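#!/bin/bash
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# FVT: enrollment and revocation against an LDAP-backed fabric-ca server.
#
# Checks that (1) enrolled users get the "uid" and "hf.Revoker" attributes
# mapped from LDAP into their certificate, (2) revocation and CRL generation
# are only accepted from identities whose LDAP group / hf.Revoker value
# permits them, (3) registration is refused when LDAP is the identity source,
# and (4) an invalid LDAP attribute converter makes enrollment fail.
#
# Required env: GOPATH (locates the fabric-ca checkout). The sourced
# fabric-ca_utils is expected to provide enroll, ErrorMsg, ErrorExit, CleanUp
# and FABRIC_CA_CLIENTEXEC / PROTO / CA_HOST_ADDRESS / PROXY_PORT / TLSOPT.
# NOTE(review): ErrorMsg is assumed to record the failure in RC so the run
# continues and reports at the end; that is why 'set -e' is deliberately not
# used here -- confirm against fabric-ca_utils.

: "${TESTNAME:=ldap}"
: "${GOPATH:?GOPATH must be set to locate the fabric-ca checkout}"
FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
SCRIPTDIR="$FABRIC_CA/scripts/fvt"
TESTDIR="/tmp/$TESTNAME"
# shellcheck source=/dev/null
. "$SCRIPTDIR/fabric-ca_utils"
RC=0
export CA_CFG_PATH="$TESTDIR"
export UDIR="$TESTDIR/users"

# ':?' aborts if UDIR is ever empty instead of running 'rm -rf' on nothing.
rm -rf -- "${UDIR:?}"
mkdir -p -- "$UDIR"

users1=( rootadmin admin admin2 notadmin tstadmin devadmin revoker2 revoker nonrevoker expiryUser testUser testUser2 testUser6 testUser8 )
users2=( testUser3 )

"$SCRIPTDIR/fabric-ca_setup.sh" -R
"$SCRIPTDIR/fabric-ca_setup.sh" -I -a -D -X -S -n1

#######################################
# Verify that a user's enrollment certificate carries the LDAP-mapped
# attributes: hf.Revoker ('false' for the *User*/not*/non* identities,
# 'true' otherwise) and uid equal to the user name.
# Globals:   UDIR (read)
# Arguments: $1 - user name
# Outputs:   ErrorMsg on mismatch, found/expected values on stdout
#######################################
checkUserCert() {
  local user="$1"
  local revoker attr_oid cert_file attrs expected
  case "$user" in
    *User*|not*|non*) revoker='false' ;;
    *) revoker='true' ;;
  esac
  # OID of the fabric-ca attribute extension in the X.509 certificate.
  attr_oid="1.2.3.4.5.6.7.8.1"
  cert_file="$UDIR/$user/msp/signcerts/cert.pem"
  # openssl prints the extension value on the line following the OID line.
  attrs=$(openssl x509 -noout -text -in "$cert_file" \
    | awk -v oid="$attr_oid" '$0 ~ oid {getline; print $1}')
  expected="{\"attrs\":{\"hf.Revoker\":\"$revoker\",\"uid\":\"$user\"}}"
  if [[ "$attrs" != "$expected" ]]; then
    ErrorMsg "Failed to find hf.Revoker and uid attributes in certificate for user $user"
    echo " Found: $attrs"
    echo " Expected: $expected"
  fi
}

#######################################
# Revoke a user's enrollment certificate as a given identity and check the
# outcome. With 'pass' the revoke must succeed; with 'fail' the server must
# refuse it with an authorization error.
# Globals:   UDIR, URI, TLSOPT, FABRIC_CA_CLIENTEXEC (read)
# Arguments: $1 - revoking identity
#            $2 - user whose ecert is revoked
#            $3 - expected outcome: 'pass' or 'fail'
# Outputs:   ErrorMsg when the outcome does not match the expectation
#######################################
revokeEcert() {
  local admin="$1"
  local user="$2"
  local result="$3"
  local cert_file aki sn

  cert_file="$UDIR/$user/msp/signcerts/cert.pem"
  # Authority key identifier and serial number, upper-cased and stripped of
  # colons, as the client's -a/-s options expect them.
  aki=$(openssl x509 -noout -text -in "$cert_file" \
    | awk '/keyid/ {gsub(/ *keyid:|:/,"",$1);print toupper($0)}')
  sn=$(openssl x509 -noout -serial -in "$cert_file" | awk -F'=' '{print toupper($2)}')

  case "$result" in
    pass)
      echo "User '$admin' is revoking the ecert of user cert of user '$user' ..."
      # shellcheck disable=SC2086 -- TLSOPT may expand to several options
      $FABRIC_CA_CLIENTEXEC revoke -u "$URI" -a "$aki" -s "$sn" $TLSOPT -H "$UDIR/$admin" 2>&1
      test "$?" -eq 0 || ErrorMsg "User '$admin' failed to revoke '$user'"
      ;;
    fail)
      echo "User '$admin' is attempting to revoke the ecert of user cert of user '$user' ..."
      # Caller does not have authority to act on the affiliation. Only an
      # explicit authorization error counts as success; any other outcome,
      # including a silently accepted revoke, is reported as a failure.
      # shellcheck disable=SC2086
      $FABRIC_CA_CLIENTEXEC revoke -u "$URI" -a "$aki" -s "$sn" $TLSOPT -H "$UDIR/$admin" 2>&1 \
        | grep -E "(does not have authority to (act|revoke)|Authorization failure)"
      test "$?" -eq 0 || ErrorMsg "User '$admin' not authorized to revoke '$user'"
      ;;
  esac
}

# Enroll every user and check the LDAP-mapped certificate attributes.
for u in "${users1[@]}"; do
  CA_CFG_PATH="$UDIR" enroll "$u" "${u}pw" uid,hf.Revoker
  test $? -ne 0 && ErrorExit "Failed to enroll $u"
  checkUserCert "$u"
done

# Registration must be refused when identities come from LDAP. The client
# config path is derived from UDIR rather than hard-coded under /tmp/ldap so
# an overridden TESTNAME still points at the enrolled user's config.
# shellcheck disable=SC2086
$FABRIC_CA_CLIENTEXEC register -d -u "$PROTO${CA_HOST_ADDRESS}:$PROXY_PORT" $TLSOPT \
  --id.name "testldapuser" \
  -c "$UDIR/testUser8/fabric-ca-client-config.yaml" 2>&1 \
  | grep -E "Registration is not supported when using LDAP"
test $? -ne 0 && ErrorExit "Registration while using LDAP should have failed"
# Sleep for more than the idle connection timeout limit of 1 second
sleep 3

for u in "${users2[@]}"; do
  CA_CFG_PATH="$UDIR" enroll "$u" "${u}pw" uid,hf.Revoker
  test $? -ne 0 && ErrorExit "Failed to enroll $u"
  checkUserCert "$u"
done

URI="$PROTO${CA_HOST_ADDRESS}:$PROXY_PORT"

# User 'revoker' revokes the ecert of user 'testUser'
revokeEcert revoker testUser pass
# User 'admin2' revokes the ecert of user 'expiryUser'
revokeEcert admin2 expiryUser pass
# User 'notadmin' not authorized to revoke (non hf.Revoker)
revokeEcert notadmin nonrevoker fail

# User 'rootadmin' (uid=rootadmin,dc=example,dc=com) can revoke all affiliations
for user in testUser2 testUser6 testUser8; do
  revokeEcert rootadmin "$user" pass
done
# re-enroll for next test
for u in expiryUser testUser testUser2 testUser6 testUser8; do
  CA_CFG_PATH="$UDIR" enroll "$u" "${u}pw" uid,hf.Revoker
  test $? -ne 0 && ErrorExit "Failed to enroll $u"
done

# User 'tstadmin' (uid=tstadmin,ou=tst,ou=fabric,dc=hyperledeger,dc=example,dc=com)
# can only revoke members of the 'tst' group
revokeEcert tstadmin testUser6 pass
for user in testUser2 testUser8; do
  revokeEcert tstadmin "$user" fail
done
# re-enroll for next test
for u in testUser2 testUser6 testUser8; do
  CA_CFG_PATH="$UDIR" enroll "$u" "${u}pw" uid,hf.Revoker
  test $? -ne 0 && ErrorExit "Failed to enroll $u"
done

# User 'devadmin' (uid=devadmin,ou=dev,ou=fabric,dc=hyperledeger,dc=example,dc=com)
# can only revoke members of the 'dev' group
revokeEcert devadmin testUser8 pass
for user in testUser2 testUser6; do
  revokeEcert devadmin "$user" fail
done

# User 'admin' can generate a crl
echo "User 'admin' is generating a crl ... "
# shellcheck disable=SC2086
$FABRIC_CA_CLIENTEXEC gencrl -u "$URI" -H "$UDIR/admin" $TLSOPT
test "$?" -eq 0 || ErrorMsg "User 'admin' failed to generate a crl"
# User 'notadmin' cannot generate a crl
echo "User 'notadmin' is attempting to generate a crl ... "
# shellcheck disable=SC2086
$FABRIC_CA_CLIENTEXEC gencrl -u "$URI" -H "$UDIR/notadmin" $TLSOPT 2>&1 | grep 'Authorization failure'
test "$?" -eq 0 || ErrorMsg "User 'notadmin' should not generate a crl"

# Restart the server with a broken LDAP attribute converter; enrollment must
# now be rejected rather than silently issuing a certificate.
export LDAP_ERROR=true
"$SCRIPTDIR/fabric-ca_setup.sh" -R
"$SCRIPTDIR/fabric-ca_setup.sh" -I -a -D -X -S -n1
CA_CFG_PATH="$UDIR" enroll testUser testUserpw uid,hf.Revoker 2>&1 | grep "Failed to evaluate LDAP expression"
test "$?" -eq 0 || ErrorMsg "Enroll should fail, incorrect LDAP converter specified"

CleanUp "$RC"
exit "$RC"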