[FAB-2896] Create CA configuration struct

Last change set created the distinction between
a Server struct and CA struct. This change set
seperates out the serverconfig and caconfig struct
to only contain elements that are appropriate
for each.

Change-Id: If73e9d3b61ee2c65368ae72244d0cdb01caad633
Signed-off-by: Saad Karim <[email protected]>

cmd/fabric-ca-client/main_test.go

@@ -162,7 +162,7 @@ func TestClientCommandsNoTLS(t *testing.T) {
 	aff["company1"] = []string{}
 	aff["company2"] = []string{}
 
-	srv.Config.Affiliations = aff
+	srv.CA.Config.Affiliations = aff
 
 	err = srv.Start()
 	if err != nil {
@@ -594,14 +594,23 @@ func getServer() *lib.Server {
 	return &lib.Server{
 		HomeDir: ".",
 		Config:  getServerConfig(),
+		CA: lib.CA{
+			HomeDir: ".",
+			Config:  getCAConfig(),
+		},
 	}
 }
 
 func getServerConfig() *lib.ServerConfig {
 	return &lib.ServerConfig{
 		Debug: true,
 		Port:  7054,
-		CA: lib.ServerConfigCA{
+	}
+}
+
+func getCAConfig() *lib.CAConfig {
+	return &lib.CAConfig{
+		CA: lib.CAInfo{
 			Keyfile:  keyfile,
 			Certfile: certfile,
 		},
@@ -612,7 +621,7 @@ func getServerConfig() *lib.ServerConfig {
 }
 
 func getSerialAKIByID(id string) (serial, aki string, err error) {
-	testdb, _, _ := dbutil.NewUserRegistrySQLLite3(srv.Config.DB.Datasource)
+	testdb, _, _ := dbutil.NewUserRegistrySQLLite3(srv.CA.Config.DB.Datasource)
 	acc := lib.NewCertDBAccessor(testdb)
 
 	certs, _ := acc.GetCertificatesByID(id)

cmd/fabric-ca-server/config.go

@@ -101,7 +101,7 @@ tls:
   keyfile: ca-key.pem
   clientauth:
     type: noclientcert
-    certfiles: 			# Comma Separated list of root certificate files (e.g. root.pem, root2.pem)
+    certfiles:
 
 #############################################################################
 #  The CA section contains information related to the Certificate Authority
@@ -299,14 +299,22 @@ func configInit() (err error) {
 		if err != nil {
 			return fmt.Errorf("Incorrect format in file '%s': %s", cfgFileName, err)
 		}
+		err = viper.Unmarshal(&serverCfg.CAcfg)
+		if err != nil {
+			return fmt.Errorf("Incorrect format in file '%s': %s", cfgFileName, err)
+		}
 	} else {
 		err = viper.Unmarshal(serverCfg)
 		if err != nil {
 			return fmt.Errorf("Incorrect format in file '%s': %s", cfgFileName, err)
 		}
+		err = viper.Unmarshal(&serverCfg.CAcfg)
+		if err != nil {
+			return fmt.Errorf("Incorrect format in file '%s': %s", cfgFileName, err)
+		}
 	}
 
-	if serverCfg.CA.Name == "" {
+	if serverCfg.CAcfg.CA.Name == "" {
 		return fmt.Errorf(caNameReqMsg)
 	}
 

cmd/fabric-ca-server/main.go

@@ -68,7 +68,12 @@ func init() {
 		"help.csr.serialnumber": "The serial number in a certificate signing request to a parent fabric-ca-server",
 		"help.csr.hosts":        "A list of space-separated host names in a certificate signing request to a parent fabric-ca-server",
 	}
-	err := util.RegisterFlags(pflags, serverCfg, tags)
+	err := util.RegisterFlags(pflags, serverCfg, nil)
+	if err != nil {
+		panic(err)
+	}
+	caCfg := &lib.CAConfig{}
+	err = util.RegisterFlags(pflags, caCfg, tags)
 	if err != nil {
 		panic(err)
 	}
@@ -104,5 +109,8 @@ func getServer() *lib.Server {
 		Config:          serverCfg,
 		BlockingStart:   blockingStart,
 		ParentServerURL: viper.GetString("url"),
+		CA: lib.CA{
+			Config: &serverCfg.CAcfg,
+		},
 	}
 }

lib/ca.go

@@ -55,9 +55,7 @@ type CA struct {
 	// The home directory for the CA
 	HomeDir string
 	// The CA's configuration
-	Config *ServerConfig
-	// The parent server URL, which is non-null if this is an intermediate server
-	ParentServerURL string
+	Config *CAConfig
 	// The database handle used to store certificates and optionally
 	// the user registry information, unless LDAP it enabled for the
 	// user registry function.
@@ -70,18 +68,15 @@ type CA struct {
 	registry spi.UserRegistry
 	// The signer used for enrollment
 	enrollSigner signer.Signer
+
+	server *Server
 }
 
