feat(cli): add aws check to ping p2p diagnostics

ethanndickson · ethanndickson · commit ef7f40a5f85e · 2024-08-27T09:06:11.000Z
diff --git a/cli/cliui/agent.go b/cli/cliui/agent.go
@@ -357,6 +357,8 @@ type ConnDiags struct {
 	LocalNetInfo    *tailcfg.NetInfo
 	LocalInterfaces *healthsdk.InterfacesReport
 	AgentNetcheck   *healthsdk.AgentNetcheckReport
+	ClientIPIsAWS   bool
+	AgentIPIsAWS    bool
 	// TODO: More diagnostics
 }
 
@@ -375,7 +377,6 @@ func ConnDiagnostics(w io.Writer, d ConnDiags) {
 
 	if d.PingP2P {
 		_, _ = fmt.Fprint(w, "✔ You are connected directly (p2p)\n")
-		return
 	}
 	_, _ = fmt.Fprint(w, "❗ You are connected via a DERP relay, not directly (p2p)\n")
 
@@ -400,4 +401,12 @@ func ConnDiagnostics(w io.Writer, d ConnDiags) {
 	if d.AgentNetcheck != nil && d.AgentNetcheck.NetInfo != nil && d.AgentNetcheck.NetInfo.MappingVariesByDestIP.EqualBool(true) {
 		_, _ = fmt.Fprint(w, "❗ Agent is potentially behind a hard NAT, as multiple endpoints were retrieved from different STUN servers\n")
 	}
+
+	if d.ClientIPIsAWS {
+		_, _ = fmt.Fprint(w, "❗ Client IP address is within an AWS range, and is therefore behind a hard NAT\n")
+	}
+
+	if d.AgentIPIsAWS {
+		_, _ = fmt.Fprint(w, "❗ Agent IP address is within an AWS range, and is therefore behind a hard NAT\n")
+	}
 }
diff --git a/cli/cliui/agent_test.go b/cli/cliui/agent_test.go
@@ -782,6 +782,28 @@ func TestConnDiagnostics(t *testing.T) {
 				`✔ You are connected directly (p2p)`,
 			},
 		},
+		{
+			name: "ClientAWSIP",
+			diags: cliui.ConnDiags{
+				ClientIPIsAWS: true,
+				AgentIPIsAWS:  false,
+			},
+			want: []string{
+				`❗ You are connected via a DERP relay, not directly (p2p)`,
+				`❗ Client IP address is within an AWS range, and is therefore behind a hard NAT`,
+			},
+		},
+		{
+			name: "AgentAWSIP",
+			diags: cliui.ConnDiags{
+				ClientIPIsAWS: false,
+				AgentIPIsAWS:  true,
+			},
+			want: []string{
+				`❗ You are connected via a DERP relay, not directly (p2p)`,
+				`❗ Agent IP address is within an AWS range, and is therefore behind a hard NAT`,
+			},
+		},
 	}
 	for _, tc := range testCases {
 		tc := tc
diff --git a/cli/cliutil/awscheck.go b/cli/cliutil/awscheck.go
@@ -0,0 +1,88 @@
+package cliutil
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/netip"
+	"time"
+
+	"golang.org/x/xerrors"
+)
+
+const awsIPRangesURL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
+
+type AWSIPv4Prefix struct {
+	Prefix             string `json:"ip_prefix"`
+	Region             string `json:"region"`
+	Service            string `json:"service"`
+	NetworkBorderGroup string `json:"network_border_group"`
+}
+
+type AWSIPv6Prefix struct {
+	Prefix  string `json:"ipv6_prefix"`
+	Region  string `json:"region"`
+	Service string `json:"service"`
+}
+
+type AWSIPRanges struct {
+	SyncToken    string          `json:"syncToken"`
+	CreateDate   string          `json:"createDate"`
+	IPV4Prefixes []AWSIPv4Prefix `json:"prefixes"`
+	IPV6Prefixes []AWSIPv6Prefix `json:"ipv6_prefixes"`
+}
+
+func NewAWSIPRanges(ctx context.Context) (*AWSIPRanges, error) {
+	client := &http.Client{}
+	reqCtx, reqCancel := context.WithTimeout(ctx, 5*time.Second)
