allow secure connection from JSON API to ledger (#5555)
* factor TlsConfiguration parser from extractor * move TlsConfigurationParser to new library * link extractor to ledger-service/cli-opts properly * use TlsConfigurationCli in http-json, pass SslContext to ledger-client * test TLS options as used in http-json - the TLS config code is shared with extractor, where it is more fully tested; we just do a sanity check here * doc TLS options for http-json CHANGELOG_BEGIN - [JSON API] New ``--pem``, ``--crt``, ``--cacrt``, and ``--tls`` options for securing the connection between JSON API server and ledger. See `issue #2540 <https://github.com/digital-asset/daml/issues/2540>`__. CHANGELOG_END * TLS off in daml-script JSON API test
Showing
16 changed files
with
201 additions
and
64 deletions.
@@ -0,0 +1,21 @@ | ||
# Copyright (c) 2020 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
load( | ||
"//bazel_tools:scala.bzl", | ||
"da_scala_library", | ||
"lf_scalacopts", | ||
) | ||
|
||
da_scala_library( | ||
name = "cli-opts", | ||
srcs = glob(["src/main/scala/**/*.scala"]), | ||
scalacopts = lf_scalacopts, | ||
tags = ["maven_coordinates=com.daml:http-json-cli-opts:__VERSION__"], | ||
visibility = ["//visibility:public"], | ||
deps = [ | ||
"//ledger/ledger-api-common", | ||
"@maven//:com_github_scopt_scopt_2_12", | ||
"@maven//:io_netty_netty_handler", | ||
], | ||
) |
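--- a/ledger-service/cli-opts/src/main/scala/ledger/api/tls/TlsConfigurationCli.scala
+++ b/ledger-service/cli-opts/src/main/scala/ledger/api/tls/TlsConfigurationCli.scala
@@ -0,0 +1,63 @@
+// Copyright (c) 2020 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package com.daml.ledger.api.tls
+
+import java.nio.file.Paths
+
+import scala.util.Try
+
+object TlsConfigurationCli {
+def parse[C](parser: scopt.OptionParser[C], colSpacer: String)(
+setter: (TlsConfiguration => TlsConfiguration, C) => C): Unit = {
+def enableSet(tlsUp: TlsConfiguration => TlsConfiguration, c: C) =
+setter(tlsc => tlsUp(tlsc copy (enabled = true)), c)
+
+import parser.opt
+
+opt[String]("pem")
+.optional()
+.text("TLS: The pem file to be used as the private key.")
+.validate(validatePath(_, "The file specified via --pem does not exist"))
+.action { (path, c) =>
+enableSet(_ copy (keyFile = Some(Paths.get(path).toFile)), c)
+}
+
+opt[String]("crt")
+.optional()
+.text(
+s"TLS: The crt file to be used as the cert chain.\n${colSpacer}" +
+s"Required for client authentication."
+)
+.validate(validatePath(_, "The file specified via --crt does not exist"))
+.action { (path, c) =>
+enableSet(_ copy (keyCertChainFile = Some(Paths.get(path).toFile)), c)
+}
+
+opt[String]("cacrt")
+.optional()
+.text("TLS: The crt file to be used as the the trusted root CA.")
+.validate(validatePath(_, "The file specified via --cacrt does not exist"))
+.action { (path, c) =>
+enableSet(_ copy (trustCertCollectionFile = Some(Paths.get(path).toFile)), c)
+}
+
+// allows you to enable tls without any special certs,
+// i.e., tls without client auth with the default root certs.
+// If any certificates are set tls is enabled implicitly and
+// this is redundant.
+opt[Unit]("tls")
+.optional()
+.text("TLS: Enable tls. This is redundant if --pem, --crt or --cacrt are set")
+.action { (_, c) =>
+enableSet(identity, c)
+}
+
+()
+}
+
+private def validatePath(path: String, message: String): Either[String, Unit] = {
+val valid = Try(Paths.get(path).toFile.canRead).getOrElse(false)
+if (valid) Right(()) else Left(message)
+}
+}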
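Review bot: `validatePath`, the last method of the new file, accepts any readable path including a directory, because `java.io.File.canRead` is true for directories, so a mistyped `--pem`/`--crt`/`--cacrt` pointing at a folder passes option parsing and presumably only fails later inside the TLS setup with a less specific error. Narrow the check to regular files with `val valid = Try { val f = Paths.get(path).toFile; f.isFile && f.canRead }.getOrElse(false)`, and since the check already rejects unreadable files, the three messages would be more accurate as `does not exist or is not readable` rather than only `does not exist`. The `--cacrt` help text has a doubled word and should read `"TLS: The crt file to be used as the trusted root CA."`. A short Scaladoc on `parse` would help callers: it registers the four TLS options on `parser`, routes every update through `setter` after forcing `enabled = true`, and `colSpacer` is the prefix inserted after the line break in multi-line help text so continuation lines align with scopt's column. The `--tls` help text could say what is trusted when `--cacrt` is absent, matching the code comment above it: `"TLS: Enable tls, using the default root certs unless --cacrt is set. This is redundant if --pem, --crt or --cacrt are set"`.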