github.com/osdi23p228/fabric@v0.0.0-20221218062954-77808885f5db/msp/idemixmsp_test.go (about) 1 /* 2 Copyright IBM Corp. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package msp 8 9 import ( 10 "testing" 11 12 "github.com/golang/protobuf/proto" 13 "github.com/hyperledger/fabric-protos-go/msp" 14 "github.com/osdi23p228/fabric/idemix" 15 "github.com/pkg/errors" 16 "github.com/stretchr/testify/assert" 17 ) 18 19 func setup(configPath string, ID string) (MSP, error) { 20 return setupWithVersion(configPath, ID, MSPv1_3) 21 } 22 23 func setupWithVersion(configPath string, ID string, version MSPVersion) (MSP, error) { 24 msp, err := newIdemixMsp(version) 25 if err != nil { 26 return nil, err 27 } 28 29 conf, err := GetIdemixMspConfig(configPath, ID) 30 if err != nil { 31 return nil, errors.Wrap(err, "Getting MSP config failed") 32 } 33 34 err = msp.Setup(conf) 35 if err != nil { 36 return nil, errors.Wrap(err, "Setting up MSP failed") 37 } 38 return msp, nil 39 } 40 41 func getDefaultSigner(msp MSP) (SigningIdentity, error) { 42 id, err := msp.GetDefaultSigningIdentity() 43 if err != nil { 44 return nil, errors.Wrap(err, "Getting default signing identity failed") 45 } 46 47 err = id.Validate() 48 if err != nil { 49 return nil, errors.Wrap(err, "Default signing identity invalid") 50 } 51 52 err = msp.Validate(id) 53 if err != nil { 54 return nil, errors.Wrap(err, "Default signing identity invalid") 55 } 56 57 return id, nil 58 } 59 60 func TestSetup(t *testing.T) { 61 msp, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 62 assert.NoError(t, err) 63 64 assert.Equal(t, IDEMIX, msp.GetType()) 65 } 66 67 func TestSetupBad(t *testing.T) { 68 _, err := setup("testdata/idemix/badpath", "MSPID") 69 assert.Error(t, err) 70 assert.Contains(t, err.Error(), "Getting MSP config failed") 71 72 msp1, err := newIdemixMsp(MSPv1_3) 73 assert.NoError(t, err) 74 75 // Setup with nil config 76 err = msp1.Setup(nil) 77 assert.Error(t, err) 78 assert.Contains(t, err.Error(), "setup error: nil conf reference") 79 80 // Setup with incorrect MSP type 81 conf := &msp.MSPConfig{Type: 1234, Config: nil} 82 err = msp1.Setup(conf) 83 assert.Error(t, err) 84 assert.Contains(t, err.Error(), "setup error: config is not of type IDEMIX") 85 86 // Setup with bad idemix config bytes 87 conf = &msp.MSPConfig{Type: int32(IDEMIX), Config: []byte("barf")} 88 err = msp1.Setup(conf) 89 assert.Error(t, err) 90 assert.Contains(t, err.Error(), "failed unmarshalling idemix msp config") 91 92 conf, err = GetIdemixMspConfig("testdata/idemix/MSP1OU1", "IdemixMSP1") 93 assert.NoError(t, err) 94 idemixconfig := &msp.IdemixMSPConfig{} 95 err = proto.Unmarshal(conf.Config, idemixconfig) 96 assert.NoError(t, err) 97 98 // Create MSP config with IPK with incorrect attribute names 99 rng, err := idemix.GetRand() 100 assert.NoError(t, err) 101 key, err := idemix.NewIssuerKey([]string{}, rng) 102 assert.NoError(t, err) 103 ipkBytes, err := proto.Marshal(key.Ipk) 104 assert.NoError(t, err) 105 idemixconfig.Ipk = ipkBytes 106 107 idemixConfigBytes, err := proto.Marshal(idemixconfig) 108 assert.NoError(t, err) 109 conf.Config = idemixConfigBytes 110 111 err = msp1.Setup(conf) 112 assert.Error(t, err) 113 assert.Contains(t, err.Error(), "issuer public key must have have attributes OU, Role, EnrollmentId, and RevocationHandle") 114 115 // Create MSP config with bad IPK bytes 116 ipkBytes = []byte("barf") 117 idemixconfig.Ipk = ipkBytes 118 119 idemixConfigBytes, err = proto.Marshal(idemixconfig) 