1// Copyright 2016 The Prometheus Authors 2// Licensed under the Apache License, Version 2.0 (the "License"); 3// you may not use this file except in compliance with the License. 4// You may obtain a copy of the License at 5// 6// http://www.apache.org/licenses/LICENSE-2.0 7// 8// Unless required by applicable law or agreed to in writing, software 9// distributed under the License is distributed on an "AS IS" BASIS, 10// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11// See the License for the specific language governing permissions and 12// limitations under the License. 13 14// +build go1.8 15 16package config 17 18import ( 19 "bytes" 20 "context" 21 "crypto/sha256" 22 "crypto/tls" 23 "crypto/x509" 24 "encoding/json" 25 "fmt" 26 "io/ioutil" 27 "net" 28 "net/http" 29 "net/url" 30 "os" 31 "strings" 32 "sync" 33 "time" 34 35 "github.com/mwitkow/go-conntrack" 36 "golang.org/x/net/http2" 37 "golang.org/x/oauth2" 38 "golang.org/x/oauth2/clientcredentials" 39 "gopkg.in/yaml.v2" 40) 41 42// DefaultHTTPClientConfig is the default HTTP client configuration. 43var DefaultHTTPClientConfig = HTTPClientConfig{ 44 FollowRedirects: true, 45} 46 47// defaultHTTPClientOptions holds the default HTTP client options. 48var defaultHTTPClientOptions = httpClientOptions{ 49 keepAlivesEnabled: true, 50 http2Enabled: true, 51 // 5 minutes is typically above the maximum sane scrape interval. So we can 52 // use keepalive for all configurations. 53 idleConnTimeout: 5 * time.Minute, 54} 55 56type closeIdler interface { 57 CloseIdleConnections() 58} 59 60// BasicAuth contains basic HTTP authentication credentials. 61type BasicAuth struct { 62 Username string `yaml:"username" json:"username"` 63 Password Secret `yaml:"password,omitempty" json:"password,omitempty"` 64 PasswordFile string `yaml:"password_file,omitempty" json:"password_file,omitempty"` 65} 66 67// SetDirectory joins any relative file paths with dir. 68func (a *BasicAuth) SetDirectory(dir string) { 69 if a == nil { 70 return 71 } 72 a.PasswordFile = JoinDir(dir, a.PasswordFile) 73} 74 75// Authorization contains HTTP authorization credentials. 76type Authorization struct { 77 Type string `yaml:"type,omitempty" json:"type,omitempty"` 78 Credentials Secret `yaml:"credentials,omitempty" json:"credentials,omitempty"` 79 CredentialsFile string `yaml:"credentials_file,omitempty" json:"credentials_file,omitempty"` 80} 81 82// SetDirectory joins any relative file paths with dir. 83func (a *Authorization) SetDirectory(dir string) { 84 if a == nil { 85 return 86 } 87 a.CredentialsFile = JoinDir(dir, a.CredentialsFile) 88} 89 90// URL is a custom URL type that allows validation at configuration load time. 91type URL struct { 92 *url.URL 93} 94 95// UnmarshalYAML implements the yaml.Unmarshaler interface for URLs. 96func (u *URL) UnmarshalYAML(unmarshal func(interface{}) error) error { 97 var s string 98 if err := unmarshal(&s); err != nil { 99 return err 100 } 101 102 urlp, err := url.Parse(s) 103 if err != nil { 104 return err 105 } 106 u.URL = urlp 107 return nil 108} 109 110// MarshalYAML implements the yaml.Marshaler interface for URLs. 111func (u URL) MarshalYAML() (interface{}, error) { 112 if u.URL != nil { 113 return u.Redacted(), nil 114 } 115 return nil, nil 116} 117 118// Redacted returns the URL but replaces any password with "xxxxx". 119func (u URL) Redacted() string { 120 if u.URL == nil { 121 return "" 122 } 123 124 ru := *u.URL 125 if _, ok := ru.User.Password(); ok { 126 // We can not use secretToken because it would be escaped. 