func maybeAutoPublish(cmd *cobra.Command, doPublish bool, gun string, config *viper.Viper, passRetriever notary.PassRetriever) error {
if !doPublish {
return nil
}
// We need to set up a http RoundTripper when publishing
rt, err := getTransport(config, gun, readWrite)
if err != nil {
return err
}
trustPin, err := getTrustPinning(config)
if err != nil {
return err
}
nRepo, err := notaryclient.NewFileCachedNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), rt, passRetriever, trustPin)
if err != nil {
return err
}
cmd.Println("Auto-publishing changes to", gun)
return publishAndPrintToCLI(cmd, nRepo, gun)
}
func newObcBatch(id uint64, config *viper.Viper, stack consensus.Stack) *obcBatch {
var err error
op := &obcBatch{stack: stack}
op.startup = make(chan []byte)
op.executor = NewOBCExecutor(config, op, stack)
logger.Debug("Replica %d obtaining startup information", id)
startupInfo := <-op.startup
close(op.startup)
op.pbft = newPbftCore(id, config, op, startupInfo)
queueSize := config.GetInt("executor.queuesize")
if queueSize <= int(op.pbft.L) {
logger.Error("Replica %d has executor queue size %d less than PBFT log size %d, this indicates a misconfiguration", id, queueSize, op.pbft.L)
}
op.batchSize = config.GetInt("general.batchSize")
op.batchStore = nil
op.batchTimeout, err = time.ParseDuration(config.GetString("general.timeout.batch"))
if err != nil {
panic(fmt.Errorf("Cannot parse batch timeout: %s", err))
}
// create non-running timer
op.batchTimer = time.NewTimer(100 * time.Hour) // XXX ugly
op.batchTimer.Stop()
go op.batchTimerHander()
return op
}
func (k *keyCommander) getKeyStores(
config *viper.Viper, withHardware, hardwareBackup bool) ([]trustmanager.KeyStore, error) {
retriever := k.getRetriever()
directory := config.GetString("trust_dir")
fileKeyStore, err := trustmanager.NewKeyFileStore(directory, retriever)
if err != nil {
return nil, fmt.Errorf(
"Failed to create private key store in directory: %s", directory)
}
ks := []trustmanager.KeyStore{fileKeyStore}
if withHardware {
var yubiStore trustmanager.KeyStore
if hardwareBackup {
yubiStore, err = getYubiStore(fileKeyStore, retriever)
} else {
yubiStore, err = getYubiStore(nil, retriever)
}
if err == nil && yubiStore != nil {
// Note that the order is important, since we want to prioritize
// the yubikey store
ks = []trustmanager.KeyStore{yubiStore, fileKeyStore}
}
}
return ks, nil
}
func newObcBatch(id uint64, config *viper.Viper, stack consensus.Stack) *obcBatch {
var err error
op := &obcBatch{
obcGeneric: obcGeneric{stack},
stack: stack,
}
op.persistForward.persistor = stack
logger.Debug("Replica %d obtaining startup information", id)
op.pbft = newPbftCore(id, config, op)
op.batchSize = config.GetInt("general.batchSize")
op.batchStore = nil
op.batchTimeout, err = time.ParseDuration(config.GetString("general.timeout.batch"))
if err != nil {
panic(fmt.Errorf("Cannot parse batch timeout: %s", err))
}
op.incomingChan = make(chan *batchMessage)
// create non-running timer
op.batchTimer = time.NewTimer(100 * time.Hour) // XXX ugly
op.batchTimer.Stop()
op.idleChan = make(chan struct{})
go op.main()
return op
}
// ParseStorage tries to parse out Storage from a Viper. If backend and
// URL are not provided, returns a nil pointer. Storage is required (if
// a backend is not provided, an error will be returned.)
func ParseStorage(configuration *viper.Viper, allowedBackends []string) (*Storage, error) {
store := Storage{
Backend: configuration.GetString("storage.backend"),
Source: configuration.GetString("storage.db_url"),
}
supported := false
store.Backend = strings.ToLower(store.Backend)
for _, backend := range allowedBackends {
if backend == store.Backend {
supported = true
break
}
}
if !supported {
return nil, fmt.Errorf(
"must specify one of these supported backends: %s",
strings.Join(allowedBackends, ", "))
}
if store.Backend == MemoryBackend {
return &Storage{Backend: MemoryBackend}, nil
}
if store.Source == "" {
return nil, fmt.Errorf(
"must provide a non-empty database source for %s", store.Backend)
}
return &store, nil
}
func newObcBatch(id uint64, config *viper.Viper, stack consensus.Stack) *obcBatch {
var err error
op := &obcBatch{
obcGeneric: obcGeneric{stack: stack},
}
op.persistForward.persistor = stack
logger.Debugf("Replica %d obtaining startup information", id)
op.manager = events.NewManagerImpl() // TODO, this is hacky, eventually rip it out
op.manager.SetReceiver(op)
etf := events.NewTimerFactoryImpl(op.manager)
op.pbft = newPbftCore(id, config, op, etf)
op.manager.Start()
blockchainInfoBlob := stack.GetBlockchainInfoBlob()
op.externalEventReceiver.manager = op.manager
op.broadcaster = newBroadcaster(id, op.pbft.N, op.pbft.f, op.pbft.broadcastTimeout, stack)
op.manager.Queue() <- workEvent(func() {
op.pbft.stateTransfer(&stateUpdateTarget{
checkpointMessage: checkpointMessage{
seqNo: op.pbft.lastExec,
id: blockchainInfoBlob,
},
})
})
op.batchSize = config.GetInt("general.batchsize")
op.batchStore = nil
op.batchTimeout, err = time.ParseDuration(config.GetString("general.timeout.batch"))
if err != nil {
panic(fmt.Errorf("Cannot parse batch timeout: %s", err))
}
logger.Infof("PBFT Batch size = %d", op.batchSize)
logger.Infof("PBFT Batch timeout = %v", op.batchTimeout)
if op.batchTimeout >= op.pbft.requestTimeout {
op.pbft.requestTimeout = 3 * op.batchTimeout / 2
logger.Warningf("Configured request timeout must be greater than batch timeout, setting to %v", op.pbft.requestTimeout)
}
if op.pbft.requestTimeout >= op.pbft.nullRequestTimeout && op.pbft.nullRequestTimeout != 0 {
op.pbft.nullRequestTimeout = 3 * op.pbft.requestTimeout / 2
logger.Warningf("Configured null request timeout must be greater than request timeout, setting to %v", op.pbft.nullRequestTimeout)
}
op.incomingChan = make(chan *batchMessage)
op.batchTimer = etf.CreateTimer()
op.reqStore = newRequestStore()
op.deduplicator = newDeduplicator()
op.idleChan = make(chan struct{})
close(op.idleChan) // TODO remove eventually
return op
}
// Parse the cache configurations for GET-ting current and checksummed metadata,
// returning the configuration for current (non-content-addressed) metadata
// first, then the configuration for consistent (content-addressed) metadata
// second. The configuration consists mainly of the max-age (an integer in seconds,
// just like in the Cache-Control header) for each type of metadata.
// The max-age must be between 0 and 31536000 (one year in seconds, which is
// the recommended maximum time data is cached), else parsing will return an error.
