added p2p tls creds

Signed-off-by: Mikhail Boldyrev <miboldyrev@gmail.com>
hyperledger · Oct 13, 2019 · 7d776e9 · 7d776e9
1 parent a97d630
commit 7d776e9
Show file tree

Hide file tree

Showing 21 changed files with 281 additions and 221 deletions.
diff --git a/irohad/main/CMakeLists.txt b/irohad/main/CMakeLists.txt
@@ -7,7 +7,6 @@ set(EXECUTABLE_OUTPUT_PATH ${PROJECT_BINARY_DIR}/bin)
 
 add_library(server_runner
     server_runner.cpp
-    tls_keypair.cpp
     )
 target_link_libraries(server_runner
     logger
@@ -48,6 +47,7 @@ add_library(application
     )
 target_link_libraries(application
     PRIVATE
+    tls_credentials
     yac
     yac_transport
     PUBLIC

diff --git a/irohad/main/application.cpp b/irohad/main/application.cpp
@@ -41,6 +41,7 @@
 #include "multi_sig_transactions/transport/mst_transport_stub.hpp"
 #include "network/impl/block_loader_impl.hpp"
 #include "network/impl/peer_communication_service_impl.hpp"
+#include "network/impl/tls_credentials.hpp"
 #include "ordering/impl/kick_out_proposal_creation_strategy.hpp"
 #include "ordering/impl/on_demand_common.hpp"
 #include "ordering/impl/on_demand_ordering_gate.hpp"
@@ -81,24 +82,26 @@ static constexpr iroha::consensus::yac::ConsistencyModel
 /**
  * Configuring iroha daemon
  */
-Irohad::Irohad(const boost::optional<std::string> &block_store_dir,
-               std::unique_ptr<ametsuchi::PostgresOptions> pg_opt,
-               const std::string &listen_ip,
-               size_t torii_port,
-               size_t internal_port,
-               size_t max_proposal_size,
-               std::chrono::milliseconds proposal_delay,
-               std::chrono::milliseconds vote_delay,
-               std::chrono::minutes mst_expiration_time,
-               const shared_model::crypto::Keypair &keypair,
-               std::chrono::milliseconds max_rounds_delay,
-               size_t stale_stream_max_rounds,
-               boost::optional<shared_model::interface::types::PeerList>
-                   opt_alternative_peers,
-               logger::LoggerManagerTreePtr logger_manager,
-               const boost::optional<GossipPropagationStrategyParams>
-                   &opt_mst_gossip_params,
-               const boost::optional<iroha::torii::TlsParams> &torii_tls_params)
+Irohad::Irohad(
+    const boost::optional<std::string> &block_store_dir,
+    std::unique_ptr<ametsuchi::PostgresOptions> pg_opt,
+    const std::string &listen_ip,
+    size_t torii_port,
+    size_t internal_port,
+    size_t max_proposal_size,
+    std::chrono::milliseconds proposal_delay,
+    std::chrono::milliseconds vote_delay,
+    std::chrono::minutes mst_expiration_time,
+    const shared_model::crypto::Keypair &keypair,
+    std::chrono::milliseconds max_rounds_delay,
+    size_t stale_stream_max_rounds,
+    boost::optional<shared_model::interface::types::PeerList>
+        opt_alternative_peers,
+    logger::LoggerManagerTreePtr logger_manager,
+    const boost::optional<GossipPropagationStrategyParams>
+        &opt_mst_gossip_params,
+    const boost::optional<iroha::torii::TlsParams> &torii_tls_params,
+    boost::optional<IrohadConfig::InterPeerTls> inter_peer_tls_config)
     : block_store_dir_(block_store_dir),
       listen_ip_(listen_ip),
       torii_port_(torii_port),
@@ -113,6 +116,7 @@ Irohad::Irohad(const boost::optional<std::string> &block_store_dir,
       stale_stream_max_rounds_(stale_stream_max_rounds),
       opt_alternative_peers_(std::move(opt_alternative_peers)),
       opt_mst_gossip_params_(opt_mst_gossip_params),
+      inter_peer_tls_config_(std::move(inter_peer_tls_config)),
       pending_txs_storage_init(
           std::make_unique<PendingTransactionStorageInit>()),
       keypair(keypair),
@@ -150,6 +154,7 @@ Irohad::RunResult Irohad::init() {
                                       // to be sure it is consistent
   }
   | [this]{ return restoreWsv();}
+  | [this]{ return initTlsCredentials();}
   | [this]{ return initCryptoProvider();}
   | [this]{ return initBatchParser();}
   | [this]{ return initValidators();}
@@ -316,6 +321,38 @@ Irohad::RunResult Irohad::restoreWsv() {
   };
 }
 
