INFOPLAT-1562 Handle configuration inconsistency
if Config.InsecureConnection is `false` we should ensure that we set our `PerRPCCredentials` implementation to return true for `RequireTransportSecurity`

While `RequireTransportSecurity` can be set on AuthHeaderProvider initialization, it's not required, which can lead to a mismatch in configurations; this adds a guard to prevent that from happening.
hendoxc committed Dec 20, 2024
1 parent da28e35 commit d895532
Showing 2 changed files with 21 additions and 3 deletions.
11 changes: 11 additions & 0 deletions pkg/beholder/auth.go
Expand Up @@ -22,7 +22,10 @@ const (
)

type AuthHeaderProvider interface {
// Credentials returns the PerRPCCredentials implementation
Credentials() credentials.PerRPCCredentials
// SetRequireTransportSecurity sets the value of requireTransportSecurity
SetRequireTransportSecurity(bool)
}

// AuthHeaderProviderConfig configures AuthHeaderProvider
Expand Down Expand Up @@ -78,6 +81,14 @@ func (a *authHeaderPerRPCCredentials) RequireTransportSecurity() bool {
return a.requireTransportSecurity
}

// SetRequireTransportSecurity sets the value of requireTransportSecurity
// This is to safeguard against inconsistent values between the PerRPCCredentials and the AuthHeaderProvider
func (a *authHeaderPerRPCCredentials) SetRequireTransportSecurity(newValue bool) {
a.mu.Lock()
defer a.mu.Unlock()
a.requireTransportSecurity = newValue
}

// getHeaders returns the auth headers, refreshing them if they are expired
func (a *authHeaderPerRPCCredentials) getHeaders() map[string]string {
if time.Since(a.lastUpdated) > a.headerTTL {
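Review bot: `SetRequireTransportSecurity` in the second hunk accepts `false`, so the interface method that is meant to guard against a mismatch also lets any holder of the provider clear the requirement, after which gRPC no longer refuses to attach the auth headers to a connection without transport security. The only caller visible in this commit passes `true`; a one-way form such as `if newValue { a.requireTransportSecurity = true }`, or a doc comment stating when `false` is acceptable, would keep the guard from becoming a downgrade path. The setter takes `a.mu`, but the `RequireTransportSecurity` getter shown as context returns the field directly as far as the hunk shows (its body starts outside the hunk), so confirm the read happens under the same lock. Adding a method to the exported `AuthHeaderProvider` interface in the first hunk also breaks any implementation that lives outside this package.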
13 changes: 10 additions & 3 deletions pkg/beholder/client.go
Expand Up @@ -95,7 +95,7 @@ func newGRPCClient(cfg Config, otlploggrpcNew otlploggrpcFactory) (*Client, erro
otlploggrpc.WithEndpoint(cfg.OtelExporterGRPCEndpoint),
}
if cfg.AuthHeaderProvider != nil {
opts = append(opts, otlploggrpc.WithDialOption(grpc.WithPerRPCCredentials(cfg.AuthHeaderProvider.Credentials())))
opts = append(opts, otlploggrpc.WithDialOption(authHeaderDialOption(creds, cfg.AuthHeaderProvider)))
} else {
opts = append(opts, otlploggrpc.WithHeaders(cfg.AuthHeaders))
}
Expand Down Expand Up @@ -312,7 +312,7 @@ func newTracerProvider(config Config, resource *sdkresource.Resource, creds cred
otlptracegrpc.WithEndpoint(config.OtelExporterGRPCEndpoint),
}
if config.AuthHeaderProvider != nil {
exporterOpts = append(exporterOpts, otlptracegrpc.WithDialOption(grpc.WithPerRPCCredentials(config.AuthHeaderProvider.Credentials())))
exporterOpts = append(exporterOpts, otlptracegrpc.WithDialOption(authHeaderDialOption(creds, config.AuthHeaderProvider)))
} else {
exporterOpts = append(exporterOpts, otlptracegrpc.WithHeaders(config.AuthHeaders))
}
Expand Down Expand Up @@ -356,7 +356,7 @@ func newMeterProvider(config Config, resource *sdkresource.Resource, creds crede
otlpmetricgrpc.WithEndpoint(config.OtelExporterGRPCEndpoint),
}
if config.AuthHeaderProvider != nil {
opts = append(opts, otlpmetricgrpc.WithDialOption(grpc.WithPerRPCCredentials(config.AuthHeaderProvider.Credentials())))
opts = append(opts, otlpmetricgrpc.WithDialOption(authHeaderDialOption(creds, config.AuthHeaderProvider)))
} else {
opts = append(opts, otlpmetricgrpc.WithHeaders(config.AuthHeaders))
}
Expand Down Expand Up @@ -386,3 +386,10 @@ func newMeterProvider(config Config, resource *sdkresource.Resource, creds crede
)
return mp, nil
}

func authHeaderDialOption(creds credentials.TransportCredentials, authHeaderProvider AuthHeaderProvider) grpc.DialOption {
if creds.Info().SecurityProtocol == "tls" {
authHeaderProvider.SetRequireTransportSecurity(true)
}
return grpc.WithPerRPCCredentials(authHeaderProvider.Credentials())
}
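Review bot: `authHeaderDialOption` decides from the literal `creds.Info().SecurityProtocol == "tls"`, while the commit description states the rule in terms of `Config.InsecureConnection` being `false`; secure transport credentials that report any other protocol name leave the provider's flag unchanged, and a nil `creds` would panic on `Info()`. Consider driving the guard from the config flag, or at least writing `if creds != nil && creds.Info().SecurityProtocol != "insecure" {` (the name grpc-go's insecure credentials report, to be verified against the pinned version), so the check errs towards requiring transport security. The helper mutates the shared provider as a side effect of building a dial option and is called from three constructors, so it deserves a doc comment such as `// authHeaderDialOption forces RequireTransportSecurity on the provider when the transport is TLS, then returns its per-RPC credentials as a dial option.` Whether `creds` can be nil at the three call sites is not visible in these hunks.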
