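#!/bin/bash
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# Functional test for one fabric-ca-server process hosting several CAs
# (--cacount). For each database driver it enrolls, re-enrolls and revokes
# identities against every CA and compares the resulting status with the
# expected values via testStatus.
#
# Helpers such as pollFabricCa, testStatus, ErrorMsg, ErrorExit and CleanUp,
# and variables such as PROTO, TLSOPT, CA_HOST_ADDRESS and CA_DEFAULT_PORT,
# are not defined in this file; presumably they come from the sourced
# fabric-ca_utils.

: "${TESTCASE:="multica-test"}"
# NOTE(review): TDIR is a fixed, predictable path under /tmp, and the client
# MSP directories (--mspdir) are created beneath it. On a shared host another
# local user could pre-create or read this path; run this on a single-user
# test machine or point TESTCASE at a private location.
TDIR=/tmp/$TESTCASE
FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
SCRIPTDIR="$FABRIC_CA/scripts/fvt"
TESTDATA="$FABRIC_CA/testdata"
. "$SCRIPTDIR/fabric-ca_utils"
TLSDIR="$TESTDATA"
NUMINTCAS=4
MAXENROLL=$((2*NUMINTCAS))
NUMUSERS=2
RC=0

#######################################
# Set up and start the server that hosts the root CA plus NUMINTCAS extra CAs.
# Globals:   TDIR, SCRIPTDIR, driver, MAXENROLL, NUMINTCAS, CA_HOST_ADDRESS,
#            CA_DEFAULT_PORT (read)
# Returns:   exit status of pollFabricCa
#######################################
function createRootCA() {
  # Start RootCA
  mkdir -p "$TDIR/ca0"
  "$SCRIPTDIR/fabric-ca_setup.sh" -I -x "$TDIR/ca0" -d "$driver" -m "$MAXENROLL"
  # Blank the certfile:/keyfile: values inside the "ca:" section of the config.
  sed -i "/^ca:/,/^[^\t ]/ s@\(\(cert\|key\)file:\).*@\1@" "$TDIR/ca0/runFabricCaFvt.yaml"
  # The server runs in the background; its output is copied to server.log.
  FABRIC_CA_SERVER_HOME="$TDIR/ca0" fabric-ca-server start -d --cacount "$NUMINTCAS" \
    --csr.hosts "$CA_HOST_ADDRESS" --address "$CA_HOST_ADDRESS" \
    -c "$TDIR/ca0/runFabricCaFvt.yaml" 2>&1 |
    tee "$TDIR/ca0/server.log" &
  pollFabricCa "" "" "$CA_DEFAULT_PORT"
}

#######################################
# Enroll an already known identity against one CA.
# Globals:   TDIR, MAXENROLL, PROTO, CA_HOST_ADDRESS, CA_DEFAULT_PORT, TLSOPT,
#            i (read; i is the caller's loop counter, used in the CSR hosts)
# Arguments: $1 - identity name
#            $2 - enrollment secret
#            $3 - CA name
# Returns:   exit status of fabric-ca-client enroll
#######################################
function enrollUser() {
  local user=$1
  local pswd=$2
  local caname=$3
  # The secret is part of the -u URL and therefore visible in the process
  # list while the client runs; these are fixture credentials for this test.
  # $TLSOPT is left unquoted on purpose so that it splits into separate options.
  /usr/local/bin/fabric-ca-client enroll -d \
    --caname "$caname" \
    --mspdir "$TDIR/$caname/$user/${user}msp" \
    --id.maxenrollments "$MAXENROLL" \
    -u "${PROTO}$user:$pswd@$CA_HOST_ADDRESS:$CA_DEFAULT_PORT" \
    -c "$TDIR/$caname/enroll.yaml" \
    $TLSOPT \
    --csr.hosts "$user@fab-client.raleigh.ibm.com,${user}.fabric.raleigh.ibm.com,127.42.42.$i"
}

#######################################
# Register a new identity as admin, then enroll it with the returned secret.
# Globals:   TDIR, MAXENROLL, PROTO, CA_HOST_ADDRESS, CA_DEFAULT_PORT, TLSOPT,
#            i (read)
# Arguments: $1 - identity name
#            $2 - CA name
# Returns:   1 if no secret was returned by register, otherwise the exit
#            status of fabric-ca-client enroll
#######################################
function registerAndEnrollUser() {
  local user=$1
  local caname=$2
  local attrs='a=1,b=2,c=3,d=4,e=5,f=6,g=7,h=8,i=9,j=100000'
  local pswd
  # The command is run directly, not through eval: eval would re-parse the
  # already expanded arguments as shell code, so a metacharacter in a name or
  # option value would be executed. enrollUser passes the same variables
  # without eval.
  # The secret is taken from the last field of the last output line.
  pswd=$(/usr/local/bin/fabric-ca-client register \
    -u "${PROTO}admin:adminpw@$CA_HOST_ADDRESS:$CA_DEFAULT_PORT" \
    --id.attrs "$attrs" \
    --caname "$caname" \
    --mspdir "$TDIR/$caname/admin/adminmsp" \
    --id.name "$user" \
    --id.type user \
    --id.maxenrollments "$MAXENROLL" \
    --id.affiliation bank_a \
    $TLSOPT \
    -c "$TDIR/$caname/register.yaml" | tail -n1 | awk '{print $NF}')
  # The pipeline status is awk's, so a failed register shows up only as an
  # empty secret; stop here instead of enrolling with an empty password.
  if [[ -z "$pswd" ]]; then
    printf 'register of %s at %s returned no secret\n' "$user" "$caname" >&2
    return 1
  fi
  /usr/local/bin/fabric-ca-client enroll \
    --caname "$caname" \
    --mspdir "$TDIR/$caname/$user/${user}msp" \
    --id.maxenrollments "$MAXENROLL" \
    -u "${PROTO}$user:$pswd@$CA_HOST_ADDRESS:$CA_DEFAULT_PORT" \
    -c "$TDIR/$caname/$user/enroll.yaml" \
    $TLSOPT \
    --csr.hosts "$user@fab-client.raleigh.ibm.com,$user.fabric.raleigh.ibm.com,127.37.37.$i"
}

#######################################
# Re-enroll an identity using the material in its existing MSP directory.
# Globals:   TDIR, MAXENROLL, PROTO, CA_HOST_ADDRESS, CA_DEFAULT_PORT, TLSOPT,
#            i (read)
# Arguments: $1 - identity name
#            $2 - CA name
# Returns:   exit status of fabric-ca-client reenroll
#######################################
function reenrollUser() {
  local user=$1
  local caname=$2
  /usr/local/bin/fabric-ca-client reenroll \
    --caname "$caname" \
    --mspdir "$TDIR/$caname/${user}/${user}msp" \
    --id.maxenrollments "$MAXENROLL" \
    -u "${PROTO}@$CA_HOST_ADDRESS:$CA_DEFAULT_PORT" \
    -c "$TDIR/$caname/$user/enroll.yaml" \
    $TLSOPT \
    --csr.hosts "${user}@fab-client.raleigh.ibm.com,${user}.fabric.raleigh.ibm.com,127.42.42.$i"
}

#######################################
# Revoke an identity, or one of its certificates when serial and AKI are given.
# Globals:   TDIR, PROTO, CA_HOST_ADDRESS, CA_DEFAULT_PORT, TLSOPT (read)
#            FABRIC_CA_CLIENT_HOME (exported)
# Arguments: $1 - identity that issues the revocation
#            $2 - identity to revoke
#            $3 - CA name
#            $4 - certificate serial number (optional)
#            $5 - authority key identifier (optional)
# Returns:   exit status of fabric-ca-client revoke
#######################################
function revokeUser() {
  local revoker=$1
  local user=$2
  local caname=$3
  local sn=$4
  local aki=$5
  # Optional selectors are collected in an array so that each value reaches
  # the client as exactly one argument.
  local -a selector=()
  if [[ -n "$sn" ]]; then
    selector+=(--revoke.serial "$sn")
  fi
  if [[ -n "$aki" ]]; then
    selector+=(--revoke.aki "$aki")
  fi
  export FABRIC_CA_CLIENT_HOME="$TDIR/$caname/$revoker"
  /usr/local/bin/fabric-ca-client revoke --caname "$caname" \
    --mspdir "$TDIR/$caname/$revoker/${revoker}msp" \
    -u "${PROTO}$CA_HOST_ADDRESS:$CA_DEFAULT_PORT" \
    --revoke.name "$user" "${selector[@]}" $TLSOPT
}

#######################################
# Drop the per-CA databases (or the test directory for sqlite3).
# Globals:   NUMINTCAS, TDIR (read)
# Arguments: $1 - database driver: mysql, postgres or sqlite3
#######################################
function resetDB() {
  local driver=$1
  local i
  case "$driver" in
    mysql)
      for ((i = 1; i <= NUMINTCAS; i++)); do
        # NOTE(review): the password is passed on the command line and is
        # visible in the process list; acceptable only because this is the
        # throwaway credential of a local test database.
        mysql --host=localhost --user=root --password=mysql -e "drop database fabric_ca_ca$i;"
      done
      ;;
    postgres)
      for ((i = 1; i <= NUMINTCAS; i++)); do
        psql -c "drop database fabric_ca_ca$i"
      done
      ;;
    sqlite3)
      # ":?" aborts instead of expanding to an empty path.
      rm -rf -- "${TDIR:?}"
      ;;
  esac
}

### Start Test ###
for driver in postgres mysql; do

  # Expected codes
  # Result after enroll/reenroll -
  #   user status: 1, certs status: all 'good'
  enrolledGood=$(printf "1 %s\n%s\n%s" good good good)
  # Result after revoking the current enrollment cert -
  #   user status: 1, certs status: one revoked
  enrolledRevoked=$(printf "1 %s\n%s\n%s" good good revoked)
  # Result after revoking userid -
  #   user status: -1, certs status: all 'revoked'
  revokedRevoked=$(printf -- "-1 %s\n%s\n%s" revoked revoked revoked)

  "$SCRIPTDIR/fabric-ca_setup.sh" -R -x "$TDIR/ca0" -D -d "$driver"
  rm -rf -- "${TDIR:?}"

  resetDB "$driver"

  createRootCA || ErrorExit "Failed to create root CA"

  USERS=("admin" "admin2" "notadmin" "testUser" "testUser2" "testUser3")
  PSWDS=("adminpw" "adminpw2" "pass" "user1" "user2" "user3")
  # roundrobin through all servers in pool and enroll users
  # The bound is the number of users, ${#USERS[@]}; the previous ${#USERS[u]}
  # was the length of one name and only happened to stop at the right index.
  for ((u = 0; u < ${#USERS[@]}; u++)); do
    for ((i = 1; i <= NUMINTCAS; i++)); do
      for ((iter = 1; iter <= MAXENROLL; iter++)); do
        # Issue duplicate enroll to ensure proper processing of multiple requests
        enrollUser "${USERS[u]}" "${PSWDS[u]}" "ca$i" ||
          ErrorExit "Failed to enroll ${USERS[u]} to ca$i"
      done
    done
  done

  # enrolling beyond the configured MAXENROLL should fail
  for ((u = 0; u < ${#USERS[@]}; u++)); do
    for ((i = 1; i <= NUMINTCAS; i++)); do
      enrollUser "${USERS[u]}" "${PSWDS[u]}" "ca$i" &&
        ErrorExit "Should have failed to enroll ${USERS[u]} to ca$i"
    done
  done

  for ((i = 1; i <= NUMINTCAS; i++)); do
    for ((j = 1; j <= NUMUSERS; j++)); do
      registerAndEnrollUser "user$i$j" "ca$i" ||
        ErrorExit "Enroll user$i$j to CA ca$i failed"
    done
  done

  # roundrobin through all servers in pool and reenroll users
  for iter in {0..1}; do
    # Issue duplicate reenroll to ensure proper processing of multiple requests
    for ((i = 1; i <= NUMINTCAS; i++)); do
      for ((j = 1; j <= NUMUSERS; j++)); do
        reenrollUser "user$i$j" "ca$i" || ErrorExit "reenrollUser user$i$j ca$i failed"
      done
    done
  done

  # notadmin cannot revoke
  # Authorization check: the request must be refused, and refused for the
  # expected reason. The pipeline status is grep's, so any other outcome
  # (success or a different error) is reported.
  if ! revokeUser notadmin user11 ca1 2>&1 | grep -E "Authorization failure"; then
    ErrorMsg "Non-revoker successfully revoked cert or failed for incorrect reason"
  fi

  # Check the DB contents
  for ((i = 1; i <= NUMINTCAS; i++)); do
    for ((j = 1; j <= NUMUSERS; j++)); do
      # The message used to contain "$user$i$j"; $user is not set at this
      # level, so the identity name was printed without its "user" prefix.
      test "$(testStatus "user$i$j" "$driver" "$TDIR/ca0/ca/ca$i" "fabric_ca_ca$i")" = "$enrolledGood" ||
        ErrorMsg "Incorrect user/certificate status for user$i$j" RC
    done
  done

  for ((i = 1; i <= NUMINTCAS; i++)); do
    for ((j = 1; j <= NUMUSERS; j++)); do
      c="$TDIR/ca$i/user$i$j/user$i${j}msp/signcerts/cert.pem"
      # Grab the serial number of user$i$j cert
      SN_UC="$(openssl x509 -noout -serial -in "$c" | awk -F'=' '{print toupper($2)}')"
      # and the authority key identifier of the same cert, colons removed
      # and upper-cased
      AKI_UC=$(openssl x509 -noout -text -in "$c" | awk '/keyid/ {gsub(/ *keyid:|:/,"",$1);print toupper($0)}')
      # Revoke the certs
      echo "SN ---> $SN_UC"
      echo "AKI ---> $AKI_UC"
      revokeUser admin "user$i$j" "ca$i" "$SN_UC" "$AKI_UC"
      #### Ensure that revoking an already revoked cert doesn't blow up
      echo "=========================> Issuing duplicate revoke by -s -a"
      revokeUser admin "user$i$j" "ca$i" "$SN_UC" "$AKI_UC"
      test "$(testStatus "user$i$j" "$driver" "$TDIR/ca0/ca/ca$i" "fabric_ca_ca$i")" = "$enrolledRevoked" ||
        ErrorMsg "Incorrect user/certificate status for user$i$j" RC
    done
  done

  for ((i = 1; i <= NUMINTCAS; i++)); do
    for ((j = 1; j <= NUMUSERS; j++)); do
      echo "=========================> REVOKING by --eid"
      revokeUser admin "user$i$j" "ca$i"
      #### Ensure that revoking an already revoked cert doesn't blow up
      # This repeat is again by identity name, although the banner below
      # still says "-s -a".
      echo "=========================> Issuing duplicate revoke by -s -a"
      revokeUser admin "user$i$j" "ca$i"
      test "$(testStatus "user$i$j" "$driver" "$TDIR/ca0/ca/ca$i" "fabric_ca_ca$i")" = "$revokedRevoked" ||
        ErrorMsg "Incorrect user/certificate status for user$i$j" RC
    done
  done

  #### Revoke admin cert
  for ((i = 1; i <= NUMINTCAS; i++)); do
    for ((j = 1; j <= NUMUSERS; j++)); do
      echo "=========================> REVOKING self"
      revokeUser admin admin "ca$i"
      # Verify that the cert is no longer usable
      # Authentication check: a request signed with the revoked admin
      # certificate must be rejected with the expected error.
      if ! revokeUser admin "user$i$j" "ca$i" 2>&1 | grep -E "Authentication failure"; then
        ErrorMsg "Improper revocation using revoked certificate" RC
      fi
    done
  done

  "$SCRIPTDIR/fabric-ca_setup.sh" -L -x "$TDIR/ca0" -D -d "$driver"
  # shellcheck disable=SC2046 -- one PID per word is intended
  kill $(ps -x -o pid,comm | awk '$2~/fabric-ca-serve/ {print $1}')
done

# If the test failed, leave the results for debugging
if [ "$RC" -eq 0 ]; then
  "$SCRIPTDIR/fabric-ca_setup.sh" -R -x "$CA_CFG_PATH" -d "$driver"
fi

### Clean up ###
rm -f -- "$TESTDATA/openssl.cnf.base.req"
CleanUp "$RC"
exit $RC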