1// Copyright 2016 The Prometheus Authors 2// Licensed under the Apache License, Version 2.0 (the "License"); 3// you may not use this file except in compliance with the License. 4// You may obtain a copy of the License at 5// 6// http://www.apache.org/licenses/LICENSE-2.0 7// 8// Unless required by applicable law or agreed to in writing, software 9// distributed under the License is distributed on an "AS IS" BASIS, 10// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11// See the License for the specific language governing permissions and 12// limitations under the License. 13 14// +build go1.8 15 16package config 17 18import ( 19 "bytes" 20 "context" 21 "crypto/sha256" 22 "crypto/tls" 23 "crypto/x509" 24 "encoding/json" 25 "fmt" 26 "io/ioutil" 27 "net" 28 "net/http" 29 "net/url" 30 "strings" 31 "sync" 32 "time" 33 34 "github.com/mwitkow/go-conntrack" 35 "golang.org/x/net/http2" 36 "golang.org/x/oauth2" 37 "golang.org/x/oauth2/clientcredentials" 38 "gopkg.in/yaml.v2" 39) 40 41// DefaultHTTPClientConfig is the default HTTP client configuration. 42var DefaultHTTPClientConfig = HTTPClientConfig{ 43 FollowRedirects: true, 44} 45 46// defaultHTTPClientOptions holds the default HTTP client options. 47var defaultHTTPClientOptions = httpClientOptions{ 48 keepAlivesEnabled: true, 49 http2Enabled: true, 50} 51 52type closeIdler interface { 53 CloseIdleConnections() 54} 55 56// BasicAuth contains basic HTTP authentication credentials. 57type BasicAuth struct { 58 Username string `yaml:"username" json:"username"` 59 Password Secret `yaml:"password,omitempty" json:"password,omitempty"` 60 PasswordFile string `yaml:"password_file,omitempty" json:"password_file,omitempty"` 61} 62 63// SetDirectory joins any relative file paths with dir. 64func (a *BasicAuth) SetDirectory(dir string) { 65 if a == nil { 66 return 67 } 68 a.PasswordFile = JoinDir(dir, a.PasswordFile) 69} 70 71// Authorization contains HTTP authorization credentials. 72type Authorization struct { 73 Type string `yaml:"type,omitempty" json:"type,omitempty"` 74 Credentials Secret `yaml:"credentials,omitempty" json:"credentials,omitempty"` 75 CredentialsFile string `yaml:"credentials_file,omitempty" json:"credentials_file,omitempty"` 76} 77 78// SetDirectory joins any relative file paths with dir. 79func (a *Authorization) SetDirectory(dir string) { 80 if a == nil { 81 return 82 } 83 a.CredentialsFile = JoinDir(dir, a.CredentialsFile) 84} 85 86// URL is a custom URL type that allows validation at configuration load time. 87type URL struct { 88 *url.URL 89} 90 91// UnmarshalYAML implements the yaml.Unmarshaler interface for URLs. 92func (u *URL) UnmarshalYAML(unmarshal func(interface{}) error) error { 93 var s string 94 if err := unmarshal(&s); err != nil { 95 return err 96 } 97 98 urlp, err := url.Parse(s) 99 if err != nil { 100 return err 101 } 102 u.URL = urlp 103 return nil 104} 105 106// MarshalYAML implements the yaml.Marshaler interface for URLs. 107func (u URL) MarshalYAML() (interface{}, error) { 108 if u.URL != nil { 109 return u.String(), nil 110 } 111 return nil, nil 112} 113 114// UnmarshalJSON implements the json.Marshaler interface for URL. 115func (u *URL) UnmarshalJSON(data []byte) error { 116 var s string 117 if err := json.Unmarshal(data, &s); err != nil { 118 return err 119 } 120 urlp, err := url.Parse(s) 121 if err != nil { 122 return err 123 } 124 u.URL = urlp 125 return nil 126} 127 128// MarshalJSON implements the json.Marshaler interface for URL. 129func (u URL) MarshalJSON() ([]byte, error) { 130 if u.URL != nil { 131 return json.Marshal(u.URL.String()) 132 } 133 return nil, nil 134} 135 136// OAuth2 is the oauth2 client configuration. 137type OAuth2 struct { 138 ClientID string `yaml:"client_id" json:"client_id"` 139 ClientSecret Secret `yaml:"client_secret" json:"client_secret"` 140 ClientSecretFile string `yaml:"client_secret_file" json:"client_secret_file"` 141 Scopes []string `yaml:"scopes,omitempty" json:"scopes,omitempty"` 142 TokenURL string `yaml:"token_url" json:"token_url"` 143 EndpointParams map[string]string `yaml:"endpoint_params,omitempty" json:"endpoint_params,omitempty"` 144} 145 146// SetDirectory joins any relative file paths with dir. 147func (a *OAuth2) SetDirectory(dir string) { 148 if a == nil { 149 return 150 } 151 a.ClientSecretFile = JoinDir(dir, a.ClientSecretFile) 152} 153 154// HTTPClientConfig configures an HTTP client. 155type HTTPClientConfig struct { 156 // The HTTP basic authentication credentials for the targets. 157 BasicAuth *BasicAuth `yaml:"basic_auth,omitempty" json:"basic_auth,omitempty"` 158 // The HTTP authorization credentials for the targets. 159 Authorization *Authorization `yaml:"authorization,omitempty" json:"authorization,omitempty"` 160 // The OAuth2 client credentials used to fetch a token for the targets. 161 OAuth2 *OAuth2 `yaml:"oauth2,omitempty" json:"oauth2,omitempty"` 162 // The bearer token for the targets. Deprecated in favour of 163 // Authorization.Credentials. 164 BearerToken Secret `yaml:"bearer_token,omitempty" json:"bearer_token,omitempty"` 165 // The bearer token file for the targets. Deprecated in favour of 166 // Authorization.CredentialsFile. 167 BearerTokenFile string `yaml:"bearer_token_file,omitempty" json:"bearer_token_file,omitempty"` 168 // HTTP proxy server to use to connect to the targets. 169 ProxyURL URL `yaml:"proxy_url,omitempty" json:"proxy_url,omitempty"` 170 // TLSConfig to use to connect to the targets. 171 TLSConfig TLSConfig `yaml:"tls_config,omitempty" json:"tls_config,omitempty"` 172 // FollowRedirects specifies whether the client should follow HTTP 3xx redirects. 173 // The omitempty flag is not set, because it would be hidden from the 174 // marshalled configuration when set to false. 175 FollowRedirects bool `yaml:"follow_redirects" json:"follow_redirects"` 176} 177 178// SetDirectory joins any relative file paths with dir. 179func (c *HTTPClientConfig) SetDirectory(dir string) { 180 if c == nil { 181 return 182 } 183 c.TLSConfig.SetDirectory(dir) 184 c.BasicAuth.SetDirectory(dir) 185 c.Authorization.SetDirectory(dir) 186 c.OAuth2.SetDirectory(dir) 187 c.BearerTokenFile = JoinDir(dir, c.BearerTokenFile) 188} 189 190// Validate validates the HTTPClientConfig to check only one of BearerToken, 191// BasicAuth and BearerTokenFile is configured. 192func (c *HTTPClientConfig) Validate() error { 193 // Backwards compatibility with the bearer_token field. 194 if len(c.BearerToken) > 0 && len(c.BearerTokenFile) > 0 { 195 return fmt.Errorf("at most one of bearer_token & bearer_token_file must be configured") 196 } 197 if (c.BasicAuth != nil || c.OAuth2 != nil) && (len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0) { 198 return fmt.Errorf("at most one of basic_auth, oauth2, bearer_token & bearer_token_file must be configured") 199 } 200 if c.BasicAuth != nil && (string(c.BasicAuth.Password) != "" && c.BasicAuth.PasswordFile != "") { 201 return fmt.Errorf("at most one of basic_auth password & password_file must be configured") 202 } 203 if c.Authorization != nil { 204 if len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0 { 205 return fmt.Errorf("authorization is not compatible with bearer_token & bearer_token_file") 206 } 207 if string(c.Authorization.Credentials) != "" && c.Authorization.CredentialsFile != "" { 208 return fmt.Errorf("at most one of authorization credentials & credentials_file must be configured") 209 } 210 c.Authorization.Type = strings.TrimSpace(c.Authorization.Type) 211 if len(c.Authorization.Type) == 0 { 212 c.Authorization.Type = "Bearer" 213 } 214 if strings.ToLower(c.Authorization.Type) == "basic" { 215 return fmt.Errorf(`authorization type cannot be set to "basic", use "basic_auth" instead`) 216 } 217 if c.BasicAuth != nil || c.OAuth2 != nil { 218 return fmt.Errorf("at most one of basic_auth, oauth2 & authorization must be configured") 219 } 220 } else { 221 if len(c.BearerToken) > 0 { 222 c.Authorization = &Authorization{Credentials: c.BearerToken} 223 c.Authorization.Type = "Bearer" 224 c.BearerToken = "" 225 } 226 if len(c.BearerTokenFile) > 0 { 227 c.Authorization = &Authorization{CredentialsFile: c.BearerTokenFile} 228 c.Authorization.Type = "Bearer" 229 c.BearerTokenFile = "" 230 } 231 } 232 if c.OAuth2 != nil { 233 if c.BasicAuth != nil { 234 return fmt.Errorf("at most one of basic_auth, oauth2 & authorization must be configured") 235 } 236 if len(c.OAuth2.ClientID) == 0 { 237 return fmt.Errorf("oauth2 client_id must be configured") 238 } 239 if len(c.OAuth2.ClientSecret) == 0 && len(c.OAuth2.ClientSecretFile) == 0 { 240 return fmt.Errorf("either oauth2 client_secret or client_secret_file must be configured") 241 } 242 if len(c.OAuth2.TokenURL) == 0 { 243 return fmt.Errorf("oauth2 token_url must be configured") 244 } 245 if len(c.OAuth2.ClientSecret) > 0 && len(c.OAuth2.ClientSecretFile) > 0 { 246 return fmt.Errorf("at most one of oauth2 client_secret & client_secret_file must be configured") 247 } 248 } 249 return nil 250} 251 252// UnmarshalYAML implements the yaml.Unmarshaler interface 253func (c *HTTPClientConfig) UnmarshalYAML(unmarshal func(interface{}) error) error { 254 type plain HTTPClientConfig 255 *c = DefaultHTTPClientConfig 256 if err := unmarshal((*plain)(c)); err != nil { 257 return err 258 } 259 return c.Validate() 260} 261 262// UnmarshalJSON implements the json.Marshaler interface for URL. 263func (c *HTTPClientConfig) UnmarshalJSON(data []byte) error { 264 type plain HTTPClientConfig 265 *c = DefaultHTTPClientConfig 266 if err := json.Unmarshal(data, (*plain)(c)); err != nil { 267 return err 268 } 269 return c.Validate() 270} 271 272// UnmarshalYAML implements the yaml.Unmarshaler interface. 273func (a *BasicAuth) UnmarshalYAML(unmarshal func(interface{}) error) error { 274 type plain BasicAuth 275 return unmarshal((*plain)(a)) 276} 277 278// DialContextFunc defines the signature of the DialContext() function implemented 279// by net.Dialer. 280type DialContextFunc func(context.Context, string, string) (net.Conn, error) 281 282type httpClientOptions struct { 283 dialContextFunc DialContextFunc 284 keepAlivesEnabled bool 285 http2Enabled bool 286} 287 288// HTTPClientOption defines an option that can be applied to the HTTP client. 