1// Copyright 2016 The Prometheus Authors
2// Licensed under the Apache License, Version 2.0 (the "License");
3// you may not use this file except in compliance with the License.
4// You may obtain a copy of the License at
5//
6// http://www.apache.org/licenses/LICENSE-2.0
7//
8// Unless required by applicable law or agreed to in writing, software
9// distributed under the License is distributed on an "AS IS" BASIS,
10// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11// See the License for the specific language governing permissions and
12// limitations under the License.
13
14// +build go1.8
15
16package config
17
18import (
19	"bytes"
20	"context"
21	"crypto/sha256"
22	"crypto/tls"
23	"crypto/x509"
24	"encoding/json"
25	"fmt"
26	"io/ioutil"
27	"net"
28	"net/http"
29	"net/url"
30	"strings"
31	"sync"
32	"time"
33
34	"github.com/mwitkow/go-conntrack"
35	"golang.org/x/net/http2"
36	"golang.org/x/oauth2"
37	"golang.org/x/oauth2/clientcredentials"
38	"gopkg.in/yaml.v2"
39)
40
41// DefaultHTTPClientConfig is the default HTTP client configuration.
42var DefaultHTTPClientConfig = HTTPClientConfig{
43	FollowRedirects: true,
44}
45
46// defaultHTTPClientOptions holds the default HTTP client options.
47var defaultHTTPClientOptions = httpClientOptions{
48	keepAlivesEnabled: true,
49	http2Enabled:      true,
50}
51
52type closeIdler interface {
53	CloseIdleConnections()
54}
55
56// BasicAuth contains basic HTTP authentication credentials.
57type BasicAuth struct {
58	Username     string `yaml:"username" json:"username"`
59	Password     Secret `yaml:"password,omitempty" json:"password,omitempty"`
60	PasswordFile string `yaml:"password_file,omitempty" json:"password_file,omitempty"`
61}
62
63// SetDirectory joins any relative file paths with dir.
64func (a *BasicAuth) SetDirectory(dir string) {
65	if a == nil {
66		return
67	}
68	a.PasswordFile = JoinDir(dir, a.PasswordFile)
69}
70
71// Authorization contains HTTP authorization credentials.
72type Authorization struct {
73	Type            string `yaml:"type,omitempty" json:"type,omitempty"`
74	Credentials     Secret `yaml:"credentials,omitempty" json:"credentials,omitempty"`
75	CredentialsFile string `yaml:"credentials_file,omitempty" json:"credentials_file,omitempty"`
76}
77
78// SetDirectory joins any relative file paths with dir.
79func (a *Authorization) SetDirectory(dir string) {
80	if a == nil {
81		return
82	}
83	a.CredentialsFile = JoinDir(dir, a.CredentialsFile)
84}
85
86// URL is a custom URL type that allows validation at configuration load time.
87type URL struct {
88	*url.URL
89}
90
91// UnmarshalYAML implements the yaml.Unmarshaler interface for URLs.
92func (u *URL) UnmarshalYAML(unmarshal func(interface{}) error) error {
93	var s string
94	if err := unmarshal(&s); err != nil {
95		return err
96	}
97
98	urlp, err := url.Parse(s)
99	if err != nil {
100		return err
101	}
102	u.URL = urlp
103	return nil
104}
105
106// MarshalYAML implements the yaml.Marshaler interface for URLs.
107func (u URL) MarshalYAML() (interface{}, error) {
108	if u.URL != nil {
109		return u.String(), nil
110	}
111	return nil, nil
112}
113
114// UnmarshalJSON implements the json.Marshaler interface for URL.
115func (u *URL) UnmarshalJSON(data []byte) error {
116	var s string
117	if err := json.Unmarshal(data, &s); err != nil {
118		return err
119	}
120	urlp, err := url.Parse(s)
121	if err != nil {
122		return err
123	}
124	u.URL = urlp
125	return nil
126}
127
128// MarshalJSON implements the json.Marshaler interface for URL.
