View GRPC Server: Enforce Signature Verification #27

integration/fsc/pingpong/README.md

@@ -393,7 +393,7 @@ logging:
  # Format
  format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}'
 fsc:
-  # The FSC id provides a name for this peer instance and is used when
+  # The FSC id provides a name for this node instance and is used when
   # naming docker resources.
   id: fsc.initiator
   # The networkId allows for logical separation of networks and is used when
@@ -422,7 +422,7 @@ fsc:
     enabled:  true
     # Require client certificates / mutual TLS for inbound connections.
     # Note that clients that are not configured to use a certificate will
-    # fail to connect to the peer.
+    # fail to connect to the node.
     clientAuthRequired: false
     # X.509 certificate used for TLS server
     cert:

integration/fsc/pingpong/pingpong_suite_test.go

@@ -24,6 +24,10 @@ func StartPort() int {
 	return integration.PingPongPort.StartPortForNode()
 }
 
-func StartPort2() int {
+func StartPortWithGeneration() int {
 	return integration.PingPong2Port.StartPortForNode()
 }
+
+func StartPortWithAdmin() int {
+	return integration.PingPongWithAdminPort.StartPortForNode()
+}

integration/fsc/pingpong/pingpong_test.go

@@ -65,7 +65,7 @@ var _ = Describe("EndToEnd", func() {
 		It("generate artifacts & successful pingpong", func() {
 			var err error
 			// Create the integration ii
-			ii, err = integration.Generate(StartPort2(), pingpong.Topology()...)
+			ii, err = integration.Generate(StartPortWithGeneration(), pingpong.Topology()...)
 			Expect(err).NotTo(HaveOccurred())
 			// Start the integration ii
 			ii.Start()
@@ -78,6 +78,22 @@ var _ = Describe("EndToEnd", func() {
 			Expect(common.JSONUnmarshalString(res)).To(BeEquivalentTo("OK"))
 		})
 
+		It("generate artifacts & successful pingpong with Admin", func() {
+			var err error
+			// Create the integration ii
+			ii, err = integration.Generate(StartPortWithAdmin(), pingpong.Topology()...)
+			Expect(err).NotTo(HaveOccurred())
+			// Start the integration ii
+			ii.Start()
+			time.Sleep(3 * time.Second)
+			// Get an admin client for the fsc node labelled initiator
+			initiatorAdmin := ii.Admin("initiator")
+			// Initiate a view and check the output
+			res, err := initiatorAdmin.CallView("init", nil)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(common.JSONUnmarshalString(res)).To(BeEquivalentTo("OK"))
+		})
+
 		It("load artifact & successful pingpong", func() {
 			var err error
 			// Create the integration ii

