mirror of
https://github.com/corda/corda.git
synced 2025-06-16 14:18:20 +00:00
CORDA-2113 - Include PNM ID in CSR (#4086)
* CORDA-2113 - Include PNM ID in CSR If Compatibility Zone operator is using private networks and the node should be joining one, optionally the ID (a UUID) of that network can be included as part of the node's CSR to to the Doorman. * fix broken test
This commit is contained in:
Katelyn Baker
GitHub
@ -47,18 +47,22 @@ class NetworkMapTest(var initFunc: (URL, NetworkMapServer) -> CompatibilityZoneP
|
||||
@JvmStatic
|
||||
@Parameterized.Parameters(name = "{0}")
|
||||
fun runParams() = listOf(
|
||||
{ addr: URL, nms: NetworkMapServer ->
|
||||
SharedCompatibilityZoneParams(
|
||||
{
|
||||
addr: URL,
|
||||
nms: NetworkMapServer -> SharedCompatibilityZoneParams(
|
||||
addr,
|
||||
pnm = null,
|
||||
publishNotaries = {
|
||||
nms.networkParameters = testNetworkParameters(it, modifiedTime = Instant.ofEpochMilli(random63BitValue()), epoch = 2)
|
||||
}
|
||||
)
|
||||
},
|
||||
{ addr: URL, nms: NetworkMapServer ->
|
||||
SplitCompatibilityZoneParams(
|
||||
{
|
||||
addr: URL,
|
||||
nms: NetworkMapServer -> SplitCompatibilityZoneParams (
|
||||
doormanURL = URL("http://I/Don't/Exist"),
|
||||
networkMapURL = addr,
|
||||
pnm = null,
|
||||
publishNotaries = {
|
||||
nms.networkParameters = testNetworkParameters(it, modifiedTime = Instant.ofEpochMilli(random63BitValue()), epoch = 2)
|
||||
}
|
||||
|
||||
@ -81,6 +81,7 @@ class NodeRegistrationTest {
|
||||
fun `node registration correct root cert`() {
|
||||
val compatibilityZone = SharedCompatibilityZoneParams(
|
||||
URL("http://$serverHostAndPort"),
|
||||
null,
|
||||
publishNotaries = { server.networkParameters = testNetworkParameters(it) },
|
||||
rootCert = DEV_ROOT_CA.certificate)
|
||||
internalDriver(
|
||||
|
||||
@ -152,7 +152,7 @@ open class NodeStartup : CordaCliWrapper("corda", "Runs a Corda Node") {
|
||||
|
||||
private val handleRegistrationError = { error: Exception ->
|
||||
when (error) {
|
||||
is NodeRegistrationException -> error.logAsExpected("Node registration service is unavailable. Perhaps try to perform the initial registration again after a while.")
|
||||
is NodeRegistrationException -> error.logAsExpected("Issue with Node registration: ${error.message}")
|
||||
else -> error.logAsUnexpected("Exception during node registration")
|
||||
}
|
||||
}
|
||||
@ -385,17 +385,23 @@ open class NodeStartup : CordaCliWrapper("corda", "Runs a Corda Node") {
|
||||
logger.info(nodeStartedMessage)
|
||||
}
|
||||
|
||||
protected open fun registerWithNetwork(conf: NodeConfiguration, versionInfo: VersionInfo, nodeRegistrationConfig: NodeRegistrationOption) {
|
||||
val compatibilityZoneURL = conf.networkServices?.doormanURL ?: throw RuntimeException(
|
||||
"compatibilityZoneURL or networkServices must be configured!")
|
||||
protected open fun registerWithNetwork(
|
||||
conf: NodeConfiguration,
|
||||
versionInfo: VersionInfo,
|
||||
nodeRegistrationConfig: NodeRegistrationOption
|
||||
) {
|
||||
println("\n" +
|
||||
"******************************************************************\n" +
|
||||
"* *\n" +
|
||||
"* Registering as a new participant with a Corda network *\n" +
|
||||
"* *\n" +
|
||||
"******************************************************************\n")
|
||||
|
||||
println()
|
||||
println("******************************************************************")
|
||||
println("* *")
|
||||
println("* Registering as a new participant with Corda network *")
|
||||
println("* *")
|
||||
println("******************************************************************")
|
||||
NodeRegistrationHelper(conf, HTTPNetworkRegistrationService(compatibilityZoneURL, versionInfo), nodeRegistrationConfig).buildKeystore()
|
||||
NodeRegistrationHelper(conf,
|
||||
HTTPNetworkRegistrationService(
|
||||
requireNotNull(conf.networkServices),
|
||||
versionInfo),
|
||||
nodeRegistrationConfig).buildKeystore()
|
||||
|
||||
// Minimal changes to make registration tool create node identity.
|
||||
// TODO: Move node identity generation logic from node to registration helper.
|
||||
|
||||
@ -156,6 +156,8 @@ data class BFTSMaRtConfiguration(
|
||||
*
|
||||
* @property doormanURL The URL of the tls certificate signing service.
|
||||
* @property networkMapURL The URL of the Network Map service.
|
||||
* @property pnm If the compatibility zone operator supports the private network map option, have the node
|
||||
* at registration automatically join that private network.
