[FAB-7490] Mutual TLS support for CLI

The CLI was not working properly with mutual TLS
enabled.  In order to add support for client
certficates, the code needed to be partially
refactored by adding peer and orderer client
instances.  This code should be useful in the
future as part of any additional CLI rework.

Change-Id: Ifa19c26bf3aff887c5279a8f721e0425ec49732e
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>

Author: mastersingh24

core/comm/client.go

@@ -35,8 +35,10 @@ type GRPCClient interface {
 	// SetServerRootCAs sets the list of authorities used to verify server
 	// certificates based on a list of PEM-encoded X509 certificate authorities
 	SetServerRootCAs(clientRoots [][]byte) error
-	// NewConnection returns a grpc.ClientConn for the target address
-	NewConnection(address string) (*grpc.ClientConn, error)
+	// NewConnection returns a grpc.ClientConn for the target address and
+	// overrides the server name used to verify the hostname on the
+	// certificate returned by a server when using TLS
+	NewConnection(address string, serverNameOverride string) (*grpc.ClientConn, error)
 }
 
 type grpcClient struct {
@@ -185,8 +187,10 @@ func (client *grpcClient) SetServerRootCAs(serverRoots [][]byte) error {
 	return nil
 }
 
-// NewConnection returns a grpc.ClientConn for the target address
-func (client *grpcClient) NewConnection(address string) (
+// NewConnection returns a grpc.ClientConn for the target address and
+// overrides the server name used to verify the hostname on the
+// certificate returned by a server when using TLS
+func (client *grpcClient) NewConnection(address string, serverNameOverride string) (
 	*grpc.ClientConn, error) {
 
 	var dialOpts []grpc.DialOption
@@ -197,6 +201,7 @@ func (client *grpcClient) NewConnection(address string) (
 	// SetServerRootCAs / SetMaxRecvMsgSize / SetMaxSendMsgSize
 	//  to take effect on a per connection basis
 	if client.tlsConfig != nil {
+		client.tlsConfig.ServerName = serverNameOverride
 		dialOpts = append(dialOpts,
 			grpc.WithTransportCredentials(
 				credentials.NewTLS(client.tlsConfig)))

core/comm/client_test.go

@@ -135,7 +135,7 @@ func TestNewConnection_Timeout(t *testing.T) {
 	config := comm.ClientConfig{
 		Timeout: 1 * time.Second}
 	client, err := comm.NewGRPCClient(config)
-	conn, err := client.NewConnection(testAddress)
+	conn, err := client.NewConnection(testAddress, "")
 	assert.Contains(t, err.Error(), "context deadline exceeded")
 	t.Log(err)
 	assert.Nil(t, conn)
@@ -292,7 +292,7 @@ func TestNewConnection(t *testing.T) {
 				t.Fatalf("error creating client for test: %v", err)
 			}
 			conn, err := client.NewConnection(fmt.Sprintf("localhost:%d",
-				test.clientPort))
+				test.clientPort), "")
 			if test.success {
 				assert.NoError(t, err)
 				assert.NotNil(t, conn)
@@ -348,7 +348,7 @@ func TestSetServerRootCAs(t *testing.T) {
 
 	// initial config should work
 	t.Log("running initial good config")
-	conn, err := client.NewConnection(address)
+	conn, err := client.NewConnection(address, "")
 	assert.NoError(t, err)
 	assert.NotNil(t, conn)
 	if conn != nil {
@@ -360,15 +360,15 @@ func TestSetServerRootCAs(t *testing.T) {
 	err = client.SetServerRootCAs([][]byte{})
 	assert.NoError(t, err)
 	// now connection should fail
-	_, err = client.NewConnection(address)
+	_, err = client.NewConnection(address, "")
 	assert.Error(t, err)
 
 	// good root cert
 	t.Log("running good config")
 	err = client.SetServerRootCAs([][]byte{[]byte(caPEM)})
 	assert.NoError(t, err)
 	// now connection should succeed again
-	conn, err = client.NewConnection(address)
+	conn, err = client.NewConnection(address, "")
 	assert.NoError(t, err)
 	assert.NotNil(t, conn)
 	conn.Close()
@@ -442,7 +442,7 @@ func TestSetMessageSize(t *testing.T) {
 			if test.maxSendSize > 0 {
 				client.SetMaxSendMsgSize(test.maxSendSize)
 			}
-			conn, err := client.NewConnection(address)
+			conn, err := client.NewConnection(address, "")
 			assert.NoError(t, err)
 			defer conn.Close()
 			// create service client from conn

peer/chaincode/chaincode.go

@@ -24,11 +24,8 @@ const (
 var logger = flogging.MustGetLogger("chaincodeCmd")
 
 func addFlags(cmd *cobra.Command) {
+	common.AddOrdererFlags(cmd)
 	flags := cmd.PersistentFlags()
-
-	flags.StringVarP(&orderingEndpoint, "orderer", "o", "", "Ordering service endpoint")
-	flags.BoolVarP(&tls, "tls", "", false, "Use TLS when communicating with the orderer endpoint")
-	flags.StringVarP(&caFile, "cafile", "", "", "Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint")
 	flags.StringVarP(&transient, "transient", "", "", "Transient map of arguments in JSON encoding")
 }
 
@@ -64,18 +61,16 @@ var (
 	escc                  string
 	vscc                  string
 	policyMarshalled      []byte
-	orderingEndpoint      string
-	tls                   bool
-	caFile                string
 	transient             string
 	collectionsConfigFile string
 	collectionConfigBytes []byte
 )
 
 var chaincodeCmd = &cobra.Command{
-	Use:   chainFuncName,
-	Short: fmt.Sprint(shortDes),
-	Long:  fmt.Sprint(longDes),
+	Use:              chainFuncName,
+	Short:            fmt.Sprint(shortDes),
+	Long:             fmt.Sprint(longDes),
+	PersistentPreRun: common.SetOrdererEnv,
 }
 
 var flags *pflag.FlagSet

peer/chaincode/common.go

@@ -26,6 +26,7 @@ import (
 	putils "github.com/hyperledger/fabric/protos/utils"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 	"golang.org/x/net/context"
 )
 
@@ -315,7 +316,7 @@ func InitCmdFactory(isEndorserRequired, isOrdererRequired bool) (*ChaincodeCmdFa
 
 	var broadcastClient common.BroadcastClient
 	if isOrdererRequired {
-		if len(orderingEndpoint) == 0 {
+		if len(common.OrderingEndpoint) == 0 {
 			orderingEndpoints, err := common.GetOrdererEndpointOfChainFnc(channelID, signer, endorserClient)
 			if err != nil {
 				return nil, fmt.Errorf("Error getting (%s) orderer endpoint: %s", channelID, err)
@@ -324,10 +325,11 @@ func InitCmdFactory(isEndorserRequired, isOrdererRequired bool) (*ChaincodeCmdFa
 				return nil, fmt.Errorf("Error no orderer endpoint got for %s", channelID)
 			}
 			logger.Infof("Get chain(%s) orderer endpoint: %s", channelID, orderingEndpoints[0])
-			orderingEndpoint = orderingEndpoints[0]
+			// override viper env
+			viper.Set("orderer.address", orderingEndpoints[0])
 		}
 
-		broadcastClient, err = common.GetBroadcastClientFnc(orderingEndpoint, tls, caFile)
+		broadcastClient, err = common.GetBroadcastClientFnc()
 
 		if err != nil {
 			return nil, fmt.Errorf("Error getting broadcast client: %s", err)

peer/chaincode/flags_test.go

@@ -0,0 +1,59 @@
+/*
+Copyright IBM Corp. 2016-2017 All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package chaincode
+
+import (
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestOrdererFlags(t *testing.T) {
+
+	var (
+		ca       = "root.crt"
+		key      = "client.key"
+		cert     = "client.crt"
+		endpoint = "orderer.example.com:7050"
+		sn       = "override.example.com"
+	)
+
+	testCmd := &cobra.Command{
+		Use: "test",
+		Run: func(cmd *cobra.Command, args []string) {
+			t.Logf("rootcert: %s", viper.GetString("orderer.tls.rootcert.file"))
+			assert.Equal(t, ca, viper.GetString("orderer.tls.rootcert.file"))
+			assert.Equal(t, key, viper.GetString("orderer.tls.clientKey.file"))
+			assert.Equal(t, cert, viper.GetString("orderer.tls.clientCert.file"))
+			assert.Equal(t, endpoint, viper.GetString("orderer.address"))
+			assert.Equal(t, sn, viper.GetString("orderer.tls.serverhostoverride"))
+			assert.Equal(t, true, viper.GetBool("orderer.tls.enabled"))
+			assert.Equal(t, true, viper.GetBool("orderer.tls.clientAuthRequired"))
+		}}
+
+	runCmd := Cmd(nil)
+
+	runCmd.AddCommand(testCmd)
+
+	runCmd.SetArgs([]string{"test", "--cafile", ca, "--keyfile", key,
+		"--certfile", cert, "--orderer", endpoint, "--tls", "--clientauth",
+		"--ordererTLSHostnameOverride", sn})
+	err := runCmd.Execute()
+	assert.NoError(t, err)
+
+	// check env one more time
+	t.Logf("address: %s", viper.GetString("orderer.address"))
+	assert.Equal(t, ca, viper.GetString("orderer.tls.rootcert.file"))
+	assert.Equal(t, key, viper.GetString("orderer.tls.clientKey.file"))
+	assert.Equal(t, cert, viper.GetString("orderer.tls.clientCert.file"))
+	assert.Equal(t, endpoint, viper.GetString("orderer.address"))
+	assert.Equal(t, sn, viper.GetString("orderer.tls.serverhostoverride"))
+	assert.Equal(t, true, viper.GetBool("orderer.tls.enabled"))
+	assert.Equal(t, true, viper.GetBool("orderer.tls.clientAuthRequired"))
+}

peer/chaincode/invoke_test.go

@@ -117,15 +117,15 @@ func TestInvokeCmd(t *testing.T) {
 	common.GetOrdererEndpointOfChainFnc = func(chainID string, signer msp.SigningIdentity, endorserClient pb.EndorserClient) ([]string, error) {
 		return []string{"localhost:9999"}, nil
 	}
-	common.GetBroadcastClientFnc = func(orderingEndpoint string, tlsEnabled bool, caFile string) (common.BroadcastClient, error) {
+	common.GetBroadcastClientFnc = func() (common.BroadcastClient, error) {
 		return nil, errors.New("error")
 	}
 	err = cmd.Execute()
 	assert.Error(t, err)
 
 	// Success case
 	t.Logf("Start success case")
-	common.GetBroadcastClientFnc = func(orderingEndpoint string, tlsEnabled bool, caFile string) (common.BroadcastClient, error) {
+	common.GetBroadcastClientFnc = func() (common.BroadcastClient, error) {
 		return mockCF.BroadcastClient, nil
 	}
 	err = cmd.Execute()

peer/channel/channel.go

@@ -23,13 +23,9 @@ import (
 	"github.com/hyperledger/fabric/common/flogging"
 	"github.com/hyperledger/fabric/msp"
 	"github.com/hyperledger/fabric/peer/common"
-	ab "github.com/hyperledger/fabric/protos/orderer"
 	pb "github.com/hyperledger/fabric/protos/peer"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"golang.org/x/net/context"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
 )
 
 const (
@@ -55,13 +51,9 @@ var (
 	genesisBlockPath string
 
 	// create related variables
-	channelID                  string
-	channelTxFile              string
-	orderingEndpoint           string
-	tls                        bool
-	caFile                     string
-	ordererTLSHostnameOverride string
-	timeout                    int
+	channelID     string
+	channelTxFile string
+	timeout       int
 )
 
