comm

package
v0.0.0-...-d1c7554 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 4, 2019 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// Max send and receive bytes for grpc clients and servers
	MaxRecvMsgSize = 100 * 1024 * 1024
	MaxSendMsgSize = 100 * 1024 * 1024
	// Default peer keepalive options
	DefaultKeepaliveOptions = &KeepaliveOptions{
		ClientInterval:    time.Duration(1) * time.Minute,
		ClientTimeout:     time.Duration(20) * time.Second,
		ServerInterval:    time.Duration(2) * time.Hour,
		ServerTimeout:     time.Duration(20) * time.Second,
		ServerMinInterval: time.Duration(1) * time.Minute,
	}
	// strong TLS cipher suites
	DefaultTLSCipherSuites = []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	}
	// default connection timeout
	DefaultConnectionTimeout = 5 * time.Second
)

Configuration defaults

View Source
var (
	ClientHandshakeNotImplError = errors.New("core/comm: Client handshakes" +
		"are not implemented with serverCreds")
	OverrrideHostnameNotSupportedError = errors.New(
		"core/comm: OverrideServerName is " +
			"not supported")
	MissingServerConfigError = errors.New(
		"core/comm: `serverConfig` cannot be nil")
)
View Source
var EndpointDisableInterval = time.Second * 10

Functions

func AddPemToCertPool

func AddPemToCertPool(pemCerts []byte, pool *x509.CertPool) error

AddPemToCertPool adds PEM-encoded certs to a cert pool

func ClientKeepaliveOptions

func ClientKeepaliveOptions(ka *KeepaliveOptions) []grpc.DialOption

ClientKeepaliveOptions returns gRPC keepalive options for clients. If opts is nil, the default keepalive options are returned

func ExtractCertificateHashFromContext

func ExtractCertificateHashFromContext(ctx context.Context) []byte

ExtractCertificateHashFromContext extracts the hash of the certificate from the given context

func InitTLSForShim

func InitTLSForShim(key, certStr string) credentials.TransportCredentials

func NewClientConnectionWithAddress

func NewClientConnectionWithAddress(peerAddress string, block bool, tslEnabled bool,
	creds credentials.TransportCredentials, ka *KeepaliveOptions) (*grpc.ClientConn, error)

NewClientConnectionWithAddress Returns a new grpc.ClientConn to the given address

func NewServerTransportCredentials

func NewServerTransportCredentials(serverConfig *tls.Config) credentials.TransportCredentials

NewServerTransportCredentials returns a new initialized grpc/credentials.TransportCredentials

func ServerKeepaliveOptions

func ServerKeepaliveOptions(ka *KeepaliveOptions) []grpc.ServerOption

ServerKeepaliveOptions returns gRPC keepalive options for server. If opts is nil, the default keepalive options are returned

Types

type BindingInspector

type BindingInspector func(context.Context, proto.Message) error

BindingInspector receives as parameters a gRPC context and an Envelope, and verifies whether the message contains an appropriate binding to the context

func NewBindingInspector

func NewBindingInspector(mutualTLS bool, extractTLSCertHash CertHashExtractor) BindingInspector

NewBindingInspector returns a BindingInspector according to whether mutualTLS is configured or not, and according to a function that extracts TLS certificate hashes from proto messages

type CASupport

type CASupport struct {
	sync.RWMutex
	AppRootCAsByChain     map[string][][]byte
	OrdererRootCAsByChain map[string][][]byte
	ClientRootCAs         [][]byte
	ServerRootCAs         [][]byte
}

CASupport type manages certificate authorities scoped by channel

func (*CASupport) GetClientRootCAs

func (cas *CASupport) GetClientRootCAs() (appRootCAs, ordererRootCAs [][]byte)

GetClientRootCAs returns the PEM-encoded root certificates for all of the application and orderer organizations defined for all chains. The root certificates returned should be used to set the trusted client roots for TLS servers.

func (*CASupport) GetServerRootCAs

func (cas *CASupport) GetServerRootCAs() (appRootCAs, ordererRootCAs [][]byte)

GetServerRootCAs returns the PEM-encoded root certificates for all of the application and orderer organizations defined for all chains. The root certificates returned should be used to set the trusted server roots for TLS clients.

type CertHashExtractor

type CertHashExtractor func(proto.Message) []byte

CertHashExtractor extracts a certificate from a proto.Message message

type ClientConfig

type ClientConfig struct {
	// SecOpts defines the security parameters
	SecOpts *SecureOptions
	// KaOpts defines the keepalive parameters
	KaOpts *KeepaliveOptions
	// Timeout specifies how long the client will block when attempting to
	// establish a connection
	Timeout time.Duration
}

