github.com/kaituanwang/hyperledger@v2.0.1+incompatible/msp/nodeous_test.go (about) 1 /* 2 Copyright IBM Corp. 2017 All Rights Reserved. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package msp 18 19 import ( 20 "path/filepath" 21 "testing" 22 23 "github.com/golang/protobuf/proto" 24 "github.com/hyperledger/fabric-protos-go/msp" 25 "github.com/hyperledger/fabric/bccsp/sw" 26 "github.com/stretchr/testify/assert" 27 ) 28 29 func TestInvalidAdminNodeOU(t *testing.T) { 30 // testdata/nodeous1: 31 // the configuration enables NodeOUs but the administrator does not carry 32 // any valid NodeOUS. Therefore MSP initialization must fail 33 thisMSP, err := getLocalMSPWithVersionAndError(t, "testdata/nodeous1", MSPv1_1) 34 assert.True(t, thisMSP.(*bccspmsp).ouEnforcement) 35 assert.Error(t, err) 36 37 // MSPv1_0 should not fail 38 thisMSP, err = getLocalMSPWithVersionAndError(t, "testdata/nodeous1", MSPv1_0) 39 assert.False(t, thisMSP.(*bccspmsp).ouEnforcement) 40 assert.NoError(t, err) 41 } 42 43 func TestInvalidSigningIdentityNodeOU(t *testing.T) { 44 // testdata/nodeous2: 45 // the configuration enables NodeOUs but the signing identity does not carry 46 // any valid NodeOUS. Therefore signing identity validation should fail 47 thisMSP := getLocalMSPWithVersion(t, "testdata/nodeous2", MSPv1_1) 48 assert.True(t, thisMSP.(*bccspmsp).ouEnforcement) 49 50 id, err := thisMSP.GetDefaultSigningIdentity() 51 assert.NoError(t, err) 52 53 err = id.Validate() 54 assert.Error(t, err) 55 56 // MSPv1_0 should not fail 57 thisMSP, err = getLocalMSPWithVersionAndError(t, "testdata/nodeous1", MSPv1_0) 58 assert.False(t, thisMSP.(*bccspmsp).ouEnforcement) 59 assert.NoError(t, err) 60 61 id, err = thisMSP.GetDefaultSigningIdentity() 62 assert.NoError(t, err) 63 64 err = id.Validate() 65 assert.NoError(t, err) 66 } 67 68 func TestValidMSPWithNodeOU(t *testing.T) { 69 // testdata/nodeous3: 70 // the configuration enables NodeOUs and admin and signing identity are valid 71 thisMSP := getLocalMSPWithVersion(t, "testdata/nodeous3", MSPv1_1) 72 assert.True(t, thisMSP.(*bccspmsp).ouEnforcement) 73 74 id, err := thisMSP.GetDefaultSigningIdentity() 75 assert.NoError(t, err) 76 77 err = id.Validate() 78 assert.NoError(t, err) 79 80 // MSPv1_0 should not fail as well 81 thisMSP = getLocalMSPWithVersion(t, "testdata/nodeous3", MSPv1_0) 82 assert.False(t, thisMSP.(*bccspmsp).ouEnforcement) 83 84 id, err = thisMSP.GetDefaultSigningIdentity() 85 assert.NoError(t, err) 86 87 err = id.Validate() 88 assert.NoError(t, err) 89 } 90 91 func TestValidMSPWithNodeOUAndOrganizationalUnits(t *testing.T) { 92 // testdata/nodeous6: 93 // the configuration enables NodeOUs and OrganizationalUnits, and admin and signing identity are valid 94 thisMSP := getLocalMSPWithVersion(t, "testdata/nodeous6", MSPv1_1) 95 assert.True(t, thisMSP.(*bccspmsp).ouEnforcement) 96 97 id, err := thisMSP.GetDefaultSigningIdentity() 98 assert.NoError(t, err) 99 100 err = id.Validate() 101 assert.NoError(t, err) 102 103 // MSPv1_0 should not fail as well 104 thisMSP = getLocalMSPWithVersion(t, "testdata/nodeous6", MSPv1_0) 105 assert.False(t, thisMSP.(*bccspmsp).ouEnforcement) 106 107 id, err = thisMSP.GetDefaultSigningIdentity() 108 assert.NoError(t, err) 109 110 err = id.Validate() 111 assert.NoError(t, err) 112 } 113 114 func TestInvalidMSPWithNodeOUAndOrganizationalUnits(t *testing.T) { 115 // testdata/nodeous6: 116 // the configuration enables NodeOUs and OrganizationalUnits, 117 // and admin and signing identity are not valid because they don't have 118 // OU_common in their OUs. 119 thisMSP, err := getLocalMSPWithVersionAndError(t, "testdata/nodeous7", MSPv1_1) 120 assert.True(t, thisMSP.(*bccspmsp).ouEnforcement) 121 if assert.Error(t, err) { 122 assert.Contains(t, err.Error(), "could not validate identity's OUs: none of the identity's organizational units") 123 } 124 125 // MSPv1_0 should fail as well 126 thisMSP, err = getLocalMSPWithVersionAndError(t, "testdata/nodeous7", MSPv1_0) 127 assert.False(t, thisMSP.(*bccspmsp).ouEnforcement) 128 if assert.Error(t, err) { 129 assert.Contains(t, err.Error(), "could not validate identity's OUs: none of the identity's organizational units") 130 } 131 } 132 133 func TestInvalidAdminOU(t *testing.T) { 134 // testdata/nodeous4: 135 // the configuration enables NodeOUs and admin does not match the certifier chain specified at config 136 thisMSP, err := getLocalMSPWithVersionAndError(t, "testdata/nodeous4", MSPv1_1) 137 assert.True(t, thisMSP.(*bccspmsp).ouEnforcement) 138 assert.Error(t, err) 139 assert.Contains(t, err.Error(), "admin 0 is invalid: The identity is not valid under this MSP [SampleOrg]: could not validate identity's OUs: certifiersIdentifier does not match") 140 141 // MSPv1_0 should not fail as well 142 thisMSP, err = getLocalMSPWithVersionAndError(t, "testdata/nodeous4", MSPv1_0) 143 assert.False(t, thisMSP.(*bccspmsp).ouEnforcement) 144 assert.NoError(t, err) 145 } 146 147 func TestInvalidAdminOUNotAClient(t *testing.T) { 148 // testdata/nodeous4: 149 // the configuration enables NodeOUs and admin is not a client 150 thisMSP, err := getLocalMSPWithVersionAndError(t, "testdata/nodeous8", MSPv1_1) 151 assert.True(t, thisMSP.(*bccspmsp).ouEnforcement) 152 assert.Error(t, err) 153 assert.Contains(t, err.Error(), "The identity does not contain OU [CLIENT]") 154 155 // MSPv1_0 should not fail 156 thisMSP, err = getLocalMSPWithVersionAndError(t, "testdata/nodeous8", MSPv1_0) 157 assert.False(t, thisMSP.(*bccspmsp).ouEnforcement) 158 assert.NoError(t, err) 159 } 160 161 func TestSatisfiesPrincipalPeer(t *testing.T) { 162 // testdata/nodeous3: 163 // the configuration enables NodeOUs and admin and signing identity are valid 164 thisMSP := getLocalMSPWithVersion(t, "testdata/nodeous3", MSPv1_1) 165 assert.True(t, thisMSP.(*bccspmsp).ouEnforcement) 166 167 // The default signing identity is a peer 168 id, err := thisMSP.GetDefaultSigningIdentity() 169 assert.NoError(t, err) 170 171 err = id.Validate() 172 assert.NoError(t, err) 173 174 assert.True(t, t.Run("Check that id is a peer", func(t *testing.T) { 175 // Check that id is a peer 176 mspID, err := thisMSP.GetIdentifier() 177 assert.NoError(t, err) 178 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_PEER, MspIdentifier: mspID}) 179 assert.NoError(t, err) 180 principal := &msp.MSPPrincipal{ 181 PrincipalClassification: msp.MSPPrincipal_ROLE, 182 Principal: principalBytes} 183 err = id.SatisfiesPrincipal(principal) 184 assert.NoError(t, err) 185 })) 186 187 assert.True(t, t.Run("Check that id is not a client", func(t *testing.T) { 188 // Check that id is not a client 189 mspID, err := thisMSP.GetIdentifier() 190 assert.NoError(t, err) 191 