120 assert.NoError(t, err) 121 conf.Config = idemixConfigBytes 122 123 err = msp1.Setup(conf) 124 assert.Error(t, err) 125 assert.Contains(t, err.Error(), "failed to unmarshal ipk from idemix msp config") 126 } 127 128 func TestSigning(t *testing.T) { 129 msp, err := setup("testdata/idemix/MSP1OU1", "MSP1") 130 assert.NoError(t, err) 131 132 id, err := getDefaultSigner(msp) 133 assert.NoError(t, err) 134 135 msg := []byte("TestMessage") 136 sig, err := id.Sign(msg) 137 assert.NoError(t, err) 138 139 err = id.Verify(msg, sig) 140 assert.NoError(t, err) 141 142 err = id.Verify([]byte("OtherMessage"), sig) 143 assert.Error(t, err) 144 assert.Contains(t, err.Error(), "pseudonym signature invalid: zero-knowledge proof is invalid") 145 146 verMsp, err := setup("testdata/idemix/MSP1Verifier", "MSP1") 147 assert.NoError(t, err) 148 err = verMsp.Validate(id) 149 assert.NoError(t, err) 150 _, err = verMsp.GetDefaultSigningIdentity() 151 assert.Error(t, err) 152 assert.Contains(t, err.Error(), "no default signer setup") 153 } 154 155 func TestSigningBad(t *testing.T) { 156 msp, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 157 assert.NoError(t, err) 158 159 id, err := getDefaultSigner(msp) 160 assert.NoError(t, err) 161 162 msg := []byte("TestMessage") 163 sig := []byte("barf") 164 165 err = id.Verify(msg, sig) 166 assert.Error(t, err) 167 assert.Contains(t, err.Error(), "error unmarshalling signature") 168 } 169 170 func TestIdentitySerialization(t *testing.T) { 171 msp, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 172 assert.NoError(t, err) 173 174 id, err := getDefaultSigner(msp) 175 assert.NoError(t, err) 176 177 // Test serialization of identities 178 serializedID, err := id.Serialize() 179 assert.NoError(t, err) 180 181 verID, err := msp.DeserializeIdentity(serializedID) 182 assert.NoError(t, err) 183 184 err = verID.Validate() 185 assert.NoError(t, err) 186 187 err = msp.Validate(verID) 188 assert.NoError(t, err) 189 } 190 191 func TestIdentitySerializationBad(t *testing.T) { 192 msp, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 193 assert.NoError(t, err) 194 195 _, err = msp.DeserializeIdentity([]byte("barf")) 196 assert.Error(t, err, "DeserializeIdentity should have failed for bad input") 197 assert.Contains(t, err.Error(), "could not deserialize a SerializedIdentity") 198 } 199 200 func TestIdentitySerializationWrongMSP(t *testing.T) { 201 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 202 assert.NoError(t, err) 203 msp2, err := setup("testdata/idemix/MSP2OU1", "MSP2OU1") 204 assert.NoError(t, err) 205 id2, err := getDefaultSigner(msp2) 206 assert.NoError(t, err) 207 208 idBytes, err := id2.Serialize() 209 assert.NoError(t, err) 210 211 _, err = msp1.DeserializeIdentity(idBytes) 212 assert.Error(t, err, "DeserializeIdentity should have failed for ID of other MSP") 213 assert.Contains(t, err.Error(), "expected MSP ID MSP1OU1, received MSP2OU1") 214 } 215 216 func TestPrincipalIdentity(t *testing.T) { 217 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 218 assert.NoError(t, err) 219 220 id1, err := getDefaultSigner(msp1) 221 assert.NoError(t, err) 222 223 idBytes, err := id1.Serialize() 224 assert.NoError(t, err) 225 226 principal := &msp.MSPPrincipal{ 227 PrincipalClassification: msp.MSPPrincipal_IDENTITY, 228 Principal: idBytes} 229 230 err = id1.SatisfiesPrincipal(principal) 231 assert.NoError(t, err) 232 } 233 234 func TestPrincipalIdentityWrongIdentity(t *testing.T) { 235 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 236 assert.NoError(t, err) 237 238 id1, err := getDefaultSigner(msp1) 239 assert.NoError(t, err) 240 241 msp2, err := setup("testdata/idemix/MSP1OU2", "MSP1OU2") 242 assert.NoError(t, err) 243 244 id2, err := getDefaultSigner(msp2) 245 assert.NoError(t, err) 246 247 idBytes, err := id1.Serialize() 248 assert.NoError(t, err) 249 250 principal := &msp.MSPPrincipal{ 251 PrincipalClassification: msp.MSPPrincipal_IDENTITY, 252 Principal: idBytes} 253 254 err = id2.SatisfiesPrincipal(principal) 255 assert.Error(t, err, "Identity MSP principal for different user should fail") 256 assert.Contains(t, err.Error(), "the identities do not match") 257 258 } 259 260 func TestPrincipalIdentityBadIdentity(t *testing.T) { 261 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 262 assert.NoError(t, err) 263 264 id1, err := getDefaultSigner(msp1) 265 assert.NoError(t, err) 266 267 idBytes := []byte("barf") 268 269 principal := &msp.MSPPrincipal{ 270 PrincipalClassification: msp.MSPPrincipal_IDENTITY, 271 Principal: idBytes} 272 273 err = id1.SatisfiesPrincipal(principal) 274 assert.Error(t, err, "Identity MSP principal for a bad principal should fail") 275 assert.Contains(t, err.Error(), "the identities do not match") 276 } 277 278 func TestAnonymityPrincipal(t *testing.T) { 279 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 280 assert.NoError(t, err) 281 282 id1, err := getDefaultSigner(msp1) 283 assert.NoError(t, err) 284 285 principalBytes, err := proto.Marshal(&msp.MSPIdentityAnonymity{AnonymityType: msp.MSPIdentityAnonymity_ANONYMOUS}) 286 assert.NoError(t, err) 287 288 principal := &msp.MSPPrincipal{ 289 PrincipalClassification: msp.MSPPrincipal_ANONYMITY, 290 Principal: principalBytes} 291 292 err = id1.SatisfiesPrincipal(principal) 293 assert.NoError(t, err) 294 } 295 296 func TestAnonymityPrincipalBad(t *testing.T) { 297 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 298 assert.NoError(t, err) 299 300 id1, err := getDefaultSigner(msp1) 301 assert.NoError(t, err) 302 303 principalBytes, err := proto.Marshal(&msp.MSPIdentityAnonymity{AnonymityType: msp.MSPIdentityAnonymity_NOMINAL}) 304 assert.NoError(t, err) 305 306 principal := &msp.MSPPrincipal{ 307 PrincipalClassification: msp.MSPPrincipal_ANONYMITY, 308 Principal: principalBytes} 309 310 err = id1.SatisfiesPrincipal(principal) 311 assert.Error(t, err, "Idemix identity is anonymous and should not pass NOMINAL anonymity principal") 312 assert.Contains(t, err.Error(), "principal is nominal, but idemix MSP is anonymous") 313 } 314 315 func TestAnonymityPrincipalV11(t *testing.T) { 316 msp1, err := setupWithVersion("testdata/idemix/MSP1OU1", "MSP1OU1", MSPv1_1) 317 assert.NoError(t, err) 318 319 id1, err := getDefaultSigner(msp1) 320 assert.NoError(t, err) 321 322 principalBytes, err := proto.Marshal(&msp.MSPIdentityAnonymity{AnonymityType: msp.MSPIdentityAnonymity_NOMINAL}) 323 assert.NoError(t, err) 324 325 principal := &msp.MSPPrincipal{ 326 PrincipalClassification: msp.MSPPrincipal_ANONYMITY, 327 Principal: principalBytes} 328 329 err = id1.SatisfiesPrincipal(principal) 330 assert.Error(t, err) 331 assert.Contains(t, err.Error(), "Anonymity MSP Principals are unsupported in MSPv1_1") 332 } 333 334 func TestIdemixIsWellFormed(t *testing.T) { 335 idemixMSP, err := setup("testdata/idemix/MSP1OU1", "TestName") 336 assert.NoError(t, err) 337 338 id, err := getDefaultSigner(idemixMSP) 339 assert.NoError(t, err) 340 rawId, err := id.Serialize() 341 assert.NoError(t, err) 342 sId := &msp.SerializedIdentity{} 343 err = proto.Unmarshal(rawId, sId) 344 assert.NoError(t, err) 345 err = idemixMSP.IsWellFormed(sId) 346 assert.NoError(t, err) 347 // Corrupt the identity bytes 348 sId.IdBytes = append(sId.IdBytes, 1) 349 err = idemixMSP.IsWellFormed(sId) 350 assert.Error(t, err) 351 assert.Contains(t, err.Error(), "not an idemix identity") 352 } 353 354 func TestPrincipalOU(t *testing.T) { 355 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 356 assert.NoError(t, err) 357 358 id1, err := getDefaultSigner(msp1) 359 assert.NoError(t, err) 360 361 ou := &msp.OrganizationUnit{ 362 OrganizationalUnitIdentifier: id1.GetOrganizationalUnits()[0].OrganizationalUnitIdentifier, 363 MspIdentifier: id1.GetMSPIdentifier(), 364 CertifiersIdentifier: nil, 365 } 366 bytes, err := proto.Marshal(ou) 367 assert.NoError(t, err) 368 369 principal := &msp.MSPPrincipal{ 370 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 371 Principal: bytes} 372 373 err = id1.SatisfiesPrincipal(principal) 374 assert.NoError(t, err) 375 } 376 377 func TestPrincipalOUWrongOU(t *testing.T) { 378 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 379 assert.NoError(t, err) 380 381 id1, err := getDefaultSigner(msp1) 382 assert.NoError(t, err) 383 384 ou := &msp.OrganizationUnit{ 385 OrganizationalUnitIdentifier: "DifferentOU", 386 MspIdentifier: id1.GetMSPIdentifier(), 387 CertifiersIdentifier: nil, 388 } 389 bytes, err := proto.Marshal(ou) 390 assert.NoError(t, err) 391 392 principal := &msp.MSPPrincipal{ 393 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 394 Principal: bytes} 395 396 err = id1.SatisfiesPrincipal(principal) 397 assert.Error(t, err, "OU MSP principal should have failed for user of different OU") 398 assert.Contains(t, err.Error(), "user is not part of the desired organizational unit") 399 400 } 401 402 func TestPrincipalOUWrongMSP(t *testing.T) { 403 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 404 assert.NoError(t, err) 405 406 id1, err := getDefaultSigner(msp1) 407 assert.NoError(t, err) 408 409 ou := &msp.OrganizationUnit{ 410 OrganizationalUnitIdentifier: "OU1", 411 MspIdentifier: "OtherMSP", 412 CertifiersIdentifier: nil, 413 } 414 bytes, err := proto.Marshal(ou) 415 assert.NoError(t, err) 416 417 principal := &msp.MSPPrincipal{ 418 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 419 Principal: bytes} 420 421 err = id1.SatisfiesPrincipal(principal) 422 assert.Error(t, err, "OU MSP principal should have failed for user of different MSP") 423 assert.Contains(t, err.Error(), "the identity is a member of a different MSP") 424 425 } 426 427 func TestPrincipalOUBad(t *testing.T) { 428 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 429 assert.NoError(t, err) 430 431 id1, err := getDefaultSigner(msp1) 432 assert.NoError(t, err) 433 434 bytes := []byte("barf") 435 assert.NoError(t, err) 436 437 principal := &msp.MSPPrincipal{ 438 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 439 Principal: bytes} 440 441 err = id1.SatisfiesPrincipal(principal) 442 assert.Error(t, err, "OU MSP principal should have failed for a bad OU principal") 443 assert.Contains(t, err.Error(), "could not unmarshal OU from principal") 444 } 445 446 func TestPrincipalRoleMember(t *testing.T) { 447 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 448 assert.NoError(t, err) 449 450 id1, err := getDefaultSigner(msp1) 451 assert.NoError(t, err) 452 453 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: id1.GetMSPIdentifier()}) 454 assert.NoError(t, err) 455 456 principal := &msp.MSPPrincipal{ 457 PrincipalClassification: msp.MSPPrincipal_ROLE, 458 Principal: principalBytes} 459 460 err = id1.SatisfiesPrincipal(principal) 461 assert.NoError(t, err) 462 463 // Member should also satisfy client 464 principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_CLIENT, MspIdentifier: id1.GetMSPIdentifier()}) 465 assert.NoError(t, err) 466 467 principal = &msp.MSPPrincipal{ 468 PrincipalClassification: msp.MSPPrincipal_ROLE, 469 Principal: principalBytes} 470 471 err = id1.SatisfiesPrincipal(principal) 472 assert.NoError(t, err) 473 } 474 475 func TestPrincipalRoleAdmin(t *testing.T) { 476 msp1, err := setup("testdata/idemix/MSP1OU1Admin", "MSP1OU1Admin") 477 assert.NoError(t, err) 478 479 id1, err := getDefaultSigner(msp1) 480 assert.NoError(t, err) 481 482 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: id1.GetMSPIdentifier()}) 483 assert.NoError(t, err) 484 485 principal := &msp.MSPPrincipal{ 486 PrincipalClassification: msp.MSPPrincipal_ROLE, 487 Principal: principalBytes} 488 489 // Admin should also satisfy member 490 err = id1.SatisfiesPrincipal(principal) 491 assert.NoError(t, err) 492 493 principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ADMIN, MspIdentifier: id1.GetMSPIdentifier()}) 494 assert.NoError(t, err) 495 496 principal = &msp.MSPPrincipal{ 497 PrincipalClassification: msp.MSPPrincipal_ROLE, 498 Principal: principalBytes} 499 500 err = id1.SatisfiesPrincipal(principal) 501 assert.NoError(t, err) 502 } 503 504 func TestPrincipalRoleNotPeer(t *testing.T) { 505 msp1, err := setup("testdata/idemix/MSP1OU1Admin", "MSP1OU1") 506 assert.NoError(t, err) 507 508 id1, err := getDefaultSigner(msp1) 509 assert.NoError(t, err) 510 511 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_PEER, MspIdentifier: id1.GetMSPIdentifier()}) 512 assert.NoError(t, err) 513 514 principal := &msp.MSPPrincipal{ 515 PrincipalClassification: msp.MSPPrincipal_ROLE, 516 Principal: principalBytes} 517 518 err = id1.SatisfiesPrincipal(principal) 519 assert.Error(t, err, "Admin should not satisfy PEER principal") 520 assert.Contains(t, err.Error(), "idemixmsp only supports client use, so it cannot satisfy an MSPRole PEER principal") 521 } 522 523 func TestPrincipalRoleNotAdmin(t *testing.T) { 524 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 525 assert.NoError(t, err) 526 527 id1, err := getDefaultSigner(msp1) 528 assert.NoError(t, err) 529 530 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ADMIN, MspIdentifier: id1.GetMSPIdentifier()}) 531 assert.NoError(t, err) 532 533 principal := &msp.MSPPrincipal{ 534 PrincipalClassification: msp.MSPPrincipal_ROLE, 535 Principal: principalBytes} 536 537 err = id1.SatisfiesPrincipal(principal) 538 assert.Error(t, err, "Member should not satisfy Admin principal") 539 assert.Contains(t, err.Error(), "user is not an admin") 540 } 541 542 func TestPrincipalRoleWrongMSP(t *testing.T) { 543 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 544 assert.NoError(t, err) 545 546 id1, err := getDefaultSigner(msp1) 547 assert.NoError(t, err) 548 549 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: "OtherMSP"}) 550 assert.NoError(t, err) 551 552 principal := &msp.MSPPrincipal{ 553 PrincipalClassification: msp.MSPPrincipal_ROLE, 554 Principal: principalBytes} 555 556 err = id1.SatisfiesPrincipal(principal) 557 assert.Error(t, err, "Role MSP principal