2019-11-15 23:12:57 +00:00
|
|
|
// Copyright 2019 The Prometheus Authors
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
// Package https allows the implementation of TLS.
|
|
|
|
package https
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
2020-05-13 18:26:01 +00:00
|
|
|
"fmt"
|
2019-11-15 23:12:57 +00:00
|
|
|
"io/ioutil"
|
|
|
|
"net/http"
|
|
|
|
|
2020-05-01 12:26:51 +00:00
|
|
|
"github.com/go-kit/kit/log"
|
|
|
|
"github.com/go-kit/kit/log/level"
|
2019-11-15 23:12:57 +00:00
|
|
|
"github.com/pkg/errors"
|
2020-05-01 12:26:51 +00:00
|
|
|
config_util "github.com/prometheus/common/config"
|
2019-11-15 23:12:57 +00:00
|
|
|
"gopkg.in/yaml.v2"
|
|
|
|
)
|
|
|
|
|
2020-05-01 12:26:51 +00:00
|
|
|
var (
|
|
|
|
errNoTLSConfig = errors.New("TLS config is not present")
|
|
|
|
)
|
|
|
|
|
2019-11-15 23:12:57 +00:00
|
|
|
type Config struct {
|
2020-05-13 18:26:01 +00:00
|
|
|
TLSConfig TLSStruct `yaml:"tls_server_config"`
|
|
|
|
HTTPConfig HTTPStruct `yaml:"http_server_config"`
|
|
|
|
Users map[string]config_util.Secret `yaml:"basic_auth_users"`
|
2019-11-15 23:12:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
type TLSStruct struct {
|
2020-05-13 18:26:01 +00:00
|
|
|
TLSCertPath string `yaml:"cert_file"`
|
|
|
|
TLSKeyPath string `yaml:"key_file"`
|
|
|
|
ClientAuth string `yaml:"client_auth_type"`
|
|
|
|
ClientCAs string `yaml:"client_ca_file"`
|
|
|
|
CipherSuites []cipher `yaml:"cipher_suites"`
|
|
|
|
CurvePreferences []curve `yaml:"curve_preferences"`
|
|
|
|
MinVersion tlsVersion `yaml:"min_version"`
|
|
|
|
MaxVersion tlsVersion `yaml:"max_version"`
|
|
|
|
PreferServerCipherSuites bool `yaml:"prefer_server_cipher_suites"`
|
|
|
|
}
|
|
|
|
|
|
|
|
type HTTPStruct struct {
|
|
|
|
HTTP2 bool `yaml:"http2"`
|
2019-11-15 23:12:57 +00:00
|
|
|
}
|
|
|
|
|
2020-05-01 12:26:51 +00:00
|
|
|
func getConfig(configPath string) (*Config, error) {
|
2019-11-15 23:12:57 +00:00
|
|
|
content, err := ioutil.ReadFile(configPath)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-05-13 18:26:01 +00:00
|
|
|
c := &Config{
|
|
|
|
TLSConfig: TLSStruct{
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
MaxVersion: tls.VersionTLS13,
|
|
|
|
PreferServerCipherSuites: true,
|
|
|
|
},
|
|
|
|
HTTPConfig: HTTPStruct{HTTP2: true},
|
|
|
|
}
|
2020-05-01 12:26:51 +00:00
|
|
|
err = yaml.UnmarshalStrict(content, c)
|
|
|
|
return c, err
|
|
|
|
}
|
|
|
|
|
|
|
|
func getTLSConfig(configPath string) (*tls.Config, error) {
|
|
|
|
c, err := getConfig(configPath)
|
2019-11-15 23:12:57 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-04-16 07:58:51 +00:00
|
|
|
return ConfigToTLSConfig(&c.TLSConfig)
|
2019-11-15 23:12:57 +00:00
|
|
|
}
|
|
|
|
|
2020-04-16 07:58:51 +00:00
|
|
|
// ConfigToTLSConfig generates the golang tls.Config from the TLSStruct config.
|
|
|
|
func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
|
2020-05-01 12:26:51 +00:00
|
|
|
if c.TLSCertPath == "" && c.TLSKeyPath == "" && c.ClientAuth == "" && c.ClientCAs == "" {
|
|
|
|
return nil, errNoTLSConfig
|
2020-04-25 13:51:32 +00:00
|
|
|
}
|
2020-05-01 12:26:51 +00:00
|
|
|
|
|
|
|
if c.TLSCertPath == "" {
|
|
|
|
return nil, errors.New("missing cert_file")
|
2019-11-15 23:12:57 +00:00
|
|
|
}
|
2020-05-13 18:26:01 +00:00
|
|
|
|
2020-05-01 12:26:51 +00:00
|
|
|
if c.TLSKeyPath == "" {
|
|
|
|
return nil, errors.New("missing key_file")
|
|
|
|
}
|
2020-05-13 18:26:01 +00:00
|
|
|
|
2019-11-15 23:12:57 +00:00
|
|
|
loadCert := func() (*tls.Certificate, error) {
|
|
|
|
cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "failed to load X509KeyPair")
|
|
|
|
}
|
|
|
|
return &cert, nil
|
|
|
|
}
|
2020-05-13 18:26:01 +00:00
|
|
|
|
2019-11-15 23:12:57 +00:00
|
|
|
// Confirm that certificate and key paths are valid.
