Add ip restriction for the prometheus_client output (#4431)

dupondje · glinton · commit e1160c26bcea · 2018-08-01T16:43:34.000-06:00
diff --git a/etc/telegraf.conf b/etc/telegraf.conf
@@ -747,6 +747,9 @@
 #   #basic_username = "Foo"
 #   #basic_password = "Bar"
 #
+#   ## IP Ranges which are allowed to access metrics
+#   #ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
+#
 #   ## Interval to expire metrics and not deliver to prometheus, 0 == no expiration
 #   # expiration_interval = "60s"
 #
diff --git a/plugins/outputs/prometheus_client/README.md b/plugins/outputs/prometheus_client/README.md
@@ -18,6 +18,9 @@ This plugin starts a [Prometheus](https://prometheus.io/) Client, it exposes all
   basic_username = "Foo"
   basic_password = "Bar"
 
+  # IP Ranges which are allowed to access metrics
+  ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
+
   # Path to publish the metrics on, defaults to /metrics
   path = "/metrics"   
 
diff --git a/plugins/outputs/prometheus_client/prometheus_client.go b/plugins/outputs/prometheus_client/prometheus_client.go
@@ -5,6 +5,7 @@ import (
 	"crypto/subtle"
 	"fmt"
 	"log"
+	"net"
 	"net/http"
 	"os"
 	"regexp"
@@ -58,6 +59,7 @@ type PrometheusClient struct {
 	TLSKey             string            `toml:"tls_key"`
 	BasicUsername      string            `toml:"basic_username"`
 	BasicPassword      string            `toml:"basic_password"`
+	IPRange            []string          `toml:"ip_range"`
 	ExpirationInterval internal.Duration `toml:"expiration_interval"`
 	Path               string            `toml:"path"`
 	CollectorsExclude  []string          `toml:"collectors_exclude"`
@@ -84,6 +86,9 @@ var sampleConfig = `
   #basic_username = "Foo"
   #basic_password = "Bar"
 
+  ## IP Ranges which are allowed to access metrics
+  #ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
+
   ## Interval to expire metrics and not deliver to prometheus, 0 == no expiration
   # expiration_interval = "60s"
 
@@ -96,7 +101,7 @@ var sampleConfig = `
   string_as_label = true
 `
 
-func (p *PrometheusClient) basicAuth(h http.Handler) http.Handler {
+func (p *PrometheusClient) auth(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if p.BasicUsername != "" && p.BasicPassword != "" {
 			w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
@@ -110,6 +115,27 @@ func (p *PrometheusClient) basicAuth(h http.Handler) http.Handler {
 			}
 		}
 
+		if len(p.IPRange) > 0 {
+			matched := false
+			remoteIPs, _, _ := net.SplitHostPort(r.RemoteAddr)
+			remoteIP := net.ParseIP(remoteIPs)
+			for _, iprange := range p.IPRange {
+				_, ipNet, err := net.ParseCIDR(iprange)
+				if err != nil {
+					http.Error(w, "Config Error in ip_range setting", 500)
+					return
+				}
+				if ipNet.Contains(remoteIP) {
+					matched = true
+					break
+				}
+			}
+			if !matched {
+				http.Error(w, "Not authorized", 401)
+				return
+			}
+		}
+
 		h.ServeHTTP(w, r)
 	})
 }
@@ -146,7 +172,7 @@ func (p *PrometheusClient) Start() error {
 	}
 
 	mux := http.NewServeMux()
-	mux.Handle(p.Path, p.basicAuth(promhttp.HandlerFor(
+	mux.Handle(p.Path, p.auth(promhttp.HandlerFor(
 		registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))
 
 	p.server = &http.Server{

Original file line number	Diff line number	Diff line change
`@@ -747,6 +747,9 @@`
`747`	`747`	`# #basic_username = "Foo"`
`748`	`748`	`# #basic_password = "Bar"`
`749`	`749`	`#`
	`750`	`+# ## IP Ranges which are allowed to access metrics`
	`751`	`+# #ip_range = ["192.168.0.0/24", "192.168.1.0/30"]`
	`752`	`+#`
`750`	`753`	`# ## Interval to expire metrics and not deliver to prometheus, 0 == no expiration`
`751`	`754`	`# # expiration_interval = "60s"`
`752`	`755`	`#`