Update sql

kylecarbs · kylecarbs · commit d7cc0ff9bb72 · 2022-10-14T22:36:51.000Z
diff --git a/cli/server.go b/cli/server.go
@@ -165,9 +165,10 @@ func Server(dflags *codersdk.DeploymentFlags, newAPI func(context.Context, *code
 			}
 			defer listener.Close()
 
+			var tlsConfig *tls.Config
 			if dflags.TLSEnable.Value {
-				listener, err = configureServerTLS(
-					listener, dflags.TLSMinVersion.Value,
+				tlsConfig, err = configureTLS(
+					dflags.TLSMinVersion.Value,
 					dflags.TLSClientAuth.Value,
 					dflags.TLSCertFiles.Value,
 					dflags.TLSKeyFiles.Value,
@@ -176,6 +177,7 @@ func Server(dflags *codersdk.DeploymentFlags, newAPI func(context.Context, *code
 				if err != nil {
 					return xerrors.Errorf("configure tls: %w", err)
 				}
+				listener = tls.NewListener(listener, tlsConfig)
 			}
 
 			tcpAddr, valid := listener.Addr().(*net.TCPAddr)
@@ -888,7 +890,7 @@ func loadCertificates(tlsCertFiles, tlsKeyFiles []string) ([]tls.Certificate, er
 	return certs, nil
 }
 
-func configureServerTLS(listener net.Listener, tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles []string, tlsClientCAFile string) (net.Listener, error) {
+func configureTLS(tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles []string, tlsClientCAFile string) (*tls.Config, error) {
 	tlsConfig := &tls.Config{
 		MinVersion: tls.VersionTLS12,
 	}
@@ -958,7 +960,7 @@ func configureServerTLS(listener net.Listener, tlsMinVersion, tlsClientAuth stri
 		tlsConfig.ClientCAs = caPool
 	}
 
-	return tls.NewListener(listener, tlsConfig), nil
+	return tlsConfig, nil
 }
 
 func configureGithubOAuth2(accessURL *url.URL, clientID, clientSecret string, allowSignups bool, allowOrgs []string, rawTeams []string, enterpriseBaseURL string) (*coderd.GithubOAuth2Config, error) {
diff --git a/coderd/database/migrations/000061_replicas.down.sql b/coderd/database/migrations/000061_replicas.down.sql
diff --git a/coderd/database/migrations/000061_replicas.up.sql b/coderd/database/migrations/000061_replicas.up.sql
diff --git a/codersdk/features.go b/codersdk/features.go
@@ -44,6 +44,7 @@ type Feature struct {
 type Entitlements struct {
 	Features     map[string]Feature `json:"features"`
 	Warnings     []string           `json:"warnings"`
+	Errors       []string           `json:"errors"`
 	HasLicense   bool               `json:"has_license"`
 	Experimental bool               `json:"experimental"`
 	Trial        bool               `json:"trial"`
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -137,7 +137,7 @@ func New(ctx context.Context, options *Options) (*API, error) {
 	if err != nil {
 		return nil, xerrors.Errorf("initialize replica: %w", err)
 	}
-	api.derpMesh = derpmesh.New(options.Logger.Named("derpmesh"), api.DERPServer)
+	api.derpMesh = derpmesh.New(options.Logger.Named("derpmesh"), api.DERPServer, nil)
 
 	err = api.updateEntitlements(ctx)
 	if err != nil {
diff --git a/enterprise/coderd/license/license.go b/enterprise/coderd/license/license.go
@@ -30,6 +30,7 @@ func Entitlements(
 	entitlements := codersdk.Entitlements{
 		Features: map[string]codersdk.Feature{},
 		Warnings: []string{},
+		Errors:   []string{},
 	}
 	for _, featureName := range codersdk.FeatureNames {
 		entitlements.Features[featureName] = codersdk.Feature{
@@ -172,15 +173,15 @@ func Entitlements(
 		switch feature.Entitlement {
 		case codersdk.EntitlementNotEntitled:
 			if entitlements.HasLicense {
-				entitlements.Warnings = append(entitlements.Warnings,
-					"You have multiple replicas but your license is not entitled to high availability.")
+				entitlements.Errors = append(entitlements.Warnings,
+					"You have multiple replicas but your license is not entitled to high availability. You will be unable to connect to workspaces.")
 			} else {
-				entitlements.Warnings = append(entitlements.Warnings,
-					"You have multiple replicas but high availability is an Enterprise feature.")
+				entitlements.Errors = append(entitlements.Warnings,
+					"You have multiple replicas but high availability is an Enterprise feature. You will be unable to connect to workspaces.")
 			}
 		case codersdk.EntitlementGracePeriod:
 			entitlements.Warnings = append(entitlements.Warnings,
-				"You have multiple replicas but your license for high availability is expired.")
+				"You have multiple replicas but your license for high availability is expired. Reduce to one replica or workspace connections will stop working.")
 		}
 	}
 