 // NewCA creates a new CA with the specified
 // home directory, parent server URL, and config
-func NewCA(homeDir, parentServerURL string, config *ServerConfig, renew bool) (*CA, error) {
-	ca := &CA{
-		HomeDir:         homeDir,
-		ParentServerURL: parentServerURL,
-		Config:          config,
-	}
-
-	err := ca.init(renew)
+func NewCA(homeDir string, config *CAConfig, server *Server, renew bool) (*CA, error) {
+	ca := new(CA)
+	err := initCA(ca, homeDir, config, server, renew)
 	if err != nil {
 		return nil, err
 	}
@@ -90,10 +85,10 @@ func NewCA(homeDir, parentServerURL string, config *ServerConfig, renew bool) (*
 }
 
 // initCA will initialize the passed in pointer to a CA struct
-func initCA(ca *CA, homeDir, parentServerURL string, config *ServerConfig, renew bool) error {
+func initCA(ca *CA, homeDir string, config *CAConfig, server *Server, renew bool) error {
 	ca.HomeDir = homeDir
-	ca.ParentServerURL = parentServerURL
 	ca.Config = config
+	ca.server = server
 
 	err := ca.init(renew)
 	if err != nil {
@@ -179,8 +174,8 @@ func (ca *CA) initKeyMaterial(renew bool) error {
 
 // Get the CA certificate and key for this CA
 func (ca *CA) getCACertAndKey() (cert, key []byte, err error) {
-	log.Debugf("Getting CA cert and key; parent server URL is '%s'", ca.ParentServerURL)
-	if ca.ParentServerURL != "" {
+	log.Debugf("Getting CA cert and key; parent server URL is '%s'", ca.server.ParentServerURL)
+	if ca.server.ParentServerURL != "" {
 		// This is an intermediate CA, so call the parent fabric-ca-server
 		// to get the key and cert
 		clientCfg := ca.Config.Client
@@ -198,7 +193,7 @@ func (ca *CA) getCACertAndKey() (cert, key []byte, err error) {
 		}
 		log.Debugf("Intermediate enrollment request: %v", clientCfg.Enrollment)
 		var resp *EnrollmentResponse
-		resp, err = clientCfg.Enroll(ca.ParentServerURL, ca.HomeDir)
+		resp, err = clientCfg.Enroll(ca.server.ParentServerURL, ca.HomeDir)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -266,7 +261,7 @@ func (ca *CA) getCAChain() (chain []byte, err error) {
 		return util.ReadFile(certAuth.Chainfile)
 	}
 	// Otherwise, if this is a root CA, we always return the contents of the CACertfile
-	if ca.ParentServerURL == "" {
+	if ca.server.ParentServerURL == "" {
 		return util.ReadFile(certAuth.Certfile)
 	}
 	// If this is an intermediate CA but the ca.Chainfile doesn't exist,
@@ -283,9 +278,10 @@ func (ca *CA) initConfig() (err error) {
 			return fmt.Errorf("Failed to initialize CA's home directory: %s", err)
 		}
 	}
+	log.Info("CA Home Directory: ", ca.HomeDir)
 	// Init config if not set
 	if ca.Config == nil {
-		ca.Config = new(ServerConfig)
+		ca.Config = new(CAConfig)
 	}
 	// Set config defaults
 	cfg := ca.Config
@@ -299,7 +295,7 @@ func (ca *CA) initConfig() (err error) {
 		cfg.CSR.CN = "fabric-ca-server"
 	}
 	// Set log level if debug is true
-	if cfg.Debug {
+	if ca.server.Config.Debug {
 		log.Level = log.LevelDebug
 	}
 	// Init the BCCSP
@@ -419,8 +415,8 @@ func (ca *CA) initEnrollmentSigner() (err error) {
 	}
 
 	// Make sure the policy reflects the new remote
-	if c.Remote != "" {
-		err = policy.OverrideRemotes(c.Remote)
+	if ca.server.Config.Remote != "" {
+		err = policy.OverrideRemotes(ca.server.Config.Remote)
 		if err != nil {
 			return fmt.Errorf("Failed initializing enrollment signer: %s", err)
 		}
@@ -432,7 +428,7 @@ func (ca *CA) initEnrollmentSigner() (err error) {
 			"cert-file": c.CA.Certfile,
 			"key-file":  c.CA.Keyfile,
 		},
-		ForceRemote: c.Remote != "",
+		ForceRemote: ca.server.Config.Remote != "",
 	}
 	ca.enrollSigner, err = universal.NewSigner(root, policy)
 	if err != nil {
@@ -514,7 +510,7 @@ func (ca *CA) loadAffiliationsTableR(val interface{}, parentPath string) (err er
 }
 
 // Add an identity to the registry
-func (ca *CA) addIdentity(id *ServerConfigIdentity, errIfFound bool) error {
+func (ca *CA) addIdentity(id *CAConfigIdentity, errIfFound bool) error {
 	var err error
 	user, _ := ca.registry.GetUser(id.Name, nil)
 	if user != nil {
@@ -598,8 +594,6 @@ func (ca *CA) makeFileNamesAbsolute() error {
 		&ca.Config.CA.Certfile,
 		&ca.Config.CA.Keyfile,
 		&ca.Config.CA.Chainfile,
-		&ca.Config.TLS.CertFile,
-		&ca.Config.TLS.KeyFile,
 	}
 	for _, namePtr := range fields {
 		abs, err := util.MakeFileAbs(*namePtr, ca.HomeDir)

lib/caconfig.go

@@ -0,0 +1,80 @@
+/*
+Copyright IBM Corp. 2017 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+                 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lib
+
+import (
+	"github.com/cloudflare/cfssl/config"
+	"github.com/cloudflare/cfssl/csr"
+	"github.com/hyperledger/fabric-ca/lib/ldap"
+	"github.com/hyperledger/fabric-ca/lib/tls"
+	"github.com/hyperledger/fabric-ca/util"
+	"github.com/hyperledger/fabric/bccsp/factory"
+)
+
+// CAConfig is the CA instance's config
+// The tags are recognized by the RegisterFlags function in fabric-ca/lib/util.go
+// and are as follows:
+// "def" - the default value of the field;
+// "opt" - the optional one character short name to use on the command line;
+// "help" - the help message to display on the command line;
+// "skip" - to skip the field.
+type CAConfig struct {
+	CSP          *factory.FactoryOpts
+	CA           CAInfo
+	Signing      *config.Signing
+	CSR          csr.CertificateRequest
+	Registry     CAConfigRegistry
+	Affiliations map[string]interface{}
+	LDAP         ldap.Config
+	DB           CAConfigDB
+	Client       *ClientConfig
+}
+
+// CAInfo is the CA information on a fabric-ca-server
+type CAInfo struct {
+	Name      string `opt:"n" help:"Certificate Authority name"`
+	Keyfile   string `def:"ca-key.pem" help:"PEM-encoded CA key file"`
+	Certfile  string `def:"ca-cert.pem" help:"PEM-encoded CA certificate file"`
+	Chainfile string `def:"ca-chain.pem" help:"PEM-encoded CA chain file"`
+}
+
+// CAConfigDB is the database part of the server's config
+type CAConfigDB struct {
+	Type       string `def:"sqlite3" help:"Type of database; one of: sqlite3, postgres, mysql"`
+	Datasource string `def:"fabric-ca-server.db" help:"Data source which is database specific"`
+	TLS        tls.ClientTLSConfig
+}
+
+// CAConfigRegistry is the registry part of the server's config
+type CAConfigRegistry struct {
+	MaxEnrollments int `def:"0" help:"Maximum number of enrollments; valid if LDAP not enabled"`
+	Identities     []CAConfigIdentity
+}
+
+// CAConfigIdentity is identity information in the server's config
+type CAConfigIdentity struct {
+	Name           string
+	Pass           string `secret:"password"`
+	Type           string
+	Affiliation    string
+	MaxEnrollments int
+	Attrs          map[string]string
+}
+
+func (cc *CAConfigIdentity) String() string {
+	return util.StructToString(cc)
+}

lib/client_test.go

@@ -255,7 +255,7 @@ func TestCustomizableMaxEnroll(t *testing.T) {
 		return
 	}
 
-	srv.Config.Registry.MaxEnrollments = 3
+	srv.CA.Config.Registry.MaxEnrollments = 3
 	srv.Config.Debug = true
 
 	err := srv.Start()

lib/client_whitebox_test.go

@@ -134,11 +134,15 @@ func getServer(port int, home, parentURL string, maxEnroll int, t *testing.T) *S
 	}
 	srv := &Server{
 		Config: &ServerConfig{
-			Port:         port,
-			Debug:        true,
-			Affiliations: affiliations,
-			Registry: ServerConfigRegistry{
-				MaxEnrollments: maxEnroll,
+			Port:  port,
+			Debug: true,
+		},
+		CA: CA{
+			Config: &CAConfig{
+				Affiliations: affiliations,
+				Registry: CAConfigRegistry{
+					MaxEnrollments: maxEnroll,
+				},
 			},
 		},
 		HomeDir:         home,