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_CLIENT, MspIdentifier: mspID}) 192 assert.NoError(t, err) 193 principal := &msp.MSPPrincipal{ 194 PrincipalClassification: msp.MSPPrincipal_ROLE, 195 Principal: principalBytes} 196 err = id.SatisfiesPrincipal(principal) 197 assert.Error(t, err) 198 assert.Contains(t, err.Error(), "The identity is not a [CLIENT] under this MSP [SampleOrg]") 199 })) 200 } 201 202 func TestSatisfiesPrincipalClient(t *testing.T) { 203 // testdata/nodeous3: 204 // the configuration enables NodeOUs and admin and signing identity are valid 205 thisMSP := getLocalMSPWithVersion(t, "testdata/nodeous3", MSPv1_1) 206 assert.True(t, thisMSP.(*bccspmsp).ouEnforcement) 207 208 // The admin of this msp is a client 209 assert.Equal(t, 1, len(thisMSP.(*bccspmsp).admins)) 210 id := thisMSP.(*bccspmsp).admins[0] 211 212 err := id.Validate() 213 assert.NoError(t, err) 214 215 // Check that id is a client 216 assert.True(t, t.Run("Check that id is a client", func(t *testing.T) { 217 mspID, err := thisMSP.GetIdentifier() 218 assert.NoError(t, err) 219 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_CLIENT, MspIdentifier: mspID}) 220 assert.NoError(t, err) 221 principal := &msp.MSPPrincipal{ 222 PrincipalClassification: msp.MSPPrincipal_ROLE, 223 Principal: principalBytes} 224 err = id.SatisfiesPrincipal(principal) 225 assert.NoError(t, err) 226 })) 227 228 assert.True(t, t.Run("Check that id is not a peer", func(t *testing.T) { 229 // Check that id is not a peer 230 mspID, err := thisMSP.GetIdentifier() 231 assert.NoError(t, err) 232 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_PEER, MspIdentifier: mspID}) 233 assert.NoError(t, err) 234 principal := &msp.MSPPrincipal{ 235 PrincipalClassification: msp.MSPPrincipal_ROLE, 236 Principal: principalBytes} 237 err = id.SatisfiesPrincipal(principal) 238 assert.Error(t, err) 239 assert.Contains(t, err.Error(), "The identity is not a [PEER] under this MSP [SampleOrg]") 240 })) 241 } 242 243 func TestSatisfiesPrincipalAdmin(t *testing.T) { 244 // testdata/nodeouadmin: 245 // the configuration enables NodeOUs (with adminOU) and admin and signing identity are valid 246 thisMSP := getLocalMSPWithVersion(t, "testdata/nodeouadmin", MSPv1_4_3) 247 assert.True(t, thisMSP.(*bccspmsp).ouEnforcement) 248 249 cert, err := readFile("testdata/nodeouadmin/adm/testadmincert.pem") 250 assert.NoError(t, err) 251 252 id, _, err := thisMSP.(*bccspmsp).getIdentityFromConf(cert) 253 assert.NoError(t, err) 254 255 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ADMIN, MspIdentifier: "SampleOrg"}) 256 assert.NoError(t, err) 257 principal := &msp.MSPPrincipal{ 258 PrincipalClassification: msp.MSPPrincipal_ROLE, 259 Principal: principalBytes} 260 err = id.SatisfiesPrincipal(principal) 261 assert.NoError(t, err) 262 } 263 264 func TestLoad142MSPWithInvalidAdminConfiguration(t *testing.T) { 265 // testdata/nodeouadmin2: 266 // the configuration enables NodeOUs (with adminOU) but no valid identifier for the AdminOU 267 conf, err := GetLocalMspConfig("testdata/nodeouadmin2", nil, "SampleOrg") 268 assert.NoError(t, err) 269 270 ks, err := sw.NewFileBasedKeyStore(nil, filepath.Join("testdata/nodeouadmin2", "keystore"), true) 271 assert.NoError(t, err) 272 cryptoProvider, err := sw.NewDefaultSecurityLevelWithKeystore(sw.NewDummyKeyStore()) 273 