Skip to content
This repository has been archived by the owner on Dec 20, 2024. It is now read-only.

Commit

Permalink
feature: dfdaemon supports proxing https registries
Browse files Browse the repository at this point in the history
Signed-off-by: lowzj <[email protected]>
  • Loading branch information
lowzj committed Feb 25, 2019
1 parent 647698a commit fc8c0f4
Show file tree
Hide file tree
Showing 10 changed files with 501 additions and 64 deletions.
8 changes: 7 additions & 1 deletion cmd/dfdaemon/app/options/options.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,10 @@ type Options struct {
// TrustHosts includes the trusted hosts which dfdaemon forward their
// requests directly when dfdaemon is used to http_proxy mode.
TrustHosts []string

// ConfigPath is the path of dfdaemon's configuration file.
// default value is: /etc/dragonfly/dfdaemon.yml
ConfigPath string
}

// NewOption returns the default options.
Expand All @@ -88,7 +92,6 @@ func NewOption() *Options {
if absPath, err := filepath.Abs(path); err == nil {
defaultPath = filepath.Dir(absPath) + "/dfget"
}

}

o := &Options{
Expand Down Expand Up @@ -120,4 +123,7 @@ func (o *Options) AddFlags(fs *flag.FlagSet) {
fs.StringVar(&o.DownRule, "rule", "", "download the url by P2P if url matches the specified pattern,format:reg1,reg2,reg3")
fs.BoolVar(&o.Notbs, "notbs", true, "not try back source to download if throw exception")
fs.StringSliceVar(&o.TrustHosts, "trust-hosts", o.TrustHosts, "list of trusted hosts which dfdaemon forward their requests directly, comma separated.")

fs.StringVar(&o.ConfigPath, "config", "/etc/dragonfly/dfdaemon.yml",
"the path of dfdaemon's configuration file")
}
166 changes: 166 additions & 0 deletions dfdaemon/config/config.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,166 @@
/*
* Copyright The Dragonfly Authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package config

import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"regexp"
"strings"

"gopkg.in/yaml.v2"
)

// -----------------------------------------------------------------------------
// Properties

// NewProperties create a new properties with default values.
func NewProperties() *Properties {
return &Properties{}
}

// Properties holds all configurable properties of dfdaemon.
// The default path is '/etc/dragonfly/dfdaemon.yml'
type Properties struct {
Registries []*Registry `yaml:"registries"`
}

// Load loads properties from config file.
func (p *Properties) Load(path string) error {
if err := p.loadFromYaml(path); err != nil {
return err
}
var tmp []*Registry
for _, v := range p.Registries {
if v != nil {
if err := v.init(); err != nil {
return err
}
tmp = append(tmp, v)
}
}
p.Registries = tmp
return nil
}

func (p *Properties) loadFromYaml(path string) error {
yamlFile, err := ioutil.ReadFile(path)
if err != nil {
return fmt.Errorf("read yaml config from %s error: %v", path, err)
}
err = yaml.Unmarshal(yamlFile, p)
if err != nil {
return fmt.Errorf("unmarshal yaml error:%v", err)
}
return nil
}

// -----------------------------------------------------------------------------
// Registry

// NewRegistry create and init registry proxy with the giving values.
func NewRegistry(schema, host, regx string, certs []string) (*Registry, error) {
reg := &Registry{
Schema: schema,
Host: host,
Certs: certs,
Regx: regx,
}
if err := reg.init(); err != nil {
return nil, err
}
return reg, nil
}

// Registry is the proxied registry base information.
type Registry struct {
// Schema can be 'http', 'https' or empty. It will use dfdaemon's schema if
// it's empty.
Schema string `yaml:"schema"`

// Host is the host of proxied registry, including ip and port.
Host string `yaml:"host"`

// Certs is the path of server-side certification. It should be provided when
// the 'Schema' is 'https' and the dfdaemon is worked on proxy pattern and
// the proxied registry is self-certificated.
// The server-side certification could be get by using this command:
// openssl x509 -in <(openssl s_client -showcerts -servername xxx -connect xxx:443 -prexit 2>/dev/null)
Certs []string `yaml:"certs"`

