
Commit 22c704d

committed
[FAB-6718] Add mutual TLS flag to comm.GRPCServer
There are several places where checking for mutual TLS will be required as part of enabling mutual TLS support for peer and orderer nodes. This CR simply adds a convenience method to the comm.GRPCServer interface.

Change-Id: I42b37798aef37ed6d0979810e50e764aaad780c0
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
1 parent 3b43020 commit 22c704d


2 files changed

+27
-4
lines changed


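--- a/core/comm/server.go
+++ b/core/comm/server.go
@@ -53,6 +53,9 @@ type GRPCServer interface {
 //TLSEnabled is a flag indicating whether or not TLS is enabled for this
 //GRPCServer instance
 TLSEnabled() bool
+//MutualTLSRequired is a flag indicating whether or not client certificates
+//are required for this GRPCServer instance
+MutualTLSRequired() bool
 //AppendClientRootCAs appends PEM-encoded X509 certificate authorities to
 //the list of authorities used to verify client certificates
 AppendClientRootCAs(clientRoots [][]byte) error
@@ -87,6 +90,8 @@ type grpcServerImpl struct {
 tlsConfig *tls.Config
 //Is TLS enabled?
 tlsEnabled bool
+//Are client certifictes required
+mutualTLSRequired bool
 }
 
 //NewGRPCServer creates a new implementation of a GRPCServer given a
@@ -159,6 +164,7 @@ func newGRPCServerFromListenerWithKa(listener net.Listener, secureConfig SecureS
 grpcServer.tlsConfig.ClientAuth = tls.RequestClientCert
 //check if client authentication is required
 if secureConfig.RequireClientCert {
+grpcServer.mutualTLSRequired = true
 //require TLS client auth
 grpcServer.tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 //if we have client root CAs, create a certPool
@@ -219,6 +225,12 @@ func (gServer *grpcServerImpl) TLSEnabled() bool {
 return gServer.tlsEnabled
 }
 
+//MutualTLSRequired is a flag indicating whether or not client certificates
+//are required for this GRPCServer instance
+func (gServer *grpcServerImpl) MutualTLSRequired() bool {
+return gServer.mutualTLSRequired
+}
+
 //Start starts the underlying grpc.Server
 func (gServer *grpcServerImpl) Start() error {
 return gServer.server.Serve(gServer.listener)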
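Review bot: `mutualTLSRequired` in `grpcServerImpl` is a second copy of a security setting that already lives in `tlsConfig.ClientAuth`, and it is written only once, in the `secureConfig.RequireClientCert` branch of `newGRPCServerFromListenerWithKa`. Callers that gate an authorization decision on `MutualTLSRequired()` would get a stale answer if the TLS config is ever changed after construction, so deriving the value is safer: `return gServer.tlsConfig != nil && gServer.tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert`. The nil check is an assumption, since the non-TLS path of the constructor lies outside the hunk. The interface comment should also state that `false` covers both a plaintext server and a TLS server that only requests client certificates (`tls.RequestClientCert`), and the field comment has a typo (`certifictes`).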

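--- a/core/comm/server_test.go
+++ b/core/comm/server_test.go
@@ -489,8 +489,10 @@ func TestNewGRPCServer(t *testing.T) {
 assert.Equal(t, srv.Address(), addr.String())
 assert.Equal(t, srv.Listener().Addr().String(), addr.String())
 
-//TlSEnabled should be false
+//TLSEnabled should be false
 assert.Equal(t, srv.TLSEnabled(), false)
+//MutualTLSRequired should be false
+assert.Equal(t, srv.MutualTLSRequired(), false)
 
 //register the GRPC test server
 testpb.RegisterTestServiceServer(srv.Server(), &testServiceServer{})
@@ -542,8 +544,10 @@ func TestNewGRPCServerFromListener(t *testing.T) {
 assert.Equal(t, srv.Address(), addr.String())
 assert.Equal(t, srv.Listener().Addr().String(), addr.String())
 
-//TlSEnabled should be false
+//TLSEnabled should be false
 assert.Equal(t, srv.TLSEnabled(), false)
+//MutualTLSRequired should be false
+assert.Equal(t, srv.MutualTLSRequired(), false)
 
 //register the GRPC test server
 testpb.RegisterTestServiceServer(srv.Server(), &testServiceServer{})
@@ -594,8 +598,10 @@ func TestNewSecureGRPCServer(t *testing.T) {
 cert, _ := tls.X509KeyPair([]byte(selfSignedCertPEM), []byte(selfSignedKeyPEM))
 assert.Equal(t, srv.ServerCertificate(), cert)
 
-//TlSEnabled should be true
+//TLSEnabled should be true
 assert.Equal(t, srv.TLSEnabled(), true)
+//MutualTLSRequired should be false
+assert.Equal(t, srv.MutualTLSRequired(), false)
 
 //register the GRPC test server
 testpb.RegisterTestServiceServer(srv.Server(), &testServiceServer{})
@@ -677,8 +683,10 @@ func TestNewSecureGRPCServerFromListener(t *testing.T) {
 cert, _ := tls.X509KeyPair([]byte(selfSignedCertPEM), []byte(selfSignedKeyPEM))
 assert.Equal(t, srv.ServerCertificate(), cert)
 
-//TlSEnabled should be true
+//TLSEnabled should be true
 assert.Equal(t, srv.TLSEnabled(), true)
+//MutualTLSRequired should be false
+assert.Equal(t, srv.MutualTLSRequired(), false)
 
 //register the GRPC test server
 testpb.RegisterTestServiceServer(srv.Server(), &testServiceServer{})
@@ -894,6 +902,9 @@ func runMutualAuth(t *testing.T, servers []testServer, trustedClients, unTrusted
 return err
 }
 
+//MutualTLSRequired should be true
+assert.Equal(t, srv.MutualTLSRequired(), true)
+
 //register the GRPC test server and start the GRPCServer
 testpb.RegisterTestServiceServer(srv.Server(), &testServiceServer{})
 go srv.Start()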
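Review bot: The new assertions pass the value under test as the first argument, e.g. `assert.Equal(t, srv.MutualTLSRequired(), false)` in `TestNewGRPCServer`; if `assert` is testify (the import is not visible here), the expected value comes first, so a failure would report expected and actual swapped. `assert.False(t, srv.MutualTLSRequired())` and, in `runMutualAuth`, `assert.True(t, srv.MutualTLSRequired())` state the same check without the ordering question. The same applies to the added lines in `TestNewGRPCServerFromListener`, `TestNewSecureGRPCServer` and `TestNewSecureGRPCServerFromListener`. All five test functions start and end outside their hunks.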