 // Cmd returns the cobra command for Node
@@ -81,12 +73,7 @@ func Cmd(cf *ChannelCmdFactory) *cobra.Command {
 
 // AddFlags adds flags for create and join
 func AddFlags(cmd *cobra.Command) {
-	flags := cmd.PersistentFlags()
-
-	flags.StringVarP(&orderingEndpoint, "orderer", "o", "", "Ordering service endpoint")
-	flags.BoolVarP(&tls, "tls", "", false, "Use TLS when communicating with the orderer endpoint")
-	flags.StringVarP(&caFile, "cafile", "", "", "Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint")
-	flags.StringVarP(&ordererTLSHostnameOverride, "ordererTLSHostnameOverride", "", "", "The hostname override to use when validating the TLS connection to the orderer.")
+	common.AddOrdererFlags(cmd)
 }
 
 var flags *pflag.FlagSet
@@ -117,9 +104,10 @@ func attachFlags(cmd *cobra.Command, names []string) {
 }
 
 var channelCmd = &cobra.Command{
-	Use:   channelFuncName,
-	Short: fmt.Sprint(shortDes),
-	Long:  fmt.Sprint(longDes),
+	Use:              channelFuncName,
+	Short:            fmt.Sprint(shortDes),
+	Long:             fmt.Sprint(longDes),
+	PersistentPreRun: common.SetOrdererEnv,
 }
 
 type BroadcastClientFactory func() (common.BroadcastClient, error)
@@ -145,7 +133,7 @@ func InitCmdFactory(isEndorserRequired EndorserRequirement, isOrdererRequired Or
 	}
 
 	cmdFact.BroadcastFactory = func() (common.BroadcastClient, error) {
-		return common.GetBroadcastClientFnc(orderingEndpoint, tls, caFile)
+		return common.GetBroadcastClientFnc()
 	}
 
 	//for join and list, we need the endorser as well
@@ -158,34 +146,13 @@ func InitCmdFactory(isEndorserRequired EndorserRequirement, isOrdererRequired Or
 
 	//for create and fetch, we need the orderer as well
 	if isOrdererRequired {
-		if len(strings.Split(orderingEndpoint, ":")) != 2 {
-			return nil, fmt.Errorf("Ordering service endpoint %s is not valid or missing", orderingEndpoint)
-		}
-
-		var opts []grpc.DialOption
-		// check for TLS
-		if tls {
-			if caFile != "" {
-				creds, err := credentials.NewClientTLSFromFile(caFile, ordererTLSHostnameOverride)
-				if err != nil {
-					return nil, fmt.Errorf("Error connecting to %s due to %s", orderingEndpoint, err)
-				}
-				opts = append(opts, grpc.WithTransportCredentials(creds))
-			}
-		} else {
-			opts = append(opts, grpc.WithInsecure())
+		if len(strings.Split(common.OrderingEndpoint, ":")) != 2 {
+			return nil, fmt.Errorf("ordering service endpoint %s is not valid or missing", common.OrderingEndpoint)
 		}
-		conn, err := grpc.Dial(orderingEndpoint, opts...)
+		cmdFact.DeliverClient, err = newDeliverClient(channelID)
 		if err != nil {
 			return nil, err
 		}
-
-		client, err := ab.NewAtomicBroadcastClient(conn).Deliver(context.TODO())
-		if err != nil {
-			return nil, fmt.Errorf("Error connecting due to  %s", err)
-		}
-
-		cmdFact.DeliverClient = newDeliverClient(conn, client, channelID)
 	}
 	logger.Infof("Endorser and orderer connections initialized")
 	return cmdFact, nil