129func (u URL) MarshalJSON() ([]byte, error) {
130	if u.URL != nil {
131		return json.Marshal(u.URL.String())
132	}
133	return nil, nil
134}
135
136// OAuth2 is the oauth2 client configuration.
137type OAuth2 struct {
138	ClientID         string            `yaml:"client_id" json:"client_id"`
139	ClientSecret     Secret            `yaml:"client_secret" json:"client_secret"`
140	ClientSecretFile string            `yaml:"client_secret_file" json:"client_secret_file"`
141	Scopes           []string          `yaml:"scopes,omitempty" json:"scopes,omitempty"`
142	TokenURL         string            `yaml:"token_url" json:"token_url"`
143	EndpointParams   map[string]string `yaml:"endpoint_params,omitempty" json:"endpoint_params,omitempty"`
144}
145
146// SetDirectory joins any relative file paths with dir.
147func (a *OAuth2) SetDirectory(dir string) {
148	if a == nil {
149		return
150	}
151	a.ClientSecretFile = JoinDir(dir, a.ClientSecretFile)
152}
153
154// HTTPClientConfig configures an HTTP client.
155type HTTPClientConfig struct {
156	// The HTTP basic authentication credentials for the targets.
157	BasicAuth *BasicAuth `yaml:"basic_auth,omitempty" json:"basic_auth,omitempty"`
158	// The HTTP authorization credentials for the targets.
159	Authorization *Authorization `yaml:"authorization,omitempty" json:"authorization,omitempty"`
160	// The OAuth2 client credentials used to fetch a token for the targets.
161	OAuth2 *OAuth2 `yaml:"oauth2,omitempty" json:"oauth2,omitempty"`
162	// The bearer token for the targets. Deprecated in favour of
163	// Authorization.Credentials.
164	BearerToken Secret `yaml:"bearer_token,omitempty" json:"bearer_token,omitempty"`
165	// The bearer token file for the targets. Deprecated in favour of
166	// Authorization.CredentialsFile.
167	BearerTokenFile string `yaml:"bearer_token_file,omitempty" json:"bearer_token_file,omitempty"`
168	// HTTP proxy server to use to connect to the targets.
169	ProxyURL URL `yaml:"proxy_url,omitempty" json:"proxy_url,omitempty"`
170	// TLSConfig to use to connect to the targets.
171	TLSConfig TLSConfig `yaml:"tls_config,omitempty" json:"tls_config,omitempty"`
172	// FollowRedirects specifies whether the client should follow HTTP 3xx redirects.
173	// The omitempty flag is not set, because it would be hidden from the
174	// marshalled configuration when set to false.
175	FollowRedirects bool `yaml:"follow_redirects" json:"follow_redirects"`
176}
177
178// SetDirectory joins any relative file paths with dir.
179func (c *HTTPClientConfig) SetDirectory(dir string) {
180	if c == nil {
181		return
182	}
183	c.TLSConfig.SetDirectory(dir)
184	c.BasicAuth.SetDirectory(dir)
185	c.Authorization.SetDirectory(dir)
186	c.OAuth2.SetDirectory(dir)
187	c.BearerTokenFile = JoinDir(dir, c.BearerTokenFile)
188}
189
190// Validate validates the HTTPClientConfig to check only one of BearerToken,
191// BasicAuth and BearerTokenFile is configured.
192func (c *HTTPClientConfig) Validate() error {
193	// Backwards compatibility with the bearer_token field.
