Merge pull request #175 from ftokarev/netty-grpc-server-tls-fix

NettyGrpcServer -- configure ALPN to enable TLS

Author: mbwhite

fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java

@@ -9,6 +9,8 @@
 
 import io.grpc.Server;
 import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
+import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig;
+import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames;
 import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -23,13 +25,14 @@
  */
 public final class NettyGrpcServer implements GrpcServer {
 
-    private static Log logger = LogFactory.getLog(NettyGrpcServer.class);
+    private static final Log LOGGER = LogFactory.getLog(NettyGrpcServer.class);
 
     private final Server server;
+
     /**
      * init netty grpc server.
      *
-     * @param chaincodeBase - chaincode implementation (invoke, init)
+     * @param chaincodeBase             - chaincode implementation (invoke, init)
      * @param chaincodeServerProperties - setting for grpc server
      * @throws IOException
      */
@@ -56,27 +59,37 @@ public NettyGrpcServer(final ChaincodeBase chaincodeBase, final ChaincodeServerP
             final File keyCertChainFile = Paths.get(chaincodeServerProperties.getKeyCertChainFile()).toFile();
             final File keyFile = Paths.get(chaincodeServerProperties.getKeyFile()).toFile();
 
+            SslContextBuilder sslContextBuilder;
             if (chaincodeServerProperties.getKeyPassword() == null || chaincodeServerProperties.getKeyPassword().isEmpty()) {
-                serverBuilder.sslContext(SslContextBuilder.forServer(keyCertChainFile, keyFile).build());
+                sslContextBuilder = SslContextBuilder.forServer(keyCertChainFile, keyFile);
             } else {
-                serverBuilder.sslContext(SslContextBuilder.forServer(keyCertChainFile, keyFile, chaincodeServerProperties.getKeyPassword()).build());
+                sslContextBuilder = SslContextBuilder.forServer(keyCertChainFile, keyFile, chaincodeServerProperties.getKeyPassword());
             }
+
+            ApplicationProtocolConfig apn = new ApplicationProtocolConfig(
+                    ApplicationProtocolConfig.Protocol.ALPN,
+                    ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
+                    ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
+                    ApplicationProtocolNames.HTTP_2);
+            sslContextBuilder.applicationProtocolConfig(apn);
+
+            serverBuilder.sslContext(sslContextBuilder.build());
         }
 
-        logger.info("<<<<<<<<<<<<<chaincodeServerProperties>>>>>>>>>>>>:\n");
-        logger.info("PortChaincodeServer:" + chaincodeServerProperties.getPortChaincodeServer());
-        logger.info("MaxInboundMetadataSize:" + chaincodeServerProperties.getMaxInboundMetadataSize());
-        logger.info("MaxInboundMessageSize:" + chaincodeServerProperties.getMaxInboundMessageSize());
-        logger.info("MaxConnectionAgeSeconds:" + chaincodeServerProperties.getMaxConnectionAgeSeconds());
-        logger.info("KeepAliveTimeoutSeconds:" + chaincodeServerProperties.getKeepAliveTimeoutSeconds());
-        logger.info("PermitKeepAliveTimeMinutes:" + chaincodeServerProperties.getPermitKeepAliveTimeMinutes());
-        logger.info("KeepAliveTimeMinutes:" + chaincodeServerProperties.getKeepAliveTimeMinutes());
-        logger.info("PermitKeepAliveWithoutCalls:" + chaincodeServerProperties.getPermitKeepAliveWithoutCalls());
-        logger.info("KeyPassword:" + chaincodeServerProperties.getKeyPassword());
-        logger.info("KeyCertChainFile:" + chaincodeServerProperties.getKeyCertChainFile());
-        logger.info("KeyFile:" + chaincodeServerProperties.getKeyFile());
-        logger.info("isTlsEnabled:" + chaincodeServerProperties.isTlsEnabled());
-        logger.info("\n");
+        LOGGER.info("<<<<<<<<<<<<<chaincodeServerProperties>>>>>>>>>>>>:\n");
+        LOGGER.info("PortChaincodeServer:" + chaincodeServerProperties.getPortChaincodeServer());
+        LOGGER.info("MaxInboundMetadataSize:" + chaincodeServerProperties.getMaxInboundMetadataSize());
+        LOGGER.info("MaxInboundMessageSize:" + chaincodeServerProperties.getMaxInboundMessageSize());
+        LOGGER.info("MaxConnectionAgeSeconds:" + chaincodeServerProperties.getMaxConnectionAgeSeconds());
+        LOGGER.info("KeepAliveTimeoutSeconds:" + chaincodeServerProperties.getKeepAliveTimeoutSeconds());
+        LOGGER.info("PermitKeepAliveTimeMinutes:" + chaincodeServerProperties.getPermitKeepAliveTimeMinutes());
+        LOGGER.info("KeepAliveTimeMinutes:" + chaincodeServerProperties.getKeepAliveTimeMinutes());
+        LOGGER.info("PermitKeepAliveWithoutCalls:" + chaincodeServerProperties.getPermitKeepAliveWithoutCalls());
+        LOGGER.info("KeyPassword:" + chaincodeServerProperties.getKeyPassword());
+        LOGGER.info("KeyCertChainFile:" + chaincodeServerProperties.getKeyCertChainFile());
+        LOGGER.info("KeyFile:" + chaincodeServerProperties.getKeyFile());
+        LOGGER.info("isTlsEnabled:" + chaincodeServerProperties.isTlsEnabled());
+        LOGGER.info("\n");
 
