\t\tdesc: \"test tcp proxy\",\n\t\t\tconnectionType: pogs.ConnectionTypeTCP,\n\t\t\tmetadata: []pogs.Metadata{},\n\t\t\tmessage: []byte(\"Here is some tcp data\"),\n\t\t\texpectedResponse: []byte(\"Here is some tcp data\"),\n\t\t},\n\t}\n\n\tfor i, test := range tests {\n\t\tt.Run(test.desc, func(t *testing.T) {\n\t\t\tctx, cancel := context.WithCancel(t.Context())\n\t\t\t// Start a UDP Listener for QUIC.\n\t\t\tudpAddr, err := net.ResolveUDPAddr(\"udp\", \"127.0.0.1:0\")\n\t\t\trequire.NoError(t, err)\n\t\t\tudpListener, err := net.ListenUDP(udpAddr.Network(), udpAddr)\n\t\t\trequire.NoError(t, err)\n\t\t\tdefer udpListener.Close()\n\t\t\tquicTransport := &quic.Transport{Conn: udpListener, ConnectionIDLength: 16}\n\t\t\tquicListener, err := quicTransport.Listen(testTLSServerConfig, testQUICConfig)\n\t\t\trequire.NoError(t, err)\n\n\t\t\tserverDone := make(chan struct{})\n\t\t\tgo func() {\n\t\t\t\t// nolint: testifylint\n\t\t\t\tquicServer(\n\t\t\t\t\tctx, t, quicListener, test.dest, test.connectionType, test.metadata, test.message, test.expectedResponse,\n\t\t\t\t)\n\t\t\t\tclose(serverDone)\n\t\t\t}()\n\n\t\t\t// nolint: gosec\n\t\t\ttunnelConn, _ := testTunnelConnection(t, netip.MustParseAddrPort(udpListener.LocalAddr().String()), uint8(i))\n\n\t\t\tconnDone := make(chan struct{})\n\t\t\tgo func() {\n\t\t\t\t_ = tunnelConn.Serve(ctx)\n\t\t\t\tclose(connDone)\n\t\t\t}()\n\n\t\t\t<-serverDone\n\t\t\tcancel()\n\t\t\t<-connDone\n\t\t})\n\t}\n}\n\ntype fakeControlStream struct {\n\tControlStreamHandler\n}\n\nfunc (fakeControlStream) ServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *pogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error {\n\t<-ctx.Done()\n\treturn nil\n}\n\nfunc (fakeControlStream) IsStopped() bool {\n\treturn true\n}\n\nfunc quicServer(\n\tctx context.Context,\n\tt *testing.T,\n\tlistener *quic.Listener,\n\tdest string,\n\tconnectionType pogs.ConnectionType,\n\tmetadata []pogs.Metadata,\n\tmessage []byte,\n\texpectedResponse []byte,\n) {\n\tsession, err := listener.Accept(ctx)\n\trequire.NoError(t, err)\n\n\tquicStream, err := session.OpenStreamSync(t.Context())\n\trequire.NoError(t, err)\n\tstream := cfdquic.NewSafeStreamCloser(quicStream, defaultQUICTimeout, &log)\n\n\treqClientStream := rpcquic.RequestClientStream{ReadWriteCloser: stream}\n\terr = reqClientStream.WriteConnectRequestData(dest, connectionType, metadata...)\n\trequire.NoError(t, err)\n\n\t_, err = reqClientStream.ReadConnectResponseData()\n\trequire.NoError(t, err)\n\n\tif message != nil {\n\t\t// ALPN successful. Write data.\n\t\t_, err := stream.Write(message)\n\t\trequire.NoError(t, err)\n\t}\n\n\tresponse := make([]byte, len(expectedResponse))\n\t_, err = stream.Read(response)\n\tif err != io.EOF {\n\t\trequire.NoError(t, err)\n\t}\n\n\t// For now it is an echo server. Verify if the same data is returned.\n\tassert.Equal(t, expectedResponse, response)\n}\n\ntype mockOriginProxyWithRequest struct{}\n\nfunc (moc *mockOriginProxyWithRequest) ProxyHTTP(w ResponseWriter, tr *tracing.TracedHTTPRequest, isWebsocket bool) error {\n\t// These are a series of crude tests to ensure the headers and http related data is transferred from\n\t// metadata.\n\tr := tr.Request\n\tif r.Method == \"\" {\n\t\treturn errors.New(\"method not sent\")\n\t}\n\tif r.Host == \"\" {\n\t\treturn errors.New(\"host not sent\")\n\t}\n\tif len(r.Header) == 0 {\n\t\treturn errors.New(\"headers not set\")\n\t}\n\n\tif isWebsocket {\n\t\treturn wsEchoEndpoint(w, r)\n\t}\n\tswitch r.URL.Path {\n\tcase \"/ok\":\n\t\toriginRespEndpoint(w, http.StatusOK, []byte(http.StatusText(http.StatusOK)))\n\tcase \"/slow_echo_body\":\n\t\ttime.Sleep(5 * time.Nanosecond)\n\t\tfallthrough\n\tcase \"/echo_body\":\n\t\tresp := &http.Response{\n\t\t\tStatusCode: http.StatusOK,\n\t\t}\n\t\t_ = w.WriteRespHeaders(resp.StatusCode, resp.Header)\n\t\t_, _ = io.Copy(w, r.Body)\n\tcase \"/error\":\n\t\treturn fmt.Errorf(\"Failed to proxy to origin\")\n\tdefault:\n\t\toriginRespEndpoint(w, http.StatusNotFound, []byte(\"page not found\"))\n\t}\n\treturn nil\n}\n\nfunc TestBuildHTTPRequest(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tconnectRequest *pogs.ConnectRequest\n\t\tbody io.ReadCloser\n\t\treq *http.Request\n\t}{\n\t\t{\n\t\t\tname: \"check if http.Request is built correctly with content length\",\n\t\t\tconnectRequest: &pogs.ConnectRequest{\n\t\t\t\tDest: \"http://test.com\",\n\t\t\t\tMetadata: []pogs.Metadata{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHeader:Cf-Cloudflared-Proxy-Connection-Upgrade\",\n\t\t\t\t\t\tVal: \"Websocket\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHeader:Content-Length\",\n\t\t\t\t\t\tVal: \"514\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHeader:Another-Header\",\n\t\t\t\t\t\tVal: \"Misc\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHost\",\n\t\t\t\t\t\tVal: \"cf.host\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpMethod\",\n\t\t\t\t\t\tVal: \"get\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\treq: &http.Request{\n\t\t\t\tMethod: \"get\",\n\t\t\t\tURL: &url.URL{\n\t\t\t\t\tScheme: \"http\",\n\t\t\t\t\tHost: \"test.com\",\n\t\t\t\t},\n\t\t\t\tProto: \"HTTP/1.1\",\n\t\t\t\tProtoMajor: 1,\n\t\t\t\tProtoMinor: 1,\n\t\t\t\tHeader: http.Header{\n\t\t\t\t\t\"Another-Header\": []string{\"Misc\"},\n\t\t\t\t\t\"Content-Length\": []string{\"514\"},\n\t\t\t\t},\n\t\t\t\tContentLength: 514,\n\t\t\t\tHost: \"cf.host\",\n\t\t\t\tBody: io.NopCloser(&bytes.Buffer{}),\n\t\t\t},\n\t\t\tbody: io.NopCloser(&bytes.Buffer{}),\n\t\t},\n\t\t{\n\t\t\tname: \"if content length isn't part of request headers, then it's not set\",\n\t\t\tconnectRequest: &pogs.ConnectRequest{\n\t\t\t\tDest: \"http://test.com\",\n\t\t\t\tMetadata: []pogs.Metadata{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHeader:Cf-Cloudflared-Proxy-Connection-Upgrade\",\n\t\t\t\t\t\tVal: \"Websocket\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHeader:Another-Header\",\n\t\t\t\t\t\tVal: \"Misc\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHost\",\n\t\t\t\t\t\tVal: \"cf.host\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpMethod\",\n\t\t\t\t\t\tVal: \"get\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\treq: &http.Request{\n\t\t\t\tMethod: \"get\",\n\t\t\t\tURL: &url.URL{\n\t\t\t\t\tScheme: \"http\",\n\t\t\t\t\tHost: \"test.com\",\n\t\t\t\t},\n\t\t\t\tProto: \"HTTP/1.1\",\n\t\t\t\tProtoMajor: 1,\n\t\t\t\tProtoMinor: 1,\n\t\t\t\tHeader: http.Header{\n\t\t\t\t\t\"Another-Header\": []string{\"Misc\"},\n\t\t\t\t},\n\t\t\t\tContentLength: 0,\n\t\t\t\tHost: \"cf.host\",\n\t\t\t\tBody: http.NoBody,\n\t\t\t},\n\t\t\tbody: io.NopCloser(&bytes.Buffer{}),\n\t\t},\n\t\t{\n\t\t\tname: \"if content length is 0, but transfer-encoding is chunked, body is not nil\",\n\t\t\tconnectRequest: &pogs.ConnectRequest{\n\t\t\t\tDest: \"http://test.com\",\n\t\t\t\tMetadata: []pogs.Metadata{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHeader:Another-Header\",\n\t\t\t\t\t\tVal: \"Misc\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHeader:Transfer-Encoding\",\n\t\t\t\t\t\tVal: \"chunked\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHost\",\n\t\t\t\t\t\tVal: \"cf.host\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpMethod\",\n\t\t\t\t\t\tVal: \"get\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\treq: &http.Request{\n\t\t\t\tMethod: \"get\",\n\t\t\t\tURL: &url.URL{\n\t\t\t\t\tScheme: \"http\",\n\t\t\t\t\tHost: \"test.com\",\n\t\t\t\t},\n\t\t\t\tProto: \"HTTP/1.1\",\n\t\t\t\tProtoMajor: 1,\n\t\t\t\tProtoMinor: 1,\n\t\t\t\tHeader: http.Header{\n\t\t\t\t\t\"Another-Header\": []string{\"Misc\"},\n\t\t\t\t\t\"Transfer-Encoding\": []string{\"chunked\"},\n\t\t\t\t},\n\t\t\t\tContentLength: 0,\n\t\t\t\tHost: \"cf.host\",\n\t\t\t\tBody: io.NopCloser(&bytes.Buffer{}),\n\t\t\t},\n\t\t\tbody: io.NopCloser(&bytes.Buffer{}),\n\t\t},\n\t\t{\n\t\t\tname: \"if content length is 0, but transfer-encoding is gzip,chunked, body is not nil\",\n\t\t\tconnectRequest: &pogs.ConnectRequest{\n\t\t\t\tDest: \"http://test.com\",\n\t\t\t\tMetadata: []pogs.Metadata{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHeader:Another-Header\",\n\t\t\t\t\t\tVal: \"Misc\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHeader:Transfer-Encoding\",\n\t\t\t\t\t\tVal: \"gzip,chunked\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHost\",\n\t\t\t\t\t\tVal: \"cf.host\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpMethod\",\n\t\t\t\t\t\tVal: \"get\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\treq: &http.Request{\n\t\t\t\tMethod: \"get\",\n\t\t\t\tURL: &url.URL{\n\t\t\t\t\tScheme: \"http\",\n\t\t\t\t\tHost: \"test.com\",\n\t\t\t\t},\n\t\t\t\tProto: \"HTTP/1.1\",\n\t\t\t\tProtoMajor: 1,\n\t\t\t\tProtoMinor: 1,\n\t\t\t\tHeader: http.Header{\n\t\t\t\t\t\"Another-Header\": []string{\"Misc\"},\n\t\t\t\t\t\"Transfer-Encoding\": []string{\"gzip,chunked\"},\n\t\t\t\t},\n\t\t\t\tContentLength: 0,\n\t\t\t\tHost: \"cf.host\",\n\t\t\t\tBody: io.NopCloser(&bytes.Buffer{}),\n\t\t\t},\n\t\t\tbody: io.NopCloser(&bytes.Buffer{}),\n\t\t},\n\t\t{\n\t\t\tname: \"if content length is 0, and connect request is a websocket, body is not nil\",\n\t\t\tconnectRequest: &pogs.ConnectRequest{\n\t\t\t\tType: pogs.ConnectionTypeWebsocket,\n\t\t\t\tDest: \"http://test.com\",\n\t\t\t\tMetadata: []pogs.Metadata{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHeader:Another-Header\",\n\t\t\t\t\t\tVal: \"Misc\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpHost\",\n\t\t\t\t\t\tVal: \"cf.host\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"HttpMethod\",\n\t\t\t\t\t\tVal: \"get\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\treq: &http.Request{\n\t\t\t\tMethod: \"get\",\n\t\t\t\tURL: &url.URL{\n\t\t\t\t\tScheme: \"http\",\n\t\t\t\t\tHost: \"test.com\",\n\t\t\t\t},\n\t\t\t\tProto: \"HTTP/1.1\",\n\t\t\t\tProtoMajor: 1,\n\t\t\t\tProtoMinor: 1,\n\t\t\t\tHeader: http.Header{\n\t\t\t\t\t\"Another-Header\": []string{\"Misc\"},\n\t\t\t\t},\n\t\t\t\tContentLength: 0,\n\t\t\t\tHost: \"cf.host\",\n\t\t\t\tBody: io.NopCloser(&bytes.Buffer{}),\n\t\t\t},\n\t\t\tbody: io.NopCloser(&bytes.Buffer{}),\n\t\t},\n\t}\n\n\tlog := zerolog.Nop()\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\treq, err := buildHTTPRequest(t.Context(), test.connectRequest, test.body, 0, &log)\n\t\t\trequire.NoError(t, err)\n\t\t\ttest.req = test.req.WithContext(req.Context())\n\t\t\trequire.Equal(t, test.req, req.Request)\n\t\t})\n\t}\n}\n\nfunc (moc *mockOriginProxyWithRequest) ProxyTCP(ctx context.Context, rwa ReadWriteAcker, tcpRequest *TCPRequest) error {\n\tif tcpRequest.Dest == \"rate-limit-me\" {\n\t\treturn pkgerrors.Wrap(cfdflow.ErrTooManyActiveFlows, \"failed tcp stream\")\n\t}\n\n\t_ = rwa.AckConnection(\"\")\n\t_, _ = io.Copy(rwa, rwa)\n\treturn nil\n}\n\nfunc TestServeUDPSession(t *testing.T) {\n\t// Start a UDP Listener for QUIC.\n\tudpAddr, err := net.ResolveUDPAddr(\"udp\", \"127.0.0.1:0\")\n\trequire.NoError(t, err)\n\tudpListener, err := net.ListenUDP(udpAddr.Network(), udpAddr)\n\trequire.NoError(t, err)\n\tdefer udpListener.Close()\n\n\tctx, cancel := context.WithCancel(t.Context())\n\n\t// Establish QUIC connection with edge\n\tedgeQUICSessionChan := make(chan quic.Connection)\n\tgo func() {\n\t\tearlyListener, err := quic.Listen(udpListener, testTLSServerConfig, testQUICConfig)\n\t\tassert.NoError(t, err)\n\n\t\tedgeQUICSession, err := earlyListener.Accept(ctx)\n\t\tassert.NoError(t, err)\n\n\t\tedgeQUICSessionChan <- edgeQUICSession\n\t}()\n\n\t// Random index to avoid reusing port\n\ttunnelConn, datagramConn := testTunnelConnection(t, netip.MustParseAddrPort(udpListener.LocalAddr().String()), 28)\n\tgo func() {\n\t\t_ = tunnelConn.Serve(ctx)\n\t}()\n\n\tedgeQUICSession := <-edgeQUICSessionChan\n\n\tserveSession(ctx, datagramConn, edgeQUICSession, closedByOrigin, io.EOF.Error(), t)\n\tserveSession(ctx, datagramConn, edgeQUICSession, closedByTimeout, datagramsession.SessionIdleErr(time.Millisecond*50).Error(), t)\n\tserveSession(ctx, datagramConn, edgeQUICSession, closedByRemote, \"eyeball closed connection\", t)\n\tcancel()\n}\n\nfunc TestNopCloserReadWriterCloseBeforeEOF(t *testing.T) {\n\treaderWriter := nopCloserReadWriter{ReadWriteCloser: &mockReaderNoopWriter{Reader: strings.NewReader(\"123456789\")}}\n\tbuffer := make([]byte, 5)\n\n\tn, err := readerWriter.Read(buffer)\n\trequire.NoError(t, err)\n\trequire.Equal(t, 5, n)\n\n\t// close\n\trequire.NoError(t, readerWriter.Close())\n\n\t// read should get error\n\tn, err = readerWriter.Read(buffer)\n\trequire.Equal(t, 0, n)\n\trequire.Equal(t, err, fmt.Errorf(\"closed by handler\"))\n}\n\nfunc TestNopCloserReadWriterCloseAfterEOF(t *testing.T) {\n\treaderWriter := nopCloserReadWriter{ReadWriteCloser: &mockReaderNoopWriter{Reader: strings.NewReader(\"123456789\")}}\n\tbuffer := make([]byte, 20)\n\n\tn, err := readerWriter.Read(buffer)\n\trequire.NoError(t, err)\n\trequire.Equal(t, 9, n)\n\n\t// force another read to read eof\n\t_, err = readerWriter.Read(buffer)\n\trequire.Equal(t, err, io.EOF)\n\n\t// close\n\trequire.NoError(t, readerWriter.Close())\n\n\t// read should get EOF still\n\tn, err = readerWriter.Read(buffer)\n\trequire.Equal(t, 0, n)\n\trequire.Equal(t, err, io.EOF)\n}\n\nfunc TestCreateUDPConnReuseSourcePort(t *testing.T) {\n\tedgeIPv4 := netip.MustParseAddrPort(\"0.0.0.0:0\")\n\tedgeIPv6 := netip.MustParseAddrPort(\"[::]:0\")\n\n\t// We assume the test environment has access to an IPv4 interface\n\ttestCreateUDPConnReuseSourcePortForEdgeIP(t, edgeIPv4)\n\n\tif nettest.SupportsIPv6() {\n\t\ttestCreateUDPConnReuseSourcePortForEdgeIP(t, edgeIPv6)\n\t}\n}\n\n// TestTCPProxy_FlowRateLimited tests if the pogs.ConnectResponse returns the expected error and metadata, when a\n// new flow is rate limited.\nfunc TestTCPProxy_FlowRateLimited(t *testing.T) {\n\tctx, cancel := context.WithCancel(t.Context())\n\n\t// Start a UDP Listener for QUIC.\n\tudpAddr, err := net.ResolveUDPAddr(\"udp\", \"127.0.0.1:0\")\n\trequire.NoError(t, err)\n\n\tudpListener, err := net.ListenUDP(udpAddr.Network(), udpAddr)\n\trequire.NoError(t, err)\n\tdefer udpListener.Close()\n\n\tquicTransport := &quic.Transport{Conn: udpListener, ConnectionIDLength: 16}\n\tquicListener, err := quicTransport.Listen(testTLSServerConfig, testQUICConfig)\n\trequire.NoError(t, err)\n\n\tserverDone := make(chan struct{})\n\tgo func() {\n\t\tdefer close(serverDone)\n\n\t\tsession, err := quicListener.Accept(ctx)\n\t\tassert.NoError(t, err)\n\n\t\tquicStream, err := session.OpenStreamSync(t.Context())\n\t\tassert.NoError(t, err)\n\t\tstream := cfdquic.NewSafeStreamCloser(quicStream, defaultQUICTimeout, &log)\n\n\t\treqClientStream := rpcquic.RequestClientStream{ReadWriteCloser: stream}\n\t\terr = reqClientStream.WriteConnectRequestData(\"rate-limit-me\", pogs.ConnectionTypeTCP)\n\t\tassert.NoError(t, err)\n\n\t\tresponse, err := reqClientStream.ReadConnectResponseData()\n\t\tassert.NoError(t, err)\n\n\t\t// Got Rate Limited\n\t\tassert.NotEmpty(t, response.Error)\n\t\tassert.Contains(t, response.Metadata, pogs.ErrorFlowConnectRateLimitedMetadata)\n\t}()\n\n\ttunnelConn, _ := testTunnelConnection(t, netip.MustParseAddrPort(udpListener.LocalAddr().String()), uint8(0))\n\n\tconnDone := make(chan struct{})\n\tgo func() {\n\t\tdefer close(connDone)\n\t\t_ = tunnelConn.Serve(ctx)\n\t}()\n\n\t<-serverDone\n\tcancel()\n\t<-connDone\n}\n\nfunc testCreateUDPConnReuseSourcePortForEdgeIP(t *testing.T, edgeIP netip.AddrPort) {\n\tlogger := zerolog.Nop()\n\tconn, err := createUDPConnForConnIndex(0, nil, edgeIP, &logger)\n\trequire.NoError(t, err)\n\n\tgetPortFunc := func(conn *net.UDPConn) int {\n\t\taddr := conn.LocalAddr().(*net.UDPAddr)\n\t\treturn addr.Port\n\t}\n\n\tinitialPort := getPortFunc(conn)\n\n\t// close conn\n\tconn.Close()\n\n\t// should get the same port as before.\n\tconn, err = createUDPConnForConnIndex(0, nil, edgeIP, &logger)\n\trequire.NoError(t, err)\n\trequire.Equal(t, initialPort, getPortFunc(conn))\n\n\t// new index, should get a different port\n\tconn1, err := createUDPConnForConnIndex(1, nil, edgeIP, &logger)\n\trequire.NoError(t, err)\n\trequire.NotEqual(t, initialPort, getPortFunc(conn1))\n\n\t// not closing the conn and trying to obtain a new conn for same index should give a different random port\n\tconn, err = createUDPConnForConnIndex(0, nil, edgeIP, &logger)\n\trequire.NoError(t, err)\n\trequire.NotEqual(t, initialPort, getPortFunc(conn))\n}\n\nfunc serveSession(ctx context.Context, datagramConn *datagramV2Connection, edgeQUICSession quic.Connection, closeType closeReason, expectedReason string, t *testing.T) {\n\tpayload := []byte(t.Name())\n\tsessionID := uuid.New()\n\tcfdConn, originConn := net.Pipe()\n\t// Registers and run a new session\n\tsession, err := datagramConn.sessionManager.RegisterSession(ctx, sessionID, cfdConn)\n\trequire.NoError(t, err)\n\n\tsessionDone := make(chan struct{})\n\tgo func() {\n\t\tdatagramConn.serveUDPSession(session, time.Millisecond*50)\n\t\tclose(sessionDone)\n\t}()\n\n\t// Send a message to the quic session on edge side, it should be deumx to this datagram v2 session\n\tmuxedPayload, err := cfdquic.SuffixSessionID(sessionID, payload)\n\trequire.NoError(t, err)\n\tmuxedPayload, err = cfdquic.SuffixType(muxedPayload, cfdquic.DatagramTypeUDP)\n\trequire.NoError(t, err)\n\n\terr = edgeQUICSession.SendDatagram(muxedPayload)\n\trequire.NoError(t, err)\n\n\treadBuffer := make([]byte, len(payload)+1)\n\tn, err := originConn.Read(readBuffer)\n\trequire.NoError(t, err)\n\trequire.Equal(t, len(payload), n)\n\trequire.True(t, bytes.Equal(payload, readBuffer[:n]))\n\n\t// Close connection to terminate session\n\tswitch closeType {\n\tcase closedByOrigin:\n\t\toriginConn.Close()\n\tcase closedByRemote:\n\t\terr = datagramConn.UnregisterUdpSession(ctx, sessionID, expectedReason)\n\t\trequire.NoError(t, err)\n\tcase closedByTimeout:\n\t}\n\n\tif closeType != closedByRemote {\n\t\t// Session was not closed by remote, so closeUDPSession should be invoked to unregister from remote\n\t\tunregisterFromEdgeChan := make(chan struct{})\n\t\tsessionRPCServer := &mockSessionRPCServer{\n\t\t\tsessionID: sessionID,\n\t\t\tunregisterReason: expectedReason,\n\t\t\tcalledUnregisterChan: unregisterFromEdgeChan,\n\t\t}\n\t\t// nolint: testifylint\n\t\tgo runRPCServer(ctx, edgeQUICSession, sessionRPCServer, nil, t)\n\n\t\t<-unregisterFromEdgeChan\n\t}\n\n\t<-sessionDone\n}\n\ntype closeReason uint8\n\nconst (\n\tclosedByOrigin closeReason = iota\n\tclosedByRemote\n\tclosedByTimeout\n)\n\nfunc runRPCServer(ctx context.Context, session quic.Connection, sessionRPCServer pogs.SessionManager, configRPCServer pogs.ConfigurationManager, t *testing.T) {\n\tstream, err := session.AcceptStream(ctx)\n\trequire.NoError(t, err)\n\n\tif stream.StreamID() == 0 {\n\t\t// Skip the first stream, it's the control stream of the QUIC connection\n\t\tstream, err = session.AcceptStream(ctx)\n\t\trequire.NoError(t, err)\n\t}\n\tss := rpcquic.NewCloudflaredServer(\n\t\tfunc(_ context.Context, _ *rpcquic.RequestServerStream) error {\n\t\t\treturn nil\n\t\t},\n\t\tsessionRPCServer,\n\t\tconfigRPCServer,\n\t\t10*time.Second,\n\t)\n\terr = ss.Serve(ctx, stream)\n\tassert.NoError(t, err)\n}\n\ntype mockSessionRPCServer struct {\n\tsessionID uuid.UUID\n\tunregisterReason string\n\tcalledUnregisterChan chan struct{}\n}\n\nfunc (s mockSessionRPCServer) RegisterUdpSession(ctx context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeIdleAfter time.Duration, traceContext string) (*pogs.RegisterUdpSessionResponse, error) {\n\treturn nil, fmt.Errorf(\"mockSessionRPCServer doesn't implement RegisterUdpSession\")\n}\n\nfunc (s mockSessionRPCServer) UnregisterUdpSession(ctx context.Context, sessionID uuid.UUID, reason string) error {\n\tif s.sessionID != sessionID {\n\t\treturn fmt.Errorf(\"expect session ID %s, got %s\", s.sessionID, sessionID)\n\t}\n\tif s.unregisterReason != reason {\n\t\treturn fmt.Errorf(\"expect unregister reason %s, got %s\", s.unregisterReason, reason)\n\t}\n\tclose(s.calledUnregisterChan)\n\treturn nil\n}\n\nfunc testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8) (TunnelConnection, *datagramV2Connection) {\n\ttlsClientConfig := &tls.Config{\n\t\t// nolint: gosec\n\t\tInsecureSkipVerify: true,\n\t\tNextProtos: []string{\"argotunnel\"},\n\t}\n\t// Start a mock httpProxy\n\tlog := zerolog.New(io.Discard)\n\tctx, cancel := context.WithCancel(t.Context())\n\tdefer cancel()\n\n\t// Dial the QUIC connection to the edge\n\tconn, err := DialQuic(\n\t\tctx,\n\t\ttestQUICConfig,\n\t\ttlsClientConfig,\n\t\tserverAddr,\n\t\tnil, // connect on a random port\n\t\tindex,\n\t\t&log,\n\t)\n\trequire.NoError(t, err)\n\n\t// Start a session manager for the connection\n\tsessionDemuxChan := make(chan *packet.Session, 4)\n\tdatagramMuxer := cfdquic.NewDatagramMuxerV2(conn, &log, sessionDemuxChan)\n\tsessionManager := datagramsession.NewManager(&log, datagramMuxer.SendToSession, sessionDemuxChan)\n\tvar connIndex uint8 = 0\n\tpacketRouter := ingress.NewPacketRouter(nil, datagramMuxer, connIndex, &log)\n\ttestDefaultDialer := ingress.NewDialer(ingress.WarpRoutingConfig{\n\t\tConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},\n\t\tTCPKeepAlive: config.CustomDuration{Duration: 15 * time.Second},\n\t\tMaxActiveFlows: 0,\n\t})\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 1 * time.Second,\n\t}, &log)\n\n\tdatagramConn := &datagramV2Connection{\n\t\tconn,\n\t\tindex,\n\t\tsessionManager,\n\t\tcfdflow.NewLimiter(0),\n\t\tdatagramMuxer,\n\t\toriginDialer,\n\t\tpacketRouter,\n\t\t15 * time.Second,\n\t\t0 * time.Second,\n\t\t&log,\n\t}\n\n\ttunnelConn := NewTunnelConnection(\n\t\tctx,\n\t\tconn,\n\t\tindex,\n\t\t&mockOrchestrator{originProxy: &mockOriginProxyWithRequest{}},\n\t\tdatagramConn,\n\t\tfakeControlStream{},\n\t\t&client.ConnectionOptionsSnapshot{},\n\t\t15*time.Second,\n\t\t0*time.Second,\n\t\t0*time.Second,\n\t\t&log,\n\t)\n\treturn tunnelConn, datagramConn\n}\n\ntype mockReaderNoopWriter struct {\n\tio.Reader\n}\n\nfunc (m *mockReaderNoopWriter) Write(p []byte) (n int, err error) {\n\treturn len(p), nil\n}\n\nfunc (m *mockReaderNoopWriter) Close() error {\n\treturn nil\n}\n\n// GenerateTLSConfig sets up a bare-bones TLS config for a QUIC server\nfunc GenerateTLSConfig() *tls.Config {\n\t// nolint: gosec\n\tkey, err := rsa.GenerateKey(rand.Reader, 1024)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\ttemplate := x509.Certificate{SerialNumber: big.NewInt(1)}\n\tcertDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tkeyPEM := pem.EncodeToMemory(&pem.Block{Type: \"RSA PRIVATE KEY\", Bytes: x509.MarshalPKCS1PrivateKey(key)})\n\tcertPEM := pem.EncodeToMemory(&pem.Block{Type: \"CERTIFICATE\", Bytes: certDER})\n\n\ttlsCert, err := tls.X509KeyPair(certPEM, keyPEM)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\t// nolint: gosec\n\treturn &tls.Config{\n\t\tCertificates: []tls.Certificate{tlsCert},\n\t\tNextProtos: []string{\"argotunnel\"},\n\t}\n}\n" }, { "path": "connection/quic_datagram_v2.go", "content": "package connection\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/netip\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\tpkgerrors \"github.com/pkg/errors\"\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\t\"go.opentelemetry.io/otel/attribute\"\n\t\"go.opentelemetry.io/otel/trace\"\n\t\"golang.org/x/sync/errgroup\"\n\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n\n\t\"github.com/cloudflare/cloudflared/datagramsession\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/management\"\n\t\"github.com/cloudflare/cloudflared/packet\"\n\tcfdquic \"github.com/cloudflare/cloudflared/quic\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n\ttunnelpogs \"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n\trpcquic \"github.com/cloudflare/cloudflared/tunnelrpc/quic\"\n)\n\nconst (\n\t// emperically this capacity has been working well\n\tdemuxChanCapacity = 16\n)\n\nvar (\n\terrInvalidDestinationIP = errors.New(\"unable to parse destination IP\")\n)\n\n// DatagramSessionHandler is a service that can serve datagrams for a connection and handle sessions from incoming\n// connection streams.\ntype DatagramSessionHandler interface {\n\tServe(context.Context) error\n\n\tpogs.SessionManager\n}\n\ntype datagramV2Connection struct {\n\tconn quic.Connection\n\tindex uint8\n\n\t// sessionManager tracks active sessions. It receives datagrams from quic connection via datagramMuxer\n\tsessionManager datagramsession.Manager\n\t// flowLimiter tracks active sessions across the tunnel and limits new sessions if they are above the limit.\n\tflowLimiter cfdflow.Limiter\n\n\t// datagramMuxer mux/demux datagrams from quic connection\n\tdatagramMuxer *cfdquic.DatagramMuxerV2\n\t// originDialer is the origin dialer for UDP requests\n\toriginDialer ingress.OriginUDPDialer\n\t// packetRouter acts as the origin router for ICMP requests\n\tpacketRouter *ingress.PacketRouter\n\n\trpcTimeout time.Duration\n\tstreamWriteTimeout time.Duration\n\n\tlogger *zerolog.Logger\n}\n\nfunc NewDatagramV2Connection(ctx context.Context,\n\tconn quic.Connection,\n\toriginDialer ingress.OriginUDPDialer,\n\ticmpRouter ingress.ICMPRouter,\n\tindex uint8,\n\trpcTimeout time.Duration,\n\tstreamWriteTimeout time.Duration,\n\tflowLimiter cfdflow.Limiter,\n\tlogger *zerolog.Logger,\n) DatagramSessionHandler {\n\tsessionDemuxChan := make(chan *packet.Session, demuxChanCapacity)\n\tdatagramMuxer := cfdquic.NewDatagramMuxerV2(conn, logger, sessionDemuxChan)\n\tsessionManager := datagramsession.NewManager(logger, datagramMuxer.SendToSession, sessionDemuxChan)\n\tpacketRouter := ingress.NewPacketRouter(icmpRouter, datagramMuxer, index, logger)\n\n\treturn &datagramV2Connection{\n\t\tconn: conn,\n\t\tindex: index,\n\t\tsessionManager: sessionManager,\n\t\tflowLimiter: flowLimiter,\n\t\tdatagramMuxer: datagramMuxer,\n\t\toriginDialer: originDialer,\n\t\tpacketRouter: packetRouter,\n\t\trpcTimeout: rpcTimeout,\n\t\tstreamWriteTimeout: streamWriteTimeout,\n\t\tlogger: logger,\n\t}\n}\n\nfunc (d *datagramV2Connection) Serve(ctx context.Context) error {\n\t// If either goroutine from the errgroup returns at all (error or nil), we rely on its cancellation to make sure\n\t// the other goroutines as well.\n\terrGroup, ctx := errgroup.WithContext(ctx)\n\n\terrGroup.Go(func() error {\n\t\treturn d.sessionManager.Serve(ctx)\n\t})\n\terrGroup.Go(func() error {\n\t\treturn d.datagramMuxer.ServeReceive(ctx)\n\t})\n\terrGroup.Go(func() error {\n\t\treturn d.packetRouter.Serve(ctx)\n\t})\n\n\treturn errGroup.Wait()\n}\n\n// RegisterUdpSession is the RPC method invoked by edge to register and run a session\nfunc (q *datagramV2Connection) RegisterUdpSession(ctx context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeAfterIdleHint time.Duration, traceContext string) (*tunnelpogs.RegisterUdpSessionResponse, error) {\n\ttraceCtx := tracing.NewTracedContext(ctx, traceContext, q.logger)\n\tctx, registerSpan := traceCtx.Tracer().Start(traceCtx, \"register-session\", trace.WithAttributes(\n\t\tattribute.String(\"session-id\", sessionID.String()),\n\t\tattribute.String(\"dst\", fmt.Sprintf(\"%s:%d\", dstIP, dstPort)),\n\t))\n\tlog := q.logger.With().Int(management.EventTypeKey, int(management.UDP)).Logger()\n\n\t// Try to start a new session\n\tif err := q.flowLimiter.Acquire(management.UDP.String()); err != nil {\n\t\tlog.Warn().Msgf(\"Too many concurrent sessions being handled, rejecting udp proxy to %s:%d\", dstIP, dstPort)\n\n\t\terr := pkgerrors.Wrap(err, \"failed to start udp session due to rate limiting\")\n\t\ttracing.EndWithErrorStatus(registerSpan, err)\n\t\treturn nil, err\n\t}\n\t// We need to force the net.IP to IPv4 (if it's an IPv4 address) otherwise the net.IP conversion from capnp\n\t// will be a IPv4-mapped-IPv6 address.\n\t// In the case that the address is IPv6 we leave it untouched and parse it as normal.\n\tip := dstIP.To4()\n\tif ip == nil {\n\t\tip = dstIP\n\t}\n\t// Parse the dstIP and dstPort into a netip.AddrPort\n\t// This should never fail because the IP was already parsed as a valid net.IP\n\tdestAddr, ok := netip.AddrFromSlice(ip)\n\tif !ok {\n\t\tlog.Err(errInvalidDestinationIP).Msgf(\"Failed to parse destination proxy IP: %s\", ip)\n\t\ttracing.EndWithErrorStatus(registerSpan, errInvalidDestinationIP)\n\t\tq.flowLimiter.Release()\n\t\treturn nil, errInvalidDestinationIP\n\t}\n\tdstAddrPort := netip.AddrPortFrom(destAddr, dstPort)\n\n\t// Each session is a series of datagram from an eyeball to a dstIP:dstPort.\n\t// (src port, dst IP, dst port) uniquely identifies a session, so it needs a dedicated connected socket.\n\toriginProxy, err := q.originDialer.DialUDP(dstAddrPort)\n\tif err != nil {\n\t\tlog.Err(err).Msgf(\"Failed to create udp proxy to %s\", dstAddrPort)\n\t\ttracing.EndWithErrorStatus(registerSpan, err)\n\t\tq.flowLimiter.Release()\n\t\treturn nil, err\n\t}\n\tregisterSpan.SetAttributes(\n\t\tattribute.Bool(\"socket-bind-success\", true),\n\t\tattribute.String(\"src\", originProxy.LocalAddr().String()),\n\t)\n\n\tsession, err := q.sessionManager.RegisterSession(ctx, sessionID, originProxy)\n\tif err != nil {\n\t\toriginProxy.Close()\n\t\tlog.Err(err).Str(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(sessionID)).Msgf(\"Failed to register udp session\")\n\t\ttracing.EndWithErrorStatus(registerSpan, err)\n\t\tq.flowLimiter.Release()\n\t\treturn nil, err\n\t}\n\n\tgo func() {\n\t\tdefer q.flowLimiter.Release() // we do the release here, instead of inside the `serveUDPSession` just to keep all acquire/release calls in the same method.\n\t\tq.serveUDPSession(session, closeAfterIdleHint)\n\t}()\n\n\tlog.Debug().\n\t\tStr(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(sessionID)).\n\t\tStr(\"src\", originProxy.LocalAddr().String()).\n\t\tStr(\"dst\", fmt.Sprintf(\"%s:%d\", dstIP, dstPort)).\n\t\tMsgf(\"Registered session\")\n\ttracing.End(registerSpan)\n\n\tresp := tunnelpogs.RegisterUdpSessionResponse{\n\t\tSpans: traceCtx.GetProtoSpans(),\n\t}\n\n\treturn &resp, nil\n}\n\n// UnregisterUdpSession is the RPC method invoked by edge to unregister and terminate a sesssion\nfunc (q *datagramV2Connection) UnregisterUdpSession(ctx context.Context, sessionID uuid.UUID, message string) error {\n\treturn q.sessionManager.UnregisterSession(ctx, sessionID, message, true)\n}\n\nfunc (q *datagramV2Connection) serveUDPSession(session *datagramsession.Session, closeAfterIdleHint time.Duration) {\n\tctx := q.conn.Context()\n\tclosedByRemote, err := session.Serve(ctx, closeAfterIdleHint)\n\t// If session is terminated by remote, then we know it has been unregistered from session manager and edge\n\tif !closedByRemote {\n\t\tif err != nil {\n\t\t\tq.closeUDPSession(ctx, session.ID, err.Error())\n\t\t} else {\n\t\t\tq.closeUDPSession(ctx, session.ID, \"terminated without error\")\n\t\t}\n\t}\n\tq.logger.Debug().Err(err).\n\t\tInt(management.EventTypeKey, int(management.UDP)).\n\t\tStr(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(session.ID)).\n\t\tMsg(\"Session terminated\")\n}\n\n// closeUDPSession first unregisters the session from session manager, then it tries to unregister from edge\nfunc (q *datagramV2Connection) closeUDPSession(ctx context.Context, sessionID uuid.UUID, message string) {\n\t_ = q.sessionManager.UnregisterSession(ctx, sessionID, message, false)\n\tquicStream, err := q.conn.OpenStream()\n\tif err != nil {\n\t\t// Log this at debug because this is not an error if session was closed due to lost connection\n\t\t// with edge\n\t\tq.logger.Debug().Err(err).\n\t\t\tInt(management.EventTypeKey, int(management.UDP)).\n\t\t\tStr(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(sessionID)).\n\t\t\tMsgf(\"Failed to open quic stream to unregister udp session with edge\")\n\t\treturn\n\t}\n\n\tstream := cfdquic.NewSafeStreamCloser(quicStream, q.streamWriteTimeout, q.logger)\n\tdefer stream.Close()\n\trpcClientStream, err := rpcquic.NewSessionClient(ctx, stream, q.rpcTimeout)\n\tif err != nil {\n\t\t// Log this at debug because this is not an error if session was closed due to lost connection\n\t\t// with edge\n\t\tq.logger.Err(err).Str(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(sessionID)).\n\t\t\tMsgf(\"Failed to open rpc stream to unregister udp session with edge\")\n\t\treturn\n\t}\n\tdefer rpcClientStream.Close()\n\n\tif err := rpcClientStream.UnregisterUdpSession(ctx, sessionID, message); err != nil {\n\t\tq.logger.Err(err).Str(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(sessionID)).\n\t\t\tMsgf(\"Failed to unregister udp session with edge\")\n\t}\n}\n" }, { "path": "connection/quic_datagram_v2_test.go", "content": "package connection\n\nimport (\n\t\"context\"\n\t\"net\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/require\"\n\t\"go.uber.org/mock/gomock\"\n\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n\t\"github.com/cloudflare/cloudflared/mocks\"\n)\n\ntype mockQuicConnection struct{}\n\nfunc (m *mockQuicConnection) AcceptStream(_ context.Context) (quic.Stream, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockQuicConnection) AcceptUniStream(_ context.Context) (quic.ReceiveStream, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockQuicConnection) OpenStream() (quic.Stream, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockQuicConnection) OpenStreamSync(_ context.Context) (quic.Stream, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockQuicConnection) OpenUniStream() (quic.SendStream, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockQuicConnection) OpenUniStreamSync(_ context.Context) (quic.SendStream, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockQuicConnection) LocalAddr() net.Addr {\n\treturn nil\n}\n\nfunc (m *mockQuicConnection) RemoteAddr() net.Addr {\n\treturn nil\n}\n\nfunc (m *mockQuicConnection) CloseWithError(_ quic.ApplicationErrorCode, s string) error {\n\treturn nil\n}\n\nfunc (m *mockQuicConnection) Context() context.Context {\n\treturn nil\n}\n\nfunc (m *mockQuicConnection) ConnectionState() quic.ConnectionState {\n\tpanic(\"not meant to be called\")\n}\n\nfunc (m *mockQuicConnection) SendDatagram(_ []byte) error {\n\treturn nil\n}\n\nfunc (m *mockQuicConnection) ReceiveDatagram(_ context.Context) ([]byte, error) {\n\treturn nil, nil\n}\n\nfunc (m *mockQuicConnection) AddPath(*quic.Transport) (*quic.Path, error) {\n\treturn nil, nil\n}\n\nfunc TestRateLimitOnNewDatagramV2UDPSession(t *testing.T) {\n\tlog := zerolog.Nop()\n\tconn := &mockQuicConnection{}\n\tctrl := gomock.NewController(t)\n\tflowLimiterMock := mocks.NewMockLimiter(ctrl)\n\n\tdatagramConn := NewDatagramV2Connection(\n\t\tt.Context(),\n\t\tconn,\n\t\tnil,\n\t\tnil,\n\t\t0,\n\t\t0*time.Second,\n\t\t0*time.Second,\n\t\tflowLimiterMock,\n\t\t&log,\n\t)\n\n\tflowLimiterMock.EXPECT().Acquire(\"udp\").Return(cfdflow.ErrTooManyActiveFlows)\n\tflowLimiterMock.EXPECT().Release().Times(0)\n\n\t_, err := datagramConn.RegisterUdpSession(t.Context(), uuid.New(), net.IPv4(0, 0, 0, 0), 1000, 1*time.Second, \"\")\n\trequire.ErrorIs(t, err, cfdflow.ErrTooManyActiveFlows)\n}\n" }, { "path": "connection/quic_datagram_v3.go", "content": "package connection\n\nimport (\n\t\"context\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/management\"\n\tcfdquic \"github.com/cloudflare/cloudflared/quic/v3\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\nvar (\n\tErrUnsupportedRPCUDPRegistration = errors.New(\"datagram v3 does not support RegisterUdpSession RPC\")\n\tErrUnsupportedRPCUDPUnregistration = errors.New(\"datagram v3 does not support UnregisterUdpSession RPC\")\n)\n\ntype datagramV3Connection struct {\n\tconn quic.Connection\n\tindex uint8\n\t// datagramMuxer mux/demux datagrams from quic connection\n\tdatagramMuxer cfdquic.DatagramConn\n\tmetrics cfdquic.Metrics\n\tlogger *zerolog.Logger\n}\n\nfunc NewDatagramV3Connection(ctx context.Context,\n\tconn quic.Connection,\n\tsessionManager cfdquic.SessionManager,\n\ticmpRouter ingress.ICMPRouter,\n\tindex uint8,\n\tmetrics cfdquic.Metrics,\n\tlogger *zerolog.Logger,\n) DatagramSessionHandler {\n\tlog := logger.\n\t\tWith().\n\t\tInt(management.EventTypeKey, int(management.UDP)).\n\t\tUint8(LogFieldConnIndex, index).\n\t\tLogger()\n\tdatagramMuxer := cfdquic.NewDatagramConn(conn, sessionManager, icmpRouter, index, metrics, &log)\n\n\treturn &datagramV3Connection{\n\t\tconn,\n\t\tindex,\n\t\tdatagramMuxer,\n\t\tmetrics,\n\t\tlogger,\n\t}\n}\n\nfunc (d *datagramV3Connection) Serve(ctx context.Context) error {\n\treturn d.datagramMuxer.Serve(ctx)\n}\n\nfunc (d *datagramV3Connection) RegisterUdpSession(ctx context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeAfterIdleHint time.Duration, traceContext string) (*pogs.RegisterUdpSessionResponse, error) {\n\td.metrics.UnsupportedRemoteCommand(d.index, \"register_udp_session\")\n\treturn nil, ErrUnsupportedRPCUDPRegistration\n}\n\nfunc (d *datagramV3Connection) UnregisterUdpSession(ctx context.Context, sessionID uuid.UUID, message string) error {\n\td.metrics.UnsupportedRemoteCommand(d.index, \"unregister_udp_session\")\n\treturn ErrUnsupportedRPCUDPUnregistration\n}\n" }, { "path": "connection/tunnelsforha.go", "content": "package connection\n\nimport (\n\t\"fmt\"\n\t\"sync\"\n\n\t\"github.com/prometheus/client_golang/prometheus\"\n)\n\n// tunnelsForHA maps this cloudflared instance's HA connections to the tunnel IDs they serve.\ntype tunnelsForHA struct {\n\tsync.Mutex\n\tmetrics *prometheus.GaugeVec\n\tentries map[uint8]string\n}\n\n// NewTunnelsForHA initializes the Prometheus metrics etc for a tunnelsForHA.\nfunc newTunnelsForHA() tunnelsForHA {\n\tmetrics := prometheus.NewGaugeVec(\n\t\tprometheus.GaugeOpts{\n\t\t\tName: \"tunnel_ids\",\n\t\t\tHelp: \"The ID of all tunnels (and their corresponding HA connection ID) running in this instance of cloudflared.\",\n\t\t},\n\t\t[]string{\"tunnel_id\", \"ha_conn_id\"},\n\t)\n\tprometheus.MustRegister(metrics)\n\n\treturn tunnelsForHA{\n\t\tmetrics: metrics,\n\t\tentries: make(map[uint8]string),\n\t}\n}\n\n// Track a new tunnel ID, removing the disconnected tunnel (if any) and update metrics.\nfunc (t *tunnelsForHA) AddTunnelID(haConn uint8, tunnelID string) {\n\tt.Lock()\n\tdefer t.Unlock()\n\thaStr := fmt.Sprintf(\"%v\", haConn)\n\tif oldTunnelID, ok := t.entries[haConn]; ok {\n\t\tt.metrics.WithLabelValues(oldTunnelID, haStr).Dec()\n\t}\n\tt.entries[haConn] = tunnelID\n\tt.metrics.WithLabelValues(tunnelID, haStr).Inc()\n}\n\nfunc (t *tunnelsForHA) String() string {\n\tt.Lock()\n\tdefer t.Unlock()\n\treturn fmt.Sprintf(\"%v\", t.entries)\n}\n" }, { "path": "credentials/credentials.go", "content": "package credentials\n\nimport (\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/cfapi\"\n)\n\nconst (\n\tlogFieldOriginCertPath = \"originCertPath\"\n\tFedEndpoint = \"fed\"\n\tFedRampBaseApiURL = \"https://api.fed.cloudflare.com/client/v4\"\n\tFedRampHostname = \"management.fed.argotunnel.com\"\n)\n\ntype User struct {\n\tcert *OriginCert\n\tcertPath string\n}\n\nfunc (c User) AccountID() string {\n\treturn c.cert.AccountID\n}\n\nfunc (c User) Endpoint() string {\n\treturn c.cert.Endpoint\n}\n\nfunc (c User) ZoneID() string {\n\treturn c.cert.ZoneID\n}\n\nfunc (c User) APIToken() string {\n\treturn c.cert.APIToken\n}\n\nfunc (c User) CertPath() string {\n\treturn c.certPath\n}\n\nfunc (c User) IsFEDEndpoint() bool {\n\treturn c.cert.Endpoint == FedEndpoint\n}\n\n// Client uses the user credentials to create a Cloudflare API client\nfunc (c *User) Client(apiURL string, userAgent string, log *zerolog.Logger) (cfapi.Client, error) {\n\tif apiURL == \"\" {\n\t\treturn nil, errors.New(\"An api-url was not provided for the Cloudflare API client\")\n\t}\n\tclient, err := cfapi.NewRESTClient(\n\t\tapiURL,\n\t\tc.cert.AccountID,\n\t\tc.cert.ZoneID,\n\t\tc.cert.APIToken,\n\t\tuserAgent,\n\t\tlog,\n\t)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn client, nil\n}\n\n// Read will load and read the origin cert.pem to load the user credentials\nfunc Read(originCertPath string, log *zerolog.Logger) (*User, error) {\n\toriginCertLog := log.With().\n\t\tStr(logFieldOriginCertPath, originCertPath).\n\t\tLogger()\n\n\toriginCertPath, err := FindOriginCert(originCertPath, &originCertLog)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"Error locating origin cert\")\n\t}\n\tblocks, err := readOriginCert(originCertPath)\n\tif err != nil {\n\t\treturn nil, errors.Wrapf(err, \"Can't read origin cert from %s\", originCertPath)\n\t}\n\n\tcert, err := decodeOriginCert(blocks)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"Error decoding origin cert\")\n\t}\n\n\tif cert.AccountID == \"\" {\n\t\treturn nil, errors.Errorf(`Origin certificate needs to be refreshed before creating new tunnels.\\nDelete %s and run \"cloudflared login\" to obtain a new cert.`, originCertPath)\n\t}\n\n\treturn &User{\n\t\tcert: cert,\n\t\tcertPath: originCertPath,\n\t}, nil\n}\n" }, { "path": "credentials/credentials_test.go", "content": "package credentials\n\nimport (\n\t\"io/fs\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestCredentialsRead(t *testing.T) {\n\tfile, err := os.ReadFile(\"test-cloudflare-tunnel-cert-json.pem\")\n\trequire.NoError(t, err)\n\tdir := t.TempDir()\n\tcertPath := filepath.Join(dir, originCertFile)\n\t_ = os.WriteFile(certPath, file, fs.ModePerm)\n\tuser, err := Read(certPath, &nopLog)\n\trequire.NoError(t, err)\n\trequire.Equal(t, certPath, user.CertPath())\n\trequire.Equal(t, \"test-service-key\", user.APIToken())\n\trequire.Equal(t, \"7b0a4d77dfb881c1a3b7d61ea9443e19\", user.ZoneID())\n\trequire.Equal(t, \"abcdabcdabcdabcd1234567890abcdef\", user.AccountID())\n}\n\nfunc TestCredentialsClient(t *testing.T) {\n\tuser := User{\n\t\tcertPath: \"/tmp/cert.pem\",\n\t\tcert: &OriginCert{\n\t\t\tZoneID: \"7b0a4d77dfb881c1a3b7d61ea9443e19\",\n\t\t\tAccountID: \"abcdabcdabcdabcd1234567890abcdef\",\n\t\t\tAPIToken: \"test-service-key\",\n\t\t},\n\t}\n\tclient, err := user.Client(\"example.com\", \"cloudflared/test\", &nopLog)\n\trequire.NoError(t, err)\n\trequire.NotNil(t, client)\n}\n" }, { "path": "credentials/origin_cert.go", "content": "package credentials\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/mitchellh/go-homedir\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n)\n\nconst (\n\tDefaultCredentialFile = \"cert.pem\"\n)\n\ntype OriginCert struct {\n\tZoneID string `json:\"zoneID\"`\n\tAccountID string `json:\"accountID\"`\n\tAPIToken string `json:\"apiToken\"`\n\tEndpoint string `json:\"endpoint,omitempty\"`\n}\n\nfunc (oc *OriginCert) UnmarshalJSON(data []byte) error {\n\tvar aux struct {\n\t\tZoneID string `json:\"zoneID\"`\n\t\tAccountID string `json:\"accountID\"`\n\t\tAPIToken string `json:\"apiToken\"`\n\t\tEndpoint string `json:\"endpoint,omitempty\"`\n\t}\n\tif err := json.Unmarshal(data, &aux); err != nil {\n\t\treturn fmt.Errorf(\"error parsing OriginCert: %v\", err)\n\t}\n\toc.ZoneID = aux.ZoneID\n\toc.AccountID = aux.AccountID\n\toc.APIToken = aux.APIToken\n\toc.Endpoint = strings.ToLower(aux.Endpoint)\n\treturn nil\n}\n\n// FindDefaultOriginCertPath returns the first path that contains a cert.pem file. If none of the\n// DefaultConfigSearchDirectories contains a cert.pem file, return empty string\nfunc FindDefaultOriginCertPath() string {\n\tfor _, defaultConfigDir := range config.DefaultConfigSearchDirectories() {\n\t\toriginCertPath, _ := homedir.Expand(filepath.Join(defaultConfigDir, DefaultCredentialFile))\n\t\tif ok := fileExists(originCertPath); ok {\n\t\t\treturn originCertPath\n\t\t}\n\t}\n\treturn \"\"\n}\n\nfunc DecodeOriginCert(blocks []byte) (*OriginCert, error) {\n\treturn decodeOriginCert(blocks)\n}\n\nfunc (cert *OriginCert) EncodeOriginCert() ([]byte, error) {\n\tif cert == nil {\n\t\treturn nil, fmt.Errorf(\"originCert cannot be nil\")\n\t}\n\tbuffer, err := json.Marshal(cert)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"originCert marshal failed: %v\", err)\n\t}\n\tblock := pem.Block{\n\t\tType: \"ARGO TUNNEL TOKEN\",\n\t\tHeaders: map[string]string{},\n\t\tBytes: buffer,\n\t}\n\tvar out bytes.Buffer\n\terr = pem.Encode(&out, &block)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"pem encoding failed: %v\", err)\n\t}\n\treturn out.Bytes(), nil\n}\n\nfunc decodeOriginCert(blocks []byte) (*OriginCert, error) {\n\tif len(blocks) == 0 {\n\t\treturn nil, fmt.Errorf(\"cannot decode empty certificate\")\n\t}\n\toriginCert := OriginCert{}\n\tblock, rest := pem.Decode(blocks)\n\tfor block != nil {\n\t\tswitch block.Type {\n\t\tcase \"PRIVATE KEY\", \"CERTIFICATE\":\n\t\t\t// this is for legacy purposes.\n\t\tcase \"ARGO TUNNEL TOKEN\":\n\t\t\tif originCert.ZoneID != \"\" || originCert.APIToken != \"\" {\n\t\t\t\treturn nil, fmt.Errorf(\"found multiple tokens in the certificate\")\n\t\t\t}\n\t\t\t// The token is a string,\n\t\t\t// Try the newer JSON format\n\t\t\t_ = json.Unmarshal(block.Bytes, &originCert)\n\t\tdefault:\n\t\t\treturn nil, fmt.Errorf(\"unknown block %s in the certificate\", block.Type)\n\t\t}\n\t\tblock, rest = pem.Decode(rest)\n\t}\n\n\tif originCert.ZoneID == \"\" || originCert.APIToken == \"\" {\n\t\treturn nil, fmt.Errorf(\"missing token in the certificate\")\n\t}\n\n\treturn &originCert, nil\n}\n\nfunc readOriginCert(originCertPath string) ([]byte, error) {\n\toriginCert, err := os.ReadFile(originCertPath)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"cannot read %s to load origin certificate\", originCertPath)\n\t}\n\n\treturn originCert, nil\n}\n\n// FindOriginCert will check to make sure that the certificate exists at the specified file path.\nfunc FindOriginCert(originCertPath string, log *zerolog.Logger) (string, error) {\n\tif originCertPath == \"\" {\n\t\tlog.Error().Msgf(\"Cannot determine default origin certificate path. No file %s in %v. You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable\", DefaultCredentialFile, config.DefaultConfigSearchDirectories())\n\t\treturn \"\", fmt.Errorf(\"client didn't specify origincert path\")\n\t}\n\tvar err error\n\toriginCertPath, err = homedir.Expand(originCertPath)\n\tif err != nil {\n\t\tlog.Err(err).Msgf(\"Cannot resolve origin certificate path\")\n\t\treturn \"\", fmt.Errorf(\"cannot resolve path %s\", originCertPath)\n\t}\n\t// Check that the user has acquired a certificate using the login command\n\tok := fileExists(originCertPath)\n\tif !ok {\n\t\tlog.Error().Msgf(`Cannot find a valid certificate for your origin at the path:\n\n %s\n\nIf the path above is wrong, specify the path with the -origincert option.\nIf you don't have a certificate signed by Cloudflare, run the command:\n\n\tcloudflared login\n`, originCertPath)\n\t\treturn \"\", fmt.Errorf(\"cannot find a valid certificate at the path %s\", originCertPath)\n\t}\n\n\treturn originCertPath, nil\n}\n\n// FileExists checks to see if a file exist at the provided path.\nfunc fileExists(path string) bool {\n\tfileStat, err := os.Stat(path)\n\tif err != nil {\n\t\treturn false\n\t}\n\treturn !fileStat.IsDir()\n}\n" }, { "path": "credentials/origin_cert_test.go", "content": "package credentials\n\nimport (\n\t\"fmt\"\n\t\"io/fs\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nconst (\n\toriginCertFile = \"cert.pem\"\n)\n\nvar nopLog = zerolog.Nop().With().Logger()\n\nfunc TestLoadOriginCert(t *testing.T) {\n\tcert, err := decodeOriginCert([]byte{})\n\tassert.Equal(t, fmt.Errorf(\"cannot decode empty certificate\"), err)\n\tassert.Nil(t, cert)\n\n\tblocks, err := os.ReadFile(\"test-cert-unknown-block.pem\")\n\trequire.NoError(t, err)\n\tcert, err = decodeOriginCert(blocks)\n\tassert.Equal(t, fmt.Errorf(\"unknown block RSA PRIVATE KEY in the certificate\"), err)\n\tassert.Nil(t, cert)\n}\n\nfunc TestJSONArgoTunnelTokenEmpty(t *testing.T) {\n\tblocks, err := os.ReadFile(\"test-cert-no-token.pem\")\n\trequire.NoError(t, err)\n\tcert, err := decodeOriginCert(blocks)\n\tassert.Equal(t, fmt.Errorf(\"missing token in the certificate\"), err)\n\tassert.Nil(t, cert)\n}\n\nfunc TestJSONArgoTunnelToken(t *testing.T) {\n\t// The given cert's Argo Tunnel Token was generated by base64 encoding this JSON:\n\t// {\n\t// \"zoneID\": \"7b0a4d77dfb881c1a3b7d61ea9443e19\",\n\t// \"apiToken\": \"test-service-key\",\n\t// \"accountID\": \"abcdabcdabcdabcd1234567890abcdef\"\n\t// }\n\tCloudflareTunnelTokenTest(t, \"test-cloudflare-tunnel-cert-json.pem\")\n}\n\nfunc CloudflareTunnelTokenTest(t *testing.T, path string) {\n\tblocks, err := os.ReadFile(path)\n\trequire.NoError(t, err)\n\tcert, err := decodeOriginCert(blocks)\n\trequire.NoError(t, err)\n\tassert.NotNil(t, cert)\n\tassert.Equal(t, \"7b0a4d77dfb881c1a3b7d61ea9443e19\", cert.ZoneID)\n\tkey := \"test-service-key\"\n\tassert.Equal(t, key, cert.APIToken)\n}\n\nfunc TestFindOriginCert_Valid(t *testing.T) {\n\tfile, err := os.ReadFile(\"test-cloudflare-tunnel-cert-json.pem\")\n\trequire.NoError(t, err)\n\tdir := t.TempDir()\n\tcertPath := filepath.Join(dir, originCertFile)\n\t_ = os.WriteFile(certPath, file, fs.ModePerm)\n\tpath, err := FindOriginCert(certPath, &nopLog)\n\trequire.NoError(t, err)\n\trequire.Equal(t, certPath, path)\n}\n\nfunc TestFindOriginCert_Missing(t *testing.T) {\n\tdir := t.TempDir()\n\tcertPath := filepath.Join(dir, originCertFile)\n\t_, err := FindOriginCert(certPath, &nopLog)\n\trequire.Error(t, err)\n}\n\nfunc TestEncodeDecodeOriginCert(t *testing.T) {\n\tcert := OriginCert{\n\t\tZoneID: \"zone\",\n\t\tAccountID: \"account\",\n\t\tAPIToken: \"token\",\n\t\tEndpoint: \"FED\",\n\t}\n\tblocks, err := cert.EncodeOriginCert()\n\trequire.NoError(t, err)\n\tdecodedCert, err := DecodeOriginCert(blocks)\n\trequire.NoError(t, err)\n\tassert.NotNil(t, cert)\n\tassert.Equal(t, \"zone\", decodedCert.ZoneID)\n\tassert.Equal(t, \"account\", decodedCert.AccountID)\n\tassert.Equal(t, \"token\", decodedCert.APIToken)\n\tassert.Equal(t, FedEndpoint, decodedCert.Endpoint)\n}\n\nfunc TestEncodeDecodeNilOriginCert(t *testing.T) {\n\tvar cert *OriginCert\n\tblocks, err := cert.EncodeOriginCert()\n\tassert.Equal(t, fmt.Errorf(\"originCert cannot be nil\"), err)\n\trequire.Nil(t, blocks)\n}\n" }, { "path": "credentials/test-cert-no-token.pem", "content": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3\nsAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg\n1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt\nz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX\n6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS\nx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja\n1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB\nIFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D\nxmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy\nsR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi\n2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm\nsb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX\nDoyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF\nAvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj\nm+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE\nQYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to\nP7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8\npb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs\nG2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0\n6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0\nLWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan\nOWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr\nW+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd\nM2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR\ny7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz\nuQicoQq3yzeQh20wtrtaXzTNmA==\n-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw\ngagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD\nVQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv\ncml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p\nYTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx\nMDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL\nExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln\naW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf\nGswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng\n6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx\ntG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX\nPE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ\nAzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl\nHJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD\nVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq\nzhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw\nRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs\nYXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK\nYXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh\ncmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj\nK5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+\nx+Yo/cL8fGfVpPt4UM8=\n-----END CERTIFICATE-----\n-----BEGIN ARGO TUNNEL TOKEN-----\neyJ6b25lSUQiOiAiN2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkiLCAiYWNjb3VudElE\nIjogImFiY2RhYmNkYWJjZGFiY2QxMjM0NTY3ODkwYWJjZGVmIn0=\n-----END ARGO TUNNEL TOKEN-----\n" }, { "path": "credentials/test-cert-unknown-block.pem", "content": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3\nsAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg\n1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt\nz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX\n6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS\nx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja\n1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB\nIFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D\nxmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy\nsR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi\n2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm\nsb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX\nDoyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF\nAvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj\nm+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE\nQYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to\nP7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8\npb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs\nG2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0\n6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0\nLWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan\nOWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr\nW+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd\nM2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR\ny7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz\nuQicoQq3yzeQh20wtrtaXzTNmA==\n-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw\ngagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD\nVQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv\ncml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p\nYTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx\nMDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL\nExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln\naW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf\nGswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng\n6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx\ntG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX\nPE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ\nAzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl\nHJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD\nVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq\nzhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw\nRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs\nYXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK\nYXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh\ncmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj\nK5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+\nx+Yo/cL8fGfVpPt4UM8=\n-----END CERTIFICATE-----\n-----BEGIN ARGO TUNNEL TOKEN-----\nN2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4\nZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5\nMjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4\nNzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2\nNzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5\nOTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz\nZWYxZTI2Zjc=\n-----END ARGO TUNNEL TOKEN-----\n-----BEGIN RSA PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3\nsAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg\n1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt\nz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX\n6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS\nx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja\n1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB\nIFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D\nxmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy\nsR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi\n2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm\nsb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX\nDoyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF\nAvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj\nm+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE\nQYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to\nP7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8\npb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs\nG2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0\n6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0\nLWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan\nOWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr\nW+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd\nM2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR\ny7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz\nuQicoQq3yzeQh20wtrtaXzTNmA==\n-----END RSA PRIVATE KEY-----\n\n" }, { "path": "credentials/test-cloudflare-tunnel-cert-json.pem", "content": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3\nsAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg\n1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt\nz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX\n6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS\nx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja\n1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB\nIFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D\nxmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy\nsR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi\n2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm\nsb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX\nDoyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF\nAvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj\nm+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE\nQYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to\nP7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8\npb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs\nG2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0\n6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0\nLWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan\nOWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr\nW+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd\nM2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR\ny7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz\nuQicoQq3yzeQh20wtrtaXzTNmA==\n-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw\ngagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD\nVQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv\ncml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p\nYTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx\nMDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL\nExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln\naW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf\nGswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng\n6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx\ntG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX\nPE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ\nAzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl\nHJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD\nVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq\nzhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw\nRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs\nYXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK\nYXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh\ncmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj\nK5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+\nx+Yo/cL8fGfVpPt4UM8=\n-----END CERTIFICATE-----\n-----BEGIN ARGO TUNNEL TOKEN-----\neyJ6b25lSUQiOiAiN2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkiLCAiYXBpVG9rZW4i\nOiAidGVzdC1zZXJ2aWNlLWtleSIsICJhY2NvdW50SUQiOiAiYWJjZGFiY2RhYmNkYWJjZDEyMzQ1\nNjc4OTBhYmNkZWYifQ==\n-----END ARGO TUNNEL TOKEN-----\n" }, { "path": "datagramsession/event.go", "content": "package datagramsession\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\n\t\"github.com/google/uuid\"\n)\n\n// registerSessionEvent is an event to start tracking a new session\ntype registerSessionEvent struct {\n\tsessionID uuid.UUID\n\toriginProxy io.ReadWriteCloser\n\tresultChan chan *Session\n}\n\nfunc newRegisterSessionEvent(sessionID uuid.UUID, originProxy io.ReadWriteCloser) *registerSessionEvent {\n\treturn ®isterSessionEvent{\n\t\tsessionID: sessionID,\n\t\toriginProxy: originProxy,\n\t\tresultChan: make(chan *Session, 1),\n\t}\n}\n\n// unregisterSessionEvent is an event to stop tracking and terminate the session.\ntype unregisterSessionEvent struct {\n\tsessionID uuid.UUID\n\terr *errClosedSession\n}\n\n// ClosedSessionError represent a condition that closes the session other than I/O\n// I/O error is not included, because the side that closes the session is ambiguous.\ntype errClosedSession struct {\n\tmessage string\n\tbyRemote bool\n}\n\nfunc (sc *errClosedSession) Error() string {\n\tif sc.byRemote {\n\t\treturn fmt.Sprintf(\"session closed by remote due to %s\", sc.message)\n\t} else {\n\t\treturn fmt.Sprintf(\"session closed by local due to %s\", sc.message)\n\t}\n}\n" }, { "path": "datagramsession/manager.go", "content": "package datagramsession\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/management\"\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\nconst (\n\trequestChanCapacity = 16\n\tdefaultReqTimeout = time.Second * 5\n)\n\nvar (\n\terrSessionManagerClosed = fmt.Errorf(\"session manager closed\")\n\tLogFieldSessionID = \"sessionID\"\n)\n\nfunc FormatSessionID(sessionID uuid.UUID) string {\n\tsessionIDStr := sessionID.String()\n\tsessionIDStr = strings.ReplaceAll(sessionIDStr, \"-\", \"\")\n\treturn sessionIDStr\n}\n\n// Manager defines the APIs to manage sessions from the same transport.\ntype Manager interface {\n\t// Serve starts the event loop\n\tServe(ctx context.Context) error\n\t// RegisterSession starts tracking a session. Caller is responsible for starting the session\n\tRegisterSession(ctx context.Context, sessionID uuid.UUID, dstConn io.ReadWriteCloser) (*Session, error)\n\t// UnregisterSession stops tracking the session and terminates it\n\tUnregisterSession(ctx context.Context, sessionID uuid.UUID, message string, byRemote bool) error\n\t// UpdateLogger updates the logger used by the Manager\n\tUpdateLogger(log *zerolog.Logger)\n}\n\ntype manager struct {\n\tregistrationChan chan *registerSessionEvent\n\tunregistrationChan chan *unregisterSessionEvent\n\tsendFunc transportSender\n\treceiveChan <-chan *packet.Session\n\tclosedChan <-chan struct{}\n\tsessions map[uuid.UUID]*Session\n\tlog *zerolog.Logger\n\t// timeout waiting for an API to finish. This can be overriden in test\n\ttimeout time.Duration\n}\n\nfunc NewManager(log *zerolog.Logger, sendF transportSender, receiveChan <-chan *packet.Session) *manager {\n\treturn &manager{\n\t\tregistrationChan: make(chan *registerSessionEvent),\n\t\tunregistrationChan: make(chan *unregisterSessionEvent),\n\t\tsendFunc: sendF,\n\t\treceiveChan: receiveChan,\n\t\tclosedChan: make(chan struct{}),\n\t\tsessions: make(map[uuid.UUID]*Session),\n\t\tlog: log,\n\t\ttimeout: defaultReqTimeout,\n\t}\n}\n\nfunc (m *manager) UpdateLogger(log *zerolog.Logger) {\n\t// Benign data race, no problem if the old pointer is read or not concurrently.\n\tm.log = log\n}\n\nfunc (m *manager) Serve(ctx context.Context) error {\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\tm.shutdownSessions(ctx.Err())\n\t\t\treturn ctx.Err()\n\t\t// receiveChan is buffered, so the transport can read more datagrams from transport while the event loop is\n\t\t// processing other events\n\t\tcase datagram := <-m.receiveChan:\n\t\t\tm.sendToSession(datagram)\n\t\tcase registration := <-m.registrationChan:\n\t\t\tm.registerSession(ctx, registration)\n\t\tcase unregistration := <-m.unregistrationChan:\n\t\t\tm.unregisterSession(unregistration)\n\t\t}\n\t}\n}\n\nfunc (m *manager) shutdownSessions(err error) {\n\tif err == nil {\n\t\terr = errSessionManagerClosed\n\t}\n\tcloseSessionErr := &errClosedSession{\n\t\tmessage: err.Error(),\n\t\t// Usually connection with remote has been closed, so set this to true to skip unregistering from remote\n\t\tbyRemote: true,\n\t}\n\tfor _, s := range m.sessions {\n\t\tm.unregisterSession(&unregisterSessionEvent{\n\t\t\tsessionID: s.ID,\n\t\t\terr: closeSessionErr,\n\t\t})\n\t}\n}\n\nfunc (m *manager) RegisterSession(ctx context.Context, sessionID uuid.UUID, originProxy io.ReadWriteCloser) (*Session, error) {\n\tctx, cancel := context.WithTimeout(ctx, m.timeout)\n\tdefer cancel()\n\tevent := newRegisterSessionEvent(sessionID, originProxy)\n\tselect {\n\tcase <-ctx.Done():\n\t\tm.log.Error().Msg(\"Datagram session registration timeout\")\n\t\treturn nil, ctx.Err()\n\tcase m.registrationChan <- event:\n\t\tsession := <-event.resultChan\n\t\treturn session, nil\n\t// Once closedChan is closed, manager won't accept more registration because nothing is\n\t// reading from registrationChan and it's an unbuffered channel\n\tcase <-m.closedChan:\n\t\treturn nil, errSessionManagerClosed\n\t}\n}\n\nfunc (m *manager) registerSession(ctx context.Context, registration *registerSessionEvent) {\n\tsession := m.newSession(registration.sessionID, registration.originProxy)\n\tm.sessions[registration.sessionID] = session\n\tregistration.resultChan <- session\n\tincrementUDPSessions()\n}\n\nfunc (m *manager) newSession(id uuid.UUID, dstConn io.ReadWriteCloser) *Session {\n\tlogger := m.log.With().\n\t\tInt(management.EventTypeKey, int(management.UDP)).\n\t\tStr(LogFieldSessionID, FormatSessionID(id)).Logger()\n\treturn &Session{\n\t\tID: id,\n\t\tsendFunc: m.sendFunc,\n\t\tdstConn: dstConn,\n\t\t// activeAtChan has low capacity. It can be full when there are many concurrent read/write. markActive() will\n\t\t// drop instead of blocking because last active time only needs to be an approximation\n\t\tactiveAtChan: make(chan time.Time, 2),\n\t\t// capacity is 2 because close() and dstToTransport routine in Serve() can write to this channel\n\t\tcloseChan: make(chan error, 2),\n\t\tlog: &logger,\n\t}\n}\n\nfunc (m *manager) UnregisterSession(ctx context.Context, sessionID uuid.UUID, message string, byRemote bool) error {\n\tctx, cancel := context.WithTimeout(ctx, m.timeout)\n\tdefer cancel()\n\tevent := &unregisterSessionEvent{\n\t\tsessionID: sessionID,\n\t\terr: &errClosedSession{\n\t\t\tmessage: message,\n\t\t\tbyRemote: byRemote,\n\t\t},\n\t}\n\tselect {\n\tcase <-ctx.Done():\n\t\tm.log.Error().Msg(\"Datagram session unregistration timeout\")\n\t\treturn ctx.Err()\n\tcase m.unregistrationChan <- event:\n\t\treturn nil\n\tcase <-m.closedChan:\n\t\treturn errSessionManagerClosed\n\t}\n}\n\nfunc (m *manager) unregisterSession(unregistration *unregisterSessionEvent) {\n\tsession, ok := m.sessions[unregistration.sessionID]\n\tif ok {\n\t\tdelete(m.sessions, unregistration.sessionID)\n\t\tsession.close(unregistration.err)\n\t\tdecrementUDPActiveSessions()\n\t}\n}\n\nfunc (m *manager) sendToSession(datagram *packet.Session) {\n\tsession, ok := m.sessions[datagram.ID]\n\tif !ok {\n\t\tm.log.Error().Str(LogFieldSessionID, FormatSessionID(datagram.ID)).Msg(\"session not found\")\n\t\treturn\n\t}\n\t// session writes to destination over a connected UDP socket, which should not be blocking, so this call doesn't\n\t// need to run in another go routine\n\tsession.transportToDst(datagram.Payload)\n}\n" }, { "path": "datagramsession/manager_test.go", "content": "package datagramsession\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/sync/errgroup\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\nvar (\n\tnopLogger = zerolog.Nop()\n)\n\nfunc TestManagerServe(t *testing.T) {\n\tconst (\n\t\tsessions = 2\n\t\tmsgs = 5\n\t\tremoteUnregisterMsg = \"eyeball closed connection\"\n\t)\n\n\trequestChan := make(chan *packet.Session)\n\ttransport := mockQUICTransport{\n\t\tsessions: make(map[uuid.UUID]chan []byte),\n\t}\n\tfor i := 0; i < sessions; i++ {\n\t\ttransport.sessions[uuid.New()] = make(chan []byte)\n\t}\n\n\tmg := NewManager(&nopLogger, transport.MuxSession, requestChan)\n\n\tctx, cancel := context.WithCancel(context.Background())\n\tserveDone := make(chan struct{})\n\tgo func(ctx context.Context) {\n\t\tmg.Serve(ctx)\n\t\tclose(serveDone)\n\t}(ctx)\n\n\terrGroup, ctx := errgroup.WithContext(ctx)\n\tfor sessionID, eyeballRespChan := range transport.sessions {\n\t\t// Assign loop variables to local variables\n\t\tsID := sessionID\n\t\tpayload := testPayload(sID)\n\t\texpectResp := testResponse(payload)\n\n\t\tcfdConn, originConn := net.Pipe()\n\n\t\torigin := mockOrigin{\n\t\t\texpectMsgCount: msgs,\n\t\t\texpectedMsg: payload,\n\t\t\texpectedResp: expectResp,\n\t\t\tconn: originConn,\n\t\t}\n\n\t\teyeball := mockEyeballSession{\n\t\t\tid: sID,\n\t\t\texpectedMsgCount: msgs,\n\t\t\texpectedMsg: payload,\n\t\t\texpectedResponse: expectResp,\n\t\t\trespReceiver: eyeballRespChan,\n\t\t}\n\n\t\t// Assign loop variables to local variables\n\t\terrGroup.Go(func() error {\n\t\t\tsession, err := mg.RegisterSession(ctx, sID, cfdConn)\n\t\t\trequire.NoError(t, err)\n\t\t\treqErrGroup, reqCtx := errgroup.WithContext(ctx)\n\t\t\treqErrGroup.Go(func() error {\n\t\t\t\treturn origin.serve()\n\t\t\t})\n\t\t\treqErrGroup.Go(func() error {\n\t\t\t\treturn eyeball.serve(reqCtx, requestChan)\n\t\t\t})\n\n\t\t\tsessionDone := make(chan struct{})\n\t\t\tgo func() {\n\t\t\t\tclosedByRemote, err := session.Serve(ctx, time.Minute*2)\n\t\t\t\tcloseSession := &errClosedSession{\n\t\t\t\t\tmessage: remoteUnregisterMsg,\n\t\t\t\t\tbyRemote: true,\n\t\t\t\t}\n\t\t\t\trequire.Equal(t, closeSession, err)\n\t\t\t\trequire.True(t, closedByRemote)\n\t\t\t\tclose(sessionDone)\n\t\t\t}()\n\n\t\t\t// Make sure eyeball and origin have received all messages before unregistering the session\n\t\t\trequire.NoError(t, reqErrGroup.Wait())\n\n\t\t\trequire.NoError(t, mg.UnregisterSession(ctx, sID, remoteUnregisterMsg, true))\n\t\t\t<-sessionDone\n\t\t\treturn nil\n\t\t})\n\t}\n\n\trequire.NoError(t, errGroup.Wait())\n\tcancel()\n\t<-serveDone\n}\n\nfunc TestTimeout(t *testing.T) {\n\tconst (\n\t\ttestTimeout = time.Millisecond * 50\n\t)\n\n\tmg := NewManager(&nopLogger, nil, nil)\n\tmg.timeout = testTimeout\n\tctx := context.Background()\n\tsessionID := uuid.New()\n\t// session manager is not running, so event loop is not running and therefore calling the APIs should timeout\n\tsession, err := mg.RegisterSession(ctx, sessionID, nil)\n\trequire.ErrorIs(t, err, context.DeadlineExceeded)\n\trequire.Nil(t, session)\n\n\terr = mg.UnregisterSession(ctx, sessionID, \"session gone\", true)\n\trequire.ErrorIs(t, err, context.DeadlineExceeded)\n}\n\nfunc TestUnregisterSessionCloseSession(t *testing.T) {\n\tsessionID := uuid.New()\n\tpayload := []byte(t.Name())\n\tsender := newMockTransportSender(sessionID, payload)\n\tmg := NewManager(&nopLogger, sender.muxSession, nil)\n\tctx, cancel := context.WithCancel(context.Background())\n\n\tmanagerDone := make(chan struct{})\n\tgo func() {\n\t\terr := mg.Serve(ctx)\n\t\trequire.Error(t, err)\n\t\tclose(managerDone)\n\t}()\n\n\tcfdConn, originConn := net.Pipe()\n\tsession, err := mg.RegisterSession(ctx, sessionID, cfdConn)\n\trequire.NoError(t, err)\n\trequire.NotNil(t, session)\n\n\tunregisteredChan := make(chan struct{})\n\tgo func() {\n\t\t_, err := originConn.Write(payload)\n\t\trequire.NoError(t, err)\n\n\t\terr = mg.UnregisterSession(ctx, sessionID, \"eyeball closed session\", true)\n\t\trequire.NoError(t, err)\n\n\t\tclose(unregisteredChan)\n\t}()\n\n\tclosedByRemote, err := session.Serve(ctx, time.Minute)\n\trequire.True(t, closedByRemote)\n\trequire.Error(t, err)\n\n\t<-unregisteredChan\n\tcancel()\n\t<-managerDone\n}\n\nfunc TestManagerCtxDoneCloseSessions(t *testing.T) {\n\tsessionID := uuid.New()\n\tpayload := []byte(t.Name())\n\tsender := newMockTransportSender(sessionID, payload)\n\tmg := NewManager(&nopLogger, sender.muxSession, nil)\n\tctx, cancel := context.WithCancel(context.Background())\n\n\tvar wg sync.WaitGroup\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\terr := mg.Serve(ctx)\n\t\trequire.Error(t, err)\n\t}()\n\n\tcfdConn, originConn := net.Pipe()\n\tsession, err := mg.RegisterSession(ctx, sessionID, cfdConn)\n\trequire.NoError(t, err)\n\trequire.NotNil(t, session)\n\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\t_, err := originConn.Write(payload)\n\t\trequire.NoError(t, err)\n\t\tcancel()\n\t}()\n\n\tclosedByRemote, err := session.Serve(ctx, time.Minute)\n\trequire.False(t, closedByRemote)\n\trequire.Error(t, err)\n\n\twg.Wait()\n}\n\ntype mockOrigin struct {\n\texpectMsgCount int\n\texpectedMsg []byte\n\texpectedResp []byte\n\tconn io.ReadWriteCloser\n}\n\nfunc (mo *mockOrigin) serve() error {\n\texpectedMsgLen := len(mo.expectedMsg)\n\treadBuffer := make([]byte, expectedMsgLen+1)\n\tfor i := 0; i < mo.expectMsgCount; i++ {\n\t\tn, err := mo.conn.Read(readBuffer)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif n != expectedMsgLen {\n\t\t\treturn fmt.Errorf(\"Expect to read %d bytes, read %d\", expectedMsgLen, n)\n\t\t}\n\t\tif !bytes.Equal(readBuffer[:n], mo.expectedMsg) {\n\t\t\treturn fmt.Errorf(\"Expect %v, read %v\", mo.expectedMsg, readBuffer[:n])\n\t\t}\n\t\t_, err = mo.conn.Write(mo.expectedResp)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc testPayload(sessionID uuid.UUID) []byte {\n\treturn []byte(fmt.Sprintf(\"Message from %s\", sessionID))\n}\n\nfunc testResponse(msg []byte) []byte {\n\treturn []byte(fmt.Sprintf(\"Response to %v\", msg))\n}\n\ntype mockQUICTransport struct {\n\tsessions map[uuid.UUID]chan []byte\n}\n\nfunc (me *mockQUICTransport) MuxSession(session *packet.Session) error {\n\ts := me.sessions[session.ID]\n\ts <- session.Payload\n\treturn nil\n}\n\ntype mockEyeballSession struct {\n\tid uuid.UUID\n\texpectedMsgCount int\n\texpectedMsg []byte\n\texpectedResponse []byte\n\trespReceiver <-chan []byte\n}\n\nfunc (me *mockEyeballSession) serve(ctx context.Context, requestChan chan *packet.Session) error {\n\tfor i := 0; i < me.expectedMsgCount; i++ {\n\t\trequestChan <- &packet.Session{\n\t\t\tID: me.id,\n\t\t\tPayload: me.expectedMsg,\n\t\t}\n\t\tresp := <-me.respReceiver\n\t\tif !bytes.Equal(resp, me.expectedResponse) {\n\t\t\treturn fmt.Errorf(\"Expect %v, read %v\", me.expectedResponse, resp)\n\t\t}\n\t\tfmt.Println(\"Resp\", resp)\n\t}\n\treturn nil\n}\n" }, { "path": "datagramsession/metrics.go", "content": "package datagramsession\n\nimport (\n\t\"github.com/prometheus/client_golang/prometheus\"\n)\n\nconst (\n\tnamespace = \"cloudflared\"\n)\n\nvar (\n\tactiveUDPSessions = prometheus.NewGauge(prometheus.GaugeOpts{\n\t\tNamespace: namespace,\n\t\tSubsystem: \"udp\",\n\t\tName: \"active_sessions\",\n\t\tHelp: \"Concurrent count of UDP sessions that are being proxied to any origin\",\n\t})\n\ttotalUDPSessions = prometheus.NewCounter(prometheus.CounterOpts{\n\t\tNamespace: namespace,\n\t\tSubsystem: \"udp\",\n\t\tName: \"total_sessions\",\n\t\tHelp: \"Total count of UDP sessions that have been proxied to any origin\",\n\t})\n)\n\nfunc init() {\n\tprometheus.MustRegister(\n\t\tactiveUDPSessions,\n\t\ttotalUDPSessions,\n\t)\n}\n\nfunc incrementUDPSessions() {\n\ttotalUDPSessions.Inc()\n\tactiveUDPSessions.Inc()\n}\n\nfunc decrementUDPActiveSessions() {\n\tactiveUDPSessions.Dec()\n}\n" }, { "path": "datagramsession/session.go", "content": "package datagramsession\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\nconst (\n\tdefaultCloseIdleAfter = time.Second * 210\n)\n\nfunc SessionIdleErr(timeout time.Duration) error {\n\treturn fmt.Errorf(\"session idle for %v\", timeout)\n}\n\ntype transportSender func(session *packet.Session) error\n\n// ErrVithVariableSeverity are errors that have variable severity\ntype ErrVithVariableSeverity interface {\n\terror\n\t// LogLevel return the severity of this error\n\tLogLevel() zerolog.Level\n}\n\n// Session is a bidirectional pipe of datagrams between transport and dstConn\n// Destination can be a connection with origin or with eyeball\n// When the destination is origin:\n// - Manager receives datagrams from receiveChan and calls the transportToDst method of the Session to send to origin\n// - Datagrams from origin are read from conn and Send to transport using the transportSender callback. Transport will return them to eyeball\n// When the destination is eyeball:\n// - Datagrams from eyeball are read from conn and Send to transport. Transport will send them to cloudflared using the transportSender callback.\n// - Manager receives datagrams from receiveChan and calls the transportToDst method of the Session to send to the eyeball\ntype Session struct {\n\tID uuid.UUID\n\tsendFunc transportSender\n\tdstConn io.ReadWriteCloser\n\t// activeAtChan is used to communicate the last read/write time\n\tactiveAtChan chan time.Time\n\tcloseChan chan error\n\tlog *zerolog.Logger\n}\n\nfunc (s *Session) Serve(ctx context.Context, closeAfterIdle time.Duration) (closedByRemote bool, err error) {\n\tgo func() {\n\t\t// QUIC implementation copies data to another buffer before returning https://github.com/quic-go/quic-go/blob/v0.24.0/session.go#L1967-L1975\n\t\t// This makes it safe to share readBuffer between iterations\n\t\tconst maxPacketSize = 1500\n\t\treadBuffer := make([]byte, maxPacketSize)\n\t\tfor {\n\t\t\tif closeSession, err := s.dstToTransport(readBuffer); err != nil {\n\t\t\t\tif errors.Is(err, net.ErrClosed) || errors.Is(err, io.EOF) {\n\t\t\t\t\ts.log.Debug().Msg(\"Destination connection closed\")\n\t\t\t\t} else {\n\t\t\t\t\tlevel := zerolog.ErrorLevel\n\t\t\t\t\tif variableErr, ok := err.(ErrVithVariableSeverity); ok {\n\t\t\t\t\t\tlevel = variableErr.LogLevel()\n\t\t\t\t\t}\n\t\t\t\t\ts.log.WithLevel(level).Err(err).Msg(\"Failed to send session payload from destination to transport\")\n\t\t\t\t}\n\t\t\t\tif closeSession {\n\t\t\t\t\ts.closeChan <- err\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}()\n\terr = s.waitForCloseCondition(ctx, closeAfterIdle)\n\tif closeSession, ok := err.(*errClosedSession); ok {\n\t\tclosedByRemote = closeSession.byRemote\n\t}\n\treturn closedByRemote, err\n}\n\nfunc (s *Session) waitForCloseCondition(ctx context.Context, closeAfterIdle time.Duration) error {\n\t// Closing dstConn cancels read so dstToTransport routine in Serve() can return\n\tdefer s.dstConn.Close()\n\tif closeAfterIdle == 0 {\n\t\t// provide default is caller doesn't specify one\n\t\tcloseAfterIdle = defaultCloseIdleAfter\n\t}\n\n\tcheckIdleFreq := closeAfterIdle / 8\n\tcheckIdleTicker := time.NewTicker(checkIdleFreq)\n\tdefer checkIdleTicker.Stop()\n\n\tactiveAt := time.Now()\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\treturn ctx.Err()\n\t\tcase reason := <-s.closeChan:\n\t\t\treturn reason\n\t\t// TODO: TUN-5423 evaluate if using atomic is more efficient\n\t\tcase now := <-checkIdleTicker.C:\n\t\t\t// The session is considered inactive if current time is after (last active time + allowed idle time)\n\t\t\tif now.After(activeAt.Add(closeAfterIdle)) {\n\t\t\t\treturn SessionIdleErr(closeAfterIdle)\n\t\t\t}\n\t\tcase activeAt = <-s.activeAtChan: // Update last active time\n\t\t}\n\t}\n}\n\nfunc (s *Session) dstToTransport(buffer []byte) (closeSession bool, err error) {\n\tn, err := s.dstConn.Read(buffer)\n\ts.markActive()\n\t// https://pkg.go.dev/io#Reader suggests caller should always process n > 0 bytes\n\tif n > 0 || err == nil {\n\t\tsession := packet.Session{\n\t\t\tID: s.ID,\n\t\t\tPayload: buffer[:n],\n\t\t}\n\t\tif sendErr := s.sendFunc(&session); sendErr != nil {\n\t\t\treturn false, sendErr\n\t\t}\n\t}\n\treturn err != nil, err\n}\n\nfunc (s *Session) transportToDst(payload []byte) (int, error) {\n\ts.markActive()\n\tn, err := s.dstConn.Write(payload)\n\tif err != nil {\n\t\ts.log.Err(err).Msg(\"Failed to write payload to session\")\n\t}\n\treturn n, err\n}\n\n// Sends the last active time to the idle checker loop without blocking. activeAtChan will only be full when there\n// are many concurrent read/write. It is fine to lose some precision\nfunc (s *Session) markActive() {\n\tselect {\n\tcase s.activeAtChan <- time.Now():\n\tdefault:\n\t}\n}\n\nfunc (s *Session) close(err *errClosedSession) {\n\ts.closeChan <- err\n}\n" }, { "path": "datagramsession/session_test.go", "content": "package datagramsession\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/sync/errgroup\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\n// TestCloseSession makes sure a session will stop after context is done\nfunc TestSessionCtxDone(t *testing.T) {\n\ttestSessionReturns(t, closeByContext, time.Minute*2)\n}\n\n// TestCloseSession makes sure a session will stop after close method is called\nfunc TestCloseSession(t *testing.T) {\n\ttestSessionReturns(t, closeByCallingClose, time.Minute*2)\n}\n\n// TestCloseIdle makess sure a session will stop after there is no read/write for a period defined by closeAfterIdle\nfunc TestCloseIdle(t *testing.T) {\n\ttestSessionReturns(t, closeByTimeout, time.Millisecond*100)\n}\n\nfunc testSessionReturns(t *testing.T, closeBy closeMethod, closeAfterIdle time.Duration) {\n\tlocalCloseReason := &errClosedSession{\n\t\tmessage: \"connection closed by origin\",\n\t\tbyRemote: false,\n\t}\n\tsessionID := uuid.New()\n\tcfdConn, originConn := net.Pipe()\n\tpayload := testPayload(sessionID)\n\n\tlog := zerolog.Nop()\n\tmg := NewManager(&log, nil, nil)\n\tsession := mg.newSession(sessionID, cfdConn)\n\n\tctx, cancel := context.WithCancel(t.Context())\n\tsessionDone := make(chan struct{})\n\tgo func() {\n\t\tclosedByRemote, err := session.Serve(ctx, closeAfterIdle)\n\t\tswitch closeBy {\n\t\tcase closeByContext:\n\t\t\tassert.Equal(t, context.Canceled, err)\n\t\t\tassert.False(t, closedByRemote)\n\t\tcase closeByCallingClose:\n\t\t\tassert.Equal(t, localCloseReason, err)\n\t\t\tassert.Equal(t, localCloseReason.byRemote, closedByRemote)\n\t\tcase closeByTimeout:\n\t\t\tassert.Equal(t, SessionIdleErr(closeAfterIdle), err)\n\t\t\tassert.False(t, closedByRemote)\n\t\t}\n\t\tclose(sessionDone)\n\t}()\n\n\tgo func() {\n\t\tn, err := session.transportToDst(payload)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, len(payload), n)\n\t}()\n\n\treadBuffer := make([]byte, len(payload)+1)\n\tn, err := originConn.Read(readBuffer)\n\trequire.NoError(t, err)\n\trequire.Equal(t, len(payload), n)\n\n\tlastRead := time.Now()\n\n\tswitch closeBy {\n\tcase closeByContext:\n\t\tcancel()\n\tcase closeByCallingClose:\n\t\tsession.close(localCloseReason)\n\tdefault:\n\t\t// ignore\n\t}\n\n\t<-sessionDone\n\tif closeBy == closeByTimeout {\n\t\trequire.True(t, time.Now().After(lastRead.Add(closeAfterIdle)))\n\t}\n\t// call cancelled again otherwise the linter will warn about possible context leak\n\tcancel()\n}\n\ntype closeMethod int\n\nconst (\n\tcloseByContext closeMethod = iota\n\tcloseByCallingClose\n\tcloseByTimeout\n)\n\nfunc TestWriteToDstSessionPreventClosed(t *testing.T) {\n\ttestActiveSessionNotClosed(t, false, true)\n}\n\nfunc TestReadFromDstSessionPreventClosed(t *testing.T) {\n\ttestActiveSessionNotClosed(t, true, false)\n}\n\nfunc testActiveSessionNotClosed(t *testing.T, readFromDst bool, writeToDst bool) {\n\tconst closeAfterIdle = time.Millisecond * 100\n\tconst activeTime = time.Millisecond * 500\n\n\tsessionID := uuid.New()\n\tcfdConn, originConn := net.Pipe()\n\tpayload := testPayload(sessionID)\n\n\trespChan := make(chan *packet.Session)\n\tsender := newMockTransportSender(sessionID, payload)\n\tmg := NewManager(&nopLogger, sender.muxSession, respChan)\n\tsession := mg.newSession(sessionID, cfdConn)\n\n\tstartTime := time.Now()\n\tactiveUntil := startTime.Add(activeTime)\n\tctx, cancel := context.WithCancel(t.Context())\n\terrGroup, ctx := errgroup.WithContext(ctx)\n\terrGroup.Go(func() error {\n\t\t_, _ = session.Serve(ctx, closeAfterIdle)\n\t\tif time.Now().Before(startTime.Add(activeTime)) {\n\t\t\treturn fmt.Errorf(\"session closed while it's still active\")\n\t\t}\n\t\treturn nil\n\t})\n\n\tif readFromDst {\n\t\terrGroup.Go(func() error {\n\t\t\tfor {\n\t\t\t\tif time.Now().After(activeUntil) {\n\t\t\t\t\treturn nil\n\t\t\t\t}\n\t\t\t\tif _, err := originConn.Write(payload); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\ttime.Sleep(closeAfterIdle / 2)\n\t\t\t}\n\t\t})\n\t}\n\tif writeToDst {\n\t\terrGroup.Go(func() error {\n\t\t\treadBuffer := make([]byte, len(payload))\n\t\t\tfor {\n\t\t\t\tn, err := originConn.Read(readBuffer)\n\t\t\t\tif err != nil {\n\t\t\t\t\tif err == io.EOF || err == io.ErrClosedPipe {\n\t\t\t\t\t\treturn nil\n\t\t\t\t\t}\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif !bytes.Equal(payload, readBuffer[:n]) {\n\t\t\t\t\treturn fmt.Errorf(\"payload %v is not equal to %v\", readBuffer[:n], payload)\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t\terrGroup.Go(func() error {\n\t\t\tfor {\n\t\t\t\tif time.Now().After(activeUntil) {\n\t\t\t\t\treturn nil\n\t\t\t\t}\n\t\t\t\tif _, err := session.transportToDst(payload); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\ttime.Sleep(closeAfterIdle / 2)\n\t\t\t}\n\t\t})\n\t}\n\n\trequire.NoError(t, errGroup.Wait())\n\tcancel()\n}\n\nfunc TestMarkActiveNotBlocking(t *testing.T) {\n\tconst concurrentCalls = 50\n\tmg := NewManager(&nopLogger, nil, nil)\n\tsession := mg.newSession(uuid.New(), nil)\n\tvar wg sync.WaitGroup\n\twg.Add(concurrentCalls)\n\tfor i := 0; i < concurrentCalls; i++ {\n\t\tgo func() {\n\t\t\tsession.markActive()\n\t\t\twg.Done()\n\t\t}()\n\t}\n\twg.Wait()\n}\n\n// Some UDP application might send 0-size payload.\nfunc TestZeroBytePayload(t *testing.T) {\n\tsessionID := uuid.New()\n\tcfdConn, originConn := net.Pipe()\n\n\tsender := sendOnceTransportSender{\n\t\tbaseSender: newMockTransportSender(sessionID, make([]byte, 0)),\n\t\tsentChan: make(chan struct{}),\n\t}\n\tmg := NewManager(&nopLogger, sender.muxSession, nil)\n\tsession := mg.newSession(sessionID, cfdConn)\n\n\tctx, cancel := context.WithCancel(t.Context())\n\terrGroup, ctx := errgroup.WithContext(ctx)\n\terrGroup.Go(func() error {\n\t\t// Read from underlying conn and send to transport\n\t\tclosedByRemote, err := session.Serve(ctx, time.Minute*2)\n\t\trequire.Equal(t, context.Canceled, err)\n\t\trequire.False(t, closedByRemote)\n\t\treturn nil\n\t})\n\n\terrGroup.Go(func() error {\n\t\t// Write to underlying connection\n\t\tn, err := originConn.Write([]byte{})\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, 0, n)\n\t\treturn nil\n\t})\n\n\t<-sender.sentChan\n\tcancel()\n\trequire.NoError(t, errGroup.Wait())\n}\n\ntype mockTransportSender struct {\n\texpectedSessionID uuid.UUID\n\texpectedPayload []byte\n}\n\nfunc newMockTransportSender(expectedSessionID uuid.UUID, expectedPayload []byte) *mockTransportSender {\n\treturn &mockTransportSender{\n\t\texpectedSessionID: expectedSessionID,\n\t\texpectedPayload: expectedPayload,\n\t}\n}\n\nfunc (mts *mockTransportSender) muxSession(session *packet.Session) error {\n\tif session.ID != mts.expectedSessionID {\n\t\treturn fmt.Errorf(\"Expect session %s, got %s\", mts.expectedSessionID, session.ID)\n\t}\n\tif !bytes.Equal(session.Payload, mts.expectedPayload) {\n\t\treturn fmt.Errorf(\"Expect %v, read %v\", mts.expectedPayload, session.Payload)\n\t}\n\treturn nil\n}\n\ntype sendOnceTransportSender struct {\n\tbaseSender *mockTransportSender\n\tsentChan chan struct{}\n}\n\nfunc (sots *sendOnceTransportSender) muxSession(session *packet.Session) error {\n\tdefer close(sots.sentChan)\n\treturn sots.baseSender.muxSession(session)\n}\n" }, { "path": "diagnostic/client.go", "content": "package diagnostic\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strconv\"\n\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n)\n\ntype httpClient struct {\n\thttp.Client\n\tbaseURL *url.URL\n}\n\nfunc NewHTTPClient() *httpClient {\n\thttpTransport := http.Transport{\n\t\tTLSHandshakeTimeout: defaultTimeout,\n\t\tResponseHeaderTimeout: defaultTimeout,\n\t}\n\n\treturn &httpClient{\n\t\thttp.Client{\n\t\t\tTransport: &httpTransport,\n\t\t\tTimeout: defaultTimeout,\n\t\t},\n\t\tnil,\n\t}\n}\n\nfunc (client *httpClient) SetBaseURL(baseURL *url.URL) {\n\tclient.baseURL = baseURL\n}\n\nfunc (client *httpClient) GET(ctx context.Context, endpoint string) (*http.Response, error) {\n\tif client.baseURL == nil {\n\t\treturn nil, ErrNoBaseURL\n\t}\n\turl := client.baseURL.JoinPath(endpoint)\n\n\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, url.String(), nil)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error creating GET request: %w\", err)\n\t}\n\n\treq.Header.Add(\"Accept\", \"application/json;version=1\")\n\n\tresponse, err := client.Do(req)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error GET request: %w\", err)\n\t}\n\n\treturn response, nil\n}\n\ntype LogConfiguration struct {\n\tlogFile string\n\tlogDirectory string\n\tuid int // the uid of the user that started cloudflared\n}\n\nfunc (client *httpClient) GetLogConfiguration(ctx context.Context) (*LogConfiguration, error) {\n\tresponse, err := client.GET(ctx, cliConfigurationEndpoint)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tdefer response.Body.Close()\n\n\tvar data map[string]string\n\tif err := json.NewDecoder(response.Body).Decode(&data); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to decode body: %w\", err)\n\t}\n\n\tuidStr, exists := data[configurationKeyUID]\n\tif !exists {\n\t\treturn nil, ErrKeyNotFound\n\t}\n\n\tuid, err := strconv.Atoi(uidStr)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error convertin pid to int: %w\", err)\n\t}\n\n\tlogFile, exists := data[cfdflags.LogFile]\n\tif exists {\n\t\treturn &LogConfiguration{logFile, \"\", uid}, nil\n\t}\n\n\tlogDirectory, exists := data[cfdflags.LogDirectory]\n\tif exists {\n\t\treturn &LogConfiguration{\"\", logDirectory, uid}, nil\n\t}\n\n\t// No log configured may happen when cloudflared is executed as a managed service or\n\t// when containerized\n\treturn &LogConfiguration{\"\", \"\", uid}, nil\n}\n\nfunc (client *httpClient) GetMemoryDump(ctx context.Context, writer io.Writer) error {\n\tresponse, err := client.GET(ctx, memoryDumpEndpoint)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn copyToWriter(response, writer)\n}\n\nfunc (client *httpClient) GetGoroutineDump(ctx context.Context, writer io.Writer) error {\n\tresponse, err := client.GET(ctx, goroutineDumpEndpoint)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn copyToWriter(response, writer)\n}\n\nfunc (client *httpClient) GetTunnelState(ctx context.Context) (*TunnelState, error) {\n\tresponse, err := client.GET(ctx, tunnelStateEndpoint)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tdefer response.Body.Close()\n\n\tvar state TunnelState\n\tif err := json.NewDecoder(response.Body).Decode(&state); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to decode body: %w\", err)\n\t}\n\n\treturn &state, nil\n}\n\nfunc (client *httpClient) GetSystemInformation(ctx context.Context, writer io.Writer) error {\n\tresponse, err := client.GET(ctx, systemInformationEndpoint)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn copyJSONToWriter(response, writer)\n}\n\nfunc (client *httpClient) GetMetrics(ctx context.Context, writer io.Writer) error {\n\tresponse, err := client.GET(ctx, metricsEndpoint)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn copyToWriter(response, writer)\n}\n\nfunc (client *httpClient) GetTunnelConfiguration(ctx context.Context, writer io.Writer) error {\n\tresponse, err := client.GET(ctx, tunnelConfigurationEndpoint)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn copyJSONToWriter(response, writer)\n}\n\nfunc (client *httpClient) GetCliConfiguration(ctx context.Context, writer io.Writer) error {\n\tresponse, err := client.GET(ctx, cliConfigurationEndpoint)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn copyJSONToWriter(response, writer)\n}\n\nfunc copyToWriter(response *http.Response, writer io.Writer) error {\n\tdefer response.Body.Close()\n\n\t_, err := io.Copy(writer, response.Body)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error writing response: %w\", err)\n\t}\n\n\treturn nil\n}\n\nfunc copyJSONToWriter(response *http.Response, writer io.Writer) error {\n\tdefer response.Body.Close()\n\n\tvar data interface{}\n\n\tdecoder := json.NewDecoder(response.Body)\n\n\terr := decoder.Decode(&data)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"diagnostic client error whilst reading response: %w\", err)\n\t}\n\n\tencoder := newFormattedEncoder(writer)\n\n\terr = encoder.Encode(data)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"diagnostic client error whilst writing json: %w\", err)\n\t}\n\n\treturn nil\n}\n\ntype HTTPClient interface {\n\tGetLogConfiguration(ctx context.Context) (*LogConfiguration, error)\n\tGetMemoryDump(ctx context.Context, writer io.Writer) error\n\tGetGoroutineDump(ctx context.Context, writer io.Writer) error\n\tGetTunnelState(ctx context.Context) (*TunnelState, error)\n\tGetSystemInformation(ctx context.Context, writer io.Writer) error\n\tGetMetrics(ctx context.Context, writer io.Writer) error\n\tGetCliConfiguration(ctx context.Context, writer io.Writer) error\n\tGetTunnelConfiguration(ctx context.Context, writer io.Writer) error\n}\n" }, { "path": "diagnostic/consts.go", "content": "package diagnostic\n\nimport \"time\"\n\nconst (\n\tdefaultCollectorTimeout = time.Second * 10 // This const define the timeout value of a collector operation.\n\tcollectorField = \"collector\" // used for logging purposes\n\tsystemCollectorName = \"system\" // used for logging purposes\n\ttunnelStateCollectorName = \"tunnelState\" // used for logging purposes\n\tconfigurationCollectorName = \"configuration\" // used for logging purposes\n\tdefaultTimeout = 15 * time.Second // timeout for the collectors\n\ttwoWeeksOffset = -14 * 24 * time.Hour // maximum offset for the logs\n\tlogFilename = \"cloudflared_logs.txt\" // name of the output log file\n\tconfigurationKeyUID = \"uid\" // Key used to set and get the UID value from the configuration map\n\ttailMaxNumberOfLines = \"10000\" // maximum number of log lines from a virtual runtime (docker or kubernetes)\n\n\t// Endpoints used by the diagnostic HTTP Client.\n\tcliConfigurationEndpoint = \"/diag/configuration\"\n\ttunnelStateEndpoint = \"/diag/tunnel\"\n\tsystemInformationEndpoint = \"/diag/system\"\n\tmemoryDumpEndpoint = \"debug/pprof/heap\"\n\tgoroutineDumpEndpoint = \"debug/pprof/goroutine\"\n\tmetricsEndpoint = \"metrics\"\n\ttunnelConfigurationEndpoint = \"/config\"\n\t// Base for filenames of the diagnostic procedure\n\tsystemInformationBaseName = \"systeminformation.json\"\n\tmetricsBaseName = \"metrics.txt\"\n\tzipName = \"cloudflared-diag\"\n\theapPprofBaseName = \"heap.pprof\"\n\tgoroutinePprofBaseName = \"goroutine.pprof\"\n\tnetworkBaseName = \"network.json\"\n\trawNetworkBaseName = \"raw-network.txt\"\n\ttunnelStateBaseName = \"tunnelstate.json\"\n\tcliConfigurationBaseName = \"cli-configuration.json\"\n\tconfigurationBaseName = \"configuration.json\"\n\ttaskResultBaseName = \"task-result.json\"\n)\n" }, { "path": "diagnostic/diagnostic.go", "content": "package diagnostic\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/url\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\n\tnetwork \"github.com/cloudflare/cloudflared/diagnostic/network\"\n)\n\nconst (\n\ttaskSuccess = \"success\"\n\ttaskFailure = \"failure\"\n\tjobReportName = \"job report\"\n\ttunnelStateJobName = \"tunnel state\"\n\tsystemInformationJobName = \"system information\"\n\tgoroutineJobName = \"goroutine profile\"\n\theapJobName = \"heap profile\"\n\tmetricsJobName = \"metrics\"\n\tlogInformationJobName = \"log information\"\n\trawNetworkInformationJobName = \"raw network information\"\n\tnetworkInformationJobName = \"network information\"\n\tcliConfigurationJobName = \"cli configuration\"\n\tconfigurationJobName = \"configuration\"\n)\n\n// Struct used to hold the results of different routines executing the network collection.\ntype taskResult struct {\n\tResult string `json:\"result,omitempty\"`\n\tErr error `json:\"error,omitempty\"`\n\tpath string\n}\n\nfunc (result taskResult) MarshalJSON() ([]byte, error) {\n\ts := map[string]string{\n\t\t\"result\": result.Result,\n\t}\n\tif result.Err != nil {\n\t\ts[\"error\"] = result.Err.Error()\n\t}\n\n\treturn json.Marshal(s)\n}\n\n// Struct used to hold the results of different routines executing the network collection.\ntype networkCollectionResult struct {\n\tname string\n\tinfo []*network.Hop\n\traw string\n\terr error\n}\n\n// This type represents the most common functions from the diagnostic http client\n// functions.\ntype collectToWriterFunc func(ctx context.Context, writer io.Writer) error\n\n// This type represents the common denominator among all the collection procedures.\ntype collectFunc func(ctx context.Context) (string, error)\n\n// collectJob is an internal struct that denotes holds the information necessary\n// to run a collection job.\ntype collectJob struct {\n\tjobName string\n\tfn collectFunc\n\tbypass bool\n}\n\n// The Toggles structure denotes the available toggles for the diagnostic procedure.\n// Each toggle enables/disables tasks from the diagnostic.\ntype Toggles struct {\n\tNoDiagLogs bool\n\tNoDiagMetrics bool\n\tNoDiagSystem bool\n\tNoDiagRuntime bool\n\tNoDiagNetwork bool\n}\n\n// The Options structure holds every option necessary for\n// the diagnostic procedure to work.\ntype Options struct {\n\tKnownAddresses []string\n\tAddress string\n\tContainerID string\n\tPodID string\n\tToggles Toggles\n}\n\nfunc collectLogs(\n\tctx context.Context,\n\tclient HTTPClient,\n\tdiagContainer, diagPod string,\n) (string, error) {\n\tvar collector LogCollector\n\tif diagPod != \"\" {\n\t\tcollector = NewKubernetesLogCollector(diagContainer, diagPod)\n\t} else if diagContainer != \"\" {\n\t\tcollector = NewDockerLogCollector(diagContainer)\n\t} else {\n\t\tcollector = NewHostLogCollector(client)\n\t}\n\n\tlogInformation, err := collector.Collect(ctx)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"error collecting logs: %w\", err)\n\t}\n\n\tif logInformation.isDirectory {\n\t\treturn CopyFilesFromDirectory(logInformation.path)\n\t}\n\n\tif logInformation.wasCreated {\n\t\treturn logInformation.path, nil\n\t}\n\n\tlogHandle, err := os.Open(logInformation.path)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"error opening log file while collecting logs: %w\", err)\n\t}\n\tdefer logHandle.Close()\n\n\toutputLogHandle, err := os.Create(filepath.Join(os.TempDir(), logFilename))\n\tif err != nil {\n\t\treturn \"\", ErrCreatingTemporaryFile\n\t}\n\tdefer outputLogHandle.Close()\n\n\t_, err = io.Copy(outputLogHandle, logHandle)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"error copying logs while collecting logs: %w\", err)\n\t}\n\n\treturn outputLogHandle.Name(), err\n}\n\nfunc collectNetworkResultRoutine(\n\tctx context.Context,\n\tcollector network.NetworkCollector,\n\thostname string,\n\tuseIPv4 bool,\n\tresults chan networkCollectionResult,\n) {\n\tconst (\n\t\thopsNo = 5\n\t\ttimeout = time.Second * 5\n\t)\n\n\tname := hostname\n\n\tif useIPv4 {\n\t\tname += \"-v4\"\n\t} else {\n\t\tname += \"-v6\"\n\t}\n\n\thops, raw, err := collector.Collect(ctx, network.NewTraceOptions(hopsNo, timeout, hostname, useIPv4))\n\tresults <- networkCollectionResult{name, hops, raw, err}\n}\n\nfunc gatherNetworkInformation(ctx context.Context) map[string]networkCollectionResult {\n\tnetworkCollector := network.NetworkCollectorImpl{}\n\n\thostAndIPversionPairs := []struct {\n\t\thost string\n\t\tuseV4 bool\n\t}{\n\t\t{\"region1.v2.argotunnel.com\", true},\n\t\t{\"region1.v2.argotunnel.com\", false},\n\t\t{\"region2.v2.argotunnel.com\", true},\n\t\t{\"region2.v2.argotunnel.com\", false},\n\t}\n\n\t// the number of results is known thus use len to avoid footguns\n\tresults := make(chan networkCollectionResult, len(hostAndIPversionPairs))\n\n\tvar wgroup sync.WaitGroup\n\n\tfor _, item := range hostAndIPversionPairs {\n\t\twgroup.Add(1)\n\n\t\tgo func() {\n\t\t\tdefer wgroup.Done()\n\t\t\tcollectNetworkResultRoutine(ctx, &networkCollector, item.host, item.useV4, results)\n\t\t}()\n\t}\n\n\t// Wait for routines to end.\n\twgroup.Wait()\n\n\tresultMap := make(map[string]networkCollectionResult)\n\n\tfor range len(hostAndIPversionPairs) {\n\t\tresult := <-results\n\t\tresultMap[result.name] = result\n\t}\n\n\treturn resultMap\n}\n\nfunc networkInformationCollectors() (rawNetworkCollector, jsonNetworkCollector collectFunc) {\n\t// The network collector is an operation that takes most of the diagnostic time, thus,\n\t// the sync.Once is used to memoize the result of the collector and then create different\n\t// outputs.\n\tvar once sync.Once\n\n\tvar resultMap map[string]networkCollectionResult\n\n\trawNetworkCollector = func(ctx context.Context) (string, error) {\n\t\tonce.Do(func() { resultMap = gatherNetworkInformation(ctx) })\n\n\t\treturn rawNetworkInformationWriter(resultMap)\n\t}\n\tjsonNetworkCollector = func(ctx context.Context) (string, error) {\n\t\tonce.Do(func() { resultMap = gatherNetworkInformation(ctx) })\n\n\t\treturn jsonNetworkInformationWriter(resultMap)\n\t}\n\n\treturn rawNetworkCollector, jsonNetworkCollector\n}\n\nfunc rawNetworkInformationWriter(resultMap map[string]networkCollectionResult) (string, error) {\n\tnetworkDumpHandle, err := os.Create(filepath.Join(os.TempDir(), rawNetworkBaseName))\n\tif err != nil {\n\t\treturn \"\", ErrCreatingTemporaryFile\n\t}\n\n\tdefer networkDumpHandle.Close()\n\n\tvar exitErr error\n\n\tfor k, v := range resultMap {\n\t\tif v.err != nil {\n\t\t\tif exitErr == nil {\n\t\t\t\texitErr = v.err\n\t\t\t}\n\n\t\t\t_, err := networkDumpHandle.WriteString(k + \"\\nno content\\n\")\n\t\t\tif err != nil {\n\t\t\t\treturn networkDumpHandle.Name(), fmt.Errorf(\"error writing 'no content' to raw network file: %w\", err)\n\t\t\t}\n\t\t} else {\n\t\t\t_, err := networkDumpHandle.WriteString(k + \"\\n\" + v.raw + \"\\n\")\n\t\t\tif err != nil {\n\t\t\t\treturn networkDumpHandle.Name(), fmt.Errorf(\"error writing raw network information: %w\", err)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn networkDumpHandle.Name(), exitErr\n}\n\nfunc jsonNetworkInformationWriter(resultMap map[string]networkCollectionResult) (string, error) {\n\tnetworkDumpHandle, err := os.Create(filepath.Join(os.TempDir(), networkBaseName))\n\tif err != nil {\n\t\treturn \"\", ErrCreatingTemporaryFile\n\t}\n\n\tdefer networkDumpHandle.Close()\n\n\tencoder := newFormattedEncoder(networkDumpHandle)\n\n\tvar exitErr error\n\n\tjsonMap := make(map[string][]*network.Hop, len(resultMap))\n\tfor k, v := range resultMap {\n\t\tjsonMap[k] = v.info\n\n\t\tif exitErr == nil && v.err != nil {\n\t\t\texitErr = v.err\n\t\t}\n\t}\n\n\terr = encoder.Encode(jsonMap)\n\tif err != nil {\n\t\treturn networkDumpHandle.Name(), fmt.Errorf(\"error encoding network information results: %w\", err)\n\t}\n\n\treturn networkDumpHandle.Name(), exitErr\n}\n\nfunc collectFromEndpointAdapter(collect collectToWriterFunc, fileName string) collectFunc {\n\treturn func(ctx context.Context) (string, error) {\n\t\tdumpHandle, err := os.Create(filepath.Join(os.TempDir(), fileName))\n\t\tif err != nil {\n\t\t\treturn \"\", ErrCreatingTemporaryFile\n\t\t}\n\t\tdefer dumpHandle.Close()\n\n\t\terr = collect(ctx, dumpHandle)\n\t\tif err != nil {\n\t\t\treturn dumpHandle.Name(), fmt.Errorf(\"error running collector: %w\", err)\n\t\t}\n\n\t\treturn dumpHandle.Name(), nil\n\t}\n}\n\nfunc tunnelStateCollectEndpointAdapter(client HTTPClient, tunnel *TunnelState, fileName string) collectFunc {\n\tendpointFunc := func(ctx context.Context, writer io.Writer) error {\n\t\tif tunnel == nil {\n\t\t\t// When the metrics server is not passed the diagnostic will query all known hosts\n\t\t\t// and get the tunnel state, however, when the metrics server is passed that won't\n\t\t\t// happen hence the check for nil in this function.\n\t\t\ttunnelResponse, err := client.GetTunnelState(ctx)\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"error retrieving tunnel state: %w\", err)\n\t\t\t}\n\n\t\t\ttunnel = tunnelResponse\n\t\t}\n\n\t\tencoder := newFormattedEncoder(writer)\n\n\t\terr := encoder.Encode(tunnel)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"error encoding tunnel state: %w\", err)\n\t\t}\n\n\t\treturn nil\n\t}\n\n\treturn collectFromEndpointAdapter(endpointFunc, fileName)\n}\n\n// resolveInstanceBaseURL is responsible to\n// resolve the base URL of the instance that should be diagnosed.\n// To resolve the instance it may be necessary to query the\n// /diag/tunnel endpoint of the known instances, thus, if a single\n// instance is found its state is also returned; if multiple instances\n// are found then their states are returned in an array along with an\n// error.\nfunc resolveInstanceBaseURL(\n\tmetricsServerAddress string,\n\tlog *zerolog.Logger,\n\tclient *httpClient,\n\taddresses []string,\n) (*url.URL, *TunnelState, []*AddressableTunnelState, error) {\n\tif metricsServerAddress != \"\" {\n\t\tif !strings.HasPrefix(metricsServerAddress, \"http://\") {\n\t\t\tmetricsServerAddress = \"http://\" + metricsServerAddress\n\t\t}\n\t\turl, err := url.Parse(metricsServerAddress)\n\t\tif err != nil {\n\t\t\treturn nil, nil, nil, fmt.Errorf(\"provided address is not valid: %w\", err)\n\t\t}\n\n\t\treturn url, nil, nil, nil\n\t}\n\n\ttunnelState, foundTunnelStates, err := FindMetricsServer(log, client, addresses)\n\tif err != nil {\n\t\treturn nil, nil, foundTunnelStates, err\n\t}\n\n\treturn tunnelState.URL, tunnelState.TunnelState, nil, nil\n}\n\nfunc createJobs(\n\tclient *httpClient,\n\ttunnel *TunnelState,\n\tdiagContainer string,\n\tdiagPod string,\n\tnoDiagSystem bool,\n\tnoDiagRuntime bool,\n\tnoDiagMetrics bool,\n\tnoDiagLogs bool,\n\tnoDiagNetwork bool,\n) []collectJob {\n\trawNetworkCollectorFunc, jsonNetworkCollectorFunc := networkInformationCollectors()\n\tjobs := []collectJob{\n\t\t{\n\t\t\tjobName: tunnelStateJobName,\n\t\t\tfn: tunnelStateCollectEndpointAdapter(client, tunnel, tunnelStateBaseName),\n\t\t\tbypass: false,\n\t\t},\n\t\t{\n\t\t\tjobName: systemInformationJobName,\n\t\t\tfn: collectFromEndpointAdapter(client.GetSystemInformation, systemInformationBaseName),\n\t\t\tbypass: noDiagSystem,\n\t\t},\n\t\t{\n\t\t\tjobName: goroutineJobName,\n\t\t\tfn: collectFromEndpointAdapter(client.GetGoroutineDump, goroutinePprofBaseName),\n\t\t\tbypass: noDiagRuntime,\n\t\t},\n\t\t{\n\t\t\tjobName: heapJobName,\n\t\t\tfn: collectFromEndpointAdapter(client.GetMemoryDump, heapPprofBaseName),\n\t\t\tbypass: noDiagRuntime,\n\t\t},\n\t\t{\n\t\t\tjobName: metricsJobName,\n\t\t\tfn: collectFromEndpointAdapter(client.GetMetrics, metricsBaseName),\n\t\t\tbypass: noDiagMetrics,\n\t\t},\n\t\t{\n\t\t\tjobName: logInformationJobName,\n\t\t\tfn: func(ctx context.Context) (string, error) {\n\t\t\t\treturn collectLogs(ctx, client, diagContainer, diagPod)\n\t\t\t},\n\t\t\tbypass: noDiagLogs,\n\t\t},\n\t\t{\n\t\t\tjobName: rawNetworkInformationJobName,\n\t\t\tfn: rawNetworkCollectorFunc,\n\t\t\tbypass: noDiagNetwork,\n\t\t},\n\t\t{\n\t\t\tjobName: networkInformationJobName,\n\t\t\tfn: jsonNetworkCollectorFunc,\n\t\t\tbypass: noDiagNetwork,\n\t\t},\n\t\t{\n\t\t\tjobName: cliConfigurationJobName,\n\t\t\tfn: collectFromEndpointAdapter(client.GetCliConfiguration, cliConfigurationBaseName),\n\t\t\tbypass: false,\n\t\t},\n\t\t{\n\t\t\tjobName: configurationJobName,\n\t\t\tfn: collectFromEndpointAdapter(client.GetTunnelConfiguration, configurationBaseName),\n\t\t\tbypass: false,\n\t\t},\n\t}\n\n\treturn jobs\n}\n\nfunc createTaskReport(taskReport map[string]taskResult) (string, error) {\n\tdumpHandle, err := os.Create(filepath.Join(os.TempDir(), taskResultBaseName))\n\tif err != nil {\n\t\treturn \"\", ErrCreatingTemporaryFile\n\t}\n\tdefer dumpHandle.Close()\n\n\tencoder := newFormattedEncoder(dumpHandle)\n\n\terr = encoder.Encode(taskReport)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"error encoding task results: %w\", err)\n\t}\n\n\treturn dumpHandle.Name(), nil\n}\n\nfunc runJobs(ctx context.Context, jobs []collectJob, log *zerolog.Logger) map[string]taskResult {\n\tjobReport := make(map[string]taskResult, len(jobs))\n\n\tfor _, job := range jobs {\n\t\tif job.bypass {\n\t\t\tcontinue\n\t\t}\n\n\t\tlog.Info().Msgf(\"Collecting %s...\", job.jobName)\n\t\tpath, err := job.fn(ctx)\n\n\t\tvar result taskResult\n\t\tif err != nil {\n\t\t\tresult = taskResult{Result: taskFailure, Err: err, path: path}\n\n\t\t\tlog.Error().Err(err).Msgf(\"Job: %s finished with error.\", job.jobName)\n\t\t} else {\n\t\t\tresult = taskResult{Result: taskSuccess, Err: nil, path: path}\n\n\t\t\tlog.Info().Msgf(\"Collected %s.\", job.jobName)\n\t\t}\n\n\t\tjobReport[job.jobName] = result\n\t}\n\n\ttaskReportName, err := createTaskReport(jobReport)\n\n\tvar result taskResult\n\n\tif err != nil {\n\t\tresult = taskResult{\n\t\t\tResult: taskFailure,\n\t\t\tpath: taskReportName,\n\t\t\tErr: err,\n\t\t}\n\t} else {\n\t\tresult = taskResult{\n\t\t\tResult: taskSuccess,\n\t\t\tpath: taskReportName,\n\t\t\tErr: nil,\n\t\t}\n\t}\n\n\tjobReport[jobReportName] = result\n\n\treturn jobReport\n}\n\nfunc RunDiagnostic(\n\tlog *zerolog.Logger,\n\toptions Options,\n) ([]*AddressableTunnelState, error) {\n\tclient := NewHTTPClient()\n\n\tbaseURL, tunnel, foundTunnels, err := resolveInstanceBaseURL(options.Address, log, client, options.KnownAddresses)\n\tif err != nil {\n\t\treturn foundTunnels, err\n\t}\n\n\tlog.Info().Msgf(\"Selected server %s starting diagnostic...\", baseURL.String())\n\tclient.SetBaseURL(baseURL)\n\n\tconst timeout = 45 * time.Second\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\n\tdefer cancel()\n\n\tjobs := createJobs(\n\t\tclient,\n\t\ttunnel,\n\t\toptions.ContainerID,\n\t\toptions.PodID,\n\t\toptions.Toggles.NoDiagSystem,\n\t\toptions.Toggles.NoDiagRuntime,\n\t\toptions.Toggles.NoDiagMetrics,\n\t\toptions.Toggles.NoDiagLogs,\n\t\toptions.Toggles.NoDiagNetwork,\n\t)\n\n\tjobsReport := runJobs(ctx, jobs, log)\n\tpaths := make([]string, 0)\n\n\tvar gerr error\n\n\tfor _, v := range jobsReport {\n\t\tpaths = append(paths, v.path)\n\n\t\tif gerr == nil && v.Err != nil {\n\t\t\tgerr = v.Err\n\t\t}\n\n\t\tdefer func() {\n\t\t\tif !errors.Is(v.Err, ErrCreatingTemporaryFile) {\n\t\t\t\tos.Remove(v.path)\n\t\t\t}\n\t\t}()\n\t}\n\n\tzipfile, err := CreateDiagnosticZipFile(zipName, paths)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tlog.Info().Msgf(\"Diagnostic file written: %v\", zipfile)\n\n\treturn nil, gerr\n}\n" }, { "path": "diagnostic/diagnostic_utils.go", "content": "package diagnostic\n\nimport (\n\t\"archive/zip\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/url\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n)\n\n// CreateDiagnosticZipFile create a zip file with the contents from the all\n// files paths. The files will be written in the root of the zip file.\n// In case of an error occurs after whilst writing to the zip file\n// this will be removed.\nfunc CreateDiagnosticZipFile(base string, paths []string) (zipFileName string, err error) {\n\t// Create a zip file with all files from paths added to the root\n\tsuffix := time.Now().Format(time.RFC3339)\n\tzipFileName = base + \"-\" + suffix + \".zip\"\n\tzipFileName = strings.ReplaceAll(zipFileName, \":\", \"-\")\n\n\tarchive, cerr := os.Create(zipFileName)\n\tif cerr != nil {\n\t\treturn \"\", fmt.Errorf(\"error creating file %s: %w\", zipFileName, cerr)\n\t}\n\n\tarchiveWriter := zip.NewWriter(archive)\n\n\tdefer func() {\n\t\tarchiveWriter.Close()\n\t\tarchive.Close()\n\n\t\tif err != nil {\n\t\t\tos.Remove(zipFileName)\n\t\t}\n\t}()\n\n\tfor _, file := range paths {\n\t\tif file == \"\" {\n\t\t\tcontinue\n\t\t}\n\n\t\tvar handle *os.File\n\n\t\thandle, err = os.Open(file)\n\t\tif err != nil {\n\t\t\treturn \"\", fmt.Errorf(\"error opening file %s: %w\", zipFileName, err)\n\t\t}\n\n\t\tdefer handle.Close()\n\n\t\t// Keep the base only to not create sub directories in the\n\t\t// zip file.\n\t\tvar writer io.Writer\n\n\t\twriter, err = archiveWriter.Create(filepath.Base(file))\n\t\tif err != nil {\n\t\t\treturn \"\", fmt.Errorf(\"error creating archive writer from %s: %w\", file, err)\n\t\t}\n\n\t\tif _, err = io.Copy(writer, handle); err != nil {\n\t\t\treturn \"\", fmt.Errorf(\"error copying file %s: %w\", file, err)\n\t\t}\n\t}\n\n\tzipFileName = archive.Name()\n\treturn zipFileName, nil\n}\n\ntype AddressableTunnelState struct {\n\t*TunnelState\n\tURL *url.URL\n}\n\nfunc findMetricsServerPredicate(tunnelID, connectorID uuid.UUID) func(state *TunnelState) bool {\n\tif tunnelID != uuid.Nil && connectorID != uuid.Nil {\n\t\treturn func(state *TunnelState) bool {\n\t\t\treturn state.ConnectorID == connectorID && state.TunnelID == tunnelID\n\t\t}\n\t} else if tunnelID == uuid.Nil && connectorID != uuid.Nil {\n\t\treturn func(state *TunnelState) bool {\n\t\t\treturn state.ConnectorID == connectorID\n\t\t}\n\t} else if tunnelID != uuid.Nil && connectorID == uuid.Nil {\n\t\treturn func(state *TunnelState) bool {\n\t\t\treturn state.TunnelID == tunnelID\n\t\t}\n\t}\n\n\treturn func(*TunnelState) bool {\n\t\treturn true\n\t}\n}\n\n// The FindMetricsServer will try to find the metrics server url.\n// There are two possible error scenarios:\n// 1. No instance is found which will only return ErrMetricsServerNotFound\n// 2. Multiple instances are found which will return an array of state and ErrMultipleMetricsServerFound\n// In case of success, only the state for the instance is returned.\nfunc FindMetricsServer(\n\tlog *zerolog.Logger,\n\tclient *httpClient,\n\taddresses []string,\n) (*AddressableTunnelState, []*AddressableTunnelState, error) {\n\tinstances := make([]*AddressableTunnelState, 0)\n\n\tfor _, address := range addresses {\n\t\turl, err := url.Parse(\"http://\" + address)\n\t\tif err != nil {\n\t\t\tlog.Debug().Err(err).Msgf(\"error parsing address %s\", address)\n\n\t\t\tcontinue\n\t\t}\n\n\t\tclient.SetBaseURL(url)\n\n\t\tstate, err := client.GetTunnelState(context.Background())\n\t\tif err == nil {\n\t\t\tinstances = append(instances, &AddressableTunnelState{state, url})\n\t\t} else {\n\t\t\tlog.Debug().Err(err).Msgf(\"error getting tunnel state from address %s\", address)\n\t\t}\n\t}\n\n\tif len(instances) == 0 {\n\t\treturn nil, nil, ErrMetricsServerNotFound\n\t}\n\n\tif len(instances) == 1 {\n\t\treturn instances[0], nil, nil\n\t}\n\n\treturn nil, instances, ErrMultipleMetricsServerFound\n}\n\n// newFormattedEncoder return a JSON encoder with identation\nfunc newFormattedEncoder(w io.Writer) *json.Encoder {\n\tencoder := json.NewEncoder(w)\n\tencoder.SetIndent(\"\", \" \")\n\treturn encoder\n}\n" }, { "path": "diagnostic/diagnostic_utils_test.go", "content": "package diagnostic_test\n\nimport (\n\t\"context\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/facebookgo/grace/gracenet\"\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/diagnostic\"\n\t\"github.com/cloudflare/cloudflared/metrics\"\n\t\"github.com/cloudflare/cloudflared/tunnelstate\"\n)\n\nfunc helperCreateServer(t *testing.T, listeners *gracenet.Net, tunnelID uuid.UUID, connectorID uuid.UUID) func() {\n\tt.Helper()\n\tlistener, err := metrics.CreateMetricsListener(listeners, \"localhost:0\")\n\trequire.NoError(t, err)\n\tlog := zerolog.Nop()\n\ttracker := tunnelstate.NewConnTracker(&log)\n\thandler := diagnostic.NewDiagnosticHandler(&log, 0, nil, tunnelID, connectorID, tracker, map[string]string{}, []string{})\n\trouter := http.NewServeMux()\n\trouter.HandleFunc(\"/diag/tunnel\", handler.TunnelStateHandler)\n\tserver := &http.Server{\n\t\tReadTimeout: 10 * time.Second,\n\t\tWriteTimeout: 10 * time.Second,\n\t\tHandler: router,\n\t}\n\n\tvar wgroup sync.WaitGroup\n\n\twgroup.Add(1)\n\n\tgo func() {\n\t\tdefer wgroup.Done()\n\n\t\t_ = server.Serve(listener)\n\t}()\n\n\tctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)\n\n\tcleanUp := func() {\n\t\t_ = server.Shutdown(ctx)\n\n\t\tcancel()\n\t\twgroup.Wait()\n\t}\n\n\treturn cleanUp\n}\n\nfunc TestFindMetricsServer_WhenSingleServerIsRunning_ReturnState(t *testing.T) {\n\tlisteners := gracenet.Net{}\n\ttid1 := uuid.New()\n\tcid1 := uuid.New()\n\n\tcleanUp := helperCreateServer(t, &listeners, tid1, cid1)\n\tdefer cleanUp()\n\n\tlog := zerolog.Nop()\n\tclient := diagnostic.NewHTTPClient()\n\taddresses := metrics.GetMetricsKnownAddresses(\"host\")\n\turl1, err := url.Parse(\"http://localhost:20241\")\n\trequire.NoError(t, err)\n\n\ttunnel1 := &diagnostic.AddressableTunnelState{\n\t\tTunnelState: &diagnostic.TunnelState{\n\t\t\tTunnelID: tid1,\n\t\t\tConnectorID: cid1,\n\t\t\tConnections: nil,\n\t\t},\n\t\tURL: url1,\n\t}\n\n\tstate, tunnels, err := diagnostic.FindMetricsServer(&log, client, addresses[:])\n\tif err != nil {\n\t\trequire.ErrorIs(t, err, diagnostic.ErrMultipleMetricsServerFound)\n\t}\n\n\tassert.Equal(t, tunnel1, state)\n\tassert.Nil(t, tunnels)\n}\n\nfunc TestFindMetricsServer_WhenMultipleServerAreRunning_ReturnError(t *testing.T) {\n\tlisteners := gracenet.Net{}\n\ttid1 := uuid.New()\n\tcid1 := uuid.New()\n\tcid2 := uuid.New()\n\n\tcleanUp := helperCreateServer(t, &listeners, tid1, cid1)\n\tdefer cleanUp()\n\n\tcleanUp = helperCreateServer(t, &listeners, tid1, cid2)\n\tdefer cleanUp()\n\n\tlog := zerolog.Nop()\n\tclient := diagnostic.NewHTTPClient()\n\taddresses := metrics.GetMetricsKnownAddresses(\"host\")\n\turl1, err := url.Parse(\"http://localhost:20241\")\n\trequire.NoError(t, err)\n\turl2, err := url.Parse(\"http://localhost:20242\")\n\trequire.NoError(t, err)\n\n\ttunnel1 := &diagnostic.AddressableTunnelState{\n\t\tTunnelState: &diagnostic.TunnelState{\n\t\t\tTunnelID: tid1,\n\t\t\tConnectorID: cid1,\n\t\t\tConnections: nil,\n\t\t},\n\t\tURL: url1,\n\t}\n\ttunnel2 := &diagnostic.AddressableTunnelState{\n\t\tTunnelState: &diagnostic.TunnelState{\n\t\t\tTunnelID: tid1,\n\t\t\tConnectorID: cid2,\n\t\t\tConnections: nil,\n\t\t},\n\t\tURL: url2,\n\t}\n\n\tstate, tunnels, err := diagnostic.FindMetricsServer(&log, client, addresses[:])\n\tif err != nil {\n\t\trequire.ErrorIs(t, err, diagnostic.ErrMultipleMetricsServerFound)\n\t}\n\n\tassert.Nil(t, state)\n\tassert.Equal(t, []*diagnostic.AddressableTunnelState{tunnel1, tunnel2}, tunnels)\n}\n\nfunc TestFindMetricsServer_WhenNoInstanceIsRuning_ReturnError(t *testing.T) {\n\tlog := zerolog.Nop()\n\tclient := diagnostic.NewHTTPClient()\n\taddresses := metrics.GetMetricsKnownAddresses(\"host\")\n\n\tstate, tunnels, err := diagnostic.FindMetricsServer(&log, client, addresses[:])\n\trequire.ErrorIs(t, err, diagnostic.ErrMetricsServerNotFound)\n\n\tassert.Nil(t, state)\n\tassert.Nil(t, tunnels)\n}\n" }, { "path": "diagnostic/error.go", "content": "package diagnostic\n\nimport (\n\t\"errors\"\n)\n\nvar (\n\t// Error used when there is no log directory available.\n\tErrManagedLogNotFound = errors.New(\"managed log directory not found\")\n\t// Error used when it is not possible to collect logs using the log configuration.\n\tErrLogConfigurationIsInvalid = errors.New(\"provided log configuration is invalid\")\n\t// Error used when parsing the fields of the output of collector.\n\tErrInsufficientLines = errors.New(\"insufficient lines\")\n\t// Error used when parsing the lines of the output of collector.\n\tErrInsuficientFields = errors.New(\"insufficient fields\")\n\t// Error used when given key is not found while parsing KV.\n\tErrKeyNotFound = errors.New(\"key not found\")\n\t// Error used when there is no disk volume information available.\n\tErrNoVolumeFound = errors.New(\"no disk volume information found\")\n\t// Error user when the base url of the diagnostic client is not provided.\n\tErrNoBaseURL = errors.New(\"no base url\")\n\t// Error used when no metrics server is found listening to the known addresses list (check [metrics.GetMetricsKnownAddresses]).\n\tErrMetricsServerNotFound = errors.New(\"metrics server not found\")\n\t// Error used when multiple metrics server are found listening to the known addresses list (check [metrics.GetMetricsKnownAddresses]).\n\tErrMultipleMetricsServerFound = errors.New(\"multiple metrics server found\")\n\t// Error used when a temporary file creation fails within the diagnostic procedure\n\tErrCreatingTemporaryFile = errors.New(\"temporary file creation failed\")\n)\n" }, { "path": "diagnostic/handlers.go", "content": "package diagnostic\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"net/http\"\n\t\"os\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelstate\"\n)\n\ntype Handler struct {\n\tlog *zerolog.Logger\n\ttimeout time.Duration\n\tsystemCollector SystemCollector\n\ttunnelID uuid.UUID\n\tconnectorID uuid.UUID\n\ttracker *tunnelstate.ConnTracker\n\tcliFlags map[string]string\n\ticmpSources []string\n}\n\nfunc NewDiagnosticHandler(\n\tlog *zerolog.Logger,\n\ttimeout time.Duration,\n\tsystemCollector SystemCollector,\n\ttunnelID uuid.UUID,\n\tconnectorID uuid.UUID,\n\ttracker *tunnelstate.ConnTracker,\n\tcliFlags map[string]string,\n\ticmpSources []string,\n) *Handler {\n\tlogger := log.With().Logger()\n\tif timeout == 0 {\n\t\ttimeout = defaultCollectorTimeout\n\t}\n\n\tcliFlags[configurationKeyUID] = strconv.Itoa(os.Getuid())\n\treturn &Handler{\n\t\tlog: &logger,\n\t\ttimeout: timeout,\n\t\tsystemCollector: systemCollector,\n\t\ttunnelID: tunnelID,\n\t\tconnectorID: connectorID,\n\t\ttracker: tracker,\n\t\tcliFlags: cliFlags,\n\t\ticmpSources: icmpSources,\n\t}\n}\n\nfunc (handler *Handler) InstallEndpoints(router *http.ServeMux) {\n\trouter.HandleFunc(cliConfigurationEndpoint, handler.ConfigurationHandler)\n\trouter.HandleFunc(tunnelStateEndpoint, handler.TunnelStateHandler)\n\trouter.HandleFunc(systemInformationEndpoint, handler.SystemHandler)\n}\n\ntype SystemInformationResponse struct {\n\tInfo *SystemInformation `json:\"info\"`\n\tErr error `json:\"errors\"`\n}\n\nfunc (handler *Handler) SystemHandler(writer http.ResponseWriter, request *http.Request) {\n\tlogger := handler.log.With().Str(collectorField, systemCollectorName).Logger()\n\tlogger.Info().Msg(\"Collection started\")\n\n\tdefer logger.Info().Msg(\"Collection finished\")\n\n\tctx, cancel := context.WithTimeout(request.Context(), handler.timeout)\n\n\tdefer cancel()\n\n\tinfo, err := handler.systemCollector.Collect(ctx)\n\n\tresponse := SystemInformationResponse{\n\t\tInfo: info,\n\t\tErr: err,\n\t}\n\n\tencoder := json.NewEncoder(writer)\n\terr = encoder.Encode(response)\n\tif err != nil {\n\t\tlogger.Error().Err(err).Msgf(\"error occurred whilst serializing information\")\n\t\twriter.WriteHeader(http.StatusInternalServerError)\n\t}\n}\n\ntype TunnelState struct {\n\tTunnelID uuid.UUID `json:\"tunnelID,omitempty\"`\n\tConnectorID uuid.UUID `json:\"connectorID,omitempty\"`\n\tConnections []tunnelstate.IndexedConnectionInfo `json:\"connections,omitempty\"`\n\tICMPSources []string `json:\"icmp_sources,omitempty\"`\n}\n\nfunc (handler *Handler) TunnelStateHandler(writer http.ResponseWriter, _ *http.Request) {\n\tlog := handler.log.With().Str(collectorField, tunnelStateCollectorName).Logger()\n\tlog.Info().Msg(\"Collection started\")\n\n\tdefer log.Info().Msg(\"Collection finished\")\n\n\tbody := TunnelState{\n\t\thandler.tunnelID,\n\t\thandler.connectorID,\n\t\thandler.tracker.GetActiveConnections(),\n\t\thandler.icmpSources,\n\t}\n\tencoder := json.NewEncoder(writer)\n\n\terr := encoder.Encode(body)\n\tif err != nil {\n\t\thandler.log.Error().Err(err).Msgf(\"error occurred whilst serializing information\")\n\t\twriter.WriteHeader(http.StatusInternalServerError)\n\t}\n}\n\nfunc (handler *Handler) ConfigurationHandler(writer http.ResponseWriter, _ *http.Request) {\n\tlog := handler.log.With().Str(collectorField, configurationCollectorName).Logger()\n\tlog.Info().Msg(\"Collection started\")\n\n\tdefer func() {\n\t\tlog.Info().Msg(\"Collection finished\")\n\t}()\n\n\tencoder := json.NewEncoder(writer)\n\n\terr := encoder.Encode(handler.cliFlags)\n\tif err != nil {\n\t\thandler.log.Error().Err(err).Msgf(\"error occurred whilst serializing response\")\n\t\twriter.WriteHeader(http.StatusInternalServerError)\n\t}\n}\n\nfunc writeResponse(w http.ResponseWriter, bytes []byte, logger *zerolog.Logger) {\n\tbytesWritten, err := w.Write(bytes)\n\tif err != nil {\n\t\tlogger.Error().Err(err).Msg(\"error occurred writing response\")\n\t} else if bytesWritten != len(bytes) {\n\t\tlogger.Error().Msgf(\"error incomplete write response %d/%d\", bytesWritten, len(bytes))\n\t}\n}\n" }, { "path": "diagnostic/handlers_test.go", "content": "package diagnostic_test\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"runtime\"\n\t\"testing\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/diagnostic\"\n\t\"github.com/cloudflare/cloudflared/tunnelstate\"\n)\n\ntype SystemCollectorMock struct {\n\tsystemInfo *diagnostic.SystemInformation\n\terr error\n}\n\nconst (\n\tsystemInformationKey = \"sikey\"\n\terrorKey = \"errkey\"\n)\n\nfunc newTrackerFromConns(t *testing.T, connections []tunnelstate.IndexedConnectionInfo) *tunnelstate.ConnTracker {\n\tt.Helper()\n\n\tlog := zerolog.Nop()\n\ttracker := tunnelstate.NewConnTracker(&log)\n\n\tfor _, conn := range connections {\n\t\ttracker.OnTunnelEvent(connection.Event{\n\t\t\tIndex: conn.Index,\n\t\t\tEventType: connection.Connected,\n\t\t\tProtocol: conn.Protocol,\n\t\t\tEdgeAddress: conn.EdgeAddress,\n\t\t})\n\t}\n\n\treturn tracker\n}\n\nfunc (collector *SystemCollectorMock) Collect(context.Context) (*diagnostic.SystemInformation, error) {\n\treturn collector.systemInfo, collector.err\n}\n\nfunc TestSystemHandler(t *testing.T) {\n\tt.Parallel()\n\n\tlog := zerolog.Nop()\n\ttests := []struct {\n\t\tname string\n\t\tsystemInfo *diagnostic.SystemInformation\n\t\terr error\n\t\tstatusCode int\n\t}{\n\t\t{\n\t\t\tname: \"happy path\",\n\t\t\tsystemInfo: diagnostic.NewSystemInformation(\n\t\t\t\t0, 0, 0, 0,\n\t\t\t\t\"string\", \"string\", \"string\", \"string\",\n\t\t\t\t\"string\", \"string\",\n\t\t\t\truntime.Version(), runtime.GOARCH, nil,\n\t\t\t),\n\n\t\t\terr: nil,\n\t\t\tstatusCode: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tname: \"on error and no raw info\", systemInfo: nil,\n\t\t\terr: errors.New(\"an error\"), statusCode: http.StatusOK,\n\t\t},\n\t}\n\n\tfor _, tCase := range tests {\n\t\tt.Run(tCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\thandler := diagnostic.NewDiagnosticHandler(&log, 0, &SystemCollectorMock{\n\t\t\t\tsystemInfo: tCase.systemInfo,\n\t\t\t\terr: tCase.err,\n\t\t\t}, uuid.New(), uuid.New(), nil, map[string]string{}, nil)\n\t\t\trecorder := httptest.NewRecorder()\n\t\t\tctx := context.Background()\n\t\t\trequest, err := http.NewRequestWithContext(ctx, http.MethodGet, \"/diag/system\", nil)\n\t\t\trequire.NoError(t, err)\n\t\t\thandler.SystemHandler(recorder, request)\n\n\t\t\tassert.Equal(t, tCase.statusCode, recorder.Code)\n\t\t\tif tCase.statusCode == http.StatusOK && tCase.systemInfo != nil {\n\t\t\t\tvar response diagnostic.SystemInformationResponse\n\t\t\t\tdecoder := json.NewDecoder(recorder.Body)\n\t\t\t\terr := decoder.Decode(&response)\n\t\t\t\trequire.NoError(t, err)\n\t\t\t\tassert.Equal(t, tCase.systemInfo, response.Info)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestTunnelStateHandler(t *testing.T) {\n\tt.Parallel()\n\n\tlog := zerolog.Nop()\n\ttests := []struct {\n\t\tname string\n\t\ttunnelID uuid.UUID\n\t\tclientID uuid.UUID\n\t\tconnections []tunnelstate.IndexedConnectionInfo\n\t\ticmpSources []string\n\t}{\n\t\t{\n\t\t\tname: \"case1\",\n\t\t\ttunnelID: uuid.New(),\n\t\t\tclientID: uuid.New(),\n\t\t},\n\t\t{\n\t\t\tname: \"case2\",\n\t\t\ttunnelID: uuid.New(),\n\t\t\tclientID: uuid.New(),\n\t\t\ticmpSources: []string{\"172.17.0.3\", \"::1\"},\n\t\t\tconnections: []tunnelstate.IndexedConnectionInfo{{\n\t\t\t\tConnectionInfo: tunnelstate.ConnectionInfo{\n\t\t\t\t\tIsConnected: true,\n\t\t\t\t\tProtocol: connection.QUIC,\n\t\t\t\t\tEdgeAddress: net.IPv4(100, 100, 100, 100),\n\t\t\t\t},\n\t\t\t\tIndex: 0,\n\t\t\t}},\n\t\t},\n\t}\n\n\tfor _, tCase := range tests {\n\t\tt.Run(tCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\ttracker := newTrackerFromConns(t, tCase.connections)\n\t\t\thandler := diagnostic.NewDiagnosticHandler(\n\t\t\t\t&log,\n\t\t\t\t0,\n\t\t\t\tnil,\n\t\t\t\ttCase.tunnelID,\n\t\t\t\ttCase.clientID,\n\t\t\t\ttracker,\n\t\t\t\tmap[string]string{},\n\t\t\t\ttCase.icmpSources,\n\t\t\t)\n\t\t\trecorder := httptest.NewRecorder()\n\t\t\thandler.TunnelStateHandler(recorder, nil)\n\t\t\tdecoder := json.NewDecoder(recorder.Body)\n\n\t\t\tvar response diagnostic.TunnelState\n\t\t\terr := decoder.Decode(&response)\n\t\t\trequire.NoError(t, err)\n\t\t\tassert.Equal(t, http.StatusOK, recorder.Code)\n\t\t\tassert.Equal(t, tCase.tunnelID, response.TunnelID)\n\t\t\tassert.Equal(t, tCase.clientID, response.ConnectorID)\n\t\t\tassert.Equal(t, tCase.connections, response.Connections)\n\t\t\tassert.Equal(t, tCase.icmpSources, response.ICMPSources)\n\t\t})\n\t}\n}\n\nfunc TestConfigurationHandler(t *testing.T) {\n\tt.Parallel()\n\n\tlog := zerolog.Nop()\n\n\ttests := []struct {\n\t\tname string\n\t\tflags map[string]string\n\t\texpected map[string]string\n\t}{\n\t\t{\n\t\t\tname: \"empty cli\",\n\t\t\tflags: make(map[string]string),\n\t\t\texpected: map[string]string{\n\t\t\t\t\"uid\": \"0\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"cli with flags\",\n\t\t\tflags: map[string]string{\n\t\t\t\t\"b\": \"a\",\n\t\t\t\t\"c\": \"a\",\n\t\t\t\t\"d\": \"a\",\n\t\t\t\t\"uid\": \"0\",\n\t\t\t},\n\t\t\texpected: map[string]string{\n\t\t\t\t\"b\": \"a\",\n\t\t\t\t\"c\": \"a\",\n\t\t\t\t\"d\": \"a\",\n\t\t\t\t\"uid\": \"0\",\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tCase := range tests {\n\t\tt.Run(tCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tvar response map[string]string\n\n\t\t\thandler := diagnostic.NewDiagnosticHandler(&log, 0, nil, uuid.New(), uuid.New(), nil, tCase.flags, nil)\n\t\t\trecorder := httptest.NewRecorder()\n\t\t\thandler.ConfigurationHandler(recorder, nil)\n\t\t\tdecoder := json.NewDecoder(recorder.Body)\n\t\t\terr := decoder.Decode(&response)\n\t\t\trequire.NoError(t, err)\n\t\t\t_, ok := response[\"uid\"]\n\t\t\tassert.True(t, ok)\n\t\t\tdelete(tCase.expected, \"uid\")\n\t\t\tdelete(response, \"uid\")\n\t\t\tassert.Equal(t, http.StatusOK, recorder.Code)\n\t\t\tassert.Equal(t, tCase.expected, response)\n\t\t})\n\t}\n}\n" }, { "path": "diagnostic/log_collector.go", "content": "package diagnostic\n\nimport (\n\t\"context\"\n)\n\n// Represents the path of the log file or log directory.\n// This struct is meant to give some ergonimics regarding\n// the logging information.\ntype LogInformation struct {\n\tpath string // path to a file or directory\n\twasCreated bool // denotes if `path` was created\n\tisDirectory bool // denotes if `path` is a directory\n}\n\nfunc NewLogInformation(\n\tpath string,\n\twasCreated bool,\n\tisDirectory bool,\n) *LogInformation {\n\treturn &LogInformation{\n\t\tpath,\n\t\twasCreated,\n\t\tisDirectory,\n\t}\n}\n\ntype LogCollector interface {\n\t// This function is responsible for returning a path to a single file\n\t// whose contents are the logs of a cloudflared instance.\n\t// A new file may be create by a LogCollector, thus, its the caller\n\t// responsibility to remove the newly create file.\n\tCollect(ctx context.Context) (*LogInformation, error)\n}\n" }, { "path": "diagnostic/log_collector_docker.go", "content": "package diagnostic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"time\"\n)\n\ntype DockerLogCollector struct {\n\tcontainerID string // This member identifies the container by identifier or name\n}\n\nfunc NewDockerLogCollector(containerID string) *DockerLogCollector {\n\treturn &DockerLogCollector{\n\t\tcontainerID,\n\t}\n}\n\nfunc (collector *DockerLogCollector) Collect(ctx context.Context) (*LogInformation, error) {\n\ttmp := os.TempDir()\n\n\toutputHandle, err := os.Create(filepath.Join(tmp, logFilename))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error opening output file: %w\", err)\n\t}\n\n\tdefer outputHandle.Close()\n\n\t// Calculate 2 weeks ago\n\tsince := time.Now().Add(twoWeeksOffset).Format(time.RFC3339)\n\n\tcommand := exec.CommandContext(\n\t\tctx,\n\t\t\"docker\",\n\t\t\"logs\",\n\t\t\"--tail\",\n\t\ttailMaxNumberOfLines,\n\t\t\"--since\",\n\t\tsince,\n\t\tcollector.containerID,\n\t)\n\n\treturn PipeCommandOutputToFile(command, outputHandle)\n}\n" }, { "path": "diagnostic/log_collector_host.go", "content": "package diagnostic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"runtime\"\n)\n\nconst (\n\tlinuxManagedLogsPath = \"/var/log/cloudflared.err\"\n\tdarwinManagedLogsPath = \"/Library/Logs/com.cloudflare.cloudflared.err.log\"\n\tlinuxServiceConfigurationPath = \"/etc/systemd/system/cloudflared.service\"\n\tlinuxSystemdPath = \"/run/systemd/system\"\n)\n\ntype HostLogCollector struct {\n\tclient HTTPClient\n}\n\nfunc NewHostLogCollector(client HTTPClient) *HostLogCollector {\n\treturn &HostLogCollector{\n\t\tclient,\n\t}\n}\n\nfunc extractLogsFromJournalCtl(ctx context.Context) (*LogInformation, error) {\n\ttmp := os.TempDir()\n\n\toutputHandle, err := os.Create(filepath.Join(tmp, logFilename))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error opening output file: %w\", err)\n\t}\n\n\tdefer outputHandle.Close()\n\n\tcommand := exec.CommandContext(\n\t\tctx,\n\t\t\"journalctl\",\n\t\t\"--since\",\n\t\t\"2 weeks ago\",\n\t\t\"-u\",\n\t\t\"cloudflared.service\",\n\t)\n\n\treturn PipeCommandOutputToFile(command, outputHandle)\n}\n\nfunc getServiceLogPath() (string, error) {\n\tswitch runtime.GOOS {\n\tcase \"darwin\":\n\t\t{\n\t\t\tpath := darwinManagedLogsPath\n\t\t\tif _, err := os.Stat(path); err == nil {\n\t\t\t\treturn path, nil\n\t\t\t}\n\n\t\t\tuserHomeDir, err := os.UserHomeDir()\n\t\t\tif err != nil {\n\t\t\t\treturn \"\", fmt.Errorf(\"error getting user home: %w\", err)\n\t\t\t}\n\n\t\t\treturn filepath.Join(userHomeDir, darwinManagedLogsPath), nil\n\t\t}\n\tcase \"linux\":\n\t\t{\n\t\t\treturn linuxManagedLogsPath, nil\n\t\t}\n\tdefault:\n\t\treturn \"\", ErrManagedLogNotFound\n\t}\n}\n\nfunc (collector *HostLogCollector) Collect(ctx context.Context) (*LogInformation, error) {\n\tlogConfiguration, err := collector.client.GetLogConfiguration(ctx)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error getting log configuration: %w\", err)\n\t}\n\n\tif logConfiguration.uid == 0 {\n\t\t_, statSystemdErr := os.Stat(linuxServiceConfigurationPath)\n\n\t\t_, statServiceConfigurationErr := os.Stat(linuxServiceConfigurationPath)\n\t\tif statSystemdErr == nil && statServiceConfigurationErr == nil && runtime.GOOS == \"linux\" {\n\t\t\treturn extractLogsFromJournalCtl(ctx)\n\t\t}\n\n\t\tpath, err := getServiceLogPath()\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\treturn NewLogInformation(path, false, false), nil\n\t}\n\n\tif logConfiguration.logFile != \"\" {\n\t\treturn NewLogInformation(logConfiguration.logFile, false, false), nil\n\t} else if logConfiguration.logDirectory != \"\" {\n\t\treturn NewLogInformation(logConfiguration.logDirectory, false, true), nil\n\t}\n\n\treturn nil, ErrLogConfigurationIsInvalid\n}\n" }, { "path": "diagnostic/log_collector_kubernetes.go", "content": "package diagnostic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"time\"\n)\n\ntype KubernetesLogCollector struct {\n\tcontainerID string // This member identifies the container by identifier or name\n\tpod string // This member identifies the pod where the container is deployed\n}\n\nfunc NewKubernetesLogCollector(containerID, pod string) *KubernetesLogCollector {\n\treturn &KubernetesLogCollector{\n\t\tcontainerID,\n\t\tpod,\n\t}\n}\n\nfunc (collector *KubernetesLogCollector) Collect(ctx context.Context) (*LogInformation, error) {\n\ttmp := os.TempDir()\n\toutputHandle, err := os.Create(filepath.Join(tmp, logFilename))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error opening output file: %w\", err)\n\t}\n\n\tdefer outputHandle.Close()\n\n\tvar command *exec.Cmd\n\t// Calculate 2 weeks ago\n\tsince := time.Now().Add(twoWeeksOffset).Format(time.RFC3339)\n\tif collector.containerID != \"\" {\n\t\tcommand = exec.CommandContext(\n\t\t\tctx,\n\t\t\t\"kubectl\",\n\t\t\t\"logs\",\n\t\t\tcollector.pod,\n\t\t\t\"--since-time\",\n\t\t\tsince,\n\t\t\t\"--tail\",\n\t\t\ttailMaxNumberOfLines,\n\t\t\t\"-c\",\n\t\t\tcollector.containerID,\n\t\t)\n\t} else {\n\t\tcommand = exec.CommandContext(\n\t\t\tctx,\n\t\t\t\"kubectl\",\n\t\t\t\"logs\",\n\t\t\tcollector.pod,\n\t\t\t\"--since-time\",\n\t\t\tsince,\n\t\t\t\"--tail\",\n\t\t\ttailMaxNumberOfLines,\n\t\t)\n\t}\n\n\treturn PipeCommandOutputToFile(command, outputHandle)\n}\n" }, { "path": "diagnostic/log_collector_utils.go", "content": "package diagnostic\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n)\n\nfunc PipeCommandOutputToFile(command *exec.Cmd, outputHandle *os.File) (*LogInformation, error) {\n\tstdoutReader, err := command.StdoutPipe()\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\n\t\t\t\"error retrieving stdout from command '%s': %w\",\n\t\t\tcommand.String(),\n\t\t\terr,\n\t\t)\n\t}\n\n\tstderrReader, err := command.StderrPipe()\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\n\t\t\t\"error retrieving stderr from command '%s': %w\",\n\t\t\tcommand.String(),\n\t\t\terr,\n\t\t)\n\t}\n\n\tif err := command.Start(); err != nil {\n\t\treturn nil, fmt.Errorf(\n\t\t\t\"error running command '%s': %w\",\n\t\t\tcommand.String(),\n\t\t\terr,\n\t\t)\n\t}\n\n\t_, err = io.Copy(outputHandle, stdoutReader)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\n\t\t\t\"error copying stdout from %s to file %s: %w\",\n\t\t\tcommand.String(),\n\t\t\toutputHandle.Name(),\n\t\t\terr,\n\t\t)\n\t}\n\n\t_, err = io.Copy(outputHandle, stderrReader)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\n\t\t\t\"error copying stderr from %s to file %s: %w\",\n\t\t\tcommand.String(),\n\t\t\toutputHandle.Name(),\n\t\t\terr,\n\t\t)\n\t}\n\n\tif err := command.Wait(); err != nil {\n\t\treturn nil, fmt.Errorf(\n\t\t\t\"error waiting from command '%s': %w\",\n\t\t\tcommand.String(),\n\t\t\terr,\n\t\t)\n\t}\n\n\treturn NewLogInformation(outputHandle.Name(), true, false), nil\n}\n\nfunc CopyFilesFromDirectory(path string) (string, error) {\n\t// rolling logs have as suffix the current date thus\n\t// when iterating the path files they are already in\n\t// chronological order\n\tfiles, err := os.ReadDir(path)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"error reading directory %s: %w\", path, err)\n\t}\n\n\toutputHandle, err := os.Create(filepath.Join(os.TempDir(), logFilename))\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"creating file %s: %w\", outputHandle.Name(), err)\n\t}\n\tdefer outputHandle.Close()\n\n\tfor _, file := range files {\n\t\tlogHandle, err := os.Open(filepath.Join(path, file.Name()))\n\t\tif err != nil {\n\t\t\treturn \"\", fmt.Errorf(\"error opening file %s:%w\", file.Name(), err)\n\t\t}\n\t\tdefer logHandle.Close()\n\n\t\t_, err = io.Copy(outputHandle, logHandle)\n\t\tif err != nil {\n\t\t\treturn \"\", fmt.Errorf(\"error copying file %s:%w\", logHandle.Name(), err)\n\t\t}\n\t}\n\n\tlogHandle, err := os.Open(filepath.Join(path, \"cloudflared.log\"))\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"error opening file %s:%w\", logHandle.Name(), err)\n\t}\n\tdefer logHandle.Close()\n\n\t_, err = io.Copy(outputHandle, logHandle)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"error copying file %s:%w\", logHandle.Name(), err)\n\t}\n\n\treturn outputHandle.Name(), nil\n}\n" }, { "path": "diagnostic/network/collector.go", "content": "package diagnostic\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"time\"\n)\n\nconst MicrosecondsFactor = 1000.0\n\nvar ErrEmptyDomain = errors.New(\"domain must not be empty\")\n\n// For now only support ICMP is provided.\ntype IPVersion int\n\nconst (\n\tV4 IPVersion = iota\n\tV6 IPVersion = iota\n)\n\ntype Hop struct {\n\tHop uint8 `json:\"hop,omitempty\"` // hop number along the route\n\tDomain string `json:\"domain,omitempty\"` // domain and/or ip of the hop, this field will be '*' if the hop is a timeout\n\tRtts []time.Duration `json:\"rtts,omitempty\"` // RTT measurements in microseconds\n}\n\ntype TraceOptions struct {\n\tttl uint64 // number of hops to perform\n\ttimeout time.Duration // wait timeout for each response\n\taddress string // address to trace\n\tuseV4 bool\n}\n\nfunc NewTimeoutHop(\n\thop uint8,\n) *Hop {\n\t// Whenever there is a hop in the format of 'N * * *'\n\t// it means that the hop in the path didn't answer to\n\t// any probe.\n\treturn NewHop(\n\t\thop,\n\t\t\"*\",\n\t\tnil,\n\t)\n}\n\nfunc NewHop(hop uint8, domain string, rtts []time.Duration) *Hop {\n\treturn &Hop{\n\t\thop,\n\t\tdomain,\n\t\trtts,\n\t}\n}\n\nfunc NewTraceOptions(\n\tttl uint64,\n\ttimeout time.Duration,\n\taddress string,\n\tuseV4 bool,\n) TraceOptions {\n\treturn TraceOptions{\n\t\tttl,\n\t\ttimeout,\n\t\taddress,\n\t\tuseV4,\n\t}\n}\n\ntype NetworkCollector interface {\n\t// Performs a trace route operation with the specified options.\n\t// In case the trace fails, it will return a non-nil error and\n\t// it may return a string which represents the raw information\n\t// obtained.\n\t// In case it is successful it will only return an array of Hops\n\t// an empty string and a nil error.\n\tCollect(ctx context.Context, options TraceOptions) ([]*Hop, string, error)\n}\n" }, { "path": "diagnostic/network/collector_unix.go", "content": "//go:build darwin || linux\n\npackage diagnostic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os/exec\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n)\n\ntype NetworkCollectorImpl struct{}\n\nfunc (tracer *NetworkCollectorImpl) Collect(ctx context.Context, options TraceOptions) ([]*Hop, string, error) {\n\targs := []string{\n\t\t\"-I\",\n\t\t\"-w\",\n\t\tstrconv.FormatInt(int64(options.timeout.Seconds()), 10),\n\t\t\"-m\",\n\t\tstrconv.FormatUint(options.ttl, 10),\n\t\toptions.address,\n\t}\n\n\tvar command string\n\n\tswitch options.useV4 {\n\tcase false:\n\t\tcommand = \"traceroute6\"\n\tdefault:\n\t\tcommand = \"traceroute\"\n\t}\n\n\tprocess := exec.CommandContext(ctx, command, args...)\n\n\treturn decodeNetworkOutputToFile(process, DecodeLine)\n}\n\nfunc DecodeLine(text string) (*Hop, error) {\n\tfields := strings.Fields(text)\n\tparts := []string{}\n\tfilter := func(s string) bool { return s != \"*\" && s != \"ms\" }\n\n\tfor _, field := range fields {\n\t\tif filter(field) {\n\t\t\tparts = append(parts, field)\n\t\t}\n\t}\n\n\tindex, err := strconv.ParseUint(parts[0], 10, 8)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"couldn't parse index from timeout hop: %w\", err)\n\t}\n\n\tif len(parts) == 1 {\n\t\treturn NewTimeoutHop(uint8(index)), nil\n\t}\n\n\tdomain := \"\"\n\trtts := []time.Duration{}\n\n\tfor _, part := range parts[1:] {\n\t\trtt, err := strconv.ParseFloat(part, 64)\n\t\tif err != nil {\n\t\t\tdomain += part + \" \"\n\t\t} else {\n\t\t\trtts = append(rtts, time.Duration(rtt*MicrosecondsFactor))\n\t\t}\n\t}\n\n\tdomain, _ = strings.CutSuffix(domain, \" \")\n\tif domain == \"\" {\n\t\treturn nil, ErrEmptyDomain\n\t}\n\n\treturn NewHop(uint8(index), domain, rtts), nil\n}\n" }, { "path": "diagnostic/network/collector_unix_test.go", "content": "//go:build darwin || linux\n\npackage diagnostic_test\n\nimport (\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\tdiagnostic \"github.com/cloudflare/cloudflared/diagnostic/network\"\n)\n\nfunc TestDecode(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\ttext string\n\t\texpectedHops []*diagnostic.Hop\n\t}{\n\t\t{\n\t\t\t\"repeated hop index parse failure\",\n\t\t\t`1 172.68.101.121 (172.68.101.121) 12.874 ms 15.517 ms 15.311 ms\n2 172.68.101.121 (172.68.101.121) 12.874 ms 15.517 ms 15.311 ms\nsomeletters * * *\n4 172.68.101.121 (172.68.101.121) 12.874 ms 15.517 ms 15.311 ms `,\n\t\t\t[]*diagnostic.Hop{\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(1),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(2),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(4),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t\"hop index parse failure\",\n\t\t\t`1 172.68.101.121 (172.68.101.121) 12.874 ms 15.517 ms 15.311 ms\n2 172.68.101.121 (172.68.101.121) 12.874 ms 15.517 ms 15.311 ms\nsomeletters 8.8.8.8 8.8.8.9 abc ms 0.456 ms 0.789 ms`,\n\t\t\t[]*diagnostic.Hop{\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(1),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(2),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t\"missing rtt\",\n\t\t\t`1 172.68.101.121 (172.68.101.121) 12.874 ms 15.517 ms 15.311 ms\n2 * 8.8.8.8 8.8.8.9 0.456 ms 0.789 ms`,\n\t\t\t[]*diagnostic.Hop{\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(1),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(2),\n\t\t\t\t\t\"8.8.8.8 8.8.8.9\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(456),\n\t\t\t\t\t\ttime.Duration(789),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t\"simple example ipv4\",\n\t\t\t`1 172.68.101.121 (172.68.101.121) 12.874 ms 15.517 ms 15.311 ms\n2 172.68.101.121 (172.68.101.121) 12.874 ms 15.517 ms 15.311 ms\n3 * * *`,\n\t\t\t[]*diagnostic.Hop{\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(1),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(2),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewTimeoutHop(uint8(3)),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t\"simple example ipv6\",\n\t\t\t` 1 2400:cb00:107:1024::ac44:6550 12.780 ms 9.118 ms 10.046 ms\n 2 2a09:bac1:: 9.945 ms 10.033 ms 11.562 ms`,\n\t\t\t[]*diagnostic.Hop{\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(1),\n\t\t\t\t\t\"2400:cb00:107:1024::ac44:6550\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12780),\n\t\t\t\t\t\ttime.Duration(9118),\n\t\t\t\t\t\ttime.Duration(10046),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(2),\n\t\t\t\t\t\"2a09:bac1::\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(9945),\n\t\t\t\t\t\ttime.Duration(10033),\n\t\t\t\t\t\ttime.Duration(11562),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\thops, err := diagnostic.Decode(strings.NewReader(test.text), diagnostic.DecodeLine)\n\t\t\trequire.NoError(t, err)\n\t\t\tassert.Equal(t, test.expectedHops, hops)\n\t\t})\n\t}\n}\n" }, { "path": "diagnostic/network/collector_utils.go", "content": "package diagnostic\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"os/exec\"\n)\n\ntype DecodeLineFunc func(text string) (*Hop, error)\n\nfunc decodeNetworkOutputToFile(command *exec.Cmd, decodeLine DecodeLineFunc) ([]*Hop, string, error) {\n\tstdout, err := command.StdoutPipe()\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error piping traceroute's output: %w\", err)\n\t}\n\n\tif err := command.Start(); err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error starting traceroute: %w\", err)\n\t}\n\n\t// Tee the output to a string to have the raw information\n\t// in case the decode call fails\n\t// This error is handled only after the Wait call below returns\n\t// otherwise the process can become a zombie\n\tbuf := bytes.NewBuffer([]byte{})\n\ttee := io.TeeReader(stdout, buf)\n\thops, err := Decode(tee, decodeLine)\n\t// regardless of success of the decoding\n\t// consume all output to have available in buf\n\t_, _ = io.ReadAll(tee)\n\n\tif werr := command.Wait(); werr != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error finishing traceroute: %w\", werr)\n\t}\n\n\tif err != nil {\n\t\treturn nil, buf.String(), err\n\t}\n\n\treturn hops, buf.String(), nil\n}\n\nfunc Decode(reader io.Reader, decodeLine DecodeLineFunc) ([]*Hop, error) {\n\tscanner := bufio.NewScanner(reader)\n\tscanner.Split(bufio.ScanLines)\n\n\tvar hops []*Hop\n\n\tfor scanner.Scan() {\n\t\ttext := scanner.Text()\n\t\tif text == \"\" {\n\t\t\tcontinue\n\t\t}\n\n\t\thop, err := decodeLine(text)\n\t\tif err != nil {\n\t\t\t// This continue is here on the error case because there are lines at the start and end\n\t\t\t// that may not be parsable. (check windows tracert output)\n\t\t\t// The skip is here because aside from the start and end lines the other lines should\n\t\t\t// always be parsable without errors.\n\t\t\tcontinue\n\t\t}\n\n\t\thops = append(hops, hop)\n\t}\n\n\tif scanner.Err() != nil {\n\t\treturn nil, fmt.Errorf(\"scanner reported an error: %w\", scanner.Err())\n\t}\n\n\treturn hops, nil\n}\n" }, { "path": "diagnostic/network/collector_windows.go", "content": "//go:build windows\n\npackage diagnostic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os/exec\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n)\n\ntype NetworkCollectorImpl struct{}\n\nfunc (tracer *NetworkCollectorImpl) Collect(ctx context.Context, options TraceOptions) ([]*Hop, string, error) {\n\tipversion := \"-4\"\n\tif !options.useV4 {\n\t\tipversion = \"-6\"\n\t}\n\n\targs := []string{\n\t\tipversion,\n\t\t\"-w\",\n\t\tstrconv.FormatInt(int64(options.timeout.Seconds()), 10),\n\t\t\"-h\",\n\t\tstrconv.FormatUint(options.ttl, 10),\n\t\t// Do not resolve host names (can add 30+ seconds to run time)\n\t\t\"-d\",\n\t\toptions.address,\n\t}\n\tcommand := exec.CommandContext(ctx, \"tracert.exe\", args...)\n\n\treturn decodeNetworkOutputToFile(command, DecodeLine)\n}\n\nfunc DecodeLine(text string) (*Hop, error) {\n\tconst requestTimedOut = \"Request timed out.\"\n\n\tfields := strings.Fields(text)\n\tparts := []string{}\n\tfilter := func(s string) bool { return s != \"*\" && s != \"ms\" }\n\n\tfor _, field := range fields {\n\t\tif filter(field) {\n\t\t\tparts = append(parts, field)\n\t\t}\n\t}\n\n\tindex, err := strconv.ParseUint(parts[0], 10, 8)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"couldn't parse index from timeout hop: %w\", err)\n\t}\n\n\tdomain := \"\"\n\trtts := []time.Duration{}\n\n\tfor _, part := range parts[1:] {\n\n\t\trtt, err := strconv.ParseFloat(strings.TrimLeft(part, \"<\"), 64)\n\n\t\tif err != nil {\n\t\t\tdomain += part + \" \"\n\t\t} else {\n\t\t\trtts = append(rtts, time.Duration(rtt*MicrosecondsFactor))\n\t\t}\n\t}\n\n\tdomain, _ = strings.CutSuffix(domain, \" \")\n\t// If the domain is equal to \"Request timed out.\" then we build a\n\t// timeout hop.\n\tif domain == requestTimedOut {\n\t\treturn NewTimeoutHop(uint8(index)), nil\n\t}\n\n\tif domain == \"\" {\n\t\treturn nil, ErrEmptyDomain\n\t}\n\n\treturn NewHop(uint8(index), domain, rtts), nil\n}\n" }, { "path": "diagnostic/network/collector_windows_test.go", "content": "//go:build windows\n\npackage diagnostic_test\n\nimport (\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\tdiagnostic \"github.com/cloudflare/cloudflared/diagnostic/network\"\n)\n\nfunc TestDecode(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\ttext string\n\t\texpectedHops []*diagnostic.Hop\n\t}{\n\n\t\t{\n\t\t\t\"tracert output\",\n\t\t\t`\nTracing route to region2.v2.argotunnel.com [198.41.200.73]\nover a maximum of 5 hops:\n\n 1 10 ms <1 ms 1 ms 192.168.64.1\n 2 27 ms 14 ms 5 ms 192.168.1.254\n 3 * * * Request timed out.\n 4 * * * Request timed out.\n 5 27 ms 5 ms 5 ms 195.8.30.245\n\nTrace complete.\n`,\n\t\t\t[]*diagnostic.Hop{\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(1),\n\t\t\t\t\t\"192.168.64.1\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(10000),\n\t\t\t\t\t\ttime.Duration(1000),\n\t\t\t\t\t\ttime.Duration(1000),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(2),\n\t\t\t\t\t\"192.168.1.254\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(27000),\n\t\t\t\t\t\ttime.Duration(14000),\n\t\t\t\t\t\ttime.Duration(5000),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewTimeoutHop(uint8(3)),\n\t\t\t\tdiagnostic.NewTimeoutHop(uint8(4)),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(5),\n\t\t\t\t\t\"195.8.30.245\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(27000),\n\t\t\t\t\t\ttime.Duration(5000),\n\t\t\t\t\t\ttime.Duration(5000),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t\"repeated hop index parse failure\",\n\t\t\t`1\t12.874 ms\t15.517 ms\t15.311 ms\t172.68.101.121 (172.68.101.121) \n2\t12.874 ms\t15.517 ms\t15.311 ms\t172.68.101.121 (172.68.101.121) \nsomeletters * * *`,\n\t\t\t[]*diagnostic.Hop{\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(1),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(2),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t\"hop index parse failure\",\n\t\t\t`1\t12.874 ms\t15.517 ms\t15.311 ms\t172.68.101.121 (172.68.101.121) \n2\t12.874 ms\t15.517 ms\t15.311 ms\t172.68.101.121 (172.68.101.121) \nsomeletters abc ms 0.456 ms 0.789 ms 8.8.8.8 8.8.8.9`,\n\t\t\t[]*diagnostic.Hop{\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(1),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(2),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t\"missing rtt\",\n\t\t\t`1\t<12.874 ms\t<15.517 ms\t<15.311 ms\t172.68.101.121 (172.68.101.121) \n2 * 0.456 ms 0.789 ms 8.8.8.8 8.8.8.9`,\n\t\t\t[]*diagnostic.Hop{\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(1),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(2),\n\t\t\t\t\t\"8.8.8.8 8.8.8.9\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(456),\n\t\t\t\t\t\ttime.Duration(789),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t\"simple example ipv4\",\n\t\t\t`1\t12.874 ms\t15.517 ms\t15.311 ms\t172.68.101.121 (172.68.101.121) \n2\t12.874 ms\t15.517 ms\t15.311 ms\t172.68.101.121 (172.68.101.121) \n3 * * * Request timed out.`,\n\t\t\t[]*diagnostic.Hop{\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(1),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(2),\n\t\t\t\t\t\"172.68.101.121 (172.68.101.121)\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12874),\n\t\t\t\t\t\ttime.Duration(15517),\n\t\t\t\t\t\ttime.Duration(15311),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewTimeoutHop(uint8(3)),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t\"simple example ipv6\",\n\t\t\t` 1 12.780 ms 9.118 ms 10.046 ms 2400:cb00:107:1024::ac44:6550\n 2 9.945 ms 10.033 ms 11.562 ms 2a09:bac1::`,\n\t\t\t[]*diagnostic.Hop{\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(1),\n\t\t\t\t\t\"2400:cb00:107:1024::ac44:6550\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(12780),\n\t\t\t\t\t\ttime.Duration(9118),\n\t\t\t\t\t\ttime.Duration(10046),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t\tdiagnostic.NewHop(\n\t\t\t\t\tuint8(2),\n\t\t\t\t\t\"2a09:bac1::\",\n\t\t\t\t\t[]time.Duration{\n\t\t\t\t\t\ttime.Duration(9945),\n\t\t\t\t\t\ttime.Duration(10033),\n\t\t\t\t\t\ttime.Duration(11562),\n\t\t\t\t\t},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\thops, err := diagnostic.Decode(strings.NewReader(test.text), diagnostic.DecodeLine)\n\t\t\trequire.NoError(t, err)\n\t\t\tassert.Equal(t, test.expectedHops, hops)\n\t\t})\n\t}\n}\n" }, { "path": "diagnostic/system_collector.go", "content": "package diagnostic\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"strings\"\n)\n\ntype SystemInformationError struct {\n\tErr error `json:\"error\"`\n\tRawInfo string `json:\"rawInfo\"`\n}\n\nfunc (err SystemInformationError) Error() string {\n\treturn err.Err.Error()\n}\n\nfunc (err SystemInformationError) MarshalJSON() ([]byte, error) {\n\ts := map[string]string{\n\t\t\"error\": err.Err.Error(),\n\t\t\"rawInfo\": err.RawInfo,\n\t}\n\n\treturn json.Marshal(s)\n}\n\ntype SystemInformationGeneralError struct {\n\tOperatingSystemInformationError error\n\tMemoryInformationError error\n\tFileDescriptorsInformationError error\n\tDiskVolumeInformationError error\n}\n\nfunc (err SystemInformationGeneralError) Error() string {\n\tbuilder := &strings.Builder{}\n\tbuilder.WriteString(\"errors found:\")\n\n\tif err.OperatingSystemInformationError != nil {\n\t\tbuilder.WriteString(err.OperatingSystemInformationError.Error() + \", \")\n\t}\n\n\tif err.MemoryInformationError != nil {\n\t\tbuilder.WriteString(err.MemoryInformationError.Error() + \", \")\n\t}\n\n\tif err.FileDescriptorsInformationError != nil {\n\t\tbuilder.WriteString(err.FileDescriptorsInformationError.Error() + \", \")\n\t}\n\n\tif err.DiskVolumeInformationError != nil {\n\t\tbuilder.WriteString(err.DiskVolumeInformationError.Error() + \", \")\n\t}\n\n\treturn builder.String()\n}\n\nfunc (err SystemInformationGeneralError) MarshalJSON() ([]byte, error) {\n\tdata := map[string]SystemInformationError{}\n\n\tvar sysErr SystemInformationError\n\tif errors.As(err.OperatingSystemInformationError, &sysErr) {\n\t\tdata[\"operatingSystemInformationError\"] = sysErr\n\t}\n\n\tif errors.As(err.MemoryInformationError, &sysErr) {\n\t\tdata[\"memoryInformationError\"] = sysErr\n\t}\n\n\tif errors.As(err.FileDescriptorsInformationError, &sysErr) {\n\t\tdata[\"fileDescriptorsInformationError\"] = sysErr\n\t}\n\n\tif errors.As(err.DiskVolumeInformationError, &sysErr) {\n\t\tdata[\"diskVolumeInformationError\"] = sysErr\n\t}\n\n\treturn json.Marshal(data)\n}\n\ntype DiskVolumeInformation struct {\n\tName string `json:\"name\"` // represents the filesystem in linux/macos or device name in windows\n\tSizeMaximum uint64 `json:\"sizeMaximum\"` // represents the maximum size of the disk in kilobytes\n\tSizeCurrent uint64 `json:\"sizeCurrent\"` // represents the current size of the disk in kilobytes\n}\n\nfunc NewDiskVolumeInformation(name string, maximum, current uint64) *DiskVolumeInformation {\n\treturn &DiskVolumeInformation{\n\t\tname,\n\t\tmaximum,\n\t\tcurrent,\n\t}\n}\n\ntype SystemInformation struct {\n\tMemoryMaximum uint64 `json:\"memoryMaximum,omitempty\"` // represents the maximum memory of the system in kilobytes\n\tMemoryCurrent uint64 `json:\"memoryCurrent,omitempty\"` // represents the system's memory in use in kilobytes\n\tFileDescriptorMaximum uint64 `json:\"fileDescriptorMaximum,omitempty\"` // represents the maximum number of file descriptors of the system\n\tFileDescriptorCurrent uint64 `json:\"fileDescriptorCurrent,omitempty\"` // represents the system's file descriptors in use\n\tOsSystem string `json:\"osSystem,omitempty\"` // represents the operating system name i.e.: linux, windows, darwin\n\tHostName string `json:\"hostName,omitempty\"` // represents the system host name\n\tOsVersion string `json:\"osVersion,omitempty\"` // detailed information about the system's release version level\n\tOsRelease string `json:\"osRelease,omitempty\"` // detailed information about the system's release\n\tArchitecture string `json:\"architecture,omitempty\"` // represents the system's hardware platform i.e: arm64/amd64\n\tCloudflaredVersion string `json:\"cloudflaredVersion,omitempty\"` // the runtime version of cloudflared\n\tGoVersion string `json:\"goVersion,omitempty\"`\n\tGoArch string `json:\"goArch,omitempty\"`\n\tDisk []*DiskVolumeInformation `json:\"disk,omitempty\"`\n}\n\nfunc NewSystemInformation(\n\tmemoryMaximum,\n\tmemoryCurrent,\n\tfilesMaximum,\n\tfilesCurrent uint64,\n\tosystem,\n\tname,\n\tosVersion,\n\tosRelease,\n\tarchitecture,\n\tcloudflaredVersion,\n\tgoVersion,\n\tgoArchitecture string,\n\tdisk []*DiskVolumeInformation,\n) *SystemInformation {\n\treturn &SystemInformation{\n\t\tmemoryMaximum,\n\t\tmemoryCurrent,\n\t\tfilesMaximum,\n\t\tfilesCurrent,\n\t\tosystem,\n\t\tname,\n\t\tosVersion,\n\t\tosRelease,\n\t\tarchitecture,\n\t\tcloudflaredVersion,\n\t\tgoVersion,\n\t\tgoArchitecture,\n\t\tdisk,\n\t}\n}\n\ntype SystemCollector interface {\n\t// If the collection is successful it will return `SystemInformation` struct,\n\t// and a nil error.\n\t//\n\t// This function expects that the caller sets the context timeout to prevent\n\t// long-lived collectors.\n\tCollect(ctx context.Context) (*SystemInformation, error)\n}\n" }, { "path": "diagnostic/system_collector_linux.go", "content": "//go:build linux\n\npackage diagnostic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os/exec\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"strings\"\n)\n\ntype SystemCollectorImpl struct {\n\tversion string\n}\n\nfunc NewSystemCollectorImpl(\n\tversion string,\n) *SystemCollectorImpl {\n\treturn &SystemCollectorImpl{\n\t\tversion,\n\t}\n}\n\nfunc (collector *SystemCollectorImpl) Collect(ctx context.Context) (*SystemInformation, error) {\n\tmemoryInfo, memoryInfoRaw, memoryInfoErr := collectMemoryInformation(ctx)\n\tfdInfo, fdInfoRaw, fdInfoErr := collectFileDescriptorInformation(ctx)\n\tdisks, disksRaw, diskErr := collectDiskVolumeInformationUnix(ctx)\n\tosInfo, osInfoRaw, osInfoErr := collectOSInformationUnix(ctx)\n\n\tvar memoryMaximum, memoryCurrent, fileDescriptorMaximum, fileDescriptorCurrent uint64\n\tvar osSystem, name, osVersion, osRelease, architecture string\n\tgerror := SystemInformationGeneralError{}\n\n\tif memoryInfoErr != nil {\n\t\tgerror.MemoryInformationError = SystemInformationError{\n\t\t\tErr: memoryInfoErr,\n\t\t\tRawInfo: memoryInfoRaw,\n\t\t}\n\t} else {\n\t\tmemoryMaximum = memoryInfo.MemoryMaximum\n\t\tmemoryCurrent = memoryInfo.MemoryCurrent\n\t}\n\n\tif fdInfoErr != nil {\n\t\tgerror.FileDescriptorsInformationError = SystemInformationError{\n\t\t\tErr: fdInfoErr,\n\t\t\tRawInfo: fdInfoRaw,\n\t\t}\n\t} else {\n\t\tfileDescriptorMaximum = fdInfo.FileDescriptorMaximum\n\t\tfileDescriptorCurrent = fdInfo.FileDescriptorCurrent\n\t}\n\n\tif diskErr != nil {\n\t\tgerror.DiskVolumeInformationError = SystemInformationError{\n\t\t\tErr: diskErr,\n\t\t\tRawInfo: disksRaw,\n\t\t}\n\t}\n\n\tif osInfoErr != nil {\n\t\tgerror.OperatingSystemInformationError = SystemInformationError{\n\t\t\tErr: osInfoErr,\n\t\t\tRawInfo: osInfoRaw,\n\t\t}\n\t} else {\n\t\tosSystem = osInfo.OsSystem\n\t\tname = osInfo.Name\n\t\tosVersion = osInfo.OsVersion\n\t\tosRelease = osInfo.OsRelease\n\t\tarchitecture = osInfo.Architecture\n\t}\n\n\tcloudflaredVersion := collector.version\n\tinfo := NewSystemInformation(\n\t\tmemoryMaximum,\n\t\tmemoryCurrent,\n\t\tfileDescriptorMaximum,\n\t\tfileDescriptorCurrent,\n\t\tosSystem,\n\t\tname,\n\t\tosVersion,\n\t\tosRelease,\n\t\tarchitecture,\n\t\tcloudflaredVersion,\n\t\truntime.Version(),\n\t\truntime.GOARCH,\n\t\tdisks,\n\t)\n\n\treturn info, gerror\n}\n\nfunc collectMemoryInformation(ctx context.Context) (*MemoryInformation, string, error) {\n\t// This function relies on the output of `cat /proc/meminfo` to retrieve\n\t// memoryMax and memoryCurrent.\n\t// The expected output is in the format of `KEY VALUE UNIT`.\n\tconst (\n\t\tmemTotalPrefix = \"MemTotal\"\n\t\tmemAvailablePrefix = \"MemAvailable\"\n\t)\n\n\tcommand := exec.CommandContext(ctx, \"cat\", \"/proc/meminfo\")\n\n\tstdout, err := command.Output()\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error retrieving output from command '%s': %w\", command.String(), err)\n\t}\n\n\toutput := string(stdout)\n\n\tmapper := func(field string) (uint64, error) {\n\t\tfield = strings.TrimRight(field, \" kB\")\n\n\t\treturn strconv.ParseUint(field, 10, 64)\n\t}\n\n\tmemoryInfo, err := ParseMemoryInformationFromKV(output, memTotalPrefix, memAvailablePrefix, mapper)\n\tif err != nil {\n\t\treturn nil, output, err\n\t}\n\n\t// returning raw output in case other collected information\n\t// resulted in errors\n\treturn memoryInfo, output, nil\n}\n\nfunc collectFileDescriptorInformation(ctx context.Context) (*FileDescriptorInformation, string, error) {\n\t// Command retrieved from https://docs.kernel.org/admin-guide/sysctl/fs.html#file-max-file-nr.\n\t// If the sysctl is not available the command with fail.\n\tcommand := exec.CommandContext(ctx, \"sysctl\", \"-n\", \"fs.file-nr\")\n\n\tstdout, err := command.Output()\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error retrieving output from command '%s': %w\", command.String(), err)\n\t}\n\n\toutput := string(stdout)\n\n\tfileDescriptorInfo, err := ParseSysctlFileDescriptorInformation(output)\n\tif err != nil {\n\t\treturn nil, output, err\n\t}\n\n\t// returning raw output in case other collected information\n\t// resulted in errors\n\treturn fileDescriptorInfo, output, nil\n}\n" }, { "path": "diagnostic/system_collector_macos.go", "content": "//go:build darwin\n\npackage diagnostic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os/exec\"\n\t\"runtime\"\n\t\"strconv\"\n)\n\ntype SystemCollectorImpl struct {\n\tversion string\n}\n\nfunc NewSystemCollectorImpl(\n\tversion string,\n) *SystemCollectorImpl {\n\treturn &SystemCollectorImpl{\n\t\tversion,\n\t}\n}\n\nfunc (collector *SystemCollectorImpl) Collect(ctx context.Context) (*SystemInformation, error) {\n\tmemoryInfo, memoryInfoRaw, memoryInfoErr := collectMemoryInformation(ctx)\n\tfdInfo, fdInfoRaw, fdInfoErr := collectFileDescriptorInformation(ctx)\n\tdisks, disksRaw, diskErr := collectDiskVolumeInformationUnix(ctx)\n\tosInfo, osInfoRaw, osInfoErr := collectOSInformationUnix(ctx)\n\n\tvar memoryMaximum, memoryCurrent, fileDescriptorMaximum, fileDescriptorCurrent uint64\n\tvar osSystem, name, osVersion, osRelease, architecture string\n\n\terr := SystemInformationGeneralError{\n\t\tOperatingSystemInformationError: nil,\n\t\tMemoryInformationError: nil,\n\t\tFileDescriptorsInformationError: nil,\n\t\tDiskVolumeInformationError: nil,\n\t}\n\n\tif memoryInfoErr != nil {\n\t\terr.MemoryInformationError = SystemInformationError{\n\t\t\tErr: memoryInfoErr,\n\t\t\tRawInfo: memoryInfoRaw,\n\t\t}\n\t} else {\n\t\tmemoryMaximum = memoryInfo.MemoryMaximum\n\t\tmemoryCurrent = memoryInfo.MemoryCurrent\n\t}\n\n\tif fdInfoErr != nil {\n\t\terr.FileDescriptorsInformationError = SystemInformationError{\n\t\t\tErr: fdInfoErr,\n\t\t\tRawInfo: fdInfoRaw,\n\t\t}\n\t} else {\n\t\tfileDescriptorMaximum = fdInfo.FileDescriptorMaximum\n\t\tfileDescriptorCurrent = fdInfo.FileDescriptorCurrent\n\t}\n\n\tif diskErr != nil {\n\t\terr.DiskVolumeInformationError = SystemInformationError{\n\t\t\tErr: diskErr,\n\t\t\tRawInfo: disksRaw,\n\t\t}\n\t}\n\n\tif osInfoErr != nil {\n\t\terr.OperatingSystemInformationError = SystemInformationError{\n\t\t\tErr: osInfoErr,\n\t\t\tRawInfo: osInfoRaw,\n\t\t}\n\t} else {\n\t\tosSystem = osInfo.OsSystem\n\t\tname = osInfo.Name\n\t\tosVersion = osInfo.OsVersion\n\t\tosRelease = osInfo.OsRelease\n\t\tarchitecture = osInfo.Architecture\n\t}\n\n\tcloudflaredVersion := collector.version\n\tinfo := NewSystemInformation(\n\t\tmemoryMaximum,\n\t\tmemoryCurrent,\n\t\tfileDescriptorMaximum,\n\t\tfileDescriptorCurrent,\n\t\tosSystem,\n\t\tname,\n\t\tosVersion,\n\t\tosRelease,\n\t\tarchitecture,\n\t\tcloudflaredVersion,\n\t\truntime.Version(),\n\t\truntime.GOARCH,\n\t\tdisks,\n\t)\n\n\treturn info, err\n}\n\nfunc collectFileDescriptorInformation(ctx context.Context) (\n\t*FileDescriptorInformation,\n\tstring,\n\terror,\n) {\n\tconst (\n\t\tfileDescriptorMaximumKey = \"kern.maxfiles\"\n\t\tfileDescriptorCurrentKey = \"kern.num_files\"\n\t)\n\n\tcommand := exec.CommandContext(ctx, \"sysctl\", fileDescriptorMaximumKey, fileDescriptorCurrentKey)\n\n\tstdout, err := command.Output()\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error retrieving output from command '%s': %w\", command.String(), err)\n\t}\n\n\toutput := string(stdout)\n\n\tfileDescriptorInfo, err := ParseFileDescriptorInformationFromKV(\n\t\toutput,\n\t\tfileDescriptorMaximumKey,\n\t\tfileDescriptorCurrentKey,\n\t)\n\tif err != nil {\n\t\treturn nil, output, err\n\t}\n\n\t// returning raw output in case other collected information\n\t// resulted in errors\n\treturn fileDescriptorInfo, output, nil\n}\n\nfunc collectMemoryInformation(ctx context.Context) (\n\t*MemoryInformation,\n\tstring,\n\terror,\n) {\n\tconst (\n\t\tmemoryMaximumKey = \"hw.memsize\"\n\t\tmemoryAvailableKey = \"hw.memsize_usable\"\n\t)\n\n\tcommand := exec.CommandContext(\n\t\tctx,\n\t\t\"sysctl\",\n\t\tmemoryMaximumKey,\n\t\tmemoryAvailableKey,\n\t)\n\n\tstdout, err := command.Output()\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error retrieving output from command '%s': %w\", command.String(), err)\n\t}\n\n\toutput := string(stdout)\n\n\tmapper := func(field string) (uint64, error) {\n\t\tconst kiloBytes = 1024\n\t\tvalue, err := strconv.ParseUint(field, 10, 64)\n\t\treturn value / kiloBytes, err\n\t}\n\n\tmemoryInfo, err := ParseMemoryInformationFromKV(output, memoryMaximumKey, memoryAvailableKey, mapper)\n\tif err != nil {\n\t\treturn nil, output, err\n\t}\n\n\t// returning raw output in case other collected information\n\t// resulted in errors\n\treturn memoryInfo, output, nil\n}\n" }, { "path": "diagnostic/system_collector_test.go", "content": "package diagnostic_test\n\nimport (\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/diagnostic\"\n)\n\nfunc TestParseMemoryInformationFromKV(t *testing.T) {\n\tt.Parallel()\n\n\tmapper := func(field string) (uint64, error) {\n\t\tvalue, err := strconv.ParseUint(field, 10, 64)\n\t\treturn value, err\n\t}\n\n\tlinuxMapper := func(field string) (uint64, error) {\n\t\tfield = strings.TrimRight(field, \" kB\")\n\t\treturn strconv.ParseUint(field, 10, 64)\n\t}\n\n\twindowsMemoryOutput := `\n\nFreeVirtualMemory : 5350472\nTotalVirtualMemorySize : 8903424\n\n\n`\n\tmacosMemoryOutput := `hw.memsize: 38654705664\nhw.memsize_usable: 38009012224`\n\tmemoryOutputWithMissingKey := `hw.memsize: 38654705664`\n\n\tlinuxMemoryOutput := `MemTotal: 8028860 kB\nMemFree: 731396 kB\nMemAvailable: 4678844 kB\nBuffers: 472632 kB\nCached: 3186492 kB\nSwapCached: 4196 kB\nActive: 3088988 kB\nInactive: 3468560 kB`\n\n\ttests := []struct {\n\t\tname string\n\t\toutput string\n\t\tmemoryMaximumKey string\n\t\tmemoryAvailableKey string\n\t\texpected *diagnostic.MemoryInformation\n\t\texpectedErr bool\n\t\tmapper func(string) (uint64, error)\n\t}{\n\t\t{\n\t\t\tname: \"parse linux memory values\",\n\t\t\toutput: linuxMemoryOutput,\n\t\t\tmemoryMaximumKey: \"MemTotal\",\n\t\t\tmemoryAvailableKey: \"MemAvailable\",\n\t\t\texpected: &diagnostic.MemoryInformation{\n\t\t\t\t8028860,\n\t\t\t\t8028860 - 4678844,\n\t\t\t},\n\t\t\texpectedErr: false,\n\t\t\tmapper: linuxMapper,\n\t\t},\n\t\t{\n\t\t\tname: \"parse memory values with missing key\",\n\t\t\toutput: memoryOutputWithMissingKey,\n\t\t\tmemoryMaximumKey: \"hw.memsize\",\n\t\t\tmemoryAvailableKey: \"hw.memsize_usable\",\n\t\t\texpected: nil,\n\t\t\texpectedErr: true,\n\t\t\tmapper: mapper,\n\t\t},\n\t\t{\n\t\t\tname: \"parse macos memory values\",\n\t\t\toutput: macosMemoryOutput,\n\t\t\tmemoryMaximumKey: \"hw.memsize\",\n\t\t\tmemoryAvailableKey: \"hw.memsize_usable\",\n\t\t\texpected: &diagnostic.MemoryInformation{\n\t\t\t\t38654705664,\n\t\t\t\t38654705664 - 38009012224,\n\t\t\t},\n\t\t\texpectedErr: false,\n\t\t\tmapper: mapper,\n\t\t},\n\t\t{\n\t\t\tname: \"parse windows memory values\",\n\t\t\toutput: windowsMemoryOutput,\n\t\t\tmemoryMaximumKey: \"TotalVirtualMemorySize\",\n\t\t\tmemoryAvailableKey: \"FreeVirtualMemory\",\n\t\t\texpected: &diagnostic.MemoryInformation{\n\t\t\t\t8903424,\n\t\t\t\t8903424 - 5350472,\n\t\t\t},\n\t\t\texpectedErr: false,\n\t\t\tmapper: mapper,\n\t\t},\n\t}\n\n\tfor _, tCase := range tests {\n\t\tt.Run(tCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tmemoryInfo, err := diagnostic.ParseMemoryInformationFromKV(\n\t\t\t\ttCase.output,\n\t\t\t\ttCase.memoryMaximumKey,\n\t\t\t\ttCase.memoryAvailableKey,\n\t\t\t\ttCase.mapper,\n\t\t\t)\n\n\t\t\tif tCase.expectedErr {\n\t\t\t\tassert.Error(t, err)\n\t\t\t} else {\n\t\t\t\trequire.NoError(t, err)\n\t\t\t\tassert.Equal(t, tCase.expected, memoryInfo)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestParseUnameOutput(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\toutput string\n\t\tos string\n\t\texpected *diagnostic.OsInfo\n\t\texpectedErr bool\n\t}{\n\t\t{\n\t\t\tname: \"darwin machine\",\n\t\t\toutput: \"Darwin APC 23.6.0 Darwin Kernel Version 99.6.0: Wed Jul 31 20:48:04 PDT 1997; root:xnu-66666.666.6.666.6~1/RELEASE_ARM64_T6666 arm64\",\n\t\t\tos: \"darwin\",\n\t\t\texpected: &diagnostic.OsInfo{\n\t\t\t\tArchitecture: \"arm64\",\n\t\t\t\tName: \"APC\",\n\t\t\t\tOsSystem: \"Darwin\",\n\t\t\t\tOsRelease: \"Darwin Kernel Version 99.6.0: Wed Jul 31 20:48:04 PDT 1997; root:xnu-66666.666.6.666.6~1/RELEASE_ARM64_T6666\",\n\t\t\t\tOsVersion: \"23.6.0\",\n\t\t\t},\n\t\t\texpectedErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"linux machine\",\n\t\t\toutput: \"Linux dab00d565591 6.6.31-linuxkit #1 SMP Thu May 23 08:36:57 UTC 2024 aarch64 GNU/Linux\",\n\t\t\tos: \"linux\",\n\t\t\texpected: &diagnostic.OsInfo{\n\t\t\t\tArchitecture: \"aarch64\",\n\t\t\t\tName: \"dab00d565591\",\n\t\t\t\tOsSystem: \"Linux\",\n\t\t\t\tOsRelease: \"#1 SMP Thu May 23 08:36:57 UTC 2024\",\n\t\t\t\tOsVersion: \"6.6.31-linuxkit\",\n\t\t\t},\n\t\t\texpectedErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"not enough fields\",\n\t\t\toutput: \"Linux \",\n\t\t\tos: \"linux\",\n\t\t\texpected: nil,\n\t\t\texpectedErr: true,\n\t\t},\n\t}\n\n\tfor _, tCase := range tests {\n\t\tt.Run(tCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tmemoryInfo, err := diagnostic.ParseUnameOutput(\n\t\t\t\ttCase.output,\n\t\t\t\ttCase.os,\n\t\t\t)\n\n\t\t\tif tCase.expectedErr {\n\t\t\t\tassert.Error(t, err)\n\t\t\t} else {\n\t\t\t\trequire.NoError(t, err)\n\t\t\t\tassert.Equal(t, tCase.expected, memoryInfo)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestParseFileDescriptorInformationFromKV(t *testing.T) {\n\tconst (\n\t\tfileDescriptorMaximumKey = \"kern.maxfiles\"\n\t\tfileDescriptorCurrentKey = \"kern.num_files\"\n\t)\n\n\tt.Parallel()\n\n\tmemoryOutput := `kern.maxfiles: 276480\nkern.num_files: 11787`\n\tmemoryOutputWithMissingKey := `kern.maxfiles: 276480`\n\n\ttests := []struct {\n\t\tname string\n\t\toutput string\n\t\texpected *diagnostic.FileDescriptorInformation\n\t\texpectedErr bool\n\t}{\n\t\t{\n\t\t\tname: \"parse memory values with missing key\",\n\t\t\toutput: memoryOutputWithMissingKey,\n\t\t\texpected: nil,\n\t\t\texpectedErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"parse macos memory values\",\n\t\t\toutput: memoryOutput,\n\t\t\texpected: &diagnostic.FileDescriptorInformation{\n\t\t\t\t276480,\n\t\t\t\t11787,\n\t\t\t},\n\t\t\texpectedErr: false,\n\t\t},\n\t}\n\n\tfor _, tCase := range tests {\n\t\tt.Run(tCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tfdInfo, err := diagnostic.ParseFileDescriptorInformationFromKV(\n\t\t\t\ttCase.output,\n\t\t\t\tfileDescriptorMaximumKey,\n\t\t\t\tfileDescriptorCurrentKey,\n\t\t\t)\n\n\t\t\tif tCase.expectedErr {\n\t\t\t\tassert.Error(t, err)\n\t\t\t} else {\n\t\t\t\trequire.NoError(t, err)\n\t\t\t\tassert.Equal(t, tCase.expected, fdInfo)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestParseSysctlFileDescriptorInformation(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\toutput string\n\t\texpected *diagnostic.FileDescriptorInformation\n\t\texpectedErr bool\n\t}{\n\t\t{\n\t\t\tname: \"expected output\",\n\t\t\toutput: \"111 0 1111111\",\n\t\t\texpected: &diagnostic.FileDescriptorInformation{\n\t\t\t\tFileDescriptorMaximum: 1111111,\n\t\t\t\tFileDescriptorCurrent: 111,\n\t\t\t},\n\t\t\texpectedErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"not enough fields\",\n\t\t\toutput: \"111 111 \",\n\t\t\texpected: nil,\n\t\t\texpectedErr: true,\n\t\t},\n\t}\n\n\tfor _, tCase := range tests {\n\t\tt.Run(tCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tfdsInfo, err := diagnostic.ParseSysctlFileDescriptorInformation(\n\t\t\t\ttCase.output,\n\t\t\t)\n\n\t\t\tif tCase.expectedErr {\n\t\t\t\tassert.Error(t, err)\n\t\t\t} else {\n\t\t\t\trequire.NoError(t, err)\n\t\t\t\tassert.Equal(t, tCase.expected, fdsInfo)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestParseWinOperatingSystemInfo(t *testing.T) {\n\tconst (\n\t\tarchitecturePrefix = \"OSArchitecture\"\n\t\tosSystemPrefix = \"Caption\"\n\t\tosVersionPrefix = \"Version\"\n\t\tosReleasePrefix = \"BuildNumber\"\n\t\tnamePrefix = \"CSName\"\n\t)\n\n\tt.Parallel()\n\n\twindowsIncompleteOsInfo := `\nOSArchitecture : ARM 64 bits\nCaption : Microsoft Windows 11 Home\nMorekeys : 121314\nCSName : UTILIZA-QO859QP\n`\n\twindowsCompleteOsInfo := `\nOSArchitecture : ARM 64 bits\nCaption : Microsoft Windows 11 Home\nVersion : 10.0.22631\nBuildNumber : 22631\nMorekeys : 121314\nCSName : UTILIZA-QO859QP\n`\n\n\ttests := []struct {\n\t\tname string\n\t\toutput string\n\t\texpected *diagnostic.OsInfo\n\t\texpectedErr bool\n\t}{\n\t\t{\n\t\t\tname: \"expected output\",\n\t\t\toutput: windowsCompleteOsInfo,\n\t\t\texpected: &diagnostic.OsInfo{\n\t\t\t\tArchitecture: \"ARM 64 bits\",\n\t\t\t\tName: \"UTILIZA-QO859QP\",\n\t\t\t\tOsSystem: \"Microsoft Windows 11 Home\",\n\t\t\t\tOsRelease: \"22631\",\n\t\t\t\tOsVersion: \"10.0.22631\",\n\t\t\t},\n\t\t\texpectedErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"missing keys\",\n\t\t\toutput: windowsIncompleteOsInfo,\n\t\t\texpected: nil,\n\t\t\texpectedErr: true,\n\t\t},\n\t}\n\n\tfor _, tCase := range tests {\n\t\tt.Run(tCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tosInfo, err := diagnostic.ParseWinOperatingSystemInfo(\n\t\t\t\ttCase.output,\n\t\t\t\tarchitecturePrefix,\n\t\t\t\tosSystemPrefix,\n\t\t\t\tosVersionPrefix,\n\t\t\t\tosReleasePrefix,\n\t\t\t\tnamePrefix,\n\t\t\t)\n\n\t\t\tif tCase.expectedErr {\n\t\t\t\tassert.Error(t, err)\n\t\t\t} else {\n\t\t\t\trequire.NoError(t, err)\n\t\t\t\tassert.Equal(t, tCase.expected, osInfo)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestParseDiskVolumeInformationOutput(t *testing.T) {\n\tt.Parallel()\n\n\tinvalidUnixDiskVolumeInfo := `Filesystem Size Used Avail Use% Mounted on\noverlay 59G 19G 38G 33% /\ntmpfs 64M 0 64M 0% /dev\nshm 64M 0 64M 0% /dev/shm\n/run/host_mark/Users 461G 266G 195G 58% /tmp/cloudflared\n/dev/vda1 59G 19G 38G 33% /etc/hosts\ntmpfs 3.9G 0 3.9G 0% /sys/firmware\n`\n\n\tunixDiskVolumeInfo := `Filesystem Size Used Avail Use% Mounted on\noverlay 61202244 18881444 39179476 33% /\ntmpfs 65536 0 65536 0% /dev\nshm 65536 0 65536 0% /dev/shm\n/run/host_mark/Users 482797652 278648468 204149184 58% /tmp/cloudflared\n/dev/vda1 61202244 18881444 39179476 33% /etc/hosts\ntmpfs 4014428 0 4014428 0% /sys/firmware`\n\tmissingFields := ` DeviceID Size\n-------- ----\nC: size\nE: 235563008\nZ: 67754782720\n`\n\tinvalidTypeField := ` DeviceID Size FreeSpace\n-------- ---- ---------\nC: size 31318736896\nD:\nE: 235563008 0\nZ: 67754782720 31318732800\n`\n\n\twindowsDiskVolumeInfo := `\n\nDeviceID Size FreeSpace\n-------- ---- ---------\nC: 67754782720 31318736896\nE: 235563008 0\nZ: 67754782720 31318732800`\n\n\ttests := []struct {\n\t\tname string\n\t\toutput string\n\t\texpected []*diagnostic.DiskVolumeInformation\n\t\tskipLines int\n\t\texpectedErr bool\n\t}{\n\t\t{\n\t\t\tname: \"invalid unix disk volume information (numbers have units)\",\n\t\t\toutput: invalidUnixDiskVolumeInfo,\n\t\t\texpected: []*diagnostic.DiskVolumeInformation{},\n\t\t\tskipLines: 1,\n\t\t\texpectedErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"unix disk volume information\",\n\t\t\toutput: unixDiskVolumeInfo,\n\t\t\tskipLines: 1,\n\t\t\texpected: []*diagnostic.DiskVolumeInformation{\n\t\t\t\tdiagnostic.NewDiskVolumeInformation(\"overlay\", 61202244, 18881444),\n\t\t\t\tdiagnostic.NewDiskVolumeInformation(\"tmpfs\", 65536, 0),\n\t\t\t\tdiagnostic.NewDiskVolumeInformation(\"shm\", 65536, 0),\n\t\t\t\tdiagnostic.NewDiskVolumeInformation(\"/run/host_mark/Users\", 482797652, 278648468),\n\t\t\t\tdiagnostic.NewDiskVolumeInformation(\"/dev/vda1\", 61202244, 18881444),\n\t\t\t\tdiagnostic.NewDiskVolumeInformation(\"tmpfs\", 4014428, 0),\n\t\t\t},\n\t\t\texpectedErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"windows disk volume information\",\n\t\t\toutput: windowsDiskVolumeInfo,\n\t\t\texpected: []*diagnostic.DiskVolumeInformation{\n\t\t\t\tdiagnostic.NewDiskVolumeInformation(\"C:\", 67754782720, 31318736896),\n\t\t\t\tdiagnostic.NewDiskVolumeInformation(\"E:\", 235563008, 0),\n\t\t\t\tdiagnostic.NewDiskVolumeInformation(\"Z:\", 67754782720, 31318732800),\n\t\t\t},\n\t\t\tskipLines: 4,\n\t\t\texpectedErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"insuficient fields\",\n\t\t\toutput: missingFields,\n\t\t\texpected: nil,\n\t\t\tskipLines: 2,\n\t\t\texpectedErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"invalid field\",\n\t\t\toutput: invalidTypeField,\n\t\t\texpected: nil,\n\t\t\tskipLines: 2,\n\t\t\texpectedErr: true,\n\t\t},\n\t}\n\n\tfor _, tCase := range tests {\n\t\tt.Run(tCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tdisks, err := diagnostic.ParseDiskVolumeInformationOutput(tCase.output, tCase.skipLines, 1)\n\n\t\t\tif tCase.expectedErr {\n\t\t\t\tassert.Error(t, err)\n\t\t\t} else {\n\t\t\t\trequire.NoError(t, err)\n\t\t\t\tassert.Equal(t, tCase.expected, disks)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "diagnostic/system_collector_utils.go", "content": "package diagnostic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os/exec\"\n\t\"runtime\"\n\t\"sort\"\n\t\"strconv\"\n\t\"strings\"\n)\n\nfunc findColonSeparatedPairs[V any](output string, keys []string, mapper func(string) (V, error)) map[string]V {\n\tconst (\n\t\tmemoryField = 1\n\t\tmemoryInformationFields = 2\n\t)\n\n\tlines := strings.Split(output, \"\\n\")\n\tpairs := make(map[string]V, 0)\n\n\t// sort keys and lines to allow incremental search\n\tsort.Strings(lines)\n\tsort.Strings(keys)\n\n\t// keeps track of the last key found\n\tlastIndex := 0\n\n\tfor _, line := range lines {\n\t\tif lastIndex == len(keys) {\n\t\t\t// already found all keys no need to continue iterating\n\t\t\t// over the other values\n\t\t\tbreak\n\t\t}\n\n\t\tfor index, key := range keys[lastIndex:] {\n\t\t\tline = strings.TrimSpace(line)\n\t\t\tif strings.HasPrefix(line, key) {\n\t\t\t\tfields := strings.Split(line, \":\")\n\t\t\t\tif len(fields) < memoryInformationFields {\n\t\t\t\t\tlastIndex = index + 1\n\n\t\t\t\t\tbreak\n\t\t\t\t}\n\n\t\t\t\tfield, err := mapper(strings.TrimSpace(fields[memoryField]))\n\t\t\t\tif err != nil {\n\t\t\t\t\tlastIndex = lastIndex + index + 1\n\n\t\t\t\t\tbreak\n\t\t\t\t}\n\n\t\t\t\tpairs[key] = field\n\t\t\t\tlastIndex = lastIndex + index + 1\n\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\n\treturn pairs\n}\n\nfunc ParseDiskVolumeInformationOutput(output string, skipLines int, scale float64) ([]*DiskVolumeInformation, error) {\n\tconst (\n\t\tdiskFieldsMinimum = 3\n\t\tnameField = 0\n\t\tsizeMaximumField = 1\n\t\tsizeCurrentField = 2\n\t)\n\n\tdisksRaw := strings.Split(output, \"\\n\")\n\tdisks := make([]*DiskVolumeInformation, 0)\n\n\tif skipLines > len(disksRaw) || skipLines < 0 {\n\t\tskipLines = 0\n\t}\n\n\tfor _, disk := range disksRaw[skipLines:] {\n\t\tif disk == \"\" {\n\t\t\t// skip empty line\n\t\t\tcontinue\n\t\t}\n\n\t\tfields := strings.Fields(disk)\n\t\tif len(fields) < diskFieldsMinimum {\n\t\t\treturn nil, fmt.Errorf(\"expected disk volume to have %d fields got %d: %w\",\n\t\t\t\tdiskFieldsMinimum, len(fields), ErrInsuficientFields,\n\t\t\t)\n\t\t}\n\n\t\tname := fields[nameField]\n\n\t\tsizeMaximum, err := strconv.ParseUint(fields[sizeMaximumField], 10, 64)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\n\t\tsizeCurrent, err := strconv.ParseUint(fields[sizeCurrentField], 10, 64)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\n\t\tdiskInfo := NewDiskVolumeInformation(\n\t\t\tname, uint64(float64(sizeMaximum)*scale), uint64(float64(sizeCurrent)*scale),\n\t\t)\n\t\tdisks = append(disks, diskInfo)\n\t}\n\n\tif len(disks) == 0 {\n\t\treturn nil, ErrNoVolumeFound\n\t}\n\n\treturn disks, nil\n}\n\ntype OsInfo struct {\n\tOsSystem string\n\tName string\n\tOsVersion string\n\tOsRelease string\n\tArchitecture string\n}\n\nfunc ParseUnameOutput(output string, system string) (*OsInfo, error) {\n\tconst (\n\t\tosystemField = 0\n\t\tnameField = 1\n\t\tosVersionField = 2\n\t\tosReleaseStartField = 3\n\t\tosInformationFieldsMinimum = 6\n\t\tdarwin = \"darwin\"\n\t)\n\n\tarchitectureOffset := 2\n\tif system == darwin {\n\t\tarchitectureOffset = 1\n\t}\n\n\tfields := strings.Fields(output)\n\tif len(fields) < osInformationFieldsMinimum {\n\t\treturn nil, fmt.Errorf(\"expected system information to have %d fields got %d: %w\",\n\t\t\tosInformationFieldsMinimum, len(fields), ErrInsuficientFields,\n\t\t)\n\t}\n\n\tarchitectureField := len(fields) - architectureOffset\n\tosystem := fields[osystemField]\n\tname := fields[nameField]\n\tosVersion := fields[osVersionField]\n\tosRelease := strings.Join(fields[osReleaseStartField:architectureField], \" \")\n\tarchitecture := fields[architectureField]\n\n\treturn &OsInfo{\n\t\tosystem,\n\t\tname,\n\t\tosVersion,\n\t\tosRelease,\n\t\tarchitecture,\n\t}, nil\n}\n\nfunc ParseWinOperatingSystemInfo(\n\toutput string,\n\tarchitectureKey string,\n\tosSystemKey string,\n\tosVersionKey string,\n\tosReleaseKey string,\n\tnameKey string,\n) (*OsInfo, error) {\n\tidentity := func(s string) (string, error) { return s, nil }\n\n\tkeys := []string{architectureKey, osSystemKey, osVersionKey, osReleaseKey, nameKey}\n\tpairs := findColonSeparatedPairs(\n\t\toutput,\n\t\tkeys,\n\t\tidentity,\n\t)\n\n\tarchitecture, exists := pairs[architectureKey]\n\tif !exists {\n\t\treturn nil, fmt.Errorf(\"parsing os information: %w, key=%s\", ErrKeyNotFound, architectureKey)\n\t}\n\n\tosSystem, exists := pairs[osSystemKey]\n\tif !exists {\n\t\treturn nil, fmt.Errorf(\"parsing os information: %w, key=%s\", ErrKeyNotFound, osSystemKey)\n\t}\n\n\tosVersion, exists := pairs[osVersionKey]\n\tif !exists {\n\t\treturn nil, fmt.Errorf(\"parsing os information: %w, key=%s\", ErrKeyNotFound, osVersionKey)\n\t}\n\n\tosRelease, exists := pairs[osReleaseKey]\n\tif !exists {\n\t\treturn nil, fmt.Errorf(\"parsing os information: %w, key=%s\", ErrKeyNotFound, osReleaseKey)\n\t}\n\n\tname, exists := pairs[nameKey]\n\tif !exists {\n\t\treturn nil, fmt.Errorf(\"parsing os information: %w, key=%s\", ErrKeyNotFound, nameKey)\n\t}\n\n\treturn &OsInfo{osSystem, name, osVersion, osRelease, architecture}, nil\n}\n\ntype FileDescriptorInformation struct {\n\tFileDescriptorMaximum uint64\n\tFileDescriptorCurrent uint64\n}\n\nfunc ParseSysctlFileDescriptorInformation(output string) (*FileDescriptorInformation, error) {\n\tconst (\n\t\topenFilesField = 0\n\t\tmaxFilesField = 2\n\t\tfileDescriptorLimitsFields = 3\n\t)\n\n\tfields := strings.Fields(output)\n\n\tif len(fields) != fileDescriptorLimitsFields {\n\t\treturn nil,\n\t\t\tfmt.Errorf(\n\t\t\t\t\"expected file descriptor information to have %d fields got %d: %w\",\n\t\t\t\tfileDescriptorLimitsFields,\n\t\t\t\tlen(fields),\n\t\t\t\tErrInsuficientFields,\n\t\t\t)\n\t}\n\n\tfileDescriptorCurrent, err := strconv.ParseUint(fields[openFilesField], 10, 64)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\n\t\t\t\"error parsing files current field '%s': %w\",\n\t\t\tfields[openFilesField],\n\t\t\terr,\n\t\t)\n\t}\n\n\tfileDescriptorMaximum, err := strconv.ParseUint(fields[maxFilesField], 10, 64)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error parsing files max field '%s': %w\", fields[maxFilesField], err)\n\t}\n\n\treturn &FileDescriptorInformation{fileDescriptorMaximum, fileDescriptorCurrent}, nil\n}\n\nfunc ParseFileDescriptorInformationFromKV(\n\toutput string,\n\tfileDescriptorMaximumKey string,\n\tfileDescriptorCurrentKey string,\n) (*FileDescriptorInformation, error) {\n\tmapper := func(field string) (uint64, error) {\n\t\treturn strconv.ParseUint(field, 10, 64)\n\t}\n\n\tpairs := findColonSeparatedPairs(output, []string{fileDescriptorMaximumKey, fileDescriptorCurrentKey}, mapper)\n\n\tfileDescriptorMaximum, exists := pairs[fileDescriptorMaximumKey]\n\tif !exists {\n\t\treturn nil, fmt.Errorf(\n\t\t\t\"parsing file descriptor information: %w, key=%s\",\n\t\t\tErrKeyNotFound,\n\t\t\tfileDescriptorMaximumKey,\n\t\t)\n\t}\n\n\tfileDescriptorCurrent, exists := pairs[fileDescriptorCurrentKey]\n\tif !exists {\n\t\treturn nil, fmt.Errorf(\n\t\t\t\"parsing file descriptor information: %w, key=%s\",\n\t\t\tErrKeyNotFound,\n\t\t\tfileDescriptorCurrentKey,\n\t\t)\n\t}\n\n\treturn &FileDescriptorInformation{fileDescriptorMaximum, fileDescriptorCurrent}, nil\n}\n\ntype MemoryInformation struct {\n\tMemoryMaximum uint64 // size in KB\n\tMemoryCurrent uint64 // size in KB\n}\n\nfunc ParseMemoryInformationFromKV(\n\toutput string,\n\tmemoryMaximumKey string,\n\tmemoryAvailableKey string,\n\tmapper func(field string) (uint64, error),\n) (*MemoryInformation, error) {\n\tpairs := findColonSeparatedPairs(output, []string{memoryMaximumKey, memoryAvailableKey}, mapper)\n\n\tmemoryMaximum, exists := pairs[memoryMaximumKey]\n\tif !exists {\n\t\treturn nil, fmt.Errorf(\"parsing memory information: %w, key=%s\", ErrKeyNotFound, memoryMaximumKey)\n\t}\n\n\tmemoryAvailable, exists := pairs[memoryAvailableKey]\n\tif !exists {\n\t\treturn nil, fmt.Errorf(\"parsing memory information: %w, key=%s\", ErrKeyNotFound, memoryAvailableKey)\n\t}\n\n\tmemoryCurrent := memoryMaximum - memoryAvailable\n\n\treturn &MemoryInformation{memoryMaximum, memoryCurrent}, nil\n}\n\nfunc RawSystemInformation(osInfoRaw string, memoryInfoRaw string, fdInfoRaw string, disksRaw string) string {\n\tvar builder strings.Builder\n\n\tformatInfo := func(info string, builder *strings.Builder) {\n\t\tif info == \"\" {\n\t\t\tbuilder.WriteString(\"No information\\n\")\n\t\t} else {\n\t\t\tbuilder.WriteString(info)\n\t\t\tbuilder.WriteString(\"\\n\")\n\t\t}\n\t}\n\n\tbuilder.WriteString(\"---BEGIN Operating system information\\n\")\n\tformatInfo(osInfoRaw, &builder)\n\tbuilder.WriteString(\"---END Operating system information\\n\")\n\tbuilder.WriteString(\"---BEGIN Memory information\\n\")\n\tformatInfo(memoryInfoRaw, &builder)\n\tbuilder.WriteString(\"---END Memory information\\n\")\n\tbuilder.WriteString(\"---BEGIN File descriptors information\\n\")\n\tformatInfo(fdInfoRaw, &builder)\n\tbuilder.WriteString(\"---END File descriptors information\\n\")\n\tbuilder.WriteString(\"---BEGIN Disks information\\n\")\n\tformatInfo(disksRaw, &builder)\n\tbuilder.WriteString(\"---END Disks information\\n\")\n\n\trawInformation := builder.String()\n\n\treturn rawInformation\n}\n\nfunc collectDiskVolumeInformationUnix(ctx context.Context) ([]*DiskVolumeInformation, string, error) {\n\tcommand := exec.CommandContext(ctx, \"df\", \"-k\")\n\n\tstdout, err := command.Output()\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error retrieving output from command '%s': %w\", command.String(), err)\n\t}\n\n\toutput := string(stdout)\n\n\tdisks, err := ParseDiskVolumeInformationOutput(output, 1, 1)\n\tif err != nil {\n\t\treturn nil, output, err\n\t}\n\n\t// returning raw output in case other collected information\n\t// resulted in errors\n\treturn disks, output, nil\n}\n\nfunc collectOSInformationUnix(ctx context.Context) (*OsInfo, string, error) {\n\tcommand := exec.CommandContext(ctx, \"uname\", \"-a\")\n\n\tstdout, err := command.Output()\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error retrieving output from command '%s': %w\", command.String(), err)\n\t}\n\n\toutput := string(stdout)\n\n\tosInfo, err := ParseUnameOutput(output, runtime.GOOS)\n\tif err != nil {\n\t\treturn nil, output, err\n\t}\n\n\t// returning raw output in case other collected information\n\t// resulted in errors\n\treturn osInfo, output, nil\n}\n" }, { "path": "diagnostic/system_collector_windows.go", "content": "//go:build windows\n\npackage diagnostic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os/exec\"\n\t\"runtime\"\n\t\"strconv\"\n)\n\nconst kiloBytesScale = 1.0 / 1024\n\ntype SystemCollectorImpl struct {\n\tversion string\n}\n\nfunc NewSystemCollectorImpl(\n\tversion string,\n) *SystemCollectorImpl {\n\treturn &SystemCollectorImpl{\n\t\tversion,\n\t}\n}\n\nfunc (collector *SystemCollectorImpl) Collect(ctx context.Context) (*SystemInformation, error) {\n\tmemoryInfo, memoryInfoRaw, memoryInfoErr := collectMemoryInformation(ctx)\n\tdisks, disksRaw, diskErr := collectDiskVolumeInformation(ctx)\n\tosInfo, osInfoRaw, osInfoErr := collectOSInformation(ctx)\n\n\tvar memoryMaximum, memoryCurrent, fileDescriptorMaximum, fileDescriptorCurrent uint64\n\tvar osSystem, name, osVersion, osRelease, architecture string\n\n\terr := SystemInformationGeneralError{\n\t\tOperatingSystemInformationError: nil,\n\t\tMemoryInformationError: nil,\n\t\tFileDescriptorsInformationError: nil,\n\t\tDiskVolumeInformationError: nil,\n\t}\n\n\tif memoryInfoErr != nil {\n\t\terr.MemoryInformationError = SystemInformationError{\n\t\t\tErr: memoryInfoErr,\n\t\t\tRawInfo: memoryInfoRaw,\n\t\t}\n\t} else {\n\t\tmemoryMaximum = memoryInfo.MemoryMaximum\n\t\tmemoryCurrent = memoryInfo.MemoryCurrent\n\t}\n\n\tif diskErr != nil {\n\t\terr.DiskVolumeInformationError = SystemInformationError{\n\t\t\tErr: diskErr,\n\t\t\tRawInfo: disksRaw,\n\t\t}\n\t}\n\n\tif osInfoErr != nil {\n\t\terr.OperatingSystemInformationError = SystemInformationError{\n\t\t\tErr: osInfoErr,\n\t\t\tRawInfo: osInfoRaw,\n\t\t}\n\t} else {\n\t\tosSystem = osInfo.OsSystem\n\t\tname = osInfo.Name\n\t\tosVersion = osInfo.OsVersion\n\t\tosRelease = osInfo.OsRelease\n\t\tarchitecture = osInfo.Architecture\n\t}\n\n\tcloudflaredVersion := collector.version\n\tinfo := NewSystemInformation(\n\t\tmemoryMaximum,\n\t\tmemoryCurrent,\n\t\tfileDescriptorMaximum,\n\t\tfileDescriptorCurrent,\n\t\tosSystem,\n\t\tname,\n\t\tosVersion,\n\t\tosRelease,\n\t\tarchitecture,\n\t\tcloudflaredVersion,\n\t\truntime.Version(),\n\t\truntime.GOARCH,\n\t\tdisks,\n\t)\n\n\treturn info, err\n}\n\nfunc collectMemoryInformation(ctx context.Context) (*MemoryInformation, string, error) {\n\tconst (\n\t\tmemoryTotalPrefix = \"TotalVirtualMemorySize\"\n\t\tmemoryAvailablePrefix = \"FreeVirtualMemory\"\n\t)\n\n\tcommand := exec.CommandContext(\n\t\tctx,\n\t\t\"powershell\",\n\t\t\"-Command\",\n\t\t\"Get-CimInstance -Class Win32_OperatingSystem | Select-Object FreeVirtualMemory, TotalVirtualMemorySize | Format-List\",\n\t)\n\n\tstdout, err := command.Output()\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error retrieving output from command '%s': %w\", command.String(), err)\n\t}\n\n\toutput := string(stdout)\n\n\t// the result of the command above will return values in bytes hence\n\t// they need to be converted to kilobytes\n\tmapper := func(field string) (uint64, error) {\n\t\tvalue, err := strconv.ParseUint(field, 10, 64)\n\t\treturn uint64(float64(value) * kiloBytesScale), err\n\t}\n\n\tmemoryInfo, err := ParseMemoryInformationFromKV(output, memoryTotalPrefix, memoryAvailablePrefix, mapper)\n\tif err != nil {\n\t\treturn nil, output, err\n\t}\n\n\t// returning raw output in case other collected information\n\t// resulted in errors\n\treturn memoryInfo, output, nil\n}\n\nfunc collectDiskVolumeInformation(ctx context.Context) ([]*DiskVolumeInformation, string, error) {\n\n\tcommand := exec.CommandContext(\n\t\tctx,\n\t\t\"powershell\", \"-Command\", \"Get-CimInstance -Class Win32_LogicalDisk | Select-Object DeviceID, Size, FreeSpace\")\n\n\tstdout, err := command.Output()\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error retrieving output from command '%s': %w\", command.String(), err)\n\t}\n\n\toutput := string(stdout)\n\n\tdisks, err := ParseDiskVolumeInformationOutput(output, 2, kiloBytesScale)\n\tif err != nil {\n\t\treturn nil, output, err\n\t}\n\n\t// returning raw output in case other collected information\n\t// resulted in errors\n\treturn disks, output, nil\n}\n\nfunc collectOSInformation(ctx context.Context) (*OsInfo, string, error) {\n\tconst (\n\t\tarchitecturePrefix = \"OSArchitecture\"\n\t\tosSystemPrefix = \"Caption\"\n\t\tosVersionPrefix = \"Version\"\n\t\tosReleasePrefix = \"BuildNumber\"\n\t\tnamePrefix = \"CSName\"\n\t)\n\n\tcommand := exec.CommandContext(\n\t\tctx,\n\t\t\"powershell\",\n\t\t\"-Command\",\n\t\t\"Get-CimInstance -Class Win32_OperatingSystem | Select-Object OSArchitecture, Caption, Version, BuildNumber, CSName | Format-List\",\n\t)\n\n\tstdout, err := command.Output()\n\tif err != nil {\n\t\treturn nil, \"\", fmt.Errorf(\"error retrieving output from command '%s': %w\", command.String(), err)\n\t}\n\n\toutput := string(stdout)\n\n\tosInfo, err := ParseWinOperatingSystemInfo(output, architecturePrefix, osSystemPrefix, osVersionPrefix, osReleasePrefix, namePrefix)\n\tif err != nil {\n\t\treturn nil, output, err\n\t}\n\n\t// returning raw output in case other collected information\n\t// resulted in errors\n\treturn osInfo, output, nil\n}\n" }, { "path": "edgediscovery/allregions/address.go", "content": "package allregions\n\n// Region contains cloudflared edge addresses. The edge is partitioned into several regions for\n// redundancy purposes.\ntype AddrSet map[*EdgeAddr]UsedBy\n\n// AddrUsedBy finds the address used by the given connection in this region.\n// Returns nil if the connection isn't using any IP.\nfunc (a AddrSet) AddrUsedBy(connID int) *EdgeAddr {\n\tfor addr, used := range a {\n\t\tif used.Used && used.ConnID == connID {\n\t\t\treturn addr\n\t\t}\n\t}\n\treturn nil\n}\n\n// AvailableAddrs counts how many unused addresses this region contains.\nfunc (a AddrSet) AvailableAddrs() int {\n\tn := 0\n\tfor _, usedby := range a {\n\t\tif !usedby.Used {\n\t\t\tn++\n\t\t}\n\t}\n\treturn n\n}\n\n// GetUnusedIP returns a random unused address in this region.\n// Returns nil if all addresses are in use.\nfunc (a AddrSet) GetUnusedIP(excluding *EdgeAddr) *EdgeAddr {\n\tfor addr, usedby := range a {\n\t\tif !usedby.Used && addr != excluding {\n\t\t\treturn addr\n\t\t}\n\t}\n\treturn nil\n}\n\n// Use the address, assigning it to a proxy connection.\nfunc (a AddrSet) Use(addr *EdgeAddr, connID int) {\n\tif addr == nil {\n\t\treturn\n\t}\n\ta[addr] = InUse(connID)\n}\n\n// GetAnyAddress returns an arbitrary address from the region.\nfunc (a AddrSet) GetAnyAddress() *EdgeAddr {\n\tfor addr := range a {\n\t\treturn addr\n\t}\n\treturn nil\n}\n\n// GiveBack the address, ensuring it is no longer assigned to an IP.\n// Returns true if the address is in this region.\nfunc (a AddrSet) GiveBack(addr *EdgeAddr) (ok bool) {\n\tif _, ok := a[addr]; !ok {\n\t\treturn false\n\t}\n\ta[addr] = Unused()\n\treturn true\n}\n" }, { "path": "edgediscovery/allregions/address_test.go", "content": "package allregions\n\nimport (\n\t\"reflect\"\n\t\"testing\"\n)\n\nfunc TestAddrSet_AddrUsedBy(t *testing.T) {\n\ttype args struct {\n\t\tconnID int\n\t}\n\ttests := []struct {\n\t\tname string\n\t\taddrSet AddrSet\n\t\targs args\n\t\twant *EdgeAddr\n\t}{\n\t\t{\n\t\t\tname: \"happy trivial test\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: InUse(0),\n\t\t\t},\n\t\t\targs: args{connID: 0},\n\t\t\twant: &addr0,\n\t\t},\n\t\t{\n\t\t\tname: \"sad trivial test\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: InUse(0),\n\t\t\t},\n\t\t\targs: args{connID: 1},\n\t\t\twant: nil,\n\t\t},\n\t\t{\n\t\t\tname: \"sad test\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: InUse(0),\n\t\t\t\t&addr1: InUse(1),\n\t\t\t\t&addr2: InUse(2),\n\t\t\t},\n\t\t\targs: args{connID: 3},\n\t\t\twant: nil,\n\t\t},\n\t\t{\n\t\t\tname: \"happy test\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: InUse(0),\n\t\t\t\t&addr1: InUse(1),\n\t\t\t\t&addr2: InUse(2),\n\t\t\t},\n\t\t\targs: args{connID: 1},\n\t\t\twant: &addr1,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tif got := tt.addrSet.AddrUsedBy(tt.args.connID); !reflect.DeepEqual(got, tt.want) {\n\t\t\t\tt.Errorf(\"Region.AddrUsedBy() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestAddrSet_AvailableAddrs(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\taddrSet AddrSet\n\t\twant int\n\t}{\n\t\t{\n\t\t\tname: \"contains addresses\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: InUse(0),\n\t\t\t\t&addr1: Unused(),\n\t\t\t\t&addr2: InUse(2),\n\t\t\t},\n\t\t\twant: 1,\n\t\t},\n\t\t{\n\t\t\tname: \"all free\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: Unused(),\n\t\t\t\t&addr1: Unused(),\n\t\t\t\t&addr2: Unused(),\n\t\t\t},\n\t\t\twant: 3,\n\t\t},\n\t\t{\n\t\t\tname: \"all used\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: InUse(0),\n\t\t\t\t&addr1: InUse(1),\n\t\t\t\t&addr2: InUse(2),\n\t\t\t},\n\t\t\twant: 0,\n\t\t},\n\t\t{\n\t\t\tname: \"empty\",\n\t\t\taddrSet: AddrSet{},\n\t\t\twant: 0,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tif got := tt.addrSet.AvailableAddrs(); got != tt.want {\n\t\t\t\tt.Errorf(\"Region.AvailableAddrs() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestAddrSet_GetUnusedIP(t *testing.T) {\n\ttype args struct {\n\t\texcluding *EdgeAddr\n\t}\n\ttests := []struct {\n\t\tname string\n\t\taddrSet AddrSet\n\t\targs args\n\t\twant *EdgeAddr\n\t}{\n\t\t{\n\t\t\tname: \"happy test with excluding set\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: Unused(),\n\t\t\t\t&addr1: Unused(),\n\t\t\t\t&addr2: InUse(2),\n\t\t\t},\n\t\t\targs: args{excluding: &addr0},\n\t\t\twant: &addr1,\n\t\t},\n\t\t{\n\t\t\tname: \"happy test with no excluding\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: InUse(0),\n\t\t\t\t&addr1: Unused(),\n\t\t\t\t&addr2: InUse(2),\n\t\t\t},\n\t\t\targs: args{excluding: nil},\n\t\t\twant: &addr1,\n\t\t},\n\t\t{\n\t\t\tname: \"sad test with no excluding\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: InUse(0),\n\t\t\t\t&addr1: InUse(1),\n\t\t\t\t&addr2: InUse(2),\n\t\t\t},\n\t\t\targs: args{excluding: nil},\n\t\t\twant: nil,\n\t\t},\n\t\t{\n\t\t\tname: \"sad test with excluding\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: Unused(),\n\t\t\t\t&addr1: InUse(1),\n\t\t\t\t&addr2: InUse(2),\n\t\t\t},\n\t\t\targs: args{excluding: &addr0},\n\t\t\twant: nil,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tif got := tt.addrSet.GetUnusedIP(tt.args.excluding); !reflect.DeepEqual(got, tt.want) {\n\t\t\t\tt.Errorf(\"Region.GetUnusedIP() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestAddrSet_GiveBack(t *testing.T) {\n\ttype args struct {\n\t\taddr *EdgeAddr\n\t}\n\ttests := []struct {\n\t\tname string\n\t\taddrSet AddrSet\n\t\targs args\n\t\twantOk bool\n\t\tavailableAfter int\n\t}{\n\t\t{\n\t\t\tname: \"sad test with excluding\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr1: InUse(1),\n\t\t\t},\n\t\t\targs: args{addr: &addr1},\n\t\t\twantOk: true,\n\t\t\tavailableAfter: 1,\n\t\t},\n\t\t{\n\t\t\tname: \"sad test with excluding\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr1: InUse(1),\n\t\t\t},\n\t\t\targs: args{addr: &addr2},\n\t\t\twantOk: false,\n\t\t\tavailableAfter: 0,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tif gotOk := tt.addrSet.GiveBack(tt.args.addr); gotOk != tt.wantOk {\n\t\t\t\tt.Errorf(\"Region.GiveBack() = %v, want %v\", gotOk, tt.wantOk)\n\t\t\t}\n\t\t\tif tt.availableAfter != tt.addrSet.AvailableAddrs() {\n\t\t\t\tt.Errorf(\"Region.AvailableAddrs() = %v, want %v\", tt.addrSet.AvailableAddrs(), tt.availableAfter)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestAddrSet_GetAnyAddress(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\taddrSet AddrSet\n\t\twantNil bool\n\t}{\n\t\t{\n\t\t\tname: \"Sad test -- GetAnyAddress should only fail if the region is empty\",\n\t\t\taddrSet: AddrSet{},\n\t\t\twantNil: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Happy test (all addresses unused)\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: Unused(),\n\t\t\t},\n\t\t\twantNil: false,\n\t\t},\n\t\t{\n\t\t\tname: \"Happy test (GetAnyAddress can still return addresses used by proxy conns)\",\n\t\t\taddrSet: AddrSet{\n\t\t\t\t&addr0: InUse(2),\n\t\t\t},\n\t\t\twantNil: false,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tif got := tt.addrSet.GetAnyAddress(); tt.wantNil != (got == nil) {\n\t\t\t\tt.Errorf(\"Region.GetAnyAddress() = %v, but should it return nil? %v\", got, tt.wantNil)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "edgediscovery/allregions/discovery.go", "content": "package allregions\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/management\"\n)\n\nconst (\n\t// Used to discover HA origintunneld servers\n\tsrvService = \"v2-origintunneld\"\n\tsrvProto = \"tcp\"\n\tsrvName = \"argotunnel.com\"\n\n\t// Used to fallback to DoT when we can't use the default resolver to\n\t// discover HA origintunneld servers (GitHub issue #75).\n\tdotServerName = \"cloudflare-dns.com\"\n\tdotServerAddr = \"1.1.1.1:853\"\n\tdotTimeout = 15 * time.Second\n\n\tlogFieldAddress = \"address\"\n)\n\n// Redeclare network functions so they can be overridden in tests.\nvar (\n\tnetLookupSRV = net.LookupSRV\n\tnetLookupIP = net.LookupIP\n)\n\n// ConfigIPVersion is the selection of IP versions from config\ntype ConfigIPVersion int8\n\nconst (\n\tAuto ConfigIPVersion = 2\n\tIPv4Only ConfigIPVersion = 4\n\tIPv6Only ConfigIPVersion = 6\n)\n\nfunc (c ConfigIPVersion) String() string {\n\tswitch c {\n\tcase Auto:\n\t\treturn \"auto\"\n\tcase IPv4Only:\n\t\treturn \"4\"\n\tcase IPv6Only:\n\t\treturn \"6\"\n\tdefault:\n\t\treturn \"\"\n\t}\n}\n\n// IPVersion is the IP version of an EdgeAddr\ntype EdgeIPVersion int8\n\nconst (\n\tV4 EdgeIPVersion = 4\n\tV6 EdgeIPVersion = 6\n)\n\n// String returns the enum's constant name.\nfunc (c EdgeIPVersion) String() string {\n\tswitch c {\n\tcase V4:\n\t\treturn \"4\"\n\tcase V6:\n\t\treturn \"6\"\n\tdefault:\n\t\treturn \"\"\n\t}\n}\n\n// EdgeAddr is a representation of possible ways to refer an edge location.\ntype EdgeAddr struct {\n\tTCP *net.TCPAddr\n\tUDP *net.UDPAddr\n\tIPVersion EdgeIPVersion\n}\n\n// If the call to net.LookupSRV fails, try to fall back to DoT from Cloudflare directly.\n//\n// Note: Instead of DoT, we could also have used DoH. Either of these:\n// - directly via the JSON API (https://1.1.1.1/dns-query?ct=application/dns-json&name=_origintunneld._tcp.argotunnel.com&type=srv)\n// - indirectly via `tunneldns.NewUpstreamHTTPS()`\n//\n// But both of these cases miss out on a key feature from the stdlib:\n//\n//\t\"The returned records are sorted by priority and randomized by weight within a priority.\"\n//\t(https://golang.org/pkg/net/#Resolver.LookupSRV)\n//\n// Does this matter? I don't know. It may someday. Let's use DoT so we don't need to worry about it.\n// See also: Go feature request for stdlib-supported DoH: https://github.com/golang/go/issues/27552\nvar fallbackLookupSRV = lookupSRVWithDOT\n\nvar friendlyDNSErrorLines = []string{\n\t`Please try the following things to diagnose this issue:`,\n\t` 1. ensure that argotunnel.com is returning \"origintunneld\" service records.`,\n\t` Run your system's equivalent of: dig srv _origintunneld._tcp.argotunnel.com`,\n\t` 2. ensure that your DNS resolver is not returning compressed SRV records.`,\n\t` See GitHub issue https://github.com/golang/go/issues/27546`,\n\t` For example, you could use Cloudflare's 1.1.1.1 as your resolver:`,\n\t` https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/`,\n}\n\n// EdgeDiscovery implements HA service discovery lookup.\nfunc edgeDiscovery(log *zerolog.Logger, srvService string) ([][]*EdgeAddr, error) {\n\tlogger := log.With().Int(management.EventTypeKey, int(management.Cloudflared)).Logger()\n\tlogger.Debug().\n\t\tInt(management.EventTypeKey, int(management.Cloudflared)).\n\t\tStr(\"domain\", \"_\"+srvService+\"._\"+srvProto+\".\"+srvName).\n\t\tMsg(\"edge discovery: looking up edge SRV record\")\n\n\t_, addrs, err := netLookupSRV(srvService, srvProto, srvName)\n\tif err != nil {\n\t\t_, fallbackAddrs, fallbackErr := fallbackLookupSRV(srvService, srvProto, srvName)\n\t\tif fallbackErr != nil || len(fallbackAddrs) == 0 {\n\t\t\t// use the original DNS error `err` in messages, not `fallbackErr`\n\t\t\tlogger.Err(err).Msg(\"edge discovery: error looking up Cloudflare edge IPs: the DNS query failed\")\n\t\t\tfor _, s := range friendlyDNSErrorLines {\n\t\t\t\tlogger.Error().Msg(s)\n\t\t\t}\n\t\t\treturn nil, errors.Wrapf(err, \"Could not lookup srv records on _%v._%v.%v\", srvService, srvProto, srvName)\n\t\t}\n\t\t// Accept the fallback results and keep going\n\t\taddrs = fallbackAddrs\n\t}\n\n\tvar resolvedAddrPerCNAME [][]*EdgeAddr\n\tfor _, addr := range addrs {\n\t\tedgeAddrs, err := resolveSRV(addr)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tlogAddrs := make([]string, len(edgeAddrs))\n\t\tfor i, e := range edgeAddrs {\n\t\t\tlogAddrs[i] = e.UDP.IP.String()\n\t\t}\n\t\tlogger.Debug().\n\t\t\tStrs(\"addresses\", logAddrs).\n\t\t\tMsg(\"edge discovery: resolved edge addresses\")\n\t\tresolvedAddrPerCNAME = append(resolvedAddrPerCNAME, edgeAddrs)\n\t}\n\n\treturn resolvedAddrPerCNAME, nil\n}\n\nfunc lookupSRVWithDOT(srvService string, srvProto string, srvName string) (cname string, addrs []*net.SRV, err error) {\n\t// Inspiration: https://github.com/artyom/dot/blob/master/dot.go\n\tr := &net.Resolver{\n\t\tPreferGo: true,\n\t\tDial: func(ctx context.Context, _ string, _ string) (net.Conn, error) {\n\t\t\tvar dialer net.Dialer\n\t\t\tconn, err := dialer.DialContext(ctx, \"tcp\", dotServerAddr)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\ttlsConfig := &tls.Config{ServerName: dotServerName}\n\t\t\treturn tls.Client(conn, tlsConfig), nil\n\t\t},\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), dotTimeout)\n\tdefer cancel()\n\treturn r.LookupSRV(ctx, srvService, srvProto, srvName)\n}\n\nfunc resolveSRV(srv *net.SRV) ([]*EdgeAddr, error) {\n\tips, err := netLookupIP(srv.Target)\n\tif err != nil {\n\t\treturn nil, errors.Wrapf(err, \"Couldn't resolve SRV record %v\", srv)\n\t}\n\tif len(ips) == 0 {\n\t\treturn nil, fmt.Errorf(\"SRV record %v had no IPs\", srv)\n\t}\n\taddrs := make([]*EdgeAddr, len(ips))\n\tfor i, ip := range ips {\n\t\tversion := V6\n\t\tif ip.To4() != nil {\n\t\t\tversion = V4\n\t\t}\n\t\taddrs[i] = &EdgeAddr{\n\t\t\tTCP: &net.TCPAddr{IP: ip, Port: int(srv.Port)},\n\t\t\tUDP: &net.UDPAddr{IP: ip, Port: int(srv.Port)},\n\t\t\tIPVersion: version,\n\t\t}\n\t}\n\treturn addrs, nil\n}\n\n// ResolveAddrs resolves TCP address given a list of addresses. Address can be a hostname, however, it will return at most one\n// of the hostname's IP addresses.\nfunc ResolveAddrs(addrs []string, log *zerolog.Logger) (resolved []*EdgeAddr) {\n\tfor _, addr := range addrs {\n\t\ttcpAddr, err := net.ResolveTCPAddr(\"tcp\", addr)\n\t\tif err != nil {\n\t\t\tlog.Error().Int(management.EventTypeKey, int(management.Cloudflared)).\n\t\t\t\tStr(logFieldAddress, addr).Err(err).Msg(\"edge discovery: failed to resolve to TCP address\")\n\t\t\tcontinue\n\t\t}\n\n\t\tudpAddr, err := net.ResolveUDPAddr(\"udp\", addr)\n\t\tif err != nil {\n\t\t\tlog.Error().Int(management.EventTypeKey, int(management.Cloudflared)).\n\t\t\t\tStr(logFieldAddress, addr).Err(err).Msg(\"edge discovery: failed to resolve to UDP address\")\n\t\t\tcontinue\n\t\t}\n\t\tversion := V6\n\t\tif udpAddr.IP.To4() != nil {\n\t\t\tversion = V4\n\t\t}\n\t\tresolved = append(resolved, &EdgeAddr{\n\t\t\tTCP: tcpAddr,\n\t\t\tUDP: udpAddr,\n\t\t\tIPVersion: version,\n\t\t})\n\t}\n\treturn\n}\n" }, { "path": "edgediscovery/allregions/discovery_test.go", "content": "package allregions\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc (ea *EdgeAddr) String() string {\n\treturn fmt.Sprintf(\"%s-%s\", ea.TCP, ea.UDP)\n}\n\nfunc TestEdgeDiscovery(t *testing.T) {\n\tmockAddrs := newMockAddrs(19, 2, 5)\n\tnetLookupSRV = mockNetLookupSRV(mockAddrs)\n\tnetLookupIP = mockNetLookupIP(mockAddrs)\n\n\texpectedAddrSet := map[string]bool{}\n\tfor _, addrs := range mockAddrs.addrMap {\n\t\tfor _, addr := range addrs {\n\t\t\texpectedAddrSet[addr.String()] = true\n\t\t}\n\t}\n\n\tl := zerolog.Nop()\n\taddrLists, err := edgeDiscovery(&l, \"\")\n\tassert.NoError(t, err)\n\tactualAddrSet := map[string]bool{}\n\tfor _, addrs := range addrLists {\n\t\tfor _, addr := range addrs {\n\t\t\tactualAddrSet[addr.String()] = true\n\t\t}\n\t}\n\n\tassert.Equal(t, expectedAddrSet, actualAddrSet)\n}\n" }, { "path": "edgediscovery/allregions/mocks_for_test.go", "content": "package allregions\n\nimport (\n\t\"fmt\"\n\t\"math\"\n\t\"math/rand\"\n\t\"net\"\n\t\"reflect\"\n\t\"testing/quick\"\n)\n\nvar (\n\tv4Addrs = []*EdgeAddr{&addr0, &addr1, &addr2, &addr3}\n\tv6Addrs = []*EdgeAddr{&addr4, &addr5, &addr6, &addr7}\n\taddr0 = EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.0\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.0\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: V4,\n\t}\n\taddr1 = EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.1\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.1\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: V4,\n\t}\n\taddr2 = EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.2\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.2\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: V4,\n\t}\n\taddr3 = EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.3\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.3\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: V4,\n\t}\n\taddr4 = EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::1\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::1\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: V6,\n\t}\n\taddr5 = EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::2\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::2\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: V6,\n\t}\n\taddr6 = EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::3\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::3\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: V6,\n\t}\n\taddr7 = EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::4\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::4\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: V6,\n\t}\n)\n\ntype mockAddrs struct {\n\t// a set of synthetic SRV records\n\taddrMap map[net.SRV][]*EdgeAddr\n\t// the total number of addresses, aggregated across addrMap.\n\t// For the convenience of test code that would otherwise have to compute\n\t// this by hand every time.\n\tnumAddrs int\n}\n\nfunc newMockAddrs(port uint16, numRegions uint8, numAddrsPerRegion uint8) mockAddrs {\n\taddrMap := make(map[net.SRV][]*EdgeAddr)\n\tnumAddrs := 0\n\n\tfor r := uint8(0); r < numRegions; r++ {\n\t\tvar (\n\t\t\tsrv = net.SRV{Target: fmt.Sprintf(\"test-region-%v.example.com\", r), Port: port}\n\t\t\taddrs []*EdgeAddr\n\t\t)\n\t\tfor a := uint8(0); a < numAddrsPerRegion; a++ {\n\t\t\ttcpAddr := &net.TCPAddr{\n\t\t\t\tIP: net.ParseIP(fmt.Sprintf(\"10.0.%v.%v\", r, a)),\n\t\t\t\tPort: int(port),\n\t\t\t}\n\t\t\tudpAddr := &net.UDPAddr{\n\t\t\t\tIP: net.ParseIP(fmt.Sprintf(\"10.0.%v.%v\", r, a)),\n\t\t\t\tPort: int(port),\n\t\t\t}\n\t\t\taddrs = append(addrs, &EdgeAddr{tcpAddr, udpAddr, V4})\n\t\t}\n\t\taddrMap[srv] = addrs\n\t\tnumAddrs += len(addrs)\n\t}\n\treturn mockAddrs{addrMap: addrMap, numAddrs: numAddrs}\n}\n\nvar _ quick.Generator = mockAddrs{}\n\nfunc (mockAddrs) Generate(rand *rand.Rand, size int) reflect.Value {\n\tport := uint16(rand.Intn(math.MaxUint16))\n\tnumRegions := uint8(1 + rand.Intn(10))\n\tnumAddrsPerRegion := uint8(1 + rand.Intn(32))\n\tresult := newMockAddrs(port, numRegions, numAddrsPerRegion)\n\treturn reflect.ValueOf(result)\n}\n\n// Returns a function compatible with net.LookupSRV that will return the SRV\n// records from mockAddrs.\nfunc mockNetLookupSRV(\n\tm mockAddrs,\n) func(service, proto, name string) (cname string, addrs []*net.SRV, err error) {\n\tvar addrs []*net.SRV\n\tfor k := range m.addrMap {\n\t\taddr := k\n\t\taddrs = append(addrs, &addr)\n\t\t// We can't just do\n\t\t// addrs = append(addrs, &k)\n\t\t// `k` will be reused by subsequent loop iterations,\n\t\t// so all the copies of `&k` would point to the same location.\n\t}\n\treturn func(_, _, _ string) (string, []*net.SRV, error) {\n\t\treturn \"\", addrs, nil\n\t}\n}\n\n// Returns a function compatible with net.LookupIP that translates the SRV records\n// from mockAddrs into IP addresses, based on the TCP addresses in mockAddrs.\nfunc mockNetLookupIP(\n\tm mockAddrs,\n) func(host string) ([]net.IP, error) {\n\treturn func(host string) ([]net.IP, error) {\n\t\tfor srv, addrs := range m.addrMap {\n\t\t\tif srv.Target != host {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tresult := make([]net.IP, len(addrs))\n\t\t\tfor i, addr := range addrs {\n\t\t\t\tresult[i] = addr.TCP.IP\n\t\t\t}\n\t\t\treturn result, nil\n\t\t}\n\t\treturn nil, fmt.Errorf(\"No IPs for %v\", host)\n\t}\n}\n" }, { "path": "edgediscovery/allregions/region.go", "content": "package allregions\n\nimport \"time\"\n\nconst (\n\ttimeoutDuration = 10 * time.Minute\n)\n\n// Region contains cloudflared edge addresses. The edge is partitioned into several regions for\n// redundancy purposes.\ntype Region struct {\n\tprimaryIsActive bool\n\tactive AddrSet\n\tprimary AddrSet\n\tsecondary AddrSet\n\tprimaryTimeout time.Time\n\ttimeoutDuration time.Duration\n}\n\n// NewRegion creates a region with the given addresses, which are all unused.\nfunc NewRegion(addrs []*EdgeAddr, overrideIPVersion ConfigIPVersion) Region {\n\t// The zero value of UsedBy is Unused(), so we can just initialize the map's values with their\n\t// zero values.\n\tconnForv4 := make(AddrSet)\n\tconnForv6 := make(AddrSet)\n\tsystemPreference := V6\n\tfor i, addr := range addrs {\n\t\tif i == 0 {\n\t\t\t// First family of IPs returned is system preference of IP\n\t\t\tsystemPreference = addr.IPVersion\n\t\t}\n\t\tswitch addr.IPVersion {\n\t\tcase V4:\n\t\t\tconnForv4[addr] = Unused()\n\t\tcase V6:\n\t\t\tconnForv6[addr] = Unused()\n\t\t}\n\t}\n\n\t// Process as system preference\n\tvar primary AddrSet\n\tvar secondary AddrSet\n\tswitch systemPreference {\n\tcase V4:\n\t\tprimary = connForv4\n\t\tsecondary = connForv6\n\tcase V6:\n\t\tprimary = connForv6\n\t\tsecondary = connForv4\n\t}\n\n\t// Override with provided preference\n\tswitch overrideIPVersion {\n\tcase IPv4Only:\n\t\tprimary = connForv4\n\t\tsecondary = make(AddrSet) // empty\n\tcase IPv6Only:\n\t\tprimary = connForv6\n\t\tsecondary = make(AddrSet) // empty\n\tcase Auto:\n\t\t// no change\n\tdefault:\n\t\t// no change\n\t}\n\n\treturn Region{\n\t\tprimaryIsActive: true,\n\t\tactive: primary,\n\t\tprimary: primary,\n\t\tsecondary: secondary,\n\t\ttimeoutDuration: timeoutDuration,\n\t}\n}\n\n// AddrUsedBy finds the address used by the given connection in this region.\n// Returns nil if the connection isn't using any IP.\nfunc (r *Region) AddrUsedBy(connID int) *EdgeAddr {\n\tedgeAddr := r.primary.AddrUsedBy(connID)\n\tif edgeAddr == nil {\n\t\tedgeAddr = r.secondary.AddrUsedBy(connID)\n\t}\n\treturn edgeAddr\n}\n\n// AvailableAddrs counts how many unused addresses this region contains.\nfunc (r Region) AvailableAddrs() int {\n\treturn r.active.AvailableAddrs()\n}\n\n// AssignAnyAddress returns a random unused address in this region now\n// assigned to the connID excluding the provided EdgeAddr.\n// Returns nil if all addresses are in use for the region.\nfunc (r Region) AssignAnyAddress(connID int, excluding *EdgeAddr) *EdgeAddr {\n\tif addr := r.active.GetUnusedIP(excluding); addr != nil {\n\t\tr.active.Use(addr, connID)\n\t\treturn addr\n\t}\n\treturn nil\n}\n\n// GetAnyAddress returns an arbitrary address from the region.\nfunc (r Region) GetAnyAddress() *EdgeAddr {\n\treturn r.active.GetAnyAddress()\n}\n\n// GiveBack the address, ensuring it is no longer assigned to an IP.\n// Returns true if the address is in this region.\nfunc (r *Region) GiveBack(addr *EdgeAddr, hasConnectivityError bool) (ok bool) {\n\tif ok = r.primary.GiveBack(addr); !ok {\n\t\t// Attempt to give back the address in the secondary set\n\t\tif ok = r.secondary.GiveBack(addr); !ok {\n\t\t\t// Address is not in this region\n\t\t\treturn\n\t\t}\n\t}\n\n\t// No connectivity error: no worry\n\tif !hasConnectivityError {\n\t\treturn\n\t}\n\n\t// If using primary and returned address is IPv6 and secondary is available\n\tif r.primaryIsActive && addr.IPVersion == V6 && len(r.secondary) > 0 {\n\t\tr.active = r.secondary\n\t\tr.primaryIsActive = false\n\t\tr.primaryTimeout = time.Now().Add(r.timeoutDuration)\n\t\treturn\n\t}\n\n\t// Do nothing for IPv4 or if secondary is empty\n\tif r.primaryIsActive {\n\t\treturn\n\t}\n\n\t// Immediately return to primary pool, regardless of current primary timeout\n\tif addr.IPVersion == V4 {\n\t\tactivatePrimary(r)\n\t\treturn\n\t}\n\n\t// Timeout exceeded and can be reset to primary pool\n\tif r.primaryTimeout.Before(time.Now()) {\n\t\tactivatePrimary(r)\n\t\treturn\n\t}\n\n\treturn\n}\n\n// activatePrimary sets the primary set to the active set and resets the timeout.\nfunc activatePrimary(r *Region) {\n\tr.active = r.primary\n\tr.primaryIsActive = true\n\tr.primaryTimeout = time.Now() // reset timeout\n}\n" }, { "path": "edgediscovery/allregions/region_test.go", "content": "package allregions\n\nimport (\n\t\"net\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc makeAddrSet(addrs []*EdgeAddr) AddrSet {\n\taddrSet := make(AddrSet, len(addrs))\n\tfor _, addr := range addrs {\n\t\taddrSet[addr] = Unused()\n\t}\n\treturn addrSet\n}\n\nfunc TestRegion_New(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\taddrs []*EdgeAddr\n\t\tmode ConfigIPVersion\n\t\texpectedAddrs int\n\t\tprimary AddrSet\n\t\tsecondary AddrSet\n\t}{\n\t\t{\n\t\t\tname: \"IPv4 addresses with IPv4Only\",\n\t\t\taddrs: v4Addrs,\n\t\t\tmode: IPv4Only,\n\t\t\texpectedAddrs: len(v4Addrs),\n\t\t\tprimary: makeAddrSet(v4Addrs),\n\t\t\tsecondary: AddrSet{},\n\t\t},\n\t\t{\n\t\t\tname: \"IPv6 addresses with IPv4Only\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: IPv4Only,\n\t\t\texpectedAddrs: 0,\n\t\t\tprimary: AddrSet{},\n\t\t\tsecondary: AddrSet{},\n\t\t},\n\t\t{\n\t\t\tname: \"IPv6 addresses with IPv6Only\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: IPv6Only,\n\t\t\texpectedAddrs: len(v6Addrs),\n\t\t\tprimary: makeAddrSet(v6Addrs),\n\t\t\tsecondary: AddrSet{},\n\t\t},\n\t\t{\n\t\t\tname: \"IPv6 addresses with IPv4Only\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: IPv4Only,\n\t\t\texpectedAddrs: 0,\n\t\t\tprimary: AddrSet{},\n\t\t\tsecondary: AddrSet{},\n\t\t},\n\t\t{\n\t\t\tname: \"IPv4 (first) and IPv6 addresses with Auto\",\n\t\t\taddrs: append(v4Addrs, v6Addrs...),\n\t\t\tmode: Auto,\n\t\t\texpectedAddrs: len(v4Addrs),\n\t\t\tprimary: makeAddrSet(v4Addrs),\n\t\t\tsecondary: makeAddrSet(v6Addrs),\n\t\t},\n\t\t{\n\t\t\tname: \"IPv6 (first) and IPv4 addresses with Auto\",\n\t\t\taddrs: append(v6Addrs, v4Addrs...),\n\t\t\tmode: Auto,\n\t\t\texpectedAddrs: len(v6Addrs),\n\t\t\tprimary: makeAddrSet(v6Addrs),\n\t\t\tsecondary: makeAddrSet(v4Addrs),\n\t\t},\n\t\t{\n\t\t\tname: \"IPv4 addresses with Auto\",\n\t\t\taddrs: v4Addrs,\n\t\t\tmode: Auto,\n\t\t\texpectedAddrs: len(v4Addrs),\n\t\t\tprimary: makeAddrSet(v4Addrs),\n\t\t\tsecondary: AddrSet{},\n\t\t},\n\t\t{\n\t\t\tname: \"IPv6 addresses with Auto\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: Auto,\n\t\t\texpectedAddrs: len(v6Addrs),\n\t\t\tprimary: makeAddrSet(v6Addrs),\n\t\t\tsecondary: AddrSet{},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tr := NewRegion(tt.addrs, tt.mode)\n\t\t\tassert.Equal(t, tt.expectedAddrs, r.AvailableAddrs())\n\t\t\tassert.Equal(t, tt.primary, r.primary)\n\t\t\tassert.Equal(t, tt.secondary, r.secondary)\n\t\t})\n\t}\n}\n\nfunc TestRegion_AnyAddress_EmptyActiveSet(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\taddrs []*EdgeAddr\n\t\tmode ConfigIPVersion\n\t}{\n\t\t{\n\t\t\tname: \"IPv6 addresses with IPv4Only\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: IPv4Only,\n\t\t},\n\t\t{\n\t\t\tname: \"IPv4 addresses with IPv6Only\",\n\t\t\taddrs: v4Addrs,\n\t\t\tmode: IPv6Only,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tr := NewRegion(tt.addrs, tt.mode)\n\t\t\taddr := r.GetAnyAddress()\n\t\t\tassert.Nil(t, addr)\n\t\t\taddr = r.AssignAnyAddress(0, nil)\n\t\t\tassert.Nil(t, addr)\n\t\t})\n\t}\n}\n\nfunc TestRegion_AssignAnyAddress_FullyUsedActiveSet(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\taddrs []*EdgeAddr\n\t\tmode ConfigIPVersion\n\t}{\n\t\t{\n\t\t\tname: \"IPv6 addresses with IPv6Only\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: IPv6Only,\n\t\t},\n\t\t{\n\t\t\tname: \"IPv4 addresses with IPv4Only\",\n\t\t\taddrs: v4Addrs,\n\t\t\tmode: IPv4Only,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tr := NewRegion(tt.addrs, tt.mode)\n\t\t\ttotal := r.active.AvailableAddrs()\n\t\t\tfor i := 0; i < total; i++ {\n\t\t\t\taddr := r.AssignAnyAddress(i, nil)\n\t\t\t\tassert.NotNil(t, addr)\n\t\t\t}\n\t\t\taddr := r.AssignAnyAddress(9, nil)\n\t\t\tassert.Nil(t, addr)\n\t\t})\n\t}\n}\n\nvar giveBackTests = []struct {\n\tname string\n\taddrs []*EdgeAddr\n\tmode ConfigIPVersion\n\texpectedAddrs int\n\tprimary AddrSet\n\tsecondary AddrSet\n\tprimarySwap bool\n}{\n\t{\n\t\tname: \"IPv4 addresses with IPv4Only\",\n\t\taddrs: v4Addrs,\n\t\tmode: IPv4Only,\n\t\texpectedAddrs: len(v4Addrs),\n\t\tprimary: makeAddrSet(v4Addrs),\n\t\tsecondary: AddrSet{},\n\t\tprimarySwap: false,\n\t},\n\t{\n\t\tname: \"IPv6 addresses with IPv6Only\",\n\t\taddrs: v6Addrs,\n\t\tmode: IPv6Only,\n\t\texpectedAddrs: len(v6Addrs),\n\t\tprimary: makeAddrSet(v6Addrs),\n\t\tsecondary: AddrSet{},\n\t\tprimarySwap: false,\n\t},\n\t{\n\t\tname: \"IPv4 (first) and IPv6 addresses with Auto\",\n\t\taddrs: append(v4Addrs, v6Addrs...),\n\t\tmode: Auto,\n\t\texpectedAddrs: len(v4Addrs),\n\t\tprimary: makeAddrSet(v4Addrs),\n\t\tsecondary: makeAddrSet(v6Addrs),\n\t\tprimarySwap: false,\n\t},\n\t{\n\t\tname: \"IPv6 (first) and IPv4 addresses with Auto\",\n\t\taddrs: append(v6Addrs, v4Addrs...),\n\t\tmode: Auto,\n\t\texpectedAddrs: len(v6Addrs),\n\t\tprimary: makeAddrSet(v6Addrs),\n\t\tsecondary: makeAddrSet(v4Addrs),\n\t\tprimarySwap: true,\n\t},\n\t{\n\t\tname: \"IPv4 addresses with Auto\",\n\t\taddrs: v4Addrs,\n\t\tmode: Auto,\n\t\texpectedAddrs: len(v4Addrs),\n\t\tprimary: makeAddrSet(v4Addrs),\n\t\tsecondary: AddrSet{},\n\t\tprimarySwap: false,\n\t},\n\t{\n\t\tname: \"IPv6 addresses with Auto\",\n\t\taddrs: v6Addrs,\n\t\tmode: Auto,\n\t\texpectedAddrs: len(v6Addrs),\n\t\tprimary: makeAddrSet(v6Addrs),\n\t\tsecondary: AddrSet{},\n\t\tprimarySwap: false,\n\t},\n}\n\nfunc TestRegion_GiveBack_NoConnectivityError(t *testing.T) {\n\tfor _, tt := range giveBackTests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tr := NewRegion(tt.addrs, tt.mode)\n\t\t\taddr := r.AssignAnyAddress(0, nil)\n\t\t\tassert.NotNil(t, addr)\n\t\t\tassert.True(t, r.GiveBack(addr, false))\n\t\t})\n\t}\n}\n\nfunc TestRegion_GiveBack_ForeignAddr(t *testing.T) {\n\tinvalid := EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.0\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.0\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: V4,\n\t}\n\tfor _, tt := range giveBackTests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tr := NewRegion(tt.addrs, tt.mode)\n\t\t\tassert.False(t, r.GiveBack(&invalid, false))\n\t\t\tassert.False(t, r.GiveBack(&invalid, true))\n\t\t})\n\t}\n}\n\nfunc TestRegion_GiveBack_SwapPrimary(t *testing.T) {\n\tfor _, tt := range giveBackTests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tr := NewRegion(tt.addrs, tt.mode)\n\t\t\taddr := r.AssignAnyAddress(0, nil)\n\t\t\tassert.NotNil(t, addr)\n\t\t\tassert.True(t, r.GiveBack(addr, true))\n\t\t\tassert.Equal(t, tt.primarySwap, !r.primaryIsActive)\n\t\t\tif tt.primarySwap {\n\t\t\t\tassert.Equal(t, r.secondary, r.active)\n\t\t\t\tassert.False(t, r.primaryTimeout.IsZero())\n\t\t\t} else {\n\t\t\t\tassert.Equal(t, r.primary, r.active)\n\t\t\t\tassert.True(t, r.primaryTimeout.IsZero())\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestRegion_GiveBack_IPv4_ResetPrimary(t *testing.T) {\n\tr := NewRegion(append(v6Addrs, v4Addrs...), Auto)\n\t// Exhaust all IPv6 addresses\n\ta0 := r.AssignAnyAddress(0, nil)\n\ta1 := r.AssignAnyAddress(1, nil)\n\ta2 := r.AssignAnyAddress(2, nil)\n\ta3 := r.AssignAnyAddress(3, nil)\n\tassert.NotNil(t, a0)\n\tassert.NotNil(t, a1)\n\tassert.NotNil(t, a2)\n\tassert.NotNil(t, a3)\n\t// Give back the first IPv6 address to fallback to secondary IPv4 address set\n\tassert.True(t, r.GiveBack(a0, true))\n\tassert.False(t, r.primaryIsActive)\n\t// Give back another IPv6 address\n\tassert.True(t, r.GiveBack(a1, true))\n\t// Primary shouldn't change\n\tassert.False(t, r.primaryIsActive)\n\t// Request an address (should be IPv4 from secondary)\n\ta4_v4 := r.AssignAnyAddress(4, nil)\n\tassert.NotNil(t, a4_v4)\n\tassert.Equal(t, V4, a4_v4.IPVersion)\n\ta5_v4 := r.AssignAnyAddress(5, nil)\n\tassert.NotNil(t, a5_v4)\n\tassert.Equal(t, V4, a5_v4.IPVersion)\n\ta6_v4 := r.AssignAnyAddress(6, nil)\n\tassert.NotNil(t, a6_v4)\n\tassert.Equal(t, V4, a6_v4.IPVersion)\n\t// Return IPv4 address (without failure)\n\t// Primary shouldn't change because it is not a connectivity failure\n\tassert.True(t, r.GiveBack(a4_v4, false))\n\tassert.False(t, r.primaryIsActive)\n\t// Return IPv4 address (with failure)\n\t// Primary should change because it is a connectivity failure\n\tassert.True(t, r.GiveBack(a5_v4, true))\n\tassert.True(t, r.primaryIsActive)\n\t// Return IPv4 address (with failure)\n\t// Primary shouldn't change because the address is returned to the inactive\n\t// secondary address set\n\tassert.True(t, r.GiveBack(a6_v4, true))\n\tassert.True(t, r.primaryIsActive)\n\t// Return IPv6 address (without failure)\n\t// Primary shoudn't change because it is not a connectivity failure\n\tassert.True(t, r.GiveBack(a2, false))\n\tassert.True(t, r.primaryIsActive)\n}\n\nfunc TestRegion_GiveBack_Timeout(t *testing.T) {\n\tr := NewRegion(append(v6Addrs, v4Addrs...), Auto)\n\ta0 := r.AssignAnyAddress(0, nil)\n\ta1 := r.AssignAnyAddress(1, nil)\n\ta2 := r.AssignAnyAddress(2, nil)\n\tassert.NotNil(t, a0)\n\tassert.NotNil(t, a1)\n\tassert.NotNil(t, a2)\n\t// Give back IPv6 address to set timeout\n\tassert.True(t, r.GiveBack(a0, true))\n\tassert.False(t, r.primaryIsActive)\n\tassert.False(t, r.primaryTimeout.IsZero())\n\t// Request an address (should be IPv4 from secondary)\n\ta3_v4 := r.AssignAnyAddress(3, nil)\n\tassert.NotNil(t, a3_v4)\n\tassert.Equal(t, V4, a3_v4.IPVersion)\n\tassert.False(t, r.primaryIsActive)\n\t// Give back IPv6 address inside timeout (no change)\n\tassert.True(t, r.GiveBack(a2, true))\n\tassert.False(t, r.primaryIsActive)\n\tassert.False(t, r.primaryTimeout.IsZero())\n\t// Accelerate timeout\n\tr.primaryTimeout = time.Now().Add(-time.Minute)\n\t// Return IPv6 address\n\tassert.True(t, r.GiveBack(a1, true))\n\tassert.True(t, r.primaryIsActive)\n\t// Returning an IPv4 address after primary is active shouldn't change primary\n\t// even with a connectivity error\n\tassert.True(t, r.GiveBack(a3_v4, true))\n\tassert.True(t, r.primaryIsActive)\n}\n" }, { "path": "edgediscovery/allregions/regions.go", "content": "package allregions\n\nimport (\n\t\"fmt\"\n\t\"math/rand\"\n\n\t\"github.com/rs/zerolog\"\n)\n\n// Regions stores Cloudflare edge network IPs, partitioned into two regions.\n// This is NOT thread-safe. Users of this package should use it with a lock.\ntype Regions struct {\n\tregion1 Region\n\tregion2 Region\n}\n\n// ------------------------------------\n// Constructors\n// ------------------------------------\n\n// ResolveEdge resolves the Cloudflare edge, returning all regions discovered.\nfunc ResolveEdge(log *zerolog.Logger, region string, overrideIPVersion ConfigIPVersion) (*Regions, error) {\n\tedgeAddrs, err := edgeDiscovery(log, getRegionalServiceName(region))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif len(edgeAddrs) < 2 {\n\t\treturn nil, fmt.Errorf(\"expected at least 2 Cloudflare Regions regions, but SRV only returned %v\", len(edgeAddrs))\n\t}\n\treturn &Regions{\n\t\tregion1: NewRegion(edgeAddrs[0], overrideIPVersion),\n\t\tregion2: NewRegion(edgeAddrs[1], overrideIPVersion),\n\t}, nil\n}\n\n// StaticEdge creates a list of edge addresses from the list of hostnames.\n// Mainly used for testing connectivity.\nfunc StaticEdge(hostnames []string, log *zerolog.Logger) (*Regions, error) {\n\tresolved := ResolveAddrs(hostnames, log)\n\tif len(resolved) == 0 {\n\t\treturn nil, fmt.Errorf(\"failed to resolve any edge address\")\n\t}\n\treturn NewNoResolve(resolved), nil\n}\n\n// NewNoResolve doesn't resolve the edge. Instead it just uses the given addresses.\n// You probably only need this for testing.\nfunc NewNoResolve(addrs []*EdgeAddr) *Regions {\n\tregion1 := make([]*EdgeAddr, 0)\n\tregion2 := make([]*EdgeAddr, 0)\n\tfor i, v := range addrs {\n\t\tif i%2 == 0 {\n\t\t\tregion1 = append(region1, v)\n\t\t} else {\n\t\t\tregion2 = append(region2, v)\n\t\t}\n\t}\n\n\treturn &Regions{\n\t\tregion1: NewRegion(region1, Auto),\n\t\tregion2: NewRegion(region2, Auto),\n\t}\n}\n\n// ------------------------------------\n// Methods\n// ------------------------------------\n\n// GetAnyAddress returns an arbitrary address from the larger region.\nfunc (rs *Regions) GetAnyAddress() *EdgeAddr {\n\tif addr := rs.region1.GetAnyAddress(); addr != nil {\n\t\treturn addr\n\t}\n\treturn rs.region2.GetAnyAddress()\n}\n\n// AddrUsedBy finds the address used by the given connection.\n// Returns nil if the connection isn't using an address.\nfunc (rs *Regions) AddrUsedBy(connID int) *EdgeAddr {\n\tif addr := rs.region1.AddrUsedBy(connID); addr != nil {\n\t\treturn addr\n\t}\n\treturn rs.region2.AddrUsedBy(connID)\n}\n\n// GetUnusedAddr gets an unused addr from the edge, excluding the given addr. Prefer to use addresses\n// evenly across both regions.\nfunc (rs *Regions) GetUnusedAddr(excluding *EdgeAddr, connID int) *EdgeAddr {\n\t// If both regions have the same number of available addrs, lets randomise which one\n\t// we pick. The rest of this algorithm will continue to make sure we always use addresses\n\t// evenly across both regions.\n\tif rs.region1.AvailableAddrs() == rs.region2.AvailableAddrs() {\n\t\tregions := []Region{rs.region1, rs.region2}\n\t\tfirstChoice := rand.Intn(2)\n\t\treturn getAddrs(excluding, connID, ®ions[firstChoice], ®ions[1-firstChoice])\n\t}\n\n\tif rs.region1.AvailableAddrs() > rs.region2.AvailableAddrs() {\n\t\treturn getAddrs(excluding, connID, &rs.region1, &rs.region2)\n\t}\n\n\treturn getAddrs(excluding, connID, &rs.region2, &rs.region1)\n}\n\n// getAddrs tries to grab address form `first` region, then `second` region\n// this is an unrolled loop over 2 element array\nfunc getAddrs(excluding *EdgeAddr, connID int, first *Region, second *Region) *EdgeAddr {\n\taddr := first.AssignAnyAddress(connID, excluding)\n\tif addr != nil {\n\t\treturn addr\n\t}\n\taddr = second.AssignAnyAddress(connID, excluding)\n\tif addr != nil {\n\t\treturn addr\n\t}\n\n\treturn nil\n}\n\n// AvailableAddrs returns how many edge addresses aren't used.\nfunc (rs *Regions) AvailableAddrs() int {\n\treturn rs.region1.AvailableAddrs() + rs.region2.AvailableAddrs()\n}\n\n// GiveBack the address so that other connections can use it.\n// Returns true if the address is in this edge.\nfunc (rs *Regions) GiveBack(addr *EdgeAddr, hasConnectivityError bool) bool {\n\tif found := rs.region1.GiveBack(addr, hasConnectivityError); found {\n\t\treturn found\n\t}\n\treturn rs.region2.GiveBack(addr, hasConnectivityError)\n}\n\n// Return regionalized service name if `region` isn't empty, otherwise return the global service name for origintunneld\nfunc getRegionalServiceName(region string) string {\n\tif region != \"\" {\n\t\treturn region + \"-\" + srvService // Example: `us-v2-origintunneld`\n\t}\n\n\treturn srvService // Global service is just `v2-origintunneld`\n}\n" }, { "path": "edgediscovery/allregions/regions_test.go", "content": "package allregions\n\nimport (\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc makeRegions(addrs []*EdgeAddr, mode ConfigIPVersion) Regions {\n\tr1addrs := make([]*EdgeAddr, 0)\n\tr2addrs := make([]*EdgeAddr, 0)\n\tfor i, addr := range addrs {\n\t\tif i%2 == 0 {\n\t\t\tr1addrs = append(r1addrs, addr)\n\t\t} else {\n\t\t\tr2addrs = append(r2addrs, addr)\n\t\t}\n\t}\n\tr1 := NewRegion(r1addrs, mode)\n\tr2 := NewRegion(r2addrs, mode)\n\treturn Regions{region1: r1, region2: r2}\n}\n\nfunc TestRegions_AddrUsedBy(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\taddrs []*EdgeAddr\n\t\tmode ConfigIPVersion\n\t}{\n\t\t{\n\t\t\tname: \"IPv4 addresses with IPv4Only\",\n\t\t\taddrs: v4Addrs,\n\t\t\tmode: IPv4Only,\n\t\t},\n\t\t{\n\t\t\tname: \"IPv6 addresses with IPv6Only\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: IPv6Only,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\trs := makeRegions(tt.addrs, tt.mode)\n\t\t\taddr1 := rs.GetUnusedAddr(nil, 1)\n\t\t\tassert.Equal(t, addr1, rs.AddrUsedBy(1))\n\t\t\taddr2 := rs.GetUnusedAddr(nil, 2)\n\t\t\tassert.Equal(t, addr2, rs.AddrUsedBy(2))\n\t\t\taddr3 := rs.GetUnusedAddr(nil, 3)\n\t\t\tassert.Equal(t, addr3, rs.AddrUsedBy(3))\n\t\t})\n\t}\n}\n\nfunc TestRegions_Giveback_Region1(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\taddrs []*EdgeAddr\n\t\tmode ConfigIPVersion\n\t}{\n\t\t{\n\t\t\tname: \"IPv4 addresses with IPv4Only\",\n\t\t\taddrs: v4Addrs,\n\t\t\tmode: IPv4Only,\n\t\t},\n\t\t{\n\t\t\tname: \"IPv6 addresses with IPv6Only\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: IPv6Only,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\trs := makeRegions(tt.addrs, tt.mode)\n\t\t\taddr := rs.region1.AssignAnyAddress(0, nil)\n\t\t\trs.region1.AssignAnyAddress(1, nil)\n\t\t\trs.region2.AssignAnyAddress(2, nil)\n\t\t\trs.region2.AssignAnyAddress(3, nil)\n\n\t\t\tassert.Equal(t, 0, rs.AvailableAddrs())\n\n\t\t\trs.GiveBack(addr, false)\n\t\t\tassert.Equal(t, addr, rs.GetUnusedAddr(nil, 0))\n\t\t})\n\t}\n}\n\nfunc TestRegions_Giveback_Region2(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\taddrs []*EdgeAddr\n\t\tmode ConfigIPVersion\n\t}{\n\t\t{\n\t\t\tname: \"IPv4 addresses with IPv4Only\",\n\t\t\taddrs: v4Addrs,\n\t\t\tmode: IPv4Only,\n\t\t},\n\t\t{\n\t\t\tname: \"IPv6 addresses with IPv6Only\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: IPv6Only,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\trs := makeRegions(tt.addrs, tt.mode)\n\t\t\trs.region1.AssignAnyAddress(0, nil)\n\t\t\trs.region1.AssignAnyAddress(1, nil)\n\t\t\taddr := rs.region2.AssignAnyAddress(2, nil)\n\t\t\trs.region2.AssignAnyAddress(3, nil)\n\n\t\t\tassert.Equal(t, 0, rs.AvailableAddrs())\n\n\t\t\trs.GiveBack(addr, false)\n\t\t\tassert.Equal(t, addr, rs.GetUnusedAddr(nil, 2))\n\t\t})\n\t}\n}\n\nfunc TestRegions_GetUnusedAddr_OneAddrLeft(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\taddrs []*EdgeAddr\n\t\tmode ConfigIPVersion\n\t}{\n\t\t{\n\t\t\tname: \"IPv4 addresses with IPv4Only\",\n\t\t\taddrs: v4Addrs,\n\t\t\tmode: IPv4Only,\n\t\t},\n\t\t{\n\t\t\tname: \"IPv6 addresses with IPv6Only\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: IPv6Only,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\trs := makeRegions(tt.addrs, tt.mode)\n\t\t\trs.region1.AssignAnyAddress(0, nil)\n\t\t\trs.region1.AssignAnyAddress(1, nil)\n\t\t\trs.region2.AssignAnyAddress(2, nil)\n\t\t\taddr := rs.region2.active.GetUnusedIP(nil)\n\n\t\t\tassert.Equal(t, 1, rs.AvailableAddrs())\n\t\t\tassert.Equal(t, addr, rs.GetUnusedAddr(nil, 3))\n\t\t})\n\t}\n}\n\nfunc TestRegions_GetUnusedAddr_Excluding_Region1(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\taddrs []*EdgeAddr\n\t\tmode ConfigIPVersion\n\t}{\n\t\t{\n\t\t\tname: \"IPv4 addresses with IPv4Only\",\n\t\t\taddrs: v4Addrs,\n\t\t\tmode: IPv4Only,\n\t\t},\n\t\t{\n\t\t\tname: \"IPv6 addresses with IPv6Only\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: IPv6Only,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\trs := makeRegions(tt.addrs, tt.mode)\n\n\t\t\trs.region1.AssignAnyAddress(0, nil)\n\t\t\trs.region1.AssignAnyAddress(1, nil)\n\t\t\taddr := rs.region2.active.GetUnusedIP(nil)\n\t\t\ta2 := rs.region2.active.GetUnusedIP(addr)\n\n\t\t\tassert.Equal(t, 2, rs.AvailableAddrs())\n\t\t\tassert.Equal(t, addr, rs.GetUnusedAddr(a2, 3))\n\t\t})\n\t}\n}\n\nfunc TestRegions_GetUnusedAddr_Excluding_Region2(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\taddrs []*EdgeAddr\n\t\tmode ConfigIPVersion\n\t}{\n\t\t{\n\t\t\tname: \"IPv4 addresses with IPv4Only\",\n\t\t\taddrs: v4Addrs,\n\t\t\tmode: IPv4Only,\n\t\t},\n\t\t{\n\t\t\tname: \"IPv6 addresses with IPv6Only\",\n\t\t\taddrs: v6Addrs,\n\t\t\tmode: IPv6Only,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\trs := makeRegions(tt.addrs, tt.mode)\n\n\t\t\trs.region2.AssignAnyAddress(0, nil)\n\t\t\trs.region2.AssignAnyAddress(1, nil)\n\t\t\taddr := rs.region1.active.GetUnusedIP(nil)\n\t\t\ta2 := rs.region1.active.GetUnusedIP(addr)\n\n\t\t\tassert.Equal(t, 2, rs.AvailableAddrs())\n\t\t\tassert.Equal(t, addr, rs.GetUnusedAddr(a2, 1))\n\t\t})\n\t}\n}\n\nfunc TestNewNoResolveBalancesRegions(t *testing.T) {\n\ttype args struct {\n\t\taddrs []*EdgeAddr\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t}{\n\t\t{\n\t\t\tname: \"one address\",\n\t\t\targs: args{addrs: []*EdgeAddr{&addr0}},\n\t\t},\n\t\t{\n\t\t\tname: \"two addresses\",\n\t\t\targs: args{addrs: []*EdgeAddr{&addr0, &addr1}},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tregions := NewNoResolve(tt.args.addrs)\n\t\t\tRegionsIsBalanced(t, regions)\n\t\t})\n\t}\n}\n\nfunc TestGetRegionalServiceName(t *testing.T) {\n\t// Empty region should just go to origintunneld\n\tglobalServiceName := getRegionalServiceName(\"\")\n\tassert.Equal(t, srvService, globalServiceName)\n\n\t// Non-empty region should go to the regional origintunneld variant\n\tfor _, region := range []string{\"us\", \"pt\", \"am\"} {\n\t\tregionalServiceName := getRegionalServiceName(region)\n\t\tassert.Equal(t, region+\"-\"+srvService, regionalServiceName)\n\t}\n}\n\nfunc RegionsIsBalanced(t *testing.T, rs *Regions) {\n\tdelta := rs.region1.AvailableAddrs() - rs.region2.AvailableAddrs()\n\tassert.True(t, abs(delta) <= 1)\n}\n\nfunc abs(x int) int {\n\tif x >= 0 {\n\t\treturn x\n\t}\n\treturn -x\n}\n" }, { "path": "edgediscovery/allregions/usedby.go", "content": "package allregions\n\ntype UsedBy struct {\n\tConnID int\n\tUsed bool\n}\n\nfunc InUse(connID int) UsedBy {\n\treturn UsedBy{ConnID: connID, Used: true}\n}\n\nfunc Unused() UsedBy {\n\treturn UsedBy{}\n}\n" }, { "path": "edgediscovery/dial.go", "content": "package edgediscovery\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/pkg/errors\"\n)\n\n// DialEdge makes a TLS connection to a Cloudflare edge node\nfunc DialEdge(\n\tctx context.Context,\n\ttimeout time.Duration,\n\ttlsConfig *tls.Config,\n\tedgeTCPAddr *net.TCPAddr,\n\tlocalIP net.IP,\n) (net.Conn, error) {\n\t// Inherit from parent context so we can cancel (Ctrl-C) while dialing\n\tdialCtx, dialCancel := context.WithTimeout(ctx, timeout)\n\tdefer dialCancel()\n\n\tdialer := net.Dialer{}\n\tif localIP != nil {\n\t\tdialer.LocalAddr = &net.TCPAddr{IP: localIP, Port: 0}\n\t}\n\tedgeConn, err := dialer.DialContext(dialCtx, \"tcp\", edgeTCPAddr.String())\n\tif err != nil {\n\t\treturn nil, newDialError(err, \"DialContext error\")\n\t}\n\n\ttlsEdgeConn := tls.Client(edgeConn, tlsConfig)\n\ttlsEdgeConn.SetDeadline(time.Now().Add(timeout))\n\n\tif err = tlsEdgeConn.Handshake(); err != nil {\n\t\treturn nil, newDialError(err, \"TLS handshake with edge error\")\n\t}\n\t// clear the deadline on the conn; http2 has its own timeouts\n\ttlsEdgeConn.SetDeadline(time.Time{})\n\treturn tlsEdgeConn, nil\n}\n\n// DialError is an error returned from DialEdge\ntype DialError struct {\n\tcause error\n}\n\nfunc newDialError(err error, message string) error {\n\treturn DialError{cause: errors.Wrap(err, message)}\n}\n\nfunc (e DialError) Error() string {\n\treturn e.cause.Error()\n}\n\nfunc (e DialError) Cause() error {\n\treturn e.cause\n}\n" }, { "path": "edgediscovery/edgediscovery.go", "content": "package edgediscovery\n\nimport (\n\t\"sync\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/edgediscovery/allregions\"\n\t\"github.com/cloudflare/cloudflared/management\"\n)\n\nconst (\n\tLogFieldConnIndex = \"connIndex\"\n\tLogFieldIPAddress = \"ip\"\n)\n\nvar errNoAddressesLeft = ErrNoAddressesLeft{}\n\ntype ErrNoAddressesLeft struct{}\n\nfunc (e ErrNoAddressesLeft) Error() string {\n\treturn \"there are no free edge addresses left to resolve to\"\n}\n\n// Edge finds addresses on the Cloudflare edge and hands them out to connections.\ntype Edge struct {\n\tregions *allregions.Regions\n\tsync.Mutex\n\tlog *zerolog.Logger\n}\n\n// ------------------------------------\n// Constructors\n// ------------------------------------\n\n// ResolveEdge runs the initial discovery of the Cloudflare edge, finding Addrs that can be allocated\n// to connections.\nfunc ResolveEdge(log *zerolog.Logger, region string, edgeIpVersion allregions.ConfigIPVersion) (*Edge, error) {\n\tregions, err := allregions.ResolveEdge(log, region, edgeIpVersion)\n\tif err != nil {\n\t\treturn new(Edge), err\n\t}\n\treturn &Edge{\n\t\tlog: log,\n\t\tregions: regions,\n\t}, nil\n}\n\n// StaticEdge creates a list of edge addresses from the list of hostnames. Mainly used for testing connectivity.\nfunc StaticEdge(log *zerolog.Logger, hostnames []string) (*Edge, error) {\n\tregions, err := allregions.StaticEdge(hostnames, log)\n\tif err != nil {\n\t\treturn new(Edge), err\n\t}\n\treturn &Edge{\n\t\tlog: log,\n\t\tregions: regions,\n\t}, nil\n}\n\n// ------------------------------------\n// Methods\n// ------------------------------------\n\n// GetAddrForRPC gives this connection an edge Addr.\nfunc (ed *Edge) GetAddrForRPC() (*allregions.EdgeAddr, error) {\n\ted.Lock()\n\tdefer ed.Unlock()\n\taddr := ed.regions.GetAnyAddress()\n\tif addr == nil {\n\t\treturn nil, errNoAddressesLeft\n\t}\n\treturn addr, nil\n}\n\n// GetAddr gives this proxy connection an edge Addr. Prefer Addrs this connection has already used.\nfunc (ed *Edge) GetAddr(connIndex int) (*allregions.EdgeAddr, error) {\n\tlog := ed.log.With().\n\t\tInt(LogFieldConnIndex, connIndex).\n\t\tInt(management.EventTypeKey, int(management.Cloudflared)).\n\t\tLogger()\n\ted.Lock()\n\tdefer ed.Unlock()\n\n\t// If this connection has already used an edge addr, return it.\n\tif addr := ed.regions.AddrUsedBy(connIndex); addr != nil {\n\t\tlog.Debug().IPAddr(LogFieldIPAddress, addr.UDP.IP).Msg(\"edge discovery: returning same edge address back to pool\")\n\t\treturn addr, nil\n\t}\n\n\t// Otherwise, give it an unused one\n\taddr := ed.regions.GetUnusedAddr(nil, connIndex)\n\tif addr == nil {\n\t\tlog.Debug().Msg(\"edge discovery: no addresses left in pool to give proxy connection\")\n\t\treturn nil, errNoAddressesLeft\n\t}\n\tlog.Debug().IPAddr(LogFieldIPAddress, addr.UDP.IP).Msg(\"edge discovery: giving new address to connection\")\n\treturn addr, nil\n}\n\n// GetDifferentAddr gives back the proxy connection's edge Addr and uses a new one.\nfunc (ed *Edge) GetDifferentAddr(connIndex int, hasConnectivityError bool) (*allregions.EdgeAddr, error) {\n\tlog := ed.log.With().\n\t\tInt(LogFieldConnIndex, connIndex).\n\t\tInt(management.EventTypeKey, int(management.Cloudflared)).\n\t\tLogger()\n\ted.Lock()\n\tdefer ed.Unlock()\n\n\toldAddr := ed.regions.AddrUsedBy(connIndex)\n\tif oldAddr != nil {\n\t\ted.regions.GiveBack(oldAddr, hasConnectivityError)\n\t}\n\taddr := ed.regions.GetUnusedAddr(oldAddr, connIndex)\n\tif addr == nil {\n\t\tlog.Debug().Msg(\"edge discovery: no addresses left in pool to give proxy connection\")\n\t\t// note: if oldAddr were not nil, it will become available on the next iteration\n\t\treturn nil, errNoAddressesLeft\n\t}\n\tlog.Debug().\n\t\tIPAddr(LogFieldIPAddress, addr.UDP.IP).\n\t\tInt(\"available\", ed.regions.AvailableAddrs()).\n\t\tMsg(\"edge discovery: giving new address to connection\")\n\treturn addr, nil\n}\n\n// AvailableAddrs returns how many unused addresses there are left.\nfunc (ed *Edge) AvailableAddrs() int {\n\ted.Lock()\n\tdefer ed.Unlock()\n\treturn ed.regions.AvailableAddrs()\n}\n\n// GiveBack the address so that other connections can use it.\n// Returns true if the address is in this edge.\nfunc (ed *Edge) GiveBack(addr *allregions.EdgeAddr, hasConnectivityError bool) bool {\n\ted.Lock()\n\tdefer ed.Unlock()\n\ted.log.Debug().\n\t\tInt(management.EventTypeKey, int(management.Cloudflared)).\n\t\tIPAddr(LogFieldIPAddress, addr.UDP.IP).\n\t\tMsg(\"edge discovery: gave back address to the pool\")\n\treturn ed.regions.GiveBack(addr, hasConnectivityError)\n}\n" }, { "path": "edgediscovery/edgediscovery_test.go", "content": "package edgediscovery\n\nimport (\n\t\"net\"\n\t\"testing\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\n\t\"github.com/cloudflare/cloudflared/edgediscovery/allregions\"\n)\n\nvar (\n\ttestLogger = zerolog.Nop()\n\tv4Addrs = []*allregions.EdgeAddr{&addr0, &addr1, &addr2, &addr3}\n\tv6Addrs = []*allregions.EdgeAddr{&addr4, &addr5, &addr6, &addr7}\n\taddr0 = allregions.EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.0\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.0\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: allregions.V4,\n\t}\n\taddr1 = allregions.EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.1\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.1\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: allregions.V4,\n\t}\n\taddr2 = allregions.EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.2\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.2\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: allregions.V4,\n\t}\n\taddr3 = allregions.EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.3\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"123.4.5.3\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: allregions.V4,\n\t}\n\taddr4 = allregions.EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::1\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::1\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: allregions.V6,\n\t}\n\taddr5 = allregions.EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::2\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::2\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: allregions.V6,\n\t}\n\taddr6 = allregions.EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::3\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::3\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: allregions.V6,\n\t}\n\taddr7 = allregions.EdgeAddr{\n\t\tTCP: &net.TCPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::4\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tUDP: &net.UDPAddr{\n\t\t\tIP: net.ParseIP(\"2606:4700:a0::4\"),\n\t\t\tPort: 8000,\n\t\t\tZone: \"\",\n\t\t},\n\t\tIPVersion: allregions.V6,\n\t}\n)\n\nfunc TestGiveBack(t *testing.T) {\n\tedge := MockEdge(&testLogger, []*allregions.EdgeAddr{&addr0, &addr1, &addr2, &addr3})\n\n\t// Give this connection an address\n\tassert.Equal(t, 4, edge.AvailableAddrs())\n\tconst connID = 0\n\taddr, err := edge.GetAddr(connID)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, addr)\n\tassert.Equal(t, 3, edge.AvailableAddrs())\n\n\t// Get it back\n\tedge.GiveBack(addr, false)\n\tassert.Equal(t, 4, edge.AvailableAddrs())\n}\n\nfunc TestRPCAndProxyShareSingleEdgeIP(t *testing.T) {\n\t// Make an edge with a single IP\n\tedge := MockEdge(&testLogger, []*allregions.EdgeAddr{&addr0})\n\ttunnelConnID := 0\n\n\t// Use the IP for a tunnel\n\taddrTunnel, err := edge.GetAddr(tunnelConnID)\n\tassert.NoError(t, err)\n\n\t// Ensure the IP can be used for RPC too\n\taddrRPC, err := edge.GetAddrForRPC()\n\tassert.NoError(t, err)\n\tassert.Equal(t, addrTunnel, addrRPC)\n}\n\nfunc TestGetAddrForRPC(t *testing.T) {\n\tedge := MockEdge(&testLogger, []*allregions.EdgeAddr{&addr0, &addr1, &addr2, &addr3})\n\n\t// Get a connection\n\tassert.Equal(t, 4, edge.AvailableAddrs())\n\taddr, err := edge.GetAddrForRPC()\n\tassert.NoError(t, err)\n\tassert.NotNil(t, addr)\n\n\t// Using an address for RPC shouldn't consume it\n\tassert.Equal(t, 4, edge.AvailableAddrs())\n\n\t// Get it back\n\tedge.GiveBack(addr, false)\n\tassert.Equal(t, 4, edge.AvailableAddrs())\n}\n\nfunc TestOnePerRegion(t *testing.T) {\n\t// Make an edge with only one address\n\tedge := MockEdge(&testLogger, []*allregions.EdgeAddr{&addr0, &addr1})\n\n\t// Use the only address\n\tconst connID = 0\n\ta1, err := edge.GetAddr(connID)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, a1)\n\n\t// if the first address is bad, get the second one\n\ta2, err := edge.GetDifferentAddr(connID, false)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, a2)\n\tassert.NotEqual(t, a1, a2)\n\n\t// now that second one is bad, get the first one again\n\ta3, err := edge.GetDifferentAddr(connID, false)\n\tassert.NoError(t, err)\n\tassert.Equal(t, a1, a3)\n}\n\nfunc TestOnlyOneAddrLeft(t *testing.T) {\n\t// Make an edge with only one address\n\tedge := MockEdge(&testLogger, []*allregions.EdgeAddr{&addr0})\n\n\t// Use the only address\n\tconst connID = 0\n\taddr, err := edge.GetAddr(connID)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, addr)\n\n\t// If that edge address is \"bad\", there's no alternative address.\n\t_, err = edge.GetDifferentAddr(connID, false)\n\tassert.Error(t, err)\n\n\t// previously bad address should become available again on next iteration.\n\taddr, err = edge.GetDifferentAddr(connID, false)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, addr)\n}\n\nfunc TestNoAddrsLeft(t *testing.T) {\n\t// Make an edge with no addresses\n\tedge := MockEdge(&testLogger, []*allregions.EdgeAddr{})\n\n\t_, err := edge.GetAddr(2)\n\tassert.Error(t, err)\n\t_, err = edge.GetAddrForRPC()\n\tassert.Error(t, err)\n}\n\nfunc TestGetAddr(t *testing.T) {\n\tedge := MockEdge(&testLogger, []*allregions.EdgeAddr{&addr0, &addr1, &addr2, &addr3})\n\n\t// Give this connection an address\n\tconst connID = 0\n\taddr, err := edge.GetAddr(connID)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, addr)\n\n\t// If the same connection requests another address, it should get the same one.\n\taddr2, err := edge.GetAddr(connID)\n\tassert.NoError(t, err)\n\tassert.Equal(t, addr, addr2)\n}\n\nfunc TestGetDifferentAddr(t *testing.T) {\n\tedge := MockEdge(&testLogger, []*allregions.EdgeAddr{&addr0, &addr1, &addr2, &addr3})\n\n\t// Give this connection an address\n\tassert.Equal(t, 4, edge.AvailableAddrs())\n\tconst connID = 0\n\taddr, err := edge.GetAddr(connID)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, addr)\n\tassert.Equal(t, 3, edge.AvailableAddrs())\n\n\t// If the same connection requests another address, it should get the same one.\n\taddr2, err := edge.GetDifferentAddr(connID, false)\n\tassert.NoError(t, err)\n\tassert.NotEqual(t, addr, addr2)\n\tassert.Equal(t, 3, edge.AvailableAddrs())\n}\n\n// MockEdge creates a Cloudflare Edge from arbitrary TCP addresses. Used for testing.\nfunc MockEdge(log *zerolog.Logger, addrs []*allregions.EdgeAddr) *Edge {\n\tregions := allregions.NewNoResolve(addrs)\n\treturn &Edge{\n\t\tlog: log,\n\t\tregions: regions,\n\t}\n}\n" }, { "path": "edgediscovery/mocks_for_test.go", "content": "package edgediscovery\n\nimport (\n\t\"fmt\"\n\t\"math\"\n\t\"math/rand\"\n\t\"net\"\n\t\"reflect\"\n\t\"testing/quick\"\n)\n\ntype mockAddrs struct {\n\t// a set of synthetic SRV records\n\taddrMap map[net.SRV][]*net.TCPAddr\n\t// the total number of addresses, aggregated across addrMap.\n\t// For the convenience of test code that would otherwise have to compute\n\t// this by hand every time.\n\tnumAddrs int\n}\n\nfunc newMockAddrs(port uint16, numRegions uint8, numAddrsPerRegion uint8) mockAddrs {\n\taddrMap := make(map[net.SRV][]*net.TCPAddr)\n\tnumAddrs := 0\n\n\tfor r := uint8(0); r < numRegions; r++ {\n\t\tvar (\n\t\t\tsrv = net.SRV{Target: fmt.Sprintf(\"test-region-%v.example.com\", r), Port: port}\n\t\t\taddrs []*net.TCPAddr\n\t\t)\n\t\tfor a := uint8(0); a < numAddrsPerRegion; a++ {\n\t\t\taddrs = append(addrs, &net.TCPAddr{\n\t\t\t\tIP: net.ParseIP(fmt.Sprintf(\"10.0.%v.%v\", r, a)),\n\t\t\t\tPort: int(port),\n\t\t\t})\n\t\t}\n\t\taddrMap[srv] = addrs\n\t\tnumAddrs += len(addrs)\n\t}\n\treturn mockAddrs{addrMap: addrMap, numAddrs: numAddrs}\n}\n\nvar _ quick.Generator = mockAddrs{}\n\nfunc (mockAddrs) Generate(rand *rand.Rand, size int) reflect.Value {\n\tport := uint16(rand.Intn(math.MaxUint16))\n\tnumRegions := uint8(1 + rand.Intn(10))\n\tnumAddrsPerRegion := uint8(1 + rand.Intn(32))\n\tresult := newMockAddrs(port, numRegions, numAddrsPerRegion)\n\treturn reflect.ValueOf(result)\n}\n\n// Returns a function compatible with net.LookupSRV that will return the SRV\n// records from mockAddrs.\nfunc mockNetLookupSRV(\n\tm mockAddrs,\n) func(service, proto, name string) (cname string, addrs []*net.SRV, err error) {\n\tvar addrs []*net.SRV\n\tfor k := range m.addrMap {\n\t\taddr := k\n\t\taddrs = append(addrs, &addr)\n\t\t// We can't just do\n\t\t// addrs = append(addrs, &k)\n\t\t// `k` will be reused by subsequent loop iterations,\n\t\t// so all the copies of `&k` would point to the same location.\n\t}\n\treturn func(_, _, _ string) (string, []*net.SRV, error) {\n\t\treturn \"\", addrs, nil\n\t}\n}\n\n// Returns a function compatible with net.LookupIP that translates the SRV records\n// from mockAddrs into IP addresses, based on the TCP addresses in mockAddrs.\nfunc mockNetLookupIP(\n\tm mockAddrs,\n) func(host string) ([]net.IP, error) {\n\treturn func(host string) ([]net.IP, error) {\n\t\tfor srv, tcpAddrs := range m.addrMap {\n\t\t\tif srv.Target != host {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tresult := make([]net.IP, len(tcpAddrs))\n\t\t\tfor i, tcpAddr := range tcpAddrs {\n\t\t\t\tresult[i] = tcpAddr.IP\n\t\t\t}\n\t\t\treturn result, nil\n\t\t}\n\t\treturn nil, fmt.Errorf(\"No IPs for %v\", host)\n\t}\n}\n\ntype mockEdgeServiceDiscoverer struct {\n}\n\nfunc (mr *mockEdgeServiceDiscoverer) Addr() (*net.TCPAddr, error) {\n\treturn &net.TCPAddr{\n\t\tIP: net.ParseIP(\"127.0.0.1\"),\n\t\tPort: 63102,\n\t}, nil\n}\n\nfunc (mr *mockEdgeServiceDiscoverer) AnyAddr() (*net.TCPAddr, error) {\n\treturn &net.TCPAddr{\n\t\tIP: net.ParseIP(\"127.0.0.1\"),\n\t\tPort: 63102,\n\t}, nil\n}\n\nfunc (mr *mockEdgeServiceDiscoverer) ReplaceAddr(addr *net.TCPAddr) {}\n\nfunc (mr *mockEdgeServiceDiscoverer) MarkAddrBad(addr *net.TCPAddr) {}\n\nfunc (mr *mockEdgeServiceDiscoverer) AvailableAddrs() int {\n\treturn 1\n}\n\nfunc (mr *mockEdgeServiceDiscoverer) Refresh() error {\n\treturn nil\n}\n" }, { "path": "edgediscovery/protocol.go", "content": "package edgediscovery\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net\"\n\t\"strings\"\n)\n\nconst (\n\tprotocolRecord = \"protocol-v2.argotunnel.com\"\n)\n\nvar (\n\terrNoProtocolRecord = fmt.Errorf(\"No TXT record found for %s to determine connection protocol\", protocolRecord)\n)\n\ntype PercentageFetcher func() (ProtocolPercents, error)\n\n// ProtocolPercent represents a single Protocol Percentage combination.\ntype ProtocolPercent struct {\n\tProtocol string `json:\"protocol\"`\n\tPercentage int32 `json:\"percentage\"`\n}\n\n// ProtocolPercents represents the preferred distribution ratio of protocols when protocol isn't specified.\ntype ProtocolPercents []ProtocolPercent\n\n// GetPercentage returns the threshold percentage of a single protocol.\nfunc (p ProtocolPercents) GetPercentage(protocol string) int32 {\n\tfor _, protocolPercent := range p {\n\t\tif strings.ToLower(protocolPercent.Protocol) == strings.ToLower(protocol) {\n\t\t\treturn protocolPercent.Percentage\n\t\t}\n\t}\n\treturn 0\n}\n\n// ProtocolPercentage returns the ratio of protocols and a specification ratio for their selection.\nfunc ProtocolPercentage() (ProtocolPercents, error) {\n\trecords, err := net.LookupTXT(protocolRecord)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif len(records) == 0 {\n\t\treturn nil, errNoProtocolRecord\n\t}\n\n\tvar protocolsWithPercent ProtocolPercents\n\terr = json.Unmarshal([]byte(records[0]), &protocolsWithPercent)\n\treturn protocolsWithPercent, err\n}\n" }, { "path": "edgediscovery/protocol_test.go", "content": "package edgediscovery\n\nimport (\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestProtocolPercentage(t *testing.T) {\n\t_, err := ProtocolPercentage()\n\tassert.NoError(t, err)\n}\n" }, { "path": "features/features.go", "content": "package features\n\nimport \"slices\"\n\nconst (\n\tFeatureSerializedHeaders = \"serialized_headers\"\n\tFeatureQuickReconnects = \"quick_reconnects\"\n\tFeatureAllowRemoteConfig = \"allow_remote_config\"\n\tFeatureDatagramV2 = \"support_datagram_v2\"\n\tFeaturePostQuantum = \"postquantum\"\n\tFeatureQUICSupportEOF = \"support_quic_eof\"\n\tFeatureManagementLogs = \"management_logs\"\n\tFeatureDatagramV3_2 = \"support_datagram_v3_2\"\n\n\tDeprecatedFeatureDatagramV3 = \"support_datagram_v3\" // Deprecated: TUN-9291\n\tDeprecatedFeatureDatagramV3_1 = \"support_datagram_v3_1\" // Deprecated: TUN-9883\n)\n\nvar defaultFeatures = []string{\n\tFeatureAllowRemoteConfig,\n\tFeatureSerializedHeaders,\n\tFeatureDatagramV2,\n\tFeatureQUICSupportEOF,\n\tFeatureManagementLogs,\n}\n\n// List of features that are no longer in-use.\nvar deprecatedFeatures = []string{\n\tDeprecatedFeatureDatagramV3,\n\tDeprecatedFeatureDatagramV3_1,\n}\n\n// Features set by user provided flags\ntype staticFeatures struct {\n\tPostQuantumMode *PostQuantumMode\n}\n\ntype FeatureSnapshot struct {\n\tPostQuantum PostQuantumMode\n\tDatagramVersion DatagramVersion\n\n\t// We provide the list of features since we need it to send in the ConnectionOptions during connection\n\t// registrations.\n\tFeaturesList []string\n}\n\ntype PostQuantumMode uint8\n\nconst (\n\t// Prefer post quantum, but fallback if connection cannot be established\n\tPostQuantumPrefer PostQuantumMode = iota\n\t// If the user passes the --post-quantum flag, we override\n\t// CurvePreferences to only support hybrid post-quantum key agreements.\n\tPostQuantumStrict\n)\n\ntype DatagramVersion string\n\nconst (\n\t// DatagramV2 is the currently supported datagram protocol for UDP and ICMP packets\n\tDatagramV2 DatagramVersion = FeatureDatagramV2\n\t// DatagramV3 is a new datagram protocol for UDP and ICMP packets. It is not backwards compatible with datagram v2.\n\tDatagramV3 DatagramVersion = FeatureDatagramV3_2\n)\n\n// Remove any duplicate features from the list and remove deprecated features\nfunc dedupAndRemoveFeatures(features []string) []string {\n\t// Convert the slice into a set\n\tset := map[string]bool{}\n\tfor _, feature := range features {\n\t\t// Remove deprecated features from the provided list\n\t\tif slices.Contains(deprecatedFeatures, feature) {\n\t\t\tcontinue\n\t\t}\n\t\tset[feature] = true\n\t}\n\n\t// Convert the set back into a slice\n\tkeys := make([]string, len(set))\n\ti := 0\n\tfor str := range set {\n\t\tkeys[i] = str\n\t\ti++\n\t}\n\treturn keys\n}\n" }, { "path": "features/selector.go", "content": "package features\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"hash/fnv\"\n\t\"net\"\n\t\"slices\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n)\n\nconst (\n\tfeatureSelectorHostname = \"cfd-features.argotunnel.com\"\n\tlookupTimeout = time.Second * 10\n\tdefaultLookupFreq = time.Hour\n)\n\n// If the TXT record adds other fields, the umarshal logic will ignore those keys\n// If the TXT record is missing a key, the field will unmarshal to the default Go value\n\ntype featuresRecord struct {\n\tDatagramV3Percentage uint32 `json:\"dv3_2\"`\n\n\t// DatagramV3Percentage int32 `json:\"dv3\"` // Removed in TUN-9291\n\t// DatagramV3Percentage uint32 `json:\"dv3_1\"` // Removed in TUN-9883\n\t// PostQuantumPercentage int32 `json:\"pq\"` // Removed in TUN-7970\n}\n\nfunc NewFeatureSelector(ctx context.Context, accountTag string, cliFeatures []string, pq bool, logger *zerolog.Logger) (FeatureSelector, error) {\n\treturn newFeatureSelector(ctx, accountTag, logger, newDNSResolver(), cliFeatures, pq, defaultLookupFreq)\n}\n\ntype FeatureSelector interface {\n\tSnapshot() FeatureSnapshot\n}\n\n// FeatureSelector determines if this account will try new features; loaded once during startup.\ntype featureSelector struct {\n\taccountHash uint32\n\tlogger *zerolog.Logger\n\tresolver resolver\n\n\tstaticFeatures staticFeatures\n\tcliFeatures []string\n\n\t// lock protects concurrent access to dynamic features\n\tlock sync.RWMutex\n\tremoteFeatures featuresRecord\n}\n\nfunc newFeatureSelector(ctx context.Context, accountTag string, logger *zerolog.Logger, resolver resolver, cliFeatures []string, pq bool, refreshFreq time.Duration) (*featureSelector, error) {\n\t// Combine default features and user-provided features\n\tvar pqMode *PostQuantumMode\n\tif pq {\n\t\tmode := PostQuantumStrict\n\t\tpqMode = &mode\n\t\tcliFeatures = append(cliFeatures, FeaturePostQuantum)\n\t}\n\tstaticFeatures := staticFeatures{\n\t\tPostQuantumMode: pqMode,\n\t}\n\tselector := &featureSelector{\n\t\taccountHash: switchThreshold(accountTag),\n\t\tlogger: logger,\n\t\tresolver: resolver,\n\t\tstaticFeatures: staticFeatures,\n\t\tcliFeatures: dedupAndRemoveFeatures(cliFeatures),\n\t}\n\n\t// Load the remote features\n\tif err := selector.refresh(ctx); err != nil {\n\t\tlogger.Err(err).Msg(\"Failed to fetch features, default to disable\")\n\t}\n\n\t// Spin off reloading routine\n\tgo selector.refreshLoop(ctx, refreshFreq)\n\n\treturn selector, nil\n}\n\nfunc (fs *featureSelector) Snapshot() FeatureSnapshot {\n\tfs.lock.RLock()\n\tdefer fs.lock.RUnlock()\n\treturn FeatureSnapshot{\n\t\tPostQuantum: fs.postQuantumMode(),\n\t\tDatagramVersion: fs.datagramVersion(),\n\t\tFeaturesList: fs.clientFeatures(),\n\t}\n}\n\nfunc (fs *featureSelector) accountEnabled(percentage uint32) bool {\n\treturn percentage > fs.accountHash\n}\n\nfunc (fs *featureSelector) postQuantumMode() PostQuantumMode {\n\tif fs.staticFeatures.PostQuantumMode != nil {\n\t\treturn *fs.staticFeatures.PostQuantumMode\n\t}\n\n\treturn PostQuantumPrefer\n}\n\nfunc (fs *featureSelector) datagramVersion() DatagramVersion {\n\t// If user provides the feature via the cli, we take it as priority over remote feature evaluation\n\tif slices.Contains(fs.cliFeatures, FeatureDatagramV3_2) {\n\t\treturn DatagramV3\n\t}\n\t// If the user specifies DatagramV2, we also take that over remote\n\tif slices.Contains(fs.cliFeatures, FeatureDatagramV2) {\n\t\treturn DatagramV2\n\t}\n\n\tif fs.accountEnabled(fs.remoteFeatures.DatagramV3Percentage) {\n\t\treturn DatagramV3\n\t}\n\n\treturn DatagramV2\n}\n\n// clientFeatures will return the list of currently available features that cloudflared should provide to the edge.\nfunc (fs *featureSelector) clientFeatures() []string {\n\t// Evaluate any remote features along with static feature list to construct the list of features\n\treturn dedupAndRemoveFeatures(slices.Concat(defaultFeatures, fs.cliFeatures, []string{string(fs.datagramVersion())}))\n}\n\nfunc (fs *featureSelector) refresh(ctx context.Context) error {\n\trecord, err := fs.resolver.lookupRecord(ctx)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tvar features featuresRecord\n\tif err := json.Unmarshal(record, &features); err != nil {\n\t\treturn err\n\t}\n\n\tfs.lock.Lock()\n\tdefer fs.lock.Unlock()\n\n\tfs.remoteFeatures = features\n\n\treturn nil\n}\n\nfunc (fs *featureSelector) refreshLoop(ctx context.Context, refreshFreq time.Duration) {\n\tticker := time.NewTicker(refreshFreq)\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\treturn\n\t\tcase <-ticker.C:\n\t\t\terr := fs.refresh(ctx)\n\t\t\tif err != nil {\n\t\t\t\tfs.logger.Err(err).Msg(\"Failed to refresh feature selector\")\n\t\t\t}\n\t\t}\n\t}\n}\n\n// resolver represents an object that can look up featuresRecord\ntype resolver interface {\n\tlookupRecord(ctx context.Context) ([]byte, error)\n}\n\ntype dnsResolver struct {\n\tresolver *net.Resolver\n}\n\nfunc newDNSResolver() *dnsResolver {\n\treturn &dnsResolver{\n\t\tresolver: net.DefaultResolver,\n\t}\n}\n\nfunc (dr *dnsResolver) lookupRecord(ctx context.Context) ([]byte, error) {\n\tctx, cancel := context.WithTimeout(ctx, lookupTimeout)\n\tdefer cancel()\n\n\trecords, err := dr.resolver.LookupTXT(ctx, featureSelectorHostname)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif len(records) == 0 {\n\t\treturn nil, fmt.Errorf(\"No TXT record found for %s to determine which features to opt-in\", featureSelectorHostname)\n\t}\n\n\treturn []byte(records[0]), nil\n}\n\nfunc switchThreshold(accountTag string) uint32 {\n\th := fnv.New32a()\n\t_, _ = h.Write([]byte(accountTag))\n\treturn h.Sum32() % 100\n}\n" }, { "path": "features/selector_test.go", "content": "package features\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nconst (\n\ttestAccountTag = \"123456\"\n\ttestAccountHash = 74 // switchThreshold of `accountTag`\n)\n\nfunc TestUnmarshalFeaturesRecord(t *testing.T) {\n\ttests := []struct {\n\t\trecord []byte\n\t\texpectedPercentage uint32\n\t}{\n\t\t{\n\t\t\trecord: []byte(`{\"dv3_2\":0}`),\n\t\t\texpectedPercentage: 0,\n\t\t},\n\t\t{\n\t\t\trecord: []byte(`{\"dv3_2\":39}`),\n\t\t\texpectedPercentage: 39,\n\t\t},\n\t\t{\n\t\t\trecord: []byte(`{\"dv3_2\":100}`),\n\t\t\texpectedPercentage: 100,\n\t\t},\n\t\t{\n\t\t\trecord: []byte(`{}`), // Unmarshal to default struct if key is not present\n\t\t},\n\t\t{\n\t\t\trecord: []byte(`{\"kyber\":768}`), // Unmarshal to default struct if key is not present\n\t\t},\n\t\t{\n\t\t\trecord: []byte(`{\"pq\": 101,\"dv3\":100,\"dv3_1\":100}`), // Expired keys don't unmarshal to anything\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tvar features featuresRecord\n\t\terr := json.Unmarshal(test.record, &features)\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, test.expectedPercentage, features.DatagramV3Percentage, test)\n\t}\n}\n\nfunc TestFeaturePrecedenceEvaluationPostQuantum(t *testing.T) {\n\tlogger := zerolog.Nop()\n\ttests := []struct {\n\t\tname string\n\t\tcli bool\n\t\texpectedFeatures []string\n\t\texpectedVersion PostQuantumMode\n\t}{\n\t\t{\n\t\t\tname: \"default\",\n\t\t\tcli: false,\n\t\t\texpectedFeatures: defaultFeatures,\n\t\t\texpectedVersion: PostQuantumPrefer,\n\t\t},\n\t\t{\n\t\t\tname: \"user_specified\",\n\t\t\tcli: true,\n\t\t\texpectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeaturePostQuantum)),\n\t\t\texpectedVersion: PostQuantumStrict,\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tresolver := &staticResolver{record: featuresRecord{}}\n\t\t\tselector, err := newFeatureSelector(t.Context(), test.name, &logger, resolver, []string{}, test.cli, time.Second)\n\t\t\trequire.NoError(t, err)\n\t\t\tsnapshot := selector.Snapshot()\n\t\t\trequire.ElementsMatch(t, test.expectedFeatures, snapshot.FeaturesList)\n\t\t\trequire.Equal(t, test.expectedVersion, snapshot.PostQuantum)\n\t\t})\n\t}\n}\n\nfunc TestFeaturePrecedenceEvaluationDatagramVersion(t *testing.T) {\n\tlogger := zerolog.Nop()\n\ttests := []struct {\n\t\tname string\n\t\tcli []string\n\t\tremote featuresRecord\n\t\texpectedFeatures []string\n\t\texpectedVersion DatagramVersion\n\t}{\n\t\t{\n\t\t\tname: \"default\",\n\t\t\tcli: []string{},\n\t\t\tremote: featuresRecord{},\n\t\t\texpectedFeatures: defaultFeatures,\n\t\t\texpectedVersion: DatagramV2,\n\t\t},\n\t\t{\n\t\t\tname: \"user_specified_v2\",\n\t\t\tcli: []string{FeatureDatagramV2},\n\t\t\tremote: featuresRecord{},\n\t\t\texpectedFeatures: defaultFeatures,\n\t\t\texpectedVersion: DatagramV2,\n\t\t},\n\t\t{\n\t\t\tname: \"user_specified_v3\",\n\t\t\tcli: []string{FeatureDatagramV3_2},\n\t\t\tremote: featuresRecord{},\n\t\t\texpectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_2)),\n\t\t\texpectedVersion: FeatureDatagramV3_2,\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tresolver := &staticResolver{record: test.remote}\n\t\t\tselector, err := newFeatureSelector(t.Context(), test.name, &logger, resolver, test.cli, false, time.Second)\n\t\t\trequire.NoError(t, err)\n\t\t\tsnapshot := selector.Snapshot()\n\t\t\trequire.ElementsMatch(t, test.expectedFeatures, snapshot.FeaturesList)\n\t\t\trequire.Equal(t, test.expectedVersion, snapshot.DatagramVersion)\n\t\t})\n\t}\n}\n\nfunc TestDeprecatedFeaturesRemoved(t *testing.T) {\n\tlogger := zerolog.Nop()\n\ttests := []struct {\n\t\tname string\n\t\tcli []string\n\t\tremote featuresRecord\n\t\texpectedFeatures []string\n\t}{\n\t\t{\n\t\t\tname: \"no_removals\",\n\t\t\tcli: []string{},\n\t\t\tremote: featuresRecord{},\n\t\t\texpectedFeatures: defaultFeatures,\n\t\t},\n\t\t{\n\t\t\tname: \"support_datagram_v3\",\n\t\t\tcli: []string{DeprecatedFeatureDatagramV3},\n\t\t\tremote: featuresRecord{},\n\t\t\texpectedFeatures: defaultFeatures,\n\t\t},\n\t\t{\n\t\t\tname: \"support_datagram_v3_1\",\n\t\t\tcli: []string{DeprecatedFeatureDatagramV3_1},\n\t\t\tremote: featuresRecord{},\n\t\t\texpectedFeatures: defaultFeatures,\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tresolver := &staticResolver{record: test.remote}\n\t\t\tselector, err := newFeatureSelector(t.Context(), test.name, &logger, resolver, test.cli, false, time.Second)\n\t\t\trequire.NoError(t, err)\n\t\t\tsnapshot := selector.Snapshot()\n\t\t\trequire.ElementsMatch(t, test.expectedFeatures, snapshot.FeaturesList)\n\t\t})\n\t}\n}\n\nfunc TestRefreshFeaturesRecord(t *testing.T) {\n\tpercentages := []uint32{0, 10, testAccountHash - 1, testAccountHash, testAccountHash + 1, 100, 101, 1000}\n\tselector := newTestSelector(t, percentages, false, time.Minute)\n\n\t// Starting out should default to DatagramV2\n\tsnapshot := selector.Snapshot()\n\trequire.Equal(t, DatagramV2, snapshot.DatagramVersion)\n\n\tfor _, percentage := range percentages {\n\t\tsnapshot = selector.Snapshot()\n\t\tif percentage > testAccountHash {\n\t\t\trequire.Equal(t, DatagramV3, snapshot.DatagramVersion)\n\t\t} else {\n\t\t\trequire.Equal(t, DatagramV2, snapshot.DatagramVersion)\n\t\t}\n\n\t\t// Manually progress the next refresh\n\t\t_ = selector.refresh(t.Context())\n\t}\n\n\t// Make sure a resolver error doesn't override the last fetched features\n\tsnapshot = selector.Snapshot()\n\trequire.Equal(t, DatagramV3, snapshot.DatagramVersion)\n}\n\nfunc TestSnapshotIsolation(t *testing.T) {\n\tpercentages := []uint32{testAccountHash, testAccountHash + 1}\n\tselector := newTestSelector(t, percentages, false, time.Minute)\n\n\t// Starting out should default to DatagramV2\n\tsnapshot := selector.Snapshot()\n\trequire.Equal(t, DatagramV2, snapshot.DatagramVersion)\n\n\t// Manually progress the next refresh\n\t_ = selector.refresh(t.Context())\n\n\tsnapshot2 := selector.Snapshot()\n\trequire.Equal(t, DatagramV3, snapshot2.DatagramVersion)\n\trequire.NotEqual(t, snapshot.DatagramVersion, snapshot2.DatagramVersion)\n}\n\nfunc TestStaticFeatures(t *testing.T) {\n\tpercentages := []uint32{0}\n\t// PostQuantum Enabled from user flag\n\tselector := newTestSelector(t, percentages, true, time.Second)\n\tsnapshot := selector.Snapshot()\n\trequire.Equal(t, PostQuantumStrict, snapshot.PostQuantum)\n\n\t// PostQuantum Disabled (or not set)\n\tselector = newTestSelector(t, percentages, false, time.Second)\n\tsnapshot = selector.Snapshot()\n\trequire.Equal(t, PostQuantumPrefer, snapshot.PostQuantum)\n}\n\nfunc newTestSelector(t *testing.T, percentages []uint32, pq bool, refreshFreq time.Duration) *featureSelector {\n\tlogger := zerolog.Nop()\n\n\tresolver := &mockResolver{\n\t\tpercentages: percentages,\n\t}\n\n\tselector, err := newFeatureSelector(t.Context(), testAccountTag, &logger, resolver, []string{}, pq, refreshFreq)\n\trequire.NoError(t, err)\n\n\treturn selector\n}\n\ntype mockResolver struct {\n\tnextIndex int\n\tpercentages []uint32\n}\n\nfunc (mr *mockResolver) lookupRecord(ctx context.Context) ([]byte, error) {\n\tif mr.nextIndex >= len(mr.percentages) {\n\t\treturn nil, fmt.Errorf(\"no more record to lookup\")\n\t}\n\n\trecord, err := json.Marshal(featuresRecord{\n\t\tDatagramV3Percentage: mr.percentages[mr.nextIndex],\n\t})\n\tmr.nextIndex++\n\n\treturn record, err\n}\n\ntype staticResolver struct {\n\trecord featuresRecord\n}\n\nfunc (r *staticResolver) lookupRecord(ctx context.Context) ([]byte, error) {\n\treturn json.Marshal(r.record)\n}\n" }, { "path": "fips/fips.go", "content": "//go:build fips\n\npackage fips\n\nimport (\n\t_ \"crypto/tls/fipsonly\"\n)\n\nfunc IsFipsEnabled() bool {\n\treturn true\n}\n" }, { "path": "fips/nofips.go", "content": "//go:build !fips\n\npackage fips\n\nfunc IsFipsEnabled() bool {\n\treturn false\n}\n" }, { "path": "flow/limiter.go", "content": "package flow\n\nimport (\n\t\"errors\"\n\t\"sync\"\n)\n\nconst (\n\tunlimitedActiveFlows = 0\n)\n\nvar (\n\tErrTooManyActiveFlows = errors.New(\"too many active flows\")\n)\n\ntype Limiter interface {\n\t// Acquire tries to acquire a free slot for a flow, if the value of flows is already above\n\t// the maximum it returns ErrTooManyActiveFlows.\n\tAcquire(flowType string) error\n\t// Release releases a slot for a flow.\n\tRelease()\n\t// SetLimit allows to hot swap the limit value of the limiter.\n\tSetLimit(uint64)\n}\n\ntype flowLimiter struct {\n\tlimiterLock sync.Mutex\n\tactiveFlowsCounter uint64\n\tmaxActiveFlows uint64\n\tunlimited bool\n}\n\nfunc NewLimiter(maxActiveFlows uint64) Limiter {\n\tflowLimiter := &flowLimiter{\n\t\tmaxActiveFlows: maxActiveFlows,\n\t\tunlimited: isUnlimited(maxActiveFlows),\n\t}\n\n\treturn flowLimiter\n}\n\nfunc (s *flowLimiter) Acquire(flowType string) error {\n\ts.limiterLock.Lock()\n\tdefer s.limiterLock.Unlock()\n\n\tif !s.unlimited && s.activeFlowsCounter >= s.maxActiveFlows {\n\t\tflowRegistrationsDropped.WithLabelValues(flowType).Inc()\n\t\treturn ErrTooManyActiveFlows\n\t}\n\n\ts.activeFlowsCounter++\n\treturn nil\n}\n\nfunc (s *flowLimiter) Release() {\n\ts.limiterLock.Lock()\n\tdefer s.limiterLock.Unlock()\n\n\tif s.activeFlowsCounter <= 0 {\n\t\treturn\n\t}\n\n\ts.activeFlowsCounter--\n}\n\nfunc (s *flowLimiter) SetLimit(newMaxActiveFlows uint64) {\n\ts.limiterLock.Lock()\n\tdefer s.limiterLock.Unlock()\n\n\ts.maxActiveFlows = newMaxActiveFlows\n\ts.unlimited = isUnlimited(newMaxActiveFlows)\n}\n\n// isUnlimited checks if the value received matches the configuration for the unlimited flow limiter.\nfunc isUnlimited(value uint64) bool {\n\treturn value == unlimitedActiveFlows\n}\n" }, { "path": "flow/limiter_test.go", "content": "package flow_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/flow\"\n)\n\nfunc TestFlowLimiter_Unlimited(t *testing.T) {\n\tunlimitedLimiter := flow.NewLimiter(0)\n\n\tfor i := 0; i < 1000; i++ {\n\t\terr := unlimitedLimiter.Acquire(\"test\")\n\t\trequire.NoError(t, err)\n\t}\n}\n\nfunc TestFlowLimiter_Limited(t *testing.T) {\n\tmaxFlows := uint64(5)\n\tlimiter := flow.NewLimiter(maxFlows)\n\n\tfor i := uint64(0); i < maxFlows; i++ {\n\t\terr := limiter.Acquire(\"test\")\n\t\trequire.NoError(t, err)\n\t}\n\n\terr := limiter.Acquire(\"should fail\")\n\trequire.ErrorIs(t, err, flow.ErrTooManyActiveFlows)\n}\n\nfunc TestFlowLimiter_AcquireAndReleaseFlow(t *testing.T) {\n\tmaxFlows := uint64(5)\n\tlimiter := flow.NewLimiter(maxFlows)\n\n\t// Acquire the maximum number of flows\n\tfor i := uint64(0); i < maxFlows; i++ {\n\t\terr := limiter.Acquire(\"test\")\n\t\trequire.NoError(t, err)\n\t}\n\n\t// Validate acquire 1 more flows fails\n\terr := limiter.Acquire(\"should fail\")\n\trequire.ErrorIs(t, err, flow.ErrTooManyActiveFlows)\n\n\t// Release the maximum number of flows\n\tfor i := uint64(0); i < maxFlows; i++ {\n\t\tlimiter.Release()\n\t}\n\n\t// Validate acquire 1 more flows works\n\terr = limiter.Acquire(\"shouldn't fail\")\n\trequire.NoError(t, err)\n\n\t// Release a 10x the number of max flows\n\tfor i := uint64(0); i < 10*maxFlows; i++ {\n\t\tlimiter.Release()\n\t}\n\n\t// Validate it still can only acquire a value = number max flows.\n\tfor i := uint64(0); i < maxFlows; i++ {\n\t\terr := limiter.Acquire(\"test\")\n\t\trequire.NoError(t, err)\n\t}\n\terr = limiter.Acquire(\"should fail\")\n\trequire.ErrorIs(t, err, flow.ErrTooManyActiveFlows)\n}\n\nfunc TestFlowLimiter_SetLimit(t *testing.T) {\n\tmaxFlows := uint64(5)\n\tlimiter := flow.NewLimiter(maxFlows)\n\n\t// Acquire the maximum number of flows\n\tfor i := uint64(0); i < maxFlows; i++ {\n\t\terr := limiter.Acquire(\"test\")\n\t\trequire.NoError(t, err)\n\t}\n\n\t// Validate acquire 1 more flows fails\n\terr := limiter.Acquire(\"should fail\")\n\trequire.ErrorIs(t, err, flow.ErrTooManyActiveFlows)\n\n\t// Set the flow limiter to support one more request\n\tlimiter.SetLimit(maxFlows + 1)\n\n\t// Validate acquire 1 more flows now works\n\terr = limiter.Acquire(\"shouldn't fail\")\n\trequire.NoError(t, err)\n\n\t// Validate acquire 1 more flows doesn't work because we already reached the limit\n\terr = limiter.Acquire(\"should fail\")\n\trequire.ErrorIs(t, err, flow.ErrTooManyActiveFlows)\n\n\t// Release all flows\n\tfor i := uint64(0); i < maxFlows+1; i++ {\n\t\tlimiter.Release()\n\t}\n\n\t// Validate 1 flow works again\n\terr = limiter.Acquire(\"shouldn't fail\")\n\trequire.NoError(t, err)\n\n\t// Set the flow limit to 1\n\tlimiter.SetLimit(1)\n\n\t// Validate acquire 1 more flows doesn't work\n\terr = limiter.Acquire(\"should fail\")\n\trequire.ErrorIs(t, err, flow.ErrTooManyActiveFlows)\n\n\t// Set the flow limit to unlimited\n\tlimiter.SetLimit(0)\n\n\t// Validate it can acquire a lot of flows because it is now unlimited.\n\tfor i := uint64(0); i < 10*maxFlows; i++ {\n\t\terr := limiter.Acquire(\"shouldn't fail\")\n\t\trequire.NoError(t, err)\n\t}\n}\n" }, { "path": "flow/metrics.go", "content": "package flow\n\nimport (\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/prometheus/client_golang/prometheus/promauto\"\n)\n\nconst (\n\tnamespace = \"flow\"\n)\n\nvar (\n\tlabels = []string{\"flow_type\"}\n\n\tflowRegistrationsDropped = promauto.NewCounterVec(prometheus.CounterOpts{\n\t\tNamespace: namespace,\n\t\tSubsystem: \"client\",\n\t\tName: \"registrations_rate_limited_total\",\n\t\tHelp: \"Count registrations dropped due to high number of concurrent flows being handled\",\n\t},\n\t\tlabels,\n\t)\n)\n" }, { "path": "github_message.py", "content": "#!/usr/bin/python3\n\"\"\"\nCreate Github Releases Notes with binary checksums from Workers KV\n\"\"\"\n\nimport argparse\nimport logging\nimport os\nimport requests\n\nfrom github import Github, UnknownObjectException\n\nFORMAT = \"%(levelname)s - %(asctime)s: %(message)s\"\nlogging.basicConfig(format=FORMAT, level=logging.INFO)\n\nCLOUDFLARED_REPO = os.environ.get(\"GITHUB_REPO\", \"cloudflare/cloudflared\")\nGITHUB_CONFLICT_CODE = \"already_exists\"\nBASE_KV_URL = 'https://api.cloudflare.com/client/v4/accounts/'\n\n\ndef kv_get_keys(prefix, account, namespace, api_token):\n \"\"\" get the KV keys for a given prefix \"\"\"\n response = requests.get(\n BASE_KV_URL + account + \"/storage/kv/namespaces/\" +\n namespace + \"/keys\" + \"?prefix=\" + prefix,\n headers={\n \"Content-Type\": \"application/json\",\n \"Authorization\": \"Bearer \" + api_token,\n },\n )\n if response.status_code != 200:\n jsonResponse = response.json()\n errors = jsonResponse[\"errors\"]\n if len(errors) > 0:\n raise Exception(\"failed to get checksums: {0}\", errors[0])\n return response.json()[\"result\"]\n\n\ndef kv_get_value(key, account, namespace, api_token):\n \"\"\" get the KV value for a provided key \"\"\"\n response = requests.get(\n BASE_KV_URL + account + \"/storage/kv/namespaces/\" + namespace + \"/values/\" + key,\n headers={\n \"Content-Type\": \"application/json\",\n \"Authorization\": \"Bearer \" + api_token,\n },\n )\n if response.status_code != 200:\n jsonResponse = response.json()\n errors = jsonResponse[\"errors\"]\n if len(errors) > 0:\n raise Exception(\"failed to get checksums: {0}\", errors[0])\n return response.text\n\n\ndef update_or_add_message(msg, name, sha):\n \"\"\" \n updates or builds the github version message for each new asset's sha256. \n Searches the existing message string to update or create. \n \"\"\"\n new_text = '{0}: {1}\\n'.format(name, sha)\n start = msg.find(name)\n if (start != -1):\n end = msg.find(\"\\n\", start)\n if (end != -1):\n return msg.replace(msg[start:end+1], new_text)\n back = msg.rfind(\"```\")\n if (back != -1):\n return '{0}{1}```'.format(msg[:back], new_text)\n return '{0} \\n### SHA256 Checksums:\\n```\\n{1}```'.format(msg, new_text)\n\n\ndef get_release(repo, version):\n \"\"\" Get a Github Release matching the version tag. \"\"\"\n try:\n release = repo.get_release(version)\n logging.info(\"Release %s found\", version)\n return release\n except UnknownObjectException:\n logging.info(\"Release %s not found\", version)\n\n\ndef parse_args():\n \"\"\" Parse and validate args \"\"\"\n parser = argparse.ArgumentParser(\n description=\"Updates a Github Release with checksums from KV\"\n )\n parser.add_argument(\n \"--api-key\", default=os.environ.get(\"API_KEY\"), help=\"Github API key\"\n )\n parser.add_argument(\n \"--kv-namespace-id\", default=os.environ.get(\"KV_NAMESPACE\"), help=\"workers KV namespace id\"\n )\n parser.add_argument(\n \"--kv-account-id\", default=os.environ.get(\"KV_ACCOUNT\"), help=\"workers KV account id\"\n )\n parser.add_argument(\n \"--kv-api-token\", default=os.environ.get(\"KV_API_TOKEN\"), help=\"workers KV API Token\"\n )\n parser.add_argument(\n \"--release-version\",\n metavar=\"version\",\n default=os.environ.get(\"VERSION\"),\n help=\"Release version\",\n )\n parser.add_argument(\n \"--dry-run\", action=\"store_true\", help=\"Do not modify the release message\"\n )\n\n args = parser.parse_args()\n is_valid = True\n if not args.release_version:\n logging.error(\"Missing release version\")\n is_valid = False\n\n if not args.api_key:\n logging.error(\"Missing API key\")\n is_valid = False\n\n if not args.kv_namespace_id:\n logging.error(\"Missing KV namespace id\")\n is_valid = False\n\n if not args.kv_account_id:\n logging.error(\"Missing KV account id\")\n is_valid = False\n\n if not args.kv_api_token:\n logging.error(\"Missing KV API token\")\n is_valid = False\n\n if is_valid:\n return args\n\n parser.print_usage()\n exit(1)\n\n\ndef main():\n \"\"\" Attempts to update the Github Release message with the github asset's checksums \"\"\"\n try:\n args = parse_args()\n client = Github(args.api_key)\n repo = client.get_repo(CLOUDFLARED_REPO)\n release = get_release(repo, args.release_version)\n\n msg = \"\"\n\n prefix = f\"update_{args.release_version}_\"\n keys = kv_get_keys(prefix, args.kv_account_id,\n args.kv_namespace_id, args.kv_api_token)\n for key in [k[\"name\"] for k in keys]:\n checksum = kv_get_value(\n key, args.kv_account_id, args.kv_namespace_id, args.kv_api_token)\n binary_name = key[len(prefix):]\n msg = update_or_add_message(msg, binary_name, checksum)\n\n if args.dry_run:\n logging.info(\"Skipping release message update because of dry-run\")\n logging.info(f\"Github message:\\n{msg}\")\n return\n\n # update the release body text\n release.update_release(args.release_version, msg)\n\n except Exception as e:\n logging.exception(e)\n exit(1)\n\n\nmain()\n" }, { "path": "github_release.py", "content": "#!/usr/bin/python3\n\"\"\"\nCreates Github Releases and uploads assets\n\"\"\"\n\nimport argparse\nimport logging\nimport os\nimport shutil\nimport hashlib\nimport requests\nimport tarfile\nfrom os import listdir\nfrom os.path import isfile, join, splitext\nimport re\nimport subprocess\n\nfrom github import Github, GithubException, UnknownObjectException\n\nFORMAT = \"%(levelname)s - %(asctime)s: %(message)s\"\nlogging.basicConfig(format=FORMAT, level=logging.INFO)\n\nCLOUDFLARED_REPO = os.environ.get(\"GITHUB_REPO\", \"cloudflare/cloudflared\")\nGITHUB_CONFLICT_CODE = \"already_exists\"\nBASE_KV_URL = 'https://api.cloudflare.com/client/v4/accounts/'\nUPDATER_PREFIX = 'update'\n\ndef get_sha256(filename):\n \"\"\" get the sha256 of a file \"\"\"\n sha256_hash = hashlib.sha256()\n with open(filename,\"rb\") as f:\n for byte_block in iter(lambda: f.read(4096),b\"\"):\n sha256_hash.update(byte_block)\n return sha256_hash.hexdigest()\n\ndef send_hash(pkg_hash, name, version, account, namespace, api_token):\n \"\"\" send the checksum of a file to workers kv \"\"\"\n key = '{0}_{1}_{2}'.format(UPDATER_PREFIX, version, name)\n headers = {\n \"Content-Type\": \"application/json\",\n \"Authorization\": \"Bearer \" + api_token,\n }\n response = requests.put(\n BASE_KV_URL + account + \"/storage/kv/namespaces/\" + namespace + \"/values/\" + key,\n headers=headers,\n data=pkg_hash\n )\n\n if response.status_code != 200:\n jsonResponse = response.json()\n errors = jsonResponse[\"errors\"]\n if len(errors) > 0:\n raise Exception(\"failed to upload checksum: {0}\", errors[0])\n\n\n\ndef assert_tag_exists(repo, version):\n \"\"\" Raise exception if repo does not contain a tag matching version \"\"\"\n tags = repo.get_tags()\n if not tags or tags[0].name != version:\n raise Exception(\"Tag {} not found\".format(version))\n\n\ndef get_or_create_release(repo, version, dry_run=False, is_draft=False):\n \"\"\"\n Get a Github Release matching the version tag or create a new one.\n If a conflict occurs on creation, attempt to fetch the Release on last time\n \"\"\"\n try:\n release = repo.get_release(version)\n logging.info(\"Release %s found\", version)\n return release\n except UnknownObjectException:\n logging.info(\"Release %s not found\", version)\n\n # We don't want to create a new release tag if one doesn't already exist\n assert_tag_exists(repo, version)\n\n if dry_run:\n logging.info(\"Skipping Release creation because of dry-run\")\n return\n\n try:\n if is_draft:\n logging.info(\"Drafting release %s\", version)\n else:\n logging.info(\"Creating release %s\", version)\n return repo.create_git_release(version, version, \"\", is_draft)\n except GithubException as e:\n errors = e.data.get(\"errors\", [])\n if e.status == 422 and any(\n [err.get(\"code\") == GITHUB_CONFLICT_CODE for err in errors]\n ):\n logging.warning(\n \"Conflict: Release was likely just made by a different build: %s\",\n e.data,\n )\n return repo.get_release(version)\n raise e\n\n\ndef parse_args():\n \"\"\" Parse and validate args \"\"\"\n parser = argparse.ArgumentParser(\n description=\"Creates Github Releases and uploads assets.\"\n )\n parser.add_argument(\n \"--api-key\", default=os.environ.get(\"API_KEY\"), help=\"Github API key\"\n )\n parser.add_argument(\n \"--release-version\",\n metavar=\"version\",\n default=os.environ.get(\"VERSION\"),\n help=\"Release version\",\n )\n parser.add_argument(\n \"--path\", default=os.environ.get(\"ASSET_PATH\"), help=\"Asset path\"\n )\n parser.add_argument(\n \"--name\", default=os.environ.get(\"ASSET_NAME\"), help=\"Asset Name\"\n )\n parser.add_argument(\n \"--namespace-id\", default=os.environ.get(\"KV_NAMESPACE\"), help=\"workersKV namespace id\"\n )\n parser.add_argument(\n \"--kv-account-id\", default=os.environ.get(\"KV_ACCOUNT\"), help=\"workersKV account id\"\n )\n parser.add_argument(\n \"--kv-api-token\", default=os.environ.get(\"KV_API_TOKEN\"), help=\"workersKV API Token\"\n )\n parser.add_argument(\n \"--dry-run\", action=\"store_true\", help=\"Do not create release or upload asset\"\n )\n\n parser.add_argument(\n \"--draft\", action=\"store_true\", help=\"Create a draft release\"\n )\n\n args = parser.parse_args()\n is_valid = True\n if not args.release_version:\n logging.error(\"Missing release version\")\n is_valid = False\n\n if not args.path:\n logging.error(\"Missing asset path\")\n is_valid = False\n\n if not args.name and not os.path.isdir(args.path):\n logging.error(\"Missing asset name\")\n is_valid = False\n\n if not args.api_key:\n logging.error(\"Missing API key\")\n is_valid = False\n \n if not args.namespace_id:\n logging.error(\"Missing KV namespace id\")\n is_valid = False\n\n if not args.kv_account_id:\n logging.error(\"Missing KV account id\")\n is_valid = False\n\n if not args.kv_api_token:\n logging.error(\"Missing KV API token\")\n is_valid = False\n\n if is_valid:\n return args\n\n parser.print_usage()\n exit(1)\n\ndef upload_asset(release, filepath, filename, release_version, kv_account_id, namespace_id, kv_api_token):\n logging.info(\"Uploading asset: %s\", filename)\n assets = release.get_assets()\n uploaded = False\n for asset in assets:\n if asset.name == filename:\n uploaded = True\n break\n \n if uploaded:\n logging.info(\"asset already uploaded, skipping upload\")\n return\n \n release.upload_asset(filepath, name=filename)\n\n # check and extract if the file is a tar and gzipped file (as is the case with the macos builds)\n binary_path = filepath\n if binary_path.endswith(\"tgz\"):\n try:\n shutil.rmtree('cfd')\n except OSError:\n pass\n zipfile = tarfile.open(binary_path, \"r:gz\")\n zipfile.extractall('cfd') # specify which folder to extract to\n zipfile.close()\n\n binary_path = os.path.join(os.getcwd(), 'cfd', 'cloudflared')\n\n # send the sha256 (the checksum) to workers kv\n logging.info(\"Uploading sha256 checksum for: %s\", filename)\n pkg_hash = get_sha256(binary_path)\n send_hash(pkg_hash, filename, release_version, kv_account_id, namespace_id, kv_api_token)\n\ndef move_asset(filepath, filename):\n # create the artifacts directory if it doesn't exist\n artifact_path = os.path.join(os.getcwd(), 'artifacts')\n if not os.path.isdir(artifact_path):\n os.mkdir(artifact_path)\n\n # copy the binary to the path\n copy_path = os.path.join(artifact_path, filename)\n try:\n shutil.copy(filepath, copy_path)\n except shutil.SameFileError:\n pass # the macOS release copy fails with being the same file (already in the artifacts directory)\n\ndef get_binary_version(binary_path):\n \"\"\"\n Sample output from go version -m :\n ...\n build\t-compiler=gc\n\tbuild\t-ldflags=\"-X \\\"main.Version=2024.8.3-6-gec072691\\\" -X \\\"main.BuildTime=2024-09-10-1027 UTC\\\" \"\n\tbuild\tCGO_ENABLED=1\n ...\n\n This function parses the above output to retrieve the following substring 2024.8.3-6-gec072691.\n To do this a start and end indexes are computed and the a slice is extracted from the output using them.\n \"\"\"\n needle = \"main.Version=\"\n cmd = ['go','version', '-m', binary_path]\n process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n output, _ = process.communicate()\n version_info = output.decode()\n\n # Find start of needle\n needle_index = version_info.find(needle)\n # Find backward slash relative to the beggining of the needle\n relative_end_index = version_info[needle_index:].find(\"\\\\\")\n # Calculate needle position plus needle length to find version beggining\n start_index = needle_index + len(needle)\n # Calculate needle position plus relative position of the backward slash\n end_index = needle_index + relative_end_index\n return version_info[start_index:end_index]\n\ndef assert_asset_version(binary_path, release_version):\n \"\"\"\n Asserts that the artifacts have the correct release_version.\n The artifacts that are checked must not have an extension expecting .exe and .tgz.\n In the occurrence of any other extension the function exits early.\n \"\"\"\n try:\n shutil.rmtree('tmp')\n except OSError:\n pass\n _, ext = os.path.splitext(binary_path)\n if ext == '.exe' or ext == '':\n binary_version = get_binary_version(binary_path)\n elif ext == '.tgz':\n tar = tarfile.open(binary_path, \"r:gz\")\n tar.extractall(\"tmp\")\n tar.close()\n binary_path = os.path.join(os.getcwd(), 'tmp', 'cloudflared')\n binary_version = get_binary_version(binary_path)\n else:\n return\n\n if binary_version != release_version:\n logging.error(f\"Version mismatch {binary_path}, binary_version {binary_version} release_version {release_version}\")\n exit(1)\n\n\ndef main():\n \"\"\" Attempts to upload Asset to Github Release. Creates Release if it doesn't exist \"\"\"\n try:\n args = parse_args()\n\n if args.dry_run:\n if os.path.isdir(args.path):\n onlyfiles = [f for f in listdir(args.path) if isfile(join(args.path, f))]\n for filename in onlyfiles:\n binary_path = os.path.join(args.path, filename)\n logging.info(\"binary: \" + binary_path)\n assert_asset_version(binary_path, args.release_version)\n elif os.path.isfile(args.path):\n logging.info(\"binary: \" + binary_path)\n else:\n logging.error(\"dryrun failed\")\n return\n else:\n client = Github(args.api_key)\n repo = client.get_repo(CLOUDFLARED_REPO)\n\n if os.path.isdir(args.path):\n onlyfiles = [f for f in listdir(args.path) if isfile(join(args.path, f))]\n for filename in onlyfiles:\n binary_path = os.path.join(args.path, filename)\n assert_asset_version(binary_path, args.release_version)\n release = get_or_create_release(repo, args.release_version, args.dry_run, args.draft)\n for filename in onlyfiles:\n binary_path = os.path.join(args.path, filename)\n upload_asset(release, binary_path, filename, args.release_version, args.kv_account_id, args.namespace_id,\n args.kv_api_token)\n move_asset(binary_path, filename)\n else:\n raise Exception(\"the argument path must be a directory\")\n\n except Exception as e:\n logging.exception(e)\n exit(1)\n\nmain()\n" }, { "path": "go.mod", "content": "module github.com/cloudflare/cloudflared\n\ngo 1.24.0\n\nrequire (\n\tgithub.com/coreos/go-oidc/v3 v3.17.0\n\tgithub.com/coreos/go-systemd/v22 v22.5.0\n\tgithub.com/facebookgo/grace v0.0.0-20180706040059-75cf19382434\n\tgithub.com/fortytw2/leaktest v1.3.0\n\tgithub.com/fsnotify/fsnotify v1.4.9\n\tgithub.com/getsentry/sentry-go v0.43.0\n\tgithub.com/go-chi/chi/v5 v5.2.2\n\tgithub.com/go-chi/cors v1.2.1\n\tgithub.com/go-jose/go-jose/v4 v4.1.3\n\tgithub.com/gobwas/ws v1.2.1\n\tgithub.com/google/gopacket v1.1.19\n\tgithub.com/google/uuid v1.6.0\n\tgithub.com/gorilla/websocket v1.5.0\n\tgithub.com/json-iterator/go v1.1.12\n\tgithub.com/mattn/go-colorable v0.1.13\n\tgithub.com/mitchellh/go-homedir v1.1.0\n\tgithub.com/pkg/errors v0.9.1\n\tgithub.com/prometheus/client_golang v1.22.0\n\tgithub.com/prometheus/client_model v0.6.2\n\tgithub.com/quic-go/quic-go v0.52.0\n\tgithub.com/rs/zerolog v1.20.0\n\tgithub.com/stretchr/testify v1.11.1\n\tgithub.com/urfave/cli/v2 v2.3.0\n\tgo.opentelemetry.io/contrib/propagators v0.22.0\n\tgo.opentelemetry.io/otel v1.40.0\n\tgo.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0\n\tgo.opentelemetry.io/otel/sdk v1.40.0\n\tgo.opentelemetry.io/otel/trace v1.40.0\n\tgo.opentelemetry.io/proto/otlp v1.2.0\n\tgo.uber.org/automaxprocs v1.6.0\n\tgo.uber.org/mock v0.5.1\n\tgolang.org/x/crypto v0.38.0\n\tgolang.org/x/net v0.40.0\n\tgolang.org/x/sync v0.14.0\n\tgolang.org/x/sys v0.40.0\n\tgolang.org/x/term v0.32.0\n\tgoogle.golang.org/protobuf v1.36.6\n\tgopkg.in/natefinch/lumberjack.v2 v2.0.0\n\tgopkg.in/yaml.v3 v3.0.1\n\tnhooyr.io/websocket v1.8.7\n\tzombiezen.com/go/capnproto2 v2.18.0+incompatible\n)\n\nrequire (\n\tgithub.com/BurntSushi/toml v1.2.0 // indirect\n\tgithub.com/beorn7/perks v1.0.1 // indirect\n\tgithub.com/bytedance/sonic v1.12.0 // indirect\n\tgithub.com/cespare/xxhash/v2 v2.3.0 // indirect\n\tgithub.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect\n\tgithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect\n\tgithub.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51 // indirect\n\tgithub.com/facebookgo/freeport v0.0.0-20150612182905-d4adf43b75b9 // indirect\n\tgithub.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect\n\tgithub.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870 // indirect\n\tgithub.com/gin-gonic/gin v1.9.1 // indirect\n\tgithub.com/go-logr/logr v1.4.3 // indirect\n\tgithub.com/go-logr/stdr v1.2.2 // indirect\n\tgithub.com/go-playground/validator/v10 v10.15.1 // indirect\n\tgithub.com/go-task/slim-sprig/v3 v3.0.0 // indirect\n\tgithub.com/gobwas/httphead v0.1.0 // indirect\n\tgithub.com/gobwas/pool v0.2.1 // indirect\n\tgithub.com/google/pprof v0.0.0-20250418163039-24c5476c6587 // indirect\n\tgithub.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect\n\tgithub.com/klauspost/compress v1.18.0 // indirect\n\tgithub.com/klauspost/cpuid/v2 v2.2.5 // indirect\n\tgithub.com/mattn/go-isatty v0.0.20 // indirect\n\tgithub.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect\n\tgithub.com/modern-go/reflect2 v1.0.2 // indirect\n\tgithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect\n\tgithub.com/onsi/ginkgo/v2 v2.23.4 // indirect\n\tgithub.com/pelletier/go-toml/v2 v2.0.9 // indirect\n\tgithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect\n\tgithub.com/prometheus/common v0.64.0 // indirect\n\tgithub.com/prometheus/procfs v0.15.1 // indirect\n\tgithub.com/russross/blackfriday/v2 v2.1.0 // indirect\n\tgithub.com/tinylib/msgp v1.6.3 // indirect\n\tgo.opentelemetry.io/auto/sdk v1.2.1 // indirect\n\tgo.opentelemetry.io/otel/metric v1.40.0 // indirect\n\tgolang.org/x/arch v0.4.0 // indirect\n\tgolang.org/x/mod v0.24.0 // indirect\n\tgolang.org/x/oauth2 v0.30.0 // indirect\n\tgolang.org/x/text v0.25.0 // indirect\n\tgolang.org/x/tools v0.32.0 // indirect\n\tgoogle.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 // indirect\n\tgoogle.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 // indirect\n\tgoogle.golang.org/grpc v1.72.2 // indirect\n\tgopkg.in/yaml.v2 v2.4.0 // indirect\n)\n\nreplace github.com/urfave/cli/v2 => github.com/ipostelnik/cli/v2 v2.3.1-0.20210324024421-b6ea8234fe3d\n\n// Avoid 'CVE-2022-21698'\nreplace github.com/prometheus/golang_client => github.com/prometheus/golang_client v1.12.1\n\nreplace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1\n\n// This fork is based on quic-go v0.45\nreplace github.com/quic-go/quic-go => github.com/chungthuang/quic-go v0.45.1-0.20250428085412-43229ad201fd\n" }, { "path": "go.sum", "content": "github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=\ngithub.com/BurntSushi/toml v1.2.0 h1:Rt8g24XnyGTyglgET/PRUNlrUeu9F5L+7FilkXfZgs0=\ngithub.com/BurntSushi/toml v1.2.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=\ngithub.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=\ngithub.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=\ngithub.com/bytedance/sonic v1.12.0 h1:YGPgxF9xzaCNvd/ZKdQ28yRovhfMFZQjuk6fKBzZ3ls=\ngithub.com/bytedance/sonic v1.12.0/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk=\ngithub.com/bytedance/sonic/loader v0.2.0 h1:zNprn+lsIP06C/IqCHs3gPQIvnvpKbbxyXQP1iU4kWM=\ngithub.com/bytedance/sonic/loader v0.2.0/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=\ngithub.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=\ngithub.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=\ngithub.com/chungthuang/quic-go v0.45.1-0.20250428085412-43229ad201fd h1:VdYI5zFQ2h1/qzoC6rhyPx479bkF8i177Qpg4Q2n1vk=\ngithub.com/chungthuang/quic-go v0.45.1-0.20250428085412-43229ad201fd/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ=\ngithub.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=\ngithub.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=\ngithub.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=\ngithub.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=\ngithub.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=\ngithub.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=\ngithub.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=\ngithub.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=\ngithub.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=\ngithub.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=\ngithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51 h1:0JZ+dUmQeA8IIVUMzysrX4/AKuQwWhV2dYQuPZdvdSQ=\ngithub.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51/go.mod h1:Yg+htXGokKKdzcwhuNDwVvN+uBxDGXJ7G/VN1d8fa64=\ngithub.com/facebookgo/freeport v0.0.0-20150612182905-d4adf43b75b9 h1:wWke/RUCl7VRjQhwPlR/v0glZXNYzBHdNUzf/Am2Nmg=\ngithub.com/facebookgo/freeport v0.0.0-20150612182905-d4adf43b75b9/go.mod h1:uPmAp6Sws4L7+Q/OokbWDAK1ibXYhB3PXFP1kol5hPg=\ngithub.com/facebookgo/grace v0.0.0-20180706040059-75cf19382434 h1:mOp33BLbcbJ8fvTAmZacbBiOASfxN+MLcLxymZCIrGE=\ngithub.com/facebookgo/grace v0.0.0-20180706040059-75cf19382434/go.mod h1:KigFdumBXUPSwzLDbeuzyt0elrL7+CP7TKuhrhT4bcU=\ngithub.com/facebookgo/stack v0.0.0-20160209184415-751773369052 h1:JWuenKqqX8nojtoVVWjGfOF9635RETekkoH6Cc9SX0A=\ngithub.com/facebookgo/stack v0.0.0-20160209184415-751773369052/go.mod h1:UbMTZqLaRiH3MsBH8va0n7s1pQYcu3uTb8G4tygF4Zg=\ngithub.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870 h1:E2s37DuLxFhQDg5gKsWoLBOB0n+ZW8s599zru8FJ2/Y=\ngithub.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870/go.mod h1:5tD+neXqOorC30/tWg0LCSkrqj/AR6gu8yY8/fpw1q0=\ngithub.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=\ngithub.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=\ngithub.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=\ngithub.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=\ngithub.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=\ngithub.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=\ngithub.com/getsentry/sentry-go v0.43.0 h1:XbXLpFicpo8HmBDaInk7dum18G9KSLcjZiyUKS+hLW4=\ngithub.com/getsentry/sentry-go v0.43.0/go.mod h1:XDotiNZbgf5U8bPDUAfvcFmOnMQQceESxyKaObSssW0=\ngithub.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=\ngithub.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=\ngithub.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=\ngithub.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg=\ngithub.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=\ngithub.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=\ngithub.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=\ngithub.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=\ngithub.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=\ngithub.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=\ngithub.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=\ngithub.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=\ngithub.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=\ngithub.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=\ngithub.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=\ngithub.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=\ngithub.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=\ngithub.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=\ngithub.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=\ngithub.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=\ngithub.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=\ngithub.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=\ngithub.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=\ngithub.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=\ngithub.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=\ngithub.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=\ngithub.com/go-playground/validator/v10 v10.15.1 h1:BSe8uhN+xQ4r5guV/ywQI4gO59C2raYcGffYWZEjZzM=\ngithub.com/go-playground/validator/v10 v10.15.1/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=\ngithub.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=\ngithub.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=\ngithub.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo=\ngithub.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU=\ngithub.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=\ngithub.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=\ngithub.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=\ngithub.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=\ngithub.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=\ngithub.com/gobwas/ws v1.2.1 h1:F2aeBZrm2NDsc7vbovKrWSogd4wvfAxg0FQ89/iqOTk=\ngithub.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=\ngithub.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=\ngithub.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=\ngithub.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=\ngithub.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=\ngithub.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=\ngithub.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=\ngithub.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=\ngithub.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=\ngithub.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=\ngithub.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=\ngithub.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=\ngithub.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=\ngithub.com/google/pprof v0.0.0-20250418163039-24c5476c6587 h1:b/8HpQhvKLSNzH5oTXN2WkNcMl6YB5K3FRbb+i+Ml34=\ngithub.com/google/pprof v0.0.0-20250418163039-24c5476c6587/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=\ngithub.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=\ngithub.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=\ngithub.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=\ngithub.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=\ngithub.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=\ngithub.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=\ngithub.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=\ngithub.com/ipostelnik/cli/v2 v2.3.1-0.20210324024421-b6ea8234fe3d h1:PRDnysJ9dF1vUMmEzBu6aHQeUluSQy4eWH3RsSSy/vI=\ngithub.com/ipostelnik/cli/v2 v2.3.1-0.20210324024421-b6ea8234fe3d/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=\ngithub.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=\ngithub.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=\ngithub.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=\ngithub.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=\ngithub.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=\ngithub.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=\ngithub.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=\ngithub.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=\ngithub.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=\ngithub.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=\ngithub.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=\ngithub.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=\ngithub.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=\ngithub.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=\ngithub.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=\ngithub.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=\ngithub.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4=\ngithub.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=\ngithub.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=\ngithub.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=\ngithub.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=\ngithub.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=\ngithub.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=\ngithub.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=\ngithub.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=\ngithub.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=\ngithub.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=\ngithub.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=\ngithub.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=\ngithub.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=\ngithub.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=\ngithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=\ngithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=\ngithub.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=\ngithub.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=\ngithub.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=\ngithub.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=\ngithub.com/pelletier/go-toml/v2 v2.0.9 h1:uH2qQXheeefCCkuBBSLi7jCiSmj3VRh2+Goq2N7Xxu0=\ngithub.com/pelletier/go-toml/v2 v2.0.9/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=\ngithub.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=\ngithub.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=\ngithub.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=\ngithub.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=\ngithub.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=\ngithub.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=\ngithub.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=\ngithub.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=\ngithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=\ngithub.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=\ngithub.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=\ngithub.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=\ngithub.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=\ngithub.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=\ngithub.com/prometheus/common v0.64.0 h1:pdZeA+g617P7oGv1CzdTzyeShxAGrTBsolKNOLQPGO4=\ngithub.com/prometheus/common v0.64.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=\ngithub.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=\ngithub.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=\ngithub.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=\ngithub.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=\ngithub.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=\ngithub.com/rs/zerolog v1.20.0 h1:38k9hgtUBdxFwE34yS8rTHmHBa4eN16E4DJlv177LNs=\ngithub.com/rs/zerolog v1.20.0/go.mod h1:IzD0RJ65iWH0w97OQQebJEvTZYvsCUm9WVLWBQrJRjo=\ngithub.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=\ngithub.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=\ngithub.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=\ngithub.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=\ngithub.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=\ngithub.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=\ngithub.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=\ngithub.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=\ngithub.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=\ngithub.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=\ngithub.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=\ngithub.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=\ngithub.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=\ngithub.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=\ngithub.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=\ngithub.com/tinylib/msgp v1.6.3 h1:bCSxiTz386UTgyT1i0MSCvdbWjVW+8sG3PjkGsZQt4s=\ngithub.com/tinylib/msgp v1.6.3/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=\ngithub.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=\ngithub.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=\ngithub.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo=\ngithub.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=\ngithub.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=\ngithub.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4dU=\ngithub.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=\ngo.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=\ngo.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=\ngo.opentelemetry.io/contrib/propagators v0.22.0 h1:KGdv58M2//veiYLIhb31mofaI2LgkIPXXAZVeYVyfd8=\ngo.opentelemetry.io/contrib/propagators v0.22.0/go.mod h1:xGOuXr6lLIF9BXipA4pm6UuOSI0M98U6tsI3khbOiwU=\ngo.opentelemetry.io/otel v1.0.0-RC2/go.mod h1:w1thVQ7qbAy8MHb0IFj8a5Q2QU0l2ksf8u/CN8m3NOM=\ngo.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=\ngo.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 h1:1u/AyyOqAWzy+SkPxDpahCNZParHV8Vid1RnI2clyDE=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0/go.mod h1:z46paqbJ9l7c9fIPCXTqTGwhQZ5XoTIsfeFYWboizjs=\ngo.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=\ngo.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=\ngo.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=\ngo.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=\ngo.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=\ngo.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=\ngo.opentelemetry.io/otel/trace v1.0.0-RC2/go.mod h1:JPQ+z6nNw9mqEGT8o3eoPTdnNI+Aj5JcxEsVGREIAy4=\ngo.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=\ngo.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=\ngo.opentelemetry.io/proto/otlp v1.2.0 h1:pVeZGk7nXDC9O2hncA6nHldxEjm6LByfA2aN8IOkz94=\ngo.opentelemetry.io/proto/otlp v1.2.0/go.mod h1:gGpR8txAl5M03pDhMC79G6SdqNV26naRm/KDsgaHD8A=\ngo.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=\ngo.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=\ngo.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=\ngo.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=\ngo.uber.org/mock v0.5.1 h1:ASgazW/qBmR+A32MYFDB6E2POoTgOwT509VP0CT/fjs=\ngo.uber.org/mock v0.5.1/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=\ngolang.org/x/arch v0.4.0 h1:A8WCeEWhLwPBKNbFi5Wv5UTCBx5zzubnXDlMOFAzFMc=\ngolang.org/x/arch v0.4.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=\ngolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=\ngolang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=\ngolang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=\ngolang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=\ngolang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=\ngolang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=\ngolang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=\ngolang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=\ngolang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=\ngolang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=\ngolang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=\ngolang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=\ngolang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=\ngolang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=\ngolang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=\ngolang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=\ngolang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=\ngolang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=\ngolang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=\ngolang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=\ngolang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=\ngolang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=\ngolang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=\ngolang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20190828213141-aed303cbaa74/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=\ngolang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=\ngolang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=\ngolang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngoogle.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 h1:vPV0tzlsK6EzEDHNNH5sa7Hs9bd7iXR7B1tSiPepkV0=\ngoogle.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:pKLAc5OolXC3ViWGI62vvC0n10CpwAtRcTNCFwTKBEw=\ngoogle.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 h1:IkAfh6J/yllPtpYFU0zZN1hUPYdT0ogkBT/9hMxHjvg=\ngoogle.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=\ngoogle.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=\ngoogle.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=\ngoogle.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=\ngoogle.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=\ngopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=\ngopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=\ngopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=\ngopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=\ngopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=\ngopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=\ngopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\nnhooyr.io/websocket v1.8.7 h1:usjR2uOr/zjjkVMy0lW+PPohFok7PCow5sDjLgX4P4g=\nnhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=\nzombiezen.com/go/capnproto2 v2.18.0+incompatible h1:mwfXZniffG5mXokQGHUJWGnqIBggoPfT/CEwon9Yess=\nzombiezen.com/go/capnproto2 v2.18.0+incompatible/go.mod h1:XO5Pr2SbXgqZwn0m0Ru54QBqpOf4K5AYBO+8LAOBQEQ=\n" }, { "path": "hello/hello.go", "content": "package hello\n\nimport (\n\t\"bytes\"\n\t\"crypto/tls\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"html/template\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"os\"\n\t\"time\"\n\n\t\"github.com/gorilla/websocket\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/tlsconfig\"\n)\n\nconst (\n\tUptimeRoute = \"/uptime\"\n\tWSRoute = \"/ws\"\n\tSSERoute = \"/sse\"\n\tHealthRoute = \"/_health\"\n\tdefaultSSEFreq = time.Second * 10\n)\n\ntype templateData struct {\n\tServerName string\n\tRequest *http.Request\n\tBody string\n}\n\ntype OriginUpTime struct {\n\tStartTime time.Time `json:\"startTime\"`\n\tUpTime string `json:\"uptime\"`\n}\n\nconst defaultServerName = \"the Cloudflare Tunnel test server\"\nconst indexTemplate = `\n\n\n \n \n \n \n Cloudflare Tunnel Connection\n \n \n \n \n \n \n \n
\n
\n \n \n \n \n \n \n

Congrats! You created a tunnel!

\n

\n Cloudflare Tunnel exposes locally running applications to the internet by\n running an encrypted, virtual tunnel from your laptop or server to\n Cloudflare's edge network.\n

\n

Ready for the next step?

\n \n Get started here\n \n
\n

Request

\n
\n\t\t\t\t\t\t
Method: {{.Request.Method}}
\n\t\t\t\t\t\t
Protocol: {{.Request.Proto}}
\n\t\t\t\t\t\t
Request URL: {{.Request.URL}}
\n\t\t\t\t\t\t
Transfer encoding: {{.Request.TransferEncoding}}
\n\t\t\t\t\t\t
Host: {{.Request.Host}}
\n\t\t\t\t\t\t
Remote address: {{.Request.RemoteAddr}}
\n\t\t\t\t\t\t
Request URI: {{.Request.RequestURI}}
\n{{range $key, $value := .Request.Header}}\n\t\t\t\t\t\t
Header: {{$key}}, Value: {{$value}}
\n{{end}}\n\t\t\t\t\t\t
Body: {{.Body}}
\n\t\t\t\t\t
\n
\n
\n
\n \n\n`\n\nfunc StartHelloWorldServer(log *zerolog.Logger, listener net.Listener, shutdownC <-chan struct{}) error {\n\tlog.Info().Msgf(\"Starting Hello World server at %s\", listener.Addr())\n\tserverName := defaultServerName\n\tif hostname, err := os.Hostname(); err == nil {\n\t\tserverName = hostname\n\t}\n\n\tupgrader := websocket.Upgrader{\n\t\tReadBufferSize: 1024,\n\t\tWriteBufferSize: 1024,\n\t}\n\n\tmuxer := http.NewServeMux()\n\tmuxer.HandleFunc(UptimeRoute, uptimeHandler(time.Now()))\n\tmuxer.HandleFunc(WSRoute, websocketHandler(log, upgrader))\n\tmuxer.HandleFunc(SSERoute, sseHandler(log))\n\tmuxer.HandleFunc(HealthRoute, healthHandler())\n\tmuxer.HandleFunc(\"/\", rootHandler(serverName))\n\thttpServer := &http.Server{Addr: listener.Addr().String(), Handler: muxer}\n\tgo func() {\n\t\t<-shutdownC\n\t\t_ = httpServer.Close()\n\t}()\n\n\terr := httpServer.Serve(listener)\n\treturn err\n}\n\nfunc CreateTLSListener(address string) (net.Listener, error) {\n\tcertificate, err := tlsconfig.GetHelloCertificate()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// If the port in address is empty, a port number is automatically chosen\n\tlistener, err := tls.Listen(\n\t\t\"tcp\",\n\t\taddress,\n\t\t&tls.Config{Certificates: []tls.Certificate{certificate}})\n\n\treturn listener, err\n}\n\nfunc uptimeHandler(startTime time.Time) http.HandlerFunc {\n\treturn func(w http.ResponseWriter, r *http.Request) {\n\t\t// Note that if autoupdate is enabled, the uptime is reset when a new client\n\t\t// release is available\n\t\tresp := &OriginUpTime{StartTime: startTime, UpTime: time.Now().Sub(startTime).String()}\n\t\trespJson, err := json.Marshal(resp)\n\t\tif err != nil {\n\t\t\tw.WriteHeader(http.StatusInternalServerError)\n\t\t} else {\n\t\t\tw.Header().Set(\"Content-Type\", \"application/json\")\n\t\t\t_, _ = w.Write(respJson)\n\t\t}\n\t}\n}\n\n// This handler will echo message\nfunc websocketHandler(log *zerolog.Logger, upgrader websocket.Upgrader) http.HandlerFunc {\n\treturn func(w http.ResponseWriter, r *http.Request) {\n\t\t// This addresses the issue of r.Host includes port but origin header doesn't\n\t\thost, _, err := net.SplitHostPort(r.Host)\n\t\tif err == nil {\n\t\t\tr.Host = host\n\t\t}\n\n\t\tconn, err := upgrader.Upgrade(w, r, nil)\n\t\tif err != nil {\n\t\t\tlog.Err(err).Msg(\"failed to upgrade to websocket connection\")\n\t\t\treturn\n\t\t}\n\t\tdefer conn.Close()\n\t\tfor {\n\t\t\tmt, message, err := conn.ReadMessage()\n\t\t\tif err != nil {\n\t\t\t\tlog.Err(err).Msg(\"websocket read message error\")\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t\tif err := conn.WriteMessage(mt, message); err != nil {\n\t\t\t\tlog.Err(err).Msg(\"websocket write message error\")\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc sseHandler(log *zerolog.Logger) http.HandlerFunc {\n\treturn func(w http.ResponseWriter, r *http.Request) {\n\t\tw.Header().Set(\"Content-Type\", \"text/event-stream; charset=utf-8\")\n\t\tflusher, ok := w.(http.Flusher)\n\t\tif !ok {\n\t\t\tw.WriteHeader(http.StatusInternalServerError)\n\t\t\tlog.Error().Msgf(\"Can't support SSE. ResponseWriter %T doesn't implement http.Flusher interface\", w)\n\t\t\treturn\n\t\t}\n\n\t\tfreq := defaultSSEFreq\n\t\tif requestedFreq := r.URL.Query()[\"freq\"]; len(requestedFreq) > 0 {\n\t\t\tparsedFreq, err := time.ParseDuration(requestedFreq[0])\n\t\t\tif err == nil {\n\t\t\t\tfreq = parsedFreq\n\t\t\t}\n\t\t}\n\t\tlog.Info().Msgf(\"Server Sent Events every %s\", freq)\n\t\tticker := time.NewTicker(freq)\n\t\tcounter := 0\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-r.Context().Done():\n\t\t\t\treturn\n\t\t\tcase <-ticker.C:\n\t\t\t}\n\t\t\t_, err := fmt.Fprintf(w, \"%d\\n\\n\", counter)\n\t\t\tif err != nil {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tflusher.Flush()\n\t\t\tcounter++\n\t\t}\n\t}\n}\n\nfunc healthHandler() http.HandlerFunc {\n\treturn func(w http.ResponseWriter, r *http.Request) {\n\t\tw.Write([]byte(\"ok\"))\n\t}\n}\n\nfunc rootHandler(serverName string) http.HandlerFunc {\n\tresponseTemplate := template.Must(template.New(\"index\").Parse(indexTemplate))\n\treturn func(w http.ResponseWriter, r *http.Request) {\n\t\tvar buffer bytes.Buffer\n\t\tvar body string\n\t\trawBody, err := io.ReadAll(r.Body)\n\t\tif err == nil {\n\t\t\tbody = string(rawBody)\n\t\t} else {\n\t\t\tbody = \"\"\n\t\t}\n\t\terr = responseTemplate.Execute(&buffer, &templateData{\n\t\t\tServerName: serverName,\n\t\t\tRequest: r,\n\t\t\tBody: body,\n\t\t})\n\t\tif err != nil {\n\t\t\tw.WriteHeader(http.StatusInternalServerError)\n\t\t\t_, _ = fmt.Fprintf(w, \"error: %v\", err)\n\t\t} else {\n\t\t\t_, _ = buffer.WriteTo(w)\n\t\t}\n\t}\n}\n" }, { "path": "hello/hello_test.go", "content": "package hello\n\nimport (\n\t\"testing\"\n)\n\nfunc TestCreateTLSListenerHostAndPortSuccess(t *testing.T) {\n\tlistener, err := CreateTLSListener(\"localhost:1234\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer listener.Close()\n\tif listener.Addr().String() == \"\" {\n\t\tt.Fatal(\"Fail to find available port\")\n\t}\n}\n\nfunc TestCreateTLSListenerOnlyHostSuccess(t *testing.T) {\n\tlistener, err := CreateTLSListener(\"localhost:\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer listener.Close()\n\tif listener.Addr().String() == \"\" {\n\t\tt.Fatal(\"Fail to find available port\")\n\t}\n}\n\nfunc TestCreateTLSListenerOnlyPortSuccess(t *testing.T) {\n\tlistener, err := CreateTLSListener(\"localhost:8888\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer listener.Close()\n\tif listener.Addr().String() == \"\" {\n\t\tt.Fatal(\"Fail to find available port\")\n\t}\n}\n" }, { "path": "ingress/config.go", "content": "package ingress\n\nimport (\n\t\"encoding/json\"\n\t\"time\"\n\n\t\"github.com/urfave/cli/v2\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/ipaccess\"\n\t\"github.com/cloudflare/cloudflared/tlsconfig\"\n)\n\nvar (\n\tdefaultHTTPConnectTimeout = config.CustomDuration{Duration: 30 * time.Second}\n\tdefaultWarpRoutingConnectTimeout = config.CustomDuration{Duration: 5 * time.Second}\n\tdefaultTLSTimeout = config.CustomDuration{Duration: 10 * time.Second}\n\tdefaultTCPKeepAlive = config.CustomDuration{Duration: 30 * time.Second}\n\tdefaultKeepAliveTimeout = config.CustomDuration{Duration: 90 * time.Second}\n)\n\nconst (\n\tdefaultProxyAddress = \"127.0.0.1\"\n\tdefaultKeepAliveConnections = 100\n\tdefaultMaxActiveFlows = 0 // unlimited\n\tSSHServerFlag = \"ssh-server\"\n\tSocks5Flag = \"socks5\"\n\tProxyConnectTimeoutFlag = \"proxy-connect-timeout\"\n\tProxyTLSTimeoutFlag = \"proxy-tls-timeout\"\n\tProxyTCPKeepAliveFlag = \"proxy-tcp-keepalive\"\n\tProxyNoHappyEyeballsFlag = \"proxy-no-happy-eyeballs\"\n\tProxyKeepAliveConnectionsFlag = \"proxy-keepalive-connections\"\n\tProxyKeepAliveTimeoutFlag = \"proxy-keepalive-timeout\"\n\tHTTPHostHeaderFlag = \"http-host-header\"\n\tOriginServerNameFlag = \"origin-server-name\"\n\tMatchSNIToHostFlag = \"match-sni-to-host\"\n\tNoTLSVerifyFlag = \"no-tls-verify\"\n\tNoChunkedEncodingFlag = \"no-chunked-encoding\"\n\tProxyAddressFlag = \"proxy-address\"\n\tProxyPortFlag = \"proxy-port\"\n\tHttp2OriginFlag = \"http2-origin\"\n)\n\nconst (\n\tsocksProxy = \"socks\"\n)\n\ntype WarpRoutingConfig struct {\n\tConnectTimeout config.CustomDuration `yaml:\"connectTimeout\" json:\"connectTimeout,omitempty\"`\n\tMaxActiveFlows uint64 `yaml:\"maxActiveFlows\" json:\"MaxActiveFlows,omitempty\"`\n\tTCPKeepAlive config.CustomDuration `yaml:\"tcpKeepAlive\" json:\"tcpKeepAlive,omitempty\"`\n}\n\nfunc NewWarpRoutingConfig(raw *config.WarpRoutingConfig) WarpRoutingConfig {\n\tcfg := WarpRoutingConfig{\n\t\tConnectTimeout: defaultWarpRoutingConnectTimeout,\n\t\tMaxActiveFlows: defaultMaxActiveFlows,\n\t\tTCPKeepAlive: defaultTCPKeepAlive,\n\t}\n\tif raw.ConnectTimeout != nil {\n\t\tcfg.ConnectTimeout = *raw.ConnectTimeout\n\t}\n\tif raw.MaxActiveFlows != nil {\n\t\tcfg.MaxActiveFlows = *raw.MaxActiveFlows\n\t}\n\tif raw.TCPKeepAlive != nil {\n\t\tcfg.TCPKeepAlive = *raw.TCPKeepAlive\n\t}\n\treturn cfg\n}\n\nfunc (c *WarpRoutingConfig) RawConfig() config.WarpRoutingConfig {\n\traw := config.WarpRoutingConfig{}\n\tif c.ConnectTimeout.Duration != defaultWarpRoutingConnectTimeout.Duration {\n\t\traw.ConnectTimeout = &c.ConnectTimeout\n\t}\n\tif c.MaxActiveFlows != defaultMaxActiveFlows {\n\t\traw.MaxActiveFlows = &c.MaxActiveFlows\n\t}\n\tif c.TCPKeepAlive.Duration != defaultTCPKeepAlive.Duration {\n\t\traw.TCPKeepAlive = &c.TCPKeepAlive\n\t}\n\treturn raw\n}\n\n// RemoteConfig models ingress settings that can be managed remotely, for example through the dashboard.\ntype RemoteConfig struct {\n\tIngress Ingress\n\tWarpRouting WarpRoutingConfig\n}\n\ntype RemoteConfigJSON struct {\n\tGlobalOriginRequest *config.OriginRequestConfig `json:\"originRequest,omitempty\"`\n\tIngressRules []config.UnvalidatedIngressRule `json:\"ingress\"`\n\tWarpRouting config.WarpRoutingConfig `json:\"warp-routing\"`\n}\n\nfunc (rc *RemoteConfig) UnmarshalJSON(b []byte) error {\n\tvar rawConfig RemoteConfigJSON\n\n\tif err := json.Unmarshal(b, &rawConfig); err != nil {\n\t\treturn err\n\t}\n\n\t// if nil, just assume the default values.\n\tglobalOriginRequestConfig := rawConfig.GlobalOriginRequest\n\tif globalOriginRequestConfig == nil {\n\t\tglobalOriginRequestConfig = &config.OriginRequestConfig{}\n\t}\n\n\tingress, err := validateIngress(rawConfig.IngressRules, originRequestFromConfig(*globalOriginRequestConfig))\n\tif err != nil {\n\t\treturn err\n\t}\n\n\trc.Ingress = ingress\n\trc.WarpRouting = NewWarpRoutingConfig(&rawConfig.WarpRouting)\n\n\treturn nil\n}\n\nfunc originRequestFromSingleRule(c *cli.Context) OriginRequestConfig {\n\tvar connectTimeout = defaultHTTPConnectTimeout\n\tvar tlsTimeout = defaultTLSTimeout\n\tvar tcpKeepAlive = defaultTCPKeepAlive\n\tvar noHappyEyeballs bool\n\tvar keepAliveConnections = defaultKeepAliveConnections\n\tvar keepAliveTimeout = defaultKeepAliveTimeout\n\tvar httpHostHeader string\n\tvar originServerName string\n\tvar matchSNItoHost bool\n\tvar caPool string\n\tvar noTLSVerify bool\n\tvar disableChunkedEncoding bool\n\tvar bastionMode bool\n\tvar proxyAddress = defaultProxyAddress\n\tvar proxyPort uint\n\tvar proxyType string\n\tvar http2Origin bool\n\tif flag := ProxyConnectTimeoutFlag; c.IsSet(flag) {\n\t\tconnectTimeout = config.CustomDuration{Duration: c.Duration(flag)}\n\t}\n\tif flag := ProxyTLSTimeoutFlag; c.IsSet(flag) {\n\t\ttlsTimeout = config.CustomDuration{Duration: c.Duration(flag)}\n\t}\n\tif flag := ProxyTCPKeepAliveFlag; c.IsSet(flag) {\n\t\ttcpKeepAlive = config.CustomDuration{Duration: c.Duration(flag)}\n\t}\n\tif flag := ProxyNoHappyEyeballsFlag; c.IsSet(flag) {\n\t\tnoHappyEyeballs = c.Bool(flag)\n\t}\n\tif flag := ProxyKeepAliveConnectionsFlag; c.IsSet(flag) {\n\t\tkeepAliveConnections = c.Int(flag)\n\t}\n\tif flag := ProxyKeepAliveTimeoutFlag; c.IsSet(flag) {\n\t\tkeepAliveTimeout = config.CustomDuration{Duration: c.Duration(flag)}\n\t}\n\tif flag := HTTPHostHeaderFlag; c.IsSet(flag) {\n\t\thttpHostHeader = c.String(flag)\n\t}\n\tif flag := OriginServerNameFlag; c.IsSet(flag) {\n\t\toriginServerName = c.String(flag)\n\t}\n\tif flag := MatchSNIToHostFlag; c.IsSet(flag) {\n\t\tmatchSNItoHost = c.Bool(flag)\n\t}\n\tif flag := tlsconfig.OriginCAPoolFlag; c.IsSet(flag) {\n\t\tcaPool = c.String(flag)\n\t}\n\tif flag := NoTLSVerifyFlag; c.IsSet(flag) {\n\t\tnoTLSVerify = c.Bool(flag)\n\t}\n\tif flag := NoChunkedEncodingFlag; c.IsSet(flag) {\n\t\tdisableChunkedEncoding = c.Bool(flag)\n\t}\n\tif flag := config.BastionFlag; c.IsSet(flag) {\n\t\tbastionMode = c.Bool(flag)\n\t}\n\tif flag := ProxyAddressFlag; c.IsSet(flag) {\n\t\tproxyAddress = c.String(flag)\n\t}\n\tif flag := ProxyPortFlag; c.IsSet(flag) {\n\t\t// Note TUN-3758 , we use Int because UInt is not supported with altsrc\n\t\t// nolint: gosec\n\t\tproxyPort = uint(c.Int(flag))\n\t}\n\tif flag := Http2OriginFlag; c.IsSet(flag) {\n\t\thttp2Origin = c.Bool(flag)\n\t}\n\tif c.IsSet(Socks5Flag) {\n\t\tproxyType = socksProxy\n\t}\n\n\treturn OriginRequestConfig{\n\t\tConnectTimeout: connectTimeout,\n\t\tTLSTimeout: tlsTimeout,\n\t\tTCPKeepAlive: tcpKeepAlive,\n\t\tNoHappyEyeballs: noHappyEyeballs,\n\t\tKeepAliveConnections: keepAliveConnections,\n\t\tKeepAliveTimeout: keepAliveTimeout,\n\t\tHTTPHostHeader: httpHostHeader,\n\t\tOriginServerName: originServerName,\n\t\tMatchSNIToHost: matchSNItoHost,\n\t\tCAPool: caPool,\n\t\tNoTLSVerify: noTLSVerify,\n\t\tDisableChunkedEncoding: disableChunkedEncoding,\n\t\tBastionMode: bastionMode,\n\t\tProxyAddress: proxyAddress,\n\t\tProxyPort: proxyPort,\n\t\tProxyType: proxyType,\n\t\tHttp2Origin: http2Origin,\n\t}\n}\n\nfunc originRequestFromConfig(c config.OriginRequestConfig) OriginRequestConfig {\n\tout := OriginRequestConfig{\n\t\tConnectTimeout: defaultHTTPConnectTimeout,\n\t\tTLSTimeout: defaultTLSTimeout,\n\t\tTCPKeepAlive: defaultTCPKeepAlive,\n\t\tKeepAliveConnections: defaultKeepAliveConnections,\n\t\tKeepAliveTimeout: defaultKeepAliveTimeout,\n\t\tProxyAddress: defaultProxyAddress,\n\t}\n\tif c.ConnectTimeout != nil {\n\t\tout.ConnectTimeout = *c.ConnectTimeout\n\t}\n\tif c.TLSTimeout != nil {\n\t\tout.TLSTimeout = *c.TLSTimeout\n\t}\n\tif c.TCPKeepAlive != nil {\n\t\tout.TCPKeepAlive = *c.TCPKeepAlive\n\t}\n\tif c.NoHappyEyeballs != nil {\n\t\tout.NoHappyEyeballs = *c.NoHappyEyeballs\n\t}\n\tif c.KeepAliveConnections != nil {\n\t\tout.KeepAliveConnections = *c.KeepAliveConnections\n\t}\n\tif c.KeepAliveTimeout != nil {\n\t\tout.KeepAliveTimeout = *c.KeepAliveTimeout\n\t}\n\tif c.HTTPHostHeader != nil {\n\t\tout.HTTPHostHeader = *c.HTTPHostHeader\n\t}\n\tif c.OriginServerName != nil {\n\t\tout.OriginServerName = *c.OriginServerName\n\t}\n\tif c.MatchSNIToHost != nil {\n\t\tout.MatchSNIToHost = *c.MatchSNIToHost\n\t}\n\tif c.CAPool != nil {\n\t\tout.CAPool = *c.CAPool\n\t}\n\tif c.NoTLSVerify != nil {\n\t\tout.NoTLSVerify = *c.NoTLSVerify\n\t}\n\tif c.DisableChunkedEncoding != nil {\n\t\tout.DisableChunkedEncoding = *c.DisableChunkedEncoding\n\t}\n\tif c.BastionMode != nil {\n\t\tout.BastionMode = *c.BastionMode\n\t}\n\tif c.ProxyAddress != nil {\n\t\tout.ProxyAddress = *c.ProxyAddress\n\t}\n\tif c.ProxyPort != nil {\n\t\tout.ProxyPort = *c.ProxyPort\n\t}\n\tif c.ProxyType != nil {\n\t\tout.ProxyType = *c.ProxyType\n\t}\n\tif len(c.IPRules) > 0 {\n\t\tfor _, r := range c.IPRules {\n\t\t\trule, err := ipaccess.NewRuleByCIDR(r.Prefix, r.Ports, r.Allow)\n\t\t\tif err == nil {\n\t\t\t\tout.IPRules = append(out.IPRules, rule)\n\t\t\t}\n\t\t}\n\t}\n\tif c.Http2Origin != nil {\n\t\tout.Http2Origin = *c.Http2Origin\n\t}\n\tif c.Access != nil {\n\t\tout.Access = *c.Access\n\t}\n\treturn out\n}\n\n// OriginRequestConfig configures how Cloudflared sends requests to origin\n// services.\n// Note: To specify a time.Duration in go-yaml, use e.g. \"3s\" or \"24h\".\ntype OriginRequestConfig struct {\n\t// HTTP proxy timeout for establishing a new connection\n\tConnectTimeout config.CustomDuration `yaml:\"connectTimeout\" json:\"connectTimeout\"`\n\t// HTTP proxy timeout for completing a TLS handshake\n\tTLSTimeout config.CustomDuration `yaml:\"tlsTimeout\" json:\"tlsTimeout\"`\n\t// HTTP proxy TCP keepalive duration\n\tTCPKeepAlive config.CustomDuration `yaml:\"tcpKeepAlive\" json:\"tcpKeepAlive\"`\n\t// HTTP proxy should disable \"happy eyeballs\" for IPv4/v6 fallback\n\tNoHappyEyeballs bool `yaml:\"noHappyEyeballs\" json:\"noHappyEyeballs\"`\n\t// HTTP proxy timeout for closing an idle connection\n\tKeepAliveTimeout config.CustomDuration `yaml:\"keepAliveTimeout\" json:\"keepAliveTimeout\"`\n\t// HTTP proxy maximum keepalive connection pool size\n\tKeepAliveConnections int `yaml:\"keepAliveConnections\" json:\"keepAliveConnections\"`\n\t// Sets the HTTP Host header for the local webserver.\n\tHTTPHostHeader string `yaml:\"httpHostHeader\" json:\"httpHostHeader\"`\n\t// Hostname on the origin server certificate.\n\tOriginServerName string `yaml:\"originServerName\" json:\"originServerName\"`\n\t// Auto configure the Hostname on the origin server certificate.\n\tMatchSNIToHost bool `yaml:\"matchSNItoHost\" json:\"matchSNItoHost\"`\n\t// Path to the CA for the certificate of your origin.\n\t// This option should be used only if your certificate is not signed by Cloudflare.\n\tCAPool string `yaml:\"caPool\" json:\"caPool\"`\n\t// Disables TLS verification of the certificate presented by your origin.\n\t// Will allow any certificate from the origin to be accepted.\n\t// Note: The connection from your machine to Cloudflare's Edge is still encrypted.\n\tNoTLSVerify bool `yaml:\"noTLSVerify\" json:\"noTLSVerify\"`\n\t// Disables chunked transfer encoding.\n\t// Useful if you are running a WSGI server.\n\tDisableChunkedEncoding bool `yaml:\"disableChunkedEncoding\" json:\"disableChunkedEncoding\"`\n\t// Runs as jump host\n\tBastionMode bool `yaml:\"bastionMode\" json:\"bastionMode\"`\n\t// Listen address for the proxy.\n\tProxyAddress string `yaml:\"proxyAddress\" json:\"proxyAddress\"`\n\t// Listen port for the proxy.\n\tProxyPort uint `yaml:\"proxyPort\" json:\"proxyPort\"`\n\t// What sort of proxy should be started\n\tProxyType string `yaml:\"proxyType\" json:\"proxyType\"`\n\t// IP rules for the proxy service\n\tIPRules []ipaccess.Rule `yaml:\"ipRules\" json:\"ipRules\"`\n\t// Attempt to connect to origin with HTTP/2\n\tHttp2Origin bool `yaml:\"http2Origin\" json:\"http2Origin\"`\n\n\t// Access holds all access related configs\n\tAccess config.AccessConfig `yaml:\"access\" json:\"access,omitempty\"`\n}\n\nfunc (defaults *OriginRequestConfig) setConnectTimeout(overrides config.OriginRequestConfig) {\n\tif val := overrides.ConnectTimeout; val != nil {\n\t\tdefaults.ConnectTimeout = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setTLSTimeout(overrides config.OriginRequestConfig) {\n\tif val := overrides.TLSTimeout; val != nil {\n\t\tdefaults.TLSTimeout = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setNoHappyEyeballs(overrides config.OriginRequestConfig) {\n\tif val := overrides.NoHappyEyeballs; val != nil {\n\t\tdefaults.NoHappyEyeballs = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setKeepAliveConnections(overrides config.OriginRequestConfig) {\n\tif val := overrides.KeepAliveConnections; val != nil {\n\t\tdefaults.KeepAliveConnections = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setKeepAliveTimeout(overrides config.OriginRequestConfig) {\n\tif val := overrides.KeepAliveTimeout; val != nil {\n\t\tdefaults.KeepAliveTimeout = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setTCPKeepAlive(overrides config.OriginRequestConfig) {\n\tif val := overrides.TCPKeepAlive; val != nil {\n\t\tdefaults.TCPKeepAlive = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setHTTPHostHeader(overrides config.OriginRequestConfig) {\n\tif val := overrides.HTTPHostHeader; val != nil {\n\t\tdefaults.HTTPHostHeader = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setOriginServerName(overrides config.OriginRequestConfig) {\n\tif val := overrides.OriginServerName; val != nil {\n\t\tdefaults.OriginServerName = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setMatchSNIToHost(overrides config.OriginRequestConfig) {\n\tif val := overrides.MatchSNIToHost; val != nil {\n\t\tdefaults.MatchSNIToHost = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setCAPool(overrides config.OriginRequestConfig) {\n\tif val := overrides.CAPool; val != nil {\n\t\tdefaults.CAPool = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setNoTLSVerify(overrides config.OriginRequestConfig) {\n\tif val := overrides.NoTLSVerify; val != nil {\n\t\tdefaults.NoTLSVerify = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setDisableChunkedEncoding(overrides config.OriginRequestConfig) {\n\tif val := overrides.DisableChunkedEncoding; val != nil {\n\t\tdefaults.DisableChunkedEncoding = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setBastionMode(overrides config.OriginRequestConfig) {\n\tif val := overrides.BastionMode; val != nil {\n\t\tdefaults.BastionMode = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setProxyPort(overrides config.OriginRequestConfig) {\n\tif val := overrides.ProxyPort; val != nil {\n\t\tdefaults.ProxyPort = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setProxyAddress(overrides config.OriginRequestConfig) {\n\tif val := overrides.ProxyAddress; val != nil {\n\t\tdefaults.ProxyAddress = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setProxyType(overrides config.OriginRequestConfig) {\n\tif val := overrides.ProxyType; val != nil {\n\t\tdefaults.ProxyType = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setIPRules(overrides config.OriginRequestConfig) {\n\tif val := overrides.IPRules; len(val) > 0 {\n\t\tipAccessRule := make([]ipaccess.Rule, len(overrides.IPRules))\n\t\tfor i, r := range overrides.IPRules {\n\t\t\trule, err := ipaccess.NewRuleByCIDR(r.Prefix, r.Ports, r.Allow)\n\t\t\tif err == nil {\n\t\t\t\tipAccessRule[i] = rule\n\t\t\t}\n\t\t}\n\t\tdefaults.IPRules = ipAccessRule\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setHttp2Origin(overrides config.OriginRequestConfig) {\n\tif val := overrides.Http2Origin; val != nil {\n\t\tdefaults.Http2Origin = *val\n\t}\n}\n\nfunc (defaults *OriginRequestConfig) setAccess(overrides config.OriginRequestConfig) {\n\tif val := overrides.Access; val != nil {\n\t\tdefaults.Access = *val\n\t}\n}\n\n// SetConfig gets config for the requests that cloudflared sends to origins.\n// Each field has a setter method which sets a value for the field by trying to find:\n// 1. The user config for this rule\n// 2. The user config for the overall ingress config\n// 3. Defaults chosen by the cloudflared team\n// 4. Golang zero values for that type\n//\n// If an earlier option isn't set, it will try the next option down.\nfunc setConfig(defaults OriginRequestConfig, overrides config.OriginRequestConfig) OriginRequestConfig {\n\tcfg := defaults\n\tcfg.setConnectTimeout(overrides)\n\tcfg.setTLSTimeout(overrides)\n\tcfg.setNoHappyEyeballs(overrides)\n\tcfg.setKeepAliveConnections(overrides)\n\tcfg.setKeepAliveTimeout(overrides)\n\tcfg.setTCPKeepAlive(overrides)\n\tcfg.setHTTPHostHeader(overrides)\n\tcfg.setOriginServerName(overrides)\n\tcfg.setMatchSNIToHost(overrides)\n\tcfg.setCAPool(overrides)\n\tcfg.setNoTLSVerify(overrides)\n\tcfg.setDisableChunkedEncoding(overrides)\n\tcfg.setBastionMode(overrides)\n\tcfg.setProxyPort(overrides)\n\tcfg.setProxyAddress(overrides)\n\tcfg.setProxyType(overrides)\n\tcfg.setIPRules(overrides)\n\tcfg.setHttp2Origin(overrides)\n\tcfg.setAccess(overrides)\n\n\treturn cfg\n}\n\nfunc ConvertToRawOriginConfig(c OriginRequestConfig) config.OriginRequestConfig {\n\tvar connectTimeout *config.CustomDuration\n\tvar tlsTimeout *config.CustomDuration\n\tvar tcpKeepAlive *config.CustomDuration\n\tvar keepAliveConnections *int\n\tvar keepAliveTimeout *config.CustomDuration\n\tvar proxyAddress *string\n\tvar access *config.AccessConfig\n\n\tif c.ConnectTimeout != defaultHTTPConnectTimeout {\n\t\tconnectTimeout = &c.ConnectTimeout\n\t}\n\tif c.TLSTimeout != defaultTLSTimeout {\n\t\ttlsTimeout = &c.TLSTimeout\n\t}\n\tif c.TCPKeepAlive != defaultTCPKeepAlive {\n\t\ttcpKeepAlive = &c.TCPKeepAlive\n\t}\n\tif c.KeepAliveConnections != defaultKeepAliveConnections {\n\t\tkeepAliveConnections = &c.KeepAliveConnections\n\t}\n\tif c.KeepAliveTimeout != defaultKeepAliveTimeout {\n\t\tkeepAliveTimeout = &c.KeepAliveTimeout\n\t}\n\tif c.ProxyAddress != defaultProxyAddress {\n\t\tproxyAddress = &c.ProxyAddress\n\t}\n\tif c.Access.Required {\n\t\taccess = &c.Access\n\t}\n\n\treturn config.OriginRequestConfig{\n\t\tConnectTimeout: connectTimeout,\n\t\tTLSTimeout: tlsTimeout,\n\t\tTCPKeepAlive: tcpKeepAlive,\n\t\tNoHappyEyeballs: defaultBoolToNil(c.NoHappyEyeballs),\n\t\tKeepAliveConnections: keepAliveConnections,\n\t\tKeepAliveTimeout: keepAliveTimeout,\n\t\tHTTPHostHeader: emptyStringToNil(c.HTTPHostHeader),\n\t\tOriginServerName: emptyStringToNil(c.OriginServerName),\n\t\tMatchSNIToHost: defaultBoolToNil(c.MatchSNIToHost),\n\t\tCAPool: emptyStringToNil(c.CAPool),\n\t\tNoTLSVerify: defaultBoolToNil(c.NoTLSVerify),\n\t\tDisableChunkedEncoding: defaultBoolToNil(c.DisableChunkedEncoding),\n\t\tBastionMode: defaultBoolToNil(c.BastionMode),\n\t\tProxyAddress: proxyAddress,\n\t\tProxyPort: zeroUIntToNil(c.ProxyPort),\n\t\tProxyType: emptyStringToNil(c.ProxyType),\n\t\tIPRules: convertToRawIPRules(c.IPRules),\n\t\tHttp2Origin: defaultBoolToNil(c.Http2Origin),\n\t\tAccess: access,\n\t}\n}\n\nfunc convertToRawIPRules(ipRules []ipaccess.Rule) []config.IngressIPRule {\n\tresult := make([]config.IngressIPRule, 0)\n\tfor _, r := range ipRules {\n\t\tcidr := r.StringCIDR()\n\n\t\tnewRule := config.IngressIPRule{\n\t\t\tPrefix: &cidr,\n\t\t\tPorts: r.Ports(),\n\t\t\tAllow: r.RulePolicy(),\n\t\t}\n\n\t\tresult = append(result, newRule)\n\t}\n\n\treturn result\n}\n\nfunc defaultBoolToNil(b bool) *bool {\n\tif !b {\n\t\treturn nil\n\t}\n\n\treturn &b\n}\n\nfunc emptyStringToNil(s string) *string {\n\tif s == \"\" {\n\t\treturn nil\n\t}\n\n\treturn &s\n}\n\nfunc zeroUIntToNil(v uint) *uint {\n\tif v == 0 {\n\t\treturn nil\n\t}\n\n\treturn &v\n}\n" }, { "path": "ingress/config_test.go", "content": "package ingress\n\nimport (\n\t\"encoding/json\"\n\t\"flag\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/require\"\n\t\"github.com/urfave/cli/v2\"\n\tyaml \"gopkg.in/yaml.v3\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/ipaccess\"\n)\n\n// Ensure that the nullable config from `config` package and the\n// non-nullable config from `ingress` package have the same number of\n// fields.\n// This test ensures that programmers didn't add a new field to\n// one struct and forget to add it to the other ;)\nfunc TestCorrespondingFields(t *testing.T) {\n\trequire.Equal(\n\t\tt,\n\t\tCountFields(t, config.OriginRequestConfig{}),\n\t\tCountFields(t, OriginRequestConfig{}),\n\t)\n}\n\nfunc CountFields(t *testing.T, val interface{}) int {\n\tb, err := yaml.Marshal(val)\n\trequire.NoError(t, err)\n\tm := make(map[string]interface{}, 0)\n\terr = yaml.Unmarshal(b, &m)\n\trequire.NoError(t, err)\n\treturn len(m)\n}\n\nfunc TestUnmarshalRemoteConfigOverridesGlobal(t *testing.T) {\n\trawConfig := []byte(`\n{\n \"originRequest\": {\n \"connectTimeout\": 90,\n\t\t\"noHappyEyeballs\": true\n },\n \"ingress\": [\n {\n \"hostname\": \"jira.cfops.com\",\n \"service\": \"http://192.16.19.1:80\",\n \"originRequest\": {\n \"noTLSVerify\": true,\n \"connectTimeout\": 10\n }\n },\n {\n \"service\": \"http_status:404\"\n }\n ],\n \"warp-routing\": {\n \"enabled\": true\n }\n}\t\n`)\n\tvar remoteConfig RemoteConfig\n\terr := json.Unmarshal(rawConfig, &remoteConfig)\n\trequire.NoError(t, err)\n\trequire.True(t, remoteConfig.Ingress.Rules[0].Config.NoTLSVerify)\n\trequire.True(t, remoteConfig.Ingress.Defaults.NoHappyEyeballs)\n}\n\nfunc TestOriginRequestConfigOverrides(t *testing.T) {\n\tvalidate := func(ing Ingress) {\n\t\t// Rule 0 didn't override anything, so it inherits the user-specified\n\t\t// root-level configuration.\n\t\tactual0 := ing.Rules[0].Config\n\t\texpected0 := OriginRequestConfig{\n\t\t\tConnectTimeout: config.CustomDuration{Duration: 1 * time.Minute},\n\t\t\tTLSTimeout: config.CustomDuration{Duration: 1 * time.Second},\n\t\t\tTCPKeepAlive: config.CustomDuration{Duration: 1 * time.Second},\n\t\t\tNoHappyEyeballs: true,\n\t\t\tKeepAliveTimeout: config.CustomDuration{Duration: 1 * time.Second},\n\t\t\tKeepAliveConnections: 1,\n\t\t\tHTTPHostHeader: \"abc\",\n\t\t\tOriginServerName: \"a1\",\n\t\t\tCAPool: \"/tmp/path0\",\n\t\t\tNoTLSVerify: true,\n\t\t\tDisableChunkedEncoding: true,\n\t\t\tBastionMode: true,\n\t\t\tProxyAddress: \"127.1.2.3\",\n\t\t\tProxyPort: uint(100),\n\t\t\tProxyType: \"socks5\",\n\t\t\tIPRules: []ipaccess.Rule{\n\t\t\t\tnewIPRule(t, \"10.0.0.0/8\", []int{80, 8080}, false),\n\t\t\t\tnewIPRule(t, \"fc00::/7\", []int{443, 4443}, true),\n\t\t\t},\n\t\t}\n\t\trequire.Equal(t, expected0, actual0)\n\n\t\t// Rule 1 overrode all the root-level config.\n\t\tactual1 := ing.Rules[1].Config\n\t\texpected1 := OriginRequestConfig{\n\t\t\tConnectTimeout: config.CustomDuration{Duration: 2 * time.Minute},\n\t\t\tTLSTimeout: config.CustomDuration{Duration: 2 * time.Second},\n\t\t\tTCPKeepAlive: config.CustomDuration{Duration: 2 * time.Second},\n\t\t\tNoHappyEyeballs: false,\n\t\t\tKeepAliveTimeout: config.CustomDuration{Duration: 2 * time.Second},\n\t\t\tKeepAliveConnections: 2,\n\t\t\tHTTPHostHeader: \"def\",\n\t\t\tOriginServerName: \"b2\",\n\t\t\tCAPool: \"/tmp/path1\",\n\t\t\tNoTLSVerify: false,\n\t\t\tDisableChunkedEncoding: false,\n\t\t\tBastionMode: false,\n\t\t\tProxyAddress: \"interface\",\n\t\t\tProxyPort: uint(200),\n\t\t\tProxyType: \"\",\n\t\t\tIPRules: []ipaccess.Rule{\n\t\t\t\tnewIPRule(t, \"10.0.0.0/16\", []int{3000, 3030}, false),\n\t\t\t\tnewIPRule(t, \"192.16.0.0/24\", []int{5000, 5050}, true),\n\t\t\t},\n\t\t}\n\t\trequire.Equal(t, expected1, actual1)\n\t}\n\n\trulesYAML := `\noriginRequest:\n connectTimeout: 1m\n tlsTimeout: 1s\n noHappyEyeballs: true\n tcpKeepAlive: 1s\n keepAliveConnections: 1\n keepAliveTimeout: 1s\n httpHostHeader: abc\n originServerName: a1\n caPool: /tmp/path0\n noTLSVerify: true\n disableChunkedEncoding: true\n bastionMode: True\n proxyAddress: 127.1.2.3\n proxyPort: 100\n proxyType: socks5\n ipRules:\n - prefix: \"10.0.0.0/8\"\n ports:\n - 80\n - 8080\n allow: false\n - prefix: \"fc00::/7\"\n ports:\n - 443\n - 4443\n allow: true\ningress:\n- hostname: tun.example.com\n service: https://localhost:8000\n- hostname: \"*\"\n service: https://localhost:8001\n originRequest:\n connectTimeout: 2m\n tlsTimeout: 2s\n noHappyEyeballs: false\n tcpKeepAlive: 2s\n keepAliveConnections: 2\n keepAliveTimeout: 2s\n httpHostHeader: def\n originServerName: b2\n caPool: /tmp/path1\n noTLSVerify: false\n disableChunkedEncoding: false\n bastionMode: false\n proxyAddress: interface\n proxyPort: 200\n proxyType: \"\"\n ipRules:\n - prefix: \"10.0.0.0/16\"\n ports:\n - 3000\n - 3030\n allow: false\n - prefix: \"192.16.0.0/24\"\n ports:\n - 5000\n - 5050\n allow: true\n`\n\n\ting, err := ParseIngress(MustReadIngress(rulesYAML))\n\trequire.NoError(t, err)\n\tvalidate(ing)\n\n\trawConfig := []byte(`\n{\n \"originRequest\": {\n \"connectTimeout\": 60,\n\t\t\"tlsTimeout\": 1,\n\t\t\"noHappyEyeballs\": true,\n\t\t\"tcpKeepAlive\": 1,\n\t\t\"keepAliveConnections\": 1,\n\t\t\"keepAliveTimeout\": 1,\n\t\t\"httpHostHeader\": \"abc\",\n\t\t\"originServerName\": \"a1\",\n\t\t\"caPool\": \"/tmp/path0\",\n\t\t\"noTLSVerify\": true,\n\t\t\"disableChunkedEncoding\": true,\n\t\t\"bastionMode\": true,\n\t\t\"proxyAddress\": \"127.1.2.3\",\n\t\t\"proxyPort\": 100,\n\t\t\"proxyType\": \"socks5\",\n\t\t\"ipRules\": [\n\t\t\t{\n\t\t\t\t\"prefix\": \"10.0.0.0/8\",\n\t\t\t\t\"ports\": [80, 8080],\n\t\t\t\t\"allow\": false\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"prefix\": \"fc00::/7\",\n\t\t\t\t\"ports\": [443, 4443],\n\t\t\t\t\"allow\": true\n\t\t\t}\n\t\t]\n },\n \"ingress\": [\n {\n \"hostname\": \"tun.example.com\",\n \"service\": \"https://localhost:8000\"\n },\n {\n\t\t\t\"hostname\": \"*\",\n \"service\": \"https://localhost:8001\",\n\t\t\t\"originRequest\": {\n\t\t\t\t\"connectTimeout\": 120,\n\t\t\t\t\"tlsTimeout\": 2,\n\t\t\t\t\"noHappyEyeballs\": false,\n\t\t\t\t\"tcpKeepAlive\": 2,\n\t\t\t\t\"keepAliveConnections\": 2,\n\t\t\t\t\"keepAliveTimeout\": 2,\n\t\t\t\t\"httpHostHeader\": \"def\",\n\t\t\t\t\"originServerName\": \"b2\",\n\t\t\t\t\"caPool\": \"/tmp/path1\",\n\t\t\t\t\"noTLSVerify\": false,\n\t\t\t\t\"disableChunkedEncoding\": false,\n\t\t\t\t\"bastionMode\": false,\n\t\t\t\t\"proxyAddress\": \"interface\",\n\t\t\t\t\"proxyPort\": 200,\n\t\t\t\t\"proxyType\": \"\",\n\t\t\t\t\"ipRules\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"prefix\": \"10.0.0.0/16\",\n\t\t\t\t\t\t\"ports\": [3000, 3030],\n\t\t\t\t\t\t\"allow\": false\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\t\"prefix\": \"192.16.0.0/24\",\n\t\t\t\t\t\t\"ports\": [5000, 5050],\n\t\t\t\t\t\t\"allow\": true\n\t\t\t\t\t}\n\t\t\t\t]\n \t\t}\n }\n ],\n \"warp-routing\": {\n \"enabled\": true\n }\n}\t\n`)\n\tvar remoteConfig RemoteConfig\n\terr = json.Unmarshal(rawConfig, &remoteConfig)\n\trequire.NoError(t, err)\n\tvalidate(remoteConfig.Ingress)\n}\n\nfunc TestOriginRequestConfigDefaults(t *testing.T) {\n\tvalidate := func(ing Ingress) {\n\t\t// Rule 0 didn't override anything, so it inherits the cloudflared defaults\n\t\tactual0 := ing.Rules[0].Config\n\t\texpected0 := OriginRequestConfig{\n\t\t\tConnectTimeout: defaultHTTPConnectTimeout,\n\t\t\tTLSTimeout: defaultTLSTimeout,\n\t\t\tTCPKeepAlive: defaultTCPKeepAlive,\n\t\t\tKeepAliveConnections: defaultKeepAliveConnections,\n\t\t\tKeepAliveTimeout: defaultKeepAliveTimeout,\n\t\t\tProxyAddress: defaultProxyAddress,\n\t\t}\n\t\trequire.Equal(t, expected0, actual0)\n\n\t\t// Rule 1 overrode all defaults.\n\t\tactual1 := ing.Rules[1].Config\n\t\texpected1 := OriginRequestConfig{\n\t\t\tConnectTimeout: config.CustomDuration{Duration: 2 * time.Minute},\n\t\t\tTLSTimeout: config.CustomDuration{Duration: 2 * time.Second},\n\t\t\tTCPKeepAlive: config.CustomDuration{Duration: 2 * time.Second},\n\t\t\tNoHappyEyeballs: false,\n\t\t\tKeepAliveTimeout: config.CustomDuration{Duration: 2 * time.Second},\n\t\t\tKeepAliveConnections: 2,\n\t\t\tHTTPHostHeader: \"def\",\n\t\t\tOriginServerName: \"b2\",\n\t\t\tCAPool: \"/tmp/path1\",\n\t\t\tNoTLSVerify: false,\n\t\t\tDisableChunkedEncoding: false,\n\t\t\tBastionMode: false,\n\t\t\tProxyAddress: \"interface\",\n\t\t\tProxyPort: uint(200),\n\t\t\tProxyType: \"\",\n\t\t\tIPRules: []ipaccess.Rule{\n\t\t\t\tnewIPRule(t, \"10.0.0.0/16\", []int{3000, 3030}, false),\n\t\t\t\tnewIPRule(t, \"192.16.0.0/24\", []int{5000, 5050}, true),\n\t\t\t},\n\t\t}\n\t\trequire.Equal(t, expected1, actual1)\n\t}\n\n\trulesYAML := `\ningress:\n- hostname: tun.example.com\n service: https://localhost:8000\n- hostname: \"*\"\n service: https://localhost:8001\n originRequest:\n connectTimeout: 2m\n tlsTimeout: 2s\n noHappyEyeballs: false\n tcpKeepAlive: 2s\n keepAliveConnections: 2\n keepAliveTimeout: 2s\n httpHostHeader: def\n originServerName: b2\n caPool: /tmp/path1\n noTLSVerify: false\n disableChunkedEncoding: false\n bastionMode: false\n proxyAddress: interface\n proxyPort: 200\n proxyType: \"\"\n ipRules:\n - prefix: \"10.0.0.0/16\"\n ports:\n - 3000\n - 3030\n allow: false\n - prefix: \"192.16.0.0/24\"\n ports:\n - 5000\n - 5050\n allow: true\n`\n\ting, err := ParseIngress(MustReadIngress(rulesYAML))\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tvalidate(ing)\n\n\trawConfig := []byte(`\n{\n\t\"ingress\": [\n {\n \"hostname\": \"tun.example.com\",\n \"service\": \"https://localhost:8000\"\n },\n {\n\t\t\t\"hostname\": \"*\",\n \"service\": \"https://localhost:8001\",\n\t\t\t\"originRequest\": {\n\t\t\t\t\"connectTimeout\": 120,\n\t\t\t\t\"tlsTimeout\": 2,\n\t\t\t\t\"noHappyEyeballs\": false,\n\t\t\t\t\"tcpKeepAlive\": 2,\n\t\t\t\t\"keepAliveConnections\": 2,\n\t\t\t\t\"keepAliveTimeout\": 2,\n\t\t\t\t\"httpHostHeader\": \"def\",\n\t\t\t\t\"originServerName\": \"b2\",\n\t\t\t\t\"caPool\": \"/tmp/path1\",\n\t\t\t\t\"noTLSVerify\": false,\n\t\t\t\t\"disableChunkedEncoding\": false,\n\t\t\t\t\"bastionMode\": false,\n\t\t\t\t\"proxyAddress\": \"interface\",\n\t\t\t\t\"proxyPort\": 200,\n\t\t\t\t\"proxyType\": \"\",\n\t\t\t\t\"ipRules\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"prefix\": \"10.0.0.0/16\",\n\t\t\t\t\t\t\"ports\": [3000, 3030],\n\t\t\t\t\t\t\"allow\": false\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\t\"prefix\": \"192.16.0.0/24\",\n\t\t\t\t\t\t\"ports\": [5000, 5050],\n\t\t\t\t\t\t\"allow\": true\n\t\t\t\t\t}\n\t\t\t\t]\n\t\t\t}\n\t\t}\n\t]\n}\n`)\n\n\tvar remoteConfig RemoteConfig\n\terr = json.Unmarshal(rawConfig, &remoteConfig)\n\trequire.NoError(t, err)\n\tvalidate(remoteConfig.Ingress)\n}\n\nfunc TestDefaultConfigFromCLI(t *testing.T) {\n\tset := flag.NewFlagSet(\"contrive\", 0)\n\tc := cli.NewContext(nil, set, nil)\n\n\texpected := OriginRequestConfig{\n\t\tConnectTimeout: defaultHTTPConnectTimeout,\n\t\tTLSTimeout: defaultTLSTimeout,\n\t\tTCPKeepAlive: defaultTCPKeepAlive,\n\t\tKeepAliveConnections: defaultKeepAliveConnections,\n\t\tKeepAliveTimeout: defaultKeepAliveTimeout,\n\t\tProxyAddress: defaultProxyAddress,\n\t}\n\tactual := originRequestFromSingleRule(c)\n\trequire.Equal(t, expected, actual)\n}\n\nfunc newIPRule(t *testing.T, prefix string, ports []int, allow bool) ipaccess.Rule {\n\trule, err := ipaccess.NewRuleByCIDR(&prefix, ports, allow)\n\trequire.NoError(t, err)\n\treturn rule\n}\n" }, { "path": "ingress/constants_test.go", "content": "package ingress\n\nimport \"github.com/cloudflare/cloudflared/logger\"\n\nvar (\n\tTestLogger = logger.Create(nil)\n)\n" }, { "path": "ingress/icmp_darwin.go", "content": "//go:build darwin\n\npackage ingress\n\n// This file implements ICMPProxy for Darwin. It uses a non-privileged ICMP socket to send echo requests and listen for\n// echo replies. The source IP of the requests are rewritten to the bind IP of the socket and the socket reads all\n// messages, so we use echo ID to distinguish the replies. Each (source IP, destination IP, echo ID) is assigned a\n// unique echo ID.\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"math\"\n\t\"net/netip\"\n\t\"strconv\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\t\"go.opentelemetry.io/otel/attribute\"\n\t\"golang.org/x/net/icmp\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n)\n\ntype icmpProxy struct {\n\tsrcFunnelTracker *packet.FunnelTracker\n\techoIDTracker *echoIDTracker\n\tconn *icmp.PacketConn\n\tlogger *zerolog.Logger\n\tidleTimeout time.Duration\n}\n\n// echoIDTracker tracks which ID has been assigned. It first loops through assignment from lastAssignment to then end,\n// then from the beginning to lastAssignment.\n// ICMP echo are short lived. By the time an ID is revisited, it should have been released.\ntype echoIDTracker struct {\n\tlock sync.Mutex\n\t// maps the source IP, destination IP and original echo ID to a unique echo ID obtained from assignment\n\tmapping map[flow3Tuple]uint16\n\t// assignment tracks if an ID is assigned using index as the ID\n\t// The size of the array is math.MaxUint16 because echo ID is 2 bytes\n\tassignment [math.MaxUint16]bool\n\t// nextAssignment is the next number to check for assigment\n\tnextAssignment uint16\n}\n\nfunc newEchoIDTracker() *echoIDTracker {\n\treturn &echoIDTracker{\n\t\tmapping: make(map[flow3Tuple]uint16),\n\t}\n}\n\n// Get assignment or assign a new ID.\nfunc (eit *echoIDTracker) getOrAssign(key flow3Tuple) (id uint16, success bool) {\n\teit.lock.Lock()\n\tdefer eit.lock.Unlock()\n\tid, exists := eit.mapping[key]\n\tif exists {\n\t\treturn id, true\n\t}\n\n\tif eit.nextAssignment == math.MaxUint16 {\n\t\teit.nextAssignment = 0\n\t}\n\n\tfor i, assigned := range eit.assignment[eit.nextAssignment:] {\n\t\tif !assigned {\n\t\t\techoID := uint16(i) + eit.nextAssignment\n\t\t\teit.set(key, echoID)\n\t\t\treturn echoID, true\n\t\t}\n\t}\n\tfor i, assigned := range eit.assignment[0:eit.nextAssignment] {\n\t\tif !assigned {\n\t\t\techoID := uint16(i)\n\t\t\teit.set(key, echoID)\n\t\t\treturn echoID, true\n\t\t}\n\t}\n\treturn 0, false\n}\n\n// Caller should hold the lock\nfunc (eit *echoIDTracker) set(key flow3Tuple, assignedEchoID uint16) {\n\teit.assignment[assignedEchoID] = true\n\teit.mapping[key] = assignedEchoID\n\teit.nextAssignment = assignedEchoID + 1\n}\n\nfunc (eit *echoIDTracker) release(key flow3Tuple, assigned uint16) bool {\n\teit.lock.Lock()\n\tdefer eit.lock.Unlock()\n\n\tcurrentEchoID, exists := eit.mapping[key]\n\tif exists && assigned == currentEchoID {\n\t\tdelete(eit.mapping, key)\n\t\teit.assignment[assigned] = false\n\t\treturn true\n\t}\n\treturn false\n}\n\ntype echoFunnelID uint16\n\nfunc (snf echoFunnelID) Type() string {\n\treturn \"echoID\"\n}\n\nfunc (snf echoFunnelID) String() string {\n\treturn strconv.FormatUint(uint64(snf), 10)\n}\n\nfunc newICMPProxy(listenIP netip.Addr, logger *zerolog.Logger, idleTimeout time.Duration) (*icmpProxy, error) {\n\tconn, err := newICMPConn(listenIP)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tlogger.Info().Msgf(\"Created ICMP proxy listening on %s\", conn.LocalAddr())\n\treturn &icmpProxy{\n\t\tsrcFunnelTracker: packet.NewFunnelTracker(),\n\t\techoIDTracker: newEchoIDTracker(),\n\t\tconn: conn,\n\t\tlogger: logger,\n\t\tidleTimeout: idleTimeout,\n\t}, nil\n}\n\nfunc (ip *icmpProxy) Request(ctx context.Context, pk *packet.ICMP, responder ICMPResponder) error {\n\t_, span := responder.RequestSpan(ctx, pk)\n\tdefer responder.ExportSpan()\n\n\toriginalEcho, err := getICMPEcho(pk.Message)\n\tif err != nil {\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn err\n\t}\n\tobserveICMPRequest(ip.logger, span, pk.Src.String(), pk.Dst.String(), originalEcho.ID, originalEcho.Seq)\n\n\techoIDTrackerKey := flow3Tuple{\n\t\tsrcIP: pk.Src,\n\t\tdstIP: pk.Dst,\n\t\toriginalEchoID: originalEcho.ID,\n\t}\n\tassignedEchoID, success := ip.echoIDTracker.getOrAssign(echoIDTrackerKey)\n\tif !success {\n\t\terr := fmt.Errorf(\"failed to assign unique echo ID\")\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn err\n\t}\n\tspan.SetAttributes(attribute.Int(\"assignedEchoID\", int(assignedEchoID)))\n\n\tshouldReplaceFunnelFunc := createShouldReplaceFunnelFunc(ip.logger, responder, pk, originalEcho.ID)\n\tnewFunnelFunc := func() (packet.Funnel, error) {\n\t\toriginalEcho, err := getICMPEcho(pk.Message)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tcloseCallback := func() error {\n\t\t\tip.echoIDTracker.release(echoIDTrackerKey, assignedEchoID)\n\t\t\treturn nil\n\t\t}\n\t\ticmpFlow := newICMPEchoFlow(pk.Src, closeCallback, ip.conn, responder, int(assignedEchoID), originalEcho.ID)\n\t\treturn icmpFlow, nil\n\t}\n\tfunnelID := echoFunnelID(assignedEchoID)\n\tfunnel, isNew, err := ip.srcFunnelTracker.GetOrRegister(funnelID, shouldReplaceFunnelFunc, newFunnelFunc)\n\tif err != nil {\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn err\n\t}\n\tif isNew {\n\t\tspan.SetAttributes(attribute.Bool(\"newFlow\", true))\n\t\tip.logger.Debug().\n\t\t\tStr(\"src\", pk.Src.String()).\n\t\t\tStr(\"dst\", pk.Dst.String()).\n\t\t\tInt(\"originalEchoID\", originalEcho.ID).\n\t\t\tInt(\"assignedEchoID\", int(assignedEchoID)).\n\t\t\tMsg(\"New flow\")\n\t}\n\ticmpFlow, err := toICMPEchoFlow(funnel)\n\tif err != nil {\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn err\n\t}\n\n\terr = icmpFlow.sendToDst(pk.Dst, pk.Message)\n\tif err != nil {\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn err\n\t}\n\ttracing.End(span)\n\treturn nil\n}\n\n// Serve listens for responses to the requests until context is done\nfunc (ip *icmpProxy) Serve(ctx context.Context) error {\n\tgo func() {\n\t\t<-ctx.Done()\n\t\tip.conn.Close()\n\t}()\n\tgo func() {\n\t\tip.srcFunnelTracker.ScheduleCleanup(ctx, ip.idleTimeout)\n\t}()\n\tbuf := make([]byte, mtu)\n\ticmpDecoder := packet.NewICMPDecoder()\n\tfor {\n\t\tn, from, err := ip.conn.ReadFrom(buf)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treply, err := parseReply(from, buf[:n])\n\t\tif err != nil {\n\t\t\tip.logger.Debug().Err(err).Str(\"dst\", from.String()).Msg(\"Failed to parse ICMP reply, continue to parse as full packet\")\n\t\t\t// In unit test, we found out when the listener listens on 0.0.0.0, the socket reads the full packet after\n\t\t\t// the second reply\n\t\t\tif err := ip.handleFullPacket(ctx, icmpDecoder, buf[:n]); err != nil {\n\t\t\t\tip.logger.Debug().Err(err).Str(\"dst\", from.String()).Msg(\"Failed to parse ICMP reply as full packet\")\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\t\tif !isEchoReply(reply.msg) {\n\t\t\tip.logger.Debug().Str(\"dst\", from.String()).Msgf(\"Drop ICMP %s from reply\", reply.msg.Type)\n\t\t\tcontinue\n\t\t}\n\t\tif err := ip.sendReply(ctx, reply); err != nil {\n\t\t\tip.logger.Debug().Err(err).Str(\"dst\", from.String()).Msg(\"Failed to send ICMP reply\")\n\t\t\tcontinue\n\t\t}\n\t}\n}\n\nfunc (ip *icmpProxy) handleFullPacket(ctx context.Context, decoder *packet.ICMPDecoder, rawPacket []byte) error {\n\ticmpPacket, err := decoder.Decode(packet.RawPacket{Data: rawPacket})\n\tif err != nil {\n\t\treturn err\n\t}\n\techo, err := getICMPEcho(icmpPacket.Message)\n\tif err != nil {\n\t\treturn err\n\t}\n\treply := echoReply{\n\t\tfrom: icmpPacket.Src,\n\t\tmsg: icmpPacket.Message,\n\t\techo: echo,\n\t}\n\tif ip.sendReply(ctx, &reply); err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc (ip *icmpProxy) sendReply(ctx context.Context, reply *echoReply) error {\n\tfunnelID := echoFunnelID(reply.echo.ID)\n\tfunnel, ok := ip.srcFunnelTracker.Get(funnelID)\n\tif !ok {\n\t\treturn packet.ErrFunnelNotFound\n\t}\n\ticmpFlow, err := toICMPEchoFlow(funnel)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t_, span := icmpFlow.responder.ReplySpan(ctx, ip.logger)\n\tdefer icmpFlow.responder.ExportSpan()\n\n\tif err := icmpFlow.returnToSrc(reply); err != nil {\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn err\n\t}\n\tobserveICMPReply(ip.logger, span, reply.from.String(), reply.echo.ID, reply.echo.Seq)\n\tspan.SetAttributes(attribute.Int(\"originalEchoID\", icmpFlow.originalEchoID))\n\ttracing.End(span)\n\treturn nil\n}\n" }, { "path": "ingress/icmp_darwin_test.go", "content": "//go:build darwin\n\npackage ingress\n\nimport (\n\t\"math\"\n\t\"net/netip\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\nfunc TestSingleEchoIDTracker(t *testing.T) {\n\ttracker := newEchoIDTracker()\n\tkey := flow3Tuple{\n\t\tsrcIP: netip.MustParseAddr(\"172.16.0.1\"),\n\t\tdstIP: netip.MustParseAddr(\"172.16.0.2\"),\n\t\toriginalEchoID: 5182,\n\t}\n\n\t// not assigned yet, so nothing to release\n\trequire.False(t, tracker.release(key, 0))\n\n\techoID, ok := tracker.getOrAssign(key)\n\trequire.True(t, ok)\n\trequire.Equal(t, uint16(0), echoID)\n\n\t// Second time should return the same echo ID\n\techoID, ok = tracker.getOrAssign(key)\n\trequire.True(t, ok)\n\trequire.Equal(t, uint16(0), echoID)\n\n\t// releasing a different ID returns false\n\trequire.False(t, tracker.release(key, 1999))\n\trequire.True(t, tracker.release(key, echoID))\n\t// releasing the second time returns false\n\trequire.False(t, tracker.release(key, echoID))\n\n\t// Move to the next IP\n\techoID, ok = tracker.getOrAssign(key)\n\trequire.True(t, ok)\n\trequire.Equal(t, uint16(1), echoID)\n}\n\nfunc TestFullEchoIDTracker(t *testing.T) {\n\tvar (\n\t\tdstIP = netip.MustParseAddr(\"192.168.0.1\")\n\t\toriginalEchoID = 41820\n\t)\n\ttracker := newEchoIDTracker()\n\tfirstSrcIP := netip.MustParseAddr(\"172.16.0.1\")\n\tsrcIP := firstSrcIP\n\n\tfor i := uint16(0); i < math.MaxUint16; i++ {\n\t\tkey := flow3Tuple{\n\t\t\tsrcIP: srcIP,\n\t\t\tdstIP: dstIP,\n\t\t\toriginalEchoID: originalEchoID,\n\t\t}\n\t\techoID, ok := tracker.getOrAssign(key)\n\t\trequire.True(t, ok)\n\t\trequire.Equal(t, i, echoID)\n\n\t\techoID, ok = tracker.get(key)\n\t\trequire.True(t, ok)\n\t\trequire.Equal(t, i, echoID)\n\n\t\tsrcIP = srcIP.Next()\n\t}\n\n\tkey := flow3Tuple{\n\t\tsrcIP: srcIP.Next(),\n\t\tdstIP: dstIP,\n\t\toriginalEchoID: originalEchoID,\n\t}\n\t// All echo IDs are assigned\n\techoID, ok := tracker.getOrAssign(key)\n\trequire.False(t, ok)\n\trequire.Equal(t, uint16(0), echoID)\n\n\tsrcIP = firstSrcIP\n\tfor i := uint16(0); i < math.MaxUint16; i++ {\n\t\tkey := flow3Tuple{\n\t\t\tsrcIP: srcIP,\n\t\t\tdstIP: dstIP,\n\t\t\toriginalEchoID: originalEchoID,\n\t\t}\n\t\tok := tracker.release(key, i)\n\t\trequire.True(t, ok)\n\n\t\techoID, ok = tracker.get(key)\n\t\trequire.False(t, ok)\n\t\trequire.Equal(t, uint16(0), echoID)\n\t\tsrcIP = srcIP.Next()\n\t}\n\n\t// The IDs are assignable again\n\tsrcIP = firstSrcIP\n\tfor i := uint16(0); i < math.MaxUint16; i++ {\n\t\tkey := flow3Tuple{\n\t\t\tsrcIP: srcIP,\n\t\t\tdstIP: dstIP,\n\t\t\toriginalEchoID: originalEchoID,\n\t\t}\n\t\techoID, ok := tracker.getOrAssign(key)\n\t\trequire.True(t, ok)\n\t\trequire.Equal(t, i, echoID)\n\n\t\techoID, ok = tracker.get(key)\n\t\trequire.True(t, ok)\n\t\trequire.Equal(t, i, echoID)\n\t\tsrcIP = srcIP.Next()\n\t}\n}\n\nfunc (eit *echoIDTracker) get(key flow3Tuple) (id uint16, exist bool) {\n\teit.lock.Lock()\n\tdefer eit.lock.Unlock()\n\tid, exists := eit.mapping[key]\n\treturn id, exists\n}\n\nfunc getFunnel(t *testing.T, proxy *icmpProxy, tuple flow3Tuple) (packet.Funnel, bool) {\n\tassignedEchoID, success := proxy.echoIDTracker.getOrAssign(tuple)\n\trequire.True(t, success)\n\treturn proxy.srcFunnelTracker.Get(echoFunnelID(assignedEchoID))\n}\n" }, { "path": "ingress/icmp_generic.go", "content": "//go:build !darwin && !linux && (!windows || !cgo)\n\npackage ingress\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/netip\"\n\t\"runtime\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\nvar errICMPProxyNotImplemented = fmt.Errorf(\"ICMP proxy is not implemented on %s %s\", runtime.GOOS, runtime.GOARCH)\n\ntype icmpProxy struct{}\n\nfunc (ip icmpProxy) Request(ctx context.Context, pk *packet.ICMP, responder ICMPResponder) error {\n\treturn errICMPProxyNotImplemented\n}\n\nfunc (ip *icmpProxy) Serve(ctx context.Context) error {\n\treturn errICMPProxyNotImplemented\n}\n\nfunc newICMPProxy(listenIP netip.Addr, logger *zerolog.Logger, idleTimeout time.Duration) (*icmpProxy, error) {\n\treturn nil, errICMPProxyNotImplemented\n}\n" }, { "path": "ingress/icmp_linux.go", "content": "//go:build linux\n\npackage ingress\n\n// This file implements ICMPProxy for Linux. Each (source IP, destination IP, echo ID) opens a non-privileged ICMP socket.\n// The source IP of the requests are rewritten to the bind IP of the socket and echo ID rewritten to the port number of\n// the socket. The kernel ensures the socket only reads replies whose echo ID matches the port number.\n// For more information about the socket, see https://man7.org/linux/man-pages/man7/icmp.7.html and https://lwn.net/Articles/422330/\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/netip\"\n\t\"os\"\n\t\"regexp\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"go.opentelemetry.io/otel/attribute\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n)\n\nconst (\n\t// https://lwn.net/Articles/550551/ IPv4 and IPv6 share the same path\n\tpingGroupPath = \"/proc/sys/net/ipv4/ping_group_range\"\n)\n\nvar (\n\tfindGroupIDRegex = regexp.MustCompile(`\\d+`)\n)\n\ntype icmpProxy struct {\n\tsrcFunnelTracker *packet.FunnelTracker\n\tlistenIP netip.Addr\n\tlogger *zerolog.Logger\n\tidleTimeout time.Duration\n}\n\nfunc newICMPProxy(listenIP netip.Addr, logger *zerolog.Logger, idleTimeout time.Duration) (*icmpProxy, error) {\n\tif err := testPermission(listenIP, logger); err != nil {\n\t\treturn nil, err\n\t}\n\treturn &icmpProxy{\n\t\tsrcFunnelTracker: packet.NewFunnelTracker(),\n\t\tlistenIP: listenIP,\n\t\tlogger: logger,\n\t\tidleTimeout: idleTimeout,\n\t}, nil\n}\n\nfunc testPermission(listenIP netip.Addr, logger *zerolog.Logger) error {\n\t// Opens a non-privileged ICMP socket. On Linux the group ID of the process needs to be in ping_group_range\n\t// Only check ping_group_range once for IPv4\n\tif listenIP.Is4() {\n\t\tif err := checkInPingGroup(); err != nil {\n\t\t\tlogger.Warn().Err(err).Msgf(\"The user running cloudflared process has a GID (group ID) that is not within ping_group_range. You might need to add that user to a group within that range, or instead update the range to encompass a group the user is already in by modifying %s. Otherwise cloudflared will not be able to ping this network\", pingGroupPath)\n\t\t\treturn err\n\t\t}\n\t}\n\tconn, err := newICMPConn(listenIP)\n\tif err != nil {\n\t\treturn err\n\t}\n\t// This conn is only to test if cloudflared has permission to open this type of socket\n\tconn.Close()\n\treturn nil\n}\n\nfunc checkInPingGroup() error {\n\tfile, err := os.ReadFile(pingGroupPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tgroupID := uint64(os.Getegid())\n\t// Example content: 999\t 59999\n\tfound := findGroupIDRegex.FindAll(file, 2)\n\tif len(found) == 2 {\n\t\tgroupMin, err := strconv.ParseUint(string(found[0]), 10, 32)\n\t\tif err != nil {\n\t\t\treturn errors.Wrapf(err, \"failed to determine minimum ping group ID\")\n\t\t}\n\t\tgroupMax, err := strconv.ParseUint(string(found[1]), 10, 32)\n\t\tif err != nil {\n\t\t\treturn errors.Wrapf(err, \"failed to determine maximum ping group ID\")\n\t\t}\n\t\tif groupID < groupMin || groupID > groupMax {\n\t\t\treturn fmt.Errorf(\"Group ID %d is not between ping group %d to %d\", groupID, groupMin, groupMax)\n\t\t}\n\t\treturn nil\n\t}\n\treturn fmt.Errorf(\"did not find group range in %s\", pingGroupPath)\n}\n\nfunc (ip *icmpProxy) Request(ctx context.Context, pk *packet.ICMP, responder ICMPResponder) error {\n\tctx, span := responder.RequestSpan(ctx, pk)\n\tdefer responder.ExportSpan()\n\n\toriginalEcho, err := getICMPEcho(pk.Message)\n\tif err != nil {\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn err\n\t}\n\tobserveICMPRequest(ip.logger, span, pk.Src.String(), pk.Dst.String(), originalEcho.ID, originalEcho.Seq)\n\n\tshouldReplaceFunnelFunc := createShouldReplaceFunnelFunc(ip.logger, responder, pk, originalEcho.ID)\n\tnewFunnelFunc := func() (packet.Funnel, error) {\n\t\tconn, err := newICMPConn(ip.listenIP)\n\t\tif err != nil {\n\t\t\ttracing.EndWithErrorStatus(span, err)\n\t\t\treturn nil, errors.Wrap(err, \"failed to open ICMP socket\")\n\t\t}\n\t\tip.logger.Debug().Msgf(\"Opened ICMP socket listen on %s\", conn.LocalAddr())\n\t\tcloseCallback := func() error {\n\t\t\treturn conn.Close()\n\t\t}\n\t\tlocalUDPAddr, ok := conn.LocalAddr().(*net.UDPAddr)\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"ICMP listener address %s is not net.UDPAddr\", conn.LocalAddr())\n\t\t}\n\t\tspan.SetAttributes(attribute.Int(\"port\", localUDPAddr.Port))\n\n\t\techoID := localUDPAddr.Port\n\t\ticmpFlow := newICMPEchoFlow(pk.Src, closeCallback, conn, responder, echoID, originalEcho.ID)\n\t\treturn icmpFlow, nil\n\t}\n\tfunnelID := flow3Tuple{\n\t\tsrcIP: pk.Src,\n\t\tdstIP: pk.Dst,\n\t\toriginalEchoID: originalEcho.ID,\n\t}\n\tfunnel, isNew, err := ip.srcFunnelTracker.GetOrRegister(funnelID, shouldReplaceFunnelFunc, newFunnelFunc)\n\tif err != nil {\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn err\n\t}\n\ticmpFlow, err := toICMPEchoFlow(funnel)\n\tif err != nil {\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn err\n\t}\n\tif isNew {\n\t\tspan.SetAttributes(attribute.Bool(\"newFlow\", true))\n\t\tip.logger.Debug().\n\t\t\tStr(\"src\", pk.Src.String()).\n\t\t\tStr(\"dst\", pk.Dst.String()).\n\t\t\tInt(\"originalEchoID\", originalEcho.ID).\n\t\t\tMsg(\"New flow\")\n\t\tgo func() {\n\t\t\tip.listenResponse(ctx, icmpFlow)\n\t\t\tip.srcFunnelTracker.Unregister(funnelID, icmpFlow)\n\t\t}()\n\t}\n\tif err := icmpFlow.sendToDst(pk.Dst, pk.Message); err != nil {\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn errors.Wrap(err, \"failed to send ICMP echo request\")\n\t}\n\ttracing.End(span)\n\treturn nil\n}\n\nfunc (ip *icmpProxy) Serve(ctx context.Context) error {\n\tip.srcFunnelTracker.ScheduleCleanup(ctx, ip.idleTimeout)\n\treturn ctx.Err()\n}\n\nfunc (ip *icmpProxy) listenResponse(ctx context.Context, flow *icmpEchoFlow) {\n\tbuf := make([]byte, mtu)\n\tfor {\n\t\tif done := ip.handleResponse(ctx, flow, buf); done {\n\t\t\treturn\n\t\t}\n\t}\n}\n\n// Listens for ICMP response and handles error logging\nfunc (ip *icmpProxy) handleResponse(ctx context.Context, flow *icmpEchoFlow, buf []byte) (done bool) {\n\t_, span := flow.responder.ReplySpan(ctx, ip.logger)\n\tdefer flow.responder.ExportSpan()\n\n\tspan.SetAttributes(\n\t\tattribute.Int(\"originalEchoID\", flow.originalEchoID),\n\t)\n\n\tn, from, err := flow.originConn.ReadFrom(buf)\n\tif err != nil {\n\t\tif flow.IsClosed() {\n\t\t\ttracing.EndWithErrorStatus(span, fmt.Errorf(\"flow was closed\"))\n\t\t\treturn true\n\t\t}\n\t\tip.logger.Error().Err(err).Str(\"socket\", flow.originConn.LocalAddr().String()).Msg(\"Failed to read from ICMP socket\")\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn true\n\t}\n\treply, err := parseReply(from, buf[:n])\n\tif err != nil {\n\t\tip.logger.Error().Err(err).Str(\"dst\", from.String()).Msg(\"Failed to parse ICMP reply\")\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn false\n\t}\n\tif !isEchoReply(reply.msg) {\n\t\terr := fmt.Errorf(\"Expect ICMP echo reply, got %s\", reply.msg.Type)\n\t\tip.logger.Debug().Str(\"dst\", from.String()).Msgf(\"Drop ICMP %s from reply\", reply.msg.Type)\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn false\n\t}\n\n\tif err := flow.returnToSrc(reply); err != nil {\n\t\tip.logger.Error().Err(err).Str(\"dst\", from.String()).Msg(\"Failed to send ICMP reply\")\n\t\ttracing.EndWithErrorStatus(span, err)\n\t\treturn false\n\t}\n\n\tobserveICMPReply(ip.logger, span, from.String(), reply.echo.ID, reply.echo.Seq)\n\ttracing.End(span)\n\treturn false\n}\n\n// Only linux uses flow3Tuple as FunnelID\nfunc (ft flow3Tuple) Type() string {\n\treturn \"srcIP_dstIP_echoID\"\n}\n\nfunc (ft flow3Tuple) String() string {\n\treturn fmt.Sprintf(\"%s:%s:%d\", ft.srcIP, ft.dstIP, ft.originalEchoID)\n}\n" }, { "path": "ingress/icmp_linux_test.go", "content": "//go:build linux\n\npackage ingress\n\nimport (\n\t\"testing\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\nfunc getFunnel(t *testing.T, proxy *icmpProxy, tuple flow3Tuple) (packet.Funnel, bool) {\n\treturn proxy.srcFunnelTracker.Get(tuple)\n}\n" }, { "path": "ingress/icmp_metrics.go", "content": "package ingress\n\nimport (\n\t\"github.com/prometheus/client_golang/prometheus\"\n)\n\nconst (\n\tnamespace = \"cloudflared\"\n)\n\nvar (\n\ticmpRequests = prometheus.NewCounter(prometheus.CounterOpts{\n\t\tNamespace: namespace,\n\t\tSubsystem: \"icmp\",\n\t\tName: \"total_requests\",\n\t\tHelp: \"Total count of ICMP requests that have been proxied to any origin\",\n\t})\n\ticmpReplies = prometheus.NewCounter(prometheus.CounterOpts{\n\t\tNamespace: namespace,\n\t\tSubsystem: \"icmp\",\n\t\tName: \"total_replies\",\n\t\tHelp: \"Total count of ICMP replies that have been proxied from any origin\",\n\t})\n)\n\nfunc init() {\n\tprometheus.MustRegister(\n\t\ticmpRequests,\n\t\ticmpReplies,\n\t)\n}\n\nfunc incrementICMPRequest() {\n\ticmpRequests.Inc()\n}\n\nfunc incrementICMPReply() {\n\ticmpReplies.Inc()\n}\n" }, { "path": "ingress/icmp_posix.go", "content": "//go:build darwin || linux\n\npackage ingress\n\n// This file extracts logic shared by Linux and Darwin implementation if ICMPProxy.\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"net/netip\"\n\t\"sync/atomic\"\n\n\t\"github.com/google/gopacket/layers\"\n\t\"github.com/rs/zerolog\"\n\t\"golang.org/x/net/icmp\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\n// Opens a non-privileged ICMP socket on Linux and Darwin\nfunc newICMPConn(listenIP netip.Addr) (*icmp.PacketConn, error) {\n\tif listenIP.Is4() {\n\t\treturn icmp.ListenPacket(\"udp4\", listenIP.String())\n\t}\n\treturn icmp.ListenPacket(\"udp6\", listenIP.String())\n}\n\nfunc netipAddr(addr net.Addr) (netip.Addr, bool) {\n\tudpAddr, ok := addr.(*net.UDPAddr)\n\tif !ok {\n\t\treturn netip.Addr{}, false\n\t}\n\n\treturn udpAddr.AddrPort().Addr(), true\n}\n\ntype flow3Tuple struct {\n\tsrcIP netip.Addr\n\tdstIP netip.Addr\n\toriginalEchoID int\n}\n\n// icmpEchoFlow implements the packet.Funnel interface.\ntype icmpEchoFlow struct {\n\t*packet.ActivityTracker\n\tcloseCallback func() error\n\tclosed *atomic.Bool\n\tsrc netip.Addr\n\toriginConn *icmp.PacketConn\n\tresponder ICMPResponder\n\tassignedEchoID int\n\toriginalEchoID int\n}\n\nfunc newICMPEchoFlow(src netip.Addr, closeCallback func() error, originConn *icmp.PacketConn, responder ICMPResponder, assignedEchoID, originalEchoID int) *icmpEchoFlow {\n\treturn &icmpEchoFlow{\n\t\tActivityTracker: packet.NewActivityTracker(),\n\t\tcloseCallback: closeCallback,\n\t\tclosed: &atomic.Bool{},\n\t\tsrc: src,\n\t\toriginConn: originConn,\n\t\tresponder: responder,\n\t\tassignedEchoID: assignedEchoID,\n\t\toriginalEchoID: originalEchoID,\n\t}\n}\n\nfunc (ief *icmpEchoFlow) Equal(other packet.Funnel) bool {\n\totherICMPFlow, ok := other.(*icmpEchoFlow)\n\tif !ok {\n\t\treturn false\n\t}\n\tif otherICMPFlow.src != ief.src {\n\t\treturn false\n\t}\n\tif otherICMPFlow.originalEchoID != ief.originalEchoID {\n\t\treturn false\n\t}\n\tif otherICMPFlow.assignedEchoID != ief.assignedEchoID {\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc (ief *icmpEchoFlow) Close() error {\n\tief.closed.Store(true)\n\treturn ief.closeCallback()\n}\n\nfunc (ief *icmpEchoFlow) IsClosed() bool {\n\treturn ief.closed.Load()\n}\n\n// sendToDst rewrites the echo ID to the one assigned to this flow\nfunc (ief *icmpEchoFlow) sendToDst(dst netip.Addr, msg *icmp.Message) error {\n\tief.UpdateLastActive()\n\toriginalEcho, err := getICMPEcho(msg)\n\tif err != nil {\n\t\treturn err\n\t}\n\tsendMsg := icmp.Message{\n\t\tType: msg.Type,\n\t\tCode: msg.Code,\n\t\tBody: &icmp.Echo{\n\t\t\tID: ief.assignedEchoID,\n\t\t\tSeq: originalEcho.Seq,\n\t\t\tData: originalEcho.Data,\n\t\t},\n\t}\n\t// For IPv4, the pseudoHeader is not used because the checksum is always calculated\n\tvar pseudoHeader []byte = nil\n\tserializedPacket, err := sendMsg.Marshal(pseudoHeader)\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = ief.originConn.WriteTo(serializedPacket, &net.UDPAddr{\n\t\tIP: dst.AsSlice(),\n\t})\n\treturn err\n}\n\n// returnToSrc rewrites the echo ID to the original echo ID from the eyeball\nfunc (ief *icmpEchoFlow) returnToSrc(reply *echoReply) error {\n\tief.UpdateLastActive()\n\treply.echo.ID = ief.originalEchoID\n\treply.msg.Body = reply.echo\n\tpk := packet.ICMP{\n\t\tIP: &packet.IP{\n\t\t\tSrc: reply.from,\n\t\t\tDst: ief.src,\n\t\t\tProtocol: layers.IPProtocol(reply.msg.Type.Protocol()),\n\t\t\tTTL: packet.DefaultTTL,\n\t\t},\n\t\tMessage: reply.msg,\n\t}\n\treturn ief.responder.ReturnPacket(&pk)\n}\n\ntype echoReply struct {\n\tfrom netip.Addr\n\tmsg *icmp.Message\n\techo *icmp.Echo\n}\n\nfunc parseReply(from net.Addr, rawMsg []byte) (*echoReply, error) {\n\tfromAddr, ok := netipAddr(from)\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"cannot convert %s to netip.Addr\", from)\n\t}\n\tproto := layers.IPProtocolICMPv4\n\tif fromAddr.Is6() {\n\t\tproto = layers.IPProtocolICMPv6\n\t}\n\tmsg, err := icmp.ParseMessage(int(proto), rawMsg)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\techo, err := getICMPEcho(msg)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &echoReply{\n\t\tfrom: fromAddr,\n\t\tmsg: msg,\n\t\techo: echo,\n\t}, nil\n}\n\nfunc toICMPEchoFlow(funnel packet.Funnel) (*icmpEchoFlow, error) {\n\ticmpFlow, ok := funnel.(*icmpEchoFlow)\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"%v is not *ICMPEchoFunnel\", funnel)\n\t}\n\treturn icmpFlow, nil\n}\n\nfunc createShouldReplaceFunnelFunc(logger *zerolog.Logger, responder ICMPResponder, pk *packet.ICMP, originalEchoID int) func(packet.Funnel) bool {\n\treturn func(existing packet.Funnel) bool {\n\t\texistingFlow, err := toICMPEchoFlow(existing)\n\t\tif err != nil {\n\t\t\tlogger.Err(err).\n\t\t\t\tStr(\"src\", pk.Src.String()).\n\t\t\t\tStr(\"dst\", pk.Dst.String()).\n\t\t\t\tInt(\"originalEchoID\", originalEchoID).\n\t\t\t\tMsg(\"Funnel of wrong type found\")\n\t\t\treturn true\n\t\t}\n\t\t// Each quic connection should have a unique muxer.\n\t\t// If the existing flow has a different muxer, there's a new quic connection where return packets should be\n\t\t// routed. Otherwise, return packets will be send to the first observed incoming connection, rather than the\n\t\t// most recently observed connection.\n\t\tif existingFlow.responder.ConnectionIndex() != responder.ConnectionIndex() {\n\t\t\tlogger.Debug().\n\t\t\t\tStr(\"src\", pk.Src.String()).\n\t\t\t\tStr(\"dst\", pk.Dst.String()).\n\t\t\t\tInt(\"originalEchoID\", originalEchoID).\n\t\t\t\tMsg(\"Replacing funnel with new responder\")\n\t\t\treturn true\n\t\t}\n\t\treturn false\n\t}\n}\n" }, { "path": "ingress/icmp_posix_test.go", "content": "//go:build darwin || linux\n\npackage ingress\n\nimport (\n\t\"context\"\n\t\"os\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/fortytw2/leaktest\"\n\t\"github.com/google/gopacket/layers\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/icmp\"\n\t\"golang.org/x/net/ipv4\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\nfunc TestFunnelIdleTimeout(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\n\tconst (\n\t\tidleTimeout = time.Second\n\t\techoID = 42573\n\t\tstartSeq = 8129\n\t)\n\tlogger := zerolog.New(os.Stderr)\n\tproxy, err := newICMPProxy(localhostIP, &logger, idleTimeout)\n\trequire.NoError(t, err)\n\n\tctx, cancel := context.WithCancel(context.Background())\n\n\tproxyDone := make(chan struct{})\n\tgo func() {\n\t\tproxy.Serve(ctx)\n\t\tclose(proxyDone)\n\t}()\n\n\t// Send a packet to register the flow\n\tpk := packet.ICMP{\n\t\tIP: &packet.IP{\n\t\t\tSrc: localhostIP,\n\t\t\tDst: localhostIP,\n\t\t\tProtocol: layers.IPProtocolICMPv4,\n\t\t},\n\t\tMessage: &icmp.Message{\n\t\t\tType: ipv4.ICMPTypeEcho,\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.Echo{\n\t\t\t\tID: echoID,\n\t\t\t\tSeq: startSeq,\n\t\t\t\tData: []byte(t.Name()),\n\t\t\t},\n\t\t},\n\t}\n\tmuxer := newMockMuxer(0)\n\tresponder := newPacketResponder(muxer, 0, packet.NewEncoder())\n\trequire.NoError(t, proxy.Request(ctx, &pk, responder))\n\tvalidateEchoFlow(t, <-muxer.cfdToEdge, &pk)\n\n\t// Send second request, should reuse the funnel\n\trequire.NoError(t, proxy.Request(ctx, &pk, responder))\n\tvalidateEchoFlow(t, <-muxer.cfdToEdge, &pk)\n\n\t// New muxer on a different connection should use a new flow\n\ttime.Sleep(idleTimeout * 2)\n\tnewMuxer := newMockMuxer(0)\n\tnewResponder := newPacketResponder(newMuxer, 1, packet.NewEncoder())\n\trequire.NoError(t, proxy.Request(ctx, &pk, newResponder))\n\tvalidateEchoFlow(t, <-newMuxer.cfdToEdge, &pk)\n\n\ttime.Sleep(idleTimeout * 2)\n\tcancel()\n\t<-proxyDone\n}\n\nfunc TestReuseFunnel(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\n\tconst (\n\t\tidleTimeout = time.Millisecond * 100\n\t\techoID = 42573\n\t\tstartSeq = 8129\n\t)\n\tlogger := zerolog.New(os.Stderr)\n\tproxy, err := newICMPProxy(localhostIP, &logger, idleTimeout)\n\trequire.NoError(t, err)\n\n\tctx, cancel := context.WithCancel(context.Background())\n\n\tproxyDone := make(chan struct{})\n\tgo func() {\n\t\tproxy.Serve(ctx)\n\t\tclose(proxyDone)\n\t}()\n\n\t// Send a packet to register the flow\n\tpk := packet.ICMP{\n\t\tIP: &packet.IP{\n\t\t\tSrc: localhostIP,\n\t\t\tDst: localhostIP,\n\t\t\tProtocol: layers.IPProtocolICMPv4,\n\t\t},\n\t\tMessage: &icmp.Message{\n\t\t\tType: ipv4.ICMPTypeEcho,\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.Echo{\n\t\t\t\tID: echoID,\n\t\t\t\tSeq: startSeq,\n\t\t\t\tData: []byte(t.Name()),\n\t\t\t},\n\t\t},\n\t}\n\ttuple := flow3Tuple{\n\t\tsrcIP: pk.Src,\n\t\tdstIP: pk.Dst,\n\t\toriginalEchoID: echoID,\n\t}\n\tmuxer := newMockMuxer(0)\n\tresponder := newPacketResponder(muxer, 0, packet.NewEncoder())\n\trequire.NoError(t, proxy.Request(ctx, &pk, responder))\n\tvalidateEchoFlow(t, <-muxer.cfdToEdge, &pk)\n\tfunnel1, found := getFunnel(t, proxy, tuple)\n\trequire.True(t, found)\n\n\t// Send second request, should reuse the funnel\n\trequire.NoError(t, proxy.Request(ctx, &pk, responder))\n\tvalidateEchoFlow(t, <-muxer.cfdToEdge, &pk)\n\tfunnel2, found := getFunnel(t, proxy, tuple)\n\trequire.True(t, found)\n\trequire.Equal(t, funnel1, funnel2)\n\n\ttime.Sleep(idleTimeout * 2)\n\n\tcancel()\n\t<-proxyDone\n}\n" }, { "path": "ingress/icmp_windows.go", "content": "//go:build windows && cgo\n\npackage ingress\n\n/*\n#include \n#include \n*/\nimport \"C\"\nimport (\n\t\"context\"\n\t\"encoding/binary\"\n\t\"fmt\"\n\t\"net/netip\"\n\t\"runtime/debug\"\n\t\"syscall\"\n\t\"time\"\n\t\"unsafe\"\n\n\t\"github.com/google/gopacket/layers\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"go.opentelemetry.io/otel/attribute\"\n\t\"golang.org/x/net/icmp\"\n\t\"golang.org/x/net/ipv4\"\n\t\"golang.org/x/net/ipv6\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n)\n\nconst (\n\t// Value defined in https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-wsasocketw\n\tAF_INET6 = 23\n\ticmpEchoReplyCode = 0\n\tnullParameter = uintptr(0)\n)\n\nvar (\n\tIphlpapi = syscall.NewLazyDLL(\"Iphlpapi.dll\")\n\tIcmpCreateFile_proc = Iphlpapi.NewProc(\"IcmpCreateFile\")\n\tIcmp6CreateFile_proc = Iphlpapi.NewProc(\"Icmp6CreateFile\")\n\tIcmpSendEcho_proc = Iphlpapi.NewProc(\"IcmpSendEcho\")\n\tIcmp6SendEcho_proc = Iphlpapi.NewProc(\"Icmp6SendEcho2\")\n\techoReplySize = unsafe.Sizeof(echoReply{})\n\techoV6ReplySize = unsafe.Sizeof(echoV6Reply{})\n\ticmpv6ErrMessageSize = 8\n\tioStatusBlockSize = unsafe.Sizeof(ioStatusBlock{})\n\tendian = binary.LittleEndian\n)\n\n// IP_STATUS code, see https://docs.microsoft.com/en-us/windows/win32/api/ipexport/ns-ipexport-icmp_echo_reply32#members\n// for possible values\ntype ipStatus uint32\n\nconst (\n\tsuccess ipStatus = 0\n\tbufTooSmall = iota + 11000\n\tdestNetUnreachable\n\tdestHostUnreachable\n\tdestProtocolUnreachable\n\tdestPortUnreachable\n\tnoResources\n\tbadOption\n\thwError\n\tpacketTooBig\n\treqTimedOut\n\tbadReq\n\tbadRoute\n\tttlExpiredTransit\n\tttlExpiredReassembly\n\tparamProblem\n\tsourceQuench\n\toptionTooBig\n\tbadDestination\n\t// Can be returned for malformed ICMP packets\n\tgeneralFailure = 11050\n)\n\n// Additional IP_STATUS codes for ICMPv6 https://docs.microsoft.com/en-us/windows/win32/api/ipexport/ns-ipexport-icmpv6_echo_reply_lh#members\nconst (\n\tipv6DestUnreachable ipStatus = iota + 11040\n\tipv6TimeExceeded\n\tipv6BadHeader\n\tipv6UnrecognizedNextHeader\n\tipv6ICMPError\n\tipv6DestScopeMismatch\n)\n\nfunc (is ipStatus) String() string {\n\tswitch is {\n\tcase success:\n\t\treturn \"Success\"\n\tcase bufTooSmall:\n\t\treturn \"The reply buffer too small\"\n\tcase destNetUnreachable:\n\t\treturn \"The destination network was unreachable\"\n\tcase destHostUnreachable:\n\t\treturn \"The destination host was unreachable\"\n\tcase destProtocolUnreachable:\n\t\treturn \"The destination protocol was unreachable\"\n\tcase destPortUnreachable:\n\t\treturn \"The destination port was unreachable\"\n\tcase noResources:\n\t\treturn \"Insufficient IP resources were available\"\n\tcase badOption:\n\t\treturn \"A bad IP option was specified\"\n\tcase hwError:\n\t\treturn \"A hardware error occurred\"\n\tcase packetTooBig:\n\t\treturn \"The packet was too big\"\n\tcase reqTimedOut:\n\t\treturn \"The request timed out\"\n\tcase badReq:\n\t\treturn \"Bad request\"\n\tcase badRoute:\n\t\treturn \"Bad route\"\n\tcase ttlExpiredTransit:\n\t\treturn \"The TTL expired in transit\"\n\tcase ttlExpiredReassembly:\n\t\treturn \"The TTL expired during fragment reassembly\"\n\tcase paramProblem:\n\t\treturn \"A parameter problem\"\n\tcase sourceQuench:\n\t\treturn \"Datagrams are arriving too fast to be processed and datagrams may have been discarded\"\n\tcase optionTooBig:\n\t\treturn \"The IP option was too big\"\n\tcase badDestination:\n\t\treturn \"Bad destination\"\n\tcase ipv6DestUnreachable:\n\t\treturn \"IPv6 destination unreachable\"\n\tcase ipv6TimeExceeded:\n\t\treturn \"IPv6 time exceeded\"\n\tcase ipv6BadHeader:\n\t\treturn \"IPv6 bad IP header\"\n\tcase ipv6UnrecognizedNextHeader:\n\t\treturn \"IPv6 unrecognized next header\"\n\tcase ipv6ICMPError:\n\t\treturn \"IPv6 ICMP error\"\n\tcase ipv6DestScopeMismatch:\n\t\treturn \"IPv6 destination scope ID mismatch\"\n\tcase generalFailure:\n\t\treturn \"The ICMP packet might be malformed\"\n\tdefault:\n\t\treturn fmt.Sprintf(\"Unknown ip status %d\", is)\n\t}\n}\n\n// https://docs.microsoft.com/en-us/windows/win32/api/ipexport/ns-ipexport-ip_option_information\ntype ipOption struct {\n\tTTL uint8\n\tTos uint8\n\tFlags uint8\n\tOptionsSize uint8\n\tOptionsData uintptr\n}\n\n// https://docs.microsoft.com/en-us/windows/win32/api/ipexport/ns-ipexport-icmp_echo_reply\ntype echoReply struct {\n\tAddress uint32\n\tStatus ipStatus\n\tRoundTripTime uint32\n\tDataSize uint16\n\tReserved uint16\n\t// The pointer size defers between 32-bit and 64-bit platforms\n\tDataPointer *byte\n\tOptions ipOption\n}\n\ntype echoV6Reply struct {\n\tAddress ipv6AddrEx\n\tStatus ipStatus\n\tRoundTripTime uint32\n}\n\n// https://docs.microsoft.com/en-us/windows/win32/api/ipexport/ns-ipexport-ipv6_address_ex\n// All the fields are in network byte order. The memory alignment is 4 bytes\ntype ipv6AddrEx struct {\n\tport uint16\n\t// flowInfo is uint32. Because of field alignment, when we cast reply buffer to ipv6AddrEx, it starts at the 5th byte\n\t// But looking at the raw bytes, flowInfo starts at the 3rd byte. We device flowInfo into 2 uint16 so it's aligned\n\tflowInfoUpper uint16\n\tflowInfoLower uint16\n\taddr [8]uint16\n\tscopeID uint32\n}\n\n// https://docs.microsoft.com/en-us/windows/win32/winsock/sockaddr-2\ntype sockAddrIn6 struct {\n\tfamily int16\n\t// Can't embed ipv6AddrEx, that changes the memory alignment\n\tport uint16\n\tflowInfo uint32\n\taddr [16]byte\n\tscopeID uint32\n}\n\nfunc newSockAddrIn6(addr netip.Addr) (*sockAddrIn6, error) {\n\tif !addr.Is6() {\n\t\treturn nil, fmt.Errorf(\"%s is not IPv6\", addr)\n\t}\n\treturn &sockAddrIn6{\n\t\tfamily: AF_INET6,\n\t\tport: 10,\n\t\taddr: addr.As16(),\n\t}, nil\n}\n\n// https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_io_status_block#syntax\ntype ioStatusBlock struct {\n\t// The first field is an union of NTSTATUS and PVOID. NTSTATUS is int32 while PVOID depends on the platform.\n\t// We model it as uintptr whose size depends on if the platform is 32-bit or 64-bit\n\t// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\n\tstatusOrPointer uintptr\n\tinformation uintptr\n}\n\ntype icmpProxy struct {\n\t// An open handle that can send ICMP requests https://docs.microsoft.com/en-us/windows/win32/api/icmpapi/nf-icmpapi-icmpcreatefile\n\thandle uintptr\n\t// This is a ICMPv6 if srcSocketAddr is not nil\n\tsrcSocketAddr *sockAddrIn6\n\tlogger *zerolog.Logger\n}\n\nfunc newICMPProxy(listenIP netip.Addr, logger *zerolog.Logger, idleTimeout time.Duration) (*icmpProxy, error) {\n\tvar (\n\t\tsrcSocketAddr *sockAddrIn6\n\t\thandle uintptr\n\t\terr error\n\t)\n\tif listenIP.Is4() {\n\t\thandle, _, err = IcmpCreateFile_proc.Call()\n\t} else {\n\t\tsrcSocketAddr, err = newSockAddrIn6(listenIP)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\thandle, _, err = Icmp6CreateFile_proc.Call()\n\t}\n\t// Windows procedure calls always return non-nil error constructed from the result of GetLastError.\n\t// Caller need to inspect the primary returned value\n\tif syscall.Handle(handle) == syscall.InvalidHandle {\n\t\treturn nil, errors.Wrap(err, \"invalid ICMP handle\")\n\t}\n\treturn &icmpProxy{\n\t\thandle: handle,\n\t\tsrcSocketAddr: srcSocketAddr,\n\t\tlogger: logger,\n\t}, nil\n}\n\nfunc (ip *icmpProxy) Serve(ctx context.Context) error {\n\t<-ctx.Done()\n\tsyscall.CloseHandle(syscall.Handle(ip.handle))\n\treturn ctx.Err()\n}\n\n// Request sends an ICMP echo request and wait for a reply or timeout.\n// The async version of Win32 APIs take a callback whose memory is not garbage collected, so we use the synchronous version.\n// It's possible that a slow request will block other requests, so we set the timeout to only 1s.\nfunc (ip *icmpProxy) Request(ctx context.Context, pk *packet.ICMP, responder ICMPResponder) error {\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tip.logger.Error().Interface(\"error\", r).Msgf(\"Recover panic from sending icmp request/response, error %s\", debug.Stack())\n\t\t}\n\t}()\n\n\t_, requestSpan := responder.RequestSpan(ctx, pk)\n\tdefer responder.ExportSpan()\n\n\techo, err := getICMPEcho(pk.Message)\n\tif err != nil {\n\t\treturn err\n\t}\n\tobserveICMPRequest(ip.logger, requestSpan, pk.Src.String(), pk.Dst.String(), echo.ID, echo.Seq)\n\n\tresp, err := ip.icmpEchoRoundtrip(pk.Dst, echo)\n\tif err != nil {\n\t\tip.logger.Err(err).Msg(\"ICMP echo roundtrip failed\")\n\t\ttracing.EndWithErrorStatus(requestSpan, err)\n\t\treturn err\n\t}\n\ttracing.End(requestSpan)\n\tresponder.ExportSpan()\n\n\t_, replySpan := responder.ReplySpan(ctx, ip.logger)\n\terr = ip.handleEchoReply(pk, echo, resp, responder)\n\tif err != nil {\n\t\tip.logger.Err(err).Msg(\"Failed to send ICMP reply\")\n\t\ttracing.EndWithErrorStatus(replySpan, err)\n\t\treturn errors.Wrap(err, \"failed to handle ICMP echo reply\")\n\t}\n\tobserveICMPReply(ip.logger, replySpan, pk.Dst.String(), echo.ID, echo.Seq)\n\treplySpan.SetAttributes(\n\t\tattribute.Int64(\"rtt\", int64(resp.rtt())),\n\t\tattribute.String(\"status\", resp.status().String()),\n\t)\n\ttracing.End(replySpan)\n\treturn nil\n}\n\nfunc (ip *icmpProxy) handleEchoReply(request *packet.ICMP, echoReq *icmp.Echo, resp echoResp, responder ICMPResponder) error {\n\tvar replyType icmp.Type\n\tif request.Dst.Is4() {\n\t\treplyType = ipv4.ICMPTypeEchoReply\n\t} else {\n\t\treplyType = ipv6.ICMPTypeEchoReply\n\t}\n\n\tpk := packet.ICMP{\n\t\tIP: &packet.IP{\n\t\t\tSrc: request.Dst,\n\t\t\tDst: request.Src,\n\t\t\tProtocol: layers.IPProtocol(request.Type.Protocol()),\n\t\t\tTTL: packet.DefaultTTL,\n\t\t},\n\t\tMessage: &icmp.Message{\n\t\t\tType: replyType,\n\t\t\tCode: icmpEchoReplyCode,\n\t\t\tBody: &icmp.Echo{\n\t\t\t\tID: echoReq.ID,\n\t\t\t\tSeq: echoReq.Seq,\n\t\t\t\tData: resp.payload(),\n\t\t\t},\n\t\t},\n\t}\n\treturn responder.ReturnPacket(&pk)\n}\n\nfunc (ip *icmpProxy) icmpEchoRoundtrip(dst netip.Addr, echo *icmp.Echo) (echoResp, error) {\n\tif dst.Is6() {\n\t\tif ip.srcSocketAddr == nil {\n\t\t\treturn nil, fmt.Errorf(\"cannot send ICMPv6 using ICMPv4 proxy\")\n\t\t}\n\t\tresp, err := ip.icmp6SendEcho(dst, echo)\n\t\tif err != nil {\n\n\t\t\treturn nil, errors.Wrap(err, \"failed to send/receive ICMPv6 echo\")\n\t\t}\n\t\treturn resp, nil\n\t}\n\tif ip.srcSocketAddr != nil {\n\t\treturn nil, fmt.Errorf(\"cannot send ICMPv4 using ICMPv6 proxy\")\n\t}\n\tresp, err := ip.icmpSendEcho(dst, echo)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"failed to send/receive ICMPv4 echo\")\n\t}\n\treturn resp, nil\n}\n\n/*\nWrapper to call https://docs.microsoft.com/en-us/windows/win32/api/icmpapi/nf-icmpapi-icmpsendecho\nParameters:\n- IcmpHandle: Handle created by IcmpCreateFile\n- DestinationAddress: IPv4 in the form of https://docs.microsoft.com/en-us/windows/win32/api/inaddr/ns-inaddr-in_addr#syntax\n- RequestData: A pointer to echo data\n- RequestSize: Number of bytes in buffer pointed by echo data\n- RequestOptions: IP header options\n- ReplyBuffer: A pointer to the buffer for echoReply, options and data\n- ReplySize: Number of bytes allocated for ReplyBuffer\n- Timeout: Timeout in milliseconds to wait for a reply\nReturns:\n- the number of replies in uint32 https://docs.microsoft.com/en-us/windows/win32/api/icmpapi/nf-icmpapi-icmpsendecho#return-value\nTo retain the reference allocated objects, conversion from pointer to uintptr must happen as arguments to the\nsyscall function\n*/\nfunc (ip *icmpProxy) icmpSendEcho(dst netip.Addr, echo *icmp.Echo) (*echoV4Resp, error) {\n\tdataSize := len(echo.Data)\n\treplySize := echoReplySize + uintptr(dataSize)\n\treplyBuf := make([]byte, replySize)\n\tnoIPHeaderOption := nullParameter\n\tinAddr, err := inAddrV4(dst)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treplyCount, _, err := IcmpSendEcho_proc.Call(\n\t\tip.handle,\n\t\tuintptr(inAddr),\n\t\tuintptr(unsafe.Pointer(&echo.Data[0])),\n\t\tuintptr(dataSize),\n\t\tnoIPHeaderOption,\n\t\tuintptr(unsafe.Pointer(&replyBuf[0])),\n\t\treplySize,\n\t\ticmpRequestTimeoutMs,\n\t)\n\tif replyCount == 0 {\n\t\t// status is returned in 5th to 8th byte of reply buffer\n\t\tif status, parseErr := unmarshalIPStatus(replyBuf[4:8]); parseErr == nil && status != success {\n\t\t\treturn nil, errors.Wrapf(err, \"received ip status: %s\", status)\n\t\t}\n\t\treturn nil, errors.Wrap(err, \"did not receive ICMP echo reply\")\n\t} else if replyCount > 1 {\n\t\tip.logger.Warn().Msgf(\"Received %d ICMP echo replies, only sending 1 back\", replyCount)\n\t}\n\treturn newEchoV4Resp(replyBuf)\n}\n\n// Third definition of https://docs.microsoft.com/en-us/windows/win32/api/inaddr/ns-inaddr-in_addr#syntax is address in uint32\nfunc inAddrV4(ip netip.Addr) (uint32, error) {\n\tif !ip.Is4() {\n\t\treturn 0, fmt.Errorf(\"%s is not IPv4\", ip)\n\t}\n\tv4 := ip.As4()\n\treturn endian.Uint32(v4[:]), nil\n}\n\ntype echoResp interface {\n\tstatus() ipStatus\n\trtt() uint32\n\tpayload() []byte\n}\n\ntype echoV4Resp struct {\n\treply *echoReply\n\tdata []byte\n}\n\nfunc (r *echoV4Resp) status() ipStatus {\n\treturn r.reply.Status\n}\n\nfunc (r *echoV4Resp) rtt() uint32 {\n\treturn r.reply.RoundTripTime\n}\n\nfunc (r *echoV4Resp) payload() []byte {\n\treturn r.data\n}\n\nfunc newEchoV4Resp(replyBuf []byte) (*echoV4Resp, error) {\n\tif len(replyBuf) == 0 {\n\t\treturn nil, fmt.Errorf(\"reply buffer is empty\")\n\t}\n\t// This is pattern 1 of https://pkg.go.dev/unsafe@master#Pointer, conversion of *replyBuf to *echoReply\n\t// replyBuf size is larger than echoReply\n\treply := *(*echoReply)(unsafe.Pointer(&replyBuf[0]))\n\tif reply.Status != success {\n\t\treturn nil, fmt.Errorf(\"status %d\", reply.Status)\n\t}\n\tdataBufStart := len(replyBuf) - int(reply.DataSize)\n\tif dataBufStart < int(echoReplySize) {\n\t\treturn nil, fmt.Errorf(\"reply buffer size %d is too small to hold data of size %d\", len(replyBuf), int(reply.DataSize))\n\t}\n\treturn &echoV4Resp{\n\t\treply: &reply,\n\t\tdata: replyBuf[dataBufStart:],\n\t}, nil\n}\n\n/*\n\tWrapper to call https://docs.microsoft.com/en-us/windows/win32/api/icmpapi/nf-icmpapi-icmp6sendecho2\n\tParameters:\n\t- IcmpHandle: Handle created by Icmp6CreateFile\n\t- Event (optional): Event object to be signaled when a reply arrives\n\t- ApcRoutine (optional): Routine to call when the calling thread is in an alertable thread and a reply arrives\n\t- ApcContext (optional): Optional parameter to ApcRoutine\n\t- SourceAddress: Source address of the request\n\t- DestinationAddress: Destination address of the request\n\t- RequestData: A pointer to echo data\n\t- RequestSize: Number of bytes in buffer pointed by echo data\n\t- RequestOptions (optional): A pointer to the IPv6 header options\n\t- ReplyBuffer: A pointer to the buffer for echoReply, options and data\n\t- ReplySize: Number of bytes allocated for ReplyBuffer\n\t- Timeout: Timeout in milliseconds to wait for a reply\n\tReturns:\n\t- the number of replies in uint32\n\tTo retain the reference allocated objects, conversion from pointer to uintptr must happen as arguments to the\n\tsyscall function\n*/\n\nfunc (ip *icmpProxy) icmp6SendEcho(dst netip.Addr, echo *icmp.Echo) (*echoV6Resp, error) {\n\tdstAddr, err := newSockAddrIn6(dst)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdataSize := len(echo.Data)\n\t// Reply buffer needs to be big enough to hold an echoV6Reply, echo data, 8 bytes for ICMP error message\n\t// and ioStatusBlock\n\treplySize := echoV6ReplySize + uintptr(dataSize) + uintptr(icmpv6ErrMessageSize) + ioStatusBlockSize\n\treplyBuf := make([]byte, replySize)\n\tnoEvent := nullParameter\n\tnoApcRoutine := nullParameter\n\tnoAppCtx := nullParameter\n\tnoIPHeaderOption := nullParameter\n\treplyCount, _, err := Icmp6SendEcho_proc.Call(\n\t\tip.handle,\n\t\tnoEvent,\n\t\tnoApcRoutine,\n\t\tnoAppCtx,\n\t\tuintptr(unsafe.Pointer(ip.srcSocketAddr)),\n\t\tuintptr(unsafe.Pointer(dstAddr)),\n\t\tuintptr(unsafe.Pointer(&echo.Data[0])),\n\t\tuintptr(dataSize),\n\t\tnoIPHeaderOption,\n\t\tuintptr(unsafe.Pointer(&replyBuf[0])),\n\t\treplySize,\n\t\ticmpRequestTimeoutMs,\n\t)\n\tif replyCount == 0 {\n\t\t// status is in the 4 bytes after ipv6AddrEx. The reply buffer size is at least size of ipv6AddrEx + 4\n\t\tif status, parseErr := unmarshalIPStatus(replyBuf[unsafe.Sizeof(ipv6AddrEx{}) : unsafe.Sizeof(ipv6AddrEx{})+4]); parseErr == nil && status != success {\n\t\t\treturn nil, fmt.Errorf(\"received ip status: %s\", status)\n\t\t}\n\t\treturn nil, errors.Wrap(err, \"did not receive ICMP echo reply\")\n\t} else if replyCount > 1 {\n\t\tip.logger.Warn().Msgf(\"Received %d ICMP echo replies, only sending 1 back\", replyCount)\n\t}\n\treturn newEchoV6Resp(replyBuf, dataSize)\n}\n\ntype echoV6Resp struct {\n\treply *echoV6Reply\n\tdata []byte\n}\n\nfunc (r *echoV6Resp) status() ipStatus {\n\treturn r.reply.Status\n}\n\nfunc (r *echoV6Resp) rtt() uint32 {\n\treturn r.reply.RoundTripTime\n}\n\nfunc (r *echoV6Resp) payload() []byte {\n\treturn r.data\n}\n\nfunc newEchoV6Resp(replyBuf []byte, dataSize int) (*echoV6Resp, error) {\n\tif len(replyBuf) == 0 {\n\t\treturn nil, fmt.Errorf(\"reply buffer is empty\")\n\t}\n\treply := *(*echoV6Reply)(unsafe.Pointer(&replyBuf[0]))\n\tif reply.Status != success {\n\t\treturn nil, fmt.Errorf(\"status %d\", reply.Status)\n\t}\n\tif uintptr(len(replyBuf)) < unsafe.Sizeof(reply)+uintptr(dataSize) {\n\t\treturn nil, fmt.Errorf(\"reply buffer size %d is too small to hold reply size %d + data size %d\", len(replyBuf), echoV6ReplySize, dataSize)\n\t}\n\treturn &echoV6Resp{\n\t\treply: &reply,\n\t\tdata: replyBuf[echoV6ReplySize : echoV6ReplySize+uintptr(dataSize)],\n\t}, nil\n}\n\nfunc unmarshalIPStatus(replyBuf []byte) (ipStatus, error) {\n\tif len(replyBuf) != 4 {\n\t\treturn 0, fmt.Errorf(\"ipStatus needs to be 4 bytes, got %d\", len(replyBuf))\n\t}\n\treturn ipStatus(endian.Uint32(replyBuf)), nil\n}\n" }, { "path": "ingress/icmp_windows_test.go", "content": "//go:build windows && cgo\n\npackage ingress\n\nimport (\n\t\"bytes\"\n\t\"encoding/binary\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/netip\"\n\t\"testing\"\n\t\"time\"\n\t\"unsafe\"\n\n\t\"golang.org/x/net/icmp\"\n\n\t\"github.com/stretchr/testify/require\"\n)\n\n// TestParseEchoReply tests parsing raw bytes from icmpSendEcho into echoResp\nfunc TestParseEchoReply(t *testing.T) {\n\tdst, err := inAddrV4(netip.MustParseAddr(\"192.168.10.20\"))\n\trequire.NoError(t, err)\n\n\tvalidReplyData := []byte(t.Name())\n\tvalidReply := echoReply{\n\t\tAddress: dst,\n\t\tStatus: success,\n\t\tRoundTripTime: uint32(20),\n\t\tDataSize: uint16(len(validReplyData)),\n\t\tDataPointer: &validReplyData[0],\n\t\tOptions: ipOption{\n\t\t\tTTL: 59,\n\t\t},\n\t}\n\n\tdestHostUnreachableReply := validReply\n\tdestHostUnreachableReply.Status = destHostUnreachable\n\n\ttests := []struct {\n\t\ttestCase string\n\t\treplyBuf []byte\n\t\texpectedReply *echoReply\n\t\texpectedData []byte\n\t}{\n\t\t{\n\t\t\ttestCase: \"empty buffer\",\n\t\t},\n\t\t{\n\t\t\ttestCase: \"status not success\",\n\t\t\treplyBuf: destHostUnreachableReply.marshal(t, []byte{}),\n\t\t},\n\t\t{\n\t\t\ttestCase: \"valid reply\",\n\t\t\treplyBuf: validReply.marshal(t, validReplyData),\n\t\t\texpectedReply: &validReply,\n\t\t\texpectedData: validReplyData,\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tresp, err := newEchoV4Resp(test.replyBuf)\n\t\tif test.expectedReply == nil {\n\t\t\trequire.Error(t, err)\n\t\t\trequire.Nil(t, resp)\n\t\t} else {\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, resp.reply, test.expectedReply)\n\t\t\trequire.True(t, bytes.Equal(resp.data, test.expectedData))\n\t\t}\n\t}\n}\n\n// TestParseEchoV6Reply tests parsing raw bytes from icmp6SendEcho into echoV6Resp\nfunc TestParseEchoV6Reply(t *testing.T) {\n\tdst := netip.MustParseAddr(\"2606:3600:4500::3333\").As16()\n\tvar addr [8]uint16\n\tfor i := 0; i < 8; i++ {\n\t\taddr[i] = binary.BigEndian.Uint16(dst[i*2 : i*2+2])\n\t}\n\n\tvalidReplyData := []byte(t.Name())\n\tvalidReply := echoV6Reply{\n\t\tAddress: ipv6AddrEx{\n\t\t\taddr: addr,\n\t\t},\n\t\tStatus: success,\n\t\tRoundTripTime: 25,\n\t}\n\n\tdestHostUnreachableReply := validReply\n\tdestHostUnreachableReply.Status = ipv6DestUnreachable\n\n\ttests := []struct {\n\t\ttestCase string\n\t\treplyBuf []byte\n\t\texpectedReply *echoV6Reply\n\t\texpectedData []byte\n\t}{\n\t\t{\n\t\t\ttestCase: \"empty buffer\",\n\t\t},\n\t\t{\n\t\t\ttestCase: \"status not success\",\n\t\t\treplyBuf: destHostUnreachableReply.marshal(t, []byte{}),\n\t\t},\n\t\t{\n\t\t\ttestCase: \"valid reply\",\n\t\t\treplyBuf: validReply.marshal(t, validReplyData),\n\t\t\texpectedReply: &validReply,\n\t\t\texpectedData: validReplyData,\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tresp, err := newEchoV6Resp(test.replyBuf, len(test.expectedData))\n\t\tif test.expectedReply == nil {\n\t\t\trequire.Error(t, err)\n\t\t\trequire.Nil(t, resp)\n\t\t} else {\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, resp.reply, test.expectedReply)\n\t\t\trequire.True(t, bytes.Equal(resp.data, test.expectedData))\n\t\t}\n\t}\n}\n\n// TestSendEchoErrors makes sure icmpSendEcho handles error cases\nfunc TestSendEchoErrors(t *testing.T) {\n\ttestSendEchoErrors(t, netip.IPv4Unspecified())\n\ttestSendEchoErrors(t, netip.IPv6Unspecified())\n}\n\nfunc testSendEchoErrors(t *testing.T, listenIP netip.Addr) {\n\tproxy, err := newICMPProxy(listenIP, &noopLogger, time.Second)\n\trequire.NoError(t, err)\n\n\techo := icmp.Echo{\n\t\tID: 6193,\n\t\tSeq: 25712,\n\t\tData: []byte(t.Name()),\n\t}\n\tdocumentIP := netip.MustParseAddr(\"192.0.2.200\")\n\tif listenIP.Is6() {\n\t\tdocumentIP = netip.MustParseAddr(\"2001:db8::1\")\n\t}\n\tresp, err := proxy.icmpEchoRoundtrip(documentIP, &echo)\n\trequire.Error(t, err)\n\trequire.Nil(t, resp)\n}\n\nfunc (er *echoReply) marshal(t *testing.T, data []byte) []byte {\n\tbuf := new(bytes.Buffer)\n\n\tfor _, field := range []any{\n\t\ter.Address,\n\t\ter.Status,\n\t\ter.RoundTripTime,\n\t\ter.DataSize,\n\t\ter.Reserved,\n\t} {\n\t\trequire.NoError(t, binary.Write(buf, endian, field))\n\t}\n\n\trequire.NoError(t, marshalPointer(buf, uintptr(unsafe.Pointer(er.DataPointer))))\n\n\tfor _, field := range []any{\n\t\ter.Options.TTL,\n\t\ter.Options.Tos,\n\t\ter.Options.Flags,\n\t\ter.Options.OptionsSize,\n\t} {\n\t\trequire.NoError(t, binary.Write(buf, endian, field))\n\t}\n\n\trequire.NoError(t, marshalPointer(buf, er.Options.OptionsData))\n\n\tpadSize := buf.Len() % int(unsafe.Alignof(er))\n\tpadding := make([]byte, padSize)\n\tn, err := buf.Write(padding)\n\trequire.NoError(t, err)\n\trequire.Equal(t, padSize, n)\n\n\tn, err = buf.Write(data)\n\trequire.NoError(t, err)\n\trequire.Equal(t, len(data), n)\n\n\treturn buf.Bytes()\n}\n\nfunc marshalPointer(buf io.Writer, ptr uintptr) error {\n\tsize := unsafe.Sizeof(ptr)\n\tswitch size {\n\tcase 4:\n\t\treturn binary.Write(buf, endian, uint32(ptr))\n\tcase 8:\n\t\treturn binary.Write(buf, endian, uint64(ptr))\n\tdefault:\n\t\treturn fmt.Errorf(\"unexpected pointer size %d\", size)\n\t}\n}\n\nfunc (er *echoV6Reply) marshal(t *testing.T, data []byte) []byte {\n\tbuf := new(bytes.Buffer)\n\n\tfor _, field := range []any{\n\t\ter.Address.port,\n\t\ter.Address.flowInfoUpper,\n\t\ter.Address.flowInfoLower,\n\t\ter.Address.addr,\n\t\ter.Address.scopeID,\n\t} {\n\t\trequire.NoError(t, binary.Write(buf, endian, field))\n\t}\n\n\tpadSize := buf.Len() % int(unsafe.Alignof(er))\n\tpadding := make([]byte, padSize)\n\tn, err := buf.Write(padding)\n\trequire.NoError(t, err)\n\trequire.Equal(t, padSize, n)\n\n\tfor _, field := range []any{\n\t\ter.Status,\n\t\ter.RoundTripTime,\n\t} {\n\t\trequire.NoError(t, binary.Write(buf, endian, field))\n\t}\n\n\tn, err = buf.Write(data)\n\trequire.NoError(t, err)\n\trequire.Equal(t, len(data), n)\n\n\treturn buf.Bytes()\n}\n" }, { "path": "ingress/ingress.go", "content": "package ingress\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"net/url\"\n\t\"regexp\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n\t\"golang.org/x/net/idna\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/ingress/middleware\"\n\t\"github.com/cloudflare/cloudflared/ipaccess\"\n)\n\nvar (\n\tErrNoIngressRules = errors.New(\"The config file doesn't contain any ingress rules\")\n\tErrNoIngressRulesCLI = errors.New(\"No ingress rules were defined in provided config (if any) nor from the cli, cloudflared will return 503 for all incoming HTTP requests\")\n\terrLastRuleNotCatchAll = errors.New(\"The last ingress rule must match all URLs (i.e. it should not have a hostname or path filter)\")\n\terrBadWildcard = errors.New(\"Hostname patterns can have at most one wildcard character (\\\"*\\\") and it can only be used for subdomains, e.g. \\\"*.example.com\\\"\")\n\terrHostnameContainsPort = errors.New(\"Hostname cannot contain a port\")\n\tErrURLIncompatibleWithIngress = errors.New(\"You can't set the --url flag (or $TUNNEL_URL) when using multiple-origin ingress rules\")\n)\n\nconst (\n\tServiceBastion = \"bastion\"\n\tServiceSocksProxy = \"socks-proxy\"\n\tServiceWarpRouting = \"warp-routing\"\n)\n\n// FindMatchingRule returns the index of the Ingress Rule which matches the given\n// hostname and path. This function assumes the last rule matches everything,\n// which is the case if the rules were instantiated via the ingress#Validate method.\n//\n// Negative index rule signifies local cloudflared rules (not-user defined).\nfunc (ing Ingress) FindMatchingRule(hostname, path string) (*Rule, int) {\n\t// The hostname might contain port. We only want to compare the host part with the rule\n\thost, _, err := net.SplitHostPort(hostname)\n\tif err == nil {\n\t\thostname = host\n\t}\n\tfor i, rule := range ing.InternalRules {\n\t\tif rule.Matches(hostname, path) {\n\t\t\t// Local rule matches return a negative rule index to distiguish local rules from user-defined rules in logs\n\t\t\t// Full range would be [-1 .. )\n\t\t\treturn &rule, -1 - i\n\t\t}\n\t}\n\tfor i, rule := range ing.Rules {\n\t\tif rule.Matches(hostname, path) {\n\t\t\treturn &rule, i\n\t\t}\n\t}\n\n\ti := len(ing.Rules) - 1\n\treturn &ing.Rules[i], i\n}\n\nfunc matchHost(ruleHost, reqHost string) bool {\n\tif ruleHost == reqHost {\n\t\treturn true\n\t}\n\n\t// Validate hostnames that use wildcards at the start\n\tif strings.HasPrefix(ruleHost, \"*.\") {\n\t\ttoMatch := strings.TrimPrefix(ruleHost, \"*\")\n\t\treturn strings.HasSuffix(reqHost, toMatch)\n\t}\n\treturn false\n}\n\n// Ingress maps eyeball requests to origins.\ntype Ingress struct {\n\t// Set of ingress rules that are not added to remote config, e.g. management\n\tInternalRules []Rule\n\t// Rules that are provided by the user from remote or local configuration\n\tRules []Rule `json:\"ingress\"`\n\tDefaults OriginRequestConfig `json:\"originRequest\"`\n}\n\n// ParseIngress parses ingress rules, but does not send HTTP requests to the origins.\nfunc ParseIngress(conf *config.Configuration) (Ingress, error) {\n\tif conf == nil || len(conf.Ingress) == 0 {\n\t\treturn Ingress{}, ErrNoIngressRules\n\t}\n\treturn validateIngress(conf.Ingress, originRequestFromConfig(conf.OriginRequest))\n}\n\n// ParseIngressFromConfigAndCLI will parse the configuration rules from config files for ingress\n// rules and then attempt to parse CLI for ingress rules.\n// Will always return at least one valid ingress rule. If none are provided by the user, the default\n// will be to return 503 status code for all incoming requests.\nfunc ParseIngressFromConfigAndCLI(conf *config.Configuration, c *cli.Context, log *zerolog.Logger) (Ingress, error) {\n\t// Attempt to parse ingress rules from configuration\n\tingressRules, err := ParseIngress(conf)\n\tif err == nil && !ingressRules.IsEmpty() {\n\t\treturn ingressRules, nil\n\t}\n\tif err != ErrNoIngressRules {\n\t\treturn Ingress{}, err\n\t}\n\t// Attempt to parse ingress rules from CLI:\n\t// --url or --unix-socket flag for a tunnel HTTP ingress\n\t// --hello-world for a basic HTTP ingress self-served\n\t// --bastion for ssh bastion service\n\tingressRules, err = parseCLIIngress(c, false)\n\tif errors.Is(err, ErrNoIngressRulesCLI) {\n\t\t// If no token is provided, the probability of NOT being a remotely managed tunnel is higher.\n\t\t// So, we should warn the user that no ingress rules were found, because remote configuration will most likely not exist.\n\t\tif !c.IsSet(\"token\") {\n\t\t\tlog.Warn().Msg(ErrNoIngressRulesCLI.Error())\n\t\t}\n\t\treturn newDefaultOrigin(c, log), nil\n\t}\n\n\tif err != nil {\n\t\treturn Ingress{}, err\n\t}\n\n\treturn ingressRules, nil\n}\n\n// parseCLIIngress constructs an Ingress set with only one rule constructed from\n// CLI parameters: --url, --hello-world, --bastion, or --unix-socket\nfunc parseCLIIngress(c *cli.Context, allowURLFromArgs bool) (Ingress, error) {\n\tservice, err := parseSingleOriginService(c, allowURLFromArgs)\n\tif err != nil {\n\t\treturn Ingress{}, err\n\t}\n\n\t// Construct an Ingress with the single rule.\n\tdefaults := originRequestFromSingleRule(c)\n\ting := Ingress{\n\t\tRules: []Rule{\n\t\t\t{\n\t\t\t\tService: service,\n\t\t\t\tConfig: setConfig(defaults, config.OriginRequestConfig{}),\n\t\t\t},\n\t\t},\n\t\tDefaults: defaults,\n\t}\n\treturn ing, err\n}\n\n// newDefaultOrigin always returns a 503 response code to help indicate that there are no ingress\n// rules setup, but the tunnel is reachable.\nfunc newDefaultOrigin(c *cli.Context, log *zerolog.Logger) Ingress {\n\tdefaultRule := GetDefaultIngressRules(log)\n\tdefaults := originRequestFromSingleRule(c)\n\tingress := Ingress{\n\t\tRules: defaultRule,\n\t\tDefaults: defaults,\n\t}\n\treturn ingress\n}\n\n// Get a single origin service from the CLI/config.\nfunc parseSingleOriginService(c *cli.Context, allowURLFromArgs bool) (OriginService, error) {\n\tif c.IsSet(HelloWorldFlag) {\n\t\treturn new(helloWorld), nil\n\t}\n\tif c.IsSet(config.BastionFlag) {\n\t\treturn newBastionService(), nil\n\t}\n\tif c.IsSet(\"url\") {\n\t\toriginURL, err := config.ValidateUrl(c, allowURLFromArgs)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"Error validating origin URL\")\n\t\t}\n\t\tif isHTTPService(originURL) {\n\t\t\treturn &httpService{\n\t\t\t\turl: originURL,\n\t\t\t}, nil\n\t\t}\n\t\treturn newTCPOverWSService(originURL), nil\n\t}\n\tif c.IsSet(\"unix-socket\") {\n\t\tpath, err := config.ValidateUnixSocket(c)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"Error validating --unix-socket\")\n\t\t}\n\t\treturn &unixSocketPath{path: path, scheme: \"http\"}, nil\n\t}\n\treturn nil, ErrNoIngressRulesCLI\n}\n\n// IsEmpty checks if there are any ingress rules.\nfunc (ing Ingress) IsEmpty() bool {\n\treturn len(ing.Rules) == 0\n}\n\n// IsSingleRule checks if the user only specified a single ingress rule.\nfunc (ing Ingress) IsSingleRule() bool {\n\treturn len(ing.Rules) == 1\n}\n\n// StartOrigins will start any origin services managed by cloudflared, e.g. proxy servers or Hello World.\nfunc (ing Ingress) StartOrigins(\n\tlog *zerolog.Logger,\n\tshutdownC <-chan struct{},\n) error {\n\tfor _, rule := range ing.Rules {\n\t\tif err := rule.Service.start(log, shutdownC, rule.Config); err != nil {\n\t\t\treturn errors.Wrapf(err, \"Error starting local service %s\", rule.Service)\n\t\t}\n\t}\n\treturn nil\n}\n\n// CatchAll returns the catch-all rule (i.e. the last rule)\nfunc (ing Ingress) CatchAll() *Rule {\n\treturn &ing.Rules[len(ing.Rules)-1]\n}\n\n// Gets the default ingress rule that will be return 503 status\n// code for all incoming requests.\nfunc GetDefaultIngressRules(log *zerolog.Logger) []Rule {\n\tnoRulesService := newDefaultStatusCode(log)\n\treturn []Rule{\n\t\t{\n\t\t\tService: &noRulesService,\n\t\t},\n\t}\n}\n\nfunc validateAccessConfiguration(cfg *config.AccessConfig) error {\n\tif !cfg.Required {\n\t\treturn nil\n\t}\n\n\t// we allow for an initial setup where user can force Access but not configure the rest of the keys.\n\t// however, if the user specified audTags but forgot teamName, we should alert it.\n\tif cfg.TeamName == \"\" && len(cfg.AudTag) > 0 {\n\t\treturn errors.New(\"access.TeamName cannot be blank when access.audTags are present\")\n\t}\n\n\treturn nil\n}\n\nfunc validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginRequestConfig) (Ingress, error) {\n\trules := make([]Rule, len(ingress))\n\tfor i, r := range ingress {\n\t\tcfg := setConfig(defaults, r.OriginRequest)\n\t\tvar service OriginService\n\n\t\tif prefix := \"unix:\"; strings.HasPrefix(r.Service, prefix) {\n\t\t\t// No validation necessary for unix socket filepath services\n\t\t\tpath := strings.TrimPrefix(r.Service, prefix)\n\t\t\tservice = &unixSocketPath{path: path, scheme: \"http\"}\n\t\t} else if prefix := \"unix+tls:\"; strings.HasPrefix(r.Service, prefix) {\n\t\t\tpath := strings.TrimPrefix(r.Service, prefix)\n\t\t\tservice = &unixSocketPath{path: path, scheme: \"https\"}\n\t\t} else if prefix := \"http_status:\"; strings.HasPrefix(r.Service, prefix) {\n\t\t\tstatusCode, err := strconv.Atoi(strings.TrimPrefix(r.Service, prefix))\n\t\t\tif err != nil {\n\t\t\t\treturn Ingress{}, errors.Wrap(err, \"invalid HTTP status code\")\n\t\t\t}\n\t\t\tif statusCode < 100 || statusCode > 999 {\n\t\t\t\treturn Ingress{}, fmt.Errorf(\"invalid HTTP status code: %d\", statusCode)\n\t\t\t}\n\t\t\tsrv := newStatusCode(statusCode)\n\t\t\tservice = &srv\n\t\t} else if r.Service == HelloWorldFlag || r.Service == HelloWorldService {\n\t\t\tservice = new(helloWorld)\n\t\t} else if r.Service == ServiceSocksProxy {\n\t\t\trules := make([]ipaccess.Rule, len(r.OriginRequest.IPRules))\n\n\t\t\tfor i, ipRule := range r.OriginRequest.IPRules {\n\t\t\t\trule, err := ipaccess.NewRuleByCIDR(ipRule.Prefix, ipRule.Ports, ipRule.Allow)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn Ingress{}, fmt.Errorf(\"unable to create ip rule for %s: %s\", r.Service, err)\n\t\t\t\t}\n\t\t\t\trules[i] = rule\n\t\t\t}\n\n\t\t\taccessPolicy, err := ipaccess.NewPolicy(false, rules)\n\t\t\tif err != nil {\n\t\t\t\treturn Ingress{}, fmt.Errorf(\"unable to create ip access policy for %s: %s\", r.Service, err)\n\t\t\t}\n\n\t\t\tservice = newSocksProxyOverWSService(accessPolicy)\n\t\t} else if r.Service == ServiceBastion || cfg.BastionMode {\n\t\t\t// Bastion mode will always start a Websocket proxy server, which will\n\t\t\t// overwrite the localService.URL field when `start` is called. So,\n\t\t\t// leave the URL field empty for now.\n\t\t\tcfg.BastionMode = true\n\t\t\tservice = newBastionService()\n\t\t} else {\n\t\t\t// Validate URL services\n\t\t\tu, err := url.Parse(r.Service)\n\t\t\tif err != nil {\n\t\t\t\treturn Ingress{}, err\n\t\t\t}\n\n\t\t\tif u.Scheme == \"\" || u.Hostname() == \"\" {\n\t\t\t\treturn Ingress{}, fmt.Errorf(\"%s is an invalid address, please make sure it has a scheme and a hostname\", r.Service)\n\t\t\t}\n\n\t\t\tif u.Path != \"\" {\n\t\t\t\treturn Ingress{}, fmt.Errorf(\"%s is an invalid address, ingress rules don't support proxying to a different path on the origin service. The path will be the same as the eyeball request's path\", r.Service)\n\t\t\t}\n\t\t\tif isHTTPService(u) {\n\t\t\t\tservice = &httpService{url: u}\n\t\t\t} else {\n\t\t\t\tservice = newTCPOverWSService(u)\n\t\t\t}\n\t\t}\n\n\t\tvar handlers []middleware.Handler\n\t\tif access := r.OriginRequest.Access; access != nil {\n\t\t\tif err := validateAccessConfiguration(access); err != nil {\n\t\t\t\treturn Ingress{}, err\n\t\t\t}\n\t\t\tif access.Required {\n\t\t\t\tverifier := middleware.NewJWTValidator(access.TeamName, access.Environment, access.AudTag)\n\t\t\t\thandlers = append(handlers, verifier)\n\t\t\t}\n\t\t}\n\n\t\tif err := validateHostname(r, i, len(ingress)); err != nil {\n\t\t\treturn Ingress{}, err\n\t\t}\n\n\t\tisCatchAllRule := (r.Hostname == \"\" || r.Hostname == \"*\") && r.Path == \"\"\n\t\tpunycodeHostname := \"\"\n\t\tif !isCatchAllRule {\n\t\t\tpunycode, err := idna.Lookup.ToASCII(r.Hostname)\n\t\t\t// Don't provide the punycode hostname if it is the same as the original hostname\n\t\t\tif err == nil && punycode != r.Hostname {\n\t\t\t\tpunycodeHostname = punycode\n\t\t\t}\n\t\t}\n\n\t\tvar pathRegexp *Regexp\n\t\tif r.Path != \"\" {\n\t\t\tvar err error\n\t\t\tregex, err := regexp.Compile(r.Path)\n\t\t\tif err != nil {\n\t\t\t\treturn Ingress{}, errors.Wrapf(err, \"Rule #%d has an invalid regex\", i+1)\n\t\t\t}\n\t\t\tpathRegexp = &Regexp{Regexp: regex}\n\t\t}\n\n\t\trules[i] = Rule{\n\t\t\tHostname: r.Hostname,\n\t\t\tpunycodeHostname: punycodeHostname,\n\t\t\tService: service,\n\t\t\tPath: pathRegexp,\n\t\t\tHandlers: handlers,\n\t\t\tConfig: cfg,\n\t\t}\n\t}\n\treturn Ingress{Rules: rules, Defaults: defaults}, nil\n}\n\nfunc validateHostname(r config.UnvalidatedIngressRule, ruleIndex, totalRules int) error {\n\t// Ensure that the hostname doesn't contain port\n\t_, _, err := net.SplitHostPort(r.Hostname)\n\tif err == nil {\n\t\treturn errHostnameContainsPort\n\t}\n\t// Ensure that there are no wildcards anywhere except the first character\n\t// of the hostname.\n\tif strings.LastIndex(r.Hostname, \"*\") > 0 {\n\t\treturn errBadWildcard\n\t}\n\n\t// The last rule should catch all hostnames.\n\tisCatchAllRule := (r.Hostname == \"\" || r.Hostname == \"*\") && r.Path == \"\"\n\tisLastRule := ruleIndex == totalRules-1\n\tif isLastRule && !isCatchAllRule {\n\t\treturn errLastRuleNotCatchAll\n\t}\n\t// ONLY the last rule should catch all hostnames.\n\tif !isLastRule && isCatchAllRule {\n\t\treturn ruleShouldNotBeCatchAllError{index: ruleIndex, hostname: r.Hostname}\n\t}\n\treturn nil\n}\n\ntype ruleShouldNotBeCatchAllError struct {\n\tindex int\n\thostname string\n}\n\nfunc (e ruleShouldNotBeCatchAllError) Error() string {\n\treturn fmt.Sprintf(\"Rule #%d is matching the hostname '%s', but \"+\n\t\t\"this will match every hostname, meaning the rules which follow it \"+\n\t\t\"will never be triggered.\", e.index+1, e.hostname)\n}\n\nfunc isHTTPService(url *url.URL) bool {\n\treturn url.Scheme == \"http\" || url.Scheme == \"https\" || url.Scheme == \"ws\" || url.Scheme == \"wss\"\n}\n" }, { "path": "ingress/ingress_test.go", "content": "package ingress\n\nimport (\n\t\"flag\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"regexp\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"github.com/urfave/cli/v2\"\n\tyaml \"gopkg.in/yaml.v3\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/ipaccess\"\n\t\"github.com/cloudflare/cloudflared/tlsconfig\"\n)\n\nfunc TestParseUnixSocket(t *testing.T) {\n\trawYAML := `\ningress:\n- service: unix:/tmp/echo.sock\n`\n\ting, err := ParseIngress(MustReadIngress(rawYAML))\n\trequire.NoError(t, err)\n\ts, ok := ing.Rules[0].Service.(*unixSocketPath)\n\trequire.True(t, ok)\n\trequire.Equal(t, \"http\", s.scheme)\n}\n\nfunc TestParseUnixSocketTLS(t *testing.T) {\n\trawYAML := `\ningress:\n- service: unix+tls:/tmp/echo.sock\n`\n\ting, err := ParseIngress(MustReadIngress(rawYAML))\n\trequire.NoError(t, err)\n\ts, ok := ing.Rules[0].Service.(*unixSocketPath)\n\trequire.True(t, ok)\n\trequire.Equal(t, \"https\", s.scheme)\n}\n\nfunc TestParseIngressNilConfig(t *testing.T) {\n\t_, err := ParseIngress(nil)\n\trequire.Error(t, err)\n}\n\nfunc TestParseIngress(t *testing.T) {\n\tlocalhost8000 := MustParseURL(t, \"https://localhost:8000\")\n\tlocalhost8001 := MustParseURL(t, \"https://localhost:8001\")\n\tfourOhFour := newStatusCode(404)\n\tdefaultConfig := setConfig(originRequestFromConfig(config.OriginRequestConfig{}), config.OriginRequestConfig{})\n\trequire.Equal(t, defaultKeepAliveConnections, defaultConfig.KeepAliveConnections)\n\ttr := true\n\ttype args struct {\n\t\trawYAML string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant []Rule\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\tname: \"Empty file\",\n\t\t\targs: args{rawYAML: \"\"},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Multiple rules\",\n\t\t\targs: args{rawYAML: `\ningress:\n - hostname: tunnel1.example.com\n service: https://localhost:8000\n - hostname: \"*\"\n service: https://localhost:8001\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tHostname: \"tunnel1.example.com\",\n\t\t\t\t\tService: &httpService{url: localhost8000},\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tHostname: \"*\",\n\t\t\t\t\tService: &httpService{url: localhost8001},\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Extra keys\",\n\t\t\targs: args{rawYAML: `\ningress:\n - hostname: \"*\"\n service: https://localhost:8000\nextraKey: extraValue\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tHostname: \"*\",\n\t\t\t\t\tService: &httpService{url: localhost8000},\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"ws service\",\n\t\t\targs: args{rawYAML: `\ningress:\n - hostname: \"*\"\n service: wss://localhost:8000\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tHostname: \"*\",\n\t\t\t\t\tService: &httpService{url: MustParseURL(t, \"wss://localhost:8000\")},\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Hostname can be omitted\",\n\t\t\targs: args{rawYAML: `\ningress:\n - service: https://localhost:8000\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tService: &httpService{url: localhost8000},\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Unicode domain\",\n\t\t\targs: args{rawYAML: `\ningress:\n - hostname: môô.cloudflare.com\n service: https://localhost:8000\n - service: https://localhost:8001\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tHostname: \"môô.cloudflare.com\",\n\t\t\t\t\tpunycodeHostname: \"xn--m-xgaa.cloudflare.com\",\n\t\t\t\t\tService: &httpService{url: localhost8000},\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tService: &httpService{url: localhost8001},\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Invalid unicode domain\",\n\t\t\targs: args{rawYAML: fmt.Sprintf(`\ningress:\n - hostname: %s\n service: https://localhost:8000\n`, string(rune(0xd8f3))+\".cloudflare.com\")},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Invalid service\",\n\t\t\targs: args{rawYAML: `\ningress:\n - hostname: \"*\"\n service: https://local host:8000\n`},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Last rule isn't catchall\",\n\t\t\targs: args{rawYAML: `\ningress:\n - hostname: example.com\n service: https://localhost:8000\n`},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"First rule is catchall\",\n\t\t\targs: args{rawYAML: `\ningress:\n - service: https://localhost:8000\n - hostname: example.com\n service: https://localhost:8000\n`},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Catch-all rule can't have a path\",\n\t\t\targs: args{rawYAML: `\ningress:\n - service: https://localhost:8001\n path: /subpath1/(.*)/subpath2\n`},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Invalid regex\",\n\t\t\targs: args{rawYAML: `\ningress:\n - hostname: example.com\n service: https://localhost:8000\n path: \"*/subpath2\"\n - service: https://localhost:8001\n`},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Service must have a scheme\",\n\t\t\targs: args{rawYAML: `\ningress:\n - service: localhost:8000\n`},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Wildcard not at start\",\n\t\t\targs: args{rawYAML: `\ningress:\n - hostname: \"test.*.example.com\"\n service: https://localhost:8000\n`},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Service can't have a path\",\n\t\t\targs: args{rawYAML: `\ningress:\n - service: https://localhost:8000/static/\n`},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Invalid HTTP status\",\n\t\t\targs: args{rawYAML: `\ningress:\n - service: http_status:asdf\n`},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Invalid HTTP status code\",\n\t\t\targs: args{rawYAML: `\ningress:\n - service: http_status:8080\n`},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Valid HTTP status\",\n\t\t\targs: args{rawYAML: `\ningress:\n - service: http_status:404\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tHostname: \"\",\n\t\t\t\t\tService: &fourOhFour,\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Valid hello world service\",\n\t\t\targs: args{rawYAML: `\ningress:\n - service: hello_world\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tHostname: \"\",\n\t\t\t\t\tService: new(helloWorld),\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"TCP services\",\n\t\t\targs: args{rawYAML: `\ningress:\n- hostname: tcp.foo.com\n service: tcp://127.0.0.1\n- hostname: tcp2.foo.com\n service: tcp://localhost:8000\n- service: http_status:404\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tHostname: \"tcp.foo.com\",\n\t\t\t\t\tService: newTCPOverWSService(MustParseURL(t, \"tcp://127.0.0.1:7864\")),\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tHostname: \"tcp2.foo.com\",\n\t\t\t\t\tService: newTCPOverWSService(MustParseURL(t, \"tcp://localhost:8000\")),\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tService: &fourOhFour,\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"SSH services\",\n\t\t\targs: args{rawYAML: `\ningress:\n- service: ssh://127.0.0.1\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tService: newTCPOverWSService(MustParseURL(t, \"ssh://127.0.0.1:22\")),\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"RDP services\",\n\t\t\targs: args{rawYAML: `\ningress:\n- service: rdp://127.0.0.1\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tService: newTCPOverWSService(MustParseURL(t, \"rdp://127.0.0.1:3389\")),\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"SMB services\",\n\t\t\targs: args{rawYAML: `\ningress:\n- service: smb://127.0.0.1\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tService: newTCPOverWSService(MustParseURL(t, \"smb://127.0.0.1:445\")),\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Other TCP services\",\n\t\t\targs: args{rawYAML: `\ningress:\n- service: ftp://127.0.0.1\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tService: newTCPOverWSService(MustParseURL(t, \"ftp://127.0.0.1\")),\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"SOCKS services\",\n\t\t\targs: args{rawYAML: `\ningress:\n- hostname: socks.foo.com\n service: socks-proxy\n originRequest:\n ipRules:\n - prefix: 1.1.1.0/24\n ports: [80, 443]\n allow: true\n - prefix: 0.0.0.0/0\n allow: false\n- service: http_status:404\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tHostname: \"socks.foo.com\",\n\t\t\t\t\tService: newSocksProxyOverWSService(accessPolicy()),\n\t\t\t\t\tConfig: setConfig(originRequestFromConfig(config.OriginRequestConfig{}), config.OriginRequestConfig{IPRules: []config.IngressIPRule{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tPrefix: ipRulePrefix(\"1.1.1.0/24\"),\n\t\t\t\t\t\t\tPorts: []int{80, 443},\n\t\t\t\t\t\t\tAllow: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tPrefix: ipRulePrefix(\"0.0.0.0/0\"),\n\t\t\t\t\t\t\tAllow: false,\n\t\t\t\t\t\t},\n\t\t\t\t\t}}),\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tService: &fourOhFour,\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"URL isn't necessary if using bastion\",\n\t\t\targs: args{rawYAML: `\ningress:\n- hostname: bastion.foo.com\n originRequest:\n bastionMode: true\n- service: http_status:404\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tHostname: \"bastion.foo.com\",\n\t\t\t\t\tService: newBastionService(),\n\t\t\t\t\tConfig: setConfig(originRequestFromConfig(config.OriginRequestConfig{}), config.OriginRequestConfig{BastionMode: &tr}),\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tService: &fourOhFour,\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Bastion service\",\n\t\t\targs: args{rawYAML: `\ningress:\n- hostname: bastion.foo.com\n service: bastion\n- service: http_status:404\n`},\n\t\t\twant: []Rule{\n\t\t\t\t{\n\t\t\t\t\tHostname: \"bastion.foo.com\",\n\t\t\t\t\tService: newBastionService(),\n\t\t\t\t\tConfig: setConfig(originRequestFromConfig(config.OriginRequestConfig{}), config.OriginRequestConfig{BastionMode: &tr}),\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tService: &fourOhFour,\n\t\t\t\t\tConfig: defaultConfig,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Hostname contains port\",\n\t\t\targs: args{rawYAML: `\ningress:\n - hostname: \"test.example.com:443\"\n service: https://localhost:8000\n - hostname: \"*\"\n service: https://localhost:8001\n`},\n\t\t\twantErr: true,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tgot, err := ParseIngress(MustReadIngress(tt.args.rawYAML))\n\t\t\tif (err != nil) != tt.wantErr {\n\t\t\t\tt.Errorf(\"ParseIngress() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t\treturn\n\t\t\t}\n\t\t\trequire.Equal(t, tt.want, got.Rules)\n\t\t})\n\t}\n}\n\nfunc ipRulePrefix(s string) *string {\n\treturn &s\n}\n\nfunc TestSingleOriginSetsConfig(t *testing.T) {\n\tflagSet := flag.NewFlagSet(t.Name(), flag.PanicOnError)\n\tflagSet.Bool(\"hello-world\", true, \"\")\n\tflagSet.Duration(ProxyConnectTimeoutFlag, time.Second, \"\")\n\tflagSet.Duration(ProxyTLSTimeoutFlag, time.Second, \"\")\n\tflagSet.Duration(ProxyTCPKeepAliveFlag, time.Second, \"\")\n\tflagSet.Bool(ProxyNoHappyEyeballsFlag, true, \"\")\n\tflagSet.Int(ProxyKeepAliveConnectionsFlag, 10, \"\")\n\tflagSet.Duration(ProxyKeepAliveTimeoutFlag, time.Second, \"\")\n\tflagSet.String(HTTPHostHeaderFlag, \"example.com:8080\", \"\")\n\tflagSet.String(OriginServerNameFlag, \"example.com\", \"\")\n\tflagSet.String(tlsconfig.OriginCAPoolFlag, \"/etc/certs/ca.pem\", \"\")\n\tflagSet.Bool(NoTLSVerifyFlag, true, \"\")\n\tflagSet.Bool(NoChunkedEncodingFlag, true, \"\")\n\tflagSet.Bool(config.BastionFlag, true, \"\")\n\tflagSet.String(ProxyAddressFlag, \"localhost:8080\", \"\")\n\tflagSet.Uint(ProxyPortFlag, 8080, \"\")\n\tflagSet.Bool(Socks5Flag, true, \"\")\n\n\tcliCtx := cli.NewContext(cli.NewApp(), flagSet, nil)\n\terr := cliCtx.Set(\"hello-world\", \"true\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(ProxyConnectTimeoutFlag, \"1s\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(ProxyTLSTimeoutFlag, \"1s\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(ProxyTCPKeepAliveFlag, \"1s\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(ProxyNoHappyEyeballsFlag, \"true\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(ProxyKeepAliveConnectionsFlag, \"10\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(ProxyKeepAliveTimeoutFlag, \"1s\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(HTTPHostHeaderFlag, \"example.com:8080\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(OriginServerNameFlag, \"example.com\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(tlsconfig.OriginCAPoolFlag, \"/etc/certs/ca.pem\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(NoTLSVerifyFlag, \"true\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(NoChunkedEncodingFlag, \"true\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(config.BastionFlag, \"true\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(ProxyAddressFlag, \"localhost:8080\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(ProxyPortFlag, \"8080\")\n\trequire.NoError(t, err)\n\terr = cliCtx.Set(Socks5Flag, \"true\")\n\trequire.NoError(t, err)\n\n\tallowURLFromArgs := false\n\trequire.NoError(t, err)\n\tingress, err := parseCLIIngress(cliCtx, allowURLFromArgs)\n\trequire.NoError(t, err)\n\n\tassert.Equal(t, config.CustomDuration{Duration: time.Second}, ingress.Rules[0].Config.ConnectTimeout)\n\tassert.Equal(t, config.CustomDuration{Duration: time.Second}, ingress.Rules[0].Config.TLSTimeout)\n\tassert.Equal(t, config.CustomDuration{Duration: time.Second}, ingress.Rules[0].Config.TCPKeepAlive)\n\tassert.True(t, ingress.Rules[0].Config.NoHappyEyeballs)\n\tassert.Equal(t, 10, ingress.Rules[0].Config.KeepAliveConnections)\n\tassert.Equal(t, config.CustomDuration{Duration: time.Second}, ingress.Rules[0].Config.KeepAliveTimeout)\n\tassert.Equal(t, \"example.com:8080\", ingress.Rules[0].Config.HTTPHostHeader)\n\tassert.Equal(t, \"example.com\", ingress.Rules[0].Config.OriginServerName)\n\tassert.Equal(t, \"/etc/certs/ca.pem\", ingress.Rules[0].Config.CAPool)\n\tassert.True(t, ingress.Rules[0].Config.NoTLSVerify)\n\tassert.True(t, ingress.Rules[0].Config.DisableChunkedEncoding)\n\tassert.True(t, ingress.Rules[0].Config.BastionMode)\n\tassert.Equal(t, \"localhost:8080\", ingress.Rules[0].Config.ProxyAddress)\n\tassert.Equal(t, uint(8080), ingress.Rules[0].Config.ProxyPort)\n\tassert.Equal(t, socksProxy, ingress.Rules[0].Config.ProxyType)\n}\n\nfunc TestSingleOriginServices(t *testing.T) {\n\thost := \"://localhost:8080\"\n\thttpURL := urlMustParse(\"http\" + host)\n\ttcpURL := urlMustParse(\"tcp\" + host)\n\tunix := \"unix://service\"\n\tnewCli := func(params ...string) *cli.Context {\n\t\tflagSet := flag.NewFlagSet(t.Name(), flag.PanicOnError)\n\t\tflagSet.Bool(\"hello-world\", false, \"\")\n\t\tflagSet.Bool(\"bastion\", false, \"\")\n\t\tflagSet.String(\"url\", \"\", \"\")\n\t\tflagSet.String(\"unix-socket\", \"\", \"\")\n\t\tcliCtx := cli.NewContext(cli.NewApp(), flagSet, nil)\n\t\tfor i := 0; i < len(params); i += 2 {\n\t\t\tcliCtx.Set(params[i], params[i+1])\n\t\t}\n\n\t\treturn cliCtx\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tcli *cli.Context\n\t\texpectedService OriginService\n\t\terr error\n\t}{\n\t\t{\n\t\t\tname: \"Valid hello-world\",\n\t\t\tcli: newCli(\"hello-world\", \"true\"),\n\t\t\texpectedService: &helloWorld{},\n\t\t},\n\t\t{\n\t\t\tname: \"Valid bastion\",\n\t\t\tcli: newCli(\"bastion\", \"true\"),\n\t\t\texpectedService: newBastionService(),\n\t\t},\n\t\t{\n\t\t\tname: \"Valid http url\",\n\t\t\tcli: newCli(\"url\", httpURL.String()),\n\t\t\texpectedService: &httpService{url: httpURL},\n\t\t},\n\t\t{\n\t\t\tname: \"Valid tcp url\",\n\t\t\tcli: newCli(\"url\", tcpURL.String()),\n\t\t\texpectedService: newTCPOverWSService(tcpURL),\n\t\t},\n\t\t{\n\t\t\tname: \"Valid unix-socket\",\n\t\t\tcli: newCli(\"unix-socket\", unix),\n\t\t\texpectedService: &unixSocketPath{path: unix, scheme: \"http\"},\n\t\t},\n\t\t{\n\t\t\tname: \"No origins defined\",\n\t\t\tcli: newCli(),\n\t\t\terr: ErrNoIngressRulesCLI,\n\t\t},\n\t}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tingress, err := parseCLIIngress(test.cli, false)\n\t\t\trequire.Equal(t, err, test.err)\n\t\t\tif test.err != nil {\n\t\t\t\treturn\n\t\t\t}\n\t\t\trequire.Equal(t, 1, len(ingress.Rules))\n\t\t\trule := ingress.Rules[0]\n\t\t\trequire.Equal(t, test.expectedService, rule.Service)\n\t\t})\n\t}\n}\n\nfunc urlMustParse(s string) *url.URL {\n\tu, err := url.Parse(s)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn u\n}\n\nfunc TestSingleOriginServices_URL(t *testing.T) {\n\thost := \"://localhost:8080\"\n\tnewCli := func(param string, value string) *cli.Context {\n\t\tflagSet := flag.NewFlagSet(t.Name(), flag.PanicOnError)\n\t\tflagSet.String(\"url\", \"\", \"\")\n\t\tcliCtx := cli.NewContext(cli.NewApp(), flagSet, nil)\n\t\tcliCtx.Set(param, value)\n\t\treturn cliCtx\n\t}\n\n\thttpTests := []string{\"http\", \"https\"}\n\tfor _, test := range httpTests {\n\t\tt.Run(test, func(t *testing.T) {\n\t\t\turl := urlMustParse(test + host)\n\t\t\tingress, err := parseCLIIngress(newCli(\"url\", url.String()), false)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, 1, len(ingress.Rules))\n\t\t\trule := ingress.Rules[0]\n\t\t\trequire.Equal(t, &httpService{url: url}, rule.Service)\n\t\t})\n\t}\n\n\ttcpTests := []string{\"ssh\", \"rdp\", \"smb\", \"tcp\"}\n\tfor _, test := range tcpTests {\n\t\tt.Run(test, func(t *testing.T) {\n\t\t\turl := urlMustParse(test + host)\n\t\t\tingress, err := parseCLIIngress(newCli(\"url\", url.String()), false)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, 1, len(ingress.Rules))\n\t\t\trule := ingress.Rules[0]\n\t\t\trequire.Equal(t, newTCPOverWSService(url), rule.Service)\n\t\t})\n\t}\n}\n\nfunc TestFindMatchingRule(t *testing.T) {\n\tingress := Ingress{\n\t\tRules: []Rule{\n\t\t\t{\n\t\t\t\tHostname: \"tunnel-a.example.com\",\n\t\t\t\tPath: nil,\n\t\t\t},\n\t\t\t{\n\t\t\t\tHostname: \"tunnel-b.example.com\",\n\t\t\t\tPath: MustParsePath(t, \"/health\"),\n\t\t\t},\n\t\t\t{\n\t\t\t\tHostname: \"*\",\n\t\t\t},\n\t\t},\n\t}\n\n\ttests := []struct {\n\t\thost string\n\t\tpath string\n\t\treq *http.Request\n\t\twantRuleIndex int\n\t}{\n\t\t{\n\t\t\thost: \"tunnel-a.example.com\",\n\t\t\tpath: \"/\",\n\t\t\twantRuleIndex: 0,\n\t\t},\n\t\t{\n\t\t\thost: \"tunnel-a.example.com\",\n\t\t\tpath: \"/pages/about\",\n\t\t\twantRuleIndex: 0,\n\t\t},\n\t\t{\n\t\t\thost: \"tunnel-a.example.com:443\",\n\t\t\tpath: \"/pages/about\",\n\t\t\twantRuleIndex: 0,\n\t\t},\n\t\t{\n\t\t\thost: \"tunnel-b.example.com\",\n\t\t\tpath: \"/health\",\n\t\t\twantRuleIndex: 1,\n\t\t},\n\t\t{\n\t\t\thost: \"tunnel-b.example.com\",\n\t\t\tpath: \"/index.html\",\n\t\t\twantRuleIndex: 2,\n\t\t},\n\t\t{\n\t\t\thost: \"tunnel-c.example.com\",\n\t\t\tpath: \"/\",\n\t\t\twantRuleIndex: 2,\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\t_, ruleIndex := ingress.FindMatchingRule(test.host, test.path)\n\t\tassert.Equal(t, test.wantRuleIndex, ruleIndex, fmt.Sprintf(\"Expect host=%s, path=%s to match rule %d, got %d\", test.host, test.path, test.wantRuleIndex, ruleIndex))\n\t}\n}\n\nfunc TestIsHTTPService(t *testing.T) {\n\ttests := []struct {\n\t\turl *url.URL\n\t\tisHTTP bool\n\t}{\n\t\t{\n\t\t\turl: MustParseURL(t, \"http://localhost\"),\n\t\t\tisHTTP: true,\n\t\t},\n\t\t{\n\t\t\turl: MustParseURL(t, \"https://127.0.0.1:8000\"),\n\t\t\tisHTTP: true,\n\t\t},\n\t\t{\n\t\t\turl: MustParseURL(t, \"ws://localhost\"),\n\t\t\tisHTTP: true,\n\t\t},\n\t\t{\n\t\t\turl: MustParseURL(t, \"wss://localhost:8000\"),\n\t\t\tisHTTP: true,\n\t\t},\n\t\t{\n\t\t\turl: MustParseURL(t, \"tcp://localhost:9000\"),\n\t\t\tisHTTP: false,\n\t\t},\n\t}\n\tfor _, test := range tests {\n\t\tassert.Equal(t, test.isHTTP, isHTTPService(test.url))\n\t}\n}\n\nfunc MustParsePath(t *testing.T, path string) *Regexp {\n\tregexp, err := regexp.Compile(path)\n\tassert.NoError(t, err)\n\treturn &Regexp{Regexp: regexp}\n}\n\nfunc MustParseURL(t *testing.T, rawURL string) *url.URL {\n\tu, err := url.Parse(rawURL)\n\trequire.NoError(t, err)\n\treturn u\n}\n\nfunc accessPolicy() *ipaccess.Policy {\n\tcidr1 := \"1.1.1.0/24\"\n\tcidr2 := \"0.0.0.0/0\"\n\trule1, _ := ipaccess.NewRuleByCIDR(&cidr1, []int{80, 443}, true)\n\trule2, _ := ipaccess.NewRuleByCIDR(&cidr2, nil, false)\n\trules := []ipaccess.Rule{rule1, rule2}\n\taccessPolicy, _ := ipaccess.NewPolicy(false, rules)\n\treturn accessPolicy\n}\n\nfunc BenchmarkFindMatch(b *testing.B) {\n\trulesYAML := `\ningress:\n - hostname: tunnel1.example.com\n service: https://localhost:8000\n - hostname: tunnel2.example.com\n service: https://localhost:8001\n - hostname: \"*\"\n service: https://localhost:8002\n`\n\n\ting, err := ParseIngress(MustReadIngress(rulesYAML))\n\tif err != nil {\n\t\tb.Error(err)\n\t}\n\n\tfor n := 0; n < b.N; n++ {\n\t\ting.FindMatchingRule(\"tunnel1.example.com\", \"\")\n\t\ting.FindMatchingRule(\"tunnel2.example.com\", \"\")\n\t\ting.FindMatchingRule(\"tunnel3.example.com\", \"\")\n\t}\n}\n\nfunc TestParseAccessConfig(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tcfg config.AccessConfig\n\t\texpectError bool\n\t}{\n\t\t{\n\t\t\tname: \"Config required with teamName only\",\n\t\t\tcfg: config.AccessConfig{Required: true, TeamName: \"team\"},\n\t\t\texpectError: false,\n\t\t},\n\t\t{\n\t\t\tname: \"required false\",\n\t\t\tcfg: config.AccessConfig{Required: false},\n\t\t\texpectError: false,\n\t\t},\n\t\t{\n\t\t\tname: \"required true but empty config\",\n\t\t\tcfg: config.AccessConfig{Required: true},\n\t\t\texpectError: false,\n\t\t},\n\t\t{\n\t\t\tname: \"complete config\",\n\t\t\tcfg: config.AccessConfig{Required: true, TeamName: \"team\", AudTag: []string{\"a\"}},\n\t\t\texpectError: false,\n\t\t},\n\t\t{\n\t\t\tname: \"required true with audTags but no teamName\",\n\t\t\tcfg: config.AccessConfig{Required: true, AudTag: []string{\"a\"}},\n\t\t\texpectError: true,\n\t\t},\n\t}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\terr := validateAccessConfiguration(&test.cfg)\n\t\t\trequire.Equal(t, err != nil, test.expectError)\n\t\t})\n\t}\n}\n\nfunc MustReadIngress(s string) *config.Configuration {\n\tvar conf config.Configuration\n\terr := yaml.Unmarshal([]byte(s), &conf)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn &conf\n}\n" }, { "path": "ingress/middleware/jwtvalidator.go", "content": "package middleware\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/coreos/go-oidc/v3/oidc\"\n\n\t\"github.com/cloudflare/cloudflared/credentials\"\n)\n\nconst (\n\theaderKeyAccessJWTAssertion = \"Cf-Access-Jwt-Assertion\"\n)\n\nvar (\n\tcloudflareAccessCertsURL = \"https://%s.cloudflareaccess.com\"\n\tcloudflareAccessFedCertsURL = \"https://%s.fed.cloudflareaccess.com\"\n)\n\n// JWTValidator is an implementation of Verifier that validates access based JWT tokens.\ntype JWTValidator struct {\n\t*oidc.IDTokenVerifier\n\taudTags []string\n}\n\nfunc NewJWTValidator(teamName string, environment string, audTags []string) *JWTValidator {\n\tvar certsURL string\n\tif environment == credentials.FedEndpoint {\n\t\tcertsURL = fmt.Sprintf(cloudflareAccessFedCertsURL, teamName)\n\t} else {\n\t\tcertsURL = fmt.Sprintf(cloudflareAccessCertsURL, teamName)\n\t}\n\n\tcertsEndpoint := fmt.Sprintf(\"%s/cdn-cgi/access/certs\", certsURL)\n\n\tconfig := &oidc.Config{\n\t\tSkipClientIDCheck: true,\n\t}\n\n\tctx := context.Background()\n\tkeySet := oidc.NewRemoteKeySet(ctx, certsEndpoint)\n\tverifier := oidc.NewVerifier(certsURL, keySet, config)\n\treturn &JWTValidator{\n\t\tIDTokenVerifier: verifier,\n\t\taudTags: audTags,\n\t}\n}\n\nfunc (v *JWTValidator) Name() string {\n\treturn \"AccessJWTValidator\"\n}\n\nfunc (v *JWTValidator) Handle(ctx context.Context, r *http.Request) (*HandleResult, error) {\n\taccessJWT := r.Header.Get(headerKeyAccessJWTAssertion)\n\tif accessJWT == \"\" {\n\t\t// log the exact error message here. the message is specific to the handler implementation logic, we don't gain anything\n\t\t// in passing it upstream. and each handler impl know what logging level to use for each.\n\t\treturn &HandleResult{\n\t\t\tShouldFilterRequest: true,\n\t\t\tStatusCode: http.StatusForbidden,\n\t\t\tReason: \"no access token in request\",\n\t\t}, nil\n\t}\n\n\ttoken, err := v.IDTokenVerifier.Verify(ctx, accessJWT)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// We want at least one audTag to match\n\tfor _, jwtAudTag := range token.Audience {\n\t\tfor _, acceptedAudTag := range v.audTags {\n\t\t\tif acceptedAudTag == jwtAudTag {\n\t\t\t\treturn &HandleResult{ShouldFilterRequest: false}, nil\n\t\t\t}\n\t\t}\n\t}\n\n\treturn &HandleResult{\n\t\tShouldFilterRequest: true,\n\t\tStatusCode: http.StatusForbidden,\n\t\tReason: fmt.Sprintf(\"Invalid token in jwt: %v\", token.Audience),\n\t}, nil\n}\n" }, { "path": "ingress/middleware/jwtvalidator_test.go", "content": "package middleware\n\nimport (\n\t\"context\"\n\t\"crypto\"\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"crypto/rand\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/coreos/go-oidc/v3/oidc\"\n\t\"github.com/go-jose/go-jose/v4\"\n\t\"github.com/go-jose/go-jose/v4/jwt\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nvar (\n\tissuer = fmt.Sprintf(cloudflareAccessCertsURL, \"testteam\")\n)\n\ntype accessTokenClaims struct {\n\tEmail string `json:\"email\"`\n\tType string `json:\"type\"`\n\tjwt.Claims\n}\n\nfunc TestJWTValidator(t *testing.T) {\n\treq := httptest.NewRequest(\"GET\", \"http://example.com\", nil)\n\n\tkey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\trequire.NoError(t, err)\n\tissued := time.Now()\n\tclaims := accessTokenClaims{\n\t\tEmail: \"test@example.com\",\n\t\tType: \"app\",\n\t\tClaims: jwt.Claims{\n\t\t\tIssuer: issuer,\n\t\t\tSubject: \"ee239b7a-e3e6-4173-972a-8fbe9d99c04f\",\n\t\t\tAudience: []string{\"\"},\n\t\t\tExpiry: jwt.NewNumericDate(issued.Add(time.Hour)),\n\t\t\tIssuedAt: jwt.NewNumericDate(issued),\n\t\t},\n\t}\n\ttoken := signToken(t, claims, key)\n\treq.Header.Add(headerKeyAccessJWTAssertion, token)\n\n\tkeySet := oidc.StaticKeySet{PublicKeys: []crypto.PublicKey{key.Public()}}\n\tconfig := &oidc.Config{\n\t\tSkipClientIDCheck: true,\n\t\tSupportedSigningAlgs: []string{string(jose.ES256)},\n\t}\n\tverifier := oidc.NewVerifier(issuer, &keySet, config)\n\n\ttests := []struct {\n\t\tname string\n\t\taudTags []string\n\t\taud jwt.Audience\n\t\terror bool\n\t}{\n\t\t{\n\t\t\tname: \"valid\",\n\t\t\taudTags: []string{\n\t\t\t\t\"0bc545634b1732494b3f9472794a549c883fabd48de9dfe0e0413e59c3f96c38\",\n\t\t\t\t\"d7ec5b7fda23ffa8f8c8559fb37c66a2278208a78dbe376a3394b5ffec6911ba\",\n\t\t\t},\n\t\t\taud: jwt.Audience{\"d7ec5b7fda23ffa8f8c8559fb37c66a2278208a78dbe376a3394b5ffec6911ba\"},\n\t\t\terror: false,\n\t\t},\n\t\t{\n\t\t\tname: \"invalid no match\",\n\t\t\taudTags: []string{\n\t\t\t\t\"0bc545634b1732494b3f9472794a549c883fabd48de9dfe0e0413e59c3f96c38\",\n\t\t\t\t\"d7ec5b7fda23ffa8f8c8559fb37c66a2278208a78dbe376a3394b5ffec6911ba\",\n\t\t\t},\n\t\t\taud: jwt.Audience{\"09dc377143841843ecca28b196bdb1ec1675af38c8b7b60c7def5876c8877157\"},\n\t\t\terror: true,\n\t\t},\n\t\t{\n\t\t\tname: \"invalid empty check\",\n\t\t\taudTags: []string{},\n\t\t\taud: jwt.Audience{\"09dc377143841843ecca28b196bdb1ec1675af38c8b7b60c7def5876c8877157\"},\n\t\t\terror: true,\n\t\t},\n\t\t{\n\t\t\tname: \"invalid absent aud\",\n\t\t\taudTags: []string{\n\t\t\t\t\"0bc545634b1732494b3f9472794a549c883fabd48de9dfe0e0413e59c3f96c38\",\n\t\t\t\t\"d7ec5b7fda23ffa8f8c8559fb37c66a2278208a78dbe376a3394b5ffec6911ba\",\n\t\t\t},\n\t\t\taud: jwt.Audience{\"\"},\n\t\t\terror: true,\n\t\t},\n\t}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tvalidator := JWTValidator{\n\t\t\t\tIDTokenVerifier: verifier,\n\t\t\t\taudTags: test.audTags,\n\t\t\t}\n\t\t\tclaims.Audience = test.aud\n\t\t\ttoken := signToken(t, claims, key)\n\t\t\treq.Header.Set(headerKeyAccessJWTAssertion, token)\n\n\t\t\tresult, err := validator.Handle(context.Background(), req)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, test.error, result.ShouldFilterRequest)\n\t\t})\n\t}\n}\n\nfunc signToken(t *testing.T, token accessTokenClaims, key *ecdsa.PrivateKey) string {\n\tsigner, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: key}, &jose.SignerOptions{})\n\trequire.NoError(t, err)\n\tpayload, err := json.Marshal(token)\n\trequire.NoError(t, err)\n\tjws, err := signer.Sign(payload)\n\trequire.NoError(t, err)\n\tjwt, err := jws.CompactSerialize()\n\trequire.NoError(t, err)\n\treturn jwt\n}\n" }, { "path": "ingress/middleware/middleware.go", "content": "package middleware\n\nimport (\n\t\"context\"\n\t\"net/http\"\n)\n\ntype HandleResult struct {\n\t// Tells that the request didn't passed the handler and should be filtered\n\tShouldFilterRequest bool\n\t// The status code to return in case ShouldFilterRequest is true.\n\tStatusCode int\n\tReason string\n}\n\ntype Handler interface {\n\tName() string\n\tHandle(ctx context.Context, r *http.Request) (result *HandleResult, err error)\n}\n" }, { "path": "ingress/origin_connection.go", "content": "package ingress\n\nimport (\n\t\"context\"\n\t\"io\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/ipaccess\"\n\t\"github.com/cloudflare/cloudflared/socks\"\n\t\"github.com/cloudflare/cloudflared/stream\"\n\t\"github.com/cloudflare/cloudflared/websocket\"\n)\n\n// OriginConnection is a way to stream to a service running on the user's origin.\n// Different concrete implementations will stream different protocols as long as they are io.ReadWriters.\ntype OriginConnection interface {\n\t// Stream should generally be implemented as a bidirectional io.Copy.\n\tStream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger)\n\tClose() error\n}\n\ntype streamHandlerFunc func(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger)\n\n// DefaultStreamHandler is an implementation of streamHandlerFunc that\n// performs a two way io.Copy between originConn and remoteConn.\nfunc DefaultStreamHandler(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger) {\n\tstream.Pipe(originConn, remoteConn, log)\n}\n\n// tcpConnection is an OriginConnection that directly streams to raw TCP.\ntype tcpConnection struct {\n\tnet.Conn\n\twriteTimeout time.Duration\n\tlogger *zerolog.Logger\n}\n\nfunc (tc *tcpConnection) Stream(_ context.Context, tunnelConn io.ReadWriter, _ *zerolog.Logger) {\n\tstream.Pipe(tunnelConn, tc, tc.logger)\n}\n\nfunc (tc *tcpConnection) Write(b []byte) (int, error) {\n\tif tc.writeTimeout > 0 {\n\t\tif err := tc.Conn.SetWriteDeadline(time.Now().Add(tc.writeTimeout)); err != nil {\n\t\t\ttc.logger.Err(err).Msg(\"Error setting write deadline for TCP connection\")\n\t\t}\n\t}\n\n\treturn tc.Conn.Write(b)\n}\n\n// tcpOverWSConnection is an OriginConnection that streams to TCP over WS.\ntype tcpOverWSConnection struct {\n\tconn net.Conn\n\tstreamHandler streamHandlerFunc\n}\n\nfunc (wc *tcpOverWSConnection) Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger) {\n\twsCtx, cancel := context.WithCancel(ctx)\n\twsConn := websocket.NewConn(wsCtx, tunnelConn, log)\n\twc.streamHandler(wsConn, wc.conn, log)\n\tcancel()\n\t// Makes sure wsConn stops sending ping before terminating the stream\n\twsConn.Close()\n}\n\nfunc (wc *tcpOverWSConnection) Close() error {\n\treturn wc.conn.Close()\n}\n\n// socksProxyOverWSConnection is an OriginConnection that streams SOCKS connections over WS.\n// The connection to the origin happens inside the SOCKS code as the client specifies the origin\n// details in the packet.\ntype socksProxyOverWSConnection struct {\n\taccessPolicy *ipaccess.Policy\n}\n\nfunc (sp *socksProxyOverWSConnection) Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger) {\n\twsCtx, cancel := context.WithCancel(ctx)\n\twsConn := websocket.NewConn(wsCtx, tunnelConn, log)\n\tsocks.StreamNetHandler(wsConn, sp.accessPolicy, log)\n\tcancel()\n\t// Makes sure wsConn stops sending ping before terminating the stream\n\twsConn.Close()\n}\n\nfunc (sp *socksProxyOverWSConnection) Close() error {\n\treturn nil\n}\n" }, { "path": "ingress/origin_connection_test.go", "content": "package ingress\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/gobwas/ws/wsutil\"\n\tgorillaWS \"github.com/gorilla/websocket\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/proxy\"\n\t\"golang.org/x/sync/errgroup\"\n\n\t\"github.com/cloudflare/cloudflared/socks\"\n\t\"github.com/cloudflare/cloudflared/stream\"\n\t\"github.com/cloudflare/cloudflared/websocket\"\n)\n\nconst (\n\ttestStreamTimeout = time.Second * 3\n\techoHeaderName = \"Test-Cloudflared-Echo\"\n)\n\nvar (\n\ttestMessage = []byte(\"TestStreamOriginConnection\")\n\ttestResponse = []byte(fmt.Sprintf(\"echo-%s\", testMessage))\n)\n\nfunc TestStreamTCPConnection(t *testing.T) {\n\tcfdConn, originConn := net.Pipe()\n\ttcpConn := tcpConnection{\n\t\tConn: cfdConn,\n\t\twriteTimeout: 30 * time.Second,\n\t}\n\n\teyeballConn, edgeConn := net.Pipe()\n\n\tctx, cancel := context.WithTimeout(context.Background(), testStreamTimeout)\n\tdefer cancel()\n\n\terrGroup, ctx := errgroup.WithContext(ctx)\n\terrGroup.Go(func() error {\n\t\t_, err := eyeballConn.Write(testMessage)\n\t\trequire.NoError(t, err)\n\n\t\treadBuffer := make([]byte, len(testResponse))\n\t\t_, err = eyeballConn.Read(readBuffer)\n\t\trequire.NoError(t, err)\n\n\t\trequire.Equal(t, testResponse, readBuffer)\n\n\t\treturn nil\n\t})\n\terrGroup.Go(func() error {\n\t\techoTCPOrigin(t, originConn)\n\t\toriginConn.Close()\n\t\treturn nil\n\t})\n\n\ttcpConn.Stream(ctx, edgeConn, TestLogger)\n\trequire.NoError(t, errGroup.Wait())\n}\n\nfunc TestDefaultStreamWSOverTCPConnection(t *testing.T) {\n\tcfdConn, originConn := net.Pipe()\n\ttcpOverWSConn := tcpOverWSConnection{\n\t\tconn: cfdConn,\n\t\tstreamHandler: DefaultStreamHandler,\n\t}\n\n\teyeballConn, edgeConn := net.Pipe()\n\n\tctx, cancel := context.WithTimeout(context.Background(), testStreamTimeout)\n\tdefer cancel()\n\n\terrGroup, ctx := errgroup.WithContext(ctx)\n\terrGroup.Go(func() error {\n\t\techoWSEyeball(t, eyeballConn)\n\t\treturn nil\n\t})\n\terrGroup.Go(func() error {\n\t\techoTCPOrigin(t, originConn)\n\t\toriginConn.Close()\n\t\treturn nil\n\t})\n\n\ttcpOverWSConn.Stream(ctx, edgeConn, TestLogger)\n\trequire.NoError(t, errGroup.Wait())\n}\n\n// TestSocksStreamWSOverTCPConnection simulates proxying in socks mode.\n// Eyeball side runs cloudflared access tcp with --url flag to start a websocket forwarder which\n// wraps SOCKS5 traffic in websocket\n// Origin side runs a tcpOverWSConnection with socks.StreamHandler\nfunc TestSocksStreamWSOverTCPConnection(t *testing.T) {\n\tvar (\n\t\tsendMessage = t.Name()\n\t\techoHeaderIncomingValue = fmt.Sprintf(\"header-%s\", sendMessage)\n\t\techoMessage = fmt.Sprintf(\"echo-%s\", sendMessage)\n\t\techoHeaderReturnValue = fmt.Sprintf(\"echo-%s\", echoHeaderIncomingValue)\n\t)\n\n\tstatusCodes := []int{\n\t\thttp.StatusOK,\n\t\thttp.StatusTemporaryRedirect,\n\t\thttp.StatusBadRequest,\n\t\thttp.StatusInternalServerError,\n\t}\n\tfor _, status := range statusCodes {\n\t\thandler := func(w http.ResponseWriter, r *http.Request) {\n\t\t\tbody, err := io.ReadAll(r.Body)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, []byte(sendMessage), body)\n\n\t\t\trequire.Equal(t, echoHeaderIncomingValue, r.Header.Get(echoHeaderName))\n\t\t\tw.Header().Set(echoHeaderName, echoHeaderReturnValue)\n\n\t\t\tw.WriteHeader(status)\n\t\t\tw.Write([]byte(echoMessage))\n\t\t}\n\t\torigin := httptest.NewServer(http.HandlerFunc(handler))\n\t\tdefer origin.Close()\n\n\t\toriginURL, err := url.Parse(origin.URL)\n\t\trequire.NoError(t, err)\n\n\t\toriginConn, err := net.Dial(\"tcp\", originURL.Host)\n\t\trequire.NoError(t, err)\n\n\t\ttcpOverWSConn := tcpOverWSConnection{\n\t\t\tconn: originConn,\n\t\t\tstreamHandler: socks.StreamHandler,\n\t\t}\n\n\t\twsForwarderOutConn, edgeConn := net.Pipe()\n\t\tctx, cancel := context.WithTimeout(context.Background(), testStreamTimeout)\n\t\tdefer cancel()\n\n\t\terrGroup, ctx := errgroup.WithContext(ctx)\n\t\terrGroup.Go(func() error {\n\t\t\ttcpOverWSConn.Stream(ctx, edgeConn, TestLogger)\n\t\t\treturn nil\n\t\t})\n\n\t\twsForwarderListener, err := net.Listen(\"tcp\", \"127.0.0.1:0\")\n\t\trequire.NoError(t, err)\n\n\t\terrGroup.Go(func() error {\n\t\t\twsForwarderInConn, err := wsForwarderListener.Accept()\n\t\t\trequire.NoError(t, err)\n\t\t\tdefer wsForwarderInConn.Close()\n\n\t\t\tstream.Pipe(wsForwarderInConn, &wsEyeball{wsForwarderOutConn}, TestLogger)\n\t\t\treturn nil\n\t\t})\n\n\t\teyeballDialer, err := proxy.SOCKS5(\"tcp\", wsForwarderListener.Addr().String(), nil, proxy.Direct)\n\t\trequire.NoError(t, err)\n\n\t\ttransport := &http.Transport{\n\t\t\tDial: eyeballDialer.Dial,\n\t\t}\n\n\t\t// Request URL doesn't matter because the transport is using eyeballDialer to connectq\n\t\treq, err := http.NewRequestWithContext(ctx, \"GET\", \"http://test-socks-stream.com\", bytes.NewBuffer([]byte(sendMessage)))\n\t\tassert.NoError(t, err)\n\t\treq.Header.Set(echoHeaderName, echoHeaderIncomingValue)\n\n\t\tresp, err := transport.RoundTrip(req)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, status, resp.StatusCode)\n\t\trequire.Equal(t, echoHeaderReturnValue, resp.Header.Get(echoHeaderName))\n\t\tbody, err := io.ReadAll(resp.Body)\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, []byte(echoMessage), body)\n\n\t\twsForwarderOutConn.Close()\n\t\tedgeConn.Close()\n\t\ttcpOverWSConn.Close()\n\n\t\trequire.NoError(t, errGroup.Wait())\n\t}\n}\n\nfunc TestWsConnReturnsBeforeStreamReturns(t *testing.T) {\n\thandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\teyeballConn := &readWriter{\n\t\t\tw: w,\n\t\t\tr: r.Body,\n\t\t}\n\n\t\tcfdConn, originConn := net.Pipe()\n\t\ttcpOverWSConn := tcpOverWSConnection{\n\t\t\tconn: cfdConn,\n\t\t\tstreamHandler: DefaultStreamHandler,\n\t\t}\n\t\tgo func() {\n\t\t\ttime.Sleep(time.Millisecond * 10)\n\t\t\t// Simulate losing connection to origin\n\t\t\toriginConn.Close()\n\t\t}()\n\t\tctx := context.WithValue(r.Context(), websocket.PingPeriodContextKey, time.Microsecond)\n\t\ttcpOverWSConn.Stream(ctx, eyeballConn, TestLogger)\n\t})\n\tserver := httptest.NewServer(handler)\n\tdefer server.Close()\n\tclient := server.Client()\n\n\tctx, cancel := context.WithTimeout(context.Background(), time.Second*10)\n\tdefer cancel()\n\n\terrGroup, ctx := errgroup.WithContext(ctx)\n\tfor i := 0; i < 50; i++ {\n\t\teyeballConn, edgeConn := net.Pipe()\n\t\treq, err := http.NewRequestWithContext(ctx, http.MethodConnect, server.URL, edgeConn)\n\t\tassert.NoError(t, err)\n\n\t\tresp, err := client.Transport.RoundTrip(req)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, resp.StatusCode, http.StatusOK)\n\n\t\terrGroup.Go(func() error {\n\t\t\tfor {\n\t\t\t\tif err := wsutil.WriteClientBinary(eyeballConn, testMessage); err != nil {\n\t\t\t\t\treturn nil\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n\n\tassert.NoError(t, errGroup.Wait())\n}\n\ntype wsEyeball struct {\n\tconn net.Conn\n}\n\nfunc (wse *wsEyeball) Read(p []byte) (int, error) {\n\tdata, err := wsutil.ReadServerBinary(wse.conn)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\treturn copy(p, data), nil\n}\n\nfunc (wse *wsEyeball) Write(p []byte) (int, error) {\n\terr := wsutil.WriteClientBinary(wse.conn, p)\n\treturn len(p), err\n}\n\nfunc echoWSEyeball(t *testing.T, conn net.Conn) {\n\tdefer func() {\n\t\tassert.NoError(t, conn.Close())\n\t}()\n\n\tif !assert.NoError(t, wsutil.WriteClientBinary(conn, testMessage)) {\n\t\treturn\n\t}\n\n\treadMsg, err := wsutil.ReadServerBinary(conn)\n\tif !assert.NoError(t, err) {\n\t\treturn\n\t}\n\n\tassert.Equal(t, testResponse, readMsg)\n}\n\nfunc echoWSOrigin(t *testing.T, expectMessages bool) *httptest.Server {\n\tvar upgrader = gorillaWS.Upgrader{\n\t\tReadBufferSize: 10,\n\t\tWriteBufferSize: 10,\n\t}\n\n\tws := func(w http.ResponseWriter, r *http.Request) {\n\t\theader := make(http.Header)\n\t\tfor k, vs := range r.Header {\n\t\t\tif k == \"Test-Cloudflared-Echo\" {\n\t\t\t\theader[k] = vs\n\t\t\t}\n\t\t}\n\t\tconn, err := upgrader.Upgrade(w, r, header)\n\t\trequire.NoError(t, err)\n\t\tdefer conn.Close()\n\n\t\tsawMessage := false\n\t\tfor {\n\t\t\tmessageType, p, err := conn.ReadMessage()\n\t\t\tif err != nil {\n\t\t\t\tif expectMessages && !sawMessage {\n\t\t\t\t\tt.Errorf(\"unexpected error: %v\", err)\n\t\t\t\t}\n\t\t\t\treturn\n\t\t\t}\n\t\t\tassert.Equal(t, testMessage, p)\n\t\t\tsawMessage = true\n\t\t\tif err := conn.WriteMessage(messageType, testResponse); err != nil {\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}\n\n\t// NewTLSServer starts the server in another thread\n\treturn httptest.NewTLSServer(http.HandlerFunc(ws))\n}\n\nfunc echoTCPOrigin(t *testing.T, conn net.Conn) {\n\treadBuffer := make([]byte, len(testMessage))\n\t_, err := conn.Read(readBuffer)\n\tassert.NoError(t, err)\n\n\tassert.Equal(t, testMessage, readBuffer)\n\n\t_, err = conn.Write(testResponse)\n\tassert.NoError(t, err)\n}\n\ntype readWriter struct {\n\tw io.Writer\n\tr io.Reader\n}\n\nfunc (r *readWriter) Read(p []byte) (n int, err error) {\n\treturn r.r.Read(p)\n}\n\nfunc (r *readWriter) Write(p []byte) (n int, err error) {\n\treturn r.w.Write(p)\n}\n" }, { "path": "ingress/origin_dialer.go", "content": "package ingress\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/netip\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n)\n\nconst writeDeadlineUDP = 200 * time.Millisecond\n\n// OriginTCPDialer provides a TCP dial operation to a requested address.\ntype OriginTCPDialer interface {\n\tDialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error)\n}\n\n// OriginUDPDialer provides a UDP dial operation to a requested address.\ntype OriginUDPDialer interface {\n\tDialUDP(addr netip.AddrPort) (net.Conn, error)\n}\n\n// OriginDialer provides both TCP and UDP dial operations to an address.\ntype OriginDialer interface {\n\tOriginTCPDialer\n\tOriginUDPDialer\n}\n\ntype OriginConfig struct {\n\t// The default Dialer used if no reserved services are found for an origin request.\n\tDefaultDialer OriginDialer\n\t// Timeout on write operations for TCP connections to the origin.\n\tTCPWriteTimeout time.Duration\n}\n\n// OriginDialerService provides a proxy TCP and UDP dialer to origin services while allowing reserved\n// services to be provided. These reserved services are assigned to specific [netip.AddrPort]s\n// and provide their own [OriginDialer]'s to handle origin dialing per protocol.\ntype OriginDialerService struct {\n\t// Reserved TCP services for reserved AddrPort values\n\treservedTCPServices map[netip.AddrPort]OriginTCPDialer\n\t// Reserved UDP services for reserved AddrPort values\n\treservedUDPServices map[netip.AddrPort]OriginUDPDialer\n\t// The default Dialer used if no reserved services are found for an origin request\n\tdefaultDialer OriginDialer\n\tdefaultDialerM sync.RWMutex\n\t// Write timeout for TCP connections\n\twriteTimeout time.Duration\n\n\tlogger *zerolog.Logger\n}\n\nfunc NewOriginDialer(config OriginConfig, logger *zerolog.Logger) *OriginDialerService {\n\treturn &OriginDialerService{\n\t\treservedTCPServices: map[netip.AddrPort]OriginTCPDialer{},\n\t\treservedUDPServices: map[netip.AddrPort]OriginUDPDialer{},\n\t\tdefaultDialer: config.DefaultDialer,\n\t\twriteTimeout: config.TCPWriteTimeout,\n\t\tlogger: logger,\n\t}\n}\n\n// AddReservedService adds a reserved virtual service to dial to.\n// Not locked and expected to be initialized before calling first dial and not afterwards.\nfunc (d *OriginDialerService) AddReservedService(service OriginDialer, addrs []netip.AddrPort) {\n\tfor _, addr := range addrs {\n\t\td.reservedTCPServices[addr] = service\n\t\td.reservedUDPServices[addr] = service\n\t}\n}\n\n// UpdateDefaultDialer updates the default dialer.\nfunc (d *OriginDialerService) UpdateDefaultDialer(dialer *Dialer) {\n\td.defaultDialerM.Lock()\n\tdefer d.defaultDialerM.Unlock()\n\td.defaultDialer = dialer\n}\n\n// DialTCP will perform a dial TCP to the requested addr.\nfunc (d *OriginDialerService) DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error) {\n\tconn, err := d.dialTCP(ctx, addr)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\t// Assign the write timeout for the TCP operations\n\treturn &tcpConnection{\n\t\tConn: conn,\n\t\twriteTimeout: d.writeTimeout,\n\t\tlogger: d.logger,\n\t}, nil\n}\n\nfunc (d *OriginDialerService) dialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error) {\n\t// Check to see if any reserved services are available for this addr and call their dialer instead.\n\tif dialer, ok := d.reservedTCPServices[addr]; ok {\n\t\treturn dialer.DialTCP(ctx, addr)\n\t}\n\td.defaultDialerM.RLock()\n\tdialer := d.defaultDialer\n\td.defaultDialerM.RUnlock()\n\treturn dialer.DialTCP(ctx, addr)\n}\n\n// DialUDP will perform a dial UDP to the requested addr.\nfunc (d *OriginDialerService) DialUDP(addr netip.AddrPort) (net.Conn, error) {\n\t// Check to see if any reserved services are available for this addr and call their dialer instead.\n\tif dialer, ok := d.reservedUDPServices[addr]; ok {\n\t\treturn dialer.DialUDP(addr)\n\t}\n\td.defaultDialerM.RLock()\n\tdialer := d.defaultDialer\n\td.defaultDialerM.RUnlock()\n\treturn dialer.DialUDP(addr)\n}\n\ntype Dialer struct {\n\tDialer net.Dialer\n}\n\nfunc NewDialer(config WarpRoutingConfig) *Dialer {\n\treturn &Dialer{\n\t\tDialer: net.Dialer{\n\t\t\tTimeout: config.ConnectTimeout.Duration,\n\t\t\tKeepAlive: config.TCPKeepAlive.Duration,\n\t\t},\n\t}\n}\n\nfunc (d *Dialer) DialTCP(ctx context.Context, dest netip.AddrPort) (net.Conn, error) {\n\tconn, err := d.Dialer.DialContext(ctx, \"tcp\", dest.String())\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to dial tcp to origin %s: %w\", dest, err)\n\t}\n\n\treturn conn, nil\n}\n\nfunc (d *Dialer) DialUDP(dest netip.AddrPort) (net.Conn, error) {\n\tconn, err := d.Dialer.Dial(\"udp\", dest.String())\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to dial udp to origin %s: %w\", dest, err)\n\t}\n\treturn &writeDeadlineConn{\n\t\tConn: conn,\n\t}, nil\n}\n\n// writeDeadlineConn is a wrapper around a net.Conn that sets a write deadline of 200ms.\n// This is to prevent the socket from blocking on the write operation if it were to occur. However,\n// we typically never expect this to occur except under high load or kernel issues.\ntype writeDeadlineConn struct {\n\tnet.Conn\n}\n\nfunc (w *writeDeadlineConn) Write(b []byte) (int, error) {\n\tif err := w.SetWriteDeadline(time.Now().Add(writeDeadlineUDP)); err != nil {\n\t\treturn 0, err\n\t}\n\treturn w.Conn.Write(b)\n}\n" }, { "path": "ingress/origin_icmp_proxy.go", "content": "package ingress\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/netip\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\t\"go.opentelemetry.io/otel/attribute\"\n\t\"go.opentelemetry.io/otel/trace\"\n\t\"golang.org/x/net/icmp\"\n\t\"golang.org/x/net/ipv4\"\n\t\"golang.org/x/net/ipv6\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n)\n\nconst (\n\tmtu = 1500\n\t// icmpRequestTimeoutMs controls how long to wait for a reply\n\ticmpRequestTimeoutMs = 1000\n)\n\nvar (\n\terrPacketNil = fmt.Errorf(\"packet is nil\")\n)\n\n// ICMPRouterServer is a parent interface over-top of ICMPRouter that allows for the operation of the proxy origin listeners.\ntype ICMPRouterServer interface {\n\tICMPRouter\n\t// Serve runs the ICMPRouter proxy origin listeners for any of the IPv4 or IPv6 interfaces configured.\n\tServe(ctx context.Context) error\n}\n\n// ICMPRouter manages out-going ICMP requests towards the origin.\ntype ICMPRouter interface {\n\t// Request will send an ICMP packet towards the origin with an ICMPResponder to attach to the ICMP flow for the\n\t// response to utilize.\n\tRequest(ctx context.Context, pk *packet.ICMP, responder ICMPResponder) error\n\t// ConvertToTTLExceeded will take an ICMP packet and create a ICMP TTL Exceeded response origininating from the\n\t// ICMPRouter's IP interface.\n\tConvertToTTLExceeded(pk *packet.ICMP, rawPacket packet.RawPacket) *packet.ICMP\n}\n\n// ICMPResponder manages how to handle incoming ICMP messages coming from the origin to the edge.\ntype ICMPResponder interface {\n\tConnectionIndex() uint8\n\tReturnPacket(pk *packet.ICMP) error\n\tAddTraceContext(tracedCtx *tracing.TracedContext, serializedIdentity []byte)\n\tRequestSpan(ctx context.Context, pk *packet.ICMP) (context.Context, trace.Span)\n\tReplySpan(ctx context.Context, logger *zerolog.Logger) (context.Context, trace.Span)\n\tExportSpan()\n}\n\ntype icmpRouter struct {\n\tipv4Proxy *icmpProxy\n\tipv4Src netip.Addr\n\tipv6Proxy *icmpProxy\n\tipv6Src netip.Addr\n}\n\n// NewICMPRouter doesn't return an error if either ipv4 proxy or ipv6 proxy can be created. The machine might only\n// support one of them.\n// funnelIdleTimeout controls how long to wait to close a funnel without send/return\nfunc NewICMPRouter(ipv4Addr, ipv6Addr netip.Addr, logger *zerolog.Logger, funnelIdleTimeout time.Duration) (ICMPRouterServer, error) {\n\tipv4Proxy, ipv4Err := newICMPProxy(ipv4Addr, logger, funnelIdleTimeout)\n\tipv6Proxy, ipv6Err := newICMPProxy(ipv6Addr, logger, funnelIdleTimeout)\n\tif ipv4Err != nil && ipv6Err != nil {\n\t\terr := fmt.Errorf(\"cannot create ICMPv4 proxy: %v nor ICMPv6 proxy: %v\", ipv4Err, ipv6Err)\n\t\tlogger.Debug().Err(err).Msg(\"ICMP proxy feature is disabled\")\n\t\treturn nil, err\n\t}\n\tif ipv4Err != nil {\n\t\tlogger.Debug().Err(ipv4Err).Msg(\"failed to create ICMPv4 proxy, only ICMPv6 proxy is created\")\n\t\tipv4Proxy = nil\n\t}\n\tif ipv6Err != nil {\n\t\tlogger.Debug().Err(ipv6Err).Msg(\"failed to create ICMPv6 proxy, only ICMPv4 proxy is created\")\n\t\tipv6Proxy = nil\n\t}\n\treturn &icmpRouter{\n\t\tipv4Proxy: ipv4Proxy,\n\t\tipv4Src: ipv4Addr,\n\t\tipv6Proxy: ipv6Proxy,\n\t\tipv6Src: ipv6Addr,\n\t}, nil\n}\n\nfunc (ir *icmpRouter) Serve(ctx context.Context) error {\n\tif ir.ipv4Proxy != nil && ir.ipv6Proxy != nil {\n\t\terrC := make(chan error, 2)\n\t\tgo func() {\n\t\t\terrC <- ir.ipv4Proxy.Serve(ctx)\n\t\t}()\n\t\tgo func() {\n\t\t\terrC <- ir.ipv6Proxy.Serve(ctx)\n\t\t}()\n\t\treturn <-errC\n\t}\n\tif ir.ipv4Proxy != nil {\n\t\treturn ir.ipv4Proxy.Serve(ctx)\n\t}\n\tif ir.ipv6Proxy != nil {\n\t\treturn ir.ipv6Proxy.Serve(ctx)\n\t}\n\treturn fmt.Errorf(\"ICMPv4 proxy and ICMPv6 proxy are both nil\")\n}\n\nfunc (ir *icmpRouter) Request(ctx context.Context, pk *packet.ICMP, responder ICMPResponder) error {\n\tif pk == nil {\n\t\treturn errPacketNil\n\t}\n\tif pk.Dst.Is4() {\n\t\tif ir.ipv4Proxy != nil {\n\t\t\treturn ir.ipv4Proxy.Request(ctx, pk, responder)\n\t\t}\n\t\treturn fmt.Errorf(\"ICMPv4 proxy was not instantiated\")\n\t}\n\tif ir.ipv6Proxy != nil {\n\t\treturn ir.ipv6Proxy.Request(ctx, pk, responder)\n\t}\n\treturn fmt.Errorf(\"ICMPv6 proxy was not instantiated\")\n}\n\nfunc (ir *icmpRouter) ConvertToTTLExceeded(pk *packet.ICMP, rawPacket packet.RawPacket) *packet.ICMP {\n\tvar srcIP netip.Addr\n\tif pk.Dst.Is4() {\n\t\tsrcIP = ir.ipv4Src\n\t} else {\n\t\tsrcIP = ir.ipv6Src\n\t}\n\treturn packet.NewICMPTTLExceedPacket(pk.IP, rawPacket, srcIP)\n}\n\nfunc getICMPEcho(msg *icmp.Message) (*icmp.Echo, error) {\n\techo, ok := msg.Body.(*icmp.Echo)\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"expect ICMP echo, got %s\", msg.Type)\n\t}\n\treturn echo, nil\n}\n\nfunc isEchoReply(msg *icmp.Message) bool {\n\treturn msg.Type == ipv4.ICMPTypeEchoReply || msg.Type == ipv6.ICMPTypeEchoReply\n}\n\nfunc observeICMPRequest(logger *zerolog.Logger, span trace.Span, src string, dst string, echoID int, seq int) {\n\tincrementICMPRequest()\n\tlogger.Debug().\n\t\tStr(\"src\", src).\n\t\tStr(\"dst\", dst).\n\t\tInt(\"originalEchoID\", echoID).\n\t\tInt(\"originalEchoSeq\", seq).\n\t\tMsg(\"Received ICMP request\")\n\tspan.SetAttributes(\n\t\tattribute.Int(\"originalEchoID\", echoID),\n\t\tattribute.Int(\"seq\", seq),\n\t)\n}\n\nfunc observeICMPReply(logger *zerolog.Logger, span trace.Span, dst string, echoID int, seq int) {\n\tincrementICMPReply()\n\tlogger.Debug().Str(\"dst\", dst).Int(\"echoID\", echoID).Int(\"seq\", seq).Msg(\"Sent ICMP reply to edge\")\n\tspan.SetAttributes(\n\t\tattribute.String(\"dst\", dst),\n\t\tattribute.Int(\"echoID\", echoID),\n\t\tattribute.Int(\"seq\", seq),\n\t)\n}\n" }, { "path": "ingress/origin_icmp_proxy_test.go", "content": "package ingress\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/netip\"\n\t\"strings\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/fortytw2/leaktest\"\n\t\"github.com/google/gopacket/layers\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/icmp\"\n\t\"golang.org/x/net/ipv4\"\n\t\"golang.org/x/net/ipv6\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n\tquicpogs \"github.com/cloudflare/cloudflared/quic\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n)\n\nvar (\n\tnoopLogger = zerolog.Nop()\n\tlocalhostIP = netip.MustParseAddr(\"127.0.0.1\")\n\tlocalhostIPv6 = netip.MustParseAddr(\"::1\")\n\ttestFunnelIdleTimeout = time.Millisecond * 10\n)\n\n// TestICMPProxyEcho makes sure we can send ICMP echo via the Request method and receives response via the\n// ListenResponse method\n//\n// Note: if this test fails on your device under Linux, then most likely you need to make sure that your user\n// is allowed in ping_group_range. See the following gist for how to do that:\n// https://github.com/ValentinBELYN/icmplib/blob/main/docs/6-use-icmplib-without-privileges.md\nfunc TestICMPRouterEcho(t *testing.T) {\n\ttestICMPRouterEcho(t, true)\n\ttestICMPRouterEcho(t, false)\n}\n\nfunc testICMPRouterEcho(t *testing.T, sendIPv4 bool) {\n\tdefer leaktest.Check(t)()\n\n\tconst (\n\t\techoID = 36571\n\t\tendSeq = 20\n\t)\n\n\trouter, err := NewICMPRouter(localhostIP, localhostIPv6, &noopLogger, testFunnelIdleTimeout)\n\trequire.NoError(t, err)\n\n\tproxyDone := make(chan struct{})\n\tctx, cancel := context.WithCancel(context.Background())\n\tgo func() {\n\t\trouter.Serve(ctx)\n\t\tclose(proxyDone)\n\t}()\n\n\tmuxer := newMockMuxer(1)\n\tresponder := newPacketResponder(muxer, 0, packet.NewEncoder())\n\n\tprotocol := layers.IPProtocolICMPv6\n\tif sendIPv4 {\n\t\tprotocol = layers.IPProtocolICMPv4\n\t}\n\tlocalIPs := getLocalIPs(t, sendIPv4)\n\tips := make([]*packet.IP, len(localIPs))\n\tfor i, localIP := range localIPs {\n\t\tips[i] = &packet.IP{\n\t\t\tSrc: localIP,\n\t\t\tDst: localIP,\n\t\t\tProtocol: protocol,\n\t\t\tTTL: packet.DefaultTTL,\n\t\t}\n\t}\n\n\tvar icmpType icmp.Type = ipv6.ICMPTypeEchoRequest\n\tif sendIPv4 {\n\t\ticmpType = ipv4.ICMPTypeEcho\n\t}\n\tfor seq := 0; seq < endSeq; seq++ {\n\t\tfor i, ip := range ips {\n\t\t\tpk := packet.ICMP{\n\t\t\t\tIP: ip,\n\t\t\t\tMessage: &icmp.Message{\n\t\t\t\t\tType: icmpType,\n\t\t\t\t\tCode: 0,\n\t\t\t\t\tBody: &icmp.Echo{\n\t\t\t\t\t\tID: echoID + i,\n\t\t\t\t\t\tSeq: seq,\n\t\t\t\t\t\tData: []byte(fmt.Sprintf(\"icmp echo seq %d\", seq)),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\trequire.NoError(t, router.Request(ctx, &pk, responder))\n\t\t\tvalidateEchoFlow(t, <-muxer.cfdToEdge, &pk)\n\t\t}\n\t}\n\n\t// Make sure funnel cleanup kicks in\n\ttime.Sleep(testFunnelIdleTimeout * 2)\n\tcancel()\n\t<-proxyDone\n}\n\nfunc TestTraceICMPRouterEcho(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\n\ttracingCtx := \"ec31ad8a01fde11fdcabe2efdce36873:52726f6cabc144f5:0:1\"\n\n\trouter, err := NewICMPRouter(localhostIP, localhostIPv6, &noopLogger, testFunnelIdleTimeout)\n\trequire.NoError(t, err)\n\n\tproxyDone := make(chan struct{})\n\tctx, cancel := context.WithCancel(context.Background())\n\tgo func() {\n\t\trouter.Serve(ctx)\n\t\tclose(proxyDone)\n\t}()\n\n\t// Buffer 3 packets, request span, reply span and reply\n\tmuxer := newMockMuxer(3)\n\ttracingIdentity, err := tracing.NewIdentity(tracingCtx)\n\trequire.NoError(t, err)\n\tserializedIdentity, err := tracingIdentity.MarshalBinary()\n\trequire.NoError(t, err)\n\n\tresponder := newPacketResponder(muxer, 0, packet.NewEncoder())\n\tresponder.AddTraceContext(tracing.NewTracedContext(ctx, tracingIdentity.String(), &noopLogger), serializedIdentity)\n\n\techo := &icmp.Echo{\n\t\tID: 12910,\n\t\tSeq: 182,\n\t\tData: []byte(t.Name()),\n\t}\n\tpk := packet.ICMP{\n\t\tIP: &packet.IP{\n\t\t\tSrc: localhostIP,\n\t\t\tDst: localhostIP,\n\t\t\tProtocol: layers.IPProtocolICMPv4,\n\t\t\tTTL: packet.DefaultTTL,\n\t\t},\n\t\tMessage: &icmp.Message{\n\t\t\tType: ipv4.ICMPTypeEcho,\n\t\t\tCode: 0,\n\t\t\tBody: echo,\n\t\t},\n\t}\n\n\trequire.NoError(t, router.Request(ctx, &pk, responder))\n\tfirstPK := <-muxer.cfdToEdge\n\tvar requestSpan *quicpogs.TracingSpanPacket\n\t// The order of receiving reply or request span is not deterministic\n\tswitch firstPK.Type() {\n\tcase quicpogs.DatagramTypeIP:\n\t\t// reply packet\n\t\tvalidateEchoFlow(t, firstPK, &pk)\n\tcase quicpogs.DatagramTypeTracingSpan:\n\t\t// Request span\n\t\trequestSpan = firstPK.(*quicpogs.TracingSpanPacket)\n\t\trequire.NotEmpty(t, requestSpan.Spans)\n\t\trequire.True(t, bytes.Equal(serializedIdentity, requestSpan.TracingIdentity))\n\tdefault:\n\t\tpanic(fmt.Sprintf(\"received unexpected packet type %d\", firstPK.Type()))\n\t}\n\n\tsecondPK := <-muxer.cfdToEdge\n\tif requestSpan != nil {\n\t\t// If first packet is request span, second packet should be the reply\n\t\tvalidateEchoFlow(t, secondPK, &pk)\n\t} else {\n\t\trequestSpan = secondPK.(*quicpogs.TracingSpanPacket)\n\t\trequire.NotEmpty(t, requestSpan.Spans)\n\t\trequire.True(t, bytes.Equal(serializedIdentity, requestSpan.TracingIdentity))\n\t}\n\n\t// Reply span\n\tthirdPacket := <-muxer.cfdToEdge\n\treplySpan, ok := thirdPacket.(*quicpogs.TracingSpanPacket)\n\trequire.True(t, ok)\n\trequire.NotEmpty(t, replySpan.Spans)\n\trequire.True(t, bytes.Equal(serializedIdentity, replySpan.TracingIdentity))\n\trequire.False(t, bytes.Equal(requestSpan.Spans, replySpan.Spans))\n\n\techo.Seq++\n\tpk.Body = echo\n\t// Only first request for a flow is traced. The edge will not send tracing context for the second request\n\tnewResponder := newPacketResponder(muxer, 0, packet.NewEncoder())\n\trequire.NoError(t, router.Request(ctx, &pk, newResponder))\n\tvalidateEchoFlow(t, <-muxer.cfdToEdge, &pk)\n\n\tselect {\n\tcase receivedPacket := <-muxer.cfdToEdge:\n\t\tpanic(fmt.Sprintf(\"Receive unexpected packet %+v\", receivedPacket))\n\tdefault:\n\t}\n\n\ttime.Sleep(testFunnelIdleTimeout * 2)\n\tcancel()\n\t<-proxyDone\n}\n\n// TestConcurrentRequests makes sure icmpRouter can send concurrent requests to the same destination with different\n// echo ID. This simulates concurrent ping to the same destination.\nfunc TestConcurrentRequestsToSameDst(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\n\tconst (\n\t\tconcurrentPings = 5\n\t\tendSeq = 5\n\t)\n\n\trouter, err := NewICMPRouter(localhostIP, localhostIPv6, &noopLogger, testFunnelIdleTimeout)\n\trequire.NoError(t, err)\n\n\tproxyDone := make(chan struct{})\n\tctx, cancel := context.WithCancel(context.Background())\n\tgo func() {\n\t\trouter.Serve(ctx)\n\t\tclose(proxyDone)\n\t}()\n\n\tvar wg sync.WaitGroup\n\t// icmpv4 and icmpv6 each has concurrentPings\n\twg.Add(concurrentPings * 2)\n\tfor i := 0; i < concurrentPings; i++ {\n\t\techoID := 38451 + i\n\t\tgo func() {\n\t\t\tdefer wg.Done()\n\n\t\t\tmuxer := newMockMuxer(1)\n\t\t\tresponder := newPacketResponder(muxer, 0, packet.NewEncoder())\n\t\t\tfor seq := 0; seq < endSeq; seq++ {\n\t\t\t\tpk := &packet.ICMP{\n\t\t\t\t\tIP: &packet.IP{\n\t\t\t\t\t\tSrc: localhostIP,\n\t\t\t\t\t\tDst: localhostIP,\n\t\t\t\t\t\tProtocol: layers.IPProtocolICMPv4,\n\t\t\t\t\t\tTTL: packet.DefaultTTL,\n\t\t\t\t\t},\n\t\t\t\t\tMessage: &icmp.Message{\n\t\t\t\t\t\tType: ipv4.ICMPTypeEcho,\n\t\t\t\t\t\tCode: 0,\n\t\t\t\t\t\tBody: &icmp.Echo{\n\t\t\t\t\t\t\tID: echoID,\n\t\t\t\t\t\t\tSeq: seq,\n\t\t\t\t\t\t\tData: []byte(fmt.Sprintf(\"icmpv4 echo id %d, seq %d\", echoID, seq)),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t\trequire.NoError(t, router.Request(ctx, pk, responder))\n\t\t\t\tvalidateEchoFlow(t, <-muxer.cfdToEdge, pk)\n\t\t\t}\n\t\t}()\n\t\tgo func() {\n\t\t\tdefer wg.Done()\n\t\t\tmuxer := newMockMuxer(1)\n\t\t\tresponder := newPacketResponder(muxer, 0, packet.NewEncoder())\n\t\t\tfor seq := 0; seq < endSeq; seq++ {\n\t\t\t\tpk := &packet.ICMP{\n\t\t\t\t\tIP: &packet.IP{\n\t\t\t\t\t\tSrc: localhostIPv6,\n\t\t\t\t\t\tDst: localhostIPv6,\n\t\t\t\t\t\tProtocol: layers.IPProtocolICMPv6,\n\t\t\t\t\t\tTTL: packet.DefaultTTL,\n\t\t\t\t\t},\n\t\t\t\t\tMessage: &icmp.Message{\n\t\t\t\t\t\tType: ipv6.ICMPTypeEchoRequest,\n\t\t\t\t\t\tCode: 0,\n\t\t\t\t\t\tBody: &icmp.Echo{\n\t\t\t\t\t\t\tID: echoID,\n\t\t\t\t\t\t\tSeq: seq,\n\t\t\t\t\t\t\tData: []byte(fmt.Sprintf(\"icmpv6 echo id %d, seq %d\", echoID, seq)),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t\trequire.NoError(t, router.Request(ctx, pk, responder))\n\t\t\t\tvalidateEchoFlow(t, <-muxer.cfdToEdge, pk)\n\t\t\t}\n\t\t}()\n\t}\n\twg.Wait()\n\n\ttime.Sleep(testFunnelIdleTimeout * 2)\n\tcancel()\n\t<-proxyDone\n}\n\n// TestICMPProxyRejectNotEcho makes sure it rejects messages other than echo\nfunc TestICMPRouterRejectNotEcho(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\n\tmsgs := []icmp.Message{\n\t\t{\n\t\t\tType: ipv4.ICMPTypeDestinationUnreachable,\n\t\t\tCode: 1,\n\t\t\tBody: &icmp.DstUnreach{\n\t\t\t\tData: []byte(\"original packet\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tType: ipv4.ICMPTypeTimeExceeded,\n\t\t\tCode: 1,\n\t\t\tBody: &icmp.TimeExceeded{\n\t\t\t\tData: []byte(\"original packet\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tType: ipv4.ICMPType(2),\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.PacketTooBig{\n\t\t\t\tMTU: 1280,\n\t\t\t\tData: []byte(\"original packet\"),\n\t\t\t},\n\t\t},\n\t}\n\ttestICMPRouterRejectNotEcho(t, localhostIP, msgs)\n\tmsgsV6 := []icmp.Message{\n\t\t{\n\t\t\tType: ipv6.ICMPTypeDestinationUnreachable,\n\t\t\tCode: 3,\n\t\t\tBody: &icmp.DstUnreach{\n\t\t\t\tData: []byte(\"original packet\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tType: ipv6.ICMPTypeTimeExceeded,\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.TimeExceeded{\n\t\t\t\tData: []byte(\"original packet\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tType: ipv6.ICMPTypePacketTooBig,\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.PacketTooBig{\n\t\t\t\tMTU: 1280,\n\t\t\t\tData: []byte(\"original packet\"),\n\t\t\t},\n\t\t},\n\t}\n\ttestICMPRouterRejectNotEcho(t, localhostIPv6, msgsV6)\n}\n\nfunc testICMPRouterRejectNotEcho(t *testing.T, srcDstIP netip.Addr, msgs []icmp.Message) {\n\trouter, err := NewICMPRouter(localhostIP, localhostIPv6, &noopLogger, testFunnelIdleTimeout)\n\trequire.NoError(t, err)\n\n\tmuxer := newMockMuxer(1)\n\tresponder := newPacketResponder(muxer, 0, packet.NewEncoder())\n\tprotocol := layers.IPProtocolICMPv4\n\tif srcDstIP.Is6() {\n\t\tprotocol = layers.IPProtocolICMPv6\n\t}\n\tfor _, m := range msgs {\n\t\tpk := packet.ICMP{\n\t\t\tIP: &packet.IP{\n\t\t\t\tSrc: srcDstIP,\n\t\t\t\tDst: srcDstIP,\n\t\t\t\tProtocol: protocol,\n\t\t\t\tTTL: packet.DefaultTTL,\n\t\t\t},\n\t\t\tMessage: &m,\n\t\t}\n\t\trequire.Error(t, router.Request(context.Background(), &pk, responder))\n\t}\n}\n\nfunc validateEchoFlow(t *testing.T, pk quicpogs.Packet, echoReq *packet.ICMP) {\n\tdecoder := packet.NewICMPDecoder()\n\tdecoded, err := decoder.Decode(packet.RawPacket{Data: pk.Payload()})\n\trequire.NoError(t, err, pk)\n\trequire.Equal(t, decoded.Src, echoReq.Dst)\n\trequire.Equal(t, decoded.Dst, echoReq.Src)\n\trequire.Equal(t, echoReq.Protocol, decoded.Protocol)\n\n\tif echoReq.Type == ipv4.ICMPTypeEcho {\n\t\trequire.Equal(t, ipv4.ICMPTypeEchoReply, decoded.Type)\n\t} else {\n\t\trequire.Equal(t, ipv6.ICMPTypeEchoReply, decoded.Type)\n\t}\n\trequire.Equal(t, 0, decoded.Code)\n\trequire.NotZero(t, decoded.Checksum)\n\n\trequire.Equal(t, echoReq.Body, decoded.Body)\n}\n\nfunc getLocalIPs(t *testing.T, ipv4 bool) []netip.Addr {\n\tinterfaces, err := net.Interfaces()\n\trequire.NoError(t, err)\n\tlocalIPs := []netip.Addr{}\n\tfor _, i := range interfaces {\n\t\t// Skip TUN devices, and Docker Networks\n\t\tif strings.Contains(i.Name, \"tun\") || strings.Contains(i.Name, \"docker\") || strings.HasPrefix(i.Name, \"br-\") {\n\t\t\tcontinue\n\t\t}\n\t\taddrs, err := i.Addrs()\n\t\trequire.NoError(t, err)\n\t\tfor _, addr := range addrs {\n\t\t\tif ipnet, ok := addr.(*net.IPNet); ok && (ipnet.IP.IsPrivate() || ipnet.IP.IsLoopback()) {\n\t\t\t\t// TODO DEVTOOLS-12514: We only run the IPv6 against the loopback interface due to issues on the CI runners.\n\t\t\t\tif (ipv4 && ipnet.IP.To4() != nil) || (!ipv4 && ipnet.IP.To4() == nil && ipnet.IP.IsLoopback()) {\n\t\t\t\t\tlocalIPs = append(localIPs, netip.MustParseAddr(ipnet.IP.String()))\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn localIPs\n}\n" }, { "path": "ingress/origin_proxy.go", "content": "package ingress\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\n\t\"github.com/rs/zerolog\"\n)\n\n// HTTPOriginProxy can be implemented by origin services that want to proxy http requests.\ntype HTTPOriginProxy interface {\n\t// RoundTripper is how cloudflared proxies eyeball requests to the actual origin services\n\thttp.RoundTripper\n}\n\n// StreamBasedOriginProxy can be implemented by origin services that want to proxy ws/TCP.\ntype StreamBasedOriginProxy interface {\n\tEstablishConnection(ctx context.Context, dest string, log *zerolog.Logger) (OriginConnection, error)\n}\n\n// HTTPLocalProxy can be implemented by cloudflared services that want to handle incoming http requests.\ntype HTTPLocalProxy interface {\n\t// Handler is how cloudflared proxies eyeball requests to the local cloudflared services\n\thttp.Handler\n}\n\nfunc (o *unixSocketPath) RoundTrip(req *http.Request) (*http.Response, error) {\n\treq.URL.Scheme = o.scheme\n\treturn o.transport.RoundTrip(req)\n}\n\nfunc (o *httpService) RoundTrip(req *http.Request) (*http.Response, error) {\n\t// Rewrite the request URL so that it goes to the origin service.\n\treq.URL.Host = o.url.Host\n\tswitch o.url.Scheme {\n\tcase \"ws\":\n\t\treq.URL.Scheme = \"http\"\n\tcase \"wss\":\n\t\treq.URL.Scheme = \"https\"\n\tdefault:\n\t\treq.URL.Scheme = o.url.Scheme\n\t}\n\n\tif o.hostHeader != \"\" {\n\t\t// For incoming requests, the Host header is promoted to the Request.Host field and removed from the Header map.\n\t\t// Pass the original Host header as X-Forwarded-Host.\n\t\treq.Header.Set(\"X-Forwarded-Host\", req.Host)\n\t\treq.Host = o.hostHeader\n\t}\n\n\tif o.matchSNIToHost {\n\t\to.SetOriginServerName(req)\n\t}\n\n\treturn o.transport.RoundTrip(req)\n}\n\nfunc (o *httpService) SetOriginServerName(req *http.Request) {\n\to.transport.DialTLSContext = func(ctx context.Context, network, addr string) (net.Conn, error) {\n\t\tconn, err := o.transport.DialContext(ctx, network, addr)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\treturn tls.Client(conn, &tls.Config{\n\t\t\tRootCAs: o.transport.TLSClientConfig.RootCAs,\n\t\t\tInsecureSkipVerify: o.transport.TLSClientConfig.InsecureSkipVerify, // nolint: gosec\n\t\t\tServerName: req.Host,\n\t\t}), nil\n\t}\n}\n\nfunc (o *statusCode) RoundTrip(_ *http.Request) (*http.Response, error) {\n\tif o.defaultResp {\n\t\to.log.Warn().Msg(ErrNoIngressRulesCLI.Error())\n\t}\n\tresp := &http.Response{\n\t\tStatusCode: o.code,\n\t\tStatus: fmt.Sprintf(\"%d %s\", o.code, http.StatusText(o.code)),\n\t\tBody: new(NopReadCloser),\n\t}\n\n\treturn resp, nil\n}\n\nfunc (o *rawTCPService) EstablishConnection(ctx context.Context, dest string, logger *zerolog.Logger) (OriginConnection, error) {\n\tconn, err := o.dialer.DialContext(ctx, \"tcp\", dest)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\toriginConn := &tcpConnection{\n\t\tConn: conn,\n\t\twriteTimeout: o.writeTimeout,\n\t\tlogger: logger,\n\t}\n\treturn originConn, nil\n}\n\nfunc (o *tcpOverWSService) EstablishConnection(ctx context.Context, dest string, _ *zerolog.Logger) (OriginConnection, error) {\n\tvar err error\n\tif !o.isBastion {\n\t\tdest = o.dest\n\t}\n\n\tconn, err := o.dialer.DialContext(ctx, \"tcp\", dest)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\toriginConn := &tcpOverWSConnection{\n\t\tconn: conn,\n\t\tstreamHandler: o.streamHandler,\n\t}\n\treturn originConn, nil\n}\n\nfunc (o *socksProxyOverWSService) EstablishConnection(_ context.Context, _ string, _ *zerolog.Logger) (OriginConnection, error) {\n\treturn o.conn, nil\n}\n" }, { "path": "ingress/origin_proxy_test.go", "content": "package ingress\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/carrier\"\n\t\"github.com/cloudflare/cloudflared/websocket\"\n)\n\nfunc TestRawTCPServiceEstablishConnection(t *testing.T) {\n\toriginListener, err := net.Listen(\"tcp\", \"127.0.0.1:0\")\n\trequire.NoError(t, err)\n\n\tlistenerClosed := make(chan struct{})\n\ttcpListenRoutine(originListener, listenerClosed)\n\n\trawTCPService := &rawTCPService{name: ServiceWarpRouting}\n\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"http://%s\", originListener.Addr()), nil)\n\trequire.NoError(t, err)\n\n\toriginListener.Close()\n\t<-listenerClosed\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"http://%s\", originListener.Addr()), nil)\n\trequire.NoError(t, err)\n\n\t// Origin not listening for new connection, should return an error\n\t_, err = rawTCPService.EstablishConnection(context.Background(), req.URL.String(), TestLogger)\n\trequire.Error(t, err)\n}\n\nfunc TestTCPOverWSServiceEstablishConnection(t *testing.T) {\n\toriginListener, err := net.Listen(\"tcp\", \"127.0.0.1:0\")\n\trequire.NoError(t, err)\n\n\tlistenerClosed := make(chan struct{})\n\ttcpListenRoutine(originListener, listenerClosed)\n\n\toriginURL := &url.URL{\n\t\tScheme: \"tcp\",\n\t\tHost: originListener.Addr().String(),\n\t}\n\n\tbaseReq, err := http.NewRequest(http.MethodGet, \"https://place-holder\", nil)\n\trequire.NoError(t, err)\n\tbaseReq.Header.Set(\"Sec-Websocket-Key\", \"dGhlIHNhbXBsZSBub25jZQ==\")\n\n\tbastionReq := baseReq.Clone(context.Background())\n\tcarrier.SetBastionDest(bastionReq.Header, originListener.Addr().String())\n\n\ttests := []struct {\n\t\ttestCase string\n\t\tservice *tcpOverWSService\n\t\treq *http.Request\n\t\texpectErr bool\n\t}{\n\t\t{\n\t\t\ttestCase: \"specific TCP service\",\n\t\t\tservice: newTCPOverWSService(originURL),\n\t\t\treq: baseReq,\n\t\t},\n\t\t{\n\t\t\ttestCase: \"bastion service\",\n\t\t\tservice: newBastionService(),\n\t\t\treq: bastionReq,\n\t\t},\n\t\t{\n\t\t\ttestCase: \"invalid bastion request\",\n\t\t\tservice: newBastionService(),\n\t\t\treq: baseReq,\n\t\t\texpectErr: true,\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.testCase, func(t *testing.T) {\n\t\t\tif test.expectErr {\n\t\t\t\tbastionHost, _ := carrier.ResolveBastionDest(test.req)\n\t\t\t\t_, err := test.service.EstablishConnection(context.Background(), bastionHost, TestLogger)\n\t\t\t\tassert.Error(t, err)\n\t\t\t}\n\t\t})\n\t}\n\n\toriginListener.Close()\n\t<-listenerClosed\n\n\tfor _, service := range []*tcpOverWSService{newTCPOverWSService(originURL), newBastionService()} {\n\t\t// Origin not listening for new connection, should return an error\n\t\tbastionHost, _ := carrier.ResolveBastionDest(bastionReq)\n\t\t_, err := service.EstablishConnection(context.Background(), bastionHost, TestLogger)\n\t\tassert.Error(t, err)\n\t}\n}\n\nfunc TestHTTPServiceHostHeaderOverride(t *testing.T) {\n\tcfg := OriginRequestConfig{\n\t\tHTTPHostHeader: t.Name(),\n\t}\n\thandler := func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, r.Host, t.Name())\n\t\tif websocket.IsWebSocketUpgrade(r) {\n\t\t\trespHeaders := websocket.NewResponseHeader(r)\n\t\t\tfor k, v := range respHeaders {\n\t\t\t\tw.Header().Set(k, v[0])\n\t\t\t}\n\t\t\tw.WriteHeader(http.StatusSwitchingProtocols)\n\t\t\treturn\n\t\t}\n\t\t// return the X-Forwarded-Host header for assertions\n\t\t// as the httptest Server URL isn't available here yet\n\t\tw.Write([]byte(r.Header.Get(\"X-Forwarded-Host\")))\n\t}\n\torigin := httptest.NewServer(http.HandlerFunc(handler))\n\tdefer origin.Close()\n\n\toriginURL, err := url.Parse(origin.URL)\n\trequire.NoError(t, err)\n\n\thttpService := &httpService{\n\t\turl: originURL,\n\t}\n\tshutdownC := make(chan struct{})\n\trequire.NoError(t, httpService.start(TestLogger, shutdownC, cfg))\n\n\treq, err := http.NewRequest(http.MethodGet, originURL.String(), nil)\n\trequire.NoError(t, err)\n\n\tresp, err := httpService.RoundTrip(req)\n\trequire.NoError(t, err)\n\trequire.Equal(t, http.StatusOK, resp.StatusCode)\n\n\trespBody, err := io.ReadAll(resp.Body)\n\trequire.NoError(t, err)\n\trequire.Equal(t, respBody, []byte(originURL.Host))\n}\n\n// TestHTTPServiceUsesIngressRuleScheme makes sure httpService uses scheme defined in ingress rule and not by eyeball request\nfunc TestHTTPServiceUsesIngressRuleScheme(t *testing.T) {\n\thandler := func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.NotNil(t, r.TLS)\n\t\t// Echo the X-Forwarded-Proto header for assertions\n\t\tw.Write([]byte(r.Header.Get(\"X-Forwarded-Proto\")))\n\t}\n\torigin := httptest.NewTLSServer(http.HandlerFunc(handler))\n\tdefer origin.Close()\n\n\toriginURL, err := url.Parse(origin.URL)\n\trequire.NoError(t, err)\n\trequire.Equal(t, \"https\", originURL.Scheme)\n\n\tcfg := OriginRequestConfig{\n\t\tNoTLSVerify: true,\n\t}\n\thttpService := &httpService{\n\t\turl: originURL,\n\t}\n\tshutdownC := make(chan struct{})\n\trequire.NoError(t, httpService.start(TestLogger, shutdownC, cfg))\n\n\t// Tunnel uses scheme defined in the service field of the ingress rule, independent of the X-Forwarded-Proto header\n\tprotos := []string{\"https\", \"http\", \"dne\"}\n\tfor _, p := range protos {\n\t\treq, err := http.NewRequest(http.MethodGet, originURL.String(), nil)\n\t\trequire.NoError(t, err)\n\t\treq.Header.Add(\"X-Forwarded-Proto\", p)\n\n\t\tresp, err := httpService.RoundTrip(req)\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, http.StatusOK, resp.StatusCode)\n\n\t\trespBody, err := io.ReadAll(resp.Body)\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, respBody, []byte(p))\n\t}\n}\n\nfunc tcpListenRoutine(listener net.Listener, closeChan chan struct{}) {\n\tgo func() {\n\t\tfor {\n\t\t\tconn, err := listener.Accept()\n\t\t\tif err != nil {\n\t\t\t\tclose(closeChan)\n\t\t\t\treturn\n\t\t\t}\n\t\t\t// Close immediately, this test is not about testing read/write on connection\n\t\t\tconn.Close()\n\t\t}\n\t}()\n}\n" }, { "path": "ingress/origin_service.go", "content": "package ingress\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/hello\"\n\t\"github.com/cloudflare/cloudflared/ipaccess\"\n\t\"github.com/cloudflare/cloudflared/management\"\n\t\"github.com/cloudflare/cloudflared/socks\"\n\t\"github.com/cloudflare/cloudflared/tlsconfig\"\n)\n\nconst (\n\tHelloWorldService = \"hello_world\"\n\tHelloWorldFlag = \"hello-world\"\n\tHttpStatusService = \"http_status\"\n)\n\n// OriginService is something a tunnel can proxy traffic to.\ntype OriginService interface {\n\tString() string\n\t// Start the origin service if it's managed by cloudflared, e.g. proxy servers or Hello World.\n\t// If it's not managed by cloudflared, this is a no-op because the user is responsible for\n\t// starting the origin service.\n\t// Implementor of services managed by cloudflared should terminate the service if shutdownC is closed\n\tstart(log *zerolog.Logger, shutdownC <-chan struct{}, cfg OriginRequestConfig) error\n\tMarshalJSON() ([]byte, error)\n}\n\n// unixSocketPath is an OriginService representing a unix socket (which accepts HTTP or HTTPS)\ntype unixSocketPath struct {\n\tpath string\n\tscheme string\n\ttransport *http.Transport\n}\n\nfunc (o *unixSocketPath) String() string {\n\tscheme := \"\"\n\tif o.scheme == \"https\" {\n\t\tscheme = \"+tls\"\n\t}\n\treturn fmt.Sprintf(\"unix%s:%s\", scheme, o.path)\n}\n\nfunc (o *unixSocketPath) start(log *zerolog.Logger, _ <-chan struct{}, cfg OriginRequestConfig) error {\n\ttransport, err := newHTTPTransport(o, cfg, log)\n\tif err != nil {\n\t\treturn err\n\t}\n\to.transport = transport\n\treturn nil\n}\n\nfunc (o unixSocketPath) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(o.String())\n}\n\ntype httpService struct {\n\turl *url.URL\n\thostHeader string\n\ttransport *http.Transport\n\tmatchSNIToHost bool\n}\n\nfunc (o *httpService) start(log *zerolog.Logger, _ <-chan struct{}, cfg OriginRequestConfig) error {\n\ttransport, err := newHTTPTransport(o, cfg, log)\n\tif err != nil {\n\t\treturn err\n\t}\n\to.hostHeader = cfg.HTTPHostHeader\n\to.transport = transport\n\to.matchSNIToHost = cfg.MatchSNIToHost\n\treturn nil\n}\n\nfunc (o *httpService) String() string {\n\treturn o.url.String()\n}\n\nfunc (o httpService) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(o.String())\n}\n\n// rawTCPService dials TCP to the destination specified by the client\n// It's used by warp routing\ntype rawTCPService struct {\n\tname string\n\tdialer net.Dialer\n\twriteTimeout time.Duration\n\tlogger *zerolog.Logger\n}\n\nfunc (o *rawTCPService) String() string {\n\treturn o.name\n}\n\nfunc (o *rawTCPService) start(_ *zerolog.Logger, _ <-chan struct{}, _ OriginRequestConfig) error {\n\treturn nil\n}\n\nfunc (o rawTCPService) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(o.String())\n}\n\n// tcpOverWSService models TCP origins serving eyeballs connecting over websocket, such as\n// cloudflared access commands.\ntype tcpOverWSService struct {\n\tscheme string\n\tdest string\n\tisBastion bool\n\tstreamHandler streamHandlerFunc\n\tdialer net.Dialer\n}\n\ntype socksProxyOverWSService struct {\n\tconn *socksProxyOverWSConnection\n}\n\nfunc newTCPOverWSService(url *url.URL) *tcpOverWSService {\n\tswitch url.Scheme {\n\tcase \"ssh\":\n\t\taddPortIfMissing(url, 22)\n\tcase \"rdp\":\n\t\taddPortIfMissing(url, 3389)\n\tcase \"smb\":\n\t\taddPortIfMissing(url, 445)\n\tcase \"tcp\":\n\t\taddPortIfMissing(url, 7864) // just a random port since there isn't a default in this case\n\t}\n\treturn &tcpOverWSService{\n\t\tscheme: url.Scheme,\n\t\tdest: url.Host,\n\t}\n}\n\nfunc newBastionService() *tcpOverWSService {\n\treturn &tcpOverWSService{\n\t\tisBastion: true,\n\t}\n}\n\nfunc newSocksProxyOverWSService(accessPolicy *ipaccess.Policy) *socksProxyOverWSService {\n\tproxy := socksProxyOverWSService{\n\t\tconn: &socksProxyOverWSConnection{\n\t\t\taccessPolicy: accessPolicy,\n\t\t},\n\t}\n\n\treturn &proxy\n}\n\nfunc addPortIfMissing(uri *url.URL, port int) {\n\thostname := uri.Hostname()\n\n\tif uri.Port() == \"\" {\n\t\turi.Host = net.JoinHostPort(hostname, strconv.FormatInt(int64(port), 10))\n\t}\n}\n\nfunc (o *tcpOverWSService) String() string {\n\tif o.isBastion {\n\t\treturn ServiceBastion\n\t}\n\n\tif o.scheme != \"\" {\n\t\treturn fmt.Sprintf(\"%s://%s\", o.scheme, o.dest)\n\t} else {\n\t\treturn o.dest\n\t}\n}\n\nfunc (o *tcpOverWSService) start(log *zerolog.Logger, _ <-chan struct{}, cfg OriginRequestConfig) error {\n\tif cfg.ProxyType == socksProxy {\n\t\to.streamHandler = socks.StreamHandler\n\t} else {\n\t\to.streamHandler = DefaultStreamHandler\n\t}\n\to.dialer.Timeout = cfg.ConnectTimeout.Duration\n\to.dialer.KeepAlive = cfg.TCPKeepAlive.Duration\n\treturn nil\n}\n\nfunc (o tcpOverWSService) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(o.String())\n}\n\nfunc (o *socksProxyOverWSService) start(log *zerolog.Logger, _ <-chan struct{}, cfg OriginRequestConfig) error {\n\treturn nil\n}\n\nfunc (o *socksProxyOverWSService) String() string {\n\treturn ServiceSocksProxy\n}\n\nfunc (o socksProxyOverWSService) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(o.String())\n}\n\n// HelloWorld is an OriginService for the built-in Hello World server.\n// Users only use this for testing and experimenting with cloudflared.\ntype helloWorld struct {\n\thttpService\n\tserver net.Listener\n}\n\nfunc (o *helloWorld) String() string {\n\treturn HelloWorldService\n}\n\n// Start starts a HelloWorld server and stores its address in the Service receiver.\nfunc (o *helloWorld) start(\n\tlog *zerolog.Logger,\n\tshutdownC <-chan struct{},\n\tcfg OriginRequestConfig,\n) error {\n\tif err := o.httpService.start(log, shutdownC, cfg); err != nil {\n\t\treturn err\n\t}\n\n\thelloListener, err := hello.CreateTLSListener(\"127.0.0.1:\")\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Cannot start Hello World Server\")\n\t}\n\tgo hello.StartHelloWorldServer(log, helloListener, shutdownC)\n\to.server = helloListener\n\n\to.httpService.url = &url.URL{\n\t\tScheme: \"https\",\n\t\tHost: o.server.Addr().String(),\n\t}\n\n\treturn nil\n}\n\nfunc (o helloWorld) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(o.String())\n}\n\n// statusCode is an OriginService that just responds with a given HTTP status.\n// Typical use-case is \"user wants the catch-all rule to just respond 404\".\ntype statusCode struct {\n\tcode int\n\n\t// Set only when the user has not defined any ingress rules\n\tdefaultResp bool\n\tlog *zerolog.Logger\n}\n\nfunc newStatusCode(status int) statusCode {\n\treturn statusCode{code: status}\n}\n\n// default status code (503) that is returned for requests to cloudflared that don't have any ingress rules setup\nfunc newDefaultStatusCode(log *zerolog.Logger) statusCode {\n\treturn statusCode{code: 503, defaultResp: true, log: log}\n}\n\nfunc (o *statusCode) String() string {\n\treturn fmt.Sprintf(\"http_status:%d\", o.code)\n}\n\nfunc (o *statusCode) start(\n\tlog *zerolog.Logger,\n\t_ <-chan struct{},\n\tcfg OriginRequestConfig,\n) error {\n\treturn nil\n}\n\nfunc (o statusCode) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(o.String())\n}\n\n// WarpRoutingService starts a tcp stream between the origin and requests from\n// warp clients.\ntype WarpRoutingService struct {\n\tProxy StreamBasedOriginProxy\n}\n\nfunc NewWarpRoutingService(config WarpRoutingConfig, writeTimeout time.Duration) *WarpRoutingService {\n\tsvc := &rawTCPService{\n\t\tname: ServiceWarpRouting,\n\t\tdialer: net.Dialer{\n\t\t\tTimeout: config.ConnectTimeout.Duration,\n\t\t\tKeepAlive: config.TCPKeepAlive.Duration,\n\t\t},\n\t\twriteTimeout: writeTimeout,\n\t}\n\n\treturn &WarpRoutingService{Proxy: svc}\n}\n\n// ManagementService starts a local HTTP server to handle incoming management requests.\ntype ManagementService struct {\n\tHTTPLocalProxy\n}\n\nfunc newManagementService(managementProxy HTTPLocalProxy) *ManagementService {\n\treturn &ManagementService{\n\t\tHTTPLocalProxy: managementProxy,\n\t}\n}\n\nfunc (o *ManagementService) start(log *zerolog.Logger, _ <-chan struct{}, cfg OriginRequestConfig) error {\n\treturn nil\n}\n\nfunc (o *ManagementService) String() string {\n\treturn \"management\"\n}\n\nfunc (o ManagementService) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(o.String())\n}\n\nfunc NewManagementRule(management *management.ManagementService) Rule {\n\treturn Rule{\n\t\tHostname: management.Hostname,\n\t\tService: newManagementService(management),\n\t}\n}\n\ntype NopReadCloser struct{}\n\n// Read always returns EOF to signal end of input\nfunc (nrc *NopReadCloser) Read(buf []byte) (int, error) {\n\treturn 0, io.EOF\n}\n\nfunc (nrc *NopReadCloser) Close() error {\n\treturn nil\n}\n\nfunc newHTTPTransport(service OriginService, cfg OriginRequestConfig, log *zerolog.Logger) (*http.Transport, error) {\n\toriginCertPool, err := tlsconfig.LoadOriginCA(cfg.CAPool, log)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"Error loading cert pool\")\n\t}\n\n\thttpTransport := http.Transport{\n\t\tProxy: http.ProxyFromEnvironment,\n\t\tMaxIdleConns: cfg.KeepAliveConnections,\n\t\tMaxIdleConnsPerHost: cfg.KeepAliveConnections,\n\t\tIdleConnTimeout: cfg.KeepAliveTimeout.Duration,\n\t\tTLSHandshakeTimeout: cfg.TLSTimeout.Duration,\n\t\tExpectContinueTimeout: 1 * time.Second,\n\t\tTLSClientConfig: &tls.Config{RootCAs: originCertPool, InsecureSkipVerify: cfg.NoTLSVerify},\n\t\tForceAttemptHTTP2: cfg.Http2Origin,\n\t}\n\tif _, isHelloWorld := service.(*helloWorld); !isHelloWorld && cfg.OriginServerName != \"\" {\n\t\thttpTransport.TLSClientConfig.ServerName = cfg.OriginServerName\n\t}\n\n\tdialer := &net.Dialer{\n\t\tTimeout: cfg.ConnectTimeout.Duration,\n\t\tKeepAlive: cfg.TCPKeepAlive.Duration,\n\t}\n\tif cfg.NoHappyEyeballs {\n\t\tdialer.FallbackDelay = -1 // As of Golang 1.12, a negative delay disables \"happy eyeballs\"\n\t}\n\n\t// DialContext depends on which kind of origin is being used.\n\tdialContext := dialer.DialContext\n\tswitch service := service.(type) {\n\n\t// If this origin is a unix socket, enforce network type \"unix\".\n\tcase *unixSocketPath:\n\t\thttpTransport.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {\n\t\t\treturn dialContext(ctx, \"unix\", service.path)\n\t\t}\n\n\t// Otherwise, use the regular network config.\n\tdefault:\n\t\thttpTransport.DialContext = dialContext\n\t}\n\n\treturn &httpTransport, nil\n}\n\n// MockOriginHTTPService should only be used by other packages to mock OriginService. Set Transport to configure desired RoundTripper behavior.\ntype MockOriginHTTPService struct {\n\tTransport http.RoundTripper\n}\n\nfunc (mos MockOriginHTTPService) RoundTrip(req *http.Request) (*http.Response, error) {\n\treturn mos.Transport.RoundTrip(req)\n}\n\nfunc (mos MockOriginHTTPService) String() string {\n\treturn \"MockOriginService\"\n}\n\nfunc (mos MockOriginHTTPService) start(log *zerolog.Logger, _ <-chan struct{}, cfg OriginRequestConfig) error {\n\treturn nil\n}\n\nfunc (mos MockOriginHTTPService) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(mos.String())\n}\n" }, { "path": "ingress/origin_service_test.go", "content": "package ingress\n\nimport (\n\t\"net/url\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestAddPortIfMissing(t *testing.T) {\n\ttestCases := []struct {\n\t\tinput string\n\t\texpected string\n\t}{\n\t\t{\"ssh://[::1]\", \"[::1]:22\"},\n\t\t{\"ssh://[::1]:38\", \"[::1]:38\"},\n\t\t{\"ssh://abc:38\", \"abc:38\"},\n\t\t{\"ssh://127.0.0.1:38\", \"127.0.0.1:38\"},\n\t\t{\"ssh://127.0.0.1\", \"127.0.0.1:22\"},\n\t}\n\n\tfor _, tc := range testCases {\n\t\tt.Run(tc.input, func(t *testing.T) {\n\t\t\turl1, _ := url.Parse(tc.input)\n\t\t\taddPortIfMissing(url1, 22)\n\t\t\trequire.Equal(t, tc.expected, url1.Host)\n\t\t})\n\t}\n}\n" }, { "path": "ingress/origins/dns.go", "content": "package origins\n\nimport (\n\t\"context\"\n\t\"crypto/rand\"\n\t\"math/big\"\n\t\"net\"\n\t\"net/netip\"\n\t\"slices\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/ingress\"\n)\n\nconst (\n\t// We need a DNS record:\n\t// 1. That will be around for as long as cloudflared is\n\t// 2. That Cloudflare controls: to allow us to make changes if needed\n\t// 3. That is an external record to a typical customer's network: enforcing that the DNS request go to the\n\t// local DNS resolver over any local /etc/host configurations setup.\n\t// 4. That cloudflared would normally query: ensuring that users with a positive security model for DNS queries\n\t// don't need to adjust anything.\n\t//\n\t// This hostname is one that used during the edge discovery process and as such satisfies the above constraints.\n\tdefaultLookupHost = \"region1.v2.argotunnel.com\"\n\tdefaultResolverPort uint16 = 53\n\n\t// We want the refresh time to be short to accommodate DNS resolver changes locally, but not too frequent as to\n\t// shuffle the resolver if multiple are configured.\n\trefreshFreq = 5 * time.Minute\n\trefreshTimeout = 5 * time.Second\n)\n\nvar (\n\t// Virtual DNS service address\n\tVirtualDNSServiceAddr = netip.AddrPortFrom(netip.MustParseAddr(\"2606:4700:0cf1:2000:0000:0000:0000:0001\"), 53)\n\n\tdefaultResolverAddr = netip.AddrPortFrom(netip.MustParseAddr(\"127.0.0.1\"), defaultResolverPort)\n)\n\ntype netDial func(network string, address string) (net.Conn, error)\n\n// DNSResolverService will make DNS requests to the local DNS resolver via the Dial method.\ntype DNSResolverService struct {\n\taddresses []netip.AddrPort\n\taddressesM sync.RWMutex\n\tstatic bool\n\tdialer ingress.OriginDialer\n\tresolver peekResolver\n\tlogger *zerolog.Logger\n\tmetrics Metrics\n}\n\nfunc NewDNSResolverService(dialer ingress.OriginDialer, logger *zerolog.Logger, metrics Metrics) *DNSResolverService {\n\treturn &DNSResolverService{\n\t\taddresses: []netip.AddrPort{defaultResolverAddr},\n\t\tdialer: dialer,\n\t\tresolver: &resolver{dialFunc: net.Dial},\n\t\tlogger: logger,\n\t\tmetrics: metrics,\n\t}\n}\n\nfunc NewStaticDNSResolverService(resolverAddrs []netip.AddrPort, dialer ingress.OriginDialer, logger *zerolog.Logger, metrics Metrics) *DNSResolverService {\n\ts := NewDNSResolverService(dialer, logger, metrics)\n\ts.addresses = resolverAddrs\n\ts.static = true\n\treturn s\n}\n\nfunc (s *DNSResolverService) DialTCP(ctx context.Context, _ netip.AddrPort) (net.Conn, error) {\n\ts.metrics.IncrementDNSTCPRequests()\n\tdest := s.getAddress()\n\t// The dialer ignores the provided address because the request will instead go to the local DNS resolver.\n\treturn s.dialer.DialTCP(ctx, dest)\n}\n\nfunc (s *DNSResolverService) DialUDP(_ netip.AddrPort) (net.Conn, error) {\n\ts.metrics.IncrementDNSUDPRequests()\n\tdest := s.getAddress()\n\t// The dialer ignores the provided address because the request will instead go to the local DNS resolver.\n\treturn s.dialer.DialUDP(dest)\n}\n\n// StartRefreshLoop is a routine that is expected to run in the background to update the DNS local resolver if\n// adjusted while the cloudflared process is running.\n// Does not run when the resolver was provided with external resolver addresses via CLI.\nfunc (s *DNSResolverService) StartRefreshLoop(ctx context.Context) {\n\tif s.static {\n\t\ts.logger.Debug().Msgf(\"Canceled DNS local resolver refresh loop because static resolver addresses were provided: %s\", s.addresses)\n\t\treturn\n\t}\n\t// Call update first to load an address before handling traffic\n\terr := s.update(ctx)\n\tif err != nil {\n\t\ts.logger.Err(err).Msg(\"Failed to initialize DNS local resolver\")\n\t}\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\treturn\n\t\tcase <-time.Tick(refreshFreq):\n\t\t\terr := s.update(ctx)\n\t\t\tif err != nil {\n\t\t\t\ts.logger.Err(err).Msg(\"Failed to refresh DNS local resolver\")\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc (s *DNSResolverService) update(ctx context.Context) error {\n\tctx, cancel := context.WithTimeout(ctx, refreshTimeout)\n\tdefer cancel()\n\t// Make a standard DNS request to a well-known DNS record that will last a long time\n\t_, err := s.resolver.lookupNetIP(ctx, defaultLookupHost)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Validate the address before updating internal reference\n\t_, address := s.resolver.addr()\n\tpeekAddrPort, err := netip.ParseAddrPort(address)\n\tif err == nil {\n\t\ts.setAddress(peekAddrPort)\n\t\treturn nil\n\t}\n\t// It's possible that the address didn't have an attached port, attempt to parse just the address and use\n\t// the default port 53\n\tpeekAddr, err := netip.ParseAddr(address)\n\tif err != nil {\n\t\treturn err\n\t}\n\ts.setAddress(netip.AddrPortFrom(peekAddr, defaultResolverPort))\n\treturn nil\n}\n\n// returns the address from the peekResolver or from the static addresses if provided.\n// If multiple addresses are provided in the static addresses pick one randomly.\nfunc (s *DNSResolverService) getAddress() netip.AddrPort {\n\ts.addressesM.RLock()\n\tdefer s.addressesM.RUnlock()\n\tl := len(s.addresses)\n\tif l <= 0 {\n\t\treturn defaultResolverAddr\n\t}\n\tif l == 1 {\n\t\treturn s.addresses[0]\n\t}\n\t// Only initialize the random selection if there is more than one element in the list.\n\tvar i int64 = 0\n\tr, err := rand.Int(rand.Reader, big.NewInt(int64(l)))\n\t// We ignore errors from crypto rand and use index 0; this should be extremely unlikely and the\n\t// list index doesn't need to be cryptographically secure, but linters insist.\n\tif err == nil {\n\t\ti = r.Int64()\n\t}\n\treturn s.addresses[i]\n}\n\n// lock and update the address used for the local DNS resolver\nfunc (s *DNSResolverService) setAddress(addr netip.AddrPort) {\n\ts.addressesM.Lock()\n\tdefer s.addressesM.Unlock()\n\tif !slices.Contains(s.addresses, addr) {\n\t\ts.logger.Debug().Msgf(\"Updating DNS local resolver: %s\", addr)\n\t}\n\t// We only store one address when reading the peekResolver, so we just replace the whole list.\n\ts.addresses = []netip.AddrPort{addr}\n}\n\ntype peekResolver interface {\n\taddr() (network string, address string)\n\tlookupNetIP(ctx context.Context, host string) ([]netip.Addr, error)\n}\n\n// resolver is a shim that inspects the go runtime's DNS resolution process to capture the DNS resolver\n// address used to complete a DNS request.\ntype resolver struct {\n\tnetwork string\n\taddress string\n\tdialFunc netDial\n}\n\nfunc (r *resolver) addr() (network string, address string) {\n\treturn r.network, r.address\n}\n\nfunc (r *resolver) lookupNetIP(ctx context.Context, host string) ([]netip.Addr, error) {\n\tresolver := &net.Resolver{\n\t\tPreferGo: true,\n\t\t// Use the peekDial to inspect the results of the DNS resolver used during the LookupIPAddr call.\n\t\tDial: r.peekDial,\n\t}\n\treturn resolver.LookupNetIP(ctx, \"ip\", host)\n}\n\nfunc (r *resolver) peekDial(ctx context.Context, network, address string) (net.Conn, error) {\n\tr.network = network\n\tr.address = address\n\treturn r.dialFunc(network, address)\n}\n\n// NewDNSDialer creates a custom dialer for the DNS resolver service to utilize.\nfunc NewDNSDialer() *ingress.Dialer {\n\treturn &ingress.Dialer{\n\t\tDialer: net.Dialer{\n\t\t\t// We want short timeouts for the DNS requests\n\t\t\tTimeout: 5 * time.Second,\n\t\t\t// We do not want keep alive since the edge will not reuse TCP connections per request\n\t\t\tKeepAlive: -1,\n\t\t\tKeepAliveConfig: net.KeepAliveConfig{\n\t\t\t\tEnable: false,\n\t\t\t},\n\t\t},\n\t}\n}\n" }, { "path": "ingress/origins/dns_test.go", "content": "package origins\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"net\"\n\t\"net/netip\"\n\t\"slices\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n)\n\nfunc TestDNSResolver_DefaultResolver(t *testing.T) {\n\tlog := zerolog.Nop()\n\tservice := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})\n\tmockResolver := &mockPeekResolver{\n\t\taddress: \"127.0.0.2:53\",\n\t}\n\tservice.resolver = mockResolver\n\tvalidateAddrs(t, []netip.AddrPort{defaultResolverAddr}, service.addresses)\n}\n\nfunc TestStaticDNSResolver_DefaultResolver(t *testing.T) {\n\tlog := zerolog.Nop()\n\taddresses := []netip.AddrPort{netip.MustParseAddrPort(\"1.1.1.1:53\"), netip.MustParseAddrPort(\"1.0.0.1:53\")}\n\tservice := NewStaticDNSResolverService(addresses, NewDNSDialer(), &log, &noopMetrics{})\n\tmockResolver := &mockPeekResolver{\n\t\taddress: \"127.0.0.2:53\",\n\t}\n\tservice.resolver = mockResolver\n\tvalidateAddrs(t, addresses, service.addresses)\n}\n\nfunc TestDNSResolver_UpdateResolverAddress(t *testing.T) {\n\tlog := zerolog.Nop()\n\tservice := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})\n\n\tmockResolver := &mockPeekResolver{}\n\tservice.resolver = mockResolver\n\n\ttests := []struct {\n\t\taddr string\n\t\texpected netip.AddrPort\n\t}{\n\t\t{\"127.0.0.2:53\", netip.MustParseAddrPort(\"127.0.0.2:53\")},\n\t\t// missing port should be added (even though this is unlikely to happen)\n\t\t{\"127.0.0.3\", netip.MustParseAddrPort(\"127.0.0.3:53\")},\n\t}\n\n\tfor _, test := range tests {\n\t\tmockResolver.address = test.addr\n\t\t// Update the resolver address\n\t\terr := service.update(t.Context())\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\t// Validate expected\n\t\tvalidateAddrs(t, []netip.AddrPort{test.expected}, service.addresses)\n\t}\n}\n\nfunc TestStaticDNSResolver_RefreshLoopExits(t *testing.T) {\n\tlog := zerolog.Nop()\n\taddresses := []netip.AddrPort{netip.MustParseAddrPort(\"1.1.1.1:53\"), netip.MustParseAddrPort(\"1.0.0.1:53\")}\n\tservice := NewStaticDNSResolverService(addresses, NewDNSDialer(), &log, &noopMetrics{})\n\n\tmockResolver := &mockPeekResolver{\n\t\taddress: \"127.0.0.2:53\",\n\t}\n\tservice.resolver = mockResolver\n\n\tctx, cancel := context.WithCancel(t.Context())\n\tdefer cancel()\n\n\tgo service.StartRefreshLoop(ctx)\n\n\t// Wait for the refresh loop to end _and_ not update the addresses\n\ttime.Sleep(10 * time.Millisecond)\n\n\t// Validate expected\n\tvalidateAddrs(t, addresses, service.addresses)\n}\n\nfunc TestDNSResolver_UpdateResolverAddressInvalid(t *testing.T) {\n\tlog := zerolog.Nop()\n\tservice := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})\n\tmockResolver := &mockPeekResolver{}\n\tservice.resolver = mockResolver\n\n\tinvalidAddresses := []string{\n\t\t\"999.999.999.999\",\n\t\t\"localhost\",\n\t\t\"255.255.255\",\n\t}\n\n\tfor _, addr := range invalidAddresses {\n\t\tmockResolver.address = addr\n\t\t// Update the resolver address should not update for these invalid addresses\n\t\terr := service.update(t.Context())\n\t\tif err == nil {\n\t\t\tt.Error(\"service update should throw an error\")\n\t\t}\n\t\t// Validate expected\n\t\tvalidateAddrs(t, []netip.AddrPort{defaultResolverAddr}, service.addresses)\n\t}\n}\n\nfunc TestDNSResolver_UpdateResolverErrorIgnored(t *testing.T) {\n\tlog := zerolog.Nop()\n\tservice := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})\n\tresolverErr := errors.New(\"test resolver error\")\n\tmockResolver := &mockPeekResolver{err: resolverErr}\n\tservice.resolver = mockResolver\n\n\t// Update the resolver address should not update when the resolver cannot complete the lookup\n\terr := service.update(t.Context())\n\tif err != resolverErr {\n\t\tt.Error(\"service update should throw an error\")\n\t}\n\t// Validate expected\n\tvalidateAddrs(t, []netip.AddrPort{defaultResolverAddr}, service.addresses)\n}\n\nfunc TestDNSResolver_DialUDPUsesResolvedAddress(t *testing.T) {\n\tlog := zerolog.Nop()\n\tmockDialer := &mockDialer{expected: defaultResolverAddr}\n\tservice := NewDNSResolverService(mockDialer, &log, &noopMetrics{})\n\tmockResolver := &mockPeekResolver{}\n\tservice.resolver = mockResolver\n\n\t// Attempt a dial to 127.0.0.2:53 which should be ignored and instead resolve to 127.0.0.1:53\n\t_, err := service.DialUDP(netip.MustParseAddrPort(\"127.0.0.2:53\"))\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n}\n\nfunc TestDNSResolver_DialTCPUsesResolvedAddress(t *testing.T) {\n\tlog := zerolog.Nop()\n\tmockDialer := &mockDialer{expected: defaultResolverAddr}\n\tservice := NewDNSResolverService(mockDialer, &log, &noopMetrics{})\n\tmockResolver := &mockPeekResolver{}\n\tservice.resolver = mockResolver\n\n\t// Attempt a dial to 127.0.0.2:53 which should be ignored and instead resolve to 127.0.0.1:53\n\t_, err := service.DialTCP(t.Context(), netip.MustParseAddrPort(\"127.0.0.2:53\"))\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n}\n\ntype mockPeekResolver struct {\n\terr error\n\taddress string\n}\n\nfunc (r *mockPeekResolver) addr() (network, address string) {\n\treturn \"udp\", r.address\n}\n\nfunc (r *mockPeekResolver) lookupNetIP(ctx context.Context, host string) ([]netip.Addr, error) {\n\t// We can return an empty result as it doesn't matter as long as the lookup doesn't fail\n\treturn []netip.Addr{}, r.err\n}\n\ntype mockDialer struct {\n\texpected netip.AddrPort\n}\n\nfunc (d *mockDialer) DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error) {\n\tif d.expected != addr {\n\t\treturn nil, errors.New(\"unexpected address dialed\")\n\t}\n\treturn nil, nil\n}\n\nfunc (d *mockDialer) DialUDP(addr netip.AddrPort) (net.Conn, error) {\n\tif d.expected != addr {\n\t\treturn nil, errors.New(\"unexpected address dialed\")\n\t}\n\treturn nil, nil\n}\n\nfunc validateAddrs(t *testing.T, expected []netip.AddrPort, actual []netip.AddrPort) {\n\tif len(actual) != len(expected) {\n\t\tt.Errorf(\"addresses should only contain one element: %s\", actual)\n\t}\n\tfor _, e := range expected {\n\t\tif !slices.Contains(actual, e) {\n\t\t\tt.Errorf(\"missing address: %s in %s\", e, actual)\n\t\t}\n\t}\n}\n" }, { "path": "ingress/origins/metrics.go", "content": "package origins\n\nimport (\n\t\"github.com/prometheus/client_golang/prometheus\"\n)\n\nconst (\n\tnamespace = \"cloudflared\"\n\tsubsystem = \"virtual_origins\"\n)\n\ntype Metrics interface {\n\tIncrementDNSUDPRequests()\n\tIncrementDNSTCPRequests()\n}\n\ntype metrics struct {\n\tdnsResolverRequests *prometheus.CounterVec\n}\n\nfunc (m *metrics) IncrementDNSUDPRequests() {\n\tm.dnsResolverRequests.WithLabelValues(\"udp\").Inc()\n}\n\nfunc (m *metrics) IncrementDNSTCPRequests() {\n\tm.dnsResolverRequests.WithLabelValues(\"tcp\").Inc()\n}\n\nfunc NewMetrics(registerer prometheus.Registerer) Metrics {\n\tm := &metrics{\n\t\tdnsResolverRequests: prometheus.NewCounterVec(prometheus.CounterOpts{\n\t\t\tNamespace: namespace,\n\t\t\tSubsystem: subsystem,\n\t\t\tName: \"dns_requests_total\",\n\t\t\tHelp: \"Total count of DNS requests that have been proxied to the virtual DNS resolver origin\",\n\t\t}, []string{\"protocol\"}),\n\t}\n\tregisterer.MustRegister(m.dnsResolverRequests)\n\treturn m\n}\n" }, { "path": "ingress/origins/metrics_test.go", "content": "package origins\n\ntype noopMetrics struct{}\n\nfunc (noopMetrics) IncrementDNSUDPRequests() {}\nfunc (noopMetrics) IncrementDNSTCPRequests() {}\n" }, { "path": "ingress/packet_router.go", "content": "package ingress\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\t\"github.com/rs/zerolog\"\n\t\"go.opentelemetry.io/otel/attribute\"\n\t\"go.opentelemetry.io/otel/trace\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n\tquicpogs \"github.com/cloudflare/cloudflared/quic\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n)\n\n// Upstream of raw packets\ntype muxer interface {\n\tSendPacket(pk quicpogs.Packet) error\n\t// ReceivePacket waits for the next raw packet from upstream\n\tReceivePacket(ctx context.Context) (quicpogs.Packet, error)\n}\n\n// PacketRouter routes packets between Upstream and ICMPRouter. Currently it rejects all other type of ICMP packets\ntype PacketRouter struct {\n\ticmpRouter ICMPRouter\n\tmuxer muxer\n\tconnIndex uint8\n\tlogger *zerolog.Logger\n\tencoder *packet.Encoder\n\tdecoder *packet.ICMPDecoder\n}\n\n// NewPacketRouter creates a PacketRouter that handles ICMP packets. Packets are read from muxer but dropped if globalConfig is nil.\nfunc NewPacketRouter(icmpRouter ICMPRouter, muxer muxer, connIndex uint8, logger *zerolog.Logger) *PacketRouter {\n\treturn &PacketRouter{\n\t\ticmpRouter: icmpRouter,\n\t\tmuxer: muxer,\n\t\tconnIndex: connIndex,\n\t\tlogger: logger,\n\t\tencoder: packet.NewEncoder(),\n\t\tdecoder: packet.NewICMPDecoder(),\n\t}\n}\n\nfunc (r *PacketRouter) Serve(ctx context.Context) error {\n\tfor {\n\t\trawPacket, responder, err := r.nextPacket(ctx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tr.handlePacket(ctx, rawPacket, responder)\n\t}\n}\n\nfunc (r *PacketRouter) nextPacket(ctx context.Context) (packet.RawPacket, ICMPResponder, error) {\n\tpk, err := r.muxer.ReceivePacket(ctx)\n\tif err != nil {\n\t\treturn packet.RawPacket{}, nil, err\n\t}\n\tresponder := newPacketResponder(r.muxer, r.connIndex, packet.NewEncoder())\n\n\tswitch pk.Type() {\n\tcase quicpogs.DatagramTypeIP:\n\t\treturn packet.RawPacket{Data: pk.Payload()}, responder, nil\n\tcase quicpogs.DatagramTypeIPWithTrace:\n\t\tvar identity tracing.Identity\n\t\tif err := identity.UnmarshalBinary(pk.Metadata()); err != nil {\n\t\t\tr.logger.Err(err).Bytes(\"tracingIdentity\", pk.Metadata()).Msg(\"Failed to unmarshal tracing identity\")\n\t\t} else {\n\t\t\ttracedCtx := tracing.NewTracedContext(ctx, identity.String(), r.logger)\n\t\t\tresponder.AddTraceContext(tracedCtx, pk.Metadata())\n\t\t}\n\t\treturn packet.RawPacket{Data: pk.Payload()}, responder, nil\n\tdefault:\n\t\treturn packet.RawPacket{}, nil, fmt.Errorf(\"unexpected datagram type %d\", pk.Type())\n\t}\n}\n\nfunc (r *PacketRouter) handlePacket(ctx context.Context, rawPacket packet.RawPacket, responder ICMPResponder) {\n\t// ICMP Proxy feature is disabled, drop packets\n\tif r.icmpRouter == nil {\n\t\treturn\n\t}\n\n\ticmpPacket, err := r.decoder.Decode(rawPacket)\n\tif err != nil {\n\t\tr.logger.Err(err).Msg(\"Failed to decode ICMP packet from quic datagram\")\n\t\treturn\n\t}\n\n\tif icmpPacket.TTL <= 1 {\n\t\tif err := r.sendTTLExceedMsg(icmpPacket, rawPacket); err != nil {\n\t\t\tr.logger.Err(err).Msg(\"Failed to return ICMP TTL exceed error\")\n\t\t}\n\t\treturn\n\t}\n\ticmpPacket.TTL--\n\n\tif err := r.icmpRouter.Request(ctx, icmpPacket, responder); err != nil {\n\t\tr.logger.Err(err).\n\t\t\tStr(\"src\", icmpPacket.Src.String()).\n\t\t\tStr(\"dst\", icmpPacket.Dst.String()).\n\t\t\tInterface(\"type\", icmpPacket.Type).\n\t\t\tMsg(\"Failed to send ICMP packet\")\n\t}\n}\n\nfunc (r *PacketRouter) sendTTLExceedMsg(pk *packet.ICMP, rawPacket packet.RawPacket) error {\n\ticmpTTLPacket := r.icmpRouter.ConvertToTTLExceeded(pk, rawPacket)\n\tencodedTTLExceed, err := r.encoder.Encode(icmpTTLPacket)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn r.muxer.SendPacket(quicpogs.RawPacket(encodedTTLExceed))\n}\n\n// packetResponder should not be used concurrently. This assumption is upheld because reply packets are ready one-by-one\ntype packetResponder struct {\n\tdatagramMuxer muxer\n\tconnIndex uint8\n\tencoder *packet.Encoder\n\ttracedCtx *tracing.TracedContext\n\tserializedIdentity []byte\n\t// hadReply tracks if there has been any reply for this flow\n\thadReply bool\n}\n\nfunc newPacketResponder(datagramMuxer muxer, connIndex uint8, encoder *packet.Encoder) ICMPResponder {\n\treturn &packetResponder{\n\t\tdatagramMuxer: datagramMuxer,\n\t\tconnIndex: connIndex,\n\t\tencoder: encoder,\n\t}\n}\n\nfunc (pr *packetResponder) tracingEnabled() bool {\n\treturn pr.tracedCtx != nil\n}\n\nfunc (pr *packetResponder) ConnectionIndex() uint8 {\n\treturn pr.connIndex\n}\n\nfunc (pr *packetResponder) ReturnPacket(pk *packet.ICMP) error {\n\trawPacket, err := pr.encoder.Encode(pk)\n\tif err != nil {\n\t\treturn err\n\t}\n\tpr.hadReply = true\n\treturn pr.datagramMuxer.SendPacket(quicpogs.RawPacket(rawPacket))\n}\n\nfunc (pr *packetResponder) AddTraceContext(tracedCtx *tracing.TracedContext, serializedIdentity []byte) {\n\tpr.tracedCtx = tracedCtx\n\tpr.serializedIdentity = serializedIdentity\n}\n\nfunc (pr *packetResponder) RequestSpan(ctx context.Context, pk *packet.ICMP) (context.Context, trace.Span) {\n\tif !pr.tracingEnabled() {\n\t\treturn ctx, tracing.NewNoopSpan()\n\t}\n\treturn pr.tracedCtx.Tracer().Start(pr.tracedCtx, \"icmp-echo-request\", trace.WithAttributes(\n\t\tattribute.String(\"src\", pk.Src.String()),\n\t\tattribute.String(\"dst\", pk.Dst.String()),\n\t))\n}\n\nfunc (pr *packetResponder) ReplySpan(ctx context.Context, logger *zerolog.Logger) (context.Context, trace.Span) {\n\tif !pr.tracingEnabled() || pr.hadReply {\n\t\treturn ctx, tracing.NewNoopSpan()\n\t}\n\treturn pr.tracedCtx.Tracer().Start(pr.tracedCtx, \"icmp-echo-reply\")\n}\n\nfunc (pr *packetResponder) ExportSpan() {\n\tif !pr.tracingEnabled() {\n\t\treturn\n\t}\n\tspans := pr.tracedCtx.GetProtoSpans()\n\tif len(spans) > 0 {\n\t\tpr.datagramMuxer.SendPacket(&quicpogs.TracingSpanPacket{\n\t\t\tSpans: spans,\n\t\t\tTracingIdentity: pr.serializedIdentity,\n\t\t})\n\t}\n}\n" }, { "path": "ingress/packet_router_test.go", "content": "package ingress\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"net/netip\"\n\t\"sync/atomic\"\n\t\"testing\"\n\n\t\"github.com/google/gopacket/layers\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/icmp\"\n\t\"golang.org/x/net/ipv4\"\n\t\"golang.org/x/net/ipv6\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n\tquicpogs \"github.com/cloudflare/cloudflared/quic\"\n)\n\nvar (\n\tdefaultRouter = &icmpRouter{\n\t\tipv4Proxy: nil,\n\t\tipv4Src: netip.MustParseAddr(\"172.16.0.1\"),\n\t\tipv6Proxy: nil,\n\t\tipv6Src: netip.MustParseAddr(\"fd51:2391:523:f4ee::1\"),\n\t}\n)\n\nfunc TestRouterReturnTTLExceed(t *testing.T) {\n\tmuxer := newMockMuxer(0)\n\trouter := NewPacketRouter(defaultRouter, muxer, 0, &noopLogger)\n\tctx, cancel := context.WithCancel(context.Background())\n\trouterStopped := make(chan struct{})\n\tgo func() {\n\t\trouter.Serve(ctx)\n\t\tclose(routerStopped)\n\t}()\n\n\tpk := packet.ICMP{\n\t\tIP: &packet.IP{\n\t\t\tSrc: netip.MustParseAddr(\"192.168.1.1\"),\n\t\t\tDst: netip.MustParseAddr(\"10.0.0.1\"),\n\t\t\tProtocol: layers.IPProtocolICMPv4,\n\t\t\tTTL: 1,\n\t\t},\n\t\tMessage: &icmp.Message{\n\t\t\tType: ipv4.ICMPTypeEcho,\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.Echo{\n\t\t\t\tID: 12481,\n\t\t\t\tSeq: 8036,\n\t\t\t\tData: []byte(\"TTL exceed\"),\n\t\t\t},\n\t\t},\n\t}\n\tassertTTLExceed(t, &pk, defaultRouter.ipv4Src, muxer)\n\tpk = packet.ICMP{\n\t\tIP: &packet.IP{\n\t\t\tSrc: netip.MustParseAddr(\"fd51:2391:523:f4ee::1\"),\n\t\t\tDst: netip.MustParseAddr(\"fd51:2391:697:f4ee::2\"),\n\t\t\tProtocol: layers.IPProtocolICMPv6,\n\t\t\tTTL: 1,\n\t\t},\n\t\tMessage: &icmp.Message{\n\t\t\tType: ipv6.ICMPTypeEchoRequest,\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.Echo{\n\t\t\t\tID: 42583,\n\t\t\t\tSeq: 7039,\n\t\t\t\tData: []byte(\"TTL exceed\"),\n\t\t\t},\n\t\t},\n\t}\n\tassertTTLExceed(t, &pk, defaultRouter.ipv6Src, muxer)\n\n\tcancel()\n\t<-routerStopped\n}\n\nfunc assertTTLExceed(t *testing.T, originalPacket *packet.ICMP, expectedSrc netip.Addr, muxer *mockMuxer) {\n\tencoder := packet.NewEncoder()\n\trawPacket, err := encoder.Encode(originalPacket)\n\trequire.NoError(t, err)\n\tmuxer.edgeToCfd <- quicpogs.RawPacket(rawPacket)\n\n\tresp := <-muxer.cfdToEdge\n\tdecoder := packet.NewICMPDecoder()\n\tdecoded, err := decoder.Decode(packet.RawPacket(resp.(quicpogs.RawPacket)))\n\trequire.NoError(t, err)\n\n\trequire.Equal(t, expectedSrc, decoded.Src)\n\trequire.Equal(t, originalPacket.Src, decoded.Dst)\n\trequire.Equal(t, originalPacket.Protocol, decoded.Protocol)\n\trequire.Equal(t, packet.DefaultTTL, decoded.TTL)\n\tif originalPacket.Dst.Is4() {\n\t\trequire.Equal(t, ipv4.ICMPTypeTimeExceeded, decoded.Type)\n\t} else {\n\t\trequire.Equal(t, ipv6.ICMPTypeTimeExceeded, decoded.Type)\n\t}\n\trequire.Equal(t, 0, decoded.Code)\n\ttimeExceed, ok := decoded.Body.(*icmp.TimeExceeded)\n\trequire.True(t, ok)\n\trequire.True(t, bytes.Equal(rawPacket.Data, timeExceed.Data))\n}\n\ntype mockMuxer struct {\n\tcfdToEdge chan quicpogs.Packet\n\tedgeToCfd chan quicpogs.Packet\n}\n\nfunc newMockMuxer(capacity int) *mockMuxer {\n\treturn &mockMuxer{\n\t\tcfdToEdge: make(chan quicpogs.Packet, capacity),\n\t\tedgeToCfd: make(chan quicpogs.Packet, capacity),\n\t}\n}\n\n// Copy packet, because icmpProxy expects the encoder buffer to be reusable after the packet is sent\nfunc (mm *mockMuxer) SendPacket(pk quicpogs.Packet) error {\n\tpayload := pk.Payload()\n\tcopiedPayload := make([]byte, len(payload))\n\tcopy(copiedPayload, payload)\n\n\tmetadata := pk.Metadata()\n\tcopiedMetadata := make([]byte, len(metadata))\n\tcopy(copiedMetadata, metadata)\n\n\tvar copiedPacket quicpogs.Packet\n\tswitch pk.Type() {\n\tcase quicpogs.DatagramTypeIP:\n\t\tcopiedPacket = quicpogs.RawPacket(packet.RawPacket{\n\t\t\tData: copiedPayload,\n\t\t})\n\tcase quicpogs.DatagramTypeIPWithTrace:\n\t\tcopiedPacket = &quicpogs.TracedPacket{\n\t\t\tPacket: packet.RawPacket{\n\t\t\t\tData: copiedPayload,\n\t\t\t},\n\t\t\tTracingIdentity: copiedMetadata,\n\t\t}\n\tcase quicpogs.DatagramTypeTracingSpan:\n\t\tcopiedPacket = &quicpogs.TracingSpanPacket{\n\t\t\tSpans: copiedPayload,\n\t\t\tTracingIdentity: copiedMetadata,\n\t\t}\n\tdefault:\n\t\treturn fmt.Errorf(\"unexpected metadata type %d\", pk.Type())\n\t}\n\tmm.cfdToEdge <- copiedPacket\n\treturn nil\n}\n\nfunc (mm *mockMuxer) ReceivePacket(ctx context.Context) (quicpogs.Packet, error) {\n\tselect {\n\tcase <-ctx.Done():\n\t\treturn nil, ctx.Err()\n\tcase pk := <-mm.edgeToCfd:\n\t\treturn pk, nil\n\t}\n}\n\ntype routerEnabledChecker struct {\n\tenabled uint32\n}\n\nfunc (rec *routerEnabledChecker) isEnabled() bool {\n\tif atomic.LoadUint32(&rec.enabled) == 0 {\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc (rec *routerEnabledChecker) set(enabled bool) {\n\tif enabled {\n\t\tatomic.StoreUint32(&rec.enabled, 1)\n\t} else {\n\t\tatomic.StoreUint32(&rec.enabled, 0)\n\t}\n}\n" }, { "path": "ingress/rule.go", "content": "package ingress\n\nimport (\n\t\"encoding/json\"\n\t\"regexp\"\n\t\"strings\"\n\n\t\"github.com/cloudflare/cloudflared/ingress/middleware\"\n)\n\n// Rule routes traffic from a hostname/path on the public internet to the\n// service running on the given URL.\ntype Rule struct {\n\t// Requests for this hostname will be proxied to this rule's service.\n\tHostname string `json:\"hostname\"`\n\n\t// punycodeHostname is an additional optional hostname converted to punycode.\n\tpunycodeHostname string\n\n\t// Path is an optional regex that can specify path-driven ingress rules.\n\tPath *Regexp `json:\"path\"`\n\n\t// A (probably local) address. Requests for a hostname which matches this\n\t// rule's hostname pattern will be proxied to the service running on this\n\t// address.\n\tService OriginService `json:\"service\"`\n\n\t// Handlers is a list of functions that acts as a middleware during ProxyHTTP\n\tHandlers []middleware.Handler\n\n\t// Configure the request cloudflared sends to this specific origin.\n\tConfig OriginRequestConfig `json:\"originRequest\"`\n}\n\n// MultiLineString is for outputting rules in a human-friendly way when Cloudflared\n// is used as a CLI tool (not as a daemon).\nfunc (r Rule) MultiLineString() string {\n\tvar out strings.Builder\n\tif r.Hostname != \"\" {\n\t\tout.WriteString(\"\\thostname: \")\n\t\tout.WriteString(r.Hostname)\n\t\tout.WriteRune('\\n')\n\t}\n\tif r.Path != nil && r.Path.Regexp != nil {\n\t\tout.WriteString(\"\\tpath: \")\n\t\tout.WriteString(r.Path.Regexp.String())\n\t\tout.WriteRune('\\n')\n\t}\n\tout.WriteString(\"\\tservice: \")\n\tout.WriteString(r.Service.String())\n\treturn out.String()\n}\n\n// Matches checks if the rule matches a given hostname/path combination.\nfunc (r *Rule) Matches(hostname, path string) bool {\n\thostMatch := false\n\tif r.Hostname == \"\" || r.Hostname == \"*\" {\n\t\thostMatch = true\n\t} else {\n\t\thostMatch = matchHost(r.Hostname, hostname)\n\t}\n\tpunycodeHostMatch := false\n\tif r.punycodeHostname != \"\" {\n\t\tpunycodeHostMatch = matchHost(r.punycodeHostname, hostname)\n\t}\n\tpathMatch := r.Path == nil || r.Path.Regexp == nil || r.Path.Regexp.MatchString(path)\n\treturn (hostMatch || punycodeHostMatch) && pathMatch\n}\n\n// Regexp adds unmarshalling from json for regexp.Regexp\ntype Regexp struct {\n\t*regexp.Regexp\n}\n\nfunc (r *Regexp) MarshalJSON() ([]byte, error) {\n\tif r.Regexp == nil {\n\t\treturn json.Marshal(nil)\n\t}\n\treturn json.Marshal(r.Regexp.String())\n}\n" }, { "path": "ingress/rule_test.go", "content": "package ingress\n\nimport (\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"regexp\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n)\n\nfunc Test_rule_matches(t *testing.T) {\n\ttype args struct {\n\t\trequestURL *url.URL\n\t}\n\ttests := []struct {\n\t\tname string\n\t\trule Rule\n\t\targs args\n\t\twant bool\n\t}{\n\t\t{\n\t\t\tname: \"Just hostname, pass\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"example.com\",\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://example.com\"),\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Unicode hostname with unicode request, pass\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"môô.cloudflare.com\",\n\t\t\t\tpunycodeHostname: \"xn--m-xgaa.cloudflare.com\",\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://môô.cloudflare.com\"),\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Unicode hostname with punycode request, pass\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"môô.cloudflare.com\",\n\t\t\t\tpunycodeHostname: \"xn--m-xgaa.cloudflare.com\",\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://xn--m-xgaa.cloudflare.com\"),\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Entire hostname is wildcard, should match everything\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"*\",\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://example.com\"),\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Just hostname, fail\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"example.com\",\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://foo.bar\"),\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"Just wildcard hostname, pass\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"*.example.com\",\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://adam.example.com\"),\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Just wildcard hostname, fail\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"*.example.com\",\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://tunnel.com\"),\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"Just wildcard outside of subdomain in hostname, fail\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"*example.com\",\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://www.example.com\"),\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"Wildcard over multiple subdomains\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"*.example.com\",\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://adam.chalmers.example.com\"),\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Hostname and path\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"*.example.com\",\n\t\t\t\tPath: &Regexp{Regexp: regexp.MustCompile(\"/static/.*\\\\.html\")},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://www.example.com/static/index.html\"),\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Hostname and empty Regex\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"example.com\",\n\t\t\t\tPath: &Regexp{},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://example.com/\"),\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Hostname and nil path\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"example.com\",\n\t\t\t\tPath: nil,\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://example.com/\"),\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Hostname with wildcard should not match if no dot present\",\n\t\t\trule: Rule{\n\t\t\t\tHostname: \"*.api.abc.cloud\",\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\trequestURL: MustParseURL(t, \"https://testing-api.abc.cloud\"),\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tu := tt.args.requestURL\n\t\t\tif got := tt.rule.Matches(u.Hostname(), u.Path); got != tt.want {\n\t\t\t\tt.Errorf(\"rule.matches() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestStaticHTTPStatus(t *testing.T) {\n\to := newStatusCode(404)\n\tbuf := make([]byte, 100)\n\n\tsendReq := func() {\n\t\tresp, err := o.RoundTrip(nil)\n\t\trequire.NoError(t, err)\n\t\t_, err = resp.Body.Read(buf)\n\t\trequire.Equal(t, io.EOF, err)\n\t\trequire.NoError(t, resp.Body.Close())\n\t\trequire.Equal(t, 404, resp.StatusCode)\n\n\t\tresp, err = o.RoundTrip(nil)\n\t\trequire.NoError(t, err)\n\t\tw := httptest.NewRecorder()\n\t\tn, err := io.Copy(w, resp.Body)\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, int64(0), n)\n\t}\n\tsendReq()\n\tsendReq()\n}\n\nfunc TestMarshalJSON(t *testing.T) {\n\tlocalhost8000 := MustParseURL(t, \"https://localhost:8000\")\n\tdefaultConfig := setConfig(originRequestFromConfig(config.OriginRequestConfig{}), config.OriginRequestConfig{})\n\ttests := []struct {\n\t\tname string\n\t\tpath *Regexp\n\t\texpected string\n\t\twant bool\n\t}{\n\t\t{\n\t\t\tname: \"Nil\",\n\t\t\tpath: nil,\n\t\t\texpected: `{\"hostname\":\"example.com\",\"path\":null,\"service\":\"https://localhost:8000\",\"Handlers\":null,\"originRequest\":{\"connectTimeout\":30,\"tlsTimeout\":10,\"tcpKeepAlive\":30,\"noHappyEyeballs\":false,\"keepAliveTimeout\":90,\"keepAliveConnections\":100,\"httpHostHeader\":\"\",\"originServerName\":\"\",\"matchSNItoHost\":false,\"caPool\":\"\",\"noTLSVerify\":false,\"disableChunkedEncoding\":false,\"bastionMode\":false,\"proxyAddress\":\"127.0.0.1\",\"proxyPort\":0,\"proxyType\":\"\",\"ipRules\":null,\"http2Origin\":false,\"access\":{\"teamName\":\"\",\"audTag\":null}}}`,\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Nil regex\",\n\t\t\tpath: &Regexp{Regexp: nil},\n\t\t\texpected: `{\"hostname\":\"example.com\",\"path\":null,\"service\":\"https://localhost:8000\",\"Handlers\":null,\"originRequest\":{\"connectTimeout\":30,\"tlsTimeout\":10,\"tcpKeepAlive\":30,\"noHappyEyeballs\":false,\"keepAliveTimeout\":90,\"keepAliveConnections\":100,\"httpHostHeader\":\"\",\"originServerName\":\"\",\"matchSNItoHost\":false,\"caPool\":\"\",\"noTLSVerify\":false,\"disableChunkedEncoding\":false,\"bastionMode\":false,\"proxyAddress\":\"127.0.0.1\",\"proxyPort\":0,\"proxyType\":\"\",\"ipRules\":null,\"http2Origin\":false,\"access\":{\"teamName\":\"\",\"audTag\":null}}}`,\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Empty\",\n\t\t\tpath: &Regexp{Regexp: regexp.MustCompile(\"\")},\n\t\t\texpected: `{\"hostname\":\"example.com\",\"path\":\"\",\"service\":\"https://localhost:8000\",\"Handlers\":null,\"originRequest\":{\"connectTimeout\":30,\"tlsTimeout\":10,\"tcpKeepAlive\":30,\"noHappyEyeballs\":false,\"keepAliveTimeout\":90,\"keepAliveConnections\":100,\"httpHostHeader\":\"\",\"originServerName\":\"\",\"matchSNItoHost\":false,\"caPool\":\"\",\"noTLSVerify\":false,\"disableChunkedEncoding\":false,\"bastionMode\":false,\"proxyAddress\":\"127.0.0.1\",\"proxyPort\":0,\"proxyType\":\"\",\"ipRules\":null,\"http2Origin\":false,\"access\":{\"teamName\":\"\",\"audTag\":null}}}`,\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Basic\",\n\t\t\tpath: &Regexp{Regexp: regexp.MustCompile(\"/echo\")},\n\t\t\texpected: `{\"hostname\":\"example.com\",\"path\":\"/echo\",\"service\":\"https://localhost:8000\",\"Handlers\":null,\"originRequest\":{\"connectTimeout\":30,\"tlsTimeout\":10,\"tcpKeepAlive\":30,\"noHappyEyeballs\":false,\"keepAliveTimeout\":90,\"keepAliveConnections\":100,\"httpHostHeader\":\"\",\"originServerName\":\"\",\"matchSNItoHost\":false,\"caPool\":\"\",\"noTLSVerify\":false,\"disableChunkedEncoding\":false,\"bastionMode\":false,\"proxyAddress\":\"127.0.0.1\",\"proxyPort\":0,\"proxyType\":\"\",\"ipRules\":null,\"http2Origin\":false,\"access\":{\"teamName\":\"\",\"audTag\":null}}}`,\n\t\t\twant: true,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tr := Rule{\n\t\t\t\tHostname: \"example.com\",\n\t\t\t\tService: &httpService{url: localhost8000},\n\t\t\t\tPath: tt.path,\n\t\t\t\tConfig: defaultConfig,\n\t\t\t}\n\t\t\tbytes, err := json.Marshal(r)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, tt.expected, string(bytes))\n\t\t})\n\t}\n}\n" }, { "path": "internal/test/wstest.go", "content": "package test\n\n// copied from https://github.com/nhooyr/websocket/blob/master/internal/test/wstest/pipe.go\n\nimport (\n\t\"bufio\"\n\t\"context\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\n\t\"nhooyr.io/websocket\"\n)\n\n// Pipe is used to create an in memory connection\n// between two websockets analogous to net.Pipe.\nfunc WSPipe(dialOpts *websocket.DialOptions, acceptOpts *websocket.AcceptOptions) (clientConn, serverConn *websocket.Conn) {\n\ttt := fakeTransport{\n\t\th: func(w http.ResponseWriter, r *http.Request) {\n\t\t\tserverConn, _ = websocket.Accept(w, r, acceptOpts)\n\t\t},\n\t}\n\n\tif dialOpts == nil {\n\t\tdialOpts = &websocket.DialOptions{}\n\t}\n\tdialOpts = &*dialOpts\n\tdialOpts.HTTPClient = &http.Client{\n\t\tTransport: tt,\n\t}\n\n\tclientConn, _, _ = websocket.Dial(context.Background(), \"ws://example.com\", dialOpts)\n\treturn clientConn, serverConn\n}\n\ntype fakeTransport struct {\n\th http.HandlerFunc\n}\n\nfunc (t fakeTransport) RoundTrip(r *http.Request) (*http.Response, error) {\n\tclientConn, serverConn := net.Pipe()\n\n\thj := testHijacker{\n\t\tResponseRecorder: httptest.NewRecorder(),\n\t\tserverConn: serverConn,\n\t}\n\n\tt.h.ServeHTTP(hj, r)\n\n\tresp := hj.ResponseRecorder.Result()\n\tif resp.StatusCode == http.StatusSwitchingProtocols {\n\t\tresp.Body = clientConn\n\t}\n\treturn resp, nil\n}\n\ntype testHijacker struct {\n\t*httptest.ResponseRecorder\n\tserverConn net.Conn\n}\n\nvar _ http.Hijacker = testHijacker{}\n\nfunc (hj testHijacker) Hijack() (net.Conn, *bufio.ReadWriter, error) {\n\treturn hj.serverConn, bufio.NewReadWriter(bufio.NewReader(hj.serverConn), bufio.NewWriter(hj.serverConn)), nil\n}\n" }, { "path": "ipaccess/access.go", "content": "package ipaccess\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"sort\"\n)\n\ntype Policy struct {\n\tdefaultAllow bool\n\trules []Rule\n}\n\ntype Rule struct {\n\tipNet *net.IPNet\n\tports []int\n\tallow bool\n}\n\nfunc NewPolicy(defaultAllow bool, rules []Rule) (*Policy, error) {\n\tfor _, rule := range rules {\n\t\tif err := rule.Validate(); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\tpolicy := Policy{\n\t\tdefaultAllow: defaultAllow,\n\t\trules: rules,\n\t}\n\n\treturn &policy, nil\n}\n\nfunc NewRuleByCIDR(prefix *string, ports []int, allow bool) (Rule, error) {\n\tif prefix == nil || len(*prefix) == 0 {\n\t\treturn Rule{}, fmt.Errorf(\"no prefix provided\")\n\t}\n\n\t_, ipnet, err := net.ParseCIDR(*prefix)\n\tif err != nil {\n\t\treturn Rule{}, fmt.Errorf(\"unable to parse cidr: %s\", *prefix)\n\t}\n\n\treturn NewRule(ipnet, ports, allow)\n}\n\nfunc NewRule(ipnet *net.IPNet, ports []int, allow bool) (Rule, error) {\n\trule := Rule{\n\t\tipNet: ipnet,\n\t\tports: ports,\n\t\tallow: allow,\n\t}\n\treturn rule, rule.Validate()\n}\n\nfunc (r *Rule) Validate() error {\n\tif r.ipNet == nil {\n\t\treturn fmt.Errorf(\"no ipnet set on the rule\")\n\t}\n\n\tif len(r.ports) > 0 {\n\t\tsort.Ints(r.ports)\n\t\tfor _, port := range r.ports {\n\t\t\tif port < 1 || port > 65535 {\n\t\t\t\treturn fmt.Errorf(\"invalid port %d, needs to be between 1 and 65535\", port)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc (h *Policy) Allowed(ip net.IP, port int) (bool, *Rule) {\n\tif len(h.rules) == 0 {\n\t\treturn h.defaultAllow, nil\n\t}\n\n\tfor _, rule := range h.rules {\n\t\tif rule.ipNet.Contains(ip) {\n\t\t\tif len(rule.ports) == 0 {\n\t\t\t\treturn rule.allow, &rule\n\t\t\t} else if pos := sort.SearchInts(rule.ports, port); pos < len(rule.ports) && rule.ports[pos] == port {\n\t\t\t\treturn rule.allow, &rule\n\t\t\t}\n\t\t}\n\t}\n\n\treturn h.defaultAllow, nil\n}\n\nfunc (ipr *Rule) String() string {\n\treturn fmt.Sprintf(\"prefix:%s/port:%s/allow:%t\", ipr.ipNet, ipr.PortsString(), ipr.allow)\n}\n\nfunc (ipr *Rule) PortsString() string {\n\tif len(ipr.ports) > 0 {\n\t\treturn fmt.Sprint(ipr.ports)\n\t}\n\treturn \"all\"\n}\n\nfunc (ipr *Rule) Ports() []int {\n\treturn ipr.ports\n}\n\nfunc (ipr *Rule) RulePolicy() bool {\n\treturn ipr.allow\n}\n\nfunc (ipr *Rule) StringCIDR() string {\n\treturn ipr.ipNet.String()\n}\n" }, { "path": "ipaccess/access_test.go", "content": "package ipaccess\n\nimport (\n\t\"bytes\"\n\t\"net\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestRuleCreation(t *testing.T) {\n\t_, ipnet, _ := net.ParseCIDR(\"1.1.1.1/24\")\n\n\t_, err := NewRule(nil, []int{80}, false)\n\tassert.Error(t, err, \"expected error as no ipnet provided\")\n\n\t_, err = NewRule(ipnet, []int{65536, 80}, false)\n\tassert.Error(t, err, \"expected error as port higher than 65535\")\n\n\t_, err = NewRule(ipnet, []int{80, -1}, false)\n\tassert.Error(t, err, \"expected error as port less than 0\")\n\n\trule, err := NewRule(ipnet, []int{443, 80}, false)\n\tassert.NoError(t, err)\n\tassert.True(t, ipnet.IP.Equal(rule.ipNet.IP) && bytes.Compare(ipnet.Mask, rule.ipNet.Mask) == 0, \"ipnet expected to be %+v, got: %+v\", ipnet, rule.ipNet)\n\tassert.True(t, len(rule.ports) == 2 && rule.ports[0] == 80 && rule.ports[1] == 443, \"expected ports to be sorted\")\n}\n\nfunc TestRuleCreationByCIDR(t *testing.T) {\n\tvar cidr *string\n\t_, err := NewRuleByCIDR(cidr, []int{80}, false)\n\tassert.Error(t, err, \"expected error as cidr is nil\")\n\n\tbadCidr := \"1.1.1.1\"\n\tcidr = &badCidr\n\t_, err = NewRuleByCIDR(cidr, []int{80}, false)\n\tassert.Error(t, err, \"expected error as the cidr is bad\")\n\n\tgoodCidr := \"1.1.1.1/24\"\n\t_, ipnet, _ := net.ParseCIDR(\"1.1.1.0/24\")\n\tcidr = &goodCidr\n\trule, err := NewRuleByCIDR(cidr, []int{80}, false)\n\tassert.NoError(t, err)\n\tassert.True(t, ipnet.IP.Equal(rule.ipNet.IP) && bytes.Compare(ipnet.Mask, rule.ipNet.Mask) == 0, \"ipnet expected to be %+v, got: %+v\", ipnet, rule.ipNet)\n}\n\nfunc TestRulesNoRules(t *testing.T) {\n\tip, _, _ := net.ParseCIDR(\"1.2.3.4/24\")\n\n\tpolicy, _ := NewPolicy(true, []Rule{})\n\n\tallowed, rule := policy.Allowed(ip, 80)\n\tassert.True(t, allowed, \"expected to be allowed as no rules and default allow\")\n\tassert.Nil(t, rule, \"expected to be nil as no rules\")\n\n\tpolicy, _ = NewPolicy(false, []Rule{})\n\n\tallowed, rule = policy.Allowed(ip, 80)\n\tassert.False(t, allowed, \"expected to be denied as no rules and default deny\")\n\tassert.Nil(t, rule, \"expected to be nil as no rules\")\n}\n\nfunc TestRulesMatchIPAndPort(t *testing.T) {\n\tip1, ipnet1, _ := net.ParseCIDR(\"1.2.3.4/24\")\n\tip2, _, _ := net.ParseCIDR(\"2.3.4.5/24\")\n\n\trule1, _ := NewRule(ipnet1, []int{80, 443}, true)\n\trules := []Rule{\n\t\trule1,\n\t}\n\n\tpolicy, _ := NewPolicy(false, rules)\n\n\tallowed, rule := policy.Allowed(ip1, 80)\n\tassert.True(t, allowed, \"expected to be allowed as matching rule\")\n\tassert.True(t, rule.ipNet == ipnet1, \"expected to match ipnet1\")\n\n\tallowed, rule = policy.Allowed(ip2, 80)\n\tassert.False(t, allowed, \"expected to be denied as no matching rule\")\n\tassert.Nil(t, rule, \"expected to be nil\")\n}\n\nfunc TestRulesMatchIPAndPort2(t *testing.T) {\n\tip1, ipnet1, _ := net.ParseCIDR(\"1.2.3.4/24\")\n\tip2, ipnet2, _ := net.ParseCIDR(\"2.3.4.5/24\")\n\n\trule1, _ := NewRule(ipnet1, []int{53, 80}, false)\n\trule2, _ := NewRule(ipnet2, []int{53, 80}, true)\n\trules := []Rule{\n\t\trule1,\n\t\trule2,\n\t}\n\n\tpolicy, _ := NewPolicy(false, rules)\n\n\tallowed, rule := policy.Allowed(ip1, 80)\n\tassert.False(t, allowed, \"expected to be denied as matching rule\")\n\tassert.True(t, rule.ipNet == ipnet1, \"expected to match ipnet1\")\n\n\tallowed, rule = policy.Allowed(ip2, 80)\n\tassert.True(t, allowed, \"expected to be allowed as matching rule\")\n\tassert.True(t, rule.ipNet == ipnet2, \"expected to match ipnet1\")\n\n\tallowed, rule = policy.Allowed(ip2, 81)\n\tassert.False(t, allowed, \"expected to be denied as no matching rule\")\n\tassert.Nil(t, rule, \"expected to be nil\")\n}\n" }, { "path": "logger/configuration.go", "content": "package logger\n\nimport (\n\t\"path/filepath\"\n)\n\nvar defaultConfig = createDefaultConfig()\n\n// Logging configuration\ntype Config struct {\n\tConsoleConfig *ConsoleConfig // If nil, the logger will not log into the console\n\tFileConfig *FileConfig // If nil, the logger will not use an individual log file\n\tRollingConfig *RollingConfig // If nil, the logger will not use a rolling log\n\n\tMinLevel string // debug | info | error | fatal\n}\n\ntype ConsoleConfig struct {\n\tnoColor bool\n\tasJSON bool\n}\n\ntype FileConfig struct {\n\tDirname string\n\tFilename string\n}\n\nfunc (fc *FileConfig) Fullpath() string {\n\treturn filepath.Join(fc.Dirname, fc.Filename)\n}\n\ntype RollingConfig struct {\n\tDirname string\n\tFilename string\n\n\tmaxSize int // megabytes\n\tmaxBackups int // files\n\tmaxAge int // days\n}\n\nfunc createDefaultConfig() Config {\n\tconst minLevel = \"info\"\n\n\tconst RollingMaxSize = 1 // Mb\n\tconst RollingMaxBackups = 5 // files\n\tconst RollingMaxAge = 0 // Keep forever\n\tconst defaultLogFilename = \"cloudflared.log\"\n\n\treturn Config{\n\t\tConsoleConfig: &ConsoleConfig{\n\t\t\tnoColor: false,\n\t\t\tasJSON: false,\n\t\t},\n\t\tFileConfig: &FileConfig{\n\t\t\tDirname: \"\",\n\t\t\tFilename: defaultLogFilename,\n\t\t},\n\t\tRollingConfig: &RollingConfig{\n\t\t\tDirname: \"\",\n\t\t\tFilename: defaultLogFilename,\n\t\t\tmaxSize: RollingMaxSize,\n\t\t\tmaxBackups: RollingMaxBackups,\n\t\t\tmaxAge: RollingMaxAge,\n\t\t},\n\t\tMinLevel: minLevel,\n\t}\n}\n\nfunc CreateConfig(\n\tminLevel string,\n\tdisableTerminal bool,\n\tformatJSON bool,\n\trollingLogPath, nonRollingLogFilePath string,\n) *Config {\n\tvar console *ConsoleConfig\n\tif !disableTerminal {\n\t\tconsole = createConsoleConfig(formatJSON)\n\t}\n\n\tvar file *FileConfig\n\tvar rolling *RollingConfig\n\tif nonRollingLogFilePath != \"\" {\n\t\tfile = createFileConfig(nonRollingLogFilePath)\n\t} else if rollingLogPath != \"\" {\n\t\trolling = createRollingConfig(rollingLogPath)\n\t}\n\n\tif minLevel == \"\" {\n\t\tminLevel = defaultConfig.MinLevel\n\t}\n\n\treturn &Config{\n\t\tConsoleConfig: console,\n\t\tFileConfig: file,\n\t\tRollingConfig: rolling,\n\n\t\tMinLevel: minLevel,\n\t}\n}\n\nfunc createConsoleConfig(formatJSON bool) *ConsoleConfig {\n\treturn &ConsoleConfig{\n\t\tnoColor: false,\n\t\tasJSON: formatJSON,\n\t}\n}\n\nfunc createFileConfig(fullpath string) *FileConfig {\n\tif fullpath == \"\" {\n\t\treturn defaultConfig.FileConfig\n\t}\n\n\tdirname, filename := filepath.Split(fullpath)\n\n\treturn &FileConfig{\n\t\tDirname: dirname,\n\t\tFilename: filename,\n\t}\n}\n\nfunc createRollingConfig(directory string) *RollingConfig {\n\tif directory == \"\" {\n\t\tdirectory = defaultConfig.RollingConfig.Dirname\n\t}\n\n\treturn &RollingConfig{\n\t\tDirname: directory,\n\t\tFilename: defaultConfig.RollingConfig.Filename,\n\t\tmaxSize: defaultConfig.RollingConfig.maxSize,\n\t\tmaxBackups: defaultConfig.RollingConfig.maxBackups,\n\t\tmaxAge: defaultConfig.RollingConfig.maxAge,\n\t}\n}\n" }, { "path": "logger/console.go", "content": "package logger\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\n\tjsoniter \"github.com/json-iterator/go\"\n)\n\nvar json = jsoniter.ConfigCompatibleWithStandardLibrary\n\n// consoleWriter allows us the simplicity to prevent duplicate json keys in the logger events reported.\n//\n// By default zerolog constructs the json event in parts by appending each additional key after the first. It\n// doesn't have any internal state or struct of the json message representation so duplicate keys can be\n// inserted without notice and no pruning will occur before writing the log event out to the io.Writer.\n//\n// To help prevent these duplicate keys, we will decode the json log event and then immediately re-encode it\n// again as writing it to the output io.Writer. Since we encode it to a map[string]any, duplicate keys\n// are pruned. We pay the cost of decoding and encoding the log event for each time, but helps prevent\n// us from needing to worry about adding duplicate keys in the log event from different areas of code.\ntype consoleWriter struct {\n\tout io.Writer\n}\n\nfunc (c *consoleWriter) Write(p []byte) (n int, err error) {\n\tvar evt map[string]any\n\td := json.NewDecoder(bytes.NewReader(p))\n\td.UseNumber()\n\terr = d.Decode(&evt)\n\tif err != nil {\n\t\treturn n, fmt.Errorf(\"cannot decode event: %s\", err)\n\t}\n\te := json.NewEncoder(c.out)\n\treturn len(p), e.Encode(evt)\n}\n" }, { "path": "logger/console_test.go", "content": "package logger\n\nimport (\n\t\"bytes\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/rs/zerolog\"\n)\n\nfunc TestConsoleLoggerDuplicateKeys(t *testing.T) {\n\tr := bytes.NewBuffer(make([]byte, 500))\n\tlogger := zerolog.New(&consoleWriter{out: r}).With().Timestamp().Logger()\n\tlogger.Debug().Str(\"test\", \"1234\").Int(\"number\", 45).Str(\"test\", \"5678\").Msg(\"log message\")\n\n\tevent, err := r.ReadString('\\n')\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\n\tif !strings.Contains(event, \"\\\"test\\\":\\\"5678\\\"\") {\n\t\tt.Errorf(\"log event missing key 'test': %s\", event)\n\t}\n\tif !strings.Contains(event, \"\\\"number\\\":45\") {\n\t\tt.Errorf(\"log event missing key 'number': %s\", event)\n\t}\n\tif !strings.Contains(event, \"\\\"time\\\":\") {\n\t\tt.Errorf(\"log event missing key 'time': %s\", event)\n\t}\n\tif !strings.Contains(event, \"\\\"level\\\":\\\"debug\\\"\") {\n\t\tt.Errorf(\"log event missing key 'level': %s\", event)\n\t}\n}\n" }, { "path": "logger/create.go", "content": "package logger\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/mattn/go-colorable\"\n\t\"github.com/rs/zerolog\"\n\tfallbacklog \"github.com/rs/zerolog/log\"\n\t\"github.com/urfave/cli/v2\"\n\t\"golang.org/x/term\"\n\t\"gopkg.in/natefinch/lumberjack.v2\"\n\n\tcfdflags \"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/management\"\n)\n\nconst (\n\tEnableTerminalLog = false\n\tDisableTerminalLog = true\n\n\tdirPermMode = 0744 // rwxr--r--\n\tfilePermMode = 0644 // rw-r--r--\n\n\tconsoleTimeFormat = time.RFC3339\n)\n\nvar (\n\tManagementLogger *management.Logger\n)\n\nfunc init() {\n\tzerolog.TimeFieldFormat = time.RFC3339\n\tzerolog.TimestampFunc = utcNow\n\n\tManagementLogger = management.NewLogger()\n}\n\nfunc utcNow() time.Time {\n\treturn time.Now().UTC()\n}\n\nfunc fallbackLogger(err error) *zerolog.Logger {\n\tfailLog := fallbacklog.With().Logger()\n\tfallbacklog.Error().Msgf(\"Falling back to a default logger due to logger setup failure: %s\", err)\n\n\treturn &failLog\n}\n\n// resilientMultiWriter is an alternative to zerolog's so that we can make it resilient to individual\n// writer's errors. E.g., when running as a Windows service, the console writer fails, but we don't want to\n// allow that to prevent all logging to fail due to breaking the for loop upon an error.\ntype resilientMultiWriter struct {\n\tlevel zerolog.Level\n\twriters []io.Writer\n\tmanagementWriter zerolog.LevelWriter\n}\n\nfunc (t resilientMultiWriter) Write(p []byte) (n int, err error) {\n\tfor _, w := range t.writers {\n\t\t_, _ = w.Write(p)\n\t}\n\tif t.managementWriter != nil {\n\t\t_, _ = t.managementWriter.Write(p)\n\t}\n\treturn len(p), nil\n}\n\nfunc (t resilientMultiWriter) WriteLevel(level zerolog.Level, p []byte) (n int, err error) {\n\t// Only write the event to normal writers if it exceeds the level, but always write to the\n\t// management logger and let it decided with the provided level of the log event.\n\tif t.level <= level {\n\t\tfor _, w := range t.writers {\n\t\t\t_, _ = w.Write(p)\n\t\t}\n\t}\n\tif t.managementWriter != nil {\n\t\t_, _ = t.managementWriter.WriteLevel(level, p)\n\t}\n\treturn len(p), nil\n}\n\nvar levelErrorLogged = false\n\nfunc newZerolog(loggerConfig *Config) *zerolog.Logger {\n\tvar writers []io.Writer\n\n\tif loggerConfig.ConsoleConfig != nil {\n\t\twriters = append(writers, createConsoleLogger(*loggerConfig.ConsoleConfig))\n\t}\n\n\tif loggerConfig.FileConfig != nil {\n\t\tfileLogger, err := createFileWriter(*loggerConfig.FileConfig)\n\t\tif err != nil {\n\t\t\treturn fallbackLogger(err)\n\t\t}\n\n\t\twriters = append(writers, fileLogger)\n\t}\n\n\tif loggerConfig.RollingConfig != nil {\n\t\trollingLogger, err := createRollingLogger(*loggerConfig.RollingConfig)\n\t\tif err != nil {\n\t\t\treturn fallbackLogger(err)\n\t\t}\n\n\t\twriters = append(writers, rollingLogger)\n\t}\n\n\tmanagementWriter := ManagementLogger\n\n\tlevel, levelErr := zerolog.ParseLevel(loggerConfig.MinLevel)\n\tif levelErr != nil {\n\t\tlevel = zerolog.InfoLevel\n\t}\n\n\tmulti := resilientMultiWriter{level, writers, managementWriter}\n\tlog := zerolog.New(multi).With().Timestamp().Logger()\n\tif !levelErrorLogged && levelErr != nil {\n\t\tlog.Error().Msgf(\"Failed to parse log level %q, using %q instead\", loggerConfig.MinLevel, level)\n\t\tlevelErrorLogged = true\n\t}\n\n\treturn &log\n}\n\nfunc CreateTransportLoggerFromContext(c *cli.Context, disableTerminal bool) *zerolog.Logger {\n\treturn createFromContext(c, cfdflags.TransportLogLevel, cfdflags.LogDirectory, disableTerminal)\n}\n\nfunc CreateLoggerFromContext(c *cli.Context, disableTerminal bool) *zerolog.Logger {\n\treturn createFromContext(c, cfdflags.LogLevel, cfdflags.LogDirectory, disableTerminal)\n}\n\nfunc CreateSSHLoggerFromContext(c *cli.Context, disableTerminal bool) *zerolog.Logger {\n\treturn createFromContext(c, cfdflags.LogLevelSSH, cfdflags.LogDirectory, disableTerminal)\n}\n\nfunc createFromContext(\n\tc *cli.Context,\n\tlogLevelFlagName,\n\tlogDirectoryFlagName string,\n\tdisableTerminal bool,\n) *zerolog.Logger {\n\tlogLevel := c.String(logLevelFlagName)\n\tlogFile := c.String(cfdflags.LogFile)\n\tlogDirectory := c.String(logDirectoryFlagName)\n\tvar logFormatJSON bool\n\tswitch c.String(cfdflags.LogFormatOutput) {\n\tcase cfdflags.LogFormatOutputValueJSON:\n\t\tlogFormatJSON = true\n\tcase cfdflags.LogFormatOutputValueDefault:\n\t\t// \"default\" and unset use the same logger output format\n\t\tfallthrough\n\tdefault:\n\t\tlogFormatJSON = false\n\t}\n\n\tloggerConfig := CreateConfig(\n\t\tlogLevel,\n\t\tdisableTerminal,\n\t\tlogFormatJSON,\n\t\tlogDirectory,\n\t\tlogFile,\n\t)\n\n\tlog := newZerolog(loggerConfig)\n\tif incompatibleFlagsSet := logFile != \"\" && logDirectory != \"\"; incompatibleFlagsSet {\n\t\tlog.Error().Msgf(\"Your config includes values for both %s (%s) and %s (%s), but they are incompatible. %s takes precedence.\", cfdflags.LogFile, logFile, logDirectoryFlagName, logDirectory, cfdflags.LogFile)\n\t}\n\treturn log\n}\n\nfunc Create(loggerConfig *Config) *zerolog.Logger {\n\tif loggerConfig == nil {\n\t\tloggerConfig = &Config{\n\t\t\tdefaultConfig.ConsoleConfig,\n\t\t\tnil,\n\t\t\tnil,\n\t\t\tdefaultConfig.MinLevel,\n\t\t}\n\t}\n\treturn newZerolog(loggerConfig)\n}\n\nfunc createConsoleLogger(config ConsoleConfig) io.Writer {\n\tif config.asJSON {\n\t\treturn &consoleWriter{out: os.Stderr}\n\t}\n\tconsoleOut := os.Stderr\n\treturn zerolog.ConsoleWriter{\n\t\tOut: colorable.NewColorable(consoleOut),\n\t\tNoColor: config.noColor || !term.IsTerminal(int(consoleOut.Fd())),\n\t\tTimeFormat: consoleTimeFormat,\n\t}\n}\n\ntype fileInitializer struct {\n\tonce sync.Once\n\twriter io.Writer\n\tcreationError error\n}\n\nvar (\n\tsingleFileInit fileInitializer\n\trotatingFileInit fileInitializer\n)\n\nfunc createFileWriter(config FileConfig) (io.Writer, error) {\n\tsingleFileInit.once.Do(func() {\n\t\tvar logFile io.Writer\n\t\tfullpath := config.Fullpath()\n\n\t\t// Try to open the existing file\n\t\tlogFile, err := os.OpenFile(fullpath, os.O_APPEND|os.O_WRONLY, filePermMode)\n\t\tif err != nil {\n\t\t\t// If the existing file wasn't found, or couldn't be opened, just ignore\n\t\t\t// it and recreate a new one.\n\t\t\tlogFile, err = createDirFile(config)\n\t\t\t// If creating a new logfile fails, then we have no choice but to error out.\n\t\t\tif err != nil {\n\t\t\t\tsingleFileInit.creationError = err\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\n\t\tsingleFileInit.writer = logFile\n\t})\n\n\treturn singleFileInit.writer, singleFileInit.creationError\n}\n\nfunc createDirFile(config FileConfig) (io.Writer, error) {\n\tif config.Dirname != \"\" {\n\t\terr := os.MkdirAll(config.Dirname, dirPermMode)\n\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"unable to create directories for new logfile: %s\", err)\n\t\t}\n\t}\n\n\tmode := os.FileMode(filePermMode)\n\n\tfullPath := filepath.Join(config.Dirname, config.Filename)\n\tlogFile, err := os.OpenFile(fullPath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, mode)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to create a new logfile: %s\", err)\n\t}\n\n\treturn logFile, nil\n}\n\nfunc createRollingLogger(config RollingConfig) (io.Writer, error) {\n\trotatingFileInit.once.Do(func() {\n\t\tif err := os.MkdirAll(config.Dirname, dirPermMode); err != nil {\n\t\t\trotatingFileInit.creationError = err\n\t\t\treturn\n\t\t}\n\n\t\trotatingFileInit.writer = &lumberjack.Logger{\n\t\t\tFilename: filepath.Join(config.Dirname, config.Filename),\n\t\t\tMaxBackups: config.maxBackups,\n\t\t\tMaxSize: config.maxSize,\n\t\t\tMaxAge: config.maxAge,\n\t\t}\n\t})\n\n\treturn rotatingFileInit.writer, rotatingFileInit.creationError\n}\n" }, { "path": "logger/create_test.go", "content": "package logger\n\nimport (\n\t\"io\"\n\t\"testing\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\ntype mockedWriter struct {\n\twantErr bool\n\twriteCalls int\n}\n\nfunc (c *mockedWriter) Write(p []byte) (int, error) {\n\tc.writeCalls++\n\n\tif c.wantErr {\n\t\treturn -1, errors.New(\"Expected error\")\n\t}\n\n\treturn len(p), nil\n}\n\n// Tests that a new writer is only used if it actually works.\nfunc TestResilientMultiWriter_Errors(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\twriters []*mockedWriter\n\t}{\n\t\t{\n\t\t\tname: \"All valid writers\",\n\t\t\twriters: []*mockedWriter{\n\t\t\t\t{\n\t\t\t\t\twantErr: false,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\twantErr: false,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"All invalid writers\",\n\t\t\twriters: []*mockedWriter{\n\t\t\t\t{\n\t\t\t\t\twantErr: true,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\twantErr: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"First invalid writer\",\n\t\t\twriters: []*mockedWriter{\n\t\t\t\t{\n\t\t\t\t\twantErr: true,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\twantErr: false,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"First valid writer\",\n\t\t\twriters: []*mockedWriter{\n\t\t\t\t{\n\t\t\t\t\twantErr: false,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\twantErr: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\twriters := []io.Writer{}\n\t\t\tfor _, w := range test.writers {\n\t\t\t\twriters = append(writers, w)\n\t\t\t}\n\t\t\tmultiWriter := resilientMultiWriter{zerolog.InfoLevel, writers, nil}\n\n\t\t\tlogger := zerolog.New(multiWriter).With().Timestamp().Logger()\n\t\t\tlogger.Info().Msg(\"Test msg\")\n\n\t\t\tfor _, w := range test.writers {\n\t\t\t\t// Expect each writer to be written to regardless of the previous writers returning an error\n\t\t\t\tassert.Equal(t, 1, w.writeCalls)\n\t\t\t}\n\t\t})\n\t}\n}\n\ntype mockedManagementWriter struct {\n\tWriteCalls int\n}\n\nfunc (c *mockedManagementWriter) Write(p []byte) (int, error) {\n\treturn len(p), nil\n}\n\nfunc (c *mockedManagementWriter) WriteLevel(level zerolog.Level, p []byte) (int, error) {\n\tc.WriteCalls++\n\treturn len(p), nil\n}\n\n// Tests that management writer receives write calls of all levels except Disabled\nfunc TestResilientMultiWriter_Management(t *testing.T) {\n\tfor _, level := range []zerolog.Level{\n\t\tzerolog.DebugLevel,\n\t\tzerolog.InfoLevel,\n\t\tzerolog.WarnLevel,\n\t\tzerolog.ErrorLevel,\n\t\tzerolog.FatalLevel,\n\t\tzerolog.PanicLevel,\n\t} {\n\t\tt.Run(level.String(), func(t *testing.T) {\n\t\t\tmanagementWriter := mockedManagementWriter{}\n\t\t\tmultiWriter := resilientMultiWriter{level, []io.Writer{&mockedWriter{}}, &managementWriter}\n\n\t\t\tlogger := zerolog.New(multiWriter).With().Timestamp().Logger()\n\t\t\tlogger.Info().Msg(\"Test msg\")\n\n\t\t\t// Always write to management\n\t\t\tassert.Equal(t, 1, managementWriter.WriteCalls)\n\t\t})\n\t}\n}\n" }, { "path": "management/events.go", "content": "package management\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\n\tjsoniter \"github.com/json-iterator/go\"\n\t\"github.com/rs/zerolog\"\n\t\"nhooyr.io/websocket\"\n)\n\nvar (\n\terrInvalidMessageType = fmt.Errorf(\"invalid message type was provided\")\n)\n\n// ServerEventType represents the event types that can come from the server\ntype ServerEventType string\n\n// ClientEventType represents the event types that can come from the client\ntype ClientEventType string\n\nconst (\n\tUnknownClientEventType ClientEventType = \"\"\n\tStartStreaming ClientEventType = \"start_streaming\"\n\tStopStreaming ClientEventType = \"stop_streaming\"\n\n\tUnknownServerEventType ServerEventType = \"\"\n\tLogs ServerEventType = \"logs\"\n)\n\n// ServerEvent is the base struct that informs, based of the Type field, which Event type was provided from the server.\ntype ServerEvent struct {\n\tType ServerEventType `json:\"type,omitempty\"`\n\t// The raw json message is provided to allow better deserialization once the type is known\n\tevent jsoniter.RawMessage\n}\n\n// ClientEvent is the base struct that informs, based of the Type field, which Event type was provided from the client.\ntype ClientEvent struct {\n\tType ClientEventType `json:\"type,omitempty\"`\n\t// The raw json message is provided to allow better deserialization once the type is known\n\tevent jsoniter.RawMessage\n}\n\n// EventStartStreaming signifies that the client wishes to start receiving log events.\n// Additional filters can be provided to augment the log events requested.\ntype EventStartStreaming struct {\n\tClientEvent\n\tFilters *StreamingFilters `json:\"filters,omitempty\"`\n}\n\ntype StreamingFilters struct {\n\tEvents []LogEventType `json:\"events,omitempty\"`\n\tLevel *LogLevel `json:\"level,omitempty\"`\n\tSampling float64 `json:\"sampling,omitempty\"`\n}\n\n// EventStopStreaming signifies that the client wishes to halt receiving log events.\ntype EventStopStreaming struct {\n\tClientEvent\n}\n\n// EventLog is the event that the server sends to the client with the log events.\ntype EventLog struct {\n\tServerEvent\n\tLogs []*Log `json:\"logs\"`\n}\n\n// LogEventType is the way that logging messages are able to be filtered.\n// Example: assigning LogEventType.Cloudflared to a zerolog event will allow the client to filter for only\n// the Cloudflared-related events.\ntype LogEventType int8\n\nconst (\n\t// Cloudflared events are significant to cloudflared operations like connection state changes.\n\t// Cloudflared is also the default event type for any events that haven't been separated into a proper event type.\n\tCloudflared LogEventType = iota\n\tHTTP\n\tTCP\n\tUDP\n)\n\nfunc ParseLogEventType(s string) (LogEventType, bool) {\n\tswitch s {\n\tcase \"cloudflared\":\n\t\treturn Cloudflared, true\n\tcase \"http\":\n\t\treturn HTTP, true\n\tcase \"tcp\":\n\t\treturn TCP, true\n\tcase \"udp\":\n\t\treturn UDP, true\n\t}\n\treturn -1, false\n}\n\nfunc (l LogEventType) String() string {\n\tswitch l {\n\tcase Cloudflared:\n\t\treturn \"cloudflared\"\n\tcase HTTP:\n\t\treturn \"http\"\n\tcase TCP:\n\t\treturn \"tcp\"\n\tcase UDP:\n\t\treturn \"udp\"\n\tdefault:\n\t\treturn \"\"\n\t}\n}\n\nfunc (l LogEventType) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(l.String())\n}\n\nfunc (e *LogEventType) UnmarshalJSON(data []byte) error {\n\tvar s string\n\tif err := json.Unmarshal(data, &s); err != nil {\n\t\treturn errors.New(\"unable to unmarshal LogEventType string\")\n\t}\n\tif event, ok := ParseLogEventType(s); ok {\n\t\t*e = event\n\t\treturn nil\n\t}\n\treturn errors.New(\"unable to unmarshal LogEventType\")\n}\n\n// LogLevel corresponds to the zerolog logging levels\n// \"panic\", \"fatal\", and \"trace\" are exempt from this list as they are rarely used and, at least\n// the first two are limited to failure conditions that lead to cloudflared shutting down.\ntype LogLevel int8\n\nconst (\n\tDebug LogLevel = 0\n\tInfo LogLevel = 1\n\tWarn LogLevel = 2\n\tError LogLevel = 3\n)\n\nfunc ParseLogLevel(l string) (LogLevel, bool) {\n\tswitch l {\n\tcase \"debug\":\n\t\treturn Debug, true\n\tcase \"info\":\n\t\treturn Info, true\n\tcase \"warn\":\n\t\treturn Warn, true\n\tcase \"error\":\n\t\treturn Error, true\n\t}\n\treturn -1, false\n}\n\nfunc (l LogLevel) String() string {\n\tswitch l {\n\tcase Debug:\n\t\treturn \"debug\"\n\tcase Info:\n\t\treturn \"info\"\n\tcase Warn:\n\t\treturn \"warn\"\n\tcase Error:\n\t\treturn \"error\"\n\tdefault:\n\t\treturn \"\"\n\t}\n}\n\nfunc (l LogLevel) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(l.String())\n}\n\nfunc (l *LogLevel) UnmarshalJSON(data []byte) error {\n\tvar s string\n\tif err := json.Unmarshal(data, &s); err != nil {\n\t\treturn errors.New(\"unable to unmarshal LogLevel string\")\n\t}\n\tif level, ok := ParseLogLevel(s); ok {\n\t\t*l = level\n\t\treturn nil\n\t}\n\treturn fmt.Errorf(\"unable to unmarshal LogLevel\")\n}\n\nconst (\n\t// TimeKey aligns with the zerolog.TimeFieldName\n\tTimeKey = \"time\"\n\t// LevelKey aligns with the zerolog.LevelFieldName\n\tLevelKey = \"level\"\n\t// LevelKey aligns with the zerolog.MessageFieldName\n\tMessageKey = \"message\"\n\t// EventTypeKey is the custom JSON key of the LogEventType in ZeroLogEvent\n\tEventTypeKey = \"event\"\n\t// FieldsKey is a custom JSON key to match and store every other key for a zerolog event\n\tFieldsKey = \"fields\"\n)\n\n// Log is the basic structure of the events that are sent to the client.\ntype Log struct {\n\tTime string `json:\"time,omitempty\"`\n\tLevel LogLevel `json:\"level,omitempty\"`\n\tMessage string `json:\"message,omitempty\"`\n\tEvent LogEventType `json:\"event,omitempty\"`\n\tFields map[string]interface{} `json:\"fields,omitempty\"`\n}\n\n// IntoClientEvent unmarshals the provided ClientEvent into the proper type.\nfunc IntoClientEvent[T EventStartStreaming | EventStopStreaming](e *ClientEvent, eventType ClientEventType) (*T, bool) {\n\tif e.Type != eventType {\n\t\treturn nil, false\n\t}\n\tevent := new(T)\n\terr := json.Unmarshal(e.event, event)\n\tif err != nil {\n\t\treturn nil, false\n\t}\n\treturn event, true\n}\n\n// IntoServerEvent unmarshals the provided ServerEvent into the proper type.\nfunc IntoServerEvent[T EventLog](e *ServerEvent, eventType ServerEventType) (*T, bool) {\n\tif e.Type != eventType {\n\t\treturn nil, false\n\t}\n\tevent := new(T)\n\terr := json.Unmarshal(e.event, event)\n\tif err != nil {\n\t\treturn nil, false\n\t}\n\treturn event, true\n}\n\n// ReadEvent will read a message from the websocket connection and parse it into a valid ServerEvent.\nfunc ReadServerEvent(c *websocket.Conn, ctx context.Context) (*ServerEvent, error) {\n\tmessage, err := readMessage(c, ctx)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tevent := ServerEvent{}\n\tif err := json.Unmarshal(message, &event); err != nil {\n\t\treturn nil, err\n\t}\n\tswitch event.Type {\n\tcase Logs:\n\t\tevent.event = message\n\t\treturn &event, nil\n\tcase UnknownServerEventType:\n\t\treturn nil, errInvalidMessageType\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"invalid server message type was provided: %s\", event.Type)\n\t}\n}\n\n// ReadEvent will read a message from the websocket connection and parse it into a valid ClientEvent.\nfunc ReadClientEvent(c *websocket.Conn, ctx context.Context) (*ClientEvent, error) {\n\tmessage, err := readMessage(c, ctx)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tevent := ClientEvent{}\n\tif err := json.Unmarshal(message, &event); err != nil {\n\t\treturn nil, err\n\t}\n\tswitch event.Type {\n\tcase StartStreaming, StopStreaming:\n\t\tevent.event = message\n\t\treturn &event, nil\n\tcase UnknownClientEventType:\n\t\treturn nil, errInvalidMessageType\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"invalid client message type was provided: %s\", event.Type)\n\t}\n}\n\n// readMessage will read a message from the websocket connection and return the payload.\nfunc readMessage(c *websocket.Conn, ctx context.Context) ([]byte, error) {\n\tmessageType, reader, err := c.Reader(ctx)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif messageType != websocket.MessageText {\n\t\treturn nil, errInvalidMessageType\n\t}\n\treturn io.ReadAll(reader)\n}\n\n// WriteEvent will write a Event type message to the websocket connection.\nfunc WriteEvent(c *websocket.Conn, ctx context.Context, event any) error {\n\tpayload, err := json.Marshal(event)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn c.Write(ctx, websocket.MessageText, payload)\n}\n\n// IsClosed returns true if the websocket error is a websocket.CloseError; returns false if not a\n// websocket.CloseError\nfunc IsClosed(err error, log *zerolog.Logger) bool {\n\tvar closeErr websocket.CloseError\n\tif errors.As(err, &closeErr) {\n\t\tif closeErr.Code != websocket.StatusNormalClosure {\n\t\t\tlog.Debug().Msgf(\"connection is already closed: (%d) %s\", closeErr.Code, closeErr.Reason)\n\t\t}\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc AsClosed(err error) *websocket.CloseError {\n\tvar closeErr websocket.CloseError\n\tif errors.As(err, &closeErr) {\n\t\treturn &closeErr\n\t}\n\treturn nil\n}\n" }, { "path": "management/events_test.go", "content": "package management\n\nimport (\n\t\"context\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/require\"\n\t\"nhooyr.io/websocket\"\n\n\t\"github.com/cloudflare/cloudflared/internal/test\"\n)\n\nvar (\n\tdebugLevel *LogLevel\n\tinfoLevel *LogLevel\n\twarnLevel *LogLevel\n\terrorLevel *LogLevel\n)\n\nfunc init() {\n\t// created here because we can't do a reference to a const enum, i.e. &Info\n\tdebugLevel := new(LogLevel)\n\t*debugLevel = Debug\n\tinfoLevel := new(LogLevel)\n\t*infoLevel = Info\n\twarnLevel := new(LogLevel)\n\t*warnLevel = Warn\n\terrorLevel := new(LogLevel)\n\t*errorLevel = Error\n}\n\nfunc TestIntoClientEvent_StartStreaming(t *testing.T) {\n\tfor _, test := range []struct {\n\t\tname string\n\t\texpected EventStartStreaming\n\t}{\n\t\t{\n\t\t\tname: \"no filters\",\n\t\t\texpected: EventStartStreaming{ClientEvent: ClientEvent{Type: StartStreaming}},\n\t\t},\n\t\t{\n\t\t\tname: \"level filter\",\n\t\t\texpected: EventStartStreaming{\n\t\t\t\tClientEvent: ClientEvent{Type: StartStreaming},\n\t\t\t\tFilters: &StreamingFilters{\n\t\t\t\t\tLevel: infoLevel,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"events filter\",\n\t\t\texpected: EventStartStreaming{\n\t\t\t\tClientEvent: ClientEvent{Type: StartStreaming},\n\t\t\t\tFilters: &StreamingFilters{\n\t\t\t\t\tEvents: []LogEventType{Cloudflared, HTTP},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"sampling filter\",\n\t\t\texpected: EventStartStreaming{\n\t\t\t\tClientEvent: ClientEvent{Type: StartStreaming},\n\t\t\t\tFilters: &StreamingFilters{\n\t\t\t\t\tSampling: 0.5,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"level and events filters\",\n\t\t\texpected: EventStartStreaming{\n\t\t\t\tClientEvent: ClientEvent{Type: StartStreaming},\n\t\t\t\tFilters: &StreamingFilters{\n\t\t\t\t\tLevel: infoLevel,\n\t\t\t\t\tEvents: []LogEventType{Cloudflared},\n\t\t\t\t\tSampling: 0.5,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t} {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tdata, err := json.Marshal(test.expected)\n\t\t\trequire.NoError(t, err)\n\t\t\tevent := ClientEvent{}\n\t\t\terr = json.Unmarshal(data, &event)\n\t\t\trequire.NoError(t, err)\n\t\t\tevent.event = data\n\t\t\tce, ok := IntoClientEvent[EventStartStreaming](&event, StartStreaming)\n\t\t\trequire.True(t, ok)\n\t\t\trequire.Equal(t, test.expected.ClientEvent, ce.ClientEvent)\n\t\t\tif test.expected.Filters != nil {\n\t\t\t\tf := ce.Filters\n\t\t\t\tef := test.expected.Filters\n\t\t\t\tif ef.Level != nil {\n\t\t\t\t\trequire.Equal(t, *ef.Level, *f.Level)\n\t\t\t\t}\n\t\t\t\trequire.ElementsMatch(t, ef.Events, f.Events)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestIntoClientEvent_StopStreaming(t *testing.T) {\n\tevent := ClientEvent{\n\t\tType: StopStreaming,\n\t\tevent: []byte(`{\"type\": \"stop_streaming\"}`),\n\t}\n\tce, ok := IntoClientEvent[EventStopStreaming](&event, StopStreaming)\n\trequire.True(t, ok)\n\trequire.Equal(t, EventStopStreaming{ClientEvent: ClientEvent{Type: StopStreaming}}, *ce)\n}\n\nfunc TestIntoClientEvent_Invalid(t *testing.T) {\n\tevent := ClientEvent{\n\t\tType: UnknownClientEventType,\n\t\tevent: []byte(`{\"type\": \"invalid\"}`),\n\t}\n\t_, ok := IntoClientEvent[EventStartStreaming](&event, StartStreaming)\n\trequire.False(t, ok)\n}\n\nfunc TestIntoServerEvent_Logs(t *testing.T) {\n\tevent := ServerEvent{\n\t\tType: Logs,\n\t\tevent: []byte(`{\"type\": \"logs\"}`),\n\t}\n\tce, ok := IntoServerEvent(&event, Logs)\n\trequire.True(t, ok)\n\trequire.Equal(t, EventLog{ServerEvent: ServerEvent{Type: Logs}}, *ce)\n}\n\nfunc TestIntoServerEvent_Invalid(t *testing.T) {\n\tevent := ServerEvent{\n\t\tType: UnknownServerEventType,\n\t\tevent: []byte(`{\"type\": \"invalid\"}`),\n\t}\n\t_, ok := IntoServerEvent(&event, Logs)\n\trequire.False(t, ok)\n}\n\nfunc TestReadServerEvent(t *testing.T) {\n\tsentEvent := EventLog{\n\t\tServerEvent: ServerEvent{Type: Logs},\n\t\tLogs: []*Log{\n\t\t\t{\n\t\t\t\tTime: time.Now().UTC().Format(time.RFC3339),\n\t\t\t\tEvent: HTTP,\n\t\t\t\tLevel: Info,\n\t\t\t\tMessage: \"test\",\n\t\t\t},\n\t\t},\n\t}\n\tclient, server := test.WSPipe(nil, nil)\n\tserver.CloseRead(context.Background())\n\tdefer func() {\n\t\tserver.Close(websocket.StatusInternalError, \"\")\n\t}()\n\tgo func() {\n\t\terr := WriteEvent(server, context.Background(), &sentEvent)\n\t\trequire.NoError(t, err)\n\t}()\n\tevent, err := ReadServerEvent(client, context.Background())\n\trequire.NoError(t, err)\n\trequire.Equal(t, sentEvent.Type, event.Type)\n\tclient.Close(websocket.StatusInternalError, \"\")\n}\n\nfunc TestReadServerEvent_InvalidWebSocketMessageType(t *testing.T) {\n\tclient, server := test.WSPipe(nil, nil)\n\tserver.CloseRead(context.Background())\n\tdefer func() {\n\t\tserver.Close(websocket.StatusInternalError, \"\")\n\t}()\n\tgo func() {\n\t\terr := server.Write(context.Background(), websocket.MessageBinary, []byte(\"test1234\"))\n\t\trequire.NoError(t, err)\n\t}()\n\t_, err := ReadServerEvent(client, context.Background())\n\trequire.Error(t, err)\n\tclient.Close(websocket.StatusInternalError, \"\")\n}\n\nfunc TestReadServerEvent_InvalidMessageType(t *testing.T) {\n\tsentEvent := ClientEvent{Type: ClientEventType(UnknownServerEventType)}\n\tclient, server := test.WSPipe(nil, nil)\n\tserver.CloseRead(context.Background())\n\tdefer func() {\n\t\tserver.Close(websocket.StatusInternalError, \"\")\n\t}()\n\tgo func() {\n\t\terr := WriteEvent(server, context.Background(), &sentEvent)\n\t\trequire.NoError(t, err)\n\t}()\n\t_, err := ReadServerEvent(client, context.Background())\n\trequire.ErrorIs(t, err, errInvalidMessageType)\n\tclient.Close(websocket.StatusInternalError, \"\")\n}\n\nfunc TestReadClientEvent(t *testing.T) {\n\tsentEvent := EventStartStreaming{\n\t\tClientEvent: ClientEvent{Type: StartStreaming},\n\t}\n\tclient, server := test.WSPipe(nil, nil)\n\tclient.CloseRead(context.Background())\n\tdefer func() {\n\t\tclient.Close(websocket.StatusInternalError, \"\")\n\t}()\n\tgo func() {\n\t\terr := WriteEvent(client, context.Background(), &sentEvent)\n\t\trequire.NoError(t, err)\n\t}()\n\tevent, err := ReadClientEvent(server, context.Background())\n\trequire.NoError(t, err)\n\trequire.Equal(t, sentEvent.Type, event.Type)\n\tserver.Close(websocket.StatusInternalError, \"\")\n}\n\nfunc TestReadClientEvent_InvalidWebSocketMessageType(t *testing.T) {\n\tclient, server := test.WSPipe(nil, nil)\n\tclient.CloseRead(context.Background())\n\tdefer func() {\n\t\tclient.Close(websocket.StatusInternalError, \"\")\n\t}()\n\tgo func() {\n\t\terr := client.Write(context.Background(), websocket.MessageBinary, []byte(\"test1234\"))\n\t\trequire.NoError(t, err)\n\t}()\n\t_, err := ReadClientEvent(server, context.Background())\n\trequire.Error(t, err)\n\tserver.Close(websocket.StatusInternalError, \"\")\n}\n\nfunc TestReadClientEvent_InvalidMessageType(t *testing.T) {\n\tsentEvent := ClientEvent{Type: UnknownClientEventType}\n\tclient, server := test.WSPipe(nil, nil)\n\tclient.CloseRead(context.Background())\n\tdefer func() {\n\t\tclient.Close(websocket.StatusInternalError, \"\")\n\t}()\n\tgo func() {\n\t\terr := WriteEvent(client, context.Background(), &sentEvent)\n\t\trequire.NoError(t, err)\n\t}()\n\t_, err := ReadClientEvent(server, context.Background())\n\trequire.ErrorIs(t, err, errInvalidMessageType)\n\tserver.Close(websocket.StatusInternalError, \"\")\n}\n" }, { "path": "management/logger.go", "content": "package management\n\nimport (\n\t\"os\"\n\t\"sync\"\n\t\"time\"\n\n\tjsoniter \"github.com/json-iterator/go\"\n\t\"github.com/rs/zerolog\"\n)\n\nvar json = jsoniter.ConfigFastest\n\n// Logger manages the number of management streaming log sessions\ntype Logger struct {\n\tsessions []*session\n\tmu sync.RWMutex\n\n\t// Unique logger that isn't a io.Writer of the list of zerolog writers. This helps prevent management log\n\t// statements from creating infinite recursion to export messages to a session and allows basic debugging and\n\t// error statements to be issued in the management code itself.\n\tLog *zerolog.Logger\n}\n\nfunc NewLogger() *Logger {\n\tlog := zerolog.New(zerolog.ConsoleWriter{\n\t\tOut: os.Stdout,\n\t\tTimeFormat: time.RFC3339,\n\t}).With().Timestamp().Logger().Level(zerolog.InfoLevel)\n\treturn &Logger{\n\t\tLog: &log,\n\t}\n}\n\ntype LoggerListener interface {\n\t// ActiveSession returns the first active session for the requested actor.\n\tActiveSession(actor) *session\n\t// ActiveSession returns the count of active sessions.\n\tActiveSessions() int\n\t// Listen appends the session to the list of sessions that receive log events.\n\tListen(*session)\n\t// Remove a session from the available sessions that were receiving log events.\n\tRemove(*session)\n}\n\nfunc (l *Logger) ActiveSession(actor actor) *session {\n\tl.mu.RLock()\n\tdefer l.mu.RUnlock()\n\tfor _, session := range l.sessions {\n\t\tif session.actor.ID == actor.ID && session.active.Load() {\n\t\t\treturn session\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (l *Logger) ActiveSessions() int {\n\tl.mu.RLock()\n\tdefer l.mu.RUnlock()\n\tcount := 0\n\tfor _, session := range l.sessions {\n\t\tif session.active.Load() {\n\t\t\tcount += 1\n\t\t}\n\t}\n\treturn count\n}\n\nfunc (l *Logger) Listen(session *session) {\n\tl.mu.Lock()\n\tdefer l.mu.Unlock()\n\tsession.active.Store(true)\n\tl.sessions = append(l.sessions, session)\n}\n\nfunc (l *Logger) Remove(session *session) {\n\tl.mu.Lock()\n\tdefer l.mu.Unlock()\n\tindex := -1\n\tfor i, v := range l.sessions {\n\t\tif v == session {\n\t\t\tindex = i\n\t\t\tbreak\n\t\t}\n\t}\n\tif index == -1 {\n\t\t// Not found\n\t\treturn\n\t}\n\tcopy(l.sessions[index:], l.sessions[index+1:])\n\tl.sessions = l.sessions[:len(l.sessions)-1]\n}\n\n// Write will write the log event to all sessions that have available capacity. For those that are full, the message\n// will be dropped.\n// This function is the interface that zerolog expects to call when a log event is to be written out.\nfunc (l *Logger) Write(p []byte) (int, error) {\n\tl.mu.RLock()\n\tdefer l.mu.RUnlock()\n\t// return early if no active sessions\n\tif len(l.sessions) == 0 {\n\t\treturn len(p), nil\n\t}\n\tevent, err := parseZerologEvent(p)\n\t// drop event if unable to parse properly\n\tif err != nil {\n\t\tl.Log.Debug().Msg(\"unable to parse log event\")\n\t\treturn len(p), nil\n\t}\n\tfor _, session := range l.sessions {\n\t\tsession.Insert(event)\n\t}\n\treturn len(p), nil\n}\n\nfunc (l *Logger) WriteLevel(level zerolog.Level, p []byte) (n int, err error) {\n\treturn l.Write(p)\n}\n\nfunc parseZerologEvent(p []byte) (*Log, error) {\n\tvar fields map[string]interface{}\n\titer := json.BorrowIterator(p)\n\tdefer json.ReturnIterator(iter)\n\titer.ReadVal(&fields)\n\tif iter.Error != nil {\n\t\treturn nil, iter.Error\n\t}\n\tlogTime := time.Now().UTC().Format(zerolog.TimeFieldFormat)\n\tif t, ok := fields[TimeKey]; ok {\n\t\tif t, ok := t.(string); ok {\n\t\t\tlogTime = t\n\t\t}\n\t}\n\tlogLevel := Debug\n\t// A zerolog Debug event can be created and then an error can be added\n\t// via .Err(error), if so, we upgrade the level to error.\n\tif _, hasError := fields[\"error\"]; hasError {\n\t\tlogLevel = Error\n\t} else {\n\t\tif level, ok := fields[LevelKey]; ok {\n\t\t\tif level, ok := level.(string); ok {\n\t\t\t\tif logLevel, ok = ParseLogLevel(level); !ok {\n\t\t\t\t\tlogLevel = Debug\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\t// Assume the event type is Cloudflared if unable to parse/find. This could be from log events that haven't\n\t// yet been tagged with the appropriate EventType yet.\n\tlogEvent := Cloudflared\n\te := fields[EventTypeKey]\n\tif e != nil {\n\t\tif eventNumber, ok := e.(float64); ok {\n\t\t\tlogEvent = LogEventType(eventNumber)\n\t\t}\n\t}\n\tlogMessage := \"\"\n\tif m, ok := fields[MessageKey]; ok {\n\t\tif m, ok := m.(string); ok {\n\t\t\tlogMessage = m\n\t\t}\n\t}\n\tevent := Log{\n\t\tTime: logTime,\n\t\tLevel: logLevel,\n\t\tEvent: logEvent,\n\t\tMessage: logMessage,\n\t}\n\t// Remove the keys that have top level keys on Log\n\tdelete(fields, TimeKey)\n\tdelete(fields, LevelKey)\n\tdelete(fields, EventTypeKey)\n\tdelete(fields, MessageKey)\n\t// The rest of the keys go into the Fields\n\tevent.Fields = fields\n\treturn &event, nil\n}\n" }, { "path": "management/logger_test.go", "content": "package management\n\nimport (\n\t\"context\"\n\t\"testing\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n)\n\n// No listening sessions will not write to the channel\nfunc TestLoggerWrite_NoSessions(t *testing.T) {\n\tlogger := NewLogger()\n\tzlog := zerolog.New(logger).With().Timestamp().Logger().Level(zerolog.InfoLevel)\n\n\tzlog.Info().Msg(\"hello\")\n}\n\n// Validate that the session receives the event\nfunc TestLoggerWrite_OneSession(t *testing.T) {\n\tlogger := NewLogger()\n\tzlog := zerolog.New(logger).With().Timestamp().Logger().Level(zerolog.InfoLevel)\n\t_, cancel := context.WithCancel(context.Background())\n\tdefer cancel()\n\n\tsession := newSession(logWindow, actor{ID: actorID}, cancel)\n\tlogger.Listen(session)\n\tdefer logger.Remove(session)\n\tassert.Equal(t, 1, logger.ActiveSessions())\n\tassert.Equal(t, session, logger.ActiveSession(actor{ID: actorID}))\n\tzlog.Info().Int(EventTypeKey, int(HTTP)).Msg(\"hello\")\n\tselect {\n\tcase event := <-session.listener:\n\t\tassert.NotEmpty(t, event.Time)\n\t\tassert.Equal(t, \"hello\", event.Message)\n\t\tassert.Equal(t, Info, event.Level)\n\t\tassert.Equal(t, HTTP, event.Event)\n\tdefault:\n\t\tassert.Fail(t, \"expected an event to be in the listener\")\n\t}\n}\n\n// Validate all sessions receive the same event\nfunc TestLoggerWrite_MultipleSessions(t *testing.T) {\n\tlogger := NewLogger()\n\tzlog := zerolog.New(logger).With().Timestamp().Logger().Level(zerolog.InfoLevel)\n\t_, cancel := context.WithCancel(context.Background())\n\tdefer cancel()\n\n\tsession1 := newSession(logWindow, actor{}, cancel)\n\tlogger.Listen(session1)\n\tdefer logger.Remove(session1)\n\tassert.Equal(t, 1, logger.ActiveSessions())\n\n\tsession2 := newSession(logWindow, actor{}, cancel)\n\tlogger.Listen(session2)\n\tassert.Equal(t, 2, logger.ActiveSessions())\n\n\tzlog.Info().Int(EventTypeKey, int(HTTP)).Msg(\"hello\")\n\tfor _, session := range []*session{session1, session2} {\n\t\tselect {\n\t\tcase event := <-session.listener:\n\t\t\tassert.NotEmpty(t, event.Time)\n\t\t\tassert.Equal(t, \"hello\", event.Message)\n\t\t\tassert.Equal(t, Info, event.Level)\n\t\t\tassert.Equal(t, HTTP, event.Event)\n\t\tdefault:\n\t\t\tassert.Fail(t, \"expected an event to be in the listener\")\n\t\t}\n\t}\n\n\t// Close session2 and make sure session1 still receives events\n\tlogger.Remove(session2)\n\tzlog.Info().Int(EventTypeKey, int(HTTP)).Msg(\"hello2\")\n\tselect {\n\tcase event := <-session1.listener:\n\t\tassert.NotEmpty(t, event.Time)\n\t\tassert.Equal(t, \"hello2\", event.Message)\n\t\tassert.Equal(t, Info, event.Level)\n\t\tassert.Equal(t, HTTP, event.Event)\n\tdefault:\n\t\tassert.Fail(t, \"expected an event to be in the listener\")\n\t}\n\n\t// Make sure a held reference to session2 doesn't receive events after being closed\n\tselect {\n\tcase <-session2.listener:\n\t\tassert.Fail(t, \"An event was not expected to be in the session listener\")\n\tdefault:\n\t\t// pass\n\t}\n}\n\ntype mockWriter struct {\n\tevent *Log\n\terr error\n}\n\nfunc (m *mockWriter) Write(p []byte) (int, error) {\n\tm.event, m.err = parseZerologEvent(p)\n\treturn len(p), nil\n}\n\n// Validate all event types are set properly\nfunc TestParseZerologEvent_EventTypes(t *testing.T) {\n\twriter := mockWriter{}\n\tzlog := zerolog.New(&writer).With().Timestamp().Logger().Level(zerolog.InfoLevel)\n\n\tfor _, test := range []LogEventType{\n\t\tCloudflared,\n\t\tHTTP,\n\t\tTCP,\n\t\tUDP,\n\t} {\n\t\tt.Run(test.String(), func(t *testing.T) {\n\t\t\tdefer func() { writer.err = nil }()\n\t\t\tzlog.Info().Int(EventTypeKey, int(test)).Msg(\"test\")\n\t\t\trequire.NoError(t, writer.err)\n\t\t\trequire.Equal(t, test, writer.event.Event)\n\t\t})\n\t}\n\n\t// Invalid defaults to Cloudflared LogEventType\n\tt.Run(\"invalid\", func(t *testing.T) {\n\t\tdefer func() { writer.err = nil }()\n\t\tzlog.Info().Str(EventTypeKey, \"unknown\").Msg(\"test\")\n\t\trequire.NoError(t, writer.err)\n\t\trequire.Equal(t, Cloudflared, writer.event.Event)\n\t})\n}\n\n// Validate top-level keys are removed from Fields\nfunc TestParseZerologEvent_Fields(t *testing.T) {\n\twriter := mockWriter{}\n\tzlog := zerolog.New(&writer).With().Timestamp().Logger().Level(zerolog.InfoLevel)\n\tzlog.Info().Int(EventTypeKey, int(Cloudflared)).Str(\"test\", \"test\").Msg(\"test message\")\n\trequire.NoError(t, writer.err)\n\tevent := writer.event\n\trequire.NotEmpty(t, event.Time)\n\trequire.Equal(t, Cloudflared, event.Event)\n\trequire.Equal(t, Info, event.Level)\n\trequire.Equal(t, \"test message\", event.Message)\n\n\t// Make sure Fields doesn't have other set keys used in the Log struct\n\trequire.NotEmpty(t, event.Fields)\n\trequire.Equal(t, \"test\", event.Fields[\"test\"])\n\trequire.NotContains(t, event.Fields, EventTypeKey)\n\trequire.NotContains(t, event.Fields, LevelKey)\n\trequire.NotContains(t, event.Fields, MessageKey)\n\trequire.NotContains(t, event.Fields, TimeKey)\n}\n" }, { "path": "management/middleware.go", "content": "package management\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n)\n\ntype ctxKey int\n\nconst (\n\taccessClaimsCtxKey ctxKey = iota\n)\n\nvar errMissingAccessToken = managementError{Code: 1001, Message: \"missing access_token query parameter\"}\n\n// HTTP middleware setting the parsed access_token claims in the request context\nfunc ValidateAccessTokenQueryMiddleware(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t// Validate access token\n\t\taccessToken := r.URL.Query().Get(\"access_token\")\n\t\tif accessToken == \"\" {\n\t\t\twriteHTTPErrorResponse(w, errMissingAccessToken)\n\t\t\treturn\n\t\t}\n\t\ttoken, err := ParseToken(accessToken)\n\t\tif err != nil {\n\t\t\twriteHTTPErrorResponse(w, errMissingAccessToken)\n\t\t\treturn\n\t\t}\n\t\tr = r.WithContext(context.WithValue(r.Context(), accessClaimsCtxKey, token))\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\n// Middleware validation error struct for returning to the eyeball\ntype managementError struct {\n\tCode int `json:\"code,omitempty\"`\n\tMessage string `json:\"message,omitempty\"`\n}\n\nfunc (m *managementError) Error() string {\n\treturn m.Message\n}\n\n// Middleware validation error HTTP response JSON for returning to the eyeball\ntype managementErrorResponse struct {\n\tSuccess bool `json:\"success,omitempty\"`\n\tErrors []managementError `json:\"errors,omitempty\"`\n}\n\n// writeErrorResponse will respond to the eyeball with basic HTTP JSON payloads with validation failure information\nfunc writeHTTPErrorResponse(w http.ResponseWriter, errResp managementError) {\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.WriteHeader(http.StatusBadRequest)\n\terr := json.NewEncoder(w).Encode(managementErrorResponse{\n\t\tSuccess: false,\n\t\tErrors: []managementError{errResp},\n\t})\n\t// we have already written the header, so write a basic error response if unable to encode the error\n\tif err != nil {\n\t\t// fallback to text message\n\t\thttp.Error(w, fmt.Sprintf(\n\t\t\t\"%d %s\",\n\t\t\thttp.StatusBadRequest,\n\t\t\thttp.StatusText(http.StatusBadRequest),\n\t\t), http.StatusBadRequest)\n\t}\n}\n" }, { "path": "management/middleware_test.go", "content": "package management\n\nimport (\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestValidateAccessTokenQueryMiddleware(t *testing.T) {\n\tr := chi.NewRouter()\n\tr.Use(ValidateAccessTokenQueryMiddleware)\n\tr.Get(\"/valid\", func(w http.ResponseWriter, r *http.Request) {\n\t\tclaims, ok := r.Context().Value(accessClaimsCtxKey).(*managementTokenClaims)\n\t\tassert.True(t, ok)\n\t\tassert.True(t, claims.verify())\n\t\tw.WriteHeader(http.StatusOK)\n\t})\n\tr.Get(\"/invalid\", func(w http.ResponseWriter, r *http.Request) {\n\t\t_, ok := r.Context().Value(accessClaimsCtxKey).(*managementTokenClaims)\n\t\tassert.False(t, ok)\n\t\tw.WriteHeader(http.StatusOK)\n\t})\n\n\tts := httptest.NewServer(r)\n\tdefer ts.Close()\n\n\t// valid: with access_token query param\n\tpath := \"/valid?access_token=\" + validToken\n\tresp, _ := testRequest(t, ts, \"GET\", path, nil)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\n\t// invalid: unset token\n\tpath = \"/invalid\"\n\tresp, err := testRequest(t, ts, \"GET\", path, nil)\n\tassert.Equal(t, http.StatusBadRequest, resp.StatusCode)\n\tassert.NotNil(t, err)\n\tassert.Equal(t, errMissingAccessToken, err.Errors[0])\n\n\t// invalid: invalid token\n\tpath = \"/invalid?access_token=eyJ\"\n\tresp, err = testRequest(t, ts, \"GET\", path, nil)\n\tassert.Equal(t, http.StatusBadRequest, resp.StatusCode)\n\tassert.NotNil(t, err)\n\tassert.Equal(t, errMissingAccessToken, err.Errors[0])\n}\n\nfunc testRequest(t *testing.T, ts *httptest.Server, method, path string, body io.Reader) (*http.Response, *managementErrorResponse) {\n\treq, err := http.NewRequest(method, ts.URL+path, body)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tresp, err := ts.Client().Do(req)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tvar claims managementErrorResponse\n\terr = json.NewDecoder(resp.Body).Decode(&claims)\n\tif err != nil {\n\t\treturn resp, nil\n\t}\n\tdefer resp.Body.Close()\n\n\treturn resp, &claims\n}\n" }, { "path": "management/service.go", "content": "package management\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/pprof\"\n\t\"os\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/go-chi/cors\"\n\t\"github.com/google/uuid\"\n\t\"github.com/prometheus/client_golang/prometheus/promhttp\"\n\t\"github.com/rs/zerolog\"\n\t\"nhooyr.io/websocket\"\n)\n\nconst (\n\t// In the current state, an invalid command was provided by the client\n\tStatusInvalidCommand websocket.StatusCode = 4001\n\treasonInvalidCommand = \"expected start streaming as first event\"\n\t// There are a limited number of available streaming log sessions that cloudflared will service, exceeding this\n\t// value will return this error to incoming requests.\n\tStatusSessionLimitExceeded websocket.StatusCode = 4002\n\treasonSessionLimitExceeded = \"limit exceeded for streaming sessions\"\n\t// There is a limited idle time while not actively serving a session for a request before dropping the connection.\n\tStatusIdleLimitExceeded websocket.StatusCode = 4003\n\treasonIdleLimitExceeded = \"session was idle for too long\"\n)\n\nvar (\n\t// CORS middleware required to allow dash to access management.argotunnel.com requests\n\tcorsHandler = cors.Handler(cors.Options{\n\t\t// Allows for any subdomain of cloudflare.com\n\t\tAllowedOrigins: []string{\"https://*.cloudflare.com\"},\n\t\t// Required to present cookies or other authentication across origin boundries\n\t\tAllowCredentials: true,\n\t\tMaxAge: 300, // Maximum value not ignored by any of major browsers\n\t})\n)\n\ntype ManagementService struct {\n\t// The management tunnel hostname\n\tHostname string\n\n\t// Host details related configurations\n\tserviceIP string\n\tclientID uuid.UUID\n\tlabel string\n\n\t// Additional Handlers\n\tmetricsHandler http.Handler\n\n\tlog *zerolog.Logger\n\trouter chi.Router\n\n\t// streamingMut is a lock to prevent concurrent requests to start streaming. Utilizing the atomic.Bool is not\n\t// sufficient to complete this operation since many other checks during an incoming new request are needed\n\t// to validate this before setting streaming to true.\n\tstreamingMut sync.Mutex\n\tlogger LoggerListener\n}\n\nfunc New(managementHostname string,\n\tenableDiagServices bool,\n\tserviceIP string,\n\tclientID uuid.UUID,\n\tlabel string,\n\tlog *zerolog.Logger,\n\tlogger LoggerListener,\n) *ManagementService {\n\ts := &ManagementService{\n\t\tHostname: managementHostname,\n\t\tlog: log,\n\t\tlogger: logger,\n\t\tserviceIP: serviceIP,\n\t\tclientID: clientID,\n\t\tlabel: label,\n\t\tmetricsHandler: promhttp.Handler(),\n\t}\n\tr := chi.NewRouter()\n\tr.Use(ValidateAccessTokenQueryMiddleware)\n\n\t// Default management services\n\tr.With(corsHandler).Get(\"/ping\", ping)\n\tr.With(corsHandler).Head(\"/ping\", ping)\n\tr.Get(\"/logs\", s.logs)\n\tr.With(corsHandler).Get(\"/host_details\", s.getHostDetails)\n\n\t// Diagnostic management services\n\tif enableDiagServices {\n\t\t// Prometheus endpoint\n\t\tr.With(corsHandler).Get(\"/metrics\", s.metricsHandler.ServeHTTP)\n\t\t// Supports only heap and goroutine\n\t\tr.With(corsHandler).Get(\"/debug/pprof/{profile:heap|goroutine}\", pprof.Index)\n\t}\n\n\ts.router = r\n\treturn s\n}\n\nfunc (m *ManagementService) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tm.router.ServeHTTP(w, r)\n}\n\n// Management Ping handler\nfunc ping(w http.ResponseWriter, r *http.Request) {\n\tw.WriteHeader(200)\n}\n\n// The response provided by the /host_details endpoint\ntype getHostDetailsResponse struct {\n\tClientID string `json:\"connector_id\"`\n\tIP string `json:\"ip,omitempty\"`\n\tHostName string `json:\"hostname,omitempty\"`\n}\n\nfunc (m *ManagementService) getHostDetails(w http.ResponseWriter, r *http.Request) {\n\tvar getHostDetailsResponse = getHostDetailsResponse{\n\t\tClientID: m.clientID.String(),\n\t}\n\tif ip, err := getPrivateIP(m.serviceIP); err == nil {\n\t\tgetHostDetailsResponse.IP = ip\n\t}\n\tgetHostDetailsResponse.HostName = m.getLabel()\n\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.WriteHeader(200)\n\tjson.NewEncoder(w).Encode(getHostDetailsResponse)\n}\n\nfunc (m *ManagementService) getLabel() string {\n\tif m.label != \"\" {\n\t\treturn fmt.Sprintf(\"custom:%s\", m.label)\n\t}\n\n\t// If no label is provided we return the system hostname. This is not\n\t// a fqdn hostname.\n\thostname, err := os.Hostname()\n\tif err != nil {\n\t\treturn \"unknown\"\n\t}\n\treturn hostname\n}\n\n// Get preferred private ip of this machine\nfunc getPrivateIP(addr string) (string, error) {\n\tconn, err := net.DialTimeout(\"tcp\", addr, 1*time.Second)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tdefer conn.Close()\n\tlocalAddr := conn.LocalAddr().String()\n\thost, _, err := net.SplitHostPort(localAddr)\n\treturn host, err\n}\n\n// readEvents will loop through all incoming websocket messages from a client and marshal them into the\n// proper Event structure and pass through to the events channel. Any invalid messages sent will automatically\n// terminate the connection.\nfunc (m *ManagementService) readEvents(c *websocket.Conn, ctx context.Context, events chan<- *ClientEvent) {\n\tfor {\n\t\tevent, err := ReadClientEvent(c, ctx)\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\treturn\n\t\tdefault:\n\t\t\tif err != nil {\n\t\t\t\t// If the client (or the server) already closed the connection, don't attempt to close it again\n\t\t\t\tif !IsClosed(err, m.log) {\n\t\t\t\t\tm.log.Err(err).Send()\n\t\t\t\t\tm.log.Err(c.Close(websocket.StatusUnsupportedData, err.Error())).Send()\n\t\t\t\t}\n\t\t\t\t// Any errors when reading the messages from the client will close the connection\n\t\t\t\treturn\n\t\t\t}\n\t\t\tevents <- event\n\t\t}\n\t}\n}\n\n// streamLogs will begin the process of reading from the Session listener and write the log events to the client.\nfunc (m *ManagementService) streamLogs(c *websocket.Conn, ctx context.Context, session *session) {\n\tfor session.Active() {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\tsession.Stop()\n\t\t\treturn\n\t\tcase event := <-session.listener:\n\t\t\terr := WriteEvent(c, ctx, &EventLog{\n\t\t\t\tServerEvent: ServerEvent{Type: Logs},\n\t\t\t\tLogs: []*Log{event},\n\t\t\t})\n\t\t\tif err != nil {\n\t\t\t\t// If the client (or the server) already closed the connection, don't attempt to close it again\n\t\t\t\tif !IsClosed(err, m.log) {\n\t\t\t\t\tm.log.Err(err).Send()\n\t\t\t\t\tm.log.Err(c.Close(websocket.StatusInternalError, err.Error())).Send()\n\t\t\t\t}\n\t\t\t\t// Any errors when writing the messages to the client will stop streaming and close the connection\n\t\t\t\tsession.Stop()\n\t\t\t\treturn\n\t\t\t}\n\t\tdefault:\n\t\t\t// No messages to send\n\t\t}\n\t}\n}\n\n// canStartStream will check the conditions of the request and return if the session can begin streaming.\nfunc (m *ManagementService) canStartStream(session *session) bool {\n\tm.streamingMut.Lock()\n\tdefer m.streamingMut.Unlock()\n\t// Limits to one actor for streaming logs\n\tif m.logger.ActiveSessions() > 0 {\n\t\t// Allow the same user to preempt their existing session to disconnect their old session and start streaming\n\t\t// with this new session instead.\n\t\tif existingSession := m.logger.ActiveSession(session.actor); existingSession != nil {\n\t\t\tm.log.Info().\n\t\t\t\tMsgf(\"Another management session request for the same actor was requested; the other session will be disconnected to handle the new request.\")\n\t\t\texistingSession.Stop()\n\t\t\tm.logger.Remove(existingSession)\n\t\t\texistingSession.cancel()\n\t\t} else {\n\t\t\tm.log.Warn().\n\t\t\t\tMsgf(\"Another management session request was attempted but one session already being served; there is a limit of streaming log sessions to reduce overall performance impact.\")\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\n// parseFilters will check the ClientEvent for start_streaming and assign filters if provided to the session\nfunc (m *ManagementService) parseFilters(c *websocket.Conn, event *ClientEvent, session *session) bool {\n\t// Expect the first incoming request\n\tstartEvent, ok := IntoClientEvent[EventStartStreaming](event, StartStreaming)\n\tif !ok {\n\t\treturn false\n\t}\n\tsession.Filters(startEvent.Filters)\n\treturn true\n}\n\n// Management Streaming Logs accept handler\nfunc (m *ManagementService) logs(w http.ResponseWriter, r *http.Request) {\n\tc, err := websocket.Accept(w, r, &websocket.AcceptOptions{\n\t\tOriginPatterns: []string{\n\t\t\t\"*.cloudflare.com\",\n\t\t},\n\t})\n\tif err != nil {\n\t\tm.log.Debug().Msgf(\"management handshake: %s\", err.Error())\n\t\treturn\n\t}\n\t// Make sure the connection is closed if other go routines fail to close the connection after completing.\n\tdefer c.Close(websocket.StatusInternalError, \"\")\n\tctx, cancel := context.WithCancel(r.Context())\n\tdefer cancel()\n\tevents := make(chan *ClientEvent)\n\tgo m.readEvents(c, ctx, events)\n\n\t// Send a heartbeat ping to hold the connection open even if not streaming.\n\tping := time.NewTicker(15 * time.Second)\n\tdefer ping.Stop()\n\n\t// Close the connection if no operation has occurred after the idle timeout. The timeout is halted\n\t// when streaming logs is active.\n\tidleTimeout := 5 * time.Minute\n\tidle := time.NewTimer(idleTimeout)\n\tdefer idle.Stop()\n\n\t// Fetch the claims from the request context to acquire the actor\n\tclaims, ok := ctx.Value(accessClaimsCtxKey).(*managementTokenClaims)\n\tif !ok || claims == nil {\n\t\t// Typically should never happen as it is provided in the context from the middleware\n\t\tm.log.Err(c.Close(websocket.StatusInternalError, \"missing access_token\")).Send()\n\t\treturn\n\t}\n\n\tsession := newSession(logWindow, claims.Actor, cancel)\n\tdefer m.logger.Remove(session)\n\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\tm.log.Debug().Msgf(\"management logs: context cancelled\")\n\t\t\tc.Close(websocket.StatusNormalClosure, \"context closed\")\n\t\t\treturn\n\t\tcase event := <-events:\n\t\t\tswitch event.Type {\n\t\t\tcase StartStreaming:\n\t\t\t\tidle.Stop()\n\t\t\t\t// Expect the first incoming request\n\t\t\t\tstartEvent, ok := IntoClientEvent[EventStartStreaming](event, StartStreaming)\n\t\t\t\tif !ok {\n\t\t\t\t\tm.log.Warn().Msgf(\"expected start_streaming as first recieved event\")\n\t\t\t\t\tm.log.Err(c.Close(StatusInvalidCommand, reasonInvalidCommand)).Send()\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\t// Make sure the session can start\n\t\t\t\tif !m.canStartStream(session) {\n\t\t\t\t\tm.log.Err(c.Close(StatusSessionLimitExceeded, reasonSessionLimitExceeded)).Send()\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tsession.Filters(startEvent.Filters)\n\t\t\t\tm.logger.Listen(session)\n\t\t\t\tm.log.Debug().Msgf(\"Streaming logs\")\n\t\t\t\tgo m.streamLogs(c, ctx, session)\n\t\t\t\tcontinue\n\t\t\tcase StopStreaming:\n\t\t\t\tidle.Reset(idleTimeout)\n\t\t\t\t// Stop the current session for the current actor who requested it\n\t\t\t\tsession.Stop()\n\t\t\t\tm.logger.Remove(session)\n\t\t\tcase UnknownClientEventType:\n\t\t\t\tfallthrough\n\t\t\tdefault:\n\t\t\t\t// Drop unknown events and close connection\n\t\t\t\tm.log.Debug().Msgf(\"unexpected management message received: %s\", event.Type)\n\t\t\t\t// If the client (or the server) already closed the connection, don't attempt to close it again\n\t\t\t\tif !IsClosed(err, m.log) {\n\t\t\t\t\tm.log.Err(err).Err(c.Close(websocket.StatusUnsupportedData, err.Error())).Send()\n\t\t\t\t}\n\t\t\t\treturn\n\t\t\t}\n\t\tcase <-ping.C:\n\t\t\tgo c.Ping(ctx)\n\t\tcase <-idle.C:\n\t\t\tc.Close(StatusIdleLimitExceeded, reasonIdleLimitExceeded)\n\t\t\treturn\n\t\t}\n\t}\n}\n" }, { "path": "management/service_test.go", "content": "package management\n\nimport (\n\t\"context\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"nhooyr.io/websocket\"\n\n\t\"github.com/cloudflare/cloudflared/internal/test\"\n)\n\nvar (\n\tnoopLogger = zerolog.New(io.Discard)\n\tmanagementHostname = \"https://management.argotunnel.com\"\n)\n\nfunc TestDisableDiagnosticRoutes(t *testing.T) {\n\tmgmt := New(\"management.argotunnel.com\", false, \"1.1.1.1:80\", uuid.Nil, \"\", &noopLogger, nil)\n\tfor _, path := range []string{\"/metrics\", \"/debug/pprof/goroutine\", \"/debug/pprof/heap\"} {\n\t\tt.Run(strings.Replace(path, \"/\", \"_\", -1), func(t *testing.T) {\n\t\t\treq := httptest.NewRequest(\"GET\", managementHostname+path+\"?access_token=\"+validToken, nil)\n\t\t\trecorder := httptest.NewRecorder()\n\t\t\tmgmt.ServeHTTP(recorder, req)\n\t\t\tresp := recorder.Result()\n\t\t\trequire.Equal(t, http.StatusNotFound, resp.StatusCode)\n\t\t})\n\t}\n}\n\nfunc TestReadEventsLoop(t *testing.T) {\n\tsentEvent := EventStartStreaming{\n\t\tClientEvent: ClientEvent{Type: StartStreaming},\n\t}\n\tclient, server := test.WSPipe(nil, nil)\n\tclient.CloseRead(context.Background())\n\tdefer func() {\n\t\tclient.Close(websocket.StatusInternalError, \"\")\n\t}()\n\tgo func() {\n\t\terr := WriteEvent(client, context.Background(), &sentEvent)\n\t\trequire.NoError(t, err)\n\t}()\n\tm := ManagementService{\n\t\tlog: &noopLogger,\n\t}\n\tevents := make(chan *ClientEvent)\n\tgo m.readEvents(server, context.Background(), events)\n\tevent := <-events\n\trequire.Equal(t, sentEvent.Type, event.Type)\n\tserver.Close(websocket.StatusInternalError, \"\")\n}\n\nfunc TestReadEventsLoop_ContextCancelled(t *testing.T) {\n\tclient, server := test.WSPipe(nil, nil)\n\tctx, cancel := context.WithCancel(context.Background())\n\tclient.CloseRead(ctx)\n\tdefer func() {\n\t\tclient.Close(websocket.StatusInternalError, \"\")\n\t}()\n\tm := ManagementService{\n\t\tlog: &noopLogger,\n\t}\n\tevents := make(chan *ClientEvent)\n\tgo func() {\n\t\ttime.Sleep(time.Second)\n\t\tcancel()\n\t}()\n\t// Want to make sure this function returns when context is cancelled\n\tm.readEvents(server, ctx, events)\n\tserver.Close(websocket.StatusInternalError, \"\")\n}\n\nfunc TestCanStartStream_NoSessions(t *testing.T) {\n\tm := ManagementService{\n\t\tlog: &noopLogger,\n\t\tlogger: &Logger{\n\t\t\tLog: &noopLogger,\n\t\t},\n\t}\n\t_, cancel := context.WithCancel(context.Background())\n\tsession := newSession(0, actor{}, cancel)\n\tassert.True(t, m.canStartStream(session))\n}\n\nfunc TestCanStartStream_ExistingSessionDifferentActor(t *testing.T) {\n\tm := ManagementService{\n\t\tlog: &noopLogger,\n\t\tlogger: &Logger{\n\t\t\tLog: &noopLogger,\n\t\t},\n\t}\n\t_, cancel := context.WithCancel(context.Background())\n\tsession1 := newSession(0, actor{ID: \"test\"}, cancel)\n\tassert.True(t, m.canStartStream(session1))\n\tm.logger.Listen(session1)\n\tassert.True(t, session1.Active())\n\n\t// Try another session\n\tsession2 := newSession(0, actor{ID: \"test2\"}, cancel)\n\tassert.Equal(t, 1, m.logger.ActiveSessions())\n\tassert.False(t, m.canStartStream(session2))\n\n\t// Close session1\n\tm.logger.Remove(session1)\n\tassert.True(t, session1.Active()) // Remove doesn't stop a session\n\tsession1.Stop()\n\tassert.False(t, session1.Active())\n\tassert.Equal(t, 0, m.logger.ActiveSessions())\n\n\t// Try session2 again\n\tassert.True(t, m.canStartStream(session2))\n}\n\nfunc TestCanStartStream_ExistingSessionSameActor(t *testing.T) {\n\tm := ManagementService{\n\t\tlog: &noopLogger,\n\t\tlogger: &Logger{\n\t\t\tLog: &noopLogger,\n\t\t},\n\t}\n\tactor := actor{ID: \"test\"}\n\t_, cancel := context.WithCancel(context.Background())\n\tsession1 := newSession(0, actor, cancel)\n\tassert.True(t, m.canStartStream(session1))\n\tm.logger.Listen(session1)\n\tassert.True(t, session1.Active())\n\n\t// Try another session\n\tsession2 := newSession(0, actor, cancel)\n\tassert.Equal(t, 1, m.logger.ActiveSessions())\n\tassert.True(t, m.canStartStream(session2))\n\t// session1 is removed and stopped\n\tassert.Equal(t, 0, m.logger.ActiveSessions())\n\tassert.False(t, session1.Active())\n}\n" }, { "path": "management/session.go", "content": "package management\n\nimport (\n\t\"context\"\n\t\"math/rand\"\n\t\"sync/atomic\"\n)\n\nconst (\n\t// Indicates how many log messages the listener will hold before dropping.\n\t// Provides a throttling mechanism to drop latest messages if the sender\n\t// can't keep up with the influx of log messages.\n\tlogWindow = 30\n)\n\n// session captures a streaming logs session for a connection of an actor.\ntype session struct {\n\t// Indicates if the session is streaming or not. Modifying this will affect the active session.\n\tactive atomic.Bool\n\t// Allows the session to control the context of the underlying connection to close it out when done. Mostly\n\t// used by the LoggerListener to close out and cleanup a session.\n\tcancel context.CancelFunc\n\t// Actor who started the session\n\tactor actor\n\t// Buffered channel that holds the recent log events\n\tlistener chan *Log\n\t// Types of log events that this session will provide through the listener\n\tfilters *StreamingFilters\n\t// Sampling of the log events this session will send (runs after all other filters if available)\n\tsampler *sampler\n}\n\n// NewSession creates a new session.\nfunc newSession(size int, actor actor, cancel context.CancelFunc) *session {\n\ts := &session{\n\t\tactive: atomic.Bool{},\n\t\tcancel: cancel,\n\t\tactor: actor,\n\t\tlistener: make(chan *Log, size),\n\t\tfilters: &StreamingFilters{},\n\t}\n\treturn s\n}\n\n// Filters assigns the StreamingFilters to the session\nfunc (s *session) Filters(filters *StreamingFilters) {\n\tif filters != nil {\n\t\ts.filters = filters\n\t\tsampling := filters.Sampling\n\t\t// clamp the sampling values between 0 and 1\n\t\tif sampling < 0 {\n\t\t\tsampling = 0\n\t\t}\n\t\tif sampling > 1 {\n\t\t\tsampling = 1\n\t\t}\n\t\ts.filters.Sampling = sampling\n\t\tif sampling > 0 && sampling < 1 {\n\t\t\ts.sampler = &sampler{\n\t\t\t\tp: int(sampling * 100),\n\t\t\t}\n\t\t}\n\t} else {\n\t\ts.filters = &StreamingFilters{}\n\t}\n}\n\n// Insert attempts to insert the log to the session. If the log event matches the provided session filters, it\n// will be applied to the listener.\nfunc (s *session) Insert(log *Log) {\n\t// Level filters are optional\n\tif s.filters.Level != nil {\n\t\tif *s.filters.Level > log.Level {\n\t\t\treturn\n\t\t}\n\t}\n\t// Event filters are optional\n\tif len(s.filters.Events) != 0 && !contains(s.filters.Events, log.Event) {\n\t\treturn\n\t}\n\t// Sampling is also optional\n\tif s.sampler != nil && !s.sampler.Sample() {\n\t\treturn\n\t}\n\tselect {\n\tcase s.listener <- log:\n\tdefault:\n\t\t// buffer is full, discard\n\t}\n}\n\n// Active returns if the session is active\nfunc (s *session) Active() bool {\n\treturn s.active.Load()\n}\n\n// Stop will halt the session\nfunc (s *session) Stop() {\n\ts.active.Store(false)\n}\n\nfunc contains(array []LogEventType, t LogEventType) bool {\n\tfor _, v := range array {\n\t\tif v == t {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// sampler will send approximately every p percentage log events out of 100.\ntype sampler struct {\n\tp int\n}\n\n// Sample returns true if the event should be part of the sample, false if the event should be dropped.\nfunc (s *sampler) Sample() bool {\n\treturn rand.Intn(100) <= s.p\n\n}\n" }, { "path": "management/session_test.go", "content": "package management\n\nimport (\n\t\"context\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n)\n\n// Validate the active states of the session\nfunc TestSession_ActiveControl(t *testing.T) {\n\t_, cancel := context.WithCancel(context.Background())\n\tdefer cancel()\n\tsession := newSession(4, actor{}, cancel)\n\t// session starts out not active\n\tassert.False(t, session.Active())\n\tsession.active.Store(true)\n\tassert.True(t, session.Active())\n\tsession.Stop()\n\tassert.False(t, session.Active())\n}\n\n// Validate that the session filters events\nfunc TestSession_Insert(t *testing.T) {\n\t_, cancel := context.WithCancel(context.Background())\n\tdefer cancel()\n\tinfoLevel := new(LogLevel)\n\t*infoLevel = Info\n\twarnLevel := new(LogLevel)\n\t*warnLevel = Warn\n\tfor _, test := range []struct {\n\t\tname string\n\t\tfilters StreamingFilters\n\t\texpectLog bool\n\t}{\n\t\t{\n\t\t\tname: \"none\",\n\t\t\texpectLog: true,\n\t\t},\n\t\t{\n\t\t\tname: \"level\",\n\t\t\tfilters: StreamingFilters{\n\t\t\t\tLevel: infoLevel,\n\t\t\t},\n\t\t\texpectLog: true,\n\t\t},\n\t\t{\n\t\t\tname: \"filtered out level\",\n\t\t\tfilters: StreamingFilters{\n\t\t\t\tLevel: warnLevel,\n\t\t\t},\n\t\t\texpectLog: false,\n\t\t},\n\t\t{\n\t\t\tname: \"events\",\n\t\t\tfilters: StreamingFilters{\n\t\t\t\tEvents: []LogEventType{HTTP},\n\t\t\t},\n\t\t\texpectLog: true,\n\t\t},\n\t\t{\n\t\t\tname: \"filtered out event\",\n\t\t\tfilters: StreamingFilters{\n\t\t\t\tEvents: []LogEventType{Cloudflared},\n\t\t\t},\n\t\t\texpectLog: false,\n\t\t},\n\t\t{\n\t\t\tname: \"sampling\",\n\t\t\tfilters: StreamingFilters{\n\t\t\t\tSampling: 0.9999999,\n\t\t\t},\n\t\t\texpectLog: true,\n\t\t},\n\t\t{\n\t\t\tname: \"sampling (invalid negative)\",\n\t\t\tfilters: StreamingFilters{\n\t\t\t\tSampling: -1.0,\n\t\t\t},\n\t\t\texpectLog: true,\n\t\t},\n\t\t{\n\t\t\tname: \"sampling (invalid too large)\",\n\t\t\tfilters: StreamingFilters{\n\t\t\t\tSampling: 2.0,\n\t\t\t},\n\t\t\texpectLog: true,\n\t\t},\n\t\t{\n\t\t\tname: \"filter and event\",\n\t\t\tfilters: StreamingFilters{\n\t\t\t\tLevel: infoLevel,\n\t\t\t\tEvents: []LogEventType{HTTP},\n\t\t\t},\n\t\t\texpectLog: true,\n\t\t},\n\t} {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tsession := newSession(4, actor{}, cancel)\n\t\t\tsession.Filters(&test.filters)\n\t\t\tlog := Log{\n\t\t\t\tTime: time.Now().UTC().Format(time.RFC3339),\n\t\t\t\tEvent: HTTP,\n\t\t\t\tLevel: Info,\n\t\t\t\tMessage: \"test\",\n\t\t\t}\n\t\t\tsession.Insert(&log)\n\t\t\tselect {\n\t\t\tcase <-session.listener:\n\t\t\t\trequire.True(t, test.expectLog)\n\t\t\tdefault:\n\t\t\t\trequire.False(t, test.expectLog)\n\t\t\t}\n\t\t})\n\t}\n}\n\n// Validate that the session has a max amount of events to hold\nfunc TestSession_InsertOverflow(t *testing.T) {\n\t_, cancel := context.WithCancel(context.Background())\n\tdefer cancel()\n\tsession := newSession(1, actor{}, cancel)\n\tlog := Log{\n\t\tTime: time.Now().UTC().Format(time.RFC3339),\n\t\tEvent: HTTP,\n\t\tLevel: Info,\n\t\tMessage: \"test\",\n\t}\n\t// Insert 2 but only max channel size for 1\n\tsession.Insert(&log)\n\tsession.Insert(&log)\n\tselect {\n\tcase <-session.listener:\n\t\t// pass\n\tdefault:\n\t\trequire.Fail(t, \"expected one log event\")\n\t}\n\t// Second dequeue should fail\n\tselect {\n\tcase <-session.listener:\n\t\trequire.Fail(t, \"expected no more remaining log events\")\n\tdefault:\n\t\t// pass\n\t}\n}\n" }, { "path": "management/token.go", "content": "package management\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/go-jose/go-jose/v4\"\n\t\"github.com/go-jose/go-jose/v4/jwt\"\n)\n\nconst tunnelstoreFEDIssuer = \"fed-tunnelstore\"\n\ntype managementTokenClaims struct {\n\tTunnel tunnel `json:\"tun\"`\n\tActor actor `json:\"actor\"`\n\tjwt.Claims\n}\n\n// VerifyTunnel compares the tun claim isn't empty\nfunc (c *managementTokenClaims) verify() bool {\n\treturn c.Tunnel.verify() && c.Actor.verify()\n}\n\ntype tunnel struct {\n\tID string `json:\"id\"`\n\tAccountTag string `json:\"account_tag\"`\n}\n\n// verify compares the tun claim isn't empty\nfunc (t *tunnel) verify() bool {\n\treturn t.AccountTag != \"\" && t.ID != \"\"\n}\n\ntype actor struct {\n\tID string `json:\"id\"`\n\tSupport bool `json:\"support\"`\n}\n\n// verify checks the ID claim isn't empty\nfunc (t *actor) verify() bool {\n\treturn t.ID != \"\"\n}\n\nfunc ParseToken(token string) (*managementTokenClaims, error) {\n\tjwt, err := jwt.ParseSigned(token, []jose.SignatureAlgorithm{jose.ES256})\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"malformed jwt: %v\", err)\n\t}\n\n\tvar claims managementTokenClaims\n\t// This is actually safe because we verify the token in the edge before it reaches cloudflared\n\terr = jwt.UnsafeClaimsWithoutVerification(&claims)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"malformed jwt: %v\", err)\n\t}\n\tif !claims.verify() {\n\t\treturn nil, fmt.Errorf(\"invalid management token format provided\")\n\t}\n\treturn &claims, nil\n}\n\nfunc (m *managementTokenClaims) IsFed() bool {\n\treturn m.Issuer == tunnelstoreFEDIssuer\n}\n" }, { "path": "management/token_test.go", "content": "package management\n\nimport (\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"crypto/rand\"\n\t\"errors\"\n\t\"testing\"\n\n\t\"github.com/go-jose/go-jose/v4\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nconst (\n\tvalidToken = \"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjEifQ.eyJ0dW4iOnsiaWQiOiI3YjA5ODE0OS01MWZlLTRlZTUtYTY4Ny0zZTM3NDQ2NmVmYzciLCJhY2NvdW50X3RhZyI6ImNkMzkxZTljMDYyNmE4Zjc2Y2IxZjY3MGY2NTkxYjA1In0sImFjdG9yIjp7ImlkIjoiZGNhcnJAY2xvdWRmbGFyZS5jb20iLCJzdXBwb3J0IjpmYWxzZX0sInJlcyI6WyJsb2dzIl0sImV4cCI6MTY3NzExNzY5NiwiaWF0IjoxNjc3MTE0MDk2LCJpc3MiOiJ0dW5uZWxzdG9yZSJ9.mKenOdOy3Xi4O-grldFnAAemdlE9WajEpTDC_FwezXQTstWiRTLwU65P5jt4vNsIiZA4OJRq7bH-QYID9wf9NA\" // nolint: gosec\n\n\taccountTag = \"cd391e9c0626a8f76cb1f670f6591b05\"\n\ttunnelID = \"7b098149-51fe-4ee5-a687-3e374466efc7\"\n\tactorID = \"45d2751e-6b59-45a9-814d-f630786bd0cd\"\n)\n\ntype invalidManagementTokenClaims struct {\n\tInvalid string `json:\"invalid\"`\n}\n\nfunc TestParseToken(t *testing.T) {\n\tkey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\trequire.NoError(t, err)\n\n\tfor _, test := range []struct {\n\t\tname string\n\t\tclaims any\n\t\terr error\n\t}{\n\t\t{\n\t\t\tname: \"Valid\",\n\t\t\tclaims: managementTokenClaims{\n\t\t\t\tTunnel: tunnel{\n\t\t\t\t\tID: tunnelID,\n\t\t\t\t\tAccountTag: accountTag,\n\t\t\t\t},\n\t\t\t\tActor: actor{\n\t\t\t\t\tID: actorID,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Invalid claims\",\n\t\t\tclaims: invalidManagementTokenClaims{Invalid: \"invalid\"},\n\t\t\terr: errors.New(\"invalid management token format provided\"),\n\t\t},\n\t\t{\n\t\t\tname: \"Missing Tunnel\",\n\t\t\tclaims: managementTokenClaims{\n\t\t\t\tActor: actor{\n\t\t\t\t\tID: actorID,\n\t\t\t\t},\n\t\t\t},\n\t\t\terr: errors.New(\"invalid management token format provided\"),\n\t\t},\n\t\t{\n\t\t\tname: \"Missing Tunnel ID\",\n\t\t\tclaims: managementTokenClaims{\n\t\t\t\tTunnel: tunnel{\n\t\t\t\t\tAccountTag: accountTag,\n\t\t\t\t},\n\t\t\t\tActor: actor{\n\t\t\t\t\tID: actorID,\n\t\t\t\t},\n\t\t\t},\n\t\t\terr: errors.New(\"invalid management token format provided\"),\n\t\t},\n\t\t{\n\t\t\tname: \"Missing Account Tag\",\n\t\t\tclaims: managementTokenClaims{\n\t\t\t\tTunnel: tunnel{\n\t\t\t\t\tID: tunnelID,\n\t\t\t\t},\n\t\t\t\tActor: actor{\n\t\t\t\t\tID: actorID,\n\t\t\t\t},\n\t\t\t},\n\t\t\terr: errors.New(\"invalid management token format provided\"),\n\t\t},\n\t\t{\n\t\t\tname: \"Missing Actor\",\n\t\t\tclaims: managementTokenClaims{\n\t\t\t\tTunnel: tunnel{\n\t\t\t\t\tID: tunnelID,\n\t\t\t\t\tAccountTag: accountTag,\n\t\t\t\t},\n\t\t\t},\n\t\t\terr: errors.New(\"invalid management token format provided\"),\n\t\t},\n\t\t{\n\t\t\tname: \"Missing Actor ID\",\n\t\t\tclaims: managementTokenClaims{\n\t\t\t\tTunnel: tunnel{\n\t\t\t\t\tID: tunnelID,\n\t\t\t\t},\n\t\t\t\tActor: actor{},\n\t\t\t},\n\t\t\terr: errors.New(\"invalid management token format provided\"),\n\t\t},\n\t} {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tjwt := signToken(t, test.claims, key)\n\t\t\tclaims, err := ParseToken(jwt)\n\t\t\tif test.err != nil {\n\t\t\t\trequire.EqualError(t, err, test.err.Error())\n\t\t\t\treturn\n\t\t\t}\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, test.claims, *claims)\n\t\t})\n\t}\n}\n\nfunc signToken(t *testing.T, token any, key *ecdsa.PrivateKey) string {\n\topts := (&jose.SignerOptions{}).WithType(\"JWT\").WithHeader(\"kid\", \"1\")\n\tsigner, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: key}, opts)\n\trequire.NoError(t, err)\n\tpayload, err := json.Marshal(token)\n\trequire.NoError(t, err)\n\tjws, err := signer.Sign(payload)\n\trequire.NoError(t, err)\n\tjwt, err := jws.CompactSerialize()\n\trequire.NoError(t, err)\n\treturn jwt\n}\n" }, { "path": "metrics/config.go", "content": "package metrics\n\ntype HistogramConfig struct {\n\tBucketsStart float64\n\tBucketsWidth float64\n\tBucketsCount int\n}\n" }, { "path": "metrics/metrics.go", "content": "package metrics\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t_ \"net/http/pprof\"\n\t\"runtime\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/facebookgo/grace/gracenet\"\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/prometheus/client_golang/prometheus/promhttp\"\n\t\"github.com/rs/zerolog\"\n\t\"golang.org/x/net/trace\"\n\n\t\"github.com/cloudflare/cloudflared/diagnostic\"\n)\n\nconst (\n\tstartupTime = time.Millisecond * 500\n\tdefaultShutdownTimeout = time.Second * 15\n)\n\n// This variable is set at compile time to allow the default local address to change.\nvar Runtime = \"host\"\n\nfunc GetMetricsDefaultAddress(runtimeType string) string {\n\t// When issuing the diagnostic command we may have to reach a server that is\n\t// running in a virtual environment and in that case we must bind to 0.0.0.0\n\t// otherwise the server won't be reachable.\n\tswitch runtimeType {\n\tcase \"virtual\":\n\t\treturn \"0.0.0.0:0\"\n\tdefault:\n\t\treturn \"localhost:0\"\n\t}\n}\n\n// GetMetricsKnownAddresses returns the addresses used by the metrics server to bind at\n// startup time to allow a semi-deterministic approach to know where the server is listening at.\n// The ports were selected because at the time we are in 2024 and they do not collide with any\n// know/registered port according https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.