194	if len(c.BearerToken) > 0 && len(c.BearerTokenFile) > 0 {
195		return fmt.Errorf("at most one of bearer_token & bearer_token_file must be configured")
196	}
197	if (c.BasicAuth != nil || c.OAuth2 != nil) && (len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0) {
198		return fmt.Errorf("at most one of basic_auth, oauth2, bearer_token & bearer_token_file must be configured")
199	}
200	if c.BasicAuth != nil && (string(c.BasicAuth.Password) != "" && c.BasicAuth.PasswordFile != "") {
201		return fmt.Errorf("at most one of basic_auth password & password_file must be configured")
202	}
203	if c.Authorization != nil {
204		if len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0 {
205			return fmt.Errorf("authorization is not compatible with bearer_token & bearer_token_file")
206		}
207		if string(c.Authorization.Credentials) != "" && c.Authorization.CredentialsFile != "" {
208			return fmt.Errorf("at most one of authorization credentials & credentials_file must be configured")
209		}
210		c.Authorization.Type = strings.TrimSpace(c.Authorization.Type)
211		if len(c.Authorization.Type) == 0 {
212			c.Authorization.Type = "Bearer"
213		}
214		if strings.ToLower(c.Authorization.Type) == "basic" {
215			return fmt.Errorf(`authorization type cannot be set to "basic", use "basic_auth" instead`)
216		}
217		if c.BasicAuth != nil || c.OAuth2 != nil {
218			return fmt.Errorf("at most one of basic_auth, oauth2 & authorization must be configured")
219		}
220	} else {
221		if len(c.BearerToken) > 0 {
222			c.Authorization = &Authorization{Credentials: c.BearerToken}
223			c.Authorization.Type = "Bearer"
224			c.BearerToken = ""
225		}
226		if len(c.BearerTokenFile) > 0 {
227			c.Authorization = &Authorization{CredentialsFile: c.BearerTokenFile}
228			c.Authorization.Type = "Bearer"
229			c.BearerTokenFile = ""
230		}
231	}
232	if c.OAuth2 != nil {
233		if c.BasicAuth != nil {
234			return fmt.Errorf("at most one of basic_auth, oauth2 & authorization must be configured")
235		}
236		if len(c.OAuth2.ClientID) == 0 {
237			return fmt.Errorf("oauth2 client_id must be configured")
238		}
239		if len(c.OAuth2.ClientSecret) == 0 && len(c.OAuth2.ClientSecretFile) == 0 {
240			return fmt.Errorf("either oauth2 client_secret or client_secret_file must be configured")
241		}
242		if len(c.OAuth2.TokenURL) == 0 {
243			return fmt.Errorf("oauth2 token_url must be configured")
244		}
245		if len(c.OAuth2.ClientSecret) > 0 && len(c.OAuth2.ClientSecretFile) > 0 {
246			return fmt.Errorf("at most one of oauth2 client_secret & client_secret_file must be configured")
247		}
248	}
249	return nil
250}
251
252// UnmarshalYAML implements the yaml.Unmarshaler interface
253func (c *HTTPClientConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
254	type plain HTTPClientConfig
255	*c = DefaultHTTPClientConfig
256	if err := unmarshal((*plain)(c)); err != nil {
257		return err
258	}
259	return c.Validate()
260}
261
262// UnmarshalJSON implements the json.Marshaler interface for URL.
263func (c *HTTPClientConfig) UnmarshalJSON(data []byte) error {
264	type plain HTTPClientConfig
265	*c = DefaultHTTPClientConfig
266	if err := json.Unmarshal(data, (*plain)(c)); err != nil {
267		return err
268	}
269	return c.Validate()
270}
271
272// UnmarshalYAML implements the yaml.Unmarshaler interface.
273func (a *BasicAuth) UnmarshalYAML(unmarshal func(interface{}) error) error {
274	type plain BasicAuth
275	return unmarshal((*plain)(a))
276}
277
278// DialContextFunc defines the signature of the DialContext() function implemented
279// by net.Dialer.
280type DialContextFunc func(context.Context, string, string) (net.Conn, error)
281
282type httpClientOptions struct {
283	dialContextFunc   DialContextFunc
284	keepAlivesEnabled bool
285	http2Enabled      bool
286}
287
288// HTTPClientOption defines an option that can be applied to the HTTP client.
289type HTTPClientOption func(options *httpClientOptions)
290
291// WithDialContextFunc allows you to override func gets used for the actual dialing. The default is `net.Dialer.DialContext`.
