Configuration defaults
var (
// Max send and receive bytes for grpc clients and servers
MaxRecvMsgSize = 100 * 1024 * 1024
MaxSendMsgSize = 100 * 1024 * 1024
// Default peer keepalive options
DefaultKeepaliveOptions = &KeepaliveOptions{
ClientInterval: time.Duration(1) * time.Minute,
ClientTimeout: time.Duration(20) * time.Second,
ServerInterval: time.Duration(2) * time.Hour,
ServerTimeout: time.Duration(20) * time.Second,
ServerMinInterval: time.Duration(1) * time.Minute,
}
// strong TLS cipher suites
DefaultTLSCipherSuites = []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
}
// default connection timeout
DefaultConnectionTimeout = 5 * time.Second
)
var (
ClientHandshakeNotImplError = errors.New("core/comm: Client handshakes" +
"are not implemented with serverCreds")
OverrrideHostnameNotSupportedError = errors.New(
"core/comm: OverrideServerName is " +
"not supported")
MissingServerConfigError = errors.New(
"core/comm: `serverConfig` cannot be nil")
)
var EndpointDisableInterval = time.Second * 10
func AddPemToCertPool(pemCerts []byte, pool *x509.CertPool) error
AddPemToCertPool adds PEM-encoded certs to a cert pool
func ClientKeepaliveOptions(ka *KeepaliveOptions) []grpc.DialOption
ClientKeepaliveOptions returns gRPC keepalive options for clients. If opts is nil, the default keepalive options are returned
func ExtractCertificateFromContext(ctx context.Context) *x509.Certificate
ExtractCertificateFromContext returns the TLS certificate (if applicable) from the given context of a gRPC stream
func ExtractCertificateHashFromContext(ctx context.Context) []byte
ExtractCertificateHashFromContext extracts the hash of the certificate from the given context. If the certificate isn't present, nil is returned
func ExtractRawCertificateFromContext(ctx context.Context) []byte
ExtractRawCertificateFromContext returns the raw TLS certificate (if applicable) from the given context of a gRPC stream
func InitTLSForShim(key, certStr string) credentials.TransportCredentials
func NewClientConnectionWithAddress(peerAddress string, block bool, tslEnabled bool, creds credentials.TransportCredentials, ka *KeepaliveOptions) (*grpc.ClientConn, error)
NewClientConnectionWithAddress Returns a new grpc.ClientConn to the given address
func NewServerTransportCredentials(
serverConfig *tls.Config,
logger *flogging.FabricLogger) credentials.TransportCredentials
NewServerTransportCredentials returns a new initialized grpc/credentials.TransportCredentials
func ServerKeepaliveOptions(ka *KeepaliveOptions) []grpc.ServerOption
ServerKeepaliveOptions returns gRPC keepalive options for server. If opts is nil, the default keepalive options are returned
BindingInspector receives as parameters a gRPC context and an Envelope, and verifies whether the message contains an appropriate binding to the context
type BindingInspector func(context.Context, proto.Message) error
func NewBindingInspector(mutualTLS bool, extractTLSCertHash CertHashExtractor) BindingInspector
NewBindingInspector returns a BindingInspector according to whether mutualTLS is configured or not, and according to a function that extracts TLS certificate hashes from proto messages
CertHashExtractor extracts a certificate from a proto.Message message
type CertHashExtractor func(proto.Message) []byte
CertificateBundle bundles certificates
type CertificateBundle [][]byte
ClientConfig defines the parameters for configuring a GRPCClient instance
type ClientConfig struct {
// SecOpts defines the security parameters
SecOpts *SecureOptions
// KaOpts defines the keepalive parameters
KaOpts *KeepaliveOptions
// Timeout specifies how long the client will block when attempting to
// establish a connection
Timeout time.Duration
// AsyncConnect makes connection creation non blocking
AsyncConnect bool
}
func (cc ClientConfig) Clone() ClientConfig
Clone clones this ClientConfig
ConnProducer produces connections
type ConnProducer struct {
sync.RWMutex
// contains filtered or unexported fields
}
func NewConnectionProducer(factory ConnectionFactory, endpoints []EndpointCriteria) *ConnProducer
NewConnectionProducer creates a new ConnectionProducer with given endpoints and connection factory. It returns nil, if the given endpoints slice is empty.
