func main() {
configPathPtr := flag.String("config", "config.json", "path to config file")
flag.Parse()
configReader, err := os.Open(*configPathPtr)
if err != nil {
log.Fatalf("Failed to open configuration file: %s", err)
}
cfg := &proto.VerifierConfig{}
err = jsonpb.Unmarshal(configReader, cfg)
if err != nil {
log.Fatalf("Failed to parse configuration file: %s", err)
}
leveldb, err := leveldb.OpenFile(cfg.LevelDBPath, nil)
if err != nil {
log.Fatalf("Couldn't open DB in directory %s: %s", cfg.LevelDBPath, err)
}
db := leveldbkv.Wrap(leveldb)
server, err := verifier.Start(cfg, db, getKey)
if err != nil {
panic(err)
}
defer server.Stop()
ch := make(chan os.Signal, 1)
signal.Notify(ch, os.Interrupt)
<-ch
}
func withDB(f func(kv.DB)) {
dir, err := ioutil.TempDir("", "merkletree")
if err != nil {
panic(err)
}
defer os.RemoveAll(dir)
db, err := leveldb.OpenFile(dir, nil)
if err != nil {
panic(err)
}
defer db.Close()
f(leveldbkv.Wrap(db))
}
func setupDB(t *testing.T) (db kv.DB, teardown func()) {
dir, err := ioutil.TempDir("", "keyserver")
if err != nil {
t.Fatal(err)
}
teardown = func() { os.RemoveAll(dir) }
ldb, err := leveldb.OpenFile(dir, nil)
if err != nil {
teardown()
t.Fatal(err)
}
teardown = chain(func() { ldb.Close() }, teardown)
return leveldbkv.Wrap(ldb), teardown
}
// setupVerifier initializes a verifier, but does not start it and does not
// wait for it to sign anything.
func setupVerifier(t *testing.T, keyserverVerif *proto.AuthorizationPolicy, keyserverAddr string, caCert *x509.Certificate, caPool *x509.CertPool, caKey *ecdsa.PrivateKey) (cfg *proto.VerifierConfig, getKey func(string) (crypto.PrivateKey, error), db kv.DB, sv *proto.PublicKey, teardown func()) {
dir, err := ioutil.TempDir("", "verifier")
if err != nil {
t.Fatal(err)
}
teardown = chain(func() { os.RemoveAll(dir) })
ldb, err := leveldb.OpenFile(dir, nil)
if err != nil {
teardown()
t.Fatal(err)
}
teardown = chain(func() { ldb.Close() }, teardown)
pk, sk, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
teardown()
t.Fatal(err)
}
sv = &proto.PublicKey{PubkeyType: &proto.PublicKey_Ed25519{Ed25519: pk[:]}}
cert := tlstestutil.Cert(t, caCert, caKey, fmt.Sprintf("verifier %x", proto.KeyID(sv)), nil)
getKey = func(keyid string) (crypto.PrivateKey, error) {
switch keyid {
case "signing":
return sk, nil
case "tls":
return cert.PrivateKey, nil
default:
panic("unknown key requested in tests [" + keyid + "]")
}
}
cfg = &proto.VerifierConfig{
Realm: testingRealm,
KeyserverAddr: keyserverAddr,
InitialKeyserverAuth: *keyserverVerif,
SigningKeyID: "signing",
ID: proto.KeyID(sv),
TLS: &proto.TLSConfig{RootCAs: [][]byte{caCert.Raw}, Certificates: []*proto.CertificateAndKeyID{{cert.Certificate, "tls", nil}}},
}
db = leveldbkv.Wrap(ldb)
return
}
func RunWithConfig(cfg *proto.ReplicaConfig) {
// TODO: since we only want to support precisely this ratification policy,
// this should be moved into server.go
ratificationPolicy := &proto.AuthorizationPolicy{
PublicKeys: make(map[uint64]*proto.PublicKey),
PolicyType: &proto.AuthorizationPolicy_Quorum{Quorum: &proto.QuorumExpr{
Threshold: uint32(majority(len(cfg.KeyserverConfig.InitialReplicas)))},
},
}
replicaIDs := []uint64{}
for _, replica := range cfg.KeyserverConfig.InitialReplicas {
replicaIDs = append(replicaIDs, replica.ID)
replicaExpr := &proto.QuorumExpr{
Threshold: 1,
}
for _, pk := range replica.PublicKeys {
pkid := proto.KeyID(pk)
ratificationPolicy.PublicKeys[pkid] = pk
replicaExpr.Candidates = append(replicaExpr.Candidates, pkid)
}
ratificationPolicy.PolicyType.(*proto.AuthorizationPolicy_Quorum).Quorum.Subexpressions = append(ratificationPolicy.PolicyType.(*proto.AuthorizationPolicy_Quorum).Quorum.Subexpressions, replicaExpr)
}
leveldb, err := leveldb.OpenFile(cfg.LevelDBPath, nil)
if err != nil {
log.Fatalf("Couldn't open DB in directory %s: %s", cfg.LevelDBPath, err)
}
db := leveldbkv.Wrap(leveldb)
clk := clock.New()
raftListener, err := net.Listen("tcp", cfg.RaftAddr)
if err != nil {
log.Fatalf("Couldn't bind to Raft node address %s: %s", cfg.RaftAddr, err)
}
defer raftListener.Close()
raftTLS, err := cfg.RaftTLS.Config(getKey)
if err != nil {
log.Fatalf("Bad Raft TLS configuration: %s", err)
}
raftCreds := credentials.NewTLS(raftTLS)
raftServer := grpc.NewServer(grpc.Creds(raftCreds))
go raftServer.Serve(raftListener)
defer raftServer.Stop()
dialRaftPeer := func(id uint64) raftproto.RaftClient {
// TODO use current, not initial, config
for _, replica := range cfg.KeyserverConfig.InitialReplicas {
if replica.ID == id {
conn, err := grpc.Dial(replica.RaftAddr, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{RootCAs: raftTLS.RootCAs})))
if err != nil {
log.Panicf("Raft GRPC dial failed: %s", err)
}
return raftproto.NewRaftClient(conn)
}
}
log.Panicf("No raft peer %x in configuration", id)
return nil
}
raft := raftlog.New(
cfg.ReplicaID, replicaIDs, db, []byte{tableReplicationLogPrefix},
clk, cfg.RaftHeartbeat.Duration(), raftServer, dialRaftPeer,
)
defer raft.Stop()
server, err := Open(cfg, db, raft, ratificationPolicy, clk, getKey, net.LookupTXT)
if err != nil {
log.Fatalf("Failed to initialize keyserver: %s", err)
}
server.Start()
defer server.Stop()
ch := make(chan os.Signal, 1)
signal.Notify(ch, os.Interrupt)
<-ch
}