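// Source: github.com/blockchain-gm/fabric-ca@v0.0.0-20200423072702-b2c40c7ac69c/lib/serverenroll_test.go

/*
Copyright IBM Corp. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package lib

import (
	"os"
	"testing"

	"github.com/hyperledger/fabric-ca/api"
	dbuser "github.com/hyperledger/fabric-ca/lib/server/user"
	"github.com/hyperledger/fabric-ca/util"
	"github.com/stretchr/testify/assert"
)

// TestStateUpdate checks that the stored state of an identity only changes on
// a successful enrollment. The state must be 1 after the first good enroll,
// and must still be 1 after a request that passes basic auth but carries a
// CSR the server cannot decode.
func TestStateUpdate(t *testing.T) {
	cleanTestSlateSE(t)
	defer cleanTestSlateSE(t)

	srv := TestGetRootServer(t)

	// Setup steps use util.FatalError, as TestPasswordLimit does, so a failed
	// precondition stops the test here instead of surfacing later as a nil
	// dereference (presumably FatalError aborts the test; confirm in util).
	err := srv.Start()
	util.FatalError(t, err, "Failed to start server")
	// Deferred so the server is stopped even if the test aborts early. Defers
	// run last-in-first-out, so this runs before the cleanTestSlateSE above.
	defer func() {
		assert.NoError(t, srv.Stop(), "Failed to stop server")
	}()

	client := getTestClient(rootPort)
	_, err = client.Enroll(&api.EnrollmentRequest{
		Name:   "admin",
		Secret: "adminpw",
	})
	util.FatalError(t, err, "Failed to enroll 'admin' user")

	registry := srv.CA.DBAccessor()
	// checkAdminState re-reads 'admin' from the registry and reports an error
	// unless its state is 1. The type assertion is checked so an unexpected
	// registry implementation fails the test rather than panicking.
	checkAdminState := func() {
		t.Helper()
		userInfo, err := registry.GetUser("admin", nil)
		util.FatalError(t, err, "Failed to get user 'admin' from database")
		impl, ok := userInfo.(*dbuser.Impl)
		if !ok {
			t.Fatalf("Unexpected user type %T", userInfo)
		}
		if impl.State != 1 {
			t.Error("Incorrect state set for user")
		}
	}

	// User state should have gotten updated to 1 after a successful enrollment
	checkAdminState()

	// Send bad CSR to cause the enroll to fail but the login to succeed
	reqNet := &api.EnrollmentRequestNet{}
	reqNet.SignRequest.Request = "badcsr"
	body, err := util.Marshal(reqNet, "SignRequest")
	util.FatalError(t, err, "Failed to marshal enroll request")

	// Send the CSR to the fabric-ca server with basic auth header
	post, err := client.newPost("enroll", body)
	util.FatalError(t, err, "Failed to create post request")
	post.SetBasicAuth("admin", "adminpw")
	err = client.SendReq(post, nil)
	if assert.Error(t, err, "Should have failed due to bad csr") {
		assert.Contains(t, err.Error(), "CSR Decode failed")
	}

	// State should not have gotten updated because the enrollment failed:
	// authenticating alone must not count as an enrollment.
	checkAdminState()
}

// cleanTestSlateSE removes the directories these tests write to, so each test
// starts from, and leaves behind, a clean file system state. Removal errors
// are reported on t but do not stop the test.
func cleanTestSlateSE(t *testing.T) {
	for _, dir := range []string{rootDir, "../testdata/msp"} {
		if err := os.RemoveAll(dir); err != nil {
			t.Errorf("RemoveAll failed: %s", err)
		}
	}
}

// TestPasswordLimit exercises the incorrect-password limit configured through
// Identities.PasswordAttempts. It checks that:
//   - enrollment is refused once the limit of bad secrets has been reached,
//     even when the correct secret is then supplied;
//   - modifying the identity without changing its secret does not clear the
//     failed-attempt count, while an admin reset of the secret does;
//   - a successful login below the limit resets the count to zero.
func TestPasswordLimit(t *testing.T) {
	cleanTestSlateSE(t)
	defer cleanTestSlateSE(t)

	passLimit := 3

	srv := TestGetRootServer(t)
	srv.CA.Config.Cfg.Identities.PasswordAttempts = passLimit
	err := srv.Start()
	util.FatalError(t, err, "Failed to start server")
	// Best-effort shutdown; the error returned by Stop is not inspected here.
	defer srv.Stop()

	client := getTestClient(rootPort)
	enrollResp, err := client.Enroll(&api.EnrollmentRequest{
		Name:   "admin",
		Secret: "adminpw",
	})
	util.FatalError(t, err, "Failed to enroll 'admin' user")
	admin := enrollResp.Identity

	_, err = admin.Register(&api.RegistrationRequest{
		Name:   "user1",
		Secret: "user1pw",
	})
	util.FatalError(t, err, "Failed to register 'user1' user")

	// Reach maximum incorrect password limit
	for i := 0; i < passLimit; i++ {
		_, err = client.Enroll(&api.EnrollmentRequest{
			Name:   "user1",
			Secret: "badpass",
		})
		assert.Error(t, err, "Enroll for user 'user1' should fail due to bad password")
	}
	// One more attempt past the limit: the error text is expected to contain
	// "73" (presumably the CA's error code for the attempt limit; confirm
	// against the server's error definitions).
	_, err = client.Enroll(&api.EnrollmentRequest{
		Name:   "user1",
		Secret: "badpass",
	})
	util.ErrorContains(t, err, "73", "Should fail, incorrect password limit reached")

	// Admin modifying identity, confirm that just modifying identity does not reset attempt
	// count. Incorrect password attempt count should only be reset to zero, if password
	// is modified. Otherwise any unrelated attribute change would clear the
	// counter that limits password guessing.
	modReq := &api.ModifyIdentityRequest{
		ID: "user1",
	}

	modReq.Type = "client"
	_, err = admin.ModifyIdentity(modReq)
	assert.NoError(t, err, "Failed to modify identity")

	// The correct secret must still be rejected while the identity is locked.
	// NOTE(review): this only asserts that some error occurred. Checking for
	// "73" with util.ErrorContains, as above, would confirm the rejection
	// comes from the attempt limit and not an unrelated failure. Verify the
	// server returns that code on this path before tightening.
	_, err = client.Enroll(&api.EnrollmentRequest{
		Name:   "user1",
		Secret: "user1pw",
	})
	assert.Error(t, err, "Should failed to enroll")

	// Admin reset password
	modReq.Secret = "newPass"
	_, err = admin.ModifyIdentity(modReq)
	assert.NoError(t, err, "Failed to modify identity")

	_, err = client.Enroll(&api.EnrollmentRequest{
		Name:   "user1",
		Secret: "newPass",
	})
	assert.NoError(t, err, "Failed to enroll using new password after admin reset password")

	// Test that if password is entered correctly before reaching incorrect password limit,
	// the incorrect password count is reset back to 0
	_, err = client.Enroll(&api.EnrollmentRequest{
		Name:   "user1",
		Secret: "badPass",
	})
	assert.Error(t, err, "Enroll for user 'user1' should fail due to bad password")

	// A single bad attempt after the reset must be recorded as exactly one.
	registry := srv.CA.DBAccessor()
	user1, err := registry.GetUser("user1", nil)
	util.FatalError(t, err, "Failed to get 'user1' from database")
	assert.Equal(t, 1, user1.GetFailedLoginAttempts())

	_, err = client.Enroll(&api.EnrollmentRequest{
		Name:   "user1",
		Secret: "newPass",
	})
	assert.NoError(t, err, "Failed to enroll user with correct password")

	// The successful login above must have cleared the failed-attempt count.
	user1, err = registry.GetUser("user1", nil)
	util.FatalError(t, err, "Failed to get 'user1' from database")
	assert.Equal(t, 0, user1.GetFailedLoginAttempts())
}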