package consul
import (
"context"
"strings"
"time"
log "github.com/hashicorp/go-hclog"
version "github.com/hashicorp/go-version"
"github.com/hashicorp/nomad/helper"
)
// checkConsulTLSSkipVerify polls the Consul agent until client.Self succeeds,
// then logs whether the reported version supports TLSSkipVerify on checks. It
// is meant to run in its own goroutine and closes done on every exit path.
//
// The function only reports: a Trace line when support is detected, a Warn
// line carrying the minimum version otherwise. Failed calls to client.Self
// are retried without being logged, waiting 1s, 4s, 16s and then 20s between
// attempts until ctx is cancelled.
//
// NOTE(review): TLSSkipVerify turns off certificate verification for a Consul
// HTTPS check, so this is a capability probe for a setting that weakens
// transport security; nothing in this function restricts where it is used.
func checkConsulTLSSkipVerify(ctx context.Context, logger log.Logger, client AgentAPI, done chan struct{}) {
	const (
		baseline = time.Second
		limit    = 20 * time.Second
	)

	// Signal the caller that the probe has finished, whatever the outcome.
	defer close(done)

	timer, stop := helper.NewSafeTimer(limit)
	defer stop()

	// attempt is the backoff exponent; it stops growing once the cap is hit.
	var attempt uint64

	for {
		info, err := client.Self()
		if err != nil {
			// Agent not answering yet: wait 4^attempt seconds, capped at limit.
			wait := limit
			if next := (1 << (2 * attempt)) * baseline; next <= limit {
				wait = next
				attempt++
			}

			timer.Reset(wait)

			select {
			case <-timer.C:
			case <-ctx.Done():
				return
			}
			continue
		}

		// One successful answer is enough; report the result and stop.
		switch {
		case supportsTLSSkipVerify(info):
			logger.Trace("Consul supports TLSSkipVerify")
		default:
			logger.Warn("Consul does NOT support TLSSkipVerify; please upgrade Consul",
				"min_version", consulTLSSkipVerifyMinVersion)
		}
		return
	}
}
// consulTLSSkipVerifyMinVersion is the lowest Consul version that
// supportsTLSSkipVerify accepts as supporting TLSSkipVerify on checks.
// version.Must panics at package initialisation if the literal cannot be
// parsed.
var consulTLSSkipVerifyMinVersion = version.Must(version.NewVersion("0.7.2"))
// supportsTLSSkipVerify reports whether the agent description in self carries
// a build version of at least consulTLSSkipVerifyMinVersion.
//
// It reads self["Member"]["Tags"]["build"], expects a string of the form
// "<version>:<rest>", and parses the part before the first colon. Any missing
// key, unexpected type, absent colon or unparsable version yields false, so
// an agent whose self-report cannot be understood is treated as unsupported
// rather than assumed to be new enough.
func supportsTLSSkipVerify(self map[string]map[string]interface{}) bool {
	// Indexing a missing "Member" entry gives a nil map, whose lookup simply
	// reports not-found.
	rawTags, found := self["Member"]["Tags"]
	if !found {
		return false
	}

	tagMap, isMap := rawTags.(map[string]interface{})
	if !isMap {
		return false
	}

	// A missing "build" key produces a nil interface, which fails the string
	// assertion just like a value of the wrong type.
	buildTag, isString := tagMap["build"].(string)
	if !isString {
		return false
	}

	// Only the text before the first colon is the version.
	colon := strings.Index(buildTag, ":")
	if colon < 0 {
		return false
	}

	reported, err := version.NewVersion(buildTag[:colon])
	if err != nil {
		return false
	}

	return !reported.LessThan(consulTLSSkipVerifyMinVersion)
}