VictoriaMetrics/lib/promauth/config.go

package promauth

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"io/ioutil"
)

// TLSConfig represents TLS config.
//
// See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tls_config
type TLSConfig struct {
	CAFile             string `yaml:"ca_file,omitempty"`
	CertFile           string `yaml:"cert_file,omitempty"`
	KeyFile            string `yaml:"key_file,omitempty"`
	ServerName         string `yaml:"server_name,omitempty"`
	InsecureSkipVerify bool   `yaml:"insecure_skip_verify,omitempty"`
}

// Authorization represents generic authorization config.
//
// See https://prometheus.io/docs/prometheus/latest/configuration/configuration/
type Authorization struct {
	Type            string `yaml:"type,omitempty"`
	Credentials     string `yaml:"credentials,omitempty"`
	CredentialsFile string `yaml:"credentials_file,omitempty"`
}

// BasicAuthConfig represents basic auth config.
type BasicAuthConfig struct {
	Username     string `yaml:"username"`
	Password     string `yaml:"password,omitempty"`
	PasswordFile string `yaml:"password_file,omitempty"`
}

// HTTPClientConfig represents http client config.
type HTTPClientConfig struct {
	Authorization   *Authorization   `yaml:"authorization,omitempty"`
	BasicAuth       *BasicAuthConfig `yaml:"basic_auth,omitempty"`
	BearerToken     string           `yaml:"bearer_token,omitempty"`
	BearerTokenFile string           `yaml:"bearer_token_file,omitempty"`
	TLSConfig       *TLSConfig       `yaml:"tls_config,omitempty"`
}

// Config is auth config.
type Config struct {
	// Optional `Authorization` header.
	//
	// It may contain `Basic ....` or `Bearer ....` string.
	Authorization string

	// Optional TLS config
	TLSRootCA             *x509.CertPool
	TLSCertificate        *tls.Certificate
	TLSServerName         string
	TLSInsecureSkipVerify bool
}

// String returns human-(un)readable representation for cfg.
func (ac *Config) String() string {
	return fmt.Sprintf("Authorization=%s, TLSRootCA=%s, TLSCertificate=%s, TLSServerName=%s, TLSInsecureSkipVerify=%v",
		ac.Authorization, ac.tlsRootCAString(), ac.tlsCertificateString(), ac.TLSServerName, ac.TLSInsecureSkipVerify)
}

func (ac *Config) tlsRootCAString() string {
	if ac.TLSRootCA == nil {
		return ""
	}
	data := ac.TLSRootCA.Subjects()
	return string(bytes.Join(data, []byte("\n")))
}

func (ac *Config) tlsCertificateString() string {
	if ac.TLSCertificate == nil {
		return ""
	}
	return string(bytes.Join(ac.TLSCertificate.Certificate, []byte("\n")))
}

// NewTLSConfig returns new TLS config for the given ac.
func (ac *Config) NewTLSConfig() *tls.Config {
	tlsCfg := &tls.Config{
		ClientSessionCache: tls.NewLRUClientSessionCache(0),
	}
	if ac == nil {
		return tlsCfg
	}
	if ac.TLSCertificate != nil {
		// Do not set tlsCfg.GetClientCertificate, since tlsCfg.Certificates should work OK.
		tlsCfg.Certificates = []tls.Certificate{*ac.TLSCertificate}
	}
	tlsCfg.RootCAs = ac.TLSRootCA
	tlsCfg.ServerName = ac.TLSServerName
	tlsCfg.InsecureSkipVerify = ac.TLSInsecureSkipVerify
	return tlsCfg
}

// NewConfig creates auth config for the given hcc.
func (hcc *HTTPClientConfig) NewConfig(baseDir string) (*Config, error) {
	return NewConfig(baseDir, hcc.Authorization, hcc.BasicAuth, hcc.BearerToken, hcc.BearerTokenFile, hcc.TLSConfig)
}