292func WithDialContextFunc(fn DialContextFunc) HTTPClientOption {
293	return func(opts *httpClientOptions) {
294		opts.dialContextFunc = fn
295	}
296}
297
298// WithKeepAlivesDisabled allows to disable HTTP keepalive.
299func WithKeepAlivesDisabled() HTTPClientOption {
300	return func(opts *httpClientOptions) {
301		opts.keepAlivesEnabled = false
302	}
303}
304
305// WithHTTP2Disabled allows to disable HTTP2.
306func WithHTTP2Disabled() HTTPClientOption {
307	return func(opts *httpClientOptions) {
308		opts.http2Enabled = false
309	}
310}
311
312// NewClient returns a http.Client using the specified http.RoundTripper.
313func newClient(rt http.RoundTripper) *http.Client {
314	return &http.Client{Transport: rt}
315}
316
317// NewClientFromConfig returns a new HTTP client configured for the
318// given config.HTTPClientConfig and config.HTTPClientOption.
319// The name is used as go-conntrack metric label.
320func NewClientFromConfig(cfg HTTPClientConfig, name string, optFuncs ...HTTPClientOption) (*http.Client, error) {
321	rt, err := NewRoundTripperFromConfig(cfg, name, optFuncs...)
322	if err != nil {
323		return nil, err
324	}
325	client := newClient(rt)
326	if !cfg.FollowRedirects {
327		client.CheckRedirect = func(*http.Request, []*http.Request) error {
328			return http.ErrUseLastResponse
329		}
330	}
331	return client, nil
332}
333
334// NewRoundTripperFromConfig returns a new HTTP RoundTripper configured for the
335// given config.HTTPClientConfig and config.HTTPClientOption.
336// The name is used as go-conntrack metric label.
337func NewRoundTripperFromConfig(cfg HTTPClientConfig, name string, optFuncs ...HTTPClientOption) (http.RoundTripper, error) {
338	opts := defaultHTTPClientOptions
339	for _, f := range optFuncs {
340		f(&opts)
341	}
342
343	var dialContext func(ctx context.Context, network, addr string) (net.Conn, error)
344
345	if opts.dialContextFunc != nil {
346		dialContext = conntrack.NewDialContextFunc(
347			conntrack.DialWithDialContextFunc((func(context.Context, string, string) (net.Conn, error))(opts.dialContextFunc)),
348			conntrack.DialWithTracing(),
349			conntrack.DialWithName(name))
350	} else {
351		dialContext = conntrack.NewDialContextFunc(
352			conntrack.DialWithTracing(),
353			conntrack.DialWithName(name))
354	}
355
356	newRT := func(tlsConfig *tls.Config) (http.RoundTripper, error) {
357		// The only timeout we care about is the configured scrape timeout.
358		// It is applied on request. So we leave out any timings here.
359		var rt http.RoundTripper = &http.Transport{
360			Proxy:               http.ProxyURL(cfg.ProxyURL.URL),
361			MaxIdleConns:        20000,
362			MaxIdleConnsPerHost: 1000, // see https://github.com/golang/go/issues/13801
363			DisableKeepAlives:   !opts.keepAlivesEnabled,
364			TLSClientConfig:     tlsConfig,
365			DisableCompression:  true,
366			// 5 minutes is typically above the maximum sane scrape interval. So we can
367			// use keepalive for all configurations.
368			IdleConnTimeout:       5 * time.Minute,
369			TLSHandshakeTimeout:   10 * time.Second,
370			ExpectContinueTimeout: 1 * time.Second,
371			DialContext:           dialContext,
372		}
373		if opts.http2Enabled {
374			// HTTP/2 support is golang has many problematic cornercases where
375			// dead connections would be kept and used in connection pools.
376			// https://github.com/golang/go/issues/32388
377			// https://github.com/golang/go/issues/39337
378			// https://github.com/golang/go/issues/39750
379			// TODO: Re-Enable HTTP/2 once upstream issue is fixed.
