Fix conncache with interface

kylecarbs · kylecarbs · commit 7fe91a2a018a · 2022-07-09T20:16:55.000Z
diff --git a/agent/agent.go b/agent/agent.go
@@ -865,6 +865,9 @@ func (a *agent) Close() error {
 	}
 	close(a.closed)
 	a.closeCancel()
+	if a.network != nil {
+		_ = a.network.Close()
+	}
 	_ = a.sshServer.Close()
 	a.connCloseWait.Wait()
 	return nil
diff --git a/agent/conn.go b/agent/conn.go
@@ -7,14 +7,17 @@ import (
 	"io"
 	"net"
 	"net/url"
+	"strconv"
 	"strings"
 	"time"
 
 	"golang.org/x/crypto/ssh"
 	"golang.org/x/xerrors"
+	"inet.af/netaddr"
 
 	"github.com/coder/coder/peer"
 	"github.com/coder/coder/peerbroker/proto"
+	"github.com/coder/coder/tailnet"
 )
 
 // ReconnectingPTYRequest is sent from the client to the server
@@ -130,3 +133,53 @@ func (c *WebRTCConn) Close() error {
 	_ = c.Negotiator.DRPCConn().Close()
 	return c.Conn.Close()
 }
+
+type TailnetConn struct {
+	Target netaddr.IP
+	*tailnet.Server
+}
+
+func (c *TailnetConn) Closed() <-chan struct{} {
+	return nil
+}
+
+func (c *TailnetConn) Ping() (time.Duration, error) {
+	return 0, nil
+}
+
+func (c *TailnetConn) CloseWithError(err error) error {
+	return c.Close()
+}
+
+func (c *TailnetConn) ReconnectingPTY(id string, height, width uint16, command string) (net.Conn, error) {
+	return nil, xerrors.New("not implemented")
+}
+
+func (c *TailnetConn) SSH() (net.Conn, error) {
+	return c.DialContextTCP(context.Background(), netaddr.IPPortFrom(c.Target, 12212))
+}
+
+// SSHClient calls SSH to create a client that uses a weak cipher
+// for high throughput.
+func (c *TailnetConn) SSHClient() (*ssh.Client, error) {
+	netConn, err := c.SSH()
+	if err != nil {
+		return nil, xerrors.Errorf("ssh: %w", err)
+	}
+	sshConn, channels, requests, err := ssh.NewClientConn(netConn, "localhost:22", &ssh.ClientConfig{
+		// SSH host validation isn't helpful, because obtaining a peer
+		// connection already signifies user-intent to dial a workspace.
+		// #nosec
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("ssh conn: %w", err)
+	}
+	return ssh.NewClient(sshConn, channels, requests), nil
+}
+
+func (c *TailnetConn) DialContext(ctx context.Context, network string, addr string) (net.Conn, error) {
+	_, rawPort, _ := net.SplitHostPort(addr)
+	port, _ := strconv.Atoi(rawPort)
+	return c.Server.DialContextTCP(ctx, netaddr.IPPortFrom(c.Target, uint16(port)))
+}
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -181,11 +181,17 @@ func NewWithAPI(t *testing.T, options *Options) (*codersdk.Client, *coderd.API)
 					Nodes: []*tailcfg.DERPNode{{
 						Name:             "1a",
 						RegionID:         1,
-						HostName:         serverURL.Host,
+						IPv4:             "127.0.0.1",
 						DERPPort:         derpPort,
 						STUNPort:         -1,
 						InsecureForTests: true,
 						HTTPForTests:     true,
+					}, {
+						Name:     "1b",
+						RegionID: 1,
+						STUNOnly: true,
+						HostName: "stun.l.google.com",
+						STUNPort: 19302,
 					}},
 				},
 			},
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -15,11 +15,10 @@ import (
 	"github.com/google/uuid"
 	"github.com/hashicorp/yamux"
 	"github.com/tabbed/pqtype"
-	"go4.org/mem"
 	"golang.org/x/xerrors"
 	"inet.af/netaddr"
 	"nhooyr.io/websocket"
-	"tailscale.com/types/key"
+	"nhooyr.io/websocket/wsjson"
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/agent"
@@ -549,7 +548,6 @@ func (api *API) workspaceAgentNode(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 	defer conn.Close(websocket.StatusNormalClosure, "")
-	ctx, nc := websocketNetConn(r.Context(), conn, websocket.MessageBinary)
 	agentIDBytes, _ := workspaceAgent.ID.MarshalText()
 	subCancel, err := api.Pubsub.Subscribe("tailnet", func(ctx context.Context, message []byte) {
 		// Since we subscribe to all peer broadcasts, we do a light check to
@@ -560,25 +558,24 @@ func (api *API) workspaceAgentNode(rw http.ResponseWriter, r *http.Request) {
 			return
 		}
 		// We aren't the intended recipient.
-		if !bytes.Equal(message[:len(agentIDBytes)-1], agentIDBytes) {
+		if !bytes.Equal(message[:len(agentIDBytes)], agentIDBytes) {
 			return
 		}
-		_, _ = nc.Write(message)
+		_ = conn.Write(ctx, websocket.MessageText, message[len(agentIDBytes):])
 	})
 	if err != nil {
-		api.Logger.Error(ctx, "pubsub listen", slog.Error(err))
+		api.Logger.Error(context.Background(), "pubsub listen", slog.Error(err))
 		return
 	}
 	defer subCancel()
 
-	decoder := json.NewDecoder(nc)
 	for {
 		var node tailnet.Node
-		err = decoder.Decode(&node)
+		err = wsjson.Read(r.Context(), conn, &node)
 		if err != nil {
 			return
 		}
-		err := api.Database.UpdateWorkspaceAgentNetworkByID(ctx, database.UpdateWorkspaceAgentNetworkByIDParams{
+		err := api.Database.UpdateWorkspaceAgentNetworkByID(r.Context(), database.UpdateWorkspaceAgentNetworkByIDParams{
 			ID: workspaceAgent.ID,
 			NodePublicKey: sql.NullString{
 				String: node.Key.String(),
@@ -623,7 +620,8 @@ func (api *API) postWorkspaceAgentNode(rw http.ResponseWriter, r *http.Request)
 		})
 		return
 	}
-	data = append(workspaceAgent.ID[:], data...)
+	agentIDBytes, _ := workspaceAgent.ID.MarshalText()
+	data = append(agentIDBytes, data...)
 	err = api.Pubsub.Publish("tailnet", data)
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
@@ -696,15 +694,13 @@ func convertWorkspaceAgent(dbAgent database.WorkspaceAgent, apps []codersdk.Work
 	}
 
 	if dbAgent.NodePublicKey.Valid {
-		var err error
-		workspaceAgent.NodePublicKey, err = key.ParseNodePublicUntyped(mem.S(dbAgent.NodePublicKey.String))
+		err := workspaceAgent.NodePublicKey.UnmarshalText([]byte(dbAgent.NodePublicKey.String))
 		if err != nil {
 			return codersdk.WorkspaceAgent{}, xerrors.Errorf("parse node public key: %w", err)
 		}
 	}
 	if dbAgent.DiscoPublicKey.Valid {
-		var err error
-		err = workspaceAgent.DiscoPublicKey.UnmarshalText([]byte(dbAgent.DiscoPublicKey.String))
+		err := workspaceAgent.DiscoPublicKey.UnmarshalText([]byte(dbAgent.DiscoPublicKey.String))
 		if err != nil {
 			return codersdk.WorkspaceAgent{}, xerrors.Errorf("parse disco public key: %w", err)
 		}
diff --git a/coderd/workspaceagents_test.go b/coderd/workspaceagents_test.go
@@ -4,6 +4,7 @@ import (
 	"bufio"
 	"context"
 	"encoding/json"
+	"fmt"
 	"runtime"
 	"strings"
 	"testing"
@@ -253,6 +254,68 @@ func TestWorkspaceAgentTURN(t *testing.T) {
 	require.NoError(t, err)
 }
 
+func TestWorkspaceAgentTailnet(t *testing.T) {
+	t.Parallel()
+	client, coderAPI := coderdtest.NewWithAPI(t, nil)
+	user := coderdtest.CreateFirstUser(t, client)
+	daemonCloser := coderdtest.NewProvisionerDaemon(t, coderAPI)
+	authToken := uuid.NewString()
+	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+		Parse:           echo.ParseComplete,
+		ProvisionDryRun: echo.ProvisionComplete,
+		Provision: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{
+					Resources: []*proto.Resource{{
+						Name: "example",
+						Type: "aws_instance",
+						Agents: []*proto.Agent{{
+							Id: uuid.NewString(),
+							Auth: &proto.Agent_Token{
+								Token: authToken,
+							},
+						}},
+					}},
+				},
+			},
+		}},
+	})
+	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+	daemonCloser.Close()
+
+	agentClient := codersdk.New(client.URL)
+	agentClient.SessionToken = authToken
+	agentCloser := agent.New(agent.Options{
+		FetchMetadata: agentClient.WorkspaceAgentMetadata,
+		WebRTCDialer:  agentClient.ListenWorkspaceAgent,
+		EnableTailnet: true,
+		NodeDialer:    agentClient.WorkspaceAgentNodeBroker,
+		Logger:        slogtest.Make(t, nil).Named("agent").Leveled(slog.LevelDebug),
+	})
+	t.Cleanup(func() {
+		_ = agentCloser.Close()
+	})
+	resources := coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
+
+	time.Sleep(3 * time.Second)
+
+	conn, err := client.DialWorkspaceAgentTailnet(context.Background(), resources[0].Agents[0].ID, slogtest.Make(t, nil).Named("tailnet").Leveled(slog.LevelDebug))
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = conn.Close()
+	})
+	sshClient, err := conn.SSHClient()
+	require.NoError(t, err)
+	session, err := sshClient.NewSession()
+	require.NoError(t, err)
+	output, err := session.CombinedOutput("echo test")
+	require.NoError(t, err)
+	fmt.Printf("Output: %s\n", output)
+}
+
 func TestWorkspaceAgentPTY(t *testing.T) {
 	t.Parallel()
 	if runtime.GOOS == "windows" {
diff --git a/coderd/wsconncache/wsconncache.go b/coderd/wsconncache/wsconncache.go
@@ -32,11 +32,11 @@ func New(dialer Dialer, inactiveTimeout time.Duration) *Cache {
 }
 
 // Dialer creates a new agent connection by ID.
-type Dialer func(r *http.Request, id uuid.UUID) (*agent.Conn, error)
+type Dialer func(r *http.Request, id uuid.UUID) (agent.Conn, error)
 
 // Conn wraps an agent connection with a reusable HTTP transport.
 type Conn struct {
-	*agent.Conn
+	agent.Conn
 
 	locks         atomic.Uint64
 	timeoutMutex  sync.Mutex
diff --git a/codersdk/workspaceagents.go b/codersdk/workspaceagents.go
@@ -15,8 +15,10 @@ import (
 	"github.com/pion/webrtc/v3"
 	"golang.org/x/net/proxy"
 	"golang.org/x/xerrors"
+	"inet.af/netaddr"
 	"nhooyr.io/websocket"
 	"nhooyr.io/websocket/wsjson"
+	"tailscale.com/tailcfg"
 
 	"cdr.dev/slog"
 
@@ -302,6 +304,67 @@ func (c *Client) WorkspaceAgentNodeBroker(ctx context.Context) (agent.NodeBroker
 	return &workspaceAgentNodeBroker{conn}, nil
 }
 
+func (c *Client) DialWorkspaceAgentTailnet(ctx context.Context, agentID uuid.UUID, logger slog.Logger) (agent.Conn, error) {
+	res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/workspaceagents/%s/derpmap", agentID), nil)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		return nil, readBodyAsError(res)
+	}
+	var derpMap tailcfg.DERPMap
+	err = json.NewDecoder(res.Body).Decode(&derpMap)
+	if err != nil {
+		return nil, xerrors.Errorf("decode derpmap: %w", err)
+	}
+	ip := tailnet.IP()
+
+	server, err := tailnet.New(&tailnet.Options{
+		Addresses: []netaddr.IPPrefix{netaddr.IPPrefixFrom(ip, 128)},
+		DERPMap:   &derpMap,
+		Logger:    logger,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("create tailnet: %w", err)
+	}
+	server.SetNodeCallback(func(node *tailnet.Node) {
+		res, err := c.Request(ctx, http.MethodPost, fmt.Sprintf("/api/v2/workspaceagents/%s/node", agentID), node)
+		if err != nil {
+			logger.Error(ctx, "update node", slog.Error(err), slog.F("node", node))
+			return
+		}
+		defer res.Body.Close()
+		if res.StatusCode != http.StatusOK {
+			logger.Error(ctx, "update node", slog.F("status_code", res.StatusCode), slog.F("node", node))
+		}
+	})
+	workspaceAgent, err := c.WorkspaceAgent(ctx, agentID)
+	if err != nil {
+		return nil, xerrors.Errorf("get workspace agent: %w", err)
+	}
+	ipRanges := make([]netaddr.IPPrefix, 0, len(workspaceAgent.IPAddresses))
+	for _, address := range workspaceAgent.IPAddresses {
+		ipRanges = append(ipRanges, netaddr.IPPrefixFrom(address, 128))
+	}
+	agentNode := &tailnet.Node{
+		Key:           workspaceAgent.NodePublicKey,
+		DiscoKey:      workspaceAgent.DiscoPublicKey,
+		PreferredDERP: workspaceAgent.PreferredDERP,
+		Addresses:     ipRanges,
+		AllowedIPs:    ipRanges,
+	}
+	logger.Debug(ctx, "adding agent node", slog.F("node", agentNode))
+	err = server.UpdateNodes([]*tailnet.Node{agentNode})
+	if err != nil {
+		return nil, xerrors.Errorf("update nodes: %w", err)
+	}
+	return &agent.TailnetConn{
+		Target: workspaceAgent.IPAddresses[0],
+		Server: server,
+	}, nil
+}
+
 // DialWorkspaceAgent creates a connection to the specified resource.
 func (c *Client) DialWorkspaceAgent(ctx context.Context, agentID uuid.UUID, options *peer.ConnOptions) (agent.Conn, error) {
 	serverURL, err := c.URL.Parse(fmt.Sprintf("/api/v2/workspaceagents/%s/dial", agentID.String()))
@@ -447,9 +510,9 @@ type workspaceAgentNodeBroker struct {
 }
 
 func (w *workspaceAgentNodeBroker) Read(ctx context.Context) (*tailnet.Node, error) {
-	var node *tailnet.Node
-	err := wsjson.Read(ctx, w.conn, node)
-	return node, err
+	var node tailnet.Node
+	err := wsjson.Read(ctx, w.conn, &node)
+	return &node, err
 }
 
 func (w *workspaceAgentNodeBroker) Write(ctx context.Context, node *tailnet.Node) error {