289type HTTPClientOption func(options *httpClientOptions) 290 291// WithDialContextFunc allows you to override func gets used for the actual dialing. The default is `net.Dialer.DialContext`. 292func WithDialContextFunc(fn DialContextFunc) HTTPClientOption { 293 return func(opts *httpClientOptions) { 294 opts.dialContextFunc = fn 295 } 296} 297 298// WithKeepAlivesDisabled allows to disable HTTP keepalive. 299func WithKeepAlivesDisabled() HTTPClientOption { 300 return func(opts *httpClientOptions) { 301 opts.keepAlivesEnabled = false 302 } 303} 304 305// WithHTTP2Disabled allows to disable HTTP2. 306func WithHTTP2Disabled() HTTPClientOption { 307 return func(opts *httpClientOptions) { 308 opts.http2Enabled = false 309 } 310} 311 312// NewClient returns a http.Client using the specified http.RoundTripper. 313func newClient(rt http.RoundTripper) *http.Client { 314 return &http.Client{Transport: rt} 315} 316 317// NewClientFromConfig returns a new HTTP client configured for the 318// given config.HTTPClientConfig and config.HTTPClientOption. 319// The name is used as go-conntrack metric label. 320func NewClientFromConfig(cfg HTTPClientConfig, name string, optFuncs ...HTTPClientOption) (*http.Client, error) { 321 rt, err := NewRoundTripperFromConfig(cfg, name, optFuncs...) 322 if err != nil { 323 return nil, err 324 } 325 client := newClient(rt) 326 if !cfg.FollowRedirects { 327 client.CheckRedirect = func(*http.Request, []*http.Request) error { 328 return http.ErrUseLastResponse 329 } 330 } 331 return client, nil 332} 333 334// NewRoundTripperFromConfig returns a new HTTP RoundTripper configured for the 335// given config.HTTPClientConfig and config.HTTPClientOption. 336// The name is used as go-conntrack metric label. 337func NewRoundTripperFromConfig(cfg HTTPClientConfig, name string, optFuncs ...HTTPClientOption) (http.RoundTripper, error) { 338 opts := defaultHTTPClientOptions 339 for _, f := range optFuncs { 340 f(&opts) 341 } 342 343 var dialContext func(ctx context.Context, network, addr string) (net.Conn, error) 344 345 if opts.dialContextFunc != nil { 346 dialContext = conntrack.NewDialContextFunc( 347 conntrack.DialWithDialContextFunc((func(context.Context, string, string) (net.Conn, error))(opts.dialContextFunc)), 348 conntrack.DialWithTracing(), 349 conntrack.DialWithName(name)) 350 } else { 351 dialContext = conntrack.NewDialContextFunc( 352 conntrack.DialWithTracing(), 353 conntrack.DialWithName(name)) 354 } 355 356 newRT := func(tlsConfig *tls.Config) (http.RoundTripper, error) { 357 // The only timeout we care about is the configured scrape timeout. 358 // It is applied on request. So we leave out any timings here. 359 var rt http.RoundTripper = &http.Transport{ 360 Proxy: http.ProxyURL(cfg.ProxyURL.URL), 361 MaxIdleConns: 20000, 362 MaxIdleConnsPerHost: 1000, // see https://github.com/golang/go/issues/13801 363 DisableKeepAlives: !opts.keepAlivesEnabled, 364 TLSClientConfig: tlsConfig, 365 DisableCompression: true, 366 // 5 minutes is typically above the maximum sane scrape interval. So we can 367 // use keepalive for all configurations. 368 IdleConnTimeout: 5 * time.Minute, 369 TLSHandshakeTimeout: 10 * time.Second, 370 ExpectContinueTimeout: 1 * time.Second, 371 DialContext: dialContext, 372 } 373 if opts.http2Enabled { 374 // HTTP/2 support is golang has many problematic cornercases where 375 // dead connections would be kept and used in connection pools. 