ClientConfig defines the parameters for configuring a GRPCClient instance

type ConnectionFactory

type ConnectionFactory func(endpoint string) (*grpc.ClientConn, error)

ConnectionFactory creates a connection to a certain endpoint

type ConnectionProducer

type ConnectionProducer interface {
	// NewConnection creates a new connection.
	// Returns the connection, the endpoint selected, nil on success.
	// Returns nil, "", error on failure
	NewConnection() (*grpc.ClientConn, string, error)
	// UpdateEndpoints updates the endpoints of the ConnectionProducer
	// to be the given endpoints
	UpdateEndpoints(endpoints []string)
	// DisableEndpoint remove endpoint from endpoint for some time
	DisableEndpoint(endpoint string)
	// GetEndpoints return ordering service endpoints
	GetEndpoints() []string
}

ConnectionProducer produces connections out of a set of predefined endpoints

func NewConnectionProducer

func NewConnectionProducer(factory ConnectionFactory, endpoints []string) ConnectionProducer

NewConnectionProducer creates a new ConnectionProducer with given endpoints and connection factory. It returns nil, if the given endpoints slice is empty.

type CredentialSupport

type CredentialSupport struct {
	*CASupport
	// contains filtered or unexported fields
}

CredentialSupport type manages credentials used for gRPC client connections

func GetCredentialSupport

func GetCredentialSupport() *CredentialSupport

GetCredentialSupport returns the singleton CredentialSupport instance

func (*CredentialSupport) GetClientCertificate

func (cs *CredentialSupport) GetClientCertificate() tls.Certificate

GetClientCertificate returns the client certificate of the CredentialSupport

func (*CredentialSupport) GetDeliverServiceCredentials

func (cs *CredentialSupport) GetDeliverServiceCredentials(channelID string) (credentials.TransportCredentials, error)

GetDeliverServiceCredentials returns GRPC transport credentials for given channel to be used by GRPC clients which communicate with ordering service endpoints. If the channel isn't found, error is returned.

func (*CredentialSupport) GetPeerCredentials

func (cs *CredentialSupport) GetPeerCredentials() credentials.TransportCredentials

GetPeerCredentials returns GRPC transport credentials for use by GRPC clients which communicate with remote peer endpoints.

func (*CredentialSupport) SetClientCertificate

func (cs *CredentialSupport) SetClientCertificate(cert tls.Certificate)

SetClientCertificate sets the tls.Certificate to use for gRPC client connections

type GRPCClient

type GRPCClient struct {
	// contains filtered or unexported fields
}

func NewGRPCClient

func NewGRPCClient(config ClientConfig) (*GRPCClient, error)

NewGRPCClient creates a new implementation of GRPCClient given an address and client configuration

func (*GRPCClient) Certificate

func (client *GRPCClient) Certificate() tls.Certificate

Certificate returns the tls.Certificate used to make TLS connections when client certificates are required by the server

func (*GRPCClient) MutualTLSRequired

func (client *GRPCClient) MutualTLSRequired() bool

MutualTLSRequired is a flag indicating whether the client must send a certificate when making TLS connections

func (*GRPCClient) NewConnection

func (client *GRPCClient) NewConnection(address string, serverNameOverride string) (
	*grpc.ClientConn, error)

NewConnection returns a grpc.ClientConn for the target address and overrides the server name used to verify the hostname on the certificate returned by a server when using TLS

func (*GRPCClient) SetMaxRecvMsgSize

func (client *GRPCClient) SetMaxRecvMsgSize(size int)

SetMaxRecvMsgSize sets the maximum message size the client can receive

func (*GRPCClient) SetMaxSendMsgSize

func (client *GRPCClient) SetMaxSendMsgSize(size int)

SetMaxSendMsgSize sets the maximum message size the client can send

func (*GRPCClient) SetServerRootCAs

func (client *GRPCClient) SetServerRootCAs(serverRoots [][]byte) error

SetServerRootCAs sets the list of authorities used to verify server certificates based on a list of PEM-encoded X509 certificate authorities

func (*GRPCClient) TLSEnabled

func (client *GRPCClient) TLSEnabled() bool

TLSEnabled is a flag indicating whether to use TLS for client connections

type GRPCServer

type GRPCServer struct {
	// contains filtered or unexported fields
}

func NewGRPCServer

func NewGRPCServer(address string, serverConfig ServerConfig) (*GRPCServer, error)

