zedcloud

package
v0.0.0-...-10c5b9e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 3, 2025 License: Apache-2.0 Imports: 51 Imported by: 0

Documentation

Overview

Package httpproxy provides support for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function.

The API is not subject to the Go 1 compatibility promise and may change at any time. package httpproxy

Index

Constants

View Source 
const ContentTypeProto = "application/x-proto-binary"

ContentTypeProto : binary-encoded Protobuf content type

View Source 
const MaxWaitForRequests = 4 * time.Minute

MaxWaitForRequests : upper limit of time to send requests independent of how many management interfaces and source IP addresses we try

Variables

This section is empty.

Functions

func AddAuthentication 

func AddAuthentication(ctx *ZedCloudContext, b *bytes.Buffer, useOnboard bool) (*bytes.Buffer, error)

AddAuthentication adds an AuthContainer and signs it

func ClearCloudCert 

func ClearCloudCert(ctx *ZedCloudContext)

ClearCloudCert - zero out cached cloud certs in client zedcloudCtx

func ComputeSha 

func ComputeSha(data []byte) []byte

ComputeSha - Compute sha256 on data

func GetClientCert 

func GetClientCert() (tls.Certificate, error)

GetClientCert prepares tls.Certificate to connect to the cloud Controller

func GetContextForAllIntfFunctions 

func GetContextForAllIntfFunctions(ctx *ZedCloudContext) (context.Context, context.CancelFunc)

GetContextForAllIntfFunctions returns context with timeout to use with AllIntf functions it uses 3 times of defined NetworkSendTimeout and limits max wait up to MaxWaitForRequests

func GetTlsConfig 

func GetTlsConfig(dns *types.DeviceNetworkStatus, clientCert *tls.Certificate, ctx *ZedCloudContext) (*tls.Config, error)

GetTlsConfig creates and returns a TlsConfig based on current root CA certificates If a clientCert is specified it overrides the device*Name files. XXX why would ctx be nil??

func InitializeCertDir 

func InitializeCertDir(log *base.LogObject) error

InitializeCertDir is called by zedbox to make sure we have the initial files in /persist/certs from /config/ under a sha-based name. Also, the currently used base file is indicated by the content of /persist/certs/v2tlsbaseroot-certificates.sha256. This is to prepare for a future feature where the controller can update the base file. Note that programmatically we add any proxy certificates to the list of roots we trust separately from the file content.

func IntfLookupProxyCfg 

func IntfLookupProxyCfg(log *base.LogObject, status *types.DeviceNetworkStatus, ifname, downloadURL string,
	trType zedUpload.SyncTransportType) string

IntfLookupProxyCfg - check if the intf has proxy configured

func LoadSavedServerSigningCert 

func LoadSavedServerSigningCert(ctx *ZedCloudContext) error

LoadSavedServerSigningCert loads server (i.e. controller) signing certificate stored in the file into the zedcloud context.

func LoadServerSigningCert 

func LoadServerSigningCert(ctx *ZedCloudContext, certByte []byte) error

LoadServerSigningCert loads server (i.e. controller) signing certificate from bytes and into the zedcloud context.

func LookupProxy 

func LookupProxy(log *base.LogObject, status *types.DeviceNetworkStatus, ifname string,
	rawUrl string) (*url.URL, error)

func RSCombinedBytes 

func RSCombinedBytes(ctx *ZedCloudContext, rBytes, sBytes []byte, pubKey *ecdsa.PublicKey) ([]byte, error)

RSCombinedBytes - combine r & s into fixed length bytes

func RemoveAndVerifyAuthContainer 

func RemoveAndVerifyAuthContainer(ctx *ZedCloudContext,
	sendRV *SendRetval, skipVerify bool) error

RemoveAndVerifyAuthContainer is used to check that a correct authentication is present when expected. Modifies SendRetval received from SendOnAllIntf or SendOnIntf:

  • SendRetval.RespContent is unwrapped to contain the content of the AuthContainer
  • SendRetval.Status is potentially updated to reflect the result of auth verification

If skipVerify we remove the envelope but do not verify the signature.

func SaveServerSigningCert 

func SaveServerSigningCert(ctx *ZedCloudContext, certByte []byte) error

SaveServerSigningCert saves server (i.e. controller) signing certificate into the persist partition.

func SendLocal 

func SendLocal(ctx *ZedCloudContext, destURL string, intf string, ipSrc net.IP,
	reqlen int64, b *bytes.Buffer, reqContentType string) (*http.Response, []byte, error)

SendLocal uses local routes to request the data

func SendLocalProto 

func SendLocalProto(ctx *ZedCloudContext, destURL string, intf string, ipSrc net.IP,
	req proto.Message, resp proto.Message) (*http.Response, error)

