diff --git a/core/comm/config.go b/core/comm/config.go index 63e80e54a12..c8af5ebc195 100644 --- a/core/comm/config.go +++ b/core/comm/config.go @@ -39,6 +39,33 @@ var ( } ) +// ServerConfig defines the parameters for configuring a GRPCServer instance +type ServerConfig struct { + // SecOpts defines the security parameters + SecOpts *SecureOptions + // KaOpts defines the keepalive parameters + KaOpts *KeepaliveOptions +} + +// SecureOptions defines the security parameters (e.g. TLS) for a +// GRPCServer instance +type SecureOptions struct { + //PEM-encoded X509 public key to be used by the server for TLS communication + ServerCertificate []byte + //PEM-encoded private key to be used by the server for TLS communication + ServerKey []byte + //Set of PEM-encoded X509 certificate authorities to optionally send + //as part of the server handshake + ServerRootCAs [][]byte + //Set of PEM-encoded X509 certificate authorities to use when verifying + //client certificates + ClientRootCAs [][]byte + //Whether or not to use TLS for communication + UseTLS bool + //Whether or not TLS client must present certificates for authentication + RequireClientCert bool +} + // KeepAliveOptions is used to set the gRPC keepalive settings for both // clients and servers type KeepaliveOptions struct { diff --git a/core/comm/connection_test.go b/core/comm/connection_test.go index a14b6e78eb5..8e3a892f7ea 100644 --- a/core/comm/connection_test.go +++ b/core/comm/connection_test.go @@ -258,10 +258,12 @@ func newServer(org string, port int) *srv { if err != nil { panic(fmt.Errorf("Failed listening on port %d: %v", port, err)) } - gSrv, err := NewGRPCServerFromListener(l, SecureServerConfig{ - ServerCertificate: certs["server.crt"], - ServerKey: certs["server.key"], - UseTLS: true, + gSrv, err := NewGRPCServerFromListener(l, ServerConfig{ + SecOpts: &SecureOptions{ + ServerCertificate: certs["server.crt"], + ServerKey: certs["server.key"], + UseTLS: true, + }, }) if err != nil { panic(fmt.Errorf("Failed starting gRPC server: %v", err)) diff --git a/core/comm/server.go b/core/comm/server.go index 146d6e67663..42cbdc632d6 100644 --- a/core/comm/server.go +++ b/core/comm/server.go @@ -17,25 +17,6 @@ import ( "google.golang.org/grpc" ) -//A SecureServerConfig structure is used to configure security (e.g. TLS) for a -//GRPCServer instance -type SecureServerConfig struct { - //PEM-encoded X509 public key to be used by the server for TLS communication - ServerCertificate []byte - //PEM-encoded private key to be used by the server for TLS communication - ServerKey []byte - //Set of PEM-encoded X509 certificate authorities to optionally send - //as part of the server handshake - ServerRootCAs [][]byte - //Set of PEM-encoded X509 certificate authorities to use when verifying - //client certificates - ClientRootCAs [][]byte - //Whether or not to use TLS for communication - UseTLS bool - //Whether or not TLS client must present certificates for authentication - RequireClientCert bool -} - //GRPCServer defines an interface representing a GRPC-based server type GRPCServer interface { //Address returns the listen address for the GRPCServer @@ -96,25 +77,25 @@ type grpcServerImpl struct { //NewGRPCServer creates a new implementation of a GRPCServer given a //listen address -func NewGRPCServer(address string, secureConfig SecureServerConfig) (GRPCServer, error) { - return newGRPCServerWithKa(address, secureConfig, &keepaliveOptions) +func NewGRPCServer(address string, serverConfig ServerConfig) (GRPCServer, error) { + return newGRPCServerWithKa(address, serverConfig, &keepaliveOptions) } //NewChaincodeGRPCServer creates a new implementation of a chaincode GRPCServer given a //listen address -func NewChaincodeGRPCServer(address string, secureConfig SecureServerConfig) (GRPCServer, error) { - return newGRPCServerWithKa(address, secureConfig, &chaincodeKeepaliveOptions) +func NewChaincodeGRPCServer(address string, serverConfig ServerConfig) (GRPCServer, error) { + return newGRPCServerWithKa(address, serverConfig, &chaincodeKeepaliveOptions) } //NewGRPCServerFromListener creates a new implementation of a GRPCServer given //an existing net.Listener instance using default keepalive -func NewGRPCServerFromListener(listener net.Listener, secureConfig SecureServerConfig) (GRPCServer, error) { - return newGRPCServerFromListenerWithKa(listener, secureConfig, &keepaliveOptions) +func NewGRPCServerFromListener(listener net.Listener, serverConfig ServerConfig) (GRPCServer, error) { + return newGRPCServerFromListenerWithKa(listener, serverConfig, &keepaliveOptions) } //newGRPCServerWithKa creates a new implementation