support ssl-hostname-overwrite

Signed-off-by: DavidLiu <[email protected]>
Hyperledger-TWGC · Mar 26, 2022 · feea25c · feea25c
1 parent 185ae15
commit feea25c
Show file tree

Hide file tree

Showing 11 changed files with 50 additions and 40 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,13 +1,14 @@
-node_modules
+.github
 .idea
+.vscode
+.gitignore
 .dockerignore
 .git
 .DS_Store
 
 fabric-samples
-.vscode
-.gitignore
+vendor
 
+test
 config.yaml
 organizations
-mocktmp
diff --git a/.gitignore b/.gitignore
@@ -16,4 +16,6 @@
 *.idea/
 *.vscode/
 
-e2e/Tape.log
+e2e/Tape.log
+# local dependency
+vendor
diff --git a/Dockerfile b/Dockerfile
@@ -8,6 +8,7 @@ ENV GOPROXY=https://goproxy.cn,direct
 ENV export GOSUMDB=off
 
 COPY . .
+RUN go mod vendor
 
 RUN go build -v ./cmd/tape
 

diff --git a/Makefile b/Makefile
@@ -72,3 +72,7 @@ basic-checks: gotools-install linter
 linter:
 	@echo "LINT: Running code checks......"
 	./scripts/golinter.sh
+
+clean:
+	cd fabric-samples/first-network; echo y | ./byfn.sh down
+	rm -rf fabric-samples
diff --git a/cmd/tape/main.go b/cmd/tape/main.go
@@ -82,7 +82,6 @@ func main() {
 
 	if err != nil {
 		logger.Error(err)
-		fmt.Fprint(os.Stderr, err)
 		os.Exit(1)
 	}
 	os.Exit(0)

diff --git a/docs/configfile.md b/docs/configfile.md
@@ -12,16 +12,19 @@ This is a sample:
 # Definition of nodes
 peer1: &peer1
   addr: localhost:7051
+  ssl_target_name_override: peer0.org1.example.com
   org: org1
   tls_ca_cert: /config/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
 
 peer2: &peer2
   addr: localhost:9051
+  ssl_target_name_override: peer0.org2.example.com
   org: org2
   tls_ca_cert: /config/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/tlscacerts/tlsca.org2.example.com-cert.pem
 
 orderer1: &orderer1
   addr: localhost:7050
+  ssl_target_name_override: orderer.example.com
   org: org1
   tls_ca_cert: /config/crypto-config/ordererOrganizations/example.com/msp/tlscacerts/tlsca.example.com-cert.pem
 
@@ -68,26 +71,21 @@ Let's deep dive the config.
 ```yaml
 # Definition of nodes
 peer1: &peer1
-  addr: localhost:7051
-  org: org1
-  tls_ca_cert: /config/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
+  ...
 
 peer2: &peer2
-  addr: localhost:9051
-  org: org2
-  tls_ca_cert: /config/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/tlscacerts/tlsca.org2.example.com-cert.pem
+  ...
 
 orderer1: &orderer1
-  addr: localhost:7050
-  org: org1
-  tls_ca_cert: /config/crypto-config/ordererOrganizations/example.com/msp/tlscacerts/tlsca.example.com-cert.pem
+  ...
 ```
 
-Here defines for nodes, including peer and orderer. we need address in socket format, org names for endorsement policy useage, and (m)TLS certs if any.
+Here defines for nodes, including peer and orderer. we need address, org name (for endorsement policy usage), and (m)TLS certs if any.
 
-定义了不同的节点，包括 Peer 节点和排序节点，配置中需要确认节点地址以及 TLS CA 证书（如果启用 TLS，则必须配置 TLS CA 证书）。其中节点地址格式为`地址:端口`。此处`地址`推荐使用域名，因此您可能还需要在 hosts 文件中增加节点域名和 IP 的映射关系。另外org表明了peer所属的组织信息以用来供给背书策略使用。
+定义了不同的节点，包括 Peer 节点和排序节点，配置中需要确认节点地址以及 TLS CA 证书（如果启用 TLS，则必须配置 TLS CA 证书）。
+其中节点地址格式为`地址:端口`。此处`地址`推荐使用域名，否则需要在`ssl_target_name_override`中指定域名。另外org表明了peer所属的组织信息以用来供给背书策略使用。
 
-如果启用了双向 TLS，即你的 Fabric 网络中的 Peer 节点在 core.yaml 配置了 "peer->tls->clientAuthRequired" 为 "true"，则表明，不但服务端（Peer 节点）向客户端（Tape）发送的信息是经过加密的，客户端（Tape）向服务端（Peer 节点）发送的信息也应该是加密的，因此我们就需要在配置文件中增加 TLS 通信中需要使用的密钥，双向 TLS 配置示例如下：
+如果启用了双向 TLS，即你的 Fabric 网络中的 Peer 节点在 core.yaml 配置了 "peer->tls->clientAuthRequired" 为 "true"，我们就需要在配置文件中增加 TLS 通信中需要使用的密钥，双向 TLS 配置示例如下：
 
 ```yaml
 peer1: &peer1

diff --git a/pkg/infra/basic/client.go b/pkg/infra/basic/client.go
@@ -81,7 +81,10 @@ func DialConnection(node Node, logger *log.Logger) (*grpc.ClientConn, error) {
 	var connError error
 	var conn *grpc.ClientConn
 	for i := 1; i <= 3; i++ {
-		conn, connError = gRPCClient.NewConnection(node.Addr, func(tlsConfig *tls.Config) { tlsConfig.InsecureSkipVerify = true })
+		conn, connError = gRPCClient.NewConnection(node.Addr, func(tlsConfig *tls.Config) {
+			tlsConfig.InsecureSkipVerify = true
+			tlsConfig.ServerName = node.SslTargetNameOverride
+		})
 		if connError == nil {
 			return conn, nil
 		} else {
@@ -97,7 +100,10 @@ func CreateDeliverClient(node Node) (orderer.AtomicBroadcast_DeliverClient, erro
 		return nil, err
 	}
 
-	conn, err := gRPCClient.NewConnection(node.Addr, func(tlsConfig *tls.Config) { tlsConfig.InsecureSkipVerify = true })
+	conn, err := gRPCClient.NewConnection(node.Addr, func(tlsConfig *tls.Config) {
+		tlsConfig.InsecureSkipVerify = true
+		tlsConfig.ServerName = node.SslTargetNameOverride
+	})
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/infra/basic/config.go b/pkg/infra/basic/config.go
@@ -61,14 +61,15 @@ type Config struct {
 }
 
 type Node struct {
-	Addr          string `yaml:"addr"`
-	TLSCACert     string `yaml:"tls_ca_cert"`
-	Org           string `yaml:"org"`
-	TLSCAKey      string `yaml:"tls_ca_key"`
-	TLSCARoot     string `yaml:"tls_ca_root"`
-	TLSCACertByte []byte
-	TLSCAKeyByte  []byte
-	TLSCARootByte []byte
+	Addr                  string `yaml:"addr"`
+	SslTargetNameOverride string `yaml:"ssl_target_name_override"`
+	TLSCACert             string `yaml:"tls_ca_cert"`
+	Org                   string `yaml:"org"`
+	TLSCAKey              string `yaml:"tls_ca_key"`
+	TLSCARoot             string `yaml:"tls_ca_root"`
+	TLSCACertByte         []byte
+	TLSCAKeyByte          []byte
+	TLSCARootByte         []byte
 }
 
 func LoadConfig(f string) (Config, error) {
@@ -94,18 +95,18 @@ func LoadConfig(f string) (Config, error) {
 	config.Rule = string(in)
 
 	for i := range config.Endorsers {
-		err = config.Endorsers[i].loadConfig()
+		err = config.Endorsers[i].LoadConfig()
 		if err != nil {
 			return config, err
 		}
 	}
 	for i := range config.Committers {
-		err = config.Committers[i].loadConfig()
+		err = config.Committers[i].LoadConfig()
 		if err != nil {
 			return config, err
 		}
 	}
-	err = config.Orderer.loadConfig()
+	err = config.Orderer.LoadConfig()
 	if err != nil {
 		return config, err
 	}
@@ -164,7 +165,7 @@ func GetTLSCACerts(file string) ([]byte, error) {
 	return in, nil
 }
 
-func (n *Node) loadConfig() error {
+func (n *Node) LoadConfig() error {
 	TLSCACert, err := GetTLSCACerts(n.TLSCACert)
 	if err != nil {
 		return errors.Wrapf(err, "fail to load TLS CA Cert %s", n.TLSCACert)

diff --git a/pkg/infra/basic/config_test.go b/pkg/infra/basic/config_test.go
@@ -18,7 +18,8 @@ type files struct {
 func generateConfigFile(FileName string, values interface{}) {
 	var Text = `# Definition of nodes
 org1peer0: &org1peer0
-  addr: peer0.org1.example.com:7051
+  addr: localhost:7051
+  ssl_target_name_override: peer0.org1.example.com
   tls_ca_cert: {{.TlsFile}}
   org: org1
 org2peer0: &org2peer0
@@ -97,7 +98,7 @@ var _ = Describe("Config", func() {
 			Expect(err).NotTo(HaveOccurred())
 			Expect(c).To(Equal(basic.Config{
 				Endorsers: []basic.Node{
-					{Addr: "peer0.org1.example.com:7051", TLSCACert: tlsFile.Name(), TLSCACertByte: []byte("a"), Org: "org1"},
+					{Addr: "localhost:7051", SslTargetNameOverride: "peer0.org1.example.com", TLSCACert: tlsFile.Name(), TLSCACertByte: []byte("a"), Org: "org1"},
 					{Addr: "peer0.org2.example.com:7051", TLSCACert: tlsFile.Name(), TLSCACertByte: []byte("a"), Org: "org2"},
 				},
 				Committers:      []basic.Node{{Addr: "peer0.org2.example.com:7051", TLSCACert: tlsFile.Name(), TLSCACertByte: []byte("a"), Org: "org2"}},

diff --git a/test/bootstraps/bootstrap-v2.2.sh → test/bootstrap-v2.2.sh b/test/bootstraps/bootstrap-v2.2.sh → test/bootstrap-v2.2.sh
diff --git a/test/integration-test.sh b/test/integration-test.sh
@@ -13,15 +13,12 @@ case $1 in
     # sadly, bootstrap.sh from release-1.4 still pulls binaries from Nexus, which is not available anymore
     # Why comment following code? Please check this issue: https://github.com/Hyperledger-TWGC/tape/issues/159
     # curl -vsS https://raw.githubusercontent.com/hyperledger/fabric/release-2.2/scripts/bootstrap.sh | bash
-    ./test/bootstraps/bootstrap-v2.2.sh
+    ./test/bootstrap-v2.2.sh 1.4.12 1.5.2
     cd ./fabric-samples/
     git checkout release-1.4
     cd ./first-network
-    # 1.4.10
-    echo y | ./byfn.sh up -i 1.4.10
-    # comments here for 1.4.8 work around as docker image issue.
-    # docker pull hyperledger/fabric-orderer:amd64-1.4  
-    # Error response from daemon: manifest for hyperledger/fabric-orderer:amd64-1.4 not found: manifest unknown: manifest unknown
+
+    echo y | ./byfn.sh up -i 1.4.12
     cp -r crypto-config "$DIR"
 
     CONFIG_FILE=/config/test/config14org1andorg2.yaml