1 /* 2 Copyright 2015 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package transport 18 19 import ( 20 "context" 21 "crypto/tls" 22 "net" 23 "net/http" 24 "net/url" 25 ) 26 27 // Config holds various options for establishing a transport. 28 type Config struct { 29 // UserAgent is an optional field that specifies the caller of this 30 // request. 31 UserAgent string 32 33 // The base TLS configuration for this transport. 34 TLS TLSConfig 35 36 // Username and password for basic authentication 37 Username string 38 Password string `datapolicy:"password"` 39 40 // Bearer token for authentication 41 BearerToken string `datapolicy:"token"` 42 43 // Path to a file containing a BearerToken. 44 // If set, the contents are periodically read. 45 // The last successfully read value takes precedence over BearerToken. 46 BearerTokenFile string 47 48 // Impersonate is the config that this Config will impersonate using 49 Impersonate ImpersonationConfig 50 51 // DisableCompression bypasses automatic GZip compression requests to the 52 // server. 53 DisableCompression bool 54 55 // Transport may be used for custom HTTP behavior. This attribute may 56 // not be specified with the TLS client certificate options. Use 57 // WrapTransport for most client level operations. 58 Transport http.RoundTripper 59 60 // WrapTransport will be invoked for custom HTTP behavior after the 61 // underlying transport is initialized (either the transport created 62 // from TLSClientConfig, Transport, or http.DefaultTransport). The 63 // config may layer other RoundTrippers on top of the returned 64 // RoundTripper. 65 // 66 // A future release will change this field to an array. Use config.Wrap() 67 // instead of setting this value directly. 68 WrapTransport WrapperFunc 69 70 // DialHolder specifies the dial function for creating unencrypted TCP connections. 71 // This struct indirection is used to make transport configs cacheable. 72 DialHolder *DialHolder 73 74 // Proxy is the proxy func to be used for all requests made by this 75 // transport. If Proxy is nil, http.ProxyFromEnvironment is used. If Proxy 76 // returns a nil *URL, no proxy is used. 77 // 78 // socks5 proxying does not currently support spdy streaming endpoints. 79 Proxy func(*http.Request) (*url.URL, error) 80 } 81 82 // DialHolder is used to make the wrapped function comparable so that it can be used as a map key. 83 type DialHolder struct { 84 Dial func(ctx context.Context, network, address string) (net.Conn, error) 85 } 86 87 // ImpersonationConfig has all the available impersonation options 88 type ImpersonationConfig struct { 89 // UserName matches user.Info.GetName() 90 UserName string 91 // UID matches user.Info.GetUID() 92 UID string 93 // Groups matches user.Info.GetGroups() 94 Groups []string 95 // Extra matches user.Info.GetExtra() 96 Extra map[string][]string 97 } 98 99 // HasCA returns whether the configuration has a certificate authority or not. 100 func (c *Config) HasCA() bool { 101 return len(c.TLS.CAData) > 0 || len(c.TLS.CAFile) > 0 102 } 103 104 // HasBasicAuth returns whether the configuration has basic authentication or not. 105 func (c *Config) HasBasicAuth() bool { 106 return len(c.Username) != 0 107 } 108 109 // HasTokenAuth returns whether the configuration has token authentication or not. 110 func (c *Config) HasTokenAuth() bool { 111 return len(c.BearerToken) != 0 || len(c.BearerTokenFile) != 0 112 } 113 114 // HasCertAuth returns whether the configuration has certificate authentication or not. 115 func (c *Config) HasCertAuth() bool { 116 return (len(c.TLS.CertData) != 0 || len(c.TLS.CertFile) != 0) && (len(c.TLS.KeyData) != 0 || len(c.TLS.KeyFile) != 0) 117 } 118 119 // HasCertCallback returns whether the configuration has certificate callback or not. 120 func (c *Config) HasCertCallback() bool { 121 return c.TLS.GetCertHolder != nil 122 } 123 124 // Wrap adds a transport middleware function that will give the caller 125 // an opportunity to wrap the underlying http.RoundTripper prior to the 126 // first API call being made. The provided function is invoked after any 127 // existing transport wrappers are invoked. 128 func (c *Config) Wrap(fn WrapperFunc) { 129 c.WrapTransport = Wrappers(c.WrapTransport, fn) 130 } 131 132 // TLSConfig holds the information needed to set up a TLS transport. 133 type TLSConfig struct { 134 CAFile string // Path of the PEM-encoded server trusted root certificates. 135 CertFile string // Path of the PEM-encoded client certificate. 136 KeyFile string // Path of the PEM-encoded client key. 137 ReloadTLSFiles bool // Set to indicate that the original config provided files, and that they should be reloaded 138 139 Insecure bool // Server should be accessed without verifying the certificate. For testing only. 140 ServerName string // Override for the server name passed to the server for SNI and used to verify certificates. 141 142 CAData []byte // Bytes of the PEM-encoded server trusted root certificates. Supercedes CAFile. 143 CertData []byte // Bytes of the PEM-encoded client certificate. Supercedes CertFile. 144 KeyData []byte // Bytes of the PEM-encoded client key. Supercedes KeyFile. 145 146 // NextProtos is a list of supported application level protocols, in order of preference. 147 // Used to populate tls.Config.NextProtos. 148 // To indicate to the server http/1.1 is preferred over http/2, set to ["http/1.1", "h2"] (though the server is free to ignore that preference). 149 // To use only http/1.1, set to ["http/1.1"]. 150 NextProtos []string 151 152 // Callback that returns a TLS client certificate. CertData, CertFile, KeyData and KeyFile supercede this field. 153 // This struct indirection is used to make transport configs cacheable. 154 GetCertHolder *GetCertHolder 155 } 156 157 // GetCertHolder is used to make the wrapped function comparable so that it can be used as a map key. 158 type GetCertHolder struct { 159 GetCert func() (*tls.Certificate, error) 160 } 161