Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Gateway support for mutual TLS networks #3235

Merged
merged 1 commit into from
Feb 21, 2022
Merged

Gateway support for mutual TLS networks #3235

merged 1 commit into from
Feb 21, 2022

Conversation

andrew-coleman
Copy link
Member

To support client authentication (mTLS), the gateway needs to pass the host peer’s client certificate when making connections to the other nodes in the network.
If client authentication is not enabled, then these certs will be ignored.

Resolves #3234

Signed-off-by: andrew-coleman andrew_coleman@uk.ibm.com

@andrew-coleman andrew-coleman requested a review from a team as a code owner February 17, 2022 12:10
yacovm
yacovm reviewed Feb 18, 2022
View reviewed changes
internal/pkg/comm/config.go Outdated
@@ -164,6 +164,8 @@ type SecureOptions struct {
Certificate []byte
// PEM-encoded private key to be used for TLS communication
Key []byte
// The client certificate which, if specified, will be used instead of the PEM-encoded Certificate/Key pair
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But why would you do this? Why have two different ways to construct the SecureOptions?
Until this PR, the entire code base used the SecureOptions as-is. Do we really have to expand this configuration structure and add another field that can be constructed from the existing fields?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair point

yacovm
yacovm reviewed Feb 18, 2022
View reviewed changes
integration/gateway/gateway_mtls_test.go Outdated
"github.com/tedsuo/ifrit"
)

var _ = Describe("GatewayService with mutual TLS network", func() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really have to spin up an entire network, (with three Raft nodes....), to check that the gateway sends its TLS certificate to a peer or an orderer?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was probably overkill, but it gave me confidence I'd really fixed the problem. I've replaced it with a minimal unit test that spins up a grpc server with client auth enabled, and checks the gateway's endpointFactory can connect to it.

yacovm
yacovm reviewed Feb 18, 2022
View reviewed changes
internal/pkg/gateway/gateway.go Outdated
@@ -76,13 +77,13 @@ func CreateServer(localEndorser peerproto.EndorserServer, discovery Discovery, p
return server
}

func newServer(localEndorser peerproto.EndorserClient, discovery Discovery, finder CommitFinder, policy ACLChecker, ledgerProvider LedgerProvider, localPKIID common.PKIidType, localEndpoint, localMSPID string, options config.Options) *Server {
func newServer(localEndorser peerproto.EndorserClient, discovery Discovery, finder CommitFinder, policy ACLChecker, ledgerProvider LedgerProvider, localInfo gdiscovery.NetworkMember, localMSPID string, clientCert tls.Certificate, options config.Options) *Server {
Copy link
Contributor

@yacovm yacovm Feb 18, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we not test this with a unit test? We have plenty of TLS unit tests scattered around that test mutual TLS. They are much cheaper than to spin up an entire Fabric network.

@andrew-coleman
Gateway support for mutual TLS networks
3330620 
To support client authentication (mTLS), the gateway needs to pass the host peer’s client certificate when making connections to the other nodes in the network.
If client authentication is not enabled, then these certs will be ignored.

Signed-off-by: andrew-coleman <andrew_coleman@uk.ibm.com>
@yacovm yacovm merged commit 59835e6 into hyperledger:main Feb 21, 2022
yacovm
yacovm reviewed Feb 21, 2022
View reviewed changes
internal/peer/node/start.go
@@ -825,6 +825,7 @@ func serve(args []string) error {
serverEndorser,
discoveryService,
peerInstance,
&serverConfig.SecOpts,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one small thing - here you passed the server config, not the client config.
This would mean that you do not honor the tls.clientKey and tls.clientCert.

We probably need to check if the client TLS config is defined, and if so, then use it instead and only otherwise fallback on the server TLS config.

@andrew-coleman andrew-coleman deleted the mutual_tls branch February 22, 2022 11:41
afrancoc2000 pushed a commit to afrancoc2000/fabric that referenced this pull request Feb 22, 2022
@andrew-coleman @afrancoc2000
Gateway support for mutual TLS networks (hyperledger#3235)
f08a0c6 
To support client authentication (mTLS), the gateway needs to pass the host peer’s client certificate when making connections to the other nodes in the network.
If client authentication is not enabled, then these certs will be ignored.

Signed-off-by: andrew-coleman <andrew_coleman@uk.ibm.com>
@denyeart
Copy link
Contributor

@Mergifyio backport release-2.4

@mergify mergify bot mentioned this pull request Feb 22, 2022
Merged
@mergify
Copy link

mergify bot commented Feb 22, 2022

backport release-2.4

✅ Backports have been created

mergify bot pushed a commit that referenced this pull request Feb 22, 2022
@andrew-coleman
Gateway support for mutual TLS networks (#3235)
6afcb7a 
To support client authentication (mTLS), the gateway needs to pass the host peer’s client certificate when making connections to the other nodes in the network.
If client authentication is not enabled, then these certs will be ignored.

Signed-off-by: andrew-coleman <andrew_coleman@uk.ibm.com>
(cherry picked from commit 59835e6)
denyeart pushed a commit that referenced this pull request Feb 23, 2022
@andrew-coleman @denyeart
Gateway support for mutual TLS networks (#3235)
c89ba60 
To support client authentication (mTLS), the gateway needs to pass the host peer’s client certificate when making connections to the other nodes in the network.
If client authentication is not enabled, then these certs will be ignored.

Signed-off-by: andrew-coleman <andrew_coleman@uk.ibm.com>
(cherry picked from commit 59835e6)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yacovm yacovm yacovm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Gateway support for client authentication (mutual TLS)
3 participants
@andrew-coleman @denyeart @yacovm