[FAB-8674] Middleware style authen for cc support

Refactor chaincode support to return the server implementation from its
constructor and to wrap it with authentication middleware when TLS is
enabled.

Change-Id: Id1ab31189d2f0666d7b14924ea8caf0e831897ef
Signed-off-by: Matthew Sykes <sykesmat@us.ibm.com>

Author: sykesm

core/chaincode/accesscontrol/access.go

@@ -18,23 +18,6 @@ import (
 
 var logger = flogging.MustGetLogger("accessControl")
 
-// Authenticator wraps a chaincode service and authenticates
-// chaincode shims (containers)
-type Authenticator interface {
-	// DisableAccessCheck disables the access control
-	// enforcement of the Authenticator
-	DisableAccessCheck()
-
-	// Generate returns a pair of certificate and private key,
-	// and associates the hash of the certificate with the given
-	// chaincode name
-	Generate(ccName string) (*CertAndPrivKeyPair, error)
-
-	// ChaincodeSupportServer - The Authenticator is registered
-	// as a chaincode service
-	pb.ChaincodeSupportServer
-}
-
 // CertAndPrivKeyPair contains a certificate
 // and its corresponding private key in base64 format
 type CertAndPrivKeyPair struct {
@@ -44,31 +27,25 @@ type CertAndPrivKeyPair struct {
 	Key string
 }
 
-type authenticator struct {
-	bypass bool
+type Authenticator struct {
 	mapper *certMapper
-	pb.ChaincodeSupportServer
 }
 
-// NewAuthenticator returns a new authenticator that would wrap the given chaincode service
-func NewAuthenticator(srv pb.ChaincodeSupportServer, ca CA) Authenticator {
-	auth := &authenticator{
-		mapper: newCertMapper(ca.newClientCertKeyPair),
-	}
-	auth.ChaincodeSupportServer = newInterceptor(srv, auth.authenticate)
-	return auth
+func (auth *Authenticator) Wrap(srv pb.ChaincodeSupportServer) pb.ChaincodeSupportServer {
+	return newInterceptor(srv, auth.authenticate)
 }
 
-// DisableAccessCheck disables the access control
-// enforcement of the Authenticator
-func (ac *authenticator) DisableAccessCheck() {
-	ac.bypass = true
+// NewAuthenticator returns a new authenticator that can wrap a chaincode service
+func NewAuthenticator(ca CA) *Authenticator {
+	return &Authenticator{
+		mapper: newCertMapper(ca.newClientCertKeyPair),
+	}
 }
 
 // Generate returns a pair of certificate and private key,
 // and associates the hash of the certificate with the given
 // chaincode name
-func (ac *authenticator) Generate(ccName string) (*CertAndPrivKeyPair, error) {
+func (ac *Authenticator) Generate(ccName string) (*CertAndPrivKeyPair, error) {
 	cert, err := ac.mapper.genCert(ccName)
 	if err != nil {
 		return nil, err
@@ -79,11 +56,7 @@ func (ac *authenticator) Generate(ccName string) (*CertAndPrivKeyPair, error) {
 	}, nil
 }
 
-func (ac *authenticator) authenticate(msg *pb.ChaincodeMessage, stream grpc.ServerStream) error {
-	if ac.bypass {
-		return nil
-	}
-
+func (ac *Authenticator) authenticate(msg *pb.ChaincodeMessage, stream grpc.ServerStream) error {
 	if msg.Type != pb.ChaincodeMessage_REGISTER {
 		logger.Warning("Got message", msg, "but expected a ChaincodeMessage_REGISTER message")
 		return errors.New("First message needs to be a register")

core/chaincode/accesscontrol/access_test.go

@@ -164,8 +164,8 @@ func TestAccessControl(t *testing.T) {
 
 	ca, _ := NewCA()
 	srv := newCCServer(t, 7052, "example02", true, ca)
-	auth := NewAuthenticator(srv, ca)
-	pb.RegisterChaincodeSupportServer(srv.grpcSrv, auth)
+	auth := NewAuthenticator(ca)
+	pb.RegisterChaincodeSupportServer(srv.grpcSrv, auth.Wrap(srv))
 	go srv.grpcSrv.Serve(srv.l)
 	defer srv.stop()
 
@@ -290,52 +290,6 @@ func TestAccessControl(t *testing.T) {
 	logAsserter.assertLastLogContains(t, "with given certificate hash", "not found in registry")
 }
 
