

[ FAB-5278 ] Multi-ca fvt test
Include basic configuration parsing, registration,
enroll, reenroll, revocation, multiple backend DBs,
haproxy, and TLS.

Change-Id: Iab2843d52cc56012cdd0dcffa69e964975c097d8
Signed-off-by: rennman <[email protected]>
rennman committed Jul 31, 2017
1 parent 919d632 commit 9895f6b
Showing 3 changed files with 268 additions and 26 deletions.
30 changes: 28 additions & 2 deletions scripts/fvt/fabric-ca_utils
@@ -57,8 +57,7 @@ ErrorExit() {
local msg="$1"
local rc="$2"
: ${rc:="RC"}
let $rc+=1
echo -e "\033[31m ****** ERROR ****** $msg \033[0m"
ErrorMsg "$msg" "$rc"
CleanUp $(eval echo \$$rc)
exit $(eval echo \$$rc)
}
@@ -753,3 +752,30 @@ EOF
;;
esac
}

function testStatus() {
local user="$1"
local driver="$2"
local ca_cfg_path="$3"
: ${driver:="sqlite3"}
: ${ca_cfg_path:="$CA_CFG_PATH"}
case $driver in
sqlite3)
user_status="$(sqlite3 $ca_cfg_path/$DB "SELECT * FROM users WHERE (id=\"$user\");")"
cert_status="$(sqlite3 $ca_cfg_path/$DB "SELECT * FROM certificates WHERE (id=\"$user\");")"

user_status_code="$(printf "$user_status" | awk -F'|' -v s=$user '$1~s {print $6}')"
cert_status_code="$(printf "$cert_status" | awk -F'|' -v s=$user '$1~s {print $5}')"
;;
mysql)
user_status_code=$(mysql --host=localhost --user=root --password=mysql -e "SELECT * FROM users WHERE (id=\"$user\");" $DB| awk -F'\t' -v u=$user '$1==u {print $6}')
cert_status_code=$(mysql --host=localhost --user=root --password=mysql -e "SELECT * FROM certificates WHERE (id=\"$user\") order by revoked_at;" $DB| awk -F'\t' -v u=$user '$1==u {print $5}')
;;
postgres)
user_status_code=$(/usr/bin/psql -U postgres -h localhost -c "SELECT id,state FROM users WHERE id='$user';" --dbname=fabric_ca | awk -v u=$user -F'|' '$1~u {gsub(/ /,"");print $2}')
cert_status_code=$(/usr/bin/psql -U postgres -h localhost -c "SELECT id,encode(status,'escape') FROM certificates WHERE id='$user' order by revoked_at;" --dbname=fabric_ca | awk -v u=$user -F'|' '$1~u {gsub(/ /,"");print $2}')
;;
esac
echo "$user_status_code $cert_status_code"
}

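Review bot: In testStatus the sqlite3 branch uses the query result as the printf format string (`printf "$user_status"`), so a `%` or backslash sequence in a row would be interpreted instead of passed through; `printf '%s' "$user_status"` keeps the data literal. The awk id filter also differs between backends — sqlite3 and postgres use a regex match (`$1~s`, `$1~u`) while mysql uses `$1==u`; since the SQL WHERE clause already restricts rows to the exact id the filter is redundant, and if it is kept `==` is the unambiguous form. None of user_status, cert_status, user_status_code or cert_status_code is declared `local`, so they leak into the caller's scope even though callers only consume stdout. The identity name is spliced straight into the SQL text in all three branches, which is acceptable for fixed fixture names but deserves a one-line comment, e.g. `# user comes from fixed test fixtures; not safe for arbitrary input`.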
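--- a/scripts/fvt/multica_test.sh
+++ b/scripts/fvt/multica_test.sh
@@ -0,0 +1,239 @@
+#!/bin/bash
+#
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+TESTCASE="multica-test"
+TDIR=/tmp/$TESTCASE
+FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
+SCRIPTDIR="$FABRIC_CA/scripts/fvt"
+TESTDATA="$FABRIC_CA/testdata"
+export DB="fabric_ca"
+. $SCRIPTDIR/fabric-ca_utils
+PROTO="http://"
+ROOT_CA_ADDR=localhost
+CA_PORT=17054
+TLSDIR="$TESTDATA"
+NUMINTCAS=4
+TIMEOUT=30
+MAXENROLL=$((2*NUMINTCAS))
+NUMUSERS=2
+RC=0
+
+function createRootCA() {
+# Start RootCA
+mkdir -p "$TDIR/ca0"
+$SCRIPTDIR/fabric-ca_setup.sh -I -x "$TDIR/ca0" -d $driver -m $MAXENROLL
+sed -i "/^ca:/,/^[^\t ]/ s@\(\(cert\|key\)file:\).*@\1@" /tmp/multica-test/ca0/runFabricCaFvt.yaml
+FABRIC_CA_SERVER_HOME="$TDIR/ca0" fabric-ca-server start -d --cacount $NUMINTCAS \
+--csr.hosts $ROOT_CA_ADDR --address $ROOT_CA_ADDR \
+-c $TDIR/ca0/runFabricCaFvt.yaml 2>&1 |
+tee $TDIR/ca0/server.log &
+pollServer fabric-ca-server $ROOT_CA_ADDR $CA_PORT $TIMEOUT
+}
+
+function enrollUser() {
+local user=$1
+local pswd=$2
+local caname=$3
+/usr/local/bin/fabric-ca-client enroll -d \
+--caname $caname \
+--mspdir $TDIR/$caname/$user/${user}msp \
+--id.maxenrollments $MAXENROLL \
+-u ${PROTO}$user:$pswd@$ROOT_CA_ADDR:$CA_PORT \
+-c $TDIR/$caname/enroll.yaml \
+--tls.certfiles $TLSDIR/root.pem \
+--csr.hosts $user@fab-client.raleigh.ibm.com,${user}.fabric.raleigh.ibm.com,127.42.42.$i
+return $?
+}
+
+function registerAndEnrollUser() {
+local user=$1
+local caname=$2
+local attrs='a=1,b=2,c=3,d=4,e=5,f=6,g=7,h=8,i=9,j=100000'
+local rc=0
+pswd=$(eval /usr/local/bin/fabric-ca-client register -u ${PROTO}admin:adminpw@$ROOT_CA_ADDR:$CA_PORT \
+--id.attrs "$attrs" \
+--caname $caname \
+--mspdir $TDIR/$caname/admin/adminmsp \
+--id.name $user \
+--id.type user \
+--id.maxenrollments $MAXENROLL \
+--id.affiliation bank_a \
+--tls.certfiles $TLSDIR/root.pem \
+-c $TDIR/$caname/register.yaml|tail -n1 | awk '{print $NF}')
+/usr/local/bin/fabric-ca-client enroll \
+--caname $caname \
+--mspdir $TDIR/$caname/$user/${user}msp \
+--id.maxenrollments $MAXENROLL \
+-u ${PROTO}$user:$pswd@$ROOT_CA_ADDR:$CA_PORT \
+-c $TDIR/$caname/$user/enroll.yaml \
+--tls.certfiles $TLSDIR/root.pem \
+--csr.hosts $user@fab-client.raleigh.ibm.com,$user.fabric.raleigh.ibm.com,127.37.37.$i
+return $?
+}
+
+function reenrollUser() {
+local user=$1
+local caname=$2
+local rc=0
+/usr/local/bin/fabric-ca-client reenroll \
+--caname $caname \
+--mspdir $TDIR/$caname/${user}/${user}msp \
+--id.maxenrollments $MAXENROLL \
+-u ${PROTO}@$ROOT_CA_ADDR:$CA_PORT \
+-c $TDIR/$caname/$user/enroll.yaml \
+--tls.certfiles $TLSDIR/root.pem \
+--csr.hosts ${user}@fab-client.raleigh.ibm.com,${user}.fabric.raleigh.ibm.com,127.42.42.$i
+return $?
+}
+
+function revokeUser() {
+local revoker=$1
+local user=$2
+local caname=$3
+local sn=$4
+local aki=$5
+local rc=0
+test -n "$sn" && local serial="--revoke.serial $sn"
+test -n "$aki" && local index="--revoke.aki $aki"
+export FABRIC_CA_CLIENT_HOME="$TDIR/$caname/$revoker"
+/usr/local/bin/fabric-ca-client revoke --caname $caname \
+--mspdir $TDIR/$caname/$revoker/${revoker}msp \
+-u ${PROTO}$ROOT_CA_ADDR:$CA_PORT \
+--revoke.name $user $serial $index --tls.certfiles $TLSDIR/root.pem
+return $?
+}
+
+function setTLS() {
+: ${FABRIC_TLS:="false"}
+if $($FABRIC_TLS); then
+PROTO="https://"
+fi
+}
+
+### Start Test ###
+for driver in sqlite3 postgres mysql; do
+
+# Expected codes
+# Result after enroll/reenroll -
+# user status: 1, certs status: all 'good'
+enrolledGood=$(printf "1 %s\n%s\n%s" good good good)
+# Result after revoking the current enrollment cert -
+# user status: 1, certs status: one revoked
+enrolledRevoked=$(printf "1 %s\n%s\n%s" good good revoked)
+# Result after revoking userid -
+# user status: -1, certs status: all 'revoked'
+revokedRevoked=$(printf -- "-1 %s\n%s\n%s" revoked revoked revoked)
+
+$SCRIPTDIR/fabric-ca_setup.sh -R -x $TDIR/ca0 -D -d $driver
+rm -rf $TDIR
+
+# if ENV FABRIC_TLS=true, use TLS
+setTLS
+
+createRootCA || ErrorExit "Failed to create root CA"
+
+USERS=("admin" "admin2" "notadmin" "testUser" "testUser2" "testUser3" )
+PSWDS=("adminpw" "adminpw2" "pass" "user1" "user2" "user3" )
+# roundrobin through all servers in pool and enroll users
+u=-1; while test $((u++)) -lt ${#USERS[u]}; do
+i=0;while test $((i++)) -lt $NUMINTCAS; do
+for iter in {0..1}; do
+# Issue duplicate enroll to ensure proper processing of multiple requests
+enrollUser ${USERS[u]} ${PSWDS[u]} ca$i || ErrorExit "Failed to enroll ${USERS[u]} to ca$i"
+done
+done
+done
+
+# enrolling beyond the configured MAXENROLL should fail
+u=-1; while test $((u++)) -lt ${#USERS[u]}; do
+i=0;while test $((i++)) -lt $NUMINTCAS; do
+enrollUser ${USERS[u]} ${PSWDS[u]} ca$i && ErrorExit "Should have failedto enroll ${USERS[u]} to ca$i"
+done
+done
+
+i=0;while test $((i++)) -lt $NUMINTCAS; do
+j=0;while test $((j++)) -lt $NUMUSERS; do
+registerAndEnrollUser user$i$j ca$i || ErrorExit "Enroll user$i$j to CA ca$i failed"
+done
+done
+
+# roundrobin through all servers in pool and renroll users
+for iter in {0..1}; do
+# Issue duplicate reenroll to ensure proper processing of multiple requests
+i=0;while test $((i++)) -lt $NUMINTCAS; do
+j=0;while test $((j++)) -lt $NUMUSERS; do
+reenrollUser user$i$j ca$i || ErrorExit "reenrollUser user$i$j ca$i failed"
+done
+done
+done
+
+# notadmin cannot revoke
+revokeUser notadmin user11 ca1 2>&1 | egrep "Identity 'notadmin' does not have attribute 'hf.Revoker'"
+test "$?" -ne 0 && ErrorMsg "Non-revoker successfully revoked cert or failed for incorrect reason"
+
+# Check the DB contents
+i=0;while test $((i++)) -lt $NUMINTCAS; do
+j=0;while test $((j++)) -lt $NUMUSERS; do
+test "$(testStatus user$i$j $driver $TDIR/ca0 )" = "$enrolledGood" ||
+ErrorMsg "Incorrect user/certificate status for $user$i$j" RC
+done
+done
+
+i=0;while test $((i++)) -lt $NUMINTCAS; do
+j=0;while test $((j++)) -lt $NUMUSERS; do
+c="$TDIR/ca$i/user$i$j/user$i${j}msp/signcerts/cert.pem"
+# Grab the serial number of user$i$j cert
+SN_UC="$(openssl x509 -noout -serial -in $c | awk -F'=' '{print toupper($2)}')"
+# and the auth keyid of notadmin cert - translate upper to lower case
+AKI_UC=$(openssl x509 -noout -text -in $c |awk '/keyid/ {gsub(/ *keyid:|:/,"",$1);print toupper($0)}')
+# Revoke the certs
+echo "SN ---> $SN_UC"
+echo "AKI ---> $AKI_UC"
+revokeUser admin user$i$j ca$i "$SN_UC" "$AKI_UC"
+#### Ensure that revoking an already revoked cert doesn't blow up
+echo "=========================> Issuing duplicate revoke by -s -a"
+revokeUser admin user$i$j ca$i "$SN_UC" "$AKI_UC"
+test "$(testStatus user$i$j $driver $TDIR/ca0 )" = "$enrolledRevoked" ||
+ErrorMsg "Incorrect user/certificate status for user$i$j" RC
+done
+done
+
+i=0;while test $((i++)) -lt $NUMINTCAS; do
+j=0;while test $((j++)) -lt $NUMUSERS; do
+echo "=========================> REVOKING by --eid"
+revokeUser admin user$i$j ca$i
+#### Ensure that revoking an already revoked cert doesn't blow up
+echo "=========================> Issuing duplicate revoke by -s -a"
+revokeUser admin user$i$j ca$i
+test "$(testStatus user$i$j $driver $TDIR/ca0 )" = "$revokedRevoked" ||
+ErrorMsg "Incorrect user/certificate status for user$i$j" RC
+done
+done
+
+#### Revoke admin cert
+i=0;while test $((i++)) -lt $NUMINTCAS; do
+j=0;while test $((j++)) -lt $NUMUSERS; do
+echo "=========================> REVOKING self"
+revokeUser admin admin ca$i
+# Verify that the cert is no longer usable
+revokeUser admin user$i$j ca$i 2>&1 | egrep "Authorization failure"
+test $? -ne 0 && ErrorMsg "Improper revocation using revoked certificate" RC
+done
+done
+
+$SCRIPTDIR/fabric-ca_setup.sh -L -x $TDIR/ca0 -D -d $driver
+kill $(ps -x -o pid,comm | awk '$2~/fabric-ca-serve/ {print $1}')
+done
+
+# If the test failed, leave the results for debugging
+test "$RC" -eq 0 && $SCRIPTDIR/fabric-ca_setup.sh -R -x $CA_CFG_PATH -d $driver
+
+### Clean up ###
+rm -f $TESTDATA/openssl.cnf.base.req
+CleanUp "$RC"
+exit $RC
+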
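Review bot: setTLS decides whether to switch to https by executing the value of the FABRIC_TLS environment variable as a command (`if $($FABRIC_TLS); then`), so anything other than a literal `true`/`false` in that variable gets run by the test harness; compare the string instead: `if [[ "${FABRIC_TLS}" == "true" ]]; then`. The same shell-reparse pattern appears in registerAndEnrollUser, where `pswd=$(eval /usr/local/bin/fabric-ca-client register ...)` re-evaluates the already-expanded argument list (including `--id.attrs "$attrs"` and `--id.name $user`) for no benefit — drop the `eval`. The two user loops terminate on `${#USERS[u]}` (the length of one element) rather than `${#USERS[@]}` (the array length); they happen to run all six users only because each fixture name is longer than its index. createRootCA also hard-codes `/tmp/multica-test/ca0/runFabricCaFvt.yaml` on its sed line where `$TDIR/ca0` is used everywhere else, and the first ErrorMsg in the "Check the DB contents" loop prints `$user$i$j` with `$user` unset, so the message names the wrong identity.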
25 changes: 1 addition & 24 deletions scripts/fvt/revoke_test.sh
@@ -25,7 +25,7 @@ URI="${PROTO}user:pass@localhost:$PROXY_PORT"
genAffYaml() {
local Planet=(0 1)
local Landmass=(0)
local Country=(0 1)
local Country=(0 1)
local Province=(0 1 2)
local Locale=(0)
local City=(0 1)
@@ -68,29 +68,6 @@ genAffYaml() {
indent="${indent} "
}

function testStatus() {
local user="$1"
local driver="$2"
: ${driver:="sqlite3"}
case $driver in
sqlite3)
user_status=$(sqlite3 $CA_CFG_PATH/$DB "SELECT * FROM users WHERE (id=\"$user\");")
cert_status=$(sqlite3 $CA_CFG_PATH/$DB "SELECT * FROM certificates WHERE (id=\"$user\");")
user_status_code=$(echo $user_status | awk -F'|' '{print $6}')
cert_status_code=$(echo $cert_status | awk -F'|' '{print $5}')
;;
mysql)
user_status_code=$(mysql --host=localhost --user=root --password=mysql -e "SELECT * FROM users WHERE (id=\"$user\");" $DB| awk -F'\t' -v u=$user '$1~u {print $6}')
cert_status_code=$(mysql --host=localhost --user=root --password=mysql -e "SELECT * FROM certificates WHERE (id=\"$user\");" $DB| awk -F'\t' -v u=$user '$1~u {print $5}')
;;
postgres)
user_status_code=$(/usr/bin/psql -U postgres -h localhost -c "SELECT id,state FROM users WHERE id='$user';" --dbname=fabric_ca | awk -v u=$user -F'|' '$1~u {gsub(/ /,"");print $2}')
cert_status_code=$(/usr/bin/psql -U postgres -h localhost -c "SELECT id,encode(status,'escape') FROM certificates WHERE id='$user';" --dbname=fabric_ca | awk -v u=$user -F'|' '$1~u {gsub(/ /,"");print $2}')
;;
esac
echo "$user_status_code $cert_status_code"
}

# Expected codes
# user cert
enrolledGood="1 good"

