mattermost/utils/httpclient.go

// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package utils

import (
	"context"
	"crypto/tls"
	"errors"
	"net"
	"net/http"
	"time"
)

const (
	connectTimeout = 3 * time.Second
	requestTimeout = 30 * time.Second
)

var reservedIPRanges []*net.IPNet

func IsReservedIP(ip net.IP) bool {
	for _, ipRange := range reservedIPRanges {
		if ipRange.Contains(ip) {
			return true
		}
	}
	return false
}

func init() {
	for _, cidr := range []string{
		// See https://tools.ietf.org/html/rfc6890
		"0.0.0.0/8",      // This host on this network
		"10.0.0.0/8",     // Private-Use
		"127.0.0.0/8",    // Loopback
		"169.254.0.0/16", // Link Local
		"172.16.0.0/12",  // Private-Use Networks
		"192.168.0.0/16", // Private-Use Networks
		"::/128",         // Unspecified Address
		"::1/128",        // Loopback Address
		"fc00::/7",       // Unique-Local
		"fe80::/10",      // Linked-Scoped Unicast
	} {
		_, parsed, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err)
		}
		reservedIPRanges = append(reservedIPRanges, parsed)
	}
}

type DialContextFunction func(ctx context.Context, network, addr string) (net.Conn, error)

var AddressForbidden error = errors.New("address forbidden")

func dialContextFilter(dial DialContextFunction, allowHost func(host string) bool, allowIP func(ip net.IP) bool) DialContextFunction {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}

		if allowHost != nil && allowHost(host) {
			return dial(ctx, network, addr)
		}

		ips, err := net.LookupIP(host)
		if err != nil {
			return nil, err
		}

		var firstErr error
		for _, ip := range ips {
			select {
			case <-ctx.Done():
				return nil, ctx.Err()
			default:
			}

			if allowIP == nil || !allowIP(ip) {
				continue
			}

			conn, err := dial(ctx, network, net.JoinHostPort(ip.String(), port))
			if err == nil {
				return conn, nil
			}
			if firstErr == nil {
				firstErr = err
			}
		}
		if firstErr == nil {
			return nil, AddressForbidden
		}
		return nil, firstErr
	}
}

// NewHTTPClient returns a variation the default implementation of Client.
// It uses a Transport with the same settings as the default Transport
// but with the following modifications:
// - shorter timeout for dial and TLS handshake (defined as constant
//   "connectTimeout")
// - timeout for the end-to-end request (defined as constant
//   "requestTimeout")
func NewHTTPClient(enableInsecureConnections bool, allowHost func(host string) bool, allowIP func(ip net.IP) bool) *http.Client {
	dialContext := (&net.Dialer{
		Timeout:   connectTimeout,
		KeepAlive: 30 * time.Second,
	}).DialContext

	if allowHost != nil || allowIP != nil {
		dialContext = dialContextFilter(dialContext, allowHost, allowIP)
	}

	client := &http.Client{
		Transport: &http.Transport{
			Proxy:                 http.ProxyFromEnvironment,
			DialContext:           dialContext,
			MaxIdleConns:          100,
			IdleConnTimeout:       90 * time.Second,
			TLSHandshakeTimeout:   connectTimeout,
			ExpectContinueTimeout: 1 * time.Second,
			TLSClientConfig: &tls.Config{
				InsecureSkipVerify: enableInsecureConnections,
			},
		},
		Timeout: requestTimeout,
	}

	return client
}
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 16:34:05 +02:00			`// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.`
			`// See License.txt for license information.`

			`package utils`

			`import (`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 15:49:07 -05:00			`"context"`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 16:34:05 +02:00			`"crypto/tls"`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 15:49:07 -05:00			`"errors"`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 16:34:05 +02:00			`"net"`
			`"net/http"`
			`"time"`
			`)`

			`const (`
			`connectTimeout = 3 * time.Second`
Merge release-3.10 into master (#6654) * PLT-6787 Fixed being able to send a post before files finished uploading (#6617) * Fix quick switcher for channels/users not stored locally (#6610) * Fix button text on confirm mention modal (#6609) * fix post delete permission of channel admin (#6608) * open comment thread for the most recent reply-able message (#6605) * Use mutex flag with yarn to prevent concurrent builds interfering (#6619) * Use mutex flag with yarn to prevent concurrent builds interfering * Remove yarn mutex file with clean * Minor bug fixes (#6615) * PLT-6774 - Fixing color for offline icon * PLT-6784 - Fixing status icon * Fixing icon margin * Updating caret position * PLT-6070 Have ChannelMentionProvider stop searching after a term returns no results (#6620) * Fixing JS error (#6623) * Minor bug fixes (#6622) * PLT-6808 - Updating channel switcher on mobile * PLT-6743 - Updating scrollbar styling * Login instead of failing if user exists in OAuth sign-up flow (#6627) * PLT-6802 Disable team switcher (#6626) * Disable team switcher * Fix ESLint errors * PLT-6807 Ensured select teams page can scroll on iOS (#6630) * Do not redirect from account switch pages on 401 (#6631) * Fixing loadtest command and renaming to /test (#6624) * PLT-6820 Update mattermost-redux dependency (#6632) * translations PR 20170612 (#6629) * Bump HTTP client timeout to 30 seconds (#6633) * For team unreads return empty array instead of null (#6636) * PLT-6831 Fix status modal localization IDs (#6637) * Fix status modal localization IDs * Update test snapshot 2017-06-15 11:05:43 -04:00			`requestTimeout = 30 * time.Second`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 16:34:05 +02:00			`)`

PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 15:49:07 -05:00			`var reservedIPRanges []*net.IPNet`

HTTP client refactor (#7884) * http client refactor * simplification 2017-11-22 09:15:03 -06:00			`func IsReservedIP(ip net.IP) bool {`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 15:49:07 -05:00			`for _, ipRange := range reservedIPRanges {`
			`if ipRange.Contains(ip) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`func init() {`
			`for _, cidr := range []string{`
			`// See https://tools.ietf.org/html/rfc6890`
			`"0.0.0.0/8", // This host on this network`
			`"10.0.0.0/8", // Private-Use`
			`"127.0.0.0/8", // Loopback`
			`"169.254.0.0/16", // Link Local`
			`"172.16.0.0/12", // Private-Use Networks`
			`"192.168.0.0/16", // Private-Use Networks`
			`"::/128", // Unspecified Address`
			`"::1/128", // Loopback Address`
			`"fc00::/7", // Unique-Local`
			`"fe80::/10", // Linked-Scoped Unicast`
			`} {`
			`_, parsed, err := net.ParseCIDR(cidr)`
			`if err != nil {`
			`panic(err)`
			`}`
			`reservedIPRanges = append(reservedIPRanges, parsed)`
			`}`
			`}`

			`type DialContextFunction func(ctx context.Context, network, addr string) (net.Conn, error)`

			`var AddressForbidden error = errors.New("address forbidden")`

			`func dialContextFilter(dial DialContextFunction, allowHost func(host string) bool, allowIP func(ip net.IP) bool) DialContextFunction {`
			`return func(ctx context.Context, network, addr string) (net.Conn, error) {`
			`host, port, err := net.SplitHostPort(addr)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if allowHost != nil && allowHost(host) {`
			`return dial(ctx, network, addr)`
			`}`

			`ips, err := net.LookupIP(host)`
			`if err != nil {`
			`return nil, err`
			`}`

			`var firstErr error`
			`for _, ip := range ips {`
			`select {`
			`case <-ctx.Done():`
			`return nil, ctx.Err()`
			`default:`
			`}`

			`if allowIP == nil \|\| !allowIP(ip) {`
			`continue`
			`}`

			`conn, err := dial(ctx, network, net.JoinHostPort(ip.String(), port))`
			`if err == nil {`
			`return conn, nil`
			`}`
			`if firstErr == nil {`
			`firstErr = err`
			`}`
			`}`
			`if firstErr == nil {`
			`return nil, AddressForbidden`
			`}`
			`return nil, firstErr`
			`}`
			`}`

HTTP client refactor (#7884) * http client refactor * simplification 2017-11-22 09:15:03 -06:00			`// NewHTTPClient returns a variation the default implementation of Client.`
			`// It uses a Transport with the same settings as the default Transport`
			`// but with the following modifications:`
			`// - shorter timeout for dial and TLS handshake (defined as constant`
			`// "connectTimeout")`
			`// - timeout for the end-to-end request (defined as constant`
			`// "requestTimeout")`
			`func NewHTTPClient(enableInsecureConnections bool, allowHost func(host string) bool, allowIP func(ip net.IP) bool) *http.Client {`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 15:49:07 -05:00			`dialContext := (&net.Dialer{`
			`Timeout: connectTimeout,`
			`KeepAlive: 30 * time.Second,`
			`}).DialContext`

			`if allowHost != nil \|\| allowIP != nil {`
			`dialContext = dialContextFilter(dialContext, allowHost, allowIP)`
			`}`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 16:34:05 +02:00
			`client := &http.Client{`
			`Transport: &http.Transport{`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 15:49:07 -05:00			`Proxy: http.ProxyFromEnvironment,`
			`DialContext: dialContext,`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 16:34:05 +02:00			`MaxIdleConns: 100,`
			`IdleConnTimeout: 90 * time.Second,`
			`TLSHandshakeTimeout: connectTimeout,`
			`ExpectContinueTimeout: 1 * time.Second,`
			`TLSClientConfig: &tls.Config{`
			`InsecureSkipVerify: enableInsecureConnections,`
			`},`
			`},`
			`Timeout: requestTimeout,`
			`}`

			`return client`
			`}`