Adapted implementation based on new design in prometheus/common

Signed-off-by: Marco Pracucci <[email protected]>

Author: pracucci

pkg/alertmanager/alertmanager.go

@@ -40,10 +40,12 @@ import (
 	"github.com/prometheus/alertmanager/ui"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
+	commoncfg "github.com/prometheus/common/config"
 	"github.com/prometheus/common/model"
 	"github.com/prometheus/common/route"
 
 	"github.com/cortexproject/cortex/pkg/alertmanager/alertstore"
+	util_net "github.com/cortexproject/cortex/pkg/util/net"
 	"github.com/cortexproject/cortex/pkg/util/services"
 )
 
@@ -95,6 +97,7 @@ type Alertmanager struct {
 	wg              sync.WaitGroup
 	mux             *http.ServeMux
 	registry        *prometheus.Registry
+	firewallDialer  *util_net.FirewallDialer
 
 	// The Dispatcher is the only component we need to recreate when we call ApplyConfig.
 	// Given its metrics don't have any variable labels we need to re-use the same metrics.
@@ -148,6 +151,10 @@ func New(cfg *Config, reg *prometheus.Registry) (*Alertmanager, error) {
 		cfg:    cfg,
 		logger: log.With(cfg.Logger, "user", cfg.UserID),
 		stop:   make(chan struct{}),
+		firewallDialer: util_net.NewFirewallDialer(util_net.FirewallDialerConfig{
+			BlockCIDRNetworks:     cfg.ReceiversFirewall.Block.CIDRNetworks,
+			BlockPrivateAddresses: cfg.ReceiversFirewall.Block.PrivateAddresses,
+		}),
 		configHashMetric: promauto.With(reg).NewGauge(prometheus.GaugeOpts{
 			Name: "alertmanager_config_hash",
 			Help: "Hash of the currently loaded alertmanager configuration.",
@@ -280,8 +287,6 @@ func clusterWait(position func() int, timeout time.Duration) func() time.Duratio
 
 // ApplyConfig applies a new configuration to an Alertmanager.
 func (am *Alertmanager) ApplyConfig(userID string, conf *config.Config, rawCfg string) error {
-	conf = injectFirewallToAlertmanagerConfig(conf, am.cfg.ReceiversFirewall)
-
 	templateFiles := make([]string, len(conf.Templates))
 	if len(conf.Templates) > 0 {
 		for i, t := range conf.Templates {
@@ -318,7 +323,7 @@ func (am *Alertmanager) ApplyConfig(userID string, conf *config.Config, rawCfg s
 		return d + waitFunc()
 	}
 
-	integrationsMap, err := buildIntegrationsMap(conf.Receivers, tmpl, am.logger)
+	integrationsMap, err := buildIntegrationsMap(conf.Receivers, tmpl, am.firewallDialer, am.logger)
 	if err != nil {
 		return nil
 	}
@@ -410,10 +415,10 @@ func (am *Alertmanager) getFullState() (*clusterpb.FullState, error) {
 
 // buildIntegrationsMap builds a map of name to the list of integration notifiers off of a
 // list of receiver config.
-func buildIntegrationsMap(nc []*config.Receiver, tmpl *template.Template, logger log.Logger) (map[string][]notify.Integration, error) {
+func buildIntegrationsMap(nc []*config.Receiver, tmpl *template.Template, firewallDialer *util_net.FirewallDialer, logger log.Logger) (map[string][]notify.Integration, error) {
 	integrationsMap := make(map[string][]notify.Integration, len(nc))
 	for _, rcv := range nc {
-		integrations, err := buildReceiverIntegrations(rcv, tmpl, logger)
+		integrations, err := buildReceiverIntegrations(rcv, tmpl, firewallDialer, logger)
 		if err != nil {
 			return nil, err
 		}
@@ -425,7 +430,7 @@ func buildIntegrationsMap(nc []*config.Receiver, tmpl *template.Template, logger
 // buildReceiverIntegrations builds a list of integration notifiers off of a
 // receiver config.
 // Taken from https://github.com/prometheus/alertmanager/blob/94d875f1227b29abece661db1a68c001122d1da5/cmd/alertmanager/main.go#L112-L159.
-func buildReceiverIntegrations(nc *config.Receiver, tmpl *template.Template, logger log.Logger) ([]notify.Integration, error) {
+func buildReceiverIntegrations(nc *config.Receiver, tmpl *template.Template, firewallDialer *util_net.FirewallDialer, logger log.Logger) ([]notify.Integration, error) {
 	var (
 		errs         types.MultiError
 		integrations []notify.Integration
@@ -439,29 +444,34 @@ func buildReceiverIntegrations(nc *config.Receiver, tmpl *template.Template, log
 		}
 	)
 
