diff --git a/core/comm/connection.go b/core/comm/connection.go index cac577f3cdb..24c8d39a0e1 100644 --- a/core/comm/connection.go +++ b/core/comm/connection.go @@ -111,6 +111,32 @@ func (cas *CASupport) GetDeliverServiceCredentials() credentials.TransportCreden return creds } +// GetPeerCredentials returns GRPC transport credentials for use by GRPC +// clients which communicate with remote peer endpoints. +func (cas *CASupport) GetPeerCredentials() credentials.TransportCredentials { + var creds credentials.TransportCredentials + var tlsConfig = &tls.Config{} + var certPool = x509.NewCertPool() + // loop through the orderer CAs + roots, _ := cas.GetServerRootCAs() + for _, root := range roots { + block, _ := pem.Decode(root) + if block != nil { + cert, err := x509.ParseCertificate(block.Bytes) + if err == nil { + certPool.AddCert(cert) + } else { + commLogger.Warningf("Failed to add root cert to credentials (%s)", err) + } + } else { + commLogger.Warning("Failed to add root cert to credentials") + } + } + tlsConfig.RootCAs = certPool + creds = credentials.NewTLS(tlsConfig) + return creds +} + // GetClientRootCAs returns the PEM-encoded root certificates for all of the // application and orderer organizations defined for all chains. The root // certificates returned should be used to set the trusted client roots for diff --git a/core/comm/connection_test.go b/core/comm/connection_test.go index 0ed4bd79e83..4ac6cabceaa 100644 --- a/core/comm/connection_test.go +++ b/core/comm/connection_test.go @@ -139,6 +139,9 @@ func TestCASupport(t *testing.T) { assert.Exactly(t, casClone, cas, "Expected GetCASupport to be a singleton") creds := cas.GetDeliverServiceCredentials() + assert.Equal(t, "1.2", creds.Info().SecurityVersion, + "Expected Security version to be 1.2") + creds = cas.GetPeerCredentials() assert.Equal(t, "1.2", creds.Info().SecurityVersion, "Expected Security version to be 1.2") @@ -148,5 +151,8 @@ func TestCASupport(t *testing.T) { creds = cas.GetDeliverServiceCredentials() assert.Equal(t, "1.2", creds.Info().SecurityVersion, "Expected Security version to be 1.2") + creds = cas.GetPeerCredentials() + assert.Equal(t, "1.2", creds.Info().SecurityVersion, + "Expected Security version to be 1.2") } diff --git a/core/peer/peer_test.go b/core/peer/peer_test.go index d3da64b4567..fa9c9bab3d0 100644 --- a/core/peer/peer_test.go +++ b/core/peer/peer_test.go @@ -97,10 +97,15 @@ func TestCreateChainFromBlock(t *testing.T) { identity, _ := mgmt.GetLocalSigningIdentityOrPanic().Serialize() messageCryptoService := peergossip.NewMCS(&mocks.ChannelPolicyManagerGetter{}, localmsp.NewSigner(), mgmt.NewDeserializersManager()) secAdv := peergossip.NewSecurityAdvisor(mgmt.NewDeserializersManager()) + var defaultSecureDialOpts = func() []grpc.DialOption { + var dialOpts []grpc.DialOption + dialOpts = append(dialOpts, grpc.WithInsecure()) + return dialOpts + } service.InitGossipServiceCustomDeliveryFactory( identity, "localhost:13611", grpcServer, &mockDeliveryClientFactory{}, - messageCryptoService, secAdv) + messageCryptoService, secAdv, defaultSecureDialOpts) err = CreateChainFromBlock(block) if err != nil { diff --git a/core/scc/cscc/configure_test.go b/core/scc/cscc/configure_test.go index fad5b0a5b92..5b7f4251085 100644 --- a/core/scc/cscc/configure_test.go +++ b/core/scc/cscc/configure_test.go @@ -167,7 +167,7 @@ func TestConfigerInvokeJoinChainCorrectParams(t *testing.T) { identity, _ := mgmt.GetLocalSigningIdentityOrPanic().Serialize() messageCryptoService := peergossip.NewMCS(&mocks.ChannelPolicyManagerGetter{}, localmsp.NewSigner(), mgmt.NewDeserializersManager()) secAdv := peergossip.NewSecurityAdvisor(mgmt.NewDeserializersManager()) - service.InitGossipServiceCustomDeliveryFactory(identity, peerEndpoint, nil, &mockDeliveryClientFactory{}, messageCryptoService, secAdv) + service.InitGossipServiceCustomDeliveryFactory(identity, peerEndpoint, nil, &mockDeliveryClientFactory{}, messageCryptoService, secAdv, nil) // Successful path for JoinChain blockBytes := mockConfigBlock() diff --git a/gossip/api/crypto.go b/gossip/api/crypto.go index a6521c95903..0f1a17322f8 100644 --- a/gossip/api/crypto.go +++ b/gossip/api/crypto.go @@ -16,7 +16,10 @@ limitations under the License. package api -import "github.com/hyperledger/fabric/gossip/common" +import ( + "github.com/hyperledger/fabric/gossip/common" + "google.golang.org/grpc" +) // MessageCryptoService is the contract between the gossip component and the // peer's cryptographic layer and is used by the gossip component to verify, @@ -61,3 +64,7 @@ type PeerIdentityType []byte // PeerSuspector returns whether a peer with a given identity is suspected // as being revoked, or its CA is revoked type PeerSuspector func(identity PeerIdentityType) bool + +// PeerSecureDialOpts returns the gRPC DialOptions to use for connection level +// security when communicating with remote peer endpoints +type PeerSecureDialOpts func() []grpc.DialOption diff --git a/gossip/comm/comm_impl.go b/gossip/comm/comm_impl.go index 436dcb2dd22..6c479788893 100644 --- a/gossip/comm/comm_impl.go +++ b/gossip/comm/comm_impl.go @@ -65,10 +65,11 @@ func (c *commImpl) SetDialOpts(opts ...grpc.DialOption) { } // NewCommInstanceWithServer creates a comm instance that creates an underlying gRPC server -func NewCommInstanceWithServer(port int, idMapper identity.Mapper, peerIdentity api.PeerIdentityType, dialOpts ...grpc.DialOption) (Comm, error) { +func NewCommInstanceWithServer(port int, idMapper identity.Mapper, peerIdentity api.PeerIdentityType, + secureDialOpts api.PeerSecureDialOpts, dialOpts ...grpc.DialOption) (Comm, error) { + var ll net.Listener var s *grpc.Server - var secOpt grpc.DialOption var certHash []byte if len(dialOpts) == 0 { @@ -76,26 +77,26 @@ func NewCommInstanceWithServer(port int, idMapper identity.Mapper, peerIdentity } if port > 0 { - s, ll, secOpt, certHash = createGRPCLayer(port) - dialOpts = append(dialOpts, secOpt) + s, ll, secureDialOpts, certHash = createGRPCLayer(port) } commInst := &commImpl{ - selfCertHash: certHash, - PKIID: idMapper.GetPKIidOfCert(peerIdentity), - idMapper: idMapper, - logger: util.GetLogger(util.LoggingCommModule, fmt.Sprintf("%d", port)), - peerIdentity: peerIdentity, - opts: dialOpts, - port: port, - lsnr: ll, - gSrv: s, - msgPublisher: NewChannelDemultiplexer(), - lock: &sync.RWMutex{}, - deadEndpoints: make(chan common.PKIidType, 100), - stopping: int32(0), - exitChan: make(chan struct{}, 1), - subscriptions: make([]chan proto.ReceivedMessage, 0), + selfCertHash: certHash, + PKIID: idMapper.GetPKIidOfCert(peerIdentity), + idMapper: idMapper, + logger: util.GetLogger(util.LoggingCommModule, fmt.Sprintf("%d", port)), + peerIdentity: peerIdentity, + opts: dialOpts, + secureDialOpts: secureDialOpts, + port: port, + lsnr: ll, + gSrv: s, + msgPublisher: NewChannelDemultiplexer(), + lock: &sync.RWMutex{}, + deadEndpoints: make(chan common.PKIidType, 100), + stopping: int32(0), + exitChan: make(chan struct{}, 1), + subscriptions: make([]chan proto.ReceivedMessage, 0), } commInst.connStore = newConnStore(commInst, commInst.logger) commInst.idMapper.Put(idMapper.GetPKIidOfCert(peerIdentity), peerIdentity) @@ -117,9 +118,12 @@ func NewCommInstanceWithServer(port int, idMapper identity.Mapper, peerIdentity } // NewCommInstance creates a new comm instance that binds itself to the given gRPC server -func NewCommInstance(s *grpc.Server, cert *tls.Certificate, idStore identity.Mapper, peerIdentity api.PeerIdentityType, dialOpts ...grpc.DialOption) (Comm, error) { +func NewCommInstance(s *grpc.Server, cert *tls.Certificate, idStore identity.Mapper, + peerIdentity api.PeerIdentityType, secureDialOpts api.PeerSecureDialOpts, + dialOpts ...grpc.DialOption) (Comm, error) { + dialOpts = append(dialOpts, grpc.WithTimeout(util.GetDurationOrDefault("peer.gossip.dialTimeout", defDialTimeout))) - commInst, err := NewCommInstanceWithServer(-1, idStore, peerIdentity, dialOpts...) + commInst, err := NewCommInstanceWithServer(-1, idStore, peerIdentity, secureDialOpts, dialOpts...) if err != nil { return nil, err } @@ -139,24 +143,25 @@ func NewCommInstance(s *grpc.Server, cert *tls.Certificate, idStore identity.Map } type commImpl struct { - skipHandshake bool - selfCertHash []byte - peerIdentity api.PeerIdentityType - idMapper identity.Mapper - logger *logging.Logger - opts []grpc.DialOption - connStore *connectionStore - PKIID []byte - port int - deadEndpoints chan common.PKIidType - msgPublisher *ChannelDeMultiplexer - lock *sync.RWMutex - lsnr net.Listener - gSrv *grpc.Server - exitChan chan struct{} - stopping int32 - stopWG sync.WaitGroup - subscriptions []chan proto.ReceivedMessage + skipHandshake bool + selfCertHash []byte + peerIdentity api.PeerIdentityType + idMapper identity.Mapper + logger *logging.Logger + opts []grpc.DialOption + secureDialOpts func() []grpc.DialOption + connStore *connectionStore + PKIID []byte + port int + deadEndpoints chan common.PKIidType + msgPublisher *ChannelDeMultiplexer + lock *sync.RWMutex + lsnr net.Listener + gSrv *grpc.Server + exitChan chan struct{} + stopping int32 + stopWG sync.WaitGroup + subscriptions []chan proto.ReceivedMessage } func (c *commImpl) createConnection(endpoint string, expectedPKIID common.PKIidType) (*connection, error) { @@ -165,6 +170,7 @@ func (c *commImpl) createConnection(endpoint string, expectedPKIID common.PKIidT var stream proto.Gossip_GossipStreamClient var pkiID common.PKIidType var connInfo *proto.ConnectionInfo + var dialOpts []grpc.DialOption c.logger.Debug("Entering", endpoint, expectedPKIID) defer c.logger.Debug("Exiting") @@ -172,7 +178,10 @@ func (c *commImpl) createConnection(endpoint string, expectedPKIID common.PKIidT if c.isStopping() { return nil, errors.New("Stopping") } - cc, err = grpc.Dial(endpoint, append(c.opts, grpc.WithBlock())...) + dialOpts = append(dialOpts, c.secureDialOpts()...) + dialOpts = append(dialOpts, grpc.WithBlock()) + dialOpts = append(dialOpts, c.opts...) + cc, err = grpc.Dial(endpoint, dialOpts...) if err != nil { return nil, err } @@ -257,13 +266,18 @@ func (c *commImpl) isStopping() bool { } func (c *commImpl) Probe(remotePeer *RemotePeer) error { + var dialOpts []grpc.DialOption endpoint := remotePeer.Endpoint pkiID := remotePeer.PKIID if c.isStopping() { return errors.New("Stopping") } c.logger.Debug("Entering, endpoint:", endpoint, "PKIID:", pkiID) - cc, err := grpc.Dial(remotePeer.Endpoint, append(c.opts, grpc.WithBlock())...) + dialOpts = append(dialOpts, c.secureDialOpts()...) + dialOpts = append(dialOpts, grpc.WithBlock()) + dialOpts = append(dialOpts, c.opts...) + + cc, err := grpc.Dial(remotePeer.Endpoint, dialOpts...) if err != nil { c.logger.Debug("Returning", err) return err @@ -276,7 +290,12 @@ func (c *commImpl) Probe(remotePeer *RemotePeer) error { } func (c *commImpl) Handshake(remotePeer *RemotePeer) (api.PeerIdentityType, error) { - cc, err := grpc.Dial(remotePeer.Endpoint, append(c.opts, grpc.WithBlock())...) + var dialOpts []grpc.DialOption + dialOpts = append(dialOpts, c.secureDialOpts()...) + dialOpts = append(dialOpts, grpc.WithBlock()) + dialOpts = append(dialOpts, c.opts...) + + cc, err := grpc.Dial(remotePeer.Endpoint, dialOpts...) if err != nil { return nil, err } @@ -590,13 +609,13 @@ type stream interface { grpc.Stream } -func createGRPCLayer(port int) (*grpc.Server, net.Listener, grpc.DialOption, []byte) { +func createGRPCLayer(port int) (*grpc.Server, net.Listener, api.PeerSecureDialOpts, []byte) { var returnedCertHash []byte var s *grpc.Server var ll net.Listener var err error var serverOpts []grpc.ServerOption - var dialOpts grpc.DialOption + var dialOpts []grpc.DialOption keyFileName := fmt.Sprintf("key.%d.pem", util.RandomUInt64()) certFileName := fmt.Sprintf("cert.%d.pem", util.RandomUInt64()) @@ -627,9 +646,9 @@ func createGRPCLayer(port int) (*grpc.Server, net.Listener, grpc.DialOption, []b Certificates: []tls.Certificate{cert}, InsecureSkipVerify: true, }) - dialOpts = grpc.WithTransportCredentials(&authCreds{tlsCreds: ta}) + dialOpts = append(dialOpts, grpc.WithTransportCredentials(&authCreds{tlsCreds: ta})) } else { - dialOpts = grpc.WithInsecure() + dialOpts = append(dialOpts, grpc.WithInsecure()) } listenAddress := fmt.Sprintf("%s:%d", "", port) @@ -637,7 +656,9 @@ func createGRPCLayer(port int) (*grpc.Server, net.Listener, grpc.DialOption, []b if err != nil { panic(err) } - + secureDialOpts := func() []grpc.DialOption { + return dialOpts + } s = grpc.NewServer(serverOpts...) - return s, ll, dialOpts, returnedCertHash + return s, ll, secureDialOpts, returnedCertHash } diff --git a/gossip/comm/comm_test.go b/gossip/comm/comm_test.go index bd4573792f8..af210988c3f 100644 --- a/gossip/comm/comm_test.go +++ b/gossip/comm/comm_test.go @@ -105,7 +105,7 @@ func (*naiveSecProvider) VerifyByChannel(_ common.ChainID, _ api.PeerIdentityTyp func newCommInstance(port int, sec api.MessageCryptoService) (Comm, error) { endpoint := fmt.Sprintf("localhost:%d", port) - inst, err := NewCommInstanceWithServer(port, identity.NewIdentityMapper(sec), []byte(endpoint)) + inst, err := NewCommInstanceWithServer(port, identity.NewIdentityMapper(sec), []byte(endpoint), nil) return inst, err } diff --git a/gossip/gossip/gossip_impl.go b/gossip/gossip/gossip_impl.go index 72a4cf253f6..9946ea9411d 100644 --- a/gossip/gossip/gossip_impl.go +++ b/gossip/gossip/gossip_impl.go @@ -79,15 +79,18 @@ type gossipServiceImpl struct { } // NewGossipService creates a gossip instance attached to a gRPC server -func NewGossipService(conf *Config, s *grpc.Server, secAdvisor api.SecurityAdvisor, mcs api.MessageCryptoService, idMapper identity.Mapper, selfIdentity api.PeerIdentityType, dialOpts ...grpc.DialOption) Gossip { +func NewGossipService(conf *Config, s *grpc.Server, secAdvisor api.SecurityAdvisor, + mcs api.MessageCryptoService, idMapper identity.Mapper, selfIdentity api.PeerIdentityType, + secureDialOpts api.PeerSecureDialOpts) Gossip { + var c comm.Comm