From 05af32b1915aabe8dde076c38320ff61e9ed4691 Mon Sep 17 00:00:00 2001 From: Robert Sullivan Date: Fri, 22 Feb 2019 15:18:36 -0700 Subject: [PATCH] Clean up TLS configuration in prometheus_client output plugin Signed-off-by: Jesse Weaver --- plugins/outputs/prometheus_client/.gitignore | 2 - .../prometheus_client/prometheus_client.go | 56 ++++--------------- .../prometheus_client_tls_test.go | 41 ++------------ .../scripts/generate_certs.sh | 17 ------ 4 files changed, 17 insertions(+), 99 deletions(-) delete mode 100644 plugins/outputs/prometheus_client/.gitignore delete mode 100755 plugins/outputs/prometheus_client/scripts/generate_certs.sh diff --git a/plugins/outputs/prometheus_client/.gitignore b/plugins/outputs/prometheus_client/.gitignore deleted file mode 100644 index 418f8fafd..000000000 --- a/plugins/outputs/prometheus_client/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -vendor -assets diff --git a/plugins/outputs/prometheus_client/prometheus_client.go b/plugins/outputs/prometheus_client/prometheus_client.go index c1365e44c..c2af6f655 100644 --- a/plugins/outputs/prometheus_client/prometheus_client.go +++ b/plugins/outputs/prometheus_client/prometheus_client.go @@ -3,10 +3,7 @@ package prometheus_client import ( "context" "crypto/subtle" - cryptotls "crypto/tls" - "crypto/x509" "fmt" - "io/ioutil" "log" "net" "net/http" @@ -69,7 +66,8 @@ type PrometheusClient struct { StringAsLabel bool `toml:"string_as_label"` ExportTimestamp bool `toml:"export_timestamp"` - tls.ClientConfig + tls.ServerConfig + server *http.Server sync.Mutex 
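Review bot: Swapping `tls.ClientConfig` for `tls.ServerConfig` in the `PrometheusClient` struct renames the plugin's user-facing TLS keys (the test in this same patch moves from `tls_ca = "…"` to `tls_allowed_cacerts = ["…"]`) and drops the `insecure_skip_verify` knob that the removed `buildMutualTLSConfig` used to downgrade client auth to `RequestClientCert`, but the diffstat shows the sample config in this file and the README are not updated. An existing configuration that still sets `tls_ca` would no longer enforce client certificates rather than fail to load, unless the config loader rejects unknown keys, which is not visible here. Suggest documenting `tls_allowed_cacerts`, `tls_cert` and `tls_key` in the plugin's sample config and adding a changelog/README note that `tls_ca` is replaced by `tls_allowed_cacerts` and `insecure_skip_verify` no longer applies to this output. The struct definition continues outside the hunk.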
@@ -193,24 +191,20 @@ func (p *PrometheusClient) Connect() error { mux.Handle(p.Path, p.auth(promhttp.HandlerFor( registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError}))) - if p.TLSCA != "" { - log.Printf("Starting Prometheus Output Plugin Server with Mutual TLS enabled.\n") - p.server = &http.Server{ - Addr: p.Listen, - Handler: mux, - TLSConfig: p.buildMutualTLSConfig(), - } - } else { - p.server = &http.Server{ - Addr: p.Listen, - Handler: mux, - } + tlsConfig, err := p.TLSConfig() + if err != nil { + return err + } + p.server = &http.Server{ + Addr: p.Listen, + Handler: mux, + TLSConfig: tlsConfig, } go func() { var err error if p.TLSCert != "" && p.TLSKey != "" { - err = p.server.ListenAndServeTLS(p.TLSCert, p.TLSKey) + err = p.server.ListenAndServeTLS("", "") } else { err = p.server.ListenAndServe() } @@ -223,34 +217,6 @@ func (p *PrometheusClient) Connect() error { return nil } -func (p *PrometheusClient) buildMutualTLSConfig() *cryptotls.Config { - certPool := x509.NewCertPool() - caCert, err := ioutil.ReadFile(p.TLSCA) - if err != nil { - log.Printf("failed to read client ca cert: %s", err.Error()) - panic(err) - } - ok := certPool.AppendCertsFromPEM(caCert) - if !ok { - log.Printf("failed to append client certs: %s", err.Error()) - panic(err) - } - - clientAuth := cryptotls.RequireAndVerifyClientCert - if p.InsecureSkipVerify { - clientAuth = cryptotls.RequestClientCert - } - - return &cryptotls.Config{ - ClientAuth: clientAuth, - ClientCAs: certPool, - MinVersion: cryptotls.VersionTLS12, - CipherSuites: []uint16{cryptotls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cryptotls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, - PreferServerCipherSuites: true, - InsecureSkipVerify: p.InsecureSkipVerify, - } -} - func (p *PrometheusClient) Close() error { ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) defer cancel() 
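Review bot: After `tlsConfig, err := p.TLSConfig()` the goroutine still serves TLS only when both `p.TLSCert` and `p.TLSKey` are set, so a configuration that supplies `tls_allowed_cacerts` without a certificate pair builds a `TLSConfig` that is never used and exposes the metrics endpoint over plain HTTP with no client-certificate check. Rejecting that combination in `Connect` is three lines after the error check: `if tlsConfig != nil && (p.TLSCert == "" || p.TLSKey == "") {` / `return fmt.Errorf("prometheus_client: tls_allowed_cacerts requires tls_cert and tls_key")` / `}` (this assumes the shared `TLSConfig()` returns nil when no TLS option is set, which is not visible in this diff). The removed `buildMutualTLSConfig` also pinned `MinVersion` to TLS 1.2 and a fixed cipher-suite list; unless `tls.ServerConfig.TLSConfig()` applies the same floor, this hunk quietly relaxes the server to Go's default, and that floor belongs in the shared helper so every plugin gets it rather than being re-added here. The startup `log.Printf` announcing mutual TLS was dropped as well, so operators lose the only log signal that client-certificate auth is active; a one-line `log.Printf` when `tlsConfig != nil` would preserve it. `Connect` begins before and its error handling continues past this hunk.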
diff --git a/plugins/outputs/prometheus_client/prometheus_client_tls_test.go b/plugins/outputs/prometheus_client/prometheus_client_tls_test.go index 485f9143b..4658fcdb4 100644 --- a/plugins/outputs/prometheus_client/prometheus_client_tls_test.go +++ b/plugins/outputs/prometheus_client/prometheus_client_tls_test.go @@ -2,28 +2,23 @@ package prometheus_client_test import ( "crypto/tls" - "crypto/x509" "fmt" "github.com/influxdata/telegraf/plugins/outputs/prometheus_client" "github.com/influxdata/telegraf/testutil" "github.com/influxdata/toml" . "github.com/onsi/gomega" - "io/ioutil" "net/http" - "os/exec" - "path/filepath" "testing" ) -var ca, _ = filepath.Abs("assets/telegrafCA.crt") -var cert, _ = filepath.Abs("assets/telegraf.crt") -var key, _ = filepath.Abs("assets/telegraf.key") +var pki = testutil.NewPKI("../../../testutil/pki") + var configWithTLS = fmt.Sprintf(` listen = "127.0.0.1:9090" - tls_ca = "%s" + tls_allowed_cacerts = ["%s"] tls_cert = "%s" tls_key = "%s" -`, ca, cert, key) +`, pki.TLSServerConfig().TLSAllowedCACerts[0], pki.TLSServerConfig().TLSCert, pki.TLSServerConfig().TLSKey) var configWithoutTLS = ` listen = "127.0.0.1:9090" @@ -37,14 +32,6 @@ type PrometheusClientTestContext struct { *GomegaWithT } -func init() { - path, _ := filepath.Abs("./scripts/generate_certs.sh") - _, err := exec.Command(path).CombinedOutput() - if err != nil { - panic(err) - } -} - func TestWorksWithoutTLS(t *testing.T) { tc := buildTestContext(t, []byte(configWithoutTLS)) err := tc.Output.Connect() @@ -114,7 +101,7 @@ func buildTestContext(t *testing.T, config []byte) *PrometheusClientTestContext httpClient *http.Client ) - if output.TLSCA != "" { + if len(output.TLSAllowedCACerts) != 0 { httpClient = buildClientWithTLS(output) } else { httpClient = buildClientWithoutTLS() 
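Review bot: In the `configWithTLS` initializer `pki.TLSServerConfig()` is evaluated three times, once per `%s` argument of the `fmt.Sprintf`; a single `srv := pki.TLSServerConfig()` followed by `srv.TLSAllowedCACerts[0], srv.TLSCert, srv.TLSKey` reads more clearly and avoids repeating whatever work the constructor does. The indexing of `TLSAllowedCACerts[0]` at package-init time will panic rather than report a useful failure if the fixture ever returns an empty list, so a short comment noting that the fixture is expected to provide at least one CA would help the next reader.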
@@ -133,26 +120,10 @@ func buildClientWithoutTLS() *http.Client { } func buildClientWithTLS(output *prometheus_client.PrometheusClient) *http.Client { - cert, err := tls.LoadX509KeyPair(output.TLSCert, output.TLSKey) + tlsConfig, err := pki.TLSClientConfig().TLSConfig() if err != nil { panic(err) } - - caCert, err := ioutil.ReadFile(output.TLSCA) - if err != nil { - panic(err) - } - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(caCert) - - tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{cert}, - RootCAs: caCertPool, - MinVersion: tls.VersionTLS12, - CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, - ServerName: "telegraf", - } - tlsConfig.BuildNameToCertificate() transport := &http.Transport{TLSClientConfig: tlsConfig} return &http.Client{Transport: transport} } diff --git a/plugins/outputs/prometheus_client/scripts/generate_certs.sh b/plugins/outputs/prometheus_client/scripts/generate_certs.sh deleted file mode 100755 index 1f7c3418f..000000000 --- a/plugins/outputs/prometheus_client/scripts/generate_certs.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -e - -scripts_dir=$(cd $(dirname $0) && pwd) - -mkdir -p ${scripts_dir}/../assets -assets_dir=$(cd ${scripts_dir}/../assets && pwd) - -echo "Generating certs into ${assets_dir}" - -test ! `which certstrap` && go get -u -v github.com/square/certstrap - -rm -f ${assets_dir}/* - -# CA to distribute to loggregator certs -certstrap --depot-path ${assets_dir} init --passphrase '' --common-name telegrafCA --expires "25 years" -certstrap --depot-path ${assets_dir} request-cert --passphrase '' --common-name telegraf -certstrap --depot-path ${assets_dir} sign telegraf --CA telegrafCA --expires "25 years" \ No newline at end of file
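Review bot: `output` is no longer read anywhere in `buildClientWithTLS` now that the client configuration comes from `pki.TLSClientConfig().TLSConfig()`, so the parameter is dead and should be dropped, with the call `httpClient = buildClientWithTLS(output)` in `buildTestContext` (previous hunk) updated to match. The removed client config explicitly set `MinVersion: tls.VersionTLS12` and `ServerName: "telegraf"`; whether the shared `TLSClientConfig()` does the same is not visible here, and without a client-side floor this test can no longer detect the server accepting older protocol versions, so a dedicated assertion that a client capped below TLS 1.2 fails to connect would keep that coverage. `buildClientWithTLS` is shown in full; the deleted `generate_certs.sh` needs no review.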