comm

package
v2.1.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 1, 2020 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// Max send and receive bytes for grpc clients and servers
	MaxRecvMsgSize = 100 * 1024 * 1024
	MaxSendMsgSize = 100 * 1024 * 1024
	// Default peer keepalive options
	DefaultKeepaliveOptions = KeepaliveOptions{
		ClientInterval:    time.Duration(1) * time.Minute,
		ClientTimeout:     time.Duration(20) * time.Second,
		ServerInterval:    time.Duration(2) * time.Hour,
		ServerTimeout:     time.Duration(20) * time.Second,
		ServerMinInterval: time.Duration(1) * time.Minute,
	}
	// strong TLS cipher suites
	DefaultTLSCipherSuites = []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	}
	// default connection timeout
	DefaultConnectionTimeout = 5 * time.Second
)

Configuration defaults

View Source
var (
	ErrClientHandshakeNotImplemented = errors.New("core/comm: client handshakes are not implemented with serverCreds")
	ErrServerHandshakeNotImplemented = errors.New("core/comm: server handshakes are not implemented with clientCreds")
	ErrOverrideHostnameNotSupported  = errors.New("core/comm: OverrideServerName is not supported")
)

Functions

func AddPemToCertPool

func AddPemToCertPool(pemCerts []byte, pool *x509.CertPool) error

AddPemToCertPool adds PEM-encoded certs to a cert pool

func ClientKeepaliveOptions

func ClientKeepaliveOptions(ka KeepaliveOptions) []grpc.DialOption

ClientKeepaliveOptions returns gRPC keepalive options for clients.

func ExtractCertificateFromContext

func ExtractCertificateFromContext(ctx context.Context) *x509.Certificate

ExtractCertificateFromContext returns the TLS certificate (if applicable) from the given context of a gRPC stream

func ExtractCertificateHashFromContext

func ExtractCertificateHashFromContext(ctx context.Context) []byte

ExtractCertificateHashFromContext extracts the hash of the certificate from the given context. If the certificate isn't present, nil is returned

func ExtractRawCertificateFromContext

func ExtractRawCertificateFromContext(ctx context.Context) []byte

ExtractRawCertificateFromContext returns the raw TLS certificate (if applicable) from the given context of a gRPC stream

func GetLocalIP

func GetLocalIP() (string, error)

GetLocalIP returns the non loopback local IP of the host

func NewServerTransportCredentials

func NewServerTransportCredentials(
	serverConfig *TLSConfig,
	logger *flogging.FabricLogger) credentials.TransportCredentials

NewServerTransportCredentials returns a new initialized grpc/credentials.TransportCredentials

func ServerKeepaliveOptions

func ServerKeepaliveOptions(ka KeepaliveOptions) []grpc.ServerOption

ServerKeepaliveOptions returns gRPC keepalive options for server.

Types

type BindingInspector

type BindingInspector func(context.Context, proto.Message) error

BindingInspector receives as parameters a gRPC context and an Envelope, and verifies whether the message contains an appropriate binding to the context

func NewBindingInspector

func NewBindingInspector(mutualTLS bool, extractTLSCertHash CertHashExtractor) BindingInspector

NewBindingInspector returns a BindingInspector according to whether mutualTLS is configured or not, and according to a function that extracts TLS certificate hashes from proto messages

type CertHashExtractor

type CertHashExtractor func(proto.Message) []byte

CertHashExtractor extracts a certificate from a proto.Message message

type ClientConfig

type ClientConfig struct {
	// SecOpts defines the security parameters
	SecOpts SecureOptions
	// KaOpts defines the keepalive parameters
	KaOpts KeepaliveOptions
	// Timeout specifies how long the client will block when attempting to
	// establish a connection
	Timeout time.Duration
	// AsyncConnect makes connection creation non blocking
	AsyncConnect bool
}

ClientConfig defines the parameters for configuring a GRPCClient instance

func (ClientConfig) Clone

func (cc ClientConfig) Clone() ClientConfig

Clone clones this ClientConfig

type CredentialSupport

type CredentialSupport struct {
	// contains filtered or unexported fields
}

CredentialSupport type manages credentials used for gRPC client connections

func NewCredentialSupport

func NewCredentialSupport(rootCAs ...[]byte) *CredentialSupport

NewCredentialSupport creates a CredentialSupport instance.

func (*CredentialSupport) AppRootCAsByChain

func (cs *CredentialSupport) AppRootCAsByChain() map[string][][]byte

func (*CredentialSupport) BuildTrustedRootsForChain

func (cs *CredentialSupport) BuildTrustedRootsForChain(cm channelconfig.Resources)

BuildTrustedRootsForChain populates the appRootCAs and orderRootCAs maps by getting the root and intermediate certs for all msps associated with the MSPManager.

func (*CredentialSupport) GetClientCertificate

func (cs *CredentialSupport) GetClientCertificate() tls.Certificate

GetClientCertificate returns the client certificate of the CredentialSupport

func (*CredentialSupport) GetPeerCredentials

func (cs *CredentialSupport) GetPeerCredentials() credentials.TransportCredentials

GetPeerCredentials returns gRPC transport credentials for use by gRPC clients which communicate with remote peer endpoints.

func (*CredentialSupport) SetClientCertificate

func (cs *CredentialSupport) SetClientCertificate(cert tls.Certificate)

SetClientCertificate sets the tls.Certificate to use for gRPC client connections

type DynamicClientCredentials

type DynamicClientCredentials struct {
	TLSConfig  *tls.Config
	TLSOptions []TLSOption
}

func (*DynamicClientCredentials) ClientHandshake

func (dtc *DynamicClientCredentials) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)

func (*DynamicClientCredentials) Clone

func (*DynamicClientCredentials) Info

func (*DynamicClientCredentials) OverrideServerName

func (dtc *DynamicClientCredentials) OverrideServerName(name string) error

func (*DynamicClientCredentials) ServerHandshake

func (dtc *DynamicClientCredentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)

type GRPCClient

type GRPCClient struct {
	// contains filtered or unexported fields
}

func NewGRPCClient

func NewGRPCClient(config ClientConfig) (*GRPCClient, error)

NewGRPCClient creates a new implementation of GRPCClient given an address and client configuration

func (*GRPCClient) Certificate

func (client *GRPCClient) Certificate() tls.Certificate

Certificate returns the tls.Certificate used to make TLS connections when client certificates are required by the server

func (*GRPCClient) MutualTLSRequired

func (client *GRPCClient) MutualTLSRequired() bool

MutualTLSRequired is a flag indicating whether the client must send a certificate when making TLS connections

func (*GRPCClient) NewConnection

func (client *GRPCClient) NewConnection(address string, tlsOptions ...TLSOption) (*grpc.ClientConn, error)

NewConnection returns a grpc.ClientConn for the target address and overrides the server name used to verify the hostname on the certificate returned by a server when using TLS

func (*GRPCClient) SetMaxRecvMsgSize

func (client *GRPCClient) SetMaxRecvMsgSize(size int)

SetMaxRecvMsgSize sets the maximum message size the client can receive

func (*GRPCClient) SetMaxSendMsgSize

func (client *GRPCClient) SetMaxSendMsgSize(size int)

SetMaxSendMsgSize sets the maximum message size the client can send

func (*GRPCClient) SetServerRootCAs

func (client *GRPCClient) SetServerRootCAs(serverRoots [][]byte) error

SetServerRootCAs sets the list of authorities used to verify server certificates based on a list of PEM-encoded X509 certificate authorities

func (*GRPCClient) TLSEnabled

func (client *GRPCClient) TLSEnabled() bool

TLSEnabled is a flag indicating whether to use TLS for client connections

type GRPCServer

type GRPCServer struct {
	// contains filtered or unexported fields
}

func NewGRPCServer

func NewGRPCServer(address string, serverConfig ServerConfig) (*GRPCServer, error)

NewGRPCServer creates a new implementation of a GRPCServer given a listen address

func NewGRPCServerFromListener

func NewGRPCServerFromListener(listener net.Listener, serverConfig ServerConfig) (*GRPCServer, error)

NewGRPCServerFromListener creates a new implementation of a GRPCServer given an existing net.Listener instance using default keepalive

func (*GRPCServer) Address

func (gServer *GRPCServer) Address() string

Address returns the listen address for this GRPCServer instance

func (*GRPCServer) Listener

func (gServer *GRPCServer) Listener() net.Listener

Listener returns the net.Listener for the GRPCServer instance

func (*GRPCServer) MutualTLSRequired

func (gServer *GRPCServer) MutualTLSRequired() bool

MutualTLSRequired is a flag indicating whether or not client certificates are required for this GRPCServer instance

func (*GRPCServer) Server

func (gServer *GRPCServer) Server() *grpc.Server

Server returns the grpc.Server for the GRPCServer instance

func (*GRPCServer) ServerCertificate

func (gServer *GRPCServer) ServerCertificate() tls.Certificate

ServerCertificate returns the tls.Certificate used by the grpc.Server

func (*GRPCServer) SetClientRootCAs

func (gServer *GRPCServer) SetClientRootCAs(clientRoots [][]byte) error

SetClientRootCAs sets the list of authorities used to verify client certificates based on a list of PEM-encoded X509 certificate authorities

func (*GRPCServer) SetServerCertificate

func (gServer *GRPCServer) SetServerCertificate(cert tls.Certificate)

SetServerCertificate assigns the current TLS certificate to be the peer's server certificate

func (*GRPCServer) Start

func (gServer *GRPCServer) Start() error

Start starts the underlying grpc.Server

func (*GRPCServer) Stop

func (gServer *GRPCServer) Stop()

Stop stops the underlying grpc.Server

func (*GRPCServer) TLSEnabled

func (gServer *GRPCServer) TLSEnabled() bool

TLSEnabled is a flag indicating whether or not TLS is enabled for the GRPCServer instance

type KeepaliveOptions

type KeepaliveOptions struct {
	// ClientInterval is the duration after which if the client does not see
	// any activity from the server it pings the server to see if it is alive
	ClientInterval time.Duration
	// ClientTimeout is the duration the client waits for a response
	// from the server after sending a ping before closing the connection
	ClientTimeout time.Duration
	// ServerInterval is the duration after which if the server does not see
	// any activity from the client it pings the client to see if it is alive
	ServerInterval time.Duration
	// ServerTimeout is the duration the server waits for a response
	// from the client after sending a ping before closing the connection
	ServerTimeout time.Duration
	// ServerMinInterval is the minimum permitted time between client pings.
	// If clients send pings more frequently, the server will disconnect them
	ServerMinInterval time.Duration
}

KeepaliveOptions is used to set the gRPC keepalive settings for both clients and servers

type Metrics

type Metrics struct {
	// OpenConnCounter keeps track of number of open connections
	OpenConnCounter metrics.Counter
	// ClosedConnCounter keeps track of number connections closed
	ClosedConnCounter metrics.Counter
}

type SecureOptions

type SecureOptions struct {
	// VerifyCertificate, if not nil, is called after normal
	// certificate verification by either a TLS client or server.
	// If it returns a non-nil error, the handshake is aborted and that error results.
	VerifyCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
	// PEM-encoded X509 public key to be used for TLS communication
	Certificate []byte
	// PEM-encoded private key to be used for TLS communication
	Key []byte
	// Set of PEM-encoded X509 certificate authorities used by clients to
	// verify server certificates
	ServerRootCAs [][]byte
	// Set of PEM-encoded X509 certificate authorities used by servers to
	// verify client certificates
	ClientRootCAs [][]byte
	// Whether or not to use TLS for communication
	UseTLS bool
	// Whether or not TLS client must present certificates for authentication
	RequireClientCert bool
	// CipherSuites is a list of supported cipher suites for TLS
	CipherSuites []uint16
	// TimeShift makes TLS handshakes time sampling shift to the past by a given duration
	TimeShift time.Duration
}

SecureOptions defines the security parameters (e.g. TLS) for a GRPCServer or GRPCClient instance

type ServerConfig

type ServerConfig struct {
	// ConnectionTimeout specifies the timeout for connection establishment
	// for all new connections
	ConnectionTimeout time.Duration
	// SecOpts defines the security parameters
	SecOpts SecureOptions
	// KaOpts defines the keepalive parameters
	KaOpts KeepaliveOptions
	// StreamInterceptors specifies a list of interceptors to apply to
	// streaming RPCs.  They are executed in order.
	StreamInterceptors []grpc.StreamServerInterceptor
	// UnaryInterceptors specifies a list of interceptors to apply to unary
	// RPCs.  They are executed in order.
	UnaryInterceptors []grpc.UnaryServerInterceptor
	// Logger specifies the logger the server will use
	Logger *flogging.FabricLogger
	// HealthCheckEnabled enables the gRPC Health Checking Protocol for the server
	HealthCheckEnabled bool
	// ServerStatsHandler should be set if metrics on connections are to be reported.
	ServerStatsHandler *ServerStatsHandler
}

ServerConfig defines the parameters for configuring a GRPCServer instance

type ServerStatsHandler

type ServerStatsHandler struct {
	OpenConnCounter   metrics.Counter
	ClosedConnCounter metrics.Counter
}

func NewServerStatsHandler

func NewServerStatsHandler(p metrics.Provider) *ServerStatsHandler

func (*ServerStatsHandler) HandleConn

func (h *ServerStatsHandler) HandleConn(ctx context.Context, s stats.ConnStats)

func (*ServerStatsHandler) HandleRPC

func (h *ServerStatsHandler) HandleRPC(ctx context.Context, s stats.RPCStats)

func (*ServerStatsHandler) TagConn

func (*ServerStatsHandler) TagRPC

type TLSConfig

type TLSConfig struct {
	// contains filtered or unexported fields
}

func NewTLSConfig

func NewTLSConfig(config *tls.Config) *TLSConfig

func (*TLSConfig) AddClientRootCA

func (t *TLSConfig) AddClientRootCA(cert *x509.Certificate)

func (*TLSConfig) Config

func (t *TLSConfig) Config() tls.Config

func (*TLSConfig) SetClientCAs

func (t *TLSConfig) SetClientCAs(certPool *x509.CertPool)

type TLSOption

type TLSOption func(tlsConfig *tls.Config)

func CertPoolOverride

func CertPoolOverride(pool *x509.CertPool) TLSOption

func ServerNameOverride

func ServerNameOverride(name string) TLSOption

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL