TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService

Author: chungthuang

connection/connection.go

@@ -87,6 +87,7 @@ func (t Type) String() string {
 }
 
 type OriginProxy interface {
+	// If Proxy returns an error, the caller is responsible for writing the error status to ResponseWriter
 	Proxy(w ResponseWriter, req *http.Request, sourceConnectionType Type) error
 }
 

ingress/ingress.go

@@ -25,7 +25,6 @@ var (
 )
 
 const (
-	ServiceBridge      = "bridge service"
 	ServiceBastion     = "bastion"
 	ServiceWarpRouting = "warp-routing"
 )
@@ -98,8 +97,7 @@ type WarpRoutingService struct {
 }
 
 func NewWarpRoutingService() *WarpRoutingService {
-	warpRoutingService := newBridgeService(DefaultStreamHandler, ServiceWarpRouting)
-	return &WarpRoutingService{Proxy: warpRoutingService}
+	return &WarpRoutingService{Proxy: &rawTCPService{name: ServiceWarpRouting}}
 }
 
 // Get a single origin service from the CLI/config.
@@ -108,7 +106,7 @@ func parseSingleOriginService(c *cli.Context, allowURLFromArgs bool) (originServ
 		return new(helloWorld), nil
 	}
 	if c.IsSet(config.BastionFlag) {
-		return newBridgeService(nil, ServiceBastion), nil
+		return newBastionService(), nil
 	}
 	if c.IsSet("url") {
 		originURL, err := config.ValidateUrl(c, allowURLFromArgs)
@@ -120,7 +118,7 @@ func parseSingleOriginService(c *cli.Context, allowURLFromArgs bool) (originServ
 				url: originURL,
 			}, nil
 		}
-		return newSingleTCPService(originURL), nil
+		return newTCPOverWSService(originURL), nil
 	}
 	if c.IsSet("unix-socket") {
 		path, err := config.ValidateUnixSocket(c)
@@ -182,7 +180,7 @@ func validate(ingress []config.UnvalidatedIngressRule, defaults OriginRequestCon
 			// overwrite the localService.URL field when `start` is called. So,
 			// leave the URL field empty for now.
 			cfg.BastionMode = true
-			service = newBridgeService(nil, ServiceBastion)
+			service = newBastionService()
 		} else {
 			// Validate URL services
 			u, err := url.Parse(r.Service)
@@ -200,7 +198,7 @@ func validate(ingress []config.UnvalidatedIngressRule, defaults OriginRequestCon
 			if isHTTPService(u) {
 				service = &httpService{url: u}
 			} else {
-				service = newSingleTCPService(u)
+				service = newTCPOverWSService(u)
 			}
 		}
 

ingress/ingress_test.go

@@ -238,12 +238,12 @@ ingress:
 			want: []Rule{
 				{
 					Hostname: "tcp.foo.com",
-					Service:  newSingleTCPService(MustParseURL(t, "tcp://127.0.0.1:7864")),
+					Service:  newTCPOverWSService(MustParseURL(t, "tcp://127.0.0.1:7864")),
 					Config:   defaultConfig,
 				},
 				{
 					Hostname: "tcp2.foo.com",
-					Service:  newSingleTCPService(MustParseURL(t, "tcp://localhost:8000")),
+					Service:  newTCPOverWSService(MustParseURL(t, "tcp://localhost:8000")),
 					Config:   defaultConfig,
 				},
 				{
@@ -260,7 +260,7 @@ ingress:
 `},
 			want: []Rule{
 				{
-					Service: newSingleTCPService(MustParseURL(t, "ssh://127.0.0.1:22")),
+					Service: newTCPOverWSService(MustParseURL(t, "ssh://127.0.0.1:22")),
 					Config:  defaultConfig,
 				},
 			},
@@ -273,7 +273,7 @@ ingress:
 `},
 			want: []Rule{
 				{
-					Service: newSingleTCPService(MustParseURL(t, "rdp://127.0.0.1:3389")),
+					Service: newTCPOverWSService(MustParseURL(t, "rdp://127.0.0.1:3389")),
 					Config:  defaultConfig,
 				},
 			},
@@ -286,7 +286,7 @@ ingress:
 `},
 			want: []Rule{
 				{
-					Service: newSingleTCPService(MustParseURL(t, "smb://127.0.0.1:445")),
+					Service: newTCPOverWSService(MustParseURL(t, "smb://127.0.0.1:445")),
 					Config:  defaultConfig,
 				},
 			},
@@ -299,7 +299,7 @@ ingress:
 `},
 			want: []Rule{
 				{
-					Service: newSingleTCPService(MustParseURL(t, "ftp://127.0.0.1")),
+					Service: newTCPOverWSService(MustParseURL(t, "ftp://127.0.0.1")),
 					Config:  defaultConfig,
 				},
 			},
@@ -316,7 +316,7 @@ ingress:
 			want: []Rule{
 				{
 					Hostname: "bastion.foo.com",
-					Service:  newBridgeService(nil, ServiceBastion),
+					Service:  newBastionService(),
 					Config:   setConfig(originRequestFromYAML(config.OriginRequestConfig{}), config.OriginRequestConfig{BastionMode: &tr}),
 				},
 				{
@@ -336,7 +336,7 @@ ingress:
 			want: []Rule{
 				{
 					Hostname: "bastion.foo.com",
-					Service:  newBridgeService(nil, ServiceBastion),
+					Service:  newBastionService(),
 					Config:   setConfig(originRequestFromYAML(config.OriginRequestConfig{}), config.OriginRequestConfig{BastionMode: &tr}),
 				},
 				{

ingress/origin_connection.go

@@ -1,11 +1,12 @@
 package ingress
 
 import (
+	"context"
+	"crypto/tls"
 	"io"
 	"net"
 	"net/http"
 
-	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/websocket"
 	gws "github.com/gorilla/websocket"
 	"github.com/rs/zerolog"
@@ -15,9 +16,8 @@ import (
 // Different concrete implementations will stream different protocols as long as they are io.ReadWriters.
 type OriginConnection interface {
 	// Stream should generally be implemented as a bidirectional io.Copy.
-	Stream(tunnelConn io.ReadWriter, log *zerolog.Logger)
+	Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger)
 	Close()
-	Type() connection.Type
 }
 
 type streamHandlerFunc func(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger)
@@ -54,30 +54,38 @@ func DefaultStreamHandler(originConn io.ReadWriter, remoteConn net.Conn, log *ze
 
 // tcpConnection is an OriginConnection that directly streams to raw TCP.
 type tcpConnection struct {
-	conn          net.Conn
-	streamHandler streamHandlerFunc
+	conn net.Conn
 }
 
-func (tc *tcpConnection) Stream(tunnelConn io.ReadWriter, log *zerolog.Logger) {
-	tc.streamHandler(tunnelConn, tc.conn, log)
+func (tc *tcpConnection) Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger) {
+	Stream(tunnelConn, tc.conn, log)
 }
 
 func (tc *tcpConnection) Close() {
 	tc.conn.Close()
 }
 
-func (*tcpConnection) Type() connection.Type {
-	return connection.TypeTCP
+// tcpOverWSConnection is an OriginConnection that streams to TCP over WS.
+type tcpOverWSConnection struct {
+	conn          net.Conn
+	streamHandler streamHandlerFunc
+}
+
+func (wc *tcpOverWSConnection) Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger) {
+	wc.streamHandler(websocket.NewConn(ctx, tunnelConn, log), wc.conn, log)
+}
+
+func (wc *tcpOverWSConnection) Close() {
+	wc.conn.Close()
 }
 
-// wsConnection is an OriginConnection that streams to TCP packets by encapsulating them in Websockets.
-// TODO: TUN-3710 Remove wsConnection and have helloworld service reuse tcpConnection like bridgeService does.
+// wsConnection is an OriginConnection that streams WS between eyeball and origin.
 type wsConnection struct {
 	wsConn *gws.Conn
 	resp   *http.Response
 }
 
-func (wsc *wsConnection) Stream(tunnelConn io.ReadWriter, log *zerolog.Logger) {
+func (wsc *wsConnection) Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger) {
 	Stream(tunnelConn, wsc.wsConn.UnderlyingConn(), log)
 }
 
@@ -86,13 +94,9 @@ func (wsc *wsConnection) Close() {
 	wsc.wsConn.Close()
 }
 
-func (wsc *wsConnection) Type() connection.Type {
-	return connection.TypeWebsocket
-}
-
-func newWSConnection(transport *http.Transport, r *http.Request) (OriginConnection, *http.Response, error) {
+func newWSConnection(clientTLSConfig *tls.Config, r *http.Request) (OriginConnection, *http.Response, error) {
 	d := &gws.Dialer{
-		TLSClientConfig: transport.TLSClientConfig,
+		TLSClientConfig: clientTLSConfig,
 	}
 	wsConn, resp, err := websocket.ClientConnect(r, d)
 	if err != nil {

