From 49f88a3b430c53ea19afabf6c54d0311e20fefee Mon Sep 17 00:00:00 2001 From: Sudesh Shetty Date: Thu, 7 Jun 2018 15:34:07 -0400 Subject: [PATCH] [FAB-10568] remove client and CA from NetworkConfig - Client & CertificateAuthoties shouldn't be exposed in network config, since they should be accessed through identity config - removed CertficateAuthorities references in endpoint config. - removed fab.NetworkConfig dependencies in identity config Change-Id: I9fa9365cf0812bd9e323e39f11324ca5bd85227e Signed-off-by: Sudesh Shetty --- pkg/client/msp/client_test.go | 7 +- pkg/common/providers/fab/network.go | 13 +- pkg/core/config/lookup/lookup_test.go | 24 ++- pkg/fab/endpointconfig.go | 85 +++----- pkg/fab/endpointconfig_test.go | 199 +++++++++--------- pkg/msp/caclient_test.go | 9 +- pkg/msp/identityconfig.go | 71 ++++--- pkg/msp/main_test.go | 2 +- .../endpointconfig_override_test.go | 2 - .../identityconfig_override_test.go | 5 +- 10 files changed, 202 insertions(+), 215 deletions(-) diff --git a/pkg/client/msp/client_test.go b/pkg/client/msp/client_test.go index 5a9ddf3689..21f9496bf3 100644 --- a/pkg/client/msp/client_test.go +++ b/pkg/client/msp/client_test.go @@ -19,7 +19,6 @@ import ( contextApi "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/context" "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/core" - "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/fab" "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/msp" mspctx "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/msp" "github.com/hyperledger/fabric-sdk-go/pkg/core/config" @@ -38,6 +37,10 @@ const ( var caServerURL string +type nwConfig struct { + CertificateAuthorities map[string]msp.CAConfig +} + // TestMSP is a unit test for Client enrollment and re-enrollment scenarios func TestMSP(t *testing.T) { @@ -413,7 +416,7 @@ func getCustomBackend(currentBackends ...core.ConfigBackend) []core.ConfigBacken backendMap := make(map[string]interface{}) //Custom URLs for ca configs - networkConfig := fab.NetworkConfig{} + networkConfig := nwConfig{} configLookup := lookup.New(currentBackends...) configLookup.UnmarshalKey("certificateAuthorities", &networkConfig.CertificateAuthorities) diff --git a/pkg/common/providers/fab/network.go b/pkg/common/providers/fab/network.go index 352689cd37..5c4c468cab 100644 --- a/pkg/common/providers/fab/network.go +++ b/pkg/common/providers/fab/network.go @@ -8,23 +8,18 @@ package fab import ( "github.com/hyperledger/fabric-sdk-go/pkg/common/errors/retry" - "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/msp" "github.com/hyperledger/fabric-sdk-go/pkg/core/config/endpoint" ) -// NetworkConfig provides a static definition of a Hyperledger Fabric network +// NetworkConfig provides a static definition of endpoint configuration network type NetworkConfig struct { - Name string - Description string - Version string - //TODO to be removed, no apparent reason to expose it in network config - Client msp.ClientConfig + Name string + Description string + Version string Channels map[string]ChannelNetworkConfig Organizations map[string]OrganizationConfig Orderers map[string]OrdererConfig Peers map[string]PeerConfig - //TODO to be removed, no apparent reason to expose it in network config - CertificateAuthorities map[string]msp.CAConfig } // ChannelNetworkConfig provides the definition of channels for the network diff --git a/pkg/core/config/lookup/lookup_test.go b/pkg/core/config/lookup/lookup_test.go index cdeae34c7f..c1580ec031 100644 --- a/pkg/core/config/lookup/lookup_test.go +++ b/pkg/core/config/lookup/lookup_test.go @@ -19,6 +19,7 @@ import ( "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/core" "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/fab" + "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/msp" "github.com/hyperledger/fabric-sdk-go/pkg/core/mocks" "github.com/mitchellh/mapstructure" "github.com/spf13/viper" @@ -35,6 +36,19 @@ type testEntityMatchers struct { matchers map[string][]fab.MatchConfig } +// networkConfig matches all network config elements +type networkConfig struct { + Name string + Description string + Version string + Client msp.ClientConfig + Channels map[string]fab.ChannelNetworkConfig + Organizations map[string]fab.OrganizationConfig + Orderers map[string]fab.OrdererConfig + Peers map[string]fab.PeerConfig + CertificateAuthorities map[string]msp.CAConfig +} + func TestMain(m *testing.M) { backend = setupCustomBackend("key") r := m.Run() @@ -180,7 +194,7 @@ func TestUnmarshal(t *testing.T) { testLookup := New(backend) //output struct - networkConfig := fab.NetworkConfig{} + networkConfig := networkConfig{} testLookup.UnmarshalKey("channels", &networkConfig.Channels) assert.Equal(t, len(networkConfig.Channels), 3) @@ -230,7 +244,7 @@ func TestUnmarshalWithMultipleBackend(t *testing.T) { testLookup := New(backends...) //output struct - networkConfig := fab.NetworkConfig{} + networkConfig := networkConfig{} entityMatchers := testEntityMatchers{} assert.Nil(t, testLookup.UnmarshalKey("client", &networkConfig.Client), "unmarshalKey supposed to succeed") @@ -291,9 +305,9 @@ func TestLookupUnmarshalAgainstViperUnmarshal(t *testing.T) { //setup viper sampleViper := newViper() //viper network config - networkConfigViper := fab.NetworkConfig{} + networkConfigViper := networkConfig{} //lookup network config - networkConfig := fab.NetworkConfig{} + networkConfig := networkConfig{} /* TEST NETWORK CONFIG CLIENT @@ -454,7 +468,7 @@ func TestUnmarshalWithHookFunc(t *testing.T) { testLookup := New(backend) tamperPeerChannelConfig(backend) //output struct - networkConfig := fab.NetworkConfig{} + networkConfig := networkConfig{} testLookup.UnmarshalKey("channels", &networkConfig.Channels, WithUnmarshalHookFunction(setTrueDefaultForPeerChannelConfig())) //Test if mandatory hook func is working as expected diff --git a/pkg/fab/endpointconfig.go b/pkg/fab/endpointconfig.go index f794cfaf7c..0c5af03163 100644 --- a/pkg/fab/endpointconfig.go +++ b/pkg/fab/endpointconfig.go @@ -109,6 +109,11 @@ type entityMatchers struct { matchers map[string][]fab.MatchConfig } +//endpointConfigEntity contains endpoint config elements needed by endpointconfig +type endpointConfigEntity struct { + Client msp.ClientConfig +} + // Timeout reads timeouts for the given timeout type, if type is not found in the config // then default is set as per the const value above for the corresponding type func (c *EndpointConfig) Timeout(tType fab.TimeoutType) time.Duration { @@ -434,12 +439,12 @@ func (c *EndpointConfig) loadNetworkConfiguration() error { networkConfig.Name = c.backend.GetString("name") networkConfig.Description = c.backend.GetString("description") networkConfig.Version = c.backend.GetString("version") + endpointConfigEntity := endpointConfigEntity{} - //TODO: to be removed from NetworkConfig, to be used only in identity Config - err := c.backend.UnmarshalKey("client", &networkConfig.Client) - logger.Debugf("Client is: %+v", networkConfig.Client) + err := c.backend.UnmarshalKey("client", &endpointConfigEntity.Client) + logger.Debugf("Client is: %+v", endpointConfigEntity.Client) if err != nil { - return errors.WithMessage(err, "failed to parse 'client' config item to networkConfig.Client type") + return errors.WithMessage(err, "failed to parse 'client' config item to endpointConfigEntity.Client type") } err = c.backend.UnmarshalKey("channels", &networkConfig.Channels, lookup.WithUnmarshalHookFunction(peerChannelConfigHookFunc())) @@ -466,15 +471,8 @@ func (c *EndpointConfig) loadNetworkConfiguration() error { return errors.WithMessage(err, "failed to parse 'peers' config item to networkConfig.Peers type") } - //TODO: to be removed from NetworkConfig, to be used only in identity Config - err = c.backend.UnmarshalKey("certificateAuthorities", &networkConfig.CertificateAuthorities) - logger.Debugf("certificateAuthorities are: %+v", networkConfig.CertificateAuthorities) - if err != nil { - return errors.WithMessage(err, "failed to parse 'certificateAuthorities' config item to networkConfig.CertificateAuthorities type") - } - //load all endpointconfig entities - err = c.loadEndpointConfigEntities(&networkConfig) + err = c.loadEndpointConfigEntities(&networkConfig, &endpointConfigEntity) if err != nil { return errors.WithMessage(err, "failed to load channel configs") } @@ -483,7 +481,7 @@ func (c *EndpointConfig) loadNetworkConfiguration() error { return nil } -func (c *EndpointConfig) loadEndpointConfigEntities(networkConfig *fab.NetworkConfig) error { +func (c *EndpointConfig) loadEndpointConfigEntities(networkConfig *fab.NetworkConfig, configEntity *endpointConfigEntity) error { //Compile the entityMatchers matchError := c.compileMatchers() @@ -492,7 +490,7 @@ func (c *EndpointConfig) loadEndpointConfigEntities(networkConfig *fab.NetworkCo } //load all TLS configs - err := c.loadAllTLSConfig(networkConfig) + err := c.loadAllTLSConfig(networkConfig, configEntity) if err != nil { return errors.WithMessage(err, "failed to load network TLSConfig") } @@ -525,28 +523,27 @@ func (c *EndpointConfig) loadEndpointConfigEntities(networkConfig *fab.NetworkCo } //loadAllTLSConfig pre-loads all network TLS Configs -func (c *EndpointConfig) loadAllTLSConfig(networkConfig *fab.NetworkConfig) error { - err := c.loadClientTLSConfig(networkConfig) +func (c *EndpointConfig) loadAllTLSConfig(networkConfig *fab.NetworkConfig, configEntity *endpointConfigEntity) error { + //resolve path and load bytes + err := c.loadClientTLSConfig(configEntity) if err != nil { return errors.WithMessage(err, "failed to load client TLSConfig ") } + //resolve path and load bytes err = c.loadOrgTLSConfig(networkConfig) if err != nil { return errors.WithMessage(err, "failed to load org TLSConfig ") } + //resolve path and load bytes err = c.loadOrdererPeerTLSConfig(networkConfig) if err != nil { return errors.WithMessage(err, "failed to load orderer/peer TLSConfig ") } - err = c.loadCATLSConfig(networkConfig) - if err != nil { - return errors.WithMessage(err, "failed to load CA TLSConfig ") - } - - err = c.loadTLSClientCerts(networkConfig) + //preload TLS client certs + err = c.loadTLSClientCerts(configEntity) if err != nil { return errors.WithMessage(err, "failed to load TLS client certs ") } @@ -555,21 +552,21 @@ func (c *EndpointConfig) loadAllTLSConfig(networkConfig *fab.NetworkConfig) erro } //loadClientTLSConfig pre-loads all TLSConfig bytes in client config -func (c *EndpointConfig) loadClientTLSConfig(networkConfig *fab.NetworkConfig) error { +func (c *EndpointConfig) loadClientTLSConfig(configEntity *endpointConfigEntity) error { //Clients Config //resolve paths and org name - networkConfig.Client.Organization = strings.ToLower(networkConfig.Client.Organization) - networkConfig.Client.TLSCerts.Path = pathvar.Subst(networkConfig.Client.TLSCerts.Path) - networkConfig.Client.TLSCerts.Client.Key.Path = pathvar.Subst(networkConfig.Client.TLSCerts.Client.Key.Path) - networkConfig.Client.TLSCerts.Client.Cert.Path = pathvar.Subst(networkConfig.Client.TLSCerts.Client.Cert.Path) + configEntity.Client.Organization = strings.ToLower(configEntity.Client.Organization) + configEntity.Client.TLSCerts.Path = pathvar.Subst(configEntity.Client.TLSCerts.Path) + configEntity.Client.TLSCerts.Client.Key.Path = pathvar.Subst(configEntity.Client.TLSCerts.Client.Key.Path) + configEntity.Client.TLSCerts.Client.Cert.Path = pathvar.Subst(configEntity.Client.TLSCerts.Client.Cert.Path) //pre load client key and cert bytes - err := networkConfig.Client.TLSCerts.Client.Key.LoadBytes() + err := configEntity.Client.TLSCerts.Client.Key.LoadBytes() if err != nil { return errors.WithMessage(err, "failed to load client key") } - err = networkConfig.Client.TLSCerts.Client.Cert.LoadBytes() + err = configEntity.Client.TLSCerts.Client.Cert.LoadBytes() if err != nil { return errors.WithMessage(err, "failed to load client cert") } @@ -634,30 +631,6 @@ func (c *EndpointConfig) loadOrdererPeerTLSConfig(networkConfig *fab.NetworkConf return nil } -//loadCATLSConfig pre-loads all TLSConfig bytes in certificate authorities -func (c *EndpointConfig) loadCATLSConfig(networkConfig *fab.NetworkConfig) error { - //CA Config - for ca, caConfig := range networkConfig.CertificateAuthorities { - //resolve paths - caConfig.TLSCACerts.Path = pathvar.Subst(caConfig.TLSCACerts.Path) - caConfig.TLSCACerts.Client.Key.Path = pathvar.Subst(caConfig.TLSCACerts.Client.Key.Path) - caConfig.TLSCACerts.Client.Cert.Path = pathvar.Subst(caConfig.TLSCACerts.Client.Cert.Path) - //pre load key and cert bytes - err := caConfig.TLSCACerts.Client.Key.LoadBytes() - if err != nil { - return errors.WithMessage(err, "failed to load ca key") - } - - err = caConfig.TLSCACerts.Client.Cert.LoadBytes() - if err != nil { - return errors.WithMessage(err, "failed to load ca cert") - } - networkConfig.CertificateAuthorities[ca] = caConfig - } - - return nil -} - func (c *EndpointConfig) loadPeerConfigsByOrg(networkConfig *fab.NetworkConfig) { c.peerConfigsByOrg = make(map[string][]fab.PeerConfig) @@ -799,10 +772,10 @@ func (c *EndpointConfig) loadChannelOrderers(networkConfig *fab.NetworkConfig) e // loadTLSClientCerts loads the client's certs for mutual TLS // It checks the config for embedded pem files before looking for cert files -func (c *EndpointConfig) loadTLSClientCerts(networkConfig *fab.NetworkConfig) error { +func (c *EndpointConfig) loadTLSClientCerts(configEntity *endpointConfigEntity) error { var clientCerts tls.Certificate - cb := networkConfig.Client.TLSCerts.Client.Cert.Bytes() + cb := configEntity.Client.TLSCerts.Client.Cert.Bytes() if len(cb) == 0 { // if no cert found in the config, empty cert chain should be used c.tlsClientCerts = []tls.Certificate{clientCerts} @@ -816,7 +789,7 @@ func (c *EndpointConfig) loadTLSClientCerts(networkConfig *fab.NetworkConfig) er // If CryptoSuite fails to load private key from cert then load private key from config if err != nil || pk == nil { logger.Debugf("Reading pk from config, unable to retrieve from cert: %s", err) - tlsClientCerts, err := c.loadPrivateKeyFromConfig(&networkConfig.Client, clientCerts, cb) + tlsClientCerts, err := c.loadPrivateKeyFromConfig(&configEntity.Client, clientCerts, cb) if err != nil { return errors.WithMessage(err, "failed to load TLS client certs") } diff --git a/pkg/fab/endpointconfig_test.go b/pkg/fab/endpointconfig_test.go index 14954eb8e2..49564757c1 100644 --- a/pkg/fab/endpointconfig_test.go +++ b/pkg/fab/endpointconfig_test.go @@ -25,6 +25,7 @@ import ( "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/core" "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/fab" "github.com/hyperledger/fabric-sdk-go/pkg/core/config" + "github.com/hyperledger/fabric-sdk-go/pkg/core/config/endpoint" "github.com/hyperledger/fabric-sdk-go/pkg/core/config/lookup" "github.com/hyperledger/fabric-sdk-go/pkg/core/mocks" "github.com/hyperledger/fabric-sdk-go/pkg/fab/comm" @@ -869,45 +870,43 @@ func TestInitConfigFromRawWrongType(t *testing.T) { } func TestTLSClientCertsFromFiles(t *testing.T) { - config, err := ConfigFromBackend(configBackend) - if err != nil { - t.Fatal(err) - } - endpointConfig := config.