diff --git a/enterprise/coderd/license/license_test.go b/enterprise/coderd/license/license_test.go
@@ -227,8 +227,8 @@ func TestEntitlements(t *testing.T) {
 		entitlements, err := license.Entitlements(context.Background(), db, slog.Logger{}, 2, coderdenttest.Keys, all)
 		require.NoError(t, err)
 		require.False(t, entitlements.HasLicense)
-		require.Len(t, entitlements.Warnings, 1)
-		require.Equal(t, "You have multiple replicas but high availability is an Enterprise feature.", entitlements.Warnings[0])
+		require.Len(t, entitlements.Errors, 1)
+		require.Equal(t, "You have multiple replicas but high availability is an Enterprise feature. You will be unable to connect to workspaces.", entitlements.Errors[0])
 	})
 
 	t.Run("MultipleReplicasNotEntitled", func(t *testing.T) {
@@ -245,8 +245,8 @@ func TestEntitlements(t *testing.T) {
 		})
 		require.NoError(t, err)
 		require.True(t, entitlements.HasLicense)
-		require.Len(t, entitlements.Warnings, 1)
-		require.Equal(t, "You have multiple replicas but your license is not entitled to high availability.", entitlements.Warnings[0])
+		require.Len(t, entitlements.Errors, 1)
+		require.Equal(t, "You have multiple replicas but your license is not entitled to high availability. You will be unable to connect to workspaces.", entitlements.Errors[0])
 	})
 
 	t.Run("MultipleReplicasGrace", func(t *testing.T) {
@@ -266,6 +266,6 @@ func TestEntitlements(t *testing.T) {
 		require.NoError(t, err)
 		require.True(t, entitlements.HasLicense)
 		require.Len(t, entitlements.Warnings, 1)
-		require.Equal(t, "You have multiple replicas but your license for high availability is expired.", entitlements.Warnings[0])
+		require.Equal(t, "You have multiple replicas but your license for high availability is expired. Reduce to one replica or workspace connections will stop working.", entitlements.Warnings[0])
 	})
 }
diff --git a/enterprise/derpmesh/derpmesh.go b/enterprise/derpmesh/derpmesh.go
@@ -2,6 +2,7 @@ package derpmesh
 
 import (
 	"context"
+	"crypto/tls"
 	"net"
 	"net/url"
 	"sync"
@@ -17,20 +18,22 @@ import (
 )
 
 // New constructs a new mesh for DERP servers.
-func New(logger slog.Logger, server *derp.Server) *Mesh {
+func New(logger slog.Logger, server *derp.Server, tlsConfig *tls.Config) *Mesh {
 	return &Mesh{
-		logger: logger,
-		server: server,
-		ctx:    context.Background(),
-		closed: make(chan struct{}),
-		active: make(map[string]context.CancelFunc),
+		logger:    logger,
+		server:    server,
+		tlsConfig: tlsConfig,
+		ctx:       context.Background(),
+		closed:    make(chan struct{}),
+		active:    make(map[string]context.CancelFunc),
 	}
 }
 
 type Mesh struct {
-	logger slog.Logger
-	server *derp.Server
-	ctx    context.Context
+	logger    slog.Logger
+	server    *derp.Server
+	ctx       context.Context
+	tlsConfig *tls.Config
 
 	mutex  sync.Mutex
 	closed chan struct{}
@@ -93,6 +96,7 @@ func (m *Mesh) addAddress(address string) (bool, error) {
 	if err != nil {
 		return false, xerrors.Errorf("create derp client: %w", err)
 	}
+	client.TLSConfig = m.tlsConfig
 	client.MeshKey = m.server.MeshKey()
 	client.SetURLDialer(func(ctx context.Context, network, addr string) (net.Conn, error) {
 		var dialer net.Dialer
diff --git a/enterprise/derpmesh/derpmesh_test.go b/enterprise/derpmesh/derpmesh_test.go
@@ -1,11 +1,22 @@
 package derpmesh_test
 
 import (
+	"bytes"
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
 	"errors"
 	"io"
+	"math/big"
+	"net"
 	"net/http/httptest"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -29,12 +40,41 @@ func TestDERPMesh(t *testing.T) {
 	t.Run("ExchangeMessages", func(t *testing.T) {
 		// This tests messages passing through multiple DERP servers.
 		t.Parallel()
-		firstServer, firstServerURL := startDERP(t)
+		firstServer, firstServerURL, firstTLSName := startDERP(t)
 		defer firstServer.Close()
-		secondServer, secondServerURL := startDERP(t)
-		firstMesh := derpmesh.New(slogtest.Make(t, nil).Named("first").Leveled(slog.LevelDebug), firstServer)
+		secondServer, secondServerURL, secondTLSName := startDERP(t)
+		firstMesh := derpmesh.New(slogtest.Make(t, nil).Named("first").Leveled(slog.LevelDebug), firstServer, firstTLSName)
 		firstMesh.SetAddresses([]string{secondServerURL})
-		secondMesh := derpmesh.New(slogtest.Make(t, nil).Named("second").Leveled(slog.LevelDebug), secondServer)
+		secondMesh := derpmesh.New(slogtest.Make(t, nil).Named("second").Leveled(slog.LevelDebug), secondServer, secondTLSName)
+		secondMesh.SetAddresses([]string{firstServerURL})
+		defer firstMesh.Close()
+		defer secondMesh.Close()
+
+		first := key.NewNode()
+		second := key.NewNode()
+		firstClient, err := derphttp.NewClient(first, secondServerURL, tailnet.Logger(slogtest.Make(t, nil)))
+		require.NoError(t, err)
+		secondClient, err := derphttp.NewClient(second, firstServerURL, tailnet.Logger(slogtest.Make(t, nil)))
+		require.NoError(t, err)
+		err = secondClient.Connect(context.Background())
+		require.NoError(t, err)
+
+		sent := []byte("hello world")
+		err = firstClient.Send(second.Public(), sent)
+		require.NoError(t, err)
+
+		got := recvData(t, secondClient)
+		require.Equal(t, sent, got)
+	})
+	t.Run("ExchangeMessages", func(t *testing.T) {
+		// This tests messages passing through multiple DERP servers.
+		t.Parallel()
+		firstServer, firstServerURL, firstTLSName := startDERP(t)
+		defer firstServer.Close()
+		secondServer, secondServerURL, secondTLSName := startDERP(t)
+		firstMesh := derpmesh.New(slogtest.Make(t, nil).Named("first").Leveled(slog.LevelDebug), firstServer, firstTLSName)
+		firstMesh.SetAddresses([]string{secondServerURL})
+		secondMesh := derpmesh.New(slogtest.Make(t, nil).Named("second").Leveled(slog.LevelDebug), secondServer, secondTLSName)
 		secondMesh.SetAddresses([]string{firstServerURL})
 		defer firstMesh.Close()
 		defer secondMesh.Close()
@@ -58,8 +98,8 @@ func TestDERPMesh(t *testing.T) {
 	t.Run("RemoveAddress", func(t *testing.T) {
 		// This tests messages passing through multiple DERP servers.
 		t.Parallel()
-		server, serverURL := startDERP(t)
-		mesh := derpmesh.New(slogtest.Make(t, nil).Named("first").Leveled(slog.LevelDebug), server)
+		server, serverURL, tlsName := startDERP(t)
+		mesh := derpmesh.New(slogtest.Make(t, nil).Named("first").Leveled(slog.LevelDebug), server, tlsName)
 		mesh.SetAddresses([]string{"http://fake.com"})
 		// This should trigger a removal...
 		mesh.SetAddresses([]string{})
@@ -84,8 +124,8 @@ func TestDERPMesh(t *testing.T) {
 		meshes := make([]*derpmesh.Mesh, 0, 20)
 		serverURLs := make([]string, 0, 20)
 		for i := 0; i < 20; i++ {
-			server, url := startDERP(t)
-			mesh := derpmesh.New(slogtest.Make(t, nil).Named("mesh").Leveled(slog.LevelDebug), server)
+			server, url, tlsName := startDERP(t)
+			mesh := derpmesh.New(slogtest.Make(t, nil).Named("mesh").Leveled(slog.LevelDebug), server, tlsName)
 			t.Cleanup(func() {
 				_ = server.Close()
 				_ = mesh.Close()
@@ -132,15 +172,54 @@ func recvData(t *testing.T, client *derphttp.Client) []byte {
 	}
 }
 
