/*
Copyright 2015 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
16
17package transport
18
19import (
20 "context"
21 "crypto/tls"
22 "net"
23 "net/http"
24)
25
// Config holds the options used to establish an HTTP transport: client
// identity (basic auth, bearer token, client certificate), impersonation,
// TLS settings, and hooks for customising the underlying RoundTripper.
// The Has* methods on *Config report which of these options are populated.
type Config struct {
	// UserAgent is an optional field that specifies the caller of this
	// request.
	UserAgent string

	// TLS is the base TLS configuration for this transport (trust roots,
	// client certificate material, server-name override, and the Insecure
	// switch). See TLSConfig.
	TLS TLSConfig

	// Username and Password are the credentials for HTTP basic
	// authentication. Password is secret material and must not be logged.
	Username string
	Password string

	// BearerToken is the token presented for bearer-token authentication.
	// It is secret material and must not be logged.
	BearerToken string

	// Impersonate is the config that this Config will impersonate using.
	// Impersonation lets the caller act as another user/group; the
	// credentials above are still the identity that is authenticated.
	Impersonate ImpersonationConfig

	// Transport may be used for custom HTTP behavior. This attribute may
	// not be specified with the TLS client certificate options. Use
	// WrapTransport for most client level operations.
	Transport http.RoundTripper

	// WrapTransport will be invoked for custom HTTP behavior after the
	// underlying transport is initialized (either the transport created
	// from TLSClientConfig, Transport, or http.DefaultTransport). The
	// config may layer other RoundTrippers on top of the returned
	// RoundTripper.
	WrapTransport func(rt http.RoundTripper) http.RoundTripper

	// Dial specifies the dial function for creating unencrypted TCP
	// connections. When nil, the transport's default dialer is presumably
	// used — confirm against the transport wiring, which is not in this file.
	Dial func(ctx context.Context, network, address string) (net.Conn, error)
}
60
// ImpersonationConfig has all the available impersonation options: the
// user name, group list and extra attributes the request should be
// evaluated as. How these are conveyed to the server (presumably request
// headers) is handled elsewhere, not in this file.
type ImpersonationConfig struct {
	// UserName matches user.Info.GetName()
	UserName string
	// Groups matches user.Info.GetGroups()
	Groups []string
	// Extra matches user.Info.GetExtra()
	Extra map[string][]string
}
70
// HasCA reports whether the configuration carries trusted root
// certificates, supplied either inline (TLS.CAData) or as a file path
// (TLS.CAFile). It does not validate the contents of either.
func (c *Config) HasCA() bool {
	if len(c.TLS.CAData) != 0 {
		return true
	}
	return c.TLS.CAFile != ""
}
75
// HasBasicAuth reports whether basic-auth credentials are configured.
// Only Username is consulted; an empty Password with a non-empty
// Username still counts as basic auth.
func (c *Config) HasBasicAuth() bool {
	return c.Username != ""
}
80
// HasTokenAuth reports whether a bearer token is configured. The token's
// format is not inspected here.
func (c *Config) HasTokenAuth() bool {
	return c.BearerToken != ""
}
85
// HasCertAuth reports whether the configuration carries a client
// certificate and a private key, each supplied either inline (CertData /
// KeyData) or as a file path (CertFile / KeyFile). Both halves are
// required; a certificate without a key (or vice versa) is not cert auth.
func (c *Config) HasCertAuth() bool {
	haveCert := len(c.TLS.CertData) > 0 || len(c.TLS.CertFile) > 0
	haveKey := len(c.TLS.KeyData) > 0 || len(c.TLS.KeyFile) > 0
	return haveCert && haveKey
}
90
// HasCertCallback reports whether a GetCert callback is configured to
// supply the TLS client certificate dynamically.
func (c *Config) HasCertCallback() bool {
	if c.TLS.GetCert == nil {
		return false
	}
	return true
}
95
// TLSConfig holds the information needed to set up a TLS transport:
// trust roots for verifying the server, client certificate material for
// authenticating to it, and a few verification switches. Inline *Data
// fields take precedence over the corresponding *File paths.
type TLSConfig struct {
	CAFile   string // Path of the PEM-encoded server trusted root certificates.
	CertFile string // Path of the PEM-encoded client certificate.
	KeyFile  string // Path of the PEM-encoded client key.

	// Insecure disables verification of the server certificate. For testing
	// only: a connection made this way does not authenticate the server, so
	// it must never be set in production configuration.
	Insecure bool
	// ServerName overrides the server name passed to the server for SNI and
	// used to verify the certificate. Setting it to the wrong host makes
	// verification accept a certificate issued for a different name.
	ServerName string

	CAData   []byte // Bytes of the PEM-encoded server trusted root certificates. Supersedes CAFile.
	CertData []byte // Bytes of the PEM-encoded client certificate. Supersedes CertFile.
	KeyData  []byte // Bytes of the PEM-encoded client key (secret material). Supersedes KeyFile.

	// GetCert is a callback that returns a TLS client certificate. CertData,
	// CertFile, KeyData and KeyFile supersede this field.
	GetCert func() (*tls.Certificate, error)
}
110}