Add Socket::proxyTo() API

samples/tcp-ingress/config.capnp

@@ -0,0 +1,20 @@
+using Workerd = import "/workerd/workerd.capnp";
+
+const tcpIngressExample :Workerd.Config = (
+  services = [
+    (name = "main", worker = .worker),
+  ],
+
+  sockets = [
+    ( name = "http", address = "*:8080", http = (), service = "main" ),
+    ( name = "tcp", address = "*:8081", tcp = (), service = "main" )
+  ]
+);
+
+const worker :Workerd.Worker = (
+  modules = [
+    (name = "worker", esModule = embed "worker.js")
+  ],
+  compatibilityFlags = ["nodejs_compat_v2", "experimental"],
+  compatibilityDate = "2023-02-28",
+);

samples/tcp-ingress/worker.js

@@ -0,0 +1,11 @@
+
+export default {
+  async fetch(req) {
+    return new Response("ok");
+  },
+
+  async connect(socket) {
+    // pipe the input stream to the output
+    await socket.readable.pipeTo(socket.writable);
+  }
+};

src/workerd/api/actor.h

@@ -114,14 +114,15 @@ class DurableObject final: public Fetcher {
 
     JSG_TS_DEFINE(interface DurableObject {
       fetch(request: Request): Response | Promise<Response>;
+      connect?(socket: Socket): void | Promise<void>;
       alarm?(alarmInfo?: AlarmInvocationInfo): void | Promise<void>;
       webSocketMessage?(ws: WebSocket, message: string | ArrayBuffer): void | Promise<void>;
       webSocketClose?(ws: WebSocket, code: number, reason: string, wasClean: boolean): void | Promise<void>;
       webSocketError?(ws: WebSocket, error: unknown): void | Promise<void>;
     });
     JSG_TS_OVERRIDE(
       type DurableObjectStub<T extends Rpc.DurableObjectBranded | undefined = undefined> =
-        Fetcher<T, "alarm" | "webSocketMessage" | "webSocketClose" | "webSocketError">
+        Fetcher<T, "alarm" | "connect" | "webSocketMessage" | "webSocketClose" | "webSocketError">
         & {
           readonly id: DurableObjectId;
           readonly name?: string;

src/workerd/api/global-scope.c++

@@ -86,6 +86,7 @@ jsg::LenientOptional<T> mapAddRef(jsg::Lock& js, jsg::LenientOptional<T>& functi
 ExportedHandler ExportedHandler::clone(jsg::Lock& js) {
   return ExportedHandler{
     .fetch{mapAddRef(js, fetch)},
+    .connect{mapAddRef(js, connect)},
     .tail{mapAddRef(js, tail)},
     .trace{mapAddRef(js, trace)},
     .tailStream{mapAddRef(js, tailStream)},
@@ -118,6 +119,55 @@ void ServiceWorkerGlobalScope::clear() {
   unhandledRejections.clear();
 }
 
+kj::Promise<void> ServiceWorkerGlobalScope::connect(kj::String host,
+    const kj::HttpHeaders& headers,
+    kj::AsyncIoStream& connection,
+    kj::HttpService::ConnectResponse& response,
+    Worker::Lock& lock,
+    kj::Maybe<ExportedHandler&> exportedHandler) {
+  ExportedHandler& eh = JSG_REQUIRE_NONNULL(exportedHandler, Error,
+      "Connect ingress is not currently supported with Service Workers syntax.");
+  KJ_REQUIRE(FeatureFlags::get(lock).getWorkerdExperimental(),
+      "connect handling requires the experimental flag.");
+
+  KJ_IF_SOME(handler, eh.connect) {
+    // Has a connect handler!
+    response.accept(200, "OK", headers);
+
+    // Using neuterable stream to manage lifetime of stream promises
+    auto ownConnection = newNeuterableIoStream(connection);
+
+    auto& ioContext = IoContext::current();
+    jsg::Lock& js = lock;
+
+    auto input = kj::str("fake://", host);
+    auto url = JSG_REQUIRE_NONNULL(
+        jsg::Url::tryParse(input.asPtr()), TypeError, "Specified address could not be parsed.");
+    auto hostName = url.getHostname();
+    auto port = url.getPort();
+    JSG_REQUIRE(hostName != ""_kj, TypeError, "Specified address is missing hostname.");
+    JSG_REQUIRE(port != ""_kj, TypeError, "Specified address is missing port.");
+
+    // TLS support is not implemented so far.
+    auto nullTlsStarter = kj::heap<kj::TlsStarterCallback>();
+    // We set isDefaultFetchPort to false here – sockets.c++ sets it for ports 443 and 8080 to
+    // provide a more descriptive error message for HTTP, but this is not relevant on the TCP server
+    // side.
+    jsg::Ref<Socket> jsSocket = setupSocket(js, kj::mv(ownConnection), kj::mv(host), kj::none,
+        kj::mv(nullTlsStarter), SecureTransportKind::OFF, kj::str(hostName), false, kj::none);
+    // handleProxyStatus() is required to indicate that the socket was opened properly. Since the
+    // connection is already open at this point, exception handling is not required.
+    jsSocket->handleProxyStatus(js, kj::Promise<kj::Maybe<kj::Exception>>(kj::none));
+
+    kj::Maybe<SpanBuilder> span = ioContext.makeTraceSpan("connect_handler"_kjc);
+    auto promise = handler(js, kj::mv(jsSocket), eh.env.addRef(js), eh.getCtx());
+    return ioContext.awaitJs(js, kj::mv(promise)).attach(kj::mv(span));
+  }
+  lock.logWarningOnce("Received a connect event but we lack a handler. "
+                      "Did you remember to export a connect() function?");
+  JSG_FAIL_REQUIRE(Error, "Handler does not export a connect() function.");
+}
+
 kj::Promise<DeferredProxy<void>> ServiceWorkerGlobalScope::request(kj::HttpMethod method,
     kj::StringPtr url,
     const kj::HttpHeaders& headers,

src/workerd/api/global-scope.h

@@ -9,6 +9,7 @@
 #include "http.h"
 #include "messagechannel.h"
 #include "performance.h"
+#include "sockets.h"
 
 #include <workerd/api/hibernation-event-params.h>
 #ifdef WORKERD_FUZZILLI
@@ -350,6 +351,10 @@ struct ExportedHandler {
       jsg::Optional<jsg::Ref<ExecutionContext>> ctx);
   jsg::LenientOptional<jsg::Function<FetchHandler>> fetch;
 
+  using ConnectHandler = jsg::Promise<void>(
+      jsg::Ref<Socket> socket, jsg::Value env, jsg::Optional<jsg::Ref<ExecutionContext>> ctx);
+  jsg::LenientOptional<jsg::Function<ConnectHandler>> connect;
+
   using TailHandler = kj::Promise<void>(kj::Array<jsg::Ref<TraceItem>> events,
       jsg::Value env,
       jsg::Optional<jsg::Ref<ExecutionContext>> ctx);
@@ -389,6 +394,7 @@ struct ExportedHandler {
   jsg::SelfRef self;
 
   JSG_STRUCT(fetch,
+      connect,
       tail,
       trace,
       tailStream,
@@ -406,6 +412,7 @@ struct ExportedHandler {
 
   JSG_STRUCT_TS_DEFINE(
     type ExportedHandlerFetchHandler<Env = unknown, CfHostMetadata = unknown, Props = unknown> = (request: Request<CfHostMetadata, IncomingRequestCfProperties<CfHostMetadata>>, env: Env, ctx: ExecutionContext<Props>) => Response | Promise<Response>;
+    type ExportedHandlerConnectHandler<Env = unknown, Props = unknown> = (socket: Socket, env: Env, ctx: ExecutionContext<Props>) => void | Promise<void>;
     type ExportedHandlerTailHandler<Env = unknown, Props = unknown> = (events: TraceItem[], env: Env, ctx: ExecutionContext<Props>) => void | Promise<void>;
     type ExportedHandlerTraceHandler<Env = unknown, Props = unknown> = (traces: TraceItem[], env: Env, ctx: ExecutionContext<Props>) => void | Promise<void>;
     type ExportedHandlerTailStreamHandler<Env = unknown, Props = unknown> = (event : TailStream.TailEvent<TailStream.Onset>, env: Env, ctx: ExecutionContext<Props>) => TailStream.TailEventHandlerType | Promise<TailStream.TailEventHandlerType>;
@@ -416,6 +423,7 @@ struct ExportedHandler {
   JSG_STRUCT_TS_OVERRIDE(<Env = unknown, QueueHandlerMessage = unknown, CfHostMetadata = unknown, Props = unknown> {
     email?: EmailExportedHandler<Env, Props>;
     fetch?: ExportedHandlerFetchHandler<Env, CfHostMetadata, Props>;
+    connect?: ExportedHandlerConnectHandler<Env, Props>;
     tail?: ExportedHandlerTailHandler<Env, Props>;
     trace?: ExportedHandlerTraceHandler<Env, Props>;
     tailStream?: ExportedHandlerTailStreamHandler<Env, Props>;
@@ -515,6 +523,14 @@ class ServiceWorkerGlobalScope: public WorkerGlobalScope {
   // TODO(cleanup): Factor out the shared code used between old-style event listeners vs. module
   //   exports and move that code somewhere more appropriate.
 
+  // Received TCP/socket ingress (called from C++, not JS).
+  kj::Promise<void> connect(kj::String host,
+      const kj::HttpHeaders& headers,
+      kj::AsyncIoStream& connection,
+      kj::HttpService::ConnectResponse& response,
+      Worker::Lock& lock,
+      kj::Maybe<ExportedHandler&> exportedHandler);
+
   // Received sendTraces (called from C++, not JS).
   void sendTraces(kj::ArrayPtr<kj::Own<Trace>> traces,
       Worker::Lock& lock,

src/workerd/api/sockets.c++

@@ -318,6 +318,12 @@ jsg::Promise<void> Socket::close(jsg::Lock& js) {
   }).catch_(js, [this](jsg::Lock& js, jsg::Value err) { errorHandler(js, kj::mv(err)); });
 }
 
+jsg::Promise<void> Socket::proxyTo(jsg::Lock& js, jsg::Ref<Socket> sock) {
+  auto pipeA = sock->readable->pipeTo(js, writable.addRef(), {});
+  auto pipeB = readable->pipeTo(js, sock->writable.addRef(), {});
+  return pipeA.then(js, [pipeB = kj::mv(pipeB)](jsg::Lock& js) mutable { kj::mv(pipeB); });
+}
+
 jsg::Ref<Socket> Socket::startTls(jsg::Lock& js, jsg::Optional<TlsOptions> tlsOptions) {
   JSG_REQUIRE(
       secureTransport != SecureTransportKind::ON, TypeError, "Cannot startTls on a TLS socket.");

src/workerd/api/sockets.h

@@ -126,6 +126,11 @@ class Socket: public jsg::Object {
   // closing.
   jsg::Promise<void> close(jsg::Lock& js);
 
+  // Proxies to the other socket. Equivalent to:
+  // a.readable.pipeTo(b.writable); b.readable.pipeTo(a.writable);
+  // TODO: May want to add jsg::Optional<PipeToOptions> options?
+  jsg::Promise<void> proxyTo(jsg::Lock& js, jsg::Ref<Socket> sock);
+
   // Flushes write buffers then performs a TLS handshake on the current Socket connection.
   // The current `Socket` instance is closed and its readable/writable instances are also closed.
   // All new operations should be performed on the new `Socket` instance.
@@ -155,6 +160,7 @@ class Socket: public jsg::Object {
     JSG_READONLY_PROTOTYPE_PROPERTY(secureTransport, getSecureTransport);
     JSG_METHOD(close);
     JSG_METHOD(startTls);
+    JSG_METHOD(proxyTo);
 
     JSG_TS_OVERRIDE({
       get secureTransport(): 'on' | 'off' | 'starttls';

src/workerd/api/tests/BUILD.bazel

@@ -19,6 +19,18 @@ wd_test(
     data = ["delete-all-deletes-alarm-test.js"],
 )
 
+wd_test(
+    src = "connect-handler-test.wd-test",
+    args = ["--experimental"],
+    data = [
+        "connect-handler-test.js",
+        "connect-handler-test-proxy.js",
+    ],
+    # Test uses TCP sockets for ports 8081-8083 and may fail when running concurrently with other
+    # tests that do so.
+    tags = ["exclusive"],
+)
+
 wd_test(
     src = "actor-alarms-test.wd-test",
     args = ["--experimental"],
@@ -42,7 +54,10 @@ wd_test(
         "tail-worker-test-invalid.js",
         "tail-worker-test-jsrpc.js",
         "websocket-hibernation.js",
+        "connect-handler-test.js",
+        "connect-handler-test-proxy.js",
     ],
+    tags = ["exclusive"],
 )
 
 # Test to validate timing semantics for JSRPC streaming responses.
@@ -327,6 +342,7 @@ wd_test(
     src = "js-rpc-test.wd-test",
     args = ["--experimental"],
     data = ["js-rpc-test.js"],
+    tags = ["exclusive"],
 )
 
 wd_test(
@@ -577,6 +593,7 @@ wd_test(
         "--no-verbose",
     ],
     data = ["js-rpc-test.js"],
+    tags = ["exclusive"],
 )
 
 wd_test(

src/workerd/api/tests/connect-handler-test-proxy.js

@@ -0,0 +1,19 @@
+import { connect } from 'cloudflare:sockets';
+import { WorkerEntrypoint } from 'cloudflare:workers';
+
+export class ConnectProxy extends WorkerEntrypoint {
+  async connect(socket) {
+    // proxy for ConnectEndpoint instance on port 8083.
+    let upstream = connect('localhost:8083');
+    await socket.proxyTo(upstream);
+  }
+}
+
+export class ConnectEndpoint extends WorkerEntrypoint {
+  async connect(socket) {
+    const enc = new TextEncoder();
+    let writer = socket.writable.getWriter();
+    await writer.write(enc.encode('hello-from-endpoint'));
+    await writer.close();
+  }
+}

src/workerd/api/tests/connect-handler-test.js

@@ -0,0 +1,45 @@
+import { connect } from 'cloudflare:sockets';
+import { ok, strictEqual } from 'assert';
+
+export const connectHandler = {
+  async test() {
+    // Check that the connect handler can send a message through a socket
+    const socket = connect('localhost:8081');
+    await socket.opened;
+    const dec = new TextDecoder();
+    let result = '';
+    for await (const chunk of socket.readable) {
+      result += dec.decode(chunk, { stream: true });
+    }
+    result += dec.decode();
+    strictEqual(result, 'hello');
+    await socket.closed;
+  },
+};
+
+export const connectHandlerProxy = {
+  async test() {
+    // Check that we can get a message proxied through a connect handler. This call connects us with
+    // an instance of Server, which serves as a proxy for an instance of OtherServer, as defined in
+    // connect-handler-test-proxy.js.
+    const socket = connect('localhost:8082');
+    await socket.opened;
+    const dec = new TextDecoder();
+    let result = '';
+    for await (const chunk of socket.readable) {
+      result += dec.decode(chunk, { stream: true });
+    }
+    result += dec.decode();
+    strictEqual(result, 'hello-from-endpoint');
+    await socket.closed;
+  },
+};
+
+export default {
+  async connect(socket) {
+    const enc = new TextEncoder();
+    let writer = socket.writable.getWriter();
+    await writer.write(enc.encode('hello'));
+    await writer.close();
+  },
+};

src/workerd/api/tests/connect-handler-test.wd-test

@@ -0,0 +1,36 @@
+using Workerd = import "/workerd/workerd.capnp";
+
+const unitTests :Workerd.Config = (
+  services = [
+    ( name = "connect-handler-test",
+      worker = (
+        modules = [
+          (name = "worker", esModule = embed "connect-handler-test.js"),
+        ],
+        compatibilityFlags = ["nodejs_compat_v2", "experimental"],
+      )
+    ),
+    ( name = "connect-handler-test-proxy",
+      worker = (
+        modules = [
+          (name = "worker", esModule = embed "connect-handler-test-proxy.js"),
+        ],
+        compatibilityFlags = ["nodejs_compat_v2", "experimental"],
+      )
+    ),
+    ( name = "connect-handler-test-endpoint",
+      worker = (
+        modules = [
+          (name = "worker", esModule = embed "connect-handler-test-proxy.js"),
+        ],
+        compatibilityFlags = ["nodejs_compat_v2", "experimental"],
+      )
+    ),
+    ( name = "internet", network = ( allow = ["private"] ) )
+  ],
+  sockets = [
+    (name = "tcp", address = "*:8081", tcp = (), service = "connect-handler-test"),
+    (name = "tcp", address = "*:8082", tcp = (), service = (name = "connect-handler-test-proxy", entrypoint = "ConnectProxy")),
+    (name = "tcp", address = "*:8083", tcp = (), service = (name = "connect-handler-test-endpoint", entrypoint = "ConnectEndpoint"))
+  ]
+);

src/workerd/api/tests/js-rpc-socket-test.wd-test

@@ -72,6 +72,7 @@ const unitTests :Workerd.Config = (
         http = (capnpConnectHost = "cappy")
       )
     ),
+    ( name = "internet", network = ( allow = ["private"] ) ),
   ],
   sockets = [
     ( name = "MyService-loop",
@@ -99,6 +100,8 @@ const unitTests :Workerd.Config = (
       service = (name = "js-rpc-test", entrypoint = "GreeterFactory"),
       http = (capnpConnectHost = "cappy")
     ),
+    # For testing connect() handler
+    (name = "tcp", address = "*:8081", tcp = (), service = "js-rpc-test")
   ],
   v8Flags = [ "--expose-gc" ],
 );