Documentation ¶
Index ¶
- Variables
- func AddPemToCertPool(pemCerts []byte, pool *x509.CertPool) error
- func ClientKeepaliveOptions(ka *KeepaliveOptions) []grpc.DialOption
- func ExtractCertificateFromContext(ctx context.Context) *x509.Certificate
- func ExtractCertificateHashFromContext(ctx context.Context) []byte
- func ExtractRawCertificateFromContext(ctx context.Context) []byte
- func InitTLSForShim(key, certStr string) credentials.TransportCredentials
- func NewClientConnectionWithAddress(peerAddress string, block bool, tslEnabled bool, ...) (*grpc.ClientConn, error)
- func NewServerTransportCredentials(serverConfig *TLSConfig, logger *flogging.FabricLogger) credentials.TransportCredentials
- func ServerKeepaliveOptions(ka *KeepaliveOptions) []grpc.ServerOption
- type BindingInspector
- type CertHashExtractor
- type CertificateBundle
- type ClientConfig
- type ConnProducer
- type ConnectionFactory
- type ConnectionProducer
- type CredentialSupport
- func (cs *CredentialSupport) GetClientCertificate() tls.Certificate
- func (cs *CredentialSupport) GetDeliverServiceCredentials(channelID string, appendStaticRoots bool, orgs []string, ...) (credentials.TransportCredentials, error)
- func (cs *CredentialSupport) GetPeerCredentials() credentials.TransportCredentials
- func (cs *CredentialSupport) SetClientCertificate(cert tls.Certificate)
- type DynamicClientCredentials
- func (dtc *DynamicClientCredentials) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)
- func (dtc *DynamicClientCredentials) Clone() credentials.TransportCredentials
- func (dtc *DynamicClientCredentials) Info() credentials.ProtocolInfo
- func (dtc *DynamicClientCredentials) OverrideServerName(name string) error
- func (dtc *DynamicClientCredentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)
- type EndpointCriteria
- type GRPCClient
- func (client *GRPCClient) Certificate() tls.Certificate
- func (client *GRPCClient) MutualTLSRequired() bool
- func (client *GRPCClient) NewConnection(address string, serverNameOverride string, tlsOptions ...TLSOption) (*grpc.ClientConn, error)
- func (client *GRPCClient) SetMaxRecvMsgSize(size int)
- func (client *GRPCClient) SetMaxSendMsgSize(size int)
- func (client *GRPCClient) SetServerRootCAs(serverRoots [][]byte) error
- func (client *GRPCClient) TLSEnabled() bool
- type GRPCServer
- func (gServer *GRPCServer) Address() string
- func (gServer *GRPCServer) Listener() net.Listener
- func (gServer *GRPCServer) MutualTLSRequired() bool
- func (gServer *GRPCServer) RemoveClientRootCAs(clientRoots [][]byte) error
- func (gServer *GRPCServer) Server() *grpc.Server
- func (gServer *GRPCServer) ServerCertificate() tls.Certificate
- func (gServer *GRPCServer) SetClientRootCAs(clientRoots [][]byte) error
- func (gServer *GRPCServer) SetServerCertificate(cert tls.Certificate)
- func (gServer *GRPCServer) Start() error
- func (gServer *GRPCServer) Stop()
- func (gServer *GRPCServer) TLSEnabled() bool
- type KeepaliveOptions
- type Metrics
- type NewSemaphoreFunc
- type OrdererEndpoint
- type OrgRootCAs
- type PerOrgCertificateBundle
- type SecureOptions
- type Semaphore
- type ServerConfig
- type ServerStatsHandler
- func (h *ServerStatsHandler) HandleConn(ctx context.Context, s stats.ConnStats)
- func (h *ServerStatsHandler) HandleRPC(ctx context.Context, s stats.RPCStats)
- func (h *ServerStatsHandler) TagConn(ctx context.Context, info *stats.ConnTagInfo) context.Context
- func (h *ServerStatsHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context
- type TLSConfig
- type TLSOption
- type Throttle
- type ThrottleOption
Constants ¶
This section is empty.
