Documentation ¶
Index ¶
- Constants
- Variables
- func AddPemToCertPool(pemCerts []byte, pool *x509.CertPool) error
- func ClientKeepaliveOptions(ka KeepaliveOptions) []grpc.DialOption
- func ExtractCertificateFromContext(ctx context.Context) *x509.Certificate
- func ExtractCertificateHashFromContext(ctx context.Context) []byte
- func ExtractRawCertificateFromContext(ctx context.Context) []byte
- func GetLocalIP() (string, error)
- func NewServerTransportCredentials(serverConfig *TLSConfig, logger *flogging.FabricLogger) credentials.TransportCredentials
- func ServerKeepaliveOptions(ka KeepaliveOptions) []grpc.ServerOption
- type BindingInspector
- type CertHashExtractor
- type ClientConfig
- type CredentialSupport
- func (cs *CredentialSupport) AppRootCAsByChain() map[string][][]byte
- func (cs *CredentialSupport) BuildTrustedRootsForChain(cm channelconfig.Resources)
- func (cs *CredentialSupport) GetClientCertificate() gmtls.Certificate
- func (cs *CredentialSupport) GetPeerCredentials() credentials.TransportCredentials
- func (cs *CredentialSupport) SetClientCertificate(cert gmtls.Certificate)
- type DynamicClientCredentials
- func (dtc *DynamicClientCredentials) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)
- func (dtc *DynamicClientCredentials) Clone() credentials.TransportCredentials
- func (dtc *DynamicClientCredentials) Info() credentials.ProtocolInfo
- func (dtc *DynamicClientCredentials) OverrideServerName(name string) error
- func (dtc *DynamicClientCredentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)
- type GRPCClient
- func (client *GRPCClient) Certificate() tls.Certificate
- func (client *GRPCClient) MutualTLSRequired() bool
- func (client *GRPCClient) NewConnection(address string, tlsOptions ...TLSOption) (*grpc.ClientConn, error)
- func (client *GRPCClient) SetServerRootCAs(serverRoots [][]byte) error
- func (client *GRPCClient) TLSEnabled() bool
- type GRPCServer
- func (gServer *GRPCServer) Address() string
- func (gServer *GRPCServer) Listener() net.Listener
- func (gServer *GRPCServer) MutualTLSRequired() bool
- func (gServer *GRPCServer) Server() *grpc.Server
- func (gServer *GRPCServer) ServerCertificate() tls.Certificate
- func (gServer *GRPCServer) SetClientRootCAs(clientRoots [][]byte) error
- func (gServer *GRPCServer) SetServerCertificate(cert tls.Certificate)
- func (gServer *GRPCServer) Start() error
- func (gServer *GRPCServer) Stop()
- func (gServer *GRPCServer) TLSEnabled() bool
- type KeepaliveOptions
- type Metrics
- type SecureOptions
- type ServerConfig
- type ServerStatsHandler
- func (h *ServerStatsHandler) HandleConn(ctx context.Context, s stats.ConnStats)
- func (h *ServerStatsHandler) HandleRPC(ctx context.Context, s stats.RPCStats)
- func (h *ServerStatsHandler) TagConn(ctx context.Context, info *stats.ConnTagInfo) context.Context
- func (h *ServerStatsHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context
- type TLSConfig
- type TLSOption
Constants ¶
const ( DefaultMaxRecvMsgSize = 100 * 1024 * 1024 DefaultMaxSendMsgSize = 100 * 1024 * 1024 )
Max send and receive bytes for grpc clients and servers
Variables ¶
var ( // Default peer keepalive options DefaultKeepaliveOptions = KeepaliveOptions{ ClientInterval: time.Duration(1) * time.Minute, ClientTimeout: time.Duration(20) * time.Second, ServerInterval: time.Duration(2) * time.Hour, ServerTimeout: time.Duration(20) * time.Second, ServerMinInterval: time.Duration(1) * time.Minute, } // strong TLS cipher suites DefaultTLSCipherSuites = []uint16{ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_256_GCM_SHA384, } // default connection timeout DefaultConnectionTimeout = 5 * time.Second )
var ( ErrClientHandshakeNotImplemented = errors.New("core/comm: client handshakes are not implemented with serverCreds") ErrServerHandshakeNotImplemented = errors.New("core/comm: server handshakes are not implemented with clientCreds") ErrOverrideHostnameNotSupported = errors.New("core/comm: OverrideServerName is not supported") )
Functions ¶
func AddPemToCertPool ¶
AddPemToCertPool adds PEM-encoded certs to a cert pool
func ClientKeepaliveOptions ¶
func ClientKeepaliveOptions(ka KeepaliveOptions) []grpc.DialOption
ClientKeepaliveOptions returns gRPC keepalive options for clients.
func ExtractCertificateFromContext ¶
func ExtractCertificateFromContext(ctx context.Context) *x509.Certificate
ExtractCertificateFromContext returns the TLS certificate (if applicable) from the given context of a gRPC stream
func ExtractCertificateHashFromContext ¶
ExtractCertificateHashFromContext extracts the hash of the certificate from the given context. If the certificate isn't present, nil is returned
func ExtractRawCertificateFromContext ¶
ExtractRawCertificateFromContext returns the raw TLS certificate (if applicable) from the given context of a gRPC stream
func GetLocalIP ¶
GetLocalIP returns the non loopback local IP of the host
func NewServerTransportCredentials ¶
func NewServerTransportCredentials( serverConfig *TLSConfig, logger *flogging.FabricLogger) credentials.TransportCredentials
NewServerTransportCredentials returns a new initialized grpc/credentials.TransportCredentials
func ServerKeepaliveOptions ¶
func ServerKeepaliveOptions(ka KeepaliveOptions) []grpc.ServerOption
ServerKeepaliveOptions returns gRPC keepalive options for server.
Types ¶
type BindingInspector ¶
BindingInspector receives as parameters a gRPC context and an Envelope, and verifies whether the message contains an appropriate binding to the context
func NewBindingInspector ¶
func NewBindingInspector(mutualTLS bool, extractTLSCertHash CertHashExtractor) BindingInspector
NewBindingInspector returns a BindingInspector according to whether mutualTLS is configured or not, and according to a function that extracts TLS certificate hashes from proto messages
type CertHashExtractor ¶
CertHashExtractor extracts a certificate from a proto.Message message
type ClientConfig ¶
type ClientConfig struct { // SecOpts defines the security parameters SecOpts SecureOptions // KaOpts defines the keepalive parameters KaOpts KeepaliveOptions // Timeout specifies how long the client will block when attempting to // establish a connection Timeout time.Duration // AsyncConnect makes connection creation non blocking AsyncConnect bool // Maximum message size the client can receive MaxRecvMsgSize int // Maximum message size the client can send MaxSendMsgSize int }
ClientConfig defines the parameters for configuring a GRPCClient instance
func (ClientConfig) Clone ¶
func (cc ClientConfig) Clone() ClientConfig
Clone clones this ClientConfig
type CredentialSupport ¶
type CredentialSupport struct {
// contains filtered or unexported fields
}
CredentialSupport type manages credentials used for gRPC client connections
func NewCredentialSupport ¶
func NewCredentialSupport(rootCAs ...[]byte) *CredentialSupport
NewCredentialSupport creates a CredentialSupport instance.
func (*CredentialSupport) AppRootCAsByChain ¶
func (cs *CredentialSupport) AppRootCAsByChain() map[string][][]byte
func (*CredentialSupport) BuildTrustedRootsForChain ¶
func (cs *CredentialSupport) BuildTrustedRootsForChain(cm channelconfig.Resources)
BuildTrustedRootsForChain populates the appRootCAs and orderRootCAs maps by getting the root and intermediate certs for all msps associated with the MSPManager.
func (*CredentialSupport) GetClientCertificate ¶
func (cs *CredentialSupport) GetClientCertificate() gmtls.Certificate
GetClientCertificate returns the client certificate of the CredentialSupport
func (*CredentialSupport) GetPeerCredentials ¶
func (cs *CredentialSupport) GetPeerCredentials() credentials.TransportCredentials
GetPeerCredentials returns gRPC transport credentials for use by gRPC clients which communicate with remote peer endpoints.
func (*CredentialSupport) SetClientCertificate ¶
func (cs *CredentialSupport) SetClientCertificate(cert gmtls.Certificate)
SetClientCertificate sets the tls.Certificate to use for gRPC client connections
type DynamicClientCredentials ¶
func (*DynamicClientCredentials) ClientHandshake ¶
func (*DynamicClientCredentials) Clone ¶
func (dtc *DynamicClientCredentials) Clone() credentials.TransportCredentials
func (*DynamicClientCredentials) Info ¶
func (dtc *DynamicClientCredentials) Info() credentials.ProtocolInfo
func (*DynamicClientCredentials) OverrideServerName ¶
func (dtc *DynamicClientCredentials) OverrideServerName(name string) error
func (*DynamicClientCredentials) ServerHandshake ¶
func (dtc *DynamicClientCredentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)
type GRPCClient ¶
type GRPCClient struct {
// contains filtered or unexported fields
}
func NewGRPCClient ¶
func NewGRPCClient(config ClientConfig) (*GRPCClient, error)
NewGRPCClient creates a new implementation of GRPCClient given an address and client configuration
func (*GRPCClient) Certificate ¶
func (client *GRPCClient) Certificate() tls.Certificate
Certificate returns the tls.Certificate used to make TLS connections when client certificates are required by the server
func (*GRPCClient) MutualTLSRequired ¶
func (client *GRPCClient) MutualTLSRequired() bool
MutualTLSRequired is a flag indicating whether the client must send a certificate when making TLS connections
func (*GRPCClient) NewConnection ¶
func (client *GRPCClient) NewConnection(address string, tlsOptions ...TLSOption) (*grpc.ClientConn, error)
NewConnection returns a grpc.ClientConn for the target address and overrides the server name used to verify the hostname on the certificate returned by a server when using TLS
func (*GRPCClient) SetServerRootCAs ¶
func (client *GRPCClient) SetServerRootCAs(serverRoots [][]byte) error
SetServerRootCAs sets the list of authorities used to verify server certificates based on a list of PEM-encoded X509 certificate authorities
func (*GRPCClient) TLSEnabled ¶
func (client *GRPCClient) TLSEnabled() bool
TLSEnabled is a flag indicating whether to use TLS for client connections
type GRPCServer ¶
type GRPCServer struct {
// contains filtered or unexported fields
}
func NewGRPCServer ¶
func NewGRPCServer(address string, serverConfig ServerConfig) (*GRPCServer, error)
NewGRPCServer creates a new implementation of a GRPCServer given a listen address
func NewGRPCServerFromListener ¶
func NewGRPCServerFromListener(listener net.Listener, serverConfig ServerConfig) (*GRPCServer, error)
NewGRPCServerFromListener creates a new implementation of a GRPCServer given an existing net.Listener instance using default keepalive
func (*GRPCServer) Address ¶
func (gServer *GRPCServer) Address() string
Address returns the listen address for this GRPCServer instance
func (*GRPCServer) Listener ¶
func (gServer *GRPCServer) Listener() net.Listener
Listener returns the net.Listener for the GRPCServer instance
func (*GRPCServer) MutualTLSRequired ¶
func (gServer *GRPCServer) MutualTLSRequired() bool
MutualTLSRequired is a flag indicating whether or not client certificates are required for this GRPCServer instance
func (*GRPCServer) Server ¶
func (gServer *GRPCServer) Server() *grpc.Server
Server returns the grpc.Server for the GRPCServer instance
func (*GRPCServer) ServerCertificate ¶
func (gServer *GRPCServer) ServerCertificate() tls.Certificate
ServerCertificate returns the tls.Certificate used by the grpc.Server
func (*GRPCServer) SetClientRootCAs ¶
func (gServer *GRPCServer) SetClientRootCAs(clientRoots [][]byte) error
SetClientRootCAs sets the list of authorities used to verify client certificates based on a list of PEM-encoded X509 certificate authorities
func (*GRPCServer) SetServerCertificate ¶
func (gServer *GRPCServer) SetServerCertificate(cert tls.Certificate)
SetServerCertificate assigns the current TLS certificate to be the peer's server certificate
func (*GRPCServer) Start ¶
func (gServer *GRPCServer) Start() error
Start starts the underlying grpc.Server
func (*GRPCServer) TLSEnabled ¶
func (gServer *GRPCServer) TLSEnabled() bool
TLSEnabled is a flag indicating whether or not TLS is enabled for the GRPCServer instance
