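#!/bin/bash
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# Shared helpers for the fabric-ca functional verification tests (fvt).
# This file is meant to be sourced: it exports settings and defines
# functions and runs nothing on its own.
#
# Expected to be set by the caller before sourcing: GOPATH, LDAPUSER and
# LDAPPASWD (both are expanded into LDAPAUTH at source time, so setting them
# later has no effect). The ldap helpers also read LDAPPORT, which is a
# different variable from the LDAP_PORT exported below -- presumably the
# caller sets it; confirm.
# All credentials and hostnames in this file are test-fixture values.
export FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
export FABRIC_CA_CLIENTEXEC="/usr/local/bin/fabric-ca-client"
export FABRIC_CA_SERVEREXEC="/usr/local/bin/fabric-ca-server"
export TESTDATA="$FABRIC_CA/testdata"
export SCRIPTDIR="$FABRIC_CA/scripts/fvt"
export MYSQL_PORT="3306"
export LDAP_PORT="636"
export LDAP_PROTO="ldaps://"
export LDAP_TLS_PROTO="ldaps://"
export POSTGRES_PORT="5432"
export PGPASSWORD='postgres'
export MSP_KEY_DIR='msp/keystore'
export MSP_CERT_DIR='msp/signcerts'
export FABRIC_CA_DATA="/etc/hyperledger/fabric-ca"
export TLS_ROOTCERT="$FABRIC_CA_DATA/FabricTlsPkiBundle.pem"
export TLS_SUBCACERT="$FABRIC_CA_DATA/FabricTlsSubCa-cert.pem"
export TLS_RACERT="$FABRIC_CA_DATA/FabricTlsRa-cert.pem"
export TLS_SERVERCERT="$FABRIC_CA_DATA/FabricTlsServerEEcert.pem"
export TLS_SERVERKEY="$FABRIC_CA_DATA/FabricTlsServerEEkey.pem"
export TLS_CLIENTCERT="$FABRIC_CA_DATA/FabricTlsClientEEcert.pem"
export TLS_CLIENTKEY="$FABRIC_CA_DATA/FabricTlsClientEEkey.pem"
export TLSOPT="--tls.certfiles $TLS_ROOTCERT"
export INTTLSOPT="--intermediate.tls.certfiles $TLS_ROOTCERT"
export CA_HOST_ADDRESS="localhost"
export PROXY_PORT="7054"
export CA_DEFAULT_PORT="1${PROXY_PORT}"
export PROFILING_PORT="2${PROXY_PORT}"
export DEFAULT_TIMEOUT="180"
export DEFAULT_CA_TIMEOUT="150"
export DEFAULT_HTTP_TIMEOUT="30"
export DEFAULT_MSG_TIMEOUT="30"
export DEFAULT_DB_TIMEOUT="30"
export INTERMEDIATE_PROXY_PORT="8054"
export INTERMEDIATE_CA_DEFAULT_PORT="1${INTERMEDIATE_PROXY_PORT}"
# The LDAP* option strings below are deliberately word-split when used
# (ldapsearch $LDAPHOST $LDAPAUTH ...); they must not contain spaces
# inside a single value.
export LDAPHOST="-h localhost"
export LDAPAUTH="-D cn=$LDAPUSER,dc=example,dc=com -w $LDAPPASWD"
export LDAPBASE="-b dc=example,dc=com"
export LDAPUSERBASE="-b ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com"
export DEFAULT_RUN_CONFIG_FILE_NAME="runFabricCaFvt.yaml"
export PROTO="https://"
# Command strings; expanded unquoted on purpose so the argument is split off.
DATE='date +%Y-%m-%d'
TIME='date +%I:%M:%S%p'

#######################################
# Filter stdin, dropping comment lines and blank lines.
#######################################
stripBlank() {
  grep -Ev "^ *#|^$"
}

#######################################
# List one LDAP user entry from the users subtree.
# Arguments: $1 - uid to search for (default: $LDAPUSER)
#            $@ - remaining args are passed through to ldapsearch
#######################################
listUser() {
  local user="${1:-$LDAPUSER}"
  if [ $# -gt 0 ]; then
    shift
  fi
  # shellcheck disable=SC2086  # option strings are meant to be split
  ldapsearch $LDAPHOST $LDAPAUTH $LDAPUSERBASE -s sub "(uid=$user)" "$@" | stripBlank
}

#######################################
# List the dn of every entry in the users subtree.
#######################################
listUsers() {
  # shellcheck disable=SC2086
  ldapsearch $LDAPHOST $LDAPAUTH $LDAPUSERBASE dn | stripBlank
}

#######################################
# List group dns, or the members of one group.
# Arguments: $1 - group cn; when empty, list all posixGroup/groupOfNames dns
#######################################
listGroups() {
  local group="$1"
  # shellcheck disable=SC2086
  if [ -z "$group" ]; then
    ldapsearch $LDAPHOST $LDAPAUTH $LDAPBASE \
      -s sub "(|(objectclass=posixGroup) (objectclass=groupOfNames))" dn | stripBlank
  else
    ldapsearch $LDAPHOST $LDAPAUTH $LDAPBASE \
      -s sub "(memberOf=cn=$group,ou=groups,dc=example,dc=com)" dn | stripBlank
  fi
}

#######################################
# Replace one attribute value on an LDAP entry.
# Arguments: $1 - entry dn, $2 - attribute name, $3 - new value
# Returns:   1 on a usage error, else ldapmodify's status
#######################################
changeAttr() {
  if [ $# -ne 3 ]; then
    echo "Usage: changeAttr <entry> <attr> <value>" >&2
    return 1
  fi
  local entry="$1"
  local attr="$2"
  local val="$3"
  # shellcheck disable=SC2086
  ldapmodify $LDAPHOST $LDAPAUTH <<EOF
dn: $entry
changetype: modify
replace: $attr
$attr: $val
EOF
}

#######################################
# Delete a user from the fabric users subtree.
# Arguments: $1 - uid
# Globals:   LDAPPORT (read) -- note: not LDAP_PORT
# Returns:   1 on a usage error, else ldapdelete's status
#######################################
delUser() {
  if [ $# -ne 1 ]; then
    echo "Usage: delUser <userName>" >&2
    return 1
  fi
  local user="$1"
  # shellcheck disable=SC2086
  ldapdelete $LDAPHOST -p "$LDAPPORT" $LDAPAUTH \
    "uid=$user,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com"
}

#######################################
# Add a user to the fabric users subtree (the equivalent of a top-level
# fabric-ca administrator), with the next free uidNumber.
# Arguments: $1 - uid
# Globals:   LDAPPORT, LDAPUSER, LDAPPASWD (read);
#            userpw (read) -- not set in this file; presumably a caller
#            global holding the new user's password, confirm.
# Returns:   1 on a usage error, else ldapadd's status
#######################################
addUser() {
  if [ $# -ne 1 ]; then
    echo "Usage: addUser <userName>" >&2
    return 1
  fi
  local user="$1"
  local uidN
  # Highest uidNumber currently in use; the new user gets uidN+1.
  # shellcheck disable=SC2086
  uidN=$(ldapsearch $LDAPHOST -p "$LDAPPORT" $LDAPAUTH $LDAPUSERBASE |
    awk '/uidNumber:/ {print $2}' | sort -n | tail -n1)
  ldapadd -h localhost -p "$LDAPPORT" \
    -D "cn=$LDAPUSER,dc=example,dc=com" -w "$LDAPPASWD" <<EOF
# User account
dn: uid=$user,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: $user
cn: $user
sn: Hyperledeger
givenName: $user
o: Hyperledger
ou: Fabric
st: North Carolina
uidNumber: $((uidN+1))
gidNumber: $((uidN+1))
mail: $user@hyperledeger.example.com
loginShell: /bin/bash
homeDirectory: /home/$user
userPassword: $userpw
EOF
}

#######################################
# Print "TIMESTAMP--<date> <time>" using the DATE/TIME command strings.
#######################################
TimeStamp() {
  # shellcheck disable=SC2086  # DATE/TIME are "command arg" strings
  printf "TIMESTAMP--%s %s\n" "$($DATE)" "$($TIME)"
}

#######################################
# Lower-case a string.
# Arguments: $1 - string
#######################################
tolower() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

#######################################
# Run one SQL command against the local postgres as user postgres.
# Arguments: $1 - SQL command, $2 - extra psql option (may be empty)
# Returns:   psql's exit status
#######################################
runPSQL() {
  local cmd="$1"
  local opts="$2"
  local rc
  # run from /tmp (psql may not be able to read the caller's cwd); the
  # subshell restores the cwd on every path
  (cd /tmp && /usr/bin/psql "$opts" -U postgres -h localhost -c "$cmd")
  rc=$?
  return $rc
}

#######################################
# Print an error message and increment an error counter.
# Arguments: $1 - message, $2 - name of the counter variable (default: RC)
#######################################
ErrorMsg() {
  local msg="$1"
  local rc="$2"
  : "${rc:="RC"}"
  echo -e "\033[31m ****** ERROR ****** $msg \033[0m"
  # indirect increment of the caller's counter
  let "$rc+=1"
}

#######################################
# Tear down the server, report the error, run CleanUp and exit with the
# counter's value.
# Arguments: $1 - message, $2 - name of the counter variable (default: RC)
# Globals:   SCRIPTDIR, CA_CFG_PATH (read)
#######################################
ErrorExit() {
  "$SCRIPTDIR/fabric-ca_setup.sh" -R -x "$CA_CFG_PATH"
  local msg="$1"
  local rc="$2"
  : "${rc:="RC"}"
  ErrorMsg "$msg" "$rc"
  CleanUp "${!rc}"
  exit "${!rc}"
}

#######################################
# Test whether something is listening on host:port.
# netcat (nc -nzvt host port) would be far simpler but is not guaranteed
# to be installed, so python is used since it is ubiquitous.
# Arguments: $1 - host, $2 - port
# Returns:   1 when either argument is empty, else connect_ex's result
#            (0 on success)
#######################################
isReachable() {
  local host="$1"
  local port="$2"
  [[ -z "$host" || -z "$port" ]] && return 1

  # host/port go in via argv, not interpolated into the python source
  python - "$host" "$port" <<'END'
import socket
import sys
import os
remoteServer = sys.argv[1]
port = int(sys.argv[2])
remoteServerIP = socket.gethostbyname(remoteServer)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((remoteServerIP, port))
sock.close()
os._exit(result)
END
}

#######################################
# Poll host:port until it starts (or stops) listening, or until timeout.
# Arguments: $1 - app name (for the progress message), $2 - host, $3 - port,
#            $4 - timeout in seconds (default: DEFAULT_TIMEOUT),
#            $5 - "start" (default) or "stop"
# Returns:   0 once the requested state is reached, non-zero on timeout
#######################################
pollServer() {
  local app="$1"
  local host="$2"
  local port="$3"
  local timeout="$4"
  : "${timeout:=$DEFAULT_TIMEOUT}"
  local action="$5"
  : "${action:="start"}"
  local rc=1
  local starttime
  starttime=$(date +%s)
  # shellcheck disable=SC2034  # kept for the ss(8) variant below
  local searchHost="$host"
  [[ "$host" = "0.0.0.0" ]] && searchHost='*'

  # continue to poll host:port until
  # we either get a response, or reach timeout
  while [[ "$(($(date +%s)-starttime))" -lt "$timeout" && $rc -ne 0 ]]; do
    printf "\r%s%03d" "Waiting for $app to $action on $host:$port... " "$(($(date +%s)-starttime))"
    # ss -lpnt "src $searchHost:$port"
    isReachable "$host" "$port"
    rc=$?
    # invert the normal sense of 'success' for stop
    if [[ "$action" == "stop" ]]; then
      if [[ $rc -ne 0 ]]; then rc=0; else rc=1; fi
    fi
    [[ $rc -eq 0 ]] && break
  done
  return $rc
}

#######################################
# Poll a log file until a regex matches, or until timeout.
# Arguments: $1 - extended regex, $2 - log path,
#            $3 - timeout in seconds (default: DEFAULT_MSG_TIMEOUT)
# Returns:   0 when found, non-zero on timeout
#######################################
pollLogForMsg() {
  local msg="$1"
  local log="$2"
  local timeout="$3"
  : "${timeout:=$DEFAULT_MSG_TIMEOUT}"
  local rc=1
  local starttime
  starttime=$(date +%s)

  # continue to poll until
  # we find $msg in $log, or reach timeout
  while [[ "$(($(date +%s)-starttime))" -lt "$timeout" && $rc -ne 0 ]]; do
    grep -E "$msg" "$log"
    rc=$?
    [[ $rc -eq 0 ]] && break
    sleep .1
  done
  return $rc
}

#######################################
# pollServer with fabric-ca-server defaults.
# Arguments: $1 - app, $2 - host, $3 - port, $4 - action, $5 - timeout
#            (every argument may be empty to take its default)
#######################################
pollFabricCa() {
  local app="${1:-$FABRIC_CA_SERVEREXEC}"
  local host="${2:-$CA_HOST_ADDRESS}"
  local port="${3:-$PROXY_PORT}"
  local action="${4:-start}"
  local timeout="${5:-$DEFAULT_CA_TIMEOUT}"

  pollServer "$app" "$host" "$port" "$timeout" "$action"
}

#######################################
# pollServer with defaults for the python SimpleHTTPServer (localhost:3755).
# Arguments: $1 - app, $2 - host, $3 - port, $4 - action, $5 - timeout
#######################################
pollSimpleHttp() {
  local app="${1:-python}"
  local host="${2:-localhost}"
  local port="${3:-3755}"
  local action="${4:-start}"
  local timeout="${5:-$DEFAULT_HTTP_TIMEOUT}"

  pollServer "$app" "$host" "$port" "$timeout" "$action"
}

#######################################
# pollServer with mysqld defaults.
# Arguments: $1 - app, $2 - host, $3 - port, $4 - action, $5 - timeout
#######################################
pollMySql() {
  local app="${1:-/usr/sbin/mysqld}"
  local host="${2:-localhost}"
  local port="${3:-$MYSQL_PORT}"
  local action="${4:-start}"
  local timeout="${5:-$DEFAULT_DB_TIMEOUT}"

  pollServer "$app" "$host" "$port" "$timeout" "$action"
}

#######################################
# pollServer with postgres defaults.
# Arguments: $1 - app, $2 - host, $3 - port, $4 - action, $5 - timeout
#######################################
pollPostgres() {
  local app="${1:-postgres -D /usr/local/pgsql/data}"
  local host="${2:-localhost}"
  local port="${3:-$POSTGRES_PORT}"
  local action="${4:-start}"
  local timeout="${5:-$DEFAULT_DB_TIMEOUT}"

  pollServer "$app" "$host" "$port" "$timeout" "$action"
}

#######################################
# Print the end-of-test summary.
# Arguments: $1 - test result code (default: 0)
# Globals:   TESTCASE, STARTIME (read); RESULT, RUNTIME_S (written)
#######################################
CleanUp() {
  local RC="${1:-0}"
  ###############################################################################
  # Summary
  ###############################################################################
  echo ""
  echo "#########################################################################"
  printf 'RC: %s, %s ' "$RC" "$TESTCASE"

  if [[ "$RC" -eq 0 ]]; then
    RESULT="PASSED"
  else
    RESULT="FAILED"
  fi

  printf "%s\n" "$RESULT"
  RUNTIME_S="$((SECONDS-STARTIME))"
  echo "$((RUNTIME_S/60)) minutes, $((RUNTIME_S%60)) seconds runtime"
  printf '%s %s ENDED\n' "$(TimeStamp)" "$TESTCASE"
  echo "#########################################################################"

  TimeStamp
  printf "%s test ended.\n" "$TESTCASE"
}

#######################################
# Validate, from the haproxy stats page, that backend <server_name> got at
# least <num_requests> requests and that at least <percent> of them had
# HTTP status <code>.
# Arguments: $1 - haproxy stats address (default localhost:10888),
#            $2 - backend server name (default server1),
#            $3 - minimum request count (default 1),
#            $4 - minimum percent (default 100),
#            $5 - status class as shown by haproxy (default "HTTP 2xx"),
#            $6 - test(1) comparison without the dash (default eq)
# Returns:   0 when both checks pass, 1 or 2 otherwise
#######################################
verifyServerTraffic() {
  local haproxy_addr="${1:-localhost:10888}"
  local server_name="${2:-server1}"
  local num_requests="${3:-1}"
  local percent="${4:-100}"
  local code="${5:-HTTP 2xx}"
  local op="${6:-eq}"
  local rc=0
  local result

  result=$(curl -s "http://${haproxy_addr}/" |
    awk -v s="$server_name\"" '$0~s' | html2text |
    awk -v c="$code" '
      /Cum. sessions:/ {sessions=$NF}
      $0~c {gsub(/[(%)]/,"",$NF);status=$NF}
      END {print sessions" "status}')
  # plain test, no eval: an unexpected operator or value just fails the check
  test "${result%% *}" "-$op" "$num_requests" 2>/dev/null; rc=$((rc+$?))
  test "${result##* }" "-$op" "$percent" 2>/dev/null; rc=$((rc+$?))
  return $rc
}

#######################################
# Dump a certificate and its private key in text form.
# Arguments: $1 - PEM certificate path, $2 - PEM key path
# Returns:   1 unless exactly two arguments are given
#######################################
printAuth() {
  [[ "$#" -eq 2 ]] || return 1
  local CLIENTCERT="$1"
  local CLIENTKEY="$2"
  local type

  echo CERT:
  openssl x509 -in "$CLIENTCERT" -text 2>&1 | sed 's/^/ /'
  # key type from the PEM header, e.g. "-----BEGIN EC PRIVATE KEY-----" -> ec;
  # an unlabelled "-----BEGIN PRIVATE KEY-----" is assumed to be ec
  type=$(head -n1 -- "$CLIENTKEY" | awk '{print tolower($2)}')
  [[ "$type" = "private" ]] && type=ec
  echo KEY:
  openssl "$type" -in "$CLIENTKEY" -text 2>/dev/null | sed 's/^/ /'
}

#######################################
# Serve <rootdir> over HTTP on <port> in the background and wait for it.
# Arguments: $1 - port, $2 - directory to serve
# Globals:   HTTP_PID (written) - pid of the background server
#######################################
startHttp() {
  local port="$1"
  local rootdir="$2"
  cd "$rootdir" || return 1
  python -m SimpleHTTPServer "$port" &
  HTTP_PID=$!
  # poll the port actually used, not pollSimpleHttp's default
  pollSimpleHttp "" "" "$port"
}

#######################################
# Check that a certificate and a private key belong together.
# Arguments: $1 - certificate path, $2 - key path,
#            $3 - key algorithm for openssl (default rsa)
# Returns:   0 on match, 1 on missing files or mismatch
#######################################
keyCheck() {
  local cert="$1"
  local key="$2"
  local alg="${3:-rsa}"
  local k_hash c_hash
  [[ -f "$cert" && -f "$key" ]] || return 1

  # check to see that the public/private key pair match
  case "$alg" in
    rsa|dsa)
      k_hash=$(openssl "$alg" -noout -modulus -in "$key" 2>&1 | awk -F'=' '/=/ {print $2}' | openssl md5 | awk '{print $NF}')
      c_hash=$(openssl x509 -noout -modulus -in "$cert" 2>&1 | awk -F'=' '/=/ {print $2}' | openssl md5 | awk '{print $NF}')
      ;;
    *)
      k_hash=$(openssl "$alg" -pubout -in "$key" 2>/dev/null | openssl md5 | awk '{print $NF}')
      c_hash=$(openssl x509 -noout -pubkey -in "$cert" | openssl md5 | awk '{print $NF}')
      ;;
  esac

  [[ -z "$k_hash" || -z "$c_hash" ]] && return 1
  [[ "$k_hash" == "$c_hash" ]] || return 1

  return 0
}

#######################################
# Enroll a user with the fabric-ca server.
# Arguments: $1 - username (default admin), $2 - password (default adminpw),
#            $3 - optional value for --enrollment.attrs
# Globals:   CA_CFG_PATH, PROXY_PORT, TLSOPT, FABRIC_CA_DEBUG (read);
#            FABRIC_CA_CLIENT_HOME, FABRIC_CA_ENROLLMENT_DIR, ENROLLCONFIG,
#            ATTRS (written)
# Outputs:   cert to <enrollment dir>/$MSP_CERT_DIR/cert.pem,
#            key to <enrollment dir>/$MSP_KEY_DIR/key.pem
# Returns:   the client's exit status
#######################################
enroll() {
  local username="${1:-admin}"
  local userpswd="${2:-adminpw}"
  # reset on every call so a previous call's attrs do not leak into this one
  ATTRS=""
  if [ $# -gt 2 ]; then
    ATTRS="--enrollment.attrs $3"
  fi
  local FABRIC_CA_ENROLLMENT_DIR="$CA_CFG_PATH/$username"
  local FABRIC_CA_CERT_FILE="$FABRIC_CA_ENROLLMENT_DIR/$MSP_CERT_DIR/cert.pem"
  local FABRIC_CA_KEY_FILE="$FABRIC_CA_ENROLLMENT_DIR/$MSP_KEY_DIR/key.pem"
  local FABRIC_CA_CLIENT_HOME=$FABRIC_CA_ENROLLMENT_DIR
  local RC=0
  export FABRIC_CA_CLIENT_HOME
  export FABRIC_CA_ENROLLMENT_DIR

  [[ -d "$FABRIC_CA_ENROLLMENT_DIR" ]] || mkdir -p "$FABRIC_CA_ENROLLMENT_DIR"
  ENROLLCONFIG="$FABRIC_CA_ENROLLMENT_DIR/enroll.yaml"

  # shellcheck disable=SC2086  # TLSOPT and ATTRS are "option value" strings
  "$FABRIC_CA_CLIENTEXEC" enroll -u "${PROTO}${username}:${userpswd}@${CA_HOST_ADDRESS}:$PROXY_PORT" $TLSOPT \
    -c "$ENROLLCONFIG" $ATTRS \
    --csr.hosts "$username@fab-client.raleigh.ibm.com" \
    --csr.hosts "$username.fabric.raleigh.ibm.com,127.0.0.2"
  RC=$?
  if [[ -n "$FABRIC_CA_DEBUG" ]]; then
    # FABRIC_CA_DEBUG holds a command name (true/false) used as the switch
    if [[ "$RC" -eq 0 ]] && $FABRIC_CA_DEBUG; then
      printAuth "$FABRIC_CA_CERT_FILE" "$FABRIC_CA_KEY_FILE"
    fi
  fi
  return $RC
}

#######################################
# Re-enroll a previously enrolled user, then list the server state.
# Arguments: $1 - username (default admin)
# Globals:   CA_CFG_PATH, PROXY_PORT, TLSOPT, FABRIC_CA_DEBUG, SCRIPTDIR,
#            driver (read); KEYTYPE, KEYLEN defaulted if unset;
#            FABRIC_CA_CLIENT_HOME, FABRIC_CA_ENROLLMENT_DIR, ENROLLCONFIG
#            (written)
# Returns:   the client's exit status
#######################################
reenroll() {
  local USERNAME="${1:-admin}"
  local FABRIC_CA_ENROLLMENT_DIR="$CA_CFG_PATH/$USERNAME"
  local FABRIC_CA_CERT_FILE="$FABRIC_CA_ENROLLMENT_DIR/$MSP_CERT_DIR/cert.pem"
  local FABRIC_CA_KEY_FILE="$FABRIC_CA_ENROLLMENT_DIR/$MSP_KEY_DIR/key.pem"
  local FABRIC_CA_CLIENT_HOME=$FABRIC_CA_ENROLLMENT_DIR
  local RC=0
  export FABRIC_CA_CLIENT_HOME
  export FABRIC_CA_ENROLLMENT_DIR

  [[ -d "$FABRIC_CA_ENROLLMENT_DIR" ]] || mkdir -p "$FABRIC_CA_ENROLLMENT_DIR"
  FABRIC_CA_CERT_FILE="$FABRIC_CA_CLIENT_HOME/$MSP_CERT_DIR/cert.pem"
  FABRIC_CA_KEY_FILE="$FABRIC_CA_CLIENT_HOME/$MSP_KEY_DIR/key.pem"

  : "${KEYTYPE="ecdsa"}"
  : "${KEYLEN="256"}"
  [[ -d "$FABRIC_CA_CLIENT_HOME" ]] || mkdir -p "$FABRIC_CA_CLIENT_HOME"
  ENROLLCONFIG="$FABRIC_CA_CLIENT_HOME/enroll.yaml"
  export FABRIC_CA_CLIENT_HOME
  # shellcheck disable=SC2086
  "$FABRIC_CA_CLIENTEXEC" reenroll -u "$PROTO${CA_HOST_ADDRESS}:$PROXY_PORT" $TLSOPT -c "$ENROLLCONFIG"
  RC=$?
  # FABRIC_CA_DEBUG is a command name (true/false); unset counts as on
  if ${FABRIC_CA_DEBUG:-true}; then
    printAuth "$FABRIC_CA_CERT_FILE" "$FABRIC_CA_KEY_FILE"
  fi
  "$SCRIPTDIR/fabric-ca_setup.sh" -L -d "$driver"
  return $RC
}

#######################################
# Register a new identity using an enrolled registrar.
# Arguments: $1 - registrar (default admin), $2 - new user (default testuser),
#            $3 - type (default client), $4 - affiliation (default bank_a,
#            '[]' for none), $5 - attrs (default test=testValue),
#            $6 - registrar's enrollment dir (default $CA_CFG_PATH/<registrar>)
# Globals:   FABRIC_CA_CLIENT_HOME defaulted if unset;
#            FABRIC_CA_ENROLLMENT_DIR (exported)
# Returns:   the client's exit status
#######################################
register() {
  local REGISTRAR="${1:-admin}"
  local USERNAME="${2:-testuser}"
  local USERTYPE="${3:-client}"
  local USERGRP="${4:-bank_a}"
  local USERGRP_OPT
  if [[ "$USERGRP" = '[]' ]]; then
    USERGRP_OPT=""
  else
    USERGRP_OPT="--id.affiliation $USERGRP"
  fi
  local USERATTR="${5:-test=testValue}"
  local FABRIC_CA_ENROLLMENT_DIR="${6:-$CA_CFG_PATH/$REGISTRAR}"
  local rc

  : "${FABRIC_CA_CLIENT_HOME:="$CA_CFG_PATH/$REGISTRAR"}"

  export FABRIC_CA_ENROLLMENT_DIR
  # shellcheck disable=SC2086
  "$FABRIC_CA_CLIENTEXEC" register -d -u "$PROTO${CA_HOST_ADDRESS}:$PROXY_PORT" $TLSOPT \
    --id.name "$USERNAME" \
    --id.type "$USERTYPE" \
    --id.maxenrollments 1 \
    $USERGRP_OPT \
    --id.attrs "$USERATTR" \
    -c "$FABRIC_CA_CLIENT_HOME/fabric-ca-client-config.yaml"
  rc=$?
  return $rc
}

#######################################
# Write a fabric-ca-server run config for a test.
# Arguments: $1 - output path, $2 - db driver, $3 - datasource,
#            $4 - server cert, $5 - server key, $6 - maxEnrollments,
#            $7 - format: "yaml" (default) or "json"
# Globals:   CA_HOST_ADDRESS, CA_DEFAULT_PORT, LDAP_ENABLE (a command name,
#            true/false; unset counts as true), LDAP_ERROR, LDAP_PROTO,
#            LDAP_PORT, TLS_*, KEYTYPE, KEYLEN, CACOUNT (read);
#            FABRIC_CA_DEBUG defaulted to 'false' if unset.
# NOTE(review): the nesting of the YAML bodies below was reconstructed --
#            confirm against the upstream fabric-ca-server-config.yaml.
#######################################
genRunconfig() {
  local runconfig="$1"
  local driver="$2"
  local datasrc="$3"
  local serverCert="$4"
  local serverKey="$5"
  local maxEnroll="$6"
  local version="$7"
  : "${FABRIC_CA_DEBUG:='false'}"
  local registry=""
  local converters=""

  case ${version:-"yaml"} in
    json)
      # a static identity registry is only needed when LDAP is off
      if ! ${LDAP_ENABLE:-true}; then registry="
  \"registry\": {
    \"maxEnrollments\": \"$maxEnroll\",
    \"identities\": [
      {
        \"name\": \"admin\",
        \"pass\": \"adminpw\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": {
          \"hf.Registrar.Roles\": \"client,user,peer,validator,auditor,ca\",
          \"hf.Registrar.DelegateRoles\": \"client,user,validator,auditor\",
          \"hf.Revoker\": true,
          \"hf.GenCRL\": true
        }
      },
      {
        \"name\": \"admin2\",
        \"pass\": \"adminpw2\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": {
          \"hf.Registrar.Roles\": \"client,user,peer,validator,auditor,ca\",
          \"hf.Registrar.DelegateRoles\": \"client,user,validator,auditor\",
          \"hf.Revoker\": true,
          \"hf.GenCRL\": true
        }
      },
      {
        \"name\": \"revoker\",
        \"pass\": \"revokerpw\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": {
          \"hf.Revoker\": true
        }
      },
      {
        \"name\": \"revoker2\",
        \"pass\": \"revokerpw2\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": {
          \"hf.Revoker\": true
        }
      },
      {
        \"name\": \"nonrevoker\",
        \"pass\": \"nonrevokerpw\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\"
      },
      {
        \"name\": \"nonrevoker2\",
        \"pass\": \"nonrevokerpw2\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\"
      },
      {
        \"name\": \"notadmin\",
        \"pass\": \"pass\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": {
          \"hf.Registrar.Roles\": \"client,user,peer,validator,auditor,ca\",
          \"hf.Registrar.DelegateRoles\": \"client\"
        }
      },
      {
        \"name\": \"expiryUser\",
        \"pass\": \"expirypw\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\"
      },
      {
        \"name\": \"testUser\",
        \"pass\": \"user1\",
        \"type\": \"client\",
        \"affiliation\": \"bank_b\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": []
      },
      {
        \"name\": \"testUser2\",
        \"pass\": \"user2\",
        \"type\": \"client\",
        \"affiliation\": \"bank_c\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": []
      },
      {
        \"name\": \"testUser3\",
        \"pass\": \"user3\",
        \"type\": \"client\",
        \"affiliation\": \"bank_a\",
        \"maxEnrollments\": \"$maxEnroll\",
        \"attrs\": []
      }
    ]
  },
"
      fi
      # ldap.tls.certfiles: every element must be a quoted JSON string
      cat > "$runconfig" <<EOF
{
  "address": "$CA_HOST_ADDRESS",
  "port": $CA_DEFAULT_PORT,
  "debug": "$FABRIC_CA_DEBUG",
  "db": {
    "type": "$driver",
    "datasource": "$datasrc"
  },
  "tls": {
    "enabled": true,
    "certfile": "$TLS_SERVERCERT",
    "keyfile": "$TLS_SERVERKEY"
  },
  "ca": {
    "certfile": "$serverCert",
    "keyfile": "$serverKey"
  },
$registry
  "ldap": {
    "enabled": $LDAP_ENABLE,
    "url": "${LDAP_PROTO}CN=admin,dc=example,dc=com:adminpw@localhost:$LDAP_PORT/dc=example,dc=com",
    "tls": {
      "certfiles": [ "$TLS_ROOTCERT", "$TLS_RACERT", "$TLS_SUBCACERT" ],
      "client": {
        "certfile": "$TLS_CLIENTCERT",
        "keyfile": "$TLS_CLIENTKEY"
      }
    }
  },
  "affiliations": {
    "bank_a": [
      "department1"
    ],
    "bank_b": [
      "department1"
    ],
    "bank_c": [
      "department1"
    ],
    "org1": [
      "department1",
      "department2"
    ],
    "org2": [
      "department1",
      "department2"
    ],
    "org3": [
      "department1",
      "department2"
    ]
  },
  "signing": {
    "profiles": null,
    "default": {
      "usage": [
        "cert sign",
        "crl sign",
        "digital signature",
        "key encipherment",
        "timestamping"
      ],
      "expiry": "8000h",
      "crlurl": "http://localhost:3755/TestCRL.crl",
      "caconstraint": {
        "isca": true,
        "maxpathlen": 1,
        "ocspnocheck": true,
        "notbefore": "2016-12-30T00:00:00.000Z"
      }
    }
  },
  "csr": {
    "cn": "fabric-ca-server",
    "names": [
      {
        "C": "US",
        "ST": "North Carolina",
        "L": null,
        "O": "Hyperledger",
        "OU": "Fabric"
      }
    ],
    "hosts": [
      "fabricCa.hyperledger.example.com"
    ],
    "ca": {
      "pathlen": null,
      "pathlenzero": null,
      "expiry": null
    }
  },
  "crypto": {
    "software": {
      "hash_family": "SHA2",
      "security_level": 256,
      "ephemeral": false,
      "key_store_dir": "keys"
    }
  }
}
EOF
      ;;
    yaml)
      # a static identity registry is only needed when LDAP is off
      if ! ${LDAP_ENABLE:-true}; then registry="
registry:
  maxEnrollments: $maxEnroll
  identities:
$(for i in {1..16}; do
  echo "    - name: intermediateCa$i
      pass: intermediateCa${i}pw
      type: client
      affiliation: \"\"
      maxenrollments: $maxEnroll
      attrs:
        hf.Registrar.Roles: \"client,user,peer,validator,auditor\"
        hf.Registrar.DelegateRoles: \"client,user,validator,auditor\"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.AffiliationMgr: true"
done)
    - name: admin
      pass: adminpw
      type: client
      affiliation:
      maxEnrollments: $maxEnroll
      attrs:
        hf.Registrar.Roles: \"client,user,peer,validator,auditor,ca\"
        hf.Registrar.DelegateRoles: \"client,user,validator,auditor\"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.Registrar.Attributes: \"*\"
        hf.GenCRL: true
        hf.AffiliationMgr: true
    - name: admin2
      pass: adminpw2
      type: client
      affiliation:
      maxEnrollments: $maxEnroll
      attrs:
        hf.Registrar.Roles: \"client,user,peer,validator,auditor,ca\"
        hf.Registrar.DelegateRoles: \"client,user,validator,auditor\"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.Registrar.Attributes: \"*\"
        hf.GenCRL: true
    - name: revoker
      pass: revokerpw
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
      attrs:
        hf.Revoker: true
    - name: revoker2
      pass: revokerpw2
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
      attrs:
        hf.Revoker: true
    - name: nonrevoker
      pass: nonrevokerpw
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
    - name: nonrevoker2
      pass: nonrevokerpw2
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
    - name: notadmin
      pass: pass
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
      attrs:
        hf.Registrar.Roles: \"client,user,peer,validator,auditor,ca\"
        hf.Registrar.DelegateRoles: \"client\"
    - name: expiryUser
      pass: expirypw
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
    - name: testUser
      pass: user1
      type: client
      affiliation: bank_b
      maxEnrollments: $maxEnroll
      attrs: []
    - name: testUser2
      pass: user2
      type: client
      affiliation: bank_c
      maxEnrollments: $maxEnroll
      attrs: []
    - name: testUser3
      pass: user3
      type: client
      affiliation: bank_a
      maxEnrollments: $maxEnroll
      attrs: []"
      fi

      # ldap.attribute.converters; indented to sit under "attribute:" below
      converters='
    converters:
      - name: hf.GenCRL
        value: attr("memberOf") =~ "cn=Gencrl,ou=groups,dc=example,dc=com" || attr("memberOf") =~ "cn=pkiAdmin,ou=groups,dc=example,dc=com"
      - name: hf.Revoker
        value: attr("memberOf") =~ "cn=Revoker,ou=groups,dc=example,dc=com" || attr("memberOf") =~ "cn=pkiAdmin,ou=groups,dc=example,dc=com"
      - name: hf.IntermediateCA
        value: attr("memberOf") =~ "cn=Ca,ou=groups,dc=example,dc=com"
      - name: hf.Registrar.Roles
        value: map(attr("memberOf"),"roles")'

      # deliberately broken converter set for the LDAP error-path tests
      if [[ "$LDAP_ERROR" == "true" ]]; then converters='
    converters:
      - name: hf.GenCRL
        value: attr("memberOf") =~ "cn=Gencrl,ou=groups,dc=example,dc=com" || attr("memberOf") =~ "cn=pkiAdmin,ou=groups,dc=example,dc=com"
      - name: hf.Type
        value: client'
      fi

      cat > "$runconfig" <<EOF
address: $CA_HOST_ADDRESS
port: $CA_DEFAULT_PORT
debug: $FABRIC_CA_DEBUG
db:
  type: $driver
  datasource: $datasrc
tls:
  enabled: true
  certfile: $TLS_SERVERCERT
  keyfile: $TLS_SERVERKEY
ca:
  name:
  certfile: $serverCert
  keyfile: $serverKey
$registry
ldap:
  enabled: $LDAP_ENABLE
  url: ${LDAP_PROTO}CN=admin,dc=example,dc=com:adminpw@localhost:$LDAP_PORT/dc=example,dc=com
  userfilter: "(uid=%s)"
  attribute:
    names: [
      "cn",
      "gidNumber",
      "givenName",
      "homeDirectory",
      "loginShell",
      "mail",
      "o",
      "objectClass",
      "ou",
      "sn",
      "st",
      "uid",
      "uidNumber",
      "memberOf"
    ]
$converters
    maps:
      ROLES:
        - name: cn=Client,ou=groups,dc=example,dc=com
          value: client
        - name: cn=User,ou=groups,dc=example,dc=com
          value: user
        - name: cn=Peer,ou=groups,dc=example,dc=com
          value: peer
        - name: cn=App,ou=groups,dc=example,dc=com
          value: app
        - name: cn=Auditor,ou=groups,dc=example,dc=com
          value: auditor
        - name: cn=Validator,ou=groups,dc=example,dc=com
          value: validator
        - name: cn=pkiAdmin,ou=groups,dc=example,dc=com
          value: pkiadmin
  tls:
    certfiles:
      - $TLS_ROOTCERT
    client:
      certfile: $TLS_CLIENTCERT
      keyfile: $TLS_CLIENTKEY
affiliations:
  bank_a:
    - department1
  bank_b:
    - department1
  bank_c:
    - department1
  org1:
    - department1
    - department2
  org2:
    - department1
    - department2
signing:
  default:
    usage:
      - digital signature
    expiry: 17520h
    backdate: 30s
    ocspnocheck: true
    caconstraint:
      isca: false
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
        ocspnocheck: true
    tls:
      usage:
        - server auth
        - client auth
      expiry: 8760h
      caconstraint:
        isca: false
csr:
  keyrequest:
    algo: $KEYTYPE
    size: $KEYLEN
  names:
    - C: US
      ST: "North Carolina"
      L:
      O: Hyperledger
      OU: Fabric
  hosts:
    - fabricCa.hyperledger.example.com
    - localhost
  ca:
    expiry: 131400h
    pathlength: 1
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      keystore:
cacount: $CACOUNT
cafiles:
intermediate:
  parentserver:
    url:
    caname:
  enrollment:
    hosts:
    profile:
    label:
  tls:
    certfiles:
      - $TLS_ROOTCERT
    client:
      certfile: $TLS_CLIENTCERT
      keyfile: $TLS_CLIENTKEY
EOF
      ;;
  esac
}

#######################################
# Print "<user status> <cert status>" for a user straight from the CA's db.
# Arguments: $1 - user id, $2 - driver (sqlite3 default, mysql, postgres),
#            $3 - config path (default CA_CFG_PATH), $4 - db name
#            (default fabric_ca)
# Note: the user id is interpolated into the SQL text; this is a test
# fixture against a local test database with fixture credentials, and
# $user must be a plain identity name, never external input.
#######################################
testStatus() {
  local user="$1"
  local driver="${2:-sqlite3}"
  local ca_cfg_path="${3:-$CA_CFG_PATH}"
  local dbname="${4:-fabric_ca}"
  local user_status cert_status user_status_code cert_status_code
  case $driver in
    sqlite3)
      user_status="$(sqlite3 "$ca_cfg_path/$dbname" "SELECT * FROM users WHERE (id=\"$user\");")"
      cert_status="$(sqlite3 "$ca_cfg_path/$dbname" "SELECT * FROM certificates WHERE (id=\"$user\");")"

      # row data goes through %s, never as the printf format itself
      user_status_code="$(printf '%s' "$user_status" | awk -F'|' -v s="$user" '$1~s {print $6}')"
      cert_status_code="$(printf '%s' "$cert_status" | awk -F'|' -v s="$user" '$1~s {print $5}')"
      ;;
    mysql)
      user_status_code=$(mysql --host=localhost --user=root --password=mysql -e "SELECT * FROM users WHERE (id=\"$user\");" "$dbname" | awk -F'\t' -v u="$user" '$1==u {print $6}')
      cert_status_code=$(mysql --host=localhost --user=root --password=mysql -e "SELECT * FROM certificates WHERE (id=\"$user\") order by revoked_at;" "$dbname" | awk -F'\t' -v u="$user" '$1==u {print $5}')
      ;;
    postgres)
      user_status_code=$(/usr/bin/psql -U postgres -h localhost -c "SELECT id,state FROM users WHERE id='$user';" --dbname="$dbname" | awk -v u="$user" -F'|' '$1~u {gsub(/ /,"");print $2}')
      cert_status_code=$(/usr/bin/psql -U postgres -h localhost -c "SELECT id,encode(status,'escape') FROM certificates WHERE id='$user' order by revoked_at;" --dbname="$dbname" | awk -v u="$user" -F'|' '$1~u {gsub(/ /,"");print $2}')
      ;;
  esac
  echo "$user_status_code $cert_status_code"
}

#######################################
# SIGKILL a server process and wait for its port to close.
# Arguments: $1 - pid
# Globals:   CA_DEFAULT_PORT (read)
# Returns:   pollFabricCa's status
#######################################
killserver() {
  echo "killing server $1"
  kill -9 "$1"
  pollFabricCa "" "" "$CA_DEFAULT_PORT" stop 30
}

#######################################
# Copy stdin to stderr and pass only lines matching an extended regex.
# Arguments: $1 - extended regex
#######################################
grepPrint() {
  tee /dev/stderr | grep -E "$1"
}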