assert.NoError(t, err) 274 thisMSP, err := NewBccspMspWithKeyStore(MSPv1_4_3, ks, cryptoProvider) 275 assert.NoError(t, err) 276 277 err = thisMSP.Setup(conf) 278 assert.Error(t, err) 279 assert.Equal(t, "administrators must be declared when no admin ou classification is set", err.Error()) 280 281 // testdata/nodeouadmin3: 282 // the configuration enables NodeOUs (with adminOU) but no valid identifier for the AdminOU 283 conf, err = GetLocalMspConfig("testdata/nodeouadmin3", nil, "SampleOrg") 284 assert.NoError(t, err) 285 286 ks, err = sw.NewFileBasedKeyStore(nil, filepath.Join("testdata/nodeouadmin3", "keystore"), true) 287 assert.NoError(t, err) 288 thisMSP, err = NewBccspMspWithKeyStore(MSPv1_4_3, ks, cryptoProvider) 289 assert.NoError(t, err) 290 291 err = thisMSP.Setup(conf) 292 assert.Error(t, err) 293 assert.Equal(t, "administrators must be declared when no admin ou classification is set", err.Error()) 294 } 295 296 func TestAdminInAdmincertsWith143MSP(t *testing.T) { 297 // testdata/nodeouadminclient enables NodeOU classification and contains in the admincerts folder 298 // a certificate classified as client. This test checks that that identity is considered an admin anyway. 299 // testdata/nodeouadminclient2 enables NodeOU classification and contains in the admincerts folder 300 // a certificate classified as client. This test checks that that identity is considered an admin anyway. 301 // Notice that the configuration used is one that is usually expected for MSP version < 1.4.3 which 302 // only define peer and client OU. 303 testFolders := []string{"testdata/nodeouadminclient", "testdata/nodeouadminclient2"} 304 305 for _, testFolder := range testFolders { 306 localMSP := getLocalMSPWithVersion(t, testFolder, MSPv1_4_3) 307 308 cert, err := readFile(filepath.Join(testFolder, "admincerts", "admin.pem")) 309 assert.NoError(t, err) 310 311 id, _, err := localMSP.(*bccspmsp).getIdentityFromConf(cert) 312 assert.NoError(t, err) 313 for _, ou := range id.GetOrganizationalUnits() { 314 assert.NotEqual(t, "admin", ou.OrganizationalUnitIdentifier) 315 } 316 317 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ADMIN, MspIdentifier: "SampleOrg"}) 318 assert.NoError(t, err) 319 principal := &msp.MSPPrincipal{ 320 PrincipalClassification: msp.MSPPrincipal_ROLE, 321 Principal: principalBytes} 322 err = id.SatisfiesPrincipal(principal) 323 assert.NoError(t, err) 324 } 325 } 326 327 func TestSatisfiesPrincipalOrderer(t *testing.T) { 328 // testdata/nodeouorderer: 329 // the configuration enables NodeOUs (with orderOU) 330 thisMSP := getLocalMSPWithVersion(t, "testdata/nodeouorderer", MSPv1_4_3) 331 assert.True(t, thisMSP.(*bccspmsp).ouEnforcement) 332 333 id, err := thisMSP.(*bccspmsp).GetDefaultSigningIdentity() 334 assert.NoError(t, err) 335 336 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ORDERER, MspIdentifier: "SampleOrg"}) 337 assert.NoError(t, err) 338 principal := &msp.MSPPrincipal{ 339 PrincipalClassification: msp.MSPPrincipal_ROLE, 340 Principal: principalBytes} 341 err = id.SatisfiesPrincipal(principal) 342 assert.NoError(t, err) 343 } 344 345 func TestLoad142MSPWithInvalidOrdererConfiguration(t *testing.T) { 346 // testdata/nodeouorderer2: 347 // the configuration enables NodeOUs (with orderOU) but no valid identifier for the OrdererOU 348 conf, err := GetLocalMspConfig("testdata/nodeouorderer2", nil, "SampleOrg") 349 assert.NoError(t, err) 350 351 ks, err := sw.NewFileBasedKeyStore(nil, filepath.Join("testdata/nodeouorderer2", "keystore"), true) 352 assert.NoError(t, err) 353 cryptoProvider, err := sw.NewDefaultSecurityLevelWithKeystore(sw.NewDummyKeyStore()) 354 assert.NoError(t, err) 355 thisMSP, err := NewBccspMspWithKeyStore(MSPv1_4_3, ks, cryptoProvider) 356 assert.NoError(t, err) 357 358 err = thisMSP.Setup(conf) 359 assert.NoError(t, err) 360 id, err := thisMSP.(*bccspmsp).GetDefaultSigningIdentity() 361 assert.NoError(t, err) 362 363 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ORDERER, MspIdentifier: "SampleOrg"}) 364 assert.NoError(t, err) 365 principal := &msp.MSPPrincipal{ 366 PrincipalClassification: msp.MSPPrincipal_ROLE, 367 Principal: principalBytes} 368 err = id.SatisfiesPrincipal(principal) 369 assert.Error(t, err) 370 assert.Equal(t, "The identity is not a [ORDERER] under this MSP [SampleOrg]: cannot test for classification, node ou for type [ORDERER], not defined, msp: [SampleOrg]", err.Error()) 371 372 // testdata/nodeouorderer3: 373 // the configuration enables NodeOUs (with orderOU) but no valid identifier for the OrdererOU 374 conf, err = GetLocalMspConfig("testdata/nodeouorderer3", nil, "SampleOrg") 375 assert.NoError(t, err) 376 377 ks, err = sw.NewFileBasedKeyStore(nil, filepath.Join("testdata/nodeouorderer3", "keystore"), true) 378 assert.NoError(t, err) 379 thisMSP, err = NewBccspMspWithKeyStore(MSPv1_4_3, ks, cryptoProvider) 380 assert.NoError(t, err) 381 382 err = thisMSP.Setup(conf) 383 assert.NoError(t, err) 384 id, err = thisMSP.(*bccspmsp).GetDefaultSigningIdentity() 385 assert.NoError(t, err) 386 387 principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ORDERER, MspIdentifier: "SampleOrg"}) 388 assert.NoError(t, err) 389 principal = &msp.MSPPrincipal{ 390 PrincipalClassification: msp.MSPPrincipal_ROLE, 391 Principal: principalBytes} 392 err = id.SatisfiesPrincipal(principal) 393 assert.Error(t, err) 394 assert.Equal(t, "The identity is not a [ORDERER] under this MSP [SampleOrg]: cannot test for classification, node ou for type [ORDERER], not defined, msp: [SampleOrg]", err.Error()) 395 } 396 397 func TestValidMSPWithNodeOUMissingClassification(t *testing.T) { 398 // testdata/nodeousbadconf1: 399 // the configuration enables NodeOUs but client ou identifier is missing 400 _, err := getLocalMSPWithVersionAndError(t, "testdata/nodeousbadconf1", MSPv1_3) 401 assert.Error(t, err) 402 assert.Equal(t, "Failed setting up NodeOUs. ClientOU must be different from nil.", err.Error()) 403 404 _, err = getLocalMSPWithVersionAndError(t, "testdata/nodeousbadconf1", MSPv1_4_3) 405 assert.Error(t, err) 406 assert.Equal(t, "admin 0 is invalid [cannot test for classification, node ou for type [CLIENT], not defined, msp: [SampleOrg],The identity does not contain OU [ADMIN], MSP: [SampleOrg]]", err.Error()) 407 408 // testdata/nodeousbadconf2: 409 // the configuration enables NodeOUs but peer ou identifier is missing 410 _, err = getLocalMSPWithVersionAndError(t, "testdata/nodeousbadconf2", MSPv1_3) 411 assert.Error(t, err) 412 assert.Equal(t, "Failed setting up NodeOUs. PeerOU must be different from nil.", err.Error()) 413 414 _, err = getLocalMSPWithVersionAndError(t, "testdata/nodeousbadconf2", MSPv1_4_3) 415 assert.NoError(t, err) 416 }