type KeepaliveOptions ¶
type KeepaliveOptions struct { // ClientInterval is the duration after which if the client does not see // any activity from the server it pings the server to see if it is alive ClientInterval time.Duration // ClientTimeout is the duration the client waits for a response // from the server after sending a ping before closing the connection ClientTimeout time.Duration // ServerInterval is the duration after which if the server does not see // any activity from the client it pings the client to see if it is alive ServerInterval time.Duration // ServerTimeout is the duration the server waits for a response // from the client after sending a ping before closing the connection ServerTimeout time.Duration // ServerMinInterval is the minimum permitted time between client pings. // If clients send pings more frequently, the server will disconnect them ServerMinInterval time.Duration }
KeepaliveOptions is used to set the gRPC keepalive settings for both clients and servers
type SecureOptions ¶
type SecureOptions struct { // VerifyCertificate, if not nil, is called after normal // certificate verification by either a TLS client or server. // If it returns a non-nil error, the handshake is aborted and that error results. VerifyCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error // PEM-encoded X509 public key to be used for TLS communication Certificate []byte // PEM-encoded private key to be used for TLS communication Key []byte // Set of PEM-encoded X509 certificate authorities used by clients to // verify server certificates ServerRootCAs [][]byte // Set of PEM-encoded X509 certificate authorities used by servers to // verify client certificates ClientRootCAs [][]byte // Whether or not to use TLS for communication UseTLS bool // Whether or not TLS client must present certificates for authentication RequireClientCert bool // CipherSuites is a list of supported cipher suites for TLS CipherSuites []uint16 // TimeShift makes TLS handshakes time sampling shift to the past by a given duration TimeShift time.Duration }
SecureOptions defines the security parameters (e.g. TLS) for a GRPCServer or GRPCClient instance
type ServerConfig ¶
type ServerConfig struct { // ConnectionTimeout specifies the timeout for connection establishment // for all new connections ConnectionTimeout time.Duration // SecOpts defines the security parameters SecOpts SecureOptions // KaOpts defines the keepalive parameters KaOpts KeepaliveOptions // StreamInterceptors specifies a list of interceptors to apply to // streaming RPCs. They are executed in order. StreamInterceptors []grpc.StreamServerInterceptor // UnaryInterceptors specifies a list of interceptors to apply to unary // RPCs. They are executed in order. UnaryInterceptors []grpc.UnaryServerInterceptor // Logger specifies the logger the server will use Logger *flogging.FabricLogger // HealthCheckEnabled enables the gRPC Health Checking Protocol for the server HealthCheckEnabled bool // ServerStatsHandler should be set if metrics on connections are to be reported. ServerStatsHandler *ServerStatsHandler // Maximum message size the server can receive MaxRecvMsgSize int // Maximum message size the server can send MaxSendMsgSize int }
ServerConfig defines the parameters for configuring a GRPCServer instance
type ServerStatsHandler ¶
type ServerStatsHandler struct { OpenConnCounter metrics.Counter ClosedConnCounter metrics.Counter }
func NewServerStatsHandler ¶
func NewServerStatsHandler(p metrics.Provider) *ServerStatsHandler
func (*ServerStatsHandler) HandleConn ¶
func (h *ServerStatsHandler) HandleConn(ctx context.Context, s stats.ConnStats)
func (*ServerStatsHandler) HandleRPC ¶
func (h *ServerStatsHandler) HandleRPC(ctx context.Context, s stats.RPCStats)
func (*ServerStatsHandler) TagConn ¶
func (h *ServerStatsHandler) TagConn(ctx context.Context, info *stats.ConnTagInfo) context.Context
func (*ServerStatsHandler) TagRPC ¶
func (h *ServerStatsHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context
type TLSConfig ¶
type TLSConfig struct {
// contains filtered or unexported fields
}
func NewTLSConfig ¶
func (*TLSConfig) AddClientRootCA ¶
func (t *TLSConfig) AddClientRootCA(cert *x509.Certificate)