[FAB-2738] orderer.yaml TLS parameters ignored

https://jira.hyperledger.org/browse/FAB-2738

The orderer.yaml currently includes variables to specify the TLS
configuration, bu they are not currently passed into the TLS server for
usage.  This CR translates them from the orderer TLS config format to
the one required by the TLS server, and passes them in on instantiation.

Also resolved in this changeset is a limitation where _FILE environment
variable is not picked up unless it is overriding an existing value
in a yaml configuration file.

Change-Id: Ic4c099dd4b2338f0e20d0d5619f4e9376a8a9f0b
Signed-off-by: Jason Yellick <[email protected]>
Signed-off-by: Luis Sanchez <[email protected]>

Author: Jason Yellick

common/viperutil/config_test.go

@@ -247,6 +247,68 @@ func TestPEMBlocksFromFile(t *testing.T) {
 	}
 }
 
+func TestPEMBlocksFromFileEnv(t *testing.T) {
+
+	// create temp file
+	file, err := ioutil.TempFile(os.TempDir(), "test")
+	if err != nil {
+		t.Fatalf("Unable to create temp file.")
+	}
+	defer os.Remove(file.Name())
+
+	numberOfCertificates := 3
+	var pems []byte
+	for i := 0; i < numberOfCertificates; i++ {
+		publicKeyCert, _, err := util.GenerateMockPublicPrivateKeyPairPEM(true)
+		if err != nil {
+			t.Fatalf("Enable to generate a signer certificate: %v", err)
+		}
+		pems = append(pems, publicKeyCert...)
+	}
+
+	// write temp file
+	if err := ioutil.WriteFile(file.Name(), pems, 0666); err != nil {
+		t.Fatalf("Unable to write to temp file: %v", err)
+	}
+
+	testCases := []struct {
+		name string
+		data string
+	}{
+		{"Override", "---\nInner:\n  Multiple:\n    File: wrong_file"},
+		{"NoFileElement", "---\nInner:\n  Multiple:\n"},
+		// {"NoElementAtAll", "---\nInner:\n"}, test case for another time
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+
+			envVar := "VIPERUTIL_INNER_MULTIPLE_FILE"
+			envVal := file.Name()
+			os.Setenv(envVar, envVal)
+			defer os.Unsetenv(envVar)
+			config := viper.New()
+			config.SetEnvPrefix(Prefix)
+			config.AutomaticEnv()
+			replacer := strings.NewReplacer(".", "_")
+			config.SetEnvKeyReplacer(replacer)
+			config.SetConfigType("yaml")
+
+			if err := config.ReadConfig(bytes.NewReader([]byte(tc.data))); err != nil {
+				t.Fatalf("Error reading config: %v", err)
+			}
+			var uconf stringFromFileConfig
+			if err := EnhancedExactUnmarshal(config, &uconf); err != nil {
+				t.Fatalf("Failed to unmarshall: %v", err)
+			}
+
+			if len(uconf.Inner.Multiple) != 3 {
+				t.Fatalf(`Expected: "%v", Actual: "%v"`, numberOfCertificates, len(uconf.Inner.Multiple))
+			}
+		})
+	}
+}
+
 func TestStringFromFileNotSpecified(t *testing.T) {
 
 	yaml := fmt.Sprintf("---\nInner:\n  Single:\n    File:\n")
@@ -280,33 +342,45 @@ func TestStringFromFileEnv(t *testing.T) {
 		t.Fatalf("Unable to write to temp file.")
 	}
 
-	envVar := "VIPERUTIL_INNER_SINGLE_FILE"
-	envVal := file.Name()
-	os.Setenv(envVar, envVal)
-	defer os.Unsetenv(envVar)
-	config := viper.New()
-	config.SetEnvPrefix(Prefix)
-	config.AutomaticEnv()
-	replacer := strings.NewReplacer(".", "_")
-	config.SetEnvKeyReplacer(replacer)
-	config.SetConfigType("yaml")
-
-	data := "---\nInner:\n  Single:\n    File: wrong_file"
-
-	if err = config.ReadConfig(bytes.NewReader([]byte(data))); err != nil {
-		t.Fatalf("Error reading %s plugin config: %s", Prefix, err)
+	testCases := []struct {
+		name string
+		data string
+	}{
+		{"Override", "---\nInner:\n  Single:\n    File: wrong_file"},
+		{"NoFileElement", "---\nInner:\n  Single:\n"},
+		// {"NoElementAtAll", "---\nInner:\n"}, test case for another time
 	}
 
