327 lines
10 KiB
Go
327 lines
10 KiB
Go
// Copyright 2015 Google LLC.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// Package http supports network connections to HTTP servers.
|
|
// This package is not intended for use by end developers. Use the
|
|
// google.golang.org/api/option package to configure API clients.
|
|
package http
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"errors"
|
|
"net"
|
|
"net/http"
|
|
"net/url"
|
|
"os"
|
|
"strings"
|
|
"time"
|
|
|
|
"go.opencensus.io/plugin/ochttp"
|
|
"golang.org/x/oauth2"
|
|
"google.golang.org/api/googleapi/transport"
|
|
"google.golang.org/api/internal"
|
|
"google.golang.org/api/option"
|
|
"google.golang.org/api/transport/cert"
|
|
"google.golang.org/api/transport/http/internal/propagation"
|
|
)
|
|
|
|
const (
|
|
mTLSModeAlways = "always"
|
|
mTLSModeNever = "never"
|
|
mTLSModeAuto = "auto"
|
|
)
|
|
|
|
// NewClient returns an HTTP client for use communicating with a Google cloud
|
|
// service, configured with the given ClientOptions. It also returns the endpoint
|
|
// for the service as specified in the options.
|
|
func NewClient(ctx context.Context, opts ...option.ClientOption) (*http.Client, string, error) {
|
|
settings, err := newSettings(opts)
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
clientCertSource, err := getClientCertificateSource(settings)
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
endpoint, err := getEndpoint(settings, clientCertSource)
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
// TODO(cbro): consider injecting the User-Agent even if an explicit HTTP client is provided?
|
|
if settings.HTTPClient != nil {
|
|
return settings.HTTPClient, endpoint, nil
|
|
}
|
|
trans, err := newTransport(ctx, defaultBaseTransport(ctx, clientCertSource), settings)
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
return &http.Client{Transport: trans}, endpoint, nil
|
|
}
|
|
|
|
// NewTransport creates an http.RoundTripper for use communicating with a Google
|
|
// cloud service, configured with the given ClientOptions. Its RoundTrip method delegates to base.
|
|
func NewTransport(ctx context.Context, base http.RoundTripper, opts ...option.ClientOption) (http.RoundTripper, error) {
|
|
settings, err := newSettings(opts)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if settings.HTTPClient != nil {
|
|
return nil, errors.New("transport/http: WithHTTPClient passed to NewTransport")
|
|
}
|
|
return newTransport(ctx, base, settings)
|
|
}
|
|
|
|
func newTransport(ctx context.Context, base http.RoundTripper, settings *internal.DialSettings) (http.RoundTripper, error) {
|
|
paramTransport := ¶meterTransport{
|
|
base: base,
|
|
userAgent: settings.UserAgent,
|
|
quotaProject: settings.QuotaProject,
|
|
requestReason: settings.RequestReason,
|
|
}
|
|
var trans http.RoundTripper = paramTransport
|
|
trans = addOCTransport(trans, settings)
|
|
switch {
|
|
case settings.NoAuth:
|
|
// Do nothing.
|
|
case settings.APIKey != "":
|
|
trans = &transport.APIKey{
|
|
Transport: trans,
|
|
Key: settings.APIKey,
|
|
}
|
|
default:
|
|
creds, err := internal.Creds(ctx, settings)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if paramTransport.quotaProject == "" {
|
|
paramTransport.quotaProject = internal.QuotaProjectFromCreds(creds)
|
|
}
|
|
|
|
ts := creds.TokenSource
|
|
if settings.TokenSource != nil {
|
|
ts = settings.TokenSource
|
|
}
|
|
trans = &oauth2.Transport{
|
|
Base: trans,
|
|
Source: ts,
|
|
}
|
|
}
|
|
return trans, nil
|
|
}
|
|
|
|
func newSettings(opts []option.ClientOption) (*internal.DialSettings, error) {
|
|
var o internal.DialSettings
|
|
for _, opt := range opts {
|
|
opt.Apply(&o)
|
|
}
|
|
if err := o.Validate(); err != nil {
|
|
return nil, err
|
|
}
|
|
if o.GRPCConn != nil {
|
|
return nil, errors.New("unsupported gRPC connection specified")
|
|
}
|
|
return &o, nil
|
|
}
|
|
|
|
type parameterTransport struct {
|
|
userAgent string
|
|
quotaProject string
|
|
requestReason string
|
|
|
|
base http.RoundTripper
|
|
}
|
|
|
|
func (t *parameterTransport) RoundTrip(req *http.Request) (*http.Response, error) {
|
|
rt := t.base
|
|
if rt == nil {
|
|
return nil, errors.New("transport: no Transport specified")
|
|
}
|
|
newReq := *req
|
|
newReq.Header = make(http.Header)
|
|
for k, vv := range req.Header {
|
|
newReq.Header[k] = vv
|
|
}
|
|
if t.userAgent != "" {
|
|
// TODO(cbro): append to existing User-Agent header?
|
|
newReq.Header.Set("User-Agent", t.userAgent)
|
|
}
|
|
|
|
// Attach system parameters into the header
|
|
if t.quotaProject != "" {
|
|
newReq.Header.Set("X-Goog-User-Project", t.quotaProject)
|
|
}
|
|
if t.requestReason != "" {
|
|
newReq.Header.Set("X-Goog-Request-Reason", t.requestReason)
|
|
}
|
|
|
|
return rt.RoundTrip(&newReq)
|
|
}
|
|
|
|
// Set at init time by dial_appengine.go. If nil, we're not on App Engine.
|
|
var appengineUrlfetchHook func(context.Context) http.RoundTripper
|
|
|
|
// defaultBaseTransport returns the base HTTP transport.
|
|
// On App Engine, this is urlfetch.Transport.
|
|
// Otherwise, use a default transport, taking most defaults from
|
|
// http.DefaultTransport.
|
|
// If TLSCertificate is available, set TLSClientConfig as well.
|
|
func defaultBaseTransport(ctx context.Context, clientCertSource cert.Source) http.RoundTripper {
|
|
if appengineUrlfetchHook != nil {
|
|
return appengineUrlfetchHook(ctx)
|
|
}
|
|
|
|
// Copy http.DefaultTransport except for MaxIdleConnsPerHost setting,
|
|
// which is increased due to reported performance issues under load in the GCS
|
|
// client. Transport.Clone is only available in Go 1.13 and up.
|
|
trans := clonedTransport(http.DefaultTransport)
|
|
if trans == nil {
|
|
trans = fallbackBaseTransport()
|
|
}
|
|
trans.MaxIdleConnsPerHost = 100
|
|
|
|
if clientCertSource != nil {
|
|
trans.TLSClientConfig = &tls.Config{
|
|
GetClientCertificate: clientCertSource,
|
|
}
|
|
}
|
|
|
|
return trans
|
|
}
|
|
|
|
// fallbackBaseTransport is used in <go1.13 as well as in the rare case if
|
|
// http.DefaultTransport has been reassigned something that's not a
|
|
// *http.Transport.
|
|
func fallbackBaseTransport() *http.Transport {
|
|
return &http.Transport{
|
|
Proxy: http.ProxyFromEnvironment,
|
|
DialContext: (&net.Dialer{
|
|
Timeout: 30 * time.Second,
|
|
KeepAlive: 30 * time.Second,
|
|
DualStack: true,
|
|
}).DialContext,
|
|
MaxIdleConns: 100,
|
|
MaxIdleConnsPerHost: 100,
|
|
IdleConnTimeout: 90 * time.Second,
|
|
TLSHandshakeTimeout: 10 * time.Second,
|
|
ExpectContinueTimeout: 1 * time.Second,
|
|
}
|
|
}
|
|
|
|
func addOCTransport(trans http.RoundTripper, settings *internal.DialSettings) http.RoundTripper {
|
|
if settings.TelemetryDisabled {
|
|
return trans
|
|
}
|
|
return &ochttp.Transport{
|
|
Base: trans,
|
|
Propagation: &propagation.HTTPFormat{},
|
|
}
|
|
}
|
|
|
|
// getClientCertificateSource returns a default client certificate source, if
|
|
// not provided by the user.
|
|
//
|
|
// A nil default source can be returned if the source does not exist. Any exceptions
|
|
// encountered while initializing the default source will be reported as client
|
|
// error (ex. corrupt metadata file).
|
|
//
|
|
// The overall logic is as follows:
|
|
// 1. If both endpoint override and client certificate are specified, use them as is.
|
|
// 2. If user does not specify client certificate, we will attempt to use default
|
|
// client certificate.
|
|
// 3. If user does not specify endpoint override, we will use defaultMtlsEndpoint if
|
|
// client certificate is available and defaultEndpoint otherwise.
|
|
//
|
|
// Implications of the above logic:
|
|
// 1. If the user specifies a non-mTLS endpoint override but client certificate is
|
|
// available, we will pass along the cert anyway and let the server decide what to do.
