-
Notifications
You must be signed in to change notification settings - Fork 278
/
listeners.go
276 lines (238 loc) · 8.02 KB
/
listeners.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
package worker
import (
"context"
"crypto/tls"
stderrers "errors"
"fmt"
"log"
"math"
"net"
"net/http"
"os"
"time"
"github.com/hashicorp/boundary/internal/cmd/base"
"github.com/hashicorp/boundary/internal/daemon/common"
"github.com/hashicorp/boundary/internal/daemon/worker/session"
"github.com/hashicorp/boundary/internal/errors"
"github.com/hashicorp/boundary/internal/observability/event"
"github.com/hashicorp/go-multierror"
nodee "github.com/hashicorp/nodeenrollment"
"github.com/hashicorp/nodeenrollment/multihop"
nodeenet "github.com/hashicorp/nodeenrollment/net"
"github.com/hashicorp/nodeenrollment/protocol"
"github.com/hashicorp/nodeenrollment/types"
"github.com/hashicorp/nodeenrollment/util/temperror"
"google.golang.org/grpc"
)
// the function that handles a secondary connection over a provided listener
var handleSecondaryConnection = closeListener
func closeListener(_ context.Context, l net.Listener) error {
if l != nil {
return l.Close()
}
return nil
}
func (w *Worker) startListeners(sm session.Manager) error {
const op = "worker.(Worker).startListeners"
e := event.SysEventer()
if e == nil {
return fmt.Errorf("%s: sys eventer not initialized", op)
}
logger, err := e.StandardLogger(w.baseContext, "worker.listeners: ", event.ErrorType)
if err != nil {
return fmt.Errorf("%s: unable to initialize std logger: %w", op, err)
}
if w.proxyListener == nil {
return fmt.Errorf("%s: nil proxy listener", op)
}
workerServer, err := w.configureForWorker(w.proxyListener, logger, sm)
if err != nil {
return fmt.Errorf("%s: failed to configure for worker: %w", op, err)
}
workerServer()
return nil
}
func (w *Worker) configureForWorker(ln *base.ServerListener, logger *log.Logger, sessionManager session.Manager) (func(), error) {
const op = "worker.configureForWorker"
handler, err := w.handler(HandlerProperties{ListenerConfig: ln.Config}, sessionManager)
if err != nil {
return nil, err
}
cancelCtx := w.baseContext
httpServer := &http.Server{
Handler: handler,
ReadHeaderTimeout: 10 * time.Second,
ReadTimeout: 30 * time.Second,
ErrorLog: logger,
BaseContext: func(net.Listener) context.Context {
return cancelCtx
},
}
ln.HTTPServer = httpServer
if ln.Config.HTTPReadHeaderTimeout > 0 {
httpServer.ReadHeaderTimeout = ln.Config.HTTPReadHeaderTimeout
}
if ln.Config.HTTPReadTimeout > 0 {
httpServer.ReadTimeout = ln.Config.HTTPReadTimeout
}
if ln.Config.HTTPWriteTimeout > 0 {
httpServer.WriteTimeout = ln.Config.HTTPWriteTimeout
}
if ln.Config.HTTPIdleTimeout > 0 {
httpServer.IdleTimeout = ln.Config.HTTPIdleTimeout
}
fetchCredsFn := func(
ctx context.Context,
_ nodee.Storage,
req *types.FetchNodeCredentialsRequest,
_ ...nodee.Option,
) (*types.FetchNodeCredentialsResponse, error) {
client := w.controllerMultihopConn.Load()
if client == nil {
return nil, temperror.New(stderrers.New("error fetching controller connection, client is nil"))
}
multihopClient, ok := client.(multihop.MultihopServiceClient)
if !ok {
return nil, temperror.New(stderrers.New("client could not be understood as a multihop service client"))
}
return multihopClient.FetchNodeCredentials(ctx, req)
}
generateServerCertificatesFn := func(
ctx context.Context,
_ nodee.Storage,
req *types.GenerateServerCertificatesRequest,
_ ...nodee.Option,
) (*types.GenerateServerCertificatesResponse, error) {
client := w.controllerMultihopConn.Load()
if client == nil {
return nil, temperror.New(stderrers.New("error fetching controller connection, client is nil"))
}
multihopClient, ok := client.(multihop.MultihopServiceClient)
if !ok {
return nil, temperror.New(stderrers.New("client could not be understood as a multihop service client"))
}
return multihopClient.GenerateServerCertificates(ctx, req)
}
interceptingListener, err := protocol.NewInterceptingListener(
&protocol.InterceptingListenerConfiguration{
Context: w.baseContext,
Storage: w.WorkerAuthStorage,
BaseListener: ln.ProxyListener,
BaseTlsConfiguration: &tls.Config{
GetConfigForClient: w.getSessionTls(sessionManager),
},
FetchCredsFunc: fetchCredsFn,
GenerateServerCertificatesFunc: generateServerCertificatesFn,
})
if err != nil {
return nil, fmt.Errorf("error instantiating node auth listener: %w", err)
}
// Create split listener
w.workerAuthSplitListener, err = nodeenet.NewSplitListener(interceptingListener)
if err != nil {
return nil, fmt.Errorf("error instantiating split listener: %w", err)
}
// This handles connections coming in that are authenticated via
// nodeenrollment but not with any extra purpose; these are normal PKI
// worker connections
nodeeAuthListener, err := w.workerAuthSplitListener.GetListener(nodeenet.AuthenticatedNonSpecificNextProto)
if err != nil {
return nil, fmt.Errorf("error instantiating worker split listener: %w", err)
}
// Connections that come into here are not authed by nodeenrollment so are
// proxy connections
proxyListener, err := w.workerAuthSplitListener.GetListener(nodeenet.UnauthenticatedNextProto)
if err != nil {
return nil, fmt.Errorf("error instantiating non-worker split listener: %w", err)
}
// Connections coming in here are authed by nodeenrollment and are for the
// reverse grpc purpose
reverseGrpcListener, err := w.workerAuthSplitListener.GetListener(common.ReverseGrpcConnectionAlpnValue)
if err != nil {
return nil, fmt.Errorf("error instantiating non-worker split listener: %w", err)
}
downstreamServer := grpc.NewServer(
grpc.MaxRecvMsgSize(math.MaxInt32),
grpc.MaxSendMsgSize(math.MaxInt32),
)
for _, fn := range workerGrpcServiceRegistrationFunctions {
if err := fn(cancelCtx, w, downstreamServer); err != nil {
return nil, err
}
}
ln.GrpcServer = downstreamServer
eventingListener, err := common.NewEventingListener(cancelCtx, nodeeAuthListener)
if err != nil {
return nil, fmt.Errorf("%s: error creating eventing listener: %w", op, err)
}
return func() {
go w.workerAuthSplitListener.Start()
go httpServer.Serve(proxyListener)
go ln.GrpcServer.Serve(eventingListener)
go handleSecondaryConnection(cancelCtx, reverseGrpcListener)
}, nil
}
func (w *Worker) stopServersAndListeners() error {
var mg multierror.Group
mg.Go(w.stopHttpServer)
mg.Go(w.stopClusterGrpcServer)
stopErrors := mg.Wait()
err := w.stopAnyListeners()
if err != nil {
stopErrors = multierror.Append(stopErrors, err)
}
return stopErrors.ErrorOrNil()
}
func (w *Worker) stopHttpServer() error {
if w.proxyListener == nil {
return nil
}
if w.proxyListener.HTTPServer == nil {
return nil
}
ctx, cancel := context.WithTimeout(w.baseContext, w.proxyListener.Config.MaxRequestDuration)
w.proxyListener.HTTPServer.Shutdown(ctx)
cancel()
return nil
}
func (w *Worker) stopClusterGrpcServer() error {
if w.proxyListener == nil {
return nil
}
if w.proxyListener.GrpcServer == nil {
return nil
}
w.proxyListener.GrpcServer.GracefulStop()
return nil
}
// stopAnyListeners does a final once over the known
// listeners to make sure we didn't miss any;
// expected to run at the end of stopServersAndListeners.
func (w *Worker) stopAnyListeners() error {
if w.proxyListener == nil {
return nil
}
if w.proxyListener.ProxyListener == nil {
return nil
}
return listenerCloseErrorCheck("proxy", w.proxyListener.ProxyListener.Close())
}
// listenerCloseErrorCheck does some validation on an error returned
// by a net.Listener's Close function, and ignores a few cases
// where we don't actually want an error to be returned.
func listenerCloseErrorCheck(lnType string, err error) error {
if errors.Is(err, net.ErrClosed) {
// Ignore net.ErrClosed - The listener was already closed,
// so there's nothing else to do.
return nil
}
if _, ok := err.(*os.PathError); ok && lnType == "unix" {
// The underlying rmListener probably tried to remove
// the file but it didn't exist, ignore the error;
// this is a conflict between rmListener and the
// default Go behavior of removing auto-vivified
// Unix domain sockets.
return nil
}
return err
}