124 lines
3.5 KiB
Go
124 lines
3.5 KiB
Go
// Copyright 2019 The Prometheus Authors
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
// Package https allows the implementation of TLS.
|
|
package https
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"io/ioutil"
|
|
"net/http"
|
|
|
|
"github.com/pkg/errors"
|
|
"gopkg.in/yaml.v2"
|
|
)
|
|
|
|
type Config struct {
|
|
TLSConfig TLSStruct `yaml:"tlsConfig"`
|
|
}
|
|
|
|
type TLSStruct struct {
|
|
TLSCertPath string `yaml:"tlsCertPath"`
|
|
TLSKeyPath string `yaml:"tlsKeyPath"`
|
|
ClientAuth string `yaml:"clientAuth"`
|
|
ClientCAs string `yaml:"clientCAs"`
|
|
}
|
|
|
|
func getTLSConfig(configPath string) (*tls.Config, error) {
|
|
content, err := ioutil.ReadFile(configPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
c := &Config{}
|
|
err = yaml.Unmarshal(content, c)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return configToTLSConfig(&c.TLSConfig)
|
|
}
|
|
|
|
func configToTLSConfig(c *TLSStruct) (*tls.Config, error) {
|
|
cfg := &tls.Config{}
|
|
if len(c.TLSCertPath) == 0 {
|
|
return nil, errors.New("missing TLSCertPath")
|
|
}
|
|
if len(c.TLSKeyPath) == 0 {
|
|
return nil, errors.New("missing TLSKeyPath")
|
|
}
|
|
loadCert := func() (*tls.Certificate, error) {
|
|
cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath)
|
|
if err != nil {
|
|
return nil, errors.Wrap(err, "failed to load X509KeyPair")
|
|
}
|
|
return &cert, nil
|
|
}
|
|
// Confirm that certificate and key paths are valid.
|
|
if _, err := loadCert(); err != nil {
|
|
return nil, err
|
|
}
|
|
cfg.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
return loadCert()
|
|
}
|
|
|
|
if len(c.ClientCAs) > 0 {
|
|
clientCAPool := x509.NewCertPool()
|
|
clientCAFile, err := ioutil.ReadFile(c.ClientCAs)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
clientCAPool.AppendCertsFromPEM(clientCAFile)
|
|
cfg.ClientCAs = clientCAPool
|
|
}
|
|
if len(c.ClientAuth) > 0 {
|
|
switch s := (c.ClientAuth); s {
|
|
case "NoClientCert":
|
|
cfg.ClientAuth = tls.NoClientCert
|
|
case "RequestClientCert":
|
|
cfg.ClientAuth = tls.RequestClientCert
|
|
case "RequireClientCert":
|
|
cfg.ClientAuth = tls.RequireAnyClientCert
|
|
case "VerifyClientCertIfGiven":
|
|
cfg.ClientAuth = tls.VerifyClientCertIfGiven
|
|
case "RequireAndVerifyClientCert":
|
|
cfg.ClientAuth = tls.RequireAndVerifyClientCert
|
|
case "":
|
|
cfg.ClientAuth = tls.NoClientCert
|
|
default:
|
|
return nil, errors.New("Invalid ClientAuth: " + s)
|
|
}
|
|
}
|
|
if len(c.ClientCAs) > 0 && cfg.ClientAuth == tls.NoClientCert {
|
|
return nil, errors.New("Client CA's have been configured without a Client Auth Policy")
|
|
}
|
|
return cfg, nil
|
|
}
|
|
|
|
// Listen starts the server on the given address. If tlsConfigPath isn't empty the server connection will be started using TLS.
|
|
func Listen(server *http.Server, tlsConfigPath string) error {
|
|
if (tlsConfigPath) == "" {
|
|
return server.ListenAndServe()
|
|
}
|
|
var err error
|
|
server.TLSConfig, err = getTLSConfig(tlsConfigPath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
// Set the GetConfigForClient method of the HTTPS server so that the config
|
|
// and certs are reloaded on new connections.
|
|
server.TLSConfig.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
|
|
return getTLSConfig(tlsConfigPath)
|
|
}
|
|
return server.ListenAndServeTLS("", "")
|
|
}
|