376 // https://github.com/golang/go/issues/32388 377 // https://github.com/golang/go/issues/39337 378 // https://github.com/golang/go/issues/39750 379 // TODO: Re-Enable HTTP/2 once upstream issue is fixed. 380 // TODO: use ForceAttemptHTTP2 when we move to Go 1.13+. 381 err := http2.ConfigureTransport(rt.(*http.Transport)) 382 if err != nil { 383 return nil, err 384 } 385 } 386 387 // If a authorization_credentials is provided, create a round tripper that will set the 388 // Authorization header correctly on each request. 389 if cfg.Authorization != nil && len(cfg.Authorization.Credentials) > 0 { 390 rt = NewAuthorizationCredentialsRoundTripper(cfg.Authorization.Type, cfg.Authorization.Credentials, rt) 391 } else if cfg.Authorization != nil && len(cfg.Authorization.CredentialsFile) > 0 { 392 rt = NewAuthorizationCredentialsFileRoundTripper(cfg.Authorization.Type, cfg.Authorization.CredentialsFile, rt) 393 } 394 // Backwards compatibility, be nice with importers who would not have 395 // called Validate(). 396 if len(cfg.BearerToken) > 0 { 397 rt = NewAuthorizationCredentialsRoundTripper("Bearer", cfg.BearerToken, rt) 398 } else if len(cfg.BearerTokenFile) > 0 { 399 rt = NewAuthorizationCredentialsFileRoundTripper("Bearer", cfg.BearerTokenFile, rt) 400 } 401 402 if cfg.BasicAuth != nil { 403 rt = NewBasicAuthRoundTripper(cfg.BasicAuth.Username, cfg.BasicAuth.Password, cfg.BasicAuth.PasswordFile, rt) 404 } 405 406 if cfg.OAuth2 != nil { 407 rt = NewOAuth2RoundTripper(cfg.OAuth2, rt) 408 } 409 // Return a new configured RoundTripper. 410 return rt, nil 411 } 412 413 tlsConfig, err := NewTLSConfig(&cfg.TLSConfig) 414 if err != nil { 415 return nil, err 416 } 417 418 if len(cfg.TLSConfig.CAFile) == 0 { 419 // No need for a RoundTripper that reloads the CA file automatically. 420 return newRT(tlsConfig) 421 } 422 423 return NewTLSRoundTripper(tlsConfig, cfg.TLSConfig.CAFile, newRT) 424} 425 426type authorizationCredentialsRoundTripper struct { 427 authType string 428 authCredentials Secret 429 rt http.RoundTripper 430} 431 432// NewAuthorizationCredentialsRoundTripper adds the provided credentials to a 433// request unless the authorization header has already been set. 434func NewAuthorizationCredentialsRoundTripper(authType string, authCredentials Secret, rt http.RoundTripper) http.RoundTripper { 435 return &authorizationCredentialsRoundTripper{authType, authCredentials, rt} 436} 437 438func (rt *authorizationCredentialsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { 439 if len(req.Header.Get("Authorization")) == 0 { 440 req = cloneRequest(req) 441 req.Header.Set("Authorization", fmt.Sprintf("%s %s", rt.authType, string(rt.authCredentials))) 442 } 443 return rt.rt.RoundTrip(req) 444} 445 446func (rt *authorizationCredentialsRoundTripper) CloseIdleConnections() { 447 if ci, ok := rt.rt.(closeIdler); ok { 448 ci.CloseIdleConnections() 449 } 450} 451 452type authorizationCredentialsFileRoundTripper struct { 453 authType string 454 authCredentialsFile string 455 rt http.RoundTripper 456} 457 458// NewAuthorizationCredentialsFileRoundTripper adds the authorization 459// credentials read from the provided file to a request unless the authorization 460// header has already been set. This file is read for every request. 