|
|
|
|
if _, err := loadCert(); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-05-13 18:26:01 +00:00
|
|
|
|
|
|
|
cfg := &tls.Config{
|
|
|
|
MinVersion: (uint16)(c.MinVersion),
|
|
|
|
MaxVersion: (uint16)(c.MaxVersion),
|
|
|
|
PreferServerCipherSuites: c.PreferServerCipherSuites,
|
|
|
|
}
|
|
|
|
|
2019-11-15 23:12:57 +00:00
|
|
|
cfg.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
|
|
return loadCert()
|
|
|
|
}
|
|
|
|
|
2020-05-13 18:26:01 +00:00
|
|
|
var cf []uint16
|
|
|
|
for _, c := range c.CipherSuites {
|
|
|
|
cf = append(cf, (uint16)(c))
|
|
|
|
}
|
|
|
|
if len(cf) > 0 {
|
|
|
|
cfg.CipherSuites = cf
|
|
|
|
}
|
|
|
|
|
|
|
|
var cp []tls.CurveID
|
|
|
|
for _, c := range c.CurvePreferences {
|
|
|
|
cp = append(cp, (tls.CurveID)(c))
|
|
|
|
}
|
|
|
|
if len(cp) > 0 {
|
|
|
|
cfg.CurvePreferences = cp
|
|
|
|
}
|
|
|
|
|
2020-05-01 12:26:51 +00:00
|
|
|
if c.ClientCAs != "" {
|
2019-11-15 23:12:57 +00:00
|
|
|
clientCAPool := x509.NewCertPool()
|
|
|
|
clientCAFile, err := ioutil.ReadFile(c.ClientCAs)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
clientCAPool.AppendCertsFromPEM(clientCAFile)
|
|
|
|
cfg.ClientCAs = clientCAPool
|
|
|
|
}
|
2020-05-01 12:26:51 +00:00
|
|
|
|
|
|
|
switch c.ClientAuth {
|
|
|
|
case "RequestClientCert":
|
|
|
|
cfg.ClientAuth = tls.RequestClientCert
|
|
|
|
case "RequireClientCert":
|
|
|
|
cfg.ClientAuth = tls.RequireAnyClientCert
|
|
|
|
case "VerifyClientCertIfGiven":
|
|
|
|
cfg.ClientAuth = tls.VerifyClientCertIfGiven
|
|
|
|
case "RequireAndVerifyClientCert":
|
|
|
|
cfg.ClientAuth = tls.RequireAndVerifyClientCert
|
|
|
|
case "", "NoClientCert":
|
|
|
|
cfg.ClientAuth = tls.NoClientCert
|
|
|
|
default:
|
|
|
|
return nil, errors.New("Invalid ClientAuth: " + c.ClientAuth)
|
2019-11-15 23:12:57 +00:00
|
|
|
}
|
2020-05-01 12:26:51 +00:00
|
|
|
|
|
|
|
if c.ClientCAs != "" && cfg.ClientAuth == tls.NoClientCert {
|
2019-11-15 23:12:57 +00:00
|
|
|
return nil, errors.New("Client CA's have been configured without a Client Auth Policy")
|
|
|
|
}
|
2020-05-01 12:26:51 +00:00
|
|
|
|
2019-11-15 23:12:57 +00:00
|
|
|
return cfg, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Listen starts the server on the given address. If tlsConfigPath isn't empty the server connection will be started using TLS.
|
2020-05-01 12:26:51 +00:00
|
|
|
func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error {
|
|
|
|
if tlsConfigPath == "" {
|
2020-05-13 18:26:01 +00:00
|
|
|
level.Info(logger).Log("msg", "TLS is disabled and it cannot be enabled on the fly.", "http2", false)
|
2019-11-15 23:12:57 +00:00
|
|
|
return server.ListenAndServe()
|
|
|
|
}
|
2020-05-01 12:26:51 +00:00
|
|
|
|
|
|
|
if err := validateUsers(tlsConfigPath); err != nil {
|
2019-11-15 23:12:57 +00:00
|
|
|
return err
|
|
|
|
}
|
2020-05-01 12:26:51 +00:00
|
|
|
|
|
|
|
// Setup basic authentication.
