gitee.com/Mydawng/fabric-ca@v2.0.0-alpha.0.20201214145411-9ea68369cb61+incompatible/lib/server_test.go (about) 1 /* 2 Copyright IBM Corp. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package lib_test 8 9 import ( 10 "bytes" 11 "crypto/tls" 12 "crypto/x509" 13 "fmt" 14 "io" 15 "io/ioutil" 16 "math/rand" 17 "net" 18 "net/http" 19 "os" 20 "path" 21 "path/filepath" 22 "strconv" 23 "strings" 24 "sync" 25 "testing" 26 "time" 27 28 "github.com/cloudflare/cfssl/certdb" 29 "github.com/cloudflare/cfssl/csr" 30 "github.com/hyperledger/fabric-ca/internal/pkg/api" 31 "github.com/hyperledger/fabric-ca/internal/pkg/util" 32 . "github.com/hyperledger/fabric-ca/lib" 33 "github.com/hyperledger/fabric-ca/lib/metadata" 34 "github.com/hyperledger/fabric-ca/lib/server/db" 35 "github.com/hyperledger/fabric-ca/lib/server/db/mysql" 36 "github.com/hyperledger/fabric-ca/lib/server/operations" 37 cadbuser "github.com/hyperledger/fabric-ca/lib/server/user" 38 libtls "github.com/hyperledger/fabric-ca/lib/tls" 39 "github.com/hyperledger/fabric/bccsp/factory" 40 . "github.com/onsi/gomega" 41 "github.com/onsi/gomega/gbytes" 42 "github.com/spf13/viper" 43 "github.com/stretchr/testify/assert" 44 ) 45 46 const ( 47 rootPort = 7075 48 rootDir = "rootDir" 49 intermediatePort = 7076 50 intermediateDir = "intDir" 51 testdataDir = "../testdata" 52 pportEnvVar = "FABRIC_CA_SERVER_PROFILE_PORT" 53 testdata = "../testdata" 54 ) 55 56 func TestMain(m *testing.M) { 57 metadata.Version = "1.1.0" 58 os.Exit(m.Run()) 59 } 60 61 func TestSRVServerInit(t *testing.T) { 62 server := TestGetRootServer(t) 63 if server == nil { 64 return 65 } 66 67 err := server.Init(false) 68 if err != nil { 69 t.Errorf("First server init failed") 70 } 71 defer func() { 72 err = os.RemoveAll(rootDir) 73 if err != nil { 74 t.Errorf("RemoveAll failed: %s", err) 75 } 76 }() 77 err = server.Init(false) 78 if err != nil { 79 t.Errorf("Second server init failed") 80 } 81 err = server.Init(true) 82 if err != nil { 83 t.Errorf("Third Server init renew failed: %s", err) 84 } 85 // Verify that the duration of the newly created certificate is 15 years 86 d, err := util.GetCertificateDurationFromFile(path.Join(rootDir, "ca-cert.pem")) 87 assert.NoError(t, err) 88 assert.True(t, d.Hours() == 131400, fmt.Sprintf("Expecting 131400 but found %f", d.Hours())) 89 90 server.Config.CAcfg.CA.Certfile = "../testdata/ec.pem" 91 server.Config.CAcfg.CA.Keyfile = "../testdata/ec-key.pem" 92 err = server.Init(false) 93 if err != nil { 94 t.Errorf("Server init with known key/cert files failed: %s", err) 95 } 96 server.Config.CAcfg.CA.Certfile = "" 97 server.Config.CAcfg.CA.Keyfile = "" 98 err = server.Init(false) 99 if err != nil { 100 t.Errorf("Server init with known key/cert files failed: %s", err) 101 } 102 103 // Fail case - cannot get home directory 104 wd, err := os.Getwd() 105 if err != nil { 106 t.Fatalf("failed to get cwd: %s", err) 107 } 108 td, err := ioutil.TempDir("", "ServerInitStat") 109 if err != nil { 110 t.Fatalf("failed to get tmp dir: %s", err) 111 } 112 defer func() { 113 err = os.RemoveAll(td) 114 if err != nil { 115 t.Fatalf("RemoveAll failed: %s", err) 116 } 117 }() 118 server.HomeDir = "" 119 err = os.Chdir(td) 120 if err != nil { 121 t.Fatalf("failed to cd to %v: %s", td, err) 122 } 123 defer func() { 124 err = os.Chdir(wd) 125 if err != nil { 126 t.Fatalf("failed to cd to %v: %s", wd, err) 127 } 128 }() 129 fileInfo, err := os.Stat(".") 130 if err != nil { 131 t.Fatalf("os.Stat failed on current dir: %s", err) 132 } 133 oldmode := fileInfo.Mode() 134 curd, err := os.Getwd() 135 t.Logf("Current dir: %s", fileInfo.Name()) 136 t.Logf("Current curd: %v", curd) 137 err = os.Chmod(".", 0000) 138 if err != nil { 139 t.Fatalf("Chmod on %s failed: %s", fileInfo.Name(), err) 140 } 141 defer func() { 142 err = os.Chmod(td, oldmode) 143 if err != nil { 144 t.Fatalf("Chmod on %s failed: %s", td, err) 145 } 146 }() 147 148 err = server.Init(false) 149 t.Logf("Server.Init error: %v", err) 150 if err == nil { 151 t.Errorf("Server init should have failed (permission error)") 152 } 153 154 server.HomeDir = "" 155 } 156 157 func TestSRVRootServer(t *testing.T) { 158 var err error 159 var admin, user1 *Identity 160 var rr *api.RegistrationResponse 161 var recs []db.CertRecord 162 163 // Start the server 164 server := TestGetRootServer(t) 165 if server == nil { 166 return 167 } 168 err = server.Start() 169 if err != nil { 170 t.Fatalf("Server start failed: %s", err) 171 } 172 defer func() { 173 err = server.Stop() 174 if err != nil { 175 t.Errorf("Failed to stop server: %s", err) 176 } 177 err = os.RemoveAll(rootDir) 178 if err != nil { 179 t.Errorf("RemoveAll failed: %s", err) 180 } 181 err = os.RemoveAll("../testdata/msp") 182 if err != nil { 183 t.Errorf("RemoveAll failed: %s", err) 184 } 185 }() 186 err = server.Start() 187 t.Logf("Starting duplicate CA server: %s", err) 188 if err == nil { 189 t.Fatalf("Server start should have failed") 190 } 191 192 // Enroll request 193 client := getRootClient() 194 eresp, err := client.Enroll(&api.EnrollmentRequest{ 195 Name: "admin", 196 Secret: "adminpw", 197 }) 198 if err != nil { 199 t.Fatalf("Failed to enroll admin2/admin2pw: %s", err) 200 } 201 admin = eresp.Identity 202 // test registration permissions wrt roles and affiliation 203 testRegistration(admin, t) 204 // Register user1 205 rr, err = admin.Register(&api.RegistrationRequest{ 206 Name: "user1", 207 Type: "user", 208 Affiliation: "hyperledger.fabric.security", 209 Attributes: []api.Attribute{api.Attribute{Name: "attr1", Value: "val1"}}, 210 }) 211 if err != nil { 212 t.Fatalf("Failed to register user1: %s", err) 213 } 214 // Enroll user1 with an explicit OU. Make sure it is ignored. 215 eresp, err = client.Enroll(&api.EnrollmentRequest{ 216 Name: "user1", 217 Secret: rr.Secret, 218 CSR: &api.CSRInfo{Names: []csr.Name{csr.Name{OU: "foobar"}}}, 219 }) 220 if err != nil { 221 t.Fatalf("Failed to enroll user1: %s", err) 222 } 223 user1 = eresp.Identity 224 // Make sure the OUs are correct based on the identity type and affiliation 225 cert := user1.GetECert().GetX509Cert() 226 assert.NotNil(t, cert, "Failed to get user1's enrollment certificate") 227 228 assert.Contains( 229 t, 230 cert.Subject.OrganizationalUnit, 231 "user", 232 "hyperledger", 233 "fabric", 234 "security", 235 ) 236 237 // The admin ID should have 1 cert in the DB now 238 dba := server.CA.CertDBAccessor() 239 recs, err = dba.GetCertificatesByID("admin") 240 if err != nil { 241 t.Errorf("Could not get admin's certs from DB: %s", err) 242 } 243 if len(recs) != 1 { 244 t.Errorf("Admin should have 1 cert in DB but found %d", len(recs)) 245 } 246 _, err = dba.GetUnexpiredCertificates() 247 if err != nil { 248 t.Errorf("Failed to get unexpired certificates: %s", err) 249 } 250 dba = &CertDBAccessor{} 251 _, err = dba.RevokeCertificatesByID("", 0) 252 if err == nil { 253 t.Error("dba.RevokeCertificatesByID on empty accessor should have failed") 254 } 255 var cr certdb.CertificateRecord 256 err = dba.InsertCertificate(cr) 257 if err == nil { 258 t.Error("dba.InsertCertificate on empty accessor should have failed") 259 } 260 // User1 should not be allowed to register 261 user2Registration := &api.RegistrationRequest{ 262 Name: "user2", 263 Type: "user", 264 Affiliation: "hyperledger.fabric-ca", 265 } 266 _, err = user1.Register(user2Registration) 267 if err == nil { 268 t.Error("User1 should have failed to register user2") 269 } 270 // Admin should be allowed to register user2 271 _, err = admin.Register(user2Registration) 272 if err != nil { 273 t.Errorf("Admin failed to register user2: %s", err) 274 } 275 // User1 renew 276 eresp, err = user1.Reenroll(&api.ReenrollmentRequest{}) 277 if err != nil { 278 t.Fatalf("Failed to reenroll user1: %s", err) 279 } 280 user1 = eresp.Identity 281 // User1 should not be allowed to revoke admin 282 _, err = user1.Revoke(&api.RevocationRequest{Name: "admin"}) 283 if err == nil { 284 t.Error("User1 should not be allowed to revoke admin") 285 } 286 // User1 should not be allowed to revoke user2 because of affiliation 287 _, err = user1.Revoke(&api.RevocationRequest{Name: "user2"}) 288 if err == nil { 289 t.Error("User1 should not be allowed to revoke user2 because of affiliation") 290 } 291 // Admin should not be allowed to revoke an invalid cert 292 _, err = admin.Revoke(&api.RevocationRequest{AKI: "foo", Serial: "bar"}) 293 if err == nil { 294 t.Error("Admin should have failed to revoke foo/bar") 295 } 296 // Revoke user1's identity 297 _, err = admin.Revoke(&api.RevocationRequest{Name: "user1"}) 298 if err != nil { 299 t.Fatalf("Failed to revoke user1's identity: %s", err) 300 } 301 302 // Test to make sure that if an identity registered with an 303 // attribute 'hf.Revoker=false' should not be able to make a 304 // successfull revocation request 305 secret, err := admin.Register(&api.RegistrationRequest{ 306 Name: "user3", 307 Type: "user", 308 Affiliation: "hyperledger.fabric-ca", 309 Attributes: makeAttrs(t, "hf.Revoker=false"), 310 }) 311 assert.NoError(t, err, "Failed to register user") 312 eresp, err = client.Enroll(&api.EnrollmentRequest{ 313 Name: "user3", 314 Secret: secret.Secret, 315 }) 316 assert.NoError(t, err, "Failed to enroll user2") 317 user3 := eresp.Identity 318 // User3 should not be allowed to revoke because of attribute 'hf.Revoker=false' 319 _, err = user3.Revoke(&api.RevocationRequest{Name: "admin"}) 320 assert.Error(t, err) 321 322 // deferred cleanup 323 } 324 325 // Test passwords with lowercase "e" to make sure it is stored 326 // correctly in the database with no conversion problems. 327 // See https://jira.hyperledger.org/projects/FAB/issues/FAB-5188 328 func TestSRVSpecialPassword(t *testing.T) { 329 330 user := "admin2" 331 pwd := "034e220796" 332 333 // Start the server 334 server := TestGetRootServer(t) 335 if server == nil { 336 return 337 } 338 err := server.RegisterBootstrapUser(user, pwd, "") 339 if err != nil { 340 t.Fatalf("Failed to register %s: %s", user, err) 341 } 342 err = server.Start() 343 if err != nil { 344 t.Fatalf("Server start failed: %s", err) 345 } 346 defer func() { 347 err = server.Stop() 348 if err != nil { 349 t.Errorf("Failed to stop server: %s", err) 350 } 351 err = os.RemoveAll("../testdata/msp/") 352 if err != nil { 353 t.Errorf("RemoveAll failed: %s", err) 354 } 355 err = os.RemoveAll(rootDir) 356 if err != nil { 357 t.Errorf("RemoveAll failed: %s", err) 358 } 359 }() 360 361 // Enroll request 362 client := getRootClient() 363 _, err = client.Enroll(&api.EnrollmentRequest{Name: user, Secret: pwd}) 364 if err != nil { 365 t.Fatalf("Failed to enroll %s: %s", user, err) 366 } 367 } 368 369 // TestProfiling tests if profiling endpoint can be accessed when profiling is 370 // enabled and not accessible when disabled (default) 371 func TestSRVProfiling(t *testing.T) { 372 t.Log("start TestProfiling") 373 374 defer func() { 375 err := os.RemoveAll(rootDir) 376 if err != nil { 377 t.Errorf("RemoveAll failed: %s", err) 378 } 379 }() 380 381 pport := rootPort + 1000 382 url := fmt.Sprintf("http://localhost:%d/debug/pprof/heap", pport) 383 384 // Start the server with profiling disabled 385 os.Setenv(pportEnvVar, strconv.Itoa(-1)) 386 server := TestGetServer(rootPort, rootDir, "", -1, t) 387 if server == nil { 388 return 389 } 390 err := server.Start() 391 if err != nil { 392 t.Fatalf("Server start failed: %s", err) 393 } 394 resp1, err2 := sendGetReq(url, t) 395 // send heap profiling request to the server and expect a bad response 396 // as profiling is disabled 397 if err2 == nil && resp1.StatusCode == 200 { 398 responseData, _ := ioutil.ReadAll(resp1.Body) 399 t.Errorf("Expected error response for profile request %s but got good response: %s", 400 url, responseData) 401 } 402 err = server.Stop() 403 if err != nil { 404 t.Errorf("Failed to stop server: %s", err) 405 } 406 407 // Start the server with profiling enabled but port set to server port 408 os.Setenv(pportEnvVar, strconv.Itoa(rootPort)) 409 server = TestGetServer(rootPort, rootDir, "", -1, t) 410 if server == nil { 411 return 412 } 413 err = server.Start() 414 if err == nil { 415 t.Fatalf("Server should not have started because of port conflict") 416 } 417 418 // Start the server with profiling enabled 419 os.Setenv(pportEnvVar, strconv.Itoa(pport)) 420 defer os.Unsetenv(pportEnvVar) 421 server = TestGetServer(rootPort, rootDir, "", -1, t) 422 if server == nil { 423 return 424 } 425 err = server.Start() 426 if err != nil { 427 t.Fatalf("Server start failed: %s", err) 428 } 429 defer func() { 430 err = server.Stop() 431 if err != nil { 432 t.Errorf("Failed to stop server: %s", err) 433 } 434 }() 435 436 // send heap profiling request to the server and expect a 200 response 437 // as profiling is enabled 438 resp, err1 := sendGetReq(url, t) 439 if err1 != nil || resp.StatusCode != 200 { 440 if err1 == nil { 441 responseData, _ := ioutil.ReadAll(resp.Body) 442 err1 = fmt.Errorf("Invalid response %s with code %d returned for the request %s", 443 string(responseData), resp.StatusCode, url) 444 } 445 t.Errorf("Failed to send request to %s: %s", url, err1) 446 } 447 } 448 449 // sendGetReq sends GET request to the specified URL 450 func sendGetReq(url string, t *testing.T) (resp *http.Response, err error) { 451 req, err := http.NewRequest("GET", url, bytes.NewReader([]byte{})) 452 if err != nil { 453 t.Fatalf("Failed to create request for url %s: %s", url, err) 454 } 455 var tr = new(http.Transport) 456 httpClient := &http.Client{Transport: tr} 457 return httpClient.Do(req) 458 } 459 460 func TestSRVIntermediateServerWithFalseAttr(t *testing.T) { 461 var err error 462 463 err = os.RemoveAll(rootDir) 464 if err != nil { 465 t.Errorf("RemoveAll failed: %s", err) 466 } 467 468 // Start the root server 469 rootServer := TestGetRootServer(t) 470 if rootServer == nil { 471 return 472 } 473 rootServer.CA.Config.Registry.Identities[0].Attrs["hf.IntermediateCA"] = "false" 474 err = rootServer.Start() 475 if !assert.NoError(t, err, "Server failed start") { 476 assert.FailNow(t, err.Error()) 477 } 478 // Clean up when done 479 defer func() { 480 err = rootServer.Stop() 481 if err != nil { 482 t.Errorf("Failed to stop server: %s", err) 483 } 484 err = os.RemoveAll(rootDir) 485 if err != nil { 486 t.Errorf("RemoveAll failed: %s", err) 487 } 488 err = os.RemoveAll(intermediateDir) 489 if err != nil { 490 t.Errorf("RemoveAll failed: %s", err) 491 } 492 }() 493 494 intermediateServer := TestGetIntermediateServer(0, t) 495 if intermediateServer == nil { 496 return 497 } 498 499 err = intermediateServer.Init(false) 500 util.ErrorContains(t, err, "Authorization failure", "Should have failed, the attribute 'hf.IntermediateCA' is not set to true. Cannot register as Intermediate CA") 501 502 // deferred cleanup 503 } 504 505 func TestSRVIntermediateServer(t *testing.T) { 506 var err error 507 508 // Start the root server 509 rootServer := TestGetRootServer(t) 510 if rootServer == nil { 511 return 512 } 513 err = rootServer.Start() 514 if err != nil { 515 t.Fatalf("Root server start failed: %s", err) 516 } 517 defer func() { 518 err = rootServer.Stop() 519 if err != nil { 520 t.Errorf("Root server stop failed: %s", err) 521 } 522 err := os.RemoveAll("../testdata/msp") 523 if err != nil { 524 t.Errorf("RemoveAll failed: %s", err) 525 } 526 err = os.RemoveAll(rootDir) 527 if err != nil { 528 t.Errorf("RemoveAll failed: %s", err) 529 } 530 }() 531 532 for idx := 0; idx < 3; idx++ { 533 testIntermediateServer(idx, t) 534 } 535 // deferred cleanup 536 } 537 538 func TestSRVIntermediateServerWithTLS(t *testing.T) { 539 var err error 540 541 rootServer := TestGetRootServer(t) 542 if rootServer == nil { 543 return 544 } 545 rootServer.Config.TLS.Enabled = true 546 rootServer.Config.TLS.CertFile = "../../testdata/tls_server-cert.pem" 547 rootServer.Config.TLS.KeyFile = "../../testdata/tls_server-key.pem" 548 rootServer.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 549 rootServer.Config.TLS.ClientAuth.CertFiles = []string{"../../testdata/root.pem"} 550 551 //Invalid Authtype 552 rootServer.Config.TLS.ClientAuth.Type = "Token" 553 err = rootServer.Start() 554 t.Logf("rootServer.Start err %v", err) 555 if err == nil { 556 t.Fatal("Root server start should have failed: (invalid authtype)") 557 } 558 defer func() { 559 err = rootServer.Stop() 560 if err != nil { 561 t.Errorf("Root server stop failed: %s", err) 562 } 563 err = os.RemoveAll(rootDir) 564 if err != nil { 565 t.Errorf("RemoveAll failed: %s", err) 566 } 567 err = os.RemoveAll(intermediateDir) 568 if err != nil { 569 t.Errorf("RemoveAll failed: %s", err) 570 } 571 }() 572 573 //Valid authtype 574 rootServer.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 575 err = rootServer.Start() 576 t.Logf("rootServer.Start err %v", err) 577 if err != nil { 578 t.Fatal("Root server start failed") 579 } 580 parentURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 581 intermediateServer := TestGetServer(intermediatePort, intermediateDir, parentURL, -1, t) 582 if intermediateServer == nil { 583 return 584 } 585 intermediateServer.CA.Config.Intermediate.TLS.Client.CertFile = "../../testdata/tls_client-cert.pem" 586 intermediateServer.CA.Config.Intermediate.TLS.Client.KeyFile = "../../testdata/tls_client-key.pem" 587 intermediateServer.CA.Config.CSR.CN = "intermediateServer" 588 589 // Error case 1: CN specified for intermediate server 590 err = intermediateServer.Start() 591 if err == nil { 592 t.Errorf("CN specified for intermediate server, the server should have failed to start") 593 err = intermediateServer.Stop() 594 if err != nil { 595 t.Errorf("Failed to stop server: %s", err) 596 } 597 } 598 599 intermediateServer.CA.Config.CSR.CN = "" 600 intermediateServer.CA.Config.CSR.Hosts = []string{"testhost"} 601 602 // Error case 2: tls.certfiles not specified for intermediate server while connecting to parent CA server over TLS 603 err = intermediateServer.Start() 604 if err == nil { 605 t.Errorf("Certfiles not specified for the Intermediate server, the server should have failed to start") 606 err = intermediateServer.Stop() 607 if err != nil { 608 t.Errorf("Failed to stop server: %s", err) 609 } 610 } 611 612 // Success case 613 intermediateServer.CA.Config.Intermediate.TLS.CertFiles = []string{"../../testdata/root.pem"} 614 err = intermediateServer.Start() 615 if err != nil { 616 t.Errorf("Intermediate server start failed: %s", err) 617 err = intermediateServer.Stop() 618 if err != nil { 619 t.Errorf("Failed to stop server: %s", err) 620 } 621 } 622 time.Sleep(time.Second) 623 624 err = intermediateServer.Stop() 625 if err != nil { 626 t.Errorf("Intermediate server stop failed: %s", err) 627 } 628 629 // Make sure that the hostname was not inserted into the CA certificate 630 err = util.CheckHostsInCert(filepath.Join(intermediateDir, "ca-cert.pem"), "testhost") 631 if err == nil { 632 t.Error("A CA certificate should not have any hostnames") 633 } 634 635 // deferred cleanup 636 } 637 638 func TestSRVRunningTLSServer(t *testing.T) { 639 testDir := "tlsTestDir" 640 os.RemoveAll(testDir) 641 defer os.RemoveAll(testDir) 642 643 srv := TestGetServer(rootPort, testDir, "", -1, t) 644 645 srv.Config.TLS.Enabled = true 646 srv.Config.TLS.CertFile = "../../testdata/tls_server-cert.pem" 647 srv.Config.TLS.KeyFile = "../../testdata/tls_server-key.pem" 648 649 err := srv.Start() 650 if err != nil { 651 t.Fatalf("Server start failed: %s", err) 652 } 653 defer func() { 654 err = srv.Stop() 655 if err != nil { 656 t.Errorf("Failed to stop server: %s", err) 657 } 658 err = os.RemoveAll("../testdata/ca-cert.pem") 659 if err != nil { 660 t.Errorf("RemoveAll failed: %s", err) 661 } 662 err = os.RemoveAll("../testdata/fabric-ca-server.db") 663 if err != nil { 664 t.Errorf("RemoveAll failed: %s", err) 665 } 666 err = os.RemoveAll("../testdata/msp") 667 if err != nil { 668 t.Errorf("RemoveAll failed: %s", err) 669 } 670 }() 671 672 clientConfig := &ClientConfig{ 673 URL: fmt.Sprintf("https://localhost:%d", rootPort), 674 TLS: libtls.ClientTLSConfig{ 675 CertFiles: []string{"../testdata/root.pem"}, 676 Client: libtls.KeyCertFiles{ 677 KeyFile: "../testdata/tls_client-key.pem", 678 CertFile: "../testdata/tls_client-cert.pem", 679 }, 680 }, 681 } 682 683 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 684 685 _, err = clientConfig.Enroll(rawURL, testdataDir) 686 if err != nil { 687 t.Errorf("Failed to enroll over TLS: %s", err) 688 } 689 690 // make sure only TLSv1.2 and TLSv1.3 are supported 691 rootPool := x509.NewCertPool() 692 rootBytes, _ := ioutil.ReadFile("../testdata/root.pem") 693 rootPool.AppendCertsFromPEM(rootBytes) 694 for _, tlsVersion := range []uint16{tls.VersionTLS12, tls.VersionTLS13} { 695 _, err = tls.Dial("tcp", fmt.Sprintf("localhost:%d", rootPort), &tls.Config{ 696 RootCAs: rootPool, 697 MinVersion: tlsVersion, 698 MaxVersion: tlsVersion, 699 }) 700 assert.NoError(t, err, "Should have connected using a valid TLS version [TLSv1.2, TLSv1.3]") 701 } 702 for _, tlsVersion := range []uint16{tls.VersionSSL30, tls.VersionTLS10, tls.VersionTLS11} { 703 _, err = tls.Dial("tcp", fmt.Sprintf("localhost:%d", rootPort), &tls.Config{ 704 MinVersion: tlsVersion, 705 MaxVersion: tlsVersion, 706 }) 707 t.Logf("Attempting TLS version [%d]", tlsVersion) 708 assert.Error(t, err, "Should not have been able to connect with TLS version < 1.2") 709 if tlsVersion == tls.VersionSSL30 { 710 assert.Contains(t, err.Error(), "no supported versions satisfy MinVersion and MaxVersion") 711 } else { 712 assert.Contains(t, err.Error(), "protocol version not supported") 713 } 714 } 715 } 716 717 func TestSRVDefaultDatabase(t *testing.T) { 718 cleanTestSlateSRV(t) 719 defer func() { 720 err := os.RemoveAll("../testdata/ca-cert.pem") 721 if err != nil { 722 t.Errorf("RemoveAll failed: %s", err) 723 } 724 err = os.RemoveAll("../testdata/fabric-ca-server.db") 725 if err != nil { 726 t.Errorf("RemoveAll failed: %s", err) 727 } 728 err = os.RemoveAll("../testdata/msp") 729 if err != nil { 730 t.Errorf("RemoveAll failed: %s", err) 731 } 732 }() 733 734 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 735 736 err := srv.Start() 737 if err != nil { 738 t.Fatalf("Root server start failed: %s", err) 739 } 740 741 err = srv.Stop() 742 if err != nil { 743 t.Errorf("Failed to stop server: %s", err) 744 } 745 746 exist := util.FileExists("../testdata/fabric-ca-server.db") 747 if !exist { 748 t.Error("Failed to create default sqlite fabric-ca-server.db") 749 } 750 } 751 752 func TestSRVDefaultAddrPort(t *testing.T) { 753 cleanTestSlateSRV(t) 754 defer func() { 755 err := os.RemoveAll("../testdata/ca-cert.pem") 756 if err != nil { 757 t.Errorf("RemoveAll failed: %s", err) 758 } 759 err = os.RemoveAll("../testdata/fabric-ca-server.db") 760 if err != nil { 761 t.Errorf("RemoveAll failed: %s", err) 762 } 763 err = os.RemoveAll("../testdata/msp") 764 if err != nil { 765 t.Errorf("RemoveAll failed: %s", err) 766 } 767 }() 768 769 srv1 := getServer(rootPort, testdataDir, "", -1, t) 770 srv1.Config.Address = "" 771 srv1.Config.Port = 0 772 err := srv1.Start() 773 t.Logf("srv.Start err: %v", err) 774 if err != nil { 775 t.Fatalf("Failed to start server: %s", err) 776 } 777 defer func() { 778 err = srv1.Stop() 779 if err != nil { 780 t.Errorf("Failed to stop server: %s", err) 781 } 782 }() 783 784 // Start server with default port (already in use) 785 srv := getServer(rootPort, testdataDir, "", -1, t) 786 srv.Config.Address = "" 787 srv.Config.Port = 0 788 err = srv.Start() 789 t.Logf("srv.Start err: %v", err) 790 if err == nil { 791 t.Errorf("Root server start should have failed (port unavailable)") 792 err = srv.Stop() 793 if err != nil { 794 t.Errorf("Failed to stop server: %s", err) 795 } 796 } 797 798 // Again with TLS 799 srv = getServer(rootPort, testdataDir, "", -1, t) 800 srv.Config.TLS.Enabled = true 801 srv.Config.TLS.CertFile = "../testdata/tls_server-cert.pem" 802 srv.Config.TLS.KeyFile = "../testdata/tls_server-key.pem" 803 srv.