1package connect
2
3import (
4	"context"
5	"crypto/tls"
6	"crypto/x509"
7	"errors"
8	"net"
9	"net/http"
10	"time"
11
12	"github.com/hashicorp/consul/api"
13	"github.com/hashicorp/consul/api/watch"
14	"github.com/hashicorp/consul/logging"
15	"github.com/hashicorp/go-hclog"
16	"golang.org/x/net/http2"
17)
18
19// Service represents a Consul service that accepts and/or connects via Connect.
20// This can represent a service that only is a server, only is a client, or
21// both.
22//
23// TODO(banks): Agent implicit health checks based on knowing which certs are
24// available should prevent clients being routed until the agent knows the
25// service has been delivered valid certificates. Once built, document that here
26// too.
27type Service struct {
28	// service is the name (not ID) for the Consul service. This is used to request
29	// Connect metadata.
30	service string
31
32	// client is the Consul API client. It must be configured with an appropriate
33	// Token that has `service:write` policy on the provided service. If an
34	// insufficient token is provided, the Service will abort further attempts to
35	// fetch certificates and print a loud error message. It will not Close() or
36	// kill the process since that could lead to a crash loop in every service if
37	// ACL token was revoked. All attempts to dial will error and any incoming
38	// connections will fail to verify. It may be nil if the Service is being
39	// configured from local files for development or testing.
40	client *api.Client
41
42	// tlsCfg is the dynamic TLS config
43	tlsCfg *dynamicTLSConfig
44
45	// httpResolverFromAddr is a function that returns a Resolver from a string
46	// address for HTTP clients. It's privately pluggable to make testing easier
47	// but will default to a simple method to parse the host as a Consul DNS host.
48	httpResolverFromAddr func(addr string) (Resolver, error)
49
50	rootsWatch *watch.Plan
51	leafWatch  *watch.Plan
52
53	logger hclog.Logger
54}
55
56// NewService creates and starts a Service. The caller must close the returned
57// service to free resources and allow the program to exit normally. This is
58// typically called in a signal handler.
59//
60// Caller must provide client which is already configured to speak to the local
61// Consul agent, and with an ACL token that has `service:write` privileges for
62// the service specified.
63func NewService(serviceName string, client *api.Client) (*Service, error) {
64	logger := hclog.New(&hclog.LoggerOptions{})
65
66	return NewServiceWithLogger(serviceName, client,
67		logger)
68}
69
70// NewServiceWithLogger starts the service with a specified log.Logger.
71func NewServiceWithLogger(serviceName string, client *api.Client,
72	logger hclog.Logger) (*Service, error) {
73	s := &Service{
74		service:              serviceName,
75		client:               client,
76		logger:               logger.Named(logging.Connect).With("service", serviceName),
77		tlsCfg:               newDynamicTLSConfig(defaultTLSConfig(), logger),
78		httpResolverFromAddr: ConsulResolverFromAddrFunc(client),
79	}
80
81	// Set up root and leaf watches
82	p, err := watch.Parse(map[string]interface{}{
83		"type": "connect_roots",
84	})
85	if err != nil {
86		return nil, err
87	}
88	s.rootsWatch = p
89	s.rootsWatch.HybridHandler = s.rootsWatchHandler
90
91	p, err = watch.Parse(map[string]interface{}{
92		"type":    "connect_leaf",
93		"service": s.service,
94	})
95	if err != nil {
96		return nil, err
97	}
98	s.leafWatch = p
99	s.leafWatch.HybridHandler = s.leafWatchHandler
100
101	go s.rootsWatch.RunWithClientAndHclog(client, s.logger)
102	go s.leafWatch.RunWithClientAndHclog(client, s.logger)
103
104	return s, nil
105}
106
107// NewDevServiceFromCertFiles creates a Service using certificate and key files
108// passed instead of fetching them from the client.
109func NewDevServiceFromCertFiles(serviceID string, logger hclog.Logger,
110	caFile, certFile, keyFile string) (*Service, error) {
111
112	tlsCfg, err := devTLSConfigFromFiles(caFile, certFile, keyFile)
113	if err != nil {
114		return nil, err
115	}
116	return NewDevServiceWithTLSConfig(serviceID, logger, tlsCfg)
117}
118
119// NewDevServiceWithTLSConfig creates a Service using static TLS config passed.
