| 
									
										
										
										
											2017-05-01 19:30:52 +02:00
										 |  |  | package backend | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							| 
									
										
										
										
											2017-09-24 20:04:23 +02:00
										 |  |  | 	"crypto/tls" | 
					
						
							|  |  |  | 	"crypto/x509" | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | 	"encoding/pem" | 
					
						
							| 
									
										
										
										
											2017-09-24 20:04:23 +02:00
										 |  |  | 	"io/ioutil" | 
					
						
							| 
									
										
										
										
											2017-05-01 19:30:52 +02:00
										 |  |  | 	"net" | 
					
						
							|  |  |  | 	"net/http" | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | 	"strings" | 
					
						
							| 
									
										
										
										
											2017-05-01 19:30:52 +02:00
										 |  |  | 	"time" | 
					
						
							| 
									
										
										
										
											2017-07-23 14:21:03 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	"github.com/restic/restic/internal/debug" | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | 	"github.com/restic/restic/internal/errors" | 
					
						
							| 
									
										
										
										
											2017-05-01 19:30:52 +02:00
										 |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | // TransportOptions collects various options which can be set for an HTTP based | 
					
						
							|  |  |  | // transport. | 
					
						
							|  |  |  | type TransportOptions struct { | 
					
						
							|  |  |  | 	// contains filenames of PEM encoded root certificates to trust | 
					
						
							|  |  |  | 	RootCertFilenames []string | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	// contains the name of a file containing the TLS client certificate and private key in PEM format | 
					
						
							|  |  |  | 	TLSClientCertKeyFilename string | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // readPEMCertKey reads a file and returns the PEM encoded certificate and key | 
					
						
							|  |  |  | // blocks. | 
					
						
							|  |  |  | func readPEMCertKey(filename string) (certs []byte, key []byte, err error) { | 
					
						
							| 
									
										
										
										
											2018-04-30 15:05:06 -07:00
										 |  |  | 	data, err := ioutil.ReadFile(filename) | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, errors.Wrap(err, "ReadFile") | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	var block *pem.Block | 
					
						
							|  |  |  | 	for { | 
					
						
							|  |  |  | 		if len(data) == 0 { | 
					
						
							|  |  |  | 			break | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		block, data = pem.Decode(data) | 
					
						
							|  |  |  | 		if block == nil { | 
					
						
							|  |  |  | 			break | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		switch { | 
					
						
							|  |  |  | 		case strings.HasSuffix(block.Type, "CERTIFICATE"): | 
					
						
							|  |  |  | 			certs = append(certs, pem.EncodeToMemory(block)...) | 
					
						
							|  |  |  | 		case strings.HasSuffix(block.Type, "PRIVATE KEY"): | 
					
						
							|  |  |  | 			if key != nil { | 
					
						
							|  |  |  | 				return nil, nil, errors.Errorf("error loading TLS cert and key from %v: more than one private key found", filename) | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			key = pem.EncodeToMemory(block) | 
					
						
							|  |  |  | 		default: | 
					
						
							|  |  |  | 			return nil, nil, errors.Errorf("error loading TLS cert and key from %v: unknown block type %v found", filename, block.Type) | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return certs, key, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-09-24 20:04:23 +02:00
										 |  |  | // Transport returns a new http.RoundTripper with default settings applied. If | 
					
						
							|  |  |  | // a custom rootCertFilename is non-empty, it must point to a valid PEM file, | 
					
						
							|  |  |  | // otherwise the function will return an error. | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | func Transport(opts TransportOptions) (http.RoundTripper, error) { | 
					
						
							| 
									
										
										
										
											2017-05-01 19:30:52 +02:00
										 |  |  | 	// copied from net/http | 
					
						
							|  |  |  | 	tr := &http.Transport{ | 
					
						
							|  |  |  | 		Proxy: http.ProxyFromEnvironment, | 
					
						
							|  |  |  | 		DialContext: (&net.Dialer{ | 
					
						
							|  |  |  | 			Timeout:   30 * time.Second, | 
					
						
							|  |  |  | 			KeepAlive: 30 * time.Second, | 
					
						
							|  |  |  | 			DualStack: true, | 
					
						
							|  |  |  | 		}).DialContext, | 
					
						
							|  |  |  | 		MaxIdleConns:          100, | 
					
						
							| 
									
										
										
										
											2017-05-31 19:39:19 +02:00
										 |  |  | 		MaxIdleConnsPerHost:   100, | 
					
						
							| 
									
										
										
										
											2017-05-01 19:30:52 +02:00
										 |  |  | 		IdleConnTimeout:       90 * time.Second, | 
					
						
							|  |  |  | 		TLSHandshakeTimeout:   10 * time.Second, | 
					
						
							|  |  |  | 		ExpectContinueTimeout: 1 * time.Second, | 
					
						
							| 
									
										
										
										
											2017-12-29 19:51:13 -08:00
										 |  |  | 		TLSClientConfig:       &tls.Config{}, | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | 	if opts.TLSClientCertKeyFilename != "" { | 
					
						
							|  |  |  | 		certs, key, err := readPEMCertKey(opts.TLSClientCertKeyFilename) | 
					
						
							| 
									
										
										
										
											2017-12-29 19:51:13 -08:00
										 |  |  | 		if err != nil { | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | 			return nil, err | 
					
						
							| 
									
										
										
										
											2017-12-29 19:51:13 -08:00
										 |  |  | 		} | 
					
						
							| 
									
										
										
										
											2017-09-24 20:04:23 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | 		crt, err := tls.X509KeyPair(certs, key) | 
					
						
							| 
									
										
										
										
											2017-09-24 20:04:23 +02:00
										 |  |  | 		if err != nil { | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | 			return nil, errors.Errorf("parse TLS client cert or key: %v", err) | 
					
						
							| 
									
										
										
										
											2017-09-24 20:04:23 +02:00
										 |  |  | 		} | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | 		tr.TLSClientConfig.Certificates = []tls.Certificate{crt} | 
					
						
							| 
									
										
										
										
											2017-09-24 20:04:23 +02:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | 	if opts.RootCertFilenames != nil { | 
					
						
							|  |  |  | 		pool := x509.NewCertPool() | 
					
						
							|  |  |  | 		for _, filename := range opts.RootCertFilenames { | 
					
						
							|  |  |  | 			if filename == "" { | 
					
						
							|  |  |  | 				return nil, errors.Errorf("empty filename for root certificate supplied") | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			b, err := ioutil.ReadFile(filename) | 
					
						
							|  |  |  | 			if err != nil { | 
					
						
							|  |  |  | 				return nil, errors.Errorf("unable to read root certificate: %v", err) | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			if ok := pool.AppendCertsFromPEM(b); !ok { | 
					
						
							|  |  |  | 				return nil, errors.Errorf("cannot parse root certificate from %q", filename) | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		tr.TLSClientConfig.RootCAs = pool | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2017-09-24 20:04:23 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-01-27 13:57:43 +01:00
										 |  |  | 	// wrap in the debug round tripper (if active) | 
					
						
							| 
									
										
										
										
											2017-09-24 20:04:23 +02:00
										 |  |  | 	return debug.RoundTripper(tr), nil | 
					
						
							| 
									
										
										
										
											2017-05-01 19:30:52 +02:00
										 |  |  | } |