implement using tls configuration

2018-08-02 13:42:48 -06:00 · 2018-08-02 13:42:48 -06:00 · 767b991089
parent 903bd6c14a
commit 767b991089
12 changed files with 140 additions and 42 deletions
--- a/client/influxdb.go
+++ b/client/influxdb.go
@ -118,6 +118,7 @@ type Config struct {
 	WriteConsistency string
 	UnsafeSsl        bool
 	Proxy            func(req *http.Request) (*url.URL, error)
+	TLS              *tls.Config
 }

 // NewConfig will create a config to be used in connecting to the client
@ -154,9 +155,11 @@ const (

 // NewClient will instantiate and return a connected client to issue commands to the server.
 func NewClient(c Config) (*Client, error) {
-	tlsConfig := &tls.Config{
-		InsecureSkipVerify: c.UnsafeSsl,
+	tlsConfig := new(tls.Config)
+	if c.TLS != nil {
+		tlsConfig = c.TLS.Clone()
 	}
+	tlsConfig.InsecureSkipVerify = c.UnsafeSsl

 	tr := &http.Transport{
 		Proxy:           c.Proxy,
--- a/cmd/influxd/run/config.go
+++ b/cmd/influxd/run/config.go
@ -191,6 +191,10 @@ func (c *Config) Validate() error {
 		}
 	}

+	if err := c.TLS.Validate(); err != nil {
+		return err
+	}
+
 	return nil
 }

--- a/cmd/influxd/run/server.go
+++ b/cmd/influxd/run/server.go
@ -1,6 +1,7 @@
 package run

 import (
+	"crypto/tls"
 	"fmt"
 	"io"
 	"log"
@ -101,8 +102,30 @@ type Server struct {
 	config *Config
 }

+// updateTLSConfig stores with into the tls config pointed at by into but only if with is not nil
+// and into is nil. Think of it as setting the default value.
+func updateTLSConfig(into **tls.Config, with *tls.Config) {
+	if with != nil && into != nil && *into == nil {
+		*into = with
+	}
+}
+
 // NewServer returns a new instance of Server built from a config.
 func NewServer(c *Config, buildInfo *BuildInfo) (*Server, error) {
+	// First grab the base tls config we will use for all clients and servers
+	tlsConfig, err := c.TLS.Parse()
+	if err != nil {
+		return nil, fmt.Errorf("tls configuration: %v", err)
+	}
+
+	// Update the TLS values on each of the configs to be the parsed one if
+	// not already specified (set the default).
+	updateTLSConfig(&c.HTTPD.TLS, tlsConfig)
+	updateTLSConfig(&c.Subscriber.TLS, tlsConfig)
+	for i := range c.OpenTSDBInputs {
+		updateTLSConfig(&c.OpenTSDBInputs[i].TLS, tlsConfig)
+	}
+
 	// We need to ensure that a meta directory always exists even if
 	// we don't start the meta store.  node.json is always stored under
 	// the meta directory.
@ -122,7 +145,7 @@ func NewServer(c *Config, buildInfo *BuildInfo) (*Server, error) {
 		}
 	}

-	_, err := influxdb.LoadNode(c.Meta.Dir)
+	_, err = influxdb.LoadNode(c.Meta.Dir)
 	if err != nil {
 		if !os.IsNotExist(err) {
 			return nil, err
--- a/cmd/influxd/run/tls_config.go
+++ b/cmd/influxd/run/tls_config.go
@ -12,11 +12,18 @@ type TLSConfig struct {
 	MaxVersion string   `toml:"max-version"`
 }

-func ParseTLSConfig(config TLSConfig) (*tls.Config, error) {
-	out := new(tls.Config)
+func (c TLSConfig) Validate() error {
+	_, err := c.Parse()
+	return err
+}

-	if len(config.Ciphers) > 0 {
-		for _, name := range config.Ciphers {
+func (c TLSConfig) Parse() (out *tls.Config, err error) {
+	if len(c.Ciphers) > 0 {
+		if out == nil {
+			out = new(tls.Config)
+		}
+
+		for _, name := range c.Ciphers {
 			cipher, ok := ciphersMap[strings.ToUpper(name)]
 			if !ok {
 				return nil, unknownCipher(name)
@ -25,18 +32,26 @@ func ParseTLSConfig(config TLSConfig) (*tls.Config, error) {
 		}
 	}

-	if config.MinVersion != "" {
-		version, ok := versionsMap[strings.ToUpper(config.MinVersion)]
+	if c.MinVersion != "" {
+		if out == nil {
+			out = new(tls.Config)
+		}
+
+		version, ok := versionsMap[strings.ToUpper(c.MinVersion)]
 		if !ok {
-			return nil, unknownVersion(config.MinVersion)
+			return nil, unknownVersion(c.MinVersion)
 		}
 		out.MinVersion = version
 	}

-	if config.MaxVersion != "" {
-		version, ok := versionsMap[strings.ToUpper(config.MaxVersion)]
+	if c.MaxVersion != "" {
+		if out == nil {
+			out = new(tls.Config)
+		}
+
+		version, ok := versionsMap[strings.ToUpper(c.MaxVersion)]
 		if !ok {
-			return nil, unknownVersion(config.MaxVersion)
+			return nil, unknownVersion(c.MaxVersion)
 		}
 		out.MaxVersion = version
 	}
@ -77,8 +92,11 @@ func unknownCipher(name string) error {
 var versionsMap = map[string]uint16{
 	"SSL3.0": tls.VersionSSL30,
 	"TLS1.0": tls.VersionTLS10,
+	"1.0":    tls.VersionTLS11,
 	"TLS1.1": tls.VersionTLS11,
+	"1.1":    tls.VersionTLS11,
 	"TLS1.2": tls.VersionTLS12,
+	"1.2":    tls.VersionTLS12,
 }

 func unknownVersion(name string) error {
--- a/etc/config.sample.toml
+++ b/etc/config.sample.toml
@ -487,7 +487,7 @@
  # bind-address = ":8089"
  # database = "udp"
  # retention-policy = ""
- 
+
  # InfluxDB precision for timestamps on received points ("" or "n", "u", "ms", "s", "m", "h")
  # precision = ""

@ -525,3 +525,26 @@

  # interval for how often continuous queries will be checked if they need to run
  # run-interval = "1s"
+
+###
+### [tls]
+###
+### Global configuration settings for TLS in InfluxDB.
+###
+
+[tls]
+  # Determines the available set of cipher suites. See https://golang.org/pkg/crypto/tls/#pkg-constants
+  # for a list of available ciphers, which depends on the version of Go. If not specified, uses
+  # the default settings from crypto/tls.
+  # ciphers = [
+  #   "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+  #   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+  # ]
+
+  # Minimum version of the tls protocol that will be negotiated. If not specified, uses the
+  # default settings from crypto/tls.
+  # min-version = "tls1.2"
+
+  # Maximum version of the tls protocol that will be negotiated. If not specified, uses the
+  # default settings from crypto/tls.
+  # max-version = "tls1.2"
--- a/services/httpd/config.go
+++ b/services/httpd/config.go
@ -1,6 +1,7 @@
 package httpd

 import (
+	"crypto/tls"
 	"time"

 	"github.com/influxdata/influxdb/monitor/diagnostics"
@ -50,6 +51,7 @@ type Config struct {
 	MaxConcurrentWriteLimit int           `toml:"max-concurrent-write-limit"`
 	MaxEnqueuedWriteLimit   int           `toml:"max-enqueued-write-limit"`
 	EnqueuedWriteTimeout    time.Duration `toml:"enqueued-write-timeout"`
+	TLS                     *tls.Config   `toml:"-"`
 }

 // NewConfig returns a new Config with default settings.
--- a/services/httpd/service.go
+++ b/services/httpd/service.go
@ -46,13 +46,14 @@ const (

 // Service manages the listener and handler for an HTTP endpoint.
 type Service struct {
-	ln    net.Listener
-	addr  string
-	https bool
-	cert  string
-	key   string
-	limit int
-	err   chan error
+	ln        net.Listener
+	addr      string
+	https     bool
+	cert      string
+	key       string
+	limit     int
+	tlsConfig *tls.Config
+	err       chan error

 	unixSocket         bool
 	unixSocketPerm     uint32
@ -73,6 +74,7 @@ func NewService(c Config) *Service {
 		cert:           c.HTTPSCertificate,
 		key:            c.HTTPSPrivateKey,
 		limit:          c.MaxConnectionLimit,
+		tlsConfig:      c.TLS,
 		err:            make(chan error),
 		unixSocket:     c.UnixSocketEnabled,
 		unixSocketPerm: uint32(c.UnixSocketPermissions),
@ -80,6 +82,9 @@ func NewService(c Config) *Service {
 		Handler:        NewHandler(c),
 		Logger:         zap.NewNop(),
 	}
+	if s.tlsConfig == nil {
+		s.tlsConfig = new(tls.Config)
+	}
 	if s.key == "" {
 		s.key = s.cert
 	}
@ -103,9 +108,10 @@ func (s *Service) Open() error {
 			return err
 		}

-		listener, err := tls.Listen("tcp", s.addr, &tls.Config{
-			Certificates: []tls.Certificate{cert},
-		})
+		tlsConfig := s.tlsConfig.Clone()
+		tlsConfig.Certificates = []tls.Certificate{cert}
+
+		listener, err := tls.Listen("tcp", s.addr, tlsConfig)
 		if err != nil {
 			return err
 		}
--- a/services/opentsdb/config.go
+++ b/services/opentsdb/config.go
@ -1,6 +1,7 @@
 package opentsdb

 import (
+	"crypto/tls"
 	"time"

 	"github.com/influxdata/influxdb/monitor/diagnostics"
@ -46,6 +47,7 @@ type Config struct {
 	BatchPending     int           `toml:"batch-pending"`
 	BatchTimeout     toml.Duration `toml:"batch-timeout"`
 	LogPointErrors   bool          `toml:"log-point-errors"`
+	TLS              *tls.Config   `toml:"-"`
 }

 // NewConfig returns a new config for the service.
--- a/services/opentsdb/service.go
+++ b/services/opentsdb/service.go
@ -47,9 +47,10 @@ type Service struct {
 	ln     net.Listener  // main listener
 	httpln *chanListener // http channel-based listener

-	wg   sync.WaitGroup
-	tls  bool
-	cert string
+	wg        sync.WaitGroup
+	tls       bool
+	tlsConfig *tls.Config
+	cert      string

 	mu    sync.RWMutex
 	ready bool          // Has the required database been created?
@ -86,6 +87,7 @@ func NewService(c Config) (*Service, error) {

 	s := &Service{
 		tls:             d.TLSEnabled,
+		tlsConfig:       d.TLS,
 		cert:            d.Certificate,
 		BindAddress:     d.BindAddress,
 		Database:        d.Database,
@ -98,6 +100,10 @@ func NewService(c Config) (*Service, error) {
 		stats:           &Statistics{},
 		defaultTags:     models.StatisticTags{"bind": d.BindAddress},
 	}
+	if s.tlsConfig == nil {
+		s.tlsConfig = new(tls.Config)
+	}
+
 	return s, nil
 }