\nfunc GetMetricsKnownAddresses(runtimeType string) []string {\n\tswitch runtimeType {\n\tcase \"virtual\":\n\t\treturn []string{\"0.0.0.0:20241\", \"0.0.0.0:20242\", \"0.0.0.0:20243\", \"0.0.0.0:20244\", \"0.0.0.0:20245\"}\n\tdefault:\n\t\treturn []string{\"localhost:20241\", \"localhost:20242\", \"localhost:20243\", \"localhost:20244\", \"localhost:20245\"}\n\t}\n}\n\ntype Config struct {\n\tReadyServer *ReadyServer\n\tDiagnosticHandler *diagnostic.Handler\n\tQuickTunnelHostname string\n\tOrchestrator orchestrator\n\n\tShutdownTimeout time.Duration\n}\n\ntype orchestrator interface {\n\tGetVersionedConfigJSON() ([]byte, error)\n}\n\nfunc newMetricsHandler(\n\tconfig Config,\n\tlog *zerolog.Logger,\n) *http.ServeMux {\n\trouter := http.NewServeMux()\n\trouter.Handle(\"/debug/\", http.DefaultServeMux)\n\trouter.Handle(\"/metrics\", promhttp.Handler())\n\trouter.HandleFunc(\"/healthcheck\", func(w http.ResponseWriter, r *http.Request) {\n\t\t_, _ = fmt.Fprintf(w, \"OK\\n\")\n\t})\n\tif config.ReadyServer != nil {\n\t\trouter.Handle(\"/ready\", config.ReadyServer)\n\t}\n\trouter.HandleFunc(\"/quicktunnel\", func(w http.ResponseWriter, r *http.Request) {\n\t\t_, _ = fmt.Fprintf(w, `{\"hostname\":\"%s\"}`, config.QuickTunnelHostname)\n\t})\n\tif config.Orchestrator != nil {\n\t\trouter.HandleFunc(\"/config\", func(w http.ResponseWriter, r *http.Request) {\n\t\t\tjson, err := config.Orchestrator.GetVersionedConfigJSON()\n\t\t\tif err != nil {\n\t\t\t\tw.WriteHeader(500)\n\t\t\t\t_, _ = fmt.Fprintf(w, \"ERR: %v\", err)\n\t\t\t\tlog.Err(err).Msg(\"Failed to serve config\")\n\t\t\t\treturn\n\t\t\t}\n\t\t\t_, _ = w.Write(json)\n\t\t})\n\t}\n\n\tconfig.DiagnosticHandler.InstallEndpoints(router)\n\n\treturn router\n}\n\n// CreateMetricsListener will create a new [net.Listener] by using an\n// known set of ports when the default address is passed with the fallback\n// of choosing a random port when none is available.\n//\n// In case the provided address is not the default one then it will be used\n// as is.\nfunc CreateMetricsListener(listeners *gracenet.Net, laddr string) (net.Listener, error) {\n\tif laddr == GetMetricsDefaultAddress(Runtime) {\n\t\t// On the presence of the default address select\n\t\t// a port from the known set of addresses iteratively.\n\t\taddresses := GetMetricsKnownAddresses(Runtime)\n\t\tfor _, address := range addresses {\n\t\t\tlistener, err := listeners.Listen(\"tcp\", address)\n\t\t\tif err == nil {\n\t\t\t\treturn listener, nil\n\t\t\t}\n\t\t}\n\n\t\t// When no port is available then bind to a random one\n\t\tlistener, err := listeners.Listen(\"tcp\", laddr)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to listen to default metrics address: %w\", err)\n\t\t}\n\n\t\treturn listener, nil\n\t}\n\n\t// Explicitly got a local address then bind to it\n\tlistener, err := listeners.Listen(\"tcp\", laddr)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to bind to address (%s): %w\", laddr, err)\n\t}\n\n\treturn listener, nil\n}\n\nfunc ServeMetrics(\n\tl net.Listener,\n\tctx context.Context,\n\tconfig Config,\n\tlog *zerolog.Logger,\n) (err error) {\n\tvar wg sync.WaitGroup\n\t// Metrics port is privileged, so no need for further access control\n\ttrace.AuthRequest = func(*http.Request) (bool, bool) { return true, true }\n\t// TODO: parameterize ReadTimeout and WriteTimeout. The maximum time we can\n\t// profile CPU usage depends on WriteTimeout\n\th := newMetricsHandler(config, log)\n\tserver := &http.Server{\n\t\tReadTimeout: 10 * time.Second,\n\t\tWriteTimeout: 10 * time.Second,\n\t\tHandler: h,\n\t}\n\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\terr = server.Serve(l)\n\t}()\n\tlog.Info().Msgf(\"Starting metrics server on %s\", fmt.Sprintf(\"%v/metrics\", l.Addr()))\n\t// server.Serve will hang if server.Shutdown is called before the server is\n\t// fully started up. So add artificial delay.\n\ttime.Sleep(startupTime)\n\n\t<-ctx.Done()\n\tshutdownTimeout := config.ShutdownTimeout\n\tif shutdownTimeout == 0 {\n\t\tshutdownTimeout = defaultShutdownTimeout\n\t}\n\n\tctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)\n\t_ = server.Shutdown(ctx)\n\tcancel()\n\n\twg.Wait()\n\tif err == http.ErrServerClosed {\n\t\tlog.Info().Msg(\"Metrics server stopped\")\n\t\treturn nil\n\t}\n\tlog.Err(err).Msg(\"Metrics server failed\")\n\treturn err\n}\n\nfunc RegisterBuildInfo(buildType, buildTime, version string) {\n\tbuildInfo := prometheus.NewGaugeVec(\n\t\tprometheus.GaugeOpts{\n\t\t\t// Don't namespace build_info, since we want it to be consistent across all Cloudflare services\n\t\t\tName: \"build_info\",\n\t\t\tHelp: \"Build and version information\",\n\t\t},\n\t\t[]string{\"goversion\", \"type\", \"revision\", \"version\"},\n\t)\n\tprometheus.MustRegister(buildInfo)\n\tbuildInfo.WithLabelValues(runtime.Version(), buildType, buildTime, version).Set(1)\n}\n" }, { "path": "metrics/metrics_test.go", "content": "package metrics_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/facebookgo/grace/gracenet\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/metrics\"\n)\n\nfunc TestMetricsListenerCreation(t *testing.T) {\n\tt.Parallel()\n\tlisteners := gracenet.Net{}\n\tlistener1, err := metrics.CreateMetricsListener(&listeners, metrics.GetMetricsDefaultAddress(\"host\"))\n\tassert.Equal(t, \"127.0.0.1:20241\", listener1.Addr().String())\n\trequire.NoError(t, err)\n\tlistener2, err := metrics.CreateMetricsListener(&listeners, metrics.GetMetricsDefaultAddress(\"host\"))\n\tassert.Equal(t, \"127.0.0.1:20242\", listener2.Addr().String())\n\trequire.NoError(t, err)\n\tlistener3, err := metrics.CreateMetricsListener(&listeners, metrics.GetMetricsDefaultAddress(\"host\"))\n\tassert.Equal(t, \"127.0.0.1:20243\", listener3.Addr().String())\n\trequire.NoError(t, err)\n\tlistener4, err := metrics.CreateMetricsListener(&listeners, metrics.GetMetricsDefaultAddress(\"host\"))\n\tassert.Equal(t, \"127.0.0.1:20244\", listener4.Addr().String())\n\trequire.NoError(t, err)\n\tlistener5, err := metrics.CreateMetricsListener(&listeners, metrics.GetMetricsDefaultAddress(\"host\"))\n\tassert.Equal(t, \"127.0.0.1:20245\", listener5.Addr().String())\n\trequire.NoError(t, err)\n\tlistener6, err := metrics.CreateMetricsListener(&listeners, metrics.GetMetricsDefaultAddress(\"host\"))\n\taddresses := [5]string{\"127.0.0.1:20241\", \"127.0.0.1:20242\", \"127.0.0.1:20243\", \"127.0.0.1:20244\", \"127.0.0.1:20245\"}\n\tassert.NotContains(t, addresses, listener6.Addr().String())\n\trequire.NoError(t, err)\n\tlistener7, err := metrics.CreateMetricsListener(&listeners, \"localhost:12345\")\n\tassert.Equal(t, \"127.0.0.1:12345\", listener7.Addr().String())\n\trequire.NoError(t, err)\n\terr = listener1.Close()\n\trequire.NoError(t, err)\n\terr = listener2.Close()\n\trequire.NoError(t, err)\n\terr = listener3.Close()\n\trequire.NoError(t, err)\n\terr = listener4.Close()\n\trequire.NoError(t, err)\n\terr = listener5.Close()\n\trequire.NoError(t, err)\n\terr = listener6.Close()\n\trequire.NoError(t, err)\n\terr = listener7.Close()\n\trequire.NoError(t, err)\n}\n" }, { "path": "metrics/readiness.go", "content": "package metrics\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/google/uuid\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelstate\"\n)\n\n// ReadyServer serves HTTP 200 if the tunnel can serve traffic. Intended for k8s readiness checks.\ntype ReadyServer struct {\n\tclientID uuid.UUID\n\ttracker *tunnelstate.ConnTracker\n}\n\n// NewReadyServer initializes a ReadyServer and starts listening for dis/connection events.\nfunc NewReadyServer(\n\tclientID uuid.UUID,\n\ttracker *tunnelstate.ConnTracker,\n) *ReadyServer {\n\treturn &ReadyServer{\n\t\tclientID,\n\t\ttracker,\n\t}\n}\n\ntype body struct {\n\tStatus int `json:\"status\"`\n\tReadyConnections uint `json:\"readyConnections\"`\n\tConnectorID uuid.UUID `json:\"connectorId\"`\n}\n\n// ServeHTTP responds with HTTP 200 if the tunnel is connected to the edge.\nfunc (rs *ReadyServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tstatusCode, readyConnections := rs.makeResponse()\n\tw.WriteHeader(statusCode)\n\tbody := body{\n\t\tStatus: statusCode,\n\t\tReadyConnections: readyConnections,\n\t\tConnectorID: rs.clientID,\n\t}\n\tmsg, err := json.Marshal(body)\n\tif err != nil {\n\t\t_, _ = fmt.Fprintf(w, `{\"error\": \"%s\"}`, err)\n\t}\n\t_, _ = w.Write(msg)\n}\n\n// This is the bulk of the logic for ServeHTTP, broken into its own pure function\n// to make unit testing easy.\nfunc (rs *ReadyServer) makeResponse() (statusCode int, readyConnections uint) {\n\treadyConnections = rs.tracker.CountActiveConns()\n\tif readyConnections > 0 {\n\t\treturn http.StatusOK, readyConnections\n\t} else {\n\t\treturn http.StatusServiceUnavailable, readyConnections\n\t}\n}\n" }, { "path": "metrics/readiness_test.go", "content": "package metrics_test\n\nimport (\n\t\"encoding/json\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/metrics\"\n\t\"github.com/cloudflare/cloudflared/tunnelstate\"\n)\n\nfunc mockRequest(t *testing.T, readyServer *metrics.ReadyServer) (int, uint) {\n\tt.Helper()\n\n\tvar readyreadyConnections struct {\n\t\tStatus int `json:\"status\"`\n\t\tReadyConnections uint `json:\"readyConnections\"`\n\t\tConnectorID uuid.UUID `json:\"connectorId\"`\n\t}\n\trec := httptest.NewRecorder()\n\treadyServer.ServeHTTP(rec, nil)\n\n\tdecoder := json.NewDecoder(rec.Body)\n\terr := decoder.Decode(&readyreadyConnections)\n\trequire.NoError(t, err)\n\treturn rec.Code, readyreadyConnections.ReadyConnections\n}\n\nfunc TestReadinessEventHandling(t *testing.T) {\n\tnopLogger := zerolog.Nop()\n\ttracker := tunnelstate.NewConnTracker(&nopLogger)\n\trs := metrics.NewReadyServer(uuid.Nil, tracker)\n\n\t// start not ok\n\tcode, readyConnections := mockRequest(t, rs)\n\tassert.NotEqualValues(t, http.StatusOK, code)\n\tassert.Zero(t, readyConnections)\n\n\t// one connected => ok\n\ttracker.OnTunnelEvent(connection.Event{\n\t\tIndex: 1,\n\t\tEventType: connection.Connected,\n\t})\n\tcode, readyConnections = mockRequest(t, rs)\n\tassert.EqualValues(t, http.StatusOK, code)\n\tassert.EqualValues(t, 1, readyConnections)\n\n\t// another connected => still ok\n\ttracker.OnTunnelEvent(connection.Event{\n\t\tIndex: 2,\n\t\tEventType: connection.Connected,\n\t})\n\tcode, readyConnections = mockRequest(t, rs)\n\tassert.EqualValues(t, http.StatusOK, code)\n\tassert.EqualValues(t, 2, readyConnections)\n\n\t// one reconnecting => still ok\n\ttracker.OnTunnelEvent(connection.Event{\n\t\tIndex: 2,\n\t\tEventType: connection.Reconnecting,\n\t})\n\tcode, readyConnections = mockRequest(t, rs)\n\tassert.EqualValues(t, http.StatusOK, code)\n\tassert.EqualValues(t, 1, readyConnections)\n\n\t// Regression test for TUN-3777\n\ttracker.OnTunnelEvent(connection.Event{\n\t\tIndex: 1,\n\t\tEventType: connection.RegisteringTunnel,\n\t})\n\tcode, readyConnections = mockRequest(t, rs)\n\tassert.NotEqualValues(t, http.StatusOK, code)\n\tassert.Zero(t, readyConnections)\n\n\t// other connected then unregistered => not ok\n\ttracker.OnTunnelEvent(connection.Event{\n\t\tIndex: 1,\n\t\tEventType: connection.Connected,\n\t})\n\tcode, readyConnections = mockRequest(t, rs)\n\tassert.EqualValues(t, http.StatusOK, code)\n\tassert.EqualValues(t, 1, readyConnections)\n\ttracker.OnTunnelEvent(connection.Event{\n\t\tIndex: 1,\n\t\tEventType: connection.Unregistering,\n\t})\n\tcode, readyConnections = mockRequest(t, rs)\n\tassert.NotEqualValues(t, http.StatusOK, code)\n\tassert.Zero(t, readyConnections)\n\n\t// other disconnected => not ok\n\ttracker.OnTunnelEvent(connection.Event{\n\t\tIndex: 1,\n\t\tEventType: connection.Disconnected,\n\t})\n\tcode, readyConnections = mockRequest(t, rs)\n\tassert.NotEqualValues(t, http.StatusOK, code)\n\tassert.Zero(t, readyConnections)\n}\n" }, { "path": "mocks/mock_limiter.go", "content": "// Code generated by MockGen. DO NOT EDIT.\n// Source: ../flow/limiter.go\n//\n// Generated by this command:\n//\n//\tmockgen -typed -build_flags=-tags=gomock -package mocks -destination mock_limiter.go -source=../flow/limiter.go Limiter\n//\n\n// Package mocks is a generated GoMock package.\npackage mocks\n\nimport (\n\treflect \"reflect\"\n\n\tgomock \"go.uber.org/mock/gomock\"\n)\n\n// MockLimiter is a mock of Limiter interface.\ntype MockLimiter struct {\n\tctrl *gomock.Controller\n\trecorder *MockLimiterMockRecorder\n\tisgomock struct{}\n}\n\n// MockLimiterMockRecorder is the mock recorder for MockLimiter.\ntype MockLimiterMockRecorder struct {\n\tmock *MockLimiter\n}\n\n// NewMockLimiter creates a new mock instance.\nfunc NewMockLimiter(ctrl *gomock.Controller) *MockLimiter {\n\tmock := &MockLimiter{ctrl: ctrl}\n\tmock.recorder = &MockLimiterMockRecorder{mock}\n\treturn mock\n}\n\n// EXPECT returns an object that allows the caller to indicate expected use.\nfunc (m *MockLimiter) EXPECT() *MockLimiterMockRecorder {\n\treturn m.recorder\n}\n\n// Acquire mocks base method.\nfunc (m *MockLimiter) Acquire(flowType string) error {\n\tm.ctrl.T.Helper()\n\tret := m.ctrl.Call(m, \"Acquire\", flowType)\n\tret0, _ := ret[0].(error)\n\treturn ret0\n}\n\n// Acquire indicates an expected call of Acquire.\nfunc (mr *MockLimiterMockRecorder) Acquire(flowType any) *MockLimiterAcquireCall {\n\tmr.mock.ctrl.T.Helper()\n\tcall := mr.mock.ctrl.RecordCallWithMethodType(mr.mock, \"Acquire\", reflect.TypeOf((*MockLimiter)(nil).Acquire), flowType)\n\treturn &MockLimiterAcquireCall{Call: call}\n}\n\n// MockLimiterAcquireCall wrap *gomock.Call\ntype MockLimiterAcquireCall struct {\n\t*gomock.Call\n}\n\n// Return rewrite *gomock.Call.Return\nfunc (c *MockLimiterAcquireCall) Return(arg0 error) *MockLimiterAcquireCall {\n\tc.Call = c.Call.Return(arg0)\n\treturn c\n}\n\n// Do rewrite *gomock.Call.Do\nfunc (c *MockLimiterAcquireCall) Do(f func(string) error) *MockLimiterAcquireCall {\n\tc.Call = c.Call.Do(f)\n\treturn c\n}\n\n// DoAndReturn rewrite *gomock.Call.DoAndReturn\nfunc (c *MockLimiterAcquireCall) DoAndReturn(f func(string) error) *MockLimiterAcquireCall {\n\tc.Call = c.Call.DoAndReturn(f)\n\treturn c\n}\n\n// Release mocks base method.\nfunc (m *MockLimiter) Release() {\n\tm.ctrl.T.Helper()\n\tm.ctrl.Call(m, \"Release\")\n}\n\n// Release indicates an expected call of Release.\nfunc (mr *MockLimiterMockRecorder) Release() *MockLimiterReleaseCall {\n\tmr.mock.ctrl.T.Helper()\n\tcall := mr.mock.ctrl.RecordCallWithMethodType(mr.mock, \"Release\", reflect.TypeOf((*MockLimiter)(nil).Release))\n\treturn &MockLimiterReleaseCall{Call: call}\n}\n\n// MockLimiterReleaseCall wrap *gomock.Call\ntype MockLimiterReleaseCall struct {\n\t*gomock.Call\n}\n\n// Return rewrite *gomock.Call.Return\nfunc (c *MockLimiterReleaseCall) Return() *MockLimiterReleaseCall {\n\tc.Call = c.Call.Return()\n\treturn c\n}\n\n// Do rewrite *gomock.Call.Do\nfunc (c *MockLimiterReleaseCall) Do(f func()) *MockLimiterReleaseCall {\n\tc.Call = c.Call.Do(f)\n\treturn c\n}\n\n// DoAndReturn rewrite *gomock.Call.DoAndReturn\nfunc (c *MockLimiterReleaseCall) DoAndReturn(f func()) *MockLimiterReleaseCall {\n\tc.Call = c.Call.DoAndReturn(f)\n\treturn c\n}\n\n// SetLimit mocks base method.\nfunc (m *MockLimiter) SetLimit(arg0 uint64) {\n\tm.ctrl.T.Helper()\n\tm.ctrl.Call(m, \"SetLimit\", arg0)\n}\n\n// SetLimit indicates an expected call of SetLimit.\nfunc (mr *MockLimiterMockRecorder) SetLimit(arg0 any) *MockLimiterSetLimitCall {\n\tmr.mock.ctrl.T.Helper()\n\tcall := mr.mock.ctrl.RecordCallWithMethodType(mr.mock, \"SetLimit\", reflect.TypeOf((*MockLimiter)(nil).SetLimit), arg0)\n\treturn &MockLimiterSetLimitCall{Call: call}\n}\n\n// MockLimiterSetLimitCall wrap *gomock.Call\ntype MockLimiterSetLimitCall struct {\n\t*gomock.Call\n}\n\n// Return rewrite *gomock.Call.Return\nfunc (c *MockLimiterSetLimitCall) Return() *MockLimiterSetLimitCall {\n\tc.Call = c.Call.Return()\n\treturn c\n}\n\n// Do rewrite *gomock.Call.Do\nfunc (c *MockLimiterSetLimitCall) Do(f func(uint64)) *MockLimiterSetLimitCall {\n\tc.Call = c.Call.Do(f)\n\treturn c\n}\n\n// DoAndReturn rewrite *gomock.Call.DoAndReturn\nfunc (c *MockLimiterSetLimitCall) DoAndReturn(f func(uint64)) *MockLimiterSetLimitCall {\n\tc.Call = c.Call.DoAndReturn(f)\n\treturn c\n}\n" }, { "path": "mocks/mockgen.go", "content": "//go:build gomock || generate\n\npackage mocks\n\n//go:generate sh -c \"go run go.uber.org/mock/mockgen -typed -build_flags=\\\"-tags=gomock\\\" -package mocks -destination mock_limiter.go -source=../flow/limiter.go Limiter\"\n" }, { "path": "orchestration/config.go", "content": "package orchestration\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n)\n\ntype newRemoteConfig struct {\n\tingress.RemoteConfig\n\t// Add more fields when we support other settings in tunnel orchestration\n}\n\ntype newLocalConfig struct {\n\tRemoteConfig ingress.RemoteConfig\n\tConfigurationFlags map[string]string `json:\"__configuration_flags,omitempty\"`\n}\n\n// Config is the original config as read and parsed by cloudflared.\ntype Config struct {\n\tIngress *ingress.Ingress\n\tWarpRouting ingress.WarpRoutingConfig\n\tOriginDialerService *ingress.OriginDialerService\n\n\t// Extra settings used to configure this instance but that are not eligible for remotely management\n\t// ie. (--protocol, --loglevel, ...)\n\tConfigurationFlags map[string]string\n}\n\nfunc (rc *newLocalConfig) MarshalJSON() ([]byte, error) {\n\tvar r = struct {\n\t\tConfigurationFlags map[string]string `json:\"__configuration_flags,omitempty\"`\n\t\tingress.RemoteConfigJSON\n\t}{\n\t\tConfigurationFlags: rc.ConfigurationFlags,\n\t\tRemoteConfigJSON: ingress.RemoteConfigJSON{\n\t\t\t// UI doesn't support top level configs, so we reconcile to individual ingress configs.\n\t\t\tGlobalOriginRequest: nil,\n\t\t\tIngressRules: convertToUnvalidatedIngressRules(rc.RemoteConfig.Ingress),\n\t\t\tWarpRouting: rc.RemoteConfig.WarpRouting.RawConfig(),\n\t\t},\n\t}\n\n\treturn json.Marshal(r)\n}\n\nfunc convertToUnvalidatedIngressRules(i ingress.Ingress) []config.UnvalidatedIngressRule {\n\tresult := make([]config.UnvalidatedIngressRule, 0)\n\tfor _, rule := range i.Rules {\n\t\tvar path string\n\t\tif rule.Path != nil {\n\t\t\tpath = rule.Path.String()\n\t\t}\n\n\t\tnewRule := config.UnvalidatedIngressRule{\n\t\t\tHostname: rule.Hostname,\n\t\t\tPath: path,\n\t\t\tService: rule.Service.String(),\n\t\t\tOriginRequest: ingress.ConvertToRawOriginConfig(rule.Config),\n\t\t}\n\n\t\tresult = append(result, newRule)\n\t}\n\n\treturn result\n}\n" }, { "path": "orchestration/config_test.go", "content": "package orchestration\n\nimport (\n\t\"encoding/json\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n)\n\n// TestNewLocalConfig_MarshalJSON tests that we are able to converte a compiled and validated config back\n// into an \"unvalidated\" format which is compatible with Remote Managed configurations.\nfunc TestNewLocalConfig_MarshalJSON(t *testing.T) {\n\trawConfig := []byte(`\n\t{\n\t\t\"originRequest\": {\n\t\t\t\t\t\"connectTimeout\": 160,\n\t\t\t\t\t\"httpHostHeader\": \"default\"\n\t\t},\n\t\t\"ingress\": [\n\t\t\t{\n\t\t\t\t\"hostname\": \"tun.example.com\",\n\t\t\t\t\"service\": \"https://localhost:8000\"\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"hostname\": \"*\",\n\t\t\t\t\"service\": \"https://localhost:8001\",\n\t\t\t\t\"originRequest\": {\n\t\t\t\t\t\"connectTimeout\": 121,\n\t\t\t\t\t\"tlsTimeout\": 2,\n\t\t\t\t\t\"noHappyEyeballs\": false,\n\t\t\t\t\t\"tcpKeepAlive\": 2,\n\t\t\t\t\t\"keepAliveConnections\": 2,\n\t\t\t\t\t\"keepAliveTimeout\": 2,\n\t\t\t\t\t\"httpHostHeader\": \"def\",\n\t\t\t\t\t\"originServerName\": \"b2\",\n\t\t\t\t\t\"caPool\": \"/tmp/path1\",\n\t\t\t\t\t\"noTLSVerify\": false,\n\t\t\t\t\t\"disableChunkedEncoding\": false,\n\t\t\t\t\t\"bastionMode\": false,\n\t\t\t\t\t\"proxyAddress\": \"interface\",\n\t\t\t\t\t\"proxyPort\": 200,\n\t\t\t\t\t\"proxyType\": \"\",\n\t\t\t\t\t\"ipRules\": [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\"prefix\": \"10.0.0.0/16\",\n\t\t\t\t\t\t\t\"ports\": [3000, 3030],\n\t\t\t\t\t\t\t\"allow\": false\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\"prefix\": \"192.16.0.0/24\",\n\t\t\t\t\t\t\t\"ports\": [5000, 5050],\n\t\t\t\t\t\t\t\"allow\": true\n\t\t\t\t\t\t}\n\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t],\n \"warp-routing\": {\n\t\t\t\"connectTimeout\": 1\n }\n\t}\n\t`)\n\n\tvar expectedConfig ingress.RemoteConfig\n\terr := json.Unmarshal(rawConfig, &expectedConfig)\n\trequire.NoError(t, err)\n\n\tc := &newLocalConfig{\n\t\tRemoteConfig: expectedConfig,\n\t\tConfigurationFlags: nil,\n\t}\n\n\tjsonSerde, err := json.Marshal(c)\n\trequire.NoError(t, err)\n\n\tvar remoteConfig ingress.RemoteConfig\n\terr = json.Unmarshal(jsonSerde, &remoteConfig)\n\trequire.NoError(t, err)\n\n\trequire.Equal(t, remoteConfig.WarpRouting, ingress.WarpRoutingConfig{\n\t\tConnectTimeout: config.CustomDuration{\n\t\t\tDuration: time.Second,\n\t\t},\n\t\tTCPKeepAlive: config.CustomDuration{\n\t\t\tDuration: 30 * time.Second, // default value is 30 seconds\n\t\t},\n\t})\n\trequire.Equal(t, remoteConfig.Ingress.Rules, expectedConfig.Ingress.Rules)\n}\n" }, { "path": "orchestration/metrics.go", "content": "package orchestration\n\nimport (\n\t\"github.com/prometheus/client_golang/prometheus\"\n)\n\nconst (\n\tMetricsNamespace = \"cloudflared\"\n\tMetricsSubsystem = \"orchestration\"\n)\n\nvar (\n\tconfigVersion = prometheus.NewGauge(\n\t\tprometheus.GaugeOpts{\n\t\t\tNamespace: MetricsNamespace,\n\t\t\tSubsystem: MetricsSubsystem,\n\t\t\tName: \"config_version\",\n\t\t\tHelp: \"Configuration Version\",\n\t\t},\n\t)\n)\n\nfunc init() {\n\tprometheus.MustRegister(configVersion)\n}\n" }, { "path": "orchestration/orchestrator.go", "content": "package orchestration\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"sync\"\n\t\"sync/atomic\"\n\n\tpkgerrors \"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/proxy\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\n// Orchestrator manages configurations, so they can be updatable during runtime\n// properties are static, so it can be read without lock\n// currentVersion and config are read/write infrequently, so their access are synchronized with RWMutex\n// access to proxy is synchronized with atomic.Value, because it uses copy-on-write to provide scalable frequently\n// read when update is infrequent\ntype Orchestrator struct {\n\tcurrentVersion int32\n\t// Used by UpdateConfig to make sure one update at a time\n\tlock sync.RWMutex\n\t// Underlying value is proxy.Proxy, can be read without the lock, but still needs the lock to update\n\tproxy atomic.Value\n\t// Set of internal ingress rules defined at cloudflared startup (separate from user-defined ingress rules)\n\tinternalRules []ingress.Rule\n\t// cloudflared Configuration\n\tconfig *Config\n\ttags []pogs.Tag\n\t// flowLimiter tracks active sessions across the tunnel and limits new sessions if they are above the limit.\n\tflowLimiter cfdflow.Limiter\n\t// Origin dialer service to manage egress socket dialing.\n\toriginDialerService *ingress.OriginDialerService\n\tlog *zerolog.Logger\n\n\t// orchestrator must not handle any more updates after shutdownC is closed\n\tshutdownC <-chan struct{}\n\t// Closing proxyShutdownC will close the previous proxy\n\tproxyShutdownC chan<- struct{}\n}\n\nfunc NewOrchestrator(ctx context.Context,\n\tconfig *Config,\n\ttags []pogs.Tag,\n\tinternalRules []ingress.Rule,\n\tlog *zerolog.Logger,\n) (*Orchestrator, error) {\n\to := &Orchestrator{\n\t\t// Lowest possible version, any remote configuration will have version higher than this\n\t\t// Starting at -1 allows a configuration migration (local to remote) to override the current configuration as it\n\t\t// will start at version 0.\n\t\tcurrentVersion: -1,\n\t\tinternalRules: internalRules,\n\t\tconfig: config,\n\t\ttags: tags,\n\t\tflowLimiter: cfdflow.NewLimiter(config.WarpRouting.MaxActiveFlows),\n\t\toriginDialerService: config.OriginDialerService,\n\t\tlog: log,\n\t\tshutdownC: ctx.Done(),\n\t}\n\tif err := o.updateIngress(*config.Ingress, config.WarpRouting); err != nil {\n\t\treturn nil, err\n\t}\n\tgo o.waitToCloseLastProxy()\n\treturn o, nil\n}\n\n// UpdateConfig creates a new proxy with the new ingress rules\nfunc (o *Orchestrator) UpdateConfig(version int32, config []byte) *pogs.UpdateConfigurationResponse {\n\to.lock.Lock()\n\tdefer o.lock.Unlock()\n\n\tif o.currentVersion >= version {\n\t\to.log.Debug().\n\t\t\tInt32(\"current_version\", o.currentVersion).\n\t\t\tInt32(\"received_version\", version).\n\t\t\tMsg(\"Current version is equal or newer than received version\")\n\t\treturn &pogs.UpdateConfigurationResponse{\n\t\t\tLastAppliedVersion: o.currentVersion,\n\t\t}\n\t}\n\tvar newConf newRemoteConfig\n\tif err := json.Unmarshal(config, &newConf); err != nil {\n\t\to.log.Err(err).\n\t\t\tInt32(\"version\", version).\n\t\t\tStr(\"config\", string(config)).\n\t\t\tMsgf(\"Failed to deserialize new configuration\")\n\t\treturn &pogs.UpdateConfigurationResponse{\n\t\t\tLastAppliedVersion: o.currentVersion,\n\t\t\tErr: err,\n\t\t}\n\t}\n\n\tif err := o.updateIngress(newConf.Ingress, newConf.WarpRouting); err != nil {\n\t\to.log.Err(err).\n\t\t\tInt32(\"version\", version).\n\t\t\tStr(\"config\", string(config)).\n\t\t\tMsgf(\"Failed to update ingress\")\n\t\treturn &pogs.UpdateConfigurationResponse{\n\t\t\tLastAppliedVersion: o.currentVersion,\n\t\t\tErr: err,\n\t\t}\n\t}\n\to.currentVersion = version\n\n\to.log.Info().\n\t\tInt32(\"version\", version).\n\t\tStr(\"config\", string(config)).\n\t\tMsg(\"Updated to new configuration\")\n\tconfigVersion.Set(float64(version))\n\treturn &pogs.UpdateConfigurationResponse{\n\t\tLastAppliedVersion: o.currentVersion,\n\t}\n}\n\n// overrideRemoteWarpRoutingWithLocalValues overrides the ingress.WarpRoutingConfig that comes from the remote with\n// the local values if there is any.\nfunc (o *Orchestrator) overrideRemoteWarpRoutingWithLocalValues(remoteWarpRouting *ingress.WarpRoutingConfig) error {\n\treturn o.overrideMaxActiveFlows(o.config.ConfigurationFlags[flags.MaxActiveFlows], remoteWarpRouting)\n}\n\n// overrideMaxActiveFlows checks the local configuration flags, and if a value is found for the flags.MaxActiveFlows\n// overrides the value that comes on the remote ingress.WarpRoutingConfig with the local value.\nfunc (o *Orchestrator) overrideMaxActiveFlows(maxActiveFlowsLocalConfig string, remoteWarpRouting *ingress.WarpRoutingConfig) error {\n\t// If max active flows isn't defined locally just use the remote value\n\tif maxActiveFlowsLocalConfig == \"\" {\n\t\treturn nil\n\t}\n\n\tmaxActiveFlowsLocalOverride, err := strconv.ParseUint(maxActiveFlowsLocalConfig, 10, 64)\n\tif err != nil {\n\t\treturn pkgerrors.Wrapf(err, \"failed to parse %s\", flags.MaxActiveFlows)\n\t}\n\n\t// Override the value that comes from the remote with the local value\n\tremoteWarpRouting.MaxActiveFlows = maxActiveFlowsLocalOverride\n\treturn nil\n}\n\n// The caller is responsible to make sure there is no concurrent access\nfunc (o *Orchestrator) updateIngress(ingressRules ingress.Ingress, warpRouting ingress.WarpRoutingConfig) error {\n\tselect {\n\tcase <-o.shutdownC:\n\t\treturn fmt.Errorf(\"cloudflared already shutdown\")\n\tdefault:\n\t}\n\n\t// Overrides the local values, onto the remote values of the warp routing configuration\n\tif err := o.overrideRemoteWarpRoutingWithLocalValues(&warpRouting); err != nil {\n\t\treturn pkgerrors.Wrap(err, \"failed to merge local overrides into warp routing configuration\")\n\t}\n\n\t// Assign the internal ingress rules to the parsed ingress\n\tingressRules.InternalRules = o.internalRules\n\n\t// Check if ingress rules are empty, and add the default route if so.\n\tif ingressRules.IsEmpty() {\n\t\tingressRules.Rules = ingress.GetDefaultIngressRules(o.log)\n\t}\n\n\t// Start new proxy before closing the ones from last version.\n\t// The upside is we don't need to restart proxy from last version, which can fail\n\t// The downside is new version might have ingress rule that require previous version to be shutdown first\n\t// The downside is minimized because none of the ingress.OriginService implementation have that requirement\n\tproxyShutdownC := make(chan struct{})\n\tif err := ingressRules.StartOrigins(o.log, proxyShutdownC); err != nil {\n\t\treturn pkgerrors.Wrap(err, \"failed to start origin\")\n\t}\n\n\t// Update the flow limit since the configuration might have changed\n\to.flowLimiter.SetLimit(warpRouting.MaxActiveFlows)\n\n\t// Update the origin dialer service with the new dialer settings\n\t// We need to update the dialer here instead of creating a new instance of OriginDialerService because it has\n\t// its own references and go routines. Specifically, the UDP dialer is a reference to this same service all the\n\t// way into the datagram manager. Reconstructing the datagram manager is not something we currently provide during\n\t// runtime in response to a configuration push except when starting a tunnel connection.\n\to.originDialerService.UpdateDefaultDialer(ingress.NewDialer(warpRouting))\n\n\t// Create and replace the origin proxy with a new instance\n\tproxy := proxy.NewOriginProxy(ingressRules, o.originDialerService, o.tags, o.flowLimiter, o.log)\n\to.proxy.Store(proxy)\n\to.config.Ingress = &ingressRules\n\to.config.WarpRouting = warpRouting\n\n\t// If proxyShutdownC is nil, there is no previous running proxy\n\tif o.proxyShutdownC != nil {\n\t\tclose(o.proxyShutdownC)\n\t}\n\to.proxyShutdownC = proxyShutdownC\n\treturn nil\n}\n\n// GetConfigJSON returns the current json serialization of the config as the edge understands it\nfunc (o *Orchestrator) GetConfigJSON() ([]byte, error) {\n\to.lock.RLock()\n\tdefer o.lock.RUnlock()\n\n\tc := &newLocalConfig{\n\t\tRemoteConfig: ingress.RemoteConfig{\n\t\t\tIngress: *o.config.Ingress,\n\t\t\tWarpRouting: o.config.WarpRouting,\n\t\t},\n\t\tConfigurationFlags: o.config.ConfigurationFlags,\n\t}\n\n\treturn json.Marshal(c)\n}\n\n// GetVersionedConfigJSON returns the current version and configuration as JSON\nfunc (o *Orchestrator) GetVersionedConfigJSON() ([]byte, error) {\n\to.lock.RLock()\n\tdefer o.lock.RUnlock()\n\tvar currentConfiguration = struct {\n\t\tVersion int32 `json:\"version\"`\n\t\tConfig struct {\n\t\t\tIngress []ingress.Rule `json:\"ingress\"`\n\t\t\tWarpRouting config.WarpRoutingConfig `json:\"warp-routing\"`\n\t\t\tOriginRequest ingress.OriginRequestConfig `json:\"originRequest\"`\n\t\t} `json:\"config\"`\n\t}{\n\t\tVersion: o.currentVersion,\n\t\tConfig: struct {\n\t\t\tIngress []ingress.Rule `json:\"ingress\"`\n\t\t\tWarpRouting config.WarpRoutingConfig `json:\"warp-routing\"`\n\t\t\tOriginRequest ingress.OriginRequestConfig `json:\"originRequest\"`\n\t\t}{\n\t\t\tIngress: o.config.Ingress.Rules,\n\t\t\tWarpRouting: o.config.WarpRouting.RawConfig(),\n\t\t\tOriginRequest: o.config.Ingress.Defaults,\n\t\t},\n\t}\n\treturn json.Marshal(currentConfiguration)\n}\n\n// GetOriginProxy returns an interface to proxy to origin. It satisfies connection.ConfigManager interface\nfunc (o *Orchestrator) GetOriginProxy() (connection.OriginProxy, error) {\n\tval := o.proxy.Load()\n\tif val == nil {\n\t\terr := fmt.Errorf(\"origin proxy not configured\")\n\t\to.log.Error().Msg(err.Error())\n\t\treturn nil, err\n\t}\n\tproxy, ok := val.(connection.OriginProxy)\n\tif !ok {\n\t\terr := fmt.Errorf(\"origin proxy has unexpected value %+v\", val)\n\t\to.log.Error().Msg(err.Error())\n\t\treturn nil, err\n\t}\n\treturn proxy, nil\n}\n\n// GetFlowLimiter returns the flow limiter used across cloudflared, that can be hot reload when\n// the configuration changes.\nfunc (o *Orchestrator) GetFlowLimiter() cfdflow.Limiter {\n\treturn o.flowLimiter\n}\n\nfunc (o *Orchestrator) waitToCloseLastProxy() {\n\t<-o.shutdownC\n\to.lock.Lock()\n\tdefer o.lock.Unlock()\n\n\tif o.proxyShutdownC != nil {\n\t\tclose(o.proxyShutdownC)\n\t\to.proxyShutdownC = nil\n\t}\n}\n" }, { "path": "orchestration/orchestrator_test.go", "content": "package orchestration\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/gobwas/ws/wsutil\"\n\t\"github.com/google/uuid\"\n\tgows \"github.com/gorilla/websocket\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/cmd/cloudflared/flags\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/management\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\nvar (\n\ttestLogger = zerolog.Nop()\n\ttestTags = []pogs.Tag{\n\t\t{\n\t\t\tName: \"package\",\n\t\t\tValue: \"orchestration\",\n\t\t},\n\t\t{\n\t\t\tName: \"purpose\",\n\t\t\tValue: \"test\",\n\t\t},\n\t}\n\ttestDefaultDialer = ingress.NewDialer(ingress.WarpRoutingConfig{\n\t\tConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},\n\t\tTCPKeepAlive: config.CustomDuration{Duration: 15 * time.Second},\n\t\tMaxActiveFlows: 0,\n\t})\n)\n\n// TestUpdateConfiguration tests that\n// - configurations can be deserialized\n// - proxy can be updated\n// - last applied version and error are returned\n// - configurations can be deserialized\n// - receiving an old version is noop\nfunc TestUpdateConfiguration(t *testing.T) {\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 1 * time.Second,\n\t}, &testLogger)\n\tinitConfig := &Config{\n\t\tIngress: &ingress.Ingress{},\n\t\tOriginDialerService: originDialer,\n\t}\n\torchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{ingress.NewManagementRule(management.New(\"management.argotunnel.com\", false, \"1.1.1.1:80\", uuid.Nil, \"\", &testLogger, nil))}, &testLogger)\n\trequire.NoError(t, err)\n\tinitOriginProxy, err := orchestrator.GetOriginProxy()\n\trequire.NoError(t, err)\n\trequire.Implements(t, (*connection.OriginProxy)(nil), initOriginProxy)\n\n\tconfigJSONV2 := []byte(`\n{\n\t\"unknown_field\": \"not_deserialized\",\n \"originRequest\": {\n \"connectTimeout\": 90,\n\t\t\"noHappyEyeballs\": true\n },\n \"ingress\": [\n {\n \"hostname\": \"jira.tunnel.org\",\n\t\t\t\"path\": \"^\\/login\",\n \"service\": \"http://192.16.19.1:443\",\n \"originRequest\": {\n \"noTLSVerify\": true,\n \"connectTimeout\": 10\n }\n },\n\t\t{\n \"hostname\": \"jira.tunnel.org\",\n \"service\": \"http://172.32.20.6:80\",\n \"originRequest\": {\n \"noTLSVerify\": true,\n \"connectTimeout\": 30\n }\n },\n {\n \"service\": \"http_status:404\"\n }\n ],\n \"warp-routing\": {\n \"connectTimeout\": 10\n }\n}\n`)\n\n\tupdateWithValidation(t, orchestrator, 2, configJSONV2)\n\tconfigV2 := orchestrator.config\n\t// Validate internal ingress rules\n\trequire.Equal(t, \"management.argotunnel.com\", configV2.Ingress.InternalRules[0].Hostname)\n\trequire.True(t, configV2.Ingress.InternalRules[0].Matches(\"management.argotunnel.com\", \"/ping\"))\n\trequire.Equal(t, \"management\", configV2.Ingress.InternalRules[0].Service.String())\n\t// Validate ingress rule 0\n\trequire.Equal(t, \"jira.tunnel.org\", configV2.Ingress.Rules[0].Hostname)\n\trequire.True(t, configV2.Ingress.Rules[0].Matches(\"jira.tunnel.org\", \"/login\"))\n\trequire.True(t, configV2.Ingress.Rules[0].Matches(\"jira.tunnel.org\", \"/login/2fa\"))\n\trequire.False(t, configV2.Ingress.Rules[0].Matches(\"jira.tunnel.org\", \"/users\"))\n\trequire.Equal(t, \"http://192.16.19.1:443\", configV2.Ingress.Rules[0].Service.String())\n\trequire.Len(t, configV2.Ingress.Rules, 3)\n\t// originRequest of this ingress rule overrides global default\n\trequire.Equal(t, config.CustomDuration{Duration: time.Second * 10}, configV2.Ingress.Rules[0].Config.ConnectTimeout)\n\trequire.True(t, configV2.Ingress.Rules[0].Config.NoTLSVerify)\n\t// Inherited from global default\n\trequire.True(t, configV2.Ingress.Rules[0].Config.NoHappyEyeballs)\n\t// Validate ingress rule 1\n\trequire.Equal(t, \"jira.tunnel.org\", configV2.Ingress.Rules[1].Hostname)\n\trequire.True(t, configV2.Ingress.Rules[1].Matches(\"jira.tunnel.org\", \"/users\"))\n\trequire.Equal(t, \"http://172.32.20.6:80\", configV2.Ingress.Rules[1].Service.String())\n\t// originRequest of this ingress rule overrides global default\n\trequire.Equal(t, config.CustomDuration{Duration: time.Second * 30}, configV2.Ingress.Rules[1].Config.ConnectTimeout)\n\trequire.True(t, configV2.Ingress.Rules[1].Config.NoTLSVerify)\n\t// Inherited from global default\n\trequire.True(t, configV2.Ingress.Rules[1].Config.NoHappyEyeballs)\n\t// Validate ingress rule 2, it's the catch-all rule\n\trequire.True(t, configV2.Ingress.Rules[2].Matches(\"blogs.tunnel.io\", \"/2022/02/10\"))\n\t// Inherited from global default\n\trequire.Equal(t, config.CustomDuration{Duration: time.Second * 90}, configV2.Ingress.Rules[2].Config.ConnectTimeout)\n\trequire.False(t, configV2.Ingress.Rules[2].Config.NoTLSVerify)\n\trequire.True(t, configV2.Ingress.Rules[2].Config.NoHappyEyeballs)\n\trequire.Equal(t, 10*time.Second, configV2.WarpRouting.ConnectTimeout.Duration)\n\n\toriginProxyV2, err := orchestrator.GetOriginProxy()\n\trequire.NoError(t, err)\n\trequire.Implements(t, (*connection.OriginProxy)(nil), originProxyV2)\n\trequire.NotEqual(t, originProxyV2, initOriginProxy)\n\n\t// Should not downgrade to an older version\n\tresp := orchestrator.UpdateConfig(1, nil)\n\trequire.NoError(t, resp.Err)\n\trequire.Equal(t, int32(2), resp.LastAppliedVersion)\n\n\tinvalidJSON := []byte(`\n{\n\t\"originRequest\":\n}\n\n`)\n\n\tresp = orchestrator.UpdateConfig(3, invalidJSON)\n\trequire.Error(t, resp.Err)\n\trequire.Equal(t, int32(2), resp.LastAppliedVersion)\n\toriginProxyV3, err := orchestrator.GetOriginProxy()\n\trequire.NoError(t, err)\n\trequire.Equal(t, originProxyV2, originProxyV3)\n\n\tconfigJSONV10 := []byte(`\n{\n \"ingress\": [\n {\n \"service\": \"hello-world\"\n }\n ],\n \"warp-routing\": {\n }\n}\n`)\n\tupdateWithValidation(t, orchestrator, 10, configJSONV10)\n\tconfigV10 := orchestrator.config\n\trequire.Len(t, configV10.Ingress.Rules, 1)\n\trequire.True(t, configV10.Ingress.Rules[0].Matches(\"blogs.tunnel.io\", \"/2022/02/10\"))\n\trequire.Equal(t, ingress.HelloWorldService, configV10.Ingress.Rules[0].Service.String())\n\n\toriginProxyV10, err := orchestrator.GetOriginProxy()\n\trequire.NoError(t, err)\n\trequire.Implements(t, (*connection.OriginProxy)(nil), originProxyV10)\n\trequire.NotEqual(t, originProxyV10, originProxyV2)\n}\n\n// Validates that a new version 0 will be applied if the configuration is loaded locally.\n// This will happen when a locally managed tunnel is migrated to remote configuration and receives its first configuration.\nfunc TestUpdateConfiguration_FromMigration(t *testing.T) {\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 1 * time.Second,\n\t}, &testLogger)\n\tinitConfig := &Config{\n\t\tIngress: &ingress.Ingress{},\n\t\tOriginDialerService: originDialer,\n\t}\n\torchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{}, &testLogger)\n\trequire.NoError(t, err)\n\tinitOriginProxy, err := orchestrator.GetOriginProxy()\n\trequire.NoError(t, err)\n\trequire.Implements(t, (*connection.OriginProxy)(nil), initOriginProxy)\n\n\tconfigJSONV2 := []byte(`\n{\n \"ingress\": [\n {\n \"service\": \"http_status:404\"\n }\n ],\n \"warp-routing\": {\n }\n}\n`)\n\tupdateWithValidation(t, orchestrator, 0, configJSONV2)\n\trequire.Len(t, orchestrator.config.Ingress.Rules, 1)\n}\n\n// Validates that the default ingress rule will be set if there is no rule provided from the remote.\nfunc TestUpdateConfiguration_WithoutIngressRule(t *testing.T) {\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 1 * time.Second,\n\t}, &testLogger)\n\tinitConfig := &Config{\n\t\tIngress: &ingress.Ingress{},\n\t\tOriginDialerService: originDialer,\n\t}\n\torchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{}, &testLogger)\n\trequire.NoError(t, err)\n\tinitOriginProxy, err := orchestrator.GetOriginProxy()\n\trequire.NoError(t, err)\n\trequire.Implements(t, (*connection.OriginProxy)(nil), initOriginProxy)\n\n\t// We need to create an empty RemoteConfigJSON because that will get unmarshalled to a RemoteConfig\n\temptyConfig := &ingress.RemoteConfigJSON{}\n\tconfigBytes, err := json.Marshal(emptyConfig)\n\tif err != nil {\n\t\trequire.FailNow(t, \"The RemoteConfigJSON shouldn't fail while being marshalled\")\n\t}\n\n\tupdateWithValidation(t, orchestrator, 0, configBytes)\n\trequire.Len(t, orchestrator.config.Ingress.Rules, 1)\n}\n\n// TestConcurrentUpdateAndRead makes sure orchestrator can receive updates and return origin proxy concurrently\nfunc TestConcurrentUpdateAndRead(t *testing.T) {\n\tconst (\n\t\tconcurrentRequests = 200\n\t\thostname = \"public.tunnels.org\"\n\t\texpectedHost = \"internal.tunnels.svc.cluster.local\"\n\t\ttcpBody = \"testProxyTCP\"\n\t)\n\n\thttpOrigin := httptest.NewServer(&validateHostHandler{\n\t\texpectedHost: expectedHost,\n\t\tbody: t.Name(),\n\t})\n\tdefer httpOrigin.Close()\n\n\ttcpOrigin, err := net.Listen(\"tcp\", \"127.0.0.1:0\")\n\trequire.NoError(t, err)\n\tdefer tcpOrigin.Close()\n\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 1 * time.Second,\n\t}, &testLogger)\n\n\tvar (\n\t\tconfigJSONV1 = []byte(fmt.Sprintf(`\n{\n \"originRequest\": {\n \"connectTimeout\": 90,\n\t\t\"noHappyEyeballs\": true\n },\n \"ingress\": [\n {\n \"hostname\": \"%s\",\n \"service\": \"%s\",\n \"originRequest\": {\n\t\t\t\t\"httpHostHeader\": \"%s\",\n \"connectTimeout\": 10\n }\n },\n {\n \"service\": \"http_status:404\"\n }\n ],\n \"warp-routing\": {\n }\n}\n`, hostname, httpOrigin.URL, expectedHost))\n\t\tconfigJSONV2 = []byte(`\n{\n \"ingress\": [\n {\n \"service\": \"http_status:204\"\n }\n ],\n \"warp-routing\": {\n }\n}\n`)\n\n\t\tconfigJSONV3 = []byte(`\n{\n \"ingress\": [\n {\n \"service\": \"http_status:418\"\n }\n ],\n \"warp-routing\": {\n }\n}\n`)\n\n\t\t// appliedV2 makes sure v3 is applied after v2\n\t\tappliedV2 = make(chan struct{})\n\n\t\tinitConfig = &Config{\n\t\t\tIngress: &ingress.Ingress{},\n\t\t\tOriginDialerService: originDialer,\n\t\t}\n\t)\n\n\tctx, cancel := context.WithCancel(t.Context())\n\tdefer cancel()\n\n\torchestrator, err := NewOrchestrator(ctx, initConfig, testTags, []ingress.Rule{}, &testLogger)\n\trequire.NoError(t, err)\n\n\tupdateWithValidation(t, orchestrator, 1, configJSONV1)\n\n\tvar wg sync.WaitGroup\n\t// tcpOrigin will be closed when the test exits. Only the handler routines are included in the wait group\n\tgo func() {\n\t\tserveTCPOrigin(t, tcpOrigin, &wg)\n\t}()\n\tfor i := range concurrentRequests {\n\t\toriginProxy, err := orchestrator.GetOriginProxy()\n\t\trequire.NoError(t, err)\n\t\twg.Add(1)\n\t\tgo func(i int, originProxy connection.OriginProxy) {\n\t\t\tdefer wg.Done()\n\t\t\tresp, err := proxyHTTP(originProxy, hostname)\n\t\t\tassert.NoError(t, err, \"proxyHTTP %d failed %v\", i, err)\n\t\t\tdefer resp.Body.Close()\n\n\t\t\t// The response can be from initOrigin, http_status:204 or http_status:418\n\t\t\tswitch resp.StatusCode {\n\t\t\t// v1 proxy\n\t\t\tcase 200:\n\t\t\t\tbody, err := io.ReadAll(resp.Body)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, t.Name(), string(body))\n\t\t\t// v2 proxy\n\t\t\tcase 204:\n\t\t\t\tassert.Greater(t, i, concurrentRequests/4)\n\t\t\t// v3 proxy\n\t\t\tcase 418:\n\t\t\t\tassert.Greater(t, i, concurrentRequests/2)\n\t\t\t}\n\n\t\t\t// Once we have originProxy, it won't be changed by configuration updates.\n\t\t\t// We can infer the version by the ProxyHTTP response code\n\t\t\tpr, pw := io.Pipe()\n\t\t\tw := newRespReadWriteFlusher()\n\n\t\t\t// Write TCP message and make sure it's echo back. This has to be done in a go routune since ProxyTCP doesn't\n\t\t\t// return until the stream is closed.\n\t\t\twg.Add(1)\n\t\t\tgo func() {\n\t\t\t\tdefer wg.Done()\n\t\t\t\tdefer pw.Close()\n\t\t\t\ttcpEyeball(t, pw, tcpBody, w)\n\t\t\t}()\n\n\t\t\terr = proxyTCP(ctx, originProxy, tcpOrigin.Addr().String(), w, pr)\n\t\t\tassert.NoError(t, err, \"proxyTCP %d failed %v\", i, err)\n\t\t}(i, originProxy)\n\n\t\tif i == concurrentRequests/4 {\n\t\t\twg.Add(1)\n\t\t\tgo func() {\n\t\t\t\tdefer wg.Done()\n\t\t\t\tupdateWithValidation(t, orchestrator, 2, configJSONV2)\n\t\t\t\tclose(appliedV2)\n\t\t\t}()\n\t\t}\n\n\t\tif i == concurrentRequests/2 {\n\t\t\twg.Add(1)\n\t\t\tgo func() {\n\t\t\t\tdefer wg.Done()\n\t\t\t\t// Makes sure v2 is applied before v3\n\t\t\t\t<-appliedV2\n\t\t\t\tupdateWithValidation(t, orchestrator, 3, configJSONV3)\n\t\t\t}()\n\t\t}\n\t}\n\n\twg.Wait()\n}\n\n// TestOverrideWarpRoutingConfigWithLocalValues tests that if a value is defined in the Config.ConfigurationFlags,\n// it will override the value that comes from the remote result.\nfunc TestOverrideWarpRoutingConfigWithLocalValues(t *testing.T) {\n\tctx, cancel := context.WithCancel(t.Context())\n\tdefer cancel()\n\n\tassertMaxActiveFlows := func(orchestrator *Orchestrator, expectedValue uint64) {\n\t\tconfigJson, err := orchestrator.GetConfigJSON()\n\t\trequire.NoError(t, err)\n\t\tvar result map[string]interface{}\n\t\terr = json.Unmarshal(configJson, &result)\n\t\trequire.NoError(t, err)\n\t\twarpRouting := result[\"warp-routing\"].(map[string]interface{})\n\t\trequire.EqualValues(t, expectedValue, warpRouting[\"maxActiveFlows\"])\n\t}\n\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 1 * time.Second,\n\t}, &testLogger)\n\n\t// All the possible values set for MaxActiveFlows from the various points that can provide it:\n\t// 1. Initialized value\n\t// 2. Local CLI flag config\n\t// 3. Remote configuration value\n\tinitValue := uint64(0)\n\tlocalValue := uint64(100)\n\tremoteValue := uint64(500)\n\n\tinitConfig := &Config{\n\t\tIngress: &ingress.Ingress{},\n\t\tWarpRouting: ingress.WarpRoutingConfig{\n\t\t\tMaxActiveFlows: initValue,\n\t\t},\n\t\tOriginDialerService: originDialer,\n\t\tConfigurationFlags: map[string]string{\n\t\t\tflags.MaxActiveFlows: fmt.Sprintf(\"%d\", localValue),\n\t\t},\n\t}\n\n\t// We expect the local configuration flag to be the starting value\n\torchestrator, err := NewOrchestrator(ctx, initConfig, testTags, []ingress.Rule{}, &testLogger)\n\trequire.NoError(t, err)\n\n\tassertMaxActiveFlows(orchestrator, localValue)\n\n\t// Assigning the MaxActiveFlows in the remote config should be ignored over the local config\n\tremoteWarpConfig := ingress.WarpRoutingConfig{\n\t\tMaxActiveFlows: remoteValue,\n\t}\n\n\t// Force a configuration refresh\n\terr = orchestrator.updateIngress(ingress.Ingress{}, remoteWarpConfig)\n\trequire.NoError(t, err)\n\n\t// Check the value being used is the local one\n\tassertMaxActiveFlows(orchestrator, localValue)\n}\n\nfunc proxyHTTP(originProxy connection.OriginProxy, hostname string) (*http.Response, error) {\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"http://%s\", hostname), nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tw := httptest.NewRecorder()\n\tlog := zerolog.Nop()\n\trespWriter, err := connection.NewHTTP2RespWriter(req, w, connection.TypeHTTP, &log)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\terr = originProxy.ProxyHTTP(respWriter, tracing.NewTracedHTTPRequest(req, 0, &log), false)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn w.Result(), nil\n}\n\n// nolint: testifylint // this is used inside go routines so it can't use `require.`\nfunc tcpEyeball(t *testing.T, reqWriter io.WriteCloser, body string, respReadWriter *respReadWriteFlusher) {\n\twriteN, err := reqWriter.Write([]byte(body))\n\tassert.NoError(t, err)\n\n\treadBuffer := make([]byte, writeN)\n\tn, err := respReadWriter.Read(readBuffer)\n\tassert.NoError(t, err)\n\tassert.Equal(t, body, string(readBuffer[:n]))\n\tassert.Equal(t, writeN, n)\n}\n\nfunc proxyTCP(ctx context.Context, originProxy connection.OriginProxy, originAddr string, w http.ResponseWriter, reqBody io.ReadCloser) error {\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"http://%s\", originAddr), reqBody)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tlog := zerolog.Nop()\n\trespWriter, err := connection.NewHTTP2RespWriter(req, w, connection.TypeTCP, &log)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\ttcpReq := &connection.TCPRequest{\n\t\tDest: originAddr,\n\t\tCFRay: \"123\",\n\t\tLBProbe: false,\n\t}\n\trws := connection.NewHTTPResponseReadWriterAcker(respWriter, w.(http.Flusher), req)\n\n\treturn originProxy.ProxyTCP(ctx, rws, tcpReq)\n}\n\nfunc serveTCPOrigin(t *testing.T, tcpOrigin net.Listener, wg *sync.WaitGroup) {\n\tfor {\n\t\tconn, err := tcpOrigin.Accept()\n\t\tif err != nil {\n\t\t\treturn\n\t\t}\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\tdefer wg.Done()\n\t\t\tdefer conn.Close()\n\n\t\t\techoTCP(t, conn)\n\t\t}()\n\t}\n}\n\n// nolint: testifylint // this is used inside go routines so it can't use `require.`\nfunc echoTCP(t *testing.T, conn net.Conn) {\n\treadBuf := make([]byte, 1000)\n\treadN, err := conn.Read(readBuf)\n\tassert.NoError(t, err)\n\n\twriteN, err := conn.Write(readBuf[:readN])\n\tassert.NoError(t, err)\n\tassert.Equal(t, readN, writeN)\n}\n\ntype validateHostHandler struct {\n\texpectedHost string\n\tbody string\n}\n\nfunc (vhh *validateHostHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tif r.Host != vhh.expectedHost {\n\t\tw.WriteHeader(http.StatusBadRequest)\n\t\treturn\n\t}\n\tw.WriteHeader(http.StatusOK)\n\t_, _ = w.Write([]byte(vhh.body))\n}\n\n// nolint: testifylint // this is used inside go routines so it can't use `require.`\nfunc updateWithValidation(t *testing.T, orchestrator *Orchestrator, version int32, config []byte) {\n\tresp := orchestrator.UpdateConfig(version, config)\n\tassert.NoError(t, resp.Err)\n\tassert.Equal(t, version, resp.LastAppliedVersion)\n}\n\n// TestClosePreviousProxies makes sure proxies started in the previous configuration version are shutdown\nfunc TestClosePreviousProxies(t *testing.T) {\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 1 * time.Second,\n\t}, &testLogger)\n\tvar (\n\t\thostname = \"hello.tunnel1.org\"\n\t\tconfigWithHelloWorld = []byte(fmt.Sprintf(`\n{\n \"ingress\": [\n {\n\t\t\t\"hostname\": \"%s\",\n \"service\": \"hello-world\"\n },\n\t\t{\n\t\t\t\"service\": \"http_status:404\"\n\t\t}\n ],\n \"warp-routing\": {\n }\n}\n`, hostname))\n\n\t\tconfigTeapot = []byte(`\n{\n \"ingress\": [\n\t\t{\n\t\t\t\"service\": \"http_status:418\"\n\t\t}\n ],\n \"warp-routing\": {\n }\n}\n`)\n\t\tinitConfig = &Config{\n\t\t\tIngress: &ingress.Ingress{},\n\t\t\tOriginDialerService: originDialer,\n\t\t}\n\t)\n\n\tctx, cancel := context.WithCancel(t.Context())\n\torchestrator, err := NewOrchestrator(ctx, initConfig, testTags, []ingress.Rule{}, &testLogger)\n\trequire.NoError(t, err)\n\n\tupdateWithValidation(t, orchestrator, 1, configWithHelloWorld)\n\n\toriginProxyV1, err := orchestrator.GetOriginProxy()\n\trequire.NoError(t, err)\n\t// nolint: bodyclose\n\tresp, err := proxyHTTP(originProxyV1, hostname)\n\trequire.NoError(t, err)\n\trequire.Equal(t, http.StatusOK, resp.StatusCode)\n\n\tupdateWithValidation(t, orchestrator, 2, configTeapot)\n\n\toriginProxyV2, err := orchestrator.GetOriginProxy()\n\trequire.NoError(t, err)\n\t// nolint: bodyclose\n\tresp, err = proxyHTTP(originProxyV2, hostname)\n\trequire.NoError(t, err)\n\trequire.Equal(t, http.StatusTeapot, resp.StatusCode)\n\n\t// The hello-world server in config v1 should have been stopped. We wait a bit since it's closed asynchronously.\n\ttime.Sleep(time.Millisecond * 10)\n\t// nolint: bodyclose\n\tresp, err = proxyHTTP(originProxyV1, hostname)\n\trequire.Error(t, err)\n\trequire.Nil(t, resp)\n\n\t// Apply the config with hello world server again, orchestrator should spin up another hello world server\n\tupdateWithValidation(t, orchestrator, 3, configWithHelloWorld)\n\n\toriginProxyV3, err := orchestrator.GetOriginProxy()\n\trequire.NoError(t, err)\n\trequire.NotEqual(t, originProxyV1, originProxyV3)\n\n\t// nolint: bodyclose\n\tresp, err = proxyHTTP(originProxyV3, hostname)\n\trequire.NoError(t, err)\n\trequire.Equal(t, http.StatusOK, resp.StatusCode)\n\n\t// cancel the context should terminate the last proxy\n\tcancel()\n\t// Wait for proxies to shutdown\n\ttime.Sleep(time.Millisecond * 10)\n\n\t// nolint: bodyclose\n\tresp, err = proxyHTTP(originProxyV3, hostname)\n\trequire.Error(t, err)\n\trequire.Nil(t, resp)\n}\n\n// TestPersistentConnection makes sure updating the ingress doesn't intefere with existing connections\nfunc TestPersistentConnection(t *testing.T) {\n\tconst (\n\t\thostname = \"http://ws.tunnel.org\"\n\t)\n\tmsg := t.Name()\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 1 * time.Second,\n\t}, &testLogger)\n\tinitConfig := &Config{\n\t\tIngress: &ingress.Ingress{},\n\t\tOriginDialerService: originDialer,\n\t}\n\torchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{}, &testLogger)\n\trequire.NoError(t, err)\n\n\twsOrigin := httptest.NewServer(http.HandlerFunc(wsEcho))\n\tdefer wsOrigin.Close()\n\n\ttcpOrigin, err := net.Listen(\"tcp\", \"127.0.0.1:0\")\n\trequire.NoError(t, err)\n\tdefer tcpOrigin.Close()\n\n\tconfigWithWSAndWarp := []byte(fmt.Sprintf(`\n{\n \"ingress\": [\n {\n \"service\": \"%s\"\n }\n ],\n \"warp-routing\": {\n }\n}\n`, wsOrigin.URL))\n\n\tupdateWithValidation(t, orchestrator, 1, configWithWSAndWarp)\n\n\toriginProxy, err := orchestrator.GetOriginProxy()\n\trequire.NoError(t, err)\n\n\twsReqReader, wsReqWriter := io.Pipe()\n\twsRespReadWriter := newRespReadWriteFlusher()\n\n\ttcpReqReader, tcpReqWriter := io.Pipe()\n\ttcpRespReadWriter := newRespReadWriteFlusher()\n\n\tctx, cancel := context.WithCancel(t.Context())\n\tdefer cancel()\n\n\tvar wg sync.WaitGroup\n\twg.Add(3)\n\t// Start TCP origin\n\tgo func() {\n\t\tdefer wg.Done()\n\t\tconn, err := tcpOrigin.Accept()\n\t\tassert.NoError(t, err)\n\t\tdefer conn.Close()\n\n\t\t// Expect 3 TCP messages\n\t\tfor i := 0; i < 3; i++ {\n\t\t\techoTCP(t, conn)\n\t\t}\n\t}()\n\t// Simulate cloudflared receiving a TCP connection\n\tgo func() {\n\t\tdefer wg.Done()\n\t\tassert.NoError(t, proxyTCP(ctx, originProxy, tcpOrigin.Addr().String(), tcpRespReadWriter, tcpReqReader))\n\t}()\n\t// Simulate cloudflared receiving a WS connection\n\tgo func() {\n\t\tdefer wg.Done()\n\n\t\treq, err := http.NewRequest(http.MethodGet, hostname, wsReqReader)\n\t\tassert.NoError(t, err)\n\t\t// ProxyHTTP will add Connection, Upgrade and Sec-Websocket-Version headers\n\t\treq.Header.Add(\"Sec-WebSocket-Key\", \"dGhlIHNhbXBsZSBub25jZQ==\")\n\n\t\tlog := zerolog.Nop()\n\t\trespWriter, err := connection.NewHTTP2RespWriter(req, wsRespReadWriter, connection.TypeWebsocket, &log)\n\t\tassert.NoError(t, err)\n\n\t\terr = originProxy.ProxyHTTP(respWriter, tracing.NewTracedHTTPRequest(req, 0, &log), true)\n\t\tassert.NoError(t, err)\n\t}()\n\n\t// Simulate eyeball WS and TCP connections\n\tvalidateWsEcho(t, msg, wsReqWriter, wsRespReadWriter)\n\ttcpEyeball(t, tcpReqWriter, msg, tcpRespReadWriter)\n\n\tconfigNoWSAndWarp := []byte(`\n{\n \"ingress\": [\n {\n \"service\": \"http_status:404\"\n }\n ],\n \"warp-routing\": {\n }\n}\n`)\n\n\tupdateWithValidation(t, orchestrator, 2, configNoWSAndWarp)\n\t// Make sure connection is still up\n\tvalidateWsEcho(t, msg, wsReqWriter, wsRespReadWriter)\n\ttcpEyeball(t, tcpReqWriter, msg, tcpRespReadWriter)\n\n\tupdateWithValidation(t, orchestrator, 3, configWithWSAndWarp)\n\t// Make sure connection is still up\n\tvalidateWsEcho(t, msg, wsReqWriter, wsRespReadWriter)\n\ttcpEyeball(t, tcpReqWriter, msg, tcpRespReadWriter)\n\n\twsReqWriter.Close()\n\ttcpReqWriter.Close()\n\twg.Wait()\n}\n\nfunc TestSerializeLocalConfig(t *testing.T) {\n\tc := &newLocalConfig{\n\t\tRemoteConfig: ingress.RemoteConfig{\n\t\t\tIngress: ingress.Ingress{},\n\t\t},\n\t\tConfigurationFlags: map[string]string{\"a\": \"b\"},\n\t}\n\n\tresult, err := json.Marshal(c)\n\trequire.NoError(t, err)\n\trequire.JSONEq(t, `{\"__configuration_flags\":{\"a\":\"b\"},\"ingress\":[],\"warp-routing\":{\"connectTimeout\":0,\"tcpKeepAlive\":0}}`, string(result))\n}\n\nfunc wsEcho(w http.ResponseWriter, r *http.Request) {\n\tupgrader := gows.Upgrader{}\n\n\tconn, err := upgrader.Upgrade(w, r, nil)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer conn.Close()\n\tfor {\n\t\tmt, message, err := conn.ReadMessage()\n\t\tif err != nil {\n\t\t\tfmt.Println(\"read message err\", err)\n\t\t\tbreak\n\t\t}\n\t\terr = conn.WriteMessage(mt, message)\n\t\tif err != nil {\n\t\t\tfmt.Println(\"write message err\", err)\n\t\t\tbreak\n\t\t}\n\t}\n}\n\nfunc validateWsEcho(t *testing.T, msg string, reqWriter io.Writer, respReadWriter io.ReadWriter) {\n\terr := wsutil.WriteClientText(reqWriter, []byte(msg))\n\trequire.NoError(t, err)\n\n\treceivedMsg, err := wsutil.ReadServerText(respReadWriter)\n\trequire.NoError(t, err)\n\trequire.Equal(t, msg, string(receivedMsg))\n}\n\ntype respReadWriteFlusher struct {\n\tio.Reader\n\tw io.Writer\n\theaders http.Header\n\tstatusCode int\n\tsetStatusOnce sync.Once\n\thasStatus chan struct{}\n}\n\nfunc newRespReadWriteFlusher() *respReadWriteFlusher {\n\tpr, pw := io.Pipe()\n\treturn &respReadWriteFlusher{\n\t\tReader: pr,\n\t\tw: pw,\n\t\theaders: make(http.Header),\n\t\thasStatus: make(chan struct{}),\n\t}\n}\n\nfunc (rrw *respReadWriteFlusher) Write(buf []byte) (int, error) {\n\trrw.WriteHeader(http.StatusOK)\n\treturn rrw.w.Write(buf)\n}\n\nfunc (rrw *respReadWriteFlusher) Flush() {}\n\nfunc (rrw *respReadWriteFlusher) Header() http.Header {\n\treturn rrw.headers\n}\n\nfunc (rrw *respReadWriteFlusher) WriteHeader(statusCode int) {\n\trrw.setStatusOnce.Do(func() {\n\t\trrw.statusCode = statusCode\n\t\tclose(rrw.hasStatus)\n\t})\n}\n" }, { "path": "overwatch/app_manager.go", "content": "package overwatch\n\n// ServiceCallback is a service notify it's runloop finished.\n// the first parameter is the service type\n// the second parameter is the service name\n// the third parameter is an optional error if the service failed\ntype ServiceCallback func(string, string, error)\n\n// AppManager is the default implementation of overwatch service management\ntype AppManager struct {\n\tservices map[string]Service\n\tcallback ServiceCallback\n}\n\n// NewAppManager creates a new overwatch manager\nfunc NewAppManager(callback ServiceCallback) Manager {\n\treturn &AppManager{services: make(map[string]Service), callback: callback}\n}\n\n// Add takes in a new service to manage.\n// It stops the service if it already exist in the manager and is running\n// It then starts the newly added service\nfunc (m *AppManager) Add(service Service) {\n\t// check for existing service\n\tif currentService, ok := m.services[service.Name()]; ok {\n\t\tif currentService.Hash() == service.Hash() {\n\t\t\treturn // the exact same service, no changes, so move along\n\t\t}\n\t\tcurrentService.Shutdown() //shutdown the listener since a new one is starting\n\t}\n\tm.services[service.Name()] = service\n\n\t//start the service!\n\tgo m.serviceRun(service)\n}\n\n// Remove shutdowns the service by name and removes it from its current management list\nfunc (m *AppManager) Remove(name string) {\n\tif currentService, ok := m.services[name]; ok {\n\t\tcurrentService.Shutdown()\n\t}\n\tdelete(m.services, name)\n}\n\n// Services returns all the current Services being managed\nfunc (m *AppManager) Services() []Service {\n\tvalues := []Service{}\n\tfor _, value := range m.services {\n\t\tvalues = append(values, value)\n\t}\n\treturn values\n}\n\nfunc (m *AppManager) serviceRun(service Service) {\n\terr := service.Run()\n\tif m.callback != nil {\n\t\tm.callback(service.Type(), service.Name(), err)\n\t}\n}\n" }, { "path": "overwatch/manager.go", "content": "package overwatch\n\n// Service is the required functions for an object to be managed by the overwatch Manager\ntype Service interface {\n\tName() string\n\tType() string\n\tHash() string\n\tShutdown()\n\tRun() error\n}\n\n// Manager is based type to manage running services\ntype Manager interface {\n\tAdd(Service)\n\tRemove(string)\n\tServices() []Service\n}\n" }, { "path": "overwatch/manager_test.go", "content": "package overwatch\n\nimport (\n\t\"crypto/md5\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\ntype mockService struct {\n\tserviceName string\n\tserviceType string\n\trunError error\n}\n\nfunc (s *mockService) Name() string {\n\treturn s.serviceName\n}\n\nfunc (s *mockService) Type() string {\n\treturn s.serviceType\n}\n\nfunc (s *mockService) Hash() string {\n\th := md5.New()\n\tio.WriteString(h, s.serviceName)\n\tio.WriteString(h, s.serviceType)\n\treturn fmt.Sprintf(\"%x\", h.Sum(nil))\n}\n\nfunc (s *mockService) Shutdown() {\n}\n\nfunc (s *mockService) Run() error {\n\treturn s.runError\n}\n\nfunc TestManagerAddAndRemove(t *testing.T) {\n\tm := NewAppManager(nil)\n\n\tfirst := &mockService{serviceName: \"first\", serviceType: \"mock\"}\n\tsecond := &mockService{serviceName: \"second\", serviceType: \"mock\"}\n\tm.Add(first)\n\tm.Add(second)\n\tassert.Len(t, m.Services(), 2, \"expected 2 services in the list\")\n\n\tm.Remove(first.Name())\n\tservices := m.Services()\n\tassert.Len(t, services, 1, \"expected 1 service in the list\")\n\tassert.Equal(t, second.Hash(), services[0].Hash(), \"hashes should match. Wrong service was removed\")\n}\n\nfunc TestManagerDuplicate(t *testing.T) {\n\tm := NewAppManager(nil)\n\n\tfirst := &mockService{serviceName: \"first\", serviceType: \"mock\"}\n\tm.Add(first)\n\tm.Add(first)\n\tassert.Len(t, m.Services(), 1, \"expected 1 service in the list\")\n}\n\nfunc TestManagerErrorChannel(t *testing.T) {\n\terrChan := make(chan error)\n\tserviceCallback := func(t string, name string, err error) {\n\t\terrChan <- err\n\t}\n\tm := NewAppManager(serviceCallback)\n\n\terr := errors.New(\"test error\")\n\tfirst := &mockService{serviceName: \"first\", serviceType: \"mock\", runError: err}\n\tm.Add(first)\n\trespErr := <-errChan\n\tassert.Equal(t, err, respErr, \"errors don't match\")\n}\n" }, { "path": "packet/decoder.go", "content": "package packet\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/google/gopacket\"\n\t\"github.com/google/gopacket/layers\"\n\t\"github.com/pkg/errors\"\n\t\"golang.org/x/net/icmp\"\n)\n\nfunc FindProtocol(p []byte) (layers.IPProtocol, error) {\n\tversion, err := FindIPVersion(p)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\tswitch version {\n\tcase 4:\n\t\tif len(p) < ipv4MinHeaderLen {\n\t\t\treturn 0, fmt.Errorf(\"IPv4 packet should have at least %d bytes, got %d bytes\", ipv4MinHeaderLen, len(p))\n\t\t}\n\t\t// Protocol is in the 10th byte of IPv4 header\n\t\treturn layers.IPProtocol(p[9]), nil\n\tcase 6:\n\t\tif len(p) < ipv6HeaderLen {\n\t\t\treturn 0, fmt.Errorf(\"IPv6 packet should have at least %d bytes, got %d bytes\", ipv6HeaderLen, len(p))\n\t\t}\n\t\t// Next header is in the 7th byte of IPv6 header\n\t\treturn layers.IPProtocol(p[6]), nil\n\tdefault:\n\t\treturn 0, fmt.Errorf(\"unknown ip version %d\", version)\n\t}\n}\n\nfunc FindIPVersion(p []byte) (uint8, error) {\n\tif len(p) == 0 {\n\t\treturn 0, fmt.Errorf(\"packet length is 0\")\n\t}\n\treturn p[0] >> 4, nil\n}\n\n// IPDecoder decodes raw packets into IP. It can process packets sequentially without allocating\n// memory for the layers, so it cannot be called concurrently.\ntype IPDecoder struct {\n\tipv4 *layers.IPv4\n\tipv6 *layers.IPv6\n\tlayers uint8\n\n\tv4parser *gopacket.DecodingLayerParser\n\tv6parser *gopacket.DecodingLayerParser\n}\n\nfunc NewIPDecoder() *IPDecoder {\n\tvar (\n\t\tipv4 layers.IPv4\n\t\tipv6 layers.IPv6\n\t)\n\tdlpv4 := gopacket.NewDecodingLayerParser(layers.LayerTypeIPv4)\n\tdlpv4.SetDecodingLayerContainer(gopacket.DecodingLayerSparse(nil))\n\tdlpv4.AddDecodingLayer(&ipv4)\n\t// Stop parsing when it encounter a layer that it doesn't have a parser\n\tdlpv4.IgnoreUnsupported = true\n\n\tdlpv6 := gopacket.NewDecodingLayerParser(layers.LayerTypeIPv6)\n\tdlpv6.SetDecodingLayerContainer(gopacket.DecodingLayerSparse(nil))\n\tdlpv6.AddDecodingLayer(&ipv6)\n\tdlpv6.IgnoreUnsupported = true\n\n\treturn &IPDecoder{\n\t\tipv4: &ipv4,\n\t\tipv6: &ipv6,\n\t\tlayers: 1,\n\t\tv4parser: dlpv4,\n\t\tv6parser: dlpv6,\n\t}\n}\n\nfunc (pd *IPDecoder) Decode(packet RawPacket) (*IP, error) {\n\t// Should decode to IP layer\n\tdecoded, err := pd.decodeByVersion(packet.Data)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tfor _, layerType := range decoded {\n\t\tswitch layerType {\n\t\tcase layers.LayerTypeIPv4:\n\t\t\treturn newIPv4(pd.ipv4)\n\t\tcase layers.LayerTypeIPv6:\n\t\t\treturn newIPv6(pd.ipv6)\n\t\t}\n\t}\n\treturn nil, fmt.Errorf(\"no ip layer is decoded\")\n}\n\nfunc (pd *IPDecoder) decodeByVersion(packet []byte) ([]gopacket.LayerType, error) {\n\tversion, err := FindIPVersion(packet)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdecoded := make([]gopacket.LayerType, 0, pd.layers)\n\tswitch version {\n\tcase 4:\n\t\terr = pd.v4parser.DecodeLayers(packet, &decoded)\n\tcase 6:\n\t\terr = pd.v6parser.DecodeLayers(packet, &decoded)\n\tdefault:\n\t\terr = fmt.Errorf(\"unknown ip version %d\", version)\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn decoded, nil\n}\n\n// ICMPDecoder decodes raw packets into IP and ICMP. It can process packets sequentially without allocating\n// memory for the layers, so it cannot be called concurrently.\ntype ICMPDecoder struct {\n\t*IPDecoder\n\ticmpv4 *layers.ICMPv4\n\ticmpv6 *layers.ICMPv6\n}\n\nfunc NewICMPDecoder() *ICMPDecoder {\n\tipDecoder := NewIPDecoder()\n\n\tvar (\n\t\ticmpv4 layers.ICMPv4\n\t\ticmpv6 layers.ICMPv6\n\t)\n\tipDecoder.layers++\n\tipDecoder.v4parser.AddDecodingLayer(&icmpv4)\n\tipDecoder.v6parser.AddDecodingLayer(&icmpv6)\n\n\treturn &ICMPDecoder{\n\t\tIPDecoder: ipDecoder,\n\t\ticmpv4: &icmpv4,\n\t\ticmpv6: &icmpv6,\n\t}\n}\n\nfunc (pd *ICMPDecoder) Decode(packet RawPacket) (*ICMP, error) {\n\t// Should decode to IP and optionally ICMP layer\n\tdecoded, err := pd.decodeByVersion(packet.Data)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tfor _, layerType := range decoded {\n\t\tswitch layerType {\n\t\tcase layers.LayerTypeICMPv4:\n\t\t\tipv4, err := newIPv4(pd.ipv4)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tmsg, err := icmp.ParseMessage(int(layers.IPProtocolICMPv4), append(pd.icmpv4.Contents, pd.icmpv4.Payload...))\n\t\t\tif err != nil {\n\t\t\t\treturn nil, errors.Wrap(err, \"failed to parse ICMPv4 message\")\n\t\t\t}\n\t\t\treturn &ICMP{\n\t\t\t\tIP: ipv4,\n\t\t\t\tMessage: msg,\n\t\t\t}, nil\n\t\tcase layers.LayerTypeICMPv6:\n\t\t\tipv6, err := newIPv6(pd.ipv6)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tmsg, err := icmp.ParseMessage(int(layers.IPProtocolICMPv6), append(pd.icmpv6.Contents, pd.icmpv6.Payload...))\n\t\t\tif err != nil {\n\t\t\t\treturn nil, errors.Wrap(err, \"failed to parse ICMPv6\")\n\t\t\t}\n\t\t\treturn &ICMP{\n\t\t\t\tIP: ipv6,\n\t\t\t\tMessage: msg,\n\t\t\t}, nil\n\t\t}\n\t}\n\tlayers := make([]string, len(decoded))\n\tfor i, l := range decoded {\n\t\tlayers[i] = l.String()\n\t}\n\treturn nil, fmt.Errorf(\"Expect to decode IP and ICMP layers, got %s\", layers)\n}\n" }, { "path": "packet/decoder_test.go", "content": "package packet\n\nimport (\n\t\"net\"\n\t\"net/netip\"\n\t\"testing\"\n\n\t\"github.com/google/gopacket\"\n\t\"github.com/google/gopacket/layers\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/icmp\"\n\t\"golang.org/x/net/ipv4\"\n\t\"golang.org/x/net/ipv6\"\n)\n\nfunc TestDecodeIP(t *testing.T) {\n\tipDecoder := NewIPDecoder()\n\ticmpDecoder := NewICMPDecoder()\n\tudps := []UDP{\n\t\t{\n\t\t\tIP: IP{\n\t\t\t\tSrc: netip.MustParseAddr(\"172.16.0.1\"),\n\t\t\t\tDst: netip.MustParseAddr(\"10.0.0.1\"),\n\t\t\t\tProtocol: layers.IPProtocolUDP,\n\t\t\t},\n\t\t\tSrcPort: 31678,\n\t\t\tDstPort: 53,\n\t\t},\n\t\t{\n\n\t\t\tIP: IP{\n\t\t\t\tSrc: netip.MustParseAddr(\"fd51:2391:523:f4ee::1\"),\n\t\t\t\tDst: netip.MustParseAddr(\"fd51:2391:697:f4ee::2\"),\n\t\t\t\tProtocol: layers.IPProtocolUDP,\n\t\t\t},\n\t\t\tSrcPort: 52139,\n\t\t\tDstPort: 1053,\n\t\t},\n\t}\n\n\tencoder := NewEncoder()\n\tfor _, udp := range udps {\n\t\tp, err := encoder.Encode(&udp)\n\t\trequire.NoError(t, err)\n\n\t\tipPacket, err := ipDecoder.Decode(p)\n\t\trequire.NoError(t, err)\n\t\tassertIPLayer(t, &udp.IP, ipPacket)\n\n\t\ticmpPacket, err := icmpDecoder.Decode(p)\n\t\trequire.Error(t, err)\n\t\trequire.Nil(t, icmpPacket)\n\t}\n}\n\nfunc TestDecodeICMP(t *testing.T) {\n\tipDecoder := NewIPDecoder()\n\ticmpDecoder := NewICMPDecoder()\n\tvar (\n\t\tipv4Packet = IP{\n\t\t\tSrc: netip.MustParseAddr(\"172.16.0.1\"),\n\t\t\tDst: netip.MustParseAddr(\"10.0.0.1\"),\n\t\t\tProtocol: layers.IPProtocolICMPv4,\n\t\t\tTTL: DefaultTTL,\n\t\t}\n\t\tipv6Packet = IP{\n\t\t\tSrc: netip.MustParseAddr(\"fd51:2391:523:f4ee::1\"),\n\t\t\tDst: netip.MustParseAddr(\"fd51:2391:697:f4ee::2\"),\n\t\t\tProtocol: layers.IPProtocolICMPv6,\n\t\t\tTTL: DefaultTTL,\n\t\t}\n\t\ticmpID = 100\n\t\ticmpSeq = 52819\n\t)\n\ttests := []struct {\n\t\ttestCase string\n\t\tpacket *ICMP\n\t}{\n\t\t{\n\t\t\ttestCase: \"icmpv4 time exceed\",\n\t\t\tpacket: &ICMP{\n\t\t\t\tIP: &ipv4Packet,\n\t\t\t\tMessage: &icmp.Message{\n\t\t\t\t\tType: ipv4.ICMPTypeTimeExceeded,\n\t\t\t\t\tCode: 0,\n\t\t\t\t\tBody: &icmp.TimeExceeded{\n\t\t\t\t\t\tData: []byte(\"original packet\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\ttestCase: \"icmpv4 echo\",\n\t\t\tpacket: &ICMP{\n\t\t\t\tIP: &ipv4Packet,\n\t\t\t\tMessage: &icmp.Message{\n\t\t\t\t\tType: ipv4.ICMPTypeEcho,\n\t\t\t\t\tCode: 0,\n\t\t\t\t\tBody: &icmp.Echo{\n\t\t\t\t\t\tID: icmpID,\n\t\t\t\t\t\tSeq: icmpSeq,\n\t\t\t\t\t\tData: []byte(\"icmpv4 echo\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\ttestCase: \"icmpv6 destination unreachable\",\n\t\t\tpacket: &ICMP{\n\t\t\t\tIP: &ipv6Packet,\n\t\t\t\tMessage: &icmp.Message{\n\t\t\t\t\tType: ipv6.ICMPTypeDestinationUnreachable,\n\t\t\t\t\tCode: 4,\n\t\t\t\t\tBody: &icmp.DstUnreach{\n\t\t\t\t\t\tData: []byte(\"original packet\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\ttestCase: \"icmpv6 echo\",\n\t\t\tpacket: &ICMP{\n\t\t\t\tIP: &ipv6Packet,\n\t\t\t\tMessage: &icmp.Message{\n\t\t\t\t\tType: ipv6.ICMPTypeEchoRequest,\n\t\t\t\t\tCode: 0,\n\t\t\t\t\tBody: &icmp.Echo{\n\t\t\t\t\t\tID: icmpID,\n\t\t\t\t\t\tSeq: icmpSeq,\n\t\t\t\t\t\tData: []byte(\"icmpv6 echo\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tencoder := NewEncoder()\n\tfor _, test := range tests {\n\t\tp, err := encoder.Encode(test.packet)\n\t\trequire.NoError(t, err)\n\n\t\tipPacket, err := ipDecoder.Decode(p)\n\t\trequire.NoError(t, err)\n\t\tif ipPacket.Src.Is4() {\n\t\t\tassertIPLayer(t, &ipv4Packet, ipPacket)\n\t\t} else {\n\t\t\tassertIPLayer(t, &ipv6Packet, ipPacket)\n\t\t}\n\t\ticmpPacket, err := icmpDecoder.Decode(p)\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, ipPacket, icmpPacket.IP)\n\n\t\trequire.Equal(t, test.packet.Type, icmpPacket.Type)\n\t\trequire.Equal(t, test.packet.Code, icmpPacket.Code)\n\t\tassertICMPChecksum(t, icmpPacket)\n\t\trequire.Equal(t, test.packet.Body, icmpPacket.Body)\n\t\texpectedBody, err := test.packet.Body.Marshal(test.packet.Type.Protocol())\n\t\trequire.NoError(t, err)\n\t\tdecodedBody, err := icmpPacket.Body.Marshal(test.packet.Type.Protocol())\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, expectedBody, decodedBody)\n\t}\n}\n\n// TestDecodeBadPackets makes sure decoders don't decode invalid packets\nfunc TestDecodeBadPackets(t *testing.T) {\n\tvar (\n\t\tsrcIPv4 = net.ParseIP(\"172.16.0.1\")\n\t\tdstIPv4 = net.ParseIP(\"10.0.0.1\")\n\t)\n\n\tipLayer := layers.IPv4{\n\t\tVersion: 10,\n\t\tSrcIP: srcIPv4,\n\t\tDstIP: dstIPv4,\n\t\tProtocol: layers.IPProtocolICMPv4,\n\t\tTTL: DefaultTTL,\n\t}\n\ticmpLayer := layers.ICMPv4{\n\t\tTypeCode: layers.CreateICMPv4TypeCode(uint8(ipv4.ICMPTypeEcho), 0),\n\t\tId: 100,\n\t\tSeq: 52819,\n\t}\n\twrongIPVersion, err := createPacket(&ipLayer, &icmpLayer, nil, nil)\n\trequire.NoError(t, err)\n\n\ttests := []struct {\n\t\ttestCase string\n\t\tpacket []byte\n\t}{\n\t\t{\n\t\t\ttestCase: \"unknown IP version\",\n\t\t\tpacket: wrongIPVersion,\n\t\t},\n\t\t{\n\t\t\ttestCase: \"invalid packet\",\n\t\t\tpacket: []byte(\"not a packet\"),\n\t\t},\n\t\t{\n\t\t\ttestCase: \"zero length packet\",\n\t\t\tpacket: []byte{},\n\t\t},\n\t}\n\n\tipDecoder := NewIPDecoder()\n\ticmpDecoder := NewICMPDecoder()\n\tfor _, test := range tests {\n\t\tipPacket, err := ipDecoder.Decode(RawPacket{Data: test.packet})\n\t\trequire.Error(t, err)\n\t\trequire.Nil(t, ipPacket)\n\n\t\ticmpPacket, err := icmpDecoder.Decode(RawPacket{Data: test.packet})\n\t\trequire.Error(t, err)\n\t\trequire.Nil(t, icmpPacket)\n\t}\n}\n\nfunc createPacket(ipLayer, secondLayer, thirdLayer gopacket.SerializableLayer, body []byte) ([]byte, error) {\n\tpayload := gopacket.Payload(body)\n\tpacket := gopacket.NewSerializeBuffer()\n\tvar err error\n\tif thirdLayer != nil {\n\t\terr = gopacket.SerializeLayers(packet, serializeOpts, ipLayer, secondLayer, thirdLayer, payload)\n\t} else {\n\t\terr = gopacket.SerializeLayers(packet, serializeOpts, ipLayer, secondLayer, payload)\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn packet.Bytes(), nil\n}\n\nfunc assertIPLayer(t *testing.T, expected, actual *IP) {\n\trequire.Equal(t, expected.Src, actual.Src)\n\trequire.Equal(t, expected.Dst, actual.Dst)\n\trequire.Equal(t, expected.Protocol, actual.Protocol)\n\trequire.Equal(t, expected.TTL, actual.TTL)\n}\n\ntype UDP struct {\n\tIP\n\tSrcPort, DstPort layers.UDPPort\n}\n\nfunc (u *UDP) EncodeLayers() ([]gopacket.SerializableLayer, error) {\n\tipLayers, err := u.IP.EncodeLayers()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tudpLayer := layers.UDP{\n\t\tSrcPort: u.SrcPort,\n\t\tDstPort: u.DstPort,\n\t}\n\tudpLayer.SetNetworkLayerForChecksum(ipLayers[0].(gopacket.NetworkLayer))\n\treturn append(ipLayers, &udpLayer), nil\n}\n\nfunc FuzzIPDecoder(f *testing.F) {\n\tf.Fuzz(func(t *testing.T, data []byte) {\n\t\tipDecoder := NewIPDecoder()\n\t\tipDecoder.Decode(RawPacket{Data: data})\n\n\t})\n}\n\nfunc FuzzICMPDecoder(f *testing.F) {\n\tf.Fuzz(func(t *testing.T, data []byte) {\n\t\ticmpDecoder := NewICMPDecoder()\n\t\ticmpDecoder.Decode(RawPacket{Data: data})\n\t})\n}\n" }, { "path": "packet/encoder.go", "content": "package packet\n\nimport (\n\t\"github.com/google/gopacket\"\n)\n\nvar (\n\tserializeOpts = gopacket.SerializeOptions{\n\t\tFixLengths: true,\n\t\tComputeChecksums: true,\n\t}\n)\n\n// RawPacket represents a raw packet or one encoded by Encoder\ntype RawPacket struct {\n\tData []byte\n}\n\ntype Encoder struct {\n\t// buf is reusable because SerializeLayers calls the Clear method before each encoding\n\tbuf gopacket.SerializeBuffer\n}\n\nfunc NewEncoder() *Encoder {\n\treturn &Encoder{\n\t\tbuf: gopacket.NewSerializeBuffer(),\n\t}\n}\n\nfunc (e *Encoder) Encode(packet Packet) (RawPacket, error) {\n\tencodedLayers, err := packet.EncodeLayers()\n\tif err != nil {\n\t\treturn RawPacket{}, err\n\t}\n\tif err := gopacket.SerializeLayers(e.buf, serializeOpts, encodedLayers...); err != nil {\n\t\treturn RawPacket{}, err\n\t}\n\treturn RawPacket{\n\t\tData: e.buf.Bytes(),\n\t}, nil\n}\n" }, { "path": "packet/funnel.go", "content": "package packet\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/netip\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n)\n\nvar (\n\tErrFunnelNotFound = errors.New(\"funnel not found\")\n)\n\n// Funnel is an abstraction to pipe from 1 src to 1 or more destinations\ntype Funnel interface {\n\t// Updates the last time traffic went through this funnel\n\tUpdateLastActive()\n\t// LastActive returns the last time there is traffic through this funnel\n\tLastActive() time.Time\n\t// Close closes the funnel. Further call to SendToDst or ReturnToSrc should return an error\n\tClose() error\n\t// Equal compares if 2 funnels are equivalent\n\tEqual(other Funnel) bool\n}\n\n// FunnelUniPipe is a unidirectional pipe for sending raw packets\ntype FunnelUniPipe interface {\n\t// SendPacket sends a packet to/from the funnel. It must not modify the packet,\n\t// and after return it must not read the packet\n\tSendPacket(dst netip.Addr, pk RawPacket) error\n\tClose() error\n}\n\ntype ActivityTracker struct {\n\t// last active unix time. Unit is seconds\n\tlastActive int64\n}\n\nfunc NewActivityTracker() *ActivityTracker {\n\treturn &ActivityTracker{\n\t\tlastActive: time.Now().Unix(),\n\t}\n}\n\nfunc (at *ActivityTracker) UpdateLastActive() {\n\tatomic.StoreInt64(&at.lastActive, time.Now().Unix())\n}\n\nfunc (at *ActivityTracker) LastActive() time.Time {\n\tlastActive := atomic.LoadInt64(&at.lastActive)\n\treturn time.Unix(lastActive, 0)\n}\n\n// FunnelID represents a key type that can be used by FunnelTracker\ntype FunnelID interface {\n\t// Type returns the name of the type that implements the FunnelID\n\tType() string\n\tfmt.Stringer\n}\n\n// FunnelTracker tracks funnel from the perspective of eyeball to origin\ntype FunnelTracker struct {\n\tlock sync.RWMutex\n\tfunnels map[FunnelID]Funnel\n}\n\nfunc NewFunnelTracker() *FunnelTracker {\n\treturn &FunnelTracker{\n\t\tfunnels: make(map[FunnelID]Funnel),\n\t}\n}\n\nfunc (ft *FunnelTracker) ScheduleCleanup(ctx context.Context, idleTimeout time.Duration) {\n\tcheckIdleTicker := time.NewTicker(idleTimeout)\n\tdefer checkIdleTicker.Stop()\n\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\treturn\n\t\tcase <-checkIdleTicker.C:\n\t\t\tft.cleanup(idleTimeout)\n\t\t}\n\t}\n}\n\nfunc (ft *FunnelTracker) cleanup(idleTimeout time.Duration) {\n\tft.lock.Lock()\n\tdefer ft.lock.Unlock()\n\n\tnow := time.Now()\n\tfor id, funnel := range ft.funnels {\n\t\tlastActive := funnel.LastActive()\n\t\tif now.After(lastActive.Add(idleTimeout)) {\n\t\t\tfunnel.Close()\n\t\t\tdelete(ft.funnels, id)\n\t\t}\n\t}\n}\n\nfunc (ft *FunnelTracker) Get(id FunnelID) (Funnel, bool) {\n\tft.lock.RLock()\n\tdefer ft.lock.RUnlock()\n\tfunnel, ok := ft.funnels[id]\n\treturn funnel, ok\n}\n\n// Registers a funnel. If the `id` is already registered and `shouldReplaceFunc` returns true, it closes and replaces\n// the current funnel. If `newFunnelFunc` returns an error, the `id` will remain unregistered, even if it was registered\n// when calling this function.\nfunc (ft *FunnelTracker) GetOrRegister(\n\tid FunnelID,\n\tshouldReplaceFunc func(Funnel) bool,\n\tnewFunnelFunc func() (Funnel, error),\n) (funnel Funnel, new bool, err error) {\n\tft.lock.Lock()\n\tdefer ft.lock.Unlock()\n\tcurrentFunnel, exists := ft.funnels[id]\n\tif exists {\n\t\tif !shouldReplaceFunc(currentFunnel) {\n\t\t\treturn currentFunnel, false, nil\n\t\t}\n\t\tcurrentFunnel.Close()\n\t\tdelete(ft.funnels, id)\n\t}\n\tnewFunnel, err := newFunnelFunc()\n\tif err != nil {\n\t\treturn nil, false, err\n\t}\n\tft.funnels[id] = newFunnel\n\treturn newFunnel, true, nil\n}\n\n// Unregisters and closes a funnel if the funnel equals to the current funnel\nfunc (ft *FunnelTracker) Unregister(id FunnelID, funnel Funnel) (deleted bool) {\n\tft.lock.Lock()\n\tdefer ft.lock.Unlock()\n\tcurrentFunnel, exists := ft.funnels[id]\n\tif !exists {\n\t\treturn true\n\t}\n\tif currentFunnel.Equal(funnel) {\n\t\tcurrentFunnel.Close()\n\t\tdelete(ft.funnels, id)\n\t\treturn true\n\t}\n\treturn false\n}\n" }, { "path": "packet/funnel_test.go", "content": "package packet\n\nimport (\n\t\"fmt\"\n\t\"net/netip\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/require\"\n)\n\ntype mockFunnelUniPipe struct {\n\tuniPipe chan RawPacket\n}\n\nfunc (mfui *mockFunnelUniPipe) SendPacket(dst netip.Addr, pk RawPacket) error {\n\tmfui.uniPipe <- pk\n\treturn nil\n}\n\nfunc (mfui *mockFunnelUniPipe) Close() error {\n\treturn nil\n}\n\nfunc TestFunnelRegistration(t *testing.T) {\n\tid := testFunnelID{\"id1\"}\n\tfunnelErr := fmt.Errorf(\"expected error\")\n\tnewFunnelFuncErr := func() (Funnel, error) { return nil, funnelErr }\n\tnewFunnelFuncUncalled := func() (Funnel, error) {\n\t\trequire.FailNow(t, \"a new funnel should not be created\")\n\t\tpanic(\"unreached\")\n\t}\n\tfunnel1, newFunnelFunc1 := newFunnelAndFunc(\"funnel1\")\n\tfunnel2, newFunnelFunc2 := newFunnelAndFunc(\"funnel2\")\n\n\tft := NewFunnelTracker()\n\t// Register funnel1\n\tfunnel, new, err := ft.GetOrRegister(id, shouldReplaceFalse, newFunnelFunc1)\n\trequire.NoError(t, err)\n\trequire.True(t, new)\n\trequire.Equal(t, funnel1, funnel)\n\t// Register funnel, no replace\n\tfunnel, new, err = ft.GetOrRegister(id, shouldReplaceFalse, newFunnelFuncUncalled)\n\trequire.NoError(t, err)\n\trequire.False(t, new)\n\trequire.Equal(t, funnel1, funnel)\n\t// Register funnel2, replace\n\tfunnel, new, err = ft.GetOrRegister(id, shouldReplaceTrue, newFunnelFunc2)\n\trequire.NoError(t, err)\n\trequire.True(t, new)\n\trequire.Equal(t, funnel2, funnel)\n\trequire.True(t, funnel1.closed)\n\t// Register funnel error, replace\n\tfunnel, new, err = ft.GetOrRegister(id, shouldReplaceTrue, newFunnelFuncErr)\n\trequire.ErrorIs(t, err, funnelErr)\n\trequire.False(t, new)\n\trequire.Nil(t, funnel)\n\trequire.True(t, funnel2.closed)\n}\n\nfunc TestFunnelUnregister(t *testing.T) {\n\tid := testFunnelID{\"id1\"}\n\tfunnel1, newFunnelFunc1 := newFunnelAndFunc(\"funnel1\")\n\tfunnel2, newFunnelFunc2 := newFunnelAndFunc(\"funnel2\")\n\tfunnel3, newFunnelFunc3 := newFunnelAndFunc(\"funnel3\")\n\n\tft := NewFunnelTracker()\n\t// Register & unregister\n\t_, _, err := ft.GetOrRegister(id, shouldReplaceFalse, newFunnelFunc1)\n\trequire.NoError(t, err)\n\trequire.True(t, ft.Unregister(id, funnel1))\n\trequire.True(t, funnel1.closed)\n\trequire.True(t, ft.Unregister(id, funnel1))\n\t// Register, replace, and unregister\n\t_, _, err = ft.GetOrRegister(id, shouldReplaceFalse, newFunnelFunc2)\n\trequire.NoError(t, err)\n\t_, _, err = ft.GetOrRegister(id, shouldReplaceTrue, newFunnelFunc3)\n\trequire.NoError(t, err)\n\trequire.True(t, funnel2.closed)\n\trequire.False(t, ft.Unregister(id, funnel2))\n\trequire.True(t, ft.Unregister(id, funnel3))\n\trequire.True(t, funnel3.closed)\n}\n\nfunc shouldReplaceFalse(_ Funnel) bool {\n\treturn false\n}\n\nfunc shouldReplaceTrue(_ Funnel) bool {\n\treturn true\n}\n\nfunc newFunnelAndFunc(id string) (*testFunnel, func() (Funnel, error)) {\n\tfunnel := newTestFunnel(id)\n\tfunnelFunc := func() (Funnel, error) {\n\t\treturn funnel, nil\n\t}\n\treturn funnel, funnelFunc\n}\n\ntype testFunnelID struct {\n\tid string\n}\n\nfunc (t testFunnelID) Type() string {\n\treturn \"testFunnelID\"\n}\n\nfunc (t testFunnelID) String() string {\n\treturn t.id\n}\n\ntype testFunnel struct {\n\tid string\n\tclosed bool\n}\n\nfunc newTestFunnel(id string) *testFunnel {\n\treturn &testFunnel{\n\t\tid,\n\t\tfalse,\n\t}\n}\n\nfunc (tf *testFunnel) Close() error {\n\ttf.closed = true\n\treturn nil\n}\n\nfunc (tf *testFunnel) Equal(other Funnel) bool {\n\treturn tf.id == other.(*testFunnel).id\n}\n\nfunc (tf *testFunnel) LastActive() time.Time {\n\treturn time.Now()\n}\n\nfunc (tf *testFunnel) UpdateLastActive() {}\n" }, { "path": "packet/packet.go", "content": "package packet\n\nimport (\n\t\"encoding/binary\"\n\t\"fmt\"\n\t\"net/netip\"\n\n\t\"github.com/google/gopacket\"\n\t\"github.com/google/gopacket/layers\"\n\t\"golang.org/x/net/icmp\"\n\t\"golang.org/x/net/ipv4\"\n\t\"golang.org/x/net/ipv6\"\n)\n\nconst (\n\tipv4MinHeaderLen = 20\n\tipv6HeaderLen = 40\n\tipv4MinMTU = 576\n\tipv6MinMTU = 1280\n\ticmpHeaderLen = 8\n\t// https://www.rfc-editor.org/rfc/rfc792 and https://datatracker.ietf.org/doc/html/rfc4443#section-3.3 define 2 codes.\n\t// 0 = ttl exceed in transit, 1 = fragment reassembly time exceeded\n\ticmpTTLExceedInTransitCode = 0\n\tDefaultTTL uint8 = 255\n\tpseudoHeaderLen = 40\n)\n\n// Packet represents an IP packet or a packet that is encapsulated by IP\ntype Packet interface {\n\t// IPLayer returns the IP of the packet\n\tIPLayer() *IP\n\t// EncodeLayers returns the layers that make up this packet. They can be passed to an Encoder to serialize into RawPacket\n\tEncodeLayers() ([]gopacket.SerializableLayer, error)\n}\n\n// IP represents a generic IP packet. It can be embedded in more specific IP protocols\ntype IP struct {\n\tSrc netip.Addr\n\tDst netip.Addr\n\tProtocol layers.IPProtocol\n\tTTL uint8\n}\n\nfunc newIPv4(ipLayer *layers.IPv4) (*IP, error) {\n\tsrc, ok := netip.AddrFromSlice(ipLayer.SrcIP)\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"cannot convert source IP %s to netip.Addr\", ipLayer.SrcIP)\n\t}\n\tdst, ok := netip.AddrFromSlice(ipLayer.DstIP)\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"cannot convert source IP %s to netip.Addr\", ipLayer.DstIP)\n\t}\n\treturn &IP{\n\t\tSrc: src,\n\t\tDst: dst,\n\t\tProtocol: ipLayer.Protocol,\n\t\tTTL: ipLayer.TTL,\n\t}, nil\n}\n\nfunc newIPv6(ipLayer *layers.IPv6) (*IP, error) {\n\tsrc, ok := netip.AddrFromSlice(ipLayer.SrcIP)\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"cannot convert source IP %s to netip.Addr\", ipLayer.SrcIP)\n\t}\n\tdst, ok := netip.AddrFromSlice(ipLayer.DstIP)\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"cannot convert source IP %s to netip.Addr\", ipLayer.DstIP)\n\t}\n\treturn &IP{\n\t\tSrc: src,\n\t\tDst: dst,\n\t\tProtocol: ipLayer.NextHeader,\n\t\tTTL: ipLayer.HopLimit,\n\t}, nil\n}\n\nfunc (ip *IP) IPLayer() *IP {\n\treturn ip\n}\n\nfunc (ip *IP) isIPv4() bool {\n\treturn ip.Src.Is4()\n}\n\nfunc (ip *IP) EncodeLayers() ([]gopacket.SerializableLayer, error) {\n\tif ip.isIPv4() {\n\t\treturn []gopacket.SerializableLayer{\n\t\t\t&layers.IPv4{\n\t\t\t\tVersion: 4,\n\t\t\t\tSrcIP: ip.Src.AsSlice(),\n\t\t\t\tDstIP: ip.Dst.AsSlice(),\n\t\t\t\tProtocol: layers.IPProtocol(ip.Protocol),\n\t\t\t\tTTL: ip.TTL,\n\t\t\t},\n\t\t}, nil\n\t} else {\n\t\treturn []gopacket.SerializableLayer{\n\t\t\t&layers.IPv6{\n\t\t\t\tVersion: 6,\n\t\t\t\tSrcIP: ip.Src.AsSlice(),\n\t\t\t\tDstIP: ip.Dst.AsSlice(),\n\t\t\t\tNextHeader: layers.IPProtocol(ip.Protocol),\n\t\t\t\tHopLimit: ip.TTL,\n\t\t\t},\n\t\t}, nil\n\t}\n}\n\n// ICMP represents is an IP packet + ICMP message\ntype ICMP struct {\n\t*IP\n\t*icmp.Message\n}\n\nfunc (i *ICMP) EncodeLayers() ([]gopacket.SerializableLayer, error) {\n\tipLayers, err := i.IP.EncodeLayers()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar serializedPsh []byte = nil\n\tif i.Protocol == layers.IPProtocolICMPv6 {\n\t\tpsh := &PseudoHeader{\n\t\t\tSrcIP: i.Src.As16(),\n\t\t\tDstIP: i.Dst.As16(),\n\t\t\t// i.Marshal re-calculates the UpperLayerPacketLength\n\t\t\tUpperLayerPacketLength: 0,\n\t\t\tNextHeader: uint8(i.Protocol),\n\t\t}\n\t\tserializedPsh = psh.Marshal()\n\t}\n\tmsg, err := i.Marshal(serializedPsh)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\ticmpLayer := gopacket.Payload(msg)\n\treturn append(ipLayers, icmpLayer), nil\n}\n\n// https://www.rfc-editor.org/rfc/rfc2460#section-8.1\ntype PseudoHeader struct {\n\tSrcIP [16]byte\n\tDstIP [16]byte\n\tUpperLayerPacketLength uint32\n\tzero [3]byte\n\tNextHeader uint8\n}\n\nfunc (ph *PseudoHeader) Marshal() []byte {\n\tbuf := make([]byte, pseudoHeaderLen)\n\tindex := 0\n\tcopy(buf, ph.SrcIP[:])\n\tindex += 16\n\tcopy(buf[index:], ph.DstIP[:])\n\tindex += 16\n\tbinary.BigEndian.PutUint32(buf[index:], ph.UpperLayerPacketLength)\n\tindex += 4\n\tcopy(buf[index:], ph.zero[:])\n\tbuf[pseudoHeaderLen-1] = ph.NextHeader\n\treturn buf\n}\n\nfunc NewICMPTTLExceedPacket(originalIP *IP, originalPacket RawPacket, routerIP netip.Addr) *ICMP {\n\tvar (\n\t\tprotocol layers.IPProtocol\n\t\ticmpType icmp.Type\n\t)\n\tif originalIP.Dst.Is4() {\n\t\tprotocol = layers.IPProtocolICMPv4\n\t\ticmpType = ipv4.ICMPTypeTimeExceeded\n\t} else {\n\t\tprotocol = layers.IPProtocolICMPv6\n\t\ticmpType = ipv6.ICMPTypeTimeExceeded\n\t}\n\n\treturn &ICMP{\n\t\tIP: &IP{\n\t\t\tSrc: routerIP,\n\t\t\tDst: originalIP.Src,\n\t\t\tProtocol: protocol,\n\t\t\tTTL: DefaultTTL,\n\t\t},\n\t\tMessage: &icmp.Message{\n\t\t\tType: icmpType,\n\t\t\tCode: icmpTTLExceedInTransitCode,\n\t\t\tBody: &icmp.TimeExceeded{\n\t\t\t\tData: originalDatagram(originalPacket, originalIP.Dst.Is4()),\n\t\t\t},\n\t\t},\n\t}\n}\n\n// originalDatagram returns a slice of the original datagram for ICMP error messages\n// https://www.rfc-editor.org/rfc/rfc1812#section-4.3.2.3 suggests to copy as much without exceeding 576 bytes.\n// https://datatracker.ietf.org/doc/html/rfc4443#section-3.3 suggests to copy as much without exceeding 1280 bytes\nfunc originalDatagram(originalPacket RawPacket, isIPv4 bool) []byte {\n\tvar upperBound int\n\tif isIPv4 {\n\t\tupperBound = ipv4MinMTU - ipv4MinHeaderLen - icmpHeaderLen\n\t\tif upperBound > len(originalPacket.Data) {\n\t\t\tupperBound = len(originalPacket.Data)\n\t\t}\n\t} else {\n\t\tupperBound = ipv6MinMTU - ipv6HeaderLen - icmpHeaderLen\n\t\tif upperBound > len(originalPacket.Data) {\n\t\t\tupperBound = len(originalPacket.Data)\n\t\t}\n\t}\n\treturn originalPacket.Data[:upperBound]\n}\n" }, { "path": "packet/packet_test.go", "content": "package packet\n\nimport (\n\t\"bytes\"\n\t\"net/netip\"\n\t\"testing\"\n\n\t\"github.com/google/gopacket\"\n\t\"github.com/google/gopacket/layers\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/icmp\"\n\t\"golang.org/x/net/ipv4\"\n\t\"golang.org/x/net/ipv6\"\n)\n\nfunc TestNewICMPTTLExceedPacket(t *testing.T) {\n\tipv4Packet := IP{\n\t\tSrc: netip.MustParseAddr(\"192.168.1.1\"),\n\t\tDst: netip.MustParseAddr(\"10.0.0.1\"),\n\t\tProtocol: layers.IPProtocolICMPv4,\n\t\tTTL: 0,\n\t}\n\ticmpV4Packet := ICMP{\n\t\tIP: &ipv4Packet,\n\t\tMessage: &icmp.Message{\n\t\t\tType: ipv4.ICMPTypeEcho,\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.Echo{\n\t\t\t\tID: 25821,\n\t\t\t\tSeq: 58129,\n\t\t\t\tData: []byte(\"test ttl=0\"),\n\t\t\t},\n\t\t},\n\t}\n\tassertTTLExceedPacket(t, &icmpV4Packet)\n\ticmpV4Packet.Body = &icmp.Echo{\n\t\tID: 3487,\n\t\tSeq: 19183,\n\t\tData: make([]byte, ipv4MinMTU),\n\t}\n\tassertTTLExceedPacket(t, &icmpV4Packet)\n\tipv6Packet := IP{\n\t\tSrc: netip.MustParseAddr(\"fd51:2391:523:f4ee::1\"),\n\t\tDst: netip.MustParseAddr(\"fd51:2391:697:f4ee::2\"),\n\t\tProtocol: layers.IPProtocolICMPv6,\n\t\tTTL: 0,\n\t}\n\ticmpV6Packet := ICMP{\n\t\tIP: &ipv6Packet,\n\t\tMessage: &icmp.Message{\n\t\t\tType: ipv6.ICMPTypeEchoRequest,\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.Echo{\n\t\t\t\tID: 25821,\n\t\t\t\tSeq: 58129,\n\t\t\t\tData: []byte(\"test ttl=0\"),\n\t\t\t},\n\t\t},\n\t}\n\tassertTTLExceedPacket(t, &icmpV6Packet)\n\ticmpV6Packet.Body = &icmp.Echo{\n\t\tID: 1497,\n\t\tSeq: 39284,\n\t\tData: make([]byte, ipv6MinMTU),\n\t}\n\tassertTTLExceedPacket(t, &icmpV6Packet)\n}\n\nfunc assertTTLExceedPacket(t *testing.T, pk *ICMP) {\n\tencoder := NewEncoder()\n\trawPacket, err := encoder.Encode(pk)\n\trequire.NoError(t, err)\n\n\tminMTU := ipv4MinMTU\n\theaderLen := ipv4MinHeaderLen\n\trouterIP := netip.MustParseAddr(\"172.16.0.3\")\n\tif pk.Dst.Is6() {\n\t\tminMTU = ipv6MinMTU\n\t\theaderLen = ipv6HeaderLen\n\t\trouterIP = netip.MustParseAddr(\"fd51:2391:697:f4ee::3\")\n\t}\n\n\tttlExceedPacket := NewICMPTTLExceedPacket(pk.IP, rawPacket, routerIP)\n\trequire.Equal(t, routerIP, ttlExceedPacket.Src)\n\trequire.Equal(t, pk.Src, ttlExceedPacket.Dst)\n\trequire.Equal(t, pk.Protocol, ttlExceedPacket.Protocol)\n\trequire.Equal(t, DefaultTTL, ttlExceedPacket.TTL)\n\n\ttimeExceed, ok := ttlExceedPacket.Body.(*icmp.TimeExceeded)\n\trequire.True(t, ok)\n\tif len(rawPacket.Data) > minMTU {\n\t\trequire.True(t, bytes.Equal(timeExceed.Data, rawPacket.Data[:minMTU-headerLen-icmpHeaderLen]))\n\t} else {\n\t\trequire.True(t, bytes.Equal(timeExceed.Data, rawPacket.Data))\n\t}\n\n\trawTTLExceedPacket, err := encoder.Encode(ttlExceedPacket)\n\trequire.NoError(t, err)\n\tif len(rawPacket.Data) > minMTU {\n\t\trequire.Len(t, rawTTLExceedPacket.Data, minMTU)\n\t} else {\n\t\trequire.Len(t, rawTTLExceedPacket.Data, headerLen+icmpHeaderLen+len(rawPacket.Data))\n\t\trequire.True(t, bytes.Equal(rawPacket.Data, rawTTLExceedPacket.Data[headerLen+icmpHeaderLen:]))\n\t}\n\n\tdecoder := NewICMPDecoder()\n\tdecodedPacket, err := decoder.Decode(rawTTLExceedPacket)\n\trequire.NoError(t, err)\n\tassertICMPChecksum(t, decodedPacket)\n}\n\nfunc assertICMPChecksum(t *testing.T, icmpPacket *ICMP) {\n\tbuf := gopacket.NewSerializeBuffer()\n\tif icmpPacket.Protocol == layers.IPProtocolICMPv4 {\n\t\ticmpv4 := layers.ICMPv4{\n\t\t\tTypeCode: layers.CreateICMPv4TypeCode(uint8(icmpPacket.Type.(ipv4.ICMPType)), uint8(icmpPacket.Code)),\n\t\t}\n\t\tswitch body := icmpPacket.Body.(type) {\n\t\tcase *icmp.Echo:\n\t\t\ticmpv4.Id = uint16(body.ID)\n\t\t\ticmpv4.Seq = uint16(body.Seq)\n\t\t\tpayload := gopacket.Payload(body.Data)\n\t\t\trequire.NoError(t, payload.SerializeTo(buf, serializeOpts))\n\t\tdefault:\n\t\t\trequire.NoError(t, serializeICMPAsPayload(icmpPacket.Message, buf))\n\t\t}\n\t\t// SerializeTo sets the checksum in icmpv4\n\t\trequire.NoError(t, icmpv4.SerializeTo(buf, serializeOpts))\n\t\trequire.Equal(t, icmpv4.Checksum, uint16(icmpPacket.Checksum))\n\t} else {\n\t\tswitch body := icmpPacket.Body.(type) {\n\t\tcase *icmp.Echo:\n\t\t\tpayload := gopacket.Payload(body.Data)\n\t\t\trequire.NoError(t, payload.SerializeTo(buf, serializeOpts))\n\t\t\techo := layers.ICMPv6Echo{\n\t\t\t\tIdentifier: uint16(body.ID),\n\t\t\t\tSeqNumber: uint16(body.Seq),\n\t\t\t}\n\t\t\trequire.NoError(t, echo.SerializeTo(buf, serializeOpts))\n\t\tdefault:\n\t\t\trequire.NoError(t, serializeICMPAsPayload(icmpPacket.Message, buf))\n\t\t}\n\n\t\ticmpv6 := layers.ICMPv6{\n\t\t\tTypeCode: layers.CreateICMPv6TypeCode(uint8(icmpPacket.Type.(ipv6.ICMPType)), uint8(icmpPacket.Code)),\n\t\t}\n\t\tipLayer := layers.IPv6{\n\t\t\tVersion: 6,\n\t\t\tSrcIP: icmpPacket.Src.AsSlice(),\n\t\t\tDstIP: icmpPacket.Dst.AsSlice(),\n\t\t\tNextHeader: icmpPacket.Protocol,\n\t\t\tHopLimit: icmpPacket.TTL,\n\t\t}\n\t\trequire.NoError(t, icmpv6.SetNetworkLayerForChecksum(&ipLayer))\n\n\t\t// SerializeTo sets the checksum in icmpv4\n\t\trequire.NoError(t, icmpv6.SerializeTo(buf, serializeOpts))\n\t\trequire.Equal(t, icmpv6.Checksum, uint16(icmpPacket.Checksum))\n\t}\n}\n\nfunc serializeICMPAsPayload(message *icmp.Message, buf gopacket.SerializeBuffer) error {\n\tserializedBody, err := message.Body.Marshal(message.Type.Protocol())\n\tif err != nil {\n\t\treturn err\n\t}\n\tpayload := gopacket.Payload(serializedBody)\n\treturn payload.SerializeTo(buf, serializeOpts)\n}\n\nfunc TestChecksum(t *testing.T) {\n\tdata := []byte{0x63, 0x2c, 0x49, 0xd6, 0x00, 0x0d, 0xc1, 0xda}\n\tpk := ICMP{\n\t\tIP: &IP{\n\t\t\tSrc: netip.MustParseAddr(\"2606:4700:110:89c1:c63a:861:e08c:b049\"),\n\t\t\tDst: netip.MustParseAddr(\"fde8:b693:d420:109b::2\"),\n\t\t\tProtocol: layers.IPProtocolICMPv6,\n\t\t\tTTL: 3,\n\t\t},\n\t\tMessage: &icmp.Message{\n\t\t\tType: ipv6.ICMPTypeEchoRequest,\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.Echo{\n\t\t\t\tID: 0x20a7,\n\t\t\t\tSeq: 8,\n\t\t\t\tData: data,\n\t\t\t},\n\t\t},\n\t}\n\tencoder := NewEncoder()\n\tencoded, err := encoder.Encode(&pk)\n\trequire.NoError(t, err)\n\n\tdecoder := NewICMPDecoder()\n\tdecoded, err := decoder.Decode(encoded)\n\trequire.Equal(t, 0xff96, decoded.Checksum)\n}\n" }, { "path": "packet/session.go", "content": "package packet\n\nimport \"github.com/google/uuid\"\n\ntype Session struct {\n\tID uuid.UUID\n\tPayload []byte\n}\n" }, { "path": "postinst.sh", "content": "#!/bin/bash\nset -eu\nln -sf /usr/bin/cloudflared /usr/local/bin/cloudflared\nmkdir -p /usr/local/etc/cloudflared/\ntouch /usr/local/etc/cloudflared/.installedFromPackageManager || true\n" }, { "path": "postrm.sh", "content": "#!/bin/bash\nset -eu\nrm -f /usr/local/bin/cloudflared\nrm -f /usr/local/etc/cloudflared/.installedFromPackageManager\n" }, { "path": "proxy/logger.go", "content": "package proxy\n\nimport (\n\t\"net/http\"\n\t\"strconv\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/management\"\n)\n\nconst (\n\tlogFieldCFRay = \"cfRay\"\n\tlogFieldLBProbe = \"lbProbe\"\n\tlogFieldRule = \"ingressRule\"\n\tlogFieldOriginService = \"originService\"\n\tlogFieldConnIndex = \"connIndex\"\n\tlogFieldDestAddr = \"destAddr\"\n)\n\nvar (\n\tLogFieldFlowID = \"flowID\"\n)\n\n// newHTTPLogger creates a child zerolog.Logger from the provided with added context from the HTTP request, ingress\n// services, and connection index.\nfunc newHTTPLogger(logger *zerolog.Logger, connIndex uint8, req *http.Request, rule int, serviceName string) zerolog.Logger {\n\tctx := logger.With().\n\t\tInt(management.EventTypeKey, int(management.HTTP)).\n\t\tUint8(logFieldConnIndex, connIndex)\n\tcfRay := connection.FindCfRayHeader(req)\n\tlbProbe := connection.IsLBProbeRequest(req)\n\tif cfRay != \"\" {\n\t\tctx.Str(logFieldCFRay, cfRay)\n\t}\n\tif lbProbe {\n\t\tctx.Bool(logFieldLBProbe, lbProbe)\n\t}\n\treturn ctx.\n\t\tStr(logFieldOriginService, serviceName).\n\t\tInterface(logFieldRule, rule).\n\t\tLogger()\n}\n\n// newTCPLogger creates a child zerolog.Logger from the provided with added context from the TCPRequest.\nfunc newTCPLogger(logger *zerolog.Logger, req *connection.TCPRequest) zerolog.Logger {\n\treturn logger.With().\n\t\tInt(management.EventTypeKey, int(management.TCP)).\n\t\tUint8(logFieldConnIndex, req.ConnIndex).\n\t\tStr(logFieldOriginService, ingress.ServiceWarpRouting).\n\t\tStr(LogFieldFlowID, req.FlowID).\n\t\tStr(logFieldDestAddr, req.Dest).\n\t\tUint8(logFieldConnIndex, req.ConnIndex).\n\t\tLogger()\n}\n\n// logHTTPRequest logs a Debug message with the corresponding HTTP request details from the eyeball.\nfunc logHTTPRequest(logger *zerolog.Logger, r *http.Request) {\n\tlogger.Debug().\n\t\tStr(\"host\", r.Host).\n\t\tStr(\"path\", r.URL.Path).\n\t\tInterface(\"headers\", r.Header).\n\t\tInt64(\"content-length\", r.ContentLength).\n\t\tMsgf(\"%s %s %s\", r.Method, r.URL, r.Proto)\n}\n\n// logOriginHTTPResponse logs a Debug message of the origin response.\nfunc logOriginHTTPResponse(logger *zerolog.Logger, resp *http.Response) {\n\tresponseByCode.WithLabelValues(strconv.Itoa(resp.StatusCode)).Inc()\n\tlogger.Debug().\n\t\tInt64(\"content-length\", resp.ContentLength).\n\t\tMsgf(\"%s\", resp.Status)\n}\n\n// logRequestError logs an error for the proxied request.\nfunc logRequestError(logger *zerolog.Logger, err error) {\n\trequestErrors.Inc()\n\tlogger.Error().Err(err).Send()\n}\n" }, { "path": "proxy/metrics.go", "content": "package proxy\n\nimport (\n\t\"github.com/prometheus/client_golang/prometheus\"\n\n\t\"github.com/cloudflare/cloudflared/connection\"\n)\n\n// Metrics uses connection.MetricsNamespace(aka cloudflared) as namespace and connection.TunnelSubsystem\n// (tunnel) as subsystem to keep them consistent with the previous qualifier.\n\nvar (\n\ttotalRequests = prometheus.NewCounter(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: connection.MetricsNamespace,\n\t\t\tSubsystem: connection.TunnelSubsystem,\n\t\t\tName: \"total_requests\",\n\t\t\tHelp: \"Amount of requests proxied through all the tunnels\",\n\t\t},\n\t)\n\tconcurrentRequests = prometheus.NewGauge(\n\t\tprometheus.GaugeOpts{\n\t\t\tNamespace: connection.MetricsNamespace,\n\t\t\tSubsystem: connection.TunnelSubsystem,\n\t\t\tName: \"concurrent_requests_per_tunnel\",\n\t\t\tHelp: \"Concurrent requests proxied through each tunnel\",\n\t\t},\n\t)\n\tresponseByCode = prometheus.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: connection.MetricsNamespace,\n\t\t\tSubsystem: connection.TunnelSubsystem,\n\t\t\tName: \"response_by_code\",\n\t\t\tHelp: \"Count of responses by HTTP status code\",\n\t\t},\n\t\t[]string{\"status_code\"},\n\t)\n\trequestErrors = prometheus.NewCounter(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: connection.MetricsNamespace,\n\t\t\tSubsystem: connection.TunnelSubsystem,\n\t\t\tName: \"request_errors\",\n\t\t\tHelp: \"Count of error proxying to origin\",\n\t\t},\n\t)\n\tactiveTCPSessions = prometheus.NewGauge(\n\t\tprometheus.GaugeOpts{\n\t\t\tNamespace: connection.MetricsNamespace,\n\t\t\tSubsystem: \"tcp\",\n\t\t\tName: \"active_sessions\",\n\t\t\tHelp: \"Concurrent count of TCP sessions that are being proxied to any origin\",\n\t\t},\n\t)\n\ttotalTCPSessions = prometheus.NewCounter(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: connection.MetricsNamespace,\n\t\t\tSubsystem: \"tcp\",\n\t\t\tName: \"total_sessions\",\n\t\t\tHelp: \"Total count of TCP sessions that have been proxied to any origin\",\n\t\t},\n\t)\n\tconnectLatency = prometheus.NewHistogram(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: connection.MetricsNamespace,\n\t\t\tSubsystem: \"proxy\",\n\t\t\tName: \"connect_latency\",\n\t\t\tHelp: \"Time it takes to establish and acknowledge connections in milliseconds\",\n\t\t\tBuckets: []float64{1, 10, 25, 50, 100, 500, 1000, 5000},\n\t\t},\n\t)\n\tconnectStreamErrors = prometheus.NewCounter(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: connection.MetricsNamespace,\n\t\t\tSubsystem: \"proxy\",\n\t\t\tName: \"connect_streams_errors\",\n\t\t\tHelp: \"Total count of failure to establish and acknowledge connections\",\n\t\t},\n\t)\n)\n\nfunc init() {\n\tprometheus.MustRegister(\n\t\ttotalRequests,\n\t\tconcurrentRequests,\n\t\tresponseByCode,\n\t\trequestErrors,\n\t\tactiveTCPSessions,\n\t\ttotalTCPSessions,\n\t\tconnectLatency,\n\t\tconnectStreamErrors,\n\t)\n}\n\nfunc incrementRequests() {\n\ttotalRequests.Inc()\n\tconcurrentRequests.Inc()\n}\n\nfunc decrementConcurrentRequests() {\n\tconcurrentRequests.Dec()\n}\n\nfunc incrementTCPRequests() {\n\tincrementRequests()\n\ttotalTCPSessions.Inc()\n\tactiveTCPSessions.Inc()\n}\n\nfunc decrementTCPConcurrentRequests() {\n\tdecrementConcurrentRequests()\n\tactiveTCPSessions.Dec()\n}\n" }, { "path": "proxy/proxy.go", "content": "package proxy\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/netip\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"go.opentelemetry.io/otel/attribute\"\n\t\"go.opentelemetry.io/otel/trace\"\n\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n\t\"github.com/cloudflare/cloudflared/management\"\n\n\t\"github.com/cloudflare/cloudflared/carrier\"\n\t\"github.com/cloudflare/cloudflared/cfio\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/stream\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\nconst (\n\t// TagHeaderNamePrefix indicates a Cloudflared Warp Tag prefix that gets appended for warp traffic stream headers.\n\tTagHeaderNamePrefix = \"Cf-Warp-Tag-\"\n\ttrailerHeaderName = \"Trailer\"\n)\n\n// Proxy represents a means to Proxy between cloudflared and the origin services.\ntype Proxy struct {\n\tingressRules ingress.Ingress\n\toriginDialer ingress.OriginTCPDialer\n\ttags []pogs.Tag\n\tflowLimiter cfdflow.Limiter\n\tlog *zerolog.Logger\n}\n\n// NewOriginProxy returns a new instance of the Proxy struct.\nfunc NewOriginProxy(\n\tingressRules ingress.Ingress,\n\toriginDialer ingress.OriginDialer,\n\ttags []pogs.Tag,\n\tflowLimiter cfdflow.Limiter,\n\tlog *zerolog.Logger,\n) *Proxy {\n\tproxy := &Proxy{\n\t\tingressRules: ingressRules,\n\t\toriginDialer: originDialer,\n\t\ttags: tags,\n\t\tflowLimiter: flowLimiter,\n\t\tlog: log,\n\t}\n\n\treturn proxy\n}\n\nfunc (p *Proxy) applyIngressMiddleware(rule *ingress.Rule, r *http.Request, w connection.ResponseWriter) (error, bool) {\n\tfor _, handler := range rule.Handlers {\n\t\tresult, err := handler.Handle(r.Context(), r)\n\t\tif err != nil {\n\t\t\treturn errors.Wrap(err, fmt.Sprintf(\"error while processing middleware handler %s\", handler.Name())), false\n\t\t}\n\n\t\tif result.ShouldFilterRequest {\n\t\t\t_ = w.WriteRespHeaders(result.StatusCode, nil)\n\t\t\treturn fmt.Errorf(\"request filtered by middleware handler (%s) due to: %s\", handler.Name(), result.Reason), true\n\t\t}\n\t}\n\treturn nil, true\n}\n\n// ProxyHTTP further depends on ingress rules to establish a connection with the origin service. This may be\n// a simple roundtrip or a tcp/websocket dial depending on ingres rule setup.\nfunc (p *Proxy) ProxyHTTP(\n\tw connection.ResponseWriter,\n\ttr *tracing.TracedHTTPRequest,\n\tisWebsocket bool,\n) error {\n\tincrementRequests()\n\tdefer decrementConcurrentRequests()\n\n\treq := tr.Request\n\tp.appendTagHeaders(req)\n\n\t_, ruleSpan := tr.Tracer().Start(req.Context(), \"ingress_match\",\n\t\ttrace.WithAttributes(attribute.String(\"req-host\", req.Host)))\n\trule, ruleNum := p.ingressRules.FindMatchingRule(req.Host, req.URL.Path)\n\truleSpan.SetAttributes(attribute.Int(\"rule-num\", ruleNum))\n\truleSpan.End()\n\tlogger := newHTTPLogger(p.log, tr.ConnIndex, req, ruleNum, rule.Service.String())\n\tlogHTTPRequest(&logger, req)\n\tif err, applied := p.applyIngressMiddleware(rule, req, w); err != nil {\n\t\tif applied {\n\t\t\tlogRequestError(&logger, err)\n\t\t\treturn nil\n\t\t}\n\t\treturn err\n\t}\n\n\tswitch originProxy := rule.Service.(type) {\n\tcase ingress.HTTPOriginProxy:\n\t\tif err := p.proxyHTTPRequest(\n\t\t\tw,\n\t\t\ttr,\n\t\t\toriginProxy,\n\t\t\tisWebsocket,\n\t\t\trule.Config.DisableChunkedEncoding,\n\t\t\t&logger,\n\t\t); err != nil {\n\t\t\tlogRequestError(&logger, err)\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\tcase ingress.StreamBasedOriginProxy:\n\t\tdest, err := getDestFromRule(rule, req)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tflusher, ok := w.(http.Flusher)\n\t\tif !ok {\n\t\t\treturn fmt.Errorf(\"response writer is not a flusher\")\n\t\t}\n\t\trws := connection.NewHTTPResponseReadWriterAcker(w, flusher, req)\n\t\tlogger := logger.With().Str(logFieldDestAddr, dest).Logger()\n\t\tif err := p.proxyStream(tr.ToTracedContext(), rws, dest, originProxy, &logger); err != nil {\n\t\t\tlogRequestError(&logger, err)\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\tcase ingress.HTTPLocalProxy:\n\t\tp.proxyLocalRequest(originProxy, w, req, isWebsocket)\n\t\treturn nil\n\tdefault:\n\t\treturn fmt.Errorf(\"Unrecognized service: %s, %t\", rule.Service, originProxy)\n\t}\n}\n\n// ProxyTCP proxies to a TCP connection between the origin service and cloudflared.\nfunc (p *Proxy) ProxyTCP(\n\tctx context.Context,\n\tconn connection.ReadWriteAcker,\n\treq *connection.TCPRequest,\n) error {\n\tincrementTCPRequests()\n\tdefer decrementTCPConcurrentRequests()\n\n\tlogger := newTCPLogger(p.log, req)\n\n\t// Try to start a new flow\n\tif err := p.flowLimiter.Acquire(management.TCP.String()); err != nil {\n\t\tlogger.Warn().Msg(\"Too many concurrent flows being handled, rejecting tcp proxy\")\n\t\treturn errors.Wrap(err, \"failed to start tcp flow due to rate limiting\")\n\t}\n\tdefer p.flowLimiter.Release()\n\n\tserveCtx, cancel := context.WithCancel(ctx)\n\tdefer cancel()\n\n\ttracedCtx := tracing.NewTracedContext(serveCtx, req.CfTraceID, &logger)\n\tlogger.Debug().Msg(\"tcp proxy stream started\")\n\n\t// Parse the destination into a netip.AddrPort\n\tdest, err := netip.ParseAddrPort(req.Dest)\n\tif err != nil {\n\t\tlogRequestError(&logger, err)\n\t\treturn err\n\t}\n\n\tif err := p.proxyTCPStream(tracedCtx, conn, dest, p.originDialer, &logger); err != nil {\n\t\tlogRequestError(&logger, err)\n\t\treturn err\n\t}\n\n\tlogger.Debug().Msg(\"tcp proxy stream finished successfully\")\n\n\treturn nil\n}\n\n// ProxyHTTPRequest proxies requests of underlying type http and websocket to the origin service.\nfunc (p *Proxy) proxyHTTPRequest(\n\tw connection.ResponseWriter,\n\ttr *tracing.TracedHTTPRequest,\n\thttpService ingress.HTTPOriginProxy,\n\tisWebsocket bool,\n\tdisableChunkedEncoding bool,\n\tlogger *zerolog.Logger,\n) error {\n\troundTripReq := tr.Request\n\tif isWebsocket {\n\t\troundTripReq = tr.Clone(tr.Request.Context())\n\t\troundTripReq.Header.Set(\"Connection\", \"Upgrade\")\n\t\troundTripReq.Header.Set(\"Upgrade\", \"websocket\")\n\t\troundTripReq.Header.Set(\"Sec-Websocket-Version\", \"13\")\n\t\troundTripReq.ContentLength = 0\n\t\troundTripReq.Body = nil\n\t} else {\n\t\t// Support for WSGI Servers by switching transfer encoding from chunked to gzip/deflate\n\t\tif disableChunkedEncoding {\n\t\t\troundTripReq.TransferEncoding = []string{\"gzip\", \"deflate\"}\n\t\t\tcLength, err := strconv.Atoi(tr.Request.Header.Get(\"Content-Length\"))\n\t\t\tif err == nil {\n\t\t\t\troundTripReq.ContentLength = int64(cLength)\n\t\t\t}\n\t\t}\n\t\t// Request origin to keep connection alive to improve performance\n\t\troundTripReq.Header.Set(\"Connection\", \"keep-alive\")\n\t}\n\n\t// Set the User-Agent as an empty string if not provided to avoid inserting golang default UA\n\tif roundTripReq.Header.Get(\"User-Agent\") == \"\" {\n\t\troundTripReq.Header.Set(\"User-Agent\", \"\")\n\t}\n\n\t_, ttfbSpan := tr.Tracer().Start(tr.Context(), \"ttfb_origin\")\n\tresp, err := httpService.RoundTrip(roundTripReq)\n\tif err != nil {\n\t\ttracing.EndWithErrorStatus(ttfbSpan, err)\n\t\tif err := roundTripReq.Context().Err(); err != nil {\n\t\t\treturn errors.Wrap(err, \"Incoming request ended abruptly\")\n\t\t}\n\t\treturn errors.Wrap(err, \"Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared\")\n\t}\n\n\ttracing.EndWithStatusCode(ttfbSpan, resp.StatusCode)\n\tdefer resp.Body.Close()\n\n\theaders := make(http.Header, len(resp.Header))\n\t// copy headers\n\tfor k, v := range resp.Header {\n\t\theaders[k] = v\n\t}\n\n\t// Add spans to response header (if available)\n\ttr.AddSpans(headers)\n\n\terr = w.WriteRespHeaders(resp.StatusCode, headers)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Error writing response header\")\n\t}\n\n\tif resp.StatusCode == http.StatusSwitchingProtocols {\n\t\trwc, ok := resp.Body.(io.ReadWriteCloser)\n\t\tif !ok {\n\t\t\treturn errors.New(\"internal error: unsupported connection type\")\n\t\t}\n\t\tdefer rwc.Close()\n\n\t\teyeballStream := &bidirectionalStream{\n\t\t\twriter: w,\n\t\t\treader: tr.Request.Body,\n\t\t}\n\n\t\tstream.Pipe(eyeballStream, rwc, logger)\n\t\treturn nil\n\t}\n\n\tif _, err = cfio.Copy(w, resp.Body); err != nil {\n\t\treturn err\n\t}\n\n\t// copy trailers\n\tcopyTrailers(w, resp)\n\n\tlogOriginHTTPResponse(logger, resp)\n\treturn nil\n}\n\n// proxyStream proxies type TCP and other underlying types if the connection is defined as a stream oriented\n// ingress rule.\n// connectedLogger is used to log when the connection is acknowledged\nfunc (p *Proxy) proxyStream(\n\ttr *tracing.TracedContext,\n\trwa connection.ReadWriteAcker,\n\tdest string,\n\toriginDialer ingress.StreamBasedOriginProxy,\n\tlogger *zerolog.Logger,\n) error {\n\tctx := tr.Context\n\t_, connectSpan := tr.Tracer().Start(ctx, \"stream-connect\")\n\n\tstart := time.Now()\n\toriginConn, err := originDialer.EstablishConnection(ctx, dest, logger)\n\tif err != nil {\n\t\tconnectStreamErrors.Inc()\n\t\ttracing.EndWithErrorStatus(connectSpan, err)\n\t\treturn err\n\t}\n\tconnectSpan.End()\n\tdefer originConn.Close()\n\tlogger.Debug().Msg(\"origin connection established\")\n\n\tencodedSpans := tr.GetSpans()\n\n\tif err := rwa.AckConnection(encodedSpans); err != nil {\n\t\tconnectStreamErrors.Inc()\n\t\treturn err\n\t}\n\n\tconnectLatency.Observe(float64(time.Since(start).Milliseconds()))\n\tlogger.Debug().Msg(\"proxy stream acknowledged\")\n\n\toriginConn.Stream(ctx, rwa, logger)\n\treturn nil\n}\n\n// proxyTCPStream proxies private network type TCP connections as a stream towards an available origin.\n//\n// This is different than proxyStream because it's not leveraged ingress rule services and uses the\n// originDialer from OriginDialerService.\nfunc (p *Proxy) proxyTCPStream(\n\ttr *tracing.TracedContext,\n\ttunnelConn connection.ReadWriteAcker,\n\tdest netip.AddrPort,\n\toriginDialer ingress.OriginTCPDialer,\n\tlogger *zerolog.Logger,\n) error {\n\tctx := tr.Context\n\t_, connectSpan := tr.Tracer().Start(ctx, \"stream-connect\")\n\n\tstart := time.Now()\n\toriginConn, err := originDialer.DialTCP(ctx, dest)\n\tif err != nil {\n\t\tconnectStreamErrors.Inc()\n\t\ttracing.EndWithErrorStatus(connectSpan, err)\n\t\treturn err\n\t}\n\tconnectSpan.End()\n\tdefer originConn.Close()\n\tlogger.Debug().Msg(\"origin connection established\")\n\n\tencodedSpans := tr.GetSpans()\n\n\tif err := tunnelConn.AckConnection(encodedSpans); err != nil {\n\t\tconnectStreamErrors.Inc()\n\t\treturn err\n\t}\n\n\tconnectLatency.Observe(float64(time.Since(start).Milliseconds()))\n\tlogger.Debug().Msg(\"proxy stream acknowledged\")\n\n\tstream.Pipe(tunnelConn, originConn, logger)\n\treturn nil\n}\n\nfunc (p *Proxy) proxyLocalRequest(proxy ingress.HTTPLocalProxy, w connection.ResponseWriter, req *http.Request, isWebsocket bool) {\n\tif isWebsocket {\n\t\t// These headers are added since they are stripped off during an eyeball request to origintunneld, but they\n\t\t// are required during the Handshake process of a WebSocket request.\n\t\treq.Header.Set(\"Connection\", \"Upgrade\")\n\t\treq.Header.Set(\"Upgrade\", \"websocket\")\n\t\treq.Header.Set(\"Sec-Websocket-Version\", \"13\")\n\t}\n\tproxy.ServeHTTP(w, req)\n}\n\ntype bidirectionalStream struct {\n\treader io.Reader\n\twriter io.Writer\n}\n\nfunc (wr *bidirectionalStream) Read(p []byte) (n int, err error) {\n\treturn wr.reader.Read(p)\n}\n\nfunc (wr *bidirectionalStream) Write(p []byte) (n int, err error) {\n\treturn wr.writer.Write(p)\n}\n\nfunc (p *Proxy) appendTagHeaders(r *http.Request) {\n\tfor _, tag := range p.tags {\n\t\tr.Header.Add(TagHeaderNamePrefix+tag.Name, tag.Value)\n\t}\n}\n\nfunc copyTrailers(w connection.ResponseWriter, response *http.Response) {\n\tfor trailerHeader, trailerValues := range response.Trailer {\n\t\tfor _, trailerValue := range trailerValues {\n\t\t\tw.AddTrailer(trailerHeader, trailerValue)\n\t\t}\n\t}\n}\n\nfunc getDestFromRule(rule *ingress.Rule, req *http.Request) (string, error) {\n\tswitch rule.Service.String() {\n\tcase ingress.ServiceBastion:\n\t\treturn carrier.ResolveBastionDest(req)\n\tdefault:\n\t\treturn rule.Service.String(), nil\n\t}\n}\n" }, { "path": "proxy/proxy_posix_test.go", "content": "//go:build !windows\n\npackage proxy\n\nimport (\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n)\n\nfunc TestUnixSocketOrigin(t *testing.T) {\n\tfile, err := os.CreateTemp(\"\", \"unix.sock\")\n\trequire.NoError(t, err)\n\tos.Remove(file.Name()) // remove the file since binding the socket expects to create it\n\n\tl, err := net.Listen(\"unix\", file.Name())\n\trequire.NoError(t, err)\n\tdefer l.Close()\n\tdefer os.Remove(file.Name())\n\n\tapi := &httptest.Server{\n\t\tListener: l,\n\t\tConfig: &http.Server{Handler: mockAPI{}},\n\t}\n\tapi.Start()\n\tdefer api.Close()\n\n\tunvalidatedIngress := []config.UnvalidatedIngressRule{\n\t\t{\n\t\t\tHostname: \"unix.example.com\",\n\t\t\tService: \"unix:\" + file.Name(),\n\t\t},\n\t\t{\n\t\t\tHostname: \"*\",\n\t\t\tService: \"http_status:404\",\n\t\t},\n\t}\n\n\ttests := []MultipleIngressTest{\n\t\t{\n\t\t\turl: \"http://unix.example.com\",\n\t\t\texpectedStatus: http.StatusCreated,\n\t\t\texpectedBody: []byte(\"Created\"),\n\t\t},\n\t}\n\n\trunIngressTestScenarios(t, unvalidatedIngress, tests)\n}\n" }, { "path": "proxy/proxy_test.go", "content": "package proxy\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"context\"\n\t\"flag\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"strings\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/gobwas/ws/wsutil\"\n\tgorillaWS \"github.com/gorilla/websocket\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"github.com/urfave/cli/v2\"\n\t\"go.uber.org/mock/gomock\"\n\t\"golang.org/x/sync/errgroup\"\n\n\t\"github.com/cloudflare/cloudflared/mocks\"\n\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n\n\t\"github.com/cloudflare/cloudflared/cfio\"\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/hello\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\nvar (\n\ttestTags = []pogs.Tag{{Name: \"Name\", Value: \"value\"}}\n\ttestDefaultDialer = ingress.NewDialer(ingress.WarpRoutingConfig{\n\t\tConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},\n\t\tTCPKeepAlive: config.CustomDuration{Duration: 15 * time.Second},\n\t\tMaxActiveFlows: 0,\n\t})\n)\n\ntype mockHTTPRespWriter struct {\n\t*httptest.ResponseRecorder\n}\n\nfunc newMockHTTPRespWriter() *mockHTTPRespWriter {\n\treturn &mockHTTPRespWriter{\n\t\thttptest.NewRecorder(),\n\t}\n}\n\nfunc (w *mockHTTPRespWriter) WriteResponse() error {\n\treturn nil\n}\n\nfunc (w *mockHTTPRespWriter) WriteRespHeaders(status int, header http.Header) error {\n\tw.WriteHeader(status)\n\tfor header, val := range header {\n\t\tw.Header()[header] = val\n\t}\n\treturn nil\n}\n\nfunc (w *mockHTTPRespWriter) AddTrailer(trailerName, trailerValue string) {\n\t// do nothing\n}\n\nfunc (w *mockHTTPRespWriter) Read(data []byte) (int, error) {\n\treturn 0, fmt.Errorf(\"mockHTTPRespWriter doesn't implement io.Reader\")\n}\n\nfunc (m *mockHTTPRespWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {\n\tpanic(\"Hijack not implemented\")\n}\n\ntype mockWSRespWriter struct {\n\t*mockHTTPRespWriter\n\twriteNotification chan []byte\n\treader io.Reader\n}\n\nfunc newMockWSRespWriter(reader io.Reader) *mockWSRespWriter {\n\treturn &mockWSRespWriter{\n\t\tnewMockHTTPRespWriter(),\n\t\tmake(chan []byte),\n\t\treader,\n\t}\n}\n\nfunc (w *mockWSRespWriter) Write(data []byte) (int, error) {\n\tw.writeNotification <- data\n\treturn len(data), nil\n}\n\nfunc (w *mockWSRespWriter) respBody() io.ReadWriter {\n\tdata := <-w.writeNotification\n\treturn bytes.NewBuffer(data)\n}\n\nfunc (w *mockWSRespWriter) Close() error {\n\tclose(w.writeNotification)\n\treturn nil\n}\n\nfunc (w *mockWSRespWriter) Read(data []byte) (int, error) {\n\treturn w.reader.Read(data)\n}\n\nfunc (w *mockWSRespWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {\n\tpanic(\"Hijack not implemented\")\n}\n\ntype mockSSERespWriter struct {\n\t*mockHTTPRespWriter\n\twriteNotification chan []byte\n}\n\nfunc newMockSSERespWriter() *mockSSERespWriter {\n\treturn &mockSSERespWriter{\n\t\tnewMockHTTPRespWriter(),\n\t\tmake(chan []byte),\n\t}\n}\n\nfunc (w *mockSSERespWriter) Write(data []byte) (int, error) {\n\tnewData := make([]byte, len(data))\n\tcopy(newData, data)\n\n\tw.writeNotification <- newData\n\treturn len(data), nil\n}\n\nfunc (w *mockSSERespWriter) WriteString(str string) (int, error) {\n\treturn w.Write([]byte(str))\n}\n\nfunc (w *mockSSERespWriter) ReadBytes() []byte {\n\treturn <-w.writeNotification\n}\n\nfunc TestProxySingleOrigin(t *testing.T) {\n\tlog := zerolog.Nop()\n\n\tctx, cancel := context.WithCancel(t.Context())\n\n\tflagSet := flag.NewFlagSet(t.Name(), flag.PanicOnError)\n\tflagSet.Bool(\"hello-world\", true, \"\")\n\n\tcliCtx := cli.NewContext(cli.NewApp(), flagSet, nil)\n\terr := cliCtx.Set(\"hello-world\", \"true\")\n\trequire.NoError(t, err)\n\n\tingressRule, err := ingress.ParseIngressFromConfigAndCLI(&config.Configuration{}, cliCtx, &log)\n\trequire.NoError(t, err)\n\n\trequire.NoError(t, ingressRule.StartOrigins(&log, ctx.Done()))\n\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 1 * time.Second,\n\t}, &log)\n\n\tproxy := NewOriginProxy(ingressRule, originDialer, testTags, cfdflow.NewLimiter(0), &log)\n\tt.Run(\"testProxyHTTP\", testProxyHTTP(proxy))\n\tt.Run(\"testProxyWebsocket\", testProxyWebsocket(proxy))\n\tt.Run(\"testProxySSE\", testProxySSE(proxy))\n\tcancel()\n}\n\nfunc testProxyHTTP(proxy connection.OriginProxy) func(t *testing.T) {\n\treturn func(t *testing.T) {\n\t\tresponseWriter := newMockHTTPRespWriter()\n\t\treq, err := http.NewRequest(http.MethodGet, \"http://localhost:8080\", nil)\n\t\trequire.NoError(t, err)\n\n\t\tlog := zerolog.Nop()\n\t\terr = proxy.ProxyHTTP(responseWriter, tracing.NewTracedHTTPRequest(req, 0, &log), false)\n\t\trequire.NoError(t, err)\n\t\tfor _, tag := range testTags {\n\t\t\tassert.Equal(t, tag.Value, req.Header.Get(TagHeaderNamePrefix+tag.Name))\n\t\t}\n\n\t\tassert.Equal(t, http.StatusOK, responseWriter.Code)\n\t}\n}\n\nfunc testProxyWebsocket(proxy connection.OriginProxy) func(t *testing.T) {\n\treturn func(t *testing.T) {\n\t\t// WSRoute is a websocket echo handler\n\t\tconst testTimeout = 5 * time.Second * 1000\n\t\tctx, cancel := context.WithTimeout(t.Context(), testTimeout)\n\t\tdefer cancel()\n\t\treadPipe, writePipe := io.Pipe()\n\t\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf(\"http://localhost:8080%s\", hello.WSRoute), readPipe)\n\t\treq.Header.Set(\"Sec-Websocket-Key\", \"dGhlIHNhbXBsZSBub25jZQ==\")\n\t\treq.Header.Set(\"Connection\", \"Upgrade\")\n\t\treq.Header.Set(\"Upgrade\", \"websocket\")\n\t\tresponseWriter := newMockWSRespWriter(nil)\n\n\t\tfinished := make(chan struct{})\n\n\t\terrGroup, ctx := errgroup.WithContext(ctx)\n\t\terrGroup.Go(func() error {\n\t\t\tlog := zerolog.Nop()\n\t\t\terr = proxy.ProxyHTTP(responseWriter, tracing.NewTracedHTTPRequest(req, 0, &log), true)\n\t\t\trequire.NoError(t, err)\n\n\t\t\trequire.Equal(t, http.StatusSwitchingProtocols, responseWriter.Code)\n\t\t\treturn nil\n\t\t})\n\n\t\terrGroup.Go(func() error {\n\t\t\tselect {\n\t\t\tcase <-finished:\n\t\t\tcase <-ctx.Done():\n\t\t\t}\n\t\t\tif ctx.Err() == context.DeadlineExceeded {\n\t\t\t\tt.Errorf(\"Test timed out\")\n\t\t\t\treadPipe.Close()\n\t\t\t\twritePipe.Close()\n\t\t\t\tresponseWriter.Close()\n\t\t\t}\n\t\t\treturn nil\n\t\t})\n\n\t\tmsg := []byte(\"test websocket\")\n\t\terr = wsutil.WriteClientText(writePipe, msg)\n\t\trequire.NoError(t, err)\n\n\t\t// ReadServerText reads next data message from rw, considering that caller represents proxy side.\n\t\treturnedMsg, err := wsutil.ReadServerText(responseWriter.respBody())\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, msg, returnedMsg)\n\n\t\terr = wsutil.WriteClientBinary(writePipe, msg)\n\t\trequire.NoError(t, err)\n\n\t\treturnedMsg, err = wsutil.ReadServerBinary(responseWriter.respBody())\n\t\trequire.NoError(t, err)\n\t\trequire.Equal(t, msg, returnedMsg)\n\n\t\t_ = readPipe.Close()\n\t\t_ = writePipe.Close()\n\t\t_ = responseWriter.Close()\n\n\t\tclose(finished)\n\t\t_ = errGroup.Wait()\n\t}\n}\n\nfunc testProxySSE(proxy connection.OriginProxy) func(t *testing.T) {\n\treturn func(t *testing.T) {\n\t\tvar (\n\t\t\tpushCount = 50\n\t\t\tpushFreq = time.Millisecond * 10\n\t\t)\n\t\tresponseWriter := newMockSSERespWriter()\n\t\tctx, cancel := context.WithCancel(t.Context())\n\t\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf(\"http://localhost:8080%s?freq=%s\", hello.SSERoute, pushFreq), nil)\n\t\trequire.NoError(t, err)\n\n\t\tvar wg sync.WaitGroup\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\tdefer wg.Done()\n\t\t\tlog := zerolog.Nop()\n\t\t\terr = proxy.ProxyHTTP(responseWriter, tracing.NewTracedHTTPRequest(req, 0, &log), false)\n\t\t\trequire.Equal(t, \"context canceled\", err.Error())\n\n\t\t\trequire.Equal(t, http.StatusOK, responseWriter.Code)\n\t\t}()\n\n\t\tfor i := 0; i < pushCount; i++ {\n\t\t\tline := responseWriter.ReadBytes()\n\t\t\texpect := fmt.Sprintf(\"%d\\n\\n\", i)\n\t\t\trequire.Equal(t, []byte(expect), line, \"Expect to read %v, got %v\", expect, line)\n\t\t}\n\n\t\tcancel()\n\t\twg.Wait()\n\t}\n}\n\n// Regression test to guarantee that we always write the contents downstream even if EOF is reached without\n// hitting the delimiter\nfunc TestProxySSEAllData(t *testing.T) {\n\teyeballReader := io.NopCloser(strings.NewReader(\"data\\r\\r\"))\n\tresponseWriter := newMockSSERespWriter()\n\n\t// responseWriter uses an unbuffered channel, so we call in a different go-routine\n\tgo func() {\n\t\t_, _ = cfio.Copy(responseWriter, eyeballReader)\n\t}()\n\n\tresult := string(<-responseWriter.writeNotification)\n\trequire.Equal(t, \"data\\r\\r\", result)\n}\n\nfunc TestProxyMultipleOrigins(t *testing.T) {\n\tapi := httptest.NewServer(mockAPI{})\n\tdefer api.Close()\n\n\tunvalidatedIngress := []config.UnvalidatedIngressRule{\n\t\t{\n\t\t\tHostname: \"api.example.com\",\n\t\t\tService: api.URL,\n\t\t},\n\t\t{\n\t\t\tHostname: \"hello.example.com\",\n\t\t\tService: \"hello-world\",\n\t\t},\n\t\t{\n\t\t\tHostname: \"health.example.com\",\n\t\t\tPath: \"/health\",\n\t\t\tService: \"http_status:200\",\n\t\t},\n\t\t{\n\t\t\tHostname: \"*\",\n\t\t\tService: \"http_status:404\",\n\t\t},\n\t}\n\n\ttests := []MultipleIngressTest{\n\t\t{\n\t\t\turl: \"http://api.example.com\",\n\t\t\texpectedStatus: http.StatusCreated,\n\t\t\texpectedBody: []byte(\"Created\"),\n\t\t},\n\t\t{\n\t\t\turl: fmt.Sprintf(\"http://hello.example.com%s\", hello.HealthRoute),\n\t\t\texpectedStatus: http.StatusOK,\n\t\t\texpectedBody: []byte(\"ok\"),\n\t\t},\n\t\t{\n\t\t\turl: \"http://health.example.com/health\",\n\t\t\texpectedStatus: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\turl: \"http://health.example.com/\",\n\t\t\texpectedStatus: http.StatusNotFound,\n\t\t},\n\t\t{\n\t\t\turl: \"http://not-found.example.com\",\n\t\t\texpectedStatus: http.StatusNotFound,\n\t\t},\n\t}\n\n\trunIngressTestScenarios(t, unvalidatedIngress, tests)\n}\n\ntype MultipleIngressTest struct {\n\turl string\n\texpectedStatus int\n\texpectedBody []byte\n}\n\nfunc runIngressTestScenarios(t *testing.T, unvalidatedIngress []config.UnvalidatedIngressRule, tests []MultipleIngressTest) {\n\tingressRule, err := ingress.ParseIngress(&config.Configuration{\n\t\tTunnelID: t.Name(),\n\t\tIngress: unvalidatedIngress,\n\t})\n\trequire.NoError(t, err)\n\n\tlog := zerolog.Nop()\n\n\tctx, cancel := context.WithCancel(t.Context())\n\trequire.NoError(t, ingressRule.StartOrigins(&log, ctx.Done()))\n\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 1 * time.Second,\n\t}, &log)\n\n\tproxy := NewOriginProxy(ingressRule, originDialer, testTags, cfdflow.NewLimiter(0), &log)\n\n\tfor _, test := range tests {\n\t\tresponseWriter := newMockHTTPRespWriter()\n\t\treq, err := http.NewRequest(http.MethodGet, test.url, nil)\n\t\trequire.NoError(t, err)\n\n\t\terr = proxy.ProxyHTTP(responseWriter, tracing.NewTracedHTTPRequest(req, 0, &log), false)\n\t\trequire.NoError(t, err)\n\n\t\tassert.Equal(t, test.expectedStatus, responseWriter.Code)\n\t\tif test.expectedBody != nil {\n\t\t\tassert.Equal(t, test.expectedBody, responseWriter.Body.Bytes())\n\t\t} else {\n\t\t\tassert.Equal(t, 0, responseWriter.Body.Len())\n\t\t}\n\t}\n\tcancel()\n}\n\ntype mockAPI struct{}\n\nfunc (ma mockAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tw.WriteHeader(http.StatusCreated)\n\t_, _ = w.Write([]byte(\"Created\"))\n}\n\ntype errorOriginTransport struct{}\n\nfunc (errorOriginTransport) RoundTrip(*http.Request) (*http.Response, error) {\n\treturn nil, fmt.Errorf(\"Proxy error\")\n}\n\nfunc TestProxyError(t *testing.T) {\n\ting := ingress.Ingress{\n\t\tRules: []ingress.Rule{\n\t\t\t{\n\t\t\t\tHostname: \"*\",\n\t\t\t\tPath: nil,\n\t\t\t\tService: ingress.MockOriginHTTPService{\n\t\t\t\t\tTransport: errorOriginTransport{},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tlog := zerolog.Nop()\n\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 1 * time.Second,\n\t}, &log)\n\n\tproxy := NewOriginProxy(ing, originDialer, testTags, cfdflow.NewLimiter(0), &log)\n\n\tresponseWriter := newMockHTTPRespWriter()\n\treq, err := http.NewRequest(http.MethodGet, \"http://127.0.0.1\", nil)\n\trequire.NoError(t, err)\n\n\trequire.Error(t, proxy.ProxyHTTP(responseWriter, tracing.NewTracedHTTPRequest(req, 0, &log), false))\n}\n\ntype replayer struct {\n\tsync.RWMutex\n\trw *bytes.Buffer\n}\n\nfunc (r *replayer) Read(p []byte) (int, error) {\n\tr.RLock()\n\tdefer r.RUnlock()\n\treturn r.rw.Read(p)\n}\n\nfunc (r *replayer) Write(p []byte) (int, error) {\n\tr.Lock()\n\tdefer r.Unlock()\n\tn, err := r.rw.Write(p)\n\treturn n, err\n}\n\nfunc (r *replayer) String() string {\n\tr.Lock()\n\tdefer r.Unlock()\n\treturn r.rw.String()\n}\n\nfunc (r *replayer) Bytes() []byte {\n\tr.Lock()\n\tdefer r.Unlock()\n\treturn r.rw.Bytes()\n}\n\n// TestConnections tests every possible permutation of connection protocols\n// proxied by cloudflared.\n//\n// WS - WS : When a websocket based ingress is configured on the origin and\n// the eyeball is also a websocket client streaming data.\n// TCP - TCP : When teamnet is enabled and an http or tcp service is running\n// on the origin.\n// TCP - WS: When teamnet is enabled and a websocket based service is running\n// on the origin.\n// WS - TCP: When a tcp based ingress is configured on the origin and the\n// eyeball sends tcp packets wrapped in websockets. (E.g: cloudflared access).\nfunc TestConnections(t *testing.T) {\n\tlog := zerolog.Nop()\n\treplayer := &replayer{rw: bytes.NewBuffer([]byte{})}\n\ttype args struct {\n\t\tingressServiceScheme string\n\t\toriginService func(*testing.T, net.Listener)\n\t\teyeballResponseWriter connection.ResponseWriter\n\t\teyeballRequestBody io.ReadCloser\n\n\t\t// eyeball connection type.\n\t\tconnectionType connection.Type\n\n\t\t// requestheaders to be sent in the call to proxy.Proxy\n\t\trequestHeaders http.Header\n\n\t\t// flowLimiterResponse is the response of the cfdflow.Limiter#Acquire method call\n\t\tflowLimiterResponse error\n\t}\n\n\toriginDialer := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 0,\n\t}, &log)\n\n\ttype want struct {\n\t\tmessage []byte\n\t\theaders http.Header\n\t\terr bool\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant want\n\t}{\n\t\t{\n\t\t\tname: \"ws-ws proxy\",\n\t\t\targs: args{\n\t\t\t\tingressServiceScheme: \"ws://\",\n\t\t\t\toriginService: runEchoWSService,\n\t\t\t\teyeballResponseWriter: newWSRespWriter(replayer),\n\t\t\t\teyeballRequestBody: newWSRequestBody([]byte(\"test1\")),\n\t\t\t\tconnectionType: connection.TypeWebsocket,\n\t\t\t\trequestHeaders: map[string][]string{\n\t\t\t\t\t// Example key from https://tools.ietf.org/html/rfc6455#section-1.2\n\t\t\t\t\t\"Sec-Websocket-Key\": {\"dGhlIHNhbXBsZSBub25jZQ==\"},\n\t\t\t\t\t\"Test-Cloudflared-Echo\": {\"Echo\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: want{\n\t\t\t\tmessage: []byte(\"echo-test1\"),\n\t\t\t\theaders: map[string][]string{\n\t\t\t\t\t\"Connection\": {\"Upgrade\"},\n\t\t\t\t\t\"Sec-Websocket-Accept\": {\"s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\"},\n\t\t\t\t\t\"Upgrade\": {\"websocket\"},\n\t\t\t\t\t\"Test-Cloudflared-Echo\": {\"Echo\"},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"tcp-tcp proxy\",\n\t\t\targs: args{\n\t\t\t\tingressServiceScheme: \"tcp://\",\n\t\t\t\toriginService: runEchoTCPService,\n\t\t\t\teyeballResponseWriter: newTCPRespWriter(replayer),\n\t\t\t\teyeballRequestBody: newTCPRequestBody([]byte(\"test2\")),\n\t\t\t\tconnectionType: connection.TypeTCP,\n\t\t\t\trequestHeaders: map[string][]string{\n\t\t\t\t\t\"Cf-Cloudflared-Proxy-Src\": {\"non-blank-value\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: want{\n\t\t\t\tmessage: []byte(\"echo-test2\"),\n\t\t\t\theaders: http.Header{},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"tcp-ws proxy\",\n\t\t\targs: args{\n\t\t\t\tingressServiceScheme: \"ws://\",\n\t\t\t\toriginService: runEchoWSService,\n\t\t\t\t// eyeballResponseWriter gets set after roundtrip dial.\n\t\t\t\teyeballRequestBody: newPipedWSRequestBody([]byte(\"test3\")),\n\t\t\t\trequestHeaders: map[string][]string{\n\t\t\t\t\t\"Cf-Cloudflared-Proxy-Src\": {\"non-blank-value\"},\n\t\t\t\t},\n\t\t\t\tconnectionType: connection.TypeTCP,\n\t\t\t},\n\t\t\twant: want{\n\t\t\t\tmessage: []byte(\"echo-test3\"),\n\t\t\t\t// We expect no headers here because they are sent back via\n\t\t\t\t// the stream.\n\t\t\t\theaders: http.Header{},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"ws-tcp proxy\",\n\t\t\targs: args{\n\t\t\t\tingressServiceScheme: \"tcp://\",\n\t\t\t\toriginService: runEchoTCPService,\n\t\t\t\teyeballResponseWriter: newWSRespWriter(replayer),\n\t\t\t\teyeballRequestBody: newWSRequestBody([]byte(\"test4\")),\n\t\t\t\tconnectionType: connection.TypeWebsocket,\n\t\t\t\trequestHeaders: map[string][]string{\n\t\t\t\t\t// Example key from https://tools.ietf.org/html/rfc6455#section-1.2\n\t\t\t\t\t\"Sec-Websocket-Key\": {\"dGhlIHNhbXBsZSBub25jZQ==\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: want{\n\t\t\t\tmessage: []byte(\"echo-test4\"),\n\t\t\t\theaders: map[string][]string{\n\t\t\t\t\t\"Connection\": {\"Upgrade\"},\n\t\t\t\t\t\"Sec-Websocket-Accept\": {\"s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\"},\n\t\t\t\t\t\"Upgrade\": {\"websocket\"},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t// Send (unexpected) HTTP when origin expects WS (to unwrap for raw TCP)\n\t\t\tname: \"http-(ws)tcp proxy\",\n\t\t\targs: args{\n\t\t\t\tingressServiceScheme: \"tcp://\",\n\t\t\t\toriginService: runEchoTCPService,\n\t\t\t\teyeballResponseWriter: newMockHTTPRespWriter(),\n\t\t\t\teyeballRequestBody: http.NoBody,\n\t\t\t\tconnectionType: connection.TypeHTTP,\n\t\t\t\trequestHeaders: map[string][]string{\n\t\t\t\t\t\"Cf-Cloudflared-Proxy-Src\": {\"non-blank-value\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: want{\n\t\t\t\tmessage: []byte{},\n\t\t\t\theaders: map[string][]string{},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"ws-ws proxy when origin is different\",\n\t\t\targs: args{\n\t\t\t\tingressServiceScheme: \"ws://\",\n\t\t\t\toriginService: runEchoWSService,\n\t\t\t\teyeballResponseWriter: newWSRespWriter(replayer),\n\t\t\t\teyeballRequestBody: newWSRequestBody([]byte(\"test1\")),\n\t\t\t\tconnectionType: connection.TypeWebsocket,\n\t\t\t\trequestHeaders: map[string][]string{\n\t\t\t\t\t// Example key from https://tools.ietf.org/html/rfc6455#section-1.2\n\t\t\t\t\t\"Sec-Websocket-Key\": {\"dGhlIHNhbXBsZSBub25jZQ==\"},\n\t\t\t\t\t\"Origin\": {\"Different origin\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: want{\n\t\t\t\tmessage: []byte(\"Forbidden\\n\"),\n\t\t\t\terr: false,\n\t\t\t\theaders: map[string][]string{\n\t\t\t\t\t\"Content-Length\": {\"10\"},\n\t\t\t\t\t\"Content-Type\": {\"text/plain; charset=utf-8\"},\n\t\t\t\t\t\"Sec-Websocket-Version\": {\"13\"},\n\t\t\t\t\t\"X-Content-Type-Options\": {\"nosniff\"},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"tcp-* proxy when origin service has already closed the connection/ is no longer running\",\n\t\t\targs: args{\n\t\t\t\tingressServiceScheme: \"tcp://\",\n\t\t\t\toriginService: func(t *testing.T, ln net.Listener) {\n\t\t\t\t\t// closing the listener created by the test.\n\t\t\t\t\tln.Close()\n\t\t\t\t},\n\t\t\t\teyeballResponseWriter: newTCPRespWriter(replayer),\n\t\t\t\teyeballRequestBody: newTCPRequestBody([]byte(\"test2\")),\n\t\t\t\tconnectionType: connection.TypeTCP,\n\t\t\t\trequestHeaders: map[string][]string{\n\t\t\t\t\t\"Cf-Cloudflared-Proxy-Src\": {\"non-blank-value\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: want{\n\t\t\t\tmessage: []byte{},\n\t\t\t\terr: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"tcp-* proxy rate limited flow\",\n\t\t\targs: args{\n\t\t\t\tingressServiceScheme: \"tcp://\",\n\t\t\t\toriginService: runEchoTCPService,\n\t\t\t\teyeballResponseWriter: newTCPRespWriter(replayer),\n\t\t\t\teyeballRequestBody: newTCPRequestBody([]byte(\"rate-limited\")),\n\t\t\t\tconnectionType: connection.TypeTCP,\n\t\t\t\trequestHeaders: map[string][]string{\n\t\t\t\t\t\"Cf-Cloudflared-Proxy-Src\": {\"non-blank-value\"},\n\t\t\t\t},\n\t\t\t\tflowLimiterResponse: cfdflow.ErrTooManyActiveFlows,\n\t\t\t},\n\t\t\twant: want{\n\t\t\t\tmessage: []byte{},\n\t\t\t\terr: true,\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tctx, cancel := context.WithCancel(t.Context())\n\t\t\tln, err := net.Listen(\"tcp\", \"127.0.0.1:0\")\n\t\t\trequire.NoError(t, err)\n\t\t\t// Starts origin service\n\t\t\ttest.args.originService(t, ln)\n\n\t\t\tingressRule := createSingleIngressConfig(t, test.args.ingressServiceScheme+ln.Addr().String())\n\t\t\t_ = ingressRule.StartOrigins(&log, ctx.Done())\n\n\t\t\t// Mock flow limiter\n\t\t\tctrl := gomock.NewController(t)\n\t\t\tdefer ctrl.Finish()\n\t\t\tflowLimiter := mocks.NewMockLimiter(ctrl)\n\t\t\tflowLimiter.EXPECT().Acquire(\"tcp\").AnyTimes().Return(test.args.flowLimiterResponse)\n\t\t\tflowLimiter.EXPECT().Release().AnyTimes()\n\n\t\t\tproxy := NewOriginProxy(ingressRule, originDialer, testTags, flowLimiter, &log)\n\n\t\t\tdest := ln.Addr().String()\n\t\t\treq, err := http.NewRequest(\n\t\t\t\thttp.MethodGet,\n\t\t\t\ttest.args.ingressServiceScheme+ln.Addr().String(),\n\t\t\t\ttest.args.eyeballRequestBody,\n\t\t\t)\n\t\t\trequire.NoError(t, err)\n\n\t\t\treq.Header = test.args.requestHeaders\n\t\t\trespWriter := test.args.eyeballResponseWriter\n\n\t\t\tif pipedReqBody, ok := test.args.eyeballRequestBody.(*pipedRequestBody); ok {\n\t\t\t\trespWriter = newTCPRespWriter(pipedReqBody.pipedConn)\n\t\t\t\tgo func() {\n\t\t\t\t\tresp := pipedReqBody.roundtrip(test.args.ingressServiceScheme + ln.Addr().String())\n\t\t\t\t\t_, _ = replayer.Write(resp)\n\t\t\t\t}()\n\t\t\t}\n\t\t\tif test.args.connectionType == connection.TypeTCP {\n\t\t\t\trwa := connection.NewHTTPResponseReadWriterAcker(respWriter, respWriter.(http.Flusher), req)\n\t\t\t\terr = proxy.ProxyTCP(ctx, rwa, &connection.TCPRequest{Dest: dest})\n\t\t\t} else {\n\t\t\t\tlog := zerolog.Nop()\n\t\t\t\terr = proxy.ProxyHTTP(respWriter, tracing.NewTracedHTTPRequest(req, 0, &log), test.args.connectionType == connection.TypeWebsocket)\n\t\t\t}\n\n\t\t\tcancel()\n\t\t\trequire.Equal(t, test.want.err, err != nil)\n\t\t\trequire.Equal(t, test.want.message, replayer.Bytes())\n\t\t\trequire.Equal(t, test.want.headers, respWriter.Header())\n\t\t\treplayer.rw.Reset()\n\t\t})\n\t}\n}\n\ntype requestBody struct {\n\tpw *io.PipeWriter\n\tpr *io.PipeReader\n}\n\nfunc newWSRequestBody(data []byte) *requestBody {\n\tpr, pw := io.Pipe()\n\tgo func() {\n\t\t_ = wsutil.WriteClientBinary(pw, data)\n\t}()\n\treturn &requestBody{\n\t\tpr: pr,\n\t\tpw: pw,\n\t}\n}\n\nfunc newTCPRequestBody(data []byte) *requestBody {\n\tpr, pw := io.Pipe()\n\tgo func() {\n\t\t_, _ = pw.Write(data)\n\t}()\n\treturn &requestBody{\n\t\tpr: pr,\n\t\tpw: pw,\n\t}\n}\n\nfunc (r *requestBody) Read(p []byte) (n int, err error) {\n\treturn r.pr.Read(p)\n}\n\nfunc (r *requestBody) Close() error {\n\t_ = r.pw.Close()\n\t_ = r.pr.Close()\n\treturn nil\n}\n\ntype pipedRequestBody struct {\n\tdialer gorillaWS.Dialer\n\tpipedConn net.Conn\n\twsConn net.Conn\n\tmessageToWrite []byte\n}\n\nfunc newPipedWSRequestBody(data []byte) *pipedRequestBody {\n\tconn1, conn2 := net.Pipe()\n\tdialer := gorillaWS.Dialer{\n\t\tNetDial: func(network, addr string) (net.Conn, error) {\n\t\t\treturn conn2, nil\n\t\t},\n\t}\n\treturn &pipedRequestBody{\n\t\tdialer: dialer,\n\t\tpipedConn: conn1,\n\t\twsConn: conn2,\n\t\tmessageToWrite: data,\n\t}\n}\n\nfunc (p *pipedRequestBody) roundtrip(addr string) []byte {\n\theader := http.Header{}\n\tconn, resp, err := p.dialer.Dial(addr, header)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tdefer conn.Close()\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode != http.StatusSwitchingProtocols {\n\t\tpanic(fmt.Errorf(\"resp returned status code: %d\", resp.StatusCode))\n\t}\n\n\terr = conn.WriteMessage(gorillaWS.TextMessage, p.messageToWrite)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\t_, data, err := conn.ReadMessage()\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\treturn data\n}\n\nfunc (p *pipedRequestBody) Read(data []byte) (n int, err error) {\n\treturn p.pipedConn.Read(data)\n}\n\nfunc (p *pipedRequestBody) Close() error {\n\treturn nil\n}\n\ntype wsRespWriter struct {\n\tw io.Writer\n\tresponseHeaders http.Header\n\tcode int\n}\n\n// newWSRespWriter uses wsutil.WriteClientText to generate websocket frames.\n// and wsutil.ReadClientText to translate frames from server to byte data.\n// In essence, this acts as a wsClient.\nfunc newWSRespWriter(w io.Writer) *wsRespWriter {\n\treturn &wsRespWriter{\n\t\tw: w,\n\t}\n}\n\n// Write is written to by ingress.Stream and serves as the output to the client.\nfunc (w *wsRespWriter) Write(p []byte) (int, error) {\n\treturnedMsg, err := wsutil.ReadServerBinary(bytes.NewBuffer(p))\n\tif err != nil {\n\t\t// The data was not returned by a websocket connection.\n\t\tif err != io.ErrUnexpectedEOF {\n\t\t\treturn w.w.Write(p)\n\t\t}\n\t}\n\treturn w.w.Write(returnedMsg)\n}\n\nfunc (w *wsRespWriter) WriteRespHeaders(status int, header http.Header) error {\n\tw.responseHeaders = header\n\tw.code = status\n\treturn nil\n}\n\nfunc (w *wsRespWriter) Flush() {}\n\nfunc (w *wsRespWriter) AddTrailer(trailerName, trailerValue string) {\n\t// do nothing\n}\n\n// respHeaders is a test function to read respHeaders\nfunc (w *wsRespWriter) Header() http.Header {\n\t// Removing indeterminstic header because it cannot be asserted.\n\tw.responseHeaders.Del(\"Date\")\n\treturn w.responseHeaders\n}\n\nfunc (w *wsRespWriter) WriteHeader(status int) {\n\t// unused\n}\n\nfunc (m *wsRespWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {\n\tpanic(\"Hijack not implemented\")\n}\n\ntype mockTCPRespWriter struct {\n\tw io.Writer\n\tresponseHeaders http.Header\n\tcode int\n}\n\nfunc newTCPRespWriter(w io.Writer) *mockTCPRespWriter {\n\treturn &mockTCPRespWriter{\n\t\tw: w,\n\t}\n}\n\nfunc (m *mockTCPRespWriter) Read(p []byte) (n int, err error) {\n\treturn len(p), nil\n}\n\nfunc (m *mockTCPRespWriter) Write(p []byte) (n int, err error) {\n\treturn m.w.Write(p)\n}\n\nfunc (m *mockTCPRespWriter) Flush() {}\n\nfunc (m *mockTCPRespWriter) AddTrailer(trailerName, trailerValue string) {\n\t// do nothing\n}\n\nfunc (m *mockTCPRespWriter) WriteRespHeaders(status int, header http.Header) error {\n\tm.responseHeaders = header\n\tm.code = status\n\treturn nil\n}\n\n// respHeaders is a test function to read respHeaders\nfunc (m *mockTCPRespWriter) Header() http.Header {\n\treturn m.responseHeaders\n}\n\nfunc (m *mockTCPRespWriter) WriteHeader(status int) {\n\t// do nothing\n}\n\nfunc (m *mockTCPRespWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {\n\tpanic(\"Hijack not implemented\")\n}\n\nfunc createSingleIngressConfig(t *testing.T, service string) ingress.Ingress {\n\tingressConfig := &config.Configuration{\n\t\tIngress: []config.UnvalidatedIngressRule{\n\t\t\t{\n\t\t\t\tHostname: \"*\",\n\t\t\t\tService: service,\n\t\t\t},\n\t\t},\n\t}\n\tingressRule, err := ingress.ParseIngress(ingressConfig)\n\trequire.NoError(t, err)\n\treturn ingressRule\n}\n\nfunc runEchoTCPService(t *testing.T, l net.Listener) {\n\tgo func() {\n\t\tfor {\n\t\t\tconn, err := l.Accept()\n\t\t\tif err != nil {\n\t\t\t\tpanic(err)\n\t\t\t}\n\t\t\tdefer conn.Close()\n\n\t\t\tfor {\n\t\t\t\tbuf := make([]byte, 1024)\n\t\t\t\tsize, err := conn.Read(buf)\n\t\t\t\tif err == io.EOF {\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tdata := []byte(\"echo-\")\n\t\t\t\tdata = append(data, buf[:size]...)\n\t\t\t\t_, err = conn.Write(data)\n\t\t\t\tif err != nil {\n\t\t\t\t\tt.Log(err)\n\t\t\t\t}\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}()\n}\n\nfunc runEchoWSService(t *testing.T, l net.Listener) {\n\tupgrader := gorillaWS.Upgrader{\n\t\tReadBufferSize: 10,\n\t\tWriteBufferSize: 10,\n\t}\n\n\tws := func(w http.ResponseWriter, r *http.Request) {\n\t\theader := make(http.Header)\n\t\tfor k, vs := range r.Header {\n\t\t\tif k == \"Test-Cloudflared-Echo\" {\n\t\t\t\theader[k] = vs\n\t\t\t}\n\t\t}\n\t\tconn, err := upgrader.Upgrade(w, r, header)\n\t\tif err != nil {\n\t\t\tt.Log(err)\n\t\t\treturn\n\t\t}\n\t\tdefer conn.Close()\n\n\t\tfor {\n\t\t\tmessageType, p, err := conn.ReadMessage()\n\t\t\tif err != nil {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tdata := []byte(\"echo-\")\n\t\t\tdata = append(data, p...)\n\t\t\tif err := conn.WriteMessage(messageType, data); err != nil {\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}\n\n\t// nolint: gosec\n\tserver := http.Server{\n\t\tHandler: http.HandlerFunc(ws),\n\t}\n\n\tgo func() {\n\t\terr := server.Serve(l)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t}()\n}\n" }, { "path": "quic/constants.go", "content": "package quic\n\nimport \"time\"\n\nconst (\n\tHandshakeIdleTimeout = 5 * time.Second\n\tMaxIdleTimeout = 5 * time.Second\n\tMaxIdlePingPeriod = 1 * time.Second\n\n\t// MaxIncomingStreams is 2^60, which is the maximum supported value by Quic-Go\n\tMaxIncomingStreams = 1 << 60\n)\n" }, { "path": "quic/conversion.go", "content": "package quic\n\nimport (\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/quic-go/quic-go/logging\"\n)\n\n// Helper to convert logging.ByteCount(alias for int64) to float64 used in prometheus\nfunc byteCountToPromCount(count logging.ByteCount) float64 {\n\treturn float64(count)\n}\n\n// Helper to convert Duration to float64 used in prometheus\nfunc durationToPromGauge(duration time.Duration) float64 {\n\treturn float64(duration.Milliseconds())\n}\n\n// Helper to convert https://pkg.go.dev/github.com/quic-go/quic-go@v0.23.0/logging#PacketType into string\nfunc packetTypeString(pt logging.PacketType) string {\n\tswitch pt {\n\tcase logging.PacketTypeInitial:\n\t\treturn \"initial\"\n\tcase logging.PacketTypeHandshake:\n\t\treturn \"handshake\"\n\tcase logging.PacketTypeRetry:\n\t\treturn \"retry\"\n\tcase logging.PacketType0RTT:\n\t\treturn \"0_rtt\"\n\tcase logging.PacketTypeVersionNegotiation:\n\t\treturn \"version_negotiation\"\n\tcase logging.PacketType1RTT:\n\t\treturn \"1_rtt\"\n\tcase logging.PacketTypeStatelessReset:\n\t\treturn \"stateless_reset\"\n\tcase logging.PacketTypeNotDetermined:\n\t\treturn \"undetermined\"\n\tdefault:\n\t\treturn \"unknown_packet_type\"\n\t}\n}\n\n// Helper to convert https://pkg.go.dev/github.com/quic-go/quic-go@v0.23.0/logging#PacketDropReason into string\nfunc packetDropReasonString(reason logging.PacketDropReason) string {\n\tswitch reason {\n\tcase logging.PacketDropKeyUnavailable:\n\t\treturn \"key_unavailable\"\n\tcase logging.PacketDropUnknownConnectionID:\n\t\treturn \"unknown_conn_id\"\n\tcase logging.PacketDropHeaderParseError:\n\t\treturn \"header_parse_err\"\n\tcase logging.PacketDropPayloadDecryptError:\n\t\treturn \"payload_decrypt_err\"\n\tcase logging.PacketDropProtocolViolation:\n\t\treturn \"protocol_violation\"\n\tcase logging.PacketDropDOSPrevention:\n\t\treturn \"dos_prevention\"\n\tcase logging.PacketDropUnsupportedVersion:\n\t\treturn \"unsupported_version\"\n\tcase logging.PacketDropUnexpectedPacket:\n\t\treturn \"unexpected_packet\"\n\tcase logging.PacketDropUnexpectedSourceConnectionID:\n\t\treturn \"unexpected_src_conn_id\"\n\tcase logging.PacketDropUnexpectedVersion:\n\t\treturn \"unexpected_version\"\n\tcase logging.PacketDropDuplicate:\n\t\treturn \"duplicate\"\n\tdefault:\n\t\treturn \"unknown_reason\"\n\t}\n}\n\n// Helper to convert https://pkg.go.dev/github.com/quic-go/quic-go@v0.23.0/logging#PacketLossReason into string\nfunc packetLossReasonString(reason logging.PacketLossReason) string {\n\tswitch reason {\n\tcase logging.PacketLossReorderingThreshold:\n\t\treturn \"reordering\"\n\tcase logging.PacketLossTimeThreshold:\n\t\treturn \"timeout\"\n\tdefault:\n\t\treturn \"unknown_loss_reason\"\n\t}\n}\n\nfunc uint8ToString(input uint8) string {\n\treturn strconv.FormatUint(uint64(input), 10)\n}\n" }, { "path": "quic/datagram.go", "content": "package quic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\nconst (\n\tsessionIDLen = len(uuid.UUID{})\n)\n\ntype BaseDatagramMuxer interface {\n\t// SendToSession suffix the session ID to the payload so the other end of the QUIC connection can demultiplex the\n\t// payload from multiple datagram sessions.\n\tSendToSession(session *packet.Session) error\n\t// ServeReceive starts a loop to receive datagrams from the QUIC connection\n\tServeReceive(ctx context.Context) error\n}\n\ntype DatagramMuxer struct {\n\tsession quic.Connection\n\tlogger *zerolog.Logger\n\tdemuxChan chan<- *packet.Session\n}\n\nfunc NewDatagramMuxer(quicSession quic.Connection, log *zerolog.Logger, demuxChan chan<- *packet.Session) *DatagramMuxer {\n\tlogger := log.With().Uint8(\"datagramVersion\", 1).Logger()\n\treturn &DatagramMuxer{\n\t\tsession: quicSession,\n\t\tlogger: &logger,\n\t\tdemuxChan: demuxChan,\n\t}\n}\n\n// Maximum application payload to send to / receive from QUIC datagram frame\nfunc (dm *DatagramMuxer) mtu() int {\n\treturn maxDatagramPayloadSize\n}\n\nfunc (dm *DatagramMuxer) SendToSession(session *packet.Session) error {\n\tif len(session.Payload) > dm.mtu() {\n\t\tpacketTooBigDropped.Inc()\n\t\treturn fmt.Errorf(\"origin UDP payload has %d bytes, which exceeds transport MTU %d\", len(session.Payload), dm.mtu())\n\t}\n\tpayloadWithMetadata, err := SuffixSessionID(session.ID, session.Payload)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Failed to suffix session ID to datagram, it will be dropped\")\n\t}\n\tif err := dm.session.SendDatagram(payloadWithMetadata); err != nil {\n\t\treturn errors.Wrap(err, \"Failed to send datagram back to edge\")\n\t}\n\treturn nil\n}\n\nfunc (dm *DatagramMuxer) ServeReceive(ctx context.Context) error {\n\tfor {\n\t\t// Extracts datagram session ID, then sends the session ID and payload to receiver\n\t\t// which determines how to proxy to the origin. It assumes the datagram session has already been\n\t\t// registered with receiver through other side channel\n\t\tmsg, err := dm.session.ReceiveDatagram(ctx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := dm.demux(ctx, msg); err != nil {\n\t\t\tdm.logger.Error().Err(err).Msg(\"Failed to demux datagram\")\n\t\t\tif err == context.Canceled {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc (dm *DatagramMuxer) demux(ctx context.Context, msg []byte) error {\n\tsessionID, payload, err := extractSessionID(msg)\n\tif err != nil {\n\t\treturn err\n\t}\n\tsessionDatagram := packet.Session{\n\t\tID: sessionID,\n\t\tPayload: payload,\n\t}\n\tselect {\n\tcase dm.demuxChan <- &sessionDatagram:\n\t\treturn nil\n\tcase <-ctx.Done():\n\t\treturn ctx.Err()\n\t}\n}\n\n// Each QUIC datagram should be suffixed with session ID.\n// extractSessionID extracts the session ID and a slice with only the payload\nfunc extractSessionID(b []byte) (uuid.UUID, []byte, error) {\n\tmsgLen := len(b)\n\tif msgLen < sessionIDLen {\n\t\treturn uuid.Nil, nil, fmt.Errorf(\"session ID has %d bytes, but data only has %d\", sessionIDLen, len(b))\n\t}\n\t// Parse last 16 bytess as UUID and remove it from slice\n\tsessionID, err := uuid.FromBytes(b[len(b)-sessionIDLen:])\n\tif err != nil {\n\t\treturn uuid.Nil, nil, err\n\t}\n\tb = b[:len(b)-sessionIDLen]\n\treturn sessionID, b, nil\n}\n\n// SuffixSessionID appends the session ID at the end of the payload. Suffix is more performant than prefix because\n// the payload slice might already have enough capacity to append the session ID at the end\nfunc SuffixSessionID(sessionID uuid.UUID, b []byte) ([]byte, error) {\n\treturn suffixMetadata(b, sessionID[:])\n}\n\nfunc suffixMetadata(payload, metadata []byte) ([]byte, error) {\n\tif len(payload)+len(metadata) > MaxDatagramFrameSize {\n\t\treturn nil, fmt.Errorf(\"datagram size exceed %d\", MaxDatagramFrameSize)\n\t}\n\treturn append(payload, metadata...), nil\n}\n" }, { "path": "quic/datagram_test.go", "content": "package quic\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"math/big\"\n\t\"net\"\n\t\"net/netip\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/gopacket/layers\"\n\t\"github.com/google/uuid\"\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/icmp\"\n\t\"golang.org/x/net/ipv4\"\n\t\"golang.org/x/sync/errgroup\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n)\n\nvar (\n\ttestSessionID = uuid.New()\n)\n\nfunc TestSuffixThenRemoveSessionID(t *testing.T) {\n\tmsg := []byte(t.Name())\n\tmsgWithID, err := SuffixSessionID(testSessionID, msg)\n\trequire.NoError(t, err)\n\trequire.Len(t, msgWithID, len(msg)+sessionIDLen)\n\n\tsessionID, msgWithoutID, err := extractSessionID(msgWithID)\n\trequire.NoError(t, err)\n\trequire.Equal(t, msg, msgWithoutID)\n\trequire.Equal(t, testSessionID, sessionID)\n}\n\nfunc TestRemoveSessionIDError(t *testing.T) {\n\t// message is too short to contain session ID\n\tmsg := []byte(\"test\")\n\t_, _, err := extractSessionID(msg)\n\trequire.Error(t, err)\n}\n\nfunc TestSuffixSessionIDError(t *testing.T) {\n\tmsg := make([]byte, MaxDatagramFrameSize-sessionIDLen)\n\t_, err := SuffixSessionID(testSessionID, msg)\n\trequire.NoError(t, err)\n\n\tmsg = make([]byte, MaxDatagramFrameSize-sessionIDLen+1)\n\t_, err = SuffixSessionID(testSessionID, msg)\n\trequire.Error(t, err)\n}\n\nfunc TestDatagram(t *testing.T) {\n\tmaxPayload := make([]byte, maxDatagramPayloadSize)\n\tnoPayloadSession := uuid.New()\n\tmaxPayloadSession := uuid.New()\n\tsessionToPayload := []*packet.Session{\n\t\t{\n\t\t\tID: noPayloadSession,\n\t\t\tPayload: make([]byte, 0),\n\t\t},\n\t\t{\n\t\t\tID: maxPayloadSession,\n\t\t\tPayload: maxPayload,\n\t\t},\n\t}\n\n\tpackets := []packet.ICMP{\n\t\t{\n\t\t\tIP: &packet.IP{\n\t\t\t\tSrc: netip.MustParseAddr(\"172.16.0.1\"),\n\t\t\t\tDst: netip.MustParseAddr(\"192.168.0.1\"),\n\t\t\t\tProtocol: layers.IPProtocolICMPv4,\n\t\t\t},\n\t\t\tMessage: &icmp.Message{\n\t\t\t\tType: ipv4.ICMPTypeTimeExceeded,\n\t\t\t\tCode: 0,\n\t\t\t\tBody: &icmp.TimeExceeded{\n\t\t\t\t\tData: []byte(\"original packet\"),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tIP: &packet.IP{\n\t\t\t\tSrc: netip.MustParseAddr(\"172.16.0.2\"),\n\t\t\t\tDst: netip.MustParseAddr(\"192.168.0.2\"),\n\t\t\t\tProtocol: layers.IPProtocolICMPv4,\n\t\t\t},\n\t\t\tMessage: &icmp.Message{\n\t\t\t\tType: ipv4.ICMPTypeEcho,\n\t\t\t\tCode: 0,\n\t\t\t\tBody: &icmp.Echo{\n\t\t\t\t\tID: 6182,\n\t\t\t\t\tSeq: 9151,\n\t\t\t\t\tData: []byte(\"Test ICMP echo\"),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\ttestDatagram(t, 1, sessionToPayload, nil)\n\ttestDatagram(t, 2, sessionToPayload, packets)\n}\n\nfunc testDatagram(t *testing.T, version uint8, sessionToPayloads []*packet.Session, packets []packet.ICMP) {\n\tquicConfig := &quic.Config{\n\t\tKeepAlivePeriod: 5 * time.Millisecond,\n\t\tEnableDatagrams: true,\n\t}\n\tquicListener := newQUICListener(t, quicConfig)\n\tdefer quicListener.Close()\n\n\tlogger := zerolog.Nop()\n\n\ttracingIdentity, err := tracing.NewIdentity(\"ec31ad8a01fde11fdcabe2efdce36873:52726f6cabc144f5:0:1\")\n\trequire.NoError(t, err)\n\tserializedTracingID, err := tracingIdentity.MarshalBinary()\n\trequire.NoError(t, err)\n\ttracingSpan := &TracingSpanPacket{\n\t\tSpans: []byte(\"tracing\"),\n\t\tTracingIdentity: serializedTracingID,\n\t}\n\n\terrGroup, ctx := errgroup.WithContext(context.Background())\n\t// Run edge side of datagram muxer\n\terrGroup.Go(func() error {\n\t\t// Accept quic connection\n\t\tquicSession, err := quicListener.Accept(ctx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tsessionDemuxChan := make(chan *packet.Session, 16)\n\n\t\tswitch version {\n\t\tcase 1:\n\t\t\tmuxer := NewDatagramMuxer(quicSession, &logger, sessionDemuxChan)\n\t\t\tmuxer.ServeReceive(ctx)\n\t\tcase 2:\n\t\t\tmuxer := NewDatagramMuxerV2(quicSession, &logger, sessionDemuxChan)\n\t\t\tmuxer.ServeReceive(ctx)\n\n\t\t\tfor _, pk := range packets {\n\t\t\t\treceived, err := muxer.ReceivePacket(ctx)\n\t\t\t\trequire.NoError(t, err)\n\t\t\t\tvalidateIPPacket(t, received, &pk)\n\t\t\t\treceived, err = muxer.ReceivePacket(ctx)\n\t\t\t\trequire.NoError(t, err)\n\t\t\t\tvalidateIPPacketWithTracing(t, received, &pk, serializedTracingID)\n\t\t\t}\n\t\t\treceived, err := muxer.ReceivePacket(ctx)\n\t\t\trequire.NoError(t, err)\n\t\t\tvalidateTracingSpans(t, received, tracingSpan)\n\t\tdefault:\n\t\t\treturn fmt.Errorf(\"unknown datagram version %d\", version)\n\t\t}\n\n\t\tfor _, expectedPayload := range sessionToPayloads {\n\t\t\tactualPayload := <-sessionDemuxChan\n\t\t\trequire.Equal(t, expectedPayload, actualPayload)\n\t\t}\n\t\treturn nil\n\t})\n\n\tlargePayload := make([]byte, MaxDatagramFrameSize)\n\t// Run cloudflared side of datagram muxer\n\terrGroup.Go(func() error {\n\t\ttlsClientConfig := &tls.Config{\n\t\t\tInsecureSkipVerify: true,\n\t\t\tNextProtos: []string{\"argotunnel\"},\n\t\t}\n\t\tctx, cancel := context.WithCancel(context.Background())\n\t\tdefer cancel()\n\n\t\t// https://github.com/quic-go/quic-go/issues/3793 MTU discovery is disabled on OSX for dual stack listeners\n\t\tudpConn, err := net.ListenUDP(\"udp4\", &net.UDPAddr{IP: net.IPv4zero, Port: 0})\n\t\trequire.NoError(t, err)\n\t\t// Establish quic connection\n\t\tquicSession, err := quic.DialEarly(ctx, udpConn, quicListener.Addr(), tlsClientConfig, quicConfig)\n\t\trequire.NoError(t, err)\n\t\tdefer quicSession.CloseWithError(0, \"\")\n\n\t\t// Wait a few milliseconds for MTU discovery to take place\n\t\ttime.Sleep(time.Millisecond * 100)\n\n\t\tvar muxer BaseDatagramMuxer\n\t\tswitch version {\n\t\tcase 1:\n\t\t\tmuxer = NewDatagramMuxer(quicSession, &logger, nil)\n\t\tcase 2:\n\t\t\tmuxerV2 := NewDatagramMuxerV2(quicSession, &logger, nil)\n\t\t\tencoder := packet.NewEncoder()\n\t\t\tfor _, pk := range packets {\n\t\t\t\tencodedPacket, err := encoder.Encode(&pk)\n\t\t\t\trequire.NoError(t, err)\n\t\t\t\trequire.NoError(t, muxerV2.SendPacket(RawPacket(encodedPacket)))\n\t\t\t\trequire.NoError(t, muxerV2.SendPacket(&TracedPacket{\n\t\t\t\t\tPacket: encodedPacket,\n\t\t\t\t\tTracingIdentity: serializedTracingID,\n\t\t\t\t}))\n\t\t\t}\n\t\t\trequire.NoError(t, muxerV2.SendPacket(tracingSpan))\n\t\t\t// Payload larger than transport MTU, should not be sent\n\t\t\trequire.Error(t, muxerV2.SendPacket(RawPacket{\n\t\t\t\tData: largePayload,\n\t\t\t}))\n\t\t\tmuxer = muxerV2\n\t\tdefault:\n\t\t\treturn fmt.Errorf(\"unknown datagram version %d\", version)\n\t\t}\n\n\t\tfor _, session := range sessionToPayloads {\n\t\t\trequire.NoError(t, muxer.SendToSession(session))\n\t\t}\n\t\t// Payload larger than transport MTU, should not be sent\n\t\trequire.Error(t, muxer.SendToSession(&packet.Session{\n\t\t\tID: testSessionID,\n\t\t\tPayload: largePayload,\n\t\t}))\n\n\t\t// Wait for edge to finish receiving the messages\n\t\ttime.Sleep(time.Millisecond * 100)\n\n\t\treturn nil\n\t})\n\n\trequire.NoError(t, errGroup.Wait())\n}\n\nfunc validateIPPacket(t *testing.T, receivedPacket Packet, expectedICMP *packet.ICMP) {\n\trequire.Equal(t, DatagramTypeIP, receivedPacket.Type())\n\trawPacket := receivedPacket.(RawPacket)\n\tdecoder := packet.NewICMPDecoder()\n\treceivedICMP, err := decoder.Decode(packet.RawPacket(rawPacket))\n\trequire.NoError(t, err)\n\tvalidateICMP(t, expectedICMP, receivedICMP)\n}\n\nfunc validateIPPacketWithTracing(t *testing.T, receivedPacket Packet, expectedICMP *packet.ICMP, serializedTracingID []byte) {\n\trequire.Equal(t, DatagramTypeIPWithTrace, receivedPacket.Type())\n\ttracedPacket := receivedPacket.(*TracedPacket)\n\tdecoder := packet.NewICMPDecoder()\n\treceivedICMP, err := decoder.Decode(tracedPacket.Packet)\n\trequire.NoError(t, err)\n\tvalidateICMP(t, expectedICMP, receivedICMP)\n\trequire.True(t, bytes.Equal(tracedPacket.TracingIdentity, serializedTracingID))\n}\n\nfunc validateICMP(t *testing.T, expected, actual *packet.ICMP) {\n\trequire.Equal(t, expected.IP, actual.IP)\n\trequire.Equal(t, expected.Type, actual.Type)\n\trequire.Equal(t, expected.Code, actual.Code)\n\trequire.Equal(t, expected.Body, actual.Body)\n}\n\nfunc validateTracingSpans(t *testing.T, receivedPacket Packet, expectedSpan *TracingSpanPacket) {\n\trequire.Equal(t, DatagramTypeTracingSpan, receivedPacket.Type())\n\ttracingSpans := receivedPacket.(*TracingSpanPacket)\n\trequire.Equal(t, tracingSpans, expectedSpan)\n}\n\nfunc newQUICListener(t *testing.T, config *quic.Config) *quic.Listener {\n\t// Create a simple tls config.\n\ttlsConfig := generateTLSConfig()\n\n\tlistener, err := quic.ListenAddr(\"127.0.0.1:0\", tlsConfig, config)\n\trequire.NoError(t, err)\n\n\treturn listener\n}\n\nfunc generateTLSConfig() *tls.Config {\n\tkey, err := rsa.GenerateKey(rand.Reader, 1024)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\ttemplate := x509.Certificate{SerialNumber: big.NewInt(1)}\n\tcertDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tkeyPEM := pem.EncodeToMemory(&pem.Block{Type: \"RSA PRIVATE KEY\", Bytes: x509.MarshalPKCS1PrivateKey(key)})\n\tcertPEM := pem.EncodeToMemory(&pem.Block{Type: \"CERTIFICATE\", Bytes: certDER})\n\n\ttlsCert, err := tls.X509KeyPair(certPEM, keyPEM)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn &tls.Config{\n\t\tCertificates: []tls.Certificate{tlsCert},\n\t\tNextProtos: []string{\"argotunnel\"},\n\t}\n}\n" }, { "path": "quic/datagramv2.go", "content": "package quic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/packet\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n)\n\ntype DatagramV2Type byte\n\nconst (\n\t// UDP payload\n\tDatagramTypeUDP DatagramV2Type = iota\n\t// Full IP packet\n\tDatagramTypeIP\n\t// DatagramTypeIP + tracing ID\n\tDatagramTypeIPWithTrace\n\t// Tracing spans in protobuf format\n\tDatagramTypeTracingSpan\n)\n\ntype Packet interface {\n\tType() DatagramV2Type\n\tPayload() []byte\n\tMetadata() []byte\n}\n\nconst (\n\ttypeIDLen = 1\n\t// Same as sessionDemuxChan capacity\n\tpacketChanCapacity = 128\n)\n\nfunc SuffixType(b []byte, datagramType DatagramV2Type) ([]byte, error) {\n\tif len(b)+typeIDLen > MaxDatagramFrameSize {\n\t\treturn nil, fmt.Errorf(\"datagram size %d exceeds max frame size %d\", len(b), MaxDatagramFrameSize)\n\t}\n\tb = append(b, byte(datagramType))\n\treturn b, nil\n}\n\n// Maximum application payload to send to / receive from QUIC datagram frame\nfunc (dm *DatagramMuxerV2) mtu() int {\n\treturn maxDatagramPayloadSize\n}\n\ntype DatagramMuxerV2 struct {\n\tsession quic.Connection\n\tlogger *zerolog.Logger\n\tsessionDemuxChan chan<- *packet.Session\n\tpacketDemuxChan chan Packet\n}\n\nfunc NewDatagramMuxerV2(\n\tquicSession quic.Connection,\n\tlog *zerolog.Logger,\n\tsessionDemuxChan chan<- *packet.Session,\n) *DatagramMuxerV2 {\n\tlogger := log.With().Uint8(\"datagramVersion\", 2).Logger()\n\treturn &DatagramMuxerV2{\n\t\tsession: quicSession,\n\t\tlogger: &logger,\n\t\tsessionDemuxChan: sessionDemuxChan,\n\t\tpacketDemuxChan: make(chan Packet, packetChanCapacity),\n\t}\n}\n\n// SendToSession suffix the session ID and datagram version to the payload so the other end of the QUIC connection can\n// demultiplex the payload from multiple datagram sessions\nfunc (dm *DatagramMuxerV2) SendToSession(session *packet.Session) error {\n\tif len(session.Payload) > dm.mtu() {\n\t\tpacketTooBigDropped.Inc()\n\t\treturn fmt.Errorf(\"origin UDP payload has %d bytes, which exceeds transport MTU %d\", len(session.Payload), dm.mtu())\n\t}\n\tmsgWithID, err := SuffixSessionID(session.ID, session.Payload)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Failed to suffix session ID to datagram, it will be dropped\")\n\t}\n\tmsgWithIDAndType, err := SuffixType(msgWithID, DatagramTypeUDP)\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Failed to suffix datagram type, it will be dropped\")\n\t}\n\tif err := dm.session.SendDatagram(msgWithIDAndType); err != nil {\n\t\treturn errors.Wrap(err, \"Failed to send datagram back to edge\")\n\t}\n\treturn nil\n}\n\n// SendPacket sends a packet with datagram version in the suffix. If ctx is a TracedContext, it adds the tracing\n// context between payload and datagram version.\n// The other end of the QUIC connection can demultiplex by parsing the payload as IP and look at the source and destination.\nfunc (dm *DatagramMuxerV2) SendPacket(pk Packet) error {\n\tpayloadWithMetadata, err := suffixMetadata(pk.Payload(), pk.Metadata())\n\tif err != nil {\n\t\treturn err\n\t}\n\tpayloadWithMetadataAndType, err := SuffixType(payloadWithMetadata, pk.Type())\n\tif err != nil {\n\t\treturn errors.Wrap(err, \"Failed to suffix datagram type, it will be dropped\")\n\t}\n\tif err := dm.session.SendDatagram(payloadWithMetadataAndType); err != nil {\n\t\treturn errors.Wrap(err, \"Failed to send datagram back to edge\")\n\t}\n\treturn nil\n}\n\n// Demux reads datagrams from the QUIC connection and demuxes depending on whether it's a session or packet\nfunc (dm *DatagramMuxerV2) ServeReceive(ctx context.Context) error {\n\tfor {\n\t\tmsg, err := dm.session.ReceiveDatagram(ctx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := dm.demux(ctx, msg); err != nil {\n\t\t\tdm.logger.Error().Err(err).Msg(\"Failed to demux datagram\")\n\t\t\tif err == context.Canceled {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc (dm *DatagramMuxerV2) ReceivePacket(ctx context.Context) (pk Packet, err error) {\n\tselect {\n\tcase <-ctx.Done():\n\t\treturn nil, ctx.Err()\n\tcase pk := <-dm.packetDemuxChan:\n\t\treturn pk, nil\n\t}\n}\n\nfunc (dm *DatagramMuxerV2) demux(ctx context.Context, msgWithType []byte) error {\n\tif len(msgWithType) < typeIDLen {\n\t\treturn fmt.Errorf(\"QUIC datagram should have at least %d byte\", typeIDLen)\n\t}\n\tmsgType := DatagramV2Type(msgWithType[len(msgWithType)-typeIDLen])\n\tmsg := msgWithType[0 : len(msgWithType)-typeIDLen]\n\tswitch msgType {\n\tcase DatagramTypeUDP:\n\t\treturn dm.handleSession(ctx, msg)\n\tdefault:\n\t\treturn dm.handlePacket(ctx, msg, msgType)\n\t}\n}\n\nfunc (dm *DatagramMuxerV2) handleSession(ctx context.Context, session []byte) error {\n\tsessionID, payload, err := extractSessionID(session)\n\tif err != nil {\n\t\treturn err\n\t}\n\tsessionDatagram := packet.Session{\n\t\tID: sessionID,\n\t\tPayload: payload,\n\t}\n\tselect {\n\tcase dm.sessionDemuxChan <- &sessionDatagram:\n\t\treturn nil\n\tcase <-ctx.Done():\n\t\treturn ctx.Err()\n\t}\n}\n\nfunc (dm *DatagramMuxerV2) handlePacket(ctx context.Context, pk []byte, msgType DatagramV2Type) error {\n\tvar demuxedPacket Packet\n\tswitch msgType {\n\tcase DatagramTypeIP:\n\t\tdemuxedPacket = RawPacket(packet.RawPacket{Data: pk})\n\tcase DatagramTypeIPWithTrace:\n\t\ttracingIdentity, payload, err := extractTracingIdentity(pk)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdemuxedPacket = &TracedPacket{\n\t\t\tPacket: packet.RawPacket{Data: payload},\n\t\t\tTracingIdentity: tracingIdentity,\n\t\t}\n\tcase DatagramTypeTracingSpan:\n\t\ttracingIdentity, spans, err := extractTracingIdentity(pk)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdemuxedPacket = &TracingSpanPacket{\n\t\t\tSpans: spans,\n\t\t\tTracingIdentity: tracingIdentity,\n\t\t}\n\tdefault:\n\t\treturn fmt.Errorf(\"Unexpected datagram type %d\", msgType)\n\t}\n\tselect {\n\tcase <-ctx.Done():\n\t\treturn ctx.Err()\n\tcase dm.packetDemuxChan <- demuxedPacket:\n\t\treturn nil\n\t}\n}\n\nfunc extractTracingIdentity(pk []byte) (tracingIdentity []byte, payload []byte, err error) {\n\tif len(pk) < tracing.IdentityLength {\n\t\treturn nil, nil, fmt.Errorf(\"packet with tracing context should have at least %d bytes, got %v\", tracing.IdentityLength, pk)\n\t}\n\ttracingIdentity = pk[len(pk)-tracing.IdentityLength:]\n\tpayload = pk[:len(pk)-tracing.IdentityLength]\n\treturn tracingIdentity, payload, nil\n}\n\ntype RawPacket packet.RawPacket\n\nfunc (rw RawPacket) Type() DatagramV2Type {\n\treturn DatagramTypeIP\n}\n\nfunc (rw RawPacket) Payload() []byte {\n\treturn rw.Data\n}\n\nfunc (rw RawPacket) Metadata() []byte {\n\treturn []byte{}\n}\n\ntype TracedPacket struct {\n\tPacket packet.RawPacket\n\tTracingIdentity []byte\n}\n\nfunc (tp *TracedPacket) Type() DatagramV2Type {\n\treturn DatagramTypeIPWithTrace\n}\n\nfunc (tp *TracedPacket) Payload() []byte {\n\treturn tp.Packet.Data\n}\n\nfunc (tp *TracedPacket) Metadata() []byte {\n\treturn tp.TracingIdentity\n}\n\ntype TracingSpanPacket struct {\n\tSpans []byte\n\tTracingIdentity []byte\n}\n\nfunc (tsp *TracingSpanPacket) Type() DatagramV2Type {\n\treturn DatagramTypeTracingSpan\n}\n\nfunc (tsp *TracingSpanPacket) Payload() []byte {\n\treturn tsp.Spans\n}\n\nfunc (tsp *TracingSpanPacket) Metadata() []byte {\n\treturn tsp.TracingIdentity\n}\n" }, { "path": "quic/metrics.go", "content": "package quic\n\nimport (\n\t\"reflect\"\n\t\"strings\"\n\t\"sync\"\n\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/quic-go/quic-go/logging\"\n\t\"github.com/rs/zerolog\"\n)\n\nconst (\n\tnamespace = \"quic\"\n\tConnectionIndexMetricLabel = \"conn_index\"\n\tframeTypeMetricLabel = \"frame_type\"\n\tpacketTypeMetricLabel = \"packet_type\"\n\treasonMetricLabel = \"reason\"\n)\n\nvar (\n\tclientMetrics = struct {\n\t\ttotalConnections prometheus.Counter\n\t\tclosedConnections prometheus.Counter\n\t\tmaxUDPPayloadSize *prometheus.GaugeVec\n\t\tsentFrames *prometheus.CounterVec\n\t\tsentBytes *prometheus.CounterVec\n\t\treceivedFrames *prometheus.CounterVec\n\t\treceivedBytes *prometheus.CounterVec\n\t\tbufferedPackets *prometheus.CounterVec\n\t\tdroppedPackets *prometheus.CounterVec\n\t\tlostPackets *prometheus.CounterVec\n\t\tminRTT *prometheus.GaugeVec\n\t\tlatestRTT *prometheus.GaugeVec\n\t\tsmoothedRTT *prometheus.GaugeVec\n\t\tmtu *prometheus.GaugeVec\n\t\tcongestionWindow *prometheus.GaugeVec\n\t\tcongestionState *prometheus.GaugeVec\n\t}{\n\t\ttotalConnections: prometheus.NewCounter(\n\t\t\tprometheus.CounterOpts{ //nolint:promlinter\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"total_connections\",\n\t\t\t\tHelp: \"Number of connections initiated\",\n\t\t\t},\n\t\t),\n\t\tclosedConnections: prometheus.NewCounter(\n\t\t\tprometheus.CounterOpts{ //nolint:promlinter\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"closed_connections\",\n\t\t\t\tHelp: \"Number of connections that has been closed\",\n\t\t\t},\n\t\t),\n\t\tmaxUDPPayloadSize: prometheus.NewGaugeVec(\n\t\t\tprometheus.GaugeOpts{\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"max_udp_payload\",\n\t\t\t\tHelp: \"Maximum UDP payload size in bytes for a QUIC packet\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel},\n\t\t),\n\t\tsentFrames: prometheus.NewCounterVec(\n\t\t\tprometheus.CounterOpts{ //nolint:promlinter\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"sent_frames\",\n\t\t\t\tHelp: \"Number of frames that have been sent through a connection\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel, frameTypeMetricLabel},\n\t\t),\n\t\tsentBytes: prometheus.NewCounterVec(\n\t\t\tprometheus.CounterOpts{ //nolint:promlinter\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"sent_bytes\",\n\t\t\t\tHelp: \"Number of bytes that have been sent through a connection\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel},\n\t\t),\n\t\treceivedFrames: prometheus.NewCounterVec(\n\t\t\tprometheus.CounterOpts{ //nolint:promlinter\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"received_frames\",\n\t\t\t\tHelp: \"Number of frames that have been received through a connection\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel, frameTypeMetricLabel},\n\t\t),\n\t\treceivedBytes: prometheus.NewCounterVec(\n\t\t\tprometheus.CounterOpts{ //nolint:promlinter\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"receive_bytes\",\n\t\t\t\tHelp: \"Number of bytes that have been received through a connection\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel},\n\t\t),\n\t\tbufferedPackets: prometheus.NewCounterVec(\n\t\t\tprometheus.CounterOpts{ //nolint:promlinter\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"buffered_packets\",\n\t\t\t\tHelp: \"Number of bytes that have been buffered on a connection\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel, packetTypeMetricLabel},\n\t\t),\n\t\tdroppedPackets: prometheus.NewCounterVec(\n\t\t\tprometheus.CounterOpts{ //nolint:promlinter\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"dropped_packets\",\n\t\t\t\tHelp: \"Number of bytes that have been dropped on a connection\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel, packetTypeMetricLabel, reasonMetricLabel},\n\t\t),\n\t\tlostPackets: prometheus.NewCounterVec(\n\t\t\tprometheus.CounterOpts{ //nolint:promlinter\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"lost_packets\",\n\t\t\t\tHelp: \"Number of packets that have been lost from a connection\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel, reasonMetricLabel},\n\t\t),\n\t\tminRTT: prometheus.NewGaugeVec(\n\t\t\tprometheus.GaugeOpts{\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"min_rtt\",\n\t\t\t\tHelp: \"Lowest RTT measured on a connection in millisec\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel},\n\t\t),\n\t\tlatestRTT: prometheus.NewGaugeVec(\n\t\t\tprometheus.GaugeOpts{\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"latest_rtt\",\n\t\t\t\tHelp: \"Latest RTT measured on a connection\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel},\n\t\t),\n\t\tsmoothedRTT: prometheus.NewGaugeVec(\n\t\t\tprometheus.GaugeOpts{\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"smoothed_rtt\",\n\t\t\t\tHelp: \"Calculated smoothed RTT measured on a connection in millisec\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel},\n\t\t),\n\t\tmtu: prometheus.NewGaugeVec(\n\t\t\tprometheus.GaugeOpts{\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"mtu\",\n\t\t\t\tHelp: \"Current maximum transmission unit (MTU) of a connection\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel},\n\t\t),\n\t\tcongestionWindow: prometheus.NewGaugeVec(\n\t\t\tprometheus.GaugeOpts{\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"congestion_window\",\n\t\t\t\tHelp: \"Current congestion window size\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel},\n\t\t),\n\t\tcongestionState: prometheus.NewGaugeVec(\n\t\t\tprometheus.GaugeOpts{\n\t\t\t\tNamespace: namespace,\n\t\t\t\tSubsystem: \"client\",\n\t\t\t\tName: \"congestion_state\",\n\t\t\t\tHelp: \"Current congestion control state. See https://pkg.go.dev/github.com/quic-go/quic-go@v0.45.0/logging#CongestionState for what each value maps to\",\n\t\t\t},\n\t\t\t[]string{ConnectionIndexMetricLabel},\n\t\t),\n\t}\n\n\tregisterClient = sync.Once{}\n\n\tpacketTooBigDropped = prometheus.NewCounter(prometheus.CounterOpts{ //nolint:promlinter\n\t\tNamespace: namespace,\n\t\tSubsystem: \"client\",\n\t\tName: \"packet_too_big_dropped\",\n\t\tHelp: \"Count of packets received from origin that are too big to send to the edge and are dropped as a result\",\n\t})\n)\n\ntype clientCollector struct {\n\tindex string\n\tlogger *zerolog.Logger\n}\n\nfunc newClientCollector(index string, logger *zerolog.Logger) *clientCollector {\n\tregisterClient.Do(func() {\n\t\tprometheus.MustRegister(\n\t\t\tclientMetrics.totalConnections,\n\t\t\tclientMetrics.closedConnections,\n\t\t\tclientMetrics.maxUDPPayloadSize,\n\t\t\tclientMetrics.sentFrames,\n\t\t\tclientMetrics.sentBytes,\n\t\t\tclientMetrics.receivedFrames,\n\t\t\tclientMetrics.receivedBytes,\n\t\t\tclientMetrics.bufferedPackets,\n\t\t\tclientMetrics.droppedPackets,\n\t\t\tclientMetrics.lostPackets,\n\t\t\tclientMetrics.minRTT,\n\t\t\tclientMetrics.latestRTT,\n\t\t\tclientMetrics.smoothedRTT,\n\t\t\tclientMetrics.mtu,\n\t\t\tclientMetrics.congestionWindow,\n\t\t\tclientMetrics.congestionState,\n\t\t\tpacketTooBigDropped,\n\t\t)\n\t})\n\n\treturn &clientCollector{\n\t\tindex: index,\n\t\tlogger: logger,\n\t}\n}\n\nfunc (cc *clientCollector) startedConnection() {\n\tclientMetrics.totalConnections.Inc()\n}\n\nfunc (cc *clientCollector) closedConnection(error) {\n\tclientMetrics.closedConnections.Inc()\n}\n\nfunc (cc *clientCollector) receivedTransportParameters(params *logging.TransportParameters) {\n\tclientMetrics.maxUDPPayloadSize.WithLabelValues(cc.index).Set(float64(params.MaxUDPPayloadSize))\n\tcc.logger.Debug().Msgf(\"Received transport parameters: MaxUDPPayloadSize=%d, MaxIdleTimeout=%v, MaxDatagramFrameSize=%d\", params.MaxUDPPayloadSize, params.MaxIdleTimeout, params.MaxDatagramFrameSize)\n}\n\nfunc (cc *clientCollector) sentPackets(size logging.ByteCount, frames []logging.Frame) {\n\tcc.collectPackets(size, frames, clientMetrics.sentFrames, clientMetrics.sentBytes, sent)\n}\n\nfunc (cc *clientCollector) receivedPackets(size logging.ByteCount, frames []logging.Frame) {\n\tcc.collectPackets(size, frames, clientMetrics.receivedFrames, clientMetrics.receivedBytes, received)\n}\n\nfunc (cc *clientCollector) bufferedPackets(packetType logging.PacketType) {\n\tclientMetrics.bufferedPackets.WithLabelValues(cc.index, packetTypeString(packetType)).Inc()\n}\n\nfunc (cc *clientCollector) droppedPackets(packetType logging.PacketType, size logging.ByteCount, reason logging.PacketDropReason) {\n\tclientMetrics.droppedPackets.WithLabelValues(\n\t\tcc.index,\n\t\tpacketTypeString(packetType),\n\t\tpacketDropReasonString(reason),\n\t).Add(byteCountToPromCount(size))\n}\n\nfunc (cc *clientCollector) lostPackets(reason logging.PacketLossReason) {\n\tclientMetrics.lostPackets.WithLabelValues(cc.index, packetLossReasonString(reason)).Inc()\n}\n\nfunc (cc *clientCollector) updatedRTT(rtt *logging.RTTStats) {\n\tclientMetrics.minRTT.WithLabelValues(cc.index).Set(durationToPromGauge(rtt.MinRTT()))\n\tclientMetrics.latestRTT.WithLabelValues(cc.index).Set(durationToPromGauge(rtt.LatestRTT()))\n\tclientMetrics.smoothedRTT.WithLabelValues(cc.index).Set(durationToPromGauge(rtt.SmoothedRTT()))\n}\n\nfunc (cc *clientCollector) updateCongestionWindow(size logging.ByteCount) {\n\tclientMetrics.congestionWindow.WithLabelValues(cc.index).Set(float64(size))\n}\n\nfunc (cc *clientCollector) updatedCongestionState(state logging.CongestionState) {\n\tclientMetrics.congestionState.WithLabelValues(cc.index).Set(float64(state))\n}\n\nfunc (cc *clientCollector) updateMTU(mtu logging.ByteCount) {\n\tclientMetrics.mtu.WithLabelValues(cc.index).Set(float64(mtu))\n\tcc.logger.Debug().Msgf(\"QUIC MTU updated to %d\", mtu)\n}\n\nfunc (cc *clientCollector) collectPackets(size logging.ByteCount, frames []logging.Frame, counter, bandwidth *prometheus.CounterVec, direction direction) {\n\tfor _, frame := range frames {\n\t\tswitch f := frame.(type) {\n\t\tcase logging.DataBlockedFrame:\n\t\t\tcc.logger.Debug().Msgf(\"%s data_blocked frame\", direction)\n\t\tcase logging.StreamDataBlockedFrame:\n\t\t\tcc.logger.Debug().Int64(\"streamID\", int64(f.StreamID)).Msgf(\"%s stream_data_blocked frame\", direction)\n\t\t}\n\t\tcounter.WithLabelValues(cc.index, frameName(frame)).Inc()\n\t}\n\tbandwidth.WithLabelValues(cc.index).Add(byteCountToPromCount(size))\n}\n\nfunc frameName(frame logging.Frame) string {\n\tif frame == nil {\n\t\treturn \"nil\"\n\t} else {\n\t\tname := reflect.TypeOf(frame).Elem().Name()\n\t\treturn strings.TrimSuffix(name, \"Frame\")\n\t}\n}\n\ntype direction uint8\n\nconst (\n\tsent direction = iota\n\treceived\n)\n\nfunc (d direction) String() string {\n\tif d == sent {\n\t\treturn \"sent\"\n\t}\n\treturn \"received\"\n}\n" }, { "path": "quic/param_unix.go", "content": "//go:build !windows\n\npackage quic\n\nconst (\n\tMaxDatagramFrameSize = 1350\n\t// maxDatagramPayloadSize is the maximum packet size allowed by warp client\n\tmaxDatagramPayloadSize = 1280\n)\n" }, { "path": "quic/param_windows.go", "content": "//go:build windows\n\npackage quic\n\nconst (\n\t// Due to https://github.com/quic-go/quic-go/issues/3273, MTU discovery is disabled on Windows\n\t// 1220 is the default value https://github.com/quic-go/quic-go/blob/84e03e59760ceee37359688871bb0688fcc4e98f/internal/protocol/params.go#L138\n\tMaxDatagramFrameSize = 1220\n\t// 3 more bytes are reserved at https://github.com/quic-go/quic-go/blob/v0.24.0/internal/wire/datagram_frame.go#L61\n\tmaxDatagramPayloadSize = MaxDatagramFrameSize - 3 - sessionIDLen - typeIDLen\n)\n" }, { "path": "quic/safe_stream.go", "content": "package quic\n\nimport (\n\t\"errors\"\n\t\"net\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/rs/zerolog/log\"\n)\n\n// The error that is throw by the writer when there is `no network activity`.\nvar idleTimeoutError = quic.IdleTimeoutError{}\n\ntype SafeStreamCloser struct {\n\tlock sync.Mutex\n\tstream quic.Stream\n\twriteTimeout time.Duration\n\tlog *zerolog.Logger\n\tclosing atomic.Bool\n}\n\nfunc NewSafeStreamCloser(stream quic.Stream, writeTimeout time.Duration, log *zerolog.Logger) *SafeStreamCloser {\n\treturn &SafeStreamCloser{\n\t\tstream: stream,\n\t\twriteTimeout: writeTimeout,\n\t\tlog: log,\n\t}\n}\n\nfunc (s *SafeStreamCloser) Read(p []byte) (n int, err error) {\n\treturn s.stream.Read(p)\n}\n\nfunc (s *SafeStreamCloser) Write(p []byte) (n int, err error) {\n\ts.lock.Lock()\n\tdefer s.lock.Unlock()\n\tif s.writeTimeout > 0 {\n\t\terr = s.stream.SetWriteDeadline(time.Now().Add(s.writeTimeout))\n\t\tif err != nil {\n\t\t\tlog.Err(err).Msg(\"Error setting write deadline for QUIC stream\")\n\t\t}\n\t}\n\tnBytes, err := s.stream.Write(p)\n\tif err != nil {\n\t\ts.handleWriteError(err)\n\t}\n\n\treturn nBytes, err\n}\n\n// Handles the timeout error in case it happened, by canceling the stream write.\nfunc (s *SafeStreamCloser) handleWriteError(err error) {\n\t// If we are closing the stream we just ignore any write error.\n\tif s.closing.Load() {\n\t\treturn\n\t}\n\tvar netErr net.Error\n\tif errors.As(err, &netErr) {\n\t\tif netErr.Timeout() {\n\t\t\t// We don't need to log if what cause the timeout was no network activity.\n\t\t\tif !errors.Is(netErr, &idleTimeoutError) {\n\t\t\t\ts.log.Error().Err(netErr).Msg(\"Closing quic stream due to timeout while writing\")\n\t\t\t}\n\t\t\t// We need to explicitly cancel the write so that it frees all buffers.\n\t\t\ts.stream.CancelWrite(0)\n\t\t}\n\t}\n}\n\nfunc (s *SafeStreamCloser) Close() error {\n\t// Set this stream to a closing state.\n\ts.closing.Store(true)\n\n\t// Make sure a possible writer does not block the lock forever. We need it, so we can close the writer\n\t// side of the stream safely.\n\t_ = s.stream.SetWriteDeadline(time.Now())\n\n\t// This lock is eventually acquired despite Write also acquiring it, because we set a deadline to writes.\n\ts.lock.Lock()\n\tdefer s.lock.Unlock()\n\n\t// We have to clean up the receiving stream ourselves since the Close in the bottom does not handle that.\n\ts.stream.CancelRead(0)\n\treturn s.stream.Close()\n}\n\nfunc (s *SafeStreamCloser) CloseWrite() error {\n\ts.lock.Lock()\n\tdefer s.lock.Unlock()\n\n\t// As documented by the quic-go library, this doesn't actually close the entire stream.\n\t// It prevents further writes, which in turn will result in an EOF signal being sent the other side of stream when\n\t// reading.\n\t// We can still read from this stream.\n\treturn s.stream.Close()\n}\n\nfunc (s *SafeStreamCloser) SetDeadline(deadline time.Time) error {\n\treturn s.stream.SetDeadline(deadline)\n}\n" }, { "path": "quic/safe_stream_test.go", "content": "package quic\n\nimport (\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"io\"\n\t\"math/big\"\n\t\"net\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nvar (\n\ttestTLSServerConfig = GenerateTLSConfig()\n\ttestQUICConfig = &quic.Config{\n\t\tKeepAlivePeriod: 5 * time.Second,\n\t\tEnableDatagrams: true,\n\t}\n\texchanges = 1000\n\tmsgsPerExchange = 10\n\ttestMsg = \"Ok message\"\n)\n\nfunc TestSafeStreamClose(t *testing.T) {\n\tudpAddr, err := net.ResolveUDPAddr(\"udp\", \"127.0.0.1:0\")\n\trequire.NoError(t, err)\n\tudpListener, err := net.ListenUDP(udpAddr.Network(), udpAddr)\n\trequire.NoError(t, err)\n\tdefer udpListener.Close()\n\n\tvar serverReady sync.WaitGroup\n\tserverReady.Add(1)\n\n\tvar done sync.WaitGroup\n\tdone.Add(1)\n\tgo func() {\n\t\tdefer done.Done()\n\t\tquicServer(t, &serverReady, udpListener)\n\t}()\n\n\tdone.Add(1)\n\tgo func() {\n\t\tserverReady.Wait()\n\t\tdefer done.Done()\n\t\tquicClient(t, udpListener.LocalAddr())\n\t}()\n\n\tdone.Wait()\n}\n\nfunc quicClient(t *testing.T, addr net.Addr) {\n\ttlsConf := &tls.Config{\n\t\tInsecureSkipVerify: true,\n\t\tNextProtos: []string{\"argotunnel\"},\n\t}\n\tctx, cancel := context.WithCancel(context.Background())\n\tdefer cancel()\n\tsession, err := quic.DialAddr(ctx, addr.String(), tlsConf, testQUICConfig)\n\trequire.NoError(t, err)\n\n\tvar wg sync.WaitGroup\n\tfor exchange := 0; exchange < exchanges; exchange++ {\n\t\tquicStream, err := session.AcceptStream(context.Background())\n\t\trequire.NoError(t, err)\n\t\twg.Add(1)\n\n\t\tgo func(iter int) {\n\t\t\tdefer wg.Done()\n\n\t\t\tlog := zerolog.Nop()\n\t\t\tstream := NewSafeStreamCloser(quicStream, 30*time.Second, &log)\n\t\t\tdefer stream.Close()\n\n\t\t\t// Do a bunch of round trips over this stream that should work.\n\t\t\tfor msg := 0; msg < msgsPerExchange; msg++ {\n\t\t\t\tclientRoundTrip(t, stream, true)\n\t\t\t}\n\t\t\t// And one that won't work necessarily, but shouldn't break other streams in the session.\n\t\t\tif iter%2 == 0 {\n\t\t\t\tclientRoundTrip(t, stream, false)\n\t\t\t}\n\t\t}(exchange)\n\t}\n\n\twg.Wait()\n}\n\nfunc quicServer(t *testing.T, serverReady *sync.WaitGroup, conn net.PacketConn) {\n\tctx, cancel := context.WithCancel(context.Background())\n\tdefer cancel()\n\n\tearlyListener, err := quic.Listen(conn, testTLSServerConfig, testQUICConfig)\n\trequire.NoError(t, err)\n\n\tserverReady.Done()\n\tsession, err := earlyListener.Accept(ctx)\n\trequire.NoError(t, err)\n\n\tvar wg sync.WaitGroup\n\tfor exchange := 0; exchange < exchanges; exchange++ {\n\t\tquicStream, err := session.OpenStreamSync(context.Background())\n\t\trequire.NoError(t, err)\n\t\twg.Add(1)\n\n\t\tgo func(iter int) {\n\t\t\tdefer wg.Done()\n\n\t\t\tlog := zerolog.Nop()\n\t\t\tstream := NewSafeStreamCloser(quicStream, 30*time.Second, &log)\n\t\t\tdefer stream.Close()\n\n\t\t\t// Do a bunch of round trips over this stream that should work.\n\t\t\tfor msg := 0; msg < msgsPerExchange; msg++ {\n\t\t\t\tserverRoundTrip(t, stream, true)\n\t\t\t}\n\t\t\t// And one that won't work necessarily, but shouldn't break other streams in the session.\n\t\t\tif iter%2 == 1 {\n\t\t\t\tserverRoundTrip(t, stream, false)\n\t\t\t}\n\t\t}(exchange)\n\t}\n\n\twg.Wait()\n}\n\nfunc clientRoundTrip(t *testing.T, stream io.ReadWriteCloser, mustWork bool) {\n\tresponse := make([]byte, len(testMsg))\n\t_, err := stream.Read(response)\n\tif !mustWork {\n\t\treturn\n\t}\n\tif err != io.EOF {\n\t\trequire.NoError(t, err)\n\t}\n\trequire.Equal(t, testMsg, string(response))\n}\n\nfunc serverRoundTrip(t *testing.T, stream io.ReadWriteCloser, mustWork bool) {\n\t_, err := stream.Write([]byte(testMsg))\n\tif !mustWork {\n\t\treturn\n\t}\n\trequire.NoError(t, err)\n}\n\n// GenerateTLSConfig sets up a bare-bones TLS config for a QUIC server\nfunc GenerateTLSConfig() *tls.Config {\n\tkey, err := rsa.GenerateKey(rand.Reader, 1024)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\ttemplate := x509.Certificate{SerialNumber: big.NewInt(1)}\n\tcertDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tkeyPEM := pem.EncodeToMemory(&pem.Block{Type: \"RSA PRIVATE KEY\", Bytes: x509.MarshalPKCS1PrivateKey(key)})\n\tcertPEM := pem.EncodeToMemory(&pem.Block{Type: \"CERTIFICATE\", Bytes: certDER})\n\n\ttlsCert, err := tls.X509KeyPair(certPEM, keyPEM)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn &tls.Config{\n\t\tCertificates: []tls.Certificate{tlsCert},\n\t\tNextProtos: []string{\"argotunnel\"},\n\t}\n}\n" }, { "path": "quic/tracing.go", "content": "package quic\n\nimport (\n\t\"context\"\n\t\"net\"\n\n\t\"github.com/quic-go/quic-go/logging\"\n\t\"github.com/rs/zerolog\"\n)\n\n// QUICTracer is a wrapper to create new quicConnTracer\ntype tracer struct {\n\tindex string\n\tlogger *zerolog.Logger\n}\n\nfunc NewClientTracer(logger *zerolog.Logger, index uint8) func(context.Context, logging.Perspective, logging.ConnectionID) *logging.ConnectionTracer {\n\tt := &tracer{\n\t\tindex: uint8ToString(index),\n\t\tlogger: logger,\n\t}\n\treturn t.TracerForConnection\n}\n\nfunc (t *tracer) TracerForConnection(_ctx context.Context, _p logging.Perspective, _odcid logging.ConnectionID) *logging.ConnectionTracer {\n\treturn newConnTracer(newClientCollector(t.index, t.logger))\n}\n\n// connTracer collects connection level metrics\ntype connTracer struct {\n\tmetricsCollector *clientCollector\n}\n\nfunc newConnTracer(metricsCollector *clientCollector) *logging.ConnectionTracer {\n\ttracer := connTracer{\n\t\tmetricsCollector: metricsCollector,\n\t}\n\treturn &logging.ConnectionTracer{\n\t\tStartedConnection: tracer.StartedConnection,\n\t\tClosedConnection: tracer.ClosedConnection,\n\t\tReceivedTransportParameters: tracer.ReceivedTransportParameters,\n\t\tSentLongHeaderPacket: tracer.SentLongHeaderPacket,\n\t\tSentShortHeaderPacket: tracer.SentShortHeaderPacket,\n\t\tReceivedLongHeaderPacket: tracer.ReceivedLongHeaderPacket,\n\t\tReceivedShortHeaderPacket: tracer.ReceivedShortHeaderPacket,\n\t\tBufferedPacket: tracer.BufferedPacket,\n\t\tDroppedPacket: tracer.DroppedPacket,\n\t\tUpdatedMetrics: tracer.UpdatedMetrics,\n\t\tLostPacket: tracer.LostPacket,\n\t\tUpdatedMTU: tracer.UpdatedMTU,\n\t\tUpdatedCongestionState: tracer.UpdatedCongestionState,\n\t}\n}\n\nfunc (ct *connTracer) StartedConnection(local, remote net.Addr, srcConnID, destConnID logging.ConnectionID) {\n\tct.metricsCollector.startedConnection()\n}\n\nfunc (ct *connTracer) ClosedConnection(err error) {\n\tct.metricsCollector.closedConnection(err)\n}\n\nfunc (ct *connTracer) ReceivedTransportParameters(params *logging.TransportParameters) {\n\tct.metricsCollector.receivedTransportParameters(params)\n}\n\nfunc (ct *connTracer) BufferedPacket(pt logging.PacketType, size logging.ByteCount) {\n\tct.metricsCollector.bufferedPackets(pt)\n}\n\nfunc (ct *connTracer) DroppedPacket(pt logging.PacketType, number logging.PacketNumber, size logging.ByteCount, reason logging.PacketDropReason) {\n\tct.metricsCollector.droppedPackets(pt, size, reason)\n}\n\nfunc (ct *connTracer) LostPacket(level logging.EncryptionLevel, number logging.PacketNumber, reason logging.PacketLossReason) {\n\tct.metricsCollector.lostPackets(reason)\n}\n\nfunc (ct *connTracer) UpdatedMetrics(rttStats *logging.RTTStats, cwnd, bytesInFlight logging.ByteCount, packetsInFlight int) {\n\tct.metricsCollector.updatedRTT(rttStats)\n\tct.metricsCollector.updateCongestionWindow(cwnd)\n}\n\nfunc (ct *connTracer) SentLongHeaderPacket(hdr *logging.ExtendedHeader, size logging.ByteCount, ecn logging.ECN, ack *logging.AckFrame, frames []logging.Frame) {\n\tct.metricsCollector.sentPackets(size, frames)\n}\n\nfunc (ct *connTracer) SentShortHeaderPacket(hdr *logging.ShortHeader, size logging.ByteCount, ecn logging.ECN, ack *logging.AckFrame, frames []logging.Frame) {\n\tct.metricsCollector.sentPackets(size, frames)\n}\n\nfunc (ct *connTracer) ReceivedLongHeaderPacket(hdr *logging.ExtendedHeader, size logging.ByteCount, ecn logging.ECN, frames []logging.Frame) {\n\tct.metricsCollector.receivedPackets(size, frames)\n}\n\nfunc (ct *connTracer) ReceivedShortHeaderPacket(hdr *logging.ShortHeader, size logging.ByteCount, ecn logging.ECN, frames []logging.Frame) {\n\tct.metricsCollector.receivedPackets(size, frames)\n}\n\nfunc (ct *connTracer) UpdatedMTU(mtu logging.ByteCount, done bool) {\n\tct.metricsCollector.updateMTU(mtu)\n}\n\nfunc (ct *connTracer) UpdatedCongestionState(state logging.CongestionState) {\n\tct.metricsCollector.updatedCongestionState(state)\n}\n" }, { "path": "quic/v3/datagram.go", "content": "package v3\n\nimport (\n\t\"encoding/binary\"\n\t\"net/netip\"\n\t\"time\"\n)\n\ntype DatagramType byte\n\nconst (\n\t// UDP Registration\n\tUDPSessionRegistrationType DatagramType = 0x0\n\t// UDP Session Payload\n\tUDPSessionPayloadType DatagramType = 0x1\n\t// DatagramTypeICMP (supporting both ICMPv4 and ICMPv6)\n\tICMPType DatagramType = 0x2\n\t// UDP Session Registration Response\n\tUDPSessionRegistrationResponseType DatagramType = 0x3\n)\n\nconst (\n\t// Total number of bytes representing the [DatagramType]\n\tdatagramTypeLen = 1\n\n\t// 1280 is the default datagram packet length used before MTU discovery: https://github.com/quic-go/quic-go/blob/v0.45.0/internal/protocol/params.go#L12\n\tmaxDatagramPayloadLen = 1280\n)\n\nfunc ParseDatagramType(data []byte) (DatagramType, error) {\n\tif len(data) < datagramTypeLen {\n\t\treturn 0, ErrDatagramHeaderTooSmall\n\t}\n\treturn DatagramType(data[0]), nil\n}\n\n// UDPSessionRegistrationDatagram handles a request to initialize a UDP session on the remote client.\ntype UDPSessionRegistrationDatagram struct {\n\tRequestID RequestID\n\tDest netip.AddrPort\n\tTraced bool\n\tIdleDurationHint time.Duration\n\tPayload []byte\n}\n\nconst (\n\tsessionRegistrationFlagsIPMask byte = 0b0000_0001\n\tsessionRegistrationFlagsTracedMask byte = 0b0000_0010\n\tsessionRegistrationFlagsBundledMask byte = 0b0000_0100\n\n\tsessionRegistrationIPv4DatagramHeaderLen = datagramTypeLen +\n\t\t1 + // Flag length\n\t\t2 + // Destination port length\n\t\t2 + // Idle duration seconds length\n\t\tdatagramRequestIdLen + // Request ID length\n\t\t4 // IPv4 address length\n\n\t// The IPv4 and IPv6 address share space, so adding 12 to the header length gets the space taken by the IPv6 field.\n\tsessionRegistrationIPv6DatagramHeaderLen = sessionRegistrationIPv4DatagramHeaderLen + 12\n)\n\n// The datagram structure for UDPSessionRegistrationDatagram is:\n//\n// 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n// 0| Type | Flags | Destination Port |\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n// 4| Idle Duration Seconds | |\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +\n// 8| |\n// + Session Identifier +\n// 12| (16 Bytes) |\n// + +\n// 16| |\n// + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n// 20| | Destination IPv4 Address |\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - - - - - - - -+\n// 24| Destination IPv4 Address cont | |\n// +- - - - - - - - - - - - - - - - +\n// 28| Destination IPv6 Address |\n// + (extension of IPv4 region) +\n// 32| |\n// + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n// 36| | |\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +\n// . .\n// . Bundle Payload .\n// . .\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n\nfunc (s *UDPSessionRegistrationDatagram) MarshalBinary() (data []byte, err error) {\n\tipv6 := s.Dest.Addr().Is6()\n\tvar flags byte\n\tif s.Traced {\n\t\tflags |= sessionRegistrationFlagsTracedMask\n\t}\n\thasPayload := len(s.Payload) > 0\n\tif hasPayload {\n\t\tflags |= sessionRegistrationFlagsBundledMask\n\t}\n\tvar maxPayloadLen int\n\tif ipv6 {\n\t\tmaxPayloadLen = maxDatagramPayloadLen + sessionRegistrationIPv6DatagramHeaderLen\n\t\tflags |= sessionRegistrationFlagsIPMask\n\t} else {\n\t\tmaxPayloadLen = maxDatagramPayloadLen + sessionRegistrationIPv4DatagramHeaderLen\n\t}\n\t// Make sure that the payload being bundled can actually fit in the payload destination\n\tif len(s.Payload) > maxPayloadLen {\n\t\treturn nil, wrapMarshalErr(ErrDatagramPayloadTooLarge)\n\t}\n\t// Allocate the buffer with the right size for the destination IP family\n\tif ipv6 {\n\t\tdata = make([]byte, sessionRegistrationIPv6DatagramHeaderLen+len(s.Payload))\n\t} else {\n\t\tdata = make([]byte, sessionRegistrationIPv4DatagramHeaderLen+len(s.Payload))\n\t}\n\tdata[0] = byte(UDPSessionRegistrationType)\n\tdata[1] = flags\n\tbinary.BigEndian.PutUint16(data[2:4], s.Dest.Port())\n\tbinary.BigEndian.PutUint16(data[4:6], uint16(s.IdleDurationHint.Seconds()))\n\terr = s.RequestID.MarshalBinaryTo(data[6:22])\n\tif err != nil {\n\t\treturn nil, wrapMarshalErr(err)\n\t}\n\tvar end int\n\tif ipv6 {\n\t\tcopy(data[22:38], s.Dest.Addr().AsSlice())\n\t\tend = 38\n\t} else {\n\t\tcopy(data[22:26], s.Dest.Addr().AsSlice())\n\t\tend = 26\n\t}\n\n\tif hasPayload {\n\t\tcopy(data[end:], s.Payload)\n\t}\n\n\treturn data, nil\n}\n\nfunc (s *UDPSessionRegistrationDatagram) UnmarshalBinary(data []byte) error {\n\tdatagramType, err := ParseDatagramType(data)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif datagramType != UDPSessionRegistrationType {\n\t\treturn wrapUnmarshalErr(ErrInvalidDatagramType)\n\t}\n\n\trequestID, err := RequestIDFromSlice(data[6:22])\n\tif err != nil {\n\t\treturn wrapUnmarshalErr(err)\n\t}\n\n\ttraced := (data[1] & sessionRegistrationFlagsTracedMask) == sessionRegistrationFlagsTracedMask\n\tbundled := (data[1] & sessionRegistrationFlagsBundledMask) == sessionRegistrationFlagsBundledMask\n\tipv6 := (data[1] & sessionRegistrationFlagsIPMask) == sessionRegistrationFlagsIPMask\n\n\tport := binary.BigEndian.Uint16(data[2:4])\n\tvar datagramHeaderSize int\n\tvar dest netip.AddrPort\n\tif ipv6 {\n\t\tdatagramHeaderSize = sessionRegistrationIPv6DatagramHeaderLen\n\t\tdest = netip.AddrPortFrom(netip.AddrFrom16([16]byte(data[22:38])), port)\n\t} else {\n\t\tdatagramHeaderSize = sessionRegistrationIPv4DatagramHeaderLen\n\t\tdest = netip.AddrPortFrom(netip.AddrFrom4([4]byte(data[22:26])), port)\n\t}\n\n\tidle := time.Duration(binary.BigEndian.Uint16(data[4:6])) * time.Second\n\n\tvar payload []byte\n\tif bundled && len(data) >= datagramHeaderSize && len(data[datagramHeaderSize:]) > 0 {\n\t\tpayload = data[datagramHeaderSize:]\n\t}\n\n\t*s = UDPSessionRegistrationDatagram{\n\t\tRequestID: requestID,\n\t\tDest: dest,\n\t\tTraced: traced,\n\t\tIdleDurationHint: idle,\n\t\tPayload: payload,\n\t}\n\treturn nil\n}\n\n// UDPSessionPayloadDatagram provides the payload for a session to be send to either the origin or the client.\ntype UDPSessionPayloadDatagram struct {\n\tRequestID RequestID\n\tPayload []byte\n}\n\nconst (\n\tDatagramPayloadHeaderLen = datagramTypeLen + datagramRequestIdLen\n\n\t// The maximum size that a proxied UDP payload can be in a [UDPSessionPayloadDatagram]\n\tmaxPayloadPlusHeaderLen = maxDatagramPayloadLen + DatagramPayloadHeaderLen\n)\n\n// The datagram structure for UDPSessionPayloadDatagram is:\n//\n// 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n// 0| Type | |\n// +-+-+-+-+-+-+-+-+ +\n// 4| |\n// + +\n// 8| Session Identifier |\n// + (16 Bytes) +\n// 12| |\n// + +-+-+-+-+-+-+-+-+\n// 16| | |\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +\n// . .\n// . Payload .\n// . .\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n\n// MarshalPayloadHeaderTo provides a way to insert the Session Payload header into an already existing byte slice\n// without having to allocate and copy the payload into the destination.\n//\n// This method should be used in-place of MarshalBinary which will allocate in-place the required byte array to return.\nfunc MarshalPayloadHeaderTo(requestID RequestID, payload []byte) error {\n\tif len(payload) < DatagramPayloadHeaderLen {\n\t\treturn wrapMarshalErr(ErrDatagramPayloadHeaderTooSmall)\n\t}\n\tpayload[0] = byte(UDPSessionPayloadType)\n\treturn requestID.MarshalBinaryTo(payload[1:DatagramPayloadHeaderLen])\n}\n\nfunc (s *UDPSessionPayloadDatagram) UnmarshalBinary(data []byte) error {\n\tdatagramType, err := ParseDatagramType(data)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif datagramType != UDPSessionPayloadType {\n\t\treturn wrapUnmarshalErr(ErrInvalidDatagramType)\n\t}\n\n\t// Make sure that the slice provided is the right size to be parsed.\n\tif len(data) < DatagramPayloadHeaderLen || len(data) > maxPayloadPlusHeaderLen {\n\t\treturn wrapUnmarshalErr(ErrDatagramPayloadInvalidSize)\n\t}\n\n\trequestID, err := RequestIDFromSlice(data[1:DatagramPayloadHeaderLen])\n\tif err != nil {\n\t\treturn wrapUnmarshalErr(err)\n\t}\n\n\t*s = UDPSessionPayloadDatagram{\n\t\tRequestID: requestID,\n\t\tPayload: data[DatagramPayloadHeaderLen:],\n\t}\n\treturn nil\n}\n\n// UDPSessionRegistrationResponseDatagram is used to either return a successful registration or error to the client\n// that requested the registration of a UDP session.\ntype UDPSessionRegistrationResponseDatagram struct {\n\tRequestID RequestID\n\tResponseType SessionRegistrationResp\n\tErrorMsg string\n}\n\nconst (\n\tdatagramRespTypeLen = 1\n\tdatagramRespErrMsgLen = 2\n\n\tdatagramSessionRegistrationResponseLen = datagramTypeLen + datagramRespTypeLen + datagramRequestIdLen + datagramRespErrMsgLen\n\n\t// The maximum size that an error message can be in a [UDPSessionRegistrationResponseDatagram].\n\tmaxResponseErrorMessageLen = maxDatagramPayloadLen - datagramSessionRegistrationResponseLen\n)\n\n// SessionRegistrationResp represents all of the responses that a UDP session registration response\n// can return back to the client.\ntype SessionRegistrationResp byte\n\nconst (\n\t// Session was received and is ready to proxy.\n\tResponseOk SessionRegistrationResp = 0x00\n\t// Session registration was unable to reach the requested origin destination.\n\tResponseDestinationUnreachable SessionRegistrationResp = 0x01\n\t// Session registration was unable to bind to a local UDP socket.\n\tResponseUnableToBindSocket SessionRegistrationResp = 0x02\n\t// Session registration failed due to the number of flows being higher than the limit.\n\tResponseTooManyActiveFlows SessionRegistrationResp = 0x03\n\t// Session registration failed with an unexpected error but provided a message.\n\tResponseErrorWithMsg SessionRegistrationResp = 0xff\n)\n\n// The datagram structure for UDPSessionRegistrationResponseDatagram is:\n//\n// 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n// 0| Type | Resp Type | |\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +\n// 4| |\n// + Session Identifier +\n// 8| (16 Bytes) |\n// + +\n// 12| |\n// + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n// 16| | Error Length |\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n// . .\n// . .\n// . .\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n\nfunc (s *UDPSessionRegistrationResponseDatagram) MarshalBinary() (data []byte, err error) {\n\tif len(s.ErrorMsg) > maxResponseErrorMessageLen {\n\t\treturn nil, wrapMarshalErr(ErrDatagramResponseMsgInvalidSize)\n\t}\n\t// nolint: gosec\n\terrMsgLen := uint16(len(s.ErrorMsg))\n\n\tdata = make([]byte, datagramSessionRegistrationResponseLen+errMsgLen)\n\tdata[0] = byte(UDPSessionRegistrationResponseType)\n\tdata[1] = byte(s.ResponseType)\n\terr = s.RequestID.MarshalBinaryTo(data[2:18])\n\tif err != nil {\n\t\treturn nil, wrapMarshalErr(err)\n\t}\n\n\tif errMsgLen > 0 {\n\t\tbinary.BigEndian.PutUint16(data[18:20], errMsgLen)\n\t\tcopy(data[20:], []byte(s.ErrorMsg))\n\t}\n\n\treturn data, nil\n}\n\nfunc (s *UDPSessionRegistrationResponseDatagram) UnmarshalBinary(data []byte) error {\n\tdatagramType, err := ParseDatagramType(data)\n\tif err != nil {\n\t\treturn wrapUnmarshalErr(err)\n\t}\n\tif datagramType != UDPSessionRegistrationResponseType {\n\t\treturn wrapUnmarshalErr(ErrInvalidDatagramType)\n\t}\n\n\tif len(data) < datagramSessionRegistrationResponseLen {\n\t\treturn wrapUnmarshalErr(ErrDatagramResponseInvalidSize)\n\t}\n\n\trespType := SessionRegistrationResp(data[1])\n\n\trequestID, err := RequestIDFromSlice(data[2:18])\n\tif err != nil {\n\t\treturn wrapUnmarshalErr(err)\n\t}\n\n\terrMsgLen := binary.BigEndian.Uint16(data[18:20])\n\tif errMsgLen > maxResponseErrorMessageLen {\n\t\treturn wrapUnmarshalErr(ErrDatagramResponseMsgTooLargeMaximum)\n\t}\n\n\tif len(data[20:]) < int(errMsgLen) {\n\t\treturn wrapUnmarshalErr(ErrDatagramResponseMsgTooLargeDatagram)\n\t}\n\n\tvar errMsg string\n\tif errMsgLen > 0 {\n\t\terrMsg = string(data[20:])\n\t}\n\n\t*s = UDPSessionRegistrationResponseDatagram{\n\t\tRequestID: requestID,\n\t\tResponseType: respType,\n\t\tErrorMsg: errMsg,\n\t}\n\treturn nil\n}\n\n// ICMPDatagram is used to propagate ICMPv4 and ICMPv6 payloads.\ntype ICMPDatagram struct {\n\tPayload []byte\n}\n\n// The maximum size that an ICMP packet can be.\nconst maxICMPPayloadLen = maxDatagramPayloadLen\n\n// The datagram structure for ICMPDatagram is:\n//\n// 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n// 0| Type | |\n// +-+-+-+-+-+-+-+-+ +\n// . Payload .\n// . .\n// . .\n// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n\nfunc (d *ICMPDatagram) MarshalBinary() (data []byte, err error) {\n\tif len(d.Payload) > maxICMPPayloadLen {\n\t\treturn nil, wrapMarshalErr(ErrDatagramICMPPayloadTooLarge)\n\t}\n\t// We shouldn't attempt to marshal an ICMP datagram with no ICMP payload provided\n\tif len(d.Payload) == 0 {\n\t\treturn nil, wrapMarshalErr(ErrDatagramICMPPayloadMissing)\n\t}\n\t// Make room for the 1 byte ICMPType header\n\tdatagram := make([]byte, len(d.Payload)+datagramTypeLen)\n\tdatagram[0] = byte(ICMPType)\n\tcopy(datagram[1:], d.Payload)\n\treturn datagram, nil\n}\n\nfunc (d *ICMPDatagram) UnmarshalBinary(data []byte) error {\n\tdatagramType, err := ParseDatagramType(data)\n\tif err != nil {\n\t\treturn wrapUnmarshalErr(err)\n\t}\n\tif datagramType != ICMPType {\n\t\treturn wrapUnmarshalErr(ErrInvalidDatagramType)\n\t}\n\n\tif len(data[1:]) > maxDatagramPayloadLen {\n\t\treturn wrapUnmarshalErr(ErrDatagramICMPPayloadTooLarge)\n\t}\n\n\t// We shouldn't attempt to unmarshal an ICMP datagram with no ICMP payload provided\n\tif len(data[1:]) == 0 {\n\t\treturn wrapUnmarshalErr(ErrDatagramICMPPayloadMissing)\n\t}\n\n\tpayload := make([]byte, len(data[1:]))\n\tcopy(payload, data[1:])\n\td.Payload = payload\n\treturn nil\n}\n" }, { "path": "quic/v3/datagram_errors.go", "content": "package v3\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n)\n\nvar (\n\tErrInvalidDatagramType error = errors.New(\"invalid datagram type expected\")\n\tErrDatagramHeaderTooSmall error = fmt.Errorf(\"datagram should have at least %d byte\", datagramTypeLen)\n\tErrDatagramPayloadTooLarge error = errors.New(\"payload length is too large to be bundled in datagram\")\n\tErrDatagramPayloadHeaderTooSmall error = errors.New(\"payload length is too small to fit the datagram header\")\n\tErrDatagramPayloadInvalidSize error = errors.New(\"datagram provided is an invalid size\")\n\tErrDatagramResponseMsgInvalidSize error = errors.New(\"datagram response message is an invalid size\")\n\tErrDatagramResponseInvalidSize error = errors.New(\"datagram response is an invalid size\")\n\tErrDatagramResponseMsgTooLargeMaximum error = fmt.Errorf(\"datagram response error message length exceeds the length of the datagram maximum: %d\", maxResponseErrorMessageLen)\n\tErrDatagramResponseMsgTooLargeDatagram error = fmt.Errorf(\"datagram response error message length exceeds the length of the provided datagram\")\n\tErrDatagramICMPPayloadTooLarge error = fmt.Errorf(\"datagram icmp payload exceeds %d bytes\", maxICMPPayloadLen)\n\tErrDatagramICMPPayloadMissing error = errors.New(\"datagram icmp payload is missing\")\n)\n\nfunc wrapMarshalErr(err error) error {\n\treturn fmt.Errorf(\"datagram marshal error: %w\", err)\n}\n\nfunc wrapUnmarshalErr(err error) error {\n\treturn fmt.Errorf(\"datagram unmarshal error: %w\", err)\n}\n" }, { "path": "quic/v3/datagram_test.go", "content": "package v3_test\n\nimport (\n\t\"crypto/rand\"\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"net/netip\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/require\"\n\n\tv3 \"github.com/cloudflare/cloudflared/quic/v3\"\n)\n\nfunc makePayload(size int) []byte {\n\tpayload := make([]byte, size)\n\t_, _ = rand.Read(payload)\n\treturn payload\n}\n\nfunc makePayloads(size int, count int) [][]byte {\n\tpayloads := make([][]byte, count)\n\tfor i := range payloads {\n\t\tpayloads[i] = makePayload(size)\n\t}\n\treturn payloads\n}\n\nfunc TestSessionRegistration_MarshalUnmarshal(t *testing.T) {\n\tpayload := makePayload(1280)\n\ttests := []*v3.UDPSessionRegistrationDatagram{\n\t\t// Default (IPv4)\n\t\t{\n\t\t\tRequestID: testRequestID,\n\t\t\tDest: netip.MustParseAddrPort(\"1.1.1.1:8080\"),\n\t\t\tTraced: false,\n\t\t\tIdleDurationHint: 5 * time.Second,\n\t\t\tPayload: nil,\n\t\t},\n\t\t// Request ID (max)\n\t\t{\n\t\t\tRequestID: mustRequestID([16]byte{\n\t\t\t\t^uint8(0), ^uint8(0), ^uint8(0), ^uint8(0),\n\t\t\t\t^uint8(0), ^uint8(0), ^uint8(0), ^uint8(0),\n\t\t\t\t^uint8(0), ^uint8(0), ^uint8(0), ^uint8(0),\n\t\t\t\t^uint8(0), ^uint8(0), ^uint8(0), ^uint8(0),\n\t\t\t}),\n\t\t\tDest: netip.MustParseAddrPort(\"1.1.1.1:8080\"),\n\t\t\tTraced: false,\n\t\t\tIdleDurationHint: 5 * time.Second,\n\t\t\tPayload: nil,\n\t\t},\n\t\t// IPv6\n\t\t{\n\t\t\tRequestID: testRequestID,\n\t\t\tDest: netip.MustParseAddrPort(\"[fc00::0]:8080\"),\n\t\t\tTraced: false,\n\t\t\tIdleDurationHint: 5 * time.Second,\n\t\t\tPayload: nil,\n\t\t},\n\t\t// Traced\n\t\t{\n\t\t\tRequestID: testRequestID,\n\t\t\tDest: netip.MustParseAddrPort(\"1.1.1.1:8080\"),\n\t\t\tTraced: true,\n\t\t\tIdleDurationHint: 5 * time.Second,\n\t\t\tPayload: nil,\n\t\t},\n\t\t// IdleDurationHint (max)\n\t\t{\n\t\t\tRequestID: testRequestID,\n\t\t\tDest: netip.MustParseAddrPort(\"1.1.1.1:8080\"),\n\t\t\tTraced: false,\n\t\t\tIdleDurationHint: 65535 * time.Second,\n\t\t\tPayload: nil,\n\t\t},\n\t\t// Payload\n\t\t{\n\t\t\tRequestID: testRequestID,\n\t\t\tDest: netip.MustParseAddrPort(\"1.1.1.1:8080\"),\n\t\t\tTraced: false,\n\t\t\tIdleDurationHint: 5 * time.Second,\n\t\t\tPayload: []byte{0xff, 0xaa, 0xcc, 0x44},\n\t\t},\n\t\t// Payload (max: 1254) for IPv4\n\t\t{\n\t\t\tRequestID: testRequestID,\n\t\t\tDest: netip.MustParseAddrPort(\"1.1.1.1:8080\"),\n\t\t\tTraced: false,\n\t\t\tIdleDurationHint: 5 * time.Second,\n\t\t\tPayload: payload,\n\t\t},\n\t\t// Payload (max: 1242) for IPv4\n\t\t{\n\t\t\tRequestID: testRequestID,\n\t\t\tDest: netip.MustParseAddrPort(\"1.1.1.1:8080\"),\n\t\t\tTraced: false,\n\t\t\tIdleDurationHint: 5 * time.Second,\n\t\t\tPayload: payload[:1242],\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tmarshaled, err := tt.MarshalBinary()\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tunmarshaled := v3.UDPSessionRegistrationDatagram{}\n\t\terr = unmarshaled.UnmarshalBinary(marshaled)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif !compareRegistrationDatagrams(t, tt, &unmarshaled) {\n\t\t\tt.Errorf(\"not equal:\\n%+v\\n%+v\", tt, &unmarshaled)\n\t\t}\n\t}\n}\n\nfunc TestSessionRegistration_MarshalBinary(t *testing.T) {\n\tt.Run(\"idle hint too large\", func(t *testing.T) {\n\t\t// idle hint duration overflows back to 1\n\t\tdatagram := &v3.UDPSessionRegistrationDatagram{\n\t\t\tRequestID: testRequestID,\n\t\t\tDest: netip.MustParseAddrPort(\"1.1.1.1:8080\"),\n\t\t\tTraced: false,\n\t\t\tIdleDurationHint: 65537 * time.Second,\n\t\t\tPayload: nil,\n\t\t}\n\t\texpected := &v3.UDPSessionRegistrationDatagram{\n\t\t\tRequestID: testRequestID,\n\t\t\tDest: netip.MustParseAddrPort(\"1.1.1.1:8080\"),\n\t\t\tTraced: false,\n\t\t\tIdleDurationHint: 1 * time.Second,\n\t\t\tPayload: nil,\n\t\t}\n\t\tmarshaled, err := datagram.MarshalBinary()\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tunmarshaled := v3.UDPSessionRegistrationDatagram{}\n\t\terr = unmarshaled.UnmarshalBinary(marshaled)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif !compareRegistrationDatagrams(t, expected, &unmarshaled) {\n\t\t\tt.Errorf(\"not equal:\\n%+v\\n%+v\", expected, &unmarshaled)\n\t\t}\n\t})\n}\n\nfunc TestTypeUnmarshalErrors(t *testing.T) {\n\tt.Run(\"invalid length\", func(t *testing.T) {\n\t\td1 := v3.UDPSessionRegistrationDatagram{}\n\t\terr := d1.UnmarshalBinary([]byte{})\n\t\tif !errors.Is(err, v3.ErrDatagramHeaderTooSmall) {\n\t\t\tt.Errorf(\"expected invalid length to throw error\")\n\t\t}\n\n\t\td2 := v3.UDPSessionPayloadDatagram{}\n\t\terr = d2.UnmarshalBinary([]byte{})\n\t\tif !errors.Is(err, v3.ErrDatagramHeaderTooSmall) {\n\t\t\tt.Errorf(\"expected invalid length to throw error\")\n\t\t}\n\n\t\td3 := v3.UDPSessionRegistrationResponseDatagram{}\n\t\terr = d3.UnmarshalBinary([]byte{})\n\t\tif !errors.Is(err, v3.ErrDatagramHeaderTooSmall) {\n\t\t\tt.Errorf(\"expected invalid length to throw error\")\n\t\t}\n\n\t\td4 := v3.ICMPDatagram{}\n\t\terr = d4.UnmarshalBinary([]byte{})\n\t\tif !errors.Is(err, v3.ErrDatagramHeaderTooSmall) {\n\t\t\tt.Errorf(\"expected invalid length to throw error\")\n\t\t}\n\t})\n\n\tt.Run(\"invalid types\", func(t *testing.T) {\n\t\td1 := v3.UDPSessionRegistrationDatagram{}\n\t\terr := d1.UnmarshalBinary([]byte{byte(v3.UDPSessionRegistrationResponseType)})\n\t\tif !errors.Is(err, v3.ErrInvalidDatagramType) {\n\t\t\tt.Errorf(\"expected invalid type to throw error\")\n\t\t}\n\n\t\td2 := v3.UDPSessionPayloadDatagram{}\n\t\terr = d2.UnmarshalBinary([]byte{byte(v3.UDPSessionRegistrationType)})\n\t\tif !errors.Is(err, v3.ErrInvalidDatagramType) {\n\t\t\tt.Errorf(\"expected invalid type to throw error\")\n\t\t}\n\n\t\td3 := v3.UDPSessionRegistrationResponseDatagram{}\n\t\terr = d3.UnmarshalBinary([]byte{byte(v3.UDPSessionPayloadType)})\n\t\tif !errors.Is(err, v3.ErrInvalidDatagramType) {\n\t\t\tt.Errorf(\"expected invalid type to throw error\")\n\t\t}\n\n\t\td4 := v3.ICMPDatagram{}\n\t\terr = d4.UnmarshalBinary([]byte{byte(v3.UDPSessionPayloadType)})\n\t\tif !errors.Is(err, v3.ErrInvalidDatagramType) {\n\t\t\tt.Errorf(\"expected invalid type to throw error\")\n\t\t}\n\t})\n}\n\nfunc TestSessionPayload(t *testing.T) {\n\tt.Run(\"basic\", func(t *testing.T) {\n\t\tpayload := makePayload(128)\n\t\terr := v3.MarshalPayloadHeaderTo(testRequestID, payload[0:17])\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tunmarshaled := v3.UDPSessionPayloadDatagram{}\n\t\terr = unmarshaled.UnmarshalBinary(payload)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\trequire.Equal(t, testRequestID, unmarshaled.RequestID)\n\t\trequire.Equal(t, payload[17:], unmarshaled.Payload)\n\t})\n\n\tt.Run(\"empty\", func(t *testing.T) {\n\t\tpayload := makePayload(17)\n\t\terr := v3.MarshalPayloadHeaderTo(testRequestID, payload)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tunmarshaled := v3.UDPSessionPayloadDatagram{}\n\t\terr = unmarshaled.UnmarshalBinary(payload)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\trequire.Equal(t, testRequestID, unmarshaled.RequestID)\n\t\trequire.Equal(t, payload[17:], unmarshaled.Payload)\n\t})\n\n\tt.Run(\"header size too small\", func(t *testing.T) {\n\t\tpayload := makePayload(16)\n\t\terr := v3.MarshalPayloadHeaderTo(testRequestID, payload)\n\t\tif !errors.Is(err, v3.ErrDatagramPayloadHeaderTooSmall) {\n\t\t\tt.Errorf(\"expected an error\")\n\t\t}\n\t})\n\n\tt.Run(\"payload size too small\", func(t *testing.T) {\n\t\tpayload := makePayload(17)\n\t\terr := v3.MarshalPayloadHeaderTo(testRequestID, payload)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tunmarshaled := v3.UDPSessionPayloadDatagram{}\n\t\terr = unmarshaled.UnmarshalBinary(payload[:16])\n\t\tif !errors.Is(err, v3.ErrDatagramPayloadInvalidSize) {\n\t\t\tt.Errorf(\"expected an error: %s\", err)\n\t\t}\n\t})\n\n\tt.Run(\"payload size too large\", func(t *testing.T) {\n\t\tdatagram := makePayload(17 + 1281) // 1280 is the largest payload size allowed\n\t\terr := v3.MarshalPayloadHeaderTo(testRequestID, datagram)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tunmarshaled := v3.UDPSessionPayloadDatagram{}\n\t\terr = unmarshaled.UnmarshalBinary(datagram[:])\n\t\tif !errors.Is(err, v3.ErrDatagramPayloadInvalidSize) {\n\t\t\tt.Errorf(\"expected an error: %s\", err)\n\t\t}\n\t})\n}\n\nfunc TestSessionRegistrationResponse(t *testing.T) {\n\tvalidRespTypes := []v3.SessionRegistrationResp{\n\t\tv3.ResponseOk,\n\t\tv3.ResponseDestinationUnreachable,\n\t\tv3.ResponseUnableToBindSocket,\n\t\tv3.ResponseErrorWithMsg,\n\t}\n\tt.Run(\"basic\", func(t *testing.T) {\n\t\tfor _, responseType := range validRespTypes {\n\t\t\tdatagram := &v3.UDPSessionRegistrationResponseDatagram{\n\t\t\t\tRequestID: testRequestID,\n\t\t\t\tResponseType: responseType,\n\t\t\t\tErrorMsg: \"test\",\n\t\t\t}\n\t\t\tmarshaled, err := datagram.MarshalBinary()\n\t\t\tif err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\tunmarshaled := &v3.UDPSessionRegistrationResponseDatagram{}\n\t\t\terr = unmarshaled.UnmarshalBinary(marshaled)\n\t\t\tif err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\trequire.Equal(t, datagram, unmarshaled)\n\t\t}\n\t})\n\n\tt.Run(\"unsupported resp type is valid\", func(t *testing.T) {\n\t\tdatagram := &v3.UDPSessionRegistrationResponseDatagram{\n\t\t\tRequestID: testRequestID,\n\t\t\tResponseType: v3.SessionRegistrationResp(0xfc),\n\t\t\tErrorMsg: \"\",\n\t\t}\n\t\tmarshaled, err := datagram.MarshalBinary()\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tunmarshaled := &v3.UDPSessionRegistrationResponseDatagram{}\n\t\terr = unmarshaled.UnmarshalBinary(marshaled)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\trequire.Equal(t, datagram, unmarshaled)\n\t})\n\n\tt.Run(\"too small to unmarshal\", func(t *testing.T) {\n\t\tpayload := makePayload(17)\n\t\tpayload[0] = byte(v3.UDPSessionRegistrationResponseType)\n\t\tunmarshaled := &v3.UDPSessionRegistrationResponseDatagram{}\n\t\terr := unmarshaled.UnmarshalBinary(payload)\n\t\tif !errors.Is(err, v3.ErrDatagramResponseInvalidSize) {\n\t\t\tt.Errorf(\"expected an error\")\n\t\t}\n\t})\n\n\tt.Run(\"error message too long\", func(t *testing.T) {\n\t\tmessage := \"\"\n\t\tfor i := 0; i < 1280; i++ {\n\t\t\tmessage += \"a\"\n\t\t}\n\t\tdatagram := &v3.UDPSessionRegistrationResponseDatagram{\n\t\t\tRequestID: testRequestID,\n\t\t\tResponseType: v3.SessionRegistrationResp(0xfc),\n\t\t\tErrorMsg: message,\n\t\t}\n\t\t_, err := datagram.MarshalBinary()\n\t\tif !errors.Is(err, v3.ErrDatagramResponseMsgInvalidSize) {\n\t\t\tt.Errorf(\"expected an error\")\n\t\t}\n\t})\n\n\tt.Run(\"error message too large to unmarshal\", func(t *testing.T) {\n\t\tpayload := makePayload(1280)\n\t\tpayload[0] = byte(v3.UDPSessionRegistrationResponseType)\n\t\tbinary.BigEndian.PutUint16(payload[18:20], 1280) // larger than the datagram size could be\n\t\tunmarshaled := &v3.UDPSessionRegistrationResponseDatagram{}\n\t\terr := unmarshaled.UnmarshalBinary(payload)\n\t\tif !errors.Is(err, v3.ErrDatagramResponseMsgTooLargeMaximum) {\n\t\t\tt.Errorf(\"expected an error: %v\", err)\n\t\t}\n\t})\n\n\tt.Run(\"error message larger than provided buffer\", func(t *testing.T) {\n\t\tpayload := makePayload(1000)\n\t\tpayload[0] = byte(v3.UDPSessionRegistrationResponseType)\n\t\tbinary.BigEndian.PutUint16(payload[18:20], 1001) // larger than the datagram size provided\n\t\tunmarshaled := &v3.UDPSessionRegistrationResponseDatagram{}\n\t\terr := unmarshaled.UnmarshalBinary(payload)\n\t\tif !errors.Is(err, v3.ErrDatagramResponseMsgTooLargeDatagram) {\n\t\t\tt.Errorf(\"expected an error: %v\", err)\n\t\t}\n\t})\n}\n\nfunc TestICMPDatagram(t *testing.T) {\n\tt.Run(\"basic\", func(t *testing.T) {\n\t\tpayload := makePayload(128)\n\t\tdatagram := v3.ICMPDatagram{Payload: payload}\n\t\tmarshaled, err := datagram.MarshalBinary()\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tunmarshaled := &v3.ICMPDatagram{}\n\t\terr = unmarshaled.UnmarshalBinary(marshaled)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\trequire.Equal(t, payload, unmarshaled.Payload)\n\t})\n\n\tt.Run(\"payload size empty\", func(t *testing.T) {\n\t\tpayload := []byte{}\n\t\tdatagram := v3.ICMPDatagram{Payload: payload}\n\t\t_, err := datagram.MarshalBinary()\n\t\tif !errors.Is(err, v3.ErrDatagramICMPPayloadMissing) {\n\t\t\tt.Errorf(\"expected an error: %s\", err)\n\t\t}\n\t\tpayload = []byte{byte(v3.ICMPType)}\n\t\tunmarshaled := &v3.ICMPDatagram{}\n\t\terr = unmarshaled.UnmarshalBinary(payload)\n\t\tif !errors.Is(err, v3.ErrDatagramICMPPayloadMissing) {\n\t\t\tt.Errorf(\"expected an error: %s\", err)\n\t\t}\n\t})\n\n\tt.Run(\"payload size too large\", func(t *testing.T) {\n\t\tpayload := makePayload(1280 + 1) // larger than the datagram size could be\n\t\tdatagram := v3.ICMPDatagram{Payload: payload}\n\t\t_, err := datagram.MarshalBinary()\n\t\tif !errors.Is(err, v3.ErrDatagramICMPPayloadTooLarge) {\n\t\t\tt.Errorf(\"expected an error: %s\", err)\n\t\t}\n\t\tpayload = makePayload(1280 + 2) // larger than the datagram size could be + header\n\t\tpayload[0] = byte(v3.ICMPType)\n\t\tunmarshaled := &v3.ICMPDatagram{}\n\t\terr = unmarshaled.UnmarshalBinary(payload)\n\t\tif !errors.Is(err, v3.ErrDatagramICMPPayloadTooLarge) {\n\t\t\tt.Errorf(\"expected an error: %s\", err)\n\t\t}\n\t})\n}\n\nfunc compareRegistrationDatagrams(t *testing.T, l *v3.UDPSessionRegistrationDatagram, r *v3.UDPSessionRegistrationDatagram) bool {\n\trequire.Equal(t, l.Payload, r.Payload)\n\treturn l.RequestID == r.RequestID &&\n\t\tl.Dest == r.Dest &&\n\t\tl.IdleDurationHint == r.IdleDurationHint &&\n\t\tl.Traced == r.Traced\n}\n\nfunc FuzzRegistrationDatagram(f *testing.F) {\n\tf.Fuzz(func(t *testing.T, data []byte) {\n\t\tunmarshaled := v3.UDPSessionRegistrationDatagram{}\n\t\terr := unmarshaled.UnmarshalBinary(data)\n\t\tif err == nil {\n\t\t\t_, _ = unmarshaled.MarshalBinary()\n\t\t}\n\t})\n}\n\nfunc FuzzPayloadDatagram(f *testing.F) {\n\tf.Fuzz(func(t *testing.T, data []byte) {\n\t\tunmarshaled := v3.UDPSessionPayloadDatagram{}\n\t\t_ = unmarshaled.UnmarshalBinary(data)\n\t})\n}\n\nfunc FuzzRegistrationResponseDatagram(f *testing.F) {\n\tf.Fuzz(func(t *testing.T, data []byte) {\n\t\tunmarshaled := v3.UDPSessionRegistrationResponseDatagram{}\n\t\terr := unmarshaled.UnmarshalBinary(data)\n\t\tif err == nil {\n\t\t\t_, _ = unmarshaled.MarshalBinary()\n\t\t}\n\t})\n}\n\nfunc FuzzICMPDatagram(f *testing.F) {\n\tf.Fuzz(func(t *testing.T, data []byte) {\n\t\tunmarshaled := v3.ICMPDatagram{}\n\t\terr := unmarshaled.UnmarshalBinary(data)\n\t\tif err == nil {\n\t\t\t_, _ = unmarshaled.MarshalBinary()\n\t\t}\n\t})\n}\n" }, { "path": "quic/v3/icmp.go", "content": "package v3\n\nimport (\n\t\"context\"\n\n\t\"github.com/rs/zerolog\"\n\t\"go.opentelemetry.io/otel/trace\"\n\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/packet\"\n\t\"github.com/cloudflare/cloudflared/tracing\"\n)\n\n// packetResponder is an implementation of the [ingress.ICMPResponder] which provides the ICMP Flow manager the\n// return path to return and ICMP Echo response back to the QUIC muxer.\ntype packetResponder struct {\n\tdatagramMuxer DatagramICMPWriter\n\tconnID uint8\n}\n\nfunc newPacketResponder(datagramMuxer DatagramICMPWriter, connID uint8) ingress.ICMPResponder {\n\treturn &packetResponder{\n\t\tdatagramMuxer,\n\t\tconnID,\n\t}\n}\n\nfunc (pr *packetResponder) ConnectionIndex() uint8 {\n\treturn pr.connID\n}\n\nfunc (pr *packetResponder) ReturnPacket(pk *packet.ICMP) error {\n\treturn pr.datagramMuxer.SendICMPPacket(pk)\n}\n\nfunc (pr *packetResponder) AddTraceContext(tracedCtx *tracing.TracedContext, serializedIdentity []byte) {\n\t// datagram v3 does not support tracing ICMP packets\n}\n\nfunc (pr *packetResponder) RequestSpan(ctx context.Context, pk *packet.ICMP) (context.Context, trace.Span) {\n\t// datagram v3 does not support tracing ICMP packets\n\treturn ctx, tracing.NewNoopSpan()\n}\n\nfunc (pr *packetResponder) ReplySpan(ctx context.Context, logger *zerolog.Logger) (context.Context, trace.Span) {\n\t// datagram v3 does not support tracing ICMP packets\n\treturn ctx, tracing.NewNoopSpan()\n}\n\nfunc (pr *packetResponder) ExportSpan() {\n\t// datagram v3 does not support tracing ICMP packets\n}\n" }, { "path": "quic/v3/icmp_test.go", "content": "package v3_test\n\nimport (\n\t\"context\"\n\t\"testing\"\n\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\ntype noopICMPRouter struct{}\n\nfunc (noopICMPRouter) Request(ctx context.Context, pk *packet.ICMP, responder ingress.ICMPResponder) error {\n\treturn nil\n}\nfunc (noopICMPRouter) ConvertToTTLExceeded(pk *packet.ICMP, rawPacket packet.RawPacket) *packet.ICMP {\n\treturn nil\n}\n\ntype mockICMPRouter struct {\n\trecv chan *packet.ICMP\n}\n\nfunc newMockICMPRouter() *mockICMPRouter {\n\treturn &mockICMPRouter{\n\t\trecv: make(chan *packet.ICMP, 1),\n\t}\n}\n\nfunc (m *mockICMPRouter) Request(ctx context.Context, pk *packet.ICMP, responder ingress.ICMPResponder) error {\n\tm.recv <- pk\n\treturn nil\n}\nfunc (mockICMPRouter) ConvertToTTLExceeded(pk *packet.ICMP, rawPacket packet.RawPacket) *packet.ICMP {\n\treturn packet.NewICMPTTLExceedPacket(pk.IP, rawPacket, testLocalAddr.AddrPort().Addr())\n}\n\nfunc assertICMPEqual(t *testing.T, expected *packet.ICMP, actual *packet.ICMP) {\n\tif expected.Src != actual.Src {\n\t\tt.Fatalf(\"Src address not equal: %+v\\t%+v\", expected, actual)\n\t}\n\tif expected.Dst != actual.Dst {\n\t\tt.Fatalf(\"Dst address not equal: %+v\\t%+v\", expected, actual)\n\t}\n}\n" }, { "path": "quic/v3/manager.go", "content": "package v3\n\nimport (\n\t\"errors\"\n\t\"sync\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/management\"\n\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n)\n\nvar (\n\t// ErrSessionNotFound indicates that a session has not been registered yet for the request id.\n\tErrSessionNotFound = errors.New(\"flow not found\")\n\t// ErrSessionBoundToOtherConn is returned when a registration already exists for a different connection.\n\tErrSessionBoundToOtherConn = errors.New(\"flow is in use by another connection\")\n\t// ErrSessionAlreadyRegistered is returned when a registration already exists for this connection.\n\tErrSessionAlreadyRegistered = errors.New(\"flow is already registered for this connection\")\n\t// ErrSessionRegistrationRateLimited is returned when a registration fails due to rate limiting on the number of active flows.\n\tErrSessionRegistrationRateLimited = errors.New(\"flow registration rate limited\")\n)\n\ntype SessionManager interface {\n\t// RegisterSession will register a new session if it does not already exist for the request ID.\n\t// During new session creation, the session will also bind the UDP socket for the origin.\n\t// If the session exists for a different connection, it will return [ErrSessionBoundToOtherConn].\n\tRegisterSession(request *UDPSessionRegistrationDatagram, conn DatagramConn) (Session, error)\n\t// GetSession returns an active session if available for the provided connection.\n\t// If the session does not exist, it will return [ErrSessionNotFound]. If the session exists for a different\n\t// connection, it will return [ErrSessionBoundToOtherConn].\n\tGetSession(requestID RequestID) (Session, error)\n\t// UnregisterSession will remove a session from the current session manager. It will attempt to close the session\n\t// before removal.\n\tUnregisterSession(requestID RequestID)\n}\n\ntype sessionManager struct {\n\tsessions map[RequestID]Session\n\tmutex sync.RWMutex\n\toriginDialer ingress.OriginUDPDialer\n\tlimiter cfdflow.Limiter\n\tmetrics Metrics\n\tlog *zerolog.Logger\n}\n\nfunc NewSessionManager(metrics Metrics, log *zerolog.Logger, originDialer ingress.OriginUDPDialer, limiter cfdflow.Limiter) SessionManager {\n\treturn &sessionManager{\n\t\tsessions: make(map[RequestID]Session),\n\t\toriginDialer: originDialer,\n\t\tlimiter: limiter,\n\t\tmetrics: metrics,\n\t\tlog: log,\n\t}\n}\n\nfunc (s *sessionManager) RegisterSession(request *UDPSessionRegistrationDatagram, conn DatagramConn) (Session, error) {\n\ts.mutex.Lock()\n\tdefer s.mutex.Unlock()\n\t// Check to make sure session doesn't already exist for requestID\n\tif session, exists := s.sessions[request.RequestID]; exists {\n\t\tif conn.ID() == session.ConnectionID() {\n\t\t\treturn nil, ErrSessionAlreadyRegistered\n\t\t}\n\t\treturn nil, ErrSessionBoundToOtherConn\n\t}\n\n\t// Try to start a new session\n\tif err := s.limiter.Acquire(management.UDP.String()); err != nil {\n\t\treturn nil, ErrSessionRegistrationRateLimited\n\t}\n\n\t// Attempt to bind the UDP socket for the new session\n\torigin, err := s.originDialer.DialUDP(request.Dest)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\t// Create and insert the new session in the map\n\tsession := NewSession(\n\t\trequest.RequestID,\n\t\trequest.IdleDurationHint,\n\t\torigin,\n\t\torigin.RemoteAddr(),\n\t\torigin.LocalAddr(),\n\t\tconn,\n\t\ts.metrics,\n\t\ts.log)\n\ts.sessions[request.RequestID] = session\n\treturn session, nil\n}\n\nfunc (s *sessionManager) GetSession(requestID RequestID) (Session, error) {\n\ts.mutex.RLock()\n\tdefer s.mutex.RUnlock()\n\tsession, exists := s.sessions[requestID]\n\tif exists {\n\t\treturn session, nil\n\t}\n\treturn nil, ErrSessionNotFound\n}\n\nfunc (s *sessionManager) UnregisterSession(requestID RequestID) {\n\ts.mutex.Lock()\n\tdefer s.mutex.Unlock()\n\t// Get the session and make sure to close it if it isn't already closed\n\tsession, exists := s.sessions[requestID]\n\tif exists {\n\t\t// We ignore any errors when attempting to close the session\n\t\t_ = session.Close()\n\t}\n\tdelete(s.sessions, requestID)\n\ts.limiter.Release()\n}\n" }, { "path": "quic/v3/manager_test.go", "content": "package v3_test\n\nimport (\n\t\"errors\"\n\t\"net/netip\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/require\"\n\t\"go.uber.org/mock/gomock\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/mocks\"\n\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\tv3 \"github.com/cloudflare/cloudflared/quic/v3\"\n)\n\nvar (\n\ttestDefaultDialer = ingress.NewDialer(ingress.WarpRoutingConfig{\n\t\tConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},\n\t\tTCPKeepAlive: config.CustomDuration{Duration: 15 * time.Second},\n\t\tMaxActiveFlows: 0,\n\t})\n)\n\nfunc TestRegisterSession(t *testing.T) {\n\tlog := zerolog.Nop()\n\toriginDialerService := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 0,\n\t}, &log)\n\tmanager := v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0))\n\n\trequest := v3.UDPSessionRegistrationDatagram{\n\t\tRequestID: testRequestID,\n\t\tDest: netip.MustParseAddrPort(\"127.0.0.1:5000\"),\n\t\tTraced: false,\n\t\tIdleDurationHint: 5 * time.Second,\n\t\tPayload: nil,\n\t}\n\tsession, err := manager.RegisterSession(&request, &noopEyeball{})\n\tif err != nil {\n\t\tt.Fatalf(\"register session should've succeeded: %v\", err)\n\t}\n\tif request.RequestID != session.ID() {\n\t\tt.Fatalf(\"session id doesn't match: %v != %v\", request.RequestID, session.ID())\n\t}\n\n\t// We shouldn't be able to register another session with the same request id\n\t_, err = manager.RegisterSession(&request, &noopEyeball{})\n\tif !errors.Is(err, v3.ErrSessionAlreadyRegistered) {\n\t\tt.Fatalf(\"session is already registered for this connection: %v\", err)\n\t}\n\n\t// We shouldn't be able to register another session with the same request id for a different connection\n\t_, err = manager.RegisterSession(&request, &noopEyeball{connID: 1})\n\tif !errors.Is(err, v3.ErrSessionBoundToOtherConn) {\n\t\tt.Fatalf(\"session is already registered for a separate connection: %v\", err)\n\t}\n\n\t// Get session\n\tsessionGet, err := manager.GetSession(request.RequestID)\n\tif err != nil {\n\t\tt.Fatalf(\"get session failed: %v\", err)\n\t}\n\tif session.ID() != sessionGet.ID() {\n\t\tt.Fatalf(\"session's do not match: %v != %v\", session.ID(), sessionGet.ID())\n\t}\n\n\t// Remove the session\n\tmanager.UnregisterSession(request.RequestID)\n\n\t// Get session should fail\n\t_, err = manager.GetSession(request.RequestID)\n\tif !errors.Is(err, v3.ErrSessionNotFound) {\n\t\tt.Fatalf(\"get session failed: %v\", err)\n\t}\n\n\t// Closing the original session should return that the socket is already closed (by the session unregistration)\n\terr = session.Close()\n\tif err != nil && !strings.Contains(err.Error(), \"use of closed network connection\") {\n\t\tt.Fatalf(\"session should've closed without issue: %v\", err)\n\t}\n}\n\nfunc TestGetSession_Empty(t *testing.T) {\n\tlog := zerolog.Nop()\n\toriginDialerService := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 0,\n\t}, &log)\n\tmanager := v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0))\n\n\t_, err := manager.GetSession(testRequestID)\n\tif !errors.Is(err, v3.ErrSessionNotFound) {\n\t\tt.Fatalf(\"get session find no session: %v\", err)\n\t}\n}\n\nfunc TestRegisterSessionRateLimit(t *testing.T) {\n\tlog := zerolog.Nop()\n\toriginDialerService := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 0,\n\t}, &log)\n\tctrl := gomock.NewController(t)\n\n\tflowLimiterMock := mocks.NewMockLimiter(ctrl)\n\n\tflowLimiterMock.EXPECT().Acquire(\"udp\").Return(cfdflow.ErrTooManyActiveFlows)\n\tflowLimiterMock.EXPECT().Release().Times(0)\n\n\tmanager := v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, flowLimiterMock)\n\n\trequest := v3.UDPSessionRegistrationDatagram{\n\t\tRequestID: testRequestID,\n\t\tDest: netip.MustParseAddrPort(\"127.0.0.1:5000\"),\n\t\tTraced: false,\n\t\tIdleDurationHint: 5 * time.Second,\n\t\tPayload: nil,\n\t}\n\t_, err := manager.RegisterSession(&request, &noopEyeball{})\n\trequire.ErrorIs(t, err, v3.ErrSessionRegistrationRateLimited)\n}\n" }, { "path": "quic/v3/metrics.go", "content": "package v3\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/prometheus/client_golang/prometheus\"\n\n\t\"github.com/cloudflare/cloudflared/quic\"\n)\n\nconst (\n\tnamespace = \"cloudflared\"\n\tsubsystem_udp = \"udp\"\n\tsubsystem_icmp = \"icmp\"\n\n\tcommandMetricLabel = \"command\"\n\treasonMetricLabel = \"reason\"\n)\n\ntype DroppedReason int\n\nconst (\n\tDroppedWriteFailed DroppedReason = iota\n\tDroppedWriteDeadlineExceeded\n\tDroppedWriteFull\n\tDroppedWriteFlowUnknown\n\tDroppedReadFailed\n\t// Origin payloads that are too large to proxy.\n\tDroppedReadTooLarge\n)\n\nvar droppedReason = map[DroppedReason]string{\n\tDroppedWriteFailed: \"write_failed\",\n\tDroppedWriteDeadlineExceeded: \"write_deadline_exceeded\",\n\tDroppedWriteFull: \"write_full\",\n\tDroppedWriteFlowUnknown: \"write_flow_unknown\",\n\tDroppedReadFailed: \"read_failed\",\n\tDroppedReadTooLarge: \"read_too_large\",\n}\n\nfunc (dr DroppedReason) String() string {\n\treturn droppedReason[dr]\n}\n\ntype Metrics interface {\n\tIncrementFlows(connIndex uint8)\n\tDecrementFlows(connIndex uint8)\n\tFailedFlow(connIndex uint8)\n\tRetryFlowResponse(connIndex uint8)\n\tMigrateFlow(connIndex uint8)\n\tUnsupportedRemoteCommand(connIndex uint8, command string)\n\tDroppedUDPDatagram(connIndex uint8, reason DroppedReason)\n\tDroppedICMPPackets(connIndex uint8, reason DroppedReason)\n}\n\ntype metrics struct {\n\tactiveUDPFlows *prometheus.GaugeVec\n\ttotalUDPFlows *prometheus.CounterVec\n\tretryFlowResponses *prometheus.CounterVec\n\tmigratedFlows *prometheus.CounterVec\n\tunsupportedRemoteCommands *prometheus.CounterVec\n\tdroppedUDPDatagrams *prometheus.CounterVec\n\tdroppedICMPPackets *prometheus.CounterVec\n\tfailedFlows *prometheus.CounterVec\n}\n\nfunc (m *metrics) IncrementFlows(connIndex uint8) {\n\tm.totalUDPFlows.WithLabelValues(fmt.Sprintf(\"%d\", connIndex)).Inc()\n\tm.activeUDPFlows.WithLabelValues(fmt.Sprintf(\"%d\", connIndex)).Inc()\n}\n\nfunc (m *metrics) DecrementFlows(connIndex uint8) {\n\tm.activeUDPFlows.WithLabelValues(fmt.Sprintf(\"%d\", connIndex)).Dec()\n}\n\nfunc (m *metrics) FailedFlow(connIndex uint8) {\n\tm.failedFlows.WithLabelValues(fmt.Sprintf(\"%d\", connIndex)).Inc()\n}\n\nfunc (m *metrics) RetryFlowResponse(connIndex uint8) {\n\tm.retryFlowResponses.WithLabelValues(fmt.Sprintf(\"%d\", connIndex)).Inc()\n}\n\nfunc (m *metrics) MigrateFlow(connIndex uint8) {\n\tm.migratedFlows.WithLabelValues(fmt.Sprintf(\"%d\", connIndex)).Inc()\n}\n\nfunc (m *metrics) UnsupportedRemoteCommand(connIndex uint8, command string) {\n\tm.unsupportedRemoteCommands.WithLabelValues(fmt.Sprintf(\"%d\", connIndex), command).Inc()\n}\n\nfunc (m *metrics) DroppedUDPDatagram(connIndex uint8, reason DroppedReason) {\n\tm.droppedUDPDatagrams.WithLabelValues(fmt.Sprintf(\"%d\", connIndex), reason.String()).Inc()\n}\n\nfunc (m *metrics) DroppedICMPPackets(connIndex uint8, reason DroppedReason) {\n\tm.droppedICMPPackets.WithLabelValues(fmt.Sprintf(\"%d\", connIndex), reason.String()).Inc()\n}\n\nfunc NewMetrics(registerer prometheus.Registerer) Metrics {\n\tm := &metrics{\n\t\tactiveUDPFlows: prometheus.NewGaugeVec(prometheus.GaugeOpts{\n\t\t\tNamespace: namespace,\n\t\t\tSubsystem: subsystem_udp,\n\t\t\tName: \"active_flows\",\n\t\t\tHelp: \"Concurrent count of UDP flows that are being proxied to any origin\",\n\t\t}, []string{quic.ConnectionIndexMetricLabel}),\n\t\ttotalUDPFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter\n\t\t\tNamespace: namespace,\n\t\t\tSubsystem: subsystem_udp,\n\t\t\tName: \"total_flows\",\n\t\t\tHelp: \"Total count of UDP flows that have been proxied to any origin\",\n\t\t}, []string{quic.ConnectionIndexMetricLabel}),\n\t\tfailedFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter\n\t\t\tNamespace: namespace,\n\t\t\tSubsystem: subsystem_udp,\n\t\t\tName: \"failed_flows\",\n\t\t\tHelp: \"Total count of flows that errored and closed\",\n\t\t}, []string{quic.ConnectionIndexMetricLabel}),\n\t\tretryFlowResponses: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter\n\t\t\tNamespace: namespace,\n\t\t\tSubsystem: subsystem_udp,\n\t\t\tName: \"retry_flow_responses\",\n\t\t\tHelp: \"Total count of UDP flows that have had to send their registration response more than once\",\n\t\t}, []string{quic.ConnectionIndexMetricLabel}),\n\t\tmigratedFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter\n\t\t\tNamespace: namespace,\n\t\t\tSubsystem: subsystem_udp,\n\t\t\tName: \"migrated_flows\",\n\t\t\tHelp: \"Total count of UDP flows have been migrated across local connections\",\n\t\t}, []string{quic.ConnectionIndexMetricLabel}),\n\t\tunsupportedRemoteCommands: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter\n\t\t\tNamespace: namespace,\n\t\t\tSubsystem: subsystem_udp,\n\t\t\tName: \"unsupported_remote_command_total\",\n\t\t\tHelp: \"Total count of unsupported remote RPC commands called\",\n\t\t}, []string{quic.ConnectionIndexMetricLabel, commandMetricLabel}),\n\t\tdroppedUDPDatagrams: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter\n\t\t\tNamespace: namespace,\n\t\t\tSubsystem: subsystem_udp,\n\t\t\tName: \"dropped_datagrams\",\n\t\t\tHelp: \"Total count of UDP dropped datagrams\",\n\t\t}, []string{quic.ConnectionIndexMetricLabel, reasonMetricLabel}),\n\t\tdroppedICMPPackets: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter\n\t\t\tNamespace: namespace,\n\t\t\tSubsystem: subsystem_icmp,\n\t\t\tName: \"dropped_packets\",\n\t\t\tHelp: \"Total count of ICMP dropped datagrams\",\n\t\t}, []string{quic.ConnectionIndexMetricLabel, reasonMetricLabel}),\n\t}\n\tregisterer.MustRegister(\n\t\tm.activeUDPFlows,\n\t\tm.totalUDPFlows,\n\t\tm.failedFlows,\n\t\tm.retryFlowResponses,\n\t\tm.migratedFlows,\n\t\tm.unsupportedRemoteCommands,\n\t\tm.droppedUDPDatagrams,\n\t\tm.droppedICMPPackets,\n\t)\n\treturn m\n}\n" }, { "path": "quic/v3/metrics_test.go", "content": "package v3_test\n\nimport v3 \"github.com/cloudflare/cloudflared/quic/v3\"\n\ntype noopMetrics struct{}\n\nfunc (noopMetrics) IncrementFlows(connIndex uint8) {}\nfunc (noopMetrics) DecrementFlows(connIndex uint8) {}\nfunc (noopMetrics) FailedFlow(connIndex uint8) {}\nfunc (noopMetrics) PayloadTooLarge(connIndex uint8) {}\nfunc (noopMetrics) RetryFlowResponse(connIndex uint8) {}\nfunc (noopMetrics) MigrateFlow(connIndex uint8) {}\nfunc (noopMetrics) UnsupportedRemoteCommand(connIndex uint8, command string) {}\nfunc (noopMetrics) DroppedUDPDatagram(connIndex uint8, reason v3.DroppedReason) {}\nfunc (noopMetrics) DroppedICMPPackets(connIndex uint8, reason v3.DroppedReason) {}\n" }, { "path": "quic/v3/muxer.go", "content": "package v3\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/packet\"\n)\n\nconst (\n\t// Allocating a 16 channel buffer here allows for the writer to be slightly faster than the reader.\n\t// This has worked previously well for datagramv2, so we will start with this as well\n\tdemuxChanCapacity = 16\n\t// This provides a small buffer for the PacketRouter to poll ICMP packets from the QUIC connection\n\t// before writing them to the origin.\n\ticmpDatagramChanCapacity = 128\n\n\tlogSrcKey = \"src\"\n\tlogDstKey = \"dst\"\n\tlogICMPTypeKey = \"type\"\n\tlogDurationKey = \"durationMS\"\n)\n\n// DatagramConn is the bridge that multiplexes writes and reads of datagrams for UDP sessions and ICMP packets to\n// a connection.\ntype DatagramConn interface {\n\tDatagramUDPWriter\n\tDatagramICMPWriter\n\t// Serve provides a server interface to process and handle incoming QUIC datagrams and demux their datagram v3 payloads.\n\tServe(context.Context) error\n\t// ID indicates connection index identifier\n\tID() uint8\n}\n\n// DatagramUDPWriter provides the Muxer interface to create proper UDP Datagrams when sending over a connection.\ntype DatagramUDPWriter interface {\n\tSendUDPSessionDatagram(datagram []byte) error\n\tSendUDPSessionResponse(id RequestID, resp SessionRegistrationResp) error\n}\n\n// DatagramICMPWriter provides the Muxer interface to create ICMP Datagrams when sending over a connection.\ntype DatagramICMPWriter interface {\n\tSendICMPPacket(icmp *packet.ICMP) error\n\tSendICMPTTLExceed(icmp *packet.ICMP, rawPacket packet.RawPacket) error\n}\n\n// QuicConnection provides an interface that matches [quic.Connection] for only the datagram operations.\n//\n// We currently rely on the mutex for the [quic.Connection.SendDatagram] and [quic.Connection.ReceiveDatagram] and\n// do not have any locking for them. If the implementation in quic-go were to ever change, we would need to make\n// sure that we lock properly on these operations.\ntype QuicConnection interface {\n\tContext() context.Context\n\tSendDatagram(payload []byte) error\n\tReceiveDatagram(context.Context) ([]byte, error)\n}\n\ntype datagramConn struct {\n\tconn QuicConnection\n\tindex uint8\n\tsessionManager SessionManager\n\ticmpRouter ingress.ICMPRouter\n\tmetrics Metrics\n\tlogger *zerolog.Logger\n\tdatagrams chan []byte\n\ticmpDatagramChan chan *ICMPDatagram\n\treadErrors chan error\n\n\ticmpEncoderPool sync.Pool // a pool of *packet.Encoder\n\ticmpDecoderPool sync.Pool\n}\n\nfunc NewDatagramConn(conn QuicConnection, sessionManager SessionManager, icmpRouter ingress.ICMPRouter, index uint8, metrics Metrics, logger *zerolog.Logger) DatagramConn {\n\tlog := logger.With().Uint8(\"datagramVersion\", 3).Logger()\n\treturn &datagramConn{\n\t\tconn: conn,\n\t\tindex: index,\n\t\tsessionManager: sessionManager,\n\t\ticmpRouter: icmpRouter,\n\t\tmetrics: metrics,\n\t\tlogger: &log,\n\t\tdatagrams: make(chan []byte, demuxChanCapacity),\n\t\ticmpDatagramChan: make(chan *ICMPDatagram, icmpDatagramChanCapacity),\n\t\treadErrors: make(chan error, 2),\n\t\ticmpEncoderPool: sync.Pool{\n\t\t\tNew: func() any {\n\t\t\t\treturn packet.NewEncoder()\n\t\t\t},\n\t\t},\n\t\ticmpDecoderPool: sync.Pool{\n\t\t\tNew: func() any {\n\t\t\t\treturn packet.NewICMPDecoder()\n\t\t\t},\n\t\t},\n\t}\n}\n\nfunc (c *datagramConn) ID() uint8 {\n\treturn c.index\n}\n\nfunc (c *datagramConn) SendUDPSessionDatagram(datagram []byte) error {\n\treturn c.conn.SendDatagram(datagram)\n}\n\nfunc (c *datagramConn) SendUDPSessionResponse(id RequestID, resp SessionRegistrationResp) error {\n\tdatagram := UDPSessionRegistrationResponseDatagram{\n\t\tRequestID: id,\n\t\tResponseType: resp,\n\t}\n\tdata, err := datagram.MarshalBinary()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn c.conn.SendDatagram(data)\n}\n\nfunc (c *datagramConn) SendICMPPacket(icmp *packet.ICMP) error {\n\tcachedEncoder := c.icmpEncoderPool.Get()\n\t// The encoded packet is a slice to a buffer owned by the encoder, so we shouldn't return the encoder back to the\n\t// pool until the encoded packet is sent.\n\tdefer c.icmpEncoderPool.Put(cachedEncoder)\n\tencoder, ok := cachedEncoder.(*packet.Encoder)\n\tif !ok {\n\t\treturn fmt.Errorf(\"encoderPool returned %T, expect *packet.Encoder\", cachedEncoder)\n\t}\n\tpayload, err := encoder.Encode(icmp)\n\tif err != nil {\n\t\treturn err\n\t}\n\ticmpDatagram := ICMPDatagram{\n\t\tPayload: payload.Data,\n\t}\n\tdatagram, err := icmpDatagram.MarshalBinary()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn c.conn.SendDatagram(datagram)\n}\n\nfunc (c *datagramConn) SendICMPTTLExceed(icmp *packet.ICMP, rawPacket packet.RawPacket) error {\n\treturn c.SendICMPPacket(c.icmpRouter.ConvertToTTLExceeded(icmp, rawPacket))\n}\n\n// pollDatagrams will read datagrams from the underlying connection until the provided context is done.\nfunc (c *datagramConn) pollDatagrams(ctx context.Context) {\n\tfor ctx.Err() == nil {\n\t\tdatagram, err := c.conn.ReceiveDatagram(ctx)\n\t\t// If the read returns an error, we want to return the failure to the channel.\n\t\tif err != nil {\n\t\t\tc.readErrors <- err\n\t\t\treturn\n\t\t}\n\t\tc.datagrams <- datagram\n\t}\n\tif ctx.Err() != nil {\n\t\tc.readErrors <- ctx.Err()\n\t}\n}\n\n// Serve will begin the process of receiving datagrams from the [quic.Connection] and demuxing them to their destination.\n// The [DatagramConn] when serving, will be responsible for the sessions it accepts.\nfunc (c *datagramConn) Serve(ctx context.Context) error {\n\tconnCtx := c.conn.Context()\n\t// We want to make sure that we cancel the reader context if the Serve method returns. This could also mean that the\n\t// underlying connection is also closing, but that is handled outside of the context of the datagram muxer.\n\treadCtx, cancel := context.WithCancel(connCtx)\n\tdefer cancel()\n\tgo c.pollDatagrams(readCtx)\n\t// Processing ICMP datagrams also monitors the reader context since the ICMP datagrams from the reader are the input\n\t// for the routine.\n\tgo c.processICMPDatagrams(readCtx)\n\tfor {\n\t\t// We make sure to monitor the context of cloudflared and the underlying connection to return if any errors occur.\n\t\tvar datagram []byte\n\t\tselect {\n\t\t// Monitor the context of cloudflared\n\t\tcase <-ctx.Done():\n\t\t\treturn ctx.Err()\n\t\t// Monitor the context of the underlying quic connection\n\t\tcase <-connCtx.Done():\n\t\t\treturn connCtx.Err()\n\t\t// Monitor for any hard errors from reading the connection\n\t\tcase err := <-c.readErrors:\n\t\t\treturn err\n\t\t// Wait and dequeue datagrams as they come in\n\t\tcase d := <-c.datagrams:\n\t\t\tdatagram = d\n\t\t}\n\n\t\t// Each incoming datagram will be processed in a new go routine to handle the demuxing and action associated.\n\t\ttyp, err := ParseDatagramType(datagram)\n\t\tif err != nil {\n\t\t\tc.logger.Err(err).Msgf(\"unable to parse datagram type: %d\", typ)\n\t\t\tcontinue\n\t\t}\n\t\tswitch typ {\n\t\tcase UDPSessionRegistrationType:\n\t\t\treg := &UDPSessionRegistrationDatagram{}\n\t\t\terr := reg.UnmarshalBinary(datagram)\n\t\t\tif err != nil {\n\t\t\t\tc.logger.Err(err).Msgf(\"unable to unmarshal session registration datagram\")\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tlogger := c.logger.With().Str(logFlowID, reg.RequestID.String()).Logger()\n\t\t\t// We bind the new session to the quic connection context instead of cloudflared context to allow for the\n\t\t\t// quic connection to close and close only the sessions bound to it. Closing of cloudflared will also\n\t\t\t// initiate the close of the quic connection, so we don't have to worry about the application context\n\t\t\t// in the scope of a session.\n\t\t\t//\n\t\t\t// Additionally, we spin out the registration into a separate go routine to handle the Serve'ing of the\n\t\t\t// session in a separate routine from the demuxer.\n\t\t\tgo c.handleSessionRegistrationDatagram(connCtx, reg, &logger)\n\t\tcase UDPSessionPayloadType:\n\t\t\tpayload := &UDPSessionPayloadDatagram{}\n\t\t\terr := payload.UnmarshalBinary(datagram)\n\t\t\tif err != nil {\n\t\t\t\tc.logger.Err(err).Msgf(\"unable to unmarshal session payload datagram\")\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tlogger := c.logger.With().Str(logFlowID, payload.RequestID.String()).Logger()\n\t\t\tc.handleSessionPayloadDatagram(payload, &logger)\n\t\tcase ICMPType:\n\t\t\tpacket := &ICMPDatagram{}\n\t\t\terr := packet.UnmarshalBinary(datagram)\n\t\t\tif err != nil {\n\t\t\t\tc.logger.Err(err).Msgf(\"unable to unmarshal icmp datagram\")\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tc.handleICMPPacket(packet)\n\t\tcase UDPSessionRegistrationResponseType:\n\t\t\t// cloudflared should never expect to receive UDP session responses as it will not initiate new\n\t\t\t// sessions towards the edge.\n\t\t\tc.logger.Error().Msgf(\"unexpected datagram type received: %d\", UDPSessionRegistrationResponseType)\n\t\t\tcontinue\n\t\tdefault:\n\t\t\tc.logger.Error().Msgf(\"unknown datagram type received: %d\", typ)\n\t\t}\n\t}\n}\n\n// This method handles new registrations of a session and the serve loop for the session.\nfunc (c *datagramConn) handleSessionRegistrationDatagram(ctx context.Context, datagram *UDPSessionRegistrationDatagram, logger *zerolog.Logger) {\n\tlog := logger.With().\n\t\tStr(logFlowID, datagram.RequestID.String()).\n\t\tStr(logDstKey, datagram.Dest.String()).\n\t\tLogger()\n\tsession, err := c.sessionManager.RegisterSession(datagram, c)\n\tif err != nil {\n\t\tswitch err {\n\t\tcase ErrSessionAlreadyRegistered:\n\t\t\t// Session is already registered and likely the response got lost\n\t\t\tc.handleSessionAlreadyRegistered(datagram.RequestID, &log)\n\t\tcase ErrSessionBoundToOtherConn:\n\t\t\t// Session is already registered but to a different connection\n\t\t\tc.handleSessionMigration(datagram.RequestID, &log)\n\t\tcase ErrSessionRegistrationRateLimited:\n\t\t\t// There are too many concurrent sessions so we return an error to force a retry later\n\t\t\tc.handleSessionRegistrationRateLimited(datagram, &log)\n\t\tdefault:\n\t\t\tlog.Err(err).Msg(\"flow registration failure\")\n\t\t\tc.handleSessionRegistrationFailure(datagram.RequestID, &log)\n\t\t}\n\t\treturn\n\t}\n\tlog = log.With().Str(logSrcKey, session.LocalAddr().String()).Logger()\n\tc.metrics.IncrementFlows(c.index)\n\t// Make sure to eventually remove the session from the session manager when the session is closed\n\tdefer c.sessionManager.UnregisterSession(session.ID())\n\tdefer c.metrics.DecrementFlows(c.index)\n\n\t// Respond that we are able to process the new session\n\terr = c.SendUDPSessionResponse(datagram.RequestID, ResponseOk)\n\tif err != nil {\n\t\tlog.Err(err).Msgf(\"flow registration failure: unable to send session registration response\")\n\t\treturn\n\t}\n\n\t// We bind the context of the session to the [quic.Connection] that initiated the session.\n\t// [Session.Serve] is blocking and will continue this go routine till the end of the session lifetime.\n\tstart := time.Now()\n\terr = session.Serve(ctx)\n\telapsedMS := time.Since(start).Milliseconds()\n\tlog = log.With().Int64(logDurationKey, elapsedMS).Logger()\n\tif err == nil {\n\t\t// We typically don't expect a session to close without some error response. [SessionIdleErr] is the typical\n\t\t// expected error response.\n\t\tlog.Warn().Msg(\"flow closed: no explicit close or timeout elapsed\")\n\t\treturn\n\t}\n\t// SessionIdleErr and SessionCloseErr are valid and successful error responses to end a session.\n\tif errors.Is(err, SessionIdleErr{}) || errors.Is(err, SessionCloseErr) {\n\t\tlog.Debug().Msgf(\"flow closed: %s\", err.Error())\n\t\treturn\n\t}\n\n\t// All other errors should be reported as errors\n\tlog.Err(err).Msgf(\"flow closed with an error\")\n}\n\nfunc (c *datagramConn) handleSessionAlreadyRegistered(requestID RequestID, logger *zerolog.Logger) {\n\t// Send another registration response since the session is already active\n\terr := c.SendUDPSessionResponse(requestID, ResponseOk)\n\tif err != nil {\n\t\tlogger.Err(err).Msgf(\"flow registration failure: unable to send an additional flow registration response\")\n\t\treturn\n\t}\n\n\tsession, err := c.sessionManager.GetSession(requestID)\n\tif err != nil {\n\t\t// If for some reason we can not find the session after attempting to register it, we can just return\n\t\t// instead of trying to reset the idle timer for it.\n\t\treturn\n\t}\n\t// The session is already running in another routine so we want to restart the idle timeout since no proxied\n\t// packets have come down yet.\n\tsession.ResetIdleTimer()\n\tc.metrics.RetryFlowResponse(c.index)\n\tlogger.Debug().Msgf(\"flow registration response retry\")\n}\n\nfunc (c *datagramConn) handleSessionMigration(requestID RequestID, logger *zerolog.Logger) {\n\t// We need to migrate the currently running session to this edge connection.\n\tsession, err := c.sessionManager.GetSession(requestID)\n\tif err != nil {\n\t\t// If for some reason we can not find the session after attempting to register it, we can just return\n\t\t// instead of trying to reset the idle timer for it.\n\t\treturn\n\t}\n\n\t// Migrate the session to use this edge connection instead of the currently running one.\n\t// We also pass in this connection's logger to override the existing logger for the session.\n\tsession.Migrate(c, c.conn.Context(), c.logger)\n\n\t// Send another registration response since the session is already active\n\terr = c.SendUDPSessionResponse(requestID, ResponseOk)\n\tif err != nil {\n\t\tlogger.Err(err).Msgf(\"flow registration failure: unable to send an additional flow registration response\")\n\t\treturn\n\t}\n\tlogger.Debug().Msgf(\"flow registration migration\")\n}\n\nfunc (c *datagramConn) handleSessionRegistrationFailure(requestID RequestID, logger *zerolog.Logger) {\n\terr := c.SendUDPSessionResponse(requestID, ResponseUnableToBindSocket)\n\tif err != nil {\n\t\tlogger.Err(err).Msgf(\"unable to send flow registration error response (%d)\", ResponseUnableToBindSocket)\n\t}\n}\n\nfunc (c *datagramConn) handleSessionRegistrationRateLimited(datagram *UDPSessionRegistrationDatagram, logger *zerolog.Logger) {\n\tc.logger.Warn().Msg(\"Too many concurrent sessions being handled, rejecting udp proxy\")\n\n\trateLimitResponse := ResponseTooManyActiveFlows\n\terr := c.SendUDPSessionResponse(datagram.RequestID, rateLimitResponse)\n\tif err != nil {\n\t\tlogger.Err(err).Msgf(\"unable to send flow registration error response (%d)\", rateLimitResponse)\n\t}\n}\n\n// Handles incoming datagrams that need to be sent to a registered session.\nfunc (c *datagramConn) handleSessionPayloadDatagram(datagram *UDPSessionPayloadDatagram, logger *zerolog.Logger) {\n\ts, err := c.sessionManager.GetSession(datagram.RequestID)\n\tif err != nil {\n\t\tc.metrics.DroppedUDPDatagram(c.index, DroppedWriteFlowUnknown)\n\t\tlogger.Err(err).Msgf(\"unable to find flow\")\n\t\treturn\n\t}\n\ts.Write(datagram.Payload)\n}\n\n// Handles incoming ICMP datagrams into a serialized channel to be handled by a single consumer.\nfunc (c *datagramConn) handleICMPPacket(datagram *ICMPDatagram) {\n\tif c.icmpRouter == nil {\n\t\t// ICMPRouter is disabled so we drop the current packet and ignore all incoming ICMP packets\n\t\treturn\n\t}\n\tselect {\n\tcase c.icmpDatagramChan <- datagram:\n\tdefault:\n\t\t// If the ICMP datagram channel is full, drop any additional incoming.\n\t\tc.metrics.DroppedICMPPackets(c.index, DroppedWriteFull)\n\t\tc.logger.Warn().Msg(\"failed to write icmp packet to origin: dropped\")\n\t}\n}\n\n// Consumes from the ICMP datagram channel to write out the ICMP requests to an origin.\nfunc (c *datagramConn) processICMPDatagrams(ctx context.Context) {\n\tif c.icmpRouter == nil {\n\t\t// ICMPRouter is disabled so we ignore all incoming ICMP packets\n\t\treturn\n\t}\n\n\tfor {\n\t\tselect {\n\t\t// If the provided context is closed we want to exit the write loop\n\t\tcase <-ctx.Done():\n\t\t\treturn\n\t\tcase datagram := <-c.icmpDatagramChan:\n\t\t\tc.writeICMPPacket(datagram)\n\t\t}\n\t}\n}\n\nfunc (c *datagramConn) writeICMPPacket(datagram *ICMPDatagram) {\n\t// Decode the provided ICMPDatagram as an ICMP packet\n\trawPacket := packet.RawPacket{Data: datagram.Payload}\n\tcachedDecoder := c.icmpDecoderPool.Get()\n\tdefer c.icmpDecoderPool.Put(cachedDecoder)\n\tdecoder, ok := cachedDecoder.(*packet.ICMPDecoder)\n\tif !ok {\n\t\tc.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)\n\t\tc.logger.Error().Msg(\"Could not get ICMPDecoder from the pool. Dropping packet\")\n\t\treturn\n\t}\n\n\ticmp, err := decoder.Decode(rawPacket)\n\n\tif err != nil {\n\t\tc.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)\n\t\tc.logger.Err(err).Msgf(\"unable to marshal icmp packet\")\n\t\treturn\n\t}\n\n\t// If the ICMP packet's TTL is expired, we won't send it to the origin and immediately return a TTL Exceeded Message\n\tif icmp.TTL <= 1 {\n\t\tif err := c.SendICMPTTLExceed(icmp, rawPacket); err != nil {\n\t\t\tc.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)\n\t\t\tc.logger.Err(err).Msg(\"failed to return ICMP TTL exceed error\")\n\t\t}\n\t\treturn\n\t}\n\ticmp.TTL--\n\n\t// The context isn't really needed here since it's only really used throughout the ICMP router as a way to store\n\t// the tracing context, however datagram V3 does not support tracing ICMP packets, so we just pass the current\n\t// connection context which will have no tracing information available.\n\terr = c.icmpRouter.Request(c.conn.Context(), icmp, newPacketResponder(c, c.index))\n\tif err != nil {\n\t\tc.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)\n\t\tc.logger.Err(err).\n\t\t\tStr(logSrcKey, icmp.Src.String()).\n\t\t\tStr(logDstKey, icmp.Dst.String()).\n\t\t\tInterface(logICMPTypeKey, icmp.Type).\n\t\t\tMsgf(\"unable to write icmp datagram to origin\")\n\t\treturn\n\t}\n}\n" }, { "path": "quic/v3/muxer_test.go", "content": "package v3_test\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/netip\"\n\t\"slices\"\n\t\"sort\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/fortytw2/leaktest\"\n\t\"github.com/google/gopacket/layers\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/icmp\"\n\t\"golang.org/x/net/ipv4\"\n\n\tcfdflow \"github.com/cloudflare/cloudflared/flow\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/packet\"\n\tv3 \"github.com/cloudflare/cloudflared/quic/v3\"\n)\n\ntype noopEyeball struct {\n\tconnID uint8\n}\n\nfunc (noopEyeball) Serve(ctx context.Context) error { return nil }\nfunc (n noopEyeball) ID() uint8 { return n.connID }\nfunc (noopEyeball) SendUDPSessionDatagram(datagram []byte) error { return nil }\nfunc (noopEyeball) SendUDPSessionResponse(id v3.RequestID, resp v3.SessionRegistrationResp) error {\n\treturn nil\n}\nfunc (noopEyeball) SendICMPPacket(icmp *packet.ICMP) error { return nil }\nfunc (noopEyeball) SendICMPTTLExceed(icmp *packet.ICMP, rawPacket packet.RawPacket) error { return nil }\n\ntype mockEyeball struct {\n\tconnID uint8\n\t// datagram sent via SendUDPSessionDatagram\n\trecvData chan []byte\n\t// responses sent via SendUDPSessionResponse\n\trecvResp chan struct {\n\t\tid v3.RequestID\n\t\tresp v3.SessionRegistrationResp\n\t}\n}\n\nfunc newMockEyeball() mockEyeball {\n\treturn mockEyeball{\n\t\tconnID: 0,\n\t\trecvData: make(chan []byte, 1),\n\t\trecvResp: make(chan struct {\n\t\t\tid v3.RequestID\n\t\t\tresp v3.SessionRegistrationResp\n\t\t}, 1),\n\t}\n}\n\nfunc (mockEyeball) Serve(ctx context.Context) error { return nil }\nfunc (m *mockEyeball) ID() uint8 { return m.connID }\n\nfunc (m *mockEyeball) SendUDPSessionDatagram(datagram []byte) error {\n\tb := make([]byte, len(datagram))\n\tcopy(b, datagram)\n\tm.recvData <- b\n\treturn nil\n}\n\nfunc (m *mockEyeball) SendUDPSessionResponse(id v3.RequestID, resp v3.SessionRegistrationResp) error {\n\tm.recvResp <- struct {\n\t\tid v3.RequestID\n\t\tresp v3.SessionRegistrationResp\n\t}{\n\t\tid, resp,\n\t}\n\treturn nil\n}\n\nfunc (m *mockEyeball) SendICMPPacket(icmp *packet.ICMP) error { return nil }\nfunc (m *mockEyeball) SendICMPTTLExceed(icmp *packet.ICMP, rawPacket packet.RawPacket) error {\n\treturn nil\n}\n\nfunc TestDatagramConn_New(t *testing.T) {\n\tlog := zerolog.Nop()\n\toriginDialerService := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 0,\n\t}, &log)\n\tconn := v3.NewDatagramConn(newMockQuicConn(t.Context()), v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\tif conn == nil {\n\t\tt.Fatal(\"expected valid connection\")\n\t}\n}\n\nfunc TestDatagramConn_SendUDPSessionDatagram(t *testing.T) {\n\tlog := zerolog.Nop()\n\toriginDialerService := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 0,\n\t}, &log)\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\tconn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\tpayload := []byte{0xef, 0xef}\n\terr := conn.SendUDPSessionDatagram(payload)\n\trequire.NoError(t, err)\n\n\tp := <-quic.recv\n\tif !slices.Equal(p, payload) {\n\t\tt.Fatal(\"datagram sent does not match datagram received on quic side\")\n\t}\n}\n\nfunc TestDatagramConn_SendUDPSessionResponse(t *testing.T) {\n\tlog := zerolog.Nop()\n\toriginDialerService := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 0,\n\t}, &log)\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\tconn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\terr := conn.SendUDPSessionResponse(testRequestID, v3.ResponseDestinationUnreachable)\n\trequire.NoError(t, err)\n\n\tresp := <-quic.recv\n\tvar response v3.UDPSessionRegistrationResponseDatagram\n\terr = response.UnmarshalBinary(resp)\n\trequire.NoError(t, err)\n\n\texpected := v3.UDPSessionRegistrationResponseDatagram{\n\t\tRequestID: testRequestID,\n\t\tResponseType: v3.ResponseDestinationUnreachable,\n\t}\n\tif response != expected {\n\t\tt.Fatal(\"datagram response sent does not match expected datagram response received\")\n\t}\n}\n\nfunc TestDatagramConnServe_ApplicationClosed(t *testing.T) {\n\tlog := zerolog.Nop()\n\toriginDialerService := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 0,\n\t}, &log)\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\tconn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\tctx, cancel := context.WithTimeout(t.Context(), 1*time.Second)\n\tdefer cancel()\n\terr := conn.Serve(ctx)\n\tif !errors.Is(err, context.DeadlineExceeded) {\n\t\tt.Fatal(err)\n\t}\n}\n\nfunc TestDatagramConnServe_ConnectionClosed(t *testing.T) {\n\tlog := zerolog.Nop()\n\toriginDialerService := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 0,\n\t}, &log)\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\tctx, cancel := context.WithTimeout(t.Context(), 1*time.Second)\n\tdefer cancel()\n\tquic.ctx = ctx\n\tconn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\terr := conn.Serve(t.Context())\n\tif !errors.Is(err, context.DeadlineExceeded) {\n\t\tt.Fatal(err)\n\t}\n}\n\nfunc TestDatagramConnServe_ReceiveDatagramError(t *testing.T) {\n\tlog := zerolog.Nop()\n\toriginDialerService := ingress.NewOriginDialer(ingress.OriginConfig{\n\t\tDefaultDialer: testDefaultDialer,\n\t\tTCPWriteTimeout: 0,\n\t}, &log)\n\tquic := &mockQuicConnReadError{err: net.ErrClosed}\n\tconn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\terr := conn.Serve(t.Context())\n\tif !errors.Is(err, net.ErrClosed) {\n\t\tt.Fatal(err)\n\t}\n}\n\nfunc TestDatagramConnServe_SessionRegistrationRateLimit(t *testing.T) {\n\tlog := zerolog.Nop()\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\tsessionManager := &mockSessionManager{\n\t\texpectedRegErr: v3.ErrSessionRegistrationRateLimited,\n\t}\n\tconn := v3.NewDatagramConn(quic, sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\t// Setup the muxer\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(context.Canceled)\n\tdone := make(chan error, 1)\n\tgo func() {\n\t\tdone <- conn.Serve(ctx)\n\t}()\n\n\t// Send new session registration\n\tdatagram := newRegisterSessionDatagram(testRequestID)\n\tquic.send <- datagram\n\n\t// Wait for session registration response with failure\n\tdatagram = <-quic.recv\n\tvar resp v3.UDPSessionRegistrationResponseDatagram\n\terr := resp.UnmarshalBinary(datagram)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\trequire.EqualValues(t, testRequestID, resp.RequestID)\n\trequire.EqualValues(t, v3.ResponseTooManyActiveFlows, resp.ResponseType)\n\n\tassertContextClosed(t, ctx, done, cancel)\n}\n\nfunc TestDatagramConnServe_ErrorDatagramTypes(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tfor _, test := range []struct {\n\t\tname string\n\t\tinput []byte\n\t\texpected string\n\t}{\n\t\t{\n\t\t\t\"empty\",\n\t\t\t[]byte{},\n\t\t\t\"{\\\"level\\\":\\\"error\\\",\\\"datagramVersion\\\":3,\\\"error\\\":\\\"datagram should have at least 1 byte\\\",\\\"message\\\":\\\"unable to parse datagram type: 0\\\"}\\n\",\n\t\t},\n\t\t{\n\t\t\t\"unexpected\",\n\t\t\t[]byte{byte(v3.UDPSessionRegistrationResponseType)},\n\t\t\t\"{\\\"level\\\":\\\"error\\\",\\\"datagramVersion\\\":3,\\\"message\\\":\\\"unexpected datagram type received: 3\\\"}\\n\",\n\t\t},\n\t\t{\n\t\t\t\"unknown\",\n\t\t\t[]byte{99},\n\t\t\t\"{\\\"level\\\":\\\"error\\\",\\\"datagramVersion\\\":3,\\\"message\\\":\\\"unknown datagram type received: 99\\\"}\\n\",\n\t\t},\n\t} {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tlogOutput := new(LockedBuffer)\n\t\t\tlog := zerolog.New(logOutput)\n\t\t\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\t\t\tdefer connCancel(context.Canceled)\n\t\t\tquic := newMockQuicConn(connCtx)\n\t\t\tquic.send <- test.input\n\t\t\tconn := v3.NewDatagramConn(quic, &mockSessionManager{}, &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\t\t\tctx, cancel := context.WithTimeout(t.Context(), 1*time.Second)\n\t\t\tdefer cancel()\n\t\t\terr := conn.Serve(ctx)\n\t\t\t// we cancel the Serve method to check to see if the log output was written since the unsupported datagram\n\t\t\t// is dropped with only a log message as a side-effect.\n\t\t\tif !errors.Is(err, context.DeadlineExceeded) {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\n\t\t\tout := logOutput.String()\n\t\t\tif out != test.expected {\n\t\t\t\tt.Fatalf(\"incorrect log output expected: %s\", out)\n\t\t\t}\n\t\t})\n\t}\n}\n\ntype LockedBuffer struct {\n\tbytes.Buffer\n\tl sync.Mutex\n}\n\nfunc (b *LockedBuffer) Write(p []byte) (n int, err error) {\n\tb.l.Lock()\n\tdefer b.l.Unlock()\n\treturn b.Buffer.Write(p)\n}\n\nfunc (b *LockedBuffer) String() string {\n\tb.l.Lock()\n\tdefer b.l.Unlock()\n\treturn b.Buffer.String()\n}\n\nfunc TestDatagramConnServe_RegisterSession_SessionManagerError(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\texpectedErr := errors.New(\"unable to register session\")\n\tsessionManager := mockSessionManager{expectedRegErr: expectedErr}\n\tconn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\t// Setup the muxer\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(errors.New(\"other error\"))\n\tdone := make(chan error, 1)\n\tgo func() {\n\t\tdone <- conn.Serve(ctx)\n\t}()\n\n\t// Send new session registration\n\tdatagram := newRegisterSessionDatagram(testRequestID)\n\tquic.send <- datagram\n\n\t// Wait for session registration response with failure\n\tdatagram = <-quic.recv\n\tvar resp v3.UDPSessionRegistrationResponseDatagram\n\terr := resp.UnmarshalBinary(datagram)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tif resp.RequestID != testRequestID || resp.ResponseType != v3.ResponseUnableToBindSocket {\n\t\tt.Fatalf(\"expected registration response failure\")\n\t}\n\n\t// Cancel the muxer Serve context and make sure it closes with the expected error\n\tassertContextClosed(t, ctx, done, cancel)\n}\n\nfunc TestDatagramConnServe(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\tsession := newMockSession()\n\tsessionManager := mockSessionManager{session: &session}\n\tconn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\t// Setup the muxer\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(errors.New(\"other error\"))\n\tdone := make(chan error, 1)\n\tgo func() {\n\t\tdone <- conn.Serve(ctx)\n\t}()\n\n\t// Send new session registration\n\tdatagram := newRegisterSessionDatagram(testRequestID)\n\tquic.send <- datagram\n\n\t// Wait for session registration response with success\n\tdatagram = <-quic.recv\n\tvar resp v3.UDPSessionRegistrationResponseDatagram\n\terr := resp.UnmarshalBinary(datagram)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tif resp.RequestID != testRequestID || resp.ResponseType != v3.ResponseOk {\n\t\tt.Fatalf(\"expected registration response ok\")\n\t}\n\n\t// We expect the session to be served\n\ttimer := time.NewTimer(15 * time.Second)\n\tdefer timer.Stop()\n\tselect {\n\tcase <-session.served:\n\t\tbreak\n\tcase <-timer.C:\n\t\tt.Fatalf(\"expected session serve to be called\")\n\t}\n\n\t// Cancel the muxer Serve context and make sure it closes with the expected error\n\tassertContextClosed(t, ctx, done, cancel)\n}\n\n// This test exists because decoding multiple packets in parallel with the same decoder\n// instances causes inteference resulting in multiple different raw packets being decoded\n// as the same decoded packet.\nfunc TestDatagramConnServeDecodeMultipleICMPInParallel(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\tsession := newMockSession()\n\tsessionManager := mockSessionManager{session: &session}\n\trouter := newMockICMPRouter()\n\tconn := v3.NewDatagramConn(quic, &sessionManager, router, 0, &noopMetrics{}, &log)\n\n\t// Setup the muxer\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(errors.New(\"other error\"))\n\tdone := make(chan error, 1)\n\tgo func() {\n\t\tdone <- conn.Serve(ctx)\n\t}()\n\n\tpacketCount := 100\n\tpackets := make([]*packet.ICMP, 100)\n\tipTemplate := \"10.0.0.%d\"\n\tfor i := 1; i <= packetCount; i++ {\n\t\tpackets[i-1] = &packet.ICMP{\n\t\t\tIP: &packet.IP{\n\t\t\t\tSrc: netip.MustParseAddr(\"192.168.1.1\"),\n\t\t\t\tDst: netip.MustParseAddr(fmt.Sprintf(ipTemplate, i)),\n\t\t\t\tProtocol: layers.IPProtocolICMPv4,\n\t\t\t\tTTL: 20,\n\t\t\t},\n\t\t\tMessage: &icmp.Message{\n\t\t\t\tType: ipv4.ICMPTypeEcho,\n\t\t\t\tCode: 0,\n\t\t\t\tBody: &icmp.Echo{\n\t\t\t\t\tID: 25821,\n\t\t\t\t\tSeq: 58129,\n\t\t\t\t\tData: []byte(\"test\"),\n\t\t\t\t},\n\t\t\t},\n\t\t}\n\t}\n\n\twg := sync.WaitGroup{}\n\tvar receivedPackets []*packet.ICMP\n\tgo func() {\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-ctx.Done():\n\t\t\t\treturn\n\t\t\tcase icmpPacket := <-router.recv:\n\t\t\t\treceivedPackets = append(receivedPackets, icmpPacket)\n\t\t\t\twg.Done()\n\t\t\t}\n\t\t}\n\t}()\n\n\tfor _, p := range packets {\n\t\t// We increment here but only decrement when receiving the packet\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\tdatagram := newICMPDatagram(p)\n\t\t\tquic.send <- datagram\n\t\t}()\n\t}\n\n\twg.Wait()\n\n\t// If there were duplicates then we won't have the same number of IPs\n\tpacketSet := make(map[netip.Addr]*packet.ICMP, 0)\n\tfor _, p := range receivedPackets {\n\t\tpacketSet[p.Dst] = p\n\t}\n\tassert.Equal(t, len(packetSet), len(packets))\n\n\t// Sort the slice by last byte of IP address (the one we increment for each destination)\n\t// and then check that we have one match for each packet sent\n\tsort.Slice(receivedPackets, func(i, j int) bool {\n\t\treturn receivedPackets[i].Dst.As4()[3] < receivedPackets[j].Dst.As4()[3]\n\t})\n\tfor i, p := range receivedPackets {\n\t\tassert.Equal(t, p.Dst, packets[i].Dst)\n\t}\n\n\t// Cancel the muxer Serve context and make sure it closes with the expected error\n\tassertContextClosed(t, ctx, done, cancel)\n}\n\nfunc TestDatagramConnServe_RegisterTwice(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\tsession := newMockSession()\n\tsessionManager := mockSessionManager{session: &session}\n\tconn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\t// Setup the muxer\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(errors.New(\"other error\"))\n\tdone := make(chan error, 1)\n\tgo func() {\n\t\tdone <- conn.Serve(ctx)\n\t}()\n\n\t// Send new session registration\n\tdatagram := newRegisterSessionDatagram(testRequestID)\n\tquic.send <- datagram\n\n\t// Wait for session registration response with success\n\tdatagram = <-quic.recv\n\tvar resp v3.UDPSessionRegistrationResponseDatagram\n\terr := resp.UnmarshalBinary(datagram)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tif resp.RequestID != testRequestID || resp.ResponseType != v3.ResponseOk {\n\t\tt.Fatalf(\"expected registration response ok\")\n\t}\n\n\t// Set the session manager to return already registered\n\tsessionManager.expectedRegErr = v3.ErrSessionAlreadyRegistered\n\t// Send the registration again as if we didn't receive it at the edge\n\tdatagram = newRegisterSessionDatagram(testRequestID)\n\tquic.send <- datagram\n\n\t// Wait for session registration response with success\n\tdatagram = <-quic.recv\n\terr = resp.UnmarshalBinary(datagram)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tif resp.RequestID != testRequestID || resp.ResponseType != v3.ResponseOk {\n\t\tt.Fatalf(\"expected registration response ok\")\n\t}\n\n\t// We expect the session to be served\n\ttimer := time.NewTimer(15 * time.Second)\n\tdefer timer.Stop()\n\tselect {\n\tcase <-session.served:\n\t\tbreak\n\tcase <-timer.C:\n\t\tt.Fatalf(\"expected session serve to be called\")\n\t}\n\n\t// Cancel the muxer Serve context and make sure it closes with the expected error\n\tassertContextClosed(t, ctx, done, cancel)\n}\n\nfunc TestDatagramConnServe_MigrateConnection(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\tsession := newMockSession()\n\tsessionManager := mockSessionManager{session: &session}\n\tconn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\tconn2Ctx, conn2Cancel := context.WithCancelCause(t.Context())\n\tdefer conn2Cancel(context.Canceled)\n\tquic2 := newMockQuicConn(conn2Ctx)\n\tconn2 := v3.NewDatagramConn(quic2, &sessionManager, &noopICMPRouter{}, 1, &noopMetrics{}, &log)\n\n\t// Setup the muxer\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(errors.New(\"other error\"))\n\tdone := make(chan error, 1)\n\tgo func() {\n\t\tdone <- conn.Serve(ctx)\n\t}()\n\n\tctx2, cancel2 := context.WithCancelCause(t.Context())\n\tdefer cancel2(errors.New(\"other error\"))\n\tdone2 := make(chan error, 1)\n\tgo func() {\n\t\tdone2 <- conn2.Serve(ctx2)\n\t}()\n\n\t// Send new session registration\n\tdatagram := newRegisterSessionDatagram(testRequestID)\n\tquic.send <- datagram\n\n\t// Wait for session registration response with success\n\tdatagram = <-quic.recv\n\tvar resp v3.UDPSessionRegistrationResponseDatagram\n\terr := resp.UnmarshalBinary(datagram)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tif resp.RequestID != testRequestID || resp.ResponseType != v3.ResponseOk {\n\t\tt.Fatalf(\"expected registration response ok\")\n\t}\n\n\t// Set the session manager to return already registered to another connection\n\tsessionManager.expectedRegErr = v3.ErrSessionBoundToOtherConn\n\t// Send the registration again as if we didn't receive it at the edge for a new connection\n\tdatagram = newRegisterSessionDatagram(testRequestID)\n\tquic2.send <- datagram\n\n\t// Wait for session registration response with success\n\tdatagram = <-quic2.recv\n\terr = resp.UnmarshalBinary(datagram)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tif resp.RequestID != testRequestID || resp.ResponseType != v3.ResponseOk {\n\t\tt.Fatalf(\"expected registration response ok\")\n\t}\n\n\t// We expect the session to be served\n\ttimer := time.NewTimer(15 * time.Second)\n\tdefer timer.Stop()\n\tselect {\n\tcase <-session.served:\n\t\tbreak\n\tcase <-timer.C:\n\t\tt.Fatalf(\"expected session serve to be called\")\n\t}\n\n\t// Expect session to be migrated\n\tselect {\n\tcase id := <-session.migrated:\n\t\tif id != conn2.ID() {\n\t\t\tt.Fatalf(\"expected session to be migrated to connection 2\")\n\t\t}\n\tcase <-timer.C:\n\t\tt.Fatalf(\"expected session migration to be called\")\n\t}\n\n\t// Cancel the muxer Serve context and make sure it closes with the expected error\n\tassertContextClosed(t, ctx, done, cancel)\n\t// Cancel the second muxer Serve context and make sure it closes with the expected error\n\tassertContextClosed(t, ctx2, done2, cancel2)\n}\n\nfunc TestDatagramConnServe_Payload_GetSessionError(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\t// mockSessionManager will return the ErrSessionNotFound for any session attempting to be queried by the muxer\n\tsessionManager := mockSessionManager{session: nil, expectedGetErr: v3.ErrSessionNotFound}\n\tconn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\t// Setup the muxer\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(errors.New(\"other error\"))\n\tdone := make(chan error, 1)\n\tgo func() {\n\t\tdone <- conn.Serve(ctx)\n\t}()\n\n\t// Send new session registration\n\tdatagram := newSessionPayloadDatagram(testRequestID, []byte{0xef, 0xef})\n\tquic.send <- datagram\n\n\t// Since the muxer should eventually discard a failed registration request, there is no side-effect\n\t// that the registration was failed beyond the muxer accepting the registration request. As such, the\n\t// test can only ensure that the quic.send channel was consumed and that the muxer closes normally\n\t// afterwards with the expected context cancelled trigger.\n\n\t// Cancel the muxer Serve context and make sure it closes with the expected error\n\tassertContextClosed(t, ctx, done, cancel)\n}\n\nfunc TestDatagramConnServe_Payloads(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\tsession := newMockSession()\n\tsessionManager := mockSessionManager{session: &session}\n\tconn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)\n\n\t// Setup the muxer\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(errors.New(\"other error\"))\n\tdone := make(chan error, 1)\n\tgo func() {\n\t\tdone <- conn.Serve(ctx)\n\t}()\n\n\t// Send session payloads\n\texpectedPayloads := makePayloads(256, 16)\n\tgo func() {\n\t\tfor _, payload := range expectedPayloads {\n\t\t\tdatagram := newSessionPayloadDatagram(testRequestID, payload)\n\t\t\tquic.send <- datagram\n\t\t}\n\t}()\n\n\t// Session should receive the payloads (in-order)\n\tfor i, payload := range expectedPayloads {\n\t\tselect {\n\t\tcase recv := <-session.recv:\n\t\t\tif !slices.Equal(recv, payload) {\n\t\t\t\tt.Fatalf(\"expected session receieve the payload[%d] sent via the muxer: (%x) (%x)\", i, recv[:16], payload[:16])\n\t\t\t}\n\t\tcase err := <-ctx.Done():\n\t\t\t// we expect the payload to return before the context to cancel on the session\n\t\t\tt.Fatal(err)\n\t\t}\n\t}\n\n\t// Cancel the muxer Serve context and make sure it closes with the expected error\n\tassertContextClosed(t, ctx, done, cancel)\n}\n\nfunc TestDatagramConnServe_ICMPDatagram_TTLDecremented(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\trouter := newMockICMPRouter()\n\tconn := v3.NewDatagramConn(quic, &mockSessionManager{}, router, 0, &noopMetrics{}, &log)\n\n\t// Setup the muxer\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(errors.New(\"other error\"))\n\tdone := make(chan error, 1)\n\tgo func() {\n\t\tdone <- conn.Serve(ctx)\n\t}()\n\n\t// Send new ICMP Echo request\n\texpectedICMP := &packet.ICMP{\n\t\tIP: &packet.IP{\n\t\t\tSrc: netip.MustParseAddr(\"192.168.1.1\"),\n\t\t\tDst: netip.MustParseAddr(\"10.0.0.1\"),\n\t\t\tProtocol: layers.IPProtocolICMPv4,\n\t\t\tTTL: 20,\n\t\t},\n\t\tMessage: &icmp.Message{\n\t\t\tType: ipv4.ICMPTypeEcho,\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.Echo{\n\t\t\t\tID: 25821,\n\t\t\t\tSeq: 58129,\n\t\t\t\tData: []byte(\"test ttl=0\"),\n\t\t\t},\n\t\t},\n\t}\n\tdatagram := newICMPDatagram(expectedICMP)\n\tquic.send <- datagram\n\n\t// Router should receive the packet\n\tactualICMP := <-router.recv\n\tassertICMPEqual(t, expectedICMP, actualICMP)\n\tif expectedICMP.TTL-1 != actualICMP.TTL {\n\t\tt.Fatalf(\"TTL should be decremented by one before sending to origin: %d, %d\", expectedICMP.TTL, actualICMP.TTL)\n\t}\n\n\t// Cancel the muxer Serve context and make sure it closes with the expected error\n\tassertContextClosed(t, ctx, done, cancel)\n}\n\nfunc TestDatagramConnServe_ICMPDatagram_TTLExceeded(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\tconnCtx, connCancel := context.WithCancelCause(t.Context())\n\tdefer connCancel(context.Canceled)\n\tquic := newMockQuicConn(connCtx)\n\trouter := newMockICMPRouter()\n\tconn := v3.NewDatagramConn(quic, &mockSessionManager{}, router, 0, &noopMetrics{}, &log)\n\n\t// Setup the muxer\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(errors.New(\"other error\"))\n\tdone := make(chan error, 1)\n\tgo func() {\n\t\tdone <- conn.Serve(ctx)\n\t}()\n\n\t// Send new ICMP Echo request\n\texpectedICMP := &packet.ICMP{\n\t\tIP: &packet.IP{\n\t\t\tSrc: netip.MustParseAddr(\"192.168.1.1\"),\n\t\t\tDst: netip.MustParseAddr(\"10.0.0.1\"),\n\t\t\tProtocol: layers.IPProtocolICMPv4,\n\t\t\tTTL: 0,\n\t\t},\n\t\tMessage: &icmp.Message{\n\t\t\tType: ipv4.ICMPTypeEcho,\n\t\t\tCode: 0,\n\t\t\tBody: &icmp.Echo{\n\t\t\t\tID: 25821,\n\t\t\t\tSeq: 58129,\n\t\t\t\tData: []byte(\"test ttl=0\"),\n\t\t\t},\n\t\t},\n\t}\n\tdatagram := newICMPDatagram(expectedICMP)\n\tquic.send <- datagram\n\n\t// Origin should not receive a packet\n\tselect {\n\tcase <-router.recv:\n\t\tt.Fatalf(\"TTL should be expired and no origin ICMP sent\")\n\tdefault:\n\t}\n\n\t// Eyeball should receive the packet\n\tdatagram = <-quic.recv\n\ticmpDatagram := v3.ICMPDatagram{}\n\terr := icmpDatagram.UnmarshalBinary(datagram)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdecoder := packet.NewICMPDecoder()\n\tttlExpiredICMP, err := decoder.Decode(packet.RawPacket{Data: icmpDatagram.Payload})\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\t// Packet should be a TTL Exceeded ICMP\n\tif ttlExpiredICMP.TTL != packet.DefaultTTL || ttlExpiredICMP.Message.Type != ipv4.ICMPTypeTimeExceeded {\n\t\tt.Fatalf(\"ICMP packet should be a ICMP Exceeded: %+v\", ttlExpiredICMP)\n\t}\n\n\t// Cancel the muxer Serve context and make sure it closes with the expected error\n\tassertContextClosed(t, ctx, done, cancel)\n}\n\nfunc newRegisterSessionDatagram(id v3.RequestID) []byte {\n\tdatagram := v3.UDPSessionRegistrationDatagram{\n\t\tRequestID: id,\n\t\tDest: netip.MustParseAddrPort(\"127.0.0.1:8080\"),\n\t\tIdleDurationHint: 5 * time.Second,\n\t}\n\tpayload, err := datagram.MarshalBinary()\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn payload\n}\n\nfunc newSessionPayloadDatagram(id v3.RequestID, payload []byte) []byte {\n\tdatagram := make([]byte, len(payload)+17)\n\terr := v3.MarshalPayloadHeaderTo(id, datagram[:])\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tcopy(datagram[17:], payload)\n\treturn datagram\n}\n\nfunc newICMPDatagram(pk *packet.ICMP) []byte {\n\tencoder := packet.NewEncoder()\n\trawPacket, err := encoder.Encode(pk)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tdatagram := v3.ICMPDatagram{\n\t\tPayload: rawPacket.Data,\n\t}\n\tpayload, err := datagram.MarshalBinary()\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn payload\n}\n\n// Cancel the provided context and make sure it closes with the expected cancellation error\nfunc assertContextClosed(t *testing.T, ctx context.Context, done <-chan error, cancel context.CancelCauseFunc) {\n\tcancel(errExpectedContextCanceled)\n\terr := <-done\n\tif !errors.Is(err, context.Canceled) {\n\t\tt.Fatal(err)\n\t}\n\tif !errors.Is(context.Cause(ctx), errExpectedContextCanceled) {\n\t\tt.Fatal(err)\n\t}\n}\n\ntype mockQuicConn struct {\n\tctx context.Context\n\tsend chan []byte\n\trecv chan []byte\n}\n\nfunc newMockQuicConn(ctx context.Context) *mockQuicConn {\n\treturn &mockQuicConn{\n\t\tctx: ctx,\n\t\tsend: make(chan []byte, 1),\n\t\trecv: make(chan []byte, 1),\n\t}\n}\n\nfunc (m *mockQuicConn) Context() context.Context {\n\treturn m.ctx\n}\n\nfunc (m *mockQuicConn) SendDatagram(payload []byte) error {\n\tb := make([]byte, len(payload))\n\tcopy(b, payload)\n\tm.recv <- b\n\treturn nil\n}\n\nfunc (m *mockQuicConn) ReceiveDatagram(_ context.Context) ([]byte, error) {\n\tselect {\n\tcase <-m.ctx.Done():\n\t\treturn nil, m.ctx.Err()\n\tcase b := <-m.send:\n\t\treturn b, nil\n\t}\n}\n\ntype mockQuicConnReadError struct {\n\terr error\n}\n\nfunc (m *mockQuicConnReadError) Context() context.Context {\n\treturn context.Background()\n}\n\nfunc (m *mockQuicConnReadError) SendDatagram(payload []byte) error {\n\treturn nil\n}\n\nfunc (m *mockQuicConnReadError) ReceiveDatagram(_ context.Context) ([]byte, error) {\n\treturn nil, m.err\n}\n\ntype mockSessionManager struct {\n\tsession v3.Session\n\n\texpectedRegErr error\n\texpectedGetErr error\n}\n\nfunc (m *mockSessionManager) RegisterSession(request *v3.UDPSessionRegistrationDatagram, conn v3.DatagramConn) (v3.Session, error) {\n\treturn m.session, m.expectedRegErr\n}\n\nfunc (m *mockSessionManager) GetSession(requestID v3.RequestID) (v3.Session, error) {\n\treturn m.session, m.expectedGetErr\n}\n\nfunc (m *mockSessionManager) UnregisterSession(requestID v3.RequestID) {}\n\ntype mockSession struct {\n\tserved chan struct{}\n\tmigrated chan uint8\n\trecv chan []byte\n}\n\nfunc newMockSession() mockSession {\n\treturn mockSession{\n\t\tserved: make(chan struct{}),\n\t\tmigrated: make(chan uint8, 2),\n\t\trecv: make(chan []byte, 1),\n\t}\n}\n\nfunc (m *mockSession) ID() v3.RequestID { return testRequestID }\nfunc (m *mockSession) RemoteAddr() net.Addr { return testOriginAddr }\nfunc (m *mockSession) LocalAddr() net.Addr { return testLocalAddr }\nfunc (m *mockSession) ConnectionID() uint8 { return 0 }\nfunc (m *mockSession) Migrate(conn v3.DatagramConn, ctx context.Context, log *zerolog.Logger) {\n\tm.migrated <- conn.ID()\n}\nfunc (m *mockSession) ResetIdleTimer() {}\n\nfunc (m *mockSession) Serve(ctx context.Context) error {\n\tclose(m.served)\n\treturn v3.SessionCloseErr\n}\n\nfunc (m *mockSession) Write(payload []byte) {\n\tb := make([]byte, len(payload))\n\tcopy(b, payload)\n\tm.recv <- b\n}\n\nfunc (m *mockSession) Close() error {\n\treturn nil\n}\n" }, { "path": "quic/v3/request.go", "content": "package v3\n\nimport (\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"fmt\"\n)\n\nconst (\n\tdatagramRequestIdLen = 16\n)\n\nvar (\n\t// ErrInvalidRequestIDLen is returned when the provided request id can not be parsed from the provided byte slice.\n\tErrInvalidRequestIDLen error = errors.New(\"invalid request id length provided\")\n\t// ErrInvalidPayloadDestLen is returned when the provided destination byte slice cannot fit the whole request id.\n\tErrInvalidPayloadDestLen error = errors.New(\"invalid payload size provided\")\n)\n\n// RequestID is the request-id-v2 identifier, it is used to distinguish between specific flows or sessions proxied\n// from the edge to cloudflared.\ntype RequestID uint128\n\ntype uint128 struct {\n\thi uint64\n\tlo uint64\n}\n\n// RequestIDFromSlice reads a request ID from a byte slice.\nfunc RequestIDFromSlice(data []byte) (RequestID, error) {\n\tif len(data) != datagramRequestIdLen {\n\t\treturn RequestID{}, ErrInvalidRequestIDLen\n\t}\n\n\treturn RequestID{\n\t\thi: binary.BigEndian.Uint64(data[:8]),\n\t\tlo: binary.BigEndian.Uint64(data[8:]),\n\t}, nil\n}\n\nfunc (id RequestID) String() string {\n\treturn fmt.Sprintf(\"%016x%016x\", id.hi, id.lo)\n}\n\n// Compare returns an integer comparing two IPs.\n// The result will be 0 if id == id2, -1 if id < id2, and +1 if id > id2.\n// The definition of \"less than\" is the same as the [RequestID.Less] method.\nfunc (id RequestID) Compare(id2 RequestID) int {\n\thi1, hi2 := id.hi, id2.hi\n\tif hi1 < hi2 {\n\t\treturn -1\n\t}\n\tif hi1 > hi2 {\n\t\treturn 1\n\t}\n\tlo1, lo2 := id.lo, id2.lo\n\tif lo1 < lo2 {\n\t\treturn -1\n\t}\n\tif lo1 > lo2 {\n\t\treturn 1\n\t}\n\treturn 0\n}\n\n// Less reports whether id sorts before id2.\nfunc (id RequestID) Less(id2 RequestID) bool { return id.Compare(id2) == -1 }\n\n// MarshalBinaryTo writes the id to the provided destination byte slice; the byte slice must be of at least size 16.\nfunc (id RequestID) MarshalBinaryTo(data []byte) error {\n\tif len(data) < datagramRequestIdLen {\n\t\treturn ErrInvalidPayloadDestLen\n\t}\n\tbinary.BigEndian.PutUint64(data[:8], id.hi)\n\tbinary.BigEndian.PutUint64(data[8:], id.lo)\n\treturn nil\n}\n\nfunc (id *RequestID) UnmarshalBinary(data []byte) error {\n\tif len(data) != 16 {\n\t\treturn fmt.Errorf(\"invalid length slice provided to unmarshal: %d (expected 16)\", len(data))\n\t}\n\n\t*id = RequestID{\n\t\tbinary.BigEndian.Uint64(data[:8]),\n\t\tbinary.BigEndian.Uint64(data[8:]),\n\t}\n\treturn nil\n}\n" }, { "path": "quic/v3/request_test.go", "content": "package v3_test\n\nimport (\n\t\"crypto/rand\"\n\t\"slices\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n\n\tv3 \"github.com/cloudflare/cloudflared/quic/v3\"\n)\n\nvar (\n\ttestRequestIDBytes = [16]byte{\n\t\t0x00, 0x11, 0x22, 0x33,\n\t\t0x44, 0x55, 0x66, 0x77,\n\t\t0x88, 0x99, 0xaa, 0xbb,\n\t\t0xcc, 0xdd, 0xee, 0xff,\n\t}\n\ttestRequestID = mustRequestID(testRequestIDBytes)\n)\n\nfunc mustRequestID(data [16]byte) v3.RequestID {\n\tid, err := v3.RequestIDFromSlice(data[:])\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn id\n}\n\nfunc TestRequestIDParsing(t *testing.T) {\n\tbuf1 := make([]byte, 16)\n\tn, err := rand.Read(buf1)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tif n != 16 {\n\t\tt.Fatalf(\"did not read 16 bytes: %d\", n)\n\t}\n\tid, err := v3.RequestIDFromSlice(buf1)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tbuf2 := make([]byte, 16)\n\terr = id.MarshalBinaryTo(buf2)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tif !slices.Equal(buf1, buf2) {\n\t\tt.Fatalf(\"buf1 != buf2: %+v %+v\", buf1, buf2)\n\t}\n}\n\nfunc TestRequestID_MarshalBinary(t *testing.T) {\n\tbuf := make([]byte, 16)\n\terr := testRequestID.MarshalBinaryTo(buf)\n\trequire.NoError(t, err)\n\trequire.Len(t, buf, 16)\n\n\tparsed := v3.RequestID{}\n\terr = parsed.UnmarshalBinary(buf)\n\trequire.NoError(t, err)\n\trequire.Equal(t, testRequestID, parsed)\n}\n" }, { "path": "quic/v3/session.go", "content": "package v3\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"os\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n)\n\nconst (\n\t// A default is provided in the case that the client does not provide a close idle timeout.\n\tdefaultCloseIdleAfter = 210 * time.Second\n\n\t// The maximum payload from the origin that we will be able to read. However, even though we will\n\t// read 1500 bytes from the origin, we limit the amount of bytes to be proxied to less than\n\t// this value (maxDatagramPayloadLen).\n\tmaxOriginUDPPacketSize = 1500\n\n\t// The maximum amount of datagrams a session will queue up before it begins dropping datagrams.\n\t// This channel buffer is small because we assume that the dedicated writer to the origin is typically\n\t// fast enought to keep the channel empty.\n\twriteChanCapacity = 512\n\n\tlogFlowID = \"flowID\"\n\tlogPacketSizeKey = \"packetSize\"\n)\n\n// SessionCloseErr indicates that the session's Close method was called.\nvar SessionCloseErr error = errors.New(\"flow was closed directly\") //nolint:errname\n\n// SessionIdleErr is returned when the session was closed because there was no communication\n// in either direction over the session for the timeout period.\ntype SessionIdleErr struct { //nolint:errname\n\ttimeout time.Duration\n}\n\nfunc (e SessionIdleErr) Error() string {\n\treturn fmt.Sprintf(\"flow was idle for %v\", e.timeout)\n}\n\nfunc (e SessionIdleErr) Is(target error) bool {\n\t_, ok := target.(SessionIdleErr)\n\treturn ok\n}\n\nfunc newSessionIdleErr(timeout time.Duration) error {\n\treturn SessionIdleErr{timeout}\n}\n\ntype Session interface {\n\tio.Closer\n\tID() RequestID\n\tConnectionID() uint8\n\tRemoteAddr() net.Addr\n\tLocalAddr() net.Addr\n\tResetIdleTimer()\n\tMigrate(eyeball DatagramConn, ctx context.Context, logger *zerolog.Logger)\n\t// Serve starts the event loop for processing UDP packets\n\tServe(ctx context.Context) error\n\tWrite(payload []byte)\n}\n\ntype session struct {\n\tid RequestID\n\tcloseAfterIdle time.Duration\n\torigin io.ReadWriteCloser\n\toriginAddr net.Addr\n\tlocalAddr net.Addr\n\teyeball atomic.Pointer[DatagramConn]\n\twriteChan chan []byte\n\t// activeAtChan is used to communicate the last read/write time\n\tactiveAtChan chan time.Time\n\terrChan chan error\n\t// The close channel signal only exists for the write loop because the read loop is always waiting on a read\n\t// from the UDP socket to the origin. To close the read loop we close the socket.\n\t// Additionally, we can't close the writeChan to indicate that writes are complete because the producer (edge)\n\t// side may still be trying to write to this session.\n\tcloseWrite chan struct{}\n\tcontextChan chan context.Context\n\tmetrics Metrics\n\tlog *zerolog.Logger\n\n\t// A special close function that we wrap with sync.Once to make sure it is only called once\n\tcloseFn func() error\n}\n\nfunc NewSession(\n\tid RequestID,\n\tcloseAfterIdle time.Duration,\n\torigin io.ReadWriteCloser,\n\toriginAddr net.Addr,\n\tlocalAddr net.Addr,\n\teyeball DatagramConn,\n\tmetrics Metrics,\n\tlog *zerolog.Logger,\n) Session {\n\tlogger := log.With().Str(logFlowID, id.String()).Logger()\n\twriteChan := make(chan []byte, writeChanCapacity)\n\t// errChan has three slots to allow for all writers (the closeFn, the read loop and the write loop) to\n\t// write to the channel without blocking since there is only ever one value read from the errChan by the\n\t// waitForCloseCondition.\n\terrChan := make(chan error, 3)\n\tcloseWrite := make(chan struct{})\n\tsession := &session{\n\t\tid: id,\n\t\tcloseAfterIdle: closeAfterIdle,\n\t\torigin: origin,\n\t\toriginAddr: originAddr,\n\t\tlocalAddr: localAddr,\n\t\teyeball: atomic.Pointer[DatagramConn]{},\n\t\twriteChan: writeChan,\n\t\t// activeAtChan has low capacity. It can be full when there are many concurrent read/write. markActive() will\n\t\t// drop instead of blocking because last active time only needs to be an approximation\n\t\tactiveAtChan: make(chan time.Time, 1),\n\t\terrChan: errChan,\n\t\tcloseWrite: closeWrite,\n\t\t// contextChan is an unbounded channel to help enforce one active migration of a session at a time.\n\t\tcontextChan: make(chan context.Context),\n\t\tmetrics: metrics,\n\t\tlog: &logger,\n\t\tcloseFn: sync.OnceValue(func() error {\n\t\t\t// We don't want to block on sending to the close channel if it is already full\n\t\t\tselect {\n\t\t\tcase errChan <- SessionCloseErr:\n\t\t\tdefault:\n\t\t\t}\n\t\t\t// Indicate to the write loop that the session is now closed\n\t\t\tclose(closeWrite)\n\t\t\t// Close the socket directly to unblock the read loop and cause it to also end\n\t\t\treturn origin.Close()\n\t\t}),\n\t}\n\tsession.eyeball.Store(&eyeball)\n\treturn session\n}\n\nfunc (s *session) ID() RequestID {\n\treturn s.id\n}\n\nfunc (s *session) RemoteAddr() net.Addr {\n\treturn s.originAddr\n}\n\nfunc (s *session) LocalAddr() net.Addr {\n\treturn s.localAddr\n}\n\nfunc (s *session) ConnectionID() uint8 {\n\teyeball := *(s.eyeball.Load())\n\treturn eyeball.ID()\n}\n\nfunc (s *session) Migrate(eyeball DatagramConn, ctx context.Context, logger *zerolog.Logger) {\n\tcurrent := *(s.eyeball.Load())\n\t// Only migrate if the connection ids are different.\n\tif current.ID() != eyeball.ID() {\n\t\ts.eyeball.Store(&eyeball)\n\t\ts.contextChan <- ctx\n\t\tlog := logger.With().Str(logFlowID, s.id.String()).Logger()\n\t\ts.log = &log\n\t}\n\t// The session is already running so we want to restart the idle timeout since no proxied packets have come down yet.\n\ts.markActive()\n\tconnectionIndex := eyeball.ID()\n\ts.metrics.MigrateFlow(connectionIndex)\n}\n\nfunc (s *session) Serve(ctx context.Context) error {\n\tgo s.writeLoop()\n\tgo s.readLoop()\n\treturn s.waitForCloseCondition(ctx, s.closeAfterIdle)\n}\n\n// Read datagrams from the origin and write them to the connection.\nfunc (s *session) readLoop() {\n\t// QUIC implementation copies data to another buffer before returning https://github.com/quic-go/quic-go/blob/v0.24.0/session.go#L1967-L1975\n\t// This makes it safe to share readBuffer between iterations\n\treadBuffer := [maxOriginUDPPacketSize + DatagramPayloadHeaderLen]byte{}\n\t// To perform a zero copy write when passing the datagram to the connection, we prepare the buffer with\n\t// the required datagram header information. We can reuse this buffer for this session since the header is the\n\t// same for the each read.\n\t_ = MarshalPayloadHeaderTo(s.id, readBuffer[:DatagramPayloadHeaderLen])\n\tfor {\n\t\t// Read from the origin UDP socket\n\t\tn, err := s.origin.Read(readBuffer[DatagramPayloadHeaderLen:])\n\t\tif err != nil {\n\t\t\tif isConnectionClosed(err) {\n\t\t\t\ts.log.Debug().Msgf(\"flow (read) connection closed: %v\", err)\n\t\t\t}\n\t\t\ts.closeSession(err)\n\t\t\treturn\n\t\t}\n\t\tif n < 0 {\n\t\t\ts.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedReadFailed)\n\t\t\ts.log.Warn().Int(logPacketSizeKey, n).Msg(\"flow (origin) packet read was negative and was dropped\")\n\t\t\tcontinue\n\t\t}\n\t\tif n > maxDatagramPayloadLen {\n\t\t\ts.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedReadTooLarge)\n\t\t\ts.log.Error().Int(logPacketSizeKey, n).Msg(\"flow (origin) packet read was too large and was dropped\")\n\t\t\tcontinue\n\t\t}\n\t\t// We need to synchronize on the eyeball in-case that the connection was migrated. This should be rarely a point\n\t\t// of lock contention, as a migration can only happen during startup of a session before traffic flow.\n\t\teyeball := *(s.eyeball.Load())\n\t\t// Sending a packet to the session does block on the [quic.Connection], however, this is okay because it\n\t\t// will cause back-pressure to the kernel buffer if the writes are not fast enough to the edge.\n\t\terr = eyeball.SendUDPSessionDatagram(readBuffer[:DatagramPayloadHeaderLen+n])\n\t\tif err != nil {\n\t\t\ts.closeSession(err)\n\t\t\treturn\n\t\t}\n\t\t// Mark the session as active since we proxied a valid packet from the origin.\n\t\ts.markActive()\n\t}\n}\n\nfunc (s *session) Write(payload []byte) {\n\tselect {\n\tcase s.writeChan <- payload:\n\tdefault:\n\t\ts.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteFull)\n\t\ts.log.Error().Msg(\"failed to write flow payload to origin: dropped\")\n\t}\n}\n\n// Read datagrams from the write channel to the origin.\nfunc (s *session) writeLoop() {\n\tfor {\n\t\tselect {\n\t\tcase <-s.closeWrite:\n\t\t\t// When the closeWrite channel is closed, we will no longer write to the origin and end this\n\t\t\t// goroutine since the session is now closed.\n\t\t\treturn\n\t\tcase payload := <-s.writeChan:\n\t\t\tn, err := s.origin.Write(payload)\n\t\t\tif err != nil {\n\t\t\t\t// Check if this is a write deadline exceeded to the connection\n\t\t\t\tif errors.Is(err, os.ErrDeadlineExceeded) {\n\t\t\t\t\ts.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteDeadlineExceeded)\n\t\t\t\t\ts.log.Warn().Err(err).Msg(\"flow (write) deadline exceeded: dropping packet\")\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tif isConnectionClosed(err) {\n\t\t\t\t\ts.log.Debug().Msgf(\"flow (write) connection closed: %v\", err)\n\t\t\t\t}\n\t\t\t\ts.log.Err(err).Msg(\"failed to write flow payload to origin\")\n\t\t\t\ts.closeSession(err)\n\t\t\t\t// If we fail to write to the origin socket, we need to end the writer and close the session\n\t\t\t\treturn\n\t\t\t}\n\t\t\t// Write must return a non-nil error if it returns n < len(p). https://pkg.go.dev/io#Writer\n\t\t\tif n < len(payload) {\n\t\t\t\ts.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteFailed)\n\t\t\t\ts.log.Err(io.ErrShortWrite).Msg(\"failed to write the full flow payload to origin\")\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\t// Mark the session as active since we successfully proxied a packet to the origin.\n\t\t\ts.markActive()\n\t\t}\n\t}\n}\n\nfunc isConnectionClosed(err error) bool {\n\treturn errors.Is(err, net.ErrClosed) || errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF)\n}\n\n// Send an error to the error channel to report that an error has either happened on the tunnel or origin side of the\n// proxied connection.\nfunc (s *session) closeSession(err error) {\n\tselect {\n\tcase s.errChan <- err:\n\tdefault:\n\t\t// In the case that the errChan is already full, we will skip over it and return as to not block\n\t\t// the caller because we should start cleaning up the session.\n\t\ts.log.Warn().Msg(\"error channel was full\")\n\t}\n}\n\n// ResetIdleTimer will restart the current idle timer.\n//\n// This public method is used to allow operators of sessions the ability to extend the session using information that is\n// known external to the session itself.\nfunc (s *session) ResetIdleTimer() {\n\ts.markActive()\n}\n\n// Sends the last active time to the idle checker loop without blocking. activeAtChan will only be full when there\n// are many concurrent read/write. It is fine to lose some precision\nfunc (s *session) markActive() {\n\tselect {\n\tcase s.activeAtChan <- time.Now():\n\tdefault:\n\t}\n}\n\nfunc (s *session) Close() error {\n\t// Make sure that we only close the origin connection once\n\treturn s.closeFn()\n}\n\nfunc (s *session) waitForCloseCondition(ctx context.Context, closeAfterIdle time.Duration) error {\n\tconnCtx := ctx\n\t// Closing the session at the end cancels read so Serve() can return, additionally, it closes the\n\t// closeWrite channel which indicates to the write loop to return.\n\tdefer s.Close()\n\tif closeAfterIdle == 0 {\n\t\t// Provided that the default caller doesn't specify one\n\t\tcloseAfterIdle = defaultCloseIdleAfter\n\t}\n\n\tcheckIdleTimer := time.NewTimer(closeAfterIdle)\n\tdefer checkIdleTimer.Stop()\n\n\tfor {\n\t\tselect {\n\t\tcase <-connCtx.Done():\n\t\t\treturn connCtx.Err()\n\t\tcase newContext := <-s.contextChan:\n\t\t\t// During migration of a session, we need to make sure that the context of the new connection is used instead\n\t\t\t// of the old connection context. This will ensure that when the old connection goes away, this session will\n\t\t\t// still be active on the existing connection.\n\t\t\tconnCtx = newContext\n\t\t\tcontinue\n\t\tcase reason := <-s.errChan:\n\t\t\t// Any error returned here is from the read or write loops indicating that it can no longer process datagrams\n\t\t\t// and as such the session needs to close.\n\t\t\ts.metrics.FailedFlow(s.ConnectionID())\n\t\t\treturn reason\n\t\tcase <-checkIdleTimer.C:\n\t\t\t// The check idle timer will only return after an idle period since the last active\n\t\t\t// operation (read or write).\n\t\t\treturn newSessionIdleErr(closeAfterIdle)\n\t\tcase <-s.activeAtChan:\n\t\t\t// The session is still active, we want to reset the timer. First we have to stop the timer, drain the\n\t\t\t// current value and then reset. It's okay if we lose some time on this operation as we don't need to\n\t\t\t// close an idle session directly on-time.\n\t\t\tif !checkIdleTimer.Stop() {\n\t\t\t\t<-checkIdleTimer.C\n\t\t\t}\n\t\t\tcheckIdleTimer.Reset(closeAfterIdle)\n\t\t}\n\t}\n}\n" }, { "path": "quic/v3/session_fuzz_test.go", "content": "package v3_test\n\nimport (\n\t\"testing\"\n)\n\n// FuzzSessionWrite verifies that we don't run into any panics when writing a single variable sized payload to the origin.\nfunc FuzzSessionWrite(f *testing.F) {\n\tf.Fuzz(func(t *testing.T, b []byte) {\n\t\t// The origin transport read is bound to 1280 bytes\n\t\tif len(b) > 1280 {\n\t\t\tb = b[:1280]\n\t\t}\n\t\ttestSessionWrite(t, [][]byte{b})\n\t})\n}\n\n// FuzzSessionRead verifies that we don't run into any panics when reading a single variable sized payload from the origin.\nfunc FuzzSessionRead(f *testing.F) {\n\tf.Fuzz(func(t *testing.T, b []byte) {\n\t\t// The origin transport read is bound to 1280 bytes\n\t\tif len(b) > 1280 {\n\t\t\tb = b[:1280]\n\t\t}\n\t\ttestSessionRead(t, [][]byte{b})\n\t})\n}\n" }, { "path": "quic/v3/session_test.go", "content": "package v3_test\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"io\"\n\t\"net\"\n\t\"net/netip\"\n\t\"slices\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/fortytw2/leaktest\"\n\t\"github.com/rs/zerolog\"\n\n\tv3 \"github.com/cloudflare/cloudflared/quic/v3\"\n)\n\nvar (\n\terrExpectedContextCanceled = errors.New(\"expected context canceled\")\n\n\ttestOriginAddr = net.UDPAddrFromAddrPort(netip.MustParseAddrPort(\"127.0.0.1:0\"))\n\ttestLocalAddr = net.UDPAddrFromAddrPort(netip.MustParseAddrPort(\"127.0.0.1:0\"))\n)\n\nfunc TestSessionNew(t *testing.T) {\n\tlog := zerolog.Nop()\n\tsession := v3.NewSession(testRequestID, 5*time.Second, nil, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)\n\tif testRequestID != session.ID() {\n\t\tt.Fatalf(\"session id doesn't match: %s != %s\", testRequestID, session.ID())\n\t}\n}\n\nfunc testSessionWrite(t *testing.T, payloads [][]byte) {\n\tlog := zerolog.Nop()\n\torigin, server := net.Pipe()\n\tdefer origin.Close()\n\tdefer server.Close()\n\t// Start origin server reads\n\tserverRead := make(chan []byte, len(payloads))\n\tgo func() {\n\t\tfor range len(payloads) {\n\t\t\tbuf := make([]byte, 1500)\n\t\t\t_, _ = server.Read(buf[:])\n\t\t\tserverRead <- buf\n\t\t}\n\t\tclose(serverRead)\n\t}()\n\n\t// Create a session\n\tsession := v3.NewSession(testRequestID, 5*time.Second, origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)\n\tdefer session.Close()\n\t// Start the Serve to begin the writeLoop\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(context.Canceled)\n\tdone := make(chan error)\n\tgo func() {\n\t\tdone <- session.Serve(ctx)\n\t}()\n\t// Write the payloads to the session\n\tfor _, payload := range payloads {\n\t\tsession.Write(payload)\n\t}\n\n\t// Read from the origin to ensure the payloads were received (in-order)\n\tfor i, payload := range payloads {\n\t\tread := <-serverRead\n\t\tif !slices.Equal(payload, read[:len(payload)]) {\n\t\t\tt.Fatalf(\"payload[%d] provided from origin and read value are not the same (%x) and (%x)\", i, payload[:16], read[:16])\n\t\t}\n\t}\n\t_, more := <-serverRead\n\tif more {\n\t\tt.Fatalf(\"expected the session to have all of the origin payloads received: %d\", len(serverRead))\n\t}\n\n\tassertContextClosed(t, ctx, done, cancel)\n}\n\nfunc TestSessionWrite(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tfor i := range 1280 {\n\t\tpayloads := makePayloads(i, 16)\n\t\ttestSessionWrite(t, payloads)\n\t}\n}\n\nfunc testSessionRead(t *testing.T, payloads [][]byte) {\n\tlog := zerolog.Nop()\n\torigin, server := net.Pipe()\n\tdefer origin.Close()\n\tdefer server.Close()\n\teyeball := newMockEyeball()\n\tsession := v3.NewSession(testRequestID, 3*time.Second, origin, testOriginAddr, testLocalAddr, &eyeball, &noopMetrics{}, &log)\n\tdefer session.Close()\n\n\tctx, cancel := context.WithCancelCause(t.Context())\n\tdefer cancel(context.Canceled)\n\tdone := make(chan error)\n\tgo func() {\n\t\tdone <- session.Serve(ctx)\n\t}()\n\n\t// Write from the origin server to the eyeball\n\tgo func() {\n\t\tfor _, payload := range payloads {\n\t\t\t_, _ = server.Write(payload)\n\t\t}\n\t}()\n\n\t// Read from the eyeball to ensure the payloads were received (in-order)\n\tfor i, payload := range payloads {\n\t\tselect {\n\t\tcase data := <-eyeball.recvData:\n\t\t\t// check received data matches provided from origin\n\t\t\texpectedData := makePayload(1500)\n\t\t\t_ = v3.MarshalPayloadHeaderTo(testRequestID, expectedData[:])\n\t\t\tcopy(expectedData[17:], payload)\n\t\t\tif !slices.Equal(expectedData[:v3.DatagramPayloadHeaderLen+len(payload)], data) {\n\t\t\t\tt.Fatalf(\"expected datagram[%d] did not equal expected\", i)\n\t\t\t}\n\t\tcase err := <-ctx.Done():\n\t\t\t// we expect the payload to return before the context to cancel on the session\n\t\t\tt.Fatal(err)\n\t\t}\n\t}\n\n\tassertContextClosed(t, ctx, done, cancel)\n}\n\nfunc TestSessionRead(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tfor i := range 1280 {\n\t\tpayloads := makePayloads(i, 16)\n\t\ttestSessionRead(t, payloads)\n\t}\n}\n\nfunc TestSessionRead_OriginTooLarge(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\teyeball := newMockEyeball()\n\tpayload := makePayload(1281)\n\torigin, server := net.Pipe()\n\tdefer origin.Close()\n\tdefer server.Close()\n\tsession := v3.NewSession(testRequestID, 2*time.Second, origin, testOriginAddr, testLocalAddr, &eyeball, &noopMetrics{}, &log)\n\tdefer session.Close()\n\n\tdone := make(chan error)\n\tgo func() {\n\t\tdone <- session.Serve(t.Context())\n\t}()\n\n\t// Attempt to write a payload too large from the origin\n\t_, err := server.Write(payload)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tselect {\n\tcase data := <-eyeball.recvData:\n\t\t// we never expect a read to make it here because the origin provided a payload that is too large\n\t\t// for cloudflared to proxy and it will drop it.\n\t\tt.Fatalf(\"we should never proxy a payload of this size: %d\", len(data))\n\tcase err := <-done:\n\t\tif !errors.Is(err, v3.SessionIdleErr{}) {\n\t\t\tt.Error(err)\n\t\t}\n\t}\n}\n\nfunc TestSessionServe_Migrate(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\teyeball := newMockEyeball()\n\tpipe1, pipe2 := net.Pipe()\n\tsession := v3.NewSession(testRequestID, 2*time.Second, pipe2, testOriginAddr, testLocalAddr, &eyeball, &noopMetrics{}, &log)\n\tdefer session.Close()\n\n\tdone := make(chan error)\n\teyeball1Ctx, cancel := context.WithCancelCause(t.Context())\n\tgo func() {\n\t\tdone <- session.Serve(eyeball1Ctx)\n\t}()\n\n\t// Migrate the session to a new connection before origin sends data\n\teyeball2 := newMockEyeball()\n\teyeball2.connID = 1\n\teyeball2Ctx := t.Context()\n\tsession.Migrate(&eyeball2, eyeball2Ctx, &log)\n\n\t// Cancel the origin eyeball context; this should not cancel the session\n\tcontextCancelErr := errors.New(\"context canceled for first eyeball connection\")\n\tcancel(contextCancelErr)\n\tselect {\n\tcase <-done:\n\t\tt.Fatalf(\"expected session to still be running\")\n\tdefault:\n\t}\n\tif context.Cause(eyeball1Ctx) != contextCancelErr {\n\t\tt.Fatalf(\"first eyeball context should be cancelled manually: %+v\", context.Cause(eyeball1Ctx))\n\t}\n\n\t// Origin sends data\n\tpayload2 := []byte{0xde}\n\t_, _ = pipe1.Write(payload2)\n\n\t// Expect write to eyeball2\n\tdata := <-eyeball2.recvData\n\tif len(data) <= 17 || !slices.Equal(payload2, data[17:]) {\n\t\tt.Fatalf(\"expected data to write to eyeball2 after migration: %+v\", data)\n\t}\n\n\tselect {\n\tcase data := <-eyeball.recvData:\n\t\tt.Fatalf(\"expected no data to write to eyeball1 after migration: %+v\", data)\n\tdefault:\n\t}\n\n\terr := <-done\n\tif !errors.Is(err, v3.SessionIdleErr{}) {\n\t\tt.Error(err)\n\t}\n\tif eyeball2Ctx.Err() != nil {\n\t\tt.Fatalf(\"second eyeball context should be not be cancelled\")\n\t}\n}\n\nfunc TestSessionServe_Migrate_CloseContext2(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\teyeball := newMockEyeball()\n\tpipe1, pipe2 := net.Pipe()\n\tsession := v3.NewSession(testRequestID, 2*time.Second, pipe2, testOriginAddr, testLocalAddr, &eyeball, &noopMetrics{}, &log)\n\tdefer session.Close()\n\n\tdone := make(chan error)\n\teyeball1Ctx, cancel := context.WithCancelCause(t.Context())\n\tgo func() {\n\t\tdone <- session.Serve(eyeball1Ctx)\n\t}()\n\n\t// Migrate the session to a new connection before origin sends data\n\teyeball2 := newMockEyeball()\n\teyeball2.connID = 1\n\teyeball2Ctx, cancel2 := context.WithCancelCause(t.Context())\n\tsession.Migrate(&eyeball2, eyeball2Ctx, &log)\n\n\t// Cancel the origin eyeball context; this should not cancel the session\n\tcontextCancelErr := errors.New(\"context canceled for first eyeball connection\")\n\tcancel(contextCancelErr)\n\tselect {\n\tcase <-done:\n\t\tt.Fatalf(\"expected session to still be running\")\n\tdefault:\n\t}\n\tif !errors.Is(context.Cause(eyeball1Ctx), contextCancelErr) {\n\t\tt.Fatalf(\"first eyeball context should be cancelled manually: %+v\", context.Cause(eyeball1Ctx))\n\t}\n\n\t// Origin sends data\n\tpayload2 := []byte{0xde}\n\t_, _ = pipe1.Write(payload2)\n\n\t// Expect write to eyeball2\n\tdata := <-eyeball2.recvData\n\tif len(data) <= 17 || !slices.Equal(payload2, data[17:]) {\n\t\tt.Fatalf(\"expected data to write to eyeball2 after migration: %+v\", data)\n\t}\n\n\tselect {\n\tcase data := <-eyeball.recvData:\n\t\tt.Fatalf(\"expected no data to write to eyeball1 after migration: %+v\", data)\n\tdefault:\n\t}\n\n\t// Close the connection2 context manually\n\tcontextCancel2Err := errors.New(\"context canceled for second eyeball connection\")\n\tcancel2(contextCancel2Err)\n\terr := <-done\n\tif err != context.Canceled {\n\t\tt.Fatalf(\"session Serve should be done: %+v\", err)\n\t}\n\tif context.Cause(eyeball2Ctx) != contextCancel2Err {\n\t\tt.Fatalf(\"second eyeball context should have been cancelled manually: %+v\", context.Cause(eyeball2Ctx))\n\t}\n}\n\nfunc TestSessionClose_Multiple(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\torigin, server := net.Pipe()\n\tdefer origin.Close()\n\tdefer server.Close()\n\tsession := v3.NewSession(testRequestID, 5*time.Second, origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)\n\terr := session.Close()\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tb := [1500]byte{}\n\t_, err = server.Read(b[:])\n\tif !errors.Is(err, io.EOF) {\n\t\tt.Fatalf(\"origin server connection should be closed: %s\", err)\n\t}\n\t// subsequent closes shouldn't call close again or cause any errors\n\terr = session.Close()\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\t_, err = server.Read(b[:])\n\tif !errors.Is(err, io.EOF) {\n\t\tt.Fatalf(\"origin server connection should still be closed: %s\", err)\n\t}\n}\n\nfunc TestSessionServe_IdleTimeout(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\torigin, server := net.Pipe()\n\tdefer origin.Close()\n\tdefer server.Close()\n\tcloseAfterIdle := 2 * time.Second\n\tsession := v3.NewSession(testRequestID, closeAfterIdle, origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)\n\terr := session.Serve(t.Context())\n\n\t// Session should idle timeout if no reads or writes occur\n\tif !errors.Is(err, v3.SessionIdleErr{}) {\n\t\tt.Fatal(err)\n\t}\n\t// session should be closed\n\tb := [1500]byte{}\n\t_, err = server.Read(b[:])\n\tif !errors.Is(err, io.EOF) {\n\t\tt.Fatalf(\"session should be closed after Serve returns\")\n\t}\n\t// closing a session again should not return an error\n\terr = session.Close()\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n}\n\nfunc TestSessionServe_ParentContextCanceled(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\torigin, server := net.Pipe()\n\tdefer origin.Close()\n\tdefer server.Close()\n\tcloseAfterIdle := 10 * time.Second\n\n\tsession := v3.NewSession(testRequestID, closeAfterIdle, origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)\n\tctx, cancel := context.WithTimeout(t.Context(), 2*time.Second)\n\tdefer cancel()\n\terr := session.Serve(ctx)\n\tif !errors.Is(err, context.DeadlineExceeded) {\n\t\tt.Fatal(err)\n\t}\n\t// session should be closed\n\tb := [1500]byte{}\n\t_, err = server.Read(b[:])\n\tif !errors.Is(err, io.EOF) {\n\t\tt.Fatalf(\"session should be closed after Serve returns\")\n\t}\n\t// closing a session again should not return an error\n\terr = session.Close()\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n}\n\nfunc TestSessionServe_ReadErrors(t *testing.T) {\n\tdefer leaktest.Check(t)()\n\tlog := zerolog.Nop()\n\torigin := newTestErrOrigin(net.ErrClosed, nil)\n\tsession := v3.NewSession(testRequestID, 30*time.Second, &origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)\n\terr := session.Serve(t.Context())\n\tif !errors.Is(err, net.ErrClosed) {\n\t\tt.Fatal(err)\n\t}\n}\n\ntype testErrOrigin struct {\n\treadErr error\n\twriteErr error\n}\n\nfunc newTestErrOrigin(readErr error, writeErr error) testErrOrigin {\n\treturn testErrOrigin{readErr, writeErr}\n}\n\nfunc (o *testErrOrigin) Read(p []byte) (n int, err error) {\n\treturn 0, o.readErr\n}\n\nfunc (o *testErrOrigin) Write(p []byte) (n int, err error) {\n\treturn len(p), o.writeErr\n}\n\nfunc (o *testErrOrigin) Close() error {\n\treturn nil\n}\n" }, { "path": "release/index.html", "content": "\n\n\n\n