SendLocalProto is a variant of SendLocal which sends and receives proto messages.

func URLPathString 

func URLPathString(server string, isV2api bool, devUUID uuid.UUID, action string) string

URLPathString - generate url for either v1 or v1 API path

func UpdateTLSConfig 

func UpdateTLSConfig(zedcloudCtx *ZedCloudContext, clientCert *tls.Certificate) error

UpdateTLSConfig sets the TlsConfig based on current root CA certificates If a clientCert is specified it overrides the device*Name files.

func UpdateTLSProxyCerts 

func UpdateTLSProxyCerts(ctx *ZedCloudContext) bool

UpdateTLSProxyCerts - Update when DeviceNetworkStatus changes

func UseV2API 

func UseV2API() bool

UseV2API - check the controller cert file and use V2 api if it exist by default it is running V2, unless /config/Force-API-V1 file exists

func ValidateProtoContentType 

func ValidateProtoContentType(url string, r *http.Response) error

ValidateProtoContentType checks content-type of what is supposed to be binary encoded proto message.

func VerifyAuthContainer 

func VerifyAuthContainer(ctx *ZedCloudContext, sm *zauth.AuthContainer) (types.SenderStatus, error)

VerifyAuthContainer verifies the integrity of the payload inside AuthContainer.

func VerifyAuthContainerHeader 

func VerifyAuthContainerHeader(ctx *ZedCloudContext, sm *zauth.AuthContainer) (
	types.SenderStatus, error)

VerifyAuthContainerHeader verifies correctness of algorithm fields in header

func VerifyProtoSigningCertChain 

func VerifyProtoSigningCertChain(log *base.LogObject, content []byte) ([]byte, error)

VerifyProtoSigningCertChain - unmarshal and verify the content of ZControllerCert received from the controller. The function combines the unmarshalling of ZControllerCert with VerifySigningCertChain(). Returns content of the signing certificate and the verification error/nil value.

func VerifySigningCertChain 

func VerifySigningCertChain(log *base.LogObject, certs []*zcert.ZCert) ([]byte, error)

VerifySigningCertChain - verify signing certificate chain from controller Returns content of the signing certificate and the verification error/nil value.

Types

type AgentMetrics 

type AgentMetrics struct {
	sync.Mutex
	// contains filtered or unexported fields
}

AgentMetrics stores zedcloud related metrics for one agent (microservice). Able to properly handle concurrent access.

func NewAgentMetrics 

func NewAgentMetrics() *AgentMetrics

NewAgentMetrics creates instance of AgentMetrics.

func (*AgentMetrics) AddInto 

func (am *AgentMetrics) AddInto(log *base.LogObject, toMap types.MetricsMap)

AddInto adds metrics from this instance of AgentMetrics into the metrics map referenced by toMap.

func (*AgentMetrics) GetURLsWithSubstr 

func (am *AgentMetrics) GetURLsWithSubstr(log *base.LogObject, substr string) (set []string)

GetURLsWithSubstr returns URLs containing the given substring.

func (*AgentMetrics) Publish 

func (am *AgentMetrics) Publish(log *base.LogObject, publication pubsub.Publication, key string) error

Publish the recorded metrics through the given publisher.

func (*AgentMetrics) RecordFailure 

func (am *AgentMetrics) RecordFailure(log *base.LogObject, ifname, url string, reqLen, respLen int64, authenFail bool)

RecordFailure records failed zedcloud API request.

func (*AgentMetrics) RecordSuccess 

func (am *AgentMetrics) RecordSuccess(log *base.LogObject, ifname, url string, reqLen, respLen, timeSpent int64, resume bool)

RecordSuccess records successful zedcloud API request.

func (*AgentMetrics) RemoveURLMetrics 

func (am *AgentMetrics) RemoveURLMetrics(log *base.LogObject, url string)

RemoveURLMetrics removes all metrics recorded for the given URL.

type Config 

type Config struct {
	// HTTPProxy represents the value of the HTTP_PROXY or
	// http_proxy environment variable. It will be used as the proxy
	// URL for HTTP requests and HTTPS requests unless overridden by
	// HTTPSProxy or NoProxy.
	HTTPProxy string

	// HTTPSProxy represents the HTTPS_PROXY or https_proxy
	// environment variable. It will be used as the proxy URL for
	// HTTPS requests unless overridden by NoProxy.
	HTTPSProxy string

