forked from cloudflare/cloudflare-go
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cloudflare.go
598 lines (507 loc) · 18.1 KB
/
cloudflare.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
// Package cloudflare implements the Cloudflare v4 API.
package cloudflare
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"io"
"log"
"math"
"net/http"
"net/http/httputil"
"net/url"
"regexp"
"strconv"
"strings"
"time"
"golang.org/x/time/rate"
)
var (
Version string = "v4"
// Deprecated: Use `client.New` configuration instead.
apiURL = fmt.Sprintf("%s://%s%s", defaultScheme, defaultHostname, defaultBasePath)
)
const (
// AuthKeyEmail specifies that we should authenticate with API key and email address.
AuthKeyEmail = 1 << iota
// AuthUserService specifies that we should authenticate with a User-Service key.
AuthUserService
// AuthToken specifies that we should authenticate with an API Token.
AuthToken
)
// API holds the configuration for the current API client. A client should not
// be modified concurrently.
type API struct {
APIKey string
APIEmail string
APIUserServiceKey string
APIToken string
BaseURL string
AccountID string
UserAgent string
headers http.Header
httpClient *http.Client
authType int
rateLimiter *rate.Limiter
retryPolicy RetryPolicy
logger Logger
Debug bool
}
// newClient provides shared logic for New and NewWithUserServiceKey.
func newClient(opts ...Option) (*API, error) {
silentLogger := log.New(io.Discard, "", log.LstdFlags)
api := &API{
BaseURL: fmt.Sprintf("%s://%s%s", defaultScheme, defaultHostname, defaultBasePath),
UserAgent: userAgent + "/" + Version,
headers: make(http.Header),
rateLimiter: rate.NewLimiter(rate.Limit(4), 1), // 4rps equates to default api limit (1200 req/5 min)
retryPolicy: RetryPolicy{
MaxRetries: 3,
MinRetryDelay: 1 * time.Second,
MaxRetryDelay: 30 * time.Second,
},
logger: silentLogger,
}
err := api.parseOptions(opts...)
if err != nil {
return nil, fmt.Errorf("options parsing failed: %w", err)
}
// Fall back to http.DefaultClient if the package user does not provide
// their own.
if api.httpClient == nil {
api.httpClient = http.DefaultClient
}
return api, nil
}
// New creates a new Cloudflare v4 API client.
func New(key, email string, opts ...Option) (*API, error) {
if key == "" || email == "" {
return nil, errors.New(errEmptyCredentials)
}
api, err := newClient(opts...)
if err != nil {
return nil, err
}
api.APIKey = key
api.APIEmail = email
api.authType = AuthKeyEmail
return api, nil
}
// NewWithAPIToken creates a new Cloudflare v4 API client using API Tokens.
func NewWithAPIToken(token string, opts ...Option) (*API, error) {
if token == "" {
return nil, errors.New(errEmptyAPIToken)
}
api, err := newClient(opts...)
if err != nil {
return nil, err
}
api.APIToken = token
api.authType = AuthToken
return api, nil
}
// NewWithUserServiceKey creates a new Cloudflare v4 API client using service key authentication.
func NewWithUserServiceKey(key string, opts ...Option) (*API, error) {
if key == "" {
return nil, errors.New(errEmptyCredentials)
}
api, err := newClient(opts...)
if err != nil {
return nil, err
}
api.APIUserServiceKey = key
api.authType = AuthUserService
return api, nil
}
// SetAuthType sets the authentication method (AuthKeyEmail, AuthToken, or AuthUserService).
func (api *API) SetAuthType(authType int) {
api.authType = authType
}
// ZoneIDByName retrieves a zone's ID from the name.
func (api *API) ZoneIDByName(zoneName string) (string, error) {
zoneName = normalizeZoneName(zoneName)
res, err := api.ListZonesContext(context.Background(), WithZoneFilters(zoneName, api.AccountID, ""))
if err != nil {
return "", fmt.Errorf("ListZonesContext command failed: %w", err)
}
switch len(res.Result) {
case 0:
return "", errors.New("zone could not be found")
case 1:
return res.Result[0].ID, nil
default:
return "", errors.New("ambiguous zone name; an account ID might help")
}
}
// makeRequest makes a HTTP request and returns the body as a byte slice,
// closing it before returning. params will be serialized to JSON.
func (api *API) makeRequest(method, uri string, params interface{}) ([]byte, error) {
return api.makeRequestWithAuthType(context.Background(), method, uri, params, api.authType)
}
func (api *API) makeRequestContext(ctx context.Context, method, uri string, params interface{}) ([]byte, error) {
return api.makeRequestWithAuthType(ctx, method, uri, params, api.authType)
}
func (api *API) makeRequestContextWithHeaders(ctx context.Context, method, uri string, params interface{}, headers http.Header) ([]byte, error) {
return api.makeRequestWithAuthTypeAndHeaders(ctx, method, uri, params, api.authType, headers)
}
func (api *API) makeRequestWithAuthType(ctx context.Context, method, uri string, params interface{}, authType int) ([]byte, error) {
return api.makeRequestWithAuthTypeAndHeaders(ctx, method, uri, params, authType, nil)
}
// APIResponse holds the structure for a response from the API. It looks alot
// like `http.Response` however, uses a `[]byte` for the `Body` instead of a
// `io.ReadCloser`.
//
// This may go away in the experimental client in favour of `http.Response`.
type APIResponse struct {
Body []byte
Status string
StatusCode int
Headers http.Header
}
func (api *API) makeRequestWithAuthTypeAndHeaders(ctx context.Context, method, uri string, params interface{}, authType int, headers http.Header) ([]byte, error) {
res, err := api.makeRequestWithAuthTypeAndHeadersComplete(ctx, method, uri, params, authType, headers)
if err != nil {
return nil, err
}
return res.Body, err
}
// Use this method if an API response can have different Content-Type headers and different body formats.
func (api *API) makeRequestContextWithHeadersComplete(ctx context.Context, method, uri string, params interface{}, headers http.Header) (*APIResponse, error) {
return api.makeRequestWithAuthTypeAndHeadersComplete(ctx, method, uri, params, api.authType, headers)
}
func (api *API) makeRequestWithAuthTypeAndHeadersComplete(ctx context.Context, method, uri string, params interface{}, authType int, headers http.Header) (*APIResponse, error) {
var err error
var resp *http.Response
var respErr error
var respBody []byte
for i := 0; i <= api.retryPolicy.MaxRetries; i++ {
var reqBody io.Reader
if params != nil {
if r, ok := params.(io.Reader); ok {
reqBody = r
} else if paramBytes, ok := params.([]byte); ok {
reqBody = bytes.NewReader(paramBytes)
} else {
var jsonBody []byte
jsonBody, err = json.Marshal(params)
if err != nil {
return nil, fmt.Errorf("error marshalling params to JSON: %w", err)
}
reqBody = bytes.NewReader(jsonBody)
}
}
if i > 0 {
// expect the backoff introduced here on errored requests to dominate the effect of rate limiting
// don't need a random component here as the rate limiter should do something similar
// nb time duration could truncate an arbitrary float. Since our inputs are all ints, we should be ok
sleepDuration := time.Duration(math.Pow(2, float64(i-1)) * float64(api.retryPolicy.MinRetryDelay))
if sleepDuration > api.retryPolicy.MaxRetryDelay {
sleepDuration = api.retryPolicy.MaxRetryDelay
}
// useful to do some simple logging here, maybe introduce levels later
api.logger.Printf("Sleeping %s before retry attempt number %d for request %s %s", sleepDuration.String(), i, method, uri)
select {
case <-time.After(sleepDuration):
case <-ctx.Done():
return nil, fmt.Errorf("operation aborted during backoff: %w", ctx.Err())
}
}
err = api.rateLimiter.Wait(ctx)
if err != nil {
return nil, fmt.Errorf("error caused by request rate limiting: %w", err)
}
resp, respErr = api.request(ctx, method, uri, reqBody, authType, headers)
// short circuit processing on context timeouts
if respErr != nil && errors.Is(respErr, context.DeadlineExceeded) {
return nil, respErr
}
// retry if the server is rate limiting us or if it failed
// assumes server operations are rolled back on failure
if respErr != nil || resp.StatusCode == http.StatusTooManyRequests || resp.StatusCode >= 500 {
if resp != nil && resp.StatusCode == http.StatusTooManyRequests {
respErr = errors.New("exceeded available rate limit retries")
}
if respErr == nil {
respErr = fmt.Errorf("received %s response (HTTP %d), please try again later", strings.ToLower(http.StatusText(resp.StatusCode)), resp.StatusCode)
}
continue
} else {
respBody, err = io.ReadAll(resp.Body)
defer resp.Body.Close()
if err != nil {
return nil, fmt.Errorf("could not read response body: %w", err)
}
break
}
}
// still had an error after all retries
if respErr != nil {
return nil, respErr
}
if resp.StatusCode >= http.StatusBadRequest {
if strings.HasSuffix(resp.Request.URL.Path, "/filters/validate-expr") {
return nil, fmt.Errorf("%s", respBody)
}
if resp.StatusCode >= http.StatusInternalServerError {
return nil, &ServiceError{cloudflareError: &Error{
StatusCode: resp.StatusCode,
RayID: resp.Header.Get("cf-ray"),
Errors: []ResponseInfo{{
Message: errInternalServiceError,
}},
}}
}
errBody := &Response{}
err = json.Unmarshal(respBody, &errBody)
if err != nil {
return nil, fmt.Errorf(errUnmarshalErrorBody+": %w", err)
}
errCodes := make([]int, 0, len(errBody.Errors))
errMsgs := make([]string, 0, len(errBody.Errors))
for _, e := range errBody.Errors {
errCodes = append(errCodes, e.Code)
errMsgs = append(errMsgs, e.Message)
}
err := &Error{
StatusCode: resp.StatusCode,
RayID: resp.Header.Get("cf-ray"),
Errors: errBody.Errors,
ErrorCodes: errCodes,
ErrorMessages: errMsgs,
Messages: errBody.Messages,
}
switch resp.StatusCode {
case http.StatusUnauthorized:
err.Type = ErrorTypeAuthorization
return nil, &AuthorizationError{cloudflareError: err}
case http.StatusForbidden:
err.Type = ErrorTypeAuthentication
return nil, &AuthenticationError{cloudflareError: err}
case http.StatusNotFound:
err.Type = ErrorTypeNotFound
return nil, &NotFoundError{cloudflareError: err}
case http.StatusTooManyRequests:
err.Type = ErrorTypeRateLimit
return nil, &RatelimitError{cloudflareError: err}
default:
err.Type = ErrorTypeRequest
return nil, &RequestError{cloudflareError: err}
}
}
return &APIResponse{
Body: respBody,
StatusCode: resp.StatusCode,
Status: resp.Status,
Headers: resp.Header,
}, nil
}
// request makes a HTTP request to the given API endpoint, returning the raw
// *http.Response, or an error if one occurred. The caller is responsible for
// closing the response body.
func (api *API) request(ctx context.Context, method, uri string, reqBody io.Reader, authType int, headers http.Header) (*http.Response, error) {
req, err := http.NewRequestWithContext(ctx, method, api.BaseURL+uri, reqBody)
if err != nil {
return nil, fmt.Errorf("HTTP request creation failed: %w", err)
}
combinedHeaders := make(http.Header)
copyHeader(combinedHeaders, api.headers)
copyHeader(combinedHeaders, headers)
req.Header = combinedHeaders
if authType&AuthKeyEmail != 0 {
req.Header.Set("X-Auth-Key", api.APIKey)
req.Header.Set("X-Auth-Email", api.APIEmail)
}
if authType&AuthUserService != 0 {
req.Header.Set("X-Auth-User-Service-Key", api.APIUserServiceKey)
}
if authType&AuthToken != 0 {
req.Header.Set("Authorization", "Bearer "+api.APIToken)
}
if api.UserAgent != "" {
req.Header.Set("User-Agent", api.UserAgent)
}
if req.Header.Get("Content-Type") == "" {
req.Header.Set("Content-Type", "application/json")
}
if api.Debug {
dump, err := httputil.DumpRequestOut(req, true)
if err != nil {
return nil, err
}
// Strip out any sensitive information from the request payload.
sensitiveKeys := []string{api.APIKey, api.APIEmail, api.APIToken, api.APIUserServiceKey}
for _, key := range sensitiveKeys {
if key != "" {
valueRegex := regexp.MustCompile(fmt.Sprintf("(?m)%s", key))
dump = valueRegex.ReplaceAll(dump, []byte("[redacted]"))
}
}
log.Printf("\n%s", string(dump))
}
resp, err := api.httpClient.Do(req)
if err != nil {
return nil, fmt.Errorf("HTTP request failed: %w", err)
}
if api.Debug {
dump, err := httputil.DumpResponse(resp, true)
if err != nil {
return resp, err
}
log.Printf("\n%s", string(dump))
}
return resp, nil
}
// Returns the base URL to use for API endpoints that exist for accounts.
// If an account option was used when creating the API instance, returns
// the account URL.
//
// accountBase is the base URL for endpoints referring to the current user.
// It exists as a parameter because it is not consistent across APIs.
func (api *API) userBaseURL(accountBase string) string {
if api.AccountID != "" {
return "/accounts/" + api.AccountID
}
return accountBase
}
// copyHeader copies all headers for `source` and sets them on `target`.