380			// TODO: use ForceAttemptHTTP2 when we move to Go 1.13+.
381			err := http2.ConfigureTransport(rt.(*http.Transport))
382			if err != nil {
383				return nil, err
384			}
385		}
386
387		// If a authorization_credentials is provided, create a round tripper that will set the
388		// Authorization header correctly on each request.
389		if cfg.Authorization != nil && len(cfg.Authorization.Credentials) > 0 {
390			rt = NewAuthorizationCredentialsRoundTripper(cfg.Authorization.Type, cfg.Authorization.Credentials, rt)
391		} else if cfg.Authorization != nil && len(cfg.Authorization.CredentialsFile) > 0 {
392			rt = NewAuthorizationCredentialsFileRoundTripper(cfg.Authorization.Type, cfg.Authorization.CredentialsFile, rt)
393		}
394		// Backwards compatibility, be nice with importers who would not have
395		// called Validate().
396		if len(cfg.BearerToken) > 0 {
397			rt = NewAuthorizationCredentialsRoundTripper("Bearer", cfg.BearerToken, rt)
398		} else if len(cfg.BearerTokenFile) > 0 {
399			rt = NewAuthorizationCredentialsFileRoundTripper("Bearer", cfg.BearerTokenFile, rt)
400		}
401
402		if cfg.BasicAuth != nil {
403			rt = NewBasicAuthRoundTripper(cfg.BasicAuth.Username, cfg.BasicAuth.Password, cfg.BasicAuth.PasswordFile, rt)
404		}
405
406		if cfg.OAuth2 != nil {
407			rt = NewOAuth2RoundTripper(cfg.OAuth2, rt)
408		}
409		// Return a new configured RoundTripper.
410		return rt, nil
411	}
412
413	tlsConfig, err := NewTLSConfig(&cfg.TLSConfig)
414	if err != nil {
415		return nil, err
416	}
417
418	if len(cfg.TLSConfig.CAFile) == 0 {
419		// No need for a RoundTripper that reloads the CA file automatically.
420		return newRT(tlsConfig)
421	}
422
423	return NewTLSRoundTripper(tlsConfig, cfg.TLSConfig.CAFile, newRT)
424}
425
426type authorizationCredentialsRoundTripper struct {
427	authType        string
428	authCredentials Secret
429	rt              http.RoundTripper
430}
431
432// NewAuthorizationCredentialsRoundTripper adds the provided credentials to a
433// request unless the authorization header has already been set.
434func NewAuthorizationCredentialsRoundTripper(authType string, authCredentials Secret, rt http.RoundTripper) http.RoundTripper {
435	return &authorizationCredentialsRoundTripper{authType, authCredentials, rt}
436}
437
438func (rt *authorizationCredentialsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
439	if len(req.Header.Get("Authorization")) == 0 {
440		req = cloneRequest(req)
441		req.Header.Set("Authorization", fmt.Sprintf("%s %s", rt.authType, string(rt.authCredentials)))
442	}
443	return rt.rt.RoundTrip(req)
444}
445
446func (rt *authorizationCredentialsRoundTripper) CloseIdleConnections() {
447	if ci, ok := rt.rt.(closeIdler); ok {
448		ci.CloseIdleConnections()
449	}
450}
451
452type authorizationCredentialsFileRoundTripper struct {
453	authType            string
454	authCredentialsFile string
455	rt                  http.RoundTripper
456}
457
458// NewAuthorizationCredentialsFileRoundTripper adds the authorization
459// credentials read from the provided file to a request unless the authorization
460// header has already been set. This file is read for every request.
