| package getproviders |
| |
| import ( |
| "context" |
| "crypto/sha256" |
| "encoding/hex" |
| "encoding/json" |
| "errors" |
| "fmt" |
| "io/ioutil" |
| "log" |
| "net/http" |
| "net/url" |
| "os" |
| "path" |
| "strconv" |
| "time" |
| |
| "github.com/hashicorp/go-retryablehttp" |
| svchost "github.com/hashicorp/terraform-svchost" |
| svcauth "github.com/hashicorp/terraform-svchost/auth" |
| |
| "github.com/hashicorp/terraform/internal/addrs" |
| "github.com/hashicorp/terraform/internal/httpclient" |
| "github.com/hashicorp/terraform/internal/logging" |
| "github.com/hashicorp/terraform/version" |
| ) |
| |
| const ( |
| terraformVersionHeader = "X-Terraform-Version" |
| |
| // registryDiscoveryRetryEnvName is the name of the environment variable that |
| // can be configured to customize number of retries for module and provider |
| // discovery requests with the remote registry. |
| registryDiscoveryRetryEnvName = "TF_REGISTRY_DISCOVERY_RETRY" |
| defaultRetry = 1 |
| |
| // registryClientTimeoutEnvName is the name of the environment variable that |
| // can be configured to customize the timeout duration (seconds) for module |
| // and provider discovery with the remote registry. |
| registryClientTimeoutEnvName = "TF_REGISTRY_CLIENT_TIMEOUT" |
| |
| // defaultRequestTimeout is the default timeout duration for requests to the |
| // remote registry. |
| defaultRequestTimeout = 10 * time.Second |
| ) |
| |
| var ( |
| discoveryRetry int |
| requestTimeout time.Duration |
| ) |
| |
| func init() { |
| configureDiscoveryRetry() |
| configureRequestTimeout() |
| } |
| |
| var SupportedPluginProtocols = MustParseVersionConstraints(">= 5, <7") |
| |
| // registryClient is a client for the provider registry protocol that is |
| // specialized only for the needs of this package. It's not intended as a |
| // general registry API client. |
| type registryClient struct { |
| baseURL *url.URL |
| creds svcauth.HostCredentials |
| |
| httpClient *retryablehttp.Client |
| } |
| |
| func newRegistryClient(baseURL *url.URL, creds svcauth.HostCredentials) *registryClient { |
| httpClient := httpclient.New() |
| httpClient.Timeout = requestTimeout |
| |
| retryableClient := retryablehttp.NewClient() |
| retryableClient.HTTPClient = httpClient |
| retryableClient.RetryMax = discoveryRetry |
| retryableClient.RequestLogHook = requestLogHook |
| retryableClient.ErrorHandler = maxRetryErrorHandler |
| |
| retryableClient.Logger = log.New(logging.LogOutput(), "", log.Flags()) |
| |
| return ®istryClient{ |
| baseURL: baseURL, |
| creds: creds, |
| httpClient: retryableClient, |
| } |
| } |
| |
| // ProviderVersions returns the raw version and protocol strings produced by the |
| // registry for the given provider. |
| // |
| // The returned error will be ErrRegistryProviderNotKnown if the registry responds with |
| // 404 Not Found to indicate that the namespace or provider type are not known, |
| // ErrUnauthorized if the registry responds with 401 or 403 status codes, or |
| // ErrQueryFailed for any other protocol or operational problem. |
| func (c *registryClient) ProviderVersions(ctx context.Context, addr addrs.Provider) (map[string][]string, []string, error) { |
| endpointPath, err := url.Parse(path.Join(addr.Namespace, addr.Type, "versions")) |
| if err != nil { |
| // Should never happen because we're constructing this from |
| // already-validated components. |
| return nil, nil, err |
| } |
| endpointURL := c.baseURL.ResolveReference(endpointPath) |