127 ru.User = url.UserPassword(ru.User.Username(), "xxxxx") 128 } 129 return ru.String() 130} 131 132// UnmarshalJSON implements the json.Marshaler interface for URL. 133func (u *URL) UnmarshalJSON(data []byte) error { 134 var s string 135 if err := json.Unmarshal(data, &s); err != nil { 136 return err 137 } 138 urlp, err := url.Parse(s) 139 if err != nil { 140 return err 141 } 142 u.URL = urlp 143 return nil 144} 145 146// MarshalJSON implements the json.Marshaler interface for URL. 147func (u URL) MarshalJSON() ([]byte, error) { 148 if u.URL != nil { 149 return json.Marshal(u.URL.String()) 150 } 151 return []byte("null"), nil 152} 153 154// OAuth2 is the oauth2 client configuration. 155type OAuth2 struct { 156 ClientID string `yaml:"client_id" json:"client_id"` 157 ClientSecret Secret `yaml:"client_secret" json:"client_secret"` 158 ClientSecretFile string `yaml:"client_secret_file" json:"client_secret_file"` 159 Scopes []string `yaml:"scopes,omitempty" json:"scopes,omitempty"` 160 TokenURL string `yaml:"token_url" json:"token_url"` 161 EndpointParams map[string]string `yaml:"endpoint_params,omitempty" json:"endpoint_params,omitempty"` 162 163 // TLSConfig is used to connect to the token URL. 164 TLSConfig TLSConfig `yaml:"tls_config,omitempty"` 165} 166 167// SetDirectory joins any relative file paths with dir. 168func (a *OAuth2) SetDirectory(dir string) { 169 if a == nil { 170 return 171 } 172 a.ClientSecretFile = JoinDir(dir, a.ClientSecretFile) 173 a.TLSConfig.SetDirectory(dir) 174} 175 176// HTTPClientConfig configures an HTTP client. 177type HTTPClientConfig struct { 178 // The HTTP basic authentication credentials for the targets. 179 BasicAuth *BasicAuth `yaml:"basic_auth,omitempty" json:"basic_auth,omitempty"` 180 // The HTTP authorization credentials for the targets. 181 Authorization *Authorization `yaml:"authorization,omitempty" json:"authorization,omitempty"` 182 // The OAuth2 client credentials used to fetch a token for the targets. 183 OAuth2 *OAuth2 `yaml:"oauth2,omitempty" json:"oauth2,omitempty"` 184 // The bearer token for the targets. Deprecated in favour of 185 // Authorization.Credentials. 186 BearerToken Secret `yaml:"bearer_token,omitempty" json:"bearer_token,omitempty"` 187 // The bearer token file for the targets. Deprecated in favour of 188 // Authorization.CredentialsFile. 189 BearerTokenFile string `yaml:"bearer_token_file,omitempty" json:"bearer_token_file,omitempty"` 190 // HTTP proxy server to use to connect to the targets. 191 ProxyURL URL `yaml:"proxy_url,omitempty" json:"proxy_url,omitempty"` 192 // TLSConfig to use to connect to the targets. 193 TLSConfig TLSConfig `yaml:"tls_config,omitempty" json:"tls_config,omitempty"` 194 // FollowRedirects specifies whether the client should follow HTTP 3xx redirects. 195 // The omitempty flag is not set, because it would be hidden from the 196 // marshalled configuration when set to false. 197 FollowRedirects bool `yaml:"follow_redirects" json:"follow_redirects"` 198} 199 200// SetDirectory joins any relative file paths with dir. 201func (c *HTTPClientConfig) SetDirectory(dir string) { 202 if c == nil { 203 return 204 } 205 c.TLSConfig.SetDirectory(dir) 206 c.BasicAuth.SetDirectory(dir) 207 c.Authorization.SetDirectory(dir) 208 c.OAuth2.SetDirectory(dir) 209 c.BearerTokenFile = JoinDir(dir, c.BearerTokenFile) 210} 211 212// Validate validates the HTTPClientConfig to check only one of BearerToken, 213// BasicAuth and BearerTokenFile is configured. 214func (c *HTTPClientConfig) Validate() error { 215 // Backwards compatibility with the bearer_token field. 