Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Peer CLI communicate with orderers with expired TLS certs #1863

Merged
merged 1 commit into from
Sep 15, 2020

Conversation

wlahti
Copy link
Contributor

@wlahti wlahti commented Sep 9, 2020

Type of change

  • New feature

Description

Implement a TLS handshake timeshift for the "peer channel fetch" and "peer channel update" comands to allow fetching config blocks and updating the config for orderers with expired TLS certificates.

Related issues

FAB-18205

@wlahti wlahti requested a review from a team as a code owner September 9, 2020 18:44
@wlahti wlahti force-pushed the fab-18205 branch 4 times, most recently from f556ce0 to 6f852a0 Compare September 10, 2020 13:42
if c.OutputFile != "" {
args = append(args, c.OutputFile)
"--channelID", c.ChannelID,
"--orderer", c.Orderer,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we never use this command to pull blocks from a peer? Certainly channelID should not be empty, but it seems that the others could be?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made this change because the code here was unnecessarily complex and inconsistent with (at least the majority) of the command helpers. For these args, we can just set them regardless of whether they're empty or not. The CLI logic will fetch from the peer if the specified orderer arg is empty.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, makes sense. thanks.

@@ -86,6 +89,7 @@ func resetFlags() {
flags.StringVarP(&outputBlock, "outputBlock", "", common.UndefinedParamValue, `The path to write the genesis block for the channel. (default ./<channelID>.block)`)
flags.DurationVarP(&timeout, "timeout", "t", 10*time.Second, "Channel creation timeout")
flags.BoolVarP(&bestEffort, "bestEffort", "", false, "Whether fetch requests should ignore errors and return blocks on a best effort basis")
flags.DurationVarP(&tlsHandshakeTimeShift, "tlsHandshakeTimeShift", "", 0, "The amount of time to shift backwards during TLS handshakes")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps expand a bit in the descriptive text, something like "... of time to shift backwards for certificate expiration checks during ..."

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@@ -22,11 +23,12 @@ type OrdererClient struct {

// NewOrdererClientFromEnv creates an instance of an OrdererClient from the
// global Viper instance
func NewOrdererClientFromEnv() (*OrdererClient, error) {
func NewOrdererClientFromEnv(tlsHandshakeTimeShift time.Duration) (*OrdererClient, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not saying that the viper approach is a great one, but it's a little odd that all of the parameters for setting up the ordering connection are wired in via configFromEnv, but not the timeshift. And, it's also pretty ugly that everyone calling for this function has to explicitly disable the timeshift by passing in a zero value. I don't know that it gets any less ugly following the existing pattern, but thought I'd ask?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I definitely don't love this change. I did it this way because I hadn't realized the viper config that configFromEnv was using actually derives from flags that are then viper.Set in peer/common/ordererenv.go's SetOrdererEnv(). I'll update things to be consistent with the others now that I realize that.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

Implement a TLS handshake timeshift for the "peer channel fetch"
and "peer channel update" comands to allow fetching config blocks
and updating the config for orderers with expired TLS certificates.

FAB-18205 #done

Signed-off-by: Will Lahti <wtlahti@us.ibm.com>
if c.OutputFile != "" {
args = append(args, c.OutputFile)
"--channelID", c.ChannelID,
"--orderer", c.Orderer,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, makes sense. thanks.

@jyellick jyellick merged commit cbf16f0 into hyperledger:master Sep 15, 2020
wlahti added a commit to wlahti/fabric that referenced this pull request Sep 15, 2020
…r#1863)

Implement a TLS handshake timeshift for the "peer channel fetch"
and "peer channel update" comands to allow fetching config blocks
and updating the config for orderers with expired TLS certificates.

FAB-18205 #done

Signed-off-by: Will Lahti <wtlahti@us.ibm.com>
denyeart pushed a commit that referenced this pull request Sep 17, 2020
Implement a TLS handshake timeshift for the "peer channel fetch"
and "peer channel update" comands to allow fetching config blocks
and updating the config for orderers with expired TLS certificates.

FAB-18205 #done

Signed-off-by: Will Lahti <wtlahti@us.ibm.com>
@wlahti wlahti deleted the fab-18205 branch September 25, 2020 15:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants