Merge pull request #1330 from kaleido-io/webhooks_mtls

feat: TLS Configs for Webhooks

docs/reference/config.md

@@ -481,6 +481,23 @@ nav_order: 2
 |key|The signing key allocated to the root organization within this namespace|`string`|`<nil>`
 |name|A short name for the local root organization within this namespace|`string`|`<nil>`
 
+## namespaces.predefined[].tlsConfigs[]
+
+|Key|Description|Type|Default Value|
+|---|-----------|----|-------------|
+|name|Name of the TLS Config|`string`|`<nil>`
+
+## namespaces.predefined[].tlsConfigs[].tls
+
+|Key|Description|Type|Default Value|
+|---|-----------|----|-------------|
+|caFile|The path to the CA file for TLS on this API|`string`|`<nil>`
+|certFile|The path to the certificate file for TLS on this API|`string`|`<nil>`
+|clientAuth|Enables or disables client auth for TLS on this API|`string`|`<nil>`
+|enabled|Enables or disables TLS on this API|`boolean`|`false`
+|keyFile|The path to the private key file for TLS on this API|`string`|`<nil>`
+|requiredDNAttributes|A set of required subject DN attributes. Each entry is a regular expression, and the subject certificate must have a matching attribute of the specified type (CN, C, O, OU, ST, L, STREET, POSTALCODE, SERIALNUMBER are valid attributes)|`map[string]string`|`<nil>`
+
 ## namespaces.retry
 
 |Key|Description|Type|Default Value|
@@ -679,6 +696,7 @@ nav_order: 2
 
 |Key|Description|Type|Default Value|
 |---|-----------|----|-------------|
+|connectionTimeout|The amount of time to wait while establishing a connection (or auto-reconnection)|[`time.Duration`](https://pkg.go.dev/time#Duration)|`45s`
 |heartbeatInterval|The amount of time to wait between heartbeat signals on the WebSocket connection|[`time.Duration`](https://pkg.go.dev/time#Duration)|`30s`
 |initialConnectAttempts|The number of attempts FireFly will make to connect to the WebSocket when starting up, before failing|`int`|`5`
 |path|The WebSocket sever URL to which FireFly should connect|WebSocket URL `string`|`<nil>`
@@ -800,6 +818,7 @@ nav_order: 2
 
 |Key|Description|Type|Default Value|
 |---|-----------|----|-------------|
+|connectionTimeout|The amount of time to wait while establishing a connection (or auto-reconnection)|[`time.Duration`](https://pkg.go.dev/time#Duration)|`45s`
 |heartbeatInterval|The amount of time to wait between heartbeat signals on the WebSocket connection|[`time.Duration`](https://pkg.go.dev/time#Duration)|`30s`
 |initialConnectAttempts|The number of attempts FireFly will make to connect to the WebSocket when starting up, before failing|`int`|`5`
 |path|The WebSocket sever URL to which FireFly should connect|WebSocket URL `string`|`<nil>`
@@ -924,6 +943,7 @@ nav_order: 2
 
 |Key|Description|Type|Default Value|
 |---|-----------|----|-------------|
+|connectionTimeout|The amount of time to wait while establishing a connection (or auto-reconnection)|[`time.Duration`](https://pkg.go.dev/time#Duration)|`45s`
 |heartbeatInterval|The amount of time to wait between heartbeat signals on the WebSocket connection|[`time.Duration`](https://pkg.go.dev/time#Duration)|`30s`
 |initialConnectAttempts|The number of attempts FireFly will make to connect to the WebSocket when starting up, before failing|`int`|`5`
 |path|The WebSocket sever URL to which FireFly should connect|WebSocket URL `string`|`<nil>`
@@ -1114,6 +1134,7 @@ nav_order: 2
 
 |Key|Description|Type|Default Value|
 |---|-----------|----|-------------|
+|connectionTimeout|The amount of time to wait while establishing a connection (or auto-reconnection)|[`time.Duration`](https://pkg.go.dev/time#Duration)|`45s`
 |heartbeatInterval|The amount of time to wait between heartbeat signals on the WebSocket connection|[`time.Duration`](https://pkg.go.dev/time#Duration)|`30s`
 |initialConnectAttempts|The number of attempts FireFly will make to connect to the WebSocket when starting up, before failing|`int`|`5`
 |path|The WebSocket sever URL to which FireFly should connect|WebSocket URL `string`|`<nil>`

docs/reference/types/subscription.md

@@ -114,6 +114,7 @@ nav_order: 3
 | `replytx` | Webhooks only: The transaction type to set on the reply message | `string` |
 | `headers` | Webhooks only: Static headers to set on the webhook request | `` |
 | `query` | Webhooks only: Static query params to set on the webhook request | `` |
+| `tlsConfigName` | The name of an existing TLS configuration associated to the namespace to use | `string` |
 | `input` | Webhooks only: A set of options to extract data from the first JSON input data in the incoming message. Only applies if withData=true | [`WebhookInputOptions`](#webhookinputoptions) |
 
 ## WebhookInputOptions

docs/reference/types/wsstart.md

@@ -105,6 +105,7 @@ nav_order: 23
 | `replytx` | Webhooks only: The transaction type to set on the reply message | `string` |
 | `headers` | Webhooks only: Static headers to set on the webhook request | `` |
 | `query` | Webhooks only: Static query params to set on the webhook request | `` |
+| `tlsConfigName` | The name of an existing TLS configuration associated to the namespace to use | `string` |
 | `input` | Webhooks only: A set of options to extract data from the first JSON input data in the incoming message. Only applies if withData=true | [`WebhookInputOptions`](#webhookinputoptions) |
 
 ## WebhookInputOptions

docs/swagger/swagger.yaml

@@ -27786,6 +27786,10 @@ paths:
                           description: 'Webhooks only: The transaction type to set
                             on the reply message'
                           type: string
+                        tlsConfigName:
+                          description: The name of an existing TLS configuration associated
+                            to the namespace to use
+                          type: string
                         url:
                           description: 'Webhooks only: HTTP url to invoke. Can be
                             relative if a base URL is set in the webhook plugin config'
@@ -28005,6 +28009,10 @@ paths:
                       description: 'Webhooks only: The transaction type to set on
                         the reply message'
                       type: string
+                    tlsConfigName:
+                      description: The name of an existing TLS configuration associated
+                        to the namespace to use
+                      type: string
                     url:
                       description: 'Webhooks only: HTTP url to invoke. Can be relative
                         if a base URL is set in the webhook plugin config'
@@ -28212,6 +28220,10 @@ paths:
                         description: 'Webhooks only: The transaction type to set on
                           the reply message'
                         type: string
+                      tlsConfigName:
+                        description: The name of an existing TLS configuration associated
+                          to the namespace to use
+                        type: string
                       url:
                         description: 'Webhooks only: HTTP url to invoke. Can be relative
                           if a base URL is set in the webhook plugin config'
@@ -28429,6 +28441,10 @@ paths:
                       description: 'Webhooks only: The transaction type to set on
                         the reply message'
                       type: string
+                    tlsConfigName:
+                      description: The name of an existing TLS configuration associated
+                        to the namespace to use
+                      type: string
                     url:
                       description: 'Webhooks only: HTTP url to invoke. Can be relative
                         if a base URL is set in the webhook plugin config'
@@ -28636,6 +28652,10 @@ paths:
                         description: 'Webhooks only: The transaction type to set on
                           the reply message'
                         type: string
+                      tlsConfigName:
+                        description: The name of an existing TLS configuration associated
+                          to the namespace to use
+                        type: string
                       url:
                         description: 'Webhooks only: HTTP url to invoke. Can be relative
                           if a base URL is set in the webhook plugin config'
@@ -28916,6 +28936,10 @@ paths:
                         description: 'Webhooks only: The transaction type to set on
                           the reply message'
                         type: string
+                      tlsConfigName:
+                        description: The name of an existing TLS configuration associated
+                          to the namespace to use
+                        type: string
                       url:
                         description: 'Webhooks only: HTTP url to invoke. Can be relative
                           if a base URL is set in the webhook plugin config'
@@ -36335,6 +36359,10 @@ paths:
                           description: 'Webhooks only: The transaction type to set
                             on the reply message'
                           type: string
+                        tlsConfigName:
+                          description: The name of an existing TLS configuration associated
+                            to the namespace to use
+                          type: string
                         url:
                           description: 'Webhooks only: HTTP url to invoke. Can be
                             relative if a base URL is set in the webhook plugin config'
@@ -36547,6 +36575,10 @@ paths:
                       description: 'Webhooks only: The transaction type to set on
                         the reply message'
                       type: string
+                    tlsConfigName:
+                      description: The name of an existing TLS configuration associated
+                        to the namespace to use
+                      type: string
                     url:
                       description: 'Webhooks only: HTTP url to invoke. Can be relative
                         if a base URL is set in the webhook plugin config'
@@ -36754,6 +36786,10 @@ paths:
                         description: 'Webhooks only: The transaction type to set on
                           the reply message'
                         type: string
+                      tlsConfigName:
+                        description: The name of an existing TLS configuration associated
+                          to the namespace to use
+                        type: string
                       url:
                         description: 'Webhooks only: HTTP url to invoke. Can be relative
                           if a base URL is set in the webhook plugin config'
@@ -36964,6 +37000,10 @@ paths:
                       description: 'Webhooks only: The transaction type to set on
                         the reply message'
                       type: string
+                    tlsConfigName:
+                      description: The name of an existing TLS configuration associated
+                        to the namespace to use
+                      type: string
                     url:
                       description: 'Webhooks only: HTTP url to invoke. Can be relative
                         if a base URL is set in the webhook plugin config'
@@ -37171,6 +37211,10 @@ paths:
                         description: 'Webhooks only: The transaction type to set on
                           the reply message'
                         type: string
+                      tlsConfigName:
+                        description: The name of an existing TLS configuration associated
+                          to the namespace to use
+                        type: string
                       url:
                         description: 'Webhooks only: HTTP url to invoke. Can be relative
                           if a base URL is set in the webhook plugin config'
@@ -37437,6 +37481,10 @@ paths:
                         description: 'Webhooks only: The transaction type to set on
                           the reply message'
                         type: string
+                      tlsConfigName:
+                        description: The name of an existing TLS configuration associated
+                          to the namespace to use
+                        type: string
                       url:
                         description: 'Webhooks only: HTTP url to invoke. Can be relative
                           if a base URL is set in the webhook plugin config'

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/golang-migrate/migrate/v4 v4.15.2
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/websocket v1.5.0
-	github.com/hyperledger/firefly-common v1.2.11
+	github.com/hyperledger/firefly-common v1.2.15
 	github.com/hyperledger/firefly-signer v1.1.8
 	github.com/jarcoal/httpmock v1.2.0
 	github.com/karlseguin/ccache v2.0.3+incompatible
@@ -85,4 +85,4 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-)
+)

go.sum

@@ -676,8 +676,10 @@ github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0m
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/hyperledger/firefly-common v1.2.11 h1:ePDHJtorKE6ss8PtoPlyqLb+cB0TDB7ziM85Gtyerqs=
-github.com/hyperledger/firefly-common v1.2.11/go.mod h1:17lOH4YufiPy82LpKm8fPa/YXJ0pUyq01zK1CmklJwM=
+github.com/hyperledger/firefly-common v1.2.14 h1:HON9GJZXvrL0l2AG5DWHSGiBh05hElgFS5lm1OPR83M=
+github.com/hyperledger/firefly-common v1.2.14/go.mod h1:17lOH4YufiPy82LpKm8fPa/YXJ0pUyq01zK1CmklJwM=
+github.com/hyperledger/firefly-common v1.2.15 h1:WdNB65IJvIyiOhVW3nxB3sQKqtJbdJ7ie0PJIM11CSU=
+github.com/hyperledger/firefly-common v1.2.15/go.mod h1:17lOH4YufiPy82LpKm8fPa/YXJ0pUyq01zK1CmklJwM=
 github.com/hyperledger/firefly-signer v1.1.8 h1:XyJjZXesih2dWYG31m5ZYt4irH7/PdkRutMPld7AqKE=
 github.com/hyperledger/firefly-signer v1.1.8/go.mod h1:vNbbROziwqkOmO0b+9ky3devjcFg0JIkR2M1KG7seTQ=
 github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=

