[FABG-703] SSL target override for CA config

- added GRPCOptions["ssl-target-name-override"] in SDK config for ca config target URL override. - added entity matcher 'certificateAuthority.sslTargetOverrideUrlSubstitutionExp' for override. Change-Id: I218faeb5e1eebaecfc11d14910982edc7d5c3ac1 Signed-off-by: Sudesh Shetty <[email protected]>
herbie-workday · Aug 14, 2018 · 9f88b34 · 9f88b34
1 parent 6c18d00
commit 9f88b34
Show file tree

Hide file tree

Showing 18 changed files with 105 additions and 18 deletions.
diff --git a/internal/github.com/hyperledger/fabric-ca/lib/client.go b/internal/github.com/hyperledger/fabric-ca/lib/client.go
@@ -126,7 +126,7 @@ func (c *Client) Init() error {
 
 		c.csp = cfg.CSP
 		// Create http.Client object and associate it with this client
-		err = c.initHTTPClient()
+		err = c.initHTTPClient(cfg.ServerName)
 		if err != nil {
 			return err
 		}
@@ -137,7 +137,7 @@ func (c *Client) Init() error {
 	return nil
 }
 
-func (c *Client) initHTTPClient() error {
+func (c *Client) initHTTPClient(serverName string) error {
 	tr := new(http.Transport)
 	if c.Config.TLS.Enabled {
 		log.Info("TLS Enabled")
@@ -148,6 +148,9 @@ func (c *Client) initHTTPClient() error {
 		}
 		// set the default ciphers
 		tlsConfig.CipherSuites = tls.DefaultCipherSuites
+		//set the host name override
+		tlsConfig.ServerName = serverName
+
 		tr.TLSClientConfig = tlsConfig
 	}
 	c.httpClient = &http.Client{Transport: tr}

diff --git a/internal/github.com/hyperledger/fabric-ca/lib/clientconfig.go b/internal/github.com/hyperledger/fabric-ca/lib/clientconfig.go
@@ -38,4 +38,5 @@ type ClientConfig struct {
 	CAInfo     api.GetCAInfoRequest
 	CAName     string           `help:"Name of CA"`
 	CSP        core.CryptoSuite `mapstructure:"bccsp"`
+	ServerName string           `help:"CA server name to be used in case of host name override"`
 }
diff --git a/pkg/common/providers/msp/provider.go b/pkg/common/providers/msp/provider.go
@@ -65,6 +65,7 @@ type EnrollCredentials struct {
 // CAConfig defines a CA configuration
 type CAConfig struct {
 	URL              string
+	GRPCOptions      map[string]interface{}
 	Registrar        EnrollCredentials
 	CAName           string
 	TLSCAServerCerts [][]byte

diff --git a/pkg/core/config/testdata/config_test.yaml b/pkg/core/config/testdata/config_test.yaml
@@ -297,6 +297,9 @@ peers:
 certificateAuthorities:
   ca.org1.example.com:
     url: https://ca.org1.example.com:7054
+    # [Optional] The optional server name for target override
+    grpcOptions:
+      ssl-target-name-override: ca.org1.example.com
     tlsCACerts:
       # Comma-Separated list of paths
       path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/pkg/core/config/testdata/certs/ca.crt
@@ -316,6 +319,9 @@ certificateAuthorities:
     caName: ca.org1.example.com
   ca.org2.example.com:
     url: https://ca.org2.example.com:8054
+    # [Optional] The optional server name for target override
+    grpcOptions:
+      ssl-target-name-override: ca.org2.example.com
     tlsCACerts:
       # Comma-Separated list of paths
       path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/pkg/core/config/testdata/certs/ca.crt

diff --git a/pkg/core/config/testdata/config_test_embedded_pems.yaml b/pkg/core/config/testdata/config_test_embedded_pems.yaml
@@ -448,6 +448,9 @@ peers:
 certificateAuthorities:
   ca-org1:
     url: https://ca_peerOrg1:7054
+    # [Optional] The optional server name for target override
+    grpcOptions:
+      ssl-target-name-override: ca_peerOrg1
     tlsCACerts:
       pem:
         - |
@@ -511,6 +514,9 @@ certificateAuthorities:
     caName: ca-org1
   ca-org2:
     url: https://ca_peerOrg2:7054
+    # [Optional] The optional server name for target override
+    grpcOptions:
+      ssl-target-name-override: ca_peerOrg2
     tlsCACerts:
       # Comma-Separated list of paths
       path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/pkg/core/config/testdata/certs/ca.crt

diff --git a/pkg/core/config/testdata/config_test_entity_matchers.yaml b/pkg/core/config/testdata/config_test_entity_matchers.yaml
@@ -365,6 +365,9 @@ peers:
 certificateAuthorities:
   local.ca.org1.example.com:
     url: https://ca.org1.example.com:7054
+    # [Optional] The optional server name for target override
+    grpcOptions:
+      ssl-target-name-override: ca.org1.example.com
     tlsCACerts:
       # Comma-Separated list of paths
       path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/pkg/core/config/testdata/certs/ca.crt
@@ -384,6 +387,9 @@ certificateAuthorities:
     caName: ca.org1.example.com
   local.ca.org2.example.com:
     url: https://ca.org2.example.com:8054
+    # [Optional] The optional server name for target override
+    grpcOptions:
+      ssl-target-name-override: ca.org2.example.com
     tlsCACerts:
       # Comma-Separated list of paths
       path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/pkg/core/config/testdata/certs/ca.crt

diff --git a/pkg/core/config/testdata/config_test_pem.yaml b/pkg/core/config/testdata/config_test_pem.yaml
@@ -299,6 +299,9 @@ peers:
 certificateAuthorities:
   ca.org1.example.com:
     url: https://ca_peerOrg1:7054
+    # [Optional] The optional server name for target override
+    grpcOptions:
+      ssl-target-name-override: ca_peerOrg1
     tlsCACerts:
       pem:
         - |
@@ -362,6 +365,9 @@ certificateAuthorities:
     caName: ca.org1.example.com
   ca.org2.example.com:
     url: https://ca_peerOrg2:7054
+    # [Optional] The optional server name for target override
+    grpcOptions:
+      ssl-target-name-override: ca_peerOrg2
     tlsCACerts:
       # Comma-Separated list of paths
       path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/pkg/core/config/testdata/certs/ca.crt

diff --git a/pkg/core/config/testdata/matcher-samples/matchers_sample1.yaml b/pkg/core/config/testdata/matcher-samples/matchers_sample1.yaml
@@ -35,6 +35,7 @@ entityMatchers:
   certificateAuthority:
     - pattern: (\w+).org1.example.(\w+)
       urlSubstitutionExp: https://ca.org1.example.com:8888
+      sslTargetOverrideUrlSubstitutionExp: ca.override.example.com
       mappedHost: ca.org1.example.com
 
   channel:

diff --git a/pkg/core/config/testdata/matcher-samples/matchers_sample3.yaml b/pkg/core/config/testdata/matcher-samples/matchers_sample3.yaml
@@ -46,4 +46,5 @@ entityMatchers:
   certificateAuthority:
     - pattern: (\w+).org1.example.(\w+)
       urlSubstitutionExp: https://$1.org1.example.$2:8888
+      sslTargetOverrideUrlSubstitutionExp: $1.override.example.$2
       mappedHost: $1.org1.example.$2
diff --git a/pkg/core/config/testdata/matcher-samples/matchers_sample6.yaml b/pkg/core/config/testdata/matcher-samples/matchers_sample6.yaml
@@ -301,6 +301,7 @@ entityMatchers:
   certificateAuthority:
     - pattern: (\w+).org1.example.(\w+)
       urlSubstitutionExp: https://ca.org1.example.com:7054
+      sslTargetOverrideUrlSubstitutionExp: ca.override.example.com
       mappedHost: ca.org1.example.com
 
     - pattern: (\w+).org2.example.(\w+)

diff --git a/pkg/core/config/testdata/template/config.yaml b/pkg/core/config/testdata/template/config.yaml
@@ -342,26 +342,29 @@ peers:
 certificateAuthorities:
 #  ca.org1.example.com:
 #    url: https://ca.org1.example.com:7054
+#    [Optional] The optional server name for target override
+#    grpcOptions:
+#      ssl-target-name-override: ca.org1.example.com
 #    tlsCACerts:
 #      dash-pipe ('- |') delimited pem strings of CA cert
 #      pem: 'pem strings of CA cert'
-      # Comma-Separated list of paths
+#       Comma-Separated list of paths
 #      path: path/to/tls/cert/for/ca-org1
-      # Client key and cert for SSL handshake with Fabric CA
+#       Client key and cert for SSL handshake with Fabric CA
 #      client:
 #        key:
 #          path: path/to/client_fabric_client-key.pem
 #          pem: `key pem'
 #        cert:
 #          path: path/to/client_fabric_client-key.pem
 #          pem: `cert pem`
-
-    # Fabric-CA supports dynamic user enrollment via REST APIs. A "root" user, a.k.a registrar, is
-    # needed to enroll and invoke new users.
+#
+#     Fabric-CA supports dynamic user enrollment via REST APIs. A "root" user, a.k.a registrar, is
+#     needed to enroll and invoke new users.
 #    registrar:
 #      enrollId: usually-it-is_admin
 #      enrollSecret: adminpasswd
-    # [Optional] The optional name of the CA.
+#     [Optional] The optional name of the CA.
 #    caName: ca.org1.example.com
 
 # EntityMatchers enable substitution of network hostnames with static configurations
@@ -435,10 +438,12 @@ entityMatchers:
 #  certificateAuthority:
 #    - pattern: (\w+).org1.example.(\w+)
 #      urlSubstitutionExp:
+#      sslTargetOverrideUrlSubstitutionExp:
 #      mappedHost: ca.org1.example.com
 #
 #    - pattern: (\w+).org2.example.(\w+)
 #      urlSubstitutionExp:
+#      sslTargetOverrideUrlSubstitutionExp:
 #      mappedHost: ca.org2.example.com
 
 #    - pattern: (\w+).org.example5.(\w+):(\d+)

diff --git a/pkg/msp/fabcaadapter.go b/pkg/msp/fabcaadapter.go
@@ -391,6 +391,8 @@ func createFabricCAClient(org string, cryptoSuite core.CryptoSuite, config msp.I
 	c.Config.CAName = conf.CAName
 	//set server URL
 	c.Config.URL = endpoint.ToAddress(conf.URL)
+	//set server name
+	c.Config.ServerName, _ = conf.GRPCOptions["ssl-target-name-override"].(string)
 	//certs file list
 	c.Config.TLS.CertFiles, ok = config.CAServerCerts(org)
 	if !ok {

diff --git a/pkg/msp/identityconfig.go b/pkg/msp/identityconfig.go
@@ -84,10 +84,11 @@ type ClientTLSConfig struct {
 
 // CAConfig defines a CA configuration in identity config
 type CAConfig struct {
-	URL        string
-	TLSCACerts endpoint.MutualTLSConfig
-	Registrar  msp.EnrollCredentials
-	CAName     string
+	URL         string
+	GRPCOptions map[string]interface{}
+	TLSCACerts  endpoint.MutualTLSConfig
+	Registrar   msp.EnrollCredentials
+	CAName      string
 }
 
 // MatchConfig contains match pattern and substitution pattern
@@ -96,8 +97,9 @@ type MatchConfig struct {
 	Pattern string
 
 	// these are used for hostname mapping
-	URLSubstitutionExp string
-	MappedHost         string
+	URLSubstitutionExp                  string
+	SSLTargetOverrideURLSubstitutionExp string
+	MappedHost                          string
 
 	// this is used for Name mapping instead of hostname mappings
 	MappedName string
@@ -311,6 +313,7 @@ func (c *IdentityConfig) getMSPCAConfig(caConfig *CAConfig) (*msp.CAConfig, erro
 
 	return &msp.CAConfig{
 		URL:              caConfig.URL,
+		GRPCOptions:      caConfig.GRPCOptions,
 		Registrar:        caConfig.Registrar,
 		CAName:           caConfig.CAName,
 		TLSCAClientCert:  caConfig.TLSCACerts.Client.Cert.Bytes(),
@@ -374,10 +377,10 @@ func (c *IdentityConfig) compileMatchers() error {
 
 func (c *IdentityConfig) tryMatchingCAConfig(configEntity *identityConfigEntity, caName string) (*CAConfig, bool) {
 