|
|
|
|
var handler http.Handler = http.DefaultServeMux
|
|
|
|
if server.Handler != nil {
|
|
|
|
handler = server.Handler
|
|
|
|
}
|
|
|
|
server.Handler = &userAuthRoundtrip{
|
|
|
|
tlsConfigPath: tlsConfigPath,
|
|
|
|
logger: logger,
|
|
|
|
handler: handler,
|
|
|
|
}
|
|
|
|
|
2020-05-13 18:26:01 +00:00
|
|
|
c, err := getConfig(tlsConfigPath)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
config, err := ConfigToTLSConfig(&c.TLSConfig)
|
2020-05-01 12:26:51 +00:00
|
|
|
switch err {
|
|
|
|
case nil:
|
2020-05-13 18:26:01 +00:00
|
|
|
if !c.HTTPConfig.HTTP2 {
|
|
|
|
server.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
|
|
|
|
}
|
2020-05-01 12:26:51 +00:00
|
|
|
// Valid TLS config.
|
2020-05-13 18:26:01 +00:00
|
|
|
level.Info(logger).Log("msg", "TLS is enabled and it cannot be disabled on the fly.", "http2", c.HTTPConfig.HTTP2)
|
2020-05-01 12:26:51 +00:00
|
|
|
case errNoTLSConfig:
|
|
|
|
// No TLS config, back to plain HTTP.
|
2020-05-13 18:26:01 +00:00
|
|
|
level.Info(logger).Log("msg", "TLS is disabled and it cannot be enabled on the fly.", "http2", false)
|
2020-05-01 12:26:51 +00:00
|
|
|
return server.ListenAndServe()
|
|
|
|
default:
|
|
|
|
// Invalid TLS config.
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
server.TLSConfig = config
|
|
|
|
|
2019-11-15 23:12:57 +00:00
|
|
|
// Set the GetConfigForClient method of the HTTPS server so that the config
|
|
|
|
// and certs are reloaded on new connections.
|
|
|
|
server.TLSConfig.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
|
|
|
|
return getTLSConfig(tlsConfigPath)
|
|
|
|
}
|
|
|
|
return server.ListenAndServeTLS("", "")
|
|
|
|
}
|
2020-05-13 18:26:01 +00:00
|
|
|
|
|
|
|
type cipher uint16
|
|
|
|
|
|
|
|
func (c *cipher) UnmarshalYAML(unmarshal func(interface{}) error) error {
|
|
|
|
var s string
|
|
|
|
err := unmarshal((*string)(&s))
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
for _, cs := range tls.CipherSuites() {
|
|
|
|
if cs.Name == s {
|
|
|
|
*c = (cipher)(cs.ID)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return errors.New("unknown cipher: " + s)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c cipher) MarshalYAML() (interface{}, error) {
|
|
|
|
return tls.CipherSuiteName((uint16)(c)), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type curve tls.CurveID
|
|
|
|
|
|
|
|
var curves = map[string]curve{
|
|
|
|
"CurveP256": (curve)(tls.CurveP256),
|
|
|
|
"CurveP384": (curve)(tls.CurveP384),
|
|
|
|
"CurveP521": (curve)(tls.CurveP521),
|
|
|
|
"X25519": (curve)(tls.X25519),
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *curve) UnmarshalYAML(unmarshal func(interface{}) error) error {
|
|
|
|
var s string
|
|
|
|
err := unmarshal((*string)(&s))
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if curveid, ok := curves[s]; ok {
|
|
|
|
*c = curveid
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return errors.New("unknown curve: " + s)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *curve) MarshalYAML() (interface{}, error) {
|
|
|
|
for s, curveid := range curves {
|
|
|
|
if *c == curveid {
|
|
|
|
return s, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return fmt.Sprintf("%v", c), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type tlsVersion uint16
|
|
|
|
|
|
|
|
var tlsVersions = map[string]tlsVersion{
|
|
|
|
"TLS13": (tlsVersion)(tls.VersionTLS13),
|
|
|
|
"TLS12": (tlsVersion)(tls.VersionTLS12),
|
|
|
|
"TLS11": (tlsVersion)(tls.VersionTLS11),
|
|
|
|
"TLS10": (tlsVersion)(tls.VersionTLS10),
|
|
|
|
}
|
|
|
|
|
|
|
|
func (tv *tlsVersion) UnmarshalYAML(unmarshal func(interface{}) error) error {
|
|
|
|
var s string
|
|
|
|
err := unmarshal((*string)(&s))
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if v, ok := tlsVersions[s]; ok {
|
|
|
|
*tv = v
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return errors.New("unknown TLS version: " + s)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (tv *tlsVersion) MarshalYAML() (interface{}, error) {
|
|
|
|
for s, v := range tlsVersions {
|
|
|
|
if *tv == v {
|
|
|
|
return s, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return fmt.Sprintf("%v", tv), nil
|
|
|
|
}
|