mattermost/services/httpservice/client.go

// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.

package httpservice

import (
	"context"
	"crypto/tls"
	"errors"
	"net"
	"net/http"
	"time"

	"github.com/mattermost/mattermost-server/v5/model"
)

const (
	ConnectTimeout = 3 * time.Second
	RequestTimeout = 30 * time.Second
)

var reservedIPRanges []*net.IPNet

// IsReservedIP checks whether the target IP belongs to reserved IP address ranges to avoid SSRF attacks to the internal
// network of the Mattermost server
func IsReservedIP(ip net.IP) bool {
	for _, ipRange := range reservedIPRanges {
		if ipRange.Contains(ip) {
			return true
		}
	}
	return false
}

// IsOwnIP handles the special case that a request might be made to the public IP of the host which on Linux is routed
// directly via the loopback IP to any listening sockets, effectively bypassing host-based firewalls such as firewalld
func IsOwnIP(ip net.IP) (bool, error) {
	interfaces, err := net.Interfaces()
	if err != nil {
		return false, err
	}

	for _, interf := range interfaces {
		addresses, err := interf.Addrs()
		if err != nil {
			return false, err
		}

		for _, addr := range addresses {
			var selfIP net.IP
			switch v := addr.(type) {
			case *net.IPNet:
				selfIP = v.IP
			case *net.IPAddr:
				selfIP = v.IP
			}

			if ip.Equal(selfIP) {
				return true, nil
			}
		}
	}

	return false, nil
}

var defaultUserAgent string

func init() {
	for _, cidr := range []string{
		// See https://tools.ietf.org/html/rfc6890
		"0.0.0.0/8",      // This host on this network
		"10.0.0.0/8",     // Private-Use
		"127.0.0.0/8",    // Loopback
		"169.254.0.0/16", // Link Local
		"172.16.0.0/12",  // Private-Use Networks
		"192.168.0.0/16", // Private-Use Networks
		"::/128",         // Unspecified Address
		"::1/128",        // Loopback Address
		"fc00::/7",       // Unique-Local
		"fe80::/10",      // Linked-Scoped Unicast
	} {
		_, parsed, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err)
		}
		reservedIPRanges = append(reservedIPRanges, parsed)
	}
	defaultUserAgent = "mattermost-" + model.CurrentVersion
}

type DialContextFunction func(ctx context.Context, network, addr string) (net.Conn, error)

var AddressForbidden error = errors.New("address forbidden, you may need to set AllowedUntrustedInternalConnections to allow an integration access to your internal network")

func dialContextFilter(dial DialContextFunction, allowHost func(host string) bool, allowIP func(ip net.IP) bool) DialContextFunction {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}

		if allowHost != nil && allowHost(host) {
			return dial(ctx, network, addr)
		}

		ips, err := net.LookupIP(host)
		if err != nil {
			return nil, err
		}

		var firstErr error
		for _, ip := range ips {
			select {
			case <-ctx.Done():
				return nil, ctx.Err()
			default:
			}

			if allowIP == nil || !allowIP(ip) {
				continue
			}

			conn, err := dial(ctx, network, net.JoinHostPort(ip.String(), port))
			if err == nil {
				return conn, nil
			}
			if firstErr == nil {
				firstErr = err
			}
		}
		if firstErr == nil {
			return nil, AddressForbidden
		}
		return nil, firstErr
	}
}

func NewTransport(enableInsecureConnections bool, allowHost func(host string) bool, allowIP func(ip net.IP) bool) http.RoundTripper {
	dialContext := (&net.Dialer{
		Timeout:   ConnectTimeout,
		KeepAlive: 30 * time.Second,
	}).DialContext

	if allowHost != nil || allowIP != nil {
		dialContext = dialContextFilter(dialContext, allowHost, allowIP)
	}

	return &MattermostTransport{
		&http.Transport{
			Proxy:                 http.ProxyFromEnvironment,
			DialContext:           dialContext,
			MaxIdleConns:          100,
			IdleConnTimeout:       90 * time.Second,
			TLSHandshakeTimeout:   ConnectTimeout,
			ExpectContinueTimeout: 1 * time.Second,
			TLSClientConfig: &tls.Config{
				InsecureSkipVerify: enableInsecureConnections,
			},
		},
	}
}
Consistent license message for all the go files (#13235) * Consistent license message for all the go files * Fixing the last set of unconsistencies with the license headers * Addressing PR review comments * Fixing busy.go and busy_test.go license header 2019-11-29 06:59:40 -05:00			`// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.`
			`// See LICENSE.txt for license information.`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 10:34:05 -04:00
Move HTTPService and ConfigService into services package (#9422) * Move HTTPService and ConfigService into utils package * Re-add StaticConfigService * Move config and http services into their own packages 2018-09-26 12:42:51 -04:00			`package httpservice`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 10:34:05 -04:00
			`import (`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 16:49:07 -04:00			`"context"`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 10:34:05 -04:00			`"crypto/tls"`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 16:49:07 -04:00			`"errors"`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 10:34:05 -04:00			`"net"`
			`"net/http"`
			`"time"`
Set a proper HTTP user-agent header (#9482) Previously, mattermost-server would always request with the default user-agent of Go's net/http package that is `Go-http-client/1.1` or something similar. This has several disadvantages, one is that the default user-agent made it pretty hard to distinguish mattermost requests from other service requests in a network log for example. Now a user-agent of the form `mattermost-<current-version>` is set in the client. - [x] Added or updated unit tests (required for all new features) 2018-10-03 13:28:44 -04:00
[MM-19948] Set version on module file and internal paths (#13186) * [MM-19948] Set version on module file and internal paths * Fixes after merge * Fix i18n checker error 2019-11-28 08:39:38 -05:00			`"github.com/mattermost/mattermost-server/v5/model"`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 10:34:05 -04:00			`)`

