clair/api/api.go

// Copyright 2015 clair authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package api

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"net"
	"net/http"
	"strconv"
	"time"

	"github.com/tylerb/graceful"

	"github.com/coreos/clair/api/context"
	"github.com/coreos/clair/config"
	"github.com/coreos/clair/utils"
	"github.com/coreos/pkg/capnslog"
)

const timeoutResponse = `{"Error":{"Message":"Clair failed to respond within the configured timeout window.","Type":"Timeout"}}`

var log = capnslog.NewPackageLogger("github.com/coreos/clair", "api")

func Run(config *config.APIConfig, ctx *context.RouteContext, st *utils.Stopper) {
	defer st.End()

	// Do not run the API service if there is no config.
	if config == nil {
		log.Infof("main API service is disabled.")
		return
	}
	log.Infof("starting main API on port %d.", config.Port)

	tlsConfig, err := tlsClientConfig(config.CAFile)
	if err != nil {
		log.Fatalf("could not initialize client cert authentication: %s\n", err)
	}
	if tlsConfig != nil {
		log.Info("main API configured with client certificate authentication")
	}

	srv := &graceful.Server{
		Timeout:          0,    // Already handled by our TimeOut middleware
		NoSignalHandling: true, // We want to use our own Stopper
		Server: &http.Server{
			Addr:      ":" + strconv.Itoa(config.Port),
			TLSConfig: tlsConfig,
			Handler:   http.TimeoutHandler(newAPIHandler(ctx), config.Timeout, timeoutResponse),
		},
	}

	listenAndServeWithStopper(srv, st, config.CertFile, config.KeyFile)

	log.Info("main API stopped")
}

func RunHealth(config *config.APIConfig, ctx *context.RouteContext, st *utils.Stopper) {
	defer st.End()

	// Do not run the API service if there is no config.
	if config == nil {
		log.Infof("health API service is disabled.")
		return
	}
	log.Infof("starting health API on port %d.", config.HealthPort)

	srv := &graceful.Server{
		Timeout:          10 * time.Second, // Interrupt health checks when stopping
		NoSignalHandling: true,             // We want to use our own Stopper
		Server: &http.Server{
			Addr:    ":" + strconv.Itoa(config.HealthPort),
			Handler: http.TimeoutHandler(newHealthHandler(ctx), config.Timeout, timeoutResponse),
		},
	}

	listenAndServeWithStopper(srv, st, "", "")

	log.Info("health API stopped")
}

// listenAndServeWithStopper wraps graceful.Server's
// ListenAndServe/ListenAndServeTLS and adds the ability to interrupt them with
// the provided utils.Stopper
func listenAndServeWithStopper(srv *graceful.Server, st *utils.Stopper, certFile, keyFile string) {
	go func() {
		<-st.Chan()
		srv.Stop(0)
	}()

	var err error
	if certFile != "" && keyFile != "" {
		log.Info("API: TLS Enabled")
		err = srv.ListenAndServeTLS(certFile, keyFile)
	} else {
		err = srv.ListenAndServe()
	}

	if err != nil {
		if opErr, ok := err.(*net.OpError); !ok || (ok && opErr.Op != "accept") {
			log.Fatal(err)
		}
	}
}

// tlsClientConfig initializes a *tls.Config using the given CA. The resulting
// *tls.Config is meant to be used to configure an HTTP server to do client
// certificate authentication.
//
// If no CA is given, a nil *tls.Config is returned; no client certificate will
// be required and verified. In other words, authentication will be disabled.
func tlsClientConfig(caPath string) (*tls.Config, error) {
	if caPath == "" {
		return nil, nil
	}

	caCert, err := ioutil.ReadFile(caPath)
	if err != nil {
		return nil, err
	}

	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)

	tlsConfig := &tls.Config{
		ClientCAs:  caCertPool,
		ClientAuth: tls.RequireAndVerifyClientCert,
	}

	return tlsConfig, nil
}
Initial commit 2015-11-13 19:11:28 +00:00			`// Copyright 2015 clair authors`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package api`

			`import (`
move LoadTLSClientConfigForServer into API package This isn't reused any where just yet, so we're best off leaving it local to the place that needs it. 2015-12-15 17:03:42 +00:00			`"crypto/tls"`
			`"crypto/x509"`
			`"io/ioutil"`
Initial commit 2015-11-13 19:11:28 +00:00			`"net"`
			`"net/http"`
			`"strconv"`
			`"time"`

			`"github.com/tylerb/graceful"`
api: Extracted client cert & HTTP JSON Render to utils. 2015-11-24 05:18:11 +00:00
api: add initial work on the new API 2016-01-27 19:07:58 +00:00			`"github.com/coreos/clair/api/context"`
main: Use configuration file instead of flags and simplify app extension. Clair will now use a YAML configuration file instead of command line arguments as the number of parameters grows. Also, Clair now exposes a Boot() func that allows everyone to easily create their own project and load dynamically their own fetchers/updaters. 2015-12-07 21:38:50 +00:00			`"github.com/coreos/clair/config"`
api: Extracted client cert & HTTP JSON Render to utils. 2015-11-24 05:18:11 +00:00			`"github.com/coreos/clair/utils"`
api: fix /v1 router and some status codes 2016-01-28 20:13:11 +00:00			`"github.com/coreos/pkg/capnslog"`
Initial commit 2015-11-13 19:11:28 +00:00			`)`

api: add initial work on the new API 2016-01-27 19:07:58 +00:00			const timeoutResponse = `{"Error":{"Message":"Clair failed to respond within the configured timeout window.","Type":"Timeout"}}`
Initial commit 2015-11-13 19:11:28 +00:00
api: fix /v1 router and some status codes 2016-01-28 20:13:11 +00:00			`var log = capnslog.NewPackageLogger("github.com/coreos/clair", "api")`

api: add initial work on the new API 2016-01-27 19:07:58 +00:00			`func Run(config config.APIConfig, ctx context.RouteContext, st *utils.Stopper) {`
main: Use configuration file instead of flags and simplify app extension. Clair will now use a YAML configuration file instead of command line arguments as the number of parameters grows. Also, Clair now exposes a Boot() func that allows everyone to easily create their own project and load dynamically their own fetchers/updaters. 2015-12-07 21:38:50 +00:00			`defer st.End()`

			`// Do not run the API service if there is no config.`
			`if config == nil {`
			`log.Infof("main API service is disabled.")`
			`return`
			`}`
			`log.Infof("starting main API on port %d.", config.Port)`
Initial commit 2015-11-13 19:11:28 +00:00
move LoadTLSClientConfigForServer into API package This isn't reused any where just yet, so we're best off leaving it local to the place that needs it. 2015-12-15 17:03:42 +00:00			`tlsConfig, err := tlsClientConfig(config.CAFile)`
api: Extracted client cert & HTTP JSON Render to utils. 2015-11-24 05:18:11 +00:00			`if err != nil {`
*: Fix `authentification` typo 2015-12-16 17:01:51 +00:00			`log.Fatalf("could not initialize client cert authentication: %s\n", err)`
api: Extracted client cert & HTTP JSON Render to utils. 2015-11-24 05:18:11 +00:00			`}`
			`if tlsConfig != nil {`
*: Fix `authentification` typo 2015-12-16 17:01:51 +00:00			`log.Info("main API configured with client certificate authentication")`
api: Extracted client cert & HTTP JSON Render to utils. 2015-11-24 05:18:11 +00:00			`}`

Initial commit 2015-11-13 19:11:28 +00:00			`srv := &graceful.Server{`
			`Timeout: 0, // Already handled by our TimeOut middleware`
			`NoSignalHandling: true, // We want to use our own Stopper`
			`Server: &http.Server{`
main: Use configuration file instead of flags and simplify app extension. Clair will now use a YAML configuration file instead of command line arguments as the number of parameters grows. Also, Clair now exposes a Boot() func that allows everyone to easily create their own project and load dynamically their own fetchers/updaters. 2015-12-07 21:38:50 +00:00			`Addr: ":" + strconv.Itoa(config.Port),`
api: Extracted client cert & HTTP JSON Render to utils. 2015-11-24 05:18:11 +00:00			`TLSConfig: tlsConfig,`
api: add initial work on the new API 2016-01-27 19:07:58 +00:00			`Handler: http.TimeoutHandler(newAPIHandler(ctx), config.Timeout, timeoutResponse),`
Initial commit 2015-11-13 19:11:28 +00:00			`},`
			`}`
api: add initial work on the new API 2016-01-27 19:07:58 +00:00
main: Use configuration file instead of flags and simplify app extension. Clair will now use a YAML configuration file instead of command line arguments as the number of parameters grows. Also, Clair now exposes a Boot() func that allows everyone to easily create their own project and load dynamically their own fetchers/updaters. 2015-12-07 21:38:50 +00:00			`listenAndServeWithStopper(srv, st, config.CertFile, config.KeyFile)`
api: add initial work on the new API 2016-01-27 19:07:58 +00:00
main: Use configuration file instead of flags and simplify app extension. Clair will now use a YAML configuration file instead of command line arguments as the number of parameters grows. Also, Clair now exposes a Boot() func that allows everyone to easily create their own project and load dynamically their own fetchers/updaters. 2015-12-07 21:38:50 +00:00			`log.Info("main API stopped")`
Initial commit 2015-11-13 19:11:28 +00:00			`}`

