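/*
Copyright IBM Corp. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package msp

import (
	"fmt"
	"io"
	"io/ioutil"
	"os"
	"path/filepath"
	"syscall"

	docker "github.com/fsouza/go-dockerclient"
	"github.com/hyperledger/fabric/integration/nwo"
	"github.com/hyperledger/fabric/integration/nwo/commands"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	"github.com/onsi/gomega/gbytes"
	"github.com/onsi/gomega/gexec"
	"github.com/tedsuo/ifrit"
)

// This spec checks that a chaincode endorsement policy written in terms of
// the "peer" role ('Org1MSP.peer', 'Org2MSP.peer') is actually enforced on a
// network with mutual TLS: an endorsement produced by a peer whose local MSP
// identity is not a peer-role identity must be rejected with
// ENDORSEMENT_POLICY_FAILURE and must not change ledger state.
var _ = Describe("MSP identity test on a network with mutual TLS required", func() {
	var (
		client  *docker.Client
		tempDir string
		network *nwo.Network
		process ifrit.Process
	)

	BeforeEach(func() {
		var err error
		tempDir, err = ioutil.TempDir("", "msp")
		Expect(err).NotTo(HaveOccurred())

		client, err = docker.NewClientFromEnv()
		Expect(err).NotTo(HaveOccurred())

		network = nwo.New(nwo.BasicSolo(), tempDir, client, StartPort(), components)
	})

	AfterEach(func() {
		// Shutdown processes and cleanup. process is only set once the
		// network has been started, so guard it: calling Signal on a nil
		// ifrit.Process would panic and mask the failure that stopped the
		// spec before that point.
		if process != nil {
			process.Signal(syscall.SIGTERM)
			Eventually(process.Wait(), network.EventuallyTimeout).Should(Receive())
		}

		if network != nil {
			network.Cleanup()
		}
		os.RemoveAll(tempDir)
	})

	It("invokes chaincode on a peer that does not have a valid endorser identity", func() {
		By("setting TLS ClientAuthRequired to be true for all peers and orderers")
		network.ClientAuthRequired = true

		By("disabling NodeOU for org2")
		// Org2 Peer0 is used to test chaincode endorsement policy not satisfied due to peer's MSP
		// does not define Node OU. Without NodeOUs the peer's certificate carries no "peer" role,
		// so its signature can only satisfy a 'member' rule, never 'Org2MSP.peer'.
		Org2 := network.Organization("Org2")
		Org2.EnableNodeOUs = false

		network.GenerateConfigTree()
		network.Bootstrap()

		By("starting all processes for fabric")
		networkRunner := network.NetworkGroupRunner()
		process = ifrit.Invoke(networkRunner)
		Eventually(process.Ready(), network.EventuallyTimeout).Should(BeClosed())

		org1Peer0 := network.Peer("Org1", "peer0")
		org2Peer0 := network.Peer("Org2", "peer0")
		orderer := network.Orderer("orderer")

		By("creating and joining channels")
		network.CreateAndJoinChannels(orderer)
		By("enabling new lifecycle capabilities")
		nwo.EnableCapabilities(network, "testchannel", "Application", "V2_0", orderer, org1Peer0, org2Peer0)

		// The policy is an OR over the peer role of either org: a single endorsement from a
		// peer-role identity is sufficient, and an endorsement from any other identity is not.
		chaincode := nwo.Chaincode{
			Name:            "mycc",
			Version:         "0.0",
			Path:            "github.com/hyperledger/fabric/integration/chaincode/simple/cmd",
			Lang:            "golang",
			PackageFile:     filepath.Join(tempDir, "simplecc.tar.gz"),
			Ctor:            `{"Args":["init","a","100","b","200"]}`,
			SignaturePolicy: `OR ('Org1MSP.peer', 'Org2MSP.peer')`,
			Sequence:        "1",
			InitRequired:    true,
			Label:           "my_simple_chaincode",
		}

		By("deploying the chaincode")
		nwo.DeployChaincode(network, "testchannel", orderer, chaincode)

		// Baseline: with a valid endorser (org1 peer0) the invoke succeeds and moves "a" from 100 to 90.
		By("querying and invoking chaincode with mutual TLS enabled")
		RunQueryInvokeQuery(network, orderer, org1Peer0, 100)

		By("querying the chaincode with org2 peer")
		sess, err := network.PeerUserSession(org2Peer0, "User1", commands.ChaincodeQuery{
			ChannelID: "testchannel",
			Name:      "mycc",
			Ctor:      `{"Args":["query","a"]}`,
		})
		Expect(err).NotTo(HaveOccurred())
		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
		Expect(sess).To(gbytes.Say("90"))

		// Testing scenario one: chaincode endorsement policy not satisfied due to peer's MSP does not define
		// the peer node OU.
		By("attempting to invoke chaincode on a peer that does not have a valid endorser identity (endorsing peer has member identity)")
		sess, err = network.PeerUserSession(org2Peer0, "User1", commands.ChaincodeInvoke{
			ChannelID: "testchannel",
			Orderer:   network.OrdererAddress(orderer, nwo.ListenPort),
			Name:      "mycc",
			Ctor:      `{"Args":["invoke","a","b","10"]}`,
			PeerAddresses: []string{
				network.PeerAddress(org2Peer0, nwo.ListenPort),
			},
			WaitForEvent: true,
			ClientAuth:   network.ClientAuthRequired,
		})
		Expect(err).NotTo(HaveOccurred())
		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(1))
		Expect(sess.Err).To(gbytes.Say(`(ENDORSEMENT_POLICY_FAILURE)`))

		// The rejected transaction must not have been committed: "a" is still 90.
		By("reverifying the channel was not affected by the unauthorized endorsement")
		sess, err = network.PeerUserSession(org2Peer0, "User1", commands.ChaincodeQuery{
			ChannelID: "testchannel",
			Name:      "mycc",
			Ctor:      `{"Args":["query","a"]}`,
		})
		Expect(err).NotTo(HaveOccurred())
		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
		Expect(sess).To(gbytes.Say("90"))

		// Testing scenario two: chaincode endorsement policy not satisfied due to peer's signer cert does not
		// satisfy endorsement policy.
		By("replacing org1peer0's identity with a client identity")
		// Org1 peer0 is used to test chaincode endorsement policy not satisfied due to peer's signer
		// cert does not satisfy endorsement policy. Org1 still has NodeOUs enabled, so the peer now
		// signs endorsements with a certificate whose OU is "client", not "peer".
		org1Peer0MSPDir := network.PeerLocalMSPDir(org1Peer0)
		org1User1MSPDir := network.PeerUserMSPDir(org1Peer0, "User1")

		// Overwrite both the signing certificate and the matching private key so the peer's
		// local MSP stays internally consistent (a cert/key mismatch would fail at startup
		// rather than exercise the endorsement policy).
		_, err = copyFile(filepath.Join(org1User1MSPDir, "signcerts", "User1@org1.example.com-cert.pem"), filepath.Join(org1Peer0MSPDir, "signcerts", "peer0.org1.example.com-cert.pem"))
		Expect(err).NotTo(HaveOccurred())
		_, err = copyFile(filepath.Join(org1User1MSPDir, "keystore", "priv_sk"), filepath.Join(org1Peer0MSPDir, "keystore", "priv_sk"))
		Expect(err).NotTo(HaveOccurred())

		// The local MSP is loaded at startup only, so the whole network is bounced to pick up
		// the swapped identity.
		By("restarting all fabric processes to reload MSP identities")
		process.Signal(syscall.SIGTERM)
		Eventually(process.Wait(), network.EventuallyTimeout).Should(Receive())
		networkRunner = network.NetworkGroupRunner()
		process = ifrit.Invoke(networkRunner)
		Eventually(process.Ready(), network.EventuallyTimeout).Should(BeClosed())

		By("attempting to invoke chaincode on a peer that does not have a valid endorser identity (endorsing peer has client identity)")
		sess, err = network.PeerUserSession(org1Peer0, "User1", commands.ChaincodeInvoke{
			ChannelID: "testchannel",
			Orderer:   network.OrdererAddress(orderer, nwo.ListenPort),
			Name:      "mycc",
			Ctor:      `{"Args":["invoke","a","b","10"]}`,
			PeerAddresses: []string{
				network.PeerAddress(org1Peer0, nwo.ListenPort),
			},
			WaitForEvent: true,
			ClientAuth:   network.ClientAuthRequired,
		})
		Expect(err).NotTo(HaveOccurred())
		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(1))
		Expect(sess.Err).To(gbytes.Say(`(ENDORSEMENT_POLICY_FAILURE)`))

		By("reverifying the channel was not affected by the unauthorized endorsement")
		sess, err = network.PeerUserSession(org1Peer0, "User1", commands.ChaincodeQuery{
			ChannelID: "testchannel",
			Name:      "mycc",
			Ctor:      `{"Args":["query","a"]}`,
		})
		Expect(err).NotTo(HaveOccurred())
		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
		Expect(sess).To(gbytes.Say("90"))
	})
})

// RunQueryInvokeQuery queries "a" on peer as User1 and expects initialQueryResult,
// invokes a transfer of 10 from "a" to "b" endorsed by peer0 of both orgs, and
// queries again expecting initialQueryResult-10. It fails the spec on any
// non-zero exit or unexpected output.
func RunQueryInvokeQuery(n *nwo.Network, orderer *nwo.Orderer, peer *nwo.Peer, initialQueryResult int) {
	sess, err := n.PeerUserSession(peer, "User1", commands.ChaincodeQuery{
		ChannelID: "testchannel",
		Name:      "mycc",
		Ctor:      `{"Args":["query","a"]}`,
	})
	Expect(err).NotTo(HaveOccurred())
	Eventually(sess, n.EventuallyTimeout).Should(gexec.Exit(0))
	Expect(sess).To(gbytes.Say(fmt.Sprint(initialQueryResult)))

	// Collect endorsements from both org peers; the OR policy only needs one
	// valid peer-role signature for the transaction to commit.
	sess, err = n.PeerUserSession(peer, "User1", commands.ChaincodeInvoke{
		ChannelID: "testchannel",
		Orderer:   n.OrdererAddress(orderer, nwo.ListenPort),
		Name:      "mycc",
		Ctor:      `{"Args":["invoke","a","b","10"]}`,
		PeerAddresses: []string{
			n.PeerAddress(n.Peer("Org1", "peer0"), nwo.ListenPort),
			n.PeerAddress(n.Peer("Org2", "peer0"), nwo.ListenPort),
		},
		WaitForEvent: true,
		ClientAuth:   n.ClientAuthRequired,
	})
	Expect(err).NotTo(HaveOccurred())
	Eventually(sess, n.EventuallyTimeout).Should(gexec.Exit(0))
	Expect(sess.Err).To(gbytes.Say("Chaincode invoke successful. result: status:200"))

	sess, err = n.PeerUserSession(peer, "User1", commands.ChaincodeQuery{
		ChannelID: "testchannel",
		Name:      "mycc",
		Ctor:      `{"Args":["query","a"]}`,
	})
	Expect(err).NotTo(HaveOccurred())
	Eventually(sess, n.EventuallyTimeout).Should(gexec.Exit(0))
	Expect(sess).To(gbytes.Say(fmt.Sprint(initialQueryResult - 10)))
}

// copyFile replaces the existing file at dst with the contents of src and
// returns the number of bytes copied.
//
// dst must already exist: it is removed before the copy, so a mistyped
// destination fails loudly instead of silently creating a stray file. The new
// file is created with src's permission bits rather than the process default
// of 0666&^umask, which matters here because the helper copies a private key
// into the peer's keystore. Close errors on the destination are reported, so a
// short or failed write cannot be mistaken for a successful copy.
func copyFile(src, dst string) (int64, error) {
	source, err := os.Open(src)
	if err != nil {
		return 0, err
	}
	defer source.Close()

	info, err := source.Stat()
	if err != nil {
		return 0, err
	}

	if err := os.Remove(dst); err != nil {
		return 0, err
	}
	// O_EXCL: dst was just removed, so anything appearing in between is unexpected.
	destination, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, info.Mode().Perm())
	if err != nil {
		return 0, err
	}

	nBytes, err := io.Copy(destination, source)
	if closeErr := destination.Close(); err == nil {
		err = closeErr
	}
	if err != nil {
		return 0, err
	}
	return nBytes, nil
}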