var err error lgr := util.GetLogger(util.LoggingGossipModule, conf.ID) if s == nil { - c, err = createCommWithServer(conf.BindPort, idMapper, selfIdentity) + c, err = createCommWithServer(conf.BindPort, idMapper, selfIdentity, secureDialOpts) } else { - c, err = createCommWithoutServer(s, conf.TLSServerCert, idMapper, selfIdentity, dialOpts...) + c, err = createCommWithoutServer(s, conf.TLSServerCert, idMapper, selfIdentity, secureDialOpts) } if err != nil { @@ -159,17 +162,20 @@ func newChannelState(g *gossipServiceImpl) *channelState { } } -func createCommWithoutServer(s *grpc.Server, cert *tls.Certificate, idStore identity.Mapper, identity api.PeerIdentityType, dialOpts ...grpc.DialOption) (comm.Comm, error) { - return comm.NewCommInstance(s, cert, idStore, identity, dialOpts...) +func createCommWithoutServer(s *grpc.Server, cert *tls.Certificate, idStore identity.Mapper, + identity api.PeerIdentityType, secureDialOpts api.PeerSecureDialOpts) (comm.Comm, error) { + return comm.NewCommInstance(s, cert, idStore, identity, secureDialOpts) } // NewGossipServiceWithServer creates a new gossip instance with a gRPC server -func NewGossipServiceWithServer(conf *Config, secAdvisor api.SecurityAdvisor, mcs api.MessageCryptoService, mapper identity.Mapper, identity api.PeerIdentityType) Gossip { - return NewGossipService(conf, nil, secAdvisor, mcs, mapper, identity) +func NewGossipServiceWithServer(conf *Config, secAdvisor api.SecurityAdvisor, mcs api.MessageCryptoService, + mapper identity.Mapper, identity api.PeerIdentityType, secureDialOpts api.PeerSecureDialOpts) Gossip { + return NewGossipService(conf, nil, secAdvisor, mcs, mapper, identity, secureDialOpts) } -func createCommWithServer(port int, idStore identity.Mapper, identity api.PeerIdentityType) (comm.Comm, error) { - return comm.NewCommInstanceWithServer(port, idStore, identity) +func createCommWithServer(port int, idStore identity.Mapper, identity api.PeerIdentityType, + secureDialOpts api.PeerSecureDialOpts) (comm.Comm, error) { + return comm.NewCommInstanceWithServer(port, idStore, identity, secureDialOpts) } func (g *gossipServiceImpl) toDie() bool { diff --git a/gossip/gossip/gossip_test.go b/gossip/gossip/gossip_test.go index 6dff1ae7cad..3b9f176cd7d 100644 --- a/gossip/gossip/gossip_test.go +++ b/gossip/gossip/gossip_test.go @@ -219,7 +219,8 @@ func newGossipInstanceWithCustomMCS(portPrefix int, id int, maxMsgCount int, mcs } idMapper := identity.NewIdentityMapper(mcs) - g := NewGossipServiceWithServer(conf, &orgCryptoService{}, mcs, idMapper, api.PeerIdentityType(conf.InternalEndpoint)) + g := NewGossipServiceWithServer(conf, &orgCryptoService{}, mcs, idMapper, + api.PeerIdentityType(conf.InternalEndpoint), nil) return g } @@ -251,7 +252,8 @@ func newGossipInstanceWithOnlyPull(portPrefix int, id int, maxMsgCount int, boot cryptoService := &naiveCryptoService{} idMapper := identity.NewIdentityMapper(cryptoService) - g := NewGossipServiceWithServer(conf, &orgCryptoService{}, cryptoService, idMapper, api.PeerIdentityType(conf.InternalEndpoint)) + g := NewGossipServiceWithServer(conf, &orgCryptoService{}, cryptoService, idMapper, + api.PeerIdentityType(conf.InternalEndpoint), nil) return g } diff --git a/gossip/gossip/orgs_test.go b/gossip/gossip/orgs_test.go index 3b8600e6ecf..d3f257e4185 100644 --- a/gossip/gossip/orgs_test.go +++ b/gossip/gossip/orgs_test.go @@ -121,7 +121,8 @@ func newGossipInstanceWithExternalEndpoint(portPrefix int, id int, mcs *configur } idMapper := identity.NewIdentityMapper(mcs) - g := NewGossipServiceWithServer(conf, mcs, mcs, idMapper, api.PeerIdentityType(conf.InternalEndpoint)) + g := NewGossipServiceWithServer(conf, mcs, mcs, idMapper, api.PeerIdentityType(conf.InternalEndpoint), + nil) return g } diff --git a/gossip/integration/integration.go b/gossip/integration/integration.go index 5ceb65f1436..e4bc0359640 100644 --- a/gossip/integration/integration.go +++ b/gossip/integration/integration.go @@ -70,12 +70,15 @@ func newConfig(selfEndpoint string, externalEndpoint string, bootPeers ...string } // NewGossipComponent creates a gossip component that attaches itself to the given gRPC server -func NewGossipComponent(peerIdentity []byte, endpoint string, s *grpc.Server, secAdv api.SecurityAdvisor, cryptSvc api.MessageCryptoService, idMapper identity.Mapper, dialOpts []grpc.DialOption, bootPeers ...string) gossip.Gossip { +func NewGossipComponent(peerIdentity []byte, endpoint string, s *grpc.Server, + secAdv api.SecurityAdvisor, cryptSvc api.MessageCryptoService, idMapper identity.Mapper, + secureDialOpts api.PeerSecureDialOpts, bootPeers ...string) gossip.Gossip { externalEndpoint := viper.GetString("peer.gossip.externalEndpoint") conf := newConfig(endpoint, externalEndpoint, bootPeers...) - gossipInstance := gossip.NewGossipService(conf, s, secAdv, cryptSvc, idMapper, peerIdentity, dialOpts...) + gossipInstance := gossip.NewGossipService(conf, s, secAdv, cryptSvc, idMapper, + peerIdentity, secureDialOpts) return gossipInstance } diff --git a/gossip/integration/integration_test.go b/gossip/integration/integration_test.go index 7f3d28e130e..ebb615206b4 100644 --- a/gossip/integration/integration_test.go +++ b/gossip/integration/integration_test.go @@ -42,6 +42,11 @@ var ( cryptSvc = &cryptoService{} secAdv = &secAdviser{} ) +var defaultSecureDialOpts = func() []grpc.DialOption { + var dialOpts []grpc.DialOption + dialOpts = append(dialOpts, grpc.WithInsecure()) + return dialOpts +} // This is just a test that shows how to instantiate a gossip component func TestNewGossipCryptoService(t *testing.T) { @@ -59,9 +64,12 @@ func TestNewGossipCryptoService(t *testing.T) { peerIdentity, _ := mgmt.GetLocalSigningIdentityOrPanic().Serialize() idMapper := identity.NewIdentityMapper(cryptSvc) - g1 := NewGossipComponent(peerIdentity, endpoint1, s1, secAdv, cryptSvc, idMapper, []grpc.DialOption{grpc.WithInsecure()}) - g2 := NewGossipComponent(peerIdentity, endpoint2, s2, secAdv, cryptSvc, idMapper, []grpc.DialOption{grpc.WithInsecure()}, endpoint1) - g3 := NewGossipComponent(peerIdentity, endpoint3, s3, secAdv, cryptSvc, idMapper, []grpc.DialOption{grpc.WithInsecure()}, endpoint1) + g1 := NewGossipComponent(peerIdentity, endpoint1, s1, secAdv, cryptSvc, idMapper, + defaultSecureDialOpts) + g2 := NewGossipComponent(peerIdentity, endpoint2, s2, secAdv, cryptSvc, idMapper, + defaultSecureDialOpts, endpoint1) + g3 := NewGossipComponent(peerIdentity, endpoint3, s3, secAdv, cryptSvc, idMapper, + defaultSecureDialOpts, endpoint1) defer g1.Stop() defer g2.Stop() defer g3.Stop() @@ -80,7 +88,8 @@ func TestBadInitialization(t *testing.T) { }) assert.Panics(t, func() { viper.Set("peer.tls.enabled", true) - NewGossipComponent(peerIdentity, "localhost:5000", s1, secAdv, cryptSvc, idMapper, []grpc.DialOption{grpc.WithInsecure()}) + NewGossipComponent(peerIdentity, "localhost:5000", s1, secAdv, cryptSvc, idMapper, + defaultSecureDialOpts) }) } diff --git a/gossip/service/gossip_service.go