restic/internal/backend/http_transport.go

package backend

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"io/ioutil"
	"net"
	"net/http"
	"strings"
	"time"

	"github.com/restic/restic/internal/debug"
	"github.com/restic/restic/internal/errors"
)

// TransportOptions collects various options which can be set for an HTTP based
// transport.
type TransportOptions struct {
	// contains filenames of PEM encoded root certificates to trust
	RootCertFilenames []string

	// contains the name of a file containing the TLS client certificate and private key in PEM format
	TLSClientCertKeyFilename string
}

// readPEMCertKey reads a file and returns the PEM encoded certificate and key
// blocks.
func readPEMCertKey(filename string) (certs []byte, key []byte, err error) {
	data, err := ioutil.ReadFile(filename)
	if err != nil {
		return nil, nil, errors.Wrap(err, "ReadFile")
	}

	var block *pem.Block
	for {
		if len(data) == 0 {
			break
		}
		block, data = pem.Decode(data)
		if block == nil {
			break
		}

		switch {
		case strings.HasSuffix(block.Type, "CERTIFICATE"):
			certs = append(certs, pem.EncodeToMemory(block)...)
		case strings.HasSuffix(block.Type, "PRIVATE KEY"):
			if key != nil {
				return nil, nil, errors.Errorf("error loading TLS cert and key from %v: more than one private key found", filename)
			}
			key = pem.EncodeToMemory(block)
		default:
			return nil, nil, errors.Errorf("error loading TLS cert and key from %v: unknown block type %v found", filename, block.Type)
		}
	}

	return certs, key, nil
}

// Transport returns a new http.RoundTripper with default settings applied. If
// a custom rootCertFilename is non-empty, it must point to a valid PEM file,
// otherwise the function will return an error.
func Transport(opts TransportOptions) (http.RoundTripper, error) {
	// copied from net/http
	tr := &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		DialContext: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
			DualStack: true,
		}).DialContext,
		MaxIdleConns:          100,
		MaxIdleConnsPerHost:   100,
		IdleConnTimeout:       90 * time.Second,
		TLSHandshakeTimeout:   10 * time.Second,
		ExpectContinueTimeout: 1 * time.Second,
		TLSClientConfig:       &tls.Config{},
	}

	if opts.TLSClientCertKeyFilename != "" {
		certs, key, err := readPEMCertKey(opts.TLSClientCertKeyFilename)
		if err != nil {
			return nil, err
		}

		crt, err := tls.X509KeyPair(certs, key)
		if err != nil {
			return nil, errors.Errorf("parse TLS client cert or key: %v", err)
		}
		tr.TLSClientConfig.Certificates = []tls.Certificate{crt}
	}

	if opts.RootCertFilenames != nil {
		pool := x509.NewCertPool()
		for _, filename := range opts.RootCertFilenames {
			if filename == "" {
				return nil, errors.Errorf("empty filename for root certificate supplied")
			}
			b, err := ioutil.ReadFile(filename)
			if err != nil {
				return nil, errors.Errorf("unable to read root certificate: %v", err)
			}
			if ok := pool.AppendCertsFromPEM(b); !ok {
				return nil, errors.Errorf("cannot parse root certificate from %q", filename)
			}
		}
		tr.TLSClientConfig.RootCAs = pool
	}

	// wrap in the debug round tripper (if active)
	return debug.RoundTripper(tr), nil
}
Add custom HTTP transport 2017-05-01 19:30:52 +02:00			`package backend`

			`import (`
Add REST backend option to use CA root certificate Closes #1114. 2017-09-24 20:04:23 +02:00			`"crypto/tls"`
			`"crypto/x509"`
Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`"encoding/pem"`
Add REST backend option to use CA root certificate Closes #1114. 2017-09-24 20:04:23 +02:00			`"io/ioutil"`
Add custom HTTP transport 2017-05-01 19:30:52 +02:00			`"net"`
			`"net/http"`
Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`"strings"`
Add custom HTTP transport 2017-05-01 19:30:52 +02:00			`"time"`
Run goimports 2017-07-23 14:21:03 +02:00
			`"github.com/restic/restic/internal/debug"`
Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`"github.com/restic/restic/internal/errors"`
Add custom HTTP transport 2017-05-01 19:30:52 +02:00			`)`

Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`// TransportOptions collects various options which can be set for an HTTP based`
			`// transport.`
			`type TransportOptions struct {`
			`// contains filenames of PEM encoded root certificates to trust`
			`RootCertFilenames []string`

			`// contains the name of a file containing the TLS client certificate and private key in PEM format`
			`TLSClientCertKeyFilename string`
			`}`

			`// readPEMCertKey reads a file and returns the PEM encoded certificate and key`
			`// blocks.`
			`func readPEMCertKey(filename string) (certs []byte, key []byte, err error) {`
http backend: Parse the correct argument when loading --tls-client-cert Previously, the function read from ARGV[1] (hardcoded) rather than the value passed to it, the command-line argument as it exists in globalOptions. Resolves #1745 2018-04-30 15:05:06 -07:00			`data, err := ioutil.ReadFile(filename)`
Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`if err != nil {`
			`return nil, nil, errors.Wrap(err, "ReadFile")`
			`}`