			`const (`
MM-10417 Improve HTTPService for use in image proxy (#9966) * Replaced httpservice with proper http.Client * Added HTTPService.MakeTransport * Expose timeouts used by HTTPServiceImpl * Add additional documentation to HTTPService * Remove MockedHTTPService * Fix missing license 2018-12-12 11:39:14 -05:00			`ConnectTimeout = 3 * time.Second`
			`RequestTimeout = 30 * time.Second`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 10:34:05 -04:00			`)`

PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 16:49:07 -04:00			`var reservedIPRanges []*net.IPNet`

[MM-14333] Stricten external HTTP Calls to require that own IPs need to be explicitly whitelisted (#10375) * Stricten external HTTP Calls to require that own IPs need to be explicitly whitelisted * gofmt * Documentation; Style fixes for IsOwnIP function 2019-03-01 10:22:24 -05:00			`// IsReservedIP checks whether the target IP belongs to reserved IP address ranges to avoid SSRF attacks to the internal`
			`// network of the Mattermost server`
HTTP client refactor (#7884) * http client refactor * simplification 2017-11-22 10:15:03 -05:00			`func IsReservedIP(ip net.IP) bool {`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 16:49:07 -04:00			`for _, ipRange := range reservedIPRanges {`
			`if ipRange.Contains(ip) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

[MM-14333] Stricten external HTTP Calls to require that own IPs need to be explicitly whitelisted (#10375) * Stricten external HTTP Calls to require that own IPs need to be explicitly whitelisted * gofmt * Documentation; Style fixes for IsOwnIP function 2019-03-01 10:22:24 -05:00			`// IsOwnIP handles the special case that a request might be made to the public IP of the host which on Linux is routed`
			`// directly via the loopback IP to any listening sockets, effectively bypassing host-based firewalls such as firewalld`
			`func IsOwnIP(ip net.IP) (bool, error) {`
			`interfaces, err := net.Interfaces()`
			`if err != nil {`
			`return false, err`
			`}`

			`for _, interf := range interfaces {`
			`addresses, err := interf.Addrs()`
			`if err != nil {`
			`return false, err`
			`}`

			`for _, addr := range addresses {`
			`var selfIP net.IP`
			`switch v := addr.(type) {`
			`case *net.IPNet:`
			`selfIP = v.IP`
			`case *net.IPAddr:`
			`selfIP = v.IP`
			`}`

			`if ip.Equal(selfIP) {`
			`return true, nil`
			`}`
			`}`
			`}`

			`return false, nil`
			`}`

Set a proper HTTP user-agent header (#9482) Previously, mattermost-server would always request with the default user-agent of Go's net/http package that is `Go-http-client/1.1` or something similar. This has several disadvantages, one is that the default user-agent made it pretty hard to distinguish mattermost requests from other service requests in a network log for example. Now a user-agent of the form `mattermost-<current-version>` is set in the client. - [x] Added or updated unit tests (required for all new features) 2018-10-03 13:28:44 -04:00			`var defaultUserAgent string`

PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 16:49:07 -04:00			`func init() {`
			`for _, cidr := range []string{`
			`// See https://tools.ietf.org/html/rfc6890`
			`"0.0.0.0/8", // This host on this network`
			`"10.0.0.0/8", // Private-Use`
			`"127.0.0.0/8", // Loopback`
			`"169.254.0.0/16", // Link Local`
			`"172.16.0.0/12", // Private-Use Networks`
			`"192.168.0.0/16", // Private-Use Networks`
			`"::/128", // Unspecified Address`
			`"::1/128", // Loopback Address`
			`"fc00::/7", // Unique-Local`
			`"fe80::/10", // Linked-Scoped Unicast`
			`} {`
			`_, parsed, err := net.ParseCIDR(cidr)`
			`if err != nil {`
			`panic(err)`
			`}`
			`reservedIPRanges = append(reservedIPRanges, parsed)`
			`}`
Set a proper HTTP user-agent header (#9482) Previously, mattermost-server would always request with the default user-agent of Go's net/http package that is `Go-http-client/1.1` or something similar. This has several disadvantages, one is that the default user-agent made it pretty hard to distinguish mattermost requests from other service requests in a network log for example. Now a user-agent of the form `mattermost-<current-version>` is set in the client. - [x] Added or updated unit tests (required for all new features) 2018-10-03 13:28:44 -04:00			`defaultUserAgent = "mattermost-" + model.CurrentVersion`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 16:49:07 -04:00			`}`

