
     1  /*
     2  Copyright IBM Corp. All Rights Reserved.
     3  
     4  SPDX-License-Identifier: Apache-2.0
     5  */
     6  
     7  package msp
     8  
     9  import (
    10  	"fmt"
    11  	"io"
    12  	"io/ioutil"
    13  	"os"
    14  	"path/filepath"
    15  	"syscall"
    16  
    17  	docker "github.com/fsouza/go-dockerclient"
    18  	"github.com/hyperledger/fabric/integration/nwo"
    19  	"github.com/hyperledger/fabric/integration/nwo/commands"
    20  	. "github.com/onsi/ginkgo"
    21  	. "github.com/onsi/gomega"
    22  	"github.com/onsi/gomega/gbytes"
    23  	"github.com/onsi/gomega/gexec"
    24  	"github.com/tedsuo/ifrit"
    25  )
    26  
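// This spec checks that Fabric's endorsement policy is enforced on the
// *MSP role* of the endorsing identity, not merely on its membership or on
// its ability to complete a mutual-TLS handshake. The policy deployed below,
// OR('Org1MSP.peer', 'Org2MSP.peer'), is only satisfied by a signature from
// an identity the MSP classifies as a peer. Two scenarios produce endorsements
// signed by identities that are valid MSP members but not peers and verify
// that validation rejects the transaction (ENDORSEMENT_POLICY_FAILURE) and
// that ledger state is unchanged afterwards.
var _ = Describe("MSP identity test on a network with mutual TLS required", func() {
	var (
		client  *docker.Client
		tempDir string
		network *nwo.Network
		process ifrit.Process
	)

	BeforeEach(func() {
		var err error
		tempDir, err = ioutil.TempDir("", "msp")
		Expect(err).NotTo(HaveOccurred())

		client, err = docker.NewClientFromEnv()
		Expect(err).NotTo(HaveOccurred())

		network = nwo.New(nwo.BasicSolo(), tempDir, client, StartPort(), components)
	})

	AfterEach(func() {
		// process is only assigned once the network is started inside the It
		// body. If BeforeEach or any step before that failed it is still nil,
		// and signalling a nil ifrit.Process panics - which would replace the
		// original failure with a nil-pointer dereference in cleanup.
		if process != nil {
			process.Signal(syscall.SIGTERM)
			Eventually(process.Wait(), network.EventuallyTimeout).Should(Receive())
		}

		if network != nil {
			network.Cleanup()
		}
		os.RemoveAll(tempDir)
	})

	It("invokes chaincode on a peer that does not have a valid endorser identity", func() {
		By("setting TLS ClientAuthRequired to be true for all peers and orderers")
		// Every CLI session below presents a client TLS certificate. The point
		// of the test is that passing mutual TLS is not sufficient: the MSP
		// signing identity behind the endorsement must also carry the peer role.
		network.ClientAuthRequired = true

		By("disabling NodeOU for org2")
		// Without NodeOUs, Org2's MSP cannot distinguish peers, clients and
		// admins by OU, so every Org2 certificate - peer0's included - is
		// classified as a plain member. Scenario one relies on this:
		// peer0.org2 is a real, correctly enrolled peer, yet its endorsement
		// cannot satisfy 'Org2MSP.peer'.
		org2 := network.Organization("Org2")
		org2.EnableNodeOUs = false

		network.GenerateConfigTree()
		network.Bootstrap()

		By("starting all processes for fabric")
		process = ifrit.Invoke(network.NetworkGroupRunner())
		Eventually(process.Ready(), network.EventuallyTimeout).Should(BeClosed())

		org1Peer0 := network.Peer("Org1", "peer0")
		org2Peer0 := network.Peer("Org2", "peer0")
		orderer := network.Orderer("orderer")

		By("creating and joining channels")
		network.CreateAndJoinChannels(orderer)
		By("enabling new lifecycle capabilities")
		nwo.EnableCapabilities(network, "testchannel", "Application", "V2_0", orderer, org1Peer0, org2Peer0)

		chaincode := nwo.Chaincode{
			Name:            "mycc",
			Version:         "0.0",
			Path:            "github.com/hyperledger/fabric/integration/chaincode/simple/cmd",
			Lang:            "golang",
			PackageFile:     filepath.Join(tempDir, "simplecc.tar.gz"),
			Ctor:            `{"Args":["init","a","100","b","200"]}`,
			SignaturePolicy: `OR ('Org1MSP.peer', 'Org2MSP.peer')`,
			Sequence:        "1",
			InitRequired:    true,
			Label:           "my_simple_chaincode",
		}

		By("deploying the chaincode")
		nwo.DeployChaincode(network, "testchannel", orderer, chaincode)

		By("querying and invoking chaincode with mutual TLS enabled")
		// Baseline: an invoke endorsed by org1Peer0 (a genuine peer identity,
		// NodeOUs enabled) and org2Peer0 commits and moves "a" from 100 to 90.
		// Every step after this must leave "a" at 90.
		RunQueryInvokeQuery(network, orderer, org1Peer0, 100)

		// expectAIs90 queries key "a" on peer as User1 and asserts it still
		// reads 90, i.e. no rejected endorsement leaked into the ledger.
		expectAIs90 := func(peer *nwo.Peer) {
			sess, err := network.PeerUserSession(peer, "User1", commands.ChaincodeQuery{
				ChannelID: "testchannel",
				Name:      "mycc",
				Ctor:      `{"Args":["query","a"]}`,
			})
			Expect(err).NotTo(HaveOccurred())
			Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
			Expect(sess).To(gbytes.Say("90"))
		}

		// expectEndorsementRejected submits an invoke endorsed only by peer and
		// asserts the CLI fails with ENDORSEMENT_POLICY_FAILURE. The proposal
		// itself is accepted and the transaction reaches the orderer; it is the
		// commit-time validation that rejects it, which is why WaitForEvent is
		// needed to observe the failure.
		expectEndorsementRejected := func(peer *nwo.Peer) {
			sess, err := network.PeerUserSession(peer, "User1", commands.ChaincodeInvoke{
				ChannelID: "testchannel",
				Orderer:   network.OrdererAddress(orderer, nwo.ListenPort),
				Name:      "mycc",
				Ctor:      `{"Args":["invoke","a","b","10"]}`,
				PeerAddresses: []string{
					network.PeerAddress(peer, nwo.ListenPort),
				},
				WaitForEvent: true,
				ClientAuth:   network.ClientAuthRequired,
			})
			Expect(err).NotTo(HaveOccurred())
			Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(1))
			Expect(sess.Err).To(gbytes.Say(`(ENDORSEMENT_POLICY_FAILURE)`))
		}

		By("querying the chaincode with org2 peer")
		// A query is a proposal that is never submitted for ordering, so the
		// endorsement policy is not evaluated; org2Peer0's member-only
		// identity is no obstacle to reading.
		expectAIs90(org2Peer0)

		// Scenario one: endorsement policy not satisfied because the
		// endorsing peer's MSP does not define the peer Node OU, so its
		// signature counts only as 'Org2MSP.member'.
		By("attempting to invoke chaincode on a peer that does not have a valid endorser identity (endorsing peer has member identity)")
		expectEndorsementRejected(org2Peer0)

		By("reverifying the channel was not affected by the unauthorized endorsement")
		expectAIs90(org2Peer0)

		// Scenario two: endorsement policy not satisfied because the
		// endorsing peer signs with a certificate whose OU is 'client'.
		// Org1 keeps NodeOUs enabled, so the MSP does classify the
		// certificate - just not as a peer.
		By("replacing org1peer0's identity with a client identity")
		// Only the peer's local MSP signing identity (signcert + private key)
		// is swapped for User1's. Its TLS material is not touched, so the
		// mutual-TLS handshake still succeeds and the rejection observed below
		// is attributable to the MSP role alone. In a real deployment copying
		// a user's private key into a peer's keystore would be a credential
		// compromise; here it is deliberate test fixture manipulation.
		org1Peer0MSPDir := network.PeerLocalMSPDir(org1Peer0)
		org1User1MSPDir := network.PeerUserMSPDir(org1Peer0, "User1")

		_, err := copyFile(filepath.Join(org1User1MSPDir, "signcerts", "User1@org1.example.com-cert.pem"), filepath.Join(org1Peer0MSPDir, "signcerts", "peer0.org1.example.com-cert.pem"))
		Expect(err).NotTo(HaveOccurred())
		_, err = copyFile(filepath.Join(org1User1MSPDir, "keystore", "priv_sk"), filepath.Join(org1Peer0MSPDir, "keystore", "priv_sk"))
		Expect(err).NotTo(HaveOccurred())

		By("restarting all fabric processes to reload MSP identities")
		// The local MSP is loaded at start-up, so the swapped identity only
		// takes effect after a restart.
		process.Signal(syscall.SIGTERM)
		Eventually(process.Wait(), network.EventuallyTimeout).Should(Receive())
		process = ifrit.Invoke(network.NetworkGroupRunner())
		Eventually(process.Ready(), network.EventuallyTimeout).Should(BeClosed())

		By("attempting to invoke chaincode on a peer that does not have a valid endorser identity (endorsing peer has client identity)")
		expectEndorsementRejected(org1Peer0)

		By("reverifying the channel was not affected by the unauthorized endorsement")
		expectAIs90(org1Peer0)
	})
})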
   189  
// RunQueryInvokeQuery reads key "a" on peer (as User1), then moves 10 from
// "a" to "b" with endorsements collected from both Org1 peer0 and Org2 peer0,
// then reads "a" again on the same peer. The first read must show
// initialQueryResult and the second initialQueryResult-10; every CLI
// invocation must exit 0 and the invoke must report status 200. The invoke
// presents a client TLS certificate whenever the network requires one.
func RunQueryInvokeQuery(n *nwo.Network, orderer *nwo.Orderer, peer *nwo.Peer, initialQueryResult int) {
	// queryA runs `query a` on peer and asserts the value printed.
	queryA := func(expected int) {
		session, err := n.PeerUserSession(peer, "User1", commands.ChaincodeQuery{
			ChannelID: "testchannel",
			Name:      "mycc",
			Ctor:      `{"Args":["query","a"]}`,
		})
		Expect(err).NotTo(HaveOccurred())
		Eventually(session, n.EventuallyTimeout).Should(gexec.Exit(0))
		Expect(session).To(gbytes.Say(fmt.Sprint(expected)))
	}

	queryA(initialQueryResult)

	// Endorsements are always gathered from both organizations' peer0,
	// regardless of which peer the CLI session is bound to.
	endorsers := []string{
		n.PeerAddress(n.Peer("Org1", "peer0"), nwo.ListenPort),
		n.PeerAddress(n.Peer("Org2", "peer0"), nwo.ListenPort),
	}
	invoke, err := n.PeerUserSession(peer, "User1", commands.ChaincodeInvoke{
		ChannelID:     "testchannel",
		Orderer:       n.OrdererAddress(orderer, nwo.ListenPort),
		Name:          "mycc",
		Ctor:          `{"Args":["invoke","a","b","10"]}`,
		PeerAddresses: endorsers,
		WaitForEvent:  true,
		ClientAuth:    n.ClientAuthRequired,
	})
	Expect(err).NotTo(HaveOccurred())
	Eventually(invoke, n.EventuallyTimeout).Should(gexec.Exit(0))
	Expect(invoke.Err).To(gbytes.Say("Chaincode invoke successful. result: status:200"))

	queryA(initialQueryResult - 10)
}
   225  
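// copyFile replaces the existing file dst with the contents of src and
// returns the number of bytes written.
//
// dst must already exist: it is removed before the copy, so a wrong path
// fails loudly instead of silently creating a new file next to the real one.
// The replacement is created with src's permission bits rather than
// os.Create's umask-derived 0666, so copying a private key (keystore/priv_sk)
// does not widen its permissions. Errors from closing dst are reported, since
// a failed close can leave a truncated key or certificate on disk.
func copyFile(src, dst string) (int64, error) {
	source, err := os.Open(src)
	if err != nil {
		return 0, err
	}
	defer source.Close()

	info, err := source.Stat()
	if err != nil {
		return 0, err
	}

	if err := os.Remove(dst); err != nil {
		return 0, err
	}
	// O_EXCL: dst was just removed, so anything present now is unexpected.
	destination, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, info.Mode().Perm())
	if err != nil {
		return 0, err
	}

	nBytes, err := io.Copy(destination, source)
	if closeErr := destination.Close(); err == nil {
		err = closeErr
	}
	if err != nil {
		return 0, err
	}
	return nBytes, nil
}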