Merge pull request #2 from marriva/add-tls-auth

add mtls client auth

Author: uzhinskiy

modules/config/config.go

@@ -28,12 +28,15 @@ type Config struct {
 		TimeOutRaw *int   `yaml:"timeout"`
 	} `yaml:"app"`
 	Elastic struct {
-		Host     string `yaml:"host`
-		SSL      bool   `yaml:"ssl"`
-		Username string `yaml:"username"`
-		Password string `yaml:"password"`
-		Cert     string `yaml:"certfile"`
-		Include  bool   `yaml:"include_system"`
+		Host               string `yaml:"host"`
+		SSL                bool   `yaml:"ssl"`
+		Username           string `yaml:"username"`
+		Password           string `yaml:"password"`
+		CAcert             string `yaml:"ca_cert"`
+		ClientCert         string `yaml:"client_cert"`
+		ClientKey          string `yaml:"client_key"`
+		InsecureSkipVerify bool   `yaml:"insecure"`
+		Include            bool   `yaml:"include_system"`
 	} `yaml:"elastic"`
 }
 

modules/router/methods.go

@@ -14,7 +14,6 @@
 package router
 
 import (
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -42,11 +41,13 @@ type esError struct {
 }
 
 func (rt *Router) netClientPrepare() {
+	tlsClientConfig := createTLSConfig(rt.conf.Elastic.CAcert, rt.conf.Elastic.ClientCert,
+		rt.conf.Elastic.ClientKey, rt.conf.Elastic.InsecureSkipVerify)
 	var netTransport = &http.Transport{
 		Dial: (&net.Dialer{
 			Timeout: time.Duration(rt.conf.App.TimeOut) * time.Second,
 		}).Dial,
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		TLSClientConfig: tlsClientConfig,
 	}
 
 	rt.nc = &http.Client{

modules/router/tls.go

@@ -0,0 +1,69 @@
+// Copyright 2021 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package router
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+	"log"
+)
+
+func createTLSConfig(pemFile, pemCertFile, pemPrivateKeyFile string, insecureSkipVerify bool) *tls.Config {
+	tlsConfig := tls.Config{}
+	if insecureSkipVerify {
+		// pem settings are irrelevant if we're skipping verification anyway
+		tlsConfig.InsecureSkipVerify = true
+	}
+	if len(pemFile) > 0 {
+		rootCerts, err := loadCertificatesFrom(pemFile)
+		if err != nil {
+			log.Fatalf("Couldn't load root certificate from %s. Got %s.", pemFile, err)
+			return nil
+		}
+		tlsConfig.RootCAs = rootCerts
+	}
+	if len(pemCertFile) > 0 && len(pemPrivateKeyFile) > 0 {
+		// Load files once to catch configuration error early.
+		_, err := loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile)
+		if err != nil {
+			log.Fatalf("Couldn't setup client authentication. Got %s.", err)
+			return nil
+		}
+		// Define a function to load certificate and key lazily at TLS handshake to
+		// ensure that the latest files are used in case they have been rotated.
+		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			return loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile)
+		}
+	}
+	return &tlsConfig
+}
+
+func loadCertificatesFrom(pemFile string) (*x509.CertPool, error) {
+	caCert, err := ioutil.ReadFile(pemFile)
+	if err != nil {
+		return nil, err
+	}
+	certificates := x509.NewCertPool()
+	certificates.AppendCertsFromPEM(caCert)
+	return certificates, nil
+}
+
+func loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile string) (*tls.Certificate, error) {
+	privateKey, err := tls.LoadX509KeyPair(pemCertFile, pemPrivateKeyFile)
+	if err != nil {
+		return nil, err
+	}
+	return &privateKey, nil
+}