should have failed for user of different MSP") 558 assert.Contains(t, err.Error(), "the identity is a member of a different MSP") 559 } 560 561 func TestPrincipalRoleBadRole(t *testing.T) { 562 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 563 assert.NoError(t, err) 564 565 id1, err := getDefaultSigner(msp1) 566 assert.NoError(t, err) 567 568 // Make principal for nonexisting role 1234 569 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: 1234, MspIdentifier: id1.GetMSPIdentifier()}) 570 assert.NoError(t, err) 571 572 principal := &msp.MSPPrincipal{ 573 PrincipalClassification: msp.MSPPrincipal_ROLE, 574 Principal: principalBytes} 575 576 err = id1.SatisfiesPrincipal(principal) 577 assert.Error(t, err, "Role MSP principal should have failed for a bad Role") 578 assert.Contains(t, err.Error(), "invalid MSP role type") 579 } 580 581 func TestPrincipalBad(t *testing.T) { 582 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 583 assert.NoError(t, err) 584 585 id1, err := getDefaultSigner(msp1) 586 assert.NoError(t, err) 587 588 principal := &msp.MSPPrincipal{ 589 PrincipalClassification: 1234, 590 Principal: nil} 591 592 err = id1.SatisfiesPrincipal(principal) 593 assert.Error(t, err, "Principal with bad Classification should fail") 594 assert.Contains(t, err.Error(), "invalid principal type") 595 } 596 597 func TestPrincipalCombined(t *testing.T) { 598 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 599 assert.NoError(t, err) 600 601 id1, err := getDefaultSigner(msp1) 602 assert.NoError(t, err) 603 604 ou := &msp.OrganizationUnit{ 605 OrganizationalUnitIdentifier: id1.GetOrganizationalUnits()[0].OrganizationalUnitIdentifier, 606 MspIdentifier: id1.GetMSPIdentifier(), 607 CertifiersIdentifier: nil, 608 } 609 principalBytes, err := proto.Marshal(ou) 610 assert.NoError(t, err) 611 612 principalOU := &msp.MSPPrincipal{ 613 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 614 Principal: principalBytes} 615 616 principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: id1.GetMSPIdentifier()}) 617 assert.NoError(t, err) 618 619 principalRole := &msp.MSPPrincipal{ 620 PrincipalClassification: msp.MSPPrincipal_ROLE, 621 Principal: principalBytes} 622 623 principals := []*msp.MSPPrincipal{principalOU, principalRole} 624 625 combinedPrincipal := &msp.CombinedPrincipal{Principals: principals} 626 combinedPrincipalBytes, err := proto.Marshal(combinedPrincipal) 627 628 assert.NoError(t, err) 629 630 principalsCombined := &msp.MSPPrincipal{PrincipalClassification: msp.MSPPrincipal_COMBINED, Principal: combinedPrincipalBytes} 631 632 err = id1.SatisfiesPrincipal(principalsCombined) 633 assert.NoError(t, err) 634 } 635 636 func TestPrincipalCombinedBad(t *testing.T) { 637 msp1, err := setup("testdata/idemix/MSP1OU1", "MSP1OU1") 638 assert.NoError(t, err) 639 640 id1, err := getDefaultSigner(msp1) 641 assert.NoError(t, err) 642 643 // create combined principal requiring membership of OU1 in MSP1 and requiring admin role 644 ou := &msp.OrganizationUnit{ 645 OrganizationalUnitIdentifier: id1.GetOrganizationalUnits()[0].OrganizationalUnitIdentifier, 646 MspIdentifier: id1.GetMSPIdentifier(), 647 CertifiersIdentifier: nil, 648 } 649 principalBytes, err := proto.Marshal(ou) 650 assert.NoError(t, err) 651 652 principalOU := &msp.MSPPrincipal{ 653 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 654 Principal: principalBytes} 655 656 principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ADMIN, MspIdentifier: id1.GetMSPIdentifier()}) 657 assert.NoError(t, err) 658 659 principalRole := &msp.MSPPrincipal{ 660 PrincipalClassification: msp.MSPPrincipal_ROLE, 661 Principal: principalBytes} 662 663 principals := []*msp.MSPPrincipal{principalOU, principalRole} 664 665 combinedPrincipal := &msp.CombinedPrincipal{Principals: principals} 666 combinedPrincipalBytes, err := proto.Marshal(combinedPrincipal) 667 668 assert.NoError(t, err) 669 670 principalsCombined := &msp.MSPPrincipal{PrincipalClassification: msp.MSPPrincipal_COMBINED, Principal: combinedPrincipalBytes} 671 672 err = id1.SatisfiesPrincipal(principalsCombined) 673 assert.Error(t, err, "non-admin member of OU1 in MSP1 should not satisfy principal admin and OU1 in MSP1") 674 assert.Contains(t, err.Error(), "user is not an admin") 675 } 676 677 func TestPrincipalCombinedV11(t *testing.T) { 678 msp1, err := setupWithVersion("testdata/idemix/MSP1OU1", "MSP1OU1", MSPv1_1) 679 assert.NoError(t, err) 680 681 id1, err := getDefaultSigner(msp1) 682 assert.NoError(t, err) 683 684 ou := &msp.OrganizationUnit{ 685 OrganizationalUnitIdentifier: id1.GetOrganizationalUnits()[0].OrganizationalUnitIdentifier, 686 MspIdentifier: id1.GetMSPIdentifier(), 687 CertifiersIdentifier: nil, 688 } 689 principalBytes, err := proto.Marshal(ou) 690 assert.NoError(t, err) 691 692 principalOU := &msp.MSPPrincipal{ 693 PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT, 694 Principal: principalBytes} 695 696 principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: id1.GetMSPIdentifier()}) 697 assert.NoError(t, err) 698 699 principalRole := &msp.MSPPrincipal{ 700 PrincipalClassification: msp.MSPPrincipal_ROLE, 701 Principal: principalBytes} 702 703 principals := []*msp.MSPPrincipal{principalOU, principalRole} 704 705 combinedPrincipal := &msp.CombinedPrincipal{Principals: principals} 706 combinedPrincipalBytes, err := proto.Marshal(combinedPrincipal) 707 708 assert.NoError(t, err) 709 710 principalsCombined := &msp.MSPPrincipal{PrincipalClassification: msp.MSPPrincipal_COMBINED, Principal: combinedPrincipalBytes} 711 712 err = id1.SatisfiesPrincipal(principalsCombined) 713 assert.Error(t, err) 714 assert.Contains(t, err.Error(), "Combined MSP Principals are unsupported in MSPv1_1") 715 } 716 717 func TestRoleClientV11(t *testing.T) { 718 msp1, err := setupWithVersion("testdata/idemix/MSP1OU1", "MSP1OU1", MSPv1_1) 719 assert.NoError(t, err) 720 id1, err := getDefaultSigner(msp1) 721 assert.NoError(t, err) 722 723 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_CLIENT, MspIdentifier: id1.GetMSPIdentifier()}) 724 assert.NoError(t, err) 725 principalRole := &msp.MSPPrincipal{ 726 PrincipalClassification: msp.MSPPrincipal_ROLE, 727 Principal: principalBytes} 728 err = id1.SatisfiesPrincipal(principalRole) 729 assert.Error(t, err) 730 assert.Contains(t, err.Error(), "invalid MSP role type") 731 } 732 733 func TestRolePeerV11(t *testing.T) { 734 msp1, err := setupWithVersion("testdata/idemix/MSP1OU1", "MSP1OU1", MSPv1_1) 735 assert.NoError(t, err) 736 id1, err := getDefaultSigner(msp1) 737 assert.NoError(t, err) 738 739 principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_PEER, MspIdentifier: id1.GetMSPIdentifier()}) 740 assert.NoError(t, err) 741 principalRole := &msp.MSPPrincipal{ 742 PrincipalClassification: msp.MSPPrincipal_ROLE, 743 Principal: principalBytes} 744 err = id1.SatisfiesPrincipal(principalRole) 745 assert.Error(t, err) 746 assert.Contains(t, err.Error(), "invalid MSP role type") 747 }