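#!/bin/bash
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# Shared environment for the fabric-ca FVT scripts. This file is meant to be
# sourced, so it must not call set -e / exit; every value is exported so the
# child tools (ldap*, psql, fabric-ca-client, ...) see it.
#
# $GOPATH, $LDAPUSER and $LDAPPASWD are expected to be set by the caller
# before sourcing: LDAPAUTH is expanded once here, not at ldap* call time.
export FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
export FABRIC_CA_CLIENTEXEC="/usr/local/bin/fabric-ca-client"
export FABRIC_CA_SERVEREXEC="/usr/local/bin/fabric-ca-server"
export TESTDATA="$FABRIC_CA/testdata"
export SCRIPTDIR="$FABRIC_CA/scripts/fvt"
export MYSQL_PORT="3306"
export LDAP_PORT="389"
export LDAP_PROTO="ldap://"
export LDAP_TLS_PROTO="ldaps://"
export POSTGRES_PORT="5432"
# Fixture-only credential for the throwaway test database; psql reads it from
# the environment so it never appears on a command line.
export PGPASSWORD='postgres'
export MSP_KEY_DIR='msp/keystore'
export MSP_CERT_DIR='msp/signcerts'
export FABRIC_CA_DATA="/etc/hyperledger/fabric-ca"
export TLS_ROOTCERT="$FABRIC_CA_DATA/FabricTlsPkiBundle.pem"
export TLS_SUBCACERT="$FABRIC_CA_DATA/FabricTlsSubCa-cert.pem"
export TLS_RACERT="$FABRIC_CA_DATA/FabricTlsRa-cert.pem"
export TLS_SERVERCERT="$FABRIC_CA_DATA/FabricTlsServerEEcert.pem"
export TLS_SERVERKEY="$FABRIC_CA_DATA/FabricTlsServerEEkey.pem"
export TLS_CLIENTCERT="$FABRIC_CA_DATA/FabricTlsClientEEcert.pem"
export TLS_CLIENTKEY="$FABRIC_CA_DATA/FabricTlsClientEEkey.pem"
export CA_HOST_ADDRESS="localhost"
export PROXY_PORT="7054"
# The CA and profiling ports are derived by prefixing the proxy port
# (7054 -> 17054 / 27054).
export CA_DEFAULT_PORT="1${PROXY_PORT}"
export PROFILING_PORT="2${PROXY_PORT}"
# Poll timeouts, in seconds.
export DEFAULT_TIMEOUT="180"
export DEFAULT_CA_TIMEOUT="150"
export DEFAULT_HTTP_TIMEOUT="30"
export DEFAULT_MSG_TIMEOUT="30"
export DEFAULT_DB_TIMEOUT="30"
export INTERMEDIATE_PROXY_PORT="8054"
export INTERMEDIATE_CA_DEFAULT_PORT="1${INTERMEDIATE_PROXY_PORT}"
# The LDAP* option strings below are deliberately word-split at their call
# sites (ldapsearch $LDAPHOST $LDAPAUTH ...), so they must stay single-quoted
# option words without embedded spaces in the values.
export LDAPHOST="-h localhost"
export LDAPAUTH="-D cn=$LDAPUSER,dc=example,dc=com -w $LDAPPASWD"
export LDAPBASE="-b dc=example,dc=com"
# NOTE(review): "hyperledeger" presumably matches the fixture LDAP tree's DN;
# confirm against the directory before correcting the spelling.
export LDAPUSERBASE="-b ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com"
export DEFAULT_RUN_CONFIG_FILE_NAME="runFabricCaFvt.yaml"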
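# Command strings, expanded unquoted at use ($($DATE)) so the format argument
# is passed as a separate word.
DATE='date +%Y-%m-%d'
TIME='date +%I:%M:%S%p'

# Evaluate a true/false flag variable (FABRIC_TLS, LDAP_ENABLE, FABRIC_CA_DEBUG)
# without executing its contents as a command.
# Arguments: $1 - flag value
# Returns:   0 for "true", 1 for "false".  An empty/unset value counts as
#            true: the previous `$($FLAG)` idiom yields exit status 0 for an
#            empty substitution, and callers that care guard with -n first.
#            Any other value is reported on stderr and treated as false.
isTrue() {
  case "$1" in
    ''|true) return 0 ;;
    false) return 1 ;;
    *)
      printf 'isTrue: unexpected flag value "%s" (expected true/false)\n' "$1" >&2
      return 1
      ;;
  esac
}

# Delete comment lines and blank lines from stdin.
stripBlank() {
  grep -E -v "^ *#|^$"
}

# List one LDAP user entry.
# Arguments: $1 - uid (defaults to $LDAPUSER); remaining args are passed to
#            ldapsearch (e.g. attribute names)
listUser() {
  local user="${1:-$LDAPUSER}"
  shift
  # shellcheck disable=SC2086 -- $LDAPHOST/$LDAPAUTH/$LDAPUSERBASE are option strings
  ldapsearch $LDAPHOST $LDAPAUTH $LDAPUSERBASE -s sub "(uid=$user)" "$@" | stripBlank
}

# List the DNs of all users under $LDAPUSERBASE.
listUsers() {
  # shellcheck disable=SC2086
  ldapsearch $LDAPHOST $LDAPAUTH $LDAPUSERBASE dn | stripBlank
}

# List group DNs, or the members of one group.
# Arguments: $1 - group cn; when empty, every posixGroup/groupOfNames is listed
listGroups() {
  local group="$1"
  # shellcheck disable=SC2086
  if [[ -z "$group" ]]; then
    ldapsearch $LDAPHOST $LDAPAUTH $LDAPBASE \
      -s sub "(|(objectclass=posixGroup) (objectclass=groupOfNames))" dn | stripBlank
  else
    ldapsearch $LDAPHOST $LDAPAUTH $LDAPBASE \
      -s sub "(memberOf=cn=$group,ou=groups,dc=example,dc=com)" dn | stripBlank
  fi
}

# Replace one attribute on an LDAP entry.
# Arguments: $1 - entry DN, $2 - attribute name, $3 - new value
# Returns:   1 on a usage error, otherwise ldapmodify's status
changeAttr() {
  if [[ $# -ne 3 ]]; then
    echo "Usage: changeAttr <entry> <attr> <value>" >&2
    return 1
  fi
  local entry="$1"
  local attr="$2"
  local val="$3"
  # shellcheck disable=SC2086
  ldapmodify $LDAPHOST $LDAPAUTH <<EOF
dn: $entry
changetype: modify
replace: $attr
$attr: $val
EOF
}

# Delete a user entry from the fixture LDAP tree.
# Arguments: $1 - uid
# Returns:   1 on a usage error, otherwise ldapdelete's status
delUser() {
  if [[ $# -ne 1 ]]; then
    echo "Usage: delUser <userName>" >&2
    return 1
  fi
  local user="$1"
  # $LDAPPORT is not defined in this file; fall back to the exported
  # $LDAP_PORT so -p is never left without an argument.
  # shellcheck disable=SC2086
  ldapdelete $LDAPHOST -p "${LDAPPORT:-$LDAP_PORT}" $LDAPAUTH \
    "uid=$user,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com"
}

# Add the equivalent of a top-level fabric-ca administrator to LDAP.
# Arguments: $1 - uid
# Globals:   $userpw is read from the environment for the userPassword value
# Returns:   1 on a usage error, otherwise ldapadd's status
addUser() {
  if [[ $# -ne 1 ]]; then
    echo "Usage: addUser <userName>" >&2
    return 1
  fi
  local user="$1"
  local uidN
  # Get the next sequential UID (highest existing uidNumber; empty -> 0)
  # shellcheck disable=SC2086
  uidN=$(ldapsearch $LDAPHOST -p "${LDAPPORT:-$LDAP_PORT}" $LDAPAUTH $LDAPUSERBASE |
    awk '/uidNumber:/ {print $2}' | sort -n | tail -n1)
  ldapadd -h localhost -p "${LDAPPORT:-$LDAP_PORT}" \
    -D "cn=$LDAPUSER,dc=example,dc=com" -w "$LDAPPASWD" <<EOF
# User account
dn: uid=$user,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: $user
cn: $user
sn: Hyperledeger
givenName: $user
o: Hyperledger
ou: Fabric
st: North Carolina
uidNumber: $((uidN+1))
gidNumber: $((uidN+1))
mail: $user@hyperledeger.example.com
loginShell: /bin/bash
homeDirectory: /home/$user
userPassword: $userpw
EOF
}

# Print "TIMESTAMP--<date> <time>".
TimeStamp() {
  # shellcheck disable=SC2086 -- $DATE/$TIME hold a command plus its argument
  printf "TIMESTAMP--%s %s\n" "$($DATE)" "$($TIME)"
}

# Lower-case $1 on stdout.
tolower() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# Run one SQL statement against the local postgres as user "postgres".
# Arguments: $1 - SQL text, $2 - a single extra psql option word (may be empty)
# Returns:   psql's status; 1 if /tmp cannot be entered
runPSQL() {
  local cmd="$1"
  local opts="$2"
  # Run from /tmp so psql is not affected by the caller's cwd; the subshell
  # restores the caller's directory automatically.
  (
    cd /tmp || exit 1
    /usr/bin/psql "$opts" -U postgres -h localhost -c "$cmd"
  )
}

# Derive PROTO, TLSOPT, INTTLSOPT, LDAP_PROTO and LDAP_PORT from $FABRIC_TLS.
# Globals written: PROTO, TLSOPT (always); LDAP_PROTO, LDAP_PORT, INTTLSOPT
#                  (only when TLS is on)
setTLS() {
  PROTO="http://"
  TLSOPT=""
  # if not set, default to OFF
  if [[ -n "$FABRIC_TLS" ]] && isTrue "$FABRIC_TLS"; then
    PROTO="https://"
    LDAP_PROTO="ldaps://"
    LDAP_PORT=636
    TLSOPT="--tls.certfiles $TLS_ROOTCERT"
    INTTLSOPT="--intermediate.tls.certfiles $TLS_ROOTCERT"
  fi
}

# Print a highlighted error message and bump an error counter.
# Arguments: $1 - message, $2 - name of the counter variable (default RC)
# Outputs:   the message on stdout (kept there so existing log greps still match)
ErrorMsg() {
  local msg="$1"
  local rc="${2:-RC}"
  printf '\033[31m ****** ERROR ****** %s \033[0m\n' "$msg"
  # increment the variable named by $rc; an unset counter starts at 0
  printf -v "$rc" '%d' "$(( ${!rc:-0} + 1 ))"
}

# Tear the server down, report the error and exit with the counter's value.
# Arguments: $1 - message, $2 - name of the counter variable (default RC)
ErrorExit() {
  local msg="$1"
  local rc="${2:-RC}"
  "$SCRIPTDIR/fabric-ca_setup.sh" -R -x "$CA_CFG_PATH"
  ErrorMsg "$msg" "$rc"
  CleanUp "${!rc}"
  exit "${!rc}"
}

# Test whether something is listening on host:port.
# netcat would be far simpler (nc -nzvt host port) but is not guaranteed to
# be installed, so python is used instead.
# Arguments: $1 - host, $2 - port
# Returns:   0 when the TCP connect succeeds, 1 when either argument is empty,
#            otherwise the connect_ex errno
isReachable() {
  local host="$1"
  local port="$2"
  [[ -n "$host" && -n "$port" ]] || return 1

  # host/port go in via argv rather than being spliced into the source text
  python - "$host" "$port" <<END
import socket
import sys
import os
remoteServer = sys.argv[1]
port = int(sys.argv[2])
remoteServerIP = socket.gethostbyname(remoteServer)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((remoteServerIP, port))
sock.close()
os._exit(result)
END
}

# Poll host:port until it answers (action "start") or stops answering
# (action "stop"), or until the timeout elapses.
# Arguments: $1 - app name (for the progress line), $2 - host, $3 - port,
#            $4 - timeout in seconds (default $DEFAULT_TIMEOUT),
#            $5 - "start" or "stop" (default "start")
# Returns:   0 once the wanted state is seen, non-zero on timeout
pollServer() {
  local app="$1"
  local host="$2"
  local port="$3"
  local timeout="${4:-$DEFAULT_TIMEOUT}"
  local action="${5:-start}"
  local rc=1
  local starttime
  starttime=$(date +%s)

  # continue to poll host:port until we either get a response, or reach timeout
  while (( $(date +%s) - starttime < timeout )) && [[ "$rc" -ne 0 ]]; do
    printf "\r%s%03d" "Waiting for $app to $action on $host:$port... " "$(( $(date +%s) - starttime ))"
    isReachable "$host" "$port"
    rc=$?
    # invert the normal sense of 'success' for stop
    if [[ "$action" == "stop" ]]; then
      if [[ "$rc" -ne 0 ]]; then rc=0; else rc=1; fi
    fi
    [[ "$rc" -eq 0 ]] && break
    sleep .1
  done
  return "$rc"
}

# Poll a log file until a regex appears in it or the timeout elapses.
# Arguments: $1 - extended regex, $2 - log path,
#            $3 - timeout in seconds (default $DEFAULT_MSG_TIMEOUT)
# Outputs:   the matching line(s) on stdout
# Returns:   0 on match, 1 on timeout
pollLogForMsg() {
  local msg="$1"
  local log="$2"
  local timeout="${3:-$DEFAULT_MSG_TIMEOUT}"
  local rc=1
  local starttime
  starttime=$(date +%s)

  # continue to poll until we find $msg in $log, or reach timeout
  while (( $(date +%s) - starttime < timeout )) && [[ "$rc" -ne 0 ]]; do
    grep -E "$msg" "$log"
    rc=$?
    [[ "$rc" -eq 0 ]] && break
    sleep .1
  done
  return "$rc"
}

# pollServer with fabric-ca-server defaults.
# Arguments: $1 - app, $2 - host, $3 - port, $4 - action, $5 - timeout
pollFabricCa() {
  local app="${1:-$FABRIC_CA_SERVEREXEC}"
  local host="${2:-$CA_HOST_ADDRESS}"
  local port="${3:-$PROXY_PORT}"
  local action="${4:-start}"
  local timeout="${5:-$DEFAULT_CA_TIMEOUT}"

  pollServer "$app" "$host" "$port" "$timeout" "$action"
}

# pollServer with the SimpleHTTPServer defaults (localhost:3755).
# Arguments: $1 - app, $2 - host, $3 - port, $4 - action, $5 - timeout
pollSimpleHttp() {
  local app="${1:-python}"
  local host="${2:-localhost}"
  local port="${3:-3755}"
  local action="${4:-start}"
  local timeout="${5:-$DEFAULT_HTTP_TIMEOUT}"

  pollServer "$app" "$host" "$port" "$timeout" "$action"
}

# pollServer with the mysqld defaults.
# Arguments: $1 - app, $2 - host, $3 - port, $4 - action, $5 - timeout
pollMySql() {
  local app="${1:-/usr/sbin/mysqld}"
  local host="${2:-localhost}"
  local port="${3:-$MYSQL_PORT}"
  local action="${4:-start}"
  local timeout="${5:-$DEFAULT_DB_TIMEOUT}"

  pollServer "$app" "$host" "$port" "$timeout" "$action"
}

# pollServer with the postgres defaults.
# Arguments: $1 - app, $2 - host, $3 - port, $4 - action, $5 - timeout
pollPostgres() {
  local app="${1:-postgres -D /usr/local/pgsql/data}"
  local host="${2:-localhost}"
  local port="${3:-$POSTGRES_PORT}"
  local action="${4:-start}"
  local timeout="${5:-$DEFAULT_DB_TIMEOUT}"

  pollServer "$app" "$host" "$port" "$timeout" "$action"
}

# Print the end-of-test summary.
# Arguments: $1 - overall return code (default 0)
# Globals:   reads TESTCASE and STARTIME (sic - the name callers set);
#            writes RESULT and RUNTIME_S, left global for callers that read them
CleanUp() {
  local RC="${1:-0}"
  ###############################################################################
  # Summary
  ###############################################################################
  echo ""
  echo "#########################################################################"
  printf 'RC: %s, %s ' "$RC" "$TESTCASE"

  if [[ "$RC" -eq 0 ]]; then
    RESULT="PASSED"
  else
    RESULT="FAILED"
  fi

  printf "%s\n" "$RESULT"
  RUNTIME_S="$((SECONDS-STARTIME))"
  echo "$((RUNTIME_S/60)) minutes, $((RUNTIME_S%60)) seconds runtime"
  printf '%s %s ENDED\n' "$(TimeStamp)" "$TESTCASE"
  echo "#########################################################################"

  TimeStamp
  printf "%s test ended.\n" "$TESTCASE"
}

# Validate, via the haproxy stats page, that backend <server_name> got at
# least <num_requests> requests with a minimum of <percent> responses of
# HTTP status <code>.
# Arguments: $1 - haproxy stats address (default localhost:10888),
#            $2 - server name (default server1), $3 - request count (default 1),
#            $4 - percent (default 100), $5 - status label (default "HTTP 2xx"),
#            $6 - test(1) comparison operator without the dash (default eq)
# Returns:   number of failed comparisons (0..2)
verifyServerTraffic() {
  local haproxy_addr="${1:-localhost:10888}"
  local server_name="${2:-server1}"
  local num_requests="${3:-1}"
  local percent="${4:-100}"
  local code="${5:-HTTP 2xx}"
  local op="${6:-eq}"
  local rc=0
  local result

  # default: server got at least one request, all received requests were
  # successfully served
  result=$(curl -s "http://${haproxy_addr}/" |
    awk -v s="$server_name\"" '$0~s' | html2text |
    awk -v c="$code" '
      /Cum. sessions:/ {sessions=$NF}
      $0~c {gsub(/[(%)]/,"",$NF);status=$NF}
      END {print sessions" "status}')
  # "-$op" is passed to test as its operator word; no eval needed
  test "${result%% *}" "-$op" "$num_requests" 2>/dev/null; rc=$((rc+$?))
  test "${result##* }" "-$op" "$percent" 2>/dev/null; rc=$((rc+$?))
  return "$rc"
}

# Dump a client certificate and its private key in text form.
# Arguments: $1 - certificate PEM path, $2 - key PEM path
# Returns:   1 when not given exactly two arguments
printAuth() {
  [[ "$#" -eq 2 ]] || return 1
  local clientcert="$1"
  local clientkey="$2"
  local keytype

  echo CERT:
  openssl x509 -in "$clientcert" -text 2>&1 | sed 's/^/ /'
  # the second word of the PEM header ("EC"/"RSA"/"PRIVATE") selects the
  # openssl subcommand; a bare "PRIVATE KEY" header is treated as EC
  keytype=$(head -n1 -- "$clientkey" | awk '{print tolower($2)}')
  [[ "$keytype" == "private" ]] && keytype=ec
  echo KEY:
  openssl "$keytype" -in "$clientkey" -text 2>/dev/null | sed 's/^/ /'
}

# Start python's SimpleHTTPServer serving $rootdir in the background.
# Arguments: $1 - port, $2 - directory to serve
# Globals:   writes HTTP_PID.  Note the cd happens in the caller's shell
#            (no subshell) so that $! of the background job stays visible.
# Returns:   1 when $rootdir cannot be entered, otherwise pollSimpleHttp's status
startHttp() {
  local port="$1"
  local rootdir="$2"
  cd "$rootdir" || return 1
  python -m SimpleHTTPServer "$port" &
  HTTP_PID=$!
  # poll the port actually started (an empty port falls back to the 3755 default)
  pollSimpleHttp "" "" "$port"
}

# Check that a certificate and a private key belong together.
# Arguments: $1 - cert PEM, $2 - key PEM, $3 - key algorithm (default rsa)
# Returns:   0 when the key material matches, 1 otherwise
keyCheck() {
  local cert="$1"
  local key="$2"
  local alg="${3:-rsa}"
  local k_hash c_hash
  [[ -f "$cert" && -f "$key" ]] || return 1

  # check to see that the public/private key pair match; md5 is only used
  # here as a short fingerprint for string comparison, not for security
  case "$alg" in
    rsa|dsa)
      k_hash=$(openssl "$alg" -noout -modulus -in "$key" 2>&1 | awk -F'=' '/=/ {print $2}' | openssl md5 | awk '{print $NF}')
      c_hash=$(openssl x509 -noout -modulus -in "$cert" 2>&1 | awk -F'=' '/=/ {print $2}' | openssl md5 | awk '{print $NF}')
      ;;
    *)
      k_hash=$(openssl "$alg" -pubout -in "$key" 2>/dev/null | openssl md5 | awk '{print $NF}')
      c_hash=$(openssl x509 -noout -pubkey -in "$cert" | openssl md5 | awk '{print $NF}')
      ;;
  esac

  [[ -n "$k_hash" && -n "$c_hash" ]] || return 1
  [[ "$k_hash" == "$c_hash" ]] || return 1

  return 0
}

# Enroll an identity with the CA.
# Arguments: $1 - username (default admin), $2 - password (default adminpw),
#            $3 - optional --enrollment.attrs value
# Globals:   writes ENROLLCONFIG; exports FABRIC_CA_CLIENT_HOME and
#            FABRIC_CA_ENROLLMENT_DIR for the duration of the call
# Outputs:   cert to <dir>/$MSP_CERT_DIR/cert.pem, key to <dir>/$MSP_KEY_DIR/key.pem
# Returns:   fabric-ca-client's status
enroll() {
  local username="${1:-admin}"
  local userpswd="${2:-adminpw}"
  # local so an attrs argument from a previous call cannot leak into this one
  local ATTRS=""
  if [[ $# -gt 2 ]]; then
    ATTRS="--enrollment.attrs $3"
  fi
  local FABRIC_CA_ENROLLMENT_DIR="$CA_CFG_PATH/$username"
  local FABRIC_CA_CERT_FILE="$FABRIC_CA_ENROLLMENT_DIR/$MSP_CERT_DIR/cert.pem"
  local FABRIC_CA_KEY_FILE="$FABRIC_CA_ENROLLMENT_DIR/$MSP_KEY_DIR/key.pem"
  local FABRIC_CA_CLIENT_HOME="$FABRIC_CA_ENROLLMENT_DIR"
  local RC=0
  export FABRIC_CA_CLIENT_HOME
  export FABRIC_CA_ENROLLMENT_DIR

  [[ -d "$FABRIC_CA_ENROLLMENT_DIR" ]] || mkdir -p "$FABRIC_CA_ENROLLMENT_DIR"
  ENROLLCONFIG="$FABRIC_CA_ENROLLMENT_DIR/enroll.yaml"

  # Determines the PROTO and TLSOPT values based on FABRIC_TLS setting
  setTLS
  # The test password travels in the URL on argv (visible in ps); acceptable
  # only because these are fixture identities.
  # shellcheck disable=SC2086 -- $TLSOPT and $ATTRS are option strings
  "$FABRIC_CA_CLIENTEXEC" enroll -u "${PROTO}${username}:${userpswd}@${CA_HOST_ADDRESS}:$PROXY_PORT" $TLSOPT \
    -c "$ENROLLCONFIG" $ATTRS \
    --csr.hosts "$username@fab-client.raleigh.ibm.com" \
    --csr.hosts "$username.fabric.raleigh.ibm.com,127.0.0.2"
  RC=$?
  if [[ -n "$FABRIC_CA_DEBUG" && "$RC" -eq 0 ]] && isTrue "$FABRIC_CA_DEBUG"; then
    printAuth "$FABRIC_CA_CERT_FILE" "$FABRIC_CA_KEY_FILE"
  fi
  return "$RC"
}

# Re-enroll an already enrolled identity.
# Arguments: $1 - username (default admin)
# Globals:   writes ENROLLCONFIG, and KEYTYPE/KEYLEN defaults when unset;
#            reads $driver from the caller's scope for fabric-ca_setup.sh -L
# Returns:   fabric-ca-client's status
reenroll() {
  local USERNAME="${1:-admin}"
  local FABRIC_CA_ENROLLMENT_DIR="$CA_CFG_PATH/$USERNAME"
  local FABRIC_CA_CLIENT_HOME="$FABRIC_CA_ENROLLMENT_DIR"
  local FABRIC_CA_CERT_FILE="$FABRIC_CA_CLIENT_HOME/$MSP_CERT_DIR/cert.pem"
  local FABRIC_CA_KEY_FILE="$FABRIC_CA_CLIENT_HOME/$MSP_KEY_DIR/key.pem"
  local RC=0
  export FABRIC_CA_CLIENT_HOME
  export FABRIC_CA_ENROLLMENT_DIR

  [[ -d "$FABRIC_CA_CLIENT_HOME" ]] || mkdir -p "$FABRIC_CA_CLIENT_HOME"
  ENROLLCONFIG="$FABRIC_CA_CLIENT_HOME/enroll.yaml"

  # defaults only when unset (not when empty), consumed by genRunconfig's csr section
  : "${KEYTYPE=ecdsa}"
  : "${KEYLEN=256}"
  setTLS
  # shellcheck disable=SC2086
  "$FABRIC_CA_CLIENTEXEC" reenroll -u "${PROTO}${CA_HOST_ADDRESS}:$PROXY_PORT" $TLSOPT -c "$ENROLLCONFIG"
  RC=$?
  isTrue "$FABRIC_CA_DEBUG" && printAuth "$FABRIC_CA_CERT_FILE" "$FABRIC_CA_KEY_FILE"
  "$SCRIPTDIR/fabric-ca_setup.sh" -L -d "$driver"
  return "$RC"
}

# Register a new identity through a registrar.
# Arguments: $1 - registrar (default admin), $2 - new id name (default testuser),
#            $3 - id type (default client), $4 - affiliation (default bank_a;
#            the literal "[]" means none), $5 - id attrs (default test=testValue),
#            $6 - enrollment dir (default $CA_CFG_PATH/<registrar>)
# Globals:   sets FABRIC_CA_CLIENT_HOME when unset; exports FABRIC_CA_ENROLLMENT_DIR
# Returns:   fabric-ca-client's status
register() {
  local REGISTRAR="${1:-admin}"
  local USERNAME="${2:-testuser}"
  local USERTYPE="${3:-client}"
  local USERGRP="${4:-bank_a}"
  local USERGRP_OPT
  if [[ "$USERGRP" == '[]' ]]; then
    USERGRP_OPT=""
  else
    USERGRP_OPT="--id.affiliation $USERGRP"
  fi
  local USERATTR="${5:-test=testValue}"
  local FABRIC_CA_ENROLLMENT_DIR="${6:-$CA_CFG_PATH/$REGISTRAR}"

  : "${FABRIC_CA_CLIENT_HOME:=$CA_CFG_PATH/$REGISTRAR}"

  export FABRIC_CA_ENROLLMENT_DIR
  setTLS
  # shellcheck disable=SC2086 -- $TLSOPT and $USERGRP_OPT are option strings
  "$FABRIC_CA_CLIENTEXEC" register -d -u "$PROTO${CA_HOST_ADDRESS}:$PROXY_PORT" $TLSOPT \
    --id.name "$USERNAME" \
    --id.type "$USERTYPE" \
    --id.maxenrollments 1 \
    $USERGRP_OPT \
    --id.attrs "$USERATTR" \
    -c "$FABRIC_CA_CLIENT_HOME/fabric-ca-client-config.yaml"
}

# Write a fabric-ca-server run configuration.
# Arguments: $1 - output path, $2 - db driver, $3 - datasource,
#            $4 - server cert, $5 - server key, $6 - max enrollments,
#            $7 - "json" or "yaml" (default yaml)
# Globals:   reads TLS_ON, LDAP_ENABLE, LDAP_ERROR, KEYTYPE, KEYLEN, CACOUNT
#            and the TLS_* paths; sets FABRIC_TLS/FABRIC_CA_DEBUG defaults
# Returns:   1 when no output path is given, otherwise cat's status
genRunconfig() {
  local runconfig="$1"
  local driver="$2"
  local datasrc="$3"
  local serverCert="$4"
  local serverKey="$5"
  local maxEnroll="$6"
  local version="$7"
  : "${FABRIC_TLS:=false}"
  : "${FABRIC_CA_DEBUG:=false}"
  local registry=""
  local converters=""
  if [[ -z "$runconfig" ]]; then
    echo "Usage: genRunconfig <file> <driver> <datasrc> <cert> <key> <maxEnroll> [json|yaml]" >&2
    return 1
  fi
  setTLS

  # The fixture identities below carry well-known test passwords by design.
  case ${version:-yaml} in
    json)
      if ! isTrue "$LDAP_ENABLE"; then registry="
  \"registry\": {
    \"maxEnrollments\": \"$maxEnroll\",
    \"identities\": [
      {
        \"name\": \"admin\",
        \"pass\": \"adminpw\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": {
          \"hf.Registrar.Roles\": \"client,user,peer,validator,auditor,ca\",
          \"hf.Registrar.DelegateRoles\": \"client,user,validator,auditor\",
          \"hf.Revoker\": true,
          \"hf.GenCRL\": true
        }
      },
      {
        \"name\": \"admin2\",
        \"pass\": \"adminpw2\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": {
          \"hf.Registrar.Roles\": \"client,user,peer,validator,auditor,ca\",
          \"hf.Registrar.DelegateRoles\": \"client,user,validator,auditor\",
          \"hf.Revoker\": true,
          \"hf.GenCRL\": true
        }
      },
      {
        \"name\": \"revoker\",
        \"pass\": \"revokerpw\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": {
          \"hf.Revoker\": true
        }
      },
      {
        \"name\": \"revoker2\",
        \"pass\": \"revokerpw2\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": {
          \"hf.Revoker\": true
        }
      },
      {
        \"name\": \"nonrevoker\",
        \"pass\": \"nonrevokerpw\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\"
      },
      {
        \"name\": \"nonrevoker2\",
        \"pass\": \"nonrevokerpw2\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\"
      },
      {
        \"name\": \"notadmin\",
        \"pass\": \"pass\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": {
          \"hf.Registrar.Roles\": \"client,user,peer,validator,auditor,ca\",
          \"hf.Registrar.DelegateRoles\": \"client\"
        }
      },
      {
        \"name\": \"expiryUser\",
        \"pass\": \"expirypw\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\"
      },
      {
        \"name\": \"testUser\",
        \"pass\": \"user1\",
        \"type\": \"client\",
        \"affiliation\": \"bank_b\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": []
      },
      {
        \"name\": \"testUser2\",
        \"pass\": \"user2\",
        \"type\": \"client\",
        \"affiliation\": \"bank_c\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": []
      },
      {
        \"name\": \"testUser3\",
        \"pass\": \"user3\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": []
      }
    ]
  },
"
      fi
      # NOTE(review): the unquoted \$TLS_RACERT/\$TLS_SUBCACERT entries in
      # "certfiles" are kept as the original wrote them; the resulting file is
      # not strict JSON, so confirm how the consumer parses it before relying on it.
      cat > "$runconfig" <<EOF
{
  "address": "$CA_HOST_ADDRESS",
  "port": $CA_DEFAULT_PORT,
  "debug": "$FABRIC_CA_DEBUG",
  "db": {
    "type": "$driver",
    "datasource": "$datasrc",
    "tls": {
      "enabled": "$TLS_ON",
      "certfiles": [ "$TLS_ROOTCERT", $TLS_RACERT, $TLS_SUBCACERT ],
      "client": {
        "certfile": "$TLS_CLIENTCERT",
        "keyfile": "$TLS_CLIENTKEY"
      }
    }
  },
  "tls": {
    "enabled": "$TLS_ON",
    "certfile": "$TLS_SERVERCERT",
    "keyfile": "$TLS_SERVERKEY"
  },
  "ca": {
    "certfile": "$serverCert",
    "keyfile": "$serverKey"
  },
$registry
  "ldap": {
    "enabled": $LDAP_ENABLE,
    "url": "${LDAP_PROTO}CN=admin,dc=example,dc=com:adminpw@localhost:$LDAP_PORT/dc=example,dc=com",
    "tls": {
      "certfiles": [ "$TLS_ROOTCERT", $TLS_RACERT, $TLS_SUBCACERT ],
      "client": {
        "certfile": "$TLS_CLIENTCERT",
        "keyfile": "$TLS_CLIENTKEY"
      }
    }
  },
  "affiliations": {
    "bank_a": [
      "department1"
    ],
    "bank_b": [
      "department1"
    ],
    "bank_c": [
      "department1"
    ],
    "org1": [
      "department1",
      "department2"
    ],
    "org2": [
      "department1",
      "department2"
    ],
    "org3": [
      "department1",
      "department2"
    ]
  },
  "signing": {
    "profiles": null,
    "default": {
      "usage": [
        "cert sign",
        "crl sign",
        "digital signature",
        "key encipherment",
        "timestamping"
      ],
      "expiry": "8000h",
      "crlurl": "http://localhost:3755/TestCRL.crl",
      "caconstraint": {
        "isca": true,
        "maxpathlen": 1,
        "ocspnocheck": true,
        "notbefore": "2016-12-30T00:00:00.000Z"
      }
    }
  },
  "csr": {
    "cn": "fabric-ca-server",
    "names": [
      {
        "C": "US",
        "ST": "North Carolina",
        "L": null,
        "O": "Hyperledger",
        "OU": "Fabric"
      }
    ],
    "hosts": [
      "fabricCa.hyperledger.example.com"
    ],
    "ca": {
      "pathlen": null,
      "pathlenzero": null,
      "expiry": null
    }
  },
  "crypto": {
    "software": {
      "hash_family": "SHA2",
      "security_level": 256,
      "ephemeral": false,
      "key_store_dir": "keys"
    }
  }
}
EOF
      ;;
    yaml)
      if ! isTrue "$LDAP_ENABLE"; then registry="
registry:
  maxEnrollments: $maxEnroll
  identities:
$(for i in {1..16}; do
echo "    - name: intermediateCa$i
      pass: intermediateCa${i}pw
      type: client
      affiliation: \"\"
      maxenrollments: $maxEnroll
      attrs:
        hf.Registrar.Roles: \"client,user,peer,validator,auditor\"
        hf.Registrar.DelegateRoles: \"client,user,validator,auditor\"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.AffiliationMgr: true"
done)
    - name: admin
      pass: adminpw
      type: client
      affiliation:
      maxEnrollments: $maxEnroll
      attrs:
        hf.Registrar.Roles: \"client,user,peer,validator,auditor,ca\"
        hf.Registrar.DelegateRoles: \"client,user,validator,auditor\"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.Registrar.Attributes: \"*\"
        hf.GenCRL: true
        hf.AffiliationMgr: true
    - name: admin2
      pass: adminpw2
      type: client
      affiliation:
      maxEnrollments: $maxEnroll
      attrs:
        hf.Registrar.Roles: \"client,user,peer,validator,auditor,ca\"
        hf.Registrar.DelegateRoles: \"client,user,validator,auditor\"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.Registrar.Attributes: \"*\"
        hf.GenCRL: true
    - name: revoker
      pass: revokerpw
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
      attrs:
        hf.Revoker: true
    - name: revoker2
      pass: revokerpw2
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
      attrs:
        hf.Revoker: true
    - name: nonrevoker
      pass: nonrevokerpw
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
    - name: nonrevoker2
      pass: nonrevokerpw2
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
    - name: notadmin
      pass: pass
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
      attrs:
        hf.Registrar.Roles: \"client,user,peer,validator,auditor,ca\"
        hf.Registrar.DelegateRoles: \"client\"
    - name: expiryUser
      pass: expirypw
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
    - name: testUser
      pass: user1
      type: client
      affiliation: bank_b
      maxEnrollments: $maxEnroll
      attrs: []
    - name: testUser2
      pass: user2
      type: client
      affiliation: bank_c
      maxEnrollments: $maxEnroll
      attrs: []
    - name: testUser3
      pass: user3
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
      attrs: []"
      fi

      converters='
    converters:
      - name: hf.GenCRL
        value: attr("memberOf") =~ "cn=Gencrl,ou=groups,dc=example,dc=com" || attr("memberOf") =~ "cn=pkiAdmin,ou=groups,dc=example,dc=com"
      - name: hf.Revoker
        value: attr("memberOf") =~ "cn=Revoker,ou=groups,dc=example,dc=com" || attr("memberOf") =~ "cn=pkiAdmin,ou=groups,dc=example,dc=com"
      - name: hf.IntermediateCA
        value: attr("memberOf") =~ "cn=Ca,ou=groups,dc=example,dc=com"
      - name: hf.Registrar.Roles
        value: map(attr("memberOf"),"roles")'

      # a deliberately bad converter set, for the LDAP error-path tests
      if [[ "$LDAP_ERROR" == "true" ]]; then converters='
    converters:
      - name: hf.GenCRL
        value: attr("memberOf") =~ "cn=Gencrl,ou=groups,dc=example,dc=com" || attr("memberOf") =~ "cn=pkiAdmin,ou=groups,dc=example,dc=com"
      - name: hf.Type
        value: client'
      fi

      cat > "$runconfig" <<EOF
address: $CA_HOST_ADDRESS
port: $CA_DEFAULT_PORT
debug: $FABRIC_CA_DEBUG
db:
  type: $driver
  datasource: $datasrc
  tls:
    enabled: $TLS_ON
    certfiles:
      - $TLS_ROOTCERT
    client:
      certfile: $TLS_CLIENTCERT
      keyfile: $TLS_CLIENTKEY
tls:
  enabled: $TLS_ON
  certfile: $TLS_SERVERCERT
  keyfile: $TLS_SERVERKEY
ca:
  name:
  certfile: $serverCert
  keyfile: $serverKey
$registry
ldap:
  enabled: $LDAP_ENABLE
  url: ${LDAP_PROTO}CN=admin,dc=example,dc=com:adminpw@localhost:$LDAP_PORT/dc=example,dc=com
  userfilter: "(uid=%s)"
  attribute:
    names: [
      "cn",
      "gidNumber",
      "givenName",
      "homeDirectory",
      "loginShell",
      "mail",
      "o",
      "objectClass",
      "ou",
      "sn",
      "st",
      "uid",
      "uidNumber",
      "memberOf"
    ]
$converters
    maps:
      ROLES:
        - name: cn=Client,ou=groups,dc=example,dc=com
          value: client
        - name: cn=User,ou=groups,dc=example,dc=com
          value: user
        - name: cn=Peer,ou=groups,dc=example,dc=com
          value: peer
        - name: cn=App,ou=groups,dc=example,dc=com
          value: app
        - name: cn=Auditor,ou=groups,dc=example,dc=com
          value: auditor
        - name: cn=Validator,ou=groups,dc=example,dc=com
          value: validator
        - name: cn=pkiAdmin,ou=groups,dc=example,dc=com
          value: pkiadmin
  tls:
    certfiles:
      - $TLS_ROOTCERT
    client:
      certfile: $TLS_CLIENTCERT
      keyfile: $TLS_CLIENTKEY
affiliations:
  bank_a:
    - department1
  bank_b:
    - department1
  bank_c:
    - department1
  org1:
    - department1
    - department2
  org2:
    - department1
    - department2
signing:
  default:
    usage:
      - digital signature
    expiry: 17520h
    backdate: 30s
    ocspnocheck: true
    caconstraint:
      isca: false
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
        ocspnocheck: true
    tls:
      usage:
        - server auth
        - client auth
      expiry: 8760h
      caconstraint:
        isca: false
csr:
  keyrequest:
    algo: $KEYTYPE
    size: $KEYLEN
  names:
    - C: US
      ST: "North Carolina"
      L:
      O: Hyperledger
      OU: Fabric
  hosts:
    - fabricCa.hyperledger.example.com
    - localhost
  ca:
    expiry: 131400h
    pathlength: 1
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      keystore:
cacount: $CACOUNT
cafiles:
intermediate:
  parentserver:
    url:
    caname:
  enrollment:
    hosts:
    profile:
    label:
  tls:
    certfiles:
      - $TLS_ROOTCERT
    client:
      certfile: $TLS_CLIENTCERT
      keyfile: $TLS_CLIENTKEY
EOF
      ;;
  esac
}

# Print "<user status> <cert status>" for an identity from the CA database.
# Arguments: $1 - identity id, $2 - driver (sqlite3|mysql|postgres, default
#            sqlite3), $3 - config dir (default $CA_CFG_PATH), $4 - db name
#            (default fabric_ca)
# Outputs:   one line "<user_status_code> <cert_status_code>" on stdout
testStatus() {
  local user="$1"
  local driver="${2:-sqlite3}"
  local ca_cfg_path="${3:-$CA_CFG_PATH}"
  local dbname="${4:-fabric_ca}"
  local user_status cert_status user_status_code cert_status_code
  # NOTE: $user is spliced into the SQL text; only ever pass fixture ids here,
  # this helper does not parameterise or escape the value.
  case "$driver" in
    sqlite3)
      user_status="$(sqlite3 "$ca_cfg_path/$dbname" "SELECT * FROM users WHERE (id=\"$user\");")"
      cert_status="$(sqlite3 "$ca_cfg_path/$dbname" "SELECT * FROM certificates WHERE (id=\"$user\");")"

      # row data is passed as a printf argument, never as its format string
      user_status_code="$(printf '%s' "$user_status" | awk -F'|' -v s="$user" '$1~s {print $6}')"
      cert_status_code="$(printf '%s' "$cert_status" | awk -F'|' -v s="$user" '$1~s {print $5}')"
      ;;
    mysql)
      user_status_code=$(mysql --host=localhost --user=root --password=mysql -e "SELECT * FROM users WHERE (id=\"$user\");" "$dbname" | awk -F'\t' -v u="$user" '$1==u {print $6}')
      cert_status_code=$(mysql --host=localhost --user=root --password=mysql -e "SELECT * FROM certificates WHERE (id=\"$user\") order by revoked_at;" "$dbname" | awk -F'\t' -v u="$user" '$1==u {print $5}')
      ;;
    postgres)
      user_status_code=$(/usr/bin/psql -U postgres -h localhost -c "SELECT id,state FROM users WHERE id='$user';" --dbname="$dbname" | awk -v u="$user" -F'|' '$1~u {gsub(/ /,"");print $2}')
      cert_status_code=$(/usr/bin/psql -U postgres -h localhost -c "SELECT id,encode(status,'escape') FROM certificates WHERE id='$user' order by revoked_at;" --dbname="$dbname" | awk -v u="$user" -F'|' '$1~u {gsub(/ /,"");print $2}')
      ;;
  esac
  echo "$user_status_code $cert_status_code"
}

# SIGKILL a server process and wait for its port to close.
# Arguments: $1 - pid
# Returns:   1 when no pid is given, otherwise pollFabricCa's status
killserver() {
  [[ -n "$1" ]] || return 1
  echo "killing server $1"
  kill -9 "$1"
  pollFabricCa "" "" "$CA_DEFAULT_PORT" stop 30
}

# Copy stdin to stderr and pass the lines matching regex $1 to stdout.
grepPrint() {
  tee /dev/stderr | grep -E "$1"
}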