Variables ¶
var ( // Max send and receive bytes for grpc clients and servers MaxRecvMsgSize = 100 * 1024 * 1024 MaxSendMsgSize = 100 * 1024 * 1024 // Default peer keepalive options DefaultKeepaliveOptions = &KeepaliveOptions{ ClientInterval: time.Duration(1) * time.Minute, ClientTimeout: time.Duration(20) * time.Second, ServerInterval: time.Duration(2) * time.Hour, ServerTimeout: time.Duration(20) * time.Second, ServerMinInterval: time.Duration(1) * time.Minute, } // strong TLS cipher suites DefaultTLSCipherSuites = []uint16{ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_256_GCM_SHA384, } // default connection timeout DefaultConnectionTimeout = 5 * time.Second )
Configuration defaults
var ( ClientHandshakeNotImplError = errors.New("core/comm: Client handshakes" + "are not implemented with serverCreds") OverrrideHostnameNotSupportedError = errors.New( "core/comm: OverrideServerName is " + "not supported") ServerHandshakeNotImplementedError = errors.New("core/comm: server handshakes are not implemented with clientCreds") MissingServerConfigError = errors.New( "core/comm: `serverConfig` cannot be nil") )
Functions ¶
func AddPemToCertPool ¶ added in v1.1.0
AddPemToCertPool adds PEM-encoded certs to a cert pool
func ClientKeepaliveOptions ¶
func ClientKeepaliveOptions(ka *KeepaliveOptions) []grpc.DialOption
ClientKeepaliveOptions returns gRPC keepalive options for clients. If opts is nil, the default keepalive options are returned
func ExtractCertificateFromContext ¶ added in v1.3.0
func ExtractCertificateFromContext(ctx context.Context) *x509.Certificate
ExtractCertificateFromContext returns the TLS certificate (if applicable) from the given context of a gRPC stream
func ExtractCertificateHashFromContext ¶ added in v1.1.0
ExtractCertificateHashFromContext extracts the hash of the certificate from the given context. If the certificate isn't present, nil is returned
func ExtractRawCertificateFromContext ¶ added in v1.4.1
ExtractRawCertificateFromContext returns the raw TLS certificate (if applicable) from the given context of a gRPC stream
func InitTLSForShim ¶ added in v1.1.0
func InitTLSForShim(key, certStr string) credentials.TransportCredentials
func NewClientConnectionWithAddress ¶
func NewClientConnectionWithAddress(peerAddress string, block bool, tslEnabled bool, creds credentials.TransportCredentials, ka *KeepaliveOptions) (*grpc.ClientConn, error)
NewClientConnectionWithAddress Returns a new grpc.ClientConn to the given address
func NewServerTransportCredentials ¶
func NewServerTransportCredentials( serverConfig *TLSConfig, logger *flogging.FabricLogger) credentials.TransportCredentials
NewServerTransportCredentials returns a new initialized grpc/credentials.TransportCredentials
func ServerKeepaliveOptions ¶
func ServerKeepaliveOptions(ka *KeepaliveOptions) []grpc.ServerOption
ServerKeepaliveOptions returns gRPC keepalive options for server. If opts is nil, the default keepalive options are returned
Types ¶
type BindingInspector ¶ added in v1.1.0
BindingInspector receives as parameters a gRPC context and an Envelope, and verifies whether the message contains an appropriate binding to the context
func NewBindingInspector ¶ added in v1.1.0
func NewBindingInspector(mutualTLS bool, extractTLSCertHash CertHashExtractor) BindingInspector
NewBindingInspector returns a BindingInspector according to whether mutualTLS is configured or not, and according to a function that extracts TLS certificate hashes from proto messages
type CertHashExtractor ¶ added in v1.1.0
CertHashExtractor extracts a certificate from a proto.Message message
type CertificateBundle ¶ added in v1.4.2
type CertificateBundle [][]byte
CertificateBundle bundles certificates
type ClientConfig ¶ added in v1.1.0
type ClientConfig struct { // SecOpts defines the security parameters SecOpts *SecureOptions // KaOpts defines the keepalive parameters KaOpts *KeepaliveOptions // Timeout specifies how long the client will block when attempting to // establish a connection Timeout time.Duration // AsyncConnect makes connection creation non blocking AsyncConnect bool }
ClientConfig defines the parameters for configuring a GRPCClient instance
func (ClientConfig) Clone ¶ added in v1.4.2
func (cc ClientConfig) Clone() ClientConfig
Clone clones this ClientConfig
type ConnProducer ¶ added in v1.4.2
ConnProducer produces connections
func NewConnectionProducer ¶
func NewConnectionProducer(factory ConnectionFactory, endpoints []EndpointCriteria) *ConnProducer
NewConnectionProducer creates a new ConnectionProducer with given endpoints and connection factory. It returns nil, if the given endpoints slice is empty.
