chore: support old tunnel URLs and clients (#3)

Author: deansheather

cmd/tunnel/main.go

@@ -8,6 +8,7 @@ import (
 	"net"
 	"net/url"
 	"os"
+	"os/signal"
 	"time"
 
 	"github.com/urfave/cli/v2"
@@ -143,6 +144,12 @@ func runApp(ctx *cli.Context) error {
 		}
 	}()
 
+	_, _ = fmt.Fprintln(os.Stderr, "Tunnel is ready. You can now connect to one of the following URLs:")
+	_, _ = fmt.Fprintln(os.Stderr, "  -", tunnel.URL.String())
+	for _, u := range tunnel.OtherURLs {
+		_, _ = fmt.Fprintln(os.Stderr, "  -", u.String())
+	}
+
 	// Start forwarding traffic to/from the tunnel.
 	go func() {
 		for {
@@ -183,7 +190,15 @@ func runApp(ctx *cli.Context) error {
 
 	_, _ = fmt.Printf("\nTunnel is ready! You can now connect to %s\n", tunnel.URL.String())
 
-	// TODO: manual signal handling
-	<-tunnel.Wait()
+	notifyCtx, notifyStop := signal.NotifyContext(ctx.Context, InterruptSignals...)
+	defer notifyStop()
+
+	select {
+	case <-notifyCtx.Done():
+		_, _ = fmt.Printf("\nClosing tunnel due to signal...\n")
+		return tunnel.Close()
+	case <-tunnel.Wait():
+	}
+
 	return nil
 }

cmd/tunnel/signal_unix.go

@@ -0,0 +1,14 @@
+//go:build !windows
+
+package main
+
+import (
+	"os"
+	"syscall"
+)
+
+var InterruptSignals = []os.Signal{
+	os.Interrupt,
+	syscall.SIGTERM,
+	syscall.SIGHUP,
+}

cmd/tunnel/signal_windows.go

@@ -0,0 +1,9 @@
+//go:build windows
+
+package main
+
+import (
+	"os"
+)
+
+var InterruptSignals = []os.Signal{os.Interrupt}

tunneld/api.go

@@ -2,17 +2,21 @@ package tunneld
 
 import (
 	"context"
+	"encoding/hex"
 	"fmt"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/netip"
+	"net/url"
 	"strings"
 	"time"
 
 	"github.com/go-chi/chi"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
+	"golang.org/x/xerrors"
+	"golang.zx2c4.com/wireguard/device"
 
 	"github.com/coder/wgtunnel/tunneld/httpapi"
 	"github.com/coder/wgtunnel/tunneld/httpmw"
@@ -32,7 +36,8 @@ func (api *API) Router() chi.Router {
 		httpmw.RateLimit(10, 10*time.Second),
 	)
 
-	r.Post("/api/v1/clients", api.postClients)
+	r.Post("/tun", api.postTun)
+	r.Post("/api/v2/clients", api.postClients)
 
 	r.NotFound(func(rw http.ResponseWriter, r *http.Request) {
 		httpapi.Write(r.Context(), rw, http.StatusNotFound, tunnelsdk.Response{
@@ -43,36 +48,127 @@ func (api *API) Router() chi.Router {
 	return r
 }
 
+type LegacyPostTunRequest struct {
+	PublicKey device.NoisePublicKey `json:"public_key"`
+}
+
+type LegacyPostTunResponse struct {
+	Hostname        string     `json:"hostname"`
+	ServerEndpoint  string     `json:"server_endpoint"`
+	ServerIP        netip.Addr `json:"server_ip"`
+	ServerPublicKey string     `json:"server_public_key"` // hex
+	ClientIP        netip.Addr `json:"client_ip"`
+}
+
+// postTun provides compatibility with the old tunnel client contained in older
+// versions of coder/coder. It essentially converts the old request format to a
+// newer request, and the newer response to the old response format.
+func (api *API) postTun(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	var req LegacyPostTunRequest
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	registerReq := tunnelsdk.ClientRegisterRequest{
+		Version:   tunnelsdk.TunnelVersion1,
+		PublicKey: req.PublicKey,
+	}
+
+	resp, exists, err := api.registerClient(registerReq)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, tunnelsdk.Response{
+			Message: "Failed to register client.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	if len(resp.TunnelURLs) == 0 {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, tunnelsdk.Response{
+			Message: "No tunnel URLs found.",
+		})
+		return
+	}
+
+	u, err := url.Parse(resp.TunnelURLs[0])
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, tunnelsdk.Response{
+			Message: "Failed to parse tunnel URL.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	status := http.StatusCreated
+	if exists {
+		status = http.StatusOK
+	}
+	httpapi.Write(ctx, rw, status, LegacyPostTunResponse{
+		Hostname:        u.Host,
+		ServerEndpoint:  resp.ServerEndpoint,
+		ServerIP:        resp.ServerIP,
+		ServerPublicKey: hex.EncodeToString(resp.ServerPublicKey[:]),
+		ClientIP:        resp.ClientIP,
+	})
+}
+
 func (api *API) postClients(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
 	var req tunnelsdk.ClientRegisterRequest
 	if !httpapi.Read(r.Context(), rw, r, &req) {
 		return
 	}
 
