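#!/bin/bash
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# scripts/fvt/ident_modify_test.sh
#
# Functional verification test for the `fabric-ca-client identity`
# sub-commands (add / modify / remove / list). Most cases are negative
# authorization tests: an under-privileged registrar issues a request and the
# test passes only if the client output contains the expected denial message.
#
# Helpers such as enroll, grepPrint, ErrorMsg and CleanUp, and variables such
# as FABRIC_CA_CLIENTEXEC, PROTO, CA_HOST_ADDRESS, PROXY_PORT and TLSOPT are
# not defined here; they are expected to come from the sourced fabric-ca_utils.
#
# All passwords in this file are throw-away fixtures for the test CA.
#
# $FABRIC_CA_CLIENTEXEC, $URI and $flag are expanded unquoted on purpose:
# each holds several words that must reach the client as separate arguments.
# shellcheck disable=SC2086

: "${TESTCASE=ident_modify}"
FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
SCRIPTDIR="$FABRIC_CA/scripts/fvt"
. "$SCRIPTDIR/fabric-ca_utils"
# NOTE(review): fixed, predictable location under the shared /tmp; acceptable
# only on a dedicated test host or container.
TESTDIR=/tmp/$TESTCASE
RC=0
NUMROLES=8

# defaults
declare -A defaultValues
defaultValues=([Maxenrollments]=2147483647 [Affiliation]='.' [Type]="user" [Passwd]="user1pw")

# JSON identity definition with $passwd and $org placeholders. The quotes are
# backslash-escaped because the text is expanded through eval (renderUserDef).
adminTemplate='
{\"secret\": \"$passwd\",
 \"type\": \"user\",
 \"affiliation\": \"$org\",
 \"max_enrollments\": 100,
 \"attrs\":
  [{\"name\": \"hf.Registrar.Roles\", \"value\": \"client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange\"},
   {\"name\": \"hf.Registrar.DelegateRoles\", \"value\": \"client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange\"},
   {\"name\": \"hf.Revoker\", \"value\": \"true\"},
   {\"name\": \"hf.IntermediateCA\", \"value\": \"true\"},
   {\"name\": \"hf.GenCRL\", \"value\": \"true\"},
   {\"name\": \"hf.Registrar.Attributes\", \"value\": \"*\"}]}
'

#######################################
# Expand adminTemplate into the global userDef.
# Globals:   adminTemplate, org, passwd (read); userDef (written)
# eval re-parses the template as shell code, so org and passwd must only ever
# hold values assigned inside this script, never externally supplied text.
#######################################
function renderUserDef() {
  eval "userDef=\"$adminTemplate\""
}

#######################################
# Register identity userType<N> with type role<N>, then enroll it.
# Arguments: $1 - numeric suffix N
# The client is invoked directly, as everywhere else in this file, so the
# expanded arguments are not passed through a second round of shell parsing.
#######################################
function registerEnroll() {
  local idx="$1"
  local roles="role$idx"

  $FABRIC_CA_CLIENTEXEC identity add "userType$idx" $URI --secret "userType${idx}pw" \
    -H "$TESTDIR/admin" --type "$roles" --affiliation "${defaultValues[Affiliation]}" \
    --maxenrollments "${defaultValues[Maxenrollments]}" --attrs "hf.Registrar.Roles=$roles"
  enroll "userType$idx" "userType${idx}pw"
}

#######################################
# Check `identity add` output (read from stdin) for the default field values.
# Arguments: $1 - identity name expected in the output
# Outputs:   "defaults:<c>,ecert:<e>" on stdout
# Returns:   non-zero unless exactly 3 default fields and 3 ECert:true
#            markers matched.
#######################################
function checkDefaults() {
  awk -v c=0 -v e=0 \
    -v i="Name: $1," \
    -v t="Type: ${defaultValues[Type]}," \
    -v a="Affiliation: " \
    -v n="ECert:true" '
      $0~i {c++}
      $0~t {c++}
      $0~a {c++}
      $0~n {e++}
      END {print "defaults:"c",ecert:"e;if ((c!=3)||(e!=3)) exit 1} '
}

#######################################
# Print the sorted hf.* attributes of one identity, one "Name Value" pair per
# line, preceded by an empty line (testHfAttrs compares against that layout).
# Arguments: $1 - identity whose client home under TESTDIR issues the request
#            $2 - identity to look up
#######################################
function getAttrs() {
  # The complete (current) list
  #    hf.Affiliation
  #    hf.EnrollmentID
  #    hf.GenCRL
  #    hf.IntermediateCA
  #    hf.Registrar.Attributes
  #    hf.Registrar.DelegateRoles
  #    hf.Registrar.Roles
  #    hf.Revoker
  #    hf.Type
  local admin="$1"
  local user="$2"

  $FABRIC_CA_CLIENTEXEC identity list $URI -H "$TESTDIR/$admin" 2>&1 |
    grepPrint "^Name: $user," |
    grep -oP "Attributes:.*?]" |
    tr '{' "\n" |
    grep hf | sort | awk 'BEGIN {print ""}; {print $1" "$2}'
}

function testAuthenticationAuthorization() {
  # Objective:
  #   Only an authorized user can issue the identity commands:
  #     1 - admin will have a certificate from an unknown CA
  #     2 - testUser does not have the "hf.Registrar.Roles" attribute
  local op
  local -a userArg

  # Swap admin's enrollment material for a key pair the test CA never issued.
  # ${TESTDIR:?} aborts instead of expanding to "/admin/..." if TESTDIR is empty.
  rm -rf -- "${TESTDIR:?}"/admin/msp/keystore/*
  rm -rf -- "${TESTDIR:?}"/admin/msp/signcerts/*
  /etc/hyperledger/fabric-ca/pki -f newcert -t ec -l 256 \
    -n "/CN=admin/" -p admin >/dev/null 2>&1
  # NOTE(review): the pki helper presumably writes its output under /root;
  # the two moves below depend on that - confirm for non-root runs.
  mv /root/admincert.pem "$TESTDIR/admin/msp/signcerts/cert.pem"
  mv /root/adminkey.pem "$TESTDIR/admin/msp/keystore/key.pem"
  enroll testUser user1
  for op in list remove add modify; do
    # username not required for 'list' operation
    if test "$op" != list; then
      userArg=(testUser3)
    else
      userArg=()
    fi

    # Unknown CA
    # @TODO these messages need to change
    #   grepPrint "Authorization failure" || ErrorMsg "Test '$op' Authorization"
    $FABRIC_CA_CLIENTEXEC identity "$op" "${userArg[@]}" $URI -d -H "$TESTDIR/admin" 2>&1 |
      grepPrint "Authentication failure" || ErrorMsg "Test '$op' Authorization"

    # testUser not authorized - user must have the "hf.Registrar.Roles" attribute
    # @TODO these messages need to change
    #   grepPrint "403 Forbidden" || ErrorMsg "Test '$op' Authorization"
    $FABRIC_CA_CLIENTEXEC identity "$op" "${userArg[@]}" $URI -d -H "$TESTDIR/testUser" 2>&1 |
      grepPrint "Authorization failure" || ErrorMsg "Test '$op' Authorization"
  done
}

function testRoleAuthorization() {
  # Objective:
  #   for add/modify:
  #     identity type must be in the client user's hf.Registrar.Roles list
  #   for list:
  #     only entries whose type is in the "hf.Registrar.Roles" attribute of
  #     the issuer will be displayed
  local i

  # Enroll admin
  enroll
  # Baseline
  $FABRIC_CA_CLIENTEXEC identity list $URI -H "$TESTDIR/admin" ||
    ErrorMsg "admin 'identity list' failed"
  # the type of the identity being added must be in the user's hf.Registrar.Roles list
  $FABRIC_CA_CLIENTEXEC identity add userType1 $URI -H "$TESTDIR/admin" \
    --type account --affiliation "${defaultValues[Affiliation]}" 2>&1 |
    grepPrint "Registrar does not have authority to act on type 'account'" ||
    ErrorMsg "admin should not be able to add user of type 'account'"
  $FABRIC_CA_CLIENTEXEC identity modify admin $URI -H "$TESTDIR/admin/" -d \
    --attrs '"hf.Registrar.Roles=client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange"'
  for ((i = 1; i <= NUMROLES; i++)); do
    registerEnroll "$i"
    # only entries whose type is in the "hf.Registrar.Roles"
    # attribute of the issuer will be displayed; in this case, himself
    test "$($FABRIC_CA_CLIENTEXEC identity list $URI -H "$TESTDIR/userType$i" 2>&1 | wc -l)" -eq 1 ||
      ErrorMsg "userType$i 'identity list' failed"
    $FABRIC_CA_CLIENTEXEC identity list $URI -H "$TESTDIR/userType$i" 2>&1 |
      grepPrint "hf.EnrollmentID Value:userType$i.*Type Value:role$i.*Affiliation Value: " ||
      ErrorMsg "ID:userType$i Type:role$i 'identity list' failed"
  done
}

function testModifyRegistrarRoles() {
  # Objective:
  #   Use case:
  #     a) registrar does not have <type> in hf.Registrar.Roles: fail
  #     b) registrar's entry is successfully modified to add <type>
  #     c) registrar successfully modifies user with <type>

  # should fail
  $FABRIC_CA_CLIENTEXEC identity modify userType1 $URI -d \
    -H "$TESTDIR/admin2" --type client 2>&1 |
    grepPrint "Authorization failure" ||
    ErrorMsg "admin2 should not be able to modify user whose type is 'role1'"
  $FABRIC_CA_CLIENTEXEC identity modify admin2 $URI -d -H "$TESTDIR/admin" \
    --attrs '"hf.Registrar.Roles=client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange"' ||
    ErrorMsg "modify of admin2 by admin failed"

  # should succeed
  $FABRIC_CA_CLIENTEXEC identity modify userType1 $URI -d \
    -H "$TESTDIR/admin2" --type client ||
    ErrorMsg "admin2 modify of userType1 failed"

  # put it back like it was
  $FABRIC_CA_CLIENTEXEC identity modify userType1 $URI -d \
    -H "$TESTDIR/admin2" --type role1 ||
    ErrorMsg "admin2 modify of userType1 failed"
}

function testAffiliation() {
  # Objective:
  #   - a client may not view records outside of his own affiliation

  $FABRIC_CA_CLIENTEXEC identity modify admin $URI -d \
    -H "$TESTDIR/admin" --affiliation 'org2.department2'
  # User can only see himself
  test "$($FABRIC_CA_CLIENTEXEC identity list $URI -H "$TESTDIR/admin" 2>&1 | wc -l)" -eq 1 ||
    ErrorMsg "admin 'identity list' failed"
  $FABRIC_CA_CLIENTEXEC identity list $URI -H "$TESTDIR/admin" 2>&1 |
    grep "Name: admin, Type: client, Affiliation: org2.department2" ||
    ErrorMsg "admin 'identity list' failed"
  # add a subset of roles - user can only see that explicit list
  $FABRIC_CA_CLIENTEXEC identity modify admin $URI -d -H "$TESTDIR/admin2" \
    --affiliation "${defaultValues[Affiliation]}" \
    --attrs '"hf.Registrar.Roles=role1,role2,role3,role4,role5,role6,role7,role8"'
  test "$($FABRIC_CA_CLIENTEXEC identity list $URI -H "$TESTDIR/admin" | wc -l)" -eq "$NUMROLES" ||
    ErrorMsg "admin 'identity list' contained wrong number of users"
  # put it back like it was
  $FABRIC_CA_CLIENTEXEC identity modify admin $URI -d -H "$TESTDIR/admin2" \
    --affiliation "${defaultValues[Affiliation]}" \
    --attrs '"hf.Registrar.Roles=client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange,ca"'
}

function testDelegation() {
  # Objective:
  #   an admin may not delegate roles not in his hf.Registrar.Roles,
  #   even if he has a wildcarded hf.Registrar.Attributes '*'
  local restrictedAdminAttrsAttrs SuperAttrs pw

  enroll
  # @TODO change return code to 403
  # $FABRIC_CA_CLIENTEXEC identity add userType10 $URI -d -H $TESTDIR/admin --type role1 --affiliation ${defaultValues[Affiliation]} --attrs '"hf.Registrar.DelegateRoles=type10"' | grepPrint "403 Forbidden" || ErrorMsg "admin should not be able to add user with type 'type10', or wrong error code"
  $FABRIC_CA_CLIENTEXEC identity add userType10 $URI -d -H "$TESTDIR/admin" \
    --type role1 --affiliation "${defaultValues[Affiliation]}" \
    --attrs '"hf.Registrar.DelegateRoles=type10"' 2>&1 |
    grepPrint "not authorized to register" ||
    ErrorMsg "admin should not be able to add user with type 'type10', or wrong error code"
  restrictedAdminAttrsAttrs='
{
  "secret": "superUserpw",
  "type": "user",
  "affiliation": ".",
  "attrs": [
    {"name": "hf.Registrar.Roles", "value": "client,user,validator,auditor"},
    {"name": "hf.Registrar.Attributes", "value": "*"}
  ]
}'
  # Create restrictedAdmin, but with hf.Registrar.Attributes: "*"
  $FABRIC_CA_CLIENTEXEC identity add restrictedAdmin $URI -d \
    --json "$restrictedAdminAttrsAttrs" -H "$TESTDIR/admin" 2>&1
  pw=superUserpw
  enroll restrictedAdmin "$pw"
  # A successful self-lookup with the new credentials proves the enrollment.
  if ! $FABRIC_CA_CLIENTEXEC identity list $URI -d --id restrictedAdmin -H "$TESTDIR/restrictedAdmin"; then
    ErrorMsg "Failed to enroll restrictedAdmin"
    return
  fi

  # Attempting to create user with greater authority than restrictedAdmin should fail
  SuperAttrs='
{"secret": "superUserpw",
 "type": "user",
 "affiliation": ".",
 "max_enrollments": -1,
 "attrs":
  [{"name": "hf.Registrar.Roles", "value": "pianist,SuperUser,client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange"},
   {"name": "hf.Registrar.DelegateRoles", "value": "SuperUser,client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange"},
   {"name": "hf.Revoker", "value": "true"},
   {"name": "hf.IntermediateCA", "value": "true"},
   {"name": "hf.GenCRL", "value": "true"},
   {"name": "hf.Registrar.Attributes", "value": "*"}]}'
  $FABRIC_CA_CLIENTEXEC identity add SuperUser $URI -d \
    --json "$SuperAttrs" -H "$TESTDIR/restrictedAdmin" 2>&1 |
    grepPrint "attribute value:.*is not a member" ||
    ErrorMsg "restrictedAdmin should not be able to add SuperUser, or wrong error code"
}

function testDefaults() {
  # Objective:
  #   ensure the correct defaults for 'add'
  $FABRIC_CA_CLIENTEXEC identity add vanillaUser $URI -H "$TESTDIR/admin" 2>&1 |
    tr '{' "\n" |
    checkDefaults vanillaUser ||
    ErrorMsg "Incorrect default values for new user"
}

function testHfAttrs() {
  # Objective:
  #   add a user with every available configurable
  #   parameter and ensure all values are set correctly
  #
  # org, passwd and userDef stay global: testLateralAffiliation reuses the
  # passwd value assigned here.
  local admin="admin"
  local user="everythingBagel"
  local expectedAttrs currentAttrs

  org=org1
  passwd=${defaultValues[Passwd]}
  renderUserDef
  $FABRIC_CA_CLIENTEXEC identity add "$user" $URI --json "$userDef" -H "$TESTDIR/$admin" 2>&1
  enroll "$user" "$passwd"
  # Must match getAttrs output byte for byte: leading empty line, sorted
  # names, no indentation, no trailing newline.
  expectedAttrs="
Name:hf.Affiliation Value:$org
Name:hf.EnrollmentID Value:$user
Name:hf.GenCRL Value:true
Name:hf.IntermediateCA Value:true
Name:hf.Registrar.Attributes Value:*
Name:hf.Registrar.DelegateRoles Value:client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange
Name:hf.Registrar.Roles Value:client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange
Name:hf.Revoker Value:true
Name:hf.Type Value:user"
  # First call prints the attributes into the test log, second captures them.
  getAttrs "$admin" "$user"
  currentAttrs="$(getAttrs "$admin" "$user")"
  if test "$currentAttrs" != "$expectedAttrs"; then
    ErrorMsg "Incorrect value for registered attributes"
    echo "currentAttrs: $currentAttrs"
    echo "expectedAttrs: $expectedAttrs"
    return
  fi
}

function testLateralAffiliation() {
  # Objective:
  #   Ensure that an admin may only add/modify a user
  #   in his own affiliation tree, e.g. not disjunct (lateral)
  #   and not higher in the tree
  #
  # Relies on the global passwd left behind by testHfAttrs.

  # now that we have an admin within an org, attempt to register new user in same org
  local admin="everythingBagel"
  local user="NewUserOrg1"
  org=org1
  renderUserDef
  $FABRIC_CA_CLIENTEXEC identity add "$user" $URI -d \
    --json "$userDef" -H "$TESTDIR/$admin" 2>&1 ||
    ErrorMsg "Failed to add user '$user'"
  enroll "$user" "$passwd" || ErrorMsg "Failed to enroll user '$user'"
  # attempt to move the user to a higher-level affiliation: must be refused
  $FABRIC_CA_CLIENTEXEC identity modify "$user" $URI -d \
    -H "$TESTDIR/$admin" --affiliation "${defaultValues[Affiliation]}" \
    --attrs '"hf.Registrar.Roles=client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange,ca"' 2>&1 |
    grepPrint "Authorization failure" || ErrorMsg "$admin should not be able to operate on higher level affiliation ${defaultValues[Affiliation]}"

  # register new user in child org
  admin="NewUserOrg1"
  user="NewUserOrg1Dep1"
  org=org1.department1
  renderUserDef
  $FABRIC_CA_CLIENTEXEC identity add "$user" $URI -d \
    --json "$userDef" -H "$TESTDIR/$admin" 2>&1 ||
    ErrorMsg "Failed to add user '$user'"
  enroll "$user" "$passwd" || ErrorMsg "Failed to enroll user '$user'"

  # register new user in same org
  admin="NewUserOrg1Dep1"
  user="NewUser2Org1Dep1"
  org=org1.department1
  renderUserDef
  $FABRIC_CA_CLIENTEXEC identity add "$user" $URI -d \
    --json "$userDef" -H "$TESTDIR/$admin" 2>&1 ||
    ErrorMsg "Failed to add user '$user'"
  enroll "$user" "$passwd" || ErrorMsg "Failed to enroll user '$user'"
  # modify user in same org
  $FABRIC_CA_CLIENTEXEC identity modify "$user" $URI -d -H "$TESTDIR/$admin" \
    --attrs "hf.IntermediateCA=false" 2>&1 ||
    ErrorMsg "Failed to modify user '$user'"
  # restrict hf.Registrar.Attributes for admin
  $FABRIC_CA_CLIENTEXEC identity modify "$admin" $URI -d -H "$TESTDIR/$admin" \
    --attrs "hf.Registrar.Attributes=hf*" 2>&1 ||
    ErrorMsg "Failed to modify user '$admin'"
  # attempt to modify w/ wildcarded hf.Registrar.Attributes
  $FABRIC_CA_CLIENTEXEC identity modify "$user" $URI -d -H "$TESTDIR/$admin" \
    --attrs "hf.IntermediateCA=true" 2>&1 ||
    ErrorMsg "Failed to modify user '$user'"
  # take away entirely hf.Registrar.Attributes from admin
  # (issued from the bootstrap admin's client home, not from $admin's own)
  $FABRIC_CA_CLIENTEXEC identity modify "$admin" $URI -d -H "$TESTDIR/admin" \
    --attrs "hf.Registrar.Attributes=''" 2>&1 ||
    ErrorMsg "Failed to modify user '$admin'"
  # attempt to modify w/o hf.Registrar.Attributes set
  # this returns 'Authorization failure' should return '403 Forbidden'
  $FABRIC_CA_CLIENTEXEC identity modify "$user" $URI -d -H "$TESTDIR/$admin" \
    --attrs "hf.IntermediateCA=false" 2>&1 |
    grepPrint "Authorization failure" ||
    ErrorMsg "admin '$admin' w/o hf.Registrar.Attributes should not be able to modify user '$user', or wrong error code"

  # attempt to register new user in lateral org
  admin="NewUser2Org1Dep1"
  user="NewUserOrg1Dep2"
  org=org1.department2
  renderUserDef
  $FABRIC_CA_CLIENTEXEC identity add "$user" $URI -d --json "$userDef" -H "$TESTDIR/$admin" 2>&1 |
    grepPrint "Caller does not have authority to act on affiliation '$org'" ||
    ErrorMsg "Incorrectly added '$user', or improper error message"

  # attempt to register higher affiliation
  admin="NewUser2Org1Dep1"
  user="NewUser1Org1"
  org=org1
  renderUserDef
  $FABRIC_CA_CLIENTEXEC identity add "$user" $URI -d --json "$userDef" -H "$TESTDIR/$admin" 2>&1 |
    grepPrint "Caller does not have authority to act on affiliation '$org'" ||
    ErrorMsg "Incorrectly added '$user', or improper error message"
}

function testConflictingHfAttrs() {
  # Objective:
  #   Ensure that we cannot set 'static' internal attributes:
  #     hf.Type
  #     hf.EnrollmentID
  # Arguments: $1 - identity whose client home issues the requests
  #            $2 - base name for the identities the test tries to add
  local admin="$1"
  local user="$2"
  local flag userdef

  userdef='
{"secret": "user1pw",
 "type": "orange",
 "affiliation": "org1",
 "max_enrollments": 1,
 "attrs":
  [ {"name": "hf.Type", "value": "apple"}]}
'
  # --json must be rejected when combined with any individual field flag.
  for flag in '--type peer' '--affiliation .' '--attrs a=1' '--maxenrollments 1' '--secret p' '--type app'; do
    $FABRIC_CA_CLIENTEXEC identity add "$user" $URI -d $flag --json "$userdef" \
      -H "$TESTDIR/$admin" 2>&1 | grep -o "Can't use 'json' flag" ||
      ErrorMsg "Failed invalid flag combination"
  done

  $FABRIC_CA_CLIENTEXEC identity add "${user}1" $URI -d --json "$userdef" -H "$TESTDIR/$admin" 2>&1 |
    grepPrint "Cannot register fixed value attribute 'hf.Type'" ||
    ErrorMsg "Should not be able to set hf.Type against '--type'"

  userdef='
{"name": "admin",
 "type": "user",
 "affiliation": "org1",
 "max_enrollments": 1,
 "attrs":
  [ {"name": "hf.EnrollmentID", "value": "admin"}]}
'
  $FABRIC_CA_CLIENTEXEC identity add "${user}2" $URI -d --json "$userdef" -H "$TESTDIR/admin2" 2>&1 |
    grepPrint "Cannot register fixed value attribute 'hf.EnrollmentID'" ||
    ErrorMsg "Should not be able to configure 'hf.EnrollmentID'"
}

function removeAllUsers() {
  # Objective:
  #   Ensure that a valid authorized admin may delete users
  #   Ensure that a deleted user's certificates are revoked
  #   Ensure correct error when deleting non-existent user
  #   Ensure we may not delete self without the --force flag
  #   At each step, verify the expected number of user entries in DB
  local u numUsers

  # delete everyone except for admin
  # The awk program strips commas, then prints the word following each
  # "Name:" field unless that word is "admin".
  for u in $($FABRIC_CA_CLIENTEXEC identity list $URI -H "$TESTDIR/admin/" |
    awk '{gsub(/,/,""); for (i=1;i<NF;i++) if ($i=="Name:" && $(i+1)!="admin") print $(i+1)}'); do
    $FABRIC_CA_CLIENTEXEC identity remove "$u" $URI -d -H "$TESTDIR/admin/" || ErrorMsg "Failed to delete user $u"
  done
  # $u still holds the last removed name here (or nothing if the loop never
  # ran), so it stays unquoted to vanish when empty.
  $FABRIC_CA_CLIENTEXEC identity list $u $URI -H "$TESTDIR/admin/"
  numUsers=$($FABRIC_CA_CLIENTEXEC identity list $u $URI -H "$TESTDIR/admin/" | wc -l)
  if test "$numUsers" -ne 1; then
    ErrorMsg "Wrong number of users"
  fi

  # ensure all user certs revoked
  "$SCRIPTDIR/fabric-ca_setup.sh" -L -d mysql -D 2>/dev/null |
    sed -n '/Certificates:/,/Affiliations:/p' | sed '1,2d;$d' |
    awk -v rc=0 '$1!="admin" {if ($4!="revoked") rc++}; END {exit rc}' ||
    ErrorMsg "Not all certs have been revoked"

  # delete non-existent user (should return '404')
  $FABRIC_CA_CLIENTEXEC identity remove id $URI -H "$TESTDIR/admin/" 2>&1 |
    grepPrint 'Failed to get User' ||
    ErrorMsg "Should have failed, or wrong error code"
  # attempt delete self w/o force
  $FABRIC_CA_CLIENTEXEC identity remove admin $URI -H "$TESTDIR/admin/" 2>&1 |
    grepPrint "Need to use 'force'" ||
    ErrorMsg "Should have failed, or wrong error code"
  # delete self
  $FABRIC_CA_CLIENTEXEC identity remove admin $URI --force -H "$TESTDIR/admin/" ||
    ErrorMsg "Failed to delete self"
  # Resolved through SCRIPTDIR like every other call to the setup script. A
  # path relative to the working directory can fail to resolve, and with
  # stderr discarded the count would then be 0 and this check would pass
  # without having looked at the database.
  numUsers=$("$SCRIPTDIR/fabric-ca_setup.sh" -L -d mysql 2>/dev/null |
    sed -n '/Users/,$p' | sed '1d' | wc -l)
  if test "$numUsers" -ne 0; then
    ErrorMsg "Wrong number of users"
  fi
}

#######################################
# Print the banner for one test case, then run it.
# Arguments: $1 - test function name; remaining arguments are passed to it
#######################################
function runTest() {
  printf "\n\n"
  echo "===============> $1..."
  "$@"
}

# register is not defined in this file; presumably provided by fabric-ca_utils.
export -f register

### Start Test ###
export CA_CFG_PATH=$TESTDIR
"$SCRIPTDIR/fabric-ca_setup.sh" -D -R -x "$TESTDIR"
mkdir -p "$TESTDIR"
"$SCRIPTDIR/fabric-ca_setup.sh" -d mysql -I -X -n1 -D -x "$TESTDIR"
# The generated server config is parked in /tmp across the next setup call and
# then copied back.
# NOTE(review): /tmp/runFabricCaFvt.yaml is a fixed name in a shared directory
# and the file presumably carries bootstrap credentials; fine for a throw-away
# test container, not for a multi-user host.
cp "$TESTDIR/runFabricCaFvt.yaml" /tmp
"$SCRIPTDIR/fabric-ca_setup.sh" -D -R -x "$TESTDIR"
mkdir -p "$TESTDIR"
cp /tmp/runFabricCaFvt.yaml "$TESTDIR/runFabricCaFvt.yaml"
# Widen the role lists in the restored config. The first substitution is
# limited to the block from "name: admin" to its hf.Registrar.DelegateRoles
# line; the second has no address and rewrites every
# hf.Registrar.DelegateRoles line in the file.
sed -i '/name: admin$/,/hf.Registrar.DelegateRoles:/s/hf.Registrar.Roles:.*/hf.Registrar.Roles: "client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange,ca\"/;
        s/hf.Registrar.DelegateRoles:.*/hf.Registrar.DelegateRoles: "client,user,peer,validator,auditor,ca,app,role1,role2,role3,role4,role5,role6,role7,role8,apple,orange,ca\"/' "$TESTDIR/runFabricCaFvt.yaml"
# Identity removal has to be enabled on the server for removeAllUsers.
"$SCRIPTDIR/fabric-ca_setup.sh" -d mysql -S -X -n1 -D -x "$TESTDIR" -- \
  --cfg.identities.allowremove > "$TESTDIR/server.log" 2>&1

URI="-u ${PROTO}@$CA_HOST_ADDRESS:$PROXY_PORT $TLSOPT"

enroll
runTest testHfAttrs
runTest testLateralAffiliation
runTest testDelegation
runTest testDefaults
runTest testAuthenticationAuthorization
runTest testRoleAuthorization
enroll revoker revokerpw
enroll admin2 adminpw2
runTest testModifyRegistrarRoles
runTest testAffiliation
runTest testHfAttrs
runTest testConflictingHfAttrs admin2 conflictedUser
runTest removeAllUsers


CleanUp "$RC"
exit "$RC"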