// NewConfig creates auth config from the given args.
func NewConfig(baseDir string, az *Authorization, basicAuth *BasicAuthConfig, bearerToken, bearerTokenFile string, tlsConfig *TLSConfig) (*Config, error) {
	var authorization string
	if az != nil {
		azType := "Bearer"
		if az.Type != "" {
			azType = az.Type
		}
		azToken := az.Credentials
		if az.CredentialsFile != "" {
			if az.Credentials != "" {
				return nil, fmt.Errorf("both `credentials`=%q and `credentials_file`=%q are set", az.Credentials, az.CredentialsFile)
			}
			path := getFilepath(baseDir, az.CredentialsFile)
			token, err := readPasswordFromFile(path)
			if err != nil {
				return nil, fmt.Errorf("cannot read credentials from `credentials_file`=%q: %w", az.CredentialsFile, err)
			}
			azToken = token
		}
		authorization = azType + " " + azToken
	}
	if basicAuth != nil {
		if authorization != "" {
			return nil, fmt.Errorf("cannot use both `authorization` and `basic_auth`")
		}
		if basicAuth.Username == "" {
			return nil, fmt.Errorf("missing `username` in `basic_auth` section")
		}
		username := basicAuth.Username
		password := basicAuth.Password
		if basicAuth.PasswordFile != "" {
			if basicAuth.Password != "" {
				return nil, fmt.Errorf("both `password`=%q and `password_file`=%q are set in `basic_auth` section", basicAuth.Password, basicAuth.PasswordFile)
			}
			path := getFilepath(baseDir, basicAuth.PasswordFile)
			pass, err := readPasswordFromFile(path)
			if err != nil {
				return nil, fmt.Errorf("cannot read password from `password_file`=%q set in `basic_auth` section: %w", basicAuth.PasswordFile, err)
			}
			password = pass
		}
		// See https://en.wikipedia.org/wiki/Basic_access_authentication
		token := username + ":" + password
		token64 := base64.StdEncoding.EncodeToString([]byte(token))
		authorization = "Basic " + token64
	}
	if bearerTokenFile != "" {
		if authorization != "" {
			return nil, fmt.Errorf("cannot simultaneously use `authorization`, `basic_auth` and `bearer_token_file`")
		}
		if bearerToken != "" {
			return nil, fmt.Errorf("both `bearer_token`=%q and `bearer_token_file`=%q are set", bearerToken, bearerTokenFile)
		}
		path := getFilepath(baseDir, bearerTokenFile)
		token, err := readPasswordFromFile(path)
		if err != nil {
			return nil, fmt.Errorf("cannot read bearer token from `bearer_token_file`=%q: %w", bearerTokenFile, err)
		}
		authorization = "Bearer " + token
	}
	if bearerToken != "" {
		if authorization != "" {
			return nil, fmt.Errorf("cannot simultaneously use `authorization`, `basic_auth` and `bearer_token`")
		}
		authorization = "Bearer " + bearerToken
	}
	var tlsRootCA *x509.CertPool
	var tlsCertificate *tls.Certificate
	tlsServerName := ""
	tlsInsecureSkipVerify := false
	if tlsConfig != nil {
		tlsServerName = tlsConfig.ServerName
		tlsInsecureSkipVerify = tlsConfig.InsecureSkipVerify
		if tlsConfig.CertFile != "" || tlsConfig.KeyFile != "" {
			certPath := getFilepath(baseDir, tlsConfig.CertFile)
			keyPath := getFilepath(baseDir, tlsConfig.KeyFile)
			cert, err := tls.LoadX509KeyPair(certPath, keyPath)
			if err != nil {
				return nil, fmt.Errorf("cannot load TLS certificate from `cert_file`=%q, `key_file`=%q: %w", tlsConfig.CertFile, tlsConfig.KeyFile, err)
			}
			tlsCertificate = &cert
		}
		if tlsConfig.CAFile != "" {
			path := getFilepath(baseDir, tlsConfig.CAFile)
			data, err := ioutil.ReadFile(path)
			if err != nil {
				return nil, fmt.Errorf("cannot read `ca_file` %q: %w", tlsConfig.CAFile, err)
			}
			tlsRootCA = x509.NewCertPool()
			if !tlsRootCA.AppendCertsFromPEM(data) {
				return nil, fmt.Errorf("cannot parse data from `ca_file` %q", tlsConfig.CAFile)
			}
		}
	}
	ac := &Config{
		Authorization:         authorization,
		TLSRootCA:             tlsRootCA,
		TLSCertificate:        tlsCertificate,
		TLSServerName:         tlsServerName,
		TLSInsecureSkipVerify: tlsInsecureSkipVerify,
	}
	return ac, nil
}
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`package promauth`

			`import (`
lib/promscrape: reload only modified scrapers on config changes This should improve scrape stability when big number of targets are scraped and these targets are frequently changed. Thanks to @xbsura for the idea and initial implementation attempts at the following pull requests: - https://github.com/VictoriaMetrics/VictoriaMetrics/pull/449 - https://github.com/VictoriaMetrics/VictoriaMetrics/pull/458 - https://github.com/VictoriaMetrics/VictoriaMetrics/pull/459 - https://github.com/VictoriaMetrics/VictoriaMetrics/pull/460 2020-05-03 11:41:13 +02:00			`"bytes"`
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`"crypto/tls"`
			`"crypto/x509"`
			`"encoding/base64"`
			`"fmt"`
			`"io/ioutil"`
			`)`

			`// TLSConfig represents TLS config.`
			`//`
			`// See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tls_config`
			`type TLSConfig struct {`
Add omitempty for DisableCompression and DisableKeepAlive fields in ScrapeConfig (#796) * Add omitempty for DisableCompression and DisableKeepAlive fields in ScrapeConfig * Add omitempty annotation to all the default/optional values * Fix annotations after review 2020-11-13 15:17:03 +01:00			CAFile string `yaml:"ca_file,omitempty"`
			CertFile string `yaml:"cert_file,omitempty"`
			KeyFile string `yaml:"key_file,omitempty"`
			ServerName string `yaml:"server_name,omitempty"`
			InsecureSkipVerify bool `yaml:"insecure_skip_verify,omitempty"`
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`}`

lib/promscrape: add support for `authorization` config in `-promscrape.config` as Prometheus 2.26 does See https://github.com/prometheus/prometheus/pull/8512 2021-04-02 20:17:43 +02:00			`// Authorization represents generic authorization config.`
			`//`
			`// See https://prometheus.io/docs/prometheus/latest/configuration/configuration/`
			`type Authorization struct {`
			Type string `yaml:"type,omitempty"`
			Credentials string `yaml:"credentials,omitempty"`
			CredentialsFile string `yaml:"credentials_file,omitempty"`
			`}`

lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`// BasicAuthConfig represents basic auth config.`
			`type BasicAuthConfig struct {`
			Username string `yaml:"username"`
Add omitempty for DisableCompression and DisableKeepAlive fields in ScrapeConfig (#796) * Add omitempty for DisableCompression and DisableKeepAlive fields in ScrapeConfig * Add omitempty annotation to all the default/optional values * Fix annotations after review 2020-11-13 15:17:03 +01:00			Password string `yaml:"password,omitempty"`
			PasswordFile string `yaml:"password_file,omitempty"`
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`}`

lib/promscrape: add support for `authorization` config in `-promscrape.config` as Prometheus 2.26 does See https://github.com/prometheus/prometheus/pull/8512 2021-04-02 20:17:43 +02:00			`// HTTPClientConfig represents http client config.`
			`type HTTPClientConfig struct {`
			Authorization *Authorization `yaml:"authorization,omitempty"`
			BasicAuth *BasicAuthConfig `yaml:"basic_auth,omitempty"`
			BearerToken string `yaml:"bearer_token,omitempty"`
			BearerTokenFile string `yaml:"bearer_token_file,omitempty"`
			TLSConfig *TLSConfig `yaml:"tls_config,omitempty"`
			`}`

lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`// Config is auth config.`
			`type Config struct {`
			// Optional `Authorization` header.
			`//`
			// It may contain `Basic ....` or `Bearer ....` string.
			`Authorization string`