|
|
// 2. If the user specifies an mTLS endpoint override but client certificate is not
|
|
// available, we will not fail-fast, but let backend throw error when connecting.
|
|
//
|
|
// We would like to avoid introducing client-side logic that parses whether the
|
|
// endpoint override is an mTLS url, since the url pattern may change at anytime.
|
|
func getClientCertificateSource(settings *internal.DialSettings) (cert.Source, error) {
|
|
if settings.HTTPClient != nil {
|
|
return nil, nil // HTTPClient is incompatible with ClientCertificateSource
|
|
} else if settings.ClientCertSource != nil {
|
|
return settings.ClientCertSource, nil
|
|
} else {
|
|
return cert.DefaultSource()
|
|
}
|
|
|
|
}
|
|
|
|
// getEndpoint returns the endpoint for the service, taking into account the
|
|
// user-provided endpoint override "settings.Endpoint"
|
|
//
|
|
// If no endpoint override is specified, we will either return the default endpoint or
|
|
// the default mTLS endpoint if a client certificate is available.
|
|
//
|
|
// You can override the default endpoint (mtls vs. regular) by setting the
|
|
// GOOGLE_API_USE_MTLS environment variable.
|
|
//
|
|
// If the endpoint override is an address (host:port) rather than full base
|
|
// URL (ex. https://...), then the user-provided address will be merged into
|
|
// the default endpoint. For example, WithEndpoint("myhost:8000") and
|
|
// WithDefaultEndpoint("https://foo.com/bar/baz") will return "https://myhost:8080/bar/baz"
|
|
func getEndpoint(settings *internal.DialSettings, clientCertSource cert.Source) (string, error) {
|
|
if settings.Endpoint == "" {
|
|
mtlsMode := getMTLSMode()
|
|
if mtlsMode == mTLSModeAlways || (clientCertSource != nil && mtlsMode == mTLSModeAuto) {
|
|
return generateDefaultMtlsEndpoint(settings.DefaultEndpoint), nil
|
|
}
|
|
return settings.DefaultEndpoint, nil
|
|
}
|
|
if strings.Contains(settings.Endpoint, "://") {
|
|
// User passed in a full URL path, use it verbatim.
|
|
return settings.Endpoint, nil
|
|
}
|
|
if settings.DefaultEndpoint == "" {
|
|
return "", errors.New("WithEndpoint requires a full URL path")
|
|
}
|
|
|
|
// Assume user-provided endpoint is host[:port], merge it with the default endpoint.
|
|
return mergeEndpoints(settings.DefaultEndpoint, settings.Endpoint)
|
|
}
|
|
|
|
func getMTLSMode() string {
|
|
mode := os.Getenv("GOOGLE_API_USE_MTLS")
|
|
if mode == "" {
|
|
// TODO(shinfan): Update this to "auto" when the mTLS feature is fully released.
|
|
return mTLSModeNever
|
|
}
|
|
return strings.ToLower(mode)
|
|
}
|
|
|
|
func mergeEndpoints(base, newHost string) (string, error) {
|
|
u, err := url.Parse(base)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
u.Host = newHost
|
|
return u.String(), nil
|
|
}
|
|
|
|
// generateDefaultMtlsEndpoint attempts to derive the mTLS version of the
|
|
// defaultEndpoint via regex, and returns defaultEndpoint if unsuccessful.
|
|
//
|
|
// We need to applying the following 2 transformations:
|
|
// 1. pubsub.googleapis.com to pubsub.mtls.googleapis.com
|
|
// 2. pubsub.sandbox.googleapis.com to pubsub.mtls.sandbox.googleapis.com
|
|
//
|
|
// TODO(andyzhao): In the future, the mTLS endpoint will be read from the Discovery Document
|
|
// and passed in as defaultMtlsEndpoint instead of generated from defaultEndpoint,
|
|
// and this function will be removed.
|
|
func generateDefaultMtlsEndpoint(defaultEndpoint string) string {
|
|
var domains = []string{
|
|
".sandbox.googleapis.com", // must come first because .googleapis.com is a substring
|
|
".googleapis.com",
|
|
}
|
|
for _, domain := range domains {
|
|
if strings.Contains(defaultEndpoint, domain) {
|
|
return strings.Replace(defaultEndpoint, domain, ".mtls"+domain, -1)
|
|
}
|
|
}
|
|
return defaultEndpoint
|
|
}
|