[ FAB-5009 ] Update intermediate CA test

The current intermediate test does not test using TLS, nor does it test multiple backend DBs. This adds that support, as well and add enroll/reenroll testing. Since the addition of multiple server starts, the utility files have been updated to speep up start detection. This should improve the runtime of the tests. Change-Id: I84c49878e2e17bd5ac98753b0c10c1a4d479d394 Signed-off-by: rennman <[email protected]>
hyperledger · Jul 28, 2017 · 72e010e · 72e010e
1 parent d24c05c
commit 72e010e
Show file tree

Hide file tree

Showing 10 changed files with 370 additions and 89 deletions.
diff --git a/scripts/fvt/enroll.sh b/scripts/fvt/enroll.sh
@@ -10,9 +10,9 @@ FABRIC_CAEXEC="$FABRIC_CA/bin/fabric-ca"
 TESTDATA="$FABRIC_CA/testdata"
 SCRIPTDIR="$FABRIC_CA/scripts/fvt"
 . $SCRIPTDIR/fabric-ca_utils
-HOST="http://localhost:8888"
+HOST="http://localhost:$PROXY_PORT"
 RC=0
-$($FABRIC_TLS) && HOST="https://localhost:8888"
+$($FABRIC_TLS) && HOST="https://localhost:$PROXY_PORT"
 
 while getopts "du:p:t:l:x:" option; do
   case "$option" in

diff --git a/scripts/fvt/enrollments_test.sh b/scripts/fvt/enrollments_test.sh
@@ -54,7 +54,7 @@ registry:
           hf.Revoker: true
 ldap:
    enabled: false
-   url: ldap://admin:adminpw@localhost:7054/base
+   url: ldap://admin:adminpw@localhost:$LDAP_PORT/base
    tls:
       certfiles:
         - ldap-server-cert.pem
@@ -124,7 +124,7 @@ registry:
           hf.Revoker: true
 ldap:
    enabled: false
-   url: ldap://admin:adminpw@localhost:7054/base
+   url: ldap://admin:adminpw@localhost:$LDAP_PORT/base
    tls:
       certfiles:
         - ldap-server-cert.pem
@@ -188,7 +188,7 @@ trap "CleanUp 1; exit 1" INT
 # explicitly set value to '1'
    # user can only enroll once
    MAX_ENROLL=1
-   $SCRIPTDIR/fabric-ca_setup.sh -R -x $CA_CFG_PATH 
+   $SCRIPTDIR/fabric-ca_setup.sh -R -x $CA_CFG_PATH
    $SCRIPTDIR/fabric-ca_setup.sh -I -S -X -m $MAX_ENROLL
    i=0
    while test $((i++)) -lt "$MAX_ENROLL"; do

diff --git a/scripts/fvt/fabric-ca_setup.sh b/scripts/fvt/fabric-ca_setup.sh
@@ -141,7 +141,7 @@ defaults
       timeout server 50000
 
 frontend haproxy
-      bind *:8888
+      bind *:$PROXY_PORT
       mode tcp
       option tcplog
       default_backend fabric-cas
@@ -176,7 +176,7 @@ listen stats
       stats enable
 
 frontend haproxy
-      bind *:8888
+      bind *:$PROXY_PORT
       mode http
       option tcplog
       default_backend fabric-cas
@@ -208,6 +208,7 @@ function startFabricCa() {
                     # --db.datasource $DATASRC --ca.keyfile $DST_KEY --config $RUNCONFIG 2>&1 | sed 's/^/     /' &
    until test "$started" = "$server_addr:${USER_CA_PORT-$CA_DEFAULT_PORT}" -o "$now" -gt "$timeout"; do
       started=$(ss -ltnp src $server_addr:${USER_CA_PORT-$CA_DEFAULT_PORT} | awk 'NR!=1 {print $4}')
+      test "$started" = "$server_addr:${USER_CA_PORT-$CA_DEFAULT_PORT}" && break
       sleep .5
       let now+=1
    done
@@ -261,7 +262,7 @@ done
 : ${TIMEOUT:="10"}
 : ${HTTP_PORT:="3755"}
 : ${DBNAME:="fabric_ca"}
-: ${MAXENROLL:="1"}
+: ${MAXENROLL:="-1"}
 : ${AUTH:="true"}
 : ${DRIVER:="sqlite3"}
 : ${FABRIC_CA_INSTANCES:=1}

diff --git a/scripts/fvt/fabric-ca_utils b/scripts/fvt/fabric-ca_utils
@@ -16,8 +16,9 @@ export PGPASSWORD='postgres'
 export MSP_KEY_DIR='msp/keystore'
 export MSP_CERT_DIR='msp/signcerts'
 export ROOTCERT="$TESTDATA/root.pem"
-export CA_HOST_ADDRESS="127.0.0.1"
-export CA_DEFAULT_PORT="7054"
+export CA_HOST_ADDRESS="localhost"
+export PROXY_PORT="7054"
+export CA_DEFAULT_PORT="1${PROXY_PORT}"
 
 DATE='date +%Y-%m-%d'
 TIME='date +%I:%M:%S%p'
@@ -98,14 +99,16 @@ pollServer() {
 
