github.com/ewagmig/fabric@v2.1.1+incompatible/common/deliver/acl_test.go (about)

     1  /*
     2  Copyright IBM Corp. All Rights Reserved.
     3  
     4  SPDX-License-Identifier: Apache-2.0
     5  */
     6  
     7  package deliver_test
     8  
     9  import (
    10  	"time"
    11  
    12  	cb "github.com/hyperledger/fabric-protos-go/common"
    13  	"github.com/hyperledger/fabric/common/deliver"
    14  	"github.com/hyperledger/fabric/common/deliver/mock"
    15  	"github.com/hyperledger/fabric/protoutil"
    16  	. "github.com/onsi/ginkgo"
    17  	. "github.com/onsi/gomega"
    18  	"github.com/pkg/errors"
    19  )
    20  
// This suite pins the access-control contract of a deliver session as seen
// through deliver.NewSessionAC and the Evaluate method of the value it returns:
// the policy checker is consulted with the caller's envelope and channel ID, a
// successful check is reused until the chain's config sequence advances, an
// expired client identity is rejected, and an envelope that cannot be turned
// into signed data is refused at construction time.
var _ = Describe("SessionAccessControl", func() {
	const channelID = "chain-id"

	var (
		chain   *mock.Chain
		request *cb.Envelope
		checker *mock.PolicyChecker
		expiry  deliver.ExpiresAtFunc
	)

	// expectPolicyChecks asserts how many times the fake policy checker has
	// been invoked so far. The offset keeps failures attributed to the caller.
	expectPolicyChecks := func(want int) {
		ExpectWithOffset(1, checker.CheckPolicyCallCount()).To(Equal(want))
	}

	BeforeEach(func() {
		// Minimal envelope: a payload with an empty header is enough for the
		// cases below that expect construction to succeed.
		payload := protoutil.MarshalOrPanic(&cb.Payload{Header: &cb.Header{}})
		request = &cb.Envelope{Payload: payload}

		chain = new(mock.Chain)
		checker = new(mock.PolicyChecker)

		// Default expiry is the zero time.Time. None of the cases that use it
		// observe an expiry error, so it is presumably treated as "no expiry"
		// by the code under test (confirm against NewSessionAC).
		expiry = func(_ []byte) time.Time {
			var never time.Time
			return never
		}
	})

	It("evaluates the policy", func() {
		session, err := deliver.NewSessionAC(chain, request, checker, channelID, expiry)
		Expect(err).NotTo(HaveOccurred())

		Expect(session.Evaluate()).To(Succeed())

		// The checker must see exactly the envelope and channel the session
		// was built with, not a copy of something else.
		expectPolicyChecks(1)
		gotEnvelope, gotChannel := checker.CheckPolicyArgsForCall(0)
		Expect(gotEnvelope).To(Equal(request))
		Expect(gotChannel).To(Equal(channelID))
	})

	Context("when policy evaluation returns an error", func() {
		BeforeEach(func() {
			checker.CheckPolicyReturns(errors.New("no-access-for-you"))
		})

		// NOTE(review): only the first Evaluate after a denial is asserted.
		// Whether a later Evaluate on the same session re-checks the policy
		// or reuses a cached outcome is not pinned by this suite.
		It("returns the evaluation error", func() {
			session, err := deliver.NewSessionAC(chain, request, checker, channelID, expiry)
			Expect(err).NotTo(HaveOccurred())

			Expect(session.Evaluate()).To(MatchError("no-access-for-you"))
		})
	})

	It("caches positive policy evaluation", func() {
		session, err := deliver.NewSessionAC(chain, request, checker, channelID, expiry)
		Expect(err).NotTo(HaveOccurred())

		// Five successful evaluations must cost a single policy check.
		for remaining := 5; remaining > 0; remaining-- {
			Expect(session.Evaluate()).To(Succeed())
		}
		expectPolicyChecks(1)
	})

	Context("when the config sequence changes", func() {
		BeforeEach(func() {
			// Call index 2 is the third CheckPolicy invocation; the case
			// below reaches it only after the sequence has moved twice.
			checker.CheckPolicyReturnsOnCall(2, errors.New("access-now-denied"))
		})

		It("re-evaluates the policy", func() {
			session, err := deliver.NewSessionAC(chain, request, checker, channelID, expiry)
			Expect(err).NotTo(HaveOccurred())

			// Initial sequence: one check, then the cached result is reused.
			Expect(session.Evaluate()).To(Succeed())
			expectPolicyChecks(1)
			Expect(session.Evaluate()).To(Succeed())
			expectPolicyChecks(1)

			// Sequence 2: the cached grant is dropped and re-checked once.
			chain.SequenceReturns(2)
			Expect(session.Evaluate()).To(Succeed())
			expectPolicyChecks(2)
			Expect(session.Evaluate()).To(Succeed())
			expectPolicyChecks(2)

			// Sequence 3: the re-check now fails, so a grant cached under an
			// older config must not survive the config update.
			chain.SequenceReturns(3)
			Expect(session.Evaluate()).To(MatchError("access-now-denied"))
			expectPolicyChecks(3)
		})
	})

	Context("when an identity expires", func() {
		BeforeEach(func() {
			// Wall-clock dependent: the identity is valid for a short window
			// measured from the moment the expiry function is called.
			const lifetime = 250 * time.Millisecond
			expiry = func(_ []byte) time.Time {
				return time.Now().Add(lifetime)
			}
		})

		It("returns an identity expired error", func() {
			session, err := deliver.NewSessionAC(chain, request, checker, channelID, expiry)
			Expect(err).NotTo(HaveOccurred())

			// Still inside the validity window: access is granted.
			Expect(session.Evaluate()).To(Succeed())

			// A previously granted session must start failing once the
			// identity has expired. This relies on Eventually polling for
			// longer than the 250ms lifetime.
			Eventually(session.Evaluate).Should(MatchError(ContainSubstring("client identity expired")))
		})
	})

	Context("when the envelope cannot be represented as signed data", func() {
		BeforeEach(func() {
			request = new(cb.Envelope)
		})

		It("returns an error", func() {
			// Derive the expected error from the same conversion helper so
			// the test does not hard-code its message.
			_, wantErr := protoutil.EnvelopeAsSignedData(request)
			Expect(wantErr).To(HaveOccurred())

			_, gotErr := deliver.NewSessionAC(chain, request, checker, channelID, expiry)
			Expect(gotErr).To(Equal(wantErr))
		})
	})
})