120// It's mostly useful for testing.
121func NewDevServiceWithTLSConfig(serviceName string, logger hclog.Logger,
122	tlsCfg *tls.Config) (*Service, error) {
123	s := &Service{
124		service: serviceName,
125		logger:  logger,
126		tlsCfg:  newDynamicTLSConfig(tlsCfg, logger),
127	}
128	return s, nil
129}
130
131// Name returns the name of the service this object represents. Note it is the
132// service _name_ as used during discovery, not the ID used to uniquely identify
133// an instance of the service with an agent.
134func (s *Service) Name() string {
135	return s.service
136}
137
138// ServerTLSConfig returns a *tls.Config that allows any TCP listener to accept
139// and authorize incoming Connect clients. It will return a single static config
140// with hooks to dynamically load certificates, and perform Connect
141// authorization during verification. Service implementations do not need to
142// reload this to get new certificates.
143//
144// At any time it may be possible that the Service instance does not have access
145// to usable certificates due to not being initially setup yet or a prolonged
146// error during renewal. The listener will be able to accept connections again
147// once connectivity is restored provided the client's Token is valid.
148//
149// To prevent routing traffic to the app instance while it's certificates are
150// invalid or not populated yet you may use Ready in a health check endpoint
151// and/or ReadyWait during startup before starting the TLS listener. The latter
152// only prevents connections during initial bootstrap (including permission
153// issues where certs can never be issued due to bad credentials) but won't
154// handle the case that certificates expire and an error prevents timely
155// renewal.
156func (s *Service) ServerTLSConfig() *tls.Config {
157	return s.tlsCfg.Get(newServerSideVerifier(s.logger, s.client, s.service))
158}
159
160// Dial connects to a remote Connect-enabled server. The passed Resolver is used
161// to discover a single candidate instance which will be dialed and have it's
162// TLS certificate verified against the expected identity. Failures are returned
163// directly with no retries. Repeated dials may use different instances
164// depending on the Resolver implementation.
165//
166// Timeout can be managed via the Context.
167//
168// Calls to Dial made before the Service has loaded certificates from the agent
169// will fail. You can prevent this by using Ready or ReadyWait in app during
170// startup.
171func (s *Service) Dial(ctx context.Context, resolver Resolver) (net.Conn, error) {
172	addr, certURI, err := resolver.Resolve(ctx)
173	if err != nil {
174		return nil, err
175	}
176	s.logger.Debug("resolved service instance",
177		"address", addr,
178		"identity", certURI.URI(),
179	)
180	var dialer net.Dialer
181	tcpConn, err := dialer.DialContext(ctx, "tcp", addr)
182	if err != nil {
183		return nil, err
184	}
185
186	tlsConn := tls.Client(tcpConn, s.tlsCfg.Get(clientSideVerifier))
187	// Set deadline for Handshake to complete.
188	deadline, ok := ctx.Deadline()
189	if ok {
190		tlsConn.SetDeadline(deadline)
191	}
192	// Perform handshake
193	if err = tlsConn.Handshake(); err != nil {
194		tlsConn.Close()
195		return nil, err
196	}
197	// Clear deadline since that was only for connection. Caller can set their own
198	// deadline later as necessary.
199	tlsConn.SetDeadline(time.Time{})
200
201	// Verify that the connect server's URI matches certURI
202	err = verifyServerCertMatchesURI(tlsConn.ConnectionState().PeerCertificates,
203		certURI)
204	if err != nil {
205		tlsConn.Close()
206		return nil, err
207	}
208	s.logger.Debug("successfully connected to service instance", addr,
209		"address", addr,
210		"identity", certURI.URI(),
211	)
212	return tlsConn, nil
213}
214
215// HTTPDialTLS is compatible with http.Transport.DialTLS. It expects the addr
216// hostname to be specified using Consul DNS query syntax, e.g.
217// "web.service.consul". It converts that into the equivalent ConsulResolver and
218// then call s.Dial with the resolver. This is low level, clients should
219// typically use HTTPClient directly.
220func (s *Service) HTTPDialTLS(network,
221	addr string) (net.Conn, error) {
222	if s.httpResolverFromAddr == nil {
223		return nil, errors.New("no http resolver configured")
224	}
225	r, err := s.httpResolverFromAddr(addr)
226	if err != nil {
227		return nil, err
228	}
229	// TODO(banks): figure out how to do timeouts better.
230	return s.Dial(context.Background(), r)
231}
232
233// HTTPClient returns an *http.Client configured to dial remote Consul Connect
234// HTTP services. The client will return an error if attempting to make requests
235// to a non HTTPS hostname. It resolves the domain of the request with the same
236// syntax as Consul DNS queries although it performs discovery directly via the
237// API rather than just relying on Consul DNS. Hostnames that are not valid
238// Consul DNS queries will fail.
239func (s *Service) HTTPClient() *http.Client {
240	t := &http.Transport{
241		// Sadly we can't use DialContext hook since that is expected to return a
242		// plain TCP connection and http.Client tries to start a TLS handshake over
243		// it. We need to control the handshake to be able to do our validation.
244		// So we have to use the older DialTLS which means no context/timeout
245		// support.
246		//
247		// TODO(banks): figure out how users can configure a timeout when using
248		// this and/or compatibility with http.Request.WithContext.
249		DialTLS: s.HTTPDialTLS,
250	}
251	// Need to manually re-enable http2 support since we set custom DialTLS.
252	// See https://golang.org/src/net/http/transport.go?s=8692:9036#L228
253	http2.ConfigureTransport(t)
254	return &http.Client{
255		Transport: t,
256	}
257}
258
259// Close stops the service and frees resources.
260func (s *Service) Close() error {
261	if s.rootsWatch != nil {
262		s.rootsWatch.Stop()
263	}
264	if s.leafWatch != nil {
265		s.leafWatch.Stop()
266	}
267	return nil
268}
269
270func (s *Service) rootsWatchHandler(blockParam watch.BlockingParamVal, raw interface{}) {
271	if raw == nil {
272		return
273	}
274	v, ok := raw.(*api.CARootList)
275	if !ok || v == nil {
276		s.logger.Error("got invalid response from root watch")
277		return
278	}
279
280	// Got new root certificates, update the tls.Configs.
281	roots := x509.NewCertPool()
282	for _, root := range v.Roots {
283		roots.AppendCertsFromPEM([]byte(root.RootCertPEM))
284	}
285
286	s.tlsCfg.SetRoots(roots)
287}
288
289func (s *Service) leafWatchHandler(blockParam watch.BlockingParamVal, raw interface{}) {
290	if raw == nil {
291		return // ignore
292	}
293	v, ok := raw.(*api.LeafCert)
294	if !ok || v == nil {
295		s.logger.Error("got invalid response from leaf watch")
296		return
297	}
298
299	// Got new leaf, update the tls.Configs
300	cert, err := tls.X509KeyPair([]byte(v.CertPEM), []byte(v.PrivateKeyPEM))
301	if err != nil {
302		s.logger.Error("failed to parse new leaf cert", "error", err)
303		return
304	}
305
306	s.tlsCfg.SetLeaf(&cert)
307}
308
309// Ready returns whether or not both roots and a leaf certificate are
310// configured. If both are non-nil, they are assumed to be valid and usable.
311func (s *Service) Ready() bool {
312	return s.tlsCfg.Ready()
313}
314
315// ReadyWait returns a chan that is closed when the Service becomes ready
316// for use for the first time. Note that if the Service is ready when it is
317// called it returns a nil chan. Ready means that it has root and leaf
318// certificates configured which we assume are valid. The service may
319// subsequently stop being "ready" if it's certificates expire or are revoked
320// and an error prevents new ones being loaded but this method will not stop
321// returning a nil chan in that case. It is only useful for initial startup. For
322// ongoing health Ready() should be used.
323func (s *Service) ReadyWait() <-chan struct{} {
324	return s.tlsCfg.ReadyWait()
325}
326