integration/fsc/pingpong/testdata/fsc/fscnodes/fsc.initiator/core.yaml

@@ -1,66 +1,114 @@
 ---
+# Logging section
 logging:
- spec: grpc=error:debug
- format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}'
+  # Spec
+  spec: grpc=error:debug
+  # Format
+  format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}'
 fsc:
+  # The FSC id provides a name for this node instance and is used when
+  # naming docker resources.
   id: fsc.initiator
-  networkId: 2bhw25xuircy7mqvyxwllcnzsq
+  # The networkId allows for logical separation of networks and is used when
+  # naming docker resources.
+  networkId: 5utks6sssfhvzag6vceymm4rjy
+  # This represents the endpoint to other FSC nodes in the same organization.
   address: 127.0.0.1:20000
+  # Whether the FSC node should programmatically determine its address
+  # This case is useful for docker containers.
+  # When set to true, will override FSC address.
   addressAutoDetect: true
+  # GRPC Server listener address   
   listenAddress: 127.0.0.1:20000
+  # Identity of this node, used to connect to other nodes
   identity:
+    # X.509 certificate used as identity of this node
     cert:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/msp/signcerts/initiator.fsc.example.com-cert.pem
+    # Private key matching the X.509 certificate
     key:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/msp/keystore/priv_sk
+  # Admin X.509 certificates    
+  admin:
+    certs:
+    - ./../../crypto/peerOrganizations/fsc.example.com/users/[email protected]/msp/signcerts/[email protected]
+  # TLS Settings
+  # (We use here the same set of properties as Hyperledger Fabric)
   tls:
+    # Require server-side TLS
     enabled:  true
+    # Require client certificates / mutual TLS for inbound connections.
+    # Note that clients that are not configured to use a certificate will
+    # fail to connect to the node.
     clientAuthRequired: false
+    # X.509 certificate used for TLS server
     cert:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/tls/server.crt
+    # Private key used for TLS server
     key:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/tls/server.key
+    # X.509 certificate used for TLS when making client connections.
+    # If not set, fsc.tls.cert.file will be used instead
     clientCert:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/tls/server.crt
+    # Private key used for TLS when making client connections.
+    # If not set, fsc.tls.key.file will be used instead
     clientKey:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/tls/server.key
+    # rootcert.file represents the trusted root certificate chain used for verifying certificates
+    # of other nodes during outbound connections.
     rootcert:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/tls/ca.crt
+    # If mutual TLS is enabled, clientRootCAs.files contains a list of additional root certificates
+    # used for verifying certificates of client connections.
     clientRootCAs:
       files:
-      - ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/tls/ca.crt
+        - ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/tls/ca.crt
     rootCertFile: ./../../crypto/ca-certs.pem
+  # Keepalive settings for node server and clients
   keepalive:
+    # MinInterval is the minimum permitted time between client pings.
+    # If clients send pings more frequently, the peer server will
+    # disconnect them
     minInterval: 60s
+    # Interval is the duration after which if the server does not see
+    # any activity from the client it pings the client to see if it's alive
     interval: 300s
+    # Timeout is the duration the server waits for a response
+    # from the client after sending a ping before closing the connection
     timeout: 600s
+  # P2P configuration
   p2p:
+    # Listening address
     listenAddress: /ip4/127.0.0.1/tcp/20001
-    bootstrapNode: 
+    # If empty, this is a P2P boostrap node. Otherwise, it contains the name of the FCS node that is a bootstrap node
+    bootstrapNode:
+  # The Key-Value Store is used to store various information related to the FSC node
   kvs:
     persistence:
+      # Persistence type can be \'badger\' (on disk) or \'memory\'
       type: badger
       opts:
         path: ./../../fscnodes/fsc.initiator/kvs
+  # The endpoint section tells how to reach other FSC node in the network.
+  # For each node, the name, the domain, the identity of the node, and its addresses must be specified.
   endpoint:
-    resolves: 
-    - name: initiator
-      domain: fsc.example.com
-      identity:
-        id: initiator
-        path: ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/msp/signcerts/initiator.fsc.example.com-cert.pem
-      addresses: 
-         Listen: 127.0.0.1:20000
-         P2P: 127.0.0.1:20001
-         View: 127.0.0.1:20000
-    - name: responder
-      domain: fsc.example.com
-      identity:
-        id: responder
-        path: ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/msp/signcerts/responder.fsc.example.com-cert.pem
-      addresses: 
-         Listen: 127.0.0.1:20002
-         P2P: 127.0.0.1:20003
-         View: 127.0.0.1:20002
-
-
+    resolves:
+      - name: initiator
+        domain: fsc.example.com
+        identity:
+          id: initiator
+          path: ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/msp/signcerts/initiator.fsc.example.com-cert.pem
+        addresses:
+          Listen: 127.0.0.1:20000
+          P2P: 127.0.0.1:20001
+          View: 127.0.0.1:20000
+      - name: responder
+        domain: fsc.example.com
+        identity:
+          id: responder
+          path: ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/msp/signcerts/responder.fsc.example.com-cert.pem
+        addresses:
+          Listen: 127.0.0.1:20002
+          P2P: 127.0.0.1:20003
+          View: 127.0.0.1:20002

