node_exporter/https/tls_config.go

// Copyright 2019 The Prometheus Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package https allows the implementation of TLS.
package https

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"net/http"

	"github.com/pkg/errors"
	"gopkg.in/yaml.v2"
)

type Config struct {
	TLSConfig TLSStruct `yaml:"tlsConfig"`
}

type TLSStruct struct {
	TLSCertPath string `yaml:"tlsCertPath"`
	TLSKeyPath  string `yaml:"tlsKeyPath"`
	ClientAuth  string `yaml:"clientAuth"`
	ClientCAs   string `yaml:"clientCAs"`
}

func getTLSConfig(configPath string) (*tls.Config, error) {
	content, err := ioutil.ReadFile(configPath)
	if err != nil {
		return nil, err
	}
	c := &Config{}
	err = yaml.Unmarshal(content, c)
	if err != nil {
		return nil, err
	}
	return configToTLSConfig(&c.TLSConfig)
}

func configToTLSConfig(c *TLSStruct) (*tls.Config, error) {
	cfg := &tls.Config{}
	if len(c.TLSCertPath) == 0 {
		return nil, errors.New("missing TLSCertPath")
	}
	if len(c.TLSKeyPath) == 0 {
		return nil, errors.New("missing TLSKeyPath")
	}
	loadCert := func() (*tls.Certificate, error) {
		cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath)
		if err != nil {
			return nil, errors.Wrap(err, "failed to load X509KeyPair")
		}
		return &cert, nil
	}
	// Confirm that certificate and key paths are valid.
	if _, err := loadCert(); err != nil {
		return nil, err
	}
	cfg.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		return loadCert()
	}

	if len(c.ClientCAs) > 0 {
		clientCAPool := x509.NewCertPool()
		clientCAFile, err := ioutil.ReadFile(c.ClientCAs)
		if err != nil {
			return nil, err
		}
		clientCAPool.AppendCertsFromPEM(clientCAFile)
		cfg.ClientCAs = clientCAPool
	}
	if len(c.ClientAuth) > 0 {
		switch s := (c.ClientAuth); s {
		case "NoClientCert":
			cfg.ClientAuth = tls.NoClientCert
		case "RequestClientCert":
			cfg.ClientAuth = tls.RequestClientCert
		case "RequireClientCert":
			cfg.ClientAuth = tls.RequireAnyClientCert
		case "VerifyClientCertIfGiven":
			cfg.ClientAuth = tls.VerifyClientCertIfGiven
		case "RequireAndVerifyClientCert":
			cfg.ClientAuth = tls.RequireAndVerifyClientCert
		case "":
			cfg.ClientAuth = tls.NoClientCert
		default:
			return nil, errors.New("Invalid ClientAuth: " + s)
		}
	}
	if len(c.ClientCAs) > 0 && cfg.ClientAuth == tls.NoClientCert {
		return nil, errors.New("Client CA's have been configured without a Client Auth Policy")
	}
	return cfg, nil
}

// Listen starts the server on the given address. If tlsConfigPath isn't empty the server connection will be started using TLS.
func Listen(server *http.Server, tlsConfigPath string) error {
	if (tlsConfigPath) == "" {
		return server.ListenAndServe()
	}
	var err error
	server.TLSConfig, err = getTLSConfig(tlsConfigPath)
	if err != nil {
		return err
	}
	// Set the GetConfigForClient method of the HTTPS server so that the config
	// and certs are reloaded on new connections.
	server.TLSConfig.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
		return getTLSConfig(tlsConfigPath)
	}
	return server.ListenAndServeTLS("", "")
}
Adding TLS to node exporter - cleaner version (#1277) Add support for https connections. Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com> Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com> Signed-off-by: Simon Pasquier <spasquie@redhat.com> Signed-off-by: Ben RIdley <benridley29@gmail.com> 2019-11-15 15:12:57 -08:00			`// Copyright 2019 The Prometheus Authors`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`// Package https allows the implementation of TLS.`
			`package https`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"io/ioutil"`
			`"net/http"`