			`// Optional TLS config`
			`TLSRootCA *x509.CertPool`
			`TLSCertificate *tls.Certificate`
			`TLSServerName string`
			`TLSInsecureSkipVerify bool`
			`}`

lib/promscrape: reload only modified scrapers on config changes This should improve scrape stability when big number of targets are scraped and these targets are frequently changed. Thanks to @xbsura for the idea and initial implementation attempts at the following pull requests: - https://github.com/VictoriaMetrics/VictoriaMetrics/pull/449 - https://github.com/VictoriaMetrics/VictoriaMetrics/pull/458 - https://github.com/VictoriaMetrics/VictoriaMetrics/pull/459 - https://github.com/VictoriaMetrics/VictoriaMetrics/pull/460 2020-05-03 11:41:13 +02:00			`// String returns human-(un)readable representation for cfg.`
			`func (ac *Config) String() string {`
			`return fmt.Sprintf("Authorization=%s, TLSRootCA=%s, TLSCertificate=%s, TLSServerName=%s, TLSInsecureSkipVerify=%v",`
			`ac.Authorization, ac.tlsRootCAString(), ac.tlsCertificateString(), ac.TLSServerName, ac.TLSInsecureSkipVerify)`
			`}`

			`func (ac *Config) tlsRootCAString() string {`
			`if ac.TLSRootCA == nil {`
			`return ""`
			`}`
			`data := ac.TLSRootCA.Subjects()`
			`return string(bytes.Join(data, []byte("\n")))`
			`}`

			`func (ac *Config) tlsCertificateString() string {`
			`if ac.TLSCertificate == nil {`
			`return ""`
			`}`
			`return string(bytes.Join(ac.TLSCertificate.Certificate, []byte("\n")))`
			`}`

lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`// NewTLSConfig returns new TLS config for the given ac.`
			`func (ac Config) NewTLSConfig() tls.Config {`
			`tlsCfg := &tls.Config{`
			`ClientSessionCache: tls.NewLRUClientSessionCache(0),`
			`}`
lib/proxy: set missing ServerName in TLS config for `proxy_url`. While at it, allow setting Proxy-Authorization for `proxy_url` via `basic_auth` and `bearer_token` configs. 2021-03-09 17:54:09 +01:00			`if ac == nil {`
			`return tlsCfg`
			`}`
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`if ac.TLSCertificate != nil {`
app/vmagent: fix scraping mTLS targets, which has been broken in v1.35.1 Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/470 2020-05-12 16:20:55 +02:00			`// Do not set tlsCfg.GetClientCertificate, since tlsCfg.Certificates should work OK.`
			`tlsCfg.Certificates = []tls.Certificate{*ac.TLSCertificate}`
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`}`
lib/proxy: set missing ServerName in TLS config for `proxy_url`. While at it, allow setting Proxy-Authorization for `proxy_url` via `basic_auth` and `bearer_token` configs. 2021-03-09 17:54:09 +01:00			`tlsCfg.RootCAs = ac.TLSRootCA`
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`tlsCfg.ServerName = ac.TLSServerName`
			`tlsCfg.InsecureSkipVerify = ac.TLSInsecureSkipVerify`
			`return tlsCfg`
			`}`

