github.com/tw-bc-group/fabric-ca-gm@v0.0.0-20201218004200-3b690512bd5a/lib/server_test.go (about) 1 /* 2 Copyright IBM Corp. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package lib_test 8 9 import ( 10 "bytes" 11 "crypto/tls" 12 "crypto/x509" 13 "fmt" 14 "io" 15 "io/ioutil" 16 "math/rand" 17 "net" 18 "net/http" 19 "os" 20 "path" 21 "path/filepath" 22 "strconv" 23 "strings" 24 "sync" 25 "testing" 26 "time" 27 28 "github.com/cloudflare/cfssl/certdb" 29 "github.com/cloudflare/cfssl/csr" 30 . "github.com/onsi/gomega" 31 "github.com/onsi/gomega/gbytes" 32 "github.com/spf13/viper" 33 "github.com/stretchr/testify/assert" 34 "github.com/tw-bc-group/fabric-ca-gm/api" 35 . "github.com/tw-bc-group/fabric-ca-gm/lib" 36 "github.com/tw-bc-group/fabric-ca-gm/lib/metadata" 37 "github.com/tw-bc-group/fabric-ca-gm/lib/server/db" 38 "github.com/tw-bc-group/fabric-ca-gm/lib/server/db/mysql" 39 "github.com/tw-bc-group/fabric-ca-gm/lib/server/operations" 40 cadbuser "github.com/tw-bc-group/fabric-ca-gm/lib/server/user" 41 libtls "github.com/tw-bc-group/fabric-ca-gm/lib/tls" 42 "github.com/tw-bc-group/fabric-ca-gm/util" 43 "github.com/tw-bc-group/fabric-gm/bccsp/factory" 44 "github.com/tw-bc-group/fabric-gm/common/metrics/disabled" 45 ) 46 47 const ( 48 rootPort = 7075 49 rootDir = "rootDir" 50 intermediatePort = 7076 51 intermediateDir = "intDir" 52 testdataDir = "../testdata" 53 pportEnvVar = "FABRIC_CA_SERVER_PROFILE_PORT" 54 testdata = "../testdata" 55 ) 56 57 func TestMain(m *testing.M) { 58 metadata.Version = "1.1.0" 59 os.Exit(m.Run()) 60 } 61 62 func TestSRVServerInit(t *testing.T) { 63 server := TestGetRootServer(t) 64 if server == nil { 65 return 66 } 67 68 err := server.Init(false) 69 if err != nil { 70 t.Errorf("First server init failed") 71 } 72 defer func() { 73 err = os.RemoveAll(rootDir) 74 if err != nil { 75 t.Errorf("RemoveAll failed: %s", err) 76 } 77 }() 78 err = server.Init(false) 79 if err != nil { 80 t.Errorf("Second server init failed") 81 } 82 err = server.Init(true) 83 if err != nil { 84 t.Errorf("Third Server init renew failed: %s", err) 85 } 86 // Verify that the duration of the newly created certificate is 15 years 87 d, err := util.GetCertificateDurationFromFile(path.Join(rootDir, "ca-cert.pem")) 88 assert.NoError(t, err) 89 assert.True(t, d.Hours() == 131400, fmt.Sprintf("Expecting 131400 but found %f", d.Hours())) 90 91 server.Config.CAcfg.CA.Certfile = "../testdata/ec.pem" 92 server.Config.CAcfg.CA.Keyfile = "../testdata/ec-key.pem" 93 err = server.Init(false) 94 if err != nil { 95 t.Errorf("Server init with known key/cert files failed: %s", err) 96 } 97 server.Config.CAcfg.CA.Certfile = "" 98 server.Config.CAcfg.CA.Keyfile = "" 99 err = server.Init(false) 100 if err != nil { 101 t.Errorf("Server init with known key/cert files failed: %s", err) 102 } 103 104 // Fail case - cannot get home directory 105 wd, err := os.Getwd() 106 if err != nil { 107 t.Fatalf("failed to get cwd: %s", err) 108 } 109 td, err := ioutil.TempDir("", "ServerInitStat") 110 if err != nil { 111 t.Fatalf("failed to get tmp dir: %s", err) 112 } 113 defer func() { 114 err = os.RemoveAll(td) 115 if err != nil { 116 t.Fatalf("RemoveAll failed: %s", err) 117 } 118 }() 119 server.HomeDir = "" 120 err = os.Chdir(td) 121 if err != nil { 122 t.Fatalf("failed to cd to %v: %s", td, err) 123 } 124 defer func() { 125 err = os.Chdir(wd) 126 if err != nil { 127 t.Fatalf("failed to cd to %v: %s", wd, err) 128 } 129 }() 130 fileInfo, err := os.Stat(".") 131 if err != nil { 132 t.Fatalf("os.Stat failed on current dir: %s", err) 133 } 134 oldmode := fileInfo.Mode() 135 curd, err := os.Getwd() 136 t.Logf("Current dir: %s", fileInfo.Name()) 137 t.Logf("Current curd: %v", curd) 138 err = os.Chmod(".", 0000) 139 if err != nil { 140 t.Fatalf("Chmod on %s failed: %s", fileInfo.Name(), err) 141 } 142 defer func() { 143 err = os.Chmod(td, oldmode) 144 if err != nil { 145 t.Fatalf("Chmod on %s failed: %s", td, err) 146 } 147 }() 148 149 err = server.Init(false) 150 t.Logf("Server.Init error: %v", err) 151 if err == nil { 152 t.Errorf("Server init should have failed (permission error)") 153 } 154 155 server.HomeDir = "" 156 } 157 158 func TestSRVRootServer(t *testing.T) { 159 var err error 160 var admin, user1 *Identity 161 var rr *api.RegistrationResponse 162 var recs []db.CertRecord 163 164 // Start the server 165 server := TestGetRootServer(t) 166 if server == nil { 167 return 168 } 169 err = server.Start() 170 if err != nil { 171 t.Fatalf("Server start failed: %s", err) 172 } 173 defer func() { 174 err = server.Stop() 175 if err != nil { 176 t.Errorf("Failed to stop server: %s", err) 177 } 178 err = os.RemoveAll(rootDir) 179 if err != nil { 180 t.Errorf("RemoveAll failed: %s", err) 181 } 182 err = os.RemoveAll("../testdata/msp") 183 if err != nil { 184 t.Errorf("RemoveAll failed: %s", err) 185 } 186 }() 187 err = server.Start() 188 t.Logf("Starting duplicate CA server: %s", err) 189 if err == nil { 190 t.Fatalf("Server start should have failed") 191 } 192 193 // Enroll request 194 client := getRootClient() 195 eresp, err := client.Enroll(&api.EnrollmentRequest{ 196 Name: "admin", 197 Secret: "adminpw", 198 }) 199 if err != nil { 200 t.Fatalf("Failed to enroll admin2/admin2pw: %s", err) 201 } 202 admin = eresp.Identity 203 // test registration permissions wrt roles and affiliation 204 testRegistration(admin, t) 205 // Register user1 206 rr, err = admin.Register(&api.RegistrationRequest{ 207 Name: "user1", 208 Type: "user", 209 Affiliation: "hyperledger.fabric.security", 210 Attributes: []api.Attribute{api.Attribute{Name: "attr1", Value: "val1"}}, 211 }) 212 if err != nil { 213 t.Fatalf("Failed to register user1: %s", err) 214 } 215 // Enroll user1 with an explicit OU. Make sure it is ignored. 216 eresp, err = client.Enroll(&api.EnrollmentRequest{ 217 Name: "user1", 218 Secret: rr.Secret, 219 CSR: &api.CSRInfo{Names: []csr.Name{csr.Name{OU: "foobar"}}}, 220 }) 221 if err != nil { 222 t.Fatalf("Failed to enroll user1: %s", err) 223 } 224 user1 = eresp.Identity 225 // Make sure the OUs are correct based on the identity type and affiliation 226 cert := user1.GetECert().GetX509Cert() 227 assert.NotNil(t, cert, "Failed to get user1's enrollment certificate") 228 229 ouPath := strings.Join(cert.Subject.OrganizationalUnit, ".") 230 assert.Equal(t, "user.hyperledger.fabric.security", ouPath, "Invalid OU path in certificate") 231 232 // The admin ID should have 1 cert in the DB now 233 dba := server.CA.CertDBAccessor() 234 recs, err = dba.GetCertificatesByID("admin") 235 if err != nil { 236 t.Errorf("Could not get admin's certs from DB: %s", err) 237 } 238 if len(recs) != 1 { 239 t.Errorf("Admin should have 1 cert in DB but found %d", len(recs)) 240 } 241 _, err = dba.GetUnexpiredCertificates() 242 if err != nil { 243 t.Errorf("Failed to get unexpired certificates: %s", err) 244 } 245 dba = &CertDBAccessor{} 246 _, err = dba.RevokeCertificatesByID("", 0) 247 if err == nil { 248 t.Error("dba.RevokeCertificatesByID on empty accessor should have failed") 249 } 250 var cr certdb.CertificateRecord 251 err = dba.InsertCertificate(cr) 252 if err == nil { 253 t.Error("dba.InsertCertificate on empty accessor should have failed") 254 } 255 // User1 should not be allowed to register 256 user2Registration := &api.RegistrationRequest{ 257 Name: "user2", 258 Type: "user", 259 Affiliation: "hyperledger.fabric-ca", 260 } 261 _, err = user1.Register(user2Registration) 262 if err == nil { 263 t.Error("User1 should have failed to register user2") 264 } 265 // Admin should be allowed to register user2 266 _, err = admin.Register(user2Registration) 267 if err != nil { 268 t.Errorf("Admin failed to register user2: %s", err) 269 } 270 // User1 renew 271 eresp, err = user1.Reenroll(&api.ReenrollmentRequest{}) 272 if err != nil { 273 t.Fatalf("Failed to reenroll user1: %s", err) 274 } 275 user1 = eresp.Identity 276 // User1 should not be allowed to revoke admin 277 _, err = user1.Revoke(&api.RevocationRequest{Name: "admin"}) 278 if err == nil { 279 t.Error("User1 should not be allowed to revoke admin") 280 } 281 // User1 should not be allowed to revoke user2 because of affiliation 282 _, err = user1.Revoke(&api.RevocationRequest{Name: "user2"}) 283 if err == nil { 284 t.Error("User1 should not be allowed to revoke user2 because of affiliation") 285 } 286 // User1 get's batch of tcerts 287 _, err = user1.GetTCertBatch(&api.GetTCertBatchRequest{Count: 1, AttrNames: []string{"attr1"}}) 288 if err != nil { 289 t.Fatalf("Failed to get tcerts for user1: %s", err) 290 } 291 // User1 get's batch of tcerts with attributes 292 _, err = user1.GetTCertBatch(&api.GetTCertBatchRequest{Count: 1}) 293 if err != nil { 294 t.Fatalf("Failed to get tcerts for user1: %s", err) 295 } 296 // Admin should not be allowed to revoke an invalid cert 297 _, err = admin.Revoke(&api.RevocationRequest{AKI: "foo", Serial: "bar"}) 298 if err == nil { 299 t.Error("Admin should have failed to revoke foo/bar") 300 } 301 // Revoke user1's identity 302 _, err = admin.Revoke(&api.RevocationRequest{Name: "user1"}) 303 if err != nil { 304 t.Fatalf("Failed to revoke user1's identity: %s", err) 305 } 306 // User1 should not be allowed to get tcerts now that it is revoked 307 _, err = user1.GetTCertBatch(&api.GetTCertBatchRequest{Count: 1}) 308 if err == nil { 309 t.Errorf("User1 should have failed to get tcerts since it is revoked") 310 } 311 312 // Test to make sure that if an identity registered with an 313 // attribute 'hf.Revoker=false' should not be able to make a 314 // successfull revocation request 315 secret, err := admin.Register(&api.RegistrationRequest{ 316 Name: "user3", 317 Type: "user", 318 Affiliation: "hyperledger.fabric-ca", 319 Attributes: makeAttrs(t, "hf.Revoker=false"), 320 }) 321 assert.NoError(t, err, "Failed to register user") 322 eresp, err = client.Enroll(&api.EnrollmentRequest{ 323 Name: "user3", 324 Secret: secret.Secret, 325 }) 326 assert.NoError(t, err, "Failed to enroll user2") 327 user3 := eresp.Identity 328 // User3 should not be allowed to revoke because of attribute 'hf.Revoker=false' 329 _, err = user3.Revoke(&api.RevocationRequest{Name: "admin"}) 330 assert.Error(t, err) 331 332 // deferred cleanup 333 } 334 335 // Test passwords with lowercase "e" to make sure it is stored 336 // correctly in the database with no conversion problems. 337 // See https://jira.hyperledger.org/projects/FAB/issues/FAB-5188 338 func TestSRVSpecialPassword(t *testing.T) { 339 340 user := "admin2" 341 pwd := "034e220796" 342 343 // Start the server 344 server := TestGetRootServer(t) 345 if server == nil { 346 return 347 } 348 err := server.RegisterBootstrapUser(user, pwd, "") 349 if err != nil { 350 t.Fatalf("Failed to register %s: %s", user, err) 351 } 352 err = server.Start() 353 if err != nil { 354 t.Fatalf("Server start failed: %s", err) 355 } 356 defer func() { 357 err = server.Stop() 358 if err != nil { 359 t.Errorf("Failed to stop server: %s", err) 360 } 361 err = os.RemoveAll("../testdata/msp/") 362 if err != nil { 363 t.Errorf("RemoveAll failed: %s", err) 364 } 365 err = os.RemoveAll(rootDir) 366 if err != nil { 367 t.Errorf("RemoveAll failed: %s", err) 368 } 369 }() 370 371 // Enroll request 372 client := getRootClient() 373 _, err = client.Enroll(&api.EnrollmentRequest{Name: user, Secret: pwd}) 374 if err != nil { 375 t.Fatalf("Failed to enroll %s: %s", user, err) 376 } 377 } 378 379 // TestProfiling tests if profiling endpoint can be accessed when profiling is 380 // enabled and not accessible when disabled (default) 381 func TestSRVProfiling(t *testing.T) { 382 t.Log("start TestProfiling") 383 384 defer func() { 385 err := os.RemoveAll(rootDir) 386 if err != nil { 387 t.Errorf("RemoveAll failed: %s", err) 388 } 389 }() 390 391 pport := rootPort + 1000 392 url := fmt.Sprintf("http://localhost:%d/debug/pprof/heap", pport) 393 394 // Start the server with profiling disabled 395 os.Setenv(pportEnvVar, strconv.Itoa(-1)) 396 server := TestGetServer(rootPort, rootDir, "", -1, t) 397 if server == nil { 398 return 399 } 400 err := server.Start() 401 if err != nil { 402 t.Fatalf("Server start failed: %s", err) 403 } 404 resp1, err2 := sendGetReq(url, t) 405 // send heap profiling request to the server and expect a bad response 406 // as profiling is disabled 407 if err2 == nil && resp1.StatusCode == 200 { 408 responseData, _ := ioutil.ReadAll(resp1.Body) 409 t.Errorf("Expected error response for profile request %s but got good response: %s", 410 url, responseData) 411 } 412 err = server.Stop() 413 if err != nil { 414 t.Errorf("Failed to stop server: %s", err) 415 } 416 417 // Start the server with profiling enabled but port set to server port 418 os.Setenv(pportEnvVar, strconv.Itoa(rootPort)) 419 server = TestGetServer(rootPort, rootDir, "", -1, t) 420 if server == nil { 421 return 422 } 423 err = server.Start() 424 if err == nil { 425 t.Fatalf("Server should not have started because of port conflict") 426 } 427 428 // Start the server with profiling enabled 429 os.Setenv(pportEnvVar, strconv.Itoa(pport)) 430 defer os.Unsetenv(pportEnvVar) 431 server = TestGetServer(rootPort, rootDir, "", -1, t) 432 if server == nil { 433 return 434 } 435 err = server.Start() 436 if err != nil { 437 t.Fatalf("Server start failed: %s", err) 438 } 439 defer func() { 440 err = server.Stop() 441 if err != nil { 442 t.Errorf("Failed to stop server: %s", err) 443 } 444 }() 445 446 // send heap profiling request to the server and expect a 200 response 447 // as profiling is enabled 448 resp, err1 := sendGetReq(url, t) 449 if err1 != nil || resp.StatusCode != 200 { 450 if err1 == nil { 451 responseData, _ := ioutil.ReadAll(resp.Body) 452 err1 = fmt.Errorf("Invalid response %s with code %d returned for the request %s", 453 string(responseData), resp.StatusCode, url) 454 } 455 t.Errorf("Failed to send request to %s: %s", url, err1) 456 } 457 } 458 459 // sendGetReq sends GET request to the specified URL 460 func sendGetReq(url string, t *testing.T) (resp *http.Response, err error) { 461 req, err := http.NewRequest("GET", url, bytes.NewReader([]byte{})) 462 if err != nil { 463 t.Fatalf("Failed to create request for url %s: %s", url, err) 464 } 465 var tr = new(http.Transport) 466 httpClient := &http.Client{Transport: tr} 467 return httpClient.Do(req) 468 } 469 470 func TestSRVIntermediateServerWithFalseAttr(t *testing.T) { 471 var err error 472 473 err = os.RemoveAll(rootDir) 474 if err != nil { 475 t.Errorf("RemoveAll failed: %s", err) 476 } 477 478 // Start the root server 479 rootServer := TestGetRootServer(t) 480 if rootServer == nil { 481 return 482 } 483 rootServer.CA.Config.Registry.Identities[0].Attrs["hf.IntermediateCA"] = "false" 484 err = rootServer.Start() 485 if !assert.NoError(t, err, "Server failed start") { 486 assert.FailNow(t, err.Error()) 487 } 488 // Clean up when done 489 defer func() { 490 err = rootServer.Stop() 491 if err != nil { 492 t.Errorf("Failed to stop server: %s", err) 493 } 494 err = os.RemoveAll(rootDir) 495 if err != nil { 496 t.Errorf("RemoveAll failed: %s", err) 497 } 498 err = os.RemoveAll(intermediateDir) 499 if err != nil { 500 t.Errorf("RemoveAll failed: %s", err) 501 } 502 }() 503 504 intermediateServer := TestGetIntermediateServer(0, t) 505 if intermediateServer == nil { 506 return 507 } 508 509 err = intermediateServer.Init(false) 510 if assert.Error(t, err, "Should have failed, the attribute 'hf.IntermediateCA' is not set to true. Cannot register as Intermediate CA") { 511 assert.Contains(t, err.Error(), "is not set to true") 512 } 513 514 // deferred cleanup 515 } 516 517 func TestSRVIntermediateServer(t *testing.T) { 518 var err error 519 520 // Start the root server 521 rootServer := TestGetRootServer(t) 522 if rootServer == nil { 523 return 524 } 525 err = rootServer.Start() 526 if err != nil { 527 t.Fatalf("Root server start failed: %s", err) 528 } 529 defer func() { 530 err = rootServer.Stop() 531 if err != nil { 532 t.Errorf("Root server stop failed: %s", err) 533 } 534 err := os.RemoveAll("../testdata/msp") 535 if err != nil { 536 t.Errorf("RemoveAll failed: %s", err) 537 } 538 err = os.RemoveAll(rootDir) 539 if err != nil { 540 t.Errorf("RemoveAll failed: %s", err) 541 } 542 }() 543 544 for idx := 0; idx < 3; idx++ { 545 testIntermediateServer(idx, t) 546 } 547 // deferred cleanup 548 } 549 550 func TestSRVIntermediateServerWithTLS(t *testing.T) { 551 var err error 552 553 rootServer := TestGetRootServer(t) 554 if rootServer == nil { 555 return 556 } 557 rootServer.Config.TLS.Enabled = true 558 rootServer.Config.TLS.CertFile = "../../testdata/tls_server-cert.pem" 559 rootServer.Config.TLS.KeyFile = "../../testdata/tls_server-key.pem" 560 rootServer.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 561 rootServer.Config.TLS.ClientAuth.CertFiles = []string{"../../testdata/root.pem"} 562 563 //Invalid Authtype 564 rootServer.Config.TLS.ClientAuth.Type = "Token" 565 err = rootServer.Start() 566 t.Logf("rootServer.Start err %v", err) 567 if err == nil { 568 t.Fatal("Root server start should have failed: (invalid authtype)") 569 } 570 defer func() { 571 err = rootServer.Stop() 572 if err != nil { 573 t.Errorf("Root server stop failed: %s", err) 574 } 575 err = os.RemoveAll(rootDir) 576 if err != nil { 577 t.Errorf("RemoveAll failed: %s", err) 578 } 579 err = os.RemoveAll(intermediateDir) 580 if err != nil { 581 t.Errorf("RemoveAll failed: %s", err) 582 } 583 }() 584 585 //Valid authtype 586 rootServer.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 587 err = rootServer.Start() 588 t.Logf("rootServer.Start err %v", err) 589 if err != nil { 590 t.Fatal("Root server start failed") 591 } 592 parentURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 593 intermediateServer := TestGetServer(intermediatePort, intermediateDir, parentURL, -1, t) 594 if intermediateServer == nil { 595 return 596 } 597 intermediateServer.CA.Config.Intermediate.TLS.Client.CertFile = "../../testdata/tls_client-cert.pem" 598 intermediateServer.CA.Config.Intermediate.TLS.Client.KeyFile = "../../testdata/tls_client-key.pem" 599 intermediateServer.CA.Config.CSR.CN = "intermediateServer" 600 601 // Error case 1: CN specified for intermediate server 602 err = intermediateServer.Start() 603 if err == nil { 604 t.Errorf("CN specified for intermediate server, the server should have failed to start") 605 err = intermediateServer.Stop() 606 if err != nil { 607 t.Errorf("Failed to stop server: %s", err) 608 } 609 } 610 611 intermediateServer.CA.Config.CSR.CN = "" 612 intermediateServer.CA.Config.CSR.Hosts = []string{"testhost"} 613 614 // Error case 2: tls.certfiles not specified for intermediate server while connecting to parent CA server over TLS 615 err = intermediateServer.Start() 616 if err == nil { 617 t.Errorf("Certfiles not specified for the Intermediate server, the server should have failed to start") 618 err = intermediateServer.Stop() 619 if err != nil { 620 t.Errorf("Failed to stop server: %s", err) 621 } 622 } 623 624 // Success case 625 intermediateServer.CA.Config.Intermediate.TLS.CertFiles = []string{"../../testdata/root.pem"} 626 err = intermediateServer.Start() 627 if err != nil { 628 t.Errorf("Intermediate server start failed: %s", err) 629 err = intermediateServer.Stop() 630 if err != nil { 631 t.Errorf("Failed to stop server: %s", err) 632 } 633 } 634 time.Sleep(time.Second) 635 636 err = intermediateServer.Stop() 637 if err != nil { 638 t.Errorf("Intermediate server stop failed: %s", err) 639 } 640 641 // Make sure that the hostname was not inserted into the CA certificate 642 err = util.CheckHostsInCert(filepath.Join(intermediateDir, "ca-cert.pem"), "testhost") 643 if err == nil { 644 t.Error("A CA certificate should not have any hostnames") 645 } 646 647 // deferred cleanup 648 } 649 650 func TestSRVRunningTLSServer(t *testing.T) { 651 testDir := "tlsTestDir" 652 os.RemoveAll(testDir) 653 defer os.RemoveAll(testDir) 654 655 srv := TestGetServer(rootPort, testDir, "", -1, t) 656 657 srv.Config.TLS.Enabled = true 658 srv.Config.TLS.CertFile = "../../testdata/tls_server-cert.pem" 659 srv.Config.TLS.KeyFile = "../../testdata/tls_server-key.pem" 660 661 err := srv.Start() 662 if err != nil { 663 t.Fatalf("Server start failed: %s", err) 664 } 665 defer func() { 666 err = srv.Stop() 667 if err != nil { 668 t.Errorf("Failed to stop server: %s", err) 669 } 670 err = os.RemoveAll("../testdata/ca-cert.pem") 671 if err != nil { 672 t.Errorf("RemoveAll failed: %s", err) 673 } 674 err = os.RemoveAll("../testdata/fabric-ca-server.db") 675 if err != nil { 676 t.Errorf("RemoveAll failed: %s", err) 677 } 678 err = os.RemoveAll("../testdata/msp") 679 if err != nil { 680 t.Errorf("RemoveAll failed: %s", err) 681 } 682 }() 683 684 clientConfig := &ClientConfig{ 685 URL: fmt.Sprintf("https://localhost:%d", rootPort), 686 TLS: libtls.ClientTLSConfig{ 687 CertFiles: []string{"../testdata/root.pem"}, 688 Client: libtls.KeyCertFiles{ 689 KeyFile: "../testdata/tls_client-key.pem", 690 CertFile: "../testdata/tls_client-cert.pem", 691 }, 692 }, 693 } 694 695 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 696 697 _, err = clientConfig.Enroll(rawURL, testdataDir) 698 if err != nil { 699 t.Errorf("Failed to enroll over TLS: %s", err) 700 } 701 702 // make sure only TLS 1.2 is supported 703 rootPool := x509.NewCertPool() 704 rootBytes, _ := ioutil.ReadFile("../testdata/root.pem") 705 rootPool.AppendCertsFromPEM(rootBytes) 706 _, err = tls.Dial("tcp", fmt.Sprintf("localhost:%d", rootPort), &tls.Config{ 707 RootCAs: rootPool, 708 MinVersion: tls.VersionTLS12, 709 MaxVersion: tls.VersionTLS12, 710 }) 711 assert.NoError(t, err, "Should have connected using TLS 1.2") 712 for _, tlsVersion := range []uint16{tls.VersionSSL30, tls.VersionTLS10, tls.VersionTLS11} { 713 _, err = tls.Dial("tcp", fmt.Sprintf("localhost:%d", rootPort), &tls.Config{ 714 MinVersion: tlsVersion, 715 MaxVersion: tlsVersion, 716 }) 717 t.Logf("Attempting TLS version [%d]", tlsVersion) 718 assert.Error(t, err, "Should not have been able to connect with TLS version < 1.2") 719 assert.Contains(t, err.Error(), "protocol version not supported") 720 } 721 } 722 723 func TestSRVDefaultDatabase(t *testing.T) { 724 cleanTestSlateSRV(t) 725 defer func() { 726 err := os.RemoveAll("../testdata/ca-cert.pem") 727 if err != nil { 728 t.Errorf("RemoveAll failed: %s", err) 729 } 730 err = os.RemoveAll("../testdata/fabric-ca-server.db") 731 if err != nil { 732 t.Errorf("RemoveAll failed: %s", err) 733 } 734 err = os.RemoveAll("../testdata/msp") 735 if err != nil { 736 t.Errorf("RemoveAll failed: %s", err) 737 } 738 }() 739 740 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 741 742 err := srv.Start() 743 if err != nil { 744 t.Fatalf("Root server start failed: %s", err) 745 } 746 747 err = srv.Stop() 748 if err != nil { 749 t.Errorf("Failed to stop server: %s", err) 750 } 751 752 exist := util.FileExists("../testdata/fabric-ca-server.db") 753 if !exist { 754 t.Error("Failed to create default sqlite fabric-ca-server.db") 755 } 756 } 757 758 func TestSRVDefaultAddrPort(t *testing.T) { 759 cleanTestSlateSRV(t) 760 defer func() { 761 err := os.RemoveAll("../testdata/ca-cert.pem") 762 if err != nil { 763 t.Errorf("RemoveAll failed: %s", err) 764 } 765 err = os.RemoveAll("../testdata/fabric-ca-server.db") 766 if err != nil { 767 t.Errorf("RemoveAll failed: %s", err) 768 } 769 err = os.RemoveAll("../testdata/msp") 770 if err != nil { 771 t.Errorf("RemoveAll failed: %s", err) 772 } 773 }() 774 775 srv1 := getServer(rootPort, testdataDir, "", -1, t) 776 srv1.Config.Address = "" 777 srv1.Config.Port = 0 778 err := srv1.Start() 779 t.Logf("srv.Start err: %v", err) 780 if err != nil { 781 t.Fatalf("Failed to start server: %s", err) 782 } 783 defer func() { 784 err = srv1.Stop() 785 if err != nil { 786 t.Errorf("Failed to stop server: %s", err) 787 } 788 }() 789 790 // Start server with default port (already in use) 791 srv := getServer(rootPort, testdataDir, "", -1, t) 792 srv.Config.Address = "" 793 srv.Config.Port = 0 794 err = srv.Start() 795 t.Logf("srv.Start err: %v", err) 796 if err == nil { 797 t.Errorf("Root server start should have failed (port unavailable)") 798 err = srv.Stop() 799 if err != nil { 800 t.Errorf("Failed to stop server: %s", err) 801 } 802 } 803 804 // Again with TLS 805 srv = getServer(rootPort, testdataDir, "", -1, t) 806 srv.Config.TLS.Enabled = true 807 srv.Config.TLS.CertFile = "../testdata/tls_server-cert.pem" 808 srv.Config.TLS.KeyFile = "../testdata/tls_server-key.pem" 809 srv.