func (cp *ConnProducer) GetEndpoints() []EndpointCriteria
GetEndpoints returns configured endpoint criteria for ordering service
func (cp *ConnProducer) NewConnection() (*grpc.ClientConn, string, error)
NewConnection creates a new connection. Returns the connection, the endpoint selected, nil on success. Returns nil, "", error on failure
func (cp *ConnProducer) UpdateEndpoints(endpoints []EndpointCriteria)
UpdateEndpoints updates the endpoints of the ConnectionProducer to be the given endpoints
ConnectionFactory creates a connection to a certain endpoint
type ConnectionFactory func(criteria EndpointCriteria) (*grpc.ClientConn, error)
ConnectionProducer produces connections out of a set of predefined endpoints
type ConnectionProducer interface {
// NewConnection creates a new connection.
// Returns the connection, the endpoint selected, nil on success.
// Returns nil, "", error on failure
NewConnection() (*grpc.ClientConn, string, error)
// UpdateEndpoints updates the endpoint criteria of the ConnectionProducer
// to be the given endpoints.
UpdateEndpoints(endpoints []EndpointCriteria)
// GetEndpoints return ordering service endpoint criteria.
GetEndpoints() []EndpointCriteria
}
CredentialSupport type manages credentials used for gRPC client connections
type CredentialSupport struct {
sync.RWMutex
AppRootCAsByChain map[string]CertificateBundle
OrdererRootCAsByChainAndOrg OrgRootCAs
ClientRootCAs CertificateBundle
ServerRootCAs CertificateBundle
// contains filtered or unexported fields
}
func GetCredentialSupport() *CredentialSupport
GetCredentialSupport returns the singleton CredentialSupport instance
func (cs *CredentialSupport) GetClientCertificate() tls.Certificate
GetClientCertificate returns the client certificate of the CredentialSupport
func (cs *CredentialSupport) GetDeliverServiceCredentials( channelID string, appendStaticRoots bool, orgs []string, endpointOverrides map[string]*OrdererEndpoint, ) (credentials.TransportCredentials, error)
GetDeliverServiceCredentials returns gRPC transport credentials for given channel to be used by gRPC clients which communicate with ordering service endpoints. If appendStaticRoots is set to true, ServerRootCAs are also included in the credentials. If the channel isn't found, an error is returned.
func (cs *CredentialSupport) GetPeerCredentials() credentials.TransportCredentials
GetPeerCredentials returns gRPC transport credentials for use by gRPC clients which communicate with remote peer endpoints.
func (cs *CredentialSupport) SetClientCertificate(cert tls.Certificate)
SetClientCertificate sets the tls.Certificate to use for gRPC client connections
EndpointCriteria defines an endpoint, and a list of trusted organizations it corresponds to.
type EndpointCriteria struct {
Endpoint string
Organizations []string
}
func Shuffle(a []EndpointCriteria) []EndpointCriteria
func (ec EndpointCriteria) Equals(other EndpointCriteria) bool
Equals returns whether this EndpointCriteria is equivalent to the given other EndpointCriteria
type GRPCClient struct {
// contains filtered or unexported fields
}
func NewGRPCClient(config ClientConfig) (*GRPCClient, error)
NewGRPCClient creates a new implementation of GRPCClient given an address and client configuration
func (client *GRPCClient) Certificate() tls.Certificate
Certificate returns the tls.Certificate used to make TLS connections when client certificates are required by the server
func (client *GRPCClient) MutualTLSRequired() bool
MutualTLSRequired is a flag indicating whether the client must send a certificate when making TLS connections
func (client *GRPCClient) NewConnection(address string, serverNameOverride string) ( *grpc.ClientConn, error)
NewConnection returns a grpc.ClientConn for the target address and overrides the server name used to verify the hostname on the certificate returned by a server when using TLS
func (client *GRPCClient) SetMaxRecvMsgSize(size int)
SetMaxRecvMsgSize sets the maximum message size the client can receive
func (client *GRPCClient) SetMaxSendMsgSize(size int)
SetMaxSendMsgSize sets the maximum message size the client can send
func (client *GRPCClient) SetServerRootCAs(serverRoots [][]byte) error
SetServerRootCAs sets the list of authorities used to verify server certificates based on a list of PEM-encoded X509 certificate authorities
func (client *GRPCClient) TLSEnabled() bool
TLSEnabled is a flag indicating whether to use TLS for client connections
type GRPCServer struct {
// contains filtered or unexported fields
}
func NewGRPCServer(address string, serverConfig ServerConfig) (*GRPCServer, error)
NewGRPCServer creates a new implementation of a GRPCServer given a listen address
func NewGRPCServerFromListener(listener net.Listener, serverConfig ServerConfig) (*GRPCServer, error)
NewGRPCServerFromListener creates a new implementation of a GRPCServer given an existing net.Listener instance using default keepalive
func (gServer *GRPCServer) Address() string
Address returns the listen address for this GRPCServer instance
func (gServer *GRPCServer) AppendClientRootCAs(clientRoots [][]byte) error
AppendClientRootCAs appends PEM-encoded X509 certificate authorities to the list of authorities used to verify client certificates
func (gServer *GRPCServer) Listener() net.Listener
Listener returns the net.Listener for the GRPCServer instance
func (gServer *GRPCServer) MutualTLSRequired() bool
MutualTLSRequired is a flag indicating whether or not client certificates are required for this GRPCServer instance
func (gServer *GRPCServer) RemoveClientRootCAs(clientRoots [][]byte) error
RemoveClientRootCAs removes PEM-encoded X509 certificate authorities from the list of authorities used to verify client certificates
func (gServer *GRPCServer) Server() *grpc.Server
Server returns the grpc.Server for the GRPCServer instance
func (gServer *GRPCServer) ServerCertificate() tls.Certificate
ServerCertificate returns the tls.Certificate used by the grpc.Server
func (gServer *GRPCServer) SetClientRootCAs(clientRoots [][]byte) error
SetClientRootCAs sets the list of authorities used to verify client certificates based on a list of PEM-encoded X509 certificate authorities
func (gServer *GRPCServer) SetServerCertificate(cert tls.Certificate)
SetServerCertificate assigns the current TLS certificate to be the peer's server certificate
func (gServer *GRPCServer) Start() error
Start starts the underlying grpc.Server
func (gServer *GRPCServer) Stop()
Stop stops the underlying grpc.Server
func (gServer *GRPCServer) TLSEnabled() bool
TLSEnabled is a flag indicating whether or not TLS is enabled for the GRPCServer instance
KeepaliveOptions is used to set the gRPC keepalive settings for both clients and servers
type KeepaliveOptions struct {
// ClientInterval is the duration after which if the client does not see
// any activity from the server it pings the server to see if it is alive
ClientInterval time.Duration
// ClientTimeout is the duration the client waits for a response
// from the server after sending a ping before closing the connection
ClientTimeout time.Duration
// ServerInterval is the duration after which if the server does not see
// any activity from the client it pings the client to see if it is alive
ServerInterval time.Duration
// ServerTimeout is the duration the server waits for a response
// from the client after sending a ping before closing the connection
ServerTimeout time.Duration
// ServerMinInterval is the minimum permitted time between client pings.
// If clients send pings more frequently, the server will disconnect them
ServerMinInterval time.Duration
}
type Metrics struct {
// OpenConnCounter keeps track of number of open connections
OpenConnCounter metrics.Counter
// ClosedConnCounter keeps track of number connections closed
ClosedConnCounter metrics.Counter
}
type NewSemaphoreFunc func(size int) Semaphore
type OrdererEndpoint struct {
Address string
PEMs []byte
}
OrgRootCAs defines root CA certificates of organizations, by their corresponding channels. channel --> organization --> certificates
type OrgRootCAs map[string]PerOrgCertificateBundle
func (orc OrgRootCAs) AppendCertificates(channel string, org string, rootCAs CertificateBundle)
AppendCertificates appends certificates that belong to the given organization in the context of the given channel. This operation isn't thread safe.
func (orc OrgRootCAs) CertificatesByChannelAndOrg(channel string, org string) CertificateBundle
CertificatesByChannelAndOrg returns the certificates of the given organization in the context of the given channel.
PerOrgCertificateBundle maps organizations to CertificateBundles
type PerOrgCertificateBundle map[string]CertificateBundle
SecureOptions defines the security parameters (e.g. TLS) for a GRPCServer or GRPCClient instance
type SecureOptions struct {
// VerifyCertificate, if not nil, is called after normal
// certificate verification by either a TLS client or server.
// If it returns a non-nil error, the handshake is aborted and that error results.
VerifyCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
// PEM-encoded X509 public key to be used for TLS communication
Certificate []byte
// PEM-encoded private key to be used for TLS communication
Key []byte
// Set of PEM-encoded X509 certificate authorities used by clients to
// verify server certificates
ServerRootCAs [][]byte
// Set of PEM-encoded X509 certificate authorities used by servers to
// verify client certificates
ClientRootCAs [][]byte
// Whether or not to use TLS for communication
UseTLS bool
// Whether or not TLS client must present certificates for authentication
RequireClientCert bool
// CipherSuites is a list of supported cipher suites for TLS
CipherSuites []uint16
// TimeShift makes TLS handshakes time sampling shift to the past by a given duration
TimeShift time.Duration
}
type Semaphore interface {
Acquire(ctx context.Context) error
Release()
}
ServerConfig defines the parameters for configuring a GRPCServer instance
type ServerConfig struct {
// ConnectionTimeout specifies the timeout for connection establishment
// for all new connections
ConnectionTimeout time.Duration
// SecOpts defines the security parameters
SecOpts *SecureOptions
// KaOpts defines the keepalive parameters
KaOpts *KeepaliveOptions
// StreamInterceptors specifies a list of interceptors to apply to
// streaming RPCs. They are executed in order.
StreamInterceptors []grpc.StreamServerInterceptor
// UnaryInterceptors specifies a list of interceptors to apply to unary
// RPCs. They are executed in order.
UnaryInterceptors []grpc.UnaryServerInterceptor
// Logger specifies the logger the server will use
Logger *flogging.FabricLogger
// ServerStatsHandler should be set if metrics on connections are to be reported.
ServerStatsHandler *ServerStatsHandler
}
type ServerStatsHandler struct {
OpenConnCounter metrics.Counter
ClosedConnCounter metrics.Counter
}
func NewServerStatsHandler(p metrics.Provider) *ServerStatsHandler
func (h *ServerStatsHandler) HandleConn(ctx context.Context, s stats.ConnStats)
func (h *ServerStatsHandler) HandleRPC(ctx context.Context, s stats.RPCStats)
func (h *ServerStatsHandler) TagConn(ctx context.Context, info *stats.ConnTagInfo) context.Context
func (h *ServerStatsHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context
type Throttle struct {
// contains filtered or unexported fields
}
func NewThrottle(maxConcurrency int, options ...ThrottleOption) *Throttle
func (t *Throttle) StreamServerInterceptor(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error
func (t *Throttle) UnaryServerIntercptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)
type ThrottleOption func(t *Throttle)
func WithNewSemaphore(newSemaphore NewSemaphoreFunc) ThrottleOption