    # continue to poll host:port until
    # we either get a response, or reach timeout
-   while test "$(($(date +%s)-starttime))" -lt "$timeout" -a $rc -ne 0
+   while test "$(($(date +%s)-starttime))" -lt "$((timeout*2))" -a $rc -ne 0
    do
-      sleep 1
       printf "\r%s%03d" "Waiting for $app start on $host:$port ..." "$(($(date +%s)-starttime))"
+      ss -lpnt "src $host:$port"
       isReachable "$host" "$port"
       rc=$?
+      test $rc -eq 0 && break
+      sleep .5
    done
-   echo ""
+   echo "Server rc $rc"
    return $rc
 }
 
@@ -231,7 +234,7 @@ enroll() {
    local FABRIC_CA_KEY_FILE="$FABRIC_CA_ENROLLMENT_DIR/$MSP_KEY_DIR/key.pem"
    local FABRIC_CA_CLIENT_HOME=$FABRIC_CA_ENROLLMENT_DIR
    local HOST="localhost"
-   local PORT="8888"
+   local PORT="$PROXY_PORT"
    local RC=0
    export FABRIC_CA_CLIENT_HOME
    export FABRIC_CA_ENROLLMENT_DIR
@@ -241,7 +244,7 @@ enroll() {
 
    # Determines the PROTO and TLSOPT values based on FABRIC_TLS setting
    setTLS
-   $FABRIC_CA_CLIENTEXEC enroll -u "${PROTO}${username}:${userpswd}@${HOST}:${PORT}" $TLSOPT \
+   $FABRIC_CA_CLIENTEXEC enroll -u "${PROTO}${username}:${userpswd}@${CA_HOST_ADDRESS}:$PROXY_PORT" $TLSOPT \
                          -c $ENROLLCONFIG \
                          --csr.hosts "$username@fab-client.raleigh.ibm.com" \
                          --csr.hosts "$username.fabric.raleigh.ibm.com,127.0.0.2"
@@ -253,19 +256,19 @@ enroll() {
 }
 
 reenroll() {
-   # Input : username, certfile, keyfile
-   # Output: new cert written to certfile, new key to keyfile
+   local USERNAME="$1"
+   : ${USERNAME:="admin"}
+   local FABRIC_CA_ENROLLMENT_DIR="$CA_CFG_PATH/$USERNAME"
+   local FABRIC_CA_CERT_FILE="$FABRIC_CA_ENROLLMENT_DIR/$MSP_CERT_DIR/cert.pem"
+   local FABRIC_CA_KEY_FILE="$FABRIC_CA_ENROLLMENT_DIR/$MSP_KEY_DIR/key.pem"
+   local FABRIC_CA_CLIENT_HOME=$FABRIC_CA_ENROLLMENT_DIR
    local HOST="localhost"
-   local PORT="8888"
-   local PROTO="http://"
+   local PORT="$PROXY_PORT"
    local RC=0
+   export FABRIC_CA_CLIENT_HOME
+   export FABRIC_CA_ENROLLMENT_DIR
 
-   local USERNAME="$1"
-   local FABRIC_CA_CERT_FILE="$2"
-   local FABRIC_CA_KEY_FILE="$3"
-   local FABRIC_CA_CLIENT_HOME=''
-   : ${USERNAME="admin"}
-   FABRIC_CA_CLIENT_HOME="$CA_CFG_PATH/$USERNAME"
+   test -d "$FABRIC_CA_ENROLLMENT_DIR" || mkdir -p "$FABRIC_CA_ENROLLMENT_DIR"
    FABRIC_CA_CERT_FILE="$FABRIC_CA_CLIENT_HOME/$MSP_CERT_DIR/cert.pem"
    FABRIC_CA_KEY_FILE="$FABRIC_CA_CLIENT_HOME/$MSP_KEY_DIR/key.pem"
 
@@ -275,7 +278,7 @@ reenroll() {
    ENROLLCONFIG="$FABRIC_CA_CLIENT_HOME/enroll.yaml"
    export FABRIC_CA_CLIENT_HOME
    setTLS
-   $FABRIC_CA_CLIENTEXEC reenroll -u $PROTO$HOST:$PORT $TLSOPT -c $ENROLLCONFIG
+   $FABRIC_CA_CLIENTEXEC reenroll -u $PROTO${CA_HOST_ADDRESS}:$PROXY_PORT $TLSOPT -c $ENROLLCONFIG
    RC=$?
    $($FABRIC_CA_DEBUG) && printAuth $FABRIC_CA_CERT_FILE $FABRIC_CA_KEY_FILE
    $SCRIPTDIR/fabric-ca_setup.sh -L -d $driver
@@ -297,13 +300,13 @@ register() {
    : ${USERATTR:='test=testValue'}
    local FABRIC_CA_ENROLLMENT_DIR="$6"
    #FIXME - should not require USER:PASS
-   local HOST="USER:PASS@localhost:8888"
 
    : ${FABRIC_CA_ENROLLMENT_DIR:="$CA_CFG_PATH/$REGISTRAR"}
+   : ${FABRIC_CA_CLIENT_HOME:="$CA_CFG_PATH/$REGISTRAR"}
 
    export FABRIC_CA_ENROLLMENT_DIR
    setTLS
-   $FABRIC_CA_CLIENTEXEC register -u "$PROTO$HOST" $TLSOPT \
+   $FABRIC_CA_CLIENTEXEC register -u "$PROTO${CA_HOST_ADDRESS}:$PROXY_PORT" $TLSOPT \
                            --id.name "$USERNAME" \
                            --id.type "$USERTYPE" \
                            --id.maxenrollments 1 \
@@ -507,12 +510,12 @@ cat > $runconfig <<EOF
             "timestamping"
          ],
          "expiry": "8000h",
-         "crl_url": "http://localhost:3755/TestCRL.crl",
-         "ca_constraint": {
-            "is_ca": true,
-            "max_path_len": 1,
-            "ocsp_no_check": true,
-            "not_before": "2016-12-30T00:00:00.000Z"
+         "crlurl": "http://localhost:3755/TestCRL.crl",
+         "caconstraint": {
+            "isca": true,
+            "maxpathlen": 1,
+            "ocspnocheck": true,
+            "notbefore": "2016-12-30T00:00:00.000Z"
          }
       }
    },
@@ -551,6 +554,18 @@ EOF
 registry:
   maxEnrollments: $maxEnroll
   identities:
+$(for i in {1..16}; do
+echo "    - name: intermediateCa$i
+      pass: intermediateCa${i}pw
+      type: client
+      affiliation: \"\"
+      maxenrollments: $maxEnroll
+      attrs:
+         hf.Registrar.Roles: \"client,user,peer,validator,auditor\"
+         hf.Registrar.DelegateRoles: \"client,user,validator,auditor\"
+         hf.Revoker: true
+         hf.IntermediateCA: true"
+done)
     - name: admin
       pass: adminpw
       type: client
@@ -560,6 +575,7 @@ registry:
         hf.Registrar.Roles: \"client,user,peer,validator,auditor,ca\"
         hf.Registrar.DelegateRoles: \"client,user,validator,auditor\"
         hf.Revoker: true
+        hf.IntermediateCA: true
     - name: admin2
       pass: adminpw2
       type: client
@@ -629,6 +645,17 @@ cat > $runconfig <<EOF
 address: $CA_HOST_ADDRESS
 port: $CA_DEFAULT_PORT
 debug: $FABRIC_CA_DEBUG
+tls:
+  enabled: $TLS_ON
+  certfile: $TESTDATA/tls_server-cert.pem
+  keyfile: $TESTDATA/tls_server-key.pem
+  clientauth:
+    type: noclientcert
+    certfiles:
+ca:
+  name:
+  certfile: $serverCert
+  keyfile: $serverKey
 db:
   type: $driver
   datasource: $datasrc
@@ -639,13 +666,6 @@ db:
      client:
        certfile: $TESTDATA/tls_server-cert.pem
        keyfile: $TESTDATA/tls_server-key.pem
-tls:
-  enabled: $TLS_ON
-  certfile: $TESTDATA/tls_server-cert.pem
-  keyfile: $TESTDATA/tls_server-key.pem
-ca:
-  certfile: $serverCert
-  keyfile: $serverKey
 $registry
 ldap:
   enabled: $LDAP_ENABLE
@@ -670,21 +690,30 @@ affiliations:
     - department1
     - department2
 signing:
-  profiles:
   default:
     usage:
       - cert sign
       - crl sign
       - digital signature
       - key encipherment
       - timestamping
-    expiry: 8000h
-    crl_url: http://localhost:3755/TestCRL.crl
-    ca_constraint:
-      is_ca: true
-      max_path_len: 1
-      ocsp_no_check: true
-      not_before: 2016-12-30T00:00:00Z
+    expiry: 17520h
+    caconstraint:
+      isca: true
+      maxpathlen: 1
+      ocspnocheck: true
+      notbefore: 2016-12-30T00:00:00Z
+  profiles:
+     ca:
+       usage:
+         - cert sign
+         - crl sign
+       expiry: 17520h
+       caconstraint:
+         isca: true
+         maxpathlen: 0
+         ocspnocheck: true
+         notbefore: 2016-12-30T00:00:00Z
 csr:
   names:
     - C: US
@@ -694,16 +723,32 @@ csr:
       OU: Fabric
   hosts:
     - fabricCa.hyperledger.example.com
+    - localhost
   ca:
-    pathlen:
-    pathlenzero:
-    expiry:
-crypto:
-  software:
-    hash_family: SHA2
-    security_level: 256
-    ephemeral: false
-    key_store_dir: keys
+    expiry: 131400h
+    pathlength: 1
+bccsp:
+  default: SW
+  sw:
+    hash: SHA2
+    security: 256
+    filekeystore:
+      keystore:
+cacount:
+cafiles:
+intermediate:
+  parentserver:
+    url:
+    caname:
+  enrollment:
+    hosts:
+    profile:
+    label:
+  tls:
+    certfiles:
+    client:
+      certfile:
+      keyfile:
 EOF
    ;;
    esac