Zack Williamse940c7a2019-08-21 14:25:39 -07001/*
2Copyright 2015 The Kubernetes Authors.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/
16
17package transport
18
19import (
20 "context"
21 "crypto/tls"
22 "net"
23 "net/http"
24)
25
26// Config holds various options for establishing a transport.
type Config struct {
	// UserAgent is an optional field that specifies the caller of this
	// request.
	UserAgent string

	// The base TLS configuration for this transport.
	TLS TLSConfig

	// Username and password for basic authentication.
	// Password is a raw credential held in memory; avoid logging or
	// serializing this struct as a whole.
	Username string
	Password string

	// Bearer token for authentication. Like Password, this is a raw
	// credential and should not be logged.
	BearerToken string

	// Path to a file containing a BearerToken.
	// If set, the contents are periodically read.
	// The last successfully read value takes precedence over BearerToken.
	BearerTokenFile string

	// Impersonate is the config that this Config will impersonate using
	// (the identity is carried in the ImpersonationConfig fields).
	Impersonate ImpersonationConfig

	// Transport may be used for custom HTTP behavior. This attribute may
	// not be specified with the TLS client certificate options. Use
	// WrapTransport for most client level operations.
	Transport http.RoundTripper

	// WrapTransport will be invoked for custom HTTP behavior after the
	// underlying transport is initialized (either the transport created
	// from TLSClientConfig, Transport, or http.DefaultTransport). The
	// config may layer other RoundTrippers on top of the returned
	// RoundTripper.
	//
	// A future release will change this field to an array. Use config.Wrap()
	// instead of setting this value directly.
	WrapTransport WrapperFunc

	// Dial specifies the dial function for creating unencrypted TCP connections.
	// TLS, when configured, is layered on top of the connection this returns.
	Dial func(ctx context.Context, network, address string) (net.Conn, error)
}
68
69// ImpersonationConfig has all the available impersonation options
// ImpersonationConfig has all the available impersonation options.
// Each field mirrors one accessor of the server-side user.Info interface.
type ImpersonationConfig struct {
	// UserName matches user.Info.GetName()
	UserName string
	// Groups matches user.Info.GetGroups()
	Groups []string
	// Extra matches user.Info.GetExtra()
	Extra map[string][]string
}
78
79// HasCA returns whether the configuration has a certificate authority or not.
// HasCA returns whether the configuration has a certificate authority or not.
// Either inline CA bytes (CAData) or a CA file path (CAFile) counts; the
// Insecure flag is not consulted here.
func (c *Config) HasCA() bool {
	if len(c.TLS.CAData) > 0 {
		return true
	}
	return len(c.TLS.CAFile) > 0
}
83
84// HasBasicAuth returns whether the configuration has basic authentication or not.
// HasBasicAuth returns whether the configuration has basic authentication or not.
// Only Username is checked; an empty Password still counts as basic auth.
func (c *Config) HasBasicAuth() bool {
	return c.Username != ""
}
88
89// HasTokenAuth returns whether the configuration has token authentication or not.
// HasTokenAuth returns whether the configuration has token authentication or not.
// A literal BearerToken or a BearerTokenFile path both qualify; the file is
// not opened or validated here.
func (c *Config) HasTokenAuth() bool {
	if c.BearerToken != "" {
		return true
	}
	return c.BearerTokenFile != ""
}
93
94// HasCertAuth returns whether the configuration has certificate authentication or not.
// HasCertAuth returns whether the configuration has certificate authentication or not.
// Both a client certificate (CertData or CertFile) and a private key (KeyData
// or KeyFile) must be present; the GetCert callback is not considered here
// (see HasCertCallback).
func (c *Config) HasCertAuth() bool {
	hasCert := len(c.TLS.CertData) != 0 || c.TLS.CertFile != ""
	hasKey := len(c.TLS.KeyData) != 0 || c.TLS.KeyFile != ""
	return hasCert && hasKey
}
98
99// HasCertCallbacks returns whether the configuration has certificate callback or not.
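// HasCertCallback returns whether the configuration has a certificate callback or not.
// The doc comment previously named a non-existent HasCertCallbacks, which
// golint flags; it now matches the method name.
func (c *Config) HasCertCallback() bool {
	return c.TLS.GetCert != nil
}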
103
104// Wrap adds a transport middleware function that will give the caller
105// an opportunity to wrap the underlying http.RoundTripper prior to the
106// first API call being made. The provided function is invoked after any
107// existing transport wrappers are invoked.
// Wrap adds a transport middleware function that will give the caller
// an opportunity to wrap the underlying http.RoundTripper prior to the
// first API call being made. The provided function is invoked after any
// existing transport wrappers are invoked.
func (c *Config) Wrap(fn WrapperFunc) {
	// Compose the new wrapper after whatever is already installed so
	// ordering of previously added wrappers is preserved.
	combined := Wrappers(c.WrapTransport, fn)
	c.WrapTransport = combined
}
111
112// TLSConfig holds the information needed to set up a TLS transport.
// TLSConfig holds the information needed to set up a TLS transport.
// The *Data fields take precedence over the corresponding *File paths when
// both are set; GetCert is the lowest-priority source of a client certificate.
type TLSConfig struct {
	CAFile   string // Path of the PEM-encoded server trusted root certificates.
	CertFile string // Path of the PEM-encoded client certificate.
	KeyFile  string // Path of the PEM-encoded client key.

	Insecure   bool   // Server should be accessed without verifying the certificate. For testing only; this disables server identity checks.
	ServerName string // Override for the server name passed to the server for SNI and used to verify certificates.

	CAData   []byte // Bytes of the PEM-encoded server trusted root certificates. Supersedes CAFile.
	CertData []byte // Bytes of the PEM-encoded client certificate. Supersedes CertFile.
	KeyData  []byte // Bytes of the PEM-encoded client key. Supersedes KeyFile.

	GetCert func() (*tls.Certificate, error) // Callback that returns a TLS client certificate. CertData, CertFile, KeyData and KeyFile supersede this field.
}