lib/promscrape: add support for `authorization` config in `-promscrape.config` as Prometheus 2.26 does See https://github.com/prometheus/prometheus/pull/8512 2021-04-02 20:17:43 +02:00			`// NewConfig creates auth config for the given hcc.`
			`func (hcc HTTPClientConfig) NewConfig(baseDir string) (Config, error) {`
			`return NewConfig(baseDir, hcc.Authorization, hcc.BasicAuth, hcc.BearerToken, hcc.BearerTokenFile, hcc.TLSConfig)`
			`}`

lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`// NewConfig creates auth config from the given args.`
lib/promscrape: add support for `authorization` config in `-promscrape.config` as Prometheus 2.26 does See https://github.com/prometheus/prometheus/pull/8512 2021-04-02 20:17:43 +02:00			`func NewConfig(baseDir string, az Authorization, basicAuth BasicAuthConfig, bearerToken, bearerTokenFile string, tlsConfig TLSConfig) (Config, error) {`
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`var authorization string`
lib/promscrape: add support for `authorization` config in `-promscrape.config` as Prometheus 2.26 does See https://github.com/prometheus/prometheus/pull/8512 2021-04-02 20:17:43 +02:00			`if az != nil {`
			`azType := "Bearer"`
			`if az.Type != "" {`
			`azType = az.Type`
			`}`
			`azToken := az.Credentials`
			`if az.CredentialsFile != "" {`
			`if az.Credentials != "" {`
			return nil, fmt.Errorf("both `credentials`=%q and `credentials_file`=%q are set", az.Credentials, az.CredentialsFile)
			`}`
			`path := getFilepath(baseDir, az.CredentialsFile)`
			`token, err := readPasswordFromFile(path)`
			`if err != nil {`
			return nil, fmt.Errorf("cannot read credentials from `credentials_file`=%q: %w", az.CredentialsFile, err)
			`}`
			`azToken = token`
			`}`
			`authorization = azType + " " + azToken`
			`}`
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`if basicAuth != nil {`
lib/promscrape: add support for `authorization` config in `-promscrape.config` as Prometheus 2.26 does See https://github.com/prometheus/prometheus/pull/8512 2021-04-02 20:17:43 +02:00			`if authorization != "" {`
			return nil, fmt.Errorf("cannot use both `authorization` and `basic_auth`")
			`}`
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`if basicAuth.Username == "" {`
			return nil, fmt.Errorf("missing `username` in `basic_auth` section")
			`}`
			`username := basicAuth.Username`
			`password := basicAuth.Password`
			`if basicAuth.PasswordFile != "" {`
			`if basicAuth.Password != "" {`
			return nil, fmt.Errorf("both `password`=%q and `password_file`=%q are set in `basic_auth` section", basicAuth.Password, basicAuth.PasswordFile)
			`}`
			`path := getFilepath(baseDir, basicAuth.PasswordFile)`
			`pass, err := readPasswordFromFile(path)`
			`if err != nil {`
all: use %w instead of %s for wrapping errors in `fmt.Errorf` This will simplify examining the returned errors such as httpserver.ErrorWithStatusCode . See https://blog.golang.org/go1.13-errors for details. 2020-06-30 21:58:18 +02:00			return nil, fmt.Errorf("cannot read password from `password_file`=%q set in `basic_auth` section: %w", basicAuth.PasswordFile, err)
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`}`
			`password = pass`
			`}`
			`// See https://en.wikipedia.org/wiki/Basic_access_authentication`
			`token := username + ":" + password`
			`token64 := base64.StdEncoding.EncodeToString([]byte(token))`
			`authorization = "Basic " + token64`
			`}`
			`if bearerTokenFile != "" {`
lib/promscrape: add support for `authorization` config in `-promscrape.config` as Prometheus 2.26 does See https://github.com/prometheus/prometheus/pull/8512 2021-04-02 20:17:43 +02:00			`if authorization != "" {`