of a GRPCServer given a //listen address with specified keepalive options -func newGRPCServerWithKa(address string, secureConfig SecureServerConfig, ka *KeepaliveOptions) (GRPCServer, error) { +func newGRPCServerWithKa(address string, serverConfig ServerConfig, ka *KeepaliveOptions) (GRPCServer, error) { if address == "" { return nil, errors.New("Missing address parameter") @@ -126,13 +107,14 @@ func newGRPCServerWithKa(address string, secureConfig SecureServerConfig, ka *Ke return nil, err } - return newGRPCServerFromListenerWithKa(lis, secureConfig, ka) + return newGRPCServerFromListenerWithKa(lis, serverConfig, ka) } //newGRPCServerFromListenerWithKa creates a new implementation of a GRPCServer given //an existing net.Listener instance with specfied keepalive -func newGRPCServerFromListenerWithKa(listener net.Listener, secureConfig SecureServerConfig, ka *KeepaliveOptions) (GRPCServer, error) { +func newGRPCServerFromListenerWithKa(listener net.Listener, serverConfig ServerConfig, + ka *KeepaliveOptions) (GRPCServer, error) { grpcServer := &grpcServerImpl{ address: listener.Addr().String(), listener: listener, @@ -141,8 +123,9 @@ func newGRPCServerFromListenerWithKa(listener net.Listener, secureConfig SecureS //set up our server options var serverOpts []grpc.ServerOption - //check secureConfig - if secureConfig.UseTLS { + //check SecOpts + secureConfig := serverConfig.SecOpts + if secureConfig != nil && secureConfig.UseTLS { //both key and cert are required if secureConfig.ServerKey != nil && secureConfig.ServerCertificate != nil { grpcServer.tlsEnabled = true @@ -184,7 +167,7 @@ func newGRPCServerFromListenerWithKa(listener net.Listener, secureConfig SecureS creds := NewServerTransportCredentials(grpcServer.tlsConfig) serverOpts = append(serverOpts, grpc.Creds(creds)) } else { - return nil, errors.New("secureConfig must contain both ServerKey and " + + return nil, errors.New("serverConfig.SecOpts must contain both ServerKey and " + "ServerCertificate when UseTLS is true") } } diff --git a/core/comm/server_test.go b/core/comm/server_test.go index 455a8a89711..f3a7250adb8 100644 --- a/core/comm/server_test.go +++ b/core/comm/server_test.go @@ -164,7 +164,7 @@ var ( type testServer struct { address string - config comm.SecureServerConfig + config comm.ServerConfig } type serverCert struct { @@ -195,12 +195,14 @@ func (org *testOrg) testServers(port int, clientRootCAs [][]byte) []testServer { for i, serverCert := range org.serverCerts { testServer := testServer{ fmt.Sprintf("localhost:%d", port+i), - comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: serverCert.certPEM, - ServerKey: serverCert.keyPEM, - RequireClientCert: true, - ClientRootCAs: clientRootCAs, + comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: serverCert.certPEM, + ServerKey: serverCert.keyPEM, + RequireClientCert: true, + ClientRootCAs: clientRootCAs, + }, }, } testServers = append(testServers, testServer) @@ -339,7 +341,8 @@ func TestNewGRPCServerInvalidParameters(t *testing.T) { t.Parallel() //missing address - _, err := comm.NewGRPCServer("", comm.SecureServerConfig{UseTLS: false}) + _, err := comm.NewGRPCServer("", comm.ServerConfig{ + SecOpts: &comm.SecureOptions{UseTLS: false}}) //check for error msg := "Missing address parameter" assert.EqualError(t, err, msg) @@ -348,14 +351,16 @@ func TestNewGRPCServerInvalidParameters(t *testing.T) { } //missing port - _, err = comm.NewGRPCServer("abcdef", comm.SecureServerConfig{UseTLS: false}) + _, err = comm.NewGRPCServer("abcdef", comm.ServerConfig{ + SecOpts: &comm.SecureOptions{UseTLS: false}}) //check for error assert.Error(t, err, "Expected error with missing port") msg = "missing port in address" assert.Contains(t, err.Error(), msg) //bad port - _, err = comm.NewGRPCServer("localhost:1BBB", comm.SecureServerConfig{UseTLS: false}) + _, err = comm.NewGRPCServer("localhost:1BBB", comm.ServerConfig{ + SecOpts: &comm.SecureOptions{UseTLS: false}}) //check for possible errors based on platform and Go release msgs := [3]string{"listen tcp: lookup tcp/1BBB: nodename nor servname provided, or not known", "listen tcp: unknown port tcp/1BBB", "listen tcp: address tcp/1BBB: unknown port"} @@ -369,7 +374,7 @@ func TestNewGRPCServerInvalidParameters(t *testing.T) { //bad hostname _, err = comm.NewGRPCServer("hostdoesnotexist.localdomain:9050", - comm.SecureServerConfig{UseTLS: false}) + comm.ServerConfig{SecOpts: &comm.SecureOptions{UseTLS: false}}) /* We cannot check for a specific error message due to the fact that some systems will automatically resolve unknown host names to a "search" @@ -381,8 +386,10 @@ func TestNewGRPCServerInvalidParameters(t *testing.T) { } //address in use - _, err = comm.NewGRPCServer(":9040", comm.SecureServerConfig{UseTLS: false}) - _, err = comm.NewGRPCServer(":9040", comm.SecureServerConfig{UseTLS: false}) + _, err = comm.NewGRPCServer(":9040", comm.ServerConfig{ + SecOpts: &comm.SecureOptions{UseTLS: false}}) + _, err = comm.NewGRPCServer(":9040", comm.ServerConfig{ + SecOpts: &comm.SecureOptions{UseTLS: false}}) //check for error msg = "listen tcp :9040: bind: address already in use" assert.EqualError(t, err, msg) @@ -392,9 +399,12 @@ func TestNewGRPCServerInvalidParameters(t *testing.T) { //missing serverCertificate _, err = comm.NewGRPCServer(":9041", - comm.SecureServerConfig{UseTLS: true, ServerCertificate: []byte{}}) + comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: []byte{}}}) //check for error - msg = "secureConfig must contain both ServerKey and " + + msg = "serverConfig.SecOpts must contain both ServerKey and " + "ServerCertificate when UseTLS is true" assert.EqualError(t, err, msg) if err != nil { @@ -403,7 +413,10 @@ func TestNewGRPCServerInvalidParameters(t *testing.T) { //missing serverKey _, err = comm.NewGRPCServer(":9042", - comm.SecureServerConfig{UseTLS: true, ServerKey: []byte{}}) + comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: []byte{}}}) //check for error assert.EqualError(t, err, msg) if err != nil { @@ -412,10 +425,11 @@ func TestNewGRPCServerInvalidParameters(t *testing.T) { //bad serverKey _, err = comm.NewGRPCServer(":9043", - comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: []byte(selfSignedCertPEM), - ServerKey: []byte{}}) + comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: []byte(selfSignedCertPEM), + ServerKey: []byte{}}}) //check for error msg = "tls: failed to find any PEM data in key input" @@ -426,10 +440,11 @@ func TestNewGRPCServerInvalidParameters(t *testing.T) { //bad serverCertificate _, err = comm.NewGRPCServer(":9044", - comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: []byte{}, - ServerKey: []byte(selfSignedKeyPEM)}) + comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: []byte{}, + ServerKey: []byte(selfSignedKeyPEM)}}) //check for error msg = "tls: failed to find any PEM data in certificate input" assert.EqualError(t, err, msg) @@ -437,30 +452,13 @@ func TestNewGRPCServerInvalidParameters(t *testing.T) { t.Log(err.Error()) } - //bad clientRootCAs - /** TODO: revisit after figuring out why MSP does not serialize PEMs with type - _, err = comm.NewGRPCServer(":9045", - comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: []byte(selfSignedCertPEM), - ServerKey: []byte(selfSignedKeyPEM), - RequireClientCert: true, - ClientRootCAs: [][]byte{[]byte(pemNoCertificateHeader)}}) - //check for error - msg = "Failed to append client root certificate(s): " + - "No client root certificates found" - assert.EqualError(t, err, msg) - if err != nil { - t.Log(err.Error()) - } - */ - srv, err := comm.NewGRPCServer(":9046", - comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: []byte(selfSignedCertPEM), - ServerKey: []byte(selfSignedKeyPEM), - RequireClientCert: true}) + comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: []byte(selfSignedCertPEM), + ServerKey: []byte(selfSignedKeyPEM), + RequireClientCert: true}}) badRootCAs := [][]byte{[]byte(badPEM)} err = srv.SetClientRootCAs(badRootCAs) //check for error @@ -477,7 +475,7 @@ func TestNewGRPCServer(t *testing.T) { t.Parallel() testAddress := "localhost:9053" srv, err := comm.NewGRPCServer(testAddress, - comm.SecureServerConfig{UseTLS: false}) + comm.ServerConfig{SecOpts: &comm.SecureOptions{UseTLS: false}}) //check for error if err != nil { t.Fatalf("Failed to return new GRPC server: %v", err) @@ -532,7 +530,7 @@ func TestNewGRPCServerFromListener(t *testing.T) { } srv, err := comm.NewGRPCServerFromListener(lis, - comm.SecureServerConfig{UseTLS: false}) + comm.ServerConfig{SecOpts: &comm.SecureOptions{UseTLS: false}}) //check for error if err != nil { t.Fatalf("Failed to return new GRPC server: %v", err) @@ -578,11 +576,11 @@ func TestNewSecureGRPCServer(t *testing.T) { t.Parallel() testAddress := "localhost:9055" - srv, err := comm.NewGRPCServer(testAddress, comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: []byte(selfSignedCertPEM), - ServerKey: []byte(selfSignedKeyPEM), - }) + srv, err := comm.NewGRPCServer(testAddress, comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: []byte(selfSignedCertPEM), + ServerKey: []byte(selfSignedKeyPEM)}}) //check for error if err != nil { t.Fatalf("Failed to return new GRPC server: %v", err) @@ -663,11 +661,11 @@ func TestNewSecureGRPCServerFromListener(t *testing.T) { t.Fatalf("Failed to create listener: %v", err) } - srv, err := comm.NewGRPCServerFromListener(lis, comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: []byte(selfSignedCertPEM), - ServerKey: []byte(selfSignedKeyPEM), - }) + srv, err := comm.NewGRPCServerFromListener(lis, comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: []byte(selfSignedCertPEM), + ServerKey: []byte(selfSignedKeyPEM)}}) //check for error if err != nil { t.Fatalf("Failed to return new GRPC server: %v", err) @@ -745,11 +743,11 @@ func TestWithSignedRootCertificates(t *testing.T) { t.Fatalf("Failed to create listener: %v", err) } - srv, err := comm.NewGRPCServerFromListener(lis, comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: certPEMBlock, - ServerKey: keyPEMBlock, - }) + srv, err := comm.NewGRPCServerFromListener(lis, comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: certPEMBlock, + ServerKey: keyPEMBlock}}) //check for error if err != nil { t.Fatalf("Failed to return new GRPC server: %v", err) @@ -824,11 +822,11 @@ func TestWithSignedIntermediateCertificates(t *testing.T) { t.Fatalf("Failed to create listener: %v", err) } - srv, err := comm.NewGRPCServerFromListener(lis, comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: certPEMBlock, - ServerKey: keyPEMBlock, - }) + srv, err := comm.NewGRPCServerFromListener(lis, comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: certPEMBlock, + ServerKey: keyPEMBlock}}) //check for error if err != nil { t.Fatalf("Failed to return new GRPC server: %v", err) @@ -1381,7 +1379,7 @@ func TestKeepaliveNoClientResponse(t *testing.T) { } comm.SetKeepaliveOptions(kap) testAddress := "localhost:9400" - srv, err := comm.NewGRPCServer(testAddress, comm.SecureServerConfig{}) + srv, err := comm.NewGRPCServer(testAddress, comm.ServerConfig{}) assert.NoError(t, err, "Unexpected error starting GRPCServer") go srv.Start() defer srv.Stop() @@ -1413,7 +1411,7 @@ func TestKeepaliveClientResponse(t *testing.T) { } comm.SetKeepaliveOptions(kap) testAddress := "localhost:9401" - srv, err := comm.NewGRPCServer(testAddress, comm.SecureServerConfig{}) + srv, err := comm.NewGRPCServer(testAddress, comm.ServerConfig{}) assert.NoError(t, err, "Unexpected error starting GRPCServer") go srv.Start() defer srv.Stop() diff --git a/core/comm/util_test.go b/core/comm/util_test.go index 880b1b72af7..8989097fea2 100644 --- a/core/comm/util_test.go +++ b/core/comm/util_test.go @@ -129,11 +129,12 @@ func (is *inspectingServer) inspect(envelope *common.Envelope) error { } func newInspectingServer(addr string, inspector comm.BindingInspector) *inspectingServer { - srv, err := comm.NewGRPCServer(addr, comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: []byte(selfSignedCertPEM), - ServerKey: []byte(selfSignedKeyPEM), - }) + srv, err := comm.NewGRPCServer(addr, comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: []byte(selfSignedCertPEM), + ServerKey: []byte(selfSignedKeyPEM), + }}) if err != nil { panic(err) } diff --git a/core/peer/config.go b/core/peer/config.go index d10ddd55fed..a1ecefa20d8 100644 --- a/core/peer/config.go +++ b/core/peer/config.go @@ -112,46 +112,46 @@ func GetPeerEndpoint() (*pb.PeerEndpoint, error) { return peerEndpoint, peerEndpointError } -// GetSecureConfig returns the secure server configuration for the peer -func GetSecureConfig() (comm.SecureServerConfig, error) { - secureConfig := comm.SecureServerConfig{ +// GetServerConfig returns the gRPC server configuration for the peer +func GetServerConfig() (comm.ServerConfig, error) { + secureOptions := &comm.SecureOptions{ UseTLS: viper.GetBool("peer.tls.enabled"), } - if secureConfig.UseTLS { + serverConfig := comm.ServerConfig{SecOpts: secureOptions} + if secureOptions.UseTLS { // get the certs from the file system serverKey, err := ioutil.ReadFile(config.GetPath("peer.tls.key.file")) if err != nil { - return secureConfig, fmt.Errorf("error loading TLS key (%s)", err) + return serverConfig, fmt.Errorf("error loading TLS key (%s)", err) } serverCert, err := ioutil.ReadFile(config.GetPath("peer.tls.cert.file")) if err != nil { - return secureConfig, fmt.Errorf("error loading TLS certificate (%s)", err) + return serverConfig, fmt.Errorf("error loading TLS certificate (%s)", err) } - secureConfig.ServerCertificate = serverCert - secureConfig.ServerKey = serverKey - secureConfig.RequireClientCert = viper.GetBool("peer.tls.clientAuthRequired") - if secureConfig.RequireClientCert { + secureOptions.ServerCertificate = serverCert + secureOptions.ServerKey = serverKey + secureOptions.RequireClientCert = viper.GetBool("peer.tls.clientAuthRequired") + if secureOptions.RequireClientCert { var clientRoots [][]byte for _, file := range viper.GetStringSlice("peer.tls.clientRootCAs.files") { clientRoot, err := ioutil.ReadFile( config.TranslatePath(filepath.Dir(viper.ConfigFileUsed()), file)) if err != nil { - return secureConfig, + return serverConfig, fmt.Errorf("error loading client root CAs (%s)", err) } clientRoots = append(clientRoots, clientRoot) } - secureConfig.ClientRootCAs = clientRoots + secureOptions.ClientRootCAs = clientRoots } // check for root cert if config.GetPath("peer.tls.rootcert.file") != "" { rootCert, err := ioutil.ReadFile(config.GetPath("peer.tls.rootcert.file")) if err != nil { - return secureConfig, fmt.Errorf("error loading TLS root certificate (%s)", err) + return serverConfig, fmt.Errorf("error loading TLS root certificate (%s)", err) } - secureConfig.ServerRootCAs = [][]byte{rootCert} + secureOptions.ServerRootCAs = [][]byte{rootCert} } - return secureConfig, nil } - return secureConfig, nil + return serverConfig, nil } diff --git a/core/peer/config_test.go b/core/peer/config_test.go index cb60bd51834..f2d411b5438 100644 --- a/core/peer/config_test.go +++ b/core/peer/config_test.go @@ -115,39 +115,40 @@ func TestConfiguration(t *testing.T) { } } -func TestGetSecureConfig(t *testing.T) { +func TestGetServerConfig(t *testing.T) { // good config without TLS viper.Set("peer.tls.enabled", false) - sc, _ := GetSecureConfig() - assert.Equal(t, false, sc.UseTLS, "SecureConfig.UseTLS should be false") + sc, _ := GetServerConfig() + assert.Equal(t, false, sc.SecOpts.UseTLS, + "ServerConfig.SecOpts.UseTLS should be false") // good config with TLS viper.Set("peer.tls.enabled", true) viper.Set("peer.tls.cert.file", filepath.Join("testdata", "Org1-server1-cert.pem")) viper.Set("peer.tls.key.file", filepath.Join("testdata", "Org1-server1-key.pem")) viper.Set("peer.tls.rootcert.file", filepath.Join("testdata", "Org1-cert.pem")) - sc, _ = GetSecureConfig() - assert.Equal(t, true, sc.UseTLS, "SecureConfig.UseTLS should be true") - assert.Equal(t, false, sc.RequireClientCert, - "SecureConfig.RequireClientCert should be false") + sc, _ = GetServerConfig() + assert.Equal(t, true, sc.SecOpts.UseTLS, "ServerConfig.SecOpts.UseTLS should be true") + assert.Equal(t, false, sc.SecOpts.RequireClientCert, + "ServerConfig.SecOpts.RequireClientCert should be false") viper.Set("peer.tls.clientAuthRequired", true) viper.Set("peer.tls.clientRootCAs.files", []string{filepath.Join("testdata", "Org1-cert.pem"), filepath.Join("testdata", "Org2-cert.pem")}) - sc, _ = GetSecureConfig() - assert.Equal(t, true, sc.RequireClientCert, - "SecureConfig.RequireClientCert should be true") - assert.Equal(t, 2, len(sc.ClientRootCAs), - "SecureConfig.ClientRootCAs should contain 2 entries") + sc, _ = GetServerConfig() + assert.Equal(t, true, sc.SecOpts.RequireClientCert, + "ServerConfig.SecOpts.RequireClientCert should be true") + assert.Equal(t, 2, len(sc.SecOpts.ClientRootCAs), + "ServerConfig.SecOpts.ClientRootCAs should contain 2 entries") // bad config with TLS viper.Set("peer.tls.rootcert.file", filepath.Join("testdata", "Org11-cert.pem")) - _, err := GetSecureConfig() - assert.Error(t, err, "GetSecureConfig should return error with bad root cert path") + _, err := GetServerConfig() + assert.Error(t, err, "GetServerConfig should return error with bad root cert path") viper.Set("peer.tls.cert.file", filepath.Join("testdata", "Org11-cert.pem")) - _, err = GetSecureConfig() - assert.Error(t, err, "GetSecureConfig should return error with bad tls cert path") + _, err = GetServerConfig() + assert.Error(t, err, "GetServerConfig should return error with bad tls cert path") // disable TLS for remaining tests viper.Set("peer.tls.enabled", false) diff --git a/core/peer/peer.go b/core/peer/peer.go index 9e7c64171dd..5cf04716c8f 100644 --- a/core/peer/peer.go +++ b/core/peer/peer.go @@ -459,11 +459,11 @@ func GetCurrConfigBlock(cid string) *common.Block { func updateTrustedRoots(cm channelconfig.Resources) { // this is triggered on per channel basis so first update the roots for the channel peerLogger.Debugf("Updating trusted root authorities for channel %s", cm.ConfigtxValidator().ChainID()) - var secureConfig comm.SecureServerConfig + var serverConfig comm.ServerConfig var err error // only run is TLS is enabled - secureConfig, err = GetSecureConfig() - if err == nil && secureConfig.UseTLS { + serverConfig, err = GetServerConfig() + if err == nil && serverConfig.SecOpts.UseTLS { buildTrustedRootsForChain(cm) // now iterate over all roots for all app and orderer chains @@ -474,11 +474,11 @@ func