			`"github.com/pkg/errors"`
			`"gopkg.in/yaml.v2"`
			`)`

			`type Config struct {`
			TLSConfig TLSStruct `yaml:"tlsConfig"`
			`}`

			`type TLSStruct struct {`
			TLSCertPath string `yaml:"tlsCertPath"`
			TLSKeyPath string `yaml:"tlsKeyPath"`
			ClientAuth string `yaml:"clientAuth"`
			ClientCAs string `yaml:"clientCAs"`
			`}`

			`func getTLSConfig(configPath string) (*tls.Config, error) {`
			`content, err := ioutil.ReadFile(configPath)`
			`if err != nil {`
			`return nil, err`
			`}`
			`c := &Config{}`
			`err = yaml.Unmarshal(content, c)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return configToTLSConfig(&c.TLSConfig)`
			`}`

			`func configToTLSConfig(c TLSStruct) (tls.Config, error) {`
			`cfg := &tls.Config{}`
			`if len(c.TLSCertPath) == 0 {`
			`return nil, errors.New("missing TLSCertPath")`
			`}`
			`if len(c.TLSKeyPath) == 0 {`
			`return nil, errors.New("missing TLSKeyPath")`
			`}`
			`loadCert := func() (*tls.Certificate, error) {`
			`cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "failed to load X509KeyPair")`
			`}`
			`return &cert, nil`
			`}`
			`// Confirm that certificate and key paths are valid.`
			`if _, err := loadCert(); err != nil {`
			`return nil, err`
			`}`
			`cfg.GetCertificate = func(tls.ClientHelloInfo) (tls.Certificate, error) {`
			`return loadCert()`
			`}`

			`if len(c.ClientCAs) > 0 {`
			`clientCAPool := x509.NewCertPool()`
			`clientCAFile, err := ioutil.ReadFile(c.ClientCAs)`
			`if err != nil {`
			`return nil, err`
			`}`
			`clientCAPool.AppendCertsFromPEM(clientCAFile)`
			`cfg.ClientCAs = clientCAPool`
			`}`
			`if len(c.ClientAuth) > 0 {`
			`switch s := (c.ClientAuth); s {`
			`case "NoClientCert":`
			`cfg.ClientAuth = tls.NoClientCert`
			`case "RequestClientCert":`
			`cfg.ClientAuth = tls.RequestClientCert`
			`case "RequireClientCert":`
			`cfg.ClientAuth = tls.RequireAnyClientCert`
			`case "VerifyClientCertIfGiven":`
			`cfg.ClientAuth = tls.VerifyClientCertIfGiven`
			`case "RequireAndVerifyClientCert":`
			`cfg.ClientAuth = tls.RequireAndVerifyClientCert`
			`case "":`
			`cfg.ClientAuth = tls.NoClientCert`
			`default:`
			`return nil, errors.New("Invalid ClientAuth: " + s)`
			`}`
			`}`
			`if len(c.ClientCAs) > 0 && cfg.ClientAuth == tls.NoClientCert {`
			`return nil, errors.New("Client CA's have been configured without a Client Auth Policy")`
			`}`
			`return cfg, nil`
			`}`

			`// Listen starts the server on the given address. If tlsConfigPath isn't empty the server connection will be started using TLS.`
			`func Listen(server *http.Server, tlsConfigPath string) error {`
			`if (tlsConfigPath) == "" {`
			`return server.ListenAndServe()`
			`}`
			`var err error`
			`server.TLSConfig, err = getTLSConfig(tlsConfigPath)`
			`if err != nil {`
			`return err`
			`}`
			`// Set the GetConfigForClient method of the HTTPS server so that the config`
			`// and certs are reloaded on new connections.`
			`server.TLSConfig.GetConfigForClient = func(tls.ClientHelloInfo) (tls.Config, error) {`
			`return getTLSConfig(tlsConfigPath)`
			`}`
			`return server.ListenAndServeTLS("", "")`
			`}`