Cloudflare packages

\n\n\n
\n

Cloudflared

\n\n\n\n

Warning: Public Key Rollover (30 October 2025)

\n

\n We have rolled our public key for package signing. If you are using RPM-based distributions (RHEL,\n CentOS, Amazon Linux, etc.) or Debian Trixie and have the old key installed, RPM/Deb packages will no longer work with the old key.\n Please update your repository configuration using the instructions below to ensure you can continue receiving\n package updates. The previous keys will still work for other distributions for the time being, but it is now DEPRECATED and will be removed on 30 April 2026\n

\n\n

Any Debian Based Distribution (Recommended)

\n
\n# Add cloudflare gpg key\nsudo mkdir -p --mode=0755 /usr/share/keyrings\ncurl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null\n\n# Add this repo to your apt repositories\n# Stable\necho 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main' | sudo tee /etc/apt/sources.list.d/cloudflared.list\n# Nightly\necho 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared any main' | sudo tee /etc/apt/sources.list.d/cloudflared.list\n\n# install cloudflared\nsudo apt-get update && sudo apt-get install cloudflared\n
\n\n

Debian Bookworm

\n
\n# Add cloudflare gpg key\nsudo mkdir -p --mode=0755 /usr/share/keyrings\ncurl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null\n\n# Add this repo to your apt repositories\n# Stable\necho 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main' | sudo tee /etc/apt/sources.list.d/cloudflared.list\n# Nightly\necho 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared bookworm main' | sudo tee /etc/apt/sources.list.d/cloudflared.list\n\n# install cloudflared\nsudo apt-get update && sudo apt-get install cloudflared\n
\n\n

Ubuntu 20.04 (Focal Fossa)

\n
\n# Add cloudflare gpg key\nsudo mkdir -p --mode=0755 /usr/share/keyrings\ncurl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null\n\n# Add this repo to your apt repositories\n# Stable\necho 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared focal main' | sudo tee /etc/apt/sources.list.d/cloudflared.list\n# Nightly\necho 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared focal main' | sudo tee /etc/apt/sources.list.d/cloudflared.list\n\n# install cloudflared\nsudo apt-get update && sudo apt-get install cloudflared\n
\n\n

Ubuntu 22.04 (Jammy Jellyfish)

\n
\n# Add cloudflare gpg key\nsudo mkdir -p --mode=0755 /usr/share/keyrings\ncurl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null\n\n# Add this repo to your apt repositories\n# Stable\necho 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list\n# Nightly\necho 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list\n\n# install cloudflared\nsudo apt-get update && sudo apt-get install cloudflared\n
\n\n

Ubuntu 24.04 (Noble Numbat)

\n
\n# Add cloudflare gpg key\nsudo mkdir -p --mode=0755 /usr/share/keyrings\ncurl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null\n\n# Add this repo to your apt repositories\n# Stable\necho 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list\n# Nightly\necho 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list\n\n# install cloudflared\nsudo apt-get update && sudo apt-get install cloudflared\n
\n\n

Amazon Linux

\n
\n# Add cloudflared.repo to /etc/yum.repos.d/\n# Stable\ncurl -fsSl https://pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo\n# Nightly\ncurl -fsSl https://next.pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo\n\n#update repo\nsudo yum update\n\n# install cloudflared\nsudo yum install cloudflared\n
\n\n\n

RHEL Generic

\n
\n# Add cloudflared.repo to /etc/yum.repos.d/\n# Stable\ncurl -fsSl https://pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo\n# Nightly\ncurl -fsSl https://next.pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo\n\n#update repo\nsudo yum update\n\n# install cloudflared\nsudo yum install cloudflared\n
\n\n\n

Centos 7

\n
\n# This requires yum config-manager\nsudo yum install yum-utils\n\n# Add cloudflared.repo to config-manager\n# Stable\nsudo yum-config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo\n# Nightly\nsudo yum-config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo\n\n# install cloudflared\nyum install cloudflared\n
\n\n

Centos 8

\n
\n# This requires dnf config-manager\n# Add cloudflared.repo to config-manager\n# Stable\nsudo dnf config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo\n# Nightly\nsudo dnf config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo\n\n# install cloudflared\nsudo dnf install cloudflared\n
\n\n

Centos Stream

\n
\n# This requires dnf config-manager\n# Add cloudflared.repo to config-manager\n# Stable\nsudo dnf config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo\n# Nightly\nsudo dnf config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo\n\n# install cloudflared\nsudo dnf install cloudflared\n
\n\n\n

Gokeyless

\n

Debian

\n
\nsudo mkdir -p --mode=0755 /usr/share/keyrings\ncurl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null\n\n# Add this repo to your apt repositories\necho 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/gokeyless buster main' | sudo tee /etc/apt/sources.list.d/cloudflare.list\n\n# install gokeyless\nsudo apt-get update && sudo apt-get install gokeyless\n
\n\n

Centos 8

\n
\n# This requires dnf config-manager\n# Add gokeyless.repo to config-manager\nsudo dnf config-manager --add-repo https://pkg.cloudflare.com/gokeyless.repo\n\n# install gokeyless\nsudo dnf install gokeyless\n
\n\n\n" }, { "path": "release_pkgs.py", "content": "\"\"\"\n This is a utility for creating deb and rpm packages, signing them \n and uploading them to a storage and adding metadata to workers KV.\n\n It has two over-arching responsiblities:\n 1. Create deb and yum repositories from .deb and .rpm files. \n This is also responsible for signing the packages and generally preparing \n them to be in an uploadable state.\n 2. Upload these packages to a storage in a format that apt and yum expect.\n\"\"\"\nimport argparse\nimport base64\nimport logging\nimport os\nimport shutil\nfrom pathlib import Path\nfrom subprocess import Popen, PIPE\n\nimport boto3\nimport gnupg\nfrom botocore.client import Config\nfrom botocore.exceptions import ClientError\n\n# The front facing R2 URL to access assets from.\nR2_ASSET_URL = 'https://demo-r2-worker.cloudflare-tunnel.workers.dev/'\n\n\nclass PkgUploader:\n def __init__(self, account_id, bucket_name, client_id, client_secret):\n self.account_id = account_id\n self.bucket_name = bucket_name\n self.client_id = client_id\n self.client_secret = client_secret\n\n def upload_pkg_to_r2(self, filename, upload_file_path):\n endpoint_url = f\"https://{self.account_id}.r2.cloudflarestorage.com\"\n\n config = Config(\n region_name='auto',\n s3={\n \"addressing_style\": \"path\",\n }\n )\n\n r2 = boto3.client(\n \"s3\",\n endpoint_url=endpoint_url,\n aws_access_key_id=self.client_id,\n aws_secret_access_key=self.client_secret,\n config=config,\n )\n\n print(f\"uploading asset: {filename} to {upload_file_path} in bucket {self.bucket_name}...\")\n try:\n r2.upload_file(filename, self.bucket_name, upload_file_path)\n except ClientError as e:\n raise e\n\n\nclass PkgCreator:\n \"\"\"\n The distribution conf is what dictates to reprepro, the debian packaging building\n and signing tool we use, what distros to support, what GPG key to use for signing\n and what to call the debian binary etc. This function creates it \"./conf/distributions\".\n\n origin - name of your package (String)\n label - label of your package (could be same as the name) (String)\n release - release you want this to be distributed for (List of Strings)\n components - could be a channel like main/stable/beta\n archs - Architecture (List of Strings)\n description - (String)\n gpg_key_id - gpg key id of what you want to use to sign the packages.(String) \n \"\"\"\n\n def create_distribution_conf(self,\n file_path,\n origin,\n label,\n releases,\n archs,\n components,\n description,\n gpg_key_id):\n with open(file_path, \"w+\") as distributions_file:\n for release in releases:\n distributions_file.write(f\"Origin: {origin}\\n\")\n distributions_file.write(f\"Label: {label}\\n\")\n distributions_file.write(f\"Codename: {release}\\n\")\n archs_list = \" \".join(archs)\n distributions_file.write(f\"Architectures: {archs_list}\\n\")\n distributions_file.write(f\"Components: {components}\\n\")\n distributions_file.write(f\"Description: {description} - {release}\\n\")\n distributions_file.write(f\"SignWith: {gpg_key_id}\\n\")\n distributions_file.write(\"\\n\")\n return distributions_file\n\n \"\"\"\n Uses the reprepro tool to generate packages, sign them and create the InRelease as specified\n by the distribution_conf file. \n\n This function creates three folders db, pool and dist. \n db and pool contain information and metadata about builds. We can ignore these.\n dist: contains all the pkgs and signed releases that are necessary for an apt download.\n \"\"\"\n\n def create_deb_pkgs(self, release, deb_file):\n print(f\"creating deb pkgs: {release} : {deb_file}\")\n p = Popen([\"reprepro\", \"includedeb\", release, deb_file], stdout=PIPE, stderr=PIPE)\n out, err = p.communicate()\n if p.returncode != 0:\n print(f\"create deb_pkgs result => {out}, {err}\")\n raise\n\n def create_rpm_pkgs(self, artifacts_path, gpg_key_name):\n self._setup_rpm_pkg_directories(artifacts_path, gpg_key_name)\n p = Popen([\"createrepo_c\", \"./rpm\"], stdout=PIPE, stderr=PIPE)\n out, err = p.communicate()\n if p.returncode != 0:\n print(f\"create rpm_pkgs result => {out}, {err}\")\n raise\n\n self._sign_repomd()\n\n \"\"\"\n creates a .repo file with details like so\n [cloudflared-stable]\n name=cloudflared-stable\n baseurl=https://pkg.cloudflare.com/cloudflared/rpm\n enabled=1\n type=rpm\n gpgcheck=1\n gpgkey=https://pkg.cloudflare.com/cloudflare-main.gpg\n \"\"\"\n\n def create_repo_file(self, file_path, binary_name, baseurl, gpgkey_url):\n repo_file_path = os.path.join(file_path, binary_name + '.repo')\n with open(repo_file_path, \"w+\") as repo_file:\n repo_file.write(f\"[{binary_name}-stable]\\n\")\n repo_file.write(f\"name={binary_name}-stable\\n\")\n repo_file.write(f\"baseurl={baseurl}/rpm\\n\")\n repo_file.write(\"enabled=1\\n\")\n repo_file.write(\"type=rpm\\n\")\n repo_file.write(\"gpgcheck=1\\n\")\n repo_file.write(f\"gpgkey={gpgkey_url}\\n\")\n return repo_file_path\n\n\n def _sign_rpms(self, file_path, gpg_key_name):\n p = Popen([\"rpm\", \"--define\", f\"_gpg_name {gpg_key_name}\", \"--addsign\", file_path], stdout=PIPE, stderr=PIPE)\n out, err = p.communicate()\n if p.returncode != 0:\n print(f\"rpm sign result result => {out}, {err}\")\n raise\n\n def _sign_repomd(self):\n p = Popen([\"gpg\", \"--batch\", \"--yes\", \"--detach-sign\", \"--armor\", \"./rpm/repodata/repomd.xml\"], stdout=PIPE, stderr=PIPE)\n out, err = p.communicate()\n if p.returncode != 0:\n print(f\"sign repomd result => {out}, {err}\")\n raise\n\n \"\"\"\n sets up and signs the RPM directories in the following format:\n - rpm \n - aarch64\n - x86_64\n - 386\n\n this assumes the assets are in the format -.rpm\n \"\"\"\n\n def _setup_rpm_pkg_directories(self, artifacts_path, gpg_key_name, archs=[\"aarch64\", \"x86_64\", \"386\"]):\n for arch in archs:\n for root, _, files in os.walk(artifacts_path):\n for file in files:\n if file.endswith(f\"{arch}.rpm\"):\n new_dir = f\"./rpm/{arch}\"\n os.makedirs(new_dir, exist_ok=True)\n old_path = os.path.join(root, file)\n new_path = os.path.join(new_dir, file)\n shutil.copyfile(old_path, new_path)\n self._sign_rpms(new_path, gpg_key_name)\n\n \"\"\"\n imports gpg keys into the system so reprepro and createrepo can use it to sign packages.\n it returns the GPG ID after a successful import\n \"\"\"\n\n def import_gpg_keys(self, private_key, public_key):\n gpg = gnupg.GPG()\n private_key = base64.b64decode(private_key)\n import_result = gpg.import_keys(private_key)\n if not import_result.fingerprints:\n raise Exception(\"Failed to import private key\")\n\n public_key = base64.b64decode(public_key)\n gpg.import_keys(public_key)\n\n imported_fingerprint = import_result.fingerprints[0]\n data = gpg.list_keys(secret=True)\n\n # Find the specific key we just imported by comparing fingerprints\n for key in data:\n if key[\"fingerprint\"] == imported_fingerprint:\n return (key[\"fingerprint\"], key[\"uids\"][0])\n\n raise Exception(f\"Could not find imported key with fingerprint {imported_fingerprint}\")\n\n def import_multiple_gpg_keys(self, primary_private_key, primary_public_key, secondary_private_key=None, secondary_public_key=None):\n \"\"\"\n Import one or two GPG keypairs. Returns a list of (fingerprint, uid) with the primary first.\n \"\"\"\n results = []\n if primary_private_key and primary_public_key:\n results.append(self.import_gpg_keys(primary_private_key, primary_public_key))\n if secondary_private_key and secondary_public_key:\n # Ensure secondary is imported and appended\n results.append(self.import_gpg_keys(secondary_private_key, secondary_public_key))\n return results\n\n \"\"\"\n basically rpm --import \n This enables us to sign rpms.\n \"\"\"\n\n def import_rpm_key(self, public_key):\n file_name = \"pb.key\"\n with open(file_name, \"wb\") as f:\n public_key = base64.b64decode(public_key)\n f.write(public_key)\n\n p = Popen([\"rpm\", \"--import\", file_name], stdout=PIPE, stderr=PIPE)\n out, err = p.communicate()\n if p.returncode != 0:\n print(f\"create rpm import result => {out}, {err}\")\n raise\n\n\n\"\"\"\n Walks through a directory and uploads it's assets to R2.\n directory : root directory to walk through (String).\n release: release string. If this value is none, a specific release path will not be created \n and the release will be uploaded to the default path. \n binary: name of the binary to upload\n\"\"\"\n\n\ndef upload_from_directories(pkg_uploader, directory, release, binary):\n for root, _, files in os.walk(directory):\n for file in files:\n upload_file_name = os.path.join(binary, root, file)\n if release:\n upload_file_name = os.path.join(release, upload_file_name)\n filename = os.path.join(root, file)\n try:\n pkg_uploader.upload_pkg_to_r2(filename, upload_file_name)\n except ClientError as e:\n logging.error(e)\n return\n\n\n\"\"\" \n 1. looks into a artifacts folder for cloudflared debs\n 2. creates Packages.gz, InRelease (signed) files\n 3. uploads them to Cloudflare R2 \n\n pkg_creator, pkg_uploader: are instantiations of the two classes above.\n\n gpg_key_id: is an id indicating the key the package should be signed with. The public key of this id will be \n uploaded to R2 so it can be presented to apt downloaders.\n\n release_version: is the cloudflared release version. Only provide this if you want a permanent backup.\n\"\"\"\n\n\ndef create_deb_packaging(pkg_creator, pkg_uploader, releases, primary_gpg_key_id, secondary_gpg_key_id, binary_name, archs, package_component,\n release_version):\n # set configuration for package creation.\n print(f\"initialising configuration for {binary_name} , {archs}\")\n Path(\"./conf\").mkdir(parents=True, exist_ok=True)\n # If in rollover mode (secondary provided), tell reprepro to sign with both keys.\n sign_with_ids = primary_gpg_key_id if not secondary_gpg_key_id else f\"{primary_gpg_key_id} {secondary_gpg_key_id}\"\n pkg_creator.create_distribution_conf(\n \"./conf/distributions\",\n binary_name,\n binary_name,\n releases,\n archs,\n package_component,\n f\"apt repository for {binary_name}\",\n sign_with_ids)\n\n # create deb pkgs\n for release in releases:\n for arch in archs:\n print(f\"creating deb pkgs for {release} and {arch}...\")\n pkg_creator.create_deb_pkgs(release, f\"./artifacts/cloudflared-linux-{arch}.deb\")\n\n print(\"uploading latest to r2...\")\n upload_from_directories(pkg_uploader, \"dists\", None, binary_name)\n upload_from_directories(pkg_uploader, \"pool\", None, binary_name)\n\n if release_version:\n print(f\"uploading versioned release {release_version} to r2...\")\n upload_from_directories(pkg_uploader, \"dists\", release_version, binary_name)\n upload_from_directories(pkg_uploader, \"pool\", release_version, binary_name)\n\n\ndef create_rpm_packaging(\n pkg_creator,\n pkg_uploader,\n artifacts_path,\n release_version,\n binary_name,\n gpg_key_name,\n base_url,\n gpg_key_url,\n upload_repo_file=False,\n):\n print(f\"creating rpm pkgs...\")\n pkg_creator.create_rpm_pkgs(artifacts_path, gpg_key_name)\n repo_file = pkg_creator.create_repo_file(artifacts_path, binary_name, base_url, gpg_key_url)\n\n print(\"Uploading repo file\")\n pkg_uploader.upload_pkg_to_r2(repo_file, binary_name + \".repo\")\n\n print(\"uploading latest to r2...\")\n upload_from_directories(pkg_uploader, \"rpm\", None, binary_name)\n\n if upload_repo_file:\n print(f\"uploading versioned release {release_version} to r2...\")\n upload_from_directories(pkg_uploader, \"rpm\", release_version, binary_name)\n\n\ndef parse_args():\n parser = argparse.ArgumentParser(\n description=\"Creates linux releases and uploads them in a packaged format\"\n )\n\n parser.add_argument(\n \"--bucket\", default=os.environ.get(\"R2_BUCKET\"), help=\"R2 Bucket name\"\n )\n parser.add_argument(\n \"--id\", default=os.environ.get(\"R2_CLIENT_ID\"), help=\"R2 Client ID\"\n )\n parser.add_argument(\n \"--secret\", default=os.environ.get(\"R2_CLIENT_SECRET\"), help=\"R2 Client Secret\"\n )\n parser.add_argument(\n \"--account\", default=os.environ.get(\"R2_ACCOUNT_ID\"), help=\"R2 Account Tag\"\n )\n parser.add_argument(\n \"--release-tag\", default=os.environ.get(\"RELEASE_VERSION\"), help=\"Release version you want your pkgs to be\\\n prefixed with. Leave empty if you don't want tagged release versions backed up to R2.\"\n )\n\n parser.add_argument(\n \"--binary\", default=os.environ.get(\"BINARY_NAME\"), help=\"The name of the binary the packages are for\"\n )\n\n parser.add_argument(\n \"--gpg-private-key\", default=os.environ.get(\"LINUX_SIGNING_PRIVATE_KEY\"), help=\"GPG private key to sign the\\\n packages\"\n )\n\n parser.add_argument(\n \"--gpg-public-key\", default=os.environ.get(\"LINUX_SIGNING_PUBLIC_KEY\"), help=\"GPG public key used for\\\n signing packages\"\n )\n\n # Optional secondary keypair for key rollover\n parser.add_argument(\n \"--gpg-private-key-2\", default=os.environ.get(\"LINUX_SIGNING_PRIVATE_KEY_2\"), help=\"Secondary GPG private key for rollover\"\n )\n parser.add_argument(\n \"--gpg-public-key-2\", default=os.environ.get(\"LINUX_SIGNING_PUBLIC_KEY_2\"), help=\"Secondary GPG public key for rollover\"\n )\n\n parser.add_argument(\n \"--gpg-public-key-url\", default=os.environ.get(\"GPG_PUBLIC_KEY_URL\"), help=\"GPG public key url that\\\n downloaders can use to verify signing\"\n )\n\n parser.add_argument(\n \"--pkg-upload-url\", default=os.environ.get(\"PKG_URL\"), help=\"URL to be used by downloaders\"\n )\n\n parser.add_argument(\n \"--deb-based-releases\", default=[\"any\", \"bookworm\", \"noble\", \"jammy\", \"focal\", \"bionic\", \"xenial\"],\n help=\"list of debian based releases that need to be packaged for\"\n )\n\n parser.add_argument(\n \"--archs\", default=[\"amd64\", \"386\", \"arm64\", \"arm\", \"armhf\"], help=\"list of architectures we want to package for. Note that\\\n it is the caller's responsiblity to ensure that these debs are already present in a directory. This script\\\n will not build binaries or create their debs.\"\n )\n\n parser.add_argument(\n \"--upload-repo-file\", action='store_true', help=\"Upload RPM repo file to R2\"\n )\n args = parser.parse_args()\n\n return args\n\n\nif __name__ == \"__main__\":\n try:\n args = parse_args()\n except Exception as e:\n logging.exception(e)\n exit(1)\n\n pkg_creator = PkgCreator()\n # Import one or two keypairs; primary first\n key_results = pkg_creator.import_multiple_gpg_keys(\n args.gpg_private_key,\n args.gpg_public_key,\n args.gpg_private_key_2,\n args.gpg_public_key_2,\n )\n if not key_results or len(key_results) == 0:\n raise SystemExit(\"No GPG keys were provided for signing\")\n primary_gpg_key_id, primary_gpg_key_name = key_results[0]\n secondary_gpg_key_id = None\n secondary_gpg_key_name = None\n if len(key_results) > 1:\n secondary_gpg_key_id, secondary_gpg_key_name = key_results[1]\n\n if args.gpg_private_key_2:\n print(f\"signing RPM with secondary gpg_key: {secondary_gpg_key_id}\")\n pkg_creator.import_rpm_key(args.gpg_public_key_2)\n else:\n print(f\"signing RPM with primary gpg_key: {primary_gpg_key_name}\")\n pkg_creator.import_rpm_key(args.gpg_public_key)\n\n\n pkg_uploader = PkgUploader(args.account, args.bucket, args.id, args.secret)\n print(f\"signing deb with primary gpg_key: {primary_gpg_key_id} and secondary gpg_key: {secondary_gpg_key_id}\")\n create_deb_packaging(\n pkg_creator,\n pkg_uploader,\n args.deb_based_releases,\n primary_gpg_key_id,\n secondary_gpg_key_id,\n args.binary,\n args.archs,\n \"main\",\n args.release_tag,\n )\n\n create_rpm_packaging(\n pkg_creator,\n pkg_uploader,\n \"./artifacts\",\n args.release_tag,\n args.binary,\n secondary_gpg_key_name,\n args.pkg_upload_url,\n args.gpg_public_key_url,\n args.upload_repo_file,\n )\n" }, { "path": "retry/backoffhandler.go", "content": "package retry\n\nimport (\n\t\"context\"\n\t\"math/rand\"\n\t\"time\"\n)\n\nconst (\n\tDefaultBaseTime time.Duration = time.Second\n)\n\n// Redeclare time functions so they can be overridden in tests.\ntype Clock struct {\n\tNow func() time.Time\n\tAfter func(d time.Duration) <-chan time.Time\n}\n\n// BackoffHandler manages exponential backoff and limits the maximum number of retries.\n// The base time period is 1 second, doubling with each retry.\n// After initial success, a grace period can be set to reset the backoff timer if\n// a connection is maintained successfully for a long enough period. The base grace period\n// is 2 seconds, doubling with each retry.\ntype BackoffHandler struct {\n\t// MaxRetries sets the maximum number of retries to perform. The default value\n\t// of 0 disables retry completely.\n\tmaxRetries uint\n\t// RetryForever caps the exponential backoff period according to MaxRetries\n\t// but allows you to retry indefinitely.\n\tretryForever bool\n\t// BaseTime sets the initial backoff period.\n\tbaseTime time.Duration\n\n\tretries uint\n\tresetDeadline time.Time\n\n\tClock Clock\n}\n\nfunc NewBackoff(maxRetries uint, baseTime time.Duration, retryForever bool) BackoffHandler {\n\treturn BackoffHandler{\n\t\tmaxRetries: maxRetries,\n\t\tbaseTime: baseTime,\n\t\tretryForever: retryForever,\n\t\tClock: Clock{Now: time.Now, After: time.After},\n\t}\n}\n\nfunc (b BackoffHandler) GetMaxBackoffDuration(ctx context.Context) (time.Duration, bool) {\n\t// Follows the same logic as Backoff, but without mutating the receiver.\n\t// This select has to happen first to reflect the actual behaviour of the Backoff function.\n\tselect {\n\tcase <-ctx.Done():\n\t\treturn time.Duration(0), false\n\tdefault:\n\t}\n\tif !b.resetDeadline.IsZero() && b.Clock.Now().After(b.resetDeadline) {\n\t\t// b.retries would be set to 0 at this point\n\t\treturn time.Second, true\n\t}\n\tif b.retries >= b.maxRetries && !b.retryForever {\n\t\treturn time.Duration(0), false\n\t}\n\tmaxTimeToWait := b.GetBaseTime() * 1 << (b.retries + 1)\n\treturn maxTimeToWait, true\n}\n\n// BackoffTimer returns a channel that sends the current time when the exponential backoff timeout expires.\n// Returns nil if the maximum number of retries have been used.\nfunc (b *BackoffHandler) BackoffTimer() <-chan time.Time {\n\tif !b.resetDeadline.IsZero() && b.Clock.Now().After(b.resetDeadline) {\n\t\tb.retries = 0\n\t\tb.resetDeadline = time.Time{}\n\t}\n\tif b.retries >= b.maxRetries {\n\t\tif !b.retryForever {\n\t\t\treturn nil\n\t\t}\n\t} else {\n\t\tb.retries++\n\t}\n\tmaxTimeToWait := b.GetBaseTime() * (1 << b.retries)\n\ttimeToWait := time.Duration(rand.Int63n(maxTimeToWait.Nanoseconds())) // #nosec G404\n\treturn b.Clock.After(timeToWait)\n}\n\n// Backoff is used to wait according to exponential backoff. Returns false if the\n// maximum number of retries have been used or if the underlying context has been cancelled.\nfunc (b *BackoffHandler) Backoff(ctx context.Context) bool {\n\tc := b.BackoffTimer()\n\tif c == nil {\n\t\treturn false\n\t}\n\tselect {\n\tcase <-c:\n\t\treturn true\n\tcase <-ctx.Done():\n\t\treturn false\n\t}\n}\n\n// Sets a grace period within which the backoff timer is maintained. After the grace\n// period expires, the number of retries & backoff duration is reset.\nfunc (b *BackoffHandler) SetGracePeriod() time.Duration {\n\tmaxTimeToWait := b.GetBaseTime() * 2 << (b.retries + 1)\n\ttimeToWait := time.Duration(rand.Int63n(maxTimeToWait.Nanoseconds())) // #nosec G404\n\tb.resetDeadline = b.Clock.Now().Add(timeToWait)\n\n\treturn timeToWait\n}\n\nfunc (b BackoffHandler) GetBaseTime() time.Duration {\n\tif b.baseTime == 0 {\n\t\treturn DefaultBaseTime\n\t}\n\treturn b.baseTime\n}\n\n// Retries returns the number of retries consumed so far.\nfunc (b *BackoffHandler) Retries() int {\n\treturn int(b.retries) // #nosec G115\n}\n\nfunc (b *BackoffHandler) ReachedMaxRetries() bool {\n\treturn b.retries == b.maxRetries\n}\n\nfunc (b *BackoffHandler) ResetNow() {\n\tb.resetDeadline = b.Clock.Now()\n\tb.retries = 0\n}\n" }, { "path": "retry/backoffhandler_test.go", "content": "package retry\n\nimport (\n\t\"context\"\n\t\"testing\"\n\t\"time\"\n)\n\nfunc immediateTimeAfter(time.Duration) <-chan time.Time {\n\tc := make(chan time.Time, 1)\n\tc <- time.Now()\n\treturn c\n}\n\nfunc TestBackoffRetries(t *testing.T) {\n\tctx := context.Background()\n\t// make backoff return immediately\n\tbackoff := BackoffHandler{maxRetries: 3, Clock: Clock{time.Now, immediateTimeAfter}}\n\tif !backoff.Backoff(ctx) {\n\t\tt.Fatalf(\"backoff failed immediately\")\n\t}\n\tif !backoff.Backoff(ctx) {\n\t\tt.Fatalf(\"backoff failed after 1 retry\")\n\t}\n\tif !backoff.Backoff(ctx) {\n\t\tt.Fatalf(\"backoff failed after 2 retry\")\n\t}\n\tif backoff.Backoff(ctx) {\n\t\tt.Fatalf(\"backoff allowed after 3 (max) retries\")\n\t}\n}\n\nfunc TestBackoffCancel(t *testing.T) {\n\tctx, cancelFunc := context.WithCancel(context.Background())\n\t// prevent backoff from returning normally\n\tafter := func(time.Duration) <-chan time.Time { return make(chan time.Time) }\n\tbackoff := BackoffHandler{maxRetries: 3, Clock: Clock{time.Now, after}}\n\tcancelFunc()\n\tif backoff.Backoff(ctx) {\n\t\tt.Fatalf(\"backoff allowed after cancel\")\n\t}\n\tif _, ok := backoff.GetMaxBackoffDuration(ctx); ok {\n\t\tt.Fatalf(\"backoff allowed after cancel\")\n\t}\n}\n\nfunc TestBackoffGracePeriod(t *testing.T) {\n\tctx := context.Background()\n\tcurrentTime := time.Now()\n\t// make Clock.Now return whatever we like\n\tnow := func() time.Time { return currentTime }\n\t// make backoff return immediately\n\tbackoff := BackoffHandler{maxRetries: 1, Clock: Clock{now, immediateTimeAfter}}\n\tif !backoff.Backoff(ctx) {\n\t\tt.Fatalf(\"backoff failed immediately\")\n\t}\n\t// the next call to Backoff would fail unless it's after the grace period\n\tgracePeriod := backoff.SetGracePeriod()\n\t// advance time to after the grace period, which at most will be 8 seconds, but we will advance +1 second.\n\tcurrentTime = currentTime.Add(gracePeriod + time.Second)\n\tif !backoff.Backoff(ctx) {\n\t\tt.Fatalf(\"backoff failed after the grace period expired\")\n\t}\n\t// confirm we ignore grace period after backoff\n\tif backoff.Backoff(ctx) {\n\t\tt.Fatalf(\"backoff allowed after 1 (max) retry\")\n\t}\n}\n\nfunc TestGetMaxBackoffDurationRetries(t *testing.T) {\n\tctx := context.Background()\n\t// make backoff return immediately\n\tbackoff := BackoffHandler{maxRetries: 3, Clock: Clock{time.Now, immediateTimeAfter}}\n\tif _, ok := backoff.GetMaxBackoffDuration(ctx); !ok {\n\t\tt.Fatalf(\"backoff failed immediately\")\n\t}\n\tbackoff.Backoff(ctx) // noop\n\tif _, ok := backoff.GetMaxBackoffDuration(ctx); !ok {\n\t\tt.Fatalf(\"backoff failed after 1 retry\")\n\t}\n\tbackoff.Backoff(ctx) // noop\n\tif _, ok := backoff.GetMaxBackoffDuration(ctx); !ok {\n\t\tt.Fatalf(\"backoff failed after 2 retry\")\n\t}\n\tbackoff.Backoff(ctx) // noop\n\tif _, ok := backoff.GetMaxBackoffDuration(ctx); ok {\n\t\tt.Fatalf(\"backoff allowed after 3 (max) retries\")\n\t}\n\tif backoff.Backoff(ctx) {\n\t\tt.Fatalf(\"backoff allowed after 3 (max) retries\")\n\t}\n}\n\nfunc TestGetMaxBackoffDuration(t *testing.T) {\n\tctx := context.Background()\n\t// make backoff return immediately\n\tbackoff := BackoffHandler{maxRetries: 3, Clock: Clock{time.Now, immediateTimeAfter}}\n\tif duration, ok := backoff.GetMaxBackoffDuration(ctx); !ok || duration > time.Second*2 {\n\t\tt.Fatalf(\"backoff (%s) didn't return < 2 seconds on first retry\", duration)\n\t}\n\tbackoff.Backoff(ctx) // noop\n\tif duration, ok := backoff.GetMaxBackoffDuration(ctx); !ok || duration > time.Second*4 {\n\t\tt.Fatalf(\"backoff (%s) didn't return < 4 seconds on second retry\", duration)\n\t}\n\tbackoff.Backoff(ctx) // noop\n\tif duration, ok := backoff.GetMaxBackoffDuration(ctx); !ok || duration > time.Second*8 {\n\t\tt.Fatalf(\"backoff (%s) didn't return < 8 seconds on third retry\", duration)\n\t}\n\tbackoff.Backoff(ctx) // noop\n\tif duration, ok := backoff.GetMaxBackoffDuration(ctx); ok || duration != 0 {\n\t\tt.Fatalf(\"backoff (%s) didn't return 0 seconds on fourth retry (exceeding limit)\", duration)\n\t}\n}\n\nfunc TestBackoffRetryForever(t *testing.T) {\n\tctx := context.Background()\n\t// make backoff return immediately\n\tbackoff := BackoffHandler{maxRetries: 3, retryForever: true, Clock: Clock{time.Now, immediateTimeAfter}}\n\tif duration, ok := backoff.GetMaxBackoffDuration(ctx); !ok || duration > time.Second*2 {\n\t\tt.Fatalf(\"backoff (%s) didn't return < 2 seconds on first retry\", duration)\n\t}\n\tbackoff.Backoff(ctx) // noop\n\tif duration, ok := backoff.GetMaxBackoffDuration(ctx); !ok || duration > time.Second*4 {\n\t\tt.Fatalf(\"backoff (%s) didn't return < 4 seconds on second retry\", duration)\n\t}\n\tbackoff.Backoff(ctx) // noop\n\tif duration, ok := backoff.GetMaxBackoffDuration(ctx); !ok || duration > time.Second*8 {\n\t\tt.Fatalf(\"backoff (%s) didn't return < 8 seconds on third retry\", duration)\n\t}\n\tif !backoff.Backoff(ctx) {\n\t\tt.Fatalf(\"backoff refused on fourth retry despire RetryForever\")\n\t}\n\tif duration, ok := backoff.GetMaxBackoffDuration(ctx); !ok || duration > time.Second*16 {\n\t\tt.Fatalf(\"backoff returned %v instead of 8 seconds on fourth retry\", duration)\n\t}\n\tif !backoff.Backoff(ctx) {\n\t\tt.Fatalf(\"backoff refused on fifth retry despire RetryForever\")\n\t}\n\tif duration, ok := backoff.GetMaxBackoffDuration(ctx); !ok || duration > time.Second*16 {\n\t\tt.Fatalf(\"backoff returned %v instead of 8 seconds on fifth retry\", duration)\n\t}\n}\n" }, { "path": "signal/safe_signal.go", "content": "package signal\n\nimport (\n\t\"sync\"\n)\n\n// Signal lets goroutines signal that some event has occurred. Other goroutines can wait for the signal.\ntype Signal struct {\n\tch chan struct{}\n\tonce sync.Once\n}\n\n// New wraps a channel and turns it into a signal for a one-time event.\nfunc New(ch chan struct{}) *Signal {\n\treturn &Signal{\n\t\tch: ch,\n\t\tonce: sync.Once{},\n\t}\n}\n\n// Notify alerts any goroutines waiting on this signal that the event has occurred.\n// After the first call to Notify(), future calls are no-op.\nfunc (s *Signal) Notify() {\n\ts.once.Do(func() {\n\t\tclose(s.ch)\n\t})\n}\n\n// Wait returns a channel which will be written to when Notify() is called for the first time.\n// This channel will never be written to a second time.\nfunc (s *Signal) Wait() <-chan struct{} {\n\treturn s.ch\n}\n" }, { "path": "signal/safe_signal_test.go", "content": "package signal\n\nimport (\n\t\"testing\"\n)\n\nfunc TestMultiNotifyDoesntCrash(t *testing.T) {\n\tsig := New(make(chan struct{}))\n\tsig.Notify()\n\tsig.Notify()\n\t// If code has reached here without crashing, the test has passed.\n}\n\nfunc TestWait(t *testing.T) {\n\tsig := New(make(chan struct{}))\n\tsig.Notify()\n\tselect {\n\tcase <-sig.Wait():\n\t\t// Test succeeds\n\t\treturn\n\tdefault:\n\t\t// sig.Wait() should have been read from, because sig.Notify() wrote to it.\n\t\tt.Fail()\n\t}\n}\n" }, { "path": "socks/auth_handler.go", "content": "package socks\n\nimport (\n\t\"fmt\"\n\t\"io\"\n)\n\nconst (\n\t// NoAuth means no authentication is used when connecting\n\tNoAuth = uint8(0)\n\n\t// UserPassAuth means a user/password is used when connecting\n\tUserPassAuth = uint8(2)\n\n\tnoAcceptable = uint8(255)\n\tuserAuthVersion = uint8(1)\n\tauthSuccess = uint8(0)\n\tauthFailure = uint8(1)\n)\n\n// AuthHandler handles socks authentication requests\ntype AuthHandler interface {\n\tHandle(io.Reader, io.Writer) error\n\tRegister(uint8, Authenticator)\n}\n\n// StandardAuthHandler loads the default authenticators\ntype StandardAuthHandler struct {\n\tauthenticators map[uint8]Authenticator\n}\n\n// NewAuthHandler creates a default auth handler\nfunc NewAuthHandler() AuthHandler {\n\tdefaults := make(map[uint8]Authenticator)\n\tdefaults[NoAuth] = NewNoAuthAuthenticator()\n\treturn &StandardAuthHandler{\n\t\tauthenticators: defaults,\n\t}\n}\n\n// Register adds/replaces an Authenticator to use when handling Authentication requests\nfunc (h *StandardAuthHandler) Register(method uint8, a Authenticator) {\n\th.authenticators[method] = a\n}\n\n// Handle gets the methods from the SOCKS5 client and authenticates with the first supported method\nfunc (h *StandardAuthHandler) Handle(bufConn io.Reader, conn io.Writer) error {\n\tmethods, err := readMethods(bufConn)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"Failed to read auth methods: %v\", err)\n\t}\n\n\t// first supported method is used\n\tfor _, method := range methods {\n\t\tauthenticator := h.authenticators[method]\n\t\tif authenticator != nil {\n\t\t\treturn authenticator.Handle(bufConn, conn)\n\t\t}\n\t}\n\n\t// failed to authenticate. No supported authentication type found\n\tconn.Write([]byte{socks5Version, noAcceptable})\n\treturn fmt.Errorf(\"unknown authentication type\")\n}\n\n// readMethods is used to read the number and type of methods\nfunc readMethods(r io.Reader) ([]byte, error) {\n\theader := []byte{0}\n\tif _, err := r.Read(header); err != nil {\n\t\treturn nil, err\n\t}\n\n\tnumMethods := int(header[0])\n\tmethods := make([]byte, numMethods)\n\t_, err := io.ReadAtLeast(r, methods, numMethods)\n\treturn methods, err\n}\n" }, { "path": "socks/authenticator.go", "content": "package socks\n\nimport (\n\t\"fmt\"\n\t\"io\"\n)\n\n// Authenticator is the connection passed in as a reader/writer to support different authentication types\ntype Authenticator interface {\n\tHandle(io.Reader, io.Writer) error\n}\n\n// NoAuthAuthenticator is used to handle the No Authentication mode\ntype NoAuthAuthenticator struct{}\n\n// NewNoAuthAuthenticator creates a authless Authenticator\nfunc NewNoAuthAuthenticator() Authenticator {\n\treturn &NoAuthAuthenticator{}\n}\n\n// Handle writes back the version and NoAuth\nfunc (a *NoAuthAuthenticator) Handle(reader io.Reader, writer io.Writer) error {\n\t_, err := writer.Write([]byte{socks5Version, NoAuth})\n\treturn err\n}\n\n// UserPassAuthAuthenticator is used to handle the user/password mode\ntype UserPassAuthAuthenticator struct {\n\tIsValid func(string, string) bool\n}\n\n// NewUserPassAuthAuthenticator creates a new username/password validator Authenticator\nfunc NewUserPassAuthAuthenticator(isValid func(string, string) bool) Authenticator {\n\treturn &UserPassAuthAuthenticator{\n\t\tIsValid: isValid,\n\t}\n}\n\n// Handle writes back the version and NoAuth\nfunc (a *UserPassAuthAuthenticator) Handle(reader io.Reader, writer io.Writer) error {\n\tif _, err := writer.Write([]byte{socks5Version, UserPassAuth}); err != nil {\n\t\treturn err\n\t}\n\n\t// Get the version and username length\n\theader := []byte{0, 0}\n\tif _, err := io.ReadAtLeast(reader, header, 2); err != nil {\n\t\treturn err\n\t}\n\n\t// Ensure compatibility. Someone call E-harmony\n\tif header[0] != userAuthVersion {\n\t\treturn fmt.Errorf(\"Unsupported auth version: %v\", header[0])\n\t}\n\n\t// Get the user name\n\tuserLen := int(header[1])\n\tuser := make([]byte, userLen)\n\tif _, err := io.ReadAtLeast(reader, user, userLen); err != nil {\n\t\treturn err\n\t}\n\n\t// Get the password length\n\tif _, err := reader.Read(header[:1]); err != nil {\n\t\treturn err\n\t}\n\n\t// Get the password\n\tpassLen := int(header[0])\n\tpass := make([]byte, passLen)\n\tif _, err := io.ReadAtLeast(reader, pass, passLen); err != nil {\n\t\treturn err\n\t}\n\n\t// Verify the password\n\tif a.IsValid(string(user), string(pass)) {\n\t\t_, err := writer.Write([]byte{userAuthVersion, authSuccess})\n\t\treturn err\n\t}\n\n\t// password failed. Write back failure\n\tif _, err := writer.Write([]byte{userAuthVersion, authFailure}); err != nil {\n\t\treturn err\n\t}\n\n\treturn fmt.Errorf(\"User authentication failed\")\n}\n" }, { "path": "socks/connection_handler.go", "content": "package socks\n\nimport (\n\t\"bufio\"\n\t\"fmt\"\n\t\"io\"\n)\n\n// ConnectionHandler is the Serve method to handle connections\n// from a local TCP listener of the standard library (net.Listener)\ntype ConnectionHandler interface {\n\tServe(io.ReadWriter) error\n}\n\n// StandardConnectionHandler is the base implementation of handling SOCKS5 requests\ntype StandardConnectionHandler struct {\n\trequestHandler RequestHandler\n\tauthHandler AuthHandler\n}\n\n// NewConnectionHandler creates a standard SOCKS5 connection handler\n// This process connections from a generic TCP listener from the standard library\nfunc NewConnectionHandler(requestHandler RequestHandler) ConnectionHandler {\n\treturn &StandardConnectionHandler{\n\t\trequestHandler: requestHandler,\n\t\tauthHandler: NewAuthHandler(),\n\t}\n}\n\n// Serve process new connection created after calling `Accept()` in the standard library\nfunc (h *StandardConnectionHandler) Serve(c io.ReadWriter) error {\n\tbufConn := bufio.NewReader(c)\n\n\t// read the version byte\n\tversion := []byte{0}\n\tif _, err := bufConn.Read(version); err != nil {\n\t\treturn err\n\t}\n\n\t// ensure compatibility\n\tif version[0] != socks5Version {\n\t\treturn fmt.Errorf(\"Unsupported SOCKS version: %v\", version)\n\t}\n\n\t// handle auth\n\tif err := h.authHandler.Handle(bufConn, c); err != nil {\n\t\treturn err\n\t}\n\n\t// process command/request\n\treq, err := NewRequest(bufConn)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn h.requestHandler.Handle(req, c)\n}\n" }, { "path": "socks/connection_handler_test.go", "content": "package socks\n\nimport (\n\t\"encoding/json\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"golang.org/x/net/proxy\"\n)\n\ntype successResponse struct {\n\tStatus string `json:\"status\"`\n}\n\nfunc sendSocksRequest(t *testing.T) []byte {\n\tdialer, err := proxy.SOCKS5(\"tcp\", \"127.0.0.1:8086\", nil, proxy.Direct)\n\tassert.NoError(t, err)\n\n\thttpTransport := &http.Transport{}\n\thttpClient := &http.Client{Transport: httpTransport}\n\t// set our socks5 as the dialer\n\thttpTransport.Dial = dialer.Dial\n\n\treq, err := http.NewRequest(\"GET\", \"http://127.0.0.1:8085\", nil)\n\tassert.NoError(t, err)\n\n\tresp, err := httpClient.Do(req)\n\tassert.NoError(t, err)\n\tdefer resp.Body.Close()\n\n\tb, err := io.ReadAll(resp.Body)\n\tassert.NoError(t, err)\n\n\treturn b\n}\n\nfunc startTestServer(t *testing.T, httpHandler func(w http.ResponseWriter, r *http.Request)) {\n\t// create a socks server\n\trequestHandler := NewRequestHandler(NewNetDialer(), nil)\n\tsocksServer := NewConnectionHandler(requestHandler)\n\tlistener, err := net.Listen(\"tcp\", \"localhost:8086\")\n\tassert.NoError(t, err)\n\n\tgo func() {\n\t\tdefer listener.Close()\n\t\tfor {\n\t\t\tconn, _ := listener.Accept()\n\t\t\tgo socksServer.Serve(conn)\n\t\t}\n\t}()\n\n\t// create an http server\n\tmux := http.NewServeMux()\n\tmux.HandleFunc(\"/\", httpHandler)\n\n\t// start the servers\n\tgo http.ListenAndServe(\"localhost:8085\", mux)\n}\n\nfunc respondWithJSON(w http.ResponseWriter, v interface{}, status int) {\n\tdata, _ := json.Marshal(v)\n\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.WriteHeader(status)\n\tw.Write(data)\n}\n\nfunc OkJSONResponseHandler(w http.ResponseWriter, r *http.Request) {\n\tresp := successResponse{\n\t\tStatus: \"ok\",\n\t}\n\trespondWithJSON(w, resp, http.StatusOK)\n}\n\nfunc TestSocksConnection(t *testing.T) {\n\tstartTestServer(t, OkJSONResponseHandler)\n\ttime.Sleep(100 * time.Millisecond)\n\tb := sendSocksRequest(t)\n\tassert.True(t, len(b) > 0, \"no data returned!\")\n\n\tvar resp successResponse\n\tjson.Unmarshal(b, &resp)\n\n\tassert.True(t, resp.Status == \"ok\", \"response didn't return ok\")\n}\n" }, { "path": "socks/dialer.go", "content": "package socks\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n)\n\n// Dialer is used to provided the transport of the proxy\ntype Dialer interface {\n\tDial(string) (io.ReadWriteCloser, *AddrSpec, error)\n}\n\n// NetDialer is a standard TCP dialer\ntype NetDialer struct {\n}\n\n// NewNetDialer creates a new dialer\nfunc NewNetDialer() Dialer {\n\treturn &NetDialer{}\n}\n\n// Dial is a base TCP dialer\nfunc (d *NetDialer) Dial(address string) (io.ReadWriteCloser, *AddrSpec, error) {\n\tc, err := net.Dial(\"tcp\", address)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\tlocal := c.LocalAddr().(*net.TCPAddr)\n\taddr := AddrSpec{IP: local.IP, Port: local.Port}\n\n\treturn c, &addr, nil\n}\n\n// ConnDialer is like NetDialer but with an existing TCP dialer already created\ntype ConnDialer struct {\n\tconn net.Conn\n}\n\n// NewConnDialer creates a new dialer with a already created net.conn (TCP expected)\nfunc NewConnDialer(conn net.Conn) Dialer {\n\treturn &ConnDialer{\n\t\tconn: conn,\n\t}\n}\n\n// Dial is a TCP dialer but already created\nfunc (d *ConnDialer) Dial(address string) (io.ReadWriteCloser, *AddrSpec, error) {\n\tlocal, ok := d.conn.LocalAddr().(*net.TCPAddr)\n\tif !ok {\n\t\treturn nil, nil, fmt.Errorf(\"not a tcp connection\")\n\t}\n\n\taddr := AddrSpec{IP: local.IP, Port: local.Port}\n\treturn d.conn, &addr, nil\n}\n" }, { "path": "socks/request.go", "content": "package socks\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"strconv\"\n)\n\nconst (\n\t// version\n\tsocks5Version = uint8(5)\n\n\t// commands https://tools.ietf.org/html/rfc1928#section-4\n\tconnectCommand = uint8(1)\n\tbindCommand = uint8(2)\n\tassociateCommand = uint8(3)\n\n\t// address types\n\tipv4Address = uint8(1)\n\tfqdnAddress = uint8(3)\n\tipv6Address = uint8(4)\n)\n\n// https://tools.ietf.org/html/rfc1928#section-6\nconst (\n\tsuccessReply uint8 = iota\n\tserverFailure\n\truleFailure\n\tnetworkUnreachable\n\thostUnreachable\n\tconnectionRefused\n\tttlExpired\n\tcommandNotSupported\n\taddrTypeNotSupported\n)\n\n// AddrSpec is used to return the target IPv4, IPv6, or a FQDN\ntype AddrSpec struct {\n\tFQDN string\n\tIP net.IP\n\tPort int\n}\n\n// String gives a host version of the Address\nfunc (a *AddrSpec) String() string {\n\tif a.FQDN != \"\" {\n\t\treturn fmt.Sprintf(\"%s (%s):%d\", a.FQDN, a.IP, a.Port)\n\t}\n\treturn fmt.Sprintf(\"%s:%d\", a.IP, a.Port)\n}\n\n// Address returns a string suitable to dial; prefer returning IP-based\n// address, fallback to FQDN\nfunc (a AddrSpec) Address() string {\n\tif len(a.IP) != 0 {\n\t\treturn net.JoinHostPort(a.IP.String(), strconv.Itoa(a.Port))\n\t}\n\treturn net.JoinHostPort(a.FQDN, strconv.Itoa(a.Port))\n}\n\n// Request is a SOCKS5 command with supporting field of the connection\ntype Request struct {\n\t// Protocol version\n\tVersion uint8\n\t// Requested command\n\tCommand uint8\n\t// AddrSpec of the destination\n\tDestAddr *AddrSpec\n\t// reading from the connection\n\tbufConn io.Reader\n}\n\n// NewRequest creates a new request from the connection data stream\nfunc NewRequest(bufConn io.Reader) (*Request, error) {\n\t// Read the version byte\n\theader := []byte{0, 0, 0}\n\tif _, err := io.ReadAtLeast(bufConn, header, 3); err != nil {\n\t\treturn nil, fmt.Errorf(\"Failed to get command version: %v\", err)\n\t}\n\n\t// ensure compatibility\n\tif header[0] != socks5Version {\n\t\treturn nil, fmt.Errorf(\"Unsupported command version: %v\", header[0])\n\t}\n\n\t// Read in the destination address\n\tdest, err := readAddrSpec(bufConn)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &Request{\n\t\tVersion: socks5Version,\n\t\tCommand: header[1],\n\t\tDestAddr: dest,\n\t\tbufConn: bufConn,\n\t}, nil\n}\n\nfunc sendReply(w io.Writer, resp uint8, addr *AddrSpec) error {\n\tvar addrType uint8\n\tvar addrBody []byte\n\tvar addrPort uint16\n\tswitch {\n\tcase addr == nil:\n\t\taddrType = ipv4Address\n\t\taddrBody = []byte{0, 0, 0, 0}\n\t\taddrPort = 0\n\n\tcase addr.FQDN != \"\":\n\t\taddrType = fqdnAddress\n\t\taddrBody = append([]byte{byte(len(addr.FQDN))}, addr.FQDN...)\n\t\taddrPort = uint16(addr.Port)\n\n\tcase addr.IP.To4() != nil:\n\t\taddrType = ipv4Address\n\t\taddrBody = []byte(addr.IP.To4())\n\t\taddrPort = uint16(addr.Port)\n\n\tcase addr.IP.To16() != nil:\n\t\taddrType = ipv6Address\n\t\taddrBody = []byte(addr.IP.To16())\n\t\taddrPort = uint16(addr.Port)\n\n\tdefault:\n\t\treturn fmt.Errorf(\"Failed to format address: %v\", addr)\n\t}\n\n\t// Format the message\n\tmsg := make([]byte, 6+len(addrBody))\n\tmsg[0] = socks5Version\n\tmsg[1] = resp\n\tmsg[2] = 0 // Reserved\n\tmsg[3] = addrType\n\tcopy(msg[4:], addrBody)\n\tmsg[4+len(addrBody)] = byte(addrPort >> 8)\n\tmsg[4+len(addrBody)+1] = byte(addrPort & 0xff)\n\n\t// Send the message\n\t_, err := w.Write(msg)\n\treturn err\n}\n\n// readAddrSpec is used to read AddrSpec.\n// Expects an address type byte, followed by the address and port\nfunc readAddrSpec(r io.Reader) (*AddrSpec, error) {\n\td := &AddrSpec{}\n\n\t// Get the address type\n\taddrType := []byte{0}\n\tif _, err := r.Read(addrType); err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Handle on a per type basis\n\tswitch addrType[0] {\n\tcase ipv4Address:\n\t\taddr := make([]byte, 4)\n\t\tif _, err := io.ReadAtLeast(r, addr, len(addr)); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\td.IP = net.IP(addr)\n\n\tcase ipv6Address:\n\t\taddr := make([]byte, 16)\n\t\tif _, err := io.ReadAtLeast(r, addr, len(addr)); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\td.IP = net.IP(addr)\n\n\tcase fqdnAddress:\n\t\tif _, err := r.Read(addrType); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\taddrLen := int(addrType[0])\n\t\tfqdn := make([]byte, addrLen)\n\t\tif _, err := io.ReadAtLeast(r, fqdn, addrLen); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\td.FQDN = string(fqdn)\n\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"Unrecognized address type\")\n\t}\n\n\t// Read the port\n\tport := []byte{0, 0}\n\tif _, err := io.ReadAtLeast(r, port, 2); err != nil {\n\t\treturn nil, err\n\t}\n\td.Port = (int(port[0]) << 8) | int(port[1])\n\n\treturn d, nil\n}\n" }, { "path": "socks/request_handler.go", "content": "package socks\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"strings\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/ipaccess\"\n)\n\n// RequestHandler is the functions needed to handle a SOCKS5 command\ntype RequestHandler interface {\n\tHandle(*Request, io.ReadWriter) error\n}\n\n// StandardRequestHandler implements the base socks5 command processing\ntype StandardRequestHandler struct {\n\tdialer Dialer\n\taccessPolicy *ipaccess.Policy\n}\n\n// NewRequestHandler creates a standard SOCKS5 request handler\n// This handles the SOCKS5 commands and proxies them to their destination\nfunc NewRequestHandler(dialer Dialer, accessPolicy *ipaccess.Policy) RequestHandler {\n\treturn &StandardRequestHandler{\n\t\tdialer: dialer,\n\t\taccessPolicy: accessPolicy,\n\t}\n}\n\n// Handle processes and responds to socks5 commands\nfunc (h *StandardRequestHandler) Handle(req *Request, conn io.ReadWriter) error {\n\tswitch req.Command {\n\tcase connectCommand:\n\t\treturn h.handleConnect(conn, req)\n\tcase bindCommand:\n\t\treturn h.handleBind(conn, req)\n\tcase associateCommand:\n\t\treturn h.handleAssociate(conn, req)\n\tdefault:\n\t\tif err := sendReply(conn, commandNotSupported, nil); err != nil {\n\t\t\treturn fmt.Errorf(\"Failed to send reply: %v\", err)\n\t\t}\n\t\treturn fmt.Errorf(\"Unsupported command: %v\", req.Command)\n\t}\n}\n\n// handleConnect is used to handle a connect command\nfunc (h *StandardRequestHandler) handleConnect(conn io.ReadWriter, req *Request) error {\n\tif h.accessPolicy != nil {\n\t\tif req.DestAddr.IP == nil {\n\t\t\taddr, err := net.ResolveIPAddr(\"ip\", req.DestAddr.FQDN)\n\t\t\tif err != nil {\n\t\t\t\t_ = sendReply(conn, ruleFailure, req.DestAddr)\n\t\t\t\treturn fmt.Errorf(\"unable to resolve host to confirm access\")\n\t\t\t}\n\n\t\t\treq.DestAddr.IP = addr.IP\n\t\t}\n\t\tif allowed, rule := h.accessPolicy.Allowed(req.DestAddr.IP, req.DestAddr.Port); !allowed {\n\t\t\t_ = sendReply(conn, ruleFailure, req.DestAddr)\n\t\t\tif rule != nil {\n\t\t\t\treturn fmt.Errorf(\"Connect to %v denied due to iprule: %s\", req.DestAddr, rule.String())\n\t\t\t}\n\t\t\treturn fmt.Errorf(\"Connect to %v denied\", req.DestAddr)\n\t\t}\n\t}\n\n\ttarget, localAddr, err := h.dialer.Dial(req.DestAddr.Address())\n\tif err != nil {\n\t\tmsg := err.Error()\n\t\tresp := hostUnreachable\n\t\tif strings.Contains(msg, \"refused\") {\n\t\t\tresp = connectionRefused\n\t\t} else if strings.Contains(msg, \"network is unreachable\") {\n\t\t\tresp = networkUnreachable\n\t\t}\n\t\tif err := sendReply(conn, resp, nil); err != nil {\n\t\t\treturn fmt.Errorf(\"Failed to send reply: %v\", err)\n\t\t}\n\t\treturn fmt.Errorf(\"Connect to %v failed: %v\", req.DestAddr, err)\n\t}\n\tdefer target.Close()\n\n\t// Send success\n\tif err := sendReply(conn, successReply, localAddr); err != nil {\n\t\treturn fmt.Errorf(\"Failed to send reply: %v\", err)\n\t}\n\n\t// Start proxying\n\tproxyDone := make(chan error, 2)\n\n\tgo func() {\n\t\t_, e := io.Copy(target, req.bufConn)\n\t\tproxyDone <- e\n\t}()\n\n\tgo func() {\n\t\t_, e := io.Copy(conn, target)\n\t\tproxyDone <- e\n\t}()\n\n\t// Wait for both\n\tfor i := 0; i < 2; i++ {\n\t\te := <-proxyDone\n\t\tif e != nil {\n\t\t\treturn e\n\t\t}\n\t}\n\treturn nil\n}\n\n// handleBind is used to handle a bind command\n// TODO: Support bind command\nfunc (h *StandardRequestHandler) handleBind(conn io.ReadWriter, req *Request) error {\n\tif err := sendReply(conn, commandNotSupported, nil); err != nil {\n\t\treturn fmt.Errorf(\"Failed to send reply: %v\", err)\n\t}\n\treturn nil\n}\n\n// handleAssociate is used to handle a connect command\n// TODO: Support associate command\nfunc (h *StandardRequestHandler) handleAssociate(conn io.ReadWriter, req *Request) error {\n\tif err := sendReply(conn, commandNotSupported, nil); err != nil {\n\t\treturn fmt.Errorf(\"Failed to send reply: %v\", err)\n\t}\n\treturn nil\n}\n\nfunc StreamHandler(tunnelConn io.ReadWriter, originConn net.Conn, log *zerolog.Logger) {\n\tdialer := NewConnDialer(originConn)\n\trequestHandler := NewRequestHandler(dialer, nil)\n\tsocksServer := NewConnectionHandler(requestHandler)\n\n\tif err := socksServer.Serve(tunnelConn); err != nil {\n\t\tlog.Debug().Err(err).Msg(\"Socks stream handler error\")\n\t}\n}\n\nfunc StreamNetHandler(tunnelConn io.ReadWriter, accessPolicy *ipaccess.Policy, log *zerolog.Logger) {\n\tdialer := NewNetDialer()\n\trequestHandler := NewRequestHandler(dialer, accessPolicy)\n\tsocksServer := NewConnectionHandler(requestHandler)\n\n\tif err := socksServer.Serve(tunnelConn); err != nil {\n\t\tlog.Debug().Err(err).Msg(\"Socks stream handler error\")\n\t}\n}\n" }, { "path": "socks/request_handler_test.go", "content": "package socks\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n\n\t\"github.com/cloudflare/cloudflared/ipaccess\"\n)\n\nfunc TestUnsupportedBind(t *testing.T) {\n\treq := createRequest(t, socks5Version, bindCommand, \"2001:db8::68\", 1337, false)\n\tvar b bytes.Buffer\n\n\trequestHandler := NewRequestHandler(NewNetDialer(), nil)\n\terr := requestHandler.Handle(req, &b)\n\tassert.NoError(t, err)\n\tassert.True(t, b.Bytes()[1] == commandNotSupported, \"expected a response\")\n}\n\nfunc TestUnsupportedAssociate(t *testing.T) {\n\treq := createRequest(t, socks5Version, associateCommand, \"127.0.0.1\", 1337, false)\n\tvar b bytes.Buffer\n\n\trequestHandler := NewRequestHandler(NewNetDialer(), nil)\n\terr := requestHandler.Handle(req, &b)\n\tassert.NoError(t, err)\n\tassert.True(t, b.Bytes()[1] == commandNotSupported, \"expected a response\")\n}\n\nfunc TestHandleConnect(t *testing.T) {\n\treq := createRequest(t, socks5Version, connectCommand, \"127.0.0.1\", 1337, false)\n\tvar b bytes.Buffer\n\n\trequestHandler := NewRequestHandler(NewNetDialer(), nil)\n\terr := requestHandler.Handle(req, &b)\n\tassert.Error(t, err)\n\tassert.True(t, b.Bytes()[1] == connectionRefused, \"expected a response\")\n}\n\nfunc TestHandleConnectIPAccess(t *testing.T) {\n\tprefix := \"127.0.0.0/24\"\n\trule1, _ := ipaccess.NewRuleByCIDR(&prefix, []int{1337}, true)\n\trule2, _ := ipaccess.NewRuleByCIDR(&prefix, []int{1338}, false)\n\trules := []ipaccess.Rule{rule1, rule2}\n\tvar b bytes.Buffer\n\n\taccessPolicy, _ := ipaccess.NewPolicy(false, nil)\n\trequestHandler := NewRequestHandler(NewNetDialer(), accessPolicy)\n\treq := createRequest(t, socks5Version, connectCommand, \"127.0.0.1\", 1337, false)\n\terr := requestHandler.Handle(req, &b)\n\tassert.Error(t, err)\n\tassert.True(t, b.Bytes()[1] == ruleFailure, \"expected to be denied as no rules and defaultAllow=false\")\n\n\tb.Reset()\n\taccessPolicy, _ = ipaccess.NewPolicy(true, nil)\n\trequestHandler = NewRequestHandler(NewNetDialer(), accessPolicy)\n\treq = createRequest(t, socks5Version, connectCommand, \"127.0.0.1\", 1337, false)\n\terr = requestHandler.Handle(req, &b)\n\tassert.Error(t, err)\n\tassert.True(t, b.Bytes()[1] == connectionRefused, \"expected to be allowed as no rules and defaultAllow=true\")\n\n\tb.Reset()\n\taccessPolicy, _ = ipaccess.NewPolicy(false, rules)\n\trequestHandler = NewRequestHandler(NewNetDialer(), accessPolicy)\n\treq = createRequest(t, socks5Version, connectCommand, \"127.0.0.1\", 1337, false)\n\terr = requestHandler.Handle(req, &b)\n\tassert.Error(t, err)\n\tassert.True(t, b.Bytes()[1] == connectionRefused, \"expected to be allowed as matching rule\")\n\n\tb.Reset()\n\treq = createRequest(t, socks5Version, connectCommand, \"127.0.0.1\", 1338, false)\n\terr = requestHandler.Handle(req, &b)\n\tassert.Error(t, err)\n\tassert.True(t, b.Bytes()[1] == ruleFailure, \"expected to be denied as matching rule\")\n\n\tb.Reset()\n\treq = createRequest(t, socks5Version, connectCommand, \"127.0.0.1\", 1339, false)\n\terr = requestHandler.Handle(req, &b)\n\tassert.Error(t, err)\n\tassert.True(t, b.Bytes()[1] == ruleFailure, \"expect to be denied as no matching rule and defaultAllow=false\")\n}\n" }, { "path": "socks/request_test.go", "content": "package socks\n\nimport (\n\t\"bytes\"\n\t\"encoding/binary\"\n\t\"net\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc createRequestData(version, command uint8, ip net.IP, port uint16) []byte {\n\t// set the command\n\tb := []byte{version, command, 0}\n\n\t// append the ip\n\tif len(ip) == net.IPv4len {\n\t\tb = append(b, 1)\n\t\tb = append(b, ip.To4()...)\n\t} else {\n\t\tb = append(b, 4)\n\t\tb = append(b, ip.To16()...)\n\t}\n\n\t// append the port\n\tp := []byte{0, 0}\n\tbinary.BigEndian.PutUint16(p, port)\n\tb = append(b, p...)\n\n\treturn b\n}\n\nfunc createRequest(t *testing.T, version, command uint8, ipStr string, port uint16, shouldFail bool) *Request {\n\tip := net.ParseIP(ipStr)\n\tdata := createRequestData(version, command, ip, port)\n\treader := bytes.NewReader(data)\n\treq, err := NewRequest(reader)\n\tif shouldFail {\n\t\tassert.Error(t, err)\n\t\treturn nil\n\t}\n\tassert.NoError(t, err)\n\tassert.True(t, req.Version == socks5Version, \"version doesn't match expectation: %v\", req.Version)\n\tassert.True(t, req.Command == command, \"command doesn't match expectation: %v\", req.Command)\n\tassert.True(t, req.DestAddr.Port == int(port), \"port doesn't match expectation: %v\", req.DestAddr.Port)\n\tassert.True(t, req.DestAddr.IP.String() == ipStr, \"ip doesn't match expectation: %v\", req.DestAddr.IP.String())\n\n\treturn req\n}\n\nfunc TestValidConnectRequest(t *testing.T) {\n\tcreateRequest(t, socks5Version, connectCommand, \"127.0.0.1\", 1337, false)\n}\n\nfunc TestValidBindRequest(t *testing.T) {\n\tcreateRequest(t, socks5Version, bindCommand, \"2001:db8::68\", 1337, false)\n}\n\nfunc TestValidAssociateRequest(t *testing.T) {\n\tcreateRequest(t, socks5Version, associateCommand, \"127.0.0.1\", 1234, false)\n}\n\nfunc TestInValidVersionRequest(t *testing.T) {\n\tcreateRequest(t, 4, connectCommand, \"127.0.0.1\", 1337, true)\n}\n\nfunc TestInValidIPRequest(t *testing.T) {\n\tcreateRequest(t, 4, connectCommand, \"127.0.01\", 1337, true)\n}\n" }, { "path": "sshgen/sshgen.go", "content": "package sshgen\n\nimport (\n\t\"bytes\"\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"crypto/rand\"\n\t\"crypto/x509\"\n\t\"encoding/json\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v4\"\n\t\"github.com/go-jose/go-jose/v4/jwt\"\n\thomedir \"github.com/mitchellh/go-homedir\"\n\t\"github.com/pkg/errors\"\n\tgossh \"golang.org/x/crypto/ssh\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\tcfpath \"github.com/cloudflare/cloudflared/token\"\n)\n\nconst (\n\tsignEndpoint = \"/cdn-cgi/access/cert_sign\"\n\tkeyName = \"cf_key\"\n)\n\n// signPayload represents the request body sent to the sign handler API\ntype signPayload struct {\n\tPublicKey string `json:\"public_key\"`\n\tJWT string `json:\"jwt\"`\n\tIssuer string `json:\"issuer\"`\n}\n\n// signResponse represents the response body from the sign handler API\ntype signResponse struct {\n\tKeyID string `json:\"id\"`\n\tCertificate string `json:\"certificate\"`\n\tExpiresAt time.Time `json:\"expires_at\"`\n}\n\n// ErrorResponse struct stores error information after any error-prone function\ntype errorResponse struct {\n\tStatus int `json:\"status\"`\n\tMessage string `json:\"message\"`\n}\n\nvar mockRequest func(url, contentType string, body io.Reader) (*http.Response, error) = nil\n\nvar signatureAlgs = []jose.SignatureAlgorithm{jose.RS256}\n\n// GenerateShortLivedCertificate generates and stores a keypair for short lived certs\nfunc GenerateShortLivedCertificate(appURL *url.URL, token string) error {\n\tfullName, err := cfpath.GenerateSSHCertFilePathFromURL(appURL, keyName)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tcert, err := handleCertificateGeneration(token, fullName)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tname := fullName + \"-cert.pub\"\n\tif err := writeKey(name, []byte(cert)); err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\n// handleCertificateGeneration takes a JWT and uses it build a signPayload\n// to send to the Sign endpoint with the public key from the keypair it generated\nfunc handleCertificateGeneration(token, fullName string) (string, error) {\n\tpub, err := generateKeyPair(fullName)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\treturn SignCert(token, string(pub))\n}\n\nfunc SignCert(token, pubKey string) (string, error) {\n\tif token == \"\" {\n\t\treturn \"\", errors.New(\"invalid token\")\n\t}\n\n\tparsedToken, err := jwt.ParseSigned(token, signatureAlgs)\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to parse JWT\")\n\t}\n\n\tclaims := jwt.Claims{}\n\terr = parsedToken.UnsafeClaimsWithoutVerification(&claims)\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to retrieve JWT claims\")\n\t}\n\n\tbuf, err := json.Marshal(&signPayload{\n\t\tPublicKey: pubKey,\n\t\tJWT: token,\n\t\tIssuer: claims.Issuer,\n\t})\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to marshal signPayload\")\n\t}\n\tvar res *http.Response\n\tif mockRequest != nil {\n\t\tres, err = mockRequest(claims.Issuer+signEndpoint, \"application/json\", bytes.NewBuffer(buf))\n\t} else {\n\t\tclient := http.Client{\n\t\t\tTimeout: 10 * time.Second,\n\t\t}\n\t\tres, err = client.Post(claims.Issuer+signEndpoint, \"application/json\", bytes.NewBuffer(buf))\n\t}\n\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to send request\")\n\t}\n\tdefer res.Body.Close()\n\n\tdecoder := json.NewDecoder(res.Body)\n\n\tif res.StatusCode != 200 {\n\t\tvar errResponse errorResponse\n\t\tif err := decoder.Decode(&errResponse); err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\treturn \"\", fmt.Errorf(\"%d: %s\", errResponse.Status, errResponse.Message)\n\t}\n\n\tvar signRes signResponse\n\tif err := decoder.Decode(&signRes); err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to decode HTTP response\")\n\t}\n\treturn signRes.Certificate, nil\n}\n\n// generateKeyPair creates a EC keypair (P256) and stores them in the homedir.\n// returns the generated public key from the successful keypair generation\nfunc generateKeyPair(fullName string) ([]byte, error) {\n\tpubKeyName := fullName + \".pub\"\n\n\texist, err := config.FileExists(pubKeyName)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif exist {\n\t\treturn os.ReadFile(pubKeyName)\n\t}\n\n\tkey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tparsed, err := x509.MarshalECPrivateKey(key)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif err := writeKey(fullName, pem.EncodeToMemory(&pem.Block{\n\t\tType: \"EC PRIVATE KEY\",\n\t\tBytes: parsed,\n\t})); err != nil {\n\t\treturn nil, err\n\t}\n\n\tpub, err := gossh.NewPublicKey(&key.PublicKey)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdata := gossh.MarshalAuthorizedKey(pub)\n\n\tif err := writeKey(pubKeyName, data); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn data, nil\n}\n\n// writeKey will write a key to disk in DER format (it's a standard pem key)\nfunc writeKey(filename string, data []byte) error {\n\tfilepath, err := homedir.Expand(filename)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn os.WriteFile(filepath, data, 0600)\n}\n" }, { "path": "sshgen/sshgen_test.go", "content": "//go:build !windows\n\npackage sshgen\n\nimport (\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v4\"\n\t\"github.com/go-jose/go-jose/v4/jwt\"\n\t\"github.com/stretchr/testify/assert\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\tcfpath \"github.com/cloudflare/cloudflared/token\"\n)\n\nconst (\n\taudTest = \"cf-test-aud\"\n\tnonceTest = \"asfd\"\n)\n\ntype signingArguments struct {\n\tPrincipals []string `json:\"principals\"`\n\tClientPubKey string `json:\"public_key\"`\n\tDuration string `json:\"duration\"`\n}\n\nfunc TestCertGenSuccess(t *testing.T) {\n\turl, _ := url.Parse(\"https://cf-test-access.com/testpath\")\n\ttoken := tokenGenerator()\n\n\tfullName, err := cfpath.GenerateSSHCertFilePathFromURL(url, keyName)\n\tassert.NoError(t, err)\n\tassert.True(t, strings.HasSuffix(fullName, \"/cf-test-access.com-testpath-cf_key\"))\n\n\tpubKeyName := fullName + \".pub\"\n\tcertKeyName := fullName + \"-cert.pub\"\n\n\tdefer func() {\n\t\tos.Remove(fullName)\n\t\tos.Remove(pubKeyName)\n\t\tos.Remove(certKeyName)\n\t}()\n\n\tresp := signingArguments{\n\t\tPrincipals: []string{\"dalton\"},\n\t\tClientPubKey: \"ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg+0rYq4mNGIAHiH1xPOJXfmOpTEwFIcyXzGJieTOhRs8AAAAIbmlzdHAyNTYAAABBBJIcsq02e8ZaofJXOZKp7yQdKW/JIouJ90lybr76hHIRrZBL1t4JEimfLvNDphPrTW9VDQaIcBSKNaxRqHOS8jezoJbhFGWhqQAAAAEAAAAgZWU5OTliNGRkZmFmNjgxNDEwMTVhMDJiY2ZhMTdiN2UAAAAKAAAABmF1c3RpbgAAAABc1KFoAAAAAFzUohwAAAAAAAAARwAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEEeAuYR56XaxvH5Z1p0hDCTQ7wC4dbj0Gc+LOKu1f94og2ilZTv9tutg8cZrqAT97REmGH6j9KIOVLGsPVjajSKAAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAORY9ZO3TQsrUm6ajnVW+arbnVfTkxYBYFlVoeOEXKZuAAAAIG96A8nQnTuprWXLSemWL68RXC1NVKnBOIPD2Z7UIOB1\",\n\t\tDuration: \"3m\",\n\t}\n\tw := httptest.NewRecorder()\n\trespJson, err := json.Marshal(resp)\n\tassert.NoError(t, err)\n\tw.Write(respJson)\n\tmockRequest = func(url, contentType string, body io.Reader) (*http.Response, error) {\n\t\tassert.Contains(t, \"/cdn-cgi/access/cert_sign\", url)\n\t\tassert.Equal(t, \"application/json\", contentType)\n\t\tbuf, err := io.ReadAll(body)\n\t\tassert.NoError(t, err)\n\t\tassert.NotEmpty(t, buf)\n\t\treturn w.Result(), nil\n\t}\n\n\terr = GenerateShortLivedCertificate(url, token)\n\tassert.NoError(t, err)\n\n\texist, err := config.FileExists(fullName)\n\tassert.NoError(t, err)\n\tif !exist {\n\t\tassert.FailNow(t, fmt.Sprintf(\"key should exist at: %s\", fullName), fullName)\n\t\treturn\n\t}\n\n\texist, err = config.FileExists(pubKeyName)\n\tassert.NoError(t, err)\n\tif !exist {\n\t\tassert.FailNow(t, fmt.Sprintf(\"key should exist at: %s\", pubKeyName), pubKeyName)\n\t\treturn\n\t}\n\n\texist, err = config.FileExists(certKeyName)\n\tassert.NoError(t, err)\n\tif !exist {\n\t\tassert.FailNow(t, fmt.Sprintf(\"key should exist at: %s\", certKeyName), certKeyName)\n\t\treturn\n\t}\n}\n\nfunc tokenGenerator() string {\n\tiat := time.Now()\n\texp := time.Now().Add(time.Minute * 5)\n\n\tclaims := jwt.Claims{\n\t\tAudience: jwt.Audience{audTest},\n\t\tIssuedAt: jwt.NewNumericDate(iat),\n\t\tExpiry: jwt.NewNumericDate(exp),\n\t}\n\n\tkey, err := rsa.GenerateKey(rand.Reader, 4096)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tsigner, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.RS256, Key: key}, (&jose.SignerOptions{}).WithType(\"JWT\"))\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\tsignedToken, err := jwt.Signed(signer).Claims(claims).Serialize()\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\treturn signedToken\n}\n" }, { "path": "stream/debug.go", "content": "package stream\n\nimport (\n\t\"io\"\n\t\"sync/atomic\"\n\n\t\"github.com/rs/zerolog\"\n)\n\n// DebugStream will tee each read and write to the output logger as a debug message\ntype DebugStream struct {\n\treader io.Reader\n\twriter io.Writer\n\tlog *zerolog.Logger\n\tmax uint64\n\tcount atomic.Uint64\n}\n\nfunc NewDebugStream(stream io.ReadWriter, logger *zerolog.Logger, max uint64) *DebugStream {\n\treturn &DebugStream{\n\t\treader: stream,\n\t\twriter: stream,\n\t\tlog: logger,\n\t\tmax: max,\n\t}\n}\n\nfunc (d *DebugStream) Read(p []byte) (n int, err error) {\n\tn, err = d.reader.Read(p)\n\tif n > 0 && d.max > d.count.Load() {\n\t\td.count.Add(1)\n\t\tif err != nil {\n\t\t\td.log.Err(err).\n\t\t\t\tStr(\"dir\", \"r\").\n\t\t\t\tInt(\"count\", n).\n\t\t\t\tMsgf(\"%+q\", p[:n])\n\t\t} else {\n\t\t\td.log.Debug().\n\t\t\t\tStr(\"dir\", \"r\").\n\t\t\t\tInt(\"count\", n).\n\t\t\t\tMsgf(\"%+q\", p[:n])\n\t\t}\n\t}\n\treturn\n}\n\nfunc (d *DebugStream) Write(p []byte) (n int, err error) {\n\tn, err = d.writer.Write(p)\n\tif n > 0 && d.max > d.count.Load() {\n\t\td.count.Add(1)\n\t\tif err != nil {\n\t\t\td.log.Err(err).\n\t\t\t\tStr(\"dir\", \"w\").\n\t\t\t\tInt(\"count\", n).\n\t\t\t\tMsgf(\"%+q\", p[:n])\n\t\t} else {\n\t\t\td.log.Debug().\n\t\t\t\tStr(\"dir\", \"w\").\n\t\t\t\tInt(\"count\", n).\n\t\t\t\tMsgf(\"%+q\", p[:n])\n\t\t}\n\t}\n\treturn\n}\n" }, { "path": "stream/stream.go", "content": "package stream\n\nimport (\n\t\"encoding/hex\"\n\t\"fmt\"\n\t\"io\"\n\t\"runtime/debug\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/cfio\"\n)\n\ntype Stream interface {\n\tReader\n\tWriterCloser\n}\n\ntype Reader interface {\n\tio.Reader\n}\n\ntype WriterCloser interface {\n\tio.Writer\n\tWriteCloser\n}\n\ntype WriteCloser interface {\n\tCloseWrite() error\n}\n\ntype nopCloseWriterAdapter struct {\n\tio.ReadWriter\n}\n\nfunc NopCloseWriterAdapter(stream io.ReadWriter) *nopCloseWriterAdapter {\n\treturn &nopCloseWriterAdapter{stream}\n}\n\nfunc (n *nopCloseWriterAdapter) CloseWrite() error {\n\treturn nil\n}\n\ntype bidirectionalStreamStatus struct {\n\tdoneChan chan struct{}\n\tanyDone uint32\n}\n\nfunc newBiStreamStatus() *bidirectionalStreamStatus {\n\treturn &bidirectionalStreamStatus{\n\t\tdoneChan: make(chan struct{}, 2),\n\t\tanyDone: 0,\n\t}\n}\n\nfunc (s *bidirectionalStreamStatus) markUniStreamDone() {\n\tatomic.StoreUint32(&s.anyDone, 1)\n\ts.doneChan <- struct{}{}\n}\n\nfunc (s *bidirectionalStreamStatus) wait(maxWaitForSecondStream time.Duration) error {\n\t<-s.doneChan\n\n\t// Only wait for second stream to finish if maxWait is greater than zero\n\tif maxWaitForSecondStream > 0 {\n\n\t\ttimer := time.NewTimer(maxWaitForSecondStream)\n\t\tdefer timer.Stop()\n\n\t\tselect {\n\t\tcase <-timer.C:\n\t\t\treturn fmt.Errorf(\"timeout waiting for second stream to finish\")\n\t\tcase <-s.doneChan:\n\t\t\treturn nil\n\t\t}\n\t}\n\n\treturn nil\n}\nfunc (s *bidirectionalStreamStatus) isAnyDone() bool {\n\treturn atomic.LoadUint32(&s.anyDone) > 0\n}\n\n// Pipe copies copy data to & from provided io.ReadWriters.\nfunc Pipe(tunnelConn, originConn io.ReadWriter, log *zerolog.Logger) {\n\tPipeBidirectional(NopCloseWriterAdapter(tunnelConn), NopCloseWriterAdapter(originConn), 0, log)\n}\n\n// PipeBidirectional copies data two BidirectionStreams. It is a special case of Pipe where it receives a concept that allows for Read and Write side to be closed independently.\n// The main difference is that when piping data from a reader to a writer, if EOF is read, then this implementation propagates the EOF signal to the destination/writer by closing the write side of the\n// Bidirectional Stream.\n// Finally, depending on once EOF is ready from one of the provided streams, the other direction of streaming data will have a configured time period to also finish, otherwise,\n// the method will return immediately with a timeout error. It is however, the responsability of the caller to close the associated streams in both ends in order to free all the resources/go-routines.\nfunc PipeBidirectional(downstream, upstream Stream, maxWaitForSecondStream time.Duration, log *zerolog.Logger) error {\n\tstatus := newBiStreamStatus()\n\n\tgo unidirectionalStream(downstream, upstream, \"upstream->downstream\", status, log)\n\tgo unidirectionalStream(upstream, downstream, \"downstream->upstream\", status, log)\n\n\tif err := status.wait(maxWaitForSecondStream); err != nil {\n\t\treturn errors.Wrap(err, \"unable to wait for both streams while proxying\")\n\t}\n\n\treturn nil\n}\n\nfunc unidirectionalStream(dst WriterCloser, src Reader, dir string, status *bidirectionalStreamStatus, log *zerolog.Logger) {\n\tdefer func() {\n\t\t// The bidirectional streaming spawns 2 goroutines to stream each direction.\n\t\t// If any ends, the callstack returns, meaning the Tunnel request/stream (depending on http2 vs quic) will\n\t\t// close. In such case, if the other direction did not stop (due to application level stopping, e.g., if a\n\t\t// server/origin listens forever until closure), it may read/write from the underlying ReadWriter (backed by\n\t\t// the Edge<->cloudflared transport) in an unexpected state.\n\t\t// Because of this, we set this recover() logic.\n\t\tif err := recover(); err != nil {\n\t\t\tif status.isAnyDone() {\n\t\t\t\t// We handle such unexpected errors only when we detect that one side of the streaming is done.\n\t\t\t\tlog.Debug().Msgf(\"recovered from panic in stream.Pipe for %s, error %s, %s\", dir, err, debug.Stack())\n\t\t\t} else {\n\t\t\t\t// Otherwise, this is unexpected, but we prevent the program from crashing anyway.\n\t\t\t\tlog.Warn().Msgf(\"recovered from panic in stream.Pipe for %s, error %s, %s\", dir, err, debug.Stack())\n\t\t\t\tsentry.CurrentHub().Recover(err)\n\t\t\t\tsentry.Flush(time.Second * 5)\n\t\t\t}\n\t\t}\n\t}()\n\n\tdefer dst.CloseWrite()\n\n\t_, err := copyData(dst, src, dir)\n\tif err != nil {\n\t\tlog.Debug().Msgf(\"%s copy: %v\", dir, err)\n\t}\n\tstatus.markUniStreamDone()\n}\n\n// when set to true, enables logging of content copied to/from origin and tunnel\nconst debugCopy = false\n\nfunc copyData(dst io.Writer, src io.Reader, dir string) (written int64, err error) {\n\tif debugCopy {\n\t\t// copyBuffer is based on stdio Copy implementation but shows copied data\n\t\tcopyBuffer := func(dst io.Writer, src io.Reader, dir string) (written int64, err error) {\n\t\t\tvar buf []byte\n\t\t\tsize := 32 * 1024\n\t\t\tbuf = make([]byte, size)\n\t\t\tfor {\n\t\t\t\tt := time.Now()\n\t\t\t\tnr, er := src.Read(buf)\n\t\t\t\tif nr > 0 {\n\t\t\t\t\tfmt.Println(dir, t.UnixNano(), \"\\n\"+hex.Dump(buf[0:nr]))\n\t\t\t\t\tnw, ew := dst.Write(buf[0:nr])\n\t\t\t\t\tif nw < 0 || nr < nw {\n\t\t\t\t\t\tnw = 0\n\t\t\t\t\t\tif ew == nil {\n\t\t\t\t\t\t\tew = errors.New(\"invalid write\")\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\twritten += int64(nw)\n\t\t\t\t\tif ew != nil {\n\t\t\t\t\t\terr = ew\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t\tif nr != nw {\n\t\t\t\t\t\terr = io.ErrShortWrite\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif er != nil {\n\t\t\t\t\tif er != io.EOF {\n\t\t\t\t\t\terr = er\n\t\t\t\t\t}\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn written, err\n\t\t}\n\t\treturn copyBuffer(dst, src, dir)\n\t} else {\n\t\treturn cfio.Copy(dst, src)\n\t}\n}\n" }, { "path": "stream/stream_test.go", "content": "package stream\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestPipeBidirectionalFinishBothSides(t *testing.T) {\n\tfun := func(upstream, downstream *mockedStream) {\n\t\tdownstream.closeReader()\n\t\tupstream.closeReader()\n\t}\n\n\ttestPipeBidirectionalUnblocking(t, fun, time.Millisecond*200, false)\n}\n\nfunc TestPipeBidirectionalFinishOneSideTimeout(t *testing.T) {\n\tfun := func(upstream, downstream *mockedStream) {\n\t\tdownstream.closeReader()\n\t}\n\n\ttestPipeBidirectionalUnblocking(t, fun, time.Millisecond*200, true)\n}\n\nfunc TestPipeBidirectionalClosingWriteBothSidesAlsoExists(t *testing.T) {\n\tfun := func(upstream, downstream *mockedStream) {\n\t\tdownstream.CloseWrite()\n\t\tupstream.CloseWrite()\n\n\t\tdownstream.writeToReader(\"abc\")\n\t\tupstream.writeToReader(\"abc\")\n\t}\n\n\ttestPipeBidirectionalUnblocking(t, fun, time.Millisecond*200, false)\n}\n\nfunc TestPipeBidirectionalClosingWriteSingleSideAlsoExists(t *testing.T) {\n\tfun := func(upstream, downstream *mockedStream) {\n\t\tdownstream.CloseWrite()\n\n\t\tdownstream.writeToReader(\"abc\")\n\t\tupstream.writeToReader(\"abc\")\n\t}\n\n\ttestPipeBidirectionalUnblocking(t, fun, time.Millisecond*200, true)\n}\n\nfunc testPipeBidirectionalUnblocking(t *testing.T, afterFun func(*mockedStream, *mockedStream), timeout time.Duration, expectTimeout bool) {\n\tlogger := zerolog.Nop()\n\n\tdownstream := newMockedStream()\n\tupstream := newMockedStream()\n\n\tresultCh := make(chan error)\n\tgo func() {\n\t\tresultCh <- PipeBidirectional(downstream, upstream, timeout, &logger)\n\t}()\n\n\tafterFun(upstream, downstream)\n\n\tselect {\n\tcase err := <-resultCh:\n\t\tif expectTimeout {\n\t\t\trequire.NotNil(t, err)\n\t\t} else {\n\t\t\trequire.Nil(t, err)\n\t\t}\n\n\tcase <-time.After(timeout * 2):\n\t\trequire.Fail(t, \"test timeout\")\n\t}\n}\n\nfunc newMockedStream() *mockedStream {\n\treturn &mockedStream{\n\t\treadCh: make(chan *string),\n\t\twriteCh: make(chan struct{}),\n\t}\n}\n\ntype mockedStream struct {\n\treadCh chan *string\n\twriteCh chan struct{}\n\n\twriteCloseOnce sync.Once\n}\n\nfunc (m *mockedStream) Read(p []byte) (n int, err error) {\n\tresult := <-m.readCh\n\tif result == nil {\n\t\treturn 0, io.EOF\n\t}\n\n\treturn len(*result), nil\n}\n\nfunc (m *mockedStream) Write(p []byte) (n int, err error) {\n\t<-m.writeCh\n\n\treturn 0, fmt.Errorf(\"closed\")\n}\n\nfunc (m *mockedStream) CloseWrite() error {\n\tm.writeCloseOnce.Do(func() {\n\t\tclose(m.writeCh)\n\t})\n\n\treturn nil\n}\n\nfunc (m *mockedStream) closeReader() {\n\tclose(m.readCh)\n}\nfunc (m *mockedStream) writeToReader(content string) {\n\tm.readCh <- &content\n}\n" }, { "path": "supervisor/conn_aware_logger.go", "content": "package supervisor\n\nimport (\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/tunnelstate\"\n)\n\ntype ConnAwareLogger struct {\n\ttracker *tunnelstate.ConnTracker\n\tlogger *zerolog.Logger\n}\n\nfunc NewConnAwareLogger(logger *zerolog.Logger, tracker *tunnelstate.ConnTracker, observer *connection.Observer) *ConnAwareLogger {\n\tconnAwareLogger := &ConnAwareLogger{\n\t\ttracker: tracker,\n\t\tlogger: logger,\n\t}\n\n\tobserver.RegisterSink(connAwareLogger.tracker)\n\n\treturn connAwareLogger\n}\n\nfunc (c *ConnAwareLogger) ReplaceLogger(logger *zerolog.Logger) *ConnAwareLogger {\n\treturn &ConnAwareLogger{\n\t\ttracker: c.tracker,\n\t\tlogger: logger,\n\t}\n}\n\nfunc (c *ConnAwareLogger) ConnAwareLogger() *zerolog.Event {\n\tif c.tracker.CountActiveConns() == 0 {\n\t\treturn c.logger.Error()\n\t}\n\treturn c.logger.Warn()\n}\n\nfunc (c *ConnAwareLogger) Logger() *zerolog.Logger {\n\treturn c.logger\n}\n" }, { "path": "supervisor/external_control.go", "content": "package supervisor\n\nimport (\n\t\"time\"\n)\n\ntype ReconnectSignal struct {\n\t// wait this many seconds before re-establish the connection\n\tDelay time.Duration\n}\n\n// Error allows us to use ReconnectSignal as a special error to force connection abort\nfunc (r ReconnectSignal) Error() string {\n\treturn \"reconnect signal\"\n}\n\nfunc (r ReconnectSignal) DelayBeforeReconnect() {\n\tif r.Delay > 0 {\n\t\ttime.Sleep(r.Delay)\n\t}\n}\n" }, { "path": "supervisor/fuse.go", "content": "package supervisor\n\nimport \"sync\"\n\n// booleanFuse is a data structure that can be set once to a particular value using Fuse(value).\n// Subsequent calls to Fuse() will have no effect.\ntype booleanFuse struct {\n\tvalue int32\n\tmu sync.Mutex\n\tcond *sync.Cond\n}\n\nfunc newBooleanFuse() *booleanFuse {\n\tf := &booleanFuse{}\n\tf.cond = sync.NewCond(&f.mu)\n\treturn f\n}\n\n// Value gets the value\nfunc (f *booleanFuse) Value() bool {\n\t// 0: unset\n\t// 1: set true\n\t// 2: set false\n\tf.mu.Lock()\n\tdefer f.mu.Unlock()\n\treturn f.value == 1\n}\n\nfunc (f *booleanFuse) Fuse(result bool) {\n\tf.mu.Lock()\n\tdefer f.mu.Unlock()\n\tnewValue := int32(2)\n\tif result {\n\t\tnewValue = 1\n\t}\n\tif f.value == 0 {\n\t\tf.value = newValue\n\t\tf.cond.Broadcast()\n\t}\n}\n\n// Await blocks until Fuse has been called at least once.\nfunc (f *booleanFuse) Await() bool {\n\tf.mu.Lock()\n\tdefer f.mu.Unlock()\n\tfor f.value == 0 {\n\t\tf.cond.Wait()\n\t}\n\treturn f.value == 1\n}\n" }, { "path": "supervisor/metrics.go", "content": "package supervisor\n\nimport (\n\t\"github.com/prometheus/client_golang/prometheus\"\n\n\t\"github.com/cloudflare/cloudflared/connection\"\n)\n\n// Metrics uses connection.MetricsNamespace(aka cloudflared) as namespace and connection.TunnelSubsystem\n// (tunnel) as subsystem to keep them consistent with the previous qualifier.\n\nvar (\n\thaConnections = prometheus.NewGauge(\n\t\tprometheus.GaugeOpts{\n\t\t\tNamespace: connection.MetricsNamespace,\n\t\t\tSubsystem: connection.TunnelSubsystem,\n\t\t\tName: \"ha_connections\",\n\t\t\tHelp: \"Number of active ha connections\",\n\t\t},\n\t)\n)\n\nfunc init() {\n\tprometheus.MustRegister(\n\t\thaConnections,\n\t)\n}\n" }, { "path": "supervisor/pqtunnels.go", "content": "package supervisor\n\nimport (\n\t\"crypto/tls\"\n\t\"fmt\"\n\n\t\"github.com/cloudflare/cloudflared/features\"\n)\n\nconst (\n\tX25519Kyber768Draft00PQKex = tls.CurveID(0x6399) // X25519Kyber768Draft00\n\tX25519Kyber768Draft00PQKexName = \"X25519Kyber768Draft00\"\n\tP256Kyber768Draft00PQKex = tls.CurveID(0xfe32) // P256Kyber768Draft00\n\tP256Kyber768Draft00PQKexName = \"P256Kyber768Draft00\"\n\tX25519MLKEM768PQKex = tls.CurveID(0x11ec) // X25519MLKEM768\n\tX25519MLKEM768PQKexName = \"X25519MLKEM768\"\n)\n\nvar (\n\tnonFipsPostQuantumStrictPKex []tls.CurveID = []tls.CurveID{X25519MLKEM768PQKex}\n\tnonFipsPostQuantumPreferPKex []tls.CurveID = []tls.CurveID{X25519MLKEM768PQKex}\n\tfipsPostQuantumStrictPKex []tls.CurveID = []tls.CurveID{P256Kyber768Draft00PQKex}\n\tfipsPostQuantumPreferPKex []tls.CurveID = []tls.CurveID{P256Kyber768Draft00PQKex, tls.CurveP256}\n)\n\nfunc removeDuplicates(curves []tls.CurveID) []tls.CurveID {\n\tbucket := make(map[tls.CurveID]bool)\n\tvar result []tls.CurveID\n\tfor _, curve := range curves {\n\t\tif _, ok := bucket[curve]; !ok {\n\t\t\tbucket[curve] = true\n\t\t\tresult = append(result, curve)\n\t\t}\n\t}\n\treturn result\n}\n\nfunc curvePreference(pqMode features.PostQuantumMode, fipsEnabled bool, currentCurve []tls.CurveID) ([]tls.CurveID, error) {\n\tswitch pqMode {\n\tcase features.PostQuantumStrict:\n\t\t// If the user passes the -post-quantum flag, we override\n\t\t// CurvePreferences to only support hybrid post-quantum key agreements.\n\t\tif fipsEnabled {\n\t\t\treturn fipsPostQuantumStrictPKex, nil\n\t\t}\n\t\treturn nonFipsPostQuantumStrictPKex, nil\n\tcase features.PostQuantumPrefer:\n\t\tif fipsEnabled {\n\t\t\t// Ensure that all curves returned are FIPS compliant.\n\t\t\t// Moreover the first curves are post-quantum and then the\n\t\t\t// non post-quantum.\n\t\t\treturn fipsPostQuantumPreferPKex, nil\n\t\t}\n\t\tcurves := append(nonFipsPostQuantumPreferPKex, currentCurve...)\n\t\tcurves = removeDuplicates(curves)\n\t\treturn curves, nil\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"Unexpected post quantum mode\")\n\t}\n}\n" }, { "path": "supervisor/pqtunnels_test.go", "content": "package supervisor\n\nimport (\n\t\"crypto/tls\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"slices\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/features\"\n\t\"github.com/cloudflare/cloudflared/fips\"\n)\n\nfunc TestCurvePreferences(t *testing.T) {\n\t// This tests if the correct curves are returned\n\t// given a PostQuantumMode and a FIPS enabled bool\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\tcurrentCurves []tls.CurveID\n\t\texpectedCurves []tls.CurveID\n\t\tpqMode features.PostQuantumMode\n\t\tfipsEnabled bool\n\t}{\n\t\t{\n\t\t\tname: \"FIPS with Prefer PQ\",\n\t\t\tpqMode: features.PostQuantumPrefer,\n\t\t\tfipsEnabled: true,\n\t\t\tcurrentCurves: []tls.CurveID{tls.CurveP384},\n\t\t\texpectedCurves: []tls.CurveID{P256Kyber768Draft00PQKex, tls.CurveP256},\n\t\t},\n\t\t{\n\t\t\tname: \"FIPS with Strict PQ\",\n\t\t\tpqMode: features.PostQuantumStrict,\n\t\t\tfipsEnabled: true,\n\t\t\tcurrentCurves: []tls.CurveID{tls.CurveP256, tls.CurveP384},\n\t\t\texpectedCurves: []tls.CurveID{P256Kyber768Draft00PQKex},\n\t\t},\n\t\t{\n\t\t\tname: \"FIPS with Prefer PQ - no duplicates\",\n\t\t\tpqMode: features.PostQuantumPrefer,\n\t\t\tfipsEnabled: true,\n\t\t\tcurrentCurves: []tls.CurveID{tls.CurveP256},\n\t\t\texpectedCurves: []tls.CurveID{P256Kyber768Draft00PQKex, tls.CurveP256},\n\t\t},\n\t\t{\n\t\t\tname: \"Non FIPS with Prefer PQ\",\n\t\t\tpqMode: features.PostQuantumPrefer,\n\t\t\tfipsEnabled: false,\n\t\t\tcurrentCurves: []tls.CurveID{tls.CurveP256},\n\t\t\texpectedCurves: []tls.CurveID{X25519MLKEM768PQKex, tls.CurveP256},\n\t\t},\n\t\t{\n\t\t\tname: \"Non FIPS with Prefer PQ - no duplicates\",\n\t\t\tpqMode: features.PostQuantumPrefer,\n\t\t\tfipsEnabled: false,\n\t\t\tcurrentCurves: []tls.CurveID{X25519Kyber768Draft00PQKex, tls.CurveP256},\n\t\t\texpectedCurves: []tls.CurveID{X25519MLKEM768PQKex, X25519Kyber768Draft00PQKex, tls.CurveP256},\n\t\t},\n\t\t{\n\t\t\tname: \"Non FIPS with Prefer PQ - correct preference order\",\n\t\t\tpqMode: features.PostQuantumPrefer,\n\t\t\tfipsEnabled: false,\n\t\t\tcurrentCurves: []tls.CurveID{tls.CurveP256, X25519Kyber768Draft00PQKex},\n\t\t\texpectedCurves: []tls.CurveID{X25519MLKEM768PQKex, tls.CurveP256, X25519Kyber768Draft00PQKex},\n\t\t},\n\t\t{\n\t\t\tname: \"Non FIPS with Strict PQ\",\n\t\t\tpqMode: features.PostQuantumStrict,\n\t\t\tfipsEnabled: false,\n\t\t\tcurrentCurves: []tls.CurveID{tls.CurveP256},\n\t\t\texpectedCurves: []tls.CurveID{X25519MLKEM768PQKex},\n\t\t},\n\t}\n\n\tfor _, tcase := range tests {\n\t\tt.Run(tcase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tcurves, err := curvePreference(tcase.pqMode, tcase.fipsEnabled, tcase.currentCurves)\n\t\t\trequire.NoError(t, err)\n\t\t\tassert.Equal(t, tcase.expectedCurves, curves)\n\t\t})\n\t}\n}\n\nfunc runClientServerHandshake(t *testing.T, curves []tls.CurveID) []tls.CurveID {\n\tvar advertisedCurves []tls.CurveID\n\tts := httptest.NewUnstartedServer(nil)\n\tts.TLS = &tls.Config{ // nolint: gosec\n\t\tGetConfigForClient: func(chi *tls.ClientHelloInfo) (*tls.Config, error) {\n\t\t\tadvertisedCurves = slices.Clone(chi.SupportedCurves)\n\t\t\treturn nil, nil\n\t\t},\n\t}\n\tts.StartTLS()\n\tdefer ts.Close()\n\tclientTlsConfig := ts.Client().Transport.(*http.Transport).TLSClientConfig\n\tclientTlsConfig.CurvePreferences = curves\n\tresp, err := ts.Client().Head(ts.URL)\n\tif err != nil {\n\t\tt.Error(err)\n\t\treturn nil\n\t}\n\tdefer resp.Body.Close()\n\treturn advertisedCurves\n}\n\nfunc TestSupportedCurvesNegotiation(t *testing.T) {\n\tfor _, tcase := range []features.PostQuantumMode{features.PostQuantumPrefer} {\n\t\tcurves, err := curvePreference(tcase, fips.IsFipsEnabled(), make([]tls.CurveID, 0))\n\t\trequire.NoError(t, err)\n\t\tadvertisedCurves := runClientServerHandshake(t, curves)\n\t\tassert.Equal(t, curves, advertisedCurves)\n\t}\n}\n" }, { "path": "supervisor/supervisor.go", "content": "package supervisor\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"net\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/edgediscovery\"\n\t\"github.com/cloudflare/cloudflared/orchestration\"\n\tv3 \"github.com/cloudflare/cloudflared/quic/v3\"\n\t\"github.com/cloudflare/cloudflared/retry\"\n\t\"github.com/cloudflare/cloudflared/signal\"\n\t\"github.com/cloudflare/cloudflared/tunnelstate\"\n)\n\nconst (\n\t// Waiting time before retrying a failed tunnel connection\n\ttunnelRetryDuration = time.Second * 10\n\t// Interval between registering new tunnels\n\tregistrationInterval = time.Second\n)\n\n// Supervisor manages non-declarative tunnels. Establishes TCP connections with the edge, and\n// reconnects them if they disconnect.\ntype Supervisor struct {\n\tconfig *TunnelConfig\n\torchestrator *orchestration.Orchestrator\n\tedgeIPs *edgediscovery.Edge\n\tedgeTunnelServer TunnelServer\n\ttunnelErrors chan tunnelError\n\ttunnelsConnecting map[int]chan struct{}\n\ttunnelsProtocolFallback map[int]*protocolFallback\n\t// nextConnectedIndex and nextConnectedSignal are used to wait for all\n\t// currently-connecting tunnels to finish connecting so we can reset backoff timer\n\tnextConnectedIndex int\n\tnextConnectedSignal chan struct{}\n\n\tlog *ConnAwareLogger\n\tlogTransport *zerolog.Logger\n\n\treconnectCh chan ReconnectSignal\n\tgracefulShutdownC <-chan struct{}\n}\n\nvar errEarlyShutdown = errors.New(\"shutdown started\")\n\ntype tunnelError struct {\n\tindex int\n\terr error\n}\n\nfunc NewSupervisor(config *TunnelConfig, orchestrator *orchestration.Orchestrator, reconnectCh chan ReconnectSignal, gracefulShutdownC <-chan struct{}) (*Supervisor, error) {\n\tisStaticEdge := len(config.EdgeAddrs) > 0\n\n\tvar err error\n\tvar edgeIPs *edgediscovery.Edge\n\tif isStaticEdge { // static edge addresses\n\t\tedgeIPs, err = edgediscovery.StaticEdge(config.Log, config.EdgeAddrs)\n\t} else {\n\t\tedgeIPs, err = edgediscovery.ResolveEdge(config.Log, config.Region, config.EdgeIPVersion)\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\ttracker := tunnelstate.NewConnTracker(config.Log)\n\tlog := NewConnAwareLogger(config.Log, tracker, config.Observer)\n\n\tedgeAddrHandler := NewIPAddrFallback(config.MaxEdgeAddrRetries)\n\tedgeBindAddr := config.EdgeBindAddr\n\n\tdatagramMetrics := v3.NewMetrics(prometheus.DefaultRegisterer)\n\n\tsessionManager := v3.NewSessionManager(datagramMetrics, config.Log, config.OriginDialerService, orchestrator.GetFlowLimiter())\n\n\tedgeTunnelServer := EdgeTunnelServer{\n\t\tconfig: config,\n\t\torchestrator: orchestrator,\n\t\tsessionManager: sessionManager,\n\t\tdatagramMetrics: datagramMetrics,\n\t\tedgeAddrs: edgeIPs,\n\t\tedgeAddrHandler: edgeAddrHandler,\n\t\tedgeBindAddr: edgeBindAddr,\n\t\ttracker: tracker,\n\t\treconnectCh: reconnectCh,\n\t\tgracefulShutdownC: gracefulShutdownC,\n\t\tconnAwareLogger: log,\n\t}\n\n\treturn &Supervisor{\n\t\tconfig: config,\n\t\torchestrator: orchestrator,\n\t\tedgeIPs: edgeIPs,\n\t\tedgeTunnelServer: &edgeTunnelServer,\n\t\ttunnelErrors: make(chan tunnelError),\n\t\ttunnelsConnecting: map[int]chan struct{}{},\n\t\ttunnelsProtocolFallback: map[int]*protocolFallback{},\n\t\tlog: log,\n\t\tlogTransport: config.LogTransport,\n\t\treconnectCh: reconnectCh,\n\t\tgracefulShutdownC: gracefulShutdownC,\n\t}, nil\n}\n\nfunc (s *Supervisor) Run(\n\tctx context.Context,\n\tconnectedSignal *signal.Signal,\n) error {\n\tif s.config.ICMPRouterServer != nil {\n\t\tgo func() {\n\t\t\tif err := s.config.ICMPRouterServer.Serve(ctx); err != nil {\n\t\t\t\tif errors.Is(err, net.ErrClosed) {\n\t\t\t\t\ts.log.Logger().Info().Err(err).Msg(\"icmp router terminated\")\n\t\t\t\t} else {\n\t\t\t\t\ts.log.Logger().Err(err).Msg(\"icmp router terminated\")\n\t\t\t\t}\n\t\t\t}\n\t\t}()\n\t}\n\n\t// Setup DNS Resolver refresh\n\tgo s.config.OriginDNSService.StartRefreshLoop(ctx)\n\n\tif err := s.initialize(ctx, connectedSignal); err != nil {\n\t\tif err == errEarlyShutdown {\n\t\t\treturn nil\n\t\t}\n\t\ts.log.Logger().Error().Err(err).Msg(\"initial tunnel connection failed\")\n\t\treturn err\n\t}\n\tvar tunnelsWaiting []int\n\ttunnelsActive := s.config.HAConnections\n\n\tbackoff := retry.NewBackoff(s.config.Retries, tunnelRetryDuration, true)\n\tvar backoffTimer <-chan time.Time\n\n\tshuttingDown := false\n\tfor {\n\t\tselect {\n\t\t// Context cancelled\n\t\tcase <-ctx.Done():\n\t\t\tfor tunnelsActive > 0 {\n\t\t\t\t<-s.tunnelErrors\n\t\t\t\ttunnelsActive--\n\t\t\t}\n\t\t\treturn nil\n\t\t// startTunnel completed with a response\n\t\t// (note that this may also be caused by context cancellation)\n\t\tcase tunnelError := <-s.tunnelErrors:\n\t\t\ttunnelsActive--\n\t\t\ts.log.ConnAwareLogger().Err(tunnelError.err).Int(connection.LogFieldConnIndex, tunnelError.index).Msg(\"Connection terminated\")\n\t\t\tif tunnelError.err != nil && !shuttingDown {\n\t\t\t\tswitch tunnelError.err.(type) {\n\t\t\t\tcase ReconnectSignal:\n\t\t\t\t\t// For tunnels that closed with reconnect signal, we reconnect immediately\n\t\t\t\t\tgo s.startTunnel(ctx, tunnelError.index, s.newConnectedTunnelSignal(tunnelError.index))\n\t\t\t\t\ttunnelsActive++\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\t// Make sure we don't continue if there is no more fallback allowed\n\t\t\t\tif _, retry := s.tunnelsProtocolFallback[tunnelError.index].GetMaxBackoffDuration(ctx); !retry {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\ttunnelsWaiting = append(tunnelsWaiting, tunnelError.index)\n\t\t\t\ts.waitForNextTunnel(tunnelError.index)\n\n\t\t\t\tif backoffTimer == nil {\n\t\t\t\t\tbackoffTimer = backoff.BackoffTimer()\n\t\t\t\t}\n\t\t\t} else if tunnelsActive == 0 {\n\t\t\t\ts.log.ConnAwareLogger().Msg(\"no more connections active and exiting\")\n\t\t\t\t// All connected tunnels exited gracefully, no more work to do\n\t\t\t\treturn nil\n\t\t\t}\n\t\t// Backoff was set and its timer expired\n\t\tcase <-backoffTimer:\n\t\t\tbackoffTimer = nil\n\t\t\tfor _, index := range tunnelsWaiting {\n\t\t\t\tgo s.startTunnel(ctx, index, s.newConnectedTunnelSignal(index))\n\t\t\t}\n\t\t\ttunnelsActive += len(tunnelsWaiting)\n\t\t\ttunnelsWaiting = nil\n\t\t// Tunnel successfully connected\n\t\tcase <-s.nextConnectedSignal:\n\t\t\tif !s.waitForNextTunnel(s.nextConnectedIndex) && len(tunnelsWaiting) == 0 {\n\t\t\t\t// No more tunnels outstanding, clear backoff timer\n\t\t\t\tbackoff.SetGracePeriod()\n\t\t\t}\n\t\tcase <-s.gracefulShutdownC:\n\t\t\tshuttingDown = true\n\t\t}\n\t}\n}\n\n// Returns nil if initialization succeeded, else the initialization error.\n// Attempts here will be made to connect one tunnel, if successful, it will\n// connect the available tunnels up to config.HAConnections.\nfunc (s *Supervisor) initialize(\n\tctx context.Context,\n\tconnectedSignal *signal.Signal,\n) error {\n\tavailableAddrs := s.edgeIPs.AvailableAddrs()\n\tif s.config.HAConnections > availableAddrs {\n\t\ts.log.Logger().Info().Msgf(\"You requested %d HA connections but I can give you at most %d.\", s.config.HAConnections, availableAddrs)\n\t\ts.config.HAConnections = availableAddrs\n\t}\n\ts.tunnelsProtocolFallback[0] = &protocolFallback{\n\t\tretry.NewBackoff(s.config.Retries, retry.DefaultBaseTime, true),\n\t\ts.config.ProtocolSelector.Current(),\n\t\tfalse,\n\t}\n\n\tgo s.startFirstTunnel(ctx, connectedSignal)\n\n\t// Wait for response from first tunnel before proceeding to attempt other HA edge tunnels\n\tselect {\n\tcase <-ctx.Done():\n\t\t<-s.tunnelErrors\n\t\treturn ctx.Err()\n\tcase tunnelError := <-s.tunnelErrors:\n\t\treturn tunnelError.err\n\tcase <-s.gracefulShutdownC:\n\t\treturn errEarlyShutdown\n\tcase <-connectedSignal.Wait():\n\t}\n\n\t// At least one successful connection, so start the rest\n\tfor i := 1; i < s.config.HAConnections; i++ {\n\t\ts.tunnelsProtocolFallback[i] = &protocolFallback{\n\t\t\tretry.NewBackoff(s.config.Retries, retry.DefaultBaseTime, true),\n\t\t\t// Set the protocol we know the first tunnel connected with.\n\t\t\ts.tunnelsProtocolFallback[0].protocol,\n\t\t\tfalse,\n\t\t}\n\t\tgo s.startTunnel(ctx, i, s.newConnectedTunnelSignal(i))\n\t\ttime.Sleep(registrationInterval)\n\t}\n\treturn nil\n}\n\n// startTunnel starts the first tunnel connection. The resulting error will be sent on\n// s.tunnelErrors. It will send a signal via connectedSignal if registration succeed\nfunc (s *Supervisor) startFirstTunnel(\n\tctx context.Context,\n\tconnectedSignal *signal.Signal,\n) {\n\tvar err error\n\tconst firstConnIndex = 0\n\tisStaticEdge := len(s.config.EdgeAddrs) > 0\n\tdefer func() {\n\t\ts.tunnelErrors <- tunnelError{index: firstConnIndex, err: err}\n\t}()\n\n\t// If the first tunnel disconnects, keep restarting it.\n\tfor {\n\t\terr = s.edgeTunnelServer.Serve(ctx, firstConnIndex, s.tunnelsProtocolFallback[firstConnIndex], connectedSignal)\n\t\tif ctx.Err() != nil {\n\t\t\treturn\n\t\t}\n\t\tif err == nil {\n\t\t\treturn\n\t\t}\n\t\t// Make sure we don't continue if there is no more fallback allowed\n\t\tif _, retry := s.tunnelsProtocolFallback[firstConnIndex].GetMaxBackoffDuration(ctx); !retry {\n\t\t\treturn\n\t\t}\n\t\t// Try again for Unauthorized errors because we hope them to be\n\t\t// transient due to edge propagation lag on new Tunnels.\n\t\tif strings.Contains(err.Error(), \"Unauthorized\") {\n\t\t\tcontinue\n\t\t}\n\t\tswitch err.(type) {\n\t\tcase edgediscovery.ErrNoAddressesLeft:\n\t\t\t// If your provided addresses are not available, we will keep trying regardless.\n\t\t\tif !isStaticEdge {\n\t\t\t\treturn\n\t\t\t}\n\t\tcase connection.DupConnRegisterTunnelError,\n\t\t\t*quic.IdleTimeoutError,\n\t\t\t*quic.ApplicationError,\n\t\t\tedgediscovery.DialError,\n\t\t\t*connection.EdgeQuicDialError,\n\t\t\t*connection.ControlStreamError,\n\t\t\t*connection.StreamListenerError,\n\t\t\t*connection.DatagramManagerError:\n\t\t\t// Try again for these types of errors\n\t\tdefault:\n\t\t\t// Uncaught errors should bail startup\n\t\t\treturn\n\t\t}\n\t}\n}\n\n// startTunnel starts a new tunnel connection. The resulting error will be sent on\n// s.tunnelError as this is expected to run in a goroutine.\nfunc (s *Supervisor) startTunnel(\n\tctx context.Context,\n\tindex int,\n\tconnectedSignal *signal.Signal,\n) {\n\t// nolint: gosec\n\terr := s.edgeTunnelServer.Serve(ctx, uint8(index), s.tunnelsProtocolFallback[index], connectedSignal)\n\ts.tunnelErrors <- tunnelError{index: index, err: err}\n}\n\nfunc (s *Supervisor) newConnectedTunnelSignal(index int) *signal.Signal {\n\tsig := make(chan struct{})\n\ts.tunnelsConnecting[index] = sig\n\ts.nextConnectedSignal = sig\n\ts.nextConnectedIndex = index\n\treturn signal.New(sig)\n}\n\nfunc (s *Supervisor) waitForNextTunnel(index int) bool {\n\tdelete(s.tunnelsConnecting, index)\n\ts.nextConnectedSignal = nil\n\tfor k, v := range s.tunnelsConnecting {\n\t\ts.nextConnectedIndex = k\n\t\ts.nextConnectedSignal = v\n\t\treturn true\n\t}\n\treturn false\n}\n" }, { "path": "supervisor/tunnel.go", "content": "package supervisor\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/netip\"\n\t\"runtime/debug\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\t\"golang.org/x/sync/errgroup\"\n\n\t\"github.com/cloudflare/cloudflared/client\"\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/edgediscovery\"\n\t\"github.com/cloudflare/cloudflared/edgediscovery/allregions\"\n\t\"github.com/cloudflare/cloudflared/features\"\n\t\"github.com/cloudflare/cloudflared/fips\"\n\t\"github.com/cloudflare/cloudflared/ingress\"\n\t\"github.com/cloudflare/cloudflared/ingress/origins\"\n\t\"github.com/cloudflare/cloudflared/management\"\n\t\"github.com/cloudflare/cloudflared/orchestration\"\n\tquicpogs \"github.com/cloudflare/cloudflared/quic\"\n\tv3 \"github.com/cloudflare/cloudflared/quic/v3\"\n\t\"github.com/cloudflare/cloudflared/retry\"\n\t\"github.com/cloudflare/cloudflared/signal\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n\t\"github.com/cloudflare/cloudflared/tunnelstate\"\n)\n\nconst (\n\tdialTimeout = 15 * time.Second\n)\n\ntype TunnelConfig struct {\n\tClientConfig *client.Config\n\tGracePeriod time.Duration\n\tCloseConnOnce *sync.Once // Used to close connectedSignal no more than once\n\tEdgeAddrs []string\n\tRegion string\n\tEdgeIPVersion allregions.ConfigIPVersion\n\tEdgeBindAddr net.IP\n\tHAConnections int\n\tIsAutoupdated bool\n\tLBPool string\n\tTags []pogs.Tag\n\tLog *zerolog.Logger\n\tLogTransport *zerolog.Logger\n\tObserver *connection.Observer\n\tReportedVersion string\n\tRetries uint\n\tMaxEdgeAddrRetries uint8\n\tRunFromTerminal bool\n\n\tNeedPQ bool\n\n\tNamedTunnel *connection.TunnelProperties\n\tProtocolSelector connection.ProtocolSelector\n\tEdgeTLSConfigs map[connection.Protocol]*tls.Config\n\tICMPRouterServer ingress.ICMPRouterServer\n\tOriginDNSService *origins.DNSResolverService\n\tOriginDialerService *ingress.OriginDialerService\n\n\tRPCTimeout time.Duration\n\tWriteStreamTimeout time.Duration\n\n\tDisableQUICPathMTUDiscovery bool\n\tQUICConnectionLevelFlowControlLimit uint64\n\tQUICStreamLevelFlowControlLimit uint64\n}\n\nfunc (c *TunnelConfig) connectionOptions(originLocalAddr string, previousAttempts uint8) *client.ConnectionOptionsSnapshot {\n\t// attempt to parse out origin IP, but don't fail since it's informational field\n\thost, _, _ := net.SplitHostPort(originLocalAddr)\n\toriginIP := net.ParseIP(host)\n\treturn c.ClientConfig.ConnectionOptionsSnapshot(originIP, previousAttempts)\n}\n\nfunc StartTunnelDaemon(\n\tctx context.Context,\n\tconfig *TunnelConfig,\n\torchestrator *orchestration.Orchestrator,\n\tconnectedSignal *signal.Signal,\n\treconnectCh chan ReconnectSignal,\n\tgraceShutdownC <-chan struct{},\n) error {\n\ts, err := NewSupervisor(config, orchestrator, reconnectCh, graceShutdownC)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn s.Run(ctx, connectedSignal)\n}\n\ntype ConnectivityError struct {\n\treachedMaxRetries bool\n}\n\nfunc NewConnectivityError(hasReachedMaxRetries bool) *ConnectivityError {\n\treturn &ConnectivityError{\n\t\treachedMaxRetries: hasReachedMaxRetries,\n\t}\n}\n\nfunc (e *ConnectivityError) Error() string {\n\treturn fmt.Sprintf(\"connectivity error - reached max retries: %t\", e.HasReachedMaxRetries())\n}\n\nfunc (e *ConnectivityError) HasReachedMaxRetries() bool {\n\treturn e.reachedMaxRetries\n}\n\n// EdgeAddrHandler provides a mechanism switch between behaviors in ServeTunnel\n// for handling the errors when attempting to make edge connections.\ntype EdgeAddrHandler interface {\n\t// ShouldGetNewAddress will check the edge connection error and determine if\n\t// the edge address should be replaced with a new one. Also, will return if the\n\t// error should be recognized as a connectivity error, or otherwise, a general\n\t// application error.\n\tShouldGetNewAddress(connIndex uint8, err error) (needsNewAddress bool, connectivityError error)\n}\n\nfunc NewIPAddrFallback(maxRetries uint8) *ipAddrFallback {\n\treturn &ipAddrFallback{\n\t\tretriesByConnIndex: make(map[uint8]uint8),\n\t\tmaxRetries: maxRetries,\n\t}\n}\n\n// ipAddrFallback will have more conditions to fall back to a new address for certain\n// edge connection errors. This means that this handler will return true for isConnectivityError\n// for more cases like duplicate connection register and edge quic dial errors.\ntype ipAddrFallback struct {\n\tm sync.Mutex\n\tretriesByConnIndex map[uint8]uint8\n\tmaxRetries uint8\n}\n\nfunc (f *ipAddrFallback) ShouldGetNewAddress(connIndex uint8, err error) (needsNewAddress bool, connectivityError error) {\n\tf.m.Lock()\n\tdefer f.m.Unlock()\n\tswitch err.(type) {\n\tcase nil: // maintain current IP address\n\t// Try the next address if it was a quic.IdleTimeoutError\n\t// DupConnRegisterTunnelError needs to also receive a new ip address\n\tcase connection.DupConnRegisterTunnelError,\n\t\t*quic.IdleTimeoutError:\n\t\treturn true, nil\n\t// Network problems should be retried with new address immediately and report\n\t// as connectivity error\n\tcase edgediscovery.DialError, *connection.EdgeQuicDialError:\n\t\tif f.retriesByConnIndex[connIndex] >= f.maxRetries {\n\t\t\tf.retriesByConnIndex[connIndex] = 0\n\t\t\treturn true, NewConnectivityError(true)\n\t\t}\n\t\tf.retriesByConnIndex[connIndex]++\n\t\treturn true, NewConnectivityError(false)\n\tdefault: // maintain current IP address\n\t}\n\treturn false, nil\n}\n\ntype EdgeTunnelServer struct {\n\tconfig *TunnelConfig\n\torchestrator *orchestration.Orchestrator\n\tsessionManager v3.SessionManager\n\tdatagramMetrics v3.Metrics\n\tedgeAddrHandler EdgeAddrHandler\n\tedgeAddrs *edgediscovery.Edge\n\tedgeBindAddr net.IP\n\treconnectCh chan ReconnectSignal\n\tgracefulShutdownC <-chan struct{}\n\ttracker *tunnelstate.ConnTracker\n\n\tconnAwareLogger *ConnAwareLogger\n}\n\ntype TunnelServer interface {\n\tServe(ctx context.Context, connIndex uint8, protocolFallback *protocolFallback, connectedSignal *signal.Signal) error\n}\n\nfunc (e *EdgeTunnelServer) Serve(ctx context.Context, connIndex uint8, protocolFallback *protocolFallback, connectedSignal *signal.Signal) error {\n\thaConnections.Inc()\n\tdefer haConnections.Dec()\n\n\tconnectedFuse := newBooleanFuse()\n\tgo func() {\n\t\tif connectedFuse.Await() {\n\t\t\tconnectedSignal.Notify()\n\t\t}\n\t}()\n\t// Ensure the above goroutine will terminate if we return without connecting\n\tdefer connectedFuse.Fuse(false)\n\n\t// Fetch IP address to associated connection index\n\taddr, err := e.edgeAddrs.GetAddr(int(connIndex))\n\tswitch err.(type) {\n\tcase nil: // no error\n\tcase edgediscovery.ErrNoAddressesLeft:\n\t\treturn err\n\tdefault:\n\t\treturn err\n\t}\n\n\tlogger := e.config.Log.With().\n\t\tInt(management.EventTypeKey, int(management.Cloudflared)).\n\t\tIPAddr(connection.LogFieldIPAddress, addr.UDP.IP).\n\t\tUint8(connection.LogFieldConnIndex, connIndex).\n\t\tLogger()\n\tconnLog := e.connAwareLogger.ReplaceLogger(&logger)\n\n\t// Each connection to keep its own copy of protocol, because individual connections might fallback\n\t// to another protocol when a particular metal doesn't support new protocol\n\t// Each connection can also have it's own IP version because individual connections might fallback\n\t// to another IP version.\n\terr, shouldFallbackProtocol := e.serveTunnel(\n\t\tctx,\n\t\tconnLog,\n\t\taddr,\n\t\tconnIndex,\n\t\tconnectedFuse,\n\t\tprotocolFallback,\n\t\tprotocolFallback.protocol,\n\t)\n\n\t// Check if the connection error was from an IP issue with the host or\n\t// establishing a connection to the edge and if so, rotate the IP address.\n\tshouldRotateEdgeIP, cErr := e.edgeAddrHandler.ShouldGetNewAddress(connIndex, err)\n\tif shouldRotateEdgeIP {\n\t\t// rotate IP, but forcing internal state to assign a new IP to connection index.\n\t\tif _, err := e.edgeAddrs.GetDifferentAddr(int(connIndex), true); err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\t// In addition, if it is a connectivity error, and we have exhausted the configurable maximum edge IPs to rotate,\n\t\t// then just fallback protocol on next iteration run.\n\t\tconnectivityErr, ok := cErr.(*ConnectivityError)\n\t\tif ok {\n\t\t\tshouldFallbackProtocol = connectivityErr.HasReachedMaxRetries()\n\t\t}\n\t}\n\n\t// set connection has re-connecting and log the next retrying backoff\n\tduration, ok := protocolFallback.GetMaxBackoffDuration(ctx)\n\tif !ok {\n\t\treturn err\n\t}\n\te.config.Observer.SendReconnect(connIndex)\n\tconnLog.Logger().Info().Msgf(\"Retrying connection in up to %s\", duration)\n\n\tselect {\n\tcase <-ctx.Done():\n\t\treturn ctx.Err()\n\tcase <-e.gracefulShutdownC:\n\t\treturn nil\n\tcase <-protocolFallback.BackoffTimer():\n\t\t// should we fallback protocol? If not, just return. Otherwise, set new protocol for next method call.\n\t\tif !shouldFallbackProtocol {\n\t\t\treturn err\n\t\t}\n\n\t\t// If a single connection has connected with the current protocol, we know we know we don't have to fallback\n\t\t// to a different protocol.\n\t\tif e.tracker.HasConnectedWith(e.config.ProtocolSelector.Current()) {\n\t\t\treturn err\n\t\t}\n\n\t\tif !selectNextProtocol(\n\t\t\tconnLog.Logger(),\n\t\t\tprotocolFallback,\n\t\t\te.config.ProtocolSelector,\n\t\t\terr,\n\t\t) {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn err\n}\n\n// protocolFallback is a wrapper around backoffHandler that will try fallback option when backoff reaches\n// max retries\ntype protocolFallback struct {\n\tretry.BackoffHandler\n\tprotocol connection.Protocol\n\tinFallback bool\n}\n\nfunc (pf *protocolFallback) reset() {\n\tpf.ResetNow()\n\tpf.inFallback = false\n}\n\nfunc (pf *protocolFallback) fallback(fallback connection.Protocol) {\n\tpf.ResetNow()\n\tpf.protocol = fallback\n\tpf.inFallback = true\n}\n\n// selectNextProtocol picks connection protocol for the next retry iteration,\n// returns true if it was able to pick the protocol, false if we are out of options and should stop retrying\nfunc selectNextProtocol(\n\tconnLog *zerolog.Logger,\n\tprotocolBackoff *protocolFallback,\n\tselector connection.ProtocolSelector,\n\tcause error,\n) bool {\n\tisQuicBroken := isQuicBroken(cause)\n\t_, hasFallback := selector.Fallback()\n\n\tif protocolBackoff.ReachedMaxRetries() || (hasFallback && isQuicBroken) {\n\t\tif isQuicBroken {\n\t\t\tconnLog.Warn().Msg(\"If this log occurs persistently, and cloudflared is unable to connect to \" +\n\t\t\t\t\"Cloudflare Network with `quic` protocol, then most likely your machine/network is getting its egress \" +\n\t\t\t\t\"UDP to port 7844 (or others) blocked or dropped. Make sure to allow egress connectivity as per \" +\n\t\t\t\t\"https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ports-and-ips/\\n\" +\n\t\t\t\t\"If you are using private routing to this Tunnel, then ICMP, UDP (and Private DNS Resolution) will not work \" +\n\t\t\t\t\"unless your cloudflared can connect with Cloudflare Network with `quic`.\")\n\t\t}\n\n\t\tfallback, hasFallback := selector.Fallback()\n\t\tif !hasFallback {\n\t\t\treturn false\n\t\t}\n\t\t// Already using fallback protocol, no point to retry\n\t\tif protocolBackoff.protocol == fallback {\n\t\t\treturn false\n\t\t}\n\t\tconnLog.Info().Msgf(\"Switching to fallback protocol %s\", fallback)\n\t\tprotocolBackoff.fallback(fallback)\n\t} else if !protocolBackoff.inFallback {\n\t\tcurrent := selector.Current()\n\t\tif protocolBackoff.protocol != current {\n\t\t\tprotocolBackoff.protocol = current\n\t\t\tconnLog.Info().Msgf(\"Changing protocol to %s\", current)\n\t\t}\n\t}\n\treturn true\n}\n\nfunc isQuicBroken(cause error) bool {\n\tvar idleTimeoutError *quic.IdleTimeoutError\n\tif errors.As(cause, &idleTimeoutError) {\n\t\treturn true\n\t}\n\n\tvar transportError *quic.TransportError\n\tif errors.As(cause, &transportError) && strings.Contains(cause.Error(), \"operation not permitted\") {\n\t\treturn true\n\t}\n\n\treturn false\n}\n\n// ServeTunnel runs a single tunnel connection, returns nil on graceful shutdown,\n// on error returns a flag indicating if error can be retried\nfunc (e *EdgeTunnelServer) serveTunnel(\n\tctx context.Context,\n\tconnLog *ConnAwareLogger,\n\taddr *allregions.EdgeAddr,\n\tconnIndex uint8,\n\tfuse *booleanFuse,\n\tbackoff *protocolFallback,\n\tprotocol connection.Protocol,\n) (err error, recoverable bool) {\n\t// Treat panics as recoverable errors\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tvar ok bool\n\t\t\terr, ok = r.(error)\n\t\t\tif !ok {\n\t\t\t\terr = fmt.Errorf(\"ServeTunnel: %v\", r)\n\t\t\t}\n\t\t\terr = errors.Wrapf(err, \"stack trace: %s\", string(debug.Stack()))\n\t\t\trecoverable = true\n\t\t}\n\t}()\n\n\tdefer e.config.Observer.SendDisconnect(connIndex)\n\terr, recoverable = e.serveConnection(\n\t\tctx,\n\t\tconnLog,\n\t\taddr,\n\t\tconnIndex,\n\t\tfuse,\n\t\tbackoff,\n\t\tprotocol,\n\t)\n\n\tif err != nil {\n\t\tswitch err := err.(type) {\n\t\tcase connection.DupConnRegisterTunnelError:\n\t\t\tconnLog.ConnAwareLogger().Err(err).Msg(\"Unable to establish connection.\")\n\t\t\t// don't retry this connection anymore, let supervisor pick a new address\n\t\t\treturn err, false\n\t\tcase connection.ServerRegisterTunnelError:\n\t\t\tconnLog.ConnAwareLogger().Err(err).Msg(\"Register tunnel error from server side\")\n\t\t\t// Don't send registration error return from server to Sentry. They are\n\t\t\t// logged on server side\n\t\t\treturn err.Cause, !err.Permanent\n\t\tcase *connection.EdgeQuicDialError:\n\t\t\treturn err, false\n\t\tcase ReconnectSignal:\n\t\t\tconnLog.Logger().Info().\n\t\t\t\tIPAddr(connection.LogFieldIPAddress, addr.UDP.IP).\n\t\t\t\tUint8(connection.LogFieldConnIndex, connIndex).\n\t\t\t\tMsgf(\"Restarting connection due to reconnect signal in %s\", err.Delay)\n\t\t\terr.DelayBeforeReconnect()\n\t\t\treturn err, true\n\t\tdefault:\n\t\t\tif err == context.Canceled {\n\t\t\t\tconnLog.Logger().Debug().Err(err).Msgf(\"Serve tunnel error\")\n\t\t\t\treturn err, false\n\t\t\t}\n\t\t\tconnLog.ConnAwareLogger().Err(err).Msgf(\"Serve tunnel error\")\n\t\t\t_, permanent := err.(unrecoverableError)\n\t\t\treturn err, !permanent\n\t\t}\n\t}\n\treturn nil, false\n}\n\nfunc (e *EdgeTunnelServer) serveConnection(\n\tctx context.Context,\n\tconnLog *ConnAwareLogger,\n\taddr *allregions.EdgeAddr,\n\tconnIndex uint8,\n\tfuse *booleanFuse,\n\tbackoff *protocolFallback,\n\tprotocol connection.Protocol,\n) (err error, recoverable bool) {\n\tconnectedFuse := &connectedFuse{\n\t\tfuse: fuse,\n\t\tbackoff: backoff,\n\t}\n\tcontrolStream := connection.NewControlStream(\n\t\te.config.Observer,\n\t\tconnectedFuse,\n\t\te.config.NamedTunnel,\n\t\tconnIndex,\n\t\taddr.UDP.IP,\n\t\tnil,\n\t\te.config.RPCTimeout,\n\t\te.gracefulShutdownC,\n\t\te.config.GracePeriod,\n\t\tprotocol,\n\t)\n\n\tswitch protocol {\n\tcase connection.QUIC:\n\t\t// nolint: gosec\n\t\tconnOptions := e.config.connectionOptions(addr.UDP.String(), uint8(backoff.Retries()))\n\t\t// nolint: zerologlint\n\t\tconnOptions.LogFields(connLog.Logger().Debug().Uint8(connection.LogFieldConnIndex, connIndex)).Msgf(\"Tunnel connection options\")\n\t\treturn e.serveQUIC(ctx,\n\t\t\taddr.UDP.AddrPort(),\n\t\t\tconnLog,\n\t\t\tconnOptions,\n\t\t\tcontrolStream,\n\t\t\tconnIndex)\n\n\tcase connection.HTTP2:\n\t\tedgeConn, err := edgediscovery.DialEdge(ctx, dialTimeout, e.config.EdgeTLSConfigs[protocol], addr.TCP, e.edgeBindAddr)\n\t\tif err != nil {\n\t\t\tconnLog.ConnAwareLogger().Err(err).Msg(\"Unable to establish connection with Cloudflare edge\")\n\t\t\treturn err, true\n\t\t}\n\n\t\t// nolint: gosec\n\t\tconnOptions := e.config.connectionOptions(edgeConn.LocalAddr().String(), uint8(backoff.Retries()))\n\t\t// nolint: zerologlint\n\t\tconnOptions.LogFields(connLog.Logger().Debug().Uint8(connection.LogFieldConnIndex, connIndex)).Msgf(\"Tunnel connection options\")\n\t\tif err := e.serveHTTP2(\n\t\t\tctx,\n\t\t\tconnLog,\n\t\t\tedgeConn,\n\t\t\tconnOptions,\n\t\t\tcontrolStream,\n\t\t\tconnIndex,\n\t\t); err != nil {\n\t\t\treturn err, false\n\t\t}\n\n\tdefault:\n\t\treturn fmt.Errorf(\"invalid protocol selected: %s\", protocol), false\n\t}\n\treturn\n}\n\ntype unrecoverableError struct {\n\terr error\n}\n\nfunc (r unrecoverableError) Error() string {\n\treturn r.err.Error()\n}\n\nfunc (e *EdgeTunnelServer) serveHTTP2(\n\tctx context.Context,\n\tconnLog *ConnAwareLogger,\n\ttlsServerConn net.Conn,\n\tconnOptions *client.ConnectionOptionsSnapshot,\n\tcontrolStreamHandler connection.ControlStreamHandler,\n\tconnIndex uint8,\n) error {\n\tpqMode := connOptions.FeatureSnapshot.PostQuantum\n\tif pqMode == features.PostQuantumStrict {\n\t\treturn unrecoverableError{errors.New(\"HTTP/2 transport does not support post-quantum\")}\n\t}\n\n\tconnLog.Logger().Debug().Msgf(\"Connecting via http2\")\n\th2conn := connection.NewHTTP2Connection(\n\t\ttlsServerConn,\n\t\te.orchestrator,\n\t\tconnOptions,\n\t\te.config.Observer,\n\t\tconnIndex,\n\t\tcontrolStreamHandler,\n\t\te.config.Log,\n\t)\n\n\terrGroup, serveCtx := errgroup.WithContext(ctx)\n\terrGroup.Go(func() error {\n\t\treturn h2conn.Serve(serveCtx)\n\t})\n\n\terrGroup.Go(func() error {\n\t\terr := listenReconnect(serveCtx, e.reconnectCh, e.gracefulShutdownC)\n\t\tif err != nil {\n\t\t\t// forcefully break the connection (this is only used for testing)\n\t\t\t// errgroup will return context canceled for the h2conn.Serve\n\t\t\tconnLog.Logger().Debug().Msg(\"Forcefully breaking http2 connection\")\n\t\t}\n\t\treturn err\n\t})\n\n\treturn errGroup.Wait()\n}\n\nfunc (e *EdgeTunnelServer) serveQUIC(\n\tctx context.Context,\n\tedgeAddr netip.AddrPort,\n\tconnLogger *ConnAwareLogger,\n\tconnOptions *client.ConnectionOptionsSnapshot,\n\tcontrolStreamHandler connection.ControlStreamHandler,\n\tconnIndex uint8,\n) (err error, recoverable bool) {\n\ttlsConfig := e.config.EdgeTLSConfigs[connection.QUIC]\n\n\tpqMode := connOptions.FeatureSnapshot.PostQuantum\n\tcurvePref, err := curvePreference(pqMode, fips.IsFipsEnabled(), tlsConfig.CurvePreferences)\n\tif err != nil {\n\t\tconnLogger.ConnAwareLogger().Err(err).Msgf(\"failed to get curve preferences\")\n\t\treturn err, true\n\t}\n\n\tconnLogger.Logger().Info().Msgf(\"Tunnel connection curve preferences: %v\", curvePref)\n\n\ttlsConfig.CurvePreferences = curvePref\n\n\t// quic-go 0.44 increases the initial packet size to 1280 by default. That breaks anyone running tunnel through WARP\n\t// because WARP MTU is 1280.\n\tvar initialPacketSize uint16 = 1252\n\tif edgeAddr.Addr().Is4() {\n\t\tinitialPacketSize = 1232\n\t}\n\n\tquicConfig := &quic.Config{\n\t\tHandshakeIdleTimeout: quicpogs.HandshakeIdleTimeout,\n\t\tMaxIdleTimeout: quicpogs.MaxIdleTimeout,\n\t\tKeepAlivePeriod: quicpogs.MaxIdlePingPeriod,\n\t\tMaxIncomingStreams: quicpogs.MaxIncomingStreams,\n\t\tMaxIncomingUniStreams: quicpogs.MaxIncomingStreams,\n\t\tEnableDatagrams: true,\n\t\tTracer: quicpogs.NewClientTracer(connLogger.Logger(), connIndex),\n\t\tDisablePathMTUDiscovery: e.config.DisableQUICPathMTUDiscovery,\n\t\tMaxConnectionReceiveWindow: e.config.QUICConnectionLevelFlowControlLimit,\n\t\tMaxStreamReceiveWindow: e.config.QUICStreamLevelFlowControlLimit,\n\t\tInitialPacketSize: initialPacketSize,\n\t}\n\n\t// Dial the QUIC connection to the edge\n\tconn, err := connection.DialQuic(\n\t\tctx,\n\t\tquicConfig,\n\t\ttlsConfig,\n\t\tedgeAddr,\n\t\te.edgeBindAddr,\n\t\tconnIndex,\n\t\tconnLogger.Logger(),\n\t)\n\tif err != nil {\n\t\tconnLogger.ConnAwareLogger().Err(err).Msgf(\"Failed to dial a quic connection\")\n\n\t\te.reportErrorToSentry(err, connOptions.FeatureSnapshot.PostQuantum)\n\t\treturn err, true\n\t}\n\n\tvar datagramSessionManager connection.DatagramSessionHandler\n\tif connOptions.FeatureSnapshot.DatagramVersion == features.DatagramV3 {\n\t\tdatagramSessionManager = connection.NewDatagramV3Connection(\n\t\t\tctx,\n\t\t\tconn,\n\t\t\te.sessionManager,\n\t\t\te.config.ICMPRouterServer,\n\t\t\tconnIndex,\n\t\t\te.datagramMetrics,\n\t\t\tconnLogger.Logger(),\n\t\t)\n\t} else {\n\t\tdatagramSessionManager = connection.NewDatagramV2Connection(\n\t\t\tctx,\n\t\t\tconn,\n\t\t\te.config.OriginDialerService,\n\t\t\te.config.ICMPRouterServer,\n\t\t\tconnIndex,\n\t\t\te.config.RPCTimeout,\n\t\t\te.config.WriteStreamTimeout,\n\t\t\te.orchestrator.GetFlowLimiter(),\n\t\t\tconnLogger.Logger(),\n\t\t)\n\t}\n\n\t// Wrap the [quic.Connection] as a TunnelConnection\n\ttunnelConn := connection.NewTunnelConnection(\n\t\tctx,\n\t\tconn,\n\t\tconnIndex,\n\t\te.orchestrator,\n\t\tdatagramSessionManager,\n\t\tcontrolStreamHandler,\n\t\tconnOptions,\n\t\te.config.RPCTimeout,\n\t\te.config.WriteStreamTimeout,\n\t\te.config.GracePeriod,\n\t\tconnLogger.Logger(),\n\t)\n\n\t// Serve the TunnelConnection\n\terrGroup, serveCtx := errgroup.WithContext(ctx)\n\terrGroup.Go(func() error {\n\t\terr := tunnelConn.Serve(serveCtx)\n\t\tif err != nil {\n\t\t\tconnLogger.ConnAwareLogger().Err(err).Msg(\"failed to serve tunnel connection\")\n\t\t}\n\t\treturn err\n\t})\n\n\terrGroup.Go(func() error {\n\t\terr := listenReconnect(serveCtx, e.reconnectCh, e.gracefulShutdownC)\n\t\tif err != nil {\n\t\t\t// forcefully break the connection (this is only used for testing)\n\t\t\t// errgroup will return context canceled for the tunnelConn.Serve\n\t\t\tconnLogger.Logger().Debug().Msg(\"Forcefully breaking tunnel connection\")\n\t\t}\n\t\treturn err\n\t})\n\n\treturn errGroup.Wait(), false\n}\n\n// The reportErrorToSentry is an helper function that handles\n// verifies if an error should be reported to Sentry.\nfunc (e *EdgeTunnelServer) reportErrorToSentry(err error, pqMode features.PostQuantumMode) {\n\tdialErr, ok := err.(*connection.EdgeQuicDialError)\n\tif ok {\n\t\t// The TransportError provides an Unwrap function however\n\t\t// the err MAY not always be set\n\t\ttransportErr, ok := dialErr.Cause.(*quic.TransportError)\n\t\tif ok &&\n\t\t\ttransportErr.ErrorCode.IsCryptoError() &&\n\t\t\tfips.IsFipsEnabled() &&\n\t\t\tpqMode == features.PostQuantumStrict {\n\t\t\t// Only report to Sentry when using FIPS, PQ,\n\t\t\t// and the error is a Crypto error reported by\n\t\t\t// an EdgeQuicDialError\n\t\t\tsentry.CaptureException(err)\n\t\t}\n\t}\n}\n\nfunc listenReconnect(ctx context.Context, reconnectCh <-chan ReconnectSignal, gracefulShutdownCh <-chan struct{}) error {\n\tselect {\n\tcase reconnect := <-reconnectCh:\n\t\treturn reconnect\n\tcase <-gracefulShutdownCh:\n\t\treturn nil\n\tcase <-ctx.Done():\n\t\treturn nil\n\t}\n}\n\ntype connectedFuse struct {\n\tfuse *booleanFuse\n\tbackoff *protocolFallback\n}\n\nfunc (cf *connectedFuse) Connected() {\n\tcf.fuse.Fuse(true)\n\tcf.backoff.reset()\n}\n\nfunc (cf *connectedFuse) IsConnected() bool {\n\treturn cf.fuse.Value()\n}\n" }, { "path": "supervisor/tunnel_test.go", "content": "package supervisor\n\nimport (\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/quic-go/quic-go\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\n\t\"github.com/cloudflare/cloudflared/connection\"\n\t\"github.com/cloudflare/cloudflared/edgediscovery\"\n\t\"github.com/cloudflare/cloudflared/retry\"\n)\n\ntype dynamicMockFetcher struct {\n\tprotocolPercents edgediscovery.ProtocolPercents\n\terr error\n}\n\nfunc (dmf *dynamicMockFetcher) fetch() edgediscovery.PercentageFetcher {\n\treturn func() (edgediscovery.ProtocolPercents, error) {\n\t\treturn dmf.protocolPercents, dmf.err\n\t}\n}\n\nfunc immediateTimeAfter(time.Duration) <-chan time.Time {\n\tc := make(chan time.Time, 1)\n\tc <- time.Now()\n\treturn c\n}\n\nfunc TestWaitForBackoffFallback(t *testing.T) {\n\tmaxRetries := uint(3)\n\tbackoff := retry.NewBackoff(maxRetries, 40*time.Millisecond, false)\n\tbackoff.Clock.After = immediateTimeAfter\n\tlog := zerolog.Nop()\n\tresolveTTL := 10 * time.Second\n\tmockFetcher := dynamicMockFetcher{\n\t\tprotocolPercents: edgediscovery.ProtocolPercents{edgediscovery.ProtocolPercent{Protocol: \"quic\", Percentage: 100}},\n\t}\n\tprotocolSelector, err := connection.NewProtocolSelector(\n\t\t\"auto\",\n\t\t\"\",\n\t\tfalse,\n\t\tfalse,\n\t\tmockFetcher.fetch(),\n\t\tresolveTTL,\n\t\t&log,\n\t)\n\tassert.NoError(t, err)\n\n\tinitProtocol := protocolSelector.Current()\n\tassert.Equal(t, connection.QUIC, initProtocol)\n\n\tprotoFallback := &protocolFallback{\n\t\tbackoff,\n\t\tinitProtocol,\n\t\tfalse,\n\t}\n\n\t// Retry #0 and #1. At retry #2, we switch protocol, so the fallback loop has one more retry than this\n\tfor i := 0; i < int(maxRetries-1); i++ {\n\t\tprotoFallback.BackoffTimer() // simulate retry\n\t\tok := selectNextProtocol(&log, protoFallback, protocolSelector, nil)\n\t\tassert.True(t, ok)\n\t\tassert.Equal(t, initProtocol, protoFallback.protocol)\n\t}\n\n\t// Retry fallback protocol\n\tprotoFallback.BackoffTimer() // simulate retry\n\tok := selectNextProtocol(&log, protoFallback, protocolSelector, nil)\n\tassert.True(t, ok)\n\tfallback, ok := protocolSelector.Fallback()\n\tassert.True(t, ok)\n\tassert.Equal(t, fallback, protoFallback.protocol)\n\tassert.Equal(t, connection.HTTP2, protoFallback.protocol)\n\n\tcurrentGlobalProtocol := protocolSelector.Current()\n\tassert.Equal(t, initProtocol, currentGlobalProtocol)\n\n\t// Simulate max retries again (retries reset after protocol switch)\n\tfor i := 0; i < int(maxRetries); i++ {\n\t\tprotoFallback.BackoffTimer()\n\t}\n\t// No protocol to fallback, return error\n\tok = selectNextProtocol(&log, protoFallback, protocolSelector, nil)\n\tassert.False(t, ok)\n\n\tprotoFallback.reset()\n\tprotoFallback.BackoffTimer() // simulate retry\n\tok = selectNextProtocol(&log, protoFallback, protocolSelector, nil)\n\tassert.True(t, ok)\n\tassert.Equal(t, initProtocol, protoFallback.protocol)\n\n\tprotoFallback.reset()\n\tprotoFallback.BackoffTimer() // simulate retry\n\tok = selectNextProtocol(&log, protoFallback, protocolSelector, &quic.IdleTimeoutError{})\n\t// Check that we get a true after the first try itself when this flag is true. This allows us to immediately\n\t// switch protocols when there is a fallback.\n\tassert.True(t, ok)\n\n\t// But if there is no fallback available, then we exhaust the retries despite the type of error.\n\t// The reason why there's no fallback available is because we pick a specific protocol instead of letting it be auto.\n\tprotocolSelector, err = connection.NewProtocolSelector(\n\t\t\"quic\",\n\t\t\"\",\n\t\tfalse,\n\t\tfalse,\n\t\tmockFetcher.fetch(),\n\t\tresolveTTL,\n\t\t&log,\n\t)\n\tassert.NoError(t, err)\n\tprotoFallback = &protocolFallback{backoff, protocolSelector.Current(), false}\n\tfor i := 0; i < int(maxRetries-1); i++ {\n\t\tprotoFallback.BackoffTimer() // simulate retry\n\t\tok := selectNextProtocol(&log, protoFallback, protocolSelector, &quic.IdleTimeoutError{})\n\t\tassert.True(t, ok)\n\t\tassert.Equal(t, connection.QUIC, protoFallback.protocol)\n\t}\n\t// And finally it fails as it should, with no fallback.\n\tprotoFallback.BackoffTimer()\n\tok = selectNextProtocol(&log, protoFallback, protocolSelector, &quic.IdleTimeoutError{})\n\tassert.False(t, ok)\n}\n" }, { "path": "supervisor/tunnelsforha.go", "content": "package supervisor\n\nimport (\n\t\"fmt\"\n\t\"sync\"\n\n\t\"github.com/prometheus/client_golang/prometheus\"\n)\n\n// tunnelsForHA maps this cloudflared instance's HA connections to the tunnel IDs they serve.\ntype tunnelsForHA struct {\n\tsync.Mutex\n\tmetrics *prometheus.GaugeVec\n\tentries map[uint8]string\n}\n\n// NewTunnelsForHA initializes the Prometheus metrics etc for a tunnelsForHA.\nfunc NewTunnelsForHA() tunnelsForHA {\n\tmetrics := prometheus.NewGaugeVec(\n\t\tprometheus.GaugeOpts{\n\t\t\tName: \"tunnel_ids\",\n\t\t\tHelp: \"The ID of all tunnels (and their corresponding HA connection ID) running in this instance of cloudflared.\",\n\t\t},\n\t\t[]string{\"tunnel_id\", \"ha_conn_id\"},\n\t)\n\tprometheus.MustRegister(metrics)\n\n\treturn tunnelsForHA{\n\t\tmetrics: metrics,\n\t\tentries: make(map[uint8]string),\n\t}\n}\n\n// Track a new tunnel ID, removing the disconnected tunnel (if any) and update metrics.\nfunc (t *tunnelsForHA) AddTunnelID(haConn uint8, tunnelID string) {\n\tt.Lock()\n\tdefer t.Unlock()\n\thaStr := fmt.Sprintf(\"%v\", haConn)\n\tif oldTunnelID, ok := t.entries[haConn]; ok {\n\t\tt.metrics.WithLabelValues(oldTunnelID, haStr).Dec()\n\t}\n\tt.entries[haConn] = tunnelID\n\tt.metrics.WithLabelValues(tunnelID, haStr).Inc()\n}\n\nfunc (t *tunnelsForHA) String() string {\n\tt.Lock()\n\tdefer t.Unlock()\n\treturn fmt.Sprintf(\"%v\", t.entries)\n}\n" }, { "path": "tlsconfig/certreloader.go", "content": "package tlsconfig\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"os\"\n\t\"runtime\"\n\t\"sync\"\n\n\t\"github.com/getsentry/sentry-go\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/urfave/cli/v2\"\n)\n\nconst (\n\tOriginCAPoolFlag = \"origin-ca-pool\"\n\tCaCertFlag = \"cacert\"\n)\n\n// CertReloader can load and reload a TLS certificate from a particular filepath.\n// Hooks into tls.Config's GetCertificate to allow a TLS server to update its certificate without restarting.\ntype CertReloader struct {\n\tsync.Mutex\n\tcertificate *tls.Certificate\n\tcertPath string\n\tkeyPath string\n}\n\n// NewCertReloader makes a CertReloader. It loads the cert during initialization to make sure certPath and keyPath are valid\nfunc NewCertReloader(certPath, keyPath string) (*CertReloader, error) {\n\tcr := new(CertReloader)\n\tcr.certPath = certPath\n\tcr.keyPath = keyPath\n\tif err := cr.LoadCert(); err != nil {\n\t\treturn nil, err\n\t}\n\treturn cr, nil\n}\n\n// Cert returns the TLS certificate most recently read by the CertReloader.\n// This method works as a direct utility method for tls.Config#Cert.\nfunc (cr *CertReloader) Cert(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {\n\tcr.Lock()\n\tdefer cr.Unlock()\n\treturn cr.certificate, nil\n}\n\n// ClientCert returns the TLS certificate most recently read by the CertReloader.\n// This method works as a direct utility method for tls.Config#ClientCert.\nfunc (cr *CertReloader) ClientCert(certRequestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {\n\tcr.Lock()\n\tdefer cr.Unlock()\n\treturn cr.certificate, nil\n}\n\n// LoadCert loads a TLS certificate from the CertReloader's specified filepath.\n// Call this after writing a new certificate to the disk (e.g. after renewing a certificate)\nfunc (cr *CertReloader) LoadCert() error {\n\tcr.Lock()\n\tdefer cr.Unlock()\n\n\tcert, err := tls.LoadX509KeyPair(cr.certPath, cr.keyPath)\n\n\t// Keep the old certificate if there's a problem reading the new one.\n\tif err != nil {\n\t\tsentry.CaptureException(fmt.Errorf(\"Error parsing X509 key pair: %v\", err))\n\t\treturn err\n\t}\n\tcr.certificate = &cert\n\treturn nil\n}\n\nfunc LoadOriginCA(originCAPoolFilename string, log *zerolog.Logger) (*x509.CertPool, error) {\n\tvar originCustomCAPool []byte\n\n\tif originCAPoolFilename != \"\" {\n\t\tvar err error\n\t\toriginCustomCAPool, err = os.ReadFile(originCAPoolFilename)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, fmt.Sprintf(\"unable to read the file %s for --%s\", originCAPoolFilename, OriginCAPoolFlag))\n\t\t}\n\t}\n\n\toriginCertPool, err := loadOriginCertPool(originCustomCAPool, log)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"error loading the certificate pool\")\n\t}\n\n\t// Windows users should be notified that they can use the flag\n\tif runtime.GOOS == \"windows\" && originCAPoolFilename == \"\" {\n\t\tlog.Info().Msgf(\"cloudflared does not support loading the system root certificate pool on Windows. Please use --%s to specify the path to the certificate pool\", OriginCAPoolFlag)\n\t}\n\n\treturn originCertPool, nil\n}\n\nfunc LoadCustomOriginCA(originCAFilename string) (*x509.CertPool, error) {\n\t// First, obtain the system certificate pool\n\tcertPool, err := x509.SystemCertPool()\n\tif err != nil {\n\t\tcertPool = x509.NewCertPool()\n\t}\n\n\t// Next, append the Cloudflare CAs into the system pool\n\tcfRootCA, err := GetCloudflareRootCA()\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"could not append Cloudflare Root CAs to cloudflared certificate pool\")\n\t}\n\tfor _, cert := range cfRootCA {\n\t\tcertPool.AddCert(cert)\n\t}\n\n\tif originCAFilename == \"\" {\n\t\treturn certPool, nil\n\t}\n\n\tcustomOriginCA, err := os.ReadFile(originCAFilename)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, fmt.Sprintf(\"unable to read the file %s\", originCAFilename))\n\t}\n\n\tif !certPool.AppendCertsFromPEM(customOriginCA) {\n\t\treturn nil, fmt.Errorf(\"error appending custom CA to cert pool\")\n\t}\n\treturn certPool, nil\n}\n\nfunc CreateTunnelConfig(c *cli.Context, serverName string) (*tls.Config, error) {\n\tvar rootCAs []string\n\tif c.String(CaCertFlag) != \"\" {\n\t\trootCAs = append(rootCAs, c.String(CaCertFlag))\n\t}\n\n\tuserConfig := &TLSParameters{RootCAs: rootCAs, ServerName: serverName}\n\ttlsConfig, err := GetConfig(userConfig)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif tlsConfig.RootCAs == nil {\n\t\trootCAPool, err := x509.SystemCertPool()\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"unable to get x509 system cert pool\")\n\t\t}\n\t\tcfRootCA, err := GetCloudflareRootCA()\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"could not append Cloudflare Root CAs to cloudflared certificate pool\")\n\t\t}\n\t\tfor _, cert := range cfRootCA {\n\t\t\trootCAPool.AddCert(cert)\n\t\t}\n\t\ttlsConfig.RootCAs = rootCAPool\n\t}\n\n\tif tlsConfig.ServerName == \"\" && !tlsConfig.InsecureSkipVerify {\n\t\treturn nil, fmt.Errorf(\"either ServerName or InsecureSkipVerify must be specified in the tls.Config\")\n\t}\n\treturn tlsConfig, nil\n}\n\nfunc loadOriginCertPool(originCAPoolPEM []byte, log *zerolog.Logger) (*x509.CertPool, error) {\n\t// Get the global pool\n\tcertPool, err := loadGlobalCertPool(log)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Then, add any custom origin CA pool the user may have passed\n\tif originCAPoolPEM != nil {\n\t\tif !certPool.AppendCertsFromPEM(originCAPoolPEM) {\n\t\t\tlog.Info().Msg(\"could not append the provided origin CA to the cloudflared certificate pool\")\n\t\t}\n\t}\n\n\treturn certPool, nil\n}\n\nfunc loadGlobalCertPool(log *zerolog.Logger) (*x509.CertPool, error) {\n\t// First, obtain the system certificate pool\n\tcertPool, err := x509.SystemCertPool()\n\tif err != nil {\n\t\tif runtime.GOOS != \"windows\" { // See https://github.com/golang/go/issues/16736\n\t\t\tlog.Err(err).Msg(\"error obtaining the system certificates\")\n\t\t}\n\t\tcertPool = x509.NewCertPool()\n\t}\n\n\t// Next, append the Cloudflare CAs into the system pool\n\tcfRootCA, err := GetCloudflareRootCA()\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"could not append Cloudflare Root CAs to cloudflared certificate pool\")\n\t}\n\tfor _, cert := range cfRootCA {\n\t\tcertPool.AddCert(cert)\n\t}\n\n\t// Finally, add the Hello certificate into the pool (since it's self-signed)\n\thelloCert, err := GetHelloCertificateX509()\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"could not append Hello server certificate to cloudflared certificate pool\")\n\t}\n\tcertPool.AddCert(helloCert)\n\n\treturn certPool, nil\n}\n" }, { "path": "tlsconfig/cloudflare_ca.go", "content": "package tlsconfig\n\nimport (\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n)\n\n// TODO: remove the Origin CA root certs when migrated to Authenticated Origin Pull certs\nvar cloudflareRootCA = []byte(`\nIssuer: C=US, ST=California, L=San Francisco, O=CloudFlare, Inc., OU=CloudFlare Origin SSL ECC Certificate Authority\n-----BEGIN CERTIFICATE-----\nMIICiTCCAi6gAwIBAgIUXZP3MWb8MKwBE1Qbawsp1sfA/Y4wCgYIKoZIzj0EAwIw\ngY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL\nEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0\neTAeFw0xOTA4MjMyMTA4MDBaFw0yOTA4MTUxNzAwMDBaMIGPMQswCQYDVQQGEwJV\nUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ\nMBcGA1UEChMQQ2xvdWRGbGFyZSwgSW5jLjE4MDYGA1UECxMvQ2xvdWRGbGFyZSBP\ncmlnaW4gU1NMIEVDQyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwWTATBgcqhkjOPQIB\nBggqhkjOPQMBBwNCAASR+sGALuaGshnUbcxKry+0LEXZ4NY6JUAtSeA6g87K3jaA\nxpIg9G50PokpfWkhbarLfpcZu0UAoYy2su0EhN7wo2YwZDAOBgNVHQ8BAf8EBAMC\nAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUhTBdOypw1O3VkmcH/es5\ntBoOOKcwHwYDVR0jBBgwFoAUhTBdOypw1O3VkmcH/es5tBoOOKcwCgYIKoZIzj0E\nAwIDSQAwRgIhAKilfntP2ILGZjwajktkBtXE1pB4Y/fjAfLkIRUzrI15AiEA5UCL\nXYZZ9m2c3fKwIenMMojL1eqydsgqj/wK4p5kagQ=\n-----END CERTIFICATE-----\nIssuer: C=US, O=CloudFlare, Inc., OU=CloudFlare Origin SSL Certificate Authority, L=San Francisco, ST=California\n-----BEGIN CERTIFICATE-----\nMIIEADCCAuigAwIBAgIID+rOSdTGfGcwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV\nBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91\nZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQH\nEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMB4XDTE5MDgyMzIx\nMDgwMFoXDTI5MDgxNTE3MDAwMFowgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBD\nbG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wg\nQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMw\nEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEAwEiVZ/UoQpHmFsHvk5isBxRehukP8DG9JhFev3WZtG76WoTthvLJFRKFCHXm\nV6Z5/66Z4S09mgsUuFwvJzMnE6Ej6yIsYNCb9r9QORa8BdhrkNn6kdTly3mdnykb\nOomnwbUfLlExVgNdlP0XoRoeMwbQ4598foiHblO2B/LKuNfJzAMfS7oZe34b+vLB\nyrP/1bgCSLdc1AxQc1AC0EsQQhgcyTJNgnG4va1c7ogPlwKyhbDyZ4e59N5lbYPJ\nSmXI/cAe3jXj1FBLJZkwnoDKe0v13xeF+nF32smSH0qB7aJX2tBMW4TWtFPmzs5I\nlwrFSySWAdwYdgxw180yKU0dvwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD\nVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUJOhTV118NECHqeuU27rhFnj8KaQw\nHwYDVR0jBBgwFoAUJOhTV118NECHqeuU27rhFnj8KaQwDQYJKoZIhvcNAQELBQAD\nggEBAHwOf9Ur1l0Ar5vFE6PNrZWrDfQIMyEfdgSKofCdTckbqXNTiXdgbHs+TWoQ\nwAB0pfJDAHJDXOTCWRyTeXOseeOi5Btj5CnEuw3P0oXqdqevM1/+uWp0CM35zgZ8\nVD4aITxity0djzE6Qnx3Syzz+ZkoBgTnNum7d9A66/V636x4vTeqbZFBr9erJzgz\nhhurjcoacvRNhnjtDRM0dPeiCJ50CP3wEYuvUzDHUaowOsnLCjQIkWbR7Ni6KEIk\nMOz2U0OBSif3FTkhCgZWQKOOLo1P42jHC3ssUZAtVNXrCk3fw9/E15k8NPkBazZ6\n0iykLhH1trywrKRMVw67F44IE8Y=\n-----END CERTIFICATE-----\nIssuer: C=US, O=CloudFlare, Inc., OU=Origin Pull, L=San Francisco, ST=California, CN=origin-pull.cloudflare.net\n-----BEGIN CERTIFICATE-----\nMIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNV\nBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmln\naW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZv\ncm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkx\nMDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNV\nBAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYD\nVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQD\nExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD\nggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI\n42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20e\nihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBw\nhLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoY\nQSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3\nDkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRn\naL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5\nlqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGR\nPpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5Hh\nCvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa\n+4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMB\nAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1Ud\nDgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REz\nalfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1\nQhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3IS\nzVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoX\nVcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz\n6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z\n0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc\n5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/\nfakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2j\nbA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGm\niYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07F\nAnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tM\nfVQ6VpyjEXdiIXWUq/o=\n-----END CERTIFICATE-----`)\n\nfunc GetCloudflareRootCA() ([]*x509.Certificate, error) {\n\tvar certs []*x509.Certificate\n\tpemBlocks := cloudflareRootCA\n\tfor len(pemBlocks) > 0 {\n\t\tvar block *pem.Block\n\t\tblock, pemBlocks = pem.Decode(pemBlocks)\n\t\tif block == nil {\n\t\t\tbreak\n\t\t}\n\t\tif block.Type != \"CERTIFICATE\" {\n\t\t\tcontinue\n\t\t}\n\n\t\tcert, err := x509.ParseCertificate(block.Bytes)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tcerts = append(certs, cert)\n\t}\n\n\treturn certs, nil\n}\n" }, { "path": "tlsconfig/hello_ca.go", "content": "package tlsconfig\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n)\n\nconst (\n\thelloKey = `\n-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDBGGfwhIJdiUiJUVIItqJjEIMmlXxsMa8TQeer47+g+cIZ466rgg8EK\n+Mdn6BY48GCgBwYFK4EEACKhZANiAASW//A9iDbPKg3OLkn7yJqLer32g9I5lBKR\ntPc/zBubQLLz9lAaYI6AOQiJXhGr5JkKmQfi1sYHK5rJITPFy4W8Et4hHLdazDZH\nWnEd+TStQABFUjrhtqXPWmGKcly0pOE=\n-----END EC PRIVATE KEY-----`\n\n\thelloCRT = `\n-----BEGIN CERTIFICATE-----\nMIICiDCCAg6gAwIBAgIJAJ/FfkBTtbuIMAkGByqGSM49BAEwfzELMAkGA1UEBhMC\nVVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYDVQQHDAZBdXN0aW4xGTAXBgNVBAoMEENs\nb3VkZmxhcmUsIEluYy4xNDAyBgNVBAMMK0FyZ28gVHVubmVsIFNhbXBsZSBIZWxs\nbyBTZXJ2ZXIgQ2VydGlmaWNhdGUwHhcNMTgwMzE5MjMwNTMyWhcNMjgwMzE2MjMw\nNTMyWjB/MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1\nc3RpbjEZMBcGA1UECgwQQ2xvdWRmbGFyZSwgSW5jLjE0MDIGA1UEAwwrQXJnbyBU\ndW5uZWwgU2FtcGxlIEhlbGxvIFNlcnZlciBDZXJ0aWZpY2F0ZTB2MBAGByqGSM49\nAgEGBSuBBAAiA2IABJb/8D2INs8qDc4uSfvImot6vfaD0jmUEpG09z/MG5tAsvP2\nUBpgjoA5CIleEavkmQqZB+LWxgcrmskhM8XLhbwS3iEct1rMNkdacR35NK1AAEVS\nOuG2pc9aYYpyXLSk4aNXMFUwUwYDVR0RBEwwSoIJbG9jYWxob3N0ghFjbG91ZGZs\nYXJlZC1oZWxsb4ISY2xvdWRmbGFyZWQyLWhlbGxvhwR/AAABhxAAAAAAAAAAAAAA\nAAAAAAABMAkGByqGSM49BAEDaQAwZgIxAPxkdghH6y8xLMnY9Bom3Llf4NYM6yB9\nPD1YsaNUJTsxjTk3YY1Jsp+yzK0yUKtTZwIxAPcdvqCF2/iR9H288pCT1TgtO0a9\ncJL9RY1lq7DIGN37v1ZXReWaD+3hNokY8NriVg==\n-----END CERTIFICATE-----`\n)\n\nfunc GetHelloCertificate() (tls.Certificate, error) {\n\treturn tls.X509KeyPair([]byte(helloCRT), []byte(helloKey))\n}\n\nfunc GetHelloCertificateX509() (*x509.Certificate, error) {\n\thelloCertificate, err := GetHelloCertificate()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn x509.ParseCertificate(helloCertificate.Certificate[0])\n}\n" }, { "path": "tlsconfig/testcert.pem", "content": "-----BEGIN CERTIFICATE-----\nMIICBjCCAbCgAwIBAgIJAPKk4bYMrSFMMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV\nBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEPMA0GA1UEBwwGQXVzdGluMRkwFwYDVQQK\nDBBDbG91ZGZsYXJlLCBJbmMuMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTgxMTE1\nMjA1NzU3WhcNMjgxMTEyMjA1NzU3WjBdMQswCQYDVQQGEwJVUzEOMAwGA1UECAwF\nVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEZMBcGA1UECgwQQ2xvdWRmbGFyZSwgSW5j\nLjESMBAGA1UEAwwJbG9jYWxob3N0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOQN\npTRn5wLf8SSI5x2kpDvbdDy7lfhamJ2En4Q+wy1cSKp8bn8/oyhVF7QTsimDGTI4\n45pV9nDfNJPYB3IW0x0CAwEAAaNTMFEwHQYDVR0OBBYEFE4jIa97mIEiYFa02X++\nuu5mCEn+MB8GA1UdIwQYMBaAFE4jIa97mIEiYFa02X++uu5mCEn+MA8GA1UdEwEB\n/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADQQAkE+pDee0o5cNcZRUszy8sTQzB1Wlp\nJ6ucfmo16crqRaK7uGvhkMyibIc4D8z2Cxw3aI3IMMFoIIlYoYKiUcbd\n-----END CERTIFICATE-----" }, { "path": "tlsconfig/testcert2.pem", "content": "-----BEGIN CERTIFICATE-----\nMIICBjCCAbCgAwIBAgIJAN6cXRTbJtFnMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV\nBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEPMA0GA1UEBwwGQXVzdGluMRgwFgYDVQQK\nDA9DbG91ZGZsYXJlLCBJbmMxEzARBgNVBAMMCmxvY2FsaG9zdDIwHhcNMTgxMTE1\nMjExMTU4WhcNMjgxMTEyMjExMTU4WjBdMQswCQYDVQQGEwJVUzEOMAwGA1UECAwF\nVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEYMBYGA1UECgwPQ2xvdWRmbGFyZSwgSW5j\nMRMwEQYDVQQDDApsb2NhbGhvc3QyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKQx\nIMZ6QgXoul2ITF/7sly4fW2Ol+a/AYw42zCWhVqOXv8AhY21I0Q8lkRR6wOroQwZ\nO7jKKOcE5TnR/NRcZr8CAwEAAaNTMFEwHQYDVR0OBBYEFONKxLZc2RUD0KTHkAz4\n8nrb5688MB8GA1UdIwQYMBaAFONKxLZc2RUD0KTHkAz48nrb5688MA8GA1UdEwEB\n/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADQQA56pwhvGpNPjyLcWfJHu/vI3ZjdoLB\nLnrkRaMjJmv0H0Beh4upJhoz8u6lhMACerKQrrdQhEPB2u+maFrEBtmN\n-----END CERTIFICATE-----" }, { "path": "tlsconfig/testkey.pem", "content": "-----BEGIN PRIVATE KEY-----\nMIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA5A2lNGfnAt/xJIjn\nHaSkO9t0PLuV+FqYnYSfhD7DLVxIqnxufz+jKFUXtBOyKYMZMjjjmlX2cN80k9gH\nchbTHQIDAQABAkAoeDtu91lJa1AxuZG58vOqI6GW/Xr5naojmdts7m5YaAhDa7DE\nzJUp4d8SP5cGBf1/PB3x6Cu9UviFNQ16wmzJAiEA8gUm4UYpWZD4Ze2l/xb+BK8D\nIglSUIy1VxW+X1G55wMCIQDxOfXiFzPqnv/e5avKGv6CU11Dhmbi1OpiyybZTjGz\nXwIhAM3bE/cJdqJ4bNBGE6umIupY8pFA3IMnLBempwbsvPOBAiEAgzJ+5OSxu92W\nVGidsmJUIhWtF9i1hJFAmVLcYjwBFAkCICtjP/vv0qOZWk4mAAn2zz9UVWp45DSR\np/FA8V77ohXD\n-----END PRIVATE KEY-----\n" }, { "path": "tlsconfig/tlsconfig.go", "content": "// Package tlsconfig provides convenience functions for configuring TLS connections from the\n// command line.\npackage tlsconfig\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"os\"\n\n\t\"github.com/pkg/errors\"\n)\n\n// Config is the user provided parameters to create a tls.Config\ntype TLSParameters struct {\n\tCert string\n\tKey string\n\tGetCertificate *CertReloader\n\tGetClientCertificate *CertReloader\n\tClientCAs []string\n\tRootCAs []string\n\tServerName string\n\tCurvePreferences []tls.CurveID\n\tMinVersion uint16 // min tls version. If zero, TLS1.0 is defined as minimum.\n\tMaxVersion uint16 // max tls version. If zero, last TLS version is used defined as limit (currently TLS1.3)\n}\n\n// GetConfig returns a TLS configuration according to the Config set by the user.\nfunc GetConfig(p *TLSParameters) (*tls.Config, error) {\n\ttlsconfig := &tls.Config{}\n\tif p.Cert != \"\" && p.Key != \"\" {\n\t\tcert, err := tls.LoadX509KeyPair(p.Cert, p.Key)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"Error parsing X509 key pair\")\n\t\t}\n\t\ttlsconfig.Certificates = []tls.Certificate{cert}\n\t\t// BuildNameToCertificate parses Certificates and builds NameToCertificate from common name\n\t\t// and SAN fields of leaf certificates\n\t\ttlsconfig.BuildNameToCertificate()\n\t}\n\n\tif p.GetCertificate != nil {\n\t\t// GetCertificate is called when client supplies SNI info or Certificates is empty.\n\t\t// Order of retrieving certificate is GetCertificate, NameToCertificate and lastly first element of Certificates\n\t\ttlsconfig.GetCertificate = p.GetCertificate.Cert\n\t}\n\n\tif p.GetClientCertificate != nil {\n\t\t// GetClientCertificate is called when using an HTTP client library and mTLS is required.\n\t\ttlsconfig.GetClientCertificate = p.GetClientCertificate.ClientCert\n\t}\n\n\tif len(p.ClientCAs) > 0 {\n\t\t// set of root certificate authorities that servers use if required to verify a client certificate\n\t\t// by the policy in ClientAuth\n\t\tclientCAs, err := LoadCert(p.ClientCAs)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"Error loading client CAs\")\n\t\t}\n\t\ttlsconfig.ClientCAs = clientCAs\n\t\t// server's policy for TLS Client Authentication. Default is no client cert\n\t\ttlsconfig.ClientAuth = tls.RequireAndVerifyClientCert\n\t}\n\n\tif len(p.RootCAs) > 0 {\n\t\trootCAs, err := LoadCert(p.RootCAs)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrap(err, \"Error loading root CAs\")\n\t\t}\n\t\ttlsconfig.RootCAs = rootCAs\n\t}\n\n\tif p.ServerName != \"\" {\n\t\ttlsconfig.ServerName = p.ServerName\n\t}\n\n\tif len(p.CurvePreferences) > 0 {\n\t\ttlsconfig.CurvePreferences = p.CurvePreferences\n\t} else {\n\t\t// Cloudflare optimize CurveP256\n\t\ttlsconfig.CurvePreferences = []tls.CurveID{tls.CurveP256}\n\t}\n\n\ttlsconfig.MinVersion = p.MinVersion\n\ttlsconfig.MaxVersion = p.MaxVersion\n\n\treturn tlsconfig, nil\n}\n\n// LoadCert creates a CertPool containing all certificates in a PEM-format file.\nfunc LoadCert(certPaths []string) (*x509.CertPool, error) {\n\tca := x509.NewCertPool()\n\tfor _, certPath := range certPaths {\n\t\tcaCert, err := os.ReadFile(certPath)\n\t\tif err != nil {\n\t\t\treturn nil, errors.Wrapf(err, \"Error reading certificate %s\", certPath)\n\t\t}\n\t\tif !ca.AppendCertsFromPEM(caCert) {\n\t\t\treturn nil, errors.Wrapf(err, \"Error parsing certificate %s\", certPath)\n\t\t}\n\t}\n\treturn ca, nil\n}\n" }, { "path": "tlsconfig/tlsconfig_test.go", "content": "package tlsconfig\n\nimport (\n\t\"crypto/tls\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\n// testcert.pem and testcert2.pem are Generated using `openssl req -newkey rsa:512 -nodes -x509 -days 3650`\nconst (\n\ttestcertCommonName = \"localhost\"\n)\n\nfunc TestGetFromEmptyConfig(t *testing.T) {\n\tc := &TLSParameters{}\n\n\ttlsConfig, err := GetConfig(c)\n\tassert.NoError(t, err)\n\tassert.Empty(t, tlsConfig.Certificates)\n\n\tassert.Empty(t, tlsConfig.NameToCertificate)\n\n\tassert.Nil(t, tlsConfig.ClientCAs)\n\tassert.Equal(t, tls.NoClientCert, tlsConfig.ClientAuth)\n\n\tassert.Nil(t, tlsConfig.RootCAs)\n\n\tassert.Len(t, tlsConfig.CurvePreferences, 1)\n\tassert.Equal(t, tls.CurveP256, tlsConfig.CurvePreferences[0])\n}\n\nfunc TestGetConfig(t *testing.T) {\n\tcert, err := tls.LoadX509KeyPair(\"testcert.pem\", \"testkey.pem\")\n\tassert.NoError(t, err)\n\n\tc := &TLSParameters{\n\t\tCert: \"testcert.pem\",\n\t\tKey: \"testkey.pem\",\n\t\tClientCAs: []string{\"testcert.pem\", \"testcert2.pem\"},\n\t\tRootCAs: []string{\"testcert.pem\", \"testcert2.pem\"},\n\t\tServerName: \"test\",\n\t\tCurvePreferences: []tls.CurveID{tls.CurveP384},\n\t}\n\ttlsConfig, err := GetConfig(c)\n\tassert.NoError(t, err)\n\tassert.Len(t, tlsConfig.Certificates, 1)\n\tassert.Equal(t, cert, tlsConfig.Certificates[0])\n\n\tassert.Equal(t, cert, *tlsConfig.NameToCertificate[testcertCommonName])\n\n\tassert.NotNil(t, tlsConfig.ClientCAs)\n\tassert.Equal(t, tls.RequireAndVerifyClientCert, tlsConfig.ClientAuth)\n\n\tassert.NotNil(t, tlsConfig.RootCAs)\n\n\tassert.Len(t, tlsConfig.CurvePreferences, 1)\n\tassert.Equal(t, tls.CurveP384, tlsConfig.CurvePreferences[0])\n}\n\nfunc TestCertReloader(t *testing.T) {\n\texpectedCert, err := tls.LoadX509KeyPair(\"testcert.pem\", \"testkey.pem\")\n\tassert.NoError(t, err)\n\n\tcertReloader, err := NewCertReloader(\"testcert.pem\", \"testkey.pem\")\n\tassert.NoError(t, err)\n\n\tchi := &tls.ClientHelloInfo{ServerName: testcertCommonName}\n\tcert, err := certReloader.Cert(chi)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedCert, *cert)\n\n\tc := &TLSParameters{\n\t\tGetCertificate: certReloader,\n\t}\n\ttlsConfig, err := GetConfig(c)\n\tassert.NoError(t, err)\n\n\tcert, err = tlsConfig.GetCertificate(chi)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedCert, *cert)\n}\n" }, { "path": "token/encrypt.go", "content": "// Package encrypter is suitable for encrypting messages you would like to securely share between two points.\n// Useful for providing end to end encryption (E2EE). It uses Box (NaCl) for encrypting the messages.\n// tldr is it uses Elliptic Curves (Curve25519) for the keys, XSalsa20 and Poly1305 for encryption.\n// You can read more here https://godoc.org/golang.org/x/crypto/nacl/box.\n//\n//\tmsg := []byte(\"super safe message.\")\n//\talice, err := NewEncrypter(\"alice_priv_key.pem\", \"alice_pub_key.pem\")\n//\tif err != nil {\n//\t\tlog.Fatal(err)\n//\t}\n//\n//\tbob, err := NewEncrypter(\"bob_priv_key.pem\", \"bob_pub_key.pem\")\n//\tif err != nil {\n//\t\tlog.Fatal(err)\n//\t}\n//\tencrypted, err := alice.Encrypt(msg, bob.PublicKey())\n//\tif err != nil {\n//\t\tlog.Fatal(err)\n//\t}\n//\n//\tdata, err := bob.Decrypt(encrypted, alice.PublicKey())\n//\tif err != nil {\n//\t\tlog.Fatal(err)\n//\t}\n//\tfmt.Println(string(data))\npackage token\n\nimport (\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"encoding/base64\"\n\t\"encoding/pem\"\n\t\"errors\"\n\t\"io\"\n\t\"os\"\n\n\t\"golang.org/x/crypto/nacl/box\"\n)\n\n// Encrypter represents a keypair value with auxiliary functions to make\n// doing encryption and decryption easier\ntype Encrypter struct {\n\tprivateKey *[32]byte\n\tpublicKey *[32]byte\n}\n\n// NewEncrypter returns a new encrypter with initialized keypair\nfunc NewEncrypter(privateKey, publicKey string) (*Encrypter, error) {\n\te := &Encrypter{}\n\tpubKey, key, err := e.fetchOrGenerateKeys(privateKey, publicKey)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\te.privateKey, e.publicKey = key, pubKey\n\treturn e, nil\n}\n\n// PublicKey returns a base64 encoded public key. Useful for transport (like in HTTP requests)\nfunc (e *Encrypter) PublicKey() string {\n\treturn base64.URLEncoding.EncodeToString(e.publicKey[:])\n}\n\n// Decrypt data that was encrypted using our publicKey. It will use our privateKey and the sender's publicKey to decrypt\n// data is an encrypted buffer of data, mostly like from the Encrypt function. Messages contain the nonce data on the front\n// of the message.\n// senderPublicKey is a base64 encoded version of the sender's public key (most likely from the PublicKey function).\n// The return value is the decrypted buffer or an error.\nfunc (e *Encrypter) Decrypt(data []byte, senderPublicKey string) ([]byte, error) {\n\tvar decryptNonce [24]byte\n\tcopy(decryptNonce[:], data[:24]) // we pull the nonce from the front of the actual message.\n\tpubKey, err := e.decodePublicKey(senderPublicKey)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdecrypted, ok := box.Open(nil, data[24:], &decryptNonce, pubKey, e.privateKey)\n\tif !ok {\n\t\treturn nil, errors.New(\"failed to decrypt message\")\n\t}\n\treturn decrypted, nil\n}\n\n// Encrypt data using our privateKey and the recipient publicKey\n// data is a buffer of data that we would like to encrypt. Messages will have the nonce added to front\n// as they have to unique for each message shared.\n// recipientPublicKey is a base64 encoded version of the sender's public key (most likely from the PublicKey function).\n// The return value is the encrypted buffer or an error.\nfunc (e *Encrypter) Encrypt(data []byte, recipientPublicKey string) ([]byte, error) {\n\tvar nonce [24]byte\n\tif _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {\n\t\treturn nil, err\n\t}\n\n\tpubKey, err := e.decodePublicKey(recipientPublicKey)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\t// This encrypts msg and adds the nonce to the front of the message, since the nonce has to be\n\t// the same for encrypting and decrypting\n\treturn box.Seal(nonce[:], data, &nonce, pubKey, e.privateKey), nil\n}\n\n// WriteKeys keys will take the currently initialized keypair and write them to provided filenames\nfunc (e *Encrypter) WriteKeys(privateKey, publicKey string) error {\n\tif err := e.writeKey(e.privateKey[:], \"BOX PRIVATE KEY\", privateKey); err != nil {\n\t\treturn err\n\t}\n\treturn e.writeKey(e.publicKey[:], \"PUBLIC KEY\", publicKey)\n}\n\n// fetchOrGenerateKeys will either load or create a keypair if it doesn't exist\nfunc (e *Encrypter) fetchOrGenerateKeys(privateKey, publicKey string) (*[32]byte, *[32]byte, error) {\n\tkey, err := e.fetchKey(privateKey)\n\tif os.IsNotExist(err) {\n\t\treturn box.GenerateKey(rand.Reader)\n\t} else if err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\tpub, err := e.fetchKey(publicKey)\n\tif os.IsNotExist(err) {\n\t\treturn box.GenerateKey(rand.Reader)\n\t} else if err != nil {\n\t\treturn nil, nil, err\n\t}\n\treturn pub, key, nil\n}\n\n// writeKey will write a key to disk in DER format (it's a standard pem key)\nfunc (e *Encrypter) writeKey(key []byte, pemType, filename string) error {\n\tdata := pem.EncodeToMemory(&pem.Block{\n\t\tType: pemType,\n\t\tBytes: key,\n\t})\n\n\tf, err := os.Create(filename)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t_, err = f.Write(data)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\n// fetchKey will load a a DER formatted key from disk\nfunc (e *Encrypter) fetchKey(filename string) (*[32]byte, error) {\n\tf, err := os.Open(filename)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tbuf := new(bytes.Buffer)\n\tio.Copy(buf, f)\n\n\tp, _ := pem.Decode(buf.Bytes())\n\tif p == nil {\n\t\treturn nil, errors.New(\"Failed to decode key\")\n\t}\n\tvar newKey [32]byte\n\tcopy(newKey[:], p.Bytes)\n\n\treturn &newKey, nil\n}\n\n// decodePublicKey will base64 decode the provided key to the box representation\nfunc (e *Encrypter) decodePublicKey(key string) (*[32]byte, error) {\n\tpub, err := base64.URLEncoding.DecodeString(key)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tvar newKey [32]byte\n\tcopy(newKey[:], pub)\n\treturn &newKey, nil\n}\n" }, { "path": "token/launch_browser_darwin.go", "content": "//go:build darwin\n\npackage token\n\nimport (\n\t\"os/exec\"\n)\n\nfunc getBrowserCmd(url string) *exec.Cmd {\n\treturn exec.Command(\"open\", url)\n}\n" }, { "path": "token/launch_browser_other.go", "content": "//go:build !windows && !darwin && !linux && !netbsd && !freebsd && !openbsd\n\npackage token\n\nimport (\n\t\"os/exec\"\n)\n\nfunc getBrowserCmd(url string) *exec.Cmd {\n\treturn nil\n}\n" }, { "path": "token/launch_browser_unix.go", "content": "//go:build linux || freebsd || openbsd || netbsd\n\npackage token\n\nimport (\n\t\"os/exec\"\n)\n\nfunc getBrowserCmd(url string) *exec.Cmd {\n\treturn exec.Command(\"xdg-open\", url)\n}\n" }, { "path": "token/launch_browser_windows.go", "content": "//go:build windows\n\npackage token\n\nimport (\n\t\"fmt\"\n\t\"os/exec\"\n\t\"syscall\"\n)\n\nfunc getBrowserCmd(url string) *exec.Cmd {\n\tcmd := exec.Command(\"cmd\")\n\t// CmdLine is only defined when compiling for windows.\n\t// Empty string is the cmd proc \"Title\". Needs to be included because the start command will interpret the first\n\t// quoted string as that field and we want to quote the URL.\n\tcmd.SysProcAttr = &syscall.SysProcAttr{CmdLine: fmt.Sprintf(`/c start \"\" \"%s\"`, url)}\n\treturn cmd\n}\n" }, { "path": "token/path.go", "content": "package token\n\nimport (\n\t\"fmt\"\n\t\"net/url\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\thomedir \"github.com/mitchellh/go-homedir\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n)\n\n// GenerateSSHCertFilePathFromURL will return a file path for creating short lived certificates\nfunc GenerateSSHCertFilePathFromURL(url *url.URL, suffix string) (string, error) {\n\tconfigPath, err := getConfigPath()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tname := strings.Replace(fmt.Sprintf(\"%s%s-%s\", url.Hostname(), url.EscapedPath(), suffix), \"/\", \"-\", -1)\n\treturn filepath.Join(configPath, name), nil\n}\n\n// GenerateAppTokenFilePathFromURL will return a filepath for given Access org token\nfunc GenerateAppTokenFilePathFromURL(appDomain, aud string, suffix string) (string, error) {\n\tconfigPath, err := getConfigPath()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tname := fmt.Sprintf(\"%s-%s-%s\", appDomain, aud, suffix)\n\tname = strings.Replace(strings.Replace(name, \"/\", \"-\", -1), \"*\", \"-\", -1)\n\treturn filepath.Join(configPath, name), nil\n}\n\n// generateOrgTokenFilePathFromURL will return a filepath for given Access application token\nfunc generateOrgTokenFilePathFromURL(authDomain string) (string, error) {\n\tconfigPath, err := getConfigPath()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tname := strings.Replace(fmt.Sprintf(\"%s-org-token\", authDomain), \"/\", \"-\", -1)\n\treturn filepath.Join(configPath, name), nil\n}\n\nfunc getConfigPath() (string, error) {\n\tconfigPath, err := homedir.Expand(config.DefaultConfigSearchDirectories()[0])\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tok, err := config.FileExists(configPath)\n\tif !ok && err == nil {\n\t\t// create config directory if doesn't already exist\n\t\terr = os.Mkdir(configPath, 0700)\n\t}\n\treturn configPath, err\n}\n" }, { "path": "token/shell.go", "content": "package token\n\n// OpenBrowser opens the specified URL in the default browser of the user\nfunc OpenBrowser(url string) error {\n\treturn getBrowserCmd(url).Start()\n}\n" }, { "path": "token/signal_test.go", "content": "//go:build linux || darwin\n\npackage token\n\nimport (\n\t\"os\"\n\t\"syscall\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestSignalHandler(t *testing.T) {\n\tsigHandler := signalHandler{signals: []os.Signal{syscall.SIGUSR1}}\n\thandlerRan := false\n\tdone := make(chan struct{})\n\ttimer := time.NewTimer(time.Second)\n\tsigHandler.register(func() {\n\t\thandlerRan = true\n\t\tdone <- struct{}{}\n\t})\n\n\tp, err := os.FindProcess(os.Getpid())\n\trequire.Nil(t, err)\n\tp.Signal(syscall.SIGUSR1)\n\n\t// Blocks for up to one second to make sure the handler callback runs before the assert.\n\tselect {\n\tcase <-done:\n\t\tassert.True(t, handlerRan)\n\tcase <-timer.C:\n\t\tt.Fail()\n\t}\n\tsigHandler.deregister()\n}\n\nfunc TestSignalHandlerClose(t *testing.T) {\n\tsigHandler := signalHandler{signals: []os.Signal{syscall.SIGUSR1}}\n\tdone := make(chan struct{})\n\ttimer := time.NewTimer(time.Second)\n\tsigHandler.register(func() { done <- struct{}{} })\n\tsigHandler.deregister()\n\n\tp, err := os.FindProcess(os.Getpid())\n\trequire.Nil(t, err)\n\tp.Signal(syscall.SIGUSR1)\n\tselect {\n\tcase <-done:\n\t\tt.Fail()\n\tcase <-timer.C:\n\t}\n}\n" }, { "path": "token/token.go", "content": "package token\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"os/signal\"\n\t\"strings\"\n\t\"syscall\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v4\"\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/config\"\n\t\"github.com/cloudflare/cloudflared/retry\"\n)\n\nconst (\n\tkeyName = \"token\"\n\ttokenCookie = \"CF_Authorization\"\n\tappSessionCookie = \"CF_AppSession\"\n\tappDomainHeader = \"CF-Access-Domain\"\n\tappAUDHeader = \"CF-Access-Aud\"\n\tAccessLoginWorkerPath = \"/cdn-cgi/access/login\"\n\tAccessAuthorizedWorkerPath = \"/cdn-cgi/access/authorized\"\n)\n\nvar (\n\tuserAgent = \"DEV\"\n\tsignatureAlgs = []jose.SignatureAlgorithm{jose.RS256}\n)\n\ntype AppInfo struct {\n\tAuthDomain string\n\tAppAUD string\n\tAppDomain string\n}\n\ntype lock struct {\n\tlockFilePath string\n\tbackoff *retry.BackoffHandler\n\tsigHandler *signalHandler\n}\n\ntype signalHandler struct {\n\tsigChannel chan os.Signal\n\tsignals []os.Signal\n}\n\ntype jwtPayload struct {\n\tAud []string `json:\"-\"`\n\tEmail string `json:\"email\"`\n\tExp int `json:\"exp\"`\n\tIat int `json:\"iat\"`\n\tNbf int `json:\"nbf\"`\n\tIss string `json:\"iss\"`\n\tType string `json:\"type\"`\n\tSubt string `json:\"sub\"`\n}\n\ntype transferServiceResponse struct {\n\tAppToken string `json:\"app_token\"`\n\tOrgToken string `json:\"org_token\"`\n}\n\nfunc (p *jwtPayload) UnmarshalJSON(data []byte) error {\n\ttype Alias jwtPayload\n\tif err := json.Unmarshal(data, (*Alias)(p)); err != nil {\n\t\treturn err\n\t}\n\tvar audParser struct {\n\t\tAud any `json:\"aud\"`\n\t}\n\tif err := json.Unmarshal(data, &audParser); err != nil {\n\t\treturn err\n\t}\n\tswitch aud := audParser.Aud.(type) {\n\tcase string:\n\t\tp.Aud = []string{aud}\n\tcase []any:\n\t\tfor _, a := range aud {\n\t\t\ts, ok := a.(string)\n\t\t\tif !ok {\n\t\t\t\treturn errors.New(\"aud array contains non-string elements\")\n\t\t\t}\n\t\t\tp.Aud = append(p.Aud, s)\n\t\t}\n\tdefault:\n\t\treturn errors.New(\"aud field is not a string or an array of strings\")\n\t}\n\treturn nil\n}\n\nfunc (p jwtPayload) isExpired() bool {\n\treturn int(time.Now().Unix()) > p.Exp\n}\n\nfunc (s *signalHandler) register(handler func()) {\n\ts.sigChannel = make(chan os.Signal, 1)\n\tsignal.Notify(s.sigChannel, s.signals...)\n\tgo func(s *signalHandler) {\n\t\tfor range s.sigChannel {\n\t\t\thandler()\n\t\t}\n\t}(s)\n}\n\nfunc (s *signalHandler) deregister() {\n\tsignal.Stop(s.sigChannel)\n\tclose(s.sigChannel)\n}\n\nfunc errDeleteTokenFailed(lockFilePath string) error {\n\treturn fmt.Errorf(\"failed to acquire a new Access token. Please try to delete %s\", lockFilePath)\n}\n\n// newLock will get a new file lock\nfunc newLock(path string) *lock {\n\tlockPath := path + \".lock\"\n\tbackoff := retry.NewBackoff(uint(7), retry.DefaultBaseTime, false)\n\treturn &lock{\n\t\tlockFilePath: lockPath,\n\t\tbackoff: &backoff,\n\t\tsigHandler: &signalHandler{\n\t\t\tsignals: []os.Signal{syscall.SIGINT, syscall.SIGTERM},\n\t\t},\n\t}\n}\n\nfunc (l *lock) Acquire() error {\n\t// Intercept SIGINT and SIGTERM to release lock before exiting\n\tl.sigHandler.register(func() {\n\t\t_ = l.deleteLockFile()\n\t\tos.Exit(0)\n\t})\n\n\t// Check for a lock file\n\t// if the lock file exists; start polling\n\t// if not, create the lock file and go through the normal flow.\n\t// See AUTH-1736 for the reason why we do all this\n\tfor isTokenLocked(l.lockFilePath) {\n\t\tif l.backoff.Backoff(context.Background()) {\n\t\t\tcontinue\n\t\t}\n\n\t\tif err := l.deleteLockFile(); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\t// Create a lock file so other processes won't also try to get the token at\n\t// the same time\n\tif err := os.WriteFile(l.lockFilePath, []byte{}, 0600); err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc (l *lock) deleteLockFile() error {\n\tif err := os.Remove(l.lockFilePath); err != nil && !os.IsNotExist(err) {\n\t\treturn errDeleteTokenFailed(l.lockFilePath)\n\t}\n\treturn nil\n}\n\nfunc (l *lock) Release() error {\n\tdefer l.sigHandler.deregister()\n\treturn l.deleteLockFile()\n}\n\n// isTokenLocked checks to see if there is another process attempting to get the token already\nfunc isTokenLocked(lockFilePath string) bool {\n\texists, err := config.FileExists(lockFilePath)\n\treturn exists && err == nil\n}\n\nfunc Init(version string) {\n\tuserAgent = fmt.Sprintf(\"cloudflared/%s\", version)\n}\n\n// FetchTokenWithRedirect will either load a stored token or generate a new one\n// it appends the full url as the redirect URL to the access cli request if opening the browser\nfunc FetchTokenWithRedirect(appURL *url.URL, appInfo *AppInfo, autoClose bool, isFedramp bool, log *zerolog.Logger) (string, error) {\n\treturn getToken(appURL, appInfo, false, autoClose, isFedramp, log)\n}\n\n// FetchToken will either load a stored token or generate a new one\n// it appends the host of the appURL as the redirect URL to the access cli request if opening the browser\nfunc FetchToken(appURL *url.URL, appInfo *AppInfo, autoClose bool, isFedramp bool, log *zerolog.Logger) (string, error) {\n\treturn getToken(appURL, appInfo, true, autoClose, isFedramp, log)\n}\n\n// getToken will either load a stored token or generate a new one\nfunc getToken(appURL *url.URL, appInfo *AppInfo, useHostOnly bool, autoClose bool, isFedramp bool, log *zerolog.Logger) (string, error) {\n\tif token, err := GetAppTokenIfExists(appInfo); token != \"\" && err == nil {\n\t\treturn token, nil\n\t}\n\n\tappTokenPath, err := GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to generate app token file path\")\n\t}\n\n\tfileLockAppToken := newLock(appTokenPath)\n\tif err = fileLockAppToken.Acquire(); err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to acquire app token lock\")\n\t}\n\tdefer func() {\n\t\t_ = fileLockAppToken.Release()\n\t}()\n\n\t// check to see if another process has gotten a token while we waited for the lock\n\tif token, err := GetAppTokenIfExists(appInfo); token != \"\" && err == nil {\n\t\treturn token, nil\n\t}\n\n\t// If an app token couldn't be found on disk, check for an org token and attempt to exchange it for an app token.\n\tvar orgTokenPath string\n\torgToken, err := GetOrgTokenIfExists(appInfo.AuthDomain)\n\tif err != nil {\n\t\torgTokenPath, err = generateOrgTokenFilePathFromURL(appInfo.AuthDomain)\n\t\tif err != nil {\n\t\t\treturn \"\", errors.Wrap(err, \"failed to generate org token file path\")\n\t\t}\n\n\t\tfileLockOrgToken := newLock(orgTokenPath)\n\t\tif err = fileLockOrgToken.Acquire(); err != nil {\n\t\t\treturn \"\", errors.Wrap(err, \"failed to acquire org token lock\")\n\t\t}\n\t\tdefer func() {\n\t\t\t_ = fileLockOrgToken.Release()\n\t\t}()\n\t\t// check if an org token has been created since the lock was acquired\n\t\torgToken, err = GetOrgTokenIfExists(appInfo.AuthDomain)\n\t}\n\tif err == nil {\n\t\tif appToken, err := exchangeOrgToken(appURL, orgToken); err != nil {\n\t\t\tlog.Debug().Msgf(\"failed to exchange org token for app token: %s\", err)\n\t\t} else {\n\t\t\t// generate app path\n\t\t\tif err := os.WriteFile(appTokenPath, []byte(appToken), 0600); err != nil {\n\t\t\t\treturn \"\", errors.Wrap(err, \"failed to write app token to disk\")\n\t\t\t}\n\t\t\treturn appToken, nil\n\t\t}\n\t}\n\treturn getTokensFromEdge(appURL, appInfo.AppAUD, appTokenPath, orgTokenPath, useHostOnly, autoClose, isFedramp, log)\n}\n\n// getTokensFromEdge will attempt to use the transfer service to retrieve an app and org token, save them to disk,\n// and return the app token.\nfunc getTokensFromEdge(appURL *url.URL, appAUD, appTokenPath, orgTokenPath string, useHostOnly bool, autoClose bool, isFedramp bool, log *zerolog.Logger) (string, error) {\n\t// If no org token exists or if it couldn't be exchanged for an app token, then run the transfer service flow.\n\n\t// this weird parameter is the resource name (token) and the key/value\n\t// we want to send to the transfer service. the key is token and the value\n\t// is blank (basically just the id generated in the transfer service)\n\tresourceData, err := RunTransfer(appURL, appAUD, keyName, keyName, \"\", true, useHostOnly, autoClose, isFedramp, log)\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to run transfer service\")\n\t}\n\tvar resp transferServiceResponse\n\tif err = json.Unmarshal(resourceData, &resp); err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to marshal transfer service response\")\n\t}\n\n\t// If we were able to get the auth domain and generate an org token path, lets write it to disk.\n\tif orgTokenPath != \"\" {\n\t\tif err := os.WriteFile(orgTokenPath, []byte(resp.OrgToken), 0600); err != nil {\n\t\t\treturn \"\", errors.Wrap(err, \"failed to write org token to disk\")\n\t\t}\n\t}\n\n\tif err := os.WriteFile(appTokenPath, []byte(resp.AppToken), 0600); err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to write app token to disk\")\n\t}\n\n\treturn resp.AppToken, nil\n}\n\n// GetAppInfo makes a request to the appURL and stops at the first redirect. The 302 location header will contain the\n// auth domain\nfunc GetAppInfo(reqURL *url.URL) (*AppInfo, error) {\n\tclient := &http.Client{\n\t\t// do not follow redirects\n\t\tCheckRedirect: func(req *http.Request, via []*http.Request) error {\n\t\t\t// stop after hitting login endpoint since it will contain app path\n\t\t\tif strings.Contains(via[len(via)-1].URL.Path, AccessLoginWorkerPath) {\n\t\t\t\treturn http.ErrUseLastResponse\n\t\t\t}\n\t\t\treturn nil\n\t\t},\n\t\tTimeout: time.Second * 7,\n\t}\n\n\tappInfoReq, err := http.NewRequest(\"HEAD\", reqURL.String(), nil)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"failed to create app info request\")\n\t}\n\tappInfoReq.Header.Add(\"User-Agent\", userAgent)\n\tresp, err := client.Do(appInfoReq)\n\tif err != nil {\n\t\treturn nil, errors.Wrap(err, \"failed to get app info\")\n\t}\n\tresp.Body.Close()\n\n\tvar aud string\n\tlocation := resp.Request.URL\n\tif strings.Contains(location.Path, AccessLoginWorkerPath) {\n\t\taud = resp.Request.URL.Query().Get(\"kid\")\n\t\tif aud == \"\" {\n\t\t\treturn nil, errors.New(\"Empty app aud\")\n\t\t}\n\t} else if audHeader := resp.Header.Get(appAUDHeader); audHeader != \"\" {\n\t\t// 403/401 from the edge will have aud in a header\n\t\taud = audHeader\n\t} else {\n\t\treturn nil, fmt.Errorf(\"failed to find Access application at %s\", reqURL.String())\n\t}\n\n\tdomain := resp.Header.Get(appDomainHeader)\n\tif domain == \"\" {\n\t\treturn nil, errors.New(\"Empty app domain\")\n\t}\n\n\treturn &AppInfo{location.Hostname(), aud, domain}, nil\n}\n\nfunc handleRedirects(req *http.Request, via []*http.Request, orgToken string) error {\n\t// attach org token to login request\n\tif strings.Contains(req.URL.Path, AccessLoginWorkerPath) {\n\t\treq.AddCookie(&http.Cookie{Name: tokenCookie, Value: orgToken})\n\t}\n\n\t// attach app session cookie to authorized request\n\tif strings.Contains(req.URL.Path, AccessAuthorizedWorkerPath) {\n\t\t// We need to check and see if the CF_APP_SESSION cookie was set\n\t\tfor _, prevReq := range via {\n\t\t\tif prevReq != nil && prevReq.Response != nil {\n\t\t\t\tfor _, c := range prevReq.Response.Cookies() {\n\t\t\t\t\tif c.Name == appSessionCookie {\n\t\t\t\t\t\treq.AddCookie(&http.Cookie{Name: appSessionCookie, Value: c.Value})\n\t\t\t\t\t\treturn nil\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// stop after hitting authorized endpoint since it will contain the app token\n\tif len(via) > 0 && strings.Contains(via[len(via)-1].URL.Path, AccessAuthorizedWorkerPath) {\n\t\treturn http.ErrUseLastResponse\n\t}\n\treturn nil\n}\n\n// exchangeOrgToken attaches an org token to a request to the appURL and returns an app token. This uses the Access SSO\n// flow to automatically generate and return an app token without the login page.\nfunc exchangeOrgToken(appURL *url.URL, orgToken string) (string, error) {\n\tclient := &http.Client{\n\t\tCheckRedirect: func(req *http.Request, via []*http.Request) error {\n\t\t\treturn handleRedirects(req, via, orgToken)\n\t\t},\n\t\tTimeout: time.Second * 7,\n\t}\n\n\tappTokenRequest, err := http.NewRequest(\"HEAD\", appURL.String(), nil)\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to create app token request\")\n\t}\n\tappTokenRequest.Header.Add(\"User-Agent\", userAgent)\n\tresp, err := client.Do(appTokenRequest)\n\tif err != nil {\n\t\treturn \"\", errors.Wrap(err, \"failed to get app token\")\n\t}\n\tresp.Body.Close()\n\tvar appToken string\n\tfor _, c := range resp.Cookies() {\n\t\t//if Org token revoked on exchange, getTokensFromEdge instead\n\t\tvalidAppToken := c.Name == tokenCookie && time.Now().Before(c.Expires)\n\t\tif validAppToken {\n\t\t\tappToken = c.Value\n\t\t\tbreak\n\t\t}\n\t}\n\n\tif len(appToken) > 0 {\n\t\treturn appToken, nil\n\t}\n\treturn \"\", fmt.Errorf(\"response from %s did not contain app token\", resp.Request.URL.String())\n}\n\nfunc GetOrgTokenIfExists(authDomain string) (string, error) {\n\tpath, err := generateOrgTokenFilePathFromURL(authDomain)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\ttoken, err := getTokenIfExists(path)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tvar payload jwtPayload\n\terr = json.Unmarshal(token.UnsafePayloadWithoutVerification(), &payload)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tif payload.isExpired() {\n\t\terr := os.Remove(path)\n\t\treturn \"\", err\n\t}\n\treturn token.CompactSerialize()\n}\n\nfunc GetAppTokenIfExists(appInfo *AppInfo) (string, error) {\n\tpath, err := GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\ttoken, err := getTokenIfExists(path)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tvar payload jwtPayload\n\terr = json.Unmarshal(token.UnsafePayloadWithoutVerification(), &payload)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tif payload.isExpired() {\n\t\terr := os.Remove(path)\n\t\treturn \"\", err\n\t}\n\treturn token.CompactSerialize()\n}\n\n// GetTokenIfExists will return the token from local storage if it exists and not expired\nfunc getTokenIfExists(path string) (*jose.JSONWebSignature, error) {\n\tcontent, err := os.ReadFile(path)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\ttoken, err := jose.ParseSigned(string(content), signatureAlgs)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn token, nil\n}\n\n// RemoveTokenIfExists removes the a token from local storage if it exists\nfunc RemoveTokenIfExists(appInfo *AppInfo) error {\n\tpath, err := GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif err := os.Remove(path); err != nil && !os.IsNotExist(err) {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n" }, { "path": "token/token_test.go", "content": "package token\n\nimport (\n\t\"encoding/json\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"testing\"\n)\n\nfunc TestHandleRedirects_AttachOrgToken(t *testing.T) {\n\treq, _ := http.NewRequest(\"GET\", \"http://example.com/cdn-cgi/access/login\", nil)\n\tvia := []*http.Request{}\n\torgToken := \"orgTokenValue\"\n\n\t_ = handleRedirects(req, via, orgToken)\n\n\t// Check if the orgToken cookie is attached\n\tcookies := req.Cookies()\n\tfound := false\n\tfor _, cookie := range cookies {\n\t\tif cookie.Name == tokenCookie && cookie.Value == orgToken {\n\t\t\tfound = true\n\t\t\tbreak\n\t\t}\n\t}\n\n\tif !found {\n\t\tt.Errorf(\"OrgToken cookie not attached to the request.\")\n\t}\n}\n\nfunc TestHandleRedirects_AttachAppSessionCookie(t *testing.T) {\n\treq, _ := http.NewRequest(\"GET\", \"http://example.com/cdn-cgi/access/authorized\", nil)\n\tvia := []*http.Request{\n\t\t{\n\t\t\tURL: &url.URL{Path: \"/cdn-cgi/access/login\"},\n\t\t\tResponse: &http.Response{\n\t\t\t\tHeader: http.Header{\"Set-Cookie\": {\"CF_AppSession=appSessionValue\"}},\n\t\t\t},\n\t\t},\n\t}\n\torgToken := \"orgTokenValue\"\n\n\terr := handleRedirects(req, via, orgToken)\n\n\t// Check if the appSessionCookie is attached to the request\n\tcookies := req.Cookies()\n\tfound := false\n\tfor _, cookie := range cookies {\n\t\tif cookie.Name == appSessionCookie && cookie.Value == \"appSessionValue\" {\n\t\t\tfound = true\n\t\t\tbreak\n\t\t}\n\t}\n\n\tif !found {\n\t\tt.Errorf(\"AppSessionCookie not attached to the request.\")\n\t}\n\n\tif err != nil {\n\t\tt.Errorf(\"Expected no error, got %v\", err)\n\t}\n}\n\nfunc TestHandleRedirects_StopAtAuthorizedEndpoint(t *testing.T) {\n\treq, _ := http.NewRequest(\"GET\", \"http://example.com/cdn-cgi/access/authorized\", nil)\n\tvia := []*http.Request{\n\t\t{\n\t\t\tURL: &url.URL{Path: \"other\"},\n\t\t},\n\t\t{\n\t\t\tURL: &url.URL{Path: AccessAuthorizedWorkerPath},\n\t\t},\n\t}\n\torgToken := \"orgTokenValue\"\n\n\terr := handleRedirects(req, via, orgToken)\n\n\t// Check if ErrUseLastResponse is returned\n\tif err != http.ErrUseLastResponse {\n\t\tt.Errorf(\"Expected ErrUseLastResponse, got %v\", err)\n\t}\n}\n\nfunc TestJwtPayloadUnmarshal_AudAsString(t *testing.T) {\n\tjwt := `{\"aud\":\"7afbdaf987054f889b3bdd0d29ebfcd2\"}`\n\tvar payload jwtPayload\n\tif err := json.Unmarshal([]byte(jwt), &payload); err != nil {\n\t\tt.Errorf(\"Expected no error, got %v\", err)\n\t}\n\tif len(payload.Aud) != 1 || payload.Aud[0] != \"7afbdaf987054f889b3bdd0d29ebfcd2\" {\n\t\tt.Errorf(\"Expected aud to be 7afbdaf987054f889b3bdd0d29ebfcd2, got %v\", payload.Aud)\n\t}\n}\n\nfunc TestJwtPayloadUnmarshal_AudAsSlice(t *testing.T) {\n\tjwt := `{\"aud\":[\"7afbdaf987054f889b3bdd0d29ebfcd2\", \"f835c0016f894768976c01e076844efe\"]}`\n\tvar payload jwtPayload\n\tif err := json.Unmarshal([]byte(jwt), &payload); err != nil {\n\t\tt.Errorf(\"Expected no error, got %v\", err)\n\t}\n\tif len(payload.Aud) != 2 || payload.Aud[0] != \"7afbdaf987054f889b3bdd0d29ebfcd2\" || payload.Aud[1] != \"f835c0016f894768976c01e076844efe\" {\n\t\tt.Errorf(\"Expected aud to be [7afbdaf987054f889b3bdd0d29ebfcd2, f835c0016f894768976c01e076844efe], got %v\", payload.Aud)\n\t}\n}\n\nfunc TestJwtPayloadUnmarshal_FailsWhenAudIsInt(t *testing.T) {\n\tjwt := `{\"aud\":123}`\n\tvar payload jwtPayload\n\terr := json.Unmarshal([]byte(jwt), &payload)\n\twantErr := \"aud field is not a string or an array of strings\"\n\tif err.Error() != wantErr {\n\t\tt.Errorf(\"Expected %v, got %v\", wantErr, err)\n\t}\n}\n\nfunc TestJwtPayloadUnmarshal_FailsWhenAudIsArrayOfInts(t *testing.T) {\n\tjwt := `{\"aud\": [999, 123] }`\n\tvar payload jwtPayload\n\terr := json.Unmarshal([]byte(jwt), &payload)\n\twantErr := \"aud array contains non-string elements\"\n\tif err.Error() != wantErr {\n\t\tt.Errorf(\"Expected %v, got %v\", wantErr, err)\n\t}\n}\n\nfunc TestJwtPayloadUnmarshal_FailsWhenAudIsOmitted(t *testing.T) {\n\tjwt := `{}`\n\tvar payload jwtPayload\n\terr := json.Unmarshal([]byte(jwt), &payload)\n\twantErr := \"aud field is not a string or an array of strings\"\n\tif err.Error() != wantErr {\n\t\tt.Errorf(\"Expected %v, got %v\", wantErr, err)\n\t}\n}\n" }, { "path": "token/transfer.go", "content": "package token\n\nimport (\n\t\"bytes\"\n\t\"encoding/base64\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"time\"\n\n\t\"github.com/pkg/errors\"\n\t\"github.com/rs/zerolog\"\n)\n\nconst (\n\tbaseStoreURL = \"https://login.cloudflareaccess.org/\"\n\tfedStoreURL = \"https://login.fed.cloudflareaccess.org/\"\n\tclientTimeout = time.Second * 60\n)\n\n// RunTransfer does the transfer \"dance\" with the end result downloading the supported resource.\n// The expanded description is run is encapsulation of shared business logic needed\n// to request a resource (token/cert/etc) from the transfer service (loginhelper).\n// The \"dance\" we refer to is building a HTTP request, opening that in a browser waiting for\n// the user to complete an action, while it long polls in the background waiting for an\n// action to be completed to download the resource.\nfunc RunTransfer(transferURL *url.URL, appAUD, resourceName, key, value string, shouldEncrypt bool, useHostOnly bool, autoClose bool, fedramp bool, log *zerolog.Logger) ([]byte, error) {\n\tencrypterClient, err := NewEncrypter(\"cloudflared_priv.pem\", \"cloudflared_pub.pem\")\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\trequestURL, err := buildRequestURL(transferURL, appAUD, key, value+encrypterClient.PublicKey(), shouldEncrypt, useHostOnly, autoClose)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// See AUTH-1423 for why we use stderr (the way git wraps ssh)\n\terr = OpenBrowser(requestURL)\n\tif err != nil {\n\t\tfmt.Fprintf(os.Stderr, \"Please open the following URL and log in with your Cloudflare account:\\n\\n%s\\n\\nLeave cloudflared running to download the %s automatically.\\n\", requestURL, resourceName)\n\t} else {\n\t\tfmt.Fprintf(os.Stderr, \"A browser window should have opened at the following URL:\\n\\n%s\\n\\nIf the browser failed to open, please visit the URL above directly in your browser.\\n\", requestURL)\n\t}\n\n\tvar resourceData []byte\n\n\tstoreURL := baseStoreURL\n\n\tif fedramp {\n\t\tstoreURL = fedStoreURL\n\t}\n\n\tif shouldEncrypt {\n\t\tbuf, key, err := transferRequest(storeURL+\"transfer/\"+encrypterClient.PublicKey(), log)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tdecodedBuf, err := base64.StdEncoding.DecodeString(string(buf))\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tdecrypted, err := encrypterClient.Decrypt(decodedBuf, key)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tresourceData = decrypted\n\t} else {\n\t\tbuf, _, err := transferRequest(storeURL+encrypterClient.PublicKey(), log)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tresourceData = buf\n\t}\n\n\treturn resourceData, nil\n}\n\n// BuildRequestURL creates a request suitable for a resource transfer.\n// it will return a constructed url based off the base url and query key/value provided.\n// cli will build a url for cli transfer request.\nfunc buildRequestURL(baseURL *url.URL, appAUD string, key, value string, cli, useHostOnly bool, autoClose bool) (string, error) {\n\tq := baseURL.Query()\n\tq.Set(key, value)\n\tq.Set(\"aud\", appAUD)\n\tbaseURL.RawQuery = q.Encode()\n\tif useHostOnly {\n\t\tbaseURL.Path = \"\"\n\t}\n\t// TODO: pass arg for tunnel login\n\tif !cli {\n\t\treturn baseURL.String(), nil\n\t}\n\tq.Set(\"redirect_url\", baseURL.String()) // we add the token as a query param on both the redirect_url and the main url\n\tq.Set(\"send_org_token\", \"true\") // indicates that the cli endpoint should return both the org and app token\n\tq.Set(\"edge_token_transfer\", \"true\") // use new LoginHelper service built on workers\n\tif autoClose {\n\t\tq.Set(\"close_interstitial\", \"true\") // Automatically close the success window.\n\t}\n\n\tbaseURL.RawQuery = q.Encode() // and this actual baseURL.\n\tbaseURL.Path = \"cdn-cgi/access/cli\"\n\treturn baseURL.String(), nil\n}\n\n// transferRequest downloads the requested resource from the request URL\nfunc transferRequest(requestURL string, log *zerolog.Logger) ([]byte, string, error) {\n\tclient := &http.Client{Timeout: clientTimeout}\n\tconst pollAttempts = 10\n\t// we do \"long polling\" on the endpoint to get the resource.\n\tfor i := 0; i < pollAttempts; i++ {\n\t\tbuf, key, err := poll(client, requestURL, log)\n\t\tif err != nil {\n\t\t\treturn nil, \"\", err\n\t\t} else if len(buf) > 0 {\n\t\t\treturn buf, key, nil\n\t\t}\n\t}\n\treturn nil, \"\", errors.New(\"Failed to fetch resource\")\n}\n\n// poll the endpoint for the request resource, waiting for the user interaction\nfunc poll(client *http.Client, requestURL string, log *zerolog.Logger) ([]byte, string, error) {\n\treq, err := http.NewRequest(http.MethodGet, requestURL, nil)\n\tif err != nil {\n\t\treturn nil, \"\", err\n\t}\n\treq.Header.Set(\"User-Agent\", userAgent)\n\tresp, err := client.Do(req)\n\tif err != nil {\n\t\treturn nil, \"\", err\n\t}\n\tdefer resp.Body.Close()\n\n\t// ignore everything other than server errors as the resource\n\t// may not exist until the user does the interaction\n\tif resp.StatusCode >= 500 {\n\t\tbuf := new(bytes.Buffer)\n\t\tif _, err := io.Copy(buf, resp.Body); err != nil {\n\t\t\treturn nil, \"\", err\n\t\t}\n\n\t\treturn nil, \"\", fmt.Errorf(\"error on request %d: %s\", resp.StatusCode, buf.String())\n\t}\n\tif resp.StatusCode != 200 {\n\t\tlog.Info().Msg(\"Waiting for login...\")\n\t\treturn nil, \"\", nil\n\t}\n\n\tbuf := new(bytes.Buffer)\n\tif _, err := io.Copy(buf, resp.Body); err != nil {\n\t\treturn nil, \"\", err\n\t}\n\treturn buf.Bytes(), resp.Header.Get(\"service-public-key\"), nil\n}\n" }, { "path": "tracing/client.go", "content": "package tracing\n\nimport (\n\t\"context\"\n\t\"encoding/base64\"\n\t\"errors\"\n\t\"sync\"\n\n\tcoltracepb \"go.opentelemetry.io/proto/otlp/collector/trace/v1\"\n\ttracepb \"go.opentelemetry.io/proto/otlp/trace/v1\"\n\t\"google.golang.org/protobuf/proto\"\n)\n\nconst (\n\tMaxTraceAmount = 20\n)\n\nvar (\n\terrNoTraces = errors.New(\"no traces recorded to be exported\")\n\terrNoopTracer = errors.New(\"noop tracer has no traces\")\n)\n\ntype InMemoryClient interface {\n\t// Spans returns a copy of the list of in-memory stored spans as a base64\n\t// encoded otlp protobuf string.\n\tSpans() (string, error)\n\t// ExportProtoSpans returns a copy of the list of in-memory stored spans as otlp\n\t// protobuf byte array and clears the in-memory spans.\n\tExportProtoSpans() ([]byte, error)\n}\n\n// InMemoryOtlpClient is a client implementation for otlptrace.Client\ntype InMemoryOtlpClient struct {\n\tmu sync.Mutex\n\tspans []*tracepb.ResourceSpans\n}\n\nfunc (mc *InMemoryOtlpClient) Start(_ context.Context) error {\n\treturn nil\n}\n\nfunc (mc *InMemoryOtlpClient) Stop(_ context.Context) error {\n\treturn nil\n}\n\n// UploadTraces adds the provided list of spans to the in-memory list.\nfunc (mc *InMemoryOtlpClient) UploadTraces(_ context.Context, protoSpans []*tracepb.ResourceSpans) error {\n\tmc.mu.Lock()\n\tdefer mc.mu.Unlock()\n\t// Catch to make sure too many traces aren't being added to response header.\n\t// Returning nil makes sure we don't fail to send the traces we already recorded.\n\tif len(mc.spans)+len(protoSpans) > MaxTraceAmount {\n\t\treturn nil\n\t}\n\tmc.spans = append(mc.spans, protoSpans...)\n\treturn nil\n}\n\n// Spans returns the list of in-memory stored spans as a base64 encoded otlp protobuf string.\nfunc (mc *InMemoryOtlpClient) Spans() (string, error) {\n\tdata, err := mc.ExportProtoSpans()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn base64.StdEncoding.EncodeToString(data), nil\n}\n\n// ProtoSpans returns the list of in-memory stored spans as the protobuf byte array.\nfunc (mc *InMemoryOtlpClient) ExportProtoSpans() ([]byte, error) {\n\tmc.mu.Lock()\n\tdefer mc.mu.Unlock()\n\tif len(mc.spans) <= 0 {\n\t\treturn nil, errNoTraces\n\t}\n\tpbRequest := &coltracepb.ExportTraceServiceRequest{\n\t\tResourceSpans: mc.spans,\n\t}\n\tserializedSpans, err := proto.Marshal(pbRequest)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tmc.spans = make([]*tracepb.ResourceSpans, 0)\n\treturn serializedSpans, nil\n}\n\n// NoopOtlpClient is a client implementation for otlptrace.Client that does nothing\ntype NoopOtlpClient struct{}\n\nfunc (mc *NoopOtlpClient) Start(_ context.Context) error {\n\treturn nil\n}\n\nfunc (mc *NoopOtlpClient) Stop(_ context.Context) error {\n\treturn nil\n}\n\nfunc (mc *NoopOtlpClient) UploadTraces(_ context.Context, _ []*tracepb.ResourceSpans) error {\n\treturn nil\n}\n\n// Spans always returns no traces error\nfunc (mc *NoopOtlpClient) Spans() (string, error) {\n\treturn \"\", errNoopTracer\n}\n\n// Spans always returns no traces error\nfunc (mc *NoopOtlpClient) ExportProtoSpans() ([]byte, error) {\n\treturn nil, errNoopTracer\n}\n\nfunc (mc *NoopOtlpClient) ClearSpans() {}\n" }, { "path": "tracing/client_test.go", "content": "package tracing\n\nimport (\n\t\"context\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"go.opentelemetry.io/otel/exporters/otlp/otlptrace\"\n\tsemconv \"go.opentelemetry.io/otel/semconv/v1.7.0\"\n\t\"go.opentelemetry.io/otel/trace\"\n\tcommonpb \"go.opentelemetry.io/proto/otlp/common/v1\"\n\tresourcepb \"go.opentelemetry.io/proto/otlp/resource/v1\"\n\ttracepb \"go.opentelemetry.io/proto/otlp/trace/v1\"\n)\n\nconst (\n\tresourceSchemaUrl = \"http://example.com/custom-resource-schema\"\n\tinstrumentSchemaUrl = semconv.SchemaURL\n)\n\nvar (\n\ttraceId = []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}\n\tspanId = []byte{0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF9, 0xF8}\n\tparentSpanId = []byte{0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08}\n\tstartTime = time.Date(2022, 4, 4, 0, 0, 0, 0, time.UTC)\n\tendTime = startTime.Add(5 * time.Second)\n\n\ttraceState, _ = trace.ParseTraceState(\"key1=val1,key2=val2\")\n\tinstrScope = &commonpb.InstrumentationScope{Name: \"go.opentelemetry.io/test/otel\", Version: \"v1.6.0\"}\n\totlpKeyValues = []*commonpb.KeyValue{\n\t\t{\n\t\t\tKey: \"string_key\",\n\t\t\tValue: &commonpb.AnyValue{\n\t\t\t\tValue: &commonpb.AnyValue_StringValue{\n\t\t\t\t\tStringValue: \"string value\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tKey: \"bool_key\",\n\t\t\tValue: &commonpb.AnyValue{\n\t\t\t\tValue: &commonpb.AnyValue_BoolValue{\n\t\t\t\t\tBoolValue: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\totlpResource = &resourcepb.Resource{\n\t\tAttributes: []*commonpb.KeyValue{\n\t\t\t{\n\t\t\t\tKey: \"service.name\",\n\t\t\t\tValue: &commonpb.AnyValue{\n\t\t\t\t\tValue: &commonpb.AnyValue_StringValue{\n\t\t\t\t\t\tStringValue: \"service-name\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n)\n\nvar _ otlptrace.Client = (*InMemoryOtlpClient)(nil)\nvar _ InMemoryClient = (*InMemoryOtlpClient)(nil)\nvar _ otlptrace.Client = (*NoopOtlpClient)(nil)\nvar _ InMemoryClient = (*NoopOtlpClient)(nil)\n\nfunc TestUploadTraces(t *testing.T) {\n\tclient := &InMemoryOtlpClient{}\n\tspans := createResourceSpans([]*tracepb.Span{createOtlpSpan(traceId)})\n\tspans2 := createResourceSpans([]*tracepb.Span{createOtlpSpan(traceId)})\n\terr := client.UploadTraces(context.Background(), spans)\n\tassert.NoError(t, err)\n\terr = client.UploadTraces(context.Background(), spans2)\n\tassert.NoError(t, err)\n\tassert.Len(t, client.spans, 2)\n}\n\nfunc TestSpans(t *testing.T) {\n\tclient := &InMemoryOtlpClient{}\n\tspans := createResourceSpans([]*tracepb.Span{createOtlpSpan(traceId)})\n\terr := client.UploadTraces(context.Background(), spans)\n\tassert.NoError(t, err)\n\tassert.Len(t, client.spans, 1)\n\tenc, err := client.Spans()\n\tassert.NoError(t, err)\n\texpected := \"CsECCiAKHgoMc2VydmljZS5uYW1lEg4KDHNlcnZpY2UtbmFtZRLxAQonCh1nby5vcGVudGVsZW1ldHJ5LmlvL3Rlc3Qvb3RlbBIGdjEuNi4wEp0BChAAAQIDBAUGBwgJCgsMDQ4PEgj//v38+/r5+BoTa2V5MT12YWwxLGtleTI9dmFsMiIIDw4NDAsKCQgqCnRyYWNlX25hbWUwATkAANJvaYjiFkEA8teZaojiFkocCgpzdHJpbmdfa2V5Eg4KDHN0cmluZyB2YWx1ZUoOCghib29sX2tleRICEAF6EhIOc3RhdHVzIG1lc3NhZ2UYARomaHR0cHM6Ly9vcGVudGVsZW1ldHJ5LmlvL3NjaGVtYXMvMS43LjAaKWh0dHA6Ly9leGFtcGxlLmNvbS9jdXN0b20tcmVzb3VyY2Utc2NoZW1h\"\n\tassert.Equal(t, expected, enc)\n}\n\nfunc TestSpansEmpty(t *testing.T) {\n\tclient := &InMemoryOtlpClient{}\n\terr := client.UploadTraces(context.Background(), []*tracepb.ResourceSpans{})\n\tassert.NoError(t, err)\n\tassert.Len(t, client.spans, 0)\n\t_, err = client.Spans()\n\tassert.ErrorIs(t, err, errNoTraces)\n}\n\nfunc TestSpansNil(t *testing.T) {\n\tclient := &InMemoryOtlpClient{}\n\terr := client.UploadTraces(context.Background(), nil)\n\tassert.NoError(t, err)\n\tassert.Len(t, client.spans, 0)\n\t_, err = client.Spans()\n\tassert.ErrorIs(t, err, errNoTraces)\n}\n\nfunc TestSpansTooManySpans(t *testing.T) {\n\tclient := &InMemoryOtlpClient{}\n\tfor i := 0; i < MaxTraceAmount+1; i++ {\n\t\tspans := createResourceSpans([]*tracepb.Span{createOtlpSpan(traceId)})\n\t\terr := client.UploadTraces(context.Background(), spans)\n\t\tassert.NoError(t, err)\n\t}\n\tassert.Len(t, client.spans, MaxTraceAmount)\n\t_, err := client.Spans()\n\tassert.NoError(t, err)\n}\n\nfunc createResourceSpans(spans []*tracepb.Span) []*tracepb.ResourceSpans {\n\treturn []*tracepb.ResourceSpans{createResourceSpan(spans)}\n}\n\nfunc createResourceSpan(spans []*tracepb.Span) *tracepb.ResourceSpans {\n\treturn &tracepb.ResourceSpans{\n\t\tResource: otlpResource,\n\t\tScopeSpans: []*tracepb.ScopeSpans{\n\t\t\t{\n\t\t\t\tScope: instrScope,\n\t\t\t\tSpans: spans,\n\t\t\t\tSchemaUrl: instrumentSchemaUrl,\n\t\t\t},\n\t\t},\n\t\tSchemaUrl: resourceSchemaUrl,\n\t}\n}\n\nfunc createOtlpSpan(tid []byte) *tracepb.Span {\n\treturn &tracepb.Span{\n\t\tTraceId: tid,\n\t\tSpanId: spanId,\n\t\tTraceState: traceState.String(),\n\t\tParentSpanId: parentSpanId,\n\t\tName: \"trace_name\",\n\t\tKind: tracepb.Span_SPAN_KIND_INTERNAL,\n\t\tStartTimeUnixNano: uint64(startTime.UnixNano()),\n\t\tEndTimeUnixNano: uint64(endTime.UnixNano()),\n\t\tAttributes: otlpKeyValues,\n\t\tDroppedAttributesCount: 0,\n\t\tEvents: nil,\n\t\tDroppedEventsCount: 0,\n\t\tLinks: nil,\n\t\tDroppedLinksCount: 0,\n\t\tStatus: &tracepb.Status{\n\t\t\tMessage: \"status message\",\n\t\t\tCode: tracepb.Status_STATUS_CODE_OK,\n\t\t},\n\t}\n}\n" }, { "path": "tracing/identity.go", "content": "package tracing\n\nimport (\n\t\"bytes\"\n\t\"encoding/binary\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n)\n\nconst (\n\t// 16 bytes for tracing ID, 8 bytes for span ID and 1 byte for flags\n\tIdentityLength = 16 + 8 + 1\n)\n\ntype Identity struct {\n\t// Based on https://www.jaegertracing.io/docs/1.36/client-libraries/#value\n\t// parent span ID is always 0 for our case\n\ttraceIDUpper uint64\n\ttraceIDLower uint64\n\tspanID uint64\n\tflags uint8\n}\n\n// TODO: TUN-6604 Remove this. To reconstruct into Jaeger propagation format, convert tracingContext to tracing.Identity\nfunc (tc *Identity) String() string {\n\treturn fmt.Sprintf(\"%016x%016x:%x:0:%x\", tc.traceIDUpper, tc.traceIDLower, tc.spanID, tc.flags)\n}\n\nfunc (tc *Identity) MarshalBinary() ([]byte, error) {\n\tbuf := bytes.NewBuffer(make([]byte, 0, IdentityLength))\n\tfor _, field := range []interface{}{\n\t\ttc.traceIDUpper,\n\t\ttc.traceIDLower,\n\t\ttc.spanID,\n\t\ttc.flags,\n\t} {\n\t\tif err := binary.Write(buf, binary.BigEndian, field); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\treturn buf.Bytes(), nil\n}\n\nfunc (tc *Identity) UnmarshalBinary(data []byte) error {\n\tif len(data) < IdentityLength {\n\t\treturn fmt.Errorf(\"expect tracingContext to have at least %d bytes, got %d\", IdentityLength, len(data))\n\t}\n\n\tbuf := bytes.NewBuffer(data)\n\tfor _, field := range []interface{}{\n\t\t&tc.traceIDUpper,\n\t\t&tc.traceIDLower,\n\t\t&tc.spanID,\n\t\t&tc.flags,\n\t} {\n\t\tif err := binary.Read(buf, binary.BigEndian, field); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc NewIdentity(trace string) (*Identity, error) {\n\tparts := strings.Split(trace, separator)\n\tif len(parts) != 4 {\n\t\treturn nil, fmt.Errorf(\"trace '%s' doesn't have exactly 4 parts separated by %s\", trace, separator)\n\t}\n\tconst base = 16\n\ttracingID, err := padTracingID(parts[0])\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\ttraceIDUpper, err := strconv.ParseUint(tracingID[:16], base, 64)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to parse first 16 bytes of tracing ID as uint64, err: %w\", err)\n\t}\n\ttraceIDLower, err := strconv.ParseUint(tracingID[16:], base, 64)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to parse last 16 bytes of tracing ID as uint64, err: %w\", err)\n\t}\n\tspanID, err := strconv.ParseUint(parts[1], base, 64)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to parse span ID as uint64, err: %w\", err)\n\t}\n\tflags, err := strconv.ParseUint(parts[3], base, 8)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to parse flag as uint8, err: %w\", err)\n\t}\n\treturn &Identity{\n\t\ttraceIDUpper: traceIDUpper,\n\t\ttraceIDLower: traceIDLower,\n\t\tspanID: spanID,\n\t\tflags: uint8(flags),\n\t}, nil\n}\n\nfunc padTracingID(tracingID string) (string, error) {\n\tif len(tracingID) == 0 {\n\t\treturn \"\", fmt.Errorf(\"missing tracing ID\")\n\t}\n\tif len(tracingID) == traceID128bitsWidth {\n\t\treturn tracingID, nil\n\t}\n\t// Correctly left pad the trace to a length of 32\n\tleft := traceID128bitsWidth - len(tracingID)\n\tpaddedTracingID := strings.Repeat(\"0\", left) + tracingID\n\treturn paddedTracingID, nil\n}\n" }, { "path": "tracing/identity_test.go", "content": "package tracing\n\nimport (\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestNewIdentity(t *testing.T) {\n\ttestCases := []struct {\n\t\ttestCase string\n\t\ttrace string\n\t\texpected string\n\t}{\n\t\t{\n\t\t\ttestCase: \"full length trace\",\n\t\t\ttrace: \"ec31ad8a01fde11fdcabe2efdce36873:52726f6cabc144f5:0:1\",\n\t\t\texpected: \"ec31ad8a01fde11fdcabe2efdce36873:52726f6cabc144f5:0:1\",\n\t\t},\n\t\t{\n\t\t\ttestCase: \"short trace ID\",\n\t\t\ttrace: \"ad8a01fde11fdcabe2efdce36873:52726f6cabc144f5:0:1\",\n\t\t\texpected: \"0000ad8a01fde11fdcabe2efdce36873:52726f6cabc144f5:0:1\",\n\t\t},\n\t\t{\n\t\t\ttestCase: \"short trace ID with 0s in the middle\",\n\t\t\ttrace: \"ad8a01fde11f000002efdce36873:52726f6cabc144f5:0:1\",\n\t\t\texpected: \"0000ad8a01fde11f000002efdce36873:52726f6cabc144f5:0:1\",\n\t\t},\n\t\t{\n\t\t\ttestCase: \"short trace ID with 0s in the beginning and middle\",\n\t\t\ttrace: \"001ad8a01fde11fdcabe2efdce36873:52726f6cabc144f5:0:1\",\n\t\t\texpected: \"0001ad8a01fde11fdcabe2efdce36873:52726f6cabc144f5:0:1\",\n\t\t},\n\t\t{\n\t\t\ttestCase: \"no trace\",\n\t\t\ttrace: \"\",\n\t\t},\n\t\t{\n\t\t\ttestCase: \"missing flags\",\n\t\t\ttrace: \"ec31ad8a01fde11fdcabe2efdce36873:52726f6cabc144f5:0\",\n\t\t},\n\t\t{\n\t\t\ttestCase: \"missing separator\",\n\t\t\ttrace: \"ec31ad8a01fde11fdcabe2efdce3687352726f6cabc144f501\",\n\t\t},\n\t}\n\n\tfor _, testCase := range testCases {\n\t\tidentity, err := NewIdentity(testCase.trace)\n\t\tif testCase.expected != \"\" {\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, testCase.expected, identity.String())\n\n\t\t\tserializedIdentity, err := identity.MarshalBinary()\n\t\t\trequire.NoError(t, err)\n\t\t\tdeserializedIdentity := new(Identity)\n\t\t\terr = deserializedIdentity.UnmarshalBinary(serializedIdentity)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, identity, deserializedIdentity)\n\n\t\t} else {\n\t\t\trequire.Error(t, err)\n\t\t\trequire.Nil(t, identity)\n\t\t}\n\t}\n}\n" }, { "path": "tracing/tracing.go", "content": "package tracing\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"math\"\n\t\"net/http\"\n\t\"os\"\n\t\"runtime\"\n\t\"strings\"\n\n\t\"github.com/rs/zerolog\"\n\totelContrib \"go.opentelemetry.io/contrib/propagators/jaeger\"\n\t\"go.opentelemetry.io/otel\"\n\t\"go.opentelemetry.io/otel/attribute\"\n\t\"go.opentelemetry.io/otel/codes\"\n\t\"go.opentelemetry.io/otel/exporters/otlp/otlptrace\"\n\t\"go.opentelemetry.io/otel/propagation\"\n\t\"go.opentelemetry.io/otel/sdk/resource\"\n\ttracesdk \"go.opentelemetry.io/otel/sdk/trace\"\n\tsemconv \"go.opentelemetry.io/otel/semconv/v1.7.0\"\n\t\"go.opentelemetry.io/otel/trace\"\n)\n\nconst (\n\tservice = \"cloudflared\"\n\ttracerInstrumentName = \"origin\"\n\n\tTracerContextName = \"cf-trace-id\"\n\tTracerContextNameOverride = \"uber-trace-id\"\n\n\tIntCloudflaredTracingHeader = \"cf-int-cloudflared-tracing\"\n\n\tMaxErrorDescriptionLen = 100\n\ttraceHttpStatusCodeKey = \"upstreamStatusCode\"\n\n\ttraceID128bitsWidth = 128 / 4\n\tseparator = \":\"\n)\n\nvar (\n\tCanonicalCloudflaredTracingHeader = http.CanonicalHeaderKey(IntCloudflaredTracingHeader)\n\tHttp2TransportAttribute = trace.WithAttributes(transportAttributeKey.String(\"http2\"))\n\tQuicTransportAttribute = trace.WithAttributes(transportAttributeKey.String(\"quic\"))\n\tHostOSAttribute = semconv.HostTypeKey.String(runtime.GOOS)\n\tHostArchAttribute = semconv.HostArchKey.String(runtime.GOARCH)\n\n\totelVersionAttribute attribute.KeyValue\n\thostnameAttribute attribute.KeyValue\n\tcloudflaredVersionAttribute attribute.KeyValue\n\tserviceAttribute = semconv.ServiceNameKey.String(service)\n\n\ttransportAttributeKey = attribute.Key(\"transport\")\n\totelVersionAttributeKey = attribute.Key(\"jaeger.version\")\n\n\terrNoopTracerProvider = errors.New(\"noop tracer provider records no spans\")\n)\n\nfunc init() {\n\t// Register the jaeger propagator globally.\n\totel.SetTextMapPropagator(otelContrib.Jaeger{})\n\totelVersionAttribute = otelVersionAttributeKey.String(fmt.Sprintf(\"go-otel-%s\", otel.Version()))\n\tif hostname, err := os.Hostname(); err == nil {\n\t\thostnameAttribute = attribute.String(\"hostname\", hostname)\n\t}\n}\n\nfunc Init(version string) {\n\tcloudflaredVersionAttribute = semconv.ProcessRuntimeVersionKey.String(version)\n}\n\ntype TracedHTTPRequest struct {\n\t*http.Request\n\t*cfdTracer\n\tConnIndex uint8 // The connection index used to proxy the request\n}\n\n// NewTracedHTTPRequest creates a new tracer for the current HTTP request context.\nfunc NewTracedHTTPRequest(req *http.Request, connIndex uint8, log *zerolog.Logger) *TracedHTTPRequest {\n\tctx, exists := extractTrace(req)\n\tif !exists {\n\t\treturn &TracedHTTPRequest{req, &cfdTracer{trace.NewNoopTracerProvider(), &NoopOtlpClient{}, log}, connIndex}\n\t}\n\treturn &TracedHTTPRequest{req.WithContext(ctx), newCfdTracer(ctx, log), connIndex}\n}\n\nfunc (tr *TracedHTTPRequest) ToTracedContext() *TracedContext {\n\treturn &TracedContext{tr.Context(), tr.cfdTracer}\n}\n\ntype TracedContext struct {\n\tcontext.Context\n\t*cfdTracer\n}\n\n// NewTracedContext creates a new tracer for the current context.\nfunc NewTracedContext(ctx context.Context, traceContext string, log *zerolog.Logger) *TracedContext {\n\tctx, exists := extractTraceFromString(ctx, traceContext)\n\tif !exists {\n\t\treturn &TracedContext{ctx, &cfdTracer{trace.NewNoopTracerProvider(), &NoopOtlpClient{}, log}}\n\t}\n\treturn &TracedContext{ctx, newCfdTracer(ctx, log)}\n}\n\ntype cfdTracer struct {\n\ttrace.TracerProvider\n\texporter InMemoryClient\n\tlog *zerolog.Logger\n}\n\n// NewCfdTracer creates a new tracer for the current request context.\nfunc newCfdTracer(ctx context.Context, log *zerolog.Logger) *cfdTracer {\n\tmc := new(InMemoryOtlpClient)\n\texp, err := otlptrace.New(ctx, mc)\n\tif err != nil {\n\t\treturn &cfdTracer{trace.NewNoopTracerProvider(), &NoopOtlpClient{}, log}\n\t}\n\ttp := tracesdk.NewTracerProvider(\n\t\t// We want to dump to in-memory exporter immediately\n\t\ttracesdk.WithSyncer(exp),\n\t\t// Record information about this application in a Resource.\n\t\ttracesdk.WithResource(resource.NewWithAttributes(\n\t\t\tsemconv.SchemaURL,\n\t\t\tserviceAttribute,\n\t\t\totelVersionAttribute,\n\t\t\thostnameAttribute,\n\t\t\tcloudflaredVersionAttribute,\n\t\t\tHostOSAttribute,\n\t\t\tHostArchAttribute,\n\t\t)),\n\t)\n\n\treturn &cfdTracer{tp, mc, log}\n}\n\nfunc (cft *cfdTracer) Tracer() trace.Tracer {\n\treturn cft.TracerProvider.Tracer(tracerInstrumentName)\n}\n\n// GetSpans returns the spans as base64 encoded string of protobuf otlp traces.\nfunc (cft *cfdTracer) GetSpans() (enc string) {\n\tenc, err := cft.exporter.Spans()\n\tswitch err {\n\tcase nil:\n\t\tbreak\n\tcase errNoTraces:\n\t\tcft.log.Trace().Err(err).Msgf(\"expected traces to be available\")\n\t\treturn\n\tcase errNoopTracer:\n\t\treturn // noop tracer has no traces\n\tdefault:\n\t\tcft.log.Debug().Err(err)\n\t\treturn\n\t}\n\treturn\n}\n\n// GetProtoSpans returns the spans as the otlp traces in protobuf byte array.\nfunc (cft *cfdTracer) GetProtoSpans() (proto []byte) {\n\tproto, err := cft.exporter.ExportProtoSpans()\n\tswitch err {\n\tcase nil:\n\t\tbreak\n\tcase errNoTraces:\n\t\tcft.log.Trace().Err(err).Msgf(\"expected traces to be available\")\n\t\treturn\n\tcase errNoopTracer:\n\t\treturn // noop tracer has no traces\n\tdefault:\n\t\tcft.log.Debug().Err(err)\n\t\treturn\n\t}\n\treturn\n}\n\n// AddSpans assigns spans as base64 encoded protobuf otlp traces to provided\n// HTTP headers.\nfunc (cft *cfdTracer) AddSpans(headers http.Header) {\n\tif headers == nil {\n\t\treturn\n\t}\n\n\tenc := cft.GetSpans()\n\t// No need to add header if no traces\n\tif enc == \"\" {\n\t\treturn\n\t}\n\n\theaders[CanonicalCloudflaredTracingHeader] = []string{enc}\n}\n\n// End will set the OK status for the span and then end it.\nfunc End(span trace.Span) {\n\tendSpan(span, -1, codes.Ok, nil)\n}\n\n// EndWithErrorStatus will set a status for the span and then end it.\nfunc EndWithErrorStatus(span trace.Span, err error) {\n\tendSpan(span, -1, codes.Error, err)\n}\n\n// EndWithStatusCode will set a status for the span and then end it.\nfunc EndWithStatusCode(span trace.Span, statusCode int) {\n\tendSpan(span, statusCode, codes.Ok, nil)\n}\n\n// EndWithErrorStatus will set a status for the span and then end it.\nfunc endSpan(span trace.Span, upstreamStatusCode int, spanStatusCode codes.Code, err error) {\n\tif span == nil {\n\t\treturn\n\t}\n\n\tif upstreamStatusCode > 0 {\n\t\tspan.SetAttributes(attribute.Int(traceHttpStatusCodeKey, upstreamStatusCode))\n\t}\n\n\t// add error to status buf cap description\n\terrDescription := \"\"\n\tif err != nil {\n\t\terrDescription = err.Error()\n\t\tl := int(math.Min(float64(len(errDescription)), MaxErrorDescriptionLen))\n\t\terrDescription = errDescription[:l]\n\t}\n\n\tspan.SetStatus(spanStatusCode, errDescription)\n\tspan.End()\n}\n\n// extractTraceFromString will extract the trace information from the provided\n// propagated trace string context.\nfunc extractTraceFromString(ctx context.Context, trace string) (context.Context, bool) {\n\tif trace == \"\" {\n\t\treturn ctx, false\n\t}\n\t// Jaeger specific separator\n\tparts := strings.Split(trace, separator)\n\tif len(parts) != 4 {\n\t\treturn ctx, false\n\t}\n\tif parts[0] == \"\" {\n\t\treturn ctx, false\n\t}\n\t// Correctly left pad the trace to a length of 32\n\tif len(parts[0]) < traceID128bitsWidth {\n\t\tleft := traceID128bitsWidth - len(parts[0])\n\t\tparts[0] = strings.Repeat(\"0\", left) + parts[0]\n\t\ttrace = strings.Join(parts, separator)\n\t}\n\t// Override the 'cf-trace-id' as 'uber-trace-id' so the jaeger propagator can extract it.\n\ttraceHeader := map[string]string{TracerContextNameOverride: trace}\n\tremoteCtx := otel.GetTextMapPropagator().Extract(ctx, propagation.MapCarrier(traceHeader))\n\treturn remoteCtx, true\n}\n\n// extractTrace attempts to check for a cf-trace-id from a request and return the\n// trace context with the provided http.Request.\nfunc extractTrace(req *http.Request) (context.Context, bool) {\n\t// Only add tracing for requests with appropriately tagged headers\n\tremoteTraces := req.Header.Values(TracerContextName)\n\tif len(remoteTraces) <= 0 {\n\t\t// Strip the cf-trace-id header\n\t\treq.Header.Del(TracerContextName)\n\t\treturn nil, false\n\t}\n\n\ttraceHeader := map[string]string{}\n\tfor _, t := range remoteTraces {\n\t\t// Override the 'cf-trace-id' as 'uber-trace-id' so the jaeger propagator can extract it.\n\t\t// Last entry wins if multiple provided\n\t\ttraceHeader[TracerContextNameOverride] = t\n\t}\n\n\t// Strip the cf-trace-id header\n\treq.Header.Del(TracerContextName)\n\n\tif traceHeader[TracerContextNameOverride] == \"\" {\n\t\treturn nil, false\n\t}\n\n\tremoteCtx := otel.GetTextMapPropagator().Extract(req.Context(), propagation.MapCarrier(traceHeader))\n\treturn remoteCtx, true\n}\n\nfunc NewNoopSpan() trace.Span {\n\treturn trace.SpanFromContext(nil)\n}\n" }, { "path": "tracing/tracing_test.go", "content": "package tracing\n\nimport (\n\t\"context\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/stretchr/testify/assert\"\n\ttracesdk \"go.opentelemetry.io/otel/sdk/trace\"\n\t\"go.opentelemetry.io/otel/trace\"\n\ttracepb \"go.opentelemetry.io/proto/otlp/trace/v1\"\n)\n\nfunc TestNewCfTracer(t *testing.T) {\n\tlog := zerolog.Nop()\n\treq := httptest.NewRequest(\"GET\", \"http://localhost\", nil)\n\treq.Header.Add(TracerContextName, \"14cb070dde8e51fc5ae8514e69ba42ca:b38f1bf5eae406f3:0:1\")\n\ttr := NewTracedHTTPRequest(req, 0, &log)\n\tassert.NotNil(t, tr)\n\tassert.IsType(t, tracesdk.NewTracerProvider(), tr.TracerProvider)\n\tassert.IsType(t, &InMemoryOtlpClient{}, tr.exporter)\n}\n\nfunc TestNewCfTracerMultiple(t *testing.T) {\n\tlog := zerolog.Nop()\n\treq := httptest.NewRequest(\"GET\", \"http://localhost\", nil)\n\treq.Header.Add(TracerContextName, \"1241ce3ecdefc68854e8514e69ba42ca:b38f1bf5eae406f3:0:1\")\n\treq.Header.Add(TracerContextName, \"14cb070dde8e51fc5ae8514e69ba42ca:b38f1bf5eae406f3:0:1\")\n\ttr := NewTracedHTTPRequest(req, 0, &log)\n\tassert.NotNil(t, tr)\n\tassert.IsType(t, tracesdk.NewTracerProvider(), tr.TracerProvider)\n\tassert.IsType(t, &InMemoryOtlpClient{}, tr.exporter)\n}\n\nfunc TestNewCfTracerNilHeader(t *testing.T) {\n\tlog := zerolog.Nop()\n\treq := httptest.NewRequest(\"GET\", \"http://localhost\", nil)\n\treq.Header[http.CanonicalHeaderKey(TracerContextName)] = nil\n\ttr := NewTracedHTTPRequest(req, 0, &log)\n\tassert.NotNil(t, tr)\n\tassert.IsType(t, trace.NewNoopTracerProvider(), tr.TracerProvider)\n\tassert.IsType(t, &NoopOtlpClient{}, tr.exporter)\n}\n\nfunc TestNewCfTracerInvalidHeaders(t *testing.T) {\n\tlog := zerolog.Nop()\n\treq := httptest.NewRequest(\"GET\", \"http://localhost\", nil)\n\tfor _, test := range [][]string{nil, {\"\"}} {\n\t\treq.Header[http.CanonicalHeaderKey(TracerContextName)] = test\n\t\ttr := NewTracedHTTPRequest(req, 0, &log)\n\t\tassert.NotNil(t, tr)\n\t\tassert.IsType(t, trace.NewNoopTracerProvider(), tr.TracerProvider)\n\t\tassert.IsType(t, &NoopOtlpClient{}, tr.exporter)\n\t}\n}\n\nfunc TestAddingSpansWithNilMap(t *testing.T) {\n\tlog := zerolog.Nop()\n\treq := httptest.NewRequest(\"GET\", \"http://localhost\", nil)\n\treq.Header.Add(TracerContextName, \"14cb070dde8e51fc5ae8514e69ba42ca:b38f1bf5eae406f3:0:1\")\n\ttr := NewTracedHTTPRequest(req, 0, &log)\n\n\texporter := tr.exporter.(*InMemoryOtlpClient)\n\n\t// add fake spans\n\tspans := createResourceSpans([]*tracepb.Span{createOtlpSpan(traceId)})\n\terr := exporter.UploadTraces(context.Background(), spans)\n\tassert.NoError(t, err)\n\n\t// a panic shouldn't occur\n\ttr.AddSpans(nil)\n}\n\nfunc FuzzNewIdentity(f *testing.F) {\n\tf.Fuzz(func(t *testing.T, trace string) {\n\t\t_, _ = NewIdentity(trace)\n\t})\n}\n" }, { "path": "tunnelrpc/metrics/metrics.go", "content": "package metrics\n\nimport (\n\t\"github.com/prometheus/client_golang/prometheus\"\n)\n\nconst (\n\tmetricsNamespace = \"cloudflared\"\n\trpcSubsystem = \"rpc\"\n)\n\n// CloudflaredServer operation labels\n// CloudflaredServer is an extension of SessionManager with additional methods, but it's helpful\n// to visualize it separately in the metrics since they are technically different client/servers.\nconst (\n\tCloudflared = \"cloudflared\"\n)\n\n// ConfigurationManager operation labels\nconst (\n\tConfigurationManager = \"config\"\n\n\tOperationUpdateConfiguration = \"update_configuration\"\n)\n\n// SessionManager operation labels\nconst (\n\tSessionManager = \"session\"\n\n\tOperationRegisterUdpSession = \"register_udp_session\"\n\tOperationUnregisterUdpSession = \"unregister_udp_session\"\n)\n\n// RegistrationServer operation labels\nconst (\n\tRegistration = \"registration\"\n\n\tOperationRegisterConnection = \"register_connection\"\n\tOperationUnregisterConnection = \"unregister_connection\"\n\tOperationUpdateLocalConfiguration = \"update_local_configuration\"\n)\n\ntype rpcMetrics struct {\n\tserverOperations *prometheus.CounterVec\n\tserverFailures *prometheus.CounterVec\n\tserverOperationsLatency *prometheus.HistogramVec\n\n\tClientOperations *prometheus.CounterVec\n\tClientFailures *prometheus.CounterVec\n\tClientOperationsLatency *prometheus.HistogramVec\n}\n\nvar CapnpMetrics *rpcMetrics = &rpcMetrics{\n\tserverOperations: prometheus.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: metricsNamespace,\n\t\t\tSubsystem: rpcSubsystem,\n\t\t\tName: \"server_operations\",\n\t\t\tHelp: \"Number of rpc methods by handler served\",\n\t\t},\n\t\t[]string{\"handler\", \"method\"},\n\t),\n\tserverFailures: prometheus.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: metricsNamespace,\n\t\t\tSubsystem: rpcSubsystem,\n\t\t\tName: \"server_failures\",\n\t\t\tHelp: \"Number of rpc methods failures by handler served\",\n\t\t},\n\t\t[]string{\"handler\", \"method\"},\n\t),\n\tserverOperationsLatency: prometheus.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: metricsNamespace,\n\t\t\tSubsystem: rpcSubsystem,\n\t\t\tName: \"server_latency_secs\",\n\t\t\tHelp: \"Latency of rpc methods by handler served\",\n\t\t\t// Bucket starts at 50ms, each bucket grows by a factor of 3, up to 5 buckets and is expressed as seconds:\n\t\t\t// 50ms, 150ms, 450ms, 1350ms, 4050ms\n\t\t\tBuckets: prometheus.ExponentialBuckets(0.05, 3, 5),\n\t\t},\n\t\t[]string{\"handler\", \"method\"},\n\t),\n\tClientOperations: prometheus.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: metricsNamespace,\n\t\t\tSubsystem: rpcSubsystem,\n\t\t\tName: \"client_operations\",\n\t\t\tHelp: \"Number of rpc methods by handler requested\",\n\t\t},\n\t\t[]string{\"handler\", \"method\"},\n\t),\n\tClientFailures: prometheus.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: metricsNamespace,\n\t\t\tSubsystem: rpcSubsystem,\n\t\t\tName: \"client_failures\",\n\t\t\tHelp: \"Number of rpc method failures by handler requested\",\n\t\t},\n\t\t[]string{\"handler\", \"method\"},\n\t),\n\tClientOperationsLatency: prometheus.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: metricsNamespace,\n\t\t\tSubsystem: rpcSubsystem,\n\t\t\tName: \"client_latency_secs\",\n\t\t\tHelp: \"Latency of rpc methods by handler requested\",\n\t\t\t// Bucket starts at 50ms, each bucket grows by a factor of 3, up to 5 buckets and is expressed as seconds:\n\t\t\t// 50ms, 150ms, 450ms, 1350ms, 4050ms\n\t\t\tBuckets: prometheus.ExponentialBuckets(0.05, 3, 5),\n\t\t},\n\t\t[]string{\"handler\", \"method\"},\n\t),\n}\n\nfunc ObserveServerHandler(inner func() error, handler, method string) error {\n\tdefer CapnpMetrics.serverOperations.WithLabelValues(handler, method).Inc()\n\ttimer := prometheus.NewTimer(prometheus.ObserverFunc(func(s float64) {\n\t\tCapnpMetrics.serverOperationsLatency.WithLabelValues(handler, method).Observe(s)\n\t}))\n\tdefer timer.ObserveDuration()\n\n\terr := inner()\n\tif err != nil {\n\t\tCapnpMetrics.serverFailures.WithLabelValues(handler, method).Inc()\n\t}\n\treturn err\n}\n\nfunc NewClientOperationLatencyObserver(server string, method string) *prometheus.Timer {\n\treturn prometheus.NewTimer(prometheus.ObserverFunc(func(s float64) {\n\t\tCapnpMetrics.ClientOperationsLatency.WithLabelValues(server, method).Observe(s)\n\t}))\n}\n\nfunc init() {\n\tprometheus.MustRegister(CapnpMetrics.serverOperations)\n\tprometheus.MustRegister(CapnpMetrics.serverFailures)\n\tprometheus.MustRegister(CapnpMetrics.serverOperationsLatency)\n\tprometheus.MustRegister(CapnpMetrics.ClientOperations)\n\tprometheus.MustRegister(CapnpMetrics.ClientFailures)\n\tprometheus.MustRegister(CapnpMetrics.ClientOperationsLatency)\n}\n" }, { "path": "tunnelrpc/pogs/cloudflared_server.go", "content": "package pogs\n\nimport (\n\tcapnp \"zombiezen.com/go/capnproto2\"\n\t\"zombiezen.com/go/capnproto2/rpc\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/proto\"\n)\n\ntype CloudflaredServer interface {\n\tSessionManager\n\tConfigurationManager\n}\n\ntype CloudflaredServer_PogsImpl struct {\n\tSessionManager_PogsImpl\n\tConfigurationManager_PogsImpl\n}\n\nfunc CloudflaredServer_ServerToClient(s SessionManager, c ConfigurationManager) proto.CloudflaredServer {\n\treturn proto.CloudflaredServer_ServerToClient(CloudflaredServer_PogsImpl{\n\t\tSessionManager_PogsImpl: SessionManager_PogsImpl{s},\n\t\tConfigurationManager_PogsImpl: ConfigurationManager_PogsImpl{c},\n\t})\n}\n\ntype CloudflaredServer_PogsClient struct {\n\tSessionManager_PogsClient\n\tConfigurationManager_PogsClient\n\tClient capnp.Client\n\tConn *rpc.Conn\n}\n\nfunc NewCloudflaredServer_PogsClient(client capnp.Client, conn *rpc.Conn) CloudflaredServer_PogsClient {\n\tsessionManagerClient := SessionManager_PogsClient{\n\t\tClient: client,\n\t\tConn: conn,\n\t}\n\tconfigManagerClient := ConfigurationManager_PogsClient{\n\t\tClient: client,\n\t\tConn: conn,\n\t}\n\treturn CloudflaredServer_PogsClient{\n\t\tSessionManager_PogsClient: sessionManagerClient,\n\t\tConfigurationManager_PogsClient: configManagerClient,\n\t\tClient: client,\n\t\tConn: conn,\n\t}\n}\n\nfunc (c CloudflaredServer_PogsClient) Close() error {\n\tc.Client.Close()\n\treturn c.Conn.Close()\n}\n" }, { "path": "tunnelrpc/pogs/configuration_manager.go", "content": "package pogs\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\tcapnp \"zombiezen.com/go/capnproto2\"\n\t\"zombiezen.com/go/capnproto2/rpc\"\n\t\"zombiezen.com/go/capnproto2/server\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/metrics\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/proto\"\n)\n\ntype ConfigurationManager interface {\n\t// UpdateConfiguration is the call provided to cloudflared to load the latest remote configuration.\n\tUpdateConfiguration(ctx context.Context, version int32, config []byte) *UpdateConfigurationResponse\n}\n\ntype ConfigurationManager_PogsImpl struct {\n\timpl ConfigurationManager\n}\n\nfunc ConfigurationManager_ServerToClient(c ConfigurationManager) proto.ConfigurationManager {\n\treturn proto.ConfigurationManager_ServerToClient(ConfigurationManager_PogsImpl{c})\n}\n\nfunc (i ConfigurationManager_PogsImpl) UpdateConfiguration(p proto.ConfigurationManager_updateConfiguration) error {\n\treturn metrics.ObserveServerHandler(func() error { return i.updateConfiguration(p) }, metrics.ConfigurationManager, metrics.OperationUpdateConfiguration)\n}\n\nfunc (i ConfigurationManager_PogsImpl) updateConfiguration(p proto.ConfigurationManager_updateConfiguration) error {\n\tserver.Ack(p.Options)\n\n\tversion := p.Params.Version()\n\tconfig, err := p.Params.Config()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tresult, err := p.Results.NewResult()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tupdateResp := i.impl.UpdateConfiguration(p.Ctx, version, config)\n\treturn updateResp.Marshal(result)\n}\n\ntype ConfigurationManager_PogsClient struct {\n\tClient capnp.Client\n\tConn *rpc.Conn\n}\n\nfunc (c ConfigurationManager_PogsClient) Close() error {\n\tc.Client.Close()\n\treturn c.Conn.Close()\n}\n\nfunc (c ConfigurationManager_PogsClient) UpdateConfiguration(ctx context.Context, version int32, config []byte) (*UpdateConfigurationResponse, error) {\n\tclient := proto.ConfigurationManager{Client: c.Client}\n\tpromise := client.UpdateConfiguration(ctx, func(p proto.ConfigurationManager_updateConfiguration_Params) error {\n\t\tp.SetVersion(version)\n\t\treturn p.SetConfig(config)\n\t})\n\tresult, err := promise.Result().Struct()\n\tif err != nil {\n\t\treturn nil, wrapRPCError(err)\n\t}\n\tresponse := new(UpdateConfigurationResponse)\n\n\terr = response.Unmarshal(result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn response, nil\n}\n\ntype UpdateConfigurationResponse struct {\n\tLastAppliedVersion int32 `json:\"lastAppliedVersion\"`\n\tErr error `json:\"err\"`\n}\n\nfunc (p *UpdateConfigurationResponse) Marshal(s proto.UpdateConfigurationResponse) error {\n\ts.SetLatestAppliedVersion(p.LastAppliedVersion)\n\tif p.Err != nil {\n\t\treturn s.SetErr(p.Err.Error())\n\t}\n\treturn nil\n}\n\nfunc (p *UpdateConfigurationResponse) Unmarshal(s proto.UpdateConfigurationResponse) error {\n\tp.LastAppliedVersion = s.LatestAppliedVersion()\n\trespErr, err := s.Err()\n\tif err != nil {\n\t\treturn err\n\t}\n\tif respErr != \"\" {\n\t\tp.Err = fmt.Errorf(\"%s\", respErr)\n\t}\n\treturn nil\n}\n" }, { "path": "tunnelrpc/pogs/errors.go", "content": "package pogs\n\nimport (\n\t\"fmt\"\n\t\"time\"\n)\n\ntype RetryableError struct {\n\terr error\n\tDelay time.Duration\n}\n\nfunc (re *RetryableError) Error() string {\n\treturn re.err.Error()\n}\n\n// RetryErrorAfter wraps err to indicate that client should retry after delay\nfunc RetryErrorAfter(err error, delay time.Duration) *RetryableError {\n\treturn &RetryableError{\n\t\terr: err,\n\t\tDelay: delay,\n\t}\n}\n\nfunc (re *RetryableError) Unwrap() error {\n\treturn re.err\n}\n\n// RPCError is used to indicate errors returned by the RPC subsystem rather\n// than failure of a remote operation\ntype RPCError struct {\n\terr error\n}\n\nfunc (re *RPCError) Error() string {\n\treturn re.err.Error()\n}\n\nfunc wrapRPCError(err error) *RPCError {\n\tif err != nil {\n\t\treturn &RPCError{\n\t\t\terr: err,\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc newRPCError(format string, args ...interface{}) *RPCError {\n\treturn &RPCError{\n\t\tfmt.Errorf(format, args...),\n\t}\n}\n\nfunc (re *RPCError) Unwrap() error {\n\treturn re.err\n}\n" }, { "path": "tunnelrpc/pogs/quic_metadata_protocol.go", "content": "package pogs\n\nimport (\n\t\"fmt\"\n\n\tcapnp \"zombiezen.com/go/capnproto2\"\n\t\"zombiezen.com/go/capnproto2/pogs\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/proto\"\n)\n\n// ConnectionType indicates the type of underlying connection proxied within the QUIC stream.\ntype ConnectionType uint16\n\nconst (\n\tConnectionTypeHTTP ConnectionType = iota\n\tConnectionTypeWebsocket\n\tConnectionTypeTCP\n)\n\nvar (\n\t// ErrorFlowConnectRateLimitedMetadata is the Metadata entry that allows to know if a request was rate limited on connect.\n\tErrorFlowConnectRateLimitedMetadata = Metadata{Key: \"FlowConnectRateLimited\", Val: \"true\"}\n)\n\nfunc (c ConnectionType) String() string {\n\tswitch c {\n\tcase ConnectionTypeHTTP:\n\t\treturn \"http\"\n\tcase ConnectionTypeWebsocket:\n\t\treturn \"ws\"\n\tcase ConnectionTypeTCP:\n\t\treturn \"tcp\"\n\t}\n\tpanic(fmt.Sprintf(\"invalid ConnectionType: %d\", c))\n}\n\n// ConnectRequest is the representation of metadata sent at the start of a QUIC application handshake.\ntype ConnectRequest struct {\n\tDest string `capnp:\"dest\"`\n\tType ConnectionType `capnp:\"type\"`\n\tMetadata []Metadata `capnp:\"metadata\"`\n}\n\n// Metadata is a representation of key value based data sent via RequestMeta.\ntype Metadata struct {\n\tKey string `capnp:\"key\"`\n\tVal string `capnp:\"val\"`\n}\n\n// MetadataMap returns a map format of []Metadata.\nfunc (r *ConnectRequest) MetadataMap() map[string]string {\n\tmetadataMap := make(map[string]string)\n\tfor _, metadata := range r.Metadata {\n\t\tmetadataMap[metadata.Key] = metadata.Val\n\t}\n\treturn metadataMap\n}\n\nfunc (r *ConnectRequest) FromPogs(msg *capnp.Message) error {\n\tmetadata, err := proto.ReadRootConnectRequest(msg)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn pogs.Extract(r, proto.ConnectRequest_TypeID, metadata.Struct)\n}\n\nfunc (r *ConnectRequest) ToPogs() (*capnp.Message, error) {\n\tmsg, seg, err := capnp.NewMessage(capnp.SingleSegment(nil))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\troot, err := proto.NewRootConnectRequest(seg)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif err := pogs.Insert(proto.ConnectRequest_TypeID, root.Struct, r); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn msg, nil\n}\n\n// ConnectResponse is a representation of metadata sent as a response to a QUIC application handshake.\ntype ConnectResponse struct {\n\tError string `capnp:\"error\"`\n\tMetadata []Metadata `capnp:\"metadata\"`\n}\n\nfunc (r *ConnectResponse) FromPogs(msg *capnp.Message) error {\n\tmetadata, err := proto.ReadRootConnectResponse(msg)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn pogs.Extract(r, proto.ConnectResponse_TypeID, metadata.Struct)\n}\n\nfunc (r *ConnectResponse) ToPogs() (*capnp.Message, error) {\n\tmsg, seg, err := capnp.NewMessage(capnp.SingleSegment(nil))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\troot, err := proto.NewRootConnectResponse(seg)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif err := pogs.Insert(proto.ConnectResponse_TypeID, root.Struct, r); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn msg, nil\n}\n" }, { "path": "tunnelrpc/pogs/registration_server.go", "content": "package pogs\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\tcapnp \"zombiezen.com/go/capnproto2\"\n\t\"zombiezen.com/go/capnproto2/pogs\"\n\t\"zombiezen.com/go/capnproto2/rpc\"\n\t\"zombiezen.com/go/capnproto2/server\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/metrics\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/proto\"\n)\n\ntype RegistrationServer interface {\n\t// RegisterConnection is the call typically handled by the edge to initiate and authenticate a new connection\n\t// for cloudflared.\n\tRegisterConnection(ctx context.Context, auth TunnelAuth, tunnelID uuid.UUID, connIndex byte, options *ConnectionOptions) (*ConnectionDetails, error)\n\t// UnregisterConnection is the call typically handled by the edge to close an existing connection for cloudflared.\n\tUnregisterConnection(ctx context.Context)\n\t// UpdateLocalConfiguration is the call typically handled by the edge for cloudflared to provide the current\n\t// configuration it is operating with.\n\tUpdateLocalConfiguration(ctx context.Context, config []byte) error\n}\n\ntype RegistrationServer_PogsImpl struct {\n\timpl RegistrationServer\n}\n\nfunc RegistrationServer_ServerToClient(s RegistrationServer) proto.RegistrationServer {\n\treturn proto.RegistrationServer_ServerToClient(RegistrationServer_PogsImpl{s})\n}\n\nfunc (i RegistrationServer_PogsImpl) RegisterConnection(p proto.RegistrationServer_registerConnection) error {\n\treturn metrics.ObserveServerHandler(func() error { return i.registerConnection(p) }, metrics.Registration, metrics.OperationRegisterConnection)\n}\n\nfunc (i RegistrationServer_PogsImpl) registerConnection(p proto.RegistrationServer_registerConnection) error {\n\tserver.Ack(p.Options)\n\n\tauth, err := p.Params.Auth()\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar pogsAuth TunnelAuth\n\terr = pogsAuth.UnmarshalCapnproto(auth)\n\tif err != nil {\n\t\treturn err\n\t}\n\tuuidBytes, err := p.Params.TunnelId()\n\tif err != nil {\n\t\treturn err\n\t}\n\ttunnelID, err := uuid.FromBytes(uuidBytes)\n\tif err != nil {\n\t\treturn err\n\t}\n\tconnIndex := p.Params.ConnIndex()\n\toptions, err := p.Params.Options()\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar pogsOptions ConnectionOptions\n\terr = pogsOptions.UnmarshalCapnproto(options)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tconnDetails, callError := i.impl.RegisterConnection(p.Ctx, pogsAuth, tunnelID, connIndex, &pogsOptions)\n\n\tresp, err := p.Results.NewResult()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif callError != nil {\n\t\tif connError, err := resp.Result().NewError(); err != nil {\n\t\t\treturn err\n\t\t} else {\n\t\t\treturn MarshalError(connError, callError)\n\t\t}\n\t}\n\n\tif details, err := resp.Result().NewConnectionDetails(); err != nil {\n\t\treturn err\n\t} else {\n\t\treturn connDetails.MarshalCapnproto(details)\n\t}\n}\n\nfunc (i RegistrationServer_PogsImpl) UnregisterConnection(p proto.RegistrationServer_unregisterConnection) error {\n\treturn metrics.ObserveServerHandler(func() error {\n\t\tserver.Ack(p.Options)\n\t\ti.impl.UnregisterConnection(p.Ctx)\n\t\treturn nil // No metrics will be reported for failure as this method has no return value\n\t}, metrics.Registration, metrics.OperationUnregisterConnection)\n}\n\nfunc (i RegistrationServer_PogsImpl) UpdateLocalConfiguration(p proto.RegistrationServer_updateLocalConfiguration) error {\n\treturn metrics.ObserveServerHandler(func() error { return i.updateLocalConfiguration(p) }, metrics.Registration, metrics.OperationUpdateLocalConfiguration)\n}\n\nfunc (i RegistrationServer_PogsImpl) updateLocalConfiguration(c proto.RegistrationServer_updateLocalConfiguration) error {\n\tserver.Ack(c.Options)\n\n\tconfigBytes, err := c.Params.Config()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn i.impl.UpdateLocalConfiguration(c.Ctx, configBytes)\n}\n\ntype RegistrationServer_PogsClient struct {\n\tClient capnp.Client\n\tConn *rpc.Conn\n}\n\nfunc NewRegistrationServer_PogsClient(client capnp.Client, conn *rpc.Conn) RegistrationServer_PogsClient {\n\treturn RegistrationServer_PogsClient{\n\t\tClient: client,\n\t\tConn: conn,\n\t}\n}\n\nfunc (c RegistrationServer_PogsClient) Close() error {\n\tc.Client.Close()\n\treturn c.Conn.Close()\n}\n\nfunc (c RegistrationServer_PogsClient) RegisterConnection(ctx context.Context, auth TunnelAuth, tunnelID uuid.UUID, connIndex byte, options *ConnectionOptions) (*ConnectionDetails, error) {\n\tclient := proto.TunnelServer{Client: c.Client}\n\tpromise := client.RegisterConnection(ctx, func(p proto.RegistrationServer_registerConnection_Params) error {\n\t\ttunnelAuth, err := p.NewAuth()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err = auth.MarshalCapnproto(tunnelAuth); err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = p.SetAuth(tunnelAuth)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = p.SetTunnelId(tunnelID[:])\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tp.SetConnIndex(connIndex)\n\t\tconnectionOptions, err := p.NewOptions()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = options.MarshalCapnproto(connectionOptions)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n\tresponse, err := promise.Result().Struct()\n\tif err != nil {\n\t\treturn nil, wrapRPCError(err)\n\t}\n\tresult := response.Result()\n\tswitch result.Which() {\n\tcase proto.ConnectionResponse_result_Which_error:\n\t\tresultError, err := result.Error()\n\t\tif err != nil {\n\t\t\treturn nil, wrapRPCError(err)\n\t\t}\n\t\tcause, err := resultError.Cause()\n\t\tif err != nil {\n\t\t\treturn nil, wrapRPCError(err)\n\t\t}\n\t\terr = errors.New(cause)\n\t\tif resultError.ShouldRetry() {\n\t\t\terr = RetryErrorAfter(err, time.Duration(resultError.RetryAfter()))\n\t\t}\n\t\treturn nil, err\n\n\tcase proto.ConnectionResponse_result_Which_connectionDetails:\n\t\tconnDetails, err := result.ConnectionDetails()\n\t\tif err != nil {\n\t\t\treturn nil, wrapRPCError(err)\n\t\t}\n\t\tdetails := new(ConnectionDetails)\n\t\tif err = details.UnmarshalCapnproto(connDetails); err != nil {\n\t\t\treturn nil, wrapRPCError(err)\n\t\t}\n\t\treturn details, nil\n\t}\n\n\treturn nil, newRPCError(\"unknown result which %d\", result.Which())\n}\n\nfunc (c RegistrationServer_PogsClient) SendLocalConfiguration(ctx context.Context, config []byte) error {\n\tclient := proto.TunnelServer{Client: c.Client}\n\tpromise := client.UpdateLocalConfiguration(ctx, func(p proto.RegistrationServer_updateLocalConfiguration_Params) error {\n\t\tif err := p.SetConfig(config); err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\treturn nil\n\t})\n\n\t_, err := promise.Struct()\n\tif err != nil {\n\t\treturn wrapRPCError(err)\n\t}\n\n\treturn nil\n}\n\nfunc (c RegistrationServer_PogsClient) UnregisterConnection(ctx context.Context) error {\n\tclient := proto.TunnelServer{Client: c.Client}\n\tpromise := client.UnregisterConnection(ctx, func(p proto.RegistrationServer_unregisterConnection_Params) error {\n\t\treturn nil\n\t})\n\t_, err := promise.Struct()\n\tif err != nil {\n\t\treturn wrapRPCError(err)\n\t}\n\treturn nil\n}\n\ntype ClientInfo struct {\n\tClientID []byte `capnp:\"clientId\"` // must be a slice for capnp compatibility\n\tFeatures []string\n\tVersion string\n\tArch string\n}\n\ntype ConnectionOptions struct {\n\tClient ClientInfo\n\tOriginLocalIP net.IP `capnp:\"originLocalIp\"`\n\tReplaceExisting bool\n\tCompressionQuality uint8\n\tNumPreviousAttempts uint8\n}\n\ntype TunnelAuth struct {\n\tAccountTag string\n\tTunnelSecret []byte\n}\n\nfunc (p *ConnectionOptions) MarshalCapnproto(s proto.ConnectionOptions) error {\n\treturn pogs.Insert(proto.ConnectionOptions_TypeID, s.Struct, p)\n}\n\nfunc (p *ConnectionOptions) UnmarshalCapnproto(s proto.ConnectionOptions) error {\n\treturn pogs.Extract(p, proto.ConnectionOptions_TypeID, s.Struct)\n}\n\nfunc (a *TunnelAuth) MarshalCapnproto(s proto.TunnelAuth) error {\n\treturn pogs.Insert(proto.TunnelAuth_TypeID, s.Struct, a)\n}\n\nfunc (a *TunnelAuth) UnmarshalCapnproto(s proto.TunnelAuth) error {\n\treturn pogs.Extract(a, proto.TunnelAuth_TypeID, s.Struct)\n}\n\ntype ConnectionDetails struct {\n\tUUID uuid.UUID\n\tLocation string\n\tTunnelIsRemotelyManaged bool\n}\n\nfunc (details *ConnectionDetails) MarshalCapnproto(s proto.ConnectionDetails) error {\n\tif err := s.SetUuid(details.UUID[:]); err != nil {\n\t\treturn err\n\t}\n\tif err := s.SetLocationName(details.Location); err != nil {\n\t\treturn err\n\t}\n\ts.SetTunnelIsRemotelyManaged(details.TunnelIsRemotelyManaged)\n\n\treturn nil\n}\n\nfunc (details *ConnectionDetails) UnmarshalCapnproto(s proto.ConnectionDetails) error {\n\tuuidBytes, err := s.Uuid()\n\tif err != nil {\n\t\treturn err\n\t}\n\tdetails.UUID, err = uuid.FromBytes(uuidBytes)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdetails.Location, err = s.LocationName()\n\tif err != nil {\n\t\treturn err\n\t}\n\tdetails.TunnelIsRemotelyManaged = s.TunnelIsRemotelyManaged()\n\n\treturn err\n}\n\nfunc MarshalError(s proto.ConnectionError, err error) error {\n\tif err := s.SetCause(err.Error()); err != nil {\n\t\treturn err\n\t}\n\tif retryableErr, ok := err.(*RetryableError); ok {\n\t\ts.SetShouldRetry(true)\n\t\ts.SetRetryAfter(int64(retryableErr.Delay))\n\t}\n\n\treturn nil\n}\n" }, { "path": "tunnelrpc/pogs/registration_server_test.go", "content": "package pogs\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"net\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\tcapnp \"zombiezen.com/go/capnproto2\"\n\t\"zombiezen.com/go/capnproto2/rpc\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/proto\"\n)\n\nconst testAccountTag = \"abc123\"\n\nfunc TestMarshalConnectionOptions(t *testing.T) {\n\tclientID := uuid.New()\n\torig := ConnectionOptions{\n\t\tClient: ClientInfo{\n\t\t\tClientID: clientID[:],\n\t\t\tFeatures: []string{\"a\", \"b\"},\n\t\t\tVersion: \"1.2.3\",\n\t\t\tArch: \"macos\",\n\t\t},\n\t\tOriginLocalIP: []byte{10, 2, 3, 4},\n\t\tReplaceExisting: false,\n\t\tCompressionQuality: 1,\n\t}\n\n\t_, seg, err := capnp.NewMessage(capnp.SingleSegment(nil))\n\trequire.NoError(t, err)\n\tcapnpOpts, err := proto.NewConnectionOptions(seg)\n\trequire.NoError(t, err)\n\n\terr = orig.MarshalCapnproto(capnpOpts)\n\tassert.NoError(t, err)\n\n\tvar pogsOpts ConnectionOptions\n\terr = pogsOpts.UnmarshalCapnproto(capnpOpts)\n\tassert.NoError(t, err)\n\n\tassert.Equal(t, orig, pogsOpts)\n}\n\nfunc TestConnectionRegistrationRPC(t *testing.T) {\n\tp1, p2 := net.Pipe()\n\n\tt1, t2 := rpc.StreamTransport(p1), rpc.StreamTransport(p2)\n\n\t// Server-side\n\ttestImpl := testConnectionRegistrationServer{}\n\tsrv := RegistrationServer_ServerToClient(&testImpl)\n\tserverConn := rpc.NewConn(t1, rpc.MainInterface(srv.Client))\n\tdefer serverConn.Wait()\n\n\tctx := context.Background()\n\tclientConn := rpc.NewConn(t2)\n\tdefer clientConn.Close()\n\tclient := RegistrationServer_PogsClient{\n\t\tClient: clientConn.Bootstrap(ctx),\n\t\tConn: clientConn,\n\t}\n\tdefer client.Close()\n\n\tclientID := uuid.New()\n\toptions := &ConnectionOptions{\n\t\tClient: ClientInfo{\n\t\t\tClientID: clientID[:],\n\t\t\tFeatures: []string{\"foo\"},\n\t\t\tVersion: \"1.2.3\",\n\t\t\tArch: \"macos\",\n\t\t},\n\t\tOriginLocalIP: net.IP{10, 20, 30, 40},\n\t\tReplaceExisting: true,\n\t\tCompressionQuality: 0,\n\t}\n\n\texpectedDetails := ConnectionDetails{\n\t\tUUID: uuid.New(),\n\t\tLocation: \"TEST\",\n\t}\n\ttestImpl.details = &expectedDetails\n\ttestImpl.err = nil\n\n\tauth := TunnelAuth{\n\t\tAccountTag: testAccountTag,\n\t\tTunnelSecret: []byte{1, 2, 3, 4},\n\t}\n\n\t// success\n\ttunnelID := uuid.New()\n\tdetails, err := client.RegisterConnection(ctx, auth, tunnelID, 2, options)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedDetails, *details)\n\n\t// regular error\n\ttestImpl.details = nil\n\ttestImpl.err = errors.New(\"internal\")\n\n\t_, err = client.RegisterConnection(ctx, auth, tunnelID, 2, options)\n\tassert.EqualError(t, err, \"internal\")\n\n\t// retriable error\n\ttestImpl.details = nil\n\tconst delay = 27 * time.Second\n\ttestImpl.err = RetryErrorAfter(errors.New(\"retryable\"), delay)\n\n\t_, err = client.RegisterConnection(ctx, auth, tunnelID, 2, options)\n\tassert.EqualError(t, err, \"retryable\")\n\n\tre, ok := err.(*RetryableError)\n\tassert.True(t, ok)\n\tassert.Equal(t, delay, re.Delay)\n}\n\ntype testConnectionRegistrationServer struct {\n\tdetails *ConnectionDetails\n\terr error\n}\n\nfunc (t *testConnectionRegistrationServer) UpdateLocalConfiguration(ctx context.Context, config []byte) error {\n\t// do nothing at this point\n\treturn nil\n}\n\nfunc (t *testConnectionRegistrationServer) RegisterConnection(ctx context.Context, auth TunnelAuth, tunnelID uuid.UUID, connIndex byte, options *ConnectionOptions) (*ConnectionDetails, error) {\n\tif auth.AccountTag != testAccountTag {\n\t\tpanic(\"bad account tag: \" + auth.AccountTag)\n\t}\n\tif t.err != nil {\n\t\treturn nil, t.err\n\t}\n\tif t.details != nil {\n\t\treturn t.details, nil\n\t}\n\n\tpanic(\"either details or err mush be set\")\n}\n\nfunc (t *testConnectionRegistrationServer) UnregisterConnection(ctx context.Context) {\n\tpanic(\"unimplemented: UnregisterConnection\")\n}\n" }, { "path": "tunnelrpc/pogs/session_manager.go", "content": "package pogs\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\tcapnp \"zombiezen.com/go/capnproto2\"\n\t\"zombiezen.com/go/capnproto2/rpc\"\n\t\"zombiezen.com/go/capnproto2/server\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/metrics\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/proto\"\n)\n\ntype SessionManager interface {\n\t// RegisterUdpSession is the call provided to cloudflared to handle an incoming\n\t// capnproto RegisterUdpSession request from the edge.\n\tRegisterUdpSession(ctx context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeAfterIdleHint time.Duration, traceContext string) (*RegisterUdpSessionResponse, error)\n\t// UnregisterUdpSession is the call provided to cloudflared to handle an incoming\n\t// capnproto UnregisterUdpSession request from the edge.\n\tUnregisterUdpSession(ctx context.Context, sessionID uuid.UUID, message string) error\n}\n\ntype SessionManager_PogsImpl struct {\n\timpl SessionManager\n}\n\nfunc SessionManager_ServerToClient(s SessionManager) proto.SessionManager {\n\treturn proto.SessionManager_ServerToClient(SessionManager_PogsImpl{s})\n}\n\nfunc (i SessionManager_PogsImpl) RegisterUdpSession(p proto.SessionManager_registerUdpSession) error {\n\treturn metrics.ObserveServerHandler(func() error { return i.registerUdpSession(p) }, metrics.SessionManager, metrics.OperationRegisterUdpSession)\n}\n\nfunc (i SessionManager_PogsImpl) registerUdpSession(p proto.SessionManager_registerUdpSession) error {\n\tserver.Ack(p.Options)\n\n\tsessionIDRaw, err := p.Params.SessionId()\n\tif err != nil {\n\t\treturn err\n\t}\n\tsessionID, err := uuid.FromBytes(sessionIDRaw)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tdstIPRaw, err := p.Params.DstIp()\n\tif err != nil {\n\t\treturn err\n\t}\n\tdstIP := net.IP(dstIPRaw)\n\tif dstIP == nil {\n\t\treturn fmt.Errorf(\"%v is not valid IP\", dstIPRaw)\n\t}\n\tdstPort := p.Params.DstPort()\n\n\tcloseIdleAfterHint := time.Duration(p.Params.CloseAfterIdleHint())\n\n\ttraceContext, err := p.Params.TraceContext()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tresp, registrationErr := i.impl.RegisterUdpSession(p.Ctx, sessionID, dstIP, dstPort, closeIdleAfterHint, traceContext)\n\tif registrationErr != nil {\n\t\t// Make sure to assign a response even if one is not returned from register\n\t\tif resp == nil {\n\t\t\tresp = &RegisterUdpSessionResponse{}\n\t\t}\n\t\tresp.Err = registrationErr\n\t}\n\n\tresult, err := p.Results.NewResult()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn resp.Marshal(result)\n}\n\nfunc (i SessionManager_PogsImpl) UnregisterUdpSession(p proto.SessionManager_unregisterUdpSession) error {\n\treturn metrics.ObserveServerHandler(func() error { return i.unregisterUdpSession(p) }, metrics.SessionManager, metrics.OperationUnregisterUdpSession)\n}\n\nfunc (i SessionManager_PogsImpl) unregisterUdpSession(p proto.SessionManager_unregisterUdpSession) error {\n\tserver.Ack(p.Options)\n\n\tsessionIDRaw, err := p.Params.SessionId()\n\tif err != nil {\n\t\treturn err\n\t}\n\tsessionID, err := uuid.FromBytes(sessionIDRaw)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tmessage, err := p.Params.Message()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn i.impl.UnregisterUdpSession(p.Ctx, sessionID, message)\n}\n\ntype RegisterUdpSessionResponse struct {\n\tErr error\n\tSpans []byte // Spans in protobuf format\n}\n\nfunc (p *RegisterUdpSessionResponse) Marshal(s proto.RegisterUdpSessionResponse) error {\n\tif p.Err != nil {\n\t\treturn s.SetErr(p.Err.Error())\n\t}\n\tif err := s.SetSpans(p.Spans); err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc (p *RegisterUdpSessionResponse) Unmarshal(s proto.RegisterUdpSessionResponse) error {\n\trespErr, err := s.Err()\n\tif err != nil {\n\t\treturn err\n\t}\n\tif respErr != \"\" {\n\t\tp.Err = fmt.Errorf(\"%s\", respErr)\n\t}\n\tp.Spans, err = s.Spans()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\ntype SessionManager_PogsClient struct {\n\tClient capnp.Client\n\tConn *rpc.Conn\n}\n\nfunc NewSessionManager_PogsClient(client capnp.Client, conn *rpc.Conn) SessionManager_PogsClient {\n\treturn SessionManager_PogsClient{\n\t\tClient: client,\n\t\tConn: conn,\n\t}\n}\n\nfunc (c SessionManager_PogsClient) Close() error {\n\tc.Client.Close()\n\treturn c.Conn.Close()\n}\n\nfunc (c SessionManager_PogsClient) RegisterUdpSession(ctx context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeAfterIdleHint time.Duration, traceContext string) (*RegisterUdpSessionResponse, error) {\n\tclient := proto.SessionManager{Client: c.Client}\n\tpromise := client.RegisterUdpSession(ctx, func(p proto.SessionManager_registerUdpSession_Params) error {\n\t\tif err := p.SetSessionId(sessionID[:]); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := p.SetDstIp(dstIP); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tp.SetDstPort(dstPort)\n\t\tp.SetCloseAfterIdleHint(int64(closeAfterIdleHint))\n\t\t_ = p.SetTraceContext(traceContext)\n\t\treturn nil\n\t})\n\tresult, err := promise.Result().Struct()\n\tif err != nil {\n\t\treturn nil, wrapRPCError(err)\n\t}\n\tresponse := new(RegisterUdpSessionResponse)\n\n\terr = response.Unmarshal(result)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn response, nil\n}\n\nfunc (c SessionManager_PogsClient) UnregisterUdpSession(ctx context.Context, sessionID uuid.UUID, message string) error {\n\tclient := proto.SessionManager{Client: c.Client}\n\tpromise := client.UnregisterUdpSession(ctx, func(p proto.SessionManager_unregisterUdpSession_Params) error {\n\t\tif err := p.SetSessionId(sessionID[:]); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := p.SetMessage(message); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n\t_, err := promise.Struct()\n\treturn err\n}\n" }, { "path": "tunnelrpc/pogs/tag.go", "content": "package pogs\n\n// Tag previously was a legacy tunnel capnp struct but was deprecated. To help reduce the amount of changes imposed\n// by removing this simple struct, it was copied out of the capnp and provided here instead.\ntype Tag struct {\n\tName string\n\tValue string\n}\n" }, { "path": "tunnelrpc/proto/go.capnp", "content": "# Generate go.capnp.out with:\n# capnp compile -o- go.capnp > go.capnp.out\n# Must run inside this directory to preserve paths.\n\n@0xd12a1c51fedd6c88;\n\nannotation package(file) :Text;\n# The Go package name for the generated file.\n\nannotation import(file) :Text;\n# The Go import path that the generated file is accessible from.\n# Used to generate import statements and check if two types are in the\n# same package.\n\nannotation doc(struct, field, enum) :Text;\n# Adds a doc comment to the generated code.\n\nannotation tag(enumerant) :Text;\n# Changes the string representation of the enum in the generated code.\n\nannotation notag(enumerant) :Void;\n# Removes the string representation of the enum in the generated code.\n\nannotation customtype(field) :Text;\n# OBSOLETE, not used by code generator.\n\nannotation name(struct, field, union, enum, enumerant, interface, method, param, annotation, const, group) :Text;\n# Used to rename the element in the generated code.\n\n$package(\"capnp\");\n$import(\"zombiezen.com/go/capnproto2\");\n" }, { "path": "tunnelrpc/proto/quic_metadata_protocol.capnp", "content": "using Go = import \"go.capnp\";\n@0xb29021ef7421cc32;\n\n$Go.package(\"proto\");\n$Go.import(\"github.com/cloudflare/cloudflared/tunnelrpc\");\n\n\nstruct ConnectRequest @0xc47116a1045e4061 {\n\tdest @0 :Text;\n\ttype @1 :ConnectionType;\n\tmetadata @2 :List(Metadata);\n}\n\nenum ConnectionType @0xc52e1bac26d379c8 {\n\thttp @0;\n\twebsocket @1;\n\ttcp @2;\n}\n\nstruct Metadata @0xe1446b97bfd1cd37 {\n key @0 :Text;\n\tval @1 :Text;\n}\n\nstruct ConnectResponse @0xb1032ec91cef8727 {\n\terror @0 :Text;\n\tmetadata @1 :List(Metadata);\n}\n" }, { "path": "tunnelrpc/proto/quic_metadata_protocol.capnp.go", "content": "// Code generated by capnpc-go. DO NOT EDIT.\n\npackage proto\n\nimport (\n\tcapnp \"zombiezen.com/go/capnproto2\"\n\ttext \"zombiezen.com/go/capnproto2/encoding/text\"\n\tschemas \"zombiezen.com/go/capnproto2/schemas\"\n)\n\ntype ConnectRequest struct{ capnp.Struct }\n\n// ConnectRequest_TypeID is the unique identifier for the type ConnectRequest.\nconst ConnectRequest_TypeID = 0xc47116a1045e4061\n\nfunc NewConnectRequest(s *capnp.Segment) (ConnectRequest, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 2})\n\treturn ConnectRequest{st}, err\n}\n\nfunc NewRootConnectRequest(s *capnp.Segment) (ConnectRequest, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 2})\n\treturn ConnectRequest{st}, err\n}\n\nfunc ReadRootConnectRequest(msg *capnp.Message) (ConnectRequest, error) {\n\troot, err := msg.RootPtr()\n\treturn ConnectRequest{root.Struct()}, err\n}\n\nfunc (s ConnectRequest) String() string {\n\tstr, _ := text.Marshal(0xc47116a1045e4061, s.Struct)\n\treturn str\n}\n\nfunc (s ConnectRequest) Dest() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s ConnectRequest) HasDest() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConnectRequest) DestBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s ConnectRequest) SetDest(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\nfunc (s ConnectRequest) Type() ConnectionType {\n\treturn ConnectionType(s.Struct.Uint16(0))\n}\n\nfunc (s ConnectRequest) SetType(v ConnectionType) {\n\ts.Struct.SetUint16(0, uint16(v))\n}\n\nfunc (s ConnectRequest) Metadata() (Metadata_List, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn Metadata_List{List: p.List()}, err\n}\n\nfunc (s ConnectRequest) HasMetadata() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConnectRequest) SetMetadata(v Metadata_List) error {\n\treturn s.Struct.SetPtr(1, v.List.ToPtr())\n}\n\n// NewMetadata sets the metadata field to a newly\n// allocated Metadata_List, preferring placement in s's segment.\nfunc (s ConnectRequest) NewMetadata(n int32) (Metadata_List, error) {\n\tl, err := NewMetadata_List(s.Struct.Segment(), n)\n\tif err != nil {\n\t\treturn Metadata_List{}, err\n\t}\n\terr = s.Struct.SetPtr(1, l.List.ToPtr())\n\treturn l, err\n}\n\n// ConnectRequest_List is a list of ConnectRequest.\ntype ConnectRequest_List struct{ capnp.List }\n\n// NewConnectRequest creates a new list of ConnectRequest.\nfunc NewConnectRequest_List(s *capnp.Segment, sz int32) (ConnectRequest_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 8, PointerCount: 2}, sz)\n\treturn ConnectRequest_List{l}, err\n}\n\nfunc (s ConnectRequest_List) At(i int) ConnectRequest { return ConnectRequest{s.List.Struct(i)} }\n\nfunc (s ConnectRequest_List) Set(i int, v ConnectRequest) error { return s.List.SetStruct(i, v.Struct) }\n\nfunc (s ConnectRequest_List) String() string {\n\tstr, _ := text.MarshalList(0xc47116a1045e4061, s.List)\n\treturn str\n}\n\n// ConnectRequest_Promise is a wrapper for a ConnectRequest promised by a client call.\ntype ConnectRequest_Promise struct{ *capnp.Pipeline }\n\nfunc (p ConnectRequest_Promise) Struct() (ConnectRequest, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn ConnectRequest{s}, err\n}\n\ntype ConnectionType uint16\n\n// ConnectionType_TypeID is the unique identifier for the type ConnectionType.\nconst ConnectionType_TypeID = 0xc52e1bac26d379c8\n\n// Values of ConnectionType.\nconst (\n\tConnectionType_http ConnectionType = 0\n\tConnectionType_websocket ConnectionType = 1\n\tConnectionType_tcp ConnectionType = 2\n)\n\n// String returns the enum's constant name.\nfunc (c ConnectionType) String() string {\n\tswitch c {\n\tcase ConnectionType_http:\n\t\treturn \"http\"\n\tcase ConnectionType_websocket:\n\t\treturn \"websocket\"\n\tcase ConnectionType_tcp:\n\t\treturn \"tcp\"\n\n\tdefault:\n\t\treturn \"\"\n\t}\n}\n\n// ConnectionTypeFromString returns the enum value with a name,\n// or the zero value if there's no such value.\nfunc ConnectionTypeFromString(c string) ConnectionType {\n\tswitch c {\n\tcase \"http\":\n\t\treturn ConnectionType_http\n\tcase \"websocket\":\n\t\treturn ConnectionType_websocket\n\tcase \"tcp\":\n\t\treturn ConnectionType_tcp\n\n\tdefault:\n\t\treturn 0\n\t}\n}\n\ntype ConnectionType_List struct{ capnp.List }\n\nfunc NewConnectionType_List(s *capnp.Segment, sz int32) (ConnectionType_List, error) {\n\tl, err := capnp.NewUInt16List(s, sz)\n\treturn ConnectionType_List{l.List}, err\n}\n\nfunc (l ConnectionType_List) At(i int) ConnectionType {\n\tul := capnp.UInt16List{List: l.List}\n\treturn ConnectionType(ul.At(i))\n}\n\nfunc (l ConnectionType_List) Set(i int, v ConnectionType) {\n\tul := capnp.UInt16List{List: l.List}\n\tul.Set(i, uint16(v))\n}\n\ntype Metadata struct{ capnp.Struct }\n\n// Metadata_TypeID is the unique identifier for the type Metadata.\nconst Metadata_TypeID = 0xe1446b97bfd1cd37\n\nfunc NewMetadata(s *capnp.Segment) (Metadata, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn Metadata{st}, err\n}\n\nfunc NewRootMetadata(s *capnp.Segment) (Metadata, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn Metadata{st}, err\n}\n\nfunc ReadRootMetadata(msg *capnp.Message) (Metadata, error) {\n\troot, err := msg.RootPtr()\n\treturn Metadata{root.Struct()}, err\n}\n\nfunc (s Metadata) String() string {\n\tstr, _ := text.Marshal(0xe1446b97bfd1cd37, s.Struct)\n\treturn str\n}\n\nfunc (s Metadata) Key() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s Metadata) HasKey() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s Metadata) KeyBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s Metadata) SetKey(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\nfunc (s Metadata) Val() (string, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.Text(), err\n}\n\nfunc (s Metadata) HasVal() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s Metadata) ValBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.TextBytes(), err\n}\n\nfunc (s Metadata) SetVal(v string) error {\n\treturn s.Struct.SetText(1, v)\n}\n\n// Metadata_List is a list of Metadata.\ntype Metadata_List struct{ capnp.List }\n\n// NewMetadata creates a new list of Metadata.\nfunc NewMetadata_List(s *capnp.Segment, sz int32) (Metadata_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2}, sz)\n\treturn Metadata_List{l}, err\n}\n\nfunc (s Metadata_List) At(i int) Metadata { return Metadata{s.List.Struct(i)} }\n\nfunc (s Metadata_List) Set(i int, v Metadata) error { return s.List.SetStruct(i, v.Struct) }\n\nfunc (s Metadata_List) String() string {\n\tstr, _ := text.MarshalList(0xe1446b97bfd1cd37, s.List)\n\treturn str\n}\n\n// Metadata_Promise is a wrapper for a Metadata promised by a client call.\ntype Metadata_Promise struct{ *capnp.Pipeline }\n\nfunc (p Metadata_Promise) Struct() (Metadata, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn Metadata{s}, err\n}\n\ntype ConnectResponse struct{ capnp.Struct }\n\n// ConnectResponse_TypeID is the unique identifier for the type ConnectResponse.\nconst ConnectResponse_TypeID = 0xb1032ec91cef8727\n\nfunc NewConnectResponse(s *capnp.Segment) (ConnectResponse, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn ConnectResponse{st}, err\n}\n\nfunc NewRootConnectResponse(s *capnp.Segment) (ConnectResponse, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn ConnectResponse{st}, err\n}\n\nfunc ReadRootConnectResponse(msg *capnp.Message) (ConnectResponse, error) {\n\troot, err := msg.RootPtr()\n\treturn ConnectResponse{root.Struct()}, err\n}\n\nfunc (s ConnectResponse) String() string {\n\tstr, _ := text.Marshal(0xb1032ec91cef8727, s.Struct)\n\treturn str\n}\n\nfunc (s ConnectResponse) Error() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s ConnectResponse) HasError() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConnectResponse) ErrorBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s ConnectResponse) SetError(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\nfunc (s ConnectResponse) Metadata() (Metadata_List, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn Metadata_List{List: p.List()}, err\n}\n\nfunc (s ConnectResponse) HasMetadata() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConnectResponse) SetMetadata(v Metadata_List) error {\n\treturn s.Struct.SetPtr(1, v.List.ToPtr())\n}\n\n// NewMetadata sets the metadata field to a newly\n// allocated Metadata_List, preferring placement in s's segment.\nfunc (s ConnectResponse) NewMetadata(n int32) (Metadata_List, error) {\n\tl, err := NewMetadata_List(s.Struct.Segment(), n)\n\tif err != nil {\n\t\treturn Metadata_List{}, err\n\t}\n\terr = s.Struct.SetPtr(1, l.List.ToPtr())\n\treturn l, err\n}\n\n// ConnectResponse_List is a list of ConnectResponse.\ntype ConnectResponse_List struct{ capnp.List }\n\n// NewConnectResponse creates a new list of ConnectResponse.\nfunc NewConnectResponse_List(s *capnp.Segment, sz int32) (ConnectResponse_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2}, sz)\n\treturn ConnectResponse_List{l}, err\n}\n\nfunc (s ConnectResponse_List) At(i int) ConnectResponse { return ConnectResponse{s.List.Struct(i)} }\n\nfunc (s ConnectResponse_List) Set(i int, v ConnectResponse) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s ConnectResponse_List) String() string {\n\tstr, _ := text.MarshalList(0xb1032ec91cef8727, s.List)\n\treturn str\n}\n\n// ConnectResponse_Promise is a wrapper for a ConnectResponse promised by a client call.\ntype ConnectResponse_Promise struct{ *capnp.Pipeline }\n\nfunc (p ConnectResponse_Promise) Struct() (ConnectResponse, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn ConnectResponse{s}, err\n}\n\nconst schema_b29021ef7421cc32 = \"x\\xda\\xb4\\x911k\\x14A\\x1c\\xc5\\xdf\\x9b\\xcde-\\x0e\" +\n\t\"\\xf7\\x86KlT\\xc2\\x05Q\\x13\\xdc\\x8b\\xc9\\x09\\xa2 \\x1c\" +\n\t\"\\x18A%\\xc1\\x9b`mX7\\x83\\x09w\\xee\\xce\\xed\\xce\" +\n\t\"\\x19\\xee\\x13\\xd8\\xda\\x89\\xa5\\xbd \\x09X\\xdb((h!\" +\n\t\"\\x16\\xd6\\x0a66\\xf9\\x04\\xb22\\x0b\\x9b\\x83\\x90B\\x04\\xbb\" +\n\t\"\\xe1\\xcd\\x9by\\xbf\\xff\\xff5\\xbeu\\xc5r\\xed\\x11\\x01\\xd5\" +\n\t\"\\xa8M\\x17\\x17\\x9e\\x1e\\x9c\\xf9\\xd8\\xf6\\xf6 C\\x16+\\x9f\" +\n\t\"Z\\xf6\\xa0\\xf5l\\x1f5\\xe1\\x03\\xcb/~Q\\xbe\\xf1\\x01\" +\n\t\"\\xb9\\xb7\\x0b\\x16Q\\xf7\\xc1\\xd4\\xcbS\\xc3wP!\\x8fZ\" +\n\t\";-\\xfe`\\xf3\\x06}\\xa0y\\x8d\\xaf\\xc1\\xe2\\xc3\\xf8\\xeb\" +\n\t\"\\xf9W\\xa7\\xdb\\xef!C11\\x83\\x9d\\x9f\\xceI\\xf7\\xa8\" +\n\t\"\\xf9\\x9b\\xf7\\xc0\\xe2\\xea\\xe7/o\\x9f\\xf7W\\xbf\\x1fC\\xd0\" +\n\t\"\\x99\\x15\\xfbl\\x86\\xa5yA8\\x08;J\\x12=\\xc8\\xcc\" +\n\t\"t\\xbcd\\xb2\\xd4\\xa6K\\xc3\\xd1N\\xbc\\xf9X\\xdbh+\" +\n\t\"\\xb2\\xd1f\\xa9\\xc5\\xe9\\xa0\\x1dG&1\\xd7o\\xa6I\\xa2\" +\n\t\"c\\xbb\\xa1s\\x13\\xa4I\\xae{\\xa4:\\xe1M\\x01S\\x04\" +\n\t\"\\xe4\\xc2\\x0a\\xa0\\xceyT\\x97\\x05%9C'\\x86w\\x01\" +\n\t\"u\\xc9\\xa3\\xba-8\\xa7\\xb3,\\xcdX\\x87`\\x1d,\\xaa\" +\n\t\"\\x14\\x00<\\x09\\xf6<\\xb21\\xa1\\x07\\x9d\\xf8\\xaf\\x80\\xc3\\x91\" +\n\t\"\\xafs\\xeb\\xf8\\xea\\x87|\\xb7\\x16\\x01\\xd5\\xf5\\xa8\\xd6\\x04+\" +\n\t\"\\xbc;N[\\xf5\\xa8z\\x82Rp\\x86\\x02\\x90\\xeb\\x8ey\" +\n\t\"\\xcd\\xa3\\xda\\x16\\x0c\\xb6tn+\\xe4\\xc0\\x8e\\x8df0)\" +\n\t\"\\x03d\\xf0_'\\xd9I\\x93\\xfb\\xfe\\xd8\\x94\\x9b\\xae\\x97p\" +\n\t\"g\\x17\\xdd\\x87rv\\x03\\xa0\\x90r\\x1e\\x08\\xb6\\xad5\\xc5\" +\n\t\"\\xae~\\x98\\xa7q_\\x83\\xd6\\xb7\\xb19\\x8c\\xab\\xfdU\\xdc\" +\n\t\"\\xba\\xb6s\\xe5\\xc5\\x91J\\xe7\\x8f\\xab\\xd4\\x89\\x17=\\xaa+\" +\n\t\"\\x82~_\\x8f\\xab\\xed\\xf8O\\xa2Au\\xfe\\x13\\x00\\x00\\xff\" +\n\t\"\\xff\\x1d\\xce\\xd1\\xb0\"\n\nfunc init() {\n\tschemas.Register(schema_b29021ef7421cc32,\n\t\t0xb1032ec91cef8727,\n\t\t0xc47116a1045e4061,\n\t\t0xc52e1bac26d379c8,\n\t\t0xe1446b97bfd1cd37)\n}\n" }, { "path": "tunnelrpc/proto/tunnelrpc.capnp", "content": "using Go = import \"go.capnp\";\n@0xdb8274f9144abc7e;\n$Go.package(\"proto\");\n$Go.import(\"github.com/cloudflare/cloudflared/tunnelrpc\");\n\n# === DEPRECATED Legacy Tunnel Authentication and Registration methods/servers ===\n# \n# These structs and interfaces are no longer used but it is important to keep\n# them around to make sure backwards compatibility within the rpc protocol is\n# maintained.\n\nstruct Authentication @0xc082ef6e0d42ed1d {\n # DEPRECATED: Legacy tunnel authentication mechanism\n key @0 :Text;\n email @1 :Text;\n originCAKey @2 :Text;\n}\n\nstruct TunnelRegistration @0xf41a0f001ad49e46 {\n # DEPRECATED: Legacy tunnel authentication mechanism\n err @0 :Text;\n # the url to access the tunnel\n url @1 :Text;\n # Used to inform the client of actions taken.\n logLines @2 :List(Text);\n # In case of error, whether the client should attempt to reconnect.\n permanentFailure @3 :Bool;\n # Displayed to user\n tunnelID @4 :Text;\n # How long should this connection wait to retry in seconds, if the error wasn't permanent\n retryAfterSeconds @5 :UInt16;\n # A unique ID used to reconnect this tunnel.\n eventDigest @6 :Data;\n # A unique ID used to prove this tunnel was previously connected to a given metal.\n connDigest @7 :Data;\n}\n\nstruct RegistrationOptions @0xc793e50592935b4a {\n # DEPRECATED: Legacy tunnel authentication mechanism\n \n # The tunnel client's unique identifier, used to verify a reconnection.\n clientId @0 :Text;\n # Information about the running binary.\n version @1 :Text;\n os @2 :Text;\n # What to do with existing tunnels for the given hostname.\n existingTunnelPolicy @3 :ExistingTunnelPolicy;\n # If using the balancing policy, identifies the LB pool to use.\n poolName @4 :Text;\n # Client-defined tags to associate with the tunnel\n tags @5 :List(Tag);\n # A unique identifier for a high-availability connection made by a single client.\n connectionId @6 :UInt8;\n # origin LAN IP\n originLocalIp @7 :Text;\n # whether Argo Tunnel client has been autoupdated\n isAutoupdated @8 :Bool;\n # whether Argo Tunnel client is run from a terminal\n runFromTerminal @9 :Bool;\n # cross stream compression setting, 0 - off, 3 - high\n compressionQuality @10 :UInt64;\n uuid @11 :Text;\n # number of previous attempts to send RegisterTunnel/ReconnectTunnel\n numPreviousAttempts @12 :UInt8;\n # Set of features this cloudflared knows it supports\n features @13 :List(Text);\n}\n\nenum ExistingTunnelPolicy @0x84cb9536a2cf6d3c {\n # DEPRECATED: Legacy tunnel registration mechanism\n\n ignore @0;\n disconnect @1;\n balance @2;\n}\n\nstruct ServerInfo @0xf2c68e2547ec3866 {\n # DEPRECATED: Legacy tunnel registration mechanism\n\n locationName @0 :Text;\n}\n\nstruct AuthenticateResponse @0x82c325a07ad22a65 {\n # DEPRECATED: Legacy tunnel registration mechanism\n\n permanentErr @0 :Text;\n retryableErr @1 :Text;\n jwt @2 :Data;\n hoursUntilRefresh @3 :UInt8;\n}\n\ninterface TunnelServer @0xea58385c65416035 extends (RegistrationServer) {\n # DEPRECATED: Legacy tunnel authentication server\n\n registerTunnel @0 (originCert :Data, hostname :Text, options :RegistrationOptions) -> (result :TunnelRegistration);\n getServerInfo @1 () -> (result :ServerInfo);\n unregisterTunnel @2 (gracePeriodNanoSec :Int64) -> ();\n # obsoleteDeclarativeTunnelConnect RPC deprecated in TUN-3019\n obsoleteDeclarativeTunnelConnect @3 () -> ();\n authenticate @4 (originCert :Data, hostname :Text, options :RegistrationOptions) -> (result :AuthenticateResponse);\n reconnectTunnel @5 (jwt :Data, eventDigest :Data, connDigest :Data, hostname :Text, options :RegistrationOptions) -> (result :TunnelRegistration);\n}\n\nstruct Tag @0xcbd96442ae3bb01a {\n # DEPRECATED: Legacy tunnel additional HTTP header mechanism \n\n name @0 :Text;\n value @1 :Text;\n}\n\n# === End DEPRECATED Objects ===\n\nstruct ClientInfo @0x83ced0145b2f114b {\n # The tunnel client's unique identifier, used to verify a reconnection.\n clientId @0 :Data;\n # Set of features this cloudflared knows it supports\n features @1 :List(Text);\n # Information about the running binary.\n version @2 :Text;\n # Client OS and CPU info\n arch @3 :Text;\n}\n\nstruct ConnectionOptions @0xb4bf9861fe035d04 {\n # client details\n client @0 :ClientInfo;\n # origin LAN IP\n originLocalIp @1 :Data;\n # What to do if connection already exists\n replaceExisting @2 :Bool;\n # cross stream compression setting, 0 - off, 3 - high\n compressionQuality @3 :UInt8;\n # number of previous attempts to send RegisterConnection\n numPreviousAttempts @4 :UInt8;\n}\n\nstruct ConnectionResponse @0xdbaa9d03d52b62dc {\n result :union {\n error @0 :ConnectionError;\n connectionDetails @1 :ConnectionDetails;\n }\n}\n\nstruct ConnectionError @0xf5f383d2785edb86 {\n cause @0 :Text;\n # How long should this connection wait to retry in ns\n retryAfter @1 :Int64;\n shouldRetry @2 :Bool;\n}\n\nstruct ConnectionDetails @0xb5f39f082b9ac18a {\n # identifier of this connection\n uuid @0 :Data;\n # airport code of the colo where this connection landed\n locationName @1 :Text;\n # tells if the tunnel is remotely managed\n tunnelIsRemotelyManaged @2: Bool;\n}\n\nstruct TunnelAuth @0x9496331ab9cd463f {\n accountTag @0 :Text;\n tunnelSecret @1 :Data;\n}\n\ninterface RegistrationServer @0xf71695ec7fe85497 {\n registerConnection @0 (auth :TunnelAuth, tunnelId :Data, connIndex :UInt8, options :ConnectionOptions) -> (result :ConnectionResponse);\n unregisterConnection @1 () -> ();\n updateLocalConfiguration @2 (config :Data) -> ();\n}\n\nstruct RegisterUdpSessionResponse @0xab6d5210c1f26687 {\n err @0 :Text;\n spans @1 :Data;\n}\n\ninterface SessionManager @0x839445a59fb01686 {\n # Let the edge decide closeAfterIdle to make sure cloudflared doesn't close session before the edge closes its side\n registerUdpSession @0 (sessionId :Data, dstIp :Data, dstPort :UInt16, closeAfterIdleHint :Int64, traceContext :Text = \"\") -> (result :RegisterUdpSessionResponse);\n unregisterUdpSession @1 (sessionId :Data, message :Text) -> ();\n}\n\nstruct UpdateConfigurationResponse @0xdb58ff694ba05cf9 {\n # Latest configuration that was applied successfully. The err field might be populated at the same time to indicate\n # that cloudflared is using an older configuration because the latest cannot be applied\n latestAppliedVersion @0 :Int32;\n # Any error encountered when trying to apply the last configuration\n err @1 :Text;\n}\n\n# ConfigurationManager defines RPC to manage cloudflared configuration remotely\ninterface ConfigurationManager @0xb48edfbdaa25db04 {\n updateConfiguration @0 (version :Int32, config :Data) -> (result: UpdateConfigurationResponse);\n}\n\ninterface CloudflaredServer @0xf548cef9dea2a4a1 extends(SessionManager, ConfigurationManager) {}" }, { "path": "tunnelrpc/proto/tunnelrpc.capnp.go", "content": "// Code generated by capnpc-go. DO NOT EDIT.\n\npackage proto\n\nimport (\n\tstrconv \"strconv\"\n\n\tcontext \"golang.org/x/net/context\"\n\tcapnp \"zombiezen.com/go/capnproto2\"\n\ttext \"zombiezen.com/go/capnproto2/encoding/text\"\n\tschemas \"zombiezen.com/go/capnproto2/schemas\"\n\tserver \"zombiezen.com/go/capnproto2/server\"\n)\n\ntype Authentication struct{ capnp.Struct }\n\n// Authentication_TypeID is the unique identifier for the type Authentication.\nconst Authentication_TypeID = 0xc082ef6e0d42ed1d\n\nfunc NewAuthentication(s *capnp.Segment) (Authentication, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 3})\n\treturn Authentication{st}, err\n}\n\nfunc NewRootAuthentication(s *capnp.Segment) (Authentication, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 3})\n\treturn Authentication{st}, err\n}\n\nfunc ReadRootAuthentication(msg *capnp.Message) (Authentication, error) {\n\troot, err := msg.RootPtr()\n\treturn Authentication{root.Struct()}, err\n}\n\nfunc (s Authentication) String() string {\n\tstr, _ := text.Marshal(0xc082ef6e0d42ed1d, s.Struct)\n\treturn str\n}\n\nfunc (s Authentication) Key() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s Authentication) HasKey() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s Authentication) KeyBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s Authentication) SetKey(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\nfunc (s Authentication) Email() (string, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.Text(), err\n}\n\nfunc (s Authentication) HasEmail() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s Authentication) EmailBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.TextBytes(), err\n}\n\nfunc (s Authentication) SetEmail(v string) error {\n\treturn s.Struct.SetText(1, v)\n}\n\nfunc (s Authentication) OriginCAKey() (string, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.Text(), err\n}\n\nfunc (s Authentication) HasOriginCAKey() bool {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s Authentication) OriginCAKeyBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.TextBytes(), err\n}\n\nfunc (s Authentication) SetOriginCAKey(v string) error {\n\treturn s.Struct.SetText(2, v)\n}\n\n// Authentication_List is a list of Authentication.\ntype Authentication_List struct{ capnp.List }\n\n// NewAuthentication creates a new list of Authentication.\nfunc NewAuthentication_List(s *capnp.Segment, sz int32) (Authentication_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 3}, sz)\n\treturn Authentication_List{l}, err\n}\n\nfunc (s Authentication_List) At(i int) Authentication { return Authentication{s.List.Struct(i)} }\n\nfunc (s Authentication_List) Set(i int, v Authentication) error { return s.List.SetStruct(i, v.Struct) }\n\nfunc (s Authentication_List) String() string {\n\tstr, _ := text.MarshalList(0xc082ef6e0d42ed1d, s.List)\n\treturn str\n}\n\n// Authentication_Promise is a wrapper for a Authentication promised by a client call.\ntype Authentication_Promise struct{ *capnp.Pipeline }\n\nfunc (p Authentication_Promise) Struct() (Authentication, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn Authentication{s}, err\n}\n\ntype TunnelRegistration struct{ capnp.Struct }\n\n// TunnelRegistration_TypeID is the unique identifier for the type TunnelRegistration.\nconst TunnelRegistration_TypeID = 0xf41a0f001ad49e46\n\nfunc NewTunnelRegistration(s *capnp.Segment) (TunnelRegistration, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 6})\n\treturn TunnelRegistration{st}, err\n}\n\nfunc NewRootTunnelRegistration(s *capnp.Segment) (TunnelRegistration, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 6})\n\treturn TunnelRegistration{st}, err\n}\n\nfunc ReadRootTunnelRegistration(msg *capnp.Message) (TunnelRegistration, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelRegistration{root.Struct()}, err\n}\n\nfunc (s TunnelRegistration) String() string {\n\tstr, _ := text.Marshal(0xf41a0f001ad49e46, s.Struct)\n\treturn str\n}\n\nfunc (s TunnelRegistration) Err() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s TunnelRegistration) HasErr() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelRegistration) ErrBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s TunnelRegistration) SetErr(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\nfunc (s TunnelRegistration) Url() (string, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.Text(), err\n}\n\nfunc (s TunnelRegistration) HasUrl() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelRegistration) UrlBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.TextBytes(), err\n}\n\nfunc (s TunnelRegistration) SetUrl(v string) error {\n\treturn s.Struct.SetText(1, v)\n}\n\nfunc (s TunnelRegistration) LogLines() (capnp.TextList, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn capnp.TextList{List: p.List()}, err\n}\n\nfunc (s TunnelRegistration) HasLogLines() bool {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelRegistration) SetLogLines(v capnp.TextList) error {\n\treturn s.Struct.SetPtr(2, v.List.ToPtr())\n}\n\n// NewLogLines sets the logLines field to a newly\n// allocated capnp.TextList, preferring placement in s's segment.\nfunc (s TunnelRegistration) NewLogLines(n int32) (capnp.TextList, error) {\n\tl, err := capnp.NewTextList(s.Struct.Segment(), n)\n\tif err != nil {\n\t\treturn capnp.TextList{}, err\n\t}\n\terr = s.Struct.SetPtr(2, l.List.ToPtr())\n\treturn l, err\n}\n\nfunc (s TunnelRegistration) PermanentFailure() bool {\n\treturn s.Struct.Bit(0)\n}\n\nfunc (s TunnelRegistration) SetPermanentFailure(v bool) {\n\ts.Struct.SetBit(0, v)\n}\n\nfunc (s TunnelRegistration) TunnelID() (string, error) {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.Text(), err\n}\n\nfunc (s TunnelRegistration) HasTunnelID() bool {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelRegistration) TunnelIDBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.TextBytes(), err\n}\n\nfunc (s TunnelRegistration) SetTunnelID(v string) error {\n\treturn s.Struct.SetText(3, v)\n}\n\nfunc (s TunnelRegistration) RetryAfterSeconds() uint16 {\n\treturn s.Struct.Uint16(2)\n}\n\nfunc (s TunnelRegistration) SetRetryAfterSeconds(v uint16) {\n\ts.Struct.SetUint16(2, v)\n}\n\nfunc (s TunnelRegistration) EventDigest() ([]byte, error) {\n\tp, err := s.Struct.Ptr(4)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s TunnelRegistration) HasEventDigest() bool {\n\tp, err := s.Struct.Ptr(4)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelRegistration) SetEventDigest(v []byte) error {\n\treturn s.Struct.SetData(4, v)\n}\n\nfunc (s TunnelRegistration) ConnDigest() ([]byte, error) {\n\tp, err := s.Struct.Ptr(5)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s TunnelRegistration) HasConnDigest() bool {\n\tp, err := s.Struct.Ptr(5)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelRegistration) SetConnDigest(v []byte) error {\n\treturn s.Struct.SetData(5, v)\n}\n\n// TunnelRegistration_List is a list of TunnelRegistration.\ntype TunnelRegistration_List struct{ capnp.List }\n\n// NewTunnelRegistration creates a new list of TunnelRegistration.\nfunc NewTunnelRegistration_List(s *capnp.Segment, sz int32) (TunnelRegistration_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 8, PointerCount: 6}, sz)\n\treturn TunnelRegistration_List{l}, err\n}\n\nfunc (s TunnelRegistration_List) At(i int) TunnelRegistration {\n\treturn TunnelRegistration{s.List.Struct(i)}\n}\n\nfunc (s TunnelRegistration_List) Set(i int, v TunnelRegistration) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelRegistration_List) String() string {\n\tstr, _ := text.MarshalList(0xf41a0f001ad49e46, s.List)\n\treturn str\n}\n\n// TunnelRegistration_Promise is a wrapper for a TunnelRegistration promised by a client call.\ntype TunnelRegistration_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelRegistration_Promise) Struct() (TunnelRegistration, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelRegistration{s}, err\n}\n\ntype RegistrationOptions struct{ capnp.Struct }\n\n// RegistrationOptions_TypeID is the unique identifier for the type RegistrationOptions.\nconst RegistrationOptions_TypeID = 0xc793e50592935b4a\n\nfunc NewRegistrationOptions(s *capnp.Segment) (RegistrationOptions, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 16, PointerCount: 8})\n\treturn RegistrationOptions{st}, err\n}\n\nfunc NewRootRegistrationOptions(s *capnp.Segment) (RegistrationOptions, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 16, PointerCount: 8})\n\treturn RegistrationOptions{st}, err\n}\n\nfunc ReadRootRegistrationOptions(msg *capnp.Message) (RegistrationOptions, error) {\n\troot, err := msg.RootPtr()\n\treturn RegistrationOptions{root.Struct()}, err\n}\n\nfunc (s RegistrationOptions) String() string {\n\tstr, _ := text.Marshal(0xc793e50592935b4a, s.Struct)\n\treturn str\n}\n\nfunc (s RegistrationOptions) ClientId() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s RegistrationOptions) HasClientId() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationOptions) ClientIdBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s RegistrationOptions) SetClientId(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\nfunc (s RegistrationOptions) Version() (string, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.Text(), err\n}\n\nfunc (s RegistrationOptions) HasVersion() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationOptions) VersionBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.TextBytes(), err\n}\n\nfunc (s RegistrationOptions) SetVersion(v string) error {\n\treturn s.Struct.SetText(1, v)\n}\n\nfunc (s RegistrationOptions) Os() (string, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.Text(), err\n}\n\nfunc (s RegistrationOptions) HasOs() bool {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationOptions) OsBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.TextBytes(), err\n}\n\nfunc (s RegistrationOptions) SetOs(v string) error {\n\treturn s.Struct.SetText(2, v)\n}\n\nfunc (s RegistrationOptions) ExistingTunnelPolicy() ExistingTunnelPolicy {\n\treturn ExistingTunnelPolicy(s.Struct.Uint16(0))\n}\n\nfunc (s RegistrationOptions) SetExistingTunnelPolicy(v ExistingTunnelPolicy) {\n\ts.Struct.SetUint16(0, uint16(v))\n}\n\nfunc (s RegistrationOptions) PoolName() (string, error) {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.Text(), err\n}\n\nfunc (s RegistrationOptions) HasPoolName() bool {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationOptions) PoolNameBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.TextBytes(), err\n}\n\nfunc (s RegistrationOptions) SetPoolName(v string) error {\n\treturn s.Struct.SetText(3, v)\n}\n\nfunc (s RegistrationOptions) Tags() (Tag_List, error) {\n\tp, err := s.Struct.Ptr(4)\n\treturn Tag_List{List: p.List()}, err\n}\n\nfunc (s RegistrationOptions) HasTags() bool {\n\tp, err := s.Struct.Ptr(4)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationOptions) SetTags(v Tag_List) error {\n\treturn s.Struct.SetPtr(4, v.List.ToPtr())\n}\n\n// NewTags sets the tags field to a newly\n// allocated Tag_List, preferring placement in s's segment.\nfunc (s RegistrationOptions) NewTags(n int32) (Tag_List, error) {\n\tl, err := NewTag_List(s.Struct.Segment(), n)\n\tif err != nil {\n\t\treturn Tag_List{}, err\n\t}\n\terr = s.Struct.SetPtr(4, l.List.ToPtr())\n\treturn l, err\n}\n\nfunc (s RegistrationOptions) ConnectionId() uint8 {\n\treturn s.Struct.Uint8(2)\n}\n\nfunc (s RegistrationOptions) SetConnectionId(v uint8) {\n\ts.Struct.SetUint8(2, v)\n}\n\nfunc (s RegistrationOptions) OriginLocalIp() (string, error) {\n\tp, err := s.Struct.Ptr(5)\n\treturn p.Text(), err\n}\n\nfunc (s RegistrationOptions) HasOriginLocalIp() bool {\n\tp, err := s.Struct.Ptr(5)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationOptions) OriginLocalIpBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(5)\n\treturn p.TextBytes(), err\n}\n\nfunc (s RegistrationOptions) SetOriginLocalIp(v string) error {\n\treturn s.Struct.SetText(5, v)\n}\n\nfunc (s RegistrationOptions) IsAutoupdated() bool {\n\treturn s.Struct.Bit(24)\n}\n\nfunc (s RegistrationOptions) SetIsAutoupdated(v bool) {\n\ts.Struct.SetBit(24, v)\n}\n\nfunc (s RegistrationOptions) RunFromTerminal() bool {\n\treturn s.Struct.Bit(25)\n}\n\nfunc (s RegistrationOptions) SetRunFromTerminal(v bool) {\n\ts.Struct.SetBit(25, v)\n}\n\nfunc (s RegistrationOptions) CompressionQuality() uint64 {\n\treturn s.Struct.Uint64(8)\n}\n\nfunc (s RegistrationOptions) SetCompressionQuality(v uint64) {\n\ts.Struct.SetUint64(8, v)\n}\n\nfunc (s RegistrationOptions) Uuid() (string, error) {\n\tp, err := s.Struct.Ptr(6)\n\treturn p.Text(), err\n}\n\nfunc (s RegistrationOptions) HasUuid() bool {\n\tp, err := s.Struct.Ptr(6)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationOptions) UuidBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(6)\n\treturn p.TextBytes(), err\n}\n\nfunc (s RegistrationOptions) SetUuid(v string) error {\n\treturn s.Struct.SetText(6, v)\n}\n\nfunc (s RegistrationOptions) NumPreviousAttempts() uint8 {\n\treturn s.Struct.Uint8(4)\n}\n\nfunc (s RegistrationOptions) SetNumPreviousAttempts(v uint8) {\n\ts.Struct.SetUint8(4, v)\n}\n\nfunc (s RegistrationOptions) Features() (capnp.TextList, error) {\n\tp, err := s.Struct.Ptr(7)\n\treturn capnp.TextList{List: p.List()}, err\n}\n\nfunc (s RegistrationOptions) HasFeatures() bool {\n\tp, err := s.Struct.Ptr(7)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationOptions) SetFeatures(v capnp.TextList) error {\n\treturn s.Struct.SetPtr(7, v.List.ToPtr())\n}\n\n// NewFeatures sets the features field to a newly\n// allocated capnp.TextList, preferring placement in s's segment.\nfunc (s RegistrationOptions) NewFeatures(n int32) (capnp.TextList, error) {\n\tl, err := capnp.NewTextList(s.Struct.Segment(), n)\n\tif err != nil {\n\t\treturn capnp.TextList{}, err\n\t}\n\terr = s.Struct.SetPtr(7, l.List.ToPtr())\n\treturn l, err\n}\n\n// RegistrationOptions_List is a list of RegistrationOptions.\ntype RegistrationOptions_List struct{ capnp.List }\n\n// NewRegistrationOptions creates a new list of RegistrationOptions.\nfunc NewRegistrationOptions_List(s *capnp.Segment, sz int32) (RegistrationOptions_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 16, PointerCount: 8}, sz)\n\treturn RegistrationOptions_List{l}, err\n}\n\nfunc (s RegistrationOptions_List) At(i int) RegistrationOptions {\n\treturn RegistrationOptions{s.List.Struct(i)}\n}\n\nfunc (s RegistrationOptions_List) Set(i int, v RegistrationOptions) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s RegistrationOptions_List) String() string {\n\tstr, _ := text.MarshalList(0xc793e50592935b4a, s.List)\n\treturn str\n}\n\n// RegistrationOptions_Promise is a wrapper for a RegistrationOptions promised by a client call.\ntype RegistrationOptions_Promise struct{ *capnp.Pipeline }\n\nfunc (p RegistrationOptions_Promise) Struct() (RegistrationOptions, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn RegistrationOptions{s}, err\n}\n\ntype ExistingTunnelPolicy uint16\n\n// ExistingTunnelPolicy_TypeID is the unique identifier for the type ExistingTunnelPolicy.\nconst ExistingTunnelPolicy_TypeID = 0x84cb9536a2cf6d3c\n\n// Values of ExistingTunnelPolicy.\nconst (\n\tExistingTunnelPolicy_ignore ExistingTunnelPolicy = 0\n\tExistingTunnelPolicy_disconnect ExistingTunnelPolicy = 1\n\tExistingTunnelPolicy_balance ExistingTunnelPolicy = 2\n)\n\n// String returns the enum's constant name.\nfunc (c ExistingTunnelPolicy) String() string {\n\tswitch c {\n\tcase ExistingTunnelPolicy_ignore:\n\t\treturn \"ignore\"\n\tcase ExistingTunnelPolicy_disconnect:\n\t\treturn \"disconnect\"\n\tcase ExistingTunnelPolicy_balance:\n\t\treturn \"balance\"\n\n\tdefault:\n\t\treturn \"\"\n\t}\n}\n\n// ExistingTunnelPolicyFromString returns the enum value with a name,\n// or the zero value if there's no such value.\nfunc ExistingTunnelPolicyFromString(c string) ExistingTunnelPolicy {\n\tswitch c {\n\tcase \"ignore\":\n\t\treturn ExistingTunnelPolicy_ignore\n\tcase \"disconnect\":\n\t\treturn ExistingTunnelPolicy_disconnect\n\tcase \"balance\":\n\t\treturn ExistingTunnelPolicy_balance\n\n\tdefault:\n\t\treturn 0\n\t}\n}\n\ntype ExistingTunnelPolicy_List struct{ capnp.List }\n\nfunc NewExistingTunnelPolicy_List(s *capnp.Segment, sz int32) (ExistingTunnelPolicy_List, error) {\n\tl, err := capnp.NewUInt16List(s, sz)\n\treturn ExistingTunnelPolicy_List{l.List}, err\n}\n\nfunc (l ExistingTunnelPolicy_List) At(i int) ExistingTunnelPolicy {\n\tul := capnp.UInt16List{List: l.List}\n\treturn ExistingTunnelPolicy(ul.At(i))\n}\n\nfunc (l ExistingTunnelPolicy_List) Set(i int, v ExistingTunnelPolicy) {\n\tul := capnp.UInt16List{List: l.List}\n\tul.Set(i, uint16(v))\n}\n\ntype ServerInfo struct{ capnp.Struct }\n\n// ServerInfo_TypeID is the unique identifier for the type ServerInfo.\nconst ServerInfo_TypeID = 0xf2c68e2547ec3866\n\nfunc NewServerInfo(s *capnp.Segment) (ServerInfo, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn ServerInfo{st}, err\n}\n\nfunc NewRootServerInfo(s *capnp.Segment) (ServerInfo, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn ServerInfo{st}, err\n}\n\nfunc ReadRootServerInfo(msg *capnp.Message) (ServerInfo, error) {\n\troot, err := msg.RootPtr()\n\treturn ServerInfo{root.Struct()}, err\n}\n\nfunc (s ServerInfo) String() string {\n\tstr, _ := text.Marshal(0xf2c68e2547ec3866, s.Struct)\n\treturn str\n}\n\nfunc (s ServerInfo) LocationName() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s ServerInfo) HasLocationName() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ServerInfo) LocationNameBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s ServerInfo) SetLocationName(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\n// ServerInfo_List is a list of ServerInfo.\ntype ServerInfo_List struct{ capnp.List }\n\n// NewServerInfo creates a new list of ServerInfo.\nfunc NewServerInfo_List(s *capnp.Segment, sz int32) (ServerInfo_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1}, sz)\n\treturn ServerInfo_List{l}, err\n}\n\nfunc (s ServerInfo_List) At(i int) ServerInfo { return ServerInfo{s.List.Struct(i)} }\n\nfunc (s ServerInfo_List) Set(i int, v ServerInfo) error { return s.List.SetStruct(i, v.Struct) }\n\nfunc (s ServerInfo_List) String() string {\n\tstr, _ := text.MarshalList(0xf2c68e2547ec3866, s.List)\n\treturn str\n}\n\n// ServerInfo_Promise is a wrapper for a ServerInfo promised by a client call.\ntype ServerInfo_Promise struct{ *capnp.Pipeline }\n\nfunc (p ServerInfo_Promise) Struct() (ServerInfo, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn ServerInfo{s}, err\n}\n\ntype AuthenticateResponse struct{ capnp.Struct }\n\n// AuthenticateResponse_TypeID is the unique identifier for the type AuthenticateResponse.\nconst AuthenticateResponse_TypeID = 0x82c325a07ad22a65\n\nfunc NewAuthenticateResponse(s *capnp.Segment) (AuthenticateResponse, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 3})\n\treturn AuthenticateResponse{st}, err\n}\n\nfunc NewRootAuthenticateResponse(s *capnp.Segment) (AuthenticateResponse, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 3})\n\treturn AuthenticateResponse{st}, err\n}\n\nfunc ReadRootAuthenticateResponse(msg *capnp.Message) (AuthenticateResponse, error) {\n\troot, err := msg.RootPtr()\n\treturn AuthenticateResponse{root.Struct()}, err\n}\n\nfunc (s AuthenticateResponse) String() string {\n\tstr, _ := text.Marshal(0x82c325a07ad22a65, s.Struct)\n\treturn str\n}\n\nfunc (s AuthenticateResponse) PermanentErr() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s AuthenticateResponse) HasPermanentErr() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s AuthenticateResponse) PermanentErrBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s AuthenticateResponse) SetPermanentErr(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\nfunc (s AuthenticateResponse) RetryableErr() (string, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.Text(), err\n}\n\nfunc (s AuthenticateResponse) HasRetryableErr() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s AuthenticateResponse) RetryableErrBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.TextBytes(), err\n}\n\nfunc (s AuthenticateResponse) SetRetryableErr(v string) error {\n\treturn s.Struct.SetText(1, v)\n}\n\nfunc (s AuthenticateResponse) Jwt() ([]byte, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s AuthenticateResponse) HasJwt() bool {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s AuthenticateResponse) SetJwt(v []byte) error {\n\treturn s.Struct.SetData(2, v)\n}\n\nfunc (s AuthenticateResponse) HoursUntilRefresh() uint8 {\n\treturn s.Struct.Uint8(0)\n}\n\nfunc (s AuthenticateResponse) SetHoursUntilRefresh(v uint8) {\n\ts.Struct.SetUint8(0, v)\n}\n\n// AuthenticateResponse_List is a list of AuthenticateResponse.\ntype AuthenticateResponse_List struct{ capnp.List }\n\n// NewAuthenticateResponse creates a new list of AuthenticateResponse.\nfunc NewAuthenticateResponse_List(s *capnp.Segment, sz int32) (AuthenticateResponse_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 8, PointerCount: 3}, sz)\n\treturn AuthenticateResponse_List{l}, err\n}\n\nfunc (s AuthenticateResponse_List) At(i int) AuthenticateResponse {\n\treturn AuthenticateResponse{s.List.Struct(i)}\n}\n\nfunc (s AuthenticateResponse_List) Set(i int, v AuthenticateResponse) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s AuthenticateResponse_List) String() string {\n\tstr, _ := text.MarshalList(0x82c325a07ad22a65, s.List)\n\treturn str\n}\n\n// AuthenticateResponse_Promise is a wrapper for a AuthenticateResponse promised by a client call.\ntype AuthenticateResponse_Promise struct{ *capnp.Pipeline }\n\nfunc (p AuthenticateResponse_Promise) Struct() (AuthenticateResponse, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn AuthenticateResponse{s}, err\n}\n\ntype TunnelServer struct{ Client capnp.Client }\n\n// TunnelServer_TypeID is the unique identifier for the type TunnelServer.\nconst TunnelServer_TypeID = 0xea58385c65416035\n\nfunc (c TunnelServer) RegisterTunnel(ctx context.Context, params func(TunnelServer_registerTunnel_Params) error, opts ...capnp.CallOption) TunnelServer_registerTunnel_Results_Promise {\n\tif c.Client == nil {\n\t\treturn TunnelServer_registerTunnel_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"registerTunnel\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 0, PointerCount: 3}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(TunnelServer_registerTunnel_Params{Struct: s}) }\n\t}\n\treturn TunnelServer_registerTunnel_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c TunnelServer) GetServerInfo(ctx context.Context, params func(TunnelServer_getServerInfo_Params) error, opts ...capnp.CallOption) TunnelServer_getServerInfo_Results_Promise {\n\tif c.Client == nil {\n\t\treturn TunnelServer_getServerInfo_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 1,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"getServerInfo\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 0, PointerCount: 0}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(TunnelServer_getServerInfo_Params{Struct: s}) }\n\t}\n\treturn TunnelServer_getServerInfo_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c TunnelServer) UnregisterTunnel(ctx context.Context, params func(TunnelServer_unregisterTunnel_Params) error, opts ...capnp.CallOption) TunnelServer_unregisterTunnel_Results_Promise {\n\tif c.Client == nil {\n\t\treturn TunnelServer_unregisterTunnel_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 2,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"unregisterTunnel\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 8, PointerCount: 0}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(TunnelServer_unregisterTunnel_Params{Struct: s}) }\n\t}\n\treturn TunnelServer_unregisterTunnel_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c TunnelServer) ObsoleteDeclarativeTunnelConnect(ctx context.Context, params func(TunnelServer_obsoleteDeclarativeTunnelConnect_Params) error, opts ...capnp.CallOption) TunnelServer_obsoleteDeclarativeTunnelConnect_Results_Promise {\n\tif c.Client == nil {\n\t\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 3,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"obsoleteDeclarativeTunnelConnect\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 0, PointerCount: 0}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error {\n\t\t\treturn params(TunnelServer_obsoleteDeclarativeTunnelConnect_Params{Struct: s})\n\t\t}\n\t}\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c TunnelServer) Authenticate(ctx context.Context, params func(TunnelServer_authenticate_Params) error, opts ...capnp.CallOption) TunnelServer_authenticate_Results_Promise {\n\tif c.Client == nil {\n\t\treturn TunnelServer_authenticate_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 4,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"authenticate\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 0, PointerCount: 3}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(TunnelServer_authenticate_Params{Struct: s}) }\n\t}\n\treturn TunnelServer_authenticate_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c TunnelServer) ReconnectTunnel(ctx context.Context, params func(TunnelServer_reconnectTunnel_Params) error, opts ...capnp.CallOption) TunnelServer_reconnectTunnel_Results_Promise {\n\tif c.Client == nil {\n\t\treturn TunnelServer_reconnectTunnel_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 5,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"reconnectTunnel\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 0, PointerCount: 5}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(TunnelServer_reconnectTunnel_Params{Struct: s}) }\n\t}\n\treturn TunnelServer_reconnectTunnel_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c TunnelServer) RegisterConnection(ctx context.Context, params func(RegistrationServer_registerConnection_Params) error, opts ...capnp.CallOption) RegistrationServer_registerConnection_Results_Promise {\n\tif c.Client == nil {\n\t\treturn RegistrationServer_registerConnection_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"registerConnection\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 8, PointerCount: 3}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(RegistrationServer_registerConnection_Params{Struct: s}) }\n\t}\n\treturn RegistrationServer_registerConnection_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c TunnelServer) UnregisterConnection(ctx context.Context, params func(RegistrationServer_unregisterConnection_Params) error, opts ...capnp.CallOption) RegistrationServer_unregisterConnection_Results_Promise {\n\tif c.Client == nil {\n\t\treturn RegistrationServer_unregisterConnection_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 1,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"unregisterConnection\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 0, PointerCount: 0}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(RegistrationServer_unregisterConnection_Params{Struct: s}) }\n\t}\n\treturn RegistrationServer_unregisterConnection_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c TunnelServer) UpdateLocalConfiguration(ctx context.Context, params func(RegistrationServer_updateLocalConfiguration_Params) error, opts ...capnp.CallOption) RegistrationServer_updateLocalConfiguration_Results_Promise {\n\tif c.Client == nil {\n\t\treturn RegistrationServer_updateLocalConfiguration_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 2,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"updateLocalConfiguration\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 0, PointerCount: 1}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error {\n\t\t\treturn params(RegistrationServer_updateLocalConfiguration_Params{Struct: s})\n\t\t}\n\t}\n\treturn RegistrationServer_updateLocalConfiguration_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\n\ntype TunnelServer_Server interface {\n\tRegisterTunnel(TunnelServer_registerTunnel) error\n\n\tGetServerInfo(TunnelServer_getServerInfo) error\n\n\tUnregisterTunnel(TunnelServer_unregisterTunnel) error\n\n\tObsoleteDeclarativeTunnelConnect(TunnelServer_obsoleteDeclarativeTunnelConnect) error\n\n\tAuthenticate(TunnelServer_authenticate) error\n\n\tReconnectTunnel(TunnelServer_reconnectTunnel) error\n\n\tRegisterConnection(RegistrationServer_registerConnection) error\n\n\tUnregisterConnection(RegistrationServer_unregisterConnection) error\n\n\tUpdateLocalConfiguration(RegistrationServer_updateLocalConfiguration) error\n}\n\nfunc TunnelServer_ServerToClient(s TunnelServer_Server) TunnelServer {\n\tc, _ := s.(server.Closer)\n\treturn TunnelServer{Client: server.New(TunnelServer_Methods(nil, s), c)}\n}\n\nfunc TunnelServer_Methods(methods []server.Method, s TunnelServer_Server) []server.Method {\n\tif cap(methods) == 0 {\n\t\tmethods = make([]server.Method, 0, 9)\n\t}\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"registerTunnel\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := TunnelServer_registerTunnel{c, opts, TunnelServer_registerTunnel_Params{Struct: p}, TunnelServer_registerTunnel_Results{Struct: r}}\n\t\t\treturn s.RegisterTunnel(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 1},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 1,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"getServerInfo\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := TunnelServer_getServerInfo{c, opts, TunnelServer_getServerInfo_Params{Struct: p}, TunnelServer_getServerInfo_Results{Struct: r}}\n\t\t\treturn s.GetServerInfo(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 1},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 2,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"unregisterTunnel\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := TunnelServer_unregisterTunnel{c, opts, TunnelServer_unregisterTunnel_Params{Struct: p}, TunnelServer_unregisterTunnel_Results{Struct: r}}\n\t\t\treturn s.UnregisterTunnel(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 0},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 3,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"obsoleteDeclarativeTunnelConnect\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := TunnelServer_obsoleteDeclarativeTunnelConnect{c, opts, TunnelServer_obsoleteDeclarativeTunnelConnect_Params{Struct: p}, TunnelServer_obsoleteDeclarativeTunnelConnect_Results{Struct: r}}\n\t\t\treturn s.ObsoleteDeclarativeTunnelConnect(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 0},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 4,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"authenticate\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := TunnelServer_authenticate{c, opts, TunnelServer_authenticate_Params{Struct: p}, TunnelServer_authenticate_Results{Struct: r}}\n\t\t\treturn s.Authenticate(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 1},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xea58385c65416035,\n\t\t\tMethodID: 5,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:TunnelServer\",\n\t\t\tMethodName: \"reconnectTunnel\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := TunnelServer_reconnectTunnel{c, opts, TunnelServer_reconnectTunnel_Params{Struct: p}, TunnelServer_reconnectTunnel_Results{Struct: r}}\n\t\t\treturn s.ReconnectTunnel(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 1},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"registerConnection\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := RegistrationServer_registerConnection{c, opts, RegistrationServer_registerConnection_Params{Struct: p}, RegistrationServer_registerConnection_Results{Struct: r}}\n\t\t\treturn s.RegisterConnection(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 1},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 1,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"unregisterConnection\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := RegistrationServer_unregisterConnection{c, opts, RegistrationServer_unregisterConnection_Params{Struct: p}, RegistrationServer_unregisterConnection_Results{Struct: r}}\n\t\t\treturn s.UnregisterConnection(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 0},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 2,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"updateLocalConfiguration\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := RegistrationServer_updateLocalConfiguration{c, opts, RegistrationServer_updateLocalConfiguration_Params{Struct: p}, RegistrationServer_updateLocalConfiguration_Results{Struct: r}}\n\t\t\treturn s.UpdateLocalConfiguration(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 0},\n\t})\n\n\treturn methods\n}\n\n// TunnelServer_registerTunnel holds the arguments for a server call to TunnelServer.registerTunnel.\ntype TunnelServer_registerTunnel struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams TunnelServer_registerTunnel_Params\n\tResults TunnelServer_registerTunnel_Results\n}\n\n// TunnelServer_getServerInfo holds the arguments for a server call to TunnelServer.getServerInfo.\ntype TunnelServer_getServerInfo struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams TunnelServer_getServerInfo_Params\n\tResults TunnelServer_getServerInfo_Results\n}\n\n// TunnelServer_unregisterTunnel holds the arguments for a server call to TunnelServer.unregisterTunnel.\ntype TunnelServer_unregisterTunnel struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams TunnelServer_unregisterTunnel_Params\n\tResults TunnelServer_unregisterTunnel_Results\n}\n\n// TunnelServer_obsoleteDeclarativeTunnelConnect holds the arguments for a server call to TunnelServer.obsoleteDeclarativeTunnelConnect.\ntype TunnelServer_obsoleteDeclarativeTunnelConnect struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams TunnelServer_obsoleteDeclarativeTunnelConnect_Params\n\tResults TunnelServer_obsoleteDeclarativeTunnelConnect_Results\n}\n\n// TunnelServer_authenticate holds the arguments for a server call to TunnelServer.authenticate.\ntype TunnelServer_authenticate struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams TunnelServer_authenticate_Params\n\tResults TunnelServer_authenticate_Results\n}\n\n// TunnelServer_reconnectTunnel holds the arguments for a server call to TunnelServer.reconnectTunnel.\ntype TunnelServer_reconnectTunnel struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams TunnelServer_reconnectTunnel_Params\n\tResults TunnelServer_reconnectTunnel_Results\n}\n\ntype TunnelServer_registerTunnel_Params struct{ capnp.Struct }\n\n// TunnelServer_registerTunnel_Params_TypeID is the unique identifier for the type TunnelServer_registerTunnel_Params.\nconst TunnelServer_registerTunnel_Params_TypeID = 0xb70431c0dc014915\n\nfunc NewTunnelServer_registerTunnel_Params(s *capnp.Segment) (TunnelServer_registerTunnel_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 3})\n\treturn TunnelServer_registerTunnel_Params{st}, err\n}\n\nfunc NewRootTunnelServer_registerTunnel_Params(s *capnp.Segment) (TunnelServer_registerTunnel_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 3})\n\treturn TunnelServer_registerTunnel_Params{st}, err\n}\n\nfunc ReadRootTunnelServer_registerTunnel_Params(msg *capnp.Message) (TunnelServer_registerTunnel_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_registerTunnel_Params{root.Struct()}, err\n}\n\nfunc (s TunnelServer_registerTunnel_Params) String() string {\n\tstr, _ := text.Marshal(0xb70431c0dc014915, s.Struct)\n\treturn str\n}\n\nfunc (s TunnelServer_registerTunnel_Params) OriginCert() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s TunnelServer_registerTunnel_Params) HasOriginCert() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_registerTunnel_Params) SetOriginCert(v []byte) error {\n\treturn s.Struct.SetData(0, v)\n}\n\nfunc (s TunnelServer_registerTunnel_Params) Hostname() (string, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.Text(), err\n}\n\nfunc (s TunnelServer_registerTunnel_Params) HasHostname() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_registerTunnel_Params) HostnameBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.TextBytes(), err\n}\n\nfunc (s TunnelServer_registerTunnel_Params) SetHostname(v string) error {\n\treturn s.Struct.SetText(1, v)\n}\n\nfunc (s TunnelServer_registerTunnel_Params) Options() (RegistrationOptions, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn RegistrationOptions{Struct: p.Struct()}, err\n}\n\nfunc (s TunnelServer_registerTunnel_Params) HasOptions() bool {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_registerTunnel_Params) SetOptions(v RegistrationOptions) error {\n\treturn s.Struct.SetPtr(2, v.Struct.ToPtr())\n}\n\n// NewOptions sets the options field to a newly\n// allocated RegistrationOptions struct, preferring placement in s's segment.\nfunc (s TunnelServer_registerTunnel_Params) NewOptions() (RegistrationOptions, error) {\n\tss, err := NewRegistrationOptions(s.Struct.Segment())\n\tif err != nil {\n\t\treturn RegistrationOptions{}, err\n\t}\n\terr = s.Struct.SetPtr(2, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// TunnelServer_registerTunnel_Params_List is a list of TunnelServer_registerTunnel_Params.\ntype TunnelServer_registerTunnel_Params_List struct{ capnp.List }\n\n// NewTunnelServer_registerTunnel_Params creates a new list of TunnelServer_registerTunnel_Params.\nfunc NewTunnelServer_registerTunnel_Params_List(s *capnp.Segment, sz int32) (TunnelServer_registerTunnel_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 3}, sz)\n\treturn TunnelServer_registerTunnel_Params_List{l}, err\n}\n\nfunc (s TunnelServer_registerTunnel_Params_List) At(i int) TunnelServer_registerTunnel_Params {\n\treturn TunnelServer_registerTunnel_Params{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_registerTunnel_Params_List) Set(i int, v TunnelServer_registerTunnel_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_registerTunnel_Params_List) String() string {\n\tstr, _ := text.MarshalList(0xb70431c0dc014915, s.List)\n\treturn str\n}\n\n// TunnelServer_registerTunnel_Params_Promise is a wrapper for a TunnelServer_registerTunnel_Params promised by a client call.\ntype TunnelServer_registerTunnel_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_registerTunnel_Params_Promise) Struct() (TunnelServer_registerTunnel_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_registerTunnel_Params{s}, err\n}\n\nfunc (p TunnelServer_registerTunnel_Params_Promise) Options() RegistrationOptions_Promise {\n\treturn RegistrationOptions_Promise{Pipeline: p.Pipeline.GetPipeline(2)}\n}\n\ntype TunnelServer_registerTunnel_Results struct{ capnp.Struct }\n\n// TunnelServer_registerTunnel_Results_TypeID is the unique identifier for the type TunnelServer_registerTunnel_Results.\nconst TunnelServer_registerTunnel_Results_TypeID = 0xf2c122394f447e8e\n\nfunc NewTunnelServer_registerTunnel_Results(s *capnp.Segment) (TunnelServer_registerTunnel_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn TunnelServer_registerTunnel_Results{st}, err\n}\n\nfunc NewRootTunnelServer_registerTunnel_Results(s *capnp.Segment) (TunnelServer_registerTunnel_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn TunnelServer_registerTunnel_Results{st}, err\n}\n\nfunc ReadRootTunnelServer_registerTunnel_Results(msg *capnp.Message) (TunnelServer_registerTunnel_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_registerTunnel_Results{root.Struct()}, err\n}\n\nfunc (s TunnelServer_registerTunnel_Results) String() string {\n\tstr, _ := text.Marshal(0xf2c122394f447e8e, s.Struct)\n\treturn str\n}\n\nfunc (s TunnelServer_registerTunnel_Results) Result() (TunnelRegistration, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn TunnelRegistration{Struct: p.Struct()}, err\n}\n\nfunc (s TunnelServer_registerTunnel_Results) HasResult() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_registerTunnel_Results) SetResult(v TunnelRegistration) error {\n\treturn s.Struct.SetPtr(0, v.Struct.ToPtr())\n}\n\n// NewResult sets the result field to a newly\n// allocated TunnelRegistration struct, preferring placement in s's segment.\nfunc (s TunnelServer_registerTunnel_Results) NewResult() (TunnelRegistration, error) {\n\tss, err := NewTunnelRegistration(s.Struct.Segment())\n\tif err != nil {\n\t\treturn TunnelRegistration{}, err\n\t}\n\terr = s.Struct.SetPtr(0, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// TunnelServer_registerTunnel_Results_List is a list of TunnelServer_registerTunnel_Results.\ntype TunnelServer_registerTunnel_Results_List struct{ capnp.List }\n\n// NewTunnelServer_registerTunnel_Results creates a new list of TunnelServer_registerTunnel_Results.\nfunc NewTunnelServer_registerTunnel_Results_List(s *capnp.Segment, sz int32) (TunnelServer_registerTunnel_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1}, sz)\n\treturn TunnelServer_registerTunnel_Results_List{l}, err\n}\n\nfunc (s TunnelServer_registerTunnel_Results_List) At(i int) TunnelServer_registerTunnel_Results {\n\treturn TunnelServer_registerTunnel_Results{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_registerTunnel_Results_List) Set(i int, v TunnelServer_registerTunnel_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_registerTunnel_Results_List) String() string {\n\tstr, _ := text.MarshalList(0xf2c122394f447e8e, s.List)\n\treturn str\n}\n\n// TunnelServer_registerTunnel_Results_Promise is a wrapper for a TunnelServer_registerTunnel_Results promised by a client call.\ntype TunnelServer_registerTunnel_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_registerTunnel_Results_Promise) Struct() (TunnelServer_registerTunnel_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_registerTunnel_Results{s}, err\n}\n\nfunc (p TunnelServer_registerTunnel_Results_Promise) Result() TunnelRegistration_Promise {\n\treturn TunnelRegistration_Promise{Pipeline: p.Pipeline.GetPipeline(0)}\n}\n\ntype TunnelServer_getServerInfo_Params struct{ capnp.Struct }\n\n// TunnelServer_getServerInfo_Params_TypeID is the unique identifier for the type TunnelServer_getServerInfo_Params.\nconst TunnelServer_getServerInfo_Params_TypeID = 0xdc3ed6801961e502\n\nfunc NewTunnelServer_getServerInfo_Params(s *capnp.Segment) (TunnelServer_getServerInfo_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn TunnelServer_getServerInfo_Params{st}, err\n}\n\nfunc NewRootTunnelServer_getServerInfo_Params(s *capnp.Segment) (TunnelServer_getServerInfo_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn TunnelServer_getServerInfo_Params{st}, err\n}\n\nfunc ReadRootTunnelServer_getServerInfo_Params(msg *capnp.Message) (TunnelServer_getServerInfo_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_getServerInfo_Params{root.Struct()}, err\n}\n\nfunc (s TunnelServer_getServerInfo_Params) String() string {\n\tstr, _ := text.Marshal(0xdc3ed6801961e502, s.Struct)\n\treturn str\n}\n\n// TunnelServer_getServerInfo_Params_List is a list of TunnelServer_getServerInfo_Params.\ntype TunnelServer_getServerInfo_Params_List struct{ capnp.List }\n\n// NewTunnelServer_getServerInfo_Params creates a new list of TunnelServer_getServerInfo_Params.\nfunc NewTunnelServer_getServerInfo_Params_List(s *capnp.Segment, sz int32) (TunnelServer_getServerInfo_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0}, sz)\n\treturn TunnelServer_getServerInfo_Params_List{l}, err\n}\n\nfunc (s TunnelServer_getServerInfo_Params_List) At(i int) TunnelServer_getServerInfo_Params {\n\treturn TunnelServer_getServerInfo_Params{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_getServerInfo_Params_List) Set(i int, v TunnelServer_getServerInfo_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_getServerInfo_Params_List) String() string {\n\tstr, _ := text.MarshalList(0xdc3ed6801961e502, s.List)\n\treturn str\n}\n\n// TunnelServer_getServerInfo_Params_Promise is a wrapper for a TunnelServer_getServerInfo_Params promised by a client call.\ntype TunnelServer_getServerInfo_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_getServerInfo_Params_Promise) Struct() (TunnelServer_getServerInfo_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_getServerInfo_Params{s}, err\n}\n\ntype TunnelServer_getServerInfo_Results struct{ capnp.Struct }\n\n// TunnelServer_getServerInfo_Results_TypeID is the unique identifier for the type TunnelServer_getServerInfo_Results.\nconst TunnelServer_getServerInfo_Results_TypeID = 0xe3e37d096a5b564e\n\nfunc NewTunnelServer_getServerInfo_Results(s *capnp.Segment) (TunnelServer_getServerInfo_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn TunnelServer_getServerInfo_Results{st}, err\n}\n\nfunc NewRootTunnelServer_getServerInfo_Results(s *capnp.Segment) (TunnelServer_getServerInfo_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn TunnelServer_getServerInfo_Results{st}, err\n}\n\nfunc ReadRootTunnelServer_getServerInfo_Results(msg *capnp.Message) (TunnelServer_getServerInfo_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_getServerInfo_Results{root.Struct()}, err\n}\n\nfunc (s TunnelServer_getServerInfo_Results) String() string {\n\tstr, _ := text.Marshal(0xe3e37d096a5b564e, s.Struct)\n\treturn str\n}\n\nfunc (s TunnelServer_getServerInfo_Results) Result() (ServerInfo, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn ServerInfo{Struct: p.Struct()}, err\n}\n\nfunc (s TunnelServer_getServerInfo_Results) HasResult() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_getServerInfo_Results) SetResult(v ServerInfo) error {\n\treturn s.Struct.SetPtr(0, v.Struct.ToPtr())\n}\n\n// NewResult sets the result field to a newly\n// allocated ServerInfo struct, preferring placement in s's segment.\nfunc (s TunnelServer_getServerInfo_Results) NewResult() (ServerInfo, error) {\n\tss, err := NewServerInfo(s.Struct.Segment())\n\tif err != nil {\n\t\treturn ServerInfo{}, err\n\t}\n\terr = s.Struct.SetPtr(0, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// TunnelServer_getServerInfo_Results_List is a list of TunnelServer_getServerInfo_Results.\ntype TunnelServer_getServerInfo_Results_List struct{ capnp.List }\n\n// NewTunnelServer_getServerInfo_Results creates a new list of TunnelServer_getServerInfo_Results.\nfunc NewTunnelServer_getServerInfo_Results_List(s *capnp.Segment, sz int32) (TunnelServer_getServerInfo_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1}, sz)\n\treturn TunnelServer_getServerInfo_Results_List{l}, err\n}\n\nfunc (s TunnelServer_getServerInfo_Results_List) At(i int) TunnelServer_getServerInfo_Results {\n\treturn TunnelServer_getServerInfo_Results{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_getServerInfo_Results_List) Set(i int, v TunnelServer_getServerInfo_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_getServerInfo_Results_List) String() string {\n\tstr, _ := text.MarshalList(0xe3e37d096a5b564e, s.List)\n\treturn str\n}\n\n// TunnelServer_getServerInfo_Results_Promise is a wrapper for a TunnelServer_getServerInfo_Results promised by a client call.\ntype TunnelServer_getServerInfo_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_getServerInfo_Results_Promise) Struct() (TunnelServer_getServerInfo_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_getServerInfo_Results{s}, err\n}\n\nfunc (p TunnelServer_getServerInfo_Results_Promise) Result() ServerInfo_Promise {\n\treturn ServerInfo_Promise{Pipeline: p.Pipeline.GetPipeline(0)}\n}\n\ntype TunnelServer_unregisterTunnel_Params struct{ capnp.Struct }\n\n// TunnelServer_unregisterTunnel_Params_TypeID is the unique identifier for the type TunnelServer_unregisterTunnel_Params.\nconst TunnelServer_unregisterTunnel_Params_TypeID = 0x9b87b390babc2ccf\n\nfunc NewTunnelServer_unregisterTunnel_Params(s *capnp.Segment) (TunnelServer_unregisterTunnel_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 0})\n\treturn TunnelServer_unregisterTunnel_Params{st}, err\n}\n\nfunc NewRootTunnelServer_unregisterTunnel_Params(s *capnp.Segment) (TunnelServer_unregisterTunnel_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 0})\n\treturn TunnelServer_unregisterTunnel_Params{st}, err\n}\n\nfunc ReadRootTunnelServer_unregisterTunnel_Params(msg *capnp.Message) (TunnelServer_unregisterTunnel_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_unregisterTunnel_Params{root.Struct()}, err\n}\n\nfunc (s TunnelServer_unregisterTunnel_Params) String() string {\n\tstr, _ := text.Marshal(0x9b87b390babc2ccf, s.Struct)\n\treturn str\n}\n\nfunc (s TunnelServer_unregisterTunnel_Params) GracePeriodNanoSec() int64 {\n\treturn int64(s.Struct.Uint64(0))\n}\n\nfunc (s TunnelServer_unregisterTunnel_Params) SetGracePeriodNanoSec(v int64) {\n\ts.Struct.SetUint64(0, uint64(v))\n}\n\n// TunnelServer_unregisterTunnel_Params_List is a list of TunnelServer_unregisterTunnel_Params.\ntype TunnelServer_unregisterTunnel_Params_List struct{ capnp.List }\n\n// NewTunnelServer_unregisterTunnel_Params creates a new list of TunnelServer_unregisterTunnel_Params.\nfunc NewTunnelServer_unregisterTunnel_Params_List(s *capnp.Segment, sz int32) (TunnelServer_unregisterTunnel_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 8, PointerCount: 0}, sz)\n\treturn TunnelServer_unregisterTunnel_Params_List{l}, err\n}\n\nfunc (s TunnelServer_unregisterTunnel_Params_List) At(i int) TunnelServer_unregisterTunnel_Params {\n\treturn TunnelServer_unregisterTunnel_Params{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_unregisterTunnel_Params_List) Set(i int, v TunnelServer_unregisterTunnel_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_unregisterTunnel_Params_List) String() string {\n\tstr, _ := text.MarshalList(0x9b87b390babc2ccf, s.List)\n\treturn str\n}\n\n// TunnelServer_unregisterTunnel_Params_Promise is a wrapper for a TunnelServer_unregisterTunnel_Params promised by a client call.\ntype TunnelServer_unregisterTunnel_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_unregisterTunnel_Params_Promise) Struct() (TunnelServer_unregisterTunnel_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_unregisterTunnel_Params{s}, err\n}\n\ntype TunnelServer_unregisterTunnel_Results struct{ capnp.Struct }\n\n// TunnelServer_unregisterTunnel_Results_TypeID is the unique identifier for the type TunnelServer_unregisterTunnel_Results.\nconst TunnelServer_unregisterTunnel_Results_TypeID = 0xa29a916d4ebdd894\n\nfunc NewTunnelServer_unregisterTunnel_Results(s *capnp.Segment) (TunnelServer_unregisterTunnel_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn TunnelServer_unregisterTunnel_Results{st}, err\n}\n\nfunc NewRootTunnelServer_unregisterTunnel_Results(s *capnp.Segment) (TunnelServer_unregisterTunnel_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn TunnelServer_unregisterTunnel_Results{st}, err\n}\n\nfunc ReadRootTunnelServer_unregisterTunnel_Results(msg *capnp.Message) (TunnelServer_unregisterTunnel_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_unregisterTunnel_Results{root.Struct()}, err\n}\n\nfunc (s TunnelServer_unregisterTunnel_Results) String() string {\n\tstr, _ := text.Marshal(0xa29a916d4ebdd894, s.Struct)\n\treturn str\n}\n\n// TunnelServer_unregisterTunnel_Results_List is a list of TunnelServer_unregisterTunnel_Results.\ntype TunnelServer_unregisterTunnel_Results_List struct{ capnp.List }\n\n// NewTunnelServer_unregisterTunnel_Results creates a new list of TunnelServer_unregisterTunnel_Results.\nfunc NewTunnelServer_unregisterTunnel_Results_List(s *capnp.Segment, sz int32) (TunnelServer_unregisterTunnel_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0}, sz)\n\treturn TunnelServer_unregisterTunnel_Results_List{l}, err\n}\n\nfunc (s TunnelServer_unregisterTunnel_Results_List) At(i int) TunnelServer_unregisterTunnel_Results {\n\treturn TunnelServer_unregisterTunnel_Results{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_unregisterTunnel_Results_List) Set(i int, v TunnelServer_unregisterTunnel_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_unregisterTunnel_Results_List) String() string {\n\tstr, _ := text.MarshalList(0xa29a916d4ebdd894, s.List)\n\treturn str\n}\n\n// TunnelServer_unregisterTunnel_Results_Promise is a wrapper for a TunnelServer_unregisterTunnel_Results promised by a client call.\ntype TunnelServer_unregisterTunnel_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_unregisterTunnel_Results_Promise) Struct() (TunnelServer_unregisterTunnel_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_unregisterTunnel_Results{s}, err\n}\n\ntype TunnelServer_obsoleteDeclarativeTunnelConnect_Params struct{ capnp.Struct }\n\n// TunnelServer_obsoleteDeclarativeTunnelConnect_Params_TypeID is the unique identifier for the type TunnelServer_obsoleteDeclarativeTunnelConnect_Params.\nconst TunnelServer_obsoleteDeclarativeTunnelConnect_Params_TypeID = 0xa766b24d4fe5da35\n\nfunc NewTunnelServer_obsoleteDeclarativeTunnelConnect_Params(s *capnp.Segment) (TunnelServer_obsoleteDeclarativeTunnelConnect_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Params{st}, err\n}\n\nfunc NewRootTunnelServer_obsoleteDeclarativeTunnelConnect_Params(s *capnp.Segment) (TunnelServer_obsoleteDeclarativeTunnelConnect_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Params{st}, err\n}\n\nfunc ReadRootTunnelServer_obsoleteDeclarativeTunnelConnect_Params(msg *capnp.Message) (TunnelServer_obsoleteDeclarativeTunnelConnect_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Params{root.Struct()}, err\n}\n\nfunc (s TunnelServer_obsoleteDeclarativeTunnelConnect_Params) String() string {\n\tstr, _ := text.Marshal(0xa766b24d4fe5da35, s.Struct)\n\treturn str\n}\n\n// TunnelServer_obsoleteDeclarativeTunnelConnect_Params_List is a list of TunnelServer_obsoleteDeclarativeTunnelConnect_Params.\ntype TunnelServer_obsoleteDeclarativeTunnelConnect_Params_List struct{ capnp.List }\n\n// NewTunnelServer_obsoleteDeclarativeTunnelConnect_Params creates a new list of TunnelServer_obsoleteDeclarativeTunnelConnect_Params.\nfunc NewTunnelServer_obsoleteDeclarativeTunnelConnect_Params_List(s *capnp.Segment, sz int32) (TunnelServer_obsoleteDeclarativeTunnelConnect_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0}, sz)\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Params_List{l}, err\n}\n\nfunc (s TunnelServer_obsoleteDeclarativeTunnelConnect_Params_List) At(i int) TunnelServer_obsoleteDeclarativeTunnelConnect_Params {\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Params{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_obsoleteDeclarativeTunnelConnect_Params_List) Set(i int, v TunnelServer_obsoleteDeclarativeTunnelConnect_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_obsoleteDeclarativeTunnelConnect_Params_List) String() string {\n\tstr, _ := text.MarshalList(0xa766b24d4fe5da35, s.List)\n\treturn str\n}\n\n// TunnelServer_obsoleteDeclarativeTunnelConnect_Params_Promise is a wrapper for a TunnelServer_obsoleteDeclarativeTunnelConnect_Params promised by a client call.\ntype TunnelServer_obsoleteDeclarativeTunnelConnect_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_obsoleteDeclarativeTunnelConnect_Params_Promise) Struct() (TunnelServer_obsoleteDeclarativeTunnelConnect_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Params{s}, err\n}\n\ntype TunnelServer_obsoleteDeclarativeTunnelConnect_Results struct{ capnp.Struct }\n\n// TunnelServer_obsoleteDeclarativeTunnelConnect_Results_TypeID is the unique identifier for the type TunnelServer_obsoleteDeclarativeTunnelConnect_Results.\nconst TunnelServer_obsoleteDeclarativeTunnelConnect_Results_TypeID = 0xfeac5c8f4899ef7c\n\nfunc NewTunnelServer_obsoleteDeclarativeTunnelConnect_Results(s *capnp.Segment) (TunnelServer_obsoleteDeclarativeTunnelConnect_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Results{st}, err\n}\n\nfunc NewRootTunnelServer_obsoleteDeclarativeTunnelConnect_Results(s *capnp.Segment) (TunnelServer_obsoleteDeclarativeTunnelConnect_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Results{st}, err\n}\n\nfunc ReadRootTunnelServer_obsoleteDeclarativeTunnelConnect_Results(msg *capnp.Message) (TunnelServer_obsoleteDeclarativeTunnelConnect_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Results{root.Struct()}, err\n}\n\nfunc (s TunnelServer_obsoleteDeclarativeTunnelConnect_Results) String() string {\n\tstr, _ := text.Marshal(0xfeac5c8f4899ef7c, s.Struct)\n\treturn str\n}\n\n// TunnelServer_obsoleteDeclarativeTunnelConnect_Results_List is a list of TunnelServer_obsoleteDeclarativeTunnelConnect_Results.\ntype TunnelServer_obsoleteDeclarativeTunnelConnect_Results_List struct{ capnp.List }\n\n// NewTunnelServer_obsoleteDeclarativeTunnelConnect_Results creates a new list of TunnelServer_obsoleteDeclarativeTunnelConnect_Results.\nfunc NewTunnelServer_obsoleteDeclarativeTunnelConnect_Results_List(s *capnp.Segment, sz int32) (TunnelServer_obsoleteDeclarativeTunnelConnect_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0}, sz)\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Results_List{l}, err\n}\n\nfunc (s TunnelServer_obsoleteDeclarativeTunnelConnect_Results_List) At(i int) TunnelServer_obsoleteDeclarativeTunnelConnect_Results {\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Results{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_obsoleteDeclarativeTunnelConnect_Results_List) Set(i int, v TunnelServer_obsoleteDeclarativeTunnelConnect_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_obsoleteDeclarativeTunnelConnect_Results_List) String() string {\n\tstr, _ := text.MarshalList(0xfeac5c8f4899ef7c, s.List)\n\treturn str\n}\n\n// TunnelServer_obsoleteDeclarativeTunnelConnect_Results_Promise is a wrapper for a TunnelServer_obsoleteDeclarativeTunnelConnect_Results promised by a client call.\ntype TunnelServer_obsoleteDeclarativeTunnelConnect_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_obsoleteDeclarativeTunnelConnect_Results_Promise) Struct() (TunnelServer_obsoleteDeclarativeTunnelConnect_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_obsoleteDeclarativeTunnelConnect_Results{s}, err\n}\n\ntype TunnelServer_authenticate_Params struct{ capnp.Struct }\n\n// TunnelServer_authenticate_Params_TypeID is the unique identifier for the type TunnelServer_authenticate_Params.\nconst TunnelServer_authenticate_Params_TypeID = 0x85c8cea1ab1894f3\n\nfunc NewTunnelServer_authenticate_Params(s *capnp.Segment) (TunnelServer_authenticate_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 3})\n\treturn TunnelServer_authenticate_Params{st}, err\n}\n\nfunc NewRootTunnelServer_authenticate_Params(s *capnp.Segment) (TunnelServer_authenticate_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 3})\n\treturn TunnelServer_authenticate_Params{st}, err\n}\n\nfunc ReadRootTunnelServer_authenticate_Params(msg *capnp.Message) (TunnelServer_authenticate_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_authenticate_Params{root.Struct()}, err\n}\n\nfunc (s TunnelServer_authenticate_Params) String() string {\n\tstr, _ := text.Marshal(0x85c8cea1ab1894f3, s.Struct)\n\treturn str\n}\n\nfunc (s TunnelServer_authenticate_Params) OriginCert() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s TunnelServer_authenticate_Params) HasOriginCert() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_authenticate_Params) SetOriginCert(v []byte) error {\n\treturn s.Struct.SetData(0, v)\n}\n\nfunc (s TunnelServer_authenticate_Params) Hostname() (string, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.Text(), err\n}\n\nfunc (s TunnelServer_authenticate_Params) HasHostname() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_authenticate_Params) HostnameBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.TextBytes(), err\n}\n\nfunc (s TunnelServer_authenticate_Params) SetHostname(v string) error {\n\treturn s.Struct.SetText(1, v)\n}\n\nfunc (s TunnelServer_authenticate_Params) Options() (RegistrationOptions, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn RegistrationOptions{Struct: p.Struct()}, err\n}\n\nfunc (s TunnelServer_authenticate_Params) HasOptions() bool {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_authenticate_Params) SetOptions(v RegistrationOptions) error {\n\treturn s.Struct.SetPtr(2, v.Struct.ToPtr())\n}\n\n// NewOptions sets the options field to a newly\n// allocated RegistrationOptions struct, preferring placement in s's segment.\nfunc (s TunnelServer_authenticate_Params) NewOptions() (RegistrationOptions, error) {\n\tss, err := NewRegistrationOptions(s.Struct.Segment())\n\tif err != nil {\n\t\treturn RegistrationOptions{}, err\n\t}\n\terr = s.Struct.SetPtr(2, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// TunnelServer_authenticate_Params_List is a list of TunnelServer_authenticate_Params.\ntype TunnelServer_authenticate_Params_List struct{ capnp.List }\n\n// NewTunnelServer_authenticate_Params creates a new list of TunnelServer_authenticate_Params.\nfunc NewTunnelServer_authenticate_Params_List(s *capnp.Segment, sz int32) (TunnelServer_authenticate_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 3}, sz)\n\treturn TunnelServer_authenticate_Params_List{l}, err\n}\n\nfunc (s TunnelServer_authenticate_Params_List) At(i int) TunnelServer_authenticate_Params {\n\treturn TunnelServer_authenticate_Params{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_authenticate_Params_List) Set(i int, v TunnelServer_authenticate_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_authenticate_Params_List) String() string {\n\tstr, _ := text.MarshalList(0x85c8cea1ab1894f3, s.List)\n\treturn str\n}\n\n// TunnelServer_authenticate_Params_Promise is a wrapper for a TunnelServer_authenticate_Params promised by a client call.\ntype TunnelServer_authenticate_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_authenticate_Params_Promise) Struct() (TunnelServer_authenticate_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_authenticate_Params{s}, err\n}\n\nfunc (p TunnelServer_authenticate_Params_Promise) Options() RegistrationOptions_Promise {\n\treturn RegistrationOptions_Promise{Pipeline: p.Pipeline.GetPipeline(2)}\n}\n\ntype TunnelServer_authenticate_Results struct{ capnp.Struct }\n\n// TunnelServer_authenticate_Results_TypeID is the unique identifier for the type TunnelServer_authenticate_Results.\nconst TunnelServer_authenticate_Results_TypeID = 0xfc5edf80e39c0796\n\nfunc NewTunnelServer_authenticate_Results(s *capnp.Segment) (TunnelServer_authenticate_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn TunnelServer_authenticate_Results{st}, err\n}\n\nfunc NewRootTunnelServer_authenticate_Results(s *capnp.Segment) (TunnelServer_authenticate_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn TunnelServer_authenticate_Results{st}, err\n}\n\nfunc ReadRootTunnelServer_authenticate_Results(msg *capnp.Message) (TunnelServer_authenticate_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_authenticate_Results{root.Struct()}, err\n}\n\nfunc (s TunnelServer_authenticate_Results) String() string {\n\tstr, _ := text.Marshal(0xfc5edf80e39c0796, s.Struct)\n\treturn str\n}\n\nfunc (s TunnelServer_authenticate_Results) Result() (AuthenticateResponse, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn AuthenticateResponse{Struct: p.Struct()}, err\n}\n\nfunc (s TunnelServer_authenticate_Results) HasResult() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_authenticate_Results) SetResult(v AuthenticateResponse) error {\n\treturn s.Struct.SetPtr(0, v.Struct.ToPtr())\n}\n\n// NewResult sets the result field to a newly\n// allocated AuthenticateResponse struct, preferring placement in s's segment.\nfunc (s TunnelServer_authenticate_Results) NewResult() (AuthenticateResponse, error) {\n\tss, err := NewAuthenticateResponse(s.Struct.Segment())\n\tif err != nil {\n\t\treturn AuthenticateResponse{}, err\n\t}\n\terr = s.Struct.SetPtr(0, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// TunnelServer_authenticate_Results_List is a list of TunnelServer_authenticate_Results.\ntype TunnelServer_authenticate_Results_List struct{ capnp.List }\n\n// NewTunnelServer_authenticate_Results creates a new list of TunnelServer_authenticate_Results.\nfunc NewTunnelServer_authenticate_Results_List(s *capnp.Segment, sz int32) (TunnelServer_authenticate_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1}, sz)\n\treturn TunnelServer_authenticate_Results_List{l}, err\n}\n\nfunc (s TunnelServer_authenticate_Results_List) At(i int) TunnelServer_authenticate_Results {\n\treturn TunnelServer_authenticate_Results{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_authenticate_Results_List) Set(i int, v TunnelServer_authenticate_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_authenticate_Results_List) String() string {\n\tstr, _ := text.MarshalList(0xfc5edf80e39c0796, s.List)\n\treturn str\n}\n\n// TunnelServer_authenticate_Results_Promise is a wrapper for a TunnelServer_authenticate_Results promised by a client call.\ntype TunnelServer_authenticate_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_authenticate_Results_Promise) Struct() (TunnelServer_authenticate_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_authenticate_Results{s}, err\n}\n\nfunc (p TunnelServer_authenticate_Results_Promise) Result() AuthenticateResponse_Promise {\n\treturn AuthenticateResponse_Promise{Pipeline: p.Pipeline.GetPipeline(0)}\n}\n\ntype TunnelServer_reconnectTunnel_Params struct{ capnp.Struct }\n\n// TunnelServer_reconnectTunnel_Params_TypeID is the unique identifier for the type TunnelServer_reconnectTunnel_Params.\nconst TunnelServer_reconnectTunnel_Params_TypeID = 0xa353a3556df74984\n\nfunc NewTunnelServer_reconnectTunnel_Params(s *capnp.Segment) (TunnelServer_reconnectTunnel_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 5})\n\treturn TunnelServer_reconnectTunnel_Params{st}, err\n}\n\nfunc NewRootTunnelServer_reconnectTunnel_Params(s *capnp.Segment) (TunnelServer_reconnectTunnel_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 5})\n\treturn TunnelServer_reconnectTunnel_Params{st}, err\n}\n\nfunc ReadRootTunnelServer_reconnectTunnel_Params(msg *capnp.Message) (TunnelServer_reconnectTunnel_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_reconnectTunnel_Params{root.Struct()}, err\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) String() string {\n\tstr, _ := text.Marshal(0xa353a3556df74984, s.Struct)\n\treturn str\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) Jwt() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) HasJwt() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) SetJwt(v []byte) error {\n\treturn s.Struct.SetData(0, v)\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) EventDigest() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) HasEventDigest() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) SetEventDigest(v []byte) error {\n\treturn s.Struct.SetData(1, v)\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) ConnDigest() ([]byte, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) HasConnDigest() bool {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) SetConnDigest(v []byte) error {\n\treturn s.Struct.SetData(2, v)\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) Hostname() (string, error) {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.Text(), err\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) HasHostname() bool {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) HostnameBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.TextBytes(), err\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) SetHostname(v string) error {\n\treturn s.Struct.SetText(3, v)\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) Options() (RegistrationOptions, error) {\n\tp, err := s.Struct.Ptr(4)\n\treturn RegistrationOptions{Struct: p.Struct()}, err\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) HasOptions() bool {\n\tp, err := s.Struct.Ptr(4)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params) SetOptions(v RegistrationOptions) error {\n\treturn s.Struct.SetPtr(4, v.Struct.ToPtr())\n}\n\n// NewOptions sets the options field to a newly\n// allocated RegistrationOptions struct, preferring placement in s's segment.\nfunc (s TunnelServer_reconnectTunnel_Params) NewOptions() (RegistrationOptions, error) {\n\tss, err := NewRegistrationOptions(s.Struct.Segment())\n\tif err != nil {\n\t\treturn RegistrationOptions{}, err\n\t}\n\terr = s.Struct.SetPtr(4, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// TunnelServer_reconnectTunnel_Params_List is a list of TunnelServer_reconnectTunnel_Params.\ntype TunnelServer_reconnectTunnel_Params_List struct{ capnp.List }\n\n// NewTunnelServer_reconnectTunnel_Params creates a new list of TunnelServer_reconnectTunnel_Params.\nfunc NewTunnelServer_reconnectTunnel_Params_List(s *capnp.Segment, sz int32) (TunnelServer_reconnectTunnel_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 5}, sz)\n\treturn TunnelServer_reconnectTunnel_Params_List{l}, err\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params_List) At(i int) TunnelServer_reconnectTunnel_Params {\n\treturn TunnelServer_reconnectTunnel_Params{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params_List) Set(i int, v TunnelServer_reconnectTunnel_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_reconnectTunnel_Params_List) String() string {\n\tstr, _ := text.MarshalList(0xa353a3556df74984, s.List)\n\treturn str\n}\n\n// TunnelServer_reconnectTunnel_Params_Promise is a wrapper for a TunnelServer_reconnectTunnel_Params promised by a client call.\ntype TunnelServer_reconnectTunnel_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_reconnectTunnel_Params_Promise) Struct() (TunnelServer_reconnectTunnel_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_reconnectTunnel_Params{s}, err\n}\n\nfunc (p TunnelServer_reconnectTunnel_Params_Promise) Options() RegistrationOptions_Promise {\n\treturn RegistrationOptions_Promise{Pipeline: p.Pipeline.GetPipeline(4)}\n}\n\ntype TunnelServer_reconnectTunnel_Results struct{ capnp.Struct }\n\n// TunnelServer_reconnectTunnel_Results_TypeID is the unique identifier for the type TunnelServer_reconnectTunnel_Results.\nconst TunnelServer_reconnectTunnel_Results_TypeID = 0xd4d18de97bb12de3\n\nfunc NewTunnelServer_reconnectTunnel_Results(s *capnp.Segment) (TunnelServer_reconnectTunnel_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn TunnelServer_reconnectTunnel_Results{st}, err\n}\n\nfunc NewRootTunnelServer_reconnectTunnel_Results(s *capnp.Segment) (TunnelServer_reconnectTunnel_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn TunnelServer_reconnectTunnel_Results{st}, err\n}\n\nfunc ReadRootTunnelServer_reconnectTunnel_Results(msg *capnp.Message) (TunnelServer_reconnectTunnel_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelServer_reconnectTunnel_Results{root.Struct()}, err\n}\n\nfunc (s TunnelServer_reconnectTunnel_Results) String() string {\n\tstr, _ := text.Marshal(0xd4d18de97bb12de3, s.Struct)\n\treturn str\n}\n\nfunc (s TunnelServer_reconnectTunnel_Results) Result() (TunnelRegistration, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn TunnelRegistration{Struct: p.Struct()}, err\n}\n\nfunc (s TunnelServer_reconnectTunnel_Results) HasResult() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelServer_reconnectTunnel_Results) SetResult(v TunnelRegistration) error {\n\treturn s.Struct.SetPtr(0, v.Struct.ToPtr())\n}\n\n// NewResult sets the result field to a newly\n// allocated TunnelRegistration struct, preferring placement in s's segment.\nfunc (s TunnelServer_reconnectTunnel_Results) NewResult() (TunnelRegistration, error) {\n\tss, err := NewTunnelRegistration(s.Struct.Segment())\n\tif err != nil {\n\t\treturn TunnelRegistration{}, err\n\t}\n\terr = s.Struct.SetPtr(0, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// TunnelServer_reconnectTunnel_Results_List is a list of TunnelServer_reconnectTunnel_Results.\ntype TunnelServer_reconnectTunnel_Results_List struct{ capnp.List }\n\n// NewTunnelServer_reconnectTunnel_Results creates a new list of TunnelServer_reconnectTunnel_Results.\nfunc NewTunnelServer_reconnectTunnel_Results_List(s *capnp.Segment, sz int32) (TunnelServer_reconnectTunnel_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1}, sz)\n\treturn TunnelServer_reconnectTunnel_Results_List{l}, err\n}\n\nfunc (s TunnelServer_reconnectTunnel_Results_List) At(i int) TunnelServer_reconnectTunnel_Results {\n\treturn TunnelServer_reconnectTunnel_Results{s.List.Struct(i)}\n}\n\nfunc (s TunnelServer_reconnectTunnel_Results_List) Set(i int, v TunnelServer_reconnectTunnel_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s TunnelServer_reconnectTunnel_Results_List) String() string {\n\tstr, _ := text.MarshalList(0xd4d18de97bb12de3, s.List)\n\treturn str\n}\n\n// TunnelServer_reconnectTunnel_Results_Promise is a wrapper for a TunnelServer_reconnectTunnel_Results promised by a client call.\ntype TunnelServer_reconnectTunnel_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelServer_reconnectTunnel_Results_Promise) Struct() (TunnelServer_reconnectTunnel_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelServer_reconnectTunnel_Results{s}, err\n}\n\nfunc (p TunnelServer_reconnectTunnel_Results_Promise) Result() TunnelRegistration_Promise {\n\treturn TunnelRegistration_Promise{Pipeline: p.Pipeline.GetPipeline(0)}\n}\n\ntype Tag struct{ capnp.Struct }\n\n// Tag_TypeID is the unique identifier for the type Tag.\nconst Tag_TypeID = 0xcbd96442ae3bb01a\n\nfunc NewTag(s *capnp.Segment) (Tag, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn Tag{st}, err\n}\n\nfunc NewRootTag(s *capnp.Segment) (Tag, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn Tag{st}, err\n}\n\nfunc ReadRootTag(msg *capnp.Message) (Tag, error) {\n\troot, err := msg.RootPtr()\n\treturn Tag{root.Struct()}, err\n}\n\nfunc (s Tag) String() string {\n\tstr, _ := text.Marshal(0xcbd96442ae3bb01a, s.Struct)\n\treturn str\n}\n\nfunc (s Tag) Name() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s Tag) HasName() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s Tag) NameBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s Tag) SetName(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\nfunc (s Tag) Value() (string, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.Text(), err\n}\n\nfunc (s Tag) HasValue() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s Tag) ValueBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.TextBytes(), err\n}\n\nfunc (s Tag) SetValue(v string) error {\n\treturn s.Struct.SetText(1, v)\n}\n\n// Tag_List is a list of Tag.\ntype Tag_List struct{ capnp.List }\n\n// NewTag creates a new list of Tag.\nfunc NewTag_List(s *capnp.Segment, sz int32) (Tag_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2}, sz)\n\treturn Tag_List{l}, err\n}\n\nfunc (s Tag_List) At(i int) Tag { return Tag{s.List.Struct(i)} }\n\nfunc (s Tag_List) Set(i int, v Tag) error { return s.List.SetStruct(i, v.Struct) }\n\nfunc (s Tag_List) String() string {\n\tstr, _ := text.MarshalList(0xcbd96442ae3bb01a, s.List)\n\treturn str\n}\n\n// Tag_Promise is a wrapper for a Tag promised by a client call.\ntype Tag_Promise struct{ *capnp.Pipeline }\n\nfunc (p Tag_Promise) Struct() (Tag, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn Tag{s}, err\n}\n\ntype ClientInfo struct{ capnp.Struct }\n\n// ClientInfo_TypeID is the unique identifier for the type ClientInfo.\nconst ClientInfo_TypeID = 0x83ced0145b2f114b\n\nfunc NewClientInfo(s *capnp.Segment) (ClientInfo, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 4})\n\treturn ClientInfo{st}, err\n}\n\nfunc NewRootClientInfo(s *capnp.Segment) (ClientInfo, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 4})\n\treturn ClientInfo{st}, err\n}\n\nfunc ReadRootClientInfo(msg *capnp.Message) (ClientInfo, error) {\n\troot, err := msg.RootPtr()\n\treturn ClientInfo{root.Struct()}, err\n}\n\nfunc (s ClientInfo) String() string {\n\tstr, _ := text.Marshal(0x83ced0145b2f114b, s.Struct)\n\treturn str\n}\n\nfunc (s ClientInfo) ClientId() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s ClientInfo) HasClientId() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ClientInfo) SetClientId(v []byte) error {\n\treturn s.Struct.SetData(0, v)\n}\n\nfunc (s ClientInfo) Features() (capnp.TextList, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn capnp.TextList{List: p.List()}, err\n}\n\nfunc (s ClientInfo) HasFeatures() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ClientInfo) SetFeatures(v capnp.TextList) error {\n\treturn s.Struct.SetPtr(1, v.List.ToPtr())\n}\n\n// NewFeatures sets the features field to a newly\n// allocated capnp.TextList, preferring placement in s's segment.\nfunc (s ClientInfo) NewFeatures(n int32) (capnp.TextList, error) {\n\tl, err := capnp.NewTextList(s.Struct.Segment(), n)\n\tif err != nil {\n\t\treturn capnp.TextList{}, err\n\t}\n\terr = s.Struct.SetPtr(1, l.List.ToPtr())\n\treturn l, err\n}\n\nfunc (s ClientInfo) Version() (string, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.Text(), err\n}\n\nfunc (s ClientInfo) HasVersion() bool {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ClientInfo) VersionBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.TextBytes(), err\n}\n\nfunc (s ClientInfo) SetVersion(v string) error {\n\treturn s.Struct.SetText(2, v)\n}\n\nfunc (s ClientInfo) Arch() (string, error) {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.Text(), err\n}\n\nfunc (s ClientInfo) HasArch() bool {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ClientInfo) ArchBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(3)\n\treturn p.TextBytes(), err\n}\n\nfunc (s ClientInfo) SetArch(v string) error {\n\treturn s.Struct.SetText(3, v)\n}\n\n// ClientInfo_List is a list of ClientInfo.\ntype ClientInfo_List struct{ capnp.List }\n\n// NewClientInfo creates a new list of ClientInfo.\nfunc NewClientInfo_List(s *capnp.Segment, sz int32) (ClientInfo_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 4}, sz)\n\treturn ClientInfo_List{l}, err\n}\n\nfunc (s ClientInfo_List) At(i int) ClientInfo { return ClientInfo{s.List.Struct(i)} }\n\nfunc (s ClientInfo_List) Set(i int, v ClientInfo) error { return s.List.SetStruct(i, v.Struct) }\n\nfunc (s ClientInfo_List) String() string {\n\tstr, _ := text.MarshalList(0x83ced0145b2f114b, s.List)\n\treturn str\n}\n\n// ClientInfo_Promise is a wrapper for a ClientInfo promised by a client call.\ntype ClientInfo_Promise struct{ *capnp.Pipeline }\n\nfunc (p ClientInfo_Promise) Struct() (ClientInfo, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn ClientInfo{s}, err\n}\n\ntype ConnectionOptions struct{ capnp.Struct }\n\n// ConnectionOptions_TypeID is the unique identifier for the type ConnectionOptions.\nconst ConnectionOptions_TypeID = 0xb4bf9861fe035d04\n\nfunc NewConnectionOptions(s *capnp.Segment) (ConnectionOptions, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 2})\n\treturn ConnectionOptions{st}, err\n}\n\nfunc NewRootConnectionOptions(s *capnp.Segment) (ConnectionOptions, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 2})\n\treturn ConnectionOptions{st}, err\n}\n\nfunc ReadRootConnectionOptions(msg *capnp.Message) (ConnectionOptions, error) {\n\troot, err := msg.RootPtr()\n\treturn ConnectionOptions{root.Struct()}, err\n}\n\nfunc (s ConnectionOptions) String() string {\n\tstr, _ := text.Marshal(0xb4bf9861fe035d04, s.Struct)\n\treturn str\n}\n\nfunc (s ConnectionOptions) Client() (ClientInfo, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn ClientInfo{Struct: p.Struct()}, err\n}\n\nfunc (s ConnectionOptions) HasClient() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConnectionOptions) SetClient(v ClientInfo) error {\n\treturn s.Struct.SetPtr(0, v.Struct.ToPtr())\n}\n\n// NewClient sets the client field to a newly\n// allocated ClientInfo struct, preferring placement in s's segment.\nfunc (s ConnectionOptions) NewClient() (ClientInfo, error) {\n\tss, err := NewClientInfo(s.Struct.Segment())\n\tif err != nil {\n\t\treturn ClientInfo{}, err\n\t}\n\terr = s.Struct.SetPtr(0, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\nfunc (s ConnectionOptions) OriginLocalIp() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s ConnectionOptions) HasOriginLocalIp() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConnectionOptions) SetOriginLocalIp(v []byte) error {\n\treturn s.Struct.SetData(1, v)\n}\n\nfunc (s ConnectionOptions) ReplaceExisting() bool {\n\treturn s.Struct.Bit(0)\n}\n\nfunc (s ConnectionOptions) SetReplaceExisting(v bool) {\n\ts.Struct.SetBit(0, v)\n}\n\nfunc (s ConnectionOptions) CompressionQuality() uint8 {\n\treturn s.Struct.Uint8(1)\n}\n\nfunc (s ConnectionOptions) SetCompressionQuality(v uint8) {\n\ts.Struct.SetUint8(1, v)\n}\n\nfunc (s ConnectionOptions) NumPreviousAttempts() uint8 {\n\treturn s.Struct.Uint8(2)\n}\n\nfunc (s ConnectionOptions) SetNumPreviousAttempts(v uint8) {\n\ts.Struct.SetUint8(2, v)\n}\n\n// ConnectionOptions_List is a list of ConnectionOptions.\ntype ConnectionOptions_List struct{ capnp.List }\n\n// NewConnectionOptions creates a new list of ConnectionOptions.\nfunc NewConnectionOptions_List(s *capnp.Segment, sz int32) (ConnectionOptions_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 8, PointerCount: 2}, sz)\n\treturn ConnectionOptions_List{l}, err\n}\n\nfunc (s ConnectionOptions_List) At(i int) ConnectionOptions {\n\treturn ConnectionOptions{s.List.Struct(i)}\n}\n\nfunc (s ConnectionOptions_List) Set(i int, v ConnectionOptions) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s ConnectionOptions_List) String() string {\n\tstr, _ := text.MarshalList(0xb4bf9861fe035d04, s.List)\n\treturn str\n}\n\n// ConnectionOptions_Promise is a wrapper for a ConnectionOptions promised by a client call.\ntype ConnectionOptions_Promise struct{ *capnp.Pipeline }\n\nfunc (p ConnectionOptions_Promise) Struct() (ConnectionOptions, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn ConnectionOptions{s}, err\n}\n\nfunc (p ConnectionOptions_Promise) Client() ClientInfo_Promise {\n\treturn ClientInfo_Promise{Pipeline: p.Pipeline.GetPipeline(0)}\n}\n\ntype ConnectionResponse struct{ capnp.Struct }\ntype ConnectionResponse_result ConnectionResponse\ntype ConnectionResponse_result_Which uint16\n\nconst (\n\tConnectionResponse_result_Which_error ConnectionResponse_result_Which = 0\n\tConnectionResponse_result_Which_connectionDetails ConnectionResponse_result_Which = 1\n)\n\nfunc (w ConnectionResponse_result_Which) String() string {\n\tconst s = \"errorconnectionDetails\"\n\tswitch w {\n\tcase ConnectionResponse_result_Which_error:\n\t\treturn s[0:5]\n\tcase ConnectionResponse_result_Which_connectionDetails:\n\t\treturn s[5:22]\n\n\t}\n\treturn \"ConnectionResponse_result_Which(\" + strconv.FormatUint(uint64(w), 10) + \")\"\n}\n\n// ConnectionResponse_TypeID is the unique identifier for the type ConnectionResponse.\nconst ConnectionResponse_TypeID = 0xdbaa9d03d52b62dc\n\nfunc NewConnectionResponse(s *capnp.Segment) (ConnectionResponse, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 1})\n\treturn ConnectionResponse{st}, err\n}\n\nfunc NewRootConnectionResponse(s *capnp.Segment) (ConnectionResponse, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 1})\n\treturn ConnectionResponse{st}, err\n}\n\nfunc ReadRootConnectionResponse(msg *capnp.Message) (ConnectionResponse, error) {\n\troot, err := msg.RootPtr()\n\treturn ConnectionResponse{root.Struct()}, err\n}\n\nfunc (s ConnectionResponse) String() string {\n\tstr, _ := text.Marshal(0xdbaa9d03d52b62dc, s.Struct)\n\treturn str\n}\n\nfunc (s ConnectionResponse) Result() ConnectionResponse_result { return ConnectionResponse_result(s) }\n\nfunc (s ConnectionResponse_result) Which() ConnectionResponse_result_Which {\n\treturn ConnectionResponse_result_Which(s.Struct.Uint16(0))\n}\nfunc (s ConnectionResponse_result) Error() (ConnectionError, error) {\n\tif s.Struct.Uint16(0) != 0 {\n\t\tpanic(\"Which() != error\")\n\t}\n\tp, err := s.Struct.Ptr(0)\n\treturn ConnectionError{Struct: p.Struct()}, err\n}\n\nfunc (s ConnectionResponse_result) HasError() bool {\n\tif s.Struct.Uint16(0) != 0 {\n\t\treturn false\n\t}\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConnectionResponse_result) SetError(v ConnectionError) error {\n\ts.Struct.SetUint16(0, 0)\n\treturn s.Struct.SetPtr(0, v.Struct.ToPtr())\n}\n\n// NewError sets the error field to a newly\n// allocated ConnectionError struct, preferring placement in s's segment.\nfunc (s ConnectionResponse_result) NewError() (ConnectionError, error) {\n\ts.Struct.SetUint16(0, 0)\n\tss, err := NewConnectionError(s.Struct.Segment())\n\tif err != nil {\n\t\treturn ConnectionError{}, err\n\t}\n\terr = s.Struct.SetPtr(0, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\nfunc (s ConnectionResponse_result) ConnectionDetails() (ConnectionDetails, error) {\n\tif s.Struct.Uint16(0) != 1 {\n\t\tpanic(\"Which() != connectionDetails\")\n\t}\n\tp, err := s.Struct.Ptr(0)\n\treturn ConnectionDetails{Struct: p.Struct()}, err\n}\n\nfunc (s ConnectionResponse_result) HasConnectionDetails() bool {\n\tif s.Struct.Uint16(0) != 1 {\n\t\treturn false\n\t}\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConnectionResponse_result) SetConnectionDetails(v ConnectionDetails) error {\n\ts.Struct.SetUint16(0, 1)\n\treturn s.Struct.SetPtr(0, v.Struct.ToPtr())\n}\n\n// NewConnectionDetails sets the connectionDetails field to a newly\n// allocated ConnectionDetails struct, preferring placement in s's segment.\nfunc (s ConnectionResponse_result) NewConnectionDetails() (ConnectionDetails, error) {\n\ts.Struct.SetUint16(0, 1)\n\tss, err := NewConnectionDetails(s.Struct.Segment())\n\tif err != nil {\n\t\treturn ConnectionDetails{}, err\n\t}\n\terr = s.Struct.SetPtr(0, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// ConnectionResponse_List is a list of ConnectionResponse.\ntype ConnectionResponse_List struct{ capnp.List }\n\n// NewConnectionResponse creates a new list of ConnectionResponse.\nfunc NewConnectionResponse_List(s *capnp.Segment, sz int32) (ConnectionResponse_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 8, PointerCount: 1}, sz)\n\treturn ConnectionResponse_List{l}, err\n}\n\nfunc (s ConnectionResponse_List) At(i int) ConnectionResponse {\n\treturn ConnectionResponse{s.List.Struct(i)}\n}\n\nfunc (s ConnectionResponse_List) Set(i int, v ConnectionResponse) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s ConnectionResponse_List) String() string {\n\tstr, _ := text.MarshalList(0xdbaa9d03d52b62dc, s.List)\n\treturn str\n}\n\n// ConnectionResponse_Promise is a wrapper for a ConnectionResponse promised by a client call.\ntype ConnectionResponse_Promise struct{ *capnp.Pipeline }\n\nfunc (p ConnectionResponse_Promise) Struct() (ConnectionResponse, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn ConnectionResponse{s}, err\n}\n\nfunc (p ConnectionResponse_Promise) Result() ConnectionResponse_result_Promise {\n\treturn ConnectionResponse_result_Promise{p.Pipeline}\n}\n\n// ConnectionResponse_result_Promise is a wrapper for a ConnectionResponse_result promised by a client call.\ntype ConnectionResponse_result_Promise struct{ *capnp.Pipeline }\n\nfunc (p ConnectionResponse_result_Promise) Struct() (ConnectionResponse_result, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn ConnectionResponse_result{s}, err\n}\n\nfunc (p ConnectionResponse_result_Promise) Error() ConnectionError_Promise {\n\treturn ConnectionError_Promise{Pipeline: p.Pipeline.GetPipeline(0)}\n}\n\nfunc (p ConnectionResponse_result_Promise) ConnectionDetails() ConnectionDetails_Promise {\n\treturn ConnectionDetails_Promise{Pipeline: p.Pipeline.GetPipeline(0)}\n}\n\ntype ConnectionError struct{ capnp.Struct }\n\n// ConnectionError_TypeID is the unique identifier for the type ConnectionError.\nconst ConnectionError_TypeID = 0xf5f383d2785edb86\n\nfunc NewConnectionError(s *capnp.Segment) (ConnectionError, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 16, PointerCount: 1})\n\treturn ConnectionError{st}, err\n}\n\nfunc NewRootConnectionError(s *capnp.Segment) (ConnectionError, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 16, PointerCount: 1})\n\treturn ConnectionError{st}, err\n}\n\nfunc ReadRootConnectionError(msg *capnp.Message) (ConnectionError, error) {\n\troot, err := msg.RootPtr()\n\treturn ConnectionError{root.Struct()}, err\n}\n\nfunc (s ConnectionError) String() string {\n\tstr, _ := text.Marshal(0xf5f383d2785edb86, s.Struct)\n\treturn str\n}\n\nfunc (s ConnectionError) Cause() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s ConnectionError) HasCause() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConnectionError) CauseBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s ConnectionError) SetCause(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\nfunc (s ConnectionError) RetryAfter() int64 {\n\treturn int64(s.Struct.Uint64(0))\n}\n\nfunc (s ConnectionError) SetRetryAfter(v int64) {\n\ts.Struct.SetUint64(0, uint64(v))\n}\n\nfunc (s ConnectionError) ShouldRetry() bool {\n\treturn s.Struct.Bit(64)\n}\n\nfunc (s ConnectionError) SetShouldRetry(v bool) {\n\ts.Struct.SetBit(64, v)\n}\n\n// ConnectionError_List is a list of ConnectionError.\ntype ConnectionError_List struct{ capnp.List }\n\n// NewConnectionError creates a new list of ConnectionError.\nfunc NewConnectionError_List(s *capnp.Segment, sz int32) (ConnectionError_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 16, PointerCount: 1}, sz)\n\treturn ConnectionError_List{l}, err\n}\n\nfunc (s ConnectionError_List) At(i int) ConnectionError { return ConnectionError{s.List.Struct(i)} }\n\nfunc (s ConnectionError_List) Set(i int, v ConnectionError) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s ConnectionError_List) String() string {\n\tstr, _ := text.MarshalList(0xf5f383d2785edb86, s.List)\n\treturn str\n}\n\n// ConnectionError_Promise is a wrapper for a ConnectionError promised by a client call.\ntype ConnectionError_Promise struct{ *capnp.Pipeline }\n\nfunc (p ConnectionError_Promise) Struct() (ConnectionError, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn ConnectionError{s}, err\n}\n\ntype ConnectionDetails struct{ capnp.Struct }\n\n// ConnectionDetails_TypeID is the unique identifier for the type ConnectionDetails.\nconst ConnectionDetails_TypeID = 0xb5f39f082b9ac18a\n\nfunc NewConnectionDetails(s *capnp.Segment) (ConnectionDetails, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 2})\n\treturn ConnectionDetails{st}, err\n}\n\nfunc NewRootConnectionDetails(s *capnp.Segment) (ConnectionDetails, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 2})\n\treturn ConnectionDetails{st}, err\n}\n\nfunc ReadRootConnectionDetails(msg *capnp.Message) (ConnectionDetails, error) {\n\troot, err := msg.RootPtr()\n\treturn ConnectionDetails{root.Struct()}, err\n}\n\nfunc (s ConnectionDetails) String() string {\n\tstr, _ := text.Marshal(0xb5f39f082b9ac18a, s.Struct)\n\treturn str\n}\n\nfunc (s ConnectionDetails) Uuid() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s ConnectionDetails) HasUuid() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConnectionDetails) SetUuid(v []byte) error {\n\treturn s.Struct.SetData(0, v)\n}\n\nfunc (s ConnectionDetails) LocationName() (string, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.Text(), err\n}\n\nfunc (s ConnectionDetails) HasLocationName() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConnectionDetails) LocationNameBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.TextBytes(), err\n}\n\nfunc (s ConnectionDetails) SetLocationName(v string) error {\n\treturn s.Struct.SetText(1, v)\n}\n\nfunc (s ConnectionDetails) TunnelIsRemotelyManaged() bool {\n\treturn s.Struct.Bit(0)\n}\n\nfunc (s ConnectionDetails) SetTunnelIsRemotelyManaged(v bool) {\n\ts.Struct.SetBit(0, v)\n}\n\n// ConnectionDetails_List is a list of ConnectionDetails.\ntype ConnectionDetails_List struct{ capnp.List }\n\n// NewConnectionDetails creates a new list of ConnectionDetails.\nfunc NewConnectionDetails_List(s *capnp.Segment, sz int32) (ConnectionDetails_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 8, PointerCount: 2}, sz)\n\treturn ConnectionDetails_List{l}, err\n}\n\nfunc (s ConnectionDetails_List) At(i int) ConnectionDetails {\n\treturn ConnectionDetails{s.List.Struct(i)}\n}\n\nfunc (s ConnectionDetails_List) Set(i int, v ConnectionDetails) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s ConnectionDetails_List) String() string {\n\tstr, _ := text.MarshalList(0xb5f39f082b9ac18a, s.List)\n\treturn str\n}\n\n// ConnectionDetails_Promise is a wrapper for a ConnectionDetails promised by a client call.\ntype ConnectionDetails_Promise struct{ *capnp.Pipeline }\n\nfunc (p ConnectionDetails_Promise) Struct() (ConnectionDetails, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn ConnectionDetails{s}, err\n}\n\ntype TunnelAuth struct{ capnp.Struct }\n\n// TunnelAuth_TypeID is the unique identifier for the type TunnelAuth.\nconst TunnelAuth_TypeID = 0x9496331ab9cd463f\n\nfunc NewTunnelAuth(s *capnp.Segment) (TunnelAuth, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn TunnelAuth{st}, err\n}\n\nfunc NewRootTunnelAuth(s *capnp.Segment) (TunnelAuth, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn TunnelAuth{st}, err\n}\n\nfunc ReadRootTunnelAuth(msg *capnp.Message) (TunnelAuth, error) {\n\troot, err := msg.RootPtr()\n\treturn TunnelAuth{root.Struct()}, err\n}\n\nfunc (s TunnelAuth) String() string {\n\tstr, _ := text.Marshal(0x9496331ab9cd463f, s.Struct)\n\treturn str\n}\n\nfunc (s TunnelAuth) AccountTag() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s TunnelAuth) HasAccountTag() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelAuth) AccountTagBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s TunnelAuth) SetAccountTag(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\nfunc (s TunnelAuth) TunnelSecret() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s TunnelAuth) HasTunnelSecret() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s TunnelAuth) SetTunnelSecret(v []byte) error {\n\treturn s.Struct.SetData(1, v)\n}\n\n// TunnelAuth_List is a list of TunnelAuth.\ntype TunnelAuth_List struct{ capnp.List }\n\n// NewTunnelAuth creates a new list of TunnelAuth.\nfunc NewTunnelAuth_List(s *capnp.Segment, sz int32) (TunnelAuth_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2}, sz)\n\treturn TunnelAuth_List{l}, err\n}\n\nfunc (s TunnelAuth_List) At(i int) TunnelAuth { return TunnelAuth{s.List.Struct(i)} }\n\nfunc (s TunnelAuth_List) Set(i int, v TunnelAuth) error { return s.List.SetStruct(i, v.Struct) }\n\nfunc (s TunnelAuth_List) String() string {\n\tstr, _ := text.MarshalList(0x9496331ab9cd463f, s.List)\n\treturn str\n}\n\n// TunnelAuth_Promise is a wrapper for a TunnelAuth promised by a client call.\ntype TunnelAuth_Promise struct{ *capnp.Pipeline }\n\nfunc (p TunnelAuth_Promise) Struct() (TunnelAuth, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn TunnelAuth{s}, err\n}\n\ntype RegistrationServer struct{ Client capnp.Client }\n\n// RegistrationServer_TypeID is the unique identifier for the type RegistrationServer.\nconst RegistrationServer_TypeID = 0xf71695ec7fe85497\n\nfunc (c RegistrationServer) RegisterConnection(ctx context.Context, params func(RegistrationServer_registerConnection_Params) error, opts ...capnp.CallOption) RegistrationServer_registerConnection_Results_Promise {\n\tif c.Client == nil {\n\t\treturn RegistrationServer_registerConnection_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"registerConnection\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 8, PointerCount: 3}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(RegistrationServer_registerConnection_Params{Struct: s}) }\n\t}\n\treturn RegistrationServer_registerConnection_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c RegistrationServer) UnregisterConnection(ctx context.Context, params func(RegistrationServer_unregisterConnection_Params) error, opts ...capnp.CallOption) RegistrationServer_unregisterConnection_Results_Promise {\n\tif c.Client == nil {\n\t\treturn RegistrationServer_unregisterConnection_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 1,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"unregisterConnection\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 0, PointerCount: 0}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(RegistrationServer_unregisterConnection_Params{Struct: s}) }\n\t}\n\treturn RegistrationServer_unregisterConnection_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c RegistrationServer) UpdateLocalConfiguration(ctx context.Context, params func(RegistrationServer_updateLocalConfiguration_Params) error, opts ...capnp.CallOption) RegistrationServer_updateLocalConfiguration_Results_Promise {\n\tif c.Client == nil {\n\t\treturn RegistrationServer_updateLocalConfiguration_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 2,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"updateLocalConfiguration\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 0, PointerCount: 1}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error {\n\t\t\treturn params(RegistrationServer_updateLocalConfiguration_Params{Struct: s})\n\t\t}\n\t}\n\treturn RegistrationServer_updateLocalConfiguration_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\n\ntype RegistrationServer_Server interface {\n\tRegisterConnection(RegistrationServer_registerConnection) error\n\n\tUnregisterConnection(RegistrationServer_unregisterConnection) error\n\n\tUpdateLocalConfiguration(RegistrationServer_updateLocalConfiguration) error\n}\n\nfunc RegistrationServer_ServerToClient(s RegistrationServer_Server) RegistrationServer {\n\tc, _ := s.(server.Closer)\n\treturn RegistrationServer{Client: server.New(RegistrationServer_Methods(nil, s), c)}\n}\n\nfunc RegistrationServer_Methods(methods []server.Method, s RegistrationServer_Server) []server.Method {\n\tif cap(methods) == 0 {\n\t\tmethods = make([]server.Method, 0, 3)\n\t}\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"registerConnection\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := RegistrationServer_registerConnection{c, opts, RegistrationServer_registerConnection_Params{Struct: p}, RegistrationServer_registerConnection_Results{Struct: r}}\n\t\t\treturn s.RegisterConnection(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 1},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 1,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"unregisterConnection\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := RegistrationServer_unregisterConnection{c, opts, RegistrationServer_unregisterConnection_Params{Struct: p}, RegistrationServer_unregisterConnection_Results{Struct: r}}\n\t\t\treturn s.UnregisterConnection(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 0},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xf71695ec7fe85497,\n\t\t\tMethodID: 2,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:RegistrationServer\",\n\t\t\tMethodName: \"updateLocalConfiguration\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := RegistrationServer_updateLocalConfiguration{c, opts, RegistrationServer_updateLocalConfiguration_Params{Struct: p}, RegistrationServer_updateLocalConfiguration_Results{Struct: r}}\n\t\t\treturn s.UpdateLocalConfiguration(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 0},\n\t})\n\n\treturn methods\n}\n\n// RegistrationServer_registerConnection holds the arguments for a server call to RegistrationServer.registerConnection.\ntype RegistrationServer_registerConnection struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams RegistrationServer_registerConnection_Params\n\tResults RegistrationServer_registerConnection_Results\n}\n\n// RegistrationServer_unregisterConnection holds the arguments for a server call to RegistrationServer.unregisterConnection.\ntype RegistrationServer_unregisterConnection struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams RegistrationServer_unregisterConnection_Params\n\tResults RegistrationServer_unregisterConnection_Results\n}\n\n// RegistrationServer_updateLocalConfiguration holds the arguments for a server call to RegistrationServer.updateLocalConfiguration.\ntype RegistrationServer_updateLocalConfiguration struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams RegistrationServer_updateLocalConfiguration_Params\n\tResults RegistrationServer_updateLocalConfiguration_Results\n}\n\ntype RegistrationServer_registerConnection_Params struct{ capnp.Struct }\n\n// RegistrationServer_registerConnection_Params_TypeID is the unique identifier for the type RegistrationServer_registerConnection_Params.\nconst RegistrationServer_registerConnection_Params_TypeID = 0xe6646dec8feaa6ee\n\nfunc NewRegistrationServer_registerConnection_Params(s *capnp.Segment) (RegistrationServer_registerConnection_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 3})\n\treturn RegistrationServer_registerConnection_Params{st}, err\n}\n\nfunc NewRootRegistrationServer_registerConnection_Params(s *capnp.Segment) (RegistrationServer_registerConnection_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 3})\n\treturn RegistrationServer_registerConnection_Params{st}, err\n}\n\nfunc ReadRootRegistrationServer_registerConnection_Params(msg *capnp.Message) (RegistrationServer_registerConnection_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn RegistrationServer_registerConnection_Params{root.Struct()}, err\n}\n\nfunc (s RegistrationServer_registerConnection_Params) String() string {\n\tstr, _ := text.Marshal(0xe6646dec8feaa6ee, s.Struct)\n\treturn str\n}\n\nfunc (s RegistrationServer_registerConnection_Params) Auth() (TunnelAuth, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn TunnelAuth{Struct: p.Struct()}, err\n}\n\nfunc (s RegistrationServer_registerConnection_Params) HasAuth() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationServer_registerConnection_Params) SetAuth(v TunnelAuth) error {\n\treturn s.Struct.SetPtr(0, v.Struct.ToPtr())\n}\n\n// NewAuth sets the auth field to a newly\n// allocated TunnelAuth struct, preferring placement in s's segment.\nfunc (s RegistrationServer_registerConnection_Params) NewAuth() (TunnelAuth, error) {\n\tss, err := NewTunnelAuth(s.Struct.Segment())\n\tif err != nil {\n\t\treturn TunnelAuth{}, err\n\t}\n\terr = s.Struct.SetPtr(0, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\nfunc (s RegistrationServer_registerConnection_Params) TunnelId() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s RegistrationServer_registerConnection_Params) HasTunnelId() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationServer_registerConnection_Params) SetTunnelId(v []byte) error {\n\treturn s.Struct.SetData(1, v)\n}\n\nfunc (s RegistrationServer_registerConnection_Params) ConnIndex() uint8 {\n\treturn s.Struct.Uint8(0)\n}\n\nfunc (s RegistrationServer_registerConnection_Params) SetConnIndex(v uint8) {\n\ts.Struct.SetUint8(0, v)\n}\n\nfunc (s RegistrationServer_registerConnection_Params) Options() (ConnectionOptions, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn ConnectionOptions{Struct: p.Struct()}, err\n}\n\nfunc (s RegistrationServer_registerConnection_Params) HasOptions() bool {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationServer_registerConnection_Params) SetOptions(v ConnectionOptions) error {\n\treturn s.Struct.SetPtr(2, v.Struct.ToPtr())\n}\n\n// NewOptions sets the options field to a newly\n// allocated ConnectionOptions struct, preferring placement in s's segment.\nfunc (s RegistrationServer_registerConnection_Params) NewOptions() (ConnectionOptions, error) {\n\tss, err := NewConnectionOptions(s.Struct.Segment())\n\tif err != nil {\n\t\treturn ConnectionOptions{}, err\n\t}\n\terr = s.Struct.SetPtr(2, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// RegistrationServer_registerConnection_Params_List is a list of RegistrationServer_registerConnection_Params.\ntype RegistrationServer_registerConnection_Params_List struct{ capnp.List }\n\n// NewRegistrationServer_registerConnection_Params creates a new list of RegistrationServer_registerConnection_Params.\nfunc NewRegistrationServer_registerConnection_Params_List(s *capnp.Segment, sz int32) (RegistrationServer_registerConnection_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 8, PointerCount: 3}, sz)\n\treturn RegistrationServer_registerConnection_Params_List{l}, err\n}\n\nfunc (s RegistrationServer_registerConnection_Params_List) At(i int) RegistrationServer_registerConnection_Params {\n\treturn RegistrationServer_registerConnection_Params{s.List.Struct(i)}\n}\n\nfunc (s RegistrationServer_registerConnection_Params_List) Set(i int, v RegistrationServer_registerConnection_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s RegistrationServer_registerConnection_Params_List) String() string {\n\tstr, _ := text.MarshalList(0xe6646dec8feaa6ee, s.List)\n\treturn str\n}\n\n// RegistrationServer_registerConnection_Params_Promise is a wrapper for a RegistrationServer_registerConnection_Params promised by a client call.\ntype RegistrationServer_registerConnection_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p RegistrationServer_registerConnection_Params_Promise) Struct() (RegistrationServer_registerConnection_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn RegistrationServer_registerConnection_Params{s}, err\n}\n\nfunc (p RegistrationServer_registerConnection_Params_Promise) Auth() TunnelAuth_Promise {\n\treturn TunnelAuth_Promise{Pipeline: p.Pipeline.GetPipeline(0)}\n}\n\nfunc (p RegistrationServer_registerConnection_Params_Promise) Options() ConnectionOptions_Promise {\n\treturn ConnectionOptions_Promise{Pipeline: p.Pipeline.GetPipeline(2)}\n}\n\ntype RegistrationServer_registerConnection_Results struct{ capnp.Struct }\n\n// RegistrationServer_registerConnection_Results_TypeID is the unique identifier for the type RegistrationServer_registerConnection_Results.\nconst RegistrationServer_registerConnection_Results_TypeID = 0xea50d822450d1f17\n\nfunc NewRegistrationServer_registerConnection_Results(s *capnp.Segment) (RegistrationServer_registerConnection_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn RegistrationServer_registerConnection_Results{st}, err\n}\n\nfunc NewRootRegistrationServer_registerConnection_Results(s *capnp.Segment) (RegistrationServer_registerConnection_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn RegistrationServer_registerConnection_Results{st}, err\n}\n\nfunc ReadRootRegistrationServer_registerConnection_Results(msg *capnp.Message) (RegistrationServer_registerConnection_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn RegistrationServer_registerConnection_Results{root.Struct()}, err\n}\n\nfunc (s RegistrationServer_registerConnection_Results) String() string {\n\tstr, _ := text.Marshal(0xea50d822450d1f17, s.Struct)\n\treturn str\n}\n\nfunc (s RegistrationServer_registerConnection_Results) Result() (ConnectionResponse, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn ConnectionResponse{Struct: p.Struct()}, err\n}\n\nfunc (s RegistrationServer_registerConnection_Results) HasResult() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationServer_registerConnection_Results) SetResult(v ConnectionResponse) error {\n\treturn s.Struct.SetPtr(0, v.Struct.ToPtr())\n}\n\n// NewResult sets the result field to a newly\n// allocated ConnectionResponse struct, preferring placement in s's segment.\nfunc (s RegistrationServer_registerConnection_Results) NewResult() (ConnectionResponse, error) {\n\tss, err := NewConnectionResponse(s.Struct.Segment())\n\tif err != nil {\n\t\treturn ConnectionResponse{}, err\n\t}\n\terr = s.Struct.SetPtr(0, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// RegistrationServer_registerConnection_Results_List is a list of RegistrationServer_registerConnection_Results.\ntype RegistrationServer_registerConnection_Results_List struct{ capnp.List }\n\n// NewRegistrationServer_registerConnection_Results creates a new list of RegistrationServer_registerConnection_Results.\nfunc NewRegistrationServer_registerConnection_Results_List(s *capnp.Segment, sz int32) (RegistrationServer_registerConnection_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1}, sz)\n\treturn RegistrationServer_registerConnection_Results_List{l}, err\n}\n\nfunc (s RegistrationServer_registerConnection_Results_List) At(i int) RegistrationServer_registerConnection_Results {\n\treturn RegistrationServer_registerConnection_Results{s.List.Struct(i)}\n}\n\nfunc (s RegistrationServer_registerConnection_Results_List) Set(i int, v RegistrationServer_registerConnection_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s RegistrationServer_registerConnection_Results_List) String() string {\n\tstr, _ := text.MarshalList(0xea50d822450d1f17, s.List)\n\treturn str\n}\n\n// RegistrationServer_registerConnection_Results_Promise is a wrapper for a RegistrationServer_registerConnection_Results promised by a client call.\ntype RegistrationServer_registerConnection_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p RegistrationServer_registerConnection_Results_Promise) Struct() (RegistrationServer_registerConnection_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn RegistrationServer_registerConnection_Results{s}, err\n}\n\nfunc (p RegistrationServer_registerConnection_Results_Promise) Result() ConnectionResponse_Promise {\n\treturn ConnectionResponse_Promise{Pipeline: p.Pipeline.GetPipeline(0)}\n}\n\ntype RegistrationServer_unregisterConnection_Params struct{ capnp.Struct }\n\n// RegistrationServer_unregisterConnection_Params_TypeID is the unique identifier for the type RegistrationServer_unregisterConnection_Params.\nconst RegistrationServer_unregisterConnection_Params_TypeID = 0xf9cb7f4431a307d0\n\nfunc NewRegistrationServer_unregisterConnection_Params(s *capnp.Segment) (RegistrationServer_unregisterConnection_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn RegistrationServer_unregisterConnection_Params{st}, err\n}\n\nfunc NewRootRegistrationServer_unregisterConnection_Params(s *capnp.Segment) (RegistrationServer_unregisterConnection_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn RegistrationServer_unregisterConnection_Params{st}, err\n}\n\nfunc ReadRootRegistrationServer_unregisterConnection_Params(msg *capnp.Message) (RegistrationServer_unregisterConnection_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn RegistrationServer_unregisterConnection_Params{root.Struct()}, err\n}\n\nfunc (s RegistrationServer_unregisterConnection_Params) String() string {\n\tstr, _ := text.Marshal(0xf9cb7f4431a307d0, s.Struct)\n\treturn str\n}\n\n// RegistrationServer_unregisterConnection_Params_List is a list of RegistrationServer_unregisterConnection_Params.\ntype RegistrationServer_unregisterConnection_Params_List struct{ capnp.List }\n\n// NewRegistrationServer_unregisterConnection_Params creates a new list of RegistrationServer_unregisterConnection_Params.\nfunc NewRegistrationServer_unregisterConnection_Params_List(s *capnp.Segment, sz int32) (RegistrationServer_unregisterConnection_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0}, sz)\n\treturn RegistrationServer_unregisterConnection_Params_List{l}, err\n}\n\nfunc (s RegistrationServer_unregisterConnection_Params_List) At(i int) RegistrationServer_unregisterConnection_Params {\n\treturn RegistrationServer_unregisterConnection_Params{s.List.Struct(i)}\n}\n\nfunc (s RegistrationServer_unregisterConnection_Params_List) Set(i int, v RegistrationServer_unregisterConnection_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s RegistrationServer_unregisterConnection_Params_List) String() string {\n\tstr, _ := text.MarshalList(0xf9cb7f4431a307d0, s.List)\n\treturn str\n}\n\n// RegistrationServer_unregisterConnection_Params_Promise is a wrapper for a RegistrationServer_unregisterConnection_Params promised by a client call.\ntype RegistrationServer_unregisterConnection_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p RegistrationServer_unregisterConnection_Params_Promise) Struct() (RegistrationServer_unregisterConnection_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn RegistrationServer_unregisterConnection_Params{s}, err\n}\n\ntype RegistrationServer_unregisterConnection_Results struct{ capnp.Struct }\n\n// RegistrationServer_unregisterConnection_Results_TypeID is the unique identifier for the type RegistrationServer_unregisterConnection_Results.\nconst RegistrationServer_unregisterConnection_Results_TypeID = 0xb046e578094b1ead\n\nfunc NewRegistrationServer_unregisterConnection_Results(s *capnp.Segment) (RegistrationServer_unregisterConnection_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn RegistrationServer_unregisterConnection_Results{st}, err\n}\n\nfunc NewRootRegistrationServer_unregisterConnection_Results(s *capnp.Segment) (RegistrationServer_unregisterConnection_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn RegistrationServer_unregisterConnection_Results{st}, err\n}\n\nfunc ReadRootRegistrationServer_unregisterConnection_Results(msg *capnp.Message) (RegistrationServer_unregisterConnection_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn RegistrationServer_unregisterConnection_Results{root.Struct()}, err\n}\n\nfunc (s RegistrationServer_unregisterConnection_Results) String() string {\n\tstr, _ := text.Marshal(0xb046e578094b1ead, s.Struct)\n\treturn str\n}\n\n// RegistrationServer_unregisterConnection_Results_List is a list of RegistrationServer_unregisterConnection_Results.\ntype RegistrationServer_unregisterConnection_Results_List struct{ capnp.List }\n\n// NewRegistrationServer_unregisterConnection_Results creates a new list of RegistrationServer_unregisterConnection_Results.\nfunc NewRegistrationServer_unregisterConnection_Results_List(s *capnp.Segment, sz int32) (RegistrationServer_unregisterConnection_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0}, sz)\n\treturn RegistrationServer_unregisterConnection_Results_List{l}, err\n}\n\nfunc (s RegistrationServer_unregisterConnection_Results_List) At(i int) RegistrationServer_unregisterConnection_Results {\n\treturn RegistrationServer_unregisterConnection_Results{s.List.Struct(i)}\n}\n\nfunc (s RegistrationServer_unregisterConnection_Results_List) Set(i int, v RegistrationServer_unregisterConnection_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s RegistrationServer_unregisterConnection_Results_List) String() string {\n\tstr, _ := text.MarshalList(0xb046e578094b1ead, s.List)\n\treturn str\n}\n\n// RegistrationServer_unregisterConnection_Results_Promise is a wrapper for a RegistrationServer_unregisterConnection_Results promised by a client call.\ntype RegistrationServer_unregisterConnection_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p RegistrationServer_unregisterConnection_Results_Promise) Struct() (RegistrationServer_unregisterConnection_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn RegistrationServer_unregisterConnection_Results{s}, err\n}\n\ntype RegistrationServer_updateLocalConfiguration_Params struct{ capnp.Struct }\n\n// RegistrationServer_updateLocalConfiguration_Params_TypeID is the unique identifier for the type RegistrationServer_updateLocalConfiguration_Params.\nconst RegistrationServer_updateLocalConfiguration_Params_TypeID = 0xc5d6e311876a3604\n\nfunc NewRegistrationServer_updateLocalConfiguration_Params(s *capnp.Segment) (RegistrationServer_updateLocalConfiguration_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn RegistrationServer_updateLocalConfiguration_Params{st}, err\n}\n\nfunc NewRootRegistrationServer_updateLocalConfiguration_Params(s *capnp.Segment) (RegistrationServer_updateLocalConfiguration_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn RegistrationServer_updateLocalConfiguration_Params{st}, err\n}\n\nfunc ReadRootRegistrationServer_updateLocalConfiguration_Params(msg *capnp.Message) (RegistrationServer_updateLocalConfiguration_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn RegistrationServer_updateLocalConfiguration_Params{root.Struct()}, err\n}\n\nfunc (s RegistrationServer_updateLocalConfiguration_Params) String() string {\n\tstr, _ := text.Marshal(0xc5d6e311876a3604, s.Struct)\n\treturn str\n}\n\nfunc (s RegistrationServer_updateLocalConfiguration_Params) Config() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s RegistrationServer_updateLocalConfiguration_Params) HasConfig() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegistrationServer_updateLocalConfiguration_Params) SetConfig(v []byte) error {\n\treturn s.Struct.SetData(0, v)\n}\n\n// RegistrationServer_updateLocalConfiguration_Params_List is a list of RegistrationServer_updateLocalConfiguration_Params.\ntype RegistrationServer_updateLocalConfiguration_Params_List struct{ capnp.List }\n\n// NewRegistrationServer_updateLocalConfiguration_Params creates a new list of RegistrationServer_updateLocalConfiguration_Params.\nfunc NewRegistrationServer_updateLocalConfiguration_Params_List(s *capnp.Segment, sz int32) (RegistrationServer_updateLocalConfiguration_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1}, sz)\n\treturn RegistrationServer_updateLocalConfiguration_Params_List{l}, err\n}\n\nfunc (s RegistrationServer_updateLocalConfiguration_Params_List) At(i int) RegistrationServer_updateLocalConfiguration_Params {\n\treturn RegistrationServer_updateLocalConfiguration_Params{s.List.Struct(i)}\n}\n\nfunc (s RegistrationServer_updateLocalConfiguration_Params_List) Set(i int, v RegistrationServer_updateLocalConfiguration_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s RegistrationServer_updateLocalConfiguration_Params_List) String() string {\n\tstr, _ := text.MarshalList(0xc5d6e311876a3604, s.List)\n\treturn str\n}\n\n// RegistrationServer_updateLocalConfiguration_Params_Promise is a wrapper for a RegistrationServer_updateLocalConfiguration_Params promised by a client call.\ntype RegistrationServer_updateLocalConfiguration_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p RegistrationServer_updateLocalConfiguration_Params_Promise) Struct() (RegistrationServer_updateLocalConfiguration_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn RegistrationServer_updateLocalConfiguration_Params{s}, err\n}\n\ntype RegistrationServer_updateLocalConfiguration_Results struct{ capnp.Struct }\n\n// RegistrationServer_updateLocalConfiguration_Results_TypeID is the unique identifier for the type RegistrationServer_updateLocalConfiguration_Results.\nconst RegistrationServer_updateLocalConfiguration_Results_TypeID = 0xe5ceae5d6897d7be\n\nfunc NewRegistrationServer_updateLocalConfiguration_Results(s *capnp.Segment) (RegistrationServer_updateLocalConfiguration_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn RegistrationServer_updateLocalConfiguration_Results{st}, err\n}\n\nfunc NewRootRegistrationServer_updateLocalConfiguration_Results(s *capnp.Segment) (RegistrationServer_updateLocalConfiguration_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn RegistrationServer_updateLocalConfiguration_Results{st}, err\n}\n\nfunc ReadRootRegistrationServer_updateLocalConfiguration_Results(msg *capnp.Message) (RegistrationServer_updateLocalConfiguration_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn RegistrationServer_updateLocalConfiguration_Results{root.Struct()}, err\n}\n\nfunc (s RegistrationServer_updateLocalConfiguration_Results) String() string {\n\tstr, _ := text.Marshal(0xe5ceae5d6897d7be, s.Struct)\n\treturn str\n}\n\n// RegistrationServer_updateLocalConfiguration_Results_List is a list of RegistrationServer_updateLocalConfiguration_Results.\ntype RegistrationServer_updateLocalConfiguration_Results_List struct{ capnp.List }\n\n// NewRegistrationServer_updateLocalConfiguration_Results creates a new list of RegistrationServer_updateLocalConfiguration_Results.\nfunc NewRegistrationServer_updateLocalConfiguration_Results_List(s *capnp.Segment, sz int32) (RegistrationServer_updateLocalConfiguration_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0}, sz)\n\treturn RegistrationServer_updateLocalConfiguration_Results_List{l}, err\n}\n\nfunc (s RegistrationServer_updateLocalConfiguration_Results_List) At(i int) RegistrationServer_updateLocalConfiguration_Results {\n\treturn RegistrationServer_updateLocalConfiguration_Results{s.List.Struct(i)}\n}\n\nfunc (s RegistrationServer_updateLocalConfiguration_Results_List) Set(i int, v RegistrationServer_updateLocalConfiguration_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s RegistrationServer_updateLocalConfiguration_Results_List) String() string {\n\tstr, _ := text.MarshalList(0xe5ceae5d6897d7be, s.List)\n\treturn str\n}\n\n// RegistrationServer_updateLocalConfiguration_Results_Promise is a wrapper for a RegistrationServer_updateLocalConfiguration_Results promised by a client call.\ntype RegistrationServer_updateLocalConfiguration_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p RegistrationServer_updateLocalConfiguration_Results_Promise) Struct() (RegistrationServer_updateLocalConfiguration_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn RegistrationServer_updateLocalConfiguration_Results{s}, err\n}\n\ntype RegisterUdpSessionResponse struct{ capnp.Struct }\n\n// RegisterUdpSessionResponse_TypeID is the unique identifier for the type RegisterUdpSessionResponse.\nconst RegisterUdpSessionResponse_TypeID = 0xab6d5210c1f26687\n\nfunc NewRegisterUdpSessionResponse(s *capnp.Segment) (RegisterUdpSessionResponse, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn RegisterUdpSessionResponse{st}, err\n}\n\nfunc NewRootRegisterUdpSessionResponse(s *capnp.Segment) (RegisterUdpSessionResponse, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn RegisterUdpSessionResponse{st}, err\n}\n\nfunc ReadRootRegisterUdpSessionResponse(msg *capnp.Message) (RegisterUdpSessionResponse, error) {\n\troot, err := msg.RootPtr()\n\treturn RegisterUdpSessionResponse{root.Struct()}, err\n}\n\nfunc (s RegisterUdpSessionResponse) String() string {\n\tstr, _ := text.Marshal(0xab6d5210c1f26687, s.Struct)\n\treturn str\n}\n\nfunc (s RegisterUdpSessionResponse) Err() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s RegisterUdpSessionResponse) HasErr() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegisterUdpSessionResponse) ErrBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s RegisterUdpSessionResponse) SetErr(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\nfunc (s RegisterUdpSessionResponse) Spans() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s RegisterUdpSessionResponse) HasSpans() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s RegisterUdpSessionResponse) SetSpans(v []byte) error {\n\treturn s.Struct.SetData(1, v)\n}\n\n// RegisterUdpSessionResponse_List is a list of RegisterUdpSessionResponse.\ntype RegisterUdpSessionResponse_List struct{ capnp.List }\n\n// NewRegisterUdpSessionResponse creates a new list of RegisterUdpSessionResponse.\nfunc NewRegisterUdpSessionResponse_List(s *capnp.Segment, sz int32) (RegisterUdpSessionResponse_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2}, sz)\n\treturn RegisterUdpSessionResponse_List{l}, err\n}\n\nfunc (s RegisterUdpSessionResponse_List) At(i int) RegisterUdpSessionResponse {\n\treturn RegisterUdpSessionResponse{s.List.Struct(i)}\n}\n\nfunc (s RegisterUdpSessionResponse_List) Set(i int, v RegisterUdpSessionResponse) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s RegisterUdpSessionResponse_List) String() string {\n\tstr, _ := text.MarshalList(0xab6d5210c1f26687, s.List)\n\treturn str\n}\n\n// RegisterUdpSessionResponse_Promise is a wrapper for a RegisterUdpSessionResponse promised by a client call.\ntype RegisterUdpSessionResponse_Promise struct{ *capnp.Pipeline }\n\nfunc (p RegisterUdpSessionResponse_Promise) Struct() (RegisterUdpSessionResponse, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn RegisterUdpSessionResponse{s}, err\n}\n\ntype SessionManager struct{ Client capnp.Client }\n\n// SessionManager_TypeID is the unique identifier for the type SessionManager.\nconst SessionManager_TypeID = 0x839445a59fb01686\n\nfunc (c SessionManager) RegisterUdpSession(ctx context.Context, params func(SessionManager_registerUdpSession_Params) error, opts ...capnp.CallOption) SessionManager_registerUdpSession_Results_Promise {\n\tif c.Client == nil {\n\t\treturn SessionManager_registerUdpSession_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0x839445a59fb01686,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:SessionManager\",\n\t\t\tMethodName: \"registerUdpSession\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 16, PointerCount: 3}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(SessionManager_registerUdpSession_Params{Struct: s}) }\n\t}\n\treturn SessionManager_registerUdpSession_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c SessionManager) UnregisterUdpSession(ctx context.Context, params func(SessionManager_unregisterUdpSession_Params) error, opts ...capnp.CallOption) SessionManager_unregisterUdpSession_Results_Promise {\n\tif c.Client == nil {\n\t\treturn SessionManager_unregisterUdpSession_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0x839445a59fb01686,\n\t\t\tMethodID: 1,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:SessionManager\",\n\t\t\tMethodName: \"unregisterUdpSession\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 0, PointerCount: 2}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(SessionManager_unregisterUdpSession_Params{Struct: s}) }\n\t}\n\treturn SessionManager_unregisterUdpSession_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\n\ntype SessionManager_Server interface {\n\tRegisterUdpSession(SessionManager_registerUdpSession) error\n\n\tUnregisterUdpSession(SessionManager_unregisterUdpSession) error\n}\n\nfunc SessionManager_ServerToClient(s SessionManager_Server) SessionManager {\n\tc, _ := s.(server.Closer)\n\treturn SessionManager{Client: server.New(SessionManager_Methods(nil, s), c)}\n}\n\nfunc SessionManager_Methods(methods []server.Method, s SessionManager_Server) []server.Method {\n\tif cap(methods) == 0 {\n\t\tmethods = make([]server.Method, 0, 2)\n\t}\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0x839445a59fb01686,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:SessionManager\",\n\t\t\tMethodName: \"registerUdpSession\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := SessionManager_registerUdpSession{c, opts, SessionManager_registerUdpSession_Params{Struct: p}, SessionManager_registerUdpSession_Results{Struct: r}}\n\t\t\treturn s.RegisterUdpSession(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 1},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0x839445a59fb01686,\n\t\t\tMethodID: 1,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:SessionManager\",\n\t\t\tMethodName: \"unregisterUdpSession\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := SessionManager_unregisterUdpSession{c, opts, SessionManager_unregisterUdpSession_Params{Struct: p}, SessionManager_unregisterUdpSession_Results{Struct: r}}\n\t\t\treturn s.UnregisterUdpSession(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 0},\n\t})\n\n\treturn methods\n}\n\n// SessionManager_registerUdpSession holds the arguments for a server call to SessionManager.registerUdpSession.\ntype SessionManager_registerUdpSession struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams SessionManager_registerUdpSession_Params\n\tResults SessionManager_registerUdpSession_Results\n}\n\n// SessionManager_unregisterUdpSession holds the arguments for a server call to SessionManager.unregisterUdpSession.\ntype SessionManager_unregisterUdpSession struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams SessionManager_unregisterUdpSession_Params\n\tResults SessionManager_unregisterUdpSession_Results\n}\n\ntype SessionManager_registerUdpSession_Params struct{ capnp.Struct }\n\n// SessionManager_registerUdpSession_Params_TypeID is the unique identifier for the type SessionManager_registerUdpSession_Params.\nconst SessionManager_registerUdpSession_Params_TypeID = 0x904e297b87fbecea\n\nfunc NewSessionManager_registerUdpSession_Params(s *capnp.Segment) (SessionManager_registerUdpSession_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 16, PointerCount: 3})\n\treturn SessionManager_registerUdpSession_Params{st}, err\n}\n\nfunc NewRootSessionManager_registerUdpSession_Params(s *capnp.Segment) (SessionManager_registerUdpSession_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 16, PointerCount: 3})\n\treturn SessionManager_registerUdpSession_Params{st}, err\n}\n\nfunc ReadRootSessionManager_registerUdpSession_Params(msg *capnp.Message) (SessionManager_registerUdpSession_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn SessionManager_registerUdpSession_Params{root.Struct()}, err\n}\n\nfunc (s SessionManager_registerUdpSession_Params) String() string {\n\tstr, _ := text.Marshal(0x904e297b87fbecea, s.Struct)\n\treturn str\n}\n\nfunc (s SessionManager_registerUdpSession_Params) SessionId() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s SessionManager_registerUdpSession_Params) HasSessionId() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s SessionManager_registerUdpSession_Params) SetSessionId(v []byte) error {\n\treturn s.Struct.SetData(0, v)\n}\n\nfunc (s SessionManager_registerUdpSession_Params) DstIp() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s SessionManager_registerUdpSession_Params) HasDstIp() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s SessionManager_registerUdpSession_Params) SetDstIp(v []byte) error {\n\treturn s.Struct.SetData(1, v)\n}\n\nfunc (s SessionManager_registerUdpSession_Params) DstPort() uint16 {\n\treturn s.Struct.Uint16(0)\n}\n\nfunc (s SessionManager_registerUdpSession_Params) SetDstPort(v uint16) {\n\ts.Struct.SetUint16(0, v)\n}\n\nfunc (s SessionManager_registerUdpSession_Params) CloseAfterIdleHint() int64 {\n\treturn int64(s.Struct.Uint64(8))\n}\n\nfunc (s SessionManager_registerUdpSession_Params) SetCloseAfterIdleHint(v int64) {\n\ts.Struct.SetUint64(8, uint64(v))\n}\n\nfunc (s SessionManager_registerUdpSession_Params) TraceContext() (string, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.Text(), err\n}\n\nfunc (s SessionManager_registerUdpSession_Params) HasTraceContext() bool {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s SessionManager_registerUdpSession_Params) TraceContextBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(2)\n\treturn p.TextBytes(), err\n}\n\nfunc (s SessionManager_registerUdpSession_Params) SetTraceContext(v string) error {\n\treturn s.Struct.SetText(2, v)\n}\n\n// SessionManager_registerUdpSession_Params_List is a list of SessionManager_registerUdpSession_Params.\ntype SessionManager_registerUdpSession_Params_List struct{ capnp.List }\n\n// NewSessionManager_registerUdpSession_Params creates a new list of SessionManager_registerUdpSession_Params.\nfunc NewSessionManager_registerUdpSession_Params_List(s *capnp.Segment, sz int32) (SessionManager_registerUdpSession_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 16, PointerCount: 3}, sz)\n\treturn SessionManager_registerUdpSession_Params_List{l}, err\n}\n\nfunc (s SessionManager_registerUdpSession_Params_List) At(i int) SessionManager_registerUdpSession_Params {\n\treturn SessionManager_registerUdpSession_Params{s.List.Struct(i)}\n}\n\nfunc (s SessionManager_registerUdpSession_Params_List) Set(i int, v SessionManager_registerUdpSession_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s SessionManager_registerUdpSession_Params_List) String() string {\n\tstr, _ := text.MarshalList(0x904e297b87fbecea, s.List)\n\treturn str\n}\n\n// SessionManager_registerUdpSession_Params_Promise is a wrapper for a SessionManager_registerUdpSession_Params promised by a client call.\ntype SessionManager_registerUdpSession_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p SessionManager_registerUdpSession_Params_Promise) Struct() (SessionManager_registerUdpSession_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn SessionManager_registerUdpSession_Params{s}, err\n}\n\ntype SessionManager_registerUdpSession_Results struct{ capnp.Struct }\n\n// SessionManager_registerUdpSession_Results_TypeID is the unique identifier for the type SessionManager_registerUdpSession_Results.\nconst SessionManager_registerUdpSession_Results_TypeID = 0x8635c6b4f45bf5cd\n\nfunc NewSessionManager_registerUdpSession_Results(s *capnp.Segment) (SessionManager_registerUdpSession_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn SessionManager_registerUdpSession_Results{st}, err\n}\n\nfunc NewRootSessionManager_registerUdpSession_Results(s *capnp.Segment) (SessionManager_registerUdpSession_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn SessionManager_registerUdpSession_Results{st}, err\n}\n\nfunc ReadRootSessionManager_registerUdpSession_Results(msg *capnp.Message) (SessionManager_registerUdpSession_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn SessionManager_registerUdpSession_Results{root.Struct()}, err\n}\n\nfunc (s SessionManager_registerUdpSession_Results) String() string {\n\tstr, _ := text.Marshal(0x8635c6b4f45bf5cd, s.Struct)\n\treturn str\n}\n\nfunc (s SessionManager_registerUdpSession_Results) Result() (RegisterUdpSessionResponse, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn RegisterUdpSessionResponse{Struct: p.Struct()}, err\n}\n\nfunc (s SessionManager_registerUdpSession_Results) HasResult() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s SessionManager_registerUdpSession_Results) SetResult(v RegisterUdpSessionResponse) error {\n\treturn s.Struct.SetPtr(0, v.Struct.ToPtr())\n}\n\n// NewResult sets the result field to a newly\n// allocated RegisterUdpSessionResponse struct, preferring placement in s's segment.\nfunc (s SessionManager_registerUdpSession_Results) NewResult() (RegisterUdpSessionResponse, error) {\n\tss, err := NewRegisterUdpSessionResponse(s.Struct.Segment())\n\tif err != nil {\n\t\treturn RegisterUdpSessionResponse{}, err\n\t}\n\terr = s.Struct.SetPtr(0, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// SessionManager_registerUdpSession_Results_List is a list of SessionManager_registerUdpSession_Results.\ntype SessionManager_registerUdpSession_Results_List struct{ capnp.List }\n\n// NewSessionManager_registerUdpSession_Results creates a new list of SessionManager_registerUdpSession_Results.\nfunc NewSessionManager_registerUdpSession_Results_List(s *capnp.Segment, sz int32) (SessionManager_registerUdpSession_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1}, sz)\n\treturn SessionManager_registerUdpSession_Results_List{l}, err\n}\n\nfunc (s SessionManager_registerUdpSession_Results_List) At(i int) SessionManager_registerUdpSession_Results {\n\treturn SessionManager_registerUdpSession_Results{s.List.Struct(i)}\n}\n\nfunc (s SessionManager_registerUdpSession_Results_List) Set(i int, v SessionManager_registerUdpSession_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s SessionManager_registerUdpSession_Results_List) String() string {\n\tstr, _ := text.MarshalList(0x8635c6b4f45bf5cd, s.List)\n\treturn str\n}\n\n// SessionManager_registerUdpSession_Results_Promise is a wrapper for a SessionManager_registerUdpSession_Results promised by a client call.\ntype SessionManager_registerUdpSession_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p SessionManager_registerUdpSession_Results_Promise) Struct() (SessionManager_registerUdpSession_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn SessionManager_registerUdpSession_Results{s}, err\n}\n\nfunc (p SessionManager_registerUdpSession_Results_Promise) Result() RegisterUdpSessionResponse_Promise {\n\treturn RegisterUdpSessionResponse_Promise{Pipeline: p.Pipeline.GetPipeline(0)}\n}\n\ntype SessionManager_unregisterUdpSession_Params struct{ capnp.Struct }\n\n// SessionManager_unregisterUdpSession_Params_TypeID is the unique identifier for the type SessionManager_unregisterUdpSession_Params.\nconst SessionManager_unregisterUdpSession_Params_TypeID = 0x96b74375ce9b0ef6\n\nfunc NewSessionManager_unregisterUdpSession_Params(s *capnp.Segment) (SessionManager_unregisterUdpSession_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn SessionManager_unregisterUdpSession_Params{st}, err\n}\n\nfunc NewRootSessionManager_unregisterUdpSession_Params(s *capnp.Segment) (SessionManager_unregisterUdpSession_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2})\n\treturn SessionManager_unregisterUdpSession_Params{st}, err\n}\n\nfunc ReadRootSessionManager_unregisterUdpSession_Params(msg *capnp.Message) (SessionManager_unregisterUdpSession_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn SessionManager_unregisterUdpSession_Params{root.Struct()}, err\n}\n\nfunc (s SessionManager_unregisterUdpSession_Params) String() string {\n\tstr, _ := text.Marshal(0x96b74375ce9b0ef6, s.Struct)\n\treturn str\n}\n\nfunc (s SessionManager_unregisterUdpSession_Params) SessionId() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s SessionManager_unregisterUdpSession_Params) HasSessionId() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s SessionManager_unregisterUdpSession_Params) SetSessionId(v []byte) error {\n\treturn s.Struct.SetData(0, v)\n}\n\nfunc (s SessionManager_unregisterUdpSession_Params) Message() (string, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.Text(), err\n}\n\nfunc (s SessionManager_unregisterUdpSession_Params) HasMessage() bool {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s SessionManager_unregisterUdpSession_Params) MessageBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(1)\n\treturn p.TextBytes(), err\n}\n\nfunc (s SessionManager_unregisterUdpSession_Params) SetMessage(v string) error {\n\treturn s.Struct.SetText(1, v)\n}\n\n// SessionManager_unregisterUdpSession_Params_List is a list of SessionManager_unregisterUdpSession_Params.\ntype SessionManager_unregisterUdpSession_Params_List struct{ capnp.List }\n\n// NewSessionManager_unregisterUdpSession_Params creates a new list of SessionManager_unregisterUdpSession_Params.\nfunc NewSessionManager_unregisterUdpSession_Params_List(s *capnp.Segment, sz int32) (SessionManager_unregisterUdpSession_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 2}, sz)\n\treturn SessionManager_unregisterUdpSession_Params_List{l}, err\n}\n\nfunc (s SessionManager_unregisterUdpSession_Params_List) At(i int) SessionManager_unregisterUdpSession_Params {\n\treturn SessionManager_unregisterUdpSession_Params{s.List.Struct(i)}\n}\n\nfunc (s SessionManager_unregisterUdpSession_Params_List) Set(i int, v SessionManager_unregisterUdpSession_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s SessionManager_unregisterUdpSession_Params_List) String() string {\n\tstr, _ := text.MarshalList(0x96b74375ce9b0ef6, s.List)\n\treturn str\n}\n\n// SessionManager_unregisterUdpSession_Params_Promise is a wrapper for a SessionManager_unregisterUdpSession_Params promised by a client call.\ntype SessionManager_unregisterUdpSession_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p SessionManager_unregisterUdpSession_Params_Promise) Struct() (SessionManager_unregisterUdpSession_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn SessionManager_unregisterUdpSession_Params{s}, err\n}\n\ntype SessionManager_unregisterUdpSession_Results struct{ capnp.Struct }\n\n// SessionManager_unregisterUdpSession_Results_TypeID is the unique identifier for the type SessionManager_unregisterUdpSession_Results.\nconst SessionManager_unregisterUdpSession_Results_TypeID = 0xf24ec4ab5891b676\n\nfunc NewSessionManager_unregisterUdpSession_Results(s *capnp.Segment) (SessionManager_unregisterUdpSession_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn SessionManager_unregisterUdpSession_Results{st}, err\n}\n\nfunc NewRootSessionManager_unregisterUdpSession_Results(s *capnp.Segment) (SessionManager_unregisterUdpSession_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0})\n\treturn SessionManager_unregisterUdpSession_Results{st}, err\n}\n\nfunc ReadRootSessionManager_unregisterUdpSession_Results(msg *capnp.Message) (SessionManager_unregisterUdpSession_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn SessionManager_unregisterUdpSession_Results{root.Struct()}, err\n}\n\nfunc (s SessionManager_unregisterUdpSession_Results) String() string {\n\tstr, _ := text.Marshal(0xf24ec4ab5891b676, s.Struct)\n\treturn str\n}\n\n// SessionManager_unregisterUdpSession_Results_List is a list of SessionManager_unregisterUdpSession_Results.\ntype SessionManager_unregisterUdpSession_Results_List struct{ capnp.List }\n\n// NewSessionManager_unregisterUdpSession_Results creates a new list of SessionManager_unregisterUdpSession_Results.\nfunc NewSessionManager_unregisterUdpSession_Results_List(s *capnp.Segment, sz int32) (SessionManager_unregisterUdpSession_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 0}, sz)\n\treturn SessionManager_unregisterUdpSession_Results_List{l}, err\n}\n\nfunc (s SessionManager_unregisterUdpSession_Results_List) At(i int) SessionManager_unregisterUdpSession_Results {\n\treturn SessionManager_unregisterUdpSession_Results{s.List.Struct(i)}\n}\n\nfunc (s SessionManager_unregisterUdpSession_Results_List) Set(i int, v SessionManager_unregisterUdpSession_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s SessionManager_unregisterUdpSession_Results_List) String() string {\n\tstr, _ := text.MarshalList(0xf24ec4ab5891b676, s.List)\n\treturn str\n}\n\n// SessionManager_unregisterUdpSession_Results_Promise is a wrapper for a SessionManager_unregisterUdpSession_Results promised by a client call.\ntype SessionManager_unregisterUdpSession_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p SessionManager_unregisterUdpSession_Results_Promise) Struct() (SessionManager_unregisterUdpSession_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn SessionManager_unregisterUdpSession_Results{s}, err\n}\n\ntype UpdateConfigurationResponse struct{ capnp.Struct }\n\n// UpdateConfigurationResponse_TypeID is the unique identifier for the type UpdateConfigurationResponse.\nconst UpdateConfigurationResponse_TypeID = 0xdb58ff694ba05cf9\n\nfunc NewUpdateConfigurationResponse(s *capnp.Segment) (UpdateConfigurationResponse, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 1})\n\treturn UpdateConfigurationResponse{st}, err\n}\n\nfunc NewRootUpdateConfigurationResponse(s *capnp.Segment) (UpdateConfigurationResponse, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 1})\n\treturn UpdateConfigurationResponse{st}, err\n}\n\nfunc ReadRootUpdateConfigurationResponse(msg *capnp.Message) (UpdateConfigurationResponse, error) {\n\troot, err := msg.RootPtr()\n\treturn UpdateConfigurationResponse{root.Struct()}, err\n}\n\nfunc (s UpdateConfigurationResponse) String() string {\n\tstr, _ := text.Marshal(0xdb58ff694ba05cf9, s.Struct)\n\treturn str\n}\n\nfunc (s UpdateConfigurationResponse) LatestAppliedVersion() int32 {\n\treturn int32(s.Struct.Uint32(0))\n}\n\nfunc (s UpdateConfigurationResponse) SetLatestAppliedVersion(v int32) {\n\ts.Struct.SetUint32(0, uint32(v))\n}\n\nfunc (s UpdateConfigurationResponse) Err() (string, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.Text(), err\n}\n\nfunc (s UpdateConfigurationResponse) HasErr() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s UpdateConfigurationResponse) ErrBytes() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.TextBytes(), err\n}\n\nfunc (s UpdateConfigurationResponse) SetErr(v string) error {\n\treturn s.Struct.SetText(0, v)\n}\n\n// UpdateConfigurationResponse_List is a list of UpdateConfigurationResponse.\ntype UpdateConfigurationResponse_List struct{ capnp.List }\n\n// NewUpdateConfigurationResponse creates a new list of UpdateConfigurationResponse.\nfunc NewUpdateConfigurationResponse_List(s *capnp.Segment, sz int32) (UpdateConfigurationResponse_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 8, PointerCount: 1}, sz)\n\treturn UpdateConfigurationResponse_List{l}, err\n}\n\nfunc (s UpdateConfigurationResponse_List) At(i int) UpdateConfigurationResponse {\n\treturn UpdateConfigurationResponse{s.List.Struct(i)}\n}\n\nfunc (s UpdateConfigurationResponse_List) Set(i int, v UpdateConfigurationResponse) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s UpdateConfigurationResponse_List) String() string {\n\tstr, _ := text.MarshalList(0xdb58ff694ba05cf9, s.List)\n\treturn str\n}\n\n// UpdateConfigurationResponse_Promise is a wrapper for a UpdateConfigurationResponse promised by a client call.\ntype UpdateConfigurationResponse_Promise struct{ *capnp.Pipeline }\n\nfunc (p UpdateConfigurationResponse_Promise) Struct() (UpdateConfigurationResponse, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn UpdateConfigurationResponse{s}, err\n}\n\ntype ConfigurationManager struct{ Client capnp.Client }\n\n// ConfigurationManager_TypeID is the unique identifier for the type ConfigurationManager.\nconst ConfigurationManager_TypeID = 0xb48edfbdaa25db04\n\nfunc (c ConfigurationManager) UpdateConfiguration(ctx context.Context, params func(ConfigurationManager_updateConfiguration_Params) error, opts ...capnp.CallOption) ConfigurationManager_updateConfiguration_Results_Promise {\n\tif c.Client == nil {\n\t\treturn ConfigurationManager_updateConfiguration_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xb48edfbdaa25db04,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:ConfigurationManager\",\n\t\t\tMethodName: \"updateConfiguration\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 8, PointerCount: 1}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(ConfigurationManager_updateConfiguration_Params{Struct: s}) }\n\t}\n\treturn ConfigurationManager_updateConfiguration_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\n\ntype ConfigurationManager_Server interface {\n\tUpdateConfiguration(ConfigurationManager_updateConfiguration) error\n}\n\nfunc ConfigurationManager_ServerToClient(s ConfigurationManager_Server) ConfigurationManager {\n\tc, _ := s.(server.Closer)\n\treturn ConfigurationManager{Client: server.New(ConfigurationManager_Methods(nil, s), c)}\n}\n\nfunc ConfigurationManager_Methods(methods []server.Method, s ConfigurationManager_Server) []server.Method {\n\tif cap(methods) == 0 {\n\t\tmethods = make([]server.Method, 0, 1)\n\t}\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xb48edfbdaa25db04,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:ConfigurationManager\",\n\t\t\tMethodName: \"updateConfiguration\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := ConfigurationManager_updateConfiguration{c, opts, ConfigurationManager_updateConfiguration_Params{Struct: p}, ConfigurationManager_updateConfiguration_Results{Struct: r}}\n\t\t\treturn s.UpdateConfiguration(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 1},\n\t})\n\n\treturn methods\n}\n\n// ConfigurationManager_updateConfiguration holds the arguments for a server call to ConfigurationManager.updateConfiguration.\ntype ConfigurationManager_updateConfiguration struct {\n\tCtx context.Context\n\tOptions capnp.CallOptions\n\tParams ConfigurationManager_updateConfiguration_Params\n\tResults ConfigurationManager_updateConfiguration_Results\n}\n\ntype ConfigurationManager_updateConfiguration_Params struct{ capnp.Struct }\n\n// ConfigurationManager_updateConfiguration_Params_TypeID is the unique identifier for the type ConfigurationManager_updateConfiguration_Params.\nconst ConfigurationManager_updateConfiguration_Params_TypeID = 0xb177ca2526a3ca76\n\nfunc NewConfigurationManager_updateConfiguration_Params(s *capnp.Segment) (ConfigurationManager_updateConfiguration_Params, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 1})\n\treturn ConfigurationManager_updateConfiguration_Params{st}, err\n}\n\nfunc NewRootConfigurationManager_updateConfiguration_Params(s *capnp.Segment) (ConfigurationManager_updateConfiguration_Params, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 8, PointerCount: 1})\n\treturn ConfigurationManager_updateConfiguration_Params{st}, err\n}\n\nfunc ReadRootConfigurationManager_updateConfiguration_Params(msg *capnp.Message) (ConfigurationManager_updateConfiguration_Params, error) {\n\troot, err := msg.RootPtr()\n\treturn ConfigurationManager_updateConfiguration_Params{root.Struct()}, err\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Params) String() string {\n\tstr, _ := text.Marshal(0xb177ca2526a3ca76, s.Struct)\n\treturn str\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Params) Version() int32 {\n\treturn int32(s.Struct.Uint32(0))\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Params) SetVersion(v int32) {\n\ts.Struct.SetUint32(0, uint32(v))\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Params) Config() ([]byte, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn []byte(p.Data()), err\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Params) HasConfig() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Params) SetConfig(v []byte) error {\n\treturn s.Struct.SetData(0, v)\n}\n\n// ConfigurationManager_updateConfiguration_Params_List is a list of ConfigurationManager_updateConfiguration_Params.\ntype ConfigurationManager_updateConfiguration_Params_List struct{ capnp.List }\n\n// NewConfigurationManager_updateConfiguration_Params creates a new list of ConfigurationManager_updateConfiguration_Params.\nfunc NewConfigurationManager_updateConfiguration_Params_List(s *capnp.Segment, sz int32) (ConfigurationManager_updateConfiguration_Params_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 8, PointerCount: 1}, sz)\n\treturn ConfigurationManager_updateConfiguration_Params_List{l}, err\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Params_List) At(i int) ConfigurationManager_updateConfiguration_Params {\n\treturn ConfigurationManager_updateConfiguration_Params{s.List.Struct(i)}\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Params_List) Set(i int, v ConfigurationManager_updateConfiguration_Params) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Params_List) String() string {\n\tstr, _ := text.MarshalList(0xb177ca2526a3ca76, s.List)\n\treturn str\n}\n\n// ConfigurationManager_updateConfiguration_Params_Promise is a wrapper for a ConfigurationManager_updateConfiguration_Params promised by a client call.\ntype ConfigurationManager_updateConfiguration_Params_Promise struct{ *capnp.Pipeline }\n\nfunc (p ConfigurationManager_updateConfiguration_Params_Promise) Struct() (ConfigurationManager_updateConfiguration_Params, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn ConfigurationManager_updateConfiguration_Params{s}, err\n}\n\ntype ConfigurationManager_updateConfiguration_Results struct{ capnp.Struct }\n\n// ConfigurationManager_updateConfiguration_Results_TypeID is the unique identifier for the type ConfigurationManager_updateConfiguration_Results.\nconst ConfigurationManager_updateConfiguration_Results_TypeID = 0x958096448eb3373e\n\nfunc NewConfigurationManager_updateConfiguration_Results(s *capnp.Segment) (ConfigurationManager_updateConfiguration_Results, error) {\n\tst, err := capnp.NewStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn ConfigurationManager_updateConfiguration_Results{st}, err\n}\n\nfunc NewRootConfigurationManager_updateConfiguration_Results(s *capnp.Segment) (ConfigurationManager_updateConfiguration_Results, error) {\n\tst, err := capnp.NewRootStruct(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1})\n\treturn ConfigurationManager_updateConfiguration_Results{st}, err\n}\n\nfunc ReadRootConfigurationManager_updateConfiguration_Results(msg *capnp.Message) (ConfigurationManager_updateConfiguration_Results, error) {\n\troot, err := msg.RootPtr()\n\treturn ConfigurationManager_updateConfiguration_Results{root.Struct()}, err\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Results) String() string {\n\tstr, _ := text.Marshal(0x958096448eb3373e, s.Struct)\n\treturn str\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Results) Result() (UpdateConfigurationResponse, error) {\n\tp, err := s.Struct.Ptr(0)\n\treturn UpdateConfigurationResponse{Struct: p.Struct()}, err\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Results) HasResult() bool {\n\tp, err := s.Struct.Ptr(0)\n\treturn p.IsValid() || err != nil\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Results) SetResult(v UpdateConfigurationResponse) error {\n\treturn s.Struct.SetPtr(0, v.Struct.ToPtr())\n}\n\n// NewResult sets the result field to a newly\n// allocated UpdateConfigurationResponse struct, preferring placement in s's segment.\nfunc (s ConfigurationManager_updateConfiguration_Results) NewResult() (UpdateConfigurationResponse, error) {\n\tss, err := NewUpdateConfigurationResponse(s.Struct.Segment())\n\tif err != nil {\n\t\treturn UpdateConfigurationResponse{}, err\n\t}\n\terr = s.Struct.SetPtr(0, ss.Struct.ToPtr())\n\treturn ss, err\n}\n\n// ConfigurationManager_updateConfiguration_Results_List is a list of ConfigurationManager_updateConfiguration_Results.\ntype ConfigurationManager_updateConfiguration_Results_List struct{ capnp.List }\n\n// NewConfigurationManager_updateConfiguration_Results creates a new list of ConfigurationManager_updateConfiguration_Results.\nfunc NewConfigurationManager_updateConfiguration_Results_List(s *capnp.Segment, sz int32) (ConfigurationManager_updateConfiguration_Results_List, error) {\n\tl, err := capnp.NewCompositeList(s, capnp.ObjectSize{DataSize: 0, PointerCount: 1}, sz)\n\treturn ConfigurationManager_updateConfiguration_Results_List{l}, err\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Results_List) At(i int) ConfigurationManager_updateConfiguration_Results {\n\treturn ConfigurationManager_updateConfiguration_Results{s.List.Struct(i)}\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Results_List) Set(i int, v ConfigurationManager_updateConfiguration_Results) error {\n\treturn s.List.SetStruct(i, v.Struct)\n}\n\nfunc (s ConfigurationManager_updateConfiguration_Results_List) String() string {\n\tstr, _ := text.MarshalList(0x958096448eb3373e, s.List)\n\treturn str\n}\n\n// ConfigurationManager_updateConfiguration_Results_Promise is a wrapper for a ConfigurationManager_updateConfiguration_Results promised by a client call.\ntype ConfigurationManager_updateConfiguration_Results_Promise struct{ *capnp.Pipeline }\n\nfunc (p ConfigurationManager_updateConfiguration_Results_Promise) Struct() (ConfigurationManager_updateConfiguration_Results, error) {\n\ts, err := p.Pipeline.Struct()\n\treturn ConfigurationManager_updateConfiguration_Results{s}, err\n}\n\nfunc (p ConfigurationManager_updateConfiguration_Results_Promise) Result() UpdateConfigurationResponse_Promise {\n\treturn UpdateConfigurationResponse_Promise{Pipeline: p.Pipeline.GetPipeline(0)}\n}\n\ntype CloudflaredServer struct{ Client capnp.Client }\n\n// CloudflaredServer_TypeID is the unique identifier for the type CloudflaredServer.\nconst CloudflaredServer_TypeID = 0xf548cef9dea2a4a1\n\nfunc (c CloudflaredServer) RegisterUdpSession(ctx context.Context, params func(SessionManager_registerUdpSession_Params) error, opts ...capnp.CallOption) SessionManager_registerUdpSession_Results_Promise {\n\tif c.Client == nil {\n\t\treturn SessionManager_registerUdpSession_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0x839445a59fb01686,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:SessionManager\",\n\t\t\tMethodName: \"registerUdpSession\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 16, PointerCount: 3}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(SessionManager_registerUdpSession_Params{Struct: s}) }\n\t}\n\treturn SessionManager_registerUdpSession_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c CloudflaredServer) UnregisterUdpSession(ctx context.Context, params func(SessionManager_unregisterUdpSession_Params) error, opts ...capnp.CallOption) SessionManager_unregisterUdpSession_Results_Promise {\n\tif c.Client == nil {\n\t\treturn SessionManager_unregisterUdpSession_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0x839445a59fb01686,\n\t\t\tMethodID: 1,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:SessionManager\",\n\t\t\tMethodName: \"unregisterUdpSession\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 0, PointerCount: 2}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(SessionManager_unregisterUdpSession_Params{Struct: s}) }\n\t}\n\treturn SessionManager_unregisterUdpSession_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\nfunc (c CloudflaredServer) UpdateConfiguration(ctx context.Context, params func(ConfigurationManager_updateConfiguration_Params) error, opts ...capnp.CallOption) ConfigurationManager_updateConfiguration_Results_Promise {\n\tif c.Client == nil {\n\t\treturn ConfigurationManager_updateConfiguration_Results_Promise{Pipeline: capnp.NewPipeline(capnp.ErrorAnswer(capnp.ErrNullClient))}\n\t}\n\tcall := &capnp.Call{\n\t\tCtx: ctx,\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xb48edfbdaa25db04,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:ConfigurationManager\",\n\t\t\tMethodName: \"updateConfiguration\",\n\t\t},\n\t\tOptions: capnp.NewCallOptions(opts),\n\t}\n\tif params != nil {\n\t\tcall.ParamsSize = capnp.ObjectSize{DataSize: 8, PointerCount: 1}\n\t\tcall.ParamsFunc = func(s capnp.Struct) error { return params(ConfigurationManager_updateConfiguration_Params{Struct: s}) }\n\t}\n\treturn ConfigurationManager_updateConfiguration_Results_Promise{Pipeline: capnp.NewPipeline(c.Client.Call(call))}\n}\n\ntype CloudflaredServer_Server interface {\n\tRegisterUdpSession(SessionManager_registerUdpSession) error\n\n\tUnregisterUdpSession(SessionManager_unregisterUdpSession) error\n\n\tUpdateConfiguration(ConfigurationManager_updateConfiguration) error\n}\n\nfunc CloudflaredServer_ServerToClient(s CloudflaredServer_Server) CloudflaredServer {\n\tc, _ := s.(server.Closer)\n\treturn CloudflaredServer{Client: server.New(CloudflaredServer_Methods(nil, s), c)}\n}\n\nfunc CloudflaredServer_Methods(methods []server.Method, s CloudflaredServer_Server) []server.Method {\n\tif cap(methods) == 0 {\n\t\tmethods = make([]server.Method, 0, 3)\n\t}\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0x839445a59fb01686,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:SessionManager\",\n\t\t\tMethodName: \"registerUdpSession\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := SessionManager_registerUdpSession{c, opts, SessionManager_registerUdpSession_Params{Struct: p}, SessionManager_registerUdpSession_Results{Struct: r}}\n\t\t\treturn s.RegisterUdpSession(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 1},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0x839445a59fb01686,\n\t\t\tMethodID: 1,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:SessionManager\",\n\t\t\tMethodName: \"unregisterUdpSession\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := SessionManager_unregisterUdpSession{c, opts, SessionManager_unregisterUdpSession_Params{Struct: p}, SessionManager_unregisterUdpSession_Results{Struct: r}}\n\t\t\treturn s.UnregisterUdpSession(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 0},\n\t})\n\n\tmethods = append(methods, server.Method{\n\t\tMethod: capnp.Method{\n\t\t\tInterfaceID: 0xb48edfbdaa25db04,\n\t\t\tMethodID: 0,\n\t\t\tInterfaceName: \"tunnelrpc/proto/tunnelrpc.capnp:ConfigurationManager\",\n\t\t\tMethodName: \"updateConfiguration\",\n\t\t},\n\t\tImpl: func(c context.Context, opts capnp.CallOptions, p, r capnp.Struct) error {\n\t\t\tcall := ConfigurationManager_updateConfiguration{c, opts, ConfigurationManager_updateConfiguration_Params{Struct: p}, ConfigurationManager_updateConfiguration_Results{Struct: r}}\n\t\t\treturn s.UpdateConfiguration(call)\n\t\t},\n\t\tResultsSize: capnp.ObjectSize{DataSize: 0, PointerCount: 1},\n\t})\n\n\treturn methods\n}\n\nconst schema_db8274f9144abc7e = \"x\\xda\\xccZ}t\\x14\\xd7u\\xbfw\\xde.#\\xc9\\x12\" +\n\t\"\\xbb\\xe3\\xd9\\x04!E^G\\x07\\xda\\x9a\\x04cAIm\" +\n\t\"\\x9aD\\x12\\x96\\x88\\x85\\x01k\\xb4\\x90\\xe3\\x83q\\x8eG\\xbb\" +\n\t\"O\\xd2\\xa8\\xbb3\\x9b\\x99Y\\x19\\x11;|\\x04\\x8c\\xf1\\xb1\" +\n\t\"\\x1dC\\xc06Jh\\x08\\x8e\\xdbS9IM\\x8c\\x9b\\xa6\" +\n\t\"\\xc7nM\\x1a\\xc7\\x89\\x1d\\x13\\xe3cR\\x08N\\xd3\\x94\\xd0\" +\n\t\"6>\\xa4\\xae\\xbf\\x9a\\xc3i\\xea\\xe9\\xb93;\\x1f\\xda\\x15\" +\n\t\"H\\x82\\xf6\\x9c\\xfe\\x07w\\xef\\xbc\\xf7\\xee\\xef\\xfd\\xee}\\xbf\" +\n\t\"w\\x9f\\xae{\\xb1\\xb6Ch\\x8boN\\x00(G\\xe2\\xb3\" +\n\t\"\\x1c\\xbe\\xe0\\xd5M\\x07\\xe7\\xff\\xfd6P\\xaeFt>\\xff\" +\n\t\"\\xcc\\xca\\xd4y{\\xdbi\\x883\\x11`\\xc9\\xe3\\xe28\\xca\" +\n\t\"\\xcf\\x8a\\\"\\x80\\xfc]\\xf1_\\x01\\x9d{>\\xf8\\xe4W\\x1f\" +\n\t\"\\xef\\xde\\xfb\\x05\\x90\\xaef\\xa13\\xe0\\x92\\x035\\x9bP>\" +\n\t\"\\\\C\\x9e\\xdf\\xac\\xd9)7\\xd4\\x8a\\x00\\xce\\xcd\\xd2\\xa2\\xdb\" +\n\t\"R\\xaf\\x1c#\\xef\\xe8\\xd01\\x1a\\xfa\\xbd\\x9a\\xf5(\\xd7\\x92\" +\n\t\"\\x9b\\x1c\\xaf\\xa5\\xa1?^\\xf8\\xc9\\xa1\\x8f\\xed{i;H\" +\n\t\"W\\x0b\\x13\\x86~\\xabv\\x1c\\xe5\\xda:\\xd7\\xb3\\xee\\x16@\" +\n\t\"\\xe7\\x9d\\xbd\\x8dO|\\xed\\xd8\\x0fw\\x80\\xb4\\x10\\xa1\\xbc\\xd2\" +\n\t\"\\x96\\xba:\\x01P^Z\\xf7\\x97\\x80\\xce\\xcb\\xef\\xdd\\xf6\\xee\" +\n\t\"\\x91\\x1f,\\xbd\\x07\\xa4E\\xe4\\x80\\xe4p\\xa2\\xae\\x8f\\x1c\\xde\" +\n\t\"\\xaak\\x07t\\xde8\\xf7_;?w\\xcd\\x9a\\x87@Y\" +\n\t\"\\x84\\x82?\\x84t\\xc5J\\x01p\\xc9\\xc2+\\xd2\\x08\\xe8\\xb4\" +\n\t\"\\xafx\\xf9\\xbbMK\\x1e\\xde[\\xb1v\\x81<\\x95\\xfa\\xf5\" +\n\t\"(\\xf3zZ\\x91Z\\x7f'\\xa0\\xf3\\xc9?z\\xea\\xc1\\xae\" +\n\t\"\\x87\\xb7\\xec\\x03ii0\\xe1\\xf3\\xf5\\xf7\\xd1\\x84g\\xebi\" +\n\t\"\\xc2\\xff\\x9c\\xfd\\xe5c\\xa5\\x1b\\xbf\\xf3pyE\\xee(\\xf1\" +\n\t\"\\x86\\xf5\\xe4\\xf0\\xe1\\x06\\x1a\\xa1ud\\xfe\\x1d\\xdf{\\xfe\\xa9\" +\n\t\"G@Y\\x82\\xe8\\xbc\\xde\\xff\\x91\\x13\\xec\\xc0\\xf8iX\\x87\" +\n\t\"\\\"-p\\xc9\\xd6\\x86W\\x11P\\xde\\xe7\\xfa\\xfe\\xe4\\xa3\\xcf\" +\n\t\"\\xfc\\xcdCO\\xed\\xfc2(\\x0b\\x11\\x01\\\\8\\xcf7,\" +\n\t\"\\xa0\\xc1\\xa4\\xd94\\xdb\\xde\\x93\\xcf\\xae)\\xec\\x1e;\\xe4\\x01\" +\n\t\"\\xe4\\xfe~\\xc3\\xec\\xc5\\x02\\xc4\\x9c\\xed=\\xbf-\\xac{,\" +\n\t\"\\xf3X\\x19\\xba8\\xfd\\xd46\\xbb\\x95\\xe2\\xee\\x99\\xed\\xc6\\xbd\" +\n\t\"\\xf4ggoY\\xfd\\xed\\x81?\\x8f|\\xcb\\x13\\xe3\\xf4\\xed\" +\n\t\"\\xce\\x81\\xb7\\x8f&\\xfb\\x0aOL\\x86\\x08O\\xfc\\x0c\\xe5\\xad\" +\n\t\"\\x09B\\xe4\\xee\\x04\\xad\\xf1\\x9bW\\xdd\\\\\\xbb\\xf1\\xec\\x8a'\" +\n\t\"AZ\\xe2\\x0fs*\\xb1\\x8d\\x86\\x19y\\xf1\\xb1\\xdf\\x9b\\xff\" +\n\t\"\\xe2\\x9d\\x87AY\\x8a\\xe1\\xee\\xd0o(\\xbf\\xe5~\\x1b;\" +\n\t\"=\\x7f\\xfc\\xd9_\\xfaw\" +\n\t\"G*\\x09\\xec\\xaek4\\xb9\\x07=\\xbf%\\x0f$\\xdd\\xf8\" +\n\t\"\\xee;:\\xf6\\x91\\x9a\\xaf\\xbe\\xf3\\xf4\\xa4\\xeeOK{P\" +\n\t\"~Y\\xa2\\x09~$\\x11\\x93>\\xd0\\x83\\xaf?\\xd7\\x16\\xfb\" +\n\t\"N\\x94j\\x85+\\x9bh\\xad;\\xae$\\x87\\x96\\xdf,o\" +\n\t\"\\xd0\\xdf\\xdc\\xf6\\\\\\x05(\\xae\\xe3|y\\x13\\xca7\\xc84\" +\n\t\"\\xdaR\\x99\\x9cc\\x1f\\x1b\\xde)\\x9d\\xf9\\xe9\\xf3\\x1e(^\" +\n\t\"\\xe4\\xc7\\xe517r\\x996n\\xe5m_\\xda\\x13?\\xfb\" +\n\t\"\\xa5\\x17hq\\x91$\\x88\\xd7\\xb8\\xfcL\\x1dB\\xf9\\x9a\\x94\" +\n\t\";rj\\x0e\\x03t\\x9a\\x9e\\xfc\\xe3o-\\xcf\\x9dzi\" +\n\t\"\\xb2\\x1dy|N+\\xcaO\\xcf\\xa1\\xc9\\x0f\\xcf!T\\xcf\" +\n\t\",<\\xfc\\xb9_?p\\xfc\\xb5r(\\xee\\xe4\\x0d\\x8d.\" +\n\t\"k\\xe67\\xd2\\xe4\\xe77\\x1c\\xbcYsn=]\\x89\\x8c\" +\n\t\"\\xeb\\xd9\\xdd\\xf8\\xcf(\\xab\\x8d4\\xdc\\xed\\x8d4\\\\@\\xd1\" +\n\t\"\\xc9\\xbc\\x8f6\\x8e\\xa1|\\xca\\xf5>\\xe1\\x8e-\\x9cU\\xe7\" +\n\t\"n\\xf9\\xe9'_\\x8f\\xb0\\xeaT\\xe3\\x95D\\x875\\x9f\\xbe\" +\n\t\"m\\xb8\\xf6\\xee3g\\xa2\\xcb:\\xde\\xe8\\\"\\xfck\\xf7\\xd3\" +\n\t\"\\xbf\\xfd\\x87G\\x86n\\xff\\xd6\\xb1\\xb3\\x11&\\xd5\\xce=D\" +\n\t\"\\x9f\\xfe\\xfb\\x9f\\xbd\\xf1\\xc5s\\x85\\xdc\\xbf\\xb89\\xe3\\xefN\" +\n\t\"\\xed\\xdca7\\xa4\\xb9TS\\xe6\\xa4\\x1b\\xba[O\\xf6\\xbe\" +\n\t\"\\x11\\x05\\x1c\\x9bLrhi\\xa2\\xc1\\x97\\xde\\xd1\\xc97\\\\\" +\n\t\"\\x7f\\xeb\\x1bUT\\xfbD\\xd30\\xcaJ\\x13}\\xb0\\xbai\" +\n\t\"'\\xca\\xbcy\\x0e\\x803\\xf2W\\xbbo}\\xe2\\xfbk\\xde\" +\n\t\"\\xf6\\xd2\\xd8]\\xcb\\xba\\xe6~Z\\xcb\\x83\\x9f\\xef\\xba\\xe5\\x86\" +\n\t\"\\xd6\\xa3oG\\xc3P\\x9a)\\xb1d\\xad\\x99f\\x1a\\xb8\\xfe\" +\n\t\"\\xdc\\xa7\\xe6?\\xf8\\x83\\xb7+\\xf6\\xcau\\xdc\\xd5\\xbc\\x1e\\xe5\" +\n\t\"\\x03\\xcd\\x04\\xd7~r~s\\xc5\\x9f\\xbe\\xd6\\x94hz\\xb7\" +\n\t\"\\x02\\xdaY\\xe4\\xfbl\\xf3\\x18\\xca'\\x9a]\\x98\\x9a_ \" +\n\t\"F\\x7f\\xed\\xeb\\x87\\xfe\\xf1\\xfc\\xb1\\x9b\\xde\\xab\\x8a\\xe1\\xf9\\x96\" +\n\t\"=(\\xff\\xbc\\x85\\x86=\\xd5\\\"\\xca\\xa7Z~\\x1f\\xc0\\xb9\" +\n\t\"\\xe7\\xf4g6\\xbe\\xfa\\x85w\\xde\\xab\\xa4\\x98\\x07|\\xcb6\" +\n\t\"\\x94\\xcf\\xba_\\xfc\\xb2\\x85\\x18\\xfb\\xc8\\xda\\x7f\\xdb|n\\xdf\" +\n\t\"\\x07\\x7f[5\\xf6\\xd6\\xab\\xc6P\\xde\\x7f\\x15y\\xee\\xbb\\xea\" +\n\t\"\\x05\\xf9\\x9a4\\xa5\\xe2+\\xe2cm]\\x9b_:\\x1f\\xd9\" +\n\t\"*)\\xbd\\x89\\xe0yX\\xfc\\xca\\x99-\\xbf\\xf8\\xcc\\xef&\" +\n\t\"\\x90/}\\xa5\\xbbSi\\x82\\xe7\\xae7\\xf7\\xdf\\xf4\\xc5\\x0d\" +\n\t\"\\xdfx?B\\x90\\xee\\xf4\\xb7\\xe9S\\xbb\\xa4\\xeb\\xa8Y67q]\\xae\" +\n\t\"\\xe8\\x0e\\xcd\\x0c\\xbd\\x03\\x9d\\x92\\xee\\xfd\\x80\\xdc\\xf4~H\\xd0\" +\n\t\"\\xa4\\x1d\\xd8\\x8b\\xd3X\\xe2\\x8dy\\x8d\\xebv\\x8f\\xce\\x06\\x8c\" +\n\t\"\\x0a\\xf4WN\\x86\\xfe\\xca2\\xfa\\xdb#\\xe8o]\\x0e\\xa0\" +\n\t\"\\xdc\\xc5P\\xb9W@\\x89\\x95\\xe1\\xdf\\xb1\\x00@\\xd9\\xc2P\" +\n\t\"\\xb9_@'\\xebM\\x92\\x03\\x80\\x00\\xd8\\x01\\xae\\xda%\\x93\" +\n\t\"[d\\x9b\\x0d\\xd8\\xcb\\xd0\\xc5\\x7f6\\xe0\\xe6\\x11nR\\x04\" +\n\t\"\\xfe~$T3;\\x14\\xec\\xd9\\x94\\xcc\\xea\\xde\\xa8Y\\xb6\" +\n\t\"\\xa6\\x0f\\xaeu\\xed\\xbdF\\\"\\xafeG)\\xb6zw\\xb5\" +\n\t\"-\\xcb\\x00\\x10\\xa5\\x0f\\xac\\x07@A\\x92\\x96\\x03\\xb4k\\x83\" +\n\t\"\\xbaar'\\xa7YYC\\xd79\\xb0\\xac\\xbd\\xb9_\\xcd\" +\n\t\"\\xabz\\x96\\x07\\xd3\\x89\\x17\\x9a\\xce\\x9b&\\xc3\\xcd\\x11n^\" +\n\t\"\\xabFX=\\xafW5\\xd5\\x82\\x05\\xa0\\xd4\\x07\\xa0v\\xaf\" +\n\t\"\\x07P\\xba\\x18*\\xbd\\x11PW\\x13\\xa8\\xab\\x18*\\xb7F\" +\n\t\"@]G\\xa0\\xf62T6\\x08\\xe8\\x18\\xa66\\xa8\\xe97\" +\n\t\"r`f\\x94\\x99\\x96\\xad\\xab\\x05N\\x00\\x96\\xc1\\xd9l\\x14\" +\n\t\"m\\xcd\\xd0-L\\x86\\x87\\x12 &#\\xb0\\xd5L\\xc5U\" +\n\t\"\\x8f\\xaa\\xd7\\xfa\\\\\\xf3\\xa9f\\xe8\\xf3\\xfa\\xb8U\\xca\\xdbh\" +\n\t\")\\xb1 \\x9e\\x86e\\x00J\\x0dC%%`\\xbb\\xe9\\xfd\" +\n\t\"\\x9e\\x0c5\\xc7\\xff\\xde\\xdc\\x01\\x96\\xa9`\\xee\\xbb\\xfb\\\"\\xb4\" +\n\t\"\\xf3\\xb1\\xdc\\xb18\\xa4\\x1d\\x96\\xa1\\xdcEPng\\xa8<\" +\n\t\"D\\xfcD\\x8f\\x9f\\x0f\\x8c\\x01(\\x0f1T\\xbe\\\"\\xa0\\x14\" +\n\t\"\\x13R\\x18C\\x94\\xf6Sqy\\x94\\xa1\\xf2u\\x01\\x1d\\xcb\" +\n\t\"\\x9b\\xba\\x070\\xe7c\\x9e\\xceYvO\\xd1\\xff\\xdf\\xe6\\x9c\" +\n\t\"e\\xf7\\x1a\\xa6\\x8d\\\"\\x08(\\x02\\xd1\\xdc\\xb0x\\xe7\\x00%\" +\n\t\"bO.\\xcfo\\xd2\\x98nc\\x1c\\x04\\x8c\\x13\\x08\\xa6\\x9a\" +\n\t\"\\xe57\\x1aT\\x82\\xf8F\\xbb\\xbcc a\\x1d\\xc0\\xd4Y\" +\n\t\"\\xea\\x91\\xac\\xb3\\xc4\\xec!\\xaf\\x88\\xf8 \\\\C\\x84\\xfa\\x03\" +\n\t\"\\x86\\xca\\x1fF@h\\xa30\\xaec\\xa8|\\\\@G\\xcd\" +\n\t\"f\\x8d\\x92n\\xaf\\x05\\xa6\\x0eV$Q\\x86C\\\"k\\xf2\" +\n\t\"\\x90R\\xfe\\xb4\\xb5\\x17\\xac\\x16\\x86>\\xa0\\x0d\\x96L\\xd5\\x8e\" +\n\t\"lW\\xa9\\x98Sm>\\xe1\\xa72Wh\\xc3\\xa6\\\"K\" +\n\t\" `.\\x91,~\\xf5\\xab\\xa2\\x0b+XQ\\xa0\\xfa&\" +\n\t\"\\x03\\x8a\\x98\\xf1Q\\x86\\xca\\xf5\\x93\\xef\\xf7\\xe6\\x02\\xb7,u\" +\n\t\"\\x90W\\x15\\x9fY\\x17\\x01H\\xe7Y\\x82\\x80\\x0e5:\\xd3\" +\n\t\"\\xaeu#E\\x9b\\xd6R\\xef8\\xdeb\\x88\\xa5\\xf3\\x18*\" +\n\t\"\\xd7\\x09\\xd8\\x80\\xef;\\xdej\\x16\\xee\\x09\\xb7-\\xcdM\\xd3\" +\n\t\"01\\x19\\x9e\\xfcex\\xb2\\xe5\\x09\\xd0\\xd0\\xbb\\xb8\\xadj\" +\n\t\"y\\xa4l\\x0f\\xf4q\\x05\\x88\\xd3\\xabZ!\\x84\\x9ey^\" +\n\t\"\\xaf\\x9a\\xa0t\\x8b\\xee\\x1d\\xa5K\\x92\\xa1\\xf2!\\x01\\x9dA\" +\n\t\"\\xa2r/7Q3rkT\\xdd\\xc80\\x9e\\x0dy~\" +\n\t\"yS\\xf7\\xf1\\xb4\\xcb\\x9c\\x19\\x8ec\\xf220A\\x04\\xa6\" +\n\t\"H\\x11D\\xcaEk\\xa8\\x07\\x02\\x02l\\xed\\x0f\\xcbEP\" +\n\t\"zwQN\\xdd\\xcbP\\xd9\\x1b9\\xcfv\\xaf\\x8c\\xd6\\x8b\" +\n\t\"X\\x0ac\\x00\\xd2~\\xe2\\xcf^\\x86\\xcaAa\\xa2j\\xe0\" +\n\t\"#\\\\\\xb7\\xbb\\xb4A\\x10\\xb9\\x15Zi\\x89]\\xda \\x07\" +\n\t\"f]n\\x19\\xaf\\x9d\\x16*F\\xbfe\\xe4\\xb9\\xcd\\xbbx\" +\n\t\"6\\xafRf\\x8ep\\xef\\xf72M\\xfd\\x8d\\x9e\\x9a\\xd7}\" +\n\t\"U9\\xe6\\xf1\\x9by\\xa2-\\x92g\\xad!\\xb5\\x03\\x98\\x17\" +\n\t\".\\x0e\\x93O\\xe4\\xa1\\xd2J[EU\\xb7\\xaa\\xca\\x8f|\" +\n\t\"\\xf1Ux%\\xa6\\x8a@a\\xea\\x05\\xd5'\\xf8\\xfer\\xcb\" +\n\t\"Y\\xf9\\xf8\\x89\\xc6\\xb9<\\x8c3\\x08sY\\x18f b\" +\n\t\"b `\\x0c\\xb0=\\xeb\\x0eX\\x15k|\\xbakK\\xf8\" +\n\t\"\\x0a2\\xe6*H\\xffB\\x8e~\\x17C\\x92\\x0e\\x81 5\" +\n\t\"\\x88\\x8e\\xbf~\\xf4\\xbf\\x17\\xab\\xd4`|\\xea\\xf2u\\x8bK\" +\n\t\"A\\xb4h\\xc6H\\x12-\\x9b,\\x89\\xccI\\xce\\xdcm\\xd1\" +\n\t\"\\x1c*\\x9f\\xb9\\xbb\\xc7\\xc2t\\xf1\\xce\\\\\\x00\\xe9\\xc0!\\x00\" +\n\t\"\\xe5 C\\xe5\\x1b\\x02\\xb6{B\\x11\\x93a\\x13\\xaa\\xcc{\" +\n\t\"O\\x01\\xad2 \\x9dU\\xf3\\xe1\\x11\\xec\\x98\\xbc\\x98W\\xb3\" +\n\t\"\\xbc\\x1b\\xcb\\xa2\\x0f\\x10A@t\\x93\\xadP4\\xb9e\\xa1\" +\n\t\"f\\xe8JI\\xcdk\\xcc\\x1e\\x0d\\x94\\xbb^*\\xf4\\x9a|\" +\n\t\"DC\\xa3du\\xda6/\\x88E\\xdb\\xaa\\xd2\\xf5\\xd3\\x80\" +\n\t\"\\xc9\\xaf\\xc1\\xae\\xbe\\x0ce\\x1e\\x89\\xdf\\x0e\\x86\\xca\\xaa\\x08L\" +\n\t\"=t*\\xdf\\xc4PY\\x1b\\xc2\\xa4|\\x0f@Y\\xcbP\" +\n\t\"\\xb9C\\xc0D\\xa9\\xa4\\x05'\\x8f\\x937\\xb2\\xee\\xceCb\" +\n\t\"\\x8dZ\\xa8<\\x80z,\\xa1\\x8f\\x17\\x0c\\x9b\\xe7G=\\xd6\" +\n\t\"\\xe6\\xc2\\xb8gZ7+\\x0a\\xbfwn\\xfe\\x7fR\\xac\\xb1\" +\n\t\"\\xa9\\xae\\x90\\xed\\x1eR\\x15[\\xd0:\\xd9\\x16,\\x8e\\x04\\xe3\" +\n\t\"\\xaf{u\\x7f\\x18\\x8c\\xf8'|4(N\\xbc@[\\xeb\" +\n\t\"#_\\x8e\\xa8\\x13\\xc4\\x9bC\\x9f\\xa9\\xeb\\xf1d%\\xcbM\" +\n\t\"\\xd0UFV\\xcdWW\\x19V\\xb8\\xa0\\xbe\\x9ei\\x05\\x89\" +\n\t\"NM\\xe9,\\x1a\\xba\\xcb\\xd3\\xeb\\xfd\\xe1\\xe5Q\\\\\\x09\\x90\" +\n\t\"\\xd9\\x88\\x0c3\\xdb1\\xc4I\\xde\\x8a\\xcb\\x012w\\x91\\xfd\" +\n\t\"^\\x0c\\xa1\\x92w`\\x13@f\\x0b\\xd9\\xef\\xc7\\xe0\\xaa-\" +\n\t\"\\xef\\xc2q\\x80\\xcc\\xfdd~\\x94\\xdcc\\xccMmy\\x9f\" +\n\t\";\\xfc^\\xb2\\x1f${<\\x96\\xc28\\x80|\\x00\\x17\\x00\" +\n\t\"d\\x1e%\\xfb\\x11\\xb2\\xcf\\x12R8\\x0b@>\\x8c\\xc3\\x00\" +\n\t\"\\x99'\\xc9\\xfe\\x0c\\xd9\\xc5x\\x0a\\xdd.6\\x9a\\x00\\x99\\xbf\" +\n\t\"&\\xfb\\xf7\\xc9^\\xd3\\x98\\xc2\\x1a\\x00\\xf9\\xa8k\\x7f\\x8e\\xec\" +\n\t\"?&{\\xed\\xdc\\x14\\xd6\\x02\\xc8?\\xc2m\\x00\\x99\\x1f\\x92\" +\n\t\"\\xfd5\\xb2\\xd7a\\x8ad\\xb6|\\x1c\\xc7\\x002\\xaf\\x91\\xfd\" +\n\t\"\\x9f\\xc8~\\xc5\\xac\\x14^\\x01 \\xff\\xdc]\\xcfI\\xb2\\xff\" +\n\t\"\\x8a\\xec\\xf5\\xb1\\x14is\\xf9\\x97x\\x08 \\xf3+\\xb2\\xff\" +\n\t\"\\x07\\xd9\\x1b\\xc4\\x146\\x00\\xc8\\xbfq\\xe3:G\\xf6\\x1a\\xa1\" +\n\t\"\\xe2z\\xeb\\xf3\\xba\\xe2\\x0e\\xcb\\x0c+\\xe0\\x0c/\\xd7*\\x9c\" +\n\t\"pC\\xc5D\\xd8L\\x07\\xc4\\x04\\xa0S4\\x8c\\xfc\\x9a\\x89\" +\n\t\"\\xf9\\x92\\xb0\\xd5A\\xcb\\xbf/'\\xc3^\\\" \\x19\\x03u\" +\n\t\"\\x08\\x09C\\xef\\xc9\\x05\\x05\\xad\\xb2z\\xfa+\\xd1\\xac\\xce\\x92\" +\n\t\"m\\x94\\x8a\\x90&F\\xe6\\x82\\x1ab\\x96\\xf4\\x15\\xa6QX\" +\n\t\"\\x8b\\xdc,h\\xba\\x9a\\x9f\\xa2\\xaa\\xd6\\x82\\x80\\xb5P.`\" +\n\t\"\\xfe\\xd8\\x17/\\xb1\\x17\\xbe\\xfd\\x07\\xbcf\\x17\\xe2\\xb5\\xb8V\" +\n\t\"\\x1d\\xac\\x10\\x1d\\x0b\\xa6\\x10\\x1d\\x09=RD\\xd3#j\\xbe\" +\n\t\"T\\xad\\xe9/Mh\\xf6q+AZc\\xaa{\\x8e\\xdf\" +\n\t\"\\x1d\\xac(n\\x17\\x14\\\\\\xeb\\xaaU\\x88\\xab\\xb8D\\xbdJ\" +\n\t\"q\\x8d\\x87\\x97\\x18?\\xf6\\xa5\\xad\\x91\\x1b`^\\xb5\\xb9e\" +\n\t\"w\\x16\\xb1\\x98\\xd7x\\xee\\xd3\\xdcLD\\x85IT\\x8f\\xcd\" +\n\t\"\\xe4\\xe4\\x9b\\xa0\\xff\\xdc\\xe01\\xf2 B \\x08\\xe5\\xe0g\" +\n\t\"\\x88\\xf0 \\xb7\\xbd\\x7f\\xf5\\xe8\\x03\\x86\\xa7\\xbc\\xd0\\xba\\xac1\" +\n\t\"\\\\9\\xc8\\xa6\\xde\\xa3\\xb0\\xdd;]\\xb5=\\x93\\xeaN\\xab\" +\n\t\"\\x10\\xa37\\x9b\\x9a\\x19\\x8c:\\x89\\xc8\\xf5/i\\x91\\x96\\x1d\" +\n\t\"\\xa5\\xc1\\x06\\x86\\xcaP$\\x0d8\\x9d\\xd59\\x86J1\\x94\" +\n\t\"\\x1d\\x85\\xbe\\xb0_*1\\xa1\\xdc0\\xa5\\xf3\\xbb\\xc8P\\xb9\" +\n\t\"K\\xc0\\x84Z\\xb2\\x870\\x19\\xbe\\xa7M\\x00db#\\x8f\" +\n\t\"\\xf2\\xa1G\\xcfq\\xc0\\x8d~zGN\\xf5\\xe0\\xa1g\\xba\" +\n\t\"\\xd7\\xfb\\xe9\\x05\\xef_\\x13\\xa7\\xdc\\xd2\\xe0\\xc5c\\xba\\xaa\\xc2\" +\n\t\"\\xe7Q\\x82\\xa6&n7\\xbaz\\xdb\\x7fSB\\xff\\xcd@\" +\n\t\":\\xbc\\x09\\x04\\xe9/D\\x0c\\xdfI\\xd0\\x7f\\x16\\x91\\x0e\\x98\" +\n\t\" H\\xfbD\\x14\\x82g?\\xf4\\x9f\\xf7\\xa4]\\xf7\\x81 \" +\n\t\"\\xed\\x10\\x91\\x05\\xafv\\xe8\\xf7\\xd1\\xdbF\\xeb\\x10\\x04\\xe9n\" +\n\t\"\\x11c\\xc1{)\\xfa]x\\xe9\\xb3\\xc3 H\\x9a\\x88\\xf1\" +\n\t\"\\xe0A\\x10\\xfd\\xe7!\\xe9\\xf6m H\\xeb\\xc2\\x161\\xb4\" +\n\t\"{qt\\xa0\\xe3\\xe7\\x02\\xa4\\xddl\\x98\\xd80\\xf6\\xbc\\x00\" +\n\t\":\\xd0\\xf1/\\x8b\\xecB\\xb7E\\xd7\\xcb\\xefpB\\\"\\xab\" +\n\t\"\\xda\\xbc\\x83\\x14\\xb8W\\x10\\xb1\\\\\\x11\\xa1\\x03\\x95\\x18F\\x1e\" +\n\t\"!\\\"\\xfd\\xad\\xcb\\xea\\xe9T\\xe5\\xcf%)\\\\\\x7f\\x94K\" +\n\t\"\\xac\\xd7\\x17i\\xf5{\\xe5\\xa6\\xdcG\\x8f\\x8c>\\xecv\\x80\" +\n\t\"Qi\\x14\\xa6P\\xf5\\x17)\\xbb\\xde\\xe2\\xc3\\xd4`\\x9e\\xdc\" +\n\t\"\\xbd:\\x98\\xe58\\x15\\xfc\\x1f3TNFR\\xff\\x04\\x19\" +\n\t\"_a\\xa8\\xbc\\x1e\\x91\\xbb\\xa7\\xa8\\x1e\\x9cd\\xa8\\xbc\\x1b\\xbe\" +\n\t\"\\x95\\xbcu\\x1f\\x80\\xf2.\\xc3\\xbe\\x88z\\x93\\xfe\\x9b\\x1c\\x7f\" +\n\t\"G\\x1a\\xc7\\xd5n\\xe8i\\xb78\\xee\\x01\\xc8\\xd4\\x90\\xf6I\" +\n\t\"\\xb9\\xda-\\xe6i7\\x09\\xfb\\x012I\\xb2\\x7f(\\xaa\\xdd\" +\n\t\"\\xe6\\xe2z\\x80L#\\xd9\\xe7\\xe1\\xc4\\xdb\\xbfX2Cy\" +\n\t\"\\x9d7\\x06Wi\\xfa\\xa4\\x82\\xc0\\x7f\\xbcA{\\x85\\xaa\\xe5\" +\n\t\"K&\\x87\\xca\\xdbNOWD\\\"y\\xaf:^\\x1b6\" +\n\t\"C\\xe4\\xcc\\xa1\\x15\\xb4hg\\xd0\\x98\\x99\\xfa,\\xcc\\x1b\\xa5\" +\n\t\"\\xdc@^5y\\xce\\xdd}\\xa4r\\xd1\\xcb\\xe2J\\x0dF\" +\n\t\"\\xfe\\xe6\\x02 |\\x1a\\x8f\\xa4\\xc24N\\xd8n\\xd34L\" +\n\t\"\\xa8\\xb8\\xd6,\\x0e\\xaf5\\xc1\\xadf}x\\xb1\\x94\\x84\\x8e\" +\n\t\"\\xf2\\xcd\\xb2?\\xbc\\x8d\\xa5\\xb3j\\xc9\\xe2U\\xf8\\x00\\xe3f\" +\n\t\"\\xd0\\xb6\\xb3\\x86\\x8cR>\\xd7\\xc7A\\xb4\\xcd\\xd1\\xaa\\xcbd\" +\n\t\"|\\xba\\xd5\\x9ay5\\xb3\\xde\\xad\\x99\\xfeS/\\xfa/\\xba\" +\n\t\"\\x922\\x06\\x82\\xb4\\x9aj\\xa6\\xff\\xea\\x88\\xfe\\xdf\\x1cH\\x9d\" +\n\t\"\\xe3 H\\x9f\\xa0\\x9a\\xe9\\xbf\\xb8\\xa3\\xff\\x8a,\\xb5\\xbd\\x08\" +\n\t\"\\x82\\xd4\\x16y\\x01\\xf3Q\\xaaz\\x01\\xf3~H\\xd8\\x9a\\xf7\" +\n\t\"C\\xf90\\x16*Oc\\xaae\\xd1\\x8eH\\xcd\\xe5\\xb6\\x9c\" +\n\t\"\\xda\\xbd\\x16\\xd1\\xe5\\xbc\\x17M\\xfb}%\\xf8\\xeb\\x9f\\xff\\x9b\" +\n\t\"\\xa6\\xa0\\x7f\\xb6\\xfeO\\x00\\x00\\x00\\xff\\xff\\xb4\\x0bQ\\xfc\"\n\nfunc init() {\n\tschemas.Register(schema_db8274f9144abc7e,\n\t\t0x82c325a07ad22a65,\n\t\t0x839445a59fb01686,\n\t\t0x83ced0145b2f114b,\n\t\t0x84cb9536a2cf6d3c,\n\t\t0x85c8cea1ab1894f3,\n\t\t0x8635c6b4f45bf5cd,\n\t\t0x904e297b87fbecea,\n\t\t0x9496331ab9cd463f,\n\t\t0x958096448eb3373e,\n\t\t0x96b74375ce9b0ef6,\n\t\t0x97b3c5c260257622,\n\t\t0x9b87b390babc2ccf,\n\t\t0xa29a916d4ebdd894,\n\t\t0xa353a3556df74984,\n\t\t0xa766b24d4fe5da35,\n\t\t0xab6d5210c1f26687,\n\t\t0xb046e578094b1ead,\n\t\t0xb177ca2526a3ca76,\n\t\t0xb48edfbdaa25db04,\n\t\t0xb4bf9861fe035d04,\n\t\t0xb5f39f082b9ac18a,\n\t\t0xb70431c0dc014915,\n\t\t0xc082ef6e0d42ed1d,\n\t\t0xc5d6e311876a3604,\n\t\t0xc793e50592935b4a,\n\t\t0xcbd96442ae3bb01a,\n\t\t0xd4d18de97bb12de3,\n\t\t0xdb58ff694ba05cf9,\n\t\t0xdbaa9d03d52b62dc,\n\t\t0xdc3ed6801961e502,\n\t\t0xe3e37d096a5b564e,\n\t\t0xe5ceae5d6897d7be,\n\t\t0xe6646dec8feaa6ee,\n\t\t0xea50d822450d1f17,\n\t\t0xea58385c65416035,\n\t\t0xf24ec4ab5891b676,\n\t\t0xf2c122394f447e8e,\n\t\t0xf2c68e2547ec3866,\n\t\t0xf41a0f001ad49e46,\n\t\t0xf548cef9dea2a4a1,\n\t\t0xf5f383d2785edb86,\n\t\t0xf71695ec7fe85497,\n\t\t0xf9cb7f4431a307d0,\n\t\t0xfc5edf80e39c0796,\n\t\t0xfeac5c8f4899ef7c)\n}\n" }, { "path": "tunnelrpc/quic/cloudflared_client.go", "content": "package quic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"time\"\n\n\t\"zombiezen.com/go/capnproto2/rpc\"\n\n\t\"github.com/google/uuid\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/metrics\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\n// CloudflaredClient calls capnp rpc methods of SessionManager and ConfigurationManager.\ntype CloudflaredClient struct {\n\tclient pogs.CloudflaredServer_PogsClient\n\ttransport rpc.Transport\n\trequestTimeout time.Duration\n}\n\nfunc NewCloudflaredClient(ctx context.Context, stream io.ReadWriteCloser, requestTimeout time.Duration) (*CloudflaredClient, error) {\n\tn, err := stream.Write(rpcStreamProtocolSignature[:])\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif n != len(rpcStreamProtocolSignature) {\n\t\treturn nil, fmt.Errorf(\"expect to write %d bytes for RPC stream protocol signature, wrote %d\", len(rpcStreamProtocolSignature), n)\n\t}\n\ttransport := tunnelrpc.SafeTransport(stream)\n\tconn := tunnelrpc.NewClientConn(transport)\n\tclient := pogs.NewCloudflaredServer_PogsClient(conn.Bootstrap(ctx), conn)\n\treturn &CloudflaredClient{\n\t\tclient: client,\n\t\ttransport: transport,\n\t\trequestTimeout: requestTimeout,\n\t}, nil\n}\n\nfunc (c *CloudflaredClient) RegisterUdpSession(ctx context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeIdleAfterHint time.Duration, traceContext string) (*pogs.RegisterUdpSessionResponse, error) {\n\tctx, cancel := context.WithTimeout(ctx, c.requestTimeout)\n\tdefer cancel()\n\tdefer metrics.CapnpMetrics.ClientOperations.WithLabelValues(metrics.Cloudflared, metrics.OperationRegisterUdpSession).Inc()\n\ttimer := metrics.NewClientOperationLatencyObserver(metrics.Cloudflared, metrics.OperationRegisterUdpSession)\n\tdefer timer.ObserveDuration()\n\n\tresp, err := c.client.RegisterUdpSession(ctx, sessionID, dstIP, dstPort, closeIdleAfterHint, traceContext)\n\tif err != nil {\n\t\tmetrics.CapnpMetrics.ClientFailures.WithLabelValues(metrics.Cloudflared, metrics.OperationRegisterUdpSession).Inc()\n\t}\n\treturn resp, err\n}\n\nfunc (c *CloudflaredClient) UnregisterUdpSession(ctx context.Context, sessionID uuid.UUID, message string) error {\n\tctx, cancel := context.WithTimeout(ctx, c.requestTimeout)\n\tdefer cancel()\n\tdefer metrics.CapnpMetrics.ClientOperations.WithLabelValues(metrics.Cloudflared, metrics.OperationUnregisterUdpSession).Inc()\n\ttimer := metrics.NewClientOperationLatencyObserver(metrics.Cloudflared, metrics.OperationUnregisterUdpSession)\n\tdefer timer.ObserveDuration()\n\n\terr := c.client.UnregisterUdpSession(ctx, sessionID, message)\n\tif err != nil {\n\t\tmetrics.CapnpMetrics.ClientFailures.WithLabelValues(metrics.Cloudflared, metrics.OperationUnregisterUdpSession).Inc()\n\t}\n\treturn err\n}\n\nfunc (c *CloudflaredClient) UpdateConfiguration(ctx context.Context, version int32, config []byte) (*pogs.UpdateConfigurationResponse, error) {\n\tctx, cancel := context.WithTimeout(ctx, c.requestTimeout)\n\tdefer cancel()\n\tdefer metrics.CapnpMetrics.ClientOperations.WithLabelValues(metrics.Cloudflared, metrics.OperationUpdateConfiguration).Inc()\n\ttimer := metrics.NewClientOperationLatencyObserver(metrics.Cloudflared, metrics.OperationUpdateConfiguration)\n\tdefer timer.ObserveDuration()\n\n\tresp, err := c.client.UpdateConfiguration(ctx, version, config)\n\tif err != nil {\n\t\tmetrics.CapnpMetrics.ClientFailures.WithLabelValues(metrics.Cloudflared, metrics.OperationUpdateConfiguration).Inc()\n\t}\n\treturn resp, err\n}\n\nfunc (c *CloudflaredClient) Close() {\n\t_ = c.client.Close()\n\t_ = c.transport.Close()\n}\n" }, { "path": "tunnelrpc/quic/cloudflared_server.go", "content": "package quic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"time\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\n// HandleRequestFunc wraps the proxied request from the upstream and also provides methods on the stream to\n// handle the response back.\ntype HandleRequestFunc = func(ctx context.Context, stream *RequestServerStream) error\n\n// CloudflaredServer provides a handler interface for a client to provide methods to handle the different types of\n// requests that can be communicated by the stream.\ntype CloudflaredServer struct {\n\thandleRequest HandleRequestFunc\n\tsessionManager pogs.SessionManager\n\tconfigManager pogs.ConfigurationManager\n\tresponseTimeout time.Duration\n}\n\nfunc NewCloudflaredServer(handleRequest HandleRequestFunc, sessionManager pogs.SessionManager, configManager pogs.ConfigurationManager, responseTimeout time.Duration) *CloudflaredServer {\n\treturn &CloudflaredServer{\n\t\thandleRequest: handleRequest,\n\t\tsessionManager: sessionManager,\n\t\tconfigManager: configManager,\n\t\tresponseTimeout: responseTimeout,\n\t}\n}\n\n// Serve executes the defined handlers in ServerStream on the provided stream if it is a proper RPC stream with the\n// correct preamble protocol signature.\nfunc (s *CloudflaredServer) Serve(ctx context.Context, stream io.ReadWriteCloser) error {\n\tsignature, err := determineProtocol(stream)\n\tif err != nil {\n\t\treturn err\n\t}\n\tswitch signature {\n\tcase dataStreamProtocolSignature:\n\t\treturn s.handleRequest(ctx, &RequestServerStream{stream})\n\tcase rpcStreamProtocolSignature:\n\t\treturn s.handleRPC(ctx, stream)\n\tdefault:\n\t\treturn fmt.Errorf(\"unknown protocol %v\", signature)\n\t}\n}\n\nfunc (s *CloudflaredServer) handleRPC(ctx context.Context, stream io.ReadWriteCloser) error {\n\tctx, cancel := context.WithTimeout(ctx, s.responseTimeout)\n\tdefer cancel()\n\ttransport := tunnelrpc.SafeTransport(stream)\n\tdefer transport.Close()\n\n\tmain := pogs.CloudflaredServer_ServerToClient(s.sessionManager, s.configManager)\n\trpcConn := tunnelrpc.NewServerConn(transport, main.Client)\n\tdefer rpcConn.Close()\n\n\t// We ignore the errors here because if cloudflared fails to handle a request, we will just move on.\n\tselect {\n\tcase <-rpcConn.Done():\n\tcase <-ctx.Done():\n\t}\n\treturn nil\n}\n" }, { "path": "tunnelrpc/quic/protocol.go", "content": "package quic\n\nimport (\n\t\"fmt\"\n\t\"io\"\n)\n\n// protocolSignature defines the first 6 bytes of the stream, which is used to distinguish the type of stream. It\n// ensures whoever performs a handshake does not write data before writing the metadata.\ntype protocolSignature [6]byte\n\nvar (\n\t// dataStreamProtocolSignature is a custom protocol signature for data stream\n\tdataStreamProtocolSignature = protocolSignature{0x0A, 0x36, 0xCD, 0x12, 0xA1, 0x3E}\n\n\t// rpcStreamProtocolSignature is a custom protocol signature for RPC stream\n\trpcStreamProtocolSignature = protocolSignature{0x52, 0xBB, 0x82, 0x5C, 0xDB, 0x65}\n\n\terrDataStreamNotSupported = fmt.Errorf(\"data protocol not supported\")\n\terrRPCStreamNotSupported = fmt.Errorf(\"rpc protocol not supported\")\n)\n\ntype protocolVersion string\n\nconst (\n\tprotocolV1 protocolVersion = \"01\"\n\n\tprotocolVersionLength = 2\n)\n\n// determineProtocol reads the first 6 bytes from the stream to determine which protocol is spoken by the client.\n// The protocols are magic byte arrays understood by both sides of the stream.\nfunc determineProtocol(stream io.Reader) (protocolSignature, error) {\n\tsignature, err := readSignature(stream)\n\tif err != nil {\n\t\treturn protocolSignature{}, err\n\t}\n\tswitch signature {\n\tcase dataStreamProtocolSignature:\n\t\treturn dataStreamProtocolSignature, nil\n\tcase rpcStreamProtocolSignature:\n\t\treturn rpcStreamProtocolSignature, nil\n\tdefault:\n\t\treturn protocolSignature{}, fmt.Errorf(\"unknown signature %v\", signature)\n\t}\n}\n\nfunc writeDataStreamPreamble(stream io.Writer) error {\n\tif err := writeSignature(stream, dataStreamProtocolSignature); err != nil {\n\t\treturn err\n\t}\n\n\treturn writeVersion(stream)\n}\n\nfunc writeVersion(stream io.Writer) error {\n\t_, err := stream.Write([]byte(protocolV1)[:protocolVersionLength])\n\treturn err\n}\n\nfunc readVersion(stream io.Reader) (string, error) {\n\tversion := make([]byte, protocolVersionLength)\n\t_, err := stream.Read(version)\n\treturn string(version), err\n}\n\nfunc readSignature(stream io.Reader) (protocolSignature, error) {\n\tvar signature protocolSignature\n\tif _, err := io.ReadFull(stream, signature[:]); err != nil {\n\t\treturn protocolSignature{}, err\n\t}\n\treturn signature, nil\n}\n\nfunc writeSignature(stream io.Writer, signature protocolSignature) error {\n\t_, err := stream.Write(signature[:])\n\treturn err\n}\n" }, { "path": "tunnelrpc/quic/request_client_stream.go", "content": "package quic\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\n\tcapnp \"zombiezen.com/go/capnproto2\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\n// RequestClientStream is a stream to provide requests to the server. This operation is typically driven by the edge service.\ntype RequestClientStream struct {\n\tio.ReadWriteCloser\n}\n\n// WriteConnectRequestData writes requestMeta to a stream.\nfunc (rcs *RequestClientStream) WriteConnectRequestData(dest string, connectionType pogs.ConnectionType, metadata ...pogs.Metadata) error {\n\tconnectRequest := &pogs.ConnectRequest{\n\t\tDest: dest,\n\t\tType: connectionType,\n\t\tMetadata: metadata,\n\t}\n\n\tmsg, err := connectRequest.ToPogs()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif err := writeDataStreamPreamble(rcs); err != nil {\n\t\treturn err\n\t}\n\treturn capnp.NewEncoder(rcs).Encode(msg)\n}\n\n// ReadConnectResponseData reads the response from the rpc stream to a ConnectResponse.\nfunc (rcs *RequestClientStream) ReadConnectResponseData() (*pogs.ConnectResponse, error) {\n\tsignature, err := determineProtocol(rcs)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif signature != dataStreamProtocolSignature {\n\t\treturn nil, fmt.Errorf(\"wrong protocol signature %v\", signature)\n\t}\n\n\t// This is a NO-OP for now. We could cause a branching if we wanted to use multiple versions.\n\tif _, err := readVersion(rcs); err != nil {\n\t\treturn nil, err\n\t}\n\n\tmsg, err := capnp.NewDecoder(rcs).Decode()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tr := &pogs.ConnectResponse{}\n\tif err := r.FromPogs(msg); err != nil {\n\t\treturn nil, err\n\t}\n\treturn r, nil\n}\n" }, { "path": "tunnelrpc/quic/request_server_stream.go", "content": "package quic\n\nimport (\n\t\"io\"\n\n\tcapnp \"zombiezen.com/go/capnproto2\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\n// RequestServerStream is a stream to serve requests\ntype RequestServerStream struct {\n\tio.ReadWriteCloser\n}\n\n// ReadConnectRequestData reads the handshake data from a QUIC stream.\nfunc (rss *RequestServerStream) ReadConnectRequestData() (*pogs.ConnectRequest, error) {\n\t// This is a NO-OP for now. We could cause a branching if we wanted to use multiple versions.\n\tif _, err := readVersion(rss); err != nil {\n\t\treturn nil, err\n\t}\n\n\tmsg, err := capnp.NewDecoder(rss).Decode()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tr := &pogs.ConnectRequest{}\n\tif err := r.FromPogs(msg); err != nil {\n\t\treturn nil, err\n\t}\n\treturn r, nil\n}\n\n// WriteConnectResponseData writes response to a QUIC stream.\nfunc (rss *RequestServerStream) WriteConnectResponseData(respErr error, metadata ...pogs.Metadata) error {\n\tvar connectResponse *pogs.ConnectResponse\n\tif respErr != nil {\n\t\tconnectResponse = &pogs.ConnectResponse{\n\t\t\tError: respErr.Error(),\n\t\t\tMetadata: metadata,\n\t\t}\n\t} else {\n\t\tconnectResponse = &pogs.ConnectResponse{\n\t\t\tMetadata: metadata,\n\t\t}\n\t}\n\n\tmsg, err := connectResponse.ToPogs()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif err := writeDataStreamPreamble(rss); err != nil {\n\t\treturn err\n\t}\n\treturn capnp.NewEncoder(rss).Encode(msg)\n}\n" }, { "path": "tunnelrpc/quic/request_server_stream_test.go", "content": "package quic\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\nconst (\n\ttestCloseIdleAfterHint = time.Minute * 2\n)\n\nfunc TestConnectRequestData(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\thostname string\n\t\tconnectionType pogs.ConnectionType\n\t\tmetadata []pogs.Metadata\n\t}{\n\t\t{\n\t\t\tname: \"Signature verified and request metadata is unmarshaled and read correctly\",\n\t\t\thostname: \"tunnel.com\",\n\t\t\tconnectionType: pogs.ConnectionTypeHTTP,\n\t\t\tmetadata: []pogs.Metadata{\n\t\t\t\t{\n\t\t\t\t\tKey: \"key\",\n\t\t\t\t\tVal: \"1234\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tb := &bytes.Buffer{}\n\t\t\treqClientStream := RequestClientStream{noopCloser{b}}\n\t\t\terr := reqClientStream.WriteConnectRequestData(test.hostname, test.connectionType, test.metadata...)\n\t\t\trequire.NoError(t, err)\n\t\t\tprotocol, err := determineProtocol(b)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, dataStreamProtocolSignature, protocol)\n\t\t\treqServerStream := RequestServerStream{&noopCloser{b}}\n\n\t\t\treqMeta, err := reqServerStream.ReadConnectRequestData()\n\t\t\trequire.NoError(t, err)\n\n\t\t\tassert.Equal(t, test.metadata, reqMeta.Metadata)\n\t\t\tassert.Equal(t, test.hostname, reqMeta.Dest)\n\t\t\tassert.Equal(t, test.connectionType, reqMeta.Type)\n\t\t})\n\t}\n}\n\nfunc TestConnectResponseMeta(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\terr error\n\t\tmetadata []pogs.Metadata\n\t}{\n\t\t{\n\t\t\tname: \"Signature verified and response metadata is unmarshaled and read correctly\",\n\t\t\tmetadata: []pogs.Metadata{\n\t\t\t\t{\n\t\t\t\t\tKey: \"key\",\n\t\t\t\t\tVal: \"1234\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"If error is not empty, other fields should be blank\",\n\t\t\terr: errors.New(\"something happened\"),\n\t\t\tmetadata: []pogs.Metadata{\n\t\t\t\t{\n\t\t\t\t\tKey: \"key\",\n\t\t\t\t\tVal: \"1234\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tb := &bytes.Buffer{}\n\t\t\treqServerStream := RequestServerStream{noopCloser{b}}\n\t\t\terr := reqServerStream.WriteConnectResponseData(test.err, test.metadata...)\n\t\t\trequire.NoError(t, err)\n\n\t\t\treqClientStream := RequestClientStream{noopCloser{b}}\n\t\t\trespMeta, err := reqClientStream.ReadConnectResponseData()\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, test.metadata, respMeta.Metadata)\n\t\t})\n\t}\n}\n\nfunc TestRegisterUdpSession(t *testing.T) {\n\tunregisterMessage := \"closed by eyeball\"\n\n\ttests := []struct {\n\t\tname string\n\t\tsessionRPCServer mockSessionRPCServer\n\t}{\n\t\t{\n\t\t\tname: \"RegisterUdpSession (no trace context)\",\n\t\t\tsessionRPCServer: mockSessionRPCServer{\n\t\t\t\tsessionID: uuid.New(),\n\t\t\t\tdstIP: net.IP{172, 16, 0, 1},\n\t\t\t\tdstPort: 8000,\n\t\t\t\tcloseIdleAfter: testCloseIdleAfterHint,\n\t\t\t\tunregisterMessage: unregisterMessage,\n\t\t\t\ttraceContext: \"\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"RegisterUdpSession (with trace context)\",\n\t\t\tsessionRPCServer: mockSessionRPCServer{\n\t\t\t\tsessionID: uuid.New(),\n\t\t\t\tdstIP: net.IP{172, 16, 0, 1},\n\t\t\t\tdstPort: 8000,\n\t\t\t\tcloseIdleAfter: testCloseIdleAfterHint,\n\t\t\t\tunregisterMessage: unregisterMessage,\n\t\t\t\ttraceContext: \"1241ce3ecdefc68854e8514e69ba42ca:b38f1bf5eae406f3:0:1\",\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, test := range tests {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tclientStream, serverStream := newMockRPCStreams()\n\t\t\tsessionRegisteredChan := make(chan struct{})\n\t\t\tgo func() {\n\t\t\t\tss := NewCloudflaredServer(nil, test.sessionRPCServer, nil, 10*time.Second)\n\t\t\t\terr := ss.Serve(t.Context(), serverStream)\n\t\t\t\tassert.NoError(t, err)\n\n\t\t\t\tserverStream.Close()\n\t\t\t\tclose(sessionRegisteredChan)\n\t\t\t}()\n\n\t\t\trpcClientStream, err := NewCloudflaredClient(t.Context(), clientStream, 5*time.Second)\n\t\t\trequire.NoError(t, err)\n\n\t\t\treg, err := rpcClientStream.RegisterUdpSession(t.Context(), test.sessionRPCServer.sessionID, test.sessionRPCServer.dstIP, test.sessionRPCServer.dstPort, testCloseIdleAfterHint, test.sessionRPCServer.traceContext)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.NoError(t, reg.Err)\n\n\t\t\t// Different sessionID, the RPC server should reject the registration\n\t\t\treg, err = rpcClientStream.RegisterUdpSession(t.Context(), uuid.New(), test.sessionRPCServer.dstIP, test.sessionRPCServer.dstPort, testCloseIdleAfterHint, test.sessionRPCServer.traceContext)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Error(t, reg.Err)\n\n\t\t\trequire.NoError(t, rpcClientStream.UnregisterUdpSession(t.Context(), test.sessionRPCServer.sessionID, unregisterMessage))\n\n\t\t\t// Different sessionID, the RPC server should reject the unregistration\n\t\t\trequire.Error(t, rpcClientStream.UnregisterUdpSession(t.Context(), uuid.New(), unregisterMessage))\n\n\t\t\trpcClientStream.Close()\n\t\t\t<-sessionRegisteredChan\n\t\t})\n\t}\n}\n\nfunc TestManageConfiguration(t *testing.T) {\n\tvar (\n\t\tversion int32 = 168\n\t\tconfig = []byte(t.Name())\n\t)\n\tclientStream, serverStream := newMockRPCStreams()\n\n\tconfigRPCServer := mockConfigRPCServer{\n\t\tversion: version,\n\t\tconfig: config,\n\t}\n\n\tupdatedChan := make(chan struct{})\n\tgo func() {\n\t\tserver := NewCloudflaredServer(nil, nil, configRPCServer, 10*time.Second)\n\t\terr := server.Serve(t.Context(), serverStream)\n\t\tassert.NoError(t, err)\n\n\t\tserverStream.Close()\n\t\tclose(updatedChan)\n\t}()\n\n\tctx, cancel := context.WithTimeout(t.Context(), time.Second)\n\tdefer cancel()\n\trpcClientStream, err := NewCloudflaredClient(ctx, clientStream, 5*time.Second)\n\trequire.NoError(t, err)\n\n\tresult, err := rpcClientStream.UpdateConfiguration(ctx, version, config)\n\trequire.NoError(t, err)\n\n\trequire.Equal(t, version, result.LastAppliedVersion)\n\trequire.NoError(t, result.Err)\n\n\trpcClientStream.Close()\n\t<-updatedChan\n}\n\ntype mockSessionRPCServer struct {\n\tsessionID uuid.UUID\n\tdstIP net.IP\n\tdstPort uint16\n\tcloseIdleAfter time.Duration\n\tunregisterMessage string\n\ttraceContext string\n}\n\nfunc (s mockSessionRPCServer) RegisterUdpSession(_ context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeIdleAfter time.Duration, traceContext string) (*pogs.RegisterUdpSessionResponse, error) {\n\tif s.sessionID != sessionID {\n\t\treturn nil, fmt.Errorf(\"expect session ID %s, got %s\", s.sessionID, sessionID)\n\t}\n\tif !s.dstIP.Equal(dstIP) {\n\t\treturn nil, fmt.Errorf(\"expect destination IP %s, got %s\", s.dstIP, dstIP)\n\t}\n\tif s.dstPort != dstPort {\n\t\treturn nil, fmt.Errorf(\"expect destination port %d, got %d\", s.dstPort, dstPort)\n\t}\n\tif s.closeIdleAfter != closeIdleAfter {\n\t\treturn nil, fmt.Errorf(\"expect closeIdleAfter %d, got %d\", s.closeIdleAfter, closeIdleAfter)\n\t}\n\tif s.traceContext != traceContext {\n\t\treturn nil, fmt.Errorf(\"expect traceContext %s, got %s\", s.traceContext, traceContext)\n\t}\n\treturn &pogs.RegisterUdpSessionResponse{}, nil\n}\n\nfunc (s mockSessionRPCServer) UnregisterUdpSession(_ context.Context, sessionID uuid.UUID, message string) error {\n\tif s.sessionID != sessionID {\n\t\treturn fmt.Errorf(\"expect session ID %s, got %s\", s.sessionID, sessionID)\n\t}\n\tif s.unregisterMessage != message {\n\t\treturn fmt.Errorf(\"expect unregister message %s, got %s\", s.unregisterMessage, message)\n\t}\n\treturn nil\n}\n\ntype mockConfigRPCServer struct {\n\tversion int32\n\tconfig []byte\n}\n\nfunc (s mockConfigRPCServer) UpdateConfiguration(_ context.Context, version int32, config []byte) *pogs.UpdateConfigurationResponse {\n\tif s.version != version {\n\t\treturn &pogs.UpdateConfigurationResponse{\n\t\t\tErr: fmt.Errorf(\"expect version %d, got %d\", s.version, version),\n\t\t}\n\t}\n\tif !bytes.Equal(s.config, config) {\n\t\treturn &pogs.UpdateConfigurationResponse{\n\t\t\tErr: fmt.Errorf(\"expect config %v, got %v\", s.config, config),\n\t\t}\n\t}\n\treturn &pogs.UpdateConfigurationResponse{LastAppliedVersion: version}\n}\n\ntype mockRPCStream struct {\n\tio.ReadCloser\n\tio.WriteCloser\n}\n\nfunc newMockRPCStreams() (client io.ReadWriteCloser, server io.ReadWriteCloser) {\n\tclientReader, serverWriter := io.Pipe()\n\tserverReader, clientWriter := io.Pipe()\n\n\tclient = mockRPCStream{clientReader, clientWriter}\n\tserver = mockRPCStream{serverReader, serverWriter}\n\treturn\n}\n\nfunc (s mockRPCStream) Close() error {\n\t_ = s.ReadCloser.Close()\n\t_ = s.WriteCloser.Close()\n\treturn nil\n}\n\ntype noopCloser struct {\n\tio.ReadWriter\n}\n\nfunc (noopCloser) Close() error {\n\treturn nil\n}\n" }, { "path": "tunnelrpc/quic/session_client.go", "content": "package quic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"zombiezen.com/go/capnproto2/rpc\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/metrics\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\n// SessionClient calls capnp rpc methods of SessionManager.