From b024fc8785289de5a553e02648ba8d04c9b548d7 Mon Sep 17 00:00:00 2001
From: Tiffany Harris
Date: Thu, 5 Nov 2020 14:47:48 -0500
Subject: [PATCH] [FAB-18298] Default cluster cert and key
Signed-off-by: Tiffany Harris
Signed-off-by: Will Lahti
---
 integration/raft/cft_test.go | 2 +
 orderer/common/server/main.go | 16 +++--
 orderer/common/server/main_test.go | 104 ++++++++++++++++++++++++++---
 3 files changed, 109 insertions(+), 13 deletions(-)
diff --git a/integration/raft/cft_test.go b/integration/raft/cft_test.go
index edbdc99f6f7..519c2573437 100644
--- a/integration/raft/cft_test.go
+++ b/integration/raft/cft_test.go
@@ -470,6 +470,8 @@ var _ = Describe("EndToEnd Crash Fault Tolerance", func() {
 			ordererConfig.General.Cluster.ListenAddress = ""
 			ordererConfig.General.Cluster.ServerCertificate = ""
 			ordererConfig.General.Cluster.ServerPrivateKey = ""
+			ordererConfig.General.Cluster.ClientCertificate = ""
+			ordererConfig.General.Cluster.ClientPrivateKey = ""
 			network.WriteOrdererConfig(orderer, ordererConfig)
 		}
diff --git a/orderer/common/server/main.go b/orderer/common/server/main.go
index 41aaa2e3435..89a6b1dc536 100644
--- a/orderer/common/server/main.go
+++ b/orderer/common/server/main.go
@@ -539,17 +539,23 @@ func initializeClusterClientConfig(conf *localconfig.TopLevel) comm.ClientConfig
 		SecOpts: comm.SecureOptions{},
 	}
-	if conf.General.Cluster.ClientCertificate == "" {
-		return cc
-	}
+	reuseGrpcListener := reuseListener(conf)
 	certFile := conf.General.Cluster.ClientCertificate
+	keyFile := conf.General.Cluster.ClientPrivateKey
+	if certFile == "" && keyFile == "" {
+		if !reuseGrpcListener {
+			return cc
+		}
+		certFile = conf.General.TLS.Certificate
+		keyFile = conf.General.TLS.PrivateKey
+	}
+
 	certBytes, err := ioutil.ReadFile(certFile)
 	if err != nil {
 		logger.Fatalf("Failed to load client TLS certificate file '%s' (%s)", certFile, err)
 	}
-	keyFile := conf.General.Cluster.ClientPrivateKey
 	keyBytes, err := ioutil.ReadFile(keyFile)
 	if err != nil {
 		logger.Fatalf("Failed to load client TLS key file '%s' (%s)", keyFile, err)
@@ -565,7 +571,7 @@ func initializeClusterClientConfig(conf *localconfig.TopLevel) comm.ClientConfig
 	}
 	timeShift := conf.General.TLS.TLSHandshakeTimeShift
-	if reuseGrpcListener := reuseListener(conf); !reuseGrpcListener {
+	if !reuseGrpcListener {
 		timeShift = conf.General.Cluster.TLSHandshakeTimeShift
 	}
diff --git a/orderer/common/server/main_test.go b/orderer/common/server/main_test.go
index a49515ebd27..153c6eabc01 100644
--- a/orderer/common/server/main_test.go
+++ b/orderer/common/server/main_test.go
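Review bot: The new guard `if certFile == "" && keyFile == ""` only handles the both-empty case, so a half-configured pair — `General.Cluster.ClientCertificate` set and `General.Cluster.ClientPrivateKey` empty, or the reverse — falls through to `ioutil.ReadFile("")` and dies with `Failed to load client TLS key file '' (…)`, which does not tell the operator which setting is missing (before this change the key-only case quietly returned `cc` without cluster TLS, so it is now fatal either way, just with a misleading message). I would add, right after the fallback block, `if certFile == "" || keyFile == "" { logger.Fatalf("General.Cluster.ClientCertificate and General.Cluster.ClientPrivateKey must be set together") }`. The fallback itself also deserves a comment or an info-level log line, because it silently makes the general TLS key pair do double duty as the cluster client identity whenever the gRPC listener is reused (presumably what `reuseListener` decides; its body is outside the hunk), and that kind of key reuse is something an operator would want stated explicitly. initializeClusterClientConfig starts and ends outside the hunk.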
@@ -195,14 +195,102 @@ func TestInitializeServerConfig(t *testing.T) {
 		clusterCert string
 		clusterKey string
 		clusterCA string
+		isCluster bool
 	}{
-		{"BadCertificate", badFile, goodFile, goodFile, goodFile, "", "", ""},
-		{"BadPrivateKey", goodFile, badFile, goodFile, goodFile, "", "", ""},
-		{"BadRootCA", goodFile, goodFile, badFile, goodFile, "", "", ""},
-		{"BadClientRootCertificate", goodFile, goodFile, goodFile, badFile, "", "", ""},
-		{"ClusterBadCertificate", goodFile, goodFile, goodFile, goodFile, badFile, goodFile, goodFile},
-		{"ClusterBadPrivateKey", goodFile, goodFile, goodFile, goodFile, goodFile, badFile, goodFile},
-		{"ClusterBadRootCA", goodFile, goodFile, goodFile, goodFile, goodFile, goodFile, badFile},
+		{
+			name: "BadCertificate",
+			certificate: badFile,
+			privateKey: goodFile,
+			rootCA: goodFile,
+			clientRootCert: goodFile,
+		},
+		{
+			name: "BadPrivateKey",
+			certificate: goodFile,
+			privateKey: badFile,
+			rootCA: goodFile,
+			clientRootCert: goodFile,
+		},
+		{
+			name: "BadRootCA",
+			certificate: goodFile,
+			privateKey: goodFile,
+			rootCA: badFile,
+			clientRootCert: goodFile,
+		},
+		{
+			name: "BadClientRootCertificate",
+			certificate: goodFile,
+			privateKey: goodFile,
+			rootCA: goodFile,
+			clientRootCert: badFile,
+		},
+		{
+			name: "BadCertificate - cluster reuses server config",
+			certificate: badFile,
+			privateKey: goodFile,
+			rootCA: goodFile,
+			clientRootCert: goodFile,
+			clusterCert: "",
+			clusterKey: "",
+			clusterCA: "",
+			isCluster: true,
+		},
+		{
+			name: "BadPrivateKey - cluster reuses server config",
+			certificate: goodFile,
+			privateKey: badFile,
+			rootCA: goodFile,
+			clientRootCert: goodFile,
+			clusterCert: "",
+			clusterKey: "",
+			clusterCA: "",
+			isCluster: true,
+		},
+		{
+			name: "BadRootCA - cluster reuses server config",
+			certificate: goodFile,
+			privateKey: goodFile,
+			rootCA: badFile,
+			clientRootCert: goodFile,
+			clusterCert: "",
+			clusterKey: "",
+			clusterCA: "",
+			isCluster: true,
+		},
+		{
+			name: "ClusterBadCertificate",
+			certificate: goodFile,
+			privateKey: goodFile,
+			rootCA: goodFile,
+			clientRootCert: goodFile,
+			clusterCert: badFile,
+			clusterKey: goodFile,
+			clusterCA: goodFile,
+			isCluster: true,
+		},
+		{
+			name: "ClusterBadPrivateKey",
+			certificate: goodFile,
+			privateKey: goodFile,
+			rootCA: goodFile,
+			clientRootCert: goodFile,
+			clusterCert: goodFile,
+			clusterKey: badFile,
+			clusterCA: goodFile,
+			isCluster: true,
+		},
+		{
+			name: "ClusterBadRootCA",
+			certificate: goodFile,
+			privateKey: goodFile,
+			rootCA: goodFile,
+			clientRootCert: goodFile,
+			clusterCert: goodFile,
+			clusterKey: goodFile,
+			clusterCA: badFile,
+			isCluster: true,
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -224,7 +312,7 @@ func TestInitializeServerConfig(t *testing.T) {
 				},
 			}
 			require.Panics(t, func() {
-				if tc.clusterCert == "" {
+				if !tc.isCluster {
 					initializeServerConfig(conf, nil)
 				} else {
 					initializeClusterClientConfig(conf)
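Review bot: Every new `isCluster: true` case asserts only that the call panics; nothing in this hunk shows the success path of the new fallback — cluster cert/key left empty, listener reused, `goodFile` for the general TLS fields — returning without a panic and with TLS material actually loaded, so a regression that made the fallback always fatal would still pass this table. I would add one case for that input driven by `require.NotPanics(t, func() { initializeClusterClientConfig(conf) })`, plus a partial case (`clusterCert: goodFile, clusterKey: ""`, `isCluster: true`) with a comment stating that a half-configured pair is expected to be fatal rather than to fall back, since the `certFile == "" && keyFile == ""` guard in main.go does not cover it. The `- cluster reuses server config` names carry the intent, but which `conf` field makes `reuseListener` return true is set up outside the hunk; a short comment on the first of those cases naming that field would save the next reader a trip to the fixture. TestInitializeServerConfig starts and ends outside the hunk.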