// Regx is a regular expression, dfdaemon use this registry to process the
// requests whose host is matched.
Regx string `yaml:"regx"`

compiler *regexp.Regexp
tlsConfig *tls.Config
}

// Match reports whether the Registry matches the string s.
func (r *Registry) Match(s string) bool {
return r.compiler != nil && r.compiler.MatchString(s)
}

// TLSConfig returns a initialized tls.Config instance.
func (r *Registry) TLSConfig() *tls.Config {
return r.tlsConfig
}

func (r *Registry) init() error {
if err := r.validate(); err != nil {
return err
}

c, err := regexp.Compile(r.Regx)
if err != nil {
return err
}
r.compiler = c

return r.initTLSConfig()
}

func (r *Registry) validate() error {
r.Schema = strings.ToLower(r.Schema)
if r.Schema != "http" && r.Schema != "https" && r.Schema != "" {
return fmt.Errorf("invalid schema:%s", r.Schema)
}
return nil
}

func (r *Registry) initTLSConfig() error {
size := len(r.Certs)
if size <= 0 {
r.tlsConfig = &tls.Config{InsecureSkipVerify: true}
return nil
}

roots := x509.NewCertPool()
for i := 0; i < size; i++ {
cert, err := ioutil.ReadFile(r.Certs[i])
if err != nil {
return err
}
if !roots.AppendCertsFromPEM(cert) {
return fmt.Errorf("invalid cert:%s", r.Certs[i])
}
}
r.tlsConfig = &tls.Config{RootCAs: roots}
return nil
}
197 changes: 197 additions & 0 deletions dfdaemon/config/config_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,197 @@
/*
* Copyright The Dragonfly Authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package config

import (
"fmt"
"io/ioutil"
"os"
"path/filepath"
"strings"
"testing"

"github.com/go-check/check"
)

func Test(t *testing.T) {
check.TestingT(t)
}

func init() {
check.Suite(&ConfigTestSuite{})
}

var testCrt = `-----BEGIN CERTIFICATE-----
MIICKzCCAZQCCQDZrCsm2rX81DANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJD
TjERMA8GA1UECAwIWmhlamlhbmcxETAPBgNVBAcMCEhhbmd6aG91MQ4wDAYDVQQK
DAVsb3d6ajEVMBMGA1UEAwwMZGZkYWVtb24uY29tMB4XDTE5MDIyNTAyNDYwN1oX
DTE5MDMyNzAyNDYwN1owWjELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZWppYW5n
MREwDwYDVQQHDAhIYW5nemhvdTEOMAwGA1UECgwFbG93emoxFTATBgNVBAMMDGRm
ZGFlbW9uLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtX1VzZRg1tgF
D0AFkUW2FpakkrhRzFuukWepoN0LfFSS/rNf8v1823de1SkpXBHsm2pMf94BIdmY
NDWH1tk27i4V5xydjNqxbdjjNjGHedBAM2tRQWWQuJAEo12sWUVYwDyN7RbL6wnz
7Egeac023FA9JhfMxaDvJHqJHVuKW3kCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCT
VrDbo4m3QkcUT8ohuAUD8OHjTwJAuoxqVdHm+SpgjBYMLQgqXAPwaTGsIvx+32h2
J88xU3xXABE5QsNNbqLcMgQoXeMmqk1WuUhxXzTXT5h5gdW53faxV5M5Cb3zI8My
PPpBF5Cw+khgkJcY/ezKjHIvyABJwdzW8aAqwDBFAQ==
-----END CERTIFICATE-----`

type ConfigTestSuite struct {
workHome string
crtPath string
}

func (s *ConfigTestSuite) SetUpSuite(c *check.C) {
s.workHome, _ = ioutil.TempDir("/tmp", "dfget-ConfigTestSuite-")
s.crtPath = filepath.Join(s.workHome, "server.crt")
ioutil.WriteFile(s.crtPath, []byte(testCrt), os.ModePerm)
}

func (s *ConfigTestSuite) TearDownSuite(c *check.C) {
if s.workHome != "" {
os.RemoveAll(s.workHome)
}
}

func (s *ConfigTestSuite) TestProperties_Load(c *check.C) {
var f = func(schema ...string) *Properties {
var tmp []*Registry
for _, s := range schema {
r := &Registry{Schema: s}
r.init()
tmp = append(tmp, r)
}
return &Properties{Registries: tmp}
}
var cases = []struct {
create bool
content string
errMsg string
expected *Properties
}{
{create: false, content: "", errMsg: "read yaml", expected: nil},
{create: true, content: "-", errMsg: "unmarshal yaml", expected: nil},
{create: true, content: "registries:\n - regx: '^['",
errMsg: "missing closing", expected: nil},
{create: true, content: "registries:\n -", errMsg: "", expected: f()},
{
create: true,
content: "registries:\n - schema: http",
errMsg: "",
expected: f("http"),
},
}
for idx, v := range cases {
filename := filepath.Join(s.workHome, fmt.Sprintf("test-%d", idx))
if v.create {
ioutil.WriteFile(filename, []byte(v.content), os.ModePerm)
}
p := &Properties{}
err := p.Load(filename)
if v.expected != nil {
c.Assert(err, check.IsNil)
c.Assert(len(p.Registries), check.Equals, len(v.expected.Registries))
for i := 0; i < len(v.expected.Registries); i++ {
c.Assert(p.Registries[i], check.DeepEquals, v.expected.Registries[i])
}
} else {
c.Assert(err, check.NotNil)
c.Assert(strings.Contains(err.Error(), v.errMsg), check.Equals, true,
check.Commentf("error:%v expected:%s", err, v.errMsg))
}
}
}

func (s *ConfigTestSuite) TestRegistry_Match(c *check.C) {
var cases = []struct {
regx string
str string
errNotNil bool
matched bool
}{
{regx: "[a.com", str: "a.com", errNotNil: true, matched: false},
{regx: "a.com", str: "a.com", matched: true},
{regx: "a.com", str: "ba.com", matched: true},
{regx: "a.com", str: "a.comm", matched: true},
{regx: "^a.com", str: "ba.com", matched: false},
{regx: "^a.com$", str: "ba.com", matched: false},
{regx: "^a.com$", str: "a.comm", matched: false},
{regx: "^a.com$", str: "a.com", matched: true},
{regx: "", str: "a.com", matched: true},
}

for _, v := range cases {
reg, err := NewRegistry("", "", v.regx, nil)
if v.errNotNil {
c.Assert(err, check.NotNil)
} else {
c.Assert(err, check.IsNil)
c.Assert(reg.Match(v.str), check.Equals, v.matched,
check.Commentf("%v", v))
}
}
}

func (s *ConfigTestSuite) TestRegistry_validate(c *check.C) {
var cases = []struct {
schema string
err string
}{
{schema: "http", err: ""},
{schema: "https", err: ""},
{schema: "", err: ""},
{schema: "x", err: "invalid schema.*"},
}

for _, v := range cases {
reg := Registry{Schema: v.schema}
err := reg.init()
if v.err == "" {
c.Assert(err, check.IsNil)
} else {
c.Assert(err, check.NotNil)
c.Assert(err, check.ErrorMatches, v.err)
}
}
}

func (s *ConfigTestSuite) TestRegistry_initTLSConfig(c *check.C) {
invalidCrt := filepath.Join(s.workHome, "invalid.crt")
ioutil.WriteFile(invalidCrt, nil, os.ModePerm)

var cases = []struct {
crt string
err string
}{
{s.workHome, "read.*"},
{s.crtPath, ""},
{invalidCrt, "invalid cert.*"},
}

for _, v := range cases {
reg := Registry{Certs: []string{v.crt}}
err := reg.initTLSConfig()
if v.err == "" {
c.Assert(err, check.IsNil)
c.Assert(reg.TLSConfig(), check.NotNil)
} else {
c.Assert(reg.TLSConfig(), check.IsNil)
c.Assert(err, check.NotNil)
c.Assert(err, check.ErrorMatches, v.err)
}
}
}
Loading

0 comments on commit fc8c0f4

Please sign in to comment.