\ntype SessionClient struct {\n\tclient pogs.SessionManager_PogsClient\n\ttransport rpc.Transport\n\trequestTimeout time.Duration\n}\n\nfunc NewSessionClient(ctx context.Context, stream io.ReadWriteCloser, requestTimeout time.Duration) (*SessionClient, error) {\n\tn, err := stream.Write(rpcStreamProtocolSignature[:])\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif n != len(rpcStreamProtocolSignature) {\n\t\treturn nil, fmt.Errorf(\"expect to write %d bytes for RPC stream protocol signature, wrote %d\", len(rpcStreamProtocolSignature), n)\n\t}\n\ttransport := tunnelrpc.SafeTransport(stream)\n\tconn := tunnelrpc.NewClientConn(transport)\n\treturn &SessionClient{\n\t\tclient: pogs.NewSessionManager_PogsClient(conn.Bootstrap(ctx), conn),\n\t\ttransport: transport,\n\t\trequestTimeout: requestTimeout,\n\t}, nil\n}\n\nfunc (c *SessionClient) RegisterUdpSession(ctx context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeIdleAfterHint time.Duration, traceContext string) (*pogs.RegisterUdpSessionResponse, error) {\n\tctx, cancel := context.WithTimeout(ctx, c.requestTimeout)\n\tdefer cancel()\n\tdefer metrics.CapnpMetrics.ClientOperations.WithLabelValues(metrics.SessionManager, metrics.OperationRegisterUdpSession).Inc()\n\ttimer := metrics.NewClientOperationLatencyObserver(metrics.SessionManager, metrics.OperationRegisterUdpSession)\n\tdefer timer.ObserveDuration()\n\n\tresp, err := c.client.RegisterUdpSession(ctx, sessionID, dstIP, dstPort, closeIdleAfterHint, traceContext)\n\tif err != nil {\n\t\tmetrics.CapnpMetrics.ClientFailures.WithLabelValues(metrics.SessionManager, metrics.OperationRegisterUdpSession).Inc()\n\t}\n\treturn resp, err\n}\n\nfunc (c *SessionClient) UnregisterUdpSession(ctx context.Context, sessionID uuid.UUID, message string) error {\n\tctx, cancel := context.WithTimeout(ctx, c.requestTimeout)\n\tdefer cancel()\n\tdefer metrics.CapnpMetrics.ClientOperations.WithLabelValues(metrics.SessionManager, metrics.OperationUnregisterUdpSession).Inc()\n\ttimer := metrics.NewClientOperationLatencyObserver(metrics.SessionManager, metrics.OperationUnregisterUdpSession)\n\tdefer timer.ObserveDuration()\n\n\terr := c.client.UnregisterUdpSession(ctx, sessionID, message)\n\tif err != nil {\n\t\tmetrics.CapnpMetrics.ClientFailures.WithLabelValues(metrics.SessionManager, metrics.OperationUnregisterUdpSession).Inc()\n\t}\n\treturn err\n}\n\nfunc (c *SessionClient) Close() {\n\t_ = c.client.Close()\n\t_ = c.transport.Close()\n}\n" }, { "path": "tunnelrpc/quic/session_server.go", "content": "package quic\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"time\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\n// SessionManagerServer handles streams with the SessionManager RPCs.\ntype SessionManagerServer struct {\n\tsessionManager pogs.SessionManager\n\tresponseTimeout time.Duration\n}\n\nfunc NewSessionManagerServer(sessionManager pogs.SessionManager, responseTimeout time.Duration) *SessionManagerServer {\n\treturn &SessionManagerServer{\n\t\tsessionManager: sessionManager,\n\t\tresponseTimeout: responseTimeout,\n\t}\n}\n\nfunc (s *SessionManagerServer) Serve(ctx context.Context, stream io.ReadWriteCloser) error {\n\tsignature, err := determineProtocol(stream)\n\tif err != nil {\n\t\treturn err\n\t}\n\tswitch signature {\n\tcase rpcStreamProtocolSignature:\n\t\tbreak\n\tcase dataStreamProtocolSignature:\n\t\treturn errDataStreamNotSupported\n\tdefault:\n\t\treturn fmt.Errorf(\"unknown protocol %v\", signature)\n\t}\n\n\t// Every new quic.Stream request aligns to a new RPC request, this is why there is a timeout for the server-side\n\t// of the RPC request.\n\tctx, cancel := context.WithTimeout(ctx, s.responseTimeout)\n\tdefer cancel()\n\n\ttransport := tunnelrpc.SafeTransport(stream)\n\tdefer transport.Close()\n\n\tmain := pogs.SessionManager_ServerToClient(s.sessionManager)\n\trpcConn := tunnelrpc.NewServerConn(transport, main.Client)\n\tdefer rpcConn.Close()\n\n\tselect {\n\tcase <-rpcConn.Done():\n\t\treturn nil\n\tcase <-ctx.Done():\n\t\treturn ctx.Err()\n\t}\n}\n" }, { "path": "tunnelrpc/registration_client.go", "content": "package tunnelrpc\n\nimport (\n\t\"context\"\n\t\"io\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"zombiezen.com/go/capnproto2/rpc\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/metrics\"\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\ntype RegistrationClient interface {\n\tRegisterConnection(\n\t\tctx context.Context,\n\t\tauth pogs.TunnelAuth,\n\t\ttunnelID uuid.UUID,\n\t\toptions *pogs.ConnectionOptions,\n\t\tconnIndex uint8,\n\t\tedgeAddress net.IP,\n\t) (*pogs.ConnectionDetails, error)\n\tSendLocalConfiguration(ctx context.Context, config []byte) error\n\tGracefulShutdown(ctx context.Context, gracePeriod time.Duration) error\n\tClose()\n}\n\ntype registrationClient struct {\n\tclient pogs.RegistrationServer_PogsClient\n\ttransport rpc.Transport\n\trequestTimeout time.Duration\n}\n\nfunc NewRegistrationClient(ctx context.Context, stream io.ReadWriteCloser, requestTimeout time.Duration) RegistrationClient {\n\ttransport := SafeTransport(stream)\n\tconn := NewClientConn(transport)\n\tclient := pogs.NewRegistrationServer_PogsClient(conn.Bootstrap(ctx), conn)\n\treturn ®istrationClient{\n\t\tclient: client,\n\t\ttransport: transport,\n\t\trequestTimeout: requestTimeout,\n\t}\n}\n\nfunc (r *registrationClient) RegisterConnection(\n\tctx context.Context,\n\tauth pogs.TunnelAuth,\n\ttunnelID uuid.UUID,\n\toptions *pogs.ConnectionOptions,\n\tconnIndex uint8,\n\tedgeAddress net.IP,\n) (*pogs.ConnectionDetails, error) {\n\tctx, cancel := context.WithTimeout(ctx, r.requestTimeout)\n\tdefer cancel()\n\tdefer metrics.CapnpMetrics.ClientOperations.WithLabelValues(metrics.Registration, metrics.OperationRegisterConnection).Inc()\n\ttimer := metrics.NewClientOperationLatencyObserver(metrics.Registration, metrics.OperationRegisterConnection)\n\tdefer timer.ObserveDuration()\n\n\tconn, err := r.client.RegisterConnection(ctx, auth, tunnelID, connIndex, options)\n\tif err != nil {\n\t\tmetrics.CapnpMetrics.ClientFailures.WithLabelValues(metrics.Registration, metrics.OperationRegisterConnection).Inc()\n\t}\n\treturn conn, err\n}\n\nfunc (r *registrationClient) SendLocalConfiguration(ctx context.Context, config []byte) error {\n\tctx, cancel := context.WithTimeout(ctx, r.requestTimeout)\n\tdefer cancel()\n\tdefer metrics.CapnpMetrics.ClientOperations.WithLabelValues(metrics.Registration, metrics.OperationUpdateLocalConfiguration).Inc()\n\ttimer := metrics.NewClientOperationLatencyObserver(metrics.Registration, metrics.OperationUpdateLocalConfiguration)\n\tdefer timer.ObserveDuration()\n\n\terr := r.client.SendLocalConfiguration(ctx, config)\n\tif err != nil {\n\t\tmetrics.CapnpMetrics.ClientFailures.WithLabelValues(metrics.Registration, metrics.OperationUpdateLocalConfiguration).Inc()\n\t}\n\treturn err\n}\n\nfunc (r *registrationClient) GracefulShutdown(ctx context.Context, gracePeriod time.Duration) error {\n\tctx, cancel := context.WithTimeout(ctx, gracePeriod)\n\tdefer cancel()\n\tdefer metrics.CapnpMetrics.ClientOperations.WithLabelValues(metrics.Registration, metrics.OperationUnregisterConnection).Inc()\n\ttimer := metrics.NewClientOperationLatencyObserver(metrics.Registration, metrics.OperationUnregisterConnection)\n\tdefer timer.ObserveDuration()\n\terr := r.client.UnregisterConnection(ctx)\n\tif err != nil {\n\t\tmetrics.CapnpMetrics.ClientFailures.WithLabelValues(metrics.Registration, metrics.OperationUnregisterConnection).Inc()\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc (r *registrationClient) Close() {\n\t// Closing the client will also close the connection\n\t_ = r.client.Close()\n\t// Closing the transport also closes the stream\n\t_ = r.transport.Close()\n}\n" }, { "path": "tunnelrpc/registration_server.go", "content": "package tunnelrpc\n\nimport (\n\t\"context\"\n\t\"io\"\n\n\t\"github.com/cloudflare/cloudflared/tunnelrpc/pogs\"\n)\n\n// RegistrationServer provides a handler interface for a client to provide methods to handle the different types of\n// requests that can be communicated by the stream.\ntype RegistrationServer struct {\n\tregistrationServer pogs.RegistrationServer\n}\n\nfunc NewRegistrationServer(registrationServer pogs.RegistrationServer) *RegistrationServer {\n\treturn &RegistrationServer{\n\t\tregistrationServer: registrationServer,\n\t}\n}\n\n// Serve listens for all RegistrationServer RPCs, including UnregisterConnection until the underlying connection\n// is terminated.\nfunc (s *RegistrationServer) Serve(ctx context.Context, stream io.ReadWriteCloser) error {\n\ttransport := SafeTransport(stream)\n\tdefer transport.Close()\n\n\tmain := pogs.RegistrationServer_ServerToClient(s.registrationServer)\n\trpcConn := NewServerConn(transport, main.Client)\n\n\tselect {\n\tcase <-rpcConn.Done():\n\t\treturn rpcConn.Wait()\n\tcase <-ctx.Done():\n\t\treturn ctx.Err()\n\t}\n}\n" }, { "path": "tunnelrpc/utils.go", "content": "package tunnelrpc\n\nimport (\n\t\"context\"\n\t\"io\"\n\t\"time\"\n\n\t\"github.com/pkg/errors\"\n\tcapnp \"zombiezen.com/go/capnproto2\"\n\t\"zombiezen.com/go/capnproto2/rpc\"\n)\n\nconst (\n\t// These default values are here so that we give some time for the underlying connection/stream\n\t// to recover in the face of what we believe to be temporarily errors.\n\t// We don't want to be too aggressive, as the end result of giving a final error (non-temporary)\n\t// will result in the connection to be dropped.\n\t// In turn, the other side will probably reconnect, which will put again more pressure in the overall system.\n\t// So, the best solution is to give it some conservative time to recover.\n\tdefaultSleepBetweenTemporaryError = 500 * time.Millisecond\n\tdefaultMaxRetries = 3\n)\n\ntype readWriterSafeTemporaryErrorCloser struct {\n\tio.ReadWriteCloser\n\n\tretries int\n\tsleepBetweenRetries time.Duration\n\tmaxRetries int\n}\n\nfunc (r *readWriterSafeTemporaryErrorCloser) Read(p []byte) (n int, err error) {\n\tn, err = r.ReadWriteCloser.Read(p)\n\n\t// if there was a failure reading from the read closer, and the error is temporary, try again in some seconds\n\t// otherwise, just fail without a temporary error.\n\tif n == 0 && err != nil && isTemporaryError(err) {\n\t\tif r.retries >= r.maxRetries {\n\t\t\treturn 0, errors.Wrap(err, \"failed read from capnproto ReaderWriter after multiple temporary errors\")\n\t\t} else {\n\t\t\tr.retries += 1\n\n\t\t\t// sleep for some time to prevent quick read loops that cause exhaustion of CPU resources\n\t\t\ttime.Sleep(r.sleepBetweenRetries)\n\t\t}\n\t}\n\n\tif err == nil {\n\t\tr.retries = 0\n\t}\n\n\treturn n, err\n}\n\nfunc SafeTransport(rw io.ReadWriteCloser) rpc.Transport {\n\treturn rpc.StreamTransport(&readWriterSafeTemporaryErrorCloser{\n\t\tReadWriteCloser: rw,\n\t\tmaxRetries: defaultMaxRetries,\n\t\tsleepBetweenRetries: defaultSleepBetweenTemporaryError,\n\t})\n}\n\n// isTemporaryError reports whether e has a Temporary() method that\n// returns true.\nfunc isTemporaryError(e error) bool {\n\ttype temp interface {\n\t\tTemporary() bool\n\t}\n\tt, ok := e.(temp)\n\treturn ok && t.Temporary()\n}\n\n// NoopCapnpLogger provides a logger to discard all capnp rpc internal logging messages as\n// they are by default provided to stdout if no logger interface is provided. These logging\n// messages in cloudflared have typically not provided a high amount of pratical value\n// as the messages are extremely verbose and don't provide a good insight into the message\n// contents or rpc method names.\ntype noopCapnpLogger struct{}\n\nfunc (noopCapnpLogger) Infof(ctx context.Context, format string, args ...interface{}) {}\nfunc (noopCapnpLogger) Errorf(ctx context.Context, format string, args ...interface{}) {}\n\nfunc NewClientConn(transport rpc.Transport) *rpc.Conn {\n\treturn rpc.NewConn(transport, rpc.ConnLog(noopCapnpLogger{}))\n}\n\nfunc NewServerConn(transport rpc.Transport, client capnp.Client) *rpc.Conn {\n\treturn rpc.NewConn(transport, rpc.MainInterface(client), rpc.ConnLog(noopCapnpLogger{}))\n}\n" }, { "path": "tunnelstate/conntracker.go", "content": "package tunnelstate\n\nimport (\n\t\"net\"\n\t\"sync\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/cloudflare/cloudflared/connection\"\n)\n\ntype ConnTracker struct {\n\tmutex sync.RWMutex\n\t// int is the connection Index\n\tconnectionInfo map[uint8]ConnectionInfo\n\tlog *zerolog.Logger\n}\n\ntype ConnectionInfo struct {\n\tIsConnected bool `json:\"isConnected,omitempty\"`\n\tProtocol connection.Protocol `json:\"protocol,omitempty\"`\n\tEdgeAddress net.IP `json:\"edgeAddress,omitempty\"`\n}\n\n// Convinience struct to extend the connection with its index.\ntype IndexedConnectionInfo struct {\n\tConnectionInfo\n\tIndex uint8 `json:\"index,omitempty\"`\n}\n\nfunc NewConnTracker(\n\tlog *zerolog.Logger,\n) *ConnTracker {\n\treturn &ConnTracker{\n\t\tconnectionInfo: make(map[uint8]ConnectionInfo, 0),\n\t\tlog: log,\n\t}\n}\n\nfunc (ct *ConnTracker) OnTunnelEvent(c connection.Event) {\n\tswitch c.EventType {\n\tcase connection.Connected:\n\t\tct.mutex.Lock()\n\t\tci := ConnectionInfo{\n\t\t\tIsConnected: true,\n\t\t\tProtocol: c.Protocol,\n\t\t\tEdgeAddress: c.EdgeAddress,\n\t\t}\n\t\tct.connectionInfo[c.Index] = ci\n\t\tct.mutex.Unlock()\n\tcase connection.Disconnected, connection.Reconnecting, connection.RegisteringTunnel, connection.Unregistering:\n\t\tct.mutex.Lock()\n\t\tci := ct.connectionInfo[c.Index]\n\t\tci.IsConnected = false\n\t\tct.connectionInfo[c.Index] = ci\n\t\tct.mutex.Unlock()\n\tdefault:\n\t\tct.log.Error().Msgf(\"Unknown connection event case %v\", c)\n\t}\n}\n\nfunc (ct *ConnTracker) CountActiveConns() uint {\n\tct.mutex.RLock()\n\tdefer ct.mutex.RUnlock()\n\tactive := uint(0)\n\tfor _, ci := range ct.connectionInfo {\n\t\tif ci.IsConnected {\n\t\t\tactive++\n\t\t}\n\t}\n\treturn active\n}\n\n// HasConnectedWith checks if we've ever had a successful connection to the edge\n// with said protocol.\nfunc (ct *ConnTracker) HasConnectedWith(protocol connection.Protocol) bool {\n\tct.mutex.RLock()\n\tdefer ct.mutex.RUnlock()\n\tfor _, ci := range ct.connectionInfo {\n\t\tif ci.Protocol == protocol {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// Returns the connection information iff it is connected this\n// also leverages the [IndexedConnectionInfo] to also provide the connection index\nfunc (ct *ConnTracker) GetActiveConnections() []IndexedConnectionInfo {\n\tct.mutex.RLock()\n\tdefer ct.mutex.RUnlock()\n\n\tconnections := make([]IndexedConnectionInfo, 0)\n\n\tfor key, value := range ct.connectionInfo {\n\t\tif value.IsConnected {\n\t\t\tinfo := IndexedConnectionInfo{value, key}\n\t\t\tconnections = append(connections, info)\n\t\t}\n\t}\n\n\treturn connections\n}\n" }, { "path": "validation/validation.go", "content": "package validation\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/coreos/go-oidc/v3/oidc\"\n\t\"github.com/pkg/errors\"\n\t\"golang.org/x/net/idna\"\n)\n\nconst (\n\tdefaultScheme = \"http\"\n\taccessDomain = \"cloudflareaccess.com\"\n\taccessCertPath = \"/cdn-cgi/access/certs\"\n\taccessJwtHeader = \"Cf-access-jwt-assertion\"\n)\n\nvar (\n\tsupportedProtocols = []string{\"http\", \"https\", \"rdp\", \"ssh\", \"smb\", \"tcp\"}\n\tvalidationTimeout = time.Duration(30 * time.Second)\n)\n\nfunc ValidateHostname(hostname string) (string, error) {\n\tif hostname == \"\" {\n\t\treturn \"\", nil\n\t}\n\t// users gives url(contains schema) not just hostname\n\tif strings.Contains(hostname, \":\") || strings.Contains(hostname, \"%3A\") {\n\t\tunescapeHostname, err := url.PathUnescape(hostname)\n\t\tif err != nil {\n\t\t\treturn \"\", fmt.Errorf(\"Hostname(actually a URL) %s has invalid escape characters %s\", hostname, unescapeHostname)\n\t\t}\n\t\thostnameToURL, err := url.Parse(unescapeHostname)\n\t\tif err != nil {\n\t\t\treturn \"\", fmt.Errorf(\"Hostname(actually a URL) %s has invalid format %s\", hostname, hostnameToURL)\n\t\t}\n\t\tasciiHostname, err := idna.ToASCII(hostnameToURL.Hostname())\n\t\tif err != nil {\n\t\t\treturn \"\", fmt.Errorf(\"Hostname(actually a URL) %s has invalid ASCII encdoing %s\", hostname, asciiHostname)\n\t\t}\n\t\treturn asciiHostname, nil\n\t}\n\n\tasciiHostname, err := idna.ToASCII(hostname)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"Hostname %s has invalid ASCII encdoing %s\", hostname, asciiHostname)\n\t}\n\thostnameToURL, err := url.Parse(asciiHostname)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"Hostname %s is not valid\", hostnameToURL)\n\t}\n\treturn hostnameToURL.RequestURI(), nil\n\n}\n\n// ValidateUrl returns a validated version of `originUrl` with a scheme prepended (by default http://).\n// Note: when originUrl contains a scheme, the path is removed:\n//\n//\tValidateUrl(\"https://localhost:8080/api/\") => \"https://localhost:8080\"\n//\n// but when it does not, the path is preserved:\n//\n//\tValidateUrl(\"localhost:8080/api/\") => \"http://localhost:8080/api/\"\n//\n// This is arguably a bug, but changing it might break some cloudflared users.\nfunc ValidateUrl(originUrl string) (*url.URL, error) {\n\turlStr, err := validateUrlString(originUrl)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn url.Parse(urlStr)\n}\n\nfunc validateUrlString(originUrl string) (string, error) {\n\tif originUrl == \"\" {\n\t\treturn \"\", fmt.Errorf(\"URL should not be empty\")\n\t}\n\n\tif net.ParseIP(originUrl) != nil {\n\t\treturn validateIP(\"\", originUrl, \"\")\n\t} else if strings.HasPrefix(originUrl, \"[\") && strings.HasSuffix(originUrl, \"]\") {\n\t\t// ParseIP doesn't recoginze [::1]\n\t\treturn validateIP(\"\", originUrl[1:len(originUrl)-1], \"\")\n\t}\n\n\thost, port, err := net.SplitHostPort(originUrl)\n\t// user might pass in an ip address like 127.0.0.1\n\tif err == nil && net.ParseIP(host) != nil {\n\t\treturn validateIP(\"\", host, port)\n\t}\n\n\tunescapedUrl, err := url.PathUnescape(originUrl)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"URL %s has invalid escape characters %s\", originUrl, unescapedUrl)\n\t}\n\n\tparsedUrl, err := url.Parse(unescapedUrl)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"URL %s has invalid format\", originUrl)\n\t}\n\n\t// if the url is in the form of host:port, IsAbs() will think host is the schema\n\tvar hostname string\n\thasScheme := parsedUrl.IsAbs() && parsedUrl.Host != \"\"\n\tif hasScheme {\n\t\terr := validateScheme(parsedUrl.Scheme)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\t// The earlier check for ip address will miss the case http://[::1]\n\t\t// and http://[::1]:8080\n\t\tif net.ParseIP(parsedUrl.Hostname()) != nil {\n\t\t\treturn validateIP(parsedUrl.Scheme, parsedUrl.Hostname(), parsedUrl.Port())\n\t\t}\n\t\thostname, err = ValidateHostname(parsedUrl.Hostname())\n\t\tif err != nil {\n\t\t\treturn \"\", fmt.Errorf(\"URL %s has invalid format\", originUrl)\n\t\t}\n\t\tif parsedUrl.Port() != \"\" {\n\t\t\treturn fmt.Sprintf(\"%s://%s\", parsedUrl.Scheme, net.JoinHostPort(hostname, parsedUrl.Port())), nil\n\t\t}\n\t\treturn fmt.Sprintf(\"%s://%s\", parsedUrl.Scheme, hostname), nil\n\t} else {\n\t\tif host == \"\" {\n\t\t\thostname, err = ValidateHostname(originUrl)\n\t\t\tif err != nil {\n\t\t\t\treturn \"\", fmt.Errorf(\"URL no %s has invalid format\", originUrl)\n\t\t\t}\n\t\t\treturn fmt.Sprintf(\"%s://%s\", defaultScheme, hostname), nil\n\t\t} else {\n\t\t\thostname, err = ValidateHostname(host)\n\t\t\tif err != nil {\n\t\t\t\treturn \"\", fmt.Errorf(\"URL %s has invalid format\", originUrl)\n\t\t\t}\n\t\t\t// This is why the path is preserved when `originUrl` doesn't have a schema.\n\t\t\t// Using `parsedUrl.Port()` here, instead of `port`, would remove the path\n\t\t\treturn fmt.Sprintf(\"%s://%s\", defaultScheme, net.JoinHostPort(hostname, port)), nil\n\t\t}\n\t}\n\n}\n\nfunc validateScheme(scheme string) error {\n\tfor _, protocol := range supportedProtocols {\n\t\tif scheme == protocol {\n\t\t\treturn nil\n\t\t}\n\t}\n\treturn fmt.Errorf(\"Currently Cloudflare Tunnel does not support %s protocol.\", scheme)\n}\n\nfunc validateIP(scheme, host, port string) (string, error) {\n\tif scheme == \"\" {\n\t\tscheme = defaultScheme\n\t}\n\tif port != \"\" {\n\t\treturn fmt.Sprintf(\"%s://%s\", scheme, net.JoinHostPort(host, port)), nil\n\t} else if strings.Contains(host, \":\") {\n\t\t// IPv6\n\t\treturn fmt.Sprintf(\"%s://[%s]\", scheme, host), nil\n\t}\n\treturn fmt.Sprintf(\"%s://%s\", scheme, host), nil\n}\n\n// Access checks if a JWT from Cloudflare Access is valid.\ntype Access struct {\n\tverifier *oidc.IDTokenVerifier\n}\n\nfunc NewAccessValidator(ctx context.Context, domain, issuer, applicationAUD string) (*Access, error) {\n\tdomainURL, err := validateUrlString(domain)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tissuerURL, err := validateUrlString(issuer)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// An issuerURL from Cloudflare Access will always use HTTPS.\n\tissuerURL = strings.Replace(issuerURL, \"http:\", \"https:\", 1)\n\n\tkeySet := oidc.NewRemoteKeySet(ctx, domainURL+accessCertPath)\n\treturn &Access{oidc.NewVerifier(issuerURL, keySet, &oidc.Config{ClientID: applicationAUD})}, nil\n}\n\nfunc (a *Access) Validate(ctx context.Context, jwt string) error {\n\ttoken, err := a.verifier.Verify(ctx, jwt)\n\n\tif err != nil {\n\t\treturn errors.Wrapf(err, \"token is invalid: %s\", jwt)\n\t}\n\n\t// Perform extra sanity checks, just to be safe.\n\n\tif token == nil {\n\t\treturn fmt.Errorf(\"token is nil: %s\", jwt)\n\t}\n\n\tif !strings.HasSuffix(token.Issuer, accessDomain) {\n\t\treturn fmt.Errorf(\"token has non-cloudflare issuer of %s: %s\", token.Issuer, jwt)\n\t}\n\n\treturn nil\n}\n\nfunc (a *Access) ValidateRequest(ctx context.Context, r *http.Request) error {\n\treturn a.Validate(ctx, r.Header.Get(accessJwtHeader))\n}\n" }, { "path": "validation/validation_test.go", "content": "package validation\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"testing\"\n\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"strings\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestValidateHostname(t *testing.T) {\n\tvar inputHostname string\n\thostname, err := ValidateHostname(inputHostname)\n\tassert.Equal(t, err, nil)\n\tassert.Empty(t, hostname)\n\n\tinputHostname = \"hello.example.com\"\n\thostname, err = ValidateHostname(inputHostname)\n\tassert.Nil(t, err)\n\tassert.Equal(t, \"hello.example.com\", hostname)\n\n\tinputHostname = \"http://hello.example.com\"\n\thostname, err = ValidateHostname(inputHostname)\n\tassert.Nil(t, err)\n\tassert.Equal(t, \"hello.example.com\", hostname)\n\n\tinputHostname = \"bücher.example.com\"\n\thostname, err = ValidateHostname(inputHostname)\n\tassert.Nil(t, err)\n\tassert.Equal(t, \"xn--bcher-kva.example.com\", hostname)\n\n\tinputHostname = \"http://bücher.example.com\"\n\thostname, err = ValidateHostname(inputHostname)\n\tassert.Nil(t, err)\n\tassert.Equal(t, \"xn--bcher-kva.example.com\", hostname)\n\n\tinputHostname = \"http%3A%2F%2Fhello.example.com\"\n\thostname, err = ValidateHostname(inputHostname)\n\tassert.Nil(t, err)\n\tassert.Equal(t, \"hello.example.com\", hostname)\n\n}\n\nfunc TestValidateUrl(t *testing.T) {\n\ttype testCase struct {\n\t\tinput string\n\t\texpectedOutput string\n\t}\n\ttestCases := []testCase{\n\t\t{\"http://localhost\", \"http://localhost\"},\n\t\t{\"http://localhost/\", \"http://localhost\"},\n\t\t{\"http://localhost/api\", \"http://localhost\"},\n\t\t{\"http://localhost/api/\", \"http://localhost\"},\n\t\t{\"https://localhost\", \"https://localhost\"},\n\t\t{\"https://localhost/\", \"https://localhost\"},\n\t\t{\"https://localhost/api\", \"https://localhost\"},\n\t\t{\"https://localhost/api/\", \"https://localhost\"},\n\t\t{\"https://localhost:8080\", \"https://localhost:8080\"},\n\t\t{\"https://localhost:8080/\", \"https://localhost:8080\"},\n\t\t{\"https://localhost:8080/api\", \"https://localhost:8080\"},\n\t\t{\"https://localhost:8080/api/\", \"https://localhost:8080\"},\n\t\t{\"localhost\", \"http://localhost\"},\n\t\t{\"localhost/\", \"http://localhost/\"},\n\t\t{\"localhost/api\", \"http://localhost/api\"},\n\t\t{\"localhost/api/\", \"http://localhost/api/\"},\n\t\t{\"localhost:8080\", \"http://localhost:8080\"},\n\t\t{\"localhost:8080/\", \"http://localhost:8080/\"},\n\t\t{\"localhost:8080/api\", \"http://localhost:8080/api\"},\n\t\t{\"localhost:8080/api/\", \"http://localhost:8080/api/\"},\n\t\t{\"localhost:8080/api/?asdf\", \"http://localhost:8080/api/?asdf\"},\n\t\t{\"http://127.0.0.1:8080\", \"http://127.0.0.1:8080\"},\n\t\t{\"127.0.0.1:8080\", \"http://127.0.0.1:8080\"},\n\t\t{\"127.0.0.1\", \"http://127.0.0.1\"},\n\t\t{\"https://127.0.0.1:8080\", \"https://127.0.0.1:8080\"},\n\t\t{\"[::1]:8080\", \"http://[::1]:8080\"},\n\t\t{\"http://[::1]\", \"http://[::1]\"},\n\t\t{\"http://[::1]:8080\", \"http://[::1]:8080\"},\n\t\t{\"[::1]\", \"http://[::1]\"},\n\t\t{\"https://example.com\", \"https://example.com\"},\n\t\t{\"example.com\", \"http://example.com\"},\n\t\t{\"http://hello.example.com\", \"http://hello.example.com\"},\n\t\t{\"hello.example.com\", \"http://hello.example.com\"},\n\t\t{\"hello.example.com:8080\", \"http://hello.example.com:8080\"},\n\t\t{\"https://hello.example.com:8080\", \"https://hello.example.com:8080\"},\n\t\t{\"https://bücher.example.com\", \"https://xn--bcher-kva.example.com\"},\n\t\t{\"bücher.example.com\", \"http://xn--bcher-kva.example.com\"},\n\t\t{\"https%3A%2F%2Fhello.example.com\", \"https://hello.example.com\"},\n\t\t{\"https://alex:12345@hello.example.com:8080\", \"https://hello.example.com:8080\"},\n\t}\n\tfor i, testCase := range testCases {\n\t\tvalidUrl, err := ValidateUrl(testCase.input)\n\t\tassert.NoError(t, err, \"test case %v\", i)\n\t\tassert.Equal(t, testCase.expectedOutput, validUrl.String(), \"test case %v\", i)\n\t}\n\n\tvalidUrl, err := ValidateUrl(\"\")\n\tassert.Equal(t, fmt.Errorf(\"URL should not be empty\"), err)\n\tassert.Empty(t, validUrl)\n\n\tvalidUrl, err = ValidateUrl(\"ftp://alex:12345@hello.example.com:8080/robot.txt\")\n\tassert.Equal(t, \"Currently Cloudflare Tunnel does not support ftp protocol.\", err.Error())\n\tassert.Empty(t, validUrl)\n\n}\n\nfunc TestNewAccessValidatorOk(t *testing.T) {\n\tctx := context.Background()\n\turl := \"test.cloudflareaccess.com\"\n\taccess, err := NewAccessValidator(ctx, url, url, \"\")\n\n\tassert.NoError(t, err)\n\tassert.NotNil(t, access)\n\n\tassert.Error(t, access.Validate(ctx, \"\"))\n\tassert.Error(t, access.Validate(ctx, \"invalid\"))\n\n\treq := httptest.NewRequest(\"GET\", \"https://test.cloudflareaccess.com\", nil)\n\treq.Header.Set(accessJwtHeader, \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c\")\n\tassert.Error(t, access.ValidateRequest(ctx, req))\n}\n\nfunc TestNewAccessValidatorErr(t *testing.T) {\n\tctx := context.Background()\n\n\turls := []string{\n\t\t\"\",\n\t\t\"ftp://test.cloudflareaccess.com\",\n\t\t\"wss://cloudflarenone.com\",\n\t}\n\n\tfor _, url := range urls {\n\t\taccess, err := NewAccessValidator(ctx, url, url, \"\")\n\n\t\tassert.Error(t, err, url)\n\t\tassert.Nil(t, access)\n\t}\n}\n\ntype testRoundTripper func(req *http.Request) (*http.Response, error)\n\nfunc (f testRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {\n\treturn f(req)\n}\n\nfunc emptyResponse(statusCode int) *http.Response {\n\treturn &http.Response{\n\t\tStatusCode: statusCode,\n\t\tBody: io.NopCloser(bytes.NewReader(nil)),\n\t\tHeader: make(http.Header),\n\t}\n}\n\nfunc createMockServerAndClient(handler http.Handler) (*httptest.Server, *http.Client, error) {\n\tclient := http.DefaultClient\n\tserver := httptest.NewServer(handler)\n\n\tclient.Transport = &http.Transport{\n\t\tProxy: func(req *http.Request) (*url.URL, error) {\n\t\t\treturn url.Parse(server.URL)\n\t\t},\n\t}\n\n\treturn server, client, nil\n}\n\nfunc createSecureMockServerAndClient(handler http.Handler) (*httptest.Server, *http.Client, error) {\n\tclient := http.DefaultClient\n\tserver := httptest.NewTLSServer(handler)\n\n\tcert, err := x509.ParseCertificate(server.TLS.Certificates[0].Certificate[0])\n\tif err != nil {\n\t\tserver.Close()\n\t\treturn nil, nil, err\n\t}\n\n\tcertpool := x509.NewCertPool()\n\tcertpool.AddCert(cert)\n\n\tclient.Transport = &http.Transport{\n\t\tDialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {\n\t\t\treturn net.Dial(\"tcp\", server.URL[strings.LastIndex(server.URL, \"/\")+1:])\n\t\t},\n\t\tTLSClientConfig: &tls.Config{\n\t\t\tRootCAs: certpool,\n\t\t},\n\t}\n\n\treturn server, client, nil\n}\n\nfunc FuzzNewAccessValidator(f *testing.F) {\n\tf.Fuzz(func(t *testing.T, domain string, issuer string, applicationAUD string) {\n\t\tctx := context.Background()\n\t\t_, _ = NewAccessValidator(ctx, domain, issuer, applicationAUD)\n\t})\n}\n" }, { "path": "vendor/github.com/BurntSushi/toml/.gitignore", "content": "/toml.test\n/toml-test\n" }, { "path": "vendor/github.com/BurntSushi/toml/COPYING", "content": "The MIT License (MIT)\n\nCopyright (c) 2013 TOML authors\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n" }, { "path": "vendor/github.com/BurntSushi/toml/README.md", "content": "TOML stands for Tom's Obvious, Minimal Language. This Go package provides a\nreflection interface similar to Go's standard library `json` and `xml` packages.\n\nCompatible with TOML version [v1.0.0](https://toml.io/en/v1.0.0).\n\nDocumentation: https://godocs.io/github.com/BurntSushi/toml\n\nSee the [releases page](https://github.com/BurntSushi/toml/releases) for a\nchangelog; this information is also in the git tag annotations (e.g. `git show\nv0.4.0`).\n\nThis library requires Go 1.13 or newer; add it to your go.mod with:\n\n % go get github.com/BurntSushi/toml@latest\n\nIt also comes with a TOML validator CLI tool:\n\n % go install github.com/BurntSushi/toml/cmd/tomlv@latest\n % tomlv some-toml-file.toml\n\n### Examples\nFor the simplest example, consider some TOML file as just a list of keys and\nvalues:\n\n```toml\nAge = 25\nCats = [ \"Cauchy\", \"Plato\" ]\nPi = 3.14\nPerfection = [ 6, 28, 496, 8128 ]\nDOB = 1987-07-05T05:45:00Z\n```\n\nWhich can be decoded with:\n\n```go\ntype Config struct {\n\tAge int\n\tCats []string\n\tPi float64\n\tPerfection []int\n\tDOB time.Time\n}\n\nvar conf Config\n_, err := toml.Decode(tomlData, &conf)\n```\n\nYou can also use struct tags if your struct field name doesn't map to a TOML key\nvalue directly:\n\n```toml\nsome_key_NAME = \"wat\"\n```\n\n```go\ntype TOML struct {\n ObscureKey string `toml:\"some_key_NAME\"`\n}\n```\n\nBeware that like other decoders **only exported fields** are considered when\nencoding and decoding; private fields are silently ignored.\n\n### Using the `Marshaler` and `encoding.TextUnmarshaler` interfaces\nHere's an example that automatically parses values in a `mail.Address`:\n\n```toml\ncontacts = [\n \"Donald Duck \",\n \"Scrooge McDuck \",\n]\n```\n\nCan be decoded with:\n\n```go\n// Create address type which satisfies the encoding.TextUnmarshaler interface.\ntype address struct {\n\t*mail.Address\n}\n\nfunc (a *address) UnmarshalText(text []byte) error {\n\tvar err error\n\ta.Address, err = mail.ParseAddress(string(text))\n\treturn err\n}\n\n// Decode it.\nfunc decode() {\n\tblob := `\n\t\tcontacts = [\n\t\t\t\"Donald Duck \",\n\t\t\t\"Scrooge McDuck \",\n\t\t]\n\t`\n\n\tvar contacts struct {\n\t\tContacts []address\n\t}\n\n\t_, err := toml.Decode(blob, &contacts)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\tfor _, c := range contacts.Contacts {\n\t\tfmt.Printf(\"%#v\\n\", c.Address)\n\t}\n\n\t// Output:\n\t// &mail.Address{Name:\"Donald Duck\", Address:\"donald@duckburg.com\"}\n\t// &mail.Address{Name:\"Scrooge McDuck\", Address:\"scrooge@duckburg.com\"}\n}\n```\n\nTo target TOML specifically you can implement `UnmarshalTOML` TOML interface in\na similar way.\n\n### More complex usage\nSee the [`_example/`](/_example) directory for a more complex example.\n" }, { "path": "vendor/github.com/BurntSushi/toml/decode.go", "content": "package toml\n\nimport (\n\t\"bytes\"\n\t\"encoding\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/ioutil\"\n\t\"math\"\n\t\"os\"\n\t\"reflect\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n)\n\n// Unmarshaler is the interface implemented by objects that can unmarshal a\n// TOML description of themselves.\ntype Unmarshaler interface {\n\tUnmarshalTOML(interface{}) error\n}\n\n// Unmarshal decodes the contents of `data` in TOML format into a pointer `v`.\nfunc Unmarshal(data []byte, v interface{}) error {\n\t_, err := NewDecoder(bytes.NewReader(data)).Decode(v)\n\treturn err\n}\n\n// Decode the TOML data in to the pointer v.\n//\n// See the documentation on Decoder for a description of the decoding process.\nfunc Decode(data string, v interface{}) (MetaData, error) {\n\treturn NewDecoder(strings.NewReader(data)).Decode(v)\n}\n\n// DecodeFile is just like Decode, except it will automatically read the\n// contents of the file at path and decode it for you.\nfunc DecodeFile(path string, v interface{}) (MetaData, error) {\n\tfp, err := os.Open(path)\n\tif err != nil {\n\t\treturn MetaData{}, err\n\t}\n\tdefer fp.Close()\n\treturn NewDecoder(fp).Decode(v)\n}\n\n// Primitive is a TOML value that hasn't been decoded into a Go value.\n//\n// This type can be used for any value, which will cause decoding to be delayed.\n// You can use the PrimitiveDecode() function to \"manually\" decode these values.\n//\n// NOTE: The underlying representation of a `Primitive` value is subject to\n// change. Do not rely on it.\n//\n// NOTE: Primitive values are still parsed, so using them will only avoid the\n// overhead of reflection. They can be useful when you don't know the exact type\n// of TOML data until runtime.\ntype Primitive struct {\n\tundecoded interface{}\n\tcontext Key\n}\n\n// The significand precision for float32 and float64 is 24 and 53 bits; this is\n// the range a natural number can be stored in a float without loss of data.\nconst (\n\tmaxSafeFloat32Int = 16777215 // 2^24-1\n\tmaxSafeFloat64Int = int64(9007199254740991) // 2^53-1\n)\n\n// Decoder decodes TOML data.\n//\n// TOML tables correspond to Go structs or maps (dealer's choice – they can be\n// used interchangeably).\n//\n// TOML table arrays correspond to either a slice of structs or a slice of maps.\n//\n// TOML datetimes correspond to Go time.Time values. Local datetimes are parsed\n// in the local timezone.\n//\n// time.Duration types are treated as nanoseconds if the TOML value is an\n// integer, or they're parsed with time.ParseDuration() if they're strings.\n//\n// All other TOML types (float, string, int, bool and array) correspond to the\n// obvious Go types.\n//\n// An exception to the above rules is if a type implements the TextUnmarshaler\n// interface, in which case any primitive TOML value (floats, strings, integers,\n// booleans, datetimes) will be converted to a []byte and given to the value's\n// UnmarshalText method. See the Unmarshaler example for a demonstration with\n// email addresses.\n//\n// Key mapping\n//\n// TOML keys can map to either keys in a Go map or field names in a Go struct.\n// The special `toml` struct tag can be used to map TOML keys to struct fields\n// that don't match the key name exactly (see the example). A case insensitive\n// match to struct names will be tried if an exact match can't be found.\n//\n// The mapping between TOML values and Go values is loose. That is, there may\n// exist TOML values that cannot be placed into your representation, and there\n// may be parts of your representation that do not correspond to TOML values.\n// This loose mapping can be made stricter by using the IsDefined and/or\n// Undecoded methods on the MetaData returned.\n//\n// This decoder does not handle cyclic types. Decode will not terminate if a\n// cyclic type is passed.\ntype Decoder struct {\n\tr io.Reader\n}\n\n// NewDecoder creates a new Decoder.\nfunc NewDecoder(r io.Reader) *Decoder {\n\treturn &Decoder{r: r}\n}\n\nvar (\n\tunmarshalToml = reflect.TypeOf((*Unmarshaler)(nil)).Elem()\n\tunmarshalText = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem()\n\tprimitiveType = reflect.TypeOf((*Primitive)(nil)).Elem()\n)\n\n// Decode TOML data in to the pointer `v`.\nfunc (dec *Decoder) Decode(v interface{}) (MetaData, error) {\n\trv := reflect.ValueOf(v)\n\tif rv.Kind() != reflect.Ptr {\n\t\ts := \"%q\"\n\t\tif reflect.TypeOf(v) == nil {\n\t\t\ts = \"%v\"\n\t\t}\n\n\t\treturn MetaData{}, fmt.Errorf(\"toml: cannot decode to non-pointer \"+s, reflect.TypeOf(v))\n\t}\n\tif rv.IsNil() {\n\t\treturn MetaData{}, fmt.Errorf(\"toml: cannot decode to nil value of %q\", reflect.TypeOf(v))\n\t}\n\n\t// Check if this is a supported type: struct, map, interface{}, or something\n\t// that implements UnmarshalTOML or UnmarshalText.\n\trv = indirect(rv)\n\trt := rv.Type()\n\tif rv.Kind() != reflect.Struct && rv.Kind() != reflect.Map &&\n\t\t!(rv.Kind() == reflect.Interface && rv.NumMethod() == 0) &&\n\t\t!rt.Implements(unmarshalToml) && !rt.Implements(unmarshalText) {\n\t\treturn MetaData{}, fmt.Errorf(\"toml: cannot decode to type %s\", rt)\n\t}\n\n\t// TODO: parser should read from io.Reader? Or at the very least, make it\n\t// read from []byte rather than string\n\tdata, err := ioutil.ReadAll(dec.r)\n\tif err != nil {\n\t\treturn MetaData{}, err\n\t}\n\n\tp, err := parse(string(data))\n\tif err != nil {\n\t\treturn MetaData{}, err\n\t}\n\n\tmd := MetaData{\n\t\tmapping: p.mapping,\n\t\tkeyInfo: p.keyInfo,\n\t\tkeys: p.ordered,\n\t\tdecoded: make(map[string]struct{}, len(p.ordered)),\n\t\tcontext: nil,\n\t\tdata: data,\n\t}\n\treturn md, md.unify(p.mapping, rv)\n}\n\n// PrimitiveDecode is just like the other `Decode*` functions, except it\n// decodes a TOML value that has already been parsed. Valid primitive values\n// can *only* be obtained from values filled by the decoder functions,\n// including this method. (i.e., `v` may contain more `Primitive`\n// values.)\n//\n// Meta data for primitive values is included in the meta data returned by\n// the `Decode*` functions with one exception: keys returned by the Undecoded\n// method will only reflect keys that were decoded. Namely, any keys hidden\n// behind a Primitive will be considered undecoded. Executing this method will\n// update the undecoded keys in the meta data. (See the example.)\nfunc (md *MetaData) PrimitiveDecode(primValue Primitive, v interface{}) error {\n\tmd.context = primValue.context\n\tdefer func() { md.context = nil }()\n\treturn md.unify(primValue.undecoded, rvalue(v))\n}\n\n// unify performs a sort of type unification based on the structure of `rv`,\n// which is the client representation.\n//\n// Any type mismatch produces an error. Finding a type that we don't know\n// how to handle produces an unsupported type error.\nfunc (md *MetaData) unify(data interface{}, rv reflect.Value) error {\n\t// Special case. Look for a `Primitive` value.\n\t// TODO: #76 would make this superfluous after implemented.\n\tif rv.Type() == primitiveType {\n\t\t// Save the undecoded data and the key context into the primitive\n\t\t// value.\n\t\tcontext := make(Key, len(md.context))\n\t\tcopy(context, md.context)\n\t\trv.Set(reflect.ValueOf(Primitive{\n\t\t\tundecoded: data,\n\t\t\tcontext: context,\n\t\t}))\n\t\treturn nil\n\t}\n\n\trvi := rv.Interface()\n\tif v, ok := rvi.(Unmarshaler); ok {\n\t\treturn v.UnmarshalTOML(data)\n\t}\n\tif v, ok := rvi.(encoding.TextUnmarshaler); ok {\n\t\treturn md.unifyText(data, v)\n\t}\n\n\t// TODO:\n\t// The behavior here is incorrect whenever a Go type satisfies the\n\t// encoding.TextUnmarshaler interface but also corresponds to a TOML hash or\n\t// array. In particular, the unmarshaler should only be applied to primitive\n\t// TOML values. But at this point, it will be applied to all kinds of values\n\t// and produce an incorrect error whenever those values are hashes or arrays\n\t// (including arrays of tables).\n\n\tk := rv.Kind()\n\n\tif k >= reflect.Int && k <= reflect.Uint64 {\n\t\treturn md.unifyInt(data, rv)\n\t}\n\tswitch k {\n\tcase reflect.Ptr:\n\t\telem := reflect.New(rv.Type().Elem())\n\t\terr := md.unify(data, reflect.Indirect(elem))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trv.Set(elem)\n\t\treturn nil\n\tcase reflect.Struct:\n\t\treturn md.unifyStruct(data, rv)\n\tcase reflect.Map:\n\t\treturn md.unifyMap(data, rv)\n\tcase reflect.Array:\n\t\treturn md.unifyArray(data, rv)\n\tcase reflect.Slice:\n\t\treturn md.unifySlice(data, rv)\n\tcase reflect.String:\n\t\treturn md.unifyString(data, rv)\n\tcase reflect.Bool:\n\t\treturn md.unifyBool(data, rv)\n\tcase reflect.Interface:\n\t\tif rv.NumMethod() > 0 { // Only support empty interfaces are supported.\n\t\t\treturn md.e(\"unsupported type %s\", rv.Type())\n\t\t}\n\t\treturn md.unifyAnything(data, rv)\n\tcase reflect.Float32, reflect.Float64:\n\t\treturn md.unifyFloat64(data, rv)\n\t}\n\treturn md.e(\"unsupported type %s\", rv.Kind())\n}\n\nfunc (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error {\n\ttmap, ok := mapping.(map[string]interface{})\n\tif !ok {\n\t\tif mapping == nil {\n\t\t\treturn nil\n\t\t}\n\t\treturn md.e(\"type mismatch for %s: expected table but found %T\",\n\t\t\trv.Type().String(), mapping)\n\t}\n\n\tfor key, datum := range tmap {\n\t\tvar f *field\n\t\tfields := cachedTypeFields(rv.Type())\n\t\tfor i := range fields {\n\t\t\tff := &fields[i]\n\t\t\tif ff.name == key {\n\t\t\t\tf = ff\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tif f == nil && strings.EqualFold(ff.name, key) {\n\t\t\t\tf = ff\n\t\t\t}\n\t\t}\n\t\tif f != nil {\n\t\t\tsubv := rv\n\t\t\tfor _, i := range f.index {\n\t\t\t\tsubv = indirect(subv.Field(i))\n\t\t\t}\n\n\t\t\tif isUnifiable(subv) {\n\t\t\t\tmd.decoded[md.context.add(key).String()] = struct{}{}\n\t\t\t\tmd.context = append(md.context, key)\n\n\t\t\t\terr := md.unify(datum, subv)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tmd.context = md.context[0 : len(md.context)-1]\n\t\t\t} else if f.name != \"\" {\n\t\t\t\treturn md.e(\"cannot write unexported field %s.%s\", rv.Type().String(), f.name)\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (md *MetaData) unifyMap(mapping interface{}, rv reflect.Value) error {\n\tkeyType := rv.Type().Key().Kind()\n\tif keyType != reflect.String && keyType != reflect.Interface {\n\t\treturn fmt.Errorf(\"toml: cannot decode to a map with non-string key type (%s in %q)\",\n\t\t\tkeyType, rv.Type())\n\t}\n\n\ttmap, ok := mapping.(map[string]interface{})\n\tif !ok {\n\t\tif tmap == nil {\n\t\t\treturn nil\n\t\t}\n\t\treturn md.badtype(\"map\", mapping)\n\t}\n\tif rv.IsNil() {\n\t\trv.Set(reflect.MakeMap(rv.Type()))\n\t}\n\tfor k, v := range tmap {\n\t\tmd.decoded[md.context.add(k).String()] = struct{}{}\n\t\tmd.context = append(md.context, k)\n\n\t\trvval := reflect.Indirect(reflect.New(rv.Type().Elem()))\n\n\t\terr := md.unify(v, indirect(rvval))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tmd.context = md.context[0 : len(md.context)-1]\n\n\t\trvkey := indirect(reflect.New(rv.Type().Key()))\n\n\t\tswitch keyType {\n\t\tcase reflect.Interface:\n\t\t\trvkey.Set(reflect.ValueOf(k))\n\t\tcase reflect.String:\n\t\t\trvkey.SetString(k)\n\t\t}\n\n\t\trv.SetMapIndex(rvkey, rvval)\n\t}\n\treturn nil\n}\n\nfunc (md *MetaData) unifyArray(data interface{}, rv reflect.Value) error {\n\tdatav := reflect.ValueOf(data)\n\tif datav.Kind() != reflect.Slice {\n\t\tif !datav.IsValid() {\n\t\t\treturn nil\n\t\t}\n\t\treturn md.badtype(\"slice\", data)\n\t}\n\tif l := datav.Len(); l != rv.Len() {\n\t\treturn md.e(\"expected array length %d; got TOML array of length %d\", rv.Len(), l)\n\t}\n\treturn md.unifySliceArray(datav, rv)\n}\n\nfunc (md *MetaData) unifySlice(data interface{}, rv reflect.Value) error {\n\tdatav := reflect.ValueOf(data)\n\tif datav.Kind() != reflect.Slice {\n\t\tif !datav.IsValid() {\n\t\t\treturn nil\n\t\t}\n\t\treturn md.badtype(\"slice\", data)\n\t}\n\tn := datav.Len()\n\tif rv.IsNil() || rv.Cap() < n {\n\t\trv.Set(reflect.MakeSlice(rv.Type(), n, n))\n\t}\n\trv.SetLen(n)\n\treturn md.unifySliceArray(datav, rv)\n}\n\nfunc (md *MetaData) unifySliceArray(data, rv reflect.Value) error {\n\tl := data.Len()\n\tfor i := 0; i < l; i++ {\n\t\terr := md.unify(data.Index(i).Interface(), indirect(rv.Index(i)))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (md *MetaData) unifyString(data interface{}, rv reflect.Value) error {\n\t_, ok := rv.Interface().(json.Number)\n\tif ok {\n\t\tif i, ok := data.(int64); ok {\n\t\t\trv.SetString(strconv.FormatInt(i, 10))\n\t\t} else if f, ok := data.(float64); ok {\n\t\t\trv.SetString(strconv.FormatFloat(f, 'f', -1, 64))\n\t\t} else {\n\t\t\treturn md.badtype(\"string\", data)\n\t\t}\n\t\treturn nil\n\t}\n\n\tif s, ok := data.(string); ok {\n\t\trv.SetString(s)\n\t\treturn nil\n\t}\n\treturn md.badtype(\"string\", data)\n}\n\nfunc (md *MetaData) unifyFloat64(data interface{}, rv reflect.Value) error {\n\trvk := rv.Kind()\n\n\tif num, ok := data.(float64); ok {\n\t\tswitch rvk {\n\t\tcase reflect.Float32:\n\t\t\tif num < -math.MaxFloat32 || num > math.MaxFloat32 {\n\t\t\t\treturn md.parseErr(errParseRange{i: num, size: rvk.String()})\n\t\t\t}\n\t\t\tfallthrough\n\t\tcase reflect.Float64:\n\t\t\trv.SetFloat(num)\n\t\tdefault:\n\t\t\tpanic(\"bug\")\n\t\t}\n\t\treturn nil\n\t}\n\n\tif num, ok := data.(int64); ok {\n\t\tif (rvk == reflect.Float32 && (num < -maxSafeFloat32Int || num > maxSafeFloat32Int)) ||\n\t\t\t(rvk == reflect.Float64 && (num < -maxSafeFloat64Int || num > maxSafeFloat64Int)) {\n\t\t\treturn md.parseErr(errParseRange{i: num, size: rvk.String()})\n\t\t}\n\t\trv.SetFloat(float64(num))\n\t\treturn nil\n\t}\n\n\treturn md.badtype(\"float\", data)\n}\n\nfunc (md *MetaData) unifyInt(data interface{}, rv reflect.Value) error {\n\t_, ok := rv.Interface().(time.Duration)\n\tif ok {\n\t\t// Parse as string duration, and fall back to regular integer parsing\n\t\t// (as nanosecond) if this is not a string.\n\t\tif s, ok := data.(string); ok {\n\t\t\tdur, err := time.ParseDuration(s)\n\t\t\tif err != nil {\n\t\t\t\treturn md.parseErr(errParseDuration{s})\n\t\t\t}\n\t\t\trv.SetInt(int64(dur))\n\t\t\treturn nil\n\t\t}\n\t}\n\n\tnum, ok := data.(int64)\n\tif !ok {\n\t\treturn md.badtype(\"integer\", data)\n\t}\n\n\trvk := rv.Kind()\n\tswitch {\n\tcase rvk >= reflect.Int && rvk <= reflect.Int64:\n\t\tif (rvk == reflect.Int8 && (num < math.MinInt8 || num > math.MaxInt8)) ||\n\t\t\t(rvk == reflect.Int16 && (num < math.MinInt16 || num > math.MaxInt16)) ||\n\t\t\t(rvk == reflect.Int32 && (num < math.MinInt32 || num > math.MaxInt32)) {\n\t\t\treturn md.parseErr(errParseRange{i: num, size: rvk.String()})\n\t\t}\n\t\trv.SetInt(num)\n\tcase rvk >= reflect.Uint && rvk <= reflect.Uint64:\n\t\tunum := uint64(num)\n\t\tif rvk == reflect.Uint8 && (num < 0 || unum > math.MaxUint8) ||\n\t\t\trvk == reflect.Uint16 && (num < 0 || unum > math.MaxUint16) ||\n\t\t\trvk == reflect.Uint32 && (num < 0 || unum > math.MaxUint32) {\n\t\t\treturn md.parseErr(errParseRange{i: num, size: rvk.String()})\n\t\t}\n\t\trv.SetUint(unum)\n\tdefault:\n\t\tpanic(\"unreachable\")\n\t}\n\treturn nil\n}\n\nfunc (md *MetaData) unifyBool(data interface{}, rv reflect.Value) error {\n\tif b, ok := data.(bool); ok {\n\t\trv.SetBool(b)\n\t\treturn nil\n\t}\n\treturn md.badtype(\"boolean\", data)\n}\n\nfunc (md *MetaData) unifyAnything(data interface{}, rv reflect.Value) error {\n\trv.Set(reflect.ValueOf(data))\n\treturn nil\n}\n\nfunc (md *MetaData) unifyText(data interface{}, v encoding.TextUnmarshaler) error {\n\tvar s string\n\tswitch sdata := data.(type) {\n\tcase Marshaler:\n\t\ttext, err := sdata.MarshalTOML()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ts = string(text)\n\tcase encoding.TextMarshaler:\n\t\ttext, err := sdata.MarshalText()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ts = string(text)\n\tcase fmt.Stringer:\n\t\ts = sdata.String()\n\tcase string:\n\t\ts = sdata\n\tcase bool:\n\t\ts = fmt.Sprintf(\"%v\", sdata)\n\tcase int64:\n\t\ts = fmt.Sprintf(\"%d\", sdata)\n\tcase float64:\n\t\ts = fmt.Sprintf(\"%f\", sdata)\n\tdefault:\n\t\treturn md.badtype(\"primitive (string-like)\", data)\n\t}\n\tif err := v.UnmarshalText([]byte(s)); err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc (md *MetaData) badtype(dst string, data interface{}) error {\n\treturn md.e(\"incompatible types: TOML value has type %T; destination has type %s\", data, dst)\n}\n\nfunc (md *MetaData) parseErr(err error) error {\n\tk := md.context.String()\n\treturn ParseError{\n\t\tLastKey: k,\n\t\tPosition: md.keyInfo[k].pos,\n\t\tLine: md.keyInfo[k].pos.Line,\n\t\terr: err,\n\t\tinput: string(md.data),\n\t}\n}\n\nfunc (md *MetaData) e(format string, args ...interface{}) error {\n\tf := \"toml: \"\n\tif len(md.context) > 0 {\n\t\tf = fmt.Sprintf(\"toml: (last key %q): \", md.context)\n\t\tp := md.keyInfo[md.context.String()].pos\n\t\tif p.Line > 0 {\n\t\t\tf = fmt.Sprintf(\"toml: line %d (last key %q): \", p.Line, md.context)\n\t\t}\n\t}\n\treturn fmt.Errorf(f+format, args...)\n}\n\n// rvalue returns a reflect.Value of `v`. All pointers are resolved.\nfunc rvalue(v interface{}) reflect.Value {\n\treturn indirect(reflect.ValueOf(v))\n}\n\n// indirect returns the value pointed to by a pointer.\n//\n// Pointers are followed until the value is not a pointer. New values are\n// allocated for each nil pointer.\n//\n// An exception to this rule is if the value satisfies an interface of interest\n// to us (like encoding.TextUnmarshaler).\nfunc indirect(v reflect.Value) reflect.Value {\n\tif v.Kind() != reflect.Ptr {\n\t\tif v.CanSet() {\n\t\t\tpv := v.Addr()\n\t\t\tpvi := pv.Interface()\n\t\t\tif _, ok := pvi.(encoding.TextUnmarshaler); ok {\n\t\t\t\treturn pv\n\t\t\t}\n\t\t\tif _, ok := pvi.(Unmarshaler); ok {\n\t\t\t\treturn pv\n\t\t\t}\n\t\t}\n\t\treturn v\n\t}\n\tif v.IsNil() {\n\t\tv.Set(reflect.New(v.Type().Elem()))\n\t}\n\treturn indirect(reflect.Indirect(v))\n}\n\nfunc isUnifiable(rv reflect.Value) bool {\n\tif rv.CanSet() {\n\t\treturn true\n\t}\n\trvi := rv.Interface()\n\tif _, ok := rvi.(encoding.TextUnmarshaler); ok {\n\t\treturn true\n\t}\n\tif _, ok := rvi.(Unmarshaler); ok {\n\t\treturn true\n\t}\n\treturn false\n}\n" }, { "path": "vendor/github.com/BurntSushi/toml/decode_go116.go", "content": "//go:build go1.16\n// +build go1.16\n\npackage toml\n\nimport (\n\t\"io/fs\"\n)\n\n// DecodeFS is just like Decode, except it will automatically read the contents\n// of the file at `path` from a fs.FS instance.\nfunc DecodeFS(fsys fs.FS, path string, v interface{}) (MetaData, error) {\n\tfp, err := fsys.Open(path)\n\tif err != nil {\n\t\treturn MetaData{}, err\n\t}\n\tdefer fp.Close()\n\treturn NewDecoder(fp).Decode(v)\n}\n" }, { "path": "vendor/github.com/BurntSushi/toml/deprecated.go", "content": "package toml\n\nimport (\n\t\"encoding\"\n\t\"io\"\n)\n\n// Deprecated: use encoding.TextMarshaler\ntype TextMarshaler encoding.TextMarshaler\n\n// Deprecated: use encoding.TextUnmarshaler\ntype TextUnmarshaler encoding.TextUnmarshaler\n\n// Deprecated: use MetaData.PrimitiveDecode.\nfunc PrimitiveDecode(primValue Primitive, v interface{}) error {\n\tmd := MetaData{decoded: make(map[string]struct{})}\n\treturn md.unify(primValue.undecoded, rvalue(v))\n}\n\n// Deprecated: use NewDecoder(reader).Decode(&value).\nfunc DecodeReader(r io.Reader, v interface{}) (MetaData, error) { return NewDecoder(r).Decode(v) }\n" }, { "path": "vendor/github.com/BurntSushi/toml/doc.go", "content": "/*\nPackage toml implements decoding and encoding of TOML files.\n\nThis package supports TOML v1.0.0, as listed on https://toml.io\n\nThere is also support for delaying decoding with the Primitive type, and\nquerying the set of keys in a TOML document with the MetaData type.\n\nThe github.com/BurntSushi/toml/cmd/tomlv package implements a TOML validator,\nand can be used to verify if TOML document is valid. It can also be used to\nprint the type of each key.\n*/\npackage toml\n" }, { "path": "vendor/github.com/BurntSushi/toml/encode.go", "content": "package toml\n\nimport (\n\t\"bufio\"\n\t\"encoding\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"math\"\n\t\"reflect\"\n\t\"sort\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/BurntSushi/toml/internal\"\n)\n\ntype tomlEncodeError struct{ error }\n\nvar (\n\terrArrayNilElement = errors.New(\"toml: cannot encode array with nil element\")\n\terrNonString = errors.New(\"toml: cannot encode a map with non-string key type\")\n\terrNoKey = errors.New(\"toml: top-level values must be Go maps or structs\")\n\terrAnything = errors.New(\"\") // used in testing\n)\n\nvar dblQuotedReplacer = strings.NewReplacer(\n\t\"\\\"\", \"\\\\\\\"\",\n\t\"\\\\\", \"\\\\\\\\\",\n\t\"\\x00\", `\\u0000`,\n\t\"\\x01\", `\\u0001`,\n\t\"\\x02\", `\\u0002`,\n\t\"\\x03\", `\\u0003`,\n\t\"\\x04\", `\\u0004`,\n\t\"\\x05\", `\\u0005`,\n\t\"\\x06\", `\\u0006`,\n\t\"\\x07\", `\\u0007`,\n\t\"\\b\", `\\b`,\n\t\"\\t\", `\\t`,\n\t\"\\n\", `\\n`,\n\t\"\\x0b\", `\\u000b`,\n\t\"\\f\", `\\f`,\n\t\"\\r\", `\\r`,\n\t\"\\x0e\", `\\u000e`,\n\t\"\\x0f\", `\\u000f`,\n\t\"\\x10\", `\\u0010`,\n\t\"\\x11\", `\\u0011`,\n\t\"\\x12\", `\\u0012`,\n\t\"\\x13\", `\\u0013`,\n\t\"\\x14\", `\\u0014`,\n\t\"\\x15\", `\\u0015`,\n\t\"\\x16\", `\\u0016`,\n\t\"\\x17\", `\\u0017`,\n\t\"\\x18\", `\\u0018`,\n\t\"\\x19\", `\\u0019`,\n\t\"\\x1a\", `\\u001a`,\n\t\"\\x1b\", `\\u001b`,\n\t\"\\x1c\", `\\u001c`,\n\t\"\\x1d\", `\\u001d`,\n\t\"\\x1e\", `\\u001e`,\n\t\"\\x1f\", `\\u001f`,\n\t\"\\x7f\", `\\u007f`,\n)\n\nvar (\n\tmarshalToml = reflect.TypeOf((*Marshaler)(nil)).Elem()\n\tmarshalText = reflect.TypeOf((*encoding.TextMarshaler)(nil)).Elem()\n\ttimeType = reflect.TypeOf((*time.Time)(nil)).Elem()\n)\n\n// Marshaler is the interface implemented by types that can marshal themselves\n// into valid TOML.\ntype Marshaler interface {\n\tMarshalTOML() ([]byte, error)\n}\n\n// Encoder encodes a Go to a TOML document.\n//\n// The mapping between Go values and TOML values should be precisely the same as\n// for the Decode* functions.\n//\n// time.Time is encoded as a RFC 3339 string, and time.Duration as its string\n// representation.\n//\n// The toml.Marshaler and encoder.TextMarshaler interfaces are supported to\n// encoding the value as custom TOML.\n//\n// If you want to write arbitrary binary data then you will need to use\n// something like base64 since TOML does not have any binary types.\n//\n// When encoding TOML hashes (Go maps or structs), keys without any sub-hashes\n// are encoded first.\n//\n// Go maps will be sorted alphabetically by key for deterministic output.\n//\n// The toml struct tag can be used to provide the key name; if omitted the\n// struct field name will be used. If the \"omitempty\" option is present the\n// following value will be skipped:\n//\n// - arrays, slices, maps, and string with len of 0\n// - struct with all zero values\n// - bool false\n//\n// If omitzero is given all int and float types with a value of 0 will be\n// skipped.\n//\n// Encoding Go values without a corresponding TOML representation will return an\n// error. Examples of this includes maps with non-string keys, slices with nil\n// elements, embedded non-struct types, and nested slices containing maps or\n// structs. (e.g. [][]map[string]string is not allowed but []map[string]string\n// is okay, as is []map[string][]string).\n//\n// NOTE: only exported keys are encoded due to the use of reflection. Unexported\n// keys are silently discarded.\ntype Encoder struct {\n\t// String to use for a single indentation level; default is two spaces.\n\tIndent string\n\n\tw *bufio.Writer\n\thasWritten bool // written any output to w yet?\n}\n\n// NewEncoder create a new Encoder.\nfunc NewEncoder(w io.Writer) *Encoder {\n\treturn &Encoder{\n\t\tw: bufio.NewWriter(w),\n\t\tIndent: \" \",\n\t}\n}\n\n// Encode writes a TOML representation of the Go value to the Encoder's writer.\n//\n// An error is returned if the value given cannot be encoded to a valid TOML\n// document.\nfunc (enc *Encoder) Encode(v interface{}) error {\n\trv := eindirect(reflect.ValueOf(v))\n\tif err := enc.safeEncode(Key([]string{}), rv); err != nil {\n\t\treturn err\n\t}\n\treturn enc.w.Flush()\n}\n\nfunc (enc *Encoder) safeEncode(key Key, rv reflect.Value) (err error) {\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tif terr, ok := r.(tomlEncodeError); ok {\n\t\t\t\terr = terr.error\n\t\t\t\treturn\n\t\t\t}\n\t\t\tpanic(r)\n\t\t}\n\t}()\n\tenc.encode(key, rv)\n\treturn nil\n}\n\nfunc (enc *Encoder) encode(key Key, rv reflect.Value) {\n\t// If we can marshal the type to text, then we use that. This prevents the\n\t// encoder for handling these types as generic structs (or whatever the\n\t// underlying type of a TextMarshaler is).\n\tswitch {\n\tcase isMarshaler(rv):\n\t\tenc.writeKeyValue(key, rv, false)\n\t\treturn\n\tcase rv.Type() == primitiveType: // TODO: #76 would make this superfluous after implemented.\n\t\tenc.encode(key, reflect.ValueOf(rv.Interface().(Primitive).undecoded))\n\t\treturn\n\t}\n\n\tk := rv.Kind()\n\tswitch k {\n\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32,\n\t\treflect.Int64,\n\t\treflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32,\n\t\treflect.Uint64,\n\t\treflect.Float32, reflect.Float64, reflect.String, reflect.Bool:\n\t\tenc.writeKeyValue(key, rv, false)\n\tcase reflect.Array, reflect.Slice:\n\t\tif typeEqual(tomlArrayHash, tomlTypeOfGo(rv)) {\n\t\t\tenc.eArrayOfTables(key, rv)\n\t\t} else {\n\t\t\tenc.writeKeyValue(key, rv, false)\n\t\t}\n\tcase reflect.Interface:\n\t\tif rv.IsNil() {\n\t\t\treturn\n\t\t}\n\t\tenc.encode(key, rv.Elem())\n\tcase reflect.Map:\n\t\tif rv.IsNil() {\n\t\t\treturn\n\t\t}\n\t\tenc.eTable(key, rv)\n\tcase reflect.Ptr:\n\t\tif rv.IsNil() {\n\t\t\treturn\n\t\t}\n\t\tenc.encode(key, rv.Elem())\n\tcase reflect.Struct:\n\t\tenc.eTable(key, rv)\n\tdefault:\n\t\tencPanic(fmt.Errorf(\"unsupported type for key '%s': %s\", key, k))\n\t}\n}\n\n// eElement encodes any value that can be an array element.\nfunc (enc *Encoder) eElement(rv reflect.Value) {\n\tswitch v := rv.Interface().(type) {\n\tcase time.Time: // Using TextMarshaler adds extra quotes, which we don't want.\n\t\tformat := time.RFC3339Nano\n\t\tswitch v.Location() {\n\t\tcase internal.LocalDatetime:\n\t\t\tformat = \"2006-01-02T15:04:05.999999999\"\n\t\tcase internal.LocalDate:\n\t\t\tformat = \"2006-01-02\"\n\t\tcase internal.LocalTime:\n\t\t\tformat = \"15:04:05.999999999\"\n\t\t}\n\t\tswitch v.Location() {\n\t\tdefault:\n\t\t\tenc.wf(v.Format(format))\n\t\tcase internal.LocalDatetime, internal.LocalDate, internal.LocalTime:\n\t\t\tenc.wf(v.In(time.UTC).Format(format))\n\t\t}\n\t\treturn\n\tcase Marshaler:\n\t\ts, err := v.MarshalTOML()\n\t\tif err != nil {\n\t\t\tencPanic(err)\n\t\t}\n\t\tif s == nil {\n\t\t\tencPanic(errors.New(\"MarshalTOML returned nil and no error\"))\n\t\t}\n\t\tenc.w.Write(s)\n\t\treturn\n\tcase encoding.TextMarshaler:\n\t\ts, err := v.MarshalText()\n\t\tif err != nil {\n\t\t\tencPanic(err)\n\t\t}\n\t\tif s == nil {\n\t\t\tencPanic(errors.New(\"MarshalText returned nil and no error\"))\n\t\t}\n\t\tenc.writeQuoted(string(s))\n\t\treturn\n\tcase time.Duration:\n\t\tenc.writeQuoted(v.String())\n\t\treturn\n\tcase json.Number:\n\t\tn, _ := rv.Interface().(json.Number)\n\n\t\tif n == \"\" { /// Useful zero value.\n\t\t\tenc.w.WriteByte('0')\n\t\t\treturn\n\t\t} else if v, err := n.Int64(); err == nil {\n\t\t\tenc.eElement(reflect.ValueOf(v))\n\t\t\treturn\n\t\t} else if v, err := n.Float64(); err == nil {\n\t\t\tenc.eElement(reflect.ValueOf(v))\n\t\t\treturn\n\t\t}\n\t\tencPanic(errors.New(fmt.Sprintf(\"Unable to convert \\\"%s\\\" to neither int64 nor float64\", n)))\n\t}\n\n\tswitch rv.Kind() {\n\tcase reflect.Ptr:\n\t\tenc.eElement(rv.Elem())\n\t\treturn\n\tcase reflect.String:\n\t\tenc.writeQuoted(rv.String())\n\tcase reflect.Bool:\n\t\tenc.wf(strconv.FormatBool(rv.Bool()))\n\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:\n\t\tenc.wf(strconv.FormatInt(rv.Int(), 10))\n\tcase reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:\n\t\tenc.wf(strconv.FormatUint(rv.Uint(), 10))\n\tcase reflect.Float32:\n\t\tf := rv.Float()\n\t\tif math.IsNaN(f) {\n\t\t\tenc.wf(\"nan\")\n\t\t} else if math.IsInf(f, 0) {\n\t\t\tenc.wf(\"%cinf\", map[bool]byte{true: '-', false: '+'}[math.Signbit(f)])\n\t\t} else {\n\t\t\tenc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 32)))\n\t\t}\n\tcase reflect.Float64:\n\t\tf := rv.Float()\n\t\tif math.IsNaN(f) {\n\t\t\tenc.wf(\"nan\")\n\t\t} else if math.IsInf(f, 0) {\n\t\t\tenc.wf(\"%cinf\", map[bool]byte{true: '-', false: '+'}[math.Signbit(f)])\n\t\t} else {\n\t\t\tenc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 64)))\n\t\t}\n\tcase reflect.Array, reflect.Slice:\n\t\tenc.eArrayOrSliceElement(rv)\n\tcase reflect.Struct:\n\t\tenc.eStruct(nil, rv, true)\n\tcase reflect.Map:\n\t\tenc.eMap(nil, rv, true)\n\tcase reflect.Interface:\n\t\tenc.eElement(rv.Elem())\n\tdefault:\n\t\tencPanic(fmt.Errorf(\"unexpected type: %T\", rv.Interface()))\n\t}\n}\n\n// By the TOML spec, all floats must have a decimal with at least one number on\n// either side.\nfunc floatAddDecimal(fstr string) string {\n\tif !strings.Contains(fstr, \".\") {\n\t\treturn fstr + \".0\"\n\t}\n\treturn fstr\n}\n\nfunc (enc *Encoder) writeQuoted(s string) {\n\tenc.wf(\"\\\"%s\\\"\", dblQuotedReplacer.Replace(s))\n}\n\nfunc (enc *Encoder) eArrayOrSliceElement(rv reflect.Value) {\n\tlength := rv.Len()\n\tenc.wf(\"[\")\n\tfor i := 0; i < length; i++ {\n\t\telem := eindirect(rv.Index(i))\n\t\tenc.eElement(elem)\n\t\tif i != length-1 {\n\t\t\tenc.wf(\", \")\n\t\t}\n\t}\n\tenc.wf(\"]\")\n}\n\nfunc (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) {\n\tif len(key) == 0 {\n\t\tencPanic(errNoKey)\n\t}\n\tfor i := 0; i < rv.Len(); i++ {\n\t\ttrv := eindirect(rv.Index(i))\n\t\tif isNil(trv) {\n\t\t\tcontinue\n\t\t}\n\t\tenc.newline()\n\t\tenc.wf(\"%s[[%s]]\", enc.indentStr(key), key)\n\t\tenc.newline()\n\t\tenc.eMapOrStruct(key, trv, false)\n\t}\n}\n\nfunc (enc *Encoder) eTable(key Key, rv reflect.Value) {\n\tif len(key) == 1 {\n\t\t// Output an extra newline between top-level tables.\n\t\t// (The newline isn't written if nothing else has been written though.)\n\t\tenc.newline()\n\t}\n\tif len(key) > 0 {\n\t\tenc.wf(\"%s[%s]\", enc.indentStr(key), key)\n\t\tenc.newline()\n\t}\n\tenc.eMapOrStruct(key, rv, false)\n}\n\nfunc (enc *Encoder) eMapOrStruct(key Key, rv reflect.Value, inline bool) {\n\tswitch rv.Kind() {\n\tcase reflect.Map:\n\t\tenc.eMap(key, rv, inline)\n\tcase reflect.Struct:\n\t\tenc.eStruct(key, rv, inline)\n\tdefault:\n\t\t// Should never happen?\n\t\tpanic(\"eTable: unhandled reflect.Value Kind: \" + rv.Kind().String())\n\t}\n}\n\nfunc (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {\n\trt := rv.Type()\n\tif rt.Key().Kind() != reflect.String {\n\t\tencPanic(errNonString)\n\t}\n\n\t// Sort keys so that we have deterministic output. And write keys directly\n\t// underneath this key first, before writing sub-structs or sub-maps.\n\tvar mapKeysDirect, mapKeysSub []string\n\tfor _, mapKey := range rv.MapKeys() {\n\t\tk := mapKey.String()\n\t\tif typeIsTable(tomlTypeOfGo(eindirect(rv.MapIndex(mapKey)))) {\n\t\t\tmapKeysSub = append(mapKeysSub, k)\n\t\t} else {\n\t\t\tmapKeysDirect = append(mapKeysDirect, k)\n\t\t}\n\t}\n\n\tvar writeMapKeys = func(mapKeys []string, trailC bool) {\n\t\tsort.Strings(mapKeys)\n\t\tfor i, mapKey := range mapKeys {\n\t\t\tval := eindirect(rv.MapIndex(reflect.ValueOf(mapKey)))\n\t\t\tif isNil(val) {\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tif inline {\n\t\t\t\tenc.writeKeyValue(Key{mapKey}, val, true)\n\t\t\t\tif trailC || i != len(mapKeys)-1 {\n\t\t\t\t\tenc.wf(\", \")\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tenc.encode(key.add(mapKey), val)\n\t\t\t}\n\t\t}\n\t}\n\n\tif inline {\n\t\tenc.wf(\"{\")\n\t}\n\twriteMapKeys(mapKeysDirect, len(mapKeysSub) > 0)\n\twriteMapKeys(mapKeysSub, false)\n\tif inline {\n\t\tenc.wf(\"}\")\n\t}\n}\n\nconst is32Bit = (32 << (^uint(0) >> 63)) == 32\n\nfunc pointerTo(t reflect.Type) reflect.Type {\n\tif t.Kind() == reflect.Ptr {\n\t\treturn pointerTo(t.Elem())\n\t}\n\treturn t\n}\n\nfunc (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {\n\t// Write keys for fields directly under this key first, because if we write\n\t// a field that creates a new table then all keys under it will be in that\n\t// table (not the one we're writing here).\n\t//\n\t// Fields is a [][]int: for fieldsDirect this always has one entry (the\n\t// struct index). For fieldsSub it contains two entries: the parent field\n\t// index from tv, and the field indexes for the fields of the sub.\n\tvar (\n\t\trt = rv.Type()\n\t\tfieldsDirect, fieldsSub [][]int\n\t\taddFields func(rt reflect.Type, rv reflect.Value, start []int)\n\t)\n\taddFields = func(rt reflect.Type, rv reflect.Value, start []int) {\n\t\tfor i := 0; i < rt.NumField(); i++ {\n\t\t\tf := rt.Field(i)\n\t\t\tisEmbed := f.Anonymous && pointerTo(f.Type).Kind() == reflect.Struct\n\t\t\tif f.PkgPath != \"\" && !isEmbed { /// Skip unexported fields.\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\topts := getOptions(f.Tag)\n\t\t\tif opts.skip {\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tfrv := eindirect(rv.Field(i))\n\n\t\t\t// Treat anonymous struct fields with tag names as though they are\n\t\t\t// not anonymous, like encoding/json does.\n\t\t\t//\n\t\t\t// Non-struct anonymous fields use the normal encoding logic.\n\t\t\tif isEmbed {\n\t\t\t\tif getOptions(f.Tag).name == \"\" && frv.Kind() == reflect.Struct {\n\t\t\t\t\taddFields(frv.Type(), frv, append(start, f.Index...))\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif typeIsTable(tomlTypeOfGo(frv)) {\n\t\t\t\tfieldsSub = append(fieldsSub, append(start, f.Index...))\n\t\t\t} else {\n\t\t\t\t// Copy so it works correct on 32bit archs; not clear why this\n\t\t\t\t// is needed. See #314, and https://www.reddit.com/r/golang/comments/pnx8v4\n\t\t\t\t// This also works fine on 64bit, but 32bit archs are somewhat\n\t\t\t\t// rare and this is a wee bit faster.\n\t\t\t\tif is32Bit {\n\t\t\t\t\tcopyStart := make([]int, len(start))\n\t\t\t\t\tcopy(copyStart, start)\n\t\t\t\t\tfieldsDirect = append(fieldsDirect, append(copyStart, f.Index...))\n\t\t\t\t} else {\n\t\t\t\t\tfieldsDirect = append(fieldsDirect, append(start, f.Index...))\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\taddFields(rt, rv, nil)\n\n\twriteFields := func(fields [][]int) {\n\t\tfor _, fieldIndex := range fields {\n\t\t\tfieldType := rt.FieldByIndex(fieldIndex)\n\t\t\tfieldVal := eindirect(rv.FieldByIndex(fieldIndex))\n\n\t\t\tif isNil(fieldVal) { /// Don't write anything for nil fields.\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\topts := getOptions(fieldType.Tag)\n\t\t\tif opts.skip {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tkeyName := fieldType.Name\n\t\t\tif opts.name != \"\" {\n\t\t\t\tkeyName = opts.name\n\t\t\t}\n\t\t\tif opts.omitempty && isEmpty(fieldVal) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif opts.omitzero && isZero(fieldVal) {\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tif inline {\n\t\t\t\tenc.writeKeyValue(Key{keyName}, fieldVal, true)\n\t\t\t\tif fieldIndex[0] != len(fields)-1 {\n\t\t\t\t\tenc.wf(\", \")\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tenc.encode(key.add(keyName), fieldVal)\n\t\t\t}\n\t\t}\n\t}\n\n\tif inline {\n\t\tenc.wf(\"{\")\n\t}\n\twriteFields(fieldsDirect)\n\twriteFields(fieldsSub)\n\tif inline {\n\t\tenc.wf(\"}\")\n\t}\n}\n\n// tomlTypeOfGo returns the TOML type name of the Go value's type.\n//\n// It is used to determine whether the types of array elements are mixed (which\n// is forbidden). If the Go value is nil, then it is illegal for it to be an\n// array element, and valueIsNil is returned as true.\n//\n// The type may be `nil`, which means no concrete TOML type could be found.\nfunc tomlTypeOfGo(rv reflect.Value) tomlType {\n\tif isNil(rv) || !rv.IsValid() {\n\t\treturn nil\n\t}\n\n\tif rv.Kind() == reflect.Struct {\n\t\tif rv.Type() == timeType {\n\t\t\treturn tomlDatetime\n\t\t}\n\t\tif isMarshaler(rv) {\n\t\t\treturn tomlString\n\t\t}\n\t\treturn tomlHash\n\t}\n\n\tif isMarshaler(rv) {\n\t\treturn tomlString\n\t}\n\n\tswitch rv.Kind() {\n\tcase reflect.Bool:\n\t\treturn tomlBool\n\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32,\n\t\treflect.Int64,\n\t\treflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32,\n\t\treflect.Uint64:\n\t\treturn tomlInteger\n\tcase reflect.Float32, reflect.Float64:\n\t\treturn tomlFloat\n\tcase reflect.Array, reflect.Slice:\n\t\tif isTableArray(rv) {\n\t\t\treturn tomlArrayHash\n\t\t}\n\t\treturn tomlArray\n\tcase reflect.Ptr, reflect.Interface:\n\t\treturn tomlTypeOfGo(rv.Elem())\n\tcase reflect.String:\n\t\treturn tomlString\n\tcase reflect.Map:\n\t\treturn tomlHash\n\tdefault:\n\t\tencPanic(errors.New(\"unsupported type: \" + rv.Kind().String()))\n\t\tpanic(\"unreachable\")\n\t}\n}\n\nfunc isMarshaler(rv reflect.Value) bool {\n\treturn rv.Type().Implements(marshalText) || rv.Type().Implements(marshalToml)\n}\n\n// isTableArray reports if all entries in the array or slice are a table.\nfunc isTableArray(arr reflect.Value) bool {\n\tif isNil(arr) || !arr.IsValid() || arr.Len() == 0 {\n\t\treturn false\n\t}\n\n\tret := true\n\tfor i := 0; i < arr.Len(); i++ {\n\t\ttt := tomlTypeOfGo(eindirect(arr.Index(i)))\n\t\t// Don't allow nil.\n\t\tif tt == nil {\n\t\t\tencPanic(errArrayNilElement)\n\t\t}\n\n\t\tif ret && !typeEqual(tomlHash, tt) {\n\t\t\tret = false\n\t\t}\n\t}\n\treturn ret\n}\n\ntype tagOptions struct {\n\tskip bool // \"-\"\n\tname string\n\tomitempty bool\n\tomitzero bool\n}\n\nfunc getOptions(tag reflect.StructTag) tagOptions {\n\tt := tag.Get(\"toml\")\n\tif t == \"-\" {\n\t\treturn tagOptions{skip: true}\n\t}\n\tvar opts tagOptions\n\tparts := strings.Split(t, \",\")\n\topts.name = parts[0]\n\tfor _, s := range parts[1:] {\n\t\tswitch s {\n\t\tcase \"omitempty\":\n\t\t\topts.omitempty = true\n\t\tcase \"omitzero\":\n\t\t\topts.omitzero = true\n\t\t}\n\t}\n\treturn opts\n}\n\nfunc isZero(rv reflect.Value) bool {\n\tswitch rv.Kind() {\n\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:\n\t\treturn rv.Int() == 0\n\tcase reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:\n\t\treturn rv.Uint() == 0\n\tcase reflect.Float32, reflect.Float64:\n\t\treturn rv.Float() == 0.0\n\t}\n\treturn false\n}\n\nfunc isEmpty(rv reflect.Value) bool {\n\tswitch rv.Kind() {\n\tcase reflect.Array, reflect.Slice, reflect.Map, reflect.String:\n\t\treturn rv.Len() == 0\n\tcase reflect.Struct:\n\t\treturn reflect.Zero(rv.Type()).Interface() == rv.Interface()\n\tcase reflect.Bool:\n\t\treturn !rv.Bool()\n\t}\n\treturn false\n}\n\nfunc (enc *Encoder) newline() {\n\tif enc.hasWritten {\n\t\tenc.wf(\"\\n\")\n\t}\n}\n\n// Write a key/value pair:\n//\n// key = \n//\n// This is also used for \"k = v\" in inline tables; so something like this will\n// be written in three calls:\n//\n// ┌────────────────────┐\n// │ ┌───┐ ┌─────┐│\n// v v v v vv\n// key = {k = v, k2 = v2}\n//\nfunc (enc *Encoder) writeKeyValue(key Key, val reflect.Value, inline bool) {\n\tif len(key) == 0 {\n\t\tencPanic(errNoKey)\n\t}\n\tenc.wf(\"%s%s = \", enc.indentStr(key), key.maybeQuoted(len(key)-1))\n\tenc.eElement(val)\n\tif !inline {\n\t\tenc.newline()\n\t}\n}\n\nfunc (enc *Encoder) wf(format string, v ...interface{}) {\n\t_, err := fmt.Fprintf(enc.w, format, v...)\n\tif err != nil {\n\t\tencPanic(err)\n\t}\n\tenc.hasWritten = true\n}\n\nfunc (enc *Encoder) indentStr(key Key) string {\n\treturn strings.Repeat(enc.Indent, len(key)-1)\n}\n\nfunc encPanic(err error) {\n\tpanic(tomlEncodeError{err})\n}\n\n// Resolve any level of pointers to the actual value (e.g. **string → string).\nfunc eindirect(v reflect.Value) reflect.Value {\n\tif v.Kind() != reflect.Ptr && v.Kind() != reflect.Interface {\n\t\tif isMarshaler(v) {\n\t\t\treturn v\n\t\t}\n\t\tif v.CanAddr() { /// Special case for marshalers; see #358.\n\t\t\tif pv := v.Addr(); isMarshaler(pv) {\n\t\t\t\treturn pv\n\t\t\t}\n\t\t}\n\t\treturn v\n\t}\n\n\tif v.IsNil() {\n\t\treturn v\n\t}\n\n\treturn eindirect(v.Elem())\n}\n\nfunc isNil(rv reflect.Value) bool {\n\tswitch rv.Kind() {\n\tcase reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice:\n\t\treturn rv.IsNil()\n\tdefault:\n\t\treturn false\n\t}\n}\n" }, { "path": "vendor/github.com/BurntSushi/toml/error.go", "content": "package toml\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n)\n\n// ParseError is returned when there is an error parsing the TOML syntax.\n//\n// For example invalid syntax, duplicate keys, etc.\n//\n// In addition to the error message itself, you can also print detailed location\n// information with context by using ErrorWithPosition():\n//\n// toml: error: Key 'fruit' was already created and cannot be used as an array.\n//\n// At line 4, column 2-7:\n//\n// 2 | fruit = []\n// 3 |\n// 4 | [[fruit]] # Not allowed\n// ^^^^^\n//\n// Furthermore, the ErrorWithUsage() can be used to print the above with some\n// more detailed usage guidance:\n//\n// toml: error: newlines not allowed within inline tables\n//\n// At line 1, column 18:\n//\n// 1 | x = [{ key = 42 #\n// ^\n//\n// Error help:\n//\n// Inline tables must always be on a single line:\n//\n// table = {key = 42, second = 43}\n//\n// It is invalid to split them over multiple lines like so:\n//\n// # INVALID\n// table = {\n// key = 42,\n// second = 43\n// }\n//\n// Use regular for this:\n//\n// [table]\n// key = 42\n// second = 43\ntype ParseError struct {\n\tMessage string // Short technical message.\n\tUsage string // Longer message with usage guidance; may be blank.\n\tPosition Position // Position of the error\n\tLastKey string // Last parsed key, may be blank.\n\tLine int // Line the error occurred. Deprecated: use Position.\n\n\terr error\n\tinput string\n}\n\n// Position of an error.\ntype Position struct {\n\tLine int // Line number, starting at 1.\n\tStart int // Start of error, as byte offset starting at 0.\n\tLen int // Lenght in bytes.\n}\n\nfunc (pe ParseError) Error() string {\n\tmsg := pe.Message\n\tif msg == \"\" { // Error from errorf()\n\t\tmsg = pe.err.Error()\n\t}\n\n\tif pe.LastKey == \"\" {\n\t\treturn fmt.Sprintf(\"toml: line %d: %s\", pe.Position.Line, msg)\n\t}\n\treturn fmt.Sprintf(\"toml: line %d (last key %q): %s\",\n\t\tpe.Position.Line, pe.LastKey, msg)\n}\n\n// ErrorWithUsage() returns the error with detailed location context.\n//\n// See the documentation on ParseError.\nfunc (pe ParseError) ErrorWithPosition() string {\n\tif pe.input == \"\" { // Should never happen, but just in case.\n\t\treturn pe.Error()\n\t}\n\n\tvar (\n\t\tlines = strings.Split(pe.input, \"\\n\")\n\t\tcol = pe.column(lines)\n\t\tb = new(strings.Builder)\n\t)\n\n\tmsg := pe.Message\n\tif msg == \"\" {\n\t\tmsg = pe.err.Error()\n\t}\n\n\t// TODO: don't show control characters as literals? This may not show up\n\t// well everywhere.\n\n\tif pe.Position.Len == 1 {\n\t\tfmt.Fprintf(b, \"toml: error: %s\\n\\nAt line %d, column %d:\\n\\n\",\n\t\t\tmsg, pe.Position.Line, col+1)\n\t} else {\n\t\tfmt.Fprintf(b, \"toml: error: %s\\n\\nAt line %d, column %d-%d:\\n\\n\",\n\t\t\tmsg, pe.Position.Line, col, col+pe.Position.Len)\n\t}\n\tif pe.Position.Line > 2 {\n\t\tfmt.Fprintf(b, \"% 7d | %s\\n\", pe.Position.Line-2, lines[pe.Position.Line-3])\n\t}\n\tif pe.Position.Line > 1 {\n\t\tfmt.Fprintf(b, \"% 7d | %s\\n\", pe.Position.Line-1, lines[pe.Position.Line-2])\n\t}\n\tfmt.Fprintf(b, \"% 7d | %s\\n\", pe.Position.Line, lines[pe.Position.Line-1])\n\tfmt.Fprintf(b, \"% 10s%s%s\\n\", \"\", strings.Repeat(\" \", col), strings.Repeat(\"^\", pe.Position.Len))\n\treturn b.String()\n}\n\n// ErrorWithUsage() returns the error with detailed location context and usage\n// guidance.\n//\n// See the documentation on ParseError.\nfunc (pe ParseError) ErrorWithUsage() string {\n\tm := pe.ErrorWithPosition()\n\tif u, ok := pe.err.(interface{ Usage() string }); ok && u.Usage() != \"\" {\n\t\tlines := strings.Split(strings.TrimSpace(u.Usage()), \"\\n\")\n\t\tfor i := range lines {\n\t\t\tif lines[i] != \"\" {\n\t\t\t\tlines[i] = \" \" + lines[i]\n\t\t\t}\n\t\t}\n\t\treturn m + \"Error help:\\n\\n\" + strings.Join(lines, \"\\n\") + \"\\n\"\n\t}\n\treturn m\n}\n\nfunc (pe ParseError) column(lines []string) int {\n\tvar pos, col int\n\tfor i := range lines {\n\t\tll := len(lines[i]) + 1 // +1 for the removed newline\n\t\tif pos+ll >= pe.Position.Start {\n\t\t\tcol = pe.Position.Start - pos\n\t\t\tif col < 0 { // Should never happen, but just in case.\n\t\t\t\tcol = 0\n\t\t\t}\n\t\t\tbreak\n\t\t}\n\t\tpos += ll\n\t}\n\n\treturn col\n}\n\ntype (\n\terrLexControl struct{ r rune }\n\terrLexEscape struct{ r rune }\n\terrLexUTF8 struct{ b byte }\n\terrLexInvalidNum struct{ v string }\n\terrLexInvalidDate struct{ v string }\n\terrLexInlineTableNL struct{}\n\terrLexStringNL struct{}\n\terrParseRange struct {\n\t\ti interface{} // int or float\n\t\tsize string // \"int64\", \"uint16\", etc.\n\t}\n\terrParseDuration struct{ d string }\n)\n\nfunc (e errLexControl) Error() string {\n\treturn fmt.Sprintf(\"TOML files cannot contain control characters: '0x%02x'\", e.r)\n}\nfunc (e errLexControl) Usage() string { return \"\" }\n\nfunc (e errLexEscape) Error() string { return fmt.Sprintf(`invalid escape in string '\\%c'`, e.r) }\nfunc (e errLexEscape) Usage() string { return usageEscape }\nfunc (e errLexUTF8) Error() string { return fmt.Sprintf(\"invalid UTF-8 byte: 0x%02x\", e.b) }\nfunc (e errLexUTF8) Usage() string { return \"\" }\nfunc (e errLexInvalidNum) Error() string { return fmt.Sprintf(\"invalid number: %q\", e.v) }\nfunc (e errLexInvalidNum) Usage() string { return \"\" }\nfunc (e errLexInvalidDate) Error() string { return fmt.Sprintf(\"invalid date: %q\", e.v) }\nfunc (e errLexInvalidDate) Usage() string { return \"\" }\nfunc (e errLexInlineTableNL) Error() string { return \"newlines not allowed within inline tables\" }\nfunc (e errLexInlineTableNL) Usage() string { return usageInlineNewline }\nfunc (e errLexStringNL) Error() string { return \"strings cannot contain newlines\" }\nfunc (e errLexStringNL) Usage() string { return usageStringNewline }\nfunc (e errParseRange) Error() string { return fmt.Sprintf(\"%v is out of range for %s\", e.i, e.size) }\nfunc (e errParseRange) Usage() string { return usageIntOverflow }\nfunc (e errParseDuration) Error() string { return fmt.Sprintf(\"invalid duration: %q\", e.d) }\nfunc (e errParseDuration) Usage() string { return usageDuration }\n\nconst usageEscape = `\nA '\\' inside a \"-delimited string is interpreted as an escape character.\n\nThe following escape sequences are supported:\n\\b, \\t, \\n, \\f, \\r, \\\", \\\\, \\uXXXX, and \\UXXXXXXXX\n\nTo prevent a '\\' from being recognized as an escape character, use either:\n\n- a ' or '''-delimited string; escape characters aren't processed in them; or\n- write two backslashes to get a single backslash: '\\\\'.\n\nIf you're trying to add a Windows path (e.g. \"C:\\Users\\martin\") then using '/'\ninstead of '\\' will usually also work: \"C:/Users/martin\".\n`\n\nconst usageInlineNewline = `\nInline tables must always be on a single line:\n\n table = {key = 42, second = 43}\n\nIt is invalid to split them over multiple lines like so:\n\n # INVALID\n table = {\n key = 42,\n second = 43\n }\n\nUse regular for this:\n\n [table]\n key = 42\n second = 43\n`\n\nconst usageStringNewline = `\nStrings must always be on a single line, and cannot span more than one line:\n\n # INVALID\n string = \"Hello,\n world!\"\n\nInstead use \"\"\" or ''' to split strings over multiple lines:\n\n string = \"\"\"Hello,\n world!\"\"\"\n`\n\nconst usageIntOverflow = `\nThis number is too large; this may be an error in the TOML, but it can also be a\nbug in the program that uses too small of an integer.\n\nThe maximum and minimum values are:\n\n size │ lowest │ highest\n ───────┼────────────────┼──────────\n int8 │ -128 │ 127\n int16 │ -32,768 │ 32,767\n int32 │ -2,147,483,648 │ 2,147,483,647\n int64 │ -9.2 × 10¹⁷ │ 9.2 × 10¹⁷\n uint8 │ 0 │ 255\n uint16 │ 0 │ 65535\n uint32 │ 0 │ 4294967295\n uint64 │ 0 │ 1.8 × 10¹⁸\n\nint refers to int32 on 32-bit systems and int64 on 64-bit systems.\n`\n\nconst usageDuration = `\nA duration must be as \"number\", without any spaces. Valid units are:\n\n ns nanoseconds (billionth of a second)\n us, µs microseconds (millionth of a second)\n ms milliseconds (thousands of a second)\n s seconds\n m minutes\n h hours\n\nYou can combine multiple units; for example \"5m10s\" for 5 minutes and 10\nseconds.\n`\n" }, { "path": "vendor/github.com/BurntSushi/toml/internal/tz.go", "content": "package internal\n\nimport \"time\"\n\n// Timezones used for local datetime, date, and time TOML types.\n//\n// The exact way times and dates without a timezone should be interpreted is not\n// well-defined in the TOML specification and left to the implementation. These\n// defaults to current local timezone offset of the computer, but this can be\n// changed by changing these variables before decoding.\n//\n// TODO:\n// Ideally we'd like to offer people the ability to configure the used timezone\n// by setting Decoder.Timezone and Encoder.Timezone; however, this is a bit\n// tricky: the reason we use three different variables for this is to support\n// round-tripping – without these specific TZ names we wouldn't know which\n// format to use.\n//\n// There isn't a good way to encode this right now though, and passing this sort\n// of information also ties in to various related issues such as string format\n// encoding, encoding of comments, etc.\n//\n// So, for the time being, just put this in internal until we can write a good\n// comprehensive API for doing all of this.\n//\n// The reason they're exported is because they're referred from in e.g.\n// internal/tag.\n//\n// Note that this behaviour is valid according to the TOML spec as the exact\n// behaviour is left up to implementations.\nvar (\n\tlocalOffset = func() int { _, o := time.Now().Zone(); return o }()\n\tLocalDatetime = time.FixedZone(\"datetime-local\", localOffset)\n\tLocalDate = time.FixedZone(\"date-local\", localOffset)\n\tLocalTime = time.FixedZone(\"time-local\", localOffset)\n)\n" }, { "path": "vendor/github.com/BurntSushi/toml/lex.go", "content": "package toml\n\nimport (\n\t\"fmt\"\n\t\"reflect\"\n\t\"runtime\"\n\t\"strings\"\n\t\"unicode\"\n\t\"unicode/utf8\"\n)\n\ntype itemType int\n\nconst (\n\titemError itemType = iota\n\titemNIL // used in the parser to indicate no type\n\titemEOF\n\titemText\n\titemString\n\titemRawString\n\titemMultilineString\n\titemRawMultilineString\n\titemBool\n\titemInteger\n\titemFloat\n\titemDatetime\n\titemArray // the start of an array\n\titemArrayEnd\n\titemTableStart\n\titemTableEnd\n\titemArrayTableStart\n\titemArrayTableEnd\n\titemKeyStart\n\titemKeyEnd\n\titemCommentStart\n\titemInlineTableStart\n\titemInlineTableEnd\n)\n\nconst eof = 0\n\ntype stateFn func(lx *lexer) stateFn\n\nfunc (p Position) String() string {\n\treturn fmt.Sprintf(\"at line %d; start %d; length %d\", p.Line, p.Start, p.Len)\n}\n\ntype lexer struct {\n\tinput string\n\tstart int\n\tpos int\n\tline int\n\tstate stateFn\n\titems chan item\n\n\t// Allow for backing up up to 4 runes. This is necessary because TOML\n\t// contains 3-rune tokens (\"\"\" and ''').\n\tprevWidths [4]int\n\tnprev int // how many of prevWidths are in use\n\tatEOF bool // If we emit an eof, we can still back up, but it is not OK to call next again.\n\n\t// A stack of state functions used to maintain context.\n\t//\n\t// The idea is to reuse parts of the state machine in various places. For\n\t// example, values can appear at the top level or within arbitrarily nested\n\t// arrays. The last state on the stack is used after a value has been lexed.\n\t// Similarly for comments.\n\tstack []stateFn\n}\n\ntype item struct {\n\ttyp itemType\n\tval string\n\terr error\n\tpos Position\n}\n\nfunc (lx *lexer) nextItem() item {\n\tfor {\n\t\tselect {\n\t\tcase item := <-lx.items:\n\t\t\treturn item\n\t\tdefault:\n\t\t\tlx.state = lx.state(lx)\n\t\t\t//fmt.Printf(\" STATE %-24s current: %-10s\tstack: %s\\n\", lx.state, lx.current(), lx.stack)\n\t\t}\n\t}\n}\n\nfunc lex(input string) *lexer {\n\tlx := &lexer{\n\t\tinput: input,\n\t\tstate: lexTop,\n\t\titems: make(chan item, 10),\n\t\tstack: make([]stateFn, 0, 10),\n\t\tline: 1,\n\t}\n\treturn lx\n}\n\nfunc (lx *lexer) push(state stateFn) {\n\tlx.stack = append(lx.stack, state)\n}\n\nfunc (lx *lexer) pop() stateFn {\n\tif len(lx.stack) == 0 {\n\t\treturn lx.errorf(\"BUG in lexer: no states to pop\")\n\t}\n\tlast := lx.stack[len(lx.stack)-1]\n\tlx.stack = lx.stack[0 : len(lx.stack)-1]\n\treturn last\n}\n\nfunc (lx *lexer) current() string {\n\treturn lx.input[lx.start:lx.pos]\n}\n\nfunc (lx lexer) getPos() Position {\n\tp := Position{\n\t\tLine: lx.line,\n\t\tStart: lx.start,\n\t\tLen: lx.pos - lx.start,\n\t}\n\tif p.Len <= 0 {\n\t\tp.Len = 1\n\t}\n\treturn p\n}\n\nfunc (lx *lexer) emit(typ itemType) {\n\t// Needed for multiline strings ending with an incomplete UTF-8 sequence.\n\tif lx.start > lx.pos {\n\t\tlx.error(errLexUTF8{lx.input[lx.pos]})\n\t\treturn\n\t}\n\tlx.items <- item{typ: typ, pos: lx.getPos(), val: lx.current()}\n\tlx.start = lx.pos\n}\n\nfunc (lx *lexer) emitTrim(typ itemType) {\n\tlx.items <- item{typ: typ, pos: lx.getPos(), val: strings.TrimSpace(lx.current())}\n\tlx.start = lx.pos\n}\n\nfunc (lx *lexer) next() (r rune) {\n\tif lx.atEOF {\n\t\tpanic(\"BUG in lexer: next called after EOF\")\n\t}\n\tif lx.pos >= len(lx.input) {\n\t\tlx.atEOF = true\n\t\treturn eof\n\t}\n\n\tif lx.input[lx.pos] == '\\n' {\n\t\tlx.line++\n\t}\n\tlx.prevWidths[3] = lx.prevWidths[2]\n\tlx.prevWidths[2] = lx.prevWidths[1]\n\tlx.prevWidths[1] = lx.prevWidths[0]\n\tif lx.nprev < 4 {\n\t\tlx.nprev++\n\t}\n\n\tr, w := utf8.DecodeRuneInString(lx.input[lx.pos:])\n\tif r == utf8.RuneError {\n\t\tlx.error(errLexUTF8{lx.input[lx.pos]})\n\t\treturn utf8.RuneError\n\t}\n\n\t// Note: don't use peek() here, as this calls next().\n\tif isControl(r) || (r == '\\r' && (len(lx.input)-1 == lx.pos || lx.input[lx.pos+1] != '\\n')) {\n\t\tlx.errorControlChar(r)\n\t\treturn utf8.RuneError\n\t}\n\n\tlx.prevWidths[0] = w\n\tlx.pos += w\n\treturn r\n}\n\n// ignore skips over the pending input before this point.\nfunc (lx *lexer) ignore() {\n\tlx.start = lx.pos\n}\n\n// backup steps back one rune. Can be called 4 times between calls to next.\nfunc (lx *lexer) backup() {\n\tif lx.atEOF {\n\t\tlx.atEOF = false\n\t\treturn\n\t}\n\tif lx.nprev < 1 {\n\t\tpanic(\"BUG in lexer: backed up too far\")\n\t}\n\tw := lx.prevWidths[0]\n\tlx.prevWidths[0] = lx.prevWidths[1]\n\tlx.prevWidths[1] = lx.prevWidths[2]\n\tlx.prevWidths[2] = lx.prevWidths[3]\n\tlx.nprev--\n\n\tlx.pos -= w\n\tif lx.pos < len(lx.input) && lx.input[lx.pos] == '\\n' {\n\t\tlx.line--\n\t}\n}\n\n// accept consumes the next rune if it's equal to `valid`.\nfunc (lx *lexer) accept(valid rune) bool {\n\tif lx.next() == valid {\n\t\treturn true\n\t}\n\tlx.backup()\n\treturn false\n}\n\n// peek returns but does not consume the next rune in the input.\nfunc (lx *lexer) peek() rune {\n\tr := lx.next()\n\tlx.backup()\n\treturn r\n}\n\n// skip ignores all input that matches the given predicate.\nfunc (lx *lexer) skip(pred func(rune) bool) {\n\tfor {\n\t\tr := lx.next()\n\t\tif pred(r) {\n\t\t\tcontinue\n\t\t}\n\t\tlx.backup()\n\t\tlx.ignore()\n\t\treturn\n\t}\n}\n\n// error stops all lexing by emitting an error and returning `nil`.\n//\n// Note that any value that is a character is escaped if it's a special\n// character (newlines, tabs, etc.).\nfunc (lx *lexer) error(err error) stateFn {\n\tif lx.atEOF {\n\t\treturn lx.errorPrevLine(err)\n\t}\n\tlx.items <- item{typ: itemError, pos: lx.getPos(), err: err}\n\treturn nil\n}\n\n// errorfPrevline is like error(), but sets the position to the last column of\n// the previous line.\n//\n// This is so that unexpected EOF or NL errors don't show on a new blank line.\nfunc (lx *lexer) errorPrevLine(err error) stateFn {\n\tpos := lx.getPos()\n\tpos.Line--\n\tpos.Len = 1\n\tpos.Start = lx.pos - 1\n\tlx.items <- item{typ: itemError, pos: pos, err: err}\n\treturn nil\n}\n\n// errorPos is like error(), but allows explicitly setting the position.\nfunc (lx *lexer) errorPos(start, length int, err error) stateFn {\n\tpos := lx.getPos()\n\tpos.Start = start\n\tpos.Len = length\n\tlx.items <- item{typ: itemError, pos: pos, err: err}\n\treturn nil\n}\n\n// errorf is like error, and creates a new error.\nfunc (lx *lexer) errorf(format string, values ...interface{}) stateFn {\n\tif lx.atEOF {\n\t\tpos := lx.getPos()\n\t\tpos.Line--\n\t\tpos.Len = 1\n\t\tpos.Start = lx.pos - 1\n\t\tlx.items <- item{typ: itemError, pos: pos, err: fmt.Errorf(format, values...)}\n\t\treturn nil\n\t}\n\tlx.items <- item{typ: itemError, pos: lx.getPos(), err: fmt.Errorf(format, values...)}\n\treturn nil\n}\n\nfunc (lx *lexer) errorControlChar(cc rune) stateFn {\n\treturn lx.errorPos(lx.pos-1, 1, errLexControl{cc})\n}\n\n// lexTop consumes elements at the top level of TOML data.\nfunc lexTop(lx *lexer) stateFn {\n\tr := lx.next()\n\tif isWhitespace(r) || isNL(r) {\n\t\treturn lexSkip(lx, lexTop)\n\t}\n\tswitch r {\n\tcase '#':\n\t\tlx.push(lexTop)\n\t\treturn lexCommentStart\n\tcase '[':\n\t\treturn lexTableStart\n\tcase eof:\n\t\tif lx.pos > lx.start {\n\t\t\treturn lx.errorf(\"unexpected EOF\")\n\t\t}\n\t\tlx.emit(itemEOF)\n\t\treturn nil\n\t}\n\n\t// At this point, the only valid item can be a key, so we back up\n\t// and let the key lexer do the rest.\n\tlx.backup()\n\tlx.push(lexTopEnd)\n\treturn lexKeyStart\n}\n\n// lexTopEnd is entered whenever a top-level item has been consumed. (A value\n// or a table.) It must see only whitespace, and will turn back to lexTop\n// upon a newline. If it sees EOF, it will quit the lexer successfully.\nfunc lexTopEnd(lx *lexer) stateFn {\n\tr := lx.next()\n\tswitch {\n\tcase r == '#':\n\t\t// a comment will read to a newline for us.\n\t\tlx.push(lexTop)\n\t\treturn lexCommentStart\n\tcase isWhitespace(r):\n\t\treturn lexTopEnd\n\tcase isNL(r):\n\t\tlx.ignore()\n\t\treturn lexTop\n\tcase r == eof:\n\t\tlx.emit(itemEOF)\n\t\treturn nil\n\t}\n\treturn lx.errorf(\n\t\t\"expected a top-level item to end with a newline, comment, or EOF, but got %q instead\",\n\t\tr)\n}\n\n// lexTable lexes the beginning of a table. Namely, it makes sure that\n// it starts with a character other than '.' and ']'.\n// It assumes that '[' has already been consumed.\n// It also handles the case that this is an item in an array of tables.\n// e.g., '[[name]]'.\nfunc lexTableStart(lx *lexer) stateFn {\n\tif lx.peek() == '[' {\n\t\tlx.next()\n\t\tlx.emit(itemArrayTableStart)\n\t\tlx.push(lexArrayTableEnd)\n\t} else {\n\t\tlx.emit(itemTableStart)\n\t\tlx.push(lexTableEnd)\n\t}\n\treturn lexTableNameStart\n}\n\nfunc lexTableEnd(lx *lexer) stateFn {\n\tlx.emit(itemTableEnd)\n\treturn lexTopEnd\n}\n\nfunc lexArrayTableEnd(lx *lexer) stateFn {\n\tif r := lx.next(); r != ']' {\n\t\treturn lx.errorf(\"expected end of table array name delimiter ']', but got %q instead\", r)\n\t}\n\tlx.emit(itemArrayTableEnd)\n\treturn lexTopEnd\n}\n\nfunc lexTableNameStart(lx *lexer) stateFn {\n\tlx.skip(isWhitespace)\n\tswitch r := lx.peek(); {\n\tcase r == ']' || r == eof:\n\t\treturn lx.errorf(\"unexpected end of table name (table names cannot be empty)\")\n\tcase r == '.':\n\t\treturn lx.errorf(\"unexpected table separator (table names cannot be empty)\")\n\tcase r == '\"' || r == '\\'':\n\t\tlx.ignore()\n\t\tlx.push(lexTableNameEnd)\n\t\treturn lexQuotedName\n\tdefault:\n\t\tlx.push(lexTableNameEnd)\n\t\treturn lexBareName\n\t}\n}\n\n// lexTableNameEnd reads the end of a piece of a table name, optionally\n// consuming whitespace.\nfunc lexTableNameEnd(lx *lexer) stateFn {\n\tlx.skip(isWhitespace)\n\tswitch r := lx.next(); {\n\tcase isWhitespace(r):\n\t\treturn lexTableNameEnd\n\tcase r == '.':\n\t\tlx.ignore()\n\t\treturn lexTableNameStart\n\tcase r == ']':\n\t\treturn lx.pop()\n\tdefault:\n\t\treturn lx.errorf(\"expected '.' or ']' to end table name, but got %q instead\", r)\n\t}\n}\n\n// lexBareName lexes one part of a key or table.\n//\n// It assumes that at least one valid character for the table has already been\n// read.\n//\n// Lexes only one part, e.g. only 'a' inside 'a.b'.\nfunc lexBareName(lx *lexer) stateFn {\n\tr := lx.next()\n\tif isBareKeyChar(r) {\n\t\treturn lexBareName\n\t}\n\tlx.backup()\n\tlx.emit(itemText)\n\treturn lx.pop()\n}\n\n// lexBareName lexes one part of a key or table.\n//\n// It assumes that at least one valid character for the table has already been\n// read.\n//\n// Lexes only one part, e.g. only '\"a\"' inside '\"a\".b'.\nfunc lexQuotedName(lx *lexer) stateFn {\n\tr := lx.next()\n\tswitch {\n\tcase isWhitespace(r):\n\t\treturn lexSkip(lx, lexValue)\n\tcase r == '\"':\n\t\tlx.ignore() // ignore the '\"'\n\t\treturn lexString\n\tcase r == '\\'':\n\t\tlx.ignore() // ignore the \"'\"\n\t\treturn lexRawString\n\tcase r == eof:\n\t\treturn lx.errorf(\"unexpected EOF; expected value\")\n\tdefault:\n\t\treturn lx.errorf(\"expected value but found %q instead\", r)\n\t}\n}\n\n// lexKeyStart consumes all key parts until a '='.\nfunc lexKeyStart(lx *lexer) stateFn {\n\tlx.skip(isWhitespace)\n\tswitch r := lx.peek(); {\n\tcase r == '=' || r == eof:\n\t\treturn lx.errorf(\"unexpected '=': key name appears blank\")\n\tcase r == '.':\n\t\treturn lx.errorf(\"unexpected '.': keys cannot start with a '.'\")\n\tcase r == '\"' || r == '\\'':\n\t\tlx.ignore()\n\t\tfallthrough\n\tdefault: // Bare key\n\t\tlx.emit(itemKeyStart)\n\t\treturn lexKeyNameStart\n\t}\n}\n\nfunc lexKeyNameStart(lx *lexer) stateFn {\n\tlx.skip(isWhitespace)\n\tswitch r := lx.peek(); {\n\tcase r == '=' || r == eof:\n\t\treturn lx.errorf(\"unexpected '='\")\n\tcase r == '.':\n\t\treturn lx.errorf(\"unexpected '.'\")\n\tcase r == '\"' || r == '\\'':\n\t\tlx.ignore()\n\t\tlx.push(lexKeyEnd)\n\t\treturn lexQuotedName\n\tdefault:\n\t\tlx.push(lexKeyEnd)\n\t\treturn lexBareName\n\t}\n}\n\n// lexKeyEnd consumes the end of a key and trims whitespace (up to the key\n// separator).\nfunc lexKeyEnd(lx *lexer) stateFn {\n\tlx.skip(isWhitespace)\n\tswitch r := lx.next(); {\n\tcase isWhitespace(r):\n\t\treturn lexSkip(lx, lexKeyEnd)\n\tcase r == eof:\n\t\treturn lx.errorf(\"unexpected EOF; expected key separator '='\")\n\tcase r == '.':\n\t\tlx.ignore()\n\t\treturn lexKeyNameStart\n\tcase r == '=':\n\t\tlx.emit(itemKeyEnd)\n\t\treturn lexSkip(lx, lexValue)\n\tdefault:\n\t\treturn lx.errorf(\"expected '.' or '=', but got %q instead\", r)\n\t}\n}\n\n// lexValue starts the consumption of a value anywhere a value is expected.\n// lexValue will ignore whitespace.\n// After a value is lexed, the last state on the next is popped and returned.\nfunc lexValue(lx *lexer) stateFn {\n\t// We allow whitespace to precede a value, but NOT newlines.\n\t// In array syntax, the array states are responsible for ignoring newlines.\n\tr := lx.next()\n\tswitch {\n\tcase isWhitespace(r):\n\t\treturn lexSkip(lx, lexValue)\n\tcase isDigit(r):\n\t\tlx.backup() // avoid an extra state and use the same as above\n\t\treturn lexNumberOrDateStart\n\t}\n\tswitch r {\n\tcase '[':\n\t\tlx.ignore()\n\t\tlx.emit(itemArray)\n\t\treturn lexArrayValue\n\tcase '{':\n\t\tlx.ignore()\n\t\tlx.emit(itemInlineTableStart)\n\t\treturn lexInlineTableValue\n\tcase '\"':\n\t\tif lx.accept('\"') {\n\t\t\tif lx.accept('\"') {\n\t\t\t\tlx.ignore() // Ignore \"\"\"\n\t\t\t\treturn lexMultilineString\n\t\t\t}\n\t\t\tlx.backup()\n\t\t}\n\t\tlx.ignore() // ignore the '\"'\n\t\treturn lexString\n\tcase '\\'':\n\t\tif lx.accept('\\'') {\n\t\t\tif lx.accept('\\'') {\n\t\t\t\tlx.ignore() // Ignore \"\"\"\n\t\t\t\treturn lexMultilineRawString\n\t\t\t}\n\t\t\tlx.backup()\n\t\t}\n\t\tlx.ignore() // ignore the \"'\"\n\t\treturn lexRawString\n\tcase '.': // special error case, be kind to users\n\t\treturn lx.errorf(\"floats must start with a digit, not '.'\")\n\tcase 'i', 'n':\n\t\tif (lx.accept('n') && lx.accept('f')) || (lx.accept('a') && lx.accept('n')) {\n\t\t\tlx.emit(itemFloat)\n\t\t\treturn lx.pop()\n\t\t}\n\tcase '-', '+':\n\t\treturn lexDecimalNumberStart\n\t}\n\tif unicode.IsLetter(r) {\n\t\t// Be permissive here; lexBool will give a nice error if the\n\t\t// user wrote something like\n\t\t// x = foo\n\t\t// (i.e. not 'true' or 'false' but is something else word-like.)\n\t\tlx.backup()\n\t\treturn lexBool\n\t}\n\tif r == eof {\n\t\treturn lx.errorf(\"unexpected EOF; expected value\")\n\t}\n\treturn lx.errorf(\"expected value but found %q instead\", r)\n}\n\n// lexArrayValue consumes one value in an array. It assumes that '[' or ','\n// have already been consumed. All whitespace and newlines are ignored.\nfunc lexArrayValue(lx *lexer) stateFn {\n\tr := lx.next()\n\tswitch {\n\tcase isWhitespace(r) || isNL(r):\n\t\treturn lexSkip(lx, lexArrayValue)\n\tcase r == '#':\n\t\tlx.push(lexArrayValue)\n\t\treturn lexCommentStart\n\tcase r == ',':\n\t\treturn lx.errorf(\"unexpected comma\")\n\tcase r == ']':\n\t\treturn lexArrayEnd\n\t}\n\n\tlx.backup()\n\tlx.push(lexArrayValueEnd)\n\treturn lexValue\n}\n\n// lexArrayValueEnd consumes everything between the end of an array value and\n// the next value (or the end of the array): it ignores whitespace and newlines\n// and expects either a ',' or a ']'.\nfunc lexArrayValueEnd(lx *lexer) stateFn {\n\tswitch r := lx.next(); {\n\tcase isWhitespace(r) || isNL(r):\n\t\treturn lexSkip(lx, lexArrayValueEnd)\n\tcase r == '#':\n\t\tlx.push(lexArrayValueEnd)\n\t\treturn lexCommentStart\n\tcase r == ',':\n\t\tlx.ignore()\n\t\treturn lexArrayValue // move on to the next value\n\tcase r == ']':\n\t\treturn lexArrayEnd\n\tdefault:\n\t\treturn lx.errorf(\"expected a comma (',') or array terminator (']'), but got %s\", runeOrEOF(r))\n\t}\n}\n\n// lexArrayEnd finishes the lexing of an array.\n// It assumes that a ']' has just been consumed.\nfunc lexArrayEnd(lx *lexer) stateFn {\n\tlx.ignore()\n\tlx.emit(itemArrayEnd)\n\treturn lx.pop()\n}\n\n// lexInlineTableValue consumes one key/value pair in an inline table.\n// It assumes that '{' or ',' have already been consumed. Whitespace is ignored.\nfunc lexInlineTableValue(lx *lexer) stateFn {\n\tr := lx.next()\n\tswitch {\n\tcase isWhitespace(r):\n\t\treturn lexSkip(lx, lexInlineTableValue)\n\tcase isNL(r):\n\t\treturn lx.errorPrevLine(errLexInlineTableNL{})\n\tcase r == '#':\n\t\tlx.push(lexInlineTableValue)\n\t\treturn lexCommentStart\n\tcase r == ',':\n\t\treturn lx.errorf(\"unexpected comma\")\n\tcase r == '}':\n\t\treturn lexInlineTableEnd\n\t}\n\tlx.backup()\n\tlx.push(lexInlineTableValueEnd)\n\treturn lexKeyStart\n}\n\n// lexInlineTableValueEnd consumes everything between the end of an inline table\n// key/value pair and the next pair (or the end of the table):\n// it ignores whitespace and expects either a ',' or a '}'.\nfunc lexInlineTableValueEnd(lx *lexer) stateFn {\n\tswitch r := lx.next(); {\n\tcase isWhitespace(r):\n\t\treturn lexSkip(lx, lexInlineTableValueEnd)\n\tcase isNL(r):\n\t\treturn lx.errorPrevLine(errLexInlineTableNL{})\n\tcase r == '#':\n\t\tlx.push(lexInlineTableValueEnd)\n\t\treturn lexCommentStart\n\tcase r == ',':\n\t\tlx.ignore()\n\t\tlx.skip(isWhitespace)\n\t\tif lx.peek() == '}' {\n\t\t\treturn lx.errorf(\"trailing comma not allowed in inline tables\")\n\t\t}\n\t\treturn lexInlineTableValue\n\tcase r == '}':\n\t\treturn lexInlineTableEnd\n\tdefault:\n\t\treturn lx.errorf(\"expected a comma or an inline table terminator '}', but got %s instead\", runeOrEOF(r))\n\t}\n}\n\nfunc runeOrEOF(r rune) string {\n\tif r == eof {\n\t\treturn \"end of file\"\n\t}\n\treturn \"'\" + string(r) + \"'\"\n}\n\n// lexInlineTableEnd finishes the lexing of an inline table.\n// It assumes that a '}' has just been consumed.\nfunc lexInlineTableEnd(lx *lexer) stateFn {\n\tlx.ignore()\n\tlx.emit(itemInlineTableEnd)\n\treturn lx.pop()\n}\n\n// lexString consumes the inner contents of a string. It assumes that the\n// beginning '\"' has already been consumed and ignored.\nfunc lexString(lx *lexer) stateFn {\n\tr := lx.next()\n\tswitch {\n\tcase r == eof:\n\t\treturn lx.errorf(`unexpected EOF; expected '\"'`)\n\tcase isNL(r):\n\t\treturn lx.errorPrevLine(errLexStringNL{})\n\tcase r == '\\\\':\n\t\tlx.push(lexString)\n\t\treturn lexStringEscape\n\tcase r == '\"':\n\t\tlx.backup()\n\t\tlx.emit(itemString)\n\t\tlx.next()\n\t\tlx.ignore()\n\t\treturn lx.pop()\n\t}\n\treturn lexString\n}\n\n// lexMultilineString consumes the inner contents of a string. It assumes that\n// the beginning '\"\"\"' has already been consumed and ignored.\nfunc lexMultilineString(lx *lexer) stateFn {\n\tr := lx.next()\n\tswitch r {\n\tdefault:\n\t\treturn lexMultilineString\n\tcase eof:\n\t\treturn lx.errorf(`unexpected EOF; expected '\"\"\"'`)\n\tcase '\\\\':\n\t\treturn lexMultilineStringEscape\n\tcase '\"':\n\t\t/// Found \" → try to read two more \"\".\n\t\tif lx.accept('\"') {\n\t\t\tif lx.accept('\"') {\n\t\t\t\t/// Peek ahead: the string can contain \" and \"\", including at the\n\t\t\t\t/// end: \"\"\"str\"\"\"\"\"\n\t\t\t\t/// 6 or more at the end, however, is an error.\n\t\t\t\tif lx.peek() == '\"' {\n\t\t\t\t\t/// Check if we already lexed 5 's; if so we have 6 now, and\n\t\t\t\t\t/// that's just too many man!\n\t\t\t\t\t///\n\t\t\t\t\t/// Second check is for the edge case:\n\t\t\t\t\t///\n\t\t\t\t\t/// two quotes allowed.\n\t\t\t\t\t/// vv\n\t\t\t\t\t/// \"\"\"lol \\\"\"\"\"\"\"\n\t\t\t\t\t/// ^^ ^^^---- closing three\n\t\t\t\t\t/// escaped\n\t\t\t\t\t///\n\t\t\t\t\t/// But ugly, but it works\n\t\t\t\t\tif strings.HasSuffix(lx.current(), `\"\"\"\"\"`) && !strings.HasSuffix(lx.current(), `\\\"\"\"\"\"`) {\n\t\t\t\t\t\treturn lx.errorf(`unexpected '\"\"\"\"\"\"'`)\n\t\t\t\t\t}\n\t\t\t\t\tlx.backup()\n\t\t\t\t\tlx.backup()\n\t\t\t\t\treturn lexMultilineString\n\t\t\t\t}\n\n\t\t\t\tlx.backup() /// backup: don't include the \"\"\" in the item.\n\t\t\t\tlx.backup()\n\t\t\t\tlx.backup()\n\t\t\t\tlx.emit(itemMultilineString)\n\t\t\t\tlx.next() /// Read over ''' again and discard it.\n\t\t\t\tlx.next()\n\t\t\t\tlx.next()\n\t\t\t\tlx.ignore()\n\t\t\t\treturn lx.pop()\n\t\t\t}\n\t\t\tlx.backup()\n\t\t}\n\t\treturn lexMultilineString\n\t}\n}\n\n// lexRawString consumes a raw string. Nothing can be escaped in such a string.\n// It assumes that the beginning \"'\" has already been consumed and ignored.\nfunc lexRawString(lx *lexer) stateFn {\n\tr := lx.next()\n\tswitch {\n\tdefault:\n\t\treturn lexRawString\n\tcase r == eof:\n\t\treturn lx.errorf(`unexpected EOF; expected \"'\"`)\n\tcase isNL(r):\n\t\treturn lx.errorPrevLine(errLexStringNL{})\n\tcase r == '\\'':\n\t\tlx.backup()\n\t\tlx.emit(itemRawString)\n\t\tlx.next()\n\t\tlx.ignore()\n\t\treturn lx.pop()\n\t}\n}\n\n// lexMultilineRawString consumes a raw string. Nothing can be escaped in such\n// a string. It assumes that the beginning \"'''\" has already been consumed and\n// ignored.\nfunc lexMultilineRawString(lx *lexer) stateFn {\n\tr := lx.next()\n\tswitch r {\n\tdefault:\n\t\treturn lexMultilineRawString\n\tcase eof:\n\t\treturn lx.errorf(`unexpected EOF; expected \"'''\"`)\n\tcase '\\'':\n\t\t/// Found ' → try to read two more ''.\n\t\tif lx.accept('\\'') {\n\t\t\tif lx.accept('\\'') {\n\t\t\t\t/// Peek ahead: the string can contain ' and '', including at the\n\t\t\t\t/// end: '''str'''''\n\t\t\t\t/// 6 or more at the end, however, is an error.\n\t\t\t\tif lx.peek() == '\\'' {\n\t\t\t\t\t/// Check if we already lexed 5 's; if so we have 6 now, and\n\t\t\t\t\t/// that's just too many man!\n\t\t\t\t\tif strings.HasSuffix(lx.current(), \"'''''\") {\n\t\t\t\t\t\treturn lx.errorf(`unexpected \"''''''\"`)\n\t\t\t\t\t}\n\t\t\t\t\tlx.backup()\n\t\t\t\t\tlx.backup()\n\t\t\t\t\treturn lexMultilineRawString\n\t\t\t\t}\n\n\t\t\t\tlx.backup() /// backup: don't include the ''' in the item.\n\t\t\t\tlx.backup()\n\t\t\t\tlx.backup()\n\t\t\t\tlx.emit(itemRawMultilineString)\n\t\t\t\tlx.next() /// Read over ''' again and discard it.\n\t\t\t\tlx.next()\n\t\t\t\tlx.next()\n\t\t\t\tlx.ignore()\n\t\t\t\treturn lx.pop()\n\t\t\t}\n\t\t\tlx.backup()\n\t\t}\n\t\treturn lexMultilineRawString\n\t}\n}\n\n// lexMultilineStringEscape consumes an escaped character. It assumes that the\n// preceding '\\\\' has already been consumed.\nfunc lexMultilineStringEscape(lx *lexer) stateFn {\n\tif isNL(lx.next()) { /// \\ escaping newline.\n\t\treturn lexMultilineString\n\t}\n\tlx.backup()\n\tlx.push(lexMultilineString)\n\treturn lexStringEscape(lx)\n}\n\nfunc lexStringEscape(lx *lexer) stateFn {\n\tr := lx.next()\n\tswitch r {\n\tcase 'b':\n\t\tfallthrough\n\tcase 't':\n\t\tfallthrough\n\tcase 'n':\n\t\tfallthrough\n\tcase 'f':\n\t\tfallthrough\n\tcase 'r':\n\t\tfallthrough\n\tcase '\"':\n\t\tfallthrough\n\tcase ' ', '\\t':\n\t\t// Inside \"\"\" .. \"\"\" strings you can use \\ to escape newlines, and any\n\t\t// amount of whitespace can be between the \\ and \\n.\n\t\tfallthrough\n\tcase '\\\\':\n\t\treturn lx.pop()\n\tcase 'u':\n\t\treturn lexShortUnicodeEscape\n\tcase 'U':\n\t\treturn lexLongUnicodeEscape\n\t}\n\treturn lx.error(errLexEscape{r})\n}\n\nfunc lexShortUnicodeEscape(lx *lexer) stateFn {\n\tvar r rune\n\tfor i := 0; i < 4; i++ {\n\t\tr = lx.next()\n\t\tif !isHexadecimal(r) {\n\t\t\treturn lx.errorf(\n\t\t\t\t`expected four hexadecimal digits after '\\u', but got %q instead`,\n\t\t\t\tlx.current())\n\t\t}\n\t}\n\treturn lx.pop()\n}\n\nfunc lexLongUnicodeEscape(lx *lexer) stateFn {\n\tvar r rune\n\tfor i := 0; i < 8; i++ {\n\t\tr = lx.next()\n\t\tif !isHexadecimal(r) {\n\t\t\treturn lx.errorf(\n\t\t\t\t`expected eight hexadecimal digits after '\\U', but got %q instead`,\n\t\t\t\tlx.current())\n\t\t}\n\t}\n\treturn lx.pop()\n}\n\n// lexNumberOrDateStart processes the first character of a value which begins\n// with a digit. It exists to catch values starting with '0', so that\n// lexBaseNumberOrDate can differentiate base prefixed integers from other\n// types.\nfunc lexNumberOrDateStart(lx *lexer) stateFn {\n\tr := lx.next()\n\tswitch r {\n\tcase '0':\n\t\treturn lexBaseNumberOrDate\n\t}\n\n\tif !isDigit(r) {\n\t\t// The only way to reach this state is if the value starts\n\t\t// with a digit, so specifically treat anything else as an\n\t\t// error.\n\t\treturn lx.errorf(\"expected a digit but got %q\", r)\n\t}\n\n\treturn lexNumberOrDate\n}\n\n// lexNumberOrDate consumes either an integer, float or datetime.\nfunc lexNumberOrDate(lx *lexer) stateFn {\n\tr := lx.next()\n\tif isDigit(r) {\n\t\treturn lexNumberOrDate\n\t}\n\tswitch r {\n\tcase '-', ':':\n\t\treturn lexDatetime\n\tcase '_':\n\t\treturn lexDecimalNumber\n\tcase '.', 'e', 'E':\n\t\treturn lexFloat\n\t}\n\n\tlx.backup()\n\tlx.emit(itemInteger)\n\treturn lx.pop()\n}\n\n// lexDatetime consumes a Datetime, to a first approximation.\n// The parser validates that it matches one of the accepted formats.\nfunc lexDatetime(lx *lexer) stateFn {\n\tr := lx.next()\n\tif isDigit(r) {\n\t\treturn lexDatetime\n\t}\n\tswitch r {\n\tcase '-', ':', 'T', 't', ' ', '.', 'Z', 'z', '+':\n\t\treturn lexDatetime\n\t}\n\n\tlx.backup()\n\tlx.emitTrim(itemDatetime)\n\treturn lx.pop()\n}\n\n// lexHexInteger consumes a hexadecimal integer after seeing the '0x' prefix.\nfunc lexHexInteger(lx *lexer) stateFn {\n\tr := lx.next()\n\tif isHexadecimal(r) {\n\t\treturn lexHexInteger\n\t}\n\tswitch r {\n\tcase '_':\n\t\treturn lexHexInteger\n\t}\n\n\tlx.backup()\n\tlx.emit(itemInteger)\n\treturn lx.pop()\n}\n\n// lexOctalInteger consumes an octal integer after seeing the '0o' prefix.\nfunc lexOctalInteger(lx *lexer) stateFn {\n\tr := lx.next()\n\tif isOctal(r) {\n\t\treturn lexOctalInteger\n\t}\n\tswitch r {\n\tcase '_':\n\t\treturn lexOctalInteger\n\t}\n\n\tlx.backup()\n\tlx.emit(itemInteger)\n\treturn lx.pop()\n}\n\n// lexBinaryInteger consumes a binary integer after seeing the '0b' prefix.\nfunc lexBinaryInteger(lx *lexer) stateFn {\n\tr := lx.next()\n\tif isBinary(r) {\n\t\treturn lexBinaryInteger\n\t}\n\tswitch r {\n\tcase '_':\n\t\treturn lexBinaryInteger\n\t}\n\n\tlx.backup()\n\tlx.emit(itemInteger)\n\treturn lx.pop()\n}\n\n// lexDecimalNumber consumes a decimal float or integer.\nfunc lexDecimalNumber(lx *lexer) stateFn {\n\tr := lx.next()\n\tif isDigit(r) {\n\t\treturn lexDecimalNumber\n\t}\n\tswitch r {\n\tcase '.', 'e', 'E':\n\t\treturn lexFloat\n\tcase '_':\n\t\treturn lexDecimalNumber\n\t}\n\n\tlx.backup()\n\tlx.emit(itemInteger)\n\treturn lx.pop()\n}\n\n// lexDecimalNumber consumes the first digit of a number beginning with a sign.\n// It assumes the sign has already been consumed. Values which start with a sign\n// are only allowed to be decimal integers or floats.\n//\n// The special \"nan\" and \"inf\" values are also recognized.\nfunc lexDecimalNumberStart(lx *lexer) stateFn {\n\tr := lx.next()\n\n\t// Special error cases to give users better error messages\n\tswitch r {\n\tcase 'i':\n\t\tif !lx.accept('n') || !lx.accept('f') {\n\t\t\treturn lx.errorf(\"invalid float: '%s'\", lx.current())\n\t\t}\n\t\tlx.emit(itemFloat)\n\t\treturn lx.pop()\n\tcase 'n':\n\t\tif !lx.accept('a') || !lx.accept('n') {\n\t\t\treturn lx.errorf(\"invalid float: '%s'\", lx.current())\n\t\t}\n\t\tlx.emit(itemFloat)\n\t\treturn lx.pop()\n\tcase '0':\n\t\tp := lx.peek()\n\t\tswitch p {\n\t\tcase 'b', 'o', 'x':\n\t\t\treturn lx.errorf(\"cannot use sign with non-decimal numbers: '%s%c'\", lx.current(), p)\n\t\t}\n\tcase '.':\n\t\treturn lx.errorf(\"floats must start with a digit, not '.'\")\n\t}\n\n\tif isDigit(r) {\n\t\treturn lexDecimalNumber\n\t}\n\n\treturn lx.errorf(\"expected a digit but got %q\", r)\n}\n\n// lexBaseNumberOrDate differentiates between the possible values which\n// start with '0'. It assumes that before reaching this state, the initial '0'\n// has been consumed.\nfunc lexBaseNumberOrDate(lx *lexer) stateFn {\n\tr := lx.next()\n\t// Note: All datetimes start with at least two digits, so we don't\n\t// handle date characters (':', '-', etc.) here.\n\tif isDigit(r) {\n\t\treturn lexNumberOrDate\n\t}\n\tswitch r {\n\tcase '_':\n\t\t// Can only be decimal, because there can't be an underscore\n\t\t// between the '0' and the base designator, and dates can't\n\t\t// contain underscores.\n\t\treturn lexDecimalNumber\n\tcase '.', 'e', 'E':\n\t\treturn lexFloat\n\tcase 'b':\n\t\tr = lx.peek()\n\t\tif !isBinary(r) {\n\t\t\tlx.errorf(\"not a binary number: '%s%c'\", lx.current(), r)\n\t\t}\n\t\treturn lexBinaryInteger\n\tcase 'o':\n\t\tr = lx.peek()\n\t\tif !isOctal(r) {\n\t\t\tlx.errorf(\"not an octal number: '%s%c'\", lx.current(), r)\n\t\t}\n\t\treturn lexOctalInteger\n\tcase 'x':\n\t\tr = lx.peek()\n\t\tif !isHexadecimal(r) {\n\t\t\tlx.errorf(\"not a hexidecimal number: '%s%c'\", lx.current(), r)\n\t\t}\n\t\treturn lexHexInteger\n\t}\n\n\tlx.backup()\n\tlx.emit(itemInteger)\n\treturn lx.pop()\n}\n\n// lexFloat consumes the elements of a float. It allows any sequence of\n// float-like characters, so floats emitted by the lexer are only a first\n// approximation and must be validated by the parser.\nfunc lexFloat(lx *lexer) stateFn {\n\tr := lx.next()\n\tif isDigit(r) {\n\t\treturn lexFloat\n\t}\n\tswitch r {\n\tcase '_', '.', '-', '+', 'e', 'E':\n\t\treturn lexFloat\n\t}\n\n\tlx.backup()\n\tlx.emit(itemFloat)\n\treturn lx.pop()\n}\n\n// lexBool consumes a bool string: 'true' or 'false.\nfunc lexBool(lx *lexer) stateFn {\n\tvar rs []rune\n\tfor {\n\t\tr := lx.next()\n\t\tif !unicode.IsLetter(r) {\n\t\t\tlx.backup()\n\t\t\tbreak\n\t\t}\n\t\trs = append(rs, r)\n\t}\n\ts := string(rs)\n\tswitch s {\n\tcase \"true\", \"false\":\n\t\tlx.emit(itemBool)\n\t\treturn lx.pop()\n\t}\n\treturn lx.errorf(\"expected value but found %q instead\", s)\n}\n\n// lexCommentStart begins the lexing of a comment. It will emit\n// itemCommentStart and consume no characters, passing control to lexComment.\nfunc lexCommentStart(lx *lexer) stateFn {\n\tlx.ignore()\n\tlx.emit(itemCommentStart)\n\treturn lexComment\n}\n\n// lexComment lexes an entire comment. It assumes that '#' has been consumed.\n// It will consume *up to* the first newline character, and pass control\n// back to the last state on the stack.\nfunc lexComment(lx *lexer) stateFn {\n\tswitch r := lx.next(); {\n\tcase isNL(r) || r == eof:\n\t\tlx.backup()\n\t\tlx.emit(itemText)\n\t\treturn lx.pop()\n\tdefault:\n\t\treturn lexComment\n\t}\n}\n\n// lexSkip ignores all slurped input and moves on to the next state.\nfunc lexSkip(lx *lexer, nextState stateFn) stateFn {\n\tlx.ignore()\n\treturn nextState\n}\n\nfunc (s stateFn) String() string {\n\tname := runtime.FuncForPC(reflect.ValueOf(s).Pointer()).Name()\n\tif i := strings.LastIndexByte(name, '.'); i > -1 {\n\t\tname = name[i+1:]\n\t}\n\tif s == nil {\n\t\tname = \"\"\n\t}\n\treturn name + \"()\"\n}\n\nfunc (itype itemType) String() string {\n\tswitch itype {\n\tcase itemError:\n\t\treturn \"Error\"\n\tcase itemNIL:\n\t\treturn \"NIL\"\n\tcase itemEOF:\n\t\treturn \"EOF\"\n\tcase itemText:\n\t\treturn \"Text\"\n\tcase itemString, itemRawString, itemMultilineString, itemRawMultilineString:\n\t\treturn \"String\"\n\tcase itemBool:\n\t\treturn \"Bool\"\n\tcase itemInteger:\n\t\treturn \"Integer\"\n\tcase itemFloat:\n\t\treturn \"Float\"\n\tcase itemDatetime:\n\t\treturn \"DateTime\"\n\tcase itemTableStart:\n\t\treturn \"TableStart\"\n\tcase itemTableEnd:\n\t\treturn \"TableEnd\"\n\tcase itemKeyStart:\n\t\treturn \"KeyStart\"\n\tcase itemKeyEnd:\n\t\treturn \"KeyEnd\"\n\tcase itemArray:\n\t\treturn \"Array\"\n\tcase itemArrayEnd:\n\t\treturn \"ArrayEnd\"\n\tcase itemCommentStart:\n\t\treturn \"CommentStart\"\n\tcase itemInlineTableStart:\n\t\treturn \"InlineTableStart\"\n\tcase itemInlineTableEnd:\n\t\treturn \"InlineTableEnd\"\n\t}\n\tpanic(fmt.Sprintf(\"BUG: Unknown type '%d'.\", int(itype)))\n}\n\nfunc (item item) String() string {\n\treturn fmt.Sprintf(\"(%s, %s)\", item.typ.String(), item.val)\n}\n\nfunc isWhitespace(r rune) bool { return r == '\\t' || r == ' ' }\nfunc isNL(r rune) bool { return r == '\\n' || r == '\\r' }\nfunc isControl(r rune) bool { // Control characters except \\t, \\r, \\n\n\tswitch r {\n\tcase '\\t', '\\r', '\\n':\n\t\treturn false\n\tdefault:\n\t\treturn (r >= 0x00 && r <= 0x1f) || r == 0x7f\n\t}\n}\nfunc isDigit(r rune) bool { return r >= '0' && r <= '9' }\nfunc isBinary(r rune) bool { return r == '0' || r == '1' }\nfunc isOctal(r rune) bool { return r >= '0' && r <= '7' }\nfunc isHexadecimal(r rune) bool {\n\treturn (r >= '0' && r <= '9') || (r >= 'a' && r <= 'f') || (r >= 'A' && r <= 'F')\n}\nfunc isBareKeyChar(r rune) bool {\n\treturn (r >= 'A' && r <= 'Z') ||\n\t\t(r >= 'a' && r <= 'z') ||\n\t\t(r >= '0' && r <= '9') ||\n\t\tr == '_' || r == '-'\n}\n" }, { "path": "vendor/github.com/BurntSushi/toml/meta.go", "content": "package toml\n\nimport (\n\t\"strings\"\n)\n\n// MetaData allows access to meta information about TOML data that's not\n// accessible otherwise.\n//\n// It allows checking if a key is defined in the TOML data, whether any keys\n// were undecoded, and the TOML type of a key.\ntype MetaData struct {\n\tcontext Key // Used only during decoding.\n\n\tkeyInfo map[string]keyInfo\n\tmapping map[string]interface{}\n\tkeys []Key\n\tdecoded map[string]struct{}\n\tdata []byte // Input file; for errors.\n}\n\n// IsDefined reports if the key exists in the TOML data.\n//\n// The key should be specified hierarchically, for example to access the TOML\n// key \"a.b.c\" you would use IsDefined(\"a\", \"b\", \"c\"). Keys are case sensitive.\n//\n// Returns false for an empty key.\nfunc (md *MetaData) IsDefined(key ...string) bool {\n\tif len(key) == 0 {\n\t\treturn false\n\t}\n\n\tvar (\n\t\thash map[string]interface{}\n\t\tok bool\n\t\thashOrVal interface{} = md.mapping\n\t)\n\tfor _, k := range key {\n\t\tif hash, ok = hashOrVal.(map[string]interface{}); !ok {\n\t\t\treturn false\n\t\t}\n\t\tif hashOrVal, ok = hash[k]; !ok {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\n// Type returns a string representation of the type of the key specified.\n//\n// Type will return the empty string if given an empty key or a key that does\n// not exist. Keys are case sensitive.\nfunc (md *MetaData) Type(key ...string) string {\n\tif ki, ok := md.keyInfo[Key(key).String()]; ok {\n\t\treturn ki.tomlType.typeString()\n\t}\n\treturn \"\"\n}\n\n// Keys returns a slice of every key in the TOML data, including key groups.\n//\n// Each key is itself a slice, where the first element is the top of the\n// hierarchy and the last is the most specific. The list will have the same\n// order as the keys appeared in the TOML data.\n//\n// All keys returned are non-empty.\nfunc (md *MetaData) Keys() []Key {\n\treturn md.keys\n}\n\n// Undecoded returns all keys that have not been decoded in the order in which\n// they appear in the original TOML document.\n//\n// This includes keys that haven't been decoded because of a Primitive value.\n// Once the Primitive value is decoded, the keys will be considered decoded.\n//\n// Also note that decoding into an empty interface will result in no decoding,\n// and so no keys will be considered decoded.\n//\n// In this sense, the Undecoded keys correspond to keys in the TOML document\n// that do not have a concrete type in your representation.\nfunc (md *MetaData) Undecoded() []Key {\n\tundecoded := make([]Key, 0, len(md.keys))\n\tfor _, key := range md.keys {\n\t\tif _, ok := md.decoded[key.String()]; !ok {\n\t\t\tundecoded = append(undecoded, key)\n\t\t}\n\t}\n\treturn undecoded\n}\n\n// Key represents any TOML key, including key groups. Use (MetaData).Keys to get\n// values of this type.\ntype Key []string\n\nfunc (k Key) String() string {\n\tss := make([]string, len(k))\n\tfor i := range k {\n\t\tss[i] = k.maybeQuoted(i)\n\t}\n\treturn strings.Join(ss, \".\")\n}\n\nfunc (k Key) maybeQuoted(i int) string {\n\tif k[i] == \"\" {\n\t\treturn `\"\"`\n\t}\n\tfor _, c := range k[i] {\n\t\tif !isBareKeyChar(c) {\n\t\t\treturn `\"` + dblQuotedReplacer.Replace(k[i]) + `\"`\n\t\t}\n\t}\n\treturn k[i]\n}\n\nfunc (k Key) add(piece string) Key {\n\tnewKey := make(Key, len(k)+1)\n\tcopy(newKey, k)\n\tnewKey[len(k)] = piece\n\treturn newKey\n}\n" }, { "path": "vendor/github.com/BurntSushi/toml/parse.go", "content": "package toml\n\nimport (\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\t\"unicode/utf8\"\n\n\t\"github.com/BurntSushi/toml/internal\"\n)\n\ntype parser struct {\n\tlx *lexer\n\tcontext Key // Full key for the current hash in scope.\n\tcurrentKey string // Base key name for everything except hashes.\n\tpos Position // Current position in the TOML file.\n\n\tordered []Key // List of keys in the order that they appear in the TOML data.\n\n\tkeyInfo map[string]keyInfo // Map keyname → info about the TOML key.\n\tmapping map[string]interface{} // Map keyname → key value.\n\timplicits map[string]struct{} // Record implicit keys (e.g. \"key.group.names\").\n}\n\ntype keyInfo struct {\n\tpos Position\n\ttomlType tomlType\n}\n\nfunc parse(data string) (p *parser, err error) {\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tif pErr, ok := r.(ParseError); ok {\n\t\t\t\tpErr.input = data\n\t\t\t\terr = pErr\n\t\t\t\treturn\n\t\t\t}\n\t\t\tpanic(r)\n\t\t}\n\t}()\n\n\t// Read over BOM; do this here as the lexer calls utf8.DecodeRuneInString()\n\t// which mangles stuff.\n\tif strings.HasPrefix(data, \"\\xff\\xfe\") || strings.HasPrefix(data, \"\\xfe\\xff\") {\n\t\tdata = data[2:]\n\t}\n\n\t// Examine first few bytes for NULL bytes; this probably means it's a UTF-16\n\t// file (second byte in surrogate pair being NULL). Again, do this here to\n\t// avoid having to deal with UTF-8/16 stuff in the lexer.\n\tex := 6\n\tif len(data) < 6 {\n\t\tex = len(data)\n\t}\n\tif i := strings.IndexRune(data[:ex], 0); i > -1 {\n\t\treturn nil, ParseError{\n\t\t\tMessage: \"files cannot contain NULL bytes; probably using UTF-16; TOML files must be UTF-8\",\n\t\t\tPosition: Position{Line: 1, Start: i, Len: 1},\n\t\t\tLine: 1,\n\t\t\tinput: data,\n\t\t}\n\t}\n\n\tp = &parser{\n\t\tkeyInfo: make(map[string]keyInfo),\n\t\tmapping: make(map[string]interface{}),\n\t\tlx: lex(data),\n\t\tordered: make([]Key, 0),\n\t\timplicits: make(map[string]struct{}),\n\t}\n\tfor {\n\t\titem := p.next()\n\t\tif item.typ == itemEOF {\n\t\t\tbreak\n\t\t}\n\t\tp.topLevel(item)\n\t}\n\n\treturn p, nil\n}\n\nfunc (p *parser) panicErr(it item, err error) {\n\tpanic(ParseError{\n\t\terr: err,\n\t\tPosition: it.pos,\n\t\tLine: it.pos.Len,\n\t\tLastKey: p.current(),\n\t})\n}\n\nfunc (p *parser) panicItemf(it item, format string, v ...interface{}) {\n\tpanic(ParseError{\n\t\tMessage: fmt.Sprintf(format, v...),\n\t\tPosition: it.pos,\n\t\tLine: it.pos.Len,\n\t\tLastKey: p.current(),\n\t})\n}\n\nfunc (p *parser) panicf(format string, v ...interface{}) {\n\tpanic(ParseError{\n\t\tMessage: fmt.Sprintf(format, v...),\n\t\tPosition: p.pos,\n\t\tLine: p.pos.Line,\n\t\tLastKey: p.current(),\n\t})\n}\n\nfunc (p *parser) next() item {\n\tit := p.lx.nextItem()\n\t//fmt.Printf(\"ITEM %-18s line %-3d │ %q\\n\", it.typ, it.pos.Line, it.val)\n\tif it.typ == itemError {\n\t\tif it.err != nil {\n\t\t\tpanic(ParseError{\n\t\t\t\tPosition: it.pos,\n\t\t\t\tLine: it.pos.Line,\n\t\t\t\tLastKey: p.current(),\n\t\t\t\terr: it.err,\n\t\t\t})\n\t\t}\n\n\t\tp.panicItemf(it, \"%s\", it.val)\n\t}\n\treturn it\n}\n\nfunc (p *parser) nextPos() item {\n\tit := p.next()\n\tp.pos = it.pos\n\treturn it\n}\n\nfunc (p *parser) bug(format string, v ...interface{}) {\n\tpanic(fmt.Sprintf(\"BUG: \"+format+\"\\n\\n\", v...))\n}\n\nfunc (p *parser) expect(typ itemType) item {\n\tit := p.next()\n\tp.assertEqual(typ, it.typ)\n\treturn it\n}\n\nfunc (p *parser) assertEqual(expected, got itemType) {\n\tif expected != got {\n\t\tp.bug(\"Expected '%s' but got '%s'.\", expected, got)\n\t}\n}\n\nfunc (p *parser) topLevel(item item) {\n\tswitch item.typ {\n\tcase itemCommentStart: // # ..\n\t\tp.expect(itemText)\n\tcase itemTableStart: // [ .. ]\n\t\tname := p.nextPos()\n\n\t\tvar key Key\n\t\tfor ; name.typ != itemTableEnd && name.typ != itemEOF; name = p.next() {\n\t\t\tkey = append(key, p.keyString(name))\n\t\t}\n\t\tp.assertEqual(itemTableEnd, name.typ)\n\n\t\tp.addContext(key, false)\n\t\tp.setType(\"\", tomlHash, item.pos)\n\t\tp.ordered = append(p.ordered, key)\n\tcase itemArrayTableStart: // [[ .. ]]\n\t\tname := p.nextPos()\n\n\t\tvar key Key\n\t\tfor ; name.typ != itemArrayTableEnd && name.typ != itemEOF; name = p.next() {\n\t\t\tkey = append(key, p.keyString(name))\n\t\t}\n\t\tp.assertEqual(itemArrayTableEnd, name.typ)\n\n\t\tp.addContext(key, true)\n\t\tp.setType(\"\", tomlArrayHash, item.pos)\n\t\tp.ordered = append(p.ordered, key)\n\tcase itemKeyStart: // key = ..\n\t\touterContext := p.context\n\t\t/// Read all the key parts (e.g. 'a' and 'b' in 'a.b')\n\t\tk := p.nextPos()\n\t\tvar key Key\n\t\tfor ; k.typ != itemKeyEnd && k.typ != itemEOF; k = p.next() {\n\t\t\tkey = append(key, p.keyString(k))\n\t\t}\n\t\tp.assertEqual(itemKeyEnd, k.typ)\n\n\t\t/// The current key is the last part.\n\t\tp.currentKey = key[len(key)-1]\n\n\t\t/// All the other parts (if any) are the context; need to set each part\n\t\t/// as implicit.\n\t\tcontext := key[:len(key)-1]\n\t\tfor i := range context {\n\t\t\tp.addImplicitContext(append(p.context, context[i:i+1]...))\n\t\t}\n\n\t\t/// Set value.\n\t\tvItem := p.next()\n\t\tval, typ := p.value(vItem, false)\n\t\tp.set(p.currentKey, val, typ, vItem.pos)\n\t\tp.ordered = append(p.ordered, p.context.add(p.currentKey))\n\n\t\t/// Remove the context we added (preserving any context from [tbl] lines).\n\t\tp.context = outerContext\n\t\tp.currentKey = \"\"\n\tdefault:\n\t\tp.bug(\"Unexpected type at top level: %s\", item.typ)\n\t}\n}\n\n// Gets a string for a key (or part of a key in a table name).\nfunc (p *parser) keyString(it item) string {\n\tswitch it.typ {\n\tcase itemText:\n\t\treturn it.val\n\tcase itemString, itemMultilineString,\n\t\titemRawString, itemRawMultilineString:\n\t\ts, _ := p.value(it, false)\n\t\treturn s.(string)\n\tdefault:\n\t\tp.bug(\"Unexpected key type: %s\", it.typ)\n\t}\n\tpanic(\"unreachable\")\n}\n\nvar datetimeRepl = strings.NewReplacer(\n\t\"z\", \"Z\",\n\t\"t\", \"T\",\n\t\" \", \"T\")\n\n// value translates an expected value from the lexer into a Go value wrapped\n// as an empty interface.\nfunc (p *parser) value(it item, parentIsArray bool) (interface{}, tomlType) {\n\tswitch it.typ {\n\tcase itemString:\n\t\treturn p.replaceEscapes(it, it.val), p.typeOfPrimitive(it)\n\tcase itemMultilineString:\n\t\treturn p.replaceEscapes(it, stripFirstNewline(p.stripEscapedNewlines(it.val))), p.typeOfPrimitive(it)\n\tcase itemRawString:\n\t\treturn it.val, p.typeOfPrimitive(it)\n\tcase itemRawMultilineString:\n\t\treturn stripFirstNewline(it.val), p.typeOfPrimitive(it)\n\tcase itemInteger:\n\t\treturn p.valueInteger(it)\n\tcase itemFloat:\n\t\treturn p.valueFloat(it)\n\tcase itemBool:\n\t\tswitch it.val {\n\t\tcase \"true\":\n\t\t\treturn true, p.typeOfPrimitive(it)\n\t\tcase \"false\":\n\t\t\treturn false, p.typeOfPrimitive(it)\n\t\tdefault:\n\t\t\tp.bug(\"Expected boolean value, but got '%s'.\", it.val)\n\t\t}\n\tcase itemDatetime:\n\t\treturn p.valueDatetime(it)\n\tcase itemArray:\n\t\treturn p.valueArray(it)\n\tcase itemInlineTableStart:\n\t\treturn p.valueInlineTable(it, parentIsArray)\n\tdefault:\n\t\tp.bug(\"Unexpected value type: %s\", it.typ)\n\t}\n\tpanic(\"unreachable\")\n}\n\nfunc (p *parser) valueInteger(it item) (interface{}, tomlType) {\n\tif !numUnderscoresOK(it.val) {\n\t\tp.panicItemf(it, \"Invalid integer %q: underscores must be surrounded by digits\", it.val)\n\t}\n\tif numHasLeadingZero(it.val) {\n\t\tp.panicItemf(it, \"Invalid integer %q: cannot have leading zeroes\", it.val)\n\t}\n\n\tnum, err := strconv.ParseInt(it.val, 0, 64)\n\tif err != nil {\n\t\t// Distinguish integer values. Normally, it'd be a bug if the lexer\n\t\t// provides an invalid integer, but it's possible that the number is\n\t\t// out of range of valid values (which the lexer cannot determine).\n\t\t// So mark the former as a bug but the latter as a legitimate user\n\t\t// error.\n\t\tif e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange {\n\t\t\tp.panicErr(it, errParseRange{i: it.val, size: \"int64\"})\n\t\t} else {\n\t\t\tp.bug(\"Expected integer value, but got '%s'.\", it.val)\n\t\t}\n\t}\n\treturn num, p.typeOfPrimitive(it)\n}\n\nfunc (p *parser) valueFloat(it item) (interface{}, tomlType) {\n\tparts := strings.FieldsFunc(it.val, func(r rune) bool {\n\t\tswitch r {\n\t\tcase '.', 'e', 'E':\n\t\t\treturn true\n\t\t}\n\t\treturn false\n\t})\n\tfor _, part := range parts {\n\t\tif !numUnderscoresOK(part) {\n\t\t\tp.panicItemf(it, \"Invalid float %q: underscores must be surrounded by digits\", it.val)\n\t\t}\n\t}\n\tif len(parts) > 0 && numHasLeadingZero(parts[0]) {\n\t\tp.panicItemf(it, \"Invalid float %q: cannot have leading zeroes\", it.val)\n\t}\n\tif !numPeriodsOK(it.val) {\n\t\t// As a special case, numbers like '123.' or '1.e2',\n\t\t// which are valid as far as Go/strconv are concerned,\n\t\t// must be rejected because TOML says that a fractional\n\t\t// part consists of '.' followed by 1+ digits.\n\t\tp.panicItemf(it, \"Invalid float %q: '.' must be followed by one or more digits\", it.val)\n\t}\n\tval := strings.Replace(it.val, \"_\", \"\", -1)\n\tif val == \"+nan\" || val == \"-nan\" { // Go doesn't support this, but TOML spec does.\n\t\tval = \"nan\"\n\t}\n\tnum, err := strconv.ParseFloat(val, 64)\n\tif err != nil {\n\t\tif e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange {\n\t\t\tp.panicErr(it, errParseRange{i: it.val, size: \"float64\"})\n\t\t} else {\n\t\t\tp.panicItemf(it, \"Invalid float value: %q\", it.val)\n\t\t}\n\t}\n\treturn num, p.typeOfPrimitive(it)\n}\n\nvar dtTypes = []struct {\n\tfmt string\n\tzone *time.Location\n}{\n\t{time.RFC3339Nano, time.Local},\n\t{\"2006-01-02T15:04:05.999999999\", internal.LocalDatetime},\n\t{\"2006-01-02\", internal.LocalDate},\n\t{\"15:04:05.999999999\", internal.LocalTime},\n}\n\nfunc (p *parser) valueDatetime(it item) (interface{}, tomlType) {\n\tit.val = datetimeRepl.Replace(it.val)\n\tvar (\n\t\tt time.Time\n\t\tok bool\n\t\terr error\n\t)\n\tfor _, dt := range dtTypes {\n\t\tt, err = time.ParseInLocation(dt.fmt, it.val, dt.zone)\n\t\tif err == nil {\n\t\t\tok = true\n\t\t\tbreak\n\t\t}\n\t}\n\tif !ok {\n\t\tp.panicItemf(it, \"Invalid TOML Datetime: %q.\", it.val)\n\t}\n\treturn t, p.typeOfPrimitive(it)\n}\n\nfunc (p *parser) valueArray(it item) (interface{}, tomlType) {\n\tp.setType(p.currentKey, tomlArray, it.pos)\n\n\tvar (\n\t\ttypes []tomlType\n\n\t\t// Initialize to a non-nil empty slice. This makes it consistent with\n\t\t// how S = [] decodes into a non-nil slice inside something like struct\n\t\t// { S []string }. See #338\n\t\tarray = []interface{}{}\n\t)\n\tfor it = p.next(); it.typ != itemArrayEnd; it = p.next() {\n\t\tif it.typ == itemCommentStart {\n\t\t\tp.expect(itemText)\n\t\t\tcontinue\n\t\t}\n\n\t\tval, typ := p.value(it, true)\n\t\tarray = append(array, val)\n\t\ttypes = append(types, typ)\n\n\t\t// XXX: types isn't used here, we need it to record the accurate type\n\t\t// information.\n\t\t//\n\t\t// Not entirely sure how to best store this; could use \"key[0]\",\n\t\t// \"key[1]\" notation, or maybe store it on the Array type?\n\t}\n\treturn array, tomlArray\n}\n\nfunc (p *parser) valueInlineTable(it item, parentIsArray bool) (interface{}, tomlType) {\n\tvar (\n\t\thash = make(map[string]interface{})\n\t\touterContext = p.context\n\t\touterKey = p.currentKey\n\t)\n\n\tp.context = append(p.context, p.currentKey)\n\tprevContext := p.context\n\tp.currentKey = \"\"\n\n\tp.addImplicit(p.context)\n\tp.addContext(p.context, parentIsArray)\n\n\t/// Loop over all table key/value pairs.\n\tfor it := p.next(); it.typ != itemInlineTableEnd; it = p.next() {\n\t\tif it.typ == itemCommentStart {\n\t\t\tp.expect(itemText)\n\t\t\tcontinue\n\t\t}\n\n\t\t/// Read all key parts.\n\t\tk := p.nextPos()\n\t\tvar key Key\n\t\tfor ; k.typ != itemKeyEnd && k.typ != itemEOF; k = p.next() {\n\t\t\tkey = append(key, p.keyString(k))\n\t\t}\n\t\tp.assertEqual(itemKeyEnd, k.typ)\n\n\t\t/// The current key is the last part.\n\t\tp.currentKey = key[len(key)-1]\n\n\t\t/// All the other parts (if any) are the context; need to set each part\n\t\t/// as implicit.\n\t\tcontext := key[:len(key)-1]\n\t\tfor i := range context {\n\t\t\tp.addImplicitContext(append(p.context, context[i:i+1]...))\n\t\t}\n\n\t\t/// Set the value.\n\t\tval, typ := p.value(p.next(), false)\n\t\tp.set(p.currentKey, val, typ, it.pos)\n\t\tp.ordered = append(p.ordered, p.context.add(p.currentKey))\n\t\thash[p.currentKey] = val\n\n\t\t/// Restore context.\n\t\tp.context = prevContext\n\t}\n\tp.context = outerContext\n\tp.currentKey = outerKey\n\treturn hash, tomlHash\n}\n\n// numHasLeadingZero checks if this number has leading zeroes, allowing for '0',\n// +/- signs, and base prefixes.\nfunc numHasLeadingZero(s string) bool {\n\tif len(s) > 1 && s[0] == '0' && !(s[1] == 'b' || s[1] == 'o' || s[1] == 'x') { // Allow 0b, 0o, 0x\n\t\treturn true\n\t}\n\tif len(s) > 2 && (s[0] == '-' || s[0] == '+') && s[1] == '0' {\n\t\treturn true\n\t}\n\treturn false\n}\n\n// numUnderscoresOK checks whether each underscore in s is surrounded by\n// characters that are not underscores.\nfunc numUnderscoresOK(s string) bool {\n\tswitch s {\n\tcase \"nan\", \"+nan\", \"-nan\", \"inf\", \"-inf\", \"+inf\":\n\t\treturn true\n\t}\n\taccept := false\n\tfor _, r := range s {\n\t\tif r == '_' {\n\t\t\tif !accept {\n\t\t\t\treturn false\n\t\t\t}\n\t\t}\n\n\t\t// isHexadecimal is a superset of all the permissable characters\n\t\t// surrounding an underscore.\n\t\taccept = isHexadecimal(r)\n\t}\n\treturn accept\n}\n\n// numPeriodsOK checks whether every period in s is followed by a digit.\nfunc numPeriodsOK(s string) bool {\n\tperiod := false\n\tfor _, r := range s {\n\t\tif period && !isDigit(r) {\n\t\t\treturn false\n\t\t}\n\t\tperiod = r == '.'\n\t}\n\treturn !period\n}\n\n// Set the current context of the parser, where the context is either a hash or\n// an array of hashes, depending on the value of the `array` parameter.\n//\n// Establishing the context also makes sure that the key isn't a duplicate, and\n// will create implicit hashes automatically.\nfunc (p *parser) addContext(key Key, array bool) {\n\tvar ok bool\n\n\t// Always start at the top level and drill down for our context.\n\thashContext := p.mapping\n\tkeyContext := make(Key, 0)\n\n\t// We only need implicit hashes for key[0:-1]\n\tfor _, k := range key[0 : len(key)-1] {\n\t\t_, ok = hashContext[k]\n\t\tkeyContext = append(keyContext, k)\n\n\t\t// No key? Make an implicit hash and move on.\n\t\tif !ok {\n\t\t\tp.addImplicit(keyContext)\n\t\t\thashContext[k] = make(map[string]interface{})\n\t\t}\n\n\t\t// If the hash context is actually an array of tables, then set\n\t\t// the hash context to the last element in that array.\n\t\t//\n\t\t// Otherwise, it better be a table, since this MUST be a key group (by\n\t\t// virtue of it not being the last element in a key).\n\t\tswitch t := hashContext[k].(type) {\n\t\tcase []map[string]interface{}:\n\t\t\thashContext = t[len(t)-1]\n\t\tcase map[string]interface{}:\n\t\t\thashContext = t\n\t\tdefault:\n\t\t\tp.panicf(\"Key '%s' was already created as a hash.\", keyContext)\n\t\t}\n\t}\n\n\tp.context = keyContext\n\tif array {\n\t\t// If this is the first element for this array, then allocate a new\n\t\t// list of tables for it.\n\t\tk := key[len(key)-1]\n\t\tif _, ok := hashContext[k]; !ok {\n\t\t\thashContext[k] = make([]map[string]interface{}, 0, 4)\n\t\t}\n\n\t\t// Add a new table. But make sure the key hasn't already been used\n\t\t// for something else.\n\t\tif hash, ok := hashContext[k].([]map[string]interface{}); ok {\n\t\t\thashContext[k] = append(hash, make(map[string]interface{}))\n\t\t} else {\n\t\t\tp.panicf(\"Key '%s' was already created and cannot be used as an array.\", key)\n\t\t}\n\t} else {\n\t\tp.setValue(key[len(key)-1], make(map[string]interface{}))\n\t}\n\tp.context = append(p.context, key[len(key)-1])\n}\n\n// set calls setValue and setType.\nfunc (p *parser) set(key string, val interface{}, typ tomlType, pos Position) {\n\tp.setValue(key, val)\n\tp.setType(key, typ, pos)\n\n}\n\n// setValue sets the given key to the given value in the current context.\n// It will make sure that the key hasn't already been defined, account for\n// implicit key groups.\nfunc (p *parser) setValue(key string, value interface{}) {\n\tvar (\n\t\ttmpHash interface{}\n\t\tok bool\n\t\thash = p.mapping\n\t\tkeyContext Key\n\t)\n\tfor _, k := range p.context {\n\t\tkeyContext = append(keyContext, k)\n\t\tif tmpHash, ok = hash[k]; !ok {\n\t\t\tp.bug(\"Context for key '%s' has not been established.\", keyContext)\n\t\t}\n\t\tswitch t := tmpHash.(type) {\n\t\tcase []map[string]interface{}:\n\t\t\t// The context is a table of hashes. Pick the most recent table\n\t\t\t// defined as the current hash.\n\t\t\thash = t[len(t)-1]\n\t\tcase map[string]interface{}:\n\t\t\thash = t\n\t\tdefault:\n\t\t\tp.panicf(\"Key '%s' has already been defined.\", keyContext)\n\t\t}\n\t}\n\tkeyContext = append(keyContext, key)\n\n\tif _, ok := hash[key]; ok {\n\t\t// Normally redefining keys isn't allowed, but the key could have been\n\t\t// defined implicitly and it's allowed to be redefined concretely. (See\n\t\t// the `valid/implicit-and-explicit-after.toml` in toml-test)\n\t\t//\n\t\t// But we have to make sure to stop marking it as an implicit. (So that\n\t\t// another redefinition provokes an error.)\n\t\t//\n\t\t// Note that since it has already been defined (as a hash), we don't\n\t\t// want to overwrite it. So our business is done.\n\t\tif p.isArray(keyContext) {\n\t\t\tp.removeImplicit(keyContext)\n\t\t\thash[key] = value\n\t\t\treturn\n\t\t}\n\t\tif p.isImplicit(keyContext) {\n\t\t\tp.removeImplicit(keyContext)\n\t\t\treturn\n\t\t}\n\n\t\t// Otherwise, we have a concrete key trying to override a previous\n\t\t// key, which is *always* wrong.\n\t\tp.panicf(\"Key '%s' has already been defined.\", keyContext)\n\t}\n\n\thash[key] = value\n}\n\n// setType sets the type of a particular value at a given key. It should be\n// called immediately AFTER setValue.\n//\n// Note that if `key` is empty, then the type given will be applied to the\n// current context (which is either a table or an array of tables).\nfunc (p *parser) setType(key string, typ tomlType, pos Position) {\n\tkeyContext := make(Key, 0, len(p.context)+1)\n\tkeyContext = append(keyContext, p.context...)\n\tif len(key) > 0 { // allow type setting for hashes\n\t\tkeyContext = append(keyContext, key)\n\t}\n\t// Special case to make empty keys (\"\" = 1) work.\n\t// Without it it will set \"\" rather than `\"\"`.\n\t// TODO: why is this needed? And why is this only needed here?\n\tif len(keyContext) == 0 {\n\t\tkeyContext = Key{\"\"}\n\t}\n\tp.keyInfo[keyContext.String()] = keyInfo{tomlType: typ, pos: pos}\n}\n\n// Implicit keys need to be created when tables are implied in \"a.b.c.d = 1\" and\n// \"[a.b.c]\" (the \"a\", \"b\", and \"c\" hashes are never created explicitly).\nfunc (p *parser) addImplicit(key Key) { p.implicits[key.String()] = struct{}{} }\nfunc (p *parser) removeImplicit(key Key) { delete(p.implicits, key.String()) }\nfunc (p *parser) isImplicit(key Key) bool { _, ok := p.implicits[key.String()]; return ok }\nfunc (p *parser) isArray(key Key) bool { return p.keyInfo[key.String()].tomlType == tomlArray }\nfunc (p *parser) addImplicitContext(key Key) {\n\tp.addImplicit(key)\n\tp.addContext(key, false)\n}\n\n// current returns the full key name of the current context.\nfunc (p *parser) current() string {\n\tif len(p.currentKey) == 0 {\n\t\treturn p.context.String()\n\t}\n\tif len(p.context) == 0 {\n\t\treturn p.currentKey\n\t}\n\treturn fmt.Sprintf(\"%s.%s\", p.context, p.currentKey)\n}\n\nfunc stripFirstNewline(s string) string {\n\tif len(s) > 0 && s[0] == '\\n' {\n\t\treturn s[1:]\n\t}\n\tif len(s) > 1 && s[0] == '\\r' && s[1] == '\\n' {\n\t\treturn s[2:]\n\t}\n\treturn s\n}\n\n// Remove newlines inside triple-quoted strings if a line ends with \"\\\".\nfunc (p *parser) stripEscapedNewlines(s string) string {\n\tsplit := strings.Split(s, \"\\n\")\n\tif len(split) < 1 {\n\t\treturn s\n\t}\n\n\tescNL := false // Keep track of the last non-blank line was escaped.\n\tfor i, line := range split {\n\t\tline = strings.TrimRight(line, \" \\t\\r\")\n\n\t\tif len(line) == 0 || line[len(line)-1] != '\\\\' {\n\t\t\tsplit[i] = strings.TrimRight(split[i], \"\\r\")\n\t\t\tif !escNL && i != len(split)-1 {\n\t\t\t\tsplit[i] += \"\\n\"\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\n\t\tescBS := true\n\t\tfor j := len(line) - 1; j >= 0 && line[j] == '\\\\'; j-- {\n\t\t\tescBS = !escBS\n\t\t}\n\t\tif escNL {\n\t\t\tline = strings.TrimLeft(line, \" \\t\\r\")\n\t\t}\n\t\tescNL = !escBS\n\n\t\tif escBS {\n\t\t\tsplit[i] += \"\\n\"\n\t\t\tcontinue\n\t\t}\n\n\t\tif i == len(split)-1 {\n\t\t\tp.panicf(\"invalid escape: '\\\\ '\")\n\t\t}\n\n\t\tsplit[i] = line[:len(line)-1] // Remove \\\n\t\tif len(split)-1 > i {\n\t\t\tsplit[i+1] = strings.TrimLeft(split[i+1], \" \\t\\r\")\n\t\t}\n\t}\n\treturn strings.Join(split, \"\")\n}\n\nfunc (p *parser) replaceEscapes(it item, str string) string {\n\treplaced := make([]rune, 0, len(str))\n\ts := []byte(str)\n\tr := 0\n\tfor r < len(s) {\n\t\tif s[r] != '\\\\' {\n\t\t\tc, size := utf8.DecodeRune(s[r:])\n\t\t\tr += size\n\t\t\treplaced = append(replaced, c)\n\t\t\tcontinue\n\t\t}\n\t\tr += 1\n\t\tif r >= len(s) {\n\t\t\tp.bug(\"Escape sequence at end of string.\")\n\t\t\treturn \"\"\n\t\t}\n\t\tswitch s[r] {\n\t\tdefault:\n\t\t\tp.bug(\"Expected valid escape code after \\\\, but got %q.\", s[r])\n\t\tcase ' ', '\\t':\n\t\t\tp.panicItemf(it, \"invalid escape: '\\\\%c'\", s[r])\n\t\tcase 'b':\n\t\t\treplaced = append(replaced, rune(0x0008))\n\t\t\tr += 1\n\t\tcase 't':\n\t\t\treplaced = append(replaced, rune(0x0009))\n\t\t\tr += 1\n\t\tcase 'n':\n\t\t\treplaced = append(replaced, rune(0x000A))\n\t\t\tr += 1\n\t\tcase 'f':\n\t\t\treplaced = append(replaced, rune(0x000C))\n\t\t\tr += 1\n\t\tcase 'r':\n\t\t\treplaced = append(replaced, rune(0x000D))\n\t\t\tr += 1\n\t\tcase '\"':\n\t\t\treplaced = append(replaced, rune(0x0022))\n\t\t\tr += 1\n\t\tcase '\\\\':\n\t\t\treplaced = append(replaced, rune(0x005C))\n\t\t\tr += 1\n\t\tcase 'u':\n\t\t\t// At this point, we know we have a Unicode escape of the form\n\t\t\t// `uXXXX` at [r, r+5). (Because the lexer guarantees this\n\t\t\t// for us.)\n\t\t\tescaped := p.asciiEscapeToUnicode(it, s[r+1:r+5])\n\t\t\treplaced = append(replaced, escaped)\n\t\t\tr += 5\n\t\tcase 'U':\n\t\t\t// At this point, we know we have a Unicode escape of the form\n\t\t\t// `uXXXX` at [r, r+9). (Because the lexer guarantees this\n\t\t\t// for us.)\n\t\t\tescaped := p.asciiEscapeToUnicode(it, s[r+1:r+9])\n\t\t\treplaced = append(replaced, escaped)\n\t\t\tr += 9\n\t\t}\n\t}\n\treturn string(replaced)\n}\n\nfunc (p *parser) asciiEscapeToUnicode(it item, bs []byte) rune {\n\ts := string(bs)\n\thex, err := strconv.ParseUint(strings.ToLower(s), 16, 32)\n\tif err != nil {\n\t\tp.bug(\"Could not parse '%s' as a hexadecimal number, but the lexer claims it's OK: %s\", s, err)\n\t}\n\tif !utf8.ValidRune(rune(hex)) {\n\t\tp.panicItemf(it, \"Escaped character '\\\\u%s' is not valid UTF-8.\", s)\n\t}\n\treturn rune(hex)\n}\n" }, { "path": "vendor/github.com/BurntSushi/toml/type_fields.go", "content": "package toml\n\n// Struct field handling is adapted from code in encoding/json:\n//\n// Copyright 2010 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the Go distribution.\n\nimport (\n\t\"reflect\"\n\t\"sort\"\n\t\"sync\"\n)\n\n// A field represents a single field found in a struct.\ntype field struct {\n\tname string // the name of the field (`toml` tag included)\n\ttag bool // whether field has a `toml` tag\n\tindex []int // represents the depth of an anonymous field\n\ttyp reflect.Type // the type of the field\n}\n\n// byName sorts field by name, breaking ties with depth,\n// then breaking ties with \"name came from toml tag\", then\n// breaking ties with index sequence.\ntype byName []field\n\nfunc (x byName) Len() int { return len(x) }\n\nfunc (x byName) Swap(i, j int) { x[i], x[j] = x[j], x[i] }\n\nfunc (x byName) Less(i, j int) bool {\n\tif x[i].name != x[j].name {\n\t\treturn x[i].name < x[j].name\n\t}\n\tif len(x[i].index) != len(x[j].index) {\n\t\treturn len(x[i].index) < len(x[j].index)\n\t}\n\tif x[i].tag != x[j].tag {\n\t\treturn x[i].tag\n\t}\n\treturn byIndex(x).Less(i, j)\n}\n\n// byIndex sorts field by index sequence.\ntype byIndex []field\n\nfunc (x byIndex) Len() int { return len(x) }\n\nfunc (x byIndex) Swap(i, j int) { x[i], x[j] = x[j], x[i] }\n\nfunc (x byIndex) Less(i, j int) bool {\n\tfor k, xik := range x[i].index {\n\t\tif k >= len(x[j].index) {\n\t\t\treturn false\n\t\t}\n\t\tif xik != x[j].index[k] {\n\t\t\treturn xik < x[j].index[k]\n\t\t}\n\t}\n\treturn len(x[i].index) < len(x[j].index)\n}\n\n// typeFields returns a list of fields that TOML should recognize for the given\n// type. The algorithm is breadth-first search over the set of structs to\n// include - the top struct and then any reachable anonymous structs.\nfunc typeFields(t reflect.Type) []field {\n\t// Anonymous fields to explore at the current level and the next.\n\tcurrent := []field{}\n\tnext := []field{{typ: t}}\n\n\t// Count of queued names for current level and the next.\n\tvar count map[reflect.Type]int\n\tvar nextCount map[reflect.Type]int\n\n\t// Types already visited at an earlier level.\n\tvisited := map[reflect.Type]bool{}\n\n\t// Fields found.\n\tvar fields []field\n\n\tfor len(next) > 0 {\n\t\tcurrent, next = next, current[:0]\n\t\tcount, nextCount = nextCount, map[reflect.Type]int{}\n\n\t\tfor _, f := range current {\n\t\t\tif visited[f.typ] {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tvisited[f.typ] = true\n\n\t\t\t// Scan f.typ for fields to include.\n\t\t\tfor i := 0; i < f.typ.NumField(); i++ {\n\t\t\t\tsf := f.typ.Field(i)\n\t\t\t\tif sf.PkgPath != \"\" && !sf.Anonymous { // unexported\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\topts := getOptions(sf.Tag)\n\t\t\t\tif opts.skip {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tindex := make([]int, len(f.index)+1)\n\t\t\t\tcopy(index, f.index)\n\t\t\t\tindex[len(f.index)] = i\n\n\t\t\t\tft := sf.Type\n\t\t\t\tif ft.Name() == \"\" && ft.Kind() == reflect.Ptr {\n\t\t\t\t\t// Follow pointer.\n\t\t\t\t\tft = ft.Elem()\n\t\t\t\t}\n\n\t\t\t\t// Record found field and index sequence.\n\t\t\t\tif opts.name != \"\" || !sf.Anonymous || ft.Kind() != reflect.Struct {\n\t\t\t\t\ttagged := opts.name != \"\"\n\t\t\t\t\tname := opts.name\n\t\t\t\t\tif name == \"\" {\n\t\t\t\t\t\tname = sf.Name\n\t\t\t\t\t}\n\t\t\t\t\tfields = append(fields, field{name, tagged, index, ft})\n\t\t\t\t\tif count[f.typ] > 1 {\n\t\t\t\t\t\t// If there were multiple instances, add a second,\n\t\t\t\t\t\t// so that the annihilation code will see a duplicate.\n\t\t\t\t\t\t// It only cares about the distinction between 1 or 2,\n\t\t\t\t\t\t// so don't bother generating any more copies.\n\t\t\t\t\t\tfields = append(fields, fields[len(fields)-1])\n\t\t\t\t\t}\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\n\t\t\t\t// Record new anonymous struct to explore in next round.\n\t\t\t\tnextCount[ft]++\n\t\t\t\tif nextCount[ft] == 1 {\n\t\t\t\t\tf := field{name: ft.Name(), index: index, typ: ft}\n\t\t\t\t\tnext = append(next, f)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tsort.Sort(byName(fields))\n\n\t// Delete all fields that are hidden by the Go rules for embedded fields,\n\t// except that fields with TOML tags are promoted.\n\n\t// The fields are sorted in primary order of name, secondary order\n\t// of field index length. Loop over names; for each name, delete\n\t// hidden fields by choosing the one dominant field that survives.\n\tout := fields[:0]\n\tfor advance, i := 0, 0; i < len(fields); i += advance {\n\t\t// One iteration per name.\n\t\t// Find the sequence of fields with the name of this first field.\n\t\tfi := fields[i]\n\t\tname := fi.name\n\t\tfor advance = 1; i+advance < len(fields); advance++ {\n\t\t\tfj := fields[i+advance]\n\t\t\tif fj.name != name {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif advance == 1 { // Only one field with this name\n\t\t\tout = append(out, fi)\n\t\t\tcontinue\n\t\t}\n\t\tdominant, ok := dominantField(fields[i : i+advance])\n\t\tif ok {\n\t\t\tout = append(out, dominant)\n\t\t}\n\t}\n\n\tfields = out\n\tsort.Sort(byIndex(fields))\n\n\treturn fields\n}\n\n// dominantField looks through the fields, all of which are known to\n// have the same name, to find the single field that dominates the\n// others using Go's embedding rules, modified by the presence of\n// TOML tags. If there are multiple top-level fields, the boolean\n// will be false: This condition is an error in Go and we skip all\n// the fields.\nfunc dominantField(fields []field) (field, bool) {\n\t// The fields are sorted in increasing index-length order. The winner\n\t// must therefore be one with the shortest index length. Drop all\n\t// longer entries, which is easy: just truncate the slice.\n\tlength := len(fields[0].index)\n\ttagged := -1 // Index of first tagged field.\n\tfor i, f := range fields {\n\t\tif len(f.index) > length {\n\t\t\tfields = fields[:i]\n\t\t\tbreak\n\t\t}\n\t\tif f.tag {\n\t\t\tif tagged >= 0 {\n\t\t\t\t// Multiple tagged fields at the same level: conflict.\n\t\t\t\t// Return no field.\n\t\t\t\treturn field{}, false\n\t\t\t}\n\t\t\ttagged = i\n\t\t}\n\t}\n\tif tagged >= 0 {\n\t\treturn fields[tagged], true\n\t}\n\t// All remaining fields have the same length. If there's more than one,\n\t// we have a conflict (two fields named \"X\" at the same level) and we\n\t// return no field.\n\tif len(fields) > 1 {\n\t\treturn field{}, false\n\t}\n\treturn fields[0], true\n}\n\nvar fieldCache struct {\n\tsync.RWMutex\n\tm map[reflect.Type][]field\n}\n\n// cachedTypeFields is like typeFields but uses a cache to avoid repeated work.\nfunc cachedTypeFields(t reflect.Type) []field {\n\tfieldCache.RLock()\n\tf := fieldCache.m[t]\n\tfieldCache.RUnlock()\n\tif f != nil {\n\t\treturn f\n\t}\n\n\t// Compute fields without lock.\n\t// Might duplicate effort but won't hold other computations back.\n\tf = typeFields(t)\n\tif f == nil {\n\t\tf = []field{}\n\t}\n\n\tfieldCache.Lock()\n\tif fieldCache.m == nil {\n\t\tfieldCache.m = map[reflect.Type][]field{}\n\t}\n\tfieldCache.m[t] = f\n\tfieldCache.Unlock()\n\treturn f\n}\n" }, { "path": "vendor/github.com/BurntSushi/toml/type_toml.go", "content": "package toml\n\n// tomlType represents any Go type that corresponds to a TOML type.\n// While the first draft of the TOML spec has a simplistic type system that\n// probably doesn't need this level of sophistication, we seem to be militating\n// toward adding real composite types.\ntype tomlType interface {\n\ttypeString() string\n}\n\n// typeEqual accepts any two types and returns true if they are equal.\nfunc typeEqual(t1, t2 tomlType) bool {\n\tif t1 == nil || t2 == nil {\n\t\treturn false\n\t}\n\treturn t1.typeString() == t2.typeString()\n}\n\nfunc typeIsTable(t tomlType) bool {\n\treturn typeEqual(t, tomlHash) || typeEqual(t, tomlArrayHash)\n}\n\ntype tomlBaseType string\n\nfunc (btype tomlBaseType) typeString() string {\n\treturn string(btype)\n}\n\nfunc (btype tomlBaseType) String() string {\n\treturn btype.typeString()\n}\n\nvar (\n\ttomlInteger tomlBaseType = \"Integer\"\n\ttomlFloat tomlBaseType = \"Float\"\n\ttomlDatetime tomlBaseType = \"Datetime\"\n\ttomlString tomlBaseType = \"String\"\n\ttomlBool tomlBaseType = \"Bool\"\n\ttomlArray tomlBaseType = \"Array\"\n\ttomlHash tomlBaseType = \"Hash\"\n\ttomlArrayHash tomlBaseType = \"ArrayHash\"\n)\n\n// typeOfPrimitive returns a tomlType of any primitive value in TOML.\n// Primitive values are: Integer, Float, Datetime, String and Bool.\n//\n// Passing a lexer item other than the following will cause a BUG message\n// to occur: itemString, itemBool, itemInteger, itemFloat, itemDatetime.\nfunc (p *parser) typeOfPrimitive(lexItem item) tomlType {\n\tswitch lexItem.typ {\n\tcase itemInteger:\n\t\treturn tomlInteger\n\tcase itemFloat:\n\t\treturn tomlFloat\n\tcase itemDatetime:\n\t\treturn tomlDatetime\n\tcase itemString:\n\t\treturn tomlString\n\tcase itemMultilineString:\n\t\treturn tomlString\n\tcase itemRawString:\n\t\treturn tomlString\n\tcase itemRawMultilineString:\n\t\treturn tomlString\n\tcase itemBool:\n\t\treturn tomlBool\n\t}\n\tp.bug(\"Cannot infer primitive type of lex item '%s'.\", lexItem)\n\tpanic(\"unreachable\")\n}\n" }, { "path": "vendor/github.com/beorn7/perks/LICENSE", "content": "Copyright (C) 2013 Blake Mizerany\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\nLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\nOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\nWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n" }, { "path": "vendor/github.com/beorn7/perks/quantile/exampledata.txt", "content": "8\n5\n26\n12\n5\n235\n13\n6\n28\n30\n3\n3\n3\n3\n5\n2\n33\n7\n2\n4\n7\n12\n14\n5\n8\n3\n10\n4\n5\n3\n6\n6\n209\n20\n3\n10\n14\n3\n4\n6\n8\n5\n11\n7\n3\n2\n3\n3\n212\n5\n222\n4\n10\n10\n5\n6\n3\n8\n3\n10\n254\n220\n2\n3\n5\n24\n5\n4\n222\n7\n3\n3\n223\n8\n15\n12\n14\n14\n3\n2\n2\n3\n13\n3\n11\n4\n4\n6\n5\n7\n13\n5\n3\n5\n2\n5\n3\n5\n2\n7\n15\n17\n14\n3\n6\n6\n3\n17\n5\n4\n7\n6\n4\n4\n8\n6\n8\n3\n9\n3\n6\n3\n4\n5\n3\n3\n660\n4\n6\n10\n3\n6\n3\n2\n5\n13\n2\n4\n4\n10\n4\n8\n4\n3\n7\n9\n9\n3\n10\n37\n3\n13\n4\n12\n3\n6\n10\n8\n5\n21\n2\n3\n8\n3\n2\n3\n3\n4\n12\n2\n4\n8\n8\n4\n3\n2\n20\n1\n6\n32\n2\n11\n6\n18\n3\n8\n11\n3\n212\n3\n4\n2\n6\n7\n12\n11\n3\n2\n16\n10\n6\n4\n6\n3\n2\n7\n3\n2\n2\n2\n2\n5\n6\n4\n3\n10\n3\n4\n6\n5\n3\n4\n4\n5\n6\n4\n3\n4\n4\n5\n7\n5\n5\n3\n2\n7\n2\n4\n12\n4\n5\n6\n2\n4\n4\n8\n4\n15\n13\n7\n16\n5\n3\n23\n5\n5\n7\n3\n2\n9\n8\n7\n5\n8\n11\n4\n10\n76\n4\n47\n4\n3\n2\n7\n4\n2\n3\n37\n10\n4\n2\n20\n5\n4\n4\n10\n10\n4\n3\n7\n23\n240\n7\n13\n5\n5\n3\n3\n2\n5\n4\n2\n8\n7\n19\n2\n23\n8\n7\n2\n5\n3\n8\n3\n8\n13\n5\n5\n5\n2\n3\n23\n4\n9\n8\n4\n3\n3\n5\n220\n2\n3\n4\n6\n14\n3\n53\n6\n2\n5\n18\n6\n3\n219\n6\n5\n2\n5\n3\n6\n5\n15\n4\n3\n17\n3\n2\n4\n7\n2\n3\n3\n4\n4\n3\n2\n664\n6\n3\n23\n5\n5\n16\n5\n8\n2\n4\n2\n24\n12\n3\n2\n3\n5\n8\n3\n5\n4\n3\n14\n3\n5\n8\n2\n3\n7\n9\n4\n2\n3\n6\n8\n4\n3\n4\n6\n5\n3\n3\n6\n3\n19\n4\n4\n6\n3\n6\n3\n5\n22\n5\n4\n4\n3\n8\n11\n4\n9\n7\n6\n13\n4\n4\n4\n6\n17\n9\n3\n3\n3\n4\n3\n221\n5\n11\n3\n4\n2\n12\n6\n3\n5\n7\n5\n7\n4\n9\n7\n14\n37\n19\n217\n16\n3\n5\n2\n2\n7\n19\n7\n6\n7\n4\n24\n5\n11\n4\n7\n7\n9\n13\n3\n4\n3\n6\n28\n4\n4\n5\n5\n2\n5\n6\n4\n4\n6\n10\n5\n4\n3\n2\n3\n3\n6\n5\n5\n4\n3\n2\n3\n7\n4\n6\n18\n16\n8\n16\n4\n5\n8\n6\n9\n13\n1545\n6\n215\n6\n5\n6\n3\n45\n31\n5\n2\n2\n4\n3\n3\n2\n5\n4\n3\n5\n7\n7\n4\n5\n8\n5\n4\n749\n2\n31\n9\n11\n2\n11\n5\n4\n4\n7\n9\n11\n4\n5\n4\n7\n3\n4\n6\n2\n15\n3\n4\n3\n4\n3\n5\n2\n13\n5\n5\n3\n3\n23\n4\n4\n5\n7\n4\n13\n2\n4\n3\n4\n2\n6\n2\n7\n3\n5\n5\n3\n29\n5\n4\n4\n3\n10\n2\n3\n79\n16\n6\n6\n7\n7\n3\n5\n5\n7\n4\n3\n7\n9\n5\n6\n5\n9\n6\n3\n6\n4\n17\n2\n10\n9\n3\n6\n2\n3\n21\n22\n5\n11\n4\n2\n17\n2\n224\n2\n14\n3\n4\n4\n2\n4\n4\n4\n4\n5\n3\n4\n4\n10\n2\n6\n3\n3\n5\n7\n2\n7\n5\n6\n3\n218\n2\n2\n5\n2\n6\n3\n5\n222\n14\n6\n33\n3\n2\n5\n3\n3\n3\n9\n5\n3\n3\n2\n7\n4\n3\n4\n3\n5\n6\n5\n26\n4\n13\n9\n7\n3\n221\n3\n3\n4\n4\n4\n4\n2\n18\n5\n3\n7\n9\n6\n8\n3\n10\n3\n11\n9\n5\n4\n17\n5\n5\n6\n6\n3\n2\n4\n12\n17\n6\n7\n218\n4\n2\n4\n10\n3\n5\n15\n3\n9\n4\n3\n3\n6\n29\n3\n3\n4\n5\n5\n3\n8\n5\n6\n6\n7\n5\n3\n5\n3\n29\n2\n31\n5\n15\n24\n16\n5\n207\n4\n3\n3\n2\n15\n4\n4\n13\n5\n5\n4\n6\n10\n2\n7\n8\n4\n6\n20\n5\n3\n4\n3\n12\n12\n5\n17\n7\n3\n3\n3\n6\n10\n3\n5\n25\n80\n4\n9\n3\n2\n11\n3\n3\n2\n3\n8\n7\n5\n5\n19\n5\n3\n3\n12\n11\n2\n6\n5\n5\n5\n3\n3\n3\n4\n209\n14\n3\n2\n5\n19\n4\n4\n3\n4\n14\n5\n6\n4\n13\n9\n7\n4\n7\n10\n2\n9\n5\n7\n2\n8\n4\n6\n5\n5\n222\n8\n7\n12\n5\n216\n3\n4\n4\n6\n3\n14\n8\n7\n13\n4\n3\n3\n3\n3\n17\n5\n4\n3\n33\n6\n6\n33\n7\n5\n3\n8\n7\n5\n2\n9\n4\n2\n233\n24\n7\n4\n8\n10\n3\n4\n15\n2\n16\n3\n3\n13\n12\n7\n5\n4\n207\n4\n2\n4\n27\n15\n2\n5\n2\n25\n6\n5\n5\n6\n13\n6\n18\n6\n4\n12\n225\n10\n7\n5\n2\n2\n11\n4\n14\n21\n8\n10\n3\n5\n4\n232\n2\n5\n5\n3\n7\n17\n11\n6\n6\n23\n4\n6\n3\n5\n4\n2\n17\n3\n6\n5\n8\n3\n2\n2\n14\n9\n4\n4\n2\n5\n5\n3\n7\n6\n12\n6\n10\n3\n6\n2\n2\n19\n5\n4\n4\n9\n2\n4\n13\n3\n5\n6\n3\n6\n5\n4\n9\n6\n3\n5\n7\n3\n6\n6\n4\n3\n10\n6\n3\n221\n3\n5\n3\n6\n4\n8\n5\n3\n6\n4\n4\n2\n54\n5\n6\n11\n3\n3\n4\n4\n4\n3\n7\n3\n11\n11\n7\n10\n6\n13\n223\n213\n15\n231\n7\n3\n7\n228\n2\n3\n4\n4\n5\n6\n7\n4\n13\n3\n4\n5\n3\n6\n4\n6\n7\n2\n4\n3\n4\n3\n3\n6\n3\n7\n3\n5\n18\n5\n6\n8\n10\n3\n3\n3\n2\n4\n2\n4\n4\n5\n6\n6\n4\n10\n13\n3\n12\n5\n12\n16\n8\n4\n19\n11\n2\n4\n5\n6\n8\n5\n6\n4\n18\n10\n4\n2\n216\n6\n6\n6\n2\n4\n12\n8\n3\n11\n5\n6\n14\n5\n3\n13\n4\n5\n4\n5\n3\n28\n6\n3\n7\n219\n3\n9\n7\n3\n10\n6\n3\n4\n19\n5\n7\n11\n6\n15\n19\n4\n13\n11\n3\n7\n5\n10\n2\n8\n11\n2\n6\n4\n6\n24\n6\n3\n3\n3\n3\n6\n18\n4\n11\n4\n2\n5\n10\n8\n3\n9\n5\n3\n4\n5\n6\n2\n5\n7\n4\n4\n14\n6\n4\n4\n5\n5\n7\n2\n4\n3\n7\n3\n3\n6\n4\n5\n4\n4\n4\n3\n3\n3\n3\n8\n14\n2\n3\n5\n3\n2\n4\n5\n3\n7\n3\n3\n18\n3\n4\n4\n5\n7\n3\n3\n3\n13\n5\n4\n8\n211\n5\n5\n3\n5\n2\n5\n4\n2\n655\n6\n3\n5\n11\n2\n5\n3\n12\n9\n15\n11\n5\n12\n217\n2\n6\n17\n3\n3\n207\n5\n5\n4\n5\n9\n3\n2\n8\n5\n4\n3\n2\n5\n12\n4\n14\n5\n4\n2\n13\n5\n8\n4\n225\n4\n3\n4\n5\n4\n3\n3\n6\n23\n9\n2\n6\n7\n233\n4\n4\n6\n18\n3\n4\n6\n3\n4\n4\n2\n3\n7\n4\n13\n227\n4\n3\n5\n4\n2\n12\n9\n17\n3\n7\n14\n6\n4\n5\n21\n4\n8\n9\n2\n9\n25\n16\n3\n6\n4\n7\n8\n5\n2\n3\n5\n4\n3\n3\n5\n3\n3\n3\n2\n3\n19\n2\n4\n3\n4\n2\n3\n4\n4\n2\n4\n3\n3\n3\n2\n6\n3\n17\n5\n6\n4\n3\n13\n5\n3\n3\n3\n4\n9\n4\n2\n14\n12\n4\n5\n24\n4\n3\n37\n12\n11\n21\n3\n4\n3\n13\n4\n2\n3\n15\n4\n11\n4\n4\n3\n8\n3\n4\n4\n12\n8\n5\n3\n3\n4\n2\n220\n3\n5\n223\n3\n3\n3\n10\n3\n15\n4\n241\n9\n7\n3\n6\n6\n23\n4\n13\n7\n3\n4\n7\n4\n9\n3\n3\n4\n10\n5\n5\n1\n5\n24\n2\n4\n5\n5\n6\n14\n3\n8\n2\n3\n5\n13\n13\n3\n5\n2\n3\n15\n3\n4\n2\n10\n4\n4\n4\n5\n5\n3\n5\n3\n4\n7\n4\n27\n3\n6\n4\n15\n3\n5\n6\n6\n5\n4\n8\n3\n9\n2\n6\n3\n4\n3\n7\n4\n18\n3\n11\n3\n3\n8\n9\n7\n24\n3\n219\n7\n10\n4\n5\n9\n12\n2\n5\n4\n4\n4\n3\n3\n19\n5\n8\n16\n8\n6\n22\n3\n23\n3\n242\n9\n4\n3\n3\n5\n7\n3\n3\n5\n8\n3\n7\n5\n14\n8\n10\n3\n4\n3\n7\n4\n6\n7\n4\n10\n4\n3\n11\n3\n7\n10\n3\n13\n6\n8\n12\n10\n5\n7\n9\n3\n4\n7\n7\n10\n8\n30\n9\n19\n4\n3\n19\n15\n4\n13\n3\n215\n223\n4\n7\n4\n8\n17\n16\n3\n7\n6\n5\n5\n4\n12\n3\n7\n4\n4\n13\n4\n5\n2\n5\n6\n5\n6\n6\n7\n10\n18\n23\n9\n3\n3\n6\n5\n2\n4\n2\n7\n3\n3\n2\n5\n5\n14\n10\n224\n6\n3\n4\n3\n7\n5\n9\n3\n6\n4\n2\n5\n11\n4\n3\n3\n2\n8\n4\n7\n4\n10\n7\n3\n3\n18\n18\n17\n3\n3\n3\n4\n5\n3\n3\n4\n12\n7\n3\n11\n13\n5\n4\n7\n13\n5\n4\n11\n3\n12\n3\n6\n4\n4\n21\n4\n6\n9\n5\n3\n10\n8\n4\n6\n4\n4\n6\n5\n4\n8\n6\n4\n6\n4\n4\n5\n9\n6\n3\n4\n2\n9\n3\n18\n2\n4\n3\n13\n3\n6\n6\n8\n7\n9\n3\n2\n16\n3\n4\n6\n3\n2\n33\n22\n14\n4\n9\n12\n4\n5\n6\n3\n23\n9\n4\n3\n5\n5\n3\n4\n5\n3\n5\n3\n10\n4\n5\n5\n8\n4\n4\n6\n8\n5\n4\n3\n4\n6\n3\n3\n3\n5\n9\n12\n6\n5\n9\n3\n5\n3\n2\n2\n2\n18\n3\n2\n21\n2\n5\n4\n6\n4\n5\n10\n3\n9\n3\n2\n10\n7\n3\n6\n6\n4\n4\n8\n12\n7\n3\n7\n3\n3\n9\n3\n4\n5\n4\n4\n5\n5\n10\n15\n4\n4\n14\n6\n227\n3\n14\n5\n216\n22\n5\n4\n2\n2\n6\n3\n4\n2\n9\n9\n4\n3\n28\n13\n11\n4\n5\n3\n3\n2\n3\n3\n5\n3\n4\n3\n5\n23\n26\n3\n4\n5\n6\n4\n6\n3\n5\n5\n3\n4\n3\n2\n2\n2\n7\n14\n3\n6\n7\n17\n2\n2\n15\n14\n16\n4\n6\n7\n13\n6\n4\n5\n6\n16\n3\n3\n28\n3\n6\n15\n3\n9\n2\n4\n6\n3\n3\n22\n4\n12\n6\n7\n2\n5\n4\n10\n3\n16\n6\n9\n2\n5\n12\n7\n5\n5\n5\n5\n2\n11\n9\n17\n4\n3\n11\n7\n3\n5\n15\n4\n3\n4\n211\n8\n7\n5\n4\n7\n6\n7\n6\n3\n6\n5\n6\n5\n3\n4\n4\n26\n4\n6\n10\n4\n4\n3\n2\n3\n3\n4\n5\n9\n3\n9\n4\n4\n5\n5\n8\n2\n4\n2\n3\n8\n4\n11\n19\n5\n8\n6\n3\n5\n6\n12\n3\n2\n4\n16\n12\n3\n4\n4\n8\n6\n5\n6\n6\n219\n8\n222\n6\n16\n3\n13\n19\n5\n4\n3\n11\n6\n10\n4\n7\n7\n12\n5\n3\n3\n5\n6\n10\n3\n8\n2\n5\n4\n7\n2\n4\n4\n2\n12\n9\n6\n4\n2\n40\n2\n4\n10\n4\n223\n4\n2\n20\n6\n7\n24\n5\n4\n5\n2\n20\n16\n6\n5\n13\n2\n3\n3\n19\n3\n2\n4\n5\n6\n7\n11\n12\n5\n6\n7\n7\n3\n5\n3\n5\n3\n14\n3\n4\n4\n2\n11\n1\n7\n3\n9\n6\n11\n12\n5\n8\n6\n221\n4\n2\n12\n4\n3\n15\n4\n5\n226\n7\n218\n7\n5\n4\n5\n18\n4\n5\n9\n4\n4\n2\n9\n18\n18\n9\n5\n6\n6\n3\n3\n7\n3\n5\n4\n4\n4\n12\n3\n6\n31\n5\n4\n7\n3\n6\n5\n6\n5\n11\n2\n2\n11\n11\n6\n7\n5\n8\n7\n10\n5\n23\n7\n4\n3\n5\n34\n2\n5\n23\n7\n3\n6\n8\n4\n4\n4\n2\n5\n3\n8\n5\n4\n8\n25\n2\n3\n17\n8\n3\n4\n8\n7\n3\n15\n6\n5\n7\n21\n9\n5\n6\n6\n5\n3\n2\n3\n10\n3\n6\n3\n14\n7\n4\n4\n8\n7\n8\n2\n6\n12\n4\n213\n6\n5\n21\n8\n2\n5\n23\n3\n11\n2\n3\n6\n25\n2\n3\n6\n7\n6\n6\n4\n4\n6\n3\n17\n9\n7\n6\n4\n3\n10\n7\n2\n3\n3\n3\n11\n8\n3\n7\n6\n4\n14\n36\n3\n4\n3\n3\n22\n13\n21\n4\n2\n7\n4\n4\n17\n15\n3\n7\n11\n2\n4\n7\n6\n209\n6\n3\n2\n2\n24\n4\n9\n4\n3\n3\n3\n29\n2\n2\n4\n3\n3\n5\n4\n6\n3\n3\n2\n4\n" }, { "path": "vendor/github.com/beorn7/perks/quantile/stream.go", "content": "// Package quantile computes approximate quantiles over an unbounded data\n// stream within low memory and CPU bounds.\n//\n// A small amount of accuracy is traded to achieve the above properties.\n//\n// Multiple streams can be merged before calling Query to generate a single set\n// of results. This is meaningful when the streams represent the same type of\n// data. See Merge and Samples.\n//\n// For more detailed information about the algorithm used, see:\n//\n// Effective Computation of Biased Quantiles over Data Streams\n//\n// http://www.cs.rutgers.edu/~muthu/bquant.pdf\npackage quantile\n\nimport (\n\t\"math\"\n\t\"sort\"\n)\n\n// Sample holds an observed value and meta information for compression. JSON\n// tags have been added for convenience.\ntype Sample struct {\n\tValue float64 `json:\",string\"`\n\tWidth float64 `json:\",string\"`\n\tDelta float64 `json:\",string\"`\n}\n\n// Samples represents a slice of samples. It implements sort.Interface.\ntype Samples []Sample\n\nfunc (a Samples) Len() int { return len(a) }\nfunc (a Samples) Less(i, j int) bool { return a[i].Value < a[j].Value }\nfunc (a Samples) Swap(i, j int) { a[i], a[j] = a[j], a[i] }\n\ntype invariant func(s *stream, r float64) float64\n\n// NewLowBiased returns an initialized Stream for low-biased quantiles\n// (e.g. 0.01, 0.1, 0.5) where the needed quantiles are not known a priori, but\n// error guarantees can still be given even for the lower ranks of the data\n// distribution.\n//\n// The provided epsilon is a relative error, i.e. the true quantile of a value\n// returned by a query is guaranteed to be within (1±Epsilon)*Quantile.\n//\n// See http://www.cs.rutgers.edu/~muthu/bquant.pdf for time, space, and error\n// properties.\nfunc NewLowBiased(epsilon float64) *Stream {\n\tƒ := func(s *stream, r float64) float64 {\n\t\treturn 2 * epsilon * r\n\t}\n\treturn newStream(ƒ)\n}\n\n// NewHighBiased returns an initialized Stream for high-biased quantiles\n// (e.g. 0.01, 0.1, 0.5) where the needed quantiles are not known a priori, but\n// error guarantees can still be given even for the higher ranks of the data\n// distribution.\n//\n// The provided epsilon is a relative error, i.e. the true quantile of a value\n// returned by a query is guaranteed to be within 1-(1±Epsilon)*(1-Quantile).\n//\n// See http://www.cs.rutgers.edu/~muthu/bquant.pdf for time, space, and error\n// properties.\nfunc NewHighBiased(epsilon float64) *Stream {\n\tƒ := func(s *stream, r float64) float64 {\n\t\treturn 2 * epsilon * (s.n - r)\n\t}\n\treturn newStream(ƒ)\n}\n\n// NewTargeted returns an initialized Stream concerned with a particular set of\n// quantile values that are supplied a priori. Knowing these a priori reduces\n// space and computation time. The targets map maps the desired quantiles to\n// their absolute errors, i.e. the true quantile of a value returned by a query\n// is guaranteed to be within (Quantile±Epsilon).\n//\n// See http://www.cs.rutgers.edu/~muthu/bquant.pdf for time, space, and error properties.\nfunc NewTargeted(targetMap map[float64]float64) *Stream {\n\t// Convert map to slice to avoid slow iterations on a map.\n\t// ƒ is called on the hot path, so converting the map to a slice\n\t// beforehand results in significant CPU savings.\n\ttargets := targetMapToSlice(targetMap)\n\n\tƒ := func(s *stream, r float64) float64 {\n\t\tvar m = math.MaxFloat64\n\t\tvar f float64\n\t\tfor _, t := range targets {\n\t\t\tif t.quantile*s.n <= r {\n\t\t\t\tf = (2 * t.epsilon * r) / t.quantile\n\t\t\t} else {\n\t\t\t\tf = (2 * t.epsilon * (s.n - r)) / (1 - t.quantile)\n\t\t\t}\n\t\t\tif f < m {\n\t\t\t\tm = f\n\t\t\t}\n\t\t}\n\t\treturn m\n\t}\n\treturn newStream(ƒ)\n}\n\ntype target struct {\n\tquantile float64\n\tepsilon float64\n}\n\nfunc targetMapToSlice(targetMap map[float64]float64) []target {\n\ttargets := make([]target, 0, len(targetMap))\n\n\tfor quantile, epsilon := range targetMap {\n\t\tt := target{\n\t\t\tquantile: quantile,\n\t\t\tepsilon: epsilon,\n\t\t}\n\t\ttargets = append(targets, t)\n\t}\n\n\treturn targets\n}\n\n// Stream computes quantiles for a stream of float64s. It is not thread-safe by\n// design. Take care when using across multiple goroutines.\ntype Stream struct {\n\t*stream\n\tb Samples\n\tsorted bool\n}\n\nfunc newStream(ƒ invariant) *Stream {\n\tx := &stream{ƒ: ƒ}\n\treturn &Stream{x, make(Samples, 0, 500), true}\n}\n\n// Insert inserts v into the stream.\nfunc (s *Stream) Insert(v float64) {\n\ts.insert(Sample{Value: v, Width: 1})\n}\n\nfunc (s *Stream) insert(sample Sample) {\n\ts.b = append(s.b, sample)\n\ts.sorted = false\n\tif len(s.b) == cap(s.b) {\n\t\ts.flush()\n\t}\n}\n\n// Query returns the computed qth percentiles value. If s was created with\n// NewTargeted, and q is not in the set of quantiles provided a priori, Query\n// will return an unspecified result.\nfunc (s *Stream) Query(q float64) float64 {\n\tif !s.flushed() {\n\t\t// Fast path when there hasn't been enough data for a flush;\n\t\t// this also yields better accuracy for small sets of data.\n\t\tl := len(s.b)\n\t\tif l == 0 {\n\t\t\treturn 0\n\t\t}\n\t\ti := int(math.Ceil(float64(l) * q))\n\t\tif i > 0 {\n\t\t\ti -= 1\n\t\t}\n\t\ts.maybeSort()\n\t\treturn s.b[i].Value\n\t}\n\ts.flush()\n\treturn s.stream.query(q)\n}\n\n// Merge merges samples into the underlying streams samples. This is handy when\n// merging multiple streams from separate threads, database shards, etc.\n//\n// ATTENTION: This method is broken and does not yield correct results. The\n// underlying algorithm is not capable of merging streams correctly.\nfunc (s *Stream) Merge(samples Samples) {\n\tsort.Sort(samples)\n\ts.stream.merge(samples)\n}\n\n// Reset reinitializes and clears the list reusing the samples buffer memory.\nfunc (s *Stream) Reset() {\n\ts.stream.reset()\n\ts.b = s.b[:0]\n}\n\n// Samples returns stream samples held by s.\nfunc (s *Stream) Samples() Samples {\n\tif !s.flushed() {\n\t\treturn s.b\n\t}\n\ts.flush()\n\treturn s.stream.samples()\n}\n\n// Count returns the total number of samples observed in the stream\n// since initialization.\nfunc (s *Stream) Count() int {\n\treturn len(s.b) + s.stream.count()\n}\n\nfunc (s *Stream) flush() {\n\ts.maybeSort()\n\ts.stream.merge(s.b)\n\ts.b = s.b[:0]\n}\n\nfunc (s *Stream) maybeSort() {\n\tif !s.sorted {\n\t\ts.sorted = true\n\t\tsort.Sort(s.b)\n\t}\n}\n\nfunc (s *Stream) flushed() bool {\n\treturn len(s.stream.l) > 0\n}\n\ntype stream struct {\n\tn float64\n\tl []Sample\n\tƒ invariant\n}\n\nfunc (s *stream) reset() {\n\ts.l = s.l[:0]\n\ts.n = 0\n}\n\nfunc (s *stream) insert(v float64) {\n\ts.merge(Samples{{v, 1, 0}})\n}\n\nfunc (s *stream) merge(samples Samples) {\n\t// TODO(beorn7): This tries to merge not only individual samples, but\n\t// whole summaries. The paper doesn't mention merging summaries at\n\t// all. Unittests show that the merging is inaccurate. Find out how to\n\t// do merges properly.\n\tvar r float64\n\ti := 0\n\tfor _, sample := range samples {\n\t\tfor ; i < len(s.l); i++ {\n\t\t\tc := s.l[i]\n\t\t\tif c.Value > sample.Value {\n\t\t\t\t// Insert at position i.\n\t\t\t\ts.l = append(s.l, Sample{})\n\t\t\t\tcopy(s.l[i+1:], s.l[i:])\n\t\t\t\ts.l[i] = Sample{\n\t\t\t\t\tsample.Value,\n\t\t\t\t\tsample.Width,\n\t\t\t\t\tmath.Max(sample.Delta, math.Floor(s.ƒ(s, r))-1),\n\t\t\t\t\t// TODO(beorn7): How to calculate delta correctly?\n\t\t\t\t}\n\t\t\t\ti++\n\t\t\t\tgoto inserted\n\t\t\t}\n\t\t\tr += c.Width\n\t\t}\n\t\ts.l = append(s.l, Sample{sample.Value, sample.Width, 0})\n\t\ti++\n\tinserted:\n\t\ts.n += sample.Width\n\t\tr += sample.Width\n\t}\n\ts.compress()\n}\n\nfunc (s *stream) count() int {\n\treturn int(s.n)\n}\n\nfunc (s *stream) query(q float64) float64 {\n\tt := math.Ceil(q * s.n)\n\tt += math.Ceil(s.ƒ(s, t) / 2)\n\tp := s.l[0]\n\tvar r float64\n\tfor _, c := range s.l[1:] {\n\t\tr += p.Width\n\t\tif r+c.Width+c.Delta > t {\n\t\t\treturn p.Value\n\t\t}\n\t\tp = c\n\t}\n\treturn p.Value\n}\n\nfunc (s *stream) compress() {\n\tif len(s.l) < 2 {\n\t\treturn\n\t}\n\tx := s.l[len(s.l)-1]\n\txi := len(s.l) - 1\n\tr := s.n - 1 - x.Width\n\n\tfor i := len(s.l) - 2; i >= 0; i-- {\n\t\tc := s.l[i]\n\t\tif c.Width+x.Width+x.Delta <= s.ƒ(s, r) {\n\t\t\tx.Width += c.Width\n\t\t\ts.l[xi] = x\n\t\t\t// Remove element at i.\n\t\t\tcopy(s.l[i:], s.l[i+1:])\n\t\t\ts.l = s.l[:len(s.l)-1]\n\t\t\txi -= 1\n\t\t} else {\n\t\t\tx = c\n\t\t\txi = i\n\t\t}\n\t\tr -= c.Width\n\t}\n}\n\nfunc (s *stream) samples() Samples {\n\tsamples := make(Samples, len(s.l))\n\tcopy(samples, s.l)\n\treturn samples\n}\n" }, { "path": "vendor/github.com/cespare/xxhash/v2/LICENSE.txt", "content": "Copyright (c) 2016 Caleb Spare\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\nLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\nOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\nWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n" }, { "path": "vendor/github.com/cespare/xxhash/v2/README.md", "content": "# xxhash\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/cespare/xxhash/v2.svg)](https://pkg.go.dev/github.com/cespare/xxhash/v2)\n[![Test](https://github.com/cespare/xxhash/actions/workflows/test.yml/badge.svg)](https://github.com/cespare/xxhash/actions/workflows/test.yml)\n\nxxhash is a Go implementation of the 64-bit [xxHash] algorithm, XXH64. This is a\nhigh-quality hashing algorithm that is much faster than anything in the Go\nstandard library.\n\nThis package provides a straightforward API:\n\n```\nfunc Sum64(b []byte) uint64\nfunc Sum64String(s string) uint64\ntype Digest struct{ ... }\n func New() *Digest\n```\n\nThe `Digest` type implements hash.Hash64. Its key methods are:\n\n```\nfunc (*Digest) Write([]byte) (int, error)\nfunc (*Digest) WriteString(string) (int, error)\nfunc (*Digest) Sum64() uint64\n```\n\nThe package is written with optimized pure Go and also contains even faster\nassembly implementations for amd64 and arm64. If desired, the `purego` build tag\nopts into using the Go code even on those architectures.\n\n[xxHash]: http://cyan4973.github.io/xxHash/\n\n## Compatibility\n\nThis package is in a module and the latest code is in version 2 of the module.\nYou need a version of Go with at least \"minimal module compatibility\" to use\ngithub.com/cespare/xxhash/v2:\n\n* 1.9.7+ for Go 1.9\n* 1.10.3+ for Go 1.10\n* Go 1.11 or later\n\nI recommend using the latest release of Go.\n\n## Benchmarks\n\nHere are some quick benchmarks comparing the pure-Go and assembly\nimplementations of Sum64.\n\n| input size | purego | asm |\n| ---------- | --------- | --------- |\n| 4 B | 1.3 GB/s | 1.2 GB/s |\n| 16 B | 2.9 GB/s | 3.5 GB/s |\n| 100 B | 6.9 GB/s | 8.1 GB/s |\n| 4 KB | 11.7 GB/s | 16.7 GB/s |\n| 10 MB | 12.0 GB/s | 17.3 GB/s |\n\nThese numbers were generated on Ubuntu 20.04 with an Intel Xeon Platinum 8252C\nCPU using the following commands under Go 1.19.2:\n\n```\nbenchstat <(go test -tags purego -benchtime 500ms -count 15 -bench 'Sum64$')\nbenchstat <(go test -benchtime 500ms -count 15 -bench 'Sum64$')\n```\n\n## Projects using this package\n\n- [InfluxDB](https://github.com/influxdata/influxdb)\n- [Prometheus](https://github.com/prometheus/prometheus)\n- [VictoriaMetrics](https://github.com/VictoriaMetrics/VictoriaMetrics)\n- [FreeCache](https://github.com/coocood/freecache)\n- [FastCache](https://github.com/VictoriaMetrics/fastcache)\n- [Ristretto](https://github.com/dgraph-io/ristretto)\n- [Badger](https://github.com/dgraph-io/badger)\n" }, { "path": "vendor/github.com/cespare/xxhash/v2/testall.sh", "content": "#!/bin/bash\nset -eu -o pipefail\n\n# Small convenience script for running the tests with various combinations of\n# arch/tags. This assumes we're running on amd64 and have qemu available.\n\ngo test ./...\ngo test -tags purego ./...\nGOARCH=arm64 go test\nGOARCH=arm64 go test -tags purego\n" }, { "path": "vendor/github.com/cespare/xxhash/v2/xxhash.go", "content": "// Package xxhash implements the 64-bit variant of xxHash (XXH64) as described\n// at http://cyan4973.github.io/xxHash/.\npackage xxhash\n\nimport (\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"math/bits\"\n)\n\nconst (\n\tprime1 uint64 = 11400714785074694791\n\tprime2 uint64 = 14029467366897019727\n\tprime3 uint64 = 1609587929392839161\n\tprime4 uint64 = 9650029242287828579\n\tprime5 uint64 = 2870177450012600261\n)\n\n// Store the primes in an array as well.\n//\n// The consts are used when possible in Go code to avoid MOVs but we need a\n// contiguous array for the assembly code.\nvar primes = [...]uint64{prime1, prime2, prime3, prime4, prime5}\n\n// Digest implements hash.Hash64.\n//\n// Note that a zero-valued Digest is not ready to receive writes.\n// Call Reset or create a Digest using New before calling other methods.\ntype Digest struct {\n\tv1 uint64\n\tv2 uint64\n\tv3 uint64\n\tv4 uint64\n\ttotal uint64\n\tmem [32]byte\n\tn int // how much of mem is used\n}\n\n// New creates a new Digest with a zero seed.\nfunc New() *Digest {\n\treturn NewWithSeed(0)\n}\n\n// NewWithSeed creates a new Digest with the given seed.\nfunc NewWithSeed(seed uint64) *Digest {\n\tvar d Digest\n\td.ResetWithSeed(seed)\n\treturn &d\n}\n\n// Reset clears the Digest's state so that it can be reused.\n// It uses a seed value of zero.\nfunc (d *Digest) Reset() {\n\td.ResetWithSeed(0)\n}\n\n// ResetWithSeed clears the Digest's state so that it can be reused.\n// It uses the given seed to initialize the state.\nfunc (d *Digest) ResetWithSeed(seed uint64) {\n\td.v1 = seed + prime1 + prime2\n\td.v2 = seed + prime2\n\td.v3 = seed\n\td.v4 = seed - prime1\n\td.total = 0\n\td.n = 0\n}\n\n// Size always returns 8 bytes.\nfunc (d *Digest) Size() int { return 8 }\n\n// BlockSize always returns 32 bytes.\nfunc (d *Digest) BlockSize() int { return 32 }\n\n// Write adds more data to d. It always returns len(b), nil.\nfunc (d *Digest) Write(b []byte) (n int, err error) {\n\tn = len(b)\n\td.total += uint64(n)\n\n\tmemleft := d.mem[d.n&(len(d.mem)-1):]\n\n\tif d.n+n < 32 {\n\t\t// This new data doesn't even fill the current block.\n\t\tcopy(memleft, b)\n\t\td.n += n\n\t\treturn\n\t}\n\n\tif d.n > 0 {\n\t\t// Finish off the partial block.\n\t\tc := copy(memleft, b)\n\t\td.v1 = round(d.v1, u64(d.mem[0:8]))\n\t\td.v2 = round(d.v2, u64(d.mem[8:16]))\n\t\td.v3 = round(d.v3, u64(d.mem[16:24]))\n\t\td.v4 = round(d.v4, u64(d.mem[24:32]))\n\t\tb = b[c:]\n\t\td.n = 0\n\t}\n\n\tif len(b) >= 32 {\n\t\t// One or more full blocks left.\n\t\tnw := writeBlocks(d, b)\n\t\tb = b[nw:]\n\t}\n\n\t// Store any remaining partial block.\n\tcopy(d.mem[:], b)\n\td.n = len(b)\n\n\treturn\n}\n\n// Sum appends the current hash to b and returns the resulting slice.\nfunc (d *Digest) Sum(b []byte) []byte {\n\ts := d.Sum64()\n\treturn append(\n\t\tb,\n\t\tbyte(s>>56),\n\t\tbyte(s>>48),\n\t\tbyte(s>>40),\n\t\tbyte(s>>32),\n\t\tbyte(s>>24),\n\t\tbyte(s>>16),\n\t\tbyte(s>>8),\n\t\tbyte(s),\n\t)\n}\n\n// Sum64 returns the current hash.\nfunc (d *Digest) Sum64() uint64 {\n\tvar h uint64\n\n\tif d.total >= 32 {\n\t\tv1, v2, v3, v4 := d.v1, d.v2, d.v3, d.v4\n\t\th = rol1(v1) + rol7(v2) + rol12(v3) + rol18(v4)\n\t\th = mergeRound(h, v1)\n\t\th = mergeRound(h, v2)\n\t\th = mergeRound(h, v3)\n\t\th = mergeRound(h, v4)\n\t} else {\n\t\th = d.v3 + prime5\n\t}\n\n\th += d.total\n\n\tb := d.mem[:d.n&(len(d.mem)-1)]\n\tfor ; len(b) >= 8; b = b[8:] {\n\t\tk1 := round(0, u64(b[:8]))\n\t\th ^= k1\n\t\th = rol27(h)*prime1 + prime4\n\t}\n\tif len(b) >= 4 {\n\t\th ^= uint64(u32(b[:4])) * prime1\n\t\th = rol23(h)*prime2 + prime3\n\t\tb = b[4:]\n\t}\n\tfor ; len(b) > 0; b = b[1:] {\n\t\th ^= uint64(b[0]) * prime5\n\t\th = rol11(h) * prime1\n\t}\n\n\th ^= h >> 33\n\th *= prime2\n\th ^= h >> 29\n\th *= prime3\n\th ^= h >> 32\n\n\treturn h\n}\n\nconst (\n\tmagic = \"xxh\\x06\"\n\tmarshaledSize = len(magic) + 8*5 + 32\n)\n\n// MarshalBinary implements the encoding.BinaryMarshaler interface.\nfunc (d *Digest) MarshalBinary() ([]byte, error) {\n\tb := make([]byte, 0, marshaledSize)\n\tb = append(b, magic...)\n\tb = appendUint64(b, d.v1)\n\tb = appendUint64(b, d.v2)\n\tb = appendUint64(b, d.v3)\n\tb = appendUint64(b, d.v4)\n\tb = appendUint64(b, d.total)\n\tb = append(b, d.mem[:d.n]...)\n\tb = b[:len(b)+len(d.mem)-d.n]\n\treturn b, nil\n}\n\n// UnmarshalBinary implements the encoding.BinaryUnmarshaler interface.\nfunc (d *Digest) UnmarshalBinary(b []byte) error {\n\tif len(b) < len(magic) || string(b[:len(magic)]) != magic {\n\t\treturn errors.New(\"xxhash: invalid hash state identifier\")\n\t}\n\tif len(b) != marshaledSize {\n\t\treturn errors.New(\"xxhash: invalid hash state size\")\n\t}\n\tb = b[len(magic):]\n\tb, d.v1 = consumeUint64(b)\n\tb, d.v2 = consumeUint64(b)\n\tb, d.v3 = consumeUint64(b)\n\tb, d.v4 = consumeUint64(b)\n\tb, d.total = consumeUint64(b)\n\tcopy(d.mem[:], b)\n\td.n = int(d.total % uint64(len(d.mem)))\n\treturn nil\n}\n\nfunc appendUint64(b []byte, x uint64) []byte {\n\tvar a [8]byte\n\tbinary.LittleEndian.PutUint64(a[:], x)\n\treturn append(b, a[:]...)\n}\n\nfunc consumeUint64(b []byte) ([]byte, uint64) {\n\tx := u64(b)\n\treturn b[8:], x\n}\n\nfunc u64(b []byte) uint64 { return binary.LittleEndian.Uint64(b) }\nfunc u32(b []byte) uint32 { return binary.LittleEndian.Uint32(b) }\n\nfunc round(acc, input uint64) uint64 {\n\tacc += input * prime2\n\tacc = rol31(acc)\n\tacc *= prime1\n\treturn acc\n}\n\nfunc mergeRound(acc, val uint64) uint64 {\n\tval = round(0, val)\n\tacc ^= val\n\tacc = acc*prime1 + prime4\n\treturn acc\n}\n\nfunc rol1(x uint64) uint64 { return bits.RotateLeft64(x, 1) }\nfunc rol7(x uint64) uint64 { return bits.RotateLeft64(x, 7) }\nfunc rol11(x uint64) uint64 { return bits.RotateLeft64(x, 11) }\nfunc rol12(x uint64) uint64 { return bits.RotateLeft64(x, 12) }\nfunc rol18(x uint64) uint64 { return bits.RotateLeft64(x, 18) }\nfunc rol23(x uint64) uint64 { return bits.RotateLeft64(x, 23) }\nfunc rol27(x uint64) uint64 { return bits.RotateLeft64(x, 27) }\nfunc rol31(x uint64) uint64 { return bits.RotateLeft64(x, 31) }\n" }, { "path": "vendor/github.com/cespare/xxhash/v2/xxhash_amd64.s", "content": "//go:build !appengine && gc && !purego\n// +build !appengine\n// +build gc\n// +build !purego\n\n#include \"textflag.h\"\n\n// Registers:\n#define h AX\n#define d AX\n#define p SI // pointer to advance through b\n#define n DX\n#define end BX // loop end\n#define v1 R8\n#define v2 R9\n#define v3 R10\n#define v4 R11\n#define x R12\n#define prime1 R13\n#define prime2 R14\n#define prime4 DI\n\n#define round(acc, x) \\\n\tIMULQ prime2, x \\\n\tADDQ x, acc \\\n\tROLQ $31, acc \\\n\tIMULQ prime1, acc\n\n// round0 performs the operation x = round(0, x).\n#define round0(x) \\\n\tIMULQ prime2, x \\\n\tROLQ $31, x \\\n\tIMULQ prime1, x\n\n// mergeRound applies a merge round on the two registers acc and x.\n// It assumes that prime1, prime2, and prime4 have been loaded.\n#define mergeRound(acc, x) \\\n\tround0(x) \\\n\tXORQ x, acc \\\n\tIMULQ prime1, acc \\\n\tADDQ prime4, acc\n\n// blockLoop processes as many 32-byte blocks as possible,\n// updating v1, v2, v3, and v4. It assumes that there is at least one block\n// to process.\n#define blockLoop() \\\nloop: \\\n\tMOVQ +0(p), x \\\n\tround(v1, x) \\\n\tMOVQ +8(p), x \\\n\tround(v2, x) \\\n\tMOVQ +16(p), x \\\n\tround(v3, x) \\\n\tMOVQ +24(p), x \\\n\tround(v4, x) \\\n\tADDQ $32, p \\\n\tCMPQ p, end \\\n\tJLE loop\n\n// func Sum64(b []byte) uint64\nTEXT ·Sum64(SB), NOSPLIT|NOFRAME, $0-32\n\t// Load fixed primes.\n\tMOVQ ·primes+0(SB), prime1\n\tMOVQ ·primes+8(SB), prime2\n\tMOVQ ·primes+24(SB), prime4\n\n\t// Load slice.\n\tMOVQ b_base+0(FP), p\n\tMOVQ b_len+8(FP), n\n\tLEAQ (p)(n*1), end\n\n\t// The first loop limit will be len(b)-32.\n\tSUBQ $32, end\n\n\t// Check whether we have at least one block.\n\tCMPQ n, $32\n\tJLT noBlocks\n\n\t// Set up initial state (v1, v2, v3, v4).\n\tMOVQ prime1, v1\n\tADDQ prime2, v1\n\tMOVQ prime2, v2\n\tXORQ v3, v3\n\tXORQ v4, v4\n\tSUBQ prime1, v4\n\n\tblockLoop()\n\n\tMOVQ v1, h\n\tROLQ $1, h\n\tMOVQ v2, x\n\tROLQ $7, x\n\tADDQ x, h\n\tMOVQ v3, x\n\tROLQ $12, x\n\tADDQ x, h\n\tMOVQ v4, x\n\tROLQ $18, x\n\tADDQ x, h\n\n\tmergeRound(h, v1)\n\tmergeRound(h, v2)\n\tmergeRound(h, v3)\n\tmergeRound(h, v4)\n\n\tJMP afterBlocks\n\nnoBlocks:\n\tMOVQ ·primes+32(SB), h\n\nafterBlocks:\n\tADDQ n, h\n\n\tADDQ $24, end\n\tCMPQ p, end\n\tJG try4\n\nloop8:\n\tMOVQ (p), x\n\tADDQ $8, p\n\tround0(x)\n\tXORQ x, h\n\tROLQ $27, h\n\tIMULQ prime1, h\n\tADDQ prime4, h\n\n\tCMPQ p, end\n\tJLE loop8\n\ntry4:\n\tADDQ $4, end\n\tCMPQ p, end\n\tJG try1\n\n\tMOVL (p), x\n\tADDQ $4, p\n\tIMULQ prime1, x\n\tXORQ x, h\n\n\tROLQ $23, h\n\tIMULQ prime2, h\n\tADDQ ·primes+16(SB), h\n\ntry1:\n\tADDQ $4, end\n\tCMPQ p, end\n\tJGE finalize\n\nloop1:\n\tMOVBQZX (p), x\n\tADDQ $1, p\n\tIMULQ ·primes+32(SB), x\n\tXORQ x, h\n\tROLQ $11, h\n\tIMULQ prime1, h\n\n\tCMPQ p, end\n\tJL loop1\n\nfinalize:\n\tMOVQ h, x\n\tSHRQ $33, x\n\tXORQ x, h\n\tIMULQ prime2, h\n\tMOVQ h, x\n\tSHRQ $29, x\n\tXORQ x, h\n\tIMULQ ·primes+16(SB), h\n\tMOVQ h, x\n\tSHRQ $32, x\n\tXORQ x, h\n\n\tMOVQ h, ret+24(FP)\n\tRET\n\n// func writeBlocks(d *Digest, b []byte) int\nTEXT ·writeBlocks(SB), NOSPLIT|NOFRAME, $0-40\n\t// Load fixed primes needed for round.\n\tMOVQ ·primes+0(SB), prime1\n\tMOVQ ·primes+8(SB), prime2\n\n\t// Load slice.\n\tMOVQ b_base+8(FP), p\n\tMOVQ b_len+16(FP), n\n\tLEAQ (p)(n*1), end\n\tSUBQ $32, end\n\n\t// Load vN from d.\n\tMOVQ s+0(FP), d\n\tMOVQ 0(d), v1\n\tMOVQ 8(d), v2\n\tMOVQ 16(d), v3\n\tMOVQ 24(d), v4\n\n\t// We don't need to check the loop condition here; this function is\n\t// always called with at least one block of data to process.\n\tblockLoop()\n\n\t// Copy vN back to d.\n\tMOVQ v1, 0(d)\n\tMOVQ v2, 8(d)\n\tMOVQ v3, 16(d)\n\tMOVQ v4, 24(d)\n\n\t// The number of bytes written is p minus the old base pointer.\n\tSUBQ b_base+8(FP), p\n\tMOVQ p, ret+32(FP)\n\n\tRET\n" }, { "path": "vendor/github.com/cespare/xxhash/v2/xxhash_arm64.s", "content": "//go:build !appengine && gc && !purego\n// +build !appengine\n// +build gc\n// +build !purego\n\n#include \"textflag.h\"\n\n// Registers:\n#define digest\tR1\n#define h\tR2 // return value\n#define p\tR3 // input pointer\n#define n\tR4 // input length\n#define nblocks\tR5 // n / 32\n#define prime1\tR7\n#define prime2\tR8\n#define prime3\tR9\n#define prime4\tR10\n#define prime5\tR11\n#define v1\tR12\n#define v2\tR13\n#define v3\tR14\n#define v4\tR15\n#define x1\tR20\n#define x2\tR21\n#define x3\tR22\n#define x4\tR23\n\n#define round(acc, x) \\\n\tMADD prime2, acc, x, acc \\\n\tROR $64-31, acc \\\n\tMUL prime1, acc\n\n// round0 performs the operation x = round(0, x).\n#define round0(x) \\\n\tMUL prime2, x \\\n\tROR $64-31, x \\\n\tMUL prime1, x\n\n#define mergeRound(acc, x) \\\n\tround0(x) \\\n\tEOR x, acc \\\n\tMADD acc, prime4, prime1, acc\n\n// blockLoop processes as many 32-byte blocks as possible,\n// updating v1, v2, v3, and v4. It assumes that n >= 32.\n#define blockLoop() \\\n\tLSR $5, n, nblocks \\\n\tPCALIGN $16 \\\n\tloop: \\\n\tLDP.P 16(p), (x1, x2) \\\n\tLDP.P 16(p), (x3, x4) \\\n\tround(v1, x1) \\\n\tround(v2, x2) \\\n\tround(v3, x3) \\\n\tround(v4, x4) \\\n\tSUB $1, nblocks \\\n\tCBNZ nblocks, loop\n\n// func Sum64(b []byte) uint64\nTEXT ·Sum64(SB), NOSPLIT|NOFRAME, $0-32\n\tLDP b_base+0(FP), (p, n)\n\n\tLDP ·primes+0(SB), (prime1, prime2)\n\tLDP ·primes+16(SB), (prime3, prime4)\n\tMOVD ·primes+32(SB), prime5\n\n\tCMP $32, n\n\tCSEL LT, prime5, ZR, h // if n < 32 { h = prime5 } else { h = 0 }\n\tBLT afterLoop\n\n\tADD prime1, prime2, v1\n\tMOVD prime2, v2\n\tMOVD $0, v3\n\tNEG prime1, v4\n\n\tblockLoop()\n\n\tROR $64-1, v1, x1\n\tROR $64-7, v2, x2\n\tADD x1, x2\n\tROR $64-12, v3, x3\n\tROR $64-18, v4, x4\n\tADD x3, x4\n\tADD x2, x4, h\n\n\tmergeRound(h, v1)\n\tmergeRound(h, v2)\n\tmergeRound(h, v3)\n\tmergeRound(h, v4)\n\nafterLoop:\n\tADD n, h\n\n\tTBZ $4, n, try8\n\tLDP.P 16(p), (x1, x2)\n\n\tround0(x1)\n\n\t// NOTE: here and below, sequencing the EOR after the ROR (using a\n\t// rotated register) is worth a small but measurable speedup for small\n\t// inputs.\n\tROR $64-27, h\n\tEOR x1 @> 64-27, h, h\n\tMADD h, prime4, prime1, h\n\n\tround0(x2)\n\tROR $64-27, h\n\tEOR x2 @> 64-27, h, h\n\tMADD h, prime4, prime1, h\n\ntry8:\n\tTBZ $3, n, try4\n\tMOVD.P 8(p), x1\n\n\tround0(x1)\n\tROR $64-27, h\n\tEOR x1 @> 64-27, h, h\n\tMADD h, prime4, prime1, h\n\ntry4:\n\tTBZ $2, n, try2\n\tMOVWU.P 4(p), x2\n\n\tMUL prime1, x2\n\tROR $64-23, h\n\tEOR x2 @> 64-23, h, h\n\tMADD h, prime3, prime2, h\n\ntry2:\n\tTBZ $1, n, try1\n\tMOVHU.P 2(p), x3\n\tAND $255, x3, x1\n\tLSR $8, x3, x2\n\n\tMUL prime5, x1\n\tROR $64-11, h\n\tEOR x1 @> 64-11, h, h\n\tMUL prime1, h\n\n\tMUL prime5, x2\n\tROR $64-11, h\n\tEOR x2 @> 64-11, h, h\n\tMUL prime1, h\n\ntry1:\n\tTBZ $0, n, finalize\n\tMOVBU (p), x4\n\n\tMUL prime5, x4\n\tROR $64-11, h\n\tEOR x4 @> 64-11, h, h\n\tMUL prime1, h\n\nfinalize:\n\tEOR h >> 33, h\n\tMUL prime2, h\n\tEOR h >> 29, h\n\tMUL prime3, h\n\tEOR h >> 32, h\n\n\tMOVD h, ret+24(FP)\n\tRET\n\n// func writeBlocks(d *Digest, b []byte) int\nTEXT ·writeBlocks(SB), NOSPLIT|NOFRAME, $0-40\n\tLDP ·primes+0(SB), (prime1, prime2)\n\n\t// Load state. Assume v[1-4] are stored contiguously.\n\tMOVD d+0(FP), digest\n\tLDP 0(digest), (v1, v2)\n\tLDP 16(digest), (v3, v4)\n\n\tLDP b_base+8(FP), (p, n)\n\n\tblockLoop()\n\n\t// Store updated state.\n\tSTP (v1, v2), 0(digest)\n\tSTP (v3, v4), 16(digest)\n\n\tBIC $31, n\n\tMOVD n, ret+32(FP)\n\tRET\n" }, { "path": "vendor/github.com/cespare/xxhash/v2/xxhash_asm.go", "content": "//go:build (amd64 || arm64) && !appengine && gc && !purego\n// +build amd64 arm64\n// +build !appengine\n// +build gc\n// +build !purego\n\npackage xxhash\n\n// Sum64 computes the 64-bit xxHash digest of b with a zero seed.\n//\n//go:noescape\nfunc Sum64(b []byte) uint64\n\n//go:noescape\nfunc writeBlocks(d *Digest, b []byte) int\n" }, { "path": "vendor/github.com/cespare/xxhash/v2/xxhash_other.go", "content": "//go:build (!amd64 && !arm64) || appengine || !gc || purego\n// +build !amd64,!arm64 appengine !gc purego\n\npackage xxhash\n\n// Sum64 computes the 64-bit xxHash digest of b with a zero seed.\nfunc Sum64(b []byte) uint64 {\n\t// A simpler version would be\n\t// d := New()\n\t// d.Write(b)\n\t// return d.Sum64()\n\t// but this is faster, particularly for small inputs.\n\n\tn := len(b)\n\tvar h uint64\n\n\tif n >= 32 {\n\t\tv1 := primes[0] + prime2\n\t\tv2 := prime2\n\t\tv3 := uint64(0)\n\t\tv4 := -primes[0]\n\t\tfor len(b) >= 32 {\n\t\t\tv1 = round(v1, u64(b[0:8:len(b)]))\n\t\t\tv2 = round(v2, u64(b[8:16:len(b)]))\n\t\t\tv3 = round(v3, u64(b[16:24:len(b)]))\n\t\t\tv4 = round(v4, u64(b[24:32:len(b)]))\n\t\t\tb = b[32:len(b):len(b)]\n\t\t}\n\t\th = rol1(v1) + rol7(v2) + rol12(v3) + rol18(v4)\n\t\th = mergeRound(h, v1)\n\t\th = mergeRound(h, v2)\n\t\th = mergeRound(h, v3)\n\t\th = mergeRound(h, v4)\n\t} else {\n\t\th = prime5\n\t}\n\n\th += uint64(n)\n\n\tfor ; len(b) >= 8; b = b[8:] {\n\t\tk1 := round(0, u64(b[:8]))\n\t\th ^= k1\n\t\th = rol27(h)*prime1 + prime4\n\t}\n\tif len(b) >= 4 {\n\t\th ^= uint64(u32(b[:4])) * prime1\n\t\th = rol23(h)*prime2 + prime3\n\t\tb = b[4:]\n\t}\n\tfor ; len(b) > 0; b = b[1:] {\n\t\th ^= uint64(b[0]) * prime5\n\t\th = rol11(h) * prime1\n\t}\n\n\th ^= h >> 33\n\th *= prime2\n\th ^= h >> 29\n\th *= prime3\n\th ^= h >> 32\n\n\treturn h\n}\n\nfunc writeBlocks(d *Digest, b []byte) int {\n\tv1, v2, v3, v4 := d.v1, d.v2, d.v3, d.v4\n\tn := len(b)\n\tfor len(b) >= 32 {\n\t\tv1 = round(v1, u64(b[0:8:len(b)]))\n\t\tv2 = round(v2, u64(b[8:16:len(b)]))\n\t\tv3 = round(v3, u64(b[16:24:len(b)]))\n\t\tv4 = round(v4, u64(b[24:32:len(b)]))\n\t\tb = b[32:len(b):len(b)]\n\t}\n\td.v1, d.v2, d.v3, d.v4 = v1, v2, v3, v4\n\treturn n - len(b)\n}\n" }, { "path": "vendor/github.com/cespare/xxhash/v2/xxhash_safe.go", "content": "//go:build appengine\n// +build appengine\n\n// This file contains the safe implementations of otherwise unsafe-using code.\n\npackage xxhash\n\n// Sum64String computes the 64-bit xxHash digest of s with a zero seed.\nfunc Sum64String(s string) uint64 {\n\treturn Sum64([]byte(s))\n}\n\n// WriteString adds more data to d. It always returns len(s), nil.\nfunc (d *Digest) WriteString(s string) (n int, err error) {\n\treturn d.Write([]byte(s))\n}\n" }, { "path": "vendor/github.com/cespare/xxhash/v2/xxhash_unsafe.go", "content": "//go:build !appengine\n// +build !appengine\n\n// This file encapsulates usage of unsafe.\n// xxhash_safe.go contains the safe implementations.\n\npackage xxhash\n\nimport (\n\t\"unsafe\"\n)\n\n// In the future it's possible that compiler optimizations will make these\n// XxxString functions unnecessary by realizing that calls such as\n// Sum64([]byte(s)) don't need to copy s. See https://go.dev/issue/2205.\n// If that happens, even if we keep these functions they can be replaced with\n// the trivial safe code.\n\n// NOTE: The usual way of doing an unsafe string-to-[]byte conversion is:\n//\n// var b []byte\n// bh := (*reflect.SliceHeader)(unsafe.Pointer(&b))\n// bh.Data = (*reflect.StringHeader)(unsafe.Pointer(&s)).Data\n// bh.Len = len(s)\n// bh.Cap = len(s)\n//\n// Unfortunately, as of Go 1.15.3 the inliner's cost model assigns a high enough\n// weight to this sequence of expressions that any function that uses it will\n// not be inlined. Instead, the functions below use a different unsafe\n// conversion designed to minimize the inliner weight and allow both to be\n// inlined. There is also a test (TestInlining) which verifies that these are\n// inlined.\n//\n// See https://github.com/golang/go/issues/42739 for discussion.\n\n// Sum64String computes the 64-bit xxHash digest of s with a zero seed.\n// It may be faster than Sum64([]byte(s)) by avoiding a copy.\nfunc Sum64String(s string) uint64 {\n\tb := *(*[]byte)(unsafe.Pointer(&sliceHeader{s, len(s)}))\n\treturn Sum64(b)\n}\n\n// WriteString adds more data to d. It always returns len(s), nil.\n// It may be faster than Write([]byte(s)) by avoiding a copy.\nfunc (d *Digest) WriteString(s string) (n int, err error) {\n\td.Write(*(*[]byte)(unsafe.Pointer(&sliceHeader{s, len(s)})))\n\t// d.Write always returns len(s), nil.\n\t// Ignoring the return output and returning these fixed values buys a\n\t// savings of 6 in the inliner's cost model.\n\treturn len(s), nil\n}\n\n// sliceHeader is similar to reflect.SliceHeader, but it assumes that the layout\n// of the first two words is the same as the layout of a string.\ntype sliceHeader struct {\n\ts string\n\tcap int\n}\n" }, { "path": "vendor/github.com/coreos/go-oidc/v3/LICENSE", "content": "Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"{}\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright {yyyy} {name of copyright owner}\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n\n" }, { "path": "vendor/github.com/coreos/go-oidc/v3/NOTICE", "content": "CoreOS Project\nCopyright 2014 CoreOS, Inc\n\nThis product includes software developed at CoreOS, Inc.\n(http://www.coreos.com/).\n" }, { "path": "vendor/github.com/coreos/go-oidc/v3/oidc/jose.go", "content": "package oidc\n\nimport jose \"github.com/go-jose/go-jose/v4\"\n\n// JOSE asymmetric signing algorithm values as defined by RFC 7518\n//\n// see: https://tools.ietf.org/html/rfc7518#section-3.1\nconst (\n\tRS256 = \"RS256\" // RSASSA-PKCS-v1.5 using SHA-256\n\tRS384 = \"RS384\" // RSASSA-PKCS-v1.5 using SHA-384\n\tRS512 = \"RS512\" // RSASSA-PKCS-v1.5 using SHA-512\n\tES256 = \"ES256\" // ECDSA using P-256 and SHA-256\n\tES384 = \"ES384\" // ECDSA using P-384 and SHA-384\n\tES512 = \"ES512\" // ECDSA using P-521 and SHA-512\n\tPS256 = \"PS256\" // RSASSA-PSS using SHA256 and MGF1-SHA256\n\tPS384 = \"PS384\" // RSASSA-PSS using SHA384 and MGF1-SHA384\n\tPS512 = \"PS512\" // RSASSA-PSS using SHA512 and MGF1-SHA512\n\tEdDSA = \"EdDSA\" // Ed25519 using SHA-512\n)\n\nvar allAlgs = []jose.SignatureAlgorithm{\n\tjose.RS256,\n\tjose.RS384,\n\tjose.RS512,\n\tjose.ES256,\n\tjose.ES384,\n\tjose.ES512,\n\tjose.PS256,\n\tjose.PS384,\n\tjose.PS512,\n\tjose.EdDSA,\n}\n" }, { "path": "vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go", "content": "package oidc\n\nimport (\n\t\"context\"\n\t\"crypto\"\n\t\"crypto/ecdsa\"\n\t\"crypto/ed25519\"\n\t\"crypto/rsa\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"sync\"\n\n\tjose \"github.com/go-jose/go-jose/v4\"\n)\n\n// StaticKeySet is a verifier that validates JWT against a static set of public keys.\ntype StaticKeySet struct {\n\t// PublicKeys used to verify the JWT. Supported types are *rsa.PublicKey and\n\t// *ecdsa.PublicKey.\n\tPublicKeys []crypto.PublicKey\n}\n\n// VerifySignature compares the signature against a static set of public keys.\nfunc (s *StaticKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {\n\t// Algorithms are already checked by Verifier, so this parse method accepts\n\t// any algorithm.\n\tjws, err := jose.ParseSigned(jwt, allAlgs)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"parsing jwt: %v\", err)\n\t}\n\tfor _, pub := range s.PublicKeys {\n\t\tswitch pub.(type) {\n\t\tcase *rsa.PublicKey:\n\t\tcase *ecdsa.PublicKey:\n\t\tcase ed25519.PublicKey:\n\t\tdefault:\n\t\t\treturn nil, fmt.Errorf(\"invalid public key type provided: %T\", pub)\n\t\t}\n\t\tpayload, err := jws.Verify(pub)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\treturn payload, nil\n\t}\n\treturn nil, fmt.Errorf(\"no public keys able to verify jwt\")\n}\n\n// NewRemoteKeySet returns a KeySet that can validate JSON web tokens by using HTTP\n// GETs to fetch JSON web token sets hosted at a remote URL. This is automatically\n// used by NewProvider using the URLs returned by OpenID Connect discovery, but is\n// exposed for providers that don't support discovery or to prevent round trips to the\n// discovery URL.\n//\n// The returned KeySet is a long lived verifier that caches keys based on any\n// keys change. Reuse a common remote key set instead of creating new ones as needed.\nfunc NewRemoteKeySet(ctx context.Context, jwksURL string) *RemoteKeySet {\n\treturn newRemoteKeySet(ctx, jwksURL)\n}\n\nfunc newRemoteKeySet(ctx context.Context, jwksURL string) *RemoteKeySet {\n\treturn &RemoteKeySet{\n\t\tjwksURL: jwksURL,\n\t\t// For historical reasons, this package uses contexts for configuration, not just\n\t\t// cancellation. In hindsight, this was a bad idea.\n\t\t//\n\t\t// Attemps to reason about how cancels should work with background requests have\n\t\t// largely lead to confusion. Use the context here as a config bag-of-values and\n\t\t// ignore the cancel function.\n\t\tctx: context.WithoutCancel(ctx),\n\t}\n}\n\n// RemoteKeySet is a KeySet implementation that validates JSON web tokens against\n// a jwks_uri endpoint.\ntype RemoteKeySet struct {\n\tjwksURL string\n\n\t// Used for configuration. Cancelation is ignored.\n\tctx context.Context\n\n\t// guard all other fields\n\tmu sync.RWMutex\n\n\t// inflight suppresses parallel execution of updateKeys and allows\n\t// multiple goroutines to wait for its result.\n\tinflight *inflight\n\n\t// A set of cached keys.\n\tcachedKeys []jose.JSONWebKey\n}\n\n// inflight is used to wait on some in-flight request from multiple goroutines.\ntype inflight struct {\n\tdoneCh chan struct{}\n\n\tkeys []jose.JSONWebKey\n\terr error\n}\n\nfunc newInflight() *inflight {\n\treturn &inflight{doneCh: make(chan struct{})}\n}\n\n// wait returns a channel that multiple goroutines can receive on. Once it returns\n// a value, the inflight request is done and result() can be inspected.\nfunc (i *inflight) wait() <-chan struct{} {\n\treturn i.doneCh\n}\n\n// done can only be called by a single goroutine. It records the result of the\n// inflight request and signals other goroutines that the result is safe to\n// inspect.\nfunc (i *inflight) done(keys []jose.JSONWebKey, err error) {\n\ti.keys = keys\n\ti.err = err\n\tclose(i.doneCh)\n}\n\n// result cannot be called until the wait() channel has returned a value.\nfunc (i *inflight) result() ([]jose.JSONWebKey, error) {\n\treturn i.keys, i.err\n}\n\n// paresdJWTKey is a context key that allows common setups to avoid parsing the\n// JWT twice. It holds a *jose.JSONWebSignature value.\nvar parsedJWTKey contextKey\n\n// VerifySignature validates a payload against a signature from the jwks_uri.\n//\n// Users MUST NOT call this method directly and should use an IDTokenVerifier\n// instead. This method skips critical validations such as 'alg' values and is\n// only exported to implement the KeySet interface.\nfunc (r *RemoteKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {\n\tjws, ok := ctx.Value(parsedJWTKey).(*jose.JSONWebSignature)\n\tif !ok {\n\t\t// The algorithm values are already enforced by the Validator, which also sets\n\t\t// the context value above to pre-parsed signature.\n\t\t//\n\t\t// Practically, this codepath isn't called in normal use of this package, but\n\t\t// if it is, the algorithms have already been checked.\n\t\tvar err error\n\t\tjws, err = jose.ParseSigned(jwt, allAlgs)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"oidc: malformed jwt: %v\", err)\n\t\t}\n\t}\n\treturn r.verify(ctx, jws)\n}\n\nfunc (r *RemoteKeySet) verify(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error) {\n\t// We don't support JWTs signed with multiple signatures.\n\tkeyID := \"\"\n\tfor _, sig := range jws.Signatures {\n\t\tkeyID = sig.Header.KeyID\n\t\tbreak\n\t}\n\n\tkeys := r.keysFromCache()\n\tfor _, key := range keys {\n\t\tif keyID == \"\" || key.KeyID == keyID {\n\t\t\tif payload, err := jws.Verify(&key); err == nil {\n\t\t\t\treturn payload, nil\n\t\t\t}\n\t\t}\n\t}\n\n\t// If the kid doesn't match, check for new keys from the remote. This is the\n\t// strategy recommended by the spec.\n\t//\n\t// https://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys\n\tkeys, err := r.keysFromRemote(ctx)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"fetching keys %w\", err)\n\t}\n\n\tfor _, key := range keys {\n\t\tif keyID == \"\" || key.KeyID == keyID {\n\t\t\tif payload, err := jws.Verify(&key); err == nil {\n\t\t\t\treturn payload, nil\n\t\t\t}\n\t\t}\n\t}\n\treturn nil, errors.New(\"failed to verify id token signature\")\n}\n\nfunc (r *RemoteKeySet) keysFromCache() (keys []jose.JSONWebKey) {\n\tr.mu.RLock()\n\tdefer r.mu.RUnlock()\n\treturn r.cachedKeys\n}\n\n// keysFromRemote syncs the key set from the remote set, records the values in the\n// cache, and returns the key set.\nfunc (r *RemoteKeySet) keysFromRemote(ctx context.Context) ([]jose.JSONWebKey, error) {\n\t// Need to lock to inspect the inflight request field.\n\tr.mu.Lock()\n\t// If there's not a current inflight request, create one.\n\tif r.inflight == nil {\n\t\tr.inflight = newInflight()\n\n\t\t// This goroutine has exclusive ownership over the current inflight\n\t\t// request. It releases the resource by nil'ing the inflight field\n\t\t// once the goroutine is done.\n\t\tgo func() {\n\t\t\t// Sync keys and finish inflight when that's done.\n\t\t\tkeys, err := r.updateKeys()\n\n\t\t\tr.inflight.done(keys, err)\n\n\t\t\t// Lock to update the keys and indicate that there is no longer an\n\t\t\t// inflight request.\n\t\t\tr.mu.Lock()\n\t\t\tdefer r.mu.Unlock()\n\n\t\t\tif err == nil {\n\t\t\t\tr.cachedKeys = keys\n\t\t\t}\n\n\t\t\t// Free inflight so a different request can run.\n\t\t\tr.inflight = nil\n\t\t}()\n\t}\n\tinflight := r.inflight\n\tr.mu.Unlock()\n\n\tselect {\n\tcase <-ctx.Done():\n\t\treturn nil, ctx.Err()\n\tcase <-inflight.wait():\n\t\treturn inflight.result()\n\t}\n}\n\nfunc (r *RemoteKeySet) updateKeys() ([]jose.JSONWebKey, error) {\n\treq, err := http.NewRequest(\"GET\", r.jwksURL, nil)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"oidc: can't create request: %v\", err)\n\t}\n\n\tresp, err := doRequest(r.ctx, req)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"oidc: get keys failed %w\", err)\n\t}\n\tdefer resp.Body.Close()\n\n\tbody, err := io.ReadAll(resp.Body)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to read response body: %v\", err)\n\t}\n\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn nil, fmt.Errorf(\"oidc: get keys failed: %s %s\", resp.Status, body)\n\t}\n\n\tvar keySet jose.JSONWebKeySet\n\terr = unmarshalResp(resp, body, &keySet)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"oidc: failed to decode keys: %v %s\", err, body)\n\t}\n\treturn keySet.Keys, nil\n}\n" }, { "path": "vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go", "content": "// Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package.\npackage oidc\n\nimport (\n\t\"context\"\n\t\"crypto/sha256\"\n\t\"crypto/sha512\"\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"hash\"\n\t\"io\"\n\t\"mime\"\n\t\"net/http\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"golang.org/x/oauth2\"\n)\n\nconst (\n\t// ScopeOpenID is the mandatory scope for all OpenID Connect OAuth2 requests.\n\tScopeOpenID = \"openid\"\n\n\t// ScopeOfflineAccess is an optional scope defined by OpenID Connect for requesting\n\t// OAuth2 refresh tokens.\n\t//\n\t// Support for this scope differs between OpenID Connect providers. For instance\n\t// Google rejects it, favoring appending \"access_type=offline\" as part of the\n\t// authorization request instead.\n\t//\n\t// See: https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess\n\tScopeOfflineAccess = \"offline_access\"\n)\n\nvar (\n\terrNoAtHash = errors.New(\"id token did not have an access token hash\")\n\terrInvalidAtHash = errors.New(\"access token hash does not match value in ID token\")\n)\n\ntype contextKey int\n\nvar issuerURLKey contextKey\n\n// ClientContext returns a new Context that carries the provided HTTP client.\n//\n// This method sets the same context key used by the golang.org/x/oauth2 package,\n// so the returned context works for that package too.\n//\n//\tmyClient := &http.Client{}\n//\tctx := oidc.ClientContext(parentContext, myClient)\n//\n//\t// This will use the custom client\n//\tprovider, err := oidc.NewProvider(ctx, \"https://accounts.example.com\")\nfunc ClientContext(ctx context.Context, client *http.Client) context.Context {\n\treturn context.WithValue(ctx, oauth2.HTTPClient, client)\n}\n\nfunc getClient(ctx context.Context) *http.Client {\n\tif c, ok := ctx.Value(oauth2.HTTPClient).(*http.Client); ok {\n\t\treturn c\n\t}\n\treturn nil\n}\n\n// InsecureIssuerURLContext allows discovery to work when the issuer_url reported\n// by upstream is mismatched with the discovery URL. This is meant for integration\n// with off-spec providers such as Azure.\n//\n//\tdiscoveryBaseURL := \"https://login.microsoftonline.com/organizations/v2.0\"\n//\tissuerURL := \"https://login.microsoftonline.com/my-tenantid/v2.0\"\n//\n//\tctx := oidc.InsecureIssuerURLContext(parentContext, issuerURL)\n//\n//\t// Provider will be discovered with the discoveryBaseURL, but use issuerURL\n//\t// for future issuer validation.\n//\tprovider, err := oidc.NewProvider(ctx, discoveryBaseURL)\n//\n// This is insecure because validating the correct issuer is critical for multi-tenant\n// providers. Any overrides here MUST be carefully reviewed.\nfunc InsecureIssuerURLContext(ctx context.Context, issuerURL string) context.Context {\n\treturn context.WithValue(ctx, issuerURLKey, issuerURL)\n}\n\nfunc doRequest(ctx context.Context, req *http.Request) (*http.Response, error) {\n\tclient := http.DefaultClient\n\tif c := getClient(ctx); c != nil {\n\t\tclient = c\n\t}\n\treturn client.Do(req.WithContext(ctx))\n}\n\n// Provider represents an OpenID Connect server's configuration.\ntype Provider struct {\n\tissuer string\n\tauthURL string\n\ttokenURL string\n\tdeviceAuthURL string\n\tuserInfoURL string\n\tjwksURL string\n\talgorithms []string\n\n\t// Raw claims returned by the server.\n\trawClaims []byte\n\n\t// Guards all of the following fields.\n\tmu sync.Mutex\n\t// HTTP client specified from the initial NewProvider request. This is used\n\t// when creating the common key set.\n\tclient *http.Client\n\t// A key set that uses context.Background() and is shared between all code paths\n\t// that don't have a convinent way of supplying a unique context.\n\tcommonRemoteKeySet KeySet\n}\n\nfunc (p *Provider) remoteKeySet() KeySet {\n\tp.mu.Lock()\n\tdefer p.mu.Unlock()\n\tif p.commonRemoteKeySet == nil {\n\t\tctx := context.Background()\n\t\tif p.client != nil {\n\t\t\tctx = ClientContext(ctx, p.client)\n\t\t}\n\t\tp.commonRemoteKeySet = NewRemoteKeySet(ctx, p.jwksURL)\n\t}\n\treturn p.commonRemoteKeySet\n}\n\ntype providerJSON struct {\n\tIssuer string `json:\"issuer\"`\n\tAuthURL string `json:\"authorization_endpoint\"`\n\tTokenURL string `json:\"token_endpoint\"`\n\tDeviceAuthURL string `json:\"device_authorization_endpoint\"`\n\tJWKSURL string `json:\"jwks_uri\"`\n\tUserInfoURL string `json:\"userinfo_endpoint\"`\n\tAlgorithms []string `json:\"id_token_signing_alg_values_supported\"`\n}\n\n// supportedAlgorithms is a list of algorithms explicitly supported by this\n// package. If a provider supports other algorithms, such as HS256 or none,\n// those values won't be passed to the IDTokenVerifier.\nvar supportedAlgorithms = map[string]bool{\n\tRS256: true,\n\tRS384: true,\n\tRS512: true,\n\tES256: true,\n\tES384: true,\n\tES512: true,\n\tPS256: true,\n\tPS384: true,\n\tPS512: true,\n\tEdDSA: true,\n}\n\n// ProviderConfig allows direct creation of a [Provider] from metadata\n// configuration. This is intended for interop with providers that don't support\n// discovery, or host the JSON discovery document at an off-spec path.\n//\n// The ProviderConfig struct specifies JSON struct tags to support document\n// parsing.\n//\n//\t// Directly fetch the metadata document.\n//\tresp, err := http.Get(\"https://login.example.com/custom-metadata-path\")\n//\tif err != nil {\n//\t\t// ...\n//\t}\n//\tdefer resp.Body.Close()\n//\n//\t// Parse config from JSON metadata.\n//\tconfig := &oidc.ProviderConfig{}\n//\tif err := json.NewDecoder(resp.Body).Decode(config); err != nil {\n//\t\t// ...\n//\t}\n//\tp := config.NewProvider(context.Background())\n//\n// For providers that implement discovery, use [NewProvider] instead.\n//\n// See: https://openid.net/specs/openid-connect-discovery-1_0.html\ntype ProviderConfig struct {\n\t// IssuerURL is the identity of the provider, and the string it uses to sign\n\t// ID tokens with. For example \"https://accounts.google.com\". This value MUST\n\t// match ID tokens exactly.\n\tIssuerURL string `json:\"issuer\"`\n\t// AuthURL is the endpoint used by the provider to support the OAuth 2.0\n\t// authorization endpoint.\n\tAuthURL string `json:\"authorization_endpoint\"`\n\t// TokenURL is the endpoint used by the provider to support the OAuth 2.0\n\t// token endpoint.\n\tTokenURL string `json:\"token_endpoint\"`\n\t// DeviceAuthURL is the endpoint used by the provider to support the OAuth 2.0\n\t// device authorization endpoint.\n\tDeviceAuthURL string `json:\"device_authorization_endpoint\"`\n\t// UserInfoURL is the endpoint used by the provider to support the OpenID\n\t// Connect UserInfo flow.\n\t//\n\t// https://openid.net/specs/openid-connect-core-1_0.html#UserInfo\n\tUserInfoURL string `json:\"userinfo_endpoint\"`\n\t// JWKSURL is the endpoint used by the provider to advertise public keys to\n\t// verify issued ID tokens. This endpoint is polled as new keys are made\n\t// available.\n\tJWKSURL string `json:\"jwks_uri\"`\n\n\t// Algorithms, if provided, indicate a list of JWT algorithms allowed to sign\n\t// ID tokens. If not provided, this defaults to the algorithms advertised by\n\t// the JWK endpoint, then the set of algorithms supported by this package.\n\tAlgorithms []string `json:\"id_token_signing_alg_values_supported\"`\n}\n\n// NewProvider initializes a provider from a set of endpoints, rather than\n// through discovery.\n//\n// The provided context is only used for [http.Client] configuration through\n// [ClientContext], not cancelation.\nfunc (p *ProviderConfig) NewProvider(ctx context.Context) *Provider {\n\treturn &Provider{\n\t\tissuer: p.IssuerURL,\n\t\tauthURL: p.AuthURL,\n\t\ttokenURL: p.TokenURL,\n\t\tdeviceAuthURL: p.DeviceAuthURL,\n\t\tuserInfoURL: p.UserInfoURL,\n\t\tjwksURL: p.JWKSURL,\n\t\talgorithms: p.Algorithms,\n\t\tclient: getClient(ctx),\n\t}\n}\n\n// NewProvider uses the OpenID Connect discovery mechanism to construct a Provider.\n// The issuer is the URL identifier for the service. For example: \"https://accounts.google.com\"\n// or \"https://login.salesforce.com\".\n//\n// OpenID Connect providers that don't implement discovery or host the discovery\n// document at a non-spec complaint path (such as requiring a URL parameter),\n// should use [ProviderConfig] instead.\n//\n// See: https://openid.net/specs/openid-connect-discovery-1_0.html\nfunc NewProvider(ctx context.Context, issuer string) (*Provider, error) {\n\twellKnown := strings.TrimSuffix(issuer, \"/\") + \"/.well-known/openid-configuration\"\n\treq, err := http.NewRequest(\"GET\", wellKnown, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tresp, err := doRequest(ctx, req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tbody, err := io.ReadAll(resp.Body)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to read response body: %v\", err)\n\t}\n\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn nil, fmt.Errorf(\"%s: %s\", resp.Status, body)\n\t}\n\n\tvar p providerJSON\n\terr = unmarshalResp(resp, body, &p)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"oidc: failed to decode provider discovery object: %v\", err)\n\t}\n\n\tissuerURL, skipIssuerValidation := ctx.Value(issuerURLKey).(string)\n\tif !skipIssuerValidation {\n\t\tissuerURL = issuer\n\t}\n\tif p.Issuer != issuerURL && !skipIssuerValidation {\n\t\treturn nil, fmt.Errorf(\"oidc: issuer URL provided to client (%q) did not match the issuer URL returned by provider (%q)\", issuer, p.Issuer)\n\t}\n\tvar algs []string\n\tfor _, a := range p.Algorithms {\n\t\tif supportedAlgorithms[a] {\n\t\t\talgs = append(algs, a)\n\t\t}\n\t}\n\treturn &Provider{\n\t\tissuer: issuerURL,\n\t\tauthURL: p.AuthURL,\n\t\ttokenURL: p.TokenURL,\n\t\tdeviceAuthURL: p.DeviceAuthURL,\n\t\tuserInfoURL: p.UserInfoURL,\n\t\tjwksURL: p.JWKSURL,\n\t\talgorithms: algs,\n\t\trawClaims: body,\n\t\tclient: getClient(ctx),\n\t}, nil\n}\n\n// Claims unmarshals raw fields returned by the server during discovery.\n//\n//\tvar claims struct {\n//\t ScopesSupported []string `json:\"scopes_supported\"`\n//\t ClaimsSupported []string `json:\"claims_supported\"`\n//\t}\n//\n//\tif err := provider.Claims(&claims); err != nil {\n//\t // handle unmarshaling error\n//\t}\n//\n// For a list of fields defined by the OpenID Connect spec see:\n// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata\nfunc (p *Provider) Claims(v interface{}) error {\n\tif p.rawClaims == nil {\n\t\treturn errors.New(\"oidc: claims not set\")\n\t}\n\treturn json.Unmarshal(p.rawClaims, v)\n}\n\n// Endpoint returns the OAuth2 auth and token endpoints for the given provider.\nfunc (p *Provider) Endpoint() oauth2.Endpoint {\n\treturn oauth2.Endpoint{AuthURL: p.authURL, DeviceAuthURL: p.deviceAuthURL, TokenURL: p.tokenURL}\n}\n\n// UserInfoEndpoint returns the OpenID Connect userinfo endpoint for the given\n// provider.\nfunc (p *Provider) UserInfoEndpoint() string {\n\treturn p.userInfoURL\n}\n\n// UserInfo represents the OpenID Connect userinfo claims.\ntype UserInfo struct {\n\tSubject string `json:\"sub\"`\n\tProfile string `json:\"profile\"`\n\tEmail string `json:\"email\"`\n\tEmailVerified bool `json:\"email_verified\"`\n\n\tclaims []byte\n}\n\ntype userInfoRaw struct {\n\tSubject string `json:\"sub\"`\n\tProfile string `json:\"profile\"`\n\tEmail string `json:\"email\"`\n\t// Handle providers that return email_verified as a string\n\t// https://forums.aws.amazon.com/thread.jspa?messageID=949441󧳁 and\n\t// https://discuss.elastic.co/t/openid-error-after-authenticating-against-aws-cognito/206018/11\n\tEmailVerified stringAsBool `json:\"email_verified\"`\n}\n\n// Claims unmarshals the raw JSON object claims into the provided object.\nfunc (u *UserInfo) Claims(v interface{}) error {\n\tif u.claims == nil {\n\t\treturn errors.New(\"oidc: claims not set\")\n\t}\n\treturn json.Unmarshal(u.claims, v)\n}\n\n// UserInfo uses the token source to query the provider's user info endpoint.\nfunc (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource) (*UserInfo, error) {\n\tif p.userInfoURL == \"\" {\n\t\treturn nil, errors.New(\"oidc: user info endpoint is not supported by this provider\")\n\t}\n\n\treq, err := http.NewRequest(\"GET\", p.userInfoURL, nil)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"oidc: create GET request: %v\", err)\n\t}\n\n\ttoken, err := tokenSource.Token()\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"oidc: get access token: %v\", err)\n\t}\n\ttoken.SetAuthHeader(req)\n\n\tresp, err := doRequest(ctx, req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, err := io.ReadAll(resp.Body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn nil, fmt.Errorf(\"%s: %s\", resp.Status, body)\n\t}\n\n\tct := resp.Header.Get(\"Content-Type\")\n\tmediaType, _, parseErr := mime.ParseMediaType(ct)\n\tif parseErr == nil && mediaType == \"application/jwt\" {\n\t\tpayload, err := p.remoteKeySet().VerifySignature(ctx, string(body))\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"oidc: invalid userinfo jwt signature %v\", err)\n\t\t}\n\t\tbody = payload\n\t}\n\n\tvar userInfo userInfoRaw\n\tif err := json.Unmarshal(body, &userInfo); err != nil {\n\t\treturn nil, fmt.Errorf(\"oidc: failed to decode userinfo: %v\", err)\n\t}\n\treturn &UserInfo{\n\t\tSubject: userInfo.Subject,\n\t\tProfile: userInfo.Profile,\n\t\tEmail: userInfo.Email,\n\t\tEmailVerified: bool(userInfo.EmailVerified),\n\t\tclaims: body,\n\t}, nil\n}\n\n// IDToken is an OpenID Connect extension that provides a predictable representation\n// of an authorization event.\n//\n// The ID Token only holds fields OpenID Connect requires. To access additional\n// claims returned by the server, use the Claims method.\ntype IDToken struct {\n\t// The URL of the server which issued this token. OpenID Connect\n\t// requires this value always be identical to the URL used for\n\t// initial discovery.\n\t//\n\t// Note: Because of a known issue with Google Accounts' implementation\n\t// this value may differ when using Google.\n\t//\n\t// See: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo\n\tIssuer string\n\n\t// The client ID, or set of client IDs, that this token is issued for. For\n\t// common uses, this is the client that initialized the auth flow.\n\t//\n\t// This package ensures the audience contains an expected value.\n\tAudience []string\n\n\t// A unique string which identifies the end user.\n\tSubject string\n\n\t// Expiry of the token. Ths package will not process tokens that have\n\t// expired unless that validation is explicitly turned off.\n\tExpiry time.Time\n\t// When the token was issued by the provider.\n\tIssuedAt time.Time\n\n\t// Initial nonce provided during the authentication redirect.\n\t//\n\t// This package does NOT provided verification on the value of this field\n\t// and it's the user's responsibility to ensure it contains a valid value.\n\tNonce string\n\n\t// at_hash claim, if set in the ID token. Callers can verify an access token\n\t// that corresponds to the ID token using the VerifyAccessToken method.\n\tAccessTokenHash string\n\n\t// signature algorithm used for ID token, needed to compute a verification hash of an\n\t// access token\n\tsigAlgorithm string\n\n\t// Raw payload of the id_token.\n\tclaims []byte\n\n\t// Map of distributed claim names to claim sources\n\tdistributedClaims map[string]claimSource\n}\n\n// Claims unmarshals the raw JSON payload of the ID Token into a provided struct.\n//\n//\tidToken, err := idTokenVerifier.Verify(rawIDToken)\n//\tif err != nil {\n//\t\t// handle error\n//\t}\n//\tvar claims struct {\n//\t\tEmail string `json:\"email\"`\n//\t\tEmailVerified bool `json:\"email_verified\"`\n//\t}\n//\tif err := idToken.Claims(&claims); err != nil {\n//\t\t// handle error\n//\t}\nfunc (i *IDToken) Claims(v interface{}) error {\n\tif i.claims == nil {\n\t\treturn errors.New(\"oidc: claims not set\")\n\t}\n\treturn json.Unmarshal(i.claims, v)\n}\n\n// VerifyAccessToken verifies that the hash of the access token that corresponds to the iD token\n// matches the hash in the id token. It returns an error if the hashes don't match.\n// It is the caller's responsibility to ensure that the optional access token hash is present for the ID token\n// before calling this method. See https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken\nfunc (i *IDToken) VerifyAccessToken(accessToken string) error {\n\tif i.AccessTokenHash == \"\" {\n\t\treturn errNoAtHash\n\t}\n\tvar h hash.Hash\n\tswitch i.sigAlgorithm {\n\tcase RS256, ES256, PS256:\n\t\th = sha256.New()\n\tcase RS384, ES384, PS384:\n\t\th = sha512.New384()\n\tcase RS512, ES512, PS512, EdDSA:\n\t\th = sha512.New()\n\tdefault:\n\t\treturn fmt.Errorf(\"oidc: unsupported signing algorithm %q\", i.sigAlgorithm)\n\t}\n\th.Write([]byte(accessToken)) // hash documents that Write will never return an error\n\tsum := h.Sum(nil)[:h.Size()/2]\n\tactual := base64.RawURLEncoding.EncodeToString(sum)\n\tif actual != i.AccessTokenHash {\n\t\treturn errInvalidAtHash\n\t}\n\treturn nil\n}\n\ntype idToken struct {\n\tIssuer string `json:\"iss\"`\n\tSubject string `json:\"sub\"`\n\tAudience audience `json:\"aud\"`\n\tExpiry jsonTime `json:\"exp\"`\n\tIssuedAt jsonTime `json:\"iat\"`\n\tNotBefore *jsonTime `json:\"nbf\"`\n\tNonce string `json:\"nonce\"`\n\tAtHash string `json:\"at_hash\"`\n\tClaimNames map[string]string `json:\"_claim_names\"`\n\tClaimSources map[string]claimSource `json:\"_claim_sources\"`\n}\n\ntype claimSource struct {\n\tEndpoint string `json:\"endpoint\"`\n\tAccessToken string `json:\"access_token\"`\n}\n\ntype stringAsBool bool\n\nfunc (sb *stringAsBool) UnmarshalJSON(b []byte) error {\n\tswitch string(b) {\n\tcase \"true\", `\"true\"`:\n\t\t*sb = true\n\tcase \"false\", `\"false\"`:\n\t\t*sb = false\n\tdefault:\n\t\treturn errors.New(\"invalid value for boolean\")\n\t}\n\treturn nil\n}\n\ntype audience []string\n\nfunc (a *audience) UnmarshalJSON(b []byte) error {\n\tvar s string\n\tif json.Unmarshal(b, &s) == nil {\n\t\t*a = audience{s}\n\t\treturn nil\n\t}\n\tvar auds []string\n\tif err := json.Unmarshal(b, &auds); err != nil {\n\t\treturn err\n\t}\n\t*a = auds\n\treturn nil\n}\n\ntype jsonTime time.Time\n\nfunc (j *jsonTime) UnmarshalJSON(b []byte) error {\n\tvar n json.Number\n\tif err := json.Unmarshal(b, &n); err != nil {\n\t\treturn err\n\t}\n\tvar unix int64\n\n\tif t, err := n.Int64(); err == nil {\n\t\tunix = t\n\t} else {\n\t\tf, err := n.Float64()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tunix = int64(f)\n\t}\n\t*j = jsonTime(time.Unix(unix, 0))\n\treturn nil\n}\n\nfunc unmarshalResp(r *http.Response, body []byte, v interface{}) error {\n\terr := json.Unmarshal(body, &v)\n\tif err == nil {\n\t\treturn nil\n\t}\n\tct := r.Header.Get(\"Content-Type\")\n\tmediaType, _, parseErr := mime.ParseMediaType(ct)\n\tif parseErr == nil && mediaType == \"application/json\" {\n\t\treturn fmt.Errorf(\"got Content-Type = application/json, but could not unmarshal as JSON: %v\", err)\n\t}\n\treturn fmt.Errorf(\"expected Content-Type = application/json, got %q: %v\", ct, err)\n}\n" }, { "path": "vendor/github.com/coreos/go-oidc/v3/oidc/verify.go", "content": "package oidc\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"time\"\n\n\tjose \"github.com/go-jose/go-jose/v4\"\n\t\"golang.org/x/oauth2\"\n)\n\nconst (\n\tissuerGoogleAccounts = \"https://accounts.google.com\"\n\tissuerGoogleAccountsNoScheme = \"accounts.google.com\"\n)\n\n// TokenExpiredError indicates that Verify failed because the token was expired. This\n// error does NOT indicate that the token is not also invalid for other reasons. Other\n// checks might have failed if the expiration check had not failed.\ntype TokenExpiredError struct {\n\t// Expiry is the time when the token expired.\n\tExpiry time.Time\n}\n\nfunc (e *TokenExpiredError) Error() string {\n\treturn fmt.Sprintf(\"oidc: token is expired (Token Expiry: %v)\", e.Expiry)\n}\n\n// KeySet is a set of publc JSON Web Keys that can be used to validate the signature\n// of JSON web tokens. This is expected to be backed by a remote key set through\n// provider metadata discovery or an in-memory set of keys delivered out-of-band.\ntype KeySet interface {\n\t// VerifySignature parses the JSON web token, verifies the signature, and returns\n\t// the raw payload. Header and claim fields are validated by other parts of the\n\t// package. For example, the KeySet does not need to check values such as signature\n\t// algorithm, issuer, and audience since the IDTokenVerifier validates these values\n\t// independently.\n\t//\n\t// If VerifySignature makes HTTP requests to verify the token, it's expected to\n\t// use any HTTP client associated with the context through ClientContext.\n\tVerifySignature(ctx context.Context, jwt string) (payload []byte, err error)\n}\n\n// IDTokenVerifier provides verification for ID Tokens.\ntype IDTokenVerifier struct {\n\tkeySet KeySet\n\tconfig *Config\n\tissuer string\n}\n\n// NewVerifier returns a verifier manually constructed from a key set and issuer URL.\n//\n// It's easier to use provider discovery to construct an IDTokenVerifier than creating\n// one directly. This method is intended to be used with provider that don't support\n// metadata discovery, or avoiding round trips when the key set URL is already known.\n//\n// This constructor can be used to create a verifier directly using the issuer URL and\n// JSON Web Key Set URL without using discovery:\n//\n//\tkeySet := oidc.NewRemoteKeySet(ctx, \"https://www.googleapis.com/oauth2/v3/certs\")\n//\tverifier := oidc.NewVerifier(\"https://accounts.google.com\", keySet, config)\n//\n// Or a static key set (e.g. for testing):\n//\n//\tkeySet := &oidc.StaticKeySet{PublicKeys: []crypto.PublicKey{pub1, pub2}}\n//\tverifier := oidc.NewVerifier(\"https://accounts.google.com\", keySet, config)\nfunc NewVerifier(issuerURL string, keySet KeySet, config *Config) *IDTokenVerifier {\n\treturn &IDTokenVerifier{keySet: keySet, config: config, issuer: issuerURL}\n}\n\n// Config is the configuration for an IDTokenVerifier.\ntype Config struct {\n\t// Expected audience of the token. For a majority of the cases this is expected to be\n\t// the ID of the client that initialized the login flow. It may occasionally differ if\n\t// the provider supports the authorizing party (azp) claim.\n\t//\n\t// If not provided, users must explicitly set SkipClientIDCheck.\n\tClientID string\n\t// If specified, only this set of algorithms may be used to sign the JWT.\n\t//\n\t// If the IDTokenVerifier is created from a provider with (*Provider).Verifier, this\n\t// defaults to the set of algorithms the provider supports. Otherwise this values\n\t// defaults to RS256.\n\tSupportedSigningAlgs []string\n\n\t// If true, no ClientID check performed. Must be true if ClientID field is empty.\n\tSkipClientIDCheck bool\n\t// If true, token expiry is not checked.\n\tSkipExpiryCheck bool\n\n\t// SkipIssuerCheck is intended for specialized cases where the the caller wishes to\n\t// defer issuer validation. When enabled, callers MUST independently verify the Token's\n\t// Issuer is a known good value.\n\t//\n\t// Mismatched issuers often indicate client mis-configuration. If mismatches are\n\t// unexpected, evaluate if the provided issuer URL is incorrect instead of enabling\n\t// this option.\n\tSkipIssuerCheck bool\n\n\t// Time function to check Token expiry. Defaults to time.Now\n\tNow func() time.Time\n\n\t// InsecureSkipSignatureCheck causes this package to skip JWT signature validation.\n\t// It's intended for special cases where providers (such as Azure), use the \"none\"\n\t// algorithm.\n\t//\n\t// This option can only be enabled safely when the ID Token is received directly\n\t// from the provider after the token exchange.\n\t//\n\t// This option MUST NOT be used when receiving an ID Token from sources other\n\t// than the token endpoint.\n\tInsecureSkipSignatureCheck bool\n}\n\n// VerifierContext returns an IDTokenVerifier that uses the provider's key set to\n// verify JWTs. As opposed to Verifier, the context is used to configure requests\n// to the upstream JWKs endpoint. The provided context's cancellation is ignored.\nfunc (p *Provider) VerifierContext(ctx context.Context, config *Config) *IDTokenVerifier {\n\treturn p.newVerifier(NewRemoteKeySet(ctx, p.jwksURL), config)\n}\n\n// Verifier returns an IDTokenVerifier that uses the provider's key set to verify JWTs.\n//\n// The returned verifier uses a background context for all requests to the upstream\n// JWKs endpoint. To control that context, use VerifierContext instead.\nfunc (p *Provider) Verifier(config *Config) *IDTokenVerifier {\n\treturn p.newVerifier(p.remoteKeySet(), config)\n}\n\nfunc (p *Provider) newVerifier(keySet KeySet, config *Config) *IDTokenVerifier {\n\tif len(config.SupportedSigningAlgs) == 0 && len(p.algorithms) > 0 {\n\t\t// Make a copy so we don't modify the config values.\n\t\tcp := &Config{}\n\t\t*cp = *config\n\t\tcp.SupportedSigningAlgs = p.algorithms\n\t\tconfig = cp\n\t}\n\treturn NewVerifier(p.issuer, keySet, config)\n}\n\nfunc contains(sli []string, ele string) bool {\n\tfor _, s := range sli {\n\t\tif s == ele {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// Returns the Claims from the distributed JWT token\nfunc resolveDistributedClaim(ctx context.Context, verifier *IDTokenVerifier, src claimSource) ([]byte, error) {\n\treq, err := http.NewRequest(\"GET\", src.Endpoint, nil)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"malformed request: %v\", err)\n\t}\n\tif src.AccessToken != \"\" {\n\t\treq.Header.Set(\"Authorization\", \"Bearer \"+src.AccessToken)\n\t}\n\n\tresp, err := doRequest(ctx, req)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"oidc: Request to endpoint failed: %v\", err)\n\t}\n\tdefer resp.Body.Close()\n\n\tbody, err := io.ReadAll(resp.Body)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to read response body: %v\", err)\n\t}\n\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn nil, fmt.Errorf(\"oidc: request failed: %v\", resp.StatusCode)\n\t}\n\n\ttoken, err := verifier.Verify(ctx, string(body))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"malformed response body: %v\", err)\n\t}\n\n\treturn token.claims, nil\n}\n\n// Verify parses a raw ID Token, verifies it's been signed by the provider, performs\n// any additional checks depending on the Config, and returns the payload.\n//\n// Verify does NOT do nonce validation, which is the callers responsibility.\n//\n// See: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation\n//\n//\toauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get(\"code\"))\n//\tif err != nil {\n//\t // handle error\n//\t}\n//\n//\t// Extract the ID Token from oauth2 token.\n//\trawIDToken, ok := oauth2Token.Extra(\"id_token\").(string)\n//\tif !ok {\n//\t // handle error\n//\t}\n//\n//\ttoken, err := verifier.Verify(ctx, rawIDToken)\nfunc (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDToken, error) {\n\tvar supportedSigAlgs []jose.SignatureAlgorithm\n\tfor _, alg := range v.config.SupportedSigningAlgs {\n\t\tsupportedSigAlgs = append(supportedSigAlgs, jose.SignatureAlgorithm(alg))\n\t}\n\tif len(supportedSigAlgs) == 0 {\n\t\t// If no algorithms were specified by both the config and discovery, default\n\t\t// to the one mandatory algorithm \"RS256\".\n\t\tsupportedSigAlgs = []jose.SignatureAlgorithm{jose.RS256}\n\t}\n\tif v.config.InsecureSkipSignatureCheck {\n\t\t// \"none\" is a required value to even parse a JWT with the \"none\" algorithm\n\t\t// using go-jose.\n\t\tsupportedSigAlgs = append(supportedSigAlgs, \"none\")\n\t}\n\n\t// Parse and verify the signature first. This at least forces the user to have\n\t// a valid, signed ID token before we do any other processing.\n\tjws, err := jose.ParseSigned(rawIDToken, supportedSigAlgs)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"oidc: malformed jwt: %v\", err)\n\t}\n\tswitch len(jws.Signatures) {\n\tcase 0:\n\t\treturn nil, fmt.Errorf(\"oidc: id token not signed\")\n\tcase 1:\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"oidc: multiple signatures on id token not supported\")\n\t}\n\tsig := jws.Signatures[0]\n\n\tvar payload []byte\n\tif v.config.InsecureSkipSignatureCheck {\n\t\t// Yolo mode.\n\t\tpayload = jws.UnsafePayloadWithoutVerification()\n\t} else {\n\t\t// The JWT is attached here for the happy path to avoid the verifier from\n\t\t// having to parse the JWT twice.\n\t\tctx = context.WithValue(ctx, parsedJWTKey, jws)\n\t\tpayload, err = v.keySet.VerifySignature(ctx, rawIDToken)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to verify signature: %v\", err)\n\t\t}\n\t}\n\tvar token idToken\n\tif err := json.Unmarshal(payload, &token); err != nil {\n\t\treturn nil, fmt.Errorf(\"oidc: failed to unmarshal claims: %v\", err)\n\t}\n\n\tdistributedClaims := make(map[string]claimSource)\n\n\t//step through the token to map claim names to claim sources\"\n\tfor cn, src := range token.ClaimNames {\n\t\tif src == \"\" {\n\t\t\treturn nil, fmt.Errorf(\"oidc: failed to obtain source from claim name\")\n\t\t}\n\t\ts, ok := token.ClaimSources[src]\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"oidc: source does not exist\")\n\t\t}\n\t\tdistributedClaims[cn] = s\n\t}\n\n\tt := &IDToken{\n\t\tIssuer: token.Issuer,\n\t\tSubject: token.Subject,\n\t\tAudience: []string(token.Audience),\n\t\tExpiry: time.Time(token.Expiry),\n\t\tIssuedAt: time.Time(token.IssuedAt),\n\t\tNonce: token.Nonce,\n\t\tAccessTokenHash: token.AtHash,\n\t\tclaims: payload,\n\t\tdistributedClaims: distributedClaims,\n\t\tsigAlgorithm: sig.Header.Algorithm,\n\t}\n\n\t// Check issuer.\n\tif !v.config.SkipIssuerCheck && t.Issuer != v.issuer {\n\t\t// Google sometimes returns \"accounts.google.com\" as the issuer claim instead of\n\t\t// the required \"https://accounts.google.com\". Detect this case and allow it only\n\t\t// for Google.\n\t\t//\n\t\t// We will not add hooks to let other providers go off spec like this.\n\t\tif !(v.issuer == issuerGoogleAccounts && t.Issuer == issuerGoogleAccountsNoScheme) {\n\t\t\treturn nil, fmt.Errorf(\"oidc: id token issued by a different provider, expected %q got %q\", v.issuer, t.Issuer)\n\t\t}\n\t}\n\n\t// If a client ID has been provided, make sure it's part of the audience. SkipClientIDCheck must be true if ClientID is empty.\n\t//\n\t// This check DOES NOT ensure that the ClientID is the party to which the ID Token was issued (i.e. Authorized party).\n\tif !v.config.SkipClientIDCheck {\n\t\tif v.config.ClientID != \"\" {\n\t\t\tif !contains(t.Audience, v.config.ClientID) {\n\t\t\t\treturn nil, fmt.Errorf(\"oidc: expected audience %q got %q\", v.config.ClientID, t.Audience)\n\t\t\t}\n\t\t} else {\n\t\t\treturn nil, fmt.Errorf(\"oidc: invalid configuration, clientID must be provided or SkipClientIDCheck must be set\")\n\t\t}\n\t}\n\n\t// If a SkipExpiryCheck is false, make sure token is not expired.\n\tif !v.config.SkipExpiryCheck {\n\t\tnow := time.Now\n\t\tif v.config.Now != nil {\n\t\t\tnow = v.config.Now\n\t\t}\n\t\tnowTime := now()\n\n\t\tif t.Expiry.Before(nowTime) {\n\t\t\treturn nil, &TokenExpiredError{Expiry: t.Expiry}\n\t\t}\n\n\t\t// If nbf claim is provided in token, ensure that it is indeed in the past.\n\t\tif token.NotBefore != nil {\n\t\t\tnbfTime := time.Time(*token.NotBefore)\n\t\t\t// Set to 5 minutes since this is what other OpenID Connect providers do to deal with clock skew.\n\t\t\t// https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/6.12.2/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L149-L153\n\t\t\tleeway := 5 * time.Minute\n\n\t\t\tif nowTime.Add(leeway).Before(nbfTime) {\n\t\t\t\treturn nil, fmt.Errorf(\"oidc: current time %v before the nbf (not before) time: %v\", nowTime, nbfTime)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn t, nil\n}\n\n// Nonce returns an auth code option which requires the ID Token created by the\n// OpenID Connect provider to contain the specified nonce.\nfunc Nonce(nonce string) oauth2.AuthCodeOption {\n\treturn oauth2.SetAuthURLParam(\"nonce\", nonce)\n}\n" }, { "path": "vendor/github.com/coreos/go-systemd/v22/LICENSE", "content": "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/\n\nTERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n1. Definitions.\n\n\"License\" shall mean the terms and conditions for use, reproduction, and\ndistribution as defined by Sections 1 through 9 of this document.\n\n\"Licensor\" shall mean the copyright owner or entity authorized by the copyright\nowner that is granting the License.\n\n\"Legal Entity\" shall mean the union of the acting entity and all other entities\nthat control, are controlled by, or are under common control with that entity.\nFor the purposes of this definition, \"control\" means (i) the power, direct or\nindirect, to cause the direction or management of such entity, whether by\ncontract or otherwise, or (ii) ownership of fifty percent (50%) or more of the\noutstanding shares, or (iii) beneficial ownership of such entity.\n\n\"You\" (or \"Your\") shall mean an individual or Legal Entity exercising\npermissions granted by this License.\n\n\"Source\" form shall mean the preferred form for making modifications, including\nbut not limited to software source code, documentation source, and configuration\nfiles.\n\n\"Object\" form shall mean any form resulting from mechanical transformation or\ntranslation of a Source form, including but not limited to compiled object code,\ngenerated documentation, and conversions to other media types.\n\n\"Work\" shall mean the work of authorship, whether in Source or Object form, made\navailable under the License, as indicated by a copyright notice that is included\nin or attached to the work (an example is provided in the Appendix below).\n\n\"Derivative Works\" shall mean any work, whether in Source or Object form, that\nis based on (or derived from) the Work and for which the editorial revisions,\nannotations, elaborations, or other modifications represent, as a whole, an\noriginal work of authorship. For the purposes of this License, Derivative Works\nshall not include works that remain separable from, or merely link (or bind by\nname) to the interfaces of, the Work and Derivative Works thereof.\n\n\"Contribution\" shall mean any work of authorship, including the original version\nof the Work and any modifications or additions to that Work or Derivative Works\nthereof, that is intentionally submitted to Licensor for inclusion in the Work\nby the copyright owner or by an individual or Legal Entity authorized to submit\non behalf of the copyright owner. For the purposes of this definition,\n\"submitted\" means any form of electronic, verbal, or written communication sent\nto the Licensor or its representatives, including but not limited to\ncommunication on electronic mailing lists, source code control systems, and\nissue tracking systems that are managed by, or on behalf of, the Licensor for\nthe purpose of discussing and improving the Work, but excluding communication\nthat is conspicuously marked or otherwise designated in writing by the copyright\nowner as \"Not a Contribution.\"\n\n\"Contributor\" shall mean Licensor and any individual or Legal Entity on behalf\nof whom a Contribution has been received by Licensor and subsequently\nincorporated within the Work.\n\n2. Grant of Copyright License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable copyright license to reproduce, prepare Derivative Works of,\npublicly display, publicly perform, sublicense, and distribute the Work and such\nDerivative Works in Source or Object form.\n\n3. Grant of Patent License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable (except as stated in this section) patent license to make, have\nmade, use, offer to sell, sell, import, and otherwise transfer the Work, where\nsuch license applies only to those patent claims licensable by such Contributor\nthat are necessarily infringed by their Contribution(s) alone or by combination\nof their Contribution(s) with the Work to which such Contribution(s) was\nsubmitted. If You institute patent litigation against any entity (including a\ncross-claim or counterclaim in a lawsuit) alleging that the Work or a\nContribution incorporated within the Work constitutes direct or contributory\npatent infringement, then any patent licenses granted to You under this License\nfor that Work shall terminate as of the date such litigation is filed.\n\n4. Redistribution.\n\nYou may reproduce and distribute copies of the Work or Derivative Works thereof\nin any medium, with or without modifications, and in Source or Object form,\nprovided that You meet the following conditions:\n\nYou must give any other recipients of the Work or Derivative Works a copy of\nthis License; and\nYou must cause any modified files to carry prominent notices stating that You\nchanged the files; and\nYou must retain, in the Source form of any Derivative Works that You distribute,\nall copyright, patent, trademark, and attribution notices from the Source form\nof the Work, excluding those notices that do not pertain to any part of the\nDerivative Works; and\nIf the Work includes a \"NOTICE\" text file as part of its distribution, then any\nDerivative Works that You distribute must include a readable copy of the\nattribution notices contained within such NOTICE file, excluding those notices\nthat do not pertain to any part of the Derivative Works, in at least one of the\nfollowing places: within a NOTICE text file distributed as part of the\nDerivative Works; within the Source form or documentation, if provided along\nwith the Derivative Works; or, within a display generated by the Derivative\nWorks, if and wherever such third-party notices normally appear. The contents of\nthe NOTICE file are for informational purposes only and do not modify the\nLicense. You may add Your own attribution notices within Derivative Works that\nYou distribute, alongside or as an addendum to the NOTICE text from the Work,\nprovided that such additional attribution notices cannot be construed as\nmodifying the License.\nYou may add Your own copyright statement to Your modifications and may provide\nadditional or different license terms and conditions for use, reproduction, or\ndistribution of Your modifications, or for any such Derivative Works as a whole,\nprovided Your use, reproduction, and distribution of the Work otherwise complies\nwith the conditions stated in this License.\n\n5. Submission of Contributions.\n\nUnless You explicitly state otherwise, any Contribution intentionally submitted\nfor inclusion in the Work by You to the Licensor shall be under the terms and\nconditions of this License, without any additional terms or conditions.\nNotwithstanding the above, nothing herein shall supersede or modify the terms of\nany separate license agreement you may have executed with Licensor regarding\nsuch Contributions.\n\n6. Trademarks.\n\nThis License does not grant permission to use the trade names, trademarks,\nservice marks, or product names of the Licensor, except as required for\nreasonable and customary use in describing the origin of the Work and\nreproducing the content of the NOTICE file.\n\n7. Disclaimer of Warranty.\n\nUnless required by applicable law or agreed to in writing, Licensor provides the\nWork (and each Contributor provides its Contributions) on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,\nincluding, without limitation, any warranties or conditions of TITLE,\nNON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are\nsolely responsible for determining the appropriateness of using or\nredistributing the Work and assume any risks associated with Your exercise of\npermissions under this License.\n\n8. Limitation of Liability.\n\nIn no event and under no legal theory, whether in tort (including negligence),\ncontract, or otherwise, unless required by applicable law (such as deliberate\nand grossly negligent acts) or agreed to in writing, shall any Contributor be\nliable to You for damages, including any direct, indirect, special, incidental,\nor consequential damages of any character arising as a result of this License or\nout of the use or inability to use the Work (including but not limited to\ndamages for loss of goodwill, work stoppage, computer failure or malfunction, or\nany and all other commercial damages or losses), even if such Contributor has\nbeen advised of the possibility of such damages.\n\n9. Accepting Warranty or Additional Liability.\n\nWhile redistributing the Work or Derivative Works thereof, You may choose to\noffer, and charge a fee for, acceptance of support, warranty, indemnity, or\nother liability obligations and/or rights consistent with this License. However,\nin accepting such obligations, You may act only on Your own behalf and on Your\nsole responsibility, not on behalf of any other Contributor, and only if You\nagree to indemnify, defend, and hold each Contributor harmless for any liability\nincurred by, or claims asserted against, such Contributor by reason of your\naccepting any such warranty or additional liability.\n\nEND OF TERMS AND CONDITIONS\n\nAPPENDIX: How to apply the Apache License to your work\n\nTo apply the Apache License to your work, attach the following boilerplate\nnotice, with the fields enclosed by brackets \"[]\" replaced with your own\nidentifying information. (Don't include the brackets!) The text should be\nenclosed in the appropriate comment syntax for the file format. We also\nrecommend that a file or class name and description of purpose be included on\nthe same \"printed page\" as the copyright notice for easier identification within\nthird-party archives.\n\n Copyright [yyyy] [name of copyright owner]\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n" }, { "path": "vendor/github.com/coreos/go-systemd/v22/NOTICE", "content": "CoreOS Project\nCopyright 2018 CoreOS, Inc\n\nThis product includes software developed at CoreOS, Inc.\n(http://www.coreos.com/).\n" }, { "path": "vendor/github.com/coreos/go-systemd/v22/daemon/sdnotify.go", "content": "// Copyright 2014 Docker, Inc.\n// Copyright 2015-2018 CoreOS, Inc.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n//\n\n// Package daemon provides a Go implementation of the sd_notify protocol.\n// It can be used to inform systemd of service start-up completion, watchdog\n// events, and other status changes.\n//\n// https://www.freedesktop.org/software/systemd/man/sd_notify.html#Description\npackage daemon\n\nimport (\n\t\"net\"\n\t\"os\"\n)\n\nconst (\n\t// SdNotifyReady tells the service manager that service startup is finished\n\t// or the service finished loading its configuration.\n\tSdNotifyReady = \"READY=1\"\n\n\t// SdNotifyStopping tells the service manager that the service is beginning\n\t// its shutdown.\n\tSdNotifyStopping = \"STOPPING=1\"\n\n\t// SdNotifyReloading tells the service manager that this service is\n\t// reloading its configuration. Note that you must call SdNotifyReady when\n\t// it completed reloading.\n\tSdNotifyReloading = \"RELOADING=1\"\n\n\t// SdNotifyWatchdog tells the service manager to update the watchdog\n\t// timestamp for the service.\n\tSdNotifyWatchdog = \"WATCHDOG=1\"\n)\n\n// SdNotify sends a message to the init daemon. It is common to ignore the error.\n// If `unsetEnvironment` is true, the environment variable `NOTIFY_SOCKET`\n// will be unconditionally unset.\n//\n// It returns one of the following:\n// (false, nil) - notification not supported (i.e. NOTIFY_SOCKET is unset)\n// (false, err) - notification supported, but failure happened (e.g. error connecting to NOTIFY_SOCKET or while sending data)\n// (true, nil) - notification supported, data has been sent\nfunc SdNotify(unsetEnvironment bool, state string) (bool, error) {\n\tsocketAddr := &net.UnixAddr{\n\t\tName: os.Getenv(\"NOTIFY_SOCKET\"),\n\t\tNet: \"unixgram\",\n\t}\n\n\t// NOTIFY_SOCKET not set\n\tif socketAddr.Name == \"\" {\n\t\treturn false, nil\n\t}\n\n\tif unsetEnvironment {\n\t\tif err := os.Unsetenv(\"NOTIFY_SOCKET\"); err != nil {\n\t\t\treturn false, err\n\t\t}\n\t}\n\n\tconn, err := net.DialUnix(socketAddr.Net, nil, socketAddr)\n\t// Error connecting to NOTIFY_SOCKET\n\tif err != nil {\n\t\treturn false, err\n\t}\n\tdefer conn.Close()\n\n\tif _, err = conn.Write([]byte(state)); err != nil {\n\t\treturn false, err\n\t}\n\treturn true, nil\n}\n" }, { "path": "vendor/github.com/coreos/go-systemd/v22/daemon/watchdog.go", "content": "// Copyright 2016 CoreOS, Inc.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage daemon\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"strconv\"\n\t\"time\"\n)\n\n// SdWatchdogEnabled returns watchdog information for a service.\n// Processes should call daemon.SdNotify(false, daemon.SdNotifyWatchdog) every\n// time / 2.\n// If `unsetEnvironment` is true, the environment variables `WATCHDOG_USEC` and\n// `WATCHDOG_PID` will be unconditionally unset.\n//\n// It returns one of the following:\n// (0, nil) - watchdog isn't enabled or we aren't the watched PID.\n// (0, err) - an error happened (e.g. error converting time).\n// (time, nil) - watchdog is enabled and we can send ping. time is delay\n// before inactive service will be killed.\nfunc SdWatchdogEnabled(unsetEnvironment bool) (time.Duration, error) {\n\twusec := os.Getenv(\"WATCHDOG_USEC\")\n\twpid := os.Getenv(\"WATCHDOG_PID\")\n\tif unsetEnvironment {\n\t\twusecErr := os.Unsetenv(\"WATCHDOG_USEC\")\n\t\twpidErr := os.Unsetenv(\"WATCHDOG_PID\")\n\t\tif wusecErr != nil {\n\t\t\treturn 0, wusecErr\n\t\t}\n\t\tif wpidErr != nil {\n\t\t\treturn 0, wpidErr\n\t\t}\n\t}\n\n\tif wusec == \"\" {\n\t\treturn 0, nil\n\t}\n\ts, err := strconv.Atoi(wusec)\n\tif err != nil {\n\t\treturn 0, fmt.Errorf(\"error converting WATCHDOG_USEC: %s\", err)\n\t}\n\tif s <= 0 {\n\t\treturn 0, fmt.Errorf(\"error WATCHDOG_USEC must be a positive number\")\n\t}\n\tinterval := time.Duration(s) * time.Microsecond\n\n\tif wpid == \"\" {\n\t\treturn interval, nil\n\t}\n\tp, err := strconv.Atoi(wpid)\n\tif err != nil {\n\t\treturn 0, fmt.Errorf(\"error converting WATCHDOG_PID: %s\", err)\n\t}\n\tif os.Getpid() != p {\n\t\treturn 0, nil\n\t}\n\n\treturn interval, nil\n}\n" }, { "path": "vendor/github.com/cpuguy83/go-md2man/v2/LICENSE.md", "content": "The MIT License (MIT)\n\nCopyright (c) 2014 Brian Goff\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n" }, { "path": "vendor/github.com/cpuguy83/go-md2man/v2/md2man/md2man.go", "content": "package md2man\n\nimport (\n\t\"github.com/russross/blackfriday/v2\"\n)\n\n// Render converts a markdown document into a roff formatted document.\nfunc Render(doc []byte) []byte {\n\trenderer := NewRoffRenderer()\n\n\treturn blackfriday.Run(doc,\n\t\t[]blackfriday.Option{blackfriday.WithRenderer(renderer),\n\t\t\tblackfriday.WithExtensions(renderer.GetExtensions())}...)\n}\n" }, { "path": "vendor/github.com/cpuguy83/go-md2man/v2/md2man/roff.go", "content": "package md2man\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"strings\"\n\n\t\"github.com/russross/blackfriday/v2\"\n)\n\n// roffRenderer implements the blackfriday.Renderer interface for creating\n// roff format (manpages) from markdown text\ntype roffRenderer struct {\n\textensions blackfriday.Extensions\n\tlistCounters []int\n\tfirstHeader bool\n\tdefineTerm bool\n\tlistDepth int\n}\n\nconst (\n\ttitleHeader = \".TH \"\n\ttopLevelHeader = \"\\n\\n.SH \"\n\tsecondLevelHdr = \"\\n.SH \"\n\totherHeader = \"\\n.SS \"\n\tcrTag = \"\\n\"\n\temphTag = \"\\\\fI\"\n\temphCloseTag = \"\\\\fP\"\n\tstrongTag = \"\\\\fB\"\n\tstrongCloseTag = \"\\\\fP\"\n\tbreakTag = \"\\n.br\\n\"\n\tparaTag = \"\\n.PP\\n\"\n\thruleTag = \"\\n.ti 0\\n\\\\l'\\\\n(.lu'\\n\"\n\tlinkTag = \"\\n\\\\[la]\"\n\tlinkCloseTag = \"\\\\[ra]\"\n\tcodespanTag = \"\\\\fB\\\\fC\"\n\tcodespanCloseTag = \"\\\\fR\"\n\tcodeTag = \"\\n.PP\\n.RS\\n\\n.nf\\n\"\n\tcodeCloseTag = \"\\n.fi\\n.RE\\n\"\n\tquoteTag = \"\\n.PP\\n.RS\\n\"\n\tquoteCloseTag = \"\\n.RE\\n\"\n\tlistTag = \"\\n.RS\\n\"\n\tlistCloseTag = \"\\n.RE\\n\"\n\targlistTag = \"\\n.TP\\n\"\n\ttableStart = \"\\n.TS\\nallbox;\\n\"\n\ttableEnd = \".TE\\n\"\n\ttableCellStart = \"T{\\n\"\n\ttableCellEnd = \"\\nT}\\n\"\n)\n\n// NewRoffRenderer creates a new blackfriday Renderer for generating roff documents\n// from markdown\nfunc NewRoffRenderer() *roffRenderer { // nolint: golint\n\tvar extensions blackfriday.Extensions\n\n\textensions |= blackfriday.NoIntraEmphasis\n\textensions |= blackfriday.Tables\n\textensions |= blackfriday.FencedCode\n\textensions |= blackfriday.SpaceHeadings\n\textensions |= blackfriday.Footnotes\n\textensions |= blackfriday.Titleblock\n\textensions |= blackfriday.DefinitionLists\n\treturn &roffRenderer{\n\t\textensions: extensions,\n\t}\n}\n\n// GetExtensions returns the list of extensions used by this renderer implementation\nfunc (r *roffRenderer) GetExtensions() blackfriday.Extensions {\n\treturn r.extensions\n}\n\n// RenderHeader handles outputting the header at document start\nfunc (r *roffRenderer) RenderHeader(w io.Writer, ast *blackfriday.Node) {\n\t// disable hyphenation\n\tout(w, \".nh\\n\")\n}\n\n// RenderFooter handles outputting the footer at the document end; the roff\n// renderer has no footer information\nfunc (r *roffRenderer) RenderFooter(w io.Writer, ast *blackfriday.Node) {\n}\n\n// RenderNode is called for each node in a markdown document; based on the node\n// type the equivalent roff output is sent to the writer\nfunc (r *roffRenderer) RenderNode(w io.Writer, node *blackfriday.Node, entering bool) blackfriday.WalkStatus {\n\n\tvar walkAction = blackfriday.GoToNext\n\n\tswitch node.Type {\n\tcase blackfriday.Text:\n\t\tr.handleText(w, node, entering)\n\tcase blackfriday.Softbreak:\n\t\tout(w, crTag)\n\tcase blackfriday.Hardbreak:\n\t\tout(w, breakTag)\n\tcase blackfriday.Emph:\n\t\tif entering {\n\t\t\tout(w, emphTag)\n\t\t} else {\n\t\t\tout(w, emphCloseTag)\n\t\t}\n\tcase blackfriday.Strong:\n\t\tif entering {\n\t\t\tout(w, strongTag)\n\t\t} else {\n\t\t\tout(w, strongCloseTag)\n\t\t}\n\tcase blackfriday.Link:\n\t\tif !entering {\n\t\t\tout(w, linkTag+string(node.LinkData.Destination)+linkCloseTag)\n\t\t}\n\tcase blackfriday.Image:\n\t\t// ignore images\n\t\twalkAction = blackfriday.SkipChildren\n\tcase blackfriday.Code:\n\t\tout(w, codespanTag)\n\t\tescapeSpecialChars(w, node.Literal)\n\t\tout(w, codespanCloseTag)\n\tcase blackfriday.Document:\n\t\tbreak\n\tcase blackfriday.Paragraph:\n\t\t// roff .PP markers break lists\n\t\tif r.listDepth > 0 {\n\t\t\treturn blackfriday.GoToNext\n\t\t}\n\t\tif entering {\n\t\t\tout(w, paraTag)\n\t\t} else {\n\t\t\tout(w, crTag)\n\t\t}\n\tcase blackfriday.BlockQuote:\n\t\tif entering {\n\t\t\tout(w, quoteTag)\n\t\t} else {\n\t\t\tout(w, quoteCloseTag)\n\t\t}\n\tcase blackfriday.Heading:\n\t\tr.handleHeading(w, node, entering)\n\tcase blackfriday.HorizontalRule:\n\t\tout(w, hruleTag)\n\tcase blackfriday.List:\n\t\tr.handleList(w, node, entering)\n\tcase blackfriday.Item:\n\t\tr.handleItem(w, node, entering)\n\tcase blackfriday.CodeBlock:\n\t\tout(w, codeTag)\n\t\tescapeSpecialChars(w, node.Literal)\n\t\tout(w, codeCloseTag)\n\tcase blackfriday.Table:\n\t\tr.handleTable(w, node, entering)\n\tcase blackfriday.TableCell:\n\t\tr.handleTableCell(w, node, entering)\n\tcase blackfriday.TableHead:\n\tcase blackfriday.TableBody:\n\tcase blackfriday.TableRow:\n\t\t// no action as cell entries do all the nroff formatting\n\t\treturn blackfriday.GoToNext\n\tdefault:\n\t\tfmt.Fprintln(os.Stderr, \"WARNING: go-md2man does not handle node type \"+node.Type.String())\n\t}\n\treturn walkAction\n}\n\nfunc (r *roffRenderer) handleText(w io.Writer, node *blackfriday.Node, entering bool) {\n\tvar (\n\t\tstart, end string\n\t)\n\t// handle special roff table cell text encapsulation\n\tif node.Parent.Type == blackfriday.TableCell {\n\t\tif len(node.Literal) > 30 {\n\t\t\tstart = tableCellStart\n\t\t\tend = tableCellEnd\n\t\t} else {\n\t\t\t// end rows that aren't terminated by \"tableCellEnd\" with a cr if end of row\n\t\t\tif node.Parent.Next == nil && !node.Parent.IsHeader {\n\t\t\t\tend = crTag\n\t\t\t}\n\t\t}\n\t}\n\tout(w, start)\n\tescapeSpecialChars(w, node.Literal)\n\tout(w, end)\n}\n\nfunc (r *roffRenderer) handleHeading(w io.Writer, node *blackfriday.Node, entering bool) {\n\tif entering {\n\t\tswitch node.Level {\n\t\tcase 1:\n\t\t\tif !r.firstHeader {\n\t\t\t\tout(w, titleHeader)\n\t\t\t\tr.firstHeader = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tout(w, topLevelHeader)\n\t\tcase 2:\n\t\t\tout(w, secondLevelHdr)\n\t\tdefault:\n\t\t\tout(w, otherHeader)\n\t\t}\n\t}\n}\n\nfunc (r *roffRenderer) handleList(w io.Writer, node *blackfriday.Node, entering bool) {\n\topenTag := listTag\n\tcloseTag := listCloseTag\n\tif node.ListFlags&blackfriday.ListTypeDefinition != 0 {\n\t\t// tags for definition lists handled within Item node\n\t\topenTag = \"\"\n\t\tcloseTag = \"\"\n\t}\n\tif entering {\n\t\tr.listDepth++\n\t\tif node.ListFlags&blackfriday.ListTypeOrdered != 0 {\n\t\t\tr.listCounters = append(r.listCounters, 1)\n\t\t}\n\t\tout(w, openTag)\n\t} else {\n\t\tif node.ListFlags&blackfriday.ListTypeOrdered != 0 {\n\t\t\tr.listCounters = r.listCounters[:len(r.listCounters)-1]\n\t\t}\n\t\tout(w, closeTag)\n\t\tr.listDepth--\n\t}\n}\n\nfunc (r *roffRenderer) handleItem(w io.Writer, node *blackfriday.Node, entering bool) {\n\tif entering {\n\t\tif node.ListFlags&blackfriday.ListTypeOrdered != 0 {\n\t\t\tout(w, fmt.Sprintf(\".IP \\\"%3d.\\\" 5\\n\", r.listCounters[len(r.listCounters)-1]))\n\t\t\tr.listCounters[len(r.listCounters)-1]++\n\t\t} else if node.ListFlags&blackfriday.ListTypeDefinition != 0 {\n\t\t\t// state machine for handling terms and following definitions\n\t\t\t// since blackfriday does not distinguish them properly, nor\n\t\t\t// does it seperate them into separate lists as it should\n\t\t\tif !r.defineTerm {\n\t\t\t\tout(w, arglistTag)\n\t\t\t\tr.defineTerm = true\n\t\t\t} else {\n\t\t\t\tr.defineTerm = false\n\t\t\t}\n\t\t} else {\n\t\t\tout(w, \".IP \\\\(bu 2\\n\")\n\t\t}\n\t} else {\n\t\tout(w, \"\\n\")\n\t}\n}\n\nfunc (r *roffRenderer) handleTable(w io.Writer, node *blackfriday.Node, entering bool) {\n\tif entering {\n\t\tout(w, tableStart)\n\t\t//call walker to count cells (and rows?) so format section can be produced\n\t\tcolumns := countColumns(node)\n\t\tout(w, strings.Repeat(\"l \", columns)+\"\\n\")\n\t\tout(w, strings.Repeat(\"l \", columns)+\".\\n\")\n\t} else {\n\t\tout(w, tableEnd)\n\t}\n}\n\nfunc (r *roffRenderer) handleTableCell(w io.Writer, node *blackfriday.Node, entering bool) {\n\tvar (\n\t\tstart, end string\n\t)\n\tif node.IsHeader {\n\t\tstart = codespanTag\n\t\tend = codespanCloseTag\n\t}\n\tif entering {\n\t\tif node.Prev != nil && node.Prev.Type == blackfriday.TableCell {\n\t\t\tout(w, \"\\t\"+start)\n\t\t} else {\n\t\t\tout(w, start)\n\t\t}\n\t} else {\n\t\t// need to carriage return if we are at the end of the header row\n\t\tif node.IsHeader && node.Next == nil {\n\t\t\tend = end + crTag\n\t\t}\n\t\tout(w, end)\n\t}\n}\n\n// because roff format requires knowing the column count before outputting any table\n// data we need to walk a table tree and count the columns\nfunc countColumns(node *blackfriday.Node) int {\n\tvar columns int\n\n\tnode.Walk(func(node *blackfriday.Node, entering bool) blackfriday.WalkStatus {\n\t\tswitch node.Type {\n\t\tcase blackfriday.TableRow:\n\t\t\tif !entering {\n\t\t\t\treturn blackfriday.Terminate\n\t\t\t}\n\t\tcase blackfriday.TableCell:\n\t\t\tif entering {\n\t\t\t\tcolumns++\n\t\t\t}\n\t\tdefault:\n\t\t}\n\t\treturn blackfriday.GoToNext\n\t})\n\treturn columns\n}\n\nfunc out(w io.Writer, output string) {\n\tio.WriteString(w, output) // nolint: errcheck\n}\n\nfunc needsBackslash(c byte) bool {\n\tfor _, r := range []byte(\"-_&\\\\~\") {\n\t\tif c == r {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc escapeSpecialChars(w io.Writer, text []byte) {\n\tfor i := 0; i < len(text); i++ {\n\t\t// escape initial apostrophe or period\n\t\tif len(text) >= 1 && (text[0] == '\\'' || text[0] == '.') {\n\t\t\tout(w, \"\\\\&\")\n\t\t}\n\n\t\t// directly copy normal characters\n\t\torg := i\n\n\t\tfor i < len(text) && !needsBackslash(text[i]) {\n\t\t\ti++\n\t\t}\n\t\tif i > org {\n\t\t\tw.Write(text[org:i]) // nolint: errcheck\n\t\t}\n\n\t\t// escape a character\n\t\tif i >= len(text) {\n\t\t\tbreak\n\t\t}\n\n\t\tw.Write([]byte{'\\\\', text[i]}) // nolint: errcheck\n\t}\n}\n" }, { "path": "vendor/github.com/davecgh/go-spew/LICENSE", "content": "ISC License\n\nCopyright (c) 2012-2016 Dave Collins \n\nPermission to use, copy, modify, and/or distribute this software for any\npurpose with or without fee is hereby granted, provided that the above\ncopyright notice and this permission notice appear in all copies.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\nWITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\nANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\nWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\nACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\nOR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n" }, { "path": "vendor/github.com/davecgh/go-spew/spew/bypass.go", "content": "// Copyright (c) 2015-2016 Dave Collins \n//\n// Permission to use, copy, modify, and distribute this software for any\n// purpose with or without fee is hereby granted, provided that the above\n// copyright notice and this permission notice appear in all copies.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\n// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\n// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\n// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n\n// NOTE: Due to the following build constraints, this file will only be compiled\n// when the code is not running on Google App Engine, compiled by GopherJS, and\n// \"-tags safe\" is not added to the go build command line. The \"disableunsafe\"\n// tag is deprecated and thus should not be used.\n// Go versions prior to 1.4 are disabled because they use a different layout\n// for interfaces which make the implementation of unsafeReflectValue more complex.\n// +build !js,!appengine,!safe,!disableunsafe,go1.4\n\npackage spew\n\nimport (\n\t\"reflect\"\n\t\"unsafe\"\n)\n\nconst (\n\t// UnsafeDisabled is a build-time constant which specifies whether or\n\t// not access to the unsafe package is available.\n\tUnsafeDisabled = false\n\n\t// ptrSize is the size of a pointer on the current arch.\n\tptrSize = unsafe.Sizeof((*byte)(nil))\n)\n\ntype flag uintptr\n\nvar (\n\t// flagRO indicates whether the value field of a reflect.Value\n\t// is read-only.\n\tflagRO flag\n\n\t// flagAddr indicates whether the address of the reflect.Value's\n\t// value may be taken.\n\tflagAddr flag\n)\n\n// flagKindMask holds the bits that make up the kind\n// part of the flags field. In all the supported versions,\n// it is in the lower 5 bits.\nconst flagKindMask = flag(0x1f)\n\n// Different versions of Go have used different\n// bit layouts for the flags type. This table\n// records the known combinations.\nvar okFlags = []struct {\n\tro, addr flag\n}{{\n\t// From Go 1.4 to 1.5\n\tro: 1 << 5,\n\taddr: 1 << 7,\n}, {\n\t// Up to Go tip.\n\tro: 1<<5 | 1<<6,\n\taddr: 1 << 8,\n}}\n\nvar flagValOffset = func() uintptr {\n\tfield, ok := reflect.TypeOf(reflect.Value{}).FieldByName(\"flag\")\n\tif !ok {\n\t\tpanic(\"reflect.Value has no flag field\")\n\t}\n\treturn field.Offset\n}()\n\n// flagField returns a pointer to the flag field of a reflect.Value.\nfunc flagField(v *reflect.Value) *flag {\n\treturn (*flag)(unsafe.Pointer(uintptr(unsafe.Pointer(v)) + flagValOffset))\n}\n\n// unsafeReflectValue converts the passed reflect.Value into a one that bypasses\n// the typical safety restrictions preventing access to unaddressable and\n// unexported data. It works by digging the raw pointer to the underlying\n// value out of the protected value and generating a new unprotected (unsafe)\n// reflect.Value to it.\n//\n// This allows us to check for implementations of the Stringer and error\n// interfaces to be used for pretty printing ordinarily unaddressable and\n// inaccessible values such as unexported struct fields.\nfunc unsafeReflectValue(v reflect.Value) reflect.Value {\n\tif !v.IsValid() || (v.CanInterface() && v.CanAddr()) {\n\t\treturn v\n\t}\n\tflagFieldPtr := flagField(&v)\n\t*flagFieldPtr &^= flagRO\n\t*flagFieldPtr |= flagAddr\n\treturn v\n}\n\n// Sanity checks against future reflect package changes\n// to the type or semantics of the Value.flag field.\nfunc init() {\n\tfield, ok := reflect.TypeOf(reflect.Value{}).FieldByName(\"flag\")\n\tif !ok {\n\t\tpanic(\"reflect.Value has no flag field\")\n\t}\n\tif field.Type.Kind() != reflect.TypeOf(flag(0)).Kind() {\n\t\tpanic(\"reflect.Value flag field has changed kind\")\n\t}\n\ttype t0 int\n\tvar t struct {\n\t\tA t0\n\t\t// t0 will have flagEmbedRO set.\n\t\tt0\n\t\t// a will have flagStickyRO set\n\t\ta t0\n\t}\n\tvA := reflect.ValueOf(t).FieldByName(\"A\")\n\tva := reflect.ValueOf(t).FieldByName(\"a\")\n\tvt0 := reflect.ValueOf(t).FieldByName(\"t0\")\n\n\t// Infer flagRO from the difference between the flags\n\t// for the (otherwise identical) fields in t.\n\tflagPublic := *flagField(&vA)\n\tflagWithRO := *flagField(&va) | *flagField(&vt0)\n\tflagRO = flagPublic ^ flagWithRO\n\n\t// Infer flagAddr from the difference between a value\n\t// taken from a pointer and not.\n\tvPtrA := reflect.ValueOf(&t).Elem().FieldByName(\"A\")\n\tflagNoPtr := *flagField(&vA)\n\tflagPtr := *flagField(&vPtrA)\n\tflagAddr = flagNoPtr ^ flagPtr\n\n\t// Check that the inferred flags tally with one of the known versions.\n\tfor _, f := range okFlags {\n\t\tif flagRO == f.ro && flagAddr == f.addr {\n\t\t\treturn\n\t\t}\n\t}\n\tpanic(\"reflect.Value read-only flag has changed semantics\")\n}\n" }, { "path": "vendor/github.com/davecgh/go-spew/spew/bypasssafe.go", "content": "// Copyright (c) 2015-2016 Dave Collins \n//\n// Permission to use, copy, modify, and distribute this software for any\n// purpose with or without fee is hereby granted, provided that the above\n// copyright notice and this permission notice appear in all copies.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\n// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\n// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\n// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n\n// NOTE: Due to the following build constraints, this file will only be compiled\n// when the code is running on Google App Engine, compiled by GopherJS, or\n// \"-tags safe\" is added to the go build command line. The \"disableunsafe\"\n// tag is deprecated and thus should not be used.\n// +build js appengine safe disableunsafe !go1.4\n\npackage spew\n\nimport \"reflect\"\n\nconst (\n\t// UnsafeDisabled is a build-time constant which specifies whether or\n\t// not access to the unsafe package is available.\n\tUnsafeDisabled = true\n)\n\n// unsafeReflectValue typically converts the passed reflect.Value into a one\n// that bypasses the typical safety restrictions preventing access to\n// unaddressable and unexported data. However, doing this relies on access to\n// the unsafe package. This is a stub version which simply returns the passed\n// reflect.Value when the unsafe package is not available.\nfunc unsafeReflectValue(v reflect.Value) reflect.Value {\n\treturn v\n}\n" }, { "path": "vendor/github.com/davecgh/go-spew/spew/common.go", "content": "/*\n * Copyright (c) 2013-2016 Dave Collins \n *\n * Permission to use, copy, modify, and distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\n * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\n * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\n * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n */\n\npackage spew\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"reflect\"\n\t\"sort\"\n\t\"strconv\"\n)\n\n// Some constants in the form of bytes to avoid string overhead. This mirrors\n// the technique used in the fmt package.\nvar (\n\tpanicBytes = []byte(\"(PANIC=\")\n\tplusBytes = []byte(\"+\")\n\tiBytes = []byte(\"i\")\n\ttrueBytes = []byte(\"true\")\n\tfalseBytes = []byte(\"false\")\n\tinterfaceBytes = []byte(\"(interface {})\")\n\tcommaNewlineBytes = []byte(\",\\n\")\n\tnewlineBytes = []byte(\"\\n\")\n\topenBraceBytes = []byte(\"{\")\n\topenBraceNewlineBytes = []byte(\"{\\n\")\n\tcloseBraceBytes = []byte(\"}\")\n\tasteriskBytes = []byte(\"*\")\n\tcolonBytes = []byte(\":\")\n\tcolonSpaceBytes = []byte(\": \")\n\topenParenBytes = []byte(\"(\")\n\tcloseParenBytes = []byte(\")\")\n\tspaceBytes = []byte(\" \")\n\tpointerChainBytes = []byte(\"->\")\n\tnilAngleBytes = []byte(\"\")\n\tmaxNewlineBytes = []byte(\"\\n\")\n\tmaxShortBytes = []byte(\"\")\n\tcircularBytes = []byte(\"\")\n\tcircularShortBytes = []byte(\"\")\n\tinvalidAngleBytes = []byte(\"\")\n\topenBracketBytes = []byte(\"[\")\n\tcloseBracketBytes = []byte(\"]\")\n\tpercentBytes = []byte(\"%\")\n\tprecisionBytes = []byte(\".\")\n\topenAngleBytes = []byte(\"<\")\n\tcloseAngleBytes = []byte(\">\")\n\topenMapBytes = []byte(\"map[\")\n\tcloseMapBytes = []byte(\"]\")\n\tlenEqualsBytes = []byte(\"len=\")\n\tcapEqualsBytes = []byte(\"cap=\")\n)\n\n// hexDigits is used to map a decimal value to a hex digit.\nvar hexDigits = \"0123456789abcdef\"\n\n// catchPanic handles any panics that might occur during the handleMethods\n// calls.\nfunc catchPanic(w io.Writer, v reflect.Value) {\n\tif err := recover(); err != nil {\n\t\tw.Write(panicBytes)\n\t\tfmt.Fprintf(w, \"%v\", err)\n\t\tw.Write(closeParenBytes)\n\t}\n}\n\n// handleMethods attempts to call the Error and String methods on the underlying\n// type the passed reflect.Value represents and outputes the result to Writer w.\n//\n// It handles panics in any called methods by catching and displaying the error\n// as the formatted value.\nfunc handleMethods(cs *ConfigState, w io.Writer, v reflect.Value) (handled bool) {\n\t// We need an interface to check if the type implements the error or\n\t// Stringer interface. However, the reflect package won't give us an\n\t// interface on certain things like unexported struct fields in order\n\t// to enforce visibility rules. We use unsafe, when it's available,\n\t// to bypass these restrictions since this package does not mutate the\n\t// values.\n\tif !v.CanInterface() {\n\t\tif UnsafeDisabled {\n\t\t\treturn false\n\t\t}\n\n\t\tv = unsafeReflectValue(v)\n\t}\n\n\t// Choose whether or not to do error and Stringer interface lookups against\n\t// the base type or a pointer to the base type depending on settings.\n\t// Technically calling one of these methods with a pointer receiver can\n\t// mutate the value, however, types which choose to satisify an error or\n\t// Stringer interface with a pointer receiver should not be mutating their\n\t// state inside these interface methods.\n\tif !cs.DisablePointerMethods && !UnsafeDisabled && !v.CanAddr() {\n\t\tv = unsafeReflectValue(v)\n\t}\n\tif v.CanAddr() {\n\t\tv = v.Addr()\n\t}\n\n\t// Is it an error or Stringer?\n\tswitch iface := v.Interface().(type) {\n\tcase error:\n\t\tdefer catchPanic(w, v)\n\t\tif cs.ContinueOnMethod {\n\t\t\tw.Write(openParenBytes)\n\t\t\tw.Write([]byte(iface.Error()))\n\t\t\tw.Write(closeParenBytes)\n\t\t\tw.Write(spaceBytes)\n\t\t\treturn false\n\t\t}\n\n\t\tw.Write([]byte(iface.Error()))\n\t\treturn true\n\n\tcase fmt.Stringer:\n\t\tdefer catchPanic(w, v)\n\t\tif cs.ContinueOnMethod {\n\t\t\tw.Write(openParenBytes)\n\t\t\tw.Write([]byte(iface.String()))\n\t\t\tw.Write(closeParenBytes)\n\t\t\tw.Write(spaceBytes)\n\t\t\treturn false\n\t\t}\n\t\tw.Write([]byte(iface.String()))\n\t\treturn true\n\t}\n\treturn false\n}\n\n// printBool outputs a boolean value as true or false to Writer w.\nfunc printBool(w io.Writer, val bool) {\n\tif val {\n\t\tw.Write(trueBytes)\n\t} else {\n\t\tw.Write(falseBytes)\n\t}\n}\n\n// printInt outputs a signed integer value to Writer w.\nfunc printInt(w io.Writer, val int64, base int) {\n\tw.Write([]byte(strconv.FormatInt(val, base)))\n}\n\n// printUint outputs an unsigned integer value to Writer w.\nfunc printUint(w io.Writer, val uint64, base int) {\n\tw.Write([]byte(strconv.FormatUint(val, base)))\n}\n\n// printFloat outputs a floating point value using the specified precision,\n// which is expected to be 32 or 64bit, to Writer w.\nfunc printFloat(w io.Writer, val float64, precision int) {\n\tw.Write([]byte(strconv.FormatFloat(val, 'g', -1, precision)))\n}\n\n// printComplex outputs a complex value using the specified float precision\n// for the real and imaginary parts to Writer w.\nfunc printComplex(w io.Writer, c complex128, floatPrecision int) {\n\tr := real(c)\n\tw.Write(openParenBytes)\n\tw.Write([]byte(strconv.FormatFloat(r, 'g', -1, floatPrecision)))\n\ti := imag(c)\n\tif i >= 0 {\n\t\tw.Write(plusBytes)\n\t}\n\tw.Write([]byte(strconv.FormatFloat(i, 'g', -1, floatPrecision)))\n\tw.Write(iBytes)\n\tw.Write(closeParenBytes)\n}\n\n// printHexPtr outputs a uintptr formatted as hexadecimal with a leading '0x'\n// prefix to Writer w.\nfunc printHexPtr(w io.Writer, p uintptr) {\n\t// Null pointer.\n\tnum := uint64(p)\n\tif num == 0 {\n\t\tw.Write(nilAngleBytes)\n\t\treturn\n\t}\n\n\t// Max uint64 is 16 bytes in hex + 2 bytes for '0x' prefix\n\tbuf := make([]byte, 18)\n\n\t// It's simpler to construct the hex string right to left.\n\tbase := uint64(16)\n\ti := len(buf) - 1\n\tfor num >= base {\n\t\tbuf[i] = hexDigits[num%base]\n\t\tnum /= base\n\t\ti--\n\t}\n\tbuf[i] = hexDigits[num]\n\n\t// Add '0x' prefix.\n\ti--\n\tbuf[i] = 'x'\n\ti--\n\tbuf[i] = '0'\n\n\t// Strip unused leading bytes.\n\tbuf = buf[i:]\n\tw.Write(buf)\n}\n\n// valuesSorter implements sort.Interface to allow a slice of reflect.Value\n// elements to be sorted.\ntype valuesSorter struct {\n\tvalues []reflect.Value\n\tstrings []string // either nil or same len and values\n\tcs *ConfigState\n}\n\n// newValuesSorter initializes a valuesSorter instance, which holds a set of\n// surrogate keys on which the data should be sorted. It uses flags in\n// ConfigState to decide if and how to populate those surrogate keys.\nfunc newValuesSorter(values []reflect.Value, cs *ConfigState) sort.Interface {\n\tvs := &valuesSorter{values: values, cs: cs}\n\tif canSortSimply(vs.values[0].Kind()) {\n\t\treturn vs\n\t}\n\tif !cs.DisableMethods {\n\t\tvs.strings = make([]string, len(values))\n\t\tfor i := range vs.values {\n\t\t\tb := bytes.Buffer{}\n\t\t\tif !handleMethods(cs, &b, vs.values[i]) {\n\t\t\t\tvs.strings = nil\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tvs.strings[i] = b.String()\n\t\t}\n\t}\n\tif vs.strings == nil && cs.SpewKeys {\n\t\tvs.strings = make([]string, len(values))\n\t\tfor i := range vs.values {\n\t\t\tvs.strings[i] = Sprintf(\"%#v\", vs.values[i].Interface())\n\t\t}\n\t}\n\treturn vs\n}\n\n// canSortSimply tests whether a reflect.Kind is a primitive that can be sorted\n// directly, or whether it should be considered for sorting by surrogate keys\n// (if the ConfigState allows it).\nfunc canSortSimply(kind reflect.Kind) bool {\n\t// This switch parallels valueSortLess, except for the default case.\n\tswitch kind {\n\tcase reflect.Bool:\n\t\treturn true\n\tcase reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Int:\n\t\treturn true\n\tcase reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uint:\n\t\treturn true\n\tcase reflect.Float32, reflect.Float64:\n\t\treturn true\n\tcase reflect.String:\n\t\treturn true\n\tcase reflect.Uintptr:\n\t\treturn true\n\tcase reflect.Array:\n\t\treturn true\n\t}\n\treturn false\n}\n\n// Len returns the number of values in the slice. It is part of the\n// sort.Interface implementation.\nfunc (s *valuesSorter) Len() int {\n\treturn len(s.values)\n}\n\n// Swap swaps the values at the passed indices. It is part of the\n// sort.Interface implementation.\nfunc (s *valuesSorter) Swap(i, j int) {\n\ts.values[i], s.values[j] = s.values[j], s.values[i]\n\tif s.strings != nil {\n\t\ts.strings[i], s.strings[j] = s.strings[j], s.strings[i]\n\t}\n}\n\n// valueSortLess returns whether the first value should sort before the second\n// value. It is used by valueSorter.Less as part of the sort.Interface\n// implementation.\nfunc valueSortLess(a, b reflect.Value) bool {\n\tswitch a.Kind() {\n\tcase reflect.Bool:\n\t\treturn !a.Bool() && b.Bool()\n\tcase reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Int:\n\t\treturn a.Int() < b.Int()\n\tcase reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uint:\n\t\treturn a.Uint() < b.Uint()\n\tcase reflect.Float32, reflect.Float64:\n\t\treturn a.Float() < b.Float()\n\tcase reflect.String:\n\t\treturn a.String() < b.String()\n\tcase reflect.Uintptr:\n\t\treturn a.Uint() < b.Uint()\n\tcase reflect.Array:\n\t\t// Compare the contents of both arrays.\n\t\tl := a.Len()\n\t\tfor i := 0; i < l; i++ {\n\t\t\tav := a.Index(i)\n\t\t\tbv := b.Index(i)\n\t\t\tif av.Interface() == bv.Interface() {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\treturn valueSortLess(av, bv)\n\t\t}\n\t}\n\treturn a.String() < b.String()\n}\n\n// Less returns whether the value at index i should sort before the\n// value at index j. It is part of the sort.Interface implementation.\nfunc (s *valuesSorter) Less(i, j int) bool {\n\tif s.strings == nil {\n\t\treturn valueSortLess(s.values[i], s.values[j])\n\t}\n\treturn s.strings[i] < s.strings[j]\n}\n\n// sortValues is a sort function that handles both native types and any type that\n// can be converted to error or Stringer. Other inputs are sorted according to\n// their Value.String() value to ensure display stability.\nfunc sortValues(values []reflect.Value, cs *ConfigState) {\n\tif len(values) == 0 {\n\t\treturn\n\t}\n\tsort.Sort(newValuesSorter(values, cs))\n}\n" }, { "path": "vendor/github.com/davecgh/go-spew/spew/config.go", "content": "/*\n * Copyright (c) 2013-2016 Dave Collins \n *\n * Permission to use, copy, modify, and distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\n * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\n * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\n * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n */\n\npackage spew\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n)\n\n// ConfigState houses the configuration options used by spew to format and\n// display values. There is a global instance, Config, that is used to control\n// all top-level Formatter and Dump functionality. Each ConfigState instance\n// provides methods equivalent to the top-level functions.\n//\n// The zero value for ConfigState provides no indentation. You would typically\n// want to set it to a space or a tab.\n//\n// Alternatively, you can use NewDefaultConfig to get a ConfigState instance\n// with default settings. See the documentation of NewDefaultConfig for default\n// values.\ntype ConfigState struct {\n\t// Indent specifies the string to use for each indentation level. The\n\t// global config instance that all top-level functions use set this to a\n\t// single space by default. If you would like more indentation, you might\n\t// set this to a tab with \"\\t\" or perhaps two spaces with \" \".\n\tIndent string\n\n\t// MaxDepth controls the maximum number of levels to descend into nested\n\t// data structures. The default, 0, means there is no limit.\n\t//\n\t// NOTE: Circular data structures are properly detected, so it is not\n\t// necessary to set this value unless you specifically want to limit deeply\n\t// nested data structures.\n\tMaxDepth int\n\n\t// DisableMethods specifies whether or not error and Stringer interfaces are\n\t// invoked for types that implement them.\n\tDisableMethods bool\n\n\t// DisablePointerMethods specifies whether or not to check for and invoke\n\t// error and Stringer interfaces on types which only accept a pointer\n\t// receiver when the current type is not a pointer.\n\t//\n\t// NOTE: This might be an unsafe action since calling one of these methods\n\t// with a pointer receiver could technically mutate the value, however,\n\t// in practice, types which choose to satisify an error or Stringer\n\t// interface with a pointer receiver should not be mutating their state\n\t// inside these interface methods. As a result, this option relies on\n\t// access to the unsafe package, so it will not have any effect when\n\t// running in environments without access to the unsafe package such as\n\t// Google App Engine or with the \"safe\" build tag specified.\n\tDisablePointerMethods bool\n\n\t// DisablePointerAddresses specifies whether to disable the printing of\n\t// pointer addresses. This is useful when diffing data structures in tests.\n\tDisablePointerAddresses bool\n\n\t// DisableCapacities specifies whether to disable the printing of capacities\n\t// for arrays, slices, maps and channels. This is useful when diffing\n\t// data structures in tests.\n\tDisableCapacities bool\n\n\t// ContinueOnMethod specifies whether or not recursion should continue once\n\t// a custom error or Stringer interface is invoked. The default, false,\n\t// means it will print the results of invoking the custom error or Stringer\n\t// interface and return immediately instead of continuing to recurse into\n\t// the internals of the data type.\n\t//\n\t// NOTE: This flag does not have any effect if method invocation is disabled\n\t// via the DisableMethods or DisablePointerMethods options.\n\tContinueOnMethod bool\n\n\t// SortKeys specifies map keys should be sorted before being printed. Use\n\t// this to have a more deterministic, diffable output. Note that only\n\t// native types (bool, int, uint, floats, uintptr and string) and types\n\t// that support the error or Stringer interfaces (if methods are\n\t// enabled) are supported, with other types sorted according to the\n\t// reflect.Value.String() output which guarantees display stability.\n\tSortKeys bool\n\n\t// SpewKeys specifies that, as a last resort attempt, map keys should\n\t// be spewed to strings and sorted by those strings. This is only\n\t// considered if SortKeys is true.\n\tSpewKeys bool\n}\n\n// Config is the active configuration of the top-level functions.\n// The configuration can be changed by modifying the contents of spew.Config.\nvar Config = ConfigState{Indent: \" \"}\n\n// Errorf is a wrapper for fmt.Errorf that treats each argument as if it were\n// passed with a Formatter interface returned by c.NewFormatter. It returns\n// the formatted string as a value that satisfies error. See NewFormatter\n// for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Errorf(format, c.NewFormatter(a), c.NewFormatter(b))\nfunc (c *ConfigState) Errorf(format string, a ...interface{}) (err error) {\n\treturn fmt.Errorf(format, c.convertArgs(a)...)\n}\n\n// Fprint is a wrapper for fmt.Fprint that treats each argument as if it were\n// passed with a Formatter interface returned by c.NewFormatter. It returns\n// the number of bytes written and any write error encountered. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Fprint(w, c.NewFormatter(a), c.NewFormatter(b))\nfunc (c *ConfigState) Fprint(w io.Writer, a ...interface{}) (n int, err error) {\n\treturn fmt.Fprint(w, c.convertArgs(a)...)\n}\n\n// Fprintf is a wrapper for fmt.Fprintf that treats each argument as if it were\n// passed with a Formatter interface returned by c.NewFormatter. It returns\n// the number of bytes written and any write error encountered. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Fprintf(w, format, c.NewFormatter(a), c.NewFormatter(b))\nfunc (c *ConfigState) Fprintf(w io.Writer, format string, a ...interface{}) (n int, err error) {\n\treturn fmt.Fprintf(w, format, c.convertArgs(a)...)\n}\n\n// Fprintln is a wrapper for fmt.Fprintln that treats each argument as if it\n// passed with a Formatter interface returned by c.NewFormatter. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Fprintln(w, c.NewFormatter(a), c.NewFormatter(b))\nfunc (c *ConfigState) Fprintln(w io.Writer, a ...interface{}) (n int, err error) {\n\treturn fmt.Fprintln(w, c.convertArgs(a)...)\n}\n\n// Print is a wrapper for fmt.Print that treats each argument as if it were\n// passed with a Formatter interface returned by c.NewFormatter. It returns\n// the number of bytes written and any write error encountered. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Print(c.NewFormatter(a), c.NewFormatter(b))\nfunc (c *ConfigState) Print(a ...interface{}) (n int, err error) {\n\treturn fmt.Print(c.convertArgs(a)...)\n}\n\n// Printf is a wrapper for fmt.Printf that treats each argument as if it were\n// passed with a Formatter interface returned by c.NewFormatter. It returns\n// the number of bytes written and any write error encountered. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Printf(format, c.NewFormatter(a), c.NewFormatter(b))\nfunc (c *ConfigState) Printf(format string, a ...interface{}) (n int, err error) {\n\treturn fmt.Printf(format, c.convertArgs(a)...)\n}\n\n// Println is a wrapper for fmt.Println that treats each argument as if it were\n// passed with a Formatter interface returned by c.NewFormatter. It returns\n// the number of bytes written and any write error encountered. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Println(c.NewFormatter(a), c.NewFormatter(b))\nfunc (c *ConfigState) Println(a ...interface{}) (n int, err error) {\n\treturn fmt.Println(c.convertArgs(a)...)\n}\n\n// Sprint is a wrapper for fmt.Sprint that treats each argument as if it were\n// passed with a Formatter interface returned by c.NewFormatter. It returns\n// the resulting string. See NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Sprint(c.NewFormatter(a), c.NewFormatter(b))\nfunc (c *ConfigState) Sprint(a ...interface{}) string {\n\treturn fmt.Sprint(c.convertArgs(a)...)\n}\n\n// Sprintf is a wrapper for fmt.Sprintf that treats each argument as if it were\n// passed with a Formatter interface returned by c.NewFormatter. It returns\n// the resulting string. See NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Sprintf(format, c.NewFormatter(a), c.NewFormatter(b))\nfunc (c *ConfigState) Sprintf(format string, a ...interface{}) string {\n\treturn fmt.Sprintf(format, c.convertArgs(a)...)\n}\n\n// Sprintln is a wrapper for fmt.Sprintln that treats each argument as if it\n// were passed with a Formatter interface returned by c.NewFormatter. It\n// returns the resulting string. See NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Sprintln(c.NewFormatter(a), c.NewFormatter(b))\nfunc (c *ConfigState) Sprintln(a ...interface{}) string {\n\treturn fmt.Sprintln(c.convertArgs(a)...)\n}\n\n/*\nNewFormatter returns a custom formatter that satisfies the fmt.Formatter\ninterface. As a result, it integrates cleanly with standard fmt package\nprinting functions. The formatter is useful for inline printing of smaller data\ntypes similar to the standard %v format specifier.\n\nThe custom formatter only responds to the %v (most compact), %+v (adds pointer\naddresses), %#v (adds types), and %#+v (adds types and pointer addresses) verb\ncombinations. Any other verbs such as %x and %q will be sent to the the\nstandard fmt package for formatting. In addition, the custom formatter ignores\nthe width and precision arguments (however they will still work on the format\nspecifiers not handled by the custom formatter).\n\nTypically this function shouldn't be called directly. It is much easier to make\nuse of the custom formatter by calling one of the convenience functions such as\nc.Printf, c.Println, or c.Printf.\n*/\nfunc (c *ConfigState) NewFormatter(v interface{}) fmt.Formatter {\n\treturn newFormatter(c, v)\n}\n\n// Fdump formats and displays the passed arguments to io.Writer w. It formats\n// exactly the same as Dump.\nfunc (c *ConfigState) Fdump(w io.Writer, a ...interface{}) {\n\tfdump(c, w, a...)\n}\n\n/*\nDump displays the passed parameters to standard out with newlines, customizable\nindentation, and additional debug information such as complete types and all\npointer addresses used to indirect to the final value. It provides the\nfollowing features over the built-in printing facilities provided by the fmt\npackage:\n\n\t* Pointers are dereferenced and followed\n\t* Circular data structures are detected and handled properly\n\t* Custom Stringer/error interfaces are optionally invoked, including\n\t on unexported types\n\t* Custom types which only implement the Stringer/error interfaces via\n\t a pointer receiver are optionally invoked when passing non-pointer\n\t variables\n\t* Byte arrays and slices are dumped like the hexdump -C command which\n\t includes offsets, byte values in hex, and ASCII output\n\nThe configuration options are controlled by modifying the public members\nof c. See ConfigState for options documentation.\n\nSee Fdump if you would prefer dumping to an arbitrary io.Writer or Sdump to\nget the formatted result as a string.\n*/\nfunc (c *ConfigState) Dump(a ...interface{}) {\n\tfdump(c, os.Stdout, a...)\n}\n\n// Sdump returns a string with the passed arguments formatted exactly the same\n// as Dump.\nfunc (c *ConfigState) Sdump(a ...interface{}) string {\n\tvar buf bytes.Buffer\n\tfdump(c, &buf, a...)\n\treturn buf.String()\n}\n\n// convertArgs accepts a slice of arguments and returns a slice of the same\n// length with each argument converted to a spew Formatter interface using\n// the ConfigState associated with s.\nfunc (c *ConfigState) convertArgs(args []interface{}) (formatters []interface{}) {\n\tformatters = make([]interface{}, len(args))\n\tfor index, arg := range args {\n\t\tformatters[index] = newFormatter(c, arg)\n\t}\n\treturn formatters\n}\n\n// NewDefaultConfig returns a ConfigState with the following default settings.\n//\n// \tIndent: \" \"\n// \tMaxDepth: 0\n// \tDisableMethods: false\n// \tDisablePointerMethods: false\n// \tContinueOnMethod: false\n// \tSortKeys: false\nfunc NewDefaultConfig() *ConfigState {\n\treturn &ConfigState{Indent: \" \"}\n}\n" }, { "path": "vendor/github.com/davecgh/go-spew/spew/doc.go", "content": "/*\n * Copyright (c) 2013-2016 Dave Collins \n *\n * Permission to use, copy, modify, and distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\n * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\n * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\n * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n */\n\n/*\nPackage spew implements a deep pretty printer for Go data structures to aid in\ndebugging.\n\nA quick overview of the additional features spew provides over the built-in\nprinting facilities for Go data types are as follows:\n\n\t* Pointers are dereferenced and followed\n\t* Circular data structures are detected and handled properly\n\t* Custom Stringer/error interfaces are optionally invoked, including\n\t on unexported types\n\t* Custom types which only implement the Stringer/error interfaces via\n\t a pointer receiver are optionally invoked when passing non-pointer\n\t variables\n\t* Byte arrays and slices are dumped like the hexdump -C command which\n\t includes offsets, byte values in hex, and ASCII output (only when using\n\t Dump style)\n\nThere are two different approaches spew allows for dumping Go data structures:\n\n\t* Dump style which prints with newlines, customizable indentation,\n\t and additional debug information such as types and all pointer addresses\n\t used to indirect to the final value\n\t* A custom Formatter interface that integrates cleanly with the standard fmt\n\t package and replaces %v, %+v, %#v, and %#+v to provide inline printing\n\t similar to the default %v while providing the additional functionality\n\t outlined above and passing unsupported format verbs such as %x and %q\n\t along to fmt\n\nQuick Start\n\nThis section demonstrates how to quickly get started with spew. See the\nsections below for further details on formatting and configuration options.\n\nTo dump a variable with full newlines, indentation, type, and pointer\ninformation use Dump, Fdump, or Sdump:\n\tspew.Dump(myVar1, myVar2, ...)\n\tspew.Fdump(someWriter, myVar1, myVar2, ...)\n\tstr := spew.Sdump(myVar1, myVar2, ...)\n\nAlternatively, if you would prefer to use format strings with a compacted inline\nprinting style, use the convenience wrappers Printf, Fprintf, etc with\n%v (most compact), %+v (adds pointer addresses), %#v (adds types), or\n%#+v (adds types and pointer addresses):\n\tspew.Printf(\"myVar1: %v -- myVar2: %+v\", myVar1, myVar2)\n\tspew.Printf(\"myVar3: %#v -- myVar4: %#+v\", myVar3, myVar4)\n\tspew.Fprintf(someWriter, \"myVar1: %v -- myVar2: %+v\", myVar1, myVar2)\n\tspew.Fprintf(someWriter, \"myVar3: %#v -- myVar4: %#+v\", myVar3, myVar4)\n\nConfiguration Options\n\nConfiguration of spew is handled by fields in the ConfigState type. For\nconvenience, all of the top-level functions use a global state available\nvia the spew.Config global.\n\nIt is also possible to create a ConfigState instance that provides methods\nequivalent to the top-level functions. This allows concurrent configuration\noptions. See the ConfigState documentation for more details.\n\nThe following configuration options are available:\n\t* Indent\n\t\tString to use for each indentation level for Dump functions.\n\t\tIt is a single space by default. A popular alternative is \"\\t\".\n\n\t* MaxDepth\n\t\tMaximum number of levels to descend into nested data structures.\n\t\tThere is no limit by default.\n\n\t* DisableMethods\n\t\tDisables invocation of error and Stringer interface methods.\n\t\tMethod invocation is enabled by default.\n\n\t* DisablePointerMethods\n\t\tDisables invocation of error and Stringer interface methods on types\n\t\twhich only accept pointer receivers from non-pointer variables.\n\t\tPointer method invocation is enabled by default.\n\n\t* DisablePointerAddresses\n\t\tDisablePointerAddresses specifies whether to disable the printing of\n\t\tpointer addresses. This is useful when diffing data structures in tests.\n\n\t* DisableCapacities\n\t\tDisableCapacities specifies whether to disable the printing of\n\t\tcapacities for arrays, slices, maps and channels. This is useful when\n\t\tdiffing data structures in tests.\n\n\t* ContinueOnMethod\n\t\tEnables recursion into types after invoking error and Stringer interface\n\t\tmethods. Recursion after method invocation is disabled by default.\n\n\t* SortKeys\n\t\tSpecifies map keys should be sorted before being printed. Use\n\t\tthis to have a more deterministic, diffable output. Note that\n\t\tonly native types (bool, int, uint, floats, uintptr and string)\n\t\tand types which implement error or Stringer interfaces are\n\t\tsupported with other types sorted according to the\n\t\treflect.Value.String() output which guarantees display\n\t\tstability. Natural map order is used by default.\n\n\t* SpewKeys\n\t\tSpecifies that, as a last resort attempt, map keys should be\n\t\tspewed to strings and sorted by those strings. This is only\n\t\tconsidered if SortKeys is true.\n\nDump Usage\n\nSimply call spew.Dump with a list of variables you want to dump:\n\n\tspew.Dump(myVar1, myVar2, ...)\n\nYou may also call spew.Fdump if you would prefer to output to an arbitrary\nio.Writer. For example, to dump to standard error:\n\n\tspew.Fdump(os.Stderr, myVar1, myVar2, ...)\n\nA third option is to call spew.Sdump to get the formatted output as a string:\n\n\tstr := spew.Sdump(myVar1, myVar2, ...)\n\nSample Dump Output\n\nSee the Dump example for details on the setup of the types and variables being\nshown here.\n\n\t(main.Foo) {\n\t unexportedField: (*main.Bar)(0xf84002e210)({\n\t flag: (main.Flag) flagTwo,\n\t data: (uintptr) \n\t }),\n\t ExportedField: (map[interface {}]interface {}) (len=1) {\n\t (string) (len=3) \"one\": (bool) true\n\t }\n\t}\n\nByte (and uint8) arrays and slices are displayed uniquely like the hexdump -C\ncommand as shown.\n\t([]uint8) (len=32 cap=32) {\n\t 00000000 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 |............... |\n\t 00000010 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 |!\"#$%&'()*+,-./0|\n\t 00000020 31 32 |12|\n\t}\n\nCustom Formatter\n\nSpew provides a custom formatter that implements the fmt.Formatter interface\nso that it integrates cleanly with standard fmt package printing functions. The\nformatter is useful for inline printing of smaller data types similar to the\nstandard %v format specifier.\n\nThe custom formatter only responds to the %v (most compact), %+v (adds pointer\naddresses), %#v (adds types), or %#+v (adds types and pointer addresses) verb\ncombinations. Any other verbs such as %x and %q will be sent to the the\nstandard fmt package for formatting. In addition, the custom formatter ignores\nthe width and precision arguments (however they will still work on the format\nspecifiers not handled by the custom formatter).\n\nCustom Formatter Usage\n\nThe simplest way to make use of the spew custom formatter is to call one of the\nconvenience functions such as spew.Printf, spew.Println, or spew.Printf. The\nfunctions have syntax you are most likely already familiar with:\n\n\tspew.Printf(\"myVar1: %v -- myVar2: %+v\", myVar1, myVar2)\n\tspew.Printf(\"myVar3: %#v -- myVar4: %#+v\", myVar3, myVar4)\n\tspew.Println(myVar, myVar2)\n\tspew.Fprintf(os.Stderr, \"myVar1: %v -- myVar2: %+v\", myVar1, myVar2)\n\tspew.Fprintf(os.Stderr, \"myVar3: %#v -- myVar4: %#+v\", myVar3, myVar4)\n\nSee the Index for the full list convenience functions.\n\nSample Formatter Output\n\nDouble pointer to a uint8:\n\t %v: <**>5\n\t %+v: <**>(0xf8400420d0->0xf8400420c8)5\n\t %#v: (**uint8)5\n\t%#+v: (**uint8)(0xf8400420d0->0xf8400420c8)5\n\nPointer to circular struct with a uint8 field and a pointer to itself:\n\t %v: <*>{1 <*>}\n\t %+v: <*>(0xf84003e260){ui8:1 c:<*>(0xf84003e260)}\n\t %#v: (*main.circular){ui8:(uint8)1 c:(*main.circular)}\n\t%#+v: (*main.circular)(0xf84003e260){ui8:(uint8)1 c:(*main.circular)(0xf84003e260)}\n\nSee the Printf example for details on the setup of variables being shown\nhere.\n\nErrors\n\nSince it is possible for custom Stringer/error interfaces to panic, spew\ndetects them and handles them internally by printing the panic information\ninline with the output. Since spew is intended to provide deep pretty printing\ncapabilities on structures, it intentionally does not return any errors.\n*/\npackage spew\n" }, { "path": "vendor/github.com/davecgh/go-spew/spew/dump.go", "content": "/*\n * Copyright (c) 2013-2016 Dave Collins \n *\n * Permission to use, copy, modify, and distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\n * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\n * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\n * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n */\n\npackage spew\n\nimport (\n\t\"bytes\"\n\t\"encoding/hex\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"reflect\"\n\t\"regexp\"\n\t\"strconv\"\n\t\"strings\"\n)\n\nvar (\n\t// uint8Type is a reflect.Type representing a uint8. It is used to\n\t// convert cgo types to uint8 slices for hexdumping.\n\tuint8Type = reflect.TypeOf(uint8(0))\n\n\t// cCharRE is a regular expression that matches a cgo char.\n\t// It is used to detect character arrays to hexdump them.\n\tcCharRE = regexp.MustCompile(`^.*\\._Ctype_char$`)\n\n\t// cUnsignedCharRE is a regular expression that matches a cgo unsigned\n\t// char. It is used to detect unsigned character arrays to hexdump\n\t// them.\n\tcUnsignedCharRE = regexp.MustCompile(`^.*\\._Ctype_unsignedchar$`)\n\n\t// cUint8tCharRE is a regular expression that matches a cgo uint8_t.\n\t// It is used to detect uint8_t arrays to hexdump them.\n\tcUint8tCharRE = regexp.MustCompile(`^.*\\._Ctype_uint8_t$`)\n)\n\n// dumpState contains information about the state of a dump operation.\ntype dumpState struct {\n\tw io.Writer\n\tdepth int\n\tpointers map[uintptr]int\n\tignoreNextType bool\n\tignoreNextIndent bool\n\tcs *ConfigState\n}\n\n// indent performs indentation according to the depth level and cs.Indent\n// option.\nfunc (d *dumpState) indent() {\n\tif d.ignoreNextIndent {\n\t\td.ignoreNextIndent = false\n\t\treturn\n\t}\n\td.w.Write(bytes.Repeat([]byte(d.cs.Indent), d.depth))\n}\n\n// unpackValue returns values inside of non-nil interfaces when possible.\n// This is useful for data types like structs, arrays, slices, and maps which\n// can contain varying types packed inside an interface.\nfunc (d *dumpState) unpackValue(v reflect.Value) reflect.Value {\n\tif v.Kind() == reflect.Interface && !v.IsNil() {\n\t\tv = v.Elem()\n\t}\n\treturn v\n}\n\n// dumpPtr handles formatting of pointers by indirecting them as necessary.\nfunc (d *dumpState) dumpPtr(v reflect.Value) {\n\t// Remove pointers at or below the current depth from map used to detect\n\t// circular refs.\n\tfor k, depth := range d.pointers {\n\t\tif depth >= d.depth {\n\t\t\tdelete(d.pointers, k)\n\t\t}\n\t}\n\n\t// Keep list of all dereferenced pointers to show later.\n\tpointerChain := make([]uintptr, 0)\n\n\t// Figure out how many levels of indirection there are by dereferencing\n\t// pointers and unpacking interfaces down the chain while detecting circular\n\t// references.\n\tnilFound := false\n\tcycleFound := false\n\tindirects := 0\n\tve := v\n\tfor ve.Kind() == reflect.Ptr {\n\t\tif ve.IsNil() {\n\t\t\tnilFound = true\n\t\t\tbreak\n\t\t}\n\t\tindirects++\n\t\taddr := ve.Pointer()\n\t\tpointerChain = append(pointerChain, addr)\n\t\tif pd, ok := d.pointers[addr]; ok && pd < d.depth {\n\t\t\tcycleFound = true\n\t\t\tindirects--\n\t\t\tbreak\n\t\t}\n\t\td.pointers[addr] = d.depth\n\n\t\tve = ve.Elem()\n\t\tif ve.Kind() == reflect.Interface {\n\t\t\tif ve.IsNil() {\n\t\t\t\tnilFound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tve = ve.Elem()\n\t\t}\n\t}\n\n\t// Display type information.\n\td.w.Write(openParenBytes)\n\td.w.Write(bytes.Repeat(asteriskBytes, indirects))\n\td.w.Write([]byte(ve.Type().String()))\n\td.w.Write(closeParenBytes)\n\n\t// Display pointer information.\n\tif !d.cs.DisablePointerAddresses && len(pointerChain) > 0 {\n\t\td.w.Write(openParenBytes)\n\t\tfor i, addr := range pointerChain {\n\t\t\tif i > 0 {\n\t\t\t\td.w.Write(pointerChainBytes)\n\t\t\t}\n\t\t\tprintHexPtr(d.w, addr)\n\t\t}\n\t\td.w.Write(closeParenBytes)\n\t}\n\n\t// Display dereferenced value.\n\td.w.Write(openParenBytes)\n\tswitch {\n\tcase nilFound:\n\t\td.w.Write(nilAngleBytes)\n\n\tcase cycleFound:\n\t\td.w.Write(circularBytes)\n\n\tdefault:\n\t\td.ignoreNextType = true\n\t\td.dump(ve)\n\t}\n\td.w.Write(closeParenBytes)\n}\n\n// dumpSlice handles formatting of arrays and slices. Byte (uint8 under\n// reflection) arrays and slices are dumped in hexdump -C fashion.\nfunc (d *dumpState) dumpSlice(v reflect.Value) {\n\t// Determine whether this type should be hex dumped or not. Also,\n\t// for types which should be hexdumped, try to use the underlying data\n\t// first, then fall back to trying to convert them to a uint8 slice.\n\tvar buf []uint8\n\tdoConvert := false\n\tdoHexDump := false\n\tnumEntries := v.Len()\n\tif numEntries > 0 {\n\t\tvt := v.Index(0).Type()\n\t\tvts := vt.String()\n\t\tswitch {\n\t\t// C types that need to be converted.\n\t\tcase cCharRE.MatchString(vts):\n\t\t\tfallthrough\n\t\tcase cUnsignedCharRE.MatchString(vts):\n\t\t\tfallthrough\n\t\tcase cUint8tCharRE.MatchString(vts):\n\t\t\tdoConvert = true\n\n\t\t// Try to use existing uint8 slices and fall back to converting\n\t\t// and copying if that fails.\n\t\tcase vt.Kind() == reflect.Uint8:\n\t\t\t// We need an addressable interface to convert the type\n\t\t\t// to a byte slice. However, the reflect package won't\n\t\t\t// give us an interface on certain things like\n\t\t\t// unexported struct fields in order to enforce\n\t\t\t// visibility rules. We use unsafe, when available, to\n\t\t\t// bypass these restrictions since this package does not\n\t\t\t// mutate the values.\n\t\t\tvs := v\n\t\t\tif !vs.CanInterface() || !vs.CanAddr() {\n\t\t\t\tvs = unsafeReflectValue(vs)\n\t\t\t}\n\t\t\tif !UnsafeDisabled {\n\t\t\t\tvs = vs.Slice(0, numEntries)\n\n\t\t\t\t// Use the existing uint8 slice if it can be\n\t\t\t\t// type asserted.\n\t\t\t\tiface := vs.Interface()\n\t\t\t\tif slice, ok := iface.([]uint8); ok {\n\t\t\t\t\tbuf = slice\n\t\t\t\t\tdoHexDump = true\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// The underlying data needs to be converted if it can't\n\t\t\t// be type asserted to a uint8 slice.\n\t\t\tdoConvert = true\n\t\t}\n\n\t\t// Copy and convert the underlying type if needed.\n\t\tif doConvert && vt.ConvertibleTo(uint8Type) {\n\t\t\t// Convert and copy each element into a uint8 byte\n\t\t\t// slice.\n\t\t\tbuf = make([]uint8, numEntries)\n\t\t\tfor i := 0; i < numEntries; i++ {\n\t\t\t\tvv := v.Index(i)\n\t\t\t\tbuf[i] = uint8(vv.Convert(uint8Type).Uint())\n\t\t\t}\n\t\t\tdoHexDump = true\n\t\t}\n\t}\n\n\t// Hexdump the entire slice as needed.\n\tif doHexDump {\n\t\tindent := strings.Repeat(d.cs.Indent, d.depth)\n\t\tstr := indent + hex.Dump(buf)\n\t\tstr = strings.Replace(str, \"\\n\", \"\\n\"+indent, -1)\n\t\tstr = strings.TrimRight(str, d.cs.Indent)\n\t\td.w.Write([]byte(str))\n\t\treturn\n\t}\n\n\t// Recursively call dump for each item.\n\tfor i := 0; i < numEntries; i++ {\n\t\td.dump(d.unpackValue(v.Index(i)))\n\t\tif i < (numEntries - 1) {\n\t\t\td.w.Write(commaNewlineBytes)\n\t\t} else {\n\t\t\td.w.Write(newlineBytes)\n\t\t}\n\t}\n}\n\n// dump is the main workhorse for dumping a value. It uses the passed reflect\n// value to figure out what kind of object we are dealing with and formats it\n// appropriately. It is a recursive function, however circular data structures\n// are detected and handled properly.\nfunc (d *dumpState) dump(v reflect.Value) {\n\t// Handle invalid reflect values immediately.\n\tkind := v.Kind()\n\tif kind == reflect.Invalid {\n\t\td.w.Write(invalidAngleBytes)\n\t\treturn\n\t}\n\n\t// Handle pointers specially.\n\tif kind == reflect.Ptr {\n\t\td.indent()\n\t\td.dumpPtr(v)\n\t\treturn\n\t}\n\n\t// Print type information unless already handled elsewhere.\n\tif !d.ignoreNextType {\n\t\td.indent()\n\t\td.w.Write(openParenBytes)\n\t\td.w.Write([]byte(v.Type().String()))\n\t\td.w.Write(closeParenBytes)\n\t\td.w.Write(spaceBytes)\n\t}\n\td.ignoreNextType = false\n\n\t// Display length and capacity if the built-in len and cap functions\n\t// work with the value's kind and the len/cap itself is non-zero.\n\tvalueLen, valueCap := 0, 0\n\tswitch v.Kind() {\n\tcase reflect.Array, reflect.Slice, reflect.Chan:\n\t\tvalueLen, valueCap = v.Len(), v.Cap()\n\tcase reflect.Map, reflect.String:\n\t\tvalueLen = v.Len()\n\t}\n\tif valueLen != 0 || !d.cs.DisableCapacities && valueCap != 0 {\n\t\td.w.Write(openParenBytes)\n\t\tif valueLen != 0 {\n\t\t\td.w.Write(lenEqualsBytes)\n\t\t\tprintInt(d.w, int64(valueLen), 10)\n\t\t}\n\t\tif !d.cs.DisableCapacities && valueCap != 0 {\n\t\t\tif valueLen != 0 {\n\t\t\t\td.w.Write(spaceBytes)\n\t\t\t}\n\t\t\td.w.Write(capEqualsBytes)\n\t\t\tprintInt(d.w, int64(valueCap), 10)\n\t\t}\n\t\td.w.Write(closeParenBytes)\n\t\td.w.Write(spaceBytes)\n\t}\n\n\t// Call Stringer/error interfaces if they exist and the handle methods flag\n\t// is enabled\n\tif !d.cs.DisableMethods {\n\t\tif (kind != reflect.Invalid) && (kind != reflect.Interface) {\n\t\t\tif handled := handleMethods(d.cs, d.w, v); handled {\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}\n\n\tswitch kind {\n\tcase reflect.Invalid:\n\t\t// Do nothing. We should never get here since invalid has already\n\t\t// been handled above.\n\n\tcase reflect.Bool:\n\t\tprintBool(d.w, v.Bool())\n\n\tcase reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Int:\n\t\tprintInt(d.w, v.Int(), 10)\n\n\tcase reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uint:\n\t\tprintUint(d.w, v.Uint(), 10)\n\n\tcase reflect.Float32:\n\t\tprintFloat(d.w, v.Float(), 32)\n\n\tcase reflect.Float64:\n\t\tprintFloat(d.w, v.Float(), 64)\n\n\tcase reflect.Complex64:\n\t\tprintComplex(d.w, v.Complex(), 32)\n\n\tcase reflect.Complex128:\n\t\tprintComplex(d.w, v.Complex(), 64)\n\n\tcase reflect.Slice:\n\t\tif v.IsNil() {\n\t\t\td.w.Write(nilAngleBytes)\n\t\t\tbreak\n\t\t}\n\t\tfallthrough\n\n\tcase reflect.Array:\n\t\td.w.Write(openBraceNewlineBytes)\n\t\td.depth++\n\t\tif (d.cs.MaxDepth != 0) && (d.depth > d.cs.MaxDepth) {\n\t\t\td.indent()\n\t\t\td.w.Write(maxNewlineBytes)\n\t\t} else {\n\t\t\td.dumpSlice(v)\n\t\t}\n\t\td.depth--\n\t\td.indent()\n\t\td.w.Write(closeBraceBytes)\n\n\tcase reflect.String:\n\t\td.w.Write([]byte(strconv.Quote(v.String())))\n\n\tcase reflect.Interface:\n\t\t// The only time we should get here is for nil interfaces due to\n\t\t// unpackValue calls.\n\t\tif v.IsNil() {\n\t\t\td.w.Write(nilAngleBytes)\n\t\t}\n\n\tcase reflect.Ptr:\n\t\t// Do nothing. We should never get here since pointers have already\n\t\t// been handled above.\n\n\tcase reflect.Map:\n\t\t// nil maps should be indicated as different than empty maps\n\t\tif v.IsNil() {\n\t\t\td.w.Write(nilAngleBytes)\n\t\t\tbreak\n\t\t}\n\n\t\td.w.Write(openBraceNewlineBytes)\n\t\td.depth++\n\t\tif (d.cs.MaxDepth != 0) && (d.depth > d.cs.MaxDepth) {\n\t\t\td.indent()\n\t\t\td.w.Write(maxNewlineBytes)\n\t\t} else {\n\t\t\tnumEntries := v.Len()\n\t\t\tkeys := v.MapKeys()\n\t\t\tif d.cs.SortKeys {\n\t\t\t\tsortValues(keys, d.cs)\n\t\t\t}\n\t\t\tfor i, key := range keys {\n\t\t\t\td.dump(d.unpackValue(key))\n\t\t\t\td.w.Write(colonSpaceBytes)\n\t\t\t\td.ignoreNextIndent = true\n\t\t\t\td.dump(d.unpackValue(v.MapIndex(key)))\n\t\t\t\tif i < (numEntries - 1) {\n\t\t\t\t\td.w.Write(commaNewlineBytes)\n\t\t\t\t} else {\n\t\t\t\t\td.w.Write(newlineBytes)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\td.depth--\n\t\td.indent()\n\t\td.w.Write(closeBraceBytes)\n\n\tcase reflect.Struct:\n\t\td.w.Write(openBraceNewlineBytes)\n\t\td.depth++\n\t\tif (d.cs.MaxDepth != 0) && (d.depth > d.cs.MaxDepth) {\n\t\t\td.indent()\n\t\t\td.w.Write(maxNewlineBytes)\n\t\t} else {\n\t\t\tvt := v.Type()\n\t\t\tnumFields := v.NumField()\n\t\t\tfor i := 0; i < numFields; i++ {\n\t\t\t\td.indent()\n\t\t\t\tvtf := vt.Field(i)\n\t\t\t\td.w.Write([]byte(vtf.Name))\n\t\t\t\td.w.Write(colonSpaceBytes)\n\t\t\t\td.ignoreNextIndent = true\n\t\t\t\td.dump(d.unpackValue(v.Field(i)))\n\t\t\t\tif i < (numFields - 1) {\n\t\t\t\t\td.w.Write(commaNewlineBytes)\n\t\t\t\t} else {\n\t\t\t\t\td.w.Write(newlineBytes)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\td.depth--\n\t\td.indent()\n\t\td.w.Write(closeBraceBytes)\n\n\tcase reflect.Uintptr:\n\t\tprintHexPtr(d.w, uintptr(v.Uint()))\n\n\tcase reflect.UnsafePointer, reflect.Chan, reflect.Func:\n\t\tprintHexPtr(d.w, v.Pointer())\n\n\t// There were not any other types at the time this code was written, but\n\t// fall back to letting the default fmt package handle it in case any new\n\t// types are added.\n\tdefault:\n\t\tif v.CanInterface() {\n\t\t\tfmt.Fprintf(d.w, \"%v\", v.Interface())\n\t\t} else {\n\t\t\tfmt.Fprintf(d.w, \"%v\", v.String())\n\t\t}\n\t}\n}\n\n// fdump is a helper function to consolidate the logic from the various public\n// methods which take varying writers and config states.\nfunc fdump(cs *ConfigState, w io.Writer, a ...interface{}) {\n\tfor _, arg := range a {\n\t\tif arg == nil {\n\t\t\tw.Write(interfaceBytes)\n\t\t\tw.Write(spaceBytes)\n\t\t\tw.Write(nilAngleBytes)\n\t\t\tw.Write(newlineBytes)\n\t\t\tcontinue\n\t\t}\n\n\t\td := dumpState{w: w, cs: cs}\n\t\td.pointers = make(map[uintptr]int)\n\t\td.dump(reflect.ValueOf(arg))\n\t\td.w.Write(newlineBytes)\n\t}\n}\n\n// Fdump formats and displays the passed arguments to io.Writer w. It formats\n// exactly the same as Dump.\nfunc Fdump(w io.Writer, a ...interface{}) {\n\tfdump(&Config, w, a...)\n}\n\n// Sdump returns a string with the passed arguments formatted exactly the same\n// as Dump.\nfunc Sdump(a ...interface{}) string {\n\tvar buf bytes.Buffer\n\tfdump(&Config, &buf, a...)\n\treturn buf.String()\n}\n\n/*\nDump displays the passed parameters to standard out with newlines, customizable\nindentation, and additional debug information such as complete types and all\npointer addresses used to indirect to the final value. It provides the\nfollowing features over the built-in printing facilities provided by the fmt\npackage:\n\n\t* Pointers are dereferenced and followed\n\t* Circular data structures are detected and handled properly\n\t* Custom Stringer/error interfaces are optionally invoked, including\n\t on unexported types\n\t* Custom types which only implement the Stringer/error interfaces via\n\t a pointer receiver are optionally invoked when passing non-pointer\n\t variables\n\t* Byte arrays and slices are dumped like the hexdump -C command which\n\t includes offsets, byte values in hex, and ASCII output\n\nThe configuration options are controlled by an exported package global,\nspew.Config. See ConfigState for options documentation.\n\nSee Fdump if you would prefer dumping to an arbitrary io.Writer or Sdump to\nget the formatted result as a string.\n*/\nfunc Dump(a ...interface{}) {\n\tfdump(&Config, os.Stdout, a...)\n}\n" }, { "path": "vendor/github.com/davecgh/go-spew/spew/format.go", "content": "/*\n * Copyright (c) 2013-2016 Dave Collins \n *\n * Permission to use, copy, modify, and distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\n * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\n * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\n * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n */\n\npackage spew\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"reflect\"\n\t\"strconv\"\n\t\"strings\"\n)\n\n// supportedFlags is a list of all the character flags supported by fmt package.\nconst supportedFlags = \"0-+# \"\n\n// formatState implements the fmt.Formatter interface and contains information\n// about the state of a formatting operation. The NewFormatter function can\n// be used to get a new Formatter which can be used directly as arguments\n// in standard fmt package printing calls.\ntype formatState struct {\n\tvalue interface{}\n\tfs fmt.State\n\tdepth int\n\tpointers map[uintptr]int\n\tignoreNextType bool\n\tcs *ConfigState\n}\n\n// buildDefaultFormat recreates the original format string without precision\n// and width information to pass in to fmt.Sprintf in the case of an\n// unrecognized type. Unless new types are added to the language, this\n// function won't ever be called.\nfunc (f *formatState) buildDefaultFormat() (format string) {\n\tbuf := bytes.NewBuffer(percentBytes)\n\n\tfor _, flag := range supportedFlags {\n\t\tif f.fs.Flag(int(flag)) {\n\t\t\tbuf.WriteRune(flag)\n\t\t}\n\t}\n\n\tbuf.WriteRune('v')\n\n\tformat = buf.String()\n\treturn format\n}\n\n// constructOrigFormat recreates the original format string including precision\n// and width information to pass along to the standard fmt package. This allows\n// automatic deferral of all format strings this package doesn't support.\nfunc (f *formatState) constructOrigFormat(verb rune) (format string) {\n\tbuf := bytes.NewBuffer(percentBytes)\n\n\tfor _, flag := range supportedFlags {\n\t\tif f.fs.Flag(int(flag)) {\n\t\t\tbuf.WriteRune(flag)\n\t\t}\n\t}\n\n\tif width, ok := f.fs.Width(); ok {\n\t\tbuf.WriteString(strconv.Itoa(width))\n\t}\n\n\tif precision, ok := f.fs.Precision(); ok {\n\t\tbuf.Write(precisionBytes)\n\t\tbuf.WriteString(strconv.Itoa(precision))\n\t}\n\n\tbuf.WriteRune(verb)\n\n\tformat = buf.String()\n\treturn format\n}\n\n// unpackValue returns values inside of non-nil interfaces when possible and\n// ensures that types for values which have been unpacked from an interface\n// are displayed when the show types flag is also set.\n// This is useful for data types like structs, arrays, slices, and maps which\n// can contain varying types packed inside an interface.\nfunc (f *formatState) unpackValue(v reflect.Value) reflect.Value {\n\tif v.Kind() == reflect.Interface {\n\t\tf.ignoreNextType = false\n\t\tif !v.IsNil() {\n\t\t\tv = v.Elem()\n\t\t}\n\t}\n\treturn v\n}\n\n// formatPtr handles formatting of pointers by indirecting them as necessary.\nfunc (f *formatState) formatPtr(v reflect.Value) {\n\t// Display nil if top level pointer is nil.\n\tshowTypes := f.fs.Flag('#')\n\tif v.IsNil() && (!showTypes || f.ignoreNextType) {\n\t\tf.fs.Write(nilAngleBytes)\n\t\treturn\n\t}\n\n\t// Remove pointers at or below the current depth from map used to detect\n\t// circular refs.\n\tfor k, depth := range f.pointers {\n\t\tif depth >= f.depth {\n\t\t\tdelete(f.pointers, k)\n\t\t}\n\t}\n\n\t// Keep list of all dereferenced pointers to possibly show later.\n\tpointerChain := make([]uintptr, 0)\n\n\t// Figure out how many levels of indirection there are by derferencing\n\t// pointers and unpacking interfaces down the chain while detecting circular\n\t// references.\n\tnilFound := false\n\tcycleFound := false\n\tindirects := 0\n\tve := v\n\tfor ve.Kind() == reflect.Ptr {\n\t\tif ve.IsNil() {\n\t\t\tnilFound = true\n\t\t\tbreak\n\t\t}\n\t\tindirects++\n\t\taddr := ve.Pointer()\n\t\tpointerChain = append(pointerChain, addr)\n\t\tif pd, ok := f.pointers[addr]; ok && pd < f.depth {\n\t\t\tcycleFound = true\n\t\t\tindirects--\n\t\t\tbreak\n\t\t}\n\t\tf.pointers[addr] = f.depth\n\n\t\tve = ve.Elem()\n\t\tif ve.Kind() == reflect.Interface {\n\t\t\tif ve.IsNil() {\n\t\t\t\tnilFound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tve = ve.Elem()\n\t\t}\n\t}\n\n\t// Display type or indirection level depending on flags.\n\tif showTypes && !f.ignoreNextType {\n\t\tf.fs.Write(openParenBytes)\n\t\tf.fs.Write(bytes.Repeat(asteriskBytes, indirects))\n\t\tf.fs.Write([]byte(ve.Type().String()))\n\t\tf.fs.Write(closeParenBytes)\n\t} else {\n\t\tif nilFound || cycleFound {\n\t\t\tindirects += strings.Count(ve.Type().String(), \"*\")\n\t\t}\n\t\tf.fs.Write(openAngleBytes)\n\t\tf.fs.Write([]byte(strings.Repeat(\"*\", indirects)))\n\t\tf.fs.Write(closeAngleBytes)\n\t}\n\n\t// Display pointer information depending on flags.\n\tif f.fs.Flag('+') && (len(pointerChain) > 0) {\n\t\tf.fs.Write(openParenBytes)\n\t\tfor i, addr := range pointerChain {\n\t\t\tif i > 0 {\n\t\t\t\tf.fs.Write(pointerChainBytes)\n\t\t\t}\n\t\t\tprintHexPtr(f.fs, addr)\n\t\t}\n\t\tf.fs.Write(closeParenBytes)\n\t}\n\n\t// Display dereferenced value.\n\tswitch {\n\tcase nilFound:\n\t\tf.fs.Write(nilAngleBytes)\n\n\tcase cycleFound:\n\t\tf.fs.Write(circularShortBytes)\n\n\tdefault:\n\t\tf.ignoreNextType = true\n\t\tf.format(ve)\n\t}\n}\n\n// format is the main workhorse for providing the Formatter interface. It\n// uses the passed reflect value to figure out what kind of object we are\n// dealing with and formats it appropriately. It is a recursive function,\n// however circular data structures are detected and handled properly.\nfunc (f *formatState) format(v reflect.Value) {\n\t// Handle invalid reflect values immediately.\n\tkind := v.Kind()\n\tif kind == reflect.Invalid {\n\t\tf.fs.Write(invalidAngleBytes)\n\t\treturn\n\t}\n\n\t// Handle pointers specially.\n\tif kind == reflect.Ptr {\n\t\tf.formatPtr(v)\n\t\treturn\n\t}\n\n\t// Print type information unless already handled elsewhere.\n\tif !f.ignoreNextType && f.fs.Flag('#') {\n\t\tf.fs.Write(openParenBytes)\n\t\tf.fs.Write([]byte(v.Type().String()))\n\t\tf.fs.Write(closeParenBytes)\n\t}\n\tf.ignoreNextType = false\n\n\t// Call Stringer/error interfaces if they exist and the handle methods\n\t// flag is enabled.\n\tif !f.cs.DisableMethods {\n\t\tif (kind != reflect.Invalid) && (kind != reflect.Interface) {\n\t\t\tif handled := handleMethods(f.cs, f.fs, v); handled {\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}\n\n\tswitch kind {\n\tcase reflect.Invalid:\n\t\t// Do nothing. We should never get here since invalid has already\n\t\t// been handled above.\n\n\tcase reflect.Bool:\n\t\tprintBool(f.fs, v.Bool())\n\n\tcase reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Int:\n\t\tprintInt(f.fs, v.Int(), 10)\n\n\tcase reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uint:\n\t\tprintUint(f.fs, v.Uint(), 10)\n\n\tcase reflect.Float32:\n\t\tprintFloat(f.fs, v.Float(), 32)\n\n\tcase reflect.Float64:\n\t\tprintFloat(f.fs, v.Float(), 64)\n\n\tcase reflect.Complex64:\n\t\tprintComplex(f.fs, v.Complex(), 32)\n\n\tcase reflect.Complex128:\n\t\tprintComplex(f.fs, v.Complex(), 64)\n\n\tcase reflect.Slice:\n\t\tif v.IsNil() {\n\t\t\tf.fs.Write(nilAngleBytes)\n\t\t\tbreak\n\t\t}\n\t\tfallthrough\n\n\tcase reflect.Array:\n\t\tf.fs.Write(openBracketBytes)\n\t\tf.depth++\n\t\tif (f.cs.MaxDepth != 0) && (f.depth > f.cs.MaxDepth) {\n\t\t\tf.fs.Write(maxShortBytes)\n\t\t} else {\n\t\t\tnumEntries := v.Len()\n\t\t\tfor i := 0; i < numEntries; i++ {\n\t\t\t\tif i > 0 {\n\t\t\t\t\tf.fs.Write(spaceBytes)\n\t\t\t\t}\n\t\t\t\tf.ignoreNextType = true\n\t\t\t\tf.format(f.unpackValue(v.Index(i)))\n\t\t\t}\n\t\t}\n\t\tf.depth--\n\t\tf.fs.Write(closeBracketBytes)\n\n\tcase reflect.String:\n\t\tf.fs.Write([]byte(v.String()))\n\n\tcase reflect.Interface:\n\t\t// The only time we should get here is for nil interfaces due to\n\t\t// unpackValue calls.\n\t\tif v.IsNil() {\n\t\t\tf.fs.Write(nilAngleBytes)\n\t\t}\n\n\tcase reflect.Ptr:\n\t\t// Do nothing. We should never get here since pointers have already\n\t\t// been handled above.\n\n\tcase reflect.Map:\n\t\t// nil maps should be indicated as different than empty maps\n\t\tif v.IsNil() {\n\t\t\tf.fs.Write(nilAngleBytes)\n\t\t\tbreak\n\t\t}\n\n\t\tf.fs.Write(openMapBytes)\n\t\tf.depth++\n\t\tif (f.cs.MaxDepth != 0) && (f.depth > f.cs.MaxDepth) {\n\t\t\tf.fs.Write(maxShortBytes)\n\t\t} else {\n\t\t\tkeys := v.MapKeys()\n\t\t\tif f.cs.SortKeys {\n\t\t\t\tsortValues(keys, f.cs)\n\t\t\t}\n\t\t\tfor i, key := range keys {\n\t\t\t\tif i > 0 {\n\t\t\t\t\tf.fs.Write(spaceBytes)\n\t\t\t\t}\n\t\t\t\tf.ignoreNextType = true\n\t\t\t\tf.format(f.unpackValue(key))\n\t\t\t\tf.fs.Write(colonBytes)\n\t\t\t\tf.ignoreNextType = true\n\t\t\t\tf.format(f.unpackValue(v.MapIndex(key)))\n\t\t\t}\n\t\t}\n\t\tf.depth--\n\t\tf.fs.Write(closeMapBytes)\n\n\tcase reflect.Struct:\n\t\tnumFields := v.NumField()\n\t\tf.fs.Write(openBraceBytes)\n\t\tf.depth++\n\t\tif (f.cs.MaxDepth != 0) && (f.depth > f.cs.MaxDepth) {\n\t\t\tf.fs.Write(maxShortBytes)\n\t\t} else {\n\t\t\tvt := v.Type()\n\t\t\tfor i := 0; i < numFields; i++ {\n\t\t\t\tif i > 0 {\n\t\t\t\t\tf.fs.Write(spaceBytes)\n\t\t\t\t}\n\t\t\t\tvtf := vt.Field(i)\n\t\t\t\tif f.fs.Flag('+') || f.fs.Flag('#') {\n\t\t\t\t\tf.fs.Write([]byte(vtf.Name))\n\t\t\t\t\tf.fs.Write(colonBytes)\n\t\t\t\t}\n\t\t\t\tf.format(f.unpackValue(v.Field(i)))\n\t\t\t}\n\t\t}\n\t\tf.depth--\n\t\tf.fs.Write(closeBraceBytes)\n\n\tcase reflect.Uintptr:\n\t\tprintHexPtr(f.fs, uintptr(v.Uint()))\n\n\tcase reflect.UnsafePointer, reflect.Chan, reflect.Func:\n\t\tprintHexPtr(f.fs, v.Pointer())\n\n\t// There were not any other types at the time this code was written, but\n\t// fall back to letting the default fmt package handle it if any get added.\n\tdefault:\n\t\tformat := f.buildDefaultFormat()\n\t\tif v.CanInterface() {\n\t\t\tfmt.Fprintf(f.fs, format, v.Interface())\n\t\t} else {\n\t\t\tfmt.Fprintf(f.fs, format, v.String())\n\t\t}\n\t}\n}\n\n// Format satisfies the fmt.Formatter interface. See NewFormatter for usage\n// details.\nfunc (f *formatState) Format(fs fmt.State, verb rune) {\n\tf.fs = fs\n\n\t// Use standard formatting for verbs that are not v.\n\tif verb != 'v' {\n\t\tformat := f.constructOrigFormat(verb)\n\t\tfmt.Fprintf(fs, format, f.value)\n\t\treturn\n\t}\n\n\tif f.value == nil {\n\t\tif fs.Flag('#') {\n\t\t\tfs.Write(interfaceBytes)\n\t\t}\n\t\tfs.Write(nilAngleBytes)\n\t\treturn\n\t}\n\n\tf.format(reflect.ValueOf(f.value))\n}\n\n// newFormatter is a helper function to consolidate the logic from the various\n// public methods which take varying config states.\nfunc newFormatter(cs *ConfigState, v interface{}) fmt.Formatter {\n\tfs := &formatState{value: v, cs: cs}\n\tfs.pointers = make(map[uintptr]int)\n\treturn fs\n}\n\n/*\nNewFormatter returns a custom formatter that satisfies the fmt.Formatter\ninterface. As a result, it integrates cleanly with standard fmt package\nprinting functions. The formatter is useful for inline printing of smaller data\ntypes similar to the standard %v format specifier.\n\nThe custom formatter only responds to the %v (most compact), %+v (adds pointer\naddresses), %#v (adds types), or %#+v (adds types and pointer addresses) verb\ncombinations. Any other verbs such as %x and %q will be sent to the the\nstandard fmt package for formatting. In addition, the custom formatter ignores\nthe width and precision arguments (however they will still work on the format\nspecifiers not handled by the custom formatter).\n\nTypically this function shouldn't be called directly. It is much easier to make\nuse of the custom formatter by calling one of the convenience functions such as\nPrintf, Println, or Fprintf.\n*/\nfunc NewFormatter(v interface{}) fmt.Formatter {\n\treturn newFormatter(&Config, v)\n}\n" }, { "path": "vendor/github.com/davecgh/go-spew/spew/spew.go", "content": "/*\n * Copyright (c) 2013-2016 Dave Collins \n *\n * Permission to use, copy, modify, and distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\n * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\n * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\n * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n */\n\npackage spew\n\nimport (\n\t\"fmt\"\n\t\"io\"\n)\n\n// Errorf is a wrapper for fmt.Errorf that treats each argument as if it were\n// passed with a default Formatter interface returned by NewFormatter. It\n// returns the formatted string as a value that satisfies error. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Errorf(format, spew.NewFormatter(a), spew.NewFormatter(b))\nfunc Errorf(format string, a ...interface{}) (err error) {\n\treturn fmt.Errorf(format, convertArgs(a)...)\n}\n\n// Fprint is a wrapper for fmt.Fprint that treats each argument as if it were\n// passed with a default Formatter interface returned by NewFormatter. It\n// returns the number of bytes written and any write error encountered. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Fprint(w, spew.NewFormatter(a), spew.NewFormatter(b))\nfunc Fprint(w io.Writer, a ...interface{}) (n int, err error) {\n\treturn fmt.Fprint(w, convertArgs(a)...)\n}\n\n// Fprintf is a wrapper for fmt.Fprintf that treats each argument as if it were\n// passed with a default Formatter interface returned by NewFormatter. It\n// returns the number of bytes written and any write error encountered. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Fprintf(w, format, spew.NewFormatter(a), spew.NewFormatter(b))\nfunc Fprintf(w io.Writer, format string, a ...interface{}) (n int, err error) {\n\treturn fmt.Fprintf(w, format, convertArgs(a)...)\n}\n\n// Fprintln is a wrapper for fmt.Fprintln that treats each argument as if it\n// passed with a default Formatter interface returned by NewFormatter. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Fprintln(w, spew.NewFormatter(a), spew.NewFormatter(b))\nfunc Fprintln(w io.Writer, a ...interface{}) (n int, err error) {\n\treturn fmt.Fprintln(w, convertArgs(a)...)\n}\n\n// Print is a wrapper for fmt.Print that treats each argument as if it were\n// passed with a default Formatter interface returned by NewFormatter. It\n// returns the number of bytes written and any write error encountered. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Print(spew.NewFormatter(a), spew.NewFormatter(b))\nfunc Print(a ...interface{}) (n int, err error) {\n\treturn fmt.Print(convertArgs(a)...)\n}\n\n// Printf is a wrapper for fmt.Printf that treats each argument as if it were\n// passed with a default Formatter interface returned by NewFormatter. It\n// returns the number of bytes written and any write error encountered. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Printf(format, spew.NewFormatter(a), spew.NewFormatter(b))\nfunc Printf(format string, a ...interface{}) (n int, err error) {\n\treturn fmt.Printf(format, convertArgs(a)...)\n}\n\n// Println is a wrapper for fmt.Println that treats each argument as if it were\n// passed with a default Formatter interface returned by NewFormatter. It\n// returns the number of bytes written and any write error encountered. See\n// NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Println(spew.NewFormatter(a), spew.NewFormatter(b))\nfunc Println(a ...interface{}) (n int, err error) {\n\treturn fmt.Println(convertArgs(a)...)\n}\n\n// Sprint is a wrapper for fmt.Sprint that treats each argument as if it were\n// passed with a default Formatter interface returned by NewFormatter. It\n// returns the resulting string. See NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Sprint(spew.NewFormatter(a), spew.NewFormatter(b))\nfunc Sprint(a ...interface{}) string {\n\treturn fmt.Sprint(convertArgs(a)...)\n}\n\n// Sprintf is a wrapper for fmt.Sprintf that treats each argument as if it were\n// passed with a default Formatter interface returned by NewFormatter. It\n// returns the resulting string. See NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Sprintf(format, spew.NewFormatter(a), spew.NewFormatter(b))\nfunc Sprintf(format string, a ...interface{}) string {\n\treturn fmt.Sprintf(format, convertArgs(a)...)\n}\n\n// Sprintln is a wrapper for fmt.Sprintln that treats each argument as if it\n// were passed with a default Formatter interface returned by NewFormatter. It\n// returns the resulting string. See NewFormatter for formatting details.\n//\n// This function is shorthand for the following syntax:\n//\n//\tfmt.Sprintln(spew.NewFormatter(a), spew.NewFormatter(b))\nfunc Sprintln(a ...interface{}) string {\n\treturn fmt.Sprintln(convertArgs(a)...)\n}\n\n// convertArgs accepts a slice of arguments and returns a slice of the same\n// length with each argument converted to a default spew Formatter interface.\nfunc convertArgs(args []interface{}) (formatters []interface{}) {\n\tformatters = make([]interface{}, len(args))\n\tfor index, arg := range args {\n\t\tformatters[index] = NewFormatter(arg)\n\t}\n\treturn formatters\n}\n" }, { "path": "vendor/github.com/facebookgo/grace/gracenet/net.go", "content": "// Package gracenet provides a family of Listen functions that either open a\n// fresh connection or provide an inherited connection from when the process\n// was started. The behave like their counterparts in the net package, but\n// transparently provide support for graceful restarts without dropping\n// connections. This is provided in a systemd socket activation compatible form\n// to allow using socket activation.\n//\n// BUG: Doesn't handle closing of listeners.\npackage gracenet\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"os/exec\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n)\n\nconst (\n\t// Used to indicate a graceful restart in the new process.\n\tenvCountKey = \"LISTEN_FDS\"\n\tenvCountKeyPrefix = envCountKey + \"=\"\n)\n\n// In order to keep the working directory the same as when we started we record\n// it at startup.\nvar originalWD, _ = os.Getwd()\n\n// Net provides the family of Listen functions and maintains the associated\n// state. Typically you will have only once instance of Net per application.\ntype Net struct {\n\tinherited []net.Listener\n\tactive []net.Listener\n\tmutex sync.Mutex\n\tinheritOnce sync.Once\n\n\t// used in tests to override the default behavior of starting from fd 3.\n\tfdStart int\n}\n\nfunc (n *Net) inherit() error {\n\tvar retErr error\n\tn.inheritOnce.Do(func() {\n\t\tn.mutex.Lock()\n\t\tdefer n.mutex.Unlock()\n\t\tcountStr := os.Getenv(envCountKey)\n\t\tif countStr == \"\" {\n\t\t\treturn\n\t\t}\n\t\tcount, err := strconv.Atoi(countStr)\n\t\tif err != nil {\n\t\t\tretErr = fmt.Errorf(\"found invalid count value: %s=%s\", envCountKey, countStr)\n\t\t\treturn\n\t\t}\n\n\t\t// In tests this may be overridden.\n\t\tfdStart := n.fdStart\n\t\tif fdStart == 0 {\n\t\t\t// In normal operations if we are inheriting, the listeners will begin at\n\t\t\t// fd 3.\n\t\t\tfdStart = 3\n\t\t}\n\n\t\tfor i := fdStart; i < fdStart+count; i++ {\n\t\t\tfile := os.NewFile(uintptr(i), \"listener\")\n\t\t\tl, err := net.FileListener(file)\n\t\t\tif err != nil {\n\t\t\t\tfile.Close()\n\t\t\t\tretErr = fmt.Errorf(\"error inheriting socket fd %d: %s\", i, err)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif err := file.Close(); err != nil {\n\t\t\t\tretErr = fmt.Errorf(\"error closing inherited socket fd %d: %s\", i, err)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tn.inherited = append(n.inherited, l)\n\t\t}\n\t})\n\treturn retErr\n}\n\n// Listen announces on the local network address laddr. The network net must be\n// a stream-oriented network: \"tcp\", \"tcp4\", \"tcp6\", \"unix\" or \"unixpacket\". It\n// returns an inherited net.Listener for the matching network and address, or\n// creates a new one using net.Listen.\nfunc (n *Net) Listen(nett, laddr string) (net.Listener, error) {\n\tswitch nett {\n\tdefault:\n\t\treturn nil, net.UnknownNetworkError(nett)\n\tcase \"tcp\", \"tcp4\", \"tcp6\":\n\t\taddr, err := net.ResolveTCPAddr(nett, laddr)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\treturn n.ListenTCP(nett, addr)\n\tcase \"unix\", \"unixpacket\", \"invalid_unix_net_for_test\":\n\t\taddr, err := net.ResolveUnixAddr(nett, laddr)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\treturn n.ListenUnix(nett, addr)\n\t}\n}\n\n// ListenTCP announces on the local network address laddr. The network net must\n// be: \"tcp\", \"tcp4\" or \"tcp6\". It returns an inherited net.Listener for the\n// matching network and address, or creates a new one using net.ListenTCP.\nfunc (n *Net) ListenTCP(nett string, laddr *net.TCPAddr) (*net.TCPListener, error) {\n\tif err := n.inherit(); err != nil {\n\t\treturn nil, err\n\t}\n\n\tn.mutex.Lock()\n\tdefer n.mutex.Unlock()\n\n\t// look for an inherited listener\n\tfor i, l := range n.inherited {\n\t\tif l == nil { // we nil used inherited listeners\n\t\t\tcontinue\n\t\t}\n\t\tif isSameAddr(l.Addr(), laddr) {\n\t\t\tn.inherited[i] = nil\n\t\t\tn.active = append(n.active, l)\n\t\t\treturn l.(*net.TCPListener), nil\n\t\t}\n\t}\n\n\t// make a fresh listener\n\tl, err := net.ListenTCP(nett, laddr)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tn.active = append(n.active, l)\n\treturn l, nil\n}\n\n// ListenUnix announces on the local network address laddr. The network net\n// must be a: \"unix\" or \"unixpacket\". It returns an inherited net.Listener for\n// the matching network and address, or creates a new one using net.ListenUnix.\nfunc (n *Net) ListenUnix(nett string, laddr *net.UnixAddr) (*net.UnixListener, error) {\n\tif err := n.inherit(); err != nil {\n\t\treturn nil, err\n\t}\n\n\tn.mutex.Lock()\n\tdefer n.mutex.Unlock()\n\n\t// look for an inherited listener\n\tfor i, l := range n.inherited {\n\t\tif l == nil { // we nil used inherited listeners\n\t\t\tcontinue\n\t\t}\n\t\tif isSameAddr(l.Addr(), laddr) {\n\t\t\tn.inherited[i] = nil\n\t\t\tn.active = append(n.active, l)\n\t\t\treturn l.(*net.UnixListener), nil\n\t\t}\n\t}\n\n\t// make a fresh listener\n\tl, err := net.ListenUnix(nett, laddr)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tn.active = append(n.active, l)\n\treturn l, nil\n}\n\n// activeListeners returns a snapshot copy of the active listeners.\nfunc (n *Net) activeListeners() ([]net.Listener, error) {\n\tn.mutex.Lock()\n\tdefer n.mutex.Unlock()\n\tls := make([]net.Listener, len(n.active))\n\tcopy(ls, n.active)\n\treturn ls, nil\n}\n\nfunc isSameAddr(a1, a2 net.Addr) bool {\n\tif a1.Network() != a2.Network() {\n\t\treturn false\n\t}\n\ta1s := a1.String()\n\ta2s := a2.String()\n\tif a1s == a2s {\n\t\treturn true\n\t}\n\n\t// This allows for ipv6 vs ipv4 local addresses to compare as equal. This\n\t// scenario is common when listening on localhost.\n\tconst ipv6prefix = \"[::]\"\n\ta1s = strings.TrimPrefix(a1s, ipv6prefix)\n\ta2s = strings.TrimPrefix(a2s, ipv6prefix)\n\tconst ipv4prefix = \"0.0.0.0\"\n\ta1s = strings.TrimPrefix(a1s, ipv4prefix)\n\ta2s = strings.TrimPrefix(a2s, ipv4prefix)\n\treturn a1s == a2s\n}\n\n// StartProcess starts a new process passing it the active listeners. It\n// doesn't fork, but starts a new process using the same environment and\n// arguments as when it was originally started. This allows for a newly\n// deployed binary to be started. It returns the pid of the newly started\n// process when successful.\nfunc (n *Net) StartProcess() (int, error) {\n\tlisteners, err := n.activeListeners()\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\n\t// Extract the fds from the listeners.\n\tfiles := make([]*os.File, len(listeners))\n\tfor i, l := range listeners {\n\t\tfiles[i], err = l.(filer).File()\n\t\tif err != nil {\n\t\t\treturn 0, err\n\t\t}\n\t\tdefer files[i].Close()\n\t}\n\n\t// Use the original binary location. This works with symlinks such that if\n\t// the file it points to has been changed we will use the updated symlink.\n\targv0, err := exec.LookPath(os.Args[0])\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\n\t// Pass on the environment and replace the old count key with the new one.\n\tvar env []string\n\tfor _, v := range os.Environ() {\n\t\tif !strings.HasPrefix(v, envCountKeyPrefix) {\n\t\t\tenv = append(env, v)\n\t\t}\n\t}\n\tenv = append(env, fmt.Sprintf(\"%s%d\", envCountKeyPrefix, len(listeners)))\n\n\tallFiles := append([]*os.File{os.Stdin, os.Stdout, os.Stderr}, files...)\n\tprocess, err := os.StartProcess(argv0, os.Args, &os.ProcAttr{\n\t\tDir: originalWD,\n\t\tEnv: env,\n\t\tFiles: allFiles,\n\t})\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\treturn process.Pid, nil\n}\n\ntype filer interface {\n\tFile() (*os.File, error)\n}\n" }, { "path": "vendor/github.com/fortytw2/leaktest/.travis.yml", "content": "language: go\ngo:\n - 1.8\n - 1.9\n - \"1.10\"\n - \"1.11\"\n - tip\n\nscript:\n - go test -v -race -parallel 5 -coverprofile=coverage.txt -covermode=atomic ./\n - go test github.com/fortytw2/leaktest -run ^TestEmptyLeak$\n\nbefore_install:\n - pip install --user codecov\nafter_success:\n - codecov\n" }, { "path": "vendor/github.com/fortytw2/leaktest/LICENSE", "content": "Copyright (c) 2012 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n" }, { "path": "vendor/github.com/fortytw2/leaktest/README.md", "content": "## Leaktest [![Build Status](https://travis-ci.org/fortytw2/leaktest.svg?branch=master)](https://travis-ci.org/fortytw2/leaktest) [![codecov](https://codecov.io/gh/fortytw2/leaktest/branch/master/graph/badge.svg)](https://codecov.io/gh/fortytw2/leaktest) [![Sourcegraph](https://sourcegraph.com/github.com/fortytw2/leaktest/-/badge.svg)](https://sourcegraph.com/github.com/fortytw2/leaktest?badge) [![Documentation](https://godoc.org/github.com/fortytw2/gpt?status.svg)](http://godoc.org/github.com/fortytw2/leaktest)\n\nRefactored, tested variant of the goroutine leak detector found in both\n`net/http` tests and the `cockroachdb` source tree.\n\nTakes a snapshot of running goroutines at the start of a test, and at the end -\ncompares the two and _voila_. Ignores runtime/sys goroutines. Doesn't play nice\nwith `t.Parallel()` right now, but there are plans to do so.\n\n### Installation\n\nGo 1.7+\n\n```\ngo get -u github.com/fortytw2/leaktest\n```\n\nGo 1.5/1.6 need to use the tag `v1.0.0`, as newer versions depend on\n`context.Context`.\n\n### Example\n\nThese tests fail, because they leak a goroutine\n\n```go\n// Default \"Check\" will poll for 5 seconds to check that all\n// goroutines are cleaned up\nfunc TestPool(t *testing.T) {\n defer leaktest.Check(t)()\n\n go func() {\n for {\n time.Sleep(time.Second)\n }\n }()\n}\n\n// Helper function to timeout after X duration\nfunc TestPoolTimeout(t *testing.T) {\n defer leaktest.CheckTimeout(t, time.Second)()\n\n go func() {\n for {\n time.Sleep(time.Second)\n }\n }()\n}\n\n// Use Go 1.7+ context.Context for cancellation\nfunc TestPoolContext(t *testing.T) {\n ctx, _ := context.WithTimeout(context.Background(), time.Second)\n defer leaktest.CheckContext(ctx, t)()\n\n go func() {\n for {\n time.Sleep(time.Second)\n }\n }()\n}\n```\n\n## LICENSE\n\nSame BSD-style as Go, see LICENSE\n" }, { "path": "vendor/github.com/fortytw2/leaktest/leaktest.go", "content": "// Copyright 2013 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// Package leaktest provides tools to detect leaked goroutines in tests.\n// To use it, call \"defer leaktest.Check(t)()\" at the beginning of each\n// test that may use goroutines.\n// copied out of the cockroachdb source tree with slight modifications to be\n// more re-useable\npackage leaktest\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"runtime\"\n\t\"sort\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n)\n\ntype goroutine struct {\n\tid uint64\n\tstack string\n}\n\ntype goroutineByID []*goroutine\n\nfunc (g goroutineByID) Len() int { return len(g) }\nfunc (g goroutineByID) Less(i, j int) bool { return g[i].id < g[j].id }\nfunc (g goroutineByID) Swap(i, j int) { g[i], g[j] = g[j], g[i] }\n\nfunc interestingGoroutine(g string) (*goroutine, error) {\n\tsl := strings.SplitN(g, \"\\n\", 2)\n\tif len(sl) != 2 {\n\t\treturn nil, fmt.Errorf(\"error parsing stack: %q\", g)\n\t}\n\tstack := strings.TrimSpace(sl[1])\n\tif strings.HasPrefix(stack, \"testing.RunTests\") {\n\t\treturn nil, nil\n\t}\n\n\tif stack == \"\" ||\n\t\t// Ignore HTTP keep alives\n\t\tstrings.Contains(stack, \").readLoop(\") ||\n\t\tstrings.Contains(stack, \").writeLoop(\") ||\n\t\t// Below are the stacks ignored by the upstream leaktest code.\n\t\tstrings.Contains(stack, \"testing.Main(\") ||\n\t\tstrings.Contains(stack, \"testing.(*T).Run(\") ||\n\t\tstrings.Contains(stack, \"runtime.goexit\") ||\n\t\tstrings.Contains(stack, \"created by runtime.gc\") ||\n\t\tstrings.Contains(stack, \"interestingGoroutines\") ||\n\t\tstrings.Contains(stack, \"runtime.MHeap_Scavenger\") ||\n\t\tstrings.Contains(stack, \"signal.signal_recv\") ||\n\t\tstrings.Contains(stack, \"sigterm.handler\") ||\n\t\tstrings.Contains(stack, \"runtime_mcall\") ||\n\t\tstrings.Contains(stack, \"goroutine in C code\") {\n\t\treturn nil, nil\n\t}\n\n\t// Parse the goroutine's ID from the header line.\n\th := strings.SplitN(sl[0], \" \", 3)\n\tif len(h) < 3 {\n\t\treturn nil, fmt.Errorf(\"error parsing stack header: %q\", sl[0])\n\t}\n\tid, err := strconv.ParseUint(h[1], 10, 64)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error parsing goroutine id: %s\", err)\n\t}\n\n\treturn &goroutine{id: id, stack: strings.TrimSpace(g)}, nil\n}\n\n// interestingGoroutines returns all goroutines we care about for the purpose\n// of leak checking. It excludes testing or runtime ones.\nfunc interestingGoroutines(t ErrorReporter) []*goroutine {\n\tbuf := make([]byte, 2<<20)\n\tbuf = buf[:runtime.Stack(buf, true)]\n\tvar gs []*goroutine\n\tfor _, g := range strings.Split(string(buf), \"\\n\\n\") {\n\t\tgr, err := interestingGoroutine(g)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"leaktest: %s\", err)\n\t\t\tcontinue\n\t\t} else if gr == nil {\n\t\t\tcontinue\n\t\t}\n\t\tgs = append(gs, gr)\n\t}\n\tsort.Sort(goroutineByID(gs))\n\treturn gs\n}\n\n// ErrorReporter is a tiny subset of a testing.TB to make testing not such a\n// massive pain\ntype ErrorReporter interface {\n\tErrorf(format string, args ...interface{})\n}\n\n// Check snapshots the currently-running goroutines and returns a\n// function to be run at the end of tests to see whether any\n// goroutines leaked, waiting up to 5 seconds in error conditions\nfunc Check(t ErrorReporter) func() {\n\treturn CheckTimeout(t, 5*time.Second)\n}\n\n// CheckTimeout is the same as Check, but with a configurable timeout\nfunc CheckTimeout(t ErrorReporter, dur time.Duration) func() {\n\tctx, cancel := context.WithCancel(context.Background())\n\tfn := CheckContext(ctx, t)\n\treturn func() {\n\t\ttimer := time.AfterFunc(dur, cancel)\n\t\tfn()\n\t\t// Remember to clean up the timer and context\n\t\ttimer.Stop()\n\t\tcancel()\n\t}\n}\n\n// CheckContext is the same as Check, but uses a context.Context for\n// cancellation and timeout control\nfunc CheckContext(ctx context.Context, t ErrorReporter) func() {\n\torig := map[uint64]bool{}\n\tfor _, g := range interestingGoroutines(t) {\n\t\torig[g.id] = true\n\t}\n\treturn func() {\n\t\tvar leaked []string\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-ctx.Done():\n\t\t\t\tt.Errorf(\"leaktest: timed out checking goroutines\")\n\t\t\tdefault:\n\t\t\t\tleaked = make([]string, 0)\n\t\t\t\tfor _, g := range interestingGoroutines(t) {\n\t\t\t\t\tif !orig[g.id] {\n\t\t\t\t\t\tleaked = append(leaked, g.stack)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif len(leaked) == 0 {\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\t// don't spin needlessly\n\t\t\t\ttime.Sleep(time.Millisecond * 50)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tbreak\n\t\t}\n\t\tfor _, g := range leaked {\n\t\t\tt.Errorf(\"leaktest: leaked goroutine: %v\", g)\n\t\t}\n\t}\n}\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/.editorconfig", "content": "root = true\n\n[*.go]\nindent_style = tab\nindent_size = 4\ninsert_final_newline = true\n\n[*.{yml,yaml}]\nindent_style = space\nindent_size = 2\ninsert_final_newline = true\ntrim_trailing_whitespace = true\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/.gitattributes", "content": "go.sum linguist-generated\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/.gitignore", "content": "# Setup a Global .gitignore for OS and editor generated files:\n# https://help.github.com/articles/ignoring-files\n# git config --global core.excludesfile ~/.gitignore_global\n\n.vagrant\n*.sublime-project\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/.travis.yml", "content": "sudo: false\nlanguage: go\n\ngo:\n - \"stable\"\n - \"1.11.x\"\n - \"1.10.x\"\n - \"1.9.x\"\n\nmatrix:\n include:\n - go: \"stable\"\n env: GOLINT=true\n allow_failures:\n - go: tip\n fast_finish: true\n\n\nbefore_install:\n - if [ ! -z \"${GOLINT}\" ]; then go get -u golang.org/x/lint/golint; fi\n\nscript:\n - go test --race ./...\n\nafter_script:\n - test -z \"$(gofmt -s -l -w . | tee /dev/stderr)\"\n - if [ ! -z \"${GOLINT}\" ]; then echo running golint; golint --set_exit_status ./...; else echo skipping golint; fi\n - go vet ./...\n\nos:\n - linux\n - osx\n - windows\n\nnotifications:\n email: false\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/AUTHORS", "content": "# Names should be added to this file as\n#\tName or Organization \n# The email address is not required for organizations.\n\n# You can update this list using the following command:\n#\n# $ git shortlog -se | awk '{print $2 \" \" $3 \" \" $4}'\n\n# Please keep the list sorted.\n\nAaron L \nAdrien Bustany \nAmit Krishnan \nAnmol Sethi \nBjørn Erik Pedersen \nBruno Bigras \nCaleb Spare \nCase Nelson \nChris Howey \nChristoffer Buchholz \nDaniel Wagner-Hall \nDave Cheney \nEvan Phoenix \nFrancisco Souza \nHari haran \nJohn C Barstow\nKelvin Fo \nKen-ichirou MATSUZAWA \nMatt Layher \nNathan Youngman \nNickolai Zeldovich \nPatrick \nPaul Hammond \nPawel Knap \nPieter Droogendijk \nPursuit92 \nRiku Voipio \nRob Figueiredo \nRodrigo Chiossi \nSlawek Ligus \nSoge Zhang \nTiffany Jernigan \nTilak Sharma \nTom Payne \nTravis Cline \nTudor Golubenco \nVahe Khachikyan \nYukang \nbronze1man \ndebrando \nhenrikedwards \n铁哥 \n" }, { "path": "vendor/github.com/fsnotify/fsnotify/CHANGELOG.md", "content": "# Changelog\n\n## v1.4.7 / 2018-01-09\n\n* BSD/macOS: Fix possible deadlock on closing the watcher on kqueue (thanks @nhooyr and @glycerine)\n* Tests: Fix missing verb on format string (thanks @rchiossi)\n* Linux: Fix deadlock in Remove (thanks @aarondl)\n* Linux: Watch.Add improvements (avoid race, fix consistency, reduce garbage) (thanks @twpayne)\n* Docs: Moved FAQ into the README (thanks @vahe)\n* Linux: Properly handle inotify's IN_Q_OVERFLOW event (thanks @zeldovich)\n* Docs: replace references to OS X with macOS\n\n## v1.4.2 / 2016-10-10\n\n* Linux: use InotifyInit1 with IN_CLOEXEC to stop leaking a file descriptor to a child process when using fork/exec [#178](https://github.com/fsnotify/fsnotify/pull/178) (thanks @pattyshack)\n\n## v1.4.1 / 2016-10-04\n\n* Fix flaky inotify stress test on Linux [#177](https://github.com/fsnotify/fsnotify/pull/177) (thanks @pattyshack)\n\n## v1.4.0 / 2016-10-01\n\n* add a String() method to Event.Op [#165](https://github.com/fsnotify/fsnotify/pull/165) (thanks @oozie)\n\n## v1.3.1 / 2016-06-28\n\n* Windows: fix for double backslash when watching the root of a drive [#151](https://github.com/fsnotify/fsnotify/issues/151) (thanks @brunoqc)\n\n## v1.3.0 / 2016-04-19\n\n* Support linux/arm64 by [patching](https://go-review.googlesource.com/#/c/21971/) x/sys/unix and switching to to it from syscall (thanks @suihkulokki) [#135](https://github.com/fsnotify/fsnotify/pull/135)\n\n## v1.2.10 / 2016-03-02\n\n* Fix golint errors in windows.go [#121](https://github.com/fsnotify/fsnotify/pull/121) (thanks @tiffanyfj)\n\n## v1.2.9 / 2016-01-13\n\nkqueue: Fix logic for CREATE after REMOVE [#111](https://github.com/fsnotify/fsnotify/pull/111) (thanks @bep)\n\n## v1.2.8 / 2015-12-17\n\n* kqueue: fix race condition in Close [#105](https://github.com/fsnotify/fsnotify/pull/105) (thanks @djui for reporting the issue and @ppknap for writing a failing test)\n* inotify: fix race in test\n* enable race detection for continuous integration (Linux, Mac, Windows)\n\n## v1.2.5 / 2015-10-17\n\n* inotify: use epoll_create1 for arm64 support (requires Linux 2.6.27 or later) [#100](https://github.com/fsnotify/fsnotify/pull/100) (thanks @suihkulokki)\n* inotify: fix path leaks [#73](https://github.com/fsnotify/fsnotify/pull/73) (thanks @chamaken)\n* kqueue: watch for rename events on subdirectories [#83](https://github.com/fsnotify/fsnotify/pull/83) (thanks @guotie)\n* kqueue: avoid infinite loops from symlinks cycles [#101](https://github.com/fsnotify/fsnotify/pull/101) (thanks @illicitonion)\n\n## v1.2.1 / 2015-10-14\n\n* kqueue: don't watch named pipes [#98](https://github.com/fsnotify/fsnotify/pull/98) (thanks @evanphx)\n\n## v1.2.0 / 2015-02-08\n\n* inotify: use epoll to wake up readEvents [#66](https://github.com/fsnotify/fsnotify/pull/66) (thanks @PieterD)\n* inotify: closing watcher should now always shut down goroutine [#63](https://github.com/fsnotify/fsnotify/pull/63) (thanks @PieterD)\n* kqueue: close kqueue after removing watches, fixes [#59](https://github.com/fsnotify/fsnotify/issues/59)\n\n## v1.1.1 / 2015-02-05\n\n* inotify: Retry read on EINTR [#61](https://github.com/fsnotify/fsnotify/issues/61) (thanks @PieterD)\n\n## v1.1.0 / 2014-12-12\n\n* kqueue: rework internals [#43](https://github.com/fsnotify/fsnotify/pull/43)\n * add low-level functions\n * only need to store flags on directories\n * less mutexes [#13](https://github.com/fsnotify/fsnotify/issues/13)\n * done can be an unbuffered channel\n * remove calls to os.NewSyscallError\n* More efficient string concatenation for Event.String() [#52](https://github.com/fsnotify/fsnotify/pull/52) (thanks @mdlayher)\n* kqueue: fix regression in rework causing subdirectories to be watched [#48](https://github.com/fsnotify/fsnotify/issues/48)\n* kqueue: cleanup internal watch before sending remove event [#51](https://github.com/fsnotify/fsnotify/issues/51)\n\n## v1.0.4 / 2014-09-07\n\n* kqueue: add dragonfly to the build tags.\n* Rename source code files, rearrange code so exported APIs are at the top.\n* Add done channel to example code. [#37](https://github.com/fsnotify/fsnotify/pull/37) (thanks @chenyukang)\n\n## v1.0.3 / 2014-08-19\n\n* [Fix] Windows MOVED_TO now translates to Create like on BSD and Linux. [#36](https://github.com/fsnotify/fsnotify/issues/36)\n\n## v1.0.2 / 2014-08-17\n\n* [Fix] Missing create events on macOS. [#14](https://github.com/fsnotify/fsnotify/issues/14) (thanks @zhsso)\n* [Fix] Make ./path and path equivalent. (thanks @zhsso)\n\n## v1.0.0 / 2014-08-15\n\n* [API] Remove AddWatch on Windows, use Add.\n* Improve documentation for exported identifiers. [#30](https://github.com/fsnotify/fsnotify/issues/30)\n* Minor updates based on feedback from golint.\n\n## dev / 2014-07-09\n\n* Moved to [github.com/fsnotify/fsnotify](https://github.com/fsnotify/fsnotify).\n* Use os.NewSyscallError instead of returning errno (thanks @hariharan-uno)\n\n## dev / 2014-07-04\n\n* kqueue: fix incorrect mutex used in Close()\n* Update example to demonstrate usage of Op.\n\n## dev / 2014-06-28\n\n* [API] Don't set the Write Op for attribute notifications [#4](https://github.com/fsnotify/fsnotify/issues/4)\n* Fix for String() method on Event (thanks Alex Brainman)\n* Don't build on Plan 9 or Solaris (thanks @4ad)\n\n## dev / 2014-06-21\n\n* Events channel of type Event rather than *Event.\n* [internal] use syscall constants directly for inotify and kqueue.\n* [internal] kqueue: rename events to kevents and fileEvent to event.\n\n## dev / 2014-06-19\n\n* Go 1.3+ required on Windows (uses syscall.ERROR_MORE_DATA internally).\n* [internal] remove cookie from Event struct (unused).\n* [internal] Event struct has the same definition across every OS.\n* [internal] remove internal watch and removeWatch methods.\n\n## dev / 2014-06-12\n\n* [API] Renamed Watch() to Add() and RemoveWatch() to Remove().\n* [API] Pluralized channel names: Events and Errors.\n* [API] Renamed FileEvent struct to Event.\n* [API] Op constants replace methods like IsCreate().\n\n## dev / 2014-06-12\n\n* Fix data race on kevent buffer (thanks @tilaks) [#98](https://github.com/howeyc/fsnotify/pull/98)\n\n## dev / 2014-05-23\n\n* [API] Remove current implementation of WatchFlags.\n * current implementation doesn't take advantage of OS for efficiency\n * provides little benefit over filtering events as they are received, but has extra bookkeeping and mutexes\n * no tests for the current implementation\n * not fully implemented on Windows [#93](https://github.com/howeyc/fsnotify/issues/93#issuecomment-39285195)\n\n## v0.9.3 / 2014-12-31\n\n* kqueue: cleanup internal watch before sending remove event [#51](https://github.com/fsnotify/fsnotify/issues/51)\n\n## v0.9.2 / 2014-08-17\n\n* [Backport] Fix missing create events on macOS. [#14](https://github.com/fsnotify/fsnotify/issues/14) (thanks @zhsso)\n\n## v0.9.1 / 2014-06-12\n\n* Fix data race on kevent buffer (thanks @tilaks) [#98](https://github.com/howeyc/fsnotify/pull/98)\n\n## v0.9.0 / 2014-01-17\n\n* IsAttrib() for events that only concern a file's metadata [#79][] (thanks @abustany)\n* [Fix] kqueue: fix deadlock [#77][] (thanks @cespare)\n* [NOTICE] Development has moved to `code.google.com/p/go.exp/fsnotify` in preparation for inclusion in the Go standard library.\n\n## v0.8.12 / 2013-11-13\n\n* [API] Remove FD_SET and friends from Linux adapter\n\n## v0.8.11 / 2013-11-02\n\n* [Doc] Add Changelog [#72][] (thanks @nathany)\n* [Doc] Spotlight and double modify events on macOS [#62][] (reported by @paulhammond)\n\n## v0.8.10 / 2013-10-19\n\n* [Fix] kqueue: remove file watches when parent directory is removed [#71][] (reported by @mdwhatcott)\n* [Fix] kqueue: race between Close and readEvents [#70][] (reported by @bernerdschaefer)\n* [Doc] specify OS-specific limits in README (thanks @debrando)\n\n## v0.8.9 / 2013-09-08\n\n* [Doc] Contributing (thanks @nathany)\n* [Doc] update package path in example code [#63][] (thanks @paulhammond)\n* [Doc] GoCI badge in README (Linux only) [#60][]\n* [Doc] Cross-platform testing with Vagrant [#59][] (thanks @nathany)\n\n## v0.8.8 / 2013-06-17\n\n* [Fix] Windows: handle `ERROR_MORE_DATA` on Windows [#49][] (thanks @jbowtie)\n\n## v0.8.7 / 2013-06-03\n\n* [API] Make syscall flags internal\n* [Fix] inotify: ignore event changes\n* [Fix] race in symlink test [#45][] (reported by @srid)\n* [Fix] tests on Windows\n* lower case error messages\n\n## v0.8.6 / 2013-05-23\n\n* kqueue: Use EVT_ONLY flag on Darwin\n* [Doc] Update README with full example\n\n## v0.8.5 / 2013-05-09\n\n* [Fix] inotify: allow monitoring of \"broken\" symlinks (thanks @tsg)\n\n## v0.8.4 / 2013-04-07\n\n* [Fix] kqueue: watch all file events [#40][] (thanks @ChrisBuchholz)\n\n## v0.8.3 / 2013-03-13\n\n* [Fix] inoitfy/kqueue memory leak [#36][] (reported by @nbkolchin)\n* [Fix] kqueue: use fsnFlags for watching a directory [#33][] (reported by @nbkolchin)\n\n## v0.8.2 / 2013-02-07\n\n* [Doc] add Authors\n* [Fix] fix data races for map access [#29][] (thanks @fsouza)\n\n## v0.8.1 / 2013-01-09\n\n* [Fix] Windows path separators\n* [Doc] BSD License\n\n## v0.8.0 / 2012-11-09\n\n* kqueue: directory watching improvements (thanks @vmirage)\n* inotify: add `IN_MOVED_TO` [#25][] (requested by @cpisto)\n* [Fix] kqueue: deleting watched directory [#24][] (reported by @jakerr)\n\n## v0.7.4 / 2012-10-09\n\n* [Fix] inotify: fixes from https://codereview.appspot.com/5418045/ (ugorji)\n* [Fix] kqueue: preserve watch flags when watching for delete [#21][] (reported by @robfig)\n* [Fix] kqueue: watch the directory even if it isn't a new watch (thanks @robfig)\n* [Fix] kqueue: modify after recreation of file\n\n## v0.7.3 / 2012-09-27\n\n* [Fix] kqueue: watch with an existing folder inside the watched folder (thanks @vmirage)\n* [Fix] kqueue: no longer get duplicate CREATE events\n\n## v0.7.2 / 2012-09-01\n\n* kqueue: events for created directories\n\n## v0.7.1 / 2012-07-14\n\n* [Fix] for renaming files\n\n## v0.7.0 / 2012-07-02\n\n* [Feature] FSNotify flags\n* [Fix] inotify: Added file name back to event path\n\n## v0.6.0 / 2012-06-06\n\n* kqueue: watch files after directory created (thanks @tmc)\n\n## v0.5.1 / 2012-05-22\n\n* [Fix] inotify: remove all watches before Close()\n\n## v0.5.0 / 2012-05-03\n\n* [API] kqueue: return errors during watch instead of sending over channel\n* kqueue: match symlink behavior on Linux\n* inotify: add `DELETE_SELF` (requested by @taralx)\n* [Fix] kqueue: handle EINTR (reported by @robfig)\n* [Doc] Godoc example [#1][] (thanks @davecheney)\n\n## v0.4.0 / 2012-03-30\n\n* Go 1 released: build with go tool\n* [Feature] Windows support using winfsnotify\n* Windows does not have attribute change notifications\n* Roll attribute notifications into IsModify\n\n## v0.3.0 / 2012-02-19\n\n* kqueue: add files when watch directory\n\n## v0.2.0 / 2011-12-30\n\n* update to latest Go weekly code\n\n## v0.1.0 / 2011-10-19\n\n* kqueue: add watch on file creation to match inotify\n* kqueue: create file event\n* inotify: ignore `IN_IGNORED` events\n* event String()\n* linux: common FileEvent functions\n* initial commit\n\n[#79]: https://github.com/howeyc/fsnotify/pull/79\n[#77]: https://github.com/howeyc/fsnotify/pull/77\n[#72]: https://github.com/howeyc/fsnotify/issues/72\n[#71]: https://github.com/howeyc/fsnotify/issues/71\n[#70]: https://github.com/howeyc/fsnotify/issues/70\n[#63]: https://github.com/howeyc/fsnotify/issues/63\n[#62]: https://github.com/howeyc/fsnotify/issues/62\n[#60]: https://github.com/howeyc/fsnotify/issues/60\n[#59]: https://github.com/howeyc/fsnotify/issues/59\n[#49]: https://github.com/howeyc/fsnotify/issues/49\n[#45]: https://github.com/howeyc/fsnotify/issues/45\n[#40]: https://github.com/howeyc/fsnotify/issues/40\n[#36]: https://github.com/howeyc/fsnotify/issues/36\n[#33]: https://github.com/howeyc/fsnotify/issues/33\n[#29]: https://github.com/howeyc/fsnotify/issues/29\n[#25]: https://github.com/howeyc/fsnotify/issues/25\n[#24]: https://github.com/howeyc/fsnotify/issues/24\n[#21]: https://github.com/howeyc/fsnotify/issues/21\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md", "content": "# Contributing\n\n## Issues\n\n* Request features and report bugs using the [GitHub Issue Tracker](https://github.com/fsnotify/fsnotify/issues).\n* Please indicate the platform you are using fsnotify on.\n* A code example to reproduce the problem is appreciated.\n\n## Pull Requests\n\n### Contributor License Agreement\n\nfsnotify is derived from code in the [golang.org/x/exp](https://godoc.org/golang.org/x/exp) package and it may be included [in the standard library](https://github.com/fsnotify/fsnotify/issues/1) in the future. Therefore fsnotify carries the same [LICENSE](https://github.com/fsnotify/fsnotify/blob/master/LICENSE) as Go. Contributors retain their copyright, so you need to fill out a short form before we can accept your contribution: [Google Individual Contributor License Agreement](https://developers.google.com/open-source/cla/individual).\n\nPlease indicate that you have signed the CLA in your pull request.\n\n### How fsnotify is Developed\n\n* Development is done on feature branches.\n* Tests are run on BSD, Linux, macOS and Windows.\n* Pull requests are reviewed and [applied to master][am] using [hub][].\n * Maintainers may modify or squash commits rather than asking contributors to.\n* To issue a new release, the maintainers will:\n * Update the CHANGELOG\n * Tag a version, which will become available through gopkg.in.\n \n### How to Fork\n\nFor smooth sailing, always use the original import path. Installing with `go get` makes this easy. \n\n1. Install from GitHub (`go get -u github.com/fsnotify/fsnotify`)\n2. Create your feature branch (`git checkout -b my-new-feature`)\n3. Ensure everything works and the tests pass (see below)\n4. Commit your changes (`git commit -am 'Add some feature'`)\n\nContribute upstream:\n\n1. Fork fsnotify on GitHub\n2. Add your remote (`git remote add fork git@github.com:mycompany/repo.git`)\n3. Push to the branch (`git push fork my-new-feature`)\n4. Create a new Pull Request on GitHub\n\nThis workflow is [thoroughly explained by Katrina Owen](https://splice.com/blog/contributing-open-source-git-repositories-go/).\n\n### Testing\n\nfsnotify uses build tags to compile different code on Linux, BSD, macOS, and Windows.\n\nBefore doing a pull request, please do your best to test your changes on multiple platforms, and list which platforms you were able/unable to test on.\n\nTo aid in cross-platform testing there is a Vagrantfile for Linux and BSD.\n\n* Install [Vagrant](http://www.vagrantup.com/) and [VirtualBox](https://www.virtualbox.org/)\n* Setup [Vagrant Gopher](https://github.com/nathany/vagrant-gopher) in your `src` folder.\n* Run `vagrant up` from the project folder. You can also setup just one box with `vagrant up linux` or `vagrant up bsd` (note: the BSD box doesn't support Windows hosts at this time, and NFS may prompt for your host OS password)\n* Once setup, you can run the test suite on a given OS with a single command `vagrant ssh linux -c 'cd fsnotify/fsnotify; go test'`.\n* When you're done, you will want to halt or destroy the Vagrant boxes.\n\nNotice: fsnotify file system events won't trigger in shared folders. The tests get around this limitation by using the /tmp directory.\n\nRight now there is no equivalent solution for Windows and macOS, but there are Windows VMs [freely available from Microsoft](http://www.modern.ie/en-us/virtualization-tools#downloads).\n\n### Maintainers\n\nHelp maintaining fsnotify is welcome. To be a maintainer:\n\n* Submit a pull request and sign the CLA as above.\n* You must be able to run the test suite on Mac, Windows, Linux and BSD.\n\nTo keep master clean, the fsnotify project uses the \"apply mail\" workflow outlined in Nathaniel Talbott's post [\"Merge pull request\" Considered Harmful][am]. This requires installing [hub][].\n\nAll code changes should be internal pull requests.\n\nReleases are tagged using [Semantic Versioning](http://semver.org/).\n\n[hub]: https://github.com/github/hub\n[am]: http://blog.spreedly.com/2014/06/24/merge-pull-request-considered-harmful/#.VGa5yZPF_Zs\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/LICENSE", "content": "Copyright (c) 2012 The Go Authors. All rights reserved.\nCopyright (c) 2012-2019 fsnotify Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/README.md", "content": "# File system notifications for Go\n\n[![GoDoc](https://godoc.org/github.com/fsnotify/fsnotify?status.svg)](https://godoc.org/github.com/fsnotify/fsnotify) [![Go Report Card](https://goreportcard.com/badge/github.com/fsnotify/fsnotify)](https://goreportcard.com/report/github.com/fsnotify/fsnotify)\n\nfsnotify utilizes [golang.org/x/sys](https://godoc.org/golang.org/x/sys) rather than `syscall` from the standard library. Ensure you have the latest version installed by running:\n\n```console\ngo get -u golang.org/x/sys/...\n```\n\nCross platform: Windows, Linux, BSD and macOS.\n\n| Adapter | OS | Status |\n| --------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |\n| inotify | Linux 2.6.27 or later, Android\\* | Supported [![Build Status](https://travis-ci.org/fsnotify/fsnotify.svg?branch=master)](https://travis-ci.org/fsnotify/fsnotify) |\n| kqueue | BSD, macOS, iOS\\* | Supported [![Build Status](https://travis-ci.org/fsnotify/fsnotify.svg?branch=master)](https://travis-ci.org/fsnotify/fsnotify) |\n| ReadDirectoryChangesW | Windows | Supported [![Build Status](https://travis-ci.org/fsnotify/fsnotify.svg?branch=master)](https://travis-ci.org/fsnotify/fsnotify) |\n| FSEvents | macOS | [Planned](https://github.com/fsnotify/fsnotify/issues/11) |\n| FEN | Solaris 11 | [In Progress](https://github.com/fsnotify/fsnotify/issues/12) |\n| fanotify | Linux 2.6.37+ | [Planned](https://github.com/fsnotify/fsnotify/issues/114) |\n| USN Journals | Windows | [Maybe](https://github.com/fsnotify/fsnotify/issues/53) |\n| Polling | *All* | [Maybe](https://github.com/fsnotify/fsnotify/issues/9) |\n\n\\* Android and iOS are untested.\n\nPlease see [the documentation](https://godoc.org/github.com/fsnotify/fsnotify) and consult the [FAQ](#faq) for usage information.\n\n## API stability\n\nfsnotify is a fork of [howeyc/fsnotify](https://godoc.org/github.com/howeyc/fsnotify) with a new API as of v1.0. The API is based on [this design document](http://goo.gl/MrYxyA). \n\nAll [releases](https://github.com/fsnotify/fsnotify/releases) are tagged based on [Semantic Versioning](http://semver.org/). Further API changes are [planned](https://github.com/fsnotify/fsnotify/milestones), and will be tagged with a new major revision number.\n\nGo 1.6 supports dependencies located in the `vendor/` folder. Unless you are creating a library, it is recommended that you copy fsnotify into `vendor/github.com/fsnotify/fsnotify` within your project, and likewise for `golang.org/x/sys`.\n\n## Usage\n\n```go\npackage main\n\nimport (\n\t\"log\"\n\n\t\"github.com/fsnotify/fsnotify\"\n)\n\nfunc main() {\n\twatcher, err := fsnotify.NewWatcher()\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\tdefer watcher.Close()\n\n\tdone := make(chan bool)\n\tgo func() {\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase event, ok := <-watcher.Events:\n\t\t\t\tif !ok {\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tlog.Println(\"event:\", event)\n\t\t\t\tif event.Op&fsnotify.Write == fsnotify.Write {\n\t\t\t\t\tlog.Println(\"modified file:\", event.Name)\n\t\t\t\t}\n\t\t\tcase err, ok := <-watcher.Errors:\n\t\t\t\tif !ok {\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tlog.Println(\"error:\", err)\n\t\t\t}\n\t\t}\n\t}()\n\n\terr = watcher.Add(\"/tmp/foo\")\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\t<-done\n}\n```\n\n## Contributing\n\nPlease refer to [CONTRIBUTING][] before opening an issue or pull request.\n\n## Example\n\nSee [example_test.go](https://github.com/fsnotify/fsnotify/blob/master/example_test.go).\n\n## FAQ\n\n**When a file is moved to another directory is it still being watched?**\n\nNo (it shouldn't be, unless you are watching where it was moved to).\n\n**When I watch a directory, are all subdirectories watched as well?**\n\nNo, you must add watches for any directory you want to watch (a recursive watcher is on the roadmap [#18][]).\n\n**Do I have to watch the Error and Event channels in a separate goroutine?**\n\nAs of now, yes. Looking into making this single-thread friendly (see [howeyc #7][#7])\n\n**Why am I receiving multiple events for the same file on OS X?**\n\nSpotlight indexing on OS X can result in multiple events (see [howeyc #62][#62]). A temporary workaround is to add your folder(s) to the *Spotlight Privacy settings* until we have a native FSEvents implementation (see [#11][]).\n\n**How many files can be watched at once?**\n\nThere are OS-specific limits as to how many watches can be created:\n* Linux: /proc/sys/fs/inotify/max_user_watches contains the limit, reaching this limit results in a \"no space left on device\" error.\n* BSD / OSX: sysctl variables \"kern.maxfiles\" and \"kern.maxfilesperproc\", reaching these limits results in a \"too many open files\" error.\n\n**Why don't notifications work with NFS filesystems or filesystem in userspace (FUSE)?**\n\nfsnotify requires support from underlying OS to work. The current NFS protocol does not provide network level support for file notifications.\n\n[#62]: https://github.com/howeyc/fsnotify/issues/62\n[#18]: https://github.com/fsnotify/fsnotify/issues/18\n[#11]: https://github.com/fsnotify/fsnotify/issues/11\n[#7]: https://github.com/howeyc/fsnotify/issues/7\n\n[contributing]: https://github.com/fsnotify/fsnotify/blob/master/CONTRIBUTING.md\n\n## Related Projects\n\n* [notify](https://github.com/rjeczalik/notify)\n* [fsevents](https://github.com/fsnotify/fsevents)\n\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/fen.go", "content": "// Copyright 2010 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// +build solaris\n\npackage fsnotify\n\nimport (\n\t\"errors\"\n)\n\n// Watcher watches a set of files, delivering events to a channel.\ntype Watcher struct {\n\tEvents chan Event\n\tErrors chan error\n}\n\n// NewWatcher establishes a new watcher with the underlying OS and begins waiting for events.\nfunc NewWatcher() (*Watcher, error) {\n\treturn nil, errors.New(\"FEN based watcher not yet supported for fsnotify\\n\")\n}\n\n// Close removes all watches and closes the events channel.\nfunc (w *Watcher) Close() error {\n\treturn nil\n}\n\n// Add starts watching the named file or directory (non-recursively).\nfunc (w *Watcher) Add(name string) error {\n\treturn nil\n}\n\n// Remove stops watching the the named file or directory (non-recursively).\nfunc (w *Watcher) Remove(name string) error {\n\treturn nil\n}\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/fsnotify.go", "content": "// Copyright 2012 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// +build !plan9\n\n// Package fsnotify provides a platform-independent interface for file system notifications.\npackage fsnotify\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n)\n\n// Event represents a single file system notification.\ntype Event struct {\n\tName string // Relative path to the file or directory.\n\tOp Op // File operation that triggered the event.\n}\n\n// Op describes a set of file operations.\ntype Op uint32\n\n// These are the generalized file operations that can trigger a notification.\nconst (\n\tCreate Op = 1 << iota\n\tWrite\n\tRemove\n\tRename\n\tChmod\n)\n\nfunc (op Op) String() string {\n\t// Use a buffer for efficient string concatenation\n\tvar buffer bytes.Buffer\n\n\tif op&Create == Create {\n\t\tbuffer.WriteString(\"|CREATE\")\n\t}\n\tif op&Remove == Remove {\n\t\tbuffer.WriteString(\"|REMOVE\")\n\t}\n\tif op&Write == Write {\n\t\tbuffer.WriteString(\"|WRITE\")\n\t}\n\tif op&Rename == Rename {\n\t\tbuffer.WriteString(\"|RENAME\")\n\t}\n\tif op&Chmod == Chmod {\n\t\tbuffer.WriteString(\"|CHMOD\")\n\t}\n\tif buffer.Len() == 0 {\n\t\treturn \"\"\n\t}\n\treturn buffer.String()[1:] // Strip leading pipe\n}\n\n// String returns a string representation of the event in the form\n// \"file: REMOVE|WRITE|...\"\nfunc (e Event) String() string {\n\treturn fmt.Sprintf(\"%q: %s\", e.Name, e.Op.String())\n}\n\n// Common errors that can be reported by a watcher\nvar (\n\tErrEventOverflow = errors.New(\"fsnotify queue overflow\")\n)\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/inotify.go", "content": "// Copyright 2010 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// +build linux\n\npackage fsnotify\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"sync\"\n\t\"unsafe\"\n\n\t\"golang.org/x/sys/unix\"\n)\n\n// Watcher watches a set of files, delivering events to a channel.\ntype Watcher struct {\n\tEvents chan Event\n\tErrors chan error\n\tmu sync.Mutex // Map access\n\tfd int\n\tpoller *fdPoller\n\twatches map[string]*watch // Map of inotify watches (key: path)\n\tpaths map[int]string // Map of watched paths (key: watch descriptor)\n\tdone chan struct{} // Channel for sending a \"quit message\" to the reader goroutine\n\tdoneResp chan struct{} // Channel to respond to Close\n}\n\n// NewWatcher establishes a new watcher with the underlying OS and begins waiting for events.\nfunc NewWatcher() (*Watcher, error) {\n\t// Create inotify fd\n\tfd, errno := unix.InotifyInit1(unix.IN_CLOEXEC)\n\tif fd == -1 {\n\t\treturn nil, errno\n\t}\n\t// Create epoll\n\tpoller, err := newFdPoller(fd)\n\tif err != nil {\n\t\tunix.Close(fd)\n\t\treturn nil, err\n\t}\n\tw := &Watcher{\n\t\tfd: fd,\n\t\tpoller: poller,\n\t\twatches: make(map[string]*watch),\n\t\tpaths: make(map[int]string),\n\t\tEvents: make(chan Event),\n\t\tErrors: make(chan error),\n\t\tdone: make(chan struct{}),\n\t\tdoneResp: make(chan struct{}),\n\t}\n\n\tgo w.readEvents()\n\treturn w, nil\n}\n\nfunc (w *Watcher) isClosed() bool {\n\tselect {\n\tcase <-w.done:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\n// Close removes all watches and closes the events channel.\nfunc (w *Watcher) Close() error {\n\tif w.isClosed() {\n\t\treturn nil\n\t}\n\n\t// Send 'close' signal to goroutine, and set the Watcher to closed.\n\tclose(w.done)\n\n\t// Wake up goroutine\n\tw.poller.wake()\n\n\t// Wait for goroutine to close\n\t<-w.doneResp\n\n\treturn nil\n}\n\n// Add starts watching the named file or directory (non-recursively).\nfunc (w *Watcher) Add(name string) error {\n\tname = filepath.Clean(name)\n\tif w.isClosed() {\n\t\treturn errors.New(\"inotify instance already closed\")\n\t}\n\n\tconst agnosticEvents = unix.IN_MOVED_TO | unix.IN_MOVED_FROM |\n\t\tunix.IN_CREATE | unix.IN_ATTRIB | unix.IN_MODIFY |\n\t\tunix.IN_MOVE_SELF | unix.IN_DELETE | unix.IN_DELETE_SELF\n\n\tvar flags uint32 = agnosticEvents\n\n\tw.mu.Lock()\n\tdefer w.mu.Unlock()\n\twatchEntry := w.watches[name]\n\tif watchEntry != nil {\n\t\tflags |= watchEntry.flags | unix.IN_MASK_ADD\n\t}\n\twd, errno := unix.InotifyAddWatch(w.fd, name, flags)\n\tif wd == -1 {\n\t\treturn errno\n\t}\n\n\tif watchEntry == nil {\n\t\tw.watches[name] = &watch{wd: uint32(wd), flags: flags}\n\t\tw.paths[wd] = name\n\t} else {\n\t\twatchEntry.wd = uint32(wd)\n\t\twatchEntry.flags = flags\n\t}\n\n\treturn nil\n}\n\n// Remove stops watching the named file or directory (non-recursively).\nfunc (w *Watcher) Remove(name string) error {\n\tname = filepath.Clean(name)\n\n\t// Fetch the watch.\n\tw.mu.Lock()\n\tdefer w.mu.Unlock()\n\twatch, ok := w.watches[name]\n\n\t// Remove it from inotify.\n\tif !ok {\n\t\treturn fmt.Errorf(\"can't remove non-existent inotify watch for: %s\", name)\n\t}\n\n\t// We successfully removed the watch if InotifyRmWatch doesn't return an\n\t// error, we need to clean up our internal state to ensure it matches\n\t// inotify's kernel state.\n\tdelete(w.paths, int(watch.wd))\n\tdelete(w.watches, name)\n\n\t// inotify_rm_watch will return EINVAL if the file has been deleted;\n\t// the inotify will already have been removed.\n\t// watches and pathes are deleted in ignoreLinux() implicitly and asynchronously\n\t// by calling inotify_rm_watch() below. e.g. readEvents() goroutine receives IN_IGNORE\n\t// so that EINVAL means that the wd is being rm_watch()ed or its file removed\n\t// by another thread and we have not received IN_IGNORE event.\n\tsuccess, errno := unix.InotifyRmWatch(w.fd, watch.wd)\n\tif success == -1 {\n\t\t// TODO: Perhaps it's not helpful to return an error here in every case.\n\t\t// the only two possible errors are:\n\t\t// EBADF, which happens when w.fd is not a valid file descriptor of any kind.\n\t\t// EINVAL, which is when fd is not an inotify descriptor or wd is not a valid watch descriptor.\n\t\t// Watch descriptors are invalidated when they are removed explicitly or implicitly;\n\t\t// explicitly by inotify_rm_watch, implicitly when the file they are watching is deleted.\n\t\treturn errno\n\t}\n\n\treturn nil\n}\n\ntype watch struct {\n\twd uint32 // Watch descriptor (as returned by the inotify_add_watch() syscall)\n\tflags uint32 // inotify flags of this watch (see inotify(7) for the list of valid flags)\n}\n\n// readEvents reads from the inotify file descriptor, converts the\n// received events into Event objects and sends them via the Events channel\nfunc (w *Watcher) readEvents() {\n\tvar (\n\t\tbuf [unix.SizeofInotifyEvent * 4096]byte // Buffer for a maximum of 4096 raw events\n\t\tn int // Number of bytes read with read()\n\t\terrno error // Syscall errno\n\t\tok bool // For poller.wait\n\t)\n\n\tdefer close(w.doneResp)\n\tdefer close(w.Errors)\n\tdefer close(w.Events)\n\tdefer unix.Close(w.fd)\n\tdefer w.poller.close()\n\n\tfor {\n\t\t// See if we have been closed.\n\t\tif w.isClosed() {\n\t\t\treturn\n\t\t}\n\n\t\tok, errno = w.poller.wait()\n\t\tif errno != nil {\n\t\t\tselect {\n\t\t\tcase w.Errors <- errno:\n\t\t\tcase <-w.done:\n\t\t\t\treturn\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\n\t\tif !ok {\n\t\t\tcontinue\n\t\t}\n\n\t\tn, errno = unix.Read(w.fd, buf[:])\n\t\t// If a signal interrupted execution, see if we've been asked to close, and try again.\n\t\t// http://man7.org/linux/man-pages/man7/signal.7.html :\n\t\t// \"Before Linux 3.8, reads from an inotify(7) file descriptor were not restartable\"\n\t\tif errno == unix.EINTR {\n\t\t\tcontinue\n\t\t}\n\n\t\t// unix.Read might have been woken up by Close. If so, we're done.\n\t\tif w.isClosed() {\n\t\t\treturn\n\t\t}\n\n\t\tif n < unix.SizeofInotifyEvent {\n\t\t\tvar err error\n\t\t\tif n == 0 {\n\t\t\t\t// If EOF is received. This should really never happen.\n\t\t\t\terr = io.EOF\n\t\t\t} else if n < 0 {\n\t\t\t\t// If an error occurred while reading.\n\t\t\t\terr = errno\n\t\t\t} else {\n\t\t\t\t// Read was too short.\n\t\t\t\terr = errors.New(\"notify: short read in readEvents()\")\n\t\t\t}\n\t\t\tselect {\n\t\t\tcase w.Errors <- err:\n\t\t\tcase <-w.done:\n\t\t\t\treturn\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\n\t\tvar offset uint32\n\t\t// We don't know how many events we just read into the buffer\n\t\t// While the offset points to at least one whole event...\n\t\tfor offset <= uint32(n-unix.SizeofInotifyEvent) {\n\t\t\t// Point \"raw\" to the event in the buffer\n\t\t\traw := (*unix.InotifyEvent)(unsafe.Pointer(&buf[offset]))\n\n\t\t\tmask := uint32(raw.Mask)\n\t\t\tnameLen := uint32(raw.Len)\n\n\t\t\tif mask&unix.IN_Q_OVERFLOW != 0 {\n\t\t\t\tselect {\n\t\t\t\tcase w.Errors <- ErrEventOverflow:\n\t\t\t\tcase <-w.done:\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// If the event happened to the watched directory or the watched file, the kernel\n\t\t\t// doesn't append the filename to the event, but we would like to always fill the\n\t\t\t// the \"Name\" field with a valid filename. We retrieve the path of the watch from\n\t\t\t// the \"paths\" map.\n\t\t\tw.mu.Lock()\n\t\t\tname, ok := w.paths[int(raw.Wd)]\n\t\t\t// IN_DELETE_SELF occurs when the file/directory being watched is removed.\n\t\t\t// This is a sign to clean up the maps, otherwise we are no longer in sync\n\t\t\t// with the inotify kernel state which has already deleted the watch\n\t\t\t// automatically.\n\t\t\tif ok && mask&unix.IN_DELETE_SELF == unix.IN_DELETE_SELF {\n\t\t\t\tdelete(w.paths, int(raw.Wd))\n\t\t\t\tdelete(w.watches, name)\n\t\t\t}\n\t\t\tw.mu.Unlock()\n\n\t\t\tif nameLen > 0 {\n\t\t\t\t// Point \"bytes\" at the first byte of the filename\n\t\t\t\tbytes := (*[unix.PathMax]byte)(unsafe.Pointer(&buf[offset+unix.SizeofInotifyEvent]))\n\t\t\t\t// The filename is padded with NULL bytes. TrimRight() gets rid of those.\n\t\t\t\tname += \"/\" + strings.TrimRight(string(bytes[0:nameLen]), \"\\000\")\n\t\t\t}\n\n\t\t\tevent := newEvent(name, mask)\n\n\t\t\t// Send the events that are not ignored on the events channel\n\t\t\tif !event.ignoreLinux(mask) {\n\t\t\t\tselect {\n\t\t\t\tcase w.Events <- event:\n\t\t\t\tcase <-w.done:\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Move to the next event in the buffer\n\t\t\toffset += unix.SizeofInotifyEvent + nameLen\n\t\t}\n\t}\n}\n\n// Certain types of events can be \"ignored\" and not sent over the Events\n// channel. Such as events marked ignore by the kernel, or MODIFY events\n// against files that do not exist.\nfunc (e *Event) ignoreLinux(mask uint32) bool {\n\t// Ignore anything the inotify API says to ignore\n\tif mask&unix.IN_IGNORED == unix.IN_IGNORED {\n\t\treturn true\n\t}\n\n\t// If the event is not a DELETE or RENAME, the file must exist.\n\t// Otherwise the event is ignored.\n\t// *Note*: this was put in place because it was seen that a MODIFY\n\t// event was sent after the DELETE. This ignores that MODIFY and\n\t// assumes a DELETE will come or has come if the file doesn't exist.\n\tif !(e.Op&Remove == Remove || e.Op&Rename == Rename) {\n\t\t_, statErr := os.Lstat(e.Name)\n\t\treturn os.IsNotExist(statErr)\n\t}\n\treturn false\n}\n\n// newEvent returns an platform-independent Event based on an inotify mask.\nfunc newEvent(name string, mask uint32) Event {\n\te := Event{Name: name}\n\tif mask&unix.IN_CREATE == unix.IN_CREATE || mask&unix.IN_MOVED_TO == unix.IN_MOVED_TO {\n\t\te.Op |= Create\n\t}\n\tif mask&unix.IN_DELETE_SELF == unix.IN_DELETE_SELF || mask&unix.IN_DELETE == unix.IN_DELETE {\n\t\te.Op |= Remove\n\t}\n\tif mask&unix.IN_MODIFY == unix.IN_MODIFY {\n\t\te.Op |= Write\n\t}\n\tif mask&unix.IN_MOVE_SELF == unix.IN_MOVE_SELF || mask&unix.IN_MOVED_FROM == unix.IN_MOVED_FROM {\n\t\te.Op |= Rename\n\t}\n\tif mask&unix.IN_ATTRIB == unix.IN_ATTRIB {\n\t\te.Op |= Chmod\n\t}\n\treturn e\n}\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/inotify_poller.go", "content": "// Copyright 2015 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// +build linux\n\npackage fsnotify\n\nimport (\n\t\"errors\"\n\n\t\"golang.org/x/sys/unix\"\n)\n\ntype fdPoller struct {\n\tfd int // File descriptor (as returned by the inotify_init() syscall)\n\tepfd int // Epoll file descriptor\n\tpipe [2]int // Pipe for waking up\n}\n\nfunc emptyPoller(fd int) *fdPoller {\n\tpoller := new(fdPoller)\n\tpoller.fd = fd\n\tpoller.epfd = -1\n\tpoller.pipe[0] = -1\n\tpoller.pipe[1] = -1\n\treturn poller\n}\n\n// Create a new inotify poller.\n// This creates an inotify handler, and an epoll handler.\nfunc newFdPoller(fd int) (*fdPoller, error) {\n\tvar errno error\n\tpoller := emptyPoller(fd)\n\tdefer func() {\n\t\tif errno != nil {\n\t\t\tpoller.close()\n\t\t}\n\t}()\n\tpoller.fd = fd\n\n\t// Create epoll fd\n\tpoller.epfd, errno = unix.EpollCreate1(unix.EPOLL_CLOEXEC)\n\tif poller.epfd == -1 {\n\t\treturn nil, errno\n\t}\n\t// Create pipe; pipe[0] is the read end, pipe[1] the write end.\n\terrno = unix.Pipe2(poller.pipe[:], unix.O_NONBLOCK|unix.O_CLOEXEC)\n\tif errno != nil {\n\t\treturn nil, errno\n\t}\n\n\t// Register inotify fd with epoll\n\tevent := unix.EpollEvent{\n\t\tFd: int32(poller.fd),\n\t\tEvents: unix.EPOLLIN,\n\t}\n\terrno = unix.EpollCtl(poller.epfd, unix.EPOLL_CTL_ADD, poller.fd, &event)\n\tif errno != nil {\n\t\treturn nil, errno\n\t}\n\n\t// Register pipe fd with epoll\n\tevent = unix.EpollEvent{\n\t\tFd: int32(poller.pipe[0]),\n\t\tEvents: unix.EPOLLIN,\n\t}\n\terrno = unix.EpollCtl(poller.epfd, unix.EPOLL_CTL_ADD, poller.pipe[0], &event)\n\tif errno != nil {\n\t\treturn nil, errno\n\t}\n\n\treturn poller, nil\n}\n\n// Wait using epoll.\n// Returns true if something is ready to be read,\n// false if there is not.\nfunc (poller *fdPoller) wait() (bool, error) {\n\t// 3 possible events per fd, and 2 fds, makes a maximum of 6 events.\n\t// I don't know whether epoll_wait returns the number of events returned,\n\t// or the total number of events ready.\n\t// I decided to catch both by making the buffer one larger than the maximum.\n\tevents := make([]unix.EpollEvent, 7)\n\tfor {\n\t\tn, errno := unix.EpollWait(poller.epfd, events, -1)\n\t\tif n == -1 {\n\t\t\tif errno == unix.EINTR {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\treturn false, errno\n\t\t}\n\t\tif n == 0 {\n\t\t\t// If there are no events, try again.\n\t\t\tcontinue\n\t\t}\n\t\tif n > 6 {\n\t\t\t// This should never happen. More events were returned than should be possible.\n\t\t\treturn false, errors.New(\"epoll_wait returned more events than I know what to do with\")\n\t\t}\n\t\tready := events[:n]\n\t\tepollhup := false\n\t\tepollerr := false\n\t\tepollin := false\n\t\tfor _, event := range ready {\n\t\t\tif event.Fd == int32(poller.fd) {\n\t\t\t\tif event.Events&unix.EPOLLHUP != 0 {\n\t\t\t\t\t// This should not happen, but if it does, treat it as a wakeup.\n\t\t\t\t\tepollhup = true\n\t\t\t\t}\n\t\t\t\tif event.Events&unix.EPOLLERR != 0 {\n\t\t\t\t\t// If an error is waiting on the file descriptor, we should pretend\n\t\t\t\t\t// something is ready to read, and let unix.Read pick up the error.\n\t\t\t\t\tepollerr = true\n\t\t\t\t}\n\t\t\t\tif event.Events&unix.EPOLLIN != 0 {\n\t\t\t\t\t// There is data to read.\n\t\t\t\t\tepollin = true\n\t\t\t\t}\n\t\t\t}\n\t\t\tif event.Fd == int32(poller.pipe[0]) {\n\t\t\t\tif event.Events&unix.EPOLLHUP != 0 {\n\t\t\t\t\t// Write pipe descriptor was closed, by us. This means we're closing down the\n\t\t\t\t\t// watcher, and we should wake up.\n\t\t\t\t}\n\t\t\t\tif event.Events&unix.EPOLLERR != 0 {\n\t\t\t\t\t// If an error is waiting on the pipe file descriptor.\n\t\t\t\t\t// This is an absolute mystery, and should never ever happen.\n\t\t\t\t\treturn false, errors.New(\"Error on the pipe descriptor.\")\n\t\t\t\t}\n\t\t\t\tif event.Events&unix.EPOLLIN != 0 {\n\t\t\t\t\t// This is a regular wakeup, so we have to clear the buffer.\n\t\t\t\t\terr := poller.clearWake()\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn false, err\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif epollhup || epollerr || epollin {\n\t\t\treturn true, nil\n\t\t}\n\t\treturn false, nil\n\t}\n}\n\n// Close the write end of the poller.\nfunc (poller *fdPoller) wake() error {\n\tbuf := make([]byte, 1)\n\tn, errno := unix.Write(poller.pipe[1], buf)\n\tif n == -1 {\n\t\tif errno == unix.EAGAIN {\n\t\t\t// Buffer is full, poller will wake.\n\t\t\treturn nil\n\t\t}\n\t\treturn errno\n\t}\n\treturn nil\n}\n\nfunc (poller *fdPoller) clearWake() error {\n\t// You have to be woken up a LOT in order to get to 100!\n\tbuf := make([]byte, 100)\n\tn, errno := unix.Read(poller.pipe[0], buf)\n\tif n == -1 {\n\t\tif errno == unix.EAGAIN {\n\t\t\t// Buffer is empty, someone else cleared our wake.\n\t\t\treturn nil\n\t\t}\n\t\treturn errno\n\t}\n\treturn nil\n}\n\n// Close all poller file descriptors, but not the one passed to it.\nfunc (poller *fdPoller) close() {\n\tif poller.pipe[1] != -1 {\n\t\tunix.Close(poller.pipe[1])\n\t}\n\tif poller.pipe[0] != -1 {\n\t\tunix.Close(poller.pipe[0])\n\t}\n\tif poller.epfd != -1 {\n\t\tunix.Close(poller.epfd)\n\t}\n}\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/kqueue.go", "content": "// Copyright 2010 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// +build freebsd openbsd netbsd dragonfly darwin\n\npackage fsnotify\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"sync\"\n\t\"time\"\n\n\t\"golang.org/x/sys/unix\"\n)\n\n// Watcher watches a set of files, delivering events to a channel.\ntype Watcher struct {\n\tEvents chan Event\n\tErrors chan error\n\tdone chan struct{} // Channel for sending a \"quit message\" to the reader goroutine\n\n\tkq int // File descriptor (as returned by the kqueue() syscall).\n\n\tmu sync.Mutex // Protects access to watcher data\n\twatches map[string]int // Map of watched file descriptors (key: path).\n\texternalWatches map[string]bool // Map of watches added by user of the library.\n\tdirFlags map[string]uint32 // Map of watched directories to fflags used in kqueue.\n\tpaths map[int]pathInfo // Map file descriptors to path names for processing kqueue events.\n\tfileExists map[string]bool // Keep track of if we know this file exists (to stop duplicate create events).\n\tisClosed bool // Set to true when Close() is first called\n}\n\ntype pathInfo struct {\n\tname string\n\tisDir bool\n}\n\n// NewWatcher establishes a new watcher with the underlying OS and begins waiting for events.\nfunc NewWatcher() (*Watcher, error) {\n\tkq, err := kqueue()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tw := &Watcher{\n\t\tkq: kq,\n\t\twatches: make(map[string]int),\n\t\tdirFlags: make(map[string]uint32),\n\t\tpaths: make(map[int]pathInfo),\n\t\tfileExists: make(map[string]bool),\n\t\texternalWatches: make(map[string]bool),\n\t\tEvents: make(chan Event),\n\t\tErrors: make(chan error),\n\t\tdone: make(chan struct{}),\n\t}\n\n\tgo w.readEvents()\n\treturn w, nil\n}\n\n// Close removes all watches and closes the events channel.\nfunc (w *Watcher) Close() error {\n\tw.mu.Lock()\n\tif w.isClosed {\n\t\tw.mu.Unlock()\n\t\treturn nil\n\t}\n\tw.isClosed = true\n\n\t// copy paths to remove while locked\n\tvar pathsToRemove = make([]string, 0, len(w.watches))\n\tfor name := range w.watches {\n\t\tpathsToRemove = append(pathsToRemove, name)\n\t}\n\tw.mu.Unlock()\n\t// unlock before calling Remove, which also locks\n\n\tfor _, name := range pathsToRemove {\n\t\tw.Remove(name)\n\t}\n\n\t// send a \"quit\" message to the reader goroutine\n\tclose(w.done)\n\n\treturn nil\n}\n\n// Add starts watching the named file or directory (non-recursively).\nfunc (w *Watcher) Add(name string) error {\n\tw.mu.Lock()\n\tw.externalWatches[name] = true\n\tw.mu.Unlock()\n\t_, err := w.addWatch(name, noteAllEvents)\n\treturn err\n}\n\n// Remove stops watching the the named file or directory (non-recursively).\nfunc (w *Watcher) Remove(name string) error {\n\tname = filepath.Clean(name)\n\tw.mu.Lock()\n\twatchfd, ok := w.watches[name]\n\tw.mu.Unlock()\n\tif !ok {\n\t\treturn fmt.Errorf(\"can't remove non-existent kevent watch for: %s\", name)\n\t}\n\n\tconst registerRemove = unix.EV_DELETE\n\tif err := register(w.kq, []int{watchfd}, registerRemove, 0); err != nil {\n\t\treturn err\n\t}\n\n\tunix.Close(watchfd)\n\n\tw.mu.Lock()\n\tisDir := w.paths[watchfd].isDir\n\tdelete(w.watches, name)\n\tdelete(w.paths, watchfd)\n\tdelete(w.dirFlags, name)\n\tw.mu.Unlock()\n\n\t// Find all watched paths that are in this directory that are not external.\n\tif isDir {\n\t\tvar pathsToRemove []string\n\t\tw.mu.Lock()\n\t\tfor _, path := range w.paths {\n\t\t\twdir, _ := filepath.Split(path.name)\n\t\t\tif filepath.Clean(wdir) == name {\n\t\t\t\tif !w.externalWatches[path.name] {\n\t\t\t\t\tpathsToRemove = append(pathsToRemove, path.name)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tw.mu.Unlock()\n\t\tfor _, name := range pathsToRemove {\n\t\t\t// Since these are internal, not much sense in propagating error\n\t\t\t// to the user, as that will just confuse them with an error about\n\t\t\t// a path they did not explicitly watch themselves.\n\t\t\tw.Remove(name)\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// Watch all events (except NOTE_EXTEND, NOTE_LINK, NOTE_REVOKE)\nconst noteAllEvents = unix.NOTE_DELETE | unix.NOTE_WRITE | unix.NOTE_ATTRIB | unix.NOTE_RENAME\n\n// keventWaitTime to block on each read from kevent\nvar keventWaitTime = durationToTimespec(100 * time.Millisecond)\n\n// addWatch adds name to the watched file set.\n// The flags are interpreted as described in kevent(2).\n// Returns the real path to the file which was added, if any, which may be different from the one passed in the case of symlinks.\nfunc (w *Watcher) addWatch(name string, flags uint32) (string, error) {\n\tvar isDir bool\n\t// Make ./name and name equivalent\n\tname = filepath.Clean(name)\n\n\tw.mu.Lock()\n\tif w.isClosed {\n\t\tw.mu.Unlock()\n\t\treturn \"\", errors.New(\"kevent instance already closed\")\n\t}\n\twatchfd, alreadyWatching := w.watches[name]\n\t// We already have a watch, but we can still override flags.\n\tif alreadyWatching {\n\t\tisDir = w.paths[watchfd].isDir\n\t}\n\tw.mu.Unlock()\n\n\tif !alreadyWatching {\n\t\tfi, err := os.Lstat(name)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\n\t\t// Don't watch sockets.\n\t\tif fi.Mode()&os.ModeSocket == os.ModeSocket {\n\t\t\treturn \"\", nil\n\t\t}\n\n\t\t// Don't watch named pipes.\n\t\tif fi.Mode()&os.ModeNamedPipe == os.ModeNamedPipe {\n\t\t\treturn \"\", nil\n\t\t}\n\n\t\t// Follow Symlinks\n\t\t// Unfortunately, Linux can add bogus symlinks to watch list without\n\t\t// issue, and Windows can't do symlinks period (AFAIK). To maintain\n\t\t// consistency, we will act like everything is fine. There will simply\n\t\t// be no file events for broken symlinks.\n\t\t// Hence the returns of nil on errors.\n\t\tif fi.Mode()&os.ModeSymlink == os.ModeSymlink {\n\t\t\tname, err = filepath.EvalSymlinks(name)\n\t\t\tif err != nil {\n\t\t\t\treturn \"\", nil\n\t\t\t}\n\n\t\t\tw.mu.Lock()\n\t\t\t_, alreadyWatching = w.watches[name]\n\t\t\tw.mu.Unlock()\n\n\t\t\tif alreadyWatching {\n\t\t\t\treturn name, nil\n\t\t\t}\n\n\t\t\tfi, err = os.Lstat(name)\n\t\t\tif err != nil {\n\t\t\t\treturn \"\", nil\n\t\t\t}\n\t\t}\n\n\t\twatchfd, err = unix.Open(name, openMode, 0700)\n\t\tif watchfd == -1 {\n\t\t\treturn \"\", err\n\t\t}\n\n\t\tisDir = fi.IsDir()\n\t}\n\n\tconst registerAdd = unix.EV_ADD | unix.EV_CLEAR | unix.EV_ENABLE\n\tif err := register(w.kq, []int{watchfd}, registerAdd, flags); err != nil {\n\t\tunix.Close(watchfd)\n\t\treturn \"\", err\n\t}\n\n\tif !alreadyWatching {\n\t\tw.mu.Lock()\n\t\tw.watches[name] = watchfd\n\t\tw.paths[watchfd] = pathInfo{name: name, isDir: isDir}\n\t\tw.mu.Unlock()\n\t}\n\n\tif isDir {\n\t\t// Watch the directory if it has not been watched before,\n\t\t// or if it was watched before, but perhaps only a NOTE_DELETE (watchDirectoryFiles)\n\t\tw.mu.Lock()\n\n\t\twatchDir := (flags&unix.NOTE_WRITE) == unix.NOTE_WRITE &&\n\t\t\t(!alreadyWatching || (w.dirFlags[name]&unix.NOTE_WRITE) != unix.NOTE_WRITE)\n\t\t// Store flags so this watch can be updated later\n\t\tw.dirFlags[name] = flags\n\t\tw.mu.Unlock()\n\n\t\tif watchDir {\n\t\t\tif err := w.watchDirectoryFiles(name); err != nil {\n\t\t\t\treturn \"\", err\n\t\t\t}\n\t\t}\n\t}\n\treturn name, nil\n}\n\n// readEvents reads from kqueue and converts the received kevents into\n// Event values that it sends down the Events channel.\nfunc (w *Watcher) readEvents() {\n\teventBuffer := make([]unix.Kevent_t, 10)\n\nloop:\n\tfor {\n\t\t// See if there is a message on the \"done\" channel\n\t\tselect {\n\t\tcase <-w.done:\n\t\t\tbreak loop\n\t\tdefault:\n\t\t}\n\n\t\t// Get new events\n\t\tkevents, err := read(w.kq, eventBuffer, &keventWaitTime)\n\t\t// EINTR is okay, the syscall was interrupted before timeout expired.\n\t\tif err != nil && err != unix.EINTR {\n\t\t\tselect {\n\t\t\tcase w.Errors <- err:\n\t\t\tcase <-w.done:\n\t\t\t\tbreak loop\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\n\t\t// Flush the events we received to the Events channel\n\t\tfor len(kevents) > 0 {\n\t\t\tkevent := &kevents[0]\n\t\t\twatchfd := int(kevent.Ident)\n\t\t\tmask := uint32(kevent.Fflags)\n\t\t\tw.mu.Lock()\n\t\t\tpath := w.paths[watchfd]\n\t\t\tw.mu.Unlock()\n\t\t\tevent := newEvent(path.name, mask)\n\n\t\t\tif path.isDir && !(event.Op&Remove == Remove) {\n\t\t\t\t// Double check to make sure the directory exists. This can happen when\n\t\t\t\t// we do a rm -fr on a recursively watched folders and we receive a\n\t\t\t\t// modification event first but the folder has been deleted and later\n\t\t\t\t// receive the delete event\n\t\t\t\tif _, err := os.Lstat(event.Name); os.IsNotExist(err) {\n\t\t\t\t\t// mark is as delete event\n\t\t\t\t\tevent.Op |= Remove\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif event.Op&Rename == Rename || event.Op&Remove == Remove {\n\t\t\t\tw.Remove(event.Name)\n\t\t\t\tw.mu.Lock()\n\t\t\t\tdelete(w.fileExists, event.Name)\n\t\t\t\tw.mu.Unlock()\n\t\t\t}\n\n\t\t\tif path.isDir && event.Op&Write == Write && !(event.Op&Remove == Remove) {\n\t\t\t\tw.sendDirectoryChangeEvents(event.Name)\n\t\t\t} else {\n\t\t\t\t// Send the event on the Events channel.\n\t\t\t\tselect {\n\t\t\t\tcase w.Events <- event:\n\t\t\t\tcase <-w.done:\n\t\t\t\t\tbreak loop\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif event.Op&Remove == Remove {\n\t\t\t\t// Look for a file that may have overwritten this.\n\t\t\t\t// For example, mv f1 f2 will delete f2, then create f2.\n\t\t\t\tif path.isDir {\n\t\t\t\t\tfileDir := filepath.Clean(event.Name)\n\t\t\t\t\tw.mu.Lock()\n\t\t\t\t\t_, found := w.watches[fileDir]\n\t\t\t\t\tw.mu.Unlock()\n\t\t\t\t\tif found {\n\t\t\t\t\t\t// make sure the directory exists before we watch for changes. When we\n\t\t\t\t\t\t// do a recursive watch and perform rm -fr, the parent directory might\n\t\t\t\t\t\t// have gone missing, ignore the missing directory and let the\n\t\t\t\t\t\t// upcoming delete event remove the watch from the parent directory.\n\t\t\t\t\t\tif _, err := os.Lstat(fileDir); err == nil {\n\t\t\t\t\t\t\tw.sendDirectoryChangeEvents(fileDir)\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tfilePath := filepath.Clean(event.Name)\n\t\t\t\t\tif fileInfo, err := os.Lstat(filePath); err == nil {\n\t\t\t\t\t\tw.sendFileCreatedEventIfNew(filePath, fileInfo)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Move to next event\n\t\t\tkevents = kevents[1:]\n\t\t}\n\t}\n\n\t// cleanup\n\terr := unix.Close(w.kq)\n\tif err != nil {\n\t\t// only way the previous loop breaks is if w.done was closed so we need to async send to w.Errors.\n\t\tselect {\n\t\tcase w.Errors <- err:\n\t\tdefault:\n\t\t}\n\t}\n\tclose(w.Events)\n\tclose(w.Errors)\n}\n\n// newEvent returns an platform-independent Event based on kqueue Fflags.\nfunc newEvent(name string, mask uint32) Event {\n\te := Event{Name: name}\n\tif mask&unix.NOTE_DELETE == unix.NOTE_DELETE {\n\t\te.Op |= Remove\n\t}\n\tif mask&unix.NOTE_WRITE == unix.NOTE_WRITE {\n\t\te.Op |= Write\n\t}\n\tif mask&unix.NOTE_RENAME == unix.NOTE_RENAME {\n\t\te.Op |= Rename\n\t}\n\tif mask&unix.NOTE_ATTRIB == unix.NOTE_ATTRIB {\n\t\te.Op |= Chmod\n\t}\n\treturn e\n}\n\nfunc newCreateEvent(name string) Event {\n\treturn Event{Name: name, Op: Create}\n}\n\n// watchDirectoryFiles to mimic inotify when adding a watch on a directory\nfunc (w *Watcher) watchDirectoryFiles(dirPath string) error {\n\t// Get all files\n\tfiles, err := ioutil.ReadDir(dirPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tfor _, fileInfo := range files {\n\t\tfilePath := filepath.Join(dirPath, fileInfo.Name())\n\t\tfilePath, err = w.internalWatch(filePath, fileInfo)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tw.mu.Lock()\n\t\tw.fileExists[filePath] = true\n\t\tw.mu.Unlock()\n\t}\n\n\treturn nil\n}\n\n// sendDirectoryEvents searches the directory for newly created files\n// and sends them over the event channel. This functionality is to have\n// the BSD version of fsnotify match Linux inotify which provides a\n// create event for files created in a watched directory.\nfunc (w *Watcher) sendDirectoryChangeEvents(dirPath string) {\n\t// Get all files\n\tfiles, err := ioutil.ReadDir(dirPath)\n\tif err != nil {\n\t\tselect {\n\t\tcase w.Errors <- err:\n\t\tcase <-w.done:\n\t\t\treturn\n\t\t}\n\t}\n\n\t// Search for new files\n\tfor _, fileInfo := range files {\n\t\tfilePath := filepath.Join(dirPath, fileInfo.Name())\n\t\terr := w.sendFileCreatedEventIfNew(filePath, fileInfo)\n\n\t\tif err != nil {\n\t\t\treturn\n\t\t}\n\t}\n}\n\n// sendFileCreatedEvent sends a create event if the file isn't already being tracked.\nfunc (w *Watcher) sendFileCreatedEventIfNew(filePath string, fileInfo os.FileInfo) (err error) {\n\tw.mu.Lock()\n\t_, doesExist := w.fileExists[filePath]\n\tw.mu.Unlock()\n\tif !doesExist {\n\t\t// Send create event\n\t\tselect {\n\t\tcase w.Events <- newCreateEvent(filePath):\n\t\tcase <-w.done:\n\t\t\treturn\n\t\t}\n\t}\n\n\t// like watchDirectoryFiles (but without doing another ReadDir)\n\tfilePath, err = w.internalWatch(filePath, fileInfo)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tw.mu.Lock()\n\tw.fileExists[filePath] = true\n\tw.mu.Unlock()\n\n\treturn nil\n}\n\nfunc (w *Watcher) internalWatch(name string, fileInfo os.FileInfo) (string, error) {\n\tif fileInfo.IsDir() {\n\t\t// mimic Linux providing delete events for subdirectories\n\t\t// but preserve the flags used if currently watching subdirectory\n\t\tw.mu.Lock()\n\t\tflags := w.dirFlags[name]\n\t\tw.mu.Unlock()\n\n\t\tflags |= unix.NOTE_DELETE | unix.NOTE_RENAME\n\t\treturn w.addWatch(name, flags)\n\t}\n\n\t// watch file to mimic Linux inotify\n\treturn w.addWatch(name, noteAllEvents)\n}\n\n// kqueue creates a new kernel event queue and returns a descriptor.\nfunc kqueue() (kq int, err error) {\n\tkq, err = unix.Kqueue()\n\tif kq == -1 {\n\t\treturn kq, err\n\t}\n\treturn kq, nil\n}\n\n// register events with the queue\nfunc register(kq int, fds []int, flags int, fflags uint32) error {\n\tchanges := make([]unix.Kevent_t, len(fds))\n\n\tfor i, fd := range fds {\n\t\t// SetKevent converts int to the platform-specific types:\n\t\tunix.SetKevent(&changes[i], fd, unix.EVFILT_VNODE, flags)\n\t\tchanges[i].Fflags = fflags\n\t}\n\n\t// register the events\n\tsuccess, err := unix.Kevent(kq, changes, nil, nil)\n\tif success == -1 {\n\t\treturn err\n\t}\n\treturn nil\n}\n\n// read retrieves pending events, or waits until an event occurs.\n// A timeout of nil blocks indefinitely, while 0 polls the queue.\nfunc read(kq int, events []unix.Kevent_t, timeout *unix.Timespec) ([]unix.Kevent_t, error) {\n\tn, err := unix.Kevent(kq, nil, events, timeout)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn events[0:n], nil\n}\n\n// durationToTimespec prepares a timeout value\nfunc durationToTimespec(d time.Duration) unix.Timespec {\n\treturn unix.NsecToTimespec(d.Nanoseconds())\n}\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/open_mode_bsd.go", "content": "// Copyright 2013 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// +build freebsd openbsd netbsd dragonfly\n\npackage fsnotify\n\nimport \"golang.org/x/sys/unix\"\n\nconst openMode = unix.O_NONBLOCK | unix.O_RDONLY | unix.O_CLOEXEC\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/open_mode_darwin.go", "content": "// Copyright 2013 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// +build darwin\n\npackage fsnotify\n\nimport \"golang.org/x/sys/unix\"\n\n// note: this constant is not defined on BSD\nconst openMode = unix.O_EVTONLY | unix.O_CLOEXEC\n" }, { "path": "vendor/github.com/fsnotify/fsnotify/windows.go", "content": "// Copyright 2011 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// +build windows\n\npackage fsnotify\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"sync\"\n\t\"syscall\"\n\t\"unsafe\"\n)\n\n// Watcher watches a set of files, delivering events to a channel.\ntype Watcher struct {\n\tEvents chan Event\n\tErrors chan error\n\tisClosed bool // Set to true when Close() is first called\n\tmu sync.Mutex // Map access\n\tport syscall.Handle // Handle to completion port\n\twatches watchMap // Map of watches (key: i-number)\n\tinput chan *input // Inputs to the reader are sent on this channel\n\tquit chan chan<- error\n}\n\n// NewWatcher establishes a new watcher with the underlying OS and begins waiting for events.\nfunc NewWatcher() (*Watcher, error) {\n\tport, e := syscall.CreateIoCompletionPort(syscall.InvalidHandle, 0, 0, 0)\n\tif e != nil {\n\t\treturn nil, os.NewSyscallError(\"CreateIoCompletionPort\", e)\n\t}\n\tw := &Watcher{\n\t\tport: port,\n\t\twatches: make(watchMap),\n\t\tinput: make(chan *input, 1),\n\t\tEvents: make(chan Event, 50),\n\t\tErrors: make(chan error),\n\t\tquit: make(chan chan<- error, 1),\n\t}\n\tgo w.readEvents()\n\treturn w, nil\n}\n\n// Close removes all watches and closes the events channel.\nfunc (w *Watcher) Close() error {\n\tif w.isClosed {\n\t\treturn nil\n\t}\n\tw.isClosed = true\n\n\t// Send \"quit\" message to the reader goroutine\n\tch := make(chan error)\n\tw.quit <- ch\n\tif err := w.wakeupReader(); err != nil {\n\t\treturn err\n\t}\n\treturn <-ch\n}\n\n// Add starts watching the named file or directory (non-recursively).\nfunc (w *Watcher) Add(name string) error {\n\tif w.isClosed {\n\t\treturn errors.New(\"watcher already closed\")\n\t}\n\tin := &input{\n\t\top: opAddWatch,\n\t\tpath: filepath.Clean(name),\n\t\tflags: sysFSALLEVENTS,\n\t\treply: make(chan error),\n\t}\n\tw.input <- in\n\tif err := w.wakeupReader(); err != nil {\n\t\treturn err\n\t}\n\treturn <-in.reply\n}\n\n// Remove stops watching the the named file or directory (non-recursively).\nfunc (w *Watcher) Remove(name string) error {\n\tin := &input{\n\t\top: opRemoveWatch,\n\t\tpath: filepath.Clean(name),\n\t\treply: make(chan error),\n\t}\n\tw.input <- in\n\tif err := w.wakeupReader(); err != nil {\n\t\treturn err\n\t}\n\treturn <-in.reply\n}\n\nconst (\n\t// Options for AddWatch\n\tsysFSONESHOT = 0x80000000\n\tsysFSONLYDIR = 0x1000000\n\n\t// Events\n\tsysFSACCESS = 0x1\n\tsysFSALLEVENTS = 0xfff\n\tsysFSATTRIB = 0x4\n\tsysFSCLOSE = 0x18\n\tsysFSCREATE = 0x100\n\tsysFSDELETE = 0x200\n\tsysFSDELETESELF = 0x400\n\tsysFSMODIFY = 0x2\n\tsysFSMOVE = 0xc0\n\tsysFSMOVEDFROM = 0x40\n\tsysFSMOVEDTO = 0x80\n\tsysFSMOVESELF = 0x800\n\n\t// Special events\n\tsysFSIGNORED = 0x8000\n\tsysFSQOVERFLOW = 0x4000\n)\n\nfunc newEvent(name string, mask uint32) Event {\n\te := Event{Name: name}\n\tif mask&sysFSCREATE == sysFSCREATE || mask&sysFSMOVEDTO == sysFSMOVEDTO {\n\t\te.Op |= Create\n\t}\n\tif mask&sysFSDELETE == sysFSDELETE || mask&sysFSDELETESELF == sysFSDELETESELF {\n\t\te.Op |= Remove\n\t}\n\tif mask&sysFSMODIFY == sysFSMODIFY {\n\t\te.Op |= Write\n\t}\n\tif mask&sysFSMOVE == sysFSMOVE || mask&sysFSMOVESELF == sysFSMOVESELF || mask&sysFSMOVEDFROM == sysFSMOVEDFROM {\n\t\te.Op |= Rename\n\t}\n\tif mask&sysFSATTRIB == sysFSATTRIB {\n\t\te.Op |= Chmod\n\t}\n\treturn e\n}\n\nconst (\n\topAddWatch = iota\n\topRemoveWatch\n)\n\nconst (\n\tprovisional uint64 = 1 << (32 + iota)\n)\n\ntype input struct {\n\top int\n\tpath string\n\tflags uint32\n\treply chan error\n}\n\ntype inode struct {\n\thandle syscall.Handle\n\tvolume uint32\n\tindex uint64\n}\n\ntype watch struct {\n\tov syscall.Overlapped\n\tino *inode // i-number\n\tpath string // Directory path\n\tmask uint64 // Directory itself is being watched with these notify flags\n\tnames map[string]uint64 // Map of names being watched and their notify flags\n\trename string // Remembers the old name while renaming a file\n\tbuf [4096]byte\n}\n\ntype indexMap map[uint64]*watch\ntype watchMap map[uint32]indexMap\n\nfunc (w *Watcher) wakeupReader() error {\n\te := syscall.PostQueuedCompletionStatus(w.port, 0, 0, nil)\n\tif e != nil {\n\t\treturn os.NewSyscallError(\"PostQueuedCompletionStatus\", e)\n\t}\n\treturn nil\n}\n\nfunc getDir(pathname string) (dir string, err error) {\n\tattr, e := syscall.GetFileAttributes(syscall.StringToUTF16Ptr(pathname))\n\tif e != nil {\n\t\treturn \"\", os.NewSyscallError(\"GetFileAttributes\", e)\n\t}\n\tif attr&syscall.FILE_ATTRIBUTE_DIRECTORY != 0 {\n\t\tdir = pathname\n\t} else {\n\t\tdir, _ = filepath.Split(pathname)\n\t\tdir = filepath.Clean(dir)\n\t}\n\treturn\n}\n\nfunc getIno(path string) (ino *inode, err error) {\n\th, e := syscall.CreateFile(syscall.StringToUTF16Ptr(path),\n\t\tsyscall.FILE_LIST_DIRECTORY,\n\t\tsyscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,\n\t\tnil, syscall.OPEN_EXISTING,\n\t\tsyscall.FILE_FLAG_BACKUP_SEMANTICS|syscall.FILE_FLAG_OVERLAPPED, 0)\n\tif e != nil {\n\t\treturn nil, os.NewSyscallError(\"CreateFile\", e)\n\t}\n\tvar fi syscall.ByHandleFileInformation\n\tif e = syscall.GetFileInformationByHandle(h, &fi); e != nil {\n\t\tsyscall.CloseHandle(h)\n\t\treturn nil, os.NewSyscallError(\"GetFileInformationByHandle\", e)\n\t}\n\tino = &inode{\n\t\thandle: h,\n\t\tvolume: fi.VolumeSerialNumber,\n\t\tindex: uint64(fi.FileIndexHigh)<<32 | uint64(fi.FileIndexLow),\n\t}\n\treturn ino, nil\n}\n\n// Must run within the I/O thread.\nfunc (m watchMap) get(ino *inode) *watch {\n\tif i := m[ino.volume]; i != nil {\n\t\treturn i[ino.index]\n\t}\n\treturn nil\n}\n\n// Must run within the I/O thread.\nfunc (m watchMap) set(ino *inode, watch *watch) {\n\ti := m[ino.volume]\n\tif i == nil {\n\t\ti = make(indexMap)\n\t\tm[ino.volume] = i\n\t}\n\ti[ino.index] = watch\n}\n\n// Must run within the I/O thread.\nfunc (w *Watcher) addWatch(pathname string, flags uint64) error {\n\tdir, err := getDir(pathname)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif flags&sysFSONLYDIR != 0 && pathname != dir {\n\t\treturn nil\n\t}\n\tino, err := getIno(dir)\n\tif err != nil {\n\t\treturn err\n\t}\n\tw.mu.Lock()\n\twatchEntry := w.watches.get(ino)\n\tw.mu.Unlock()\n\tif watchEntry == nil {\n\t\tif _, e := syscall.CreateIoCompletionPort(ino.handle, w.port, 0, 0); e != nil {\n\t\t\tsyscall.CloseHandle(ino.handle)\n\t\t\treturn os.NewSyscallError(\"CreateIoCompletionPort\", e)\n\t\t}\n\t\twatchEntry = &watch{\n\t\t\tino: ino,\n\t\t\tpath: dir,\n\t\t\tnames: make(map[string]uint64),\n\t\t}\n\t\tw.mu.Lock()\n\t\tw.watches.set(ino, watchEntry)\n\t\tw.mu.Unlock()\n\t\tflags |= provisional\n\t} else {\n\t\tsyscall.CloseHandle(ino.handle)\n\t}\n\tif pathname == dir {\n\t\twatchEntry.mask |= flags\n\t} else {\n\t\twatchEntry.names[filepath.Base(pathname)] |= flags\n\t}\n\tif err = w.startRead(watchEntry); err != nil {\n\t\treturn err\n\t}\n\tif pathname == dir {\n\t\twatchEntry.mask &= ^provisional\n\t} else {\n\t\twatchEntry.names[filepath.Base(pathname)] &= ^provisional\n\t}\n\treturn nil\n}\n\n// Must run within the I/O thread.\nfunc (w *Watcher) remWatch(pathname string) error {\n\tdir, err := getDir(pathname)\n\tif err != nil {\n\t\treturn err\n\t}\n\tino, err := getIno(dir)\n\tif err != nil {\n\t\treturn err\n\t}\n\tw.mu.Lock()\n\twatch := w.watches.get(ino)\n\tw.mu.Unlock()\n\tif watch == nil {\n\t\treturn fmt.Errorf(\"can't remove non-existent watch for: %s\", pathname)\n\t}\n\tif pathname == dir {\n\t\tw.sendEvent(watch.path, watch.mask&sysFSIGNORED)\n\t\twatch.mask = 0\n\t} else {\n\t\tname := filepath.Base(pathname)\n\t\tw.sendEvent(filepath.Join(watch.path, name), watch.names[name]&sysFSIGNORED)\n\t\tdelete(watch.names, name)\n\t}\n\treturn w.startRead(watch)\n}\n\n// Must run within the I/O thread.\nfunc (w *Watcher) deleteWatch(watch *watch) {\n\tfor name, mask := range watch.names {\n\t\tif mask&provisional == 0 {\n\t\t\tw.sendEvent(filepath.Join(watch.path, name), mask&sysFSIGNORED)\n\t\t}\n\t\tdelete(watch.names, name)\n\t}\n\tif watch.mask != 0 {\n\t\tif watch.mask&provisional == 0 {\n\t\t\tw.sendEvent(watch.path, watch.mask&sysFSIGNORED)\n\t\t}\n\t\twatch.mask = 0\n\t}\n}\n\n// Must run within the I/O thread.\nfunc (w *Watcher) startRead(watch *watch) error {\n\tif e := syscall.CancelIo(watch.ino.handle); e != nil {\n\t\tw.Errors <- os.NewSyscallError(\"CancelIo\", e)\n\t\tw.deleteWatch(watch)\n\t}\n\tmask := toWindowsFlags(watch.mask)\n\tfor _, m := range watch.names {\n\t\tmask |= toWindowsFlags(m)\n\t}\n\tif mask == 0 {\n\t\tif e := syscall.CloseHandle(watch.ino.handle); e != nil {\n\t\t\tw.Errors <- os.NewSyscallError(\"CloseHandle\", e)\n\t\t}\n\t\tw.mu.Lock()\n\t\tdelete(w.watches[watch.ino.volume], watch.ino.index)\n\t\tw.mu.Unlock()\n\t\treturn nil\n\t}\n\te := syscall.ReadDirectoryChanges(watch.ino.handle, &watch.buf[0],\n\t\tuint32(unsafe.Sizeof(watch.buf)), false, mask, nil, &watch.ov, 0)\n\tif e != nil {\n\t\terr := os.NewSyscallError(\"ReadDirectoryChanges\", e)\n\t\tif e == syscall.ERROR_ACCESS_DENIED && watch.mask&provisional == 0 {\n\t\t\t// Watched directory was probably removed\n\t\t\tif w.sendEvent(watch.path, watch.mask&sysFSDELETESELF) {\n\t\t\t\tif watch.mask&sysFSONESHOT != 0 {\n\t\t\t\t\twatch.mask = 0\n\t\t\t\t}\n\t\t\t}\n\t\t\terr = nil\n\t\t}\n\t\tw.deleteWatch(watch)\n\t\tw.startRead(watch)\n\t\treturn err\n\t}\n\treturn nil\n}\n\n// readEvents reads from the I/O completion port, converts the\n// received events into Event objects and sends them via the Events channel.\n// Entry point to the I/O thread.\nfunc (w *Watcher) readEvents() {\n\tvar (\n\t\tn, key uint32\n\t\tov *syscall.Overlapped\n\t)\n\truntime.LockOSThread()\n\n\tfor {\n\t\te := syscall.GetQueuedCompletionStatus(w.port, &n, &key, &ov, syscall.INFINITE)\n\t\twatch := (*watch)(unsafe.Pointer(ov))\n\n\t\tif watch == nil {\n\t\t\tselect {\n\t\t\tcase ch := <-w.quit:\n\t\t\t\tw.mu.Lock()\n\t\t\t\tvar indexes []indexMap\n\t\t\t\tfor _, index := range w.watches {\n\t\t\t\t\tindexes = append(indexes, index)\n\t\t\t\t}\n\t\t\t\tw.mu.Unlock()\n\t\t\t\tfor _, index := range indexes {\n\t\t\t\t\tfor _, watch := range index {\n\t\t\t\t\t\tw.deleteWatch(watch)\n\t\t\t\t\t\tw.startRead(watch)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tvar err error\n\t\t\t\tif e := syscall.CloseHandle(w.port); e != nil {\n\t\t\t\t\terr = os.NewSyscallError(\"CloseHandle\", e)\n\t\t\t\t}\n\t\t\t\tclose(w.Events)\n\t\t\t\tclose(w.Errors)\n\t\t\t\tch <- err\n\t\t\t\treturn\n\t\t\tcase in := <-w.input:\n\t\t\t\tswitch in.op {\n\t\t\t\tcase opAddWatch:\n\t\t\t\t\tin.reply <- w.addWatch(in.path, uint64(in.flags))\n\t\t\t\tcase opRemoveWatch:\n\t\t\t\t\tin.reply <- w.remWatch(in.path)\n\t\t\t\t}\n\t\t\tdefault:\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\n\t\tswitch e {\n\t\tcase syscall.ERROR_MORE_DATA:\n\t\t\tif watch == nil {\n\t\t\t\tw.Errors <- errors.New(\"ERROR_MORE_DATA has unexpectedly null lpOverlapped buffer\")\n\t\t\t} else {\n\t\t\t\t// The i/o succeeded but the buffer is full.\n\t\t\t\t// In theory we should be building up a full packet.\n\t\t\t\t// In practice we can get away with just carrying on.\n\t\t\t\tn = uint32(unsafe.Sizeof(watch.buf))\n\t\t\t}\n\t\tcase syscall.ERROR_ACCESS_DENIED:\n\t\t\t// Watched directory was probably removed\n\t\t\tw.sendEvent(watch.path, watch.mask&sysFSDELETESELF)\n\t\t\tw.deleteWatch(watch)\n\t\t\tw.startRead(watch)\n\t\t\tcontinue\n\t\tcase syscall.ERROR_OPERATION_ABORTED:\n\t\t\t// CancelIo was called on this handle\n\t\t\tcontinue\n\t\tdefault:\n\t\t\tw.Errors <- os.NewSyscallError(\"GetQueuedCompletionPort\", e)\n\t\t\tcontinue\n\t\tcase nil:\n\t\t}\n\n\t\tvar offset uint32\n\t\tfor {\n\t\t\tif n == 0 {\n\t\t\t\tw.Events <- newEvent(\"\", sysFSQOVERFLOW)\n\t\t\t\tw.Errors <- errors.New(\"short read in readEvents()\")\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t\t// Point \"raw\" to the event in the buffer\n\t\t\traw := (*syscall.FileNotifyInformation)(unsafe.Pointer(&watch.buf[offset]))\n\t\t\tbuf := (*[syscall.MAX_PATH]uint16)(unsafe.Pointer(&raw.FileName))\n\t\t\tname := syscall.UTF16ToString(buf[:raw.FileNameLength/2])\n\t\t\tfullname := filepath.Join(watch.path, name)\n\n\t\t\tvar mask uint64\n\t\t\tswitch raw.Action {\n\t\t\tcase syscall.FILE_ACTION_REMOVED:\n\t\t\t\tmask = sysFSDELETESELF\n\t\t\tcase syscall.FILE_ACTION_MODIFIED:\n\t\t\t\tmask = sysFSMODIFY\n\t\t\tcase syscall.FILE_ACTION_RENAMED_OLD_NAME:\n\t\t\t\twatch.rename = name\n\t\t\tcase syscall.FILE_ACTION_RENAMED_NEW_NAME:\n\t\t\t\tif watch.names[watch.rename] != 0 {\n\t\t\t\t\twatch.names[name] |= watch.names[watch.rename]\n\t\t\t\t\tdelete(watch.names, watch.rename)\n\t\t\t\t\tmask = sysFSMOVESELF\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tsendNameEvent := func() {\n\t\t\t\tif w.sendEvent(fullname, watch.names[name]&mask) {\n\t\t\t\t\tif watch.names[name]&sysFSONESHOT != 0 {\n\t\t\t\t\t\tdelete(watch.names, name)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tif raw.Action != syscall.FILE_ACTION_RENAMED_NEW_NAME {\n\t\t\t\tsendNameEvent()\n\t\t\t}\n\t\t\tif raw.Action == syscall.FILE_ACTION_REMOVED {\n\t\t\t\tw.sendEvent(fullname, watch.names[name]&sysFSIGNORED)\n\t\t\t\tdelete(watch.names, name)\n\t\t\t}\n\t\t\tif w.sendEvent(fullname, watch.mask&toFSnotifyFlags(raw.Action)) {\n\t\t\t\tif watch.mask&sysFSONESHOT != 0 {\n\t\t\t\t\twatch.mask = 0\n\t\t\t\t}\n\t\t\t}\n\t\t\tif raw.Action == syscall.FILE_ACTION_RENAMED_NEW_NAME {\n\t\t\t\tfullname = filepath.Join(watch.path, watch.rename)\n\t\t\t\tsendNameEvent()\n\t\t\t}\n\n\t\t\t// Move to the next event in the buffer\n\t\t\tif raw.NextEntryOffset == 0 {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\toffset += raw.NextEntryOffset\n\n\t\t\t// Error!\n\t\t\tif offset >= n {\n\t\t\t\tw.Errors <- errors.New(\"Windows system assumed buffer larger than it is, events have likely been missed.\")\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\n\t\tif err := w.startRead(watch); err != nil {\n\t\t\tw.Errors <- err\n\t\t}\n\t}\n}\n\nfunc (w *Watcher) sendEvent(name string, mask uint64) bool {\n\tif mask == 0 {\n\t\treturn false\n\t}\n\tevent := newEvent(name, uint32(mask))\n\tselect {\n\tcase ch := <-w.quit:\n\t\tw.quit <- ch\n\tcase w.Events <- event:\n\t}\n\treturn true\n}\n\nfunc toWindowsFlags(mask uint64) uint32 {\n\tvar m uint32\n\tif mask&sysFSACCESS != 0 {\n\t\tm |= syscall.FILE_NOTIFY_CHANGE_LAST_ACCESS\n\t}\n\tif mask&sysFSMODIFY != 0 {\n\t\tm |= syscall.FILE_NOTIFY_CHANGE_LAST_WRITE\n\t}\n\tif mask&sysFSATTRIB != 0 {\n\t\tm |= syscall.FILE_NOTIFY_CHANGE_ATTRIBUTES\n\t}\n\tif mask&(sysFSMOVE|sysFSCREATE|sysFSDELETE) != 0 {\n\t\tm |= syscall.FILE_NOTIFY_CHANGE_FILE_NAME | syscall.FILE_NOTIFY_CHANGE_DIR_NAME\n\t}\n\treturn m\n}\n\nfunc toFSnotifyFlags(action uint32) uint64 {\n\tswitch action {\n\tcase syscall.FILE_ACTION_ADDED:\n\t\treturn sysFSCREATE\n\tcase syscall.FILE_ACTION_REMOVED:\n\t\treturn sysFSDELETE\n\tcase syscall.FILE_ACTION_MODIFIED:\n\t\treturn sysFSMODIFY\n\tcase syscall.FILE_ACTION_RENAMED_OLD_NAME:\n\t\treturn sysFSMOVEDFROM\n\tcase syscall.FILE_ACTION_RENAMED_NEW_NAME:\n\t\treturn sysFSMOVEDTO\n\t}\n\treturn 0\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/.codecov.yml", "content": "codecov:\n # across\n notify:\n # Do not notify until at least this number of reports have been uploaded\n # from the CI pipeline. We normally have more than that number, but 6\n # should be enough to get a first notification.\n after_n_builds: 6\ncoverage:\n status:\n project:\n default:\n # Do not fail the commit status if the coverage was reduced up to this value\n threshold: 0.5%\n patch:\n default:\n informational: true\nignore:\n - \"log_fallback.go\"\n - \"internal/testutils\"\n" }, { "path": "vendor/github.com/getsentry/sentry-go/.craft.yml", "content": "minVersion: 2.14.0\nchangelog:\n policy: auto\nversioning:\n policy: auto\nartifactProvider:\n name: none\ntargets:\n - name: github\n tagPrefix: v\n - name: github\n tagPrefix: otel/v\n tagOnly: true\n - name: github\n tagPrefix: echo/v\n tagOnly: true\n - name: github\n tagPrefix: fasthttp/v\n tagOnly: true\n - name: github\n tagPrefix: fiber/v\n tagOnly: true\n - name: github\n tagPrefix: gin/v\n tagOnly: true\n - name: github\n tagPrefix: iris/v\n tagOnly: true\n - name: github\n tagPrefix: negroni/v\n tagOnly: true\n - name: github\n tagPrefix: logrus/v\n tagOnly: true\n - name: github\n tagPrefix: slog/v\n tagOnly: true\n - name: github\n tagPrefix: zerolog/v\n tagOnly: true\n - name: github\n tagPrefix: zap/v\n tagOnly: true\n - name: registry\n sdks:\n github:getsentry/sentry-go:\n" }, { "path": "vendor/github.com/getsentry/sentry-go/.gitattributes", "content": "# Tell Git to use LF for line endings on all platforms.\n# Required to have correct test data on Windows.\n# https://github.com/mvdan/github-actions-golang#caveats\n# https://github.com/actions/checkout/issues/135#issuecomment-613361104\n* text eol=lf\n" }, { "path": "vendor/github.com/getsentry/sentry-go/.gitignore", "content": "# Code coverage artifacts\ncoverage.txt\ncoverage.out\ncoverage.html\n.coverage/\n\n# Just my personal way of tracking stuff — Kamil\nFIXME.md\nTODO.md\n!NOTES.md\n\n# IDE system files\n.idea\n.vscode\n\n# Local Claude Code settings that should not be committed\n.claude/settings.local.json\n" }, { "path": "vendor/github.com/getsentry/sentry-go/.golangci.yml", "content": "version: \"2\"\nlinters:\n default: none\n enable:\n - bodyclose\n - dogsled\n - dupl\n - errcheck\n - gochecknoinits\n - goconst\n - gocritic\n - gocyclo\n - godot\n - gosec\n - govet\n - ineffassign\n - misspell\n - nakedret\n - prealloc\n - revive\n - staticcheck\n - unconvert\n - unparam\n - unused\n - whitespace\n exclusions:\n generated: lax\n presets:\n - comments\n - common-false-positives\n - legacy\n - std-error-handling\n rules:\n - linters:\n - goconst\n - prealloc\n path: _test\\.go\n - linters:\n - gosec\n path: _test\\.go\n text: 'G306:'\n - linters:\n - unused\n path: errors_test\\.go\n - linters:\n - bodyclose\n - errcheck\n path: http/example_test\\.go\n paths:\n - third_party$\n - builtin$\n - examples$\nformatters:\n enable:\n - gofmt\n - goimports\n exclusions:\n generated: lax\n paths:\n - third_party$\n - builtin$\n - examples$\n" }, { "path": "vendor/github.com/getsentry/sentry-go/CHANGELOG.md", "content": "# Changelog\n\n## 0.43.0\n\n### Breaking Changes 🛠\n\n- Add support for go 1.26 by @giortzisg in [#1193](https://github.com/getsentry/sentry-go/pull/1193)\n - bump minimum supported go version to 1.24\n- change type signature of attributes for Logs and Metrics. by @giortzisg in [#1205](https://github.com/getsentry/sentry-go/pull/1205)\n - users are not supposed to modify Attributes directly on the Log/Metric itself, but this is still is a breaking change on the type.\n- Send uint64 overflowing attributes as numbers. by @giortzisg in [#1198](https://github.com/getsentry/sentry-go/pull/1198)\n - The SDK was converting overflowing uint64 attributes to strings for slog and logrus integrations. To eliminate double types for these attributes, the SDK now sends the overflowing attribute as is, and lets the server handle the overflow appropriately.\n - It is expected that overflowing unsigned integers would now get dropped, instead of converted to strings.\n\n### New Features ✨\n\n- Add zap logging integration by @giortzisg in [#1184](https://github.com/getsentry/sentry-go/pull/1184)\n- Log specific message for RequestEntityTooLarge by @giortzisg in [#1185](https://github.com/getsentry/sentry-go/pull/1185)\n\n### Bug Fixes 🐛\n\n- Improve otel span map cleanup performance by @giortzisg in [#1200](https://github.com/getsentry/sentry-go/pull/1200)\n- Ensure correct signal delivery on multi-client setups by @giortzisg in [#1190](https://github.com/getsentry/sentry-go/pull/1190)\n\n### Internal Changes 🔧\n\n#### Deps\n\n- Bump golang.org/x/crypto to 0.48.0 by @giortzisg in [#1196](https://github.com/getsentry/sentry-go/pull/1196)\n- Use go1.24.0 by @giortzisg in [#1195](https://github.com/getsentry/sentry-go/pull/1195)\n- Bump github.com/gofiber/fiber/v2 from 2.52.9 to 2.52.11 in /fiber by @dependabot in [#1191](https://github.com/getsentry/sentry-go/pull/1191)\n- Bump getsentry/craft from 2.19.0 to 2.20.1 by @dependabot in [#1187](https://github.com/getsentry/sentry-go/pull/1187)\n\n#### Other\n\n- Add omitzero and remove custom serialization by @giortzisg in [#1197](https://github.com/getsentry/sentry-go/pull/1197)\n- Rename Telemetry Processor components by @giortzisg in [#1186](https://github.com/getsentry/sentry-go/pull/1186)\n\n## 0.42.0\n\n### Breaking Changes 🛠\n\n- refactor Telemetry Processor to use TelemetryItem instead of ItemConvertible by @giortzisg in [#1180](https://github.com/getsentry/sentry-go/pull/1180)\n - remove ToEnvelopeItem from single log items\n - rename TelemetryBuffer to Telemetry Processor to adhere to spec\n - remove unsed ToEnvelopeItem(dsn) from Event.\n\n### New Features ✨\n\n- Add metric support by @aldy505 in [#1151](https://github.com/getsentry/sentry-go/pull/1151)\n - support for three metric methods (counter, gauge, distribution)\n - custom metric units\n - unexport batchlogger\n\n### Internal Changes 🔧\n\n#### Release\n\n- Fix changelog-preview permissions by @BYK in [#1181](https://github.com/getsentry/sentry-go/pull/1181)\n- Switch from action-prepare-release to Craft by @BYK in [#1167](https://github.com/getsentry/sentry-go/pull/1167)\n\n#### Other\n\n- (repo) Add Claude Code settings with basic permissions by @philipphofmann in [#1175](https://github.com/getsentry/sentry-go/pull/1175)\n- Update release and changelog-preview workflows by @giortzisg in [#1177](https://github.com/getsentry/sentry-go/pull/1177)\n- Bump echo to 4.10.1 by @giortzisg in [#1174](https://github.com/getsentry/sentry-go/pull/1174)\n\n## 0.41.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.41.0.\n\n### Features\n\n- Add HTTP client integration for distributed tracing via `sentryhttpclient` package ([#876](https://github.com/getsentry/sentry-go/pull/876))\n - Provides an `http.RoundTripper` implementation that automatically creates spans for outgoing HTTP requests\n - Supports trace propagation targets configuration via `WithTracePropagationTargets` option\n - Example usage:\n ```go\n import sentryhttpclient \"github.com/getsentry/sentry-go/httpclient\"\n\n roundTripper := sentryhttpclient.NewSentryRoundTripper(nil)\n client := &http.Client{\n Transport: roundTripper,\n }\n ```\n- Add `ClientOptions.PropagateTraceparent` option to control W3C `traceparent` header propagation in outgoing HTTP requests ([#1161](https://github.com/getsentry/sentry-go/pull/1161))\n- Add `SpanID` field to structured logs ([#1169](https://github.com/getsentry/sentry-go/pull/1169))\n\n## 0.40.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.40.0.\n\n### Bug Fixes\n\n- Disable `DisableTelemetryBuffer` flag and noop Telemetry Buffer, to prevent a panic at runtime ([#1149](https://github.com/getsentry/sentry-go/pull/1149)).\n\n## 0.39.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.39.0.\n\n### Features\n\n- Drop events from the telemetry buffer when rate-limited or transport is full, allowing the buffer queue to empty itself under load ([#1138](https://github.com/getsentry/sentry-go/pull/1138)).\n\n### Bug Fixes\n\n- Fix scheduler's `hasWork()` method to check if buffers are ready to flush. The previous implementation was causing CPU spikes ([#1143](https://github.com/getsentry/sentry-go/pull/1143)).\n\n## 0.38.0\n\n### Breaking Changes\n\n### Features\n\n- Introduce a new async envelope transport and telemetry buffer to prioritize and batch events ([#1094](https://github.com/getsentry/sentry-go/pull/1094), [#1093](https://github.com/getsentry/sentry-go/pull/1093), [#1107](https://github.com/getsentry/sentry-go/pull/1107)).\n - Advantages:\n - Prioritized, per-category buffers (errors, transactions, logs, check-ins) reduce starvation and improve resilience under load\n - Batching for high-volume logs (up to 100 items or 5s) cuts network overhead\n - Bounded memory with eviction policies\n - Improved flush behavior with context-aware flushing\n- Add `ClientOptions.DisableTelemetryBuffer` to opt out and fall back to the legacy transport layer (`HTTPTransport` / `HTTPSyncTransport`).\n \n ```go\n err := sentry.Init(sentry.ClientOptions{\n Dsn: \"__DSN__\",\n DisableTelemetryBuffer: true, // fallback to legacy transport\n })\n ```\n\n### Notes\n\n- If a custom `Transport` is provided, the SDK automatically disables the telemetry buffer and uses the legacy transport for compatibility.\n\n## 0.37.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.37.0.\n\n### Breaking Changes\n\n- Behavioral change for the `TraceIgnoreStatusCodes` option. The option now defaults to ignoring 404 status codes ([#1122](https://github.com/getsentry/sentry-go/pull/1122)).\n\n### Features\n\n- Add `sentry.origin` attribute to structured logs to identify log origin for `slog` and `logrus` integrations (`auto.log.slog`, `auto.log.logrus`) ([#1121](https://github.com/getsentry/sentry-go/pull/1121)).\n\n### Bug Fixes\n\n- Fix `slog` event handler to use the initial context, ensuring events use the correct hub/span when the emission context lacks one ([#1133](https://github.com/getsentry/sentry-go/pull/1133)).\n- Improve exception chain processing by checking pointer values when tracking visited errors, avoiding instability for certain wrapped errors ([#1132](https://github.com/getsentry/sentry-go/pull/1132)).\n\n### Misc\n\n- Bump `golang.org/x/net` to v0.38.0 ([#1126](https://github.com/getsentry/sentry-go/pull/1126)).\n\n## 0.36.2\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.36.2.\n\n### Bug Fixes\n\n- Fix context propagation for logs to ensure logger instances correctly inherit span and hub information from their creation context ([#1118](https://github.com/getsentry/sentry-go/pull/1118))\n - Logs now properly propagate trace context from the logger's original context, even when emitted in a different context\n - The logger will first check the emission context, then fall back to its creation context, and finally to the current hub\n\n## 0.36.1\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.36.1.\n\n### Bug Fixes\n\n- Prevent panic when converting error chains containing non-comparable error types by using a safe fallback for visited detection in exception conversion ([#1113](https://github.com/getsentry/sentry-go/pull/1113))\n\n## 0.36.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.36.0.\n\n### Breaking Changes\n\n- Behavioral change for the `MaxBreadcrumbs` client option. Removed the hard limit of 100 breadcrumbs, allowing users to set a larger limit and also changed the default limit from 30 to 100 ([#1106](https://github.com/getsentry/sentry-go/pull/1106)))\n\n- The changes to error handling ([#1075](https://github.com/getsentry/sentry-go/pull/1075)) will affect issue grouping. It is expected that any wrapped and complex errors will be grouped under a new issue group.\n\n### Features\n\n- Add support for improved issue grouping with enhanced error chain handling ([#1075](https://github.com/getsentry/sentry-go/pull/1075))\n\n The SDK now provides better handling of complex error scenarios, particularly when dealing with multiple related errors or error chains. This feature automatically detects and properly structures errors created with Go's `errors.Join()` function and other multi-error patterns.\n\n ```go\n // Multiple errors are now properly grouped and displayed in Sentry\n err1 := errors.New(\"err1\")\n err2 := errors.New(\"err2\") \n combinedErr := errors.Join(err1, err2)\n \n // When captured, these will be shown as related exceptions in Sentry\n sentry.CaptureException(combinedErr)\n ```\n\n- Add `TraceIgnoreStatusCodes` option to allow filtering of HTTP transactions based on status codes ([#1089](https://github.com/getsentry/sentry-go/pull/1089))\n - Configure which HTTP status codes should not be traced by providing single codes or ranges\n - Example: `TraceIgnoreStatusCodes: [][]int{{404}, {500, 599}}` ignores 404 and server errors 500-599\n\n### Bug Fixes\n\n- Fix logs being incorrectly filtered by `BeforeSend` callback ([#1109](https://github.com/getsentry/sentry-go/pull/1109))\n - Logs now bypass the `processEvent` method and are sent directly to the transport\n - This ensures logs are only filtered by `BeforeSendLog`, not by the error/message `BeforeSend` callback\n\n### Misc\n\n- Add support for Go 1.25 and drop support for Go 1.22 ([#1103](https://github.com/getsentry/sentry-go/pull/1103))\n\n## 0.35.3\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.35.3.\n\n### Bug Fixes\n\n- Add missing rate limit categories ([#1082](https://github.com/getsentry/sentry-go/pull/1082))\n\n## 0.35.2\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.35.2.\n\n### Bug Fixes\n\n- Fix OpenTelemetry spans being created as transactions instead of child spans ([#1073](https://github.com/getsentry/sentry-go/pull/1073))\n\n### Misc\n\n- Add `MockTransport` to test clients for improved testing ([#1071](https://github.com/getsentry/sentry-go/pull/1071))\n\n## 0.35.1\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.35.1.\n\n### Bug Fixes\n\n- Fix race conditions when accessing the scope during logging operations ([#1050](https://github.com/getsentry/sentry-go/pull/1050))\n- Fix nil pointer dereference with malformed URLs when tracing is enabled in `fasthttp` and `fiber` integrations ([#1055](https://github.com/getsentry/sentry-go/pull/1055))\n\n### Misc\n\n- Bump `github.com/gofiber/fiber/v2` from 2.52.5 to 2.52.9 in `/fiber` ([#1067](https://github.com/getsentry/sentry-go/pull/1067))\n\n## 0.35.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.35.0.\n\n### Breaking Changes\n\n- Changes to the logging API ([#1046](https://github.com/getsentry/sentry-go/pull/1046))\n\nThe logging API now supports a fluent interface for structured logging with attributes:\n\n```go\n// usage before\nlogger := sentry.NewLogger(ctx)\n// attributes weren't being set permanently\nlogger.SetAttributes(\n attribute.String(\"version\", \"1.0.0\"),\n)\nlogger.Infof(ctx, \"Message with parameters %d and %d\", 1, 2)\n\n// new behavior\nctx := context.Background()\nlogger := sentry.NewLogger(ctx)\n\n// Set permanent attributes on the logger\nlogger.SetAttributes(\n attribute.String(\"version\", \"1.0.0\"),\n)\n\n// Chain attributes on individual log entries\nlogger.Info().\n String(\"key.string\", \"value\").\n Int(\"key.int\", 42).\n Bool(\"key.bool\", true).\n Emitf(\"Message with parameters %d and %d\", 1, 2)\n```\n\n### Bug Fixes\n\n- Correctly serialize `FailureIssueThreshold` and `RecoveryThreshold` onto check-in payloads ([#1060](https://github.com/getsentry/sentry-go/pull/1060))\n\n## 0.34.1\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.34.1.\n\n### Bug Fixes\n\n- Allow flush to be used multiple times without issues, particularly for the batch logger ([#1051](https://github.com/getsentry/sentry-go/pull/1051))\n- Fix race condition in `Scope.GetSpan()` method by adding proper mutex locking ([#1044](https://github.com/getsentry/sentry-go/pull/1044))\n- Guard transport on `Close()` to prevent panic when called multiple times ([#1044](https://github.com/getsentry/sentry-go/pull/1044))\n\n## 0.34.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.34.0.\n\n### Breaking Changes\n\n- Logrus structured logging support replaces the `sentrylogrus.Hook` signature from a `*Hook` to an interface.\n\n```go\nvar hook *sentrylogrus.Hook\nhook = sentrylogrus.New(\n // ... your setup\n)\n\n// should change the definition to \nvar hook sentrylogrus.Hook\nhook = sentrylogrus.New(\n // ... your setup\n)\n```\n\n### Features\n\n- Structured logging support for [slog](https://pkg.go.dev/log/slog). ([#1033](https://github.com/getsentry/sentry-go/pull/1033))\n\n```go\nctx := context.Background()\nhandler := sentryslog.Option{\n EventLevel: []slog.Level{slog.LevelError, sentryslog.LevelFatal}, // Only Error and Fatal as events\n LogLevel: []slog.Level{slog.LevelWarn, slog.LevelInfo}, // Only Warn and Info as logs\n}.NewSentryHandler(ctx)\nlogger := slog.New(handler)\nlogger.Info(\"hello\"))\n```\n\n- Structured logging support for [logrus](https://github.com/sirupsen/logrus). ([#1036](https://github.com/getsentry/sentry-go/pull/1036))\n```go\nlogHook, _ := sentrylogrus.NewLogHook(\n []logrus.Level{logrus.InfoLevel, logrus.WarnLevel}, \n sentry.ClientOptions{\n Dsn: \"your-dsn\",\n EnableLogs: true, // Required for log entries \n })\ndefer logHook.Flush(5 * time.Secod)\nlogrus.RegisterExitHandler(func() {\n logHook.Flush(5 * time.Second)\n})\n\nlogger := logrus.New()\nlogger.AddHook(logHook)\nlogger.Infof(\"hello\")\n```\n\n- Add support for flushing events with context using `FlushWithContext()`. ([#935](https://github.com/getsentry/sentry-go/pull/935))\n\n```go\nctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)\ndefer cancel()\n\nif !sentry.FlushWithContext(ctx) {\n // Handle timeout or cancellation\n}\n```\n\n- Add support for custom fingerprints in slog integration. ([#1039](https://github.com/getsentry/sentry-go/pull/1039))\n\n### Deprecations \n\n- Slog structured logging support replaces `Level` option with `EventLevel` and `LogLevel` options, for specifying fine-grained levels for capturing events and logs.\n\n```go \nhandler := sentryslog.Option{\n EventLevel: []slog.Level{slog.LevelWarn, slog.LevelError, sentryslog.LevelFatal},\n LogLevel: []slog.Level{slog.LevelDebug, slog.LevelInfo, slog.LevelWarn, slog.LevelError, sentryslog.LevelFatal},\n}.NewSentryHandler(ctx)\n```\n\n- Logrus structured logging support replaces `New` and `NewFromClient` functions to `NewEventHook`, `NewEventHookFromClient`, to match the newly added `NewLogHook` functions, and specify the hook type being created each time.\n\n```go\nlogHook, err := sentrylogrus.NewLogHook(\n []logrus.Level{logrus.InfoLevel},\n sentry.ClientOptions{})\neventHook, err := sentrylogrus.NewEventHook([]logrus.Level{\n logrus.ErrorLevel,\n logrus.FatalLevel,\n logrus.PanicLevel,\n}, sentry.ClientOptions{})\n```\n\n### Bug Fixes\n\n- Fix issue where `ContinueTrace()` would panic when `sentry-trace` header does not exist. ([#1026](https://github.com/getsentry/sentry-go/pull/1026))\n- Fix incorrect log level signature in structured logging. ([#1034](https://github.com/getsentry/sentry-go/pull/1034))\n- Remove `sentry.origin` attribute from Sentry logger to prevent confusion in spans. ([#1038](https://github.com/getsentry/sentry-go/pull/1038))\n- Don't gate user information behind `SendDefaultPII` flag for logs. ([#1032](https://github.com/getsentry/sentry-go/pull/1032))\n\n### Misc\n\n- Add more sensitive HTTP headers to the default list of headers that are scrubbed by default. ([#1008](https://github.com/getsentry/sentry-go/pull/1008))\n\n## 0.33.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.33.0.\n\n\n### Breaking Changes\n\n- Rename the internal `Logger` to `DebugLogger`. This feature was only used when you set `Debug: True` in your `sentry.Init()` call. If you haven't used the Logger directly, no changes are necessary. ([#1012](https://github.com/getsentry/sentry-go/issues/1012))\n\n### Features\n\n- Add support for [Structured Logging](https://docs.sentry.io/product/explore/logs/). ([#1010](https://github.com/getsentry/sentry-go/issues/1010))\n\n ```go\n logger := sentry.NewLogger(ctx)\n logger.Info(ctx, \"Hello, Logs!\")\n ```\n\n You can learn more about Sentry Logs on our [docs](https://docs.sentry.io/product/explore/logs/) and the [examples](https://github.com/getsentry/sentry-go/blob/master/_examples/logs/main.go).\n\n- Add new attributes APIs, which are currently only exposed on logs. ([#1007](https://github.com/getsentry/sentry-go/issues/1007))\n\n### Bug Fixes\n\n- Do not push a new scope on `StartSpan`. ([#1013](https://github.com/getsentry/sentry-go/issues/1013))\n- Fix an issue where the propagated smapling decision wasn't used. ([#995](https://github.com/getsentry/sentry-go/issues/995))\n- [Otel] Prefer `httpRoute` over `httpTarget` for span descriptions. ([#1002](https://github.com/getsentry/sentry-go/issues/1002))\n\n### Misc\n\n- Update `github.com/stretchr/testify` to v1.8.4. ([#988](https://github.com/getsentry/sentry-go/issues/988)) \n\n## 0.32.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.32.0.\n\n### Breaking Changes\n\n- Bump the minimum Go version to 1.22. The supported versions are 1.22, 1.23 and 1.24. ([#967](https://github.com/getsentry/sentry-go/issues/967))\n- Setting any values on `span.Extra` has no effect anymore. Use `SetData(name string, value interface{})` instead. ([#864](https://github.com/getsentry/sentry-go/pull/864))\n\n### Features\n\n- Add a `MockTransport` and `MockScope`. ([#972](https://github.com/getsentry/sentry-go/pull/972))\n\n### Bug Fixes\n\n- Fix writing `*http.Request` in the Logrus JSONFormatter. ([#955](https://github.com/getsentry/sentry-go/issues/955))\n\n### Misc\n\n- Transaction `data` attributes are now seralized as trace context data attributes, allowing you to query these attributes in the [Trace Explorer](https://docs.sentry.io/product/explore/traces/).\n\n## 0.31.1\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.31.1.\n\n### Bug Fixes\n\n- Correct wrong module name for `sentry-go/logrus` ([#950](https://github.com/getsentry/sentry-go/pull/950))\n\n## 0.31.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.31.0.\n\n### Breaking Changes\n\n- Remove support for metrics. Read more about the end of the Metrics beta [here](https://sentry.zendesk.com/hc/en-us/articles/26369339769883-Metrics-Beta-Ended-on-October-7th). ([#914](https://github.com/getsentry/sentry-go/pull/914))\n\n- Remove support for profiling. ([#915](https://github.com/getsentry/sentry-go/pull/915))\n\n- Remove `Segment` field from the `User` struct. This field is no longer used in the Sentry product. ([#928](https://github.com/getsentry/sentry-go/pull/928))\n\n- Every integration is now a separate module, reducing the binary size and number of dependencies. Once you update `sentry-go` to latest version, you'll need to `go get` the integration you want to use. For example, if you want to use the `echo` integration, you'll need to run `go get github.com/getsentry/sentry-go/echo` ([#919](github.com/getsentry/sentry-go/pull/919)).\n\n### Features\n\nAdd the ability to override `hub` in `context` for integrations that use custom context. ([#931](https://github.com/getsentry/sentry-go/pull/931))\n\n- Add `HubProvider` Hook for `sentrylogrus`, enabling dynamic Sentry hub allocation for each log entry or goroutine. ([#936](https://github.com/getsentry/sentry-go/pull/936))\n\nThis change enhances compatibility with Sentry's recommendation of using separate hubs per goroutine. To ensure a separate Sentry hub for each goroutine, configure the `HubProvider` like this:\n\n```go\nhook, err := sentrylogrus.New(nil, sentry.ClientOptions{})\nif err != nil {\n log.Fatalf(\"Failed to initialize Sentry hook: %v\", err)\n}\n\n// Set a custom HubProvider to generate a new hub for each goroutine or log entry\nhook.SetHubProvider(func() *sentry.Hub {\n client, _ := sentry.NewClient(sentry.ClientOptions{})\n return sentry.NewHub(client, sentry.NewScope())\n})\n\nlogrus.AddHook(hook)\n```\n\n### Bug Fixes\n\n- Add support for closing worker goroutines started by the `HTTPTranport` to prevent goroutine leaks. ([#894](https://github.com/getsentry/sentry-go/pull/894))\n\n```go\nclient, _ := sentry.NewClient()\ndefer client.Close()\n```\n\nWorker can be also closed by calling `Close()` method on the `HTTPTransport` instance. `Close` should be called after `Flush` and before terminating the program otherwise some events may be lost.\n\n```go\ntransport := sentry.NewHTTPTransport()\ndefer transport.Close()\n```\n\n### Misc\n\n- Bump [gin-gonic/gin](https://github.com/gin-gonic/gin) to v1.9.1. ([#946](https://github.com/getsentry/sentry-go/pull/946))\n\n## 0.30.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.30.0.\n\n### Features\n\n- Add `sentryzerolog` integration ([#857](https://github.com/getsentry/sentry-go/pull/857))\n- Add `sentryslog` integration ([#865](https://github.com/getsentry/sentry-go/pull/865))\n- Always set Mechanism Type to generic ([#896](https://github.com/getsentry/sentry-go/pull/897))\n\n### Bug Fixes\n\n- Prevent panic in `fasthttp` and `fiber` integration in case a malformed URL has to be parsed ([#912](https://github.com/getsentry/sentry-go/pull/912))\n\n### Misc\n\nDrop support for Go 1.18, 1.19 and 1.20. The currently supported Go versions are the last 3 stable releases: 1.23, 1.22 and 1.21.\n\n## 0.29.1\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.29.1.\n\n### Bug Fixes\n\n- Correlate errors to the current trace ([#886](https://github.com/getsentry/sentry-go/pull/886))\n- Set the trace context when the transaction finishes ([#888](https://github.com/getsentry/sentry-go/pull/888))\n\n### Misc\n\n- Update the `sentrynegroni` integration to use the latest (v3.1.1) version of Negroni ([#885](https://github.com/getsentry/sentry-go/pull/885))\n\n## 0.29.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.29.0.\n\n### Breaking Changes\n\n- Remove the `sentrymartini` integration ([#861](https://github.com/getsentry/sentry-go/pull/861))\n- The `WrapResponseWriter` has been moved from the `sentryhttp` package to the `internal/httputils` package. If you've imported it previosuly, you'll need to copy the implementation in your project. ([#871](https://github.com/getsentry/sentry-go/pull/871))\n\n### Features\n\n- Add new convenience methods to continue a trace and propagate tracing headers for error-only use cases. ([#862](https://github.com/getsentry/sentry-go/pull/862))\n\n If you are not using one of our integrations, you can manually continue an incoming trace by using `sentry.ContinueTrace()` by providing the `sentry-trace` and `baggage` header received from a downstream SDK.\n\n ```go\n hub := sentry.CurrentHub()\n sentry.ContinueTrace(hub, r.Header.Get(sentry.SentryTraceHeader), r.Header.Get(sentry.SentryBaggageHeader)),\n ```\n\n You can use `hub.GetTraceparent()` and `hub.GetBaggage()` to fetch the necessary header values for outgoing HTTP requests.\n\n ```go\n hub := sentry.GetHubFromContext(ctx)\n req, _ := http.NewRequest(\"GET\", \"http://localhost:3000\", nil)\n req.Header.Add(sentry.SentryTraceHeader, hub.GetTraceparent())\n req.Header.Add(sentry.SentryBaggageHeader, hub.GetBaggage())\n ```\n\n### Bug Fixes\n\n- Initialize `HTTPTransport.limit` if `nil` ([#844](https://github.com/getsentry/sentry-go/pull/844))\n- Fix `sentry.StartTransaction()` returning a transaction with an outdated context on existing transactions ([#854](https://github.com/getsentry/sentry-go/pull/854))\n- Treat `Proxy-Authorization` as a sensitive header ([#859](https://github.com/getsentry/sentry-go/pull/859))\n- Add support for the `http.Hijacker` interface to the `sentrynegroni` package ([#871](https://github.com/getsentry/sentry-go/pull/871))\n- Go version >= 1.23: Use value from `http.Request.Pattern` for HTTP transaction names when using `sentryhttp` & `sentrynegroni` ([#875](https://github.com/getsentry/sentry-go/pull/875))\n- Go version >= 1.21: Fix closure functions name grouping ([#877](https://github.com/getsentry/sentry-go/pull/877))\n\n### Misc\n\n- Collect `span` origins ([#849](https://github.com/getsentry/sentry-go/pull/849))\n\n## 0.28.1\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.28.1.\n\n### Bug Fixes\n\n- Implement `http.ResponseWriter` to hook into various parts of the response process ([#837](https://github.com/getsentry/sentry-go/pull/837))\n\n## 0.28.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.28.0.\n\n### Features\n\n- Add a `Fiber` performance tracing & error reporting integration ([#795](https://github.com/getsentry/sentry-go/pull/795))\n- Add performance tracing to the `Echo` integration ([#722](https://github.com/getsentry/sentry-go/pull/722))\n- Add performance tracing to the `FastHTTP` integration ([#732](https://github.com/getsentry/sentry-go/pull/723))\n- Add performance tracing to the `Iris` integration ([#809](https://github.com/getsentry/sentry-go/pull/809))\n- Add performance tracing to the `Negroni` integration ([#808](https://github.com/getsentry/sentry-go/pull/808))\n- Add `FailureIssueThreshold` & `RecoveryThreshold` to `MonitorConfig` ([#775](https://github.com/getsentry/sentry-go/pull/775))\n- Use `errors.Unwrap()` to create exception groups ([#792](https://github.com/getsentry/sentry-go/pull/792))\n- Add support for matching on strings for `ClientOptions.IgnoreErrors` & `ClientOptions.IgnoreTransactions` ([#819](https://github.com/getsentry/sentry-go/pull/819))\n- Add `http.request.method` attribute for performance span data ([#786](https://github.com/getsentry/sentry-go/pull/786))\n- Accept `interface{}` for span data values ([#784](https://github.com/getsentry/sentry-go/pull/784))\n\n### Bug Fixes\n\n- Fix missing stack trace for parsing error in `logrusentry` ([#689](https://github.com/getsentry/sentry-go/pull/689))\n\n## 0.27.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.27.0.\n\n### Breaking Changes\n\n- `Exception.ThreadId` is now typed as `uint64`. It was wrongly typed as `string` before. ([#770](https://github.com/getsentry/sentry-go/pull/770))\n\n### Misc\n\n- Export `Event.Attachments` ([#771](https://github.com/getsentry/sentry-go/pull/771))\n\n## 0.26.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.26.0.\n\n### Breaking Changes\n\nAs previously announced, this release removes some methods from the SDK.\n\n- `sentry.TransactionName()` use `sentry.WithTransactionName()` instead.\n- `sentry.OpName()` use `sentry.WithOpName()` instead.\n- `sentry.TransctionSource()` use `sentry.WithTransactionSource()` instead.\n- `sentry.SpanSampled()` use `sentry.WithSpanSampled()` instead.\n\n### Features\n\n- Add `WithDescription` span option ([#751](https://github.com/getsentry/sentry-go/pull/751))\n\n ```go\n span := sentry.StartSpan(ctx, \"http.client\", WithDescription(\"GET /api/users\"))\n ```\n- Add support for package name parsing in Go 1.20 and higher ([#730](https://github.com/getsentry/sentry-go/pull/730))\n\n### Bug Fixes\n\n- Apply `ClientOptions.SampleRate` only to errors & messages ([#754](https://github.com/getsentry/sentry-go/pull/754))\n- Check if git is available before executing any git commands ([#737](https://github.com/getsentry/sentry-go/pull/737))\n\n## 0.25.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.25.0.\n\n### Breaking Changes\n\nAs previously announced, this release removes two global constants from the SDK.\n\n- `sentry.Version` was removed. Use `sentry.SDKVersion` instead ([#727](https://github.com/getsentry/sentry-go/pull/727))\n- `sentry.SDKIdentifier` was removed. Use `Client.GetSDKIdentifier()` instead ([#727](https://github.com/getsentry/sentry-go/pull/727))\n\n### Features\n\n- Add `ClientOptions.IgnoreTransactions`, which allows you to ignore specific transactions based on their name ([#717](https://github.com/getsentry/sentry-go/pull/717))\n- Add `ClientOptions.Tags`, which allows you to set global tags that are applied to all events. You can also define tags by setting `SENTRY_TAGS_` environment variables ([#718](https://github.com/getsentry/sentry-go/pull/718))\n\n### Bug fixes\n\n- Fix an issue in the profiler that would cause an infinite loop if the duration of a transaction is longer than 30 seconds ([#724](https://github.com/getsentry/sentry-go/issues/724))\n\n### Misc\n\n- `dsn.RequestHeaders()` is not to be removed, though it is still considered deprecated and should only be used when using a custom transport that sends events to the `/store` endpoint ([#720](https://github.com/getsentry/sentry-go/pull/720))\n\n## 0.24.1\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.24.1.\n\n### Bug fixes\n\n- Prevent a panic in `sentryotel.flushSpanProcessor()` ([(#711)](https://github.com/getsentry/sentry-go/pull/711))\n- Prevent a panic when setting the SDK identifier ([#715](https://github.com/getsentry/sentry-go/pull/715))\n\n## 0.24.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.24.0.\n\n### Deprecations\n\n- `sentry.Version` to be removed in 0.25.0. Use `sentry.SDKVersion` instead.\n- `sentry.SDKIdentifier` to be removed in 0.25.0. Use `Client.GetSDKIdentifier()` instead.\n- `dsn.RequestHeaders()` to be removed after 0.25.0, but no earlier than December 1, 2023. Requests to the `/envelope` endpoint are authenticated using the DSN in the envelope header.\n\n### Features\n\n- Run a single instance of the profiler instead of multiple ones for each Go routine ([#655](https://github.com/getsentry/sentry-go/pull/655))\n- Use the route path as the transaction names when using the Gin integration ([#675](https://github.com/getsentry/sentry-go/pull/675))\n- Set the SDK name accordingly when a framework integration is used ([#694](https://github.com/getsentry/sentry-go/pull/694))\n- Read release information (VCS revision) from `debug.ReadBuildInfo` ([#704](https://github.com/getsentry/sentry-go/pull/704))\n\n### Bug fixes\n\n- [otel] Fix incorrect usage of `attributes.Value.AsString` ([#684](https://github.com/getsentry/sentry-go/pull/684))\n- Fix trace function name parsing in profiler on go1.21+ ([#695](https://github.com/getsentry/sentry-go/pull/695))\n\n### Misc\n\n- Test against Go 1.21 ([#695](https://github.com/getsentry/sentry-go/pull/695))\n- Make tests more robust ([#698](https://github.com/getsentry/sentry-go/pull/698), [#699](https://github.com/getsentry/sentry-go/pull/699), [#700](https://github.com/getsentry/sentry-go/pull/700), [#702](https://github.com/getsentry/sentry-go/pull/702))\n\n## 0.23.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.23.0.\n\n### Features\n\n- Initial support for [Cron Monitoring](https://docs.sentry.io/product/crons/) ([#661](https://github.com/getsentry/sentry-go/pull/661))\n\n This is how the basic usage of the feature looks like:\n\n ```go\n // 🟡 Notify Sentry your job is running:\n checkinId := sentry.CaptureCheckIn(\n &sentry.CheckIn{\n MonitorSlug: \"\",\n Status: sentry.CheckInStatusInProgress,\n },\n nil,\n )\n\n // Execute your scheduled task here...\n\n // 🟢 Notify Sentry your job has completed successfully:\n sentry.CaptureCheckIn(\n &sentry.CheckIn{\n ID: *checkinId,\n MonitorSlug: \"\",\n Status: sentry.CheckInStatusOK,\n },\n nil,\n )\n ```\n\n A full example of using Crons Monitoring is available [here](https://github.com/getsentry/sentry-go/blob/dde4d360660838f3c2e0ced8205bc8f7a8d312d9/_examples/crons/main.go).\n\n More documentation on configuring and using Crons [can be found here](https://docs.sentry.io/platforms/go/crons/).\n\n- Add support for [Event Attachments](https://docs.sentry.io/platforms/go/enriching-events/attachments/) ([#670](https://github.com/getsentry/sentry-go/pull/670))\n\n It's now possible to add file/binary payloads to Sentry events:\n\n ```go\n sentry.ConfigureScope(func(scope *sentry.Scope) {\n scope.AddAttachment(&Attachment{\n Filename: \"report.html\",\n ContentType: \"text/html\",\n Payload: []byte(\"

Look, HTML

\"),\n })\n })\n ```\n\n The attachment will then be accessible on the Issue Details page.\n\n- Add sampling decision to trace envelope header ([#666](https://github.com/getsentry/sentry-go/pull/666))\n- Expose SpanFromContext function ([#672](https://github.com/getsentry/sentry-go/pull/672))\n\n### Bug fixes\n\n- Make `Span.Finish` a no-op when the span is already finished ([#660](https://github.com/getsentry/sentry-go/pull/660))\n\n## 0.22.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.22.0.\n\nThis release contains initial [profiling](https://docs.sentry.io/product/profiling/) support, as well as a few bug fixes and improvements.\n\n### Features\n\n- Initial (alpha) support for [profiling](https://docs.sentry.io/product/profiling/) ([#626](https://github.com/getsentry/sentry-go/pull/626))\n\n Profiling is disabled by default. To enable it, configure both `TracesSampleRate` and `ProfilesSampleRate` when initializing the SDK:\n\n ```go\n err := sentry.Init(sentry.ClientOptions{\n Dsn: \"__DSN__\",\n EnableTracing: true,\n TracesSampleRate: 1.0,\n // The sampling rate for profiling is relative to TracesSampleRate. In this case, we'll capture profiles for 100% of transactions.\n ProfilesSampleRate: 1.0,\n })\n ```\n\n More documentation on profiling and current limitations [can be found here](https://docs.sentry.io/platforms/go/profiling/).\n\n- Add transactions/tracing support go the Gin integration ([#644](https://github.com/getsentry/sentry-go/pull/644))\n\n### Bug fixes\n\n- Always set a valid source on transactions ([#637](https://github.com/getsentry/sentry-go/pull/637))\n- Clone scope.Context in more places to avoid panics on concurrent reads and writes ([#638](https://github.com/getsentry/sentry-go/pull/638))\n - Fixes [#570](https://github.com/getsentry/sentry-go/issues/570)\n- Fix frames recognized as not being in-app still showing as in-app ([#647](https://github.com/getsentry/sentry-go/pull/647))\n\n## 0.21.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.21.0.\n\nNote: this release includes one **breaking change** and some **deprecations**, which are listed below.\n\n### Breaking Changes\n\n**This change does not apply if you use [https://sentry.io](https://sentry.io)**\n\n- Remove support for the `/store` endpoint ([#631](https://github.com/getsentry/sentry-go/pull/631))\n - This change requires a self-hosted version of Sentry 20.6.0 or higher. If you are using a version of [self-hosted Sentry](https://develop.sentry.dev/self-hosted/) (aka *on-premise*) older than 20.6.0, then you will need to [upgrade](https://develop.sentry.dev/self-hosted/releases/) your instance.\n\n### Features\n\n- Rename four span option functions ([#611](https://github.com/getsentry/sentry-go/pull/611), [#624](https://github.com/getsentry/sentry-go/pull/624))\n - `TransctionSource` -> `WithTransactionSource`\n - `SpanSampled` -> `WithSpanSampled`\n - `OpName` -> `WithOpName`\n - `TransactionName` -> `WithTransactionName`\n - Old functions `TransctionSource`, `SpanSampled`, `OpName`, and `TransactionName` are still available but are now **deprecated** and will be removed in a future release.\n- Make `client.EventFromMessage` and `client.EventFromException` methods public ([#607](https://github.com/getsentry/sentry-go/pull/607))\n- Add `client.SetException` method ([#607](https://github.com/getsentry/sentry-go/pull/607))\n - This allows to set or add errors to an existing `Event`.\n\n### Bug Fixes\n\n- Protect from panics while doing concurrent reads/writes to Span data fields ([#609](https://github.com/getsentry/sentry-go/pull/609))\n- [otel] Improve detection of Sentry-related spans ([#632](https://github.com/getsentry/sentry-go/pull/632), [#636](https://github.com/getsentry/sentry-go/pull/636))\n - Fixes cases when HTTP spans containing requests to Sentry were captured by Sentry ([#627](https://github.com/getsentry/sentry-go/issues/627))\n\n### Misc\n\n- Drop testing in (legacy) GOPATH mode ([#618](https://github.com/getsentry/sentry-go/pull/618))\n- Remove outdated documentation from https://pkg.go.dev/github.com/getsentry/sentry-go ([#623](https://github.com/getsentry/sentry-go/pull/623))\n\n## 0.20.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.20.0.\n\nNote: this release has some **breaking changes**, which are listed below.\n\n### Breaking Changes\n\n- Remove the following methods: `Scope.SetTransaction()`, `Scope.Transaction()` ([#605](https://github.com/getsentry/sentry-go/pull/605))\n\n Span.Name should be used instead to access the transaction's name.\n\n For example, the following [`TracesSampler`](https://docs.sentry.io/platforms/go/configuration/sampling/#setting-a-sampling-function) function should be now written as follows:\n\n **Before:**\n ```go\n TracesSampler: func(ctx sentry.SamplingContext) float64 {\n hub := sentry.GetHubFromContext(ctx.Span.Context())\n if hub.Scope().Transaction() == \"GET /health\" {\n return 0\n }\n return 1\n },\n ```\n\n **After:**\n ```go\n TracesSampler: func(ctx sentry.SamplingContext) float64 {\n if ctx.Span.Name == \"GET /health\" {\n return 0\n }\n return 1\n },\n ```\n\n### Features\n\n- Add `Span.SetContext()` method ([#599](https://github.com/getsentry/sentry-go/pull/599/))\n - It is recommended to use it instead of `hub.Scope().SetContext` when setting or updating context on transactions.\n- Add `DebugMeta` interface to `Event` and extend `Frame` structure with more fields ([#606](https://github.com/getsentry/sentry-go/pull/606))\n - More about DebugMeta interface [here](https://develop.sentry.dev/sdk/event-payloads/debugmeta/).\n\n### Bug Fixes\n\n- [otel] Fix missing OpenTelemetry context on some events ([#599](https://github.com/getsentry/sentry-go/pull/599), [#605](https://github.com/getsentry/sentry-go/pull/605))\n - Fixes ([#596](https://github.com/getsentry/sentry-go/issues/596)).\n- [otel] Better handling for HTTP span attributes ([#610](https://github.com/getsentry/sentry-go/pull/610))\n\n### Misc\n\n- Bump minimum versions: `github.com/kataras/iris/v12` to 12.2.0, `github.com/labstack/echo/v4` to v4.10.0 ([#595](https://github.com/getsentry/sentry-go/pull/595))\n - Resolves [GO-2022-1144 / CVE-2022-41717](https://deps.dev/advisory/osv/GO-2022-1144), [GO-2023-1495 / CVE-2022-41721](https://deps.dev/advisory/osv/GO-2023-1495), [GO-2022-1059 / CVE-2022-32149](https://deps.dev/advisory/osv/GO-2022-1059).\n- Bump `google.golang.org/protobuf` minimum required version to 1.29.1 ([#604](https://github.com/getsentry/sentry-go/pull/604))\n - This fixes a potential denial of service issue ([CVE-2023-24535](https://github.com/advisories/GHSA-hw7c-3rfg-p46j)).\n- Exclude the `otel` module when building in GOPATH mode ([#615](https://github.com/getsentry/sentry-go/pull/615))\n\n## 0.19.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.19.0.\n\n### Features\n\n- Add support for exception mechanism metadata ([#564](https://github.com/getsentry/sentry-go/pull/564/))\n - More about exception mechanisms [here](https://develop.sentry.dev/sdk/event-payloads/exception/#exception-mechanism).\n\n### Bug Fixes\n- [otel] Use the correct \"trace\" context when sending a Sentry error ([#580](https://github.com/getsentry/sentry-go/pull/580/))\n\n\n### Misc\n- Drop support for Go 1.17, add support for Go 1.20 ([#563](https://github.com/getsentry/sentry-go/pull/563/))\n - According to our policy, we're officially supporting the last three minor releases of Go.\n- Switch repository license to MIT ([#583](https://github.com/getsentry/sentry-go/pull/583/))\n - More about Sentry licensing [here](https://open.sentry.io/licensing/).\n- Bump `golang.org/x/text` minimum required version to 0.3.8 ([#586](https://github.com/getsentry/sentry-go/pull/586))\n - This fixes [CVE-2022-32149](https://github.com/advisories/GHSA-69ch-w2m2-3vjp) vulnerability.\n\n## 0.18.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.18.0.\nThis release contains initial support for [OpenTelemetry](https://opentelemetry.io/) and various other bug fixes and improvements.\n\n**Note**: This is the last release supporting Go 1.17.\n\n### Features\n\n- Initial support for [OpenTelemetry](https://opentelemetry.io/).\n You can now send all your OpenTelemetry spans to Sentry.\n\n Install the `otel` module\n\n ```bash\n go get github.com/getsentry/sentry-go \\\n github.com/getsentry/sentry-go/otel\n ```\n\n Configure the Sentry and OpenTelemetry SDKs\n\n ```go\n import (\n \"go.opentelemetry.io/otel\"\n sdktrace \"go.opentelemetry.io/otel/sdk/trace\"\n \"github.com/getsentry/sentry-go\"\n \"github.com/getsentry/sentry-go/otel\"\n // ...\n )\n\n // Initlaize the Sentry SDK\n sentry.Init(sentry.ClientOptions{\n Dsn: \"__DSN__\",\n EnableTracing: true,\n TracesSampleRate: 1.0,\n })\n\n // Set up the Sentry span processor\n tp := sdktrace.NewTracerProvider(\n sdktrace.WithSpanProcessor(sentryotel.NewSentrySpanProcessor()),\n // ...\n )\n otel.SetTracerProvider(tp)\n\n // Set up the Sentry propagator\n otel.SetTextMapPropagator(sentryotel.NewSentryPropagator())\n ```\n\n You can read more about using OpenTelemetry with Sentry in our [docs](https://docs.sentry.io/platforms/go/performance/instrumentation/opentelemetry/).\n\n### Bug Fixes\n\n- Do not freeze the Dynamic Sampling Context when no Sentry values are present in the baggage header ([#532](https://github.com/getsentry/sentry-go/pull/532))\n- Create a frozen Dynamic Sampling Context when calling `span.ToBaggage()` ([#566](https://github.com/getsentry/sentry-go/pull/566))\n- Fix baggage parsing and encoding in vendored otel package ([#568](https://github.com/getsentry/sentry-go/pull/568))\n\n### Misc\n\n- Add `Span.SetDynamicSamplingContext()` ([#539](https://github.com/getsentry/sentry-go/pull/539/))\n- Add various getters for `Dsn` ([#540](https://github.com/getsentry/sentry-go/pull/540))\n- Add `SpanOption::SpanSampled` ([#546](https://github.com/getsentry/sentry-go/pull/546))\n- Add `Span.SetData()` ([#542](https://github.com/getsentry/sentry-go/pull/542))\n- Add `Span.IsTransaction()` ([#543](https://github.com/getsentry/sentry-go/pull/543))\n- Add `Span.GetTransaction()` method ([#558](https://github.com/getsentry/sentry-go/pull/558))\n\n## 0.17.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.17.0.\nThis release contains a new `BeforeSendTransaction` hook option and corrects two regressions introduced in `0.16.0`.\n\n### Features\n\n- Add `BeforeSendTransaction` hook to `ClientOptions` ([#517](https://github.com/getsentry/sentry-go/pull/517))\n - Here's [an example](https://github.com/getsentry/sentry-go/blob/master/_examples/http/main.go#L56-L66) of how BeforeSendTransaction can be used to modify or drop transaction events.\n\n### Bug Fixes\n\n- Do not crash in Span.Finish() when the Client is empty [#520](https://github.com/getsentry/sentry-go/pull/520)\n - Fixes [#518](https://github.com/getsentry/sentry-go/issues/518)\n- Attach non-PII/non-sensitive request headers to events when `ClientOptions.SendDefaultPii` is set to `false` ([#524](https://github.com/getsentry/sentry-go/pull/524))\n - Fixes [#523](https://github.com/getsentry/sentry-go/issues/523)\n\n### Misc\n\n- Clarify how to handle logrus.Fatalf events ([#501](https://github.com/getsentry/sentry-go/pull/501/))\n- Rename the `examples` directory to `_examples` ([#521](https://github.com/getsentry/sentry-go/pull/521))\n - This removes an indirect dependency to `github.com/golang-jwt/jwt`\n\n## 0.16.0\n\nThe Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.16.0.\nDue to ongoing work towards a stable API for `v1.0.0`, we sadly had to include **two breaking changes** in this release.\n\n### Breaking Changes\n\n- Add `EnableTracing`, a boolean option flag to enable performance monitoring (`false` by default).\n - If you're using `TracesSampleRate` or `TracesSampler`, this option is **required** to enable performance monitoring.\n\n ```go\n sentry.Init(sentry.ClientOptions{\n EnableTracing: true,\n TracesSampleRate: 1.0,\n })\n ```\n- Unify TracesSampler [#498](https://github.com/getsentry/sentry-go/pull/498)\n - `TracesSampler` was changed to a callback that must return a `float64` between `0.0` and `1.0`.\n\n For example, you can apply a sample rate of `1.0` (100%) to all `/api` transactions, and a sample rate of `0.5` (50%) to all other transactions.\n You can read more about this in our [SDK docs](https://docs.sentry.io/platforms/go/configuration/filtering/#using-sampling-to-filter-transaction-events).\n\n ```go\n sentry.Init(sentry.ClientOptions{\n TracesSampler: sentry.TracesSampler(func(ctx sentry.SamplingContext) float64 {\n hub := sentry.GetHubFromContext(ctx.Span.Context())\n name := hub.Scope().Transaction()\n\n if strings.HasPrefix(name, \"GET /api\") {\n return 1.0\n }\n\n return 0.5\n }),\n }\n ```\n\n### Features\n\n- Send errors logged with [Logrus](https://github.com/sirupsen/logrus) to Sentry.\n - Have a look at our [logrus examples](https://github.com/getsentry/sentry-go/blob/master/_examples/logrus/main.go) on how to use the integration.\n- Add support for Dynamic Sampling [#491](https://github.com/getsentry/sentry-go/pull/491)\n - You can read more about Dynamic Sampling in our [product docs](https://docs.sentry.io/product/data-management-settings/dynamic-sampling/).\n- Add detailed logging about the reason transactions are being dropped.\n - You can enable SDK logging via `sentry.ClientOptions.Debug: true`.\n\n### Bug Fixes\n\n- Do not clone the hub when calling `StartTransaction` [#505](https://github.com/getsentry/sentry-go/pull/505)\n - Fixes [#502](https://github.com/getsentry/sentry-go/issues/502)\n\n## 0.15.0\n\n- fix: Scope values should not override Event values (#446)\n- feat: Make maximum amount of spans configurable (#460)\n- feat: Add a method to start a transaction (#482)\n- feat: Extend User interface by adding Data, Name and Segment (#483)\n- feat: Add ClientOptions.SendDefaultPII (#485)\n\n## 0.14.0\n\n- feat: Add function to continue from trace string (#434)\n- feat: Add `max-depth` options (#428)\n- *[breaking]* ref: Use a `Context` type mapping to a `map[string]interface{}` for all event contexts (#444)\n- *[breaking]* ref: Replace deprecated `ioutil` pkg with `os` & `io` (#454)\n- ref: Optimize `stacktrace.go` from size and speed (#467)\n- ci: Test against `go1.19` and `go1.18`, drop `go1.16` and `go1.15` support (#432, #477)\n- deps: Dependency update to fix CVEs (#462, #464, #477)\n\n_NOTE:_ This version drops support for Go 1.16 and Go 1.15. The currently supported Go versions are the last 3 stable releases: 1.19, 1.18 and 1.17.\n\n## v0.13.0\n\n- ref: Change DSN ProjectID to be a string (#420)\n- fix: When extracting PCs from stack frames, try the `PC` field (#393)\n- build: Bump gin-gonic/gin from v1.4.0 to v1.7.7 (#412)\n- build: Bump Go version in go.mod (#410)\n- ci: Bump golangci-lint version in GH workflow (#419)\n- ci: Update GraphQL config with appropriate permissions (#417)\n- ci: ci: Add craft release automation (#422)\n\n## v0.12.0\n\n- feat: Automatic Release detection (#363, #369, #386, #400)\n- fix: Do not change Hub.lastEventID for transactions (#379)\n- fix: Do not clear LastEventID when events are dropped (#382)\n- Updates to documentation (#366, #385)\n\n_NOTE:_\nThis version drops support for Go 1.14, however no changes have been made that would make the SDK not work with Go 1.14. The currently supported Go versions are the last 3 stable releases: 1.15, 1.16 and 1.17.\nThere are two behavior changes related to `LastEventID`, both of which were intended to align the behavior of the Sentry Go SDK with other Sentry SDKs.\nThe new [automatic release detection feature](https://github.com/getsentry/sentry-go/issues/335) makes it easier to use Sentry and separate events per release without requiring extra work from users. We intend to improve this functionality in a future release by utilizing information that will be available in runtime starting with Go 1.18. The tracking issue is [#401](https://github.com/getsentry/sentry-go/issues/401).\n\n## v0.11.0\n\n- feat(transports): Category-based Rate Limiting ([#354](https://github.com/getsentry/sentry-go/pull/354))\n- feat(transports): Report User-Agent identifying SDK ([#357](https://github.com/getsentry/sentry-go/pull/357))\n- fix(scope): Include event processors in clone ([#349](https://github.com/getsentry/sentry-go/pull/349))\n- Improvements to `go doc` documentation ([#344](https://github.com/getsentry/sentry-go/pull/344), [#350](https://github.com/getsentry/sentry-go/pull/350), [#351](https://github.com/getsentry/sentry-go/pull/351))\n- Miscellaneous changes to our testing infrastructure with GitHub Actions\n ([57123a40](https://github.com/getsentry/sentry-go/commit/57123a409be55f61b1d5a6da93c176c55a399ad0), [#128](https://github.com/getsentry/sentry-go/pull/128), [#338](https://github.com/getsentry/sentry-go/pull/338), [#345](https://github.com/getsentry/sentry-go/pull/345), [#346](https://github.com/getsentry/sentry-go/pull/346), [#352](https://github.com/getsentry/sentry-go/pull/352), [#353](https://github.com/getsentry/sentry-go/pull/353), [#355](https://github.com/getsentry/sentry-go/pull/355))\n\n_NOTE:_\nThis version drops support for Go 1.13. The currently supported Go versions are the last 3 stable releases: 1.14, 1.15 and 1.16.\nUsers of the tracing functionality (`StartSpan`, etc) should upgrade to this version to benefit from separate rate limits for errors and transactions.\nThere are no breaking changes and upgrading should be a smooth experience for all users.\n\n## v0.10.0\n\n- feat: Debug connection reuse (#323)\n- fix: Send root span data as `Event.Extra` (#329)\n- fix: Do not double sample transactions (#328)\n- fix: Do not override trace context of transactions (#327)\n- fix: Drain and close API response bodies (#322)\n- ci: Run tests against Go tip (#319)\n- ci: Move away from Travis in favor of GitHub Actions (#314) (#321)\n\n## v0.9.0\n\n- feat: Initial tracing and performance monitoring support (#285)\n- doc: Revamp sentryhttp documentation (#304)\n- fix: Hub.PopScope never empties the scope stack (#300)\n- ref: Report Event.Timestamp in local time (#299)\n- ref: Report Breadcrumb.Timestamp in local time (#299)\n\n_NOTE:_\nThis version introduces support for [Sentry's Performance Monitoring](https://docs.sentry.io/platforms/go/performance/).\nThe new tracing capabilities are beta, and we plan to expand them on future versions. Feedback is welcome, please open new issues on GitHub.\nThe `sentryhttp` package got better API docs, an [updated usage example](https://github.com/getsentry/sentry-go/tree/master/_examples/http) and support for creating automatic transactions as part of Performance Monitoring.\n\n## v0.8.0\n\n- build: Bump required version of Iris (#296)\n- fix: avoid unnecessary allocation in Client.processEvent (#293)\n- doc: Remove deprecation of sentryhttp.HandleFunc (#284)\n- ref: Update sentryhttp example (#283)\n- doc: Improve documentation of sentryhttp package (#282)\n- doc: Clarify SampleRate documentation (#279)\n- fix: Remove RawStacktrace (#278)\n- docs: Add example of custom HTTP transport\n- ci: Test against go1.15, drop go1.12 support (#271)\n\n_NOTE:_\nThis version comes with a few updates. Some examples and documentation have been\nimproved. We've bumped the supported version of the Iris framework to avoid\nLGPL-licensed modules in the module dependency graph.\nThe `Exception.RawStacktrace` and `Thread.RawStacktrace` fields have been\nremoved to conform to Sentry's ingestion protocol, only `Exception.Stacktrace`\nand `Thread.Stacktrace` should appear in user code.\n\n## v0.7.0\n\n- feat: Include original error when event cannot be encoded as JSON (#258)\n- feat: Use Hub from request context when available (#217, #259)\n- feat: Extract stack frames from golang.org/x/xerrors (#262)\n- feat: Make Environment Integration preserve existing context data (#261)\n- feat: Recover and RecoverWithContext with arbitrary types (#268)\n- feat: Report bad usage of CaptureMessage and CaptureEvent (#269)\n- feat: Send debug logging to stderr by default (#266)\n- feat: Several improvements to documentation (#223, #245, #250, #265)\n- feat: Example of Recover followed by panic (#241, #247)\n- feat: Add Transactions and Spans (to support OpenTelemetry Sentry Exporter) (#235, #243, #254)\n- fix: Set either Frame.Filename or Frame.AbsPath (#233)\n- fix: Clone requestBody to new Scope (#244)\n- fix: Synchronize access and mutation of Hub.lastEventID (#264)\n- fix: Avoid repeated syscalls in prepareEvent (#256)\n- fix: Do not allocate new RNG for every event (#256)\n- fix: Remove stale replace directive in go.mod (#255)\n- fix(http): Deprecate HandleFunc, remove duplication (#260)\n\n_NOTE:_\nThis version comes packed with several fixes and improvements and no breaking\nchanges.\nNotably, there is a change in how the SDK reports file names in stack traces\nthat should resolve any ambiguity when looking at stack traces and using the\nSuspect Commits feature.\nWe recommend all users to upgrade.\n\n## v0.6.1\n\n- fix: Use NewEvent to init Event struct (#220)\n\n_NOTE:_\nA change introduced in v0.6.0 with the intent of avoiding allocations made a\npattern used in official examples break in certain circumstances (attempting\nto write to a nil map).\nThis release reverts the change such that maps in the Event struct are always\nallocated.\n\n## v0.6.0\n\n- feat: Read module dependencies from runtime/debug (#199)\n- feat: Support chained errors using Unwrap (#206)\n- feat: Report chain of errors when available (#185)\n- **[breaking]** fix: Accept http.RoundTripper to customize transport (#205)\n Before the SDK accepted a concrete value of type `*http.Transport` in\n `ClientOptions`, now it accepts any value implementing the `http.RoundTripper`\n interface. Note that `*http.Transport` implements `http.RoundTripper`, so most\n code bases will continue to work unchanged.\n Users of custom transport gain the ability to pass in other implementations of\n `http.RoundTripper` and may be able to simplify their code bases.\n- fix: Do not panic when scope event processor drops event (#192)\n- **[breaking]** fix: Use time.Time for timestamps (#191)\n Users of sentry-go typically do not need to manipulate timestamps manually.\n For those who do, the field type changed from `int64` to `time.Time`, which\n should be more convenient to use. The recommended way to get the current time\n is `time.Now().UTC()`.\n- fix: Report usage error including stack trace (#189)\n- feat: Add Exception.ThreadID field (#183)\n- ci: Test against Go 1.14, drop 1.11 (#170)\n- feat: Limit reading bytes from request bodies (#168)\n- **[breaking]** fix: Rename fasthttp integration package sentryhttp => sentryfasthttp\n The current recommendation is to use a named import, in which case existing\n code should not require any change:\n ```go\n package main\n\n import (\n \t\"fmt\"\n\n \t\"github.com/getsentry/sentry-go\"\n \tsentryfasthttp \"github.com/getsentry/sentry-go/fasthttp\"\n \t\"github.com/valyala/fasthttp\"\n )\n ```\n\n_NOTE:_\nThis version includes some new features and a few breaking changes, none of\nwhich should pose troubles with upgrading. Most code bases should be able to\nupgrade without any changes.\n\n## v0.5.1\n\n- fix: Ignore err.Cause() when it is nil (#160)\n\n## v0.5.0\n\n- fix: Synchronize access to HTTPTransport.disabledUntil (#158)\n- docs: Update Flush documentation (#153)\n- fix: HTTPTransport.Flush panic and data race (#140)\n\n_NOTE:_\nThis version changes the implementation of the default transport, modifying the\nbehavior of `sentry.Flush`. The previous behavior was to wait until there were\nno buffered events; new concurrent events kept `Flush` from returning. The new\nbehavior is to wait until the last event prior to the call to `Flush` has been\nsent or the timeout; new concurrent events have no effect. The new behavior is\ninline with the [Unified API\nGuidelines](https://docs.sentry.io/development/sdk-dev/unified-api/).\n\nWe have updated the documentation and examples to clarify that `Flush` is meant\nto be called typically only once before program termination, to wait for\nin-flight events to be sent to Sentry. Calling `Flush` after every event is not\nrecommended, as it introduces unnecessary latency to the surrounding function.\nPlease verify the usage of `sentry.Flush` in your code base.\n\n## v0.4.0\n\n- fix(stacktrace): Correctly report package names (#127)\n- fix(stacktrace): Do not rely on AbsPath of files (#123)\n- build: Require github.com/ugorji/go@v1.1.7 (#110)\n- fix: Correctly store last event id (#99)\n- fix: Include request body in event payload (#94)\n- build: Reset go.mod version to 1.11 (#109)\n- fix: Eliminate data race in modules integration (#105)\n- feat: Add support for path prefixes in the DSN (#102)\n- feat: Add HTTPClient option (#86)\n- feat: Extract correct type and value from top-most error (#85)\n- feat: Check for broken pipe errors in Gin integration (#82)\n- fix: Client.CaptureMessage accept nil EventModifier (#72)\n\n## v0.3.1\n\n- feat: Send extra information exposed by the Go runtime (#76)\n- fix: Handle new lines in module integration (#65)\n- fix: Make sure that cache is locked when updating for contextifyFramesIntegration\n- ref: Update Iris integration and example to version 12\n- misc: Remove indirect dependencies in order to move them to separate go.mod files\n\n## v0.3.0\n\n- feat: Retry event marshaling without contextual data if the first pass fails\n- fix: Include `url.Parse` error in `DsnParseError`\n- fix: Make more `Scope` methods safe for concurrency\n- fix: Synchronize concurrent access to `Hub.client`\n- ref: Remove mutex from `Scope` exported API\n- ref: Remove mutex from `Hub` exported API\n- ref: Compile regexps for `filterFrames` only once\n- ref: Change `SampleRate` type to `float64`\n- doc: `Scope.Clear` not safe for concurrent use\n- ci: Test sentry-go with `go1.13`, drop `go1.10`\n\n_NOTE:_\nThis version removes some of the internal APIs that landed publicly (namely `Hub/Scope` mutex structs) and may require (but shouldn't) some changes to your code.\nIt's not done through major version update, as we are still in `0.x` stage.\n\n## v0.2.1\n\n- fix: Run `Contextify` integration on `Threads` as well\n\n## v0.2.0\n\n- feat: Add `SetTransaction()` method on the `Scope`\n- feat: `fasthttp` framework support with `sentryfasthttp` package\n- fix: Add `RWMutex` locks to internal `Hub` and `Scope` changes\n\n## v0.1.3\n\n- feat: Move frames context reading into `contextifyFramesIntegration` (#28)\n\n_NOTE:_\nIn case of any performance issues due to source contexts IO, you can let us know and turn off the integration in the meantime with:\n\n```go\nsentry.Init(sentry.ClientOptions{\n\tIntegrations: func(integrations []sentry.Integration) []sentry.Integration {\n\t\tvar filteredIntegrations []sentry.Integration\n\t\tfor _, integration := range integrations {\n\t\t\tif integration.Name() == \"ContextifyFrames\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tfilteredIntegrations = append(filteredIntegrations, integration)\n\t\t}\n\t\treturn filteredIntegrations\n\t},\n})\n```\n\n## v0.1.2\n\n- feat: Better source code location resolution and more useful inapp frames (#26)\n- feat: Use `noopTransport` when no `Dsn` provided (#27)\n- ref: Allow empty `Dsn` instead of returning an error (#22)\n- fix: Use `NewScope` instead of literal struct inside a `scope.Clear` call (#24)\n- fix: Add to `WaitGroup` before the request is put inside a buffer (#25)\n\n## v0.1.1\n\n- fix: Check for initialized `Client` in `AddBreadcrumbs` (#20)\n- build: Bump version when releasing with Craft (#19)\n\n## v0.1.0\n\n- First stable release! \\o/\n\n## v0.0.1-beta.5\n\n- feat: **[breaking]** Add `NewHTTPTransport` and `NewHTTPSyncTransport` which accepts all transport options\n- feat: New `HTTPSyncTransport` that blocks after each call\n- feat: New `Echo` integration\n- ref: **[breaking]** Remove `BufferSize` option from `ClientOptions` and move it to `HTTPTransport` instead\n- ref: Export default `HTTPTransport`\n- ref: Export `net/http` integration handler\n- ref: Set `Request` instantly in the package handlers, not in `recoverWithSentry` so it can be accessed later on\n- ci: Add craft config\n\n## v0.0.1-beta.4\n\n- feat: `IgnoreErrors` client option and corresponding integration\n- ref: Reworked `net/http` integration, wrote better example and complete readme\n- ref: Reworked `Gin` integration, wrote better example and complete readme\n- ref: Reworked `Iris` integration, wrote better example and complete readme\n- ref: Reworked `Negroni` integration, wrote better example and complete readme\n- ref: Reworked `Martini` integration, wrote better example and complete readme\n- ref: Remove `Handle()` from frameworks handlers and return it directly from New\n\n## v0.0.1-beta.3\n\n- feat: `Iris` framework support with `sentryiris` package\n- feat: `Gin` framework support with `sentrygin` package\n- feat: `Martini` framework support with `sentrymartini` package\n- feat: `Negroni` framework support with `sentrynegroni` package\n- feat: Add `Hub.Clone()` for easier frameworks integration\n- feat: Return `EventID` from `Recovery` methods\n- feat: Add `NewScope` and `NewEvent` functions and use them in the whole codebase\n- feat: Add `AddEventProcessor` to the `Client`\n- fix: Operate on requests body copy instead of the original\n- ref: Try to read source files from the root directory, based on the filename as well, to make it work on AWS Lambda\n- ref: Remove `gocertifi` dependence and document how to provide your own certificates\n- ref: **[breaking]** Remove `Decorate` and `DecorateFunc` methods in favor of `sentryhttp` package\n- ref: **[breaking]** Allow for integrations to live on the client, by passing client instance in `SetupOnce` method\n- ref: **[breaking]** Remove `GetIntegration` from the `Hub`\n- ref: **[breaking]** Remove `GlobalEventProcessors` getter from the public API\n\n## v0.0.1-beta.2\n\n- feat: Add `AttachStacktrace` client option to include stacktrace for messages\n- feat: Add `BufferSize` client option to configure transport buffer size\n- feat: Add `SetRequest` method on a `Scope` to control `Request` context data\n- feat: Add `FromHTTPRequest` for `Request` type for easier extraction\n- ref: Extract `Request` information more accurately\n- fix: Attach `ServerName`, `Release`, `Dist`, `Environment` options to the event\n- fix: Don't log events dropped due to full transport buffer as sent\n- fix: Don't panic and create an appropriate event when called `CaptureException` or `Recover` with `nil` value\n\n## v0.0.1-beta\n\n- Initial release\n" }, { "path": "vendor/github.com/getsentry/sentry-go/CONTRIBUTING.md", "content": "# Contributing to sentry-go\n\nHey, thank you if you're reading this, we welcome your contribution!\n\n## Sending a Pull Request\n\nPlease help us save time when reviewing your PR by following this simple\nprocess:\n\n1. Is your PR a simple typo fix? Read no further, **click that green \"Create\n pull request\" button**!\n\n2. For more complex PRs that involve behavior changes or new APIs, please\n consider [opening an **issue**][new-issue] describing the problem you're\n trying to solve if there's not one already.\n\n A PR is often one specific solution to a problem and sometimes talking about\n the problem unfolds new possible solutions. Remember we will be responsible\n for maintaining the changes later.\n\n3. Fixing a bug and changing a behavior? Please add automated tests to prevent\n future regression.\n\n4. Practice writing good commit messages. We have [commit\n guidelines][commit-guide].\n\n5. We have [guidelines for PR submitters][pr-guide]. A short summary:\n\n - Good PR descriptions are very helpful and most of the time they include\n **why** something is done and why done in this particular way. Also list\n other possible solutions that were considered and discarded.\n - Be your own first reviewer. Make sure your code compiles and passes the\n existing tests.\n\n[new-issue]: https://github.com/getsentry/sentry-go/issues/new/choose\n[commit-guide]: https://develop.sentry.dev/code-review/#commit-guidelines\n[pr-guide]: https://develop.sentry.dev/code-review/#guidelines-for-submitters\n\nPlease also read through our [SDK Development docs](https://develop.sentry.dev/sdk/).\nIt contains information about SDK features, expected payloads and best practices for\ncontributing to Sentry SDKs.\n\n## Community\n\nThe public-facing channels for support and development of Sentry SDKs can be found on [Discord](https://discord.gg/Ww9hbqr).\n\n## Testing\n\n```console\n$ go test\n```\n\n### Watch mode\n\nUse: https://github.com/cespare/reflex\n\n```console\n$ reflex -g '*.go' -d \"none\" -- sh -c 'printf \"\\n\"; go test'\n```\n\n### With data race detection\n\n```console\n$ go test -race\n```\n\n### Coverage\n\n```console\n$ go test -race -coverprofile=coverage.txt -covermode=atomic && go tool cover -html coverage.txt\n```\n\n## Linting\n\nLint with [`golangci-lint`](https://github.com/golangci/golangci-lint):\n\n```console\n$ golangci-lint run\n```\n\n## Release\n\n1. Update `CHANGELOG.md` with new version in `vX.X.X` format title and list of changes.\n\n The command below can be used to get a list of changes since the last tag, with the format used in `CHANGELOG.md`:\n\n ```console\n $ git log --no-merges --format=%s $(git describe --abbrev=0).. | sed 's/^/- /'\n ```\n\n2. Commit with `misc: vX.X.X changelog` commit message and push to `master`.\n\n3. Let [`craft`](https://github.com/getsentry/craft) do the rest:\n\n ```console\n $ craft prepare X.X.X\n $ craft publish X.X.X\n ```\n" }, { "path": "vendor/github.com/getsentry/sentry-go/LICENSE", "content": "MIT License\n\nCopyright (c) 2019 Functional Software, Inc. dba Sentry\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n" }, { "path": "vendor/github.com/getsentry/sentry-go/MIGRATION.md", "content": "# `raven-go` to `sentry-go` Migration Guide\n\nA [`raven-go` to `sentry-go` migration guide](https://docs.sentry.io/platforms/go/migration/) is available at the official Sentry documentation site.\n" }, { "path": "vendor/github.com/getsentry/sentry-go/Makefile", "content": ".DEFAULT_GOAL := help\n\nMKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))\nMKFILE_DIR := $(dir $(MKFILE_PATH))\nALL_GO_MOD_DIRS := $(shell find . -type f -name 'go.mod' -exec dirname {} \\; | sort)\nGO = go\nTIMEOUT = 300\n\n# Parse Makefile and display the help\nhelp: ## Show help\n\t@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = \":.*?## \"}; {printf \"\\033[36m%-30s\\033[0m %s\\n\", $$1, $$2}'\n.PHONY: help\n\nbuild: ## Build everything\n\tfor dir in $(ALL_GO_MOD_DIRS); do \\\n\t\tcd \"$${dir}\"; \\\n\t\techo \">>> Running 'go build' for module: $${dir}\"; \\\n\t\tgo build ./...; \\\n\tdone;\n.PHONY: build\n\n### Tests (inspired by https://github.com/open-telemetry/opentelemetry-go/blob/main/Makefile)\nTEST_TARGETS := test-short test-verbose test-race\ntest-race: ARGS=-race\ntest-short: ARGS=-short\ntest-verbose: ARGS=-v -race\n$(TEST_TARGETS): test\ntest: $(ALL_GO_MOD_DIRS:%=test/%) ## Run tests\ntest/%: DIR=$*\ntest/%:\n\t@echo \">>> Running tests for module: $(DIR)\"\n\t@# We use '-count=1' to disable test caching.\n\t(cd $(DIR) && $(GO) test -count=1 -timeout $(TIMEOUT)s $(ARGS) ./...)\n.PHONY: $(TEST_TARGETS) test\n\n# Coverage\nCOVERAGE_MODE = atomic\nCOVERAGE_PROFILE = coverage.out\nCOVERAGE_REPORT_DIR = .coverage\nCOVERAGE_REPORT_DIR_ABS = \"$(MKFILE_DIR)/$(COVERAGE_REPORT_DIR)\"\n$(COVERAGE_REPORT_DIR):\n\tmkdir -p $(COVERAGE_REPORT_DIR)\nclean-report-dir: $(COVERAGE_REPORT_DIR)\n\ttest $(COVERAGE_REPORT_DIR) && rm -f $(COVERAGE_REPORT_DIR)/*\ntest-coverage: $(COVERAGE_REPORT_DIR) clean-report-dir ## Test with coverage enabled\n\tset -e ; \\\n\tfor dir in $(ALL_GO_MOD_DIRS); do \\\n\t echo \">>> Running tests with coverage for module: $${dir}\"; \\\n\t DIR_ABS=$$(python -c 'import os, sys; print(os.path.realpath(sys.argv[1]))' $${dir}) ; \\\n\t REPORT_NAME=$$(basename $${DIR_ABS}); \\\n\t (cd \"$${dir}\" && \\\n\t $(GO) test -count=1 -timeout $(TIMEOUT)s -coverpkg=./... -covermode=$(COVERAGE_MODE) -coverprofile=\"$(COVERAGE_PROFILE)\" ./... && \\\n\t\tcp $(COVERAGE_PROFILE) \"$(COVERAGE_REPORT_DIR_ABS)/$${REPORT_NAME}_$(COVERAGE_PROFILE)\" && \\\n\t $(GO) tool cover -html=$(COVERAGE_PROFILE) -o coverage.html); \\\n\tdone;\n.PHONY: test-coverage clean-report-dir\ntest-race-coverage: $(COVERAGE_REPORT_DIR) clean-report-dir ## Run tests with race detection and coverage\n\tset -e ; \\\n\tfor dir in $(ALL_GO_MOD_DIRS); do \\\n\t echo \">>> Running tests with race detection and coverage for module: $${dir}\"; \\\n\t DIR_ABS=$$(python -c 'import os, sys; print(os.path.realpath(sys.argv[1]))' $${dir}) ; \\\n\t REPORT_NAME=$$(basename $${DIR_ABS}); \\\n\t (cd \"$${dir}\" && \\\n\t $(GO) test -count=1 -timeout $(TIMEOUT)s -race -coverpkg=./... -covermode=$(COVERAGE_MODE) -coverprofile=\"$(COVERAGE_PROFILE)\" ./... && \\\n\t\tcp $(COVERAGE_PROFILE) \"$(COVERAGE_REPORT_DIR_ABS)/$${REPORT_NAME}_$(COVERAGE_PROFILE)\" && \\\n\t $(GO) tool cover -html=$(COVERAGE_PROFILE) -o coverage.html); \\\n\tdone;\n.PHONY: test-race-coverage\nmod-tidy: ## Check go.mod tidiness\n\tset -e ; \\\n\tfor dir in $(ALL_GO_MOD_DIRS); do \\\n\t\techo \">>> Running 'go mod tidy' for module: $${dir}\"; \\\n\t\t(cd \"$${dir}\" && GOTOOLCHAIN=local go mod tidy -go=1.24.0 -compat=1.24.0); \\\n\tdone; \\\n\tgit diff --exit-code;\n.PHONY: mod-tidy\n\nvet: ## Run \"go vet\"\n\tset -e ; \\\n\tfor dir in $(ALL_GO_MOD_DIRS); do \\\n\t\techo \">>> Running 'go vet' for module: $${dir}\"; \\\n\t\t(cd \"$${dir}\" && go vet ./...); \\\n\tdone;\n.PHONY: vet\n\n\nlint: ## Lint (using \"golangci-lint\")\n\tgolangci-lint run\n.PHONY: lint\n\nfmt: ## Format all Go files\n\tgofmt -l -w -s .\n.PHONY: fmt\n" }, { "path": "vendor/github.com/getsentry/sentry-go/README.md", "content": "