216 if len(c.BearerToken) > 0 && len(c.BearerTokenFile) > 0 { 217 return fmt.Errorf("at most one of bearer_token & bearer_token_file must be configured") 218 } 219 if (c.BasicAuth != nil || c.OAuth2 != nil) && (len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0) { 220 return fmt.Errorf("at most one of basic_auth, oauth2, bearer_token & bearer_token_file must be configured") 221 } 222 if c.BasicAuth != nil && (string(c.BasicAuth.Password) != "" && c.BasicAuth.PasswordFile != "") { 223 return fmt.Errorf("at most one of basic_auth password & password_file must be configured") 224 } 225 if c.Authorization != nil { 226 if len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0 { 227 return fmt.Errorf("authorization is not compatible with bearer_token & bearer_token_file") 228 } 229 if string(c.Authorization.Credentials) != "" && c.Authorization.CredentialsFile != "" { 230 return fmt.Errorf("at most one of authorization credentials & credentials_file must be configured") 231 } 232 c.Authorization.Type = strings.TrimSpace(c.Authorization.Type) 233 if len(c.Authorization.Type) == 0 { 234 c.Authorization.Type = "Bearer" 235 } 236 if strings.ToLower(c.Authorization.Type) == "basic" { 237 return fmt.Errorf(`authorization type cannot be set to "basic", use "basic_auth" instead`) 238 } 239 if c.BasicAuth != nil || c.OAuth2 != nil { 240 return fmt.Errorf("at most one of basic_auth, oauth2 & authorization must be configured") 241 } 242 } else { 243 if len(c.BearerToken) > 0 { 244 c.Authorization = &Authorization{Credentials: c.BearerToken} 245 c.Authorization.Type = "Bearer" 246 c.BearerToken = "" 247 } 248 if len(c.BearerTokenFile) > 0 { 249 c.Authorization = &Authorization{CredentialsFile: c.BearerTokenFile} 250 c.Authorization.Type = "Bearer" 251 c.BearerTokenFile = "" 252 } 253 } 254 if c.OAuth2 != nil { 255 if c.BasicAuth != nil { 256 return fmt.Errorf("at most one of basic_auth, oauth2 & authorization must be configured") 257 } 258 if len(c.OAuth2.ClientID) == 0 { 259 return fmt.Errorf("oauth2 client_id must be configured") 260 } 261 if len(c.OAuth2.ClientSecret) == 0 && len(c.OAuth2.ClientSecretFile) == 0 { 262 return fmt.Errorf("either oauth2 client_secret or client_secret_file must be configured") 263 } 264 if len(c.OAuth2.TokenURL) == 0 { 265 return fmt.Errorf("oauth2 token_url must be configured") 266 } 267 if len(c.OAuth2.ClientSecret) > 0 && len(c.OAuth2.ClientSecretFile) > 0 { 268 return fmt.Errorf("at most one of oauth2 client_secret & client_secret_file must be configured") 269 } 270 } 271 return nil 272} 273 274// UnmarshalYAML implements the yaml.Unmarshaler interface 275func (c *HTTPClientConfig) UnmarshalYAML(unmarshal func(interface{}) error) error { 276 type plain HTTPClientConfig 277 *c = DefaultHTTPClientConfig 278 if err := unmarshal((*plain)(c)); err != nil { 279 return err 280 } 281 return c.Validate() 282} 283 284// UnmarshalJSON implements the json.Marshaler interface for URL. 285func (c *HTTPClientConfig) UnmarshalJSON(data []byte) error { 286 type plain HTTPClientConfig 287 *c = DefaultHTTPClientConfig 288 if err := json.Unmarshal(data, (*plain)(c)); err != nil { 289 return err 290 } 291 return c.Validate() 292} 293 294// UnmarshalYAML implements the yaml.Unmarshaler interface. 295func (a *BasicAuth) UnmarshalYAML(unmarshal func(interface{}) error) error { 296 type plain BasicAuth 297 return unmarshal((*plain)(a)) 298} 299 300// DialContextFunc defines the signature of the DialContext() function implemented 301// by net.Dialer. 302type DialContextFunc func(context.Context, string, string) (net.Conn, error) 303 304type httpClientOptions struct { 305 dialContextFunc DialContextFunc 306 keepAlivesEnabled bool 307 http2Enabled bool 308 idleConnTimeout time.Duration 309} 310 311// HTTPClientOption defines an option that can be applied to the HTTP client. 