461func NewAuthorizationCredentialsFileRoundTripper(authType, authCredentialsFile string, rt http.RoundTripper) http.RoundTripper {
462	return &authorizationCredentialsFileRoundTripper{authType, authCredentialsFile, rt}
463}
464
465func (rt *authorizationCredentialsFileRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
466	if len(req.Header.Get("Authorization")) == 0 {
467		b, err := ioutil.ReadFile(rt.authCredentialsFile)
468		if err != nil {
469			return nil, fmt.Errorf("unable to read authorization credentials file %s: %s", rt.authCredentialsFile, err)
470		}
471		authCredentials := strings.TrimSpace(string(b))
472
473		req = cloneRequest(req)
474		req.Header.Set("Authorization", fmt.Sprintf("%s %s", rt.authType, authCredentials))
475	}
476
477	return rt.rt.RoundTrip(req)
478}
479
480func (rt *authorizationCredentialsFileRoundTripper) CloseIdleConnections() {
481	if ci, ok := rt.rt.(closeIdler); ok {
482		ci.CloseIdleConnections()
483	}
484}
485
486type basicAuthRoundTripper struct {
487	username     string
488	password     Secret
489	passwordFile string
490	rt           http.RoundTripper
491}
492
493// NewBasicAuthRoundTripper will apply a BASIC auth authorization header to a request unless it has
494// already been set.
495func NewBasicAuthRoundTripper(username string, password Secret, passwordFile string, rt http.RoundTripper) http.RoundTripper {
496	return &basicAuthRoundTripper{username, password, passwordFile, rt}
497}
498
499func (rt *basicAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
500	if len(req.Header.Get("Authorization")) != 0 {
501		return rt.rt.RoundTrip(req)
502	}
503	req = cloneRequest(req)
504	if rt.passwordFile != "" {
505		bs, err := ioutil.ReadFile(rt.passwordFile)
506		if err != nil {
507			return nil, fmt.Errorf("unable to read basic auth password file %s: %s", rt.passwordFile, err)
508		}
509		req.SetBasicAuth(rt.username, strings.TrimSpace(string(bs)))
510	} else {
511		req.SetBasicAuth(rt.username, strings.TrimSpace(string(rt.password)))
512	}
513	return rt.rt.RoundTrip(req)
514}
515
516func (rt *basicAuthRoundTripper) CloseIdleConnections() {
517	if ci, ok := rt.rt.(closeIdler); ok {
518		ci.CloseIdleConnections()
519	}
520}
521
522type oauth2RoundTripper struct {
523	config *OAuth2
524	rt     http.RoundTripper
525	next   http.RoundTripper
526	secret string
527	mtx    sync.RWMutex
528}
529
530func NewOAuth2RoundTripper(config *OAuth2, next http.RoundTripper) http.RoundTripper {
531	return &oauth2RoundTripper{
532		config: config,
533		next:   next,
534	}
535}
536
537func (rt *oauth2RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
538	var (
539		secret  string
540		changed bool
541	)
542
543	if rt.config.ClientSecretFile != "" {
544		data, err := ioutil.ReadFile(rt.config.ClientSecretFile)
545		if err != nil {
546			return nil, fmt.Errorf("unable to read oauth2 client secret file %s: %s", rt.config.ClientSecretFile, err)
547		}
548		secret = strings.TrimSpace(string(data))
549		rt.mtx.RLock()
550		changed = secret != rt.secret
551		rt.mtx.RUnlock()
552	}
553
554	if changed || rt.rt == nil {
555		if rt.config.ClientSecret != "" {
556			secret = string(rt.config.ClientSecret)
557		}
558
559		config := &clientcredentials.Config{
560			ClientID:       rt.config.ClientID,
561			ClientSecret:   secret,
562			Scopes:         rt.config.Scopes,
563			TokenURL:       rt.config.TokenURL,
564			EndpointParams: mapToValues(rt.config.EndpointParams),
565		}
566
567		tokenSource := config.TokenSource(context.Background())
568
569		rt.mtx.Lock()
570		rt.secret = secret
571		rt.rt = &oauth2.Transport{
572			Base:   rt.next,
573			Source: tokenSource,
574		}
575		rt.mtx.Unlock()
576	}
577
578	rt.mtx.RLock()
579	currentRT := rt.rt
580	rt.mtx.RUnlock()
581	return currentRT.RoundTrip(req)
582}
583
584func (rt *oauth2RoundTripper) CloseIdleConnections() {
585	// OAuth2 RT does not support CloseIdleConnections() but the next RT might.
586	if ci, ok := rt.next.(closeIdler); ok {
587		ci.CloseIdleConnections()
588	}
589}
590
591func mapToValues(m map[string]string) url.Values {
592	v := url.Values{}
593	for name, value := range m {
594		v.Set(name, value)
595	}
596
597	return v
598}
599
600// cloneRequest returns a clone of the provided *http.Request.
601// The clone is a shallow copy of the struct and its Header map.
602func cloneRequest(r *http.Request) *http.Request {
603	// Shallow copy of the struct.
604	r2 := new(http.Request)
605	*r2 = *r
606	// Deep copy of the Header.
607	r2.Header = make(http.Header)
608	for k, s := range r.Header {
609		r2.Header[k] = s
610	}
611	return r2
612}
613
614// NewTLSConfig creates a new tls.Config from the given TLSConfig.
615func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) {
616	tlsConfig := &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify}
617
618	// If a CA cert is provided then let's read it in so we can validate the
619	// scrape target's certificate properly.
620	if len(cfg.CAFile) > 0 {
621		b, err := readCAFile(cfg.CAFile)
622		if err != nil {
623			return nil, err
624		}
625		if !updateRootCA(tlsConfig, b) {
626			return nil, fmt.Errorf("unable to use specified CA cert %s", cfg.CAFile)
627		}
628	}
629
630	if len(cfg.ServerName) > 0 {
631		tlsConfig.ServerName = cfg.ServerName
632	}
633	// If a client cert & key is provided then configure TLS config accordingly.
634	if len(cfg.CertFile) > 0 && len(cfg.KeyFile) == 0 {
635		return nil, fmt.Errorf("client cert file %q specified without client key file", cfg.CertFile)
636	} else if len(cfg.KeyFile) > 0 && len(cfg.CertFile) == 0 {
637		return nil, fmt.Errorf("client key file %q specified without client cert file", cfg.KeyFile)
638	} else if len(cfg.CertFile) > 0 && len(cfg.KeyFile) > 0 {
639		// Verify that client cert and key are valid.
640		if _, err := cfg.getClientCertificate(nil); err != nil {
641			return nil, err
642		}
643		tlsConfig.GetClientCertificate = cfg.getClientCertificate
644	}
645
646	return tlsConfig, nil
647}
648
649// TLSConfig configures the options for TLS connections.
650type TLSConfig struct {
651	// The CA cert to use for the targets.
652	CAFile string `yaml:"ca_file,omitempty" json:"ca_file,omitempty"`
653	// The client cert file for the targets.
654	CertFile string `yaml:"cert_file,omitempty" json:"cert_file,omitempty"`
655	// The client key file for the targets.
656	KeyFile string `yaml:"key_file,omitempty" json:"key_file,omitempty"`
657	// Used to verify the hostname for the targets.
658	ServerName string `yaml:"server_name,omitempty" json:"server_name,omitempty"`
659	// Disable target certificate validation.
660	InsecureSkipVerify bool `yaml:"insecure_skip_verify" json:"insecure_skip_verify"`
661}
662
663// SetDirectory joins any relative file paths with dir.
664func (c *TLSConfig) SetDirectory(dir string) {
665	if c == nil {
666		return
667	}
668	c.CAFile = JoinDir(dir, c.CAFile)
669	c.CertFile = JoinDir(dir, c.CertFile)
670	c.KeyFile = JoinDir(dir, c.KeyFile)
671}
672
673// UnmarshalYAML implements the yaml.Unmarshaler interface.
674func (c *TLSConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
675	type plain TLSConfig
676	return unmarshal((*plain)(c))
677}
678
679// getClientCertificate reads the pair of client cert and key from disk and returns a tls.Certificate.