@ -127,9 +133,10 @@ func (s *Service) Open() error {
 			return err
 		}

-		listener, err := tls.Listen("tcp", s.BindAddress, &tls.Config{
-			Certificates: []tls.Certificate{cert},
-		})
+		tlsConfig := s.tlsConfig.Clone()
+		tlsConfig.Certificates = []tls.Certificate{cert}
+
+		listener, err := tls.Listen("tcp", s.BindAddress, tlsConfig)
 		if err != nil {
 			return err
 		}
--- a/services/subscriber/config.go
+++ b/services/subscriber/config.go
@ -1,6 +1,7 @@
 package subscriber

 import (
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"os"
@ -42,6 +43,9 @@ type Config struct {

 	// The number of in-flight writes buffered in the write channel.
 	WriteBufferSize int `toml:"write-buffer-size"`
+
+	// TLS is a base tls config to use for https clients.
+	TLS *tls.Config `toml:"-"`
 }

 // NewConfig returns a new instance of a subscriber config.
--- a/services/subscriber/http.go
+++ b/services/subscriber/http.go
@ -17,12 +17,12 @@ type HTTP struct {

 // NewHTTP returns a new HTTP points writer with default options.
 func NewHTTP(addr string, timeout time.Duration) (*HTTP, error) {
-	return NewHTTPS(addr, timeout, false, "")
+	return NewHTTPS(addr, timeout, false, "", nil)
 }

 // NewHTTPS returns a new HTTPS points writer with default options and HTTPS configured.
-func NewHTTPS(addr string, timeout time.Duration, unsafeSsl bool, caCerts string) (*HTTP, error) {
-	tlsConfig, err := createTLSConfig(caCerts)
+func NewHTTPS(addr string, timeout time.Duration, unsafeSsl bool, caCerts string, tlsConfig *tls.Config) (*HTTP, error) {
+	tlsConfig, err := createTLSConfig(caCerts, tlsConfig)
 	if err != nil {
 		return nil, err
 	}
@ -54,22 +54,28 @@ func (h *HTTP) WritePoints(p *coordinator.WritePointsRequest) (err error) {
 	return
 }

-func createTLSConfig(caCerts string) (*tls.Config, error) {
+func createTLSConfig(caCerts string, tlsConfig *tls.Config) (*tls.Config, error) {
 	if caCerts == "" {
+		if tlsConfig != nil {
+			return tlsConfig.Clone(), nil
+		}
 		return nil, nil
 	}
-	return loadCaCerts(caCerts)
+	return loadCaCerts(caCerts, tlsConfig)
 }

-func loadCaCerts(caCerts string) (*tls.Config, error) {
+func loadCaCerts(caCerts string, tlsConfig *tls.Config) (*tls.Config, error) {
 	caCert, err := ioutil.ReadFile(caCerts)
 	if err != nil {
 		return nil, err
 	}
-	caCertPool := x509.NewCertPool()
-	caCertPool.AppendCertsFromPEM(caCert)

-	return &tls.Config{
-		RootCAs: caCertPool,
-	}, nil
+	out := new(tls.Config)
+	if tlsConfig != nil {
+		out = tlsConfig.Clone()
+	}
+
+	out.RootCAs = x509.NewCertPool()
+	out.RootCAs.AppendCertsFromPEM(caCert)
+	return out, nil
 }
--- a/services/subscriber/service.go
+++ b/services/subscriber/service.go
@ -348,7 +348,7 @@ func (s *Service) newPointsWriter(u url.URL) (PointsWriter, error) {
 		if s.conf.InsecureSkipVerify {
 			s.Logger.Warn("'insecure-skip-verify' is true. This will skip all certificate verifications.")
 		}
-		return NewHTTPS(u.String(), time.Duration(s.conf.HTTPTimeout), s.conf.InsecureSkipVerify, s.conf.CaCerts)
+		return NewHTTPS(u.String(), time.Duration(s.conf.HTTPTimeout), s.conf.InsecureSkipVerify, s.conf.CaCerts, s.conf.TLS)
 	default:
 		return nil, fmt.Errorf("unknown destination scheme %s", u.Scheme)
 	}