github.com/silveraid/fabric-ca@v1.1.0-preview.0.20180127000700-71974f53ab08/lib/serverregister_test.go (about) 1 /* 2 Copyright IBM Corp. 2016 All Rights Reserved. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 package lib 17 18 import ( 19 "os" 20 "strconv" 21 "testing" 22 23 "github.com/hyperledger/fabric-ca/api" 24 "github.com/hyperledger/fabric-ca/lib/attr" 25 "github.com/hyperledger/fabric-ca/util" 26 "github.com/stretchr/testify/assert" 27 ) 28 29 func TestRegistrarAttribute(t *testing.T) { 30 os.RemoveAll(rootDir) 31 os.RemoveAll("../testdata/msp") 32 defer os.RemoveAll(rootDir) 33 defer os.RemoveAll("../testdata/msp") 34 35 var err error 36 37 srv := TestGetRootServer(t) 38 registry := &srv.CA.Config.Registry 39 40 // admin2 own attributes but does not have 'hf.Registrar.Attributes' attribute 41 id := CAConfigIdentity{ 42 Name: "admin2", 43 Pass: "admin2pw", 44 Type: "user", 45 Affiliation: "org2", 46 MaxEnrollments: -1, 47 Attrs: map[string]string{ 48 attr.Roles: "user,peer", 49 attr.Revoker: "false", 50 "a.b": "val1", 51 }, 52 } 53 registry.Identities = append(registry.Identities, id) 54 55 // admin3 has 'hf.Registrar.Attributes' attribute 56 id = CAConfigIdentity{ 57 Name: "admin3", 58 Pass: "admin3pw", 59 Type: "user", 60 Affiliation: "org2", 61 MaxEnrollments: -1, 62 Attrs: map[string]string{ 63 attr.Roles: allRoles, 64 attr.DelegateRoles: allRoles, 65 attr.Revoker: "true", 66 attr.IntermediateCA: "true", 67 attr.RegistrarAttr: "a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker", 68 }, 69 } 70 registry.Identities = append(registry.Identities, id) 71 72 // admin4 has 'hf.Registrar.Attributes' attribute but can only register 'hf.' attributes 73 id = CAConfigIdentity{ 74 Name: "admin4", 75 Pass: "admin4pw", 76 Type: "user", 77 Affiliation: "org2", 78 MaxEnrollments: -1, 79 Attrs: map[string]string{ 80 attr.Roles: "user,peer", 81 attr.Revoker: "false", 82 attr.RegistrarAttr: "hf.*", 83 }, 84 } 85 registry.Identities = append(registry.Identities, id) 86 87 err = srv.Start() 88 util.FatalError(t, err, "Failed to start server") 89 defer srv.Stop() 90 91 // Enroll admin2 92 client := getTestClient(rootPort) 93 94 negativeCases(t, client) 95 positiveCases(t, client) 96 } 97 98 func negativeCases(t *testing.T, client *Client) { 99 enrollResp, err := client.Enroll(&api.EnrollmentRequest{ 100 Name: "admin2", 101 Secret: "admin2pw", 102 }) 103 util.FatalError(t, err, "Failed to enroll 'admin2' user") 104 registrar := enrollResp.Identity 105 106 missingHfRegistrarAttr(t, registrar) 107 108 enrollResp, err = client.Enroll(&api.EnrollmentRequest{ 109 Name: "admin4", 110 Secret: "admin4pw", 111 }) 112 util.FatalError(t, err, "Failed to enroll 'admin4' user") 113 registrar = enrollResp.Identity 114 115 invalidAttrRequestValues(t, registrar) 116 117 // Enroll request for admin3 118 enrollResp, err = client.Enroll(&api.EnrollmentRequest{ 119 Name: "admin3", 120 Secret: "admin3pw", 121 }) 122 assert.NoError(t, err, "Failed to enroll 'admin3' user") 123 registrar = enrollResp.Identity 124 125 invalidAttrRequest(t, registrar) 126 invalidHfRegistrarAttrRequest(t, registrar) 127 128 } 129 130 func missingHfRegistrarAttr(t *testing.T, registrar *Identity) { 131 // Negative case: Registrar does not have the attribute 'hf.Registrar.Attributes' 132 _, err := registrar.Register(registerTestUser("user1", 133 []api.Attribute{ 134 api.Attribute{ 135 Name: "fake.attribute", 136 Value: "val1", 137 }, 138 }), 139 ) 140 if assert.Error(t, err, "Should have failed to register an identity with inappropriate attributes") { 141 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 142 } 143 144 // Negative case: Registrar does not own 'hf.Registrar.Attributes' 145 _, err = registrar.Register(registerTestUser("user1", 146 []api.Attribute{ 147 api.Attribute{ 148 Name: attr.RegistrarAttr, 149 Value: "val1", 150 }, 151 }), 152 ) 153 if assert.Error(t, err, "Should have failed to register an identity with inappropriate attributes") { 154 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 155 } 156 } 157 158 func invalidAttrRequestValues(t *testing.T, registrar *Identity) { 159 _, err := registrar.Register(registerTestUser("user1", 160 []api.Attribute{ 161 api.Attribute{ 162 Name: attr.Roles, 163 Value: "user,peer,client", 164 }, 165 }), 166 ) 167 if assert.Errorf(t, err, "Should have failed to register an identity with inappropriate values for '%s', can only register a subset", attr.Roles) { 168 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 169 } 170 171 // Negative case: Registrar owns this attribute but with a value of 'false', can't register with a value of 'true' 172 _, err = registrar.Register(registerTestUser("user1", 173 []api.Attribute{ 174 api.Attribute{ 175 Name: attr.Revoker, 176 Value: "true", 177 }, 178 }), 179 ) 180 if assert.Error(t, err, "Should have failed to register an identity with an attribute that is not part of 'hf.Registrar.Attributes'") { 181 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 182 } 183 184 // Negative case: Registrar owns this attribute but with a value of 'false', can't register with a value of 'true' 185 _, err = registrar.Register(registerTestUser("user1", 186 []api.Attribute{ 187 api.Attribute{ 188 Name: "hf.FakeAttr", 189 Value: "true", 190 }, 191 }), 192 ) 193 if assert.Error(t, err, "Should have failed to register an identity with an attribute invalid attribute with prefix 'hf.'") { 194 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 195 } 196 } 197 198 func invalidAttrRequest(t *testing.T, registrar *Identity) { 199 // Negative case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 200 _, err := registrar.Register(registerTestUser("user2", 201 []api.Attribute{ 202 api.Attribute{ 203 Name: "a.b.*", 204 Value: "val1", 205 }, 206 }), 207 ) 208 if assert.Error(t, err, "Should have failed to register an identity with inappropriate attributes") { 209 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 210 } 211 212 // Negative case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 213 _, err = registrar.Register(registerTestUser("user2", 214 []api.Attribute{ 215 api.Attribute{ 216 Name: "a.b.c.d", 217 Value: "val1", 218 }, 219 }), 220 ) 221 if assert.Error(t, err, "Should have failed to register an identity with inappropriate attributes") { 222 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 223 } 224 225 // Negative case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 226 _, err = registrar.Register(registerTestUser("user2", 227 []api.Attribute{ 228 api.Attribute{ 229 Name: "test", 230 Value: "val1", 231 }, 232 }), 233 ) 234 if assert.Error(t, err, "Should have failed to register an identity with inappropriate attributes") { 235 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 236 } 237 238 // Negative case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 239 _, err = registrar.Register(registerTestUser("user11", 240 []api.Attribute{ 241 api.Attribute{ 242 Name: "*", 243 Value: "val1", 244 }, 245 }), 246 ) 247 if assert.Error(t, err, "Should have failed to register an identity with inappropriate attributes") { 248 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 249 } 250 251 // Negative case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 252 _, err = registrar.Register(registerTestUser("user12", 253 []api.Attribute{ 254 api.Attribute{ 255 Name: "w.x.y.z", 256 Value: "val1", 257 }, 258 }), 259 ) 260 if assert.Error(t, err, "Should have failed to register an identity with inappropriate attributes") { 261 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 262 } 263 264 // Negative case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 265 _, err = registrar.Register(registerTestUser("user13", 266 []api.Attribute{ 267 api.Attribute{ 268 Name: "hf.fakeAttr", 269 Value: "val1", 270 }, 271 }), 272 ) 273 if assert.Error(t, err, "Should have failed to register an identity with inappropriate attributes (hf.fakeAttr)") { 274 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 275 } 276 } 277 278 func invalidHfRegistrarAttrRequest(t *testing.T, registrar *Identity) { 279 // Negative case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 280 _, err := registrar.Register(registerTestUser("user7", 281 []api.Attribute{ 282 api.Attribute{ 283 Name: attr.RegistrarAttr, 284 Value: "a.b, x.y", 285 }, 286 }), 287 ) 288 if assert.Error(t, err, "Should have failed to register an identity with inappropriate attributes") { 289 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 290 } 291 292 // Negative case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 293 _, err = registrar.Register(registerTestUser("user7", 294 []api.Attribute{ 295 api.Attribute{ 296 Name: attr.RegistrarAttr, 297 Value: "a.b.c, x.y", 298 }, 299 }), 300 ) 301 if assert.Error(t, err, "Should have failed to register an identity with inappropriate attributes") { 302 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 303 } 304 305 // Negative case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 306 _, err = registrar.Register(registerTestUser("user7", 307 []api.Attribute{ 308 api.Attribute{ 309 Name: attr.RegistrarAttr, 310 Value: "hf.Revoker", 311 }, 312 }), 313 ) 314 if assert.Error(t, err, "Should have failed to register an identity with inappropriate attributes, identity does not posses 'hf.Revoker'") { 315 assert.Contains(t, err.Error(), strconv.Itoa(ErrAuthFailure)) 316 } 317 } 318 319 func positiveCases(t *testing.T, client *Client) { 320 enrollResp, err := client.Enroll(&api.EnrollmentRequest{ 321 Name: "admin3", 322 Secret: "admin3pw", 323 }) 324 assert.NoError(t, err, "Failed to enroll 'admin' user") 325 326 registrar := enrollResp.Identity 327 328 registerCustomAttr(t, registrar) 329 registerHfRegistrarAttr(t, registrar) 330 331 // Enroll request for admin 332 enrollResp, err = client.Enroll(&api.EnrollmentRequest{ 333 Name: "admin", 334 Secret: "adminpw", 335 }) 336 assert.NoError(t, err, "Failed to enroll 'admin' user") 337 338 registrar = enrollResp.Identity 339 340 // Positive case: Registrar's hf.Registrar.Attribute = * 341 _, err = registrar.Register(registerTestUser("user14", 342 []api.Attribute{ 343 api.Attribute{ 344 Name: "*", 345 Value: "val1", 346 }, 347 }), 348 ) 349 assert.NoError(t, err, "Failed to register an identity with appropriate attributes") 350 } 351 352 func registerCustomAttr(t *testing.T, registrar *Identity) { 353 // Positive case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 354 _, err := registrar.Register(registerTestUser("user2", 355 []api.Attribute{ 356 api.Attribute{ 357 Name: "a.b.c", 358 Value: "val1", 359 }, 360 }), 361 ) 362 assert.NoError(t, err, "Should have succeeded to register an identity with appropriate attributes") 363 364 // Positive case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 365 _, err = registrar.Register(registerTestUser("user3", 366 []api.Attribute{ 367 api.Attribute{ 368 Name: "testattr1", 369 Value: "val1", 370 }, 371 }), 372 ) 373 assert.NoError(t, err, "Should have succeeded to register an identity with appropriate attributes") 374 375 // Positive case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 376 _, err = registrar.Register(registerTestUser("user4", 377 []api.Attribute{ 378 api.Attribute{ 379 Name: "x.y.*", 380 Value: "val1", 381 }, 382 }), 383 ) 384 assert.NoError(t, err, "Failed to register an identity with appropriate attributes") 385 386 // Positive case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 387 _, err = registrar.Register(registerTestUser("user5", 388 []api.Attribute{ 389 api.Attribute{ 390 Name: "x.y.z", 391 Value: "val1", 392 }, 393 }), 394 ) 395 assert.NoError(t, err, "Should have succeeded to register an identity with appropriate attributes") 396 } 397 398 func registerHfRegistrarAttr(t *testing.T, registrar *Identity) { 399 // Positive case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 400 _, err := registrar.Register(registerTestUser("user6", 401 []api.Attribute{ 402 api.Attribute{ 403 Name: attr.RegistrarAttr, 404 Value: "a.b.c, x.y.