680func (c *TLSConfig) getClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
681	cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
682	if err != nil {
683		return nil, fmt.Errorf("unable to use specified client cert (%s) & key (%s): %s", c.CertFile, c.KeyFile, err)
684	}
685	return &cert, nil
686}
687
688// readCAFile reads the CA cert file from disk.
689func readCAFile(f string) ([]byte, error) {
690	data, err := ioutil.ReadFile(f)
691	if err != nil {
692		return nil, fmt.Errorf("unable to load specified CA cert %s: %s", f, err)
693	}
694	return data, nil
695}
696
697// updateRootCA parses the given byte slice as a series of PEM encoded certificates and updates tls.Config.RootCAs.
698func updateRootCA(cfg *tls.Config, b []byte) bool {
699	caCertPool := x509.NewCertPool()
700	if !caCertPool.AppendCertsFromPEM(b) {
701		return false
702	}
703	cfg.RootCAs = caCertPool
704	return true
705}
706
707// tlsRoundTripper is a RoundTripper that updates automatically its TLS
708// configuration whenever the content of the CA file changes.
709type tlsRoundTripper struct {
710	caFile string
711	// newRT returns a new RoundTripper.
712	newRT func(*tls.Config) (http.RoundTripper, error)
713
714	mtx        sync.RWMutex
715	rt         http.RoundTripper
716	hashCAFile []byte
717	tlsConfig  *tls.Config
718}
719
720func NewTLSRoundTripper(
721	cfg *tls.Config,
722	caFile string,
723	newRT func(*tls.Config) (http.RoundTripper, error),
724) (http.RoundTripper, error) {
725	t := &tlsRoundTripper{
726		caFile:    caFile,
727		newRT:     newRT,
728		tlsConfig: cfg,
729	}
730
731	rt, err := t.newRT(t.tlsConfig)
732	if err != nil {
733		return nil, err
734	}
735	t.rt = rt
736
737	_, t.hashCAFile, err = t.getCAWithHash()
738	if err != nil {
739		return nil, err
740	}
741
742	return t, nil
743}
744
745func (t *tlsRoundTripper) getCAWithHash() ([]byte, []byte, error) {
746	b, err := readCAFile(t.caFile)
747	if err != nil {
748		return nil, nil, err
749	}
750	h := sha256.Sum256(b)
751	return b, h[:], nil
752
753}
754
755// RoundTrip implements the http.RoundTrip interface.
756func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
757	b, h, err := t.getCAWithHash()
758	if err != nil {
759		return nil, err
760	}
761
762	t.mtx.RLock()
763	equal := bytes.Equal(h[:], t.hashCAFile)
764	rt := t.rt
765	t.mtx.RUnlock()
766	if equal {
767		// The CA cert hasn't changed, use the existing RoundTripper.
768		return rt.RoundTrip(req)
769	}
770
771	// Create a new RoundTripper.
772	tlsConfig := t.tlsConfig.Clone()
773	if !updateRootCA(tlsConfig, b) {
774		return nil, fmt.Errorf("unable to use specified CA cert %s", t.caFile)
775	}
776	rt, err = t.newRT(tlsConfig)
777	if err != nil {
778		return nil, err
779	}
780	t.CloseIdleConnections()
781
782	t.mtx.Lock()
783	t.rt = rt
784	t.hashCAFile = h[:]
785	t.mtx.Unlock()
786
787	return rt.RoundTrip(req)
788}
789
790func (t *tlsRoundTripper) CloseIdleConnections() {
791	t.mtx.RLock()
792	defer t.mtx.RUnlock()
793	if ci, ok := t.rt.(closeIdler); ok {
794		ci.CloseIdleConnections()
795	}
796}
797
798func (c HTTPClientConfig) String() string {
799	b, err := yaml.Marshal(c)
800	if err != nil {
801		return fmt.Sprintf("<error creating http client config string: %s>", err)
802	}
803	return string(b)
804}
805