-func TestAccessControlNoTLS(t *testing.T) {
-	chaincodeID := &pb.ChaincodeID{Name: "example02"}
-	payload, err := proto.Marshal(chaincodeID)
-	registerMsg := &pb.ChaincodeMessage{
-		Type:    pb.ChaincodeMessage_REGISTER,
-		Payload: payload,
-	}
-	putStateMsg := &pb.ChaincodeMessage{
-		Type: pb.ChaincodeMessage_PUT_STATE,
-	}
-
-	ca, _ := NewCA()
-	s := newCCServer(t, 8052, "example02", false, ca)
-	auth := NewAuthenticator(s, ca)
-	pb.RegisterChaincodeSupportServer(s.grpcSrv, auth)
-	go s.grpcSrv.Serve(s.l)
-	defer s.stop()
-	ctx := context.Background()
-	ctx, _ = context.WithTimeout(ctx, time.Second)
-	conn, err := grpc.DialContext(ctx, fmt.Sprintf("localhost:%d", 8052), grpc.WithInsecure(), grpc.WithBlock())
-	assert.NoError(t, err)
-	chaincodeSupportClient := pb.NewChaincodeSupportClient(conn)
-	stream, err := chaincodeSupportClient.Register(context.Background())
-	stream.Send(registerMsg)
-	stream.Send(putStateMsg)
-	// Should fail because we haven't disabled security yet
-	echoMsg, err := stream.Recv()
-	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "TLS is active but chaincode")
-	assert.Nil(t, echoMsg)
-	conn.Close()
-
-	auth.DisableAccessCheck()
-	// Now it should work
-	conn, err = grpc.DialContext(ctx, fmt.Sprintf("localhost:%d", 8052), grpc.WithInsecure(), grpc.WithBlock())
-	assert.NoError(t, err)
-	defer conn.Close()
-	chaincodeSupportClient = pb.NewChaincodeSupportClient(conn)
-	stream, err = chaincodeSupportClient.Register(context.Background())
-	stream.Send(registerMsg)
-	stream.Send(putStateMsg)
-	echoMsg, err = stream.Recv()
-	assert.NotNil(t, echoMsg)
-	assert.NoError(t, err)
-}
-
 type logBackend struct {
 	logEntries chan string
 }

core/chaincode/accesscontrol/mapper.go

@@ -13,7 +13,6 @@ import (
 	"time"
 
 	"github.com/hyperledger/fabric/common/util"
-	"github.com/spf13/viper"
 	"golang.org/x/net/context"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/peer"
@@ -26,14 +25,12 @@ type certHash string
 type certMapper struct {
 	keyGen KeyGenFunc
 	sync.RWMutex
-	m   map[certHash]string
-	tls bool
+	m map[certHash]string
 }
 
 func newCertMapper(keyGen KeyGenFunc) *certMapper {
 	return &certMapper{
 		keyGen: keyGen,
-		tls:    viper.GetBool("peer.tls.enabled"),
 		m:      make(map[certHash]string),
 	}
 }

core/chaincode/chaincode_support.go

@@ -136,30 +136,32 @@ func (chaincodeSupport *ChaincodeSupport) launchStarted(chaincode string) bool {
 }
 
 // NewChaincodeSupport creates a new ChaincodeSupport instance
-func NewChaincodeSupport(ccEndpoint string, userrunsCC bool, ccstartuptimeout time.Duration, ca accesscontrol.CA) pb.ChaincodeSupportServer {
+func NewChaincodeSupport(
+	ccEndpoint string,
+	userrunsCC bool,
+	ccstartuptimeout time.Duration,
+	caCert []byte,
+	certGenerator CertGenerator,
+) *ChaincodeSupport {
 	ccprovider.SetChaincodesPath(config.GetPath("peer.fileSystemPath") + string(filepath.Separator) + "chaincodes")
 	pnid := viper.GetString("peer.networkId")
 	pid := viper.GetString("peer.id")
 
 	theChaincodeSupport = &ChaincodeSupport{
-		ca: ca,
+		caCert:        caCert,
+		certGenerator: certGenerator,
 		runningChaincodes: &runningChaincodes{
 			chaincodeMap:  make(map[string]*chaincodeRTEnv),
 			launchStarted: make(map[string]bool),
 		}, peerNetworkID: pnid, peerID: pid,
 	}
 