ingress/origin_connection_test.go

@@ -0,0 +1,177 @@
+package ingress
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/cloudflare/cloudflared/logger"
+	"github.com/gobwas/ws/wsutil"
+	"github.com/gorilla/websocket"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/sync/errgroup"
+)
+
+const (
+	testStreamTimeout = time.Second * 3
+)
+
+var (
+	testLogger   = logger.Create(nil)
+	testMessage  = []byte("TestStreamOriginConnection")
+	testResponse = []byte(fmt.Sprintf("echo-%s", testMessage))
+)
+
+func TestStreamTCPConnection(t *testing.T) {
+	cfdConn, originConn := net.Pipe()
+	tcpConn := tcpConnection{
+		conn: cfdConn,
+	}
+
+	eyeballConn, edgeConn := net.Pipe()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testStreamTimeout)
+	defer cancel()
+
+	errGroup, ctx := errgroup.WithContext(ctx)
+	errGroup.Go(func() error {
+		_, err := eyeballConn.Write(testMessage)
+
+		readBuffer := make([]byte, len(testResponse))
+		_, err = eyeballConn.Read(readBuffer)
+		require.NoError(t, err)
+
+		require.Equal(t, testResponse, readBuffer)
+
+		return nil
+	})
+	errGroup.Go(func() error {
+		echoTCPOrigin(t, originConn)
+		originConn.Close()
+		return nil
+	})
+
+	tcpConn.Stream(ctx, edgeConn, testLogger)
+	require.NoError(t, errGroup.Wait())
+}
+
+func TestStreamWSOverTCPConnection(t *testing.T) {
+	cfdConn, originConn := net.Pipe()
+	tcpOverWSConn := tcpOverWSConnection{
+		conn:          cfdConn,
+		streamHandler: DefaultStreamHandler,
+	}
+
+	eyeballConn, edgeConn := net.Pipe()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testStreamTimeout)
+	defer cancel()
+
+	errGroup, ctx := errgroup.WithContext(ctx)
+	errGroup.Go(func() error {
+		echoWSEyeball(t, eyeballConn)
+		return nil
+	})
+	errGroup.Go(func() error {
+		echoTCPOrigin(t, originConn)
+		originConn.Close()
+		return nil
+	})
+
+	tcpOverWSConn.Stream(ctx, edgeConn, testLogger)
+	require.NoError(t, errGroup.Wait())
+}
+
+func TestStreamWSConnection(t *testing.T) {
+	eyeballConn, edgeConn := net.Pipe()
+
+	origin := echoWSOrigin(t)
+	defer origin.Close()
+
+	req, err := http.NewRequest(http.MethodGet, origin.URL, nil)
+	require.NoError(t, err)
+	req.Header.Set("Sec-Websocket-Key", "dGhlIHNhbXBsZSBub25jZQ==")
+
+	clientTLSConfig := &tls.Config{
+		InsecureSkipVerify: true,
+	}
+	wsConn, resp, err := newWSConnection(clientTLSConfig, req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusSwitchingProtocols, resp.StatusCode)
+	require.Equal(t, "Upgrade", resp.Header.Get("Connection"))
+	require.Equal(t, "s3pPLMBiTxaQ9kYGzzhZRbK+xOo=", resp.Header.Get("Sec-Websocket-Accept"))
+	require.Equal(t, "websocket", resp.Header.Get("Upgrade"))
+
+	ctx, cancel := context.WithTimeout(context.Background(), testStreamTimeout)
+	defer cancel()
+
+	errGroup, ctx := errgroup.WithContext(ctx)
+	errGroup.Go(func() error {
+		echoWSEyeball(t, eyeballConn)
+		return nil
+	})
+
+	wsConn.Stream(ctx, edgeConn, testLogger)
+	require.NoError(t, errGroup.Wait())
+}
+
+func echoWSEyeball(t *testing.T, conn net.Conn) {
+	require.NoError(t, wsutil.WriteClientBinary(conn, testMessage))
+
+	readMsg, err := wsutil.ReadServerBinary(conn)
+	require.NoError(t, err)
+
+	require.Equal(t, testResponse, readMsg)
+
+	require.NoError(t, conn.Close())
+}
+
+func echoWSOrigin(t *testing.T) *httptest.Server {
+	var upgrader = websocket.Upgrader{
+		ReadBufferSize:  10,
+		WriteBufferSize: 10,
+	}
+
+	ws := func(w http.ResponseWriter, r *http.Request) {
+		header := make(http.Header)
+		for k, vs := range r.Header {
+			if k == "Test-Cloudflared-Echo" {
+				header[k] = vs
+			}
+		}
+		conn, err := upgrader.Upgrade(w, r, header)
+		require.NoError(t, err)
+		defer conn.Close()
+
+		for {
+			messageType, p, err := conn.ReadMessage()
+			if err != nil {
+				return
+			}
+			require.Equal(t, testMessage, p)
+			if err := conn.WriteMessage(messageType, testResponse); err != nil {
+				return
+			}
+		}
+	}
+
+	// NewTLSServer starts the server in another thread
+	return httptest.NewTLSServer(http.HandlerFunc(ws))
+}
+
+func echoTCPOrigin(t *testing.T, conn net.Conn) {
+	readBuffer := make([]byte, len(testMessage))
+	_, err := conn.Read(readBuffer)
+	assert.NoError(t, err)
+
+	assert.Equal(t, testMessage, readBuffer)
+
+	_, err = conn.Write(testResponse)
+	assert.NoError(t, err)
+}