|
||||
* @property inferred Non user setting that indicates weather the Network Services configuration was
|
||||
* set explicitly ([inferred] == false) or weather they have been inferred via the compatibilityZoneURL parameter
|
||||
* ([inferred] == true) where both the network map and doorman are running on the same endpoint. Only one,
|
||||
@ -164,6 +166,7 @@ data class BFTSMaRtConfiguration(
|
||||
data class NetworkServicesConfig(
|
||||
val doormanURL: URL,
|
||||
val networkMapURL: URL,
|
||||
val pnm: UUID? = null,
|
||||
val inferred : Boolean = false
|
||||
)
|
||||
|
||||
@ -371,8 +374,9 @@ data class NodeConfigurationImpl(
|
||||
""".trimMargin())
|
||||
}
|
||||
|
||||
// Support the deprecated method of configuring network services with a single compatibilityZoneURL option
|
||||
if (compatibilityZoneURL != null && networkServices == null) {
|
||||
networkServices = NetworkServicesConfig(compatibilityZoneURL, compatibilityZoneURL, true)
|
||||
networkServices = NetworkServicesConfig(compatibilityZoneURL, compatibilityZoneURL, inferred = true)
|
||||
}
|
||||
require(h2port == null || h2Settings == null) { "Cannot specify both 'h2port' and 'h2Settings' in configuration" }
|
||||
}
|
||||
|
||||
@ -6,6 +6,7 @@ import net.corda.core.internal.post
|
||||
import net.corda.core.utilities.OpaqueBytes
|
||||
import net.corda.core.utilities.seconds
|
||||
import net.corda.node.VersionInfo
|
||||
import net.corda.node.services.config.NetworkServicesConfig
|
||||
import net.corda.nodeapi.internal.crypto.X509CertificateFactory
|
||||
import okhttp3.CacheControl
|
||||
import okhttp3.Headers
|
||||
@ -19,8 +20,11 @@ import java.util.*
|
||||
import java.util.zip.ZipInputStream
|
||||
import javax.naming.ServiceUnavailableException
|
||||
|
||||
class HTTPNetworkRegistrationService(compatibilityZoneURL: URL, val versionInfo: VersionInfo) : NetworkRegistrationService {
|
||||
private val registrationURL = URL("$compatibilityZoneURL/certificate")
|
||||
class HTTPNetworkRegistrationService(
|
||||
val config : NetworkServicesConfig,
|
||||
val versionInfo: VersionInfo
|
||||
) : NetworkRegistrationService {
|
||||
private val registrationURL = URL("${config.doormanURL}/certificate")
|
||||
|
||||
companion object {
|
||||
private val TRANSIENT_ERROR_STATUS_CODES = setOf(HTTP_BAD_GATEWAY, HTTP_UNAVAILABLE, HTTP_GATEWAY_TIMEOUT)
|
||||
@ -54,7 +58,8 @@ class HTTPNetworkRegistrationService(compatibilityZoneURL: URL, val versionInfo:
|
||||
override fun submitRequest(request: PKCS10CertificationRequest): String {
|
||||
return String(registrationURL.post(OpaqueBytes(request.encoded),
|
||||
"Platform-Version" to "${versionInfo.platformVersion}",
|
||||
"Client-Version" to versionInfo.releaseVersion))
|
||||
"Client-Version" to versionInfo.releaseVersion,
|
||||
"Private-Network-Map" to (config.pnm?.toString() ?: "")))
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -96,10 +96,9 @@ open class NetworkRegistrationHelper(private val certificatesDirectory: Path,
|
||||
val requestId = try {
|
||||
submitOrResumeCertificateSigningRequest(keyPair)
|
||||
} catch (e: Exception) {
|
||||
if (e is ConnectException || e is ServiceUnavailableException || e is IOException) {
|
||||
throw NodeRegistrationException(e)
|
||||
}
|
||||
throw e
|
||||
throw if (e is ConnectException || e is ServiceUnavailableException || e is IOException) {
|
||||
NodeRegistrationException(e.message, e)
|
||||
} else e
|
||||
}
|
||||
|
||||
val certificates = try {
|
||||
@ -200,7 +199,8 @@ open class NetworkRegistrationHelper(private val certificatesDirectory: Path,
|
||||
if (idlePeriodDuration != null) {
|
||||
Thread.sleep(idlePeriodDuration.toMillis())
|
||||
} else {
|
||||
throw NodeRegistrationException(e)
|
||||
throw NodeRegistrationException("Compatibility Zone registration service is currently unavailable, "
|
||||
+ "try again later!.", e)
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -249,10 +249,17 @@ open class NetworkRegistrationHelper(private val certificatesDirectory: Path,
|
||||
protected open fun isTlsCrlIssuerCertRequired(): Boolean = false
|
||||
}
|
||||
|
||||
class NodeRegistrationException(cause: Throwable?) : IOException("Unable to contact node registration service", cause)
|
||||
class NodeRegistrationException(
|
||||
message: String?,
|
||||
cause: Throwable?
|
||||
) : IOException(message ?: "Unable to contact node registration service", cause)
|
||||
|
||||
class NodeRegistrationHelper(private val config: NodeConfiguration, certService: NetworkRegistrationService, regConfig: NodeRegistrationOption, computeNextIdleDoormanConnectionPollInterval: (Duration?) -> Duration? = FixedPeriodLimitedRetrialStrategy(10, Duration.ofMinutes(1))) :
|
||||
NetworkRegistrationHelper(
|
||||
class NodeRegistrationHelper(
|
||||
private val config: NodeConfiguration,
|
||||
certService: NetworkRegistrationService,
|
||||
regConfig: NodeRegistrationOption,
|
||||
computeNextIdleDoormanConnectionPollInterval: (Duration?) -> Duration? = FixedPeriodLimitedRetrialStrategy(10, Duration.ofMinutes(1))
|
||||
) : NetworkRegistrationHelper(
|
||||
config.certificatesDirectory,
|
||||
config.signingCertificateStore,
|
||||
config.myLegalName,
|
||||
|
||||
Reference in New Issue
Block a user