github.com/defanghe/fabric@v2.1.1+incompatible/msp/idemixmsp_test.go (about) 1 /* 2 Copyright IBM Corp. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package msp 8 9 import ( 10 "testing" 11 12 "github.com/golang/protobuf/proto" 13 "github.com/hyperledger/fabric-protos-go/msp" 14 "github.com/hyperledger/fabric/idemix" 15 "github.com/pkg/errors" 16 "github.com/stretchr/testify/assert" 17 ) 18 19 func setup(configPath string, ID string) (MSP, error) { 20 return setupWithVersion(configPath, ID, MSPv1_3) 21 } 22 23 func setupWithVersion(configPath string, ID string, version MSPVersion) (MSP, error) { 24 msp, err := newIdemixMsp(version) 25 if err != nil { 26 return nil, err 27 } 28 29 conf, err := GetIdemixMspConfig(configPath, ID) 30 if err != nil { 31 return nil, errors.Wrap(err, "Getting MSP config failed") 32 } 33 34 err = msp.Setup(conf) 35 if err != nil { 36 return nil, errors.Wrap(err, "Setting up MSP failed") 37 } 38 return msp, nil 39 } 40 41 func getDefaultSigner(msp MSP) (SigningIdentity, error) { 42 id, err := msp.GetDefaultSigningIdentity() 43 if err != nil { 44 return nil, errors.Wrap(err, "Getting default signing identity failed") 45 } 46 47 err = id.Validate() 48 if err != nil { 49 return nil, errors.Wrap(err, "Default signing identity invalid") 50 } 51 52 err = msp.Validate(id) 53 if err != nil { 54 return nil, errors.Wrap(err, "Default signing identity invalid") 55 } 56 57 return id, nil 58 } 59 60 func TestSetup(t *testing.T) { 61 msp, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 62 assert.NoError(t, err) 63 64 assert.Equal(t, IDEMIX, msp.GetType()) 65 } 66 67 func TestSetupBad(t *testing.T) { 68 _, err := setup("testdata/idemix/badpath", "MSPID") 69 assert.Error(t, err) 70 assert.Contains(t, err.Error(), "Getting MSP config failed") 71 72 msp1, err := newIdemixMsp(MSPv1_3) 73 assert.NoError(t, err) 74 75 // Setup with nil config 76 err = msp1.Setup(nil) 77 assert.Error(t, err) 78 assert.Contains(t, err.Error(), "setup error: nil conf reference") 79 80 // Setup with incorrect MSP type 81 conf := &msp.MSPConfig{Type: 1234, Config: nil} 82 err = msp1.Setup(conf) 83 assert.Error(t, err) 84 assert.Contains(t, err.Error(), "setup error: config is not of type IDEMIX") 85 86 // Setup with bad idemix config bytes 87 conf = &msp.MSPConfig{Type: int32(IDEMIX), Config: []byte("barf")} 88 err = msp1.Setup(conf) 89 assert.Error(t, err) 90 assert.Contains(t, err.Error(), "failed unmarshalling idemix msp config") 91 92 conf, err = GetIdemixMspConfig("testdata/idemix/MSP1OU1", "IdemixMSP1") 93 idemixconfig := &msp.IdemixMSPConfig{} 94 err = proto.Unmarshal(conf.Config, idemixconfig) 95 assert.NoError(t, err) 96 97 // Create MSP config with IPK with incorrect attribute names 98 rng, err := idemix.GetRand() 99 assert.NoError(t, err) 100 key, err := idemix.NewIssuerKey([]string{}, rng) 101 assert.NoError(t, err) 102 ipkBytes, err := proto.Marshal(key.Ipk) 103 assert.NoError(t, err) 104 idemixconfig.Ipk = ipkBytes 105 106 idemixConfigBytes, err := proto.Marshal(idemixconfig) 107 assert.NoError(t, err) 108 conf.Config = idemixConfigBytes 109 110 err = msp1.Setup(conf) 111 assert.Error(t, err) 112 assert.Contains(t, err.Error(), "issuer public key must have have attributes OU, Role, EnrollmentId, and RevocationHandle") 113 114 // Create MSP config with bad IPK bytes 115 ipkBytes = []byte("barf") 116 idemixconfig.Ipk = ipkBytes 117 118 idemixConfigBytes, err = proto.Marshal(idemixconfig) 119 assert.NoError(t, err) 120 conf.Config = idemixConfigBytes 121 122 err = msp1.Setup(conf) 123 assert.Error(t, err) 124 assert.Contains(t, err.Error(), "failed to unmarshal ipk from idemix msp config") 125 } 126 127 func TestSigning(t *testing.T) { 128 msp, err := setup("testdata/idemix/MSP1OU1", "MSP1") 129 assert.NoError(t, err) 130 131 id, err := getDefaultSigner(msp) 132 assert.NoError(t, err) 133 134 msg := []byte("TestMessage") 135 sig, err := id.Sign(msg) 136 assert.NoError(t, err) 137 138 err = id.Verify(msg, sig) 139 assert.NoError(t, err) 140 141 err = id.Verify([]byte("OtherMessage"), sig) 142 assert.Error(t, err) 143 assert.Contains(t, err.Error(), "pseudonym signature invalid: zero-knowledge proof is invalid") 144 145 verMsp, err := setup("testdata/idemix/MSP1Verifier", "MSP1") 146 assert.NoError(t, err) 147 err = verMsp.Validate(id) 148 assert.NoError(t, err) 149 _, err = verMsp.GetDefaultSigningIdentity() 150 assert.Error(t, err) 151 assert.Contains(t, err.Error(), "no default signer setup") 152 } 153 154 func TestSigningBad(t *testing.T) { 155 msp, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 156 assert.NoError(t, err) 157 158 id, err := getDefaultSigner(msp) 159 assert.NoError(t, err) 160 161 msg := []byte("TestMessage") 162 sig := []byte("barf") 163 164 err = id.Verify(msg, sig) 165 assert.Error(t, err) 166 assert.Contains(t, err.Error(), "error unmarshalling signature") 167 } 168 169 func TestIdentitySerialization(t *testing.T) { 170 msp, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 171 assert.NoError(t, err) 172 173 id, err := getDefaultSigner(msp) 174 assert.NoError(t, err) 175 176 // Test serialization of identities 177 serializedID, err := id.Serialize() 178 assert.NoError(t, err) 179 180 verID, err := msp.DeserializeIdentity(serializedID) 181 182 err = verID.Validate() 183 assert.NoError(t, err) 184 185 err = msp.Validate(verID) 186 assert.NoError(t, err) 187 } 188 189 func TestIdentitySerializationBad(t *testing.T) { 190 msp, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 191 assert.NoError(t, err) 192 193 _, err = msp.DeserializeIdentity([]byte("barf")) 194 assert.Error(t, err, "DeserializeIdentity should have failed for bad input") 195 assert.Contains(t, err.Error(), "could not deserialize a SerializedIdentity") 196 } 197 198 func TestIdentitySerializationWrongMSP(t *testing.T) { 199 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 200 assert.NoError(t, err) 201 msp2, err := setup("testdata/idemix/MSP2OU1", "MSP2OU1") 202 assert.NoError(t, err) 203 id2, err := getDefaultSigner(msp2) 204 assert.NoError(t, err) 205 206 idBytes, err := id2.Serialize() 207 assert.NoError(t, err) 208 209 _, err = msp1.DeserializeIdentity(idBytes) 210 assert.Error(t, err, "DeserializeIdentity should have failed for ID of other MSP") 211 assert.Contains(t, err.Error(), "expected MSP ID MSP1OU1, received MSP2OU1") 212 } 213 214 func TestPrincipalIdentity(t *testing.T) { 215 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 216 assert.NoError(t, err) 217 218 id1, err := getDefaultSigner(msp1) 219 assert.NoError(t, err) 220 221 idBytes, err := id1.Serialize() 222 assert.NoError(t, err) 223 224 principal := &msp.MSPPrincipal{ 225 PrincipalClassification: msp.MSPPrincipal_IDENTITY, 226 Principal: idBytes} 227 228 err = id1.SatisfiesPrincipal(principal) 229 assert.NoError(t, err) 230 } 231 232 func TestPrincipalIdentityWrongIdentity(t *testing.T) { 233 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 234 assert.NoError(t, err) 235 236 id1, err := getDefaultSigner(msp1) 237 assert.NoError(t, err) 238 239 msp2, err := setup("testdata/idemix/MSP1OU2", "MSP1OU2") 240 assert.NoError(t, err) 241 242 id2, err := getDefaultSigner(msp2) 243 assert.NoError(t, err) 244 245 idBytes, err := id1.Serialize() 246 assert.NoError(t, err) 247 248 principal := &msp.MSPPrincipal{ 249 PrincipalClassification: msp.MSPPrincipal_IDENTITY, 250 Principal: idBytes} 251 252 err = id2.SatisfiesPrincipal(principal) 253 assert.Error(t, err, "Identity MSP principal for different user should fail") 254 assert.Contains(t, err.Error(), "the identities do not match") 255 256 } 257 258 func TestPrincipalIdentityBadIdentity(t *testing.T) { 259 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 260 assert.NoError(t, err) 261 262 id1, err := getDefaultSigner(msp1) 263 assert.NoError(t, err) 264 265 idBytes := []byte("barf") 266 267 principal := &msp.MSPPrincipal{ 268 PrincipalClassification: msp.MSPPrincipal_IDENTITY, 269 Principal: idBytes} 270 271 err = id1.SatisfiesPrincipal(principal) 272 assert.Error(t, err, "Identity MSP principal for a bad principal should fail") 273 assert.Contains(t, err.Error(), "the identities do not match") 274 } 275 276 func TestAnonymityPrincipal(t *testing.T) { 277 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 278 assert.NoError(t, err) 279 280 id1, err := getDefaultSigner(msp1) 281 assert.NoError(t, err) 282 283 principalBytes, err := proto.Marshal(&msp.MSPIdentityAnonymity{AnonymityType: msp.MSPIdentityAnonymity_ANONYMOUS}) 284 assert.NoError(t, err) 285 286 principal := &msp.MSPPrincipal{ 287 PrincipalClassification: msp.MSPPrincipal_ANONYMITY, 288 Principal: principalBytes} 289 290 err = id1.SatisfiesPrincipal(principal) 291 assert.NoError(t, err) 292 } 293 294 func TestAnonymityPrincipalBad(t *testing.T) { 295 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 296 assert.NoError(t, err) 297 298 id1, err := getDefaultSigner(msp1) 299 assert.NoError(t, err) 300 301 principalBytes, err := proto.Marshal(&msp.MSPIdentityAnonymity{AnonymityType: msp.MSPIdentityAnonymity_NOMINAL}) 302 assert.NoError(t, err) 303 304 principal := &msp.MSPPrincipal{ 305 PrincipalClassification: msp.MSPPrincipal_ANONYMITY, 306 Principal: principalBytes} 307 308 err = id1.SatisfiesPrincipal(principal) 309 assert.Error(t, err, "Idemix identity is anonymous and should not pass NOMINAL anonymity principal") 310 assert.Contains(t, err.Error(), "principal is nominal, but idemix MSP is anonymous") 311 } 312 313 func TestAnonymityPrincipalV11(t *testing.T) { 314 msp1, err := setupWithVersion("testdata/idemix/MSP1OU1", "MSP1OU1", MSPv1_1) 315 assert.NoError(t, err) 316 317 id1, err := getDefaultSigner(msp1) 318 assert.NoError(t, err) 319 320 principalBytes, err := proto.Marshal(&msp.MSPIdentityAnonymity{AnonymityType: msp.MSPIdentityAnonymity_NOMINAL}) 321 assert.NoError(t, err) 322 323 principal := &msp.MSPPrincipal{ 324 PrincipalClassification: msp.MSPPrincipal_ANONYMITY, 325 Principal: principalBytes} 326 327 err = id1.SatisfiesPrincipal(principal) 328 assert.Error(t, err) 329 assert.Contains(t, err.Error(), "Anonymity MSP Principals are unsupported in MSPv1_1") 330 } 331 332 func TestIdemixIsWellFormed(t *testing.T) { 333 idemixMSP, err := setup("testdata/idemix/MSP1OU1", "TestName") 334 assert.NoError(t, err) 335 336 id, err := getDefaultSigner(idemixMSP) 337 assert.NoError(t, err) 338 rawId, err := id.Serialize() 339 assert.NoError(t, err) 340 sId := &msp.SerializedIdentity{} 341 err = proto.Unmarshal(rawId, sId) 342 assert.NoError(t, err) 343 err = idemixMSP.IsWellFormed(sId) 344 assert.NoError(t, err) 345 // Corrupt the identity bytes 346 sId.IdBytes = append(sId.IdBytes, 1) 347 err = idemixMSP.IsWellFormed(sId) 348 assert.Error(t, err) 349 assert.Contains(t, err.Error(), "not an idemix identity") 350 } 351 352 func TestPrincipalOU(t *testing.T) { 353 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 354 assert.NoError(t, err) 355 356 id1, err := getDefaultSigner(msp1) 357 assert.NoError(t, err) 358 359 ou := &msp.OrganizationUnit{ 360 OrganizationalUnitIdentifier: id1.GetOrganizationalUnits()[0].OrganizationalUnitIdentifier, 361 MspIdentifier: id1.GetMSPIdentifier(), 362 CertifiersIdentifier: nil, 363 } 364 bytes, err := proto.Marshal(ou) 365 assert.NoError(t, err) 366 367 principal := &msp.MSPPrincipal{ 368 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 369 Principal: bytes} 370 371 err = id1.SatisfiesPrincipal(principal) 372 assert.NoError(t, err) 373 } 374 375 func TestPrincipalOUWrongOU(t *testing.T) { 376 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 377 assert.NoError(t, err) 378 379 id1, err := getDefaultSigner(msp1) 380 assert.NoError(t, err) 381 382 ou := &msp.OrganizationUnit{ 383 OrganizationalUnitIdentifier: "DifferentOU", 384 MspIdentifier: id1.GetMSPIdentifier(), 385 CertifiersIdentifier: nil, 386 } 387 bytes, err := proto.Marshal(ou) 388 assert.NoError(t, err) 389 390 principal := &msp.MSPPrincipal{ 391 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 392 Principal: bytes} 393 394 err = id1.SatisfiesPrincipal(principal) 395 assert.Error(t, err, "OU MSP principal should have failed for user of different OU") 396 assert.Contains(t, err.Error(), "user is not part of the desired organizational unit") 397 398 } 399 400 func TestPrincipalOUWrongMSP(t *testing.T) { 401 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 402 assert.NoError(t, err) 403 404 id1, err := getDefaultSigner(msp1) 405 assert.NoError(t, err) 406 407 ou := &msp.OrganizationUnit{ 408 OrganizationalUnitIdentifier: "OU1", 409 MspIdentifier: "OtherMSP", 410 CertifiersIdentifier: nil, 411 } 412 bytes, err := proto.Marshal(ou) 413 assert.NoError(t, err) 414 415 principal := &msp.MSPPrincipal{ 416 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 417 Principal: bytes} 418 419 err = id1.SatisfiesPrincipal(principal) 420 assert.Error(t, err, "OU MSP principal should have failed for user of different MSP") 421 assert.Contains(t, err.Error(), "the identity is a member of a different MSP") 422 423 } 424 425 func TestPrincipalOUBad(t *testing.T) { 426 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 427 assert.NoError(t, err) 428 429 id1, err := getDefaultSigner(msp1) 430 assert.NoError(t, err) 431 432 bytes := []byte("barf") 433 assert.NoError(t, err) 434 435 principal := &msp.MSPPrincipal{ 436 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 437 Principal: bytes} 438 439 err = id1.SatisfiesPrincipal(principal) 440 assert.Error(t, err, "OU MSP principal should have failed for a bad OU principal") 441 assert.Contains(t, err.Error(), "could not unmarshal OU from principal") 442 } 443 444 func TestPrincipalRoleMember(t *testing.T) { 445 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 446 assert.NoError(t, err) 447 448 id1, err := getDefaultSigner(msp1) 449 assert.NoError(t, err) 450 451 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: id1.GetMSPIdentifier()}) 452 assert.NoError(t, err) 453 454 principal := &msp.MSPPrincipal{ 455 PrincipalClassification: msp.MSPPrincipal_ROLE, 456 Principal: principalBytes} 457 458 err = id1.SatisfiesPrincipal(principal) 459 assert.NoError(t, err) 460 461 // Member should also satisfy client 462 principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_CLIENT, MspIdentifier: id1.GetMSPIdentifier()}) 463 assert.NoError(t, err) 464 465 principal = &msp.MSPPrincipal{ 466 PrincipalClassification: msp.MSPPrincipal_ROLE, 467 Principal: principalBytes} 468 469 err = id1.SatisfiesPrincipal(principal) 470 assert.NoError(t, err) 471 } 472 473 func TestPrincipalRoleAdmin(t *testing.T) { 474 msp1, err := setup("testdata/idemix/MSP1OU1Admin", "MSP1OU1Admin") 475 assert.NoError(t, err) 476 477 id1, err := getDefaultSigner(msp1) 478 assert.NoError(t, err) 479 480 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: id1.GetMSPIdentifier()}) 481 assert.NoError(t, err) 482 483 principal := &msp.MSPPrincipal{ 484 PrincipalClassification: msp.MSPPrincipal_ROLE, 485 Principal: principalBytes} 486 487 // Admin should also satisfy member 488 err = id1.SatisfiesPrincipal(principal) 489 assert.NoError(t, err) 490 491 principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ADMIN, MspIdentifier: id1.GetMSPIdentifier()}) 492 assert.NoError(t, err) 493 494 principal = &msp.MSPPrincipal{ 495 PrincipalClassification: msp.MSPPrincipal_ROLE, 496 Principal: principalBytes} 497 498 err = id1.SatisfiesPrincipal(principal) 499 assert.NoError(t, err) 500 } 501 502 func TestPrincipalRoleNotPeer(t *testing.T) { 503 msp1, err := setup("testdata/idemix/MSP1OU1Admin", "MSP1OU1") 504 assert.NoError(t, err) 505 506 id1, err := getDefaultSigner(msp1) 507 assert.NoError(t, err) 508 509 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_PEER, MspIdentifier: id1.GetMSPIdentifier()}) 510 assert.NoError(t, err) 511 512 principal := &msp.MSPPrincipal{ 513 PrincipalClassification: msp.MSPPrincipal_ROLE, 514 Principal: principalBytes} 515 516 err = id1.SatisfiesPrincipal(principal) 517 assert.Error(t, err, "Admin should not satisfy PEER principal") 518 assert.Contains(t, err.Error(), "idemixmsp only supports client use, so it cannot satisfy an MSPRole PEER principal") 519 } 520 521 func TestPrincipalRoleNotAdmin(t *testing.T) { 522 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 523 assert.NoError(t, err) 524 525 id1, err := getDefaultSigner(msp1) 526 assert.NoError(t, err) 527 528 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ADMIN, MspIdentifier: id1.GetMSPIdentifier()}) 529 assert.NoError(t, err) 530 531 principal := &msp.MSPPrincipal{ 532 PrincipalClassification: msp.MSPPrincipal_ROLE, 533 Principal: principalBytes} 534 535 err = id1.SatisfiesPrincipal(principal) 536 assert.Error(t, err, "Member should not satisfy Admin principal") 537 assert.Contains(t, err.Error(), "user is not an admin") 538 } 539 540 func TestPrincipalRoleWrongMSP(t *testing.T) { 541 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 542 assert.NoError(t, err) 543 544 id1, err := getDefaultSigner(msp1) 545 assert.NoError(t, err) 546 547 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: "OtherMSP"}) 548 assert.NoError(t, err) 549 550 principal := &msp.MSPPrincipal{ 551 PrincipalClassification: msp.MSPPrincipal_ROLE, 552 Principal: principalBytes} 553 554 err = id1.SatisfiesPrincipal(principal) 555 assert.Error(t, err, "Role MSP principal should have failed for user of different MSP") 556 assert.Contains(t, err.Error(), "the identity is a member of a different MSP") 557 } 558 559 func TestPrincipalRoleBadRole(t *testing.T) { 560 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 561 assert.NoError(t, err) 562 563 id1, err := getDefaultSigner(msp1) 564 assert.NoError(t, err) 565 566 // Make principal for nonexisting role 1234 567 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: 1234, MspIdentifier: id1.GetMSPIdentifier()}) 568 assert.NoError(t, err) 569 570 principal := &msp.MSPPrincipal{ 571 PrincipalClassification: msp.MSPPrincipal_ROLE, 572 Principal: principalBytes} 573 574 err = id1.SatisfiesPrincipal(principal) 575 assert.Error(t, err, "Role MSP principal should have failed for a bad Role") 576 assert.Contains(t, err.Error(), "invalid MSP role type") 577 } 578 579 func TestPrincipalBad(t *testing.T) { 580 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 581 assert.NoError(t, err) 582 583 id1, err := getDefaultSigner(msp1) 584 assert.NoError(t, err) 585 586 principal := &msp.MSPPrincipal{ 587 PrincipalClassification: 1234, 588 Principal: nil} 589 590 err = id1.SatisfiesPrincipal(principal) 591 assert.Error(t, err, "Principal with bad Classification should fail") 592 assert.Contains(t, err.Error(), "invalid principal type") 593 } 594 595 func TestPrincipalCombined(t *testing.T) { 596 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 597 assert.NoError(t, err) 598 599 id1, err := getDefaultSigner(msp1) 600 assert.NoError(t, err) 601 602 ou := &msp.OrganizationUnit{ 603 OrganizationalUnitIdentifier: id1.GetOrganizationalUnits()[0].OrganizationalUnitIdentifier, 604 MspIdentifier: id1.GetMSPIdentifier(), 605 CertifiersIdentifier: nil, 606 } 607 principalBytes, err := proto.Marshal(ou) 608 assert.NoError(t, err) 609 610 principalOU := &msp.MSPPrincipal{ 611 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 612 Principal: principalBytes} 613 614 principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: id1.GetMSPIdentifier()}) 615 assert.NoError(t, err) 616 617 principalRole := &msp.MSPPrincipal{ 618 PrincipalClassification: msp.MSPPrincipal_ROLE, 619 Principal: principalBytes} 620 621 principals := []*msp.MSPPrincipal{principalOU, principalRole} 622 623 combinedPrincipal := &msp.CombinedPrincipal{Principals: principals} 624 combinedPrincipalBytes, err := proto.Marshal(combinedPrincipal) 625 626 assert.NoError(t, err) 627 628 principalsCombined := &msp.MSPPrincipal{PrincipalClassification: msp.MSPPrincipal_COMBINED, Principal: combinedPrincipalBytes} 629 630 err = id1.SatisfiesPrincipal(principalsCombined) 631 assert.NoError(t, err) 632 } 633 634 func TestPrincipalCombinedBad(t *testing.T) { 635 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 636 assert.NoError(t, err) 637 638 id1, err := getDefaultSigner(msp1) 639 assert.NoError(t, err) 640 641 // create combined principal requiring membership of OU1 in MSP1 and requiring admin role 642 ou := &msp.OrganizationUnit{ 643 OrganizationalUnitIdentifier: id1.GetOrganizationalUnits()[0].OrganizationalUnitIdentifier, 644 MspIdentifier: id1.GetMSPIdentifier(), 645 CertifiersIdentifier: nil, 646 } 647 principalBytes, err := proto.Marshal(ou) 648 assert.NoError(t, err) 649 650 principalOU := &msp.MSPPrincipal{ 651 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 652 Principal: principalBytes} 653 654 principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ADMIN, MspIdentifier: id1.GetMSPIdentifier()}) 655 assert.NoError(t, err) 656 657 principalRole := &msp.MSPPrincipal{ 658 PrincipalClassification: msp.MSPPrincipal_ROLE, 659 Principal: principalBytes} 660 661 principals := []*msp.MSPPrincipal{principalOU, principalRole} 662 663 combinedPrincipal := &msp.CombinedPrincipal{Principals: principals} 664 combinedPrincipalBytes, err := proto.Marshal(combinedPrincipal) 665 666 assert.NoError(t, err) 667 668 principalsCombined := &msp.MSPPrincipal{PrincipalClassification: msp.MSPPrincipal_COMBINED, Principal: combinedPrincipalBytes} 669 670 err = id1.SatisfiesPrincipal(principalsCombined) 671 assert.Error(t, err, "non-admin member of OU1 in MSP1 should not satisfy principal admin and OU1 in MSP1") 672 assert.Contains(t, err.Error(), "user is not an admin") 673 } 674 675 func TestPrincipalCombinedV11(t *testing.T) { 676 msp1, err := setupWithVersion("testdata/idemix/MSP1OU1", "MSP1OU1", MSPv1_1) 677 assert.NoError(t, err) 678 679 id1, err := getDefaultSigner(msp1) 680 assert.NoError(t, err) 681 682 ou := &msp.OrganizationUnit{ 683 OrganizationalUnitIdentifier: id1.GetOrganizationalUnits()[0].OrganizationalUnitIdentifier, 684 MspIdentifier: id1.GetMSPIdentifier(), 685 CertifiersIdentifier: nil, 686 } 687 principalBytes, err := proto.Marshal(ou) 688 assert.NoError(t, err) 689 690 principalOU := &msp.MSPPrincipal{ 691 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 692 Principal: principalBytes} 693 694 principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: id1.GetMSPIdentifier()}) 695 assert.NoError(t, err) 696 697 principalRole := &msp.MSPPrincipal{ 698 PrincipalClassification: msp.MSPPrincipal_ROLE, 699 Principal: principalBytes} 700 701 principals := []*msp.MSPPrincipal{principalOU, principalRole} 702 703 combinedPrincipal := &msp.CombinedPrincipal{Principals: principals} 704 combinedPrincipalBytes, err := proto.Marshal(combinedPrincipal) 705 706 assert.NoError(t, err) 707 708 principalsCombined := &msp.MSPPrincipal{PrincipalClassification: msp.MSPPrincipal_COMBINED, Principal: combinedPrincipalBytes} 709 710 err = id1.SatisfiesPrincipal(principalsCombined) 711 assert.Error(t, err) 712 assert.Contains(t, err.Error(), "Combined MSP Principals are unsupported in MSPv1_1") 713 } 714 715 func TestRoleClientV11(t *testing.T) { 716 msp1, err := setupWithVersion("testdata/idemix/MSP1OU1", "MSP1OU1", MSPv1_1) 717 assert.NoError(t, err) 718 id1, err := getDefaultSigner(msp1) 719 assert.NoError(t, err) 720 721 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_CLIENT, MspIdentifier: id1.GetMSPIdentifier()}) 722 assert.NoError(t, err) 723 principalRole := &msp.MSPPrincipal{ 724 PrincipalClassification: msp.MSPPrincipal_ROLE, 725 Principal: principalBytes} 726 err = id1.SatisfiesPrincipal(principalRole) 727 assert.Error(t, err) 728 assert.Contains(t, err.Error(), "invalid MSP role type") 729 } 730 731 func TestRolePeerV11(t *testing.T) { 732 msp1, err := setupWithVersion("testdata/idemix/MSP1OU1", "MSP1OU1", MSPv1_1) 733 assert.NoError(t, err) 734 id1, err := getDefaultSigner(msp1) 735 assert.NoError(t, err) 736 737 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_PEER, MspIdentifier: id1.GetMSPIdentifier()}) 738 assert.NoError(t, err) 739 principalRole := &msp.MSPPrincipal{ 740 PrincipalClassification: msp.MSPPrincipal_ROLE, 741 Principal: principalBytes} 742 err = id1.SatisfiesPrincipal(principalRole) 743 assert.Error(t, err) 744 assert.Contains(t, err.Error(), "invalid MSP role type") 745 }