// A max-age of 0 will disable caching for that type of download (consistent or current).
func getCacheConfig(configuration *viper.Viper) (current, consistent utils.CacheControlConfig, err error) {
cccs := make(map[string]utils.CacheControlConfig)
currentOpt, consistentOpt := "current_metadata", "consistent_metadata"
defaults := map[string]int{
currentOpt: int(notary.CurrentMetadataCacheMaxAge.Seconds()),
consistentOpt: int(notary.ConsistentMetadataCacheMaxAge.Seconds()),
}
maxMaxAge := int(notary.CacheMaxAgeLimit.Seconds())
for optionName, seconds := range defaults {
m := configuration.GetString(fmt.Sprintf("caching.max_age.%s", optionName))
if m != "" {
seconds, err = strconv.Atoi(m)
if err != nil || seconds < 0 || seconds > maxMaxAge {
return nil, nil, fmt.Errorf(
"must specify a cache-control max-age between 0 and %v", maxMaxAge)
}
}
cccs[optionName] = utils.NewCacheControlConfig(seconds, optionName == currentOpt)
}
current = cccs[currentOpt]
consistent = cccs[consistentOpt]
return
}
// GetPathRelativeToConfig gets a configuration key which is a path, and if
// it is not empty or an absolute path, returns the absolute path relative
// to the configuration file
func GetPathRelativeToConfig(configuration *viper.Viper, key string) string {
configFile := configuration.ConfigFileUsed()
p := configuration.GetString(key)
if p == "" || filepath.IsAbs(p) {
return p
}
return filepath.Clean(filepath.Join(filepath.Dir(configFile), p))
}
// Open and return a listening unix socket.
func NewUnixListener(v *viper.Viper) (*net.UnixListener, error) {
l, err := net.ListenUnix("unix", &net.UnixAddr{Net: "unix", Name: v.GetString("socket")})
if err != nil {
return nil, err
}
return l, nil
}
func loadOAuth2Config(v *viper.Viper) {
Config.OAuth2Enabled = v.GetBool("stormpath.web.oauth2.enabled")
Config.OAuth2URI = v.GetString("stormpath.web.oauth2.uri")
Config.OAuth2ClientCredentialsGrantTypeEnabled = v.GetBool("stormpath.web.oauth2.client_credentials.enabled")
Config.OAuth2ClientCredentialsGrantTypeAccessTokenTTL = time.Duration(v.GetInt("stormpath.web.oauth2.client_credentials.accessToken.ttl")) * time.Second
Config.OAuth2PasswordGrantTypeEnabled = v.GetBool("stormpath.web.oauth2.password.enabled")
Config.OAuth2PasswordGrantTypeValidationStrategy = v.GetString("stormpath.web.oauth2.password.validationStrategy")
}
// ParseLogLevel tries to parse out a log level from a Viper. If there is no
// configuration, defaults to the provided error level
func ParseLogLevel(configuration *viper.Viper, defaultLevel logrus.Level) (
logrus.Level, error) {
logStr := configuration.GetString("logging.level")
if logStr == "" {
return defaultLevel, nil
}
return logrus.ParseLevel(logStr)
}
func newPbftCore(id uint64, config *viper.Viper, consumer innerCPI) *pbftCore {
instance := &pbftCore{}
instance.id = id
instance.consumer = consumer
// in dev/debugging mode you are expected to override the config values
// with the environment variable OPENCHAIN_OBCPBFT_X_Y
// read from the config file
// you can override the config values with the environment variable prefix
// OPENCHAIN_OBCPBFT, e.g. OPENCHAIN_OBCPBFT_BYZANTINE
var err error
instance.byzantine = config.GetBool("replica.byzantine")
instance.f = config.GetInt("general.f")
instance.K = uint64(config.GetInt("general.K"))
instance.requestTimeout, err = time.ParseDuration(config.GetString("general.timeout.request"))
if err != nil {
panic(fmt.Errorf("Cannot parse request timeout: %s", err))
}
instance.newViewTimeout, err = time.ParseDuration(config.GetString("general.timeout.viewchange"))
if err != nil {