updateTrustedRoots(cm channelconfig.Resources) { trustedRoots = append(trustedRoots, roots...) } // also need to append statically configured root certs - if len(secureConfig.ClientRootCAs) > 0 { - trustedRoots = append(trustedRoots, secureConfig.ClientRootCAs...) + if len(serverConfig.SecOpts.ClientRootCAs) > 0 { + trustedRoots = append(trustedRoots, serverConfig.SecOpts.ClientRootCAs...) } - if len(secureConfig.ServerRootCAs) > 0 { - trustedRoots = append(trustedRoots, secureConfig.ServerRootCAs...) + if len(serverConfig.SecOpts.ServerRootCAs) > 0 { + trustedRoots = append(trustedRoots, serverConfig.SecOpts.ServerRootCAs...) } server := GetPeerServer() @@ -667,10 +667,10 @@ func (c *channelPolicyManagerGetter) Manager(channelID string) (policies.Manager // CreatePeerServer creates an instance of comm.GRPCServer // This server is used for peer communications func CreatePeerServer(listenAddress string, - secureConfig comm.SecureServerConfig) (comm.GRPCServer, error) { + serverConfig comm.ServerConfig) (comm.GRPCServer, error) { var err error - peerServer, err = comm.NewGRPCServer(listenAddress, secureConfig) + peerServer, err = comm.NewGRPCServer(listenAddress, serverConfig) if err != nil { peerLogger.Errorf("Failed to create peer server (%s)", err) return nil, err diff --git a/core/peer/peer_test.go b/core/peer/peer_test.go index fc4eece6f16..b3a9bd36e7e 100644 --- a/core/peer/peer_test.go +++ b/core/peer/peer_test.go @@ -65,13 +65,13 @@ func (*mockDeliveryClientFactory) Service(g service.GossipService, endpoints []s func TestCreatePeerServer(t *testing.T) { - server, err := CreatePeerServer(":4050", comm.SecureServerConfig{}) + server, err := CreatePeerServer(":4050", comm.ServerConfig{}) assert.NoError(t, err, "CreatePeerServer returned unexpected error") assert.Equal(t, "[::]:4050", server.Address(), "CreatePeerServer returned the wrong address") server.Stop() - _, err = CreatePeerServer("", comm.SecureServerConfig{}) + _, err = CreatePeerServer("", comm.ServerConfig{}) assert.Error(t, err, "expected CreatePeerServer to return error with missing address") } diff --git a/core/peer/pkg_test.go b/core/peer/pkg_test.go index 98046036b89..91d344a2d7e 100644 --- a/core/peer/pkg_test.go +++ b/core/peer/pkg_test.go @@ -222,7 +222,7 @@ func TestUpdateRootsFromConfigBlock(t *testing.T) { var tests = []struct { name string listenAddress string - secureConfig comm.SecureServerConfig + serverConfig comm.ServerConfig createChannel func() goodOptions []grpc.DialOption badOptions []grpc.DialOption @@ -233,12 +233,14 @@ func TestUpdateRootsFromConfigBlock(t *testing.T) { { name: "MutualTLSOrg1Org1", listenAddress: fmt.Sprintf("localhost:%d", 4051), - secureConfig: comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: org1Server1Cert, - ServerKey: org1Server1Key, - ServerRootCAs: [][]byte{org1CA}, - RequireClientCert: true, + serverConfig: comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: org1Server1Cert, + ServerKey: org1Server1Key, + ServerRootCAs: [][]byte{org1CA}, + RequireClientCert: true, + }, }, createChannel: func() { createChannel("channel1", channel1Block) }, goodOptions: []grpc.DialOption{grpc.WithTransportCredentials(org1Creds)}, @@ -249,12 +251,14 @@ func TestUpdateRootsFromConfigBlock(t *testing.T) { { name: "MutualTLSOrg1Org2", listenAddress: fmt.Sprintf("localhost:%d", 4052), - secureConfig: comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: org1Server1Cert, - ServerKey: org1Server1Key, - ServerRootCAs: [][]byte{org1CA}, - RequireClientCert: true, + serverConfig: comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: org1Server1Cert, + ServerKey: org1Server1Key, + ServerRootCAs: [][]byte{org1CA}, + RequireClientCert: true, + }, }, createChannel: func() { createChannel("channel2", channel2Block) }, goodOptions: []grpc.DialOption{ @@ -267,12 +271,14 @@ func TestUpdateRootsFromConfigBlock(t *testing.T) { { name: "MutualTLSOrg1Org2Intermediate", listenAddress: fmt.Sprintf("localhost:%d", 4053), - secureConfig: comm.SecureServerConfig{ - UseTLS: true, - ServerCertificate: org1Server1Cert, - ServerKey: org1Server1Key, - ServerRootCAs: [][]byte{org1CA}, - RequireClientCert: true, + serverConfig: comm.ServerConfig{ + SecOpts: &comm.SecureOptions{ + UseTLS: true, + ServerCertificate: org1Server1Cert, + ServerKey: org1Server1Key, + ServerRootCAs: [][]byte{org1CA}, + RequireClientCert: true, + }, }, createChannel: func() { createChannel("channel3", channel3Block) }, goodOptions: []grpc.DialOption{ @@ -288,7 +294,7 @@ func TestUpdateRootsFromConfigBlock(t *testing.T) { test := test t.Run(test.name, func(t *testing.T) { t.Logf("Running test %s ...", test.name) - _, err := peer.CreatePeerServer(test.listenAddress, test.secureConfig) + _, err := peer.CreatePeerServer(test.listenAddress, test.serverConfig) if err != nil { t.Fatalf("CreatePeerServer failed with error [%s]", err) } else { diff --git a/orderer/common/server/main.go b/orderer/common/server/main.go index d4dd2a093ec..f2b228cdd2b 100644 --- a/orderer/common/server/main.go +++ b/orderer/common/server/main.go @@ -77,12 +77,12 @@ func Main() { // Start provides a layer of abstraction for benchmark test func Start(cmd string, conf *config.TopLevel) { signer := localmsp.NewSigner() - secureConfig := initializeSecureServerConfig(conf) - grpcServer := initializeGrpcServer(conf, secureConfig) + serverConfig := initializeServerConfig(conf) + grpcServer := initializeGrpcServer(conf, serverConfig) caSupport := &comm.CASupport{ AppRootCAsByChain: make(map[string][][]byte), OrdererRootCAsByChain: make(map[string][][]byte), - ClientRootCAs: secureConfig.ClientRootCAs, + ClientRootCAs: serverConfig.SecOpts.ClientRootCAs, } tlsCallback := func(bundle *channelconfig.Bundle) { // only need to do this if mutual TLS is required @@ -126,14 +126,14 @@ func initializeProfilingService(conf *config.TopLevel) { } } -func initializeSecureServerConfig(conf *config.TopLevel) comm.SecureServerConfig { +func initializeServerConfig(conf *config.TopLevel) comm.ServerConfig { // secure server config - secureConfig := comm.SecureServerConfig{ + secureOpts := &comm.SecureOptions{ UseTLS: conf.General.TLS.Enabled, RequireClientCert: conf.General.TLS.ClientAuthEnabled, } // check to see if TLS is enabled - if secureConfig.UseTLS { + if secureOpts.UseTLS { msg := "TLS" // load crypto material from files serverCertificate, err := ioutil.ReadFile(conf.General.TLS.Certificate) @@ -155,7 +155,7 @@ func initializeSecureServerConfig(conf *config.TopLevel) comm.SecureServerConfig } serverRootCAs = append(serverRootCAs, root) } - if secureConfig.RequireClientCert { + if secureOpts.RequireClientCert { for _, clientRoot := range conf.General.TLS.ClientRootCAs { root, err := ioutil.ReadFile(clientRoot) if err != nil { @@ -166,13 +166,13 @@ func initializeSecureServerConfig(conf *config.TopLevel) comm.SecureServerConfig } msg = "mutual TLS" } - secureConfig.ServerKey = serverKey - secureConfig.ServerCertificate = serverCertificate - secureConfig.ServerRootCAs = serverRootCAs - secureConfig.ClientRootCAs = clientRootCAs + secureOpts.ServerKey = serverKey + secureOpts.ServerCertificate = serverCertificate + secureOpts.ServerRootCAs = serverRootCAs + secureOpts.ClientRootCAs = clientRootCAs logger.Infof("Starting orderer with %s enabled", msg) } - return secureConfig + return comm.ServerConfig{SecOpts: secureOpts} } func initializeBootstrapChannel(conf *config.TopLevel, lf ledger.Factory) { @@ -203,14 +203,14 @@ func initializeBootstrapChannel(conf *config.TopLevel, lf ledger.Factory) { } } -func initializeGrpcServer(conf *config.TopLevel, secureConfig comm.SecureServerConfig) comm.GRPCServer { +func initializeGrpcServer(conf *config.TopLevel, serverConfig comm.ServerConfig) comm.GRPCServer { lis, err := net.Listen("tcp", fmt.Sprintf("%s:%d", conf.General.ListenAddress, conf.General.ListenPort)) if err != nil { logger.Fatal("Failed to listen:", err) } // Create GRPC server - return if an error occurs - grpcServer, err := comm.NewGRPCServerFromListener(lis, secureConfig) + grpcServer, err := comm.NewGRPCServerFromListener(lis, serverConfig) if err != nil { logger.Fatal("Failed to return new GRPC server:", err) } diff --git a/orderer/common/server/main_test.go b/orderer/common/server/main_test.go index 022e12f372b..885005418c4 100644 --- a/orderer/common/server/main_test.go +++ b/orderer/common/server/main_test.go @@ -75,8 +75,8 @@ func TestInitializeProfilingService(t *testing.T) { } } -func TestInitializeSecureServerConfig(t *testing.T) { - initializeSecureServerConfig( +func TestInitializeServerConfig(t *testing.T) { + initializeServerConfig( &config.TopLevel{ General: config.General{ TLS: config.TLS{ @@ -113,7 +113,7 @@ func TestInitializeSecureServerConfig(t *testing.T) { for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { assert.Panics(t, func() { - initializeSecureServerConfig( + initializeServerConfig( &config.TopLevel{ General: config.General{ TLS: config.TLS{ @@ -247,7 +247,7 @@ func TestInitializeGrpcServer(t *testing.T) { }, } assert.NotPanics(t, func() { - grpcServer := initializeGrpcServer(conf, initializeSecureServerConfig(conf)) + grpcServer := initializeGrpcServer(conf, initializeServerConfig(conf)) grpcServer.Listener().Close() }) } @@ -271,7 +271,7 @@ func