*", 405 }, 406 }), 407 ) 408 assert.NoError(t, err, "Should have succeeded to register an identity with appropriate attributes") 409 410 // Positive case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 411 _, err = registrar.Register(registerTestUser("user7", 412 []api.Attribute{ 413 api.Attribute{ 414 Name: attr.RegistrarAttr, 415 Value: "a.b.c", 416 }, 417 }), 418 ) 419 assert.NoError(t, err, "Should have succeeded to register an identity with appropriate attributes") 420 421 // Positive case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 422 _, err = registrar.Register(registerTestUser("user8", 423 []api.Attribute{ 424 api.Attribute{ 425 Name: attr.RegistrarAttr, 426 Value: "x.y.z.z", 427 }, 428 }), 429 ) 430 assert.NoError(t, err, "Should have succeeded to register an identity with appropriate attributes") 431 432 // Positive case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, attr, hf.Registrar.Attributes 433 _, err = registrar.Register(registerTestUser("user9", 434 []api.Attribute{ 435 api.Attribute{ 436 Name: "attr$", 437 Value: "val1", 438 }, 439 }), 440 ) 441 assert.NoError(t, err, "Should have succeeded to register an identity with appropriate attributes") 442 443 // Positive case: Registrar's hf.Registrar.Attribute = a.b.c, x.y.*, testattr*, attr$, hf.Registrar.Attributes, hf.Revoker 444 _, err = registrar.Register(registerTestUser("user10", 445 []api.Attribute{ 446 api.Attribute{ 447 Name: attr.RegistrarAttr, 448 Value: "x.y.z.*", 449 }, 450 }), 451 ) 452 assert.NoError(t, err, "Should not have failed to register appropriate command") 453 } 454 455 func registerTestUser(username string, attribute []api.Attribute) *api.RegistrationRequest { 456 return &api.RegistrationRequest{ 457 Name: username, 458 Affiliation: "org2", 459 Attributes: attribute, 460 } 461 } 462 463 func TestAffiliationAndTypeCheck(t *testing.T) { 464 os.RemoveAll(rootDir) 465 os.RemoveAll("../testdata/msp") 466 defer os.RemoveAll(rootDir) 467 defer os.RemoveAll("../testdata/msp") 468 469 var err error 470 471 srv := TestGetRootServer(t) 472 473 registry := &srv.CA.Config.Registry 474 475 // admin2 own attributes but does not have 'hf.Registrar.Attributes' attribute 476 id := CAConfigIdentity{ 477 Name: "admin2", 478 Pass: "admin2pw", 479 Type: "user", 480 Affiliation: "org2", 481 MaxEnrollments: -1, 482 Attrs: map[string]string{ 483 attr.Roles: allRoles, 484 }, 485 } 486 registry.Identities = append(registry.Identities, id) 487 488 err = srv.Start() 489 if !assert.NoError(t, err, "Failed to start server") { 490 t.Fatal("Failed to start server: ", err) 491 } 492 493 // Enroll admin2 494 client := getTestClient(rootPort) 495 enrollResp, err := client.Enroll(&api.EnrollmentRequest{ 496 Name: "admin2", 497 Secret: "admin2pw", 498 }) 499 assert.NoError(t, err, "Failed to enroll 'admin' user") 500 501 registrar := enrollResp.Identity 502 503 _, err = registrar.Register(&api.RegistrationRequest{ 504 Name: "testuser", 505 Affiliation: "org2dept1", 506 }) 507 assert.Error(t, err, "Should have failed to register, registrar with affiliation 'org1' can't register 'org1dept1'") 508 509 _, err = registrar.Register(&api.RegistrationRequest{ 510 Name: "testuser", 511 Affiliation: "org2", 512 }) 513 assert.NoError(t, err, "Failed to register user 'testuser' with appropriate affiliation") 514 515 _, err = registrar.Register(&api.RegistrationRequest{ 516 Name: "testuser2", 517 Affiliation: "org2.dept1", 518 }) 519 assert.NoError(t, err, "Failed to register user 'testuser2' with appropriate affiliation") 520 521 _, err = registrar.Register(&api.RegistrationRequest{ 522 Name: "testuser3", 523 }) 524 assert.NoError(t, err, "Failed to register user 'testuser2' with appropriate affiliation") 525 526 db := srv.CA.registry 527 528 user, err := db.GetUser("testuser3", nil) 529 assert.NoError(t, err, "Failed to get user") 530 531 assert.Equal(t, "user", user.GetType(), "Failed to set correct default type for a registering user") 532 assert.Equal(t, "org2", GetUserAffiliation(user), "Failed to set correct default affiliation for a registering userr") 533 534 err = srv.Stop() 535 assert.NoError(t, err, "Failed to start server") 536 }