panic(fmt.Errorf("Cannot parse new view timeout: %s", err))
}
instance.activeView = true
instance.L = 2 * instance.K // log size
instance.replicaCount = 3*instance.f + 1
// init the logs
instance.certStore = make(map[msgID]*msgCert)
instance.reqStore = make(map[string]*Request)
instance.checkpointStore = make(map[Checkpoint]bool)
instance.chkpts = make(map[uint64]string)
instance.viewChangeStore = make(map[vcidx]*ViewChange)
instance.pset = make(map[uint64]*ViewChange_PQ)
instance.qset = make(map[qidx]*ViewChange_PQ)
instance.newViewStore = make(map[uint64]*NewView)
// load genesis checkpoint
stateHash, err := instance.consumer.getStateHash(0)
if err != nil {
panic(fmt.Errorf("Cannot load genesis block: %s", err))
}
instance.chkpts[0] = base64.StdEncoding.EncodeToString(stateHash)
// create non-running timer XXX ugly
instance.newViewTimer = time.NewTimer(100 * time.Hour)
instance.newViewTimer.Stop()
instance.lastNewViewTimeout = instance.newViewTimeout
instance.outstandingReqs = make(map[string]*Request)
go instance.timerHander()
return instance
}
func getRemoteTrustServer(config *viper.Viper) string {
if remoteTrustServer == "" {
configRemote := config.GetString("remote_server.url")
if configRemote != "" {
remoteTrustServer = configRemote
} else {
remoteTrustServer = defaultServerURL
}
}
return remoteTrustServer
}
// get the address for the HTTP server, and parses the optional TLS
// configuration for the server - if no TLS configuration is specified,
// TLS is not enabled.
func getAddrAndTLSConfig(configuration *viper.Viper) (string, *tls.Config, error) {
httpAddr := configuration.GetString("server.http_addr")
if httpAddr == "" {
return "", nil, fmt.Errorf("http listen address required for server")
}
tlsConfig, err := utils.ParseServerTLS(configuration, false)
if err != nil {
return "", nil, fmt.Errorf(err.Error())
}
return httpAddr, tlsConfig, nil
}
func getDefaultAlias(configuration *viper.Viper) (string, error) {
defaultAlias := configuration.GetString("storage.default_alias")
if defaultAlias == "" {
// backwards compatibility - support this environment variable
defaultAlias = configuration.GetString(defaultAliasEnv)
}
if defaultAlias == "" {
return "", fmt.Errorf("must provide a default alias for the key DB")
}
logrus.Debug("Default Alias: ", defaultAlias)
return defaultAlias, nil
}
func getAddrAndTLSConfig(configuration *viper.Viper) (string, *tls.Config, error) {
tlsConfig, err := utils.ParseServerTLS(configuration, true)
if err != nil {
return "", nil, fmt.Errorf("unable to set up TLS: %s", err.Error())
}
grpcAddr := configuration.GetString("server.grpc_addr")
if grpcAddr == "" {
return "", nil, fmt.Errorf("grpc listen address required for server")
}
return grpcAddr, tlsConfig, nil
}
func configureLogging(v *viper.Viper) {
level, err := log.ParseLevel(v.GetString("log_level"))
if err != nil {
log.Fatalln(err)
}
log.SetLevel(level)
if v.GetString("log_format") == "text" {
log.SetFormatter(&log.TextFormatter{DisableColors: true, FullTimestamp: true})
} else if v.GetString("log_format") == "json" {
log.SetFormatter(&log.JSONFormatter{})
} else {
log.Errorln("Error: log_type invalid, defaulting to text")
log.SetFormatter(&log.TextFormatter{})
}
switch v.GetString("log_target") {
case "stdout":
log.SetOutput(os.Stdout)
case "stderr":
log.SetOutput(os.Stderr)
default:
log.Errorln("Error: log_target invalid, defaulting to Stdout")
log.SetOutput(os.Stdout)
}
}
func newObcBatch(id uint64, config *viper.Viper, cpi consensus.CPI) *obcBatch {
var err error
op := &obcBatch{cpi: cpi}
op.pbft = newPbftCore(id, config, op, cpi)
op.batchSize = config.GetInt("general.batchSize")
op.batchStore = make(map[string]*Request)
op.batchTimeout, err = time.ParseDuration(config.GetString("general.timeout.batch"))
if err != nil {
panic(fmt.Errorf("Cannot parse batch timeout: %s", err))
}
// create non-running timer XXX ugly
op.batchTimer = time.NewTimer(100 * time.Hour)
op.batchTimer.Stop()
go op.batchTimerHander()
return op
}
func newObcBatch(id uint64, config *viper.Viper, stack consensus.Stack) *obcBatch {
var err error
op := &obcBatch{stack: stack}
op.pbft = newPbftCore(id, config, op, stack)
op.batchSize = config.GetInt("general.batchSize")
op.batchStore = nil
op.batchTimeout, err = time.ParseDuration(config.GetString("general.timeout.batch"))
if err != nil {
panic(fmt.Errorf("Cannot parse batch timeout: %s", err))
}
// create non-running timer
op.batchTimer = time.NewTimer(100 * time.Hour) // XXX ugly
op.batchTimer.Stop()
go op.batchTimerHander()
return op
}
// parses the configuration and returns a backing store for the TUF files
func getStore(configuration *viper.Viper, hRegister healthRegister) (
storage.MetaStore, error) {
var store storage.MetaStore
backend := configuration.GetString("storage.backend")
logrus.Infof("Using %s backend", backend)
switch backend {
case notary.MemoryBackend:
return storage.NewMemStorage(), nil
case notary.MySQLBackend, notary.SQLiteBackend:
storeConfig, err := utils.ParseSQLStorage(configuration)
if err != nil {
return nil, err
}
s, err := storage.NewSQLStorage(storeConfig.Backend, storeConfig.Source)
if err != nil {
return nil, fmt.Errorf("Error starting %s driver: %s", backend, err.Error())
}
store = *storage.NewTUFMetaStorage(s)
hRegister("DB operational", time.Minute, s.CheckHealth)
case notary.RethinkDBBackend:
var sess *gorethink.Session
storeConfig, err := utils.ParseRethinkDBStorage(configuration)
if err != nil {
return nil, err
}
tlsOpts := tlsconfig.Options{
CAFile: storeConfig.CA,
CertFile: storeConfig.Cert,
KeyFile: storeConfig.Key,
}
if doBootstrap {
sess, err = rethinkdb.AdminConnection(tlsOpts, storeConfig.Source)
} else {
sess, err = rethinkdb.UserConnection(tlsOpts, storeConfig.Source, storeConfig.Username, storeConfig.Password)
}
if err != nil {
return nil, fmt.Errorf("Error starting %s driver: %s", backend, err.Error())
}
s := storage.NewRethinkDBStorage(storeConfig.DBName, storeConfig.Username, storeConfig.Password, sess)
store = *storage.NewTUFMetaStorage(s)
hRegister("DB operational", time.Minute, s.CheckHealth)
default:
return nil, fmt.Errorf("%s is not a supported storage backend", backend)
}
return store, nil
}
func zonesocks5(v *viper.Viper) {
var wg sync.WaitGroup
// Create a SOCKS5 server
username := v.GetString("username")
password := v.GetString("password")
creds := socks5.StaticCredentials{}
creds[username] = password
cator := socks5.UserPassAuthenticator{Credentials: creds}
conf := &socks5.Config{
AuthMethods: []socks5.Authenticator{cator},
Credentials: creds,
}
server, err := socks5.New(conf)
if err != nil {
glog.Infoln("new socks5 config error ", err)
}
address := v.GetString("address")
glog.Infoln("listen to address ", address)
wg.Add(1)
go func() {
if err := server.ListenAndServe("tcp", address); err != nil {
glog.Errorln(err)
}
wg.Done()
}()
// signal hup
c := make(chan os.Signal, 1)
signal.Notify(c, syscall.SIGHUP)
wg.Add(1)
go func() {
for sig := range c {
switch sig {
case syscall.SIGHUP:
glog.Infoln("got hup signal")
default:
glog.Infoln("not ready to process ", sig.String())
}
}
wg.Done()
}()
wg.Wait()
}
// SetEnvironmentSpecificConfig sets the configuration to match the given env.