TestUpdateTrustedRoots(t *testing.T) { }, }, } - grpcServer := initializeGrpcServer(conf, initializeSecureServerConfig(conf)) + grpcServer := initializeGrpcServer(conf, initializeServerConfig(conf)) caSupport := &comm.CASupport{ AppRootCAsByChain: make(map[string][][]byte), OrdererRootCAsByChain: make(map[string][][]byte), @@ -302,7 +302,7 @@ func TestUpdateTrustedRoots(t *testing.T) { }, }, } - grpcServer = initializeGrpcServer(conf, initializeSecureServerConfig(conf)) + grpcServer = initializeGrpcServer(conf, initializeServerConfig(conf)) caSupport = &comm.CASupport{ AppRootCAsByChain: make(map[string][][]byte), OrdererRootCAsByChain: make(map[string][][]byte), diff --git a/peer/node/start.go b/peer/node/start.go index 512d5c6f702..fee3670ddf4 100644 --- a/peer/node/start.go +++ b/peer/node/start.go @@ -133,24 +133,24 @@ func serve(args []string) error { listenAddr := viper.GetString("peer.listenAddress") - secureConfig, err := peer.GetSecureConfig() + serverConfig, err := peer.GetServerConfig() if err != nil { logger.Fatalf("Error loading secure config for peer (%s)", err) } - peerServer, err := peer.CreatePeerServer(listenAddr, secureConfig) + peerServer, err := peer.CreatePeerServer(listenAddr, serverConfig) if err != nil { logger.Fatalf("Failed to create peer server (%s)", err) } - if secureConfig.UseTLS { + if serverConfig.SecOpts.UseTLS { logger.Info("Starting peer with TLS enabled") // set up credential support cs := comm.GetCredentialSupport() - cs.ServerRootCAs = secureConfig.ServerRootCAs + cs.ServerRootCAs = serverConfig.SecOpts.ServerRootCAs } //TODO - do we need different SSL material for events ? - ehubGrpcServer, err := createEventHubServer(secureConfig) + ehubGrpcServer, err := createEventHubServer(serverConfig) if err != nil { grpclog.Fatalf("Failed to create ehub server: %v", err) } @@ -309,14 +309,14 @@ func createChaincodeServer(caCert []byte, peerHostname string) (comm.GRPCServer, var srv comm.GRPCServer var ccEpFunc ccEndpointFunc - config, err := peer.GetSecureConfig() + config, err := peer.GetServerConfig() if err != nil { panic(err) } - if config.UseTLS { - config.RequireClientCert = true - config.ClientRootCAs = append(config.ClientRootCAs, caCert) + if config.SecOpts.UseTLS { + config.SecOpts.RequireClientCert = true + config.SecOpts.ClientRootCAs = append(config.SecOpts.ClientRootCAs, caCert) } srv, err = comm.NewChaincodeGRPCServer(cclistenAddress, config) @@ -372,7 +372,7 @@ func registerChaincodeSupport(grpcServer comm.GRPCServer, ccEpFunc ccEndpointFun pb.RegisterChaincodeSupportServer(grpcServer.Server(), ccSrv) } -func createEventHubServer(secureConfig comm.SecureServerConfig) (comm.GRPCServer, error) { +func createEventHubServer(serverConfig comm.ServerConfig) (comm.GRPCServer, error) { var lis net.Listener var err error lis, err = net.Listen("tcp", viper.GetString("peer.events.address")) @@ -380,7 +380,7 @@ func createEventHubServer(secureConfig comm.SecureServerConfig) (comm.GRPCServer return nil, fmt.Errorf("failed to listen: %v", err) } - grpcServer, err := comm.NewGRPCServerFromListener(lis, secureConfig) + grpcServer, err := comm.NewGRPCServerFromListener(lis, serverConfig) if err != nil { logger.Errorf("Failed to return new GRPC server: %s", err) return nil, err diff --git a/peer/node/status_test.go b/peer/node/status_test.go index 268a1d4ee87..9427fd36bdf 100644 --- a/peer/node/status_test.go +++ b/peer/node/status_test.go @@ -38,7 +38,7 @@ func (tss *testServiceServer) EmptyCall(context.Context, *testpb.Empty) (*testpb func TestStatusCmd(t *testing.T) { viper.Set("peer.address", "localhost:7070") - peerServer, err := peer.CreatePeerServer("localhost:7070", comm.SecureServerConfig{}) + peerServer, err := peer.CreatePeerServer("localhost:7070", comm.ServerConfig{}) if err != nil { t.Fatalf("Failed to create peer server (%s)", err) } else { @@ -80,7 +80,7 @@ func TestStatus(t *testing.T) { t.Run(test.name, func(t *testing.T) { t.Logf("Running test: %s", test.name) viper.Set("peer.address", test.peerAddress) - peerServer, err := peer.CreatePeerServer(test.listenAddress, comm.SecureServerConfig{}) + peerServer, err := peer.CreatePeerServer(test.listenAddress, comm.ServerConfig{}) if err != nil { t.Fatalf("Failed to create peer server (%s)", err) } else { @@ -99,7 +99,7 @@ func TestStatus(t *testing.T) { func TestStatusWithGetStatusError(t *testing.T) { viper.Set("peer.address", "localhost:7073") - peerServer, err := peer.CreatePeerServer(":7073", comm.SecureServerConfig{}) + peerServer, err := peer.CreatePeerServer(":7073", comm.ServerConfig{}) if err != nil { t.Fatalf("Failed to create peer server (%s)", err) }