Commit 806a7991 by beorn7

Update exporter-toolkit dependency to 0.5.1

Signed-off-by: 's avatarbeorn7 <beorn@grafana.com>
parent 02e92236
......@@ -46,8 +46,8 @@ import (
"github.com/prometheus/common/promlog"
promlogflag "github.com/prometheus/common/promlog/flag"
"github.com/prometheus/common/version"
"github.com/prometheus/exporter-toolkit/https"
httpsflag "github.com/prometheus/exporter-toolkit/https/kingpinflag"
toolkit_web "github.com/prometheus/exporter-toolkit/web"
httpsflag "github.com/prometheus/exporter-toolkit/web/kingpinflag"
jcfg "github.com/uber/jaeger-client-go/config"
jprom "github.com/uber/jaeger-lib/metrics/prometheus"
"go.uber.org/atomic"
......@@ -568,7 +568,7 @@ func main() {
os.Exit(1)
}
err = https.Validate(*httpsConfig)
err = toolkit_web.Validate(*httpsConfig)
if err != nil {
level.Error(logger).Log("msg", "Unable to validate web configuration file", "err", err)
os.Exit(1)
......
......@@ -37,7 +37,7 @@ import (
config_util "github.com/prometheus/common/config"
"github.com/prometheus/common/model"
"github.com/prometheus/common/version"
"github.com/prometheus/exporter-toolkit/https"
toolkit_web "github.com/prometheus/exporter-toolkit/web"
"gopkg.in/alecthomas/kingpin.v2"
"github.com/prometheus/prometheus/config"
......@@ -249,7 +249,7 @@ func CheckWebConfig(files ...string) int {
failed := false
for _, f := range files {
if err := https.Validate(f); err != nil {
if err := toolkit_web.Validate(f); err != nil {
fmt.Fprintln(os.Stderr, f, "FAILED:", err)
failed = true
continue
......
......@@ -52,7 +52,7 @@ require (
github.com/prometheus/client_golang v1.9.0
github.com/prometheus/client_model v0.2.0
github.com/prometheus/common v0.15.0
github.com/prometheus/exporter-toolkit v0.4.0
github.com/prometheus/exporter-toolkit v0.5.1
github.com/samuel/go-zookeeper v0.0.0-20201211165307-7117e9ea2414
github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749
github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546
......
......@@ -711,8 +711,8 @@ github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8b
github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
github.com/prometheus/common v0.15.0 h1:4fgOnadei3EZvgRwxJ7RMpG1k1pOZth5Pc13tyspaKM=
github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
github.com/prometheus/exporter-toolkit v0.4.0 h1:O7Bw+ZKEMzW7vD10IuVF70b8EE4JIG7BvHFj9UKz49g=
github.com/prometheus/exporter-toolkit v0.4.0/go.mod h1:OCkM4805mmisBhLmVFw858QYi3v0wKdY6/UxrT0pZVg=
github.com/prometheus/exporter-toolkit v0.5.1 h1:9eqgis5er9xN613ZSADjypCJaDGj9ZlcWBvsIHa8/3c=
github.com/prometheus/exporter-toolkit v0.5.1/go.mod h1:OCkM4805mmisBhLmVFw858QYi3v0wKdY6/UxrT0pZVg=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
......
# HTTPS Package for Prometheus
The `https` directory contains a Go package and a sample configuration file for
running `node_exporter` with HTTPS instead of HTTP. We currently support TLS 1.3
and TLS 1.2.
To run a server with TLS, use the flag `--web.config`.
e.g. `./node_exporter --web.config="web-config.yml"`
If the config is kept within the https directory.
The config file should be written in YAML format, and is reloaded on each connection to check for new certificates and/or authentication policy.
