TUN-4597: Add a QUIC server skeleton

- Added a QUIC server to accept streams
- Unit test for this server also tests ALPN
- Temporary echo capability for HTTP ConnectionType

Author: sudarshan-reddy

connection/quic.go

@@ -0,0 +1,84 @@
+package connection
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+
+	"github.com/lucas-clemente/quic-go"
+	"github.com/pkg/errors"
+	"github.com/rs/zerolog"
+
+	quicpogs "github.com/cloudflare/cloudflared/quic"
+)
+
+// QUICConnection represents the type that facilitates Proxying via QUIC streams.
+type QUICConnection struct {
+	session quic.Session
+	logger  zerolog.Logger
+}
+
+// NewQUICConnection returns a new instance of QUICConnection.
+func NewQUICConnection(
+	ctx context.Context,
+	quicConfig *quic.Config,
+	edgeAddr net.Addr,
+	tlsConfig *tls.Config,
+	logger zerolog.Logger,
+) (*QUICConnection, error) {
+	session, err := quic.DialAddr(edgeAddr.String(), tlsConfig, quicConfig)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to dial to edge")
+	}
+
+	//TODO: RegisterConnectionRPC here.
+
+	return &QUICConnection{
+		session: session,
+		logger:  logger,
+	}, nil
+}
+
+// Serve starts a QUIC session that begins accepting streams.
+func (q *QUICConnection) Serve(ctx context.Context) error {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	for {
+		stream, err := q.session.AcceptStream(ctx)
+		if err != nil {
+			return errors.Wrap(err, "failed to accept QUIC stream")
+		}
+		go func() {
+			defer stream.Close()
+			if err = q.handleStream(stream); err != nil {
+				q.logger.Err(err).Msg("Failed to handle QUIC stream")
+			}
+		}()
+	}
+}
+
+// Close calls this to close the QuicConnection stream.
+func (q *QUICConnection) Close() {
+	q.session.CloseWithError(0, "")
+}
+
+func (q *QUICConnection) handleStream(stream quic.Stream) error {
+	connectRequest, err := quicpogs.ReadConnectRequestData(stream)
+	if err != nil {
+		return err
+	}
+
+	switch connectRequest.Type {
+	case quicpogs.ConnectionTypeHTTP, quicpogs.ConnectionTypeWebsocket:
+		// Temporary dummy code for the unit test.
+		if err := quicpogs.WriteConnectResponseData(stream, nil, quicpogs.Metadata{Key: "HTTPStatus", Val: "200"}); err != nil {
+			return err
+		}
+
+		stream.Write([]byte("OK"))
+	case quicpogs.ConnectionTypeTCP:
+
+	}
+	return nil
+}

connection/quic_test.go

@@ -0,0 +1,161 @@
+package connection
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"io/ioutil"
+	"math/big"
+	"net"
+	"os"
+	"sync"
+	"testing"
+
+	"github.com/lucas-clemente/quic-go"
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	quicpogs "github.com/cloudflare/cloudflared/quic"
+)
+
+// TestQUICServer tests if a quic server accepts and responds to a quic client with the acceptance protocol.
+// It also serves as a demonstration for communication with the QUIC connection started by a cloudflared.
+func TestQUICServer(t *testing.T) {
+	quicConfig := &quic.Config{
+		KeepAlive: true,
+	}
+
+	log := zerolog.New(os.Stdout)
+
+	udpAddr, err := net.ResolveUDPAddr("udp", "127.0.0.1:0")
+
+	require.NoError(t, err)
+	udpListener, err := net.ListenUDP(udpAddr.Network(), udpAddr)
+	require.NoError(t, err)
+	defer udpListener.Close()
+	tlsConfig := generateTLSConfig()
+	tlsConfClient := &tls.Config{
+		InsecureSkipVerify: true,
+		NextProtos:         []string{"argotunnel"},
+	}
+	var tests = []struct {
+		desc            string
+		dest            string
+		connectionType  quicpogs.ConnectionType
+		metadata        []quicpogs.Metadata
+		message         []byte
+		expectedMessage []byte
+	}{
+		{
+			desc:           "",
+			dest:           "somehost.com",
+			connectionType: quicpogs.ConnectionTypeWebsocket,
+			metadata: []quicpogs.Metadata{
+				quicpogs.Metadata{
+					Key: "key",
+					Val: "value",
+				},
+			},
+			expectedMessage: []byte("OK"),
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.desc, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+
+			var wg sync.WaitGroup
+			go func() {
+				wg.Add(1)
+				quicServer(
+					t, udpListener, tlsConfig, quicConfig,
+					test.dest, test.connectionType, test.metadata, test.message, test.expectedMessage,
+				)
+				wg.Done()
+			}()
+
+			qC, err := NewQUICConnection(context.Background(), quicConfig, udpListener.LocalAddr(), tlsConfClient, log)
+			require.NoError(t, err)
+
+			go func() {
+				wg.Wait()
+				cancel()
+			}()
+
+			qC.Serve(ctx)
+
+		})
+	}
+
+}
+
+func quicServer(
+	t *testing.T,
+	conn net.PacketConn,
+	tlsConf *tls.Config,
+	config *quic.Config,
+	dest string,
+	connectionType quicpogs.ConnectionType,
+	metadata []quicpogs.Metadata,
+	message []byte,
+	expectedResponse []byte,
+) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	earlyListener, err := quic.ListenEarly(conn, tlsConf, config)
+	require.NoError(t, err)
+
+	session, err := earlyListener.Accept(ctx)
+	require.NoError(t, err)
+
+	stream, err := session.OpenStreamSync(context.Background())
+	require.NoError(t, err)
+
+	// Start off ALPN
+	err = quicpogs.WriteConnectRequestData(stream, dest, connectionType, metadata...)
+	require.NoError(t, err)
+
+	_, err = quicpogs.ReadConnectResponseData(stream)
+	require.NoError(t, err)
+
+	if message != nil {
+		// ALPN successful. Write data.
+		_, err = stream.Write([]byte(message))
+		require.NoError(t, err)
+	}
+
+	response, err := ioutil.ReadAll(stream)
+	require.NoError(t, err)
+
+	// For now it is an echo server. Verify if the same data is returned.
+	assert.Equal(t, expectedResponse, response)
+}
+
+// Setup a bare-bones TLS config for the server
+func generateTLSConfig() *tls.Config {
+	key, err := rsa.GenerateKey(rand.Reader, 1024)
+	if err != nil {
+		panic(err)
+	}
+	template := x509.Certificate{SerialNumber: big.NewInt(1)}
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
+	if err != nil {
+		panic(err)
+	}
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+
+	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		panic(err)
+	}
+	return &tls.Config{
+		Certificates: []tls.Certificate{tlsCert},
+		NextProtos:   []string{"argotunnel"},
+	}
+}

go.mod

@@ -29,6 +29,7 @@ require (
 	github.com/json-iterator/go v1.1.10
 	github.com/kr/text v0.2.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/lucas-clemente/quic-go v0.21.1
 	github.com/mattn/go-colorable v0.1.8
 	github.com/miekg/dns v1.1.31
 	github.com/mitchellh/go-homedir v1.1.0
@@ -45,10 +46,10 @@ require (
 	github.com/urfave/cli/v2 v2.2.0
 	go.uber.org/automaxprocs v1.4.0
 	golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a
-	golang.org/x/net v0.0.0-20200904194848-62affa334b73
+	golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4
 	golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43 // indirect
-	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
-	golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	golang.org/x/sys v0.0.0-20210510120138-977fb7262007
 	golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf
 	google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d // indirect
 	google.golang.org/grpc v1.32.0 // indirect