-	ip := api.WireguardPublicKeyToIP(req.PublicKey)
+	resp, _, err := api.registerClient(req)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, tunnelsdk.Response{
+			Message: "Failed to register client.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, resp)
+}
+
+func (api *API) registerClient(req tunnelsdk.ClientRegisterRequest) (tunnelsdk.ClientRegisterResponse, bool, error) {
+	if req.Version <= 0 || req.Version > tunnelsdk.TunnelVersionLatest {
+		req.Version = tunnelsdk.TunnelVersionLatest
+	}
+
+	ip, urls := api.WireguardPublicKeyToIPAndURLs(req.PublicKey, req.Version)
+
+	exists := true
 	if api.wgDevice.LookupPeer(req.PublicKey) == nil {
+		exists = false
+
 		err := api.wgDevice.IpcSet(fmt.Sprintf(`public_key=%x
 allowed_ip=%s/128`,
 			req.PublicKey,
 			ip.String(),
 		))
 		if err != nil {
-			httpapi.Write(r.Context(), rw, http.StatusInternalServerError, tunnelsdk.Response{
-				Message: "Failed to register client.",
-				Detail:  err.Error(),
-			})
-			return
+			return tunnelsdk.ClientRegisterResponse{}, false, xerrors.Errorf("register client with wireguard: %w", err)
 		}
 	}
 
-	httpapi.Write(r.Context(), rw, http.StatusOK, tunnelsdk.ClientRegisterResponse{
-		TunnelURL:       api.WireguardIPToTunnelURL(ip).String(),
+	urlsStr := make([]string, len(urls))
+	for i, u := range urls {
+		urlsStr[i] = u.String()
+	}
+
+	return tunnelsdk.ClientRegisterResponse{
+		Version:         req.Version,
+		TunnelURLs:      urlsStr,
 		ClientIP:        ip,
 		ServerEndpoint:  api.WireguardEndpoint,
 		ServerIP:        api.WireguardServerIP,
 		ServerPublicKey: api.WireguardKey.NoisePublicKey(),
 		WireguardMTU:    api.WireguardMTU,
-	})
+	}, exists, nil
 }
 
 func (api *API) handleTunnelMW(next http.Handler) http.Handler {

tunneld/api_test.go

@@ -2,13 +2,73 @@ package tunneld_test
 
 import (
 	"context"
+	"encoding/hex"
+	"encoding/json"
+	"net/http"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 
+	"github.com/coder/wgtunnel/tunneld"
 	"github.com/coder/wgtunnel/tunnelsdk"
 )
 
