
     1  /*
     2  Copyright IBM Corp. All Rights Reserved.
     3  
     4  SPDX-License-Identifier: Apache-2.0
     5  */
     6  
     7  package lib
     8  
     9  import (
    10  	"time"
    11  
    12  	"github.com/cloudflare/cfssl/config"
    13  	"github.com/hyperledger/fabric-ca/internal/pkg/api"
    14  	"github.com/hyperledger/fabric-ca/internal/pkg/util"
    15  	dbutil "github.com/hyperledger/fabric-ca/lib/server/db/util"
    16  	"github.com/hyperledger/fabric-ca/lib/server/idemix"
    17  	"github.com/hyperledger/fabric-ca/lib/server/ldap"
    18  	"github.com/hyperledger/fabric-ca/lib/tls"
    19  	"github.com/hyperledger/fabric/bccsp/factory"
    20  )
    21  
const (
	// defaultCACfgTemplate is a CA's default configuration file template.
	// The <<<CANAME>>>, <<<DATASOURCE>>> and <<<COMMONNAME>>> tokens are
	// placeholders; the code that substitutes them is not in this file.
	defaultCACfgTemplate = `
#############################################################################
# This file contains information specific to a single Certificate Authority (CA).
# A single fabric-ca-server can service multiple CAs.  The server's configuration
# file contains configuration information for the default CA, and each of these
# CA-specific files define configuration settings for a non-default CA.
#
# The only required configuration item in each CA-specific file is a unique
# CA name (see "ca.name" below).  Each CA name in the same fabric-ca-server
# must be unique. All other configuration settings needed for this CA are
# taken from the default CA settings, or you may override those settings by
# adding the setting to this file.
#
# For example, you should provide a different username and password for the
# bootstrap identity as found in the "identities" subsection of the "registry"
# section.
#
# See the server's configuration file for comments on all settings.
# All settings pertaining to the server's listening endpoint are by definition
# server-specific and so will be ignored in a CA configuration file.
#############################################################################
ca:
  # Name of this CA
  name: <<<CANAME>>>
  # The CA certificate file
  certfile: ca-cert.pem
  # The CA key file
  keyfile: ca-key.pem

#############################################################################
#  Database section
#  Supported types are: "sqlite3", "postgres", and "mysql".
#  The datasource value depends on the type.
#  If the type is "sqlite3", the datasource value is a file name to use
#  as the database store.  Since "sqlite3" is an embedded database, it
#  may not be used if you want to run the fabric-ca-server in a cluster.
#  To run the fabric-ca-server in a cluster, you must choose "postgres"
#  or "mysql".
#############################################################################
db:
  datasource: <<<DATASOURCE>>>

###########################################################################
#  Certificate Signing Request section for generating the CA certificate
###########################################################################
csr:
  cn: <<<COMMONNAME>>>
`
)
    73  
    74  // CAConfig is the CA instance's config
    75  // The tags are recognized by the RegisterFlags function in fabric-ca/util/flag.go
    76  // and are as follows:
    77  // "def" - the default value of the field;
    78  // "opt" - the optional one character short name to use on the command line;
    79  // "help" - the help message to display on the command line;
    80  // "skip" - to skip the field.
type CAConfig struct {
	// Version of the configuration file format; not exposed as a flag.
	Version      string `skip:"true"`
	// Cfg holds identity- and affiliation-related behavioural options.
	Cfg          CfgOptions
	// CA names this CA and locates its key, certificate and chain files.
	CA           CAInfo
	// Signing is the cfssl signing policy; not exposed as a flag.
	Signing      *config.Signing `skip:"true"`
	// CSR describes the certificate signing request used when generating
	// the CA certificate (see the "csr" section of defaultCACfgTemplate).
	CSR          api.CSRInfo
	// Registry holds the enrollment limit and the bootstrap identities,
	// including their passwords; see CAConfigIdentity for how those are
	// masked when printed.
	Registry     CAConfigRegistry
	// Affiliations is the affiliation tree as read from the config file.
	// NOTE(review): the value shape is untyped here; the consumer decides
	// what nesting is accepted — confirm there.
	Affiliations map[string]interface{}
	// LDAP configures the optional LDAP-backed user registry.
	LDAP         ldap.Config
	// DB configures the backing database; its String method masks
	// credentials embedded in the datasource.
	DB           CAConfigDB
	// CSP is the BCCSP (crypto provider) configuration. It is keyed
	// "bccsp" in YAML/mapstructure and carries a "hide" tag, which is not
	// among the tags documented on this type.
	CSP          *factory.FactoryOpts `yaml:"bccsp" mapstructure:"bccsp" hide:"true"`
	// Client is the optional client config for an intermediate server,
	// which acts as a client of the root (or parent) server. Not exposed
	// as a flag.
	Client       *ClientConfig `skip:"true"`
	// Intermediate holds the parent-server location, TLS settings and the
	// enrollment request used when this CA is an intermediate CA.
	Intermediate IntermediateCA
	// CRL holds options for the gencrl request handler.
	CRL          CRLConfig
	// Idemix configures the Idemix issuer for this CA.
	Idemix       idemix.Config
}
    99  
   100  // CfgOptions is a CA configuration that allows for setting different options
type CfgOptions struct {
	// Identities controls password-attempt limits and identity removal.
	Identities   identitiesOptions
	// Affiliations controls whether affiliations may be removed.
	Affiliations affiliationsOptions
}
   105  
   106  // identitiesOptions are options that are related to identities
type identitiesOptions struct {
	// PasswordAttempts is the number of incorrect password attempts allowed
	// before an identity is affected; defaults to 10 via the "def" tag.
	// What happens once the limit is reached is enforced elsewhere.
	PasswordAttempts int  `def:"10" help:"Number of incorrect password attempts allowed"`
	// AllowRemove enables dynamic removal of identities; defaults to false
	// (no "def" tag), so removal is disabled unless configured.
	AllowRemove      bool `help:"Enables removal of identities dynamically"`
}
   111  
   112  // affiliationsOptions are options that are related to affiliations
type affiliationsOptions struct {
	// AllowRemove enables dynamic removal of affiliations; defaults to
	// false (no "def" tag), so removal is disabled unless configured.
	AllowRemove bool `help:"Enables removal of affiliations dynamically"`
}
   116  
   117  // CAInfo is the CA information on a fabric-ca-server
type CAInfo struct {
	// Name is the CA's unique name within the server (short flag "-n").
	Name      string `opt:"n" help:"Certificate Authority name"`
	// Keyfile is the PEM-encoded CA private key file. Unlike Certfile and
	// Chainfile it has no "def" tag; defaultCACfgTemplate sets it to
	// ca-key.pem for CA-specific config files.
	Keyfile   string `help:"PEM-encoded CA key file"`
	// Certfile is the PEM-encoded CA certificate file (default ca-cert.pem).
	Certfile  string `def:"ca-cert.pem" help:"PEM-encoded CA certificate file"`
	// Chainfile is the PEM-encoded CA chain file (default ca-chain.pem).
	Chainfile string `def:"ca-chain.pem" help:"PEM-encoded CA chain file"`
}
   124  
   125  // CAConfigDB is the database part of the server's config
type CAConfigDB struct {
	// Type selects the database driver: sqlite3 (default), postgres or mysql.
	Type       string `def:"sqlite3" help:"Type of database; one of: sqlite3, postgres, mysql"`
	// Datasource is driver-specific: a file name for sqlite3, a connection
	// string for the others. It may embed credentials, which is why String
	// runs the rendered struct through dbutil.MaskDBCred.
	Datasource string `def:"fabric-ca-server.db" help:"Data source which is database specific"`
	// TLS holds the client-side TLS settings used for the database connection.
	TLS        tls.ClientTLSConfig
}
   131  
   132  // Implements Stringer interface for CAConfigDB
   133  // Calls util.StructToString to convert the CAConfigDB struct to
   134  // string and masks the password from the database URL. Returns
   135  // resulting string.