			return nil, fmt.Errorf("cannot simultaneously use `authorization`, `basic_auth` and `bearer_token_file`")
			`}`
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`if bearerToken != "" {`
			return nil, fmt.Errorf("both `bearer_token`=%q and `bearer_token_file`=%q are set", bearerToken, bearerTokenFile)
			`}`
			`path := getFilepath(baseDir, bearerTokenFile)`
			`token, err := readPasswordFromFile(path)`
			`if err != nil {`
all: use %w instead of %s for wrapping errors in `fmt.Errorf` This will simplify examining the returned errors such as httpserver.ErrorWithStatusCode . See https://blog.golang.org/go1.13-errors for details. 2020-06-30 21:58:18 +02:00			return nil, fmt.Errorf("cannot read bearer token from `bearer_token_file`=%q: %w", bearerTokenFile, err)
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`}`
lib/promscrape: add support for `authorization` config in `-promscrape.config` as Prometheus 2.26 does See https://github.com/prometheus/prometheus/pull/8512 2021-04-02 20:17:43 +02:00			`authorization = "Bearer " + token`
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`}`
			`if bearerToken != "" {`
			`if authorization != "" {`
lib/promscrape: add support for `authorization` config in `-promscrape.config` as Prometheus 2.26 does See https://github.com/prometheus/prometheus/pull/8512 2021-04-02 20:17:43 +02:00			return nil, fmt.Errorf("cannot simultaneously use `authorization`, `basic_auth` and `bearer_token`")
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`}`
			`authorization = "Bearer " + bearerToken`
			`}`
			`var tlsRootCA *x509.CertPool`
			`var tlsCertificate *tls.Certificate`
			`tlsServerName := ""`
			`tlsInsecureSkipVerify := false`
			`if tlsConfig != nil {`
			`tlsServerName = tlsConfig.ServerName`
			`tlsInsecureSkipVerify = tlsConfig.InsecureSkipVerify`
			`if tlsConfig.CertFile != "" \|\| tlsConfig.KeyFile != "" {`
			`certPath := getFilepath(baseDir, tlsConfig.CertFile)`
			`keyPath := getFilepath(baseDir, tlsConfig.KeyFile)`
			`cert, err := tls.LoadX509KeyPair(certPath, keyPath)`
			`if err != nil {`
all: use %w instead of %s for wrapping errors in `fmt.Errorf` This will simplify examining the returned errors such as httpserver.ErrorWithStatusCode . See https://blog.golang.org/go1.13-errors for details. 2020-06-30 21:58:18 +02:00			return nil, fmt.Errorf("cannot load TLS certificate from `cert_file`=%q, `key_file`=%q: %w", tlsConfig.CertFile, tlsConfig.KeyFile, err)
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`}`
			`tlsCertificate = &cert`
			`}`
			`if tlsConfig.CAFile != "" {`
			`path := getFilepath(baseDir, tlsConfig.CAFile)`
			`data, err := ioutil.ReadFile(path)`
			`if err != nil {`
all: use %w instead of %s for wrapping errors in `fmt.Errorf` This will simplify examining the returned errors such as httpserver.ErrorWithStatusCode . See https://blog.golang.org/go1.13-errors for details. 2020-06-30 21:58:18 +02:00			return nil, fmt.Errorf("cannot read `ca_file` %q: %w", tlsConfig.CAFile, err)
lib/promscrape: extract common auth code to lib/promauth 2020-04-13 11:59:05 +02:00			`}`
			`tlsRootCA = x509.NewCertPool()`
			`if !tlsRootCA.AppendCertsFromPEM(data) {`
			return nil, fmt.Errorf("cannot parse data from `ca_file` %q", tlsConfig.CAFile)
			`}`
			`}`
			`}`
			`ac := &Config{`
			`Authorization: authorization,`
			`TLSRootCA: tlsRootCA,`
			`TLSCertificate: tlsCertificate,`
			`TLSServerName: tlsServerName,`
			`TLSInsecureSkipVerify: tlsInsecureSkipVerify,`
			`}`
			`return ac, nil`
			`}`