+	// Inject the firewall to any receiver integration supporting it.
+	httpOps := []commoncfg.HTTPClientOption{
+		commoncfg.WithDialContextFunc(firewallDialer.DialContext),
+	}
+
 	for i, c := range nc.WebhookConfigs {
-		add("webhook", i, c, func(l log.Logger) (notify.Notifier, error) { return webhook.New(c, tmpl, l) })
+		add("webhook", i, c, func(l log.Logger) (notify.Notifier, error) { return webhook.New(c, tmpl, l, httpOps...) })
 	}
 	for i, c := range nc.EmailConfigs {
 		add("email", i, c, func(l log.Logger) (notify.Notifier, error) { return email.New(c, tmpl, l), nil })
 	}
 	for i, c := range nc.PagerdutyConfigs {
-		add("pagerduty", i, c, func(l log.Logger) (notify.Notifier, error) { return pagerduty.New(c, tmpl, l) })
+		add("pagerduty", i, c, func(l log.Logger) (notify.Notifier, error) { return pagerduty.New(c, tmpl, l, httpOps...) })
 	}
 	for i, c := range nc.OpsGenieConfigs {
-		add("opsgenie", i, c, func(l log.Logger) (notify.Notifier, error) { return opsgenie.New(c, tmpl, l) })
+		add("opsgenie", i, c, func(l log.Logger) (notify.Notifier, error) { return opsgenie.New(c, tmpl, l, httpOps...) })
 	}
 	for i, c := range nc.WechatConfigs {
-		add("wechat", i, c, func(l log.Logger) (notify.Notifier, error) { return wechat.New(c, tmpl, l) })
+		add("wechat", i, c, func(l log.Logger) (notify.Notifier, error) { return wechat.New(c, tmpl, l, httpOps...) })
 	}
 	for i, c := range nc.SlackConfigs {
-		add("slack", i, c, func(l log.Logger) (notify.Notifier, error) { return slack.New(c, tmpl, l) })
+		add("slack", i, c, func(l log.Logger) (notify.Notifier, error) { return slack.New(c, tmpl, l, httpOps...) })
 	}
 	for i, c := range nc.VictorOpsConfigs {
-		add("victorops", i, c, func(l log.Logger) (notify.Notifier, error) { return victorops.New(c, tmpl, l) })
+		add("victorops", i, c, func(l log.Logger) (notify.Notifier, error) { return victorops.New(c, tmpl, l, httpOps...) })
 	}
 	for i, c := range nc.PushoverConfigs {
-		add("pushover", i, c, func(l log.Logger) (notify.Notifier, error) { return pushover.New(c, tmpl, l) })
+		add("pushover", i, c, func(l log.Logger) (notify.Notifier, error) { return pushover.New(c, tmpl, l, httpOps...) })
 	}
 	if errs.Len() > 0 {
 		return nil, &errs

pkg/alertmanager/firewall.go

@@ -4,11 +4,7 @@ import (
 	"flag"
 	"fmt"
 
-	"github.com/prometheus/alertmanager/config"
-	commoncfg "github.com/prometheus/common/config"
-
 	"github.com/cortexproject/cortex/pkg/util/flagext"
-	netutil "github.com/cortexproject/cortex/pkg/util/net"
 )
 
 type FirewallConfig struct {
@@ -20,57 +16,11 @@ func (cfg *FirewallConfig) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSe
 }
 
 type FirewallHostsSpec struct {
-	CIDRs   flagext.CIDRSliceCSV `yaml:"cidrs"`
-	Private bool                 `yaml:"private_addresses"`
+	CIDRNetworks     flagext.CIDRSliceCSV `yaml:"cidr_networks"`
+	PrivateAddresses bool                 `yaml:"private_addresses"`
 }
 
