tls connection to chaincode server (#29)

* support tls by chaincode server Signed-off-by: Alexander Zemtsov <a.zemtsov@gmail.com> * revert comment Signed-off-by: Alexander Zemtsov <a.zemtsov@gmail.com> * move loading tls options to chaincode server start Signed-off-by: Alexander Zemtsov <a.zemtsov@gmail.com> --------- Signed-off-by: Alexander Zemtsov <a.zemtsov@gmail.com>
anoideaopen · Jun 11, 2024 · f9214ce · f9214ce
1 parent 2ca8cea
commit f9214ce
Showing 1 changed file with 85 additions and 6 deletions.
diff --git a/cc/chaincode.go b/cc/chaincode.go
@@ -126,14 +126,93 @@ func (c *ACL) startAsChaincodeServer() error {
 		port = chaincodeServerDefaultPort
 	}
 
+	tlsProps, err := tlsProperties()
+	if err != nil {
+		return fmt.Errorf("failed obtaining tls properties for chaincode server: %w", err)
+	}
+
 	srv := shim.ChaincodeServer{
-		CCID:    ccID,
-		Address: fmt.Sprintf("%s:%s", "0.0.0.0", port),
-		CC:      c,
-		TLSProps: shim.TLSProperties{
-			Disabled: true,
-		},
+		CCID:     ccID,
+		Address:  fmt.Sprintf("%s:%s", "0.0.0.0", port),
+		CC:       c,
+		TLSProps: tlsProps,
 	}
 
 	return srv.Start()
 }
+
+func tlsProperties() (shim.TLSProperties, error) {
+	tlsProps := shim.TLSProperties{
+		Disabled: true,
+	}
+
+	key, cert, clientCACerts, err := readTLSConfigFromEnv()
+	if err != nil {
+		return tlsProps, fmt.Errorf("error reading TLS config from environment: %w", err)
+	}
+
+	// If TLS configuration is found in environment variables, use it.
+	if key != nil && cert != nil {
+		tlsProps.Disabled = false
+		tlsProps.Key = key
+		tlsProps.Cert = cert
+		tlsProps.ClientCACerts = clientCACerts
+	}
+
+	return tlsProps, nil
+}
+
+// readTLSConfigFromEnv tries to read TLS configuration from environment variables.
+func readTLSConfigFromEnv() ([]byte, []byte, []byte, error) {
+	const (
+		// TLS environment variables for the chaincode's TLS configuration with files.
+		// tlsKeyFileEnv is the environment variable that specifies the private key file for TLS communication.
+		tlsKeyFileEnv = "CHAINCODE_TLS_KEY_FILE"
+		// tlsCertFileEnv is the environment variable that specifies the public key certificate file for TLS communication.
+		tlsCertFileEnv = "CHAINCODE_TLS_CERT_FILE"
+		// tlsClientCACertsFileEnv is the environment variable that specifies the client CA certificates file for TLS communication.
+		tlsClientCACertsFileEnv = "CHAINCODE_TLS_CLIENT_CA_CERTS_FILE"
+
+		// TLS environment variables for the chaincode's TLS configuration, directly from ENVs.
+		// tlsKeyEnv is the environment variable that specifies the private key for TLS communication.
+		tlsKeyEnv = "CHAINCODE_TLS_KEY"
+		// tlsCertEnv is the environment variable that specifies the public key certificate for TLS communication.
+		tlsCertEnv = "CHAINCODE_TLS_CERT"
+		// tlsClientCACertsEnv is the environment variable that specifies the client CA certificates for TLS communication.
+		tlsClientCACertsEnv = "CHAINCODE_TLS_CLIENT_CA_CERTS"
+	)
+
+	var (
+		key, cert, clientCACerts []byte
+		err                      error
+	)
+
+	if keyEnv := os.Getenv(tlsKeyEnv); keyEnv != "" {
+		key = []byte(keyEnv)
+	} else if keyFile := os.Getenv(tlsKeyFileEnv); keyFile != "" {
+		key, err = os.ReadFile(keyFile)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("failed to read TLS key file: %w", err)
+		}
+	}
+
+	if certEnv := os.Getenv(tlsCertEnv); certEnv != "" {
+		cert = []byte(certEnv)
+	} else if certFile := os.Getenv(tlsCertFileEnv); certFile != "" {
+		cert, err = os.ReadFile(certFile)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("failed to read TLS certificate file: %w", err)
+		}
+	}
+
+	if caCertsEnv := os.Getenv(tlsClientCACertsEnv); caCertsEnv != "" {
+		clientCACerts = []byte(caCertsEnv)
+	} else if caCertsFile := os.Getenv(tlsClientCACertsFileEnv); caCertsFile != "" {
+		clientCACerts, err = os.ReadFile(caCertsFile)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("failed to read client CA certificates file: %w", err)
+		}
+	}
+
+	return key, cert, clientCACerts, nil
+}