-	theChaincodeSupport.auth = accesscontrol.NewAuthenticator(theChaincodeSupport, ca)
 	theChaincodeSupport.peerAddress = ccEndpoint
 	chaincodeLogger.Infof("Chaincode support using peerAddress: %s\n", theChaincodeSupport.peerAddress)
 
 	theChaincodeSupport.userRunsCC = userrunsCC
 	theChaincodeSupport.ccStartupTimeout = ccstartuptimeout
-
 	theChaincodeSupport.peerTLS = viper.GetBool("peer.tls.enabled")
-	if !theChaincodeSupport.peerTLS {
-		theChaincodeSupport.auth.DisableAccessCheck()
-	}
 
 	kadef := 0
 	if ka := viper.GetString("chaincode.keepalive"); ka == "" {
@@ -196,7 +198,7 @@ func NewChaincodeSupport(ccEndpoint string, userrunsCC bool, ccstartuptimeout ti
 	theChaincodeSupport.shimLogLevel = getLogLevelFromViper("shim")
 	theChaincodeSupport.logFormat = viper.GetString("chaincode.logging.format")
 
-	return theChaincodeSupport.auth
+	return theChaincodeSupport
 }
 
 // getLogLevelFromViper gets the chaincode container log levels from viper
@@ -213,10 +215,17 @@ func getLogLevelFromViper(module string) string {
 	return levelString
 }
 
+// CertGenerator generates client certificates for chaincode.
+type CertGenerator interface {
+	// Generate returns a certificate and private key and associates
+	// the hash of the certificate with the given chaincode name
+	Generate(ccName string) (*accesscontrol.CertAndPrivKeyPair, error)
+}
+
 // ChaincodeSupport responsible for providing interfacing with chaincodes from the Peer.
 type ChaincodeSupport struct {
-	ca                accesscontrol.CA
-	auth              accesscontrol.Authenticator
+	caCert            []byte
+	certGenerator     CertGenerator
 	runningChaincodes *runningChaincodes
 	peerAddress       string
 	ccStartupTimeout  time.Duration
@@ -358,7 +367,7 @@ func (chaincodeSupport *ChaincodeSupport) getTLSFiles(keyPair *accesscontrol.Cer
 	return map[string][]byte{
 		TLSClientKeyPath:      []byte(keyPair.Key),
 		TLSClientCertPath:     []byte(keyPair.Cert),
-		TLSClientRootCertPath: chaincodeSupport.ca.CertBytes(),
+		TLSClientRootCertPath: chaincodeSupport.caCert,
 	}
 }
 
@@ -379,7 +388,7 @@ func (chaincodeSupport *ChaincodeSupport) getLaunchConfigs(cccid *ccprovider.CCC
 	// ----------------------------------------------------------------------------
 	var certKeyPair *accesscontrol.CertAndPrivKeyPair
 	if chaincodeSupport.peerTLS {
-		certKeyPair, err = chaincodeSupport.auth.Generate(cccid.GetCanonicalName())
+		certKeyPair, err = chaincodeSupport.certGenerator.Generate(cccid.GetCanonicalName())
 		if err != nil {
 			return nil, nil, nil, errors.WithMessage(err, fmt.Sprintf("failed generating TLS cert for %s", cccid.GetCanonicalName()))
 		}

core/chaincode/chaincode_support_test.go

@@ -164,7 +164,8 @@ func initMockPeer(chainIDs ...string) error {
 
 	ccStartupTimeout := time.Duration(10) * time.Second
 	ca, _ := accesscontrol.NewCA()
-	NewChaincodeSupport("0.0.0.0:7052", false, ccStartupTimeout, ca)
+	certGenerator := accesscontrol.NewAuthenticator(ca)
+	NewChaincodeSupport("0.0.0.0:7052", false, ccStartupTimeout, ca.CertBytes(), certGenerator)
 	theChaincodeSupport.executetimeout = time.Duration(1) * time.Second
 
 	// Mock policy checker
@@ -815,11 +816,11 @@ func getHistory(t *testing.T, chainID, ccname string, ccSide *mockpeer.MockCCCom
 	return nil
 }
 
-func getLaunchConfigs(t *testing.T, auth accesscontrol.Authenticator) {
+func getLaunchConfigs(t *testing.T, certGenerator CertGenerator) {
 	newCCSupport := &ChaincodeSupport{peerTLS: true, chaincodeLogLevel: "debug", shimLogLevel: "info"}
 