(*EndpointConfig) - endpointConfig.networkConfig.Client.TLSCerts.Client.Cert.Path = pathvar.Subst(certPath) - endpointConfig.networkConfig.Client.TLSCerts.Client.Key.Path = pathvar.Subst(keyPath) - endpointConfig.networkConfig.Client.TLSCerts.Client.Cert.Pem = "" - endpointConfig.networkConfig.Client.TLSCerts.Client.Key.Pem = "" + clientTLSOverride := endpoint.MutualTLSConfig{} + clientTLSOverride.Client.Cert.Path = pathvar.Subst(certPath) + clientTLSOverride.Client.Key.Path = pathvar.Subst(keyPath) + clientTLSOverride.Client.Cert.Pem = "" + clientTLSOverride.Client.Key.Pem = "" - certs := endpointConfig.TLSClientCerts() - if len(certs) != 1 { - t.Fatal("Expected only one tls cert struct") - } + backends, err := overrideClientTLSInBackend(configBackend, &clientTLSOverride) + assert.Nil(t, err) - emptyCert := tls.Certificate{} + config, err := ConfigFromBackend(backends...) + assert.Nil(t, err) + + certs := config.TLSClientCerts() + assert.Equal(t, 1, len(certs), "Expected only one tls cert struct") - if reflect.DeepEqual(certs[0], emptyCert) { + if reflect.DeepEqual(certs[0], tls.Certificate{}) { t.Fatal("Actual cert is empty") } } func TestTLSClientCertsFromFilesIncorrectPaths(t *testing.T) { - nwConfig := fab.NetworkConfig{} + configEntity := endpointConfigEntity{} testlookup := lookup.New(configBackend) - testlookup.UnmarshalKey("client", &nwConfig.Client) + testlookup.UnmarshalKey("client", &configEntity.Client) //Set client tls paths to empty strings - nwConfig.Client.TLSCerts.Client.Cert.Path = "/test/fixtures/config/mutual_tls/client_sdk_go.pem" - nwConfig.Client.TLSCerts.Client.Key.Path = "/test/fixtures/config/mutual_tls/client_sdk_go-key.pem" - nwConfig.Client.TLSCerts.Client.Cert.Pem = "" - nwConfig.Client.TLSCerts.Client.Key.Pem = "" + configEntity.Client.TLSCerts.Client.Cert.Path = "/test/fixtures/config/mutual_tls/client_sdk_go.pem" + configEntity.Client.TLSCerts.Client.Key.Path = "/test/fixtures/config/mutual_tls/client_sdk_go-key.pem" + configEntity.Client.TLSCerts.Client.Cert.Pem = "" + configEntity.Client.TLSCerts.Client.Key.Pem = "" //Create backend override configBackendOverride := &mocks.MockConfigBackend{} configBackendOverride.KeyValueMap = make(map[string]interface{}) - configBackendOverride.KeyValueMap["client"] = nwConfig.Client + configBackendOverride.KeyValueMap["client"] = configEntity.Client _, err := ConfigFromBackend(configBackendOverride, configBackend) if err == nil || !strings.Contains(err.Error(), "failed to load client key: failed to load pem bytes from path") { @@ -917,16 +916,13 @@ func TestTLSClientCertsFromFilesIncorrectPaths(t *testing.T) { } func TestTLSClientCertsFromPem(t *testing.T) { - config, err := ConfigFromBackend(configBackend) - if err != nil { - t.Fatal(err) - } - endpointConfig := config.(*EndpointConfig) - endpointConfig.networkConfig.Client.TLSCerts.Client.Cert.Path = "" - endpointConfig.networkConfig.Client.TLSCerts.Client.Key.Path = "" + clientTLSOverride := endpoint.MutualTLSConfig{} - endpointConfig.networkConfig.Client.TLSCerts.Client.Cert.Pem = `-----BEGIN CERTIFICATE----- + clientTLSOverride.Client.Cert.Path = "" + clientTLSOverride.Client.Key.Path = "" + + clientTLSOverride.Client.Cert.Pem = `-----BEGIN CERTIFICATE----- MIIC5TCCAkagAwIBAgIUMYhiY5MS3jEmQ7Fz4X/e1Dx33J0wCgYIKoZIzj0EAwQw gYwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3Jv bnRvMREwDwYDVQQKEwhsaW51eGN0bDEMMAoGA1UECxMDTGFiMTgwNgYDVQQDEy9s @@ -945,36 +941,35 @@ gw2rrxqbW67ulwmMQzp6EJbm/28T2pIoYWWyIwpzrquypI7BOuf8is5b7Jcgn9oz 3YkZ9DhdH1tN4U/h+YulG/CkKOtUATtQxg== -----END CERTIFICATE-----` - endpointConfig.networkConfig.Client.TLSCerts.Client.Key.Pem = `-----BEGIN EC PRIVATE KEY----- + clientTLSOverride.Client.Key.Pem = `-----BEGIN EC PRIVATE KEY----- MIGkAgEBBDByldj7VTpqTQESGgJpR9PFW9b6YTTde2WN6/IiBo2nW+CIDmwQgmAl c/EOc9wmgu+gBwYFK4EEACKhZANiAAT6I1CGNrkchIAEmeJGo53XhDsoJwRiohBv 2PotEEGuO6rMyaOupulj2VOj+YtgWw4ZtU49g4Nv6rq1QlKwRYyMwwRJSAZHIUMh YZjcDi7YEOZ3Fs1hxKmIxR+TTR2vf9I= -----END EC PRIVATE KEY-----` - certs := endpointConfig.TLSClientCerts() - if len(certs) != 1 { - t.Fatal("Expected only one tls cert struct") - } + backends, err := overrideClientTLSInBackend(configBackend, &clientTLSOverride) + assert.Nil(t, err) - emptyCert := tls.Certificate{} + config, err := ConfigFromBackend(backends...) + assert.Nil(t, err) + + certs := config.TLSClientCerts() + assert.Equal(t, 1, len(certs), "Expected only one tls cert struct") - if reflect.DeepEqual(certs[0], emptyCert) { + if reflect.DeepEqual(certs[0], tls.Certificate{}) { t.Fatal("Actual cert is empty") } } func TestTLSClientCertFromPemAndKeyFromFile(t *testing.T) { - config, err := ConfigFromBackend(configBackend) - if err != nil { - t.Fatal(err) - } - endpointConfig := config.(*EndpointConfig) - endpointConfig.networkConfig.Client.TLSCerts.Client.Cert.Path = "" - endpointConfig.networkConfig.Client.TLSCerts.Client.Key.Path = pathvar.Subst(keyPath) + clientTLSOverride := endpoint.MutualTLSConfig{} - endpointConfig.networkConfig.Client.TLSCerts.Client.Cert.Pem = `-----BEGIN CERTIFICATE----- + clientTLSOverride.Client.Cert.Path = "" + clientTLSOverride.Client.Key.Path = pathvar.Subst(keyPath) + + clientTLSOverride.Client.Cert.Pem = `-----BEGIN CERTIFICATE----- MIIC5TCCAkegAwIBAgIUBzAG7MTjO4n9GFkYTkJBnvCInRIwCgYIKoZIzj0EAwQw gYwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3Jv bnRvMREwDwYDVQQKEwhsaW51eGN0bDEMMAoGA1UECxMDTGFiMTgwNgYDVQQDEy9s @@ -993,63 +988,57 @@ rIYog3WBAkECntF217dk3VCZHXfl+rik6wm+ijzYk+k336UERiSJRu09YHHEh7x6 NRCHI3uXUJ5/3zDZM3qtV8UYHou4KDS35Q== -----END CERTIFICATE-----` - endpointConfig.networkConfig.Client.TLSCerts.Client.Key.Pem = "" + clientTLSOverride.Client.Key.Pem = "" - certs := endpointConfig.TLSClientCerts() - if len(certs) != 1 { - t.Fatal("Expected only one tls cert struct") - } + backends, err := overrideClientTLSInBackend(configBackend, &clientTLSOverride) + assert.Nil(t, err) - emptyCert := tls.Certificate{} + config, err := ConfigFromBackend(backends...) + assert.Nil(t, err) - if reflect.DeepEqual(certs[0], emptyCert) { + certs := config.TLSClientCerts() + assert.Equal(t, 1, len(certs), "Expected only one tls cert struct") + + if reflect.DeepEqual(certs[0], tls.Certificate{}) { t.Fatal("Actual cert is empty") } } func TestTLSClientCertFromFileAndKeyFromPem(t *testing.T) { - config, err := ConfigFromBackend(configBackend) - if err != nil { - t.Fatal(err) - } - - endpointConfig := config.(*EndpointConfig) - endpointConfig.networkConfig.Client.TLSCerts.Client.Cert.Path = pathvar.Subst(certPath) - endpointConfig.networkConfig.Client.TLSCerts.Client.Key.Path = "" - endpointConfig.networkConfig.Client.TLSCerts.Client.Cert.Pem = "" - - endpointConfig.networkConfig.Client.TLSCerts.Client.Key.Pem = `-----BEGIN EC PRIVATE KEY----- + clientTLSOverride := endpoint.MutualTLSConfig{} + clientTLSOverride.Client.Cert.Path = pathvar.Subst(certPath) + clientTLSOverride.Client.Key.Path = "" + clientTLSOverride.Client.Cert.Pem = "" + clientTLSOverride.Client.Key.Pem = `-----BEGIN EC PRIVATE KEY----- MIGkAgEBBDAeWRhdAl+olgpLiI9mXHwcgJ1g4NNgPrYFSkkukISeAGfvK348izwG 0Aub948H5IygBwYFK4EEACKhZANiAATJb6oe7bpmnuJwjYMaQX7D2YQ0vLHmRWKs QSn674xQJ5N8rMHAA/DXtpIMKI5uulot0jJ5xFkpikLGd8+6soQp8pd5tkMqZB0a nFoUptdom8LjgRus6rnHbXxGqcIN6oA= -----END EC PRIVATE KEY-----` - certs := endpointConfig.TLSClientCerts() - if len(certs) != 1 { - t.Fatal("Expected only one tls cert struct") - } + backends, err := overrideClientTLSInBackend(configBackend, &clientTLSOverride) + assert.Nil(t, err) - emptyCert := tls.Certificate{} + config, err := ConfigFromBackend(backends...) + assert.Nil(t, err) + + certs := config.TLSClientCerts() + assert.Equal(t, 1, len(certs), "Expected only one tls cert struct") - if reflect.DeepEqual(certs[0], emptyCert) { + if reflect.DeepEqual(certs[0], tls.Certificate{}) { t.Fatal("Actual cert is empty") } } func TestTLSClientCertsPemBeforeFiles(t *testing.T) { - config, err := ConfigFromBackend(configBackend) - if err != nil { - t.Fatal(err) - } - endpointConfig := config.(*EndpointConfig) + clientTLSOverride := endpoint.MutualTLSConfig{} // files have incorrect paths, but pems are loaded first - endpointConfig.networkConfig.Client.TLSCerts.Client.Cert.Path = "/test/fixtures/config/mutual_tls/client_sdk_go.pem" - endpointConfig.networkConfig.Client.TLSCerts.Client.Key.Path = "/test/fixtures/config/mutual_tls/client_sdk_go-key.pem" + clientTLSOverride.Client.Cert.Path = "/test/fixtures/config/mutual_tls/client_sdk_go.pem" + clientTLSOverride.Client.Key.Path = "/test/fixtures/config/mutual_tls/client_sdk_go-key.pem" - endpointConfig.networkConfig.Client.TLSCerts.Client.Cert.Pem = `-----BEGIN CERTIFICATE----- + clientTLSOverride.Client.Cert.Pem = `-----BEGIN CERTIFICATE----- MIIC5TCCAkagAwIBAgIUMYhiY5MS3jEmQ7Fz4X/e1Dx33J0wCgYIKoZIzj0EAwQw gYwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3Jv bnRvMREwDwYDVQQKEwhsaW51eGN0bDEMMAoGA1UECxMDTGFiMTgwNgYDVQQDEy9s @@ -1068,41 +1057,47 @@ gw2rrxqbW67ulwmMQzp6EJbm/28T2pIoYWWyIwpzrquypI7BOuf8is5b7Jcgn9oz 3YkZ9DhdH1tN4U/h+YulG/CkKOtUATtQxg== -----END CERTIFICATE-----` - endpointConfig.networkConfig.Client.TLSCerts.Client.Key.Pem = `-----BEGIN EC PRIVATE KEY----- + clientTLSOverride.Client.Key.Pem = `-----BEGIN EC PRIVATE KEY----- MIGkAgEBBDByldj7VTpqTQESGgJpR9PFW9b6YTTde2WN6/IiBo2nW+CIDmwQgmAl c/EOc9wmgu+gBwYFK4EEACKhZANiAAT6I1CGNrkchIAEmeJGo53XhDsoJwRiohBv 2PotEEGuO6rMyaOupulj2VOj+YtgWw4ZtU49g4Nv6rq1QlKwRYyMwwRJSAZHIUMh YZjcDi7YEOZ3Fs1hxKmIxR+TTR2vf9I= -----END EC PRIVATE KEY-----` - certs := endpointConfig.TLSClientCerts() + backends, err := overrideClientTLSInBackend(configBackend, &clientTLSOverride) + assert.Nil(t, err) + + config, err := ConfigFromBackend(backends...) + if err != nil { + t.Fatal(err) + } + + certs := config.TLSClientCerts() if len(certs) != 1 { t.Fatal("Expected only one tls cert struct") } - emptyCert := tls.Certificate{} - - if reflect.DeepEqual(certs[0], emptyCert) { + if reflect.DeepEqual(certs[0], tls.Certificate{}) { t.Fatal("Actual cert is empty") } } func TestTLSClientCertsNoCerts(t *testing.T) { - nwConfig := fab.NetworkConfig{} + configEntity := endpointConfigEntity{} testlookup := lookup.New(configBackend) - testlookup.UnmarshalKey("client", &nwConfig.Client) + testlookup.UnmarshalKey("client", &configEntity.Client) //Set client tls paths to empty strings - nwConfig.Client.TLSCerts.Client.Cert.Path = "" - nwConfig.Client.TLSCerts.Client.Key.Path = "" - nwConfig.Client.TLSCerts.Client.Cert.Pem = "" - nwConfig.Client.TLSCerts.Client.Key.Pem = "" + configEntity.Client.TLSCerts.Client.Cert.Path = "" + configEntity.Client.TLSCerts.Client.Key.Path = "" + configEntity.Client.TLSCerts.Client.Cert.Pem = "" + configEntity.Client.TLSCerts.Client.Key.Pem = "" //Create backend override configBackendOverride := &mocks.MockConfigBackend{} configBackendOverride.KeyValueMap = make(map[string]interface{}) - configBackendOverride.KeyValueMap["client"] = nwConfig.Client + configBackendOverride.KeyValueMap["client"] = configEntity.Client config, err := ConfigFromBackend(configBackendOverride, configBackend) if err != nil { @@ -1175,10 +1170,6 @@ func TestEndpointConfigWithMultipleBackends(t *testing.T) { backendMap["channels"] = sampleViper.Get("channels") backends = append(backends, &mocks.MockConfigBackend{KeyValueMap: backendMap}) - backendMap = make(map[string]interface{}) - backendMap["certificateAuthorities"] = sampleViper.Get("certificateAuthorities") - backends = append(backends, &mocks.MockConfigBackend{KeyValueMap: backendMap}) - backendMap = make(map[string]interface{}) backendMap["entityMatchers"] = sampleViper.Get("entityMatchers") backends = append(backends, &mocks.MockConfigBackend{KeyValueMap: backendMap}) @@ -1205,9 +1196,6 @@ func TestEndpointConfigWithMultipleBackends(t *testing.T) { networkConfig := endpointConfig.NetworkConfig() assert.NotNil(t, networkConfig, "Invalid networkConfig") - //Client - assert.True(t, networkConfig.Client.Organization == "org1") - //Channel assert.Equal(t, len(networkConfig.Channels), 3) assert.Equal(t, len(networkConfig.Channels["mychannel"].Peers), 1) @@ -1217,11 +1205,6 @@ func TestEndpointConfigWithMultipleBackends(t *testing.T) { assert.Equal(t, networkConfig.Channels["mychannel"].Policies.QueryChannelConfig.RetryOpts.InitialBackoff.String(), (500 * time.Millisecond).String()) assert.Equal(t, networkConfig.Channels["mychannel"].Policies.QueryChannelConfig.RetryOpts.BackoffFactor, 2.0) - //CertificateAuthorities - assert.Equal(t, len(networkConfig.CertificateAuthorities), 2) - assert.Equal(t, networkConfig.CertificateAuthorities["local.ca.org1.example.com"].URL, "https://ca.org1.example.com:7054") - assert.Equal(t, networkConfig.CertificateAuthorities["local.ca.org2.example.com"].URL, "https://ca.org2.example.com:8054") - //Organizations assert.Equal(t, len(networkConfig.Organizations), 3) assert.Equal(t, networkConfig.Organizations["org1"].MSPID, "Org1MSP") @@ -1364,3 +1347,17 @@ func newViper(path string) *viper.Viper { } return myViper } + +func overrideClientTLSInBackend(backend core.ConfigBackend, tlsCerts *endpoint.MutualTLSConfig) ([]core.ConfigBackend, error) { + endpointEntity := endpointConfigEntity{} + err := lookup.New(backend).UnmarshalKey("client", &endpointEntity.Client) + if err != nil { + return nil, err + } + + backendOverride := mocks.MockConfigBackend{} + backendOverride.KeyValueMap = make(map[string]interface{}) + backendOverride.KeyValueMap["client"] = endpointEntity.Client + + return []core.ConfigBackend{&backendOverride, backend}, nil +} diff --git a/pkg/msp/caclient_test.go b/pkg/msp/caclient_test.go index c285cdc767..2612f15991 100644 --- a/pkg/msp/caclient_test.go +++ b/pkg/msp/caclient_test.go @@ -14,7 +14,6 @@ import ( "github.com/golang/mock/gomock" "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/core" - fabApi "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/fab" "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/msp" "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/test/mockcontext" mockmspApi "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/test/mockmsp" @@ -576,7 +575,7 @@ func getInvalidURLBackend() ([]core.ConfigBackend, error) { } //Create an invalid channel - networkConfig := fabApi.NetworkConfig{} + networkConfig := identityConfigEntity{} //get valid certificate authorities err = lookup.New(mockConfigBackend...).UnmarshalKey("certificateAuthorities", &networkConfig.CertificateAuthorities) if err != nil { @@ -609,7 +608,7 @@ func getNoRegistrarBackend() ([]core.ConfigBackend, error) { } //Create an invalid channel - networkConfig := fabApi.NetworkConfig{} + networkConfig := identityConfigEntity{} //get valid certificate authorities err = lookup.New(mockConfigBackend...).UnmarshalKey("certificateAuthorities", &networkConfig.CertificateAuthorities) if err != nil { @@ -642,7 +641,7 @@ func getNoCAConfigBackend() ([]core.ConfigBackend, error) { } //Create an empty network config - networkConfig := fabApi.NetworkConfig{} + networkConfig := identityConfigEntity{} //get valid certificate authorities err = lookup.New(mockConfigBackend...).UnmarshalKey("organizations", &networkConfig.Organizations) if err != nil { @@ -676,7 +675,7 @@ func getEmbeddedRegistrarConfigBackend() ([]core.ConfigBackend, error) { embeddedRegistrarID := "embeddedregistrar" //Create an empty network config - networkConfig := fabApi.NetworkConfig{} + networkConfig := identityConfigEntity{} //get valid certificate authorities err = lookup.New(mockConfigBackend...).UnmarshalKey("organizations", &networkConfig.Organizations) if err != nil { diff --git a/pkg/msp/identityconfig.go b/pkg/msp/identityconfig.go index 05205c75fe..e1180a3200 100644 --- a/pkg/msp/identityconfig.go +++ b/pkg/msp/identityconfig.go @@ -58,6 +58,13 @@ type entityMatchers struct { matchers map[string][]fab.MatchConfig } +//identityConfigEntity contains all config entities needed +type identityConfigEntity struct { + Client msp.ClientConfig + Organizations map[string]fab.OrganizationConfig + CertificateAuthorities map[string]msp.CAConfig +} + // Client returns the Client config func (c *IdentityConfig) Client() *msp.ClientConfig { return c.client @@ -116,24 +123,24 @@ func (c *IdentityConfig) CredentialStorePath() string { //loadIdentityConfigEntities loads config