review

ethanndickson · ethanndickson · commit 416b5ff4d48f · 2024-08-27T12:29:04.000Z
diff --git a/cli/cliui/agent.go b/cli/cliui/agent.go
@@ -403,10 +403,10 @@ func ConnDiagnostics(w io.Writer, d ConnDiags) {
 	}
 
 	if d.ClientIPIsAWS {
-		_, _ = fmt.Fprint(w, "❗ Client IP address is within an AWS range, and is therefore behind a hard NAT\n")
+		_, _ = fmt.Fprint(w, "❗ Client IP address is within an AWS range, which is known to cause problems with forming direct connections (AWS uses hard NAT)\n")
 	}
 
 	if d.AgentIPIsAWS {
-		_, _ = fmt.Fprint(w, "❗ Agent IP address is within an AWS range, and is therefore behind a hard NAT\n")
+		_, _ = fmt.Fprint(w, "❗ Agent IP address is within an AWS range, which is known to cause problems with forming direct connections (AWS uses hard NAT)\n")
 	}
 }
diff --git a/cli/cliui/agent_test.go b/cli/cliui/agent_test.go
@@ -790,7 +790,7 @@ func TestConnDiagnostics(t *testing.T) {
 			},
 			want: []string{
 				`❗ You are connected via a DERP relay, not directly (p2p)`,
-				`❗ Client IP address is within an AWS range, and is therefore behind a hard NAT`,
+				`❗ Client IP address is within an AWS range, which is known to cause problems with forming direct connections (AWS uses hard NAT)`,
 			},
 		},
 		{
@@ -801,7 +801,7 @@ func TestConnDiagnostics(t *testing.T) {
 			},
 			want: []string{
 				`❗ You are connected via a DERP relay, not directly (p2p)`,
-				`❗ Agent IP address is within an AWS range, and is therefore behind a hard NAT`,
+				`❗ Agent IP address is within an AWS range, which is known to cause problems with forming direct connections (AWS uses hard NAT)`,
 			},
 		},
 	}
diff --git a/cli/cliutil/awscheck.go b/cli/cliutil/awscheck.go
@@ -11,33 +11,39 @@ import (
 	"golang.org/x/xerrors"
 )
 
-const awsIPRangesURL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
+const AWSIPRangesURL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
 
-type AWSIPv4Prefix struct {
+type awsIPv4Prefix struct {
 	Prefix             string `json:"ip_prefix"`
 	Region             string `json:"region"`
 	Service            string `json:"service"`
 	NetworkBorderGroup string `json:"network_border_group"`
 }
 
-type AWSIPv6Prefix struct {
-	Prefix  string `json:"ipv6_prefix"`
-	Region  string `json:"region"`
-	Service string `json:"service"`
+type awsIPv6Prefix struct {
+	Prefix             string `json:"ipv6_prefix"`
+	Region             string `json:"region"`
+	Service            string `json:"service"`
+	NetworkBorderGroup string `json:"network_border_group"`
 }
 
 type AWSIPRanges struct {
+	V4 []netip.Prefix
+	V6 []netip.Prefix
+}
+
+type awsIPRangesResponse struct {
 	SyncToken    string          `json:"syncToken"`
 	CreateDate   string          `json:"createDate"`
-	IPV4Prefixes []AWSIPv4Prefix `json:"prefixes"`
-	IPV6Prefixes []AWSIPv6Prefix `json:"ipv6_prefixes"`
+	IPV4Prefixes []awsIPv4Prefix `json:"prefixes"`
+	IPV6Prefixes []awsIPv6Prefix `json:"ipv6_prefixes"`
 }
 
-func NewAWSIPRanges(ctx context.Context) (*AWSIPRanges, error) {
+func FetchAWSIPRanges(ctx context.Context, url string) (*AWSIPRanges, error) {
 	client := &http.Client{}
 	reqCtx, reqCancel := context.WithTimeout(ctx, 5*time.Second)
 	defer reqCancel()
-	req, _ := http.NewRequestWithContext(reqCtx, http.MethodGet, awsIPRangesURL, nil)
+	req, _ := http.NewRequestWithContext(reqCtx, http.MethodGet, url, nil)
 	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
@@ -49,40 +55,54 @@ func NewAWSIPRanges(ctx context.Context) (*AWSIPRanges, error) {
 		return nil, xerrors.Errorf("unexpected status code %d: %s", resp.StatusCode, b)
 	}
 
-	var out AWSIPRanges
-	err = json.NewDecoder(resp.Body).Decode(&out)
+	var body awsIPRangesResponse
+	err = json.NewDecoder(resp.Body).Decode(&body)
 	if err != nil {
 		return nil, xerrors.Errorf("json decode: %w", err)
 	}
-	return &out, nil
+
+	out := &AWSIPRanges{
+		V4: make([]netip.Prefix, 0, len(body.IPV4Prefixes)),
+		V6: make([]netip.Prefix, 0, len(body.IPV6Prefixes)),
+	}
+
+	for _, p := range body.IPV4Prefixes {
+		prefix, err := netip.ParsePrefix(p.Prefix)
+		if err != nil {
+			return nil, xerrors.Errorf("parse ip prefix: %w", err)
+		}
+		out.V4 = append(out.V4, prefix)
+	}
+
+	for _, p := range body.IPV6Prefixes {
+		prefix, err := netip.ParsePrefix(p.Prefix)
+		if err != nil {
+			return nil, xerrors.Errorf("parse ip prefix: %w", err)
+		}
+		out.V6 = append(out.V6, prefix)
+	}
+
+	return out, nil
 }
 
 // CheckIP checks if the given IP address is an AWS IP.
-func (r *AWSIPRanges) CheckIP(ip netip.Addr) (bool, error) {
+func (r *AWSIPRanges) CheckIP(ip netip.Addr) bool {
 	if ip.IsLoopback() || ip.IsLinkLocalMulticast() || ip.IsLinkLocalUnicast() || ip.IsPrivate() {
-		return false, nil
+		return false
 	}
 
 	if ip.Is4() {
-		for _, p := range r.IPV4Prefixes {
-			prefix, err := netip.ParsePrefix(p.Prefix)
-			if err != nil {
-				return false, xerrors.Errorf("parse ip prefix: %w", err)
-			}
-			if prefix.Contains(ip) {
-				return true, nil
+		for _, p := range r.V4 {
+			if p.Contains(ip) {
+				return true
 			}
 		}
 	} else {
-		for _, p := range r.IPV6Prefixes {
-			prefix, err := netip.ParsePrefix(p.Prefix)
-			if err != nil {
-				return false, xerrors.Errorf("parse ip prefix: %w", err)
-			}
-			if prefix.Contains(ip) {
-				return true, nil
+		for _, p := range r.V6 {
+			if p.Contains(ip) {
+				return true
 			}
 		}
 	}
-	return false, nil
+	return false
 }
diff --git a/cli/cliutil/awscheck_internal_test.go b/cli/cliutil/awscheck_internal_test.go
@@ -1,72 +1,95 @@
-package cliutil_test
+package cliutil
 
 import (
+	"context"
+	"net/http"
+	"net/http/httptest"
 	"net/netip"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/coder/coder/v2/cli/cliutil"
+	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/testutil"
 )
 
 func TestIPV4Check(t *testing.T) {
 	t.Parallel()
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		httpapi.Write(context.Background(), w, http.StatusOK, awsIPRangesResponse{
+			IPV4Prefixes: []awsIPv4Prefix{
+				{
+					Prefix: "3.24.0.0/14",
+				},
+				{
+					Prefix: "15.230.15.29/32",
+				},
+				{
+					Prefix: "47.128.82.100/31",
+				},
+			},
+			IPV6Prefixes: []awsIPv6Prefix{
+				{
+					Prefix: "2600:9000:5206::/48",
+				},
+				{
+					Prefix: "2406:da70:8800::/40",
+				},
+				{
+					Prefix: "2600:1f68:5000::/40",
+				},
+			},
+		})
+	}))
 	ctx := testutil.Context(t, testutil.WaitShort)
-	ranges, err := cliutil.NewAWSIPRanges(ctx)
+	ranges, err := FetchAWSIPRanges(ctx, srv.URL)
 	require.NoError(t, err)
 
 	t.Run("Private/IPV4", func(t *testing.T) {
 		t.Parallel()
 		ip, err := netip.ParseAddr("192.168.0.1")
 		require.NoError(t, err)
-		isAws, err := ranges.CheckIP(ip)
-		require.NoError(t, err)
+		isAws := ranges.CheckIP(ip)
 		require.False(t, isAws)
 	})
 
 	t.Run("AWS/IPV4", func(t *testing.T) {
 		t.Parallel()
 		ip, err := netip.ParseAddr("3.25.61.113")
 		require.NoError(t, err)
-		isAws, err := ranges.CheckIP(ip)
-		require.NoError(t, err)
+		isAws := ranges.CheckIP(ip)
 		require.True(t, isAws)
 	})
 
 	t.Run("NonAWS/IPV4", func(t *testing.T) {
 		t.Parallel()
 		ip, err := netip.ParseAddr("159.196.123.40")
 		require.NoError(t, err)
-		isAws, err := ranges.CheckIP(ip)
-		require.NoError(t, err)
+		isAws := ranges.CheckIP(ip)
 		require.False(t, isAws)
 	})
 
 	t.Run("Private/IPV6", func(t *testing.T) {
 		t.Parallel()
 		ip, err := netip.ParseAddr("::1")
 		require.NoError(t, err)
-		isAws, err := ranges.CheckIP(ip)
-		require.NoError(t, err)
+		isAws := ranges.CheckIP(ip)
 		require.False(t, isAws)
 	})
 
