From 29ae682a941fc738bea94151cb433bab2d2fefe8 Mon Sep 17 00:00:00 2001 From: beorn7 Date: Fri, 22 Jan 2021 20:31:33 +0100 Subject: [PATCH 1/2] Update dependencies Signed-off-by: beorn7 --- go.mod | 2 +- go.sum | 4 +- .../prometheus/exporter-toolkit/web/cache.go | 91 +++++++++++++++++++ .../exporter-toolkit/web/tls_config.go | 12 ++- .../prometheus/exporter-toolkit/web/users.go | 38 +++++++- vendor/modules.txt | 2 +- 6 files changed, 135 insertions(+), 14 deletions(-) create mode 100644 vendor/github.com/prometheus/exporter-toolkit/web/cache.go diff --git a/go.mod b/go.mod index 5396e5a4..3baf49a9 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/prometheus/client_golang v1.9.0 github.com/prometheus/client_model v0.2.0 github.com/prometheus/common v0.15.0 - github.com/prometheus/exporter-toolkit v0.5.0 + github.com/prometheus/exporter-toolkit v0.5.1 github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749 // indirect github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546 github.com/stretchr/testify v1.6.1 // indirect diff --git a/go.sum b/go.sum index 4c25b606..febda61c 100644 --- a/go.sum +++ b/go.sum 
@@ -280,8 +280,8 @@ github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt2 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.15.0 h1:4fgOnadei3EZvgRwxJ7RMpG1k1pOZth5Pc13tyspaKM= github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= -github.com/prometheus/exporter-toolkit v0.5.0 h1:GwrxhCviqOl8Mm0vKqkh7Xy54m+FPlHEJacFs48M3gY= -github.com/prometheus/exporter-toolkit v0.5.0/go.mod h1:OCkM4805mmisBhLmVFw858QYi3v0wKdY6/UxrT0pZVg= +github.com/prometheus/exporter-toolkit v0.5.1 h1:9eqgis5er9xN613ZSADjypCJaDGj9ZlcWBvsIHa8/3c= +github.com/prometheus/exporter-toolkit v0.5.1/go.mod h1:OCkM4805mmisBhLmVFw858QYi3v0wKdY6/UxrT0pZVg= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2 h1:6LJUbpNm42llc4HRCuvApCSWB/WfhuNo9K98Q9sNGfs= diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/cache.go b/vendor/github.com/prometheus/exporter-toolkit/web/cache.go new file mode 100644 index 00000000..9425e7ac --- /dev/null +++ b/vendor/github.com/prometheus/exporter-toolkit/web/cache.go 
@@ -0,0 +1,91 @@
+// Copyright 2021 The Prometheus Authors
+// This code is partly borrowed from Caddy:
+// Copyright 2015 Matthew Holt and The Caddy Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package web
+
+import (
+ weakrand "math/rand"
+ "sync"
+ "time"
+)
+
+var cacheSize = 100
+
+func init() {
+ weakrand.Seed(time.Now().UnixNano())
+}
+
+type cache struct {
+ cache map[string]bool
+ mtx sync.Mutex
+}
+
+// newCache returns a cache that contains a mapping of plaintext passwords
+// to their hashes (with random eviction). This can greatly improve the
+// performance of traffic-heavy servers that use secure password hashing
+// algorithms, with the downside that plaintext passwords will be stored in
+// memory for a longer time (this should not be a problem as long as your
+// machine is not compromised, at which point all bets are off, since basicauth
+// necessitates plaintext passwords being received over the wire anyway).
+func newCache() *cache {
+ return &cache{
+ cache: make(map[string]bool),
+ }
+}
+
+func (c *cache) get(key string) (bool, bool) {
+ c.mtx.Lock()
+ defer c.mtx.Unlock()
+ v, ok := c.cache[key]
+ return v, ok
+}
+
+func (c *cache) set(key string, value bool) {
+ c.mtx.Lock()
+ defer c.mtx.Unlock()
+ c.makeRoom()
+ c.cache[key] = value
+}
+
+func (c *cache) makeRoom() {
+ if len(c.cache) < cacheSize {
+ return
+ }
+ // We delete more than just 1 entry so that we don't have
+ // to do this on every request; assuming the capacity of
+ // the cache is on a long tail, we can save a lot of CPU
+ // time by doing a whole bunch of deletions now and then
+ // we won't have to do them again for a while.
+ numToDelete := len(c.cache) / 10
+ if numToDelete < 1 {
+ numToDelete = 1
+ }
+ for deleted := 0; deleted <= numToDelete; deleted++ {
+ // Go maps are "nondeterministic" not actually random,
+ // so although we could just chop off the "front" of the
+ // map with less code, this is a heavily skewed eviction
+ // strategy; generating random numbers is cheap and
+ // ensures a much better distribution.
+ rnd := weakrand.Intn(len(c.cache))
+ i := 0
+ for key := range c.cache {
+ if i == rnd {
+ delete(c.cache, key)
+ break
+ }
+ i++
+ }
+ }
+}
diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go
index 2f244a51..06fb1548 100644
--- a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go
+++ b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go
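Review bot: The eviction loop in makeRoom runs one pass too many — `for deleted := 0; deleted <= numToDelete; deleted++` removes numToDelete+1 entries, so `deleted < numToDelete` is what the comment above it describes. The doc comment on newCache also misdescribes the structure: it holds no password-to-hash mapping but a caller-built string key to a bool, and the key built in users.go in this same patch embeds the hex-encoded plaintext password, so the credentials of every recent login stay in the heap with no TTL and no way to wipe them; I would state that plainly, e.g. `// Keys are chosen by the caller (in ServeHTTP they contain the hex-encoded plaintext password); entries never expire and are only removed by random eviction.`. Because failed comparisons are cached as well, an unauthenticated client can flush all cacheSize entries by sending that many distinct wrong passwords, so the cache offers no relief against a brute-force that keeps bcrypt busy — worth saying in the same comment rather than implying the cache is a defence.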
@@ -201,17 +201,19 @@ func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log if server.Handler != nil { handler = server.Handler } - server.Handler = &userAuthRoundtrip{ - tlsConfigPath: tlsConfigPath, - logger: logger, - handler: handler, - } c, err := getConfig(tlsConfigPath) if err != nil { return err } + server.Handler = &userAuthRoundtrip{ + tlsConfigPath: tlsConfigPath, + logger: logger, + handler: handler, + cache: newCache(), + } + config, err := ConfigToTLSConfig(&c.TLSConfig) switch err { case nil: diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/users.go b/vendor/github.com/prometheus/exporter-toolkit/web/users.go index 7b9cd6a2..8168dabf 100644 --- a/vendor/github.com/prometheus/exporter-toolkit/web/users.go +++ b/vendor/github.com/prometheus/exporter-toolkit/web/users.go @@ -1,4 +1,6 @@ // Copyright 2020 The Prometheus Authors +// This code is partly borrowed from Caddy: +// Copyright 2015 Matthew Holt and The Caddy Authors // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at @@ -14,7 +16,9 @@ package web import ( + "encoding/hex" "net/http" + "sync" "github.com/go-kit/kit/log" "golang.org/x/crypto/bcrypt" @@ -40,6 +44,10 @@ type userAuthRoundtrip struct { tlsConfigPath string handler http.Handler logger log.Logger + cache *cache + // bcryptMtx is there to ensure that bcrypt.CompareHashAndPassword is run + // only once in parallel as this is CPU intensive. + bcryptMtx sync.Mutex } func (u *userAuthRoundtrip) ServeHTTP(w http.ResponseWriter, r *http.Request) { 
@@ -57,11 +65,31 @@ func (u *userAuthRoundtrip) ServeHTTP(w http.ResponseWriter, r *http.Request) { user, pass, auth := r.BasicAuth() if auth { - if hashedPassword, ok := c.Users[user]; ok { - if err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass)); err == nil { - u.handler.ServeHTTP(w, r) - return - } + hashedPassword, validUser := c.Users[user] + + if !validUser { + // The user is not found. Use a fixed password hash to + // prevent user enumeration by timing requests. + // This is a bcrypt-hashed version of "fakepassword". + hashedPassword = "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi" + } + + cacheKey := hex.EncodeToString(append(append([]byte(user), []byte(hashedPassword)...), []byte(pass)...)) + authOk, ok := u.cache.get(cacheKey) + + if !ok { + // This user, hashedPassword, password is not cached. + u.bcryptMtx.Lock() + err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass)) + u.bcryptMtx.Unlock() + + authOk = err == nil + u.cache.set(cacheKey, authOk) + } + + if authOk && validUser { + u.handler.ServeHTTP(w, r) + return } } diff --git a/vendor/modules.txt b/vendor/modules.txt index 5aa16f6e..40de457e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -45,7 +45,7 @@ github.com/prometheus/common/promlog/flag github.com/prometheus/common/route github.com/prometheus/common/server github.com/prometheus/common/version -# github.com/prometheus/exporter-toolkit v0.5.0 +# github.com/prometheus/exporter-toolkit v0.5.1 github.com/prometheus/exporter-toolkit/web github.com/prometheus/exporter-toolkit/web/kingpinflag # github.com/prometheus/procfs v0.2.0 From 28a3962e5469a9d6383a4da6d25122239a1fbccf Mon Sep 17 00:00:00 2001 From: beorn7 Date: Fri, 22 Jan 2021 20:35:57 +0100 Subject: [PATCH 2/2] Cut v1.4.0 Signed-off-by: beorn7 --- CHANGELOG.md | 4 ++++ VERSION | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ad5166f0..d322d77b 100644 
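Review bot: The cache key `cacheKey := hex.EncodeToString(append(append([]byte(user), []byte(hashedPassword)...), []byte(pass)...))` joins three strings with no delimiter, two of them attacker-chosen, so the boundaries between user, hash and password are ambiguous; together with caching the fixed-hash result for unknown users, this lets anyone who knows a valid user's bcrypt hash (for example from a copy of the web config) log in as that user. Request one sends user `victim<victim-hash>X` (unknown, so the fake hash is compared) with password `fakepassword`, which succeeds and is stored as true; request two sends user `victim` with password `X<fake-hash>fakepassword`, whose key is byte-identical, hits the cache, and passes `authOk && validUser` without the victim's hash ever being checked. Make the key unambiguous by hex-encoding each component separately and joining with a separator hex cannot contain, and skip `u.cache.set` when `validUser` is false so fake-hash results never enter the cache; hashing the joined key with SHA-256 would additionally keep the plaintext password out of process memory (that needs a crypto/sha256 import). ServeHTTP begins before this hunk, where `c` is loaded.
```go
hashedPassword, validUser := c.Users[user]
// … unchanged: fixed-hash fallback for unknown users …

// Hex output cannot contain ':', so each field's boundary is unambiguous.
cacheKey := hex.EncodeToString([]byte(user)) + ":" +
	hex.EncodeToString([]byte(hashedPassword)) + ":" +
	hex.EncodeToString([]byte(pass))
authOk, ok := u.cache.get(cacheKey)

if !ok {
	// … unchanged: serialized bcrypt comparison …
	authOk = err == nil
	// Never cache a comparison against the fake hash.
	if validUser {
		u.cache.set(cacheKey, authOk)
	}
}
```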
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.4.0 / 2021-01-23 + +* [FEATURE] **Experimental!** Add TLS and basic authentication to HTTP endpoints. #381 + ## 1.3.1 / 2020-12-17 * [ENHANCEMENT] Web UI: Improved metrics text alignment. #369 diff --git a/VERSION b/VERSION index 3a3cd8cc..88c5fb89 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.3.1 +1.4.0