func (*ConnProducer) GetEndpoints ¶ added in v1.4.2
func (cp *ConnProducer) GetEndpoints() []EndpointCriteria
GetEndpoints returns configured endpoint criteria for ordering service
func (*ConnProducer) NewConnection ¶ added in v1.4.2
func (cp *ConnProducer) NewConnection() (*grpc.ClientConn, string, error)
NewConnection creates a new connection. Returns the connection, the endpoint selected, nil on success. Returns nil, "", error on failure
func (*ConnProducer) UpdateEndpoints ¶ added in v1.4.2
func (cp *ConnProducer) UpdateEndpoints(endpoints []EndpointCriteria)
UpdateEndpoints updates the endpoints of the ConnectionProducer to be the given endpoints
type ConnectionFactory ¶
type ConnectionFactory func(criteria EndpointCriteria) (*grpc.ClientConn, error)
ConnectionFactory creates a connection to a certain endpoint
type ConnectionProducer ¶
type ConnectionProducer interface { // NewConnection creates a new connection. // Returns the connection, the endpoint selected, nil on success. // Returns nil, "", error on failure NewConnection() (*grpc.ClientConn, string, error) // UpdateEndpoints updates the endpoint criteria of the ConnectionProducer // to be the given endpoints. UpdateEndpoints(endpoints []EndpointCriteria) // GetEndpoints return ordering service endpoint criteria. GetEndpoints() []EndpointCriteria }
ConnectionProducer produces connections out of a set of predefined endpoints
type CredentialSupport ¶ added in v1.1.0
type CredentialSupport struct { sync.RWMutex AppRootCAsByChain map[string]CertificateBundle OrdererRootCAsByChainAndOrg OrgRootCAs ClientRootCAs CertificateBundle ServerRootCAs CertificateBundle // contains filtered or unexported fields }
CredentialSupport type manages credentials used for gRPC client connections
func GetCredentialSupport ¶ added in v1.1.0
func GetCredentialSupport() *CredentialSupport
GetCredentialSupport returns the singleton CredentialSupport instance
func (*CredentialSupport) GetClientCertificate ¶ added in v1.1.0
func (cs *CredentialSupport) GetClientCertificate() tls.Certificate
GetClientCertificate returns the client certificate of the CredentialSupport
func (*CredentialSupport) GetDeliverServiceCredentials ¶ added in v1.1.0
func (cs *CredentialSupport) GetDeliverServiceCredentials( channelID string, appendStaticRoots bool, orgs []string, endpointOverrides map[string]*OrdererEndpoint, ) (credentials.TransportCredentials, error)
GetDeliverServiceCredentials returns gRPC transport credentials for given channel to be used by gRPC clients which communicate with ordering service endpoints. If appendStaticRoots is set to true, ServerRootCAs are also included in the credentials. If the channel isn't found, an error is returned.
func (*CredentialSupport) GetPeerCredentials ¶ added in v1.1.0
func (cs *CredentialSupport) GetPeerCredentials() credentials.TransportCredentials
GetPeerCredentials returns gRPC transport credentials for use by gRPC clients which communicate with remote peer endpoints.
func (*CredentialSupport) SetClientCertificate ¶ added in v1.1.0
func (cs *CredentialSupport) SetClientCertificate(cert tls.Certificate)
SetClientCertificate sets the tls.Certificate to use for gRPC client connections
type DynamicClientCredentials ¶ added in v1.4.5
func (*DynamicClientCredentials) ClientHandshake ¶ added in v1.4.5
func (*DynamicClientCredentials) Clone ¶ added in v1.4.5
func (dtc *DynamicClientCredentials) Clone() credentials.TransportCredentials
func (*DynamicClientCredentials) Info ¶ added in v1.4.5
func (dtc *DynamicClientCredentials) Info() credentials.ProtocolInfo
func (*DynamicClientCredentials) OverrideServerName ¶ added in v1.4.5
func (dtc *DynamicClientCredentials) OverrideServerName(name string) error
func (*DynamicClientCredentials) ServerHandshake ¶ added in v1.4.5
func (dtc *DynamicClientCredentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)
type EndpointCriteria ¶ added in v1.4.2
EndpointCriteria defines an endpoint, and a list of trusted organizations it corresponds to.
func (EndpointCriteria) Equals ¶ added in v1.4.2
func (ec EndpointCriteria) Equals(other EndpointCriteria) bool
Equals returns whether this EndpointCriteria is equivalent to the given other EndpointCriteria
type GRPCClient ¶ added in v1.1.0
type GRPCClient struct {
// contains filtered or unexported fields
}
func NewGRPCClient ¶ added in v1.1.0
func NewGRPCClient(config ClientConfig) (*GRPCClient, error)
NewGRPCClient creates a new implementation of GRPCClient given an address and client configuration
func (*GRPCClient) Certificate ¶ added in v1.1.0
func (client *GRPCClient) Certificate() tls.Certificate
Certificate returns the tls.Certificate used to make TLS connections when client certificates are required by the server
func (*GRPCClient) MutualTLSRequired ¶ added in v1.1.0
func (client *GRPCClient) MutualTLSRequired() bool
MutualTLSRequired is a flag indicating whether the client must send a certificate when making TLS connections
func (*GRPCClient) NewConnection ¶ added in v1.1.0
func (client *GRPCClient) NewConnection(address string, serverNameOverride string, tlsOptions ...TLSOption) ( *grpc.ClientConn, error)
NewConnection returns a grpc.ClientConn for the target address and overrides the server name used to verify the hostname on the certificate returned by a server when using TLS
func (*GRPCClient) SetMaxRecvMsgSize ¶ added in v1.1.0
func (client *GRPCClient) SetMaxRecvMsgSize(size int)
SetMaxRecvMsgSize sets the maximum message size the client can receive
func (*GRPCClient) SetMaxSendMsgSize ¶ added in v1.1.0
func (client *GRPCClient) SetMaxSendMsgSize(size int)
SetMaxSendMsgSize sets the maximum message size the client can send
func (*GRPCClient) SetServerRootCAs ¶ added in v1.1.0
func (client *GRPCClient) SetServerRootCAs(serverRoots [][]byte) error
SetServerRootCAs sets the list of authorities used to verify server certificates based on a list of PEM-encoded X509 certificate authorities
func (*GRPCClient) TLSEnabled ¶ added in v1.1.0
func (client *GRPCClient) TLSEnabled() bool
TLSEnabled is a flag indicating whether to use TLS for client connections
type GRPCServer ¶
type GRPCServer struct {
// contains filtered or unexported fields
}
func NewGRPCServer ¶
func NewGRPCServer(address string, serverConfig ServerConfig) (*GRPCServer, error)
NewGRPCServer creates a new implementation of a GRPCServer given a listen address
func NewGRPCServerFromListener ¶
func NewGRPCServerFromListener(listener net.Listener, serverConfig ServerConfig) (*GRPCServer, error)
NewGRPCServerFromListener creates a new implementation of a GRPCServer given an existing net.Listener instance using default keepalive
func (*GRPCServer) Address ¶
func (gServer *GRPCServer) Address() string
Address returns the listen address for this GRPCServer instance
func (*GRPCServer) Listener ¶
func (gServer *GRPCServer) Listener() net.Listener
Listener returns the net.Listener for the GRPCServer instance
func (*GRPCServer) MutualTLSRequired ¶ added in v1.1.0
func (gServer *GRPCServer) MutualTLSRequired() bool
MutualTLSRequired is a flag indicating whether or not client certificates are required for this GRPCServer instance
func (*GRPCServer) RemoveClientRootCAs ¶
func (gServer *GRPCServer) RemoveClientRootCAs(clientRoots [][]byte) error
RemoveClientRootCAs removes PEM-encoded X509 certificate authorities from the list of authorities used to verify client certificates
func (*GRPCServer) Server ¶
func (gServer *GRPCServer) Server() *grpc.Server
Server returns the grpc.Server for the GRPCServer instance
func (*GRPCServer) ServerCertificate ¶
func (gServer *GRPCServer) ServerCertificate() tls.Certificate
ServerCertificate returns the tls.Certificate used by the grpc.Server
func (*GRPCServer) SetClientRootCAs ¶
func (gServer *GRPCServer) SetClientRootCAs(clientRoots [][]byte) error
SetClientRootCAs sets the list of authorities used to verify client certificates based on a list of PEM-encoded X509 certificate authorities
func (*GRPCServer) SetServerCertificate ¶ added in v1.1.0
func (gServer *GRPCServer) SetServerCertificate(cert tls.Certificate)
SetServerCertificate assigns the current TLS certificate to be the peer's server certificate
func (*GRPCServer) Start ¶
func (gServer *GRPCServer) Start() error
Start starts the underlying grpc.Server
func (*GRPCServer) TLSEnabled ¶
func (gServer *GRPCServer) TLSEnabled() bool
TLSEnabled is a flag indicating whether or not TLS is enabled for the GRPCServer instance
type KeepaliveOptions ¶
type KeepaliveOptions struct { // ClientInterval is the duration after which if the client does not see // any activity from the server it pings the server to see if it is alive ClientInterval time.Duration // ClientTimeout is the duration the client waits for a response // from the server after sending a ping before closing the connection ClientTimeout time.Duration // ServerInterval is the duration after which if the server does not see // any activity from the client it pings the client to see if it is alive ServerInterval time.Duration // ServerTimeout is the duration the server waits for a response // from the client after sending a ping before closing the connection ServerTimeout time.Duration // ServerMinInterval is the minimum permitted time between client pings. // If clients send pings more frequently, the server will disconnect them ServerMinInterval time.Duration }
KeepaliveOptions is used to set the gRPC keepalive settings for both clients and servers
type Metrics ¶ added in v1.4.0
type OrgRootCAs ¶ added in v1.4.2
type OrgRootCAs map[string]PerOrgCertificateBundle
OrgRootCAs defines root CA certificates of organizations, by their corresponding channels. channel --> organization --> certificates
func (OrgRootCAs) AppendCertificates ¶ added in v1.4.2
func (orc OrgRootCAs) AppendCertificates(channel string, org string, rootCAs CertificateBundle)
AppendCertificates appends certificates that belong to the given organization in the context of the given channel. This operation isn't thread safe.
func (OrgRootCAs) CertificatesByChannelAndOrg ¶ added in v1.4.2
func (orc OrgRootCAs) CertificatesByChannelAndOrg(channel string, org string) CertificateBundle
CertificatesByChannelAndOrg returns the certificates of the given organization in the context of the given channel.
