support basic_auth_password_file to read HTTP Basic auth password from

Issue: prometheus/prometheus#4074 Signed-off-by: Adam Shannon <adamkshannon@gmail.com>
prometheus · Apr 10, 2018 · 439e70a · 439e70a
1 parent 89604d1
commit 439e70a
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 2 deletions.
diff --git a/config/http_config.go b/config/http_config.go
@@ -66,6 +66,8 @@ func (u URL) MarshalYAML() (interface{}, error) {
 type HTTPClientConfig struct {
 	// The HTTP basic authentication credentials for the targets.
 	BasicAuth *BasicAuth `yaml:"basic_auth,omitempty"`
+	// The HTTP basic authentication password file
+	BasicAuthPasswordFile string `yaml:"basic_auth_password_file,omitempty"`
 	// The bearer token for the targets.
 	BearerToken Secret `yaml:"bearer_token,omitempty"`
 	// The bearer token file for the targets.
@@ -85,6 +87,9 @@ func (c *HTTPClientConfig) Validate() error {
 	if len(c.BearerToken) > 0 && len(c.BearerTokenFile) > 0 {
 		return fmt.Errorf("at most one of bearer_token & bearer_token_file must be configured")
 	}
+	if c.BasicAuth != nil && (c.BasicAuth.Password == "" && c.BasicAuthPasswordFile == "") {
+		return fmt.Errorf("you need to specify either basic_auth_password_file or basic_auth.password")
+	}
 	if c.BasicAuth != nil && (len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0) {
 		return fmt.Errorf("at most one of basic_auth, bearer_token & bearer_token_file must be configured")
 	}
@@ -146,7 +151,15 @@ func NewHTTPClientFromConfig(cfg *HTTPClientConfig) (*http.Client, error) {
 	}
 
 	if cfg.BasicAuth != nil {
-		rt = NewBasicAuthRoundTripper(cfg.BasicAuth.Username, Secret(cfg.BasicAuth.Password), rt)
+		pass := cfg.BasicAuth.Password
+		if string(pass) == "" || cfg.BasicAuthPasswordFile != "" {
+			bs, err := ioutil.ReadFile(cfg.BasicAuthPasswordFile)
+			if err != nil {
+				return nil, fmt.Errorf("Unable to read %s as basic_auth password file", cfg.BasicAuthPasswordFile)
+			}
+			pass = Secret(strings.TrimSpace(string(bs)))
+		}
+		rt = NewBasicAuthRoundTripper(cfg.BasicAuth.Username, pass, rt)
 	}
 
 	// Return a new client with the configured round tripper.

diff --git a/config/http_config_test.go b/config/http_config_test.go
@@ -38,7 +38,6 @@ var invalidHTTPClientConfigs = []struct {
 }
 
 func TestAuthRoundTrippers(t *testing.T) {
-
 	cfg, _, err := LoadHTTPConfigFile("testdata/http.conf.good.yml")
 	if err != nil {
 		t.Errorf("Error loading HTTP client config: %v", err)
@@ -63,6 +62,29 @@ func TestAuthRoundTrippers(t *testing.T) {
 	basicAuthRoundTripper.RoundTrip(req)
 }
 
+func TestBasicAuthPasswordFile(t *testing.T) {
+	cfg, _, err := LoadHTTPConfigFile("testdata/http.conf.basic-auth.good.yaml")
+	if err != nil {
+		t.Errorf("Error loading HTTP client config: %v", err)
+	}
+	client, err := NewHTTPClientFromConfig(cfg)
+	if err != nil {
+		t.Errorf("Error creating HTTP Client: %v", err)
+	}
+
+	rt, ok := client.Transport.(*basicAuthRoundTripper)
+	if !ok {
+		t.Errorf("Error casting to basic auth transport, %v", client.Transport)
+	}
+
+	if rt.username != "user" {
+		t.Errorf("Bad HTTP client username: %s", rt.username)
+	}
+	if string(rt.password) != "foobar" {
+		t.Errorf("Bad HTTP client password: %s", rt.password)
+	}
+}
+
 func TestHideHTTPClientConfigSecrets(t *testing.T) {
 	c, _, err := LoadHTTPConfigFile("testdata/http.conf.good.yml")
 	if err != nil {

diff --git a/config/testdata/basic-auth-password b/config/testdata/basic-auth-password
@@ -0,0 +1 @@
+foobar
diff --git a/config/testdata/http.conf.basic-auth.good.yaml b/config/testdata/http.conf.basic-auth.good.yaml
@@ -0,0 +1,4 @@
+basic_auth:
+  username: user
+  password: foo
+basic_auth_password_file: testdata/basic-auth-password