## Sample Config
```
tls_server_config:
# Certificate and key files for server to use to authenticate to client.
cert_file: <filename>
key_file: <filename>
# Server policy for client authentication. Maps to ClientAuth Policies.
# For more detail on clientAuth options: [ClientAuthType](https://golang.org/pkg/crypto/tls/#ClientAuthType)
[ client_auth_type: <string> | default = "NoClientCert" ]
# CA certificate for client certificate authentication to the server.
[ client_ca_file: <filename> ]
# Minimum TLS version that is acceptable.
[ min_version: <string> | default = "TLS12" ]
# Maximum TLS version that is acceptable.
[ max_version: <string> | default = "TLS13" ]
# List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
# Go default cipher suites are used. Available cipher suites are documented
# in the go documentation:
# https://golang.org/pkg/crypto/tls/#pkg-constants
[ cipher_suites:
[ - <string> ] ]
# prefer_server_cipher_suites controls whether the server selects the
# client's most preferred ciphersuite, or the server's most preferred
# ciphersuite. If true then the server's preference, as expressed in
# the order of elements in cipher_suites, is used.
[ prefer_server_cipher_suites: <bool> | default = true ]
# Elliptic curves that will be used in an ECDHE handshake, in preference
# order. Available curves are documented in the go documentation:
# https://golang.org/pkg/crypto/tls/#CurveID
[ curve_preferences:
[ - <string> ] ]
http_server_config:
# Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
# This can not be changed on the fly.
[ http2: <bool> | default = true ]
# Usernames and hashed passwords that have full access to the web
# server via basic authentication. If empty, no basic authentication is
# required. Passwords are hashed with bcrypt.
basic_auth_users:
[ <string>: <secret> ... ]
```
## About bcrypt
There are several tools out there to generate bcrypt passwords, e.g.
[htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html):
`htpasswd -nBC 10 "" | tr -d ':\n'`
That command will prompt you for a password and output the hashed password,
which will look something like:
`$2y$10$X0h1gDsPszWURQaxFh.zoubFi6DXncSjhoQNJgRrnGs7EsimhC7zG`
The cost (10 in the example) influences the time it takes for computing the
hash. A higher cost will en up slowing down the authentication process.
Depending on the machine, a cost of 10 will take about ~70ms where a cost of
18 can take up to a few seconds. That hash will be computed on every
password-protected request.
# web package
This package can be used by Prometheus exporters to enable TLS and
authentication.
We actively encourage the community to use this repository, to provide a
consistent experience across the ecosystem.
Developers documentation can be found on
[pkg.go.dev](https://pkg.go.dev/github.com/prometheus/exporter-toolkit/).
// Copyright 2021 The Prometheus Authors
// This code is partly borrowed from Caddy:
// Copyright 2015 Matthew Holt and The Caddy Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package web
import (
weakrand "math/rand"
"sync"
"time"
)
var cacheSize = 100
func init() {
weakrand.Seed(time.Now().UnixNano())
}
type cache struct {
cache map[string]bool
mtx sync.Mutex
}
// newCache returns a cache that contains a mapping of plaintext passwords
// to their hashes (with random eviction). This can greatly improve the
// performance of traffic-heavy servers that use secure password hashing
// algorithms, with the downside that plaintext passwords will be stored in
// memory for a longer time (this should not be a problem as long as your
// machine is not compromised, at which point all bets are off, since basicauth
// necessitates plaintext passwords being received over the wire anyway).
func newCache() *cache {
return &cache{
cache: make(map[string]bool),
}
}
func (c *cache) get(key string) (bool, bool) {
c.mtx.Lock()
defer c.mtx.Unlock()
v, ok := c.cache[key]
return v, ok
}
func (c *cache) set(key string, value bool) {
c.mtx.Lock()
defer c.mtx.Unlock()
c.makeRoom()
c.cache[key] = value
}
func (c *cache) makeRoom() {
if len(c.cache) < cacheSize {
return
}
// We delete more than just 1 entry so that we don't have
// to do this on every request; assuming the capacity of
// the cache is on a long tail, we can save a lot of CPU
// time by doing a whole bunch of deletions now and then
// we won't have to do them again for a while.
numToDelete := len(c.cache) / 10
if numToDelete < 1 {
numToDelete = 1
}
for deleted := 0; deleted <= numToDelete; deleted++ {
// Go maps are "nondeterministic" not actually random,
// so although we could just chop off the "front" of the
// map with less code, this is a heavily skewed eviction
// strategy; generating random numbers is cheap and
// ensures a much better distribution.
rnd := weakrand.Intn(len(c.cache))
i := 0
for key := range c.cache {
if i == rnd {
delete(c.cache, key)
break
}
i++
}
}
}
......@@ -11,8 +11,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
// Package https allows the implementation of TLS.
package https
package web
import (
"crypto/tls"
......@@ -174,9 +173,9 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
return cfg, nil
}
// Listen starts the server on the given address. Based on the file
// ListenAndServe starts the server on the given address. Based on the file
// tlsConfigPath, TLS or basic auth could be enabled.
func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error {
func ListenAndServe(server *http.Server, tlsConfigPath string, logger log.Logger) error {
listener, err := net.Listen("tcp", server.Addr)
if err != nil {
return err
......@@ -202,17 +201,19 @@ func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log
if server.Handler != nil {
handler = server.Handler
}
server.Handler = &userAuthRoundtrip{
tlsConfigPath: tlsConfigPath,
logger: logger,
handler: handler,
}
c, err := getConfig(tlsConfigPath)
if err != nil {
return err
}
server.Handler = &userAuthRoundtrip{
tlsConfigPath: tlsConfigPath,
logger: logger,
handler: handler,
cache: newCache(),
}
config, err := ConfigToTLSConfig(&c.TLSConfig)
switch err {
case nil:
......@@ -341,3 +342,11 @@ func (tv *tlsVersion) MarshalYAML() (interface{}, error) {
}
return fmt.Sprintf("%v", tv), nil
}
// Listen starts the server on the given address. Based on the file
// tlsConfigPath, TLS or basic auth could be enabled.
//
// Deprecated: Use ListenAndServe instead.
func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error {
return ListenAndServe(server, tlsConfigPath, logger)
}
// Copyright 2020 The Prometheus Authors
// This code is partly borrowed from Caddy:
// Copyright 2015 Matthew Holt and The Caddy Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
......@@ -11,10 +13,12 @@
// See the License for the specific language governing permissions and
// limitations under the License.
package https
package web
import (
"encoding/hex"
"net/http"
"sync"
"github.com/go-kit/kit/log"
"golang.org/x/crypto/bcrypt"
......@@ -40,6 +44,10 @@ type userAuthRoundtrip struct {
tlsConfigPath string
handler http.Handler
logger log.Logger
cache *cache
// bcryptMtx is there to ensure that bcrypt.CompareHashAndPassword is run
// only once in parallel as this is CPU intensive.
bcryptMtx sync.Mutex
}
func (u *userAuthRoundtrip) ServeHTTP(w http.ResponseWriter, r *http.Request) {
......@@ -57,11 +65,31 @@ func (u *userAuthRoundtrip) ServeHTTP(w http.ResponseWriter, r *http.Request) {
user, pass, auth := r.BasicAuth()
if auth {
if hashedPassword, ok := c.Users[user]; ok {
if err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass)); err == nil {
u.handler.ServeHTTP(w, r)
return
}
hashedPassword, validUser := c.Users[user]
if !validUser {
// The user is not found. Use a fixed password hash to
// prevent user enumeration by timing requests.
// This is a bcrypt-hashed version of "fakepassword".
hashedPassword = "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi"
}
cacheKey := hex.EncodeToString(append(append([]byte(user), []byte(hashedPassword)...), []byte(pass)...))
authOk, ok := u.cache.get(cacheKey)
if !ok {
// This user, hashedPassword, password is not cached.
u.bcryptMtx.Lock()
err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass))
u.bcryptMtx.Unlock()
authOk = err == nil
u.cache.set(cacheKey, authOk)
}
if authOk && validUser {
u.handler.ServeHTTP(w, r)
return
}
}
......
......@@ -395,10 +395,10 @@ github.com/prometheus/common/promlog/flag
github.com/prometheus/common/route
github.com/prometheus/common/server
github.com/prometheus/common/version
# github.com/prometheus/exporter-toolkit v0.4.0
# github.com/prometheus/exporter-toolkit v0.5.1
## explicit
github.com/prometheus/exporter-toolkit/https
github.com/prometheus/exporter-toolkit/https/kingpinflag
github.com/prometheus/exporter-toolkit/web
github.com/prometheus/exporter-toolkit/web/kingpinflag
# github.com/prometheus/procfs v0.2.0
github.com/prometheus/procfs
github.com/prometheus/procfs/internal/fs
......
......@@ -50,7 +50,7 @@ import (
"github.com/prometheus/common/model"
"github.com/prometheus/common/route"
"github.com/prometheus/common/server"
"github.com/prometheus/exporter-toolkit/https"
https "github.com/prometheus/exporter-toolkit/web"
"go.uber.org/atomic"
"golang.org/x/net/netutil"
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment