github.com/yimialmonte/fabric@v2.1.1+incompatible/common/cauthdsl/cauthdsl_test.go (about) 1 /* 2 Copyright IBM Corp. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package cauthdsl 8 9 import ( 10 "bytes" 11 "errors" 12 "testing" 13 "time" 14 15 "github.com/golang/protobuf/proto" 16 cb "github.com/hyperledger/fabric-protos-go/common" 17 mb "github.com/hyperledger/fabric-protos-go/msp" 18 "github.com/hyperledger/fabric/common/policydsl" 19 "github.com/hyperledger/fabric/msp" 20 "github.com/stretchr/testify/assert" 21 ) 22 23 var invalidSignature = []byte("badsigned") 24 25 type mockIdentity struct { 26 idBytes []byte 27 } 28 29 func (id *mockIdentity) Anonymous() bool { 30 panic("implement me") 31 } 32 33 func (id *mockIdentity) ExpiresAt() time.Time { 34 return time.Time{} 35 } 36 37 func (id *mockIdentity) SatisfiesPrincipal(p *mb.MSPPrincipal) error { 38 if !bytes.Equal(id.idBytes, p.Principal) { 39 return errors.New("Principals do not match") 40 } 41 return nil 42 } 43 44 func (id *mockIdentity) GetIdentifier() *msp.IdentityIdentifier { 45 return &msp.IdentityIdentifier{Mspid: "Mock", Id: string(id.idBytes)} 46 } 47 48 func (id *mockIdentity) GetMSPIdentifier() string { 49 return "Mock" 50 } 51 52 func (id *mockIdentity) Validate() error { 53 return nil 54 } 55 56 func (id *mockIdentity) GetOrganizationalUnits() []*msp.OUIdentifier { 57 return nil 58 } 59 60 func (id *mockIdentity) Verify(msg []byte, sig []byte) error { 61 if bytes.Equal(sig, invalidSignature) { 62 return errors.New("Invalid signature") 63 } 64 return nil 65 } 66 67 func (id *mockIdentity) Serialize() ([]byte, error) { 68 return id.idBytes, nil 69 } 70 71 func toIdentities(idBytesSlice [][]byte, deserializer msp.IdentityDeserializer) ([]msp.Identity, []bool) { 72 identities := make([]msp.Identity, len(idBytesSlice)) 73 for i, idBytes := range idBytesSlice { 74 id, _ := deserializer.DeserializeIdentity(idBytes) 75 identities[i] = id 76 } 77 78 return identities, make([]bool, len(idBytesSlice)) 79 } 80 81 type mockDeserializer struct { 82 fail error 83 } 84 85 func (md *mockDeserializer) IsWellFormed(_ *mb.SerializedIdentity) error { 86 return nil 87 } 88 89 func (md *mockDeserializer) DeserializeIdentity(serializedIdentity []byte) (msp.Identity, error) { 90 if md.fail != nil { 91 return nil, md.fail 92 } 93 return &mockIdentity{idBytes: serializedIdentity}, nil 94 } 95 96 var validSignature = []byte("signed") 97 var signers = [][]byte{[]byte("signer0"), []byte("signer1")} 98 var msgs = [][]byte{nil, nil} 99 var moreMsgs = [][]byte{nil, nil, nil} 100 101 func TestSimpleSignature(t *testing.T) { 102 policy := policydsl.Envelope(policydsl.SignedBy(0), signers) 103 104 spe, err := compile(policy.Rule, policy.Identities) 105 if err != nil { 106 t.Fatalf("Could not create a new SignaturePolicyEvaluator using the given policy, crypto-helper: %s", err) 107 } 108 109 if !spe(toIdentities([][]byte{signers[0]}, &mockDeserializer{})) { 110 t.Errorf("Expected authentication to succeed with valid signatures") 111 } 112 if spe(toIdentities([][]byte{signers[1]}, &mockDeserializer{})) { 113 t.Errorf("Expected authentication to fail because signers[1] is not authorized in the policy, despite his valid signature") 114 } 115 } 116 117 func TestMultipleSignature(t *testing.T) { 118 policy := policydsl.Envelope(policydsl.And(policydsl.SignedBy(0), policydsl.SignedBy(1)), signers) 119 120 spe, err := compile(policy.Rule, policy.Identities) 121 if err != nil { 122 t.Fatalf("Could not create a new SignaturePolicyEvaluator using the given policy, crypto-helper: %s", err) 123 } 124 125 if !spe(toIdentities(signers, &mockDeserializer{})) { 126 t.Errorf("Expected authentication to succeed with valid signatures") 127 } 128 if spe(toIdentities([][]byte{signers[0], signers[0]}, &mockDeserializer{})) { 129 t.Errorf("Expected authentication to fail because although there were two valid signatures, one was duplicated") 130 } 131 } 132 133 func TestComplexNestedSignature(t *testing.T) { 134 policy := policydsl.Envelope(policydsl.And(policydsl.Or(policydsl.And(policydsl.SignedBy(0), policydsl.SignedBy(1)), policydsl.And(policydsl.SignedBy(0), policydsl.SignedBy(0))), policydsl.SignedBy(0)), signers) 135 136 spe, err := compile(policy.Rule, policy.Identities) 137 if err != nil { 138 t.Fatalf("Could not create a new SignaturePolicyEvaluator using the given policy, crypto-helper: %s", err) 139 } 140 141 if !spe(toIdentities(append(signers, [][]byte{[]byte("signer0")}...), &mockDeserializer{})) { 142 t.Errorf("Expected authentication to succeed with valid signatures") 143 } 144 if !spe(toIdentities([][]byte{[]byte("signer0"), []byte("signer0"), []byte("signer0")}, &mockDeserializer{})) { 145 t.Errorf("Expected authentication to succeed with valid signatures") 146 } 147 if spe(toIdentities(signers, &mockDeserializer{})) { 148 t.Errorf("Expected authentication to fail with too few signatures") 149 } 150 if spe(toIdentities(append(signers, [][]byte{[]byte("signer1")}...), &mockDeserializer{})) { 151 t.Errorf("Expected authentication failure as there was a signature from signer[0] missing") 152 } 153 } 154 155 func TestNegatively(t *testing.T) { 156 rpolicy := policydsl.Envelope(policydsl.And(policydsl.SignedBy(0), policydsl.SignedBy(1)), signers) 157 rpolicy.Rule.Type = nil 158 b, _ := proto.Marshal(rpolicy) 159 policy := &cb.SignaturePolicyEnvelope{} 160 _ = proto.Unmarshal(b, policy) 161 _, err := compile(policy.Rule, policy.Identities) 162 if err == nil { 163 t.Fatal("Should have errored compiling because the Type field was nil") 164 } 165 } 166 167 func TestNilSignaturePolicyEnvelope(t *testing.T) { 168 _, err := compile(nil, nil) 169 assert.Error(t, err, "Fail to compile") 170 } 171 172 func TestSignedByMspClient(t *testing.T) { 173 e := policydsl.SignedByMspClient("A") 174 assert.Equal(t, 1, len(e.Identities)) 175 176 role := &mb.MSPRole{} 177 err := proto.Unmarshal(e.Identities[0].Principal, role) 178 assert.NoError(t, err) 179 180 assert.Equal(t, role.MspIdentifier, "A") 181 assert.Equal(t, role.Role, mb.MSPRole_CLIENT) 182 183 e = policydsl.SignedByAnyClient([]string{"A"}) 184 assert.Equal(t, 1, len(e.Identities)) 185 186 role = &mb.MSPRole{} 187 err = proto.Unmarshal(e.Identities[0].Principal, role) 188 assert.NoError(t, err) 189 190 assert.Equal(t, role.MspIdentifier, "A") 191 assert.Equal(t, role.Role, mb.MSPRole_CLIENT) 192 } 193 194 func TestSignedByMspPeer(t *testing.T) { 195 e := policydsl.SignedByMspPeer("A") 196 assert.Equal(t, 1, len(e.Identities)) 197 198 role := &mb.MSPRole{} 199 err := proto.Unmarshal(e.Identities[0].Principal, role) 200 assert.NoError(t, err) 201 202 assert.Equal(t, role.MspIdentifier, "A") 203 assert.Equal(t, role.Role, mb.MSPRole_PEER) 204 205 e = policydsl.SignedByAnyPeer([]string{"A"}) 206 assert.Equal(t, 1, len(e.Identities)) 207 208 role = &mb.MSPRole{} 209 err = proto.Unmarshal(e.Identities[0].Principal, role) 210 assert.NoError(t, err) 211 212 assert.Equal(t, role.MspIdentifier, "A") 213 assert.Equal(t, role.Role, mb.MSPRole_PEER) 214 } 215 216 func TestReturnNil(t *testing.T) { 217 policy := policydsl.Envelope(policydsl.And(policydsl.SignedBy(-1), policydsl.SignedBy(-2)), signers) 218 219 spe, err := compile(policy.Rule, policy.Identities) 220 assert.Nil(t, spe) 221 assert.EqualError(t, err, "identity index out of range, requested -1, but identities length is 2") 222 }