+/**
+ * Initializing own TLS credentials.
+ */
+Irohad::RunResult Irohad::initTlsCredentials() {
+  const auto &p2p_path = inter_peer_tls_config_ |
+      [](const auto &p2p_config) { return p2p_config.my_tls_creds_path; };
+  const auto &torii_path = torii_tls_params_ | [](const auto &torii_config) {
+    return boost::make_optional(torii_config.key_path);
+  };
+
+  auto load_tls_creds = [this](const auto &opt_path,
+                               const auto &description,
+                               auto &destination) -> RunResult {
+    if (opt_path) {
+      return TlsCredentials::load(opt_path.value()) |
+                 [&](auto &&tls_creds) -> RunResult {
+        destination = std::move(tls_creds);
+        return {};
+        log_->debug("Loaded my {} TLS credentials from '{}'.",
+                    description,
+                    opt_path.value());
+      };
+    }
+    return {};
+  };
+
+  return load_tls_creds(p2p_path, "inter peer", my_inter_peer_tls_creds_) |
+      [&, this] {
+        return load_tls_creds(torii_path, "torii", this->torii_tls_creds_);
+      };
+}
+
 /**
  * Initializing crypto provider
  */
@@ -848,27 +885,20 @@ Irohad::RunResult Irohad::run() {
       | make_port_logger("Torii");
 
   // Run torii TLS server
-  if (torii_tls_params_) {
-    auto tls_keypair =
-        TlsKeypairFactory().readFromFiles(torii_tls_params_->key_path);
-    if (not tls_keypair) {
-      return expected::makeError("Failed to read TLS keypair from "
-                                 + torii_tls_params_->key_path);
-    }
-
+  torii_tls_creds_ | [&, this](const auto &tls_creds) {
     run_result |= [&, this] {
       torii_tls_server = std::make_unique<ServerRunner>(
           listen_ip_ + ":" + std::to_string(torii_tls_params_->port),
           log_manager_->getChild("ToriiTlsServerRunner")->getLogger(),
           false,
-          tls_keypair);
+          tls_creds);
       return (*torii_tls_server)
                  ->append(command_service_transport)
                  .append(query_service)
                  .run()
           | make_port_logger("Torii TLS");
     };
-  }
+  };
 
   // Run internal server
   run_result |= [&, this] {

diff --git a/irohad/main/application.hpp b/irohad/main/application.hpp
@@ -16,6 +16,7 @@
 #include "logger/logger_manager_fwd.hpp"
 #include "main/impl/block_loader_init.hpp"
 #include "main/impl/on_demand_ordering_init.hpp"
+#include "main/iroha_conf_loader.hpp"
 #include "main/server_runner.hpp"
 #include "multi_sig_transactions/gossip_propagation_strategy_params.hpp"
 #include "torii/tls_params.hpp"
@@ -43,6 +44,7 @@ namespace iroha {
     class PeerCommunicationService;
     class MstTransport;
     class OrderingGate;
+    struct TlsCredentials;
   }  // namespace network
   namespace simulator {
     class Simulator;
@@ -105,6 +107,7 @@ class Irohad {
    * TODO mboldyrev 03.11.2018 IR-1844 Refactor the constructor.
    * @param torii_tls_params - optional TLS params for torii.
    * @see iroha::torii::TlsParams
+   * @param inter_peer_tls_config - set up TLS in peer-to-peer communication
    */
   Irohad(const boost::optional<std::string> &block_store_dir,
          std::unique_ptr<iroha::ametsuchi::PostgresOptions> pg_opt,
@@ -124,6 +127,8 @@ class Irohad {
          const boost::optional<iroha::GossipPropagationStrategyParams>
              &opt_mst_gossip_params = boost::none,
          const boost::optional<iroha::torii::TlsParams> &torii_tls_params =
+             boost::none,
+         boost::optional<IrohadConfig::InterPeerTls> inter_peer_tls_config =
              boost::none);
 
   /**
@@ -155,6 +160,8 @@ class Irohad {
   virtual RunResult initStorage(
       std::unique_ptr<iroha::ametsuchi::PostgresOptions> pg_opt);
 
+  RunResult initTlsCredentials();
+
   virtual RunResult initCryptoProvider();
 
   virtual RunResult initBatchParser();
@@ -217,6 +224,12 @@ class Irohad {
       opt_alternative_peers_;
   boost::optional<iroha::GossipPropagationStrategyParams>
       opt_mst_gossip_params_;
+  boost::optional<IrohadConfig::InterPeerTls> inter_peer_tls_config_;
+
+  boost::optional<std::shared_ptr<const iroha::network::TlsCredentials>>
+      my_inter_peer_tls_creds_;
+  boost::optional<std::shared_ptr<const iroha::network::TlsCredentials>>
+      torii_tls_creds_;
 
   std::unique_ptr<iroha::PendingTransactionStorageInit>
       pending_txs_storage_init;
@@ -340,9 +353,10 @@ class Irohad {
   rxcpp::subjects::subject<iroha::consensus::GateObject> consensus_gate_objects;
   rxcpp::composite_subscription consensus_gate_events_subscription;
 
-  std::unique_ptr<ServerRunner> torii_server;
-  boost::optional<std::unique_ptr<ServerRunner>> torii_tls_server = boost::none;
-  std::unique_ptr<ServerRunner> internal_server;
+  std::unique_ptr<iroha::network::ServerRunner> torii_server;
+  boost::optional<std::unique_ptr<iroha::network::ServerRunner>>
+      torii_tls_server = boost::none;
+  std::unique_ptr<iroha::network::ServerRunner> internal_server;
 
   logger::LoggerManagerTreePtr log_manager_;  ///< application root log manager
 

diff --git a/irohad/main/iroha_conf_literals.cpp b/irohad/main/iroha_conf_literals.cpp
@@ -9,6 +9,7 @@ namespace config_members {
   const char *BlockStorePath = "block_store_path";
   const char *ToriiPort = "torii_port";
   const char *ToriiTlsParams = "torii_tls_params";
+  const char *InterPeerTls = "inter_peer_tls";
   const char *InternalPort = "internal_port";
   const char *KeyPairPath = "key_pair_path";
   const char *PgOpt = "pg_opt";

diff --git a/irohad/main/iroha_conf_literals.hpp b/irohad/main/iroha_conf_literals.hpp
@@ -15,6 +15,7 @@ namespace config_members {
   extern const char *BlockStorePath;
   extern const char *ToriiPort;
   extern const char *ToriiTlsParams;
+  extern const char *InterPeerTls;
   extern const char *InternalPort;
   extern const char *KeyPairPath;
   extern const char *PgOpt;

diff --git a/irohad/main/iroha_conf_loader.cpp b/irohad/main/iroha_conf_loader.cpp
@@ -377,6 +377,16 @@ inline void JsonDeserializerImpl::getVal<iroha::torii::TlsParams>(
   getValByKey(path, dest.key_path, obj, config_members::KeyPairPath);
 }
 
+template <>
+inline void JsonDeserializerImpl::getVal<IrohadConfig::InterPeerTls>(
+    const std::string &path,
+    IrohadConfig::InterPeerTls &dest,
+    const rapidjson::Value &src) {
+  assert_fatal(src.IsObject(), path + " must be a dictionary");
+  const auto obj = src.GetObject();
+  getValByKey(path, dest.my_tls_creds_path, obj, config_members::KeyPairPath);
+}
+
 template <>
 inline void JsonDeserializerImpl::getVal<IrohadConfig::DbConfig>(
     const std::string &path,
@@ -403,6 +413,7 @@ inline void JsonDeserializerImpl::getVal<IrohadConfig>(
   getValByKey(path, dest.block_store_path, obj, config_members::BlockStorePath);
   getValByKey(path, dest.torii_port, obj, config_members::ToriiPort);
   getValByKey(path, dest.torii_tls_params, obj, config_members::ToriiTlsParams);
+  getValByKey(path, dest.inter_peer_tls, obj, config_members::InterPeerTls);
   getValByKey(path, dest.internal_port, obj, config_members::InternalPort);
   getValByKey(path, dest.pg_opt, obj, config_members::PgOpt);
   getValByKey(path, dest.database_config, obj, config_members::DbConfig);

diff --git a/irohad/main/iroha_conf_loader.hpp b/irohad/main/iroha_conf_loader.hpp
@@ -24,11 +24,16 @@ struct IrohadConfig {
     std::string maintenance_dbname;
   };
 
