fix: Replace access URL for built-in DERP servers

kylecarbs · kylecarbs · commit 62efacdedc08 · 2022-09-25T17:52:08.000Z
Fixes #4195.
diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -481,19 +481,6 @@ func TestAgent(t *testing.T) {
 		}
 	})
 
-	t.Run("Tailnet", func(t *testing.T) {
-		t.Parallel()
-		derpMap := tailnettest.RunDERPAndSTUN(t)
-		conn, _ := setupAgent(t, codersdk.WorkspaceAgentMetadata{
-			DERPMap: derpMap,
-		}, 0)
-		defer conn.Close()
-		require.Eventually(t, func() bool {
-			_, err := conn.Ping()
-			return err == nil
-		}, testutil.WaitLong, testutil.IntervalFast)
-	})
-
 	t.Run("Speedtest", func(t *testing.T) {
 		t.Parallel()
 		if testing.Short() {
diff --git a/cli/server.go b/cli/server.go
@@ -327,18 +327,21 @@ func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error))
 				validatedAutoImportTemplates[i] = v
 			}
 
-			defaultRegion := &tailcfg.DERPRegion{
-				RegionID:   derpServerRegionID,
-				RegionCode: derpServerRegionCode,
-				RegionName: derpServerRegionName,
-				Nodes: []*tailcfg.DERPNode{{
-					Name:      fmt.Sprintf("%db", derpServerRegionID),
-					RegionID:  derpServerRegionID,
-					HostName:  accessURLParsed.Hostname(),
-					DERPPort:  accessURLPort,
-					STUNPort:  -1,
-					ForceHTTP: accessURLParsed.Scheme == "http",
-				}},
+			defaultRegion := &tailnet.DERPRegion{
+				DERPRegion: &tailcfg.DERPRegion{
+					RegionID:   derpServerRegionID,
+					RegionCode: derpServerRegionCode,
+					RegionName: derpServerRegionName,
+					Nodes: []*tailcfg.DERPNode{{
+						Name:      fmt.Sprintf("%db", derpServerRegionID),
+						RegionID:  derpServerRegionID,
+						HostName:  accessURLParsed.Hostname(),
+						DERPPort:  accessURLPort,
+						STUNPort:  -1,
+						ForceHTTP: accessURLParsed.Scheme == "http",
+					}},
+				},
+				EmbeddedRelay: true,
 			}
 			if !derpServerEnabled {
 				defaultRegion = nil
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -20,7 +20,6 @@ import (
 	"google.golang.org/api/idtoken"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 
 	"cdr.dev/slog"
@@ -75,7 +74,7 @@ type Options struct {
 	AutoImportTemplates  []AutoImportTemplate
 
 	TailnetCoordinator *tailnet.Coordinator
-	DERPMap            *tailcfg.DERPMap
+	DERPMap            *tailnet.DERPMap
 
 	MetricsCacheRefreshInterval time.Duration
 	AgentStatsRefreshInterval   time.Duration
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -469,7 +469,7 @@ func convertApps(dbApps []database.WorkspaceApp) []codersdk.WorkspaceApp {
 	return apps
 }
 
-func convertWorkspaceAgent(derpMap *tailcfg.DERPMap, coordinator *tailnet.Coordinator, dbAgent database.WorkspaceAgent, apps []codersdk.WorkspaceApp, agentInactiveDisconnectTimeout time.Duration) (codersdk.WorkspaceAgent, error) {
+func convertWorkspaceAgent(derpMap *tailnet.DERPMap, coordinator *tailnet.Coordinator, dbAgent database.WorkspaceAgent, apps []codersdk.WorkspaceApp, agentInactiveDisconnectTimeout time.Duration) (codersdk.WorkspaceAgent, error) {
 	var envs map[string]string
 	if dbAgent.EnvironmentVariables.Valid {
 		err := json.Unmarshal(dbAgent.EnvironmentVariables.RawMessage, &envs)
@@ -506,9 +506,11 @@ func convertWorkspaceAgent(derpMap *tailcfg.DERPMap, coordinator *tailnet.Coordi
 				// It's possible that a workspace agent is using an old DERPMap
 				// and reports regions that do not exist. If that's the case,
 				// report the region as unknown!
-				region = &tailcfg.DERPRegion{
-					RegionID:   regionID,
-					RegionName: fmt.Sprintf("Unnamed %d", regionID),
+				region = &tailnet.DERPRegion{
+					DERPRegion: &tailcfg.DERPRegion{
+						RegionID:   regionID,
+						RegionName: fmt.Sprintf("Unnamed %d", regionID),
+					},
 				}
 			}
 			workspaceAgent.DERPLatency[region.RegionName] = codersdk.DERPRegion{
diff --git a/codersdk/workspaceagents.go b/codersdk/workspaceagents.go
@@ -10,14 +10,14 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"net/netip"
+	"strconv"
 	"time"
 
 	"cloud.google.com/go/compute/metadata"
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 	"nhooyr.io/websocket"
 	"nhooyr.io/websocket/wsjson"
-	"tailscale.com/tailcfg"
 
 	"cdr.dev/slog"
 
@@ -53,7 +53,7 @@ type WorkspaceAgentAuthenticateResponse struct {
 // a connection with a workspace.
 // @typescript-ignore WorkspaceAgentConnectionInfo
 type WorkspaceAgentConnectionInfo struct {
-	DERPMap *tailcfg.DERPMap `json:"derp_map"`
+	DERPMap *tailnet.DERPMap `json:"derp_map"`
 }
 
 // @typescript-ignore PostWorkspaceAgentVersionRequest
@@ -63,7 +63,7 @@ type PostWorkspaceAgentVersionRequest struct {
 
 // @typescript-ignore WorkspaceAgentMetadata
 type WorkspaceAgentMetadata struct {
-	DERPMap              *tailcfg.DERPMap  `json:"derpmap"`
+	DERPMap              *tailnet.DERPMap  `json:"derpmap"`
 	EnvironmentVariables map[string]string `json:"environment_variables"`
 	StartupScript        string            `json:"startup_script"`
 	Directory            string            `json:"directory"`
@@ -208,7 +208,42 @@ func (c *Client) WorkspaceAgentMetadata(ctx context.Context) (WorkspaceAgentMeta
 		return WorkspaceAgentMetadata{}, readBodyAsError(res)
 	}
 	var agentMetadata WorkspaceAgentMetadata
-	return agentMetadata, json.NewDecoder(res.Body).Decode(&agentMetadata)
+	err = json.NewDecoder(res.Body).Decode(&agentMetadata)
+	if err != nil {
+		return WorkspaceAgentMetadata{}, err
+	}
+	accessingPort := c.URL.Port()
+	if accessingPort == "" {
+		accessingPort = "80"
+		if c.URL.Scheme == "https" {
+			accessingPort = "443"
+		}
+	}
+	accessPort, err := strconv.Atoi(accessingPort)
+	if err != nil {
+		return WorkspaceAgentMetadata{}, xerrors.Errorf("convert accessing port %q: %w", accessingPort, err)
+	}
+	// Agents can provide an arbitrary access URL that may be different
+	// that the globally configured one. This breaks the built-in DERP,
+	// which would continue to reference the global access URL.
+	//
+	// This converts all built-in DERPs to use the access URL that the
+	// metadata request was performed with.
+	for _, region := range agentMetadata.DERPMap.Regions {
+		if !region.EmbeddedRelay {
+			continue
+		}
+
+		for _, node := range region.Nodes {
+			if node.STUNOnly {
+				continue
+			}
+			node.HostName = c.URL.Hostname()
+			node.DERPPort = accessPort
+			node.ForceHTTP = c.URL.Scheme == "http"
+		}
+	}
+	return agentMetadata, nil
 }
 
 func (c *Client) ListenWorkspaceAgentTailnet(ctx context.Context) (net.Conn, error) {
diff --git a/codersdk/workspaceagents_test.go b/codersdk/workspaceagents_test.go
@@ -0,0 +1,52 @@
+package codersdk_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"tailscale.com/tailcfg"
+
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/tailnet"
+)
+
+func TestWorkspaceAgentMetadata(t *testing.T) {
+	t.Parallel()
+	// This test ensures that the DERP map returned properly
+	// mutates built-in DERPs with the client access URL.
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		httpapi.Write(context.Background(), w, http.StatusOK, codersdk.WorkspaceAgentMetadata{
+			DERPMap: &tailnet.DERPMap{
+				Regions: map[int]*tailnet.DERPRegion{
+					1: {
+						EmbeddedRelay: true,
+						DERPRegion: &tailcfg.DERPRegion{
+							RegionID: 1,
+							Nodes: []*tailcfg.DERPNode{{
+								HostName: "bananas.org",
+								DERPPort: 1,
+							}},
+						},
+					},
+				},
+			},
+		})
+	}))
+	parsed, err := url.Parse(srv.URL)
+	require.NoError(t, err)
+	client := codersdk.New(parsed)
+	metadata, err := client.WorkspaceAgentMetadata(context.Background())
+	require.NoError(t, err)
+	region := metadata.DERPMap.Regions[1]
+	require.True(t, region.EmbeddedRelay)
+	require.Len(t, region.Nodes, 1)
+	node := region.Nodes[0]
+	require.Equal(t, parsed.Hostname(), node.HostName)
+	require.Equal(t, parsed.Port(), strconv.Itoa(node.DERPPort))
+}
diff --git a/tailnet/conn.go b/tailnet/conn.go
@@ -46,7 +46,7 @@ func init() {
 
 type Options struct {
 	Addresses []netip.Prefix
-	DERPMap   *tailcfg.DERPMap
+	DERPMap   *DERPMap
 
 	Logger slog.Logger
 }
@@ -161,7 +161,7 @@ func NewConn(options *Options) (*Conn, error) {
 		return nil, xerrors.Errorf("start netstack: %w", err)
 	}
 	wireguardEngine = wgengine.NewWatchdog(wireguardEngine)
-	wireguardEngine.SetDERPMap(options.DERPMap)
+	wireguardEngine.SetDERPMap(options.DERPMap.Convert())
 	netMapCopy := *netMap
 	wireguardEngine.SetNetworkMap(&netMapCopy)
 
@@ -279,12 +279,12 @@ func (c *Conn) SetNodeCallback(callback func(node *Node)) {
 }
 
 // SetDERPMap updates the DERPMap of a connection.
-func (c *Conn) SetDERPMap(derpMap *tailcfg.DERPMap) {
+func (c *Conn) SetDERPMap(derpMap *DERPMap) {
 	c.mutex.Lock()
 	defer c.mutex.Unlock()
-	c.netMap.DERPMap = derpMap
+	c.netMap.DERPMap = derpMap.Convert()
 	c.logger.Debug(context.Background(), "updating derp map", slog.F("derp_map", derpMap))
-	c.wireguardEngine.SetDERPMap(derpMap)
+	c.wireguardEngine.SetDERPMap(derpMap.Convert())
 }
 
 // UpdateNodes connects with a set of peers. This can be constantly updated,
diff --git a/tailnet/derpmap.go b/tailnet/derpmap.go
@@ -13,9 +13,31 @@ import (
 	"tailscale.com/tailcfg"
 )
 
+// DERPMap matches `*tailcfg.DERPMap` but with our region type.
+type DERPMap struct {
+	Regions map[int]*DERPRegion
+}
+
+func (d *DERPMap) Convert() *tailcfg.DERPMap {
+	n := &tailcfg.DERPMap{
+		Regions: map[int]*tailcfg.DERPRegion{},
+	}
+	for key, region := range d.Regions {
+		n.Regions[key] = region.DERPRegion
+	}
+	return n
+}
+
+// DERPRegion extends `*tailcfg.DERPRegion` to provide additional options.
+type DERPRegion struct {
+	*tailcfg.DERPRegion
+	// EmbeddedRelay specifies whether the region is built-in.
+	EmbeddedRelay bool
+}
+
 // NewDERPMap constructs a DERPMap from a set of STUN addresses and optionally a remote
 // URL to fetch a mapping from e.g. https://controlplane.tailscale.com/derpmap/default.
-func NewDERPMap(ctx context.Context, region *tailcfg.DERPRegion, stunAddrs []string, remoteURL, localPath string) (*tailcfg.DERPMap, error) {
+func NewDERPMap(ctx context.Context, region *DERPRegion, stunAddrs []string, remoteURL, localPath string) (*DERPMap, error) {
 	if remoteURL != "" && localPath != "" {
 		return nil, xerrors.New("a remote URL or local path must be specified, not both")
 	}
@@ -39,8 +61,8 @@ func NewDERPMap(ctx context.Context, region *tailcfg.DERPRegion, stunAddrs []str
 		}
 	}
 
-	derpMap := &tailcfg.DERPMap{
-		Regions: map[int]*tailcfg.DERPRegion{},
+	derpMap := &DERPMap{
+		Regions: map[int]*DERPRegion{},
 	}
 	if remoteURL != "" {
 		req, err := http.NewRequestWithContext(ctx, http.MethodGet, remoteURL, nil)
diff --git a/tailnet/derpmap_test.go b/tailnet/derpmap_test.go
@@ -19,9 +19,11 @@ func TestNewDERPMap(t *testing.T) {
 	t.Parallel()
 	t.Run("WithoutRemoteURL", func(t *testing.T) {
 		t.Parallel()
-		derpMap, err := tailnet.NewDERPMap(context.Background(), &tailcfg.DERPRegion{
-			RegionID: 1,
-			Nodes:    []*tailcfg.DERPNode{{}},
+		derpMap, err := tailnet.NewDERPMap(context.Background(), &tailnet.DERPRegion{
+			DERPRegion: &tailcfg.DERPRegion{
+				RegionID: 1,
+				Nodes:    []*tailcfg.DERPNode{{}},
+			},
 		}, []string{"stun.google.com:2345"}, "", "")
 		require.NoError(t, err)
 		require.Len(t, derpMap.Regions[1].Nodes, 2)
@@ -37,8 +39,10 @@ func TestNewDERPMap(t *testing.T) {
 			_, _ = w.Write(data)
 		}))
 		t.Cleanup(server.Close)
-		derpMap, err := tailnet.NewDERPMap(context.Background(), &tailcfg.DERPRegion{
-			RegionID: 2,
+		derpMap, err := tailnet.NewDERPMap(context.Background(), &tailnet.DERPRegion{
+			DERPRegion: &tailcfg.DERPRegion{
+				RegionID: 2,
+			},
 		}, []string{}, server.URL, "")
 		require.NoError(t, err)
 		require.Len(t, derpMap.Regions, 2)
@@ -54,8 +58,10 @@ func TestNewDERPMap(t *testing.T) {
 			_, _ = w.Write(data)
 		}))
 		t.Cleanup(server.Close)
-		_, err := tailnet.NewDERPMap(context.Background(), &tailcfg.DERPRegion{
-			RegionID: 1,
+		_, err := tailnet.NewDERPMap(context.Background(), &tailnet.DERPRegion{
+			DERPRegion: &tailcfg.DERPRegion{
+				RegionID: 1,
+			},
 		}, []string{}, server.URL, "")
 		require.Error(t, err)
 	})
@@ -70,8 +76,10 @@ func TestNewDERPMap(t *testing.T) {
 		require.NoError(t, err)
 		err = os.WriteFile(localPath, content, 0600)
 		require.NoError(t, err)
-		derpMap, err := tailnet.NewDERPMap(context.Background(), &tailcfg.DERPRegion{
-			RegionID: 2,
+		derpMap, err := tailnet.NewDERPMap(context.Background(), &tailnet.DERPRegion{
+			DERPRegion: &tailcfg.DERPRegion{
+				RegionID: 2,
+			},
 		}, []string{}, "", localPath)
 		require.NoError(t, err)
 		require.Len(t, derpMap.Regions, 2)
diff --git a/tailnet/tailnettest/tailnettest.go b/tailnet/tailnettest/tailnettest.go
