Add config debug

- Info log CA config upon startup (consistent with fabric peer approach) - Info log FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3 setting - Debug log when falling back to COMPATIBILITY_MODE_V1_3 authentication header validation Signed-off-by: David Enyeart <[email protected]>
hyperledger · Feb 7, 2025 · 087bcb3 · 087bcb3
1 parent a5bb4b7
commit 087bcb3
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 1 deletion.
diff --git a/cmd/fabric-ca-server/config.go b/cmd/fabric-ca-server/config.go
@@ -19,6 +19,7 @@ import (
 	"github.com/hyperledger/fabric-ca/lib/metadata"
 	"github.com/hyperledger/fabric-ca/util"
 	"github.com/pkg/errors"
+	"gopkg.in/yaml.v2"
 )
 
 const (
@@ -578,6 +579,33 @@ func (s *ServerCmd) configInit() (err error) {
 		return err
 	}
 
+	// Info logging for CA config, includes yaml file settings and environment variable overrides
+	allSettings := s.myViper.AllSettings()
+	settingsYaml, err := yaml.Marshal(allSettings)
+	if err == nil {
+		// Exclude config lines with sensitive configurations
+		lines := strings.Split(string(settingsYaml), "\n")
+		var filteredLines []string
+		excludedKeywords := []string{"password", "secret", "ldap", "tcp"} // Sensitive configurations to exclude
+
+		for _, line := range lines {
+			lowerLine := strings.ToLower(line)
+			exclude := false
+			for _, keyword := range excludedKeywords {
+				if strings.Contains(lowerLine, keyword) {
+					exclude = true
+					break
+				}
+			}
+			if !exclude {
+				filteredLines = append(filteredLines, line)
+			}
+		}
+
+		filteredYaml := strings.Join(filteredLines, "\n")
+		log.Infof("CA config with combined yaml file and environment variable overrides (sensitive lines excluded):\n%s", filteredYaml)
+	}
+
 	// Read operations tls files
 	if s.myViper.GetBool("operations.tls.enabled") {
 		cf := s.myViper.GetString("operations.tls.cert.file")

diff --git a/lib/server.go b/lib/server.go
@@ -331,8 +331,10 @@ func (s *Server) initConfig() (err error) {
 	s.makeFileNamesAbsolute()
 
 	if compModeStr := os.Getenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3"); compModeStr == "" {
+		log.Info("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3 not set, defaulting to false")
 		s.Config.CompMode1_3 = false
 	} else {
+		log.Infof("Using FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3 value of %s", compModeStr)
 		s.Config.CompMode1_3, err = strconv.ParseBool(compModeStr)
 		if err != nil {
 			return errors.WithMessage(err, "Invalid value for boolean environment variable 'FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3'")

diff --git a/util/util.go b/util/util.go
@@ -233,8 +233,9 @@ func VerifyToken(csp bccsp.BCCSP, token string, method, uri string, body []byte,
 	}
 
 	valid, validErr := csp.Verify(pk2, sig, digest, nil)
+
 	if compMode1_3 && !valid {
-		log.Debugf("Failed to verify token based on new authentication header requirements: %s", err)
+		log.Debugf("Failed to verify token based on new authentication header requirements (initial validation error: %s), attempting with COMPATIBILITY_MODE_V1_3 verification", validErr)
 		sigString := b64Body + "." + b64Cert
 		digest, digestError := csp.Hash([]byte(sigString), &bccsp.SHAOpts{})
 		if digestError != nil {