461func NewAuthorizationCredentialsFileRoundTripper(authType, authCredentialsFile string, rt http.RoundTripper) http.RoundTripper { 462 return &authorizationCredentialsFileRoundTripper{authType, authCredentialsFile, rt} 463} 464 465func (rt *authorizationCredentialsFileRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { 466 if len(req.Header.Get("Authorization")) == 0 { 467 b, err := ioutil.ReadFile(rt.authCredentialsFile) 468 if err != nil { 469 return nil, fmt.Errorf("unable to read authorization credentials file %s: %s", rt.authCredentialsFile, err) 470 } 471 authCredentials := strings.TrimSpace(string(b)) 472 473 req = cloneRequest(req) 474 req.Header.Set("Authorization", fmt.Sprintf("%s %s", rt.authType, authCredentials)) 475 } 476 477 return rt.rt.RoundTrip(req) 478} 479 480func (rt *authorizationCredentialsFileRoundTripper) CloseIdleConnections() { 481 if ci, ok := rt.rt.(closeIdler); ok { 482 ci.CloseIdleConnections() 483 } 484} 485 486type basicAuthRoundTripper struct { 487 username string 488 password Secret 489 passwordFile string 490 rt http.RoundTripper 491} 492 493// NewBasicAuthRoundTripper will apply a BASIC auth authorization header to a request unless it has 494// already been set. 495func NewBasicAuthRoundTripper(username string, password Secret, passwordFile string, rt http.RoundTripper) http.RoundTripper { 496 return &basicAuthRoundTripper{username, password, passwordFile, rt} 497} 498 499func (rt *basicAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { 500 if len(req.Header.Get("Authorization")) != 0 { 501 return rt.rt.RoundTrip(req) 502 } 503 req = cloneRequest(req) 504 if rt.passwordFile != "" { 505 bs, err := ioutil.ReadFile(rt.passwordFile) 506 if err != nil { 507 return nil, fmt.Errorf("unable to read basic auth password file %s: %s", rt.passwordFile, err) 508 } 509 req.SetBasicAuth(rt.username, strings.TrimSpace(string(bs))) 510 } else { 511 req.SetBasicAuth(rt.username, strings.TrimSpace(string(rt.password))) 512 } 513 return rt.rt.RoundTrip(req) 514} 515 516func (rt *basicAuthRoundTripper) CloseIdleConnections() { 517 if ci, ok := rt.rt.(closeIdler); ok { 518 ci.CloseIdleConnections() 519 } 520} 521 522type oauth2RoundTripper struct { 523 config *OAuth2 524 rt http.RoundTripper 525 next http.RoundTripper 526 secret string 527 mtx sync.RWMutex 528} 529 530func NewOAuth2RoundTripper(config *OAuth2, next http.RoundTripper) http.RoundTripper { 531 return &oauth2RoundTripper{ 532 config: config, 533 next: next, 534 } 535} 536 537func (rt *oauth2RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { 538 var ( 539 secret string 540 changed bool 541 ) 542 543 if rt.config.ClientSecretFile != "" { 544 data, err := ioutil.ReadFile(rt.config.ClientSecretFile) 545 if err != nil { 546 return nil, fmt.Errorf("unable to read oauth2 client secret file %s: %s", rt.config.ClientSecretFile, err) 547 } 548 secret = strings.TrimSpace(string(data)) 549 rt.mtx.RLock() 550 changed = secret != rt.secret 551 rt.mtx.RUnlock() 552 } 553 554 if changed || rt.rt == nil { 555 if rt.config.ClientSecret != "" { 556 secret = string(rt.config.ClientSecret) 557 } 558 559 config := &clientcredentials.Config{ 560 ClientID: rt.config.ClientID, 561 ClientSecret: secret, 562 Scopes: rt.config.Scopes, 563 TokenURL: rt.config.TokenURL, 564 EndpointParams: mapToValues(rt.config.EndpointParams), 565 } 566 567 tokenSource := config.TokenSource(context.Background()) 568 569 rt.mtx.Lock() 570 rt.secret = secret 571 rt.rt = &oauth2.Transport{ 572 Base: rt.next, 573 Source: tokenSource, 574 } 575 rt.mtx.Unlock() 576 } 577 578 rt.mtx.RLock() 579 currentRT := rt.rt 580 rt.mtx.RUnlock() 581 return currentRT.RoundTrip(req) 582} 583 584func (rt *oauth2RoundTripper) CloseIdleConnections() { 585 // OAuth2 RT does not support CloseIdleConnections() but the next RT might. 