From dbfe523dc1b2fdf97d15ff2b9d7beb550cbdcc65 Mon Sep 17 00:00:00 2001 From: Gerhard Lausser Date: Sat, 10 Sep 2016 19:42:31 +0200 Subject: [PATCH] http: implement TLS and InsecureSkipVerify (#58) --- README.md | 2 ++ http.go | 9 ++++++++ http_test.go | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++ main.go | 1 + 4 files changed, 70 insertions(+) diff --git a/README.md b/README.md index 809aed2..8478071 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,8 @@ modules: - "Could not connect to database" fail_if_not_matches_regexp: - "Download the latest version here" + tls_config: + insecure_skip_verify: false tcp_connect: prober: tcp timeout: 5s diff --git a/http.go b/http.go index c246f5f..df8ddba 100644 --- a/http.go +++ b/http.go @@ -62,6 +62,15 @@ func probeHTTP(target string, w http.ResponseWriter, module Module) (success boo Timeout: module.Timeout, } + tlsconfig, err := module.HTTP.TLSConfig.GenerateConfig() + if err != nil { + log.Errorf("Error generating TLS config: %s", err) + return false + } + client.Transport = &http.Transport{ + TLSClientConfig: tlsconfig, + } + client.CheckRedirect = func(_ *http.Request, via []*http.Request) error { redirects = len(via) if redirects > 10 || config.NoFollowRedirects { diff --git a/http_test.go b/http_test.go index cddfe2f..85877b5 100644 --- a/http_test.go +++ b/http_test.go @@ -15,6 +15,7 @@ package main import ( "fmt" + "github.com/prometheus/common/config" "net/http" "net/http/httptest" "strings" 
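Review bot: In the http.go hunk, `client.Transport = &http.Transport{TLSClientConfig: tlsconfig}` builds a bare transport on every probe, so the client no longer gets what `http.DefaultTransport` provided. Proxy settings from the environment are dropped, and each probe's idle keep-alive connection sits in a per-transport pool that no later probe reuses. Since the client is created per call, I would write `client.Transport = &http.Transport{TLSClientConfig: tlsconfig, Proxy: http.ProxyFromEnvironment, DisableKeepAlives: true}`. probeHTTP starts and ends outside the hunk, so whether the response body is closed cannot be checked from here.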
@@ -268,3 +269,60 @@ func TestHTTPHeaders(t *testing.T) {
 t.Fatalf("Probe failed unexpectedly.")
 }
 }
+
+func TestFailIfSelfSignedCA(t *testing.T) {
+ ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ }))
+ defer ts.Close()
+
+ recorder := httptest.NewRecorder()
+ result := probeHTTP(ts.URL, recorder,
+ Module{Timeout: time.Second, HTTP: HTTPProbe{
+ TLSConfig: config.TLSConfig{InsecureSkipVerify: false},
+ }})
+ body := recorder.Body.String()
+ if result {
+ t.Fatalf("Fail if selfsigned CA test suceeded unexpectedly, got %s", body)
+ }
+ if !strings.Contains(body, "probe_http_ssl 0\n") {
+ t.Fatalf("Expected HTTP without SSL because of CA failure, got %s", body)
+ }
+}
+
+func TestSucceedIfSelfSignedCA(t *testing.T) {
+ ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ }))
+ defer ts.Close()
+
+ recorder := httptest.NewRecorder()
+ result := probeHTTP(ts.URL, recorder,
+ Module{Timeout: time.Second, HTTP: HTTPProbe{
+ TLSConfig: config.TLSConfig{InsecureSkipVerify: true},
+ }})
+ body := recorder.Body.String()
+ if !result {
+ t.Fatalf("Fail if (not strict) selfsigned CA test fails unexpectedly, got %s", body)
+ }
+ if !strings.Contains(body, "probe_http_ssl 1\n") {
+ t.Fatalf("Expected HTTP with SSL, got %s", body)
+ }
+}
+
+func TestTLSConfigIsIgnoredForPlainHTTP(t *testing.T) {
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ }))
+ defer ts.Close()
+
+ recorder := httptest.NewRecorder()
+ result := probeHTTP(ts.URL, recorder,
+ Module{Timeout: time.Second, HTTP: HTTPProbe{
+ TLSConfig: config.TLSConfig{InsecureSkipVerify: false},
+ }})
+ body := recorder.Body.String()
+ if !result {
+ t.Fatalf("Fail if InsecureSkipVerify affects simple http fails unexpectedly, got %s", body)
+ }
+ if !strings.Contains(body, "probe_http_ssl 0\n") {
+ t.Fatalf("Expected HTTP without SSL, got %s", body)
+ }
+}
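Review bot: The only TLS probe expected to succeed here, TestSucceedIfSelfSignedCA, runs with `InsecureSkipVerify: true`, so nothing in this hunk shows a probe passing when verification is on and the server's certificate is trusted. A test that writes the httptest server's certificate to a temporary PEM file and passes it as `CAFile` would cover the verified path and catch a change that makes every verified handshake fail. The sketch below assumes `ts.TLS.Certificates` is populated once `NewTLSServer` returns, and it needs `encoding/pem`, `io/ioutil` and `os` in the import block. Separately, `suceeded` in the first test's failure message is misspelled.

```go
func TestSucceedIfCAFileTrustsServer(t *testing.T) {
	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	}))
	defer ts.Close()

	// Use the test server's own certificate as the trusted CA bundle.
	caFile, err := ioutil.TempFile("", "probe-ca")
	if err != nil {
		t.Fatalf("Error creating CA file: %s", err)
	}
	defer os.Remove(caFile.Name())
	der := ts.TLS.Certificates[0].Certificate[0]
	if err := pem.Encode(caFile, &pem.Block{Type: "CERTIFICATE", Bytes: der}); err != nil {
		t.Fatalf("Error writing CA file: %s", err)
	}
	if err := caFile.Close(); err != nil {
		t.Fatalf("Error closing CA file: %s", err)
	}

	recorder := httptest.NewRecorder()
	result := probeHTTP(ts.URL, recorder,
		Module{Timeout: time.Second, HTTP: HTTPProbe{
			TLSConfig: config.TLSConfig{CAFile: caFile.Name()},
		}})
	body := recorder.Body.String()
	if !result {
		t.Fatalf("Verified TLS probe failed unexpectedly, got %s", body)
	}
	if !strings.Contains(body, "probe_http_ssl 1\n") {
		t.Fatalf("Expected HTTP with SSL, got %s", body)
	}
}
```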
diff --git a/main.go b/main.go index b8447d1..db2844c 100644 --- a/main.go +++ b/main.go @@ -58,6 +58,7 @@ type HTTPProbe struct { Headers map[string]string `yaml:"headers"` FailIfMatchesRegexp []string `yaml:"fail_if_matches_regexp"` FailIfNotMatchesRegexp []string `yaml:"fail_if_not_matches_regexp"` + TLSConfig config.TLSConfig `yaml:"tls_config"` } type QueryResponse struct { -- 2.25.1
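Review bot: The new `TLSConfig` field in `HTTPProbe` has no comment, although it is the one setting in this struct that can turn certificate verification off. I would add `// TLSConfig holds the TLS options for HTTPS targets; insecure_skip_verify disables certificate chain and hostname checks.` above it. With that option set, `probe_http_ssl 1` (as the new tests assert) only says that TLS was negotiated, not that the certificate was trusted, which is worth stating next to the `tls_config` example in the README. The struct begins above the hunk, so earlier fields are not visible here.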