312type HTTPClientOption func(options *httpClientOptions) 313 314// WithDialContextFunc allows you to override func gets used for the actual dialing. The default is `net.Dialer.DialContext`. 315func WithDialContextFunc(fn DialContextFunc) HTTPClientOption { 316 return func(opts *httpClientOptions) { 317 opts.dialContextFunc = fn 318 } 319} 320 321// WithKeepAlivesDisabled allows to disable HTTP keepalive. 322func WithKeepAlivesDisabled() HTTPClientOption { 323 return func(opts *httpClientOptions) { 324 opts.keepAlivesEnabled = false 325 } 326} 327 328// WithHTTP2Disabled allows to disable HTTP2. 329func WithHTTP2Disabled() HTTPClientOption { 330 return func(opts *httpClientOptions) { 331 opts.http2Enabled = false 332 } 333} 334 335// WithIdleConnTimeout allows setting the idle connection timeout. 336func WithIdleConnTimeout(timeout time.Duration) HTTPClientOption { 337 return func(opts *httpClientOptions) { 338 opts.idleConnTimeout = timeout 339 } 340} 341 342// NewClient returns a http.Client using the specified http.RoundTripper. 343func newClient(rt http.RoundTripper) *http.Client { 344 return &http.Client{Transport: rt} 345} 346 347// NewClientFromConfig returns a new HTTP client configured for the 348// given config.HTTPClientConfig and config.HTTPClientOption. 349// The name is used as go-conntrack metric label. 350func NewClientFromConfig(cfg HTTPClientConfig, name string, optFuncs ...HTTPClientOption) (*http.Client, error) { 351 rt, err := NewRoundTripperFromConfig(cfg, name, optFuncs...) 352 if err != nil { 353 return nil, err 354 } 355 client := newClient(rt) 356 if !cfg.FollowRedirects { 357 client.CheckRedirect = func(*http.Request, []*http.Request) error { 358 return http.ErrUseLastResponse 359 } 360 } 361 return client, nil 362} 363 364// NewRoundTripperFromConfig returns a new HTTP RoundTripper configured for the 365// given config.HTTPClientConfig and config.HTTPClientOption. 366// The name is used as go-conntrack metric label. 367func NewRoundTripperFromConfig(cfg HTTPClientConfig, name string, optFuncs ...HTTPClientOption) (http.RoundTripper, error) { 368 opts := defaultHTTPClientOptions 369 for _, f := range optFuncs { 370 f(&opts) 371 } 372 373 var dialContext func(ctx context.Context, network, addr string) (net.Conn, error) 374 375 if opts.dialContextFunc != nil { 376 dialContext = conntrack.NewDialContextFunc( 377 conntrack.DialWithDialContextFunc((func(context.Context, string, string) (net.Conn, error))(opts.dialContextFunc)), 378 conntrack.DialWithTracing(), 379 conntrack.DialWithName(name)) 380 } else { 381 dialContext = conntrack.NewDialContextFunc( 382 conntrack.DialWithTracing(), 383 conntrack.DialWithName(name)) 384 } 385 386 newRT := func(tlsConfig *tls.Config) (http.RoundTripper, error) { 387 // The only timeout we care about is the configured scrape timeout. 388 // It is applied on request. So we leave out any timings here. 389 var rt http.RoundTripper = &http.Transport{ 390 Proxy: http.ProxyURL(cfg.ProxyURL.URL), 391 MaxIdleConns: 20000, 392 MaxIdleConnsPerHost: 1000, // see https://github.com/golang/go/issues/13801 393 DisableKeepAlives: !opts.keepAlivesEnabled, 394 TLSClientConfig: tlsConfig, 395 DisableCompression: true, 396 IdleConnTimeout: opts.idleConnTimeout, 397 TLSHandshakeTimeout: 10 * time.Second, 398 ExpectContinueTimeout: 1 * time.Second, 399 DialContext: dialContext, 400 } 401 if opts.http2Enabled && os.Getenv("PROMETHEUS_COMMON_DISABLE_HTTP2") == "" { 402 // HTTP/2 support is golang had many problematic cornercases where 403 // dead connections would be kept and used in connection pools. 