TUN-5702: Allow to deserialize config from JSON

Author: chungthuang

config/configuration.go

@@ -175,60 +175,62 @@ func ValidateUrl(c *cli.Context, allowURLFromArgs bool) (*url.URL, error) {
 }
 
 type UnvalidatedIngressRule struct {
-	Hostname      string
-	Path          string
-	Service       string
-	OriginRequest OriginRequestConfig `yaml:"originRequest"`
+	Hostname      string              `json:"hostname"`
+	Path          string              `json:"path"`
+	Service       string              `json:"service"`
+	OriginRequest OriginRequestConfig `yaml:"originRequest" json:"originRequest"`
 }
 
 // OriginRequestConfig is a set of optional fields that users may set to
 // customize how cloudflared sends requests to origin services. It is used to set
 // up general config that apply to all rules, and also, specific per-rule
 // config.
-// Note: To specify a time.Duration in go-yaml, use e.g. "3s" or "24h".
+// Note:
+// - To specify a time.Duration in go-yaml, use e.g. "3s" or "24h".
+// - To specify a time.Duration in json, use int64 of the nanoseconds
 type OriginRequestConfig struct {
 	// HTTP proxy timeout for establishing a new connection
-	ConnectTimeout *time.Duration `yaml:"connectTimeout"`
+	ConnectTimeout *time.Duration `yaml:"connectTimeout" json:"connectTimeout"`
 	// HTTP proxy timeout for completing a TLS handshake
-	TLSTimeout *time.Duration `yaml:"tlsTimeout"`
+	TLSTimeout *time.Duration `yaml:"tlsTimeout" json:"tlsTimeout"`
 	// HTTP proxy TCP keepalive duration
-	TCPKeepAlive *time.Duration `yaml:"tcpKeepAlive"`
+	TCPKeepAlive *time.Duration `yaml:"tcpKeepAlive" json:"tcpKeepAlive"`
 	// HTTP proxy should disable "happy eyeballs" for IPv4/v6 fallback
-	NoHappyEyeballs *bool `yaml:"noHappyEyeballs"`
+	NoHappyEyeballs *bool `yaml:"noHappyEyeballs" json:"noHappyEyeballs"`
 	// HTTP proxy maximum keepalive connection pool size
-	KeepAliveConnections *int `yaml:"keepAliveConnections"`
+	KeepAliveConnections *int `yaml:"keepAliveConnections" json:"keepAliveConnections"`
 	// HTTP proxy timeout for closing an idle connection
-	KeepAliveTimeout *time.Duration `yaml:"keepAliveTimeout"`
+	KeepAliveTimeout *time.Duration `yaml:"keepAliveTimeout" json:"keepAliveTimeout"`
 	// Sets the HTTP Host header for the local webserver.
-	HTTPHostHeader *string `yaml:"httpHostHeader"`
+	HTTPHostHeader *string `yaml:"httpHostHeader" json:"httpHostHeader"`
 	// Hostname on the origin server certificate.
-	OriginServerName *string `yaml:"originServerName"`
+	OriginServerName *string `yaml:"originServerName" json:"originServerName"`
 	// Path to the CA for the certificate of your origin.
 	// This option should be used only if your certificate is not signed by Cloudflare.
-	CAPool *string `yaml:"caPool"`
+	CAPool *string `yaml:"caPool" json:"caPool"`
 	// Disables TLS verification of the certificate presented by your origin.
 	// Will allow any certificate from the origin to be accepted.
 	// Note: The connection from your machine to Cloudflare's Edge is still encrypted.
-	NoTLSVerify *bool `yaml:"noTLSVerify"`
+	NoTLSVerify *bool `yaml:"noTLSVerify" json:"noTLSVerify"`
 	// Disables chunked transfer encoding.
 	// Useful if you are running a WSGI server.
-	DisableChunkedEncoding *bool `yaml:"disableChunkedEncoding"`
+	DisableChunkedEncoding *bool `yaml:"disableChunkedEncoding" json:"disableChunkedEncoding"`
 	// Runs as jump host
-	BastionMode *bool `yaml:"bastionMode"`
+	BastionMode *bool `yaml:"bastionMode" json:"bastionMode"`
 	// Listen address for the proxy.
-	ProxyAddress *string `yaml:"proxyAddress"`
+	ProxyAddress *string `yaml:"proxyAddress" json:"proxyAddress"`
 	// Listen port for the proxy.
-	ProxyPort *uint `yaml:"proxyPort"`
+	ProxyPort *uint `yaml:"proxyPort" json:"proxyPort"`
 	// Valid options are 'socks' or empty.
-	ProxyType *string `yaml:"proxyType"`
+	ProxyType *string `yaml:"proxyType" json:"proxyType"`
 	// IP rules for the proxy service
-	IPRules []IngressIPRule `yaml:"ipRules"`
+	IPRules []IngressIPRule `yaml:"ipRules" json:"ipRules"`
 }
 