-	//set the authenticator for generating TLS stuff
-	newCCSupport.auth = auth
+	//set the certGenerator for generating TLS stuff
+	newCCSupport.certGenerator = certGenerator
 
 	ccContext := ccprovider.NewCCContext("dummyChannelId", "mycc", "v0", "dummyTxid", false, nil, nil)
 	args, envs, filesToUpload, err := newCCSupport.getLaunchConfigs(ccContext, pb.ChaincodeSpec_GOLANG)
@@ -1169,8 +1170,8 @@ func TestCCFramework(t *testing.T) {
 	//call's history result
 	getHistory(t, chainID, ccname, ccSide)
 
-	//just use the previous authhandler for generating TLS key/pair
-	getLaunchConfigs(t, theChaincodeSupport.auth)
+	//just use the previous certGenerator for generating TLS key/pair
+	getLaunchConfigs(t, theChaincodeSupport.certGenerator)
 
 	ccSide.Quit()
 }

core/chaincode/exectransaction_test.go

@@ -100,7 +100,8 @@ func initPeer(chainIDs ...string) (net.Listener, error) {
 
 	ccStartupTimeout := time.Duration(3) * time.Minute
 	ca, _ := accesscontrol.NewCA()
-	pb.RegisterChaincodeSupportServer(grpcServer, NewChaincodeSupport(peerAddress, false, ccStartupTimeout, ca))
+	certGenerator := accesscontrol.NewAuthenticator(ca)
+	pb.RegisterChaincodeSupportServer(grpcServer, NewChaincodeSupport(peerAddress, false, ccStartupTimeout, ca.CertBytes(), certGenerator))
 
 	// Mock policy checker
 	policy.RegisterPolicyCheckerFactory(&mockPolicyCheckerFactory{})

core/chaincode/systemchaincode_test.go

@@ -69,7 +69,8 @@ func initSysCCTests() (*oldSysCCInfo, net.Listener, error) {
 
 	ccStartupTimeout := time.Duration(5000) * time.Millisecond
 	ca, _ := accesscontrol.NewCA()
-	pb.RegisterChaincodeSupportServer(grpcServer, NewChaincodeSupport(peerAddress, false, ccStartupTimeout, ca))
+	certGenerator := accesscontrol.NewAuthenticator(ca)
+	pb.RegisterChaincodeSupportServer(grpcServer, NewChaincodeSupport(peerAddress, false, ccStartupTimeout, ca.CertBytes(), certGenerator))
 
 	go grpcServer.Serve(lis)
 

core/scc/cscc/configure_test.go

@@ -204,7 +204,8 @@ func TestConfigerInvokeJoinChainCorrectParams(t *testing.T) {
 
 	ccStartupTimeout := time.Duration(30000) * time.Millisecond
 	ca, _ := accesscontrol.NewCA()
-	chaincode.NewChaincodeSupport(peerEndpoint, false, ccStartupTimeout, ca)
+	certGenerator := accesscontrol.NewAuthenticator(ca)
+	chaincode.NewChaincodeSupport(peerEndpoint, false, ccStartupTimeout, ca.CertBytes(), certGenerator)
 
 	// Init the policy checker
 	policyManagerGetter := &policymocks.MockChannelPolicyManagerGetter{

peer/node/start.go

@@ -502,6 +502,7 @@ func computeChaincodeEndpoint(peerHostname string) (ccEndpoint string, err error
 func registerChaincodeSupport(grpcServer comm.GRPCServer, ccEndpoint string, ca accesscontrol.CA) {
 	//get user mode
 	userRunsCC := chaincode.IsDevMode()
+	tlsEnabled := viper.GetBool("peer.tls.enabled")
 
 	//get chaincode startup timeout
 	ccStartupTimeout := viper.GetDuration("chaincode.startuptimeout")
@@ -512,7 +513,12 @@ func registerChaincodeSupport(grpcServer comm.GRPCServer, ccEndpoint string, ca
 		logger.Debugf("Chaincode startup timeout value set to %s", ccStartupTimeout)
 	}
 
-	ccSrv := chaincode.NewChaincodeSupport(ccEndpoint, userRunsCC, ccStartupTimeout, ca)
+	authenticator := accesscontrol.NewAuthenticator(ca)
+	chaincodeSupport := chaincode.NewChaincodeSupport(ccEndpoint, userRunsCC, ccStartupTimeout, ca.CertBytes(), authenticator)
+	ccSrv := pb.ChaincodeSupportServer(chaincodeSupport)
+	if tlsEnabled {
+		ccSrv = authenticator.Wrap(ccSrv)
+	}
 
 	//Now that chaincode is initialized, register all system chaincodes.
 	scc.RegisterSysCCs()