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 810 srv.Config.TLS.ClientAuth.CertFiles = []string{"../testdata/root.pem"} 811 srv.Config.Address = "" 812 srv.Config.Port = 0 813 814 err = srv.Start() 815 t.Logf("srv.Start err: %v", err) 816 if err == nil { 817 t.Errorf("Root server start should have failed (port unavailable)") 818 err = srv.Stop() 819 if err != nil { 820 t.Errorf("Failed to stop server: %s", err) 821 } 822 } 823 } 824 825 func TestSRVBadAuthHeader(t *testing.T) { 826 // Start the server 827 server := TestGetRootServer(t) 828 if server == nil { 829 return 830 } 831 err := server.Start() 832 if err != nil { 833 t.Fatalf("Server start failed: %s", err) 834 } 835 defer func() { 836 err = server.Stop() 837 if err != nil { 838 t.Errorf("Failed to stop server: %s", err) 839 } 840 err = os.RemoveAll(rootDir) 841 if err != nil { 842 t.Errorf("RemoveAll failed: %s", err) 843 } 844 }() 845 846 invalidTokenAuthorization(t) 847 invalidBasicAuthorization(t) 848 perEndpointNegativeTests("info", "none", t) 849 perEndpointNegativeTests("enroll", "basic", t) 850 perEndpointNegativeTests("reenroll", "token", t) 851 perEndpointNegativeTests("register", "token", t) 852 perEndpointNegativeTests("tcert", "token", t) 853 } 854 855 func invalidTokenAuthorization(t *testing.T) { 856 client := getRootClient() 857 858 emptyByte := make([]byte, 0) 859 url := fmt.Sprintf("http://localhost:%d/enroll", rootPort) 860 req, err := http.NewRequest("POST", url, bytes.NewReader(emptyByte)) 861 if err != nil { 862 t.Errorf("Failed creating new request: %s", err) 863 } 864 865 addTokenAuthHeader(req, t) 866 867 err = client.SendReq(req, nil) 868 if err == nil { 869 t.Error("Incorrect auth type set, request should have failed with authorization error") 870 } 871 } 872 873 func addTokenAuthHeader(req *http.Request, t *testing.T) { 874 CSP := factory.GetDefault() 875 cert, err := ioutil.ReadFile("../testdata/ec.pem") 876 if err != nil { 877 t.Fatalf("Failed reading ec.pem: %s", err) 878 } 879 key, err := util.ImportBCCSPKeyFromPEM("../testdata/ec-key.pem", CSP, true) 880 if err != nil { 881 t.Fatalf("Failed importing key %s", err) 882 } 883 emptyByte := make([]byte, 0) 884 token, err := util.CreateToken(CSP, cert, key, req.Method, req.URL.RequestURI(), emptyByte) 885 if err != nil { 886 t.Fatalf("Failed to add token authorization header: %s", err) 887 } 888 req.Header.Set("authorization", token) 889 } 890 891 func perEndpointNegativeTests(endpoint string, authType string, t *testing.T) { 892 client := getRootClient() 893 emptyByte := make([]byte, 0) 894 turl := fmt.Sprintf("http://localhost:7055/%s?ca=bogus", endpoint) 895 req, err := http.NewRequest("POST", turl, bytes.NewReader(emptyByte)) 896 if err != nil { 897 t.Fatalf("Failed in NewRequest with %s", turl) 898 } 899 err = client.SendReq(req, nil) 900 if err == nil { 901 if authType != "" { 902 t.Fatalf("No authorization header; should have failed for %s", turl) 903 } else { 904 t.Fatalf("Bad CA should have failed for %s", turl) 905 } 906 } 907 switch authType { 908 case "none": 909 case "basic": 910 req.SetBasicAuth("admin", "adminpw") 911 case "token": 912 addTokenAuthHeader(req, t) 913 default: 914 t.Fatalf("Invalid auth type: %s", authType) 915 } 916 err = client.SendReq(req, nil) 917 if err == nil { 918 t.Errorf("Invalid CA should have failed for %s", turl) 919 } 920 } 921 922 func invalidBasicAuthorization(t *testing.T) { 923 client := getRootClient() 924 925 emptyByte := make([]byte, 0) 926 url := fmt.Sprintf("http://localhost:%d/register", rootPort) 927 req, err := http.NewRequest("POST", url, bytes.NewReader(emptyByte)) 928 if err != nil { 929 t.Error(err) 930 } 931 932 req.SetBasicAuth("admin", "adminpw") 933 934 err = client.SendReq(req, nil) 935 if err == nil { 936 t.Error("Incorrect auth type set for register request; it should have failed but passed") 937 } 938 } 939 940 func TestSRVTLSAuthClient(t *testing.T) { 941 cleanTestSlateSRV(t) 942 defer cleanTestSlateSRV(t) 943 944 testNoClientCert(t) 945 testInvalidRootCertWithNoClientAuth(t) 946 testInvalidRootCertWithClientAuth(t) 947 testClientAuth(t) 948 } 949 950 func TestSRVMultiCAConfigs(t *testing.T) { 951 t.Log("TestMultiCA...") 952 953 defer func() { 954 cleanMultiCADir(t) 955 err := os.RemoveAll("../testdata/ca-cert.pem") 956 if err != nil { 957 t.Errorf("RemoveAll failed: %s", err) 958 } 959 err = os.RemoveAll("../testdata/fabric-ca-server.db") 960 if err != nil { 961 t.Errorf("RemoveAll failed: %s", err) 962 } 963 err = os.RemoveAll("../testdata/msp") 964 if err != nil { 965 t.Errorf("RemoveAll failed: %s", err) 966 } 967 }() 968 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 969 srv.Config.CAfiles = []string{"ca/ca1/fabric-ca-server-config.yaml", "ca/ca1/fabric-ca-server-config.yaml", "ca/ca2/fabric-ca-server-config.yaml"} 970 971 srv.CA.Config.CSR.Hosts = []string{"hostname"} 972 t.Logf("Server configuration: %+v", srv.Config) 973 974 // Starting server with two cas with same name 975 err := srv.Start() 976 t.Logf("Start two CAs with the same name: %v", err) 977 if err == nil { 978 t.Error("Trying to create two CAs with the same name, server start should have failed") 979 } 980 981 // Starting server with a missing ca config file 982 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml", "ca/rootca/ca4/fabric-ca-server-config.yaml"} 983 err = srv.Start() 984 t.Logf("Start CA with missing config: %v", err) 985 if err == nil { 986 t.Error("Should have failed to start server, missing ca config file") 987 err = srv.Stop() 988 if err != nil { 989 t.Errorf("Failed to stop server: %s", err) 990 } 991 } 992 993 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml", "ca/rootca/ca3/fabric-ca-server-config.yaml"} 994 err = srv.Start() 995 t.Logf("Starting 3 CAs with a duplicated CN name: %s", err) 996 if err == nil { 997 t.Error("Should have failed to start server, CN name is the same across rootca2 and rootca3") 998 err = srv.Stop() 999 if err != nil { 1000 t.Errorf("Failed to stop server: %s", err) 1001 } 1002 } 1003 1004 // Starting server with (bad) existing certificate 1005 err = ioutil.WriteFile("../testdata/ca/rootca/ca1/ca-key.pem", make([]byte, 1), 0644) 1006 t.Logf("Create err: %v", err) 1007 if !util.FileExists("../testdata/ca/rootca/ca1/ca-key.pem") { 1008 t.Fatal("../testdata/ca1/ca-key.pem doesn't exist") 1009 } 1010 err = ioutil.WriteFile("../testdata/ca/rootca/ca1/ca-cert.pem", make([]byte, 1), 0644) 1011 t.Logf("Create err: %v", err) 1012 if !util.FileExists("../testdata/ca/rootca/ca1/ca-cert.pem") { 1013 t.Fatal("../testdata/ca1/ca-cert.pem doesn't exist") 1014 } 1015 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml"} 1016 err = srv.Start() 1017 t.Logf("srv.Start ERROR %v", err) 1018 if err == nil { 1019 t.Error("Should have failed to start server, invalid cert") 1020 err = srv.Stop() 1021 if err != nil { 1022 t.Errorf("Failed to stop server: %s", err) 1023 } 1024 } 1025 1026 // Starting server with unreadable certificate 1027 keyfile := filepath.Join(os.TempDir(), "ca-key.pem") 1028 err = CopyFile("../testdata/ca/rootca/ca1/ca-key.pem", keyfile) 1029 if err != nil { 1030 t.Errorf("Failed to copy file: %s", err) 1031 } 1032 if err = os.Chmod(keyfile, 0000); err != nil { 1033 t.Errorf("Failed to chmod key file: , %v", err) 1034 } 1035 certfile := filepath.Join(os.TempDir(), "ca-cert.pem") 1036 err = CopyFile("../testdata/ca/rootca/ca1/ca-cert.pem", certfile) 1037 if err != nil { 1038 t.Errorf("Failed to copy file: %s", err) 1039 } 1040 if err = os.Chmod(certfile, 0000); err != nil { 1041 t.Errorf("Failed to chmod cert file:, %v", err) 1042 } 1043 configfile := filepath.Join(os.TempDir(), "ca-server-config.yaml") 1044 err = CopyFile("../testdata/ca/rootca/ca1/fabric-ca-server-config.yaml", configfile) 1045 if err != nil { 1046 t.Errorf("Failed to copy file: %s", err) 1047 } 1048 srv.Config.CAfiles = []string{configfile} 1049 err = srv.Start() 1050 t.Logf("srv.Start ERROR %v", err) 1051 if err == nil { 1052 t.Error("Should have failed to start server, unreadable cert") 1053 err = srv.Stop() 1054 if err != nil { 1055 t.Errorf("Failed to stop server: %s", err) 1056 } 1057 } 1058 err = os.Remove(keyfile) 1059 if err != nil { 1060 t.Errorf("Remove failed: %s", err) 1061 } 1062 err = os.Remove(certfile) 1063 if err != nil { 1064 t.Errorf("Remove failed: %s", err) 1065 } 1066 err = os.Remove(configfile) 1067 if err != nil { 1068 t.Errorf("Remove failed: %s", err) 1069 } 1070 err = os.RemoveAll(filepath.Join(os.TempDir(), "msp")) 1071 if err != nil { 1072 t.Errorf("RemoveAll failed: %s", err) 1073 } 1074 1075 testBadCryptoData(t, srv, []string{"../testdata/expiredcert.pem", "../testdata/tls_client-key.pem", "expired cert"}) 1076 testBadCryptoData(t, srv, []string{"../testdata/noKeyUsage.cert.pem", "../testdata/noKeyUsage.key.pem", "invalid usage cert"}) 1077 testBadCryptoData(t, srv, []string{"../testdata/caFalse.cert.pem", "../testdata/caFalse.key.pem", "invalid Basic Constraints"}) 1078 testBadCryptoData(t, srv, []string{"../testdata/dsaCa-cert.pem", "../testdata/dsaCa-key.pem", "invalid key type"}) 1079 testBadCryptoData(t, srv, []string{"../testdata/dsaCa-cert.pem", "../testdata/dsaCa-key.pem", "invalid key type"}) 1080 testBadCryptoData(t, srv, []string{"../testdata/rsa512-cert.pem", "../testdata/rsa512-key.pem", "key too short"}) 1081 testBadCryptoData(t, srv, []string{"../testdata/ec256-1-cert.pem", "../testdata/ec256-2-key.pem", "non-matching ecdsa key"}) 1082 testBadCryptoData(t, srv, []string{"../testdata/rsa2048-1-cert.pem", "../testdata/rsa2048-2-key.pem", "non-matching rsa key"}) 1083 testBadCryptoData(t, srv, []string{"../testdata/ec256-1-cert.pem", "../testdata/rsa2048-1-cert.pem", "non-matching key type"}) 1084 1085 // Starting server with correct configuration 1086 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1087 t.Logf("Server configuration: %+v\n\n", srv.Config) 1088 1089 err = srv.Start() 1090 if err != nil { 1091 t.Fatal("Failed to start server:", err) 1092 } 1093 1094 if !util.FileExists("../testdata/ca/rootca/ca1/fabric-ca-server.db") { 1095 t.Error("Failed to correctly add ca1") 1096 } 1097 1098 if !util.FileExists("../testdata/ca/rootca/ca2/fabric-ca2-server.db") { 1099 t.Error("Failed to correctly add ca2") 1100 } 1101 1102 // Non-existent CA specified by client 1103 clientCA := getRootClient() 1104 _, err = clientCA.Enroll(&api.EnrollmentRequest{ 1105 Name: "admin", 1106 Secret: "adminpw", 1107 CAName: "rootca3", 1108 }) 1109 if err == nil { 1110 t.Error("Should have failed, client using ca name of 'ca3' but no CA exist by that name on server") 1111 } 1112 1113 //Send enroll request to specific CA 1114 clientCA1 := getRootClient() 1115 _, err = clientCA1.Enroll(&api.EnrollmentRequest{ 1116 Name: "adminca1", 1117 Secret: "adminca1pw", 1118 CAName: "rootca1", 1119 }) 1120 if err != nil { 1121 t.Error("Failed to enroll, error: ", err) 1122 } 1123 1124 clientCA2 := getRootClient() 1125 resp, err := clientCA2.Enroll(&api.EnrollmentRequest{ 1126 Name: "admin", 1127 Secret: "adminpw", 1128 CAName: "rootca2", 1129 }) 1130 if err != nil { 1131 t.Error("Failed to enroll, error: ", err) 1132 } 1133 1134 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{ 1135 CAName: "rootca2", 1136 }) 1137 if err != nil { 1138 t.Error("Failed to reenroll, error: ", err) 1139 } 1140 1141 // User enrolled with rootca2, should not be able to reenroll with rootca1 1142 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{ 1143 CAName: "rootca1", 1144 }) 1145 if err == nil { 1146 t.Error("Should have failed to reenroll a user with a different CA") 1147 } 1148 1149 // No ca name specified should sent to default CA 'ca' 1150 clientCA3 := getRootClient() 1151 _, err = clientCA3.Enroll(&api.EnrollmentRequest{ 1152 Name: "admin", 1153 Secret: "adminpw", 1154 }) 1155 if err != nil { 1156 t.Error("Failed to enroll, error: ", err) 1157 } 1158 1159 err = srv.Stop() 1160 if err != nil { 1161 t.Error("Failed to stop server:", err) 1162 } 1163 1164 // Starting server with correct configuration and pre-existing cert/key 1165 err = os.Remove("../testdata/ca/rootca/ca1/ca-cert.pem") 1166 if err != nil { 1167 t.Errorf("Remove failed: %s", err) 1168 } 1169 srv = getServer(rootPort, testdataDir, "", 0, t) 1170 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1171 t.Logf("Server configuration: %+v\n\n", srv.Config) 1172 1173 err = CopyFile("../testdata/ec256-1-cert.pem", "../testdata/ca/rootca/ca1/ca-cert.pem") 1174 if err != nil { 1175 t.Fatalf("Failed to copy ec256-1 cert to ../testdata/ca1/ca-cert.pem failed %v", err) 1176 } 1177 err = CopyFile("../testdata/ec256-1-key.pem", "../testdata/ca/rootca/ca1/ca-key.pem") 1178 if err != nil { 1179 t.Fatalf("Failed to copy key to ../testdata/ca/rootca/ca1/ca-key.pem failed %v", err) 1180 } 1181 1182 err = srv.Start() 1183 if err != nil { 1184 t.Fatal("Failed to start server:", err) 1185 } 1186 1187 err = srv.Stop() 1188 if err != nil { 1189 t.Error("Failed to stop server:", err) 1190 } 1191 1192 } 1193 1194 func TestSRVDefaultCAWithSetCAName(t *testing.T) { 1195 defer func() { 1196 err := os.RemoveAll("../testdata/ca-cert.pem") 1197 if err != nil { 1198 t.Errorf("RemoveAll failed: %s", err) 1199 } 1200 err = os.RemoveAll("../testdata/fabric-ca-server.db") 1201 if err != nil { 1202 t.Errorf("RemoveAll failed: %s", err) 1203 } 1204 err = os.RemoveAll("../testdata/msp") 1205 if err != nil { 1206 t.Errorf("RemoveAll failed: %s", err) 1207 } 1208 }() 1209 1210 srv := getServer(rootPort, testdataDir, "", -1, t) 1211 srv.CA.Config.CA.Name = "DefaultCA" 1212 1213 err := srv.Start() 1214 if err != nil { 1215 t.Fatal("Failed to start server:", err) 1216 } 1217 1218 // No ca name specified should sent to default CA 'ca' 1219 client := getRootClient() 1220 _, err = client.Enroll(&api.EnrollmentRequest{ 1221 Name: "admin", 1222 Secret: "adminpw", 1223 }) 1224 if err != nil { 1225 t.Error("Failed to enroll, error: ", err) 1226 } 1227 1228 err = srv.Stop() 1229 if err != nil { 1230 t.Error("Failed to stop server:", err) 1231 } 1232 } 1233 1234 func TestSRVMultiCAWithIntermediate(t *testing.T) { 1235 defer func() { 1236 cleanMultiCADir(t) 1237 err := os.RemoveAll("../testdata/ca-cert.pem") 1238 if err != nil { 1239 t.Errorf("RemoveAll failed: %s", err) 1240 } 1241 err = os.RemoveAll("../testdata/fabric-ca-server.db") 1242 if err != nil { 1243 t.Errorf("RemoveAll failed: %s", err) 1244 } 1245 err = os.RemoveAll("../testdata/msp") 1246 if err != nil { 1247 t.Errorf("RemoveAll failed: %s", err) 1248 } 1249 err = os.RemoveAll("../testdata/IssuerPublicKey") 1250 if err != nil { 1251 t.Errorf("RemoveAll failed: %s", err) 1252 } 1253 err = os.RemoveAll("../testdata/IssuerSecretKey") 1254 if err != nil { 1255 t.Errorf("RemoveAll failed: %s", err) 1256 } 1257 err = os.RemoveAll("../testdata/IssuerRevocationPublicKey") 1258 if err != nil { 1259 t.Errorf("RemoveAll failed: %s", err) 1260 } 1261 }() 1262 1263 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1264 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1265 srv.CA.Config.CSR.Hosts = []string{"hostname"} 1266 t.Logf("Server configuration: %+v\n", srv.Config) 1267 1268 // Starting server with two cas with same name 1269 err := srv.Start() 1270 if err != nil { 1271 t.Fatalf("Failed to start server: %s", err) 1272 } 1273 1274 intermediatesrv := TestGetServer(intermediatePort, testdataDir, "", -1, t) 1275 intermediatesrv.Config.CAcount = 2 1276 intermediatesrv.Config.CAcfg.Intermediate.ParentServer.URL = fmt.Sprintf("http://adminca1:adminca1pw@localhost:%d", rootPort) 1277 intermediatesrv.CA.Config.CSR.Hosts = []string{"hostname"} 1278 1279 err = intermediatesrv.Start() 1280 assert.Error(t, err, "Error is expected if cacount is greater than 0 for intermediate CA") 1281 1282 intermediatesrv.Config.CAfiles = []string{"ca/intermediateca/ca1/fabric-ca-server-config.yaml", "ca/intermediateca/ca2/fabric-ca-server-config.yaml"} 1283 err = intermediatesrv.Start() 1284 assert.Error(t, err, "Error is expected if both cacount and cafiles are specified") 1285 1286 intermediatesrv.Config.CAcount = 0 1287 intermediatesrv.Config.CAcfg.Intermediate.ParentServer.URL = "" 1288 1289 // Start it 1290 err = intermediatesrv.Start() 1291 if err != nil { 1292 t.Errorf("Failed to start intermediate server: %s", err) 1293 } 1294 // Stop it 1295 err = intermediatesrv.Stop() 1296 if err != nil { 1297 t.Error("Failed to stop intermediate server: ", err) 1298 } 1299 1300 if !util.FileExists("../testdata/ca/intermediateca/ca1/ca-chain.pem") { 1301 t.Error("Failed to enroll intermediate ca") 1302 } 1303 1304 err = srv.Stop() 1305 if err != nil { 1306 t.Error("Failed to stop server: ", err) 1307 } 1308 1309 // Make sure there is no host name in the intermediate CA cert 1310 err = util.CheckHostsInCert(filepath.Join("../testdata/ca/intermediateca/ca1", "ca-cert.pem"), "testhost1") 1311 if err == nil { 1312 t.Error("Intermediate CA should not contain a hostname, but does") 1313 } 1314 } 1315 1316 func TestSRVDefaultMultiCA(t *testing.T) { 1317 t.Log("TestDefaultMultiCA...") 1318 defer func() { 1319 err := os.RemoveAll("../testdata/msp") 1320 if err != nil { 1321 t.Errorf("RemoveAll failed: %s", err) 1322 } 1323 err = os.RemoveAll("multica") 1324 if err != nil { 1325 t.Errorf("RemoveAll failed: %s", err) 1326 } 1327 }() 1328 srv := TestGetServer(rootPort, "multica", "", -1, t) 1329 srv.Config.CAcount = 4 // Starting 4 default CA instances 1330 srv.Config.CAfiles = []string{"fabric-ca1-config.yaml"} 1331 1332 err := srv.Start() 1333 if err == nil { 1334 t.Error("Both cacount and cafiles set, should have failed to start server") 1335 err = srv.Stop() 1336 if err != nil { 1337 t.Errorf("Failed to stop server: %s", err) 1338 } 1339 } 1340 1341 srv.Config.CAfiles = []string{} 1342 1343 err = srv.Start() 1344 if err != nil { 1345 t.Error("Failed to start server: ", err) 1346 } 1347 1348 //Send enroll request to specific CA 1349 clientCA1 := getRootClient() 1350 _, err = clientCA1.Enroll(&api.EnrollmentRequest{ 1351 Name: "admin", 1352 Secret: "adminpw", 1353 CAName: "ca4", 1354 }) 1355 if err != nil { 1356 t.Error("Failed to enroll, error: ", err) 1357 } 1358 1359 if srv.DBAccessor() == nil { 1360 t.Error("No registry found") 1361 } 1362 1363 err = srv.Stop() 1364 if err != nil { 1365 t.Error("Failed to stop server: ", err) 1366 } 1367 } 1368 1369 // Test the combination of multiple CAs in both root and intermediate servers. 1370 func TestSRVMultiCAIntermediates(t *testing.T) { 1371 myTestDir := "multicaIntermediates" 1372 err := os.RemoveAll(myTestDir) 1373 if err != nil { 1374 t.Errorf("RemoveAll failed: %s", err) 1375 } 1376 defer func(t *testing.T) { 1377 err = os.RemoveAll(myTestDir) 1378 if err != nil { 1379 t.Errorf("RemoveAll failed: %s", err) 1380 } 1381 }(t) 1382 // Start the root server with 2 non-default CAs 1383 rootServer := TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) 1384 rootServer.Config.CAcount = 2 1385 err = rootServer.Start() 1386 if err != nil { 1387 t.Fatalf("Failed to start root CA: %s", err) 1388 } 1389 home := path.Join(myTestDir, "intermediate") 1390 parentURL := fmt.Sprintf("http://admin:adminpw@localhost:%d", rootPort) 1391 intServer := TestGetServer(0, home, parentURL, -1, t) 1392 intServer.Config.CAfiles = []string{"ca1/ca1.yaml", "ca2/ca2.yaml"} 1393 ca1home := filepath.Join(home, "ca1") 1394 ca2home := filepath.Join(home, "ca2") 1395 1396 // Negative Case - same CA name from two intermediate CAs sent to the same root CA 1397 // Check that CA file paths are getting printed 1398 // Create ca1.yaml and ca2.yaml for the intermediate server CAs 1399 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1400 writeCAFile("ca1", "ca2", "ca2", ca2home, rootPort, t) 1401 err = intServer.Init(false) 1402 if assert.Error(t, err) { 1403 assert.Contains(t, err.Error(), ca1home) 1404 assert.Contains(t, err.Error(), ca2home) 1405 } 1406 err = rootServer.Stop() 1407 if err != nil { 1408 t.Error("Failed to stop server: ", err) 1409 } 1410 1411 err = os.RemoveAll(myTestDir) 1412 if err != nil { 1413 t.Fatalf("RemoveAll failed: %s", err) 1414 } 1415 1416 // Negative Case - same subject distinguished name from two intermediate CAs sent to the same root CA 1417 // Create ca1.yaml and ca2.yaml for the intermediate server CAs 1418 rootServer = TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) // reset server from last run above 1419 rootServer.Config.CAcount = 2 1420 err = rootServer.Start() 1421 if err != nil { 1422 t.Fatalf("Failed to start root CA: %s", err) 1423 } 1424 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1425 writeCAFile("ca2", "ca1", "ca2", ca2home, rootPort, t) 1426 err = intServer.Init(false) 1427 if assert.Error(t, err) { 1428 assert.Contains(t, err.Error(), "Both issuer and subject distinguished name are already in use") 1429 } 1430 err = rootServer.Stop() 1431 if err != nil { 1432 t.Error("Failed to stop server: ", err) 1433 } 1434 err = os.RemoveAll(myTestDir) 1435 if err != nil { 1436 t.Errorf("RemoveAll failed: %s", err) 1437 } 1438 1439 // Positive Case - same subject distinguished names from two intermediate CAs sent to two different root CAs 1440 rootServer = TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) // reset server from last run above 1441 rootServer.Config.CAcount = 2 1442 err = rootServer.Start() 1443 if err != nil { 1444 t.Fatalf("Failed to start root CA: %s", err) 1445 } 1446 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1447 writeCAFile("ca2", "ca2", "ca2", ca2home, rootPort, t) 1448 // Init the intermediate server 1449 err = intServer.Init(false) 1450 if err != nil { 1451 t.Fatalf("Failed to initialize intermediate server: %s", err) 1452 } 1453 err = rootServer.Stop() 1454 if err != nil { 1455 t.Error("Failed to stop server: ", err) 1456 } 1457 } 1458 1459 func TestSRVMaxEnrollmentInfinite(t *testing.T) { 1460 t.Log("Test max enrollment infinite") 1461 err := os.RemoveAll(rootDir) 1462 if err != nil { 1463 t.Errorf("RemoveAll failed: %s", err) 1464 } 1465 // Starting server/ca with infinite enrollments 1466 srv := TestGetServer(rootPort, rootDir, "", -1, t) 1467 err = srv.Start() 1468 if err != nil { 1469 t.Fatalf("Server start failed: %s", err) 1470 } 1471 defer func() { 1472 err = srv.Stop() 1473 if err != nil { 1474 t.Errorf("Failed to stop server: %s", err) 1475 } 1476 err = os.RemoveAll("../testdata/msp") 1477 if err != nil { 1478 t.Errorf("RemoveAll failed: %s", err) 1479 } 1480 err = os.RemoveAll(rootDir) 1481 if err != nil { 1482 t.Errorf("RemoveAll failed: %s", err) 1483 } 1484 }() 1485 client := getRootClient() 1486 id, err := client.Enroll(&api.EnrollmentRequest{ 1487 Name: "admin", 1488 Secret: "adminpw", 1489 }) 1490 if err != nil { 1491 t.Error("Enrollment failed, error: ", err) 1492 } 1493 id.Identity.Store() 1494 // Names of users are of the form: 1495 // me_<client's max enrollment setting>_<server's max enrollment setting> 1496 // where "me" stands for "max enrollments" 1497 1498 // Registering user with missing max enrollment value 1499 _, err = id.Identity.Register(&api.RegistrationRequest{ 1500 Name: "me_missing_-1", 1501 Type: "client", 1502 Affiliation: "org2", 1503 }) 1504 if err != nil { 1505 t.Errorf("Failed to register me_missing_-1, error: %s", err) 1506 } 1507 1508 // Registering user with infinite max enrollments (-1) 1509 _, err = id.Identity.Register(&api.RegistrationRequest{ 1510 Name: "me_-1_-1", 1511 Type: "client", 1512 Affiliation: "org2", 1513 MaxEnrollments: -1, 1514 }) 1515 if err != nil { 1516 t.Errorf("Failed to register me_-1_-1, error: %s", err) 1517 } 1518 1519 // Registering user with zero max enrollments, will take value of CA's max enrollment 1520 _, err = id.Identity.Register(&api.RegistrationRequest{ 1521 Name: "me_0_-1", 1522 Type: "client", 1523 Affiliation: "org2", 1524 MaxEnrollments: 0, 1525 }) 1526 if err != nil { 1527 t.Errorf("Failed to register me_0_-1, error: %s", err) 1528 } 1529 1530 // Registering user with 1000 max enrollments 1531 _, err = id.Identity.Register(&api.RegistrationRequest{ 1532 Name: "me_1000_-1", 1533 Type: "client", 1534 Affiliation: "org2", 1535 MaxEnrollments: 1000, 1536 }) 1537 if err != nil { 1538 t.Errorf("Failed to register me_1000_-1, error: %s", err) 1539 } 1540 } 1541 1542 func TestSRVMaxEnrollmentDisabled(t *testing.T) { 1543 t.Log("Test max enrollment disabled") 1544 err := os.RemoveAll(rootDir) 1545 if err != nil { 1546 t.Errorf("RemoveAll failed: %s", err) 1547 } 1548 // Starting server/ca with infinite enrollments 1549 srv := TestGetServer(rootPort, rootDir, "", -1, t) 1550 err = srv.Start() 1551 if err != nil { 1552 t.Fatalf("Server start failed: %s", err) 1553 } 1554 // Clean up when done 1555 defer func() { 1556 err = srv.Stop() 1557 if err != nil { 1558 t.Errorf("Failed to stop server: %s", err) 1559 } 1560 err = os.RemoveAll("../testdata/msp") 1561 if err != nil { 1562 t.Errorf("RemoveAll failed: %s", err) 1563 } 1564 err = os.RemoveAll(rootDir) 1565 if err != nil { 1566 t.Errorf("RemoveAll failed: %s", err) 1567 } 1568 }() 1569 client := getRootClient() 1570 id, err := client.Enroll(&api.EnrollmentRequest{ 1571 Name: "admin", 1572 Secret: "adminpw", 1573 }) 1574 if err != nil { 1575 t.Errorf("Enrollment failed: %s", err) 1576 } 1577 // Disable enrollment 1578 srv.CA.Config.Registry.MaxEnrollments = 0 1579 // Make sure both registration and enrollment fail 1580 _, err = id.Identity.Register(&api.RegistrationRequest{ 1581 Name: "me_0_0", 1582 Type: "client", 1583 Affiliation: "org2", 1584 }) 1585 if err == nil { 1586 t.Error("Registration should have failed but didn't") 1587 } 1588 _, err = client.Enroll(&api.EnrollmentRequest{ 1589 Name: "admin", 1590 Secret: "adminpw", 1591 }) 1592 if err == nil { 1593 t.Error("Enrollment should have failed but didn't") 1594 } 1595 // deferred cleanup 1596 } 1597 1598 func TestSRVMaxEnrollmentLimited(t *testing.T) { 1599 err := os.RemoveAll(rootDir) 1600 if err != nil { 1601 t.Errorf("RemoveAll failed: %s", err) 1602 } 1603 t.Log("Test max enrollment limited") 1604 1605 // Starting server/ca with max enrollments of 1 1606 srv := TestGetServer(rootPort, rootDir, "", 1, t) 1607 err = srv.Start() 1608 if err != nil { 1609 t.Fatalf("Server start failed: %s", err) 1610 } 1611 // Clean up when done 1612 defer func() { 1613 err = srv.Stop() 1614 if err != nil { 1615 t.Errorf("Failed to stop server: %s", err) 1616 } 1617 err = os.RemoveAll("../testdata/msp") 1618 if err != nil { 1619 t.Errorf("RemoveAll failed: %s", err) 1620 } 1621 err = os.RemoveAll(rootDir) 1622 if err != nil { 1623 t.Errorf("RemoveAll failed: %s", err) 1624 } 1625 }() 1626 client := getRootClient() 1627 id, err := client.Enroll(&api.EnrollmentRequest{ 1628 Name: "admin", 1629 Secret: "adminpw", 1630 }) 1631 if err != nil { 1632 t.Fatalf("Enrollment failed, error: %s", err) 1633 } 1634 id.Identity.Store() 1635 _, err = client.Enroll(&api.EnrollmentRequest{ 1636 Name: "admin", 1637 Secret: "adminpw", 1638 }) 1639 if err == nil { 1640 t.Error("Enrollments should have been limited to 1 but allowed 2") 1641 } 1642 // Registering user with missing max enrollment value 1643 // Names of users are of the form: 1644 // me_<client's max enrollment setting>_<server's max enrollment setting> 1645 // where "me" stands for "max enrollments" 1646 _, err = id.Identity.Register(&api.RegistrationRequest{ 1647 Name: "me_-1_1", 1648 Type: "client", 1649 Affiliation: "org2", 1650 MaxEnrollments: -1, 1651 }) 1652 if err == nil { 1653 t.Error("Should have failed to register infinite but didn't") 1654 } 1655 _, err = id.Identity.Register(&api.RegistrationRequest{ 1656 Name: "me_0_1", 1657 Type: "client", 1658 Affiliation: "org2", 1659 MaxEnrollments: 0, 1660 }) 1661 if err != nil { 1662 t.Errorf("Failed to register me_0_1, error: %s", err) 1663 } 1664 user, err := srv.CA.DBAccessor().GetUser("me_0_1", nil) 1665 if err != nil { 1666 t.Errorf("Failed to find user 'me_0_1,' in database") 1667 } 1668 if user.GetMaxEnrollments() != 1 { 1669 t.Error("Failed to correctly set max enrollment value for a user registering with max enrollment of 0") 1670 } 1671 _, err = id.Identity.Register(&api.RegistrationRequest{ 1672 Name: "me_1_1", 1673 Type: "client", 1674 Affiliation: "org2", 1675 MaxEnrollments: 1, 1676 }) 1677 if err != nil { 1678 t.Errorf("Failed to register me_1_1, error: %s", err) 1679 } 1680 _, err = id.Identity.Register(&api.RegistrationRequest{ 1681 Name: "me_2_1", 1682 Type: "client", 1683 Affiliation: "org2", 1684 MaxEnrollments: 2, 1685 }) 1686 if err == nil { 1687 t.Error("Should have failed to register me_2_1 but didn't") 1688 } 1689 // deferred cleanup 1690 } 1691 1692 // Get certificate using the TLS profile on the server to retrieve a certificate to be used for TLS connection 1693 func TestTLSCertIssuance(t *testing.T) { 1694 testDir := "tlsTestDir" 1695 err := os.RemoveAll(testDir) 1696 if err != nil { 1697 t.Errorf("RemoveAll failed: %s", err) 1698 } 1699 defer func() { 1700 err = os.RemoveAll(testDir) 1701 if err != nil { 1702 t.Errorf("RemoveAll failed: %s", err) 1703 } 1704 }() 1705 srv := TestGetServer(rootPort, testDir, "", -1, t) 1706 err = srv.Start() 1707 if err != nil { 1708 t.Fatalf("Root server start failed: %s", err) 1709 } 1710 stopserver := true 1711 defer func() { 1712 if stopserver { 1713 err = srv.Stop() 1714 if err != nil { 1715 t.Errorf("Failed to stop server: %s", err) 1716 } 1717 } 1718 }() 1719 client := &Client{ 1720 Config: &ClientConfig{URL: fmt.Sprintf("http://localhost:%d", rootPort)}, 1721 HomeDir: testDir, 1722 } 1723 eresp, err := client.Enroll(&api.EnrollmentRequest{ 1724 Name: "admin", 1725 Secret: "adminpw", 1726 Profile: "tls", 1727 CSR: &api.CSRInfo{Hosts: []string{"localhost"}}, 1728 }) 1729 if err != nil { 1730 t.Fatalf("Failed to enroll: %s", err) 1731 } 1732 tlsCertBytes := eresp.Identity.GetECert().Cert() 1733 cert, err := util.GetX509CertificateFromPEM(tlsCertBytes) 1734 if err != nil { 1735 t.Fatalf("Failed to get certificate: %s", err) 1736 } 1737 // Check if the certificate has correct key usages 1738 if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 || cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 || cert.KeyUsage&x509.KeyUsageKeyAgreement == 0 { 1739 t.Fatal("Certificate does not have correct extended key usage. Should have Digital Signature, Key Encipherment, and Key Agreement") 1740 } 1741 // Check if the certificate has correct extended key usages 1742 clientAuth := false 1743 serverAuth := false 1744 for _, usage := range cert.ExtKeyUsage { 1745 if usage == x509.ExtKeyUsageClientAuth { 1746 clientAuth = true 1747 } 1748 if usage == x509.ExtKeyUsageServerAuth { 1749 serverAuth = true 1750 } 1751 } 1752 if !clientAuth || !serverAuth { 1753 t.Fatal("Certificate does not have correct extended key usage. Should have ExtKeyUsageServerAuth and ExtKeyUsageClientAuth") 1754 } 1755 1756 stopserver = false 1757 err = srv.Stop() 1758 if err != nil { 1759 t.Fatalf("Failed to stop server: %s", err) 1760 } 1761 1762 // Write the TLS certificate to disk 1763 os.MkdirAll(testDir, 0755) 1764 tlsCertFile := path.Join(testDir, "tls-cert.pem") 1765 err = util.WriteFile(tlsCertFile, tlsCertBytes, 0644) 1766 if err != nil { 1767 t.Fatalf("Failed to write TLS certificate file: %s", err) 1768 } 1769 // Get a new server with TLS enabled 1770 srv = TestGetServer2(false, rootPort, testDir, "", -1, t) 1771 srv.Config.TLS.Enabled = true 1772 srv.Config.TLS.CertFile = "tls-cert.pem" 1773 // Start the server 1774 err = srv.Start() 1775 if err != nil { 1776 t.Fatalf("TLS server start failed: %s", err) 1777 } 1778 stopserver = true 1779 // Connect to the server over TLS 1780 cfg := &ClientConfig{URL: fmt.Sprintf("https://localhost:%d", rootPort)} 1781 cfg.TLS.Enabled = true 1782 cfg.TLS.CertFiles = []string{"ca-cert.pem"} 1783 client = &Client{Config: cfg, HomeDir: testDir} 1784 eresp, err = client.Enroll(&api.EnrollmentRequest{ 1785 Name: "admin", 1786 Secret: "adminpw", 1787 }) 1788 if err != nil { 1789 t.Fatalf("Failed to enroll over TLS: %s", err) 1790 } 1791 } 1792 1793 // Configure server to start server with no client authentication required 1794 func testNoClientCert(t *testing.T) { 1795 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1796 srv = getTLSConfig(srv, "NoClientCert", []string{}) 1797 1798 err := srv.Start() 1799 if err != nil { 1800 t.Fatalf("Root server start failed: %s", err) 1801 } 1802 1803 clientConfig := &ClientConfig{ 1804 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1805 TLS: libtls.ClientTLSConfig{ 1806 CertFiles: []string{"../testdata/root.pem"}, 1807 }, 1808 } 1809 1810 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 1811 1812 _, err = clientConfig.Enroll(rawURL, testdataDir) 1813 if err != nil { 1814 t.Errorf("Failed to enroll over TLS with no client authentication required: %s", err) 1815 } 1816 1817 err = srv.Stop() 1818 if err != nil { 1819 t.Errorf("Failed to stop server: %s", err) 1820 } 1821 } 1822 1823 // Configure server to start with no client authentication required 1824 // Root2.pem does not exists, server should still start because no client auth is requred 1825 func testInvalidRootCertWithNoClientAuth(t *testing.T) { 1826 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1827 srv = getTLSConfig(srv, "NoClientCert", []string{"../testdata/root.pem", "../testdata/root2.pem"}) 1828 1829 err := srv.Start() 1830 if err != nil { 1831 t.Fatalf("Root server start failed: %s", err) 1832 } 1833 1834 err = srv.Stop() 1835 if err != nil { 1836 t.Errorf("Failed to stop server: %s", err) 1837 } 1838 } 1839 1840 // Configure server to start with client authentication required 1841 // Root2.pem does not exists, server should fail to start 1842 func testInvalidRootCertWithClientAuth(t *testing.T) { 1843 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1844 srv = getTLSConfig(srv, "RequireAndVerifyClientCert", []string{"../testdata/root.pem", "../testdata/root2.pem"}) 1845 1846 err := srv.Start() 1847 if err == nil { 1848 t.Error("Root2.pem does not exists, server should have failed to start") 1849 err = srv.Stop() 1850 if err != nil { 1851 t.Errorf("Failed to stop server: %s", err) 1852 } 1853 } 1854 } 1855 1856 // Configure server to start with client authentication required 1857 func testClientAuth(t *testing.T) { 1858 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1859 srv = getTLSConfig(srv, "RequireAndVerifyClientCert", []string{"../testdata/root.pem"}) 1860 1861 err := srv.Start() 1862 if err != nil { 1863 t.Fatalf("Root server start failed: %s", err) 1864 } 1865 1866 clientConfig := &ClientConfig{ 1867 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1868 TLS: libtls.ClientTLSConfig{ 1869 CertFiles: []string{"../testdata/root.pem"}, 1870 }, 1871 } 1872 1873 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 1874 1875 // Enrolling without any client certificate and key information set 1876 _, err = clientConfig.Enroll(rawURL, testdataDir) 1877 if err == nil { 1878 t.Errorf("Client Auth Type: RequireAndVerifyClientCert, should have failed as no client cert was provided") 1879 } 1880 1881 // Client created with certificate and key for TLS 1882 clientConfig = &ClientConfig{ 1883 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1884 TLS: libtls.ClientTLSConfig{ 1885 CertFiles: []string{"../testdata/root.pem"}, 1886 Client: libtls.KeyCertFiles{ 1887 KeyFile: "../testdata/tls_client-key.pem", 1888 CertFile: "../testdata/tls_client-cert.pem", 1889 }, 1890 }, 1891 } 1892 1893 _, err = clientConfig.Enroll(rawURL, testdataDir) 1894 if err != nil { 1895 t.Errorf("Client Auth Type: RequireAndVerifyClientCert, failed to enroll over TLS with client certificate provided") 1896 } 1897 1898 err = srv.Stop() 1899 if err != nil { 1900 t.Errorf("Failed to stop server: %s", err) 1901 } 1902 } 1903 1904 func testIntermediateServer(idx int, t *testing.T) { 1905 // Init the intermediate server 1906 intermediateServer := TestGetIntermediateServer(idx, t) 1907 if intermediateServer == nil { 1908 return 1909 } 1910 err := intermediateServer.Init(true) 1911 if err != nil { 1912 t.Fatalf("Intermediate server init failed: %s", err) 1913 } 1914 // Verify that the duration of the newly created intermediate certificate is 5 years 1915 d, err := util.GetCertificateDurationFromFile(path.Join(intermediateServer.HomeDir, "ca-cert.pem")) 1916 assert.NoError(t, err) 1917 assert.True(t, int(d.Hours()) == 43800, fmt.Sprintf("Expecting 43800 but found %f", d.Hours())) 1918 // Start it 1919 err = intermediateServer.Start() 1920 if err != nil { 1921 t.Fatalf("Intermediate server start failed: %s", err) 1922 } 1923 defer func() { 1924 err = intermediateServer.Stop() 1925 if err != nil { 1926 t.Errorf("Failed to stop server: %s", err) 1927 } 1928 1929 err = os.RemoveAll(intermediateDir) 1930 if err != nil { 1931 t.Errorf("RemoveAll failed: %s", err) 1932 } 1933 }() 1934 // Test enroll against intermediate (covering basic auth) 1935 c := getTestClient(intermediateServer.Config.Port) 1936 resp, err := c.Enroll(&api.EnrollmentRequest{Name: "admin", Secret: "adminpw"}) 1937 if err != nil { 1938 t.Fatalf("Failed to enroll with intermediate server: %s", err) 1939 } 1940 1941 // Test reenroll against intermediate (covering token auth) 1942 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{}) 1943 if err != nil { 1944 t.Fatalf("Failed to reenroll with intermediate server: %s", err) 1945 } 1946 1947 // deferred cleanup 1948 } 1949 1950 func TestUnmarshalConfig(t *testing.T) { 1951 cfg := &ServerConfig{} 1952 cfgFile := "../testdata/testviperunmarshal.yaml" 1953 err := UnmarshalConfig(cfg, viper.GetViper(), cfgFile, true) 1954 if err != nil { 1955 t.Errorf("UnmarshalConfig failed: %s", err) 1956 } 1957 err = UnmarshalConfig(cfg, viper.GetViper(), "foo.yaml", true) 1958 if err == nil { 1959 t.Error("UnmarshalConfig invalid file passed but should have failed") 1960 } 1961 } 1962 1963 // TestSqliteLocking tests to ensure that "database is locked" 1964 // error does not occur when multiple requests are sent at the 1965 // same time. 1966 // This test assumes that sqlite is the database used in the tests 1967 func TestSRVSqliteLocking(t *testing.T) { 1968 // Start the server 1969 server := TestGetServer(rootPort, rootDir, "", -1, t) 1970 if server == nil { 1971 return 1972 } 1973 err := server.Start() 1974 if err != nil { 1975 t.Fatalf("Server start failed: %s", err) 1976 } 1977 // Clean up when done 1978 defer func() { 1979 err = server.Stop() 1980 if err != nil { 1981 t.Errorf("Failed to stop server: %s", err) 1982 } 1983 err = os.RemoveAll("../testdata/msp") 1984 if err != nil { 1985 t.Errorf("RemoveAll failed: %s", err) 1986 } 1987 err = os.RemoveAll(rootDir) 1988 if err != nil { 1989 t.Errorf("RemoveAll failed: %s", err) 1990 } 1991 }() 1992 1993 // Enroll bootstrap user 1994 client := getRootClient() 1995 eresp, err := client.Enroll(&api.EnrollmentRequest{ 1996 Name: "admin", 1997 Secret: "adminpw", 1998 }) 1999 if err != nil { 2000 t.Fatalf("Failed to enroll bootstrap user: %s", err) 2001 } 2002 admin := eresp.Identity 2003 errs := make(chan error) 2004 users := 30 2005 // Register users 2006 for i := 0; i < users; i++ { 2007 n := "user" + strconv.Itoa(i) 2008 go func(admin *Identity, name string) { 2009 _, err := admin.Register(&api.RegistrationRequest{ 2010 Name: name, 2011 Type: "user", 2012 Affiliation: "hyperledger.fabric.security", 2013 }) 2014 errs <- err 2015 }(admin, n) 2016 } 2017 for i := 0; ; { 2018 err = <-errs 2019 // Should not see "database is locked" error 2020 if err != nil && strings.Contains(err.Error(), "database is locked") { 2021 t.Fatalf("Failed to register: %s", err) 2022 } 2023 // If we have heard from all the go routines, break to exit the test 2024 if i++; i == users { 2025 break 2026 } 2027 } 2028 } 2029 2030 func TestSRVNewUserRegistryMySQL(t *testing.T) { 2031 datasource := "" 2032 2033 // Test with no cert files specified 2034 tlsConfig := &libtls.ClientTLSConfig{ 2035 Enabled: true, 2036 } 2037 csp := util.GetDefaultBCCSP() 2038 _, err := getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, &disabled.Provider{})) 2039 assert.Error(t, err) 2040 assert.Contains(t, err.Error(), "No trusted root certificates for TLS were provided") 2041 2042 // Test with with a file that does not exist 2043 tlsConfig = &libtls.ClientTLSConfig{ 2044 Enabled: true, 2045 CertFiles: []string{"doesnotexit.pem"}, 2046 } 2047 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, &disabled.Provider{})) 2048 assert.Error(t, err) 2049 assert.Contains(t, err.Error(), "no such file or directory") 2050 2051 // Test with a file that is not of appropriate format 2052 tlsConfig = &libtls.ClientTLSConfig{ 2053 Enabled: true, 2054 CertFiles: []string{"../testdata/empty.json"}, 2055 } 2056 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, &disabled.Provider{})) 2057 assert.Error(t, err) 2058 assert.Contains(t, err.Error(), "Failed to process certificate from file") 2059 2060 // Test with a file that does not have read permissions 2061 2062 tmpFile := filepath.Join(os.TempDir(), "root.pem") 2063 err = CopyFile("../testdata/root.pem", tmpFile) 2064 if err != nil { 2065 t.Fatalf("Failed to copy file: %s", err) 2066 } 2067 err = os.Chmod(tmpFile, 0000) 2068 if err != nil { 2069 t.Fatalf("Failed to change file mode: %s", err) 2070 } 2071 2072 tlsConfig = &libtls.ClientTLSConfig{ 2073 Enabled: true, 2074 CertFiles: []string{tmpFile}, 2075 } 2076 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, &disabled.Provider{})) 2077 assert.Error(t, err) 2078 if err != nil { 2079 t.Logf("%s", err.Error()) 2080 } 2081 assert.Contains(t, err.Error(), "denied") 2082 2083 err = os.RemoveAll(tmpFile) 2084 if err != nil { 2085 t.Logf("%s", err.Error()) 2086 } 2087 } 2088 2089 func TestCSRInputLengthCheck(t *testing.T) { 2090 t.Log("Testing CSR input length check") 2091 err := os.RemoveAll("../testdata/msp/") 2092 if err != nil { 2093 t.Errorf("RemoveAll failed: %s", err) 2094 } 2095 err = os.RemoveAll(rootDir) 2096 if err != nil { 2097 t.Errorf("RemoveAll failed: %s", err) 2098 } 2099 defer func() { 2100 err = os.RemoveAll("../testdata/msp/") 2101 if err != nil { 2102 t.Errorf("RemoveAll failed: %s", err) 2103 } 2104 err = os.RemoveAll(rootDir) 2105 if err != nil { 2106 t.Errorf("RemoveAll failed: %s", err) 2107 } 2108 }() 2109 2110 server := TestGetServer(rootPort, rootDir, "", -1, t) 2111 if server == nil { 2112 return 2113 } 2114 longCN := randSeq(65) 2115 err = server.RegisterBootstrapUser(longCN, "pass", "") 2116 if err != nil { 2117 t.Errorf("Failed to register bootstrap user: %s", err) 2118 } 2119 err = server.Start() 2120 if err != nil { 2121 t.Fatalf("Server start failed: %s", err) 2122 } 2123 defer func() { 2124 err = server.Stop() 2125 if err != nil { 2126 t.Errorf("Failed to stop server: %s", err) 2127 } 2128 }() 2129 2130 // Passing case: all value are of appropriate length 2131 client := getRootClient() 2132 csr1 := api.CSRInfo{ 2133 CN: "test", 2134 Names: []csr.Name{ 2135 csr.Name{ 2136 C: "US", 2137 ST: "North Carolina", 2138 L: "Raleigh", 2139 O: "Hyperledger", 2140 OU: "Fabric", 2141 }, 2142 csr.Name{ 2143 C: "CA", 2144 }, 2145 }, 2146 SerialNumber: "123abc", 2147 } 2148 _, err = client.Enroll(&api.EnrollmentRequest{ 2149 Name: "admin", 2150 Secret: "adminpw", 2151 CSR: &csr1, 2152 }) 2153 if err != nil { 2154 t.Error("Failed to enroll user in passing case: ", err) 2155 } 2156 2157 // Failing case: CN is greater than 64 characters 2158 badCSR := &api.CSRInfo{ 2159 CN: longCN, 2160 } 2161 _, err = client.Enroll(&api.EnrollmentRequest{ 2162 Name: longCN, 2163 Secret: "pass", 2164 CSR: badCSR, 2165 }) 2166 if assert.Error(t, err, fmt.Sprint("Number of characters for CN is greater than the maximum limit, should have resulted in an error")) { 2167 assert.Contains(t, err.Error(), "CN") 2168 } 2169 2170 // CSRs that test failing cases for other fields in the CSR 2171 badCSRs := map[string]*api.CSRInfo{ 2172 "country": &api.CSRInfo{ 2173 Names: []csr.Name{ 2174 csr.Name{ 2175 C: randSeq(3), 2176 }, 2177 }, 2178 }, 2179 "locality": &api.CSRInfo{ 2180 Names: []csr.Name{ 2181 csr.Name{ 2182 L: randSeq(129), 2183 }, 2184 }, 2185 }, 2186 "state": &api.CSRInfo{ 2187 Names: []csr.Name{ 2188 csr.Name{ 2189 ST: randSeq(129), 2190 }, 2191 }, 2192 }, 2193 "organization": &api.CSRInfo{ 2194 Names: []csr.Name{ 2195 csr.Name{ 2196 O: randSeq(65), 2197 }, 2198 }, 2199 }, 2200 "organizational unit": &api.CSRInfo{ 2201 Names: []csr.Name{ 2202 csr.Name{ 2203 OU: randSeq(65), 2204 }, 2205 }, 2206 }, 2207 "serial number": &api.CSRInfo{ 2208 SerialNumber: randSeq(65), 2209 }, 2210 } 2211 2212 for name, badCSR := range badCSRs { 2213 _, err = client.Enroll(&api.EnrollmentRequest{ 2214 Name: "admin", 2215 Secret: "adminpw", 2216 CSR: badCSR, 2217 }) 2218 if assert.Error(t, err, fmt.Sprintf("Number of characters for '%s' is greater than the maximum limit, should have resulted in an error", name)) { 2219 assert.Contains(t, err.Error(), name) 2220 } 2221 } 2222 } 2223 2224 func TestAutoTLSCertificateGeneration(t *testing.T) { 2225 err := os.RemoveAll(rootDir) 2226 if err != nil { 2227 t.Errorf("RemoveAll failed: %s", err) 2228 } 2229 err = os.RemoveAll("../testdata/msp/") 2230 if err != nil { 2231 t.Errorf("RemoveAll failed: %s", err) 2232 } 2233 defer func() { 2234 err = os.RemoveAll(rootDir) 2235 if err != nil { 2236 t.Errorf("RemoveAll failed: %s", err) 2237 } 2238 err = os.RemoveAll("../testdata/msp/") 2239 if err != nil { 2240 t.Errorf("RemoveAll failed: %s", err) 2241 } 2242 }() 2243 2244 srv := TestGetRootServer(t) 2245 2246 srv.Config.TLS.Enabled = true 2247 srv.Config.TLS.CertFile = "tls-cert.pem" 2248 srv.Config.CAcfg.CSR.CN = "fabric-ca-server" 2249 srv.Config.CAcfg.CSR.Hosts = []string{"localhost"} 2250 2251 err = srv.Start() 2252 if !assert.NoError(t, err, "Failed to start server") { 2253 t.Fatalf("Failed to start server: %s", err) 2254 } 2255 2256 cert, err := util.GetX509CertificateFromPEMFile(srv.Config.TLS.CertFile) 2257 assert.NoError(t, err, "Failed to get certificate") 2258 2259 // Check if the certificate has correct extended key usages 2260 clientAuth := false 2261 serverAuth := false 2262 for _, usage := range cert.ExtKeyUsage { 2263 if usage == x509.ExtKeyUsageClientAuth { 2264 clientAuth = true 2265 } 2266 if usage == x509.ExtKeyUsageServerAuth { 2267 serverAuth = true 2268 } 2269 } 2270 2271 if !clientAuth || !serverAuth { 2272 t.Error("Certificate does not have correct extended key usage. Should have ExtKeyUsageServerAuth and ExtKeyUsageClientAuth") 2273 } 2274 2275 trustedTLSCert, err := filepath.Abs(srv.CA.Config.CA.Certfile) 2276 trustedTLSCerts := []string{trustedTLSCert} 2277 2278 // Test enrolling with with client using TLS 2279 client := getTLSTestClient(7075, trustedTLSCerts) 2280 enrollReq := &api.EnrollmentRequest{ 2281 Name: "admin", 2282 Secret: "adminpw", 2283 } 2284 _, err = client.Enroll(enrollReq) 2285 assert.NoError(t, err, "Error occured during enrollment on TLS enabled fabric-ca server") 2286 2287 err = srv.Stop() 2288 assert.NoError(t, err, "Failed to stop server") 2289 2290 // Test the case where TLS key is provided but TLS certificate does not exist 2291 srv.Config.TLS.CertFile = "fake-tls-cert.pem" 2292 srv.Config.TLS.KeyFile = "key.pem" 2293 2294 err = srv.Start() 2295 if assert.Error(t, err, "Should have failed to start server where TLS key is specified but certificate does not exist") { 2296 assert.Contains(t, err.Error(), fmt.Sprintf("File specified by 'tls.keyfile' does not exist: %s", srv.Config.TLS.KeyFile)) 2297 } 2298 } 2299 func TestRegistrationAffiliation(t *testing.T) { 2300 // Start the server 2301 server := TestGetServer(rootPort, rootDir, "", -1, t) 2302 if server == nil { 2303 return 2304 } 2305 server.RegisterBootstrapUser("admin2", "admin2pw", "hyperledger") 2306 err := server.Start() 2307 assert.NoError(t, err, "Server start failed") 2308 defer func() { 2309 err = server.Stop() 2310 if err != nil { 2311 t.Errorf("Failed to stop server: %s", err) 2312 } 2313 err = os.RemoveAll("../testdata/msp") 2314 if err != nil { 2315 t.Errorf("RemoveAll failed: %s", err) 2316 } 2317 err = os.RemoveAll(rootDir) 2318 if err != nil { 2319 t.Errorf("RemoveAll failed: %s", err) 2320 } 2321 }() 2322 2323 // Enroll bootstrap user 2324 client := getRootClient() 2325 eresp, err := client.Enroll(&api.EnrollmentRequest{ 2326 Name: "admin", 2327 Secret: "adminpw", 2328 }) 2329 assert.NoError(t, err, "Failed to enroll bootstrap user") 2330 admin := eresp.Identity 2331 2332 // Registering with no affiliation specified, should default to using the registrar's affiliation 2333 _, err = admin.Register(&api.RegistrationRequest{ 2334 Name: "testuser", 2335 Type: "user", 2336 Affiliation: "", 2337 }) 2338 assert.NoError(t, err, "Client register failed") 2339 2340 db := server.DBAccessor() 2341 user, err := db.GetUser("testuser", nil) 2342 assert.NoError(t, err) 2343 2344 userAff := cadbuser.GetAffiliation(user) 2345 if userAff != "" { 2346 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected '' got %s", userAff) 2347 } 2348 2349 _, err = admin.Register(&api.RegistrationRequest{ 2350 Name: "testuser2", 2351 Type: "user", 2352 Affiliation: ".", 2353 }) 2354 assert.NoError(t, err, "Client register failed") 2355 2356 user, err = db.GetUser("testuser2", nil) 2357 assert.NoError(t, err) 2358 2359 userAff = cadbuser.GetAffiliation(user) 2360 if userAff != "" { 2361 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected '' got %s", userAff) 2362 } 2363 2364 eresp, err = client.Enroll(&api.EnrollmentRequest{ 2365 Name: "admin2", 2366 Secret: "admin2pw", 2367 }) 2368 assert.NoError(t, err, "Failed to enroll bootstrap user") 2369 admin2 := eresp.Identity // admin2 has an affiliation of 'hyperledger' 2370 2371 // Registering with no affiliation specified, should default to using the registrar's affiliation 2372 _, err = admin2.Register(&api.RegistrationRequest{ 2373 Name: "testuser3", 2374 Type: "user", 2375 Affiliation: "", 2376 }) 2377 assert.NoError(t, err, "Client register failed") 2378 2379 db = server.DBAccessor() 2380 user, err = db.GetUser("testuser3", nil) 2381 assert.NoError(t, err) 2382 2383 userAff = cadbuser.GetAffiliation(user) 2384 if userAff != "hyperledger" { 2385 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected 'hyperledger' got %s", userAff) 2386 } 2387 2388 _, err = admin2.Register(&api.RegistrationRequest{ 2389 Name: "testuser4", 2390 Type: "user", 2391 Affiliation: ".", 2392 }) 2393 assert.Error(t, err, "Should have failed, can't register a user with root affiliation if the registrar does not have root affiliation") 2394 } 2395 2396 func TestCompEnvVar(t *testing.T) { 2397 os.Setenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3", "badVal") 2398 defer os.Unsetenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3") 2399 2400 os.RemoveAll(rootDir) 2401 defer os.RemoveAll(rootDir) 2402 2403 server := TestGetRootServer(t) 2404 err := server.Init(false) 2405 util.ErrorContains(t, err, "parsing \"badVal\": invalid syntax", "Should error if using an invalid boolean value") 2406 2407 os.Setenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3", "true") 2408 err = server.Init(false) 2409 assert.NoError(t, err) 2410 } 2411 2412 func cleanMultiCADir(t *testing.T) { 2413 var err error 2414 caFolder := "../testdata/ca" 2415 toplevelFolders := []string{"intermediateca", "rootca"} 2416 nestedFolders := []string{"ca1", "ca2", "ca3"} 2417 removeFiles := []string{"ca-cert.pem", "ca-key.pem", "fabric-ca-server.db", 2418 "fabric-ca2-server.db", "ca-chain.pem", "IssuerPublicKey", "IssuerSecretKey", "IssuerRevocationPublicKey"} 2419 2420 for _, topFolder := range toplevelFolders { 2421 for _, nestedFolder := range nestedFolders { 2422 path := filepath.Join(caFolder, topFolder, nestedFolder) 2423 for _, file := range removeFiles { 2424 err = os.RemoveAll(filepath.Join(path, file)) 2425 if err != nil { 2426 t.Errorf("RemoveAll failed: %s", err) 2427 } 2428 } 2429 err = os.RemoveAll(filepath.Join(path, "msp")) 2430 if err != nil { 2431 t.Errorf("RemoveAll failed: %s", err) 2432 } 2433 } 2434 } 2435 err = os.RemoveAll("../testdata/ca/intermediateca/ca1/msp") 2436 if err != nil { 2437 t.Errorf("RemoveAll failed: %s", err) 2438 } 2439 err = os.RemoveAll("multica") 2440 if err != nil { 2441 t.Errorf("RemoveAll failed: %s", err) 2442 } 2443 err = os.RemoveAll("msp") 2444 if err != nil { 2445 t.Errorf("RemoveAll failed: %s", err) 2446 } 2447 } 2448 2449 func getRootServerURL() string { 2450 return fmt.Sprintf("http://admin:adminpw@localhost:%d", rootPort) 2451 } 2452 2453 func getRootServer(t *testing.T) *Server { 2454 return getServer(rootPort, rootDir, "", -1, t) 2455 } 2456 2457 func getIntermediateServer(idx int, t *testing.T) *Server { 2458 return getServer( 2459 intermediatePort, 2460 path.Join(intermediateDir, strconv.Itoa(idx)), 2461 getRootServerURL(), 2462 -1, 2463 t) 2464 } 2465 2466 func getServer(port int, home, parentURL string, maxEnroll int, t *testing.T) *Server { 2467 if home != testdataDir { 2468 err := os.RemoveAll(home) 2469 if err != nil { 2470 t.Errorf("RemoveAll failed: %s", err) 2471 } 2472 } 2473 affiliations := map[string]interface{}{ 2474 "hyperledger": map[string]interface{}{ 2475 "fabric": []string{"ledger", "orderer", "security"}, 2476 "fabric-ca": nil, 2477 "sdk": nil, 2478 }, 2479 "org2": nil, 2480 } 2481 2482 srv := &Server{ 2483 Config: &ServerConfig{ 2484 Port: port, 2485 Debug: true, 2486 }, 2487 CA: CA{ 2488 Config: &CAConfig{ 2489 Intermediate: IntermediateCA{ 2490 ParentServer: ParentServer{ 2491 URL: parentURL, 2492 }, 2493 }, 2494 Affiliations: affiliations, 2495 Registry: CAConfigRegistry{ 2496 MaxEnrollments: maxEnroll, 2497 }, 2498 }, 2499 }, 2500 HomeDir: home, 2501 } 2502 // The bootstrap user's affiliation is the empty string, which 2503 // means the user is at the affiliation root 2504 err := srv.RegisterBootstrapUser("admin", "adminpw", "") 2505 if err != nil { 2506 t.Errorf("Failed to register bootstrap user: %s", err) 2507 return nil 2508 } 2509 // Error case of empty bootstrap data 2510 err = srv.RegisterBootstrapUser("admin", "", "") 2511 t.Logf("Empty bootstrap id: %s", err) 2512 if err == nil { 2513 t.Errorf("register bootstrap user should have failed") 2514 return nil 2515 } 2516 return srv 2517 } 2518 2519 func getRootClient() *Client { 2520 return getTestClient(rootPort) 2521 } 2522 2523 func getIntermediateClient() *Client { 2524 return getTestClient(intermediatePort) 2525 } 2526 2527 func getTestClient(port int) *Client { 2528 return &Client{ 2529 Config: &ClientConfig{URL: fmt.Sprintf("http://localhost:%d", port)}, 2530 HomeDir: testdataDir, 2531 } 2532 } 2533 2534 func getTLSTestClient(port int, trustedTLSCerts []string) *Client { 2535 return &Client{ 2536 Config: &ClientConfig{ 2537 URL: fmt.Sprintf("https://localhost:%d", port), 2538 TLS: libtls.ClientTLSConfig{ 2539 Enabled: true, 2540 CertFiles: trustedTLSCerts, 2541 }, 2542 }, 2543 HomeDir: testdataDir, 2544 } 2545 } 2546 2547 func getTLSConfig(srv *Server, clientAuthType string, clientRootCerts []string) *Server { 2548 srv.Config.TLS.Enabled = true 2549 srv.Config.TLS.CertFile = "../testdata/tls_server-cert.pem" 2550 srv.Config.TLS.KeyFile = "../testdata/tls_server-key.pem" 2551 srv.Config.TLS.ClientAuth.Type = clientAuthType 2552 srv.Config.TLS.ClientAuth.CertFiles = clientRootCerts 2553 2554 return srv 2555 } 2556 2557 func testRegistration(admin *Identity, t *testing.T) { 2558 name := "testRegistrationUser1" 2559 topAffiliation := "hyperledger" 2560 midAffiliation := "hyperledger.fabric" 2561 botAffiliation := "hyperledger.fabric.security" 2562 _, err := admin.RegisterAndEnroll(&api.RegistrationRequest{ 2563 Name: name, 2564 Type: "user", 2565 Affiliation: midAffiliation, 2566 Attributes: makeAttrs(t, "hf.Registrar.Roles=user", "hf.Registrar.DelegateRoles=user,peer"), 2567 }) 2568 if err == nil { 2569 t.Error("Should have failed to register delegate roles which exceed roles") 2570 } 2571 id1, err := admin.RegisterAndEnroll(&api.RegistrationRequest{ 2572 Name: name, 2573 Type: "user", 2574 Affiliation: midAffiliation, 2575 Attributes: makeAttrs(t, "hf.Registrar.Roles=user,peer", "hf.Registrar.DelegateRoles=user", "hf.Registrar.Attributes=*"), 2576 }) 2577 if err != nil { 2578 t.Fatalf("%s", err) 2579 } 2580 _, err = id1.RegisterAndEnroll(&api.RegistrationRequest{ 2581 Name: name, 2582 Type: "user", 2583 Affiliation: botAffiliation, 2584 Attributes: makeAttrs(t, "hf.Registrar.Roles=peer"), 2585 }) 2586 if err == nil { 2587 t.Error("ID1 should not be allowed to delegate peer registration to another identity") 2588 } 2589 _, err = id1.RegisterAndEnroll(&api.RegistrationRequest{ 2590 Name: name, 2591 Type: "user", 2592 Affiliation: topAffiliation, 2593 }) 2594 if err == nil { 2595 t.Error("ID1 should not be allowed to registrar outside of its affiliation hierarchy") 2596 } 2597 name = "testRegistrationUser2" 2598 id2, err := id1.RegisterAndEnroll(&api.RegistrationRequest{ 2599 Name: name, 2600 Type: "user", 2601 Affiliation: botAffiliation, 2602 }) 2603 if err != nil { 2604 t.Fatalf("ID1 failed to register %s: %s", name, err) 2605 } 2606 name = "testRegistrationUser3" 2607 _, err = id2.RegisterAndEnroll(&api.RegistrationRequest{ 2608 Name: name, 2609 Type: "user", 2610 Affiliation: botAffiliation, 2611 }) 2612 if err == nil { 2613 t.Error("ID2 should not be allowed to register") 2614 } 2615 } 2616 2617 func makeAttrs(t *testing.T, args ...string) []api.Attribute { 2618 attrs := make([]api.Attribute, len(args)) 2619 for idx, attr := range args { 2620 eles := strings.Split(attr, "=") 2621 if len(eles) != 2 { 2622 t.Fatalf("Not two elements in %s", attr) 2623 } 2624 attrs[idx].Name = eles[0] 2625 attrs[idx].Value = eles[1] 2626 } 2627 return attrs 2628 } 2629 2630 func writeCAFile(name, parentcaname, filename, home string, port int, t *testing.T) { 2631 contents := fmt.Sprintf(` 2632 ca: 2633 name: %s 2634 intermediate: 2635 parentserver: 2636 url: http://admin:adminpw@localhost:%d 2637 caname: %s 2638 `, name, port, parentcaname) 2639 os.MkdirAll(home, 0755) 2640 fpath := path.Join(home, fmt.Sprintf("%s.yaml", filename)) 2641 err := ioutil.WriteFile(fpath, []byte(contents), 0644) 2642 if err != nil { 2643 t.Fatalf("Failed to create ca1.yaml: %s", err) 2644 } 2645 } 2646 2647 var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") 2648 2649 func randSeq(n int) string { 2650 b := make([]rune, n) 2651 for i := range b { 2652 b[i] = letters[rand.Intn(len(letters))] 2653 } 2654 return string(b) 2655 } 2656 2657 func testBadCryptoData(t *testing.T, s *Server, testData []string) { 2658 config := []string{"ca/rootca/ca1/fabric-ca-server-config.yaml"} 2659 sCert := "../testdata/ca/rootca/ca1/ca-cert.pem" 2660 sKey := "../testdata/ca/rootca/ca1/ca-key.pem" 2661 // Starting server with expired certificate 2662 err := CopyFile(testData[0], sCert) 2663 if err != nil { 2664 t.Errorf("Failed to copy expired cert to %s failed: %v", testData[0], err) 2665 } 2666 err = CopyFile(testData[1], sKey) 2667 if err != nil { 2668 t.Errorf("Failed to copy key to %s failed: %v", testData[1], err) 2669 } 2670 s.Config.CAfiles = config 2671 err = s.Start() 2672 t.Logf("srvStart ERROR %v", err) 2673 if err == nil { 2674 t.Errorf("Should have failed to start server, %s", testData[2]) 2675 err = s.Stop() 2676 if err != nil { 2677 t.Errorf("Failed to stop server: %s", err) 2678 } 2679 } 2680 err = os.Remove(sCert) 2681 if err != nil { 2682 t.Errorf("Remove failed: %s", err) 2683 } 2684 err = os.Remove(sKey) 2685 if err != nil { 2686 t.Errorf("Remove failed: %s", err) 2687 } 2688 } 2689 2690 func cleanTestSlateSRV(t *testing.T) { 2691 err := os.RemoveAll("../testdata/ca-cert.pem") 2692 if err != nil { 2693 t.Errorf("RemoveAll failed: %s", err) 2694 } 2695 err = os.RemoveAll("../testdata/ca-key.pem") 2696 if err != nil { 2697 t.Errorf("RemoveAll failed: %s", err) 2698 } 2699 err = os.RemoveAll("../testdata/fabric-ca-server.db") 2700 if err != nil { 2701 t.Errorf("RemoveAll failed: %s", err) 2702 } 2703 err = os.RemoveAll(rootDir) 2704 if err != nil { 2705 t.Errorf("RemoveAll failed: %s", err) 2706 } 2707 err = os.RemoveAll(intermediateDir) 2708 if err != nil { 2709 t.Errorf("RemoveAll failed: %s", err) 2710 } 2711 err = os.RemoveAll("multica") 2712 if err != nil { 2713 t.Errorf("RemoveAll failed: %s", err) 2714 } 2715 err = os.RemoveAll(serversDir) 2716 if err != nil { 2717 t.Errorf("RemoveAll failed: %s", err) 2718 } 2719 err = os.RemoveAll("../testdata/msp") 2720 if err != nil { 2721 t.Errorf("RemoveAll failed: %s", err) 2722 } 2723 err = os.RemoveAll("msp") 2724 if err != nil { 2725 t.Errorf("RemoveAll failed: %s", err) 2726 } 2727 err = os.RemoveAll("../util/msp") 2728 if err != nil { 2729 t.Errorf("RemoveAll failed: %s", err) 2730 } 2731 cleanMultiCADir(t) 2732 } 2733 2734 func TestStatsdMetricsE2E(t *testing.T) { 2735 gt := NewGomegaWithT(t) 2736 var err error 2737 2738 server := TestGetRootServer(t) 2739 2740 // Statsd 2741 datagramReader := NewDatagramReader(t) 2742 go datagramReader.Start() 2743 defer datagramReader.Close() 2744 2745 server.Config.Metrics = operations.MetricsOptions{ 2746 Provider: "statsd", 2747 Statsd: &operations.Statsd{ 2748 Network: "udp", 2749 Address: datagramReader.Address(), 2750 Prefix: "server", 2751 WriteInterval: time.Duration(time.Millisecond), 2752 }, 2753 } 2754 2755 server.CA.Config.CA.Name = "ca" 2756 err = server.Start() 2757 gt.Expect(err).NotTo(HaveOccurred()) 2758 defer server.Stop() 2759 defer os.RemoveAll(rootDir) 2760 2761 client := TestGetClient(rootPort, "metrics") 2762 _, err = client.Enroll(&api.EnrollmentRequest{ 2763 Name: "admin", 2764 Secret: "badpass", 2765 CAName: "ca", 2766 }) 2767 gt.Expect(err).To(HaveOccurred()) 2768 defer os.RemoveAll("metrics") 2769 2770 _, err = client.Enroll(&api.EnrollmentRequest{ 2771 Name: "admin", 2772 Secret: "adminpw", 2773 CAName: "ca", 2774 }) 2775 gt.Expect(err).NotTo(HaveOccurred()) 2776 2777 eventuallyTimeout := 10 * time.Second 2778 gt.Eventually(datagramReader, eventuallyTimeout).Should(gbytes.Say("serverx.api_request.count.ca.enroll.201:1.000000|c")) 2779 gt.Eventually(datagramReader, eventuallyTimeout).Should(gbytes.Say("server.api_request.duration.ca.enroll.201")) 2780 contents := datagramReader.String() 2781 gt.Expect(contents).To(ContainSubstring("server.api_request.duration.ca.enroll.401")) 2782 gt.Expect(contents).To(ContainSubstring("server.api_request.count.ca.enroll.401:1.000000|c")) 2783 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetRAInfo.Select:1.000000|c")) 2784 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateAffiliationsTable.Exec:2.000000|c")) 2785 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateCertificatesTable.Exec:2.000000|c")) 2786 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreatePropertiesTable.Exec:2.000000|c")) 2787 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetProperty.Get:12.000000|c")) 2788 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.InsertAffiliation.Exec:11.000000|c")) 2789 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateTable.Commit:1.000000|c")) 2790 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetUserLessThanLevel.Queryx:1.000000|c")) 2791 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateAffiliationsTable.Exec:4.000000|c")) 2792 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.Migration.Commit:1.000000|c")) 2793 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateUsersTable.Exec:3.000000|c")) 2794 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateCertificatesTable.Exec:4.000000|c")) 2795 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetUser.Get:1.000000|c")) 2796 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.AddRAInfo.NamedExec:1.000000|c")) 2797 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateCredentialsTable.Exec:1.000000|c")) 2798 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateRevocationAuthorityTable.Exec:1.000000|c")) 2799 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateNoncesTable.Exec:1.000000|c")) 2800 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateUsersTable.Exec:7.000000|c")) 2801 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreatePropertiesTable.Exec")) 2802 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetUserLessThanLevel.Queryx")) 2803 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateCertificatesTable.Exec")) 2804 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetUser.Get")) 2805 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.Migration.Commit")) 2806 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.InsertUser.NamedExec")) 2807 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateAffiliationsTable.Exec")) 