586 if ci, ok := rt.next.(closeIdler); ok { 587 ci.CloseIdleConnections() 588 } 589} 590 591func mapToValues(m map[string]string) url.Values { 592 v := url.Values{} 593 for name, value := range m { 594 v.Set(name, value) 595 } 596 597 return v 598} 599 600// cloneRequest returns a clone of the provided *http.Request. 601// The clone is a shallow copy of the struct and its Header map. 602func cloneRequest(r *http.Request) *http.Request { 603 // Shallow copy of the struct. 604 r2 := new(http.Request) 605 *r2 = *r 606 // Deep copy of the Header. 607 r2.Header = make(http.Header) 608 for k, s := range r.Header { 609 r2.Header[k] = s 610 } 611 return r2 612} 613 614// NewTLSConfig creates a new tls.Config from the given TLSConfig. 615func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) { 616 tlsConfig := &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify} 617 618 // If a CA cert is provided then let's read it in so we can validate the 619 // scrape target's certificate properly. 620 if len(cfg.CAFile) > 0 { 621 b, err := readCAFile(cfg.CAFile) 622 if err != nil { 623 return nil, err 624 } 625 if !updateRootCA(tlsConfig, b) { 626 return nil, fmt.Errorf("unable to use specified CA cert %s", cfg.CAFile) 627 } 628 } 629 630 if len(cfg.ServerName) > 0 { 631 tlsConfig.ServerName = cfg.ServerName 632 } 633 // If a client cert & key is provided then configure TLS config accordingly. 634 if len(cfg.CertFile) > 0 && len(cfg.KeyFile) == 0 { 635 return nil, fmt.Errorf("client cert file %q specified without client key file", cfg.CertFile) 636 } else if len(cfg.KeyFile) > 0 && len(cfg.CertFile) == 0 { 637 return nil, fmt.Errorf("client key file %q specified without client cert file", cfg.KeyFile) 638 } else if len(cfg.CertFile) > 0 && len(cfg.KeyFile) > 0 { 639 // Verify that client cert and key are valid. 640 if _, err := cfg.getClientCertificate(nil); err != nil { 641 return nil, err 642 } 643 tlsConfig.GetClientCertificate = cfg.getClientCertificate 644 } 645 646 return tlsConfig, nil 647} 648 649// TLSConfig configures the options for TLS connections. 650type TLSConfig struct { 651 // The CA cert to use for the targets. 652 CAFile string `yaml:"ca_file,omitempty" json:"ca_file,omitempty"` 653 // The client cert file for the targets. 654 CertFile string `yaml:"cert_file,omitempty" json:"cert_file,omitempty"` 655 // The client key file for the targets. 656 KeyFile string `yaml:"key_file,omitempty" json:"key_file,omitempty"` 657 // Used to verify the hostname for the targets. 658 ServerName string `yaml:"server_name,omitempty" json:"server_name,omitempty"` 659 // Disable target certificate validation. 660 InsecureSkipVerify bool `yaml:"insecure_skip_verify" json:"insecure_skip_verify"` 661} 662 663// SetDirectory joins any relative file paths with dir. 664func (c *TLSConfig) SetDirectory(dir string) { 665 if c == nil { 666 return 667 } 668 c.CAFile = JoinDir(dir, c.CAFile) 669 c.CertFile = JoinDir(dir, c.CertFile) 670 c.KeyFile = JoinDir(dir, c.KeyFile) 671} 672 673// UnmarshalYAML implements the yaml.Unmarshaler interface. 