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 804 srv.Config.TLS.ClientAuth.CertFiles = []string{"../testdata/root.pem"} 805 srv.Config.Address = "" 806 srv.Config.Port = 0 807 808 err = srv.Start() 809 t.Logf("srv.Start err: %v", err) 810 if err == nil { 811 t.Errorf("Root server start should have failed (port unavailable)") 812 err = srv.Stop() 813 if err != nil { 814 t.Errorf("Failed to stop server: %s", err) 815 } 816 } 817 } 818 819 func TestSRVBadAuthHeader(t *testing.T) { 820 // Start the server 821 server := TestGetRootServer(t) 822 if server == nil { 823 return 824 } 825 err := server.Start() 826 if err != nil { 827 t.Fatalf("Server start failed: %s", err) 828 } 829 defer func() { 830 err = server.Stop() 831 if err != nil { 832 t.Errorf("Failed to stop server: %s", err) 833 } 834 err = os.RemoveAll(rootDir) 835 if err != nil { 836 t.Errorf("RemoveAll failed: %s", err) 837 } 838 }() 839 840 invalidTokenAuthorization(t) 841 invalidBasicAuthorization(t) 842 perEndpointNegativeTests("info", "none", t) 843 perEndpointNegativeTests("enroll", "basic", t) 844 perEndpointNegativeTests("reenroll", "token", t) 845 perEndpointNegativeTests("register", "token", t) 846 } 847 848 func invalidTokenAuthorization(t *testing.T) { 849 client := getRootClient() 850 851 emptyByte := make([]byte, 0) 852 url := fmt.Sprintf("http://localhost:%d/enroll", rootPort) 853 req, err := http.NewRequest("POST", url, bytes.NewReader(emptyByte)) 854 if err != nil { 855 t.Errorf("Failed creating new request: %s", err) 856 } 857 858 addTokenAuthHeader(req, t) 859 860 err = client.SendReq(req, nil) 861 if err == nil { 862 t.Error("Incorrect auth type set, request should have failed with authorization error") 863 } 864 } 865 866 func addTokenAuthHeader(req *http.Request, t *testing.T) { 867 CSP := factory.GetDefault() 868 cert, err := ioutil.ReadFile("../testdata/ec.pem") 869 if err != nil { 870 t.Fatalf("Failed reading ec.pem: %s", err) 871 } 872 key, err := util.ImportBCCSPKeyFromPEM("../testdata/ec-key.pem", CSP, true) 873 if err != nil { 874 t.Fatalf("Failed importing key %s", err) 875 } 876 emptyByte := make([]byte, 0) 877 token, err := util.CreateToken(CSP, cert, key, req.Method, req.URL.RequestURI(), emptyByte) 878 if err != nil { 879 t.Fatalf("Failed to add token authorization header: %s", err) 880 } 881 req.Header.Set("authorization", token) 882 } 883 884 func perEndpointNegativeTests(endpoint string, authType string, t *testing.T) { 885 client := getRootClient() 886 emptyByte := make([]byte, 0) 887 turl := fmt.Sprintf("http://localhost:7055/%s?ca=bogus", endpoint) 888 req, err := http.NewRequest("POST", turl, bytes.NewReader(emptyByte)) 889 if err != nil { 890 t.Fatalf("Failed in NewRequest with %s", turl) 891 } 892 err = client.SendReq(req, nil) 893 if err == nil { 894 if authType != "" { 895 t.Fatalf("No authorization header; should have failed for %s", turl) 896 } else { 897 t.Fatalf("Bad CA should have failed for %s", turl) 898 } 899 } 900 switch authType { 901 case "none": 902 case "basic": 903 req.SetBasicAuth("admin", "adminpw") 904 case "token": 905 addTokenAuthHeader(req, t) 906 default: 907 t.Fatalf("Invalid auth type: %s", authType) 908 } 909 err = client.SendReq(req, nil) 910 if err == nil { 911 t.Errorf("Invalid CA should have failed for %s", turl) 912 } 913 } 914 915 func invalidBasicAuthorization(t *testing.T) { 916 client := getRootClient() 917 918 emptyByte := make([]byte, 0) 919 url := fmt.Sprintf("http://localhost:%d/register", rootPort) 920 req, err := http.NewRequest("POST", url, bytes.NewReader(emptyByte)) 921 if err != nil { 922 t.Error(err) 923 } 924 925 req.SetBasicAuth("admin", "adminpw") 926 927 err = client.SendReq(req, nil) 928 if err == nil { 929 t.Error("Incorrect auth type set for register request; it should have failed but passed") 930 } 931 } 932 933 func TestSRVTLSAuthClient(t *testing.T) { 934 cleanTestSlateSRV(t) 935 defer cleanTestSlateSRV(t) 936 937 testNoClientCert(t) 938 testInvalidRootCertWithNoClientAuth(t) 939 testInvalidRootCertWithClientAuth(t) 940 testClientAuth(t) 941 } 942 943 func TestSRVMultiCAConfigs(t *testing.T) { 944 t.Log("TestMultiCA...") 945 946 defer func() { 947 cleanMultiCADir(t) 948 err := os.RemoveAll("../testdata/ca-cert.pem") 949 if err != nil { 950 t.Errorf("RemoveAll failed: %s", err) 951 } 952 err = os.RemoveAll("../testdata/fabric-ca-server.db") 953 if err != nil { 954 t.Errorf("RemoveAll failed: %s", err) 955 } 956 err = os.RemoveAll("../testdata/msp") 957 if err != nil { 958 t.Errorf("RemoveAll failed: %s", err) 959 } 960 }() 961 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 962 srv.Config.CAfiles = []string{"ca/ca1/fabric-ca-server-config.yaml", "ca/ca1/fabric-ca-server-config.yaml", "ca/ca2/fabric-ca-server-config.yaml"} 963 964 srv.CA.Config.CSR.Hosts = []string{"hostname"} 965 t.Logf("Server configuration: %+v", srv.Config) 966 967 // Starting server with two cas with same name 968 err := srv.Start() 969 t.Logf("Start two CAs with the same name: %v", err) 970 if err == nil { 971 t.Error("Trying to create two CAs with the same name, server start should have failed") 972 } 973 974 // Starting server with a missing ca config file 975 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml", "ca/rootca/ca4/fabric-ca-server-config.yaml"} 976 err = srv.Start() 977 t.Logf("Start CA with missing config: %v", err) 978 if err == nil { 979 t.Error("Should have failed to start server, missing ca config file") 980 err = srv.Stop() 981 if err != nil { 982 t.Errorf("Failed to stop server: %s", err) 983 } 984 } 985 986 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml", "ca/rootca/ca3/fabric-ca-server-config.yaml"} 987 err = srv.Start() 988 t.Logf("Starting 3 CAs with a duplicated CN name: %s", err) 989 if err == nil { 990 t.Error("Should have failed to start server, CN name is the same across rootca2 and rootca3") 991 err = srv.Stop() 992 if err != nil { 993 t.Errorf("Failed to stop server: %s", err) 994 } 995 } 996 997 // Starting server with (bad) existing certificate 998 err = ioutil.WriteFile("../testdata/ca/rootca/ca1/ca-key.pem", make([]byte, 1), 0644) 999 t.Logf("Create err: %v", err) 1000 if !util.FileExists("../testdata/ca/rootca/ca1/ca-key.pem") { 1001 t.Fatal("../testdata/ca1/ca-key.pem doesn't exist") 1002 } 1003 err = ioutil.WriteFile("../testdata/ca/rootca/ca1/ca-cert.pem", make([]byte, 1), 0644) 1004 t.Logf("Create err: %v", err) 1005 if !util.FileExists("../testdata/ca/rootca/ca1/ca-cert.pem") { 1006 t.Fatal("../testdata/ca1/ca-cert.pem doesn't exist") 1007 } 1008 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml"} 1009 err = srv.Start() 1010 t.Logf("srv.Start ERROR %v", err) 1011 if err == nil { 1012 t.Error("Should have failed to start server, invalid cert") 1013 err = srv.Stop() 1014 if err != nil { 1015 t.Errorf("Failed to stop server: %s", err) 1016 } 1017 } 1018 1019 // Starting server with unreadable certificate 1020 keyfile := filepath.Join(os.TempDir(), "ca-key.pem") 1021 err = CopyFile("../testdata/ca/rootca/ca1/ca-key.pem", keyfile) 1022 if err != nil { 1023 t.Errorf("Failed to copy file: %s", err) 1024 } 1025 if err = os.Chmod(keyfile, 0000); err != nil { 1026 t.Errorf("Failed to chmod key file: , %v", err) 1027 } 1028 certfile := filepath.Join(os.TempDir(), "ca-cert.pem") 1029 err = CopyFile("../testdata/ca/rootca/ca1/ca-cert.pem", certfile) 1030 if err != nil { 1031 t.Errorf("Failed to copy file: %s", err) 1032 } 1033 if err = os.Chmod(certfile, 0000); err != nil { 1034 t.Errorf("Failed to chmod cert file:, %v", err) 1035 } 1036 configfile := filepath.Join(os.TempDir(), "ca-server-config.yaml") 1037 err = CopyFile("../testdata/ca/rootca/ca1/fabric-ca-server-config.yaml", configfile) 1038 if err != nil { 1039 t.Errorf("Failed to copy file: %s", err) 1040 } 1041 srv.Config.CAfiles = []string{configfile} 1042 err = srv.Start() 1043 t.Logf("srv.Start ERROR %v", err) 1044 if err == nil { 1045 t.Error("Should have failed to start server, unreadable cert") 1046 err = srv.Stop() 1047 if err != nil { 1048 t.Errorf("Failed to stop server: %s", err) 1049 } 1050 } 1051 err = os.Remove(keyfile) 1052 if err != nil { 1053 t.Errorf("Remove failed: %s", err) 1054 } 1055 err = os.Remove(certfile) 1056 if err != nil { 1057 t.Errorf("Remove failed: %s", err) 1058 } 1059 err = os.Remove(configfile) 1060 if err != nil { 1061 t.Errorf("Remove failed: %s", err) 1062 } 1063 err = os.RemoveAll(filepath.Join(os.TempDir(), "msp")) 1064 if err != nil { 1065 t.Errorf("RemoveAll failed: %s", err) 1066 } 1067 1068 testBadCryptoData(t, srv, []string{"../testdata/expiredcert.pem", "../testdata/tls_client-key.pem", "expired cert"}) 1069 testBadCryptoData(t, srv, []string{"../testdata/noKeyUsage.cert.pem", "../testdata/noKeyUsage.key.pem", "invalid usage cert"}) 1070 testBadCryptoData(t, srv, []string{"../testdata/caFalse.cert.pem", "../testdata/caFalse.key.pem", "invalid Basic Constraints"}) 1071 testBadCryptoData(t, srv, []string{"../testdata/dsaCa-cert.pem", "../testdata/dsaCa-key.pem", "invalid key type"}) 1072 testBadCryptoData(t, srv, []string{"../testdata/dsaCa-cert.pem", "../testdata/dsaCa-key.pem", "invalid key type"}) 1073 testBadCryptoData(t, srv, []string{"../testdata/rsa512-cert.pem", "../testdata/rsa512-key.pem", "key too short"}) 1074 testBadCryptoData(t, srv, []string{"../testdata/ec256-1-cert.pem", "../testdata/ec256-2-key.pem", "non-matching ecdsa key"}) 1075 testBadCryptoData(t, srv, []string{"../testdata/rsa2048-1-cert.pem", "../testdata/rsa2048-2-key.pem", "non-matching rsa key"}) 1076 testBadCryptoData(t, srv, []string{"../testdata/ec256-1-cert.pem", "../testdata/rsa2048-1-cert.pem", "non-matching key type"}) 1077 1078 // Starting server with correct configuration 1079 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1080 t.Logf("Server configuration: %+v\n\n", srv.Config) 1081 1082 err = srv.Start() 1083 if err != nil { 1084 t.Fatal("Failed to start server:", err) 1085 } 1086 1087 if !util.FileExists("../testdata/ca/rootca/ca1/fabric-ca-server.db") { 1088 t.Error("Failed to correctly add ca1") 1089 } 1090 1091 if !util.FileExists("../testdata/ca/rootca/ca2/fabric-ca2-server.db") { 1092 t.Error("Failed to correctly add ca2") 1093 } 1094 1095 // Non-existent CA specified by client 1096 clientCA := getRootClient() 1097 _, err = clientCA.Enroll(&api.EnrollmentRequest{ 1098 Name: "admin", 1099 Secret: "adminpw", 1100 CAName: "rootca3", 1101 }) 1102 if err == nil { 1103 t.Error("Should have failed, client using ca name of 'ca3' but no CA exist by that name on server") 1104 } 1105 1106 //Send enroll request to specific CA 1107 clientCA1 := getRootClient() 1108 _, err = clientCA1.Enroll(&api.EnrollmentRequest{ 1109 Name: "adminca1", 1110 Secret: "adminca1pw", 1111 CAName: "rootca1", 1112 }) 1113 if err != nil { 1114 t.Error("Failed to enroll, error: ", err) 1115 } 1116 1117 clientCA2 := getRootClient() 1118 resp, err := clientCA2.Enroll(&api.EnrollmentRequest{ 1119 Name: "admin", 1120 Secret: "adminpw", 1121 CAName: "rootca2", 1122 }) 1123 if err != nil { 1124 t.Error("Failed to enroll, error: ", err) 1125 } 1126 1127 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{ 1128 CAName: "rootca2", 1129 }) 1130 if err != nil { 1131 t.Error("Failed to reenroll, error: ", err) 1132 } 1133 1134 // User enrolled with rootca2, should not be able to reenroll with rootca1 1135 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{ 1136 CAName: "rootca1", 1137 }) 1138 if err == nil { 1139 t.Error("Should have failed to reenroll a user with a different CA") 1140 } 1141 1142 // No ca name specified should sent to default CA 'ca' 1143 clientCA3 := getRootClient() 1144 _, err = clientCA3.Enroll(&api.EnrollmentRequest{ 1145 Name: "admin", 1146 Secret: "adminpw", 1147 }) 1148 if err != nil { 1149 t.Error("Failed to enroll, error: ", err) 1150 } 1151 1152 err = srv.Stop() 1153 if err != nil { 1154 t.Error("Failed to stop server:", err) 1155 } 1156 1157 // Starting server with correct configuration and pre-existing cert/key 1158 err = os.Remove("../testdata/ca/rootca/ca1/ca-cert.pem") 1159 if err != nil { 1160 t.Errorf("Remove failed: %s", err) 1161 } 1162 srv = getServer(rootPort, testdataDir, "", 0, t) 1163 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1164 t.Logf("Server configuration: %+v\n\n", srv.Config) 1165 1166 err = CopyFile("../testdata/ec256-1-cert.pem", "../testdata/ca/rootca/ca1/ca-cert.pem") 1167 if err != nil { 1168 t.Fatalf("Failed to copy ec256-1 cert to ../testdata/ca1/ca-cert.pem failed %v", err) 1169 } 1170 err = CopyFile("../testdata/ec256-1-key.pem", "../testdata/ca/rootca/ca1/ca-key.pem") 1171 if err != nil { 1172 t.Fatalf("Failed to copy key to ../testdata/ca/rootca/ca1/ca-key.pem failed %v", err) 1173 } 1174 1175 err = srv.Start() 1176 if err != nil { 1177 t.Fatal("Failed to start server:", err) 1178 } 1179 1180 err = srv.Stop() 1181 if err != nil { 1182 t.Error("Failed to stop server:", err) 1183 } 1184 1185 } 1186 1187 func TestSRVDefaultCAWithSetCAName(t *testing.T) { 1188 defer func() { 1189 err := os.RemoveAll("../testdata/ca-cert.pem") 1190 if err != nil { 1191 t.Errorf("RemoveAll failed: %s", err) 1192 } 1193 err = os.RemoveAll("../testdata/fabric-ca-server.db") 1194 if err != nil { 1195 t.Errorf("RemoveAll failed: %s", err) 1196 } 1197 err = os.RemoveAll("../testdata/msp") 1198 if err != nil { 1199 t.Errorf("RemoveAll failed: %s", err) 1200 } 1201 }() 1202 1203 srv := getServer(rootPort, testdataDir, "", -1, t) 1204 srv.CA.Config.CA.Name = "DefaultCA" 1205 1206 err := srv.Start() 1207 if err != nil { 1208 t.Fatal("Failed to start server:", err) 1209 } 1210 1211 // No ca name specified should sent to default CA 'ca' 1212 client := getRootClient() 1213 _, err = client.Enroll(&api.EnrollmentRequest{ 1214 Name: "admin", 1215 Secret: "adminpw", 1216 }) 1217 if err != nil { 1218 t.Error("Failed to enroll, error: ", err) 1219 } 1220 1221 err = srv.Stop() 1222 if err != nil { 1223 t.Error("Failed to stop server:", err) 1224 } 1225 } 1226 1227 func TestSRVMultiCAWithIntermediate(t *testing.T) { 1228 defer func() { 1229 cleanMultiCADir(t) 1230 err := os.RemoveAll("../testdata/ca-cert.pem") 1231 if err != nil { 1232 t.Errorf("RemoveAll failed: %s", err) 1233 } 1234 err = os.RemoveAll("../testdata/fabric-ca-server.db") 1235 if err != nil { 1236 t.Errorf("RemoveAll failed: %s", err) 1237 } 1238 err = os.RemoveAll("../testdata/msp") 1239 if err != nil { 1240 t.Errorf("RemoveAll failed: %s", err) 1241 } 1242 err = os.RemoveAll("../testdata/IssuerPublicKey") 1243 if err != nil { 1244 t.Errorf("RemoveAll failed: %s", err) 1245 } 1246 err = os.RemoveAll("../testdata/IssuerSecretKey") 1247 if err != nil { 1248 t.Errorf("RemoveAll failed: %s", err) 1249 } 1250 err = os.RemoveAll("../testdata/IssuerRevocationPublicKey") 1251 if err != nil { 1252 t.Errorf("RemoveAll failed: %s", err) 1253 } 1254 }() 1255 1256 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1257 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1258 srv.CA.Config.CSR.Hosts = []string{"hostname"} 1259 t.Logf("Server configuration: %+v\n", srv.Config) 1260 1261 // Starting server with two cas with same name 1262 err := srv.Start() 1263 if err != nil { 1264 t.Fatalf("Failed to start server: %s", err) 1265 } 1266 1267 intermediatesrv := TestGetServer(intermediatePort, testdataDir, "", -1, t) 1268 intermediatesrv.Config.CAcount = 2 1269 intermediatesrv.Config.CAcfg.Intermediate.ParentServer.URL = fmt.Sprintf("http://adminca1:adminca1pw@localhost:%d", rootPort) 1270 intermediatesrv.CA.Config.CSR.Hosts = []string{"hostname"} 1271 1272 err = intermediatesrv.Start() 1273 assert.Error(t, err, "Error is expected if cacount is greater than 0 for intermediate CA") 1274 1275 intermediatesrv.Config.CAfiles = []string{"ca/intermediateca/ca1/fabric-ca-server-config.yaml", "ca/intermediateca/ca2/fabric-ca-server-config.yaml"} 1276 err = intermediatesrv.Start() 1277 assert.Error(t, err, "Error is expected if both cacount and cafiles are specified") 1278 1279 intermediatesrv.Config.CAcount = 0 1280 intermediatesrv.Config.CAcfg.Intermediate.ParentServer.URL = "" 1281 1282 // Start it 1283 err = intermediatesrv.Start() 1284 if err != nil { 1285 t.Errorf("Failed to start intermediate server: %s", err) 1286 } 1287 // Stop it 1288 err = intermediatesrv.Stop() 1289 if err != nil { 1290 t.Error("Failed to stop intermediate server: ", err) 1291 } 1292 1293 if !util.FileExists("../testdata/ca/intermediateca/ca1/ca-chain.pem") { 1294 t.Error("Failed to enroll intermediate ca") 1295 } 1296 1297 err = srv.Stop() 1298 if err != nil { 1299 t.Error("Failed to stop server: ", err) 1300 } 1301 1302 // Make sure there is no host name in the intermediate CA cert 1303 err = util.CheckHostsInCert(filepath.Join("../testdata/ca/intermediateca/ca1", "ca-cert.pem"), "testhost1") 1304 if err == nil { 1305 t.Error("Intermediate CA should not contain a hostname, but does") 1306 } 1307 } 1308 1309 func TestSRVDefaultMultiCA(t *testing.T) { 1310 t.Log("TestDefaultMultiCA...") 1311 defer func() { 1312 err := os.RemoveAll("../testdata/msp") 1313 if err != nil { 1314 t.Errorf("RemoveAll failed: %s", err) 1315 } 1316 err = os.RemoveAll("multica") 1317 if err != nil { 1318 t.Errorf("RemoveAll failed: %s", err) 1319 } 1320 }() 1321 srv := TestGetServer(rootPort, "multica", "", -1, t) 1322 srv.Config.CAcount = 4 // Starting 4 default CA instances 1323 srv.Config.CAfiles = []string{"fabric-ca1-config.yaml"} 1324 1325 err := srv.Start() 1326 if err == nil { 1327 t.Error("Both cacount and cafiles set, should have failed to start server") 1328 err = srv.Stop() 1329 if err != nil { 1330 t.Errorf("Failed to stop server: %s", err) 1331 } 1332 } 1333 1334 srv.Config.CAfiles = []string{} 1335 1336 err = srv.Start() 1337 if err != nil { 1338 t.Error("Failed to start server: ", err) 1339 } 1340 1341 //Send enroll request to specific CA 1342 clientCA1 := getRootClient() 1343 _, err = clientCA1.Enroll(&api.EnrollmentRequest{ 1344 Name: "admin", 1345 Secret: "adminpw", 1346 CAName: "ca4", 1347 }) 1348 if err != nil { 1349 t.Error("Failed to enroll, error: ", err) 1350 } 1351 1352 if srv.DBAccessor() == nil { 1353 t.Error("No registry found") 1354 } 1355 1356 err = srv.Stop() 1357 if err != nil { 1358 t.Error("Failed to stop server: ", err) 1359 } 1360 } 1361 1362 // Test the combination of multiple CAs in both root and intermediate servers. 1363 func TestSRVMultiCAIntermediates(t *testing.T) { 1364 myTestDir := "multicaIntermediates" 1365 err := os.RemoveAll(myTestDir) 1366 if err != nil { 1367 t.Errorf("RemoveAll failed: %s", err) 1368 } 1369 defer func(t *testing.T) { 1370 err = os.RemoveAll(myTestDir) 1371 if err != nil { 1372 t.Errorf("RemoveAll failed: %s", err) 1373 } 1374 }(t) 1375 // Start the root server with 2 non-default CAs 1376 rootServer := TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) 1377 rootServer.Config.CAcount = 2 1378 err = rootServer.Start() 1379 if err != nil { 1380 t.Fatalf("Failed to start root CA: %s", err) 1381 } 1382 home := path.Join(myTestDir, "intermediate") 1383 parentURL := fmt.Sprintf("http://admin:adminpw@localhost:%d", rootPort) 1384 intServer := TestGetServer(0, home, parentURL, -1, t) 1385 intServer.Config.CAfiles = []string{"ca1/ca1.yaml", "ca2/ca2.yaml"} 1386 ca1home := filepath.Join(home, "ca1") 1387 ca2home := filepath.Join(home, "ca2") 1388 1389 // Negative Case - same CA name from two intermediate CAs sent to the same root CA 1390 // Check that CA file paths are getting printed 1391 // Create ca1.yaml and ca2.yaml for the intermediate server CAs 1392 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1393 writeCAFile("ca1", "ca2", "ca2", ca2home, rootPort, t) 1394 err = intServer.Init(false) 1395 if assert.Error(t, err) { 1396 assert.Contains(t, err.Error(), ca1home) 1397 assert.Contains(t, err.Error(), ca2home) 1398 } 1399 err = rootServer.Stop() 1400 if err != nil { 1401 t.Error("Failed to stop server: ", err) 1402 } 1403 1404 err = os.RemoveAll(myTestDir) 1405 if err != nil { 1406 t.Fatalf("RemoveAll failed: %s", err) 1407 } 1408 1409 // Negative Case - same subject distinguished name from two intermediate CAs sent to the same root CA 1410 // Create ca1.yaml and ca2.yaml for the intermediate server CAs 1411 rootServer = TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) // reset server from last run above 1412 rootServer.Config.CAcount = 2 1413 err = rootServer.Start() 1414 if err != nil { 1415 t.Fatalf("Failed to start root CA: %s", err) 1416 } 1417 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1418 writeCAFile("ca2", "ca1", "ca2", ca2home, rootPort, t) 1419 err = intServer.Init(false) 1420 if assert.Error(t, err) { 1421 assert.Contains(t, err.Error(), "Both issuer and subject distinguished name are already in use") 1422 } 1423 err = rootServer.Stop() 1424 if err != nil { 1425 t.Error("Failed to stop server: ", err) 1426 } 1427 err = os.RemoveAll(myTestDir) 1428 if err != nil { 1429 t.Errorf("RemoveAll failed: %s", err) 1430 } 1431 1432 // Positive Case - same subject distinguished names from two intermediate CAs sent to two different root CAs 1433 rootServer = TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) // reset server from last run above 1434 rootServer.Config.CAcount = 2 1435 err = rootServer.Start() 1436 if err != nil { 1437 t.Fatalf("Failed to start root CA: %s", err) 1438 } 1439 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1440 writeCAFile("ca2", "ca2", "ca2", ca2home, rootPort, t) 1441 // Init the intermediate server 1442 err = intServer.Init(false) 1443 if err != nil { 1444 t.Fatalf("Failed to initialize intermediate server: %s", err) 1445 } 1446 err = rootServer.Stop() 1447 if err != nil { 1448 t.Error("Failed to stop server: ", err) 1449 } 1450 } 1451 1452 func TestSRVMaxEnrollmentInfinite(t *testing.T) { 1453 t.Log("Test max enrollment infinite") 1454 err := os.RemoveAll(rootDir) 1455 if err != nil { 1456 t.Errorf("RemoveAll failed: %s", err) 1457 } 1458 // Starting server/ca with infinite enrollments 1459 srv := TestGetServer(rootPort, rootDir, "", -1, t) 1460 err = srv.Start() 1461 if err != nil { 1462 t.Fatalf("Server start failed: %s", err) 1463 } 1464 defer func() { 1465 err = srv.Stop() 1466 if err != nil { 1467 t.Errorf("Failed to stop server: %s", err) 1468 } 1469 err = os.RemoveAll("../testdata/msp") 1470 if err != nil { 1471 t.Errorf("RemoveAll failed: %s", err) 1472 } 1473 err = os.RemoveAll(rootDir) 1474 if err != nil { 1475 t.Errorf("RemoveAll failed: %s", err) 1476 } 1477 }() 1478 client := getRootClient() 1479 id, err := client.Enroll(&api.EnrollmentRequest{ 1480 Name: "admin", 1481 Secret: "adminpw", 1482 }) 1483 if err != nil { 1484 t.Error("Enrollment failed, error: ", err) 1485 } 1486 id.Identity.Store() 1487 // Names of users are of the form: 1488 // me_<client's max enrollment setting>_<server's max enrollment setting> 1489 // where "me" stands for "max enrollments" 1490 1491 // Registering user with missing max enrollment value 1492 _, err = id.Identity.Register(&api.RegistrationRequest{ 1493 Name: "me_missing_-1", 1494 Type: "client", 1495 Affiliation: "org2", 1496 }) 1497 if err != nil { 1498 t.Errorf("Failed to register me_missing_-1, error: %s", err) 1499 } 1500 1501 // Registering user with infinite max enrollments (-1) 1502 _, err = id.Identity.Register(&api.RegistrationRequest{ 1503 Name: "me_-1_-1", 1504 Type: "client", 1505 Affiliation: "org2", 1506 MaxEnrollments: -1, 1507 }) 1508 if err != nil { 1509 t.Errorf("Failed to register me_-1_-1, error: %s", err) 1510 } 1511 1512 // Registering user with zero max enrollments, will take value of CA's max enrollment 1513 _, err = id.Identity.Register(&api.RegistrationRequest{ 1514 Name: "me_0_-1", 1515 Type: "client", 1516 Affiliation: "org2", 1517 MaxEnrollments: 0, 1518 }) 1519 if err != nil { 1520 t.Errorf("Failed to register me_0_-1, error: %s", err) 1521 } 1522 1523 // Registering user with 1000 max enrollments 1524 _, err = id.Identity.Register(&api.RegistrationRequest{ 1525 Name: "me_1000_-1", 1526 Type: "client", 1527 Affiliation: "org2", 1528 MaxEnrollments: 1000, 1529 }) 1530 if err != nil { 1531 t.Errorf("Failed to register me_1000_-1, error: %s", err) 1532 } 1533 } 1534 1535 func TestSRVMaxEnrollmentDisabled(t *testing.T) { 1536 t.Log("Test max enrollment disabled") 1537 err := os.RemoveAll(rootDir) 1538 if err != nil { 1539 t.Errorf("RemoveAll failed: %s", err) 1540 } 1541 // Starting server/ca with infinite enrollments 1542 srv := TestGetServer(rootPort, rootDir, "", -1, t) 1543 err = srv.Start() 1544 if err != nil { 1545 t.Fatalf("Server start failed: %s", err) 1546 } 1547 // Clean up when done 1548 defer func() { 1549 err = srv.Stop() 1550 if err != nil { 1551 t.Errorf("Failed to stop server: %s", err) 1552 } 1553 err = os.RemoveAll("../testdata/msp") 1554 if err != nil { 1555 t.Errorf("RemoveAll failed: %s", err) 1556 } 1557 err = os.RemoveAll(rootDir) 1558 if err != nil { 1559 t.Errorf("RemoveAll failed: %s", err) 1560 } 1561 }() 1562 client := getRootClient() 1563 id, err := client.Enroll(&api.EnrollmentRequest{ 1564 Name: "admin", 1565 Secret: "adminpw", 1566 }) 1567 if err != nil { 1568 t.Errorf("Enrollment failed: %s", err) 1569 } 1570 // Disable enrollment 1571 srv.CA.Config.Registry.MaxEnrollments = 0 1572 // Make sure both registration and enrollment fail 1573 _, err = id.Identity.Register(&api.RegistrationRequest{ 1574 Name: "me_0_0", 1575 Type: "client", 1576 Affiliation: "org2", 1577 }) 1578 if err == nil { 1579 t.Error("Registration should have failed but didn't") 1580 } 1581 _, err = client.Enroll(&api.EnrollmentRequest{ 1582 Name: "admin", 1583 Secret: "adminpw", 1584 }) 1585 if err == nil { 1586 t.Error("Enrollment should have failed but didn't") 1587 } 1588 // deferred cleanup 1589 } 1590 1591 func TestSRVMaxEnrollmentLimited(t *testing.T) { 1592 err := os.RemoveAll(rootDir) 1593 if err != nil { 1594 t.Errorf("RemoveAll failed: %s", err) 1595 } 1596 t.Log("Test max enrollment limited") 1597 1598 // Starting server/ca with max enrollments of 1 1599 srv := TestGetServer(rootPort, rootDir, "", 1, t) 1600 err = srv.Start() 1601 if err != nil { 1602 t.Fatalf("Server start failed: %s", err) 1603 } 1604 // Clean up when done 1605 defer func() { 1606 err = srv.Stop() 1607 if err != nil { 1608 t.Errorf("Failed to stop server: %s", err) 1609 } 1610 err = os.RemoveAll("../testdata/msp") 1611 if err != nil { 1612 t.Errorf("RemoveAll failed: %s", err) 1613 } 1614 err = os.RemoveAll(rootDir) 1615 if err != nil { 1616 t.Errorf("RemoveAll failed: %s", err) 1617 } 1618 }() 1619 client := getRootClient() 1620 id, err := client.Enroll(&api.EnrollmentRequest{ 1621 Name: "admin", 1622 Secret: "adminpw", 1623 }) 1624 if err != nil { 1625 t.Fatalf("Enrollment failed, error: %s", err) 1626 } 1627 id.Identity.Store() 1628 _, err = client.Enroll(&api.EnrollmentRequest{ 1629 Name: "admin", 1630 Secret: "adminpw", 1631 }) 1632 if err == nil { 1633 t.Error("Enrollments should have been limited to 1 but allowed 2") 1634 } 1635 // Registering user with missing max enrollment value 1636 // Names of users are of the form: 1637 // me_<client's max enrollment setting>_<server's max enrollment setting> 1638 // where "me" stands for "max enrollments" 1639 _, err = id.Identity.Register(&api.RegistrationRequest{ 1640 Name: "me_-1_1", 1641 Type: "client", 1642 Affiliation: "org2", 1643 MaxEnrollments: -1, 1644 }) 1645 if err == nil { 1646 t.Error("Should have failed to register infinite but didn't") 1647 } 1648 _, err = id.Identity.Register(&api.RegistrationRequest{ 1649 Name: "me_0_1", 1650 Type: "client", 1651 Affiliation: "org2", 1652 MaxEnrollments: 0, 1653 }) 1654 if err != nil { 1655 t.Errorf("Failed to register me_0_1, error: %s", err) 1656 } 1657 user, err := srv.CA.DBAccessor().GetUser("me_0_1", nil) 1658 if err != nil { 1659 t.Errorf("Failed to find user 'me_0_1,' in database") 1660 } 1661 if user.GetMaxEnrollments() != 1 { 1662 t.Error("Failed to correctly set max enrollment value for a user registering with max enrollment of 0") 1663 } 1664 _, err = id.Identity.Register(&api.RegistrationRequest{ 1665 Name: "me_1_1", 1666 Type: "client", 1667 Affiliation: "org2", 1668 MaxEnrollments: 1, 1669 }) 1670 if err != nil { 1671 t.Errorf("Failed to register me_1_1, error: %s", err) 1672 } 1673 _, err = id.Identity.Register(&api.RegistrationRequest{ 1674 Name: "me_2_1", 1675 Type: "client", 1676 Affiliation: "org2", 1677 MaxEnrollments: 2, 1678 }) 1679 if err == nil { 1680 t.Error("Should have failed to register me_2_1 but didn't") 1681 } 1682 // deferred cleanup 1683 } 1684 1685 // Get certificate using the TLS profile on the server to retrieve a certificate to be used for TLS connection 1686 func TestTLSCertIssuance(t *testing.T) { 1687 testDir := "tlsTestDir" 1688 err := os.RemoveAll(testDir) 1689 if err != nil { 1690 t.Errorf("RemoveAll failed: %s", err) 1691 } 1692 defer func() { 1693 err = os.RemoveAll(testDir) 1694 if err != nil { 1695 t.Errorf("RemoveAll failed: %s", err) 1696 } 1697 }() 1698 srv := TestGetServer(rootPort, testDir, "", -1, t) 1699 err = srv.Start() 1700 if err != nil { 1701 t.Fatalf("Root server start failed: %s", err) 1702 } 1703 stopserver := true 1704 defer func() { 1705 if stopserver { 1706 err = srv.Stop() 1707 if err != nil { 1708 t.Errorf("Failed to stop server: %s", err) 1709 } 1710 } 1711 }() 1712 client := &Client{ 1713 Config: &ClientConfig{URL: fmt.Sprintf("http://localhost:%d", rootPort)}, 1714 HomeDir: testDir, 1715 } 1716 eresp, err := client.Enroll(&api.EnrollmentRequest{ 1717 Name: "admin", 1718 Secret: "adminpw", 1719 Profile: "tls", 1720 CSR: &api.CSRInfo{Hosts: []string{"localhost"}}, 1721 }) 1722 if err != nil { 1723 t.Fatalf("Failed to enroll: %s", err) 1724 } 1725 tlsCertBytes := eresp.Identity.GetECert().Cert() 1726 cert, err := util.GetX509CertificateFromPEM(tlsCertBytes) 1727 if err != nil { 1728 t.Fatalf("Failed to get certificate: %s", err) 1729 } 1730 // Check if the certificate has correct key usages 1731 if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 || cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 || cert.KeyUsage&x509.KeyUsageKeyAgreement == 0 { 1732 t.Fatal("Certificate does not have correct extended key usage. Should have Digital Signature, Key Encipherment, and Key Agreement") 1733 } 1734 // Check if the certificate has correct extended key usages 1735 clientAuth := false 1736 serverAuth := false 1737 for _, usage := range cert.ExtKeyUsage { 1738 if usage == x509.ExtKeyUsageClientAuth { 1739 clientAuth = true 1740 } 1741 if usage == x509.ExtKeyUsageServerAuth { 1742 serverAuth = true 1743 } 1744 } 1745 if !clientAuth || !serverAuth { 1746 t.Fatal("Certificate does not have correct extended key usage. Should have ExtKeyUsageServerAuth and ExtKeyUsageClientAuth") 1747 } 1748 1749 stopserver = false 1750 err = srv.Stop() 1751 if err != nil { 1752 t.Fatalf("Failed to stop server: %s", err) 1753 } 1754 1755 // Write the TLS certificate to disk 1756 os.MkdirAll(testDir, 0755) 1757 tlsCertFile := path.Join(testDir, "tls-cert.pem") 1758 err = util.WriteFile(tlsCertFile, tlsCertBytes, 0644) 1759 if err != nil { 1760 t.Fatalf("Failed to write TLS certificate file: %s", err) 1761 } 1762 // Get a new server with TLS enabled 1763 srv = TestGetServer2(false, rootPort, testDir, "", -1, t) 1764 srv.Config.TLS.Enabled = true 1765 srv.Config.TLS.CertFile = "tls-cert.pem" 1766 // Start the server 1767 err = srv.Start() 1768 if err != nil { 1769 t.Fatalf("TLS server start failed: %s", err) 1770 } 1771 stopserver = true 1772 // Connect to the server over TLS 1773 cfg := &ClientConfig{URL: fmt.Sprintf("https://localhost:%d", rootPort)} 1774 cfg.TLS.Enabled = true 1775 cfg.TLS.CertFiles = []string{"ca-cert.pem"} 1776 client = &Client{Config: cfg, HomeDir: testDir} 1777 eresp, err = client.Enroll(&api.EnrollmentRequest{ 1778 Name: "admin", 1779 Secret: "adminpw", 1780 }) 1781 if err != nil { 1782 t.Fatalf("Failed to enroll over TLS: %s", err) 1783 } 1784 } 1785 1786 // Configure server to start server with no client authentication required 1787 func testNoClientCert(t *testing.T) { 1788 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1789 srv = getTLSConfig(srv, "NoClientCert", []string{}) 1790 1791 err := srv.Start() 1792 if err != nil { 1793 t.Fatalf("Root server start failed: %s", err) 1794 } 1795 1796 clientConfig := &ClientConfig{ 1797 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1798 TLS: libtls.ClientTLSConfig{ 1799 CertFiles: []string{"../testdata/root.pem"}, 1800 }, 1801 } 1802 1803 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 1804 1805 _, err = clientConfig.Enroll(rawURL, testdataDir) 1806 if err != nil { 1807 t.Errorf("Failed to enroll over TLS with no client authentication required: %s", err) 1808 } 1809 1810 err = srv.Stop() 1811 if err != nil { 1812 t.Errorf("Failed to stop server: %s", err) 1813 } 1814 } 1815 1816 // Configure server to start with no client authentication required 1817 // Root2.pem does not exists, server should still start because no client auth is requred 1818 func testInvalidRootCertWithNoClientAuth(t *testing.T) { 1819 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1820 srv = getTLSConfig(srv, "NoClientCert", []string{"../testdata/root.pem", "../testdata/root2.pem"}) 1821 1822 err := srv.Start() 1823 if err != nil { 1824 t.Fatalf("Root server start failed: %s", err) 1825 } 1826 1827 err = srv.Stop() 1828 if err != nil { 1829 t.Errorf("Failed to stop server: %s", err) 1830 } 1831 } 1832 1833 // Configure server to start with client authentication required 1834 // Root2.pem does not exists, server should fail to start 1835 func testInvalidRootCertWithClientAuth(t *testing.T) { 1836 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1837 srv = getTLSConfig(srv, "RequireAndVerifyClientCert", []string{"../testdata/root.pem", "../testdata/root2.pem"}) 1838 1839 err := srv.Start() 1840 if err == nil { 1841 t.Error("Root2.pem does not exists, server should have failed to start") 1842 err = srv.Stop() 1843 if err != nil { 1844 t.Errorf("Failed to stop server: %s", err) 1845 } 1846 } 1847 } 1848 1849 // Configure server to start with client authentication required 1850 func testClientAuth(t *testing.T) { 1851 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1852 srv = getTLSConfig(srv, "RequireAndVerifyClientCert", []string{"../testdata/root.pem"}) 1853 1854 err := srv.Start() 1855 if err != nil { 1856 t.Fatalf("Root server start failed: %s", err) 1857 } 1858 1859 clientConfig := &ClientConfig{ 1860 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1861 TLS: libtls.ClientTLSConfig{ 1862 CertFiles: []string{"../testdata/root.pem"}, 1863 }, 1864 } 1865 1866 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 1867 1868 // Enrolling without any client certificate and key information set 1869 _, err = clientConfig.Enroll(rawURL, testdataDir) 1870 if err == nil { 1871 t.Errorf("Client Auth Type: RequireAndVerifyClientCert, should have failed as no client cert was provided") 1872 } 1873 1874 // Client created with certificate and key for TLS 1875 clientConfig = &ClientConfig{ 1876 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1877 TLS: libtls.ClientTLSConfig{ 1878 CertFiles: []string{"../testdata/root.pem"}, 1879 Client: libtls.KeyCertFiles{ 1880 KeyFile: "../testdata/tls_client-key.pem", 1881 CertFile: "../testdata/tls_client-cert.pem", 1882 }, 1883 }, 1884 } 1885 1886 _, err = clientConfig.Enroll(rawURL, testdataDir) 1887 if err != nil { 1888 t.Errorf("Client Auth Type: RequireAndVerifyClientCert, failed to enroll over TLS with client certificate provided") 1889 } 1890 1891 err = srv.Stop() 1892 if err != nil { 1893 t.Errorf("Failed to stop server: %s", err) 1894 } 1895 } 1896 1897 func testIntermediateServer(idx int, t *testing.T) { 1898 // Init the intermediate server 1899 intermediateServer := TestGetIntermediateServer(idx, t) 1900 if intermediateServer == nil { 1901 return 1902 } 1903 err := intermediateServer.Init(true) 1904 if err != nil { 1905 t.Fatalf("Intermediate server init failed: %s", err) 1906 } 1907 // Verify that the duration of the newly created intermediate certificate is 5 years 1908 d, err := util.GetCertificateDurationFromFile(path.Join(intermediateServer.HomeDir, "ca-cert.pem")) 1909 assert.NoError(t, err) 1910 assert.True(t, int(d.Hours()) == 43800, fmt.Sprintf("Expecting 43800 but found %f", d.Hours())) 1911 // Start it 1912 err = intermediateServer.Start() 1913 if err != nil { 1914 t.Fatalf("Intermediate server start failed: %s", err) 1915 } 1916 defer func() { 1917 err = intermediateServer.Stop() 1918 if err != nil { 1919 t.Errorf("Failed to stop server: %s", err) 1920 } 1921 1922 err = os.RemoveAll(intermediateDir) 1923 if err != nil { 1924 t.Errorf("RemoveAll failed: %s", err) 1925 } 1926 }() 1927 // Test enroll against intermediate (covering basic auth) 1928 c := getTestClient(intermediateServer.Config.Port) 1929 resp, err := c.Enroll(&api.EnrollmentRequest{Name: "admin", Secret: "adminpw"}) 1930 if err != nil { 1931 t.Fatalf("Failed to enroll with intermediate server: %s", err) 1932 } 1933 1934 // Test reenroll against intermediate (covering token auth) 1935 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{}) 1936 if err != nil { 1937 t.Fatalf("Failed to reenroll with intermediate server: %s", err) 1938 } 1939 1940 // deferred cleanup 1941 } 1942 1943 func TestUnmarshalConfig(t *testing.T) { 1944 cfg := &ServerConfig{} 1945 cfgFile := "../testdata/testviperunmarshal.yaml" 1946 err := UnmarshalConfig(cfg, viper.GetViper(), cfgFile, true) 1947 if err != nil { 1948 t.Errorf("UnmarshalConfig failed: %s", err) 1949 } 1950 err = UnmarshalConfig(cfg, viper.GetViper(), "foo.yaml", true) 1951 if err == nil { 1952 t.Error("UnmarshalConfig invalid file passed but should have failed") 1953 } 1954 } 1955 1956 // TestSqliteLocking tests to ensure that "database is locked" 1957 // error does not occur when multiple requests are sent at the 1958 // same time. 1959 // This test assumes that sqlite is the database used in the tests 1960 func TestSRVSqliteLocking(t *testing.T) { 1961 // Start the server 1962 server := TestGetServer(rootPort, rootDir, "", -1, t) 1963 if server == nil { 1964 return 1965 } 1966 err := server.Start() 1967 if err != nil { 1968 t.Fatalf("Server start failed: %s", err) 1969 } 1970 // Clean up when done 1971 defer func() { 1972 err = server.Stop() 1973 if err != nil { 1974 t.Errorf("Failed to stop server: %s", err) 1975 } 1976 err = os.RemoveAll("../testdata/msp") 1977 if err != nil { 1978 t.Errorf("RemoveAll failed: %s", err) 1979 } 1980 err = os.RemoveAll(rootDir) 1981 if err != nil { 1982 t.Errorf("RemoveAll failed: %s", err) 1983 } 1984 }() 1985 1986 // Enroll bootstrap user 1987 client := getRootClient() 1988 eresp, err := client.Enroll(&api.EnrollmentRequest{ 1989 Name: "admin", 1990 Secret: "adminpw", 1991 }) 1992 if err != nil { 1993 t.Fatalf("Failed to enroll bootstrap user: %s", err) 1994 } 1995 admin := eresp.Identity 1996 errs := make(chan error) 1997 users := 30 1998 // Register users 1999 for i := 0; i < users; i++ { 2000 n := "user" + strconv.Itoa(i) 2001 go func(admin *Identity, name string) { 2002 _, err := admin.Register(&api.RegistrationRequest{ 2003 Name: name, 2004 Type: "user", 2005 Affiliation: "hyperledger.fabric.security", 2006 }) 2007 errs <- err 2008 }(admin, n) 2009 } 2010 for i := 0; ; { 2011 err = <-errs 2012 // Should not see "database is locked" error 2013 if err != nil && strings.Contains(err.Error(), "database is locked") { 2014 t.Fatalf("Failed to register: %s", err) 2015 } 2016 // If we have heard from all the go routines, break to exit the test 2017 if i++; i == users { 2018 break 2019 } 2020 } 2021 } 2022 2023 func TestSRVNewUserRegistryMySQL(t *testing.T) { 2024 datasource := "" 2025 2026 // Test with no cert files specified 2027 tlsConfig := &libtls.ClientTLSConfig{ 2028 Enabled: true, 2029 } 2030 csp := util.GetDefaultBCCSP() 2031 _, err := getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, nil)) 2032 assert.Error(t, err) 2033 assert.Contains(t, err.Error(), "No trusted root certificates for TLS were provided") 2034 2035 // Test with with a file that does not exist 2036 tlsConfig = &libtls.ClientTLSConfig{ 2037 Enabled: true, 2038 CertFiles: []string{"doesnotexit.pem"}, 2039 } 2040 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, nil)) 2041 assert.Error(t, err) 2042 assert.Contains(t, err.Error(), "no such file or directory") 2043 2044 // Test with a file that is not of appropriate format 2045 tlsConfig = &libtls.ClientTLSConfig{ 2046 Enabled: true, 2047 CertFiles: []string{"../testdata/empty.json"}, 2048 } 2049 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, nil)) 2050 assert.Error(t, err) 2051 assert.Contains(t, err.Error(), "Failed to process certificate from file") 2052 2053 // Test with a file that does not have read permissions 2054 2055 tmpFile := filepath.Join(os.TempDir(), "root.pem") 2056 err = CopyFile("../testdata/root.pem", tmpFile) 2057 if err != nil { 2058 t.Fatalf("Failed to copy file: %s", err) 2059 } 2060 err = os.Chmod(tmpFile, 0000) 2061 if err != nil { 2062 t.Fatalf("Failed to change file mode: %s", err) 2063 } 2064 2065 tlsConfig = &libtls.ClientTLSConfig{ 2066 Enabled: true, 2067 CertFiles: []string{tmpFile}, 2068 } 2069 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, nil)) 2070 assert.Error(t, err) 2071 if err != nil { 2072 t.Logf("%s", err.Error()) 2073 } 2074 assert.Contains(t, err.Error(), "denied") 2075 2076 err = os.RemoveAll(tmpFile) 2077 if err != nil { 2078 t.Logf("%s", err.Error()) 2079 } 2080 } 2081 2082 func TestCSRInputLengthCheck(t *testing.T) { 2083 t.Log("Testing CSR input length check") 2084 err := os.RemoveAll("../testdata/msp/") 2085 if err != nil { 2086 t.Errorf("RemoveAll failed: %s", err) 2087 } 2088 err = os.RemoveAll(rootDir) 2089 if err != nil { 2090 t.Errorf("RemoveAll failed: %s", err) 2091 } 2092 defer func() { 2093 err = os.RemoveAll("../testdata/msp/") 2094 if err != nil { 2095 t.Errorf("RemoveAll failed: %s", err) 2096 } 2097 err = os.RemoveAll(rootDir) 2098 if err != nil { 2099 t.Errorf("RemoveAll failed: %s", err) 2100 } 2101 }() 2102 2103 server := TestGetServer(rootPort, rootDir, "", -1, t) 2104 if server == nil { 2105 return 2106 } 2107 longCN := randSeq(65) 2108 err = server.RegisterBootstrapUser(longCN, "pass", "") 2109 if err != nil { 2110 t.Errorf("Failed to register bootstrap user: %s", err) 2111 } 2112 err = server.Start() 2113 if err != nil { 2114 t.Fatalf("Server start failed: %s", err) 2115 } 2116 defer func() { 2117 err = server.Stop() 2118 if err != nil { 2119 t.Errorf("Failed to stop server: %s", err) 2120 } 2121 }() 2122 2123 // Passing case: all value are of appropriate length 2124 client := getRootClient() 2125 csr1 := api.CSRInfo{ 2126 CN: "test", 2127 Names: []csr.Name{ 2128 csr.Name{ 2129 C: "US", 2130 ST: "North Carolina", 2131 L: "Raleigh", 2132 O: "Hyperledger", 2133 OU: "Fabric", 2134 }, 2135 csr.Name{ 2136 C: "CA", 2137 }, 2138 }, 2139 SerialNumber: "123abc", 2140 } 2141 _, err = client.Enroll(&api.EnrollmentRequest{ 2142 Name: "admin", 2143 Secret: "adminpw", 2144 CSR: &csr1, 2145 }) 2146 if err != nil { 2147 t.Error("Failed to enroll user in passing case: ", err) 2148 } 2149 2150 // Failing case: CN is greater than 64 characters 2151 badCSR := &api.CSRInfo{ 2152 CN: longCN, 2153 } 2154 _, err = client.Enroll(&api.EnrollmentRequest{ 2155 Name: longCN, 2156 Secret: "pass", 2157 CSR: badCSR, 2158 }) 2159 if assert.Error(t, err, fmt.Sprint("Number of characters for CN is greater than the maximum limit, should have resulted in an error")) { 2160 assert.Contains(t, err.Error(), "CN") 2161 } 2162 2163 // CSRs that test failing cases for other fields in the CSR 2164 badCSRs := map[string]*api.CSRInfo{ 2165 "country": &api.CSRInfo{ 2166 Names: []csr.Name{ 2167 csr.Name{ 2168 C: randSeq(3), 2169 }, 2170 }, 2171 }, 2172 "locality": &api.CSRInfo{ 2173 Names: []csr.Name{ 2174 csr.Name{ 2175 L: randSeq(129), 2176 }, 2177 }, 2178 }, 2179 "state": &api.CSRInfo{ 2180 Names: []csr.Name{ 2181 csr.Name{ 2182 ST: randSeq(129), 2183 }, 2184 }, 2185 }, 2186 "organization": &api.CSRInfo{ 2187 Names: []csr.Name{ 2188 csr.Name{ 2189 O: randSeq(65), 2190 }, 2191 }, 2192 }, 2193 "organizational unit": &api.CSRInfo{ 2194 Names: []csr.Name{ 2195 csr.Name{ 2196 OU: randSeq(65), 2197 }, 2198 }, 2199 }, 2200 "serial number": &api.CSRInfo{ 2201 SerialNumber: randSeq(65), 2202 }, 2203 } 2204 2205 for name, badCSR := range badCSRs { 2206 _, err = client.Enroll(&api.EnrollmentRequest{ 2207 Name: "admin", 2208 Secret: "adminpw", 2209 CSR: badCSR, 2210 }) 2211 if assert.Error(t, err, fmt.Sprintf("Number of characters for '%s' is greater than the maximum limit, should have resulted in an error", name)) { 2212 assert.Contains(t, err.Error(), name) 2213 } 2214 } 2215 } 2216 2217 func TestAutoTLSCertificateGeneration(t *testing.T) { 2218 err := os.RemoveAll(rootDir) 2219 if err != nil { 2220 t.Errorf("RemoveAll failed: %s", err) 2221 } 2222 err = os.RemoveAll("../testdata/msp/") 2223 if err != nil { 2224 t.Errorf("RemoveAll failed: %s", err) 2225 } 2226 defer func() { 2227 err = os.RemoveAll(rootDir) 2228 if err != nil { 2229 t.Errorf("RemoveAll failed: %s", err) 2230 } 2231 err = os.RemoveAll("../testdata/msp/") 2232 if err != nil { 2233 t.Errorf("RemoveAll failed: %s", err) 2234 } 2235 }() 2236 2237 srv := TestGetRootServer(t) 2238 2239 srv.Config.TLS.Enabled = true 2240 srv.Config.TLS.CertFile = "tls-cert.pem" 2241 srv.Config.CAcfg.CSR.CN = "fabric-ca-server" 2242 srv.Config.CAcfg.CSR.Hosts = []string{"localhost"} 2243 2244 err = srv.Start() 2245 if !assert.NoError(t, err, "Failed to start server") { 2246 t.Fatalf("Failed to start server: %s", err) 2247 } 2248 2249 cert, err := util.GetX509CertificateFromPEMFile(srv.Config.TLS.CertFile) 2250 assert.NoError(t, err, "Failed to get certificate") 2251 2252 // Check if the certificate has correct extended key usages 2253 clientAuth := false 2254 serverAuth := false 2255 for _, usage := range cert.ExtKeyUsage { 2256 if usage == x509.ExtKeyUsageClientAuth { 2257 clientAuth = true 2258 } 2259 if usage == x509.ExtKeyUsageServerAuth { 2260 serverAuth = true 2261 } 2262 } 2263 2264 if !clientAuth || !serverAuth { 2265 t.Error("Certificate does not have correct extended key usage. Should have ExtKeyUsageServerAuth and ExtKeyUsageClientAuth") 2266 } 2267 2268 trustedTLSCert, err := filepath.Abs(srv.CA.Config.CA.Certfile) 2269 trustedTLSCerts := []string{trustedTLSCert} 2270 2271 // Test enrolling with with client using TLS 2272 client := getTLSTestClient(7075, trustedTLSCerts) 2273 enrollReq := &api.EnrollmentRequest{ 2274 Name: "admin", 2275 Secret: "adminpw", 2276 } 2277 _, err = client.Enroll(enrollReq) 2278 assert.NoError(t, err, "Error occured during enrollment on TLS enabled fabric-ca server") 2279 2280 err = srv.Stop() 2281 assert.NoError(t, err, "Failed to stop server") 2282 2283 // Test the case where TLS key is provided but TLS certificate does not exist 2284 srv.Config.TLS.CertFile = "fake-tls-cert.pem" 2285 srv.Config.TLS.KeyFile = "key.pem" 2286 2287 err = srv.Start() 2288 if assert.Error(t, err, "Should have failed to start server where TLS key is specified but certificate does not exist") { 2289 assert.Contains(t, err.Error(), fmt.Sprintf("File specified by 'tls.keyfile' does not exist: %s", srv.Config.TLS.KeyFile)) 2290 } 2291 } 2292 func TestRegistrationAffiliation(t *testing.T) { 2293 // Start the server 2294 server := TestGetServer(rootPort, rootDir, "", -1, t) 2295 if server == nil { 2296 return 2297 } 2298 server.RegisterBootstrapUser("admin2", "admin2pw", "hyperledger") 2299 err := server.Start() 2300 assert.NoError(t, err, "Server start failed") 2301 defer func() { 2302 err = server.Stop() 2303 if err != nil { 2304 t.Errorf("Failed to stop server: %s", err) 2305 } 2306 err = os.RemoveAll("../testdata/msp") 2307 if err != nil { 2308 t.Errorf("RemoveAll failed: %s", err) 2309 } 2310 err = os.RemoveAll(rootDir) 2311 if err != nil { 2312 t.Errorf("RemoveAll failed: %s", err) 2313 } 2314 }() 2315 2316 // Enroll bootstrap user 2317 client := getRootClient() 2318 eresp, err := client.Enroll(&api.EnrollmentRequest{ 2319 Name: "admin", 2320 Secret: "adminpw", 2321 }) 2322 assert.NoError(t, err, "Failed to enroll bootstrap user") 2323 admin := eresp.Identity 2324 2325 // Registering with no affiliation specified, should default to using the registrar's affiliation 2326 _, err = admin.Register(&api.RegistrationRequest{ 2327 Name: "testuser", 2328 Type: "user", 2329 Affiliation: "", 2330 }) 2331 assert.NoError(t, err, "Client register failed") 2332 2333 db := server.DBAccessor() 2334 user, err := db.GetUser("testuser", nil) 2335 assert.NoError(t, err) 2336 2337 userAff := cadbuser.GetAffiliation(user) 2338 if userAff != "" { 2339 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected '' got %s", userAff) 2340 } 2341 2342 _, err = admin.Register(&api.RegistrationRequest{ 2343 Name: "testuser2", 2344 Type: "user", 2345 Affiliation: ".", 2346 }) 2347 assert.NoError(t, err, "Client register failed") 2348 2349 user, err = db.GetUser("testuser2", nil) 2350 assert.NoError(t, err) 2351 2352 userAff = cadbuser.GetAffiliation(user) 2353 if userAff != "" { 2354 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected '' got %s", userAff) 2355 } 2356 2357 eresp, err = client.Enroll(&api.EnrollmentRequest{ 2358 Name: "admin2", 2359 Secret: "admin2pw", 2360 }) 2361 assert.NoError(t, err, "Failed to enroll bootstrap user") 2362 admin2 := eresp.Identity // admin2 has an affiliation of 'hyperledger' 2363 2364 // Registering with no affiliation specified, should default to using the registrar's affiliation 2365 _, err = admin2.Register(&api.RegistrationRequest{ 2366 Name: "testuser3", 2367 Type: "user", 2368 Affiliation: "", 2369 }) 2370 assert.NoError(t, err, "Client register failed") 2371 2372 db = server.DBAccessor() 2373 user, err = db.GetUser("testuser3", nil) 2374 assert.NoError(t, err) 2375 2376 userAff = cadbuser.GetAffiliation(user) 2377 if userAff != "hyperledger" { 2378 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected 'hyperledger' got %s", userAff) 2379 } 2380 2381 _, err = admin2.Register(&api.RegistrationRequest{ 2382 Name: "testuser4", 2383 Type: "user", 2384 Affiliation: ".", 2385 }) 2386 assert.Error(t, err, "Should have failed, can't register a user with root affiliation if the registrar does not have root affiliation") 2387 } 2388 2389 func TestCompEnvVar(t *testing.T) { 2390 os.Setenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3", "badVal") 2391 defer os.Unsetenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3") 2392 2393 os.RemoveAll(rootDir) 2394 defer os.RemoveAll(rootDir) 2395 2396 server := TestGetRootServer(t) 2397 err := server.Init(false) 2398 util.ErrorContains(t, err, "parsing \"badVal\": invalid syntax", "Should error if using an invalid boolean value") 2399 2400 os.Setenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3", "true") 2401 err = server.Init(false) 2402 assert.NoError(t, err) 2403 } 2404 2405 func cleanMultiCADir(t *testing.T) { 2406 var err error 2407 caFolder := "../testdata/ca" 2408 toplevelFolders := []string{"intermediateca", "rootca"} 2409 nestedFolders := []string{"ca1", "ca2", "ca3"} 2410 removeFiles := []string{"ca-cert.pem", "ca-key.pem", "fabric-ca-server.db", 2411 "fabric-ca2-server.db", "ca-chain.pem", "IssuerPublicKey", "IssuerSecretKey", "IssuerRevocationPublicKey"} 2412 2413 for _, topFolder := range toplevelFolders { 2414 for _, nestedFolder := range nestedFolders { 2415 path := filepath.Join(caFolder, topFolder, nestedFolder) 2416 for _, file := range removeFiles { 2417 err = os.RemoveAll(filepath.Join(path, file)) 2418 if err != nil { 2419 t.Errorf("RemoveAll failed: %s", err) 2420 } 2421 } 2422 err = os.RemoveAll(filepath.Join(path, "msp")) 2423 if err != nil { 2424 t.Errorf("RemoveAll failed: %s", err) 2425 } 2426 } 2427 } 2428 err = os.RemoveAll("../testdata/ca/intermediateca/ca1/msp") 2429 if err != nil { 2430 t.Errorf("RemoveAll failed: %s", err) 2431 } 2432 err = os.RemoveAll("multica") 2433 if err != nil { 2434 t.Errorf("RemoveAll failed: %s", err) 2435 } 2436 err = os.RemoveAll("msp") 2437 if err != nil { 2438 t.Errorf("RemoveAll failed: %s", err) 2439 } 2440 } 2441 2442 func getRootServerURL() string { 2443 return fmt.Sprintf("http://admin:adminpw@localhost:%d", rootPort) 2444 } 2445 2446 func getRootServer(t *testing.T) *Server { 2447 return getServer(rootPort, rootDir, "", -1, t) 2448 } 2449 2450 func getIntermediateServer(idx int, t *testing.T) *Server { 2451 return getServer( 2452 intermediatePort, 2453 path.Join(intermediateDir, strconv.Itoa(idx)), 2454 getRootServerURL(), 2455 -1, 2456 t) 2457 } 2458 2459 func getServer(port int, home, parentURL string, maxEnroll int, t *testing.T) *Server { 2460 if home != testdataDir { 2461 err := os.RemoveAll(home) 2462 if err != nil { 2463 t.Errorf("RemoveAll failed: %s", err) 2464 } 2465 } 2466 affiliations := map[string]interface{}{ 2467 "hyperledger": map[string]interface{}{ 2468 "fabric": []string{"ledger", "orderer", "security"}, 2469 "fabric-ca": nil, 2470 "sdk": nil, 2471 }, 2472 "org2": nil, 2473 } 2474 2475 srv := &Server{ 2476 Config: &ServerConfig{ 2477 Port: port, 2478 Debug: true, 2479 }, 2480 CA: CA{ 2481 Config: &CAConfig{ 2482 Intermediate: IntermediateCA{ 2483 ParentServer: ParentServer{ 2484 URL: parentURL, 2485 }, 2486 }, 2487 Affiliations: affiliations, 2488 Registry: CAConfigRegistry{ 2489 MaxEnrollments: maxEnroll, 2490 }, 2491 }, 2492 }, 2493 HomeDir: home, 2494 } 2495 // The bootstrap user's affiliation is the empty string, which 2496 // means the user is at the affiliation root 2497 err := srv.RegisterBootstrapUser("admin", "adminpw", "") 2498 if err != nil { 2499 t.Errorf("Failed to register bootstrap user: %s", err) 2500 return nil 2501 } 2502 // Error case of empty bootstrap data 2503 err = srv.RegisterBootstrapUser("admin", "", "") 2504 t.Logf("Empty bootstrap id: %s", err) 2505 if err == nil { 2506 t.Errorf("register bootstrap user should have failed") 2507 return nil 2508 } 2509 return srv 2510 } 2511 2512 func getRootClient() *Client { 2513 return getTestClient(rootPort) 2514 } 2515 2516 func getIntermediateClient() *Client { 2517 return getTestClient(intermediatePort) 2518 } 2519 2520 func getTestClient(port int) *Client { 2521 return &Client{ 2522 Config: &ClientConfig{URL: fmt.Sprintf("http://localhost:%d", port)}, 2523 HomeDir: testdataDir, 2524 } 2525 } 2526 2527 func getTLSTestClient(port int, trustedTLSCerts []string) *Client { 2528 return &Client{ 2529 Config: &ClientConfig{ 2530 URL: fmt.Sprintf("https://localhost:%d", port), 2531 TLS: libtls.ClientTLSConfig{ 2532 Enabled: true, 2533 CertFiles: trustedTLSCerts, 2534 }, 2535 }, 2536 HomeDir: testdataDir, 2537 } 2538 } 2539 2540 func getTLSConfig(srv *Server, clientAuthType string, clientRootCerts []string) *Server { 2541 srv.Config.TLS.Enabled = true 2542 srv.Config.TLS.CertFile = "../testdata/tls_server-cert.pem" 2543 srv.Config.TLS.KeyFile = "../testdata/tls_server-key.pem" 2544 srv.Config.TLS.ClientAuth.Type = clientAuthType 2545 srv.Config.TLS.ClientAuth.CertFiles = clientRootCerts 2546 2547 return srv 2548 } 2549 2550 func testRegistration(admin *Identity, t *testing.T) { 2551 name := "testRegistrationUser1" 2552 topAffiliation := "hyperledger" 2553 midAffiliation := "hyperledger.fabric" 2554 botAffiliation := "hyperledger.fabric.security" 2555 _, err := admin.RegisterAndEnroll(&api.RegistrationRequest{ 2556 Name: name, 2557 Type: "user", 2558 Affiliation: midAffiliation, 2559 Attributes: makeAttrs(t, "hf.Registrar.Roles=user", "hf.Registrar.DelegateRoles=user,peer"), 2560 }) 2561 if err == nil { 2562 t.Error("Should have failed to register delegate roles which exceed roles") 2563 } 2564 id1, err := admin.RegisterAndEnroll(&api.RegistrationRequest{ 2565 Name: name, 2566 Type: "user", 2567 Affiliation: midAffiliation, 2568 Attributes: makeAttrs(t, "hf.Registrar.Roles=user,peer", "hf.Registrar.DelegateRoles=user", "hf.Registrar.Attributes=*"), 2569 }) 2570 if err != nil { 2571 t.Fatalf("%s", err) 2572 } 2573 _, err = id1.RegisterAndEnroll(&api.RegistrationRequest{ 2574 Name: name, 2575 Type: "user", 2576 Affiliation: botAffiliation, 2577 Attributes: makeAttrs(t, "hf.Registrar.Roles=peer"), 2578 }) 2579 if err == nil { 2580 t.Error("ID1 should not be allowed to delegate peer registration to another identity") 2581 } 2582 _, err = id1.RegisterAndEnroll(&api.RegistrationRequest{ 2583 Name: name, 2584 Type: "user", 2585 Affiliation: topAffiliation, 2586 }) 2587 if err == nil { 2588 t.Error("ID1 should not be allowed to registrar outside of its affiliation hierarchy") 2589 } 2590 name = "testRegistrationUser2" 2591 id2, err := id1.RegisterAndEnroll(&api.RegistrationRequest{ 2592 Name: name, 2593 Type: "user", 2594 Affiliation: botAffiliation, 2595 }) 2596 if err != nil { 2597 t.Fatalf("ID1 failed to register %s: %s", name, err) 2598 } 2599 name = "testRegistrationUser3" 2600 _, err = id2.RegisterAndEnroll(&api.RegistrationRequest{ 2601 Name: name, 2602 Type: "user", 2603 Affiliation: botAffiliation, 2604 }) 2605 if err == nil { 2606 t.Error("ID2 should not be allowed to register") 2607 } 2608 } 2609 2610 func makeAttrs(t *testing.T, args ...string) []api.Attribute { 2611 attrs := make([]api.Attribute, len(args)) 2612 for idx, attr := range args { 2613 eles := strings.Split(attr, "=") 2614 if len(eles) != 2 { 2615 t.Fatalf("Not two elements in %s", attr) 2616 } 2617 attrs[idx].Name = eles[0] 2618 attrs[idx].Value = eles[1] 2619 } 2620 return attrs 2621 } 2622 2623 func writeCAFile(name, parentcaname, filename, home string, port int, t *testing.T) { 2624 contents := fmt.Sprintf(` 2625 ca: 2626 name: %s 2627 intermediate: 2628 parentserver: 2629 url: http://admin:adminpw@localhost:%d 2630 caname: %s 2631 `, name, port, parentcaname) 2632 os.MkdirAll(home, 0755) 2633 fpath := path.Join(home, fmt.Sprintf("%s.yaml", filename)) 2634 err := ioutil.WriteFile(fpath, []byte(contents), 0644) 2635 if err != nil { 2636 t.Fatalf("Failed to create ca1.yaml: %s", err) 2637 } 2638 } 2639 2640 var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") 2641 2642 func randSeq(n int) string { 2643 b := make([]rune, n) 2644 for i := range b { 2645 b[i] = letters[rand.Intn(len(letters))] 2646 } 2647 return string(b) 2648 } 2649 2650 func testBadCryptoData(t *testing.T, s *Server, testData []string) { 2651 config := []string{"ca/rootca/ca1/fabric-ca-server-config.yaml"} 2652 sCert := "../testdata/ca/rootca/ca1/ca-cert.pem" 2653 sKey := "../testdata/ca/rootca/ca1/ca-key.pem" 2654 // Starting server with expired certificate 2655 err := CopyFile(testData[0], sCert) 2656 if err != nil { 2657 t.Errorf("Failed to copy expired cert to %s failed: %v", testData[0], err) 2658 } 2659 err = CopyFile(testData[1], sKey) 2660 if err != nil { 2661 t.Errorf("Failed to copy key to %s failed: %v", testData[1], err) 2662 } 2663 s.Config.CAfiles = config 2664 err = s.Start() 2665 t.Logf("srvStart ERROR %v", err) 2666 if err == nil { 2667 t.Errorf("Should have failed to start server, %s", testData[2]) 2668 err = s.Stop() 2669 if err != nil { 2670 t.Errorf("Failed to stop server: %s", err) 2671 } 2672 } 2673 err = os.Remove(sCert) 2674 if err != nil { 2675 t.Errorf("Remove failed: %s", err) 2676 } 2677 err = os.Remove(sKey) 2678 if err != nil { 2679 t.Errorf("Remove failed: %s", err) 2680 } 2681 } 2682 2683 func cleanTestSlateSRV(t *testing.T) { 2684 err := os.RemoveAll("../testdata/ca-cert.pem") 2685 if err != nil { 2686 t.Errorf("RemoveAll failed: %s", err) 2687 } 2688 err = os.RemoveAll("../testdata/ca-key.pem") 2689 if err != nil { 2690 t.Errorf("RemoveAll failed: %s", err) 2691 } 2692 err = os.RemoveAll("../testdata/fabric-ca-server.db") 2693 if err != nil { 2694 t.Errorf("RemoveAll failed: %s", err) 2695 } 2696 err = os.RemoveAll(rootDir) 2697 if err != nil { 2698 t.Errorf("RemoveAll failed: %s", err) 2699 } 2700 err = os.RemoveAll(intermediateDir) 2701 if err != nil { 2702 t.Errorf("RemoveAll failed: %s", err) 2703 } 2704 err = os.RemoveAll("multica") 2705 if err != nil { 2706 t.Errorf("RemoveAll failed: %s", err) 2707 } 2708 err = os.RemoveAll(serversDir) 2709 if err != nil { 2710 t.Errorf("RemoveAll failed: %s", err) 2711 } 2712 err = os.RemoveAll("../testdata/msp") 2713 if err != nil { 2714 t.Errorf("RemoveAll failed: %s", err) 2715 } 2716 err = os.RemoveAll("msp") 2717 if err != nil { 2718 t.Errorf("RemoveAll failed: %s", err) 2719 } 2720 err = os.RemoveAll("../util/msp") 2721 if err != nil { 2722 t.Errorf("RemoveAll failed: %s", err) 2723 } 2724 cleanMultiCADir(t) 2725 } 2726 2727 func TestStatsdMetricsE2E(t *testing.T) { 2728 gt := NewGomegaWithT(t) 2729 var err error 2730 2731 server := TestGetRootServer(t) 2732 2733 // Statsd 2734 datagramReader := NewDatagramReader(t) 2735 go datagramReader.Start() 2736 defer datagramReader.Close() 2737 2738 server.Config.Metrics = operations.MetricsOptions{ 2739 Provider: "statsd", 2740 Statsd: &operations.Statsd{ 2741 Network: "udp", 2742 Address: datagramReader.Address(), 2743 Prefix: "server", 2744 WriteInterval: time.Duration(time.Millisecond), 2745 }, 2746 } 2747 2748 server.CA.Config.CA.Name = "ca" 2749 err = server.Start() 2750 gt.Expect(err).NotTo(HaveOccurred()) 2751 defer server.Stop() 2752 defer os.RemoveAll(rootDir) 2753 2754 client := TestGetClient(rootPort, "metrics") 2755 _, err = client.Enroll(&api.EnrollmentRequest{ 2756 Name: "admin", 2757 Secret: "badpass", 2758 CAName: "ca", 2759 }) 2760 gt.Expect(err).To(HaveOccurred()) 2761 defer os.RemoveAll("metrics") 2762 2763 _, err = client.Enroll(&api.EnrollmentRequest{ 2764 Name: "admin", 2765 Secret: "adminpw", 2766 CAName: "ca", 2767 }) 2768 gt.Expect(err).NotTo(HaveOccurred()) 2769 2770 eventuallyTimeout := 10 * time.Second 2771 gt.Eventually(datagramReader, eventuallyTimeout).Should(gbytes.Say("serverx.api_request.count.ca.enroll.201:1.000000|c")) 2772 gt.Eventually(datagramReader, eventuallyTimeout).Should(gbytes.Say("server.api_request.duration.ca.enroll.201")) 2773 contents := datagramReader.String() 2774 gt.Expect(contents).To(ContainSubstring("server.api_request.duration.ca.enroll.401")) 2775 gt.Expect(contents).To(ContainSubstring("server.api_request.count.ca.enroll.401:1.000000|c")) 2776 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetRAInfo.Select:1.000000|c")) 2777 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateAffiliationsTable.Exec:2.000000|c")) 2778 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateCertificatesTable.Exec:2.000000|c")) 2779 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreatePropertiesTable.Exec:2.000000|c")) 2780 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetProperty.Get:12.000000|c")) 2781 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.InsertAffiliation.Exec:11.000000|c")) 2782 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateTable.Commit:1.000000|c")) 2783 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetUserLessThanLevel.Queryx:1.000000|c")) 2784 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateAffiliationsTable.Exec:4.000000|c")) 2785 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.Migration.Commit:1.000000|c")) 2786 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateUsersTable.Exec:3.000000|c")) 2787 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateCertificatesTable.Exec:4.000000|c")) 2788 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetUser.Get:1.000000|c")) 2789 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.AddRAInfo.NamedExec:1.000000|c")) 2790 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateCredentialsTable.Exec:1.000000|c")) 2791 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateRevocationAuthorityTable.Exec:1.000000|c")) 2792 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateNoncesTable.Exec:1.000000|c")) 2793 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateUsersTable.Exec:7.000000|c")) 2794 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreatePropertiesTable.Exec")) 2795 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetUserLessThanLevel.Queryx")) 2796 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateCertificatesTable.Exec")) 2797 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetUser.Get")) 2798 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.Migration.Commit")) 2799 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.InsertUser.NamedExec")) 2800 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateAffiliationsTable.Exec")) 2801 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateCredentialsTable.Exec")) 2802 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateRevocationAuthorityTable.Exec")) 2803 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateNoncesTable.Exec")) 2804 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetProperty.Get")) 2805 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.AddRAInfo.NamedExec")) 2806 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateCertificatesTable.Exec")) 2807 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateTable.Commit")) 2808 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateUsersTable.Exec")) 2809 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.InsertAffiliation.Exec")) 2810 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetRAInfo.Select")) 2811 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateUsersTable.Exec")) 2812 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateAffiliationsTable.Exec")) 2813 } 2814 2815 func TestPrometheusMetricsE2E(t *testing.T) { 2816 gt := NewGomegaWithT(t) 2817 var err error 2818 2819 server := TestGetRootServer(t) 2820 // Prometheus 2821 server.Config.Metrics.Provider = "prometheus" 2822 server.Config.Operations.ListenAddress = "localhost:0" 2823 2824 server.Config.Operations.TLS = operations.TLS{ 2825 Enabled: true, 2826 CertFile: filepath.Join(testdata, "tls_server-cert.pem"), 2827 KeyFile: filepath.Join(testdata, "tls_server-key.pem"), 2828 ClientCertRequired: true, 2829 ClientCACertFiles: []string{"../testdata/root.pem"}, 2830 } 2831 2832 server.CA.Config.CA.Name = "ca" 2833 err = server.Start() 2834 gt.Expect(err).NotTo(HaveOccurred()) 2835 defer server.Stop() 2836 defer os.RemoveAll(rootDir) 2837 2838 client := TestGetClient(rootPort, "metrics") 2839 _, err = client.Enroll(&api.EnrollmentRequest{ 2840 Name: "admin", 2841 Secret: "badpass", 2842 CAName: "ca", 2843 }) 2844 gt.Expect(err).To(HaveOccurred()) 2845 defer os.RemoveAll("metrics") 2846 2847 _, err = client.Enroll(&api.EnrollmentRequest{ 2848 Name: "admin", 2849 Secret: "adminpw", 2850 CAName: "ca", 2851 }) 2852 gt.Expect(err).NotTo(HaveOccurred()) 2853 2854 // Prometheus client 2855 clientCert, err := tls.LoadX509KeyPair( 2856 filepath.Join(testdata, "tls_client-cert.pem"), 2857 filepath.Join(testdata, "tls_client-key.pem"), 2858 ) 2859 gt.Expect(err).NotTo(HaveOccurred()) 2860 clientCertPool := x509.NewCertPool() 2861 caCert, err := ioutil.ReadFile(filepath.Join(testdata, "root.pem")) 2862 gt.Expect(err).NotTo(HaveOccurred()) 2863 clientCertPool.AppendCertsFromPEM(caCert) 2864 2865 c := &http.Client{ 2866 Transport: &http.Transport{ 2867 TLSClientConfig: &tls.Config{ 2868 Certificates: []tls.Certificate{clientCert}, 2869 RootCAs: clientCertPool, 2870 }, 2871 }, 2872 } 2873 2874 addr := strings.Split(server.Operations.Addr(), ":") 2875 metricsURL := fmt.Sprintf("https://localhost:%s/metrics", addr[1]) 2876 resp, err := c.Get(metricsURL) 2877 gt.Expect(err).NotTo(HaveOccurred()) 2878 gt.Expect(resp.StatusCode).To(Equal(http.StatusOK)) 2879 defer resp.Body.Close() 2880 2881 bodyBytes, err := ioutil.ReadAll(resp.Body) 2882 gt.Expect(err).NotTo(HaveOccurred()) 2883 body := string(bodyBytes) 2884 2885 err = server.Stop() 2886 gt.Expect(err).NotTo(HaveOccurred()) 2887 2888 gt.Expect(body).To(ContainSubstring(`# HELP api_request_count Number of requests made to an API`)) 2889 gt.Expect(body).To(ContainSubstring(`# TYPE api_request_count counter`)) 2890 gt.Expect(body).To(ContainSubstring(`api_request_count{api_name="enroll",ca_name="ca",status_code="201"} 1`)) 2891 gt.Expect(body).To(ContainSubstring(`api_request_count{api_name="enroll",ca_name="ca",status_code="401"} 1`)) 2892 gt.Expect(body).To(ContainSubstring(`# HELP api_request_duration Time taken in seconds for the request to an API to be completed`)) 2893 gt.Expect(body).To(ContainSubstring(`# TYPE api_request_duration histogram`)) 2894 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.005"}`)) 2895 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.01"}`)) 2896 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.025"}`)) 2897 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.05"}`)) 2898 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.1"}`)) 2899 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.25"}`)) 2900 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.5"}`)) 2901 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="1"}`)) 2902 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="2.5"}`)) 2903 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="5"}`)) 2904 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="10"}`)) 2905 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="+Inf"}`)) 2906 gt.Expect(body).To(ContainSubstring(`api_request_duration_sum{api_name="enroll",ca_name="ca",status_code="201"}`)) 2907 gt.Expect(body).To(ContainSubstring(`api_request_duration_count{api_name="enroll",ca_name="ca",status_code="201"} 1`)) 2908 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.005"}`)) 2909 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.01"}`)) 2910 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.025"}`)) 2911 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.05"}`)) 2912 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.1"}`)) 2913 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.25"}`)) 2914 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.5"}`)) 2915 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="1"}`)) 2916 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="2.5"}`)) 2917 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="5"}`)) 2918 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="10"}`)) 2919 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="+Inf"}`)) 2920 gt.Expect(body).To(ContainSubstring(`api_request_duration_sum{api_name="enroll",ca_name="ca",status_code="401"}`)) 2921 gt.Expect(body).To(ContainSubstring(`api_request_duration_count{api_name="enroll",ca_name="ca",status_code="401"} 1`)) 2922 gt.Expect(body).To(ContainSubstring(`# HELP db_api_request_count Number of requests made to a database API`)) 2923 gt.Expect(body).To(ContainSubstring(`# TYPE db_api_request_count counter`)) 2924 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Commit",func_name="CreateTable"} 1`)) 2925 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Commit",func_name="Migration"} 1`)) 2926 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateAffiliationsTable"} 2`)) 2927 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateCertificatesTable"} 2`)) 2928 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateCredentialsTable"} 1`)) 2929 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateNoncesTable"} 1`)) 2930 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreatePropertiesTable"} 2`)) 2931 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateRevocationAuthorityTable"} 1`)) 2932 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateUsersTable"} 3`)) 2933 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="IncrementIncorrectPasswordAttempts"} 1`)) 2934 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="InsertAffiliation"} 11`)) 2935 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="LoginComplete"} 1`)) 2936 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateAffiliationsTable"} 4`)) 2937 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateCertificatesTable"} 4`)) 2938 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateUsersTable"} 7`)) 2939 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="ResetIncorrectLoginAttempts"} 1`)) 2940 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="GetProperty"} 12`)) 2941 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="GetUser"} 5`)) 2942 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="ResetIncorrectLoginAttempts"} 1`)) 2943 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="AddRAInfo"} 1`)) 2944 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="InsertCertificate"} 1`)) 2945 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="InsertUser"} 1`)) 2946 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Queryx",func_name="GetUserLessThanLevel"} 1`)) 2947 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo"} 1`)) 2948 gt.Expect(body).To(ContainSubstring(`# HELP db_api_request_duration Time taken in seconds for the request to a database API to be completed`)) 2949 gt.Expect(body).To(ContainSubstring(`# TYPE db_api_request_duration histogram`)) 2950 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Commit",func_name="CreateTable",le="0.5"}`)) 2951 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Commit",func_name="Migration",le="0.5"}`)) 2952 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateAffiliationsTable",le="0.5"}`)) 2953 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateCertificatesTable",le="0.5"}`)) 2954 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateCredentialsTable",le="0.5"}`)) 2955 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateNoncesTable",le="0.5"}`)) 2956 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreatePropertiesTable",le="0.5"}`)) 2957 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateRevocationAuthorityTable",le="0.5"}`)) 2958 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateUsersTable",le="0.5"}`)) 2959 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="IncrementIncorrectPasswordAttempts",le="0.5"}`)) 2960 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="InsertAffiliation",le="0.5"}`)) 2961 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="LoginComplete",le="0.5"}`)) 2962 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateAffiliationsTable",le="0.5"}`)) 2963 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateCertificatesTable",le="0.5"}`)) 2964 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateUsersTable",le="0.5"}`)) 2965 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="GetProperty",le="0.5"}`)) 2966 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="GetUser",le="0.5"}`)) 2967 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="ResetIncorrectLoginAttempts",le="0.5"}`)) 2968 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="AddRAInfo",le="0.5"}`)) 2969 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="InsertCertificate",le="0.5"}`)) 2970 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="InsertUser",le="0.5"}`)) 2971 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Queryx",func_name="GetUserLessThanLevel",le="0.5"}`)) 2972 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo",le="0.25"}`)) 2973 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo",le="0.5"}`)) 2974 } 2975 2976 type DatagramReader struct { 2977 buffer *gbytes.Buffer 2978 errCh chan error 2979 sock *net.UDPConn 2980 doneCh chan struct{} 2981 closeOnce sync.Once 2982 err error 2983 } 2984 2985 func NewDatagramReader(t *testing.T) *DatagramReader { 2986 gt := NewGomegaWithT(t) 2987 2988 udpAddr, err := net.ResolveUDPAddr("udp", "127.0.0.1:0") 2989 gt.Expect(err).NotTo(HaveOccurred()) 2990 sock, err := net.ListenUDP("udp", udpAddr) 2991 gt.Expect(err).NotTo(HaveOccurred()) 2992 err = sock.SetReadBuffer(1024 * 1024) 2993 gt.Expect(err).NotTo(HaveOccurred()) 2994 2995 return &DatagramReader{ 2996 buffer: gbytes.NewBuffer(), 2997 sock: sock, 2998 errCh: make(chan error, 1), 2999 doneCh: make(chan struct{}), 3000 } 3001 } 3002 3003 func (dr *DatagramReader) Buffer() *gbytes.Buffer { 3004 return dr.buffer 3005 } 3006 3007 func (dr *DatagramReader) Address() string { 3008 return dr.sock.LocalAddr().String() 3009 } 3010 3011 func (dr *DatagramReader) String() string { 3012 return string(dr.buffer.Contents()) 3013 } 3014 3015 func (dr *DatagramReader) Start() { 3016 buf := make([]byte, 1024*1024) 3017 for { 3018 select { 3019 case <-dr.doneCh: 3020 dr.errCh <- nil 3021 return 3022 3023 default: 3024 n, _, err := dr.sock.ReadFrom(buf) 3025 if err != nil { 3026 dr.errCh <- err 3027 return 3028 } 3029 _, err = dr.buffer.Write(buf[0:n]) 3030 if err != nil { 3031 dr.errCh <- err 3032 return 3033 } 3034 } 3035 } 3036 } 3037 3038 func (dr *DatagramReader) Close() error { 3039 dr.closeOnce.Do(func() { 3040 close(dr.doneCh) 3041 err := dr.sock.Close() 3042 dr.err = <-dr.errCh 3043 if dr.err == nil && err != nil && err != io.EOF { 3044 dr.err = err 3045 } 3046 }) 3047 return dr.err 3048 } 3049 3050 func getMysqlDb(m *mysql.Mysql) (*db.DB, error) { 3051 err := m.Connect() 3052 if err != nil { 3053 return nil, err 3054 } 3055 testdb, err := m.Create() 3056 if err != nil { 3057 return nil, err 3058 } 3059 return testdb, nil 3060 }