-func startDERP(t *testing.T) (*derp.Server, string) {
+func startDERP(t *testing.T) (*derp.Server, string, *tls.Config) {
 	logf := tailnet.Logger(slogtest.Make(t, nil))
 	d := derp.NewServer(key.NewNode(), logf)
 	d.SetMeshKey("some-key")
 	server := httptest.NewUnstartedServer(derphttp.Handler(d))
+	commonName := "something.org"
+	server.TLS = &tls.Config{
+		Certificates: []tls.Certificate{generateTLSCertificate(t, commonName)},
+	}
 	server.Start()
 	t.Cleanup(func() {
 		_ = d.Close()
 	})
 	t.Cleanup(server.Close)
-	return d, server.URL
+	return d, server.URL, server.TLS
+}
+
+func generateTLSCertificate(t testing.TB, commonName string) tls.Certificate {
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"Acme Co"},
+			CommonName:   commonName,
+		},
+		DNSNames:  []string{commonName},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour * 24 * 180),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
+	require.NoError(t, err)
+	var certFile bytes.Buffer
+	require.NoError(t, err)
+	_, err = certFile.Write(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}))
+	require.NoError(t, err)
+	privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	require.NoError(t, err)
+	var keyFile bytes.Buffer
+	err = pem.Encode(&keyFile, &pem.Block{Type: "PRIVATE KEY", Bytes: privateKeyBytes})
+	require.NoError(t, err)
+	cert, err := tls.X509KeyPair(certFile.Bytes(), keyFile.Bytes())
+	require.NoError(t, err)
+	return cert
 }
diff --git a/go.mod b/go.mod
@@ -40,7 +40,7 @@ replace github.com/tcnksm/go-httpstat => github.com/kylecarbs/go-httpstat v0.0.0
 
 // There are a few minor changes we make to Tailscale that we're slowly upstreaming. Compare here:
 // https://github.com/tailscale/tailscale/compare/main...coder:tailscale:main
-replace tailscale.com => github.com/coder/tailscale v1.1.1-0.20220926024748-50f068456c6c
+replace tailscale.com => github.com/coder/tailscale v1.1.1-0.20221014173742-9f1da7795630
 
 // Switch to our fork that imports fixes from http://github.com/tailscale/ssh.
 // See: https://github.com/coder/coder/issues/3371
diff --git a/go.sum b/go.sum
@@ -351,8 +351,8 @@ github.com/coder/retry v1.3.0 h1:5lAAwt/2Cm6lVmnfBY7sOMXcBOwcwJhmV5QGSELIVWY=
 github.com/coder/retry v1.3.0/go.mod h1:tXuRgZgWjUnU5LZPT4lJh4ew2elUhexhlnXzrJWdyFY=
 github.com/coder/ssh v0.0.0-20220811105153-fcea99919338 h1:tN5GKFT68YLVzJoA8AHuiMNJ0qlhoD3pGN3JY9gxSko=
 github.com/coder/ssh v0.0.0-20220811105153-fcea99919338/go.mod h1:ZSS+CUoKHDrqVakTfTWUlKSr9MtMFkC4UvtQKD7O914=
-github.com/coder/tailscale v1.1.1-0.20220926024748-50f068456c6c h1:xa6lr5Pj87Is26tgpzwBsEGKL7aVz7/fRGgY9QIbf3E=
-github.com/coder/tailscale v1.1.1-0.20220926024748-50f068456c6c/go.mod h1:5amxy08qijEa8bcTW2SeIy4MIqcmd7LMsuOxqOlj2Ak=
+github.com/coder/tailscale v1.1.1-0.20221014173742-9f1da7795630 h1:FgWWdu0fnFEpUNjW0vOaCuOxOZ/GQzn6oo7p5IMlSA0=
+github.com/coder/tailscale v1.1.1-0.20221014173742-9f1da7795630/go.mod h1:5amxy08qijEa8bcTW2SeIy4MIqcmd7LMsuOxqOlj2Ak=
 github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE=
 github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU=
 github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU=