\n \n \n \n \n \"Sentry\"\n \n \n

\n\n# Official Sentry SDK for Go\n\n[![Build Status](https://github.com/getsentry/sentry-go/actions/workflows/test.yml/badge.svg)](https://github.com/getsentry/sentry-go/actions/workflows/test.yml)\n[![Go Report Card](https://goreportcard.com/badge/github.com/getsentry/sentry-go)](https://goreportcard.com/report/github.com/getsentry/sentry-go)\n[![Discord](https://img.shields.io/discord/621778831602221064)](https://discord.gg/Ww9hbqr)\n[![X Follow](https://img.shields.io/twitter/follow/sentry?label=sentry&style=social)](https://x.com/intent/follow?screen_name=sentry)\n[![go.dev](https://img.shields.io/badge/go.dev-pkg-007d9c.svg?style=flat)](https://pkg.go.dev/github.com/getsentry/sentry-go)\n\n`sentry-go` provides a Sentry client implementation for the Go programming\nlanguage. This is the next generation of the Go SDK for [Sentry](https://sentry.io/),\nintended to replace the `raven-go` package.\n\n> Looking for the old `raven-go` SDK documentation? See the Legacy client section [here](https://docs.sentry.io/clients/go/).\n> If you want to start using `sentry-go` instead, check out the [migration guide](https://docs.sentry.io/platforms/go/migration/).\n\n## Requirements\n\nThe only requirement is a Go compiler.\n\nWe verify this package against the 3 most recent releases of Go. Those are the\nsupported versions. The exact versions are defined in\n[`GitHub workflow`](.github/workflows/test.yml).\n\nIn addition, we run tests against the current master branch of the Go toolchain,\nthough support for this configuration is best-effort.\n\n## Installation\n\n`sentry-go` can be installed like any other Go library through `go get`:\n\n```console\n$ go get github.com/getsentry/sentry-go@latest\n```\n\nCheck out the [list of released versions](https://github.com/getsentry/sentry-go/releases).\n\n## Configuration\n\nTo use `sentry-go`, you’ll need to import the `sentry-go` package and initialize\nit with your DSN and other [options](https://pkg.go.dev/github.com/getsentry/sentry-go#ClientOptions).\n\nIf not specified in the SDK initialization, the\n[DSN](https://docs.sentry.io/product/sentry-basics/dsn-explainer/),\n[Release](https://docs.sentry.io/product/releases/) and\n[Environment](https://docs.sentry.io/product/sentry-basics/environments/)\nare read from the environment variables `SENTRY_DSN`, `SENTRY_RELEASE` and\n`SENTRY_ENVIRONMENT`, respectively.\n\nMore on this in the [Configuration section of the official Sentry Go SDK documentation](https://docs.sentry.io/platforms/go/configuration/).\n\n## Usage\n\nThe SDK supports reporting errors and tracking application performance.\n\nTo get started, have a look at one of our [examples](_examples/):\n- [Basic error instrumentation](_examples/basic/main.go)\n- [Error and tracing for HTTP servers](_examples/http/main.go)\n\nWe also provide a [complete API reference](https://pkg.go.dev/github.com/getsentry/sentry-go).\n\nFor more detailed information about how to get the most out of `sentry-go`,\ncheck out the official documentation:\n\n- [Sentry Go SDK documentation](https://docs.sentry.io/platforms/go/)\n- Guides:\n - [net/http](https://docs.sentry.io/platforms/go/guides/http/)\n - [echo](https://docs.sentry.io/platforms/go/guides/echo/)\n - [fasthttp](https://docs.sentry.io/platforms/go/guides/fasthttp/)\n - [fiber](https://docs.sentry.io/platforms/go/guides/fiber/)\n - [gin](https://docs.sentry.io/platforms/go/guides/gin/)\n - [iris](https://docs.sentry.io/platforms/go/guides/iris/)\n - [logrus](https://docs.sentry.io/platforms/go/guides/logrus/)\n - [negroni](https://docs.sentry.io/platforms/go/guides/negroni/)\n - [slog](https://docs.sentry.io/platforms/go/guides/slog/)\n - [zerolog](https://docs.sentry.io/platforms/go/guides/zerolog/)\n\n## Resources\n\n- [Bug Tracker](https://github.com/getsentry/sentry-go/issues)\n- [GitHub Project](https://github.com/getsentry/sentry-go)\n- [![go.dev](https://img.shields.io/badge/go.dev-pkg-007d9c.svg?style=flat)](https://pkg.go.dev/github.com/getsentry/sentry-go)\n- [![Documentation](https://img.shields.io/badge/documentation-sentry.io-green.svg)](https://docs.sentry.io/platforms/go/)\n- [![Discussions](https://img.shields.io/github/discussions/getsentry/sentry-go.svg)](https://github.com/getsentry/sentry-go/discussions)\n- [![Discord](https://img.shields.io/discord/621778831602221064)](https://discord.gg/Ww9hbqr)\n- [![Stack Overflow](https://img.shields.io/badge/stack%20overflow-sentry-green.svg)](http://stackoverflow.com/questions/tagged/sentry)\n- [![Twitter Follow](https://img.shields.io/twitter/follow/getsentry?label=getsentry&style=social)](https://twitter.com/intent/follow?screen_name=getsentry)\n\n## License\n\nLicensed under\n[The MIT License](https://opensource.org/licenses/mit/), see\n[`LICENSE`](LICENSE).\n\n## Community\n\nJoin Sentry's [`#go` channel on Discord](https://discord.gg/Ww9hbqr) to get\ninvolved and help us improve the SDK!\n" }, { "path": "vendor/github.com/getsentry/sentry-go/attribute/builder.go", "content": "package attribute\n\ntype Builder struct {\n\tKey string\n\tValue Value\n}\n\n// String returns a Builder for a string value.\nfunc String(key, value string) Builder {\n\treturn Builder{key, StringValue(value)}\n}\n\n// Int64 returns a Builder for an int64.\nfunc Int64(key string, value int64) Builder {\n\treturn Builder{key, Int64Value(value)}\n}\n\n// Int returns a Builder for an int64.\nfunc Int(key string, value int) Builder {\n\treturn Builder{key, IntValue(value)}\n}\n\n// Float64 returns a Builder for a float64.\nfunc Float64(key string, v float64) Builder {\n\treturn Builder{key, Float64Value(v)}\n}\n\n// Bool returns a Builder for a boolean.\nfunc Bool(key string, v bool) Builder {\n\treturn Builder{key, BoolValue(v)}\n}\n\n// Valid checks for valid key and type.\nfunc (b *Builder) Valid() bool {\n\treturn len(b.Key) > 0 && b.Value.Type() != INVALID\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/attribute/rawhelpers.go", "content": "// Copied from https://github.com/open-telemetry/opentelemetry-go/blob/cc43e01c27892252aac9a8f20da28cdde957a289/attribute/rawhelpers.go\n// Copyright The OpenTelemetry Authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage attribute\n\nimport (\n\t\"math\"\n)\n\nfunc boolToRaw(b bool) uint64 { // b is not a control flag.\n\tif b {\n\t\treturn 1\n\t}\n\treturn 0\n}\n\nfunc rawToBool(r uint64) bool {\n\treturn r != 0\n}\n\nfunc int64ToRaw(i int64) uint64 {\n\t// Assumes original was a valid int64 (overflow not checked).\n\treturn uint64(i) // nolint: gosec\n}\n\nfunc rawToInt64(r uint64) int64 {\n\t// Assumes original was a valid int64 (overflow not checked).\n\treturn int64(r) // nolint: gosec\n}\n\nfunc float64ToRaw(f float64) uint64 {\n\treturn math.Float64bits(f)\n}\n\nfunc rawToFloat64(r uint64) float64 {\n\treturn math.Float64frombits(r)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/attribute/value.go", "content": "// Adapted from https://github.com/open-telemetry/opentelemetry-go/blob/cc43e01c27892252aac9a8f20da28cdde957a289/attribute/value.go\n//\n// Copyright The OpenTelemetry Authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage attribute\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"strconv\"\n)\n\n// Type describes the type of the data Value holds.\ntype Type int // redefines builtin Type.\n\n// Value represents the value part in key-value pairs.\ntype Value struct {\n\tvtype Type\n\tnumeric uint64\n\tstringly string\n}\n\nconst (\n\t// INVALID is used for a Value with no value set.\n\tINVALID Type = iota\n\t// BOOL is a boolean Type Value.\n\tBOOL\n\t// INT64 is a 64-bit signed integral Type Value.\n\tINT64\n\t// FLOAT64 is a 64-bit floating point Type Value.\n\tFLOAT64\n\t// STRING is a string Type Value.\n\tSTRING\n\t// UINT64 is a 64-bit unsigned integral Type Value.\n\t//\n\t// This type is intentionally not exposed through the Builder API.\n\tUINT64\n)\n\n// BoolValue creates a BOOL Value.\nfunc BoolValue(v bool) Value {\n\treturn Value{\n\t\tvtype: BOOL,\n\t\tnumeric: boolToRaw(v),\n\t}\n}\n\n// IntValue creates an INT64 Value.\nfunc IntValue(v int) Value {\n\treturn Int64Value(int64(v))\n}\n\n// Int64Value creates an INT64 Value.\nfunc Int64Value(v int64) Value {\n\treturn Value{\n\t\tvtype: INT64,\n\t\tnumeric: int64ToRaw(v),\n\t}\n}\n\n// Float64Value creates a FLOAT64 Value.\nfunc Float64Value(v float64) Value {\n\treturn Value{\n\t\tvtype: FLOAT64,\n\t\tnumeric: float64ToRaw(v),\n\t}\n}\n\n// StringValue creates a STRING Value.\nfunc StringValue(v string) Value {\n\treturn Value{\n\t\tvtype: STRING,\n\t\tstringly: v,\n\t}\n}\n\n// Uint64Value creates a UINT64 Value.\n//\n// This constructor is intentionally not exposed through the Builder API.\nfunc Uint64Value(v uint64) Value {\n\treturn Value{\n\t\tvtype: UINT64,\n\t\tnumeric: v,\n\t}\n}\n\n// Type returns a type of the Value.\nfunc (v Value) Type() Type {\n\treturn v.vtype\n}\n\n// AsBool returns the bool value. Make sure that the Value's type is\n// BOOL.\nfunc (v Value) AsBool() bool {\n\treturn rawToBool(v.numeric)\n}\n\n// AsInt64 returns the int64 value. Make sure that the Value's type is\n// INT64.\nfunc (v Value) AsInt64() int64 {\n\treturn rawToInt64(v.numeric)\n}\n\n// AsFloat64 returns the float64 value. Make sure that the Value's\n// type is FLOAT64.\nfunc (v Value) AsFloat64() float64 {\n\treturn rawToFloat64(v.numeric)\n}\n\n// AsString returns the string value. Make sure that the Value's type\n// is STRING.\nfunc (v Value) AsString() string {\n\treturn v.stringly\n}\n\n// AsUint64 returns the uint64 value. Make sure that the Value's type is\n// UINT64.\nfunc (v Value) AsUint64() uint64 {\n\treturn v.numeric\n}\n\ntype unknownValueType struct{}\n\n// AsInterface returns Value's data as interface{}.\nfunc (v Value) AsInterface() interface{} {\n\tswitch v.Type() {\n\tcase BOOL:\n\t\treturn v.AsBool()\n\tcase INT64:\n\t\treturn v.AsInt64()\n\tcase FLOAT64:\n\t\treturn v.AsFloat64()\n\tcase STRING:\n\t\treturn v.stringly\n\tcase UINT64:\n\t\treturn v.numeric\n\t}\n\treturn unknownValueType{}\n}\n\n// String returns a string representation of Value's data.\nfunc (v Value) String() string {\n\tswitch v.Type() {\n\tcase BOOL:\n\t\treturn strconv.FormatBool(v.AsBool())\n\tcase INT64:\n\t\treturn strconv.FormatInt(v.AsInt64(), 10)\n\tcase FLOAT64:\n\t\treturn fmt.Sprint(v.AsFloat64())\n\tcase STRING:\n\t\treturn v.stringly\n\tcase UINT64:\n\t\treturn strconv.FormatUint(v.numeric, 10)\n\tdefault:\n\t\treturn \"unknown\"\n\t}\n}\n\n// MarshalJSON returns the JSON encoding of the Value.\nfunc (v Value) MarshalJSON() ([]byte, error) {\n\tvar jsonVal struct {\n\t\tValue any `json:\"value\"`\n\t\tType string `json:\"type\"`\n\t}\n\tjsonVal.Type = mapTypesToStr[v.Type()]\n\tjsonVal.Value = v.AsInterface()\n\treturn json.Marshal(jsonVal)\n}\n\nfunc (t Type) String() string {\n\tswitch t {\n\tcase BOOL:\n\t\treturn \"bool\"\n\tcase INT64:\n\t\treturn \"int64\"\n\tcase FLOAT64:\n\t\treturn \"float64\"\n\tcase STRING:\n\t\treturn \"string\"\n\tcase UINT64:\n\t\treturn \"uint64\"\n\t}\n\treturn \"invalid\"\n}\n\n// mapTypesToStr is a map from attribute.Type to the primitive types the server understands.\n// https://develop.sentry.dev/sdk/foundations/data-model/attributes/#primitive-types\nvar mapTypesToStr = map[Type]string{\n\tINVALID: \"\",\n\tBOOL: \"boolean\",\n\tINT64: \"integer\",\n\tFLOAT64: \"double\",\n\tSTRING: \"string\",\n\tUINT64: \"integer\", // wire format: same \"integer\" type\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/batch_processor.go", "content": "package sentry\n\nimport (\n\t\"context\"\n\t\"sync\"\n\t\"time\"\n)\n\nconst (\n\tbatchSize = 100\n\tdefaultBatchTimeout = 5 * time.Second\n)\n\ntype batchProcessor[T any] struct {\n\tsendBatch func([]T)\n\titemCh chan T\n\tflushCh chan chan struct{}\n\tcancel context.CancelFunc\n\twg sync.WaitGroup\n\tstartOnce sync.Once\n\tshutdownOnce sync.Once\n\tbatchTimeout time.Duration\n}\n\nfunc newBatchProcessor[T any](sendBatch func([]T)) *batchProcessor[T] {\n\treturn &batchProcessor[T]{\n\t\titemCh: make(chan T, batchSize),\n\t\tflushCh: make(chan chan struct{}),\n\t\tsendBatch: sendBatch,\n\t\tbatchTimeout: defaultBatchTimeout,\n\t}\n}\n\n// WithBatchTimeout sets a custom batch timeout for the processor.\n// This is useful for testing or when different timing behavior is needed.\nfunc (p *batchProcessor[T]) WithBatchTimeout(timeout time.Duration) *batchProcessor[T] {\n\tp.batchTimeout = timeout\n\treturn p\n}\n\nfunc (p *batchProcessor[T]) Send(item T) bool {\n\tselect {\n\tcase p.itemCh <- item:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc (p *batchProcessor[T]) Start() {\n\tp.startOnce.Do(func() {\n\t\tctx, cancel := context.WithCancel(context.Background())\n\t\tp.cancel = cancel\n\t\tp.wg.Add(1)\n\t\tgo p.run(ctx)\n\t})\n}\n\nfunc (p *batchProcessor[T]) Flush(timeout <-chan struct{}) {\n\tdone := make(chan struct{})\n\tselect {\n\tcase p.flushCh <- done:\n\t\tselect {\n\t\tcase <-done:\n\t\tcase <-timeout:\n\t\t}\n\tcase <-timeout:\n\t}\n}\n\nfunc (p *batchProcessor[T]) Shutdown() {\n\tp.shutdownOnce.Do(func() {\n\t\tif p.cancel != nil {\n\t\t\tp.cancel()\n\t\t\tp.wg.Wait()\n\t\t}\n\t})\n}\n\nfunc (p *batchProcessor[T]) run(ctx context.Context) {\n\tdefer p.wg.Done()\n\tvar items []T\n\ttimer := time.NewTimer(0)\n\ttimer.Stop()\n\tdefer timer.Stop()\n\n\tfor {\n\t\tselect {\n\t\tcase item := <-p.itemCh:\n\t\t\tif len(items) == 0 {\n\t\t\t\ttimer.Reset(p.batchTimeout)\n\t\t\t}\n\t\t\titems = append(items, item)\n\t\t\tif len(items) >= batchSize {\n\t\t\t\tp.sendBatch(items)\n\t\t\t\titems = nil\n\t\t\t}\n\t\tcase <-timer.C:\n\t\t\tif len(items) > 0 {\n\t\t\t\tp.sendBatch(items)\n\t\t\t\titems = nil\n\t\t\t}\n\t\tcase done := <-p.flushCh:\n\t\tflushDrain:\n\t\t\tfor {\n\t\t\t\tselect {\n\t\t\t\tcase item := <-p.itemCh:\n\t\t\t\t\titems = append(items, item)\n\t\t\t\tdefault:\n\t\t\t\t\tbreak flushDrain\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif len(items) > 0 {\n\t\t\t\tp.sendBatch(items)\n\t\t\t\titems = nil\n\t\t\t}\n\t\t\tclose(done)\n\t\tcase <-ctx.Done():\n\t\tdrain:\n\t\t\tfor {\n\t\t\t\tselect {\n\t\t\t\tcase item := <-p.itemCh:\n\t\t\t\t\titems = append(items, item)\n\t\t\t\tdefault:\n\t\t\t\t\tbreak drain\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif len(items) > 0 {\n\t\t\t\tp.sendBatch(items)\n\t\t\t}\n\t\t\treturn\n\t\t}\n\t}\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/check_in.go", "content": "package sentry\n\nimport \"time\"\n\ntype CheckInStatus string\n\nconst (\n\tCheckInStatusInProgress CheckInStatus = \"in_progress\"\n\tCheckInStatusOK CheckInStatus = \"ok\"\n\tCheckInStatusError CheckInStatus = \"error\"\n)\n\ntype checkInScheduleType string\n\nconst (\n\tcheckInScheduleTypeCrontab checkInScheduleType = \"crontab\"\n\tcheckInScheduleTypeInterval checkInScheduleType = \"interval\"\n)\n\ntype MonitorSchedule interface {\n\t// scheduleType is a private method that must be implemented for monitor schedule\n\t// implementation. It should never be called. This method is made for having\n\t// specific private implementation of MonitorSchedule interface.\n\tscheduleType() checkInScheduleType\n}\n\ntype crontabSchedule struct {\n\tType string `json:\"type\"`\n\tValue string `json:\"value\"`\n}\n\nfunc (c crontabSchedule) scheduleType() checkInScheduleType {\n\treturn checkInScheduleTypeCrontab\n}\n\n// CrontabSchedule defines the MonitorSchedule with a cron format.\n// Example: \"8 * * * *\".\nfunc CrontabSchedule(scheduleString string) MonitorSchedule {\n\treturn crontabSchedule{\n\t\tType: string(checkInScheduleTypeCrontab),\n\t\tValue: scheduleString,\n\t}\n}\n\ntype intervalSchedule struct {\n\tType string `json:\"type\"`\n\tValue int64 `json:\"value\"`\n\tUnit string `json:\"unit\"`\n}\n\nfunc (i intervalSchedule) scheduleType() checkInScheduleType {\n\treturn checkInScheduleTypeInterval\n}\n\ntype MonitorScheduleUnit string\n\nconst (\n\tMonitorScheduleUnitMinute MonitorScheduleUnit = \"minute\"\n\tMonitorScheduleUnitHour MonitorScheduleUnit = \"hour\"\n\tMonitorScheduleUnitDay MonitorScheduleUnit = \"day\"\n\tMonitorScheduleUnitWeek MonitorScheduleUnit = \"week\"\n\tMonitorScheduleUnitMonth MonitorScheduleUnit = \"month\"\n\tMonitorScheduleUnitYear MonitorScheduleUnit = \"year\"\n)\n\n// IntervalSchedule defines the MonitorSchedule with an interval format.\n//\n// Example:\n//\n//\tIntervalSchedule(1, sentry.MonitorScheduleUnitDay)\nfunc IntervalSchedule(value int64, unit MonitorScheduleUnit) MonitorSchedule {\n\treturn intervalSchedule{\n\t\tType: string(checkInScheduleTypeInterval),\n\t\tValue: value,\n\t\tUnit: string(unit),\n\t}\n}\n\ntype MonitorConfig struct { //nolint: maligned // prefer readability over optimal memory layout\n\tSchedule MonitorSchedule `json:\"schedule,omitempty\"`\n\t// The allowed margin of minutes after the expected check-in time that\n\t// the monitor will not be considered missed for.\n\tCheckInMargin int64 `json:\"checkin_margin,omitempty\"`\n\t// The allowed duration in minutes that the monitor may be `in_progress`\n\t// for before being considered failed due to timeout.\n\tMaxRuntime int64 `json:\"max_runtime,omitempty\"`\n\t// A tz database string representing the timezone which the monitor's execution schedule is in.\n\t// See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\n\tTimezone string `json:\"timezone,omitempty\"`\n\t// The number of consecutive failed check-ins it takes before an issue is created.\n\tFailureIssueThreshold int64 `json:\"failure_issue_threshold,omitempty\"`\n\t// The number of consecutive OK check-ins it takes before an issue is resolved.\n\tRecoveryThreshold int64 `json:\"recovery_threshold,omitempty\"`\n}\n\ntype CheckIn struct { //nolint: maligned // prefer readability over optimal memory layout\n\t// Check-In ID (unique and client generated)\n\tID EventID `json:\"check_in_id\"`\n\t// The distinct slug of the monitor.\n\tMonitorSlug string `json:\"monitor_slug\"`\n\t// The status of the check-in.\n\tStatus CheckInStatus `json:\"status\"`\n\t// The duration of the check-in. Will only take effect if the status is ok or error.\n\tDuration time.Duration `json:\"duration,omitempty\"`\n}\n\n// serializedCheckIn is used by checkInMarshalJSON method on Event struct.\n// See https://develop.sentry.dev/sdk/check-ins/\ntype serializedCheckIn struct { //nolint: maligned\n\t// Check-In ID (unique and client generated).\n\tCheckInID string `json:\"check_in_id\"`\n\t// The distinct slug of the monitor.\n\tMonitorSlug string `json:\"monitor_slug\"`\n\t// The status of the check-in.\n\tStatus CheckInStatus `json:\"status\"`\n\t// The duration of the check-in in seconds. Will only take effect if the status is ok or error.\n\tDuration float64 `json:\"duration,omitempty\"`\n\tRelease string `json:\"release,omitempty\"`\n\tEnvironment string `json:\"environment,omitempty\"`\n\tMonitorConfig *MonitorConfig `json:\"monitor_config,omitempty\"`\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/client.go", "content": "package sentry\n\nimport (\n\t\"context\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"io\"\n\t\"math/rand\"\n\t\"net/http\"\n\t\"os\"\n\t\"sort\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/internal/debug\"\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n\thttpInternal \"github.com/getsentry/sentry-go/internal/http\"\n\t\"github.com/getsentry/sentry-go/internal/protocol\"\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n\t\"github.com/getsentry/sentry-go/internal/telemetry\"\n)\n\n// The identifier of the SDK.\nconst sdkIdentifier = \"sentry.go\"\n\nconst (\n\t// maxErrorDepth is the maximum number of errors reported in a chain of errors.\n\t// This protects the SDK from an arbitrarily long chain of wrapped errors.\n\t//\n\t// An additional consideration is that arguably reporting a long chain of errors\n\t// is of little use when debugging production errors with Sentry. The Sentry UI\n\t// is not optimized for long chains either. The top-level error together with a\n\t// stack trace is often the most useful information.\n\tmaxErrorDepth = 100\n\n\t// defaultMaxSpans limits the default number of recorded spans per transaction. The limit is\n\t// meant to bound memory usage and prevent too large transaction events that\n\t// would be rejected by Sentry.\n\tdefaultMaxSpans = 1000\n\n\t// defaultMaxBreadcrumbs is the default maximum number of breadcrumbs added to\n\t// an event. Can be overwritten with the MaxBreadcrumbs option.\n\tdefaultMaxBreadcrumbs = 100\n)\n\n// hostname is the host name reported by the kernel. It is precomputed once to\n// avoid syscalls when capturing events.\n//\n// The error is ignored because retrieving the host name is best-effort. If the\n// error is non-nil, there is nothing to do other than retrying. We choose not\n// to retry for now.\nvar hostname, _ = os.Hostname()\n\n// lockedRand is a random number generator safe for concurrent use. Its API is\n// intentionally limited and it is not meant as a full replacement for a\n// rand.Rand.\ntype lockedRand struct {\n\tmu sync.Mutex\n\tr *rand.Rand\n}\n\n// Float64 returns a pseudo-random number in [0.0,1.0).\nfunc (r *lockedRand) Float64() float64 {\n\tr.mu.Lock()\n\tdefer r.mu.Unlock()\n\treturn r.r.Float64()\n}\n\n// rng is the internal random number generator.\n//\n// We do not use the global functions from math/rand because, while they are\n// safe for concurrent use, any package in a build could change the seed and\n// affect the generated numbers, for instance making them deterministic. On the\n// other hand, the source returned from rand.NewSource is not safe for\n// concurrent use, so we need to couple its use with a sync.Mutex.\nvar rng = &lockedRand{\n\t// #nosec G404 -- We are fine using transparent, non-secure value here.\n\tr: rand.New(rand.NewSource(time.Now().UnixNano())),\n}\n\n// usageError is used to report to Sentry an SDK usage error.\n//\n// It is not exported because it is never returned by any function or method in\n// the exported API.\ntype usageError struct {\n\terror\n}\n\n// DebugLogger is an instance of log.Logger that is used to provide debug information about running Sentry Client\n// can be enabled by either using debuglog.SetOutput directly or with Debug client option.\nvar DebugLogger = debuglog.GetLogger()\n\n// EventProcessor is a function that processes an event.\n// Event processors are used to change an event before it is sent to Sentry.\ntype EventProcessor func(event *Event, hint *EventHint) *Event\n\n// EventModifier is the interface that wraps the ApplyToEvent method.\n//\n// ApplyToEvent changes an event based on external data and/or\n// an event hint.\ntype EventModifier interface {\n\tApplyToEvent(event *Event, hint *EventHint, client *Client) *Event\n}\n\nvar globalEventProcessors []EventProcessor\n\n// AddGlobalEventProcessor adds processor to the global list of event\n// processors. Global event processors apply to all events.\n//\n// AddGlobalEventProcessor is deprecated. Most users will prefer to initialize\n// the SDK with Init and provide a ClientOptions.BeforeSend function or use\n// Scope.AddEventProcessor instead.\nfunc AddGlobalEventProcessor(processor EventProcessor) {\n\tglobalEventProcessors = append(globalEventProcessors, processor)\n}\n\n// Integration allows for registering a functions that modify or discard captured events.\ntype Integration interface {\n\tName() string\n\tSetupOnce(client *Client)\n}\n\n// ClientOptions that configures a SDK Client.\ntype ClientOptions struct {\n\t// The DSN to use. If the DSN is not set, the client is effectively\n\t// disabled.\n\tDsn string\n\t// In debug mode, the debug information is printed to stdout to help you\n\t// understand what sentry is doing.\n\tDebug bool\n\t// Configures whether SDK should generate and attach stacktraces to pure\n\t// capture message calls.\n\tAttachStacktrace bool\n\t// The sample rate for event submission in the range [0.0, 1.0]. By default,\n\t// all events are sent. Thus, as a historical special case, the sample rate\n\t// 0.0 is treated as if it was 1.0. To drop all events, set the DSN to the\n\t// empty string.\n\tSampleRate float64\n\t// Enable performance tracing.\n\tEnableTracing bool\n\t// The sample rate for sampling traces in the range [0.0, 1.0].\n\tTracesSampleRate float64\n\t// Used to customize the sampling of traces, overrides TracesSampleRate.\n\tTracesSampler TracesSampler\n\t// Control with URLs trace propagation should be enabled. Does not support regex patterns.\n\tTracePropagationTargets []string\n\t// PropagateTraceparent is used to control whether the W3C Trace Context HTTP traceparent header\n\t// is propagated on outgoing http requests.\n\tPropagateTraceparent bool\n\t// List of regexp strings that will be used to match against event's message\n\t// and if applicable, caught errors type and value.\n\t// If the match is found, then a whole event will be dropped.\n\tIgnoreErrors []string\n\t// List of regexp strings that will be used to match against a transaction's\n\t// name. If a match is found, then the transaction will be dropped.\n\tIgnoreTransactions []string\n\t// If this flag is enabled, certain personally identifiable information (PII) is added by active integrations.\n\t// By default, no such data is sent.\n\tSendDefaultPII bool\n\t// BeforeSend is called before error events are sent to Sentry.\n\t// You can use it to mutate the event or return nil to discard it.\n\tBeforeSend func(event *Event, hint *EventHint) *Event\n\t// BeforeSendLong is called before log events are sent to Sentry.\n\t// You can use it to mutate the log event or return nil to discard it.\n\tBeforeSendLog func(event *Log) *Log\n\t// BeforeSendTransaction is called before transaction events are sent to Sentry.\n\t// Use it to mutate the transaction or return nil to discard the transaction.\n\tBeforeSendTransaction func(event *Event, hint *EventHint) *Event\n\t// Before breadcrumb add callback.\n\tBeforeBreadcrumb func(breadcrumb *Breadcrumb, hint *BreadcrumbHint) *Breadcrumb\n\t// BeforeSendMetric is called before metric events are sent to Sentry.\n\t// You can use it to mutate the metric or return nil to discard it.\n\tBeforeSendMetric func(metric *Metric) *Metric\n\t// Integrations to be installed on the current Client, receives default\n\t// integrations.\n\tIntegrations func([]Integration) []Integration\n\t// io.Writer implementation that should be used with the Debug mode.\n\tDebugWriter io.Writer\n\t// The transport to use. Defaults to HTTPTransport.\n\tTransport Transport\n\t// The server name to be reported.\n\tServerName string\n\t// The release to be sent with events.\n\t//\n\t// Some Sentry features are built around releases, and, thus, reporting\n\t// events with a non-empty release improves the product experience. See\n\t// https://docs.sentry.io/product/releases/.\n\t//\n\t// If Release is not set, the SDK will try to derive a default value\n\t// from environment variables or the Git repository in the working\n\t// directory.\n\t//\n\t// If you distribute a compiled binary, it is recommended to set the\n\t// Release value explicitly at build time. As an example, you can use:\n\t//\n\t// \tgo build -ldflags='-X main.release=VALUE'\n\t//\n\t// That will set the value of a predeclared variable 'release' in the\n\t// 'main' package to 'VALUE'. Then, use that variable when initializing\n\t// the SDK:\n\t//\n\t// \tsentry.Init(ClientOptions{Release: release})\n\t//\n\t// See https://golang.org/cmd/go/ and https://golang.org/cmd/link/ for\n\t// the official documentation of -ldflags and -X, respectively.\n\tRelease string\n\t// The dist to be sent with events.\n\tDist string\n\t// The environment to be sent with events.\n\tEnvironment string\n\t// Maximum number of breadcrumbs\n\t// when MaxBreadcrumbs is negative then ignore breadcrumbs.\n\tMaxBreadcrumbs int\n\t// Maximum number of spans.\n\t//\n\t// See https://develop.sentry.dev/sdk/envelopes/#size-limits for size limits\n\t// applied during event ingestion. Events that exceed these limits might get dropped.\n\tMaxSpans int\n\t// An optional pointer to http.Client that will be used with a default\n\t// HTTPTransport. Using your own client will make HTTPTransport, HTTPProxy,\n\t// HTTPSProxy and CaCerts options ignored.\n\tHTTPClient *http.Client\n\t// An optional pointer to http.Transport that will be used with a default\n\t// HTTPTransport. Using your own transport will make HTTPProxy, HTTPSProxy\n\t// and CaCerts options ignored.\n\tHTTPTransport http.RoundTripper\n\t// An optional HTTP proxy to use.\n\t// This will default to the HTTP_PROXY environment variable.\n\tHTTPProxy string\n\t// An optional HTTPS proxy to use.\n\t// This will default to the HTTPS_PROXY environment variable.\n\t// HTTPS_PROXY takes precedence over HTTP_PROXY for https requests.\n\tHTTPSProxy string\n\t// An optional set of SSL certificates to use.\n\tCaCerts *x509.CertPool\n\t// MaxErrorDepth is the maximum number of errors reported in a chain of errors.\n\t// This protects the SDK from an arbitrarily long chain of wrapped errors.\n\t//\n\t// An additional consideration is that arguably reporting a long chain of errors\n\t// is of little use when debugging production errors with Sentry. The Sentry UI\n\t// is not optimized for long chains either. The top-level error together with a\n\t// stack trace is often the most useful information.\n\tMaxErrorDepth int\n\t// Default event tags. These are overridden by tags set on a scope.\n\tTags map[string]string\n\t// EnableLogs controls when logs should be emitted.\n\tEnableLogs bool\n\t// DisableMetrics controls when metrics should be emitted.\n\tDisableMetrics bool\n\t// TraceIgnoreStatusCodes is a list of HTTP status codes that should not be traced.\n\t// Each element can be either:\n\t// - A single-element slice [code] for a specific status code\n\t// - A two-element slice [min, max] for a range of status codes (inclusive)\n\t// When an HTTP request results in a status code that matches any of these codes or ranges,\n\t// the transaction will not be sent to Sentry.\n\t//\n\t// Examples:\n\t// [][]int{{404}} // ignore only status code 404\n\t// [][]int{{400, 405}} // ignore status codes 400-405\n\t// [][]int{{404}, {500}} // ignore status codes 404 and 500\n\t// [][]int{{404}, {400, 405}, {500, 599}} // ignore 404, range 400-405, and range 500-599\n\t//\n\t// By default, this ignores 404 status codes.\n\t//\n\t// IMPORTANT: to not ignore any status codes, the option should be an empty slice and not nil. The nil option is\n\t// used for defaulting to 404 ignores.\n\tTraceIgnoreStatusCodes [][]int\n\t// DisableTelemetryBuffer disables the telemetry buffer layer for prioritizing events and uses the old transport layer.\n\tDisableTelemetryBuffer bool\n}\n\n// Client is the underlying processor that is used by the main API and Hub\n// instances. It must be created with NewClient.\ntype Client struct {\n\tmu sync.RWMutex\n\toptions ClientOptions\n\tdsn *Dsn\n\teventProcessors []EventProcessor\n\tintegrations []Integration\n\tsdkIdentifier string\n\tsdkVersion string\n\t// Transport is read-only. Replacing the transport of an existing client is\n\t// not supported, create a new client instead.\n\tTransport Transport\n\tbatchLogger *logBatchProcessor\n\tbatchMeter *metricBatchProcessor\n\ttelemetryProcessor *telemetry.Processor\n}\n\n// NewClient creates and returns an instance of Client configured using\n// ClientOptions.\n//\n// Most users will not create clients directly. Instead, initialize the SDK with\n// Init and use the package-level functions (for simple programs that run on a\n// single goroutine) or hub methods (for concurrent programs, for example web\n// servers).\nfunc NewClient(options ClientOptions) (*Client, error) {\n\t// The default error event sample rate for all SDKs is 1.0 (send all).\n\t//\n\t// In Go, the zero value (default) for float64 is 0.0, which means that\n\t// constructing a client with NewClient(ClientOptions{}), or, equivalently,\n\t// initializing the SDK with Init(ClientOptions{}) without an explicit\n\t// SampleRate would drop all events.\n\t//\n\t// To retain the desired default behavior, we exceptionally flip SampleRate\n\t// from 0.0 to 1.0 here. Setting the sample rate to 0.0 is not very useful\n\t// anyway, and the same end result can be achieved in many other ways like\n\t// not initializing the SDK, setting the DSN to the empty string or using an\n\t// event processor that always returns nil.\n\t//\n\t// An alternative API could be such that default options don't need to be\n\t// the same as Go's zero values, for example using the Functional Options\n\t// pattern. That would either require a breaking change if we want to reuse\n\t// the obvious NewClient name, or a new function as an alternative\n\t// constructor.\n\tif options.SampleRate == 0.0 {\n\t\toptions.SampleRate = 1.0\n\t}\n\n\tif options.Debug {\n\t\tdebugWriter := options.DebugWriter\n\t\tif debugWriter == nil {\n\t\t\tdebugWriter = os.Stderr\n\t\t}\n\t\tdebuglog.SetOutput(debugWriter)\n\t}\n\n\tif options.Dsn == \"\" {\n\t\toptions.Dsn = os.Getenv(\"SENTRY_DSN\")\n\t}\n\n\tif options.Release == \"\" {\n\t\toptions.Release = defaultRelease()\n\t}\n\n\tif options.Environment == \"\" {\n\t\toptions.Environment = os.Getenv(\"SENTRY_ENVIRONMENT\")\n\t}\n\n\tif options.MaxErrorDepth == 0 {\n\t\toptions.MaxErrorDepth = maxErrorDepth\n\t}\n\n\tif options.MaxSpans == 0 {\n\t\toptions.MaxSpans = defaultMaxSpans\n\t}\n\n\tif options.TraceIgnoreStatusCodes == nil {\n\t\toptions.TraceIgnoreStatusCodes = [][]int{{404}}\n\t}\n\n\t// SENTRYGODEBUG is a comma-separated list of key=value pairs (similar\n\t// to GODEBUG). It is not a supported feature: recognized debug options\n\t// may change any time.\n\t//\n\t// The intended public is SDK developers. It is orthogonal to\n\t// options.Debug, which is also available for SDK users.\n\tdbg := strings.Split(os.Getenv(\"SENTRYGODEBUG\"), \",\")\n\tsort.Strings(dbg)\n\t// dbgOpt returns true when the given debug option is enabled, for\n\t// example SENTRYGODEBUG=someopt=1.\n\tdbgOpt := func(opt string) bool {\n\t\ts := opt + \"=1\"\n\t\treturn dbg[sort.SearchStrings(dbg, s)%len(dbg)] == s\n\t}\n\tif dbgOpt(\"httpdump\") || dbgOpt(\"httptrace\") {\n\t\toptions.HTTPTransport = &debug.Transport{\n\t\t\tRoundTripper: http.DefaultTransport,\n\t\t\tOutput: os.Stderr,\n\t\t\tDump: dbgOpt(\"httpdump\"),\n\t\t\tTrace: dbgOpt(\"httptrace\"),\n\t\t}\n\t}\n\n\tvar dsn *Dsn\n\tif options.Dsn != \"\" {\n\t\tvar err error\n\t\tdsn, err = NewDsn(options.Dsn)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\tclient := Client{\n\t\toptions: options,\n\t\tdsn: dsn,\n\t\tsdkIdentifier: sdkIdentifier,\n\t\tsdkVersion: SDKVersion,\n\t}\n\n\tclient.setupTransport()\n\n\t// noop Telemetry Buffers and Processor fow now\n\t// if !options.DisableTelemetryBuffer {\n\t// \tclient.setupTelemetryProcessor()\n\t// } else\n\tif options.EnableLogs {\n\t\tclient.batchLogger = newLogBatchProcessor(&client)\n\t\tclient.batchLogger.Start()\n\t}\n\n\tif !options.DisableMetrics {\n\t\tclient.batchMeter = newMetricBatchProcessor(&client)\n\t\tclient.batchMeter.Start()\n\t}\n\n\tclient.setupIntegrations()\n\n\treturn &client, nil\n}\n\nfunc (client *Client) setupTransport() {\n\topts := client.options\n\ttransport := opts.Transport\n\n\tif transport == nil {\n\t\tif opts.Dsn == \"\" {\n\t\t\ttransport = new(noopTransport)\n\t\t} else {\n\t\t\ttransport = NewHTTPTransport()\n\t\t}\n\t}\n\n\ttransport.Configure(opts)\n\tclient.Transport = transport\n}\n\nfunc (client *Client) setupTelemetryProcessor() { // nolint: unused\n\tif client.options.DisableTelemetryBuffer {\n\t\treturn\n\t}\n\n\tif client.dsn == nil {\n\t\tdebuglog.Println(\"Telemetry buffer disabled: no DSN configured\")\n\t\treturn\n\t}\n\n\t// We currently disallow using custom Transport with the new Telemetry Processor, due to the difference in transport signatures.\n\t// The option should be enabled when the new Transport interface signature changes.\n\tif client.options.Transport != nil {\n\t\tdebuglog.Println(\"Cannot enable Telemetry Processor/Buffers with custom Transport: fallback to old transport\")\n\t\tif client.options.EnableLogs {\n\t\t\tclient.batchLogger = newLogBatchProcessor(client)\n\t\t\tclient.batchLogger.Start()\n\t\t}\n\t\tif !client.options.DisableMetrics {\n\t\t\tclient.batchMeter = newMetricBatchProcessor(client)\n\t\t\tclient.batchMeter.Start()\n\t\t}\n\t\treturn\n\t}\n\n\ttransport := httpInternal.NewAsyncTransport(httpInternal.TransportOptions{\n\t\tDsn: client.options.Dsn,\n\t\tHTTPClient: client.options.HTTPClient,\n\t\tHTTPTransport: client.options.HTTPTransport,\n\t\tHTTPProxy: client.options.HTTPProxy,\n\t\tHTTPSProxy: client.options.HTTPSProxy,\n\t\tCaCerts: client.options.CaCerts,\n\t})\n\tclient.Transport = &internalAsyncTransportAdapter{transport: transport}\n\n\tbuffers := map[ratelimit.Category]telemetry.Buffer[protocol.TelemetryItem]{\n\t\tratelimit.CategoryError: telemetry.NewRingBuffer[protocol.TelemetryItem](ratelimit.CategoryError, 100, telemetry.OverflowPolicyDropOldest, 1, 0),\n\t\tratelimit.CategoryTransaction: telemetry.NewRingBuffer[protocol.TelemetryItem](ratelimit.CategoryTransaction, 1000, telemetry.OverflowPolicyDropOldest, 1, 0),\n\t\tratelimit.CategoryLog: telemetry.NewRingBuffer[protocol.TelemetryItem](ratelimit.CategoryLog, 10*100, telemetry.OverflowPolicyDropOldest, 100, 5*time.Second),\n\t\tratelimit.CategoryMonitor: telemetry.NewRingBuffer[protocol.TelemetryItem](ratelimit.CategoryMonitor, 100, telemetry.OverflowPolicyDropOldest, 1, 0),\n\t\tratelimit.CategoryTraceMetric: telemetry.NewRingBuffer[protocol.TelemetryItem](ratelimit.CategoryTraceMetric, 10*100, telemetry.OverflowPolicyDropOldest, 100, 5*time.Second),\n\t}\n\n\tsdkInfo := &protocol.SdkInfo{\n\t\tName: client.sdkIdentifier,\n\t\tVersion: client.sdkVersion,\n\t}\n\n\tclient.telemetryProcessor = telemetry.NewProcessor(buffers, transport, &client.dsn.Dsn, sdkInfo)\n}\n\nfunc (client *Client) setupIntegrations() {\n\tintegrations := []Integration{\n\t\tnew(contextifyFramesIntegration),\n\t\tnew(environmentIntegration),\n\t\tnew(modulesIntegration),\n\t\tnew(ignoreErrorsIntegration),\n\t\tnew(ignoreTransactionsIntegration),\n\t\tnew(globalTagsIntegration),\n\t}\n\n\tif client.options.Integrations != nil {\n\t\tintegrations = client.options.Integrations(integrations)\n\t}\n\n\tfor _, integration := range integrations {\n\t\tif client.integrationAlreadyInstalled(integration.Name()) {\n\t\t\tdebuglog.Printf(\"Integration %s is already installed\\n\", integration.Name())\n\t\t\tcontinue\n\t\t}\n\t\tclient.integrations = append(client.integrations, integration)\n\t\tintegration.SetupOnce(client)\n\t\tdebuglog.Printf(\"Integration installed: %s\\n\", integration.Name())\n\t}\n\n\tsort.Slice(client.integrations, func(i, j int) bool {\n\t\treturn client.integrations[i].Name() < client.integrations[j].Name()\n\t})\n}\n\n// AddEventProcessor adds an event processor to the client. It must not be\n// called from concurrent goroutines. Most users will prefer to use\n// ClientOptions.BeforeSend or Scope.AddEventProcessor instead.\n//\n// Note that typical programs have only a single client created by Init and the\n// client is shared among multiple hubs, one per goroutine, such that adding an\n// event processor to the client affects all hubs that share the client.\nfunc (client *Client) AddEventProcessor(processor EventProcessor) {\n\tclient.eventProcessors = append(client.eventProcessors, processor)\n}\n\n// Options return ClientOptions for the current Client.\nfunc (client *Client) Options() ClientOptions {\n\t// Note: internally, consider using `client.options` instead of `client.Options()` to avoid copying the object each time.\n\treturn client.options\n}\n\n// CaptureMessage captures an arbitrary message.\nfunc (client *Client) CaptureMessage(message string, hint *EventHint, scope EventModifier) *EventID {\n\tevent := client.EventFromMessage(message, LevelInfo)\n\treturn client.CaptureEvent(event, hint, scope)\n}\n\n// CaptureException captures an error.\nfunc (client *Client) CaptureException(exception error, hint *EventHint, scope EventModifier) *EventID {\n\tevent := client.EventFromException(exception, LevelError)\n\treturn client.CaptureEvent(event, hint, scope)\n}\n\n// CaptureCheckIn captures a check in.\nfunc (client *Client) CaptureCheckIn(checkIn *CheckIn, monitorConfig *MonitorConfig, scope EventModifier) *EventID {\n\tevent := client.EventFromCheckIn(checkIn, monitorConfig)\n\tif event != nil && event.CheckIn != nil {\n\t\tclient.CaptureEvent(event, nil, scope)\n\t\treturn &event.CheckIn.ID\n\t}\n\treturn nil\n}\n\n// CaptureEvent captures an event on the currently active client if any.\n//\n// The event must already be assembled. Typically, code would instead use\n// the utility methods like CaptureException. The return value is the\n// event ID. In case Sentry is disabled or event was dropped, the return value will be nil.\nfunc (client *Client) CaptureEvent(event *Event, hint *EventHint, scope EventModifier) *EventID {\n\treturn client.processEvent(event, hint, scope)\n}\n\nfunc (client *Client) captureLog(log *Log, _ *Scope) bool {\n\tif log == nil {\n\t\treturn false\n\t}\n\n\tif client.options.BeforeSendLog != nil {\n\t\tlog = client.options.BeforeSendLog(log)\n\t\tif log == nil {\n\t\t\tdebuglog.Println(\"Log dropped due to BeforeSendLog callback.\")\n\t\t\treturn false\n\t\t}\n\t}\n\n\tif client.telemetryProcessor != nil {\n\t\tif !client.telemetryProcessor.Add(log) {\n\t\t\tdebuglog.Print(\"Dropping log: telemetry buffer full or category missing\")\n\t\t\treturn false\n\t\t}\n\t} else if client.batchLogger != nil {\n\t\tif !client.batchLogger.Send(log) {\n\t\t\tdebuglog.Printf(\"Dropping log [%s]: buffer full\", log.Level)\n\t\t\treturn false\n\t\t}\n\t}\n\n\treturn true\n}\n\nfunc (client *Client) captureMetric(metric *Metric, _ *Scope) bool {\n\tif metric == nil {\n\t\treturn false\n\t}\n\n\tif client.options.BeforeSendMetric != nil {\n\t\tmetric = client.options.BeforeSendMetric(metric)\n\t\tif metric == nil {\n\t\t\tdebuglog.Println(\"Metric dropped due to BeforeSendMetric callback.\")\n\t\t\treturn false\n\t\t}\n\t}\n\n\tif client.telemetryProcessor != nil {\n\t\tif !client.telemetryProcessor.Add(metric) {\n\t\t\tdebuglog.Printf(\"Dropping metric: telemetry buffer full or category missing\")\n\t\t\treturn false\n\t\t}\n\t} else if client.batchMeter != nil {\n\t\tif !client.batchMeter.Send(metric) {\n\t\t\tdebuglog.Printf(\"Dropping metric %q: buffer full\", metric.Name)\n\t\t\treturn false\n\t\t}\n\t}\n\n\treturn true\n}\n\n// Recover captures a panic.\n// Returns EventID if successfully, or nil if there's no error to recover from.\nfunc (client *Client) Recover(err interface{}, hint *EventHint, scope EventModifier) *EventID {\n\tif err == nil {\n\t\terr = recover()\n\t}\n\n\t// Normally we would not pass a nil Context, but RecoverWithContext doesn't\n\t// use the Context for communicating deadline nor cancelation. All it does\n\t// is store the Context in the EventHint and there nil means the Context is\n\t// not available.\n\t// nolint: staticcheck\n\treturn client.RecoverWithContext(nil, err, hint, scope)\n}\n\n// RecoverWithContext captures a panic and passes relevant context object.\n// Returns EventID if successfully, or nil if there's no error to recover from.\nfunc (client *Client) RecoverWithContext(\n\tctx context.Context,\n\terr interface{},\n\thint *EventHint,\n\tscope EventModifier,\n) *EventID {\n\tif err == nil {\n\t\terr = recover()\n\t}\n\tif err == nil {\n\t\treturn nil\n\t}\n\n\tif ctx != nil {\n\t\tif hint == nil {\n\t\t\thint = &EventHint{}\n\t\t}\n\t\tif hint.Context == nil {\n\t\t\thint.Context = ctx\n\t\t}\n\t}\n\n\tvar event *Event\n\tswitch err := err.(type) {\n\tcase error:\n\t\tevent = client.EventFromException(err, LevelFatal)\n\tcase string:\n\t\tevent = client.EventFromMessage(err, LevelFatal)\n\tdefault:\n\t\tevent = client.EventFromMessage(fmt.Sprintf(\"%#v\", err), LevelFatal)\n\t}\n\treturn client.CaptureEvent(event, hint, scope)\n}\n\n// Flush waits until the underlying Transport sends any buffered events to the\n// Sentry server, blocking for at most the given timeout. It returns false if\n// the timeout was reached. In that case, some events may not have been sent.\n//\n// Flush should be called before terminating the program to avoid\n// unintentionally dropping events.\n//\n// Do not call Flush indiscriminately after every call to CaptureEvent,\n// CaptureException or CaptureMessage. Instead, to have the SDK send events over\n// the network synchronously, configure it to use the HTTPSyncTransport in the\n// call to Init.\nfunc (client *Client) Flush(timeout time.Duration) bool {\n\tif client.batchLogger != nil || client.batchMeter != nil || client.telemetryProcessor != nil {\n\t\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\t\tdefer cancel()\n\t\treturn client.FlushWithContext(ctx)\n\t}\n\treturn client.Transport.Flush(timeout)\n}\n\n// FlushWithContext waits until the underlying Transport sends any buffered events\n// to the Sentry server, blocking for at most the duration specified by the context.\n// It returns false if the context is canceled before the events are sent. In such a case,\n// some events may not be delivered.\n//\n// FlushWithContext should be called before terminating the program to ensure no\n// events are unintentionally dropped.\n//\n// Avoid calling FlushWithContext indiscriminately after each call to CaptureEvent,\n// CaptureException, or CaptureMessage. To send events synchronously over the network,\n// configure the SDK to use HTTPSyncTransport during initialization with Init.\n\nfunc (client *Client) FlushWithContext(ctx context.Context) bool {\n\tif client.batchLogger != nil {\n\t\tclient.batchLogger.Flush(ctx.Done())\n\t}\n\tif client.batchMeter != nil {\n\t\tclient.batchMeter.Flush(ctx.Done())\n\t}\n\tif client.telemetryProcessor != nil {\n\t\treturn client.telemetryProcessor.FlushWithContext(ctx)\n\t}\n\treturn client.Transport.FlushWithContext(ctx)\n}\n\n// Close clean up underlying Transport resources.\n//\n// Close should be called after Flush and before terminating the program\n// otherwise some events may be lost.\nfunc (client *Client) Close() {\n\tif client.telemetryProcessor != nil {\n\t\tclient.telemetryProcessor.Close(5 * time.Second)\n\t}\n\tif client.batchLogger != nil {\n\t\tclient.batchLogger.Shutdown()\n\t}\n\tif client.batchMeter != nil {\n\t\tclient.batchMeter.Shutdown()\n\t}\n\tclient.Transport.Close()\n}\n\n// EventFromMessage creates an event from the given message string.\nfunc (client *Client) EventFromMessage(message string, level Level) *Event {\n\tif message == \"\" {\n\t\terr := usageError{fmt.Errorf(\"%s called with empty message\", callerFunctionName())}\n\t\treturn client.EventFromException(err, level)\n\t}\n\tevent := NewEvent()\n\tevent.Level = level\n\tevent.Message = message\n\n\tif client.options.AttachStacktrace {\n\t\tevent.Threads = []Thread{{\n\t\t\tStacktrace: NewStacktrace(),\n\t\t\tCrashed: false,\n\t\t\tCurrent: true,\n\t\t}}\n\t}\n\n\treturn event\n}\n\n// EventFromException creates a new Sentry event from the given `error` instance.\nfunc (client *Client) EventFromException(exception error, level Level) *Event {\n\tevent := NewEvent()\n\tevent.Level = level\n\n\terr := exception\n\tif err == nil {\n\t\terr = usageError{fmt.Errorf(\"%s called with nil error\", callerFunctionName())}\n\t}\n\n\tevent.SetException(err, client.options.MaxErrorDepth)\n\n\treturn event\n}\n\n// EventFromCheckIn creates a new Sentry event from the given `check_in` instance.\nfunc (client *Client) EventFromCheckIn(checkIn *CheckIn, monitorConfig *MonitorConfig) *Event {\n\tif checkIn == nil {\n\t\treturn nil\n\t}\n\n\tevent := NewEvent()\n\tevent.Type = checkInType\n\n\tvar checkInID EventID\n\tif checkIn.ID == \"\" {\n\t\tcheckInID = EventID(uuid())\n\t} else {\n\t\tcheckInID = checkIn.ID\n\t}\n\n\tevent.CheckIn = &CheckIn{\n\t\tID: checkInID,\n\t\tMonitorSlug: checkIn.MonitorSlug,\n\t\tStatus: checkIn.Status,\n\t\tDuration: checkIn.Duration,\n\t}\n\tevent.MonitorConfig = monitorConfig\n\n\treturn event\n}\n\nfunc (client *Client) SetSDKIdentifier(identifier string) {\n\tclient.mu.Lock()\n\tdefer client.mu.Unlock()\n\n\tclient.sdkIdentifier = identifier\n}\n\nfunc (client *Client) GetSDKIdentifier() string {\n\tclient.mu.RLock()\n\tdefer client.mu.RUnlock()\n\n\treturn client.sdkIdentifier\n}\n\nfunc (client *Client) processEvent(event *Event, hint *EventHint, scope EventModifier) *EventID {\n\tif event == nil {\n\t\terr := usageError{fmt.Errorf(\"%s called with nil event\", callerFunctionName())}\n\t\treturn client.CaptureException(err, hint, scope)\n\t}\n\n\t// Transactions are sampled by options.TracesSampleRate or\n\t// options.TracesSampler when they are started. Other events\n\t// (errors, messages) are sampled here. Does not apply to check-ins.\n\tif event.Type != transactionType && event.Type != checkInType && !sample(client.options.SampleRate) {\n\t\tdebuglog.Println(\"Event dropped due to SampleRate hit.\")\n\t\treturn nil\n\t}\n\n\tif event = client.prepareEvent(event, hint, scope); event == nil {\n\t\treturn nil\n\t}\n\n\t// Apply beforeSend* processors\n\tif hint == nil {\n\t\thint = &EventHint{}\n\t}\n\tswitch event.Type {\n\tcase transactionType:\n\t\tif client.options.BeforeSendTransaction != nil {\n\t\t\tif event = client.options.BeforeSendTransaction(event, hint); event == nil {\n\t\t\t\tdebuglog.Println(\"Transaction dropped due to BeforeSendTransaction callback.\")\n\t\t\t\treturn nil\n\t\t\t}\n\t\t}\n\tcase checkInType: // not a default case, since we shouldn't apply BeforeSend on check-in events\n\tdefault:\n\t\tif client.options.BeforeSend != nil {\n\t\t\tif event = client.options.BeforeSend(event, hint); event == nil {\n\t\t\t\tdebuglog.Println(\"Event dropped due to BeforeSend callback.\")\n\t\t\t\treturn nil\n\t\t\t}\n\t\t}\n\t}\n\n\tif client.telemetryProcessor != nil {\n\t\tif !client.telemetryProcessor.Add(event) {\n\t\t\tdebuglog.Println(\"Event dropped: telemetry buffer full or unavailable\")\n\t\t}\n\t} else {\n\t\tclient.Transport.SendEvent(event)\n\t}\n\n\treturn &event.EventID\n}\n\nfunc (client *Client) prepareEvent(event *Event, hint *EventHint, scope EventModifier) *Event {\n\tif event.EventID == \"\" {\n\t\t// TODO set EventID when the event is created, same as in other SDKs. It's necessary for profileTransaction.ID.\n\t\tevent.EventID = EventID(uuid())\n\t}\n\n\tif event.Timestamp.IsZero() {\n\t\tevent.Timestamp = time.Now()\n\t}\n\n\tif event.Level == \"\" {\n\t\tevent.Level = LevelInfo\n\t}\n\n\tif event.ServerName == \"\" {\n\t\tevent.ServerName = client.options.ServerName\n\n\t\tif event.ServerName == \"\" {\n\t\t\tevent.ServerName = hostname\n\t\t}\n\t}\n\n\tif event.Release == \"\" {\n\t\tevent.Release = client.options.Release\n\t}\n\n\tif event.Dist == \"\" {\n\t\tevent.Dist = client.options.Dist\n\t}\n\n\tif event.Environment == \"\" {\n\t\tevent.Environment = client.options.Environment\n\t}\n\n\tevent.Platform = \"go\"\n\tevent.Sdk = SdkInfo{\n\t\tName: client.GetSDKIdentifier(),\n\t\tVersion: SDKVersion,\n\t\tIntegrations: client.listIntegrations(),\n\t\tPackages: []SdkPackage{{\n\t\t\tName: \"sentry-go\",\n\t\t\tVersion: SDKVersion,\n\t\t}},\n\t}\n\n\tif scope != nil {\n\t\tevent = scope.ApplyToEvent(event, hint, client)\n\t\tif event == nil {\n\t\t\treturn nil\n\t\t}\n\t}\n\n\tfor _, processor := range client.eventProcessors {\n\t\tid := event.EventID\n\t\tevent = processor(event, hint)\n\t\tif event == nil {\n\t\t\tdebuglog.Printf(\"Event dropped by one of the Client EventProcessors: %s\\n\", id)\n\t\t\treturn nil\n\t\t}\n\t}\n\n\tfor _, processor := range globalEventProcessors {\n\t\tid := event.EventID\n\t\tevent = processor(event, hint)\n\t\tif event == nil {\n\t\t\tdebuglog.Printf(\"Event dropped by one of the Global EventProcessors: %s\\n\", id)\n\t\t\treturn nil\n\t\t}\n\t}\n\n\treturn event\n}\n\nfunc (client *Client) listIntegrations() []string {\n\tintegrations := make([]string, len(client.integrations))\n\tfor i, integration := range client.integrations {\n\t\tintegrations[i] = integration.Name()\n\t}\n\treturn integrations\n}\n\nfunc (client *Client) integrationAlreadyInstalled(name string) bool {\n\tfor _, integration := range client.integrations {\n\t\tif integration.Name() == name {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// sample returns true with the given probability, which must be in the range\n// [0.0, 1.0].\nfunc sample(probability float64) bool {\n\treturn rng.Float64() < probability\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/doc.go", "content": "/*\nPackage repository: https://github.com/getsentry/sentry-go/\n\nFor more information about Sentry and SDK features, please have a look at the official documentation site: https://docs.sentry.io/platforms/go/\n*/\npackage sentry\n" }, { "path": "vendor/github.com/getsentry/sentry-go/dsn.go", "content": "package sentry\n\nimport (\n\t\"github.com/getsentry/sentry-go/internal/protocol\"\n)\n\n// Re-export protocol types to maintain public API compatibility\n\n// Dsn is used as the remote address source to client transport.\ntype Dsn struct {\n\tprotocol.Dsn\n}\n\n// DsnParseError represents an error that occurs if a Sentry\n// DSN cannot be parsed.\ntype DsnParseError = protocol.DsnParseError\n\n// NewDsn creates a Dsn by parsing rawURL. Most users will never call this\n// function directly. It is provided for use in custom Transport\n// implementations.\nfunc NewDsn(rawURL string) (*Dsn, error) {\n\tprotocolDsn, err := protocol.NewDsn(rawURL)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &Dsn{Dsn: *protocolDsn}, nil\n}\n\n// RequestHeaders returns all the necessary headers that have to be used in the transport when sending events\n// to the /store endpoint.\n//\n// Deprecated: This method shall only be used if you want to implement your own transport that sends events to\n// the /store endpoint. If you're using the transport provided by the SDK, all necessary headers to authenticate\n// against the /envelope endpoint are added automatically.\nfunc (dsn Dsn) RequestHeaders() map[string]string {\n\treturn dsn.Dsn.RequestHeaders(SDKVersion)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/dynamic_sampling_context.go", "content": "package sentry\n\nimport (\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/getsentry/sentry-go/internal/otel/baggage\"\n)\n\nconst (\n\tsentryPrefix = \"sentry-\"\n)\n\n// DynamicSamplingContext holds information about the current event that can be used to make dynamic sampling decisions.\ntype DynamicSamplingContext struct {\n\tEntries map[string]string\n\tFrozen bool\n}\n\nfunc DynamicSamplingContextFromHeader(header []byte) (DynamicSamplingContext, error) {\n\tbag, err := baggage.Parse(string(header))\n\tif err != nil {\n\t\treturn DynamicSamplingContext{}, err\n\t}\n\n\tentries := map[string]string{}\n\tfor _, member := range bag.Members() {\n\t\t// We only store baggage members if their key starts with \"sentry-\".\n\t\tif k, v := member.Key(), member.Value(); strings.HasPrefix(k, sentryPrefix) {\n\t\t\tentries[strings.TrimPrefix(k, sentryPrefix)] = v\n\t\t}\n\t}\n\n\treturn DynamicSamplingContext{\n\t\tEntries: entries,\n\t\t// If there's at least one Sentry value, we consider the DSC frozen\n\t\tFrozen: len(entries) > 0,\n\t}, nil\n}\n\nfunc DynamicSamplingContextFromTransaction(span *Span) DynamicSamplingContext {\n\thub := hubFromContext(span.Context())\n\tscope := hub.Scope()\n\tclient := hub.Client()\n\n\tif client == nil || scope == nil {\n\t\treturn DynamicSamplingContext{\n\t\t\tEntries: map[string]string{},\n\t\t\tFrozen: false,\n\t\t}\n\t}\n\n\tentries := make(map[string]string)\n\n\tif traceID := span.TraceID.String(); traceID != \"\" {\n\t\tentries[\"trace_id\"] = traceID\n\t}\n\tif sampleRate := span.sampleRate; sampleRate != 0 {\n\t\tentries[\"sample_rate\"] = strconv.FormatFloat(sampleRate, 'f', -1, 64)\n\t}\n\n\tif dsn := client.dsn; dsn != nil {\n\t\tif publicKey := dsn.GetPublicKey(); publicKey != \"\" {\n\t\t\tentries[\"public_key\"] = publicKey\n\t\t}\n\t}\n\tif release := client.options.Release; release != \"\" {\n\t\tentries[\"release\"] = release\n\t}\n\tif environment := client.options.Environment; environment != \"\" {\n\t\tentries[\"environment\"] = environment\n\t}\n\n\t// Only include the transaction name if it's of good quality (not empty and not SourceURL)\n\tif span.Source != \"\" && span.Source != SourceURL {\n\t\tif span.IsTransaction() {\n\t\t\tentries[\"transaction\"] = span.Name\n\t\t}\n\t}\n\n\tentries[\"sampled\"] = strconv.FormatBool(span.Sampled.Bool())\n\n\treturn DynamicSamplingContext{Entries: entries, Frozen: true}\n}\n\nfunc (d DynamicSamplingContext) HasEntries() bool {\n\treturn len(d.Entries) > 0\n}\n\nfunc (d DynamicSamplingContext) IsFrozen() bool {\n\treturn d.Frozen\n}\n\nfunc (d DynamicSamplingContext) String() string {\n\tmembers := []baggage.Member{}\n\tfor k, entry := range d.Entries {\n\t\tmember, err := baggage.NewMember(sentryPrefix+k, entry)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tmembers = append(members, member)\n\t}\n\n\tif len(members) == 0 {\n\t\treturn \"\"\n\t}\n\n\tbaggage, err := baggage.New(members...)\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\n\treturn baggage.String()\n}\n\n// Constructs a new DynamicSamplingContext using a scope and client. Accessing\n// fields on the scope are not thread safe, and this function should only be\n// called within scope methods.\nfunc DynamicSamplingContextFromScope(scope *Scope, client *Client) DynamicSamplingContext {\n\tentries := map[string]string{}\n\n\tif client == nil || scope == nil {\n\t\treturn DynamicSamplingContext{\n\t\t\tEntries: entries,\n\t\t\tFrozen: false,\n\t\t}\n\t}\n\n\tpropagationContext := scope.propagationContext\n\n\tif traceID := propagationContext.TraceID.String(); traceID != \"\" {\n\t\tentries[\"trace_id\"] = traceID\n\t}\n\tif sampleRate := client.options.TracesSampleRate; sampleRate != 0 {\n\t\tentries[\"sample_rate\"] = strconv.FormatFloat(sampleRate, 'f', -1, 64)\n\t}\n\n\tif dsn := client.dsn; dsn != nil {\n\t\tif publicKey := dsn.GetPublicKey(); publicKey != \"\" {\n\t\t\tentries[\"public_key\"] = publicKey\n\t\t}\n\t}\n\tif release := client.options.Release; release != \"\" {\n\t\tentries[\"release\"] = release\n\t}\n\tif environment := client.options.Environment; environment != \"\" {\n\t\tentries[\"environment\"] = environment\n\t}\n\n\treturn DynamicSamplingContext{\n\t\tEntries: entries,\n\t\tFrozen: true,\n\t}\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/exception.go", "content": "package sentry\n\nimport (\n\t\"fmt\"\n\t\"reflect\"\n\t\"slices\"\n)\n\nconst (\n\tMechanismTypeGeneric string = \"generic\"\n\tMechanismTypeChained string = \"chained\"\n\tMechanismTypeUnwrap string = \"unwrap\"\n\tMechanismSourceCause string = \"cause\"\n)\n\ntype visited struct {\n\tptrs map[uintptr]struct{}\n\tmsgs map[string]struct{}\n}\n\nfunc (v *visited) seenError(err error) bool {\n\tt := reflect.ValueOf(err)\n\tif t.Kind() == reflect.Ptr && !t.IsNil() {\n\t\tptr := t.Pointer()\n\t\tif _, ok := v.ptrs[ptr]; ok {\n\t\t\treturn true\n\t\t}\n\t\tv.ptrs[ptr] = struct{}{}\n\t\treturn false\n\t}\n\n\tkey := t.String() + err.Error()\n\tif _, ok := v.msgs[key]; ok {\n\t\treturn true\n\t}\n\tv.msgs[key] = struct{}{}\n\treturn false\n}\n\nfunc convertErrorToExceptions(err error, maxErrorDepth int) []Exception {\n\tvar exceptions []Exception\n\tvis := &visited{\n\t\tptrs: make(map[uintptr]struct{}),\n\t\tmsgs: make(map[string]struct{}),\n\t}\n\tconvertErrorDFS(err, &exceptions, nil, \"\", vis, maxErrorDepth, 0)\n\n\t// mechanism type is used for debugging purposes, but since we can't really distinguish the origin of who invoked\n\t// captureException, we set it to nil if the error is not chained.\n\tif len(exceptions) == 1 {\n\t\texceptions[0].Mechanism = nil\n\t}\n\n\tslices.Reverse(exceptions)\n\n\t// Add a trace of the current stack to the top level(outermost) error in a chain if\n\t// it doesn't have a stack trace yet.\n\t// We only add to the most recent error to avoid duplication and because the\n\t// current stack is most likely unrelated to errors deeper in the chain.\n\tif len(exceptions) > 0 && exceptions[len(exceptions)-1].Stacktrace == nil {\n\t\texceptions[len(exceptions)-1].Stacktrace = NewStacktrace()\n\t}\n\n\treturn exceptions\n}\n\nfunc convertErrorDFS(err error, exceptions *[]Exception, parentID *int, source string, visited *visited, maxErrorDepth int, currentDepth int) {\n\tif err == nil {\n\t\treturn\n\t}\n\n\tif visited.seenError(err) {\n\t\treturn\n\t}\n\n\t_, isExceptionGroup := err.(interface{ Unwrap() []error })\n\n\texception := Exception{\n\t\tValue: err.Error(),\n\t\tType: reflect.TypeOf(err).String(),\n\t\tStacktrace: ExtractStacktrace(err),\n\t}\n\n\tcurrentID := len(*exceptions)\n\n\tvar mechanismType string\n\n\tif parentID == nil {\n\t\tmechanismType = MechanismTypeGeneric\n\t\tsource = \"\"\n\t} else {\n\t\tmechanismType = MechanismTypeChained\n\t}\n\n\texception.Mechanism = &Mechanism{\n\t\tType: mechanismType,\n\t\tExceptionID: currentID,\n\t\tParentID: parentID,\n\t\tSource: source,\n\t\tIsExceptionGroup: isExceptionGroup,\n\t}\n\n\t*exceptions = append(*exceptions, exception)\n\n\tif maxErrorDepth >= 0 && currentDepth >= maxErrorDepth {\n\t\treturn\n\t}\n\n\tswitch v := err.(type) {\n\tcase interface{ Unwrap() []error }:\n\t\tunwrapped := v.Unwrap()\n\t\tfor i := range unwrapped {\n\t\t\tif unwrapped[i] != nil {\n\t\t\t\tchildSource := fmt.Sprintf(\"errors[%d]\", i)\n\t\t\t\tconvertErrorDFS(unwrapped[i], exceptions, ¤tID, childSource, visited, maxErrorDepth, currentDepth+1)\n\t\t\t}\n\t\t}\n\tcase interface{ Unwrap() error }:\n\t\tunwrapped := v.Unwrap()\n\t\tif unwrapped != nil {\n\t\t\tconvertErrorDFS(unwrapped, exceptions, ¤tID, MechanismTypeUnwrap, visited, maxErrorDepth, currentDepth+1)\n\t\t}\n\tcase interface{ Cause() error }:\n\t\tcause := v.Cause()\n\t\tif cause != nil {\n\t\t\tconvertErrorDFS(cause, exceptions, ¤tID, MechanismSourceCause, visited, maxErrorDepth, currentDepth+1)\n\t\t}\n\t}\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/hub.go", "content": "package sentry\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n)\n\ntype contextKey int\n\n// Keys used to store values in a Context. Use with Context.Value to access\n// values stored by the SDK.\nconst (\n\t// HubContextKey is the key used to store the current Hub.\n\tHubContextKey = contextKey(1)\n\t// RequestContextKey is the key used to store the current http.Request.\n\tRequestContextKey = contextKey(2)\n)\n\n// currentHub is the initial Hub with no Client bound and an empty Scope.\nvar currentHub = NewHub(nil, NewScope())\n\n// Hub is the central object that manages scopes and clients.\n//\n// This can be used to capture events and manage the scope.\n// The default hub that is available automatically.\n//\n// In most situations developers do not need to interface the hub. Instead\n// toplevel convenience functions are exposed that will automatically dispatch\n// to global (CurrentHub) hub. In some situations this might not be\n// possible in which case it might become necessary to manually work with the\n// hub. This is for instance the case when working with async code.\ntype Hub struct {\n\tmu sync.RWMutex\n\tstack *stack\n\tlastEventID EventID\n}\n\ntype layer struct {\n\t// mu protects concurrent reads and writes to client.\n\tmu sync.RWMutex\n\tclient *Client\n\t// scope is read-only, not protected by mu.\n\tscope *Scope\n}\n\n// Client returns the layer's client. Safe for concurrent use.\nfunc (l *layer) Client() *Client {\n\tl.mu.RLock()\n\tdefer l.mu.RUnlock()\n\treturn l.client\n}\n\n// SetClient sets the layer's client. Safe for concurrent use.\nfunc (l *layer) SetClient(c *Client) {\n\tl.mu.Lock()\n\tdefer l.mu.Unlock()\n\tl.client = c\n}\n\ntype stack []*layer\n\n// NewHub returns an instance of a Hub with provided Client and Scope bound.\nfunc NewHub(client *Client, scope *Scope) *Hub {\n\thub := Hub{\n\t\tstack: &stack{{\n\t\t\tclient: client,\n\t\t\tscope: scope,\n\t\t}},\n\t}\n\treturn &hub\n}\n\n// CurrentHub returns an instance of previously initialized Hub stored in the global namespace.\nfunc CurrentHub() *Hub {\n\treturn currentHub\n}\n\n// LastEventID returns the ID of the last event (error or message) captured\n// through the hub and sent to the underlying transport.\n//\n// Transactions and events dropped by sampling or event processors do not change\n// the last event ID.\n//\n// LastEventID is a convenience method to cover use cases in which errors are\n// captured indirectly and the ID is needed. For example, it can be used as part\n// of an HTTP middleware to log the ID of the last error, if any.\n//\n// For more flexibility, consider instead using the ClientOptions.BeforeSend\n// function or event processors.\nfunc (hub *Hub) LastEventID() EventID {\n\thub.mu.RLock()\n\tdefer hub.mu.RUnlock()\n\n\treturn hub.lastEventID\n}\n\n// stackTop returns the top layer of the hub stack. Valid hubs always have at\n// least one layer, therefore stackTop always return a non-nil pointer.\nfunc (hub *Hub) stackTop() *layer {\n\thub.mu.RLock()\n\tdefer hub.mu.RUnlock()\n\n\tstack := hub.stack\n\tstackLen := len(*stack)\n\ttop := (*stack)[stackLen-1]\n\treturn top\n}\n\n// Clone returns a copy of the current Hub with top-most scope and client copied over.\nfunc (hub *Hub) Clone() *Hub {\n\ttop := hub.stackTop()\n\tscope := top.scope\n\tif scope != nil {\n\t\tscope = scope.Clone()\n\t}\n\treturn NewHub(top.Client(), scope)\n}\n\n// Scope returns top-level Scope of the current Hub or nil if no Scope is bound.\nfunc (hub *Hub) Scope() *Scope {\n\ttop := hub.stackTop()\n\treturn top.scope\n}\n\n// Client returns top-level Client of the current Hub or nil if no Client is bound.\nfunc (hub *Hub) Client() *Client {\n\ttop := hub.stackTop()\n\treturn top.Client()\n}\n\n// PushScope pushes a new scope for the current Hub and reuses previously bound Client.\nfunc (hub *Hub) PushScope() *Scope {\n\ttop := hub.stackTop()\n\n\tvar scope *Scope\n\tif top.scope != nil {\n\t\tscope = top.scope.Clone()\n\t} else {\n\t\tscope = NewScope()\n\t}\n\n\thub.mu.Lock()\n\tdefer hub.mu.Unlock()\n\n\t*hub.stack = append(*hub.stack, &layer{\n\t\tclient: top.Client(),\n\t\tscope: scope,\n\t})\n\n\treturn scope\n}\n\n// PopScope drops the most recent scope.\n//\n// Calls to PopScope must be coordinated with PushScope. For most cases, using\n// WithScope should be more convenient.\n//\n// Calls to PopScope that do not match previous calls to PushScope are silently\n// ignored.\nfunc (hub *Hub) PopScope() {\n\thub.mu.Lock()\n\tdefer hub.mu.Unlock()\n\n\tstack := *hub.stack\n\tstackLen := len(stack)\n\tif stackLen > 1 {\n\t\t// Never pop the last item off the stack, the stack should always have\n\t\t// at least one item.\n\t\t*hub.stack = stack[0 : stackLen-1]\n\t}\n}\n\n// BindClient binds a new Client for the current Hub.\nfunc (hub *Hub) BindClient(client *Client) {\n\ttop := hub.stackTop()\n\ttop.SetClient(client)\n}\n\n// WithScope runs f in an isolated temporary scope.\n//\n// It is useful when extra data should be sent with a single capture call, for\n// instance a different level or tags.\n//\n// The scope passed to f starts as a clone of the current scope and can be\n// freely modified without affecting the current scope.\n//\n// It is a shorthand for PushScope followed by PopScope.\nfunc (hub *Hub) WithScope(f func(scope *Scope)) {\n\tscope := hub.PushScope()\n\tdefer hub.PopScope()\n\tf(scope)\n}\n\n// ConfigureScope runs f in the current scope.\n//\n// It is useful to set data that applies to all events that share the current\n// scope.\n//\n// Modifying the scope affects all references to the current scope.\n//\n// See also WithScope for making isolated temporary changes.\nfunc (hub *Hub) ConfigureScope(f func(scope *Scope)) {\n\tscope := hub.Scope()\n\tf(scope)\n}\n\n// CaptureEvent calls the method of a same name on currently bound Client instance\n// passing it a top-level Scope.\n// Returns EventID if successfully, or nil if there's no Scope or Client available.\nfunc (hub *Hub) CaptureEvent(event *Event) *EventID {\n\tclient, scope := hub.Client(), hub.Scope()\n\tif client == nil || scope == nil {\n\t\treturn nil\n\t}\n\teventID := client.CaptureEvent(event, nil, scope)\n\n\tif event.Type != transactionType && eventID != nil {\n\t\thub.mu.Lock()\n\t\thub.lastEventID = *eventID\n\t\thub.mu.Unlock()\n\t}\n\treturn eventID\n}\n\n// CaptureMessage calls the method of a same name on currently bound Client instance\n// passing it a top-level Scope.\n// Returns EventID if successfully, or nil if there's no Scope or Client available.\nfunc (hub *Hub) CaptureMessage(message string) *EventID {\n\tclient, scope := hub.Client(), hub.Scope()\n\tif client == nil || scope == nil {\n\t\treturn nil\n\t}\n\teventID := client.CaptureMessage(message, nil, scope)\n\n\tif eventID != nil {\n\t\thub.mu.Lock()\n\t\thub.lastEventID = *eventID\n\t\thub.mu.Unlock()\n\t}\n\treturn eventID\n}\n\n// CaptureException calls the method of a same name on currently bound Client instance\n// passing it a top-level Scope.\n// Returns EventID if successfully, or nil if there's no Scope or Client available.\nfunc (hub *Hub) CaptureException(exception error) *EventID {\n\tclient, scope := hub.Client(), hub.Scope()\n\tif client == nil || scope == nil {\n\t\treturn nil\n\t}\n\teventID := client.CaptureException(exception, &EventHint{OriginalException: exception}, scope)\n\n\tif eventID != nil {\n\t\thub.mu.Lock()\n\t\thub.lastEventID = *eventID\n\t\thub.mu.Unlock()\n\t}\n\treturn eventID\n}\n\n// CaptureCheckIn calls the method of the same name on currently bound Client instance\n// passing it a top-level Scope.\n// Returns CheckInID if the check-in was captured successfully, or nil otherwise.\nfunc (hub *Hub) CaptureCheckIn(checkIn *CheckIn, monitorConfig *MonitorConfig) *EventID {\n\tclient, scope := hub.Client(), hub.Scope()\n\tif client == nil {\n\t\treturn nil\n\t}\n\n\treturn client.CaptureCheckIn(checkIn, monitorConfig, scope)\n}\n\n// AddBreadcrumb records a new breadcrumb.\n//\n// The total number of breadcrumbs that can be recorded are limited by the\n// configuration on the client.\nfunc (hub *Hub) AddBreadcrumb(breadcrumb *Breadcrumb, hint *BreadcrumbHint) {\n\tclient := hub.Client()\n\n\t// If there's no client, just store it on the scope straight away\n\tif client == nil {\n\t\thub.Scope().AddBreadcrumb(breadcrumb, defaultMaxBreadcrumbs)\n\t\treturn\n\t}\n\n\tlimit := client.options.MaxBreadcrumbs\n\tswitch {\n\tcase limit < 0:\n\t\treturn\n\tcase limit == 0:\n\t\tlimit = defaultMaxBreadcrumbs\n\t}\n\n\tif client.options.BeforeBreadcrumb != nil {\n\t\tif hint == nil {\n\t\t\thint = &BreadcrumbHint{}\n\t\t}\n\t\tif breadcrumb = client.options.BeforeBreadcrumb(breadcrumb, hint); breadcrumb == nil {\n\t\t\tdebuglog.Println(\"breadcrumb dropped due to BeforeBreadcrumb callback.\")\n\t\t\treturn\n\t\t}\n\t}\n\n\thub.Scope().AddBreadcrumb(breadcrumb, limit)\n}\n\n// Recover calls the method of a same name on currently bound Client instance\n// passing it a top-level Scope.\n// Returns EventID if successfully, or nil if there's no Scope or Client available.\nfunc (hub *Hub) Recover(err interface{}) *EventID {\n\tif err == nil {\n\t\terr = recover()\n\t}\n\tclient, scope := hub.Client(), hub.Scope()\n\tif client == nil || scope == nil {\n\t\treturn nil\n\t}\n\treturn client.Recover(err, &EventHint{RecoveredException: err}, scope)\n}\n\n// RecoverWithContext calls the method of a same name on currently bound Client instance\n// passing it a top-level Scope.\n// Returns EventID if successfully, or nil if there's no Scope or Client available.\nfunc (hub *Hub) RecoverWithContext(ctx context.Context, err interface{}) *EventID {\n\tif err == nil {\n\t\terr = recover()\n\t}\n\tclient, scope := hub.Client(), hub.Scope()\n\tif client == nil || scope == nil {\n\t\treturn nil\n\t}\n\treturn client.RecoverWithContext(ctx, err, &EventHint{RecoveredException: err}, scope)\n}\n\n// Flush waits until the underlying Transport sends any buffered events to the\n// Sentry server, blocking for at most the given timeout. It returns false if\n// the timeout was reached. In that case, some events may not have been sent.\n//\n// Flush should be called before terminating the program to avoid\n// unintentionally dropping events.\n//\n// Do not call Flush indiscriminately after every call to CaptureEvent,\n// CaptureException or CaptureMessage. Instead, to have the SDK send events over\n// the network synchronously, configure it to use the HTTPSyncTransport in the\n// call to Init.\nfunc (hub *Hub) Flush(timeout time.Duration) bool {\n\tclient := hub.Client()\n\n\tif client == nil {\n\t\treturn false\n\t}\n\n\treturn client.Flush(timeout)\n}\n\n// FlushWithContext waits until the underlying Transport sends any buffered events\n// to the Sentry server, blocking for at most the duration specified by the context.\n// It returns false if the context is canceled before the events are sent. In such a case,\n// some events may not be delivered.\n//\n// FlushWithContext should be called before terminating the program to ensure no\n// events are unintentionally dropped.\n//\n// Avoid calling FlushWithContext indiscriminately after each call to CaptureEvent,\n// CaptureException, or CaptureMessage. To send events synchronously over the network,\n// configure the SDK to use HTTPSyncTransport during initialization with Init.\n\nfunc (hub *Hub) FlushWithContext(ctx context.Context) bool {\n\tclient := hub.Client()\n\n\tif client == nil {\n\t\treturn false\n\t}\n\n\treturn client.FlushWithContext(ctx)\n}\n\n// GetTraceparent returns the current Sentry traceparent string, to be used as a HTTP header value\n// or HTML meta tag value.\n// This function is context aware, as in it either returns the traceparent based\n// on the current span, or the scope's propagation context.\nfunc (hub *Hub) GetTraceparent() string {\n\tscope := hub.Scope()\n\n\tif scope.span != nil {\n\t\treturn scope.span.ToSentryTrace()\n\t}\n\n\treturn fmt.Sprintf(\"%s-%s\", scope.propagationContext.TraceID, scope.propagationContext.SpanID)\n}\n\n// GetTraceparentW3C returns the current traceparent string in W3C format.\n// This is intended for propagation to downstream services that expect the W3C header.\nfunc (hub *Hub) GetTraceparentW3C() string {\n\tscope := hub.Scope()\n\tif scope.span != nil {\n\t\treturn scope.span.ToTraceparent()\n\t}\n\n\treturn fmt.Sprintf(\"00-%s-%s-00\", scope.propagationContext.TraceID, scope.propagationContext.SpanID)\n}\n\n// GetBaggage returns the current Sentry baggage string, to be used as a HTTP header value\n// or HTML meta tag value.\n// This function is context aware, as in it either returns the baggage based\n// on the current span or the scope's propagation context.\nfunc (hub *Hub) GetBaggage() string {\n\tscope := hub.Scope()\n\n\tif scope.span != nil {\n\t\treturn scope.span.ToBaggage()\n\t}\n\n\treturn scope.propagationContext.DynamicSamplingContext.String()\n}\n\n// HasHubOnContext checks whether Hub instance is bound to a given Context struct.\nfunc HasHubOnContext(ctx context.Context) bool {\n\t_, ok := ctx.Value(HubContextKey).(*Hub)\n\treturn ok\n}\n\n// GetHubFromContext tries to retrieve Hub instance from the given Context struct\n// or return nil if one is not found.\nfunc GetHubFromContext(ctx context.Context) *Hub {\n\tif hub, ok := ctx.Value(HubContextKey).(*Hub); ok {\n\t\treturn hub\n\t}\n\treturn nil\n}\n\n// hubFromContext returns either a hub stored in the context or the current hub.\n// The return value is guaranteed to be non-nil, unlike GetHubFromContext.\nfunc hubFromContext(ctx context.Context) *Hub {\n\tif hub, ok := ctx.Value(HubContextKey).(*Hub); ok {\n\t\treturn hub\n\t}\n\treturn currentHub\n}\n\n// SetHubOnContext stores given Hub instance on the Context struct and returns a new Context.\nfunc SetHubOnContext(ctx context.Context, hub *Hub) context.Context {\n\treturn context.WithValue(ctx, HubContextKey, hub)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/integrations.go", "content": "package sentry\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"runtime/debug\"\n\t\"strings\"\n\t\"sync\"\n\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n)\n\n// ================================\n// Modules Integration\n// ================================\n\ntype modulesIntegration struct {\n\tonce sync.Once\n\tmodules map[string]string\n}\n\nfunc (mi *modulesIntegration) Name() string {\n\treturn \"Modules\"\n}\n\nfunc (mi *modulesIntegration) SetupOnce(client *Client) {\n\tclient.AddEventProcessor(mi.processor)\n}\n\nfunc (mi *modulesIntegration) processor(event *Event, _ *EventHint) *Event {\n\tif len(event.Modules) == 0 {\n\t\tmi.once.Do(func() {\n\t\t\tinfo, ok := debug.ReadBuildInfo()\n\t\t\tif !ok {\n\t\t\t\tdebuglog.Print(\"The Modules integration is not available in binaries built without module support.\")\n\t\t\t\treturn\n\t\t\t}\n\t\t\tmi.modules = extractModules(info)\n\t\t})\n\t}\n\tevent.Modules = mi.modules\n\treturn event\n}\n\nfunc extractModules(info *debug.BuildInfo) map[string]string {\n\tmodules := map[string]string{\n\t\tinfo.Main.Path: info.Main.Version,\n\t}\n\tfor _, dep := range info.Deps {\n\t\tver := dep.Version\n\t\tif dep.Replace != nil {\n\t\t\tver += fmt.Sprintf(\" => %s %s\", dep.Replace.Path, dep.Replace.Version)\n\t\t}\n\t\tmodules[dep.Path] = strings.TrimSuffix(ver, \" \")\n\t}\n\treturn modules\n}\n\n// ================================\n// Environment Integration\n// ================================\n\ntype environmentIntegration struct{}\n\nfunc (ei *environmentIntegration) Name() string {\n\treturn \"Environment\"\n}\n\nfunc (ei *environmentIntegration) SetupOnce(client *Client) {\n\tclient.AddEventProcessor(ei.processor)\n}\n\nfunc (ei *environmentIntegration) processor(event *Event, _ *EventHint) *Event {\n\t// Initialize maps as necessary.\n\tcontextNames := []string{\"device\", \"os\", \"runtime\"}\n\tif event.Contexts == nil {\n\t\tevent.Contexts = make(map[string]Context, len(contextNames))\n\t}\n\tfor _, name := range contextNames {\n\t\tif event.Contexts[name] == nil {\n\t\t\tevent.Contexts[name] = make(Context)\n\t\t}\n\t}\n\n\t// Set contextual information preserving existing data. For each context, if\n\t// the existing value is not of type map[string]interface{}, then no\n\t// additional information is added.\n\tif deviceContext, ok := event.Contexts[\"device\"]; ok {\n\t\tif _, ok := deviceContext[\"arch\"]; !ok {\n\t\t\tdeviceContext[\"arch\"] = runtime.GOARCH\n\t\t}\n\t\tif _, ok := deviceContext[\"num_cpu\"]; !ok {\n\t\t\tdeviceContext[\"num_cpu\"] = runtime.NumCPU()\n\t\t}\n\t}\n\tif osContext, ok := event.Contexts[\"os\"]; ok {\n\t\tif _, ok := osContext[\"name\"]; !ok {\n\t\t\tosContext[\"name\"] = runtime.GOOS\n\t\t}\n\t}\n\tif runtimeContext, ok := event.Contexts[\"runtime\"]; ok {\n\t\tif _, ok := runtimeContext[\"name\"]; !ok {\n\t\t\truntimeContext[\"name\"] = \"go\"\n\t\t}\n\t\tif _, ok := runtimeContext[\"version\"]; !ok {\n\t\t\truntimeContext[\"version\"] = runtime.Version()\n\t\t}\n\t\tif _, ok := runtimeContext[\"go_numroutines\"]; !ok {\n\t\t\truntimeContext[\"go_numroutines\"] = runtime.NumGoroutine()\n\t\t}\n\t\tif _, ok := runtimeContext[\"go_maxprocs\"]; !ok {\n\t\t\truntimeContext[\"go_maxprocs\"] = runtime.GOMAXPROCS(0)\n\t\t}\n\t\tif _, ok := runtimeContext[\"go_numcgocalls\"]; !ok {\n\t\t\truntimeContext[\"go_numcgocalls\"] = runtime.NumCgoCall()\n\t\t}\n\t}\n\treturn event\n}\n\n// ================================\n// Ignore Errors Integration\n// ================================\n\ntype ignoreErrorsIntegration struct {\n\tignoreErrors []*regexp.Regexp\n}\n\nfunc (iei *ignoreErrorsIntegration) Name() string {\n\treturn \"IgnoreErrors\"\n}\n\nfunc (iei *ignoreErrorsIntegration) SetupOnce(client *Client) {\n\tiei.ignoreErrors = transformStringsIntoRegexps(client.options.IgnoreErrors)\n\tclient.AddEventProcessor(iei.processor)\n}\n\nfunc (iei *ignoreErrorsIntegration) processor(event *Event, _ *EventHint) *Event {\n\tsuspects := getIgnoreErrorsSuspects(event)\n\n\tfor _, suspect := range suspects {\n\t\tfor _, pattern := range iei.ignoreErrors {\n\t\t\tif pattern.Match([]byte(suspect)) || strings.Contains(suspect, pattern.String()) {\n\t\t\t\tdebuglog.Printf(\"Event dropped due to being matched by `IgnoreErrors` option.\"+\n\t\t\t\t\t\"| Value matched: %s | Filter used: %s\", suspect, pattern)\n\t\t\t\treturn nil\n\t\t\t}\n\t\t}\n\t}\n\n\treturn event\n}\n\nfunc transformStringsIntoRegexps(strings []string) []*regexp.Regexp {\n\tvar exprs []*regexp.Regexp\n\n\tfor _, s := range strings {\n\t\tr, err := regexp.Compile(s)\n\t\tif err == nil {\n\t\t\texprs = append(exprs, r)\n\t\t}\n\t}\n\n\treturn exprs\n}\n\nfunc getIgnoreErrorsSuspects(event *Event) []string {\n\tsuspects := []string{}\n\n\tif event.Message != \"\" {\n\t\tsuspects = append(suspects, event.Message)\n\t}\n\n\tfor _, ex := range event.Exception {\n\t\tsuspects = append(suspects, ex.Type, ex.Value)\n\t}\n\n\treturn suspects\n}\n\n// ================================\n// Ignore Transactions Integration\n// ================================\n\ntype ignoreTransactionsIntegration struct {\n\tignoreTransactions []*regexp.Regexp\n}\n\nfunc (iei *ignoreTransactionsIntegration) Name() string {\n\treturn \"IgnoreTransactions\"\n}\n\nfunc (iei *ignoreTransactionsIntegration) SetupOnce(client *Client) {\n\tiei.ignoreTransactions = transformStringsIntoRegexps(client.options.IgnoreTransactions)\n\tclient.AddEventProcessor(iei.processor)\n}\n\nfunc (iei *ignoreTransactionsIntegration) processor(event *Event, _ *EventHint) *Event {\n\tsuspect := event.Transaction\n\tif suspect == \"\" {\n\t\treturn event\n\t}\n\n\tfor _, pattern := range iei.ignoreTransactions {\n\t\tif pattern.Match([]byte(suspect)) || strings.Contains(suspect, pattern.String()) {\n\t\t\tdebuglog.Printf(\"Transaction dropped due to being matched by `IgnoreTransactions` option.\"+\n\t\t\t\t\"| Value matched: %s | Filter used: %s\", suspect, pattern)\n\t\t\treturn nil\n\t\t}\n\t}\n\n\treturn event\n}\n\n// ================================\n// Contextify Frames Integration\n// ================================\n\ntype contextifyFramesIntegration struct {\n\tsr sourceReader\n\tcontextLines int\n\tcachedLocations sync.Map\n}\n\nfunc (cfi *contextifyFramesIntegration) Name() string {\n\treturn \"ContextifyFrames\"\n}\n\nfunc (cfi *contextifyFramesIntegration) SetupOnce(client *Client) {\n\tcfi.sr = newSourceReader()\n\tcfi.contextLines = 5\n\n\tclient.AddEventProcessor(cfi.processor)\n}\n\nfunc (cfi *contextifyFramesIntegration) processor(event *Event, _ *EventHint) *Event {\n\t// Range over all exceptions\n\tfor _, ex := range event.Exception {\n\t\t// If it has no stacktrace, just bail out\n\t\tif ex.Stacktrace == nil {\n\t\t\tcontinue\n\t\t}\n\n\t\t// If it does, it should have frames, so try to contextify them\n\t\tex.Stacktrace.Frames = cfi.contextify(ex.Stacktrace.Frames)\n\t}\n\n\t// Range over all threads\n\tfor _, th := range event.Threads {\n\t\t// If it has no stacktrace, just bail out\n\t\tif th.Stacktrace == nil {\n\t\t\tcontinue\n\t\t}\n\n\t\t// If it does, it should have frames, so try to contextify them\n\t\tth.Stacktrace.Frames = cfi.contextify(th.Stacktrace.Frames)\n\t}\n\n\treturn event\n}\n\nfunc (cfi *contextifyFramesIntegration) contextify(frames []Frame) []Frame {\n\tcontextifiedFrames := make([]Frame, 0, len(frames))\n\n\tfor _, frame := range frames {\n\t\tif !frame.InApp {\n\t\t\tcontextifiedFrames = append(contextifiedFrames, frame)\n\t\t\tcontinue\n\t\t}\n\n\t\tvar path string\n\n\t\tif cachedPath, ok := cfi.cachedLocations.Load(frame.AbsPath); ok {\n\t\t\tif p, ok := cachedPath.(string); ok {\n\t\t\t\tpath = p\n\t\t\t}\n\t\t} else {\n\t\t\t// Optimize for happy path here\n\t\t\tif fileExists(frame.AbsPath) {\n\t\t\t\tpath = frame.AbsPath\n\t\t\t} else {\n\t\t\t\tpath = cfi.findNearbySourceCodeLocation(frame.AbsPath)\n\t\t\t}\n\t\t}\n\n\t\tif path == \"\" {\n\t\t\tcontextifiedFrames = append(contextifiedFrames, frame)\n\t\t\tcontinue\n\t\t}\n\n\t\tlines, contextLine := cfi.sr.readContextLines(path, frame.Lineno, cfi.contextLines)\n\t\tcontextifiedFrames = append(contextifiedFrames, cfi.addContextLinesToFrame(frame, lines, contextLine))\n\t}\n\n\treturn contextifiedFrames\n}\n\nfunc (cfi *contextifyFramesIntegration) findNearbySourceCodeLocation(originalPath string) string {\n\ttrimmedPath := strings.TrimPrefix(originalPath, \"/\")\n\tcomponents := strings.Split(trimmedPath, \"/\")\n\n\tfor len(components) > 0 {\n\t\tcomponents = components[1:]\n\t\tpossibleLocation := strings.Join(components, \"/\")\n\n\t\tif fileExists(possibleLocation) {\n\t\t\tcfi.cachedLocations.Store(originalPath, possibleLocation)\n\t\t\treturn possibleLocation\n\t\t}\n\t}\n\n\tcfi.cachedLocations.Store(originalPath, \"\")\n\treturn \"\"\n}\n\nfunc (cfi *contextifyFramesIntegration) addContextLinesToFrame(frame Frame, lines [][]byte, contextLine int) Frame {\n\tfor i, line := range lines {\n\t\tswitch {\n\t\tcase i < contextLine:\n\t\t\tframe.PreContext = append(frame.PreContext, string(line))\n\t\tcase i == contextLine:\n\t\t\tframe.ContextLine = string(line)\n\t\tdefault:\n\t\t\tframe.PostContext = append(frame.PostContext, string(line))\n\t\t}\n\t}\n\treturn frame\n}\n\n// ================================\n// Global Tags Integration\n// ================================\n\nconst envTagsPrefix = \"SENTRY_TAGS_\"\n\ntype globalTagsIntegration struct {\n\ttags map[string]string\n\tenvTags map[string]string\n}\n\nfunc (ti *globalTagsIntegration) Name() string {\n\treturn \"GlobalTags\"\n}\n\nfunc (ti *globalTagsIntegration) SetupOnce(client *Client) {\n\tti.tags = make(map[string]string, len(client.options.Tags))\n\tfor k, v := range client.options.Tags {\n\t\tti.tags[k] = v\n\t}\n\n\tti.envTags = loadEnvTags()\n\n\tclient.AddEventProcessor(ti.processor)\n}\n\nfunc (ti *globalTagsIntegration) processor(event *Event, _ *EventHint) *Event {\n\tif len(ti.tags) == 0 && len(ti.envTags) == 0 {\n\t\treturn event\n\t}\n\n\tif event.Tags == nil {\n\t\tevent.Tags = make(map[string]string, len(ti.tags)+len(ti.envTags))\n\t}\n\n\tfor k, v := range ti.tags {\n\t\tif _, ok := event.Tags[k]; !ok {\n\t\t\tevent.Tags[k] = v\n\t\t}\n\t}\n\n\tfor k, v := range ti.envTags {\n\t\tif _, ok := event.Tags[k]; !ok {\n\t\t\tevent.Tags[k] = v\n\t\t}\n\t}\n\n\treturn event\n}\n\nfunc loadEnvTags() map[string]string {\n\ttags := map[string]string{}\n\tfor _, pair := range os.Environ() {\n\t\tparts := strings.Split(pair, \"=\")\n\t\tif !strings.HasPrefix(parts[0], envTagsPrefix) {\n\t\t\tcontinue\n\t\t}\n\t\ttag := strings.TrimPrefix(parts[0], envTagsPrefix)\n\t\ttags[tag] = parts[1]\n\t}\n\treturn tags\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/interfaces.go", "content": "package sentry\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/attribute\"\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n\t\"github.com/getsentry/sentry-go/internal/protocol\"\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n)\n\nconst errorType = \"\"\nconst eventType = \"event\"\nconst transactionType = \"transaction\"\nconst checkInType = \"check_in\"\n\nvar logEvent = struct {\n\tType string\n\tContentType string\n}{\n\t\"log\",\n\t\"application/vnd.sentry.items.log+json\",\n}\n\nvar traceMetricEvent = struct {\n\tType string\n\tContentType string\n}{\n\t\"trace_metric\",\n\t\"application/vnd.sentry.items.trace-metric+json\",\n}\n\n// Level marks the severity of the event.\ntype Level string\n\n// Describes the severity of the event.\nconst (\n\tLevelDebug Level = \"debug\"\n\tLevelInfo Level = \"info\"\n\tLevelWarning Level = \"warning\"\n\tLevelError Level = \"error\"\n\tLevelFatal Level = \"fatal\"\n)\n\n// SdkInfo contains all metadata about the SDK.\ntype SdkInfo = protocol.SdkInfo\ntype SdkPackage = protocol.SdkPackage\n\n// TODO: This type could be more useful, as map of interface{} is too generic\n// and requires a lot of type assertions in beforeBreadcrumb calls\n// plus it could just be map[string]interface{} then.\n\n// BreadcrumbHint contains information that can be associated with a Breadcrumb.\ntype BreadcrumbHint map[string]interface{}\n\n// Breadcrumb specifies an application event that occurred before a Sentry event.\n// An event may contain one or more breadcrumbs.\ntype Breadcrumb struct {\n\tType string `json:\"type,omitempty\"`\n\tCategory string `json:\"category,omitempty\"`\n\tMessage string `json:\"message,omitempty\"`\n\tData map[string]interface{} `json:\"data,omitempty\"`\n\tLevel Level `json:\"level,omitempty\"`\n\tTimestamp time.Time `json:\"timestamp,omitzero\"`\n}\n\n// TODO: provide constants for known breadcrumb types.\n// See https://develop.sentry.dev/sdk/event-payloads/breadcrumbs/#breadcrumb-types.\n\n// Logger provides a chaining API for structured logging to Sentry.\ntype Logger interface {\n\t// Write implements the io.Writer interface. Currently, the [sentry.Hub] is\n\t// context aware, in order to get the correct trace correlation. Using this\n\t// might result in incorrect span association on logs. If you need to use\n\t// Write it is recommended to create a NewLogger so that the associated context\n\t// is passed correctly.\n\tWrite(p []byte) (n int, err error)\n\n\t// SetAttributes allows attaching parameters to the logger using the attribute API.\n\t// These attributes will be included in all subsequent log entries.\n\tSetAttributes(...attribute.Builder)\n\n\t// Trace defines the [sentry.LogLevel] for the log entry.\n\tTrace() LogEntry\n\t// Debug defines the [sentry.LogLevel] for the log entry.\n\tDebug() LogEntry\n\t// Info defines the [sentry.LogLevel] for the log entry.\n\tInfo() LogEntry\n\t// Warn defines the [sentry.LogLevel] for the log entry.\n\tWarn() LogEntry\n\t// Error defines the [sentry.LogLevel] for the log entry.\n\tError() LogEntry\n\t// Fatal defines the [sentry.LogLevel] for the log entry.\n\tFatal() LogEntry\n\t// Panic defines the [sentry.LogLevel] for the log entry.\n\tPanic() LogEntry\n\t// LFatal defines the [sentry.LogLevel] for the log entry. This only sets\n\t// the level to fatal, but does not panic or exit.\n\tLFatal() LogEntry\n\t// GetCtx returns the [context.Context] set on the logger.\n\tGetCtx() context.Context\n}\n\n// LogEntry defines the interface for a log entry that supports chaining attributes.\ntype LogEntry interface {\n\t// WithCtx creates a new LogEntry with the specified context without overwriting the previous one.\n\tWithCtx(ctx context.Context) LogEntry\n\t// String adds a string attribute to the LogEntry.\n\tString(key, value string) LogEntry\n\t// Int adds an int attribute to the LogEntry.\n\tInt(key string, value int) LogEntry\n\t// Int64 adds an int64 attribute to the LogEntry.\n\tInt64(key string, value int64) LogEntry\n\t// Float64 adds a float64 attribute to the LogEntry.\n\tFloat64(key string, value float64) LogEntry\n\t// Bool adds a bool attribute to the LogEntry.\n\tBool(key string, value bool) LogEntry\n\t// Emit emits the LogEntry with the provided arguments.\n\tEmit(args ...interface{})\n\t// Emitf emits the LogEntry using a format string and arguments.\n\tEmitf(format string, args ...interface{})\n}\n\n// Meter provides an interface for recording metrics.\ntype Meter interface {\n\t// WithCtx returns a new Meter that uses the given context for trace/span association.\n\tWithCtx(ctx context.Context) Meter\n\t// SetAttributes allows attaching parameters to the meter using the attribute API.\n\t// These attributes will be included in all subsequent metrics.\n\tSetAttributes(attrs ...attribute.Builder)\n\t// Count records a count metric.\n\tCount(name string, count int64, opts ...MeterOption)\n\t// Gauge records a gauge metric.\n\tGauge(name string, value float64, opts ...MeterOption)\n\t// Distribution records a distribution metric.\n\tDistribution(name string, sample float64, opts ...MeterOption)\n}\n\n// MeterOption configures a metric recording call.\ntype MeterOption func(*meterOptions)\n\ntype meterOptions struct {\n\tunit string\n\tscope *Scope\n\tattributes map[string]attribute.Value\n}\n\n// WithUnit sets the unit for the metric (e.g., \"millisecond\", \"byte\").\nfunc WithUnit(unit string) MeterOption {\n\treturn func(o *meterOptions) {\n\t\to.unit = unit\n\t}\n}\n\n// WithScopeOverride sets a custom scope for the metric, overriding the default scope from the hub.\nfunc WithScopeOverride(scope *Scope) MeterOption {\n\treturn func(o *meterOptions) {\n\t\to.scope = scope\n\t}\n}\n\n// WithAttributes sets attributes for the metric.\nfunc WithAttributes(attrs ...attribute.Builder) MeterOption {\n\treturn func(o *meterOptions) {\n\t\tif o.attributes == nil {\n\t\t\to.attributes = make(map[string]attribute.Value, len(attrs))\n\t\t}\n\t\tfor _, a := range attrs {\n\t\t\tif a.Value.Type() == attribute.INVALID {\n\t\t\t\tdebuglog.Printf(\"invalid attribute: %v\", a)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\to.attributes[a.Key] = a.Value\n\t\t}\n\t}\n}\n\n// Attachment allows associating files with your events to aid in investigation.\n// An event may contain one or more attachments.\ntype Attachment struct {\n\tFilename string\n\tContentType string\n\tPayload []byte\n}\n\n// User describes the user associated with an Event. If this is used, at least\n// an ID or an IP address should be provided.\ntype User struct {\n\tID string `json:\"id,omitempty\"`\n\tEmail string `json:\"email,omitempty\"`\n\tIPAddress string `json:\"ip_address,omitempty\"`\n\tUsername string `json:\"username,omitempty\"`\n\tName string `json:\"name,omitempty\"`\n\tData map[string]string `json:\"data,omitempty\"`\n}\n\nfunc (u User) IsEmpty() bool {\n\tif u.ID != \"\" {\n\t\treturn false\n\t}\n\n\tif u.Email != \"\" {\n\t\treturn false\n\t}\n\n\tif u.IPAddress != \"\" {\n\t\treturn false\n\t}\n\n\tif u.Username != \"\" {\n\t\treturn false\n\t}\n\n\tif u.Name != \"\" {\n\t\treturn false\n\t}\n\n\tif len(u.Data) > 0 {\n\t\treturn false\n\t}\n\n\treturn true\n}\n\n// Request contains information on a HTTP request related to the event.\ntype Request struct {\n\tURL string `json:\"url,omitempty\"`\n\tMethod string `json:\"method,omitempty\"`\n\tData string `json:\"data,omitempty\"`\n\tQueryString string `json:\"query_string,omitempty\"`\n\tCookies string `json:\"cookies,omitempty\"`\n\tHeaders map[string]string `json:\"headers,omitempty\"`\n\tEnv map[string]string `json:\"env,omitempty\"`\n}\n\nvar sensitiveHeaders = map[string]struct{}{\n\t\"_csrf\": {},\n\t\"_csrf_token\": {},\n\t\"_session\": {},\n\t\"_xsrf\": {},\n\t\"Api-Key\": {},\n\t\"Apikey\": {},\n\t\"Auth\": {},\n\t\"Authorization\": {},\n\t\"Cookie\": {},\n\t\"Credentials\": {},\n\t\"Csrf\": {},\n\t\"Csrf-Token\": {},\n\t\"Csrftoken\": {},\n\t\"Ip-Address\": {},\n\t\"Passwd\": {},\n\t\"Password\": {},\n\t\"Private-Key\": {},\n\t\"Privatekey\": {},\n\t\"Proxy-Authorization\": {},\n\t\"Remote-Addr\": {},\n\t\"Secret\": {},\n\t\"Session\": {},\n\t\"Sessionid\": {},\n\t\"Token\": {},\n\t\"User-Session\": {},\n\t\"X-Api-Key\": {},\n\t\"X-Csrftoken\": {},\n\t\"X-Forwarded-For\": {},\n\t\"X-Real-Ip\": {},\n\t\"XSRF-TOKEN\": {},\n}\n\n// NewRequest returns a new Sentry Request from the given http.Request.\n//\n// NewRequest avoids operations that depend on network access. In particular, it\n// does not read r.Body.\nfunc NewRequest(r *http.Request) *Request {\n\tprot := protocol.SchemeHTTP\n\tif r.TLS != nil || r.Header.Get(\"X-Forwarded-Proto\") == \"https\" {\n\t\tprot = protocol.SchemeHTTPS\n\t}\n\turl := fmt.Sprintf(\"%s://%s%s\", prot, r.Host, r.URL.Path)\n\n\tvar cookies string\n\tvar env map[string]string\n\theaders := map[string]string{}\n\n\tif client := CurrentHub().Client(); client != nil && client.options.SendDefaultPII {\n\t\t// We read only the first Cookie header because of the specification:\n\t\t// https://tools.ietf.org/html/rfc6265#section-5.4\n\t\t// When the user agent generates an HTTP request, the user agent MUST NOT\n\t\t// attach more than one Cookie header field.\n\t\tcookies = r.Header.Get(\"Cookie\")\n\n\t\theaders = make(map[string]string, len(r.Header))\n\t\tfor k, v := range r.Header {\n\t\t\theaders[k] = strings.Join(v, \",\")\n\t\t}\n\n\t\tif addr, port, err := net.SplitHostPort(r.RemoteAddr); err == nil {\n\t\t\tenv = map[string]string{\"REMOTE_ADDR\": addr, \"REMOTE_PORT\": port}\n\t\t}\n\t} else {\n\t\tfor k, v := range r.Header {\n\t\t\tif _, ok := sensitiveHeaders[k]; !ok {\n\t\t\t\theaders[k] = strings.Join(v, \",\")\n\t\t\t}\n\t\t}\n\t}\n\n\theaders[\"Host\"] = r.Host\n\n\treturn &Request{\n\t\tURL: url,\n\t\tMethod: r.Method,\n\t\tQueryString: r.URL.RawQuery,\n\t\tCookies: cookies,\n\t\tHeaders: headers,\n\t\tEnv: env,\n\t}\n}\n\n// Mechanism is the mechanism by which an exception was generated and handled.\ntype Mechanism struct {\n\tType string `json:\"type\"`\n\tDescription string `json:\"description,omitempty\"`\n\tHelpLink string `json:\"help_link,omitempty\"`\n\tSource string `json:\"source,omitempty\"`\n\tHandled *bool `json:\"handled,omitempty\"`\n\tParentID *int `json:\"parent_id,omitempty\"`\n\tExceptionID int `json:\"exception_id\"`\n\tIsExceptionGroup bool `json:\"is_exception_group,omitempty\"`\n\tData map[string]any `json:\"data,omitempty\"`\n}\n\n// SetUnhandled indicates that the exception is an unhandled exception, i.e.\n// from a panic.\nfunc (m *Mechanism) SetUnhandled() {\n\tm.Handled = Pointer(false)\n}\n\n// Exception specifies an error that occurred.\ntype Exception struct {\n\tType string `json:\"type,omitempty\"` // used as the main issue title\n\tValue string `json:\"value,omitempty\"` // used as the main issue subtitle\n\tModule string `json:\"module,omitempty\"`\n\tThreadID uint64 `json:\"thread_id,omitempty\"`\n\tStacktrace *Stacktrace `json:\"stacktrace,omitempty\"`\n\tMechanism *Mechanism `json:\"mechanism,omitempty\"`\n}\n\n// SDKMetaData is a struct to stash data which is needed at some point in the SDK's event processing pipeline\n// but which shouldn't get send to Sentry.\ntype SDKMetaData struct {\n\tdsc DynamicSamplingContext\n}\n\n// Contains information about how the name of the transaction was determined.\ntype TransactionInfo struct {\n\tSource TransactionSource `json:\"source,omitempty\"`\n}\n\n// The DebugMeta interface is not used in Golang apps, but may be populated\n// when proxying Events from other platforms, like iOS, Android, and the\n// Web. (See: https://develop.sentry.dev/sdk/event-payloads/debugmeta/ ).\ntype DebugMeta struct {\n\tSdkInfo *DebugMetaSdkInfo `json:\"sdk_info,omitempty\"`\n\tImages []DebugMetaImage `json:\"images,omitempty\"`\n}\n\ntype DebugMetaSdkInfo struct {\n\tSdkName string `json:\"sdk_name,omitempty\"`\n\tVersionMajor int `json:\"version_major,omitempty\"`\n\tVersionMinor int `json:\"version_minor,omitempty\"`\n\tVersionPatchlevel int `json:\"version_patchlevel,omitempty\"`\n}\n\ntype DebugMetaImage struct {\n\tType string `json:\"type,omitempty\"` // all\n\tImageAddr string `json:\"image_addr,omitempty\"` // macho,elf,pe\n\tImageSize int `json:\"image_size,omitempty\"` // macho,elf,pe\n\tDebugID string `json:\"debug_id,omitempty\"` // macho,elf,pe,wasm,sourcemap\n\tDebugFile string `json:\"debug_file,omitempty\"` // macho,elf,pe,wasm\n\tCodeID string `json:\"code_id,omitempty\"` // macho,elf,pe,wasm\n\tCodeFile string `json:\"code_file,omitempty\"` // macho,elf,pe,wasm,sourcemap\n\tImageVmaddr string `json:\"image_vmaddr,omitempty\"` // macho,elf,pe\n\tArch string `json:\"arch,omitempty\"` // macho,elf,pe\n\tUUID string `json:\"uuid,omitempty\"` // proguard\n}\n\n// EventID is a hexadecimal string representing a unique uuid4 for an Event.\n// An EventID must be 32 characters long, lowercase and not have any dashes.\ntype EventID string\n\ntype Context = map[string]interface{}\n\n// Event is the fundamental data structure that is sent to Sentry.\ntype Event struct {\n\tBreadcrumbs []*Breadcrumb `json:\"breadcrumbs,omitempty\"`\n\tContexts map[string]Context `json:\"contexts,omitempty\"`\n\tDist string `json:\"dist,omitempty\"`\n\tEnvironment string `json:\"environment,omitempty\"`\n\tEventID EventID `json:\"event_id,omitempty\"`\n\tExtra map[string]interface{} `json:\"extra,omitempty\"`\n\tFingerprint []string `json:\"fingerprint,omitempty\"`\n\tLevel Level `json:\"level,omitempty\"`\n\tMessage string `json:\"message,omitempty\"`\n\tPlatform string `json:\"platform,omitempty\"`\n\tRelease string `json:\"release,omitempty\"`\n\tSdk SdkInfo `json:\"sdk,omitempty\"`\n\tServerName string `json:\"server_name,omitempty\"`\n\tThreads []Thread `json:\"threads,omitempty\"`\n\tTags map[string]string `json:\"tags,omitempty\"`\n\tTimestamp time.Time `json:\"timestamp,omitzero\"`\n\tTransaction string `json:\"transaction,omitempty\"`\n\tUser User `json:\"user,omitempty\"`\n\tLogger string `json:\"logger,omitempty\"`\n\tModules map[string]string `json:\"modules,omitempty\"`\n\tRequest *Request `json:\"request,omitempty\"`\n\tException []Exception `json:\"exception,omitempty\"`\n\tDebugMeta *DebugMeta `json:\"debug_meta,omitempty\"`\n\tAttachments []*Attachment `json:\"-\"`\n\n\t// The fields below are only relevant for transactions.\n\n\tType string `json:\"type,omitempty\"`\n\tStartTime time.Time `json:\"start_timestamp,omitzero\"`\n\tSpans []*Span `json:\"spans,omitempty\"`\n\tTransactionInfo *TransactionInfo `json:\"transaction_info,omitempty\"`\n\n\t// The fields below are only relevant for crons/check ins\n\n\tCheckIn *CheckIn `json:\"check_in,omitempty\"`\n\tMonitorConfig *MonitorConfig `json:\"monitor_config,omitempty\"`\n\n\t// The fields below are only relevant for logs\n\tLogs []Log `json:\"-\"`\n\n\t// The fields below are only relevant for metrics\n\tMetrics []Metric `json:\"-\"`\n\n\t// The fields below are not part of the final JSON payload.\n\n\tsdkMetaData SDKMetaData\n}\n\n// SetException appends the unwrapped errors to the event's exception list.\n//\n// maxErrorDepth is the maximum depth of the error chain we will look\n// into while unwrapping the errors. If maxErrorDepth is -1, we will\n// unwrap all errors in the chain.\nfunc (e *Event) SetException(exception error, maxErrorDepth int) {\n\tif exception == nil {\n\t\treturn\n\t}\n\n\texceptions := convertErrorToExceptions(exception, maxErrorDepth)\n\tif len(exceptions) == 0 {\n\t\treturn\n\t}\n\n\te.Exception = exceptions\n}\n\n// ToEnvelopeItem converts the Event to a Sentry envelope item.\nfunc (e *Event) ToEnvelopeItem() (*protocol.EnvelopeItem, error) {\n\teventBody, err := json.Marshal(e)\n\tif err != nil {\n\t\t// Try fallback: remove problematic fields and retry\n\t\te.Breadcrumbs = nil\n\t\te.Contexts = nil\n\t\te.Extra = map[string]interface{}{\n\t\t\t\"info\": fmt.Sprintf(\"Could not encode original event as JSON. \"+\n\t\t\t\t\"Succeeded by removing Breadcrumbs, Contexts and Extra. \"+\n\t\t\t\t\"Please verify the data you attach to the scope. \"+\n\t\t\t\t\"Error: %s\", err),\n\t\t}\n\n\t\teventBody, err = json.Marshal(e)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"event could not be marshaled even with fallback: %w\", err)\n\t\t}\n\n\t\tDebugLogger.Printf(\"Event marshaling succeeded with fallback after removing problematic fields\")\n\t}\n\n\t// TODO: all event types should be abstracted to implement EnvelopeItemConvertible and convert themselves.\n\tvar item *protocol.EnvelopeItem\n\tswitch e.Type {\n\tcase transactionType:\n\t\titem = protocol.NewEnvelopeItem(protocol.EnvelopeItemTypeTransaction, eventBody)\n\tcase checkInType:\n\t\titem = protocol.NewEnvelopeItem(protocol.EnvelopeItemTypeCheckIn, eventBody)\n\tcase logEvent.Type:\n\t\titem = protocol.NewLogItem(len(e.Logs), eventBody)\n\tcase traceMetricEvent.Type:\n\t\titem = protocol.NewTraceMetricItem(len(e.Metrics), eventBody)\n\tdefault:\n\t\titem = protocol.NewEnvelopeItem(protocol.EnvelopeItemTypeEvent, eventBody)\n\t}\n\n\treturn item, nil\n}\n\n// GetCategory returns the rate limit category for this event.\nfunc (e *Event) GetCategory() ratelimit.Category {\n\treturn e.toCategory()\n}\n\n// GetEventID returns the event ID.\nfunc (e *Event) GetEventID() string {\n\treturn string(e.EventID)\n}\n\n// GetSdkInfo returns SDK information for the envelope header.\nfunc (e *Event) GetSdkInfo() *protocol.SdkInfo {\n\treturn &e.Sdk\n}\n\n// GetDynamicSamplingContext returns trace context for the envelope header.\nfunc (e *Event) GetDynamicSamplingContext() map[string]string {\n\ttrace := make(map[string]string)\n\tif dsc := e.sdkMetaData.dsc; dsc.HasEntries() {\n\t\tfor k, v := range dsc.Entries {\n\t\t\ttrace[k] = v\n\t\t}\n\t}\n\treturn trace\n}\n\n// TODO: Event.Contexts map[string]interface{} => map[string]EventContext,\n// to prevent accidentally storing T when we mean *T.\n// For example, the TraceContext must be stored as *TraceContext to pick up the\n// MarshalJSON method (and avoid copying).\n// type EventContext interface{ EventContext() }\n\n// MarshalJSON converts the Event struct to JSON.\nfunc (e *Event) MarshalJSON() ([]byte, error) {\n\tif e.Type == checkInType {\n\t\treturn e.checkInMarshalJSON()\n\t}\n\treturn e.defaultMarshalJSON()\n}\n\nfunc (e *Event) defaultMarshalJSON() ([]byte, error) {\n\t// event aliases Event to allow calling json.Marshal without an infinite\n\t// loop. It preserves all fields while none of the attached methods.\n\ttype event Event\n\n\tif e.Type == transactionType {\n\t\treturn json.Marshal(struct{ *event }{(*event)(e)})\n\t}\n\t// metrics and logs should be serialized under the same `items` json field.\n\tif e.Type == logEvent.Type {\n\t\ttype logEvent struct {\n\t\t\t*event\n\t\t\tItems []Log `json:\"items,omitempty\"`\n\t\t\tType json.RawMessage `json:\"type,omitempty\"`\n\t\t}\n\t\treturn json.Marshal(logEvent{event: (*event)(e), Items: e.Logs})\n\t}\n\n\tif e.Type == traceMetricEvent.Type {\n\t\ttype metricEvent struct {\n\t\t\t*event\n\t\t\tItems []Metric `json:\"items,omitempty\"`\n\t\t\tType json.RawMessage `json:\"type,omitempty\"`\n\t\t}\n\t\treturn json.Marshal(metricEvent{event: (*event)(e), Items: e.Metrics})\n\t}\n\n\t// errorEvent is like Event with shadowed fields for customizing JSON\n\t// marshaling.\n\ttype errorEvent struct {\n\t\t*event\n\n\t\t// The fields below are not part of error events and only make sense to\n\t\t// be sent for transactions. They shadow the respective fields in Event\n\t\t// and are meant to remain nil, triggering the omitempty behavior.\n\n\t\tType json.RawMessage `json:\"type,omitempty\"`\n\t\tStartTime json.RawMessage `json:\"start_timestamp,omitempty\"`\n\t\tSpans json.RawMessage `json:\"spans,omitempty\"`\n\t\tTransactionInfo json.RawMessage `json:\"transaction_info,omitempty\"`\n\t}\n\n\tx := errorEvent{event: (*event)(e)}\n\treturn json.Marshal(x)\n}\n\nfunc (e *Event) checkInMarshalJSON() ([]byte, error) {\n\tcheckIn := serializedCheckIn{\n\t\tCheckInID: string(e.CheckIn.ID),\n\t\tMonitorSlug: e.CheckIn.MonitorSlug,\n\t\tStatus: e.CheckIn.Status,\n\t\tDuration: e.CheckIn.Duration.Seconds(),\n\t\tRelease: e.Release,\n\t\tEnvironment: e.Environment,\n\t\tMonitorConfig: nil,\n\t}\n\n\tif e.MonitorConfig != nil {\n\t\tcheckIn.MonitorConfig = &MonitorConfig{\n\t\t\tSchedule: e.MonitorConfig.Schedule,\n\t\t\tCheckInMargin: e.MonitorConfig.CheckInMargin,\n\t\t\tMaxRuntime: e.MonitorConfig.MaxRuntime,\n\t\t\tTimezone: e.MonitorConfig.Timezone,\n\t\t\tFailureIssueThreshold: e.MonitorConfig.FailureIssueThreshold,\n\t\t\tRecoveryThreshold: e.MonitorConfig.RecoveryThreshold,\n\t\t}\n\t}\n\n\treturn json.Marshal(checkIn)\n}\n\nfunc (e *Event) toCategory() ratelimit.Category {\n\tswitch e.Type {\n\tcase errorType:\n\t\treturn ratelimit.CategoryError\n\tcase transactionType:\n\t\treturn ratelimit.CategoryTransaction\n\tcase logEvent.Type:\n\t\treturn ratelimit.CategoryLog\n\tcase checkInType:\n\t\treturn ratelimit.CategoryMonitor\n\tcase traceMetricEvent.Type:\n\t\treturn ratelimit.CategoryTraceMetric\n\tdefault:\n\t\treturn ratelimit.CategoryUnknown\n\t}\n}\n\n// NewEvent creates a new Event.\nfunc NewEvent() *Event {\n\treturn &Event{\n\t\tContexts: make(map[string]Context),\n\t\tExtra: make(map[string]interface{}),\n\t\tTags: make(map[string]string),\n\t\tModules: make(map[string]string),\n\t}\n}\n\n// Thread specifies threads that were running at the time of an event.\ntype Thread struct {\n\tID string `json:\"id,omitempty\"`\n\tName string `json:\"name,omitempty\"`\n\tStacktrace *Stacktrace `json:\"stacktrace,omitempty\"`\n\tCrashed bool `json:\"crashed,omitempty\"`\n\tCurrent bool `json:\"current,omitempty\"`\n}\n\n// EventHint contains information that can be associated with an Event.\ntype EventHint struct {\n\tData interface{}\n\tEventID string\n\tOriginalException error\n\tRecoveredException interface{}\n\tContext context.Context\n\tRequest *http.Request\n\tResponse *http.Response\n}\n\ntype Log struct {\n\tTimestamp time.Time `json:\"timestamp,omitzero\"`\n\tTraceID TraceID `json:\"trace_id\"`\n\tSpanID SpanID `json:\"span_id,omitzero\"`\n\tLevel LogLevel `json:\"level\"`\n\tSeverity int `json:\"severity_number,omitempty\"`\n\tBody string `json:\"body\"`\n\tAttributes map[string]attribute.Value `json:\"attributes,omitempty\"`\n}\n\n// GetCategory returns the rate limit category for logs.\nfunc (l *Log) GetCategory() ratelimit.Category {\n\treturn ratelimit.CategoryLog\n}\n\n// GetEventID returns empty string (event ID set when batching).\nfunc (l *Log) GetEventID() string {\n\treturn \"\"\n}\n\n// GetSdkInfo returns nil (SDK info set when batching).\nfunc (l *Log) GetSdkInfo() *protocol.SdkInfo {\n\treturn nil\n}\n\n// GetDynamicSamplingContext returns nil (trace context set when batching).\nfunc (l *Log) GetDynamicSamplingContext() map[string]string {\n\treturn nil\n}\n\ntype MetricType string\n\nconst (\n\tMetricTypeInvalid MetricType = \"\"\n\tMetricTypeCounter MetricType = \"counter\"\n\tMetricTypeGauge MetricType = \"gauge\"\n\tMetricTypeDistribution MetricType = \"distribution\"\n)\n\ntype Metric struct {\n\tTimestamp time.Time `json:\"timestamp,omitzero\"`\n\tTraceID TraceID `json:\"trace_id\"`\n\tSpanID SpanID `json:\"span_id,omitzero\"`\n\tType MetricType `json:\"type\"`\n\tName string `json:\"name\"`\n\tValue MetricValue `json:\"value\"`\n\tUnit string `json:\"unit,omitempty\"`\n\tAttributes map[string]attribute.Value `json:\"attributes,omitempty\"`\n}\n\n// GetCategory returns the rate limit category for metrics.\nfunc (m *Metric) GetCategory() ratelimit.Category {\n\treturn ratelimit.CategoryTraceMetric\n}\n\n// GetEventID returns empty string (event ID set when batching).\nfunc (m *Metric) GetEventID() string {\n\treturn \"\"\n}\n\n// GetSdkInfo returns nil (SDK info set when batching).\nfunc (m *Metric) GetSdkInfo() *protocol.SdkInfo {\n\treturn nil\n}\n\n// GetDynamicSamplingContext returns nil (trace context set when batching).\nfunc (m *Metric) GetDynamicSamplingContext() map[string]string {\n\treturn nil\n}\n\n// MetricValue stores metric values with full precision.\n// It supports int64 (for counters) and float64 (for gauges and distributions).\ntype MetricValue struct {\n\tvalue attribute.Value\n}\n\n// Int64MetricValue creates a MetricValue from an int64.\n// Used for counter metrics to preserve full int64 precision.\nfunc Int64MetricValue(v int64) MetricValue {\n\treturn MetricValue{value: attribute.Int64Value(v)}\n}\n\n// Float64MetricValue creates a MetricValue from a float64.\n// Used for gauge and distribution metrics.\nfunc Float64MetricValue(v float64) MetricValue {\n\treturn MetricValue{value: attribute.Float64Value(v)}\n}\n\n// Type returns the type of the stored value (attribute.INT64 or attribute.FLOAT64).\nfunc (v MetricValue) Type() attribute.Type {\n\treturn v.value.Type()\n}\n\n// Int64 returns the value as int64 if it holds an int64.\n// The second return value indicates whether the type matched.\nfunc (v MetricValue) Int64() (int64, bool) {\n\tif v.value.Type() == attribute.INT64 {\n\t\treturn v.value.AsInt64(), true\n\t}\n\treturn 0, false\n}\n\n// Float64 returns the value as float64 if it holds a float64.\n// The second return value indicates whether the type matched.\nfunc (v MetricValue) Float64() (float64, bool) {\n\tif v.value.Type() == attribute.FLOAT64 {\n\t\treturn v.value.AsFloat64(), true\n\t}\n\treturn 0, false\n}\n\n// AsInterface returns the value as int64 or float64.\n// Use type assertion or type switch to handle the result.\nfunc (v MetricValue) AsInterface() any {\n\treturn v.value.AsInterface()\n}\n\n// MarshalJSON serializes the value as a bare number.\nfunc (v MetricValue) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(v.value.AsInterface())\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/debug/transport.go", "content": "package debug\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptrace\"\n\t\"net/http/httputil\"\n)\n\n// Transport implements http.RoundTripper and can be used to wrap other HTTP\n// transports for debugging, normally http.DefaultTransport.\ntype Transport struct {\n\thttp.RoundTripper\n\tOutput io.Writer\n\t// Dump controls whether to dump HTTP request and responses.\n\tDump bool\n\t// Trace enables usage of net/http/httptrace.\n\tTrace bool\n}\n\nfunc (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {\n\tvar buf bytes.Buffer\n\tif t.Dump {\n\t\tb, err := httputil.DumpRequestOut(req, true)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t\t_, err = buf.Write(ensureTrailingNewline(b))\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t}\n\tif t.Trace {\n\t\ttrace := &httptrace.ClientTrace{\n\t\t\tDNSDone: func(di httptrace.DNSDoneInfo) {\n\t\t\t\tfmt.Fprintf(&buf, \"* DNS %v → %v\\n\", req.Host, di.Addrs)\n\t\t\t},\n\t\t\tGotConn: func(ci httptrace.GotConnInfo) {\n\t\t\t\tfmt.Fprintf(&buf, \"* Connection local=%v remote=%v\", ci.Conn.LocalAddr(), ci.Conn.RemoteAddr())\n\t\t\t\tif ci.Reused {\n\t\t\t\t\tfmt.Fprint(&buf, \" (reused)\")\n\t\t\t\t}\n\t\t\t\tif ci.WasIdle {\n\t\t\t\t\tfmt.Fprintf(&buf, \" (idle %v)\", ci.IdleTime)\n\t\t\t\t}\n\t\t\t\tfmt.Fprintln(&buf)\n\t\t\t},\n\t\t}\n\t\treq = req.WithContext(httptrace.WithClientTrace(req.Context(), trace))\n\t}\n\tresp, err := t.RoundTripper.RoundTrip(req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif t.Dump {\n\t\tb, err := httputil.DumpResponse(resp, true)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t\t_, err = buf.Write(ensureTrailingNewline(b))\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t}\n\t_, err = io.Copy(t.Output, &buf)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn resp, nil\n}\n\nfunc ensureTrailingNewline(b []byte) []byte {\n\tif len(b) > 0 && b[len(b)-1] != '\\n' {\n\t\tb = append(b, '\\n')\n\t}\n\treturn b\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/debuglog/log.go", "content": "package debuglog\n\nimport (\n\t\"io\"\n\t\"log\"\n)\n\n// logger is the global debug logger instance.\nvar logger = log.New(io.Discard, \"[Sentry] \", log.LstdFlags)\n\n// SetOutput changes the output destination of the logger.\nfunc SetOutput(w io.Writer) {\n\tlogger.SetOutput(w)\n}\n\n// GetLogger returns the current logger instance.\n// This function is thread-safe and can be called concurrently.\nfunc GetLogger() *log.Logger {\n\treturn logger\n}\n\n// Printf calls Printf on the underlying logger.\nfunc Printf(format string, args ...interface{}) {\n\tlogger.Printf(format, args...)\n}\n\n// Println calls Println on the underlying logger.\nfunc Println(args ...interface{}) {\n\tlogger.Println(args...)\n}\n\n// Print calls Print on the underlying logger.\nfunc Print(args ...interface{}) {\n\tlogger.Print(args...)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/http/transport.go", "content": "package http\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n\t\"github.com/getsentry/sentry-go/internal/protocol\"\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n\t\"github.com/getsentry/sentry-go/internal/util\"\n)\n\nconst (\n\tapiVersion = 7\n\n\tdefaultTimeout = time.Second * 30\n\tdefaultQueueSize = 1000\n)\n\nvar (\n\tErrTransportQueueFull = errors.New(\"transport queue full\")\n\tErrTransportClosed = errors.New(\"transport is closed\")\n\tErrEmptyEnvelope = errors.New(\"empty envelope provided\")\n)\n\ntype TransportOptions struct {\n\tDsn string\n\tHTTPClient *http.Client\n\tHTTPTransport http.RoundTripper\n\tHTTPProxy string\n\tHTTPSProxy string\n\tCaCerts *x509.CertPool\n}\n\nfunc getProxyConfig(options TransportOptions) func(*http.Request) (*url.URL, error) {\n\tif len(options.HTTPSProxy) > 0 {\n\t\treturn func(*http.Request) (*url.URL, error) {\n\t\t\treturn url.Parse(options.HTTPSProxy)\n\t\t}\n\t}\n\n\tif len(options.HTTPProxy) > 0 {\n\t\treturn func(*http.Request) (*url.URL, error) {\n\t\t\treturn url.Parse(options.HTTPProxy)\n\t\t}\n\t}\n\n\treturn http.ProxyFromEnvironment\n}\n\nfunc getTLSConfig(options TransportOptions) *tls.Config {\n\tif options.CaCerts != nil {\n\t\treturn &tls.Config{\n\t\t\tRootCAs: options.CaCerts,\n\t\t\tMinVersion: tls.VersionTLS12,\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc getSentryRequestFromEnvelope(ctx context.Context, dsn *protocol.Dsn, envelope *protocol.Envelope) (r *http.Request, err error) {\n\tdefer func() {\n\t\tif r != nil {\n\t\t\tsdkName := envelope.Header.Sdk.Name\n\t\t\tsdkVersion := envelope.Header.Sdk.Version\n\n\t\t\tr.Header.Set(\"User-Agent\", fmt.Sprintf(\"%s/%s\", sdkName, sdkVersion))\n\t\t\tr.Header.Set(\"Content-Type\", \"application/x-sentry-envelope\")\n\n\t\t\tauth := fmt.Sprintf(\"Sentry sentry_version=%d, \"+\n\t\t\t\t\"sentry_client=%s/%s, sentry_key=%s\", apiVersion, sdkName, sdkVersion, dsn.GetPublicKey())\n\n\t\t\tif dsn.GetSecretKey() != \"\" {\n\t\t\t\tauth = fmt.Sprintf(\"%s, sentry_secret=%s\", auth, dsn.GetSecretKey())\n\t\t\t}\n\n\t\t\tr.Header.Set(\"X-Sentry-Auth\", auth)\n\t\t}\n\t}()\n\n\tvar buf bytes.Buffer\n\t_, err = envelope.WriteTo(&buf)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn http.NewRequestWithContext(\n\t\tctx,\n\t\thttp.MethodPost,\n\t\tdsn.GetAPIURL().String(),\n\t\t&buf,\n\t)\n}\n\nfunc categoryFromEnvelope(envelope *protocol.Envelope) ratelimit.Category {\n\tif envelope == nil || len(envelope.Items) == 0 {\n\t\treturn ratelimit.CategoryAll\n\t}\n\n\tfor _, item := range envelope.Items {\n\t\tif item == nil || item.Header == nil {\n\t\t\tcontinue\n\t\t}\n\n\t\tswitch item.Header.Type {\n\t\tcase protocol.EnvelopeItemTypeEvent:\n\t\t\treturn ratelimit.CategoryError\n\t\tcase protocol.EnvelopeItemTypeTransaction:\n\t\t\treturn ratelimit.CategoryTransaction\n\t\tcase protocol.EnvelopeItemTypeCheckIn:\n\t\t\treturn ratelimit.CategoryMonitor\n\t\tcase protocol.EnvelopeItemTypeLog:\n\t\t\treturn ratelimit.CategoryLog\n\t\tcase protocol.EnvelopeItemTypeAttachment:\n\t\t\tcontinue\n\t\tdefault:\n\t\t\treturn ratelimit.CategoryAll\n\t\t}\n\t}\n\n\treturn ratelimit.CategoryAll\n}\n\n// SyncTransport is a blocking implementation of Transport.\n//\n// Clients using this transport will send requests to Sentry sequentially and\n// block until a response is returned.\n//\n// The blocking behavior is useful in a limited set of use cases. For example,\n// use it when deploying code to a Function as a Service (\"Serverless\")\n// platform, where any work happening in a background goroutine is not\n// guaranteed to execute.\n//\n// For most cases, prefer AsyncTransport.\ntype SyncTransport struct {\n\tdsn *protocol.Dsn\n\tclient *http.Client\n\ttransport http.RoundTripper\n\n\tmu sync.Mutex\n\tlimits ratelimit.Map\n\n\tTimeout time.Duration\n}\n\nfunc NewSyncTransport(options TransportOptions) protocol.TelemetryTransport {\n\tdsn, err := protocol.NewDsn(options.Dsn)\n\tif err != nil || dsn == nil {\n\t\tdebuglog.Printf(\"Transport is disabled: invalid dsn: %v\\n\", err)\n\t\treturn NewNoopTransport()\n\t}\n\n\ttransport := &SyncTransport{\n\t\tTimeout: defaultTimeout,\n\t\tlimits: make(ratelimit.Map),\n\t\tdsn: dsn,\n\t}\n\n\tif options.HTTPTransport != nil {\n\t\ttransport.transport = options.HTTPTransport\n\t} else {\n\t\ttransport.transport = &http.Transport{\n\t\t\tProxy: getProxyConfig(options),\n\t\t\tTLSClientConfig: getTLSConfig(options),\n\t\t}\n\t}\n\n\tif options.HTTPClient != nil {\n\t\ttransport.client = options.HTTPClient\n\t} else {\n\t\ttransport.client = &http.Client{\n\t\t\tTransport: transport.transport,\n\t\t\tTimeout: transport.Timeout,\n\t\t}\n\t}\n\n\treturn transport\n}\n\nfunc (t *SyncTransport) SendEnvelope(envelope *protocol.Envelope) error {\n\treturn t.SendEnvelopeWithContext(context.Background(), envelope)\n}\n\nfunc (t *SyncTransport) Close() {}\n\nfunc (t *SyncTransport) IsRateLimited(category ratelimit.Category) bool {\n\treturn t.disabled(category)\n}\n\nfunc (t *SyncTransport) HasCapacity() bool { return true }\n\nfunc (t *SyncTransport) SendEnvelopeWithContext(ctx context.Context, envelope *protocol.Envelope) error {\n\tif envelope == nil || len(envelope.Items) == 0 {\n\t\treturn ErrEmptyEnvelope\n\t}\n\n\tcategory := categoryFromEnvelope(envelope)\n\tif t.disabled(category) {\n\t\treturn nil\n\t}\n\n\trequest, err := getSentryRequestFromEnvelope(ctx, t.dsn, envelope)\n\tif err != nil {\n\t\tdebuglog.Printf(\"There was an issue creating the request: %v\", err)\n\t\treturn err\n\t}\n\tidentifier := util.EnvelopeIdentifier(envelope)\n\tdebuglog.Printf(\n\t\t\"Sending %s to %s project: %s\",\n\t\tidentifier,\n\t\tt.dsn.GetHost(),\n\t\tt.dsn.GetProjectID(),\n\t)\n\n\tresponse, err := t.client.Do(request)\n\tif err != nil {\n\t\tdebuglog.Printf(\"There was an issue with sending an event: %v\", err)\n\t\treturn err\n\t}\n\tutil.HandleHTTPResponse(response, identifier)\n\n\tt.mu.Lock()\n\tif t.limits == nil {\n\t\tt.limits = make(ratelimit.Map)\n\t}\n\tt.limits.Merge(ratelimit.FromResponse(response))\n\tt.mu.Unlock()\n\n\t_, _ = io.CopyN(io.Discard, response.Body, util.MaxDrainResponseBytes)\n\treturn response.Body.Close()\n}\n\nfunc (t *SyncTransport) Flush(_ time.Duration) bool {\n\treturn true\n}\n\nfunc (t *SyncTransport) FlushWithContext(_ context.Context) bool {\n\treturn true\n}\n\nfunc (t *SyncTransport) disabled(c ratelimit.Category) bool {\n\tt.mu.Lock()\n\tdefer t.mu.Unlock()\n\tdisabled := t.limits.IsRateLimited(c)\n\tif disabled {\n\t\tdebuglog.Printf(\"Too many requests for %q, backing off till: %v\", c, t.limits.Deadline(c))\n\t}\n\treturn disabled\n}\n\n// AsyncTransport is the default, non-blocking, implementation of Transport.\n//\n// Clients using this transport will enqueue requests in a queue and return to\n// the caller before any network communication has happened. Requests are sent\n// to Sentry sequentially from a background goroutine.\ntype AsyncTransport struct {\n\tdsn *protocol.Dsn\n\tclient *http.Client\n\ttransport http.RoundTripper\n\n\tqueue chan *protocol.Envelope\n\n\tmu sync.RWMutex\n\tlimits ratelimit.Map\n\n\tdone chan struct{}\n\twg sync.WaitGroup\n\n\tflushRequest chan chan struct{}\n\n\tsentCount int64\n\tdroppedCount int64\n\terrorCount int64\n\n\tQueueSize int\n\tTimeout time.Duration\n\n\tstartOnce sync.Once\n\tcloseOnce sync.Once\n}\n\nfunc NewAsyncTransport(options TransportOptions) protocol.TelemetryTransport {\n\tdsn, err := protocol.NewDsn(options.Dsn)\n\tif err != nil || dsn == nil {\n\t\tdebuglog.Printf(\"Transport is disabled: invalid dsn: %v\", err)\n\t\treturn NewNoopTransport()\n\t}\n\n\ttransport := &AsyncTransport{\n\t\tQueueSize: defaultQueueSize,\n\t\tTimeout: defaultTimeout,\n\t\tdone: make(chan struct{}),\n\t\tlimits: make(ratelimit.Map),\n\t\tdsn: dsn,\n\t}\n\n\ttransport.queue = make(chan *protocol.Envelope, transport.QueueSize)\n\ttransport.flushRequest = make(chan chan struct{})\n\n\tif options.HTTPTransport != nil {\n\t\ttransport.transport = options.HTTPTransport\n\t} else {\n\t\ttransport.transport = &http.Transport{\n\t\t\tProxy: getProxyConfig(options),\n\t\t\tTLSClientConfig: getTLSConfig(options),\n\t\t}\n\t}\n\n\tif options.HTTPClient != nil {\n\t\ttransport.client = options.HTTPClient\n\t} else {\n\t\ttransport.client = &http.Client{\n\t\t\tTransport: transport.transport,\n\t\t\tTimeout: transport.Timeout,\n\t\t}\n\t}\n\n\ttransport.start()\n\treturn transport\n}\n\nfunc (t *AsyncTransport) start() {\n\tt.startOnce.Do(func() {\n\t\tt.wg.Add(1)\n\t\tgo t.worker()\n\t})\n}\n\n// HasCapacity reports whether the async transport queue appears to have space\n// for at least one more envelope. This is a best-effort, non-blocking check.\nfunc (t *AsyncTransport) HasCapacity() bool {\n\tt.mu.RLock()\n\tdefer t.mu.RUnlock()\n\tselect {\n\tcase <-t.done:\n\t\treturn false\n\tdefault:\n\t}\n\treturn len(t.queue) < cap(t.queue)\n}\n\nfunc (t *AsyncTransport) SendEnvelope(envelope *protocol.Envelope) error {\n\tselect {\n\tcase <-t.done:\n\t\treturn ErrTransportClosed\n\tdefault:\n\t}\n\n\tif envelope == nil || len(envelope.Items) == 0 {\n\t\treturn ErrEmptyEnvelope\n\t}\n\n\tcategory := categoryFromEnvelope(envelope)\n\tif t.isRateLimited(category) {\n\t\treturn nil\n\t}\n\n\tselect {\n\tcase t.queue <- envelope:\n\t\tidentifier := util.EnvelopeIdentifier(envelope)\n\t\tdebuglog.Printf(\n\t\t\t\"Sending %s to %s project: %s\",\n\t\t\tidentifier,\n\t\t\tt.dsn.GetHost(),\n\t\t\tt.dsn.GetProjectID(),\n\t\t)\n\t\treturn nil\n\tdefault:\n\t\tatomic.AddInt64(&t.droppedCount, 1)\n\t\treturn ErrTransportQueueFull\n\t}\n}\n\nfunc (t *AsyncTransport) Flush(timeout time.Duration) bool {\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\treturn t.FlushWithContext(ctx)\n}\n\nfunc (t *AsyncTransport) FlushWithContext(ctx context.Context) bool {\n\tflushResponse := make(chan struct{})\n\tselect {\n\tcase t.flushRequest <- flushResponse:\n\t\tselect {\n\t\tcase <-flushResponse:\n\t\t\tdebuglog.Println(\"Buffer flushed successfully.\")\n\t\t\treturn true\n\t\tcase <-ctx.Done():\n\t\t\tdebuglog.Println(\"Failed to flush, buffer timed out.\")\n\t\t\treturn false\n\t\t}\n\tcase <-ctx.Done():\n\t\tdebuglog.Println(\"Failed to flush, buffer timed out.\")\n\t\treturn false\n\t}\n}\n\nfunc (t *AsyncTransport) Close() {\n\tt.closeOnce.Do(func() {\n\t\tclose(t.done)\n\t\tclose(t.queue)\n\t\tclose(t.flushRequest)\n\t\tt.wg.Wait()\n\t})\n}\n\nfunc (t *AsyncTransport) IsRateLimited(category ratelimit.Category) bool {\n\treturn t.isRateLimited(category)\n}\n\nfunc (t *AsyncTransport) worker() {\n\tdefer t.wg.Done()\n\n\tfor {\n\t\tselect {\n\t\tcase <-t.done:\n\t\t\treturn\n\t\tcase envelope, open := <-t.queue:\n\t\t\tif !open {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tt.processEnvelope(envelope)\n\t\tcase flushResponse, open := <-t.flushRequest:\n\t\t\tif !open {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tt.drainQueue()\n\t\t\tclose(flushResponse)\n\t\t}\n\t}\n}\n\nfunc (t *AsyncTransport) drainQueue() {\n\tfor {\n\t\tselect {\n\t\tcase envelope, open := <-t.queue:\n\t\t\tif !open {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tt.processEnvelope(envelope)\n\t\tdefault:\n\t\t\treturn\n\t\t}\n\t}\n}\n\nfunc (t *AsyncTransport) processEnvelope(envelope *protocol.Envelope) {\n\tif t.sendEnvelopeHTTP(envelope) {\n\t\tatomic.AddInt64(&t.sentCount, 1)\n\t} else {\n\t\tatomic.AddInt64(&t.errorCount, 1)\n\t}\n}\n\nfunc (t *AsyncTransport) sendEnvelopeHTTP(envelope *protocol.Envelope) bool {\n\tcategory := categoryFromEnvelope(envelope)\n\tif t.isRateLimited(category) {\n\t\treturn false\n\t}\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)\n\tdefer cancel()\n\n\trequest, err := getSentryRequestFromEnvelope(ctx, t.dsn, envelope)\n\tif err != nil {\n\t\tdebuglog.Printf(\"Failed to create request from envelope: %v\", err)\n\t\treturn false\n\t}\n\n\tresponse, err := t.client.Do(request)\n\tif err != nil {\n\t\tdebuglog.Printf(\"HTTP request failed: %v\", err)\n\t\treturn false\n\t}\n\tdefer response.Body.Close()\n\n\tidentifier := util.EnvelopeIdentifier(envelope)\n\tsuccess := util.HandleHTTPResponse(response, identifier)\n\n\tt.mu.Lock()\n\tif t.limits == nil {\n\t\tt.limits = make(ratelimit.Map)\n\t}\n\tt.limits.Merge(ratelimit.FromResponse(response))\n\tt.mu.Unlock()\n\n\t_, _ = io.CopyN(io.Discard, response.Body, util.MaxDrainResponseBytes)\n\treturn success\n}\n\nfunc (t *AsyncTransport) isRateLimited(category ratelimit.Category) bool {\n\tt.mu.RLock()\n\tdefer t.mu.RUnlock()\n\tlimited := t.limits.IsRateLimited(category)\n\tif limited {\n\t\tdebuglog.Printf(\"Rate limited for category %q until %v\", category, t.limits.Deadline(category))\n\t}\n\treturn limited\n}\n\n// NoopTransport is a transport implementation that drops all events.\n// Used internally when an empty or invalid DSN is provided.\ntype NoopTransport struct{}\n\nfunc NewNoopTransport() *NoopTransport {\n\tdebuglog.Println(\"Transport initialized with invalid DSN. Using NoopTransport. No events will be delivered.\")\n\treturn &NoopTransport{}\n}\n\nfunc (t *NoopTransport) SendEnvelope(_ *protocol.Envelope) error {\n\tdebuglog.Println(\"Envelope dropped due to NoopTransport usage.\")\n\treturn nil\n}\n\nfunc (t *NoopTransport) IsRateLimited(_ ratelimit.Category) bool {\n\treturn false\n}\n\nfunc (t *NoopTransport) Flush(_ time.Duration) bool {\n\treturn true\n}\n\nfunc (t *NoopTransport) FlushWithContext(_ context.Context) bool {\n\treturn true\n}\n\nfunc (t *NoopTransport) Close() {\n\t// Nothing to close\n}\n\nfunc (t *NoopTransport) HasCapacity() bool { return true }\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/otel/baggage/README.md", "content": "## Why do we have this \"otel/baggage\" folder?\n\nThe root sentry-go SDK (namely, the Dynamic Sampling functionality) needs an implementation of the [baggage spec](https://www.w3.org/TR/baggage/).\nFor that reason, we've taken the existing baggage implementation from the [opentelemetry-go](https://github.com/open-telemetry/opentelemetry-go/) repository, and fixed a few things that in our opinion were violating the specification.\n\nThese issues are:\n1. Baggage string value `one%20two` should be properly parsed as \"one two\"\n1. Baggage string value `one+two` should be parsed as \"one+two\"\n1. Go string value \"one two\" should be encoded as `one%20two` (percent encoding), and NOT as `one+two` (URL query encoding).\n1. Go string value \"1=1\" might be encoded as `1=1`, because the spec says: \"Note, value MAY contain any number of the equal sign (=) characters. Parsers MUST NOT assume that the equal sign is only used to separate key and value.\". `1%3D1` is also valid, but to simplify the implementation we're not doing it.\n\nChanges were made in this PR: https://github.com/getsentry/sentry-go/pull/568\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/otel/baggage/baggage.go", "content": "// Adapted from https://github.com/open-telemetry/opentelemetry-go/blob/c21b6b6bb31a2f74edd06e262f1690f3f6ea3d5c/baggage/baggage.go\n//\n// Copyright The OpenTelemetry Authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage baggage\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"net/url\"\n\t\"regexp\"\n\t\"strings\"\n\t\"unicode/utf8\"\n\n\t\"github.com/getsentry/sentry-go/internal/otel/baggage/internal/baggage\"\n)\n\nconst (\n\tmaxMembers = 180\n\tmaxBytesPerMembers = 4096\n\tmaxBytesPerBaggageString = 8192\n\n\tlistDelimiter = \",\"\n\tkeyValueDelimiter = \"=\"\n\tpropertyDelimiter = \";\"\n\n\tkeyDef = `([\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2E\\x30-\\x39\\x41-\\x5a\\x5e-\\x7a\\x7c\\x7e]+)`\n\tvalueDef = `([\\x21\\x23-\\x2b\\x2d-\\x3a\\x3c-\\x5B\\x5D-\\x7e]*)`\n\tkeyValueDef = `\\s*` + keyDef + `\\s*` + keyValueDelimiter + `\\s*` + valueDef + `\\s*`\n)\n\nvar (\n\tkeyRe = regexp.MustCompile(`^` + keyDef + `$`)\n\tvalueRe = regexp.MustCompile(`^` + valueDef + `$`)\n\tpropertyRe = regexp.MustCompile(`^(?:\\s*` + keyDef + `\\s*|` + keyValueDef + `)$`)\n)\n\nvar (\n\terrInvalidKey = errors.New(\"invalid key\")\n\terrInvalidValue = errors.New(\"invalid value\")\n\terrInvalidProperty = errors.New(\"invalid baggage list-member property\")\n\terrInvalidMember = errors.New(\"invalid baggage list-member\")\n\terrMemberNumber = errors.New(\"too many list-members in baggage-string\")\n\terrMemberBytes = errors.New(\"list-member too large\")\n\terrBaggageBytes = errors.New(\"baggage-string too large\")\n)\n\n// Property is an additional metadata entry for a baggage list-member.\ntype Property struct {\n\tkey, value string\n\n\t// hasValue indicates if a zero-value value means the property does not\n\t// have a value or if it was the zero-value.\n\thasValue bool\n\n\t// hasData indicates whether the created property contains data or not.\n\t// Properties that do not contain data are invalid with no other check\n\t// required.\n\thasData bool\n}\n\n// NewKeyProperty returns a new Property for key.\n//\n// If key is invalid, an error will be returned.\nfunc NewKeyProperty(key string) (Property, error) {\n\tif !keyRe.MatchString(key) {\n\t\treturn newInvalidProperty(), fmt.Errorf(\"%w: %q\", errInvalidKey, key)\n\t}\n\n\tp := Property{key: key, hasData: true}\n\treturn p, nil\n}\n\n// NewKeyValueProperty returns a new Property for key with value.\n//\n// If key or value are invalid, an error will be returned.\nfunc NewKeyValueProperty(key, value string) (Property, error) {\n\tif !keyRe.MatchString(key) {\n\t\treturn newInvalidProperty(), fmt.Errorf(\"%w: %q\", errInvalidKey, key)\n\t}\n\tif !valueRe.MatchString(value) {\n\t\treturn newInvalidProperty(), fmt.Errorf(\"%w: %q\", errInvalidValue, value)\n\t}\n\n\tp := Property{\n\t\tkey: key,\n\t\tvalue: value,\n\t\thasValue: true,\n\t\thasData: true,\n\t}\n\treturn p, nil\n}\n\nfunc newInvalidProperty() Property {\n\treturn Property{}\n}\n\n// parseProperty attempts to decode a Property from the passed string. It\n// returns an error if the input is invalid according to the W3C Baggage\n// specification.\nfunc parseProperty(property string) (Property, error) {\n\tif property == \"\" {\n\t\treturn newInvalidProperty(), nil\n\t}\n\n\tmatch := propertyRe.FindStringSubmatch(property)\n\tif len(match) != 4 {\n\t\treturn newInvalidProperty(), fmt.Errorf(\"%w: %q\", errInvalidProperty, property)\n\t}\n\n\tp := Property{hasData: true}\n\tif match[1] != \"\" {\n\t\tp.key = match[1]\n\t} else {\n\t\tp.key = match[2]\n\t\tp.value = match[3]\n\t\tp.hasValue = true\n\t}\n\n\treturn p, nil\n}\n\n// validate ensures p conforms to the W3C Baggage specification, returning an\n// error otherwise.\nfunc (p Property) validate() error {\n\terrFunc := func(err error) error {\n\t\treturn fmt.Errorf(\"invalid property: %w\", err)\n\t}\n\n\tif !p.hasData {\n\t\treturn errFunc(fmt.Errorf(\"%w: %q\", errInvalidProperty, p))\n\t}\n\n\tif !keyRe.MatchString(p.key) {\n\t\treturn errFunc(fmt.Errorf(\"%w: %q\", errInvalidKey, p.key))\n\t}\n\tif p.hasValue && !valueRe.MatchString(p.value) {\n\t\treturn errFunc(fmt.Errorf(\"%w: %q\", errInvalidValue, p.value))\n\t}\n\tif !p.hasValue && p.value != \"\" {\n\t\treturn errFunc(errors.New(\"inconsistent value\"))\n\t}\n\treturn nil\n}\n\n// Key returns the Property key.\nfunc (p Property) Key() string {\n\treturn p.key\n}\n\n// Value returns the Property value. Additionally, a boolean value is returned\n// indicating if the returned value is the empty if the Property has a value\n// that is empty or if the value is not set.\nfunc (p Property) Value() (string, bool) {\n\treturn p.value, p.hasValue\n}\n\n// String encodes Property into a string compliant with the W3C Baggage\n// specification.\nfunc (p Property) String() string {\n\tif p.hasValue {\n\t\treturn fmt.Sprintf(\"%s%s%v\", p.key, keyValueDelimiter, p.value)\n\t}\n\treturn p.key\n}\n\ntype properties []Property\n\nfunc fromInternalProperties(iProps []baggage.Property) properties {\n\tif len(iProps) == 0 {\n\t\treturn nil\n\t}\n\n\tprops := make(properties, len(iProps))\n\tfor i, p := range iProps {\n\t\tprops[i] = Property{\n\t\t\tkey: p.Key,\n\t\t\tvalue: p.Value,\n\t\t\thasValue: p.HasValue,\n\t\t}\n\t}\n\treturn props\n}\n\nfunc (p properties) asInternal() []baggage.Property {\n\tif len(p) == 0 {\n\t\treturn nil\n\t}\n\n\tiProps := make([]baggage.Property, len(p))\n\tfor i, prop := range p {\n\t\tiProps[i] = baggage.Property{\n\t\t\tKey: prop.key,\n\t\t\tValue: prop.value,\n\t\t\tHasValue: prop.hasValue,\n\t\t}\n\t}\n\treturn iProps\n}\n\nfunc (p properties) Copy() properties {\n\tif len(p) == 0 {\n\t\treturn nil\n\t}\n\n\tprops := make(properties, len(p))\n\tcopy(props, p)\n\treturn props\n}\n\n// validate ensures each Property in p conforms to the W3C Baggage\n// specification, returning an error otherwise.\nfunc (p properties) validate() error {\n\tfor _, prop := range p {\n\t\tif err := prop.validate(); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\n// String encodes properties into a string compliant with the W3C Baggage\n// specification.\nfunc (p properties) String() string {\n\tprops := make([]string, len(p))\n\tfor i, prop := range p {\n\t\tprops[i] = prop.String()\n\t}\n\treturn strings.Join(props, propertyDelimiter)\n}\n\n// Member is a list-member of a baggage-string as defined by the W3C Baggage\n// specification.\ntype Member struct {\n\tkey, value string\n\tproperties properties\n\n\t// hasData indicates whether the created property contains data or not.\n\t// Properties that do not contain data are invalid with no other check\n\t// required.\n\thasData bool\n}\n\n// NewMember returns a new Member from the passed arguments. The key will be\n// used directly while the value will be url decoded after validation. An error\n// is returned if the created Member would be invalid according to the W3C\n// Baggage specification.\nfunc NewMember(key, value string, props ...Property) (Member, error) {\n\tm := Member{\n\t\tkey: key,\n\t\tvalue: value,\n\t\tproperties: properties(props).Copy(),\n\t\thasData: true,\n\t}\n\tif err := m.validate(); err != nil {\n\t\treturn newInvalidMember(), err\n\t}\n\t//// NOTE(anton): I don't think we need to unescape here\n\t// decodedValue, err := url.PathUnescape(value)\n\t// if err != nil {\n\t// \treturn newInvalidMember(), fmt.Errorf(\"%w: %q\", errInvalidValue, value)\n\t// }\n\t// m.value = decodedValue\n\treturn m, nil\n}\n\nfunc newInvalidMember() Member {\n\treturn Member{}\n}\n\n// parseMember attempts to decode a Member from the passed string. It returns\n// an error if the input is invalid according to the W3C Baggage\n// specification.\nfunc parseMember(member string) (Member, error) {\n\tif n := len(member); n > maxBytesPerMembers {\n\t\treturn newInvalidMember(), fmt.Errorf(\"%w: %d\", errMemberBytes, n)\n\t}\n\n\tvar (\n\t\tkey, value string\n\t\tprops properties\n\t)\n\n\tparts := strings.SplitN(member, propertyDelimiter, 2)\n\tswitch len(parts) {\n\tcase 2:\n\t\t// Parse the member properties.\n\t\tfor _, pStr := range strings.Split(parts[1], propertyDelimiter) {\n\t\t\tp, err := parseProperty(pStr)\n\t\t\tif err != nil {\n\t\t\t\treturn newInvalidMember(), err\n\t\t\t}\n\t\t\tprops = append(props, p)\n\t\t}\n\t\tfallthrough\n\tcase 1:\n\t\t// Parse the member key/value pair.\n\n\t\t// Take into account a value can contain equal signs (=).\n\t\tkv := strings.SplitN(parts[0], keyValueDelimiter, 2)\n\t\tif len(kv) != 2 {\n\t\t\treturn newInvalidMember(), fmt.Errorf(\"%w: %q\", errInvalidMember, member)\n\t\t}\n\t\t// \"Leading and trailing whitespaces are allowed but MUST be trimmed\n\t\t// when converting the header into a data structure.\"\n\t\tkey = strings.TrimSpace(kv[0])\n\t\tvalue = strings.TrimSpace(kv[1])\n\t\tvar err error\n\t\tif !keyRe.MatchString(key) {\n\t\t\treturn newInvalidMember(), fmt.Errorf(\"%w: %q\", errInvalidKey, key)\n\t\t}\n\t\tif !valueRe.MatchString(value) {\n\t\t\treturn newInvalidMember(), fmt.Errorf(\"%w: %q\", errInvalidValue, value)\n\t\t}\n\t\tdecodedValue, err := url.PathUnescape(value)\n\t\tif err != nil {\n\t\t\treturn newInvalidMember(), fmt.Errorf(\"%w: %q\", err, value)\n\t\t}\n\t\tvalue = decodedValue\n\tdefault:\n\t\t// This should never happen unless a developer has changed the string\n\t\t// splitting somehow. Panic instead of failing silently and allowing\n\t\t// the bug to slip past the CI checks.\n\t\tpanic(\"failed to parse baggage member\")\n\t}\n\n\treturn Member{key: key, value: value, properties: props, hasData: true}, nil\n}\n\n// validate ensures m conforms to the W3C Baggage specification.\n// A key is just an ASCII string, but a value must be URL encoded UTF-8,\n// returning an error otherwise.\nfunc (m Member) validate() error {\n\tif !m.hasData {\n\t\treturn fmt.Errorf(\"%w: %q\", errInvalidMember, m)\n\t}\n\n\tif !keyRe.MatchString(m.key) {\n\t\treturn fmt.Errorf(\"%w: %q\", errInvalidKey, m.key)\n\t}\n\t//// NOTE(anton): IMO it's too early to validate the value here.\n\t// if !valueRe.MatchString(m.value) {\n\t// \treturn fmt.Errorf(\"%w: %q\", errInvalidValue, m.value)\n\t// }\n\treturn m.properties.validate()\n}\n\n// Key returns the Member key.\nfunc (m Member) Key() string { return m.key }\n\n// Value returns the Member value.\nfunc (m Member) Value() string { return m.value }\n\n// Properties returns a copy of the Member properties.\nfunc (m Member) Properties() []Property { return m.properties.Copy() }\n\n// String encodes Member into a string compliant with the W3C Baggage\n// specification.\nfunc (m Member) String() string {\n\t// A key is just an ASCII string, but a value is URL encoded UTF-8.\n\ts := fmt.Sprintf(\"%s%s%s\", m.key, keyValueDelimiter, percentEncodeValue(m.value))\n\tif len(m.properties) > 0 {\n\t\ts = fmt.Sprintf(\"%s%s%s\", s, propertyDelimiter, m.properties.String())\n\t}\n\treturn s\n}\n\n// percentEncodeValue encodes the baggage value, using percent-encoding for\n// disallowed octets.\nfunc percentEncodeValue(s string) string {\n\tconst upperhex = \"0123456789ABCDEF\"\n\tvar sb strings.Builder\n\n\tfor byteIndex, width := 0, 0; byteIndex < len(s); byteIndex += width {\n\t\truneValue, w := utf8.DecodeRuneInString(s[byteIndex:])\n\t\twidth = w\n\t\tchar := string(runeValue)\n\t\tif valueRe.MatchString(char) && char != \"%\" {\n\t\t\t// The character is returned as is, no need to percent-encode\n\t\t\tsb.WriteString(char)\n\t\t} else {\n\t\t\t// We need to percent-encode each byte of the multi-octet character\n\t\t\tfor j := 0; j < width; j++ {\n\t\t\t\tb := s[byteIndex+j]\n\t\t\t\tsb.WriteByte('%')\n\t\t\t\t// Bitwise operations are inspired by \"net/url\"\n\t\t\t\tsb.WriteByte(upperhex[b>>4])\n\t\t\t\tsb.WriteByte(upperhex[b&15])\n\t\t\t}\n\t\t}\n\t}\n\treturn sb.String()\n}\n\n// Baggage is a list of baggage members representing the baggage-string as\n// defined by the W3C Baggage specification.\ntype Baggage struct { //nolint:golint\n\tlist baggage.List\n}\n\n// New returns a new valid Baggage. It returns an error if it results in a\n// Baggage exceeding limits set in that specification.\n//\n// It expects all the provided members to have already been validated.\nfunc New(members ...Member) (Baggage, error) {\n\tif len(members) == 0 {\n\t\treturn Baggage{}, nil\n\t}\n\n\tb := make(baggage.List)\n\tfor _, m := range members {\n\t\tif !m.hasData {\n\t\t\treturn Baggage{}, errInvalidMember\n\t\t}\n\n\t\t// OpenTelemetry resolves duplicates by last-one-wins.\n\t\tb[m.key] = baggage.Item{\n\t\t\tValue: m.value,\n\t\t\tProperties: m.properties.asInternal(),\n\t\t}\n\t}\n\n\t// Check member numbers after deduplication.\n\tif len(b) > maxMembers {\n\t\treturn Baggage{}, errMemberNumber\n\t}\n\n\tbag := Baggage{b}\n\tif n := len(bag.String()); n > maxBytesPerBaggageString {\n\t\treturn Baggage{}, fmt.Errorf(\"%w: %d\", errBaggageBytes, n)\n\t}\n\n\treturn bag, nil\n}\n\n// Parse attempts to decode a baggage-string from the passed string. It\n// returns an error if the input is invalid according to the W3C Baggage\n// specification.\n//\n// If there are duplicate list-members contained in baggage, the last one\n// defined (reading left-to-right) will be the only one kept. This diverges\n// from the W3C Baggage specification which allows duplicate list-members, but\n// conforms to the OpenTelemetry Baggage specification.\nfunc Parse(bStr string) (Baggage, error) {\n\tif bStr == \"\" {\n\t\treturn Baggage{}, nil\n\t}\n\n\tif n := len(bStr); n > maxBytesPerBaggageString {\n\t\treturn Baggage{}, fmt.Errorf(\"%w: %d\", errBaggageBytes, n)\n\t}\n\n\tb := make(baggage.List)\n\tfor _, memberStr := range strings.Split(bStr, listDelimiter) {\n\t\tm, err := parseMember(memberStr)\n\t\tif err != nil {\n\t\t\treturn Baggage{}, err\n\t\t}\n\t\t// OpenTelemetry resolves duplicates by last-one-wins.\n\t\tb[m.key] = baggage.Item{\n\t\t\tValue: m.value,\n\t\t\tProperties: m.properties.asInternal(),\n\t\t}\n\t}\n\n\t// OpenTelemetry does not allow for duplicate list-members, but the W3C\n\t// specification does. Now that we have deduplicated, ensure the baggage\n\t// does not exceed list-member limits.\n\tif len(b) > maxMembers {\n\t\treturn Baggage{}, errMemberNumber\n\t}\n\n\treturn Baggage{b}, nil\n}\n\n// Member returns the baggage list-member identified by key.\n//\n// If there is no list-member matching the passed key the returned Member will\n// be a zero-value Member.\n// The returned member is not validated, as we assume the validation happened\n// when it was added to the Baggage.\nfunc (b Baggage) Member(key string) Member {\n\tv, ok := b.list[key]\n\tif !ok {\n\t\t// We do not need to worry about distinguishing between the situation\n\t\t// where a zero-valued Member is included in the Baggage because a\n\t\t// zero-valued Member is invalid according to the W3C Baggage\n\t\t// specification (it has an empty key).\n\t\treturn newInvalidMember()\n\t}\n\n\treturn Member{\n\t\tkey: key,\n\t\tvalue: v.Value,\n\t\tproperties: fromInternalProperties(v.Properties),\n\t\thasData: true,\n\t}\n}\n\n// Members returns all the baggage list-members.\n// The order of the returned list-members does not have significance.\n//\n// The returned members are not validated, as we assume the validation happened\n// when they were added to the Baggage.\nfunc (b Baggage) Members() []Member {\n\tif len(b.list) == 0 {\n\t\treturn nil\n\t}\n\n\tmembers := make([]Member, 0, len(b.list))\n\tfor k, v := range b.list {\n\t\tmembers = append(members, Member{\n\t\t\tkey: k,\n\t\t\tvalue: v.Value,\n\t\t\tproperties: fromInternalProperties(v.Properties),\n\t\t\thasData: true,\n\t\t})\n\t}\n\treturn members\n}\n\n// SetMember returns a copy the Baggage with the member included. If the\n// baggage contains a Member with the same key the existing Member is\n// replaced.\n//\n// If member is invalid according to the W3C Baggage specification, an error\n// is returned with the original Baggage.\nfunc (b Baggage) SetMember(member Member) (Baggage, error) {\n\tif !member.hasData {\n\t\treturn b, errInvalidMember\n\t}\n\n\tn := len(b.list)\n\tif _, ok := b.list[member.key]; !ok {\n\t\tn++\n\t}\n\tlist := make(baggage.List, n)\n\n\tfor k, v := range b.list {\n\t\t// Do not copy if we are just going to overwrite.\n\t\tif k == member.key {\n\t\t\tcontinue\n\t\t}\n\t\tlist[k] = v\n\t}\n\n\tlist[member.key] = baggage.Item{\n\t\tValue: member.value,\n\t\tProperties: member.properties.asInternal(),\n\t}\n\n\treturn Baggage{list: list}, nil\n}\n\n// DeleteMember returns a copy of the Baggage with the list-member identified\n// by key removed.\nfunc (b Baggage) DeleteMember(key string) Baggage {\n\tn := len(b.list)\n\tif _, ok := b.list[key]; ok {\n\t\tn--\n\t}\n\tlist := make(baggage.List, n)\n\n\tfor k, v := range b.list {\n\t\tif k == key {\n\t\t\tcontinue\n\t\t}\n\t\tlist[k] = v\n\t}\n\n\treturn Baggage{list: list}\n}\n\n// Len returns the number of list-members in the Baggage.\nfunc (b Baggage) Len() int {\n\treturn len(b.list)\n}\n\n// String encodes Baggage into a string compliant with the W3C Baggage\n// specification. The returned string will be invalid if the Baggage contains\n// any invalid list-members.\nfunc (b Baggage) String() string {\n\tmembers := make([]string, 0, len(b.list))\n\tfor k, v := range b.list {\n\t\tmembers = append(members, Member{\n\t\t\tkey: k,\n\t\t\tvalue: v.Value,\n\t\t\tproperties: fromInternalProperties(v.Properties),\n\t\t}.String())\n\t}\n\treturn strings.Join(members, listDelimiter)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/otel/baggage/internal/baggage/baggage.go", "content": "// Adapted from https://github.com/open-telemetry/opentelemetry-go/blob/c21b6b6bb31a2f74edd06e262f1690f3f6ea3d5c/internal/baggage/baggage.go\n//\n// Copyright The OpenTelemetry Authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n/*\nPackage baggage provides base types and functionality to store and retrieve\nbaggage in Go context. This package exists because the OpenTracing bridge to\nOpenTelemetry needs to synchronize state whenever baggage for a context is\nmodified and that context contains an OpenTracing span. If it were not for\nthis need this package would not need to exist and the\n`go.opentelemetry.io/otel/baggage` package would be the singular place where\nW3C baggage is handled.\n*/\npackage baggage\n\n// List is the collection of baggage members. The W3C allows for duplicates,\n// but OpenTelemetry does not, therefore, this is represented as a map.\ntype List map[string]Item\n\n// Item is the value and metadata properties part of a list-member.\ntype Item struct {\n\tValue string\n\tProperties []Property\n}\n\n// Property is a metadata entry for a list-member.\ntype Property struct {\n\tKey, Value string\n\n\t// HasValue indicates if a zero-value value means the property does not\n\t// have a value or if it was the zero-value.\n\tHasValue bool\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/protocol/dsn.go", "content": "package protocol\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/url\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n)\n\n// apiVersion is the version of the Sentry API.\nconst apiVersion = \"7\"\n\ntype scheme string\n\nconst (\n\tSchemeHTTP scheme = \"http\"\n\tSchemeHTTPS scheme = \"https\"\n)\n\nfunc (scheme scheme) defaultPort() int {\n\tswitch scheme {\n\tcase SchemeHTTPS:\n\t\treturn 443\n\tcase SchemeHTTP:\n\t\treturn 80\n\tdefault:\n\t\treturn 80\n\t}\n}\n\n// DsnParseError represents an error that occurs if a Sentry\n// DSN cannot be parsed.\ntype DsnParseError struct {\n\tMessage string\n}\n\nfunc (e DsnParseError) Error() string {\n\treturn \"[Sentry] DsnParseError: \" + e.Message\n}\n\n// Dsn is used as the remote address source to client transport.\ntype Dsn struct {\n\tscheme scheme\n\tpublicKey string\n\tsecretKey string\n\thost string\n\tport int\n\tpath string\n\tprojectID string\n}\n\n// NewDsn creates a Dsn by parsing rawURL. Most users will never call this\n// function directly. It is provided for use in custom Transport\n// implementations.\nfunc NewDsn(rawURL string) (*Dsn, error) {\n\t// Parse\n\tparsedURL, err := url.Parse(rawURL)\n\tif err != nil {\n\t\treturn nil, &DsnParseError{fmt.Sprintf(\"invalid url: %v\", err)}\n\t}\n\n\t// Scheme\n\tvar scheme scheme\n\tswitch parsedURL.Scheme {\n\tcase \"http\":\n\t\tscheme = SchemeHTTP\n\tcase \"https\":\n\t\tscheme = SchemeHTTPS\n\tdefault:\n\t\treturn nil, &DsnParseError{\"invalid scheme\"}\n\t}\n\n\t// PublicKey\n\tpublicKey := parsedURL.User.Username()\n\tif publicKey == \"\" {\n\t\treturn nil, &DsnParseError{\"empty username\"}\n\t}\n\n\t// SecretKey\n\tvar secretKey string\n\tif parsedSecretKey, ok := parsedURL.User.Password(); ok {\n\t\tsecretKey = parsedSecretKey\n\t}\n\n\t// Host\n\thost := parsedURL.Hostname()\n\tif host == \"\" {\n\t\treturn nil, &DsnParseError{\"empty host\"}\n\t}\n\n\t// Port\n\tvar port int\n\tif p := parsedURL.Port(); p != \"\" {\n\t\tport, err = strconv.Atoi(p)\n\t\tif err != nil {\n\t\t\treturn nil, &DsnParseError{\"invalid port\"}\n\t\t}\n\t} else {\n\t\tport = scheme.defaultPort()\n\t}\n\n\t// ProjectID\n\tif parsedURL.Path == \"\" || parsedURL.Path == \"/\" {\n\t\treturn nil, &DsnParseError{\"empty project id\"}\n\t}\n\tpathSegments := strings.Split(parsedURL.Path[1:], \"/\")\n\tprojectID := pathSegments[len(pathSegments)-1]\n\n\tif projectID == \"\" {\n\t\treturn nil, &DsnParseError{\"empty project id\"}\n\t}\n\n\t// Path\n\tvar path string\n\tif len(pathSegments) > 1 {\n\t\tpath = \"/\" + strings.Join(pathSegments[0:len(pathSegments)-1], \"/\")\n\t}\n\n\treturn &Dsn{\n\t\tscheme: scheme,\n\t\tpublicKey: publicKey,\n\t\tsecretKey: secretKey,\n\t\thost: host,\n\t\tport: port,\n\t\tpath: path,\n\t\tprojectID: projectID,\n\t}, nil\n}\n\n// String formats Dsn struct into a valid string url.\nfunc (dsn Dsn) String() string {\n\tvar url string\n\turl += fmt.Sprintf(\"%s://%s\", dsn.scheme, dsn.publicKey)\n\tif dsn.secretKey != \"\" {\n\t\turl += fmt.Sprintf(\":%s\", dsn.secretKey)\n\t}\n\turl += fmt.Sprintf(\"@%s\", dsn.host)\n\tif dsn.port != dsn.scheme.defaultPort() {\n\t\turl += fmt.Sprintf(\":%d\", dsn.port)\n\t}\n\tif dsn.path != \"\" {\n\t\turl += dsn.path\n\t}\n\turl += fmt.Sprintf(\"/%s\", dsn.projectID)\n\treturn url\n}\n\n// Get the scheme of the DSN.\nfunc (dsn Dsn) GetScheme() string {\n\treturn string(dsn.scheme)\n}\n\n// Get the public key of the DSN.\nfunc (dsn Dsn) GetPublicKey() string {\n\treturn dsn.publicKey\n}\n\n// Get the secret key of the DSN.\nfunc (dsn Dsn) GetSecretKey() string {\n\treturn dsn.secretKey\n}\n\n// Get the host of the DSN.\nfunc (dsn Dsn) GetHost() string {\n\treturn dsn.host\n}\n\n// Get the port of the DSN.\nfunc (dsn Dsn) GetPort() int {\n\treturn dsn.port\n}\n\n// Get the path of the DSN.\nfunc (dsn Dsn) GetPath() string {\n\treturn dsn.path\n}\n\n// Get the project ID of the DSN.\nfunc (dsn Dsn) GetProjectID() string {\n\treturn dsn.projectID\n}\n\n// GetAPIURL returns the URL of the envelope endpoint of the project\n// associated with the DSN.\nfunc (dsn Dsn) GetAPIURL() *url.URL {\n\tvar rawURL string\n\trawURL += fmt.Sprintf(\"%s://%s\", dsn.scheme, dsn.host)\n\tif dsn.port != dsn.scheme.defaultPort() {\n\t\trawURL += fmt.Sprintf(\":%d\", dsn.port)\n\t}\n\tif dsn.path != \"\" {\n\t\trawURL += dsn.path\n\t}\n\trawURL += fmt.Sprintf(\"/api/%s/%s/\", dsn.projectID, \"envelope\")\n\tparsedURL, _ := url.Parse(rawURL)\n\treturn parsedURL\n}\n\n// RequestHeaders returns all the necessary headers that have to be used in the transport when sending events\n// to the /store endpoint.\n//\n// Deprecated: This method shall only be used if you want to implement your own transport that sends events to\n// the /store endpoint. If you're using the transport provided by the SDK, all necessary headers to authenticate\n// against the /envelope endpoint are added automatically.\nfunc (dsn Dsn) RequestHeaders(sdkVersion string) map[string]string {\n\tauth := fmt.Sprintf(\"Sentry sentry_version=%s, sentry_timestamp=%d, \"+\n\t\t\"sentry_client=sentry.go/%s, sentry_key=%s\", apiVersion, time.Now().Unix(), sdkVersion, dsn.publicKey)\n\n\tif dsn.secretKey != \"\" {\n\t\tauth = fmt.Sprintf(\"%s, sentry_secret=%s\", auth, dsn.secretKey)\n\t}\n\n\treturn map[string]string{\n\t\t\"Content-Type\": \"application/json\",\n\t\t\"X-Sentry-Auth\": auth,\n\t}\n}\n\n// MarshalJSON converts the Dsn struct to JSON.\nfunc (dsn Dsn) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(dsn.String())\n}\n\n// UnmarshalJSON converts JSON data to the Dsn struct.\nfunc (dsn *Dsn) UnmarshalJSON(data []byte) error {\n\tvar str string\n\t_ = json.Unmarshal(data, &str)\n\tnewDsn, err := NewDsn(str)\n\tif err != nil {\n\t\treturn err\n\t}\n\t*dsn = *newDsn\n\treturn nil\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/protocol/envelope.go", "content": "package protocol\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"time\"\n)\n\n// Envelope represents a Sentry envelope containing headers and items.\ntype Envelope struct {\n\tHeader *EnvelopeHeader `json:\"-\"`\n\tItems []*EnvelopeItem `json:\"-\"`\n}\n\n// EnvelopeHeader represents the header of a Sentry envelope.\ntype EnvelopeHeader struct {\n\t// EventID is the unique identifier for this event\n\tEventID string `json:\"event_id\"`\n\n\t// SentAt is the timestamp when the event was sent from the SDK as string in RFC 3339 format.\n\t// Used for clock drift correction of the event timestamp. The time zone must be UTC.\n\tSentAt time.Time `json:\"sent_at,omitzero\"`\n\n\t// Dsn can be used for self-authenticated envelopes.\n\t// This means that the envelope has all the information necessary to be sent to sentry.\n\t// In this case the full DSN must be stored in this key.\n\tDsn string `json:\"dsn,omitempty\"`\n\n\t// Sdk carries the same payload as the sdk interface in the event payload but can be carried for all events.\n\t// This means that SDK information can be carried for minidumps, session data and other submissions.\n\tSdk *SdkInfo `json:\"sdk,omitempty\"`\n\n\t// Trace contains the [Dynamic Sampling Context](https://develop.sentry.dev/sdk/telemetry/traces/dynamic-sampling-context/)\n\tTrace map[string]string `json:\"trace,omitempty\"`\n}\n\n// EnvelopeItemType represents the type of envelope item.\ntype EnvelopeItemType string\n\n// Constants for envelope item types as defined in the Sentry documentation.\nconst (\n\tEnvelopeItemTypeEvent EnvelopeItemType = \"event\"\n\tEnvelopeItemTypeTransaction EnvelopeItemType = \"transaction\"\n\tEnvelopeItemTypeCheckIn EnvelopeItemType = \"check_in\"\n\tEnvelopeItemTypeAttachment EnvelopeItemType = \"attachment\"\n\tEnvelopeItemTypeLog EnvelopeItemType = \"log\"\n\tEnvelopeItemTypeTraceMetric EnvelopeItemType = \"trace_metric\"\n)\n\n// EnvelopeItemHeader represents the header of an envelope item.\ntype EnvelopeItemHeader struct {\n\t// Type specifies the type of this Item and its contents.\n\t// Based on the Item type, more headers may be required.\n\tType EnvelopeItemType `json:\"type\"`\n\n\t// Length is the length of the payload in bytes.\n\t// If no length is specified, the payload implicitly goes to the next newline.\n\t// For payloads containing newline characters, the length must be specified.\n\tLength *int `json:\"length,omitempty\"`\n\n\t// Filename is the name of the attachment file (used for attachments)\n\tFilename string `json:\"filename,omitempty\"`\n\n\t// ContentType is the MIME type of the item payload (used for attachments and some other item types)\n\tContentType string `json:\"content_type,omitempty\"`\n\n\t// ItemCount is the number of items in a batch (used for logs)\n\tItemCount *int `json:\"item_count,omitempty\"`\n}\n\n// EnvelopeItem represents a single item or batch within an envelope.\ntype EnvelopeItem struct {\n\tHeader *EnvelopeItemHeader `json:\"-\"`\n\tPayload []byte `json:\"-\"`\n}\n\n// NewEnvelope creates a new envelope with the given header.\nfunc NewEnvelope(header *EnvelopeHeader) *Envelope {\n\treturn &Envelope{\n\t\tHeader: header,\n\t\tItems: make([]*EnvelopeItem, 0),\n\t}\n}\n\n// AddItem adds an item to the envelope.\nfunc (e *Envelope) AddItem(item *EnvelopeItem) {\n\tif item == nil {\n\t\treturn\n\t}\n\te.Items = append(e.Items, item)\n}\n\n// Serialize serializes the envelope to the Sentry envelope format.\n//\n// Format: Headers \"\\n\" { Item } [ \"\\n\" ]\n// Item: Headers \"\\n\" Payload \"\\n\".\nfunc (e *Envelope) Serialize() ([]byte, error) {\n\tvar buf bytes.Buffer\n\n\theaderBytes, err := json.Marshal(e.Header)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to marshal envelope header: %w\", err)\n\t}\n\n\tif _, err := buf.Write(headerBytes); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to write envelope header: %w\", err)\n\t}\n\n\tif _, err := buf.WriteString(\"\\n\"); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to write newline after envelope header: %w\", err)\n\t}\n\n\tfor _, item := range e.Items {\n\t\tif err := e.writeItem(&buf, item); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to write envelope item: %w\", err)\n\t\t}\n\t}\n\n\treturn buf.Bytes(), nil\n}\n\n// WriteTo writes the envelope to the given writer in the Sentry envelope format.\nfunc (e *Envelope) WriteTo(w io.Writer) (int64, error) {\n\tdata, err := e.Serialize()\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\n\tn, err := w.Write(data)\n\treturn int64(n), err\n}\n\n// writeItem writes a single envelope item to the buffer.\nfunc (e *Envelope) writeItem(buf *bytes.Buffer, item *EnvelopeItem) error {\n\theaderBytes, err := json.Marshal(item.Header)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to marshal item header: %w\", err)\n\t}\n\n\tif _, err := buf.Write(headerBytes); err != nil {\n\t\treturn fmt.Errorf(\"failed to write item header: %w\", err)\n\t}\n\n\tif _, err := buf.WriteString(\"\\n\"); err != nil {\n\t\treturn fmt.Errorf(\"failed to write newline after item header: %w\", err)\n\t}\n\n\tif len(item.Payload) > 0 {\n\t\tif _, err := buf.Write(item.Payload); err != nil {\n\t\t\treturn fmt.Errorf(\"failed to write item payload: %w\", err)\n\t\t}\n\t}\n\n\tif _, err := buf.WriteString(\"\\n\"); err != nil {\n\t\treturn fmt.Errorf(\"failed to write newline after item payload: %w\", err)\n\t}\n\n\treturn nil\n}\n\n// Size returns the total size of the envelope when serialized.\nfunc (e *Envelope) Size() (int, error) {\n\tdata, err := e.Serialize()\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\treturn len(data), nil\n}\n\n// NewEnvelopeItem creates a new envelope item with the specified type and payload.\nfunc NewEnvelopeItem(itemType EnvelopeItemType, payload []byte) *EnvelopeItem {\n\tlength := len(payload)\n\treturn &EnvelopeItem{\n\t\tHeader: &EnvelopeItemHeader{\n\t\t\tType: itemType,\n\t\t\tLength: &length,\n\t\t},\n\t\tPayload: payload,\n\t}\n}\n\n// NewAttachmentItem creates a new envelope item for an attachment.\n// Parameters: filename, contentType, payload.\nfunc NewAttachmentItem(filename, contentType string, payload []byte) *EnvelopeItem {\n\tlength := len(payload)\n\treturn &EnvelopeItem{\n\t\tHeader: &EnvelopeItemHeader{\n\t\t\tType: EnvelopeItemTypeAttachment,\n\t\t\tLength: &length,\n\t\t\tContentType: contentType,\n\t\t\tFilename: filename,\n\t\t},\n\t\tPayload: payload,\n\t}\n}\n\n// NewLogItem creates a new envelope item for logs.\nfunc NewLogItem(itemCount int, payload []byte) *EnvelopeItem {\n\tlength := len(payload)\n\treturn &EnvelopeItem{\n\t\tHeader: &EnvelopeItemHeader{\n\t\t\tType: EnvelopeItemTypeLog,\n\t\t\tLength: &length,\n\t\t\tItemCount: &itemCount,\n\t\t\tContentType: \"application/vnd.sentry.items.log+json\",\n\t\t},\n\t\tPayload: payload,\n\t}\n}\n\n// NewTraceMetricItem creates a new envelope item for trace metrics.\nfunc NewTraceMetricItem(itemCount int, payload []byte) *EnvelopeItem {\n\tlength := len(payload)\n\treturn &EnvelopeItem{\n\t\tHeader: &EnvelopeItemHeader{\n\t\t\tType: EnvelopeItemTypeTraceMetric,\n\t\t\tLength: &length,\n\t\t\tItemCount: &itemCount,\n\t\t\tContentType: \"application/vnd.sentry.items.trace-metric+json\",\n\t\t},\n\t\tPayload: payload,\n\t}\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/protocol/interfaces.go", "content": "package protocol\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n)\n\n// TelemetryItem represents any telemetry data that can be stored in buffers and sent to Sentry.\n// This is the base interface that all telemetry items must implement.\ntype TelemetryItem interface {\n\t// GetCategory returns the rate limit category for this item.\n\tGetCategory() ratelimit.Category\n\n\t// GetEventID returns the event ID for this item.\n\tGetEventID() string\n\n\t// GetSdkInfo returns SDK information for the envelope header.\n\tGetSdkInfo() *SdkInfo\n\n\t// GetDynamicSamplingContext returns trace context for the envelope header.\n\tGetDynamicSamplingContext() map[string]string\n}\n\n// EnvelopeItemConvertible represents items that can be converted directly to envelope items.\ntype EnvelopeItemConvertible interface {\n\tTelemetryItem\n\n\t// ToEnvelopeItem converts the item to a Sentry envelope item.\n\tToEnvelopeItem() (*EnvelopeItem, error)\n}\n\n// TelemetryTransport represents the envelope-first transport interface.\n// This interface is designed for the telemetry buffer system and provides\n// non-blocking sends with backpressure signals.\ntype TelemetryTransport interface {\n\t// SendEnvelope sends an envelope to Sentry. Returns immediately with\n\t// backpressure error if the queue is full.\n\tSendEnvelope(envelope *Envelope) error\n\n\t// HasCapacity reports whether the transport has capacity to accept at least one more envelope.\n\tHasCapacity() bool\n\n\t// IsRateLimited checks if a specific category is currently rate limited\n\tIsRateLimited(category ratelimit.Category) bool\n\n\t// Flush waits for all pending envelopes to be sent, with timeout\n\tFlush(timeout time.Duration) bool\n\n\t// FlushWithContext waits for all pending envelopes to be sent\n\tFlushWithContext(ctx context.Context) bool\n\n\t// Close shuts down the transport gracefully\n\tClose()\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/protocol/log_batch.go", "content": "package protocol\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n)\n\n// LogAttribute is the JSON representation for a single log attribute value.\ntype LogAttribute struct {\n\tValue any `json:\"value\"`\n\tType string `json:\"type\"`\n}\n\n// Logs is a container for multiple log items which knows how to convert\n// itself into a single batched log envelope item.\ntype Logs []TelemetryItem\n\nfunc (ls Logs) ToEnvelopeItem() (*EnvelopeItem, error) {\n\t// Convert each log to its JSON representation\n\titems := make([]json.RawMessage, 0, len(ls))\n\tfor _, log := range ls {\n\t\tlogPayload, err := json.Marshal(log)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\titems = append(items, logPayload)\n\t}\n\n\tif len(items) == 0 {\n\t\treturn nil, nil\n\t}\n\n\twrapper := struct {\n\t\tItems []json.RawMessage `json:\"items\"`\n\t}{Items: items}\n\n\tpayload, err := json.Marshal(wrapper)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn NewLogItem(len(ls), payload), nil\n}\n\nfunc (Logs) GetCategory() ratelimit.Category { return ratelimit.CategoryLog }\nfunc (Logs) GetEventID() string { return \"\" }\nfunc (Logs) GetSdkInfo() *SdkInfo { return nil }\nfunc (Logs) GetDynamicSamplingContext() map[string]string { return nil }\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/protocol/metric_batch.go", "content": "package protocol\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n)\n\ntype Metrics []TelemetryItem\n\nfunc (ms Metrics) ToEnvelopeItem() (*EnvelopeItem, error) {\n\t// Convert each metric to its JSON representation\n\titems := make([]json.RawMessage, 0, len(ms))\n\tfor _, metric := range ms {\n\t\tmetricPayload, err := json.Marshal(metric)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\titems = append(items, metricPayload)\n\t}\n\n\tif len(items) == 0 {\n\t\treturn nil, nil\n\t}\n\n\twrapper := struct {\n\t\tItems []json.RawMessage `json:\"items\"`\n\t}{Items: items}\n\n\tpayload, err := json.Marshal(wrapper)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn NewTraceMetricItem(len(items), payload), nil\n}\n\nfunc (Metrics) GetCategory() ratelimit.Category { return ratelimit.CategoryTraceMetric }\nfunc (Metrics) GetEventID() string { return \"\" }\nfunc (Metrics) GetSdkInfo() *SdkInfo { return nil }\nfunc (Metrics) GetDynamicSamplingContext() map[string]string { return nil }\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/protocol/types.go", "content": "package protocol\n\n// SdkInfo contains SDK metadata.\ntype SdkInfo struct {\n\tName string `json:\"name,omitempty\"`\n\tVersion string `json:\"version,omitempty\"`\n\tIntegrations []string `json:\"integrations,omitempty\"`\n\tPackages []SdkPackage `json:\"packages,omitempty\"`\n}\n\n// SdkPackage describes a package that was installed.\ntype SdkPackage struct {\n\tName string `json:\"name,omitempty\"`\n\tVersion string `json:\"version,omitempty\"`\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/protocol/uuid.go", "content": "package protocol\n\nimport (\n\t\"crypto/rand\"\n\t\"encoding/hex\"\n)\n\n// GenerateEventID generates a random UUID v4 for use as a Sentry event ID.\nfunc GenerateEventID() string {\n\tid := make([]byte, 16)\n\t// Prefer rand.Read over rand.Reader, see https://go-review.googlesource.com/c/go/+/272326/.\n\t_, _ = rand.Read(id)\n\tid[6] &= 0x0F // clear version\n\tid[6] |= 0x40 // set version to 4 (random uuid)\n\tid[8] &= 0x3F // clear variant\n\tid[8] |= 0x80 // set to IETF variant\n\treturn hex.EncodeToString(id)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/ratelimit/category.go", "content": "package ratelimit\n\nimport (\n\t\"strings\"\n\n\t\"golang.org/x/text/cases\"\n\t\"golang.org/x/text/language\"\n)\n\n// Reference:\n// https://github.com/getsentry/relay/blob/46dfaa850b8717a6e22c3e9a275ba17fe673b9da/relay-base-schema/src/data_category.rs#L231-L271\n\n// Category classifies supported payload types that can be ingested by Sentry\n// and, therefore, rate limited.\ntype Category string\n\n// Known rate limit categories that are specified in rate limit headers.\nconst (\n\tCategoryUnknown Category = \"unknown\" // Unknown category should not get rate limited\n\tCategoryAll Category = \"\" // Special category for empty categories (applies to all)\n\tCategoryError Category = \"error\"\n\tCategoryTransaction Category = \"transaction\"\n\tCategoryLog Category = \"log_item\"\n\tCategoryMonitor Category = \"monitor\"\n\tCategoryTraceMetric Category = \"trace_metric\"\n)\n\n// knownCategories is the set of currently known categories. Other categories\n// are ignored for the purpose of rate-limiting.\nvar knownCategories = map[Category]struct{}{\n\tCategoryAll: {},\n\tCategoryError: {},\n\tCategoryTransaction: {},\n\tCategoryLog: {},\n\tCategoryMonitor: {},\n\tCategoryTraceMetric: {},\n}\n\n// String returns the category formatted for debugging.\nfunc (c Category) String() string {\n\tswitch c {\n\tcase CategoryAll:\n\t\treturn \"CategoryAll\"\n\tcase CategoryError:\n\t\treturn \"CategoryError\"\n\tcase CategoryTransaction:\n\t\treturn \"CategoryTransaction\"\n\tcase CategoryLog:\n\t\treturn \"CategoryLog\"\n\tcase CategoryMonitor:\n\t\treturn \"CategoryMonitor\"\n\tcase CategoryTraceMetric:\n\t\treturn \"CategoryTraceMetric\"\n\tdefault:\n\t\t// For unknown categories, use the original formatting logic\n\t\tcaser := cases.Title(language.English)\n\t\trv := \"Category\"\n\t\tfor _, w := range strings.Fields(string(c)) {\n\t\t\trv += caser.String(w)\n\t\t}\n\t\treturn rv\n\t}\n}\n\n// Priority represents the importance level of a category for buffer management.\ntype Priority int\n\nconst (\n\tPriorityCritical Priority = iota + 1\n\tPriorityHigh\n\tPriorityMedium\n\tPriorityLow\n\tPriorityLowest\n)\n\nfunc (p Priority) String() string {\n\tswitch p {\n\tcase PriorityCritical:\n\t\treturn \"critical\"\n\tcase PriorityHigh:\n\t\treturn \"high\"\n\tcase PriorityMedium:\n\t\treturn \"medium\"\n\tcase PriorityLow:\n\t\treturn \"low\"\n\tcase PriorityLowest:\n\t\treturn \"lowest\"\n\tdefault:\n\t\treturn \"unknown\"\n\t}\n}\n\n// GetPriority returns the priority level for this category.\nfunc (c Category) GetPriority() Priority {\n\tswitch c {\n\tcase CategoryError:\n\t\treturn PriorityCritical\n\tcase CategoryMonitor:\n\t\treturn PriorityHigh\n\tcase CategoryLog:\n\t\treturn PriorityLow\n\tcase CategoryTransaction:\n\t\treturn PriorityMedium\n\tcase CategoryTraceMetric:\n\t\treturn PriorityLow\n\tdefault:\n\t\treturn PriorityMedium\n\t}\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/ratelimit/deadline.go", "content": "package ratelimit\n\nimport \"time\"\n\n// A Deadline is a time instant when a rate limit expires.\ntype Deadline time.Time\n\n// After reports whether the deadline d is after other.\nfunc (d Deadline) After(other Deadline) bool {\n\treturn time.Time(d).After(time.Time(other))\n}\n\n// Equal reports whether d and e represent the same deadline.\nfunc (d Deadline) Equal(e Deadline) bool {\n\treturn time.Time(d).Equal(time.Time(e))\n}\n\n// String returns the deadline formatted for debugging.\nfunc (d Deadline) String() string {\n\t// Like time.Time.String, but without the monotonic clock reading.\n\treturn time.Time(d).Round(0).String()\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/ratelimit/doc.go", "content": "// Package ratelimit provides tools to work with rate limits imposed by Sentry's\n// data ingestion pipeline.\npackage ratelimit\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/ratelimit/map.go", "content": "package ratelimit\n\nimport (\n\t\"net/http\"\n\t\"time\"\n)\n\n// Map maps categories to rate limit deadlines.\n//\n// A rate limit is in effect for a given category if either the category's\n// deadline or the deadline for the special CategoryAll has not yet expired.\n//\n// Use IsRateLimited to check whether a category is rate-limited.\ntype Map map[Category]Deadline\n\n// IsRateLimited returns true if the category is currently rate limited.\nfunc (m Map) IsRateLimited(c Category) bool {\n\treturn m.isRateLimited(c, time.Now())\n}\n\nfunc (m Map) isRateLimited(c Category, now time.Time) bool {\n\treturn m.Deadline(c).After(Deadline(now))\n}\n\n// Deadline returns the deadline when the rate limit for the given category or\n// the special CategoryAll expire, whichever is furthest into the future.\nfunc (m Map) Deadline(c Category) Deadline {\n\tcategoryDeadline := m[c]\n\tallDeadline := m[CategoryAll]\n\tif categoryDeadline.After(allDeadline) {\n\t\treturn categoryDeadline\n\t}\n\treturn allDeadline\n}\n\n// Merge merges the other map into m.\n//\n// If a category appears in both maps, the deadline that is furthest into the\n// future is preserved.\nfunc (m Map) Merge(other Map) {\n\tfor c, d := range other {\n\t\tif d.After(m[c]) {\n\t\t\tm[c] = d\n\t\t}\n\t}\n}\n\n// FromResponse returns a rate limit map from an HTTP response.\nfunc FromResponse(r *http.Response) Map {\n\treturn fromResponse(r, time.Now())\n}\n\nfunc fromResponse(r *http.Response, now time.Time) Map {\n\ts := r.Header.Get(\"X-Sentry-Rate-Limits\")\n\tif s != \"\" {\n\t\treturn parseXSentryRateLimits(s, now)\n\t}\n\tif r.StatusCode == http.StatusTooManyRequests {\n\t\ts := r.Header.Get(\"Retry-After\")\n\t\tdeadline, _ := parseRetryAfter(s, now)\n\t\treturn Map{CategoryAll: deadline}\n\t}\n\treturn Map{}\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/ratelimit/rate_limits.go", "content": "package ratelimit\n\nimport (\n\t\"errors\"\n\t\"math\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n)\n\nvar errInvalidXSRLRetryAfter = errors.New(\"invalid retry-after value\")\n\n// parseXSentryRateLimits returns a RateLimits map by parsing an input string in\n// the format of the X-Sentry-Rate-Limits header.\n//\n// Example\n//\n//\tX-Sentry-Rate-Limits: 60:transaction, 2700:default;error;security\n//\n// This will rate limit transactions for the next 60 seconds and errors for the\n// next 2700 seconds.\n//\n// Limits for unknown categories are ignored.\nfunc parseXSentryRateLimits(s string, now time.Time) Map {\n\t// https://github.com/getsentry/relay/blob/0424a2e017d193a93918053c90cdae9472d164bf/relay-server/src/utils/rate_limits.rs#L44-L82\n\tm := make(Map, len(knownCategories))\n\tfor _, limit := range strings.Split(s, \",\") {\n\t\tlimit = strings.TrimSpace(limit)\n\t\tif limit == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tcomponents := strings.Split(limit, \":\")\n\t\tif len(components) == 0 {\n\t\t\tcontinue\n\t\t}\n\t\tretryAfter, err := parseXSRLRetryAfter(strings.TrimSpace(components[0]), now)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tcategories := \"\"\n\t\tif len(components) > 1 {\n\t\t\tcategories = components[1]\n\t\t}\n\t\tfor _, category := range strings.Split(categories, \";\") {\n\t\t\tc := Category(strings.ToLower(strings.TrimSpace(category)))\n\t\t\tif _, ok := knownCategories[c]; !ok {\n\t\t\t\t// skip unknown categories, keep m small\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\t// always keep the deadline furthest into the future\n\t\t\tif retryAfter.After(m[c]) {\n\t\t\t\tm[c] = retryAfter\n\t\t\t}\n\t\t}\n\t}\n\treturn m\n}\n\n// parseXSRLRetryAfter parses a string into a retry-after rate limit deadline.\n//\n// Valid input is a number, possibly signed and possibly floating-point,\n// indicating the number of seconds to wait before sending another request.\n// Negative values are treated as zero. Fractional values are rounded to the\n// next integer.\nfunc parseXSRLRetryAfter(s string, now time.Time) (Deadline, error) {\n\t// https://github.com/getsentry/relay/blob/0424a2e017d193a93918053c90cdae9472d164bf/relay-quotas/src/rate_limit.rs#L88-L96\n\tf, err := strconv.ParseFloat(s, 64)\n\tif err != nil {\n\t\treturn Deadline{}, errInvalidXSRLRetryAfter\n\t}\n\td := time.Duration(math.Ceil(math.Max(f, 0.0))) * time.Second\n\tif d < 0 {\n\t\td = 0\n\t}\n\treturn Deadline(now.Add(d)), nil\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/ratelimit/retry_after.go", "content": "package ratelimit\n\nimport (\n\t\"errors\"\n\t\"strconv\"\n\t\"time\"\n)\n\nconst defaultRetryAfter = 1 * time.Minute\n\nvar errInvalidRetryAfter = errors.New(\"invalid input\")\n\n// parseRetryAfter parses a string s as in the standard Retry-After HTTP header\n// and returns a deadline until when requests are rate limited and therefore new\n// requests should not be sent. The input may be either a date or a non-negative\n// integer number of seconds.\n//\n// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After\n//\n// parseRetryAfter always returns a usable deadline, even in case of an error.\n//\n// This is the original rate limiting mechanism used by Sentry, superseeded by\n// the X-Sentry-Rate-Limits response header.\nfunc parseRetryAfter(s string, now time.Time) (Deadline, error) {\n\tif s == \"\" {\n\t\tgoto invalid\n\t}\n\tif n, err := strconv.Atoi(s); err == nil {\n\t\tif n < 0 {\n\t\t\tgoto invalid\n\t\t}\n\t\td := time.Duration(n) * time.Second\n\t\treturn Deadline(now.Add(d)), nil\n\t}\n\tif date, err := time.Parse(time.RFC1123, s); err == nil {\n\t\treturn Deadline(date), nil\n\t}\ninvalid:\n\treturn Deadline(now.Add(defaultRetryAfter)), errInvalidRetryAfter\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/telemetry/bucketed_buffer.go", "content": "package telemetry\n\nimport (\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n)\n\nconst (\n\tdefaultBucketedCapacity = 100\n\tperBucketItemLimit = 100\n)\n\ntype Bucket[T any] struct {\n\ttraceID string\n\titems []T\n\tcreatedAt time.Time\n\tlastUpdatedAt time.Time\n}\n\n// BucketedBuffer groups items by trace id, flushing per bucket.\ntype BucketedBuffer[T any] struct {\n\tmu sync.RWMutex\n\n\tbuckets []*Bucket[T]\n\ttraceIndex map[string]int\n\n\thead int\n\ttail int\n\n\titemCapacity int\n\tbucketCapacity int\n\n\ttotalItems int\n\tbucketCount int\n\n\tcategory ratelimit.Category\n\tpriority ratelimit.Priority\n\toverflowPolicy OverflowPolicy\n\tbatchSize int\n\ttimeout time.Duration\n\tlastFlushTime time.Time\n\n\toffered int64\n\tdropped int64\n\tonDropped func(item T, reason string)\n}\n\nfunc NewBucketedBuffer[T any](\n\tcategory ratelimit.Category,\n\tcapacity int,\n\toverflowPolicy OverflowPolicy,\n\tbatchSize int,\n\ttimeout time.Duration,\n) *BucketedBuffer[T] {\n\tif capacity <= 0 {\n\t\tcapacity = defaultBucketedCapacity\n\t}\n\tif batchSize <= 0 {\n\t\tbatchSize = 1\n\t}\n\tif timeout < 0 {\n\t\ttimeout = 0\n\t}\n\n\tbucketCapacity := capacity / 10\n\tif bucketCapacity < 10 {\n\t\tbucketCapacity = 10\n\t}\n\n\treturn &BucketedBuffer[T]{\n\t\tbuckets: make([]*Bucket[T], bucketCapacity),\n\t\ttraceIndex: make(map[string]int),\n\t\titemCapacity: capacity,\n\t\tbucketCapacity: bucketCapacity,\n\t\tcategory: category,\n\t\tpriority: category.GetPriority(),\n\t\toverflowPolicy: overflowPolicy,\n\t\tbatchSize: batchSize,\n\t\ttimeout: timeout,\n\t\tlastFlushTime: time.Now(),\n\t}\n}\n\nfunc (b *BucketedBuffer[T]) Offer(item T) bool {\n\tatomic.AddInt64(&b.offered, 1)\n\n\ttraceID := \"\"\n\tif ta, ok := any(item).(TraceAware); ok {\n\t\tif tid, hasTrace := ta.GetTraceID(); hasTrace {\n\t\t\ttraceID = tid\n\t\t}\n\t}\n\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\treturn b.offerToBucket(item, traceID)\n}\n\nfunc (b *BucketedBuffer[T]) offerToBucket(item T, traceID string) bool {\n\tif traceID != \"\" {\n\t\tif idx, exists := b.traceIndex[traceID]; exists {\n\t\t\tbucket := b.buckets[idx]\n\t\t\tif len(bucket.items) >= perBucketItemLimit {\n\t\t\t\tdelete(b.traceIndex, traceID)\n\t\t\t} else {\n\t\t\t\tbucket.items = append(bucket.items, item)\n\t\t\t\tbucket.lastUpdatedAt = time.Now()\n\t\t\t\tb.totalItems++\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\n\tif b.totalItems >= b.itemCapacity {\n\t\treturn b.handleOverflow(item, traceID)\n\t}\n\tif b.bucketCount >= b.bucketCapacity {\n\t\treturn b.handleOverflow(item, traceID)\n\t}\n\n\tbucket := &Bucket[T]{\n\t\ttraceID: traceID,\n\t\titems: []T{item},\n\t\tcreatedAt: time.Now(),\n\t\tlastUpdatedAt: time.Now(),\n\t}\n\tb.buckets[b.tail] = bucket\n\tif traceID != \"\" {\n\t\tb.traceIndex[traceID] = b.tail\n\t}\n\tb.tail = (b.tail + 1) % b.bucketCapacity\n\tb.bucketCount++\n\tb.totalItems++\n\treturn true\n}\n\nfunc (b *BucketedBuffer[T]) handleOverflow(item T, traceID string) bool {\n\tswitch b.overflowPolicy {\n\tcase OverflowPolicyDropOldest:\n\t\toldestBucket := b.buckets[b.head]\n\t\tif oldestBucket == nil {\n\t\t\tatomic.AddInt64(&b.dropped, 1)\n\t\t\tif b.onDropped != nil {\n\t\t\t\tb.onDropped(item, \"buffer_full_invalid_state\")\n\t\t\t}\n\t\t\treturn false\n\t\t}\n\t\tif oldestBucket.traceID != \"\" {\n\t\t\tdelete(b.traceIndex, oldestBucket.traceID)\n\t\t}\n\t\tdroppedCount := len(oldestBucket.items)\n\t\tatomic.AddInt64(&b.dropped, int64(droppedCount))\n\t\tif b.onDropped != nil {\n\t\t\tfor _, di := range oldestBucket.items {\n\t\t\t\tb.onDropped(di, \"buffer_full_drop_oldest_bucket\")\n\t\t\t}\n\t\t}\n\t\tb.totalItems -= droppedCount\n\t\tb.bucketCount--\n\t\tb.head = (b.head + 1) % b.bucketCapacity\n\t\t// add new bucket\n\t\tbucket := &Bucket[T]{traceID: traceID, items: []T{item}, createdAt: time.Now(), lastUpdatedAt: time.Now()}\n\t\tb.buckets[b.tail] = bucket\n\t\tif traceID != \"\" {\n\t\t\tb.traceIndex[traceID] = b.tail\n\t\t}\n\t\tb.tail = (b.tail + 1) % b.bucketCapacity\n\t\tb.bucketCount++\n\t\tb.totalItems++\n\t\treturn true\n\tcase OverflowPolicyDropNewest:\n\t\tatomic.AddInt64(&b.dropped, 1)\n\t\tif b.onDropped != nil {\n\t\t\tb.onDropped(item, \"buffer_full_drop_newest\")\n\t\t}\n\t\treturn false\n\tdefault:\n\t\tatomic.AddInt64(&b.dropped, 1)\n\t\tif b.onDropped != nil {\n\t\t\tb.onDropped(item, \"unknown_overflow_policy\")\n\t\t}\n\t\treturn false\n\t}\n}\n\nfunc (b *BucketedBuffer[T]) Poll() (T, bool) {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\tvar zero T\n\tif b.bucketCount == 0 {\n\t\treturn zero, false\n\t}\n\tbucket := b.buckets[b.head]\n\tif bucket == nil || len(bucket.items) == 0 {\n\t\treturn zero, false\n\t}\n\titem := bucket.items[0]\n\tbucket.items = bucket.items[1:]\n\tb.totalItems--\n\tif len(bucket.items) == 0 {\n\t\tif bucket.traceID != \"\" {\n\t\t\tdelete(b.traceIndex, bucket.traceID)\n\t\t}\n\t\tb.buckets[b.head] = nil\n\t\tb.head = (b.head + 1) % b.bucketCapacity\n\t\tb.bucketCount--\n\t}\n\treturn item, true\n}\n\nfunc (b *BucketedBuffer[T]) PollBatch(maxItems int) []T {\n\tif maxItems <= 0 {\n\t\treturn nil\n\t}\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\tif b.bucketCount == 0 {\n\t\treturn nil\n\t}\n\tres := make([]T, 0, maxItems)\n\tfor len(res) < maxItems && b.bucketCount > 0 {\n\t\tbucket := b.buckets[b.head]\n\t\tif bucket == nil {\n\t\t\tbreak\n\t\t}\n\t\tn := maxItems - len(res)\n\t\tif n > len(bucket.items) {\n\t\t\tn = len(bucket.items)\n\t\t}\n\t\tres = append(res, bucket.items[:n]...)\n\t\tbucket.items = bucket.items[n:]\n\t\tb.totalItems -= n\n\t\tif len(bucket.items) == 0 {\n\t\t\tif bucket.traceID != \"\" {\n\t\t\t\tdelete(b.traceIndex, bucket.traceID)\n\t\t\t}\n\t\t\tb.buckets[b.head] = nil\n\t\t\tb.head = (b.head + 1) % b.bucketCapacity\n\t\t\tb.bucketCount--\n\t\t}\n\t}\n\treturn res\n}\n\nfunc (b *BucketedBuffer[T]) PollIfReady() []T {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\tif b.bucketCount == 0 {\n\t\treturn nil\n\t}\n\tready := b.totalItems >= b.batchSize || (b.timeout > 0 && time.Since(b.lastFlushTime) >= b.timeout)\n\tif !ready {\n\t\treturn nil\n\t}\n\toldest := b.buckets[b.head]\n\tif oldest == nil {\n\t\treturn nil\n\t}\n\titems := oldest.items\n\tif oldest.traceID != \"\" {\n\t\tdelete(b.traceIndex, oldest.traceID)\n\t}\n\tb.buckets[b.head] = nil\n\tb.head = (b.head + 1) % b.bucketCapacity\n\tb.totalItems -= len(items)\n\tb.bucketCount--\n\tb.lastFlushTime = time.Now()\n\treturn items\n}\n\nfunc (b *BucketedBuffer[T]) Drain() []T {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\tif b.bucketCount == 0 {\n\t\treturn nil\n\t}\n\tres := make([]T, 0, b.totalItems)\n\tfor i := 0; i < b.bucketCount; i++ {\n\t\tidx := (b.head + i) % b.bucketCapacity\n\t\tbucket := b.buckets[idx]\n\t\tif bucket != nil {\n\t\t\tres = append(res, bucket.items...)\n\t\t\tb.buckets[idx] = nil\n\t\t}\n\t}\n\tb.traceIndex = make(map[string]int)\n\tb.head = 0\n\tb.tail = 0\n\tb.totalItems = 0\n\tb.bucketCount = 0\n\treturn res\n}\n\nfunc (b *BucketedBuffer[T]) Peek() (T, bool) {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\tvar zero T\n\tif b.bucketCount == 0 {\n\t\treturn zero, false\n\t}\n\tbucket := b.buckets[b.head]\n\tif bucket == nil || len(bucket.items) == 0 {\n\t\treturn zero, false\n\t}\n\treturn bucket.items[0], true\n}\n\nfunc (b *BucketedBuffer[T]) Size() int { b.mu.RLock(); defer b.mu.RUnlock(); return b.totalItems }\nfunc (b *BucketedBuffer[T]) Capacity() int { b.mu.RLock(); defer b.mu.RUnlock(); return b.itemCapacity }\nfunc (b *BucketedBuffer[T]) Category() ratelimit.Category {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\treturn b.category\n}\nfunc (b *BucketedBuffer[T]) Priority() ratelimit.Priority {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\treturn b.priority\n}\nfunc (b *BucketedBuffer[T]) IsEmpty() bool {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\treturn b.bucketCount == 0\n}\nfunc (b *BucketedBuffer[T]) IsFull() bool {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\treturn b.totalItems >= b.itemCapacity\n}\nfunc (b *BucketedBuffer[T]) Utilization() float64 {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\tif b.itemCapacity == 0 {\n\t\treturn 0\n\t}\n\treturn float64(b.totalItems) / float64(b.itemCapacity)\n}\nfunc (b *BucketedBuffer[T]) OfferedCount() int64 { return atomic.LoadInt64(&b.offered) }\nfunc (b *BucketedBuffer[T]) DroppedCount() int64 { return atomic.LoadInt64(&b.dropped) }\nfunc (b *BucketedBuffer[T]) AcceptedCount() int64 { return b.OfferedCount() - b.DroppedCount() }\nfunc (b *BucketedBuffer[T]) DropRate() float64 {\n\toff := b.OfferedCount()\n\tif off == 0 {\n\t\treturn 0\n\t}\n\treturn float64(b.DroppedCount()) / float64(off)\n}\n\nfunc (b *BucketedBuffer[T]) GetMetrics() BufferMetrics {\n\tb.mu.RLock()\n\tsize := b.totalItems\n\tutil := 0.0\n\tif b.itemCapacity > 0 {\n\t\tutil = float64(b.totalItems) / float64(b.itemCapacity)\n\t}\n\tb.mu.RUnlock()\n\treturn BufferMetrics{Category: b.category, Priority: b.priority, Capacity: b.itemCapacity, Size: size, Utilization: util, OfferedCount: b.OfferedCount(), DroppedCount: b.DroppedCount(), AcceptedCount: b.AcceptedCount(), DropRate: b.DropRate(), LastUpdated: time.Now()}\n}\n\nfunc (b *BucketedBuffer[T]) SetDroppedCallback(callback func(item T, reason string)) {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\tb.onDropped = callback\n}\nfunc (b *BucketedBuffer[T]) Clear() {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\tfor i := 0; i < b.bucketCapacity; i++ {\n\t\tb.buckets[i] = nil\n\t}\n\tb.traceIndex = make(map[string]int)\n\tb.head = 0\n\tb.tail = 0\n\tb.totalItems = 0\n\tb.bucketCount = 0\n}\nfunc (b *BucketedBuffer[T]) IsReadyToFlush() bool {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\tif b.bucketCount == 0 {\n\t\treturn false\n\t}\n\tif b.totalItems >= b.batchSize {\n\t\treturn true\n\t}\n\tif b.timeout > 0 && time.Since(b.lastFlushTime) >= b.timeout {\n\t\treturn true\n\t}\n\treturn false\n}\nfunc (b *BucketedBuffer[T]) MarkFlushed() {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\tb.lastFlushTime = time.Now()\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/telemetry/buffer.go", "content": "package telemetry\n\nimport (\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n)\n\n// Buffer defines the common interface for all buffer implementations.\ntype Buffer[T any] interface {\n\t// Core operations\n\tOffer(item T) bool\n\tPoll() (T, bool)\n\tPollBatch(maxItems int) []T\n\tPollIfReady() []T\n\tDrain() []T\n\tPeek() (T, bool)\n\n\t// State queries\n\tSize() int\n\tCapacity() int\n\tIsEmpty() bool\n\tIsFull() bool\n\tUtilization() float64\n\n\t// Flush management\n\tIsReadyToFlush() bool\n\tMarkFlushed()\n\n\t// Category/Priority\n\tCategory() ratelimit.Category\n\tPriority() ratelimit.Priority\n\n\t// Metrics\n\tOfferedCount() int64\n\tDroppedCount() int64\n\tAcceptedCount() int64\n\tDropRate() float64\n\tGetMetrics() BufferMetrics\n\n\t// Configuration\n\tSetDroppedCallback(callback func(item T, reason string))\n\tClear()\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/telemetry/processor.go", "content": "package telemetry\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/internal/protocol\"\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n)\n\n// Processor is the top-level object that wraps the scheduler and buffers.\ntype Processor struct {\n\tscheduler *Scheduler\n}\n\n// NewProcessor creates a new Processor with the given configuration.\nfunc NewProcessor(\n\tbuffers map[ratelimit.Category]Buffer[protocol.TelemetryItem],\n\ttransport protocol.TelemetryTransport,\n\tdsn *protocol.Dsn,\n\tsdkInfo *protocol.SdkInfo,\n) *Processor {\n\tscheduler := NewScheduler(buffers, transport, dsn, sdkInfo)\n\tscheduler.Start()\n\n\treturn &Processor{\n\t\tscheduler: scheduler,\n\t}\n}\n\n// Add adds a TelemetryItem to the appropriate buffer based on its category.\nfunc (b *Processor) Add(item protocol.TelemetryItem) bool {\n\treturn b.scheduler.Add(item)\n}\n\n// Flush forces all buffers to flush within the given timeout.\nfunc (b *Processor) Flush(timeout time.Duration) bool {\n\treturn b.scheduler.Flush(timeout)\n}\n\n// FlushWithContext flushes with a custom context for cancellation.\nfunc (b *Processor) FlushWithContext(ctx context.Context) bool {\n\treturn b.scheduler.FlushWithContext(ctx)\n}\n\n// Close stops the buffer, flushes remaining data, and releases resources.\nfunc (b *Processor) Close(timeout time.Duration) {\n\tb.scheduler.Stop(timeout)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/telemetry/ring_buffer.go", "content": "package telemetry\n\nimport (\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n)\n\nconst defaultCapacity = 100\n\n// RingBuffer is a thread-safe ring buffer with overflow policies.\ntype RingBuffer[T any] struct {\n\tmu sync.RWMutex\n\titems []T\n\thead int\n\ttail int\n\tsize int\n\tcapacity int\n\n\tcategory ratelimit.Category\n\tpriority ratelimit.Priority\n\toverflowPolicy OverflowPolicy\n\n\tbatchSize int\n\ttimeout time.Duration\n\tlastFlushTime time.Time\n\n\toffered int64\n\tdropped int64\n\tonDropped func(item T, reason string)\n}\n\nfunc NewRingBuffer[T any](category ratelimit.Category, capacity int, overflowPolicy OverflowPolicy, batchSize int, timeout time.Duration) *RingBuffer[T] {\n\tif capacity <= 0 {\n\t\tcapacity = defaultCapacity\n\t}\n\n\tif batchSize <= 0 {\n\t\tbatchSize = 1\n\t}\n\n\tif timeout < 0 {\n\t\ttimeout = 0\n\t}\n\n\treturn &RingBuffer[T]{\n\t\titems: make([]T, capacity),\n\t\tcapacity: capacity,\n\t\tcategory: category,\n\t\tpriority: category.GetPriority(),\n\t\toverflowPolicy: overflowPolicy,\n\t\tbatchSize: batchSize,\n\t\ttimeout: timeout,\n\t\tlastFlushTime: time.Now(),\n\t}\n}\n\nfunc (b *RingBuffer[T]) SetDroppedCallback(callback func(item T, reason string)) {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\tb.onDropped = callback\n}\n\nfunc (b *RingBuffer[T]) Offer(item T) bool {\n\tatomic.AddInt64(&b.offered, 1)\n\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\n\tif b.size < b.capacity {\n\t\tb.items[b.tail] = item\n\t\tb.tail = (b.tail + 1) % b.capacity\n\t\tb.size++\n\t\treturn true\n\t}\n\n\tswitch b.overflowPolicy {\n\tcase OverflowPolicyDropOldest:\n\t\toldItem := b.items[b.head]\n\t\tb.items[b.head] = item\n\t\tb.head = (b.head + 1) % b.capacity\n\t\tb.tail = (b.tail + 1) % b.capacity\n\n\t\tatomic.AddInt64(&b.dropped, 1)\n\t\tif b.onDropped != nil {\n\t\t\tb.onDropped(oldItem, \"buffer_full_drop_oldest\")\n\t\t}\n\t\treturn true\n\n\tcase OverflowPolicyDropNewest:\n\t\tatomic.AddInt64(&b.dropped, 1)\n\t\tif b.onDropped != nil {\n\t\t\tb.onDropped(item, \"buffer_full_drop_newest\")\n\t\t}\n\t\treturn false\n\n\tdefault:\n\t\tatomic.AddInt64(&b.dropped, 1)\n\t\tif b.onDropped != nil {\n\t\t\tb.onDropped(item, \"unknown_overflow_policy\")\n\t\t}\n\t\treturn false\n\t}\n}\n\nfunc (b *RingBuffer[T]) Poll() (T, bool) {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\n\tvar zero T\n\tif b.size == 0 {\n\t\treturn zero, false\n\t}\n\n\titem := b.items[b.head]\n\tb.items[b.head] = zero\n\tb.head = (b.head + 1) % b.capacity\n\tb.size--\n\n\treturn item, true\n}\n\nfunc (b *RingBuffer[T]) PollBatch(maxItems int) []T {\n\tif maxItems <= 0 {\n\t\treturn nil\n\t}\n\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\n\tif b.size == 0 {\n\t\treturn nil\n\t}\n\n\titemCount := maxItems\n\tif itemCount > b.size {\n\t\titemCount = b.size\n\t}\n\n\tresult := make([]T, itemCount)\n\tvar zero T\n\n\tfor i := 0; i < itemCount; i++ {\n\t\tresult[i] = b.items[b.head]\n\t\tb.items[b.head] = zero\n\t\tb.head = (b.head + 1) % b.capacity\n\t\tb.size--\n\t}\n\n\treturn result\n}\n\nfunc (b *RingBuffer[T]) Drain() []T {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\n\tif b.size == 0 {\n\t\treturn nil\n\t}\n\n\tresult := make([]T, b.size)\n\tindex := 0\n\tvar zero T\n\n\tfor i := 0; i < b.size; i++ {\n\t\tpos := (b.head + i) % b.capacity\n\t\tresult[index] = b.items[pos]\n\t\tb.items[pos] = zero\n\t\tindex++\n\t}\n\n\tb.head = 0\n\tb.tail = 0\n\tb.size = 0\n\n\treturn result\n}\n\nfunc (b *RingBuffer[T]) Peek() (T, bool) {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\n\tvar zero T\n\tif b.size == 0 {\n\t\treturn zero, false\n\t}\n\n\treturn b.items[b.head], true\n}\n\nfunc (b *RingBuffer[T]) Size() int {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\treturn b.size\n}\n\nfunc (b *RingBuffer[T]) Capacity() int {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\treturn b.capacity\n}\n\nfunc (b *RingBuffer[T]) Category() ratelimit.Category {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\treturn b.category\n}\n\nfunc (b *RingBuffer[T]) Priority() ratelimit.Priority {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\treturn b.priority\n}\n\nfunc (b *RingBuffer[T]) IsEmpty() bool {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\treturn b.size == 0\n}\n\nfunc (b *RingBuffer[T]) IsFull() bool {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\treturn b.size == b.capacity\n}\n\nfunc (b *RingBuffer[T]) Utilization() float64 {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\treturn float64(b.size) / float64(b.capacity)\n}\n\nfunc (b *RingBuffer[T]) OfferedCount() int64 {\n\treturn atomic.LoadInt64(&b.offered)\n}\n\nfunc (b *RingBuffer[T]) DroppedCount() int64 {\n\treturn atomic.LoadInt64(&b.dropped)\n}\n\nfunc (b *RingBuffer[T]) AcceptedCount() int64 {\n\treturn b.OfferedCount() - b.DroppedCount()\n}\n\nfunc (b *RingBuffer[T]) DropRate() float64 {\n\toffered := b.OfferedCount()\n\tif offered == 0 {\n\t\treturn 0.0\n\t}\n\treturn float64(b.DroppedCount()) / float64(offered)\n}\n\nfunc (b *RingBuffer[T]) Clear() {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\n\tvar zero T\n\tfor i := 0; i < b.capacity; i++ {\n\t\tb.items[i] = zero\n\t}\n\n\tb.head = 0\n\tb.tail = 0\n\tb.size = 0\n}\n\nfunc (b *RingBuffer[T]) GetMetrics() BufferMetrics {\n\tb.mu.RLock()\n\tsize := b.size\n\tutil := float64(b.size) / float64(b.capacity)\n\tb.mu.RUnlock()\n\n\treturn BufferMetrics{\n\t\tCategory: b.category,\n\t\tPriority: b.priority,\n\t\tCapacity: b.capacity,\n\t\tSize: size,\n\t\tUtilization: util,\n\t\tOfferedCount: b.OfferedCount(),\n\t\tDroppedCount: b.DroppedCount(),\n\t\tAcceptedCount: b.AcceptedCount(),\n\t\tDropRate: b.DropRate(),\n\t\tLastUpdated: time.Now(),\n\t}\n}\n\nfunc (b *RingBuffer[T]) IsReadyToFlush() bool {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\n\tif b.size == 0 {\n\t\treturn false\n\t}\n\n\tif b.size >= b.batchSize {\n\t\treturn true\n\t}\n\n\tif b.timeout > 0 && time.Since(b.lastFlushTime) >= b.timeout {\n\t\treturn true\n\t}\n\n\treturn false\n}\n\nfunc (b *RingBuffer[T]) MarkFlushed() {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\tb.lastFlushTime = time.Now()\n}\n\nfunc (b *RingBuffer[T]) PollIfReady() []T {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\n\tif b.size == 0 {\n\t\treturn nil\n\t}\n\n\tready := b.size >= b.batchSize ||\n\t\t(b.timeout > 0 && time.Since(b.lastFlushTime) >= b.timeout)\n\n\tif !ready {\n\t\treturn nil\n\t}\n\n\titemCount := b.batchSize\n\tif itemCount > b.size {\n\t\titemCount = b.size\n\t}\n\n\tresult := make([]T, itemCount)\n\tvar zero T\n\n\tfor i := 0; i < itemCount; i++ {\n\t\tresult[i] = b.items[b.head]\n\t\tb.items[b.head] = zero\n\t\tb.head = (b.head + 1) % b.capacity\n\t\tb.size--\n\t}\n\n\tb.lastFlushTime = time.Now()\n\treturn result\n}\n\ntype BufferMetrics struct {\n\tCategory ratelimit.Category `json:\"category\"`\n\tPriority ratelimit.Priority `json:\"priority\"`\n\tCapacity int `json:\"capacity\"`\n\tSize int `json:\"size\"`\n\tUtilization float64 `json:\"utilization\"`\n\tOfferedCount int64 `json:\"offered_count\"`\n\tDroppedCount int64 `json:\"dropped_count\"`\n\tAcceptedCount int64 `json:\"accepted_count\"`\n\tDropRate float64 `json:\"drop_rate\"`\n\tLastUpdated time.Time `json:\"last_updated\"`\n}\n\n// OverflowPolicy defines how the ring buffer handles overflow.\ntype OverflowPolicy int\n\nconst (\n\tOverflowPolicyDropOldest OverflowPolicy = iota\n\tOverflowPolicyDropNewest\n)\n\nfunc (op OverflowPolicy) String() string {\n\tswitch op {\n\tcase OverflowPolicyDropOldest:\n\t\treturn \"drop_oldest\"\n\tcase OverflowPolicyDropNewest:\n\t\treturn \"drop_newest\"\n\tdefault:\n\t\treturn \"unknown\"\n\t}\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/telemetry/scheduler.go", "content": "package telemetry\n\nimport (\n\t\"context\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n\t\"github.com/getsentry/sentry-go/internal/protocol\"\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n)\n\n// Scheduler implements a weighted round-robin scheduler for processing buffered events.\ntype Scheduler struct {\n\tbuffers map[ratelimit.Category]Buffer[protocol.TelemetryItem]\n\ttransport protocol.TelemetryTransport\n\tdsn *protocol.Dsn\n\tsdkInfo *protocol.SdkInfo\n\n\tcurrentCycle []ratelimit.Priority\n\tcyclePos int\n\n\tctx context.Context\n\tcancel context.CancelFunc\n\tprocessingWg sync.WaitGroup\n\n\tmu sync.Mutex\n\tcond *sync.Cond\n\tstartOnce sync.Once\n\tfinishOnce sync.Once\n}\n\nfunc NewScheduler(\n\tbuffers map[ratelimit.Category]Buffer[protocol.TelemetryItem],\n\ttransport protocol.TelemetryTransport,\n\tdsn *protocol.Dsn,\n\tsdkInfo *protocol.SdkInfo,\n) *Scheduler {\n\tctx, cancel := context.WithCancel(context.Background())\n\n\tpriorityWeights := map[ratelimit.Priority]int{\n\t\tratelimit.PriorityCritical: 5,\n\t\tratelimit.PriorityHigh: 4,\n\t\tratelimit.PriorityMedium: 3,\n\t\tratelimit.PriorityLow: 2,\n\t\tratelimit.PriorityLowest: 1,\n\t}\n\n\tvar currentCycle []ratelimit.Priority\n\tfor priority, weight := range priorityWeights {\n\t\thasBuffers := false\n\t\tfor _, buffer := range buffers {\n\t\t\tif buffer.Priority() == priority {\n\t\t\t\thasBuffers = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\n\t\tif hasBuffers {\n\t\t\tfor i := 0; i < weight; i++ {\n\t\t\t\tcurrentCycle = append(currentCycle, priority)\n\t\t\t}\n\t\t}\n\t}\n\n\ts := &Scheduler{\n\t\tbuffers: buffers,\n\t\ttransport: transport,\n\t\tdsn: dsn,\n\t\tsdkInfo: sdkInfo,\n\t\tcurrentCycle: currentCycle,\n\t\tctx: ctx,\n\t\tcancel: cancel,\n\t}\n\ts.cond = sync.NewCond(&s.mu)\n\n\treturn s\n}\n\nfunc (s *Scheduler) Start() {\n\ts.startOnce.Do(func() {\n\t\ts.processingWg.Add(1)\n\t\tgo s.run()\n\t})\n}\n\nfunc (s *Scheduler) Stop(timeout time.Duration) {\n\ts.finishOnce.Do(func() {\n\t\ts.Flush(timeout)\n\n\t\ts.cancel()\n\t\ts.cond.Broadcast()\n\n\t\tdone := make(chan struct{})\n\t\tgo func() {\n\t\t\tdefer close(done)\n\t\t\ts.processingWg.Wait()\n\t\t}()\n\n\t\tselect {\n\t\tcase <-done:\n\t\tcase <-time.After(timeout):\n\t\t\tdebuglog.Printf(\"scheduler stop timed out after %v\", timeout)\n\t\t}\n\t})\n}\n\nfunc (s *Scheduler) Signal() {\n\ts.cond.Signal()\n}\n\nfunc (s *Scheduler) Add(item protocol.TelemetryItem) bool {\n\tcategory := item.GetCategory()\n\tbuffer, exists := s.buffers[category]\n\tif !exists {\n\t\treturn false\n\t}\n\n\taccepted := buffer.Offer(item)\n\tif accepted {\n\t\ts.Signal()\n\t}\n\treturn accepted\n}\n\nfunc (s *Scheduler) Flush(timeout time.Duration) bool {\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\treturn s.FlushWithContext(ctx)\n}\n\nfunc (s *Scheduler) FlushWithContext(ctx context.Context) bool {\n\ts.flushBuffers()\n\treturn s.transport.FlushWithContext(ctx)\n}\n\nfunc (s *Scheduler) run() {\n\tdefer s.processingWg.Done()\n\n\tgo func() {\n\t\tticker := time.NewTicker(100 * time.Millisecond)\n\t\tdefer ticker.Stop()\n\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-ticker.C:\n\t\t\t\ts.cond.Broadcast()\n\t\t\tcase <-s.ctx.Done():\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}()\n\n\tfor {\n\t\ts.mu.Lock()\n\n\t\tfor !s.hasWork() && s.ctx.Err() == nil {\n\t\t\ts.cond.Wait()\n\t\t}\n\n\t\tif s.ctx.Err() != nil {\n\t\t\ts.mu.Unlock()\n\t\t\treturn\n\t\t}\n\n\t\ts.mu.Unlock()\n\t\ts.processNextBatch()\n\t}\n}\n\nfunc (s *Scheduler) hasWork() bool {\n\tfor _, buffer := range s.buffers {\n\t\tif buffer.IsReadyToFlush() {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (s *Scheduler) processNextBatch() {\n\tif len(s.currentCycle) == 0 {\n\t\treturn\n\t}\n\n\tpriority := s.currentCycle[s.cyclePos]\n\ts.cyclePos = (s.cyclePos + 1) % len(s.currentCycle)\n\n\tvar bufferToProcess Buffer[protocol.TelemetryItem]\n\tvar categoryToProcess ratelimit.Category\n\tfor category, buffer := range s.buffers {\n\t\tif buffer.Priority() == priority && buffer.IsReadyToFlush() {\n\t\t\tbufferToProcess = buffer\n\t\t\tcategoryToProcess = category\n\t\t\tbreak\n\t\t}\n\t}\n\n\tif bufferToProcess != nil {\n\t\ts.processItems(bufferToProcess, categoryToProcess, false)\n\t}\n}\n\nfunc (s *Scheduler) processItems(buffer Buffer[protocol.TelemetryItem], category ratelimit.Category, force bool) {\n\tvar items []protocol.TelemetryItem\n\n\tif force {\n\t\titems = buffer.Drain()\n\t} else {\n\t\titems = buffer.PollIfReady()\n\t}\n\n\t// drop the current batch if rate-limited or if transport is full\n\tif len(items) == 0 || s.isRateLimited(category) || !s.transport.HasCapacity() {\n\t\treturn\n\t}\n\n\tswitch category {\n\tcase ratelimit.CategoryLog:\n\t\tlogs := protocol.Logs(items)\n\t\theader := &protocol.EnvelopeHeader{EventID: protocol.GenerateEventID(), SentAt: time.Now(), Sdk: s.sdkInfo}\n\t\tif s.dsn != nil {\n\t\t\theader.Dsn = s.dsn.String()\n\t\t}\n\t\tenvelope := protocol.NewEnvelope(header)\n\t\titem, err := logs.ToEnvelopeItem()\n\t\tif err != nil {\n\t\t\tdebuglog.Printf(\"error creating log batch envelope item: %v\", err)\n\t\t\treturn\n\t\t}\n\t\tenvelope.AddItem(item)\n\t\tif err := s.transport.SendEnvelope(envelope); err != nil {\n\t\t\tdebuglog.Printf(\"error sending envelope: %v\", err)\n\t\t}\n\t\treturn\n\tcase ratelimit.CategoryTraceMetric:\n\t\tmetrics := protocol.Metrics(items)\n\t\theader := &protocol.EnvelopeHeader{EventID: protocol.GenerateEventID(), SentAt: time.Now(), Sdk: s.sdkInfo}\n\t\tif s.dsn != nil {\n\t\t\theader.Dsn = s.dsn.String()\n\t\t}\n\t\tenvelope := protocol.NewEnvelope(header)\n\t\titem, err := metrics.ToEnvelopeItem()\n\t\tif err != nil {\n\t\t\tdebuglog.Printf(\"error creating trace metric batch envelope item: %v\", err)\n\t\t\treturn\n\t\t}\n\t\tenvelope.AddItem(item)\n\t\tif err := s.transport.SendEnvelope(envelope); err != nil {\n\t\t\tdebuglog.Printf(\"error sending envelope: %v\", err)\n\t\t}\n\t\treturn\n\tdefault:\n\t\t// if the buffers are properly configured, buffer.PollIfReady should return a single item for every category\n\t\t// other than logs. We still iterate over the items just in case, because we don't want to send broken envelopes.\n\t\tfor _, it := range items {\n\t\t\tconvertible, ok := it.(protocol.EnvelopeItemConvertible)\n\t\t\tif !ok {\n\t\t\t\tdebuglog.Printf(\"item does not implement EnvelopeItemConvertible: %T\", it)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\ts.sendItem(convertible)\n\t\t}\n\t}\n}\n\nfunc (s *Scheduler) sendItem(item protocol.EnvelopeItemConvertible) {\n\theader := &protocol.EnvelopeHeader{\n\t\tEventID: item.GetEventID(),\n\t\tSentAt: time.Now(),\n\t\tTrace: item.GetDynamicSamplingContext(),\n\t\tSdk: s.sdkInfo,\n\t}\n\tif header.EventID == \"\" {\n\t\theader.EventID = protocol.GenerateEventID()\n\t}\n\tif s.dsn != nil {\n\t\theader.Dsn = s.dsn.String()\n\t}\n\tenvelope := protocol.NewEnvelope(header)\n\tenvItem, err := item.ToEnvelopeItem()\n\tif err != nil {\n\t\tdebuglog.Printf(\"error while converting to envelope item: %v\", err)\n\t\treturn\n\t}\n\tenvelope.AddItem(envItem)\n\tif err := s.transport.SendEnvelope(envelope); err != nil {\n\t\tdebuglog.Printf(\"error sending envelope: %v\", err)\n\t}\n}\n\nfunc (s *Scheduler) flushBuffers() {\n\tfor category, buffer := range s.buffers {\n\t\tif !buffer.IsEmpty() {\n\t\t\ts.processItems(buffer, category, true)\n\t\t}\n\t}\n}\n\nfunc (s *Scheduler) isRateLimited(category ratelimit.Category) bool {\n\treturn s.transport.IsRateLimited(category)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/telemetry/trace_aware.go", "content": "package telemetry\n\n// TraceAware is implemented by items that can expose a trace ID.\n// BucketedBuffer uses this to group items by trace.\ntype TraceAware interface {\n\tGetTraceID() (string, bool)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/util/map.go", "content": "package util\n\nimport \"sync\"\n\ntype SyncMap[K comparable, V any] struct {\n\tm sync.Map\n}\n\nfunc (s *SyncMap[K, V]) Store(key K, value V) {\n\ts.m.Store(key, value)\n}\n\nfunc (s *SyncMap[K, V]) CompareAndDelete(key K, value V) {\n\ts.m.CompareAndDelete(key, value)\n}\n\nfunc (s *SyncMap[K, V]) Load(key K) (V, bool) {\n\tv, ok := s.m.Load(key)\n\tif !ok {\n\t\tvar zero V\n\t\treturn zero, false\n\t}\n\treturn v.(V), true\n}\n\nfunc (s *SyncMap[K, V]) Delete(key K) {\n\ts.m.Delete(key)\n}\n\nfunc (s *SyncMap[K, V]) LoadOrStore(key K, value V) (V, bool) {\n\tactual, loaded := s.m.LoadOrStore(key, value)\n\treturn actual.(V), loaded\n}\n\nfunc (s *SyncMap[K, V]) Clear() {\n\ts.m.Clear()\n}\n\nfunc (s *SyncMap[K, V]) Range(f func(key K, value V) bool) {\n\ts.m.Range(func(key, value any) bool {\n\t\treturn f(key.(K), value.(V))\n\t})\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/internal/util/util.go", "content": "package util\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n\t\"github.com/getsentry/sentry-go/internal/protocol\"\n)\n\n// MaxDrainResponseBytes is the maximum number of bytes that transport\n// implementations will read from response bodies when draining them.\nconst MaxDrainResponseBytes = 16 << 10\n\n// HandleHTTPResponse is a helper method that reads the HTTP response and handles debug output.\nfunc HandleHTTPResponse(response *http.Response, identifier string) bool {\n\tif response.StatusCode >= 200 && response.StatusCode < 300 {\n\t\treturn true\n\t}\n\n\tif response.StatusCode >= 400 && response.StatusCode <= 599 {\n\t\tbody, err := io.ReadAll(io.LimitReader(response.Body, MaxDrainResponseBytes))\n\t\tif err != nil {\n\t\t\tdebuglog.Printf(\"Error while reading response body: %v\", err)\n\t\t\treturn false\n\t\t}\n\n\t\tswitch {\n\t\tcase response.StatusCode == http.StatusRequestEntityTooLarge:\n\t\t\tdebuglog.Printf(\"Sending %s failed because the request was too large: %s\", identifier, string(body))\n\t\tcase response.StatusCode >= 500:\n\t\t\tdebuglog.Printf(\"Sending %s failed with server error %d: %s\", identifier, response.StatusCode, string(body))\n\t\tdefault:\n\t\t\tdebuglog.Printf(\"Sending %s failed with client error %d: %s\", identifier, response.StatusCode, string(body))\n\t\t}\n\t\treturn false\n\t}\n\n\tdebuglog.Printf(\"Unexpected status code %d for event %s\", response.StatusCode, identifier)\n\treturn false\n}\n\n// EnvelopeIdentifier returns a human-readable identifier for the event to be used in log messages.\n// Format: \" []\".\nfunc EnvelopeIdentifier(envelope *protocol.Envelope) string {\n\tif envelope == nil || len(envelope.Items) == 0 {\n\t\treturn \"empty envelope\"\n\t}\n\n\tvar description string\n\t// we don't currently support mixed envelope types, so all event types would have the same type.\n\titemType := envelope.Items[0].Header.Type\n\n\tswitch itemType {\n\tcase protocol.EnvelopeItemTypeEvent:\n\t\tdescription = \"error\"\n\tcase protocol.EnvelopeItemTypeTransaction:\n\t\tdescription = \"transaction\"\n\tcase protocol.EnvelopeItemTypeCheckIn:\n\t\tdescription = \"check-in\"\n\tcase protocol.EnvelopeItemTypeLog:\n\t\tlogCount := 0\n\t\tfor _, item := range envelope.Items {\n\t\t\tif item != nil && item.Header != nil && item.Header.Type == protocol.EnvelopeItemTypeLog && item.Header.ItemCount != nil {\n\t\t\t\tlogCount += *item.Header.ItemCount\n\t\t\t}\n\t\t}\n\t\tdescription = fmt.Sprintf(\"%d log events\", logCount)\n\tcase protocol.EnvelopeItemTypeTraceMetric:\n\t\tmetricCount := 0\n\t\tfor _, item := range envelope.Items {\n\t\t\tif item != nil && item.Header != nil && item.Header.Type == protocol.EnvelopeItemTypeTraceMetric && item.Header.ItemCount != nil {\n\t\t\t\tmetricCount += *item.Header.ItemCount\n\t\t\t}\n\t\t}\n\t\tdescription = fmt.Sprintf(\"%d metric events\", metricCount)\n\tdefault:\n\t\tdescription = fmt.Sprintf(\"%s event\", itemType)\n\t}\n\n\treturn fmt.Sprintf(\"%s [%s]\", description, envelope.Header.EventID)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/log.go", "content": "package sentry\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"maps\"\n\t\"os\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/attribute\"\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n)\n\ntype LogLevel string\n\nconst (\n\tLogLevelTrace LogLevel = \"trace\"\n\tLogLevelDebug LogLevel = \"debug\"\n\tLogLevelInfo LogLevel = \"info\"\n\tLogLevelWarn LogLevel = \"warn\"\n\tLogLevelError LogLevel = \"error\"\n\tLogLevelFatal LogLevel = \"fatal\"\n)\n\nconst (\n\tLogSeverityTrace int = 1\n\tLogSeverityDebug int = 5\n\tLogSeverityInfo int = 9\n\tLogSeverityWarning int = 13\n\tLogSeverityError int = 17\n\tLogSeverityFatal int = 21\n)\n\ntype sentryLogger struct {\n\tctx context.Context\n\thub *Hub\n\tattributes map[string]attribute.Value\n\tdefaultAttributes map[string]attribute.Value\n\tmu sync.RWMutex\n}\n\ntype logEntry struct {\n\tlogger *sentryLogger\n\tctx context.Context\n\tlevel LogLevel\n\tseverity int\n\tattributes map[string]attribute.Value\n\tshouldPanic bool\n\tshouldFatal bool\n}\n\n// NewLogger returns a Logger that emits logs to Sentry. If logging is turned off, all logs get discarded.\nfunc NewLogger(ctx context.Context) Logger { // nolint: dupl\n\tvar hub *Hub\n\thub = GetHubFromContext(ctx)\n\tif hub == nil {\n\t\thub = CurrentHub()\n\t}\n\n\tclient := hub.Client()\n\tif client != nil && client.options.EnableLogs {\n\t\t// Build default attrs\n\t\tserverAddr := client.options.ServerName\n\t\tif serverAddr == \"\" {\n\t\t\tserverAddr, _ = os.Hostname()\n\t\t}\n\n\t\tdefaults := map[string]string{\n\t\t\t\"sentry.release\": client.options.Release,\n\t\t\t\"sentry.environment\": client.options.Environment,\n\t\t\t\"sentry.server.address\": serverAddr,\n\t\t\t\"sentry.sdk.name\": client.sdkIdentifier,\n\t\t\t\"sentry.sdk.version\": client.sdkVersion,\n\t\t}\n\n\t\tdefaultAttrs := make(map[string]attribute.Value, len(defaults))\n\t\tfor k, v := range defaults {\n\t\t\tif v != \"\" {\n\t\t\t\tdefaultAttrs[k] = attribute.StringValue(v)\n\t\t\t}\n\t\t}\n\n\t\treturn &sentryLogger{\n\t\t\tctx: ctx,\n\t\t\thub: hub,\n\t\t\tattributes: make(map[string]attribute.Value),\n\t\t\tdefaultAttributes: defaultAttrs,\n\t\t\tmu: sync.RWMutex{},\n\t\t}\n\t}\n\n\tdebuglog.Println(\"fallback to noopLogger: enableLogs disabled\")\n\treturn &noopLogger{}\n}\n\nfunc (l *sentryLogger) Write(p []byte) (int, error) {\n\tmsg := strings.TrimRight(string(p), \"\\n\")\n\tl.Info().Emit(msg)\n\treturn len(p), nil\n}\n\nfunc (l *sentryLogger) log(ctx context.Context, level LogLevel, severity int, message string, entryAttrs map[string]attribute.Value, args ...interface{}) {\n\tif message == \"\" {\n\t\treturn\n\t}\n\n\thub := hubFromContexts(ctx, l.ctx)\n\tif hub == nil {\n\t\thub = l.hub\n\t}\n\tclient := hub.Client()\n\tif client == nil {\n\t\treturn\n\t}\n\n\tscope := hub.Scope()\n\ttraceID, spanID := resolveTrace(scope, ctx, l.ctx)\n\n\t// Pre-allocate with capacity hint to avoid map growth reallocations\n\testimatedCap := len(l.defaultAttributes) + len(entryAttrs) + len(args) + 8 // scope ~3 + instance ~5\n\tattrs := make(map[string]attribute.Value, estimatedCap)\n\n\t// attribute precedence: default -> scope -> instance (from SetAttrs) -> entry-specific\n\tfor k, v := range l.defaultAttributes {\n\t\tattrs[k] = v\n\t}\n\tscope.populateAttrs(attrs)\n\n\tl.mu.RLock()\n\tfor k, v := range l.attributes {\n\t\tattrs[k] = v\n\t}\n\tl.mu.RUnlock()\n\n\tfor k, v := range entryAttrs {\n\t\tattrs[k] = v\n\t}\n\n\tif len(args) > 0 {\n\t\tattrs[\"sentry.message.template\"] = attribute.StringValue(message)\n\t\tfor i, p := range args {\n\t\t\tattrs[fmt.Sprintf(\"sentry.message.parameters.%d\", i)] = attribute.StringValue(fmt.Sprintf(\"%+v\", p))\n\t\t}\n\t}\n\n\tlog := &Log{\n\t\tTimestamp: time.Now(),\n\t\tTraceID: traceID,\n\t\tSpanID: spanID,\n\t\tLevel: level,\n\t\tSeverity: severity,\n\t\tBody: fmt.Sprintf(message, args...),\n\t\tAttributes: attrs,\n\t}\n\n\tclient.captureLog(log, scope)\n\tif client.options.Debug {\n\t\tdebuglog.Printf(message, args...)\n\t}\n}\n\nfunc (l *sentryLogger) SetAttributes(attrs ...attribute.Builder) {\n\tl.mu.Lock()\n\tdefer l.mu.Unlock()\n\n\tfor _, a := range attrs {\n\t\tif a.Value.Type() == attribute.INVALID {\n\t\t\tdebuglog.Printf(\"invalid attribute: %v\", a)\n\t\t\tcontinue\n\t\t}\n\t\tl.attributes[a.Key] = a.Value\n\t}\n}\n\nfunc (l *sentryLogger) Trace() LogEntry {\n\treturn &logEntry{\n\t\tlogger: l,\n\t\tctx: l.ctx,\n\t\tlevel: LogLevelTrace,\n\t\tseverity: LogSeverityTrace,\n\t\tattributes: make(map[string]attribute.Value),\n\t}\n}\n\nfunc (l *sentryLogger) Debug() LogEntry {\n\treturn &logEntry{\n\t\tlogger: l,\n\t\tctx: l.ctx,\n\t\tlevel: LogLevelDebug,\n\t\tseverity: LogSeverityDebug,\n\t\tattributes: make(map[string]attribute.Value),\n\t}\n}\n\nfunc (l *sentryLogger) Info() LogEntry {\n\treturn &logEntry{\n\t\tlogger: l,\n\t\tctx: l.ctx,\n\t\tlevel: LogLevelInfo,\n\t\tseverity: LogSeverityInfo,\n\t\tattributes: make(map[string]attribute.Value),\n\t}\n}\n\nfunc (l *sentryLogger) Warn() LogEntry {\n\treturn &logEntry{\n\t\tlogger: l,\n\t\tctx: l.ctx,\n\t\tlevel: LogLevelWarn,\n\t\tseverity: LogSeverityWarning,\n\t\tattributes: make(map[string]attribute.Value),\n\t}\n}\n\nfunc (l *sentryLogger) Error() LogEntry {\n\treturn &logEntry{\n\t\tlogger: l,\n\t\tctx: l.ctx,\n\t\tlevel: LogLevelError,\n\t\tseverity: LogSeverityError,\n\t\tattributes: make(map[string]attribute.Value),\n\t}\n}\n\nfunc (l *sentryLogger) Fatal() LogEntry {\n\treturn &logEntry{\n\t\tlogger: l,\n\t\tctx: l.ctx,\n\t\tlevel: LogLevelFatal,\n\t\tseverity: LogSeverityFatal,\n\t\tattributes: make(map[string]attribute.Value),\n\t\tshouldFatal: true,\n\t}\n}\n\nfunc (l *sentryLogger) Panic() LogEntry {\n\treturn &logEntry{\n\t\tlogger: l,\n\t\tctx: l.ctx,\n\t\tlevel: LogLevelFatal,\n\t\tseverity: LogSeverityFatal,\n\t\tattributes: make(map[string]attribute.Value),\n\t\tshouldPanic: true,\n\t}\n}\n\nfunc (l *sentryLogger) LFatal() LogEntry {\n\treturn &logEntry{\n\t\tlogger: l,\n\t\tctx: l.ctx,\n\t\tlevel: LogLevelFatal,\n\t\tseverity: LogSeverityFatal,\n\t\tattributes: make(map[string]attribute.Value),\n\t}\n}\n\nfunc (l *sentryLogger) GetCtx() context.Context {\n\treturn l.ctx\n}\n\nfunc (e *logEntry) WithCtx(ctx context.Context) LogEntry {\n\treturn &logEntry{\n\t\tlogger: e.logger,\n\t\tctx: ctx,\n\t\tlevel: e.level,\n\t\tseverity: e.severity,\n\t\tattributes: maps.Clone(e.attributes),\n\t\tshouldPanic: e.shouldPanic,\n\t\tshouldFatal: e.shouldFatal,\n\t}\n}\n\nfunc (e *logEntry) String(key, value string) LogEntry {\n\te.attributes[key] = attribute.StringValue(value)\n\treturn e\n}\n\nfunc (e *logEntry) Int(key string, value int) LogEntry {\n\te.attributes[key] = attribute.Int64Value(int64(value))\n\treturn e\n}\n\nfunc (e *logEntry) Int64(key string, value int64) LogEntry {\n\te.attributes[key] = attribute.Int64Value(value)\n\treturn e\n}\n\nfunc (e *logEntry) Float64(key string, value float64) LogEntry {\n\te.attributes[key] = attribute.Float64Value(value)\n\treturn e\n}\n\nfunc (e *logEntry) Bool(key string, value bool) LogEntry {\n\te.attributes[key] = attribute.BoolValue(value)\n\treturn e\n}\n\n// Uint64 adds uint64 attributes to the log entry.\n//\n// This method is intentionally not part of the LogEntry interface to avoid exposing uint64 in the public API.\nfunc (e *logEntry) Uint64(key string, value uint64) LogEntry {\n\te.attributes[key] = attribute.Uint64Value(value)\n\treturn e\n}\n\nfunc (e *logEntry) Emit(args ...interface{}) {\n\te.logger.log(e.ctx, e.level, e.severity, fmt.Sprint(args...), e.attributes)\n\n\tif e.level == LogLevelFatal {\n\t\tif e.shouldPanic {\n\t\t\tpanic(fmt.Sprint(args...))\n\t\t}\n\t\tif e.shouldFatal {\n\t\t\tos.Exit(1)\n\t\t}\n\t}\n}\n\nfunc (e *logEntry) Emitf(format string, args ...interface{}) {\n\te.logger.log(e.ctx, e.level, e.severity, format, e.attributes, args...)\n\n\tif e.level == LogLevelFatal {\n\t\tif e.shouldPanic {\n\t\t\tformattedMessage := fmt.Sprintf(format, args...)\n\t\t\tpanic(formattedMessage)\n\t\t}\n\t\tif e.shouldFatal {\n\t\t\tos.Exit(1)\n\t\t}\n\t}\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/log_batch_processor.go", "content": "package sentry\n\nimport (\n\t\"time\"\n)\n\n// logBatchProcessor batches logs and sends them to Sentry.\ntype logBatchProcessor struct {\n\t*batchProcessor[Log]\n}\n\nfunc newLogBatchProcessor(client *Client) *logBatchProcessor {\n\treturn &logBatchProcessor{\n\t\tbatchProcessor: newBatchProcessor(func(items []Log) {\n\t\t\tif len(items) == 0 {\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tevent := NewEvent()\n\t\t\tevent.Timestamp = time.Now()\n\t\t\tevent.EventID = EventID(uuid())\n\t\t\tevent.Type = logEvent.Type\n\t\t\tevent.Logs = items\n\n\t\t\tclient.Transport.SendEvent(event)\n\t\t}),\n\t}\n}\n\nfunc (p *logBatchProcessor) Send(log *Log) bool {\n\treturn p.batchProcessor.Send(*log)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/log_fallback.go", "content": "package sentry\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/getsentry/sentry-go/attribute\"\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n)\n\n// Fallback, no-op logger if logging is disabled.\ntype noopLogger struct{}\n\n// noopLogEntry implements LogEntry for the no-op logger.\ntype noopLogEntry struct {\n\tlevel LogLevel\n\tshouldPanic bool\n\tshouldFatal bool\n}\n\nfunc (n *noopLogEntry) WithCtx(_ context.Context) LogEntry {\n\treturn n\n}\n\nfunc (n *noopLogEntry) String(_, _ string) LogEntry {\n\treturn n\n}\n\nfunc (n *noopLogEntry) Int(_ string, _ int) LogEntry {\n\treturn n\n}\n\nfunc (n *noopLogEntry) Int64(_ string, _ int64) LogEntry {\n\treturn n\n}\n\nfunc (n *noopLogEntry) Float64(_ string, _ float64) LogEntry {\n\treturn n\n}\n\nfunc (n *noopLogEntry) Bool(_ string, _ bool) LogEntry {\n\treturn n\n}\n\nfunc (n *noopLogEntry) Attributes(_ ...attribute.Builder) LogEntry {\n\treturn n\n}\n\nfunc (n *noopLogEntry) Emit(args ...interface{}) {\n\tdebuglog.Printf(\"Log with level=[%v] is being dropped. Turn on logging via EnableLogs\", n.level)\n\tif n.level == LogLevelFatal {\n\t\tif n.shouldPanic {\n\t\t\tpanic(args)\n\t\t}\n\t\tif n.shouldFatal {\n\t\t\tos.Exit(1)\n\t\t}\n\t}\n}\n\nfunc (n *noopLogEntry) Emitf(message string, args ...interface{}) {\n\tdebuglog.Printf(\"Log with level=[%v] is being dropped. Turn on logging via EnableLogs\", n.level)\n\tif n.level == LogLevelFatal {\n\t\tif n.shouldPanic {\n\t\t\tpanic(fmt.Sprintf(message, args...))\n\t\t}\n\t\tif n.shouldFatal {\n\t\t\tos.Exit(1)\n\t\t}\n\t}\n}\n\nfunc (n *noopLogger) GetCtx() context.Context { return context.Background() }\n\nfunc (*noopLogger) Trace() LogEntry {\n\treturn &noopLogEntry{level: LogLevelTrace}\n}\n\nfunc (*noopLogger) Debug() LogEntry {\n\treturn &noopLogEntry{level: LogLevelDebug}\n}\n\nfunc (*noopLogger) Info() LogEntry {\n\treturn &noopLogEntry{level: LogLevelInfo}\n}\n\nfunc (*noopLogger) Warn() LogEntry {\n\treturn &noopLogEntry{level: LogLevelWarn}\n}\n\nfunc (*noopLogger) Error() LogEntry {\n\treturn &noopLogEntry{level: LogLevelError}\n}\n\nfunc (*noopLogger) Fatal() LogEntry {\n\treturn &noopLogEntry{level: LogLevelFatal, shouldFatal: true}\n}\n\nfunc (*noopLogger) Panic() LogEntry {\n\treturn &noopLogEntry{level: LogLevelFatal, shouldPanic: true}\n}\n\nfunc (*noopLogger) LFatal() LogEntry {\n\treturn &noopLogEntry{level: LogLevelFatal}\n}\n\nfunc (*noopLogger) SetAttributes(...attribute.Builder) {\n\tdebuglog.Printf(\"No attributes attached. Turn on logging via EnableLogs\")\n}\n\nfunc (*noopLogger) Write(_ []byte) (n int, err error) {\n\treturn 0, fmt.Errorf(\"log with level=[%v] is being dropped. Turn on logging via EnableLogs\", LogLevelInfo)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/metric_batch_processor.go", "content": "package sentry\n\nimport (\n\t\"time\"\n)\n\n// metricBatchProcessor batches metrics and sends them to Sentry.\ntype metricBatchProcessor struct {\n\t*batchProcessor[Metric]\n}\n\nfunc newMetricBatchProcessor(client *Client) *metricBatchProcessor {\n\treturn &metricBatchProcessor{\n\t\tbatchProcessor: newBatchProcessor(func(items []Metric) {\n\t\t\tif len(items) == 0 {\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tevent := NewEvent()\n\t\t\tevent.Timestamp = time.Now()\n\t\t\tevent.EventID = EventID(uuid())\n\t\t\tevent.Type = traceMetricEvent.Type\n\t\t\tevent.Metrics = items\n\n\t\t\tclient.Transport.SendEvent(event)\n\t\t}),\n\t}\n}\n\nfunc (p *metricBatchProcessor) Send(metric *Metric) bool {\n\treturn p.batchProcessor.Send(*metric)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/metrics.go", "content": "package sentry\n\nimport (\n\t\"context\"\n\t\"maps\"\n\t\"os\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/attribute\"\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n)\n\n// Duration Units.\nconst (\n\tUnitNanosecond = \"nanosecond\"\n\tUnitMicrosecond = \"microsecond\"\n\tUnitMillisecond = \"millisecond\"\n\tUnitSecond = \"second\"\n\tUnitMinute = \"minute\"\n\tUnitHour = \"hour\"\n\tUnitDay = \"day\"\n\tUnitWeek = \"week\"\n)\n\n// Information Units.\nconst (\n\tUnitBit = \"bit\"\n\tUnitByte = \"byte\"\n\tUnitKilobyte = \"kilobyte\"\n\tUnitKibibyte = \"kibibyte\"\n\tUnitMegabyte = \"megabyte\"\n\tUnitMebibyte = \"mebibyte\"\n\tUnitGigabyte = \"gigabyte\"\n\tUnitGibibyte = \"gibibyte\"\n\tUnitTerabyte = \"terabyte\"\n\tUnitTebibyte = \"tebibyte\"\n\tUnitPetabyte = \"petabyte\"\n\tUnitPebibyte = \"pebibyte\"\n\tUnitExabyte = \"exabyte\"\n\tUnitExbibyte = \"exbibyte\"\n)\n\n// Fraction Units.\nconst (\n\tUnitRatio = \"ratio\"\n\tUnitPercent = \"percent\"\n)\n\n// NewMeter returns a new Meter. If there is no Client bound to the current hub, or if metrics are disabled,\n// it returns a no-op Meter that discards all metrics.\nfunc NewMeter(ctx context.Context) Meter {\n\thub := GetHubFromContext(ctx)\n\tif hub == nil {\n\t\thub = CurrentHub()\n\t}\n\tclient := hub.Client()\n\tif client != nil && !client.options.DisableMetrics {\n\t\t// build default attrs\n\t\tserverAddr := client.options.ServerName\n\t\tif serverAddr == \"\" {\n\t\t\tserverAddr, _ = os.Hostname()\n\t\t}\n\n\t\tdefaults := map[string]string{\n\t\t\t\"sentry.release\": client.options.Release,\n\t\t\t\"sentry.environment\": client.options.Environment,\n\t\t\t\"sentry.server.address\": serverAddr,\n\t\t\t\"sentry.sdk.name\": client.sdkIdentifier,\n\t\t\t\"sentry.sdk.version\": client.sdkVersion,\n\t\t}\n\n\t\tdefaultAttrs := make(map[string]attribute.Value)\n\t\tfor k, v := range defaults {\n\t\t\tif v != \"\" {\n\t\t\t\tdefaultAttrs[k] = attribute.StringValue(v)\n\t\t\t}\n\t\t}\n\n\t\treturn &sentryMeter{\n\t\t\tctx: ctx,\n\t\t\thub: hub,\n\t\t\tattributes: make(map[string]attribute.Value),\n\t\t\tdefaultAttributes: defaultAttrs,\n\t\t\tmu: sync.RWMutex{},\n\t\t}\n\t}\n\n\tdebuglog.Printf(\"fallback to noopMeter: metrics disabled\")\n\treturn &noopMeter{}\n}\n\ntype sentryMeter struct {\n\tctx context.Context\n\thub *Hub\n\tattributes map[string]attribute.Value\n\tdefaultAttributes map[string]attribute.Value\n\tmu sync.RWMutex\n}\n\nfunc (m *sentryMeter) emit(ctx context.Context, metricType MetricType, name string, value MetricValue, unit string, attributes map[string]attribute.Value, customScope *Scope) {\n\tif name == \"\" {\n\t\tdebuglog.Println(\"empty name provided, dropping metric\")\n\t\treturn\n\t}\n\n\thub := hubFromContexts(ctx, m.ctx)\n\tif hub == nil {\n\t\thub = m.hub\n\t}\n\n\tclient := hub.Client()\n\tif client == nil {\n\t\treturn\n\t}\n\n\tscope := hub.Scope()\n\tif customScope != nil {\n\t\tscope = customScope\n\t}\n\ttraceID, spanID := resolveTrace(scope, ctx, m.ctx)\n\n\t// Pre-allocate with capacity hint to avoid map growth reallocations\n\testimatedCap := len(m.defaultAttributes) + len(attributes) + 8 // scope ~3 + call-specific ~5\n\tattrs := make(map[string]attribute.Value, estimatedCap)\n\n\t// attribute precedence: default -> scope -> instance (from SetAttrs) -> entry-specific\n\tfor k, v := range m.defaultAttributes {\n\t\tattrs[k] = v\n\t}\n\tscope.populateAttrs(attrs)\n\n\tm.mu.RLock()\n\tfor k, v := range m.attributes {\n\t\tattrs[k] = v\n\t}\n\tm.mu.RUnlock()\n\n\tfor k, v := range attributes {\n\t\tattrs[k] = v\n\t}\n\n\tmetric := &Metric{\n\t\tTimestamp: time.Now(),\n\t\tTraceID: traceID,\n\t\tSpanID: spanID,\n\t\tType: metricType,\n\t\tName: name,\n\t\tValue: value,\n\t\tUnit: unit,\n\t\tAttributes: attrs,\n\t}\n\n\tif client.captureMetric(metric, scope) && client.options.Debug {\n\t\tdebuglog.Printf(\"Metric %s [%s]: %v %s\", metricType, name, value.AsInterface(), unit)\n\t}\n}\n\n// WithCtx returns a new Meter that uses the given context for trace/span association.\nfunc (m *sentryMeter) WithCtx(ctx context.Context) Meter {\n\tm.mu.RLock()\n\tattrsCopy := maps.Clone(m.attributes)\n\tm.mu.RUnlock()\n\n\treturn &sentryMeter{\n\t\tctx: ctx,\n\t\thub: m.hub,\n\t\tattributes: attrsCopy,\n\t\tdefaultAttributes: m.defaultAttributes,\n\t\tmu: sync.RWMutex{},\n\t}\n}\n\nfunc (m *sentryMeter) applyOptions(opts []MeterOption) *meterOptions {\n\to := &meterOptions{}\n\tfor _, opt := range opts {\n\t\topt(o)\n\t}\n\treturn o\n}\n\n// Count implements Meter.\nfunc (m *sentryMeter) Count(name string, count int64, opts ...MeterOption) {\n\to := m.applyOptions(opts)\n\tm.emit(m.ctx, MetricTypeCounter, name, Int64MetricValue(count), o.unit, o.attributes, o.scope)\n}\n\n// Distribution implements Meter.\nfunc (m *sentryMeter) Distribution(name string, sample float64, opts ...MeterOption) {\n\to := m.applyOptions(opts)\n\tm.emit(m.ctx, MetricTypeDistribution, name, Float64MetricValue(sample), o.unit, o.attributes, o.scope)\n}\n\n// Gauge implements Meter.\nfunc (m *sentryMeter) Gauge(name string, value float64, opts ...MeterOption) {\n\to := m.applyOptions(opts)\n\tm.emit(m.ctx, MetricTypeGauge, name, Float64MetricValue(value), o.unit, o.attributes, o.scope)\n}\n\n// SetAttributes implements Meter.\nfunc (m *sentryMeter) SetAttributes(attrs ...attribute.Builder) {\n\tm.mu.Lock()\n\tdefer m.mu.Unlock()\n\n\tfor _, a := range attrs {\n\t\tif a.Value.Type() == attribute.INVALID {\n\t\t\tdebuglog.Printf(\"invalid attribute: %v\", a)\n\t\t\tcontinue\n\t\t}\n\t\tm.attributes[a.Key] = a.Value\n\t}\n}\n\n// noopMeter is a no-operation implementation of Meter.\n// This is used when there is no client available in the context or when metrics are disabled.\ntype noopMeter struct{}\n\n// WithCtx implements Meter.\nfunc (n *noopMeter) WithCtx(_ context.Context) Meter {\n\treturn n\n}\n\n// Count implements Meter.\nfunc (n *noopMeter) Count(name string, _ int64, _ ...MeterOption) {\n\tdebuglog.Printf(\"Metric %q is being dropped. Turn on metrics by setting DisableMetrics to false\", name)\n}\n\n// Distribution implements Meter.\nfunc (n *noopMeter) Distribution(name string, _ float64, _ ...MeterOption) {\n\tdebuglog.Printf(\"Metric %q is being dropped. Turn on metrics by setting DisableMetrics to false\", name)\n}\n\n// Gauge implements Meter.\nfunc (n *noopMeter) Gauge(name string, _ float64, _ ...MeterOption) {\n\tdebuglog.Printf(\"Metric %q is being dropped. Turn on metrics by setting DisableMetrics to false\", name)\n}\n\n// SetAttributes implements Meter.\nfunc (n *noopMeter) SetAttributes(_ ...attribute.Builder) {\n\tdebuglog.Printf(\"No attributes attached. Turn on metrics by setting DisableMetrics to false\")\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/mocks.go", "content": "package sentry\n\nimport (\n\t\"context\"\n\t\"sync\"\n\t\"time\"\n)\n\n// MockScope implements [Scope] for use in tests.\ntype MockScope struct {\n\tbreadcrumb *Breadcrumb\n\tshouldDropEvent bool\n}\n\nfunc (scope *MockScope) AddBreadcrumb(breadcrumb *Breadcrumb, _ int) {\n\tscope.breadcrumb = breadcrumb\n}\n\nfunc (scope *MockScope) ApplyToEvent(event *Event, _ *EventHint, _ *Client) *Event {\n\tif scope.shouldDropEvent {\n\t\treturn nil\n\t}\n\treturn event\n}\n\n// MockTransport implements [Transport] for use in tests.\ntype MockTransport struct {\n\tmu sync.Mutex\n\tevents []*Event\n\tlastEvent *Event\n}\n\nfunc (t *MockTransport) Configure(_ ClientOptions) {}\nfunc (t *MockTransport) SendEvent(event *Event) {\n\tt.mu.Lock()\n\tdefer t.mu.Unlock()\n\tt.events = append(t.events, event)\n\tt.lastEvent = event\n}\nfunc (t *MockTransport) Flush(_ time.Duration) bool {\n\treturn true\n}\nfunc (t *MockTransport) FlushWithContext(_ context.Context) bool { return true }\nfunc (t *MockTransport) Events() []*Event {\n\tt.mu.Lock()\n\tdefer t.mu.Unlock()\n\treturn t.events\n}\nfunc (t *MockTransport) Close() {}\n\n// MockLogEntry implements [sentry.LogEntry] for use in tests.\ntype MockLogEntry struct {\n\tAttributes map[string]any\n}\n\nfunc NewMockLogEntry() *MockLogEntry {\n\treturn &MockLogEntry{Attributes: make(map[string]any)}\n}\n\nfunc (m *MockLogEntry) WithCtx(_ context.Context) LogEntry { return m }\nfunc (m *MockLogEntry) String(key, value string) LogEntry { m.Attributes[key] = value; return m }\nfunc (m *MockLogEntry) Int(key string, value int) LogEntry {\n\tm.Attributes[key] = int64(value)\n\treturn m\n}\nfunc (m *MockLogEntry) Int64(key string, value int64) LogEntry {\n\tm.Attributes[key] = value\n\treturn m\n}\nfunc (m *MockLogEntry) Float64(key string, value float64) LogEntry {\n\tm.Attributes[key] = value\n\treturn m\n}\nfunc (m *MockLogEntry) Bool(key string, value bool) LogEntry {\n\tm.Attributes[key] = value\n\treturn m\n}\nfunc (m *MockLogEntry) Emit(...any) {}\nfunc (m *MockLogEntry) Emitf(string, ...any) {}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/propagation_context.go", "content": "package sentry\n\nimport (\n\t\"crypto/rand\"\n)\n\ntype PropagationContext struct {\n\tTraceID TraceID `json:\"trace_id\"`\n\tSpanID SpanID `json:\"span_id\"`\n\tParentSpanID SpanID `json:\"parent_span_id,omitzero\"`\n\tDynamicSamplingContext DynamicSamplingContext `json:\"-\"`\n}\n\nfunc (p PropagationContext) Map() map[string]interface{} {\n\tm := map[string]interface{}{\n\t\t\"trace_id\": p.TraceID,\n\t\t\"span_id\": p.SpanID,\n\t}\n\n\tif p.ParentSpanID != zeroSpanID {\n\t\tm[\"parent_span_id\"] = p.ParentSpanID\n\t}\n\n\treturn m\n}\n\nfunc NewPropagationContext() PropagationContext {\n\tp := PropagationContext{}\n\n\tif _, err := rand.Read(p.TraceID[:]); err != nil {\n\t\tpanic(err)\n\t}\n\n\tif _, err := rand.Read(p.SpanID[:]); err != nil {\n\t\tpanic(err)\n\t}\n\n\treturn p\n}\n\nfunc PropagationContextFromHeaders(trace, baggage string) (PropagationContext, error) {\n\tp := NewPropagationContext()\n\n\tif _, err := rand.Read(p.SpanID[:]); err != nil {\n\t\tpanic(err)\n\t}\n\n\thasTrace := false\n\tif trace != \"\" {\n\t\tif tpc, valid := ParseTraceParentContext([]byte(trace)); valid {\n\t\t\thasTrace = true\n\t\t\tp.TraceID = tpc.TraceID\n\t\t\tp.ParentSpanID = tpc.ParentSpanID\n\t\t}\n\t}\n\n\tif baggage != \"\" {\n\t\tdsc, err := DynamicSamplingContextFromHeader([]byte(baggage))\n\t\tif err != nil {\n\t\t\treturn PropagationContext{}, err\n\t\t}\n\t\tp.DynamicSamplingContext = dsc\n\t}\n\n\t// In case a sentry-trace header is present but there are no sentry-related\n\t// values in the baggage, create an empty, frozen DynamicSamplingContext.\n\tif hasTrace && !p.DynamicSamplingContext.HasEntries() {\n\t\tp.DynamicSamplingContext = DynamicSamplingContext{\n\t\t\tFrozen: true,\n\t\t}\n\t}\n\n\treturn p, nil\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/scope.go", "content": "package sentry\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"io\"\n\t\"net/http\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/attribute\"\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n)\n\n// Scope holds contextual data for the current scope.\n//\n// The scope is an object that can cloned efficiently and stores data that is\n// locally relevant to an event. For instance the scope will hold recorded\n// breadcrumbs and similar information.\n//\n// The scope can be interacted with in two ways. First, the scope is routinely\n// updated with information by functions such as AddBreadcrumb which will modify\n// the current scope. Second, the current scope can be configured through the\n// ConfigureScope function or Hub method of the same name.\n//\n// The scope is meant to be modified but not inspected directly. When preparing\n// an event for reporting, the current client adds information from the current\n// scope into the event.\ntype Scope struct {\n\tmu sync.RWMutex\n\tbreadcrumbs []*Breadcrumb\n\tattachments []*Attachment\n\tuser User\n\ttags map[string]string\n\tcontexts map[string]Context\n\textra map[string]interface{}\n\tfingerprint []string\n\tlevel Level\n\trequest *http.Request\n\t// requestBody holds a reference to the original request.Body.\n\trequestBody interface {\n\t\t// Bytes returns bytes from the original body, lazily buffered as the\n\t\t// original body is read.\n\t\tBytes() []byte\n\t\t// Overflow returns true if the body is larger than the maximum buffer\n\t\t// size.\n\t\tOverflow() bool\n\t}\n\teventProcessors []EventProcessor\n\n\tpropagationContext PropagationContext\n\tspan *Span\n}\n\n// NewScope creates a new Scope.\nfunc NewScope() *Scope {\n\treturn &Scope{\n\t\tbreadcrumbs: make([]*Breadcrumb, 0),\n\t\tattachments: make([]*Attachment, 0),\n\t\ttags: make(map[string]string),\n\t\tcontexts: make(map[string]Context),\n\t\textra: make(map[string]interface{}),\n\t\tfingerprint: make([]string, 0),\n\t\tpropagationContext: NewPropagationContext(),\n\t}\n}\n\n// AddBreadcrumb adds new breadcrumb to the current scope\n// and optionally throws the old one if limit is reached.\nfunc (scope *Scope) AddBreadcrumb(breadcrumb *Breadcrumb, limit int) {\n\tif breadcrumb.Timestamp.IsZero() {\n\t\tbreadcrumb.Timestamp = time.Now()\n\t}\n\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.breadcrumbs = append(scope.breadcrumbs, breadcrumb)\n\tif len(scope.breadcrumbs) > limit {\n\t\tscope.breadcrumbs = scope.breadcrumbs[1 : limit+1]\n\t}\n}\n\n// ClearBreadcrumbs clears all breadcrumbs from the current scope.\nfunc (scope *Scope) ClearBreadcrumbs() {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.breadcrumbs = []*Breadcrumb{}\n}\n\n// AddAttachment adds new attachment to the current scope.\nfunc (scope *Scope) AddAttachment(attachment *Attachment) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.attachments = append(scope.attachments, attachment)\n}\n\n// ClearAttachments clears all attachments from the current scope.\nfunc (scope *Scope) ClearAttachments() {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.attachments = []*Attachment{}\n}\n\n// SetUser sets the user for the current scope.\nfunc (scope *Scope) SetUser(user User) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.user = user\n}\n\n// SetRequest sets the request for the current scope.\nfunc (scope *Scope) SetRequest(r *http.Request) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.request = r\n\n\tif r == nil {\n\t\treturn\n\t}\n\n\t// Don't buffer request body if we know it is oversized.\n\tif r.ContentLength > maxRequestBodyBytes {\n\t\treturn\n\t}\n\t// Don't buffer if there is no body.\n\tif r.Body == nil || r.Body == http.NoBody {\n\t\treturn\n\t}\n\tbuf := &limitedBuffer{Capacity: maxRequestBodyBytes}\n\tr.Body = readCloser{\n\t\tReader: io.TeeReader(r.Body, buf),\n\t\tCloser: r.Body,\n\t}\n\tscope.requestBody = buf\n}\n\n// SetRequestBody sets the request body for the current scope.\n//\n// This method should only be called when the body bytes are already available\n// in memory. Typically, the request body is buffered lazily from the\n// Request.Body from SetRequest.\nfunc (scope *Scope) SetRequestBody(b []byte) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tcapacity := maxRequestBodyBytes\n\toverflow := false\n\tif len(b) > capacity {\n\t\toverflow = true\n\t\tb = b[:capacity]\n\t}\n\tscope.requestBody = &limitedBuffer{\n\t\tCapacity: capacity,\n\t\tBuffer: *bytes.NewBuffer(b),\n\t\toverflow: overflow,\n\t}\n}\n\n// maxRequestBodyBytes is the default maximum request body size to send to\n// Sentry.\nconst maxRequestBodyBytes = 10 * 1024\n\n// A limitedBuffer is like a bytes.Buffer, but limited to store at most Capacity\n// bytes. Any writes past the capacity are silently discarded, similar to\n// io.Discard.\ntype limitedBuffer struct {\n\tCapacity int\n\n\tbytes.Buffer\n\toverflow bool\n}\n\n// Write implements io.Writer.\nfunc (b *limitedBuffer) Write(p []byte) (n int, err error) {\n\t// Silently ignore writes after overflow.\n\tif b.overflow {\n\t\treturn len(p), nil\n\t}\n\tleft := b.Capacity - b.Len()\n\tif left < 0 {\n\t\tleft = 0\n\t}\n\tif len(p) > left {\n\t\tb.overflow = true\n\t\tp = p[:left]\n\t}\n\treturn b.Buffer.Write(p)\n}\n\n// Overflow returns true if the limitedBuffer discarded bytes written to it.\nfunc (b *limitedBuffer) Overflow() bool {\n\treturn b.overflow\n}\n\n// readCloser combines an io.Reader and an io.Closer to implement io.ReadCloser.\ntype readCloser struct {\n\tio.Reader\n\tio.Closer\n}\n\n// SetTag adds a tag to the current scope.\nfunc (scope *Scope) SetTag(key, value string) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.tags[key] = value\n}\n\n// SetTags assigns multiple tags to the current scope.\nfunc (scope *Scope) SetTags(tags map[string]string) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tfor k, v := range tags {\n\t\tscope.tags[k] = v\n\t}\n}\n\n// RemoveTag removes a tag from the current scope.\nfunc (scope *Scope) RemoveTag(key string) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tdelete(scope.tags, key)\n}\n\n// SetContext adds a context to the current scope.\nfunc (scope *Scope) SetContext(key string, value Context) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.contexts[key] = value\n}\n\n// SetContexts assigns multiple contexts to the current scope.\nfunc (scope *Scope) SetContexts(contexts map[string]Context) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tfor k, v := range contexts {\n\t\tscope.contexts[k] = v\n\t}\n}\n\n// RemoveContext removes a context from the current scope.\nfunc (scope *Scope) RemoveContext(key string) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tdelete(scope.contexts, key)\n}\n\n// SetExtra adds an extra to the current scope.\nfunc (scope *Scope) SetExtra(key string, value interface{}) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.extra[key] = value\n}\n\n// SetExtras assigns multiple extras to the current scope.\nfunc (scope *Scope) SetExtras(extra map[string]interface{}) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tfor k, v := range extra {\n\t\tscope.extra[k] = v\n\t}\n}\n\n// RemoveExtra removes a extra from the current scope.\nfunc (scope *Scope) RemoveExtra(key string) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tdelete(scope.extra, key)\n}\n\n// SetFingerprint sets new fingerprint for the current scope.\nfunc (scope *Scope) SetFingerprint(fingerprint []string) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.fingerprint = fingerprint\n}\n\n// SetLevel sets new level for the current scope.\nfunc (scope *Scope) SetLevel(level Level) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.level = level\n}\n\n// SetPropagationContext sets the propagation context for the current scope.\nfunc (scope *Scope) SetPropagationContext(propagationContext PropagationContext) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.propagationContext = propagationContext\n}\n\n// GetSpan returns the span from the current scope.\nfunc (scope *Scope) GetSpan() *Span {\n\tscope.mu.RLock()\n\tdefer scope.mu.RUnlock()\n\n\treturn scope.span\n}\n\n// SetSpan sets a span for the current scope.\nfunc (scope *Scope) SetSpan(span *Span) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.span = span\n}\n\n// Clone returns a copy of the current scope with all data copied over.\nfunc (scope *Scope) Clone() *Scope {\n\tscope.mu.RLock()\n\tdefer scope.mu.RUnlock()\n\n\tclone := NewScope()\n\tclone.user = scope.user\n\tclone.breadcrumbs = make([]*Breadcrumb, len(scope.breadcrumbs))\n\tcopy(clone.breadcrumbs, scope.breadcrumbs)\n\tclone.attachments = make([]*Attachment, len(scope.attachments))\n\tcopy(clone.attachments, scope.attachments)\n\tfor key, value := range scope.tags {\n\t\tclone.tags[key] = value\n\t}\n\tfor key, value := range scope.contexts {\n\t\tclone.contexts[key] = cloneContext(value)\n\t}\n\tfor key, value := range scope.extra {\n\t\tclone.extra[key] = value\n\t}\n\tclone.fingerprint = make([]string, len(scope.fingerprint))\n\tcopy(clone.fingerprint, scope.fingerprint)\n\tclone.level = scope.level\n\tclone.request = scope.request\n\tclone.requestBody = scope.requestBody\n\tclone.eventProcessors = scope.eventProcessors\n\tclone.propagationContext = scope.propagationContext\n\tclone.span = scope.span\n\treturn clone\n}\n\n// Clear removes the data from the current scope. Not safe for concurrent use.\nfunc (scope *Scope) Clear() {\n\t*scope = *NewScope()\n}\n\n// AddEventProcessor adds an event processor to the current scope.\nfunc (scope *Scope) AddEventProcessor(processor EventProcessor) {\n\tscope.mu.Lock()\n\tdefer scope.mu.Unlock()\n\n\tscope.eventProcessors = append(scope.eventProcessors, processor)\n}\n\n// ApplyToEvent takes the data from the current scope and attaches it to the event.\nfunc (scope *Scope) ApplyToEvent(event *Event, hint *EventHint, client *Client) *Event {\n\tscope.mu.RLock()\n\tdefer scope.mu.RUnlock()\n\n\tif len(scope.breadcrumbs) > 0 {\n\t\tevent.Breadcrumbs = append(event.Breadcrumbs, scope.breadcrumbs...)\n\t}\n\n\tif len(scope.attachments) > 0 {\n\t\tevent.Attachments = append(event.Attachments, scope.attachments...)\n\t}\n\n\tif len(scope.tags) > 0 {\n\t\tif event.Tags == nil {\n\t\t\tevent.Tags = make(map[string]string, len(scope.tags))\n\t\t}\n\n\t\tfor key, value := range scope.tags {\n\t\t\tevent.Tags[key] = value\n\t\t}\n\t}\n\n\tif len(scope.contexts) > 0 {\n\t\tif event.Contexts == nil {\n\t\t\tevent.Contexts = make(map[string]Context)\n\t\t}\n\n\t\tfor key, value := range scope.contexts {\n\t\t\tif key == \"trace\" && event.Type == transactionType {\n\t\t\t\t// Do not override trace context of\n\t\t\t\t// transactions, otherwise it breaks the\n\t\t\t\t// transaction event representation.\n\t\t\t\t// For error events, the trace context is used\n\t\t\t\t// to link errors and traces/spans in Sentry.\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\t// Ensure we are not overwriting event fields\n\t\t\tif _, ok := event.Contexts[key]; !ok {\n\t\t\t\tevent.Contexts[key] = cloneContext(value)\n\t\t\t}\n\t\t}\n\t}\n\n\tif event.Contexts == nil {\n\t\tevent.Contexts = make(map[string]Context)\n\t}\n\n\tif scope.span != nil {\n\t\tif _, ok := event.Contexts[\"trace\"]; !ok {\n\t\t\tevent.Contexts[\"trace\"] = scope.span.traceContext().Map()\n\t\t}\n\n\t\ttransaction := scope.span.GetTransaction()\n\t\tif transaction != nil {\n\t\t\tevent.sdkMetaData.dsc = DynamicSamplingContextFromTransaction(transaction)\n\t\t}\n\t} else {\n\t\tevent.Contexts[\"trace\"] = scope.propagationContext.Map()\n\n\t\tdsc := scope.propagationContext.DynamicSamplingContext\n\t\tif !dsc.HasEntries() && client != nil {\n\t\t\tdsc = DynamicSamplingContextFromScope(scope, client)\n\t\t}\n\t\tevent.sdkMetaData.dsc = dsc\n\t}\n\n\tif len(scope.extra) > 0 {\n\t\tif event.Extra == nil {\n\t\t\tevent.Extra = make(map[string]interface{}, len(scope.extra))\n\t\t}\n\n\t\tfor key, value := range scope.extra {\n\t\t\tevent.Extra[key] = value\n\t\t}\n\t}\n\n\tif event.User.IsEmpty() {\n\t\tevent.User = scope.user\n\t}\n\n\tif len(event.Fingerprint) == 0 {\n\t\tevent.Fingerprint = append(event.Fingerprint, scope.fingerprint...)\n\t}\n\n\tif scope.level != \"\" {\n\t\tevent.Level = scope.level\n\t}\n\n\tif event.Request == nil && scope.request != nil {\n\t\tevent.Request = NewRequest(scope.request)\n\t\t// NOTE: The SDK does not attempt to send partial request body data.\n\t\t//\n\t\t// The reason being that Sentry's ingest pipeline and UI are optimized\n\t\t// to show structured data. Additionally, tooling around PII scrubbing\n\t\t// relies on structured data; truncated request bodies would create\n\t\t// invalid payloads that are more prone to leaking PII data.\n\t\t//\n\t\t// Users can still send more data along their events if they want to,\n\t\t// for example using Event.Extra.\n\t\tif scope.requestBody != nil && !scope.requestBody.Overflow() {\n\t\t\tevent.Request.Data = string(scope.requestBody.Bytes())\n\t\t}\n\t}\n\n\tfor _, processor := range scope.eventProcessors {\n\t\tid := event.EventID\n\t\tevent = processor(event, hint)\n\t\tif event == nil {\n\t\t\tdebuglog.Printf(\"Event dropped by one of the Scope EventProcessors: %s\\n\", id)\n\t\t\treturn nil\n\t\t}\n\t}\n\n\treturn event\n}\n\n// cloneContext returns a new context with keys and values copied from the passed one.\n//\n// Note: a new Context (map) is returned, but the function does NOT do\n// a proper deep copy: if some context values are pointer types (e.g. maps),\n// they won't be properly copied.\nfunc cloneContext(c Context) Context {\n\tres := make(Context, len(c))\n\tfor k, v := range c {\n\t\tres[k] = v\n\t}\n\treturn res\n}\n\nfunc (scope *Scope) populateAttrs(attrs map[string]attribute.Value) {\n\tif scope == nil {\n\t\treturn\n\t}\n\n\tscope.mu.RLock()\n\tdefer scope.mu.RUnlock()\n\n\t// Add user-related attributes\n\tif !scope.user.IsEmpty() {\n\t\tif scope.user.ID != \"\" {\n\t\t\tattrs[\"user.id\"] = attribute.StringValue(scope.user.ID)\n\t\t}\n\t\tif scope.user.Name != \"\" {\n\t\t\tattrs[\"user.name\"] = attribute.StringValue(scope.user.Name)\n\t\t}\n\t\tif scope.user.Email != \"\" {\n\t\t\tattrs[\"user.email\"] = attribute.StringValue(scope.user.Email)\n\t\t}\n\t}\n\n\t// In the future, add scope.attributes here\n\t// for k, v := range scope.attributes {\n\t// attrs[k] = v\n\t// }\n}\n\n// hubFromContexts is a helper to return the first hub found in the given contexts.\nfunc hubFromContexts(ctxs ...context.Context) *Hub {\n\tfor _, ctx := range ctxs {\n\t\tif ctx == nil {\n\t\t\tcontinue\n\t\t}\n\t\tif hub := GetHubFromContext(ctx); hub != nil {\n\t\t\treturn hub\n\t\t}\n\t}\n\treturn nil\n}\n\n// resolveTrace resolves trace ID and span ID from the given scope and contexts.\n//\n// The resolution order follows a most-specific-to-least-specific pattern:\n// 1. Check for span directly in contexts (SpanFromContext) - this is the most specific\n// source as it represents a span explicitly attached to the current operation's context\n// 2. Check scope's span - provides access to span set on the hub's scope\n// 3. Fall back to scope's propagation context trace ID\n//\n// This ordering ensures we always use the most contextually relevant tracing information.\n// For example, if a specific span is active for an operation, we use that span's trace/span IDs\n// rather than accidentally using a different span that might be set on the hub's scope.\nfunc resolveTrace(scope *Scope, ctxs ...context.Context) (traceID TraceID, spanID SpanID) {\n\tvar span *Span\n\n\tfor _, ctx := range ctxs {\n\t\tif ctx == nil {\n\t\t\tcontinue\n\t\t}\n\t\tif span = SpanFromContext(ctx); span != nil {\n\t\t\tbreak\n\t\t}\n\t}\n\n\tif scope != nil {\n\t\tscope.mu.RLock()\n\t\tif span == nil {\n\t\t\tspan = scope.span\n\t\t}\n\t\tif span != nil {\n\t\t\ttraceID = span.TraceID\n\t\t\tspanID = span.SpanID\n\t\t} else {\n\t\t\ttraceID = scope.propagationContext.TraceID\n\t\t}\n\t\tscope.mu.RUnlock()\n\t}\n\n\treturn traceID, spanID\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/sentry.go", "content": "package sentry\n\nimport (\n\t\"context\"\n\t\"time\"\n)\n\n// The version of the SDK.\nconst SDKVersion = \"0.43.0\"\n\n// apiVersion is the minimum version of the Sentry API compatible with the\n// sentry-go SDK.\nconst apiVersion = \"7\"\n\n// Init initializes the SDK with options. The returned error is non-nil if\n// options is invalid, for instance if a malformed DSN is provided.\nfunc Init(options ClientOptions) error {\n\thub := CurrentHub()\n\tclient, err := NewClient(options)\n\tif err != nil {\n\t\treturn err\n\t}\n\thub.BindClient(client)\n\treturn nil\n}\n\n// AddBreadcrumb records a new breadcrumb.\n//\n// The total number of breadcrumbs that can be recorded are limited by the\n// configuration on the client.\nfunc AddBreadcrumb(breadcrumb *Breadcrumb) {\n\thub := CurrentHub()\n\thub.AddBreadcrumb(breadcrumb, nil)\n}\n\n// CaptureMessage captures an arbitrary message.\nfunc CaptureMessage(message string) *EventID {\n\thub := CurrentHub()\n\treturn hub.CaptureMessage(message)\n}\n\n// CaptureException captures an error.\nfunc CaptureException(exception error) *EventID {\n\thub := CurrentHub()\n\treturn hub.CaptureException(exception)\n}\n\n// CaptureCheckIn captures a (cron) monitor check-in.\nfunc CaptureCheckIn(checkIn *CheckIn, monitorConfig *MonitorConfig) *EventID {\n\thub := CurrentHub()\n\treturn hub.CaptureCheckIn(checkIn, monitorConfig)\n}\n\n// CaptureEvent captures an event on the currently active client if any.\n//\n// The event must already be assembled. Typically code would instead use\n// the utility methods like CaptureException. The return value is the\n// event ID. In case Sentry is disabled or event was dropped, the return value will be nil.\nfunc CaptureEvent(event *Event) *EventID {\n\thub := CurrentHub()\n\treturn hub.CaptureEvent(event)\n}\n\n// Recover captures a panic.\nfunc Recover() *EventID {\n\tif err := recover(); err != nil {\n\t\thub := CurrentHub()\n\t\treturn hub.Recover(err)\n\t}\n\treturn nil\n}\n\n// RecoverWithContext captures a panic and passes relevant context object.\nfunc RecoverWithContext(ctx context.Context) *EventID {\n\terr := recover()\n\tif err == nil {\n\t\treturn nil\n\t}\n\n\thub := GetHubFromContext(ctx)\n\tif hub == nil {\n\t\thub = CurrentHub()\n\t}\n\n\treturn hub.RecoverWithContext(ctx, err)\n}\n\n// WithScope is a shorthand for CurrentHub().WithScope.\nfunc WithScope(f func(scope *Scope)) {\n\thub := CurrentHub()\n\thub.WithScope(f)\n}\n\n// ConfigureScope is a shorthand for CurrentHub().ConfigureScope.\nfunc ConfigureScope(f func(scope *Scope)) {\n\thub := CurrentHub()\n\thub.ConfigureScope(f)\n}\n\n// PushScope is a shorthand for CurrentHub().PushScope.\nfunc PushScope() {\n\thub := CurrentHub()\n\thub.PushScope()\n}\n\n// PopScope is a shorthand for CurrentHub().PopScope.\nfunc PopScope() {\n\thub := CurrentHub()\n\thub.PopScope()\n}\n\n// Flush waits until the underlying Transport sends any buffered events to the\n// Sentry server, blocking for at most the given timeout. It returns false if\n// the timeout was reached. In that case, some events may not have been sent.\n//\n// Flush should be called before terminating the program to avoid\n// unintentionally dropping events.\n//\n// Do not call Flush indiscriminately after every call to CaptureEvent,\n// CaptureException or CaptureMessage. Instead, to have the SDK send events over\n// the network synchronously, configure it to use the HTTPSyncTransport in the\n// call to Init.\nfunc Flush(timeout time.Duration) bool {\n\thub := CurrentHub()\n\treturn hub.Flush(timeout)\n}\n\n// FlushWithContext waits until the underlying Transport sends any buffered events\n// to the Sentry server, blocking for at most the duration specified by the context.\n// It returns false if the context is canceled before the events are sent. In such a case,\n// some events may not be delivered.\n//\n// FlushWithContext should be called before terminating the program to ensure no\n// events are unintentionally dropped.\n//\n// Avoid calling FlushWithContext indiscriminately after each call to CaptureEvent,\n// CaptureException, or CaptureMessage. To send events synchronously over the network,\n// configure the SDK to use HTTPSyncTransport during initialization with Init.\n\nfunc FlushWithContext(ctx context.Context) bool {\n\thub := CurrentHub()\n\treturn hub.FlushWithContext(ctx)\n}\n\n// LastEventID returns an ID of last captured event.\nfunc LastEventID() EventID {\n\thub := CurrentHub()\n\treturn hub.LastEventID()\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/sourcereader.go", "content": "package sentry\n\nimport (\n\t\"bytes\"\n\t\"os\"\n\t\"sync\"\n)\n\ntype sourceReader struct {\n\tmu sync.Mutex\n\tcache map[string][][]byte\n}\n\nfunc newSourceReader() sourceReader {\n\treturn sourceReader{\n\t\tcache: make(map[string][][]byte),\n\t}\n}\n\nfunc (sr *sourceReader) readContextLines(filename string, line, context int) ([][]byte, int) {\n\tsr.mu.Lock()\n\tdefer sr.mu.Unlock()\n\n\tlines, ok := sr.cache[filename]\n\n\tif !ok {\n\t\tdata, err := os.ReadFile(filename)\n\t\tif err != nil {\n\t\t\tsr.cache[filename] = nil\n\t\t\treturn nil, 0\n\t\t}\n\t\tlines = bytes.Split(data, []byte{'\\n'})\n\t\tsr.cache[filename] = lines\n\t}\n\n\treturn sr.calculateContextLines(lines, line, context)\n}\n\nfunc (sr *sourceReader) calculateContextLines(lines [][]byte, line, context int) ([][]byte, int) {\n\t// Stacktrace lines are 1-indexed, slices are 0-indexed\n\tline--\n\n\t// contextLine points to a line that caused an issue itself, in relation to\n\t// returned slice.\n\tcontextLine := context\n\n\tif lines == nil || line >= len(lines) || line < 0 {\n\t\treturn nil, 0\n\t}\n\n\tif context < 0 {\n\t\tcontext = 0\n\t\tcontextLine = 0\n\t}\n\n\tstart := line - context\n\n\tif start < 0 {\n\t\tcontextLine += start\n\t\tstart = 0\n\t}\n\n\tend := line + context + 1\n\n\tif end > len(lines) {\n\t\tend = len(lines)\n\t}\n\n\treturn lines[start:end], contextLine\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/span_recorder.go", "content": "package sentry\n\nimport (\n\t\"sync\"\n\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n)\n\n// A spanRecorder stores a span tree that makes up a transaction. Safe for\n// concurrent use. It is okay to add child spans from multiple goroutines.\ntype spanRecorder struct {\n\tmu sync.Mutex\n\tspans []*Span\n\toverflowOnce sync.Once\n}\n\n// record stores a span. The first stored span is assumed to be the root of a\n// span tree.\nfunc (r *spanRecorder) record(s *Span) {\n\tmaxSpans := defaultMaxSpans\n\tif client := CurrentHub().Client(); client != nil {\n\t\tmaxSpans = client.options.MaxSpans\n\t}\n\tr.mu.Lock()\n\tdefer r.mu.Unlock()\n\tif len(r.spans) >= maxSpans {\n\t\tr.overflowOnce.Do(func() {\n\t\t\troot := r.spans[0]\n\t\t\tdebuglog.Printf(\"Too many spans: dropping spans from transaction with TraceID=%s SpanID=%s limit=%d\",\n\t\t\t\troot.TraceID, root.SpanID, maxSpans)\n\t\t})\n\t\t// TODO(tracing): mark the transaction event in some way to\n\t\t// communicate that spans were dropped.\n\t\treturn\n\t}\n\tr.spans = append(r.spans, s)\n}\n\n// root returns the first recorded span. Returns nil if none have been recorded.\nfunc (r *spanRecorder) root() *Span {\n\tr.mu.Lock()\n\tdefer r.mu.Unlock()\n\tif len(r.spans) == 0 {\n\t\treturn nil\n\t}\n\treturn r.spans[0]\n}\n\n// children returns a list of all recorded spans, except the root. Returns nil\n// if there are no children.\nfunc (r *spanRecorder) children() []*Span {\n\tr.mu.Lock()\n\tdefer r.mu.Unlock()\n\tif len(r.spans) < 2 {\n\t\treturn nil\n\t}\n\treturn r.spans[1:]\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/stacktrace.go", "content": "package sentry\n\nimport (\n\t\"go/build\"\n\t\"reflect\"\n\t\"runtime\"\n\t\"slices\"\n\t\"strings\"\n)\n\nconst unknown string = \"unknown\"\n\n// The module download is split into two parts: downloading the go.mod and downloading the actual code.\n// If you have dependencies only needed for tests, then they will show up in your go.mod,\n// and go get will download their go.mods, but it will not download their code.\n// The test-only dependencies get downloaded only when you need it, such as the first time you run go test.\n//\n// https://github.com/golang/go/issues/26913#issuecomment-411976222\n\n// Stacktrace holds information about the frames of the stack.\ntype Stacktrace struct {\n\tFrames []Frame `json:\"frames,omitempty\"`\n\tFramesOmitted []uint `json:\"frames_omitted,omitempty\"`\n}\n\n// NewStacktrace creates a stacktrace using runtime.Callers.\nfunc NewStacktrace() *Stacktrace {\n\tpcs := make([]uintptr, 100)\n\tn := runtime.Callers(1, pcs)\n\n\tif n == 0 {\n\t\treturn nil\n\t}\n\n\truntimeFrames := extractFrames(pcs[:n])\n\tframes := createFrames(runtimeFrames)\n\n\tstacktrace := Stacktrace{\n\t\tFrames: frames,\n\t}\n\n\treturn &stacktrace\n}\n\n// TODO: Make it configurable so that anyone can provide their own implementation?\n// Use of reflection allows us to not have a hard dependency on any given\n// package, so we don't have to import it.\n\n// ExtractStacktrace creates a new Stacktrace based on the given error.\nfunc ExtractStacktrace(err error) *Stacktrace {\n\tmethod := extractReflectedStacktraceMethod(err)\n\n\tvar pcs []uintptr\n\n\tif method.IsValid() {\n\t\tpcs = extractPcs(method)\n\t} else {\n\t\tpcs = extractXErrorsPC(err)\n\t}\n\n\tif len(pcs) == 0 {\n\t\treturn nil\n\t}\n\n\truntimeFrames := extractFrames(pcs)\n\tframes := createFrames(runtimeFrames)\n\n\tstacktrace := Stacktrace{\n\t\tFrames: frames,\n\t}\n\n\treturn &stacktrace\n}\n\nfunc extractReflectedStacktraceMethod(err error) reflect.Value {\n\terrValue := reflect.ValueOf(err)\n\n\t// https://github.com/go-errors/errors\n\tmethodStackFrames := errValue.MethodByName(\"StackFrames\")\n\tif methodStackFrames.IsValid() {\n\t\treturn methodStackFrames\n\t}\n\n\t// https://github.com/pkg/errors\n\tmethodStackTrace := errValue.MethodByName(\"StackTrace\")\n\tif methodStackTrace.IsValid() {\n\t\treturn methodStackTrace\n\t}\n\n\t// https://github.com/pingcap/errors\n\tmethodGetStackTracer := errValue.MethodByName(\"GetStackTracer\")\n\tif methodGetStackTracer.IsValid() {\n\t\tstacktracer := methodGetStackTracer.Call(nil)[0]\n\t\tstacktracerStackTrace := reflect.ValueOf(stacktracer).MethodByName(\"StackTrace\")\n\n\t\tif stacktracerStackTrace.IsValid() {\n\t\t\treturn stacktracerStackTrace\n\t\t}\n\t}\n\n\treturn reflect.Value{}\n}\n\nfunc extractPcs(method reflect.Value) []uintptr {\n\tvar pcs []uintptr\n\n\tstacktrace := method.Call(nil)[0]\n\n\tif stacktrace.Kind() != reflect.Slice {\n\t\treturn nil\n\t}\n\n\tfor i := 0; i < stacktrace.Len(); i++ {\n\t\tpc := stacktrace.Index(i)\n\n\t\tswitch pc.Kind() {\n\t\tcase reflect.Uintptr:\n\t\t\tpcs = append(pcs, uintptr(pc.Uint()))\n\t\tcase reflect.Struct:\n\t\t\tfor _, fieldName := range []string{\"ProgramCounter\", \"PC\"} {\n\t\t\t\tfield := pc.FieldByName(fieldName)\n\t\t\t\tif !field.IsValid() {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tif field.Kind() == reflect.Uintptr {\n\t\t\t\t\tpcs = append(pcs, uintptr(field.Uint()))\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn pcs\n}\n\n// extractXErrorsPC extracts program counters from error values compatible with\n// the error types from golang.org/x/xerrors.\n//\n// It returns nil if err is not compatible with errors from that package or if\n// no program counters are stored in err.\nfunc extractXErrorsPC(err error) []uintptr {\n\t// This implementation uses the reflect package to avoid a hard dependency\n\t// on third-party packages.\n\n\t// We don't know if err matches the expected type. For simplicity, instead\n\t// of trying to account for all possible ways things can go wrong, some\n\t// assumptions are made and if they are violated the code will panic. We\n\t// recover from any panic and ignore it, returning nil.\n\t//nolint: errcheck\n\tdefer func() { recover() }()\n\n\tfield := reflect.ValueOf(err).Elem().FieldByName(\"frame\") // type Frame struct{ frames [3]uintptr }\n\tfield = field.FieldByName(\"frames\")\n\tfield = field.Slice(1, field.Len()) // drop first pc pointing to xerrors.New\n\tpc := make([]uintptr, field.Len())\n\tfor i := 0; i < field.Len(); i++ {\n\t\tpc[i] = uintptr(field.Index(i).Uint())\n\t}\n\treturn pc\n}\n\n// Frame represents a function call and it's metadata. Frames are associated\n// with a Stacktrace.\ntype Frame struct {\n\tFunction string `json:\"function,omitempty\"`\n\tSymbol string `json:\"symbol,omitempty\"`\n\t// Module is, despite the name, the Sentry protocol equivalent of a Go\n\t// package's import path.\n\tModule string `json:\"module,omitempty\"`\n\tFilename string `json:\"filename,omitempty\"`\n\tAbsPath string `json:\"abs_path,omitempty\"`\n\tLineno int `json:\"lineno,omitempty\"`\n\tColno int `json:\"colno,omitempty\"`\n\tPreContext []string `json:\"pre_context,omitempty\"`\n\tContextLine string `json:\"context_line,omitempty\"`\n\tPostContext []string `json:\"post_context,omitempty\"`\n\tInApp bool `json:\"in_app\"`\n\tVars map[string]interface{} `json:\"vars,omitempty\"`\n\t// Package and the below are not used for Go stack trace frames. In\n\t// other platforms it refers to a container where the Module can be\n\t// found. For example, a Java JAR, a .NET Assembly, or a native\n\t// dynamic library. They exists for completeness, allowing the\n\t// construction and reporting of custom event payloads.\n\tPackage string `json:\"package,omitempty\"`\n\tInstructionAddr string `json:\"instruction_addr,omitempty\"`\n\tAddrMode string `json:\"addr_mode,omitempty\"`\n\tSymbolAddr string `json:\"symbol_addr,omitempty\"`\n\tImageAddr string `json:\"image_addr,omitempty\"`\n\tPlatform string `json:\"platform,omitempty\"`\n\tStackStart bool `json:\"stack_start,omitempty\"`\n}\n\n// NewFrame assembles a stacktrace frame out of runtime.Frame.\nfunc NewFrame(f runtime.Frame) Frame {\n\tfunction := f.Function\n\tvar pkg string\n\n\tif function != \"\" {\n\t\tpkg, function = splitQualifiedFunctionName(function)\n\t}\n\n\treturn newFrame(pkg, function, f.File, f.Line)\n}\n\n// Like filepath.IsAbs() but doesn't care what platform you run this on.\n// I.e. it also recognizies `/path/to/file` when run on Windows.\nfunc isAbsPath(path string) bool {\n\tif len(path) == 0 {\n\t\treturn false\n\t}\n\n\t// If the volume name starts with a double slash, this is an absolute path.\n\tif len(path) >= 1 && (path[0] == '/' || path[0] == '\\\\') {\n\t\treturn true\n\t}\n\n\t// Windows absolute path, see https://learn.microsoft.com/en-us/dotnet/standard/io/file-path-formats\n\tif len(path) >= 3 && path[1] == ':' && (path[2] == '/' || path[2] == '\\\\') {\n\t\treturn true\n\t}\n\n\treturn false\n}\n\nfunc newFrame(module string, function string, file string, line int) Frame {\n\tframe := Frame{\n\t\tLineno: line,\n\t\tModule: module,\n\t\tFunction: function,\n\t}\n\n\tswitch {\n\tcase len(file) == 0:\n\t\tframe.Filename = unknown\n\t\t// Leave abspath as the empty string to be omitted when serializing event as JSON.\n\tcase isAbsPath(file):\n\t\tframe.AbsPath = file\n\t\t// TODO: in the general case, it is not trivial to come up with a\n\t\t// \"project relative\" path with the data we have in run time.\n\t\t// We shall not use filepath.Base because it creates ambiguous paths and\n\t\t// affects the \"Suspect Commits\" feature.\n\t\t// For now, leave relpath empty to be omitted when serializing the event\n\t\t// as JSON. Improve this later.\n\tdefault:\n\t\t// f.File is a relative path. This may happen when the binary is built\n\t\t// with the -trimpath flag.\n\t\tframe.Filename = file\n\t\t// Omit abspath when serializing the event as JSON.\n\t}\n\n\tsetInAppFrame(&frame)\n\n\treturn frame\n}\n\n// splitQualifiedFunctionName splits a package path-qualified function name into\n// package name and function name. Such qualified names are found in\n// runtime.Frame.Function values.\nfunc splitQualifiedFunctionName(name string) (pkg string, fun string) {\n\tpkg = packageName(name)\n\tif len(pkg) > 0 {\n\t\tfun = name[len(pkg)+1:]\n\t}\n\treturn\n}\n\nfunc extractFrames(pcs []uintptr) []runtime.Frame {\n\tvar frames = make([]runtime.Frame, 0, len(pcs))\n\tcallersFrames := runtime.CallersFrames(pcs)\n\n\tfor {\n\t\tcallerFrame, more := callersFrames.Next()\n\n\t\tframes = append(frames, callerFrame)\n\n\t\tif !more {\n\t\t\tbreak\n\t\t}\n\t}\n\n\tslices.Reverse(frames)\n\treturn frames\n}\n\n// createFrames creates Frame objects while filtering out frames that are not\n// meant to be reported to Sentry, those are frames internal to the SDK or Go.\nfunc createFrames(frames []runtime.Frame) []Frame {\n\tif len(frames) == 0 {\n\t\treturn nil\n\t}\n\n\tresult := make([]Frame, 0, len(frames))\n\n\tfor _, frame := range frames {\n\t\tfunction := frame.Function\n\t\tvar pkg string\n\t\tif function != \"\" {\n\t\t\tpkg, function = splitQualifiedFunctionName(function)\n\t\t}\n\n\t\tif !shouldSkipFrame(pkg) {\n\t\t\tresult = append(result, newFrame(pkg, function, frame.File, frame.Line))\n\t\t}\n\t}\n\n\t// Fix issues grouping errors with the new fully qualified function names\n\t// introduced from Go 1.21\n\tresult = cleanupFunctionNamePrefix(result)\n\treturn result\n}\n\n// TODO ID: why do we want to do this?\n// I'm not aware of other SDKs skipping all Sentry frames, regardless of their position in the stactrace.\n// For example, in the .NET SDK, only the first frames are skipped until the call to the SDK.\n// As is, this will also hide any intermediate frames in the stack and make debugging issues harder.\nfunc shouldSkipFrame(module string) bool {\n\t// Skip Go internal frames.\n\tif module == \"runtime\" || module == \"testing\" {\n\t\treturn true\n\t}\n\n\t// Skip Sentry internal frames, except for frames in _test packages (for testing).\n\tif strings.HasPrefix(module, \"github.com/getsentry/sentry-go\") &&\n\t\t!strings.HasSuffix(module, \"_test\") {\n\t\treturn true\n\t}\n\n\treturn false\n}\n\n// On Windows, GOROOT has backslashes, but we want forward slashes.\nvar goRoot = strings.ReplaceAll(build.Default.GOROOT, \"\\\\\", \"/\")\n\nfunc setInAppFrame(frame *Frame) {\n\tframe.InApp = true\n\tif strings.HasPrefix(frame.AbsPath, goRoot) || strings.Contains(frame.Module, \"vendor\") ||\n\t\tstrings.Contains(frame.Module, \"third_party\") {\n\t\tframe.InApp = false\n\t}\n}\n\nfunc callerFunctionName() string {\n\tpcs := make([]uintptr, 1)\n\truntime.Callers(3, pcs)\n\tcallersFrames := runtime.CallersFrames(pcs)\n\tcallerFrame, _ := callersFrames.Next()\n\treturn baseName(callerFrame.Function)\n}\n\n// packageName returns the package part of the symbol name, or the empty string\n// if there is none.\n// It replicates https://golang.org/pkg/debug/gosym/#Sym.PackageName, avoiding a\n// dependency on debug/gosym.\nfunc packageName(name string) string {\n\tif isCompilerGeneratedSymbol(name) {\n\t\treturn \"\"\n\t}\n\n\tpathend := strings.LastIndex(name, \"/\")\n\tif pathend < 0 {\n\t\tpathend = 0\n\t}\n\n\tif i := strings.Index(name[pathend:], \".\"); i != -1 {\n\t\treturn name[:pathend+i]\n\t}\n\treturn \"\"\n}\n\n// baseName returns the symbol name without the package or receiver name.\n// It replicates https://golang.org/pkg/debug/gosym/#Sym.BaseName, avoiding a\n// dependency on debug/gosym.\nfunc baseName(name string) string {\n\tif i := strings.LastIndex(name, \".\"); i != -1 {\n\t\treturn name[i+1:]\n\t}\n\treturn name\n}\n\nfunc isCompilerGeneratedSymbol(name string) bool {\n\t// In versions of Go 1.20 and above a prefix of \"type:\" and \"go:\" is a\n\t// compiler-generated symbol that doesn't belong to any package.\n\t// See variable reservedimports in cmd/compile/internal/gc/subr.go\n\tif strings.HasPrefix(name, \"go:\") || strings.HasPrefix(name, \"type:\") {\n\t\treturn true\n\t}\n\treturn false\n}\n\n// Walk backwards through the results and for the current function name\n// remove it's parent function's prefix, leaving only it's actual name. This\n// fixes issues grouping errors with the new fully qualified function names\n// introduced from Go 1.21.\nfunc cleanupFunctionNamePrefix(f []Frame) []Frame {\n\tfor i := len(f) - 1; i > 0; i-- {\n\t\tname := f[i].Function\n\t\tparentName := f[i-1].Function + \".\"\n\n\t\tif !strings.HasPrefix(name, parentName) {\n\t\t\tcontinue\n\t\t}\n\n\t\tf[i].Function = name[len(parentName):]\n\t}\n\n\treturn f\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/traces_sampler.go", "content": "package sentry\n\n// A SamplingContext is passed to a TracesSampler to determine a sampling\n// decision.\n//\n// TODO(tracing): possibly expand SamplingContext to include custom /\n// user-provided data.\ntype SamplingContext struct {\n\tSpan *Span // The current span, always non-nil.\n\tParent *Span // The parent span, may be nil.\n}\n\n// The TracesSample type is an adapter to allow the use of ordinary\n// functions as a TracesSampler.\ntype TracesSampler func(ctx SamplingContext) float64\n\nfunc (f TracesSampler) Sample(ctx SamplingContext) float64 {\n\treturn f(ctx)\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/tracing.go", "content": "package sentry\n\nimport (\n\t\"context\"\n\t\"crypto/rand\"\n\t\"encoding/hex\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"regexp\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n)\n\nconst (\n\tSentryTraceHeader = \"sentry-trace\"\n\tSentryBaggageHeader = \"baggage\"\n\tTraceparentHeader = \"traceparent\"\n)\n\n// SpanOrigin indicates what created a trace or a span. See: https://develop.sentry.dev/sdk/performance/trace-origin/\ntype SpanOrigin string\n\nconst (\n\tSpanOriginManual = \"manual\"\n\tSpanOriginEcho = \"auto.http.echo\"\n\tSpanOriginFastHTTP = \"auto.http.fasthttp\"\n\tSpanOriginFiber = \"auto.http.fiber\"\n\tSpanOriginGin = \"auto.http.gin\"\n\tSpanOriginStdLib = \"auto.http.stdlib\"\n\tSpanOriginIris = \"auto.http.iris\"\n\tSpanOriginNegroni = \"auto.http.negroni\"\n)\n\n// A Span is the building block of a Sentry transaction. Spans build up a tree\n// structure of timed operations. The span tree makes up a transaction event\n// that is sent to Sentry when the root span is finished.\n//\n// Spans must be started with either StartSpan or Span.StartChild.\ntype Span struct { //nolint: maligned // prefer readability over optimal memory layout (see note below *)\n\tTraceID TraceID `json:\"trace_id\"`\n\tSpanID SpanID `json:\"span_id\"`\n\tParentSpanID SpanID `json:\"parent_span_id,omitzero\"`\n\tName string `json:\"name,omitempty\"`\n\tOp string `json:\"op,omitempty\"`\n\tDescription string `json:\"description,omitempty\"`\n\tStatus SpanStatus `json:\"status,omitempty\"`\n\tTags map[string]string `json:\"tags,omitempty\"`\n\tStartTime time.Time `json:\"start_timestamp,omitzero\"`\n\tEndTime time.Time `json:\"timestamp,omitzero\"`\n\t// Deprecated: use Data instead. To be removed in 0.33.0\n\tExtra map[string]interface{} `json:\"-\"`\n\tData map[string]interface{} `json:\"data,omitempty\"`\n\tSampled Sampled `json:\"-\"`\n\tSource TransactionSource `json:\"-\"`\n\tOrigin SpanOrigin `json:\"origin,omitempty\"`\n\n\t// mu protects concurrent writes to map fields\n\tmu sync.RWMutex\n\t// sample rate the span was sampled with.\n\tsampleRate float64\n\t// ctx is the context where the span was started. Always non-nil.\n\tctx context.Context\n\t// Dynamic Sampling context\n\tdynamicSamplingContext DynamicSamplingContext\n\t// parent refers to the immediate local parent span. A remote parent span is\n\t// only referenced by setting ParentSpanID.\n\tparent *Span\n\t// recorder stores all spans in a transaction. Guaranteed to be non-nil.\n\trecorder *spanRecorder\n\t// span context, can only be set on transactions\n\tcontexts map[string]Context\n\t// a Once instance to make sure that Finish() is only called once.\n\tfinishOnce sync.Once\n\t// explicitSampled is a flag for configuring sampling by using `WithSpanSampled` option.\n\texplicitSampled Sampled\n}\n\n// TraceParentContext describes the context of a (remote) parent span.\n//\n// The context is normally extracted from a received \"sentry-trace\" header and\n// used to initialize a new transaction.\n//\n// Note: the name might be not the best one. It was taken mostly to stay aligned\n// with other SDKs, and it alludes to W3C \"traceparent\" header (https://www.w3.org/TR/trace-context/),\n// which serves a similar purpose to \"sentry-trace\". We should eventually consider\n// making this type internal-only and give it a better name.\ntype TraceParentContext struct {\n\tTraceID TraceID\n\tParentSpanID SpanID\n\tSampled Sampled\n}\n\n// (*) Note on maligned:\n//\n// We prefer readability over optimal memory layout. If we ever decide to\n// reorder fields, we can use a tool:\n//\n// go run honnef.co/go/tools/cmd/structlayout -json . Span | go run honnef.co/go/tools/cmd/structlayout-optimize\n//\n// Other structs would deserve reordering as well, for example Event.\n\n// TODO: make Span.Tags and Span.Data opaque types (struct{unexported []slice}).\n// An opaque type allows us to add methods and make it more convenient to use\n// than maps, because maps require careful nil checks to use properly or rely on\n// explicit initialization for every span, even when there might be no\n// tags/data. For Span.Data, must gracefully handle values that cannot be\n// marshaled into JSON (see transport.go:getRequestBodyFromEvent).\n\n// StartSpan starts a new span to describe an operation. The new span will be a\n// child of the last span stored in ctx, if any.\n//\n// One or more options can be used to modify the span properties. Typically one\n// option as a function literal is enough. Combining multiple options can be\n// useful to define and reuse specific properties with named functions.\n//\n// Caller should call the Finish method on the span to mark its end. Finishing a\n// root span sends the span and all of its children, recursively, as a\n// transaction to Sentry.\nfunc StartSpan(ctx context.Context, operation string, options ...SpanOption) *Span {\n\tparent, hasParent := ctx.Value(spanContextKey{}).(*Span)\n\tvar span Span\n\tspan = Span{\n\t\t// defaults\n\t\tOp: operation,\n\t\tStartTime: time.Now(),\n\t\tSampled: SampledUndefined,\n\n\t\tctx: context.WithValue(ctx, spanContextKey{}, &span),\n\t\tparent: parent,\n\t}\n\n\t_, err := rand.Read(span.SpanID[:])\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\tif hasParent {\n\t\tspan.TraceID = parent.TraceID\n\t\tspan.ParentSpanID = parent.SpanID\n\t\tspan.Origin = parent.Origin\n\t} else {\n\t\t// Only set the Source if this is a transaction\n\t\tspan.Source = SourceCustom\n\t\tspan.Origin = SpanOriginManual\n\n\t\t// Implementation note:\n\t\t//\n\t\t// While math/rand is ~2x faster than crypto/rand (exact\n\t\t// difference depends on hardware / OS), crypto/rand is probably\n\t\t// fast enough and a safer choice.\n\t\t//\n\t\t// For reference, OpenTelemetry [1] uses crypto/rand to seed\n\t\t// math/rand. AFAICT this approach does not preserve the\n\t\t// properties from crypto/rand that make it suitable for\n\t\t// cryptography. While it might be debatable whether those\n\t\t// properties are important for us here, again, we're taking the\n\t\t// safer path.\n\t\t//\n\t\t// See [2a] & [2b] for a discussion of some of the properties we\n\t\t// obtain by using crypto/rand and [3a] & [3b] for why we avoid\n\t\t// math/rand.\n\t\t//\n\t\t// Because the math/rand seed has only 64 bits (int64), if the\n\t\t// first thing we do after seeding an RNG is to read in a random\n\t\t// TraceID, there are only 2^64 possible values. Compared to\n\t\t// UUID v4 that have 122 random bits, there is a much greater\n\t\t// chance of collision [4a] & [4b].\n\t\t//\n\t\t// [1]: https://github.com/open-telemetry/opentelemetry-go/blob/958041ddf619a128/sdk/trace/trace.go#L25-L31\n\t\t// [2a]: https://security.stackexchange.com/q/120352/246345\n\t\t// [2b]: https://security.stackexchange.com/a/120365/246345\n\t\t// [3a]: https://github.com/golang/go/issues/11871#issuecomment-126333686\n\t\t// [3b]: https://github.com/golang/go/issues/11871#issuecomment-126357889\n\t\t// [4a]: https://en.wikipedia.org/wiki/Universally_unique_identifier#Collisions\n\t\t// [4b]: https://www.wolframalpha.com/input/?i=sqrt%282*2%5E64*ln%281%2F%281-0.5%29%29%29\n\t\t_, err := rand.Read(span.TraceID[:])\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t}\n\n\t// Apply options to override defaults.\n\tfor _, option := range options {\n\t\toption(&span)\n\t}\n\n\tspan.Sampled = span.sample()\n\n\tspan.recorder = &spanRecorder{}\n\tif hasParent {\n\t\tspan.recorder = parent.spanRecorder()\n\t}\n\n\tspan.recorder.record(&span)\n\n\tclientOptions := span.clientOptions()\n\tif clientOptions.EnableTracing {\n\t\thub := hubFromContext(ctx)\n\t\thub.Scope().SetSpan(&span)\n\t}\n\n\treturn &span\n}\n\n// Finish sets the span's end time, unless already set. If the span is the root\n// of a span tree, Finish sends the span tree to Sentry as a transaction.\n//\n// The logic is executed at most once per span, so that (incorrectly) calling it twice\n// never double sends to Sentry.\nfunc (s *Span) Finish() {\n\ts.finishOnce.Do(s.doFinish)\n}\n\n// Context returns the context containing the span.\nfunc (s *Span) Context() context.Context { return s.ctx }\n\n// StartChild starts a new child span.\n//\n// The call span.StartChild(operation, options...) is a shortcut for\n// StartSpan(span.Context(), operation, options...).\nfunc (s *Span) StartChild(operation string, options ...SpanOption) *Span {\n\treturn StartSpan(s.Context(), operation, options...)\n}\n\n// SetTag sets a tag on the span. It is recommended to use SetTag instead of\n// accessing the tags map directly as SetTag takes care of initializing the map\n// when necessary.\nfunc (s *Span) SetTag(name, value string) {\n\ts.mu.Lock()\n\tdefer s.mu.Unlock()\n\n\tif s.Tags == nil {\n\t\ts.Tags = make(map[string]string)\n\t}\n\ts.Tags[name] = value\n}\n\n// SetData sets a data on the span. It is recommended to use SetData instead of\n// accessing the data map directly as SetData takes care of initializing the map\n// when necessary.\nfunc (s *Span) SetData(name string, value interface{}) {\n\tif value == nil {\n\t\treturn\n\t}\n\n\ts.mu.Lock()\n\tdefer s.mu.Unlock()\n\n\tif s.Data == nil {\n\t\ts.Data = make(map[string]interface{})\n\t}\n\ts.Data[name] = value\n}\n\n// SetContext sets a context on the span. It is recommended to use SetContext instead of\n// accessing the contexts map directly as SetContext takes care of initializing the map\n// when necessary.\nfunc (s *Span) SetContext(key string, value Context) {\n\ts.mu.Lock()\n\tdefer s.mu.Unlock()\n\n\tif s.contexts == nil {\n\t\ts.contexts = make(map[string]Context)\n\t}\n\ts.contexts[key] = value\n}\n\n// IsTransaction checks if the given span is a transaction.\nfunc (s *Span) IsTransaction() bool {\n\treturn s.parent == nil\n}\n\n// GetTransaction returns the transaction that contains this span.\n//\n// For transaction spans it returns itself. For spans that were created manually\n// the method returns \"nil\".\nfunc (s *Span) GetTransaction() *Span {\n\tspanRecorder := s.spanRecorder()\n\tif spanRecorder == nil {\n\t\t// This probably means that the Span was created manually (not via\n\t\t// StartTransaction/StartSpan or StartChild).\n\t\t// Return \"nil\" to indicate that it's not a normal situation.\n\t\treturn nil\n\t}\n\trecorderRoot := spanRecorder.root()\n\tif recorderRoot == nil {\n\t\t// Same as above: manually created Span.\n\t\treturn nil\n\t}\n\treturn recorderRoot\n}\n\n// TODO(tracing): maybe add shortcuts to get/set transaction name. Right now the\n// transaction name is in the Scope, as it has existed there historically, prior\n// to tracing.\n//\n// See Scope.Transaction() and Scope.SetTransaction().\n//\n// func (s *Span) TransactionName() string\n// func (s *Span) SetTransactionName(name string)\n\n// ToSentryTrace returns the serialized TraceParentContext from a transaction/span.\n// Use this function to propagate the TraceParentContext to a downstream SDK,\n// either as the value of the \"sentry-trace\" HTTP header, or as an html \"sentry-trace\" meta tag.\nfunc (s *Span) ToSentryTrace() string {\n\t// TODO(tracing): add instrumentation for outgoing HTTP requests using\n\t// ToSentryTrace.\n\tvar b strings.Builder\n\tfmt.Fprintf(&b, \"%s-%s\", s.TraceID.Hex(), s.SpanID.Hex())\n\tswitch s.Sampled {\n\tcase SampledTrue:\n\t\tb.WriteString(\"-1\")\n\tcase SampledFalse:\n\t\tb.WriteString(\"-0\")\n\t}\n\treturn b.String()\n}\n\n// ToTraceparent returns the W3C traceparent header value for the span.\nfunc (s *Span) ToTraceparent() string {\n\ttraceFlags := \"00\"\n\tif s.Sampled == SampledTrue {\n\t\ttraceFlags = \"01\"\n\t}\n\treturn fmt.Sprintf(\"00-%s-%s-%s\", s.TraceID.String(), s.SpanID.String(), traceFlags)\n}\n\n// ToBaggage returns the serialized DynamicSamplingContext from a transaction.\n// Use this function to propagate the DynamicSamplingContext to a downstream SDK,\n// either as the value of the \"baggage\" HTTP header, or as an html \"baggage\" meta tag.\nfunc (s *Span) ToBaggage() string {\n\tt := s.GetTransaction()\n\tif t == nil {\n\t\treturn \"\"\n\t}\n\n\t// In case there is currently no frozen DynamicSamplingContext attached to the transaction,\n\t// create one from the properties of the transaction.\n\tif !s.dynamicSamplingContext.IsFrozen() {\n\t\t// This will return a frozen DynamicSamplingContext.\n\t\tif dsc := DynamicSamplingContextFromTransaction(t); dsc.HasEntries() {\n\t\t\tt.dynamicSamplingContext = dsc\n\t\t}\n\t}\n\n\treturn t.dynamicSamplingContext.String()\n}\n\n// SetDynamicSamplingContext sets the given dynamic sampling context on the\n// current transaction.\nfunc (s *Span) SetDynamicSamplingContext(dsc DynamicSamplingContext) {\n\tif s.IsTransaction() {\n\t\ts.dynamicSamplingContext = dsc\n\t}\n}\n\n// shouldIgnoreStatusCode checks if the transaction should be ignored based on HTTP status code.\nfunc (s *Span) shouldIgnoreStatusCode() bool {\n\tif !s.IsTransaction() {\n\t\treturn false\n\t}\n\n\tignoreStatusCodes := s.clientOptions().TraceIgnoreStatusCodes\n\tif len(ignoreStatusCodes) == 0 {\n\t\treturn false\n\t}\n\n\ts.mu.Lock()\n\tstatusCodeData, exists := s.Data[\"http.response.status_code\"]\n\ts.mu.Unlock()\n\n\tif !exists {\n\t\treturn false\n\t}\n\n\tstatusCode, ok := statusCodeData.(int)\n\tif !ok {\n\t\treturn false\n\t}\n\n\tfor _, ignoredRange := range ignoreStatusCodes {\n\t\tswitch len(ignoredRange) {\n\t\tcase 1:\n\t\t\t// Single status code\n\t\t\tif statusCode == ignoredRange[0] {\n\t\t\t\ts.mu.Lock()\n\t\t\t\ts.Sampled = SampledFalse\n\t\t\t\ts.mu.Unlock()\n\t\t\t\tdebuglog.Printf(\"dropping transaction with status code %v: found in TraceIgnoreStatusCodes\", statusCode)\n\t\t\t\treturn true\n\t\t\t}\n\t\tcase 2:\n\t\t\t// Range of status codes [min, max]\n\t\t\tif ignoredRange[0] <= statusCode && statusCode <= ignoredRange[1] {\n\t\t\t\ts.mu.Lock()\n\t\t\t\ts.Sampled = SampledFalse\n\t\t\t\ts.mu.Unlock()\n\t\t\t\tdebuglog.Printf(\"dropping transaction with status code %v: found in TraceIgnoreStatusCodes range [%d, %d]\", statusCode, ignoredRange[0], ignoredRange[1])\n\t\t\t\treturn true\n\t\t\t}\n\t\tdefault:\n\t\t\tdebuglog.Printf(\"incorrect TraceIgnoreStatusCodes format: %v\", ignoredRange)\n\t\t}\n\t}\n\n\treturn false\n}\n\n// doFinish runs the actual Span.Finish() logic.\nfunc (s *Span) doFinish() {\n\tif s.EndTime.IsZero() {\n\t\ts.EndTime = monotonicTimeSince(s.StartTime)\n\t}\n\n\thub := hubFromContext(s.ctx)\n\tif !s.IsTransaction() {\n\t\tif s.parent != nil {\n\t\t\thub.Scope().SetSpan(s.parent)\n\t\t}\n\t}\n\n\tif s.shouldIgnoreStatusCode() {\n\t\treturn\n\t}\n\n\tif !s.Sampled.Bool() {\n\t\treturn\n\t}\n\tevent := s.toEvent()\n\tif event == nil {\n\t\treturn\n\t}\n\n\t// TODO(tracing): add breadcrumbs\n\t// (see https://github.com/getsentry/sentry-python/blob/f6f3525f8812f609/sentry_sdk/tracing.py#L372)\n\n\thub.CaptureEvent(event)\n}\n\n// sentryTracePattern matches either\n//\n//\tTRACE_ID - SPAN_ID\n//\t[[:xdigit:]]{32}-[[:xdigit:]]{16}\n//\n// or\n//\n//\tTRACE_ID - SPAN_ID - SAMPLED\n//\t[[:xdigit:]]{32}-[[:xdigit:]]{16}-[01]\nvar sentryTracePattern = regexp.MustCompile(`^([[:xdigit:]]{32})-([[:xdigit:]]{16})(?:-([01]))?$`)\n\n// updateFromSentryTrace parses a sentry-trace HTTP header (as returned by\n// ToSentryTrace) and updates fields of the span. If the header cannot be\n// recognized as valid, the span is left unchanged. The returned value indicates\n// whether the span was updated.\nfunc (s *Span) updateFromSentryTrace(header []byte) (updated bool) {\n\tm := sentryTracePattern.FindSubmatch(header)\n\tif m == nil {\n\t\t// no match\n\t\treturn false\n\t}\n\t_, _ = hex.Decode(s.TraceID[:], m[1])\n\t_, _ = hex.Decode(s.ParentSpanID[:], m[2])\n\tif len(m[3]) != 0 {\n\t\tswitch m[3][0] {\n\t\tcase '0':\n\t\t\ts.Sampled = SampledFalse\n\t\tcase '1':\n\t\t\ts.Sampled = SampledTrue\n\t\t}\n\t}\n\treturn true\n}\n\nfunc (s *Span) updateFromBaggage(header []byte) {\n\tif s.IsTransaction() {\n\t\tdsc, err := DynamicSamplingContextFromHeader(header)\n\t\tif err != nil {\n\t\t\treturn\n\t\t}\n\n\t\ts.dynamicSamplingContext = dsc\n\t}\n}\n\nfunc (s *Span) clientOptions() *ClientOptions {\n\tclient := hubFromContext(s.ctx).Client()\n\tif client != nil {\n\t\treturn &client.options\n\t}\n\treturn &ClientOptions{}\n}\n\nfunc (s *Span) sample() Sampled {\n\tclientOptions := s.clientOptions()\n\t// https://develop.sentry.dev/sdk/performance/#sampling\n\t// #1 tracing is not enabled.\n\tif !clientOptions.EnableTracing {\n\t\tdebuglog.Printf(\"Dropping transaction: EnableTracing is set to %t\", clientOptions.EnableTracing)\n\t\ts.sampleRate = 0.0\n\t\treturn SampledFalse\n\t}\n\n\t// #2 explicit sampling decision via StartSpan/StartTransaction options.\n\tif s.explicitSampled != SampledUndefined {\n\t\tdebuglog.Printf(\"Using explicit sampling decision from StartSpan/StartTransaction: %v\", s.explicitSampled)\n\t\tswitch s.explicitSampled {\n\t\tcase SampledTrue:\n\t\t\ts.sampleRate = 1.0\n\t\tcase SampledFalse:\n\t\t\ts.sampleRate = 0.0\n\t\t}\n\t\treturn s.explicitSampled\n\t}\n\n\t// Variant for non-transaction spans: they inherit the parent decision.\n\t// Note: non-transaction should always have a parent, but we check both\n\t// conditions anyway -- the first for semantic meaning, the second to\n\t// avoid a nil pointer dereference.\n\tif !s.IsTransaction() && s.parent != nil {\n\t\treturn s.parent.Sampled\n\t}\n\n\t// #3 use TracesSampler from ClientOptions.\n\tsampler := clientOptions.TracesSampler\n\tsamplingContext := SamplingContext{\n\t\tSpan: s,\n\t\tParent: s.parent,\n\t}\n\n\tif sampler != nil {\n\t\ttracesSamplerSampleRate := sampler.Sample(samplingContext)\n\t\ts.sampleRate = tracesSamplerSampleRate\n\t\t// tracesSampler can update the sample_rate on frozen DSC\n\t\tif s.dynamicSamplingContext.HasEntries() {\n\t\t\ts.dynamicSamplingContext.Entries[\"sample_rate\"] = strconv.FormatFloat(tracesSamplerSampleRate, 'f', -1, 64)\n\t\t}\n\t\tif tracesSamplerSampleRate < 0.0 || tracesSamplerSampleRate > 1.0 {\n\t\t\tdebuglog.Printf(\"Dropping transaction: Returned TracesSampler rate is out of range [0.0, 1.0]: %f\", tracesSamplerSampleRate)\n\t\t\treturn SampledFalse\n\t\t}\n\t\tif tracesSamplerSampleRate == 0.0 {\n\t\t\tdebuglog.Printf(\"Dropping transaction: Returned TracesSampler rate is: %f\", tracesSamplerSampleRate)\n\t\t\treturn SampledFalse\n\t\t}\n\n\t\tif rng.Float64() < tracesSamplerSampleRate {\n\t\t\treturn SampledTrue\n\t\t}\n\t\tdebuglog.Printf(\"Dropping transaction: TracesSampler returned rate: %f\", tracesSamplerSampleRate)\n\n\t\treturn SampledFalse\n\t}\n\n\t// #4 inherit parent decision.\n\tif s.Sampled != SampledUndefined {\n\t\tdebuglog.Printf(\"Using sampling decision from parent: %v\", s.Sampled)\n\t\tswitch s.Sampled {\n\t\tcase SampledTrue:\n\t\t\ts.sampleRate = 1.0\n\t\tcase SampledFalse:\n\t\t\ts.sampleRate = 0.0\n\t\t}\n\t\treturn s.Sampled\n\t}\n\n\t// #5 use TracesSampleRate from ClientOptions.\n\tsampleRate := clientOptions.TracesSampleRate\n\ts.sampleRate = sampleRate\n\t// tracesSampleRate can update the sample_rate on frozen DSC\n\tif s.dynamicSamplingContext.HasEntries() {\n\t\ts.dynamicSamplingContext.Entries[\"sample_rate\"] = strconv.FormatFloat(sampleRate, 'f', -1, 64)\n\t}\n\tif sampleRate < 0.0 || sampleRate > 1.0 {\n\t\tdebuglog.Printf(\"Dropping transaction: TracesSampleRate out of range [0.0, 1.0]: %f\", sampleRate)\n\t\treturn SampledFalse\n\t}\n\tif sampleRate == 0.0 {\n\t\tdebuglog.Printf(\"Dropping transaction: TracesSampleRate rate is: %f\", sampleRate)\n\t\treturn SampledFalse\n\t}\n\n\tif rng.Float64() < sampleRate {\n\t\treturn SampledTrue\n\t}\n\n\treturn SampledFalse\n}\n\nfunc (s *Span) toEvent() *Event {\n\ts.mu.Lock()\n\tdefer s.mu.Unlock()\n\n\tif !s.IsTransaction() {\n\t\treturn nil // only transactions can be transformed into events\n\t}\n\n\tchildren := s.recorder.children()\n\tfinished := make([]*Span, 0, len(children))\n\tfor _, child := range children {\n\t\tif child.EndTime.IsZero() {\n\t\t\tdebuglog.Printf(\"Dropped unfinished span: Op=%q TraceID=%s SpanID=%s\", child.Op, child.TraceID, child.SpanID)\n\t\t\tcontinue\n\t\t}\n\t\tfinished = append(finished, child)\n\t}\n\n\t// Create and attach a DynamicSamplingContext to the transaction.\n\t// If the DynamicSamplingContext is not frozen at this point, we can assume being head of trace.\n\tif !s.dynamicSamplingContext.IsFrozen() {\n\t\ts.dynamicSamplingContext = DynamicSamplingContextFromTransaction(s)\n\t}\n\n\tcontexts := make(map[string]Context, len(s.contexts)+1)\n\tfor k, v := range s.contexts {\n\t\tcontexts[k] = cloneContext(v)\n\t}\n\tcontexts[\"trace\"] = s.traceContext().Map()\n\n\t// Make sure that the transaction source is valid\n\ttransactionSource := s.Source\n\tif !transactionSource.isValid() {\n\t\ttransactionSource = SourceCustom\n\t}\n\n\treturn &Event{\n\t\tType: transactionType,\n\t\tTransaction: s.Name,\n\t\tContexts: contexts,\n\t\tTags: s.Tags,\n\t\tTimestamp: s.EndTime,\n\t\tStartTime: s.StartTime,\n\t\tSpans: finished,\n\t\tTransactionInfo: &TransactionInfo{\n\t\t\tSource: transactionSource,\n\t\t},\n\t\tsdkMetaData: SDKMetaData{\n\t\t\tdsc: s.dynamicSamplingContext,\n\t\t},\n\t}\n}\n\nfunc (s *Span) traceContext() *TraceContext {\n\treturn &TraceContext{\n\t\tTraceID: s.TraceID,\n\t\tSpanID: s.SpanID,\n\t\tParentSpanID: s.ParentSpanID,\n\t\tOp: s.Op,\n\t\tData: s.Data,\n\t\tDescription: s.Description,\n\t\tStatus: s.Status,\n\t}\n}\n\n// spanRecorder stores the span tree. Guaranteed to be non-nil.\nfunc (s *Span) spanRecorder() *spanRecorder { return s.recorder }\n\n// ParseTraceParentContext parses a sentry-trace header and builds a TraceParentContext from the\n// parsed values. If the header was parsed correctly, the second returned argument\n// (\"valid\") will be set to true, otherwise (e.g., empty or malformed header) it will\n// be false.\nfunc ParseTraceParentContext(header []byte) (traceParentContext TraceParentContext, valid bool) {\n\ts := Span{}\n\tupdated := s.updateFromSentryTrace(header)\n\tif !updated {\n\t\treturn TraceParentContext{}, false\n\t}\n\treturn TraceParentContext{\n\t\tTraceID: s.TraceID,\n\t\tParentSpanID: s.ParentSpanID,\n\t\tSampled: s.Sampled,\n\t}, true\n}\n\n// TraceID identifies a trace.\ntype TraceID [16]byte\n\nfunc (id TraceID) Hex() []byte {\n\tb := make([]byte, hex.EncodedLen(len(id)))\n\thex.Encode(b, id[:])\n\treturn b\n}\n\nfunc (id TraceID) String() string {\n\treturn string(id.Hex())\n}\n\nfunc (id TraceID) MarshalText() ([]byte, error) {\n\treturn id.Hex(), nil\n}\n\n// SpanID identifies a span.\ntype SpanID [8]byte\n\nfunc (id SpanID) Hex() []byte {\n\tb := make([]byte, hex.EncodedLen(len(id)))\n\thex.Encode(b, id[:])\n\treturn b\n}\n\nfunc (id SpanID) String() string {\n\treturn string(id.Hex())\n}\n\nfunc (id SpanID) MarshalText() ([]byte, error) {\n\treturn id.Hex(), nil\n}\n\n// Zero values of TraceID and SpanID used for comparisons.\nvar (\n\tzeroTraceID TraceID\n\tzeroSpanID SpanID\n)\n\n// Contains information about how the name of the transaction was determined.\ntype TransactionSource string\n\nconst (\n\tSourceCustom TransactionSource = \"custom\"\n\tSourceURL TransactionSource = \"url\"\n\tSourceRoute TransactionSource = \"route\"\n\tSourceView TransactionSource = \"view\"\n\tSourceComponent TransactionSource = \"component\"\n\tSourceTask TransactionSource = \"task\"\n)\n\n// A set of all valid transaction sources.\nvar allTransactionSources = map[TransactionSource]struct{}{\n\tSourceCustom: {},\n\tSourceURL: {},\n\tSourceRoute: {},\n\tSourceView: {},\n\tSourceComponent: {},\n\tSourceTask: {},\n}\n\n// isValid returns 'true' if the given transaction source is a valid\n// source as recognized by the envelope protocol:\n// https://develop.sentry.dev/sdk/event-payloads/transaction/#transaction-annotations\nfunc (ts TransactionSource) isValid() bool {\n\t_, found := allTransactionSources[ts]\n\treturn found\n}\n\n// SpanStatus is the status of a span.\ntype SpanStatus uint8\n\n// Implementation note:\n//\n// In Relay (ingestion), the SpanStatus type is an enum used as\n// Annotated when embedded in structs, making it effectively\n// Option. It means the status is either null or one of the known\n// string values.\n//\n// In Snuba (search), the SpanStatus is stored as an uint8 and defaulted to 2\n// (\"unknown\") when not set. It means that Discover searches for\n// `transaction.status:unknown` return both transactions/spans with status\n// `null` or `\"unknown\"`. Searches for `transaction.status:\"\"` return nothing.\n//\n// With that in mind, the Go SDK default is SpanStatusUndefined, which is\n// null/omitted when serializing to JSON, but integrations may update the status\n// automatically based on contextual information.\n\nconst (\n\tSpanStatusUndefined SpanStatus = iota\n\tSpanStatusOK\n\tSpanStatusCanceled\n\tSpanStatusUnknown\n\tSpanStatusInvalidArgument\n\tSpanStatusDeadlineExceeded\n\tSpanStatusNotFound\n\tSpanStatusAlreadyExists\n\tSpanStatusPermissionDenied\n\tSpanStatusResourceExhausted\n\tSpanStatusFailedPrecondition\n\tSpanStatusAborted\n\tSpanStatusOutOfRange\n\tSpanStatusUnimplemented\n\tSpanStatusInternalError\n\tSpanStatusUnavailable\n\tSpanStatusDataLoss\n\tSpanStatusUnauthenticated\n\tmaxSpanStatus\n)\n\nvar spanStatuses = [maxSpanStatus]string{\n\t\"\",\n\t\"ok\",\n\t\"cancelled\", // [sic]\n\t\"unknown\",\n\t\"invalid_argument\",\n\t\"deadline_exceeded\",\n\t\"not_found\",\n\t\"already_exists\",\n\t\"permission_denied\",\n\t\"resource_exhausted\",\n\t\"failed_precondition\",\n\t\"aborted\",\n\t\"out_of_range\",\n\t\"unimplemented\",\n\t\"internal_error\",\n\t\"unavailable\",\n\t\"data_loss\",\n\t\"unauthenticated\",\n}\n\nfunc (ss SpanStatus) String() string {\n\tif ss >= maxSpanStatus {\n\t\treturn \"\"\n\t}\n\treturn spanStatuses[ss]\n}\n\nfunc (ss SpanStatus) MarshalJSON() ([]byte, error) {\n\ts := ss.String()\n\tif s == \"\" {\n\t\treturn []byte(\"null\"), nil\n\t}\n\treturn json.Marshal(s)\n}\n\n// A TraceContext carries information about an ongoing trace and is meant to be\n// stored in Event.Contexts (as *TraceContext).\ntype TraceContext struct {\n\tTraceID TraceID `json:\"trace_id\"`\n\tSpanID SpanID `json:\"span_id\"`\n\tParentSpanID SpanID `json:\"parent_span_id,omitzero\"`\n\tOp string `json:\"op,omitempty\"`\n\tDescription string `json:\"description,omitempty\"`\n\tStatus SpanStatus `json:\"status,omitempty\"`\n\tData map[string]interface{} `json:\"data,omitempty\"`\n}\n\nfunc (tc TraceContext) Map() map[string]interface{} {\n\tm := map[string]interface{}{\n\t\t\"trace_id\": tc.TraceID,\n\t\t\"span_id\": tc.SpanID,\n\t}\n\n\tif tc.ParentSpanID != [8]byte{} {\n\t\tm[\"parent_span_id\"] = tc.ParentSpanID\n\t}\n\n\tif tc.Op != \"\" {\n\t\tm[\"op\"] = tc.Op\n\t}\n\n\tif tc.Description != \"\" {\n\t\tm[\"description\"] = tc.Description\n\t}\n\n\tif tc.Status > 0 && tc.Status < maxSpanStatus {\n\t\tm[\"status\"] = tc.Status\n\t}\n\n\tif len(tc.Data) > 0 {\n\t\tm[\"data\"] = tc.Data\n\t}\n\n\treturn m\n}\n\n// Sampled signifies a sampling decision.\ntype Sampled int8\n\n// The possible trace sampling decisions are: SampledFalse, SampledUndefined\n// (default) and SampledTrue.\nconst (\n\tSampledFalse Sampled = -1\n\tSampledUndefined Sampled = 0\n\tSampledTrue Sampled = 1\n)\n\nfunc (s Sampled) String() string {\n\tswitch s {\n\tcase SampledFalse:\n\t\treturn \"SampledFalse\"\n\tcase SampledUndefined:\n\t\treturn \"SampledUndefined\"\n\tcase SampledTrue:\n\t\treturn \"SampledTrue\"\n\tdefault:\n\t\treturn fmt.Sprintf(\"SampledInvalid(%d)\", s)\n\t}\n}\n\n// Bool returns true if the sample decision is SampledTrue, false otherwise.\nfunc (s Sampled) Bool() bool {\n\treturn s == SampledTrue\n}\n\n// A SpanOption is a function that can modify the properties of a span.\ntype SpanOption func(s *Span)\n\n// WithTransactionName option sets the name of the current transaction.\n//\n// A span tree has a single transaction name, therefore using this option when\n// starting a span affects the span tree as a whole, potentially overwriting a\n// name set previously.\nfunc WithTransactionName(name string) SpanOption {\n\treturn func(s *Span) {\n\t\ts.Name = name\n\t}\n}\n\n// WithDescription sets the description of a span.\nfunc WithDescription(description string) SpanOption {\n\treturn func(s *Span) {\n\t\ts.Description = description\n\t}\n}\n\n// WithOpName sets the operation name for a given span.\nfunc WithOpName(name string) SpanOption {\n\treturn func(s *Span) {\n\t\ts.Op = name\n\t}\n}\n\n// WithTransactionSource sets the source of the transaction name.\n//\n// Note: if the transaction source is not a valid source (as described\n// by the spec https://develop.sentry.dev/sdk/event-payloads/transaction/#transaction-annotations),\n// it will be corrected to \"custom\" eventually, before the transaction is sent.\nfunc WithTransactionSource(source TransactionSource) SpanOption {\n\treturn func(s *Span) {\n\t\ts.Source = source\n\t}\n}\n\n// WithSpanSampled updates the sampling flag for a given span.\nfunc WithSpanSampled(sampled Sampled) SpanOption {\n\treturn func(s *Span) {\n\t\ts.explicitSampled = sampled\n\t}\n}\n\n// WithSpanOrigin sets the origin of the span.\nfunc WithSpanOrigin(origin SpanOrigin) SpanOption {\n\treturn func(s *Span) {\n\t\ts.Origin = origin\n\t}\n}\n\n// ContinueTrace continues a trace based on traceparent and baggage values.\n// If the SDK is configured with tracing enabled,\n// this function returns populated SpanOption.\n// In any other cases, it populates the propagation context on the scope.\nfunc ContinueTrace(hub *Hub, traceparent, baggage string) SpanOption {\n\tscope := hub.Scope()\n\tpropagationContext, _ := PropagationContextFromHeaders(traceparent, baggage)\n\tscope.SetPropagationContext(propagationContext)\n\n\treturn ContinueFromHeaders(traceparent, baggage)\n}\n\n// ContinueFromRequest returns a span option that updates the span to continue\n// an existing trace. If it cannot detect an existing trace in the request, the\n// span will be left unchanged.\n//\n// ContinueFromRequest is an alias for:\n//\n// ContinueFromHeaders(r.Header.Get(SentryTraceHeader), r.Header.Get(SentryBaggageHeader)).\nfunc ContinueFromRequest(r *http.Request) SpanOption {\n\treturn ContinueFromHeaders(r.Header.Get(SentryTraceHeader), r.Header.Get(SentryBaggageHeader))\n}\n\n// ContinueFromHeaders returns a span option that updates the span to continue\n// an existing TraceID and propagates the Dynamic Sampling context.\nfunc ContinueFromHeaders(trace, baggage string) SpanOption {\n\treturn func(s *Span) {\n\t\tif trace != \"\" {\n\t\t\ts.updateFromSentryTrace([]byte(trace))\n\n\t\t\tif baggage != \"\" {\n\t\t\t\ts.updateFromBaggage([]byte(baggage))\n\t\t\t}\n\n\t\t\t// In case a sentry-trace header is present but there are no sentry-related\n\t\t\t// values in the baggage, create an empty, frozen DynamicSamplingContext.\n\t\t\tif !s.dynamicSamplingContext.HasEntries() {\n\t\t\t\ts.dynamicSamplingContext = DynamicSamplingContext{\n\t\t\t\t\tFrozen: true,\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}\n\n// ContinueFromTrace returns a span option that updates the span to continue\n// an existing TraceID.\nfunc ContinueFromTrace(trace string) SpanOption {\n\treturn func(s *Span) {\n\t\tif trace == \"\" {\n\t\t\treturn\n\t\t}\n\t\ts.updateFromSentryTrace([]byte(trace))\n\t}\n}\n\n// spanContextKey is used to store span values in contexts.\ntype spanContextKey struct{}\n\n// TransactionFromContext returns the root span of the current transaction. It\n// returns nil if no transaction is tracked in the context.\nfunc TransactionFromContext(ctx context.Context) *Span {\n\tif span, ok := ctx.Value(spanContextKey{}).(*Span); ok {\n\t\treturn span.recorder.root()\n\t}\n\treturn nil\n}\n\n// SpanFromContext returns the last span stored in the context, or nil if no span\n// is set on the context.\nfunc SpanFromContext(ctx context.Context) *Span {\n\tif span, ok := ctx.Value(spanContextKey{}).(*Span); ok {\n\t\treturn span\n\t}\n\treturn nil\n}\n\n// StartTransaction will create a transaction (root span) if there's no existing\n// transaction in the context otherwise, it will return the existing transaction.\nfunc StartTransaction(ctx context.Context, name string, options ...SpanOption) *Span {\n\tcurrentTransaction, exists := ctx.Value(spanContextKey{}).(*Span)\n\tif exists {\n\t\tcurrentTransaction.ctx = ctx\n\t\treturn currentTransaction\n\t}\n\n\toptions = append(options, WithTransactionName(name))\n\treturn StartSpan(\n\t\tctx,\n\t\t\"\",\n\t\toptions...,\n\t)\n}\n\n// HTTPtoSpanStatus converts an HTTP status code to a SpanStatus.\nfunc HTTPtoSpanStatus(code int) SpanStatus {\n\tif code < http.StatusBadRequest {\n\t\treturn SpanStatusOK\n\t}\n\tif http.StatusBadRequest <= code && code < http.StatusInternalServerError {\n\t\tswitch code {\n\t\tcase http.StatusForbidden:\n\t\t\treturn SpanStatusPermissionDenied\n\t\tcase http.StatusNotFound:\n\t\t\treturn SpanStatusNotFound\n\t\tcase http.StatusTooManyRequests:\n\t\t\treturn SpanStatusResourceExhausted\n\t\tcase http.StatusRequestEntityTooLarge:\n\t\t\treturn SpanStatusFailedPrecondition\n\t\tcase http.StatusUnauthorized:\n\t\t\treturn SpanStatusUnauthenticated\n\t\tcase http.StatusConflict:\n\t\t\treturn SpanStatusAlreadyExists\n\t\tdefault:\n\t\t\treturn SpanStatusInvalidArgument\n\t\t}\n\t}\n\tif http.StatusInternalServerError <= code && code < 600 {\n\t\tswitch code {\n\t\tcase http.StatusGatewayTimeout:\n\t\t\treturn SpanStatusDeadlineExceeded\n\t\tcase http.StatusNotImplemented:\n\t\t\treturn SpanStatusUnimplemented\n\t\tcase http.StatusServiceUnavailable:\n\t\t\treturn SpanStatusUnavailable\n\t\tdefault:\n\t\t\treturn SpanStatusInternalError\n\t\t}\n\t}\n\treturn SpanStatusUnknown\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/transport.go", "content": "package sentry\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/tls\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n\thttpinternal \"github.com/getsentry/sentry-go/internal/http\"\n\t\"github.com/getsentry/sentry-go/internal/protocol\"\n\t\"github.com/getsentry/sentry-go/internal/ratelimit\"\n\t\"github.com/getsentry/sentry-go/internal/util\"\n)\n\nconst (\n\tdefaultBufferSize = 1000\n\tdefaultTimeout = time.Second * 30\n)\n\n// Transport is used by the Client to deliver events to remote server.\ntype Transport interface {\n\tFlush(timeout time.Duration) bool\n\tFlushWithContext(ctx context.Context) bool\n\tConfigure(options ClientOptions)\n\tSendEvent(event *Event)\n\tClose()\n}\n\nfunc getProxyConfig(options ClientOptions) func(*http.Request) (*url.URL, error) {\n\tif options.HTTPSProxy != \"\" {\n\t\treturn func(*http.Request) (*url.URL, error) {\n\t\t\treturn url.Parse(options.HTTPSProxy)\n\t\t}\n\t}\n\n\tif options.HTTPProxy != \"\" {\n\t\treturn func(*http.Request) (*url.URL, error) {\n\t\t\treturn url.Parse(options.HTTPProxy)\n\t\t}\n\t}\n\n\treturn http.ProxyFromEnvironment\n}\n\nfunc getTLSConfig(options ClientOptions) *tls.Config {\n\tif options.CaCerts != nil {\n\t\t// #nosec G402 -- We should be using `MinVersion: tls.VersionTLS12`,\n\t\t// \t\t\t\t but we don't want to break peoples code without the major bump.\n\t\treturn &tls.Config{\n\t\t\tRootCAs: options.CaCerts,\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc getRequestBodyFromEvent(event *Event) []byte {\n\tbody, err := json.Marshal(event)\n\tif err == nil {\n\t\treturn body\n\t}\n\n\tmsg := fmt.Sprintf(\"Could not encode original event as JSON. \"+\n\t\t\"Succeeded by removing Breadcrumbs, Contexts and Extra. \"+\n\t\t\"Please verify the data you attach to the scope. \"+\n\t\t\"Error: %s\", err)\n\t// Try to serialize the event, with all the contextual data that allows for interface{} stripped.\n\tevent.Breadcrumbs = nil\n\tevent.Contexts = nil\n\tevent.Extra = map[string]interface{}{\n\t\t\"info\": msg,\n\t}\n\tbody, err = json.Marshal(event)\n\tif err == nil {\n\t\tdebuglog.Println(msg)\n\t\treturn body\n\t}\n\n\t// This should _only_ happen when Event.Exception[0].Stacktrace.Frames[0].Vars is unserializable\n\t// Which won't ever happen, as we don't use it now (although it's the part of public interface accepted by Sentry)\n\t// Juuust in case something, somehow goes utterly wrong.\n\tdebuglog.Println(\"Event couldn't be marshaled, even with stripped contextual data. Skipping delivery. \" +\n\t\t\"Please notify the SDK owners with possibly broken payload.\")\n\treturn nil\n}\n\nfunc encodeAttachment(enc *json.Encoder, b io.Writer, attachment *Attachment) error {\n\t// Attachment header\n\terr := enc.Encode(struct {\n\t\tType string `json:\"type\"`\n\t\tLength int `json:\"length\"`\n\t\tFilename string `json:\"filename\"`\n\t\tContentType string `json:\"content_type,omitempty\"`\n\t}{\n\t\tType: \"attachment\",\n\t\tLength: len(attachment.Payload),\n\t\tFilename: attachment.Filename,\n\t\tContentType: attachment.ContentType,\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Attachment payload\n\tif _, err = b.Write(attachment.Payload); err != nil {\n\t\treturn err\n\t}\n\n\t// \"Envelopes should be terminated with a trailing newline.\"\n\t//\n\t// [1]: https://develop.sentry.dev/sdk/envelopes/#envelopes\n\tif _, err := b.Write([]byte(\"\\n\")); err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\nfunc encodeEnvelopeItem(enc *json.Encoder, itemType string, body json.RawMessage) error {\n\t// Item header\n\terr := enc.Encode(struct {\n\t\tType string `json:\"type\"`\n\t\tLength int `json:\"length\"`\n\t}{\n\t\tType: itemType,\n\t\tLength: len(body),\n\t})\n\tif err == nil {\n\t\t// payload\n\t\terr = enc.Encode(body)\n\t}\n\treturn err\n}\n\nfunc encodeEnvelopeLogs(enc *json.Encoder, count int, body json.RawMessage) error {\n\terr := enc.Encode(\n\t\tstruct {\n\t\t\tType string `json:\"type\"`\n\t\t\tItemCount int `json:\"item_count\"`\n\t\t\tContentType string `json:\"content_type\"`\n\t\t}{\n\t\t\tType: logEvent.Type,\n\t\t\tItemCount: count,\n\t\t\tContentType: logEvent.ContentType,\n\t\t})\n\tif err == nil {\n\t\terr = enc.Encode(body)\n\t}\n\treturn err\n}\n\nfunc encodeEnvelopeMetrics(enc *json.Encoder, count int, body json.RawMessage) error {\n\terr := enc.Encode(\n\t\tstruct {\n\t\t\tType string `json:\"type\"`\n\t\t\tItemCount int `json:\"item_count\"`\n\t\t\tContentType string `json:\"content_type\"`\n\t\t}{\n\t\t\tType: traceMetricEvent.Type,\n\t\t\tItemCount: count,\n\t\t\tContentType: traceMetricEvent.ContentType,\n\t\t})\n\tif err == nil {\n\t\terr = enc.Encode(body)\n\t}\n\treturn err\n}\n\nfunc envelopeFromBody(event *Event, dsn *Dsn, sentAt time.Time, body json.RawMessage) (*bytes.Buffer, error) {\n\tvar b bytes.Buffer\n\tenc := json.NewEncoder(&b)\n\n\t// Construct the trace envelope header\n\tvar trace = map[string]string{}\n\tif dsc := event.sdkMetaData.dsc; dsc.HasEntries() {\n\t\tfor k, v := range dsc.Entries {\n\t\t\ttrace[k] = v\n\t\t}\n\t}\n\n\t// Envelope header\n\terr := enc.Encode(struct {\n\t\tEventID EventID `json:\"event_id\"`\n\t\tSentAt time.Time `json:\"sent_at\"`\n\t\tDsn string `json:\"dsn\"`\n\t\tSdk map[string]string `json:\"sdk\"`\n\t\tTrace map[string]string `json:\"trace,omitempty\"`\n\t}{\n\t\tEventID: event.EventID,\n\t\tSentAt: sentAt,\n\t\tTrace: trace,\n\t\tDsn: dsn.String(),\n\t\tSdk: map[string]string{\n\t\t\t\"name\": event.Sdk.Name,\n\t\t\t\"version\": event.Sdk.Version,\n\t\t},\n\t})\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tswitch event.Type {\n\tcase transactionType, checkInType:\n\t\terr = encodeEnvelopeItem(enc, event.Type, body)\n\tcase logEvent.Type:\n\t\terr = encodeEnvelopeLogs(enc, len(event.Logs), body)\n\tcase traceMetricEvent.Type:\n\t\terr = encodeEnvelopeMetrics(enc, len(event.Metrics), body)\n\tdefault:\n\t\terr = encodeEnvelopeItem(enc, eventType, body)\n\t}\n\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Attachments\n\tfor _, attachment := range event.Attachments {\n\t\tif err := encodeAttachment(enc, &b, attachment); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\treturn &b, nil\n}\n\nfunc getRequestFromEvent(ctx context.Context, event *Event, dsn *Dsn) (r *http.Request, err error) {\n\tdefer func() {\n\t\tif r != nil {\n\t\t\tr.Header.Set(\"User-Agent\", fmt.Sprintf(\"%s/%s\", event.Sdk.Name, event.Sdk.Version))\n\t\t\tr.Header.Set(\"Content-Type\", \"application/x-sentry-envelope\")\n\n\t\t\tauth := fmt.Sprintf(\"Sentry sentry_version=%s, \"+\n\t\t\t\t\"sentry_client=%s/%s, sentry_key=%s\", apiVersion, event.Sdk.Name, event.Sdk.Version, dsn.GetPublicKey())\n\n\t\t\t// The key sentry_secret is effectively deprecated and no longer needs to be set.\n\t\t\t// However, since it was required in older self-hosted versions,\n\t\t\t// it should still passed through to Sentry if set.\n\t\t\tif dsn.GetSecretKey() != \"\" {\n\t\t\t\tauth = fmt.Sprintf(\"%s, sentry_secret=%s\", auth, dsn.GetSecretKey())\n\t\t\t}\n\n\t\t\tr.Header.Set(\"X-Sentry-Auth\", auth)\n\t\t}\n\t}()\n\n\tbody := getRequestBodyFromEvent(event)\n\tif body == nil {\n\t\treturn nil, errors.New(\"event could not be marshaled\")\n\t}\n\n\tenvelope, err := envelopeFromBody(event, dsn, time.Now(), body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif ctx == nil {\n\t\tctx = context.Background()\n\t}\n\n\treturn http.NewRequestWithContext(\n\t\tctx,\n\t\thttp.MethodPost,\n\t\tdsn.GetAPIURL().String(),\n\t\tenvelope,\n\t)\n}\n\n// ================================\n// HTTPTransport\n// ================================\n\n// A batch groups items that are processed sequentially.\ntype batch struct {\n\titems chan batchItem\n\tstarted chan struct{} // closed to signal items started to be worked on\n\tdone chan struct{} // closed to signal completion of all items\n}\n\ntype batchItem struct {\n\trequest *http.Request\n\tcategory ratelimit.Category\n\teventIdentifier string\n}\n\n// HTTPTransport is the default, non-blocking, implementation of Transport.\n//\n// Clients using this transport will enqueue requests in a buffer and return to\n// the caller before any network communication has happened. Requests are sent\n// to Sentry sequentially from a background goroutine.\ntype HTTPTransport struct {\n\tdsn *Dsn\n\tclient *http.Client\n\ttransport http.RoundTripper\n\n\t// buffer is a channel of batches. Calling Flush terminates work on the\n\t// current in-flight items and starts a new batch for subsequent events.\n\tbuffer chan batch\n\n\tstartOnce sync.Once\n\tcloseOnce sync.Once\n\n\t// Size of the transport buffer. Defaults to 30.\n\tBufferSize int\n\t// HTTP Client request timeout. Defaults to 30 seconds.\n\tTimeout time.Duration\n\n\tmu sync.RWMutex\n\tlimits ratelimit.Map\n\n\t// receiving signal will terminate worker.\n\tdone chan struct{}\n}\n\n// NewHTTPTransport returns a new pre-configured instance of HTTPTransport.\nfunc NewHTTPTransport() *HTTPTransport {\n\ttransport := HTTPTransport{\n\t\tBufferSize: defaultBufferSize,\n\t\tTimeout: defaultTimeout,\n\t\tdone: make(chan struct{}),\n\t}\n\treturn &transport\n}\n\n// Configure is called by the Client itself, providing it it's own ClientOptions.\nfunc (t *HTTPTransport) Configure(options ClientOptions) {\n\tdsn, err := NewDsn(options.Dsn)\n\tif err != nil {\n\t\tdebuglog.Printf(\"%v\\n\", err)\n\t\treturn\n\t}\n\tt.dsn = dsn\n\n\t// A buffered channel with capacity 1 works like a mutex, ensuring only one\n\t// goroutine can access the current batch at a given time. Access is\n\t// synchronized by reading from and writing to the channel.\n\tt.buffer = make(chan batch, 1)\n\tt.buffer <- batch{\n\t\titems: make(chan batchItem, t.BufferSize),\n\t\tstarted: make(chan struct{}),\n\t\tdone: make(chan struct{}),\n\t}\n\n\tif options.HTTPTransport != nil {\n\t\tt.transport = options.HTTPTransport\n\t} else {\n\t\tt.transport = &http.Transport{\n\t\t\tProxy: getProxyConfig(options),\n\t\t\tTLSClientConfig: getTLSConfig(options),\n\t\t}\n\t}\n\n\tif options.HTTPClient != nil {\n\t\tt.client = options.HTTPClient\n\t} else {\n\t\tt.client = &http.Client{\n\t\t\tTransport: t.transport,\n\t\t\tTimeout: t.Timeout,\n\t\t}\n\t}\n\n\tt.startOnce.Do(func() {\n\t\tgo t.worker()\n\t})\n}\n\n// SendEvent assembles a new packet out of Event and sends it to the remote server.\nfunc (t *HTTPTransport) SendEvent(event *Event) {\n\tt.SendEventWithContext(context.Background(), event)\n}\n\n// SendEventWithContext assembles a new packet out of Event and sends it to the remote server.\nfunc (t *HTTPTransport) SendEventWithContext(ctx context.Context, event *Event) {\n\tif t.dsn == nil {\n\t\treturn\n\t}\n\n\tcategory := event.toCategory()\n\n\tif t.disabled(category) {\n\t\treturn\n\t}\n\n\trequest, err := getRequestFromEvent(ctx, event, t.dsn)\n\tif err != nil {\n\t\treturn\n\t}\n\n\t// <-t.buffer is equivalent to acquiring a lock to access the current batch.\n\t// A few lines below, t.buffer <- b releases the lock.\n\t//\n\t// The lock must be held during the select block below to guarantee that\n\t// b.items is not closed while trying to send to it. Remember that sending\n\t// on a closed channel panics.\n\t//\n\t// Note that the select block takes a bounded amount of CPU time because of\n\t// the default case that is executed if sending on b.items would block. That\n\t// is, the event is dropped if it cannot be sent immediately to the b.items\n\t// channel (used as a queue).\n\tb := <-t.buffer\n\n\tidentifier := eventIdentifier(event)\n\n\tselect {\n\tcase b.items <- batchItem{\n\t\trequest: request,\n\t\tcategory: category,\n\t\teventIdentifier: identifier,\n\t}:\n\t\tdebuglog.Printf(\n\t\t\t\"Sending %s to %s project: %s\",\n\t\t\tidentifier,\n\t\t\tt.dsn.GetHost(),\n\t\t\tt.dsn.GetProjectID(),\n\t\t)\n\tdefault:\n\t\tdebuglog.Println(\"Event dropped due to transport buffer being full.\")\n\t}\n\n\tt.buffer <- b\n}\n\n// Flush waits until any buffered events are sent to the Sentry server, blocking\n// for at most the given timeout. It returns false if the timeout was reached.\n// In that case, some events may not have been sent.\n//\n// Flush should be called before terminating the program to avoid\n// unintentionally dropping events.\n//\n// Do not call Flush indiscriminately after every call to SendEvent. Instead, to\n// have the SDK send events over the network synchronously, configure it to use\n// the HTTPSyncTransport in the call to Init.\nfunc (t *HTTPTransport) Flush(timeout time.Duration) bool {\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\treturn t.FlushWithContext(ctx)\n}\n\n// FlushWithContext works like Flush, but it accepts a context.Context instead of a timeout.\nfunc (t *HTTPTransport) FlushWithContext(ctx context.Context) bool {\n\treturn t.flushInternal(ctx.Done())\n}\n\nfunc (t *HTTPTransport) flushInternal(timeout <-chan struct{}) bool {\n\t// Wait until processing the current batch has started or the timeout.\n\t//\n\t// We must wait until the worker has seen the current batch, because it is\n\t// the only way b.done will be closed. If we do not wait, there is a\n\t// possible execution flow in which b.done is never closed, and the only way\n\t// out of Flush would be waiting for the timeout, which is undesired.\n\tvar b batch\n\n\tfor {\n\t\tselect {\n\t\tcase b = <-t.buffer:\n\t\t\tselect {\n\t\t\tcase <-b.started:\n\t\t\t\tgoto started\n\t\t\tdefault:\n\t\t\t\tt.buffer <- b\n\t\t\t}\n\t\tcase <-timeout:\n\t\t\tgoto fail\n\t\t}\n\t}\n\nstarted:\n\t// Signal that there won't be any more items in this batch, so that the\n\t// worker inner loop can end.\n\tclose(b.items)\n\t// Start a new batch for subsequent events.\n\tt.buffer <- batch{\n\t\titems: make(chan batchItem, t.BufferSize),\n\t\tstarted: make(chan struct{}),\n\t\tdone: make(chan struct{}),\n\t}\n\n\t// Wait until the current batch is done or the timeout.\n\tselect {\n\tcase <-b.done:\n\t\tdebuglog.Println(\"Buffer flushed successfully.\")\n\t\treturn true\n\tcase <-timeout:\n\t\tgoto fail\n\t}\n\nfail:\n\tdebuglog.Println(\"Buffer flushing was canceled or timed out.\")\n\treturn false\n}\n\n// Close will terminate events sending loop.\n// It useful to prevent goroutines leak in case of multiple HTTPTransport instances initiated.\n//\n// Close should be called after Flush and before terminating the program\n// otherwise some events may be lost.\nfunc (t *HTTPTransport) Close() {\n\tt.closeOnce.Do(func() {\n\t\tclose(t.done)\n\t})\n}\n\nfunc (t *HTTPTransport) worker() {\n\tfor b := range t.buffer {\n\t\t// Signal that processing of the current batch has started.\n\t\tclose(b.started)\n\n\t\t// Return the batch to the buffer so that other goroutines can use it.\n\t\t// Equivalent to releasing a lock.\n\t\tt.buffer <- b\n\n\t\t// Process all batch items.\n\tloop:\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-t.done:\n\t\t\t\treturn\n\t\t\tcase item, open := <-b.items:\n\t\t\t\tif !open {\n\t\t\t\t\tbreak loop\n\t\t\t\t}\n\t\t\t\tif t.disabled(item.category) {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\n\t\t\t\tresponse, err := t.client.Do(item.request)\n\t\t\t\tif err != nil {\n\t\t\t\t\tdebuglog.Printf(\"There was an issue with sending an event: %v\", err)\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tutil.HandleHTTPResponse(response, item.eventIdentifier)\n\n\t\t\t\tt.mu.Lock()\n\t\t\t\tif t.limits == nil {\n\t\t\t\t\tt.limits = make(ratelimit.Map)\n\t\t\t\t}\n\t\t\t\tt.limits.Merge(ratelimit.FromResponse(response))\n\t\t\t\tt.mu.Unlock()\n\n\t\t\t\t// Drain body up to a limit and close it, allowing the\n\t\t\t\t// transport to reuse TCP connections.\n\t\t\t\t_, _ = io.CopyN(io.Discard, response.Body, util.MaxDrainResponseBytes)\n\t\t\t\tresponse.Body.Close()\n\t\t\t}\n\t\t}\n\n\t\t// Signal that processing of the batch is done.\n\t\tclose(b.done)\n\t}\n}\n\nfunc (t *HTTPTransport) disabled(c ratelimit.Category) bool {\n\tt.mu.RLock()\n\tdefer t.mu.RUnlock()\n\tdisabled := t.limits.IsRateLimited(c)\n\tif disabled {\n\t\tdebuglog.Printf(\"Too many requests for %q, backing off till: %v\", c, t.limits.Deadline(c))\n\t}\n\treturn disabled\n}\n\n// ================================\n// HTTPSyncTransport\n// ================================\n\n// HTTPSyncTransport is a blocking implementation of Transport.\n//\n// Clients using this transport will send requests to Sentry sequentially and\n// block until a response is returned.\n//\n// The blocking behavior is useful in a limited set of use cases. For example,\n// use it when deploying code to a Function as a Service (\"Serverless\")\n// platform, where any work happening in a background goroutine is not\n// guaranteed to execute.\n//\n// For most cases, prefer HTTPTransport.\ntype HTTPSyncTransport struct {\n\tdsn *Dsn\n\tclient *http.Client\n\ttransport http.RoundTripper\n\n\tmu sync.Mutex\n\tlimits ratelimit.Map\n\n\t// HTTP Client request timeout. Defaults to 30 seconds.\n\tTimeout time.Duration\n}\n\n// NewHTTPSyncTransport returns a new pre-configured instance of HTTPSyncTransport.\nfunc NewHTTPSyncTransport() *HTTPSyncTransport {\n\ttransport := HTTPSyncTransport{\n\t\tTimeout: defaultTimeout,\n\t\tlimits: make(ratelimit.Map),\n\t}\n\n\treturn &transport\n}\n\n// Configure is called by the Client itself, providing it it's own ClientOptions.\nfunc (t *HTTPSyncTransport) Configure(options ClientOptions) {\n\tdsn, err := NewDsn(options.Dsn)\n\tif err != nil {\n\t\tdebuglog.Printf(\"%v\\n\", err)\n\t\treturn\n\t}\n\tt.dsn = dsn\n\n\tif options.HTTPTransport != nil {\n\t\tt.transport = options.HTTPTransport\n\t} else {\n\t\tt.transport = &http.Transport{\n\t\t\tProxy: getProxyConfig(options),\n\t\t\tTLSClientConfig: getTLSConfig(options),\n\t\t}\n\t}\n\n\tif options.HTTPClient != nil {\n\t\tt.client = options.HTTPClient\n\t} else {\n\t\tt.client = &http.Client{\n\t\t\tTransport: t.transport,\n\t\t\tTimeout: t.Timeout,\n\t\t}\n\t}\n}\n\n// SendEvent assembles a new packet out of Event and sends it to the remote server.\nfunc (t *HTTPSyncTransport) SendEvent(event *Event) {\n\tt.SendEventWithContext(context.Background(), event)\n}\n\nfunc (t *HTTPSyncTransport) Close() {}\n\n// SendEventWithContext assembles a new packet out of Event and sends it to the remote server.\nfunc (t *HTTPSyncTransport) SendEventWithContext(ctx context.Context, event *Event) {\n\tif t.dsn == nil {\n\t\treturn\n\t}\n\n\tif t.disabled(event.toCategory()) {\n\t\treturn\n\t}\n\n\trequest, err := getRequestFromEvent(ctx, event, t.dsn)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tidentifier := eventIdentifier(event)\n\tdebuglog.Printf(\n\t\t\"Sending %s to %s project: %s\",\n\t\tidentifier,\n\t\tt.dsn.GetHost(),\n\t\tt.dsn.GetProjectID(),\n\t)\n\n\tresponse, err := t.client.Do(request)\n\tif err != nil {\n\t\tdebuglog.Printf(\"There was an issue with sending an event: %v\", err)\n\t\treturn\n\t}\n\tutil.HandleHTTPResponse(response, identifier)\n\n\tt.mu.Lock()\n\tif t.limits == nil {\n\t\tt.limits = make(ratelimit.Map)\n\t}\n\n\tt.limits.Merge(ratelimit.FromResponse(response))\n\tt.mu.Unlock()\n\n\t// Drain body up to a limit and close it, allowing the\n\t// transport to reuse TCP connections.\n\t_, _ = io.CopyN(io.Discard, response.Body, util.MaxDrainResponseBytes)\n\tresponse.Body.Close()\n}\n\n// Flush is a no-op for HTTPSyncTransport. It always returns true immediately.\nfunc (t *HTTPSyncTransport) Flush(_ time.Duration) bool {\n\treturn true\n}\n\n// FlushWithContext is a no-op for HTTPSyncTransport. It always returns true immediately.\nfunc (t *HTTPSyncTransport) FlushWithContext(_ context.Context) bool {\n\treturn true\n}\n\nfunc (t *HTTPSyncTransport) disabled(c ratelimit.Category) bool {\n\tt.mu.Lock()\n\tdefer t.mu.Unlock()\n\tdisabled := t.limits.IsRateLimited(c)\n\tif disabled {\n\t\tdebuglog.Printf(\"Too many requests for %q, backing off till: %v\", c, t.limits.Deadline(c))\n\t}\n\treturn disabled\n}\n\n// ================================\n// noopTransport\n// ================================\n\n// noopTransport is an implementation of Transport interface which drops all the events.\n// Only used internally when an empty DSN is provided, which effectively disables the SDK.\ntype noopTransport struct{}\n\nvar _ Transport = noopTransport{}\n\nfunc (noopTransport) Configure(ClientOptions) {\n\tdebuglog.Println(\"Sentry client initialized with an empty DSN. Using noopTransport. No events will be delivered.\")\n}\n\nfunc (noopTransport) SendEvent(*Event) {\n\tdebuglog.Println(\"Event dropped due to noopTransport usage.\")\n}\n\nfunc (noopTransport) Flush(time.Duration) bool {\n\treturn true\n}\n\nfunc (noopTransport) FlushWithContext(context.Context) bool {\n\treturn true\n}\n\nfunc (noopTransport) Close() {}\n\n// ================================\n// Internal Transport Adapters\n// ================================\n\n// newInternalAsyncTransport creates a new AsyncTransport from internal/http\n// wrapped to satisfy the Transport interface.\n//\n// This is not yet exposed in the public API and is for internal experimentation.\nfunc newInternalAsyncTransport() Transport {\n\treturn &internalAsyncTransportAdapter{}\n}\n\n// internalAsyncTransportAdapter wraps the internal AsyncTransport to implement\n// the root-level Transport interface.\ntype internalAsyncTransportAdapter struct {\n\ttransport protocol.TelemetryTransport\n\tdsn *protocol.Dsn\n}\n\nfunc (a *internalAsyncTransportAdapter) Configure(options ClientOptions) {\n\ttransportOptions := httpinternal.TransportOptions{\n\t\tDsn: options.Dsn,\n\t\tHTTPClient: options.HTTPClient,\n\t\tHTTPTransport: options.HTTPTransport,\n\t\tHTTPProxy: options.HTTPProxy,\n\t\tHTTPSProxy: options.HTTPSProxy,\n\t\tCaCerts: options.CaCerts,\n\t}\n\n\ta.transport = httpinternal.NewAsyncTransport(transportOptions)\n\n\tif options.Dsn != \"\" {\n\t\tdsn, err := protocol.NewDsn(options.Dsn)\n\t\tif err != nil {\n\t\t\tdebuglog.Printf(\"Failed to parse DSN in adapter: %v\\n\", err)\n\t\t} else {\n\t\t\ta.dsn = dsn\n\t\t}\n\t}\n}\n\nfunc (a *internalAsyncTransportAdapter) SendEvent(event *Event) {\n\theader := &protocol.EnvelopeHeader{EventID: string(event.EventID), SentAt: time.Now(), Sdk: &protocol.SdkInfo{Name: event.Sdk.Name, Version: event.Sdk.Version}}\n\tif a.dsn != nil {\n\t\theader.Dsn = a.dsn.String()\n\t}\n\tif header.EventID == \"\" {\n\t\theader.EventID = protocol.GenerateEventID()\n\t}\n\tenvelope := protocol.NewEnvelope(header)\n\titem, err := event.ToEnvelopeItem()\n\tif err != nil {\n\t\tdebuglog.Printf(\"Failed to convert event to envelope item: %v\", err)\n\t\treturn\n\t}\n\tenvelope.AddItem(item)\n\n\tfor _, attachment := range event.Attachments {\n\t\tattachmentItem := protocol.NewAttachmentItem(attachment.Filename, attachment.ContentType, attachment.Payload)\n\t\tenvelope.AddItem(attachmentItem)\n\t}\n\n\tif err := a.transport.SendEnvelope(envelope); err != nil {\n\t\tdebuglog.Printf(\"Error sending envelope: %v\", err)\n\t}\n}\n\nfunc (a *internalAsyncTransportAdapter) Flush(timeout time.Duration) bool {\n\treturn a.transport.Flush(timeout)\n}\n\nfunc (a *internalAsyncTransportAdapter) FlushWithContext(ctx context.Context) bool {\n\treturn a.transport.FlushWithContext(ctx)\n}\n\nfunc (a *internalAsyncTransportAdapter) Close() {\n\ta.transport.Close()\n}\n" }, { "path": "vendor/github.com/getsentry/sentry-go/util.go", "content": "package sentry\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"os\"\n\t\"runtime/debug\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/getsentry/sentry-go/internal/debuglog\"\n\t\"github.com/getsentry/sentry-go/internal/protocol\"\n\texec \"golang.org/x/sys/execabs\"\n)\n\nfunc uuid() string {\n\treturn protocol.GenerateEventID()\n}\n\nfunc fileExists(fileName string) bool {\n\t_, err := os.Stat(fileName)\n\treturn err == nil\n}\n\n// monotonicTimeSince replaces uses of time.Now() to take into account the\n// monotonic clock reading stored in start, such that duration = end - start is\n// unaffected by changes in the system wall clock.\nfunc monotonicTimeSince(start time.Time) (end time.Time) {\n\treturn start.Add(time.Since(start))\n}\n\n// nolint: unused\nfunc prettyPrint(data interface{}) {\n\tdbg, _ := json.MarshalIndent(data, \"\", \" \")\n\tfmt.Println(string(dbg))\n}\n\n// defaultRelease attempts to guess a default release for the currently running\n// program.\nfunc defaultRelease() (release string) {\n\t// Return first non-empty environment variable known to hold release info, if any.\n\tenvs := []string{\n\t\t\"SENTRY_RELEASE\",\n\t\t\"HEROKU_SLUG_COMMIT\",\n\t\t\"SOURCE_VERSION\",\n\t\t\"CODEBUILD_RESOLVED_SOURCE_VERSION\",\n\t\t\"CIRCLE_SHA1\",\n\t\t\"GAE_DEPLOYMENT_ID\",\n\t\t\"GITHUB_SHA\", // GitHub Actions - https://help.github.com/en/actions\n\t\t\"COMMIT_REF\", // Netlify - https://docs.netlify.com/\n\t\t\"VERCEL_GIT_COMMIT_SHA\", // Vercel - https://vercel.com/\n\t\t\"ZEIT_GITHUB_COMMIT_SHA\", // Zeit (now known as Vercel)\n\t\t\"ZEIT_GITLAB_COMMIT_SHA\",\n\t\t\"ZEIT_BITBUCKET_COMMIT_SHA\",\n\t}\n\tfor _, e := range envs {\n\t\tif release = os.Getenv(e); release != \"\" {\n\t\t\tdebuglog.Printf(\"Using release from environment variable %s: %s\", e, release)\n\t\t\treturn release\n\t\t}\n\t}\n\n\tif info, ok := debug.ReadBuildInfo(); ok {\n\t\tbuildInfoVcsRevision := revisionFromBuildInfo(info)\n\t\tif len(buildInfoVcsRevision) > 0 {\n\t\t\treturn buildInfoVcsRevision\n\t\t}\n\t}\n\n\t// Derive a version string from Git. Example outputs:\n\t// \tv1.0.1-0-g9de4\n\t// \tv2.0-8-g77df-dirty\n\t// \t4f72d7\n\tif _, err := exec.LookPath(\"git\"); err == nil {\n\t\tcmd := exec.Command(\"git\", \"describe\", \"--long\", \"--always\", \"--dirty\")\n\t\tb, err := cmd.Output()\n\t\tif err != nil {\n\t\t\t// Either Git is not available or the current directory is not a\n\t\t\t// Git repository.\n\t\t\tvar s strings.Builder\n\t\t\tfmt.Fprintf(&s, \"Release detection failed: %v\", err)\n\t\t\tif err, ok := err.(*exec.ExitError); ok && len(err.Stderr) > 0 {\n\t\t\t\tfmt.Fprintf(&s, \": %s\", err.Stderr)\n\t\t\t}\n\t\t\tdebuglog.Print(s.String())\n\t\t} else {\n\t\t\trelease = strings.TrimSpace(string(b))\n\t\t\tdebuglog.Printf(\"Using release from Git: %s\", release)\n\t\t\treturn release\n\t\t}\n\t}\n\n\tdebuglog.Print(\"Some Sentry features will not be available. See https://docs.sentry.io/product/releases/.\")\n\tdebuglog.Print(\"To stop seeing this message, pass a Release to sentry.Init or set the SENTRY_RELEASE environment variable.\")\n\treturn \"\"\n}\n\nfunc revisionFromBuildInfo(info *debug.BuildInfo) string {\n\tfor _, setting := range info.Settings {\n\t\tif setting.Key == \"vcs.revision\" && setting.Value != \"\" {\n\t\t\tdebuglog.Printf(\"Using release from debug info: %s\", setting.Value)\n\t\t\treturn setting.Value\n\t\t}\n\t}\n\n\treturn \"\"\n}\n\nfunc Pointer[T any](v T) *T {\n\treturn &v\n}\n\n// eventIdentifier returns a human-readable identifier for the event to be used in log messages.\n// Format: \" []\".\nfunc eventIdentifier(event *Event) string {\n\tvar description string\n\tswitch event.Type {\n\tcase errorType:\n\t\tdescription = \"error\"\n\tcase transactionType:\n\t\tdescription = \"transaction\"\n\tcase checkInType:\n\t\tdescription = \"check-in\"\n\tcase logEvent.Type:\n\t\tdescription = fmt.Sprintf(\"%d log events\", len(event.Logs))\n\tcase traceMetricEvent.Type:\n\t\tdescription = fmt.Sprintf(\"%d metric events\", len(event.Metrics))\n\tdefault:\n\t\tdescription = fmt.Sprintf(\"%s event\", event.Type)\n\t}\n\treturn fmt.Sprintf(\"%s [%s]\", description, event.EventID)\n}\n" }, { "path": "vendor/github.com/go-chi/chi/v5/.gitignore", "content": ".idea\n*.sw?\n.vscode\n" }, { "path": "vendor/github.com/go-chi/chi/v5/CHANGELOG.md", "content": "# Changelog\n\n## v5.0.12 (2024-02-16)\n\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.11...v5.0.12\n\n\n## v5.0.11 (2023-12-19)\n\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.10...v5.0.11\n\n\n## v5.0.10 (2023-07-13)\n\n- Fixed small edge case in tests of v5.0.9 for older Go versions\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.9...v5.0.10\n\n\n## v5.0.9 (2023-07-13)\n\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.8...v5.0.9\n\n\n## v5.0.8 (2022-12-07)\n\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.7...v5.0.8\n\n\n## v5.0.7 (2021-11-18)\n\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.6...v5.0.7\n\n\n## v5.0.6 (2021-11-15)\n\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.5...v5.0.6\n\n\n## v5.0.5 (2021-10-27)\n\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.4...v5.0.5\n\n\n## v5.0.4 (2021-08-29)\n\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.3...v5.0.4\n\n\n## v5.0.3 (2021-04-29)\n\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.2...v5.0.3\n\n\n## v5.0.2 (2021-03-25)\n\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.1...v5.0.2\n\n\n## v5.0.1 (2021-03-10)\n\n- Small improvements\n- History of changes: see https://github.com/go-chi/chi/compare/v5.0.0...v5.0.1\n\n\n## v5.0.0 (2021-02-27)\n\n- chi v5, `github.com/go-chi/chi/v5` introduces the adoption of Go's SIV to adhere to the current state-of-the-tools in Go.\n- chi v1.5.x did not work out as planned, as the Go tooling is too powerful and chi's adoption is too wide.\n The most responsible thing to do for everyone's benefit is to just release v5 with SIV, so I present to you all,\n chi v5 at `github.com/go-chi/chi/v5`. I hope someday the developer experience and ergonomics I've been seeking\n will still come to fruition in some form, see https://github.com/golang/go/issues/44550\n- History of changes: see https://github.com/go-chi/chi/compare/v1.5.4...v5.0.0\n\n\n## v1.5.4 (2021-02-27)\n\n- Undo prior retraction in v1.5.3 as we prepare for v5.0.0 release\n- History of changes: see https://github.com/go-chi/chi/compare/v1.5.3...v1.5.4\n\n\n## v1.5.3 (2021-02-21)\n\n- Update go.mod to go 1.16 with new retract directive marking all versions without prior go.mod support\n- History of changes: see https://github.com/go-chi/chi/compare/v1.5.2...v1.5.3\n\n\n## v1.5.2 (2021-02-10)\n\n- Reverting allocation optimization as a precaution as go test -race fails.\n- Minor improvements, see history below\n- History of changes: see https://github.com/go-chi/chi/compare/v1.5.1...v1.5.2\n\n\n## v1.5.1 (2020-12-06)\n\n- Performance improvement: removing 1 allocation by foregoing context.WithValue, thank you @bouk for\n your contribution (https://github.com/go-chi/chi/pull/555). Note: new benchmarks posted in README.\n- `middleware.CleanPath`: new middleware that clean's request path of double slashes\n- deprecate & remove `chi.ServerBaseContext` in favour of stdlib `http.Server#BaseContext`\n- plus other tiny improvements, see full commit history below\n- History of changes: see https://github.com/go-chi/chi/compare/v4.1.2...v1.5.1\n\n\n## v1.5.0 (2020-11-12) - now with go.mod support\n\n`chi` dates back to 2016 with it's original implementation as one of the first routers to adopt the newly introduced\ncontext.Context api to the stdlib -- set out to design a router that is faster, more modular and simpler than anything\nelse out there -- while not introducing any custom handler types or dependencies. Today, `chi` still has zero dependencies,\nand in many ways is future proofed from changes, given it's minimal nature. Between versions, chi's iterations have been very\nincremental, with the architecture and api being the same today as it was originally designed in 2016. For this reason it \nmakes chi a pretty easy project to maintain, as well thanks to the many amazing community contributions over the years\nto who all help make chi better (total of 86 contributors to date -- thanks all!).\n\nChi has been a labour of love, art and engineering, with the goals to offer beautiful ergonomics, flexibility, performance\nand simplicity when building HTTP services with Go. I've strived to keep the router very minimal in surface area / code size,\nand always improving the code wherever possible -- and as of today the `chi` package is just 1082 lines of code (not counting\nmiddlewares, which are all optional). As well, I don't have the exact metrics, but from my analysis and email exchanges from\ncompanies and developers, chi is used by thousands of projects around the world -- thank you all as there is no better form of\njoy for me than to have art I had started be helpful and enjoyed by others. And of course I use chi in all of my own projects too :)\n\nFor me, the aesthetics of chi's code and usage are very important. With the introduction of Go's module support\n(which I'm a big fan of), chi's past versioning scheme choice to v2, v3 and v4 would mean I'd require the import path\nof \"github.com/go-chi/chi/v4\", leading to the lengthy discussion at https://github.com/go-chi/chi/issues/462.\nHaha, to some, you may be scratching your head why I've spent > 1 year stalling to adopt \"/vXX\" convention in the import\npath -- which isn't horrible in general -- but for chi, I'm unable to accept it as I strive for perfection in it's API design,\naesthetics and simplicity. It just doesn't feel good to me given chi's simple nature -- I do not foresee a \"v5\" or \"v6\",\nand upgrading between versions in the future will also be just incremental.\n\nI do understand versioning is a part of the API design as well, which is why the solution for a while has been to \"do nothing\",\nas Go supports both old and new import paths with/out go.mod. However, now that Go module support has had time to iron out kinks and\nis adopted everywhere, it's time for chi to get with the times. Luckily, I've discovered a path forward that will make me happy,\nwhile also not breaking anyone's app who adopted a prior versioning from tags in v2/v3/v4. I've made an experimental release of\nv1.5.0 with go.mod silently, and tested it with new and old projects, to ensure the developer experience is preserved, and it's\nlargely unnoticed. Fortunately, Go's toolchain will check the tags of a repo and consider the \"latest\" tag the one with go.mod.\nHowever, you can still request a specific older tag such as v4.1.2, and everything will \"just work\". But new users can just\n`go get github.com/go-chi/chi` or `go get github.com/go-chi/chi@latest` and they will get the latest version which contains\ngo.mod support, which is v1.5.0+. `chi` will not change very much over the years, just like it hasn't changed much from 4 years ago.\nTherefore, we will stay on v1.x from here on, starting from v1.5.0. Any breaking changes will bump a \"minor\" release and\nbackwards-compatible improvements/fixes will bump a \"tiny\" release.\n\nFor existing projects who want to upgrade to the latest go.mod version, run: `go get -u github.com/go-chi/chi@v1.5.0`,\nwhich will get you on the go.mod version line (as Go's mod cache may still remember v4.x). Brand new systems can run\n`go get -u github.com/go-chi/chi` or `go get -u github.com/go-chi/chi@latest` to install chi, which will install v1.5.0+\nbuilt with go.mod support.\n\nMy apologies to the developers who will disagree with the decisions above, but, hope you'll try it and see it's a very\nminor request which is backwards compatible and won't break your existing installations.\n\nCheers all, happy coding!\n\n\n---\n\n\n## v4.1.2 (2020-06-02)\n\n- fix that handles MethodNotAllowed with path variables, thank you @caseyhadden for your contribution\n- fix to replace nested wildcards correctly in RoutePattern, thank you @@unmultimedio for your contribution\n- History of changes: see https://github.com/go-chi/chi/compare/v4.1.1...v4.1.2\n\n\n## v4.1.1 (2020-04-16)\n\n- fix for issue https://github.com/go-chi/chi/issues/411 which allows for overlapping regexp\n route to the correct handler through a recursive tree search, thanks to @Jahaja for the PR/fix!\n- new middleware.RouteHeaders as a simple router for request headers with wildcard support\n- History of changes: see https://github.com/go-chi/chi/compare/v4.1.0...v4.1.1\n\n\n## v4.1.0 (2020-04-1)\n\n- middleware.LogEntry: Write method on interface now passes the response header\n and an extra interface type useful for custom logger implementations.\n- middleware.WrapResponseWriter: minor fix\n- middleware.Recoverer: a bit prettier\n- History of changes: see https://github.com/go-chi/chi/compare/v4.0.4...v4.1.0\n\n## v4.0.4 (2020-03-24)\n\n- middleware.Recoverer: new pretty stack trace printing (https://github.com/go-chi/chi/pull/496)\n- a few minor improvements and fixes\n- History of changes: see https://github.com/go-chi/chi/compare/v4.0.3...v4.0.4\n\n\n## v4.0.3 (2020-01-09)\n\n- core: fix regexp routing to include default value when param is not matched\n- middleware: rewrite of middleware.Compress\n- middleware: suppress http.ErrAbortHandler in middleware.Recoverer\n- History of changes: see https://github.com/go-chi/chi/compare/v4.0.2...v4.0.3\n\n\n## v4.0.2 (2019-02-26)\n\n- Minor fixes\n- History of changes: see https://github.com/go-chi/chi/compare/v4.0.1...v4.0.2\n\n\n## v4.0.1 (2019-01-21)\n\n- Fixes issue with compress middleware: #382 #385\n- History of changes: see https://github.com/go-chi/chi/compare/v4.0.0...v4.0.1\n\n\n## v4.0.0 (2019-01-10)\n\n- chi v4 requires Go 1.10.3+ (or Go 1.9.7+) - we have deprecated support for Go 1.7 and 1.8\n- router: respond with 404 on router with no routes (#362)\n- router: additional check to ensure wildcard is at the end of a url pattern (#333)\n- middleware: deprecate use of http.CloseNotifier (#347)\n- middleware: fix RedirectSlashes to include query params on redirect (#334)\n- History of changes: see https://github.com/go-chi/chi/compare/v3.3.4...v4.0.0\n\n\n## v3.3.4 (2019-01-07)\n\n- Minor middleware improvements. No changes to core library/router. Moving v3 into its\n- own branch as a version of chi for Go 1.7, 1.8, 1.9, 1.10, 1.11\n- History of changes: see https://github.com/go-chi/chi/compare/v3.3.3...v3.3.4\n\n\n## v3.3.3 (2018-08-27)\n\n- Minor release\n- See https://github.com/go-chi/chi/compare/v3.3.2...v3.3.3\n\n\n## v3.3.2 (2017-12-22)\n\n- Support to route trailing slashes on mounted sub-routers (#281)\n- middleware: new `ContentCharset` to check matching charsets. Thank you\n @csucu for your community contribution!\n\n\n## v3.3.1 (2017-11-20)\n\n- middleware: new `AllowContentType` handler for explicit whitelist of accepted request Content-Types\n- middleware: new `SetHeader` handler for short-hand middleware to set a response header key/value\n- Minor bug fixes\n\n\n## v3.3.0 (2017-10-10)\n\n- New chi.RegisterMethod(method) to add support for custom HTTP methods, see _examples/custom-method for usage\n- Deprecated LINK and UNLINK methods from the default list, please use `chi.RegisterMethod(\"LINK\")` and `chi.RegisterMethod(\"UNLINK\")` in an `init()` function\n\n\n## v3.2.1 (2017-08-31)\n\n- Add new `Match(rctx *Context, method, path string) bool` method to `Routes` interface\n and `Mux`. Match searches the mux's routing tree for a handler that matches the method/path\n- Add new `RouteMethod` to `*Context`\n- Add new `Routes` pointer to `*Context`\n- Add new `middleware.GetHead` to route missing HEAD requests to GET handler\n- Updated benchmarks (see README)\n\n\n## v3.1.5 (2017-08-02)\n\n- Setup golint and go vet for the project\n- As per golint, we've redefined `func ServerBaseContext(h http.Handler, baseCtx context.Context) http.Handler`\n to `func ServerBaseContext(baseCtx context.Context, h http.Handler) http.Handler`\n\n\n## v3.1.0 (2017-07-10)\n\n- Fix a few minor issues after v3 release\n- Move `docgen` sub-pkg to https://github.com/go-chi/docgen\n- Move `render` sub-pkg to https://github.com/go-chi/render\n- Add new `URLFormat` handler to chi/middleware sub-pkg to make working with url mime \n suffixes easier, ie. parsing `/articles/1.json` and `/articles/1.xml`. See comments in\n https://github.com/go-chi/chi/blob/master/middleware/url_format.go for example usage.\n\n\n## v3.0.0 (2017-06-21)\n\n- Major update to chi library with many exciting updates, but also some *breaking changes*\n- URL parameter syntax changed from `/:id` to `/{id}` for even more flexible routing, such as\n `/articles/{month}-{day}-{year}-{slug}`, `/articles/{id}`, and `/articles/{id}.{ext}` on the\n same router\n- Support for regexp for routing patterns, in the form of `/{paramKey:regExp}` for example:\n `r.Get(\"/articles/{name:[a-z]+}\", h)` and `chi.URLParam(r, \"name\")`\n- Add `Method` and `MethodFunc` to `chi.Router` to allow routing definitions such as\n `r.Method(\"GET\", \"/\", h)` which provides a cleaner interface for custom handlers like\n in `_examples/custom-handler`\n- Deprecating `mux#FileServer` helper function. Instead, we encourage users to create their\n own using file handler with the stdlib, see `_examples/fileserver` for an example\n- Add support for LINK/UNLINK http methods via `r.Method()` and `r.MethodFunc()`\n- Moved the chi project to its own organization, to allow chi-related community packages to\n be easily discovered and supported, at: https://github.com/go-chi\n- *NOTE:* please update your import paths to `\"github.com/go-chi/chi\"`\n- *NOTE:* chi v2 is still available at https://github.com/go-chi/chi/tree/v2\n\n\n## v2.1.0 (2017-03-30)\n\n- Minor improvements and update to the chi core library\n- Introduced a brand new `chi/render` sub-package to complete the story of building\n APIs to offer a pattern for managing well-defined request / response payloads. Please\n check out the updated `_examples/rest` example for how it works.\n- Added `MethodNotAllowed(h http.HandlerFunc)` to chi.Router interface\n\n\n## v2.0.0 (2017-01-06)\n\n- After many months of v2 being in an RC state with many companies and users running it in\n production, the inclusion of some improvements to the middlewares, we are very pleased to\n announce v2.0.0 of chi.\n\n\n## v2.0.0-rc1 (2016-07-26)\n\n- Huge update! chi v2 is a large refactor targeting Go 1.7+. As of Go 1.7, the popular\n community `\"net/context\"` package has been included in the standard library as `\"context\"` and\n utilized by `\"net/http\"` and `http.Request` to managing deadlines, cancelation signals and other\n request-scoped values. We're very excited about the new context addition and are proud to\n introduce chi v2, a minimal and powerful routing package for building large HTTP services,\n with zero external dependencies. Chi focuses on idiomatic design and encourages the use of \n stdlib HTTP handlers and middlewares.\n- chi v2 deprecates its `chi.Handler` interface and requires `http.Handler` or `http.HandlerFunc`\n- chi v2 stores URL routing parameters and patterns in the standard request context: `r.Context()`\n- chi v2 lower-level routing context is accessible by `chi.RouteContext(r.Context()) *chi.Context`,\n which provides direct access to URL routing parameters, the routing path and the matching\n routing patterns.\n- Users upgrading from chi v1 to v2, need to:\n 1. Update the old chi.Handler signature, `func(ctx context.Context, w http.ResponseWriter, r *http.Request)` to\n the standard http.Handler: `func(w http.ResponseWriter, r *http.Request)`\n 2. Use `chi.URLParam(r *http.Request, paramKey string) string`\n or `URLParamFromCtx(ctx context.Context, paramKey string) string` to access a url parameter value\n\n\n## v1.0.0 (2016-07-01)\n\n- Released chi v1 stable https://github.com/go-chi/chi/tree/v1.0.0 for Go 1.6 and older.\n\n\n## v0.9.0 (2016-03-31)\n\n- Reuse context objects via sync.Pool for zero-allocation routing [#33](https://github.com/go-chi/chi/pull/33)\n- BREAKING NOTE: due to subtle API changes, previously `chi.URLParams(ctx)[\"id\"]` used to access url parameters\n has changed to: `chi.URLParam(ctx, \"id\")`\n" }, { "path": "vendor/github.com/go-chi/chi/v5/CONTRIBUTING.md", "content": "# Contributing\n\n## Prerequisites\n\n1. [Install Go][go-install].\n2. Download the sources and switch the working directory:\n\n ```bash\n go get -u -d github.com/go-chi/chi\n cd $GOPATH/src/github.com/go-chi/chi\n ```\n\n## Submitting a Pull Request\n\nA typical workflow is:\n\n1. [Fork the repository.][fork]\n2. [Create a topic branch.][branch]\n3. Add tests for your change.\n4. Run `go test`. If your tests pass, return to the step 3.\n5. Implement the change and ensure the steps from the previous step pass.\n6. Run `goimports -w .`, to ensure the new code conforms to Go formatting guideline.\n7. [Add, commit and push your changes.][git-help]\n8. [Submit a pull request.][pull-req]\n\n[go-install]: https://golang.org/doc/install\n[fork]: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo\n[branch]: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches \n[git-help]: https://docs.github.com/en\n[pull-req]: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests\n\n" }, { "path": "vendor/github.com/go-chi/chi/v5/LICENSE", "content": "Copyright (c) 2015-present Peter Kieltyka (https://github.com/pkieltyka), Google Inc.\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n" }, { "path": "vendor/github.com/go-chi/chi/v5/Makefile", "content": ".PHONY: all\nall:\n\t@echo \"**********************************************************\"\n\t@echo \"** chi build tool **\"\n\t@echo \"**********************************************************\"\n\n\n.PHONY: test\ntest:\n\tgo clean -testcache && $(MAKE) test-router && $(MAKE) test-middleware\n\n.PHONY: test-router\ntest-router:\n\tgo test -race -v .\n\n.PHONY: test-middleware\ntest-middleware:\n\tgo test -race -v ./middleware\n\n.PHONY: docs\ndocs:\n\tnpx docsify-cli serve ./docs\n" }, { "path": "vendor/github.com/go-chi/chi/v5/README.md", "content": "# \"chi\"\n\n\n[![GoDoc Widget]][GoDoc]\n\n`chi` is a lightweight, idiomatic and composable router for building Go HTTP services. It's\nespecially good at helping you write large REST API services that are kept maintainable as your\nproject grows and changes. `chi` is built on the new `context` package introduced in Go 1.7 to\nhandle signaling, cancelation and request-scoped values across a handler chain.\n\nThe focus of the project has been to seek out an elegant and comfortable design for writing\nREST API servers, written during the development of the Pressly API service that powers our\npublic API service, which in turn powers all of our client-side applications.\n\nThe key considerations of chi's design are: project structure, maintainability, standard http\nhandlers (stdlib-only), developer productivity, and deconstructing a large system into many small\nparts. The core router `github.com/go-chi/chi` is quite small (less than 1000 LOC), but we've also\nincluded some useful/optional subpackages: [middleware](/middleware), [render](https://github.com/go-chi/render)\nand [docgen](https://github.com/go-chi/docgen). We hope you enjoy it too!\n\n## Install\n\n```sh\ngo get -u github.com/go-chi/chi/v5\n```\n\n\n## Features\n\n* **Lightweight** - cloc'd in ~1000 LOC for the chi router\n* **Fast** - yes, see [benchmarks](#benchmarks)\n* **100% compatible with net/http** - use any http or middleware pkg in the ecosystem that is also compatible with `net/http`\n* **Designed for modular/composable APIs** - middlewares, inline middlewares, route groups and sub-router mounting\n* **Context control** - built on new `context` package, providing value chaining, cancellations and timeouts\n* **Robust** - in production at Pressly, Cloudflare, Heroku, 99Designs, and many others (see [discussion](https://github.com/go-chi/chi/issues/91))\n* **Doc generation** - `docgen` auto-generates routing documentation from your source to JSON or Markdown\n* **Go.mod support** - as of v5, go.mod support (see [CHANGELOG](https://github.com/go-chi/chi/blob/master/CHANGELOG.md))\n* **No external dependencies** - plain ol' Go stdlib + net/http\n\n\n## Examples\n\nSee [_examples/](https://github.com/go-chi/chi/blob/master/_examples/) for a variety of examples.\n\n\n**As easy as:**\n\n```go\npackage main\n\nimport (\n\t\"net/http\"\n\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/go-chi/chi/v5/middleware\"\n)\n\nfunc main() {\n\tr := chi.NewRouter()\n\tr.Use(middleware.Logger)\n\tr.Get(\"/\", func(w http.ResponseWriter, r *http.Request) {\n\t\tw.Write([]byte(\"welcome\"))\n\t})\n\thttp.ListenAndServe(\":3000\", r)\n}\n```\n\n**REST Preview:**\n\nHere is a little preview of what routing looks like with chi. Also take a look at the generated routing docs\nin JSON ([routes.json](https://github.com/go-chi/chi/blob/master/_examples/rest/routes.json)) and in\nMarkdown ([routes.md](https://github.com/go-chi/chi/blob/master/_examples/rest/routes.md)).\n\nI highly recommend reading the source of the [examples](https://github.com/go-chi/chi/blob/master/_examples/) listed\nabove, they will show you all the features of chi and serve as a good form of documentation.\n\n```go\nimport (\n //...\n \"context\"\n \"github.com/go-chi/chi/v5\"\n \"github.com/go-chi/chi/v5/middleware\"\n)\n\nfunc main() {\n r := chi.NewRouter()\n\n // A good base middleware stack\n r.Use(middleware.RequestID)\n r.Use(middleware.RealIP)\n r.Use(middleware.Logger)\n r.Use(middleware.Recoverer)\n\n // Set a timeout value on the request context (ctx), that will signal\n // through ctx.Done() that the request has timed out and further\n // processing should be stopped.\n r.Use(middleware.Timeout(60 * time.Second))\n\n r.Get(\"/\", func(w http.ResponseWriter, r *http.Request) {\n w.Write([]byte(\"hi\"))\n })\n\n // RESTy routes for \"articles\" resource\n r.Route(\"/articles\", func(r chi.Router) {\n r.With(paginate).Get(\"/\", listArticles) // GET /articles\n r.With(paginate).Get(\"/{month}-{day}-{year}\", listArticlesByDate) // GET /articles/01-16-2017\n\n r.Post(\"/\", createArticle) // POST /articles\n r.Get(\"/search\", searchArticles) // GET /articles/search\n\n // Regexp url parameters:\n r.Get(\"/{articleSlug:[a-z-]+}\", getArticleBySlug) // GET /articles/home-is-toronto\n\n // Subrouters:\n r.Route(\"/{articleID}\", func(r chi.Router) {\n r.Use(ArticleCtx)\n r.Get(\"/\", getArticle) // GET /articles/123\n r.Put(\"/\", updateArticle) // PUT /articles/123\n r.Delete(\"/\", deleteArticle) // DELETE /articles/123\n })\n })\n\n // Mount the admin sub-router\n r.Mount(\"/admin\", adminRouter())\n\n http.ListenAndServe(\":3333\", r)\n}\n\nfunc ArticleCtx(next http.Handler) http.Handler {\n return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n articleID := chi.URLParam(r, \"articleID\")\n article, err := dbGetArticle(articleID)\n if err != nil {\n http.Error(w, http.StatusText(404), 404)\n return\n }\n ctx := context.WithValue(r.Context(), \"article\", article)\n next.ServeHTTP(w, r.WithContext(ctx))\n })\n}\n\nfunc getArticle(w http.ResponseWriter, r *http.Request) {\n ctx := r.Context()\n article, ok := ctx.Value(\"article\").(*Article)\n if !ok {\n http.Error(w, http.StatusText(422), 422)\n return\n }\n w.Write([]byte(fmt.Sprintf(\"title:%s\", article.Title)))\n}\n\n// A completely separate router for administrator routes\nfunc adminRouter() http.Handler {\n r := chi.NewRouter()\n r.Use(AdminOnly)\n r.Get(\"/\", adminIndex)\n r.Get(\"/accounts\", adminListAccounts)\n return r\n}\n\nfunc AdminOnly(next http.Handler) http.Handler {\n return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n ctx := r.Context()\n perm, ok := ctx.Value(\"acl.permission\").(YourPermissionType)\n if !ok || !perm.IsAdmin() {\n http.Error(w, http.StatusText(403), 403)\n return\n }\n next.ServeHTTP(w, r)\n })\n}\n```\n\n\n## Router interface\n\nchi's router is based on a kind of [Patricia Radix trie](https://en.wikipedia.org/wiki/Radix_tree).\nThe router is fully compatible with `net/http`.\n\nBuilt on top of the tree is the `Router` interface:\n\n```go\n// Router consisting of the core routing methods used by chi's Mux,\n// using only the standard net/http.\ntype Router interface {\n\thttp.Handler\n\tRoutes\n\n\t// Use appends one or more middlewares onto the Router stack.\n\tUse(middlewares ...func(http.Handler) http.Handler)\n\n\t// With adds inline middlewares for an endpoint handler.\n\tWith(middlewares ...func(http.Handler) http.Handler) Router\n\n\t// Group adds a new inline-Router along the current routing\n\t// path, with a fresh middleware stack for the inline-Router.\n\tGroup(fn func(r Router)) Router\n\n\t// Route mounts a sub-Router along a `pattern` string.\n\tRoute(pattern string, fn func(r Router)) Router\n\n\t// Mount attaches another http.Handler along ./pattern/*\n\tMount(pattern string, h http.Handler)\n\n\t// Handle and HandleFunc adds routes for `pattern` that matches\n\t// all HTTP methods.\n\tHandle(pattern string, h http.Handler)\n\tHandleFunc(pattern string, h http.HandlerFunc)\n\n\t// Method and MethodFunc adds routes for `pattern` that matches\n\t// the `method` HTTP method.\n\tMethod(method, pattern string, h http.Handler)\n\tMethodFunc(method, pattern string, h http.HandlerFunc)\n\n\t// HTTP-method routing along `pattern`\n\tConnect(pattern string, h http.HandlerFunc)\n\tDelete(pattern string, h http.HandlerFunc)\n\tGet(pattern string, h http.HandlerFunc)\n\tHead(pattern string, h http.HandlerFunc)\n\tOptions(pattern string, h http.HandlerFunc)\n\tPatch(pattern string, h http.HandlerFunc)\n\tPost(pattern string, h http.HandlerFunc)\n\tPut(pattern string, h http.HandlerFunc)\n\tTrace(pattern string, h http.HandlerFunc)\n\n\t// NotFound defines a handler to respond whenever a route could\n\t// not be found.\n\tNotFound(h http.HandlerFunc)\n\n\t// MethodNotAllowed defines a handler to respond whenever a method is\n\t// not allowed.\n\tMethodNotAllowed(h http.HandlerFunc)\n}\n\n// Routes interface adds two methods for router traversal, which is also\n// used by the github.com/go-chi/docgen package to generate documentation for Routers.\ntype Routes interface {\n\t// Routes returns the routing tree in an easily traversable structure.\n\tRoutes() []Route\n\n\t// Middlewares returns the list of middlewares in use by the router.\n\tMiddlewares() Middlewares\n\n\t// Match searches the routing tree for a handler that matches\n\t// the method/path - similar to routing a http request, but without\n\t// executing the handler thereafter.\n\tMatch(rctx *Context, method, path string) bool\n}\n```\n\nEach routing method accepts a URL `pattern` and chain of `handlers`. The URL pattern\nsupports named params (ie. `/users/{userID}`) and wildcards (ie. `/admin/*`). URL parameters\ncan be fetched at runtime by calling `chi.URLParam(r, \"userID\")` for named parameters\nand `chi.URLParam(r, \"*\")` for a wildcard parameter.\n\n\n### Middleware handlers\n\nchi's middlewares are just stdlib net/http middleware handlers. There is nothing special\nabout them, which means the router and all the tooling is designed to be compatible and\nfriendly with any middleware in the community. This offers much better extensibility and reuse\nof packages and is at the heart of chi's purpose.\n\nHere is an example of a standard net/http middleware where we assign a context key `\"user\"`\nthe value of `\"123\"`. This middleware sets a hypothetical user identifier on the request\ncontext and calls the next handler in the chain.\n\n```go\n// HTTP middleware setting a value on the request context\nfunc MyMiddleware(next http.Handler) http.Handler {\n return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n // create new context from `r` request context, and assign key `\"user\"`\n // to value of `\"123\"`\n ctx := context.WithValue(r.Context(), \"user\", \"123\")\n\n // call the next handler in the chain, passing the response writer and\n // the updated request object with the new context value.\n //\n // note: context.Context values are nested, so any previously set\n // values will be accessible as well, and the new `\"user\"` key\n // will be accessible from this point forward.\n next.ServeHTTP(w, r.WithContext(ctx))\n })\n}\n```\n\n\n### Request handlers\n\nchi uses standard net/http request handlers. This little snippet is an example of a http.Handler\nfunc that reads a user identifier from the request context - hypothetically, identifying\nthe user sending an authenticated request, validated+set by a previous middleware handler.\n\n```go\n// HTTP handler accessing data from the request context.\nfunc MyRequestHandler(w http.ResponseWriter, r *http.Request) {\n // here we read from the request context and fetch out `\"user\"` key set in\n // the MyMiddleware example above.\n user := r.Context().Value(\"user\").(string)\n\n // respond to the client\n w.Write([]byte(fmt.Sprintf(\"hi %s\", user)))\n}\n```\n\n\n### URL parameters\n\nchi's router parses and stores URL parameters right onto the request context. Here is\nan example of how to access URL params in your net/http handlers. And of course, middlewares\nare able to access the same information.\n\n```go\n// HTTP handler accessing the url routing parameters.\nfunc MyRequestHandler(w http.ResponseWriter, r *http.Request) {\n // fetch the url parameter `\"userID\"` from the request of a matching\n // routing pattern. An example routing pattern could be: /users/{userID}\n userID := chi.URLParam(r, \"userID\")\n\n // fetch `\"key\"` from the request context\n ctx := r.Context()\n key := ctx.Value(\"key\").(string)\n\n // respond to the client\n w.Write([]byte(fmt.Sprintf(\"hi %v, %v\", userID, key)))\n}\n```\n\n\n## Middlewares\n\nchi comes equipped with an optional `middleware` package, providing a suite of standard\n`net/http` middlewares. Please note, any middleware in the ecosystem that is also compatible\nwith `net/http` can be used with chi's mux.\n\n### Core middlewares\n\n----------------------------------------------------------------------------------------------------\n| chi/middleware Handler | description |\n| :--------------------- | :---------------------------------------------------------------------- |\n| [AllowContentEncoding] | Enforces a whitelist of request Content-Encoding headers |\n| [AllowContentType] | Explicit whitelist of accepted request Content-Types |\n| [BasicAuth] | Basic HTTP authentication |\n| [Compress] | Gzip compression for clients that accept compressed responses |\n| [ContentCharset] | Ensure charset for Content-Type request headers |\n| [CleanPath] | Clean double slashes from request path |\n| [GetHead] | Automatically route undefined HEAD requests to GET handlers |\n| [Heartbeat] | Monitoring endpoint to check the servers pulse |\n| [Logger] | Logs the start and end of each request with the elapsed processing time |\n| [NoCache] | Sets response headers to prevent clients from caching |\n| [Profiler] | Easily attach net/http/pprof to your routers |\n| [RealIP] | Sets a http.Request's RemoteAddr to either X-Real-IP or X-Forwarded-For |\n| [Recoverer] | Gracefully absorb panics and prints the stack trace |\n| [RequestID] | Injects a request ID into the context of each request |\n| [RedirectSlashes] | Redirect slashes on routing paths |\n| [RouteHeaders] | Route handling for request headers |\n| [SetHeader] | Short-hand middleware to set a response header key/value |\n| [StripSlashes] | Strip slashes on routing paths |\n| [Sunset] | Sunset set Deprecation/Sunset header to response |\n| [Throttle] | Puts a ceiling on the number of concurrent requests |\n| [Timeout] | Signals to the request context when the timeout deadline is reached |\n| [URLFormat] | Parse extension from url and put it on request context |\n| [WithValue] | Short-hand middleware to set a key/value on the request context |\n----------------------------------------------------------------------------------------------------\n\n[AllowContentEncoding]: https://pkg.go.dev/github.com/go-chi/chi/middleware#AllowContentEncoding\n[AllowContentType]: https://pkg.go.dev/github.com/go-chi/chi/middleware#AllowContentType\n[BasicAuth]: https://pkg.go.dev/github.com/go-chi/chi/middleware#BasicAuth\n[Compress]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Compress\n[ContentCharset]: https://pkg.go.dev/github.com/go-chi/chi/middleware#ContentCharset\n[CleanPath]: https://pkg.go.dev/github.com/go-chi/chi/middleware#CleanPath\n[GetHead]: https://pkg.go.dev/github.com/go-chi/chi/middleware#GetHead\n[GetReqID]: https://pkg.go.dev/github.com/go-chi/chi/middleware#GetReqID\n[Heartbeat]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Heartbeat\n[Logger]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Logger\n[NoCache]: https://pkg.go.dev/github.com/go-chi/chi/middleware#NoCache\n[Profiler]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Profiler\n[RealIP]: https://pkg.go.dev/github.com/go-chi/chi/middleware#RealIP\n[Recoverer]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Recoverer\n[RedirectSlashes]: https://pkg.go.dev/github.com/go-chi/chi/middleware#RedirectSlashes\n[RequestLogger]: https://pkg.go.dev/github.com/go-chi/chi/middleware#RequestLogger\n[RequestID]: https://pkg.go.dev/github.com/go-chi/chi/middleware#RequestID\n[RouteHeaders]: https://pkg.go.dev/github.com/go-chi/chi/middleware#RouteHeaders\n[SetHeader]: https://pkg.go.dev/github.com/go-chi/chi/middleware#SetHeader\n[StripSlashes]: https://pkg.go.dev/github.com/go-chi/chi/middleware#StripSlashes\n[Sunset]: https://pkg.go.dev/github.com/go-chi/chi/v5/middleware#Sunset\n[Throttle]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Throttle\n[ThrottleBacklog]: https://pkg.go.dev/github.com/go-chi/chi/middleware#ThrottleBacklog\n[ThrottleWithOpts]: https://pkg.go.dev/github.com/go-chi/chi/middleware#ThrottleWithOpts\n[Timeout]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Timeout\n[URLFormat]: https://pkg.go.dev/github.com/go-chi/chi/middleware#URLFormat\n[WithLogEntry]: https://pkg.go.dev/github.com/go-chi/chi/middleware#WithLogEntry\n[WithValue]: https://pkg.go.dev/github.com/go-chi/chi/middleware#WithValue\n[Compressor]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Compressor\n[DefaultLogFormatter]: https://pkg.go.dev/github.com/go-chi/chi/middleware#DefaultLogFormatter\n[EncoderFunc]: https://pkg.go.dev/github.com/go-chi/chi/middleware#EncoderFunc\n[HeaderRoute]: https://pkg.go.dev/github.com/go-chi/chi/middleware#HeaderRoute\n[HeaderRouter]: https://pkg.go.dev/github.com/go-chi/chi/middleware#HeaderRouter\n[LogEntry]: https://pkg.go.dev/github.com/go-chi/chi/middleware#LogEntry\n[LogFormatter]: https://pkg.go.dev/github.com/go-chi/chi/middleware#LogFormatter\n[LoggerInterface]: https://pkg.go.dev/github.com/go-chi/chi/middleware#LoggerInterface\n[ThrottleOpts]: https://pkg.go.dev/github.com/go-chi/chi/middleware#ThrottleOpts\n[WrapResponseWriter]: https://pkg.go.dev/github.com/go-chi/chi/middleware#WrapResponseWriter\n\n### Extra middlewares & packages\n\nPlease see https://github.com/go-chi for additional packages.\n\n--------------------------------------------------------------------------------------------------------------------\n| package | description |\n|:---------------------------------------------------|:-------------------------------------------------------------\n| [cors](https://github.com/go-chi/cors) | Cross-origin resource sharing (CORS) |\n| [docgen](https://github.com/go-chi/docgen) | Print chi.Router routes at runtime |\n| [jwtauth](https://github.com/go-chi/jwtauth) | JWT authentication |\n| [hostrouter](https://github.com/go-chi/hostrouter) | Domain/host based request routing |\n| [httplog](https://github.com/go-chi/httplog) | Small but powerful structured HTTP request logging |\n| [httprate](https://github.com/go-chi/httprate) | HTTP request rate limiter |\n| [httptracer](https://github.com/go-chi/httptracer) | HTTP request performance tracing library |\n| [httpvcr](https://github.com/go-chi/httpvcr) | Write deterministic tests for external sources |\n| [stampede](https://github.com/go-chi/stampede) | HTTP request coalescer |\n--------------------------------------------------------------------------------------------------------------------\n\n\n## context?\n\n`context` is a tiny pkg that provides simple interface to signal context across call stacks\nand goroutines. It was originally written by [Sameer Ajmani](https://github.com/Sajmani)\nand is available in stdlib since go1.7.\n\nLearn more at https://blog.golang.org/context\n\nand..\n* Docs: https://golang.org/pkg/context\n* Source: https://github.com/golang/go/tree/master/src/context\n\n\n## Benchmarks\n\nThe benchmark suite: https://github.com/pkieltyka/go-http-routing-benchmark\n\nResults as of Nov 29, 2020 with Go 1.15.5 on Linux AMD 3950x\n\n```shell\nBenchmarkChi_Param \t3075895\t 384 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_Param5 \t2116603\t 566 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_Param20 \t 964117\t 1227 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_ParamWrite \t2863413\t 420 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_GithubStatic \t3045488\t 395 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_GithubParam \t2204115\t 540 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_GithubAll \t 10000\t 113811 ns/op\t 81203 B/op 406 allocs/op\nBenchmarkChi_GPlusStatic \t3337485\t 359 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_GPlusParam \t2825853\t 423 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_GPlus2Params \t2471697\t 483 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_GPlusAll \t 194220\t 5950 ns/op\t 5200 B/op 26 allocs/op\nBenchmarkChi_ParseStatic \t3365324\t 356 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_ParseParam \t2976614\t 404 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_Parse2Params \t2638084\t 439 ns/op\t 400 B/op 2 allocs/op\nBenchmarkChi_ParseAll \t 109567\t 11295 ns/op\t 10400 B/op 52 allocs/op\nBenchmarkChi_StaticAll \t 16846\t 71308 ns/op\t 62802 B/op 314 allocs/op\n```\n\nComparison with other routers: https://gist.github.com/pkieltyka/123032f12052520aaccab752bd3e78cc\n\nNOTE: the allocs in the benchmark above are from the calls to http.Request's\n`WithContext(context.Context)` method that clones the http.Request, sets the `Context()`\non the duplicated (alloc'd) request and returns it the new request object. This is just\nhow setting context on a request in Go works.\n\n\n## Credits\n\n* Carl Jackson for https://github.com/zenazn/goji\n * Parts of chi's thinking comes from goji, and chi's middleware package\n sources from [goji](https://github.com/zenazn/goji/tree/master/web/middleware).\n * Please see goji's [LICENSE](https://github.com/zenazn/goji/blob/master/LICENSE) (MIT)\n* Armon Dadgar for https://github.com/armon/go-radix\n* Contributions: [@VojtechVitek](https://github.com/VojtechVitek)\n\nWe'll be more than happy to see [your contributions](./CONTRIBUTING.md)!\n\n\n## Beyond REST\n\nchi is just a http router that lets you decompose request handling into many smaller layers.\nMany companies use chi to write REST services for their public APIs. But, REST is just a convention\nfor managing state via HTTP, and there's a lot of other pieces required to write a complete client-server\nsystem or network of microservices.\n\nLooking beyond REST, I also recommend some newer works in the field:\n* [webrpc](https://github.com/webrpc/webrpc) - Web-focused RPC client+server framework with code-gen\n* [gRPC](https://github.com/grpc/grpc-go) - Google's RPC framework via protobufs\n* [graphql](https://github.com/99designs/gqlgen) - Declarative query language\n* [NATS](https://nats.io) - lightweight pub-sub\n\n\n## License\n\nCopyright (c) 2015-present [Peter Kieltyka](https://github.com/pkieltyka)\n\nLicensed under [MIT License](./LICENSE)\n\n[GoDoc]: https://pkg.go.dev/github.com/go-chi/chi/v5\n[GoDoc Widget]: https://godoc.org/github.com/go-chi/chi?status.svg\n[Travis]: https://travis-ci.org/go-chi/chi\n[Travis Widget]: https://travis-ci.org/go-chi/chi.svg?branch=master\n" }, { "path": "vendor/github.com/go-chi/chi/v5/SECURITY.md", "content": "# Reporting Security Issues\n\nWe appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.\n\nTo report a security issue, please use the GitHub Security Advisory [\"Report a Vulnerability\"](https://github.com/go-chi/chi/security/advisories/new) tab.\n" }, { "path": "vendor/github.com/go-chi/chi/v5/chain.go", "content": "package chi\n\nimport \"net/http\"\n\n// Chain returns a Middlewares type from a slice of middleware handlers.\nfunc Chain(middlewares ...func(http.Handler) http.Handler) Middlewares {\n\treturn Middlewares(middlewares)\n}\n\n// Handler builds and returns a http.Handler from the chain of middlewares,\n// with `h http.Handler` as the final handler.\nfunc (mws Middlewares) Handler(h http.Handler) http.Handler {\n\treturn &ChainHandler{h, chain(mws, h), mws}\n}\n\n// HandlerFunc builds and returns a http.Handler from the chain of middlewares,\n// with `h http.Handler` as the final handler.\nfunc (mws Middlewares) HandlerFunc(h http.HandlerFunc) http.Handler {\n\treturn &ChainHandler{h, chain(mws, h), mws}\n}\n\n// ChainHandler is a http.Handler with support for handler composition and\n// execution.\ntype ChainHandler struct {\n\tEndpoint http.Handler\n\tchain http.Handler\n\tMiddlewares Middlewares\n}\n\nfunc (c *ChainHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tc.chain.ServeHTTP(w, r)\n}\n\n// chain builds a http.Handler composed of an inline middleware stack and endpoint\n// handler in the order they are passed.\nfunc chain(middlewares []func(http.Handler) http.Handler, endpoint http.Handler) http.Handler {\n\t// Return ahead of time if there aren't any middlewares for the chain\n\tif len(middlewares) == 0 {\n\t\treturn endpoint\n\t}\n\n\t// Wrap the end handler with the middleware chain\n\th := middlewares[len(middlewares)-1](endpoint)\n\tfor i := len(middlewares) - 2; i >= 0; i-- {\n\t\th = middlewares[i](h)\n\t}\n\n\treturn h\n}\n" }, { "path": "vendor/github.com/go-chi/chi/v5/chi.go", "content": "// Package chi is a small, idiomatic and composable router for building HTTP services.\n//\n// chi requires Go 1.14 or newer.\n//\n// Example:\n//\n//\tpackage main\n//\n//\timport (\n//\t\t\"net/http\"\n//\n//\t\t\"github.com/go-chi/chi/v5\"\n//\t\t\"github.com/go-chi/chi/v5/middleware\"\n//\t)\n//\n//\tfunc main() {\n//\t\tr := chi.NewRouter()\n//\t\tr.Use(middleware.Logger)\n//\t\tr.Use(middleware.Recoverer)\n//\n//\t\tr.Get(\"/\", func(w http.ResponseWriter, r *http.Request) {\n//\t\t\tw.Write([]byte(\"root.\"))\n//\t\t})\n//\n//\t\thttp.ListenAndServe(\":3333\", r)\n//\t}\n//\n// See github.com/go-chi/chi/_examples/ for more in-depth examples.\n//\n// URL patterns allow for easy matching of path components in HTTP\n// requests. The matching components can then be accessed using\n// chi.URLParam(). All patterns must begin with a slash.\n//\n// A simple named placeholder {name} matches any sequence of characters\n// up to the next / or the end of the URL. Trailing slashes on paths must\n// be handled explicitly.\n//\n// A placeholder with a name followed by a colon allows a regular\n// expression match, for example {number:\\\\d+}. The regular expression\n// syntax is Go's normal regexp RE2 syntax, except that / will never be\n// matched. An anonymous regexp pattern is allowed, using an empty string\n// before the colon in the placeholder, such as {:\\\\d+}\n//\n// The special placeholder of asterisk matches the rest of the requested\n// URL. Any trailing characters in the pattern are ignored. This is the only\n// placeholder which will match / characters.\n//\n// Examples:\n//\n//\t\"/user/{name}\" matches \"/user/jsmith\" but not \"/user/jsmith/info\" or \"/user/jsmith/\"\n//\t\"/user/{name}/info\" matches \"/user/jsmith/info\"\n//\t\"/page/*\" matches \"/page/intro/latest\"\n//\t\"/page/{other}/latest\" also matches \"/page/intro/latest\"\n//\t\"/date/{yyyy:\\\\d\\\\d\\\\d\\\\d}/{mm:\\\\d\\\\d}/{dd:\\\\d\\\\d}\" matches \"/date/2017/04/01\"\npackage chi\n\nimport \"net/http\"\n\n// NewRouter returns a new Mux object that implements the Router interface.\nfunc NewRouter() *Mux {\n\treturn NewMux()\n}\n\n// Router consisting of the core routing methods used by chi's Mux,\n// using only the standard net/http.\ntype Router interface {\n\thttp.Handler\n\tRoutes\n\n\t// Use appends one or more middlewares onto the Router stack.\n\tUse(middlewares ...func(http.Handler) http.Handler)\n\n\t// With adds inline middlewares for an endpoint handler.\n\tWith(middlewares ...func(http.Handler) http.Handler) Router\n\n\t// Group adds a new inline-Router along the current routing\n\t// path, with a fresh middleware stack for the inline-Router.\n\tGroup(fn func(r Router)) Router\n\n\t// Route mounts a sub-Router along a `pattern`` string.\n\tRoute(pattern string, fn func(r Router)) Router\n\n\t// Mount attaches another http.Handler along ./pattern/*\n\tMount(pattern string, h http.Handler)\n\n\t// Handle and HandleFunc adds routes for `pattern` that matches\n\t// all HTTP methods.\n\tHandle(pattern string, h http.Handler)\n\tHandleFunc(pattern string, h http.HandlerFunc)\n\n\t// Method and MethodFunc adds routes for `pattern` that matches\n\t// the `method` HTTP method.\n\tMethod(method, pattern string, h http.Handler)\n\tMethodFunc(method, pattern string, h http.HandlerFunc)\n\n\t// HTTP-method routing along `pattern`\n\tConnect(pattern string, h http.HandlerFunc)\n\tDelete(pattern string, h http.HandlerFunc)\n\tGet(pattern string, h http.HandlerFunc)\n\tHead(pattern string, h http.HandlerFunc)\n\tOptions(pattern string, h http.HandlerFunc)\n\tPatch(pattern string, h http.HandlerFunc)\n\tPost(pattern string, h http.HandlerFunc)\n\tPut(pattern string, h http.HandlerFunc)\n\tTrace(pattern string, h http.HandlerFunc)\n\n\t// NotFound defines a handler to respond whenever a route could\n\t// not be found.\n\tNotFound(h http.HandlerFunc)\n\n\t// MethodNotAllowed defines a handler to respond whenever a method is\n\t// not allowed.\n\tMethodNotAllowed(h http.HandlerFunc)\n}\n\n// Routes interface adds two methods for router traversal, which is also\n// used by the `docgen` subpackage to generation documentation for Routers.\ntype Routes interface {\n\t// Routes returns the routing tree in an easily traversable structure.\n\tRoutes() []Route\n\n\t// Middlewares returns the list of middlewares in use by the router.\n\tMiddlewares() Middlewares\n\n\t// Match searches the routing tree for a handler that matches\n\t// the method/path - similar to routing a http request, but without\n\t// executing the handler thereafter.\n\tMatch(rctx *Context, method, path string) bool\n\n\t// Find searches the routing tree for the pattern that matches\n\t// the method/path.\n\tFind(rctx *Context, method, path string) string\n}\n\n// Middlewares type is a slice of standard middleware handlers with methods\n// to compose middleware chains and http.Handler's.\ntype Middlewares []func(http.Handler) http.Handler\n" }, { "path": "vendor/github.com/go-chi/chi/v5/context.go", "content": "package chi\n\nimport (\n\t\"context\"\n\t\"net/http\"\n\t\"strings\"\n)\n\n// URLParam returns the url parameter from a http.Request object.\nfunc URLParam(r *http.Request, key string) string {\n\tif rctx := RouteContext(r.Context()); rctx != nil {\n\t\treturn rctx.URLParam(key)\n\t}\n\treturn \"\"\n}\n\n// URLParamFromCtx returns the url parameter from a http.Request Context.\nfunc URLParamFromCtx(ctx context.Context, key string) string {\n\tif rctx := RouteContext(ctx); rctx != nil {\n\t\treturn rctx.URLParam(key)\n\t}\n\treturn \"\"\n}\n\n// RouteContext returns chi's routing Context object from a\n// http.Request Context.\nfunc RouteContext(ctx context.Context) *Context {\n\tval, _ := ctx.Value(RouteCtxKey).(*Context)\n\treturn val\n}\n\n// NewRouteContext returns a new routing Context object.\nfunc NewRouteContext() *Context {\n\treturn &Context{}\n}\n\nvar (\n\t// RouteCtxKey is the context.Context key to store the request context.\n\tRouteCtxKey = &contextKey{\"RouteContext\"}\n)\n\n// Context is the default routing context set on the root node of a\n// request context to track route patterns, URL parameters and\n// an optional routing path.\ntype Context struct {\n\tRoutes Routes\n\n\t// parentCtx is the parent of this one, for using Context as a\n\t// context.Context directly. This is an optimization that saves\n\t// 1 allocation.\n\tparentCtx context.Context\n\n\t// Routing path/method override used during the route search.\n\t// See Mux#routeHTTP method.\n\tRoutePath string\n\tRouteMethod string\n\n\t// URLParams are the stack of routeParams captured during the\n\t// routing lifecycle across a stack of sub-routers.\n\tURLParams RouteParams\n\n\t// Route parameters matched for the current sub-router. It is\n\t// intentionally unexported so it can't be tampered.\n\trouteParams RouteParams\n\n\t// The endpoint routing pattern that matched the request URI path\n\t// or `RoutePath` of the current sub-router. This value will update\n\t// during the lifecycle of a request passing through a stack of\n\t// sub-routers.\n\troutePattern string\n\n\t// Routing pattern stack throughout the lifecycle of the request,\n\t// across all connected routers. It is a record of all matching\n\t// patterns across a stack of sub-routers.\n\tRoutePatterns []string\n\n\tmethodsAllowed []methodTyp // allowed methods in case of a 405\n\tmethodNotAllowed bool\n}\n\n// Reset a routing context to its initial state.\nfunc (x *Context) Reset() {\n\tx.Routes = nil\n\tx.RoutePath = \"\"\n\tx.RouteMethod = \"\"\n\tx.RoutePatterns = x.RoutePatterns[:0]\n\tx.URLParams.Keys = x.URLParams.Keys[:0]\n\tx.URLParams.Values = x.URLParams.Values[:0]\n\n\tx.routePattern = \"\"\n\tx.routeParams.Keys = x.routeParams.Keys[:0]\n\tx.routeParams.Values = x.routeParams.Values[:0]\n\tx.methodNotAllowed = false\n\tx.methodsAllowed = x.methodsAllowed[:0]\n\tx.parentCtx = nil\n}\n\n// URLParam returns the corresponding URL parameter value from the request\n// routing context.\nfunc (x *Context) URLParam(key string) string {\n\tfor k := len(x.URLParams.Keys) - 1; k >= 0; k-- {\n\t\tif x.URLParams.Keys[k] == key {\n\t\t\treturn x.URLParams.Values[k]\n\t\t}\n\t}\n\treturn \"\"\n}\n\n// RoutePattern builds the routing pattern string for the particular\n// request, at the particular point during routing. This means, the value\n// will change throughout the execution of a request in a router. That is\n// why it's advised to only use this value after calling the next handler.\n//\n// For example,\n//\n//\tfunc Instrument(next http.Handler) http.Handler {\n//\t\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n//\t\t\tnext.ServeHTTP(w, r)\n//\t\t\troutePattern := chi.RouteContext(r.Context()).RoutePattern()\n//\t\t\tmeasure(w, r, routePattern)\n//\t\t})\n//\t}\nfunc (x *Context) RoutePattern() string {\n\tif x == nil {\n\t\treturn \"\"\n\t}\n\troutePattern := strings.Join(x.RoutePatterns, \"\")\n\troutePattern = replaceWildcards(routePattern)\n\tif routePattern != \"/\" {\n\t\troutePattern = strings.TrimSuffix(routePattern, \"//\")\n\t\troutePattern = strings.TrimSuffix(routePattern, \"/\")\n\t}\n\treturn routePattern\n}\n\n// replaceWildcards takes a route pattern and recursively replaces all\n// occurrences of \"/*/\" to \"/\".\nfunc replaceWildcards(p string) string {\n\tif strings.Contains(p, \"/*/\") {\n\t\treturn replaceWildcards(strings.Replace(p, \"/*/\", \"/\", -1))\n\t}\n\treturn p\n}\n\n// RouteParams is a structure to track URL routing parameters efficiently.\ntype RouteParams struct {\n\tKeys, Values []string\n}\n\n// Add will append a URL parameter to the end of the route param\nfunc (s *RouteParams) Add(key, value string) {\n\ts.Keys = append(s.Keys, key)\n\ts.Values = append(s.Values, value)\n}\n\n// contextKey is a value for use with context.WithValue. It's used as\n// a pointer so it fits in an interface{} without allocation. This technique\n// for defining context keys was copied from Go 1.7's new use of context in net/http.\ntype contextKey struct {\n\tname string\n}\n\nfunc (k *contextKey) String() string {\n\treturn \"chi context value \" + k.name\n}\n" }, { "path": "vendor/github.com/go-chi/chi/v5/mux.go", "content": "package chi\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"strings\"\n\t\"sync\"\n)\n\nvar _ Router = &Mux{}\n\n// Mux is a simple HTTP route multiplexer that parses a request path,\n// records any URL params, and executes an end handler. It implements\n// the http.Handler interface and is friendly with the standard library.\n//\n// Mux is designed to be fast, minimal and offer a powerful API for building\n// modular and composable HTTP services with a large set of handlers. It's\n// particularly useful for writing large REST API services that break a handler\n// into many smaller parts composed of middlewares and end handlers.\ntype Mux struct {\n\t// The computed mux handler made of the chained middleware stack and\n\t// the tree router\n\thandler http.Handler\n\n\t// The radix trie router\n\ttree *node\n\n\t// Custom method not allowed handler\n\tmethodNotAllowedHandler http.HandlerFunc\n\n\t// A reference to the parent mux used by subrouters when mounting\n\t// to a parent mux\n\tparent *Mux\n\n\t// Routing context pool\n\tpool *sync.Pool\n\n\t// Custom route not found handler\n\tnotFoundHandler http.HandlerFunc\n\n\t// The middleware stack\n\tmiddlewares []func(http.Handler) http.Handler\n\n\t// Controls the behaviour of middleware chain generation when a mux\n\t// is registered as an inline group inside another mux.\n\tinline bool\n}\n\n// NewMux returns a newly initialized Mux object that implements the Router\n// interface.\nfunc NewMux() *Mux {\n\tmux := &Mux{tree: &node{}, pool: &sync.Pool{}}\n\tmux.pool.New = func() interface{} {\n\t\treturn NewRouteContext()\n\t}\n\treturn mux\n}\n\n// ServeHTTP is the single method of the http.Handler interface that makes\n// Mux interoperable with the standard library. It uses a sync.Pool to get and\n// reuse routing contexts for each request.\nfunc (mx *Mux) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\t// Ensure the mux has some routes defined on the mux\n\tif mx.handler == nil {\n\t\tmx.NotFoundHandler().ServeHTTP(w, r)\n\t\treturn\n\t}\n\n\t// Check if a routing context already exists from a parent router.\n\trctx, _ := r.Context().Value(RouteCtxKey).(*Context)\n\tif rctx != nil {\n\t\tmx.handler.ServeHTTP(w, r)\n\t\treturn\n\t}\n\n\t// Fetch a RouteContext object from the sync pool, and call the computed\n\t// mx.handler that is comprised of mx.middlewares + mx.routeHTTP.\n\t// Once the request is finished, reset the routing context and put it back\n\t// into the pool for reuse from another request.\n\trctx = mx.pool.Get().(*Context)\n\trctx.Reset()\n\trctx.Routes = mx\n\trctx.parentCtx = r.Context()\n\n\t// NOTE: r.WithContext() causes 2 allocations and context.WithValue() causes 1 allocation\n\tr = r.WithContext(context.WithValue(r.Context(), RouteCtxKey, rctx))\n\n\t// Serve the request and once its done, put the request context back in the sync pool\n\tmx.handler.ServeHTTP(w, r)\n\tmx.pool.Put(rctx)\n}\n\n// Use appends a middleware handler to the Mux middleware stack.\n//\n// The middleware stack for any Mux will execute before searching for a matching\n// route to a specific handler, which provides opportunity to respond early,\n// change the course of the request execution, or set request-scoped values for\n// the next http.Handler.\nfunc (mx *Mux) Use(middlewares ...func(http.Handler) http.Handler) {\n\tif mx.handler != nil {\n\t\tpanic(\"chi: all middlewares must be defined before routes on a mux\")\n\t}\n\tmx.middlewares = append(mx.middlewares, middlewares...)\n}\n\n// Handle adds the route `pattern` that matches any http method to\n// execute the `handler` http.Handler.\nfunc (mx *Mux) Handle(pattern string, handler http.Handler) {\n\tif method, rest, found := strings.Cut(pattern, \" \"); found {\n\t\tmx.Method(method, rest, handler)\n\t\treturn\n\t}\n\n\tmx.handle(mALL, pattern, handler)\n}\n\n// HandleFunc adds the route `pattern` that matches any http method to\n// execute the `handlerFn` http.HandlerFunc.\nfunc (mx *Mux) HandleFunc(pattern string, handlerFn http.HandlerFunc) {\n\tif method, rest, found := strings.Cut(pattern, \" \"); found {\n\t\tmx.Method(method, rest, handlerFn)\n\t\treturn\n\t}\n\n\tmx.handle(mALL, pattern, handlerFn)\n}\n\n// Method adds the route `pattern` that matches `method` http method to\n// execute the `handler` http.Handler.\nfunc (mx *Mux) Method(method, pattern string, handler http.Handler) {\n\tm, ok := methodMap[strings.ToUpper(method)]\n\tif !ok {\n\t\tpanic(fmt.Sprintf(\"chi: '%s' http method is not supported.\", method))\n\t}\n\tmx.handle(m, pattern, handler)\n}\n\n// MethodFunc adds the route `pattern` that matches `method` http method to\n// execute the `handlerFn` http.HandlerFunc.\nfunc (mx *Mux) MethodFunc(method, pattern string, handlerFn http.HandlerFunc) {\n\tmx.Method(method, pattern, handlerFn)\n}\n\n// Connect adds the route `pattern` that matches a CONNECT http method to\n// execute the `handlerFn` http.HandlerFunc.\nfunc (mx *Mux) Connect(pattern string, handlerFn http.HandlerFunc) {\n\tmx.handle(mCONNECT, pattern, handlerFn)\n}\n\n// Delete adds the route `pattern` that matches a DELETE http method to\n// execute the `handlerFn` http.HandlerFunc.\nfunc (mx *Mux) Delete(pattern string, handlerFn http.HandlerFunc) {\n\tmx.handle(mDELETE, pattern, handlerFn)\n}\n\n// Get adds the route `pattern` that matches a GET http method to\n// execute the `handlerFn` http.HandlerFunc.\nfunc (mx *Mux) Get(pattern string, handlerFn http.HandlerFunc) {\n\tmx.handle(mGET, pattern, handlerFn)\n}\n\n// Head adds the route `pattern` that matches a HEAD http method to\n// execute the `handlerFn` http.HandlerFunc.\nfunc (mx *Mux) Head(pattern string, handlerFn http.HandlerFunc) {\n\tmx.handle(mHEAD, pattern, handlerFn)\n}\n\n// Options adds the route `pattern` that matches an OPTIONS http method to\n// execute the `handlerFn` http.HandlerFunc.\nfunc (mx *Mux) Options(pattern string, handlerFn http.HandlerFunc) {\n\tmx.handle(mOPTIONS, pattern, handlerFn)\n}\n\n// Patch adds the route `pattern` that matches a PATCH http method to\n// execute the `handlerFn` http.HandlerFunc.\nfunc (mx *Mux) Patch(pattern string, handlerFn http.HandlerFunc) {\n\tmx.handle(mPATCH, pattern, handlerFn)\n}\n\n// Post adds the route `pattern` that matches a POST http method to\n// execute the `handlerFn` http.HandlerFunc.\nfunc (mx *Mux) Post(pattern string, handlerFn http.HandlerFunc) {\n\tmx.handle(mPOST, pattern, handlerFn)\n}\n\n// Put adds the route `pattern` that matches a PUT http method to\n// execute the `handlerFn` http.HandlerFunc.\nfunc (mx *Mux) Put(pattern string, handlerFn http.HandlerFunc) {\n\tmx.handle(mPUT, pattern, handlerFn)\n}\n\n// Trace adds the route `pattern` that matches a TRACE http method to\n// execute the `handlerFn` http.HandlerFunc.\nfunc (mx *Mux) Trace(pattern string, handlerFn http.HandlerFunc) {\n\tmx.handle(mTRACE, pattern, handlerFn)\n}\n\n// NotFound sets a custom http.HandlerFunc for routing paths that could\n// not be found. The default 404 handler is `http.NotFound`.\nfunc (mx *Mux) NotFound(handlerFn http.HandlerFunc) {\n\t// Build NotFound handler chain\n\tm := mx\n\thFn := handlerFn\n\tif mx.inline && mx.parent != nil {\n\t\tm = mx.parent\n\t\thFn = Chain(mx.middlewares...).HandlerFunc(hFn).ServeHTTP\n\t}\n\n\t// Update the notFoundHandler from this point forward\n\tm.notFoundHandler = hFn\n\tm.updateSubRoutes(func(subMux *Mux) {\n\t\tif subMux.notFoundHandler == nil {\n\t\t\tsubMux.NotFound(hFn)\n\t\t}\n\t})\n}\n\n// MethodNotAllowed sets a custom http.HandlerFunc for routing paths where the\n// method is unresolved. The default handler returns a 405 with an empty body.\nfunc (mx *Mux) MethodNotAllowed(handlerFn http.HandlerFunc) {\n\t// Build MethodNotAllowed handler chain\n\tm := mx\n\thFn := handlerFn\n\tif mx.inline && mx.parent != nil {\n\t\tm = mx.parent\n\t\thFn = Chain(mx.middlewares...).HandlerFunc(hFn).ServeHTTP\n\t}\n\n\t// Update the methodNotAllowedHandler from this point forward\n\tm.methodNotAllowedHandler = hFn\n\tm.updateSubRoutes(func(subMux *Mux) {\n\t\tif subMux.methodNotAllowedHandler == nil {\n\t\t\tsubMux.MethodNotAllowed(hFn)\n\t\t}\n\t})\n}\n\n// With adds inline middlewares for an endpoint handler.\nfunc (mx *Mux) With(middlewares ...func(http.Handler) http.Handler) Router {\n\t// Similarly as in handle(), we must build the mux handler once additional\n\t// middleware registration isn't allowed for this stack, like now.\n\tif !mx.inline && mx.handler == nil {\n\t\tmx.updateRouteHandler()\n\t}\n\n\t// Copy middlewares from parent inline muxs\n\tvar mws Middlewares\n\tif mx.inline {\n\t\tmws = make(Middlewares, len(mx.middlewares))\n\t\tcopy(mws, mx.middlewares)\n\t}\n\tmws = append(mws, middlewares...)\n\n\tim := &Mux{\n\t\tpool: mx.pool, inline: true, parent: mx, tree: mx.tree, middlewares: mws,\n\t\tnotFoundHandler: mx.notFoundHandler, methodNotAllowedHandler: mx.methodNotAllowedHandler,\n\t}\n\n\treturn im\n}\n\n// Group creates a new inline-Mux with a copy of middleware stack. It's useful\n// for a group of handlers along the same routing path that use an additional\n// set of middlewares. See _examples/.\nfunc (mx *Mux) Group(fn func(r Router)) Router {\n\tim := mx.With()\n\tif fn != nil {\n\t\tfn(im)\n\t}\n\treturn im\n}\n\n// Route creates a new Mux and mounts it along the `pattern` as a subrouter.\n// Effectively, this is a short-hand call to Mount. See _examples/.\nfunc (mx *Mux) Route(pattern string, fn func(r Router)) Router {\n\tif fn == nil {\n\t\tpanic(fmt.Sprintf(\"chi: attempting to Route() a nil subrouter on '%s'\", pattern))\n\t}\n\tsubRouter := NewRouter()\n\tfn(subRouter)\n\tmx.Mount(pattern, subRouter)\n\treturn subRouter\n}\n\n// Mount attaches another http.Handler or chi Router as a subrouter along a routing\n// path. It's very useful to split up a large API as many independent routers and\n// compose them as a single service using Mount. See _examples/.\n//\n// Note that Mount() simply sets a wildcard along the `pattern` that will continue\n// routing at the `handler`, which in most cases is another chi.Router. As a result,\n// if you define two Mount() routes on the exact same pattern the mount will panic.\nfunc (mx *Mux) Mount(pattern string, handler http.Handler) {\n\tif handler == nil {\n\t\tpanic(fmt.Sprintf(\"chi: attempting to Mount() a nil handler on '%s'\", pattern))\n\t}\n\n\t// Provide runtime safety for ensuring a pattern isn't mounted on an existing\n\t// routing pattern.\n\tif mx.tree.findPattern(pattern+\"*\") || mx.tree.findPattern(pattern+\"/*\") {\n\t\tpanic(fmt.Sprintf(\"chi: attempting to Mount() a handler on an existing path, '%s'\", pattern))\n\t}\n\n\t// Assign sub-Router's with the parent not found & method not allowed handler if not specified.\n\tsubr, ok := handler.(*Mux)\n\tif ok && subr.notFoundHandler == nil && mx.notFoundHandler != nil {\n\t\tsubr.NotFound(mx.notFoundHandler)\n\t}\n\tif ok && subr.methodNotAllowedHandler == nil && mx.methodNotAllowedHandler != nil {\n\t\tsubr.MethodNotAllowed(mx.methodNotAllowedHandler)\n\t}\n\n\tmountHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trctx := RouteContext(r.Context())\n\n\t\t// shift the url path past the previous subrouter\n\t\trctx.RoutePath = mx.nextRoutePath(rctx)\n\n\t\t// reset the wildcard URLParam which connects the subrouter\n\t\tn := len(rctx.URLParams.Keys) - 1\n\t\tif n >= 0 && rctx.URLParams.Keys[n] == \"*\" && len(rctx.URLParams.Values) > n {\n\t\t\trctx.URLParams.Values[n] = \"\"\n\t\t}\n\n\t\thandler.ServeHTTP(w, r)\n\t})\n\n\tif pattern == \"\" || pattern[len(pattern)-1] != '/' {\n\t\tmx.handle(mALL|mSTUB, pattern, mountHandler)\n\t\tmx.handle(mALL|mSTUB, pattern+\"/\", mountHandler)\n\t\tpattern += \"/\"\n\t}\n\n\tmethod := mALL\n\tsubroutes, _ := handler.(Routes)\n\tif subroutes != nil {\n\t\tmethod |= mSTUB\n\t}\n\tn := mx.handle(method, pattern+\"*\", mountHandler)\n\n\tif subroutes != nil {\n\t\tn.subroutes = subroutes\n\t}\n}\n\n// Routes returns a slice of routing information from the tree,\n// useful for traversing available routes of a router.\nfunc (mx *Mux) Routes() []Route {\n\treturn mx.tree.routes()\n}\n\n// Middlewares returns a slice of middleware handler functions.\nfunc (mx *Mux) Middlewares() Middlewares {\n\treturn mx.middlewares\n}\n\n// Match searches the routing tree for a handler that matches the method/path.\n// It's similar to routing a http request, but without executing the handler\n// thereafter.\n//\n// Note: the *Context state is updated during execution, so manage\n// the state carefully or make a NewRouteContext().\nfunc (mx *Mux) Match(rctx *Context, method, path string) bool {\n\treturn mx.Find(rctx, method, path) != \"\"\n}\n\n// Find searches the routing tree for the pattern that matches\n// the method/path.\n//\n// Note: the *Context state is updated during execution, so manage\n// the state carefully or make a NewRouteContext().\nfunc (mx *Mux) Find(rctx *Context, method, path string) string {\n\tm, ok := methodMap[method]\n\tif !ok {\n\t\treturn \"\"\n\t}\n\n\tnode, _, _ := mx.tree.FindRoute(rctx, m, path)\n\tpattern := rctx.routePattern\n\n\tif node != nil {\n\t\tif node.subroutes == nil {\n\t\t\te := node.endpoints[m]\n\t\t\treturn e.pattern\n\t\t}\n\n\t\trctx.RoutePath = mx.nextRoutePath(rctx)\n\t\tsubPattern := node.subroutes.Find(rctx, method, rctx.RoutePath)\n\t\tif subPattern == \"\" {\n\t\t\treturn \"\"\n\t\t}\n\n\t\tpattern = strings.TrimSuffix(pattern, \"/*\")\n\t\tpattern += subPattern\n\t}\n\n\treturn pattern\n}\n\n// NotFoundHandler returns the default Mux 404 responder whenever a route\n// cannot be found.\nfunc (mx *Mux) NotFoundHandler() http.HandlerFunc {\n\tif mx.notFoundHandler != nil {\n\t\treturn mx.notFoundHandler\n\t}\n\treturn http.NotFound\n}\n\n// MethodNotAllowedHandler returns the default Mux 405 responder whenever\n// a method cannot be resolved for a route.\nfunc (mx *Mux) MethodNotAllowedHandler(methodsAllowed ...methodTyp) http.HandlerFunc {\n\tif mx.methodNotAllowedHandler != nil {\n\t\treturn mx.methodNotAllowedHandler\n\t}\n\treturn methodNotAllowedHandler(methodsAllowed...)\n}\n\n// handle registers a http.Handler in the routing tree for a particular http method\n// and routing pattern.\nfunc (mx *Mux) handle(method methodTyp, pattern string, handler http.Handler) *node {\n\tif len(pattern) == 0 || pattern[0] != '/' {\n\t\tpanic(fmt.Sprintf(\"chi: routing pattern must begin with '/' in '%s'\", pattern))\n\t}\n\n\t// Build the computed routing handler for this routing pattern.\n\tif !mx.inline && mx.handler == nil {\n\t\tmx.updateRouteHandler()\n\t}\n\n\t// Build endpoint handler with inline middlewares for the route\n\tvar h http.Handler\n\tif mx.inline {\n\t\tmx.handler = http.HandlerFunc(mx.routeHTTP)\n\t\th = Chain(mx.middlewares...).Handler(handler)\n\t} else {\n\t\th = handler\n\t}\n\n\t// Add the endpoint to the tree and return the node\n\treturn mx.tree.InsertRoute(method, pattern, h)\n}\n\n// routeHTTP routes a http.Request through the Mux routing tree to serve\n// the matching handler for a particular http method.\nfunc (mx *Mux) routeHTTP(w http.ResponseWriter, r *http.Request) {\n\t// Grab the route context object\n\trctx := r.Context().Value(RouteCtxKey).(*Context)\n\n\t// The request routing path\n\troutePath := rctx.RoutePath\n\tif routePath == \"\" {\n\t\tif r.URL.RawPath != \"\" {\n\t\t\troutePath = r.URL.RawPath\n\t\t} else {\n\t\t\troutePath = r.URL.Path\n\t\t}\n\t\tif routePath == \"\" {\n\t\t\troutePath = \"/\"\n\t\t}\n\t}\n\n\t// Check if method is supported by chi\n\tif rctx.RouteMethod == \"\" {\n\t\trctx.RouteMethod = r.Method\n\t}\n\tmethod, ok := methodMap[rctx.RouteMethod]\n\tif !ok {\n\t\tmx.MethodNotAllowedHandler().ServeHTTP(w, r)\n\t\treturn\n\t}\n\n\t// Find the route\n\tif _, _, h := mx.tree.FindRoute(rctx, method, routePath); h != nil {\n\t\tif supportsPathValue {\n\t\t\tsetPathValue(rctx, r)\n\t\t}\n\n\t\th.ServeHTTP(w, r)\n\t\treturn\n\t}\n\tif rctx.methodNotAllowed {\n\t\tmx.MethodNotAllowedHandler(rctx.methodsAllowed...).ServeHTTP(w, r)\n\t} else {\n\t\tmx.NotFoundHandler().ServeHTTP(w, r)\n\t}\n}\n\nfunc (mx *Mux) nextRoutePath(rctx *Context) string {\n\troutePath := \"/\"\n\tnx := len(rctx.routeParams.Keys) - 1 // index of last param in list\n\tif nx >= 0 && rctx.routeParams.Keys[nx] == \"*\" && len(rctx.routeParams.Values) > nx {\n\t\troutePath = \"/\" + rctx.routeParams.Values[nx]\n\t}\n\treturn routePath\n}\n\n// Recursively update data on child routers.\nfunc (mx *Mux) updateSubRoutes(fn func(subMux *Mux)) {\n\tfor _, r := range mx.tree.routes() {\n\t\tsubMux, ok := r.SubRoutes.(*Mux)\n\t\tif !ok {\n\t\t\tcontinue\n\t\t}\n\t\tfn(subMux)\n\t}\n}\n\n// updateRouteHandler builds the single mux handler that is a chain of the middleware\n// stack, as defined by calls to Use(), and the tree router (Mux) itself. After this\n// point, no other middlewares can be registered on this Mux's stack. But you can still\n// compose additional middlewares via Group()'s or using a chained middleware handler.\nfunc (mx *Mux) updateRouteHandler() {\n\tmx.handler = chain(mx.middlewares, http.HandlerFunc(mx.routeHTTP))\n}\n\n// methodNotAllowedHandler is a helper function to respond with a 405,\n// method not allowed. It sets the Allow header with the list of allowed\n// methods for the route.\nfunc methodNotAllowedHandler(methodsAllowed ...methodTyp) func(w http.ResponseWriter, r *http.Request) {\n\treturn func(w http.ResponseWriter, r *http.Request) {\n\t\tfor _, m := range methodsAllowed {\n\t\t\tw.Header().Add(\"Allow\", reverseMethodMap[m])\n\t\t}\n\t\tw.WriteHeader(405)\n\t\tw.Write(nil)\n\t}\n}\n" }, { "path": "vendor/github.com/go-chi/chi/v5/path_value.go", "content": "//go:build go1.22 && !tinygo\n// +build go1.22,!tinygo\n\n\npackage chi\n\nimport \"net/http\"\n\n// supportsPathValue is true if the Go version is 1.22 and above.\n//\n// If this is true, `net/http.Request` has methods `SetPathValue` and `PathValue`.\nconst supportsPathValue = true\n\n// setPathValue sets the path values in the Request value\n// based on the provided request context.\nfunc setPathValue(rctx *Context, r *http.Request) {\n\tfor i, key := range rctx.URLParams.Keys {\n\t\tvalue := rctx.URLParams.Values[i]\n\t\tr.SetPathValue(key, value)\n\t}\n}\n" }, { "path": "vendor/github.com/go-chi/chi/v5/path_value_fallback.go", "content": "//go:build !go1.22 || tinygo\n// +build !go1.22 tinygo\n\npackage chi\n\nimport \"net/http\"\n\n// supportsPathValue is true if the Go version is 1.22 and above.\n//\n// If this is true, `net/http.Request` has methods `SetPathValue` and `PathValue`.\nconst supportsPathValue = false\n\n// setPathValue sets the path values in the Request value\n// based on the provided request context.\n//\n// setPathValue is only supported in Go 1.22 and above so\n// this is just a blank function so that it compiles.\nfunc setPathValue(rctx *Context, r *http.Request) {\n}\n" }, { "path": "vendor/github.com/go-chi/chi/v5/tree.go", "content": "package chi\n\n// Radix tree implementation below is a based on the original work by\n// Armon Dadgar in https://github.com/armon/go-radix/blob/master/radix.go\n// (MIT licensed). It's been heavily modified for use as a HTTP routing tree.\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"regexp\"\n\t\"sort\"\n\t\"strconv\"\n\t\"strings\"\n)\n\ntype methodTyp uint\n\nconst (\n\tmSTUB methodTyp = 1 << iota\n\tmCONNECT\n\tmDELETE\n\tmGET\n\tmHEAD\n\tmOPTIONS\n\tmPATCH\n\tmPOST\n\tmPUT\n\tmTRACE\n)\n\nvar mALL = mCONNECT | mDELETE | mGET | mHEAD |\n\tmOPTIONS | mPATCH | mPOST | mPUT | mTRACE\n\nvar methodMap = map[string]methodTyp{\n\thttp.MethodConnect: mCONNECT,\n\thttp.MethodDelete: mDELETE,\n\thttp.MethodGet: mGET,\n\thttp.MethodHead: mHEAD,\n\thttp.MethodOptions: mOPTIONS,\n\thttp.MethodPatch: mPATCH,\n\thttp.MethodPost: mPOST,\n\thttp.MethodPut: mPUT,\n\thttp.MethodTrace: mTRACE,\n}\n\nvar reverseMethodMap = map[methodTyp]string{\n\tmCONNECT: http.MethodConnect,\n\tmDELETE: http.MethodDelete,\n\tmGET: http.MethodGet,\n\tmHEAD: http.MethodHead,\n\tmOPTIONS: http.MethodOptions,\n\tmPATCH: http.MethodPatch,\n\tmPOST: http.MethodPost,\n\tmPUT: http.MethodPut,\n\tmTRACE: http.MethodTrace,\n}\n\n// RegisterMethod adds support for custom HTTP method handlers, available\n// via Router#Method and Router#MethodFunc\nfunc RegisterMethod(method string) {\n\tif method == \"\" {\n\t\treturn\n\t}\n\tmethod = strings.ToUpper(method)\n\tif _, ok := methodMap[method]; ok {\n\t\treturn\n\t}\n\tn := len(methodMap)\n\tif n > strconv.IntSize-2 {\n\t\tpanic(fmt.Sprintf(\"chi: max number of methods reached (%d)\", strconv.IntSize))\n\t}\n\tmt := methodTyp(2 << n)\n\tmethodMap[method] = mt\n\tmALL |= mt\n}\n\ntype nodeTyp uint8\n\nconst (\n\tntStatic nodeTyp = iota // /home\n\tntRegexp // /{id:[0-9]+}\n\tntParam // /{user}\n\tntCatchAll // /api/v1/*\n)\n\ntype node struct {\n\t// subroutes on the leaf node\n\tsubroutes Routes\n\n\t// regexp matcher for regexp nodes\n\trex *regexp.Regexp\n\n\t// HTTP handler endpoints on the leaf node\n\tendpoints endpoints\n\n\t// prefix is the common prefix we ignore\n\tprefix string\n\n\t// child nodes should be stored in-order for iteration,\n\t// in groups of the node type.\n\tchildren [ntCatchAll + 1]nodes\n\n\t// first byte of the child prefix\n\ttail byte\n\n\t// node type: static, regexp, param, catchAll\n\ttyp nodeTyp\n\n\t// first byte of the prefix\n\tlabel byte\n}\n\n// endpoints is a mapping of http method constants to handlers\n// for a given route.\ntype endpoints map[methodTyp]*endpoint\n\ntype endpoint struct {\n\t// endpoint handler\n\thandler http.Handler\n\n\t// pattern is the routing pattern for handler nodes\n\tpattern string\n\n\t// parameter keys recorded on handler nodes\n\tparamKeys []string\n}\n\nfunc (s endpoints) Value(method methodTyp) *endpoint {\n\tmh, ok := s[method]\n\tif !ok {\n\t\tmh = &endpoint{}\n\t\ts[method] = mh\n\t}\n\treturn mh\n}\n\nfunc (n *node) InsertRoute(method methodTyp, pattern string, handler http.Handler) *node {\n\tvar parent *node\n\tsearch := pattern\n\n\tfor {\n\t\t// Handle key exhaustion\n\t\tif len(search) == 0 {\n\t\t\t// Insert or update the node's leaf handler\n\t\t\tn.setEndpoint(method, handler, pattern)\n\t\t\treturn n\n\t\t}\n\n\t\t// We're going to be searching for a wild node next,\n\t\t// in this case, we need to get the tail\n\t\tvar label = search[0]\n\t\tvar segTail byte\n\t\tvar segEndIdx int\n\t\tvar segTyp nodeTyp\n\t\tvar segRexpat string\n\t\tif label == '{' || label == '*' {\n\t\t\tsegTyp, _, segRexpat, segTail, _, segEndIdx = patNextSegment(search)\n\t\t}\n\n\t\tvar prefix string\n\t\tif segTyp == ntRegexp {\n\t\t\tprefix = segRexpat\n\t\t}\n\n\t\t// Look for the edge to attach to\n\t\tparent = n\n\t\tn = n.getEdge(segTyp, label, segTail, prefix)\n\n\t\t// No edge, create one\n\t\tif n == nil {\n\t\t\tchild := &node{label: label, tail: segTail, prefix: search}\n\t\t\thn := parent.addChild(child, search)\n\t\t\thn.setEndpoint(method, handler, pattern)\n\n\t\t\treturn hn\n\t\t}\n\n\t\t// Found an edge to match the pattern\n\n\t\tif n.typ > ntStatic {\n\t\t\t// We found a param node, trim the param from the search path and continue.\n\t\t\t// This param/wild pattern segment would already be on the tree from a previous\n\t\t\t// call to addChild when creating a new node.\n\t\t\tsearch = search[segEndIdx:]\n\t\t\tcontinue\n\t\t}\n\n\t\t// Static nodes fall below here.\n\t\t// Determine longest prefix of the search key on match.\n\t\tcommonPrefix := longestPrefix(search, n.prefix)\n\t\tif commonPrefix == len(n.prefix) {\n\t\t\t// the common prefix is as long as the current node's prefix we're attempting to insert.\n\t\t\t// keep the search going.\n\t\t\tsearch = search[commonPrefix:]\n\t\t\tcontinue\n\t\t}\n\n\t\t// Split the node\n\t\tchild := &node{\n\t\t\ttyp: ntStatic,\n\t\t\tprefix: search[:commonPrefix],\n\t\t}\n\t\tparent.replaceChild(search[0], segTail, child)\n\n\t\t// Restore the existing node\n\t\tn.label = n.prefix[commonPrefix]\n\t\tn.prefix = n.prefix[commonPrefix:]\n\t\tchild.addChild(n, n.prefix)\n\n\t\t// If the new key is a subset, set the method/handler on this node and finish.\n\t\tsearch = search[commonPrefix:]\n\t\tif len(search) == 0 {\n\t\t\tchild.setEndpoint(method, handler, pattern)\n\t\t\treturn child\n\t\t}\n\n\t\t// Create a new edge for the node\n\t\tsubchild := &node{\n\t\t\ttyp: ntStatic,\n\t\t\tlabel: search[0],\n\t\t\tprefix: search,\n\t\t}\n\t\thn := child.addChild(subchild, search)\n\t\thn.setEndpoint(method, handler, pattern)\n\t\treturn hn\n\t}\n}\n\n// addChild appends the new `child` node to the tree using the `pattern` as the trie key.\n// For a URL router like chi's, we split the static, param, regexp and wildcard segments\n// into different nodes. In addition, addChild will recursively call itself until every\n// pattern segment is added to the url pattern tree as individual nodes, depending on type.\nfunc (n *node) addChild(child *node, prefix string) *node {\n\tsearch := prefix\n\n\t// handler leaf node added to the tree is the child.\n\t// this may be overridden later down the flow\n\thn := child\n\n\t// Parse next segment\n\tsegTyp, _, segRexpat, segTail, segStartIdx, segEndIdx := patNextSegment(search)\n\n\t// Add child depending on next up segment\n\tswitch segTyp {\n\n\tcase ntStatic:\n\t\t// Search prefix is all static (that is, has no params in path)\n\t\t// noop\n\n\tdefault:\n\t\t// Search prefix contains a param, regexp or wildcard\n\n\t\tif segTyp == ntRegexp {\n\t\t\trex, err := regexp.Compile(segRexpat)\n\t\t\tif err != nil {\n\t\t\t\tpanic(fmt.Sprintf(\"chi: invalid regexp pattern '%s' in route param\", segRexpat))\n\t\t\t}\n\t\t\tchild.prefix = segRexpat\n\t\t\tchild.rex = rex\n\t\t}\n\n\t\tif segStartIdx == 0 {\n\t\t\t// Route starts with a param\n\t\t\tchild.typ = segTyp\n\n\t\t\tif segTyp == ntCatchAll {\n\t\t\t\tsegStartIdx = -1\n\t\t\t} else {\n\t\t\t\tsegStartIdx = segEndIdx\n\t\t\t}\n\t\t\tif segStartIdx < 0 {\n\t\t\t\tsegStartIdx = len(search)\n\t\t\t}\n\t\t\tchild.tail = segTail // for params, we set the tail\n\n\t\t\tif segStartIdx != len(search) {\n\t\t\t\t// add static edge for the remaining part, split the end.\n\t\t\t\t// its not possible to have adjacent param nodes, so its certainly\n\t\t\t\t// going to be a static node next.\n\n\t\t\t\tsearch = search[segStartIdx:] // advance search position\n\n\t\t\t\tnn := &node{\n\t\t\t\t\ttyp: ntStatic,\n\t\t\t\t\tlabel: search[0],\n\t\t\t\t\tprefix: search,\n\t\t\t\t}\n\t\t\t\thn = child.addChild(nn, search)\n\t\t\t}\n\n\t\t} else if segStartIdx > 0 {\n\t\t\t// Route has some param\n\n\t\t\t// starts with a static segment\n\t\t\tchild.typ = ntStatic\n\t\t\tchild.prefix = search[:segStartIdx]\n\t\t\tchild.rex = nil\n\n\t\t\t// add the param edge node\n\t\t\tsearch = search[segStartIdx:]\n\n\t\t\tnn := &node{\n\t\t\t\ttyp: segTyp,\n\t\t\t\tlabel: search[0],\n\t\t\t\ttail: segTail,\n\t\t\t}\n\t\t\thn = child.addChild(nn, search)\n\n\t\t}\n\t}\n\n\tn.children[child.typ] = append(n.children[child.typ], child)\n\tn.children[child.typ].Sort()\n\treturn hn\n}\n\nfunc (n *node) replaceChild(label, tail byte, child *node) {\n\tfor i := 0; i < len(n.children[child.typ]); i++ {\n\t\tif n.children[child.typ][i].label == label && n.children[child.typ][i].tail == tail {\n\t\t\tn.children[child.typ][i] = child\n\t\t\tn.children[child.typ][i].label = label\n\t\t\tn.children[child.typ][i].tail = tail\n\t\t\treturn\n\t\t}\n\t}\n\tpanic(\"chi: replacing missing child\")\n}\n\nfunc (n *node) getEdge(ntyp nodeTyp, label, tail byte, prefix string) *node {\n\tnds := n.children[ntyp]\n\tfor i := 0; i < len(nds); i++ {\n\t\tif nds[i].label == label && nds[i].tail == tail {\n\t\t\tif ntyp == ntRegexp && nds[i].prefix != prefix {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\treturn nds[i]\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (n *node) setEndpoint(method methodTyp, handler http.Handler, pattern string) {\n\t// Set the handler for the method type on the node\n\tif n.endpoints == nil {\n\t\tn.endpoints = make(endpoints)\n\t}\n\n\tparamKeys := patParamKeys(pattern)\n\n\tif method&mSTUB == mSTUB {\n\t\tn.endpoints.Value(mSTUB).handler = handler\n\t}\n\tif method&mALL == mALL {\n\t\th := n.endpoints.Value(mALL)\n\t\th.handler = handler\n\t\th.pattern = pattern\n\t\th.paramKeys = paramKeys\n\t\tfor _, m := range methodMap {\n\t\t\th := n.endpoints.Value(m)\n\t\t\th.handler = handler\n\t\t\th.pattern = pattern\n\t\t\th.paramKeys = paramKeys\n\t\t}\n\t} else {\n\t\th := n.endpoints.Value(method)\n\t\th.handler = handler\n\t\th.pattern = pattern\n\t\th.paramKeys = paramKeys\n\t}\n}\n\nfunc (n *node) FindRoute(rctx *Context, method methodTyp, path string) (*node, endpoints, http.Handler) {\n\t// Reset the context routing pattern and params\n\trctx.routePattern = \"\"\n\trctx.routeParams.Keys = rctx.routeParams.Keys[:0]\n\trctx.routeParams.Values = rctx.routeParams.Values[:0]\n\n\t// Find the routing handlers for the path\n\trn := n.findRoute(rctx, method, path)\n\tif rn == nil {\n\t\treturn nil, nil, nil\n\t}\n\n\t// Record the routing params in the request lifecycle\n\trctx.URLParams.Keys = append(rctx.URLParams.Keys, rctx.routeParams.Keys...)\n\trctx.URLParams.Values = append(rctx.URLParams.Values, rctx.routeParams.Values...)\n\n\t// Record the routing pattern in the request lifecycle\n\tif rn.endpoints[method].pattern != \"\" {\n\t\trctx.routePattern = rn.endpoints[method].pattern\n\t\trctx.RoutePatterns = append(rctx.RoutePatterns, rctx.routePattern)\n\t}\n\n\treturn rn, rn.endpoints, rn.endpoints[method].handler\n}\n\n// Recursive edge traversal by checking all nodeTyp groups along the way.\n// It's like searching through a multi-dimensional radix trie.\nfunc (n *node) findRoute(rctx *Context, method methodTyp, path string) *node {\n\tnn := n\n\tsearch := path\n\n\tfor t, nds := range nn.children {\n\t\tntyp := nodeTyp(t)\n\t\tif len(nds) == 0 {\n\t\t\tcontinue\n\t\t}\n\n\t\tvar xn *node\n\t\txsearch := search\n\n\t\tvar label byte\n\t\tif search != \"\" {\n\t\t\tlabel = search[0]\n\t\t}\n\n\t\tswitch ntyp {\n\t\tcase ntStatic:\n\t\t\txn = nds.findEdge(label)\n\t\t\tif xn == nil || !strings.HasPrefix(xsearch, xn.prefix) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\txsearch = xsearch[len(xn.prefix):]\n\n\t\tcase ntParam, ntRegexp:\n\t\t\t// short-circuit and return no matching route for empty param values\n\t\t\tif xsearch == \"\" {\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\t// serially loop through each node grouped by the tail delimiter\n\t\t\tfor idx := 0; idx < len(nds); idx++ {\n\t\t\t\txn = nds[idx]\n\n\t\t\t\t// label for param nodes is the delimiter byte\n\t\t\t\tp := strings.IndexByte(xsearch, xn.tail)\n\n\t\t\t\tif p < 0 {\n\t\t\t\t\tif xn.tail == '/' {\n\t\t\t\t\t\tp = len(xsearch)\n\t\t\t\t\t} else {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t} else if ntyp == ntRegexp && p == 0 {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\n\t\t\t\tif ntyp == ntRegexp && xn.rex != nil {\n\t\t\t\t\tif !xn.rex.MatchString(xsearch[:p]) {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t} else if strings.IndexByte(xsearch[:p], '/') != -1 {\n\t\t\t\t\t// avoid a match across path segments\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\n\t\t\t\tprevlen := len(rctx.routeParams.Values)\n\t\t\t\trctx.routeParams.Values = append(rctx.routeParams.Values, xsearch[:p])\n\t\t\t\txsearch = xsearch[p:]\n\n\t\t\t\tif len(xsearch) == 0 {\n\t\t\t\t\tif xn.isLeaf() {\n\t\t\t\t\t\th := xn.endpoints[method]\n\t\t\t\t\t\tif h != nil && h.handler != nil {\n\t\t\t\t\t\t\trctx.routeParams.Keys = append(rctx.routeParams.Keys, h.paramKeys...)\n\t\t\t\t\t\t\treturn xn\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tfor endpoints := range xn.endpoints {\n\t\t\t\t\t\t\tif endpoints == mALL || endpoints == mSTUB {\n\t\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\trctx.methodsAllowed = append(rctx.methodsAllowed, endpoints)\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// flag that the routing context found a route, but not a corresponding\n\t\t\t\t\t\t// supported method\n\t\t\t\t\t\trctx.methodNotAllowed = true\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// recursively find the next node on this branch\n\t\t\t\tfin := xn.findRoute(rctx, method, xsearch)\n\t\t\t\tif fin != nil {\n\t\t\t\t\treturn fin\n\t\t\t\t}\n\n\t\t\t\t// not found on this branch, reset vars\n\t\t\t\trctx.routeParams.Values = rctx.routeParams.Values[:prevlen]\n\t\t\t\txsearch = search\n\t\t\t}\n\n\t\t\trctx.routeParams.Values = append(rctx.routeParams.Values, \"\")\n\n\t\tdefault:\n\t\t\t// catch-all nodes\n\t\t\trctx.routeParams.Values = append(rctx.routeParams.Values, search)\n\t\t\txn = nds[0]\n\t\t\txsearch = \"\"\n\t\t}\n\n\t\tif xn == nil {\n\t\t\tcontinue\n\t\t}\n\n\t\t// did we find it yet?\n\t\tif len(xsearch) == 0 {\n\t\t\tif xn.isLeaf() {\n\t\t\t\th := xn.endpoints[method]\n\t\t\t\tif h != nil && h.handler != nil {\n\t\t\t\t\trctx.routeParams.Keys = append(rctx.routeParams.Keys, h.paramKeys...)\n\t\t\t\t\treturn xn\n\t\t\t\t}\n\n\t\t\t\tfor endpoints := range xn.endpoints {\n\t\t\t\t\tif endpoints == mALL || endpoints == mSTUB {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\trctx.methodsAllowed = append(rctx.methodsAllowed, endpoints)\n\t\t\t\t}\n\n\t\t\t\t// flag that the routing context found a route, but not a corresponding\n\t\t\t\t// supported method\n\t\t\t\trctx.methodNotAllowed = true\n\t\t\t}\n\t\t}\n\n\t\t// recursively find the next node..\n\t\tfin := xn.findRoute(rctx, method, xsearch)\n\t\tif fin != nil {\n\t\t\treturn fin\n\t\t}\n\n\t\t// Did not find final handler, let's remove the param here if it was set\n\t\tif xn.typ > ntStatic {\n\t\t\tif len(rctx.routeParams.Values) > 0 {\n\t\t\t\trctx.routeParams.Values = rctx.routeParams.Values[:len(rctx.routeParams.Values)-1]\n\t\t\t}\n\t\t}\n\n\t}\n\n\treturn nil\n}\n\nfunc (n *node) findEdge(ntyp nodeTyp, label byte) *node {\n\tnds := n.children[ntyp]\n\tnum := len(nds)\n\tidx := 0\n\n\tswitch ntyp {\n\tcase ntStatic, ntParam, ntRegexp:\n\t\ti, j := 0, num-1\n\t\tfor i <= j {\n\t\t\tidx = i + (j-i)/2\n\t\t\tif label > nds[idx].label {\n\t\t\t\ti = idx + 1\n\t\t\t} else if label < nds[idx].label {\n\t\t\t\tj = idx - 1\n\t\t\t} else {\n\t\t\t\ti = num // breaks cond\n\t\t\t}\n\t\t}\n\t\tif nds[idx].label != label {\n\t\t\treturn nil\n\t\t}\n\t\treturn nds[idx]\n\n\tdefault: // catch all\n\t\treturn nds[idx]\n\t}\n}\n\nfunc (n *node) isLeaf() bool {\n\treturn n.endpoints != nil\n}\n\nfunc (n *node) findPattern(pattern string) bool {\n\tnn := n\n\tfor _, nds := range nn.children {\n\t\tif len(nds) == 0 {\n\t\t\tcontinue\n\t\t}\n\n\t\tn = nn.findEdge(nds[0].typ, pattern[0])\n\t\tif n == nil {\n\t\t\tcontinue\n\t\t}\n\n\t\tvar idx int\n\t\tvar xpattern string\n\n\t\tswitch n.typ {\n\t\tcase ntStatic:\n\t\t\tidx = longestPrefix(pattern, n.prefix)\n\t\t\tif idx < len(n.prefix) {\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\tcase ntParam, ntRegexp:\n\t\t\tidx = strings.IndexByte(pattern, '}') + 1\n\n\t\tcase ntCatchAll:\n\t\t\tidx = longestPrefix(pattern, \"*\")\n\n\t\tdefault:\n\t\t\tpanic(\"chi: unknown node type\")\n\t\t}\n\n\t\txpattern = pattern[idx:]\n\t\tif len(xpattern) == 0 {\n\t\t\treturn true\n\t\t}\n\n\t\treturn n.findPattern(xpattern)\n\t}\n\treturn false\n}\n\nfunc (n *node) routes() []Route {\n\trts := []Route{}\n\n\tn.walk(func(eps endpoints, subroutes Routes) bool {\n\t\tif eps[mSTUB] != nil && eps[mSTUB].handler != nil && subroutes == nil {\n\t\t\treturn false\n\t\t}\n\n\t\t// Group methodHandlers by unique patterns\n\t\tpats := make(map[string]endpoints)\n\n\t\tfor mt, h := range eps {\n\t\t\tif h.pattern == \"\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tp, ok := pats[h.pattern]\n\t\t\tif !ok {\n\t\t\t\tp = endpoints{}\n\t\t\t\tpats[h.pattern] = p\n\t\t\t}\n\t\t\tp[mt] = h\n\t\t}\n\n\t\tfor p, mh := range pats {\n\t\t\ths := make(map[string]http.Handler)\n\t\t\tif mh[mALL] != nil && mh[mALL].handler != nil {\n\t\t\t\ths[\"*\"] = mh[mALL].handler\n\t\t\t}\n\n\t\t\tfor mt, h := range mh {\n\t\t\t\tif h.handler == nil {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tm := methodTypString(mt)\n\t\t\t\tif m == \"\" {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\ths[m] = h.handler\n\t\t\t}\n\n\t\t\trt := Route{subroutes, hs, p}\n\t\t\trts = append(rts, rt)\n\t\t}\n\n\t\treturn false\n\t})\n\n\treturn rts\n}\n\nfunc (n *node) walk(fn func(eps endpoints, subroutes Routes) bool) bool {\n\t// Visit the leaf values if any\n\tif (n.endpoints != nil || n.subroutes != nil) && fn(n.endpoints, n.subroutes) {\n\t\treturn true\n\t}\n\n\t// Recurse on the children\n\tfor _, ns := range n.children {\n\t\tfor _, cn := range ns {\n\t\t\tif cn.walk(fn) {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\n// patNextSegment returns the next segment details from a pattern:\n// node type, param key, regexp string, param tail byte, param starting index, param ending index\nfunc patNextSegment(pattern string) (nodeTyp, string, string, byte, int, int) {\n\tps := strings.Index(pattern, \"{\")\n\tws := strings.Index(pattern, \"*\")\n\n\tif ps < 0 && ws < 0 {\n\t\treturn ntStatic, \"\", \"\", 0, 0, len(pattern) // we return the entire thing\n\t}\n\n\t// Sanity check\n\tif ps >= 0 && ws >= 0 && ws < ps {\n\t\tpanic(\"chi: wildcard '*' must be the last pattern in a route, otherwise use a '{param}'\")\n\t}\n\n\tvar tail byte = '/' // Default endpoint tail to / byte\n\n\tif ps >= 0 {\n\t\t// Param/Regexp pattern is next\n\t\tnt := ntParam\n\n\t\t// Read to closing } taking into account opens and closes in curl count (cc)\n\t\tcc := 0\n\t\tpe := ps\n\t\tfor i, c := range pattern[ps:] {\n\t\t\tif c == '{' {\n\t\t\t\tcc++\n\t\t\t} else if c == '}' {\n\t\t\t\tcc--\n\t\t\t\tif cc == 0 {\n\t\t\t\t\tpe = ps + i\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif pe == ps {\n\t\t\tpanic(\"chi: route param closing delimiter '}' is missing\")\n\t\t}\n\n\t\tkey := pattern[ps+1 : pe]\n\t\tpe++ // set end to next position\n\n\t\tif pe < len(pattern) {\n\t\t\ttail = pattern[pe]\n\t\t}\n\n\t\tkey, rexpat, isRegexp := strings.Cut(key, \":\")\n\t\tif isRegexp {\n\t\t\tnt = ntRegexp\n\t\t}\n\n\t\tif len(rexpat) > 0 {\n\t\t\tif rexpat[0] != '^' {\n\t\t\t\trexpat = \"^\" + rexpat\n\t\t\t}\n\t\t\tif rexpat[len(rexpat)-1] != '$' {\n\t\t\t\trexpat += \"$\"\n\t\t\t}\n\t\t}\n\n\t\treturn nt, key, rexpat, tail, ps, pe\n\t}\n\n\t// Wildcard pattern as finale\n\tif ws < len(pattern)-1 {\n\t\tpanic(\"chi: wildcard '*' must be the last value in a route. trim trailing text or use a '{param}' instead\")\n\t}\n\treturn ntCatchAll, \"*\", \"\", 0, ws, len(pattern)\n}\n\nfunc patParamKeys(pattern string) []string {\n\tpat := pattern\n\tparamKeys := []string{}\n\tfor {\n\t\tptyp, paramKey, _, _, _, e := patNextSegment(pat)\n\t\tif ptyp == ntStatic {\n\t\t\treturn paramKeys\n\t\t}\n\t\tfor i := 0; i < len(paramKeys); i++ {\n\t\t\tif paramKeys[i] == paramKey {\n\t\t\t\tpanic(fmt.Sprintf(\"chi: routing pattern '%s' contains duplicate param key, '%s'\", pattern, paramKey))\n\t\t\t}\n\t\t}\n\t\tparamKeys = append(paramKeys, paramKey)\n\t\tpat = pat[e:]\n\t}\n}\n\n// longestPrefix finds the length of the shared prefix\n// of two strings\nfunc longestPrefix(k1, k2 string) int {\n\tmax := len(k1)\n\tif l := len(k2); l < max {\n\t\tmax = l\n\t}\n\tvar i int\n\tfor i = 0; i < max; i++ {\n\t\tif k1[i] != k2[i] {\n\t\t\tbreak\n\t\t}\n\t}\n\treturn i\n}\n\nfunc methodTypString(method methodTyp) string {\n\tfor s, t := range methodMap {\n\t\tif method == t {\n\t\t\treturn s\n\t\t}\n\t}\n\treturn \"\"\n}\n\ntype nodes []*node\n\n// Sort the list of nodes by label\nfunc (ns nodes) Sort() { sort.Sort(ns); ns.tailSort() }\nfunc (ns nodes) Len() int { return len(ns) }\nfunc (ns nodes) Swap(i, j int) { ns[i], ns[j] = ns[j], ns[i] }\nfunc (ns nodes) Less(i, j int) bool { return ns[i].label < ns[j].label }\n\n// tailSort pushes nodes with '/' as the tail to the end of the list for param nodes.\n// The list order determines the traversal order.\nfunc (ns nodes) tailSort() {\n\tfor i := len(ns) - 1; i >= 0; i-- {\n\t\tif ns[i].typ > ntStatic && ns[i].tail == '/' {\n\t\t\tns.Swap(i, len(ns)-1)\n\t\t\treturn\n\t\t}\n\t}\n}\n\nfunc (ns nodes) findEdge(label byte) *node {\n\tnum := len(ns)\n\tidx := 0\n\ti, j := 0, num-1\n\tfor i <= j {\n\t\tidx = i + (j-i)/2\n\t\tif label > ns[idx].label {\n\t\t\ti = idx + 1\n\t\t} else if label < ns[idx].label {\n\t\t\tj = idx - 1\n\t\t} else {\n\t\t\ti = num // breaks cond\n\t\t}\n\t}\n\tif ns[idx].label != label {\n\t\treturn nil\n\t}\n\treturn ns[idx]\n}\n\n// Route describes the details of a routing handler.\n// Handlers map key is an HTTP method\ntype Route struct {\n\tSubRoutes Routes\n\tHandlers map[string]http.Handler\n\tPattern string\n}\n\n// WalkFunc is the type of the function called for each method and route visited by Walk.\ntype WalkFunc func(method string, route string, handler http.Handler, middlewares ...func(http.Handler) http.Handler) error\n\n// Walk walks any router tree that implements Routes interface.\nfunc Walk(r Routes, walkFn WalkFunc) error {\n\treturn walk(r, walkFn, \"\")\n}\n\nfunc walk(r Routes, walkFn WalkFunc, parentRoute string, parentMw ...func(http.Handler) http.Handler) error {\n\tfor _, route := range r.Routes() {\n\t\tmws := make([]func(http.Handler) http.Handler, len(parentMw))\n\t\tcopy(mws, parentMw)\n\t\tmws = append(mws, r.Middlewares()...)\n\n\t\tif route.SubRoutes != nil {\n\t\t\tif err := walk(route.SubRoutes, walkFn, parentRoute+route.Pattern, mws...); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\n\t\tfor method, handler := range route.Handlers {\n\t\t\tif method == \"*\" {\n\t\t\t\t// Ignore a \"catchAll\" method, since we pass down all the specific methods for each route.\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tfullRoute := parentRoute + route.Pattern\n\t\t\tfullRoute = strings.Replace(fullRoute, \"/*/\", \"/\", -1)\n\n\t\t\tif chain, ok := handler.(*ChainHandler); ok {\n\t\t\t\tif err := walkFn(method, fullRoute, chain.Endpoint, append(mws, chain.Middlewares...)...); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tif err := walkFn(method, fullRoute, handler, mws...); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn nil\n}\n" }, { "path": "vendor/github.com/go-chi/cors/LICENSE", "content": "Copyright (c) 2014 Olivier Poitrey \nCopyright (c) 2016-Present https://github.com/go-chi authors\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n" }, { "path": "vendor/github.com/go-chi/cors/README.md", "content": "# CORS net/http middleware\n\n[go-chi/cors](https://github.com/go-chi/cors) is a fork of [github.com/rs/cors](https://github.com/rs/cors) that\nprovides a `net/http` compatible middleware for performing preflight CORS checks on the server side. These headers\nare required for using the browser native [Fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API).\n\nThis middleware is designed to be used as a top-level middleware on the [chi](https://github.com/go-chi/chi) router.\nApplying with within a `r.Group()` or using `With()` will not work without routes matching `OPTIONS` added.\n\n## Usage\n\n```go\nfunc main() {\n r := chi.NewRouter()\n\n // Basic CORS\n // for more ideas, see: https://developer.github.com/v3/#cross-origin-resource-sharing\n r.Use(cors.Handler(cors.Options{\n // AllowedOrigins: []string{\"https://foo.com\"}, // Use this to allow specific origin hosts\n AllowedOrigins: []string{\"https://*\", \"http://*\"},\n // AllowOriginFunc: func(r *http.Request, origin string) bool { return true },\n AllowedMethods: []string{\"GET\", \"POST\", \"PUT\", \"DELETE\", \"OPTIONS\"},\n AllowedHeaders: []string{\"Accept\", \"Authorization\", \"Content-Type\", \"X-CSRF-Token\"},\n ExposedHeaders: []string{\"Link\"},\n AllowCredentials: false,\n MaxAge: 300, // Maximum value not ignored by any of major browsers\n }))\n\n r.Get(\"/\", func(w http.ResponseWriter, r *http.Request) {\n w.Write([]byte(\"welcome\"))\n })\n\n http.ListenAndServe(\":3000\", r)\n}\n```\n\n## Credits\n\nAll credit for the original work of this middleware goes out to [github.com/rs](github.com/rs).\n" }, { "path": "vendor/github.com/go-chi/cors/cors.go", "content": "// cors package is net/http handler to handle CORS related requests\n// as defined by http://www.w3.org/TR/cors/\n//\n// You can configure it by passing an option struct to cors.New:\n//\n// c := cors.New(cors.Options{\n// AllowedOrigins: []string{\"foo.com\"},\n// AllowedMethods: []string{\"GET\", \"POST\", \"DELETE\"},\n// AllowCredentials: true,\n// })\n//\n// Then insert the handler in the chain:\n//\n// handler = c.Handler(handler)\n//\n// See Options documentation for more options.\n//\n// The resulting handler is a standard net/http handler.\npackage cors\n\nimport (\n\t\"log\"\n\t\"net/http\"\n\t\"os\"\n\t\"strconv\"\n\t\"strings\"\n)\n\n// Options is a configuration container to setup the CORS middleware.\ntype Options struct {\n\t// AllowedOrigins is a list of origins a cross-domain request can be executed from.\n\t// If the special \"*\" value is present in the list, all origins will be allowed.\n\t// An origin may contain a wildcard (*) to replace 0 or more characters\n\t// (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penalty.\n\t// Only one wildcard can be used per origin.\n\t// Default value is [\"*\"]\n\tAllowedOrigins []string\n\n\t// AllowOriginFunc is a custom function to validate the origin. It takes the origin\n\t// as argument and returns true if allowed or false otherwise. If this option is\n\t// set, the content of AllowedOrigins is ignored.\n\tAllowOriginFunc func(r *http.Request, origin string) bool\n\n\t// AllowedMethods is a list of methods the client is allowed to use with\n\t// cross-domain requests. Default value is simple methods (HEAD, GET and POST).\n\tAllowedMethods []string\n\n\t// AllowedHeaders is list of non simple headers the client is allowed to use with\n\t// cross-domain requests.\n\t// If the special \"*\" value is present in the list, all headers will be allowed.\n\t// Default value is [] but \"Origin\" is always appended to the list.\n\tAllowedHeaders []string\n\n\t// ExposedHeaders indicates which headers are safe to expose to the API of a CORS\n\t// API specification\n\tExposedHeaders []string\n\n\t// AllowCredentials indicates whether the request can include user credentials like\n\t// cookies, HTTP authentication or client side SSL certificates.\n\tAllowCredentials bool\n\n\t// MaxAge indicates how long (in seconds) the results of a preflight request\n\t// can be cached\n\tMaxAge int\n\n\t// OptionsPassthrough instructs preflight to let other potential next handlers to\n\t// process the OPTIONS method. Turn this on if your application handles OPTIONS.\n\tOptionsPassthrough bool\n\n\t// Debugging flag adds additional output to debug server side CORS issues\n\tDebug bool\n}\n\n// Logger generic interface for logger\ntype Logger interface {\n\tPrintf(string, ...interface{})\n}\n\n// Cors http handler\ntype Cors struct {\n\t// Debug logger\n\tLog Logger\n\n\t// Normalized list of plain allowed origins\n\tallowedOrigins []string\n\n\t// List of allowed origins containing wildcards\n\tallowedWOrigins []wildcard\n\n\t// Optional origin validator function\n\tallowOriginFunc func(r *http.Request, origin string) bool\n\n\t// Normalized list of allowed headers\n\tallowedHeaders []string\n\n\t// Normalized list of allowed methods\n\tallowedMethods []string\n\n\t// Normalized list of exposed headers\n\texposedHeaders []string\n\tmaxAge int\n\n\t// Set to true when allowed origins contains a \"*\"\n\tallowedOriginsAll bool\n\n\t// Set to true when allowed headers contains a \"*\"\n\tallowedHeadersAll bool\n\n\tallowCredentials bool\n\toptionPassthrough bool\n}\n\n// New creates a new Cors handler with the provided options.\nfunc New(options Options) *Cors {\n\tc := &Cors{\n\t\texposedHeaders: convert(options.ExposedHeaders, http.CanonicalHeaderKey),\n\t\tallowOriginFunc: options.AllowOriginFunc,\n\t\tallowCredentials: options.AllowCredentials,\n\t\tmaxAge: options.MaxAge,\n\t\toptionPassthrough: options.OptionsPassthrough,\n\t}\n\tif options.Debug && c.Log == nil {\n\t\tc.Log = log.New(os.Stdout, \"[cors] \", log.LstdFlags)\n\t}\n\n\t// Normalize options\n\t// Note: for origins and methods matching, the spec requires a case-sensitive matching.\n\t// As it may error prone, we chose to ignore the spec here.\n\n\t// Allowed Origins\n\tif len(options.AllowedOrigins) == 0 {\n\t\tif options.AllowOriginFunc == nil {\n\t\t\t// Default is all origins\n\t\t\tc.allowedOriginsAll = true\n\t\t}\n\t} else {\n\t\tc.allowedOrigins = []string{}\n\t\tc.allowedWOrigins = []wildcard{}\n\t\tfor _, origin := range options.AllowedOrigins {\n\t\t\t// Normalize\n\t\t\torigin = strings.ToLower(origin)\n\t\t\tif origin == \"*\" {\n\t\t\t\t// If \"*\" is present in the list, turn the whole list into a match all\n\t\t\t\tc.allowedOriginsAll = true\n\t\t\t\tc.allowedOrigins = nil\n\t\t\t\tc.allowedWOrigins = nil\n\t\t\t\tbreak\n\t\t\t} else if i := strings.IndexByte(origin, '*'); i >= 0 {\n\t\t\t\t// Split the origin in two: start and end string without the *\n\t\t\t\tw := wildcard{origin[0:i], origin[i+1:]}\n\t\t\t\tc.allowedWOrigins = append(c.allowedWOrigins, w)\n\t\t\t} else {\n\t\t\t\tc.allowedOrigins = append(c.allowedOrigins, origin)\n\t\t\t}\n\t\t}\n\t}\n\n\t// Allowed Headers\n\tif len(options.AllowedHeaders) == 0 {\n\t\t// Use sensible defaults\n\t\tc.allowedHeaders = []string{\"Origin\", \"Accept\", \"Content-Type\"}\n\t} else {\n\t\t// Origin is always appended as some browsers will always request for this header at preflight\n\t\tc.allowedHeaders = convert(append(options.AllowedHeaders, \"Origin\"), http.CanonicalHeaderKey)\n\t\tfor _, h := range options.AllowedHeaders {\n\t\t\tif h == \"*\" {\n\t\t\t\tc.allowedHeadersAll = true\n\t\t\t\tc.allowedHeaders = nil\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\n\t// Allowed Methods\n\tif len(options.AllowedMethods) == 0 {\n\t\t// Default is spec's \"simple\" methods\n\t\tc.allowedMethods = []string{http.MethodGet, http.MethodPost, http.MethodHead}\n\t} else {\n\t\tc.allowedMethods = convert(options.AllowedMethods, strings.ToUpper)\n\t}\n\n\treturn c\n}\n\n// Handler creates a new Cors handler with passed options.\nfunc Handler(options Options) func(next http.Handler) http.Handler {\n\tc := New(options)\n\treturn c.Handler\n}\n\n// AllowAll create a new Cors handler with permissive configuration allowing all\n// origins with all standard methods with any header and credentials.\nfunc AllowAll() *Cors {\n\treturn New(Options{\n\t\tAllowedOrigins: []string{\"*\"},\n\t\tAllowedMethods: []string{\n\t\t\thttp.MethodHead,\n\t\t\thttp.MethodGet,\n\t\t\thttp.MethodPost,\n\t\t\thttp.MethodPut,\n\t\t\thttp.MethodPatch,\n\t\t\thttp.MethodDelete,\n\t\t},\n\t\tAllowedHeaders: []string{\"*\"},\n\t\tAllowCredentials: false,\n\t})\n}\n\n// Handler apply the CORS specification on the request, and add relevant CORS headers\n// as necessary.\nfunc (c *Cors) Handler(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tif r.Method == http.MethodOptions && r.Header.Get(\"Access-Control-Request-Method\") != \"\" {\n\t\t\tc.logf(\"Handler: Preflight request\")\n\t\t\tc.handlePreflight(w, r)\n\t\t\t// Preflight requests are standalone and should stop the chain as some other\n\t\t\t// middleware may not handle OPTIONS requests correctly. One typical example\n\t\t\t// is authentication middleware ; OPTIONS requests won't carry authentication\n\t\t\t// headers (see #1)\n\t\t\tif c.optionPassthrough {\n\t\t\t\tnext.ServeHTTP(w, r)\n\t\t\t} else {\n\t\t\t\tw.WriteHeader(http.StatusOK)\n\t\t\t}\n\t\t} else {\n\t\t\tc.logf(\"Handler: Actual request\")\n\t\t\tc.handleActualRequest(w, r)\n\t\t\tnext.ServeHTTP(w, r)\n\t\t}\n\t})\n}\n\n// handlePreflight handles pre-flight CORS requests\nfunc (c *Cors) handlePreflight(w http.ResponseWriter, r *http.Request) {\n\theaders := w.Header()\n\torigin := r.Header.Get(\"Origin\")\n\n\tif r.Method != http.MethodOptions {\n\t\tc.logf(\"Preflight aborted: %s!=OPTIONS\", r.Method)\n\t\treturn\n\t}\n\t// Always set Vary headers\n\t// see https://github.com/rs/cors/issues/10,\n\t// https://github.com/rs/cors/commit/dbdca4d95feaa7511a46e6f1efb3b3aa505bc43f#commitcomment-12352001\n\theaders.Add(\"Vary\", \"Origin\")\n\theaders.Add(\"Vary\", \"Access-Control-Request-Method\")\n\theaders.Add(\"Vary\", \"Access-Control-Request-Headers\")\n\n\tif origin == \"\" {\n\t\tc.logf(\"Preflight aborted: empty origin\")\n\t\treturn\n\t}\n\tif !c.isOriginAllowed(r, origin) {\n\t\tc.logf(\"Preflight aborted: origin '%s' not allowed\", origin)\n\t\treturn\n\t}\n\n\treqMethod := r.Header.Get(\"Access-Control-Request-Method\")\n\tif !c.isMethodAllowed(reqMethod) {\n\t\tc.logf(\"Preflight aborted: method '%s' not allowed\", reqMethod)\n\t\treturn\n\t}\n\treqHeaders := parseHeaderList(r.Header.Get(\"Access-Control-Request-Headers\"))\n\tif !c.areHeadersAllowed(reqHeaders) {\n\t\tc.logf(\"Preflight aborted: headers '%v' not allowed\", reqHeaders)\n\t\treturn\n\t}\n\tif c.allowedOriginsAll {\n\t\theaders.Set(\"Access-Control-Allow-Origin\", \"*\")\n\t} else {\n\t\theaders.Set(\"Access-Control-Allow-Origin\", origin)\n\t}\n\t// Spec says: Since the list of methods can be unbounded, simply returning the method indicated\n\t// by Access-Control-Request-Method (if supported) can be enough\n\theaders.Set(\"Access-Control-Allow-Methods\", strings.ToUpper(reqMethod))\n\tif len(reqHeaders) > 0 {\n\n\t\t// Spec says: Since the list of headers can be unbounded, simply returning supported headers\n\t\t// from Access-Control-Request-Headers can be enough\n\t\theaders.Set(\"Access-Control-Allow-Headers\", strings.Join(reqHeaders, \", \"))\n\t}\n\tif c.allowCredentials {\n\t\theaders.Set(\"Access-Control-Allow-Credentials\", \"true\")\n\t}\n\tif c.maxAge > 0 {\n\t\theaders.Set(\"Access-Control-Max-Age\", strconv.Itoa(c.maxAge))\n\t}\n\tc.logf(\"Preflight response headers: %v\", headers)\n}\n\n// handleActualRequest handles simple cross-origin requests, actual request or redirects\nfunc (c *Cors) handleActualRequest(w http.ResponseWriter, r *http.Request) {\n\theaders := w.Header()\n\torigin := r.Header.Get(\"Origin\")\n\n\t// Always set Vary, see https://github.com/rs/cors/issues/10\n\theaders.Add(\"Vary\", \"Origin\")\n\tif origin == \"\" {\n\t\tc.logf(\"Actual request no headers added: missing origin\")\n\t\treturn\n\t}\n\tif !c.isOriginAllowed(r, origin) {\n\t\tc.logf(\"Actual request no headers added: origin '%s' not allowed\", origin)\n\t\treturn\n\t}\n\n\t// Note that spec does define a way to specifically disallow a simple method like GET or\n\t// POST. Access-Control-Allow-Methods is only used for pre-flight requests and the\n\t// spec doesn't instruct to check the allowed methods for simple cross-origin requests.\n\t// We think it's a nice feature to be able to have control on those methods though.\n\tif !c.isMethodAllowed(r.Method) {\n\t\tc.logf(\"Actual request no headers added: method '%s' not allowed\", r.Method)\n\n\t\treturn\n\t}\n\tif c.allowedOriginsAll {\n\t\theaders.Set(\"Access-Control-Allow-Origin\", \"*\")\n\t} else {\n\t\theaders.Set(\"Access-Control-Allow-Origin\", origin)\n\t}\n\tif len(c.exposedHeaders) > 0 {\n\t\theaders.Set(\"Access-Control-Expose-Headers\", strings.Join(c.exposedHeaders, \", \"))\n\t}\n\tif c.allowCredentials {\n\t\theaders.Set(\"Access-Control-Allow-Credentials\", \"true\")\n\t}\n\tc.logf(\"Actual response added headers: %v\", headers)\n}\n\n// convenience method. checks if a logger is set.\nfunc (c *Cors) logf(format string, a ...interface{}) {\n\tif c.Log != nil {\n\t\tc.Log.Printf(format, a...)\n\t}\n}\n\n// isOriginAllowed checks if a given origin is allowed to perform cross-domain requests\n// on the endpoint\nfunc (c *Cors) isOriginAllowed(r *http.Request, origin string) bool {\n\tif c.allowOriginFunc != nil {\n\t\treturn c.allowOriginFunc(r, origin)\n\t}\n\tif c.allowedOriginsAll {\n\t\treturn true\n\t}\n\torigin = strings.ToLower(origin)\n\tfor _, o := range c.allowedOrigins {\n\t\tif o == origin {\n\t\t\treturn true\n\t\t}\n\t}\n\tfor _, w := range c.allowedWOrigins {\n\t\tif w.match(origin) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// isMethodAllowed checks if a given method can be used as part of a cross-domain request\n// on the endpoint\nfunc (c *Cors) isMethodAllowed(method string) bool {\n\tif len(c.allowedMethods) == 0 {\n\t\t// If no method allowed, always return false, even for preflight request\n\t\treturn false\n\t}\n\tmethod = strings.ToUpper(method)\n\tif method == http.MethodOptions {\n\t\t// Always allow preflight requests\n\t\treturn true\n\t}\n\tfor _, m := range c.allowedMethods {\n\t\tif m == method {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// areHeadersAllowed checks if a given list of headers are allowed to used within\n// a cross-domain request.\nfunc (c *Cors) areHeadersAllowed(requestedHeaders []string) bool {\n\tif c.allowedHeadersAll || len(requestedHeaders) == 0 {\n\t\treturn true\n\t}\n\tfor _, header := range requestedHeaders {\n\t\theader = http.CanonicalHeaderKey(header)\n\t\tfound := false\n\t\tfor _, h := range c.allowedHeaders {\n\t\t\tif h == header {\n\t\t\t\tfound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n" }, { "path": "vendor/github.com/go-chi/cors/utils.go", "content": "package cors\n\nimport \"strings\"\n\nconst toLower = 'a' - 'A'\n\ntype converter func(string) string\n\ntype wildcard struct {\n\tprefix string\n\tsuffix string\n}\n\nfunc (w wildcard) match(s string) bool {\n\treturn len(s) >= len(w.prefix+w.suffix) && strings.HasPrefix(s, w.prefix) && strings.HasSuffix(s, w.suffix)\n}\n\n// convert converts a list of string using the passed converter function\nfunc convert(s []string, c converter) []string {\n\tout := []string{}\n\tfor _, i := range s {\n\t\tout = append(out, c(i))\n\t}\n\treturn out\n}\n\n// parseHeaderList tokenize + normalize a string containing a list of headers\nfunc parseHeaderList(headerList string) []string {\n\tl := len(headerList)\n\th := make([]byte, 0, l)\n\tupper := true\n\t// Estimate the number headers in order to allocate the right splice size\n\tt := 0\n\tfor i := 0; i < l; i++ {\n\t\tif headerList[i] == ',' {\n\t\t\tt++\n\t\t}\n\t}\n\theaders := make([]string, 0, t)\n\tfor i := 0; i < l; i++ {\n\t\tb := headerList[i]\n\t\tif b >= 'a' && b <= 'z' {\n\t\t\tif upper {\n\t\t\t\th = append(h, b-toLower)\n\t\t\t} else {\n\t\t\t\th = append(h, b)\n\t\t\t}\n\t\t} else if b >= 'A' && b <= 'Z' {\n\t\t\tif !upper {\n\t\t\t\th = append(h, b+toLower)\n\t\t\t} else {\n\t\t\t\th = append(h, b)\n\t\t\t}\n\t\t} else if b == '-' || b == '_' || b == '.' || (b >= '0' && b <= '9') {\n\t\t\th = append(h, b)\n\t\t}\n\n\t\tif b == ' ' || b == ',' || i == l-1 {\n\t\t\tif len(h) > 0 {\n\t\t\t\t// Flush the found header\n\t\t\t\theaders = append(headers, string(h))\n\t\t\t\th = h[:0]\n\t\t\t\tupper = true\n\t\t\t}\n\t\t} else {\n\t\t\tupper = b == '-'\n\t\t}\n\t}\n\treturn headers\n}\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/.gitignore", "content": "jose-util/jose-util\njose-util.t.err" }, { "path": "vendor/github.com/go-jose/go-jose/v4/.golangci.yml", "content": "# https://github.com/golangci/golangci-lint\n\nrun:\n skip-files:\n - doc_test.go\n modules-download-mode: readonly\n\nlinters:\n enable-all: true\n disable:\n - gochecknoglobals\n - goconst\n - lll\n - maligned\n - nakedret\n - scopelint\n - unparam\n - funlen # added in 1.18 (requires go-jose changes before it can be enabled)\n\nlinters-settings:\n gocyclo:\n min-complexity: 35\n\nissues:\n exclude-rules:\n - text: \"don't use ALL_CAPS in Go names\"\n linters:\n - golint\n - text: \"hardcoded credentials\"\n linters:\n - gosec\n - text: \"weak cryptographic primitive\"\n linters:\n - gosec\n - path: json/\n linters:\n - dupl\n - errcheck\n - gocritic\n - gocyclo\n - golint\n - govet\n - ineffassign\n - staticcheck\n - structcheck\n - stylecheck\n - unused\n - path: _test\\.go\n linters:\n - scopelint\n - path: jwk.go\n linters:\n - gocyclo\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/.travis.yml", "content": "language: go\n\nmatrix:\n fast_finish: true\n allow_failures:\n - go: tip\n\ngo:\n - \"1.13.x\"\n - \"1.14.x\"\n - tip\n\nbefore_script:\n - export PATH=$HOME/.local/bin:$PATH\n\nbefore_install:\n - go get -u github.com/mattn/goveralls github.com/wadey/gocovmerge\n - curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.18.0\n - pip install cram --user\n\nscript:\n - go test -v -covermode=count -coverprofile=profile.cov .\n - go test -v -covermode=count -coverprofile=cryptosigner/profile.cov ./cryptosigner\n - go test -v -covermode=count -coverprofile=cipher/profile.cov ./cipher\n - go test -v -covermode=count -coverprofile=jwt/profile.cov ./jwt\n - go test -v ./json # no coverage for forked encoding/json package\n - golangci-lint run\n - cd jose-util && go build && PATH=$PWD:$PATH cram -v jose-util.t # cram tests jose-util\n - cd ..\n\nafter_success:\n - gocovmerge *.cov */*.cov > merged.coverprofile\n - goveralls -coverprofile merged.coverprofile -service=travis-ci\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md", "content": "# Contributing\n\nIf you would like to contribute code to go-jose you can do so through GitHub by\nforking the repository and sending a pull request.\n\nWhen submitting code, please make every effort to follow existing conventions\nand style in order to keep the code as readable as possible. Please also make\nsure all tests pass by running `go test`, and format your code with `go fmt`.\nWe also recommend using `golint` and `errcheck`.\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/LICENSE", "content": "\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"[]\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright [yyyy] [name of copyright owner]\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/README.md", "content": "# Go JOSE\n\n[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)\n[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)\n[![license](https://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE)\n\nPackage jose aims to provide an implementation of the Javascript Object Signing\nand Encryption set of standards. This includes support for JSON Web Encryption,\nJSON Web Signature, and JSON Web Token standards.\n\n## Overview\n\nThe implementation follows the\n[JSON Web Encryption](https://dx.doi.org/10.17487/RFC7516) (RFC 7516),\n[JSON Web Signature](https://dx.doi.org/10.17487/RFC7515) (RFC 7515), and\n[JSON Web Token](https://dx.doi.org/10.17487/RFC7519) (RFC 7519) specifications.\nTables of supported algorithms are shown below. The library supports both\nthe compact and JWS/JWE JSON Serialization formats, and has optional support for\nmultiple recipients. It also comes with a small command-line utility\n([`jose-util`](https://pkg.go.dev/github.com/go-jose/go-jose/jose-util))\nfor dealing with JOSE messages in a shell.\n\n**Note**: We use a forked version of the `encoding/json` package from the Go\nstandard library which uses case-sensitive matching for member names (instead\nof [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html)).\nThis is to avoid differences in interpretation of messages between go-jose and\nlibraries in other languages.\n\n### Versions\n\nThe forthcoming Version 5 will be released with several breaking API changes,\nand will require Golang's `encoding/json/v2`, which is currently requires \nGo 1.25 built with GOEXPERIMENT=jsonv2.\n\nVersion 4 is the current stable version:\n\n import \"github.com/go-jose/go-jose/v4\"\n\nIt supports at least the current and previous Golang release. Currently it\nrequires Golang 1.24.\n\nVersion 3 is only receiving critical security updates. Migration to Version 4 is recommended.\n\nVersions 1 and 2 are obsolete, but can be found in the old repository, [square/go-jose](https://github.com/square/go-jose).\n\n### Supported algorithms\n\nSee below for a table of supported algorithms. Algorithm identifiers match\nthe names in the [JSON Web Algorithms](https://dx.doi.org/10.17487/RFC7518)\nstandard where possible. The Godoc reference has a list of constants.\n\n| Key encryption | Algorithm identifier(s) |\n|:-----------------------|:-----------------------------------------------|\n| RSA-PKCS#1v1.5 | RSA1_5 |\n| RSA-OAEP | RSA-OAEP, RSA-OAEP-256 |\n| AES key wrap | A128KW, A192KW, A256KW |\n| AES-GCM key wrap | A128GCMKW, A192GCMKW, A256GCMKW |\n| ECDH-ES + AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW |\n| ECDH-ES (direct) | ECDH-ES1 |\n| Direct encryption | dir1 |\n\n1. Not supported in multi-recipient mode\n\n| Signing / MAC | Algorithm identifier(s) |\n|:------------------|:------------------------|\n| RSASSA-PKCS#1v1.5 | RS256, RS384, RS512 |\n| RSASSA-PSS | PS256, PS384, PS512 |\n| HMAC | HS256, HS384, HS512 |\n| ECDSA | ES256, ES384, ES512 |\n| Ed25519 | EdDSA2 |\n\n2. Only available in version 2 of the package\n\n| Content encryption | Algorithm identifier(s) |\n|:-------------------|:--------------------------------------------|\n| AES-CBC+HMAC | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 |\n| AES-GCM | A128GCM, A192GCM, A256GCM |\n\n| Compression | Algorithm identifiers(s) |\n|:-------------------|--------------------------|\n| DEFLATE (RFC 1951) | DEF |\n\n### Supported key types\n\nSee below for a table of supported key types. These are understood by the\nlibrary, and can be passed to corresponding functions such as `NewEncrypter` or\n`NewSigner`. Each of these keys can also be wrapped in a JWK if desired, which\nallows attaching a key id.\n\n| Algorithm(s) | Corresponding types |\n|:------------------|--------------------------------------------------------------------------------------------------------------------------------------|\n| RSA | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey) |\n| ECDH, ECDSA | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey) |\n| EdDSA1 | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey) |\n| AES, HMAC | []byte |\n\n1. Only available in version 2 or later of the package\n\n## Examples\n\n[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)\n[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)\n\nExamples can be found in the Godoc\nreference for this package. The\n[`jose-util`](https://github.com/go-jose/go-jose/tree/main/jose-util)\nsubdirectory also contains a small command-line utility which might be useful\nas an example as well.\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/SECURITY.md", "content": "# Security Policy\nThis document explains how to contact the Let's Encrypt security team to report security vulnerabilities.\n\n## Supported Versions\n| Version | Supported |\n| ------- | ----------|\n| >= v3 | ✓ |\n| v2 | ✗ |\n| v1 | ✗ |\n\n## Reporting a vulnerability\n\nPlease see [https://letsencrypt.org/contact/#security](https://letsencrypt.org/contact/#security) for the email address to report a vulnerability. Ensure that the subject line for your report contains the word `vulnerability` and is descriptive. Your email should be acknowledged within 24 hours. If you do not receive a response within 24 hours, please follow-up again with another email.\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/asymmetric.go", "content": "/*-\n * Copyright 2014 Square Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\npackage jose\n\nimport (\n\t\"crypto\"\n\t\"crypto/aes\"\n\t\"crypto/ecdsa\"\n\t\"crypto/ed25519\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/sha1\"\n\t\"crypto/sha256\"\n\t\"errors\"\n\t\"fmt\"\n\t\"math/big\"\n\n\tjosecipher \"github.com/go-jose/go-jose/v4/cipher\"\n\t\"github.com/go-jose/go-jose/v4/json\"\n)\n\n// A generic RSA-based encrypter/verifier\ntype rsaEncrypterVerifier struct {\n\tpublicKey *rsa.PublicKey\n}\n\n// A generic RSA-based decrypter/signer\ntype rsaDecrypterSigner struct {\n\tprivateKey *rsa.PrivateKey\n}\n\n// A generic EC-based encrypter/verifier\ntype ecEncrypterVerifier struct {\n\tpublicKey *ecdsa.PublicKey\n}\n\ntype edEncrypterVerifier struct {\n\tpublicKey ed25519.PublicKey\n}\n\n// A key generator for ECDH-ES\ntype ecKeyGenerator struct {\n\tsize int\n\talgID string\n\tpublicKey *ecdsa.PublicKey\n}\n\n// A generic EC-based decrypter/signer\ntype ecDecrypterSigner struct {\n\tprivateKey *ecdsa.PrivateKey\n}\n\ntype edDecrypterSigner struct {\n\tprivateKey ed25519.PrivateKey\n}\n\n// newRSARecipient creates recipientKeyInfo based on the given key.\nfunc newRSARecipient(keyAlg KeyAlgorithm, publicKey *rsa.PublicKey) (recipientKeyInfo, error) {\n\t// Verify that key management algorithm is supported by this encrypter\n\tswitch keyAlg {\n\tcase RSA1_5, RSA_OAEP, RSA_OAEP_256:\n\tdefault:\n\t\treturn recipientKeyInfo{}, ErrUnsupportedAlgorithm\n\t}\n\n\tif publicKey == nil {\n\t\treturn recipientKeyInfo{}, errors.New(\"invalid public key\")\n\t}\n\n\treturn recipientKeyInfo{\n\t\tkeyAlg: keyAlg,\n\t\tkeyEncrypter: &rsaEncrypterVerifier{\n\t\t\tpublicKey: publicKey,\n\t\t},\n\t}, nil\n}\n\n// newRSASigner creates a recipientSigInfo based on the given key.\nfunc newRSASigner(sigAlg SignatureAlgorithm, privateKey *rsa.PrivateKey) (recipientSigInfo, error) {\n\t// Verify that key management algorithm is supported by this encrypter\n\tswitch sigAlg {\n\tcase RS256, RS384, RS512, PS256, PS384, PS512:\n\tdefault:\n\t\treturn recipientSigInfo{}, ErrUnsupportedAlgorithm\n\t}\n\n\tif privateKey == nil {\n\t\treturn recipientSigInfo{}, errors.New(\"invalid private key\")\n\t}\n\n\treturn recipientSigInfo{\n\t\tsigAlg: sigAlg,\n\t\tpublicKey: staticPublicKey(&JSONWebKey{\n\t\t\tKey: privateKey.Public(),\n\t\t}),\n\t\tsigner: &rsaDecrypterSigner{\n\t\t\tprivateKey: privateKey,\n\t\t},\n\t}, nil\n}\n\nfunc newEd25519Signer(sigAlg SignatureAlgorithm, privateKey ed25519.PrivateKey) (recipientSigInfo, error) {\n\tif sigAlg != EdDSA {\n\t\treturn recipientSigInfo{}, ErrUnsupportedAlgorithm\n\t}\n\n\tif privateKey == nil {\n\t\treturn recipientSigInfo{}, errors.New(\"invalid private key\")\n\t}\n\treturn recipientSigInfo{\n\t\tsigAlg: sigAlg,\n\t\tpublicKey: staticPublicKey(&JSONWebKey{\n\t\t\tKey: privateKey.Public(),\n\t\t}),\n\t\tsigner: &edDecrypterSigner{\n\t\t\tprivateKey: privateKey,\n\t\t},\n\t}, nil\n}\n\n// newECDHRecipient creates recipientKeyInfo based on the given key.\nfunc newECDHRecipient(keyAlg KeyAlgorithm, publicKey *ecdsa.PublicKey) (recipientKeyInfo, error) {\n\t// Verify that key management algorithm is supported by this encrypter\n\tswitch keyAlg {\n\tcase ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:\n\tdefault:\n\t\treturn recipientKeyInfo{}, ErrUnsupportedAlgorithm\n\t}\n\n\tif publicKey == nil || !publicKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {\n\t\treturn recipientKeyInfo{}, errors.New(\"invalid public key\")\n\t}\n\n\treturn recipientKeyInfo{\n\t\tkeyAlg: keyAlg,\n\t\tkeyEncrypter: &ecEncrypterVerifier{\n\t\t\tpublicKey: publicKey,\n\t\t},\n\t}, nil\n}\n\n// newECDSASigner creates a recipientSigInfo based on the given key.\nfunc newECDSASigner(sigAlg SignatureAlgorithm, privateKey *ecdsa.PrivateKey) (recipientSigInfo, error) {\n\t// Verify that key management algorithm is supported by this encrypter\n\tswitch sigAlg {\n\tcase ES256, ES384, ES512:\n\tdefault:\n\t\treturn recipientSigInfo{}, ErrUnsupportedAlgorithm\n\t}\n\n\tif privateKey == nil {\n\t\treturn recipientSigInfo{}, errors.New(\"invalid private key\")\n\t}\n\n\treturn recipientSigInfo{\n\t\tsigAlg: sigAlg,\n\t\tpublicKey: staticPublicKey(&JSONWebKey{\n\t\t\tKey: privateKey.Public(),\n\t\t}),\n\t\tsigner: &ecDecrypterSigner{\n\t\t\tprivateKey: privateKey,\n\t\t},\n\t}, nil\n}\n\n// Encrypt the given payload and update the object.\nfunc (ctx rsaEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {\n\tencryptedKey, err := ctx.encrypt(cek, alg)\n\tif err != nil {\n\t\treturn recipientInfo{}, err\n\t}\n\n\treturn recipientInfo{\n\t\tencryptedKey: encryptedKey,\n\t\theader: &rawHeader{},\n\t}, nil\n}\n\n// Encrypt the given payload. Based on the key encryption algorithm,\n// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).\nfunc (ctx rsaEncrypterVerifier) encrypt(cek []byte, alg KeyAlgorithm) ([]byte, error) {\n\tswitch alg {\n\tcase RSA1_5:\n\t\treturn rsa.EncryptPKCS1v15(RandReader, ctx.publicKey, cek)\n\tcase RSA_OAEP:\n\t\treturn rsa.EncryptOAEP(sha1.New(), RandReader, ctx.publicKey, cek, []byte{})\n\tcase RSA_OAEP_256:\n\t\treturn rsa.EncryptOAEP(sha256.New(), RandReader, ctx.publicKey, cek, []byte{})\n\t}\n\n\treturn nil, ErrUnsupportedAlgorithm\n}\n\n// Decrypt the given payload and return the content encryption key.\nfunc (ctx rsaDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {\n\treturn ctx.decrypt(recipient.encryptedKey, headers.getAlgorithm(), generator)\n}\n\n// Decrypt the given payload. Based on the key encryption algorithm,\n// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).\nfunc (ctx rsaDecrypterSigner) decrypt(jek []byte, alg KeyAlgorithm, generator keyGenerator) ([]byte, error) {\n\t// Note: The random reader on decrypt operations is only used for blinding,\n\t// so stubbing is meanlingless (hence the direct use of rand.Reader).\n\tswitch alg {\n\tcase RSA1_5:\n\t\tdefer func() {\n\t\t\t// DecryptPKCS1v15SessionKey sometimes panics on an invalid payload\n\t\t\t// because of an index out of bounds error, which we want to ignore.\n\t\t\t// This has been fixed in Go 1.3.1 (released 2014/08/13), the recover()\n\t\t\t// only exists for preventing crashes with unpatched versions.\n\t\t\t// See: https://groups.google.com/forum/#!topic/golang-dev/7ihX6Y6kx9k\n\t\t\t// See: https://code.google.com/p/go/source/detail?r=58ee390ff31602edb66af41ed10901ec95904d33\n\t\t\t_ = recover()\n\t\t}()\n\n\t\t// Perform some input validation.\n\t\tkeyBytes := ctx.privateKey.PublicKey.N.BitLen() / 8\n\t\tif keyBytes != len(jek) {\n\t\t\t// Input size is incorrect, the encrypted payload should always match\n\t\t\t// the size of the public modulus (e.g. using a 2048 bit key will\n\t\t\t// produce 256 bytes of output). Reject this since it's invalid input.\n\t\t\treturn nil, ErrCryptoFailure\n\t\t}\n\n\t\tcek, _, err := generator.genKey()\n\t\tif err != nil {\n\t\t\treturn nil, ErrCryptoFailure\n\t\t}\n\n\t\t// When decrypting an RSA-PKCS1v1.5 payload, we must take precautions to\n\t\t// prevent chosen-ciphertext attacks as described in RFC 3218, \"Preventing\n\t\t// the Million Message Attack on Cryptographic Message Syntax\". We are\n\t\t// therefore deliberately ignoring errors here.\n\t\t_ = rsa.DecryptPKCS1v15SessionKey(rand.Reader, ctx.privateKey, jek, cek)\n\n\t\treturn cek, nil\n\tcase RSA_OAEP:\n\t\t// Use rand.Reader for RSA blinding\n\t\treturn rsa.DecryptOAEP(sha1.New(), rand.Reader, ctx.privateKey, jek, []byte{})\n\tcase RSA_OAEP_256:\n\t\t// Use rand.Reader for RSA blinding\n\t\treturn rsa.DecryptOAEP(sha256.New(), rand.Reader, ctx.privateKey, jek, []byte{})\n\t}\n\n\treturn nil, ErrUnsupportedAlgorithm\n}\n\n// Sign the given payload\nfunc (ctx rsaDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {\n\tvar hash crypto.Hash\n\n\tswitch alg {\n\tcase RS256, PS256:\n\t\thash = crypto.SHA256\n\tcase RS384, PS384:\n\t\thash = crypto.SHA384\n\tcase RS512, PS512:\n\t\thash = crypto.SHA512\n\tdefault:\n\t\treturn Signature{}, ErrUnsupportedAlgorithm\n\t}\n\n\thasher := hash.New()\n\n\t// According to documentation, Write() on hash never fails\n\t_, _ = hasher.Write(payload)\n\thashed := hasher.Sum(nil)\n\n\tvar out []byte\n\tvar err error\n\n\tswitch alg {\n\tcase RS256, RS384, RS512:\n\t\t// TODO(https://github.com/go-jose/go-jose/issues/40): As of go1.20, the\n\t\t// random parameter is legacy and ignored, and it can be nil.\n\t\t// https://cs.opensource.google/go/go/+/refs/tags/go1.20:src/crypto/rsa/pkcs1v15.go;l=263;bpv=0;bpt=1\n\t\tout, err = rsa.SignPKCS1v15(RandReader, ctx.privateKey, hash, hashed)\n\tcase PS256, PS384, PS512:\n\t\tout, err = rsa.SignPSS(RandReader, ctx.privateKey, hash, hashed, &rsa.PSSOptions{\n\t\t\tSaltLength: rsa.PSSSaltLengthEqualsHash,\n\t\t})\n\t}\n\n\tif err != nil {\n\t\treturn Signature{}, err\n\t}\n\n\treturn Signature{\n\t\tSignature: out,\n\t\tprotected: &rawHeader{},\n\t}, nil\n}\n\n// Verify the given payload\nfunc (ctx rsaEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {\n\tvar hash crypto.Hash\n\n\tswitch alg {\n\tcase RS256, PS256:\n\t\thash = crypto.SHA256\n\tcase RS384, PS384:\n\t\thash = crypto.SHA384\n\tcase RS512, PS512:\n\t\thash = crypto.SHA512\n\tdefault:\n\t\treturn ErrUnsupportedAlgorithm\n\t}\n\n\thasher := hash.New()\n\n\t// According to documentation, Write() on hash never fails\n\t_, _ = hasher.Write(payload)\n\thashed := hasher.Sum(nil)\n\n\tswitch alg {\n\tcase RS256, RS384, RS512:\n\t\treturn rsa.VerifyPKCS1v15(ctx.publicKey, hash, hashed, signature)\n\tcase PS256, PS384, PS512:\n\t\treturn rsa.VerifyPSS(ctx.publicKey, hash, hashed, signature, nil)\n\t}\n\n\treturn ErrUnsupportedAlgorithm\n}\n\n// Encrypt the given payload and update the object.\nfunc (ctx ecEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {\n\tswitch alg {\n\tcase ECDH_ES:\n\t\t// ECDH-ES mode doesn't wrap a key, the shared secret is used directly as the key.\n\t\treturn recipientInfo{\n\t\t\theader: &rawHeader{},\n\t\t}, nil\n\tcase ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:\n\tdefault:\n\t\treturn recipientInfo{}, ErrUnsupportedAlgorithm\n\t}\n\n\tgenerator := ecKeyGenerator{\n\t\talgID: string(alg),\n\t\tpublicKey: ctx.publicKey,\n\t}\n\n\tswitch alg {\n\tcase ECDH_ES_A128KW:\n\t\tgenerator.size = 16\n\tcase ECDH_ES_A192KW:\n\t\tgenerator.size = 24\n\tcase ECDH_ES_A256KW:\n\t\tgenerator.size = 32\n\t}\n\n\tkek, header, err := generator.genKey()\n\tif err != nil {\n\t\treturn recipientInfo{}, err\n\t}\n\n\tblock, err := aes.NewCipher(kek)\n\tif err != nil {\n\t\treturn recipientInfo{}, err\n\t}\n\n\tjek, err := josecipher.KeyWrap(block, cek)\n\tif err != nil {\n\t\treturn recipientInfo{}, err\n\t}\n\n\treturn recipientInfo{\n\t\tencryptedKey: jek,\n\t\theader: &header,\n\t}, nil\n}\n\n// Get key size for EC key generator\nfunc (ctx ecKeyGenerator) keySize() int {\n\treturn ctx.size\n}\n\n// Get a content encryption key for ECDH-ES\nfunc (ctx ecKeyGenerator) genKey() ([]byte, rawHeader, error) {\n\tpriv, err := ecdsa.GenerateKey(ctx.publicKey.Curve, RandReader)\n\tif err != nil {\n\t\treturn nil, rawHeader{}, err\n\t}\n\n\tout := josecipher.DeriveECDHES(ctx.algID, []byte{}, []byte{}, priv, ctx.publicKey, ctx.size)\n\n\tb, err := json.Marshal(&JSONWebKey{\n\t\tKey: &priv.PublicKey,\n\t})\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\theaders := rawHeader{\n\t\theaderEPK: makeRawMessage(b),\n\t}\n\n\treturn out, headers, nil\n}\n\n// Decrypt the given payload and return the content encryption key.\nfunc (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {\n\tepk, err := headers.getEPK()\n\tif err != nil {\n\t\treturn nil, errors.New(\"go-jose/go-jose: invalid epk header\")\n\t}\n\tif epk == nil {\n\t\treturn nil, errors.New(\"go-jose/go-jose: missing epk header\")\n\t}\n\n\tpublicKey, ok := epk.Key.(*ecdsa.PublicKey)\n\tif publicKey == nil || !ok {\n\t\treturn nil, errors.New(\"go-jose/go-jose: invalid epk header\")\n\t}\n\n\tif !ctx.privateKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {\n\t\treturn nil, errors.New(\"go-jose/go-jose: invalid public key in epk header\")\n\t}\n\n\tapuData, err := headers.getAPU()\n\tif err != nil {\n\t\treturn nil, errors.New(\"go-jose/go-jose: invalid apu header\")\n\t}\n\tapvData, err := headers.getAPV()\n\tif err != nil {\n\t\treturn nil, errors.New(\"go-jose/go-jose: invalid apv header\")\n\t}\n\n\tderiveKey := func(algID string, size int) []byte {\n\t\treturn josecipher.DeriveECDHES(algID, apuData.bytes(), apvData.bytes(), ctx.privateKey, publicKey, size)\n\t}\n\n\tvar keySize int\n\n\talgorithm := headers.getAlgorithm()\n\tswitch algorithm {\n\tcase ECDH_ES:\n\t\t// ECDH-ES uses direct key agreement, no key unwrapping necessary.\n\t\treturn deriveKey(string(headers.getEncryption()), generator.keySize()), nil\n\tcase ECDH_ES_A128KW:\n\t\tkeySize = 16\n\tcase ECDH_ES_A192KW:\n\t\tkeySize = 24\n\tcase ECDH_ES_A256KW:\n\t\tkeySize = 32\n\tdefault:\n\t\treturn nil, ErrUnsupportedAlgorithm\n\t}\n\n\tkey := deriveKey(string(algorithm), keySize)\n\tblock, err := aes.NewCipher(key)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn josecipher.KeyUnwrap(block, recipient.encryptedKey)\n}\n\nfunc (ctx edDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {\n\tif alg != EdDSA {\n\t\treturn Signature{}, ErrUnsupportedAlgorithm\n\t}\n\n\tsig, err := ctx.privateKey.Sign(RandReader, payload, crypto.Hash(0))\n\tif err != nil {\n\t\treturn Signature{}, err\n\t}\n\n\treturn Signature{\n\t\tSignature: sig,\n\t\tprotected: &rawHeader{},\n\t}, nil\n}\n\nfunc (ctx edEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {\n\tif alg != EdDSA {\n\t\treturn ErrUnsupportedAlgorithm\n\t}\n\tok := ed25519.Verify(ctx.publicKey, payload, signature)\n\tif !ok {\n\t\treturn errors.New(\"go-jose/go-jose: ed25519 signature failed to verify\")\n\t}\n\treturn nil\n}\n\n// Sign the given payload\nfunc (ctx ecDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {\n\tvar expectedBitSize int\n\tvar hash crypto.Hash\n\n\tswitch alg {\n\tcase ES256:\n\t\texpectedBitSize = 256\n\t\thash = crypto.SHA256\n\tcase ES384:\n\t\texpectedBitSize = 384\n\t\thash = crypto.SHA384\n\tcase ES512:\n\t\texpectedBitSize = 521\n\t\thash = crypto.SHA512\n\t}\n\n\tcurveBits := ctx.privateKey.Curve.Params().BitSize\n\tif expectedBitSize != curveBits {\n\t\treturn Signature{}, fmt.Errorf(\"go-jose/go-jose: expected %d bit key, got %d bits instead\", expectedBitSize, curveBits)\n\t}\n\n\thasher := hash.New()\n\n\t// According to documentation, Write() on hash never fails\n\t_, _ = hasher.Write(payload)\n\thashed := hasher.Sum(nil)\n\n\tr, s, err := ecdsa.Sign(RandReader, ctx.privateKey, hashed)\n\tif err != nil {\n\t\treturn Signature{}, err\n\t}\n\n\tkeyBytes := curveBits / 8\n\tif curveBits%8 > 0 {\n\t\tkeyBytes++\n\t}\n\n\t// We serialize the outputs (r and s) into big-endian byte arrays and pad\n\t// them with zeros on the left to make sure the sizes work out. Both arrays\n\t// must be keyBytes long, and the output must be 2*keyBytes long.\n\trBytes := r.Bytes()\n\trBytesPadded := make([]byte, keyBytes)\n\tcopy(rBytesPadded[keyBytes-len(rBytes):], rBytes)\n\n\tsBytes := s.Bytes()\n\tsBytesPadded := make([]byte, keyBytes)\n\tcopy(sBytesPadded[keyBytes-len(sBytes):], sBytes)\n\n\tout := append(rBytesPadded, sBytesPadded...)\n\n\treturn Signature{\n\t\tSignature: out,\n\t\tprotected: &rawHeader{},\n\t}, nil\n}\n\n// Verify the given payload\nfunc (ctx ecEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {\n\tvar keySize int\n\tvar hash crypto.Hash\n\n\tswitch alg {\n\tcase ES256:\n\t\tkeySize = 32\n\t\thash = crypto.SHA256\n\tcase ES384:\n\t\tkeySize = 48\n\t\thash = crypto.SHA384\n\tcase ES512:\n\t\tkeySize = 66\n\t\thash = crypto.SHA512\n\tdefault:\n\t\treturn ErrUnsupportedAlgorithm\n\t}\n\n\tif len(signature) != 2*keySize {\n\t\treturn fmt.Errorf(\"go-jose/go-jose: invalid signature size, have %d bytes, wanted %d\", len(signature), 2*keySize)\n\t}\n\n\thasher := hash.New()\n\n\t// According to documentation, Write() on hash never fails\n\t_, _ = hasher.Write(payload)\n\thashed := hasher.Sum(nil)\n\n\tr := big.NewInt(0).SetBytes(signature[:keySize])\n\ts := big.NewInt(0).SetBytes(signature[keySize:])\n\n\tmatch := ecdsa.Verify(ctx.publicKey, hashed, r, s)\n\tif !match {\n\t\treturn errors.New(\"go-jose/go-jose: ecdsa signature failed to verify\")\n\t}\n\n\treturn nil\n}\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/cipher/cbc_hmac.go", "content": "/*-\n * Copyright 2014 Square Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\npackage josecipher\n\nimport (\n\t\"bytes\"\n\t\"crypto/cipher\"\n\t\"crypto/hmac\"\n\t\"crypto/sha256\"\n\t\"crypto/sha512\"\n\t\"crypto/subtle\"\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"hash\"\n)\n\nconst (\n\tnonceBytes = 16\n)\n\n// NewCBCHMAC instantiates a new AEAD based on CBC+HMAC.\nfunc NewCBCHMAC(key []byte, newBlockCipher func([]byte) (cipher.Block, error)) (cipher.AEAD, error) {\n\tkeySize := len(key) / 2\n\tintegrityKey := key[:keySize]\n\tencryptionKey := key[keySize:]\n\n\tblockCipher, err := newBlockCipher(encryptionKey)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar hash func() hash.Hash\n\tswitch keySize {\n\tcase 16:\n\t\thash = sha256.New\n\tcase 24:\n\t\thash = sha512.New384\n\tcase 32:\n\t\thash = sha512.New\n\t}\n\n\treturn &cbcAEAD{\n\t\thash: hash,\n\t\tblockCipher: blockCipher,\n\t\tauthtagBytes: keySize,\n\t\tintegrityKey: integrityKey,\n\t}, nil\n}\n\n// An AEAD based on CBC+HMAC\ntype cbcAEAD struct {\n\thash func() hash.Hash\n\tauthtagBytes int\n\tintegrityKey []byte\n\tblockCipher cipher.Block\n}\n\nfunc (ctx *cbcAEAD) NonceSize() int {\n\treturn nonceBytes\n}\n\nfunc (ctx *cbcAEAD) Overhead() int {\n\t// Maximum overhead is block size (for padding) plus auth tag length, where\n\t// the length of the auth tag is equivalent to the key size.\n\treturn ctx.blockCipher.BlockSize() + ctx.authtagBytes\n}\n\n// Seal encrypts and authenticates the plaintext.\nfunc (ctx *cbcAEAD) Seal(dst, nonce, plaintext, data []byte) []byte {\n\t// Output buffer -- must take care not to mangle plaintext input.\n\tciphertext := make([]byte, uint64(len(plaintext))+uint64(ctx.Overhead()))[:len(plaintext)]\n\tcopy(ciphertext, plaintext)\n\tciphertext = padBuffer(ciphertext, ctx.blockCipher.BlockSize())\n\n\tcbc := cipher.NewCBCEncrypter(ctx.blockCipher, nonce)\n\n\tcbc.CryptBlocks(ciphertext, ciphertext)\n\tauthtag := ctx.computeAuthTag(data, nonce, ciphertext)\n\n\tret, out := resize(dst, uint64(len(dst))+uint64(len(ciphertext))+uint64(len(authtag)))\n\tcopy(out, ciphertext)\n\tcopy(out[len(ciphertext):], authtag)\n\n\treturn ret\n}\n\n// Open decrypts and authenticates the ciphertext.\nfunc (ctx *cbcAEAD) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {\n\tif len(ciphertext) < ctx.authtagBytes {\n\t\treturn nil, errors.New(\"go-jose/go-jose: invalid ciphertext (too short)\")\n\t}\n\n\toffset := len(ciphertext) - ctx.authtagBytes\n\texpectedTag := ctx.computeAuthTag(data, nonce, ciphertext[:offset])\n\tmatch := subtle.ConstantTimeCompare(expectedTag, ciphertext[offset:])\n\tif match != 1 {\n\t\treturn nil, errors.New(\"go-jose/go-jose: invalid ciphertext (auth tag mismatch)\")\n\t}\n\n\tcbc := cipher.NewCBCDecrypter(ctx.blockCipher, nonce)\n\n\t// Make copy of ciphertext buffer, don't want to modify in place\n\tbuffer := append([]byte{}, ciphertext[:offset]...)\n\n\tif len(buffer)%ctx.blockCipher.BlockSize() > 0 {\n\t\treturn nil, errors.New(\"go-jose/go-jose: invalid ciphertext (invalid length)\")\n\t}\n\n\tcbc.CryptBlocks(buffer, buffer)\n\n\t// Remove padding\n\tplaintext, err := unpadBuffer(buffer, ctx.blockCipher.BlockSize())\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tret, out := resize(dst, uint64(len(dst))+uint64(len(plaintext)))\n\tcopy(out, plaintext)\n\n\treturn ret, nil\n}\n\n// Compute an authentication tag\nfunc (ctx *cbcAEAD) computeAuthTag(aad, nonce, ciphertext []byte) []byte {\n\tbuffer := make([]byte, uint64(len(aad))+uint64(len(nonce))+uint64(len(ciphertext))+8)\n\tn := 0\n\tn += copy(buffer, aad)\n\tn += copy(buffer[n:], nonce)\n\tn += copy(buffer[n:], ciphertext)\n\tbinary.BigEndian.PutUint64(buffer[n:], uint64(len(aad))*8)\n\n\t// According to documentation, Write() on hash.Hash never fails.\n\thmac := hmac.New(ctx.hash, ctx.integrityKey)\n\t_, _ = hmac.Write(buffer)\n\n\treturn hmac.Sum(nil)[:ctx.authtagBytes]\n}\n\n// resize ensures that the given slice has a capacity of at least n bytes.\n// If the capacity of the slice is less than n, a new slice is allocated\n// and the existing data will be copied.\nfunc resize(in []byte, n uint64) (head, tail []byte) {\n\tif uint64(cap(in)) >= n {\n\t\thead = in[:n]\n\t} else {\n\t\thead = make([]byte, n)\n\t\tcopy(head, in)\n\t}\n\n\ttail = head[len(in):]\n\treturn\n}\n\n// Apply padding\nfunc padBuffer(buffer []byte, blockSize int) []byte {\n\tmissing := blockSize - (len(buffer) % blockSize)\n\tret, out := resize(buffer, uint64(len(buffer))+uint64(missing))\n\tpadding := bytes.Repeat([]byte{byte(missing)}, missing)\n\tcopy(out, padding)\n\treturn ret\n}\n\n// Remove padding\nfunc unpadBuffer(buffer []byte, blockSize int) ([]byte, error) {\n\tif len(buffer)%blockSize != 0 {\n\t\treturn nil, errors.New(\"go-jose/go-jose: invalid padding\")\n\t}\n\n\tlast := buffer[len(buffer)-1]\n\tcount := int(last)\n\n\tif count == 0 || count > blockSize || count > len(buffer) {\n\t\treturn nil, errors.New(\"go-jose/go-jose: invalid padding\")\n\t}\n\n\tpadding := bytes.Repeat([]byte{last}, count)\n\tif !bytes.HasSuffix(buffer, padding) {\n\t\treturn nil, errors.New(\"go-jose/go-jose: invalid padding\")\n\t}\n\n\treturn buffer[:len(buffer)-count], nil\n}\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/cipher/concat_kdf.go", "content": "/*-\n * Copyright 2014 Square Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\npackage josecipher\n\nimport (\n\t\"crypto\"\n\t\"encoding/binary\"\n\t\"hash\"\n\t\"io\"\n)\n\ntype concatKDF struct {\n\tz, info []byte\n\ti uint32\n\tcache []byte\n\thasher hash.Hash\n}\n\n// NewConcatKDF builds a KDF reader based on the given inputs.\nfunc NewConcatKDF(hash crypto.Hash, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo []byte) io.Reader {\n\tbuffer := make([]byte, uint64(len(algID))+uint64(len(ptyUInfo))+uint64(len(ptyVInfo))+uint64(len(supPubInfo))+uint64(len(supPrivInfo)))\n\tn := 0\n\tn += copy(buffer, algID)\n\tn += copy(buffer[n:], ptyUInfo)\n\tn += copy(buffer[n:], ptyVInfo)\n\tn += copy(buffer[n:], supPubInfo)\n\tcopy(buffer[n:], supPrivInfo)\n\n\thasher := hash.New()\n\n\treturn &concatKDF{\n\t\tz: z,\n\t\tinfo: buffer,\n\t\thasher: hasher,\n\t\tcache: []byte{},\n\t\ti: 1,\n\t}\n}\n\nfunc (ctx *concatKDF) Read(out []byte) (int, error) {\n\tcopied := copy(out, ctx.cache)\n\tctx.cache = ctx.cache[copied:]\n\n\tfor copied < len(out) {\n\t\tctx.hasher.Reset()\n\n\t\t// Write on a hash.Hash never fails\n\t\t_ = binary.Write(ctx.hasher, binary.BigEndian, ctx.i)\n\t\t_, _ = ctx.hasher.Write(ctx.z)\n\t\t_, _ = ctx.hasher.Write(ctx.info)\n\n\t\thash := ctx.hasher.Sum(nil)\n\t\tchunkCopied := copy(out[copied:], hash)\n\t\tcopied += chunkCopied\n\t\tctx.cache = hash[chunkCopied:]\n\n\t\tctx.i++\n\t}\n\n\treturn copied, nil\n}\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/cipher/ecdh_es.go", "content": "/*-\n * Copyright 2014 Square Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\npackage josecipher\n\nimport (\n\t\"bytes\"\n\t\"crypto\"\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"encoding/binary\"\n)\n\n// DeriveECDHES derives a shared encryption key using ECDH/ConcatKDF as described in JWE/JWA.\n// It is an error to call this function with a private/public key that are not on the same\n// curve. Callers must ensure that the keys are valid before calling this function. Output\n// size may be at most 1<<16 bytes (64 KiB).\nfunc DeriveECDHES(alg string, apuData, apvData []byte, priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, size int) []byte {\n\tif size > 1<<16 {\n\t\tpanic(\"ECDH-ES output size too large, must be less than or equal to 1<<16\")\n\t}\n\n\t// algId, partyUInfo, partyVInfo inputs must be prefixed with the length\n\talgID := lengthPrefixed([]byte(alg))\n\tptyUInfo := lengthPrefixed(apuData)\n\tptyVInfo := lengthPrefixed(apvData)\n\n\t// suppPubInfo is the encoded length of the output size in bits\n\tsupPubInfo := make([]byte, 4)\n\tbinary.BigEndian.PutUint32(supPubInfo, uint32(size)*8)\n\n\tif !priv.PublicKey.Curve.IsOnCurve(pub.X, pub.Y) {\n\t\tpanic(\"public key not on same curve as private key\")\n\t}\n\n\tz, _ := priv.Curve.ScalarMult(pub.X, pub.Y, priv.D.Bytes())\n\tzBytes := z.Bytes()\n\n\t// Note that calling z.Bytes() on a big.Int may strip leading zero bytes from\n\t// the returned byte array. This can lead to a problem where zBytes will be\n\t// shorter than expected which breaks the key derivation. Therefore we must pad\n\t// to the full length of the expected coordinate here before calling the KDF.\n\toctSize := dSize(priv.Curve)\n\tif len(zBytes) != octSize {\n\t\tzBytes = append(bytes.Repeat([]byte{0}, octSize-len(zBytes)), zBytes...)\n\t}\n\n\treader := NewConcatKDF(crypto.SHA256, zBytes, algID, ptyUInfo, ptyVInfo, supPubInfo, []byte{})\n\tkey := make([]byte, size)\n\n\t// Read on the KDF will never fail\n\t_, _ = reader.Read(key)\n\n\treturn key\n}\n\n// dSize returns the size in octets for a coordinate on a elliptic curve.\nfunc dSize(curve elliptic.Curve) int {\n\torder := curve.Params().P\n\tbitLen := order.BitLen()\n\tsize := bitLen / 8\n\tif bitLen%8 != 0 {\n\t\tsize++\n\t}\n\treturn size\n}\n\nfunc lengthPrefixed(data []byte) []byte {\n\tout := make([]byte, len(data)+4)\n\tbinary.BigEndian.PutUint32(out, uint32(len(data)))\n\tcopy(out[4:], data)\n\treturn out\n}\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go", "content": "/*-\n * Copyright 2014 Square Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\npackage josecipher\n\nimport (\n\t\"crypto/cipher\"\n\t\"crypto/subtle\"\n\t\"encoding/binary\"\n\t\"errors\"\n)\n\nvar defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}\n\n// KeyWrap implements NIST key wrapping; it wraps a content encryption key (cek) with the given block cipher.\nfunc KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {\n\tif len(cek)%8 != 0 {\n\t\treturn nil, errors.New(\"go-jose/go-jose: key wrap input must be 8 byte blocks\")\n\t}\n\n\tn := len(cek) / 8\n\tr := make([][]byte, n)\n\n\tfor i := range r {\n\t\tr[i] = make([]byte, 8)\n\t\tcopy(r[i], cek[i*8:])\n\t}\n\n\tbuffer := make([]byte, 16)\n\ttBytes := make([]byte, 8)\n\tcopy(buffer, defaultIV)\n\n\tfor t := 0; t < 6*n; t++ {\n\t\tcopy(buffer[8:], r[t%n])\n\n\t\tblock.Encrypt(buffer, buffer)\n\n\t\tbinary.BigEndian.PutUint64(tBytes, uint64(t+1))\n\n\t\tfor i := 0; i < 8; i++ {\n\t\t\tbuffer[i] ^= tBytes[i]\n\t\t}\n\t\tcopy(r[t%n], buffer[8:])\n\t}\n\n\tout := make([]byte, (n+1)*8)\n\tcopy(out, buffer[:8])\n\tfor i := range r {\n\t\tcopy(out[(i+1)*8:], r[i])\n\t}\n\n\treturn out, nil\n}\n\n// KeyUnwrap implements NIST key unwrapping; it unwraps a content encryption key (cek) with the given block cipher.\nfunc KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {\n\tif len(ciphertext)%8 != 0 {\n\t\treturn nil, errors.New(\"go-jose/go-jose: key wrap input must be 8 byte blocks\")\n\t}\n\n\tn := (len(ciphertext) / 8) - 1\n\tr := make([][]byte, n)\n\n\tfor i := range r {\n\t\tr[i] = make([]byte, 8)\n\t\tcopy(r[i], ciphertext[(i+1)*8:])\n\t}\n\n\tbuffer := make([]byte, 16)\n\ttBytes := make([]byte, 8)\n\tcopy(buffer[:8], ciphertext[:8])\n\n\tfor t := 6*n - 1; t >= 0; t-- {\n\t\tbinary.BigEndian.PutUint64(tBytes, uint64(t+1))\n\n\t\tfor i := 0; i < 8; i++ {\n\t\t\tbuffer[i] ^= tBytes[i]\n\t\t}\n\t\tcopy(buffer[8:], r[t%n])\n\n\t\tblock.Decrypt(buffer, buffer)\n\n\t\tcopy(r[t%n], buffer[8:])\n\t}\n\n\tif subtle.ConstantTimeCompare(buffer[:8], defaultIV) == 0 {\n\t\treturn nil, errors.New(\"go-jose/go-jose: failed to unwrap key\")\n\t}\n\n\tout := make([]byte, n*8)\n\tfor i := range r {\n\t\tcopy(out[i*8:], r[i])\n\t}\n\n\treturn out, nil\n}\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/crypter.go", "content": "/*-\n * Copyright 2014 Square Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\npackage jose\n\nimport (\n\t\"crypto/ecdsa\"\n\t\"crypto/rsa\"\n\t\"errors\"\n\t\"fmt\"\n\n\t\"github.com/go-jose/go-jose/v4/json\"\n)\n\n// Encrypter represents an encrypter which produces an encrypted JWE object.\ntype Encrypter interface {\n\tEncrypt(plaintext []byte) (*JSONWebEncryption, error)\n\tEncryptWithAuthData(plaintext []byte, aad []byte) (*JSONWebEncryption, error)\n\tOptions() EncrypterOptions\n}\n\n// A generic content cipher\ntype contentCipher interface {\n\tkeySize() int\n\tencrypt(cek []byte, aad, plaintext []byte) (*aeadParts, error)\n\tdecrypt(cek []byte, aad []byte, parts *aeadParts) ([]byte, error)\n}\n\n// A key generator (for generating/getting a CEK)\ntype keyGenerator interface {\n\tkeySize() int\n\tgenKey() ([]byte, rawHeader, error)\n}\n\n// A generic key encrypter\ntype keyEncrypter interface {\n\tencryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) // Encrypt a key\n}\n\n// A generic key decrypter\ntype keyDecrypter interface {\n\tdecryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) // Decrypt a key\n}\n\n// A generic encrypter based on the given key encrypter and content cipher.\ntype genericEncrypter struct {\n\tcontentAlg ContentEncryption\n\tcompressionAlg CompressionAlgorithm\n\tcipher contentCipher\n\trecipients []recipientKeyInfo\n\tkeyGenerator keyGenerator\n\textraHeaders map[HeaderKey]interface{}\n}\n\ntype recipientKeyInfo struct {\n\tkeyID string\n\tkeyAlg KeyAlgorithm\n\tkeyEncrypter keyEncrypter\n}\n\n// EncrypterOptions represents options that can be set on new encrypters.\ntype EncrypterOptions struct {\n\tCompression CompressionAlgorithm\n\n\t// Optional map of name/value pairs to be inserted into the protected\n\t// header of a JWS object. Some specifications which make use of\n\t// JWS require additional values here.\n\t//\n\t// Values will be serialized by [json.Marshal] and must be valid inputs to\n\t// that function.\n\t//\n\t// [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal\n\tExtraHeaders map[HeaderKey]interface{}\n}\n\n// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it\n// if necessary, and returns the updated EncrypterOptions.\n//\n// The v parameter will be serialized by [json.Marshal] and must be a valid\n// input to that function.\n//\n// [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal\nfunc (eo *EncrypterOptions) WithHeader(k HeaderKey, v interface{}) *EncrypterOptions {\n\tif eo.ExtraHeaders == nil {\n\t\teo.ExtraHeaders = map[HeaderKey]interface{}{}\n\t}\n\teo.ExtraHeaders[k] = v\n\treturn eo\n}\n\n// WithContentType adds a content type (\"cty\") header and returns the updated\n// EncrypterOptions.\nfunc (eo *EncrypterOptions) WithContentType(contentType ContentType) *EncrypterOptions {\n\treturn eo.WithHeader(HeaderContentType, contentType)\n}\n\n// WithType adds a type (\"typ\") header and returns the updated EncrypterOptions.\nfunc (eo *EncrypterOptions) WithType(typ ContentType) *EncrypterOptions {\n\treturn eo.WithHeader(HeaderType, typ)\n}\n\n// Recipient represents an algorithm/key to encrypt messages to.\n//\n// PBES2Count and PBES2Salt correspond with the \"p2c\" and \"p2s\" headers used\n// on the password-based encryption algorithms PBES2-HS256+A128KW,\n// PBES2-HS384+A192KW, and PBES2-HS512+A256KW. If they are not provided a safe\n// default of 100000 will be used for the count and a 128-bit random salt will\n// be generated.\ntype Recipient struct {\n\tAlgorithm KeyAlgorithm\n\t// Key must have one of these types:\n\t// - ed25519.PublicKey\n\t// - *ecdsa.PublicKey\n\t// - *rsa.PublicKey\n\t// - *JSONWebKey\n\t// - JSONWebKey\n\t// - []byte (a symmetric key)\n\t// - Any type that satisfies the OpaqueKeyEncrypter interface\n\t//\n\t// The type of Key must match the value of Algorithm.\n\tKey interface{}\n\tKeyID string\n\tPBES2Count int\n\tPBES2Salt []byte\n}\n\n// NewEncrypter creates an appropriate encrypter based on the key type\nfunc NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions) (Encrypter, error) {\n\tencrypter := &genericEncrypter{\n\t\tcontentAlg: enc,\n\t\trecipients: []recipientKeyInfo{},\n\t\tcipher: getContentCipher(enc),\n\t}\n\tif opts != nil {\n\t\tencrypter.compressionAlg = opts.Compression\n\t\tencrypter.extraHeaders = opts.ExtraHeaders\n\t}\n\n\tif encrypter.cipher == nil {\n\t\treturn nil, ErrUnsupportedAlgorithm\n\t}\n\n\tvar keyID string\n\tvar rawKey interface{}\n\tswitch encryptionKey := rcpt.Key.(type) {\n\tcase JSONWebKey:\n\t\tkeyID, rawKey = encryptionKey.KeyID, encryptionKey.Key\n\tcase *JSONWebKey:\n\t\tkeyID, rawKey = encryptionKey.KeyID, encryptionKey.Key\n\tcase OpaqueKeyEncrypter:\n\t\tkeyID, rawKey = encryptionKey.KeyID(), encryptionKey\n\tdefault:\n\t\trawKey = encryptionKey\n\t}\n\n\tswitch rcpt.Algorithm {\n\tcase DIRECT:\n\t\t// Direct encryption mode must be treated differently\n\t\tkeyBytes, ok := rawKey.([]byte)\n\t\tif !ok {\n\t\t\treturn nil, ErrUnsupportedKeyType\n\t\t}\n\t\tif encrypter.cipher.keySize() != len(keyBytes) {\n\t\t\treturn nil, ErrInvalidKeySize\n\t\t}\n\t\tencrypter.keyGenerator = staticKeyGenerator{\n\t\t\tkey: keyBytes,\n\t\t}\n\t\trecipientInfo, _ := newSymmetricRecipient(rcpt.Algorithm, keyBytes)\n\t\trecipientInfo.keyID = keyID\n\t\tif rcpt.KeyID != \"\" {\n\t\t\trecipientInfo.keyID = rcpt.KeyID\n\t\t}\n\t\tencrypter.recipients = []recipientKeyInfo{recipientInfo}\n\t\treturn encrypter, nil\n\tcase ECDH_ES:\n\t\t// ECDH-ES (w/o key wrapping) is similar to DIRECT mode\n\t\tkeyDSA, ok := rawKey.(*ecdsa.PublicKey)\n\t\tif !ok {\n\t\t\treturn nil, ErrUnsupportedKeyType\n\t\t}\n\t\tencrypter.keyGenerator = ecKeyGenerator{\n\t\t\tsize: encrypter.cipher.keySize(),\n\t\t\talgID: string(enc),\n\t\t\tpublicKey: keyDSA,\n\t\t}\n\t\trecipientInfo, _ := newECDHRecipient(rcpt.Algorithm, keyDSA)\n\t\trecipientInfo.keyID = keyID\n\t\tif rcpt.KeyID != \"\" {\n\t\t\trecipientInfo.keyID = rcpt.KeyID\n\t\t}\n\t\tencrypter.recipients = []recipientKeyInfo{recipientInfo}\n\t\treturn encrypter, nil\n\tdefault:\n\t\t// Can just add a standard recipient\n\t\tencrypter.keyGenerator = randomKeyGenerator{\n\t\t\tsize: encrypter.cipher.keySize(),\n\t\t}\n\t\terr := encrypter.addRecipient(rcpt)\n\t\treturn encrypter, err\n\t}\n}\n\n// NewMultiEncrypter creates a multi-encrypter based on the given parameters\nfunc NewMultiEncrypter(enc ContentEncryption, rcpts []Recipient, opts *EncrypterOptions) (Encrypter, error) {\n\tcipher := getContentCipher(enc)\n\n\tif cipher == nil {\n\t\treturn nil, ErrUnsupportedAlgorithm\n\t}\n\tif len(rcpts) == 0 {\n\t\treturn nil, fmt.Errorf(\"go-jose/go-jose: recipients is nil or empty\")\n\t}\n\n\tencrypter := &genericEncrypter{\n\t\tcontentAlg: enc,\n\t\trecipients: []recipientKeyInfo{},\n\t\tcipher: cipher,\n\t\tkeyGenerator: randomKeyGenerator{\n\t\t\tsize: cipher.keySize(),\n\t\t},\n\t}\n\n\tif opts != nil {\n\t\tencrypter.compressionAlg = opts.Compression\n\t\tencrypter.extraHeaders = opts.ExtraHeaders\n\t}\n\n\tfor _, recipient := range rcpts {\n\t\terr := encrypter.addRecipient(recipient)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\treturn encrypter, nil\n}\n\nfunc (ctx *genericEncrypter) addRecipient(recipient Recipient) (err error) {\n\tvar recipientInfo recipientKeyInfo\n\n\tswitch recipient.Algorithm {\n\tcase DIRECT, ECDH_ES:\n\t\treturn fmt.Errorf(\"go-jose/go-jose: key algorithm '%s' not supported in multi-recipient mode\", recipient.Algorithm)\n\t}\n\n\trecipientInfo, err = makeJWERecipient(recipient.Algorithm, recipient.Key)\n\tif recipient.KeyID != \"\" {\n\t\trecipientInfo.keyID = recipient.KeyID\n\t}\n\n\tswitch recipient.Algorithm {\n\tcase PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:\n\t\tif sr, ok := recipientInfo.keyEncrypter.(*symmetricKeyCipher); ok {\n\t\t\tsr.p2c = recipient.PBES2Count\n\t\t\tsr.p2s = recipient.PBES2Salt\n\t\t}\n\t}\n\n\tif err == nil {\n\t\tctx.recipients = append(ctx.recipients, recipientInfo)\n\t}\n\treturn err\n}\n\nfunc makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKeyInfo, error) {\n\tswitch encryptionKey := encryptionKey.(type) {\n\tcase *rsa.PublicKey:\n\t\treturn newRSARecipient(alg, encryptionKey)\n\tcase *ecdsa.PublicKey:\n\t\treturn newECDHRecipient(alg, encryptionKey)\n\tcase []byte:\n\t\treturn newSymmetricRecipient(alg, encryptionKey)\n\tcase string:\n\t\treturn newSymmetricRecipient(alg, []byte(encryptionKey))\n\tcase JSONWebKey:\n\t\trecipient, err := makeJWERecipient(alg, encryptionKey.Key)\n\t\trecipient.keyID = encryptionKey.KeyID\n\t\treturn recipient, err\n\tcase *JSONWebKey:\n\t\trecipient, err := makeJWERecipient(alg, encryptionKey.Key)\n\t\trecipient.keyID = encryptionKey.KeyID\n\t\treturn recipient, err\n\tcase OpaqueKeyEncrypter:\n\t\treturn newOpaqueKeyEncrypter(alg, encryptionKey)\n\t}\n\treturn recipientKeyInfo{}, ErrUnsupportedKeyType\n}\n\n// newDecrypter creates an appropriate decrypter based on the key type\nfunc newDecrypter(decryptionKey interface{}) (keyDecrypter, error) {\n\tswitch decryptionKey := decryptionKey.(type) {\n\tcase *rsa.PrivateKey:\n\t\treturn &rsaDecrypterSigner{\n\t\t\tprivateKey: decryptionKey,\n\t\t}, nil\n\tcase *ecdsa.PrivateKey:\n\t\treturn &ecDecrypterSigner{\n\t\t\tprivateKey: decryptionKey,\n\t\t}, nil\n\tcase []byte:\n\t\treturn &symmetricKeyCipher{\n\t\t\tkey: decryptionKey,\n\t\t}, nil\n\tcase string:\n\t\treturn &symmetricKeyCipher{\n\t\t\tkey: []byte(decryptionKey),\n\t\t}, nil\n\tcase JSONWebKey:\n\t\treturn newDecrypter(decryptionKey.Key)\n\tcase *JSONWebKey:\n\t\treturn newDecrypter(decryptionKey.Key)\n\tcase OpaqueKeyDecrypter:\n\t\treturn &opaqueKeyDecrypter{decrypter: decryptionKey}, nil\n\tdefault:\n\t\treturn nil, ErrUnsupportedKeyType\n\t}\n}\n\n// Implementation of encrypt method producing a JWE object.\nfunc (ctx *genericEncrypter) Encrypt(plaintext []byte) (*JSONWebEncryption, error) {\n\treturn ctx.EncryptWithAuthData(plaintext, nil)\n}\n\n// Implementation of encrypt method producing a JWE object.\nfunc (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JSONWebEncryption, error) {\n\tobj := &JSONWebEncryption{}\n\tobj.aad = aad\n\n\tobj.protected = &rawHeader{}\n\terr := obj.protected.set(headerEncryption, ctx.contentAlg)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tobj.recipients = make([]recipientInfo, len(ctx.recipients))\n\n\tif len(ctx.recipients) == 0 {\n\t\treturn nil, fmt.Errorf(\"go-jose/go-jose: no recipients to encrypt to\")\n\t}\n\n\tcek, headers, err := ctx.keyGenerator.genKey()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tobj.protected.merge(&headers)\n\n\tfor i, info := range ctx.recipients {\n\t\trecipient, err := info.keyEncrypter.encryptKey(cek, info.keyAlg)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\terr = recipient.header.set(headerAlgorithm, info.keyAlg)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tif info.keyID != \"\" {\n\t\t\terr = recipient.header.set(headerKeyID, info.keyID)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t}\n\t\tobj.recipients[i] = recipient\n\t}\n\n\tif len(ctx.recipients) == 1 {\n\t\t// Move per-recipient headers into main protected header if there's\n\t\t// only a single recipient.\n\t\tobj.protected.merge(obj.recipients[0].header)\n\t\tobj.recipients[0].header = nil\n\t}\n\n\tif ctx.compressionAlg != NONE {\n\t\tplaintext, err = compress(ctx.compressionAlg, plaintext)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\terr = obj.protected.set(headerCompression, ctx.compressionAlg)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\tfor k, v := range ctx.extraHeaders {\n\t\tb, err := json.Marshal(v)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\t(*obj.protected)[k] = makeRawMessage(b)\n\t}\n\n\tauthData := obj.computeAuthData()\n\tparts, err := ctx.cipher.encrypt(cek, authData, plaintext)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tobj.iv = parts.iv\n\tobj.ciphertext = parts.ciphertext\n\tobj.tag = parts.tag\n\n\treturn obj, nil\n}\n\nfunc (ctx *genericEncrypter) Options() EncrypterOptions {\n\treturn EncrypterOptions{\n\t\tCompression: ctx.compressionAlg,\n\t\tExtraHeaders: ctx.extraHeaders,\n\t}\n}\n\n// Decrypt and validate the object and return the plaintext. This\n// function does not support multi-recipient. If you desire multi-recipient\n// decryption use DecryptMulti instead.\n//\n// The decryptionKey argument must contain a private or symmetric key\n// and must have one of these types:\n// - *ecdsa.PrivateKey\n// - *rsa.PrivateKey\n// - *JSONWebKey\n// - JSONWebKey\n// - *JSONWebKeySet\n// - JSONWebKeySet\n// - []byte (a symmetric key)\n// - string (a symmetric key)\n// - Any type that satisfies the OpaqueKeyDecrypter interface.\n//\n// Note that ed25519 is only available for signatures, not encryption, so is\n// not an option here.\n//\n// Automatically decompresses plaintext, but returns an error if the decompressed\n// data would be >250kB or >10x the size of the compressed data, whichever is larger.\nfunc (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {\n\theaders := obj.mergedHeaders(nil)\n\n\tif len(obj.recipients) > 1 {\n\t\treturn nil, errors.New(\"go-jose/go-jose: too many recipients in payload; expecting only one\")\n\t}\n\n\terr := headers.checkNoCritical()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tkey, err := tryJWKS(decryptionKey, obj.Header)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdecrypter, err := newDecrypter(key)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tcipher := getContentCipher(headers.getEncryption())\n\tif cipher == nil {\n\t\treturn nil, fmt.Errorf(\"go-jose/go-jose: unsupported enc value '%s'\", string(headers.getEncryption()))\n\t}\n\n\tgenerator := randomKeyGenerator{\n\t\tsize: cipher.keySize(),\n\t}\n\n\tparts := &aeadParts{\n\t\tiv: obj.iv,\n\t\tciphertext: obj.ciphertext,\n\t\ttag: obj.tag,\n\t}\n\n\tauthData := obj.computeAuthData()\n\n\tvar plaintext []byte\n\trecipient := obj.recipients[0]\n\trecipientHeaders := obj.mergedHeaders(&recipient)\n\n\tcek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)\n\tif err == nil {\n\t\t// Found a valid CEK -- let's try to decrypt.\n\t\tplaintext, err = cipher.decrypt(cek, authData, parts)\n\t}\n\n\tif plaintext == nil {\n\t\treturn nil, ErrCryptoFailure\n\t}\n\n\t// The \"zip\" header parameter may only be present in the protected header.\n\tif comp := obj.protected.getCompression(); comp != \"\" {\n\t\tplaintext, err = decompress(comp, plaintext)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"go-jose/go-jose: failed to decompress plaintext: %v\", err)\n\t\t}\n\t}\n\n\treturn plaintext, nil\n}\n\n// DecryptMulti decrypts and validates the object and returns the plaintexts,\n// with support for multiple recipients. It returns the index of the recipient\n// for which the decryption was successful, the merged headers for that recipient,\n// and the plaintext.\n//\n// The decryptionKey argument must have one of the types allowed for the\n// decryptionKey argument of Decrypt().\n//\n// Automatically decompresses plaintext, but returns an error if the decompressed\n// data would be >250kB or >3x the size of the compressed data, whichever is larger.\nfunc (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {\n\tglobalHeaders := obj.mergedHeaders(nil)\n\n\terr := globalHeaders.checkNoCritical()\n\tif err != nil {\n\t\treturn -1, Header{}, nil, err\n\t}\n\n\tkey, err := tryJWKS(decryptionKey, obj.Header)\n\tif err != nil {\n\t\treturn -1, Header{}, nil, err\n\t}\n\tdecrypter, err := newDecrypter(key)\n\tif err != nil {\n\t\treturn -1, Header{}, nil, err\n\t}\n\n\tencryption := globalHeaders.getEncryption()\n\tcipher := getContentCipher(encryption)\n\tif cipher == nil {\n\t\treturn -1, Header{}, nil, fmt.Errorf(\"go-jose/go-jose: unsupported enc value '%s'\", string(encryption))\n\t}\n\n\tgenerator := randomKeyGenerator{\n\t\tsize: cipher.keySize(),\n\t}\n\n\tparts := &aeadParts{\n\t\tiv: obj.iv,\n\t\tciphertext: obj.ciphertext,\n\t\ttag: obj.tag,\n\t}\n\n\tauthData := obj.computeAuthData()\n\n\tindex := -1\n\tvar plaintext []byte\n\tvar headers rawHeader\n\n\tfor i, recipient := range obj.recipients {\n\t\trecipientHeaders := obj.mergedHeaders(&recipient)\n\n\t\tcek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)\n\t\tif err == nil {\n\t\t\t// Found a valid CEK -- let's try to decrypt.\n\t\t\tplaintext, err = cipher.decrypt(cek, authData, parts)\n\t\t\tif err == nil {\n\t\t\t\tindex = i\n\t\t\t\theaders = recipientHeaders\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\n\tif plaintext == nil {\n\t\treturn -1, Header{}, nil, ErrCryptoFailure\n\t}\n\n\t// The \"zip\" header parameter may only be present in the protected header.\n\tif comp := obj.protected.getCompression(); comp != \"\" {\n\t\tplaintext, err = decompress(comp, plaintext)\n\t\tif err != nil {\n\t\t\treturn -1, Header{}, nil, fmt.Errorf(\"go-jose/go-jose: failed to decompress plaintext: %v\", err)\n\t\t}\n\t}\n\n\tsanitized, err := headers.sanitized()\n\tif err != nil {\n\t\treturn -1, Header{}, nil, fmt.Errorf(\"go-jose/go-jose: failed to sanitize header: %v\", err)\n\t}\n\n\treturn index, sanitized, plaintext, err\n}\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/doc.go", "content": "/*-\n * Copyright 2014 Square Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/*\nPackage jose aims to provide an implementation of the Javascript Object Signing\nand Encryption set of standards. It implements encryption and signing based on\nthe JSON Web Encryption and JSON Web Signature standards, with optional JSON Web\nToken support available in a sub-package. The library supports both the compact\nand JWS/JWE JSON Serialization formats, and has optional support for multiple\nrecipients.\n*/\npackage jose\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/encoding.go", "content": "/*-\n * Copyright 2014 Square Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\npackage jose\n\nimport (\n\t\"bytes\"\n\t\"compress/flate\"\n\t\"encoding/base64\"\n\t\"encoding/binary\"\n\t\"fmt\"\n\t\"io\"\n\t\"math/big\"\n\t\"strings\"\n\t\"unicode\"\n\n\t\"github.com/go-jose/go-jose/v4/json\"\n)\n\n// Helper function to serialize known-good objects.\n// Precondition: value is not a nil pointer.\nfunc mustSerializeJSON(value interface{}) []byte {\n\tout, err := json.Marshal(value)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\t// We never want to serialize the top-level value \"null,\" since it's not a\n\t// valid JOSE message. But if a caller passes in a nil pointer to this method,\n\t// MarshalJSON will happily serialize it as the top-level value \"null\". If\n\t// that value is then embedded in another operation, for instance by being\n\t// base64-encoded and fed as input to a signing algorithm\n\t// (https://github.com/go-jose/go-jose/issues/22), the result will be\n\t// incorrect. Because this method is intended for known-good objects, and a nil\n\t// pointer is not a known-good object, we are free to panic in this case.\n\t// Note: It's not possible to directly check whether the data pointed at by an\n\t// interface is a nil pointer, so we do this hacky workaround.\n\t// https://groups.google.com/forum/#!topic/golang-nuts/wnH302gBa4I\n\tif string(out) == \"null\" {\n\t\tpanic(\"Tried to serialize a nil pointer.\")\n\t}\n\treturn out\n}\n\n// Strip all newlines and whitespace\nfunc stripWhitespace(data string) string {\n\tbuf := strings.Builder{}\n\tbuf.Grow(len(data))\n\tfor _, r := range data {\n\t\tif !unicode.IsSpace(r) {\n\t\t\tbuf.WriteRune(r)\n\t\t}\n\t}\n\treturn buf.String()\n}\n\n// Perform compression based on algorithm\nfunc compress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {\n\tswitch algorithm {\n\tcase DEFLATE:\n\t\treturn deflate(input)\n\tdefault:\n\t\treturn nil, ErrUnsupportedAlgorithm\n\t}\n}\n\n// Perform decompression based on algorithm\nfunc decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {\n\tswitch algorithm {\n\tcase DEFLATE:\n\t\treturn inflate(input)\n\tdefault:\n\t\treturn nil, ErrUnsupportedAlgorithm\n\t}\n}\n\n// deflate compresses the input.\nfunc deflate(input []byte) ([]byte, error) {\n\toutput := new(bytes.Buffer)\n\n\t// Writing to byte buffer, err is always nil\n\twriter, _ := flate.NewWriter(output, 1)\n\t_, _ = io.Copy(writer, bytes.NewBuffer(input))\n\n\terr := writer.Close()\n\treturn output.Bytes(), err\n}\n\n// inflate decompresses the input.\n//\n// Errors if the decompressed data would be >250kB or >10x the size of the\n// compressed data, whichever is larger.\nfunc inflate(input []byte) ([]byte, error) {\n\toutput := new(bytes.Buffer)\n\treader := flate.NewReader(bytes.NewBuffer(input))\n\n\tmaxCompressedSize := max(250_000, 10*int64(len(input)))\n\n\tlimit := maxCompressedSize + 1\n\tn, err := io.CopyN(output, reader, limit)\n\tif err != nil && err != io.EOF {\n\t\treturn nil, err\n\t}\n\tif n == limit {\n\t\treturn nil, fmt.Errorf(\"uncompressed data would be too large (>%d bytes)\", maxCompressedSize)\n\t}\n\n\terr = reader.Close()\n\treturn output.Bytes(), err\n}\n\n// byteBuffer represents a slice of bytes that can be serialized to url-safe base64.\ntype byteBuffer struct {\n\tdata []byte\n}\n\nfunc newBuffer(data []byte) *byteBuffer {\n\tif data == nil {\n\t\treturn nil\n\t}\n\treturn &byteBuffer{\n\t\tdata: data,\n\t}\n}\n\nfunc newFixedSizeBuffer(data []byte, length int) *byteBuffer {\n\tif len(data) > length {\n\t\tpanic(\"go-jose/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)\")\n\t}\n\tpad := make([]byte, length-len(data))\n\treturn newBuffer(append(pad, data...))\n}\n\nfunc newBufferFromInt(num uint64) *byteBuffer {\n\tdata := make([]byte, 8)\n\tbinary.BigEndian.PutUint64(data, num)\n\treturn newBuffer(bytes.TrimLeft(data, \"\\x00\"))\n}\n\nfunc (b *byteBuffer) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(b.base64())\n}\n\nfunc (b *byteBuffer) UnmarshalJSON(data []byte) error {\n\tvar encoded string\n\terr := json.Unmarshal(data, &encoded)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif encoded == \"\" {\n\t\treturn nil\n\t}\n\n\tdecoded, err := base64.RawURLEncoding.DecodeString(encoded)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t*b = *newBuffer(decoded)\n\n\treturn nil\n}\n\nfunc (b *byteBuffer) base64() string {\n\treturn base64.RawURLEncoding.EncodeToString(b.data)\n}\n\nfunc (b *byteBuffer) bytes() []byte {\n\t// Handling nil here allows us to transparently handle nil slices when serializing.\n\tif b == nil {\n\t\treturn nil\n\t}\n\treturn b.data\n}\n\nfunc (b byteBuffer) bigInt() *big.Int {\n\treturn new(big.Int).SetBytes(b.data)\n}\n\nfunc (b byteBuffer) toInt() int {\n\treturn int(b.bigInt().Int64())\n}\n\nfunc base64EncodeLen(sl []byte) int {\n\treturn base64.RawURLEncoding.EncodedLen(len(sl))\n}\n\nfunc base64JoinWithDots(inputs ...[]byte) string {\n\tif len(inputs) == 0 {\n\t\treturn \"\"\n\t}\n\n\t// Count of dots.\n\ttotalCount := len(inputs) - 1\n\n\tfor _, input := range inputs {\n\t\ttotalCount += base64EncodeLen(input)\n\t}\n\n\tout := make([]byte, totalCount)\n\tstartEncode := 0\n\tfor i, input := range inputs {\n\t\tbase64.RawURLEncoding.Encode(out[startEncode:], input)\n\n\t\tif i == len(inputs)-1 {\n\t\t\tcontinue\n\t\t}\n\n\t\tstartEncode += base64EncodeLen(input)\n\t\tout[startEncode] = '.'\n\t\tstartEncode++\n\t}\n\n\treturn string(out)\n}\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/json/LICENSE", "content": "Copyright (c) 2012 The Go Authors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/json/README.md", "content": "# Safe JSON\n\nThis repository contains a fork of the `encoding/json` package from Go 1.6.\n\nThe following changes were made:\n\n* Object deserialization uses case-sensitive member name matching instead of\n [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html).\n This is to avoid differences in the interpretation of JOSE messages between\n go-jose and libraries written in other languages.\n* When deserializing a JSON object, we check for duplicate keys and reject the\n input whenever we detect a duplicate. Rather than trying to work with malformed\n data, we prefer to reject it right away.\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/json/decode.go", "content": "// Copyright 2010 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// Represents JSON data structure using native Go types: booleans, floats,\n// strings, arrays, and maps.\n\npackage json\n\nimport (\n\t\"bytes\"\n\t\"encoding\"\n\t\"encoding/base64\"\n\t\"errors\"\n\t\"fmt\"\n\t\"math\"\n\t\"reflect\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"unicode\"\n\t\"unicode/utf16\"\n\t\"unicode/utf8\"\n)\n\n// Unmarshal parses the JSON-encoded data and stores the result\n// in the value pointed to by v.\n//\n// Unmarshal uses the inverse of the encodings that\n// Marshal uses, allocating maps, slices, and pointers as necessary,\n// with the following additional rules:\n//\n// To unmarshal JSON into a pointer, Unmarshal first handles the case of\n// the JSON being the JSON literal null. In that case, Unmarshal sets\n// the pointer to nil. Otherwise, Unmarshal unmarshals the JSON into\n// the value pointed at by the pointer. If the pointer is nil, Unmarshal\n// allocates a new value for it to point to.\n//\n// To unmarshal JSON into a struct, Unmarshal matches incoming object\n// keys to the keys used by Marshal (either the struct field name or its tag),\n// preferring an exact match but also accepting a case-insensitive match.\n// Unmarshal will only set exported fields of the struct.\n//\n// To unmarshal JSON into an interface value,\n// Unmarshal stores one of these in the interface value:\n//\n//\tbool, for JSON booleans\n//\tfloat64, for JSON numbers\n//\tstring, for JSON strings\n//\t[]interface{}, for JSON arrays\n//\tmap[string]interface{}, for JSON objects\n//\tnil for JSON null\n//\n// To unmarshal a JSON array into a slice, Unmarshal resets the slice length\n// to zero and then appends each element to the slice.\n// As a special case, to unmarshal an empty JSON array into a slice,\n// Unmarshal replaces the slice with a new empty slice.\n//\n// To unmarshal a JSON array into a Go array, Unmarshal decodes\n// JSON array elements into corresponding Go array elements.\n// If the Go array is smaller than the JSON array,\n// the additional JSON array elements are discarded.\n// If the JSON array is smaller than the Go array,\n// the additional Go array elements are set to zero values.\n//\n// To unmarshal a JSON object into a string-keyed map, Unmarshal first\n// establishes a map to use, If the map is nil, Unmarshal allocates a new map.\n// Otherwise Unmarshal reuses the existing map, keeping existing entries.\n// Unmarshal then stores key-value pairs from the JSON object into the map.\n//\n// If a JSON value is not appropriate for a given target type,\n// or if a JSON number overflows the target type, Unmarshal\n// skips that field and completes the unmarshaling as best it can.\n// If no more serious errors are encountered, Unmarshal returns\n// an UnmarshalTypeError describing the earliest such error.\n//\n// The JSON null value unmarshals into an interface, map, pointer, or slice\n// by setting that Go value to nil. Because null is often used in JSON to mean\n// “not present,” unmarshaling a JSON null into any other Go type has no effect\n// on the value and produces no error.\n//\n// When unmarshaling quoted strings, invalid UTF-8 or\n// invalid UTF-16 surrogate pairs are not treated as an error.\n// Instead, they are replaced by the Unicode replacement\n// character U+FFFD.\nfunc Unmarshal(data []byte, v interface{}) error {\n\t// Check for well-formedness.\n\t// Avoids filling out half a data structure\n\t// before discovering a JSON syntax error.\n\tvar d decodeState\n\terr := checkValid(data, &d.scan)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\td.init(data)\n\treturn d.unmarshal(v)\n}\n\n// Unmarshaler is the interface implemented by objects\n// that can unmarshal a JSON description of themselves.\n// The input can be assumed to be a valid encoding of\n// a JSON value. UnmarshalJSON must copy the JSON data\n// if it wishes to retain the data after returning.\ntype Unmarshaler interface {\n\tUnmarshalJSON([]byte) error\n}\n\n// An UnmarshalTypeError describes a JSON value that was\n// not appropriate for a value of a specific Go type.\ntype UnmarshalTypeError struct {\n\tValue string // description of JSON value - \"bool\", \"array\", \"number -5\"\n\tType reflect.Type // type of Go value it could not be assigned to\n\tOffset int64 // error occurred after reading Offset bytes\n}\n\nfunc (e *UnmarshalTypeError) Error() string {\n\treturn \"json: cannot unmarshal \" + e.Value + \" into Go value of type \" + e.Type.String()\n}\n\n// An UnmarshalFieldError describes a JSON object key that\n// led to an unexported (and therefore unwritable) struct field.\n// (No longer used; kept for compatibility.)\ntype UnmarshalFieldError struct {\n\tKey string\n\tType reflect.Type\n\tField reflect.StructField\n}\n\nfunc (e *UnmarshalFieldError) Error() string {\n\treturn \"json: cannot unmarshal object key \" + strconv.Quote(e.Key) + \" into unexported field \" + e.Field.Name + \" of type \" + e.Type.String()\n}\n\n// An InvalidUnmarshalError describes an invalid argument passed to Unmarshal.\n// (The argument to Unmarshal must be a non-nil pointer.)\ntype InvalidUnmarshalError struct {\n\tType reflect.Type\n}\n\nfunc (e *InvalidUnmarshalError) Error() string {\n\tif e.Type == nil {\n\t\treturn \"json: Unmarshal(nil)\"\n\t}\n\n\tif e.Type.Kind() != reflect.Ptr {\n\t\treturn \"json: Unmarshal(non-pointer \" + e.Type.String() + \")\"\n\t}\n\treturn \"json: Unmarshal(nil \" + e.Type.String() + \")\"\n}\n\nfunc (d *decodeState) unmarshal(v interface{}) (err error) {\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tif _, ok := r.(runtime.Error); ok {\n\t\t\t\tpanic(r)\n\t\t\t}\n\t\t\terr = r.(error)\n\t\t}\n\t}()\n\n\trv := reflect.ValueOf(v)\n\tif rv.Kind() != reflect.Ptr || rv.IsNil() {\n\t\treturn &InvalidUnmarshalError{reflect.TypeOf(v)}\n\t}\n\n\td.scan.reset()\n\t// We decode rv not rv.Elem because the Unmarshaler interface\n\t// test must be applied at the top level of the value.\n\td.value(rv)\n\treturn d.savedError\n}\n\n// A Number represents a JSON number literal.\ntype Number string\n\n// String returns the literal text of the number.\nfunc (n Number) String() string { return string(n) }\n\n// Float64 returns the number as a float64.\nfunc (n Number) Float64() (float64, error) {\n\treturn strconv.ParseFloat(string(n), 64)\n}\n\n// Int64 returns the number as an int64.\nfunc (n Number) Int64() (int64, error) {\n\treturn strconv.ParseInt(string(n), 10, 64)\n}\n\n// isValidNumber reports whether s is a valid JSON number literal.\nfunc isValidNumber(s string) bool {\n\t// This function implements the JSON numbers grammar.\n\t// See https://tools.ietf.org/html/rfc7159#section-6\n\t// and http://json.org/number.gif\n\n\tif s == \"\" {\n\t\treturn false\n\t}\n\n\t// Optional -\n\tif s[0] == '-' {\n\t\ts = s[1:]\n\t\tif s == \"\" {\n\t\t\treturn false\n\t\t}\n\t}\n\n\t// Digits\n\tswitch {\n\tdefault:\n\t\treturn false\n\n\tcase s[0] == '0':\n\t\ts = s[1:]\n\n\tcase '1' <= s[0] && s[0] <= '9':\n\t\ts = s[1:]\n\t\tfor len(s) > 0 && '0' <= s[0] && s[0] <= '9' {\n\t\t\ts = s[1:]\n\t\t}\n\t}\n\n\t// . followed by 1 or more digits.\n\tif len(s) >= 2 && s[0] == '.' && '0' <= s[1] && s[1] <= '9' {\n\t\ts = s[2:]\n\t\tfor len(s) > 0 && '0' <= s[0] && s[0] <= '9' {\n\t\t\ts = s[1:]\n\t\t}\n\t}\n\n\t// e or E followed by an optional - or + and\n\t// 1 or more digits.\n\tif len(s) >= 2 && (s[0] == 'e' || s[0] == 'E') {\n\t\ts = s[1:]\n\t\tif s[0] == '+' || s[0] == '-' {\n\t\t\ts = s[1:]\n\t\t\tif s == \"\" {\n\t\t\t\treturn false\n\t\t\t}\n\t\t}\n\t\tfor len(s) > 0 && '0' <= s[0] && s[0] <= '9' {\n\t\t\ts = s[1:]\n\t\t}\n\t}\n\n\t// Make sure we are at the end.\n\treturn s == \"\"\n}\n\ntype NumberUnmarshalType int\n\nconst (\n\t// unmarshal a JSON number into an interface{} as a float64\n\tUnmarshalFloat NumberUnmarshalType = iota\n\t// unmarshal a JSON number into an interface{} as a `json.Number`\n\tUnmarshalJSONNumber\n\t// unmarshal a JSON number into an interface{} as a int64\n\t// if value is an integer otherwise float64\n\tUnmarshalIntOrFloat\n)\n\n// decodeState represents the state while decoding a JSON value.\ntype decodeState struct {\n\tdata []byte\n\toff int // read offset in data\n\tscan scanner\n\tnextscan scanner // for calls to nextValue\n\tsavedError error\n\tnumberType NumberUnmarshalType\n}\n\n// errPhase is used for errors that should not happen unless\n// there is a bug in the JSON decoder or something is editing\n// the data slice while the decoder executes.\nvar errPhase = errors.New(\"JSON decoder out of sync - data changing underfoot?\")\n\nfunc (d *decodeState) init(data []byte) *decodeState {\n\td.data = data\n\td.off = 0\n\td.savedError = nil\n\treturn d\n}\n\n// error aborts the decoding by panicking with err.\nfunc (d *decodeState) error(err error) {\n\tpanic(err)\n}\n\n// saveError saves the first err it is called with,\n// for reporting at the end of the unmarshal.\nfunc (d *decodeState) saveError(err error) {\n\tif d.savedError == nil {\n\t\td.savedError = err\n\t}\n}\n\n// next cuts off and returns the next full JSON value in d.data[d.off:].\n// The next value is known to be an object or array, not a literal.\nfunc (d *decodeState) next() []byte {\n\tc := d.data[d.off]\n\titem, rest, err := nextValue(d.data[d.off:], &d.nextscan)\n\tif err != nil {\n\t\td.error(err)\n\t}\n\td.off = len(d.data) - len(rest)\n\n\t// Our scanner has seen the opening brace/bracket\n\t// and thinks we're still in the middle of the object.\n\t// invent a closing brace/bracket to get it out.\n\tif c == '{' {\n\t\td.scan.step(&d.scan, '}')\n\t} else {\n\t\td.scan.step(&d.scan, ']')\n\t}\n\n\treturn item\n}\n\n// scanWhile processes bytes in d.data[d.off:] until it\n// receives a scan code not equal to op.\n// It updates d.off and returns the new scan code.\nfunc (d *decodeState) scanWhile(op int) int {\n\tvar newOp int\n\tfor {\n\t\tif d.off >= len(d.data) {\n\t\t\tnewOp = d.scan.eof()\n\t\t\td.off = len(d.data) + 1 // mark processed EOF with len+1\n\t\t} else {\n\t\t\tc := d.data[d.off]\n\t\t\td.off++\n\t\t\tnewOp = d.scan.step(&d.scan, c)\n\t\t}\n\t\tif newOp != op {\n\t\t\tbreak\n\t\t}\n\t}\n\treturn newOp\n}\n\n// value decodes a JSON value from d.data[d.off:] into the value.\n// it updates d.off to point past the decoded value.\nfunc (d *decodeState) value(v reflect.Value) {\n\tif !v.IsValid() {\n\t\t_, rest, err := nextValue(d.data[d.off:], &d.nextscan)\n\t\tif err != nil {\n\t\t\td.error(err)\n\t\t}\n\t\td.off = len(d.data) - len(rest)\n\n\t\t// d.scan thinks we're still at the beginning of the item.\n\t\t// Feed in an empty string - the shortest, simplest value -\n\t\t// so that it knows we got to the end of the value.\n\t\tif d.scan.redo {\n\t\t\t// rewind.\n\t\t\td.scan.redo = false\n\t\t\td.scan.step = stateBeginValue\n\t\t}\n\t\td.scan.step(&d.scan, '\"')\n\t\td.scan.step(&d.scan, '\"')\n\n\t\tn := len(d.scan.parseState)\n\t\tif n > 0 && d.scan.parseState[n-1] == parseObjectKey {\n\t\t\t// d.scan thinks we just read an object key; finish the object\n\t\t\td.scan.step(&d.scan, ':')\n\t\t\td.scan.step(&d.scan, '\"')\n\t\t\td.scan.step(&d.scan, '\"')\n\t\t\td.scan.step(&d.scan, '}')\n\t\t}\n\n\t\treturn\n\t}\n\n\tswitch op := d.scanWhile(scanSkipSpace); op {\n\tdefault:\n\t\td.error(errPhase)\n\n\tcase scanBeginArray:\n\t\td.array(v)\n\n\tcase scanBeginObject:\n\t\td.object(v)\n\n\tcase scanBeginLiteral:\n\t\td.literal(v)\n\t}\n}\n\ntype unquotedValue struct{}\n\n// valueQuoted is like value but decodes a\n// quoted string literal or literal null into an interface value.\n// If it finds anything other than a quoted string literal or null,\n// valueQuoted returns unquotedValue{}.\nfunc (d *decodeState) valueQuoted() interface{} {\n\tswitch op := d.scanWhile(scanSkipSpace); op {\n\tdefault:\n\t\td.error(errPhase)\n\n\tcase scanBeginArray:\n\t\td.array(reflect.Value{})\n\n\tcase scanBeginObject:\n\t\td.object(reflect.Value{})\n\n\tcase scanBeginLiteral:\n\t\tswitch v := d.literalInterface().(type) {\n\t\tcase nil, string:\n\t\t\treturn v\n\t\t}\n\t}\n\treturn unquotedValue{}\n}\n\n// indirect walks down v allocating pointers as needed,\n// until it gets to a non-pointer.\n// if it encounters an Unmarshaler, indirect stops and returns that.\n// if decodingNull is true, indirect stops at the last pointer so it can be set to nil.\nfunc (d *decodeState) indirect(v reflect.Value, decodingNull bool) (Unmarshaler, encoding.TextUnmarshaler, reflect.Value) {\n\t// If v is a named type and is addressable,\n\t// start with its address, so that if the type has pointer methods,\n\t// we find them.\n\tif v.Kind() != reflect.Ptr && v.Type().Name() != \"\" && v.CanAddr() {\n\t\tv = v.Addr()\n\t}\n\tfor {\n\t\t// Load value from interface, but only if the result will be\n\t\t// usefully addressable.\n\t\tif v.Kind() == reflect.Interface && !v.IsNil() {\n\t\t\te := v.Elem()\n\t\t\tif e.Kind() == reflect.Ptr && !e.IsNil() && (!decodingNull || e.Elem().Kind() == reflect.Ptr) {\n\t\t\t\tv = e\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\n\t\tif v.Kind() != reflect.Ptr {\n\t\t\tbreak\n\t\t}\n\n\t\tif v.Elem().Kind() != reflect.Ptr && decodingNull && v.CanSet() {\n\t\t\tbreak\n\t\t}\n\t\tif v.IsNil() {\n\t\t\tv.Set(reflect.New(v.Type().Elem()))\n\t\t}\n\t\tif v.Type().NumMethod() > 0 {\n\t\t\tif u, ok := v.Interface().(Unmarshaler); ok {\n\t\t\t\treturn u, nil, reflect.Value{}\n\t\t\t}\n\t\t\tif u, ok := v.Interface().(encoding.TextUnmarshaler); ok {\n\t\t\t\treturn nil, u, reflect.Value{}\n\t\t\t}\n\t\t}\n\t\tv = v.Elem()\n\t}\n\treturn nil, nil, v\n}\n\n// array consumes an array from d.data[d.off-1:], decoding into the value v.\n// the first byte of the array ('[') has been read already.\nfunc (d *decodeState) array(v reflect.Value) {\n\t// Check for unmarshaler.\n\tu, ut, pv := d.indirect(v, false)\n\tif u != nil {\n\t\td.off--\n\t\terr := u.UnmarshalJSON(d.next())\n\t\tif err != nil {\n\t\t\td.error(err)\n\t\t}\n\t\treturn\n\t}\n\tif ut != nil {\n\t\td.saveError(&UnmarshalTypeError{\"array\", v.Type(), int64(d.off)})\n\t\td.off--\n\t\td.next()\n\t\treturn\n\t}\n\n\tv = pv\n\n\t// Check type of target.\n\tswitch v.Kind() {\n\tcase reflect.Interface:\n\t\tif v.NumMethod() == 0 {\n\t\t\t// Decoding into nil interface? Switch to non-reflect code.\n\t\t\tv.Set(reflect.ValueOf(d.arrayInterface()))\n\t\t\treturn\n\t\t}\n\t\t// Otherwise it's invalid.\n\t\tfallthrough\n\tdefault:\n\t\td.saveError(&UnmarshalTypeError{\"array\", v.Type(), int64(d.off)})\n\t\td.off--\n\t\td.next()\n\t\treturn\n\tcase reflect.Array:\n\tcase reflect.Slice:\n\t\tbreak\n\t}\n\n\ti := 0\n\tfor {\n\t\t// Look ahead for ] - can only happen on first iteration.\n\t\top := d.scanWhile(scanSkipSpace)\n\t\tif op == scanEndArray {\n\t\t\tbreak\n\t\t}\n\n\t\t// Back up so d.value can have the byte we just read.\n\t\td.off--\n\t\td.scan.undo(op)\n\n\t\t// Get element of array, growing if necessary.\n\t\tif v.Kind() == reflect.Slice {\n\t\t\t// Grow slice if necessary\n\t\t\tif i >= v.Cap() {\n\t\t\t\tnewcap := v.Cap() + v.Cap()/2\n\t\t\t\tif newcap < 4 {\n\t\t\t\t\tnewcap = 4\n\t\t\t\t}\n\t\t\t\tnewv := reflect.MakeSlice(v.Type(), v.Len(), newcap)\n\t\t\t\treflect.Copy(newv, v)\n\t\t\t\tv.Set(newv)\n\t\t\t}\n\t\t\tif i >= v.Len() {\n\t\t\t\tv.SetLen(i + 1)\n\t\t\t}\n\t\t}\n\n\t\tif i < v.Len() {\n\t\t\t// Decode into element.\n\t\t\td.value(v.Index(i))\n\t\t} else {\n\t\t\t// Ran out of fixed array: skip.\n\t\t\td.value(reflect.Value{})\n\t\t}\n\t\ti++\n\n\t\t// Next token must be , or ].\n\t\top = d.scanWhile(scanSkipSpace)\n\t\tif op == scanEndArray {\n\t\t\tbreak\n\t\t}\n\t\tif op != scanArrayValue {\n\t\t\td.error(errPhase)\n\t\t}\n\t}\n\n\tif i < v.Len() {\n\t\tif v.Kind() == reflect.Array {\n\t\t\t// Array. Zero the rest.\n\t\t\tz := reflect.Zero(v.Type().Elem())\n\t\t\tfor ; i < v.Len(); i++ {\n\t\t\t\tv.Index(i).Set(z)\n\t\t\t}\n\t\t} else {\n\t\t\tv.SetLen(i)\n\t\t}\n\t}\n\tif i == 0 && v.Kind() == reflect.Slice {\n\t\tv.Set(reflect.MakeSlice(v.Type(), 0, 0))\n\t}\n}\n\nvar nullLiteral = []byte(\"null\")\n\n// object consumes an object from d.data[d.off-1:], decoding into the value v.\n// the first byte ('{') of the object has been read already.\nfunc (d *decodeState) object(v reflect.Value) {\n\t// Check for unmarshaler.\n\tu, ut, pv := d.indirect(v, false)\n\tif u != nil {\n\t\td.off--\n\t\terr := u.UnmarshalJSON(d.next())\n\t\tif err != nil {\n\t\t\td.error(err)\n\t\t}\n\t\treturn\n\t}\n\tif ut != nil {\n\t\td.saveError(&UnmarshalTypeError{\"object\", v.Type(), int64(d.off)})\n\t\td.off--\n\t\td.next() // skip over { } in input\n\t\treturn\n\t}\n\tv = pv\n\n\t// Decoding into nil interface? Switch to non-reflect code.\n\tif v.Kind() == reflect.Interface && v.NumMethod() == 0 {\n\t\tv.Set(reflect.ValueOf(d.objectInterface()))\n\t\treturn\n\t}\n\n\t// Check type of target: struct or map[string]T\n\tswitch v.Kind() {\n\tcase reflect.Map:\n\t\t// map must have string kind\n\t\tt := v.Type()\n\t\tif t.Key().Kind() != reflect.String {\n\t\t\td.saveError(&UnmarshalTypeError{\"object\", v.Type(), int64(d.off)})\n\t\t\td.off--\n\t\t\td.next() // skip over { } in input\n\t\t\treturn\n\t\t}\n\t\tif v.IsNil() {\n\t\t\tv.Set(reflect.MakeMap(t))\n\t\t}\n\tcase reflect.Struct:\n\n\tdefault:\n\t\td.saveError(&UnmarshalTypeError{\"object\", v.Type(), int64(d.off)})\n\t\td.off--\n\t\td.next() // skip over { } in input\n\t\treturn\n\t}\n\n\tvar mapElem reflect.Value\n\tkeys := map[string]bool{}\n\n\tfor {\n\t\t// Read opening \" of string key or closing }.\n\t\top := d.scanWhile(scanSkipSpace)\n\t\tif op == scanEndObject {\n\t\t\t// closing } - can only happen on first iteration.\n\t\t\tbreak\n\t\t}\n\t\tif op != scanBeginLiteral {\n\t\t\td.error(errPhase)\n\t\t}\n\n\t\t// Read key.\n\t\tstart := d.off - 1\n\t\top = d.scanWhile(scanContinue)\n\t\titem := d.data[start : d.off-1]\n\t\tkey, ok := unquote(item)\n\t\tif !ok {\n\t\t\td.error(errPhase)\n\t\t}\n\n\t\t// Check for duplicate keys.\n\t\t_, ok = keys[key]\n\t\tif !ok {\n\t\t\tkeys[key] = true\n\t\t} else {\n\t\t\td.error(fmt.Errorf(\"json: duplicate key '%s' in object\", key))\n\t\t}\n\n\t\t// Figure out field corresponding to key.\n\t\tvar subv reflect.Value\n\t\tdestring := false // whether the value is wrapped in a string to be decoded first\n\n\t\tif v.Kind() == reflect.Map {\n\t\t\telemType := v.Type().Elem()\n\t\t\tif !mapElem.IsValid() {\n\t\t\t\tmapElem = reflect.New(elemType).Elem()\n\t\t\t} else {\n\t\t\t\tmapElem.Set(reflect.Zero(elemType))\n\t\t\t}\n\t\t\tsubv = mapElem\n\t\t} else {\n\t\t\tvar f *field\n\t\t\tfields := cachedTypeFields(v.Type())\n\t\t\tfor i := range fields {\n\t\t\t\tff := &fields[i]\n\t\t\t\tif bytes.Equal(ff.nameBytes, []byte(key)) {\n\t\t\t\t\tf = ff\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t\tif f != nil {\n\t\t\t\tsubv = v\n\t\t\t\tdestring = f.quoted\n\t\t\t\tfor _, i := range f.index {\n\t\t\t\t\tif subv.Kind() == reflect.Ptr {\n\t\t\t\t\t\tif subv.IsNil() {\n\t\t\t\t\t\t\tsubv.Set(reflect.New(subv.Type().Elem()))\n\t\t\t\t\t\t}\n\t\t\t\t\t\tsubv = subv.Elem()\n\t\t\t\t\t}\n\t\t\t\t\tsubv = subv.Field(i)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t// Read : before value.\n\t\tif op == scanSkipSpace {\n\t\t\top = d.scanWhile(scanSkipSpace)\n\t\t}\n\t\tif op != scanObjectKey {\n\t\t\td.error(errPhase)\n\t\t}\n\n\t\t// Read value.\n\t\tif destring {\n\t\t\tswitch qv := d.valueQuoted().(type) {\n\t\t\tcase nil:\n\t\t\t\td.literalStore(nullLiteral, subv, false)\n\t\t\tcase string:\n\t\t\t\td.literalStore([]byte(qv), subv, true)\n\t\t\tdefault:\n\t\t\t\td.saveError(fmt.Errorf(\"json: invalid use of ,string struct tag, trying to unmarshal unquoted value into %v\", subv.Type()))\n\t\t\t}\n\t\t} else {\n\t\t\td.value(subv)\n\t\t}\n\n\t\t// Write value back to map;\n\t\t// if using struct, subv points into struct already.\n\t\tif v.Kind() == reflect.Map {\n\t\t\tkv := reflect.ValueOf(key).Convert(v.Type().Key())\n\t\t\tv.SetMapIndex(kv, subv)\n\t\t}\n\n\t\t// Next token must be , or }.\n\t\top = d.scanWhile(scanSkipSpace)\n\t\tif op == scanEndObject {\n\t\t\tbreak\n\t\t}\n\t\tif op != scanObjectValue {\n\t\t\td.error(errPhase)\n\t\t}\n\t}\n}\n\n// literal consumes a literal from d.data[d.off-1:], decoding into the value v.\n// The first byte of the literal has been read already\n// (that's how the caller knows it's a literal).\nfunc (d *decodeState) literal(v reflect.Value) {\n\t// All bytes inside literal return scanContinue op code.\n\tstart := d.off - 1\n\top := d.scanWhile(scanContinue)\n\n\t// Scan read one byte too far; back up.\n\td.off--\n\td.scan.undo(op)\n\n\td.literalStore(d.data[start:d.off], v, false)\n}\n\n// convertNumber converts the number literal s to a float64, int64 or a Number\n// depending on d.numberDecodeType.\nfunc (d *decodeState) convertNumber(s string) (interface{}, error) {\n\tswitch d.numberType {\n\n\tcase UnmarshalJSONNumber:\n\t\treturn Number(s), nil\n\tcase UnmarshalIntOrFloat:\n\t\tv, err := strconv.ParseInt(s, 10, 64)\n\t\tif err == nil {\n\t\t\treturn v, nil\n\t\t}\n\n\t\t// tries to parse integer number in scientific notation\n\t\tf, err := strconv.ParseFloat(s, 64)\n\t\tif err != nil {\n\t\t\treturn nil, &UnmarshalTypeError{\"number \" + s, reflect.TypeOf(0.0), int64(d.off)}\n\t\t}\n\n\t\t// if it has no decimal value use int64\n\t\tif fi, fd := math.Modf(f); fd == 0.0 {\n\t\t\treturn int64(fi), nil\n\t\t}\n\t\treturn f, nil\n\tdefault:\n\t\tf, err := strconv.ParseFloat(s, 64)\n\t\tif err != nil {\n\t\t\treturn nil, &UnmarshalTypeError{\"number \" + s, reflect.TypeOf(0.0), int64(d.off)}\n\t\t}\n\t\treturn f, nil\n\t}\n\n}\n\nvar numberType = reflect.TypeOf(Number(\"\"))\n\n// literalStore decodes a literal stored in item into v.\n//\n// fromQuoted indicates whether this literal came from unwrapping a\n// string from the \",string\" struct tag option. this is used only to\n// produce more helpful error messages.\nfunc (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool) {\n\t// Check for unmarshaler.\n\tif len(item) == 0 {\n\t\t//Empty string given\n\t\td.saveError(fmt.Errorf(\"json: invalid use of ,string struct tag, trying to unmarshal %q into %v\", item, v.Type()))\n\t\treturn\n\t}\n\twantptr := item[0] == 'n' // null\n\tu, ut, pv := d.indirect(v, wantptr)\n\tif u != nil {\n\t\terr := u.UnmarshalJSON(item)\n\t\tif err != nil {\n\t\t\td.error(err)\n\t\t}\n\t\treturn\n\t}\n\tif ut != nil {\n\t\tif item[0] != '\"' {\n\t\t\tif fromQuoted {\n\t\t\t\td.saveError(fmt.Errorf(\"json: invalid use of ,string struct tag, trying to unmarshal %q into %v\", item, v.Type()))\n\t\t\t} else {\n\t\t\t\td.saveError(&UnmarshalTypeError{\"string\", v.Type(), int64(d.off)})\n\t\t\t}\n\t\t\treturn\n\t\t}\n\t\ts, ok := unquoteBytes(item)\n\t\tif !ok {\n\t\t\tif fromQuoted {\n\t\t\t\td.error(fmt.Errorf(\"json: invalid use of ,string struct tag, trying to unmarshal %q into %v\", item, v.Type()))\n\t\t\t} else {\n\t\t\t\td.error(errPhase)\n\t\t\t}\n\t\t}\n\t\terr := ut.UnmarshalText(s)\n\t\tif err != nil {\n\t\t\td.error(err)\n\t\t}\n\t\treturn\n\t}\n\n\tv = pv\n\n\tswitch c := item[0]; c {\n\tcase 'n': // null\n\t\tswitch v.Kind() {\n\t\tcase reflect.Interface, reflect.Ptr, reflect.Map, reflect.Slice:\n\t\t\tv.Set(reflect.Zero(v.Type()))\n\t\t\t// otherwise, ignore null for primitives/string\n\t\t}\n\tcase 't', 'f': // true, false\n\t\tvalue := c == 't'\n\t\tswitch v.Kind() {\n\t\tdefault:\n\t\t\tif fromQuoted {\n\t\t\t\td.saveError(fmt.Errorf(\"json: invalid use of ,string struct tag, trying to unmarshal %q into %v\", item, v.Type()))\n\t\t\t} else {\n\t\t\t\td.saveError(&UnmarshalTypeError{\"bool\", v.Type(), int64(d.off)})\n\t\t\t}\n\t\tcase reflect.Bool:\n\t\t\tv.SetBool(value)\n\t\tcase reflect.Interface:\n\t\t\tif v.NumMethod() == 0 {\n\t\t\t\tv.Set(reflect.ValueOf(value))\n\t\t\t} else {\n\t\t\t\td.saveError(&UnmarshalTypeError{\"bool\", v.Type(), int64(d.off)})\n\t\t\t}\n\t\t}\n\n\tcase '\"': // string\n\t\ts, ok := unquoteBytes(item)\n\t\tif !ok {\n\t\t\tif fromQuoted {\n\t\t\t\td.error(fmt.Errorf(\"json: invalid use of ,string struct tag, trying to unmarshal %q into %v\", item, v.Type()))\n\t\t\t} else {\n\t\t\t\td.error(errPhase)\n\t\t\t}\n\t\t}\n\t\tswitch v.Kind() {\n\t\tdefault:\n\t\t\td.saveError(&UnmarshalTypeError{\"string\", v.Type(), int64(d.off)})\n\t\tcase reflect.Slice:\n\t\t\tif v.Type().Elem().Kind() != reflect.Uint8 {\n\t\t\t\td.saveError(&UnmarshalTypeError{\"string\", v.Type(), int64(d.off)})\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tb := make([]byte, base64.StdEncoding.DecodedLen(len(s)))\n\t\t\tn, err := base64.StdEncoding.Decode(b, s)\n\t\t\tif err != nil {\n\t\t\t\td.saveError(err)\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tv.SetBytes(b[:n])\n\t\tcase reflect.String:\n\t\t\tv.SetString(string(s))\n\t\tcase reflect.Interface:\n\t\t\tif v.NumMethod() == 0 {\n\t\t\t\tv.Set(reflect.ValueOf(string(s)))\n\t\t\t} else {\n\t\t\t\td.saveError(&UnmarshalTypeError{\"string\", v.Type(), int64(d.off)})\n\t\t\t}\n\t\t}\n\n\tdefault: // number\n\t\tif c != '-' && (c < '0' || c > '9') {\n\t\t\tif fromQuoted {\n\t\t\t\td.error(fmt.Errorf(\"json: invalid use of ,string struct tag, trying to unmarshal %q into %v\", item, v.Type()))\n\t\t\t} else {\n\t\t\t\td.error(errPhase)\n\t\t\t}\n\t\t}\n\t\ts := string(item)\n\t\tswitch v.Kind() {\n\t\tdefault:\n\t\t\tif v.Kind() == reflect.String && v.Type() == numberType {\n\t\t\t\tv.SetString(s)\n\t\t\t\tif !isValidNumber(s) {\n\t\t\t\t\td.error(fmt.Errorf(\"json: invalid number literal, trying to unmarshal %q into Number\", item))\n\t\t\t\t}\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tif fromQuoted {\n\t\t\t\td.error(fmt.Errorf(\"json: invalid use of ,string struct tag, trying to unmarshal %q into %v\", item, v.Type()))\n\t\t\t} else {\n\t\t\t\td.error(&UnmarshalTypeError{\"number\", v.Type(), int64(d.off)})\n\t\t\t}\n\t\tcase reflect.Interface:\n\t\t\tn, err := d.convertNumber(s)\n\t\t\tif err != nil {\n\t\t\t\td.saveError(err)\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tif v.NumMethod() != 0 {\n\t\t\t\td.saveError(&UnmarshalTypeError{\"number\", v.Type(), int64(d.off)})\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tv.Set(reflect.ValueOf(n))\n\n\t\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:\n\t\t\tn, err := strconv.ParseInt(s, 10, 64)\n\t\t\tif err != nil || v.OverflowInt(n) {\n\t\t\t\td.saveError(&UnmarshalTypeError{\"number \" + s, v.Type(), int64(d.off)})\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tv.SetInt(n)\n\n\t\tcase reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:\n\t\t\tn, err := strconv.ParseUint(s, 10, 64)\n\t\t\tif err != nil || v.OverflowUint(n) {\n\t\t\t\td.saveError(&UnmarshalTypeError{\"number \" + s, v.Type(), int64(d.off)})\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tv.SetUint(n)\n\n\t\tcase reflect.Float32, reflect.Float64:\n\t\t\tn, err := strconv.ParseFloat(s, v.Type().Bits())\n\t\t\tif err != nil || v.OverflowFloat(n) {\n\t\t\t\td.saveError(&UnmarshalTypeError{\"number \" + s, v.Type(), int64(d.off)})\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tv.SetFloat(n)\n\t\t}\n\t}\n}\n\n// The xxxInterface routines build up a value to be stored\n// in an empty interface. They are not strictly necessary,\n// but they avoid the weight of reflection in this common case.\n\n// valueInterface is like value but returns interface{}\nfunc (d *decodeState) valueInterface() interface{} {\n\tswitch d.scanWhile(scanSkipSpace) {\n\tdefault:\n\t\td.error(errPhase)\n\t\tpanic(\"unreachable\")\n\tcase scanBeginArray:\n\t\treturn d.arrayInterface()\n\tcase scanBeginObject:\n\t\treturn d.objectInterface()\n\tcase scanBeginLiteral:\n\t\treturn d.literalInterface()\n\t}\n}\n\n// arrayInterface is like array but returns []interface{}.\nfunc (d *decodeState) arrayInterface() []interface{} {\n\tvar v = make([]interface{}, 0)\n\tfor {\n\t\t// Look ahead for ] - can only happen on first iteration.\n\t\top := d.scanWhile(scanSkipSpace)\n\t\tif op == scanEndArray {\n\t\t\tbreak\n\t\t}\n\n\t\t// Back up so d.value can have the byte we just read.\n\t\td.off--\n\t\td.scan.undo(op)\n\n\t\tv = append(v, d.valueInterface())\n\n\t\t// Next token must be , or ].\n\t\top = d.scanWhile(scanSkipSpace)\n\t\tif op == scanEndArray {\n\t\t\tbreak\n\t\t}\n\t\tif op != scanArrayValue {\n\t\t\td.error(errPhase)\n\t\t}\n\t}\n\treturn v\n}\n\n// objectInterface is like object but returns map[string]interface{}.\nfunc (d *decodeState) objectInterface() map[string]interface{} {\n\tm := make(map[string]interface{})\n\tkeys := map[string]bool{}\n\n\tfor {\n\t\t// Read opening \" of string key or closing }.\n\t\top := d.scanWhile(scanSkipSpace)\n\t\tif op == scanEndObject {\n\t\t\t// closing } - can only happen on first iteration.\n\t\t\tbreak\n\t\t}\n\t\tif op != scanBeginLiteral {\n\t\t\td.error(errPhase)\n\t\t}\n\n\t\t// Read string key.\n\t\tstart := d.off - 1\n\t\top = d.scanWhile(scanContinue)\n\t\titem := d.data[start : d.off-1]\n\t\tkey, ok := unquote(item)\n\t\tif !ok {\n\t\t\td.error(errPhase)\n\t\t}\n\n\t\t// Check for duplicate keys.\n\t\t_, ok = keys[key]\n\t\tif !ok {\n\t\t\tkeys[key] = true\n\t\t} else {\n\t\t\td.error(fmt.Errorf(\"json: duplicate key '%s' in object\", key))\n\t\t}\n\n\t\t// Read : before value.\n\t\tif op == scanSkipSpace {\n\t\t\top = d.scanWhile(scanSkipSpace)\n\t\t}\n\t\tif op != scanObjectKey {\n\t\t\td.error(errPhase)\n\t\t}\n\n\t\t// Read value.\n\t\tm[key] = d.valueInterface()\n\n\t\t// Next token must be , or }.\n\t\top = d.scanWhile(scanSkipSpace)\n\t\tif op == scanEndObject {\n\t\t\tbreak\n\t\t}\n\t\tif op != scanObjectValue {\n\t\t\td.error(errPhase)\n\t\t}\n\t}\n\treturn m\n}\n\n// literalInterface is like literal but returns an interface value.\nfunc (d *decodeState) literalInterface() interface{} {\n\t// All bytes inside literal return scanContinue op code.\n\tstart := d.off - 1\n\top := d.scanWhile(scanContinue)\n\n\t// Scan read one byte too far; back up.\n\td.off--\n\td.scan.undo(op)\n\titem := d.data[start:d.off]\n\n\tswitch c := item[0]; c {\n\tcase 'n': // null\n\t\treturn nil\n\n\tcase 't', 'f': // true, false\n\t\treturn c == 't'\n\n\tcase '\"': // string\n\t\ts, ok := unquote(item)\n\t\tif !ok {\n\t\t\td.error(errPhase)\n\t\t}\n\t\treturn s\n\n\tdefault: // number\n\t\tif c != '-' && (c < '0' || c > '9') {\n\t\t\td.error(errPhase)\n\t\t}\n\t\tn, err := d.convertNumber(string(item))\n\t\tif err != nil {\n\t\t\td.saveError(err)\n\t\t}\n\t\treturn n\n\t}\n}\n\n// getu4 decodes \\uXXXX from the beginning of s, returning the hex value,\n// or it returns -1.\nfunc getu4(s []byte) rune {\n\tif len(s) < 6 || s[0] != '\\\\' || s[1] != 'u' {\n\t\treturn -1\n\t}\n\tr, err := strconv.ParseUint(string(s[2:6]), 16, 64)\n\tif err != nil {\n\t\treturn -1\n\t}\n\treturn rune(r)\n}\n\n// unquote converts a quoted JSON string literal s into an actual string t.\n// The rules are different than for Go, so cannot use strconv.Unquote.\nfunc unquote(s []byte) (t string, ok bool) {\n\ts, ok = unquoteBytes(s)\n\tt = string(s)\n\treturn\n}\n\nfunc unquoteBytes(s []byte) (t []byte, ok bool) {\n\tif len(s) < 2 || s[0] != '\"' || s[len(s)-1] != '\"' {\n\t\treturn\n\t}\n\ts = s[1 : len(s)-1]\n\n\t// Check for unusual characters. If there are none,\n\t// then no unquoting is needed, so return a slice of the\n\t// original bytes.\n\tr := 0\n\tfor r < len(s) {\n\t\tc := s[r]\n\t\tif c == '\\\\' || c == '\"' || c < ' ' {\n\t\t\tbreak\n\t\t}\n\t\tif c < utf8.RuneSelf {\n\t\t\tr++\n\t\t\tcontinue\n\t\t}\n\t\trr, size := utf8.DecodeRune(s[r:])\n\t\tif rr == utf8.RuneError && size == 1 {\n\t\t\tbreak\n\t\t}\n\t\tr += size\n\t}\n\tif r == len(s) {\n\t\treturn s, true\n\t}\n\n\tb := make([]byte, len(s)+2*utf8.UTFMax)\n\tw := copy(b, s[0:r])\n\tfor r < len(s) {\n\t\t// Out of room? Can only happen if s is full of\n\t\t// malformed UTF-8 and we're replacing each\n\t\t// byte with RuneError.\n\t\tif w >= len(b)-2*utf8.UTFMax {\n\t\t\tnb := make([]byte, (len(b)+utf8.UTFMax)*2)\n\t\t\tcopy(nb, b[0:w])\n\t\t\tb = nb\n\t\t}\n\t\tswitch c := s[r]; {\n\t\tcase c == '\\\\':\n\t\t\tr++\n\t\t\tif r >= len(s) {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tswitch s[r] {\n\t\t\tdefault:\n\t\t\t\treturn\n\t\t\tcase '\"', '\\\\', '/', '\\'':\n\t\t\t\tb[w] = s[r]\n\t\t\t\tr++\n\t\t\t\tw++\n\t\t\tcase 'b':\n\t\t\t\tb[w] = '\\b'\n\t\t\t\tr++\n\t\t\t\tw++\n\t\t\tcase 'f':\n\t\t\t\tb[w] = '\\f'\n\t\t\t\tr++\n\t\t\t\tw++\n\t\t\tcase 'n':\n\t\t\t\tb[w] = '\\n'\n\t\t\t\tr++\n\t\t\t\tw++\n\t\t\tcase 'r':\n\t\t\t\tb[w] = '\\r'\n\t\t\t\tr++\n\t\t\t\tw++\n\t\t\tcase 't':\n\t\t\t\tb[w] = '\\t'\n\t\t\t\tr++\n\t\t\t\tw++\n\t\t\tcase 'u':\n\t\t\t\tr--\n\t\t\t\trr := getu4(s[r:])\n\t\t\t\tif rr < 0 {\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tr += 6\n\t\t\t\tif utf16.IsSurrogate(rr) {\n\t\t\t\t\trr1 := getu4(s[r:])\n\t\t\t\t\tif dec := utf16.DecodeRune(rr, rr1); dec != unicode.ReplacementChar {\n\t\t\t\t\t\t// A valid pair; consume.\n\t\t\t\t\t\tr += 6\n\t\t\t\t\t\tw += utf8.EncodeRune(b[w:], dec)\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t\t// Invalid surrogate; fall back to replacement rune.\n\t\t\t\t\trr = unicode.ReplacementChar\n\t\t\t\t}\n\t\t\t\tw += utf8.EncodeRune(b[w:], rr)\n\t\t\t}\n\n\t\t// Quote, control characters are invalid.\n\t\tcase c == '\"', c < ' ':\n\t\t\treturn\n\n\t\t// ASCII\n\t\tcase c < utf8.RuneSelf:\n\t\t\tb[w] = c\n\t\t\tr++\n\t\t\tw++\n\n\t\t// Coerce to well-formed UTF-8.\n\t\tdefault:\n\t\t\trr, size := utf8.DecodeRune(s[r:])\n\t\t\tr += size\n\t\t\tw += utf8.EncodeRune(b[w:], rr)\n\t\t}\n\t}\n\treturn b[0:w], true\n}\n" }, { "path": "vendor/github.com/go-jose/go-jose/v4/json/encode.go", "content": "// Copyright 2010 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// Package json implements encoding and decoding of JSON objects as defined in\n// RFC 4627. The mapping between JSON objects and Go values is described\n// in the documentation for the Marshal and Unmarshal functions.\n//\n// See \"JSON and Go\" for an introduction to this package:\n// https://golang.org/doc/articles/json_and_go.html\npackage json\n\nimport (\n\t\"bytes\"\n\t\"encoding\"\n\t\"encoding/base64\"\n\t\"fmt\"\n\t\"math\"\n\t\"reflect\"\n\t\"runtime\"\n\t\"sort\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"unicode\"\n\t\"unicode/utf8\"\n)\n\n// Marshal returns the JSON encoding of v.\n//\n// Marshal traverses the value v recursively.\n// If an encountered value implements the Marshaler interface\n// and is not a nil pointer, Marshal calls its MarshalJSON method\n// to produce JSON. If no MarshalJSON method is present but the\n// value implements encoding.TextMarshaler instead, Marshal calls\n// its MarshalText method.\n// The nil pointer exception is not strictly necessary\n// but mimics a similar, necessary exception in the behavior of\n// UnmarshalJSON.\n//\n// Otherwise, Marshal uses the following type-dependent default encodings:\n//\n// Boolean values encode as JSON booleans.\n//\n// Floating point, integer, and Number values encode as JSON numbers.\n//\n// String values encode as JSON strings coerced to valid UTF-8,\n// replacing invalid bytes with the Unicode replacement rune.\n// The angle brackets \"<\" and \">\" are escaped to \"\\u003c\" and \"\\u003e\"\n// to keep some browsers from misinterpreting JSON output as HTML.\n// Ampersand \"&\" is also escaped to \"\\u0026\" for the same reason.\n//\n// Array and slice values encode as JSON arrays, except that\n// []byte encodes as a base64-encoded string, and a nil slice\n// encodes as the null JSON object.\n//\n// Struct values encode as JSON objects. Each exported struct field\n// becomes a member of the object unless\n// - the field's tag is \"-\", or\n// - the field is empty and its tag specifies the \"omitempty\" option.\n//\n// The empty values are false, 0, any\n// nil pointer or interface value, and any array, slice, map, or string of\n// length zero. The object's default key string is the struct field name\n// but can be specified in the struct field's tag value. The \"json\" key in\n// the struct field's tag value is the key name, followed by an optional comma\n// and options. Examples:\n//\n//\t// Field is ignored by this package.\n//\tField int `json:\"-\"`\n//\n//\t// Field appears in JSON as key \"myName\".\n//\tField int `json:\"myName\"`\n//\n//\t// Field appears in JSON as key \"myName\" and\n//\t// the field is omitted from the object if its value is empty,\n//\t// as defined above.\n//\tField int `json:\"myName,omitempty\"`\n//\n//\t// Field appears in JSON as key \"Field\" (the default), but\n//\t// the field is skipped if empty.\n//\t// Note the leading comma.\n//\tField int `json:\",omitempty\"`\n//\n// The \"string\" option signals that a field is stored as JSON inside a\n// JSON-encoded string. It applies only to fields of string, floating point,\n// integer, or boolean types. This extra level of encoding is sometimes used\n// when communicating with JavaScript programs:\n//\n//\tInt64String int64 `json:\",string\"`\n//\n// The key name will be used if it's a non-empty string consisting of\n// only Unicode letters, digits, dollar signs, percent signs, hyphens,\n// underscores and slashes.\n//\n// Anonymous struct fields are usually marshaled as if their inner exported fields\n// were fields in the outer struct, subject to the usual Go visibility rules amended\n// as described in the next paragraph.\n// An anonymous struct field with a name given in its JSON tag is treated as\n// having that name, rather than being anonymous.\n// An anonymous struct field of interface type is treated the same as having\n// that type as its name, rather than being anonymous.\n//\n// The Go visibility rules for struct fields are amended for JSON when\n// deciding which field to marshal or unmarshal. If there are\n// multiple fields at the same level, and that level is the least\n// nested (and would therefore be the nesting level selected by the\n// usual Go rules), the following extra rules apply:\n//\n// 1) Of those fields, if any are JSON-tagged, only tagged fields are considered,\n// even if there are multiple untagged fields that would otherwise conflict.\n// 2) If there is exactly one field (tagged or not according to the first rule), that is selected.\n// 3) Otherwise there are multiple fields, and all are ignored; no error occurs.\n//\n// Handling of anonymous struct fields is new in Go 1.1.\n// Prior to Go 1.1, anonymous struct fields were ignored. To force ignoring of\n// an anonymous struct field in both current and earlier versions, give the field\n// a JSON tag of \"-\".\n//\n// Map values encode as JSON objects.\n// The map's key type must be string; the map keys are used as JSON object\n// keys, subject to the UTF-8 coercion described for string values above.\n//\n// Pointer values encode as the value pointed to.\n// A nil pointer encodes as the null JSON object.\n//\n// Interface values encode as the value contained in the interface.\n// A nil interface value encodes as the null JSON object.\n//\n// Channel, complex, and function values cannot be encoded in JSON.\n// Attempting to encode such a value causes Marshal to return\n// an UnsupportedTypeError.\n//\n// JSON cannot represent cyclic data structures and Marshal does not\n// handle them. Passing cyclic structures to Marshal will result in\n// an infinite recursion.\nfunc Marshal(v interface{}) ([]byte, error) {\n\te := &encodeState{}\n\terr := e.marshal(v)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn e.Bytes(), nil\n}\n\n// MarshalIndent is like Marshal but applies Indent to format the output.\nfunc MarshalIndent(v interface{}, prefix, indent string) ([]byte, error) {\n\tb, err := Marshal(v)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tvar buf bytes.Buffer\n\terr = Indent(&buf, b, prefix, indent)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn buf.Bytes(), nil\n}\n\n// HTMLEscape appends to dst the JSON-encoded src with <, >, &, U+2028 and U+2029\n// characters inside string literals changed to \\u003c, \\u003e, \\u0026, \\u2028, \\u2029\n// so that the JSON will be safe to embed inside HTML