	// NoProxy represents the NO_PROXY or no_proxy environment
	// variable. It specifies a string that contains comma-separated values
	// specifying hosts that should be excluded from proxying. Each value is
	// represented by an IP address prefix (1.2.3.4), an IP address prefix in
	// CIDR notation (1.2.3.4/8), a domain name, or a special DNS label (*).
	// An IP address prefix and domain name can also include a literal port
	// number (1.2.3.4:80).
	// A domain name matches that name and all subdomains. A domain name with
	// a leading "." matches subdomains only. For example "foo.com" matches
	// "foo.com" and "bar.foo.com"; ".y.com" matches "x.y.com" but not "y.com".
	// A single asterisk (*) indicates that no proxying should be done.
	// A best effort is made to parse the string and errors are
	// ignored.
	NoProxy string

	// CGI holds whether the current process is running
	// as a CGI handler (FromEnvironment infers this from the
	// presence of a REQUEST_METHOD environment variable).
	// When this is set, ProxyForURL will return an error
	// when HTTPProxy applies, because a client could be
	// setting HTTP_PROXY maliciously. See https://golang.org/s/cgihttpproxy.
	CGI bool
}

Config holds configuration for HTTP proxy settings. See FromEnvironment for details.

func (*Config) ProxyFunc 

func (cfg *Config) ProxyFunc() func(reqURL *url.URL) (*url.URL, error)

ProxyFunc returns a function that determines the proxy URL to use for a given request URL. Changing the contents of cfg will not affect proxy functions created earlier.

A nil URL and nil error are returned if no proxy is defined in the environment, or a proxy should not be used for the given request, as defined by NO_PROXY.

As a special case, if req.URL.Host is "localhost" (with or without a port number), then a nil URL and nil error will be returned.

type ContextOptions 

type ContextOptions struct {
	DevNetworkStatus  *types.DeviceNetworkStatus
	TLSConfig         *tls.Config
	AgentMetrics      *AgentMetrics
	SendTimeout       uint32
	DialTimeout       uint32
	Serial            string
	SoftSerial        string
	AgentName         string // XXX replace by NoLogFailures?
	NetTraceOpts      []nettrace.TraceOpt
	ResolverCacheFunc ResolverCacheFunc
}

ContextOptions - options to be passed at NewContext

type DeferredContext 

type DeferredContext struct {
	Ticker flextimer.FlexTickerHandle
	// contains filtered or unexported fields
}

DeferredContext is part of ZedcloudContext

func CreateDeferredCtx 

func CreateDeferredCtx(zedcloudCtx *ZedCloudContext,
	ps *pubsub.PubSub, agentName string, ctxName string,
	warningTime time.Duration, errorTime time.Duration,
	sentHandler *SentHandlerFunction,
	priorityCheckFunctions ...TypePriorityCheckFunction) *DeferredContext

CreateDeferredCtx creates and returns a deferred context We always keep a flextimer running so that we can return the associated channel. We adjust the times when we start and stop the timer. sentHandler is callback which will be run on successful sent priorityCheckFunctions may be added to send item with matched itemType firstly default function at the end of priorityCheckFunctions added to serve non-priority items

func (*DeferredContext) KickTimerNow 

func (ctx *DeferredContext) KickTimerNow()

KickTimerNow kicks the timer for immediate execution

func (*DeferredContext) KickTimerWithinMinute 

func (ctx *DeferredContext) KickTimerWithinMinute()

KickTimerWithinMinute kicks the timer for execution in random time within a minute (reasonable time) to avoid an avalanche of messages once connection being restored to the controller.

func (*DeferredContext) RemoveDeferred 

func (ctx *DeferredContext) RemoveDeferred(key string)

RemoveDeferred removes key from deferred items if exists

func (*DeferredContext) SetDeferred 

func (ctx *DeferredContext) SetDeferred(
	key string, buf *bytes.Buffer, size int64, url string, bailOnHTTPErr,
	withNetTracing, ignoreErr bool, itemType interface{})

SetDeferred sets or replaces any item for the specified key and starts the timer. Key is used for identifying the channel. Please note that for deviceUUID key is used for attestUrl, which is not the same for other Urls, where in other case, the key is very specific for the object. If @ignoreErr is true the queue processing is not stopped on any error and will continue, although all errors will be passed to @sentHandler callback (see the CreateDeferredCtx()).

type ResolverCacheFunc 

type ResolverCacheFunc func(hostname string) []types.CachedIP

ResolverCacheFunc is a callback that the caller may provide to give access to cached resolved IP addresses. SendOnIntf will try to use the cached IPs to avoid unnecessary DNS lookups.

type SendAttempt 

type SendAttempt struct {
	// Non-nil if the attempt failed.
	Err error
	// Name of the interface through which the data were send.
	IfName string
	// Source IP address used by the send operation.
	SourceAddr net.IP
}

