mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-14 10:20:20 +00:00
f080b9e0c9
Signed-off-by: Niels de Vos <ndevos@ibm.com>
400 lines
12 KiB
Go
400 lines
12 KiB
Go
/*
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package transport
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"net/http"
|
|
"os"
|
|
"sync"
|
|
"time"
|
|
|
|
utilnet "k8s.io/apimachinery/pkg/util/net"
|
|
"k8s.io/klog/v2"
|
|
)
|
|
|
|
// New returns an http.RoundTripper that will provide the authentication
|
|
// or transport level security defined by the provided Config.
|
|
func New(config *Config) (http.RoundTripper, error) {
|
|
// Set transport level security
|
|
if config.Transport != nil && (config.HasCA() || config.HasCertAuth() || config.HasCertCallback() || config.TLS.Insecure) {
|
|
return nil, fmt.Errorf("using a custom transport with TLS certificate options or the insecure flag is not allowed")
|
|
}
|
|
|
|
if !isValidHolders(config) {
|
|
return nil, fmt.Errorf("misconfigured holder for dialer or cert callback")
|
|
}
|
|
|
|
var (
|
|
rt http.RoundTripper
|
|
err error
|
|
)
|
|
|
|
if config.Transport != nil {
|
|
rt = config.Transport
|
|
} else {
|
|
rt, err = tlsCache.get(config)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
return HTTPWrappersForConfig(config, rt)
|
|
}
|
|
|
|
func isValidHolders(config *Config) bool {
|
|
if config.TLS.GetCertHolder != nil && config.TLS.GetCertHolder.GetCert == nil {
|
|
return false
|
|
}
|
|
|
|
if config.DialHolder != nil && config.DialHolder.Dial == nil {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// TLSConfigFor returns a tls.Config that will provide the transport level security defined
|
|
// by the provided Config. Will return nil if no transport level security is requested.
|
|
func TLSConfigFor(c *Config) (*tls.Config, error) {
|
|
if !(c.HasCA() || c.HasCertAuth() || c.HasCertCallback() || c.TLS.Insecure || len(c.TLS.ServerName) > 0 || len(c.TLS.NextProtos) > 0) {
|
|
return nil, nil
|
|
}
|
|
if c.HasCA() && c.TLS.Insecure {
|
|
return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
|
|
}
|
|
if err := loadTLSFiles(c); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
tlsConfig := &tls.Config{
|
|
// Can't use SSLv3 because of POODLE and BEAST
|
|
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
|
|
// Can't use TLSv1.1 because of RC4 cipher usage
|
|
MinVersion: tls.VersionTLS12,
|
|
InsecureSkipVerify: c.TLS.Insecure,
|
|
ServerName: c.TLS.ServerName,
|
|
NextProtos: c.TLS.NextProtos,
|
|
}
|
|
|
|
if c.HasCA() {
|
|
/*
|
|
kubernetes mutual (2-way) x509 between client and apiserver:
|
|
|
|
1. apiserver sending its apiserver certificate along with its publickey to client
|
|
>2. client verifies the apiserver certificate sent against its cluster certificate authority data
|
|
3. client sending its client certificate along with its public key to the apiserver
|
|
4. apiserver verifies the client certificate sent against its cluster certificate authority data
|
|
|
|
description:
|
|
here, with this block,
|
|
cluster certificate authority data gets loaded into TLS before the handshake process
|
|
for client to later during the handshake verify the apiserver certificate
|
|
|
|
normal args related to this stage:
|
|
--certificate-authority='':
|
|
Path to a cert file for the certificate authority
|
|
|
|
(retrievable from "kubectl options" command)
|
|
(suggested by @deads2k)
|
|
|
|
see also:
|
|
- for the step 1, see: staging/src/k8s.io/apiserver/pkg/server/options/serving.go
|
|
- for the step 3, see: a few lines below in this file
|
|
- for the step 4, see: staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
|
|
*/
|
|
|
|
rootCAs, err := rootCertPool(c.TLS.CAData)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to load root certificates: %w", err)
|
|
}
|
|
tlsConfig.RootCAs = rootCAs
|
|
}
|
|
|
|
var staticCert *tls.Certificate
|
|
// Treat cert as static if either key or cert was data, not a file
|
|
if c.HasCertAuth() && !c.TLS.ReloadTLSFiles {
|
|
// If key/cert were provided, verify them before setting up
|
|
// tlsConfig.GetClientCertificate.
|
|
cert, err := tls.X509KeyPair(c.TLS.CertData, c.TLS.KeyData)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
staticCert = &cert
|
|
}
|
|
|
|
var dynamicCertLoader func() (*tls.Certificate, error)
|
|
if c.TLS.ReloadTLSFiles {
|
|
dynamicCertLoader = cachingCertificateLoader(c.TLS.CertFile, c.TLS.KeyFile)
|
|
}
|
|
|
|
if c.HasCertAuth() || c.HasCertCallback() {
|
|
|
|
/*
|
|
kubernetes mutual (2-way) x509 between client and apiserver:
|
|
|
|
1. apiserver sending its apiserver certificate along with its publickey to client
|
|
2. client verifies the apiserver certificate sent against its cluster certificate authority data
|
|
>3. client sending its client certificate along with its public key to the apiserver
|
|
4. apiserver verifies the client certificate sent against its cluster certificate authority data
|
|
|
|
description:
|
|
here, with this callback function,
|
|
client certificate and pub key get loaded into TLS during the handshake process
|
|
for apiserver to later in the step 4 verify the client certificate
|
|
|
|
normal args related to this stage:
|
|
--client-certificate='':
|
|
Path to a client certificate file for TLS
|
|
--client-key='':
|
|
Path to a client key file for TLS
|
|
|
|
(retrievable from "kubectl options" command)
|
|
(suggested by @deads2k)
|
|
|
|
see also:
|
|
- for the step 1, see: staging/src/k8s.io/apiserver/pkg/server/options/serving.go
|
|
- for the step 2, see: a few lines above in this file
|
|
- for the step 4, see: staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
|
|
*/
|
|
|
|
tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
|
// Note: static key/cert data always take precedence over cert
|
|
// callback.
|
|
if staticCert != nil {
|
|
return staticCert, nil
|
|
}
|
|
// key/cert files lead to ReloadTLSFiles being set - takes precedence over cert callback
|
|
if dynamicCertLoader != nil {
|
|
return dynamicCertLoader()
|
|
}
|
|
if c.HasCertCallback() {
|
|
cert, err := c.TLS.GetCertHolder.GetCert()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
// GetCert may return empty value, meaning no cert.
|
|
if cert != nil {
|
|
return cert, nil
|
|
}
|
|
}
|
|
|
|
// Both c.TLS.CertData/KeyData were unset and GetCert didn't return
|
|
// anything. Return an empty tls.Certificate, no client cert will
|
|
// be sent to the server.
|
|
return &tls.Certificate{}, nil
|
|
}
|
|
}
|
|
|
|
return tlsConfig, nil
|
|
}
|
|
|
|
// loadTLSFiles copies the data from the CertFile, KeyFile, and CAFile fields into the CertData,
|
|
// KeyData, and CAFile fields, or returns an error. If no error is returned, all three fields are
|
|
// either populated or were empty to start.
|
|
func loadTLSFiles(c *Config) error {
|
|
var err error
|
|
c.TLS.CAData, err = dataFromSliceOrFile(c.TLS.CAData, c.TLS.CAFile)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Check that we are purely loading from files
|
|
if len(c.TLS.CertFile) > 0 && len(c.TLS.CertData) == 0 && len(c.TLS.KeyFile) > 0 && len(c.TLS.KeyData) == 0 {
|
|
c.TLS.ReloadTLSFiles = true
|
|
}
|
|
|
|
c.TLS.CertData, err = dataFromSliceOrFile(c.TLS.CertData, c.TLS.CertFile)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
c.TLS.KeyData, err = dataFromSliceOrFile(c.TLS.KeyData, c.TLS.KeyFile)
|
|
return err
|
|
}
|
|
|
|
// dataFromSliceOrFile returns data from the slice (if non-empty), or from the file,
|
|
// or an error if an error occurred reading the file
|
|
func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
|
|
if len(data) > 0 {
|
|
return data, nil
|
|
}
|
|
if len(file) > 0 {
|
|
fileData, err := os.ReadFile(file)
|
|
if err != nil {
|
|
return []byte{}, err
|
|
}
|
|
return fileData, nil
|
|
}
|
|
return nil, nil
|
|
}
|
|
|
|
// rootCertPool returns nil if caData is empty. When passed along, this will mean "use system CAs".
|
|
// When caData is not empty, it will be the ONLY information used in the CertPool.
|
|
func rootCertPool(caData []byte) (*x509.CertPool, error) {
|
|
// What we really want is a copy of x509.systemRootsPool, but that isn't exposed. It's difficult to build (see the go
|
|
// code for a look at the platform specific insanity), so we'll use the fact that RootCAs == nil gives us the system values
|
|
// It doesn't allow trusting either/or, but hopefully that won't be an issue
|
|
if len(caData) == 0 {
|
|
return nil, nil
|
|
}
|
|
|
|
// if we have caData, use it
|
|
certPool := x509.NewCertPool()
|
|
if ok := certPool.AppendCertsFromPEM(caData); !ok {
|
|
return nil, createErrorParsingCAData(caData)
|
|
}
|
|
return certPool, nil
|
|
}
|
|
|
|
// createErrorParsingCAData ALWAYS returns an error. We call it because know we failed to AppendCertsFromPEM
|
|
// but we don't know the specific error because that API is just true/false
|
|
func createErrorParsingCAData(pemCerts []byte) error {
|
|
for len(pemCerts) > 0 {
|
|
var block *pem.Block
|
|
block, pemCerts = pem.Decode(pemCerts)
|
|
if block == nil {
|
|
return fmt.Errorf("unable to parse bytes as PEM block")
|
|
}
|
|
|
|
if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
|
|
continue
|
|
}
|
|
|
|
if _, err := x509.ParseCertificate(block.Bytes); err != nil {
|
|
return fmt.Errorf("failed to parse certificate: %w", err)
|
|
}
|
|
}
|
|
return fmt.Errorf("no valid certificate authority data seen")
|
|
}
|
|
|
|
// WrapperFunc wraps an http.RoundTripper when a new transport
|
|
// is created for a client, allowing per connection behavior
|
|
// to be injected.
|
|
type WrapperFunc func(rt http.RoundTripper) http.RoundTripper
|
|
|
|
// Wrappers accepts any number of wrappers and returns a wrapper
|
|
// function that is the equivalent of calling each of them in order. Nil
|
|
// values are ignored, which makes this function convenient for incrementally
|
|
// wrapping a function.
|
|
func Wrappers(fns ...WrapperFunc) WrapperFunc {
|
|
if len(fns) == 0 {
|
|
return nil
|
|
}
|
|
// optimize the common case of wrapping a possibly nil transport wrapper
|
|
// with an additional wrapper
|
|
if len(fns) == 2 && fns[0] == nil {
|
|
return fns[1]
|
|
}
|
|
return func(rt http.RoundTripper) http.RoundTripper {
|
|
base := rt
|
|
for _, fn := range fns {
|
|
if fn != nil {
|
|
base = fn(base)
|
|
}
|
|
}
|
|
return base
|
|
}
|
|
}
|
|
|
|
// ContextCanceller prevents new requests after the provided context is finished.
|
|
// err is returned when the context is closed, allowing the caller to provide a context
|
|
// appropriate error.
|
|
func ContextCanceller(ctx context.Context, err error) WrapperFunc {
|
|
return func(rt http.RoundTripper) http.RoundTripper {
|
|
return &contextCanceller{
|
|
ctx: ctx,
|
|
rt: rt,
|
|
err: err,
|
|
}
|
|
}
|
|
}
|
|
|
|
type contextCanceller struct {
|
|
ctx context.Context
|
|
rt http.RoundTripper
|
|
err error
|
|
}
|
|
|
|
func (b *contextCanceller) RoundTrip(req *http.Request) (*http.Response, error) {
|
|
select {
|
|
case <-b.ctx.Done():
|
|
return nil, b.err
|
|
default:
|
|
return b.rt.RoundTrip(req)
|
|
}
|
|
}
|
|
|
|
func tryCancelRequest(rt http.RoundTripper, req *http.Request) {
|
|
type canceler interface {
|
|
CancelRequest(*http.Request)
|
|
}
|
|
switch rt := rt.(type) {
|
|
case canceler:
|
|
rt.CancelRequest(req)
|
|
case utilnet.RoundTripperWrapper:
|
|
tryCancelRequest(rt.WrappedRoundTripper(), req)
|
|
default:
|
|
klog.Warningf("Unable to cancel request for %T", rt)
|
|
}
|
|
}
|
|
|
|
type certificateCacheEntry struct {
|
|
cert *tls.Certificate
|
|
err error
|
|
birth time.Time
|
|
}
|
|
|
|
// isStale returns true when this cache entry is too old to be usable
|
|
func (c *certificateCacheEntry) isStale() bool {
|
|
return time.Since(c.birth) > time.Second
|
|
}
|
|
|
|
func newCertificateCacheEntry(certFile, keyFile string) certificateCacheEntry {
|
|
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
|
|
return certificateCacheEntry{cert: &cert, err: err, birth: time.Now()}
|
|
}
|
|
|
|
// cachingCertificateLoader ensures that we don't hammer the filesystem when opening many connections
|
|
// the underlying cert files are read at most once every second
|
|
func cachingCertificateLoader(certFile, keyFile string) func() (*tls.Certificate, error) {
|
|
current := newCertificateCacheEntry(certFile, keyFile)
|
|
var currentMtx sync.RWMutex
|
|
|
|
return func() (*tls.Certificate, error) {
|
|
currentMtx.RLock()
|
|
if current.isStale() {
|
|
currentMtx.RUnlock()
|
|
|
|
currentMtx.Lock()
|
|
defer currentMtx.Unlock()
|
|
|
|
if current.isStale() {
|
|
current = newCertificateCacheEntry(certFile, keyFile)
|
|
}
|
|
} else {
|
|
defer currentMtx.RUnlock()
|
|
}
|
|
|
|
return current.cert, current.err
|
|
}
|
|
}
|