+// Test for the compatibility endpoint which allows old tunnels to connect to
+// the new server.
+func Test_postTun(t *testing.T) {
+	t.Parallel()
+
+	td, client := createTestTunneld(t, nil)
+
+	key, err := tunnelsdk.GeneratePrivateKey()
+	require.NoError(t, err)
+
+	expectedIP, expectedURLs := td.WireguardPublicKeyToIPAndURLs(key.NoisePublicKey(), tunnelsdk.TunnelVersion1)
+	require.Len(t, expectedURLs, 2)
+	require.Len(t, strings.Split(expectedURLs[0].Host, ".")[0], 32)
+	expectedHostname := expectedURLs[0].Host
+
+	// First request should return a 201.
+	resp, err := client.Request(context.Background(), http.MethodPost, "/tun", tunneld.LegacyPostTunRequest{
+		PublicKey: key.NoisePublicKey(),
+	})
+	require.NoError(t, err)
+	defer resp.Body.Close()
+	require.Equal(t, http.StatusCreated, resp.StatusCode)
+
+	var legacyRes tunneld.LegacyPostTunResponse
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&legacyRes))
+	require.Equal(t, expectedIP, legacyRes.ClientIP)
+	require.Equal(t, expectedHostname, legacyRes.Hostname)
+
+	// Register on the new endpoint so we can compare the values to the legacy
+	// endpoint.
+	newRes, err := client.ClientRegister(context.Background(), tunnelsdk.ClientRegisterRequest{
+		Version:   tunnelsdk.TunnelVersion1,
+		PublicKey: key.NoisePublicKey(),
+	})
+	require.NoError(t, err)
+	require.Equal(t, tunnelsdk.TunnelVersion1, newRes.Version)
+
+	require.Equal(t, legacyRes.ServerEndpoint, newRes.ServerEndpoint)
+	require.Equal(t, legacyRes.ServerIP, newRes.ServerIP)
+	require.Equal(t, legacyRes.ServerPublicKey, hex.EncodeToString(newRes.ServerPublicKey[:]))
+	require.Equal(t, legacyRes.ClientIP, newRes.ClientIP)
+
+	// Second request should return a 200.
+	resp, err = client.Request(context.Background(), http.MethodPost, "/tun", tunneld.LegacyPostTunRequest{
+		PublicKey: key.NoisePublicKey(),
+	})
+	require.NoError(t, err)
+	defer resp.Body.Close()
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var legacyRes2 tunneld.LegacyPostTunResponse
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&legacyRes2))
+	require.Equal(t, legacyRes, legacyRes2)
+}
+
 func Test_postClients(t *testing.T) {
 	t.Parallel()
 
@@ -17,16 +77,22 @@ func Test_postClients(t *testing.T) {
 	key, err := tunnelsdk.GeneratePrivateKey()
 	require.NoError(t, err)
 
-	expectedIP := td.WireguardPublicKeyToIP(key.NoisePublicKey())
-	expectedURL := td.WireguardIPToTunnelURL(expectedIP)
+	expectedIP, expectedURLs := td.WireguardPublicKeyToIPAndURLs(key.NoisePublicKey(), tunnelsdk.TunnelVersion2)
+
+	expectedURLsStr := make([]string, len(expectedURLs))
+	for i, u := range expectedURLs {
+		expectedURLsStr[i] = u.String()
+	}
 
 	// Register a client.
 	res, err := client.ClientRegister(context.Background(), tunnelsdk.ClientRegisterRequest{
+		// No version should default to 2.
 		PublicKey: key.NoisePublicKey(),
 	})
 	require.NoError(t, err)
 
-	require.Equal(t, expectedURL.String(), res.TunnelURL)
+	require.Equal(t, tunnelsdk.TunnelVersion2, res.Version)
+	require.Equal(t, expectedURLsStr, res.TunnelURLs)
 	require.Equal(t, expectedIP, res.ClientIP)
 	require.Equal(t, td.WireguardEndpoint, res.ServerEndpoint)
 	require.Equal(t, td.WireguardServerIP, res.ServerIP)
@@ -35,8 +101,22 @@ func Test_postClients(t *testing.T) {
 
 	// Register the same client again.
 	res2, err := client.ClientRegister(context.Background(), tunnelsdk.ClientRegisterRequest{
+		Version:   tunnelsdk.TunnelVersion2,
 		PublicKey: key.NoisePublicKey(),
 	})
 	require.NoError(t, err)
 	require.Equal(t, res, res2)
+
+	// Register the same client with the old version.
+	res3, err := client.ClientRegister(context.Background(), tunnelsdk.ClientRegisterRequest{
+		Version:   tunnelsdk.TunnelVersion1,
+		PublicKey: key.NoisePublicKey(),
+	})
+	require.NoError(t, err)
+
+	// Should be equal after reversing the URL list.
+	require.Equal(t, tunnelsdk.TunnelVersion1, res3.Version)
+	res3.TunnelURLs[0], res3.TunnelURLs[1] = res3.TunnelURLs[1], res3.TunnelURLs[0]
+	res3.Version = tunnelsdk.TunnelVersion2
+	require.Equal(t, res, res3)
 }