api: add initial work on the new API 2016-01-27 19:07:58 +00:00			`func RunHealth(config config.APIConfig, ctx context.RouteContext, st *utils.Stopper) {`
api: fix graceful stop 2016-02-01 20:42:41 +00:00			`defer st.End()`

main: Use configuration file instead of flags and simplify app extension. Clair will now use a YAML configuration file instead of command line arguments as the number of parameters grows. Also, Clair now exposes a Boot() func that allows everyone to easily create their own project and load dynamically their own fetchers/updaters. 2015-12-07 21:38:50 +00:00			`// Do not run the API service if there is no config.`
			`if config == nil {`
			`log.Infof("health API service is disabled.")`
			`return`
			`}`
			`log.Infof("starting health API on port %d.", config.HealthPort)`
Initial commit 2015-11-13 19:11:28 +00:00
			`srv := &graceful.Server{`
			`Timeout: 10 * time.Second, // Interrupt health checks when stopping`
			`NoSignalHandling: true, // We want to use our own Stopper`
			`Server: &http.Server{`
main: Use configuration file instead of flags and simplify app extension. Clair will now use a YAML configuration file instead of command line arguments as the number of parameters grows. Also, Clair now exposes a Boot() func that allows everyone to easily create their own project and load dynamically their own fetchers/updaters. 2015-12-07 21:38:50 +00:00			`Addr: ":" + strconv.Itoa(config.HealthPort),`
api: add initial work on the new API 2016-01-27 19:07:58 +00:00			`Handler: http.TimeoutHandler(newHealthHandler(ctx), config.Timeout, timeoutResponse),`
Initial commit 2015-11-13 19:11:28 +00:00			`},`
			`}`
api: add initial work on the new API 2016-01-27 19:07:58 +00:00
Initial commit 2015-11-13 19:11:28 +00:00			`listenAndServeWithStopper(srv, st, "", "")`
api: add initial work on the new API 2016-01-27 19:07:58 +00:00
main: Use configuration file instead of flags and simplify app extension. Clair will now use a YAML configuration file instead of command line arguments as the number of parameters grows. Also, Clair now exposes a Boot() func that allows everyone to easily create their own project and load dynamically their own fetchers/updaters. 2015-12-07 21:38:50 +00:00			`log.Info("health API stopped")`
Initial commit 2015-11-13 19:11:28 +00:00			`}`

			`// listenAndServeWithStopper wraps graceful.Server's`
			`// ListenAndServe/ListenAndServeTLS and adds the ability to interrupt them with`
			`// the provided utils.Stopper`
			`func listenAndServeWithStopper(srv graceful.Server, st utils.Stopper, certFile, keyFile string) {`
			`go func() {`
			`<-st.Chan()`
			`srv.Stop(0)`
			`}()`

			`var err error`
			`if certFile != "" && keyFile != "" {`
			`log.Info("API: TLS Enabled")`
			`err = srv.ListenAndServeTLS(certFile, keyFile)`
			`} else {`
			`err = srv.ListenAndServe()`
			`}`

api: fix log message when stopping the API server 2016-02-01 23:51:13 +00:00			`if err != nil {`
			`if opErr, ok := err.(*net.OpError); !ok \|\| (ok && opErr.Op != "accept") {`
			`log.Fatal(err)`
			`}`
Initial commit 2015-11-13 19:11:28 +00:00			`}`
			`}`
move LoadTLSClientConfigForServer into API package This isn't reused any where just yet, so we're best off leaving it local to the place that needs it. 2015-12-15 17:03:42 +00:00
			`// tlsClientConfig initializes a *tls.Config using the given CA. The resulting`
			`// *tls.Config is meant to be used to configure an HTTP server to do client`
			`// certificate authentication.`
			`//`
			`// If no CA is given, a nil *tls.Config is returned; no client certificate will`
*: Fix `authentification` typo 2015-12-16 17:01:51 +00:00			`// be required and verified. In other words, authentication will be disabled.`
move LoadTLSClientConfigForServer into API package This isn't reused any where just yet, so we're best off leaving it local to the place that needs it. 2015-12-15 17:03:42 +00:00			`func tlsClientConfig(caPath string) (*tls.Config, error) {`
			`if caPath == "" {`
			`return nil, nil`
			`}`

			`caCert, err := ioutil.ReadFile(caPath)`
			`if err != nil {`
			`return nil, err`
			`}`

			`caCertPool := x509.NewCertPool()`
			`caCertPool.AppendCertsFromPEM(caCert)`

			`tlsConfig := &tls.Config{`
			`ClientCAs: caCertPool,`
			`ClientAuth: tls.RequireAndVerifyClientCert,`
			`}`

			`return tlsConfig, nil`
			`}`