         this.server = serverBuilder.build();
     }
@@ -87,7 +100,7 @@ public NettyGrpcServer(final ChaincodeBase chaincodeBase, final ChaincodeServerP
      * @throws IOException
      */
     public void start() throws IOException {
-        logger.info("start grpc server");
+        LOGGER.info("start grpc server");
         Runtime.getRuntime()
                 .addShutdownHook(
                         new Thread(() -> {
@@ -105,15 +118,15 @@ public void start() throws IOException {
      * @throws InterruptedException
      */
     public void blockUntilShutdown() throws InterruptedException {
-        logger.info("Waits for the server to become terminated.");
+        LOGGER.info("Waits for the server to become terminated.");
         server.awaitTermination();
     }
 
     /**
      * shutdown now grpc server.
      */
     public void stop() {
-        logger.info("shutdown now grpc server.");
+        LOGGER.info("shutdown now grpc server.");
         server.shutdownNow();
     }
 }

fabric-chaincode-shim/src/test/java/org/hyperledger/fabric/shim/NettyGrpcServerTest.java

@@ -288,7 +288,12 @@ void startAndStopTlsPassword() {
         try {
             final ChaincodeBase chaincodeBase = new EmptyChaincode();
             chaincodeBase.processEnvironmentOptions();
-            ChaincodeServer chaincodeServer = new NettyChaincodeServer(chaincodeBase, new ChaincodeServerProperties());
+            final ChaincodeServerProperties chaincodeServerProperties = new ChaincodeServerProperties();
+            chaincodeServerProperties.setTlsEnabled(true);
+            chaincodeServerProperties.setKeyFile("src/test/resources/client.key.password-protected");
+            chaincodeServerProperties.setKeyCertChainFile("src/test/resources/client.crt");
+            chaincodeServerProperties.setKeyPassword("test");
+            ChaincodeServer chaincodeServer = new NettyChaincodeServer(chaincodeBase, chaincodeServerProperties);
             new Thread(() -> {
                 try {
                     chaincodeServer.start();
@@ -315,6 +320,9 @@ void startAndStopTlsWithoutPassword() {
             final ChaincodeBase chaincodeBase = new EmptyChaincode();
             chaincodeBase.processEnvironmentOptions();
             final ChaincodeServerProperties chaincodeServerProperties = new ChaincodeServerProperties();
+            chaincodeServerProperties.setTlsEnabled(true);
+            chaincodeServerProperties.setKeyFile("src/test/resources/client.key");
+            chaincodeServerProperties.setKeyCertChainFile("src/test/resources/client.crt");
             ChaincodeServer chaincodeServer = new NettyChaincodeServer(chaincodeBase, chaincodeServerProperties);
             new Thread(() -> {
                 try {

fabric-chaincode-shim/src/test/resources/client.key.password-protected

@@ -0,0 +1,6 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIGxMBwGCiqGSIb3DQEMAQMwDgQIfzm0IqTm+rACAggABIGQDY1vpaSD+KDuVRyT
+Gi35536iOYUuVoz01ktV3YCDv03Pm5+8xZ1JXXW8lDM3JP/TcKbocRRk63y/R7O2
+dB9kcyV7/gYtYH0B3TMk1/x1WtfHL8JnYRFHQ/OuhYjJ6O04B4aY2waeYByzsIsI
+YhNVZq5fZ7/bjsy8b54o57WD4DDHH3uRysbv8I5TaDVyJMJq
+-----END ENCRYPTED PRIVATE KEY-----