feat(cli): add p2p diagnostics to ping

ethanndickson · ethanndickson · commit 62ef172d0549 · 2024-08-26T11:28:40.000Z
diff --git a/agent/api.go b/agent/api.go
@@ -37,6 +37,7 @@ func (a *agent) apiHandler() http.Handler {
 	}
 	promHandler := PrometheusMetricsHandler(a.prometheusRegistry, a.logger)
 	r.Get("/api/v0/listening-ports", lp.handler)
+	r.Get("/api/v0/netcheck", a.HandleNetCheck)
 	r.Get("/debug/logs", a.HandleHTTPDebugLogs)
 	r.Get("/debug/magicsock", a.HandleHTTPDebugMagicsock)
 	r.Get("/debug/magicsock/debug-logging/{state}", a.HandleHTTPMagicsockDebugLoggingState)
diff --git a/agent/health.go b/agent/health.go
@@ -0,0 +1,20 @@
+package agent
+
+import (
+	"net/http"
+
+	"github.com/coder/coder/v2/coderd/healthcheck/health"
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/codersdk/healthsdk"
+)
+
+func (a *agent) HandleNetCheck(rw http.ResponseWriter, r *http.Request) {
+	ni := a.TailnetConn().GetNetInfo()
+
+	httpapi.Write(r.Context(), rw, http.StatusOK, healthsdk.AgentNetcheckReport{
+		BaseReport: healthsdk.BaseReport{
+			Severity: health.SeverityOK,
+		},
+		NetInfo: ni,
+	})
+}
diff --git a/cli/cliui/agent.go b/cli/cliui/agent.go
@@ -10,8 +10,11 @@ import (
 
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
+	"tailscale.com/tailcfg"
 
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/codersdk/healthsdk"
+	"github.com/coder/coder/v2/codersdk/workspacesdk"
 	"github.com/coder/coder/v2/tailnet"
 )
 
@@ -346,3 +349,42 @@ func PeerDiagnostics(w io.Writer, d tailnet.PeerDiagnostics) {
 		_, _ = fmt.Fprint(w, "✘ Wireguard is not connected\n")
 	}
 }
+
+type ConnDiags struct {
+	Info               *workspacesdk.AgentConnectionInfo
+	PingP2P            bool
+	LocalNetInfo       *tailcfg.NetInfo
+	FetchAgentNetcheck func() (healthsdk.AgentNetcheckReport, error)
+	// TODO: More diagnostics
+}
+
+func ConnDiagnostics(w io.Writer, d ConnDiags) {
+	if d.PingP2P {
+		_, _ = fmt.Fprint(w, "✔ You are connected directly, peer-to-peer (p2p).\n")
+		return
+	}
+	_, _ = fmt.Fprint(w, "❗ You are connected via a DERP relay, not directly, peer-to-peer (p2p).\n")
+
+	if d.Info != nil && d.Info.DisableDirectConnections {
+		_, _ = fmt.Fprint(w, "❗ Your Coder administrator has blocked direct connections.\n")
+		return
+	}
+
+	if d.Info != nil && d.Info.DERPMap != nil && !d.Info.DERPMap.HasSTUN() {
+		_, _ = fmt.Fprint(w, "✘ The workspace agent appears to be unable to reach any STUN servers.\nhttps://coder.com/docs/networking/stun")
+	}
+
+	if d.LocalNetInfo != nil && d.LocalNetInfo.MappingVariesByDestIP.EqualBool(true) {
+		_, _ = fmt.Fprint(w, "❗ Client is potentially behind a hard NAT, as multiple endpoints were retrieved from different STUN servers.\n")
+	}
+
+	agentReport, err := d.FetchAgentNetcheck()
+	if err != nil {
+		_, _ = fmt.Fprintf(w, "Failed to retrieve netcheck report from agent: %v\n", err)
+		return
+	}
+
+	if agentReport.NetInfo != nil && agentReport.NetInfo.MappingVariesByDestIP.EqualBool(true) {
+		_, _ = fmt.Fprint(w, "❗ Agent is potentially behind a hard NAT, as multiple endpoints were retrieved from different STUN servers.\n")
+	}
+}
diff --git a/cli/cliui/agent_test.go b/cli/cliui/agent_test.go
@@ -22,6 +22,8 @@ import (
 	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/codersdk/healthsdk"
+	"github.com/coder/coder/v2/codersdk/workspacesdk"
 	"github.com/coder/coder/v2/tailnet"
 	"github.com/coder/coder/v2/testutil"
 	"github.com/coder/serpent"
@@ -672,3 +674,117 @@ func TestPeerDiagnostics(t *testing.T) {
 		})
 	}
 }
+
+func TestConnDiagnostics(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		name  string
+		diags cliui.ConnDiags
+		want  []*regexp.Regexp
+	}{
+		{
+			name: "Direct",
+			diags: cliui.ConnDiags{
+				Info:         &workspacesdk.AgentConnectionInfo{},
+				PingP2P:      true,
+				LocalNetInfo: &tailcfg.NetInfo{},
+				FetchAgentNetcheck: func() (healthsdk.AgentNetcheckReport, error) {
+					return healthsdk.AgentNetcheckReport{}, nil
+				},
+			},
+			want: []*regexp.Regexp{
+				regexp.MustCompile(`^✔ You are connected directly, peer-to-peer \(p2p\).$`),
+			},
+		},
+		{
+			name: "DirectBlocked",
+			diags: cliui.ConnDiags{
+				Info: &workspacesdk.AgentConnectionInfo{
+					DisableDirectConnections: true,
+				},
+				FetchAgentNetcheck: func() (healthsdk.AgentNetcheckReport, error) {
+					return healthsdk.AgentNetcheckReport{}, nil
+				},
+			},
+			want: []*regexp.Regexp{
+				regexp.MustCompile(`^❗ You are connected via a DERP relay, not directly, peer-to-peer \(p2p\).$`),
+				regexp.MustCompile(`^❗ Your Coder administrator has blocked direct connections.$`),
+			},
+		},
+		{
+			name: "NoStun",
+			diags: cliui.ConnDiags{
+				Info: &workspacesdk.AgentConnectionInfo{
+					DERPMap: &tailcfg.DERPMap{},
+				},
+				LocalNetInfo: &tailcfg.NetInfo{},
+				FetchAgentNetcheck: func() (healthsdk.AgentNetcheckReport, error) {
+					return healthsdk.AgentNetcheckReport{}, nil
+				},
+			},
+			want: []*regexp.Regexp{
+				regexp.MustCompile(`^❗ You are connected via a DERP relay, not directly, peer-to-peer \(p2p\).$`),
+				regexp.MustCompile(`^✘ The workspace agent appears to be unable to reach any STUN servers.$`),
+			},
+		},
+		{
+			name: "ClientHardNat",
+			diags: cliui.ConnDiags{
+				LocalNetInfo: &tailcfg.NetInfo{
+					MappingVariesByDestIP: "true",
+				},
+				FetchAgentNetcheck: func() (healthsdk.AgentNetcheckReport, error) {
+					return healthsdk.AgentNetcheckReport{}, nil
+				},
+			},
+			want: []*regexp.Regexp{
+				regexp.MustCompile(`^❗ You are connected via a DERP relay, not directly, peer-to-peer \(p2p\).$`),
+				regexp.MustCompile(`^❗ Client is potentially behind a hard NAT, as multiple endpoints were retrieved from different STUN servers.`),
+			},
+		},
+		{
+			name: "AgentHardNat",
+			diags: cliui.ConnDiags{
+				Info:         &workspacesdk.AgentConnectionInfo{},
+				PingP2P:      false,
+				LocalNetInfo: &tailcfg.NetInfo{},
+				FetchAgentNetcheck: func() (healthsdk.AgentNetcheckReport, error) {
+					return healthsdk.AgentNetcheckReport{
+						NetInfo: &tailcfg.NetInfo{MappingVariesByDestIP: "true"},
+					}, nil
+				},
+			},
+			want: []*regexp.Regexp{
+				regexp.MustCompile(`^❗ You are connected via a DERP relay, not directly, peer-to-peer \(p2p\).$`),
+				regexp.MustCompile(`^❗ Agent is potentially behind a hard NAT, as multiple endpoints were retrieved from different STUN servers.`),
+			},
+		},
+	}
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			r, w := io.Pipe()
+			go func() {
+				defer w.Close()
+				cliui.ConnDiagnostics(w, tc.diags)
+			}()
+			s := bufio.NewScanner(r)
+			i := 0
+			got := make([]string, 0)
+			for s.Scan() {
+				got = append(got, s.Text())
+				if i < len(tc.want) {
+					reg := tc.want[i]
+					if reg.Match(s.Bytes()) {
+						i++
+					}
+				}
+			}
+			if i < len(tc.want) {
+				t.Logf("failed to match regexp: %s\ngot:\n%s", tc.want[i].String(), strings.Join(got, "\n"))
+				t.FailNow()
+			}
+		})
+	}
+}
diff --git a/cli/ping.go b/cli/ping.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/codersdk/healthsdk"
 	"github.com/coder/coder/v2/codersdk/workspacesdk"
 	"github.com/coder/serpent"
 )
@@ -140,6 +141,18 @@ func (r *RootCmd) ping() *serpent.Command {
 				if n == int(pingNum) {
 					diags := conn.GetPeerDiagnostics()
 					cliui.PeerDiagnostics(inv.Stdout, diags)
+
+					connDiags := cliui.ConnDiags{
+						PingP2P: didP2p,
+						FetchAgentNetcheck: func() (healthsdk.AgentNetcheckReport, error) {
+							return conn.NetCheck(ctx)
+						},
+					}
+					connInfo, err := workspacesdk.New(client).AgentConnectionInfoGeneric(ctx)
+					if err == nil {
+						connDiags.Info = &connInfo
+					}
+					cliui.ConnDiagnostics(inv.Stdout, connDiags)
 					return nil
 				}
 			}
diff --git a/codersdk/healthsdk/healthsdk.go b/codersdk/healthsdk/healthsdk.go
@@ -273,3 +273,9 @@ type ClientNetcheckReport struct {
 	DERP       DERPHealthReport `json:"derp"`
 	Interfaces InterfacesReport `json:"interfaces"`
 }
+
+// @typescript-ignore AgentNetcheckReport
+type AgentNetcheckReport struct {
+	BaseReport
+	NetInfo *tailcfg.NetInfo `json:"net_info"`
+}
diff --git a/codersdk/workspacesdk/agentconn.go b/codersdk/workspacesdk/agentconn.go
@@ -22,6 +22,7 @@ import (
 
 	"github.com/coder/coder/v2/coderd/tracing"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/codersdk/healthsdk"
 	"github.com/coder/coder/v2/tailnet"
 )
 
@@ -241,6 +242,23 @@ func (c *AgentConn) ListeningPorts(ctx context.Context) (codersdk.WorkspaceAgent
 	return resp, json.NewDecoder(res.Body).Decode(&resp)
 }
 
+// NetCheck returns a network check report from the workspace agent.
+func (c *AgentConn) NetCheck(ctx context.Context) (healthsdk.AgentNetcheckReport, error) {
+	ctx, span := tracing.StartSpan(ctx)
+	defer span.End()
+	res, err := c.apiRequest(ctx, http.MethodGet, "/api/v0/netcheck", nil)
+	if err != nil {
+		return healthsdk.AgentNetcheckReport{}, xerrors.Errorf("do request: %w", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		return healthsdk.AgentNetcheckReport{}, codersdk.ReadBodyAsError(res)
+	}
+
+	var resp healthsdk.AgentNetcheckReport
+	return resp, json.NewDecoder(res.Body).Decode(&resp)
+}
+
 // DebugMagicsock makes a request to the workspace agent's magicsock debug endpoint.
 func (c *AgentConn) DebugMagicsock(ctx context.Context) ([]byte, error) {
 	ctx, span := tracing.StartSpan(ctx)
diff --git a/tailnet/conn.go b/tailnet/conn.go
@@ -294,6 +294,9 @@ func NewConn(options *Options) (conn *Conn, err error) {
 	}()
 	if server.telemetryStore != nil {
 		server.wireguardEngine.SetNetInfoCallback(func(ni *tailcfg.NetInfo) {
+			server.mutex.Lock()
+			defer server.mutex.Unlock()
+			server.lastNetInfo = ni.Clone()
 			server.telemetryStore.setNetInfo(ni)
 			nodeUp.setNetInfo(ni)
 			server.telemetryStore.pingPeer(server)
@@ -304,7 +307,12 @@ func NewConn(options *Options) (conn *Conn, err error) {
 		})
 		go server.watchConnChange()
 	} else {
-		server.wireguardEngine.SetNetInfoCallback(nodeUp.setNetInfo)
+		server.wireguardEngine.SetNetInfoCallback(func(ni *tailcfg.NetInfo) {
+			server.mutex.Lock()
+			defer server.mutex.Unlock()
+			server.lastNetInfo = ni.Clone()
+			nodeUp.setNetInfo(ni)
+		})
 	}
 	server.wireguardEngine.SetStatusCallback(nodeUp.setStatus)
 	server.magicConn.SetDERPForcedWebsocketCallback(nodeUp.setDERPForcedWebsocket)
@@ -373,6 +381,13 @@ type Conn struct {
 	watchCancel func()
 
 	trafficStats *connstats.Statistics
+	lastNetInfo  *tailcfg.NetInfo
+}
+
+func (c *Conn) GetNetInfo() *tailcfg.NetInfo {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+	return c.lastNetInfo.Clone()
 }
 
 func (c *Conn) SetTunnelDestination(id uuid.UUID) {

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ func (a *agent) apiHandler() http.Handler {`
`37`	`37`	`}`
`38`	`38`	`promHandler := PrometheusMetricsHandler(a.prometheusRegistry, a.logger)`
`39`	`39`	`r.Get("/api/v0/listening-ports", lp.handler)`
	`40`	`+ r.Get("/api/v0/netcheck", a.HandleNetCheck)`
`40`	`41`	`r.Get("/debug/logs", a.HandleHTTPDebugLogs)`
`41`	`42`	`r.Get("/debug/magicsock", a.HandleHTTPDebugMagicsock)`
`42`	`43`	`r.Get("/debug/magicsock/debug-logging/{state}", a.HandleHTTPMagicsockDebugLoggingState)`