func SetEnvironmentSpecificConfig(v *viper.Viper, env string) {
if v == nil {
v = viper.New()
v.SetDefault("env", env)
}
// Read common config
v.AddConfigPath(".")
v.AddConfigPath("../")
v.SetConfigName("config-common")
if err := v.ReadInConfig(); err != nil {
panic(fmt.Errorf("Fatal error reading common config file: %s \n", err))
}
// Merge in environment specific config
configName := "config-" + env + ".yml"
configPaths := []string{configName, "../" + configName}
configFilePath := ""
for _, path := range configPaths {
if b, _ := exists(path); b {
configFilePath = path
continue
}
}
if configFilePath == "" {
panic(fmt.Errorf("Could not find config file: %s \n", configName))
}
configBytes, err := ioutil.ReadFile(configFilePath)
if err != nil {
panic(fmt.Errorf("Could not read config file: %s \n", err))
}
err = v.MergeConfig(bytes.NewBuffer(configBytes)) // Find and read the config file
if err != nil { // Handle errors reading the config file
panic(fmt.Errorf("Fatal error config file: %s \n", err))
}
// Read config from consul
v.AddRemoteProvider("consul", v.GetString("ConsulEndpoint"), v.GetString("ConsulSupportOptimizationWorkflowConfig"))
v.SetConfigType("yaml")
// err = v.ReadRemoteConfig() // Find and read the config file
// if err != nil { // Handle errors reading the config file
// panic(fmt.Errorf("Fatal error reading remote config file: %s \n", err))
// }
Viper = &config{v}
}
// optionally sets up TLS for the server - if no TLS configuration is
// specified, TLS is not enabled.
func serverTLS(configuration *viper.Viper) (*tls.Config, error) {
tlsCertFile := configuration.GetString("server.tls_cert_file")
tlsKeyFile := configuration.GetString("server.tls_key_file")
if tlsCertFile == "" && tlsKeyFile == "" {
return nil, nil
} else if tlsCertFile == "" || tlsKeyFile == "" {
return nil, fmt.Errorf("Partial TLS configuration found. Either include both a cert and key file in the configuration, or include neither to disable TLS.")
}
tlsConfig, err := utils.ConfigureServerTLS(&utils.ServerTLSOpts{
ServerCertFile: tlsCertFile,
ServerKeyFile: tlsKeyFile,
})
if err != nil {
return nil, fmt.Errorf("Unable to set up TLS: %s", err.Error())
}
return tlsConfig, nil
}
// Reads the configuration file for storage setup, and sets up the cryptoservice
// mapping
func setUpCryptoservices(configuration *viper.Viper, allowedBackends []string) (
signer.CryptoServiceIndex, error) {
storeConfig, err := utils.ParseStorage(configuration, allowedBackends)
if err != nil {
return nil, err
}
var keyStore trustmanager.KeyStore
if storeConfig.Backend == utils.MemoryBackend {
keyStore = trustmanager.NewKeyMemoryStore(
passphrase.ConstantRetriever("memory-db-ignore"))
} else {
defaultAlias := configuration.GetString("storage.default_alias")
if defaultAlias == "" {
// backwards compatibility - support this environment variable
defaultAlias = configuration.GetString(defaultAliasEnv)
}
if defaultAlias == "" {
return nil, fmt.Errorf("must provide a default alias for the key DB")
}
logrus.Debug("Default Alias: ", defaultAlias)
dbStore, err := keydbstore.NewKeyDBStore(
passphraseRetriever, defaultAlias, storeConfig.Backend, storeConfig.Source)
if err != nil {
return nil, fmt.Errorf("failed to create a new keydbstore: %v", err)
}
logrus.Debugf("Using %s DB: %s", storeConfig.Backend, storeConfig.Source)
health.RegisterPeriodicFunc(
"DB operational", dbStore.HealthCheck, time.Second*60)
keyStore = dbStore
}
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoServices := make(signer.CryptoServiceIndex)
cryptoServices[data.ED25519Key] = cryptoService
cryptoServices[data.ECDSAKey] = cryptoService
return cryptoServices, nil
}
// ParseSQLStorage tries to parse out Storage from a Viper. If backend and
// URL are not provided, returns a nil pointer. Storage is required (if
// a backend is not provided, an error will be returned.)
func ParseSQLStorage(configuration *viper.Viper) (*Storage, error) {
store := Storage{
Backend: configuration.GetString("storage.backend"),
Source: configuration.GetString("storage.db_url"),
}
switch {
case store.Backend != notary.MySQLBackend && store.Backend != notary.SQLiteBackend:
return nil, fmt.Errorf(
"%s is not a supported SQL backend driver",
store.Backend,
)
case store.Source == "":
return nil, fmt.Errorf(
"must provide a non-empty database source for %s",
store.Backend,
)
}
return &store, nil
}
// parses the configuration and determines which trust service and key algorithm
// to return
func getTrustService(configuration *viper.Viper, sFactory signerFactory,
hRegister healthRegister) (signed.CryptoService, string, error) {
switch configuration.GetString("trust_service.type") {
case "local":
logrus.Info("Using local signing service, which requires ED25519. " +
"Ignoring all other trust_service parameters, including keyAlgorithm")
return signed.NewEd25519(), data.ED25519Key, nil
case "remote":
default:
return nil, "", fmt.Errorf(
"must specify either a \"local\" or \"remote\" type for trust_service")
}
keyAlgo := configuration.GetString("trust_service.key_algorithm")
if keyAlgo != data.ED25519Key && keyAlgo != data.ECDSAKey && keyAlgo != data.RSAKey {
return nil, "", fmt.Errorf("invalid key algorithm configured: %s", keyAlgo)
}
clientTLS, err := grpcTLS(configuration)
if err != nil {
return nil, "", err
}
logrus.Info("Using remote signing service")
notarySigner, err := sFactory(
configuration.GetString("trust_service.hostname"),
configuration.GetString("trust_service.port"),
clientTLS,
)
if err != nil {
return nil, "", err
}
duration := 10 * time.Second
hRegister(
"Trust operational",
duration,
func() error {
err := notarySigner.CheckHealth(duration, notary.HealthCheckOverall)
if err != nil {
logrus.Error("Trust not fully operational: ", err.Error())
}
return err
},
)
return notarySigner, keyAlgo, nil
}
func newObcBatch(id uint64, config *viper.Viper, stack consensus.Stack) *obcBatch {
var err error
op := &obcBatch{
obcGeneric: obcGeneric{stack: stack},
}
op.persistForward.persistor = stack
logger.Debugf("Replica %d obtaining startup information", id)
op.manager = events.NewManagerImpl() // TODO, this is hacky, eventually rip it out
op.manager.SetReceiver(op)
etf := events.NewTimerFactoryImpl(op.manager)
op.pbft = newPbftCore(id, config, op, etf)
op.manager.Start()
op.externalEventReceiver.manager = op.manager
op.broadcaster = newBroadcaster(id, op.pbft.N, op.pbft.f, stack)
op.batchSize = config.GetInt("general.batchsize")
op.batchStore = nil
op.batchTimeout, err = time.ParseDuration(config.GetString("general.timeout.batch"))
if err != nil {
panic(fmt.Errorf("Cannot parse batch timeout: %s", err))
}
logger.Infof("PBFT Batch size = %d", op.batchSize)
logger.Infof("PBFT Batch timeout = %v", op.batchTimeout)
op.incomingChan = make(chan *batchMessage)
op.batchTimer = etf.CreateTimer()
op.outstandingReqs = make(map[*Request]struct{})
op.idleChan = make(chan struct{})
close(op.idleChan) // TODO remove eventually
return op
}
// get the address for the HTTP server, and parses the optional TLS
// configuration for the server - if no TLS configuration is specified,
// TLS is not enabled.
func getAddrAndTLSConfig(configuration *viper.Viper) (string, *tls.Config, error) {
httpAddr := configuration.GetString("server.http_addr")
if httpAddr == "" {
return "", nil, fmt.Errorf("http listen address required for server")
}
tlsOpts, err := utils.ParseServerTLS(configuration, false)
if err != nil {
return "", nil, fmt.Errorf(err.Error())
}
// do not support this yet since the client doesn't have client cert support
if tlsOpts != nil {
tlsOpts.ClientCAFile = ""
tlsConfig, err := utils.ConfigureServerTLS(tlsOpts)
if err != nil {
return "", nil, fmt.Errorf(
"unable to set up TLS for server: %s", err.Error())
}
return httpAddr, tlsConfig, nil
}
return httpAddr, nil, nil
}
// sets up TLS for the GRPC connection to notary-signer
func grpcTLS(configuration *viper.Viper) (*tls.Config, error) {
rootCA := utils.GetPathRelativeToConfig(configuration, "trust_service.tls_ca_file")
serverName := configuration.GetString("trust_service.hostname")
clientCert := utils.GetPathRelativeToConfig(configuration, "trust_service.tls_client_cert")
clientKey := utils.GetPathRelativeToConfig(configuration, "trust_service.tls_client_key")
if (clientCert == "" && clientKey != "") || (clientCert != "" && clientKey == "") {
return nil, fmt.Errorf("Partial TLS configuration found. Either include both a client cert and client key file in the configuration, or include neither.")
}
tlsConfig, err := utils.ConfigureClientTLS(&utils.ClientTLSOpts{
RootCAFile: rootCA,
ServerName: serverName,
ClientCertFile: clientCert,
ClientKeyFile: clientKey,
})
if err != nil {
return nil, fmt.Errorf(
"Unable to configure TLS to the trust service: %s", err.Error())
}
return tlsConfig, nil
}
// ParseRethinkDBStorage tries to parse out Storage from a Viper. If backend and
// URL are not provided, returns a nil pointer. Storage is required (if
// a backend is not provided, an error will be returned.)
func ParseRethinkDBStorage(configuration *viper.Viper) (*RethinkDBStorage, error) {
store := RethinkDBStorage{
Storage: Storage{
Backend: configuration.GetString("storage.backend"),
Source: configuration.GetString("storage.db_url"),
},
CA: GetPathRelativeToConfig(configuration, "storage.tls_ca_file"),
Cert: GetPathRelativeToConfig(configuration, "storage.client_cert_file"),
Key: GetPathRelativeToConfig(configuration, "storage.client_key_file"),
DBName: configuration.GetString("storage.database"),
Username: configuration.GetString("storage.username"),
Password: configuration.GetString("storage.password"),
}
switch {
case store.Backend != notary.RethinkDBBackend:
return nil, fmt.Errorf(
"%s is not a supported RethinkDB backend driver",
store.Backend,
)
case store.Source == "":
return nil, fmt.Errorf(
"must provide a non-empty host:port for %s",
store.Backend,
)
case store.CA == "":
return nil, fmt.Errorf(
"cowardly refusal to connect to %s without a CA cert",
store.Backend,
)
case store.Cert == "" || store.Key == "":
return nil, fmt.Errorf(
"cowardly refusal to connect to %s without a client cert and key",
store.Backend,
)
case store.DBName == "":
return nil, fmt.Errorf(
"%s requires a specific database to connect to",
store.Backend,
)
case store.Username == "":
return nil, fmt.Errorf(
"%s requires a username to connect to the db",
store.Backend,
)
}
return &store, nil
}