github.com/adecaro/fabric-ca@v2.0.0-alpha+incompatible/lib/server_test.go (about) 1 /* 2 Copyright IBM Corp. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package lib_test 8 9 import ( 10 "bytes" 11 "crypto/tls" 12 "crypto/x509" 13 "fmt" 14 "io" 15 "io/ioutil" 16 "math/rand" 17 "net" 18 "net/http" 19 "os" 20 "path" 21 "path/filepath" 22 "strconv" 23 "strings" 24 "sync" 25 "testing" 26 "time" 27 28 "github.com/cloudflare/cfssl/certdb" 29 "github.com/cloudflare/cfssl/csr" 30 "github.com/hyperledger/fabric-ca/api" 31 . "github.com/hyperledger/fabric-ca/lib" 32 "github.com/hyperledger/fabric-ca/lib/metadata" 33 "github.com/hyperledger/fabric-ca/lib/server/db" 34 "github.com/hyperledger/fabric-ca/lib/server/db/mysql" 35 "github.com/hyperledger/fabric-ca/lib/server/operations" 36 cadbuser "github.com/hyperledger/fabric-ca/lib/server/user" 37 libtls "github.com/hyperledger/fabric-ca/lib/tls" 38 "github.com/hyperledger/fabric-ca/util" 39 "github.com/hyperledger/fabric/bccsp/factory" 40 "github.com/hyperledger/fabric/common/metrics/disabled" 41 . "github.com/onsi/gomega" 42 "github.com/onsi/gomega/gbytes" 43 "github.com/spf13/viper" 44 "github.com/stretchr/testify/assert" 45 ) 46 47 const ( 48 rootPort = 7075 49 rootDir = "rootDir" 50 intermediatePort = 7076 51 intermediateDir = "intDir" 52 testdataDir = "../testdata" 53 pportEnvVar = "FABRIC_CA_SERVER_PROFILE_PORT" 54 testdata = "../testdata" 55 ) 56 57 func TestMain(m *testing.M) { 58 metadata.Version = "1.1.0" 59 os.Exit(m.Run()) 60 } 61 62 func TestSRVServerInit(t *testing.T) { 63 server := TestGetRootServer(t) 64 if server == nil { 65 return 66 } 67 68 err := server.Init(false) 69 if err != nil { 70 t.Errorf("First server init failed") 71 } 72 defer func() { 73 err = os.RemoveAll(rootDir) 74 if err != nil { 75 t.Errorf("RemoveAll failed: %s", err) 76 } 77 }() 78 err = server.Init(false) 79 if err != nil { 80 t.Errorf("Second server init failed") 81 } 82 err = server.Init(true) 83 if err != nil { 84 t.Errorf("Third Server init renew failed: %s", err) 85 } 86 // Verify that the duration of the newly created certificate is 15 years 87 d, err := util.GetCertificateDurationFromFile(path.Join(rootDir, "ca-cert.pem")) 88 assert.NoError(t, err) 89 assert.True(t, d.Hours() == 131400, fmt.Sprintf("Expecting 131400 but found %f", d.Hours())) 90 91 server.Config.CAcfg.CA.Certfile = "../testdata/ec.pem" 92 server.Config.CAcfg.CA.Keyfile = "../testdata/ec-key.pem" 93 err = server.Init(false) 94 if err != nil { 95 t.Errorf("Server init with known key/cert files failed: %s", err) 96 } 97 server.Config.CAcfg.CA.Certfile = "" 98 server.Config.CAcfg.CA.Keyfile = "" 99 err = server.Init(false) 100 if err != nil { 101 t.Errorf("Server init with known key/cert files failed: %s", err) 102 } 103 104 // Fail case - cannot get home directory 105 wd, err := os.Getwd() 106 if err != nil { 107 t.Fatalf("failed to get cwd: %s", err) 108 } 109 td, err := ioutil.TempDir("", "ServerInitStat") 110 if err != nil { 111 t.Fatalf("failed to get tmp dir: %s", err) 112 } 113 defer func() { 114 err = os.RemoveAll(td) 115 if err != nil { 116 t.Fatalf("RemoveAll failed: %s", err) 117 } 118 }() 119 server.HomeDir = "" 120 err = os.Chdir(td) 121 if err != nil { 122 t.Fatalf("failed to cd to %v: %s", td, err) 123 } 124 defer func() { 125 err = os.Chdir(wd) 126 if err != nil { 127 t.Fatalf("failed to cd to %v: %s", wd, err) 128 } 129 }() 130 fileInfo, err := os.Stat(".") 131 if err != nil { 132 t.Fatalf("os.Stat failed on current dir: %s", err) 133 } 134 oldmode := fileInfo.Mode() 135 curd, err := os.Getwd() 136 t.Logf("Current dir: %s", fileInfo.Name()) 137 t.Logf("Current curd: %v", curd) 138 err = os.Chmod(".", 0000) 139 if err != nil { 140 t.Fatalf("Chmod on %s failed: %s", fileInfo.Name(), err) 141 } 142 defer func() { 143 err = os.Chmod(td, oldmode) 144 if err != nil { 145 t.Fatalf("Chmod on %s failed: %s", td, err) 146 } 147 }() 148 149 err = server.Init(false) 150 t.Logf("Server.Init error: %v", err) 151 if err == nil { 152 t.Errorf("Server init should have failed (permission error)") 153 } 154 155 server.HomeDir = "" 156 } 157 158 func TestSRVRootServer(t *testing.T) { 159 var err error 160 var admin, user1 *Identity 161 var rr *api.RegistrationResponse 162 var recs []db.CertRecord 163 164 // Start the server 165 server := TestGetRootServer(t) 166 if server == nil { 167 return 168 } 169 err = server.Start() 170 if err != nil { 171 t.Fatalf("Server start failed: %s", err) 172 } 173 defer func() { 174 err = server.Stop() 175 if err != nil { 176 t.Errorf("Failed to stop server: %s", err) 177 } 178 err = os.RemoveAll(rootDir) 179 if err != nil { 180 t.Errorf("RemoveAll failed: %s", err) 181 } 182 err = os.RemoveAll("../testdata/msp") 183 if err != nil { 184 t.Errorf("RemoveAll failed: %s", err) 185 } 186 }() 187 err = server.Start() 188 t.Logf("Starting duplicate CA server: %s", err) 189 if err == nil { 190 t.Fatalf("Server start should have failed") 191 } 192 193 // Enroll request 194 client := getRootClient() 195 eresp, err := client.Enroll(&api.EnrollmentRequest{ 196 Name: "admin", 197 Secret: "adminpw", 198 }) 199 if err != nil { 200 t.Fatalf("Failed to enroll admin2/admin2pw: %s", err) 201 } 202 admin = eresp.Identity 203 // test registration permissions wrt roles and affiliation 204 testRegistration(admin, t) 205 // Register user1 206 rr, err = admin.Register(&api.RegistrationRequest{ 207 Name: "user1", 208 Type: "user", 209 Affiliation: "hyperledger.fabric.security", 210 Attributes: []api.Attribute{api.Attribute{Name: "attr1", Value: "val1"}}, 211 }) 212 if err != nil { 213 t.Fatalf("Failed to register user1: %s", err) 214 } 215 // Enroll user1 with an explicit OU. Make sure it is ignored. 216 eresp, err = client.Enroll(&api.EnrollmentRequest{ 217 Name: "user1", 218 Secret: rr.Secret, 219 CSR: &api.CSRInfo{Names: []csr.Name{csr.Name{OU: "foobar"}}}, 220 }) 221 if err != nil { 222 t.Fatalf("Failed to enroll user1: %s", err) 223 } 224 user1 = eresp.Identity 225 // Make sure the OUs are correct based on the identity type and affiliation 226 cert := user1.GetECert().GetX509Cert() 227 assert.NotNil(t, cert, "Failed to get user1's enrollment certificate") 228 229 ouPath := strings.Join(cert.Subject.OrganizationalUnit, ".") 230 assert.Equal(t, "user.hyperledger.fabric.security", ouPath, "Invalid OU path in certificate") 231 232 // The admin ID should have 1 cert in the DB now 233 dba := server.CA.CertDBAccessor() 234 recs, err = dba.GetCertificatesByID("admin") 235 if err != nil { 236 t.Errorf("Could not get admin's certs from DB: %s", err) 237 } 238 if len(recs) != 1 { 239 t.Errorf("Admin should have 1 cert in DB but found %d", len(recs)) 240 } 241 _, err = dba.GetUnexpiredCertificates() 242 if err != nil { 243 t.Errorf("Failed to get unexpired certificates: %s", err) 244 } 245 dba = &CertDBAccessor{} 246 _, err = dba.RevokeCertificatesByID("", 0) 247 if err == nil { 248 t.Error("dba.RevokeCertificatesByID on empty accessor should have failed") 249 } 250 var cr certdb.CertificateRecord 251 err = dba.InsertCertificate(cr) 252 if err == nil { 253 t.Error("dba.InsertCertificate on empty accessor should have failed") 254 } 255 // User1 should not be allowed to register 256 user2Registration := &api.RegistrationRequest{ 257 Name: "user2", 258 Type: "user", 259 Affiliation: "hyperledger.fabric-ca", 260 } 261 _, err = user1.Register(user2Registration) 262 if err == nil { 263 t.Error("User1 should have failed to register user2") 264 } 265 // Admin should be allowed to register user2 266 _, err = admin.Register(user2Registration) 267 if err != nil { 268 t.Errorf("Admin failed to register user2: %s", err) 269 } 270 // User1 renew 271 eresp, err = user1.Reenroll(&api.ReenrollmentRequest{}) 272 if err != nil { 273 t.Fatalf("Failed to reenroll user1: %s", err) 274 } 275 user1 = eresp.Identity 276 // User1 should not be allowed to revoke admin 277 _, err = user1.Revoke(&api.RevocationRequest{Name: "admin"}) 278 if err == nil { 279 t.Error("User1 should not be allowed to revoke admin") 280 } 281 // User1 should not be allowed to revoke user2 because of affiliation 282 _, err = user1.Revoke(&api.RevocationRequest{Name: "user2"}) 283 if err == nil { 284 t.Error("User1 should not be allowed to revoke user2 because of affiliation") 285 } 286 // User1 get's batch of tcerts 287 _, err = user1.GetTCertBatch(&api.GetTCertBatchRequest{Count: 1, AttrNames: []string{"attr1"}}) 288 if err != nil { 289 t.Fatalf("Failed to get tcerts for user1: %s", err) 290 } 291 // User1 get's batch of tcerts with attributes 292 _, err = user1.GetTCertBatch(&api.GetTCertBatchRequest{Count: 1}) 293 if err != nil { 294 t.Fatalf("Failed to get tcerts for user1: %s", err) 295 } 296 // Admin should not be allowed to revoke an invalid cert 297 _, err = admin.Revoke(&api.RevocationRequest{AKI: "foo", Serial: "bar"}) 298 if err == nil { 299 t.Error("Admin should have failed to revoke foo/bar") 300 } 301 // Revoke user1's identity 302 _, err = admin.Revoke(&api.RevocationRequest{Name: "user1"}) 303 if err != nil { 304 t.Fatalf("Failed to revoke user1's identity: %s", err) 305 } 306 // User1 should not be allowed to get tcerts now that it is revoked 307 _, err = user1.GetTCertBatch(&api.GetTCertBatchRequest{Count: 1}) 308 if err == nil { 309 t.Errorf("User1 should have failed to get tcerts since it is revoked") 310 } 311 312 // Test to make sure that if an identity registered with an 313 // attribute 'hf.Revoker=false' should not be able to make a 314 // successfull revocation request 315 secret, err := admin.Register(&api.RegistrationRequest{ 316 Name: "user3", 317 Type: "user", 318 Affiliation: "hyperledger.fabric-ca", 319 Attributes: makeAttrs(t, "hf.Revoker=false"), 320 }) 321 assert.NoError(t, err, "Failed to register user") 322 eresp, err = client.Enroll(&api.EnrollmentRequest{ 323 Name: "user3", 324 Secret: secret.Secret, 325 }) 326 assert.NoError(t, err, "Failed to enroll user2") 327 user3 := eresp.Identity 328 // User3 should not be allowed to revoke because of attribute 'hf.Revoker=false' 329 _, err = user3.Revoke(&api.RevocationRequest{Name: "admin"}) 330 assert.Error(t, err) 331 332 // deferred cleanup 333 } 334 335 // Test passwords with lowercase "e" to make sure it is stored 336 // correctly in the database with no conversion problems. 337 // See https://jira.hyperledger.org/projects/FAB/issues/FAB-5188 338 func TestSRVSpecialPassword(t *testing.T) { 339 340 user := "admin2" 341 pwd := "034e220796" 342 343 // Start the server 344 server := TestGetRootServer(t) 345 if server == nil { 346 return 347 } 348 err := server.RegisterBootstrapUser(user, pwd, "") 349 if err != nil { 350 t.Fatalf("Failed to register %s: %s", user, err) 351 } 352 err = server.Start() 353 if err != nil { 354 t.Fatalf("Server start failed: %s", err) 355 } 356 defer func() { 357 err = server.Stop() 358 if err != nil { 359 t.Errorf("Failed to stop server: %s", err) 360 } 361 err = os.RemoveAll("../testdata/msp/") 362 if err != nil { 363 t.Errorf("RemoveAll failed: %s", err) 364 } 365 err = os.RemoveAll(rootDir) 366 if err != nil { 367 t.Errorf("RemoveAll failed: %s", err) 368 } 369 }() 370 371 // Enroll request 372 client := getRootClient() 373 _, err = client.Enroll(&api.EnrollmentRequest{Name: user, Secret: pwd}) 374 if err != nil { 375 t.Fatalf("Failed to enroll %s: %s", user, err) 376 } 377 } 378 379 // TestProfiling tests if profiling endpoint can be accessed when profiling is 380 // enabled and not accessible when disabled (default) 381 func TestSRVProfiling(t *testing.T) { 382 t.Log("start TestProfiling") 383 384 defer func() { 385 err := os.RemoveAll(rootDir) 386 if err != nil { 387 t.Errorf("RemoveAll failed: %s", err) 388 } 389 }() 390 391 pport := rootPort + 1000 392 url := fmt.Sprintf("http://localhost:%d/debug/pprof/heap", pport) 393 394 // Start the server with profiling disabled 395 os.Setenv(pportEnvVar, strconv.Itoa(-1)) 396 server := TestGetServer(rootPort, rootDir, "", -1, t) 397 if server == nil { 398 return 399 } 400 err := server.Start() 401 if err != nil { 402 t.Fatalf("Server start failed: %s", err) 403 } 404 resp1, err2 := sendGetReq(url, t) 405 // send heap profiling request to the server and expect a bad response 406 // as profiling is disabled 407 if err2 == nil && resp1.StatusCode == 200 { 408 responseData, _ := ioutil.ReadAll(resp1.Body) 409 t.Errorf("Expected error response for profile request %s but got good response: %s", 410 url, responseData) 411 } 412 err = server.Stop() 413 if err != nil { 414 t.Errorf("Failed to stop server: %s", err) 415 } 416 417 // Start the server with profiling enabled but port set to server port 418 os.Setenv(pportEnvVar, strconv.Itoa(rootPort)) 419 server = TestGetServer(rootPort, rootDir, "", -1, t) 420 if server == nil { 421 return 422 } 423 err = server.Start() 424 if err == nil { 425 t.Fatalf("Server should not have started because of port conflict") 426 } 427 428 // Start the server with profiling enabled 429 os.Setenv(pportEnvVar, strconv.Itoa(pport)) 430 defer os.Unsetenv(pportEnvVar) 431 server = TestGetServer(rootPort, rootDir, "", -1, t) 432 if server == nil { 433 return 434 } 435 err = server.Start() 436 if err != nil { 437 t.Fatalf("Server start failed: %s", err) 438 } 439 defer func() { 440 err = server.Stop() 441 if err != nil { 442 t.Errorf("Failed to stop server: %s", err) 443 } 444 }() 445 446 // send heap profiling request to the server and expect a 200 response 447 // as profiling is enabled 448 resp, err1 := sendGetReq(url, t) 449 if err1 != nil || resp.StatusCode != 200 { 450 if err1 == nil { 451 responseData, _ := ioutil.ReadAll(resp.Body) 452 err1 = fmt.Errorf("Invalid response %s with code %d returned for the request %s", 453 string(responseData), resp.StatusCode, url) 454 } 455 t.Errorf("Failed to send request to %s: %s", url, err1) 456 } 457 } 458 459 // sendGetReq sends GET request to the specified URL 460 func sendGetReq(url string, t *testing.T) (resp *http.Response, err error) { 461 req, err := http.NewRequest("GET", url, bytes.NewReader([]byte{})) 462 if err != nil { 463 t.Fatalf("Failed to create request for url %s: %s", url, err) 464 } 465 var tr = new(http.Transport) 466 httpClient := &http.Client{Transport: tr} 467 return httpClient.Do(req) 468 } 469 470 func TestSRVIntermediateServerWithFalseAttr(t *testing.T) { 471 var err error 472 473 err = os.RemoveAll(rootDir) 474 if err != nil { 475 t.Errorf("RemoveAll failed: %s", err) 476 } 477 478 // Start the root server 479 rootServer := TestGetRootServer(t) 480 if rootServer == nil { 481 return 482 } 483 rootServer.CA.Config.Registry.Identities[0].Attrs["hf.IntermediateCA"] = "false" 484 err = rootServer.Start() 485 if !assert.NoError(t, err, "Server failed start") { 486 assert.FailNow(t, err.Error()) 487 } 488 // Clean up when done 489 defer func() { 490 err = rootServer.Stop() 491 if err != nil { 492 t.Errorf("Failed to stop server: %s", err) 493 } 494 err = os.RemoveAll(rootDir) 495 if err != nil { 496 t.Errorf("RemoveAll failed: %s", err) 497 } 498 err = os.RemoveAll(intermediateDir) 499 if err != nil { 500 t.Errorf("RemoveAll failed: %s", err) 501 } 502 }() 503 504 intermediateServer := TestGetIntermediateServer(0, t) 505 if intermediateServer == nil { 506 return 507 } 508 509 err = intermediateServer.Init(false) 510 util.ErrorContains(t, err, "Authorization failure", "Should have failed, the attribute 'hf.IntermediateCA' is not set to true. Cannot register as Intermediate CA") 511 512 // deferred cleanup 513 } 514 515 func TestSRVIntermediateServer(t *testing.T) { 516 var err error 517 518 // Start the root server 519 rootServer := TestGetRootServer(t) 520 if rootServer == nil { 521 return 522 } 523 err = rootServer.Start() 524 if err != nil { 525 t.Fatalf("Root server start failed: %s", err) 526 } 527 defer func() { 528 err = rootServer.Stop() 529 if err != nil { 530 t.Errorf("Root server stop failed: %s", err) 531 } 532 err := os.RemoveAll("../testdata/msp") 533 if err != nil { 534 t.Errorf("RemoveAll failed: %s", err) 535 } 536 err = os.RemoveAll(rootDir) 537 if err != nil { 538 t.Errorf("RemoveAll failed: %s", err) 539 } 540 }() 541 542 for idx := 0; idx < 3; idx++ { 543 testIntermediateServer(idx, t) 544 } 545 // deferred cleanup 546 } 547 548 func TestSRVIntermediateServerWithTLS(t *testing.T) { 549 var err error 550 551 rootServer := TestGetRootServer(t) 552 if rootServer == nil { 553 return 554 } 555 rootServer.Config.TLS.Enabled = true 556 rootServer.Config.TLS.CertFile = "../../testdata/tls_server-cert.pem" 557 rootServer.Config.TLS.KeyFile = "../../testdata/tls_server-key.pem" 558 rootServer.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 559 rootServer.Config.TLS.ClientAuth.CertFiles = []string{"../../testdata/root.pem"} 560 561 //Invalid Authtype 562 rootServer.Config.TLS.ClientAuth.Type = "Token" 563 err = rootServer.Start() 564 t.Logf("rootServer.Start err %v", err) 565 if err == nil { 566 t.Fatal("Root server start should have failed: (invalid authtype)") 567 } 568 defer func() { 569 err = rootServer.Stop() 570 if err != nil { 571 t.Errorf("Root server stop failed: %s", err) 572 } 573 err = os.RemoveAll(rootDir) 574 if err != nil { 575 t.Errorf("RemoveAll failed: %s", err) 576 } 577 err = os.RemoveAll(intermediateDir) 578 if err != nil { 579 t.Errorf("RemoveAll failed: %s", err) 580 } 581 }() 582 583 //Valid authtype 584 rootServer.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 585 err = rootServer.Start() 586 t.Logf("rootServer.Start err %v", err) 587 if err != nil { 588 t.Fatal("Root server start failed") 589 } 590 parentURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 591 intermediateServer := TestGetServer(intermediatePort, intermediateDir, parentURL, -1, t) 592 if intermediateServer == nil { 593 return 594 } 595 intermediateServer.CA.Config.Intermediate.TLS.Client.CertFile = "../../testdata/tls_client-cert.pem" 596 intermediateServer.CA.Config.Intermediate.TLS.Client.KeyFile = "../../testdata/tls_client-key.pem" 597 intermediateServer.CA.Config.CSR.CN = "intermediateServer" 598 599 // Error case 1: CN specified for intermediate server 600 err = intermediateServer.Start() 601 if err == nil { 602 t.Errorf("CN specified for intermediate server, the server should have failed to start") 603 err = intermediateServer.Stop() 604 if err != nil { 605 t.Errorf("Failed to stop server: %s", err) 606 } 607 } 608 609 intermediateServer.CA.Config.CSR.CN = "" 610 intermediateServer.CA.Config.CSR.Hosts = []string{"testhost"} 611 612 // Error case 2: tls.certfiles not specified for intermediate server while connecting to parent CA server over TLS 613 err = intermediateServer.Start() 614 if err == nil { 615 t.Errorf("Certfiles not specified for the Intermediate server, the server should have failed to start") 616 err = intermediateServer.Stop() 617 if err != nil { 618 t.Errorf("Failed to stop server: %s", err) 619 } 620 } 621 622 // Success case 623 intermediateServer.CA.Config.Intermediate.TLS.CertFiles = []string{"../../testdata/root.pem"} 624 err = intermediateServer.Start() 625 if err != nil { 626 t.Errorf("Intermediate server start failed: %s", err) 627 err = intermediateServer.Stop() 628 if err != nil { 629 t.Errorf("Failed to stop server: %s", err) 630 } 631 } 632 time.Sleep(time.Second) 633 634 err = intermediateServer.Stop() 635 if err != nil { 636 t.Errorf("Intermediate server stop failed: %s", err) 637 } 638 639 // Make sure that the hostname was not inserted into the CA certificate 640 err = util.CheckHostsInCert(filepath.Join(intermediateDir, "ca-cert.pem"), "testhost") 641 if err == nil { 642 t.Error("A CA certificate should not have any hostnames") 643 } 644 645 // deferred cleanup 646 } 647 648 func TestSRVRunningTLSServer(t *testing.T) { 649 testDir := "tlsTestDir" 650 os.RemoveAll(testDir) 651 defer os.RemoveAll(testDir) 652 653 srv := TestGetServer(rootPort, testDir, "", -1, t) 654 655 srv.Config.TLS.Enabled = true 656 srv.Config.TLS.CertFile = "../../testdata/tls_server-cert.pem" 657 srv.Config.TLS.KeyFile = "../../testdata/tls_server-key.pem" 658 659 err := srv.Start() 660 if err != nil { 661 t.Fatalf("Server start failed: %s", err) 662 } 663 defer func() { 664 err = srv.Stop() 665 if err != nil { 666 t.Errorf("Failed to stop server: %s", err) 667 } 668 err = os.RemoveAll("../testdata/ca-cert.pem") 669 if err != nil { 670 t.Errorf("RemoveAll failed: %s", err) 671 } 672 err = os.RemoveAll("../testdata/fabric-ca-server.db") 673 if err != nil { 674 t.Errorf("RemoveAll failed: %s", err) 675 } 676 err = os.RemoveAll("../testdata/msp") 677 if err != nil { 678 t.Errorf("RemoveAll failed: %s", err) 679 } 680 }() 681 682 clientConfig := &ClientConfig{ 683 URL: fmt.Sprintf("https://localhost:%d", rootPort), 684 TLS: libtls.ClientTLSConfig{ 685 CertFiles: []string{"../testdata/root.pem"}, 686 Client: libtls.KeyCertFiles{ 687 KeyFile: "../testdata/tls_client-key.pem", 688 CertFile: "../testdata/tls_client-cert.pem", 689 }, 690 }, 691 } 692 693 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 694 695 _, err = clientConfig.Enroll(rawURL, testdataDir) 696 if err != nil { 697 t.Errorf("Failed to enroll over TLS: %s", err) 698 } 699 700 // make sure only TLS 1.2 is supported 701 rootPool := x509.NewCertPool() 702 rootBytes, _ := ioutil.ReadFile("../testdata/root.pem") 703 rootPool.AppendCertsFromPEM(rootBytes) 704 _, err = tls.Dial("tcp", fmt.Sprintf("localhost:%d", rootPort), &tls.Config{ 705 RootCAs: rootPool, 706 MinVersion: tls.VersionTLS12, 707 MaxVersion: tls.VersionTLS12, 708 }) 709 assert.NoError(t, err, "Should have connected using TLS 1.2") 710 for _, tlsVersion := range []uint16{tls.VersionSSL30, tls.VersionTLS10, tls.VersionTLS11} { 711 _, err = tls.Dial("tcp", fmt.Sprintf("localhost:%d", rootPort), &tls.Config{ 712 MinVersion: tlsVersion, 713 MaxVersion: tlsVersion, 714 }) 715 t.Logf("Attempting TLS version [%d]", tlsVersion) 716 assert.Error(t, err, "Should not have been able to connect with TLS version < 1.2") 717 assert.Contains(t, err.Error(), "protocol version not supported") 718 } 719 } 720 721 func TestSRVDefaultDatabase(t *testing.T) { 722 cleanTestSlateSRV(t) 723 defer func() { 724 err := os.RemoveAll("../testdata/ca-cert.pem") 725 if err != nil { 726 t.Errorf("RemoveAll failed: %s", err) 727 } 728 err = os.RemoveAll("../testdata/fabric-ca-server.db") 729 if err != nil { 730 t.Errorf("RemoveAll failed: %s", err) 731 } 732 err = os.RemoveAll("../testdata/msp") 733 if err != nil { 734 t.Errorf("RemoveAll failed: %s", err) 735 } 736 }() 737 738 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 739 740 err := srv.Start() 741 if err != nil { 742 t.Fatalf("Root server start failed: %s", err) 743 } 744 745 err = srv.Stop() 746 if err != nil { 747 t.Errorf("Failed to stop server: %s", err) 748 } 749 750 exist := util.FileExists("../testdata/fabric-ca-server.db") 751 if !exist { 752 t.Error("Failed to create default sqlite fabric-ca-server.db") 753 } 754 } 755 756 func TestSRVDefaultAddrPort(t *testing.T) { 757 cleanTestSlateSRV(t) 758 defer func() { 759 err := os.RemoveAll("../testdata/ca-cert.pem") 760 if err != nil { 761 t.Errorf("RemoveAll failed: %s", err) 762 } 763 err = os.RemoveAll("../testdata/fabric-ca-server.db") 764 if err != nil { 765 t.Errorf("RemoveAll failed: %s", err) 766 } 767 err = os.RemoveAll("../testdata/msp") 768 if err != nil { 769 t.Errorf("RemoveAll failed: %s", err) 770 } 771 }() 772 773 srv1 := getServer(rootPort, testdataDir, "", -1, t) 774 srv1.Config.Address = "" 775 srv1.Config.Port = 0 776 err := srv1.Start() 777 t.Logf("srv.Start err: %v", err) 778 if err != nil { 779 t.Fatalf("Failed to start server: %s", err) 780 } 781 defer func() { 782 err = srv1.Stop() 783 if err != nil { 784 t.Errorf("Failed to stop server: %s", err) 785 } 786 }() 787 788 // Start server with default port (already in use) 789 srv := getServer(rootPort, testdataDir, "", -1, t) 790 srv.Config.Address = "" 791 srv.Config.Port = 0 792 err = srv.Start() 793 t.Logf("srv.Start err: %v", err) 794 if err == nil { 795 t.Errorf("Root server start should have failed (port unavailable)") 796 err = srv.Stop() 797 if err != nil { 798 t.Errorf("Failed to stop server: %s", err) 799 } 800 } 801 802 // Again with TLS 803 srv = getServer(rootPort, testdataDir, "", -1, t) 804 srv.Config.TLS.Enabled = true 805 srv.Config.TLS.CertFile = "../testdata/tls_server-cert.pem" 806 srv.Config.TLS.KeyFile = "../testdata/tls_server-key.pem" 807 srv.