entities and dictionaries for searches func (c *IdentityConfig) loadIdentityConfigEntities() error { - networkConfig := fab.NetworkConfig{} + configEntity := identityConfigEntity{} - err := c.backend.UnmarshalKey("client", &networkConfig.Client) - logger.Debugf("Client is: %+v", networkConfig.Client) + err := c.backend.UnmarshalKey("client", &configEntity.Client) + logger.Debugf("Client is: %+v", configEntity.Client) if err != nil { - return errors.WithMessage(err, "failed to parse 'client' config item to networkConfig.Client type") + return errors.WithMessage(err, "failed to parse 'client' config item to identityConfigEntity.Client type") } - err = c.backend.UnmarshalKey("organizations", &networkConfig.Organizations) - logger.Debugf("organizations are: %+v", networkConfig.Organizations) + err = c.backend.UnmarshalKey("organizations", &configEntity.Organizations) + logger.Debugf("organizations are: %+v", configEntity.Organizations) if err != nil { - return errors.WithMessage(err, "failed to parse 'organizations' config item to networkConfig.Organizations type") + return errors.WithMessage(err, "failed to parse 'organizations' config item to identityConfigEntity.Organizations type") } - err = c.backend.UnmarshalKey("certificateAuthorities", &networkConfig.CertificateAuthorities) - logger.Debugf("certificateAuthorities are: %+v", networkConfig.CertificateAuthorities) + err = c.backend.UnmarshalKey("certificateAuthorities", &configEntity.CertificateAuthorities) + logger.Debugf("certificateAuthorities are: %+v", configEntity.CertificateAuthorities) if err != nil { - return errors.WithMessage(err, "failed to parse 'certificateAuthorities' config item to networkConfig.CertificateAuthorities type") + return errors.WithMessage(err, "failed to parse 'certificateAuthorities' config item to identityConfigEntity.CertificateAuthorities type") } //compile CA matchers @@ -142,17 +149,17 @@ func (c *IdentityConfig) loadIdentityConfigEntities() error { return errors.WithMessage(err, "failed to compile certificate authority matchers") } - err = c.loadClientTLSConfig(&networkConfig) + err = c.loadClientTLSConfig(&configEntity) if err != nil { return errors.WithMessage(err, "failed to load client TLSConfig ") } - err = c.loadCATLSConfig(&networkConfig) + err = c.loadCATLSConfig(&configEntity) if err != nil { return errors.WithMessage(err, "failed to load CA TLSConfig ") } - err = c.loadAllCAConfigs(&networkConfig) + err = c.loadAllCAConfigs(&configEntity) if err != nil { return errors.WithMessage(err, "failed to load all CA configs ") } @@ -162,7 +169,7 @@ func (c *IdentityConfig) loadIdentityConfigEntities() error { return errors.WithMessage(err, "failed to load all CA server certs ") } - c.client = &networkConfig.Client + c.client = &configEntity.Client c.caKeyStorePath = pathvar.Subst(c.backend.GetString("client.credentialStore.cryptoStore.path")) c.credentialStorePath = pathvar.Subst(c.backend.GetString("client.credentialStore.path")) @@ -170,21 +177,21 @@ func (c *IdentityConfig) loadIdentityConfigEntities() error { } //loadClientTLSConfig pre-loads all TLSConfig bytes in client config -func (c *IdentityConfig) loadClientTLSConfig(networkConfig *fab.NetworkConfig) error { +func (c *IdentityConfig) loadClientTLSConfig(configEntity *identityConfigEntity) error { //Clients Config //resolve paths and org name - networkConfig.Client.Organization = strings.ToLower(networkConfig.Client.Organization) - networkConfig.Client.TLSCerts.Path = pathvar.Subst(networkConfig.Client.TLSCerts.Path) - networkConfig.Client.TLSCerts.Client.Key.Path = pathvar.Subst(networkConfig.Client.TLSCerts.Client.Key.Path) - networkConfig.Client.TLSCerts.Client.Cert.Path = pathvar.Subst(networkConfig.Client.TLSCerts.Client.Cert.Path) + configEntity.Client.Organization = strings.ToLower(configEntity.Client.Organization) + configEntity.Client.TLSCerts.Path = pathvar.Subst(configEntity.Client.TLSCerts.Path) + configEntity.Client.TLSCerts.Client.Key.Path = pathvar.Subst(configEntity.Client.TLSCerts.Client.Key.Path) + configEntity.Client.TLSCerts.Client.Cert.Path = pathvar.Subst(configEntity.Client.TLSCerts.Client.Cert.Path) //pre load client key and cert bytes - err := networkConfig.Client.TLSCerts.Client.Key.LoadBytes() + err := configEntity.Client.TLSCerts.Client.Key.LoadBytes() if err != nil { return errors.WithMessage(err, "failed to load client key") } - err = networkConfig.Client.TLSCerts.Client.Cert.LoadBytes() + err = configEntity.Client.TLSCerts.Client.Cert.LoadBytes() if err != nil { return errors.WithMessage(err, "failed to load client cert") } @@ -193,9 +200,9 @@ func (c *IdentityConfig) loadClientTLSConfig(networkConfig *fab.NetworkConfig) e } //loadCATLSConfig pre-loads all TLSConfig bytes in certificate authorities -func (c *IdentityConfig) loadCATLSConfig(networkConfig *fab.NetworkConfig) error { +func (c *IdentityConfig) loadCATLSConfig(configEntity *identityConfigEntity) error { //CA Config - for ca, caConfig := range networkConfig.CertificateAuthorities { + for ca, caConfig := range configEntity.CertificateAuthorities { //resolve paths caConfig.TLSCACerts.Path = pathvar.Subst(caConfig.TLSCACerts.Path) caConfig.TLSCACerts.Client.Key.Path = pathvar.Subst(caConfig.TLSCACerts.Client.Key.Path) @@ -210,26 +217,26 @@ func (c *IdentityConfig) loadCATLSConfig(networkConfig *fab.NetworkConfig) error if err != nil { return errors.WithMessage(err, "failed to load ca cert") } - networkConfig.CertificateAuthorities[ca] = caConfig + configEntity.CertificateAuthorities[ca] = caConfig } return nil } -func (c *IdentityConfig) loadAllCAConfigs(networkConfig *fab.NetworkConfig) error { +func (c *IdentityConfig) loadAllCAConfigs(configEntity *identityConfigEntity) error { caConfigsByOrg := make(map[string][]*msp.CAConfig) - for orgName, orgConfig := range networkConfig.Organizations { + for orgName, orgConfig := range configEntity.Organizations { var caConfigs []*msp.CAConfig for _, caName := range orgConfig.CertificateAuthorities { if caName == "" { continue } - caConfig, ok := networkConfig.CertificateAuthorities[strings.ToLower(caName)] + caConfig, ok := configEntity.CertificateAuthorities[strings.ToLower(caName)] if !ok { logger.Debugf("Could not find Certificate Authority for [%s], trying with Entity Matchers", caName) - matchedCaConfig, mappedHost := c.tryMatchingCAConfig(networkConfig, strings.ToLower(caName)) + matchedCaConfig, mappedHost := c.tryMatchingCAConfig(configEntity, strings.ToLower(caName)) if mappedHost == "" { return errors.Errorf("CA Server Name [%s] not found", caName) } @@ -312,7 +319,7 @@ func (c *IdentityConfig) compileMatchers() error { return nil } -func (c *IdentityConfig) tryMatchingCAConfig(networkConfig *fab.NetworkConfig, caName string) (*msp.CAConfig, string) { +func (c *IdentityConfig) tryMatchingCAConfig(configEntity *identityConfigEntity, caName string) (*msp.CAConfig, string) { //Return if no caMatchers are configured if len(c.caMatchers) == 0 { return nil, "" @@ -329,18 +336,18 @@ func (c *IdentityConfig) tryMatchingCAConfig(networkConfig *fab.NetworkConfig, c for _, k := range keys { v := c.caMatchers[k] if v.MatchString(caName) { - return c.findMatchingCert(networkConfig, caName, v, k) + return c.findMatchingCert(configEntity, caName, v, k) } } return nil, "" } -func (c *IdentityConfig) findMatchingCert(networkConfig *fab.NetworkConfig, caName string, v *regexp.Regexp, k int) (*msp.CAConfig, string) { +func (c *IdentityConfig) findMatchingCert(configEntity *identityConfigEntity, caName string, v *regexp.Regexp, k int) (*msp.CAConfig, string) { // get the matching Config from the index number certAuthorityMatchConfig := c.entityMatchers.matchers["certificateauthority"][k] //Get the certAuthorityMatchConfig from mapped host - caConfig, ok := networkConfig.CertificateAuthorities[strings.ToLower(certAuthorityMatchConfig.MappedHost)] + caConfig, ok := configEntity.CertificateAuthorities[strings.ToLower(certAuthorityMatchConfig.MappedHost)] if !ok { return nil, "" } diff --git a/pkg/msp/main_test.go b/pkg/msp/main_test.go index 8f9907c3b0..9428745a93 100644 --- a/pkg/msp/main_test.go +++ b/pkg/msp/main_test.go @@ -209,7 +209,7 @@ func (p *identityManagerProvider) IdentityManager(orgName string) (msp.IdentityM func updateCAServerURL(caServerURL string, existingBackends []core.ConfigBackend) []core.ConfigBackend { //get existing certificateAuthorities - networkConfig := fab.NetworkConfig{} + networkConfig := identityConfigEntity{} lookup.New(existingBackends...).UnmarshalKey("certificateAuthorities", &networkConfig.CertificateAuthorities) //update URLs diff --git a/test/integration/e2e/configless/endpointconfig_override_test.go b/test/integration/e2e/configless/endpointconfig_override_test.go index f083244e0a..2dcc097c3d 100644 --- a/test/integration/e2e/configless/endpointconfig_override_test.go +++ b/test/integration/e2e/configless/endpointconfig_override_test.go @@ -210,12 +210,10 @@ var ( networkConfig = fab.NetworkConfig{ Name: "config-overridden network", Description: "This config structure is an example of overriding the sdk config by injecting interfaces instead of using a config file", - Client: clientConfig, Channels: channelsConfig, Organizations: orgsConfig, Orderers: newOrderersConfig(), Peers: newPeersConfig(), - CertificateAuthorities: newCAsConfig(), // EntityMatchers are not used in this implementation //EntityMatchers: entityMatchers, } diff --git a/test/integration/e2e/configless/identityconfig_override_test.go b/test/integration/e2e/configless/identityconfig_override_test.go index 76631e599d..1b77e3d90b 100644 --- a/test/integration/e2e/configless/identityconfig_override_test.go +++ b/test/integration/e2e/configless/identityconfig_override_test.go @@ -44,7 +44,7 @@ type exampleClient struct { } func (m *exampleClient) Client() *msp.ClientConfig { - client := networkConfig.Client + client := clientConfig client.Organization = strings.ToLower(client.Organization) return &client } @@ -67,7 +67,8 @@ func getCAConfig(networkConfig *fab.NetworkConfig, org string) (*msp.CAConfig, b return nil, false } - caConfig, ok := networkConfig.CertificateAuthorities[strings.ToLower(certAuthorityName)] + caConfigs := newCAsConfig() + caConfig, ok := caConfigs[strings.ToLower(certAuthorityName)] if !ok { // EntityMatchers are not supported in this implementation. If needed, uncomment the below lines //caConfig, mappedHost := m.tryMatchingCAConfig(networkConfig, strings.ToLower(certAuthorityName))