+	defer reqCancel()
+	req, _ := http.NewRequestWithContext(reqCtx, http.MethodGet, awsIPRangesURL, nil)
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		b, _ := io.ReadAll(resp.Body)
+		return nil, xerrors.Errorf("unexpected status code %d: %s", resp.StatusCode, b)
+	}
+
+	var out AWSIPRanges
+	err = json.NewDecoder(resp.Body).Decode(&out)
+	if err != nil {
+		return nil, xerrors.Errorf("json decode: %w", err)
+	}
+	return &out, nil
+}
+
+// CheckIP checks if the given IP address is an AWS IP.
+func (r *AWSIPRanges) CheckIP(ip netip.Addr) (bool, error) {
+	if ip.IsLoopback() || ip.IsLinkLocalMulticast() || ip.IsLinkLocalUnicast() || ip.IsPrivate() {
+		return false, nil
+	}
+
+	if ip.Is4() {
+		for _, p := range r.IPV4Prefixes {
+			prefix, err := netip.ParsePrefix(p.Prefix)
+			if err != nil {
+				return false, xerrors.Errorf("parse ip prefix: %w", err)
+			}
+			if prefix.Contains(ip) {
+				return true, nil
+			}
+		}
+	} else {
+		for _, p := range r.IPV6Prefixes {
+			prefix, err := netip.ParsePrefix(p.Prefix)
+			if err != nil {
+				return false, xerrors.Errorf("parse ip prefix: %w", err)
+			}
+			if prefix.Contains(ip) {
+				return true, nil
+			}
+		}
+	}
+	return false, nil
+}
diff --git a/cli/cliutil/awscheck_test.go b/cli/cliutil/awscheck_test.go
@@ -0,0 +1,72 @@
+package cliutil_test
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/cli/cliutil"
+	"github.com/coder/coder/v2/testutil"
+)
+
+func TestIPV4Check(t *testing.T) {
+	t.Parallel()
+	ctx := testutil.Context(t, testutil.WaitShort)
+	ranges, err := cliutil.NewAWSIPRanges(ctx)
+	require.NoError(t, err)
+
+	t.Run("Private/IPV4", func(t *testing.T) {
+		t.Parallel()
+		ip, err := netip.ParseAddr("192.168.0.1")
+		require.NoError(t, err)
+		isAws, err := ranges.CheckIP(ip)
+		require.NoError(t, err)
+		require.False(t, isAws)
+	})
+
+	t.Run("AWS/IPV4", func(t *testing.T) {
+		t.Parallel()
+		ip, err := netip.ParseAddr("3.25.61.113")
+		require.NoError(t, err)
+		isAws, err := ranges.CheckIP(ip)
+		require.NoError(t, err)
+		require.True(t, isAws)
+	})
+
+	t.Run("NonAWS/IPV4", func(t *testing.T) {
+		t.Parallel()
+		ip, err := netip.ParseAddr("159.196.123.40")
+		require.NoError(t, err)
+		isAws, err := ranges.CheckIP(ip)
+		require.NoError(t, err)
+		require.False(t, isAws)
+	})
+
+	t.Run("Private/IPV6", func(t *testing.T) {
+		t.Parallel()
+		ip, err := netip.ParseAddr("::1")
+		require.NoError(t, err)
+		isAws, err := ranges.CheckIP(ip)
+		require.NoError(t, err)
+		require.False(t, isAws)
+	})
+
+	t.Run("AWS/IPV6", func(t *testing.T) {
+		t.Parallel()
+		ip, err := netip.ParseAddr("2600:9000:5206:0001:0000:0000:0000:0001")
+		require.NoError(t, err)
+		isAws, err := ranges.CheckIP(ip)
+		require.NoError(t, err)
+		require.True(t, isAws)
+	})
+
+	t.Run("NonAWS/IPV6", func(t *testing.T) {
+		t.Parallel()
+		ip, err := netip.ParseAddr("2403:5807:885f:0:a544:49d4:58f8:aedf")
+		require.NoError(t, err)
+		isAws, err := ranges.CheckIP(ip)
+		require.NoError(t, err)
+		require.False(t, isAws)
+	})
+}
diff --git a/cli/ping.go b/cli/ping.go
@@ -5,16 +5,19 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/netip"
 	"time"
 
 	"golang.org/x/xerrors"
+	"tailscale.com/tailcfg"
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
 
 	"github.com/coder/pretty"
 
 	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/coder/v2/cli/cliutil"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/healthsdk"
 	"github.com/coder/coder/v2/codersdk/workspacesdk"
@@ -150,11 +153,24 @@ func (r *RootCmd) ping() *serpent.Command {
 			diags := conn.GetPeerDiagnostics()
 			cliui.PeerDiagnostics(inv.Stdout, diags)
 
+			ni := conn.GetNetInfo()
 			connDiags := cliui.ConnDiags{
 				PingP2P:       didP2p,
 				DisableDirect: r.disableDirect,
-				LocalNetInfo:  conn.GetNetInfo(),
+				LocalNetInfo:  ni,
 			}
+
+			awsRanges, err := cliutil.NewAWSIPRanges(ctx)
+			if err != nil {
+				_, _ = fmt.Fprintf(inv.Stdout, "Failed to retrieve AWS IP ranges: %v\n", err)
+			}
+
+			clientIPIsAWS, err := isAWSIP(awsRanges, ni)
+			if err != nil {
+				_, _ = fmt.Fprintf(inv.Stdout, "Failed to determine if client IP is AWS: %v\n", err)
+			}
+			connDiags.ClientIPIsAWS = clientIPIsAWS
+
 			connInfo, err := client.AgentConnectionInfoGeneric(ctx)
 			if err == nil {
 				connDiags.ConnInfo = &connInfo
@@ -167,9 +183,15 @@ func (r *RootCmd) ping() *serpent.Command {
 			} else {
 				_, _ = fmt.Fprintf(inv.Stdout, "Failed to retrieve local interfaces report: %v\n", err)
 			}
+
 			agentNetcheck, err := conn.Netcheck(ctx)
 			if err == nil {
 				connDiags.AgentNetcheck = &agentNetcheck
+				agentIPIsAws, err := isAWSIP(awsRanges, agentNetcheck.NetInfo)
+				if err != nil {
+					_, _ = fmt.Fprintf(inv.Stdout, "Failed to determine if agent IP is AWS: %v\n", err)
+				}
+				connDiags.AgentIPIsAWS = agentIPIsAws
 			} else {
 				var sdkErr *codersdk.Error
 				if errors.As(err, &sdkErr) && sdkErr.StatusCode() == http.StatusNotFound {
@@ -178,6 +200,7 @@ func (r *RootCmd) ping() *serpent.Command {
 					_, _ = fmt.Fprintf(inv.Stdout, "Failed to retrieve connection report from agent: %v\n", err)
 				}
 			}
+
 			cliui.ConnDiagnostics(inv.Stdout, connDiags)
 			return nil
 		},
@@ -207,3 +230,24 @@ func (r *RootCmd) ping() *serpent.Command {
 	}
 	return cmd
 }
+
+func isAWSIP(awsRanges *cliutil.AWSIPRanges, ni *tailcfg.NetInfo) (bool, error) {
+	var strIP string
+	if ni.GlobalV4 != "" {
+		strIP = ni.GlobalV4
+	} else if ni.GlobalV6 != "" {
+		strIP = ni.GlobalV6
+	} else {
+		return false, xerrors.Errorf("no public IP address found")
+	}
+
+	ip, err := netip.ParseAddr(strIP)
+	if err != nil {
+		return false, err
+	}
+	isAWS, err := awsRanges.CheckIP(ip)
+	if err != nil {
+		return false, err
+	}
+	return isAWS, nil
+}
