transport/http/dial.go - google-api-go-client - Git at Google

 // Copyright 2015 Google LLC.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 // Package http supports network connections to HTTP servers.
 // This package is not intended for use by end developers. Use the
 // google.golang.org/api/option package to configure API clients.
 package http

 import (
 	"context"
 	"crypto/tls"
 	"errors"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"
 	"time"

 	"go.opencensus.io/plugin/ochttp"
 	"golang.org/x/oauth2"
 	"google.golang.org/api/googleapi/transport"
 	"google.golang.org/api/internal"
 	"google.golang.org/api/option"
 	"google.golang.org/api/transport/cert"
 	"google.golang.org/api/transport/http/internal/propagation"
 )

 const (
 	mTLSModeAlways = "always"
 	mTLSModeNever  = "never"
 	mTLSModeAuto   = "auto"
 )

 // NewClient returns an HTTP client for use communicating with a Google cloud
 // service, configured with the given ClientOptions. It also returns the endpoint
 // for the service as specified in the options.
 func NewClient(ctx context.Context, opts ...option.ClientOption) (*http.Client, string, error) {
 	settings, err := newSettings(opts)
 	if err != nil {
 		return nil, "", err
 	}
 	clientCertSource, err := getClientCertificateSource(settings)
 	if err != nil {
 		return nil, "", err
 	}
 	endpoint, err := getEndpoint(settings, clientCertSource)
 	if err != nil {
 		return nil, "", err
 	}
 	// TODO(cbro): consider injecting the User-Agent even if an explicit HTTP client is provided?
 	if settings.HTTPClient != nil {
 		return settings.HTTPClient, endpoint, nil
 	}
 	trans, err := newTransport(ctx, defaultBaseTransport(ctx, clientCertSource), settings)
 	if err != nil {
 		return nil, "", err
 	}
 	return &http.Client{Transport: trans}, endpoint, nil
 }

 // NewTransport creates an http.RoundTripper for use communicating with a Google
 // cloud service, configured with the given ClientOptions. Its RoundTrip method delegates to base.
 func NewTransport(ctx context.Context, base http.RoundTripper, opts ...option.ClientOption) (http.RoundTripper, error) {
 	settings, err := newSettings(opts)
 	if err != nil {
 		return nil, err
 	}
 	if settings.HTTPClient != nil {
 		return nil, errors.New("transport/http: WithHTTPClient passed to NewTransport")
 	}
 	return newTransport(ctx, base, settings)
 }

 func newTransport(ctx context.Context, base http.RoundTripper, settings *internal.DialSettings) (http.RoundTripper, error) {
 	paramTransport := &parameterTransport{
 		base:          base,
 		userAgent:     settings.UserAgent,
 		quotaProject:  settings.QuotaProject,
 		requestReason: settings.RequestReason,
 	}
 	var trans http.RoundTripper = paramTransport
 	trans = addOCTransport(trans, settings)
 	switch {
 	case settings.NoAuth:
 		// Do nothing.
 	case settings.APIKey != "":
 		trans = &transport.APIKey{
 			Transport: trans,
 			Key:       settings.APIKey,
 		}
 	default:
 		creds, err := internal.Creds(ctx, settings)
 		if err != nil {
 			return nil, err
 		}
 		if paramTransport.quotaProject == "" {
 			paramTransport.quotaProject = internal.QuotaProjectFromCreds(creds)
 		}

 		ts := creds.TokenSource
 		if settings.TokenSource != nil {
 			ts = settings.TokenSource
 		}
 		trans = &oauth2.Transport{
 			Base:   trans,
 			Source: ts,
 		}
 	}
 	return trans, nil
 }

 func newSettings(opts []option.ClientOption) (*internal.DialSettings, error) {
 	var o internal.DialSettings
 	for _, opt := range opts {
 		opt.Apply(&o)
 	}
 	if err := o.Validate(); err != nil {
 		return nil, err
 	}
 	if o.GRPCConn != nil {
 		return nil, errors.New("unsupported gRPC connection specified")
 	}
 	return &o, nil
 }

 type parameterTransport struct {
 	userAgent     string
 	quotaProject  string
 	requestReason string

 	base http.RoundTripper
 }

 func (t *parameterTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	rt := t.base
 	if rt == nil {
 		return nil, errors.New("transport: no Transport specified")
 	}
 	newReq := *req
 	newReq.Header = make(http.Header)
 	for k, vv := range req.Header {
 		newReq.Header[k] = vv
 	}
 	if t.userAgent != "" {
 		// TODO(cbro): append to existing User-Agent header?
 		newReq.Header.Set("User-Agent", t.userAgent)
 	}

 	// Attach system parameters into the header
 	if t.quotaProject != "" {
 		newReq.Header.Set("X-Goog-User-Project", t.quotaProject)
 	}
 	if t.requestReason != "" {
 		newReq.Header.Set("X-Goog-Request-Reason", t.requestReason)
 	}

 	return rt.RoundTrip(&newReq)
 }

 // Set at init time by dial_appengine.go. If nil, we're not on App Engine.
 var appengineUrlfetchHook func(context.Context) http.RoundTripper

 // defaultBaseTransport returns the base HTTP transport.
 // On App Engine, this is urlfetch.Transport.
 // Otherwise, use a default transport, taking most defaults from
 // http.DefaultTransport.
 // If TLSCertificate is available, set TLSClientConfig as well.
 func defaultBaseTransport(ctx context.Context, clientCertSource cert.Source) http.RoundTripper {
 	if appengineUrlfetchHook != nil {
 		return appengineUrlfetchHook(ctx)
 	}

 	// Copy http.DefaultTransport except for MaxIdleConnsPerHost setting,
 	// which is increased due to reported performance issues under load in the GCS
 	// client. Transport.Clone is only available in Go 1.13 and up.
 	trans := clonedTransport(http.DefaultTransport)
 	if trans == nil {
 		trans = fallbackBaseTransport()
 	}
 	trans.MaxIdleConnsPerHost = 100

 	if clientCertSource != nil {
 		trans.TLSClientConfig = &tls.Config{
 			GetClientCertificate: clientCertSource,
 		}
 	}

 	return trans
 }

 // fallbackBaseTransport is used in <go1.13 as well as in the rare case if
 // http.DefaultTransport has been reassigned something that's not a
 // *http.Transport.
 func fallbackBaseTransport() *http.Transport {
 	return &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		DialContext: (&net.Dialer{
 			Timeout:   30 * time.Second,
 			KeepAlive: 30 * time.Second,
 			DualStack: true,
 		}).DialContext,
 		MaxIdleConns:          100,
 		MaxIdleConnsPerHost:   100,
 		IdleConnTimeout:       90 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 	}
 }

 func addOCTransport(trans http.RoundTripper, settings *internal.DialSettings) http.RoundTripper {
 	if settings.TelemetryDisabled {
 		return trans
 	}
 	return &ochttp.Transport{
 		Base:        trans,
 		Propagation: &propagation.HTTPFormat{},
 	}
 }

 // getClientCertificateSource returns a default client certificate source, if
 // not provided by the user.
 //
 // A nil default source can be returned if the source does not exist. Any exceptions
 // encountered while initializing the default source will be reported as client
 // error (ex. corrupt metadata file).
 //
 // The overall logic is as follows:
 // 1. If both endpoint override and client certificate are specified, use them as is.
 // 2. If user does not specify client certificate, we will attempt to use default
 //    client certificate.
 // 3. If user does not specify endpoint override, we will use defaultMtlsEndpoint if
 //    client certificate is available and defaultEndpoint otherwise.
 //
 // Implications of the above logic:
 // 1. If the user specifies a non-mTLS endpoint override but client certificate is
 //    available, we will pass along the cert anyway and let the server decide what to do.
 // 2. If the user specifies an mTLS endpoint override but client certificate is not
 //    available, we will not fail-fast, but let backend throw error when connecting.
 //
 // We would like to avoid introducing client-side logic that parses whether the
 // endpoint override is an mTLS url, since the url pattern may change at anytime.
 func getClientCertificateSource(settings *internal.DialSettings) (cert.Source, error) {
 	if settings.HTTPClient != nil {
 		return nil, nil // HTTPClient is incompatible with ClientCertificateSource
 	} else if settings.ClientCertSource != nil {
 		return settings.ClientCertSource, nil
 	} else {
 		return cert.DefaultSource()
 	}

 }

 // getEndpoint returns the endpoint for the service, taking into account the
 // user-provided endpoint override "settings.Endpoint"
 //
 // If no endpoint override is specified, we will either return the default endpoint or
 // the default mTLS endpoint if a client certificate is available.
 //
 // You can override the default endpoint (mtls vs. regular) by setting the
 // GOOGLE_API_USE_MTLS environment variable.
 //
 // If the endpoint override is an address (host:port) rather than full base
 // URL (ex. https://...), then the user-provided address will be merged into
 // the default endpoint. For example, WithEndpoint("myhost:8000") and
 // WithDefaultEndpoint("https://foo.com/bar/baz") will return "https://myhost:8080/bar/baz"
 func getEndpoint(settings *internal.DialSettings, clientCertSource cert.Source) (string, error) {
 	if settings.Endpoint == "" {
 		mtlsMode := getMTLSMode()
 		if mtlsMode == mTLSModeAlways || (clientCertSource != nil && mtlsMode == mTLSModeAuto) {
 			return generateDefaultMtlsEndpoint(settings.DefaultEndpoint), nil
 		}
 		return settings.DefaultEndpoint, nil
 	}
 	if strings.Contains(settings.Endpoint, "://") {
 		// User passed in a full URL path, use it verbatim.
 		return settings.Endpoint, nil
 	}
 	if settings.DefaultEndpoint == "" {
 		return "", errors.New("WithEndpoint requires a full URL path")
 	}

 	// Assume user-provided endpoint is host[:port], merge it with the default endpoint.
 	return mergeEndpoints(settings.DefaultEndpoint, settings.Endpoint)
 }

 func getMTLSMode() string {
 	mode := os.Getenv("GOOGLE_API_USE_MTLS")
 	if mode == "" {
 		// TODO(shinfan): Update this to "auto" when the mTLS feature is fully released.
 		return mTLSModeNever
 	}
 	return strings.ToLower(mode)
 }

 func mergeEndpoints(base, newHost string) (string, error) {
 	u, err := url.Parse(base)
 	if err != nil {
 		return "", err
 	}
 	u.Host = newHost
 	return u.String(), nil
 }

 // generateDefaultMtlsEndpoint attempts to derive the mTLS version of the
 // defaultEndpoint via regex, and returns defaultEndpoint if unsuccessful.
 //
 // We need to applying the following 2 transformations:
 // 1. pubsub.googleapis.com to pubsub.mtls.googleapis.com
 // 2. pubsub.sandbox.googleapis.com to pubsub.mtls.sandbox.googleapis.com
 //
 // TODO(andyzhao): In the future, the mTLS endpoint will be read from the Discovery Document
 // and passed in as defaultMtlsEndpoint instead of generated from defaultEndpoint,
 // and this function will be removed.
 func generateDefaultMtlsEndpoint(defaultEndpoint string) string {
 	var domains = []string{
 		".sandbox.googleapis.com", // must come first because .googleapis.com is a substring
 		".googleapis.com",
 	}
 	for _, domain := range domains {
 		if strings.Contains(defaultEndpoint, domain) {
 			return strings.Replace(defaultEndpoint, domain, ".mtls"+domain, -1)
 		}
 	}
 	return defaultEndpoint
 }
	// Copyright 2015 Google LLC.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	// Package http supports network connections to HTTP servers.
	// This package is not intended for use by end developers. Use the
	// google.golang.org/api/option package to configure API clients.
	package http

	import (
	"context"
	"crypto/tls"
	"errors"
	"net"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"

	"go.opencensus.io/plugin/ochttp"
	"golang.org/x/oauth2"
	"google.golang.org/api/googleapi/transport"
	"google.golang.org/api/internal"
	"google.golang.org/api/option"
	"google.golang.org/api/transport/cert"
	"google.golang.org/api/transport/http/internal/propagation"
	)

	const (
	mTLSModeAlways = "always"
	mTLSModeNever = "never"
	mTLSModeAuto = "auto"
	)

	// NewClient returns an HTTP client for use communicating with a Google cloud
	// service, configured with the given ClientOptions. It also returns the endpoint
	// for the service as specified in the options.
	func NewClient(ctx context.Context, opts ...option.ClientOption) (*http.Client, string, error) {
	settings, err := newSettings(opts)
	if err != nil {
	return nil, "", err
	}
	clientCertSource, err := getClientCertificateSource(settings)
	if err != nil {
	return nil, "", err
	}
	endpoint, err := getEndpoint(settings, clientCertSource)
	if err != nil {
	return nil, "", err
	}
	// TODO(cbro): consider injecting the User-Agent even if an explicit HTTP client is provided?
	if settings.HTTPClient != nil {
	return settings.HTTPClient, endpoint, nil
	}
	trans, err := newTransport(ctx, defaultBaseTransport(ctx, clientCertSource), settings)
	if err != nil {
	return nil, "", err
	}
	return &http.Client{Transport: trans}, endpoint, nil
	}

	// NewTransport creates an http.RoundTripper for use communicating with a Google
	// cloud service, configured with the given ClientOptions. Its RoundTrip method delegates to base.
	func NewTransport(ctx context.Context, base http.RoundTripper, opts ...option.ClientOption) (http.RoundTripper, error) {
	settings, err := newSettings(opts)
	if err != nil {
	return nil, err
	}
	if settings.HTTPClient != nil {
	return nil, errors.New("transport/http: WithHTTPClient passed to NewTransport")
	}
	return newTransport(ctx, base, settings)
	}

	func newTransport(ctx context.Context, base http.RoundTripper, settings *internal.DialSettings) (http.RoundTripper, error) {
	paramTransport := &parameterTransport{
	base: base,
	userAgent: settings.UserAgent,
	quotaProject: settings.QuotaProject,
	requestReason: settings.RequestReason,
	}
	var trans http.RoundTripper = paramTransport
	trans = addOCTransport(trans, settings)
	switch {
	case settings.NoAuth:
	// Do nothing.
	case settings.APIKey != "":
	trans = &transport.APIKey{
	Transport: trans,
	Key: settings.APIKey,
	}
	default:
	creds, err := internal.Creds(ctx, settings)
	if err != nil {
	return nil, err
	}
	if paramTransport.quotaProject == "" {
	paramTransport.quotaProject = internal.QuotaProjectFromCreds(creds)
	}

	ts := creds.TokenSource
	if settings.TokenSource != nil {
	ts = settings.TokenSource
	}
	trans = &oauth2.Transport{
	Base: trans,
	Source: ts,
	}
	}
	return trans, nil
	}

	func newSettings(opts []option.ClientOption) (*internal.DialSettings, error) {
	var o internal.DialSettings
	for _, opt := range opts {
	opt.Apply(&o)
	}
	if err := o.Validate(); err != nil {
	return nil, err
	}
	if o.GRPCConn != nil {
	return nil, errors.New("unsupported gRPC connection specified")
	}
	return &o, nil
	}

	type parameterTransport struct {
	userAgent string
	quotaProject string
	requestReason string

	base http.RoundTripper
	}

	func (t parameterTransport) RoundTrip(req http.Request) (*http.Response, error) {
	rt := t.base
	if rt == nil {
	return nil, errors.New("transport: no Transport specified")
	}
	newReq := *req
	newReq.Header = make(http.Header)
	for k, vv := range req.Header {
	newReq.Header[k] = vv
	}
	if t.userAgent != "" {
	// TODO(cbro): append to existing User-Agent header?
	newReq.Header.Set("User-Agent", t.userAgent)
	}

	// Attach system parameters into the header
	if t.quotaProject != "" {
	newReq.Header.Set("X-Goog-User-Project", t.quotaProject)
	}
	if t.requestReason != "" {
	newReq.Header.Set("X-Goog-Request-Reason", t.requestReason)
	}

	return rt.RoundTrip(&newReq)
	}

	// Set at init time by dial_appengine.go. If nil, we're not on App Engine.
	var appengineUrlfetchHook func(context.Context) http.RoundTripper

	// defaultBaseTransport returns the base HTTP transport.
	// On App Engine, this is urlfetch.Transport.
	// Otherwise, use a default transport, taking most defaults from
	// http.DefaultTransport.
	// If TLSCertificate is available, set TLSClientConfig as well.
	func defaultBaseTransport(ctx context.Context, clientCertSource cert.Source) http.RoundTripper {
	if appengineUrlfetchHook != nil {
	return appengineUrlfetchHook(ctx)
	}

	// Copy http.DefaultTransport except for MaxIdleConnsPerHost setting,
	// which is increased due to reported performance issues under load in the GCS
	// client. Transport.Clone is only available in Go 1.13 and up.
	trans := clonedTransport(http.DefaultTransport)
	if trans == nil {
	trans = fallbackBaseTransport()
	}
	trans.MaxIdleConnsPerHost = 100

	if clientCertSource != nil {
	trans.TLSClientConfig = &tls.Config{
	GetClientCertificate: clientCertSource,
	}
	}

	return trans
	}

	// fallbackBaseTransport is used in <go1.13 as well as in the rare case if
	// http.DefaultTransport has been reassigned something that's not a
	// *http.Transport.
	func fallbackBaseTransport() *http.Transport {
	return &http.Transport{
	Proxy: http.ProxyFromEnvironment,
	DialContext: (&net.Dialer{
	Timeout: 30 * time.Second,
	KeepAlive: 30 * time.Second,
	DualStack: true,
	}).DialContext,
	MaxIdleConns: 100,
	MaxIdleConnsPerHost: 100,
	IdleConnTimeout: 90 * time.Second,
	TLSHandshakeTimeout: 10 * time.Second,
	ExpectContinueTimeout: 1 * time.Second,
	}
	}

	func addOCTransport(trans http.RoundTripper, settings *internal.DialSettings) http.RoundTripper {
	if settings.TelemetryDisabled {
	return trans
	}
	return &ochttp.Transport{
	Base: trans,
	Propagation: &propagation.HTTPFormat{},
	}
	}

	// getClientCertificateSource returns a default client certificate source, if
	// not provided by the user.
	//
	// A nil default source can be returned if the source does not exist. Any exceptions
	// encountered while initializing the default source will be reported as client
	// error (ex. corrupt metadata file).
	//
	// The overall logic is as follows:
	// 1. If both endpoint override and client certificate are specified, use them as is.
	// 2. If user does not specify client certificate, we will attempt to use default
	// client certificate.
	// 3. If user does not specify endpoint override, we will use defaultMtlsEndpoint if
	// client certificate is available and defaultEndpoint otherwise.
	//
	// Implications of the above logic:
	// 1. If the user specifies a non-mTLS endpoint override but client certificate is
	// available, we will pass along the cert anyway and let the server decide what to do.
	// 2. If the user specifies an mTLS endpoint override but client certificate is not
	// available, we will not fail-fast, but let backend throw error when connecting.
	//
	// We would like to avoid introducing client-side logic that parses whether the
	// endpoint override is an mTLS url, since the url pattern may change at anytime.
	func getClientCertificateSource(settings *internal.DialSettings) (cert.Source, error) {
	if settings.HTTPClient != nil {
	return nil, nil // HTTPClient is incompatible with ClientCertificateSource
	} else if settings.ClientCertSource != nil {
	return settings.ClientCertSource, nil
	} else {
	return cert.DefaultSource()
	}

	}

	// getEndpoint returns the endpoint for the service, taking into account the
	// user-provided endpoint override "settings.Endpoint"
	//
	// If no endpoint override is specified, we will either return the default endpoint or
	// the default mTLS endpoint if a client certificate is available.
	//
	// You can override the default endpoint (mtls vs. regular) by setting the
	// GOOGLE_API_USE_MTLS environment variable.
	//
	// If the endpoint override is an address (host:port) rather than full base
	// URL (ex. https://...), then the user-provided address will be merged into
	// the default endpoint. For example, WithEndpoint("myhost:8000") and
	// WithDefaultEndpoint("https://foo.com/bar/baz") will return "https://myhost:8080/bar/baz"
	func getEndpoint(settings *internal.DialSettings, clientCertSource cert.Source) (string, error) {
	if settings.Endpoint == "" {
	mtlsMode := getMTLSMode()
	if mtlsMode == mTLSModeAlways \|\| (clientCertSource != nil && mtlsMode == mTLSModeAuto) {
	return generateDefaultMtlsEndpoint(settings.DefaultEndpoint), nil
	}
	return settings.DefaultEndpoint, nil
	}
	if strings.Contains(settings.Endpoint, "://") {
	// User passed in a full URL path, use it verbatim.
	return settings.Endpoint, nil
	}
	if settings.DefaultEndpoint == "" {
	return "", errors.New("WithEndpoint requires a full URL path")
	}

	// Assume user-provided endpoint is host[:port], merge it with the default endpoint.
	return mergeEndpoints(settings.DefaultEndpoint, settings.Endpoint)
	}

	func getMTLSMode() string {
	mode := os.Getenv("GOOGLE_API_USE_MTLS")
	if mode == "" {
	// TODO(shinfan): Update this to "auto" when the mTLS feature is fully released.
	return mTLSModeNever
	}
	return strings.ToLower(mode)
	}

	func mergeEndpoints(base, newHost string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
	return "", err
	}
	u.Host = newHost
	return u.String(), nil
	}

	// generateDefaultMtlsEndpoint attempts to derive the mTLS version of the
	// defaultEndpoint via regex, and returns defaultEndpoint if unsuccessful.
	//
	// We need to applying the following 2 transformations:
	// 1. pubsub.googleapis.com to pubsub.mtls.googleapis.com
	// 2. pubsub.sandbox.googleapis.com to pubsub.mtls.sandbox.googleapis.com
	//
	// TODO(andyzhao): In the future, the mTLS endpoint will be read from the Discovery Document
	// and passed in as defaultMtlsEndpoint instead of generated from defaultEndpoint,
	// and this function will be removed.
	func generateDefaultMtlsEndpoint(defaultEndpoint string) string {
	var domains = []string{
	".sandbox.googleapis.com", // must come first because .googleapis.com is a substring
	".googleapis.com",
	}
	for _, domain := range domains {
	if strings.Contains(defaultEndpoint, domain) {
	return strings.Replace(defaultEndpoint, domain, ".mtls"+domain, -1)
	}
	}
	return defaultEndpoint
	}