From 2a72911dacf0c6e660c3fe4a721fd2b790e8f398 Mon Sep 17 00:00:00 2001
From: Jonathan Lang
Date: Fri, 9 Dec 2022 10:29:50 +0100
Subject: [PATCH 1/6] Add support for cert configuration

See #186.
---
 apmproxy/option.go | 36 ++++++++++++++++++++++++++++++++++++
 apmproxy/receiver.go | 5 +----
 app/app.go | 26 ++++++++++++++++++++++++++
 3 files changed, 63 insertions(+), 4 deletions(-)

diff --git a/apmproxy/option.go b/apmproxy/option.go
index 36f997d6..f41f5049 100644
--- a/apmproxy/option.go
+++ b/apmproxy/option.go
@@ -18,6 +18,9 @@ package apmproxy
 import (
+ "crypto/tls"
+ "crypto/x509"
+ "net/http"
 "time"
 "github.com/elastic/apm-aws-lambda/accumulator"
@@ -94,3 +97,36 @@ func WithBatch(batch *accumulator.Batch) Option {
 c.batch = batch
 }
 }
+
+func WithRootCerts(certs string) Option {
+ return func(c *Client) {
+ EnsureTlsConfig(c)
+ transportClient := c.client.Transport.(*http.Transport)
+ if transportClient.TLSClientConfig.RootCAs == nil {
+ transportClient.TLSClientConfig.RootCAs = DefaultCertPool()
+ }
+ transportClient.TLSClientConfig.RootCAs.AppendCertsFromPEM([]byte(certs))
+ }
+}
+
+func WithVerifyCerts(verify bool) Option {
+ return func(c *Client) {
+ EnsureTlsConfig(c)
+ transportClient := c.client.Transport.(*http.Transport)
+ transportClient.TLSClientConfig.InsecureSkipVerify = !verify
+ }
+}
+
+func DefaultCertPool() *x509.CertPool {
+ certPool, _ := x509.SystemCertPool()
+ if certPool == nil {
+ certPool = &x509.CertPool{}
+ }
+ return certPool
+}
+func EnsureTlsConfig(c *Client) {
+ transportClient := c.client.Transport.(*http.Transport)
+ if transportClient.TLSClientConfig == nil {
+ transportClient.TLSClientConfig = &tls.Config{}
+ }
+}
diff --git a/apmproxy/receiver.go b/apmproxy/receiver.go
index f17e1580..7cc6e95b 100644
--- a/apmproxy/receiver.go
+++ b/apmproxy/receiver.go
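Review bot: `WithRootCerts` discards the bool returned by `AppendCertsFromPEM`, so a value that does not parse as PEM (an env-var whose newlines were not escaped the way the caller expects, or a file that is not PEM at all) leaves the pool untouched and the failure only shows up later as an opaque TLS handshake error; the same silent acceptance reaches the app.go hunk of this commit, which feeds env-var and file contents into this option. Since `Option` cannot return an error, validate in the caller before building the option, e.g. `if !x509.NewCertPool().AppendCertsFromPEM([]byte(pem)) { return nil, errors.New("no certificates found in PEM data") }`, or at minimum log inside the option when nothing was appended. `DefaultCertPool` drops the `x509.SystemCertPool` error and builds the fallback as `&x509.CertPool{}` where `x509.NewCertPool()` is the supported constructor, and the unchecked `c.client.Transport.(*http.Transport)` assertion in all three helpers panics if `Transport` is nil or another type — presumably `NewClient` installs an `*http.Transport` before options run, but that is not visible here. Style: `EnsureTlsConfig` should be `EnsureTLSConfig` per Go initialism conventions, both helpers look like implementation details that need not be exported, and every exported name here lacks a doc comment; `WithVerifyCerts` in particular should state that `verify=false` sets `InsecureSkipVerify` and therefore disables all server-identity checks for the APM connection.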
@@ -83,16 +83,13 @@ func (c *Client) handleInfoRequest() (func(w http.ResponseWriter, r *http.Reques
 reverseProxy := httputil.NewSingleHostReverseProxy(parsedApmServerUrl)
- customTransport := http.DefaultTransport.(*http.Transport).Clone()
- customTransport.ResponseHeaderTimeout = c.client.Timeout
- reverseProxy.Transport = customTransport
+ reverseProxy.Transport = c.client.Transport.(*http.Transport).Clone()
 reverseProxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
 // Don't update the status of the transport as it is possible that the extension
 // is frozen while processing the request and context is canceled due to timeout.
 c.logger.Errorf("Error querying version from the APM server: %v", err)
-
 // Server is unreachable, return StatusBadGateway (default behaviour) to avoid
 // returning a Status OK.
 w.WriteHeader(http.StatusBadGateway)
diff --git a/app/app.go b/app/app.go
index b1b38219..d38f41bd 100644
--- a/app/app.go
+++ b/app/app.go
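Review bot: Cloning `c.client.Transport` drops the `ResponseHeaderTimeout = c.client.Timeout` that the removed lines set, and `httputil.ReverseProxy` does not honour `http.Client.Timeout`, so unless `NewClient` already sets that field on the transport (not visible here) the info-request proxy can now wait indefinitely for the APM server's response headers. Keep the clone so the new TLS settings carry over, but restore the timeout on it: `t := c.client.Transport.(*http.Transport).Clone()`, `t.ResponseHeaderTimeout = c.client.Timeout`, `reverseProxy.Transport = t`. `handleInfoRequest` starts before and continues past this hunk.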
@@ -136,6 +136,32 @@ func New(ctx context.Context, opts ...ConfigOption) (*App, error) {
 apmOpts = append(apmOpts, apmproxy.WithAgentDataBufferSize(size))
 }
+ if verifyCertsString := os.Getenv("ELASTIC_APM_LAMBDA_SERVER_VERIFY_CERT"); verifyCertsString != "" {
+ verifyCerts, err := strconv.ParseBool(verifyCertsString)
+ if err != nil {
+ return nil, err
+ }
+ if !verifyCerts {
+ app.logger.Infof("Ignoring Certificates.")
+ }
+ apmOpts = append(apmOpts, apmproxy.WithVerifyCerts(verifyCerts))
+ }
+
+ if encodedCertPem := os.Getenv("ELASTIC_APM_LAMBDA_SERVER_CERT_PEM"); encodedCertPem != "" {
+ certPem := strings.ReplaceAll(encodedCertPem, "\\n", "\n")
+ app.logger.Infof("Using CA certificates from environment variable.")
+ apmOpts = append(apmOpts, apmproxy.WithRootCerts(certPem))
+ }
+
+ if certFile := os.Getenv("ELASTIC_APM_LAMBDA_SERVER_CERT"); certFile != "" {
+ cert, err := os.ReadFile(certFile)
+ if err != nil {
+ return nil, err
+ }
+ app.logger.Infof("Using CA certificate loaded from file %s", certFile)
+ apmOpts = append(apmOpts, apmproxy.WithRootCerts(string(cert)))
+ }
+
 apmOpts = append(apmOpts,
 apmproxy.WithURL(os.Getenv("ELASTIC_APM_LAMBDA_APM_SERVER")),
 apmproxy.WithLogger(app.logger),

From 67c33c69f59b178fbb806b6114a48688f3593f79 Mon Sep 17 00:00:00 2001
From: Jonathan Lang
Date: Fri, 9 Dec 2022 12:11:22 +0100
Subject: [PATCH 2/6] Allow CA certificates form ACM

---
 app/app.go | 9 +++++++++
 app/aws.go | 14 ++++++++++++++
 go.mod | 10 ++++++----
 go.sum | 11 +++++++++++
 4 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/app/app.go b/app/app.go
index d38f41bd..b84cf9c8 100644
--- a/app/app.go
+++ b/app/app.go
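Review bot: Disabling server-certificate verification is logged at Info level with the vague `Ignoring Certificates.`, which is easy to miss in a Lambda log stream for a setting that turns off the APM server's identity check entirely. Make it a warning that names what was disabled, e.g. `app.logger.Warnf("TLS verification of the APM server certificate is disabled")` (zap's `SugaredLogger` provides `Warnf`). The `strconv.ParseBool` and `os.ReadFile` errors are returned bare; wrapping them with the variable that produced them, such as `fmt.Errorf("parsing ELASTIC_APM_LAMBDA_SERVER_VERIFY_CERT: %w", err)` if `fmt` is imported in app.go, tells the operator which of the several new settings is wrong. `New` starts before and continues past this hunk.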
@@ -162,6 +162,15 @@ func New(ctx context.Context, opts ...ConfigOption) (*App, error) {
 apmOpts = append(apmOpts, apmproxy.WithRootCerts(string(cert)))
 }
+ if acmCertArn := os.Getenv("ELASTIC_APM_LAMBDA_SERVER_CERT_ID"); acmCertArn != "" {
+ cert, err := loadAcmCertificate(acmCertArn, c.awsConfig, ctx)
+ if err != nil {
+ return nil, err
+ }
+ app.logger.Infof("Using CA certificate %s", acmCertArn)
+ apmOpts = append(apmOpts, apmproxy.WithRootCerts(*cert))
+ }
+
 apmOpts = append(apmOpts,
 apmproxy.WithURL(os.Getenv("ELASTIC_APM_LAMBDA_APM_SERVER")),
 apmproxy.WithLogger(app.logger),
diff --git a/app/aws.go b/app/aws.go
index 952b9e11..4cb5b43e 100644
--- a/app/aws.go
+++ b/app/aws.go
@@ -24,6 +24,7 @@ import (
 "os"
 "github.com/aws/aws-sdk-go-v2/aws"
+ "github.com/aws/aws-sdk-go-v2/service/acm"
 "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 "go.uber.org/zap"
 )
@@ -79,6 +80,19 @@ func loadSecret(ctx context.Context, manager *secretsmanager.Client, secretID st
 return string(decodedBinarySecretBytes), nil
 }
+func loadAcmCertificate(arn string, cfg aws.Config, ctx context.Context) (*string, error) {
+ acmClient := acm.NewFromConfig(cfg)
+ getCertificateInput := acm.GetCertificateInput{
+ CertificateArn: &arn,
+ }
+ response, err := acmClient.GetCertificate(ctx, &getCertificateInput)
+ if err != nil {
+ return nil, err
+ }
+
+ return response.Certificate, nil
+}
+
 func ptrFromString(v string) *string {
 return &v
 }
diff --git a/go.mod b/go.mod
index 24318e1e..6ab627e9 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 )
 require (
- github.com/aws/aws-sdk-go-v2 v1.16.7
+ github.com/aws/aws-sdk-go-v2 v1.17.2
 github.com/aws/aws-sdk-go-v2/config v1.15.14
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.13
 github.com/tidwall/gjson v1.14.3
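Review bot: `apmproxy.WithRootCerts(*cert)` dereferences the `*string` returned by `loadAcmCertificate` with no nil check; `GetCertificateOutput.Certificate` is a pointer, and a response with no error but no certificate body would panic `New` at startup instead of reporting a configuration problem. The cleaner fix lives in the aws.go hunk of this commit: return `string`, treat a nil `response.Certificate` as an error, wrap the SDK error with the ARN, and take `ctx` first as `loadSecret` above it already does; the call then becomes `cert, err := loadAcmCertificate(ctx, c.awsConfig, acmCertArn)` and `apmproxy.WithRootCerts(cert)`. If the goal is to trust the CA that issued the server certificate rather than to pin the ACM leaf, `GetCertificateOutput.CertificateChain` is likely the field wanted instead of, or in addition to, `Certificate` — worth confirming against the intended deployment. `New` starts before and continues past the app.go hunk; the rewrite below needs `fmt` in aws.go's imports if it is not already there.
```go
func loadAcmCertificate(ctx context.Context, cfg aws.Config, arn string) (string, error) {
	acmClient := acm.NewFromConfig(cfg)
	response, err := acmClient.GetCertificate(ctx, &acm.GetCertificateInput{
		CertificateArn: &arn,
	})
	if err != nil {
		return "", fmt.Errorf("retrieving certificate %s from ACM: %w", arn, err)
	}
	if response.Certificate == nil {
		return "", fmt.Errorf("ACM certificate %s has no certificate body", arn)
	}
	return *response.Certificate, nil
}
```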
@@ -26,15 +26,17 @@ require (
 require (
 github.com/aws/aws-sdk-go-v2/credentials v1.12.9 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15 // indirect
+ github.com/aws/aws-sdk-go-v2/service/acm v1.16.4 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 // indirect
 github.com/aws/aws-sdk-go-v2/service/sso v1.11.12 // indirect
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 // indirect
- github.com/aws/smithy-go v1.12.0 // indirect
+ github.com/aws/smithy-go v1.13.5 // indirect
 github.com/benbjohnson/clock v1.1.0 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/pkg/errors v0.9.1 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/santhosh-tekuri/jsonschema v1.2.4 // indirect
diff --git a/go.sum b/go.sum
index a8601b72..919a7a9b 100644
--- a/go.sum
+++ b/go.sum
@@ -1,6 +1,8 @@ github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/aws/aws-sdk-go-v2 v1.16.7 h1:zfBwXus3u14OszRxGcqCDS4MfMCv10e8SMJ2r8Xm0Ns= github.com/aws/aws-sdk-go-v2 v1.16.7/go.mod h1:6CpKuLXg2w7If3ABZCl/qZ6rEgwtjZTn4eAf4RcEyuw= +github.com/aws/aws-sdk-go-v2 v1.17.2 h1:r0yRZInwiPBNpQ4aDy/Ssh3ROWsGtKDwar2JS8Lm+N8= +github.com/aws/aws-sdk-go-v2 v1.17.2/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2/config v1.15.14 h1:+BqpqlydTq4c2et9Daury7gE+o67P4lbk7eybiCBNc4= github.com/aws/aws-sdk-go-v2/config v1.15.14/go.mod h1:CQBv+VVv8rR5z2xE+Chdh5m+rFfsqeY4k0veEZeq6QM= github.com/aws/aws-sdk-go-v2/credentials v1.12.9 h1:DloAJr0/jbvm0iVRFDFh8GlWxrOd9XKyX82U+dfVeZs= 
@@ -9,10 +11,16 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8 h1:VfBdn2AxwMbFyJN/lF/xuT3 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8/go.mod h1:oL1Q3KuCq1D4NykQnIvtRiBGLUXhcpY5pl6QZB2XEPU= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 h1:2C0pYHcUBmdzPj+EKNC4qj97oK6yjrUhc1KoSodglvk= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14/go.mod h1:kdjrMwHwrC3+FsKhNcCMJ7tUVj/8uSD5CZXeQ4wV6fM= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 h1:5WU31cY7m0tG+AiaXuXGoMzo2GBQ1IixtWa8Yywsgco= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26/go.mod h1:2E0LdbJW6lbeU4uxjum99GZzI0ZjDpAb0CoSCM0oeEY= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 h1:2J+jdlBJWEmTyAwC82Ym68xCykIvnSnIN18b8xHGlcc= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8/go.mod h1:ZIV8GYoC6WLBW5KGs+o4rsc65/ozd+eQ0L31XF5VDwk= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 h1:WW0qSzDWoiWU2FS5DbKpxGilFVlCEJPwx4YtjdfI0Jw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20/go.mod h1:/+6lSiby8TBFpTVXZgKiN/rCfkYXEGvhlM4zCgPpt7w= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15 h1:QquxR7NH3ULBsKC+NoTpilzbKKS+5AELfNREInbhvas= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15/go.mod h1:Tkrthp/0sNBShQQsamR7j/zY4p19tVTAs+nnqhH6R3c= +github.com/aws/aws-sdk-go-v2/service/acm v1.16.4 h1:al5cTTr3Bb0tTkTOltTtNS2nDFWIeDaMb+GMI9EV66k= +github.com/aws/aws-sdk-go-v2/service/acm v1.16.4/go.mod h1:+9LxBsxy1yMQ/v4BzFru5koxJQialGRxtwJ6w+afXZg= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 h1:oKnAXxSF2FUvfgw8uzU/v9OTYorJJZ8eBmWhr9TWVVQ= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8/go.mod h1:rDVhIMAX9N2r8nWxDUlbubvvaFMnfsm+3jAV7q+rpM4= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.13 h1:9hFlfWKP1+u3js8IhRGf3M+S4MSoDK2v3bqIndGEpxU= 
@@ -23,6 +31,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 h1:yOfILxyjmtr2ubRkRJldlHDFBhf5 github.com/aws/aws-sdk-go-v2/service/sts v1.16.9/go.mod h1:O1IvkYxr+39hRf960Us6j0x1P8pDqhTX+oXM5kQNl/Y= github.com/aws/smithy-go v1.12.0 h1:gXpeZel/jPoWQ7OEmLIgCUnhkFftqNfwWUwAHSlp1v0= github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= +github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -39,6 +49,7 @@ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/jcchavezs/porto v0.1.0/go.mod h1:fESH0gzDHiutHRdX2hv27ojnOVFco37hg1W6E9EZF4A= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak= From 5638a9462bbe2c0951efe00bad9f9145c57aa069 Mon Sep 17 00:00:00 2001 From: Jonathan Lang Date: Mon, 9 Jan 2023 18:34:17 +0100 Subject: [PATCH 3/6] Update autogenerated documentation --- NOTICE.txt | 259 ++++++++++++++++++++++++++++++++++++++++-- dependencies.asciidoc | 10 +- 2 files changed, 253 insertions(+), 16 deletions(-) diff --git a/NOTICE.txt b/NOTICE.txt index 6ced7491..da0ef808 100644 --- a/NOTICE.txt 
+++ b/NOTICE.txt @@ -655,11 +655,11 @@ Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2/featu -------------------------------------------------------------------------------- Module : github.com/aws/aws-sdk-go-v2/internal/configsources -Version : v1.1.14 -Time : 2022-07-05T18:21:55Z +Version : v1.1.26 +Time : 2022-12-02T19:13:55Z Licence : Apache-2.0 -Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2/internal/configsources@v1.1.14/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2/internal/configsources@v1.1.26/LICENSE.txt: Apache License @@ -867,11 +867,11 @@ Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2/inter -------------------------------------------------------------------------------- Module : github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 -Version : v2.4.8 -Time : 2022-07-05T18:21:55Z +Version : v2.4.20 +Time : 2022-12-02T19:13:55Z Licence : Apache-2.0 -Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2@v2.4.8/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2@v2.4.20/LICENSE.txt: Apache License 
@@ -1289,6 +1289,218 @@ Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2/inter limitations under the License. +-------------------------------------------------------------------------------- +Module : github.com/aws/aws-sdk-go-v2/service/acm +Version : v1.16.4 +Time : 2022-12-02T19:13:55Z +Licence : Apache-2.0 + +Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2/service/acm@v1.16.4/LICENSE.txt: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. 
+ + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + -------------------------------------------------------------------------------- Module : github.com/aws/aws-sdk-go-v2/service/internal/presigned-url Version : v1.9.8 @@ -2139,11 +2351,11 @@ Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2/servi -------------------------------------------------------------------------------- Module : github.com/aws/aws-sdk-go-v2 -Version : v1.16.7 -Time : 2022-07-05T18:21:55Z +Version : v1.17.2 +Time : 2022-12-02T19:13:55Z Licence : Apache-2.0 -Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2@v1.16.7/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2@v1.17.2/LICENSE.txt: Apache License @@ -2351,11 +2563,11 @@ Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go-v2@v1.16 -------------------------------------------------------------------------------- Module : github.com/aws/smithy-go -Version : v1.12.0 -Time : 2022-06-29T18:13:27Z +Version : v1.13.5 +Time : 2022-12-02T19:09:05Z Licence : Apache-2.0 -Contents of probable licence file $GOMODCACHE/github.com/aws/smithy-go@v1.12.0/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/aws/smithy-go@v1.13.5/LICENSE: Apache License 
@@ -2534,6 +2746,29 @@ Contents of probable licence file $GOMODCACHE/github.com/aws/smithy-go@v1.12.0/L of your accepting any such warranty or additional liability. +-------------------------------------------------------------------------------- +Module : github.com/jmespath/go-jmespath +Version : v0.4.0 +Time : 2020-09-18T23:53:51Z +Licence : Apache-2.0 + +Contents of probable licence file $GOMODCACHE/github.com/jmespath/go-jmespath@v0.4.0/LICENSE: + +Copyright 2015 James Saryerwinnie + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + + -------------------------------------------------------------------------------- Module : github.com/pkg/errors Version : v0.9.1 diff --git a/dependencies.asciidoc b/dependencies.asciidoc index 252a9ff3..5f811430 100644 --- a/dependencies.asciidoc +++ b/dependencies.asciidoc 
@@ -17,15 +17,17 @@ This page lists the third-party dependencies used to build {n}.
 | link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/config$$] | v1.15.14 | Apache-2.0
 | link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/credentials$$] | v1.12.9 | Apache-2.0
 | link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/feature/ec2/imds$$] | v1.12.8 | Apache-2.0
-| link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/internal/configsources$$] | v1.1.14 | Apache-2.0
-| link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/internal/endpoints/v2$$] | v2.4.8 | Apache-2.0
+| link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/internal/configsources$$] | v1.1.26 | Apache-2.0
+| link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/internal/endpoints/v2$$] | v2.4.20 | Apache-2.0
 | link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/internal/ini$$] | v1.3.15 | Apache-2.0
+| link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/service/acm$$] | v1.16.4 | Apache-2.0
 | link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/service/internal/presigned-url$$] | v1.9.8 | Apache-2.0
 | link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/service/secretsmanager$$] | v1.15.13 | Apache-2.0
 | link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/service/sso$$] | v1.11.12 | Apache-2.0
 | link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2/service/sts$$] | v1.16.9 | Apache-2.0
-| link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2$$] | v1.16.7 | Apache-2.0
-| link:https://github.com/aws/smithy-go[$$github.com/aws/smithy-go$$] | v1.12.0 | Apache-2.0
+| link:https://github.com/aws/aws-sdk-go-v2[$$github.com/aws/aws-sdk-go-v2$$] | v1.17.2 | Apache-2.0
+| link:https://github.com/aws/smithy-go[$$github.com/aws/smithy-go$$] | v1.13.5 | Apache-2.0
+| link:https://github.com/jmespath/go-jmespath[$$github.com/jmespath/go-jmespath$$] | v0.4.0 | Apache-2.0
 | link:https://github.com/pkg/errors[$$github.com/pkg/errors$$] | v0.9.1 | BSD-2-Clause
 | link:https://github.com/tidwall/gjson[$$github.com/tidwall/gjson$$] | v1.14.3 | MIT
 | link:https://github.com/tidwall/match[$$github.com/tidwall/match$$] | v1.1.1 | MIT

From a65dddf074b85a8e4b1bb70975f4966f67c43f6f Mon Sep 17 00:00:00 2001
From: Jonathan Lang
Date: Fri, 13 Jan 2023 08:18:23 +0100
Subject: [PATCH 4/6] Rename Environment Variables

Co-authored-by: Andrew Wilkins
---
 app/app.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/app.go b/app/app.go
index b84cf9c8..23ef1340 100644
--- a/app/app.go
+++ b/app/app.go
@@ -136,7 +136,7 @@ func New(ctx context.Context, opts ...ConfigOption) (*App, error) {
 apmOpts = append(apmOpts, apmproxy.WithAgentDataBufferSize(size))
 }
- if verifyCertsString := os.Getenv("ELASTIC_APM_LAMBDA_SERVER_VERIFY_CERT"); verifyCertsString != "" {
+ if verifyCertsString := os.Getenv("ELASTIC_APM_LAMBDA_VERIFY_SERVER_CERT"); verifyCertsString != "" {
 verifyCerts, err := strconv.ParseBool(verifyCertsString)
 if err != nil {
 return nil, err
@@ -147,13 +147,13 @@ func New(ctx context.Context, opts ...ConfigOption) (*App, error) {
 apmOpts = append(apmOpts, apmproxy.WithVerifyCerts(verifyCerts))
 }
- if encodedCertPem := os.Getenv("ELASTIC_APM_LAMBDA_SERVER_CERT_PEM"); encodedCertPem != "" {
+ if encodedCertPem := os.Getenv("ELASTIC_APM_LAMBDA_SERVER_CA_CERT_PEM"); encodedCertPem != "" {
 certPem := strings.ReplaceAll(encodedCertPem, "\\n", "\n")
 app.logger.Infof("Using CA certificates from environment variable.")
 apmOpts = append(apmOpts, apmproxy.WithRootCerts(certPem))
 }
- if certFile := os.Getenv("ELASTIC_APM_LAMBDA_SERVER_CERT"); certFile != "" {
+ if certFile := os.Getenv("ELASTIC_APM_SERVER_CA_CERT_FILE"); certFile != "" {
 cert, err := os.ReadFile(certFile)
 if err != nil {
 return nil, err
@@ -162,7 +162,7 @@ func New(ctx context.Context, opts ...ConfigOption) (*App, error) {
 apmOpts = append(apmOpts, apmproxy.WithRootCerts(string(cert)))
 }
- if acmCertArn := os.Getenv("ELASTIC_APM_LAMBDA_SERVER_CERT_ID"); acmCertArn != "" {
+ if acmCertArn := os.Getenv("ELASTIC_APM_SERVER_CA_CERT_ACM_ID"); acmCertArn != "" {
 cert, err := loadAcmCertificate(acmCertArn, c.awsConfig, ctx)
 if err != nil {
 return nil, err

From e7f8c5a8725196d4987435a44adf8686f3854c9f Mon Sep 17 00:00:00 2001
From: Jonathan Lang
Date: Fri, 13 Jan 2023 11:22:59 +0100
Subject: [PATCH 5/6] Add TLS Tests

---
 apmproxy/receiver_test.go | 101 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

diff --git a/apmproxy/receiver_test.go b/apmproxy/receiver_test.go
index bbbbcc2d..26af1fcb 100644
--- a/apmproxy/receiver_test.go
+++ b/apmproxy/receiver_test.go
@@ -19,6 +19,7 @@ package apmproxy_test
 import (
 "bytes"
+ "encoding/pem"
 "io"
 "net"
 "net/http"
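Review bot: The renamed settings are inconsistent about the `LAMBDA_` segment: `ELASTIC_APM_LAMBDA_VERIFY_SERVER_CERT` and `ELASTIC_APM_LAMBDA_SERVER_CA_CERT_PEM` keep it, while `ELASTIC_APM_SERVER_CA_CERT_FILE` here and `ELASTIC_APM_SERVER_CA_CERT_ACM_ID` in the next hunk drop it. Operators who filter or document extension-specific settings by the `ELASTIC_APM_LAMBDA_` prefix will miss two of the four, so pick one convention for all of them before the names ship. `New` starts before and continues past these hunks.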
@@ -331,3 +332,103 @@ func Test_handleIntakeV2EventsQueryParamEmptyData(t *testing.T) {
 t.Fatal("Timed out waiting for server to send flush signal")
 }
 }
+
+func TestWithVerifyCerts(t *testing.T) {
+ headers := map[string]string{"Authorization": "test-value"}
+ clientConnected := false
+
+ // Create apm server and handler
+ apmServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Add("test", "header")
+ _, err := w.Write([]byte(`{"foo": "bar"}`))
+ require.NoError(t, err)
+ clientConnected = true
+ }))
+ defer apmServer.Close()
+
+ // Create extension config and start the server
+ apmClient, err := apmproxy.NewClient(
+ apmproxy.WithURL(apmServer.URL),
+ apmproxy.WithSecretToken("foo"),
+ apmproxy.WithAPIKey("bar"),
+ apmproxy.WithReceiverAddress(":1234"),
+ apmproxy.WithReceiverTimeout(15*time.Second),
+ apmproxy.WithLogger(zaptest.NewLogger(t).Sugar()),
+ apmproxy.WithVerifyCerts(false),
+ )
+ require.NoError(t, err)
+
+ require.NoError(t, apmClient.StartReceiver())
+ defer func() {
+ require.NoError(t, apmClient.Shutdown())
+ }()
+
+ hosts, _ := net.LookupHost("localhost")
+ url := "http://" + hosts[0] + ":1234"
+
+ // Create a request to send to the extension
+ req, err := http.NewRequest(http.MethodGet, url, nil)
+ require.NoError(t, err)
+ for name, value := range headers {
+ req.Header.Add(name, value)
+ }
+
+ // Send the request to the extension
+ client := &http.Client{}
+ resp, err := client.Do(req)
+ require.NoError(t, err)
+ require.NoError(t, resp.Body.Close())
+
+ require.True(t, clientConnected, "The apm proxy did not connect to the tls server.")
+}
+
+func TestWithRootCerts(t *testing.T) {
+ headers := map[string]string{"Authorization": "test-value"}
+ clientConnected := false
+
+ // Create apm server and handler
+ apmServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Add("test", "header")
+ _, err := w.Write([]byte(`{"foo": "bar"}`))
+ require.NoError(t, err)
+ clientConnected = true
+ }))
+ defer apmServer.Close()
+
+ pemCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: apmServer.Certificate().Raw})
+
+ // Create extension config and start the server
+ apmClient, err := apmproxy.NewClient(
+ apmproxy.WithURL(apmServer.URL),
+ apmproxy.WithSecretToken("foo"),
+ apmproxy.WithAPIKey("bar"),
+ apmproxy.WithReceiverAddress(":1234"),
+ apmproxy.WithReceiverTimeout(15*time.Second),
+ apmproxy.WithLogger(zaptest.NewLogger(t).Sugar()),
+ apmproxy.WithRootCerts(string(pemCert)),
+ )
+ require.NoError(t, err)
+
+ require.NoError(t, apmClient.StartReceiver())
+ defer func() {
+ require.NoError(t, apmClient.Shutdown())
+ }()
+
+ hosts, _ := net.LookupHost("localhost")
+ url := "http://" + hosts[0] + ":1234"
+
+ // Create a request to send to the extension
+ req, err := http.NewRequest(http.MethodGet, url, nil)
+ require.NoError(t, err)
+ for name, value := range headers {
+ req.Header.Add(name, value)
+ }
+
+ // Send the request to the extension
+ client := &http.Client{}
+ resp, err := client.Do(req)
+ require.NoError(t, err)
+ require.NoError(t, resp.Body.Close())
+
+ require.True(t, clientConnected, "The apm proxy did not connect to the tls server.")
+}
From 88d4b847a5edd5ebb1d85de9ea3b834b49f7aa61 Mon Sep 17 00:00:00 2001
From: Jonathan Lang
Date: Mon, 16 Jan 2023 20:36:37 +0100
Subject: [PATCH 6/6] run go mod tidy
---
 go.mod | 2 +-
 go.sum | 5 +----
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index 6ab627e9..2646cf44 100644
--- a/go.mod
+++ b/go.mod
@@ -16,6 +16,7 @@ require (
 require (
 github.com/aws/aws-sdk-go-v2 v1.17.2
 github.com/aws/aws-sdk-go-v2/config v1.15.14
+ github.com/aws/aws-sdk-go-v2/service/acm v1.16.4
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.13
 github.com/tidwall/gjson v1.14.3
 github.com/tidwall/sjson v1.2.5
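Review bot: Neither TestWithVerifyCerts nor TestWithRootCerts pins the secure default — nothing here shows that a client built without `WithVerifyCerts(false)` or `WithRootCerts` refuses the self-signed httptest server, so a regression that silently disables verification would still pass both tests; a third test with the same setup and no TLS option should assert that `clientConnected` stays false (and check the status the proxy returns on the upstream failure, which is decided outside this hunk). `clientConnected` is written in the TLS server's handler goroutine and read from the test goroutine with no synchronization, and `require.NoError` inside that handler calls FailNow off the test goroutine; an `atomic.Bool` with `clientConnected.Store(true)` / `require.True(t, clientConnected.Load(), ...)` plus `assert.NoError` in the handler fixes both. Both tests also discard the `net.LookupHost` error and build the URL as `"http://" + hosts[0] + ":1234"`, which is malformed when the first resolved address is IPv6; `"http://" + net.JoinHostPort(hosts[0], "1234")` handles both families, and a fixed `:1234` receiver port will collide when the two tests ever run in parallel or alongside another listener.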
@@ -29,7 +30,6 @@ require (
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15 // indirect
- github.com/aws/aws-sdk-go-v2/service/acm v1.16.4 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 // indirect
 github.com/aws/aws-sdk-go-v2/service/sso v1.11.12 // indirect
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 // indirect
diff --git a/go.sum b/go.sum
index 919a7a9b..5f0d267c 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,4 @@
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/aws/aws-sdk-go-v2 v1.16.7 h1:zfBwXus3u14OszRxGcqCDS4MfMCv10e8SMJ2r8Xm0Ns=
 github.com/aws/aws-sdk-go-v2 v1.16.7/go.mod h1:6CpKuLXg2w7If3ABZCl/qZ6rEgwtjZTn4eAf4RcEyuw=
 github.com/aws/aws-sdk-go-v2 v1.17.2 h1:r0yRZInwiPBNpQ4aDy/Ssh3ROWsGtKDwar2JS8Lm+N8=
 github.com/aws/aws-sdk-go-v2 v1.17.2/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
@@ -9,11 +8,9 @@ github.com/aws/aws-sdk-go-v2/credentials v1.12.9 h1:DloAJr0/jbvm0iVRFDFh8GlWxrOd
 github.com/aws/aws-sdk-go-v2/credentials v1.12.9/go.mod h1:2Vavxl1qqQXJ8MUcQZTsIEW8cwenFCWYXtLRPba3L/o=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8 h1:VfBdn2AxwMbFyJN/lF/xuT3SakomJ86PZu3rCxb5K0s=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8/go.mod h1:oL1Q3KuCq1D4NykQnIvtRiBGLUXhcpY5pl6QZB2XEPU=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 h1:2C0pYHcUBmdzPj+EKNC4qj97oK6yjrUhc1KoSodglvk=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14/go.mod h1:kdjrMwHwrC3+FsKhNcCMJ7tUVj/8uSD5CZXeQ4wV6fM=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 h1:5WU31cY7m0tG+AiaXuXGoMzo2GBQ1IixtWa8Yywsgco=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26/go.mod h1:2E0LdbJW6lbeU4uxjum99GZzI0ZjDpAb0CoSCM0oeEY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 h1:2J+jdlBJWEmTyAwC82Ym68xCykIvnSnIN18b8xHGlcc=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8/go.mod h1:ZIV8GYoC6WLBW5KGs+o4rsc65/ozd+eQ0L31XF5VDwk=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 h1:WW0qSzDWoiWU2FS5DbKpxGilFVlCEJPwx4YtjdfI0Jw=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20/go.mod h1:/+6lSiby8TBFpTVXZgKiN/rCfkYXEGvhlM4zCgPpt7w=
@@ -29,7 +26,6 @@ github.com/aws/aws-sdk-go-v2/service/sso v1.11.12 h1:760bUnTX/+d693FT6T6Oa7PZHfE
 github.com/aws/aws-sdk-go-v2/service/sso v1.11.12/go.mod h1:MO4qguFjs3wPGcCSpQ7kOFTwRvb+eu+fn+1vKleGHUk=
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 h1:yOfILxyjmtr2ubRkRJldlHDFBhf5vw4CzhbwWIBmimQ=
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.9/go.mod h1:O1IvkYxr+39hRf960Us6j0x1P8pDqhTX+oXM5kQNl/Y=
-github.com/aws/smithy-go v1.12.0 h1:gXpeZel/jPoWQ7OEmLIgCUnhkFftqNfwWUwAHSlp1v0=
 github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
 github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
@@ -51,6 +47,7 @@ github.com/jcchavezs/porto v0.1.0/go.mod h1:fESH0gzDHiutHRdX2hv27ojnOVFco37hg1W6
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak=
 github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg=