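#!/bin/bash
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# Functional test for fabric-ca affiliation management. It drives the
# fabric-ca client against a server started through fabric-ca_setup.sh and
# checks that affiliation add/modify/remove requests are accepted or rejected
# as expected, depending on the server's allowremove flags and the caller's
# hf.AffiliationMgr attribute and position in the affiliation tree. It also
# checks that certificates of identities removed together with an affiliation
# are marked revoked in the database.
#
# ErrorMsg, enroll, register, setTLS and CleanUp, and the variables
# FABRIC_CA_CLIENTEXEC, PROTO, CA_HOST_ADDRESS, PROXY_PORT and TLSOPT, are not
# defined in this file; presumably they come from the sourced fabric-ca_utils.
#
# $URI and $FABRIC_CA_CLIENTEXEC are expanded unquoted on purpose: URI holds
# several words ("-u <url> <tls options>") that must split into separate
# arguments.

dbDriver=postgres

: "${TESTCASE=aff_modify}"
FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
SCRIPTDIR="$FABRIC_CA/scripts/fvt"
. "$SCRIPTDIR/fabric-ca_utils"
# NOTE(review): TESTDIR is a predictable path under /tmp and receives the
# client home directories (admin, admin2, affman, newuser*) and server.log.
# Run this only on a single-user or CI host where /tmp is not shared.
TESTDIR="/tmp/$TESTCASE"
RC=0
NUMROLES=8

# defaults
# (RC, NUMROLES and defaultValues are not read in this file; presumably the
# sourced helpers use them -- confirm before removing.)
declare -A defaultValues
defaultValues=([Maxenrollments]=2147483647 [Affiliation]='.' [Type]="user" [Passwd]="user1pw")

#######################################
# Count, per search term, the rows of one table in the database listing.
# Arguments: $1 - database driver passed to fabric-ca_setup.sh -d
#            $2 - table heading to select (e.g. Affiliations)
#            $3.. - terms, split on whitespace, matched case-insensitively
#                   as regular expressions against each row
# Outputs:   one "term:count" line per term (order unspecified)
#######################################
function tableCount() {
  driver="$1"
  tableType="$2"
  shift 2
  "$SCRIPTDIR/fabric-ca_setup.sh" -L -d "$driver" -D |
    sed -n "/$tableType:/,/^.*: *$/p" |
    sed '1,3d;$d' |
    awk -v s="$*" '
      BEGIN { n = split(s, terms) }
      {
        for (i in terms)
          if (match(tolower($0), tolower(terms[i]))) val[terms[i]]++
      }
      END {
        for (i in terms) {
          # Print the term through %s so it is never read as a format string.
          printf "%s:", terms[i]
          print val[terms[i]] ? val[terms[i]] : "0"
        }
      }'
}

# Print the current affiliation row counts for the four planet subtrees.
function displayRunningTotal() {
  tableCount "$dbDriver" Affiliations "planet0 planet1 planet2 planetx"
}

#######################################
# Compare the running totals with the expected counts.
# Arguments: the expected counts, in sorted term order
#            (planet0 planet1 planet2 planetx), e.g. "403 403 403 0"
# Returns:   0 when they match, 1 otherwise
#######################################
function verifyTotals() {
  # sort fixes the order, because awk's "for (i in terms)" order is unspecified.
  totals="$(displayRunningTotal | sort | awk -F':' '{ printf "%s ", $2 }')"
  expected="$(echo $@ | sed 's/ \+/ /')"
  test "${totals%% }" = "${expected:-0}" || return 1
}

#######################################
# Emit an "affiliations:" YAML section with org1, org2 and a deep
# Planet/Landmass/Country/Province/Locale/City/Hood tree.
# Each Planet subtree holds
#   1 + 2*(1 + 2*(1 + 3*(1 + 2*(1 + 3*(1 + 4))))) = 403
# affiliations, the per-planet figure the tests pass to verifyTotals.
# Globals:   FABRIC_CA_CLIENT_HOME (exported), indent (written, not local)
# Outputs:   the YAML text on stdout
#######################################
function genAffYaml() {
  export FABRIC_CA_CLIENT_HOME="$TESTDIR/admin"
  local Planet=(0 1 2)
  local Landmass=(0 1)
  local Country=(0 1)
  local Province=(0 1 2)
  local Locale=(0 1)
  local City=(0 1 2)
  local Hood=(0 1 2 3)
  # NOTE(review): the indent step is reproduced as a single space; the nesting
  # is self-consistent either way, but confirm the width against the
  # repository copy of this script.
  echo "affiliations:"
  indent="${indent} "
  echo "${indent}org1:"
  echo "${indent} - department1"
  echo "${indent} - department2"
  for P in "${Planet[@]}"; do
    echo "${indent}Planet$P:"
    indent="${indent} "
    for L in "${Landmass[@]}"; do
      echo "${indent}Landmass$L:"
      indent="${indent} "
      for C in "${Country[@]}"; do
        echo "${indent}Country$C:"
        indent="${indent} "
        for R in "${Province[@]}"; do
          echo "${indent}Province$R:"
          indent="${indent} "
          for O in "${Locale[@]}"; do
            echo "${indent}Locale$O:"
            indent="${indent} "
            for I in "${City[@]}"; do
              echo "${indent}City$I:"
              indent="${indent} "
              for H in "${Hood[@]}"; do
                echo "${indent}- Hood$H"
              done
              indent="${indent# }"
            done
            indent="${indent# }"
          done
          indent="${indent# }"
        done
        indent="${indent# }"
      done
      indent="${indent# }"
    done
    indent="${indent# }"
  done
  echo "${indent}org2:"
  echo "${indent} - department1"
  echo "${indent} - department2"
}

#######################################
# Refresh the global affiliation counters.
# Globals:   dbEntries (written)     - rows counted in the database listing
#            serverEntries (written) - lines of "affiliation list", minus one
#######################################
function _refreshAffiliationCounts() {
  dbEntries=$(tableCount "$dbDriver" Affiliations ".*" | awk -F':' '{print $2}')
  # discount the summary line displayed in the above command
  dbEntries=$((dbEntries - 1))
  serverEntries=$(($($FABRIC_CA_CLIENTEXEC affiliation list $URI -H "$TESTDIR/admin/" | wc -l) - 1))
}

# Print how many lines of the database listing mention "planetX".
function _planetXRowCount() {
  "$SCRIPTDIR/fabric-ca_setup.sh" -L -d "$dbDriver" | grep -c planetX
}

# Start the server, check that removal is refused without
# --cfg.affiliations.allowremove, then restart it with the generated
# affiliation tree and that flag set.
function setupServerEnv() {
  "$SCRIPTDIR/fabric-ca_setup.sh" -d "$dbDriver" -I -S -X -n1 -D -x "$TESTDIR" > "$TESTDIR/server.log" 2>&1
  enroll
  # Ensure affiliations cannot be deleted if --cfg.affiliations.allowremove not configured
  $FABRIC_CA_CLIENTEXEC affiliation remove org1 $URI -H "$TESTDIR/admin/" 2>&1 |
    grep 'Authorization failure' ||
    ErrorMsg "should not be able to delete 'org1', or wrong error msg"
  "$SCRIPTDIR/fabric-ca_setup.sh" -K

  # Generate a large affiliation tree for testing;
  # this is way faster than adding with the cmd-line client
  genAffYaml >> "$CA_CFG_PATH/runFabricCaFvt.yaml"
  "$SCRIPTDIR/fabric-ca_setup.sh" -d "$dbDriver" -S -X -n1 -D -x "$TESTDIR" -- \
    --cfg.affiliations.allowremove > "$TESTDIR/server.log" 2>&1
  # Sanity check the number of affiliations
  _refreshAffiliationCounts
  test "$dbEntries" -eq "$serverEntries" ||
    ErrorMsg "Wrong number of affiliations: expected $dbEntries, got $serverEntries"
  displayRunningTotal
  verifyTotals "403 403 403 0" || ErrorMsg "Wrong number of affiliations"
}

# Check removal rules for affiliations with children and with identities
# that reference them.
function testAffiliationRefs() {
  # @TODO all of these should be 400 bad request FAB-7466
  # Ensure affiliations w/ sub-affiliations cannot be deleted w/o --force
  $FABRIC_CA_CLIENTEXEC affiliation remove org1 $URI -H "$TESTDIR/admin/" -d 2>&1 |
    grep "Authorization failure" ||
    ErrorMsg "should not be able to delete 'org1' w/o force (has sub-affiliations)"
  # Ensure affiliations can be deleted if no ID's are referencing them
  $FABRIC_CA_CLIENTEXEC affiliation remove org1.department1 $URI -H "$TESTDIR/admin/" -d 2>&1 ||
    ErrorMsg "should be able to delete org1.department1"
  $FABRIC_CA_CLIENTEXEC affiliation remove org1 --force $URI -H "$TESTDIR/admin/" -d 2>&1 ||
    ErrorMsg "should be able to delete org1"
  # NOTE(review): the two negative checks below only look at the exit status,
  # so any client failure (not just a refused removal) satisfies them; the
  # grep-based checks elsewhere in this file are stricter.
  # Ensure affiliations can be deleted, even if ID's are referencing them, but only w/ --force
  $FABRIC_CA_CLIENTEXEC affiliation remove bank_b $URI -H "$TESTDIR/admin/" -d 2>&1 &&
    ErrorMsg "should not be able to delete 'bank_b' with references"
  # Ensure affiliations cannot be deleted if ID's are referencing them,
  # and --cfg.identities.allowremove is not configured, even w/ --force
  $FABRIC_CA_CLIENTEXEC affiliation remove bank_b $URI -H "$TESTDIR/admin/" --force -d 2>&1 &&
    ErrorMsg "should not be able to delete 'bank_b' without --cfg.identities.allowremove"
}

# Check that removing an affiliation referenced by identities needs
# --cfg.identities.allowremove, and that forced removal deletes all children.
function testAllowremove() {
  # ensure cfg.identities.allowremove flag is required
  $FABRIC_CA_CLIENTEXEC affiliation remove bank_b --force $URI -H "$TESTDIR/admin/" 2>&1 |
    grep 'Authorization failure' ||
    ErrorMsg "should not be able to delete 'bank_b', or wrong error msg"
  # add cfg.identities.allowremove flag
  "$SCRIPTDIR/fabric-ca_setup.sh" -K
  "$SCRIPTDIR/fabric-ca_setup.sh" -d "$dbDriver" -S -X -n1 -D -x "$TESTDIR" -- \
    --cfg.affiliations.allowremove --cfg.identities.allowremove > "$TESTDIR/server.log" 2>&1
  # try again
  $FABRIC_CA_CLIENTEXEC affiliation remove bank_b --force $URI -H "$TESTDIR/admin/" 2>&1 ||
    ErrorMsg "should be able to delete 'bank_b'"
  # make sure entries are deleted
  "$SCRIPTDIR/fabric-ca_setup.sh" -L -d "$dbDriver" -D | grep bank_b &&
    ErrorMsg "'bank_b' not deleted"
  # expected is derived from the count taken before this removal
  expected=$((dbEntries - 2))
  _refreshAffiliationCounts
  test "$expected" -eq "$serverEntries" ||
    ErrorMsg "Wrong number of affiliations: expected $expected, got $serverEntries"
  displayRunningTotal
  verifyTotals "403 403 403 0" || ErrorMsg "Wrong number of affiliations"

  # Ensure all children are deleted
  $FABRIC_CA_CLIENTEXEC affiliation remove planet2.landmass1 --force $URI -H "$TESTDIR/admin/" 2>&1 ||
    ErrorMsg "should be able to delete 'planet2.landmass1'"
  # make sure entries are deleted
  "$SCRIPTDIR/fabric-ca_setup.sh" -L -d "$dbDriver" -D | grep "planet2.landmass1" &&
    ErrorMsg "'planet2.landmass1' not deleted"
  # one landmass subtree is 201 affiliations
  expected=$((dbEntries - 201))
  _refreshAffiliationCounts
  test "$expected" -eq "$serverEntries" ||
    ErrorMsg "Wrong number of affiliations: expected $expected, got $serverEntries"
  displayRunningTotal
  verifyTotals "403 403 202 0" || ErrorMsg "Wrong number of affiliations"
}

# Check that admin2 cannot remove affiliations, then register and enroll
# 'affman', an affiliation manager rooted at
# planet2.landmass0.country1.province0, for the tree-pruning tests.
function testAffiliationMgr() {
  # Ensure affiliations can only be updated by authorized users
  enroll admin2 adminpw2
  $FABRIC_CA_CLIENTEXEC affiliation remove org2 $URI -H "$TESTDIR/admin2" 2>&1 |
    grep "Authorization failure" ||
    ErrorMsg "Should not be able to delete attributes, or wrong error msg"

  # Set up a manager whose own affiliation sits below the tree root; the
  # checks that it cannot act higher in its tree are in testTreePruningFailCases
  $FABRIC_CA_CLIENTEXEC identity add affman $URI -H "$TESTDIR/admin" --secret passwd \
    --attrs '"hf.Registrar.Roles=client,user,peer,validator,auditor,ca"' \
    --affiliation "planet2.landmass0.country1.province0"
  # If this grant failed silently, the later "Authorization failure" checks
  # would pass for the wrong reason (no manager attribute at all).
  $FABRIC_CA_CLIENTEXEC identity modify affman --attrs "hf.AffiliationMgr=1" $URI -H "$TESTDIR/admin" ||
    ErrorMsg "Failed to update affman"
  enroll affman passwd
}

# Check that affman cannot change affiliations above, beside or equal to its
# own, and that renaming an affiliation with identities needs --force.
function testTreePruningFailCases() {
  # higher
  $FABRIC_CA_CLIENTEXEC affiliation remove planet2.landmass0.country1 $URI -H "$TESTDIR/affman/" -d 2>&1 |
    grep 'Authorization failure' ||
    ErrorMsg "Should not be able to delete 'planet2.landmass0.country1'"
  $FABRIC_CA_CLIENTEXEC affiliation add planet2.landmass0.country10 $URI -H "$TESTDIR/affman/" -d 2>&1 |
    grep 'Authorization failure' ||
    ErrorMsg "Should not be able to add 'planet2.landmass0.country10'"
  # lateral
  $FABRIC_CA_CLIENTEXEC affiliation remove planet2.landmass0.country1.province1 $URI -H "$TESTDIR/affman/" -d 2>&1 |
    grep 'Authorization failure' ||
    ErrorMsg "Should not be able to delete 'planet2.landmass0.country1.province1'"
  $FABRIC_CA_CLIENTEXEC affiliation add planet2.landmass0.country1.province10 $URI -H "$TESTDIR/affman/" -d 2>&1 |
    grep 'Authorization failure' ||
    ErrorMsg "Should not be able to add 'planet2.landmass0.country1.province10'"
  # cannot delete own affiliation
  $FABRIC_CA_CLIENTEXEC affiliation remove planet2.landmass0.country1.province0 $URI -H "$TESTDIR/affman/" -d 2>&1 |
    grep 'Authorization failure' ||
    ErrorMsg "Should not be able to delete own affiliation"
  # Register and enroll one identity per Hood under province0
  for l in 0 1; do
    for c in 0 1 2; do
      for h in 0 1 2 3; do
        $FABRIC_CA_CLIENTEXEC identity add "newuser$l$c$h" $URI -H "$TESTDIR/admin" --secret passwd \
          --affiliation "planet2.landmass0.country1.province0.locale$l.city$c.Hood$h"
        enroll "newuser$l$c$h" passwd > /dev/null
      done
    done
  done

  # --force needed when users are impacted
  $FABRIC_CA_CLIENTEXEC affiliation modify planet2 --name planetX $URI -H "$TESTDIR/admin" 2>&1 |
    grep "Need to use 'force'" ||
    ErrorMsg "Should not be able to modify affiliation w/o --force"
  $FABRIC_CA_CLIENTEXEC affiliation modify planet2 --name planetX --force $URI -H "$TESTDIR/admin" ||
    ErrorMsg "Should be able to modify affiliation w/ --force"
  displayRunningTotal
  verifyTotals "403 403 0 202" || ErrorMsg "Wrong number of affiliations"
  test "$(_planetXRowCount)" -eq 25 || ErrorMsg "Wrong number of users"
}

# Check that affman can remove, add and rename affiliations below its own,
# and that removed subtrees take their children and identities with them.
function testTreePruningSuccessCases() {
  # lower, succeeds -- all children deleted
  $FABRIC_CA_CLIENTEXEC affiliation remove --force planetX.landmass0.country1.province0.locale0 $URI -H "$TESTDIR/affman" ||
    ErrorMsg "Should be able to delete lower affiliation"
  displayRunningTotal
  verifyTotals "403 403 0 186" || ErrorMsg "Wrong number of affiliations"
  test "$(_planetXRowCount)" -eq 13 || ErrorMsg "Wrong number of users"
  $FABRIC_CA_CLIENTEXEC affiliation add planetX.landmass0.country1.province0.locale10 $URI -H "$TESTDIR/affman" ||
    ErrorMsg "Should be able to add lower affiliation"
  displayRunningTotal
  verifyTotals "403 403 0 187" || ErrorMsg "Wrong number of affiliations"
  # (the original ran this identical check twice in a row; once is enough)
  test "$(_planetXRowCount)" -eq 13 || ErrorMsg "Wrong number of users"
  $FABRIC_CA_CLIENTEXEC affiliation modify planetX.landmass0.country1.province0.locale10 \
    --name planetX.landmass0.country1.province0.locale11 $URI -H "$TESTDIR/affman" ||
    ErrorMsg "Should be able to modify lower affiliation"
  displayRunningTotal
  verifyTotals "403 403 0 187" || ErrorMsg "Wrong number of affiliations"
  test "$(_planetXRowCount)" -eq 13 || ErrorMsg "Wrong number of users"
  # Ensure we accept alternate values
  $FABRIC_CA_CLIENTEXEC identity modify affman --attrs "hf.AffiliationMgr=T" $URI -H "$TESTDIR/admin" ||
    ErrorMsg "Failed to update affman"
  $FABRIC_CA_CLIENTEXEC affiliation remove --force planetX.landmass0.country1.province0.locale1 $URI -H "$TESTDIR/affman/" ||
    ErrorMsg "Should be able to delete lower affiliation"
  displayRunningTotal
  verifyTotals "403 403 0 171" || ErrorMsg "Wrong number of affiliations"
  test "$(_planetXRowCount)" -eq 1 || ErrorMsg "Wrong number of users"
  # ensure all children are gone
  # (net change since the last refresh: -16 locale0, +1 locale10, -16 locale1)
  expected=$((dbEntries - 31))
  _refreshAffiliationCounts
  test "$expected" -eq "$serverEntries" ||
    ErrorMsg "Wrong number of affiliations: expected $expected, got $serverEntries"
  displayRunningTotal
  verifyTotals "403 403 0 171" || ErrorMsg "Wrong number of affiliations"
}

# Check that every certificate row for a 'newuser*' identity is revoked.
function testCertRevocation() {
  # Ensure any users who are deleted as part of an
  # affiliation deletion have certs revoked;
  # NOTE: $dbDriver stores the status as a binary ASCII blob,
  # hence the check for '7265766f6b6564' (hex for "revoked")
  # The check fails when no newuser certificate is found at all, so an
  # empty listing cannot pass it vacuously.
  "$SCRIPTDIR/fabric-ca_setup.sh" -L -d "$dbDriver" -D |
    awk -F'|' -v unrevoked=0 '
      /Certificates:/,/Affiliations:/ {
        if ($1 ~ /newuser/) {
          found += 1
          if ($5 !~ /7265766f6b6564/) unrevoked++
        }
      }
      END { if (!(found) || unrevoked > 0) exit 1 }' ||
    ErrorMsg "user certs should be revoked"
}

# Check that the false-like values 0, F and false for hf.AffiliationMgr all
# take away affman's right to add, remove or modify affiliations.
function testAlternateTruthValues() {
  for v in 0 F false; do
    $FABRIC_CA_CLIENTEXEC identity modify affman --attrs "hf.AffiliationMgr=$v" $URI -H "$TESTDIR/admin" ||
      ErrorMsg "Failed to update affman"
    # NOTE(review): locale1 was already removed by testTreePruningSuccessCases,
    # so these checks assume the server reports the authorization failure
    # rather than a not-found error -- confirm.
    $FABRIC_CA_CLIENTEXEC affiliation add planetX.landmass0.country1.province0.locale1.village $URI -H "$TESTDIR/affman" 2>&1 |
      grep "Authorization failure" || ErrorMsg "Should have failed Authorization"
    $FABRIC_CA_CLIENTEXEC affiliation remove --force planetX.landmass0.country1.province0.locale1 $URI -H "$TESTDIR/affman" 2>&1 |
      grep "Authorization failure" || ErrorMsg "Should have failed Authorization"
    $FABRIC_CA_CLIENTEXEC affiliation modify planetX.landmass0.country1.province0.locale1 \
      --name planet3 --force $URI -H "$TESTDIR/affman" 2>&1 |
      grep "Authorization failure" || ErrorMsg "Should have failed Authorization"
  done
}

# Check the error reported for an existing affiliation on add, and for a
# missing one on modify and list.
function testNonExistant() {
  # Attempt to add an affiliation that already exists
  $FABRIC_CA_CLIENTEXEC affiliation add org1 $URI -H "$TESTDIR/admin/" -d 2>&1 |
    grep 'Affiliation already exists' ||
    ErrorMsg "should not be able to add 'org1'"
  # Attempt to modify an affiliation that doesn't exist
  $FABRIC_CA_CLIENTEXEC affiliation modify plan9 --name castleBravo $URI -H "$TESTDIR/admin/" -d 2>&1 |
    grep '404 Not Found' ||
    ErrorMsg "should not be able to modify 'plan9'"
  # Attempt to list an affiliation that doesn't exist
  $FABRIC_CA_CLIENTEXEC affiliation list --affiliation plan9 $URI -H "$TESTDIR/admin/" -d 2>&1 |
    grep 'Failed to get affiliation' ||
    ErrorMsg "should not be able to list 'plan9'"
}

export -f register

### Start Test ###
export CA_CFG_PATH="$TESTDIR"
"$SCRIPTDIR/fabric-ca_setup.sh" -D -R -x "$TESTDIR"
mkdir -p "$TESTDIR"
setTLS
URI="-u ${PROTO}@$CA_HOST_ADDRESS:$PROXY_PORT $TLSOPT"

# The steps run in this order on purpose: later steps rely on the identities,
# renames and dbEntries count left behind by earlier ones.
echo -e "\n\n\n =============> Setting up Server"
setupServerEnv
echo -e "\n\n\n =============> testAffiliationRefs"
testAffiliationRefs
echo -e "\n\n\n =============> testAllowremove"
testAllowremove
echo -e "\n\n\n =============> testAffiliationMgr"
testAffiliationMgr
echo -e "\n\n\n =============> testTreePruningFailCases"
testTreePruningFailCases
echo -e "\n\n\n =============> testTreePruningSuccessCases"
testTreePruningSuccessCases
echo -e "\n\n\n =============> testCertRevocation"
testCertRevocation
echo -e "\n\n\n =============> testAlternateTruthValues"
testAlternateTruthValues
echo -e "\n\n\n =============> testNonExistant"
testNonExistant

"$SCRIPTDIR/fabric-ca_setup.sh" -D -R -x "$TESTDIR"
CleanUp "$RC"
exit "$RC"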