| req, err := retryablehttp.NewRequest("GET", endpointURL.String(), nil) |
| if err != nil { |
| return nil, nil, err |
| } |
| req = req.WithContext(ctx) |
| c.addHeadersToRequest(req.Request) |
| |
| resp, err := c.httpClient.Do(req) |
| if err != nil { |
| return nil, nil, c.errQueryFailed(addr, err) |
| } |
| defer resp.Body.Close() |
| |
| switch resp.StatusCode { |
| case http.StatusOK: |
| // Great! |
| case http.StatusNotFound: |
| return nil, nil, ErrRegistryProviderNotKnown{ |
| Provider: addr, |
| } |
| case http.StatusUnauthorized, http.StatusForbidden: |
| return nil, nil, c.errUnauthorized(addr.Hostname) |
| default: |
| return nil, nil, c.errQueryFailed(addr, errors.New(resp.Status)) |
| } |
| |
| // We ignore the platforms portion of the response body, because the |
| // installer verifies the platform compatibility after pulling a provider |
| // versions' metadata. |
| type ResponseBody struct { |
| Versions []struct { |
| Version string `json:"version"` |
| Protocols []string `json:"protocols"` |
| } `json:"versions"` |
| Warnings []string `json:"warnings"` |
| } |
| var body ResponseBody |
| |
| dec := json.NewDecoder(resp.Body) |
| if err := dec.Decode(&body); err != nil { |
| return nil, nil, c.errQueryFailed(addr, err) |
| } |
| |
| if len(body.Versions) == 0 { |
| return nil, body.Warnings, nil |
| } |
| |
| ret := make(map[string][]string, len(body.Versions)) |
| for _, v := range body.Versions { |
| ret[v.Version] = v.Protocols |
| } |
| |
| return ret, body.Warnings, nil |
| } |
| |
| // PackageMeta returns metadata about a distribution package for a provider. |
| // |
| // The returned error will be one of the following: |
| // |
| // - ErrPlatformNotSupported if the registry responds with 404 Not Found, |
| // under the assumption that the caller previously checked that the provider |
| // and version are valid. |
| // - ErrProtocolNotSupported if the requested provider version's protocols are not |
| // supported by this version of terraform. |
| // - ErrUnauthorized if the registry responds with 401 or 403 status codes |
| // - ErrQueryFailed for any other operational problem. |
| func (c *registryClient) PackageMeta(ctx context.Context, provider addrs.Provider, version Version, target Platform) (PackageMeta, error) { |
| endpointPath, err := url.Parse(path.Join( |
| provider.Namespace, |
| provider.Type, |
| version.String(), |
| "download", |
| target.OS, |
| target.Arch, |
| )) |
| if err != nil { |
| // Should never happen because we're constructing this from |
| // already-validated components. |
| return PackageMeta{}, err |
| } |
| endpointURL := c.baseURL.ResolveReference(endpointPath) |
| |
| req, err := retryablehttp.NewRequest("GET", endpointURL.String(), nil) |
| if err != nil { |
| return PackageMeta{}, err |
| } |
| req = req.WithContext(ctx) |
| c.addHeadersToRequest(req.Request) |
| |
| resp, err := c.httpClient.Do(req) |
| if err != nil { |
| return PackageMeta{}, c.errQueryFailed(provider, err) |
| } |
| defer resp.Body.Close() |
| |
| switch resp.StatusCode { |
| case http.StatusOK: |
| // Great! |
| case http.StatusNotFound: |
| return PackageMeta{}, ErrPlatformNotSupported{ |
| Provider: provider, |
| Version: version, |
| Platform: target, |
| } |
| case http.StatusUnauthorized, http.StatusForbidden: |
| return PackageMeta{}, c.errUnauthorized(provider.Hostname) |
| default: |
| return PackageMeta{}, c.errQueryFailed(provider, errors.New(resp.Status)) |
| } |
| |