b/gossip/service/gossip_service.go index c1289038389..a66df1b76d9 100644 --- a/gossip/service/gossip_service.go +++ b/gossip/service/gossip_service.go @@ -19,7 +19,6 @@ package service import ( "sync" - peerComm "github.com/hyperledger/fabric/core/comm" "github.com/hyperledger/fabric/core/committer" "github.com/hyperledger/fabric/core/deliverservice" "github.com/hyperledger/fabric/core/deliverservice/blocksprovider" @@ -120,34 +119,29 @@ func (jcm *joinChannelMessage) AnchorPeersOf(org api.OrgIdentityType) []api.Anch var logger = util.GetLogger(util.LoggingServiceModule, "") // InitGossipService initialize gossip service -func InitGossipService(peerIdentity []byte, endpoint string, s *grpc.Server, mcs api.MessageCryptoService, secAdv api.SecurityAdvisor, bootPeers ...string) { +func InitGossipService(peerIdentity []byte, endpoint string, s *grpc.Server, mcs api.MessageCryptoService, + secAdv api.SecurityAdvisor, secureDialOpts api.PeerSecureDialOpts, bootPeers ...string) { // TODO: Remove this. // TODO: This is a temporary work-around to make the gossip leader election module load its logger at startup // TODO: in order for the flogging package to register this logger in time so it can set the log levels as requested in the config util.GetLogger(util.LoggingElectionModule, "") - InitGossipServiceCustomDeliveryFactory(peerIdentity, endpoint, s, &deliveryFactoryImpl{}, mcs, secAdv, bootPeers...) + InitGossipServiceCustomDeliveryFactory(peerIdentity, endpoint, s, &deliveryFactoryImpl{}, + mcs, secAdv, secureDialOpts, bootPeers...) } // InitGossipServiceCustomDeliveryFactory initialize gossip service with customize delivery factory // implementation, might be useful for testing and mocking purposes -func InitGossipServiceCustomDeliveryFactory(peerIdentity []byte, endpoint string, s *grpc.Server, factory DeliveryServiceFactory, mcs api.MessageCryptoService, secAdv api.SecurityAdvisor, bootPeers ...string) { +func InitGossipServiceCustomDeliveryFactory(peerIdentity []byte, endpoint string, s *grpc.Server, + factory DeliveryServiceFactory, mcs api.MessageCryptoService, secAdv api.SecurityAdvisor, + secureDialOpts api.PeerSecureDialOpts, bootPeers ...string) { once.Do(func() { logger.Info("Initialize gossip with endpoint", endpoint, "and bootstrap set", bootPeers) - dialOpts := []grpc.DialOption{} - if peerComm.TLSEnabled() { - dialOpts = append(dialOpts, grpc.WithTransportCredentials(peerComm.InitTLSForPeer())) - } else { - dialOpts = append(dialOpts, grpc.WithInsecure()) - } - - if overrideEndpoint := viper.GetString("peer.gossip.endpoint"); overrideEndpoint != "" { - endpoint = overrideEndpoint - } idMapper := identity.NewIdentityMapper(mcs) idMapper.Put(mcs.GetPKIidOfCert(peerIdentity), peerIdentity) - gossip := integration.NewGossipComponent(peerIdentity, endpoint, s, secAdv, mcs, idMapper, dialOpts, bootPeers...) + gossip := integration.NewGossipComponent(peerIdentity, endpoint, s, secAdv, + mcs, idMapper, secureDialOpts, bootPeers...) gossipServiceInstance = &gossipServiceImpl{ mcs: mcs, gossipSvc: gossip, diff --git a/gossip/service/gossip_service_test.go b/gossip/service/gossip_service_test.go index 4b5b18e03ac..1b22a8f93fc 100644 --- a/gossip/service/gossip_service_test.go +++ b/gossip/service/gossip_service_test.go @@ -69,7 +69,8 @@ func TestInitGossipService(t *testing.T) { go func() { messageCryptoService := peergossip.NewMCS(&mocks.ChannelPolicyManagerGetter{}, localmsp.NewSigner(), mgmt.NewDeserializersManager()) secAdv := peergossip.NewSecurityAdvisor(mgmt.NewDeserializersManager()) - InitGossipService(identity, "localhost:5611", grpcServer, messageCryptoService, secAdv) + InitGossipService(identity, "localhost:5611", grpcServer, messageCryptoService, + secAdv, nil) wg.Done() }() @@ -614,7 +615,8 @@ func newGossipInstance(portPrefix int, id int, maxMsgCount int, boot ...int) Gos cryptoService := &naiveCryptoService{} idMapper := identity.NewIdentityMapper(cryptoService) - gossip := gossip.NewGossipServiceWithServer(conf, &orgCryptoService{}, cryptoService, idMapper, api.PeerIdentityType(conf.InternalEndpoint)) + gossip := gossip.NewGossipServiceWithServer(conf, &orgCryptoService{}, cryptoService, + idMapper, api.PeerIdentityType(conf.InternalEndpoint), nil) gossipService := &gossipServiceImpl{ gossipSvc: gossip, @@ -704,7 +706,8 @@ func TestInvalidInitialization(t *testing.T) { defer grpcServer.Stop() secAdv := peergossip.NewSecurityAdvisor(mgmt.NewDeserializersManager()) - InitGossipService(api.PeerIdentityType("IDENTITY"), "localhost:7611", grpcServer, &naiveCryptoService{}, secAdv) + InitGossipService(api.PeerIdentityType("IDENTITY"), "localhost:7611", grpcServer, + &naiveCryptoService{}, secAdv, nil) gService := GetGossipService().(*gossipServiceImpl) defer gService.Stop() @@ -727,7 +730,8 @@ func TestChannelConfig(t *testing.T) { defer grpcServer.Stop() secAdv := peergossip.NewSecurityAdvisor(mgmt.NewDeserializersManager()) - InitGossipService(api.PeerIdentityType("IDENTITY"), "localhost:6611", grpcServer, &naiveCryptoService{}, secAdv) + InitGossipService(api.PeerIdentityType("IDENTITY"), "localhost:6611", grpcServer, + &naiveCryptoService{}, secAdv, nil) gService := GetGossipService().(*gossipServiceImpl) defer gService.Stop() diff --git a/gossip/state/state_test.go b/gossip/state/state_test.go index 4ecc0d5712a..58fa22c1a88 100644 --- a/gossip/state/state_test.go +++ b/gossip/state/state_test.go @@ -215,8 +215,8 @@ func newGossipConfig(id int, boot ...int) *gossip.Config { // Create gossip instance func newGossipInstance(config *gossip.Config, mcs api.MessageCryptoService) gossip.Gossip { idMapper := identity.NewIdentityMapper(mcs) - - return gossip.NewGossipServiceWithServer(config, &orgCryptoService{}, mcs, idMapper, []byte(config.InternalEndpoint)) + return gossip.NewGossipServiceWithServer(config, &orgCryptoService{}, mcs, + idMapper, []byte(config.InternalEndpoint), nil) } // Create new instance of KVLedger to be used for testing diff --git a/peer/node/start.go b/peer/node/start.go index 51894d97269..64507cd0f8e 100644 --- a/peer/node/start.go +++ b/peer/node/start.go @@ -163,7 +163,18 @@ func serve(args []string) error { mgmt.NewDeserializersManager()) secAdv := peergossip.NewSecurityAdvisor(mgmt.NewDeserializersManager()) - service.InitGossipService(serializedIdentity, peerEndpoint.Address, peerServer.Server(), messageCryptoService, secAdv, bootstrap...) + // callback function for secure dial options for gossip service + secureDialOpts := func() []grpc.DialOption { + var dialOpts []grpc.DialOption + if comm.TLSEnabled() { + dialOpts = append(dialOpts, grpc.WithTransportCredentials(comm.GetCASupport().GetPeerCredentials())) + } else { + dialOpts = append(dialOpts, grpc.WithInsecure()) + } + return dialOpts + } + service.InitGossipService(serializedIdentity, peerEndpoint.Address, peerServer.Server(), + messageCryptoService, secAdv, secureDialOpts, bootstrap...) defer service.GetGossipService().Stop() //initialize system chaincodes