Merge pull request #184 from VRamakrishna/main

Enable TLS in Relay, Drivers, and Apps

Author: sandeepnRES

common/protos-java-kt/build.gradle

@@ -14,8 +14,8 @@ buildscript {
 
 plugins {
     id "maven-publish"
-	id 'java'
-	id 'com.google.protobuf' version '0.8.12'
+    id 'java'
+    id 'com.google.protobuf' version '0.8.12'
     id 'idea'
 }
 
@@ -124,4 +124,4 @@ publishing {
 			}
 		}
 	}
-}
+}

common/protos-java-kt/gradle.properties

@@ -1,4 +1,4 @@
 name=Interop Protos
 group=com.weaver
-version=1.2.4-alpha.4
+version=1.2.4-alpha.5
 kotlin.incremental=false

core/drivers/corda-driver/README.md

@@ -57,6 +57,29 @@ To run the driver, use the following:
 
 The driver gRPC server will be listening on port `9099`.
 
+### With TLS
+
+If the relay expects a TLS connection over gRPC, you need to specify the following environment variables in the `corda-driver` command:
+- `RELAY_TLS`: should be set to `true`
+- One of the following:
+  * If the relay server TLS CA certificates are in a password-protected Java Key Store (JKS file):
+    - `RELAY_TLSCA_TRUST_STORE`: JKS file path
+    - `RELAY_TLSCA_TRUST_STORE_PASSWORD`: password used to create the JKS file
+  * If the relay server TLS CA certificates are in separate PEM files in the filesystem:
+    - `RELAY_TLSCA_CERT_PATHS`: colon-separated list of CA certificate file paths
+If you wish to run the driver service with TLS enabled, you need to specify the following environment variables in the `corda-driver` command:
+- `DRIVER_TLS`: should be set to `true`
+- `DRIVER_CERT_PATH`: driver's TLS certificate file path
+- `DRIVER_KEY_PATH`: driver's TLS private key file path
+- Example: both relay and driver are TLS-enabled, and a trust store is used as a certificate repository:
+  ```bash
+  RELAY_TLS=true RELAY_TLSCA_TRUST_STORE_PASSWORD=password RELAY_TLSCA_TRUST_STORE=trust_store.jks DRIVER_TLS=true DRIVER_CERT_PATH=cert.pem DRIVER_KEY_PATH=key.pem ./build/install/corda-driver/bin/corda-driver
+  ```
+- Example: only relay is TLS-enabled, and the driver's trusted certificates are in separate files in the filesystem:
+  ```bash
+  RELAY_TLS=true RELAY_TLSCA_CERT_PATHS=ca_cert1.pem:ca_cert2.pem ./build/install/corda-driver/bin/corda-driver
+  ```
+
 ## Driver configuration
 
 By default, the driver gRPC server listens on port `9099`. To change the port, set 
@@ -84,15 +107,18 @@ To push image to github container registry:
 
 **NOTE:** Push image to `hyperledger-labs` only after PR approval, first test it by deploying it on your fork by running (instead of last step above): `make push-image DOCKER_REGISTRY=ghcr.io/<username>`, where replace `<username>` with your git username.
 
-### Docker-compose Deployment
+### Docker-Compose Deployment
 
 * Copy `.env.docker.template` to `.env`
-    - `NETWORK_NAME`: Used as suffix to corda-driver container name, i.e. `corda-driver-<network-name>` will be the name of container.
+    - `NETWORK_NAME`: Used as suffix to corda-driver container name, i.e. `corda-driver-<network-name>` will be the name of the container.
     - `DRIVER_PORT`: Driver server port.
-    - `EXTERNAL_NETWORK`: is the docker network in which corda-network is running.
-    - `DOCKER_IMAGE_NAME`: Keep it same.
+    - `DRIVER_RPC_USERNAME`: RPC user registered for Driver.
+    - `DRIVER_RPC_PASSWORD`: Password for the above RPC user.
+    - `EXTERNAL_NETWORK`: Name of the docker network in which the Corda containers are deployed.
+    - `DOCKER_IMAGE_NAME`: _Keep this unchanged_.
     - `DOCKER_TAG`: Refer here for the image tags available: [weaver-corda-driver](https://github.com/hyperledger-labs/weaver-dlt-interoperability/pkgs/container/weaver-corda-driver)
-    - `DOCKER_REGISTRY`: Keep it same. (replace `hyperledger-labs` with your git username if testing from your fork)
+    - `COMPOSE_PROJECT_NAME`: Docker project name for the Corda network to which this driver is supposed to attach. By default, the folder name of the Corda network's `docker-compose.yml`, is the project name.
+    - `COMPOSE_PROJECT_NETWORK`: Docker project network name for the Corda network to which this driver is supposed to attach. By default, `default` is the project network name.
 * Create a Personal Access Token with read packages access in github. Refer [Creating a Personal Access Token](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) for help.
 * Run `docker login ghcr.io` and use your github username and personal access token as password.
 * Run: `make deploy`.

core/drivers/corda-driver/build.gradle

@@ -2,6 +2,7 @@ buildscript {
     ext.kotlin_version = "1.3.61"
     ext.coroutines_version = "1.3.3"
     ext.protobuf_version = "3.11.1"
+    ext.bcprov_version = "1.53"
     ext.grpc_version = "1.28.1" // CURRENT_GRPC_VERSION
     ext.grpc_kotlin_version = "0.1.3" // CURRENT_GRPC_KOTLIN_VERSION
     ext.corda_release_group = "net.corda"
@@ -49,6 +50,7 @@ repositories {
         flatDir {
             dirs '../../network/corda-interop-app/interop-contracts/build/libs'
             dirs '../../network/corda-interop-app/interop-workflows/build/libs'
+            dirs '../../../sdks/corda/build/libs'
             dirs '../../../common/protos-java-kt/build/libs'
         }
 
@@ -60,6 +62,8 @@ apply plugin: "kotlin"
 dependencies {
     // This repo
     implementation "io.grpc:grpc-kotlin-stub:$grpc_kotlin_version"
+    implementation "io.grpc:grpc-okhttp:$grpc_version"
+    implementation "org.bouncycastle:bcprov-jdk15on:$bcprov_version"
 
     implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8"
     implementation "org.jetbrains.kotlin:kotlin-reflect:$kotlin_version"
@@ -81,6 +85,7 @@ dependencies {
 
     implementation(group: 'com.weaver.corda.app.interop', name: 'interop-contracts', version: "$weaver_version")
     implementation(group: 'com.weaver.corda.app.interop', name: 'interop-workflows', version: "$weaver_version")
+    implementation(group: 'com.weaver.corda.sdk', name: 'weaver-corda-sdk', version: "$weaver_version")
     implementation(group: 'com.weaver', name: 'protos-java-kt', version: "$weaver_version")
 
     // gRPC and protobuf dependencies

core/drivers/corda-driver/makefile

@@ -1,5 +1,5 @@
 DOCKER_IMAGE_NAME ?= weaver-corda-driver
-DOCKER_TAG ?= 1.2.4-alpha.1
+DOCKER_TAG ?= 1.2.4-alpha.5
 DOCKER_REGISTRY ?= ghcr.io/hyperledger-labs
 GIT_URL = https://github.com/hyperledger-labs/weaver-dlt-interoperability/core/drivers/corda-driver
 COMPOSE_ARG ?=

core/drivers/corda-driver/src/main/kotlin/CordaDriver.kt

@@ -11,13 +11,13 @@ import arrow.core.extensions.either.applicative.applicative
 import arrow.core.extensions.list.traverse.traverse
 import com.google.gson.Gson
 import net.corda.core.messaging.startFlow
-import io.grpc.ManagedChannelBuilder
 import kotlinx.coroutines.*
 import com.google.protobuf.ByteString
 import net.corda.core.messaging.CordaRPCOps
 import java.util.*
 
 import com.weaver.corda.app.interop.flows.HandleExternalRequest
+import com.weaver.corda.sdk.InteroperableHelper
 import com.weaver.protos.common.query.QueryOuterClass
 import com.weaver.protos.common.state.State
 import com.weaver.protos.corda.ViewDataOuterClass
@@ -144,11 +144,14 @@ fun createAggregatedCordaView(views: List<State.View>) : Either<Error, State.Vie
 fun createGrpcConnection(address: String) = try {
     parseRelayAddress(address).map { relayAddresses ->
     // TODO: if the first relay address fails, retry with other relay addresses in the list.
-        GrpcClient(
-                ManagedChannelBuilder.forAddress(relayAddresses[0].host, relayAddresses[0].port)
-                        .usePlaintext()
-                        .executor(Dispatchers.Default.asExecutor())
-                        .build())
+        val channel = InteroperableHelper.getChannelToRelay(
+                relayAddresses[0].host,
+                relayAddresses[0].port,
+                System.getenv("RELAY_TLS")?.toBoolean() ?: false,
+                System.getenv("RELAY_TLSCA_TRUST_STORE")?.toString() ?: "",
+                System.getenv("RELAY_TLSCA_TRUST_STORE_PASSWORD")?.toString() ?: "",
+                System.getenv("RELAY_TLSCA_CERT_PATHS")?.toString() ?: "")
+        GrpcClient(channel)
     }
 } catch (e: Exception) {
     println("Driver Error: Error creating relay gRPC client: ${e.message}")

core/drivers/corda-driver/src/main/kotlin/GrpcServer.kt

@@ -6,6 +6,7 @@
 
 package com.weaver.corda.driver
 
+import java.io.File
 import io.grpc.Server
 import io.grpc.ServerBuilder
 import kotlinx.coroutines.*
@@ -21,10 +22,23 @@ import com.weaver.protos.driver.driver.DriverCommunicationGrpcKt
  * dispatching them to the correct network node and returning an Ack to the requesting gRPC client.
  */
 class GrpcServer(private val port: Int) {
-    val server: Server = ServerBuilder
-        .forPort(port)
-        .addService(GrpcService())
-        .build()
+    val server: Server
+    val useTlsForDriver = (System.getenv("DRIVER_TLS")?.toBoolean() ?: false)
+
+    init {
+        if (useTlsForDriver) {
+            server = ServerBuilder
+                .forPort(port)
+                .useTransportSecurity(File(System.getenv("DRIVER_CERT_PATH")?.toString() ?: ""), File(System.getenv("DRIVER_KEY_PATH")?.toString() ?: ""))
+                .addService(GrpcService())
+                .build()
+        } else {
+            server = ServerBuilder
+                .forPort(port)
+                .addService(GrpcService())
+                .build()
+        }
+    }
 
     /**
      * The start() method is used to bring up the gRPC server of the driver.
@@ -80,4 +94,4 @@ class GrpcServer(private val port: Int) {
             return ack
         }
     }
-}
+}

core/drivers/fabric-driver/.env.docker.template

@@ -1,8 +1,13 @@
 CONNECTION_PROFILE=<path_to_connection_profile>
 DRIVER_CONFIG=<path_to_config_json>
 RELAY_ENDPOINT=<relay-hostname>:<relay-port>
+RELAY_TLS=false
+RELAY_TLSCA_CERT_PATH=<path_to_tls_ca_cert_pem_for_relay>
 NETWORK_NAME=<network-name>
 DRIVER_PORT=<driver-server-port>
+DRIVER_TLS=false
+DRIVER_TLS_CERT_PATH=<path_to_tls_cert_pem_for_driver>
+DRIVER_TLS_KEY_PATH=<path_to_tls_key_pem_for_driver>
 INTEROP_CHAINCODE=<interop-chaincode-name>
 DOCKER_IMAGE_NAME=ghcr.io/hyperledger-labs/weaver-fabric-driver
 DOCKER_TAG=1.2.1

core/drivers/fabric-driver/.env.template

@@ -1,6 +1,11 @@
 CONNECTION_PROFILE=path_to_connection_profile
 RELAY_ENDPOINT=localhost:9080
+RELAY_TLS=false
+RELAY_TLSCA_CERT_PATH=path_to_tls_ca_cert_pem_for_relay
 DRIVER_ENDPOINT=localhost:9090
+DRIVER_TLS=false
+DRIVER_TLS_CERT_PATH=path_to_tls_cert_pem_for_driver
+DRIVER_TLS_KEY_PATH=path_to_tls_key_pem_for_driver
 NETWORK_NAME=network1
 DRIVER_CONFIG=
-INTEROP_CHAINCODE=interop
+INTEROP_CHAINCODE=interop

core/drivers/fabric-driver/readme.md

@@ -16,12 +16,30 @@ NOTE: Minimum requirement of npm v5.0 for patch-package to apply the patch for t
 
 ### Setup
 
-The .env (check .env.template, more information [here](#Environment-variables)) and config.json files need to be checked and updated to match the network and relay that it will be connecting to.
+Create a `.env` file using `.env.template` as the base and setting suitable environment variable values (see [here](#Environment-variables)) and `config.json` files need to be checked and updated to match the network and relay that it will be connecting to.
 The .env contains information related to the network and relay. The config.json contains information about the ca admin, user and its org, that is used when connecting to the network.
 
+#### Enabling TLS
+
+If the relay is TLS-enabled, set the following values in the `.env`:
+```
+RELAY_TLS=true
+RELAY_TLSCA_CERT_PATH=path_to_tls_ca_cert_pem_for_relay
+```
+- `path_to_tls_ca_cert_pem_for_relay` should be set to CA certificate file path
+
+To enforce secure communication over TLS with your driver, set the following values in the `.env`:
+```
+DRIVER_TLS=true
+DRIVER_TLS_CERT_PATH=path_to_tls_cert_pem_for_driver
+DRIVER_TLS_KEY_PATH=path_to_tls_key_pem_for_driver
+```
+- `path_to_tls_cert_pem_for_driver` should be set to driver's TLS certificate file path
+- `path_to_tls_key_pem_for_driver` should be set to driver's TLS private key file path
+
 ### Running
 
-To do a full build run then `make build-local`. This update/clones protos, generates js protos and compiles typescript.
+To do a full build run then `make build-local`. This update/clones protos, generates js protos and compiles TypeScript.
 
 For tsc compilation in watch mode: `npm run watch`