type PerOrgCertificateBundle ¶ added in v1.4.2
type PerOrgCertificateBundle map[string]CertificateBundle
PerOrgCertificateBundle maps organizations to CertificateBundles
type SecureOptions ¶ added in v1.1.0
type SecureOptions struct { // VerifyCertificate, if not nil, is called after normal // certificate verification by either a TLS client or server. // If it returns a non-nil error, the handshake is aborted and that error results. VerifyCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error // PEM-encoded X509 public key to be used for TLS communication Certificate []byte // PEM-encoded private key to be used for TLS communication Key []byte // Set of PEM-encoded X509 certificate authorities used by clients to // verify server certificates ServerRootCAs [][]byte // Set of PEM-encoded X509 certificate authorities used by servers to // verify client certificates ClientRootCAs [][]byte // Whether or not to use TLS for communication UseTLS bool // Whether or not TLS client must present certificates for authentication RequireClientCert bool // CipherSuites is a list of supported cipher suites for TLS CipherSuites []uint16 // TimeShift makes TLS handshakes time sampling shift to the past by a given duration TimeShift time.Duration }
SecureOptions defines the security parameters (e.g. TLS) for a GRPCServer or GRPCClient instance
type Semaphore ¶ added in v1.4.1
type ServerConfig ¶ added in v1.1.0
type ServerConfig struct { // ConnectionTimeout specifies the timeout for connection establishment // for all new connections ConnectionTimeout time.Duration // SecOpts defines the security parameters SecOpts *SecureOptions // KaOpts defines the keepalive parameters KaOpts *KeepaliveOptions // StreamInterceptors specifies a list of interceptors to apply to // streaming RPCs. They are executed in order. StreamInterceptors []grpc.StreamServerInterceptor // UnaryInterceptors specifies a list of interceptors to apply to unary // RPCs. They are executed in order. UnaryInterceptors []grpc.UnaryServerInterceptor // Logger specifies the logger the server will use Logger *flogging.FabricLogger // ServerStatsHandler should be set if metrics on connections are to be reported. ServerStatsHandler *ServerStatsHandler }
ServerConfig defines the parameters for configuring a GRPCServer instance
type ServerStatsHandler ¶ added in v1.4.0
type ServerStatsHandler struct { OpenConnCounter metrics.Counter ClosedConnCounter metrics.Counter }
func NewServerStatsHandler ¶ added in v1.4.0
func NewServerStatsHandler(p metrics.Provider) *ServerStatsHandler
func (*ServerStatsHandler) HandleConn ¶ added in v1.4.0
func (h *ServerStatsHandler) HandleConn(ctx context.Context, s stats.ConnStats)
func (*ServerStatsHandler) HandleRPC ¶ added in v1.4.0
func (h *ServerStatsHandler) HandleRPC(ctx context.Context, s stats.RPCStats)
func (*ServerStatsHandler) TagConn ¶ added in v1.4.0
func (h *ServerStatsHandler) TagConn(ctx context.Context, info *stats.ConnTagInfo) context.Context
func (*ServerStatsHandler) TagRPC ¶ added in v1.4.0
func (h *ServerStatsHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context
type TLSConfig ¶ added in v1.4.7
type TLSConfig struct {
// contains filtered or unexported fields
}
func (*TLSConfig) AddClientRootCA ¶ added in v1.4.7
func (t *TLSConfig) AddClientRootCA(cert *x509.Certificate)
type TLSOption ¶ added in v1.4.5
TLSOption changes the given TLS config
type Throttle ¶ added in v1.4.1
type Throttle struct {
// contains filtered or unexported fields
}
func NewThrottle ¶ added in v1.4.1
func NewThrottle(maxConcurrency int, options ...ThrottleOption) *Throttle
func (*Throttle) StreamServerInterceptor ¶ added in v1.4.1
func (t *Throttle) StreamServerInterceptor(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error
func (*Throttle) UnaryServerIntercptor ¶ added in v1.4.1
func (t *Throttle) UnaryServerIntercptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)
type ThrottleOption ¶ added in v1.4.1
type ThrottleOption func(t *Throttle)
func WithNewSemaphore ¶ added in v1.4.1
func WithNewSemaphore(newSemaphore NewSemaphoreFunc) ThrottleOption