grafana/pkg/models/datasource_cache.go

package models

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net"
	"net/http"
	"sync"
	"time"
)

type proxyTransportCache struct {
	cache map[int64]cachedTransport
	sync.Mutex
}

type cachedTransport struct {
	updated time.Time

	*http.Transport
}

var ptc = proxyTransportCache{
	cache: make(map[int64]cachedTransport),
}

func (ds *DataSource) GetHttpClient() (*http.Client, error) {
	transport, err := ds.GetHttpTransport()

	if err != nil {
		return nil, err
	}

	return &http.Client{
		Timeout:   time.Duration(30 * time.Second),
		Transport: transport,
	}, nil
}

func (ds *DataSource) GetHttpTransport() (*http.Transport, error) {
	ptc.Lock()
	defer ptc.Unlock()

	if t, present := ptc.cache[ds.Id]; present && ds.Updated.Equal(t.updated) {
		return t.Transport, nil
	}

	var tlsSkipVerify, tlsClientAuth, tlsAuthWithCACert bool
	if ds.JsonData != nil {
		tlsClientAuth = ds.JsonData.Get("tlsAuth").MustBool(false)
		tlsAuthWithCACert = ds.JsonData.Get("tlsAuthWithCACert").MustBool(false)
		tlsSkipVerify = ds.JsonData.Get("tlsSkipVerify").MustBool(false)
	}

	transport := &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: tlsSkipVerify,
			Renegotiation:      tls.RenegotiateFreelyAsClient,
		},
		Proxy: http.ProxyFromEnvironment,
		Dial: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
			DualStack: true,
		}).Dial,
		TLSHandshakeTimeout:   10 * time.Second,
		ExpectContinueTimeout: 1 * time.Second,
		MaxIdleConns:          100,
		IdleConnTimeout:       90 * time.Second,
	}

	if tlsClientAuth || tlsAuthWithCACert {
		decrypted := ds.SecureJsonData.Decrypt()
		if tlsAuthWithCACert && len(decrypted["tlsCACert"]) > 0 {
			caPool := x509.NewCertPool()
			ok := caPool.AppendCertsFromPEM([]byte(decrypted["tlsCACert"]))
			if !ok {
				return nil, errors.New("Failed to parse TLS CA PEM certificate")
			}
			transport.TLSClientConfig.RootCAs = caPool
		}

		if tlsClientAuth {
			cert, err := tls.X509KeyPair([]byte(decrypted["tlsClientCert"]), []byte(decrypted["tlsClientKey"]))
			if err != nil {
				return nil, err
			}
			transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
		}
	}

	ptc.cache[ds.Id] = cachedTransport{
		Transport: transport,
		updated:   ds.Updated,
	}

	return transport, nil
}
Use cache for http.client in tsdb package. (#6833) * datasource: move caching closer to datasource struct * tsdb: use cached version of datasource http transport closes #6825 2016-12-07 18:10:42 +08:00			`package models`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
Return error if datasource TLS CA not parsed 2017-09-28 21:55:32 +08:00			`"errors"`
Use cache for http.client in tsdb package. (#6833) * datasource: move caching closer to datasource struct * tsdb: use cached version of datasource http transport closes #6825 2016-12-07 18:10:42 +08:00			`"net"`
			`"net/http"`
			`"sync"`
			`"time"`
			`)`

			`type proxyTransportCache struct {`
			`cache map[int64]cachedTransport`
			`sync.Mutex`
			`}`

			`type cachedTransport struct {`
			`updated time.Time`

			`*http.Transport`
			`}`

			`var ptc = proxyTransportCache{`
			`cache: make(map[int64]cachedTransport),`
			`}`

			`func (ds DataSource) GetHttpClient() (http.Client, error) {`
			`transport, err := ds.GetHttpTransport()`

			`if err != nil {`
			`return nil, err`
			`}`

			`return &http.Client{`
			`Timeout: time.Duration(30 * time.Second),`
			`Transport: transport,`
			`}, nil`
			`}`

			`func (ds DataSource) GetHttpTransport() (http.Transport, error) {`
			`ptc.Lock()`
			`defer ptc.Unlock()`

			`if t, present := ptc.cache[ds.Id]; present && ds.Updated.Equal(t.updated) {`
			`return t.Transport, nil`
			`}`