+  struct InterPeerTls {
+    boost::optional<std::string> my_tls_creds_path;
+  };
+
   // TODO: block_store_path is now optional, change docs IR-576
   // luckychess 29.06.2019
   boost::optional<std::string> block_store_path;
   uint16_t torii_port;
   boost::optional<iroha::torii::TlsParams> torii_tls_params;
+  boost::optional<InterPeerTls> inter_peer_tls;
   uint16_t internal_port;
   boost::optional<std::string>
       pg_opt;  // TODO 2019.06.26 mboldyrev IR-556 remove

diff --git a/irohad/main/server_runner.cpp b/irohad/main/server_runner.cpp
@@ -10,17 +10,41 @@
 #include <grpc/impl/codegen/grpc_types.h>
 #include <boost/format.hpp>
 #include "logger/logger.hpp"
+#include "network/impl/tls_credentials.hpp"
+
+using namespace iroha::network;
+
+namespace {
+
+  const auto kPortBindError = "Cannot bind server to address %s";
+
+  std::shared_ptr<grpc::ServerCredentials> createCredentials(
+      const boost::optional<std::shared_ptr<const TlsCredentials>>
+          &my_tls_creds) {
+    if (not my_tls_creds) {
+      return grpc::InsecureServerCredentials();
+    }
+    auto options = grpc::SslServerCredentialsOptions(
+        GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
+    grpc::SslServerCredentialsOptions::PemKeyCertPair keypair = {
+        my_tls_creds.value()->private_key, my_tls_creds.value()->certificate};
+    options.pem_key_cert_pairs.push_back(keypair);
+    std::shared_ptr<grpc::ServerCredentials> credentials =
+        grpc::SslServerCredentials(options);
+    return credentials;
+  }
 
-const auto kPortBindError = "Cannot bind server to address %s";
+}  // namespace
 
-ServerRunner::ServerRunner(const std::string &address,
-                           logger::LoggerPtr log,
-                           bool reuse,
-                           const boost::optional<TlsKeypair> &tls_keypair)
+ServerRunner::ServerRunner(
+    const std::string &address,
+    logger::LoggerPtr log,
+    bool reuse,
+    const boost::optional<std::shared_ptr<const TlsCredentials>> &my_tls_creds)
     : log_(std::move(log)),
       server_address_(address),
-      reuse_(reuse),
-      tls_keypair_(tls_keypair) {}
+      credentials_(createCredentials(my_tls_creds)),
+      reuse_(reuse) {}
 
 ServerRunner::~ServerRunner() {
   shutdown(std::chrono::system_clock::now());
@@ -39,7 +63,7 @@ iroha::expected::Result<int, std::string> ServerRunner::run() {
     builder.AddChannelArgument(GRPC_ARG_ALLOW_REUSEPORT, 0);
   }
 
-  addListeningPortToBuilder(builder, &selected_port);
+  builder.AddListeningPort(server_address_, credentials_, &selected_port);
 
   for (auto &service : services_) {
     builder.RegisterService(service.get());
@@ -70,26 +94,6 @@ void ServerRunner::waitForServersReady() {
   }
 }
 
-std::shared_ptr<grpc::ServerCredentials>
-ServerRunner::createSecureCredentials() {
-  grpc::SslServerCredentialsOptions::PemKeyCertPair keypair = {
-      tls_keypair_->pem_private_key, tls_keypair_->pem_certificate};
-  auto options = grpc::SslServerCredentialsOptions();
-  options.pem_key_cert_pairs.push_back(keypair);
-  return grpc::SslServerCredentials(options);
-}
-
-void ServerRunner::addListeningPortToBuilder(grpc::ServerBuilder &builder,
-                                             int *selected_port) {
-  if (tls_keypair_) {  // if specified, requested to enable TLS
-    auto credentials = createSecureCredentials();
-    builder.AddListeningPort(server_address_, credentials, selected_port);
-  } else {  // tls is disabled
-    builder.AddListeningPort(
-        server_address_, grpc::InsecureServerCredentials(), selected_port);
-  }
-}
-
 void ServerRunner::shutdown() {
   if (server_instance_) {
     server_instance_->Shutdown();