SendAttempt - single attempt to send data made by SendOnIntf function.

func (SendAttempt) String 

func (sa SendAttempt) String() string

String describes single Send* attempt.

type SendError 

type SendError struct {
	// A summary error for the failed Send operation.
	Err error
	// Information about individual Send attempts.
	Attempts []SendAttempt
}

SendError - error that may be returned by VerifyAllIntf and SendOn* functions below, summarizing all errors from all the attempts.

func (*SendError) Error 

func (e *SendError) Error() string

Error message.

func (*SendError) Unwrap 

func (e *SendError) Unwrap() error

Unwrap - return wrapped error.

type SendRetval 

type SendRetval struct {
	ReqURL       string // Used by e.g. RemoveAndVerifyAuthContainer().
	Status       types.SenderStatus
	HTTPResp     *http.Response
	RespContents []byte
	TracedReqs   []netdump.TracedNetRequest
}

SendRetval is returned from non-local variants of Send* functions. (from SendOnAllIntf and SendOnIntf).

func SendOnAllIntf 

func SendOnAllIntf(ctxWork context.Context, ctx *ZedCloudContext, url string, reqlen int64,
	b *bytes.Buffer, iteration int, bailOnHTTPErr, withNetTracing bool) (SendRetval, error)

SendOnAllIntf tries all interfaces (free first) until one succeeds. iteration arg ensure load spreading across multiple interfaces. Returns response for first success. Caller can not use SendRetval.HTTPResp.Body but can use SendRetval.RespContents byte slice. If bailOnHTTPErr is set we immediately return when we get a 4xx or 5xx error without trying the other interfaces. XXX also 1010 from CloudFlare? http.StatusForbidden is a special case i.e. even if bailOnHTTPErr is not set we bail out, since caller needs to be notified immediately for triggering any reaction based on this. We return a SendRetval.Status enum for various error cases. The caller is responsible to handle any required AuthContainer by calling RemoveAndVerifyAuthContainer

func SendOnIntf 

func SendOnIntf(workContext context.Context, ctx *ZedCloudContext, destURL string,
	intf string, reqlen int64, b *bytes.Buffer, allowProxy, useOnboard, withNetTracing,
	dryRun bool) (SendRetval, error)

SendOnIntf : Tries all source addresses on interface until one succeeds. Returns response for first success. Caller can not use SendRetval.HTTPResp.Body but can use SendRetval.RespContents contents return. If we get a http response, we return that even if it was an error to allow the caller to look at StatusCode. We return a SendRetval.Status enum for the caller to differentiate various error cases. For example, the controller might be accessible but is overloaded, or has certificate issues. The caller is responsible to handle any required AuthContainer by calling RemoveAndVerifyAuthContainer Enable dryRun to just perform all pre-send interface checks without actually sending any data.

type SentHandlerFunction 

type SentHandlerFunction func(
	itemType interface{}, data *bytes.Buffer, result types.SenderStatus,
	traces []netdump.TracedNetRequest)

SentHandlerFunction allow doing something with data if it was handled result indicates sending result

type TypePriorityCheckFunction 

type TypePriorityCheckFunction func(itemType interface{}) bool

TypePriorityCheckFunction returns true in case of find type with high priority

type VerifyRetval 

type VerifyRetval struct {
	CloudReachable    bool
	RemoteTempFailure bool
	IntfStatusMap     types.IntfStatusMap
	TracedReqs        []netdump.TracedNetRequest
}

VerifyRetval is returned from connectivity verification (VerifyAllIntf).

func VerifyAllIntf 

func VerifyAllIntf(ctx *ZedCloudContext, url string, requiredSuccessCount uint,
	iteration int, withNetTracing bool) (VerifyRetval, error)

VerifyAllIntf : verify the state of connectivity for *all* uplink interfaces. The interfaces are tested in the order of decreasing priority (i.e. increasing cost). Until we find enough working management interfaces (the limit is currently hard-coded to 1 working mgmt interface), every iterated management interface undergoes full end-to-end testing. First we run local checks:

  • Does interface (i.e. link) exist in the kernel?
  • Does interface have a routable IP address?
  • Is there any DNS server associated with the interface?
  • If there is a proxy config, is it valid?
  • If this is a wwan interface, is the modem connected and are there any errors reported by the wwan microservice?
  • etc.

Additionally, for the full interface testing we run an HTTP GET request for the provided URL to test connectivity with a remote endpoint (typically controller). Once we find enough working management interfaces, the remaining interfaces (of lower priority, higher cost) are only verified using the aforementioned local checks. Non-management interfaces (i.e. app-shared) are always tested using local checks only, we never run HTTP requests for these types of interfaces. The idea is to limit the amount or completely avoid generating traffic for interfaces (of potentially higher cost) which are currently not going to be used by EVE for connectivity with the controller. At the same time we want to provide at least some status for all interfaces and avoid publishing old and potentially obsolete interface state data.

We return a bool VerifyRetval.RemoteTempFailure for the cases when we reached the controller but it is overloaded, or has certificate issues. Return Values: VerifyRetval, error

  • If Failure, VerifyRetval.RemoteTempFailure - indicates if it is a remote failure error - indicates details of Errors
  • VerifyRetval.IntfStatusMap - Status for each verified interface. Includes entries for all interfaces that were tested. If an intf is success, Error == "", else - Set to appropriate Error ErrorTime will always be set for the interface.

type WSConnection 

type WSConnection struct {
	// contains filtered or unexported fields
}

WSConnection represents a single websocket connection

type WSTunnelClient 

type WSTunnelClient struct {
	TunnelServerNameAndPort string            // hostname[:port] string representation of remote tunnel server
	Tunnel                  string            // websocket server to connect to (ws[s]://hostname[:port])
	DestURL                 string            // formatted websocket endpoint URL
	LocalRelayServer        string            // local server to send received requests to
	Timeout                 time.Duration     // timeout on websocket
	Connected               bool              // true when we have an active connection to remote server
	Dialer                  *websocket.Dialer // dialer connection initialized & tested for success
	// contains filtered or unexported fields
}

WSTunnelClient represents a persistent tunnel that can cycle through many websockets. The conn field points to the latest websocket, but it's important to realize that there may be goroutines handling older websockets that are not fully closed yet running at any point in time

func InitializeTunnelClient 

func InitializeTunnelClient(log *base.LogObject, serverNameAndPort string, localRelay string) *WSTunnelClient

InitializeTunnelClient returns a websocket tunnel client configured with the requested remote and local servers.

func (*WSTunnelClient) Start 

func (t *WSTunnelClient) Start()

Start triggers workflow to establish the websocket session with remote tunnel server

func (*WSTunnelClient) Stop 

func (t *WSTunnelClient) Stop()

Stop tunnel client

func (*WSTunnelClient) TestConnection 

func (t *WSTunnelClient) TestConnection(devNetStatus *types.DeviceNetworkStatus, proxyURL *url.URL, localAddr net.IP, devUUID uuid.UUID) error

TestConnection validates the configured parameters for correctness and further attempts an actual connection request to confirm if the client can successfully connect to remote backend server.

type ZedCloudContext 

type ZedCloudContext struct {
	DeviceNetworkStatus *types.DeviceNetworkStatus
	// revive:disable-next-line
	TlsConfig          *tls.Config
	FailureFunc        func(log *base.LogObject, intf string, url string, reqLen int64, respLen int64, authFail bool)
	SuccessFunc        func(log *base.LogObject, intf string, url string, reqLen int64, respLen int64, timeSpent int64, resume bool)
	ResolverCacheFunc  ResolverCacheFunc
	NoLedManager       bool // Don't call UpdateLedManagerConfig
	DevUUID            uuid.UUID
	DevSerial          string
	DevSoftSerial      string
	NetworkSendTimeout uint32 // In seconds
	NetworkDialTimeout uint32 // In seconds
	V2API              bool   // XXX Needed?
	AgentName          string // the agent process name
	NetTraceOpts       []nettrace.TraceOpt
	// V2 related items
	PrevCertPEM [][]byte // cached proxy certs for later comparison

	ServerSigningCert *x509.Certificate

	// All controller HTTP requests which can't be dropped and send
	// should be repeated in case of a transmission error are added to
	// this queue.
	DeferredEventCtx *DeferredContext
	// All periodic controller HTTP requests are added to this queue,
	// sending errors of which can be ignored. This means even the
	// request has failed, it will be removed from the queue, so there
	// is no need to `kick` this queue once connectivity has restored.
	DeferredPeriodicCtx *DeferredContext
	// All periodic LOC HTTP requests are added to this queue,
	// sending errors of which can be ignored. This means even the
	// request has failed, it will be removed from the queue, so there
	// is no need to `kick` this queue once connectivity has restored.
	DeferredLOCPeriodicCtx *DeferredContext
	// contains filtered or unexported fields
}

ZedCloudContext is set up by NewContext() below revive:disable-next-line Needs to be fixed in other files as well, which then lets new yetus warnings arise

func NewContext 

func NewContext(log *base.LogObject, opt ContextOptions) ZedCloudContext

NewContext - return initialized cloud context

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.