Datasource HTTP settings: Add TLS skip verify In c04d95f35 I changed the default for datasource HTTP requests so that TLS is always verified. This commit adds a checkbox to allow an admin to explicitly skip TLS verification, for testing purposes. 2017-09-28 21:10:14 +08:00			`var tlsSkipVerify, tlsClientAuth, tlsAuthWithCACert bool`
			`if ds.JsonData != nil {`
Retain old name for TLS client auth I renamed `tlsAuth` to `tlsClientAuth` to better describe the fact that this variable is used to enable TLS client authentication (as opposed to server authentication) in c04d95f35. However, changing the name breaks backwards compatibility for existing installations using this feature and Grafana does not have a standardised way of migrating changes in the schema: https://github.com/grafana/grafana/pull/9377#issuecomment-333063543 For reasons of expediency given the severity of the bug (not verifying TLS), keep the old name. 2017-10-02 22:06:02 +08:00			`tlsClientAuth = ds.JsonData.Get("tlsAuth").MustBool(false)`
Datasource HTTP settings: Add TLS skip verify In c04d95f35 I changed the default for datasource HTTP requests so that TLS is always verified. This commit adds a checkbox to allow an admin to explicitly skip TLS verification, for testing purposes. 2017-09-28 21:10:14 +08:00			`tlsAuthWithCACert = ds.JsonData.Get("tlsAuthWithCACert").MustBool(false)`
			`tlsSkipVerify = ds.JsonData.Get("tlsSkipVerify").MustBool(false)`
			`}`

Use cache for http.client in tsdb package. (#6833) * datasource: move caching closer to datasource struct * tsdb: use cached version of datasource http transport closes #6825 2016-12-07 18:10:42 +08:00			`transport := &http.Transport{`
			`TLSClientConfig: &tls.Config{`
Datasource HTTP settings: Add TLS skip verify In c04d95f35 I changed the default for datasource HTTP requests so that TLS is always verified. This commit adds a checkbox to allow an admin to explicitly skip TLS verification, for testing purposes. 2017-09-28 21:10:14 +08:00			`InsecureSkipVerify: tlsSkipVerify,`
			`Renegotiation: tls.RenegotiateFreelyAsClient,`
Use cache for http.client in tsdb package. (#6833) * datasource: move caching closer to datasource struct * tsdb: use cached version of datasource http transport closes #6825 2016-12-07 18:10:42 +08:00			`},`
			`Proxy: http.ProxyFromEnvironment,`
			`Dial: (&net.Dialer{`
			`Timeout: 30 * time.Second,`
			`KeepAlive: 30 * time.Second,`
Enable dualstack in every net.Dialer, fixes #9364 Default transport enables it: * https://github.com/golang/go/blob/d2826d3e06/src/net/http/transport.go#L42-L46 ``` DialContext: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).DialContext, ``` See also: https://github.com/golang/go/issues/15324 2017-09-28 13:25:00 +08:00			`DualStack: true,`
Use cache for http.client in tsdb package. (#6833) * datasource: move caching closer to datasource struct * tsdb: use cached version of datasource http transport closes #6825 2016-12-07 18:10:42 +08:00			`}).Dial,`
			`TLSHandshakeTimeout: 10 * time.Second,`
			`ExpectContinueTimeout: 1 * time.Second,`
			`MaxIdleConns: 100,`
			`IdleConnTimeout: 90 * time.Second,`
			`}`

Verify datasource TLS and split client auth and CA 2017-09-28 18:04:01 +08:00			`if tlsClientAuth \|\| tlsAuthWithCACert {`
Use cache for http.client in tsdb package. (#6833) * datasource: move caching closer to datasource struct * tsdb: use cached version of datasource http transport closes #6825 2016-12-07 18:10:42 +08:00			`decrypted := ds.SecureJsonData.Decrypt()`
			`if tlsAuthWithCACert && len(decrypted["tlsCACert"]) > 0 {`
			`caPool := x509.NewCertPool()`
			`ok := caPool.AppendCertsFromPEM([]byte(decrypted["tlsCACert"]))`
Return error if datasource TLS CA not parsed 2017-09-28 21:55:32 +08:00			`if !ok {`
			`return nil, errors.New("Failed to parse TLS CA PEM certificate")`
Use cache for http.client in tsdb package. (#6833) * datasource: move caching closer to datasource struct * tsdb: use cached version of datasource http transport closes #6825 2016-12-07 18:10:42 +08:00			`}`
Return error if datasource TLS CA not parsed 2017-09-28 21:55:32 +08:00			`transport.TLSClientConfig.RootCAs = caPool`
Use cache for http.client in tsdb package. (#6833) * datasource: move caching closer to datasource struct * tsdb: use cached version of datasource http transport closes #6825 2016-12-07 18:10:42 +08:00			`}`

Verify datasource TLS and split client auth and CA 2017-09-28 18:04:01 +08:00			`if tlsClientAuth {`
			`cert, err := tls.X509KeyPair([]byte(decrypted["tlsClientCert"]), []byte(decrypted["tlsClientKey"]))`
			`if err != nil {`
			`return nil, err`
			`}`
			`transport.TLSClientConfig.Certificates = []tls.Certificate{cert}`
Use cache for http.client in tsdb package. (#6833) * datasource: move caching closer to datasource struct * tsdb: use cached version of datasource http transport closes #6825 2016-12-07 18:10:42 +08:00			`}`
			`}`

			`ptc.cache[ds.Id] = cachedTransport{`
			`Transport: transport,`
			`updated: ds.Updated,`
			`}`

			`return transport, nil`
			`}`