Original file line number	Diff line number	Diff line change
`@@ -165,9 +165,10 @@ func Server(dflags codersdk.DeploymentFlags, newAPI func(context.Context, code`
`165`	`165`	`}`
`166`	`166`	`defer listener.Close()`
`167`	`167`
	`168`	`+ var tlsConfig *tls.Config`
`168`	`169`	`if dflags.TLSEnable.Value {`
`169`		`- listener, err = configureServerTLS(`
`170`		`- listener, dflags.TLSMinVersion.Value,`
	`170`	`+ tlsConfig, err = configureTLS(`
	`171`	`+ dflags.TLSMinVersion.Value,`
`171`	`172`	`dflags.TLSClientAuth.Value,`
`172`	`173`	`dflags.TLSCertFiles.Value,`
`173`	`174`	`dflags.TLSKeyFiles.Value,`
`@@ -176,6 +177,7 @@ func Server(dflags codersdk.DeploymentFlags, newAPI func(context.Context, code`
`176`	`177`	`if err != nil {`
`177`	`178`	`return xerrors.Errorf("configure tls: %w", err)`
`178`	`179`	`}`
	`180`	`+ listener = tls.NewListener(listener, tlsConfig)`
`179`	`181`	`}`
`180`	`182`
`181`	`183`	`tcpAddr, valid := listener.Addr().(*net.TCPAddr)`
`@@ -888,7 +890,7 @@ func loadCertificates(tlsCertFiles, tlsKeyFiles []string) ([]tls.Certificate, er`
`888`	`890`	`return certs, nil`
`889`	`891`	`}`
`890`	`892`
`891`		`-func configureServerTLS(listener net.Listener, tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles []string, tlsClientCAFile string) (net.Listener, error) {`
	`893`	`+func configureTLS(tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles []string, tlsClientCAFile string) (*tls.Config, error) {`
`892`	`894`	`tlsConfig := &tls.Config{`
`893`	`895`	`MinVersion: tls.VersionTLS12,`
`894`	`896`	`}`
`@@ -958,7 +960,7 @@ func configureServerTLS(listener net.Listener, tlsMinVersion, tlsClientAuth stri`
`958`	`960`	`tlsConfig.ClientCAs = caPool`
`959`	`961`	`}`
`960`	`962`
`961`		`- return tls.NewListener(listener, tlsConfig), nil`
	`963`	`+ return tlsConfig, nil`
`962`	`964`	`}`
`963`	`965`
`964`	`966`	`func configureGithubOAuth2(accessURL url.URL, clientID, clientSecret string, allowSignups bool, allowOrgs []string, rawTeams []string, enterpriseBaseURL string) (coderd.GithubOAuth2Config, error) {`
Original file line number	Diff line number	Diff line change
`@@ -137,7 +137,7 @@ func New(ctx context.Context, options Options) (API, error) {`
`137`	`137`	`if err != nil {`
`138`	`138`	`return nil, xerrors.Errorf("initialize replica: %w", err)`
`139`	`139`	`}`
`140`		`- api.derpMesh = derpmesh.New(options.Logger.Named("derpmesh"), api.DERPServer)`
	`140`	`+ api.derpMesh = derpmesh.New(options.Logger.Named("derpmesh"), api.DERPServer, nil)`
`141`	`141`
`142`	`142`	`err = api.updateEntitlements(ctx)`
`143`	`143`	`if err != nil {`