
Commit a38fadf

Merge branch 'main' into feature/pre-shared-key-for-proxy
2 parents a83bf24 + bbca744 commit a38fadf


15 files changed

+208
-129
lines changed


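--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -409,12 +409,19 @@ jobs:
 run: git --no-pager diff --exit-code
 
 - name: Login to Docker hub
-if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-uses: docker/login-action@v1
+if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USER }}
 password: ${{ secrets.DOCKER_TOKEN }}
 
+- name: docker login for root user
+if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+env:
+DOCKER_USER: ${{ secrets.DOCKER_USER }}
+DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+
 - name: download mysql image
 if: matrix.store == 'mysql'
 run: docker pull mlsmaycon/warmed-mysql:8
@@ -497,15 +504,18 @@ jobs:
 run: git --no-pager diff --exit-code
 
 - name: Login to Docker hub
-if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-uses: docker/login-action@v1
+if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USER }}
 password: ${{ secrets.DOCKER_TOKEN }}
 
-- name: download mysql image
-if: matrix.store == 'mysql'
-run: docker pull mlsmaycon/warmed-mysql:8
+- name: docker login for root user
+if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+env:
+DOCKER_USER: ${{ secrets.DOCKER_USER }}
+DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
 
 - name: Test
 run: |
@@ -586,15 +596,18 @@ jobs:
 run: git --no-pager diff --exit-code
 
 - name: Login to Docker hub
-if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-uses: docker/login-action@v1
+if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USER }}
 password: ${{ secrets.DOCKER_TOKEN }}
 
-- name: download mysql image
-if: matrix.store == 'mysql'
-run: docker pull mlsmaycon/warmed-mysql:8
+- name: docker login for root user
+if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+env:
+DOCKER_USER: ${{ secrets.DOCKER_USER }}
+DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
 
 - name: Test
 run: |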
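Review bot: The new `if:` on "Login to Docker hub" and "docker login for root user" (first hunk, new lines 412 and 419, repeated in the other two hunks) drops the `matrix.store == 'mysql'` gate the old condition had, so every matrix leg now attempts a Docker Hub login rather than only the MySQL one; if that is intended it deserves a comment, otherwise the gate should come back. Because `&&` binds tighter than `||`, the expression is `(pull_request && head.repo && head.repo.full_name == '') || github.repository == head.repo.full_name || !github.head_ref`, and the first clause (a present head repo with an empty full name) is hard to justify by reading it — wrapping the intended grouping in parentheses, as the removed line did, would make the branch/fork intent explicit. The identical condition is pasted six times across three jobs, so one future edit is likely to miss a copy; hoisting it into a single job-level value would keep the jobs in step. In the second and third hunks the "download mysql image" step is deleted rather than kept as in the first hunk — worth confirming that was deliberate. The root-user step keeps the token out of the command line via `env` plus `--password-stdin`, which is the right shape; pinning `docker/login-action@v3` to a full commit SHA would additionally make the upgraded action immutable.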

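--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -434,14 +434,14 @@ func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
 conn.resetEndpoint()
 }
 
+// todo consider to move after the ConfigureWGEndpoint
 conn.wgProxyRelay.Work()
 
 presharedKey := conn.presharedKey(conn.rosenpassRemoteKey)
-if err := conn.endpointUpdater.ConfigureWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
+if err := conn.endpointUpdater.SwitchWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
 conn.Log.Errorf("failed to switch to relay conn: %v", err)
 }
 
-conn.wgProxyRelay.Work()
 conn.currentConnPriority = conntype.Relay
 } else {
 conn.Log.Infof("ICE disconnected, do not switch to Relay. Reset priority to: %s", conntype.None.String())
@@ -503,20 +503,22 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 return
 }
 
-wgProxy.Work()
-presharedKey := conn.presharedKey(rci.rosenpassPubKey)
+controller := isController(conn.config)
 
+if controller {
+wgProxy.Work()
+}
 conn.enableWgWatcherIfNeeded()
-
-if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), presharedKey); err != nil {
+if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), conn.presharedKey(rci.rosenpassPubKey)); err != nil {
 if err := wgProxy.CloseConn(); err != nil {
 conn.Log.Warnf("Failed to close relay connection: %v", err)
 }
 conn.Log.Errorf("Failed to update WireGuard peer configuration: %v", err)
 return
 }
-
-wgConfigWorkaround()
+if !controller {
+wgProxy.Work()
+}
 conn.rosenpassRemoteKey = rci.rosenpassPubKey
 conn.currentConnPriority = conntype.Relay
 conn.statusRelay.SetConnected()
@@ -877,9 +879,3 @@ func isController(config ConnConfig) bool {
 func isRosenpassEnabled(remoteRosenpassPubKey []byte) bool {
 return remoteRosenpassPubKey != nil
 }
-
-// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
-// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
-func wgConfigWorkaround() {
-time.Sleep(100 * time.Millisecond)
-}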
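Review bot: In the second hunk (onRelayConnectionIsReady) the controller now calls `wgProxy.Work()` before `ConfigureWGEndpoint` and the responder only after it, and nothing in the hunk records why the start order depends on the role, so the next cleanup is likely to fold the two `if controller` / `if !controller` branches back together; a comment on the first branch such as `// Work() ordering is role-dependent: controller starts the proxy before the endpoint is configured, responder after — TODO state the reason` would at least mark it as intentional. On the error path the controller's proxy has already been started when `wgProxy.CloseConn()` runs; it is worth confirming that CloseConn also stops whatever `Work()` launched, since this hunk no longer shows that. The first hunk (onICEStateDisconnected) keeps `conn.wgProxyRelay.Work()` before `SwitchWGEndpoint` with a `// todo consider to move after the ConfigureWGEndpoint` above it, which is the opposite question the second hunk just answered for the controller — resolving the todo, or pointing it at the role-based ordering, would avoid two different policies for the same proxy. Both enclosing functions start and end outside their hunks.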

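--- a/client/internal/peer/endpoint.go
+++ b/client/internal/peer/endpoint.go
@@ -34,28 +34,27 @@ func NewEndpointUpdater(log *logrus.Entry, wgConfig WgConfig, initiator bool) *E
 }
 }
 
-// ConfigureWGEndpoint sets up the WireGuard endpoint configuration.
-// The initiator immediately configures the endpoint, while the non-initiator
-// waits for a fallback period before configuring to avoid handshake congestion.
 func (e *EndpointUpdater) ConfigureWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
 e.mu.Lock()
 defer e.mu.Unlock()
 
 if e.initiator {
-e.log.Debugf("configure up WireGuard as initiatr")
-return e.updateWireGuardPeer(addr, presharedKey)
+e.log.Debugf("configure up WireGuard as initiator")
+return e.configureAsInitiator(addr, presharedKey)
 }
 
+e.log.Debugf("configure up WireGuard as responder")
+return e.configureAsResponder(addr, presharedKey)
+}
+
+func (e *EndpointUpdater) SwitchWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
+e.mu.Lock()
+defer e.mu.Unlock()
+
 // prevent to run new update while cancel the previous update
 e.waitForCloseTheDelayedUpdate()
 
-var ctx context.Context
-ctx, e.cancelFunc = context.WithCancel(context.Background())
-e.updateWg.Add(1)
-go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
-
-e.log.Debugf("configure up WireGuard and wait for handshake")
-return e.updateWireGuardPeer(nil, presharedKey)
+return e.updateWireGuardPeer(addr, presharedKey)
 }
 
 func (e *EndpointUpdater) RemoveWgPeer() error {
@@ -67,9 +66,37 @@ func (e *EndpointUpdater) RemoveWgPeer() error {
 }
 
 func (e *EndpointUpdater) RemoveEndpointAddress() error {
+e.mu.Lock()
+defer e.mu.Unlock()
+
+e.waitForCloseTheDelayedUpdate()
 return e.wgConfig.WgInterface.RemoveEndpointAddress(e.wgConfig.RemoteKey)
 }
 
+func (e *EndpointUpdater) configureAsInitiator(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
+if err := e.updateWireGuardPeer(addr, presharedKey); err != nil {
+return err
+}
+return nil
+}
+
+func (e *EndpointUpdater) configureAsResponder(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
+// prevent to run new update while cancel the previous update
+e.waitForCloseTheDelayedUpdate()
+
+e.log.Debugf("configure up WireGuard and wait for handshake")
+var ctx context.Context
+ctx, e.cancelFunc = context.WithCancel(context.Background())
+e.updateWg.Add(1)
+go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
+
+if err := e.updateWireGuardPeer(nil, presharedKey); err != nil {
+e.waitForCloseTheDelayedUpdate()
+return err
+}
+return nil
+}
+
 func (e *EndpointUpdater) waitForCloseTheDelayedUpdate() {
 if e.cancelFunc == nil {
 return
@@ -105,3 +132,9 @@ func (e *EndpointUpdater) updateWireGuardPeer(endpoint *net.UDPAddr, presharedKe
 presharedKey,
 )
 }
+
+// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
+// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
+func wgConfigWorkaround() {
+time.Sleep(100 * time.Millisecond)
+}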
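Review bot: The first hunk deletes the doc comment on exported `ConfigureWGEndpoint` (old lines 37–39) and adds exported `SwitchWGEndpoint` without one, so both now ship undocumented; restoring the three removed lines on ConfigureWGEndpoint and adding `// SwitchWGEndpoint re-points the peer at addr immediately, regardless of the initiator flag, after cancelling any pending delayed update scheduled by ConfigureWGEndpoint.` would state exactly what the new bodies show. `configureAsInitiator` in the second hunk is `if err := …; err != nil { return err }; return nil`, which reduces to `return e.updateWireGuardPeer(addr, presharedKey)`. Both helpers write `e.cancelFunc` and `e.updateWg` without taking `e.mu`, relying on the exported callers holding it; a `// caller must hold e.mu` line on each would make that precondition visible. `wgConfigWorkaround` is moved into this file in the third hunk but no caller appears in any visible hunk; if nothing else in the file calls it, `staticcheck` will report it as unused and it can be dropped rather than relocated.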

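--- a/combined/cmd/root.go
+++ b/combined/cmd/root.go
@@ -488,15 +488,17 @@ func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (*
 mgmtPort, _ := strconv.Atoi(portStr)
 
 mgmtSrv := mgmtServer.NewServer(
-mgmtConfig,
-dnsDomain,
-singleAccModeDomain,
-mgmtPort,
-cfg.Server.MetricsPort,
-mgmt.DisableAnonymousMetrics,
-mgmt.DisableGeoliteUpdate,
-// Always enable user deletion from IDP in combined server (embedded IdP is always enabled)
-true,
+&mgmtServer.Config{
+NbConfig: mgmtConfig,
+DNSDomain: dnsDomain,
+MgmtSingleAccModeDomain: singleAccModeDomain,
+MgmtPort: mgmtPort,
+MgmtMetricsPort: cfg.Server.MetricsPort,
+DisableMetrics: mgmt.DisableAnonymousMetrics,
+DisableGeoliteUpdate: mgmt.DisableGeoliteUpdate,
+// Always enable user deletion from IDP in combined server (embedded IdP is always enabled)
+UserDeleteFromIDPEnabled: true,
+},
 )
 
 return mgmtSrv, nil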
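Review bot: The new `MgmtPort: mgmtPort` field is filled from `mgmtPort, _ := strconv.Atoi(portStr)` on the context line at the top of the hunk, so a malformed port string silently becomes port 0 in the Config the commit now builds; since createManagementServer already returns an error, `mgmtPort, err := strconv.Atoi(portStr)` followed by `if err != nil { return nil, fmt.Errorf("parsing management port %q: %w", portStr, err) }` would surface it (assuming `fmt` is already imported in this file). The keyed struct literal is a clear improvement over the positional argument list, and with the field now named `UserDeleteFromIDPEnabled` the comment above it can shrink to the why, `// embedded IdP is always enabled`. The function starts outside the hunk.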

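--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
 github.com/c-robinson/iplib v1.0.3
 github.com/caddyserver/certmagic v0.21.3
 github.com/cilium/ebpf v0.15.0
-github.com/coder/websocket v1.8.13
+github.com/coder/websocket v1.8.14
 github.com/coreos/go-iptables v0.7.0
 github.com/coreos/go-oidc/v3 v3.14.1
 github.com/creack/pty v1.1.24
@@ -93,10 +93,10 @@ require (
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
 github.com/stretchr/testify v1.11.1
-github.com/testcontainers/testcontainers-go v0.31.0
-github.com/testcontainers/testcontainers-go/modules/mysql v0.31.0
-github.com/testcontainers/testcontainers-go/modules/postgres v0.31.0
-github.com/testcontainers/testcontainers-go/modules/redis v0.31.0
+github.com/testcontainers/testcontainers-go v0.37.0
+github.com/testcontainers/testcontainers-go/modules/mysql v0.37.0
+github.com/testcontainers/testcontainers-go/modules/postgres v0.37.0
+github.com/testcontainers/testcontainers-go/modules/redis v0.37.0
 github.com/things-go/go-socks5 v0.0.4
 github.com/ti-mo/conntrack v0.5.1
 github.com/ti-mo/netfilter v0.5.2
@@ -142,7 +142,6 @@ require (
 github.com/Masterminds/semver/v3 v3.3.0 // indirect
 github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 github.com/Microsoft/go-winio v0.6.2 // indirect
-github.com/Microsoft/hcsshim v0.12.3 // indirect
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 github.com/awnumar/memcall v0.4.0 // indirect
@@ -166,16 +165,16 @@ require (
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/caddyserver/zerossl v0.1.3 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
-github.com/containerd/containerd v1.7.29 // indirect
 github.com/containerd/log v0.1.0 // indirect
 github.com/containerd/platforms v0.2.1 // indirect
 github.com/cpuguy83/dockercfg v0.3.2 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 github.com/distribution/reference v0.6.0 // indirect
-github.com/docker/docker v26.1.5+incompatible // indirect
+github.com/docker/docker v28.0.1+incompatible // indirect
 github.com/docker/go-connections v0.5.0 // indirect
 github.com/docker/go-units v0.5.0 // indirect
+github.com/ebitengine/purego v0.8.2 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/fredbi/uri v1.1.1 // indirect
 github.com/fyne-io/gl-js v0.2.0 // indirect
@@ -221,9 +220,10 @@ require (
 github.com/lib/pq v1.10.9 // indirect
 github.com/libdns/libdns v0.2.2 // indirect
 github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
-github.com/magiconair/properties v1.8.7 // indirect
+github.com/magiconair/properties v1.8.10 // indirect
 github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 github.com/mattn/go-sqlite3 v1.14.32 // indirect
+github.com/mdelapenya/tlscert v0.2.0 // indirect
 github.com/mdlayher/genetlink v1.3.2 // indirect
 github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 github.com/mholt/acmez/v2 v2.0.1 // indirect
@@ -242,7 +242,7 @@ require (
 github.com/nxadm/tail v1.4.8 // indirect
 github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
-github.com/opencontainers/image-spec v1.1.0 // indirect
+github.com/opencontainers/image-spec v1.1.1 // indirect
 github.com/pion/dtls/v2 v2.2.10 // indirect
 github.com/pion/dtls/v3 v3.0.9 // indirect
 github.com/pion/mdns/v2 v2.0.7 // indirect
@@ -256,6 +256,7 @@ require (
 github.com/prometheus/procfs v0.16.1 // indirect
 github.com/russellhaering/goxmldsig v1.5.0 // indirect
 github.com/rymdport/portal v0.4.2 // indirect
+github.com/shirou/gopsutil/v4 v4.25.1 // indirect
 github.com/shoenig/go-m1cpu v0.1.6 // indirect
 github.com/shopspring/decimal v1.4.0 // indirect
 github.com/spf13/cast v1.7.0 // indirect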