go.work.sum

@@ -282,6 +282,8 @@ github.com/fsouza/fake-gcs-server v1.17.0 h1:OeH75kBZcZa3ZE+zz/mFdJ2btt9FgqfjI7g
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa h1:RDBNVkRviHZtvDvId8XSGPu3rmpmSe+wKRcEWNgsfWU=
 github.com/gabriel-vasile/mimetype v1.4.0 h1:Cn9dkdYsMIu56tGho+fqzh7XmvY2YyGU0FnbhiOsEro=
 github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7 h1:LofdAjjjqCSXMwLGgOgnE+rdPuvX9DxCqaHwKy7i/ko=
+github.com/getkin/kin-openapi v0.117.0 h1:QT2DyGujAL09F4NrKDHJGsUoIprlIcFVHWDVDcUFE8A=
+github.com/getkin/kin-openapi v0.117.0/go.mod h1:l5e9PaFUo9fyLJCPGQeXI2ML8c3P8BHOEV2VaAVf/pc=
 github.com/getsentry/raven-go v0.2.0 h1:no+xWJRb5ZI7eE8TWgIq1jLulQiIoLG0IfYxv5JYMGs=
 github.com/go-fonts/dejavu v0.1.0 h1:JSajPXURYqpr+Cu8U9bt8K+XcACIHWqWrvWCKyeFmVQ=
 github.com/go-fonts/latin-modern v0.2.0 h1:5/Tv1Ek/QCr20C6ZOz15vw3g7GELYL98KWr8Hgo+3vk=
@@ -374,6 +376,8 @@ github.com/hashicorp/serf v0.9.8 h1:JGklO/2Drf1QGa312EieQN3zhxQ+aJg6pG+aC3MFaVo=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hyperledger/firefly-common v1.2.8 h1:tPHgjGzQnPRXl77qHQd+dieu6N62NFEWhoGW7sn9u6U=
 github.com/hyperledger/firefly-common v1.2.8/go.mod h1:q6uawjzWAFekIMFb0t9EWpJQQvjvl2CFBikk6++8Woc=
+github.com/hyperledger/firefly-common v1.2.15 h1:WdNB65IJvIyiOhVW3nxB3sQKqtJbdJ7ie0PJIM11CSU=
+github.com/hyperledger/firefly-common v1.2.15/go.mod h1:17lOH4YufiPy82LpKm8fPa/YXJ0pUyq01zK1CmklJwM=
 github.com/iancoleman/strcase v0.2.0 h1:05I4QRnGpI0m37iZQRuskXh+w77mr6Z41lwQzuHLwW0=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639 h1:mV02weKRL81bEnm8A0HT1/CAelMQDBuQIfLw8n+d6xI=
 github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
@@ -528,7 +532,6 @@ github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTN
 github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE=
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY=
 github.com/zenazn/goji v0.9.0 h1:RSQQAbXGArQ0dIDEq+PI6WqN6if+5KHu6x2Cx/GXLTQ=
-gitlab.com/hfuss/mux-prometheus v0.0.5 h1:Kcqyiekx8W2dO1EHg+6wOL1F0cFNgRO1uCK18V31D0s=
 gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b h1:7gd+rd8P3bqcn/96gOZa3F5dpJr/vEiDQYlNb/y2uNs=
 go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
 go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489 h1:1JFLBqwIgdyHN1ZtgjTBwO+blA6gVOmZurpiMEsETKo=

internal/coreconfig/coreconfig.go

@@ -37,6 +37,12 @@ const (
 	NamespaceDescription = "description"
 	// NamespacePlugins is the list of namespace plugins
 	NamespacePlugins = "plugins"
+	// NamespaceTLSConfigName is the user-supplied name for the TLS Config
+	NamespaceTLSConfigName = "name"
+	// NamespaceTLSConfigs is the list of tls configs
+	NamespaceTLSConfigs = "tlsConfigs"
+	// NamespaceTLSConfigTLSSection is the section to provide the paths to CA , cert and key files
+	NamespaceTLSConfigTLSSection = "tls"
 	// NamespaceDefaultKey is the default signing key for blockchain transactions within this namespace
 	NamespaceDefaultKey = "defaultKey"
 	// NamespaceAssetKeyNormalization mechanism to normalize keys before using them. Valid options: "blockchain_plugin" - use blockchain plugin (default), "none" - do not attempt normalization