| type SigningKeyList struct { |
| GPGPublicKeys []*SigningKey `json:"gpg_public_keys"` |
| } |
| type ResponseBody struct { |
| Protocols []string `json:"protocols"` |
| OS string `json:"os"` |
| Arch string `json:"arch"` |
| Filename string `json:"filename"` |
| DownloadURL string `json:"download_url"` |
| SHA256Sum string `json:"shasum"` |
| |
| SHA256SumsURL string `json:"shasums_url"` |
| SHA256SumsSignatureURL string `json:"shasums_signature_url"` |
| |
| SigningKeys SigningKeyList `json:"signing_keys"` |
| } |
| var body ResponseBody |
| |
| dec := json.NewDecoder(resp.Body) |
| if err := dec.Decode(&body); err != nil { |
| return PackageMeta{}, c.errQueryFailed(provider, err) |
| } |
| |
| var protoVersions VersionList |
| for _, versionStr := range body.Protocols { |
| v, err := ParseVersion(versionStr) |
| if err != nil { |
| return PackageMeta{}, c.errQueryFailed( |
| provider, |
| fmt.Errorf("registry response includes invalid version string %q: %s", versionStr, err), |
| ) |
| } |
| protoVersions = append(protoVersions, v) |
| } |
| protoVersions.Sort() |
| |
| // Verify that this version of terraform supports the providers' protocol |
| // version(s) |
| if len(protoVersions) > 0 { |
| supportedProtos := MeetingConstraints(SupportedPluginProtocols) |
| protoErr := ErrProtocolNotSupported{ |
| Provider: provider, |
| Version: version, |
| } |
| match := false |
| for _, version := range protoVersions { |
| if supportedProtos.Has(version) { |
| match = true |
| } |
| } |
| if !match { |
| // If the protocol version is not supported, try to find the closest |
| // matching version. |
| closest, err := c.findClosestProtocolCompatibleVersion(ctx, provider, version) |
| if err != nil { |
| return PackageMeta{}, err |
| } |
| protoErr.Suggestion = closest |
| return PackageMeta{}, protoErr |
| } |
| } |
| |
| if body.OS != target.OS || body.Arch != target.Arch { |
| return PackageMeta{}, fmt.Errorf("registry response to request for %s archive has incorrect target %s", target, Platform{body.OS, body.Arch}) |
| } |
| |
| downloadURL, err := url.Parse(body.DownloadURL) |
| if err != nil { |
| return PackageMeta{}, fmt.Errorf("registry response includes invalid download URL: %s", err) |
| } |
| downloadURL = resp.Request.URL.ResolveReference(downloadURL) |
| if downloadURL.Scheme != "http" && downloadURL.Scheme != "https" { |
| return PackageMeta{}, fmt.Errorf("registry response includes invalid download URL: must use http or https scheme") |
| } |
| |
| ret := PackageMeta{ |
| Provider: provider, |
| Version: version, |
| ProtocolVersions: protoVersions, |
| TargetPlatform: Platform{ |
| OS: body.OS, |
| Arch: body.Arch, |
| }, |
| Filename: body.Filename, |
| Location: PackageHTTPURL(downloadURL.String()), |
| // "Authentication" is populated below |
| } |
| |
| if len(body.SHA256Sum) != sha256.Size*2 { // *2 because it's hex-encoded |
| return PackageMeta{}, c.errQueryFailed( |
| provider, |
| fmt.Errorf("registry response includes invalid SHA256 hash %q: %s", body.SHA256Sum, err), |
| ) |
| } |
| |
| var checksum [sha256.Size]byte |
| _, err = hex.Decode(checksum[:], []byte(body.SHA256Sum)) |
| if err != nil { |
| return PackageMeta{}, c.errQueryFailed( |
| provider, |
| fmt.Errorf("registry response includes invalid SHA256 hash %q: %s", body.SHA256Sum, err), |
| ) |
| } |
| |
| shasumsURL, err := url.Parse(body.SHA256SumsURL) |
| if err != nil { |
| return PackageMeta{}, fmt.Errorf("registry response includes invalid SHASUMS URL: %s", err) |