-	//loop over certAuthorityEntityMatchers to find the matching Cert
+	//loop over certAuthorityEntityMatchers to find the matching CA Config
 	for _, matcher := range c.caMatchers {
 		if matcher.regex.MatchString(caName) {
-			return c.findMatchingCert(configEntity, caName, matcher)
+			return c.findMatchingCAConfig(configEntity, caName, matcher)
 		}
 	}
 
@@ -387,10 +390,14 @@ func (c *IdentityConfig) tryMatchingCAConfig(configEntity *identityConfigEntity,
 		return nil, false
 	}
 
+	if caConfig.GRPCOptions == nil {
+		caConfig.GRPCOptions = make(map[string]interface{})
+	}
+
 	return &caConfig, true
 }
 
-func (c *IdentityConfig) findMatchingCert(configEntity *identityConfigEntity, caName string, matcher matcherEntry) (*CAConfig, bool) {
+func (c *IdentityConfig) findMatchingCAConfig(configEntity *identityConfigEntity, caName string, matcher matcherEntry) (*CAConfig, bool) {
 
 	if matcher.matchConfig.IgnoreEndpoint {
 		logger.Debugf("Ignoring CA `%s` since entity matcher 'IgnoreEndpoint' flag is on", caName)
@@ -416,5 +423,19 @@ func (c *IdentityConfig) findMatchingCert(configEntity *identityConfigEntity, ca
 		}
 	}
 
+	if caConfig.GRPCOptions == nil {
+		caConfig.GRPCOptions = make(map[string]interface{})
+	}
+
+	//SSLTargetOverrideURLSubstitutionExp if found use from entity matcher otherwise use from mapped host
+	if matcher.matchConfig.SSLTargetOverrideURLSubstitutionExp != "" {
+		hostOverride := matcher.matchConfig.SSLTargetOverrideURLSubstitutionExp
+		//check for regex replace '$'
+		if strings.Contains(hostOverride, "$") {
+			hostOverride = matcher.regex.ReplaceAllString(caName, hostOverride)
+		}
+		caConfig.GRPCOptions["ssl-target-name-override"] = hostOverride
+	}
+
 	return &caConfig, true
 }
diff --git a/pkg/msp/identityconfig_test.go b/pkg/msp/identityconfig_test.go
@@ -347,6 +347,8 @@ func TestCAConfig(t *testing.T) {
 	caConfig, ok := identityConfig.CAConfig(org1)
 	assert.True(t, ok, "Get CA Config failed")
 	assert.NotNil(t, caConfig, "Get CA Config failed")
+	assert.Equal(t, 1, len(caConfig.GRPCOptions))
+	assert.Equal(t, "ca.org1.example.com", caConfig.GRPCOptions["ssl-target-name-override"])
 
 	// Test CA KeyStore Path
 	testCAKeyStorePath(backend[0], t, identityConfig)
@@ -456,6 +458,8 @@ func TestIdentityConfigWithMultipleBackends(t *testing.T) {
 	caConfig, ok := identityConfig.CAConfig("org1")
 	assert.True(t, ok, "identityConfig.CAConfig(org1) should have been successful for multiple backends")
 	assert.Equal(t, caConfig.URL, "https://ca.org1.example.com:7054")
+	assert.Equal(t, 1, len(caConfig.GRPCOptions))
+	assert.Equal(t, "ca.org1.example.com", caConfig.GRPCOptions["ssl-target-name-override"])
 
 }
 

diff --git a/pkg/msp/matchers_test.go b/pkg/msp/matchers_test.go
@@ -21,6 +21,9 @@ const (
 
 	actualCAURL    = "https://ca.org1.example.com:7054"
 	overridedCAURL = "https://ca.org1.example.com:8888"
+
+	actualTargetServerName    = "ca.org1.example.com"
+	overridedTargetServerName = "ca.override.example.com"
 )
 
 //TestCAURLOverride
@@ -48,6 +51,7 @@ func testCAEntityMatcher(t *testing.T, configPath string) {
 	assert.True(t, ok, "supposed to find caconfig")
 	assert.NotNil(t, caConfig)
 	assert.Equal(t, actualCAURL, caConfig.URL)
+	assert.Equal(t, actualTargetServerName, caConfig.GRPCOptions["ssl-target-name-override"])
 
 	//Using entity matcher to override CA URL
 	backends, err = getBackendsFromFiles(configPath, configTestFilePath)
@@ -62,6 +66,7 @@ func testCAEntityMatcher(t *testing.T, configPath string) {
 	assert.True(t, ok, "supposed to find caconfig")
 	assert.NotNil(t, caConfig)
 	assert.Equal(t, overridedCAURL, caConfig.URL)
+	assert.Equal(t, overridedTargetServerName, caConfig.GRPCOptions["ssl-target-name-override"])
 }
 
 //TestCAEntityMatcherIgnoreEndpoint tests CA entity matcher 'IgnoreEndpoint' option

diff --git a/scripts/third_party_pins/fabric-ca/apply_fabric_ca_client_utils.sh b/scripts/third_party_pins/fabric-ca/apply_fabric_ca_client_utils.sh
@@ -122,6 +122,12 @@ do
 done
 sed -i'' -e 's/return c.newIdemixEnrollmentResponse(identity, &result, sk, req.Name)/return nil, errors.New("idemix enroll not supported")/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 sed -i'' -e 's/x509Cred := x509cred.NewCredential(c.certFile, c.keyFile, c)/x509Cred := x509cred.NewCredential(key, certByte, c)/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/func (c \*Client) initHTTPClient() error {/func (c \*Client) initHTTPClient(serverName string) error {/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/err = c.initHTTPClient()/err = c.initHTTPClient(cfg.ServerName)/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e '/tlsConfig.CipherSuites = tls.DefaultCipherSuites/ a\
+//set the host name override \
+tlsConfig.ServerName = serverName\
+' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 
 
 FILTER_FILENAME="lib/identity.go"
@@ -138,7 +144,9 @@ FILTER_FILENAME="lib/clientconfig.go"
 FILTER_FN=
 gofilter
 sed -i'' -e 's/*factory.FactoryOpts/core.CryptoSuite/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
-
+sed -i'' -e '/core.CryptoSuite `mapstructure:"bccsp"`/ a\
+ServerName string           `help:"CA server name to be used in case of host name override"`\
+' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 
 FILTER_FILENAME="lib/util.go"
 FILTER_FN="GetCertID,BytesToX509Cert,addQueryParm"

diff --git a/test/fixtures/config/config_test.yaml b/test/fixtures/config/config_test.yaml
@@ -386,6 +386,9 @@ peers:
 certificateAuthorities:
   ca.org1.example.com:
     url: https://ca.org1.example.com:7054
+    # [Optional] The optional server name for target override
+    grpcOptions:
+      ssl-target-name-override: ca.org1.example.com
     tlsCACerts:
       # Comma-Separated list of paths
       path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/${CRYPTOCONFIG_FIXTURES_PATH}/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem
@@ -405,6 +408,9 @@ certificateAuthorities:
     caName: ca.org1.example.com
   ca.org2.example.com:
     url: https://ca.org2.example.com:8054
+    # [Optional] The optional server name for target override
+    grpcOptions:
+      ssl-target-name-override: ca.org2.example.com
     tlsCACerts:
       # Comma-Separated list of paths
       path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/${CRYPTOCONFIG_FIXTURES_PATH}/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem
@@ -493,8 +499,10 @@ certificateAuthorities:
 #  certificateAuthority:
 #    - pattern: (\w+).org1.example.(\w+)
 #      urlSubstitutionExp:
+#      sslTargetOverrideUrlSubstitutionExp: ca.example.com
 #      mappedHost: ca.org1.example.com
 #
 #    - pattern: (\w+).org2.example.(\w+)
 #      urlSubstitutionExp:
+#      sslTargetOverrideUrlSubstitutionExp: ca.example.com
 #      mappedHost: ca.org2.example.com
diff --git a/test/fixtures/config/overrides/local_entity_matchers.yaml b/test/fixtures/config/overrides/local_entity_matchers.yaml
@@ -89,8 +89,10 @@ entityMatchers:
   certificateAuthority:
     - pattern: (\w+).org1.example.(\w+)
       urlSubstitutionExp: https://localhost:7054
+      sslTargetOverrideUrlSubstitutionExp: ca.org1.example.com
       mappedHost: ca.org1.example.com
 
     - pattern: (\w+).org2.example.(\w+)
       urlSubstitutionExp: https://localhost:8054
+      sslTargetOverrideUrlSubstitutionExp: ca.org2.example.com
       mappedHost: ca.org2.example.com