allow requests with self signed certs

MauveSoftware · Oct 22, 2021 · a9bb3ff · a9bb3ff
1 parent 7661d0d
commit a9bb3ff
Show file tree

Hide file tree

Showing 7 changed files with 86 additions and 47 deletions.
diff --git a/cmd/http-check-server/main.go b/cmd/http-check-server/main.go
@@ -24,7 +24,8 @@ const (
 var (
 	showVersion = kingpin.Flag("version", "Show version info").Bool()
 	workerCount = kingpin.Flag("worker-count", "Number of workers processing http checks in parallel").Default("25").Uint32()
-	timeout     = kingpin.Flag("timeout", "Timeout after a connection attempt will be cancelled").Default("10s").Duration()
+	timeout     = kingpin.Flag("timeout", "Request timeout").Default("10s").Duration()
+	tlsTimeout  = kingpin.Flag("tls-timeout", "TLS connect timeout").Default("1s").Duration()
 	socketPath  = kingpin.Flag("socket-path", "Socket to create to listen for check requests").Default("/tmp/http-check.sock").String()
 )
 
@@ -44,7 +45,7 @@ func main() {
 
 	srv := grpc.NewServer()
 	logrus.Infof("Starting %d workers", *workerCount)
-	s := server.New(*workerCount, server.WithTimeout(*timeout))
+	s := server.New(*workerCount, *timeout, *tlsTimeout)
 	pb.RegisterHttpCheckServiceServer(srv, s)
 
 	logrus.Infof("Listen for connections on socket %s", *socketPath)

diff --git a/cmd/http-check/main.go b/cmd/http-check/main.go
@@ -30,6 +30,7 @@ var (
 	expectedBodyRegex  = kingpin.Flag("expect-body-regex", "Expected regex matching string in response body").Short('r').String()
 	certExpireDays     = kingpin.Flag("cert-min-expire-days", "Minimum number of days until certificate expiration").Uint32()
 	socketPath         = kingpin.Flag("socket-path", "Socket to use to communicate with the server performing the check").Default("/tmp/http-check.sock").String()
+	insecure           = kingpin.Flag("insecure", "Allow invalid TLS certificaets (e.g. self signed)").Default("false").Bool()
 )
 
 func main() {
@@ -68,6 +69,7 @@ func runCheck() {
 		ExpectedBodyRegex:  *expectedBodyRegex,
 		CertExpireDays:     *certExpireDays,
 		Debug:              *verbose,
+		Insecure:           *insecure,
 	}
 	resp, err := c.Check(context.Background(), req)
 	if err != nil {

diff --git a/pb/service.pb.go b/pb/service.pb.go
diff --git a/pb/service.proto b/pb/service.proto
@@ -13,6 +13,7 @@ message Request {
     string expected_body_regex = 8;
     uint32 cert_expire_days = 9;
     bool debug = 10;
+    bool insecure = 11;
 }
 
 message Response {

diff --git a/pkg/check/check.go b/pkg/check/check.go
@@ -31,6 +31,12 @@ func WithDebug(w io.Writer) Option {
 	}
 }
 
+func WithInsecure() Option {
+	return func(c *Check) {
+		c.insecure = true
+	}
+}
+
 // Check executes a web request and validates the response against a set of defined assertions
 type Check struct {
 	client      *http.Client
@@ -39,6 +45,7 @@ type Check struct {
 	password    string
 	assertions  []assertion
 	debug       bool
+	insecure    bool
 	debugWriter io.Writer
 }
 

diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -2,6 +2,8 @@ package server
 
 import (
 	"context"
+	"crypto/tls"
+	"net"
 	"net/http"
 	"time"
 
@@ -10,32 +12,21 @@ import (
 
 // HTTPCheckServer runs HTTP checks. It provides an gRPC interface to receive check tasks
 type HTTPCheckServer struct {
-	cl          *http.Client
 	workerCount uint32
+	reqTimeout  time.Duration
+	tlsTimeout  time.Duration
 	ch          chan *task
 }
 
-// Option specifies options for the server
-type Option func(*HTTPCheckServer)
-
-// WithTimeout specifies the timeout for each HTTP request
-func WithTimeout(t time.Duration) Option {
-	return func(s *HTTPCheckServer) {
-		s.cl.Timeout = t
-	}
-}
-
 // New creates a new server instance
-func New(workerCount uint32, opts ...Option) *HTTPCheckServer {
+func New(workerCount uint32, reqTimeout, tlsTimeout time.Duration) *HTTPCheckServer {
 	s := &HTTPCheckServer{
-		cl:          &http.Client{},
 		workerCount: workerCount,
+		reqTimeout:  reqTimeout,
+		tlsTimeout:  tlsTimeout,
 		ch:          make(chan *task),
 	}
 
-	for _, opt := range opts {
-		opt(s)
-	}
 	s.startWorkers()
 
 	return s
@@ -44,14 +35,31 @@ func New(workerCount uint32, opts ...Option) *HTTPCheckServer {
 func (s *HTTPCheckServer) startWorkers() {
 	for i := 0; i < int(s.workerCount); i++ {
 		w := &worker{
-			id: i + 1,
-			cl: s.cl,
-			ch: s.ch,
+			id:         i + 1,
+			cl:         s.newHttpClient(false),
+			insecureCl: s.newHttpClient(true),
+			ch:         s.ch,
 		}
 		go w.run()
 	}
 }
 
+func (s *HTTPCheckServer) newHttpClient(insecure bool) *http.Client {
+	var tr = &http.Transport{
+		Dial: (&net.Dialer{
+			Timeout: s.reqTimeout,
+		}).Dial,
+		TLSHandshakeTimeout: s.tlsTimeout,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: insecure,
+		},
+	}
+
+	return &http.Client{
+		Transport: tr,
+	}
+}
+
 // Check performs a http check and returns the check result
 func (s *HTTPCheckServer) Check(ctx context.Context, in *pb.Request) (*pb.Response, error) {
 	respCh := make(chan *pb.Response, 1)

diff --git a/pkg/server/worker.go b/pkg/server/worker.go
@@ -18,9 +18,10 @@ type task struct {
 }
 
 type worker struct {
-	id int
-	cl *http.Client
-	ch chan *task
+	id         int
+	cl         *http.Client
+	insecureCl *http.Client
+	ch         chan *task
 }
 
 func (w *worker) run() {
@@ -64,8 +65,18 @@ func (w *worker) checkForRequest(req *pb.Request, out io.Writer) *check.Check {
 		opts = append(opts, check.WithDebug(out))
 	}
 
+	if req.Insecure {
+		opts = append(opts, check.WithInsecure())
+	}
+
 	url := fmt.Sprintf("%s://%s%s", req.Protocol, req.Host, req.Path)
-	c := check.NewCheck(w.cl, url, opts...)
+
+	cl := w.cl
+	if req.Insecure {
+		cl = w.insecureCl
+	}
+
+	c := check.NewCheck(cl, url, opts...)
 
 	if len(req.ExpectedStatusCode) > 0 {
 		c.AssertStatusCodeIn(req.ExpectedStatusCode)