			`type DialContextFunction func(ctx context.Context, network, addr string) (net.Conn, error)`

MM-11693 Allow connections to /plugins for interactive message buttons. (#9333) * Allow connetions to /plugins for interactive message buttons. * Adding siteurl to exclusions for AllowedUntrustedInternalConnections * Adding subpath support for allowing interactive message buttons plugin connections. 2018-09-02 03:30:10 -04:00			`var AddressForbidden error = errors.New("address forbidden, you may need to set AllowedUntrustedInternalConnections to allow an integration access to your internal network")`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 16:49:07 -04:00
			`func dialContextFilter(dial DialContextFunction, allowHost func(host string) bool, allowIP func(ip net.IP) bool) DialContextFunction {`
			`return func(ctx context.Context, network, addr string) (net.Conn, error) {`
			`host, port, err := net.SplitHostPort(addr)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if allowHost != nil && allowHost(host) {`
			`return dial(ctx, network, addr)`
			`}`

			`ips, err := net.LookupIP(host)`
			`if err != nil {`
			`return nil, err`
			`}`

			`var firstErr error`
			`for _, ip := range ips {`
			`select {`
			`case <-ctx.Done():`
			`return nil, ctx.Err()`
			`default:`
			`}`

			`if allowIP == nil \|\| !allowIP(ip) {`
			`continue`
			`}`

			`conn, err := dial(ctx, network, net.JoinHostPort(ip.String(), port))`
			`if err == nil {`
			`return conn, nil`
			`}`
			`if firstErr == nil {`
			`firstErr = err`
			`}`
			`}`
			`if firstErr == nil {`
			`return nil, AddressForbidden`
			`}`
			`return nil, firstErr`
			`}`
			`}`

MM-10417 Improve HTTPService for use in image proxy (#9966) * Replaced httpservice with proper http.Client * Added HTTPService.MakeTransport * Expose timeouts used by HTTPServiceImpl * Add additional documentation to HTTPService * Remove MockedHTTPService * Fix missing license 2018-12-12 11:39:14 -05:00			`func NewTransport(enableInsecureConnections bool, allowHost func(host string) bool, allowIP func(ip net.IP) bool) http.RoundTripper {`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 16:49:07 -04:00			`dialContext := (&net.Dialer{`
MM-10417 Improve HTTPService for use in image proxy (#9966) * Replaced httpservice with proper http.Client * Added HTTPService.MakeTransport * Expose timeouts used by HTTPServiceImpl * Add additional documentation to HTTPService * Remove MockedHTTPService * Fix missing license 2018-12-12 11:39:14 -05:00			`Timeout: ConnectTimeout,`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 16:49:07 -04:00			`KeepAlive: 30 * time.Second,`
			`}).DialContext`

			`if allowHost != nil \|\| allowIP != nil {`
			`dialContext = dialContextFilter(dialContext, allowHost, allowIP)`
			`}`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 10:34:05 -04:00
MM-10417 Improve HTTPService for use in image proxy (#9966) * Replaced httpservice with proper http.Client * Added HTTPService.MakeTransport * Expose timeouts used by HTTPServiceImpl * Add additional documentation to HTTPService * Remove MockedHTTPService * Fix missing license 2018-12-12 11:39:14 -05:00			`return &MattermostTransport{`
			`&http.Transport{`
PLT-6358: Server HTTP client improvements (#6980) * restrict untrusted, internal http connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested ui changes * add isdefault diagnostic * fix tests 2017-08-09 16:49:07 -04:00			`Proxy: http.ProxyFromEnvironment,`
			`DialContext: dialContext,`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 10:34:05 -04:00			`MaxIdleConns: 100,`
			`IdleConnTimeout: 90 * time.Second,`
MM-10417 Improve HTTPService for use in image proxy (#9966) * Replaced httpservice with proper http.Client * Added HTTPService.MakeTransport * Expose timeouts used by HTTPServiceImpl * Add additional documentation to HTTPService * Remove MockedHTTPService * Fix missing license 2018-12-12 11:39:14 -05:00			`TLSHandshakeTimeout: ConnectTimeout,`
PLT-5705 Created a single source of http.Client creation logic with internet proxy support, reasonable timeouts and optional insecure connections (#6503) 2017-05-31 10:34:05 -04:00			`ExpectContinueTimeout: 1 * time.Second,`
			`TLSClientConfig: &tls.Config{`
			`InsecureSkipVerify: enableInsecureConnections,`
			`},`
			`},`
			`}`
MM-10417 Improve HTTPService for use in image proxy (#9966) * Replaced httpservice with proper http.Client * Added HTTPService.MakeTransport * Expose timeouts used by HTTPServiceImpl * Add additional documentation to HTTPService * Remove MockedHTTPService * Fix missing license 2018-12-12 11:39:14 -05:00			`}`