| } |
| shasumsURL = resp.Request.URL.ResolveReference(shasumsURL) |
| if shasumsURL.Scheme != "http" && shasumsURL.Scheme != "https" { |
| return PackageMeta{}, fmt.Errorf("registry response includes invalid SHASUMS URL: must use http or https scheme") |
| } |
| document, err := c.getFile(shasumsURL) |
| if err != nil { |
| return PackageMeta{}, c.errQueryFailed( |
| provider, |
| fmt.Errorf("failed to retrieve authentication checksums for provider: %s", err), |
| ) |
| } |
| signatureURL, err := url.Parse(body.SHA256SumsSignatureURL) |
| if err != nil { |
| return PackageMeta{}, fmt.Errorf("registry response includes invalid SHASUMS signature URL: %s", err) |
| } |
| signatureURL = resp.Request.URL.ResolveReference(signatureURL) |
| if signatureURL.Scheme != "http" && signatureURL.Scheme != "https" { |
| return PackageMeta{}, fmt.Errorf("registry response includes invalid SHASUMS signature URL: must use http or https scheme") |
| } |
| signature, err := c.getFile(signatureURL) |
| if err != nil { |
| return PackageMeta{}, c.errQueryFailed( |
| provider, |
| fmt.Errorf("failed to retrieve cryptographic signature for provider: %s", err), |
| ) |
| } |
| |
| keys := make([]SigningKey, len(body.SigningKeys.GPGPublicKeys)) |
| for i, key := range body.SigningKeys.GPGPublicKeys { |
| keys[i] = *key |
| } |
| |
| ret.Authentication = PackageAuthenticationAll( |
| NewMatchingChecksumAuthentication(document, body.Filename, checksum), |
| NewArchiveChecksumAuthentication(ret.TargetPlatform, checksum), |
| NewSignatureAuthentication(document, signature, keys), |
| ) |
| |
| return ret, nil |
| } |
| |
| // findClosestProtocolCompatibleVersion searches for the provider version with the closest protocol match. |
| func (c *registryClient) findClosestProtocolCompatibleVersion(ctx context.Context, provider addrs.Provider, version Version) (Version, error) { |
| var match Version |
| available, _, err := c.ProviderVersions(ctx, provider) |
| if err != nil { |
| return UnspecifiedVersion, err |
| } |
| |
| // extract the maps keys so we can make a sorted list of available versions. |
| versionList := make(VersionList, 0, len(available)) |
| for versionStr := range available { |
| v, err := ParseVersion(versionStr) |
| if err != nil { |
| return UnspecifiedVersion, ErrQueryFailed{ |
| Provider: provider, |
| Wrapped: fmt.Errorf("registry response includes invalid version string %q: %s", versionStr, err), |
| } |
| } |
| versionList = append(versionList, v) |
| } |
| versionList.Sort() // lowest precedence first, preserving order when equal precedence |
| |
| protoVersions := MeetingConstraints(SupportedPluginProtocols) |
| FindMatch: |
| // put the versions in increasing order of precedence |
| for index := len(versionList) - 1; index >= 0; index-- { // walk backwards to consider newer versions first |
| for _, protoStr := range available[versionList[index].String()] { |
| p, err := ParseVersion(protoStr) |
| if err != nil { |
| return UnspecifiedVersion, ErrQueryFailed{ |
| Provider: provider, |
| Wrapped: fmt.Errorf("registry response includes invalid protocol string %q: %s", protoStr, err), |
| } |
| } |
| if protoVersions.Has(p) { |
| match = versionList[index] |
| break FindMatch |
| } |
| } |
| } |
| return match, nil |
| } |
| |
| func (c *registryClient) addHeadersToRequest(req *http.Request) { |
| if c.creds != nil { |
| c.creds.PrepareRequest(req) |
| } |
| req.Header.Set(terraformVersionHeader, version.String()) |
| } |
| |
| func (c *registryClient) errQueryFailed(provider addrs.Provider, err error) error { |
| if err == context.Canceled { |
| // This one has a special error type so that callers can |
| // handle it in a different way. |
| return ErrRequestCanceled{} |
| } |
| return ErrQueryFailed{ |
| Provider: provider, |
| Wrapped: err, |
| } |
| } |
| |
| func (c *registryClient) errUnauthorized(hostname svchost.Hostname) error { |
| return ErrUnauthorized{ |
| Hostname: hostname, |
| HaveCredentials: c.creds != nil, |
| } |
| } |
| |
| func (c *registryClient) getFile(url *url.URL) ([]byte, error) { |
| resp, err := c.httpClient.Get(url.String()) |
| if err != nil { |
| return nil, err |
| } |
| defer resp.Body.Close() |
| |
| if resp.StatusCode != http.StatusOK { |
| return nil, fmt.Errorf("%s returned from %s", resp.Status, HostFromRequest(resp.Request)) |
| } |
| |
| data, err := ioutil.ReadAll(resp.Body) |
| if err != nil { |
| return data, err |
| } |
| |
| return data, nil |
| } |
| |
| // configureDiscoveryRetry configures the number of retries the registry client |
| // will attempt for requests with retryable errors, like 502 status codes |
| func configureDiscoveryRetry() { |
| discoveryRetry = defaultRetry |
| |
| if v := os.Getenv(registryDiscoveryRetryEnvName); v != "" { |
| retry, err := strconv.Atoi(v) |
| if err == nil && retry > 0 { |
| discoveryRetry = retry |
| } |
| } |
| } |
| |
| func requestLogHook(logger retryablehttp.Logger, req *http.Request, i int) { |
| if i > 0 { |
| logger.Printf("[INFO] Previous request to the remote registry failed, attempting retry.") |
| } |
| } |
| |
| func maxRetryErrorHandler(resp *http.Response, err error, numTries int) (*http.Response, error) { |
| // Close the body per library instructions |
| if resp != nil { |
| resp.Body.Close() |
| } |
| |
| // Additional error detail: if we have a response, use the status code; |
| // if we have an error, use that; otherwise nothing. We will never have |
| // both response and error. |
| var errMsg string |
| if resp != nil { |
| errMsg = fmt.Sprintf(": %s returned from %s", resp.Status, HostFromRequest(resp.Request)) |
| } else if err != nil { |
| errMsg = fmt.Sprintf(": %s", err) |
| } |
| |
| // This function is always called with numTries=RetryMax+1. If we made any |
| // retry attempts, include that in the error message. |
| if numTries > 1 { |
| return resp, fmt.Errorf("the request failed after %d attempts, please try again later%s", |
| numTries, errMsg) |
| } |
| return resp, fmt.Errorf("the request failed, please try again later%s", errMsg) |
| } |
| |
| // HostFromRequest extracts host the same way net/http Request.Write would, |
| // accounting for empty Request.Host |
| func HostFromRequest(req *http.Request) string { |
| if req.Host != "" { |
| return req.Host |
| } |
| if req.URL != nil { |
| return req.URL.Host |
| } |
| |
| // this should never happen and if it does |
| // it will be handled as part of Request.Write() |
| // https://cs.opensource.google/go/go/+/refs/tags/go1.18.4:src/net/http/request.go;l=574 |
| return "" |
| } |
| |
| // configureRequestTimeout configures the registry client request timeout from |
| // environment variables |
| func configureRequestTimeout() { |
| requestTimeout = defaultRequestTimeout |
| |
| if v := os.Getenv(registryClientTimeoutEnvName); v != "" { |
| timeout, err := strconv.Atoi(v) |
| if err == nil && timeout > 0 { |
| requestTimeout = time.Duration(timeout) * time.Second |
| } |
| } |
| } |