404 // https://github.com/golang/go/issues/32388 405 // https://github.com/golang/go/issues/39337 406 // https://github.com/golang/go/issues/39750 407 408 // Do not enable HTTP2 if the environment variable 409 // PROMETHEUS_COMMON_DISABLE_HTTP2 is set to a non-empty value. 410 // This allows users to easily disable HTTP2 in case they run into 411 // issues again, but will be removed once we are confident that 412 // things work as expected. 413 414 http2t, err := http2.ConfigureTransports(rt.(*http.Transport)) 415 if err != nil { 416 return nil, err 417 } 418 http2t.ReadIdleTimeout = time.Minute 419 } 420 421 // If a authorization_credentials is provided, create a round tripper that will set the 422 // Authorization header correctly on each request. 423 if cfg.Authorization != nil && len(cfg.Authorization.Credentials) > 0 { 424 rt = NewAuthorizationCredentialsRoundTripper(cfg.Authorization.Type, cfg.Authorization.Credentials, rt) 425 } else if cfg.Authorization != nil && len(cfg.Authorization.CredentialsFile) > 0 { 426 rt = NewAuthorizationCredentialsFileRoundTripper(cfg.Authorization.Type, cfg.Authorization.CredentialsFile, rt) 427 } 428 // Backwards compatibility, be nice with importers who would not have 429 // called Validate(). 430 if len(cfg.BearerToken) > 0 { 431 rt = NewAuthorizationCredentialsRoundTripper("Bearer", cfg.BearerToken, rt) 432 } else if len(cfg.BearerTokenFile) > 0 { 433 rt = NewAuthorizationCredentialsFileRoundTripper("Bearer", cfg.BearerTokenFile, rt) 434 } 435 436 if cfg.BasicAuth != nil { 437 rt = NewBasicAuthRoundTripper(cfg.BasicAuth.Username, cfg.BasicAuth.Password, cfg.BasicAuth.PasswordFile, rt) 438 } 439 440 if cfg.OAuth2 != nil { 441 rt = NewOAuth2RoundTripper(cfg.OAuth2, rt) 442 } 443 // Return a new configured RoundTripper. 444 return rt, nil 445 } 446 447 tlsConfig, err := NewTLSConfig(&cfg.TLSConfig) 448 if err != nil { 449 return nil, err 450 } 451 452 if len(cfg.TLSConfig.CAFile) == 0 { 453 // No need for a RoundTripper that reloads the CA file automatically. 454 return newRT(tlsConfig) 455 } 456 457 return NewTLSRoundTripper(tlsConfig, cfg.TLSConfig.CAFile, newRT) 458} 459 460type authorizationCredentialsRoundTripper struct { 461 authType string 462 authCredentials Secret 463 rt http.RoundTripper 464} 465 466// NewAuthorizationCredentialsRoundTripper adds the provided credentials to a 467// request unless the authorization header has already been set. 468func NewAuthorizationCredentialsRoundTripper(authType string, authCredentials Secret, rt http.RoundTripper) http.RoundTripper { 469 return &authorizationCredentialsRoundTripper{authType, authCredentials, rt} 470} 471 472func (rt *authorizationCredentialsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { 473 if len(req.Header.Get("Authorization")) == 0 { 474 req = cloneRequest(req) 475 req.Header.Set("Authorization", fmt.Sprintf("%s %s", rt.authType, string(rt.authCredentials))) 476 } 477 return rt.rt.RoundTrip(req) 478} 479 480func (rt *authorizationCredentialsRoundTripper) CloseIdleConnections() { 481 if ci, ok := rt.rt.(closeIdler); ok { 482 ci.CloseIdleConnections() 483 } 484} 485 486type authorizationCredentialsFileRoundTripper struct { 487 authType string 488 authCredentialsFile string 489 rt http.RoundTripper 490} 491 492// NewAuthorizationCredentialsFileRoundTripper adds the authorization 493// credentials read from the provided file to a request unless the authorization 494// header has already been set. This file is read for every request. 