...

Source file src/cmd/vendor/github.com/google/pprof/internal/transport/transport.go

     1	// Copyright 2018 Google Inc. All Rights Reserved.
     2	//
     3	// Licensed under the Apache License, Version 2.0 (the "License");
     4	// you may not use this file except in compliance with the License.
     5	// You may obtain a copy of the License at
     6	//
     7	//     http://www.apache.org/licenses/LICENSE-2.0
     8	//
     9	// Unless required by applicable law or agreed to in writing, software
    10	// distributed under the License is distributed on an "AS IS" BASIS,
    11	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12	// See the License for the specific language governing permissions and
    13	// limitations under the License.
    14	
    15	// Package transport provides a mechanism to send requests with https cert,
    16	// key, and CA.
    17	package transport
    18	
    19	import (
    20		"crypto/tls"
    21		"crypto/x509"
    22		"fmt"
    23		"io/ioutil"
    24		"net/http"
    25		"sync"
    26	
    27		"github.com/google/pprof/internal/plugin"
    28	)
    29	
    30	type transport struct {
    31		cert       *string
    32		key        *string
    33		ca         *string
    34		caCertPool *x509.CertPool
    35		certs      []tls.Certificate
    36		initOnce   sync.Once
    37		initErr    error
    38	}
    39	
    40	const extraUsage = `    -tls_cert             TLS client certificate file for fetching profile and symbols
    41	    -tls_key              TLS private key file for fetching profile and symbols
    42	    -tls_ca               TLS CA certs file for fetching profile and symbols`
    43	
    44	// New returns a round tripper for making requests with the
    45	// specified cert, key, and ca. The flags tls_cert, tls_key, and tls_ca are
    46	// added to the flagset to allow a user to specify the cert, key, and ca. If
    47	// the flagset is nil, no flags will be added, and users will not be able to
    48	// use these flags.
    49	func New(flagset plugin.FlagSet) http.RoundTripper {
    50		if flagset == nil {
    51			return &transport{}
    52		}
    53		flagset.AddExtraUsage(extraUsage)
    54		return &transport{
    55			cert: flagset.String("tls_cert", "", "TLS client certificate file for fetching profile and symbols"),
    56			key:  flagset.String("tls_key", "", "TLS private key file for fetching profile and symbols"),
    57			ca:   flagset.String("tls_ca", "", "TLS CA certs file for fetching profile and symbols"),
    58		}
    59	}
    60	
    61	// initialize uses the cert, key, and ca to initialize the certs
    62	// to use these when making requests.
    63	func (tr *transport) initialize() error {
    64		var cert, key, ca string
    65		if tr.cert != nil {
    66			cert = *tr.cert
    67		}
    68		if tr.key != nil {
    69			key = *tr.key
    70		}
    71		if tr.ca != nil {
    72			ca = *tr.ca
    73		}
    74	
    75		if cert != "" && key != "" {
    76			tlsCert, err := tls.LoadX509KeyPair(cert, key)
    77			if err != nil {
    78				return fmt.Errorf("could not load certificate/key pair specified by -tls_cert and -tls_key: %v", err)
    79			}
    80			tr.certs = []tls.Certificate{tlsCert}
    81		} else if cert == "" && key != "" {
    82			return fmt.Errorf("-tls_key is specified, so -tls_cert must also be specified")
    83		} else if cert != "" && key == "" {
    84			return fmt.Errorf("-tls_cert is specified, so -tls_key must also be specified")
    85		}
    86	
    87		if ca != "" {
    88			caCertPool := x509.NewCertPool()
    89			caCert, err := ioutil.ReadFile(ca)
    90			if err != nil {
    91				return fmt.Errorf("could not load CA specified by -tls_ca: %v", err)
    92			}
    93			caCertPool.AppendCertsFromPEM(caCert)
    94			tr.caCertPool = caCertPool
    95		}
    96	
    97		return nil
    98	}
    99	
   100	// RoundTrip executes a single HTTP transaction, returning
   101	// a Response for the provided Request.
   102	func (tr *transport) RoundTrip(req *http.Request) (*http.Response, error) {
   103		tr.initOnce.Do(func() {
   104			tr.initErr = tr.initialize()
   105		})
   106		if tr.initErr != nil {
   107			return nil, tr.initErr
   108		}
   109	
   110		tlsConfig := &tls.Config{
   111			RootCAs:      tr.caCertPool,
   112			Certificates: tr.certs,
   113		}
   114	
   115		if req.URL.Scheme == "https+insecure" {
   116			// Make shallow copy of request, and req.URL, so the request's URL can be
   117			// modified.
   118			r := *req
   119			*r.URL = *req.URL
   120			req = &r
   121			tlsConfig.InsecureSkipVerify = true
   122			req.URL.Scheme = "https"
   123		}
   124	
   125		transport := http.Transport{
   126			Proxy:           http.ProxyFromEnvironment,
   127			TLSClientConfig: tlsConfig,
   128		}
   129	
   130		return transport.RoundTrip(req)
   131	}
   132

View as plain text