 type IngressIPRule struct {
-	Prefix *string `yaml:"prefix"`
-	Ports  []int   `yaml:"ports"`
-	Allow  bool    `yaml:"allow"`
+	Prefix *string `yaml:"prefix" json:"prefix"`
+	Ports  []int   `yaml:"ports" json:"ports"`
+	Allow  bool    `yaml:"allow" json:"allow"`
 }
 
 type Configuration struct {
@@ -240,7 +242,7 @@ type Configuration struct {
 }
 
 type WarpRoutingConfig struct {
-	Enabled bool `yaml:"enabled"`
+	Enabled bool `yaml:"enabled" json:"enabled"`
 }
 
 type configFileSettings struct {

config/configuration_test.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"encoding/json"
 	"testing"
 	"time"
 
@@ -26,6 +27,18 @@ func TestConfigFileSettings(t *testing.T) {
 	)
 	rawYAML := `
 tunnel: config-file-test
+originRequest:
+  ipRules:
+  - prefix: "10.0.0.0/8"
+    ports:
+    - 80
+    - 8080
+    allow: false
+  - prefix: "fc00::/7"
+    ports:
+    - 443
+    - 4443
+    allow: true
 ingress:
  - hostname: tunnel1.example.com
    path: /id
@@ -53,6 +66,21 @@ counters:
 	assert.Equal(t, firstIngress, config.Ingress[0])
 	assert.Equal(t, secondIngress, config.Ingress[1])
 	assert.Equal(t, warpRouting, config.WarpRouting)
+	privateV4 := "10.0.0.0/8"
+	privateV6 := "fc00::/7"
+	ipRules := []IngressIPRule{
+		{
+			Prefix: &privateV4,
+			Ports:  []int{80, 8080},
+			Allow:  false,
+		},
+		{
+			Prefix: &privateV6,
+			Ports:  []int{443, 4443},
+			Allow:  true,
+		},
+	}
+	assert.Equal(t, ipRules, config.OriginRequest.IPRules)
 
 	retries, err := config.Int("retries")
 	assert.NoError(t, err)
@@ -81,3 +109,71 @@ counters:
 	assert.Equal(t, 456, counters[1])
 
 }
+
+func TestUnmarshalOriginRequestConfig(t *testing.T) {
+	raw := []byte(`
+{
+	"connectTimeout": 10000000000,
+	"tlsTimeout": 30000000000,
+	"tcpKeepAlive": 30000000000,
+	"noHappyEyeballs": true,
+	"keepAliveTimeout": 60000000000,
+	"keepAliveConnections": 10,
+	"httpHostHeader": "app.tunnel.com",
+	"originServerName": "app.tunnel.com",
+	"caPool": "/etc/capool",
+	"noTLSVerify": true,
+	"disableChunkedEncoding": true,
+	"bastionMode": true,
+	"proxyAddress": "127.0.0.3",
+	"proxyPort": 9000,
+	"proxyType": "socks",
+	"ipRules": [
+		{
+			"prefix": "10.0.0.0/8",
+			"ports": [80, 8080],
+			"allow": false
+		},
+		{
+			"prefix": "fc00::/7",
+			"ports": [443, 4443],
+			"allow": true
+		}
+	]
+}
+`)
+	var config OriginRequestConfig
+	assert.NoError(t, json.Unmarshal(raw, &config))
+	assert.Equal(t, time.Second*10, *config.ConnectTimeout)
+	assert.Equal(t, time.Second*30, *config.TLSTimeout)
+	assert.Equal(t, time.Second*30, *config.TCPKeepAlive)
+	assert.Equal(t, true, *config.NoHappyEyeballs)
+	assert.Equal(t, time.Second*60, *config.KeepAliveTimeout)
+	assert.Equal(t, 10, *config.KeepAliveConnections)
+	assert.Equal(t, "app.tunnel.com", *config.HTTPHostHeader)
+	assert.Equal(t, "app.tunnel.com", *config.OriginServerName)
+	assert.Equal(t, "/etc/capool", *config.CAPool)
+	assert.Equal(t, true, *config.NoTLSVerify)
+	assert.Equal(t, true, *config.DisableChunkedEncoding)
+	assert.Equal(t, true, *config.BastionMode)
+	assert.Equal(t, "127.0.0.3", *config.ProxyAddress)
+	assert.Equal(t, true, *config.NoTLSVerify)
+	assert.Equal(t, uint(9000), *config.ProxyPort)
+	assert.Equal(t, "socks", *config.ProxyType)
+
+	privateV4 := "10.0.0.0/8"
+	privateV6 := "fc00::/7"
+	ipRules := []IngressIPRule{
+		{
+			Prefix: &privateV4,
+			Ports:  []int{80, 8080},
+			Allow:  false,
+		},
+		{
+			Prefix: &privateV6,
+			Ports:  []int{443, 4443},
+			Allow:  true,
+		},
+	}
+	assert.Equal(t, ipRules, config.IPRules)
+}

ingress/origin_request_config.go renamed to ingress/config.go

@@ -1,6 +1,7 @@
 package ingress
 
 import (
+	"encoding/json"
 	"time"
 
 	"github.com/urfave/cli/v2"
@@ -38,6 +39,34 @@ const (
 	socksProxy = "socks"
 )
 
+// RemoteConfig models ingress settings that can be managed remotely, for example through the dashboard.
+type RemoteConfig struct {
+	Ingress     Ingress
+	WarpRouting config.WarpRoutingConfig
+}
+
+type remoteConfigJSON struct {
+	GlobalOriginRequest config.OriginRequestConfig      `json:"originRequest"`
+	IngressRules        []config.UnvalidatedIngressRule `json:"ingress"`
+	WarpRouting         config.WarpRoutingConfig        `json:"warp-routing"`
+}
+
+func (rc *RemoteConfig) UnmarshalJSON(b []byte) error {
+	var rawConfig remoteConfigJSON
+	if err := json.Unmarshal(b, &rawConfig); err != nil {
+		return err
+	}
+	ingress, err := validateIngress(rawConfig.IngressRules, originRequestFromConfig(rawConfig.GlobalOriginRequest))
+	if err != nil {
+		return err
+	}
+
+	rc.Ingress = ingress
+	rc.WarpRouting = rawConfig.WarpRouting
+
+	return nil
+}
+
 func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {
 	var connectTimeout time.Duration = defaultConnectTimeout
 	var tlsTimeout time.Duration = defaultTLSTimeout
@@ -119,7 +148,7 @@ func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {
 	}
 }
 
-func originRequestFromYAML(y config.OriginRequestConfig) OriginRequestConfig {
+func originRequestFromConfig(c config.OriginRequestConfig) OriginRequestConfig {
 	out := OriginRequestConfig{
 		ConnectTimeout:       defaultConnectTimeout,
 		TLSTimeout:           defaultTLSTimeout,
@@ -128,50 +157,58 @@ func originRequestFromYAML(y config.OriginRequestConfig) OriginRequestConfig {
 		KeepAliveTimeout:     defaultKeepAliveTimeout,
 		ProxyAddress:         defaultProxyAddress,
 	}
-	if y.ConnectTimeout != nil {
-		out.ConnectTimeout = *y.ConnectTimeout
+	if c.ConnectTimeout != nil {
+		out.ConnectTimeout = *c.ConnectTimeout
+	}
+	if c.TLSTimeout != nil {
+		out.TLSTimeout = *c.TLSTimeout
 	}
-	if y.TLSTimeout != nil {
-		out.TLSTimeout = *y.TLSTimeout
+	if c.TCPKeepAlive != nil {
+		out.TCPKeepAlive = *c.TCPKeepAlive
 	}
-	if y.TCPKeepAlive != nil {
-		out.TCPKeepAlive = *y.TCPKeepAlive
+	if c.NoHappyEyeballs != nil {
+		out.NoHappyEyeballs = *c.NoHappyEyeballs
 	}
-	if y.NoHappyEyeballs != nil {
-		out.NoHappyEyeballs = *y.NoHappyEyeballs
+	if c.KeepAliveConnections != nil {
+		out.KeepAliveConnections = *c.KeepAliveConnections
 	}
-	if y.KeepAliveConnections != nil {
-		out.KeepAliveConnections = *y.KeepAliveConnections
+	if c.KeepAliveTimeout != nil {
+		out.KeepAliveTimeout = *c.KeepAliveTimeout
 	}
-	if y.KeepAliveTimeout != nil {
-		out.KeepAliveTimeout = *y.KeepAliveTimeout
+	if c.HTTPHostHeader != nil {
+		out.HTTPHostHeader = *c.HTTPHostHeader
 	}
-	if y.HTTPHostHeader != nil {
-		out.HTTPHostHeader = *y.HTTPHostHeader
+	if c.OriginServerName != nil {
+		out.OriginServerName = *c.OriginServerName
 	}
-	if y.OriginServerName != nil {
-		out.OriginServerName = *y.OriginServerName
+	if c.CAPool != nil {
+		out.CAPool = *c.CAPool
 	}
-	if y.CAPool != nil {
-		out.CAPool = *y.CAPool
+	if c.NoTLSVerify != nil {
+		out.NoTLSVerify = *c.NoTLSVerify
 	}
-	if y.NoTLSVerify != nil {
-		out.NoTLSVerify = *y.NoTLSVerify
+	if c.DisableChunkedEncoding != nil {
+		out.DisableChunkedEncoding = *c.DisableChunkedEncoding
 	}
-	if y.DisableChunkedEncoding != nil {
-		out.DisableChunkedEncoding = *y.DisableChunkedEncoding
+	if c.BastionMode != nil {
+		out.BastionMode = *c.BastionMode
 	}
-	if y.BastionMode != nil {
-		out.BastionMode = *y.BastionMode
+	if c.ProxyAddress != nil {
+		out.ProxyAddress = *c.ProxyAddress
 	}
-	if y.ProxyAddress != nil {
-		out.ProxyAddress = *y.ProxyAddress
+	if c.ProxyPort != nil {
+		out.ProxyPort = *c.ProxyPort
 	}
-	if y.ProxyPort != nil {
-		out.ProxyPort = *y.ProxyPort
+	if c.ProxyType != nil {
+		out.ProxyType = *c.ProxyType
 	}
-	if y.ProxyType != nil {
-		out.ProxyType = *y.ProxyType
+	if len(c.IPRules) > 0 {
+		for _, r := range c.IPRules {
+			rule, err := ipaccess.NewRuleByCIDR(r.Prefix, r.Ports, r.Allow)
+			if err == nil {
+				out.IPRules = append(out.IPRules, rule)
+			}
+		}
 	}
 	return out
 }
@@ -188,10 +225,10 @@ type OriginRequestConfig struct {
 	TCPKeepAlive time.Duration `yaml:"tcpKeepAlive"`
 	// HTTP proxy should disable "happy eyeballs" for IPv4/v6 fallback
 	NoHappyEyeballs bool `yaml:"noHappyEyeballs"`
-	// HTTP proxy maximum keepalive connection pool size
-	KeepAliveConnections int `yaml:"keepAliveConnections"`
 	// HTTP proxy timeout for closing an idle connection
 	KeepAliveTimeout time.Duration `yaml:"keepAliveTimeout"`
+	// HTTP proxy maximum keepalive connection pool size
+	KeepAliveConnections int `yaml:"keepAliveConnections"`
 	// Sets the HTTP Host header for the local webserver.
 	HTTPHostHeader string `yaml:"httpHostHeader"`
 	// Hostname on the origin server certificate.
@@ -308,6 +345,19 @@ func (defaults *OriginRequestConfig) setProxyType(overrides config.OriginRequest
 	}
 }
 
+func (defaults *OriginRequestConfig) setIPRules(overrides config.OriginRequestConfig) {
+	if val := overrides.IPRules; len(val) > 0 {
+		ipAccessRule := make([]ipaccess.Rule, len(overrides.IPRules))
+		for i, r := range overrides.IPRules {
+			rule, err := ipaccess.NewRuleByCIDR(r.Prefix, r.Ports, r.Allow)
+			if err == nil {
+				ipAccessRule[i] = rule
+			}
+		}
+		defaults.IPRules = ipAccessRule
+	}
+}
+
 // SetConfig gets config for the requests that cloudflared sends to origins.
 // Each field has a setter method which sets a value for the field by trying to find:
 //   1. The user config for this rule
@@ -332,5 +382,6 @@ func setConfig(defaults OriginRequestConfig, overrides config.OriginRequestConfi
 	cfg.setProxyPort(overrides)
 	cfg.setProxyAddress(overrides)
 	cfg.setProxyType(overrides)
+	cfg.setIPRules(overrides)
 	return cfg
 }