2808 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateCredentialsTable.Exec")) 2809 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateRevocationAuthorityTable.Exec")) 2810 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateNoncesTable.Exec")) 2811 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetProperty.Get")) 2812 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.AddRAInfo.NamedExec")) 2813 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateCertificatesTable.Exec")) 2814 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateTable.Commit")) 2815 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateUsersTable.Exec")) 2816 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.InsertAffiliation.Exec")) 2817 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetRAInfo.Select")) 2818 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateUsersTable.Exec")) 2819 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateAffiliationsTable.Exec")) 2820 } 2821 2822 func TestPrometheusMetricsE2E(t *testing.T) { 2823 gt := NewGomegaWithT(t) 2824 var err error 2825 2826 server := TestGetRootServer(t) 2827 // Prometheus 2828 server.Config.Metrics.Provider = "prometheus" 2829 server.Config.Operations.ListenAddress = "localhost:0" 2830 2831 server.Config.Operations.TLS = operations.TLS{ 2832 Enabled: true, 2833 CertFile: filepath.Join(testdata, "tls_server-cert.pem"), 2834 KeyFile: filepath.Join(testdata, "tls_server-key.pem"), 2835 ClientCertRequired: true, 2836 ClientCACertFiles: []string{"../testdata/root.pem"}, 2837 } 2838 2839 server.CA.Config.CA.Name = "ca" 2840 err = server.Start() 2841 gt.Expect(err).NotTo(HaveOccurred()) 2842 defer server.Stop() 2843 defer os.RemoveAll(rootDir) 2844 2845 client := TestGetClient(rootPort, "metrics") 2846 _, err = client.Enroll(&api.EnrollmentRequest{ 2847 Name: "admin", 2848 Secret: "badpass", 2849 CAName: "ca", 2850 }) 2851 gt.Expect(err).To(HaveOccurred()) 2852 defer os.RemoveAll("metrics") 2853 2854 _, err = client.Enroll(&api.EnrollmentRequest{ 2855 Name: "admin", 2856 Secret: "adminpw", 2857 CAName: "ca", 2858 }) 2859 gt.Expect(err).NotTo(HaveOccurred()) 2860 2861 // Prometheus client 2862 clientCert, err := tls.LoadX509KeyPair( 2863 filepath.Join(testdata, "tls_client-cert.pem"), 2864 filepath.Join(testdata, "tls_client-key.pem"), 2865 ) 2866 gt.Expect(err).NotTo(HaveOccurred()) 2867 clientCertPool := x509.NewCertPool() 2868 caCert, err := ioutil.ReadFile(filepath.Join(testdata, "root.pem")) 2869 gt.Expect(err).NotTo(HaveOccurred()) 2870 clientCertPool.AppendCertsFromPEM(caCert) 2871 2872 c := &http.Client{ 2873 Transport: &http.Transport{ 2874 TLSClientConfig: &tls.Config{ 2875 Certificates: []tls.Certificate{clientCert}, 2876 RootCAs: clientCertPool, 2877 }, 2878 }, 2879 } 2880 2881 addr := strings.Split(server.Operations.Addr(), ":") 2882 metricsURL := fmt.Sprintf("https://localhost:%s/metrics", addr[1]) 2883 resp, err := c.Get(metricsURL) 2884 gt.Expect(err).NotTo(HaveOccurred()) 2885 gt.Expect(resp.StatusCode).To(Equal(http.StatusOK)) 2886 defer resp.Body.Close() 2887 2888 bodyBytes, err := ioutil.ReadAll(resp.Body) 2889 gt.Expect(err).NotTo(HaveOccurred()) 2890 body := string(bodyBytes) 2891 2892 err = server.Stop() 2893 gt.Expect(err).NotTo(HaveOccurred()) 2894 2895 gt.Expect(body).To(ContainSubstring(`# HELP api_request_count Number of requests made to an API`)) 2896 gt.Expect(body).To(ContainSubstring(`# TYPE api_request_count counter`)) 2897 gt.Expect(body).To(ContainSubstring(`api_request_count{api_name="enroll",ca_name="ca",status_code="201"} 1.0`)) 2898 gt.Expect(body).To(ContainSubstring(`api_request_count{api_name="enroll",ca_name="ca",status_code="401"} 1.0`)) 2899 gt.Expect(body).To(ContainSubstring(`# HELP api_request_duration Time taken in seconds for the request to an API to be completed`)) 2900 gt.Expect(body).To(ContainSubstring(`# TYPE api_request_duration histogram`)) 2901 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.005"}`)) 2902 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.01"}`)) 2903 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.025"}`)) 2904 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.05"}`)) 2905 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.1"}`)) 2906 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.25"}`)) 2907 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.5"}`)) 2908 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="1.0"}`)) 2909 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="2.5"}`)) 2910 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="5.0"}`)) 2911 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="10.0"}`)) 2912 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="+Inf"}`)) 2913 gt.Expect(body).To(ContainSubstring(`api_request_duration_sum{api_name="enroll",ca_name="ca",status_code="201"}`)) 2914 gt.Expect(body).To(ContainSubstring(`api_request_duration_count{api_name="enroll",ca_name="ca",status_code="201"} 1.0`)) 2915 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.005"}`)) 2916 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.01"}`)) 2917 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.025"}`)) 2918 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.05"}`)) 2919 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.1"}`)) 2920 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.25"}`)) 2921 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.5"}`)) 2922 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="1.0"}`)) 2923 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="2.5"}`)) 2924 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="5.0"}`)) 2925 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="10.0"}`)) 2926 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="+Inf"}`)) 2927 gt.Expect(body).To(ContainSubstring(`api_request_duration_sum{api_name="enroll",ca_name="ca",status_code="401"}`)) 2928 gt.Expect(body).To(ContainSubstring(`api_request_duration_count{api_name="enroll",ca_name="ca",status_code="401"} 1.0`)) 2929 gt.Expect(body).To(ContainSubstring(`# HELP db_api_request_count Number of requests made to a database API`)) 2930 gt.Expect(body).To(ContainSubstring(`# TYPE db_api_request_count counter`)) 2931 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Commit",func_name="CreateTable"} 1.0`)) 2932 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Commit",func_name="Migration"} 1.0`)) 2933 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateAffiliationsTable"} 2.0`)) 2934 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateCertificatesTable"} 2.0`)) 2935 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateCredentialsTable"} 1.0`)) 2936 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateNoncesTable"} 1.0`)) 2937 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreatePropertiesTable"} 2.0`)) 2938 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateRevocationAuthorityTable"} 1.0`)) 2939 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateUsersTable"} 3.0`)) 2940 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="IncrementIncorrectPasswordAttempts"} 1.0`)) 2941 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="InsertAffiliation"} 11.0`)) 2942 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="LoginComplete"} 1.0`)) 2943 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateAffiliationsTable"} 4.0`)) 2944 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateCertificatesTable"} 4.0`)) 2945 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateUsersTable"} 7.0`)) 2946 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="ResetIncorrectLoginAttempts"} 1.0`)) 2947 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="GetProperty"} 12.0`)) 2948 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="GetUser"} 5.0`)) 2949 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="ResetIncorrectLoginAttempts"} 1.0`)) 2950 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="AddRAInfo"} 1.0`)) 2951 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="InsertCertificate"} 1.0`)) 2952 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="InsertUser"} 1.0`)) 2953 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Queryx",func_name="GetUserLessThanLevel"} 1.0`)) 2954 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo"} 1.0`)) 2955 gt.Expect(body).To(ContainSubstring(`# HELP db_api_request_duration Time taken in seconds for the request to a database API to be completed`)) 2956 gt.Expect(body).To(ContainSubstring(`# TYPE db_api_request_duration histogram`)) 2957 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Commit",func_name="CreateTable",le="0.5"}`)) 2958 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Commit",func_name="Migration",le="0.5"}`)) 2959 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateAffiliationsTable",le="0.5"}`)) 2960 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateCertificatesTable",le="0.5"}`)) 2961 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateCredentialsTable",le="0.5"}`)) 2962 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateNoncesTable",le="0.5"}`)) 2963 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreatePropertiesTable",le="0.5"}`)) 2964 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateRevocationAuthorityTable",le="0.5"}`)) 2965 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateUsersTable",le="0.5"}`)) 2966 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="IncrementIncorrectPasswordAttempts",le="0.5"}`)) 2967 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="InsertAffiliation",le="0.5"}`)) 2968 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="LoginComplete",le="0.5"}`)) 2969 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateAffiliationsTable",le="0.5"}`)) 2970 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateCertificatesTable",le="0.5"}`)) 2971 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateUsersTable",le="0.5"}`)) 2972 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="GetProperty",le="0.5"}`)) 2973 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="GetUser",le="0.5"}`)) 2974 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="ResetIncorrectLoginAttempts",le="0.5"}`)) 2975 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="AddRAInfo",le="0.5"}`)) 2976 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="InsertCertificate",le="0.5"}`)) 2977 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="InsertUser",le="0.5"}`)) 2978 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Queryx",func_name="GetUserLessThanLevel",le="0.5"}`)) 2979 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo",le="0.25"}`)) 2980 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo",le="0.5"}`)) 2981 } 2982 2983 type DatagramReader struct { 2984 buffer *gbytes.Buffer 2985 errCh chan error 2986 sock *net.UDPConn 2987 doneCh chan struct{} 2988 closeOnce sync.Once 2989 err error 2990 } 2991 2992 func NewDatagramReader(t *testing.T) *DatagramReader { 2993 gt := NewGomegaWithT(t) 2994 2995 udpAddr, err := net.ResolveUDPAddr("udp", "127.0.0.1:0") 2996 gt.Expect(err).NotTo(HaveOccurred()) 2997 sock, err := net.ListenUDP("udp", udpAddr) 2998 gt.Expect(err).NotTo(HaveOccurred()) 2999 err = sock.SetReadBuffer(1024 * 1024) 3000 gt.Expect(err).NotTo(HaveOccurred()) 3001 3002 return &DatagramReader{ 3003 buffer: gbytes.NewBuffer(), 3004 sock: sock, 3005 errCh: make(chan error, 1), 3006 doneCh: make(chan struct{}), 3007 } 3008 } 3009 3010 func (dr *DatagramReader) Buffer() *gbytes.Buffer { 3011 return dr.buffer 3012 } 3013 3014 func (dr *DatagramReader) Address() string { 3015 return dr.sock.LocalAddr().String() 3016 } 3017 3018 func (dr *DatagramReader) String() string { 3019 return string(dr.buffer.Contents()) 3020 } 3021 3022 func (dr *DatagramReader) Start() { 3023 buf := make([]byte, 1024*1024) 3024 for { 3025 select { 3026 case <-dr.doneCh: 3027 dr.errCh <- nil 3028 return 3029 3030 default: 3031 n, _, err := dr.sock.ReadFrom(buf) 3032 if err != nil { 3033 dr.errCh <- err 3034 return 3035 } 3036 _, err = dr.buffer.Write(buf[0:n]) 3037 if err != nil { 3038 dr.errCh <- err 3039 return 3040 } 3041 } 3042 } 3043 } 3044 3045 func (dr *DatagramReader) Close() error { 3046 dr.closeOnce.Do(func() { 3047 close(dr.doneCh) 3048 err := dr.sock.Close() 3049 dr.err = <-dr.errCh 3050 if dr.err == nil && err != nil && err != io.EOF { 3051 dr.err = err 3052 } 3053 }) 3054 return dr.err 3055 } 3056 3057 func getMysqlDb(m *mysql.Mysql) (*db.DB, error) { 3058 err := m.Connect() 3059 if err != nil { 3060 return nil, err 3061 } 3062 testdb, err := m.Create() 3063 if err != nil { 3064 return nil, err 3065 } 3066 return testdb, nil 3067 }