 func (cfg *FirewallHostsSpec) RegisterFlagsWithPrefix(prefix, action string, f *flag.FlagSet) {
-	f.Var(&cfg.CIDRs, prefix+".cidrs", fmt.Sprintf("Comma-separated list of network CIDRs to %s in Alertmanager receiver integrations.", action))
-	f.BoolVar(&cfg.Private, prefix+".private-addresses", false, fmt.Sprintf("True to %s private and local addresses in Alertmanager receiver integrations.", action))
-}
-
-func injectFirewallToAlertmanagerConfig(conf *config.Config, firewallCfg FirewallConfig) *config.Config {
-	firewall := netutil.NewFirewallDialer(netutil.FirewallDialerConfig{
-		BlockCIDRs:   firewallCfg.Block.CIDRs,
-		BlockPrivate: firewallCfg.Block.Private,
-	})
-
-	conf.Global.HTTPConfig = injectFirewallToHTTPConfig(conf.Global.HTTPConfig, firewall)
-
-	for _, receiver := range conf.Receivers {
-		for _, rc := range receiver.WebhookConfigs {
-			rc.HTTPConfig = injectFirewallToHTTPConfig(rc.HTTPConfig, firewall)
-		}
-		for _, rc := range receiver.SlackConfigs {
-			rc.HTTPConfig = injectFirewallToHTTPConfig(rc.HTTPConfig, firewall)
-		}
-		for _, rc := range receiver.PushoverConfigs {
-			rc.HTTPConfig = injectFirewallToHTTPConfig(rc.HTTPConfig, firewall)
-		}
-		for _, rc := range receiver.PagerdutyConfigs {
-			rc.HTTPConfig = injectFirewallToHTTPConfig(rc.HTTPConfig, firewall)
-		}
-		for _, rc := range receiver.OpsGenieConfigs {
-			rc.HTTPConfig = injectFirewallToHTTPConfig(rc.HTTPConfig, firewall)
-		}
-		for _, rc := range receiver.WechatConfigs {
-			rc.HTTPConfig = injectFirewallToHTTPConfig(rc.HTTPConfig, firewall)
-		}
-		for _, rc := range receiver.VictorOpsConfigs {
-			rc.HTTPConfig = injectFirewallToHTTPConfig(rc.HTTPConfig, firewall)
-		}
-	}
-
-	return conf
-}
-
-func injectFirewallToHTTPConfig(conf *commoncfg.HTTPClientConfig, firewall *netutil.FirewallDialer) *commoncfg.HTTPClientConfig {
-	if conf == nil {
-		return &commoncfg.HTTPClientConfig{
-			DialContext: firewall.DialContext,
-		}
-	}
-
-	conf.DialContext = firewall.DialContext
-	return conf
+	f.Var(&cfg.CIDRNetworks, prefix+".cidr_networks", fmt.Sprintf("Comma-separated list of network CIDRs to %s in Alertmanager receiver integrations.", action))
+	f.BoolVar(&cfg.PrivateAddresses, prefix+".private-addresses", false, fmt.Sprintf("True to %s private and local addresses in Alertmanager receiver integrations.", action))
 }

pkg/alertmanager/multitenant_test.go

@@ -386,7 +386,7 @@ receivers:
 
 				// Prepare the alertmanager config.
 				cfg := mockAlertmanagerConfig(t)
-				cfg.ReceiversFirewall.Block.Private = firewallEnabled
+				cfg.ReceiversFirewall.Block.PrivateAddresses = firewallEnabled
 
 				// Start the alertmanager.
 				reg := prometheus.NewPedanticRegistry()

pkg/util/net/firewall_dialer.go

@@ -14,8 +14,8 @@ var errBlockedAddress = errors.New("blocked address")
 var errInvalidAddress = errors.New("invalid address")
 
 type FirewallDialerConfig struct {
-	BlockCIDRs   []flagext.CIDR
-	BlockPrivate bool
+	BlockCIDRNetworks     []flagext.CIDR
+	BlockPrivateAddresses bool
 }
 
 // FirewallDialer is a net dialer which integrates a firewall to block specific addresses.
@@ -35,6 +35,11 @@ func (d *FirewallDialer) DialContext(ctx context.Context, network, address strin
 }
 
 func (d *FirewallDialer) control(_, address string, _ syscall.RawConn) error {
+	// Skip any control if no firewall has been configured.
+	if !d.cfg.BlockPrivateAddresses && len(d.cfg.BlockCIDRNetworks) == 0 {
+		return nil
+	}
+
 	host, _, err := net.SplitHostPort(address)
 	if err != nil {
 		return errInvalidAddress
@@ -46,11 +51,11 @@ func (d *FirewallDialer) control(_, address string, _ syscall.RawConn) error {
 		return errBlockedAddress
 	}
 
-	if d.cfg.BlockPrivate && (isPrivate(ip) || isLocal(ip)) {
+	if d.cfg.BlockPrivateAddresses && (isPrivate(ip) || isLocal(ip)) {
 		return errBlockedAddress
 	}
 
-	for _, cidr := range d.cfg.BlockCIDRs {
+	for _, cidr := range d.cfg.BlockCIDRNetworks {
 		if cidr.Value.Contains(ip) {
 			return errBlockedAddress
 		}

pkg/util/net/firewall_dialer_test.go

@@ -38,7 +38,7 @@ func TestFirewallDialer(t *testing.T) {
 		},
 		"should support blocking private addresses": {
 			cfg: FirewallDialerConfig{
-				BlockPrivate: true,
+				BlockPrivateAddresses: true,
 			},
 			cases: []testCase{
 				{"localhost", true},
@@ -56,7 +56,7 @@ func TestFirewallDialer(t *testing.T) {
 		},
 		"should support blocking custom CIDRs": {
 			cfg: FirewallDialerConfig{
-				BlockCIDRs: []flagext.CIDR{blockedCIDR},
+				BlockCIDRNetworks: []flagext.CIDR{blockedCIDR},
 			},
 			cases: []testCase{
 				{"localhost", false},