NewGRPCServer creates a new implementation of a GRPCServer given a listen address

func NewGRPCServerFromListener

func NewGRPCServerFromListener(listener net.Listener, serverConfig ServerConfig) (*GRPCServer, error)

NewGRPCServerFromListener creates a new implementation of a GRPCServer given an existing net.Listener instance using default keepalive

func (*GRPCServer) Address

func (gServer *GRPCServer) Address() string

Address returns the listen address for this GRPCServer instance

func (*GRPCServer) AppendClientRootCAs

func (gServer *GRPCServer) AppendClientRootCAs(clientRoots [][]byte) error

AppendClientRootCAs appends PEM-encoded X509 certificate authorities to the list of authorities used to verify client certificates

func (*GRPCServer) Listener

func (gServer *GRPCServer) Listener() net.Listener

Listener returns the net.Listener for the GRPCServer instance

func (*GRPCServer) MutualTLSRequired

func (gServer *GRPCServer) MutualTLSRequired() bool

MutualTLSRequired is a flag indicating whether or not client certificates are required for this GRPCServer instance

func (*GRPCServer) RemoveClientRootCAs

func (gServer *GRPCServer) RemoveClientRootCAs(clientRoots [][]byte) error

RemoveClientRootCAs removes PEM-encoded X509 certificate authorities from the list of authorities used to verify client certificates

func (*GRPCServer) Server

func (gServer *GRPCServer) Server() *grpc.Server

Server returns the grpc.Server for the GRPCServer instance

func (*GRPCServer) ServerCertificate

func (gServer *GRPCServer) ServerCertificate() tls.Certificate

ServerCertificate returns the tls.Certificate used by the grpc.Server

func (*GRPCServer) SetClientRootCAs

func (gServer *GRPCServer) SetClientRootCAs(clientRoots [][]byte) error

SetClientRootCAs sets the list of authorities used to verify client certificates based on a list of PEM-encoded X509 certificate authorities

func (*GRPCServer) SetServerCertificate

func (gServer *GRPCServer) SetServerCertificate(cert tls.Certificate)

SetServerCertificate assigns the current TLS certificate to be the peer's server certificate

func (*GRPCServer) Start

func (gServer *GRPCServer) Start() error

Start starts the underlying grpc.Server

func (*GRPCServer) Stop

func (gServer *GRPCServer) Stop()

Stop stops the underlying grpc.Server

func (*GRPCServer) TLSEnabled

func (gServer *GRPCServer) TLSEnabled() bool

TLSEnabled is a flag indicating whether or not TLS is enabled for the GRPCServer instance

type KeepaliveOptions

type KeepaliveOptions struct {
	// ClientInterval is the duration after which if the client does not see
	// any activity from the server it pings the server to see if it is alive
	ClientInterval time.Duration
	// ClientTimeout is the duration the client waits for a response
	// from the server after sending a ping before closing the connection
	ClientTimeout time.Duration
	// ServerInterval is the duration after which if the server does not see
	// any activity from the client it pings the client to see if it is alive
	ServerInterval time.Duration
	// ServerTimeout is the duration the server waits for a response
	// from the client after sending a ping before closing the connection
	ServerTimeout time.Duration
	// ServerMinInterval is the minimum permitted time between client pings.
	// If clients send pings more frequently, the server will disconnect them
	ServerMinInterval time.Duration
}

KeepaliveOptions is used to set the gRPC keepalive settings for both clients and servers

type SecureOptions

type SecureOptions struct {
	// PEM-encoded X509 public key to be used for TLS communication
	Certificate []byte
	// PEM-encoded private key to be used for TLS communication
	Key []byte
	// Set of PEM-encoded X509 certificate authorities used by clients to
	// verify server certificates
	ServerRootCAs [][]byte
	// Set of PEM-encoded X509 certificate authorities used by servers to
	// verify client certificates
	ClientRootCAs [][]byte
	// Whether or not to use TLS for communication
	UseTLS bool
	// Whether or not TLS client must present certificates for authentication
	RequireClientCert bool
	// CipherSuites is a list of supported cipher suites for TLS
	CipherSuites []uint16
}

SecureOptions defines the security parameters (e.g. TLS) for a GRPCServer or GRPCClient instance

type ServerConfig

type ServerConfig struct {
	// ConnectionTimeout specifies the timeout for connection establishment
	// for all new connections
	ConnectionTimeout time.Duration
	// SecOpts defines the security parameters
	SecOpts *SecureOptions
	// KaOpts defines the keepalive parameters
	KaOpts *KeepaliveOptions
}

ServerConfig defines the parameters for configuring a GRPCServer instance

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL