Merge branch 'tunnel_token_file' of github.com:Cyb3r-Jak3/cloudflared…

… into tunnel_token_file

.github/workflows/semgrep.yml

@@ -0,0 +1,24 @@
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push: 
+    branches:
+      - main
+      - master
+  schedule:
+    - cron: '0 0 * * *'
+name: Semgrep config
+jobs:
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-latest
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+      SEMGREP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
+    container:
+      image: semgrep/semgrep
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep ci

.gitignore

@@ -17,3 +17,4 @@ cscope.*
 ssh_server_tests/.env
 /.cover
 built_artifacts/
+component-tests/.venv

.teamcity/install-cloudflare-go.sh

@@ -3,6 +3,6 @@
 cd /tmp
 git clone -q https://github.com/cloudflare/go
 cd go/src
-# https://github.com/cloudflare/go/tree/ec0a014545f180b0c74dfd687698657a9e86e310 is version go1.22.2-devel-cf
-git checkout -q ec0a014545f180b0c74dfd687698657a9e86e310
-./make.bash
+# https://github.com/cloudflare/go/tree/f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38 is version go1.22.5-devel-cf
+git checkout -q f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38
+./make.bash

.teamcity/windows/component-test.ps1

@@ -37,7 +37,7 @@ if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 
 Write-Output "Running component tests"
 
-python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt
+python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
 python component-tests/setup.py --type create
 python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
 if ($LASTEXITCODE -ne 0) {

.teamcity/windows/install-cloudflare-go.ps1

@@ -9,8 +9,8 @@ Set-Location "$Env:Temp"
 git clone -q https://github.com/cloudflare/go
 Write-Output "Building go..."
 cd go/src
-# https://github.com/cloudflare/go/tree/ec0a014545f180b0c74dfd687698657a9e86e310 is version go1.22.2-devel-cf
-git checkout -q ec0a014545f180b0c74dfd687698657a9e86e310
+# https://github.com/cloudflare/go/tree/f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38 is version go1.22.5-devel-cf
+git checkout -q f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38
 & ./make.bat
 
-Write-Output "Installed"
+Write-Output "Installed"

.teamcity/windows/install-go-msi.ps1

@@ -1,6 +1,6 @@
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
-$GoMsiVersion = "go1.22.2.windows-amd64.msi"
+$GoMsiVersion = "go1.22.5.windows-amd64.msi"
 
 Write-Output "Downloading go installer..."
 
@@ -17,4 +17,4 @@ Install-Package "$Env:Temp\$GoMsiVersion" -Force
 # Go installer updates global $PATH
 go env
 
-Write-Output "Installed"
+Write-Output "Installed"

CHANGES.md

@@ -1,3 +1,15 @@
+## 2024.12.2
+### New Features
+- This release introduces the ability to collect troubleshooting information from one instance of cloudflared running on the local machine. The command can be executed as `cloudflared tunnel diag`.
+
+## 2024.12.1
+### Notices
+- The use of the `--metrics` is still honoured meaning that if this flag is set the metrics server will try to bind it, however, this version includes a change that makes the metrics server bind to a port with a semi-deterministic approach. If the metrics flag is not present the server will bind to the first available port of the range 20241 to 20245. In case of all ports being unavailable then the fallback is to bind to a random port.
+
+## 2024.10.0
+### Bug Fixes
+- We fixed a bug related to `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force `cloudflared` to shutdown as soon as either SIGTERM or SIGINT is received.
+
 ## 2024.2.1
 ### Notices
 - Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).

Dockerfile

@@ -1,11 +1,13 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.22.2 as builder
+FROM golang:1.22.5 as builder
 ENV GO111MODULE=on \
     CGO_ENABLED=0 \
     TARGET_GOOS=${TARGET_GOOS} \
-    TARGET_GOARCH=${TARGET_GOARCH}
+    TARGET_GOARCH=${TARGET_GOARCH} \
+    CONTAINER_BUILD=1
+
 
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 

Dockerfile.amd64

@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.22.2 as builder
+FROM golang:1.22.5 as builder
 ENV GO111MODULE=on \
     CGO_ENABLED=0
 

Dockerfile.arm64

@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.22.2 as builder
+FROM golang:1.22.5 as builder
 ENV GO111MODULE=on \
     CGO_ENABLED=0
 

Makefile

@@ -30,6 +30,10 @@ ifdef PACKAGE_MANAGER
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
 endif
 
+ifdef CONTAINER_BUILD 
+	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/metrics.Runtime=virtual"
+endif
+
 LINK_FLAGS :=
 ifeq ($(FIPS), true)
 	LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
@@ -165,9 +169,17 @@ cover:
 	# Generate the HTML report that can be viewed from the browser in CI.
 	$Q go tool cover -html ".cover/c.out" -o .cover/all.html
 
-.PHONY: test-ssh-server
-test-ssh-server:
-	docker-compose -f ssh_server_tests/docker-compose.yml up
+.PHONY: fuzz
+fuzz:
+	@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
+	@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
+	@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzSessionServe -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing
+	@go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation
 
 .PHONY: install-go
 install-go:

README.md

@@ -49,7 +49,7 @@ Once installed, you can authenticate `cloudflared` into your Cloudflare account
 
 ## TryCloudflare
 
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/).
 
 ## Deprecated versions
 

RELEASE_NOTES

@@ -1,3 +1,85 @@
+2024.12.1
+- 2024-12-10 TUN-8795: update createrepo to createrepo_c to fix the release_pkgs.py script
+
+2024.12.0
+- 2024-12-09 TUN-8640: Add ICMP support for datagram V3
+- 2024-12-09 TUN-8789: make python package installation consistent
+- 2024-12-06 TUN-8781: Add Trixie, drop Buster. Default to Bookworm
+- 2024-12-05 TUN-8775: Make sure the session Close can only be called once
+- 2024-12-04 TUN-8725: implement diagnostic procedure
+- 2024-12-04 TUN-8767: include raw output from network collector in diagnostic zipfile
+- 2024-12-04 TUN-8770: add cli configuration and tunnel configuration to diagnostic zipfile
+- 2024-12-04 TUN-8768: add job report to diagnostic zipfile
+- 2024-12-03 TUN-8726: implement compression routine to be used in diagnostic procedure
+- 2024-12-03 TUN-8732: implement port selection algorithm
+- 2024-12-03 TUN-8762: fix argument order when invoking tracert and modify network info output parsing.
+- 2024-12-03 TUN-8769: fix k8s log collector arguments
+- 2024-12-03 TUN-8727: extend client to include function to get cli configuration and tunnel configuration
+- 2024-11-29 TUN-8729: implement network collection for diagnostic procedure
+- 2024-11-29 TUN-8727: implement metrics, runtime, system, and tunnelstate in diagnostic http client
+- 2024-11-27 TUN-8733: add log collection for docker
+- 2024-11-27 TUN-8734: add log collection for kubernetes
+- 2024-11-27 TUN-8640: Refactor ICMPRouter to support new ICMPResponders
+- 2024-11-26 TUN-8735: add managed/local log collection
+- 2024-11-25 TUN-8728: implement diag/tunnel endpoint
+- 2024-11-25 TUN-8730: implement diag/configuration
+- 2024-11-22 TUN-8737: update metrics server port selection
+- 2024-11-22 TUN-8731: Implement diag/system endpoint
+- 2024-11-21 TUN-8748: Migrated datagram V3 flows to use migrated context
+
+2024.11.1
+- 2024-11-18 Add cloudflared tunnel ready command
+- 2024-11-14 Make metrics a requirement for tunnel ready command
+- 2024-11-12 TUN-8701:  Simplify flow registration logs for datagram v3
+- 2024-11-11 add: new go-fuzz targets
+- 2024-11-07 TUN-8701: Add metrics and adjust logs for datagram v3
+- 2024-11-06 TUN-8709: Add session migration for datagram v3
+- 2024-11-04 Fixed 404 in README.md to TryCloudflare
+- 2024-09-24 Update semgrep.yml
+
+2024.11.0
+- 2024-11-05 VULN-66059: remove ssh server tests
+- 2024-11-04 TUN-8700: Add datagram v3 muxer
+- 2024-11-04 TUN-8646: Allow experimental feature support for datagram v3
+- 2024-11-04 TUN-8641: Expose methods to simplify V3 Datagram parsing on the edge
+- 2024-10-31 TUN-8708: Bump python min version to 3.10
+- 2024-10-31 TUN-8667: Add datagram v3 session manager
+- 2024-10-25 TUN-8692: remove dashes from session id
+- 2024-10-24 TUN-8694: Rework release script
+- 2024-10-24 TUN-8661: Refactor connection methods to support future different datagram muxing methods
+- 2024-07-22 TUN-8553: Bump go to 1.22.5 and go-boring 1.22.5-1
+
+2024.10.1
+- 2024-10-23 TUN-8694: Fix github release script
+- 2024-10-21 Revert "TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport"
+- 2024-10-18 TUN-8688: Correct UDP bind for IPv6 edge connectivity on macOS
+- 2024-10-17 TUN-8685: Bump coredns dependency
+- 2024-10-16 TUN-8638: Add datagram v3 serializers and deserializers
+- 2024-10-15 chore: Remove h2mux code
+- 2024-10-11 TUN-8631: Abort release on version mismatch
+
+2024.10.0
+- 2024-10-01 TUN-8646: Add datagram v3 support feature flag
+- 2024-09-30 TUN-8621: Fix cloudflared version in change notes to account for release date
+- 2024-09-19 Adding semgrep yaml file
+- 2024-09-12 TUN-8632: Delay checking auto-update by the provided frequency
+- 2024-09-11 TUN-8630: Check checksum of downloaded binary to compare to current for auto-updating
+- 2024-09-09 TUN-8629: Cloudflared update on Windows requires running it twice to update
+- 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
+- 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
+- 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
+- 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
+
+2024.9.1
+- 2024-09-10 Revert Release 2024.9.0
+
+2024.9.0
+- 2024-09-10 TUN-8621: Fix cloudflared version in change notes.
+- 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
+- 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
+- 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
+- 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
+
 2024.8.3
 - 2024-08-15 TUN-8591 login command without extra text
 - 2024-03-25 remove code that will not be executed