// String implements fmt.Stringer for CAConfigDB.
//
// The struct is rendered with util.StructToString and the result is passed
// through dbutil.MaskDBCred, so credentials embedded in the datasource URL
// are masked in the returned string rather than reproduced verbatim.
func (c CAConfigDB) String() string {
	return dbutil.MaskDBCred(util.StructToString(&c))
}
   140  
   141  // CAConfigRegistry is the registry part of the server's config
type CAConfigRegistry struct {
	// MaxEnrollments caps enrollments per identity; per the help text it is
	// only consulted when LDAP is not enabled. Defaults to -1 via the "def"
	// tag; the meaning of -1 is defined by the consumer, not here.
	MaxEnrollments int `def:"-1" help:"Maximum number of enrollments; valid if LDAP not enabled"`
	// Identities are the bootstrap identities registered for this CA.
	Identities     []CAConfigIdentity
}
   146  
   147  // CAConfigIdentity is identity information in the server's config
type CAConfigIdentity struct {
	// Name is the identity's enrollment ID; tagged mask:"username".
	Name           string `mask:"username"`
	// Pass is the identity's password as written in the config file. It is
	// tagged mask:"password" so util.StructToString (used by String) can
	// redact it — presumably honoured by util; confirm there.
	Pass           string `mask:"password"`
	// Type is the identity type (e.g. client, peer); no constraint here.
	Type           string
	// Affiliation is the identity's affiliation path.
	Affiliation    string
	// MaxEnrollments is the per-identity enrollment cap.
	MaxEnrollments int
	// Attrs are the attributes registered with the identity.
	Attrs          map[string]string
}
   156  
   157  // ParentServer contains URL for the parent server and the name of CA inside
   158  // the server to connect to
type ParentServer struct {
	// URL of the parent fabric-ca-server (short flag "-u"). The help text
	// shows the userinfo form, so the URL may embed a username and
	// password; it is tagged mask:"url" so String can redact them.
	URL    string `opt:"u" help:"URL of the parent fabric-ca-server (e.g. http://<username>:<password>@<address>:<port)" mask:"url"`
	// CAName is the CA to address on the parent server.
	CAName string `help:"Name of the CA to connect to on fabric-ca-server"`
}
   163  
   164  // IntermediateCA contains parent server information, TLS configuration, and
   165  // enrollment request for an intermetiate CA
// IntermediateCA contains parent server information, TLS configuration, and
// the enrollment request for an intermediate CA.
type IntermediateCA struct {
	// ParentServer locates the parent CA server and the CA name on it.
	ParentServer ParentServer
	// TLS holds the client TLS settings used when talking to the parent.
	TLS          tls.ClientTLSConfig
	// Enrollment is the request sent to the parent to obtain this CA's
	// intermediate certificate.
	Enrollment   api.EnrollmentRequest
}
   171  
   172  // CRLConfig contains configuration options used by the gencrl request handler
type CRLConfig struct {
	// Expiry is the validity period of CRLs produced by the gencrl request
	// (default 24h). Per the original author's note, this duration is added
	// to the current UTC time to set the CRL's 'Next Update' date; that
	// computation lives in the gencrl handler, not in this file.
	Expiry time.Duration `def:"24h" help:"Expiration for the CRL generated by the gencrl request"`
}
   179  
// String implements fmt.Stringer for CAConfigIdentity by delegating to
// util.StructToString. Name and Pass carry `mask` struct tags; whether
// StructToString honours them is decided in util, not here.
func (id CAConfigIdentity) String() string {
	rendered := util.StructToString(&id)
	return rendered
}
   183  
// String implements fmt.Stringer for ParentServer by delegating to
// util.StructToString. URL carries a `mask:"url"` tag; whether
// StructToString redacts the embedded credentials is decided in util.
func (ps ParentServer) String() string {
	rendered := util.StructToString(&ps)
	return rendered
}