			`var block *pem.Block`
			`for {`
			`if len(data) == 0 {`
			`break`
			`}`
			`block, data = pem.Decode(data)`
			`if block == nil {`
			`break`
			`}`

			`switch {`
			`case strings.HasSuffix(block.Type, "CERTIFICATE"):`
			`certs = append(certs, pem.EncodeToMemory(block)...)`
			`case strings.HasSuffix(block.Type, "PRIVATE KEY"):`
			`if key != nil {`
			`return nil, nil, errors.Errorf("error loading TLS cert and key from %v: more than one private key found", filename)`
			`}`
			`key = pem.EncodeToMemory(block)`
			`default:`
			`return nil, nil, errors.Errorf("error loading TLS cert and key from %v: unknown block type %v found", filename, block.Type)`
			`}`
			`}`

			`return certs, key, nil`
			`}`

Add REST backend option to use CA root certificate Closes #1114. 2017-09-24 20:04:23 +02:00			`// Transport returns a new http.RoundTripper with default settings applied. If`
			`// a custom rootCertFilename is non-empty, it must point to a valid PEM file,`
			`// otherwise the function will return an error.`
Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`func Transport(opts TransportOptions) (http.RoundTripper, error) {`
Add custom HTTP transport 2017-05-01 19:30:52 +02:00			`// copied from net/http`
			`tr := &http.Transport{`
			`Proxy: http.ProxyFromEnvironment,`
			`DialContext: (&net.Dialer{`
			`Timeout: 30 * time.Second,`
			`KeepAlive: 30 * time.Second,`
			`DualStack: true,`
			`}).DialContext,`
			`MaxIdleConns: 100,`
Allow many idle connections per host Closes #985 2017-05-31 19:39:19 +02:00			`MaxIdleConnsPerHost: 100,`
Add custom HTTP transport 2017-05-01 19:30:52 +02:00			`IdleConnTimeout: 90 * time.Second,`
			`TLSHandshakeTimeout: 10 * time.Second,`
			`ExpectContinueTimeout: 1 * time.Second,`
Support for TLS client certificate authentication This adds --tls-client-cert and --tls-client-key parameters and enables use of that certificate/key pair when connecting to https servers. 2017-12-29 19:51:13 -08:00			`TLSClientConfig: &tls.Config{},`
			`}`

Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`if opts.TLSClientCertKeyFilename != "" {`
			`certs, key, err := readPEMCertKey(opts.TLSClientCertKeyFilename)`
Support for TLS client certificate authentication This adds --tls-client-cert and --tls-client-key parameters and enables use of that certificate/key pair when connecting to https servers. 2017-12-29 19:51:13 -08:00			`if err != nil {`
Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`return nil, err`
Support for TLS client certificate authentication This adds --tls-client-cert and --tls-client-key parameters and enables use of that certificate/key pair when connecting to https servers. 2017-12-29 19:51:13 -08:00			`}`
Add REST backend option to use CA root certificate Closes #1114. 2017-09-24 20:04:23 +02:00
Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`crt, err := tls.X509KeyPair(certs, key)`
Add REST backend option to use CA root certificate Closes #1114. 2017-09-24 20:04:23 +02:00			`if err != nil {`
Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`return nil, errors.Errorf("parse TLS client cert or key: %v", err)`
Add REST backend option to use CA root certificate Closes #1114. 2017-09-24 20:04:23 +02:00			`}`
Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`tr.TLSClientConfig.Certificates = []tls.Certificate{crt}`
Add REST backend option to use CA root certificate Closes #1114. 2017-09-24 20:04:23 +02:00			`}`

Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`if opts.RootCertFilenames != nil {`
			`pool := x509.NewCertPool()`
			`for _, filename := range opts.RootCertFilenames {`
			`if filename == "" {`
			`return nil, errors.Errorf("empty filename for root certificate supplied")`
			`}`
			`b, err := ioutil.ReadFile(filename)`
			`if err != nil {`
			`return nil, errors.Errorf("unable to read root certificate: %v", err)`
			`}`
			`if ok := pool.AppendCertsFromPEM(b); !ok {`
			`return nil, errors.Errorf("cannot parse root certificate from %q", filename)`
			`}`
			`}`
			`tr.TLSClientConfig.RootCAs = pool`
			`}`
Add REST backend option to use CA root certificate Closes #1114. 2017-09-24 20:04:23 +02:00
Read TLS client cert and key from the same file 2018-01-27 13:57:43 +01:00			`// wrap in the debug round tripper (if active)`
Add REST backend option to use CA root certificate Closes #1114. 2017-09-24 20:04:23 +02:00			`return debug.RoundTripper(tr), nil`
Add custom HTTP transport 2017-05-01 19:30:52 +02:00			`}`