-	var uconf stringFromFileConfig
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			envVar := "VIPERUTIL_INNER_SINGLE_FILE"
+			envVal := file.Name()
+			os.Setenv(envVar, envVal)
+			defer os.Unsetenv(envVar)
+			config := viper.New()
+			config.SetEnvPrefix(Prefix)
+			config.AutomaticEnv()
+			replacer := strings.NewReplacer(".", "_")
+			config.SetEnvKeyReplacer(replacer)
+			config.SetConfigType("yaml")
+
+			if err = config.ReadConfig(bytes.NewReader([]byte(tc.data))); err != nil {
+				t.Fatalf("Error reading %s plugin config: %s", Prefix, err)
+			}
 
-	err = EnhancedExactUnmarshal(config, &uconf)
-	if err != nil {
-		t.Fatalf("Failed to unmarshal with: %s", err)
-	}
+			var uconf stringFromFileConfig
 
-	t.Log(uconf.Inner.Single)
+			err = EnhancedExactUnmarshal(config, &uconf)
+			if err != nil {
+				t.Fatalf("Failed to unmarshal with: %s", err)
+			}
 
-	if !reflect.DeepEqual(uconf.Inner.Single, expectedValue) {
-		t.Fatalf(`Expected: "%v",  Actual: "%v"`, expectedValue, uconf.Inner.Single)
+			t.Log(uconf.Inner.Single)
+
+			if !reflect.DeepEqual(uconf.Inner.Single, expectedValue) {
+				t.Fatalf(`Expected: "%v",  Actual: "%v"`, expectedValue, uconf.Inner.Single)
+			}
+		})
 	}
+
 }

common/viperutil/config_util.go

@@ -59,8 +59,17 @@ func getKeysRecursively(base string, v *viper.Viper, nodeKeys map[string]interfa
 			logger.Debugf("Found real value for %s setting to map[string]string %v", fqKey, m)
 			result[key] = m
 		} else {
+			if val == nil {
+				fileSubKey := fqKey + ".File"
+				fileVal := v.Get(fileSubKey)
+				if fileVal != nil {
+					result[key] = map[string]interface{}{"File": fileVal}
+					continue
+				}
+			}
 			logger.Debugf("Found real value for %s setting to %T %v", fqKey, val, val)
 			result[key] = val
+
 		}
 	}
 	return result

orderer/main.go

@@ -70,9 +70,24 @@ func main() {
 		return
 	}
 
+	serverRootCAs := make([][]byte, len(conf.General.TLS.RootCAs))
+	for i, cert := range conf.General.TLS.RootCAs {
+		serverRootCAs[i] = []byte(cert)
+	}
+
+	clientRootCAs := make([][]byte, len(conf.General.TLS.ClientRootCAs))
+	for i, cert := range conf.General.TLS.ClientRootCAs {
+		clientRootCAs[i] = []byte(cert)
+	}
+
 	// Create GRPC server - return if an error occurs
 	secureConfig := comm.SecureServerConfig{
-		UseTLS: conf.General.TLS.Enabled,
+		UseTLS:            conf.General.TLS.Enabled,
+		ServerCertificate: []byte(conf.General.TLS.Certificate),
+		ServerKey:         []byte(conf.General.TLS.PrivateKey),
+		ServerRootCAs:     serverRootCAs,
+		RequireClientCert: conf.General.TLS.ClientAuthEnabled,
+		ClientRootCAs:     clientRootCAs,
 	}
 	grpcServer, err := comm.NewGRPCServerFromListener(lis, secureConfig)
 	if err != nil {