// Copyright 2015 clair authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // Package http provides utility functions for HTTP servers and clients. package http import ( "crypto/tls" "crypto/x509" "encoding/json" "io" "io/ioutil" "net/http" "github.com/coreos/clair/database" cerrors "github.com/coreos/clair/utils/errors" "github.com/coreos/clair/worker" ) // MaxPostSize is the maximum number of bytes that ParseHTTPBody reads from an http.Request.Body. const MaxBodySize int64 = 1048576 // LoadTLSClientConfig initializes a *tls.Config using the given certificates and private key, that // can be used to communicate with a server using client certificate authentificate. // // If no certificates are given, a nil *tls.Config is returned. // The CA certificate is optionnal, the system defaults are used if not provided. func LoadTLSClientConfig(certFile, keyFile, caFile string) (*tls.Config, error) { if len(certFile) == 0 || len(keyFile) == 0 { return nil, nil } cert, err := tls.LoadX509KeyPair(certFile, keyFile) if err != nil { return nil, err } var caCertPool *x509.CertPool if len(caFile) > 0 { caCert, err := ioutil.ReadFile(caFile) if err != nil { return nil, err } caCertPool = x509.NewCertPool() caCertPool.AppendCertsFromPEM(caCert) } tlsConfig := &tls.Config{ Certificates: []tls.Certificate{cert}, RootCAs: caCertPool, } return tlsConfig, nil } // LoadTLSClientConfigForServer initializes a *tls.Config using the given CA, that can be used to // configure http server to do client certificate authentification. // // If no CA is given, a nil *tls.Config is returned: no client certificate will be required and // verified. In other words, authentification will be disabled. func LoadTLSClientConfigForServer(caFile string) (*tls.Config, error) { if len(caFile) == 0 { return nil, nil } caCert, err := ioutil.ReadFile(caFile) if err != nil { return nil, err } caCertPool := x509.NewCertPool() caCertPool.AppendCertsFromPEM(caCert) tlsConfig := &tls.Config{ ClientCAs: caCertPool, ClientAuth: tls.RequireAndVerifyClientCert, } return tlsConfig, nil } // WriteHTTP writes a JSON-encoded object to a http.ResponseWriter, as well as // a HTTP status code. func WriteHTTP(w http.ResponseWriter, httpStatus int, v interface{}) { w.WriteHeader(httpStatus) if v != nil { w.Header().Set("Content-Type", "application/json; charset=utf-8") result, _ := json.Marshal(v) w.Write(result) } } // WriteHTTPError writes an error, wrapped in the Message field of a JSON-encoded // object to a http.ResponseWriter, as well as a HTTP status code. // If the status code is 0, handleError tries to guess the proper HTTP status // code from the error type. func WriteHTTPError(w http.ResponseWriter, httpStatus int, err error) { if httpStatus == 0 { httpStatus = http.StatusInternalServerError // Try to guess the http status code from the error type if _, isBadRequestError := err.(*cerrors.ErrBadRequest); isBadRequestError { httpStatus = http.StatusBadRequest } else { switch err { case cerrors.ErrNotFound: httpStatus = http.StatusNotFound case database.ErrTransaction, database.ErrBackendException: httpStatus = http.StatusServiceUnavailable case worker.ErrParentUnknown, worker.ErrUnsupported: httpStatus = http.StatusBadRequest } } } WriteHTTP(w, httpStatus, struct{ Message string }{Message: err.Error()}) } // ParseHTTPBody reads a JSON-encoded body from a http.Request and unmarshals it // into the provided object. func ParseHTTPBody(r *http.Request, v interface{}) (int, error) { defer r.Body.Close() err := json.NewDecoder(io.LimitReader(r.Body, MaxBodySize)).Decode(v) if err != nil { return http.StatusUnsupportedMediaType, err } return 0, nil }