674func (c *TLSConfig) UnmarshalYAML(unmarshal func(interface{}) error) error { 675 type plain TLSConfig 676 return unmarshal((*plain)(c)) 677} 678 679// getClientCertificate reads the pair of client cert and key from disk and returns a tls.Certificate. 680func (c *TLSConfig) getClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) { 681 cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile) 682 if err != nil { 683 return nil, fmt.Errorf("unable to use specified client cert (%s) & key (%s): %s", c.CertFile, c.KeyFile, err) 684 } 685 return &cert, nil 686} 687 688// readCAFile reads the CA cert file from disk. 689func readCAFile(f string) ([]byte, error) { 690 data, err := ioutil.ReadFile(f) 691 if err != nil { 692 return nil, fmt.Errorf("unable to load specified CA cert %s: %s", f, err) 693 } 694 return data, nil 695} 696 697// updateRootCA parses the given byte slice as a series of PEM encoded certificates and updates tls.Config.RootCAs. 698func updateRootCA(cfg *tls.Config, b []byte) bool { 699 caCertPool := x509.NewCertPool() 700 if !caCertPool.AppendCertsFromPEM(b) { 701 return false 702 } 703 cfg.RootCAs = caCertPool 704 return true 705} 706 707// tlsRoundTripper is a RoundTripper that updates automatically its TLS 708// configuration whenever the content of the CA file changes. 709type tlsRoundTripper struct { 710 caFile string 711 // newRT returns a new RoundTripper. 712 newRT func(*tls.Config) (http.RoundTripper, error) 713 714 mtx sync.RWMutex 715 rt http.RoundTripper 716 hashCAFile []byte 717 tlsConfig *tls.Config 718} 719 720func NewTLSRoundTripper( 721 cfg *tls.Config, 722 caFile string, 723 newRT func(*tls.Config) (http.RoundTripper, error), 724) (http.RoundTripper, error) { 725 t := &tlsRoundTripper{ 726 caFile: caFile, 727 newRT: newRT, 728 tlsConfig: cfg, 729 } 730 731 rt, err := t.newRT(t.tlsConfig) 732 if err != nil { 733 return nil, err 734 } 735 t.rt = rt 736 737 _, t.hashCAFile, err = t.getCAWithHash() 738 if err != nil { 739 return nil, err 740 } 741 742 return t, nil 743} 744 745func (t *tlsRoundTripper) getCAWithHash() ([]byte, []byte, error) { 746 b, err := readCAFile(t.caFile) 747 if err != nil { 748 return nil, nil, err 749 } 750 h := sha256.Sum256(b) 751 return b, h[:], nil 752 753} 754 755// RoundTrip implements the http.RoundTrip interface. 756func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { 757 b, h, err := t.getCAWithHash() 758 if err != nil { 759 return nil, err 760 } 761 762 t.mtx.RLock() 763 equal := bytes.Equal(h[:], t.hashCAFile) 764 rt := t.rt 765 t.mtx.RUnlock() 766 if equal { 767 // The CA cert hasn't changed, use the existing RoundTripper. 768 return rt.RoundTrip(req) 769 } 770 771 // Create a new RoundTripper. 772 tlsConfig := t.tlsConfig.Clone() 773 if !updateRootCA(tlsConfig, b) { 774 return nil, fmt.Errorf("unable to use specified CA cert %s", t.caFile) 775 } 776 rt, err = t.newRT(tlsConfig) 777 if err != nil { 778 return nil, err 779 } 780 t.CloseIdleConnections() 781 782 t.mtx.Lock() 783 t.rt = rt 784 t.hashCAFile = h[:] 785 t.mtx.Unlock() 786 787 return rt.RoundTrip(req) 788} 789 790func (t *tlsRoundTripper) CloseIdleConnections() { 791 t.mtx.RLock() 792 defer t.mtx.RUnlock() 793 if ci, ok := t.rt.(closeIdler); ok { 794 ci.CloseIdleConnections() 795 } 796} 797 798func (c HTTPClientConfig) String() string { 799 b, err := yaml.Marshal(c) 800 if err != nil { 801 return fmt.Sprintf("<error creating http client config string: %s>", err) 802 } 803 return string(b) 804} 805