// based on https://godoc.org/github.com/golang/gddo/httputil/header#Copy
func copyHeader(target, source http.Header) {
for k, vs := range source {
target[k] = vs
}
}
// ResponseInfo contains a code and message returned by the API as errors or
// informational messages inside the response.
type ResponseInfo struct {
Code int `json:"code"`
Message string `json:"message"`
}
// Response is a template. There will also be a result struct. There will be a
// unique response type for each response, which will include this type.
type Response struct {
Success bool `json:"success"`
Errors []ResponseInfo `json:"errors"`
Messages []ResponseInfo `json:"messages"`
}
// ResultInfoCursors contains information about cursors.
type ResultInfoCursors struct {
Before string `json:"before" url:"before,omitempty"`
After string `json:"after" url:"after,omitempty"`
}
// ResultInfo contains metadata about the Response.
type ResultInfo struct {
Page int `json:"page" url:"page,omitempty"`
PerPage int `json:"per_page" url:"per_page,omitempty"`
TotalPages int `json:"total_pages" url:"-"`
Count int `json:"count" url:"-"`
Total int `json:"total_count" url:"-"`
Cursor string `json:"cursor" url:"cursor,omitempty"`
Cursors ResultInfoCursors `json:"cursors" url:"cursors,omitempty"`
}
// RawResponse keeps the result as JSON form.
type RawResponse struct {
Response
Result json.RawMessage `json:"result"`
}
// Raw makes a HTTP request with user provided params and returns the
// result as untouched JSON.
func (api *API) Raw(ctx context.Context, method, endpoint string, data interface{}, headers http.Header) (json.RawMessage, error) {
res, err := api.makeRequestContextWithHeaders(ctx, method, endpoint, data, headers)
if err != nil {
return nil, err
}
var r RawResponse
if err := json.Unmarshal(res, &r); err != nil {
return nil, fmt.Errorf("%s: %w", errUnmarshalError, err)
}
return r.Result, nil
}
// PaginationOptions can be passed to a list request to configure paging
// These values will be defaulted if omitted, and PerPage has min/max limits set by resource.
type PaginationOptions struct {
Page int `json:"page,omitempty" url:"page,omitempty"`
PerPage int `json:"per_page,omitempty" url:"per_page,omitempty"`
}
// RetryPolicy specifies number of retries and min/max retry delays
// This config is used when the client exponentially backs off after errored requests.
type RetryPolicy struct {
MaxRetries int
MinRetryDelay time.Duration
MaxRetryDelay time.Duration
}
// Logger defines the interface this library needs to use logging
// This is a subset of the methods implemented in the log package.
type Logger interface {
Printf(format string, v ...interface{})
}
// ReqOption is a functional option for configuring API requests.
type ReqOption func(opt *reqOption)
type reqOption struct {
params url.Values
}
// WithZoneFilters applies a filter based on zone properties.
func WithZoneFilters(zoneName, accountID, status string) ReqOption {
return func(opt *reqOption) {
if zoneName != "" {
opt.params.Set("name", normalizeZoneName(zoneName))
}
if accountID != "" {
opt.params.Set("account.id", accountID)
}
if status != "" {
opt.params.Set("status", status)
}
}
}
// WithPagination configures the pagination for a response.
func WithPagination(opts PaginationOptions) ReqOption {
return func(opt *reqOption) {
if opts.Page > 0 {
opt.params.Set("page", strconv.Itoa(opts.Page))
}
if opts.PerPage > 0 {
opt.params.Set("per_page", strconv.Itoa(opts.PerPage))
}
}
}
// checkResultInfo checks whether ResultInfo is reasonable except that it currently
// ignores the cursor information. perPage, page, and count are the requested #items
// per page, the requested page number, and the actual length of the Result array.
//
// Responses from the actual Cloudflare servers should pass all these checks (or we
// discover a serious bug in the Cloudflare servers). However, the unit tests can
// easily violate these constraints and this utility function can help debugging.
// Correct pagination information is crucial for more advanced List* functions that
// handle pagination automatically and fetch different pages in parallel.
//
// TODO: check cursors as well.
func checkResultInfo(perPage, page, count int, info *ResultInfo) bool {
if info.Cursor != "" || info.Cursors.Before != "" || info.Cursors.After != "" {
panic("checkResultInfo could not handle cursors yet.")
}
switch {
case info.PerPage != perPage || info.Page != page || info.Count != count:
return false
case info.PerPage <= 0:
return false
case info.Total == 0 && info.TotalPages == 0 && info.Page == 1 && info.Count == 0:
return true
case info.Total <= 0 || info.TotalPages <= 0:
return false
case info.Total > info.PerPage*info.TotalPages || info.Total <= info.PerPage*(info.TotalPages-1):
return false
}
switch {
case info.Page > info.TotalPages || info.Page <= 0:
return false
case info.Page < info.TotalPages:
return info.Count == info.PerPage
case info.Page == info.TotalPages:
return info.Count == info.Total-info.PerPage*(info.TotalPages-1)
default:
// This is actually impossible, but Go compiler does not know trichotomy
panic("checkResultInfo: impossible")
}
}