integration/fsc/pingpong/testdata/fsc/fscnodes/fsc.responder/core.yaml

@@ -1,66 +1,114 @@
 ---
+# Logging section
 logging:
- spec: grpc=error:debug
- format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}'
+  # Spec
+  spec: grpc=error:debug
+  # Format
+  format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}'
 fsc:
+  # The FSC id provides a name for this node instance and is used when
+  # naming docker resources.
   id: fsc.responder
-  networkId: 2bhw25xuircy7mqvyxwllcnzsq
+  # The networkId allows for logical separation of networks and is used when
+  # naming docker resources.
+  networkId: 5utks6sssfhvzag6vceymm4rjy
+  # This represents the endpoint to other FSC nodes in the same organization.
   address: 127.0.0.1:20002
+  # Whether the FSC node should programmatically determine its address
+  # This case is useful for docker containers.
+  # When set to true, will override FSC address.
   addressAutoDetect: true
+  # GRPC Server listener address   
   listenAddress: 127.0.0.1:20002
+  # Identity of this node, used to connect to other nodes
   identity:
+    # X.509 certificate used as identity of this node
     cert:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/msp/signcerts/responder.fsc.example.com-cert.pem
+    # Private key matching the X.509 certificate
     key:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/msp/keystore/priv_sk
+  # Admin X.509 certificates
+  admin:
+    certs:
+    - ./../../crypto/peerOrganizations/fsc.example.com/users/[email protected]/msp/signcerts/[email protected]
+  # TLS Settings
+  # (We use here the same set of properties as Hyperledger Fabric)
   tls:
+    # Require server-side TLS
     enabled:  true
+    # Require client certificates / mutual TLS for inbound connections.
+    # Note that clients that are not configured to use a certificate will
+    # fail to connect to the node.
     clientAuthRequired: false
+    # X.509 certificate used for TLS server
     cert:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/tls/server.crt
+    # Private key used for TLS server
     key:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/tls/server.key
+    # X.509 certificate used for TLS when making client connections.
+    # If not set, fsc.tls.cert.file will be used instead
     clientCert:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/tls/server.crt
+    # Private key used for TLS when making client connections.
+    # If not set, fsc.tls.key.file will be used instead
     clientKey:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/tls/server.key
+    # rootcert.file represents the trusted root certificate chain used for verifying certificates
+    # of other nodes during outbound connections.
     rootcert:
       file: ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/tls/ca.crt
+    # If mutual TLS is enabled, clientRootCAs.files contains a list of additional root certificates
+    # used for verifying certificates of client connections.
     clientRootCAs:
       files:
-      - ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/tls/ca.crt
+        - ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/tls/ca.crt
     rootCertFile: ./../../crypto/ca-certs.pem
+  # Keepalive settings for node server and clients
   keepalive:
+    # MinInterval is the minimum permitted time between client pings.
+    # If clients send pings more frequently, the peer server will
+    # disconnect them
     minInterval: 60s
+    # Interval is the duration after which if the server does not see
+    # any activity from the client it pings the client to see if it's alive
     interval: 300s
+    # Timeout is the duration the server waits for a response
+    # from the client after sending a ping before closing the connection
     timeout: 600s
+  # P2P configuration
   p2p:
+    # Listening address
     listenAddress: /ip4/127.0.0.1/tcp/20003
+    # If empty, this is a P2P boostrap node. Otherwise, it contains the name of the FCS node that is a bootstrap node
     bootstrapNode: initiator
+  # The Key-Value Store is used to store various information related to the FSC node
   kvs:
     persistence:
+      # Persistence type can be \'badger\' (on disk) or \'memory\'
       type: badger
       opts:
         path: ./../../fscnodes/fsc.responder/kvs
+  # The endpoint section tells how to reach other FSC node in the network.
+  # For each node, the name, the domain, the identity of the node, and its addresses must be specified.
   endpoint:
-    resolves: 
-    - name: initiator
-      domain: fsc.example.com
-      identity:
-        id: initiator
-        path: ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/msp/signcerts/initiator.fsc.example.com-cert.pem
-      addresses: 
-         Listen: 127.0.0.1:20000
-         P2P: 127.0.0.1:20001
-         View: 127.0.0.1:20000
-    - name: responder
-      domain: fsc.example.com
-      identity:
-        id: responder
-        path: ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/msp/signcerts/responder.fsc.example.com-cert.pem
-      addresses: 
-         Listen: 127.0.0.1:20002
-         P2P: 127.0.0.1:20003
-         View: 127.0.0.1:20002
-
-
+    resolves:
+      - name: initiator
+        domain: fsc.example.com
+        identity:
+          id: initiator
+          path: ./../../crypto/peerOrganizations/fsc.example.com/peers/initiator.fsc.example.com/msp/signcerts/initiator.fsc.example.com-cert.pem
+        addresses:
+          Listen: 127.0.0.1:20000
+          P2P: 127.0.0.1:20001
+          View: 127.0.0.1:20000
+      - name: responder
+        domain: fsc.example.com
+        identity:
+          id: responder
+          path: ./../../crypto/peerOrganizations/fsc.example.com/peers/responder.fsc.example.com/msp/signcerts/responder.fsc.example.com-cert.pem
+        addresses:
+          Listen: 127.0.0.1:20002
+          P2P: 127.0.0.1:20003
+          View: 127.0.0.1:20002

integration/integration.go

@@ -172,6 +172,14 @@ func (i *Infrastructure) Client(name string) ViewClient {
 	return i.registry.ViewClients[name]
 }
 
+func (i *Infrastructure) Admin(name string) ViewClient {
+	if i.nwo == nil {
+		panic("call generate or load first")
+	}
+
+	return i.registry.ViewClients[name+".admin"]
+}
+
 func (i *Infrastructure) Identity(name string) view.Identity {
 	if i.nwo == nil {
 		panic("call generate or load first")

integration/nwo/common/registry/registry.go

@@ -53,6 +53,7 @@ type Registry struct {
 	ViewIdentityAliases     map[string][]string
 	ConnectionConfigs       map[string]*grpc.ConnectionConfig
 	ClientSigningIdentities map[string]SigningIdentity
+	AdminSigningIdentities  map[string]SigningIdentity
 }
 
 func NewRegistry(topologies ...nwo.Topology) *Registry {
@@ -67,6 +68,7 @@ func NewRegistry(topologies ...nwo.Topology) *Registry {
 		ViewIdentityAliases:     map[string][]string{},
 		ConnectionConfigs:       map[string]*grpc.ConnectionConfig{},
 		ClientSigningIdentities: map[string]SigningIdentity{},
+		AdminSigningIdentities:  map[string]SigningIdentity{},
 		PortsByPeerID:           map[string]Ports{},
 		ExtensionsByPeerID:      map[string]Extensions{},
 		TopologiesByName:        topologiesByName,