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 808 srv.Config.TLS.ClientAuth.CertFiles = []string{"../testdata/root.pem"} 809 srv.Config.Address = "" 810 srv.Config.Port = 0 811 812 err = srv.Start() 813 t.Logf("srv.Start err: %v", err) 814 if err == nil { 815 t.Errorf("Root server start should have failed (port unavailable)") 816 err = srv.Stop() 817 if err != nil { 818 t.Errorf("Failed to stop server: %s", err) 819 } 820 } 821 } 822 823 func TestSRVBadAuthHeader(t *testing.T) { 824 // Start the server 825 server := TestGetRootServer(t) 826 if server == nil { 827 return 828 } 829 err := server.Start() 830 if err != nil { 831 t.Fatalf("Server start failed: %s", err) 832 } 833 defer func() { 834 err = server.Stop() 835 if err != nil { 836 t.Errorf("Failed to stop server: %s", err) 837 } 838 err = os.RemoveAll(rootDir) 839 if err != nil { 840 t.Errorf("RemoveAll failed: %s", err) 841 } 842 }() 843 844 invalidTokenAuthorization(t) 845 invalidBasicAuthorization(t) 846 perEndpointNegativeTests("info", "none", t) 847 perEndpointNegativeTests("enroll", "basic", t) 848 perEndpointNegativeTests("reenroll", "token", t) 849 perEndpointNegativeTests("register", "token", t) 850 perEndpointNegativeTests("tcert", "token", t) 851 } 852 853 func invalidTokenAuthorization(t *testing.T) { 854 client := getRootClient() 855 856 emptyByte := make([]byte, 0) 857 url := fmt.Sprintf("http://localhost:%d/enroll", rootPort) 858 req, err := http.NewRequest("POST", url, bytes.NewReader(emptyByte)) 859 if err != nil { 860 t.Errorf("Failed creating new request: %s", err) 861 } 862 863 addTokenAuthHeader(req, t) 864 865 err = client.SendReq(req, nil) 866 if err == nil { 867 t.Error("Incorrect auth type set, request should have failed with authorization error") 868 } 869 } 870 871 func addTokenAuthHeader(req *http.Request, t *testing.T) { 872 CSP := factory.GetDefault() 873 cert, err := ioutil.ReadFile("../testdata/ec.pem") 874 if err != nil { 875 t.Fatalf("Failed reading ec.pem: %s", err) 876 } 877 key, err := util.ImportBCCSPKeyFromPEM("../testdata/ec-key.pem", CSP, true) 878 if err != nil { 879 t.Fatalf("Failed importing key %s", err) 880 } 881 emptyByte := make([]byte, 0) 882 token, err := util.CreateToken(CSP, cert, key, req.Method, req.URL.RequestURI(), emptyByte) 883 if err != nil { 884 t.Fatalf("Failed to add token authorization header: %s", err) 885 } 886 req.Header.Set("authorization", token) 887 } 888 889 func perEndpointNegativeTests(endpoint string, authType string, t *testing.T) { 890 client := getRootClient() 891 emptyByte := make([]byte, 0) 892 turl := fmt.Sprintf("http://localhost:7055/%s?ca=bogus", endpoint) 893 req, err := http.NewRequest("POST", turl, bytes.NewReader(emptyByte)) 894 if err != nil { 895 t.Fatalf("Failed in NewRequest with %s", turl) 896 } 897 err = client.SendReq(req, nil) 898 if err == nil { 899 if authType != "" { 900 t.Fatalf("No authorization header; should have failed for %s", turl) 901 } else { 902 t.Fatalf("Bad CA should have failed for %s", turl) 903 } 904 } 905 switch authType { 906 case "none": 907 case "basic": 908 req.SetBasicAuth("admin", "adminpw") 909 case "token": 910 addTokenAuthHeader(req, t) 911 default: 912 t.Fatalf("Invalid auth type: %s", authType) 913 } 914 err = client.SendReq(req, nil) 915 if err == nil { 916 t.Errorf("Invalid CA should have failed for %s", turl) 917 } 918 } 919 920 func invalidBasicAuthorization(t *testing.T) { 921 client := getRootClient() 922 923 emptyByte := make([]byte, 0) 924 url := fmt.Sprintf("http://localhost:%d/register", rootPort) 925 req, err := http.NewRequest("POST", url, bytes.NewReader(emptyByte)) 926 if err != nil { 927 t.Error(err) 928 } 929 930 req.SetBasicAuth("admin", "adminpw") 931 932 err = client.SendReq(req, nil) 933 if err == nil { 934 t.Error("Incorrect auth type set for register request; it should have failed but passed") 935 } 936 } 937 938 func TestSRVTLSAuthClient(t *testing.T) { 939 cleanTestSlateSRV(t) 940 defer cleanTestSlateSRV(t) 941 942 testNoClientCert(t) 943 testInvalidRootCertWithNoClientAuth(t) 944 testInvalidRootCertWithClientAuth(t) 945 testClientAuth(t) 946 } 947 948 func TestSRVMultiCAConfigs(t *testing.T) { 949 t.Log("TestMultiCA...") 950 951 defer func() { 952 cleanMultiCADir(t) 953 err := os.RemoveAll("../testdata/ca-cert.pem") 954 if err != nil { 955 t.Errorf("RemoveAll failed: %s", err) 956 } 957 err = os.RemoveAll("../testdata/fabric-ca-server.db") 958 if err != nil { 959 t.Errorf("RemoveAll failed: %s", err) 960 } 961 err = os.RemoveAll("../testdata/msp") 962 if err != nil { 963 t.Errorf("RemoveAll failed: %s", err) 964 } 965 }() 966 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 967 srv.Config.CAfiles = []string{"ca/ca1/fabric-ca-server-config.yaml", "ca/ca1/fabric-ca-server-config.yaml", "ca/ca2/fabric-ca-server-config.yaml"} 968 969 srv.CA.Config.CSR.Hosts = []string{"hostname"} 970 t.Logf("Server configuration: %+v", srv.Config) 971 972 // Starting server with two cas with same name 973 err := srv.Start() 974 t.Logf("Start two CAs with the same name: %v", err) 975 if err == nil { 976 t.Error("Trying to create two CAs with the same name, server start should have failed") 977 } 978 979 // Starting server with a missing ca config file 980 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml", "ca/rootca/ca4/fabric-ca-server-config.yaml"} 981 err = srv.Start() 982 t.Logf("Start CA with missing config: %v", err) 983 if err == nil { 984 t.Error("Should have failed to start server, missing ca config file") 985 err = srv.Stop() 986 if err != nil { 987 t.Errorf("Failed to stop server: %s", err) 988 } 989 } 990 991 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml", "ca/rootca/ca3/fabric-ca-server-config.yaml"} 992 err = srv.Start() 993 t.Logf("Starting 3 CAs with a duplicated CN name: %s", err) 994 if err == nil { 995 t.Error("Should have failed to start server, CN name is the same across rootca2 and rootca3") 996 err = srv.Stop() 997 if err != nil { 998 t.Errorf("Failed to stop server: %s", err) 999 } 1000 } 1001 1002 // Starting server with (bad) existing certificate 1003 err = ioutil.WriteFile("../testdata/ca/rootca/ca1/ca-key.pem", make([]byte, 1), 0644) 1004 t.Logf("Create err: %v", err) 1005 if !util.FileExists("../testdata/ca/rootca/ca1/ca-key.pem") { 1006 t.Fatal("../testdata/ca1/ca-key.pem doesn't exist") 1007 } 1008 err = ioutil.WriteFile("../testdata/ca/rootca/ca1/ca-cert.pem", make([]byte, 1), 0644) 1009 t.Logf("Create err: %v", err) 1010 if !util.FileExists("../testdata/ca/rootca/ca1/ca-cert.pem") { 1011 t.Fatal("../testdata/ca1/ca-cert.pem doesn't exist") 1012 } 1013 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml"} 1014 err = srv.Start() 1015 t.Logf("srv.Start ERROR %v", err) 1016 if err == nil { 1017 t.Error("Should have failed to start server, invalid cert") 1018 err = srv.Stop() 1019 if err != nil { 1020 t.Errorf("Failed to stop server: %s", err) 1021 } 1022 } 1023 1024 // Starting server with unreadable certificate 1025 keyfile := filepath.Join(os.TempDir(), "ca-key.pem") 1026 err = CopyFile("../testdata/ca/rootca/ca1/ca-key.pem", keyfile) 1027 if err != nil { 1028 t.Errorf("Failed to copy file: %s", err) 1029 } 1030 if err = os.Chmod(keyfile, 0000); err != nil { 1031 t.Errorf("Failed to chmod key file: , %v", err) 1032 } 1033 certfile := filepath.Join(os.TempDir(), "ca-cert.pem") 1034 err = CopyFile("../testdata/ca/rootca/ca1/ca-cert.pem", certfile) 1035 if err != nil { 1036 t.Errorf("Failed to copy file: %s", err) 1037 } 1038 if err = os.Chmod(certfile, 0000); err != nil { 1039 t.Errorf("Failed to chmod cert file:, %v", err) 1040 } 1041 configfile := filepath.Join(os.TempDir(), "ca-server-config.yaml") 1042 err = CopyFile("../testdata/ca/rootca/ca1/fabric-ca-server-config.yaml", configfile) 1043 if err != nil { 1044 t.Errorf("Failed to copy file: %s", err) 1045 } 1046 srv.Config.CAfiles = []string{configfile} 1047 err = srv.Start() 1048 t.Logf("srv.Start ERROR %v", err) 1049 if err == nil { 1050 t.Error("Should have failed to start server, unreadable cert") 1051 err = srv.Stop() 1052 if err != nil { 1053 t.Errorf("Failed to stop server: %s", err) 1054 } 1055 } 1056 err = os.Remove(keyfile) 1057 if err != nil { 1058 t.Errorf("Remove failed: %s", err) 1059 } 1060 err = os.Remove(certfile) 1061 if err != nil { 1062 t.Errorf("Remove failed: %s", err) 1063 } 1064 err = os.Remove(configfile) 1065 if err != nil { 1066 t.Errorf("Remove failed: %s", err) 1067 } 1068 err = os.RemoveAll(filepath.Join(os.TempDir(), "msp")) 1069 if err != nil { 1070 t.Errorf("RemoveAll failed: %s", err) 1071 } 1072 1073 testBadCryptoData(t, srv, []string{"../testdata/expiredcert.pem", "../testdata/tls_client-key.pem", "expired cert"}) 1074 testBadCryptoData(t, srv, []string{"../testdata/noKeyUsage.cert.pem", "../testdata/noKeyUsage.key.pem", "invalid usage cert"}) 1075 testBadCryptoData(t, srv, []string{"../testdata/caFalse.cert.pem", "../testdata/caFalse.key.pem", "invalid Basic Constraints"}) 1076 testBadCryptoData(t, srv, []string{"../testdata/dsaCa-cert.pem", "../testdata/dsaCa-key.pem", "invalid key type"}) 1077 testBadCryptoData(t, srv, []string{"../testdata/dsaCa-cert.pem", "../testdata/dsaCa-key.pem", "invalid key type"}) 1078 testBadCryptoData(t, srv, []string{"../testdata/rsa512-cert.pem", "../testdata/rsa512-key.pem", "key too short"}) 1079 testBadCryptoData(t, srv, []string{"../testdata/ec256-1-cert.pem", "../testdata/ec256-2-key.pem", "non-matching ecdsa key"}) 1080 testBadCryptoData(t, srv, []string{"../testdata/rsa2048-1-cert.pem", "../testdata/rsa2048-2-key.pem", "non-matching rsa key"}) 1081 testBadCryptoData(t, srv, []string{"../testdata/ec256-1-cert.pem", "../testdata/rsa2048-1-cert.pem", "non-matching key type"}) 1082 1083 // Starting server with correct configuration 1084 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1085 t.Logf("Server configuration: %+v\n\n", srv.Config) 1086 1087 err = srv.Start() 1088 if err != nil { 1089 t.Fatal("Failed to start server:", err) 1090 } 1091 1092 if !util.FileExists("../testdata/ca/rootca/ca1/fabric-ca-server.db") { 1093 t.Error("Failed to correctly add ca1") 1094 } 1095 1096 if !util.FileExists("../testdata/ca/rootca/ca2/fabric-ca2-server.db") { 1097 t.Error("Failed to correctly add ca2") 1098 } 1099 1100 // Non-existent CA specified by client 1101 clientCA := getRootClient() 1102 _, err = clientCA.Enroll(&api.EnrollmentRequest{ 1103 Name: "admin", 1104 Secret: "adminpw", 1105 CAName: "rootca3", 1106 }) 1107 if err == nil { 1108 t.Error("Should have failed, client using ca name of 'ca3' but no CA exist by that name on server") 1109 } 1110 1111 //Send enroll request to specific CA 1112 clientCA1 := getRootClient() 1113 _, err = clientCA1.Enroll(&api.EnrollmentRequest{ 1114 Name: "adminca1", 1115 Secret: "adminca1pw", 1116 CAName: "rootca1", 1117 }) 1118 if err != nil { 1119 t.Error("Failed to enroll, error: ", err) 1120 } 1121 1122 clientCA2 := getRootClient() 1123 resp, err := clientCA2.Enroll(&api.EnrollmentRequest{ 1124 Name: "admin", 1125 Secret: "adminpw", 1126 CAName: "rootca2", 1127 }) 1128 if err != nil { 1129 t.Error("Failed to enroll, error: ", err) 1130 } 1131 1132 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{ 1133 CAName: "rootca2", 1134 }) 1135 if err != nil { 1136 t.Error("Failed to reenroll, error: ", err) 1137 } 1138 1139 // User enrolled with rootca2, should not be able to reenroll with rootca1 1140 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{ 1141 CAName: "rootca1", 1142 }) 1143 if err == nil { 1144 t.Error("Should have failed to reenroll a user with a different CA") 1145 } 1146 1147 // No ca name specified should sent to default CA 'ca' 1148 clientCA3 := getRootClient() 1149 _, err = clientCA3.Enroll(&api.EnrollmentRequest{ 1150 Name: "admin", 1151 Secret: "adminpw", 1152 }) 1153 if err != nil { 1154 t.Error("Failed to enroll, error: ", err) 1155 } 1156 1157 err = srv.Stop() 1158 if err != nil { 1159 t.Error("Failed to stop server:", err) 1160 } 1161 1162 // Starting server with correct configuration and pre-existing cert/key 1163 err = os.Remove("../testdata/ca/rootca/ca1/ca-cert.pem") 1164 if err != nil { 1165 t.Errorf("Remove failed: %s", err) 1166 } 1167 srv = getServer(rootPort, testdataDir, "", 0, t) 1168 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1169 t.Logf("Server configuration: %+v\n\n", srv.Config) 1170 1171 err = CopyFile("../testdata/ec256-1-cert.pem", "../testdata/ca/rootca/ca1/ca-cert.pem") 1172 if err != nil { 1173 t.Fatalf("Failed to copy ec256-1 cert to ../testdata/ca1/ca-cert.pem failed %v", err) 1174 } 1175 err = CopyFile("../testdata/ec256-1-key.pem", "../testdata/ca/rootca/ca1/ca-key.pem") 1176 if err != nil { 1177 t.Fatalf("Failed to copy key to ../testdata/ca/rootca/ca1/ca-key.pem failed %v", err) 1178 } 1179 1180 err = srv.Start() 1181 if err != nil { 1182 t.Fatal("Failed to start server:", err) 1183 } 1184 1185 err = srv.Stop() 1186 if err != nil { 1187 t.Error("Failed to stop server:", err) 1188 } 1189 1190 } 1191 1192 func TestSRVDefaultCAWithSetCAName(t *testing.T) { 1193 defer func() { 1194 err := os.RemoveAll("../testdata/ca-cert.pem") 1195 if err != nil { 1196 t.Errorf("RemoveAll failed: %s", err) 1197 } 1198 err = os.RemoveAll("../testdata/fabric-ca-server.db") 1199 if err != nil { 1200 t.Errorf("RemoveAll failed: %s", err) 1201 } 1202 err = os.RemoveAll("../testdata/msp") 1203 if err != nil { 1204 t.Errorf("RemoveAll failed: %s", err) 1205 } 1206 }() 1207 1208 srv := getServer(rootPort, testdataDir, "", -1, t) 1209 srv.CA.Config.CA.Name = "DefaultCA" 1210 1211 err := srv.Start() 1212 if err != nil { 1213 t.Fatal("Failed to start server:", err) 1214 } 1215 1216 // No ca name specified should sent to default CA 'ca' 1217 client := getRootClient() 1218 _, err = client.Enroll(&api.EnrollmentRequest{ 1219 Name: "admin", 1220 Secret: "adminpw", 1221 }) 1222 if err != nil { 1223 t.Error("Failed to enroll, error: ", err) 1224 } 1225 1226 err = srv.Stop() 1227 if err != nil { 1228 t.Error("Failed to stop server:", err) 1229 } 1230 } 1231 1232 func TestSRVMultiCAWithIntermediate(t *testing.T) { 1233 defer func() { 1234 cleanMultiCADir(t) 1235 err := os.RemoveAll("../testdata/ca-cert.pem") 1236 if err != nil { 1237 t.Errorf("RemoveAll failed: %s", err) 1238 } 1239 err = os.RemoveAll("../testdata/fabric-ca-server.db") 1240 if err != nil { 1241 t.Errorf("RemoveAll failed: %s", err) 1242 } 1243 err = os.RemoveAll("../testdata/msp") 1244 if err != nil { 1245 t.Errorf("RemoveAll failed: %s", err) 1246 } 1247 err = os.RemoveAll("../testdata/IssuerPublicKey") 1248 if err != nil { 1249 t.Errorf("RemoveAll failed: %s", err) 1250 } 1251 err = os.RemoveAll("../testdata/IssuerSecretKey") 1252 if err != nil { 1253 t.Errorf("RemoveAll failed: %s", err) 1254 } 1255 err = os.RemoveAll("../testdata/IssuerRevocationPublicKey") 1256 if err != nil { 1257 t.Errorf("RemoveAll failed: %s", err) 1258 } 1259 }() 1260 1261 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1262 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1263 srv.CA.Config.CSR.Hosts = []string{"hostname"} 1264 t.Logf("Server configuration: %+v\n", srv.Config) 1265 1266 // Starting server with two cas with same name 1267 err := srv.Start() 1268 if err != nil { 1269 t.Fatalf("Failed to start server: %s", err) 1270 } 1271 1272 intermediatesrv := TestGetServer(intermediatePort, testdataDir, "", -1, t) 1273 intermediatesrv.Config.CAcount = 2 1274 intermediatesrv.Config.CAcfg.Intermediate.ParentServer.URL = fmt.Sprintf("http://adminca1:adminca1pw@localhost:%d", rootPort) 1275 intermediatesrv.CA.Config.CSR.Hosts = []string{"hostname"} 1276 1277 err = intermediatesrv.Start() 1278 assert.Error(t, err, "Error is expected if cacount is greater than 0 for intermediate CA") 1279 1280 intermediatesrv.Config.CAfiles = []string{"ca/intermediateca/ca1/fabric-ca-server-config.yaml", "ca/intermediateca/ca2/fabric-ca-server-config.yaml"} 1281 err = intermediatesrv.Start() 1282 assert.Error(t, err, "Error is expected if both cacount and cafiles are specified") 1283 1284 intermediatesrv.Config.CAcount = 0 1285 intermediatesrv.Config.CAcfg.Intermediate.ParentServer.URL = "" 1286 1287 // Start it 1288 err = intermediatesrv.Start() 1289 if err != nil { 1290 t.Errorf("Failed to start intermediate server: %s", err) 1291 } 1292 // Stop it 1293 err = intermediatesrv.Stop() 1294 if err != nil { 1295 t.Error("Failed to stop intermediate server: ", err) 1296 } 1297 1298 if !util.FileExists("../testdata/ca/intermediateca/ca1/ca-chain.pem") { 1299 t.Error("Failed to enroll intermediate ca") 1300 } 1301 1302 err = srv.Stop() 1303 if err != nil { 1304 t.Error("Failed to stop server: ", err) 1305 } 1306 1307 // Make sure there is no host name in the intermediate CA cert 1308 err = util.CheckHostsInCert(filepath.Join("../testdata/ca/intermediateca/ca1", "ca-cert.pem"), "testhost1") 1309 if err == nil { 1310 t.Error("Intermediate CA should not contain a hostname, but does") 1311 } 1312 } 1313 1314 func TestSRVDefaultMultiCA(t *testing.T) { 1315 t.Log("TestDefaultMultiCA...") 1316 defer func() { 1317 err := os.RemoveAll("../testdata/msp") 1318 if err != nil { 1319 t.Errorf("RemoveAll failed: %s", err) 1320 } 1321 err = os.RemoveAll("multica") 1322 if err != nil { 1323 t.Errorf("RemoveAll failed: %s", err) 1324 } 1325 }() 1326 srv := TestGetServer(rootPort, "multica", "", -1, t) 1327 srv.Config.CAcount = 4 // Starting 4 default CA instances 1328 srv.Config.CAfiles = []string{"fabric-ca1-config.yaml"} 1329 1330 err := srv.Start() 1331 if err == nil { 1332 t.Error("Both cacount and cafiles set, should have failed to start server") 1333 err = srv.Stop() 1334 if err != nil { 1335 t.Errorf("Failed to stop server: %s", err) 1336 } 1337 } 1338 1339 srv.Config.CAfiles = []string{} 1340 1341 err = srv.Start() 1342 if err != nil { 1343 t.Error("Failed to start server: ", err) 1344 } 1345 1346 //Send enroll request to specific CA 1347 clientCA1 := getRootClient() 1348 _, err = clientCA1.Enroll(&api.EnrollmentRequest{ 1349 Name: "admin", 1350 Secret: "adminpw", 1351 CAName: "ca4", 1352 }) 1353 if err != nil { 1354 t.Error("Failed to enroll, error: ", err) 1355 } 1356 1357 if srv.DBAccessor() == nil { 1358 t.Error("No registry found") 1359 } 1360 1361 err = srv.Stop() 1362 if err != nil { 1363 t.Error("Failed to stop server: ", err) 1364 } 1365 } 1366 1367 // Test the combination of multiple CAs in both root and intermediate servers. 1368 func TestSRVMultiCAIntermediates(t *testing.T) { 1369 myTestDir := "multicaIntermediates" 1370 err := os.RemoveAll(myTestDir) 1371 if err != nil { 1372 t.Errorf("RemoveAll failed: %s", err) 1373 } 1374 defer func(t *testing.T) { 1375 err = os.RemoveAll(myTestDir) 1376 if err != nil { 1377 t.Errorf("RemoveAll failed: %s", err) 1378 } 1379 }(t) 1380 // Start the root server with 2 non-default CAs 1381 rootServer := TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) 1382 rootServer.Config.CAcount = 2 1383 err = rootServer.Start() 1384 if err != nil { 1385 t.Fatalf("Failed to start root CA: %s", err) 1386 } 1387 home := path.Join(myTestDir, "intermediate") 1388 parentURL := fmt.Sprintf("http://admin:adminpw@localhost:%d", rootPort) 1389 intServer := TestGetServer(0, home, parentURL, -1, t) 1390 intServer.Config.CAfiles = []string{"ca1/ca1.yaml", "ca2/ca2.yaml"} 1391 ca1home := filepath.Join(home, "ca1") 1392 ca2home := filepath.Join(home, "ca2") 1393 1394 // Negative Case - same CA name from two intermediate CAs sent to the same root CA 1395 // Check that CA file paths are getting printed 1396 // Create ca1.yaml and ca2.yaml for the intermediate server CAs 1397 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1398 writeCAFile("ca1", "ca2", "ca2", ca2home, rootPort, t) 1399 err = intServer.Init(false) 1400 if assert.Error(t, err) { 1401 assert.Contains(t, err.Error(), ca1home) 1402 assert.Contains(t, err.Error(), ca2home) 1403 } 1404 err = rootServer.Stop() 1405 if err != nil { 1406 t.Error("Failed to stop server: ", err) 1407 } 1408 1409 err = os.RemoveAll(myTestDir) 1410 if err != nil { 1411 t.Fatalf("RemoveAll failed: %s", err) 1412 } 1413 1414 // Negative Case - same subject distinguished name from two intermediate CAs sent to the same root CA 1415 // Create ca1.yaml and ca2.yaml for the intermediate server CAs 1416 rootServer = TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) // reset server from last run above 1417 rootServer.Config.CAcount = 2 1418 err = rootServer.Start() 1419 if err != nil { 1420 t.Fatalf("Failed to start root CA: %s", err) 1421 } 1422 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1423 writeCAFile("ca2", "ca1", "ca2", ca2home, rootPort, t) 1424 err = intServer.Init(false) 1425 if assert.Error(t, err) { 1426 assert.Contains(t, err.Error(), "Both issuer and subject distinguished name are already in use") 1427 } 1428 err = rootServer.Stop() 1429 if err != nil { 1430 t.Error("Failed to stop server: ", err) 1431 } 1432 err = os.RemoveAll(myTestDir) 1433 if err != nil { 1434 t.Errorf("RemoveAll failed: %s", err) 1435 } 1436 1437 // Positive Case - same subject distinguished names from two intermediate CAs sent to two different root CAs 1438 rootServer = TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) // reset server from last run above 1439 rootServer.Config.CAcount = 2 1440 err = rootServer.Start() 1441 if err != nil { 1442 t.Fatalf("Failed to start root CA: %s", err) 1443 } 1444 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1445 writeCAFile("ca2", "ca2", "ca2", ca2home, rootPort, t) 1446 // Init the intermediate server 1447 err = intServer.Init(false) 1448 if err != nil { 1449 t.Fatalf("Failed to initialize intermediate server: %s", err) 1450 } 1451 err = rootServer.Stop() 1452 if err != nil { 1453 t.Error("Failed to stop server: ", err) 1454 } 1455 } 1456 1457 func TestSRVMaxEnrollmentInfinite(t *testing.T) { 1458 t.Log("Test max enrollment infinite") 1459 err := os.RemoveAll(rootDir) 1460 if err != nil { 1461 t.Errorf("RemoveAll failed: %s", err) 1462 } 1463 // Starting server/ca with infinite enrollments 1464 srv := TestGetServer(rootPort, rootDir, "", -1, t) 1465 err = srv.Start() 1466 if err != nil { 1467 t.Fatalf("Server start failed: %s", err) 1468 } 1469 defer func() { 1470 err = srv.Stop() 1471 if err != nil { 1472 t.Errorf("Failed to stop server: %s", err) 1473 } 1474 err = os.RemoveAll("../testdata/msp") 1475 if err != nil { 1476 t.Errorf("RemoveAll failed: %s", err) 1477 } 1478 err = os.RemoveAll(rootDir) 1479 if err != nil { 1480 t.Errorf("RemoveAll failed: %s", err) 1481 } 1482 }() 1483 client := getRootClient() 1484 id, err := client.Enroll(&api.EnrollmentRequest{ 1485 Name: "admin", 1486 Secret: "adminpw", 1487 }) 1488 if err != nil { 1489 t.Error("Enrollment failed, error: ", err) 1490 } 1491 id.Identity.Store() 1492 // Names of users are of the form: 1493 // me_<client's max enrollment setting>_<server's max enrollment setting> 1494 // where "me" stands for "max enrollments" 1495 1496 // Registering user with missing max enrollment value 1497 _, err = id.Identity.Register(&api.RegistrationRequest{ 1498 Name: "me_missing_-1", 1499 Type: "client", 1500 Affiliation: "org2", 1501 }) 1502 if err != nil { 1503 t.Errorf("Failed to register me_missing_-1, error: %s", err) 1504 } 1505 1506 // Registering user with infinite max enrollments (-1) 1507 _, err = id.Identity.Register(&api.RegistrationRequest{ 1508 Name: "me_-1_-1", 1509 Type: "client", 1510 Affiliation: "org2", 1511 MaxEnrollments: -1, 1512 }) 1513 if err != nil { 1514 t.Errorf("Failed to register me_-1_-1, error: %s", err) 1515 } 1516 1517 // Registering user with zero max enrollments, will take value of CA's max enrollment 1518 _, err = id.Identity.Register(&api.RegistrationRequest{ 1519 Name: "me_0_-1", 1520 Type: "client", 1521 Affiliation: "org2", 1522 MaxEnrollments: 0, 1523 }) 1524 if err != nil { 1525 t.Errorf("Failed to register me_0_-1, error: %s", err) 1526 } 1527 1528 // Registering user with 1000 max enrollments 1529 _, err = id.Identity.Register(&api.RegistrationRequest{ 1530 Name: "me_1000_-1", 1531 Type: "client", 1532 Affiliation: "org2", 1533 MaxEnrollments: 1000, 1534 }) 1535 if err != nil { 1536 t.Errorf("Failed to register me_1000_-1, error: %s", err) 1537 } 1538 } 1539 1540 func TestSRVMaxEnrollmentDisabled(t *testing.T) { 1541 t.Log("Test max enrollment disabled") 1542 err := os.RemoveAll(rootDir) 1543 if err != nil { 1544 t.Errorf("RemoveAll failed: %s", err) 1545 } 1546 // Starting server/ca with infinite enrollments 1547 srv := TestGetServer(rootPort, rootDir, "", -1, t) 1548 err = srv.Start() 1549 if err != nil { 1550 t.Fatalf("Server start failed: %s", err) 1551 } 1552 // Clean up when done 1553 defer func() { 1554 err = srv.Stop() 1555 if err != nil { 1556 t.Errorf("Failed to stop server: %s", err) 1557 } 1558 err = os.RemoveAll("../testdata/msp") 1559 if err != nil { 1560 t.Errorf("RemoveAll failed: %s", err) 1561 } 1562 err = os.RemoveAll(rootDir) 1563 if err != nil { 1564 t.Errorf("RemoveAll failed: %s", err) 1565 } 1566 }() 1567 client := getRootClient() 1568 id, err := client.Enroll(&api.EnrollmentRequest{ 1569 Name: "admin", 1570 Secret: "adminpw", 1571 }) 1572 if err != nil { 1573 t.Errorf("Enrollment failed: %s", err) 1574 } 1575 // Disable enrollment 1576 srv.CA.Config.Registry.MaxEnrollments = 0 1577 // Make sure both registration and enrollment fail 1578 _, err = id.Identity.Register(&api.RegistrationRequest{ 1579 Name: "me_0_0", 1580 Type: "client", 1581 Affiliation: "org2", 1582 }) 1583 if err == nil { 1584 t.Error("Registration should have failed but didn't") 1585 } 1586 _, err = client.Enroll(&api.EnrollmentRequest{ 1587 Name: "admin", 1588 Secret: "adminpw", 1589 }) 1590 if err == nil { 1591 t.Error("Enrollment should have failed but didn't") 1592 } 1593 // deferred cleanup 1594 } 1595 1596 func TestSRVMaxEnrollmentLimited(t *testing.T) { 1597 err := os.RemoveAll(rootDir) 1598 if err != nil { 1599 t.Errorf("RemoveAll failed: %s", err) 1600 } 1601 t.Log("Test max enrollment limited") 1602 1603 // Starting server/ca with max enrollments of 1 1604 srv := TestGetServer(rootPort, rootDir, "", 1, t) 1605 err = srv.Start() 1606 if err != nil { 1607 t.Fatalf("Server start failed: %s", err) 1608 } 1609 // Clean up when done 1610 defer func() { 1611 err = srv.Stop() 1612 if err != nil { 1613 t.Errorf("Failed to stop server: %s", err) 1614 } 1615 err = os.RemoveAll("../testdata/msp") 1616 if err != nil { 1617 t.Errorf("RemoveAll failed: %s", err) 1618 } 1619 err = os.RemoveAll(rootDir) 1620 if err != nil { 1621 t.Errorf("RemoveAll failed: %s", err) 1622 } 1623 }() 1624 client := getRootClient() 1625 id, err := client.Enroll(&api.EnrollmentRequest{ 1626 Name: "admin", 1627 Secret: "adminpw", 1628 }) 1629 if err != nil { 1630 t.Fatalf("Enrollment failed, error: %s", err) 1631 } 1632 id.Identity.Store() 1633 _, err = client.Enroll(&api.EnrollmentRequest{ 1634 Name: "admin", 1635 Secret: "adminpw", 1636 }) 1637 if err == nil { 1638 t.Error("Enrollments should have been limited to 1 but allowed 2") 1639 } 1640 // Registering user with missing max enrollment value 1641 // Names of users are of the form: 1642 // me_<client's max enrollment setting>_<server's max enrollment setting> 1643 // where "me" stands for "max enrollments" 1644 _, err = id.Identity.Register(&api.RegistrationRequest{ 1645 Name: "me_-1_1", 1646 Type: "client", 1647 Affiliation: "org2", 1648 MaxEnrollments: -1, 1649 }) 1650 if err == nil { 1651 t.Error("Should have failed to register infinite but didn't") 1652 } 1653 _, err = id.Identity.Register(&api.RegistrationRequest{ 1654 Name: "me_0_1", 1655 Type: "client", 1656 Affiliation: "org2", 1657 MaxEnrollments: 0, 1658 }) 1659 if err != nil { 1660 t.Errorf("Failed to register me_0_1, error: %s", err) 1661 } 1662 user, err := srv.CA.DBAccessor().GetUser("me_0_1", nil) 1663 if err != nil { 1664 t.Errorf("Failed to find user 'me_0_1,' in database") 1665 } 1666 if user.GetMaxEnrollments() != 1 { 1667 t.Error("Failed to correctly set max enrollment value for a user registering with max enrollment of 0") 1668 } 1669 _, err = id.Identity.Register(&api.RegistrationRequest{ 1670 Name: "me_1_1", 1671 Type: "client", 1672 Affiliation: "org2", 1673 MaxEnrollments: 1, 1674 }) 1675 if err != nil { 1676 t.Errorf("Failed to register me_1_1, error: %s", err) 1677 } 1678 _, err = id.Identity.Register(&api.RegistrationRequest{ 1679 Name: "me_2_1", 1680 Type: "client", 1681 Affiliation: "org2", 1682 MaxEnrollments: 2, 1683 }) 1684 if err == nil { 1685 t.Error("Should have failed to register me_2_1 but didn't") 1686 } 1687 // deferred cleanup 1688 } 1689 1690 // Get certificate using the TLS profile on the server to retrieve a certificate to be used for TLS connection 1691 func TestTLSCertIssuance(t *testing.T) { 1692 testDir := "tlsTestDir" 1693 err := os.RemoveAll(testDir) 1694 if err != nil { 1695 t.Errorf("RemoveAll failed: %s", err) 1696 } 1697 defer func() { 1698 err = os.RemoveAll(testDir) 1699 if err != nil { 1700 t.Errorf("RemoveAll failed: %s", err) 1701 } 1702 }() 1703 srv := TestGetServer(rootPort, testDir, "", -1, t) 1704 err = srv.Start() 1705 if err != nil { 1706 t.Fatalf("Root server start failed: %s", err) 1707 } 1708 stopserver := true 1709 defer func() { 1710 if stopserver { 1711 err = srv.Stop() 1712 if err != nil { 1713 t.Errorf("Failed to stop server: %s", err) 1714 } 1715 } 1716 }() 1717 client := &Client{ 1718 Config: &ClientConfig{URL: fmt.Sprintf("http://localhost:%d", rootPort)}, 1719 HomeDir: testDir, 1720 } 1721 eresp, err := client.Enroll(&api.EnrollmentRequest{ 1722 Name: "admin", 1723 Secret: "adminpw", 1724 Profile: "tls", 1725 CSR: &api.CSRInfo{Hosts: []string{"localhost"}}, 1726 }) 1727 if err != nil { 1728 t.Fatalf("Failed to enroll: %s", err) 1729 } 1730 tlsCertBytes := eresp.Identity.GetECert().Cert() 1731 cert, err := util.GetX509CertificateFromPEM(tlsCertBytes) 1732 if err != nil { 1733 t.Fatalf("Failed to get certificate: %s", err) 1734 } 1735 // Check if the certificate has correct key usages 1736 if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 || cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 || cert.KeyUsage&x509.KeyUsageKeyAgreement == 0 { 1737 t.Fatal("Certificate does not have correct extended key usage. Should have Digital Signature, Key Encipherment, and Key Agreement") 1738 } 1739 // Check if the certificate has correct extended key usages 1740 clientAuth := false 1741 serverAuth := false 1742 for _, usage := range cert.ExtKeyUsage { 1743 if usage == x509.ExtKeyUsageClientAuth { 1744 clientAuth = true 1745 } 1746 if usage == x509.ExtKeyUsageServerAuth { 1747 serverAuth = true 1748 } 1749 } 1750 if !clientAuth || !serverAuth { 1751 t.Fatal("Certificate does not have correct extended key usage. Should have ExtKeyUsageServerAuth and ExtKeyUsageClientAuth") 1752 } 1753 1754 stopserver = false 1755 err = srv.Stop() 1756 if err != nil { 1757 t.Fatalf("Failed to stop server: %s", err) 1758 } 1759 1760 // Write the TLS certificate to disk 1761 os.MkdirAll(testDir, 0755) 1762 tlsCertFile := path.Join(testDir, "tls-cert.pem") 1763 err = util.WriteFile(tlsCertFile, tlsCertBytes, 0644) 1764 if err != nil { 1765 t.Fatalf("Failed to write TLS certificate file: %s", err) 1766 } 1767 // Get a new server with TLS enabled 1768 srv = TestGetServer2(false, rootPort, testDir, "", -1, t) 1769 srv.Config.TLS.Enabled = true 1770 srv.Config.TLS.CertFile = "tls-cert.pem" 1771 // Start the server 1772 err = srv.Start() 1773 if err != nil { 1774 t.Fatalf("TLS server start failed: %s", err) 1775 } 1776 stopserver = true 1777 // Connect to the server over TLS 1778 cfg := &ClientConfig{URL: fmt.Sprintf("https://localhost:%d", rootPort)} 1779 cfg.TLS.Enabled = true 1780 cfg.TLS.CertFiles = []string{"ca-cert.pem"} 1781 client = &Client{Config: cfg, HomeDir: testDir} 1782 eresp, err = client.Enroll(&api.EnrollmentRequest{ 1783 Name: "admin", 1784 Secret: "adminpw", 1785 }) 1786 if err != nil { 1787 t.Fatalf("Failed to enroll over TLS: %s", err) 1788 } 1789 } 1790 1791 // Configure server to start server with no client authentication required 1792 func testNoClientCert(t *testing.T) { 1793 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1794 srv = getTLSConfig(srv, "NoClientCert", []string{}) 1795 1796 err := srv.Start() 1797 if err != nil { 1798 t.Fatalf("Root server start failed: %s", err) 1799 } 1800 1801 clientConfig := &ClientConfig{ 1802 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1803 TLS: libtls.ClientTLSConfig{ 1804 CertFiles: []string{"../testdata/root.pem"}, 1805 }, 1806 } 1807 1808 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 1809 1810 _, err = clientConfig.Enroll(rawURL, testdataDir) 1811 if err != nil { 1812 t.Errorf("Failed to enroll over TLS with no client authentication required: %s", err) 1813 } 1814 1815 err = srv.Stop() 1816 if err != nil { 1817 t.Errorf("Failed to stop server: %s", err) 1818 } 1819 } 1820 1821 // Configure server to start with no client authentication required 1822 // Root2.pem does not exists, server should still start because no client auth is requred 1823 func testInvalidRootCertWithNoClientAuth(t *testing.T) { 1824 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1825 srv = getTLSConfig(srv, "NoClientCert", []string{"../testdata/root.pem", "../testdata/root2.pem"}) 1826 1827 err := srv.Start() 1828 if err != nil { 1829 t.Fatalf("Root server start failed: %s", err) 1830 } 1831 1832 err = srv.Stop() 1833 if err != nil { 1834 t.Errorf("Failed to stop server: %s", err) 1835 } 1836 } 1837 1838 // Configure server to start with client authentication required 1839 // Root2.pem does not exists, server should fail to start 1840 func testInvalidRootCertWithClientAuth(t *testing.T) { 1841 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1842 srv = getTLSConfig(srv, "RequireAndVerifyClientCert", []string{"../testdata/root.pem", "../testdata/root2.pem"}) 1843 1844 err := srv.Start() 1845 if err == nil { 1846 t.Error("Root2.pem does not exists, server should have failed to start") 1847 err = srv.Stop() 1848 if err != nil { 1849 t.Errorf("Failed to stop server: %s", err) 1850 } 1851 } 1852 } 1853 1854 // Configure server to start with client authentication required 1855 func testClientAuth(t *testing.T) { 1856 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1857 srv = getTLSConfig(srv, "RequireAndVerifyClientCert", []string{"../testdata/root.pem"}) 1858 1859 err := srv.Start() 1860 if err != nil { 1861 t.Fatalf("Root server start failed: %s", err) 1862 } 1863 1864 clientConfig := &ClientConfig{ 1865 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1866 TLS: libtls.ClientTLSConfig{ 1867 CertFiles: []string{"../testdata/root.pem"}, 1868 }, 1869 } 1870 1871 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 1872 1873 // Enrolling without any client certificate and key information set 1874 _, err = clientConfig.Enroll(rawURL, testdataDir) 1875 if err == nil { 1876 t.Errorf("Client Auth Type: RequireAndVerifyClientCert, should have failed as no client cert was provided") 1877 } 1878 1879 // Client created with certificate and key for TLS 1880 clientConfig = &ClientConfig{ 1881 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1882 TLS: libtls.ClientTLSConfig{ 1883 CertFiles: []string{"../testdata/root.pem"}, 1884 Client: libtls.KeyCertFiles{ 1885 KeyFile: "../testdata/tls_client-key.pem", 1886 CertFile: "../testdata/tls_client-cert.pem", 1887 }, 1888 }, 1889 } 1890 1891 _, err = clientConfig.Enroll(rawURL, testdataDir) 1892 if err != nil { 1893 t.Errorf("Client Auth Type: RequireAndVerifyClientCert, failed to enroll over TLS with client certificate provided") 1894 } 1895 1896 err = srv.Stop() 1897 if err != nil { 1898 t.Errorf("Failed to stop server: %s", err) 1899 } 1900 } 1901 1902 func testIntermediateServer(idx int, t *testing.T) { 1903 // Init the intermediate server 1904 intermediateServer := TestGetIntermediateServer(idx, t) 1905 if intermediateServer == nil { 1906 return 1907 } 1908 err := intermediateServer.Init(true) 1909 if err != nil { 1910 t.Fatalf("Intermediate server init failed: %s", err) 1911 } 1912 // Verify that the duration of the newly created intermediate certificate is 5 years 1913 d, err := util.GetCertificateDurationFromFile(path.Join(intermediateServer.HomeDir, "ca-cert.pem")) 1914 assert.NoError(t, err) 1915 assert.True(t, int(d.Hours()) == 43800, fmt.Sprintf("Expecting 43800 but found %f", d.Hours())) 1916 // Start it 1917 err = intermediateServer.Start() 1918 if err != nil { 1919 t.Fatalf("Intermediate server start failed: %s", err) 1920 } 1921 defer func() { 1922 err = intermediateServer.Stop() 1923 if err != nil { 1924 t.Errorf("Failed to stop server: %s", err) 1925 } 1926 1927 err = os.RemoveAll(intermediateDir) 1928 if err != nil { 1929 t.Errorf("RemoveAll failed: %s", err) 1930 } 1931 }() 1932 // Test enroll against intermediate (covering basic auth) 1933 c := getTestClient(intermediateServer.Config.Port) 1934 resp, err := c.Enroll(&api.EnrollmentRequest{Name: "admin", Secret: "adminpw"}) 1935 if err != nil { 1936 t.Fatalf("Failed to enroll with intermediate server: %s", err) 1937 } 1938 1939 // Test reenroll against intermediate (covering token auth) 1940 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{}) 1941 if err != nil { 1942 t.Fatalf("Failed to reenroll with intermediate server: %s", err) 1943 } 1944 1945 // deferred cleanup 1946 } 1947 1948 func TestUnmarshalConfig(t *testing.T) { 1949 cfg := &ServerConfig{} 1950 cfgFile := "../testdata/testviperunmarshal.yaml" 1951 err := UnmarshalConfig(cfg, viper.GetViper(), cfgFile, true) 1952 if err != nil { 1953 t.Errorf("UnmarshalConfig failed: %s", err) 1954 } 1955 err = UnmarshalConfig(cfg, viper.GetViper(), "foo.yaml", true) 1956 if err == nil { 1957 t.Error("UnmarshalConfig invalid file passed but should have failed") 1958 } 1959 } 1960 1961 // TestSqliteLocking tests to ensure that "database is locked" 1962 // error does not occur when multiple requests are sent at the 1963 // same time. 1964 // This test assumes that sqlite is the database used in the tests 1965 func TestSRVSqliteLocking(t *testing.T) { 1966 // Start the server 1967 server := TestGetServer(rootPort, rootDir, "", -1, t) 1968 if server == nil { 1969 return 1970 } 1971 err := server.Start() 1972 if err != nil { 1973 t.Fatalf("Server start failed: %s", err) 1974 } 1975 // Clean up when done 1976 defer func() { 1977 err = server.Stop() 1978 if err != nil { 1979 t.Errorf("Failed to stop server: %s", err) 1980 } 1981 err = os.RemoveAll("../testdata/msp") 1982 if err != nil { 1983 t.Errorf("RemoveAll failed: %s", err) 1984 } 1985 err = os.RemoveAll(rootDir) 1986 if err != nil { 1987 t.Errorf("RemoveAll failed: %s", err) 1988 } 1989 }() 1990 1991 // Enroll bootstrap user 1992 client := getRootClient() 1993 eresp, err := client.Enroll(&api.EnrollmentRequest{ 1994 Name: "admin", 1995 Secret: "adminpw", 1996 }) 1997 if err != nil { 1998 t.Fatalf("Failed to enroll bootstrap user: %s", err) 1999 } 2000 admin := eresp.Identity 2001 errs := make(chan error) 2002 users := 30 2003 // Register users 2004 for i := 0; i < users; i++ { 2005 n := "user" + strconv.Itoa(i) 2006 go func(admin *Identity, name string) { 2007 _, err := admin.Register(&api.RegistrationRequest{ 2008 Name: name, 2009 Type: "user", 2010 Affiliation: "hyperledger.fabric.security", 2011 }) 2012 errs <- err 2013 }(admin, n) 2014 } 2015 for i := 0; ; { 2016 err = <-errs 2017 // Should not see "database is locked" error 2018 if err != nil && strings.Contains(err.Error(), "database is locked") { 2019 t.Fatalf("Failed to register: %s", err) 2020 } 2021 // If we have heard from all the go routines, break to exit the test 2022 if i++; i == users { 2023 break 2024 } 2025 } 2026 } 2027 2028 func TestSRVNewUserRegistryMySQL(t *testing.T) { 2029 datasource := "" 2030 2031 // Test with no cert files specified 2032 tlsConfig := &libtls.ClientTLSConfig{ 2033 Enabled: true, 2034 } 2035 csp := util.GetDefaultBCCSP() 2036 _, err := getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, &disabled.Provider{})) 2037 assert.Error(t, err) 2038 assert.Contains(t, err.Error(), "No trusted root certificates for TLS were provided") 2039 2040 // Test with with a file that does not exist 2041 tlsConfig = &libtls.ClientTLSConfig{ 2042 Enabled: true, 2043 CertFiles: []string{"doesnotexit.pem"}, 2044 } 2045 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, &disabled.Provider{})) 2046 assert.Error(t, err) 2047 assert.Contains(t, err.Error(), "no such file or directory") 2048 2049 // Test with a file that is not of appropriate format 2050 tlsConfig = &libtls.ClientTLSConfig{ 2051 Enabled: true, 2052 CertFiles: []string{"../testdata/empty.json"}, 2053 } 2054 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, &disabled.Provider{})) 2055 assert.Error(t, err) 2056 assert.Contains(t, err.Error(), "Failed to process certificate from file") 2057 2058 // Test with a file that does not have read permissions 2059 2060 tmpFile := filepath.Join(os.TempDir(), "root.pem") 2061 err = CopyFile("../testdata/root.pem", tmpFile) 2062 if err != nil { 2063 t.Fatalf("Failed to copy file: %s", err) 2064 } 2065 err = os.Chmod(tmpFile, 0000) 2066 if err != nil { 2067 t.Fatalf("Failed to change file mode: %s", err) 2068 } 2069 2070 tlsConfig = &libtls.ClientTLSConfig{ 2071 Enabled: true, 2072 CertFiles: []string{tmpFile}, 2073 } 2074 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, &disabled.Provider{})) 2075 assert.Error(t, err) 2076 if err != nil { 2077 t.Logf("%s", err.Error()) 2078 } 2079 assert.Contains(t, err.Error(), "denied") 2080 2081 err = os.RemoveAll(tmpFile) 2082 if err != nil { 2083 t.Logf("%s", err.Error()) 2084 } 2085 } 2086 2087 func TestCSRInputLengthCheck(t *testing.T) { 2088 t.Log("Testing CSR input length check") 2089 err := os.RemoveAll("../testdata/msp/") 2090 if err != nil { 2091 t.Errorf("RemoveAll failed: %s", err) 2092 } 2093 err = os.RemoveAll(rootDir) 2094 if err != nil { 2095 t.Errorf("RemoveAll failed: %s", err) 2096 } 2097 defer func() { 2098 err = os.RemoveAll("../testdata/msp/") 2099 if err != nil { 2100 t.Errorf("RemoveAll failed: %s", err) 2101 } 2102 err = os.RemoveAll(rootDir) 2103 if err != nil { 2104 t.Errorf("RemoveAll failed: %s", err) 2105 } 2106 }() 2107 2108 server := TestGetServer(rootPort, rootDir, "", -1, t) 2109 if server == nil { 2110 return 2111 } 2112 longCN := randSeq(65) 2113 err = server.RegisterBootstrapUser(longCN, "pass", "") 2114 if err != nil { 2115 t.Errorf("Failed to register bootstrap user: %s", err) 2116 } 2117 err = server.Start() 2118 if err != nil { 2119 t.Fatalf("Server start failed: %s", err) 2120 } 2121 defer func() { 2122 err = server.Stop() 2123 if err != nil { 2124 t.Errorf("Failed to stop server: %s", err) 2125 } 2126 }() 2127 2128 // Passing case: all value are of appropriate length 2129 client := getRootClient() 2130 csr1 := api.CSRInfo{ 2131 CN: "test", 2132 Names: []csr.Name{ 2133 csr.Name{ 2134 C: "US", 2135 ST: "North Carolina", 2136 L: "Raleigh", 2137 O: "Hyperledger", 2138 OU: "Fabric", 2139 }, 2140 csr.Name{ 2141 C: "CA", 2142 }, 2143 }, 2144 SerialNumber: "123abc", 2145 } 2146 _, err = client.Enroll(&api.EnrollmentRequest{ 2147 Name: "admin", 2148 Secret: "adminpw", 2149 CSR: &csr1, 2150 }) 2151 if err != nil { 2152 t.Error("Failed to enroll user in passing case: ", err) 2153 } 2154 2155 // Failing case: CN is greater than 64 characters 2156 badCSR := &api.CSRInfo{ 2157 CN: longCN, 2158 } 2159 _, err = client.Enroll(&api.EnrollmentRequest{ 2160 Name: longCN, 2161 Secret: "pass", 2162 CSR: badCSR, 2163 }) 2164 if assert.Error(t, err, fmt.Sprint("Number of characters for CN is greater than the maximum limit, should have resulted in an error")) { 2165 assert.Contains(t, err.Error(), "CN") 2166 } 2167 2168 // CSRs that test failing cases for other fields in the CSR 2169 badCSRs := map[string]*api.CSRInfo{ 2170 "country": &api.CSRInfo{ 2171 Names: []csr.Name{ 2172 csr.Name{ 2173 C: randSeq(3), 2174 }, 2175 }, 2176 }, 2177 "locality": &api.CSRInfo{ 2178 Names: []csr.Name{ 2179 csr.Name{ 2180 L: randSeq(129), 2181 }, 2182 }, 2183 }, 2184 "state": &api.CSRInfo{ 2185 Names: []csr.Name{ 2186 csr.Name{ 2187 ST: randSeq(129), 2188 }, 2189 }, 2190 }, 2191 "organization": &api.CSRInfo{ 2192 Names: []csr.Name{ 2193 csr.Name{ 2194 O: randSeq(65), 2195 }, 2196 }, 2197 }, 2198 "organizational unit": &api.CSRInfo{ 2199 Names: []csr.Name{ 2200 csr.Name{ 2201 OU: randSeq(65), 2202 }, 2203 }, 2204 }, 2205 "serial number": &api.CSRInfo{ 2206 SerialNumber: randSeq(65), 2207 }, 2208 } 2209 2210 for name, badCSR := range badCSRs { 2211 _, err = client.Enroll(&api.EnrollmentRequest{ 2212 Name: "admin", 2213 Secret: "adminpw", 2214 CSR: badCSR, 2215 }) 2216 if assert.Error(t, err, fmt.Sprintf("Number of characters for '%s' is greater than the maximum limit, should have resulted in an error", name)) { 2217 assert.Contains(t, err.Error(), name) 2218 } 2219 } 2220 } 2221 2222 func TestAutoTLSCertificateGeneration(t *testing.T) { 2223 err := os.RemoveAll(rootDir) 2224 if err != nil { 2225 t.Errorf("RemoveAll failed: %s", err) 2226 } 2227 err = os.RemoveAll("../testdata/msp/") 2228 if err != nil { 2229 t.Errorf("RemoveAll failed: %s", err) 2230 } 2231 defer func() { 2232 err = os.RemoveAll(rootDir) 2233 if err != nil { 2234 t.Errorf("RemoveAll failed: %s", err) 2235 } 2236 err = os.RemoveAll("../testdata/msp/") 2237 if err != nil { 2238 t.Errorf("RemoveAll failed: %s", err) 2239 } 2240 }() 2241 2242 srv := TestGetRootServer(t) 2243 2244 srv.Config.TLS.Enabled = true 2245 srv.Config.TLS.CertFile = "tls-cert.pem" 2246 srv.Config.CAcfg.CSR.CN = "fabric-ca-server" 2247 srv.Config.CAcfg.CSR.Hosts = []string{"localhost"} 2248 2249 err = srv.Start() 2250 if !assert.NoError(t, err, "Failed to start server") { 2251 t.Fatalf("Failed to start server: %s", err) 2252 } 2253 2254 cert, err := util.GetX509CertificateFromPEMFile(srv.Config.TLS.CertFile) 2255 assert.NoError(t, err, "Failed to get certificate") 2256 2257 // Check if the certificate has correct extended key usages 2258 clientAuth := false 2259 serverAuth := false 2260 for _, usage := range cert.ExtKeyUsage { 2261 if usage == x509.ExtKeyUsageClientAuth { 2262 clientAuth = true 2263 } 2264 if usage == x509.ExtKeyUsageServerAuth { 2265 serverAuth = true 2266 } 2267 } 2268 2269 if !clientAuth || !serverAuth { 2270 t.Error("Certificate does not have correct extended key usage. Should have ExtKeyUsageServerAuth and ExtKeyUsageClientAuth") 2271 } 2272 2273 trustedTLSCert, err := filepath.Abs(srv.CA.Config.CA.Certfile) 2274 trustedTLSCerts := []string{trustedTLSCert} 2275 2276 // Test enrolling with with client using TLS 2277 client := getTLSTestClient(7075, trustedTLSCerts) 2278 enrollReq := &api.EnrollmentRequest{ 2279 Name: "admin", 2280 Secret: "adminpw", 2281 } 2282 _, err = client.Enroll(enrollReq) 2283 assert.NoError(t, err, "Error occured during enrollment on TLS enabled fabric-ca server") 2284 2285 err = srv.Stop() 2286 assert.NoError(t, err, "Failed to stop server") 2287 2288 // Test the case where TLS key is provided but TLS certificate does not exist 2289 srv.Config.TLS.CertFile = "fake-tls-cert.pem" 2290 srv.Config.TLS.KeyFile = "key.pem" 2291 2292 err = srv.Start() 2293 if assert.Error(t, err, "Should have failed to start server where TLS key is specified but certificate does not exist") { 2294 assert.Contains(t, err.Error(), fmt.Sprintf("File specified by 'tls.keyfile' does not exist: %s", srv.Config.TLS.KeyFile)) 2295 } 2296 } 2297 func TestRegistrationAffiliation(t *testing.T) { 2298 // Start the server 2299 server := TestGetServer(rootPort, rootDir, "", -1, t) 2300 if server == nil { 2301 return 2302 } 2303 server.RegisterBootstrapUser("admin2", "admin2pw", "hyperledger") 2304 err := server.Start() 2305 assert.NoError(t, err, "Server start failed") 2306 defer func() { 2307 err = server.Stop() 2308 if err != nil { 2309 t.Errorf("Failed to stop server: %s", err) 2310 } 2311 err = os.RemoveAll("../testdata/msp") 2312 if err != nil { 2313 t.Errorf("RemoveAll failed: %s", err) 2314 } 2315 err = os.RemoveAll(rootDir) 2316 if err != nil { 2317 t.Errorf("RemoveAll failed: %s", err) 2318 } 2319 }() 2320 2321 // Enroll bootstrap user 2322 client := getRootClient() 2323 eresp, err := client.Enroll(&api.EnrollmentRequest{ 2324 Name: "admin", 2325 Secret: "adminpw", 2326 }) 2327 assert.NoError(t, err, "Failed to enroll bootstrap user") 2328 admin := eresp.Identity 2329 2330 // Registering with no affiliation specified, should default to using the registrar's affiliation 2331 _, err = admin.Register(&api.RegistrationRequest{ 2332 Name: "testuser", 2333 Type: "user", 2334 Affiliation: "", 2335 }) 2336 assert.NoError(t, err, "Client register failed") 2337 2338 db := server.DBAccessor() 2339 user, err := db.GetUser("testuser", nil) 2340 assert.NoError(t, err) 2341 2342 userAff := cadbuser.GetAffiliation(user) 2343 if userAff != "" { 2344 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected '' got %s", userAff) 2345 } 2346 2347 _, err = admin.Register(&api.RegistrationRequest{ 2348 Name: "testuser2", 2349 Type: "user", 2350 Affiliation: ".", 2351 }) 2352 assert.NoError(t, err, "Client register failed") 2353 2354 user, err = db.GetUser("testuser2", nil) 2355 assert.NoError(t, err) 2356 2357 userAff = cadbuser.GetAffiliation(user) 2358 if userAff != "" { 2359 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected '' got %s", userAff) 2360 } 2361 2362 eresp, err = client.Enroll(&api.EnrollmentRequest{ 2363 Name: "admin2", 2364 Secret: "admin2pw", 2365 }) 2366 assert.NoError(t, err, "Failed to enroll bootstrap user") 2367 admin2 := eresp.Identity // admin2 has an affiliation of 'hyperledger' 2368 2369 // Registering with no affiliation specified, should default to using the registrar's affiliation 2370 _, err = admin2.Register(&api.RegistrationRequest{ 2371 Name: "testuser3", 2372 Type: "user", 2373 Affiliation: "", 2374 }) 2375 assert.NoError(t, err, "Client register failed") 2376 2377 db = server.DBAccessor() 2378 user, err = db.GetUser("testuser3", nil) 2379 assert.NoError(t, err) 2380 2381 userAff = cadbuser.GetAffiliation(user) 2382 if userAff != "hyperledger" { 2383 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected 'hyperledger' got %s", userAff) 2384 } 2385 2386 _, err = admin2.Register(&api.RegistrationRequest{ 2387 Name: "testuser4", 2388 Type: "user", 2389 Affiliation: ".", 2390 }) 2391 assert.Error(t, err, "Should have failed, can't register a user with root affiliation if the registrar does not have root affiliation") 2392 } 2393 2394 func TestCompEnvVar(t *testing.T) { 2395 os.Setenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3", "badVal") 2396 defer os.Unsetenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3") 2397 2398 os.RemoveAll(rootDir) 2399 defer os.RemoveAll(rootDir) 2400 2401 server := TestGetRootServer(t) 2402 err := server.Init(false) 2403 util.ErrorContains(t, err, "parsing \"badVal\": invalid syntax", "Should error if using an invalid boolean value") 2404 2405 os.Setenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3", "true") 2406 err = server.Init(false) 2407 assert.NoError(t, err) 2408 } 2409 2410 func cleanMultiCADir(t *testing.T) { 2411 var err error 2412 caFolder := "../testdata/ca" 2413 toplevelFolders := []string{"intermediateca", "rootca"} 2414 nestedFolders := []string{"ca1", "ca2", "ca3"} 2415 removeFiles := []string{"ca-cert.pem", "ca-key.pem", "fabric-ca-server.db", 2416 "fabric-ca2-server.db", "ca-chain.pem", "IssuerPublicKey", "IssuerSecretKey", "IssuerRevocationPublicKey"} 2417 2418 for _, topFolder := range toplevelFolders { 2419 for _, nestedFolder := range nestedFolders { 2420 path := filepath.Join(caFolder, topFolder, nestedFolder) 2421 for _, file := range removeFiles { 2422 err = os.RemoveAll(filepath.Join(path, file)) 2423 if err != nil { 2424 t.Errorf("RemoveAll failed: %s", err) 2425 } 2426 } 2427 err = os.RemoveAll(filepath.Join(path, "msp")) 2428 if err != nil { 2429 t.Errorf("RemoveAll failed: %s", err) 2430 } 2431 } 2432 } 2433 err = os.RemoveAll("../testdata/ca/intermediateca/ca1/msp") 2434 if err != nil { 2435 t.Errorf("RemoveAll failed: %s", err) 2436 } 2437 err = os.RemoveAll("multica") 2438 if err != nil { 2439 t.Errorf("RemoveAll failed: %s", err) 2440 } 2441 err = os.RemoveAll("msp") 2442 if err != nil { 2443 t.Errorf("RemoveAll failed: %s", err) 2444 } 2445 } 2446 2447 func getRootServerURL() string { 2448 return fmt.Sprintf("http://admin:adminpw@localhost:%d", rootPort) 2449 } 2450 2451 func getRootServer(t *testing.T) *Server { 2452 return getServer(rootPort, rootDir, "", -1, t) 2453 } 2454 2455 func getIntermediateServer(idx int, t *testing.T) *Server { 2456 return getServer( 2457 intermediatePort, 2458 path.Join(intermediateDir, strconv.Itoa(idx)), 2459 getRootServerURL(), 2460 -1, 2461 t) 2462 } 2463 2464 func getServer(port int, home, parentURL string, maxEnroll int, t *testing.T) *Server { 2465 if home != testdataDir { 2466 err := os.RemoveAll(home) 2467 if err != nil { 2468 t.Errorf("RemoveAll failed: %s", err) 2469 } 2470 } 2471 affiliations := map[string]interface{}{ 2472 "hyperledger": map[string]interface{}{ 2473 "fabric": []string{"ledger", "orderer", "security"}, 2474 "fabric-ca": nil, 2475 "sdk": nil, 2476 }, 2477 "org2": nil, 2478 } 2479 2480 srv := &Server{ 2481 Config: &ServerConfig{ 2482 Port: port, 2483 Debug: true, 2484 }, 2485 CA: CA{ 2486 Config: &CAConfig{ 2487 Intermediate: IntermediateCA{ 2488 ParentServer: ParentServer{ 2489 URL: parentURL, 2490 }, 2491 }, 2492 Affiliations: affiliations, 2493 Registry: CAConfigRegistry{ 2494 MaxEnrollments: maxEnroll, 2495 }, 2496 }, 2497 }, 2498 HomeDir: home, 2499 } 2500 // The bootstrap user's affiliation is the empty string, which 2501 // means the user is at the affiliation root 2502 err := srv.RegisterBootstrapUser("admin", "adminpw", "") 2503 if err != nil { 2504 t.Errorf("Failed to register bootstrap user: %s", err) 2505 return nil 2506 } 2507 // Error case of empty bootstrap data 2508 err = srv.RegisterBootstrapUser("admin", "", "") 2509 t.Logf("Empty bootstrap id: %s", err) 2510 if err == nil { 2511 t.Errorf("register bootstrap user should have failed") 2512 return nil 2513 } 2514 return srv 2515 } 2516 2517 func getRootClient() *Client { 2518 return getTestClient(rootPort) 2519 } 2520 2521 func getIntermediateClient() *Client { 2522 return getTestClient(intermediatePort) 2523 } 2524 2525 func getTestClient(port int) *Client { 2526 return &Client{ 2527 Config: &ClientConfig{URL: fmt.Sprintf("http://localhost:%d", port)}, 2528 HomeDir: testdataDir, 2529 } 2530 } 2531 2532 func getTLSTestClient(port int, trustedTLSCerts []string) *Client { 2533 return &Client{ 2534 Config: &ClientConfig{ 2535 URL: fmt.Sprintf("https://localhost:%d", port), 2536 TLS: libtls.ClientTLSConfig{ 2537 Enabled: true, 2538 CertFiles: trustedTLSCerts, 2539 }, 2540 }, 2541 HomeDir: testdataDir, 2542 } 2543 } 2544 2545 func getTLSConfig(srv *Server, clientAuthType string, clientRootCerts []string) *Server { 2546 srv.Config.TLS.Enabled = true 2547 srv.Config.TLS.CertFile = "../testdata/tls_server-cert.pem" 2548 srv.Config.TLS.KeyFile = "../testdata/tls_server-key.pem" 2549 srv.Config.TLS.ClientAuth.Type = clientAuthType 2550 srv.Config.TLS.ClientAuth.CertFiles = clientRootCerts 2551 2552 return srv 2553 } 2554 2555 func testRegistration(admin *Identity, t *testing.T) { 2556 name := "testRegistrationUser1" 2557 topAffiliation := "hyperledger" 2558 midAffiliation := "hyperledger.fabric" 2559 botAffiliation := "hyperledger.fabric.security" 2560 _, err := admin.RegisterAndEnroll(&api.RegistrationRequest{ 2561 Name: name, 2562 Type: "user", 2563 Affiliation: midAffiliation, 2564 Attributes: makeAttrs(t, "hf.Registrar.Roles=user", "hf.Registrar.DelegateRoles=user,peer"), 2565 }) 2566 if err == nil { 2567 t.Error("Should have failed to register delegate roles which exceed roles") 2568 } 2569 id1, err := admin.RegisterAndEnroll(&api.RegistrationRequest{ 2570 Name: name, 2571 Type: "user", 2572 Affiliation: midAffiliation, 2573 Attributes: makeAttrs(t, "hf.Registrar.Roles=user,peer", "hf.Registrar.DelegateRoles=user", "hf.Registrar.Attributes=*"), 2574 }) 2575 if err != nil { 2576 t.Fatalf("%s", err) 2577 } 2578 _, err = id1.RegisterAndEnroll(&api.RegistrationRequest{ 2579 Name: name, 2580 Type: "user", 2581 Affiliation: botAffiliation, 2582 Attributes: makeAttrs(t, "hf.Registrar.Roles=peer"), 2583 }) 2584 if err == nil { 2585 t.Error("ID1 should not be allowed to delegate peer registration to another identity") 2586 } 2587 _, err = id1.RegisterAndEnroll(&api.RegistrationRequest{ 2588 Name: name, 2589 Type: "user", 2590 Affiliation: topAffiliation, 2591 }) 2592 if err == nil { 2593 t.Error("ID1 should not be allowed to registrar outside of its affiliation hierarchy") 2594 } 2595 name = "testRegistrationUser2" 2596 id2, err := id1.RegisterAndEnroll(&api.RegistrationRequest{ 2597 Name: name, 2598 Type: "user", 2599 Affiliation: botAffiliation, 2600 }) 2601 if err != nil { 2602 t.Fatalf("ID1 failed to register %s: %s", name, err) 2603 } 2604 name = "testRegistrationUser3" 2605 _, err = id2.RegisterAndEnroll(&api.RegistrationRequest{ 2606 Name: name, 2607 Type: "user", 2608 Affiliation: botAffiliation, 2609 }) 2610 if err == nil { 2611 t.Error("ID2 should not be allowed to register") 2612 } 2613 } 2614 2615 func makeAttrs(t *testing.T, args ...string) []api.Attribute { 2616 attrs := make([]api.Attribute, len(args)) 2617 for idx, attr := range args { 2618 eles := strings.Split(attr, "=") 2619 if len(eles) != 2 { 2620 t.Fatalf("Not two elements in %s", attr) 2621 } 2622 attrs[idx].Name = eles[0] 2623 attrs[idx].Value = eles[1] 2624 } 2625 return attrs 2626 } 2627 2628 func writeCAFile(name, parentcaname, filename, home string, port int, t *testing.T) { 2629 contents := fmt.Sprintf(` 2630 ca: 2631 name: %s 2632 intermediate: 2633 parentserver: 2634 url: http://admin:adminpw@localhost:%d 2635 caname: %s 2636 `, name, port, parentcaname) 2637 os.MkdirAll(home, 0755) 2638 fpath := path.Join(home, fmt.Sprintf("%s.yaml", filename)) 2639 err := ioutil.WriteFile(fpath, []byte(contents), 0644) 2640 if err != nil { 2641 t.Fatalf("Failed to create ca1.yaml: %s", err) 2642 } 2643 } 2644 2645 var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") 2646 2647 func randSeq(n int) string { 2648 b := make([]rune, n) 2649 for i := range b { 2650 b[i] = letters[rand.Intn(len(letters))] 2651 } 2652 return string(b) 2653 } 2654 2655 func testBadCryptoData(t *testing.T, s *Server, testData []string) { 2656 config := []string{"ca/rootca/ca1/fabric-ca-server-config.yaml"} 2657 sCert := "../testdata/ca/rootca/ca1/ca-cert.pem" 2658 sKey := "../testdata/ca/rootca/ca1/ca-key.pem" 2659 // Starting server with expired certificate 2660 err := CopyFile(testData[0], sCert) 2661 if err != nil { 2662 t.Errorf("Failed to copy expired cert to %s failed: %v", testData[0], err) 2663 } 2664 err = CopyFile(testData[1], sKey) 2665 if err != nil { 2666 t.Errorf("Failed to copy key to %s failed: %v", testData[1], err) 2667 } 2668 s.Config.CAfiles = config 2669 err = s.Start() 2670 t.Logf("srvStart ERROR %v", err) 2671 if err == nil { 2672 t.Errorf("Should have failed to start server, %s", testData[2]) 2673 err = s.Stop() 2674 if err != nil { 2675 t.Errorf("Failed to stop server: %s", err) 2676 } 2677 } 2678 err = os.Remove(sCert) 2679 if err != nil { 2680 t.Errorf("Remove failed: %s", err) 2681 } 2682 err = os.Remove(sKey) 2683 if err != nil { 2684 t.Errorf("Remove failed: %s", err) 2685 } 2686 } 2687 2688 func cleanTestSlateSRV(t *testing.T) { 2689 err := os.RemoveAll("../testdata/ca-cert.pem") 2690 if err != nil { 2691 t.Errorf("RemoveAll failed: %s", err) 2692 } 2693 err = os.RemoveAll("../testdata/ca-key.pem") 2694 if err != nil { 2695 t.Errorf("RemoveAll failed: %s", err) 2696 } 2697 err = os.RemoveAll("../testdata/fabric-ca-server.db") 2698 if err != nil { 2699 t.Errorf("RemoveAll failed: %s", err) 2700 } 2701 err = os.RemoveAll(rootDir) 2702 if err != nil { 2703 t.Errorf("RemoveAll failed: %s", err) 2704 } 2705 err = os.RemoveAll(intermediateDir) 2706 if err != nil { 2707 t.Errorf("RemoveAll failed: %s", err) 2708 } 2709 err = os.RemoveAll("multica") 2710 if err != nil { 2711 t.Errorf("RemoveAll failed: %s", err) 2712 } 2713 err = os.RemoveAll(serversDir) 2714 if err != nil { 2715 t.Errorf("RemoveAll failed: %s", err) 2716 } 2717 err = os.RemoveAll("../testdata/msp") 2718 if err != nil { 2719 t.Errorf("RemoveAll failed: %s", err) 2720 } 2721 err = os.RemoveAll("msp") 2722 if err != nil { 2723 t.Errorf("RemoveAll failed: %s", err) 2724 } 2725 err = os.RemoveAll("../util/msp") 2726 if err != nil { 2727 t.Errorf("RemoveAll failed: %s", err) 2728 } 2729 cleanMultiCADir(t) 2730 } 2731 2732 func TestStatsdMetricsE2E(t *testing.T) { 2733 gt := NewGomegaWithT(t) 2734 var err error 2735 2736 server := TestGetRootServer(t) 2737 2738 // Statsd 2739 datagramReader := NewDatagramReader(t) 2740 go datagramReader.Start() 2741 defer datagramReader.Close() 2742 2743 server.Config.Metrics = operations.MetricsOptions{ 2744 Provider: "statsd", 2745 Statsd: &operations.Statsd{ 2746 Network: "udp", 2747 Address: datagramReader.Address(), 2748 Prefix: "server", 2749 WriteInterval: time.Duration(time.Millisecond), 2750 }, 2751 } 2752 2753 server.CA.Config.CA.Name = "ca" 2754 err = server.Start() 2755 gt.Expect(err).NotTo(HaveOccurred()) 2756 defer server.Stop() 2757 defer os.RemoveAll(rootDir) 2758 2759 client := TestGetClient(rootPort, "metrics") 2760 _, err = client.Enroll(&api.EnrollmentRequest{ 2761 Name: "admin", 2762 Secret: "badpass", 2763 CAName: "ca", 2764 }) 2765 gt.Expect(err).To(HaveOccurred()) 2766 defer os.RemoveAll("metrics") 2767 2768 _, err = client.Enroll(&api.EnrollmentRequest{ 2769 Name: "admin", 2770 Secret: "adminpw", 2771 CAName: "ca", 2772 }) 2773 gt.Expect(err).NotTo(HaveOccurred()) 2774 2775 eventuallyTimeout := 10 * time.Second 2776 gt.Eventually(datagramReader, eventuallyTimeout).Should(gbytes.Say("serverx.api_request.count.ca.enroll.201:1.000000|c")) 2777 gt.Eventually(datagramReader, eventuallyTimeout).Should(gbytes.Say("server.api_request.duration.ca.enroll.201")) 2778 contents := datagramReader.String() 2779 gt.Expect(contents).To(ContainSubstring("server.api_request.duration.ca.enroll.401")) 2780 gt.Expect(contents).To(ContainSubstring("server.api_request.count.ca.enroll.401:1.000000|c")) 2781 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetRAInfo.Select:1.000000|c")) 2782 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateAffiliationsTable.Exec:2.000000|c")) 2783 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateCertificatesTable.Exec:2.000000|c")) 2784 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreatePropertiesTable.Exec:2.000000|c")) 2785 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetProperty.Get:12.000000|c")) 2786 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.InsertAffiliation.Exec:11.000000|c")) 2787 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateTable.Commit:1.000000|c")) 2788 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetUserLessThanLevel.Queryx:1.000000|c")) 2789 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateAffiliationsTable.Exec:4.000000|c")) 2790 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.Migration.Commit:1.000000|c")) 2791 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateUsersTable.Exec:3.000000|c")) 2792 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateCertificatesTable.Exec:4.000000|c")) 2793 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetUser.Get:1.000000|c")) 2794 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.AddRAInfo.NamedExec:1.000000|c")) 2795 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateCredentialsTable.Exec:1.000000|c")) 2796 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateRevocationAuthorityTable.Exec:1.000000|c")) 2797 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateNoncesTable.Exec:1.000000|c")) 2798 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateUsersTable.Exec:7.000000|c")) 2799 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreatePropertiesTable.Exec")) 2800 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetUserLessThanLevel.Queryx")) 2801 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateCertificatesTable.Exec")) 2802 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetUser.Get")) 2803 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.Migration.Commit")) 2804 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.InsertUser.NamedExec")) 2805 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateAffiliationsTable.Exec")) 2806 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateCredentialsTable.Exec")) 2807 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateRevocationAuthorityTable.Exec")) 2808 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateNoncesTable.Exec")) 2809 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetProperty.Get")) 2810 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.AddRAInfo.NamedExec")) 2811 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateCertificatesTable.Exec")) 2812 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateTable.Commit")) 2813 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateUsersTable.Exec")) 2814 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.InsertAffiliation.Exec")) 2815 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetRAInfo.Select")) 2816 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateUsersTable.Exec")) 2817 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateAffiliationsTable.Exec")) 2818 } 2819 2820 func TestPrometheusMetricsE2E(t *testing.T) { 2821 gt := NewGomegaWithT(t) 2822 var err error 2823 2824 server := TestGetRootServer(t) 2825 // Prometheus 2826 server.Config.Metrics.Provider = "prometheus" 2827 server.Config.Operations.ListenAddress = "localhost:0" 2828 2829 server.Config.Operations.TLS = operations.TLS{ 2830 Enabled: true, 2831 CertFile: filepath.Join(testdata, "tls_server-cert.pem"), 2832 KeyFile: filepath.Join(testdata, "tls_server-key.pem"), 2833 ClientCertRequired: true, 2834 ClientCACertFiles: []string{"../testdata/root.pem"}, 2835 } 2836 2837 server.CA.Config.CA.Name = "ca" 2838 err = server.Start() 2839 gt.Expect(err).NotTo(HaveOccurred()) 2840 defer server.Stop() 2841 defer os.RemoveAll(rootDir) 2842 2843 client := TestGetClient(rootPort, "metrics") 2844 _, err = client.Enroll(&api.EnrollmentRequest{ 2845 Name: "admin", 2846 Secret: "badpass", 2847 CAName: "ca", 2848 }) 2849 gt.Expect(err).To(HaveOccurred()) 2850 defer os.RemoveAll("metrics") 2851 2852 _, err = client.Enroll(&api.EnrollmentRequest{ 2853 Name: "admin", 2854 Secret: "adminpw", 2855 CAName: "ca", 2856 }) 2857 gt.Expect(err).NotTo(HaveOccurred()) 2858 2859 // Prometheus client 2860 clientCert, err := tls.LoadX509KeyPair( 2861 filepath.Join(testdata, "tls_client-cert.pem"), 2862 filepath.Join(testdata, "tls_client-key.pem"), 2863 ) 2864 gt.Expect(err).NotTo(HaveOccurred()) 2865 clientCertPool := x509.NewCertPool() 2866 caCert, err := ioutil.ReadFile(filepath.Join(testdata, "root.pem")) 2867 gt.Expect(err).NotTo(HaveOccurred()) 2868 clientCertPool.AppendCertsFromPEM(caCert) 2869 2870 c := &http.Client{ 2871 Transport: &http.Transport{ 2872 TLSClientConfig: &tls.Config{ 2873 Certificates: []tls.Certificate{clientCert}, 2874 RootCAs: clientCertPool, 2875 }, 2876 }, 2877 } 2878 2879 addr := strings.Split(server.Operations.Addr(), ":") 2880 metricsURL := fmt.Sprintf("https://localhost:%s/metrics", addr[1]) 2881 resp, err := c.Get(metricsURL) 2882 gt.Expect(err).NotTo(HaveOccurred()) 2883 gt.Expect(resp.StatusCode).To(Equal(http.StatusOK)) 2884 defer resp.Body.Close() 2885 2886 bodyBytes, err := ioutil.ReadAll(resp.Body) 2887 gt.Expect(err).NotTo(HaveOccurred()) 2888 body := string(bodyBytes) 2889 2890 err = server.Stop() 2891 gt.Expect(err).NotTo(HaveOccurred()) 2892 2893 gt.Expect(body).To(ContainSubstring(`# HELP api_request_count Number of requests made to an API`)) 2894 gt.Expect(body).To(ContainSubstring(`# TYPE api_request_count counter`)) 2895 gt.Expect(body).To(ContainSubstring(`api_request_count{api_name="enroll",ca_name="ca",status_code="201"} 1.0`)) 2896 gt.Expect(body).To(ContainSubstring(`api_request_count{api_name="enroll",ca_name="ca",status_code="401"} 1.0`)) 2897 gt.Expect(body).To(ContainSubstring(`# HELP api_request_duration Time taken in seconds for the request to an API to be completed`)) 2898 gt.Expect(body).To(ContainSubstring(`# TYPE api_request_duration histogram`)) 2899 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.005"}`)) 2900 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.01"}`)) 2901 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.025"}`)) 2902 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.05"}`)) 2903 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.1"}`)) 2904 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.25"}`)) 2905 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.5"}`)) 2906 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="1.0"}`)) 2907 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="2.5"}`)) 2908 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="5.0"}`)) 2909 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="10.0"}`)) 2910 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="+Inf"}`)) 2911 gt.Expect(body).To(ContainSubstring(`api_request_duration_sum{api_name="enroll",ca_name="ca",status_code="201"}`)) 2912 gt.Expect(body).To(ContainSubstring(`api_request_duration_count{api_name="enroll",ca_name="ca",status_code="201"} 1.0`)) 2913 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.005"}`)) 2914 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.01"}`)) 2915 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.025"}`)) 2916 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.05"}`)) 2917 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.1"}`)) 2918 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.25"}`)) 2919 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.5"}`)) 2920 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="1.0"}`)) 2921 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="2.5"}`)) 2922 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="5.0"}`)) 2923 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="10.0"}`)) 2924 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="+Inf"}`)) 2925 gt.Expect(body).To(ContainSubstring(`api_request_duration_sum{api_name="enroll",ca_name="ca",status_code="401"}`)) 2926 gt.Expect(body).To(ContainSubstring(`api_request_duration_count{api_name="enroll",ca_name="ca",status_code="401"} 1.0`)) 2927 gt.Expect(body).To(ContainSubstring(`# HELP db_api_request_count Number of requests made to a database API`)) 2928 gt.Expect(body).To(ContainSubstring(`# TYPE db_api_request_count counter`)) 2929 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Commit",func_name="CreateTable"} 1.0`)) 2930 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Commit",func_name="Migration"} 1.0`)) 2931 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateAffiliationsTable"} 2.0`)) 2932 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateCertificatesTable"} 2.0`)) 2933 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateCredentialsTable"} 1.0`)) 2934 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateNoncesTable"} 1.0`)) 2935 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreatePropertiesTable"} 2.0`)) 2936 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateRevocationAuthorityTable"} 1.0`)) 2937 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateUsersTable"} 3.0`)) 2938 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="IncrementIncorrectPasswordAttempts"} 1.0`)) 2939 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="InsertAffiliation"} 11.0`)) 2940 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="LoginComplete"} 1.0`)) 2941 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateAffiliationsTable"} 4.0`)) 2942 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateCertificatesTable"} 4.0`)) 2943 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateUsersTable"} 7.0`)) 2944 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="ResetIncorrectLoginAttempts"} 1.0`)) 2945 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="GetProperty"} 12.0`)) 2946 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="GetUser"} 5.0`)) 2947 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="ResetIncorrectLoginAttempts"} 1.0`)) 2948 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="AddRAInfo"} 1.0`)) 2949 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="InsertCertificate"} 1.0`)) 2950 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="InsertUser"} 1.0`)) 2951 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Queryx",func_name="GetUserLessThanLevel"} 1.0`)) 2952 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo"} 1.0`)) 2953 gt.Expect(body).To(ContainSubstring(`# HELP db_api_request_duration Time taken in seconds for the request to a database API to be completed`)) 2954 gt.Expect(body).To(ContainSubstring(`# TYPE db_api_request_duration histogram`)) 2955 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Commit",func_name="CreateTable",le="0.5"}`)) 2956 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Commit",func_name="Migration",le="0.5"}`)) 2957 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateAffiliationsTable",le="0.5"}`)) 2958 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateCertificatesTable",le="0.5"}`)) 2959 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateCredentialsTable",le="0.5"}`)) 2960 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateNoncesTable",le="0.5"}`)) 2961 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreatePropertiesTable",le="0.5"}`)) 2962 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateRevocationAuthorityTable",le="0.5"}`)) 2963 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateUsersTable",le="0.5"}`)) 2964 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="IncrementIncorrectPasswordAttempts",le="0.5"}`)) 2965 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="InsertAffiliation",le="0.5"}`)) 2966 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="LoginComplete",le="0.5"}`)) 2967 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateAffiliationsTable",le="0.5"}`)) 2968 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateCertificatesTable",le="0.5"}`)) 2969 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateUsersTable",le="0.5"}`)) 2970 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="GetProperty",le="0.5"}`)) 2971 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="GetUser",le="0.5"}`)) 2972 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="ResetIncorrectLoginAttempts",le="0.5"}`)) 2973 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="AddRAInfo",le="0.5"}`)) 2974 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="InsertCertificate",le="0.5"}`)) 2975 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="InsertUser",le="0.5"}`)) 2976 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Queryx",func_name="GetUserLessThanLevel",le="0.5"}`)) 2977 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo",le="0.25"}`)) 2978 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo",le="0.5"}`)) 2979 } 2980 2981 type DatagramReader struct { 2982 buffer *gbytes.Buffer 2983 errCh chan error 2984 sock *net.UDPConn 2985 doneCh chan struct{} 2986 closeOnce sync.Once 2987 err error 2988 } 2989 2990 func NewDatagramReader(t *testing.T) *DatagramReader { 2991 gt := NewGomegaWithT(t) 2992 2993 udpAddr, err := net.ResolveUDPAddr("udp", "127.0.0.1:0") 2994 gt.Expect(err).NotTo(HaveOccurred()) 2995 sock, err := net.ListenUDP("udp", udpAddr) 2996 gt.Expect(err).NotTo(HaveOccurred()) 2997 err = sock.SetReadBuffer(1024 * 1024) 2998 gt.Expect(err).NotTo(HaveOccurred()) 2999 3000 return &DatagramReader{ 3001 buffer: gbytes.NewBuffer(), 3002 sock: sock, 3003 errCh: make(chan error, 1), 3004 doneCh: make(chan struct{}), 3005 } 3006 } 3007 3008 func (dr *DatagramReader) Buffer() *gbytes.Buffer { 3009 return dr.buffer 3010 } 3011 3012 func (dr *DatagramReader) Address() string { 3013 return dr.sock.LocalAddr().String() 3014 } 3015 3016 func (dr *DatagramReader) String() string { 3017 return string(dr.buffer.Contents()) 3018 } 3019 3020 func (dr *DatagramReader) Start() { 3021 buf := make([]byte, 1024*1024) 3022 for { 3023 select { 3024 case <-dr.doneCh: 3025 dr.errCh <- nil 3026 return 3027 3028 default: 3029 n, _, err := dr.sock.ReadFrom(buf) 3030 if err != nil { 3031 dr.errCh <- err 3032 return 3033 } 3034 _, err = dr.buffer.Write(buf[0:n]) 3035 if err != nil { 3036 dr.errCh <- err 3037 return 3038 } 3039 } 3040 } 3041 } 3042 3043 func (dr *DatagramReader) Close() error { 3044 dr.closeOnce.Do(func() { 3045 close(dr.doneCh) 3046 err := dr.sock.Close() 3047 dr.err = <-dr.errCh 3048 if dr.err == nil && err != nil && err != io.EOF { 3049 dr.err = err 3050 } 3051 }) 3052 return dr.err 3053 } 3054 3055 func getMysqlDb(m *mysql.Mysql) (*db.DB, error) { 3056 err := m.Connect() 3057 if err != nil { 3058 return nil, err 3059 } 3060 testdb, err := m.Create() 3061 if err != nil { 3062 return nil, err 3063 } 3064 return testdb, nil 3065 }