495func NewAuthorizationCredentialsFileRoundTripper(authType, authCredentialsFile string, rt http.RoundTripper) http.RoundTripper { 496 return &authorizationCredentialsFileRoundTripper{authType, authCredentialsFile, rt} 497} 498 499func (rt *authorizationCredentialsFileRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { 500 if len(req.Header.Get("Authorization")) == 0 { 501 b, err := ioutil.ReadFile(rt.authCredentialsFile) 502 if err != nil { 503 return nil, fmt.Errorf("unable to read authorization credentials file %s: %s", rt.authCredentialsFile, err) 504 } 505 authCredentials := strings.TrimSpace(string(b)) 506 507 req = cloneRequest(req) 508 req.Header.Set("Authorization", fmt.Sprintf("%s %s", rt.authType, authCredentials)) 509 } 510 511 return rt.rt.RoundTrip(req) 512} 513 514func (rt *authorizationCredentialsFileRoundTripper) CloseIdleConnections() { 515 if ci, ok := rt.rt.(closeIdler); ok { 516 ci.CloseIdleConnections() 517 } 518} 519 520type basicAuthRoundTripper struct { 521 username string 522 password Secret 523 passwordFile string 524 rt http.RoundTripper 525} 526 527// NewBasicAuthRoundTripper will apply a BASIC auth authorization header to a request unless it has 528// already been set. 529func NewBasicAuthRoundTripper(username string, password Secret, passwordFile string, rt http.RoundTripper) http.RoundTripper { 530 return &basicAuthRoundTripper{username, password, passwordFile, rt} 531} 532 533func (rt *basicAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { 534 if len(req.Header.Get("Authorization")) != 0 { 535 return rt.rt.RoundTrip(req) 536 } 537 req = cloneRequest(req) 538 if rt.passwordFile != "" { 539 bs, err := ioutil.ReadFile(rt.passwordFile) 540 if err != nil { 541 return nil, fmt.Errorf("unable to read basic auth password file %s: %s", rt.passwordFile, err) 542 } 543 req.SetBasicAuth(rt.username, strings.TrimSpace(string(bs))) 544 } else { 545 req.SetBasicAuth(rt.username, strings.TrimSpace(string(rt.password))) 546 } 547 return rt.rt.RoundTrip(req) 548} 549 550func (rt *basicAuthRoundTripper) CloseIdleConnections() { 551 if ci, ok := rt.rt.(closeIdler); ok { 552 ci.CloseIdleConnections() 553 } 554} 555 556type oauth2RoundTripper struct { 557 config *OAuth2 558 rt http.RoundTripper 559 next http.RoundTripper 560 secret string 561 mtx sync.RWMutex 562} 563 564func NewOAuth2RoundTripper(config *OAuth2, next http.RoundTripper) http.RoundTripper { 565 return &oauth2RoundTripper{ 566 config: config, 567 next: next, 568 } 569} 570 571func (rt *oauth2RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { 572 var ( 573 secret string 574 changed bool 575 ) 576 577 if rt.config.ClientSecretFile != "" { 578 data, err := ioutil.ReadFile(rt.config.ClientSecretFile) 579 if err != nil { 580 return nil, fmt.Errorf("unable to read oauth2 client secret file %s: %s", rt.config.ClientSecretFile, err) 581 } 582 secret = strings.TrimSpace(string(data)) 583 rt.mtx.RLock() 584 changed = secret != rt.secret 585 rt.mtx.RUnlock() 586 } 587 588 if changed || rt.rt == nil { 589 if rt.config.ClientSecret != "" { 590 secret = string(rt.config.ClientSecret) 591 } 592 593 config := &clientcredentials.Config{ 594 ClientID: rt.config.ClientID, 595 ClientSecret: secret, 596 Scopes: rt.config.Scopes, 597 TokenURL: rt.config.TokenURL, 598 EndpointParams: mapToValues(rt.config.EndpointParams), 599 } 600 601 tlsConfig, err := NewTLSConfig(&rt.config.TLSConfig) 602 if err != nil { 603 return nil, err 604 } 605 606 var t http.RoundTripper 607 if len(rt.config.TLSConfig.CAFile) == 0 { 608 t = &http.Transport{TLSClientConfig: tlsConfig} 609 } else { 610 t, err = NewTLSRoundTripper(tlsConfig, rt.config.TLSConfig.CAFile, func(tls *tls.Config) (http.RoundTripper, error) { 611 return &http.Transport{TLSClientConfig: tls}, nil 612 }) 613 if err != nil { 614 return nil, err 615 } 616 } 617 618 ctx := context.WithValue(context.Background(), oauth2.HTTPClient, &http.Client{Transport: t}) 619 tokenSource := config.TokenSource(ctx) 620 621 rt.mtx.Lock() 622 rt.secret = secret 623 rt.rt = &oauth2.Transport{ 624 Base: rt.next, 625 Source: tokenSource, 626 } 627 rt.mtx.Unlock() 628 } 629 630 rt.mtx.RLock() 631 currentRT := rt.rt 632 rt.mtx.RUnlock() 633 return currentRT.RoundTrip(req) 634} 635 636func (rt *oauth2RoundTripper) CloseIdleConnections() { 637 // OAuth2 RT does not support CloseIdleConnections() but the next RT might. 638 if ci, ok := rt.next.(closeIdler); ok { 639 ci.CloseIdleConnections() 640 } 641} 642 643func mapToValues(m map[string]string) url.Values { 644 v := url.Values{} 645 for name, value := range m { 646 v.Set(name, value) 647 } 648 649 return v 650} 651 652// cloneRequest returns a clone of the provided *http.Request. 653// The clone is a shallow copy of the struct and its Header map. 654func cloneRequest(r *http.Request) *http.Request { 655 // Shallow copy of the struct. 656 r2 := new(http.Request) 657 *r2 = *r 658 // Deep copy of the Header. 659 r2.Header = make(http.Header) 660 for k, s := range r.Header { 661 r2.Header[k] = s 662 } 663 return r2 664} 665 666// NewTLSConfig creates a new tls.Config from the given TLSConfig. 667func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) { 668 tlsConfig := &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify} 669 670 // If a CA cert is provided then let's read it in so we can validate the 671 // scrape target's certificate properly. 672 if len(cfg.CAFile) > 0 { 673 b, err := readCAFile(cfg.CAFile) 674 if err != nil { 675 return nil, err 676 } 677 if !updateRootCA(tlsConfig, b) { 678 return nil, fmt.Errorf("unable to use specified CA cert %s", cfg.CAFile) 679 } 680 } 681 682 if len(cfg.ServerName) > 0 { 683 tlsConfig.ServerName = cfg.ServerName 684 } 685 // If a client cert & key is provided then configure TLS config accordingly. 686 if len(cfg.CertFile) > 0 && len(cfg.KeyFile) == 0 { 687 return nil, fmt.Errorf("client cert file %q specified without client key file", cfg.CertFile) 688 } else if len(cfg.KeyFile) > 0 && len(cfg.CertFile) == 0 { 689 return nil, fmt.Errorf("client key file %q specified without client cert file", cfg.KeyFile) 690 } else if len(cfg.CertFile) > 0 && len(cfg.KeyFile) > 0 { 691 // Verify that client cert and key are valid. 692 if _, err := cfg.getClientCertificate(nil); err != nil { 693 return nil, err 694 } 695 tlsConfig.GetClientCertificate = cfg.getClientCertificate 696 } 697 698 return tlsConfig, nil 699} 700 701// TLSConfig configures the options for TLS connections. 702type TLSConfig struct { 703 // The CA cert to use for the targets. 704 CAFile string `yaml:"ca_file,omitempty" json:"ca_file,omitempty"` 705 // The client cert file for the targets. 706 CertFile string `yaml:"cert_file,omitempty" json:"cert_file,omitempty"` 707 // The client key file for the targets. 708 KeyFile string `yaml:"key_file,omitempty" json:"key_file,omitempty"` 709 // Used to verify the hostname for the targets. 710 ServerName string `yaml:"server_name,omitempty" json:"server_name,omitempty"` 711 // Disable target certificate validation. 712 InsecureSkipVerify bool `yaml:"insecure_skip_verify" json:"insecure_skip_verify"` 713} 714 715// SetDirectory joins any relative file paths with dir. 716func (c *TLSConfig) SetDirectory(dir string) { 717 if c == nil { 718 return 719 } 720 c.CAFile = JoinDir(dir, c.CAFile) 721 c.CertFile = JoinDir(dir, c.CertFile) 722 c.KeyFile = JoinDir(dir, c.KeyFile) 723} 724 725// UnmarshalYAML implements the yaml.Unmarshaler interface. 726func (c *TLSConfig) UnmarshalYAML(unmarshal func(interface{}) error) error { 727 type plain TLSConfig 728 return unmarshal((*plain)(c)) 729} 730 731// getClientCertificate reads the pair of client cert and key from disk and returns a tls.Certificate. 732func (c *TLSConfig) getClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) { 733 cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile) 734 if err != nil { 735 return nil, fmt.Errorf("unable to use specified client cert (%s) & key (%s): %s", c.CertFile, c.KeyFile, err) 736 } 737 return &cert, nil 738} 739 740// readCAFile reads the CA cert file from disk. 741func readCAFile(f string) ([]byte, error) { 742 data, err := ioutil.ReadFile(f) 743 if err != nil { 744 return nil, fmt.Errorf("unable to load specified CA cert %s: %s", f, err) 745 } 746 return data, nil 747} 748 749// updateRootCA parses the given byte slice as a series of PEM encoded certificates and updates tls.Config.RootCAs. 750func updateRootCA(cfg *tls.Config, b []byte) bool { 751 caCertPool := x509.NewCertPool() 752 if !caCertPool.AppendCertsFromPEM(b) { 753 return false 754 } 755 cfg.RootCAs = caCertPool 756 return true 757} 758 759// tlsRoundTripper is a RoundTripper that updates automatically its TLS 760// configuration whenever the content of the CA file changes. 761type tlsRoundTripper struct { 762 caFile string 763 // newRT returns a new RoundTripper. 764 newRT func(*tls.Config) (http.RoundTripper, error) 765 766 mtx sync.RWMutex 767 rt http.RoundTripper 768 hashCAFile []byte 769 tlsConfig *tls.Config 770} 771 772func NewTLSRoundTripper( 773 cfg *tls.Config, 774 caFile string, 775 newRT func(*tls.Config) (http.RoundTripper, error), 776) (http.RoundTripper, error) { 777 t := &tlsRoundTripper{ 778 caFile: caFile, 779 newRT: newRT, 780 tlsConfig: cfg, 781 } 782 783 rt, err := t.newRT(t.tlsConfig) 784 if err != nil { 785 return nil, err 786 } 787 t.rt = rt 788 _, t.hashCAFile, err = t.getCAWithHash() 789 if err != nil { 790 return nil, err 791 } 792 793 return t, nil 794} 795 796func (t *tlsRoundTripper) getCAWithHash() ([]byte, []byte, error) { 797 b, err := readCAFile(t.caFile) 798 if err != nil { 799 return nil, nil, err 800 } 801 h := sha256.Sum256(b) 802 return b, h[:], nil 803 804} 805 806// RoundTrip implements the http.RoundTrip interface. 807func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { 808 b, h, err := t.getCAWithHash() 809 if err != nil { 810 return nil, err 811 } 812 813 t.mtx.RLock() 814 equal := bytes.Equal(h[:], t.hashCAFile) 815 rt := t.rt 816 t.mtx.RUnlock() 817 if equal { 818 // The CA cert hasn't changed, use the existing RoundTripper. 819 return rt.RoundTrip(req) 820 } 821 822 // Create a new RoundTripper. 823 tlsConfig := t.tlsConfig.Clone() 824 if !updateRootCA(tlsConfig, b) { 825 return nil, fmt.Errorf("unable to use specified CA cert %s", t.caFile) 826 } 827 rt, err = t.newRT(tlsConfig) 828 if err != nil { 829 return nil, err 830 } 831 t.CloseIdleConnections() 832 833 t.mtx.Lock() 834 t.rt = rt 835 t.hashCAFile = h[:] 836 t.mtx.Unlock() 837 838 return rt.RoundTrip(req) 839} 840 841func (t *tlsRoundTripper) CloseIdleConnections() { 842 t.mtx.RLock() 843 defer t.mtx.RUnlock() 844 if ci, ok := t.rt.(closeIdler); ok { 845 ci.CloseIdleConnections() 846 } 847} 848 849func (c HTTPClientConfig) String() string { 850 b, err := yaml.Marshal(c) 851 if err != nil { 852 return fmt.Sprintf("<error creating http client config string: %s>", err) 853 } 854 return string(b) 855} 856