 	t.Run("AWS/IPV6", func(t *testing.T) {
 		t.Parallel()
 		ip, err := netip.ParseAddr("2600:9000:5206:0001:0000:0000:0000:0001")
 		require.NoError(t, err)
-		isAws, err := ranges.CheckIP(ip)
-		require.NoError(t, err)
+		isAws := ranges.CheckIP(ip)
 		require.True(t, isAws)
 	})
 
 	t.Run("NonAWS/IPV6", func(t *testing.T) {
 		t.Parallel()
 		ip, err := netip.ParseAddr("2403:5807:885f:0:a544:49d4:58f8:aedf")
 		require.NoError(t, err)
-		isAws, err := ranges.CheckIP(ip)
-		require.NoError(t, err)
+		isAws := ranges.CheckIP(ip)
 		require.False(t, isAws)
 	})
 }
diff --git a/cli/ping.go b/cli/ping.go
@@ -160,16 +160,12 @@ func (r *RootCmd) ping() *serpent.Command {
 				LocalNetInfo:  ni,
 			}
 
-			awsRanges, err := cliutil.NewAWSIPRanges(ctx)
+			awsRanges, err := cliutil.FetchAWSIPRanges(ctx, cliutil.AWSIPRangesURL)
 			if err != nil {
 				_, _ = fmt.Fprintf(inv.Stdout, "Failed to retrieve AWS IP ranges: %v\n", err)
 			}
 
-			clientIPIsAWS, err := isAWSIP(awsRanges, ni)
-			if err != nil {
-				_, _ = fmt.Fprintf(inv.Stdout, "Failed to determine if client IP is AWS: %v\n", err)
-			}
-			connDiags.ClientIPIsAWS = clientIPIsAWS
+			connDiags.ClientIPIsAWS = isAWSIP(awsRanges, ni)
 
 			connInfo, err := client.AgentConnectionInfoGeneric(ctx)
 			if err == nil {
@@ -187,11 +183,7 @@ func (r *RootCmd) ping() *serpent.Command {
 			agentNetcheck, err := conn.Netcheck(ctx)
 			if err == nil {
 				connDiags.AgentNetcheck = &agentNetcheck
-				agentIPIsAws, err := isAWSIP(awsRanges, agentNetcheck.NetInfo)
-				if err != nil {
-					_, _ = fmt.Fprintf(inv.Stdout, "Failed to determine if agent IP is AWS: %v\n", err)
-				}
-				connDiags.AgentIPIsAWS = agentIPIsAws
+				connDiags.AgentIPIsAWS = isAWSIP(awsRanges, agentNetcheck.NetInfo)
 			} else {
 				var sdkErr *codersdk.Error
 				if errors.As(err, &sdkErr) && sdkErr.StatusCode() == http.StatusNotFound {
@@ -231,23 +223,11 @@ func (r *RootCmd) ping() *serpent.Command {
 	return cmd
 }
 
-func isAWSIP(awsRanges *cliutil.AWSIPRanges, ni *tailcfg.NetInfo) (bool, error) {
-	var strIP string
-	if ni.GlobalV4 != "" {
-		strIP = ni.GlobalV4
-	} else if ni.GlobalV6 != "" {
-		strIP = ni.GlobalV6
-	} else {
-		return false, xerrors.Errorf("no public IP address found")
+func isAWSIP(awsRanges *cliutil.AWSIPRanges, ni *tailcfg.NetInfo) bool {
+	checkIP := func(ipStr string) bool {
+		ip, err := netip.ParseAddr(ipStr)
+		return err == nil && awsRanges.CheckIP(ip)
 	}
 
-	ip, err := netip.ParseAddr(strIP)
-	if err != nil {
-		return false, err
-	}
-	isAWS, err := awsRanges.CheckIP(ip)
-	if err != nil {
-		return false, err
-	}
-	return isAWS, nil
+	return checkIP(ni.GlobalV4) || checkIP(ni.GlobalV6)
 }

Original file line number	Diff line number	Diff line change
`@@ -403,10 +403,10 @@ func ConnDiagnostics(w io.Writer, d ConnDiags) {`
`403`	`403`	`}`
`404`	`404`
`405`	`405`	`if d.ClientIPIsAWS {`
`406`		`- _, _ = fmt.Fprint(w, "❗ Client IP address is within an AWS range, and is therefore behind a hard NAT\n")`
	`406`	`+ _, _ = fmt.Fprint(w, "❗ Client IP address is within an AWS range, which is known to cause problems with forming direct connections (AWS uses hard NAT)\n")`
`407`	`407`	`}`
`408`	`408`
`409`	`409`	`if d.AgentIPIsAWS {`
`410`		`- _, _ = fmt.Fprint(w, "❗ Agent IP address is within an AWS range, and is therefore behind a hard NAT\n")`
	`410`	`+ _, _ = fmt.Fprint(w, "❗ Agent IP address is within an AWS range, which is known to cause problems with forming direct connections (AWS uses hard NAT)\n")`
`411`	`411`	`}`
`412`	`412`	`}`